Year: 2016

Analysis of False/Morel

About a month ago, a group called the Shadow Brokers claimed to have stolen a number of cyber espionage tools from the Equation Group. They made a number of the files available to prove the validity of their claim

Using NodeJS To Deobfuscate Malicious JavaScript

A group of analysts in the office is spending some time reverse engineering an Angler sample found at The website shows a screen capture of the malicious JavaScript that was injected into a page served by a compromised

Reverse Engineering a Malicious MS Word Document

This blog post analyzes a Word document that was used to deliver a ransomware executable. The Word document includes a macro that will execute when the document is opened if the end user clicks a button called “Enable Content”.

Spies and Social Media

The Internet opens countless avenues of communication and convenience, but brings risk as well. Attackers can use seemingly innocuous social media connections and other information to find sensitive information about you, like your home address, password security questions, and more.

Reverse Engineering Necurs (Part 4 – IDA Pro’s Python API)

In the previous post, we had paused execution of the malware sample at a point where the malware had “unpacked” itself. We then used the .writemem WinDbg command to output the unpacked data into a file. Finally, we used

Reverse Engineering Necurs (Part 3 – Patching)

In the previous post, we started to step through the Necurs sample using WinDbg. We also used IDA Pro to perform static analysis of the malware sample so we could get an idea of where to set breakpoints. However,

Reverse Engineering Necurs (Part 2 – Unpacking)

In the previous post, we talked about using tcpdump on a VM to monitor network traffic produced by another VM infected with Necurs. We noticed that some “weird” UDP packets were being generated after infection, and used this observation

Reverse Engineering Necurs (Part 1 – Preliminaries)

A few weeks ago, a fellow analyst sent me a link to a write-up of a new peer-to-peer botnet called Necurs. The write-up included a link to a SANS blog entry. The blog entry included a pcap containing traffic captured from