Quick Volatility overview and R.E. analysis of Win32.Chebri

Introduction: In this article we will start from the physical memory dump of a machine suspected of malware compromise; then, using Volatility, we will establish whether the machine is infected and produce evidence from memory artifacts. In the next steps the malicious component will be carved from memory and analyzed with a classical Reverse Engineering […]

Android Fake Browser Update Analysis

Recently our colleague N3mes1s found a fake browser updater for Android (the archive password, as usual, is: infected), so I decided to take a look at it. Before we begin I suggest you download the de-obfuscated Java files. The malicious application has the following characteristics: Size: 178111 bytes MD5: 3dcea4358e6229828cfa5a052327088f SHA1: 2f146ea64d5439c243f8e14ecb00b717c60aaacf SHA256: 983e662c5fa649ab25a5209d8996d6ddf581f15ef73d8e14c8360125d2c5f920 Platform: Android Tools: AndroChef Java Decompiler: just to […]

McRat Malware Analysis – Part1

In this issue we are going to analyze McRat, a stealer of user data and passwords. This malware is interesting since it makes use of some anti-debugging techniques and several encryption/obfuscation layers in order to prevent us from analyzing its code; the analysis will be divided into two parts. During the first part we will bypass the […]

Analysis of CVE-2010-0188 PDF from RedKit ExploitKit

After noticing a substantial increase in RedKit infections, following a series of investigations performed on URLQuery, we decided to dig deeper to understand what was happening behind the curtains. RedKit is an exploit pack that uses the following infection flow. We have this for today’s example: http://urlquery.net/report.php?id=1305873 and the resource is http://senreibehn.narod.ru/ A user visiting a page compromised with […]

Update 2 – Facebook infection: the fake “Flash Player”

In these days I’ve seen some friends of mine catch a Facebook virus: this virus posts a message with ten friends tagged and a link to a malicious site; the infection, which came from Turkey (at least on the surface), is OS independent because it uses Firefox and Chrome extensions: a fake Flash Player. HTML code […]

Stabuniq Financial Infostealer Trojan Analysis

According to Symantec, Stabuniq is a financial infostealer trojan which has been found on servers belonging to financial institutions, including banking firms and credit unions. The Trojan also compromised home computer users and computers at security firms. The targets sound interesting, so here at UIC R.E.Academy we decided to take an in-depth look at this trojan […]

An overview of Cythosia DDoS Bot

Cythosia v2 is a DDoS botnet system that was published on black-market forums a while ago; we decided to republish an article originally shared on my private blog. Here at UIC R.E. Academy we strongly believe in sharing knowledge, and for this reason we decided to publish articles, even ones that are not up to date, that could come in handy/teach […]

Artro Botnet Anatomy Overview

Following the idea of knowledge sharing, here is another article taken from my private blog and shared with our readers. Some time ago, while talking with Roman from abuse.ch, we found it necessary to take a more in-depth look at a very active botnet named Artro (executable commonly identified as Win32/Renos or Trojan-Downloader.Win32.CodecPack) […]

Deobfuscating generic BlackHole 2 with JsADO

I wrote this article to describe how to use JsADO (JS-Auto-DeObfuscator), a little project that I’m developing to automatically deobfuscate JavaScript code: JsADO hooks a JS function such as eval to capture the code that is about to be executed, or element.appendChild to dump the HTML object that is about to be inserted into the page. I’m going to explain how to […]

DarkComet Analysis – Understanding the Trojan used in Syrian Uprising

On February 17th CNN published an interesting article in which some opponents of the Syrian regime claimed that the government was using a Trojan to monitor and disrupt the protesters’ network. Apparently the regime has been using a well-known social engineering technique: impersonate a trusted person, then attack from the inside. It is not possible to confirm […]