ARTICLES | KAHU SECURITY
Menu: Tools | Introducing Reneo | CMD Watcher and Maldocs | Introducing PSUnveil | CMD Watcher Updated

17 APR 2020. Another Way to Analyze XLM Macros. XLM macros have been making a comeback so it's important to be able to analyze them. I wrote a proof of concept

11 DEC 2019. Excel VBA Loads DLL into Itself. A security researcher, Mahendra K R, reached out to share a sample with me recently. The researcher was trying

4 JUL 2019. Introducing PSUnveil. PSUnveil is a tool you can use to analyze obfuscated PowerShell scripts. Here's a look at the interface

5 DEC 2018.

TOOLS | KAHU SECURITY
Tools. Disclaimer: All tools have been tested on 32-bit/64-bit Windows 7 but work on Windows 10 as well. They are available free for personal or business use. Many of these tools have been packed to combine DLLs and make them portable.

Reneo. Description: Reneo is a Windows tool to help incident responders, forensics specialists, and security researchers analyze and reverse engineer malicious and obfuscated scripts and other content. This tool can convert from/to various formats, transform, deobfuscate, encode/decode, encrypt/decrypt, and hash strings.

Introducing PSUnveil. PSUnveil is a tool you can use to analyze obfuscated PowerShell scripts. Here's a look at the interface. The tool features three modes to choose from: Manual, Semi-Automated, and Automated. In Manual mode, you will have to find and replace "invoke-expression" (and its many derivatives) to "echo" or "write-output" in the

CMD Watcher and Maldocs. Having spent a good amount of time analyzing a variety of maldocs, I realized that they had one thing in common. Have a look at this chart below and you might have the same "a-ha" moment I had. I realized that many of these maldocs use CMD to launch the next stage. Of course, not all maldocs follow this chart.

CMD Watcher Updated. I've gotten several pieces of good feedback regarding CMD Watcher so I'm releasing a new update with these changes. Big thanks to @James_inthe_Box and @ledtech3 for the ideas. This new version monitors both cmd.exe and powershell.exe and you have the option to kill either or both processes. Now let's try this on some live malscripts

CMD Watcher Updated to v0.3. I updated CMD Watcher to give you more flexibility in capturing scripts from Office maldocs and other programs. I also noticed that CMD Watcher does not play nicely with Windows 10 x64 consistently so I created 32-bit and 64-bit versions.

Tools Update vs Latest Maldocs. A couple of tools have been updated to make it easier to handle the latest malicious documents. URL Monitor. This is essentially a rewrite of URL Revealer.

Deobfuscating the Latest Maldocs. The constant barrage of malicious emails seeping into your users' inboxes appears to be coming from Emotet, Hancitor, and Trickbot.

Deobfuscating the PowerShell Stego Script. Malwrologist (@DissectMalware) tweeted about an interesting PowerShell script that retrieves malicious content from a PNG file. First, change the end so that we echo the result and not execute it. The variable I echo is the same one defined earlier (underlined). Now copy the entire script, open up the CMD prompt and paste it in. Open the output file and scroll down to the bottom. There's the result (remove the !hoR! at the beginning though).

Custom Base64 Decoder. There's another new exploit pack making its rounds. Seems to be quite pervasive as I'm seeing its redirect code on many compromised sites.

Revelo - Javascript Deobfuscator. I mentioned a new tool I've been developing to help with Javascript deobfuscation months ago. I've been working on it off and on but it's taking me a while. The tool works by writing the Javascript with some user-based modifications to an HTML file, opening the file inside of the tool, and extracting deobfuscated elements using the Internet Explorer engine. This tool does rely on the user to make some choices based on some understanding of the obfuscated script.

New Javascript Deobfuscator Tool. This particular spam page redirect was brought to my attention by a colleague because it was getting past the web filters using Javascript obfuscation.

Javascript Deobfuscation Tools Redux. Back in 2011, I took a look at several tools used to deobfuscate Javascript. This time around I will use several popular automated and semi-automated/manual tools to see how they would fare against today's obfuscated scripts with the least amount of intervention.

Javascript Deobfuscation Tools (Part 2). In the previous article, I manually deobfuscated three malicious scripts. This time around, I'll use publicly available tools to see which ones can tackle real-world obfuscated Javascript code.

Reversing a Self-Contained Phishing Page. I came across this SANS ISC blog article called "Phishing with a self-contained credentials-stealing webpage". According to the article, the complete phishing page is delivered to victims and the phishing page is protected by obfuscated JavaScript.

8x8 Script Leads to Infinity Drive-By. The "8x8" script I'm referring to includes a link that looks like this: hxxp://website/JB3xd6iX.php?id=87342871 And can be detected using a regular expression that looks something like this: One set of links redirects users to social engineering scams (e.g. fake Adobe Flash Player update) that I wrote about earlier.

Registry Dumper - Find and Dump Hidden Registry Keys. The cybercriminals behind Poweliks implemented two clever techniques in their malware. The first was leveraging rundll32.dll to execute Javascript and the second was using a method to hide/protect their registry keys. I'll be focusing on the second method.

Scout -- New Tool Released. Here's another tool that you might find useful when analyzing potentially infected websites. Scout is Pinpoint on steroids.

