In this post, we’ll use regular expressions and TLS certificate analysis to identify 83 scattered Qakbot servers. These servers are crafted to avoid traditional detection methods—there are few consistent patterns in ports, service names, or ASNs that could be used for simple signatures. Instead, we’ll focus on shared attributes within the subject_dn and issuer_dn fields […]
Category Archives: Uncategorized
In this post, we’ll examine a Vidar malware sample containing suspicious encrypted strings. Using Ghidra’s cross-referencing features, we’ll analyze these strings to pinpoint where they are utilized within the code. With this approach, we’ll identify the string decryption function and use a debugger to intercept inputs and outputs, allowing us to retrieve the decrypted strings. […]
In previous posts, we decoded various malicious scripts to retrieve Cobalt Strike shellcode. After acquiring the shellcode, we utilized SpeakEasy emulation to understand its functionality—a helpful approach, though relying solely on automated tools isn’t always ideal, even when effective. In this post, we’ll take a more hands-on approach, diving deeply into a Cobalt Strike shellcode […]
Practical queries for identifying malware infrastructure with FOFA.
AsyncRAT hardcoded certificate values: cert.subject.cn="AsyncRAT Server" || cert.issuer.cn="AsyncRAT Server"
Cobalt Strike default certificate values: cert.issuer.cn="Major Cobalt Strike"; cert.issuer.org="cobaltstrike"
Amadey Bot re-used certificate values: cert.subject.cn="desas.digital"
Quasar RAT default certificate values: cert.subject.cn="Quasar Server CA"
Laplas Clipper certificate values and favicon hash: cert.subject.cn="Laplas.app"; icon_hash="1123908622"
Sliver C2 default certificate values: cert.subject.cn="multiplayer" […]
We’re all familiar with basic CyberChef operations like ‘From Base64,’ ‘From Decimal,’ and the occasional magic decode or XOR. But what happens when we need to tackle more complex tasks? CyberChef offers a range of advanced operations that are often overlooked in favor of Python scripting. Many are unaware of its more powerful features, such […]