This is a collection of our raw research notes. Each post is generated from a Jupyter Notebook that can be found in our GitHub Research repository. Notes may contain errors, spelling mistakes, grammar mistakes, and incorrect code. Please keep in mind these are all rough drafts. Pull requests are welcome!

Notes

• Cobalt Strike Analysis

  Taking a look at Cobalt Strike config extraction and emulation

  Jun 9, 2022

• Triage Amadey Loader

  Triage of Amadey loader

  May 29, 2022

• Does Entropy Matter? A Pseudoscientific Study!

  How useful is entropy for identifying packed samples?

  May 26, 2022

• Emotet x64 Stack Strings Config Emulation

  Taking a look at the new Emotet stack strings config

  May 19, 2022

• Bumblebee Loader

  Taking a look at Bumblebee loader

  May 12, 2022

• Magniber Ransomware Triage

  Taking a look at Magniber ransomware and analyzing malware with syscalls

  May 6, 2022

• Syscall Reversing

  Helper scripts for statically reversing malware with syscalls

  May 3, 2022

• Emotet 64-bit

  Initial Triage of new Emotet 64-bit sample

  Apr 30, 2022

• Emotet Deobfuscation Generic Solution

  Removing obfsucation from Emotet with a generic solution

  Apr 20, 2022

• Symbolic Execution For Deobfuscation The Basics

  The Theory Behind Angr and Symbolic Execution and Control Flow Flattening

  Apr 13, 2022

• Emotet Deobfuscation

  Removing CFF Obfuscation From Emotet Using Angr and Symbolic Execution

  Apr 6, 2022

• Angr Control Flow Deobfuscation

  Learning about Angr for deobfuscation

  Mar 26, 2022

• Pandora Ransomware

  Analysis of Pandora ransomware including some fun unpacking

  Mar 19, 2022

• BlackCat Ransomware

  Analysis of new BlackCat ransomware with encrypted config

  Mar 16, 2022

• Hermetic Wizard Malware

  Analysis of the Hermetic Wizard malware used to spread Hermetic Wiper in the Ukrainian cyber attacks

  Mar 10, 2022