I published the following diary on isc.sans.org: “Windows Batch File Deobfuscation“: Last Thursday, Brad published a diary about a new ongoing campaign delivering the Emotet malware. I found another sample that looked the same. My sample was called ‘Order-42167322776.doc’ (SHA256: 4d600ae3bbdc846727c2922485f9f7ec548a3dd031fc206dbb49bd91536a56e3) and looked the same as the one analyzed by Brad. The
Tag: Deobfuscation
[SANS ISC] Obfuscating without XOR
I published the following diary on isc.sans.org: “Obfuscating without XOR“. Malicious files are generated and spread over the wild Internet daily (read: “hourly”). The goal of the attackers is to use files that are: not known by signature-based solutions; not easy to read for the human eye. That’s why many
[SANS ISC] Analysis of a Maldoc with Multiple Layers of Obfuscation
I published the following diary on isc.sans.org: “Analysis of a Maldoc with Multiple Layers of Obfuscation“. Thanks to our readers, we often get interesting samples to analyze. This time, Frederick sent us a malicious Microsoft Word document called “Invoice_6083.doc” (which was delivered in a zip archive). I had a quick
[SANS ISC] Diverting built-in features for the bad
I published the following diary on isc.sans.org: “Diverting built-in features for the bad“. Sometimes you may find very small pieces of malicious code. Yesterday, I caught this very small JavaScript sample with only 2 lines of code… [Read more]
[SANS ISC Diary] Analysis of a Suspicious Piece of JavaScript
I published the following diary on isc.sans.org: “Analysis of a Suspicious Piece of JavaScript“. What to do on a cloudy, lazy Sunday? You go hunting and review some alerts generated by your robots. Pastebin remains one of my favourite playgrounds and you always find interesting stuff there. In a recent