HiMan EK and CVE-2013-2551

Quick Analysis

Recently during one of my analysis of URLs from urlquery, I came up with a URL ending in: /ie8910.html. The link, after being opened, returns an index with the following code:   As it can be seen from the "ip-blocked-by-firefox" Google Safe Browsing is already blocking the address, though there is no active service on port 8080 while there's one running on port … read more.

Introduction to ARMv8 64-bit Architecture


Introduction The ARM architecture is a Reduced Instruction Set Computer (RISC) architecture, indeed its originally stood for "Acorn RISC Machine" but now stood for "Advanced RISC Machines". In the last years, ARM processors, with the diffusion of smartphones and tablets, are beginning very popular: mostly this is due to reduced costs, and a more power efficiency compared to … read more.

Eset ChallengeME 2013 Solution


About a month ago I got a link to ESET's ChallengeMe from a friend, yesterday I had some free time to work on that, and finally I solved it. You can get the crackme from the link below: http://www.joineset.com ESET Crackme #1 I have also attached all files to the post as they might be removed after some time. The file name is EsetCrackme2013.exe. and As you … read more.

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 3


We are finally at the end of our Caphaw/Shylock analysis. This time we will deal entirely with the code injected into explorer.exe process, the context will be a little more complex than previous episodes because we will work within a multithreaded environment. The injected code will identify an active domain (DGA based) in order to download other executables (binary update for … read more.

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 2


Welcome to the second part of our analysis of Caphaw/Shylock. In the first chapter we have gone through the dropping and unpacking stages of this malware. In this second part we will go through the remaining HSE:: Step(s) - in particular we will see how the previously gathered information will be used, the network interactions between the bot and the Command and Control Server … read more.

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 1


In this essay we will perform an in-depth analysis (from the unpacking to explorer.exe code injection) of the most recent version of Caphaw/Shylock, a banking malware that, at the time of discovery, … read more.

Active CookieBomb, CVE 2013-2465 and Reveton

Quick Analysis

This is the second QuickAnalysis post after the one by evilcry; During my daily urlquery investigation (http://urlquery.net/report.php?id=5098255), I come across a website infected by the CookieBomb … read more.

AndroidOS.Opfake.a malware analysis

Android OpFake

While sifting through the Clean-MX malware database I found one suspicious APK with a low detection rate (3/39 on VirusTotal), so I decided it was worth to a look at what seemed to be an OpFake … read more.

Low detection “Flash_update.exe”

Quick Analysis

UIC's [Quick Analysis] blog posts are a fast way to share some information and/or samples which are under our microscope. About "Flash_update.exe" During my daily malware hunting I came across a … read more.

Quick Volatility overview and R.E. analysis of Win32.Chebri


Introduction In this article we will start from the physical memory dump of a machine suspected of malware compromise, successively with volatility we will establish if the machine is infected and … read more.