Malware Analysis - 0xC0DECAFE.com

Learn how to fix PE magic numbers with Malduck

2021-01-28 2021-01-26 / Malware Analysis

Malware often corrupts the Portable Executable (PE) header to hinder its analysis. By overwriting parts of the PE header, malware evades simple memory dumpers and thwarts proper loading by analysis tools. If we’re lucky then malware only overwrites the magic numbers of the PE header (MZ and PE) and leaves the rest of the header …

Learn how to fix PE magic numbers with Malduck Read More »

The malware analyst’s guide to PE timestamps

2021-01-22 2021-01-27 / Malware Analysis, Cyber Threat Intelligence

This blog post is all about time. More exactly, timestamps found in Portable Executable (PE) files that describe a (possible) compilation date. These PE timestamps may even reveal details about a threat actor. For instance, it is possible to deduce a threat actor’s working hours and use this information – hopefully together with other artifacts …

The malware analyst’s guide to PE timestamps Read More »

The malware analyst’s guide to aPLib decompression

2021-01-08 2021-01-27 / Malware Analysis

aPLib is a compression library that is very easy to use and integrate with C/C++ projects. It is a pure LZ-based compression library. There is also an executable packer based on it called aPACK. Due to its ease of use and tiny footprint, it’s a very popular library utilized by many malware families like ISFB/Ursnif, …

The malware analyst’s guide to aPLib decompression Read More »

The malware analyst’s guide to zlib compression

2021-01-02 2021-01-27 / Malware Analysis

Malware often utilizes data compression like zlib or aPLib. There are several reasons for this behavior: first, it saves space and makes binaries smaller and network transfers faster. Second, it adds another layer of obfuscation as the malware analyst needs to detect the compression algorithm first. One of the widely adopted data compression libraries in …

The malware analyst’s guide to zlib compression Read More »

How to patch a Windows API in x64dbg

2020-12-24 2021-01-27 / Malware Analysis

Some months ago, I analyzed a banking Trojan that employed a chain of injections. First, it hollowed an instance of svchost.exe. From there, it injected its code into several processes (especially browsers). My goal was to analyze the network protocol. Unfortunately, all processes could communicate with the CC and there was a mutual exclusion scheme …

How to patch a Windows API in x64dbg Read More »

Learn to quickly detect RC4 encryption in (malicious) binaries

2020-12-23 2021-01-27 / Malware Analysis

RC4 (also known as ARC4) is a simple stream cipher. It was designed in the late 1980s and its internals became known to the public in the mid-1990s. While it is a very simple and fast crypto algorithm, security researchers have discovered multiple flaws in it throughout the years. Today, it is just another broken …

Learn to quickly detect RC4 encryption in (malicious) binaries Read More »