Understanding calling conventions during malware analysis

When you do analysis of malware in for example x64dbg or IDA Pro it’s important that you understand how functions are called, what arguments are passed to the function and how to recognize the local variables within that function.

Further down in this post are my notes from the SANS FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques course and the The IDA Pro Book.

First some core concepts.

A function is aRead more.

Risky Business #480 — Uber, Kaspersky woes continue – VMRay

I did my first podcast interview for Risky Business (hosted by Patrick Gray) and described how I use VMRay for automated malware analysis. I enjoyed it a lot! You can listen to at Risky Business #480 — Uber, Kaspersky woes continue, the part on VMRay starts at 41:30.

If you’re interested in integrating VMRay with MISP then have a look at

MISP EcoSystem – Threat Intelligence, VMRay, MISP from Koen Van ImpeRead more.

Stealing a cryptocurrency wallet. Or is it a metasploit reverse shell?

SANS ISC posted a diary on 9 Fast and Easy Ways To Lose Your Crypto Coins and a report on scans for Bitcoin wallet files.

This started me thinking about setting up a simple honeypot, pretending to be a self-decompressing crypto wallet archive and see if criminals would actually open that file, hoping it to be an unprotected crypto wallet.

Announce a “wallet.dat” / “wallet.zip” on public dump sites; Host the file on a publicRead more.

Integrate vulnerability information from VulnDB in MISP

MISP, Malware Information Sharing Platform & Threat Sharing is a feature-rich platform for sharing threat intelligence information. You can extend MISP so that it integrates nicely with your own security solutions via the MISP module extensions. These MISP module extensions, https://github.com/MISP/misp-modules/, allow you to

extend the MISP threat intelligence sharing platform without altering the core; connect and enrich the MISP information from other information providers; get started quickly without a need to study theRead more.

MISP-Dashboard, real-time visualization of MISP events

You are running a MISP instance and you want to visualize the MISP events in real-time?

MISP-Dashboard can do that! An example :

Vimeo video :

In this post I will walk you through how to setup MISP-Dashboard, based on the event data made available via botvrij.eu.

MISP-Dashboard is a new repository showing live data and statistics from the MISP ZMQ. It means you need to have MISP-ZMQ configured.

The MISP ZeroMQ pluginRead more.

BadRabbit malware

Another day, another supposedly large scale malware attack. This time it’s called BadRabbit.

2017-10-25 : Detection methods (Windows events) 2017-10-25 : YARA rules 2017-10-25 : Removed spreading via Eternalblue 2017-10-25 : Removed Petya link

Based on the information from ESET the malware targets

transportation organizations governmental organizations media outlets Russia fewer attacks in Ukraine, Turkey and Germany

The malware is delivered via a fake Adobe Flash update (drive-by attack)

hxxp://1dnscontrol.com/flash_install.php (block this URL) hxxp://1dnscontrol.com/install_flash_player.exe (blockRead more.

Malware abusing Microsoft Office DDE features

SANS has reported on different malware attacks (Hancitor and Necurs) that abuse the Microsoft Office DDE feature. Similarly, Talos also reported on a malware campaign that used the same technique to get a first foothold in an organisation (DNSMessenger).

DDE is a Microsoft feature now superseded by OLE that allows applications to share data and memory. Usage of the feature does not require a macro and will not show the user a security warning. TheRead more.

Practical KRACKs

KRACKs (Key Reinstallation AttaCKs) is a number of vulnerabilities in WPA2, related to key handshakes between a client and an access point.

An attacker can trick a victim into reinstalling an already-in-use key. This key (the 3rd message in a 4-way handshake) is resent multiple times by the attacker and each time installed by the client, resetting the nonce. By forcing nonce reuse in this manner, the same encryption key is used with nonce valuesRead more.

What I learned by attending FOR610: Reverse-Engineering Malware / part 1

I attended SANS FOR610: Reverse-Engineering Malware instructed by Jess Garcia in Copenhagen (Sep-17). I’m now studying for certification and using captured malware samples for doing exercises. In this post I go through

Using public (OSINT) information; Behavioural analysis with sandboxes (via a public malware sandbox); Malicious Office documents.

Note that the purpose of the exercise is not to understand in detail every line of code in the malware. The analysis is done from an incidentRead more.

Basic Security Tools You Cannot Afford to Miss in Your Risk Management Program

I published an article on IBM Security Intelligence on Basic Security Tools You Cannot Afford to Miss in Your Risk Management Program. The article covers essential, freely available, tools for doing security risk management.