Building Offensive Malicious Documents

Generally, attackers use the following techniques to leverage Microsoft Office features and vulnerabilities: exploits, macros, remote template injection, and many more… In this post, we will learn various techniques for making malicious documents that can execute our malicious code. Of course, to keep it simple we will just run ...

Checklist: Windows Malware Analysis

Introduction: When doing an analysis or investigation of a piece of malware, what are the important things to solve or to answer? This checklist may help us determine the goal of a malware analysis, so that it keeps us from reversing/analysing parts of the malicious code that are not important ...

UPX manual unpack: ELF and EXE

Introduction: Recently, I've come across a Golang malware sample which had been packed by UPX. The sample was made so that it cannot be unpacked using the UPX tool. So, I think it's good to write a blog/note to explain how manual UPX unpacking works. The UPX tool doesn't work: In the figure below, there are certain situations where the malware author makes...

Powershell 101 in Malware Analysis

PowerShell attacks are currently a popular weapon of choice for many of these attacks because PowerShell provides a variety of techniques for bypassing existing security controls. Not least of all, the ability to run directly in memory and to download payloads remotely gives a lot of benefits to the attacker. Let's learn a little bit about PowerShell...

Lemon-Duck Powershell: An easy way to deobfuscate it!

I came across a fileless malware called the Lemon-Duck crypto miner during our (my officemate's and my) investigation of suspicious communication in our client's network. This malware completely leverages the PowerShell module to execute most of its payloads. PowerShell attacks are currently a popular weapon of choice for many of these atta...

Cheat-Sheet: Malicious Document Analysis

MS-MSDT scheme, aka the Follina exploit: A sample shared by nao_sec that abuses ms-msdt to execute code. Refer here. Unzipping the document and navigating to maldoc-name\word\_rels\document.xml.rels will reveal the HTML URL which executes their payload. The payload might look something like this: <!doctype html> <html lang="en...

Write-up: FIRST 2020 CTF Challenge

Hey. An online CTF competition organized by the U.S. Department of Homeland Security's (DHS) Cybersecurity & Infrastructure Security Agency (CISA) ended yesterday (27/6). This post will go through all the challenges that my team solved. Let's go. Tools used: FTK Imager, Linux terminal, online tools, Wireshark. Forensics: For this categ...
