Category Archives: Malware Analyzer

Instrument Microsoft Office applications to defeat macro obfuscations

With the recent increase in documents that use macros to deliver malware, researchers spend a considerable amount of time analyzing these attached scripts to understand their inner workings. Though the macros do follow a similar pattern in file download and …

Posted in Document Macro malware Analysis, Exploit, Malware, Malware Analyzer

Dealing with pcaps in windows using Fiddler/FiddlerCore

Many times, when we receive a pcap (especially exploit pack pcaps) for malware analysis, we have to do a lot of manual work to load it in Fiddler, extract the objects, and analyze them. While using Windows, I depend …

Posted in Malware, Malware Analyzer, Tools, Web, Windows

Digging deep into Recent Angler Exploit kit Fileless delivery

Recently ThreatGlass released a PCAP related to the Angler Exploit Kit from wira-ku.com. Looking into this, Angler EK has changed its obfuscation techniques to load its dropper from the exploit server. Let's dig into this. The initial dropper is downloaded before …

Posted in Exploit, Exploit Kit, Malware, Malware Analyzer, Shellcode, Windows

Windows Process name hashes – List 1


Posted in Malware, Malware Analyzer, Reversing, Shellcode, Windows

Windows API Hash List 2


Posted in Malware, Malware Analyzer, Windows

Windows API Hash List 1


Posted in Malware, Malware Analyzer, Windows

MITM Gmail SMTP STARTTLS Traffic in LAB machines

During auditing we may face the challenge of MITM-ing Gmail SMTP STARTTLS traffic to retrieve the email content/credentials. Most .Net programs do NOT allow connecting to a secure server using a self-signed certificate. I used starttls-mitm (https://github.com/ipopov/starttls-mitm) …

Posted in .Net, Google, Malware Analyzer, Tools, Windows