-
Batch Deobfuscation (RemcosRAT)
Batch Scripts “A “batch” file is a script file in DOS, OS/2 and Microsoft Windows. It consists of a series of commands to be executed by the command-line interpreter, stored in a plain text file. A batch file may contain any command the interpreter accepts interactively and use constructs that...
-
Malicious Document Analysis Part-2 (Microsoft Excel Documents)
Introduction On the previous article we started malicious document analysis topic with Microsoft Word Documents. In this blog we will see Malicious Excel Documents. Actually these 2 topics and from now on malicious document topics will not be so different. I wanna analyze most seen type of malwares and these...
-
Malicious Document Analysis Part-1 (Microsoft Word Documents)
What are Malicious Documents? In cyber attacks, there are multiple stages to an attack, and these stages have specific objectives. In the concept of the Cyber Kill Chain, it is known that attackers use different tools and technologies at different stages to carry out a successful attack. In this article,...
-
Powershell and Obfuscation
What is Powershell? Powershell is an object-oriented automation language developed by Microsoft in 2006. Built with .NET, this platform is built to make it easier for system administrators to manage devices and create scheduled tasks. In 2016, the source code was published as open-source. So why is there powershell in...
-
What is Unpacking?
What is Unpacking? One of the primary goals of malware developers is to make it difficult to analyze and, for the reasons that arise, to detect. More than one technique is used for this purpose. The subject of this article will be the “packing” technique, which is perhaps the most...
-
Patching
What is Patching? It is a concept known to everyone who used a computer in the 2000s and somehow thought, “How can I use this software for free?”; Patching. There were cracker brothers/sisters who were cool to us back then, behaviors that seemed extremely mysterious to us because we didn’t...
-
YARA Rules
Content What is YARA rule? Meta Strings Conditions What is YARA rule? YARA is a tool used by analysts in the classification/identification of malware with a specific syntax. The rules written for this software are also called the YARA Rule. This blog post contains information about the general concept of...
-
x86 Assembly Language 101
What is Assembly? In the first years of computers, different processor architectures began to be produced. These architectures are the rules that determine the code that can be run on and the results of the code that is run. I don’t want to dive too far into its history (I...
-
PE Format
What is PE ? PE (Portable Executable) are files that can be moved and run between Windows systems without compatibility problems. To be portable, a common language/architecture must be defined for all devices, data that means “A” on one device must mean “A” on another device. Here, too, an architecture...
-
Malware Analysis Basics
Malware Analysis Basics Topics Malware lab preparation What is malware? What are the types of analysis? Toolkit Compiling a C/C++ Source File Example Introduction One Windows (7/10) virtual machine and one RemNux virtual machine are required to be used in the analyzes to be performed. FlareVM is available as Windows...