# Newest Posts

#### Creating a Deobfuscator

Sometimes open source tools don't work on a sample and you have to get your hands dirty and do things yourself. This post is about how I went from an unknown sample to being able to identify what family the sample is from and derive IOCs from it.

{% content-ref url="/pages/yoUkHN9d6W8o25ZQSozX" %}
[Creating a deobfuscator](/malware-writeups/analysis/creating-a-deobfuscator.md)
{% endcontent-ref %}

#### VBS-JS Polyglot

By abusing VBS and JS comments, a pseudo-polyglot can be built that takes advantage of how cscript and wscript allow a user to specify a scripting engine from the command line.

{% content-ref url="/pages/Y4d0Qy1B2d8qFYJtLxmv" %}
[VBS-JS Polyglot](/malware-writeups/development/vbs-js-polyglot.md)
{% endcontent-ref %}

#### Analyzing GuLoader: Extracting and Deobfuscating PowerShell Payloads

This guide outlines how to dissect GuLoader malware by extracting and deobfuscating its PowerShell payloads. It details locating `wscript` calls to extract the initial script and determining substring values for deobfuscation with Python scripts.

{% content-ref url="/pages/BrKqRZmyr6ZIjo3cESk5" %}
[GuLoader Script Deobfuscation](/malware-writeups/analysis/guloader-script-deobfuscation.md)
{% endcontent-ref %}

#### Creating a PowerShell Obfuscator

This method employs several techniques to obfuscate PowerShell payloads: XOR encryption, gzipped base64 encoding, and minimal variable usage. It ensures scripts evade detection in PowerShell ISE by encoding input characters with an XOR key, shuffling arrays, and constructing format strings that reference the encrypted values.

{% content-ref url="/pages/5eFpCXzWCn0iI6bH6Ujp" %}
[PowerShell Script Block Obfuscation](/malware-writeups/development/powershell-script-block-obfuscation.md)
{% endcontent-ref %}

#### Solving ROP Emporium split

This challenge, akin to ret2win, demands passing "/bin/cat flag.txt" as an argument to a function rather than the function automatically reading the flag. Using pwndbg and cyclic, the buffer size is determined, followed by the location of specific gadgets using radare2 and ropper to manipulate the program flow and call the desired function. By combining located gadgets, the exploit is crafted to execute "/bin/cat flag.txt," revealing the flag upon script execution.

{% content-ref url="/pages/mrpshXCWvzSphMlxqw0D" %}
[Split](/binary-exploitation/rop-emporium/split.md)
{% endcontent-ref %}

#### Unraveling Quakbot's Demise: Insights from Operation Duck Hunt

An international coalition, including the FBI, dismantled Quakbot's network, addressing over 700,000 infected hosts. Initial analysis of the Operation Duck Hunt sample revealed vague clues, but meticulous disassembly and debugger use unveiled the shellcode's memory allocation, exposing executable files stored within allocated memory blocks. Deeper investigation into the dumped DLLs and executables provided insights into the sample's timeline and actions, aiding in understanding the takedown's orchestration.

*December 5th 2023*

{% content-ref url="/pages/pnBKgwCOUdHvsD8fTUPS" %}
[Operation Duck Hunt](/malware-writeups/analysis/operation-duck-hunt.md)
{% endcontent-ref %}

#### Solving ROP Emporium ret2win

This post dives deep into mastering ROP exploits, particularly focusing on the 'ret2win' challenge. It guides readers through using Python and Radare2 to craft and execute a specialized code sequence, successfully retrieving hidden data from 'flag.txt'. A concise and practical guide to conquering ROP challenges.

{% content-ref url="/pages/uM9MQPmk5BPyBopIRUbF" %}
[Ret2Win](/binary-exploitation/rop-emporium/ret2win.md)
{% endcontent-ref %}

#### Exploring AsyncRAT: Dissecting a Multi-Stage Malware

This detailed post offers an in-depth analysis of a sophisticated malware leveraging AsyncRAT, an open-source Remote Access Tool maintained by NYAN-x-CAT. It delves into the intricate infection chain, starting with a malicious WSF file and progressing through PowerShell scripts, shedding light on the malware's staging, persistence establishment, and its final payload injection into RegSvcs.exe. Through technical breakdowns of downloader, builder, injector, and RAT components, it unveils the obfuscation techniques, anti-analysis checks, and communication methods employed by the malware, providing a comprehensive understanding of its functionalities and threat implications.

{% content-ref url="/pages/Hpeaa6BCFQCh45SOcihJ" %}
[AsyncRAT](/malware-writeups/analysis/asyncrat.md)
{% endcontent-ref %}
