Software Distribution Malware Infection Vector

  • In this paper we present an efficient mechanism as well as the corresponding reference implementation for on-the-fly infecting of executable code with malicious software. Our algorithm deploys virus infection routines and network redirection attacks, without requiring modification of the application itself. This allows infecting even executables with an embedded signature when the signature is not automatically verified before execution. We also briefly discuss countermeasures such as secure channels, code authentication as well as trusted virtualization that enables the isolation of untrusted downloads from other applications running in trusted domains or compartments.

Shellcode Analysis Pipeline

  • I recently required an automated way of analyzing shellcode and verifying if it is detected by Libemu, Snort, Suricata, Bro, etc. Shellcode had to come from public sources like Shell-Storm, Exploit-DB and Metasploit. I needed an automated way of sourcing shellcode from these projects and passing it on to the analysis engines in a pipeline-like mechanism. This post documents the method I used to complete this task and the overall progress of the project.

Reverse-Engineering Malware Cheat Sheet

Claimsman

  • Claimsman logs all file handle creation on Windows systems, and logs to both a local file and a centralized log management system.


  • Unpacker for a variety of packing tools.

Unpacking with OllyBonE

  • This is a brief tutorial giving the basic steps to unpack code using the OllyBonE plugin.

COM Object hijacking: the discreet way of persistence

Poweliks: the persistent malware without a file

Temporal Persistence with bitsadmin and schtasks

License to Kill: Malware Hunting with the Sysinternals Tools

Many ways of malware persistence (that you were always afraid to ask)

Thousand ways to backdoor a Windows domain (forest)


INetSim

  • INetSim is a software suite for simulating common internet services in a lab environment, e.g. for analyzing the network behaviour of unknown malware samples.

Regshot

  • Regshot is an open-source (LGPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product.

Mandiant ApateDNS

  • Mandiant ApateDNS is a tool for controlling DNS responses through an easy-to-use GUI. As a phony DNS server, Mandiant ApateDNS spoofs DNS responses to a user-specified IP address by listening on UDP port 53 on the local machine. Mandiant ApateDNS also automatically sets the local DNS to localhost. Upon exiting the tool, it sets back the original local DNS settings.

Dependency Walker

  • Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions that are exported by that module, and which of those functions are actually being called by other modules. Another view displays the minimum set of required files, along with detailed information about each file including a full path to the file, base address, version numbers, machine type, debug information, and more.

Analyzing Malware for Embedded Devices: TheMoon Worm



Analysis of a Romanian Botnet

  • Going from first sighting in logs to tracing attackers to their C2 IRC room

Statistical Structures: Fingerprinting Malware for Classification and Analysis - Daniel Bilar

Nesting doll: unwrapping Vawtrak

Malcom - Malware Communication Analyzer

  • Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, and cross-reference them with known malware sources. This comes in handy when analyzing how certain malware species try to communicate with the outside world.

IRMA - Incident Response & Malware Analysis

  • IRMA intends to be an open-source platform designed to help identify and analyze malicious files. However, today's defense is not only about learning about a file, but it is also getting a fine overview of the incident you dealt with: where / when a malicious file has been seen, who submitted a hash, where a hash has been noticed, which anti-virus detects it, ... An important value of IRMA is that you keep control over where your data goes and who gets it. Once you install IRMA on your network, your data stays on your network. Each submitted file is analyzed in various ways. For now, we focus our efforts on multiple anti-virus engines, but we are working on other "probes" (feel free to submit your own).

### Tutorials

Malware Analysis Tutorials: a Reverse Engineering Approach

Malware analysis noob to ninja 60min presentation slides

Automating Removal of JS Obfuscators

  • In this post we detail a method to improve analysis of Java code for a particular obfuscator, we document the process that was followed and demonstrate the results of automating our method. Obscurity will not stop an attacker and once the method is known, methodology can be developed to automate the process.