Securing KeePass with a Second Factor. Cybercriminals are now stealing password managers so it's time to make them more secure. You can check out this article for
Setting Up YubiKey. Install and run the YubiKey Personalization Tool then plug the YubiKey into an available USB port. Click on the Challenge-Response menu item at the top then click on the HMAC-SHA1 button. Click on Configuration Slot 2, ensure user input is required, and the fixed 64-byte input is selected.

Converter.NET Released. I spent the past several months porting Converter to the .NET Framework and am finally able to release a public version of it.

Sava Exploits Pack. This is a new exploit pack that is being offered for free. It also goes by the name "Pay0C Pack". The author seemed to have combined exploits

RIG Exploit Pack. A new exploit pack has been marketed in the underground since last month and appears to be picking up some steam. The new pack is called RIG and touts the following exploits:

ABOUT | KAHU SECURITY
About. Kahu Security is a personal blog website used to document and share research and knowledge related to security, digital forensics, reverse engineering, and malware analysis.

DISCLAIMER. Kahu Security highlights security projects and research that may include references to malicious content. Your use of this website is at your own risk.

OLDER ARTICLES
13 DEC 2014. Wild Wild West - 12/2014. Added the following packs: Null Hole, "Hanjuan EK", "Archie EK", "Astrum EK"
6 DEC 2014. Registry Dumper - Find and Dump Hidden Registry Keys. The cybercriminals behind Poweliks implemented two clever techniques in
26 NOV 2014.
RIG EXPLOIT PACK
RIG Exploit Pack. A new exploit pack has been marketed in the underground since last month and appears to be picking up some steam. The new pack is called RIG and touts the following exploits: DEOBFUSCATING THE LATEST MALDOCS Deobfuscating the Latest Maldocs. The constant barrage of malicious emails seeping into your users' inboxes appear to be coming from Emotet, Hancitor, and Trickbot. DEOBFUSCATING THE POWERSHELL STEGO SCRIPT First, change the end so that we echo the result and not execute it. The variable I echo is the same one defined earlier (underlined). Now copy the entire script, open up the CMD prompt and paste it in. Open the output file and scroll down to the bottom. There's the result (remove the !hoR! at the beginning though). JAVASCRIPT DEOBFUSCATION TOOLS REDUX Javascript Deobfuscation Tools Redux. Back in 2011, I took a look at several tools used to deobfuscate Javascript. This time around I will use several popular automated and semi-automated/manual tools to see how they would fare against today's obfuscated scripts with the least amount of intervention. NEW JAVASCRIPT DEOBFUSCATOR TOOL New Javascript Deobfuscator Tool. This particular spam page redirect was brought to my attention by a colleague because it was getting past the web filters using Javascript obfuscation.* Home
* About
* Tools
ARTICLES

24 MAY 2020 - Tools Update vs Latest Maldocs
A couple of tools have been updated to make it easier to handle the latest malicious documents...

17 APR 2020 - Another Way to Analyze XLM Macros
XLM macros have been making a comeback, so it's important to be able to analyze them. I wrote a proof of concept tool that provides insight into what it's doing...

1 FEB 2020 - Emotet Stats
The Emotet gang's email lures, which take advantage of current news events, seem to be quite convincing and successful...

12 DEC 2019 - Reversing a Self-Contained Phishing Page
I came across this SANS ISC blog article called "Phishing with a self-contained credentials-stealing webpage"...

11 DEC 2019 - Excel VBA Loads DLL into Itself
A security researcher, Mahendra K R, reached out to share a sample with me recently. The researcher was trying...

4 JUL 2019 - Introducing PSUnveil
PSUnveil is a tool you can use to analyze obfuscated PowerShell scripts. Here's a look at the interface...

5 DEC 2018 - CMD Watcher Updated to v0.3
I updated CMD Watcher to give you more flexibility in capturing scripts from Office maldocs...

25 NOV 2018 - Deobfuscating DOSfuscated Scripts
In a recent article, I wanted to easily collect malicious scripts dumped from Office...

10 NOV 2018 - CMD Watcher Updated
I've gotten several pieces of good feedback regarding CMD Watcher, so I'm releasing a new...

7 NOV 2018 - CMD Watcher and Maldocs
Having spent a good amount of time analyzing a variety of maldocs, I realized that...

2 NOV 2018 - Reneo Updated
Reneo has been updated to version 0.2 and includes many new features...

1 NOV 2018 - Deobfuscating the PowerShell Stego Script
Malwrologist (@DissectMalware) tweeted about an interesting PowerShell script...

24 JUN 2018 - Introducing Reneo
Reneo is a Windows tool to help incident responders, forensics specialists, and...

14 APR 2018 - Deobfuscating the Latest Maldocs
The constant barrage of malicious emails seeping into your users' inboxes appears...

30 MAR 2018 - Reflow Javascript Backdoor
A script was left behind on a compromised machine. This led to the discovery of...

25 FEB 2018 - Deobfuscating a "Sophisticated" Mailer
"Sophisticated" in that the spammer obfuscated the mailer script quite well...
DISCLAIMER
Kahu Security highlights security projects and research that may include references to malicious content. Your use of this website is at your own risk. You assume complete responsibility for, and for all risk of loss and damage resulting from, your downloading and/or using of any information obtained from this website.
CONTACT US
kahu.securitygmail(dot)com
KahuSecurity.com. All Rights Reserved.