Malware Musings

Thoughts on malware and malware analysis

Mitigating the Effects of Ransomware: Hiding Your Files

Posted by Karl on May 16, 2017
Posted in: Muse Food. Tagged: Ransomware.

The WannaCry/WannaCrypt ransomware/worm struck late last week and wreaked havoc, with a number of important files/documents being encrypted. Can a twenty-year-old idea of mine actually help to restrict the damage caused by ransomware by essentially ‘hiding’ your important files so that ransomware can’t find them?

April Fool?

Posted by Karl on April 1, 2017
Posted in: Muse Food.

After my tinkering with IT as a kid progressed to more of a hobby, followed by almost 22 years of full-time employment as an IT engineer, I’ve started to wonder if I’ve been a tad foolish.

I’m starting to think that there is more to life than IT (despite seeing more and more people that seem to think that it’s more important to walk around looking at the screen of their mobile phone rather than looking where they’re going), and with this realisation comes another realisation — that a life of IT has left me with very few practical life skills.

So now I find myself at a point where I want to do something that’s actually useful to people/society, but all I know how to do is IT.

I’m wondering how to implement ideas and make them a reality. How can I build (physical) things — how do you join pieces of wood, for instance? How do businesses work?

How can I do something useful, and hopefully change lives — if not the world — when I don’t seem to be able to change a tap washer?!

Michelangelo Virus Day — What have we done in the last 25 years?!

Posted by Karl on March 6, 2017
Posted in: A False Sense of Security, General Information. Tagged: Internet safety.

The 6th of March is the day that the Michelangelo virus (a virus I came across back in the early nineties) would overwrite disk sectors, and it apparently caused quite a frenzy back in January 1992. I was thinking, here we are 25 years later, and what have we done? (Look out — this is another one of my non-technical posts!)

A Thousand Monkeys Writing a JavaScript Malware Downloader: De-obfuscating the JavaScript

Posted by Karl on January 19, 2017
Posted in: Malware Analysis, Reverse Engineering. Tagged: deobfuscation, downloader, JavaScript.

There’s a theory that a thousand monkeys typing away at a thousand typewriters will eventually reproduce the works of Shakespeare. I got home one day to find a JavaScript downloader semi-randomly creating dynamic functions until one of them worked and downloaded some malware that I hadn’t seen before.

Analysing CryptoLocker with unpack.py: Network Communications (part 3)

Posted by Karl on May 13, 2016
Posted in: Malware Analysis. Tagged: CryptoLocker, dynamic analysis, malware analysis. 1 Comment

Previous posts in this series have demonstrated how unpack.py, when used on a CryptoLocker variant, extracts the malicious PE file injected into explorer.exe, and how it can also be used to analyse the injected PE file. This post demonstrates how unpack.py can now be used to analyse our CryptoLocker variant’s network communications by dumping the cleartext traffic sent over its HTTPS connections.

Analysing CryptoLocker with unpack.py: The unpacked payload (part 2)

Posted by Karl on March 30, 2016
Posted in: Malware Analysis. Tagged: CryptoLocker, dynamic analysis, malware analysis.

This is the second part in a series of posts showing how we can use my unpack.py script to find quite a bit of useful information about a CryptoLocker variant. This post will analyse the unpacked payload that we found in part one.

Analysing CryptoLocker with unpack.py: Initial Analysis (part 1)

Posted by Karl on March 8, 2016
Posted in: Malware Analysis. Tagged: CryptoLocker, malware analysis. 1 Comment

My automated unpacking script (which really needs a sensible name!) is a few years old now, so I was interested to see how it would go with some malware that was developed after it was. That is, I wanted to answer the question ‘is my script still useful?’. It turns out it is still useful, and this post is the first of a few posts that aim to demonstrate why.
