I personally despise trying to analyze shellcode, but shellcode is becoming more common in malware of all types. From Metasploit and Cobalt Strike to GuLoader, loads of malicious tools include shel...
HCrypt Injecting BitRAT using PowerShell, HTAs, and .NET
One of my colleagues made a statement recently about how commonplace process injection has become among malware, to the point where it seems adversaries don’t have to think about the injection tech...
BazarISO Analysis - Loading with Advpack.dll
Malware comes in all shapes and sizes, and in the case of BazarISO it comes in the form of an ISO file that contains a malicious shortcut and an executable. In this post I’ll tear apart the ISO to ...
Extracting Payloads from Excel-DNA XLL Add-Ins
A few different malware families have included Excel XLL add-in files as distribution mechanisms lately. These include IcedID and some commodity threats that HP’s security team documented as using ...
Emotet's Excel 4.0 Macros Dropping DLLs
It’s been a little while since I checked in on Emotet to see how its first stage loaders are doing. Lately the first stage has been using Excel 4.0 macros to drop payloads, so in this post I’ll wal...
Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike
There are loads of different ways adversaries can distribute Cobalt Strike beacons and other malware. One of the common methods includes using HTML Application (HTA) files. In this post I’m going t...
Inspecting a PowerShell Cobalt Strike Beacon
In this post I want to take a look at a PowerShell-based Cobalt Strike beacon that appeared on MalwareBazaar. This particular beacon is representative of most PowerShell Cobalt Strike activity I se...
Looking at PowerPoint Macros with Olevba
In this post I want to walk through analysis of a malicious PowerPoint file using olevba. This tool allows you to view macros within Office documents without opening them. If you want to follow alo...
Decoding an Encoded Webshell Using NodeJS
In this post I want to walk through a process of using the NodeJS REPL (Read, Eval, Print Loop) to safely decode portions of malware during analysis. If you want to follow along at home, the sample...
Adventures in YARA Hashing and Entropy
In this post I’m going to take a look at a couple of simple YARA rules that excited me during my daily analysis tasks. These rules were inspired by the #100DaysOfYARA hashtag, and if you’re not fol...