Eset ChallengeME 2013 Solution

About a month ago I got a link to ESET’s ChallengeMe from a friend, yesterday I had some free time to work on that, and finally I solved it. You can get the crackme from the link below: http://www.joineset.com ESET Crackme #1 I have also attached all files to the post as they might be […]

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 3

We are finally at the end of our Caphaw/Shylock analysis. This time we will deal entirely with the code injected into explorer.exe process, the context will be a little more complex than previous episodes because we will work within a multithreaded environment. The injected code will identify an active domain (DGA based) in order to download other […]

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 2

Welcome to the second part of our analysis of Caphaw/Shylock. In the first chapter we have gone through the dropping and unpacking stages of this malware. In this second part we will go through the remaining HSE:: Step(s) – in particular we will see how the previously gathered information will be used, the network interactions […]

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 1

In this essay we will perform an in-depth analysis (from the unpacking to explorer.exe code injection) of the most recent version of Caphaw/Shylock, a banking malware that, at the time of discovery, was ranked as FUD (Fully UnDetected) by VirusTotal. The article will cover the following topics: Analysis of the packer and related unpacking. Reverse […]

Quick Volatility overview and R.E. analysis of Win32.Chebri

Introduction In this article we will start from the physical memory dump of a machine suspected of malware compromise, successively with volatility we will establish if the machine is infected and produce evidences from memory artifacts. In the next steps the malicious component will be carved from memory and analyzed with a classical Reverse Engineering […]

Stabuniq Financial Infostealer Trojan Analysis

According to Symantec, Stabuniq is a financial infostealer trojan which has been found on servers belonging to financial institutions, including banking firms and credit unions. The Trojan also compromised home computer users and computers at security firms. Targets sounds interesting, so here at UIC R.E.Academy we decided to take an in depth look to this trojan […]

An overview of Cythosia DDoS Bot

Cythosia v2 is a DDoS Botnet System has been published in BlackMarket Forums a while ago, we decided to publish an article shared on my private blog. Here at UIC R.E. Academy we strongly believe in sharing knowledge, for this reason we decided to publish articles, also not up to date, that could come handy/teach […]

Artro Botnet Anatomy Overview

Following the idea of knowledge sharing, here another article taken from my private blog and shared for our readers. Some time ago, while talking with Roman from abuse.ch, we found it necessary to give a more in depth look of a very active Botnet named Artro ( executable commonly identified as Win32/Renos or Trojan-Downloader.Win32.CodecPack ) […]

DarkComet Analysis – Understanding the Trojan used in Syrian Uprising

On February 17th the CNN published an interesting article, where some Syrian’s regime opponents claimed that the government was using a Trojan to monitor and disrupt the protestor’s network. Apparently the regime has been using a well-known social engineering technique: impersonate a trusted person then attack from the inside. It is not possible to confirm […]

Reverse Dxtory

It’s been a while since reversing of .NET applications began. I still remember the first tutorials on the subject and the first targets for which changing a few bytes with an hex editor was enough to fully remove the restrictions from. So much has changed: developers of both software and protections made the reversing process […]