Oct 18, 2015 · A list of sites that analysts may find useful in their day-to-day analysis of indicators and threats. While verifying and searching for new sources, I came across Links and resources for malware samples, Malware Analysis and Incident Response Tools for the Frugal and Lazy, and Free Online Tools for Looking …
A few days ago Jindrich Kubec (Avast) pinged me that the RunForestRun malware changed the domain generating algorithm (DGA) and now uses waw.pl subdomains (instead of .ru) in malicious URLs. I decided to take a look at the new scripts and found quite a few very interesting changes.
The obfuscated script is a normal python script. With an extra module pytransform.py and a few extra runtime files, the plain Python scripts can be replaced with obfuscated ones seamlessly.
3. Malware obfuscation techniques: Register Reassignment. Register reassignment is another simple technique that switches registers from generation to generation. Note that wildcard searching can make this technique useless. An original malware sample is obfuscated by reassigning EAX and EBX to EBX and EDX respectively.
However, the number of suitable defenses remains small. For Linux command-line obfuscation, we can barely find any detection tools. Concerning defenses against Windows command obfuscation, existing schemes either lack tooling or only partially resolve the problem, sometimes even inaccurately.
Mar 07, 2017 · The first sample we will investigate is a .wsf file. This type of file is a Windows script file and can contain various scripting languages. In this case, we're dealing with an obfuscated VBScript. Due to the obfuscation, it's impossible to see at first sight what this script is trying to accomplish.
Dec 18, 2019 · Earlier this year, we did a roundup of the first 6 months of MacOS malware in 2019, noting that there had been quite an uptick in outbreaks, from a return of OSX.Dok and Lazarus to new cryptominers, a fake WhatsApp trojan and the rapid development of a macOS bug which allowed remotely-hosted attacker code to execute on a local machine without warning from Gatekeeper.