Static and Dynamic Analysis

Introduction

In this particular blog I'm going to shed light on the backdoor/trojan "SilentMoon" operated by the Russian APT group Turla. Turla has hijacked satellite communications to break into governments and private-sector organisations; it is a cyber espionage APT group that has been active for nearly two decades (since around 2004).


Static & Dynamic Analysis

Introduction

In this particular blog, I will walk you through the internals of Stop Ransomware, covering both static and dynamic analysis of the sample.


Japan faces a consistent threat from the NK APT Lazarus.

Introduction

In this particular blog, I will walk you through the internals of two malware families, "VSingle" and "ValeforBeta", used by Unit180 in targeted hacking operations against Japan, much like the hacking operations Unit180 carried out against Japan in "Operation Dream Job", where they used "Torisma" and "LCPDot". In this campaign too, the malware was built following similar tactics and techniques.

Analysis

Static Analysis (Basic)


Reverse Engineering New Variant of Ransomware seen in 2021

Introduction

Babuk Ransom is a newly discovered ransomware that targets enterprises in operations known as Big Game Hunting. The Babuk threat actors were first seen in 2021, lurking as part of the double-extortion groups. In this blog I will be reversing the latest sample of Babuk ransom.

The sample analyzed in this report has the following SHA-256 hash:

18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb

Analysis

Static Analysis (Basic)


Ransomware used to target Microsoft Exchange Servers.

Recently, APT group attackers started targeting Microsoft Exchange Servers after the flaw (a 0day) in Microsoft Exchange Server was published on GitHub. Once the 0day exploit was published on GitHub, these attackers began compromising MS Exchange servers by scanning them for the 0day vulnerability and then deploying the DearCry ransomware on them. In this blog I will walk you through the reverse engineering of the DearCry ransom, covering both static and dynamic analysis.

Static and Dynamic Analysis

Static Analysis (Basic)


Analysis of a .NET Ransomware from the "Ryzerlo" Malware Family.

Intezer Report: https://analyze.intezer.com/analyses/0762ca51-f301-4dc2-9f3c-786cffd0437a#ttp-section

Static Analysis (Basic)


This blog is about the analysis of the Trojan packed inside APT29's PolyGlot Duke.

It's the follow-up to my previous blog on PolyGlot Duke, in which I unpacked the packed PolyGlot Duke. Here is the link to that blog.

Static and Dynamic Analysis

Static Analysis (Basic)

File Information


Unpacking, Static and Dynamic Analysis of PolyGlot Duke.

In this blog, I will be covering the unpacking, static and dynamic analysis of the trojan "PolyGlot Duke" from APT29. In this blog we focus only on unpacking.

Unpacking

File Information

It's a 64-bit malware, which is packed.


Advanced Persistent Threats: recent targeted espionage and collaboration.

In this particular blog we will see the matching patterns in malware code used in targeted attacks by APTs, recently observed in organised cyber crime activities.

Assertion after Analysis (APTs Collaborating)

APT-C-41, APT40, APT28, APT39, APT29, UNC2452, UNC2546, APT37 and APT38.

Starting off from StrongPity and the Chinese APT tool SManager.

The entry functions of both malware samples, from APT-C-41 and APT40, are quite similar. Whereas StrongPity uses an executable as its backdoor, APT40 uses a .dll for the cyber espionage tool it deploys against its targets.


A quick and dirty way to unpack the SManager Chinese APT tool.

This blog is the last in my series on the analysis of SManager. I had planned to write more blogs on unpacking for our infosec community. I hope you like this one.

If you haven't read my previous blogs on the SManager Chinese APT tool, then go ahead and read them. I'm mentioning them here.

The SManager Loader analysis:

The SManager analysis:

Here we go with unpacking the SManager tool.

File Information:

Look carefully here: the entropy is high, around 6.727. It's the 32-bit malware loader which we have to hammer down to the SManager executable.

0xthreatintel

Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.