DIY Android Malware Analysis with OBAD

### Writeups

Decoding ZeuS disguised as an .RTF File

  • Excellent step by step writeup

Hacking Team Writeup

FinFisher Malware Dropper Analysis

How To Dissect Android Flappy Bird Malware

Analyzing unknown malware blogpost series

Android/Beita.A malware analysis

Trojan.Foxy writeup

  • Today I will write about a sample that I will refer to as Trojan.Foxy. Trojan.Foxy requests and parses .JPG images that contain encoded instructions. The encoding algorithm used by this Trojan is loosely based on the Vigenère cipher; however there is a deviation in how the cipher is applied.


Data Obfuscation: Now you see me... Now you don't...

  • This blog post shows how malware authors use Adobe Flash files to hide their creations' 'sensitive' data. I'll be using 2 recent Neutrino EK and 1 FlashPack malvertising samples to demonstrate it. In the case of Neutrino EK our goal will be extraction and decryption of its configuration file and in the malvertising case we'll be after the initial payload URL + exploit shellcode.

Full details on CVE-2015-0096 and the failed MS10-046 Stuxnet fix

North Korean Malware Writeup

Regin Malware writeup by F-Secure

Case study of the miner botnet

How ESEA detects cheat software in its online gaming league - Let's get physical!

  • Before we dig in, this post should not be construed as an attack on ESEA, anti-cheat software, or fair gaming in general. It is simply an analysis thereof, detailing what the ESEA driver does on your machine. Although analysis will make attack vectors clear and obvious, no code or detailed explanation of how to leverage these points will be given.

### Malware Repositories/Collecting & Obtaining Malware

The Zoo

  • A repository of LIVE malwares for your own joy and pleasure

Mobile Malware dumps - Contagio

Contagio/Contagio mobile

Ragpicker - Malware Crawler

  • Ragpicker is a plugin-based malware crawler with pre-analysis and reporting functionalities. Use this tool if you are testing antivirus products or collecting malware for another analyzer/zoo.

### Mobile

A timeline of mobile botnets

  • With the recent explosion in smartphone usage, malware authors have increasingly focused their attention on mobile devices, leading to a steep rise in mobile malware over the past couple of years. In this paper, Ruchna Nigam focuses on mobile botnets, drawing up an inventory of types of known mobile bot variants.

Android Sandbox V1

  • Automated Malware Analysis

Obfuscation in Android Malware and how to fight back


### Android obfuscators

ProGuard


### Android De-obfuscators

De-hoser

  • Unpacker for the HoseDex2Jar APK Protection which packs the original file inside the dex header


  • Hides or reveals a given method in a DEX file

Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0

  • native-unpacker/ - Unpacker for APKProtect/Bangcle/LIAPP/Qihoo Packer that runs natively, no dependency on gdb
  • hide-qemu/ - Small hacks for hiding the qemu/debuggers, specifically from APKProtect

### Anti-VM/Detecting VMs


  • Script to create templates to use with VirtualBox to make vm detection harder.

Breaking the Sandbox - Sudeep Singh

  • Abstract: In this paper, I would like to discuss various existing and interesting techniques which are used to evade the detection of a virus in a sandbox. We will also look at ways a sandbox can be hardened to prevent such evasion.

On the Cutting Edge: Thwarting Virtual Machine Detection

Paranoid Fish

  • Pafish is a demo tool that performs some anti(debugger/VM/sandbox) tricks. Most of them are often used by malware to avoid debugging and dynamic analysis. The project is open source, you can read the code of all anti-analysis checks. You can also download the compiled executable (or compile it by yourself) and reverse engineer it, which is quite recommended.

rdtsc x86 instruction to detect virtual machines

Win64/Vabushky - The Great Code Heist

Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies

  • This talk catalogs the common evasion techniques malware authors employ, applying over 50 different static detections, combined with a few dynamic ones for completeness. We validate our catalog by running these detections against a database of 4 million samples (the system is constantly running and the numbers will be updated for the presentation), enabling us to present an analysis on the real state of evasion techniques in use by malware today. The resulting data will help security companies and researchers around the world to focus their attention on making their tools and processes more efficient to rapidly avoid the malware authors' countermeasures.

