Tag: Reverse Engineer

Reverse Engineering Necurs (Part 4 – IDA Pro’s Python API)

Introduction In the previous post, we had paused execution of the malware sample at a point where the malware had “unpacked” itself. We then used the .writemem WinDbg command to output the unpacked data into a file. Finally, we used


Reverse Engineering Necurs (Part 2 – Unpacking)

Introduction In the previous post, we talked about using tcpdump on a VM to monitor network traffic produced by another VM infected with Necurs.  We noticed that some “weird” UDP packets were being generated after infection, and used this observation


Reverse Engineering Necurs (Part 1 – Preliminaries)

A few weeks ago, a fellow analyst sent me a link to a write-up of a new peer-to-peer botnet called Necurs.  The write-up included a link to a SANS blog entry.  The blog entry included a pcap containing traffic captured from
