Blog Archives

Analysis of False/Morel

Introduction About a month ago, a group called the Shadow Brokers claimed to have stolen a number of cyber espionage tools from the Equation Group. They made a number of the files available to prove the validity of their claim

Posted in Reverse Engineering

Using NodeJS To Deobfuscate Malicious JavaScript

Introduction A group of analysts in the office are spending some time reverse engineering an Angler sample found at http://malware-traffic-analysis.net/2016/03/02/index2.html. The website shows a screen capture of the malicious javascript that was injected into a page served by a compromised

Posted in Reverse Engineering

Reverse Engineering a Malicious MS Word Document

Introduction This blog post analyzes a Word document that was used to deliver a ransomware executable. The Word document includes a macro that will execute when the document is opened if the end user clicks a button called “enable content”.

Posted in Reverse Engineering

Reverse Engineering Necurs (Part 4 – IDA Pro’s Python API)

Introduction In the previous post, we had paused execution of the malware sample at a point where the malware had “unpacked” itself. We then used the .writemem WinDbg command to output the unpacked data into a file. Finally, we used

Posted in Reverse Engineering

Reverse Engineering Necurs (Part 3 – Patching)

Introduction In the previous post, we started to step through the Necurs sample using WinDbg. We also used IDA Pro to perform static analysis of the malware sample so we could get an idea of where to set breakpoints. However,

Posted in Reverse Engineering

Reverse Engineering Necurs (Part 2 – Unpacking)

Introduction In the previous post, we talked about using tcpdump on a VM to monitor network traffic produced by another VM infected with Necurs.  We noticed that some “weird” UDP packets were being generated after infection, and used this observation

Posted in Reverse Engineering

Reverse Engineering Necurs (Part 1 – Preliminaries)

A few weeks ago, a fellow analyst sent me a link to a write-up of a new peer-to-peer botnet called Necurs.  The write-up included a link to a SANS blog entry.  The blog entry included a pcap containing traffic captured from

Posted in Reverse Engineering