### Malware Campaign Writeups

Unmasking Careto through Memory Analysis - Andrew Case

Rotten Tomatoes campaign by Sophos

Fanny Malware Writeup

RIG Exploit Kit Writeup

Equation Group Malware Samples - ContagioDump

Operation SMN: Axiom Threat Actor Group Report Executive Summary

Analysis of Urobouros

#### FinFisher writeup: Part 1, Part 2, Part 3

#### FinSpy

Hacking FinSpy - a Case Study - Atilla Marosi - [TROOPERS15]

### Dynamic Malware Analysis

Zero Wine

  • Zero wine is an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero wine just runs the malware using WINE in a safe virtual sandbox (in an isolated environment) collecting information about the APIs called by the program.


HoneyAgent

  • HoneyAgent is a Java agent library that creates a sandbox for Java applications and applets. To do so, it uses the JVMTI as well as the JNI to intercept class loading and function calls. During runtime HoneyAgent traces function calls from the analysed application. It displays which class calls which function with which parameters. Reflected function calls are translated to the original function names for simpler reading.

Pybox

  • User-level framework for monitoring processes
  • Research paper on it

#### Setting up the Lab

Awesome Guide to building a VM for anonymous Malware Analysis and Reverse Engineering


API Monitor

  • API Monitor is free software that lets you monitor and control API calls made by applications and services. It's a powerful tool for seeing how applications and services work or for tracking down problems that you have in your own applications.


SpyStudio

  • SpyStudio shows and interprets calls, displaying the results in a structured way which is easy for any IT professional to understand. SpyStudio can show registry keys and files that an application uses, COM objects and windows the application has created, and errors and exceptions.


  • Inject JS into native apps


Truman

  • Truman can be used to build a "sandnet", a tool for analyzing malware in an environment that is isolated, yet provides a virtual Internet for the malware to interact with. It runs on native hardware, therefore it is not stymied by malware which can detect VMWare and other VMs. The major stumbling block to not using VMs is the difficulty involved with repeatedly imaging machines for re-use. Truman automates this process, leaving the researcher with only minimal work to do in order to get an initial analysis of a piece of malware. Truman consists of a Linux boot image (originally based on Chas Tomlin's Windows Image Using Linux) and a collection of scripts. Also provided is pmodump, a Perl-based tool to reconstruct the virtual memory space of a process from a PhysicalMemory dump. With this tool it is possible to circumvent most packers to perform strings analysis on the dumped malware.

### Static Malware Analysis

#### Tools


WinMerge

  • WinMerge is an Open Source differencing and merging tool for Windows. WinMerge can compare both folders and files, presenting differences in a visual text format that is easy to understand and handle.


  • Static malware comparison tool

ssdeep

  • ssdeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.


DRAKVUF

  • DRAKVUF is an agentless dynamic malware analysis system built on Xen, LibVMI, Volatility and Rekall. It allows for in-depth execution tracing of malware samples and extracting deleted files from memory, all without having to install any special software within the virtual machine used for analysis.


Amoco - Static binary analysis tool

  • Amoco is a python package dedicated to the (static) analysis of binaries.
  • Worth a look on GitHub

### Encoders/Packers/AV Evasion

Use PEiD to identify most packers/etc.


Stack Overflow RE - What are the different types of packers?

The Backdoor Factory (BDF)

  • For security professionals and researchers only. The goal of BDF is to patch executable binaries with user desired shellcode and continue normal execution of the prepatched state.
  • Derbycon Presentation

Deep dive into a custom malware packer

Corkami - Packers

  • Beautiful.

Manually unpacking a Morphine-packed DLL with OllyDbg

A Study of the Packer Problem and Its Solutions

Packer Analysis Report - Debugging and unpacking the NsPack 3.4 and 3.7 packer

One packer to rule them all: Empirical identification, comparison and circumvention of current Antivirus detection techniques

Making FinFisher Undetectable

Paper on Manual unpacking of UPX packed executable using Ollydbg and Importrec

An Experiment in AV Evasion

Implementing a Custom X86 Encoder

  • This paper describes the process of implementing a custom encoder for the x86 architecture. To help set the stage, the McAfee Subscription Manager ActiveX control vulnerability, which was discovered by eEye, will be used as an example of a vulnerability that requires the implementation of a custom encoder. In particular, this vulnerability does not permit the use of uppercase characters. To help make things more interesting, the encoder described in this paper will also avoid all characters above 0x7f. This will make the encoder both UTF-8 safe and tolower safe.

