Reverse Engineering

Supreme Leader's Not-That-Supreme Malwares

  • Posted on: 14 January 2015
  • By: siteadm

Recently, while surfing Reddit, I came across this beautiful subreddit which is dedicated to NK. While reading the "mind blowing" miracles of the Supreme Leader, I clicked on several links, one link led to another, and during my visits to several NK web sites, I came across the Korean Central News Agency of DPRK. Just by taking a look at the very top of the HTML source code of the homepage, I saw this code:

Building Ultimate Anonymous Malware Analysis and Reverse Engineering Machine

  • Posted on: 17 October 2014
  • By: siteadm

In this article, I'll show you my malware analysis environment and setup. I have to say that all software and configurations written in this article are totally my personal preference. This is my configuration and I like it, but please don't hesitate to share your ideas. So I'll start from the very beginning: OS installation.

FinFisher Shell Extension and Drivers Analysis

  • Posted on: 14 October 2014
  • By: siteadm

Analysis of the FinFisher shell extension, which is basically a keylogger DLL; the driverw.sys file, which they use for MBR modifications (in case \\.\PhysicalDrive0 wasn't accessible from user-mode); and mssounddx.sys, which is in direct communication with the MBR code and is used to create a thread and inject code into user-mode processes.

FinFisher Malware Analysis - Part 2

  • Posted on: 2 October 2014
  • By: siteadm

In the previous post, I fully analyzed the dropper part of the FinFisher malware. In this post, I'll share with you details of the FinFisher malware's main component, which I got from the dropper. This part is also as interesting as the dropper part and does have several techniques and tricks, but as far as I know, again, most of them were already known and used in other malware, but I might be wrong. So stay tuned for another very detailed step-by-step analysis.

Havex Malware Analysis and Inside Malware C&C Server

  • Posted on: 19 August 2014
  • By: siteadm

In this article I'll analyze the recent Havex malware. You can read more about this malware here.

First of all, I want to thank Kyle Wilhoit for providing me with all the samples of the Havex malware.

Ok, let's start... As far as I've seen, all samples of this malware have a resource called ICT (in the SCADA module it is called TYU) which contains an encoded config file: