Malfind Labs

Exploring the intersection of malware analysis and artificial intelligence

December 1, 2022

Malware triage in 30 minutes or how to get infected when browsing google

Today when looking to download a new version of VLC Player, I got served with this malicious advertisement on google and thought it might be an excellent opportunity to show how to make a quick malware triage. In this article, I show not only what are the dangers of malicious advertisements in google, but also how to triage malware in 30 minutes without any knowledge of coding, assembly, or reverse engineering tools like disassemblers or debuggers. I only use basic, freely available tools but yet I am able to discover not only malware family, and all important indicators of compromise (IoCs) but also can make good assumptions about its capabilities.

Malware analysis vidar malware triage vidar

November 25, 2021

From the archive #2: Ursnif dropper deobfuscation

In this article, I want to show a simple approach to JavaScript deobfuscation, based on an older Ursnif dropper sample. This is part 2 of my “From The Archive” series, where I release older reports lying on my disk. I hope you will enjoy and learn something from this post.

Deobfuscation Dropper JavaScript Malware analysis Ursinf deobfuscation dropper javascript malware python ursnif

November 24, 2021

From the archive #1: OSTap downloader deobfuscation and analysis

In this article, I deobfuscate and analyze a quite old but very interesting OSTAP JavaScript downloader. I show the deobfuscation methodology, as well as discuss the capabilities of the malware code. In addition to standard downloader features, this malware has one very interesting capability that I will not spoil here, you can read about it at the end of this post.

Deobfuscation Malware analysis deobfuscation downloader malware ostap

April 20, 2020

Revisiting Code Injection #1. Classic DLL injection

Lately I am involved in a project that requires me to write some C/C++ code. As my C++ is very rusty, I tried to sharpen it a little by doing these small development tasks. Since I am also involved in some reversing of a code using DLL injection techniques, I thought it would be a good idea to understand DLL injection better by writing some injectors myself. I will start with a simplest, classical DLL injection through LoadLibraryA call via CreateRemoteThread.

C Development Malware analysis

June 2, 2019

Tips & tricks #1: MITM proxy with fakenet and realnet mode

This post will be the first of quick tips & tricks series. I don’t have the time, and to be honest nor the inspiration lately to write longer in-depth posts as I would like to. Therefore I will stick to shorter forms, hopefully this will make this blog a little bit more alive.

In this short tip, I would like to share with you my setup for a Man-in-the-Middle proxy for my malware analysis lab. When porting my lab to the new machine I had to reconfigure few things, and to my surprise I found out that there seems to be no good tutorial to correctly set a MITM proxy for malware analysis.

There are multiple tutorials showing how to set up a malware lab with a fake net and HTTPS interception using both inetsim and burp. You can find them here:

Because of them I won’t be making another tutorial how to set up your lab. You can use tutorials above. If you are curious, I am using a very similar setup with Flare VM on my main Windows 10 box and an intercept router based on Debian with both fakenet and realnet modes (which I will explain later).

Malware analysis Tips & tricks burp fakenet inetsim linux malware mitm proxy realnet vm

May 21, 2019

Extracting IP and port from a meterpreter payload

When an attacker has already gained access to our network and he managed to steal some passwords or hashes, he is usually looking to break into something more interesting than HR workstation. This is a time when he uses stolen passwords to gain access to servers crucial for his operations.

If you see a service installation event (7045) in your System log, with PowerShell code containing a gzipped payload, this is most likely evidence of the attacker’s lateral movement.

Evidence of lateral movement

Deobfuscation Forensics Incident Response Powershell forensics incident response metaspolit meterpreter reverse shell shellcode

December 21, 2018

How I accidentally found a clickjacking feature in Facebook

I would’ve never thought that one of my first blog posts will be about looking for bugs in Facebook. I don’t consider myself a bounty hunter, and had never actively looked for bugs. I focus mostly on Incident Response, Forensics and Malware Analysis. To my surprise then I am sharing this particular story with you. It’s about my first bug report, a short spam campaign and a strange Facebook feature.

Bug bounty Clickjacking Facebook Websites bugbounty clickjacking facebook

July 23, 2018

Deobfuscating Emotet's powershell payload

Emotet is a banking trojan, targeting computer users since around 2014. During that time it has changed its structure a lot. Lately we see massive emotet spam campaigns, using multiple phishing methods to bait users to download and launch a malicious payload, usually in the form of a weaponized Word document.

Emotet’s chain of infection

First user receives a fake e-mail, trying to persuade him to click on the link, where the weaponized doc is being downloaded. Document is then trying to trick user to enable content and allow macros in order to launch embedded VBA code. VBA is obfuscated. We can also deobfuscate it, but in the end it launches a powershell command. Let’s skip VBA deobuscation today, as I want to focus on powershell. We can obtain powershell command launched by VBA code without deobfuscation, by using any sandbox with powershell auditing.

Deobfuscation Emotet Malware analysis deobfuscation dropper emotet malware powershell python