Reversing Revil Malware – Part 2 - String Obfuscation and Configuration Setup
· ☕ 8 min read · ✍️ suidroot
This is the second in a series looking at part of the Revil malware. The first post covered a triage and unpacking of the first stage. This post looks at the high-level flow and then in depth at the configuration embedded in the sample and some of its options. [Figure: Revil process diagram] Looking at the flow diagram, the sample follows a pretty straightforward flow. It initially sets itself up by resolving the import table, reading the embedded configuration data, and parsing the command-line arguments.

Reversing Revil Malware - Part 1 - Stage 1 Unpacker
· ☕ 3 min read · ✍️ suidroot
This is the first in a series looking at part of the REvil malware. I will start off by showing a brief triage overview of the sample and then dive into the initial details of the stage 1 unpacker. Let us get into it! Initial Triage The Revil (aka Sodinokibi) malware is ransomware that encrypts files on a victim’s disk and leaves a note to head to a Tor link to send payment to decrypt your files.

Decoding Malware Payload encoded in a PNG part 2 - "W.H.O.bat"
· ☕ 7 min read · ✍️ suidroot
This post is a sequel to the post covering the sample “Bank Statement.bat.” I had received this message before the Bank Statement message, but I found the sample in the previous post was less obfuscated and easier to reverse engineer. In this post, I will cover the different ways that this sample hid its decoding routines and how I was able to gather the data needed to run the same decoding script I used before to extract the payload from the PNG data within this sample.

Decoding Malware Payload encoded in a PNG - "Bank Statement.bat"
· ☕ 7 min read · ✍️ suidroot
When looking through my Spam folder, I have run across a few messages with “.bat” files attached to them. Most messages have had different content in the message body to entice a victim to open the attachment. I started to investigate each of the attachments and found they were Windows binaries, and at least two had PNG files in their resources. After doing this initial triage, I wanted to see if the payload of these pieces of malware is encoded in this PNG data and, if so, how it was encoded.

Ryuk Malware - Analysis and Reverse Engineering
· ☕ 12 min read · ✍️ suidroot
Summary In this post, I will reverse and analyze a Ryuk malware sample. Ryuk is pretty well-known ransomware that encrypts the contents of a victim’s hard drive. The sample uses two executable stages: the first determines whether the system is 32-bit or 64-bit, then extracts the appropriate second-stage executable onto the file system and executes it. The second stage then attempts to gain persistence by creating a registry key, and finally injects an encryption routine into another process and starts encrypting the file system, leaving behind a ransom note for the user to find.

CTF Box: Kioptrix level 1 walk-through
· ☕ 6 min read · ✍️ Ben Mason
This is a walk-through of the first level of the CTF box series named Kioptrix. The virtual machine images can be downloaded from:,22/ There are two methods I used to exploit this machine, but first, let’s enumerate the server. Enumeration To start, I ran an Nmap scan on the server to see what services are running on it. # Nmap 7.70 scan initiated Sat Apr 13 14:05:06 2019 as: nmap -O -A -sV -sC -oA nmap/knoptrix1 192.

Enabling old TLS / SSL ciphers in OpenSSL
· ☕ 1 min read · ✍️ suidroot
I was reminded of this tip during the CTF at a recent DC207 meetup. This config change is needed on machines with modern versions of OpenSSL that have disabled the older ciphers. The issue is that the old TLS and SSL versions and their associated cipher suites have become insecure, so support for them has been dropped from OpenSSL's defaults. As a workaround, you can edit the following lines at the bottom of /etc/ssl/openssl.cnf

My OSCP Experience
· ☕ 6 min read · ✍️ suidroot
What is the OSCP Offensive Security Certified Professional (OSCP) is an entry-level, hands-on penetration testing certification. The OSCP is one of a few certifications offered by Offensive Security. It consists of the self-study Penetration Testing with Kali Linux (PwK) course and an online proctored practical exam. The course costs at minimum $800 USD and includes 30 days of lab access and one OSCP exam attempt. There are packages that include longer lab access, and you can extend your lab access if you find you need more time to prepare.

Link: Exploring Key Features of Cisco ISE Release 2.6
· ☕ 1 min read · ✍️ suidroot
In July I wrote for the CDW blog about the new version of the Cisco Identity Services Engine (ISE) software. Exploring Key Features of Cisco ISE Release 2.6 The latest version of this cybersecurity tool offers unique device identification and an IoT protocol.