In this post, we’ll showcase the Garbageman analysis tool—a powerful resource for extracting information from packed or obfuscated .NET malware. Garbageman works by intercepting .NET’s memory management components and saving relevant data for later analysis. For a detailed look at its inner workings, check out this excellent blog post on Garbageman’s architecture. With this approach, […]
Author Archives: Emin Baylarov
10
Apr
Apr
In this post, we’ll use regular expressions and TLS certificate analysis to identify 83 scattered Qakbot servers. These servers are crafted to avoid traditional detection methods—there are few consistent patterns in ports, service names, or ASNs that could be used for simple signatures. Instead, we’ll focus on shared attributes within the subject_dn and issuer_dn fields […]
Uncategorized
Using Ghidra for Malware Analysis: Identifying, Decoding, and Decrypting Encrypted Strings
10
Mar
Mar
In this post, we’ll examine a Vidar malware sample containing suspicious encrypted strings. Using Ghidra’s cross-referencing features, we’ll analyze these strings to pinpoint where they are utilized within the code. With this approach, we’ll identify the string decryption function and use a debugger to intercept inputs and outputs, allowing us to retrieve the decrypted strings. […]
Uncategorized
Using Ghidra for Shellcode Analysis and Extracting Cobalt Strike Command and Control Servers
10
Feb
Feb
In previous posts, we decoded various malicious scripts to retrieve Cobalt Strike shellcode. After acquiring the shellcode, we utilized SpeakEasy emulation to understand its functionality—a helpful approach, though relying solely on automated tools isn’t always ideal, even when effective. In this post, we’ll take a more hands-on approach, diving deeply into a Cobalt Strike shellcode […]
09
Jan
Jan
Practical queries for identifying malware infrastructure with FOFA. AsyncRAT Hardcoded Certificate Values cert.subject.cn=”AsyncRAT Server” || cert.issuer.cn=”AsyncRAT Server” – Link Cobalt Strike Default Certificate Values cert.issuer.cn=”Major Cobalt Strike” – Link cert.issuer.org=”cobaltstrike” – Link Amadey Bot Re-used certificate values cert.subject.cn=”desas.digital” – Link Quasar RAT Default certificate values. cert.subject.cn=”Quasar Server CA” – Link Laplas Clipper Certificate values and favicon hash. cert.subject.cn=”Laplas.app” – Link icon_hash=”1123908622″ – Link Sliver C2 Default Certificate values cert.subject.cn=”multiplayer” […]