/r/Malware


A place for malware reports and information.

A place for malware reports and information for [anti]malware professionals and enthusiasts.

This is NOT a place for help with malware removal or any type of tech support. Ask your IT support staff, your search engine of choice, another subreddit (/r/antivirus or /r/techsupport for example), or a friend or relative. In that order.

Content rules:

  • This is a subreddit for readers to discuss technical malware news, malware internals and infection techniques, malware tools, and anything related to the professional world of [anti]malware. Technical Support posts are forbidden and will result in removal and a possible ban.
  • Our readers are intelligent, or at the very least technically curious. Posted content must be highly technical, well-researched, and of good quality.
  • Do not sensationalize or otherwise unnecessarily change the original title of the article you are linking. Clickbait will result in an immediate and permanent ban.

Chat with us:

#reddit-malware:matrix.org

77,412 Subscribers

1

Need recommendations for Premium Tools

I was asked to find some tools that can be used for malware analysis and intel. Atm, the budget hasn’t been established but I’ll cross that road later.

Currently, the tools used are all open source (mostly from GREM / SANS) and there have been no problems with that; I was just tasked with collecting information about paid tooling.

We have IDA Pro and possibly Maltego on the drawing board, what other tools are worth purchasing?

0 Comments
2024/04/19
21:54 UTC

10

Are hidden incoming SMS common for C&C?

Did I stumble on some evidence of a compromise? Or am I just being paranoid? I'm not sure if what I'm seeing would be normal for android malware these days.

Carrier logs for the phone's one account show incoming messages from a single origin number, at a rate of about 50 per day, for a week. On the device, there is no record of this number - no texts or calls. It is an unknown number. The block lists on the device are small and don't show this number, and there's no blocking enabled at the carrier. Tech support at the carrier said the origin number is in their block for customers.

3 Comments
2024/04/17
20:46 UTC

5

A Powerful tracing engine based on Qemu

Dynamic Tracing engines are crucial tools in Reverse Engineering. By executing a desired use-case and collecting code coverage, you can effectively narrow down the sections of the binary to refine your understanding of the program. While dealing with a MIPS binary reversing challenge, I came across a tool called Cannoli, which provides tracing capability in Qemu User-mode. It allows you to write plugins to trace execution paths and memory operations like read and write. What’s most fascinating about this tool is not just what it does (as there are other tools that also do this), but how quickly and elegantly it accomplishes its tasks. In other words, I was captivated by its engineering.

The tool’s author patched Qemu to expose some of its internal functions, allowing you to inject your own code into the JIT code emitted by Qemu for execution. This is achieved by providing two callbacks: one before an instruction is lifted and another before an instruction performing a memory operation is lifted in Qemu. The real work is done by the code you inject into the JIT code. This custom code exposes execution trace and memory operation data via IPC to another process, which then post-processes this data.

Essentially, you’ll be writing the data consumer library that is sent via IPC. The IPC design is also interesting. It uses shared memory-based IPC, where you allocate a large block of memory that is divided into smaller chunks. The idea is to use chunk sizes that match your CPU cache size to avoid cache misses, thereby improving performance. The design supports a single producer and multiple consumers. A single write-only chunk is available to the producer, and once the producer is done, it releases the buffer to be consumed. The consumers then post-process the data, clear it, and release the memory chunk to be reused by the producer.

One important thing to note is that this tool doesn’t allow you to modify the behavior of the executing program; it only allows you to observe the program’s behavior. Despite this, it’s still a very powerful tool. All of this is achieved by introducing about 200 lines of code into QEMU. There’s a lot more to discuss about this tool that can’t fit into this small post. I would recommend checking out the project link and the blog posts that discuss this tool in depth.

Project link : https://github.com/MarginResearch/cannoli

https://margin.re/2022/05/cannoli-the-fast-qemu-tracer/

https://margin.re/2023/02/harness-the-power-of-cannoli/

4 Comments
2024/04/13
10:56 UTC

3

following Maldev academy course with c++

Hello, I'm not sure if this is the right place to ask, but I couldn't find an answer to it. I have prior experience in C++ and OOP C++ (up to C++11) but no C exposure, and I've heard from people who took the course that the latter is mainly in C. I'm asking whether the course can be followed using C++, or whether the C concepts used in it aren't C-unique (memory management, for example).

1 Comment
2024/04/12
04:00 UTC

11

[Fixed] Coding The Rat King: A Multi-Family Malware Configuration Parser

I somehow managed to not post the video last time, apologies

For those who just want to use the tool/look at code:

https://github.com/jeFF0Falltrades/rat_king_parser

0 Comments
2024/04/12
00:24 UTC

0

Malware Detect Request

I recently received a file from a user. It's supposed to be a file used in an online game, but I suspect that the file is malware and sends sensitive information like account passwords to others. I checked the file, but I'm not a professional cyber-security engineer, so I would like to request some help. I will post the original link here.

https://anonymfile.com/50eN9/costumegeometry.bin

6 Comments
2024/04/11
18:38 UTC

1

Dark Web Email Search

Are there any good sources to use that can search the darkweb to see if a particular email account/password has been compromised?

I'm familiar with 'Have I Been Pwned', however that focuses on large leaks and I'm interested to see what can be found for more general instances.

5 Comments
2024/04/11
08:48 UTC

6

Dynamic Malware Analysis of Konni RAT Malware APT37 With Any.Run

We analyzed Konni RAT malware, which was developed by the advanced persistent threat group APT37 according to MITRE ATT&CK. We performed dynamic malware analysis using the Any.run cloud malware analysis tool. Konni malware masquerades as a Word document file which, when opened, downloads a spyware executable designed to exfiltrate and send machine OS and credential data to the main C2 server. The malware uses PowerShell to execute system commands to achieve the aforementioned objectives.

Video

Writeup

0 Comments
2024/04/06
11:55 UTC

8

Malware: Research shows that SpyLoan Apps have entered Tanzania and is exploiting Tanzanian Citizens.

https://www.researchgate.net/publication/379537228_Malware_Research_shows_that_SpyLoan_Apps_have_entered_Tanzania_and_is_exploiting_Tanzanian_Citizens

and

https://medium.com/@brotheralameen/malware-research-shows-that-spyloan-apps-have-entered-tanzania-and-is-exploiting-tanzanian-76ae9d2bb23f

In this research, we see the approach of Spy Loan Malware Apps in Tanzania. The threat actors then use the data to harass their victims who refuse to pay their money by means of extortion and blackmail, while the rest of their data remains in the cloud in China. Thus, a proof of cyber-espionage happening in Tanzania by the Chinese and the apps being a National Security Threat posed by the Chinese.

0 Comments
2024/04/03
19:19 UTC

4

⚠️ #Konni #APT LNK trickery: hiding multiple files in oversized LNK files

0 Comments
2024/04/03
12:11 UTC

4

From OneNote to RansomNote: An Ice Cold Intrusion

In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method. The threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa ransomware.

https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/

1 Comment
2024/04/01
11:56 UTC

3

Zero2Auto and Maldev Academy in terms of course quality.

Looking into getting into RE or malware research/development and wondering about any current opinions on these two courses. I already went through most of the RE stuff on Udemy, but getting my company to pay for these might take a while for approval, given that I only want this for my own personal interests and curiosity.

7 Comments
2024/04/01
08:54 UTC

10

Advanced Topics For Malware Analysis and RE

Hey everyone, I have been learning malware analysis for the last year and blue teaming for 2 years. For malware I studied:

- Practical Malware Analysis

- Malware Analysis Techniques

- TCM Course

- ASM and C++ Basics

I am also making reports for samples.

But I kind of get stuck in IDA Pro: I try to analyze every function and get into a rabbit hole, and I'm not much good at RE. Any resources? And what should I know to work as a malware analyst, in terms of techniques, books, and so on?

And lastly, I am not good at simple TI.

I kind of feel most of what I am learning is not what companies want, or not the real MA job.
Thanks.

8 Comments
2024/04/01
05:44 UTC

2

Compression/encryption Javascript from a phishing page

I recently encountered a phishing site targeting the customers, former and current, of several banks and credit unions. I reported the domain to the registrar listed on whois, who suspended the domain.

Before the domain got yanked, I saved a copy of a particular bit of Javascript on that phishing page. The code is unsurprisingly obfuscated. I have been able to make some sense of the logic in the code after figuring out the string-dictionary substitution scheme used in the code.

As far as I can tell, the code gathers browser characteristics and then uses XMLHttpRequest to send a compressed/encrypted (?) form of the data back to the scammers.

Below is the part of the code that does the compression/encryption, after some deobfuscation.

f={
    // Entry point: encodes a string using the 65-symbol alphabet below (index -> character).
    'h':function(D){
        if (D==null) {
            return '';
        } else {
            return f.g(D,function(E){return "4qHnrLSYkzxFAiVN$QdfE3vT0CZymIXeGPwgs5OD78Wc1ouj6UtbKRlp2a-BJMh9+".charAt(E)});
        }
    },
    // LZW-style compressor. H: phrase dictionary, I: characters not yet sent literally,
    // J: current phrase, K: codes left before the code width grows, L: next dictionary code,
    // M: code width in bits, N: output characters, O: bit accumulator, P: bits held in O
    // (a character is emitted once 6 bits are held). Values are written LSB first.
    // The fractional constants in the original (1.23, 1.19, ...) were obfuscation noise:
    // JS bitwise operators truncate them to 1, so they are written as 1 here.
    'g':function(D,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T){
        if(null==D)return'';
        for(H={},I={},J='',K=2,L=3,M=2,N=[],O=0,P=0,Q=0;Q<D.length;Q+=1) {
            R=D.charAt(Q);
            Object.prototype.hasOwnProperty.call(H,R)||(H[R]=L++,I[R]=!0);
            S=J+R;
            if(Object.prototype.hasOwnProperty.call(H,S)) {
                J=S;
            } else{
                if(Object.prototype.hasOwnProperty.call(I,J)){
                    // First use of a character: M-bit marker (0 = 8-bit code, 1 = 16-bit code), then the code.
                    if(256>J.charCodeAt(0)){
                        for(G=0;G<M;O<<=1,5==P?(P=0,N.push(F(O)),O=0):P++,G++);
                        for(T=J.charCodeAt(0),G=0;8>G;O=T&1|O<<1,P==5?(P=0,N.push(F(O)),O=0):P++,T>>=1,G++);
                    } else {
                        for(T=1,G=0;G<M;O=T|O<<1,5==P?(P=0,N.push(F(O)),O=0):P++,T=0,G++);
                        for(T=J.charCodeAt(0),G=0;16>G;O=O<<1|T&1,P==5?(P=0,N.push(F(O)),O=0):P++,T>>=1,G++);
                    }
                    K--,0==K&&(K=Math.pow(2,M),M++),delete I[J]
                } else {
                    // Known phrase: emit its dictionary code in M bits.
                    for(T=H[J],G=0;G<M;O=T&1|O<<1,P==5?(P=0,N.push(F(O)),O=0):P++,T>>=1,G++);
                }
                // Add the extended phrase to the dictionary and restart from the current character.
                J=(K--,K==0&&(K=Math.pow(2,M),M++),H[S]=L++,String(R))
            }
        }
        // Flush the final phrase the same way.
        if(''!==J){
            if(Object.prototype.hasOwnProperty.call(I,J)){
                if(256>J.charCodeAt(0)){
                    for(G=0;G<M;O<<=1,P==5?(P=0,N.push(F(O)),O=0):P++,G++);
                    for(T=J.charCodeAt(0),G=0;8>G;O=T&1|O<<1,5==P?(P=0,N.push(F(O)),O=0):P++,T>>=1,G++);
                }else{
                    for(T=1,G=0;G<M;O=O<<1|T,5==P?(P=0,N.push(F(O)),O=0):P++,T=0,G++);
                    for(T=J.charCodeAt(0),G=0;16>G;O=O<<1|1&T,P==5?(P=0,N.push(F(O)),O=0):P++,T>>=1,G++);
                }
                K--,K==0&&(K=Math.pow(2,M),M++),delete I[J]
            } else {
                for(T=H[J],G=0;G<M;O=1&T|O<<1,P==5?(P=0,N.push(F(O)),O=0):P++,T>>=1,G++);
            }
            K--,0==K&&M++
        }
        // End-of-stream marker (2) in M bits, then pad the last character with zero bits.
        for(T=2,G=0;G<M;O=O<<1|1&T,P==5?(P=0,N.push(F(O)),O=0):P++,T>>=1,G++);
        for(;;) {
            if(O<<=1,5==P){
                N.push(F(O));break
            }else P++;
        }
        return N.join('')
    }
}

The way it is used is encoded_string=f.h(original_string).

Does this code look familiar to anyone?

3 Comments
2024/03/31
22:23 UTC
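An added example, not code from the post or from the phishing page: the posted routine has the structure of the LZ-string compressor (the URI-safe variant: 6 bits per output character, a 2-bit literal marker, 8- or 16-bit character codes, code width starting at 2 bits) with its 65-symbol alphabet shuffled, so the matching decompressor lets a responder who captured the XMLHttpRequest body recover exactly which browser characteristics were collected. The block below reimplements both directions in Python using the alphabet from the post; compress is there so the decoder can be round-trip checked, and astral characters are split into UTF-16 surrogates the way charCodeAt() sees them. Assumptions: the receiving side is the standard LZ-string decoder with this alphabet, and every sample string in the usage note is constructed.

```python
# Added example, not from the post: Python codec for the LZ-string-style scheme in the posted f.h/f.g,
# so a responder can decode the bodies the phishing page sends and see what was collected.
ALPHABET = "4qHnrLSYkzxFAiVN$QdfE3vT0CZymIXeGPwgs5OD78Wc1ouj6UtbKRlp2a-BJMh9+"  # from the posted code
BITS_PER_CHAR = 6  # the posted code flushes an output character when P reaches 5

def _utf16_units(text):
    # JS charCodeAt() yields UTF-16 code units: split astral characters into surrogate pairs.
    raw = text.encode("utf-16-le", "surrogatepass")
    return [chr(int.from_bytes(raw[i:i + 2], "little")) for i in range(0, len(raw), 2)]

def compress(text):
    """Encode text the way the posted f.h() does; H/I/J/K/L/M/N/O/P there map to the names below."""
    out, acc, held, dictionary, to_create, cur = [], 0, 0, {}, set(), ""  # N, O, P, H, I, J
    dict_size, enlarge_in, num_bits = 3, 2, 2  # L, K, M
    def put(value, nbits):  # value goes out LSB first; each output char packs 6 bits MSB first
        nonlocal acc, held
        for _ in range(nbits):
            acc, held, value = (acc << 1) | (value & 1), held + 1, value >> 1
            if held == BITS_PER_CHAR:
                out.append(ALPHABET[acc])
                acc = held = 0
    def bump():  # K--; when it reaches zero the code width M grows by one bit
        nonlocal enlarge_in, num_bits
        enlarge_in -= 1
        if enlarge_in == 0:
            enlarge_in, num_bits = 2 ** num_bits, num_bits + 1
    def emit(phrase):
        if phrase in to_create:  # first occurrence of a character is sent literally
            code = ord(phrase)
            put(0 if code < 256 else 1, num_bits)
            put(code, 8 if code < 256 else 16)
            bump()
            to_create.discard(phrase)
        else:  # otherwise its dictionary code, M bits wide
            put(dictionary[phrase], num_bits)
    for ch in _utf16_units(text):
        if ch not in dictionary:
            dictionary[ch], dict_size = dict_size, dict_size + 1
            to_create.add(ch)
        if cur + ch in dictionary:
            cur += ch
        else:
            emit(cur)
            bump()
            dictionary[cur + ch], dict_size = dict_size, dict_size + 1
            cur = ch
    if cur:
        emit(cur)
        enlarge_in -= 1
        if enlarge_in == 0:
            num_bits += 1
    put(2, num_bits)  # end-of-stream marker
    put(0, BITS_PER_CHAR - held)  # pad to a full character (a whole zero character if none is pending)
    return "".join(out)

def decompress(data):
    """Inverse of compress(); raises ValueError on a truncated or malformed stream."""
    if data == "":
        return ""
    values = [ALPHABET.index(c) for c in data]  # ValueError if a symbol is outside the alphabet
    val, index, mask = values[0], 1, 1 << (BITS_PER_CHAR - 1)
    def get(nbits):  # read nbits (LSB first), consuming each character from its high bit down
        nonlocal val, index, mask
        bits = 0
        for power in range(nbits):
            bits |= (1 if val & mask else 0) << power
            mask >>= 1
            if mask == 0:  # character exhausted: pull the next one (0 past the end)
                mask = 1 << (BITS_PER_CHAR - 1)
                val, index = (values[index] if index < len(values) else 0), index + 1
        return bits
    kind = get(2)
    if kind == 2:
        return ""
    if kind == 3:
        raise ValueError("malformed stream")
    first = chr(get(8 if kind == 0 else 16))
    dictionary, w, result, enlarge_in, num_bits = [None, None, None, first], first, [first], 4, 3
    while True:
        if index > len(values):
            raise ValueError("truncated stream")
        c = get(num_bits)
        if c in (0, 1):  # a literal follows and becomes the next dictionary entry
            dictionary.append(chr(get(8 if c == 0 else 16)))
            c, enlarge_in = len(dictionary) - 1, enlarge_in - 1
        elif c == 2:
            return "".join(result).encode("utf-16-le", "surrogatepass").decode("utf-16-le", "surrogatepass")
        if enlarge_in == 0:
            enlarge_in, num_bits = 2 ** num_bits, num_bits + 1
        if c < len(dictionary):
            entry = dictionary[c]
        elif c == len(dictionary):  # code not in the table yet (the KwKwK case)
            entry = w + w[0]
        else:
            raise ValueError("malformed stream")
        result.append(entry)
        dictionary.append(w + entry[0])
        w, enlarge_in = entry, enlarge_in - 1
        if enlarge_in == 0:
            enlarge_in, num_bits = 2 ** num_bits, num_bits + 1
```

Usage: decompress(captured_body) returns the original string; for a constructed check, decompress(compress("user=alice&pass=hunter2")) gives the input back, compress("") is "$" and compress("a") is "kC4". A ValueError means the capture is truncated or contains a symbol outside the alphabet, which points to a mangled capture or a different alphabet rather than a different algorithm.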

6

[Video] JS to PowerShell to XWorm with Binary Refinery

0 Comments
2024/03/31
12:05 UTC

1

Ccd Cyber defend VS CDSA HTB

Which one is better?

0 Comments
2024/03/30
10:30 UTC

22

List of ransomware groups and their PR pages (2024)

This is a continuation of my 2023, 2022, and 2021 posts and series of the same title.

#Most active:

LockBit 3.0 - http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

Inc Ransom - http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/

Qilin - http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion/

Blackbasta - http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/

Play - http://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion/

Akira - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/

Cactus - https://cactusbloguuodvqjmnzlwetjlpj6aggc6iocwhuupb47laukux7ckid.onion

Everest - http://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion/

Ransomhub - http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion/

Abyss-data - http://3ev4metjirohtdpshsqlkrqcmxq6zu3d7obrdhglpy5jpbr7whmlfgqd.onion/

8base - http://xb6q2aggycmlcrjtbjendcnnwpmmwbosqaugxsqb4nx6cmod3emy7sad.onion/

Rhysida - http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion/

RansomEXX - http://rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion/

BianLian - http://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion/

Cloak - http://cloak7jpvcb73rtx2ff7kaw2kholu7bdiivxpzbhlny4ybz75dpxckqd.onion/

Hunters International - https://hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion/companies

Dragonforce - http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog

3am - http://threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion/

Medusa - http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/

#Active-ish:

cl0p - http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion

RA World - http://raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion/

Blacksuit - http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion/

Dunghill - http://p66slxmtum2ox4jpayco6ai3qfehd5urgrs4oximjzklxcol264driqd.onion/index.html

D0nutLeaks - http://sbc2zv2qnz5vubwtx3aobfpkeao6l4igjegm3xx7tk5suqhjkp5jxtqd.onion/xd

Cuba - http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion/

Karakurt - https://3f7nxkjway3d223j27lyad7v5cgmyaifesycvmwq7i7cbs23lb6llryd.onion

KillSec - http://kill432ltnkqvaqntbalnsgojqqs2wz4lhnamrqjg66tq6fuvcztilyd.onion/

Lorenz - http://lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion/

Meow - http://meow6xanhzfci2gbkn3lmbqq7xjjufskkdfocqdngt3ltvzgqpsg5mid.onion/


You can find all the groups and stay up to date at:

12 Comments
2024/03/27
20:55 UTC

0

Installing CAPE for malware config extraction

Hi, I am struggling to set up CAPE. I followed all the tutorials I have seen online. Please, if someone can help out, I'd appreciate it.

12 Comments
2024/03/25
17:30 UTC

4

Pinaview

I accidentally downloaded Pinaview while downloading a game. I tried deleting it, and after a few tries it worked using anti-malware apps. There seems to be a tmp file that I cannot open or delete; is it malware? Does running a malware scan really delete it?

1 Comment
2024/03/24
14:13 UTC

3

Analysis of this malware

Hello,

can you track down this malware with me:

https://file.io/xKJqJluxVFTA

2 Files which should be a "game".

So far I tracked down that they put files in your Autostart and try to access 185.125.50.17, where Hashtopolis is running.

{
    "files-path": "C:\\Users\\TEST\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\files",
    "crackers-path": "C:\\Users\\TEST\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\crackers",
    "hashlists-path": "C:\\Users\\TEST\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\hashlists",
    "zaps-path": "C:\\Users\\TEST\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
    "preprocessors-path": "C:\\Users\\TEST\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\preprocessors",
    "url": "http://185.125.50.17:8080/api/server.php"
}

Is this malware doing something else, or does it just abuse your system as a hash cracker?

5 Comments
2024/03/22
14:11 UTC

0

Mobility-search Malware

How do you get rid of the Mobility-search browser hijacker? Also, why can't Norton fix this?

3 Comments
2024/03/20
23:17 UTC

4

Kaspersky crimeware report: Android malware

Hey all, our new report is out. It's a look at Android malware from 2023. Here are a few highlights:

Tambir - A backdoor which targets victims across Turkey. We know that it disguises itself as an IPTV app, but doesn't manifest any such functionality. Instead, it's a full-fledged spyware app which collects SMS messages, keystrokes, etc.

Dwphon - This exhibits many characteristics of pre-installed Android malware, e.g. it collects device and personal info, as well as data about third-party applications installed on the device. The infection path remains unclear.

Gigabud - A RAT which has been active since at least mid-2022. Focused on stealing banking creds from victims in Southeast Asia, it initially mimicked a local airline app, but later crossed borders into other countries, such as Peru, and also changed functionality to fake loan malware.

2 Comments
2024/03/20
16:31 UTC