Using dual-mappings to evade automated unpackers

  • Automated unpackers such as Renovo, Saffron, and Pandora's Bochs attempt to dynamically unpack executables by detecting the execution of code from regions of virtual memory that have been written to. While this is an elegant method of detecting dynamic code execution, it is possible to evade these unpackers by dual-mapping physical pages to two distinct virtual address regions where one region is used as an editable mapping and the second region is used as an executable mapping. In this way, the editable mapping is written to during the unpacking process and the executable mapping is used to execute the unpacked code dynamically. This effectively evades automated unpackers which rely on detecting the execution of code from virtual addresses that have been written to.

Android Packers

Locreate: An Anagram for Relocate

  • This paper presents a proof of concept executable packer that does not use any custom code to unpack binaries at execution time. This is different from typical packers which generally rely on packed executables containing code that is used to perform the inverse of the packing operation at runtime. Instead of depending on custom code, the technique described in this paper uses documented behavior of the dynamic loader as a mechanism for performing the unpacking operation. This difference can make binaries packed using this technique more difficult to signature and analyze, but only when presented to an untrained eye. The description of this technique is meant to be an example of a fun thought exercise and not as some sort of revolutionary packer. In fact, it's been used in the virus world many years prior to this paper.

Duping the machine: malware strategies, post Sandbox detection

Bypass AV through several basic/effective techniques





Pyew

  • Pyew is a (command line) python tool to analyse malware. It has support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), PE and ELF file formats (it performs code analysis and lets you write scripts using an API to perform many types of analysis), follows direct call/jmp instructions in the interactive command line, displays function names and string data references; supports OLE2 format, PDF format and more. It also supports plugins to add more features to the tool.

Microsoft Message Analyzer

  • Microsoft Message Analyzer is a new tool for capturing, displaying, and analyzing protocol messaging traffic and other system messages. Message Analyzer also enables you to import, aggregate, and analyze data from log and trace files. It is the successor to Microsoft Network Monitor 3.4 and a key component in the Protocol Engineering Framework (PEF) that was created by Microsoft for the improvement of protocol design, development, documentation, testing, and support. With Message Analyzer, you can choose to capture data live or load archived message collections from multiple data sources simultaneously.


  • Python malware for pentesters that bypasses most antivirus (signature and heuristics) and IPS using sheer stupidity


Binary and Directory tree comparison tool using the Fuzzy Hashing concept (ssdeep)


SubVirt: Implementing malware with virtual machines

  • We evaluate a new type of malicious software that gains qualitatively more control over a system. This new type of malware, which we call a virtual-machine based rootkit (VMBR), installs a virtual-machine monitor underneath an existing operating system and hoists the original operating system into a virtual machine. Virtual-machine based rootkits are hard to detect and remove because their state cannot be accessed by software running in the target system. Further, VMBRs support general-purpose malicious services by allowing such services to run in a separate operating system that is protected from the target system. We evaluate this new threat by implementing two proof-of-concept VMBRs. We use our proof-of-concept VMBRs to subvert Windows XP and Linux target systems, and we implement four example malicious services using the VMBR platform. Last, we use what we learn from our proof-of-concept VMBRs to explore ways to defend against this new threat. We discuss possible ways to detect and prevent VMBRs, and we implement a defense strategy suitable for protecting systems against this threat.

Modeling Zero Day Malware Spread

Duping the Machine: malware strategies, post sandbox detection Slide deck presentation

PortEX: Robust static analysis of Portable Executable Malware

VirusTotal Mining


Generate MS Office Macro Malware Script

  • Standalone Powershell script that will generate a malicious Microsoft Office document with a specified payload and persistence method


  • Tiny snippet of code that pulls ASCII shellcode from pastebin and executes it. The purpose of this is to have a minimal amount of benign code so AV doesn't freak out, then it pulls down the evil stuff. People have been doing this kind of stuff for years so I take no credit for the concept. That being said, this code (or similar code) works surprisingly often during pentests when conventional malware fails.

PowerLoader Injection - Something truly amazing