Reversing Revil Malware – Part 2 - String Obfuscation and Configuration Setup
· ☕ 8 min read · ✍️ suidroot
This is the second in a series looking at part of the Revil malware. The first post covered a triage and unpacking of the first stage. This post will look at the high-level flow and then in depth at the configuration embedded in the sample and some of its options.
[Figure: Revil process diagram]
Looking at the flow diagram (shown above), the sample has a pretty straightforward flow. It initially sets itself up by resolving the import table, reading the embedded configuration data, and parsing the command-line arguments.

Reversing Revil Malware - Part 1 - Stage 1 Unpacker
· ☕ 3 min read · ✍️ suidroot
This is the first in a series looking at part of the REvil malware. I will start off by showing a brief triage overview of the sample and then dive into the initial details of the stage 1 unpacker. Let us get into it! Initial Triage The Revil (aka Sodinokibi) malware is ransomware that encrypts files on a victim’s disk and leaves a note to head to a Tor link to send payment to decrypt your files.

Decoding Malware Payload encoded in a PNG part 2 - "W.H.O.bat"
· ☕ 7 min read · ✍️ suidroot
This post is a sequel to the post covering the sample “Bank Statement.bat.” I had received this message before the Bank Statement message, but I found the sample in the previous post was less obfuscated and easier to reverse engineer. In this post, I will cover the different ways that this sample hid the decoding routines and how I was able to gather the data to run the same decoding script I used before to extract the payload from the PNG data within this sample.

Decoding Malware Payload encoded in a PNG - "Bank Statement.bat"
· ☕ 7 min read · ✍️ suidroot
When looking through my Spam folder, I have run across a few messages with “.bat” files attached to them. Most messages have had different content in the message body to entice a victim to open the attachment. I started to investigate each of the attachments and found they were Windows binaries, and at least two had PNG files in their resources. After doing this initial triage, I wanted to see if the payload of these pieces of malware is encoded in this PNG data and, if so, how it was encoded.

Ryuk Malware - Analysis and Reverse Engineering
· ☕ 12 min read · ✍️ suidroot
Summary In this post, I will reverse and analyze a Ryuk malware sample. Ryuk is pretty well-known ransomware that encrypts the contents of a victim’s hard drive. The sample uses two executable stages: the first determines whether the system is 32-bit or 64-bit, then extracts the appropriate second-stage executable onto the file system and executes it. The second stage then attempts to gain persistence by creating a registry key, and finally injects an encryption routine into another process and starts to encrypt the file systems, leaving behind a ransom note for the user to find.

Link: Exploring Key Features of Cisco ISE Release 2.6
· ☕ 1 min read · ✍️ suidroot
In July I wrote for the CDW blog about the new version of the Cisco Identity Services Engine (ISE) software: Exploring Key Features of Cisco ISE Release 2.6. The latest version of this cybersecurity tool offers unique device identification and an IoT protocol.

Link: Enhancing Password Security Through Memorized Secrets
· ☕ 1 min read · ✍️ suidroot
In March I posted the following article on the CDW blog: Enhancing Password Security Through Memorized Secrets. Revisiting NIST recommendations provides some essential techniques for protecting your organization’s accounts.

BSidesNH 2019 Recap
· ☕ 2 min read · ✍️ suidroot
Back on May 18th, I attended the inaugural BSidesNH event. It was a fantastic one-day event. The day started pretty early for me, driving down from Maine and arriving at Southern New Hampshire University. I arrived to pick up the fantastic badge made out of an old 3.5″ disk. After grabbing some coffee and a snack I settled into the auditorium for a day of great talks. There were a few that stood out to me from the day that I will talk about.

OSCP Notes
· ☕ 1 min read · ✍️ Ben Mason
Topic Index
Note: This material is based on the first revision of the OSCP and does not cover topics in the new version (v2?).
OSCP Notes – Buffer Overflows
OSCP Notes – Enumeration
OSCP Notes – Metasploit
OSCP Notes – Password attacks
OSCP Notes – Pivoting
OSCP Notes – Shell and Linux / UNIX
OSCP Notes – Web Exploitation
OSCP Notes – Windows
Student Notes and Guides
OSCP Goldmine (not clickbait) | 0xc0ffee☕
My OSCP Diary – Week 1 – Threat Week
GitHub – areyou1or0/OSCP: OSCP
abatchy’s blog | How to prepare for PWK/OSCP, a noob-friendly guide
Thunderson’s Journey To The OSCP
Passing OSCP – scund00r
Introduction · Total OSCP Guide
Introduction · OSCP – Useful Resources
The Journey to Try Harder: TJnull’s Preparation Guide for PWK/OSCP | NetSec Focus
Thoughts on OSCP certification and the exam!