Posts Tagged: malware

This is a python script for Immunity debugger that sets breakpoints on “interesting” APIs. Here is the list of APIs (in no particular order): “ZwRaiseHardError” “bind” “listen” “socket” “DeviceIoControl” “ZwCreateFile” “ZwCreateSection” “ZwQueryInformationFile” “ZwQueryAttributesFile” “ZwCreateUserProcess” “ZwOpenKeyEx” “ZwOpenKey” “ResumeThread” “CopyFileA” “CopyFileExW” “CopyFileW” “CreateDirectoryA” “CreateDirectoryW” “CreateMutexA” “CreateMutexW” “CreateFileA” “CreateFileW” “CreateProcessA” “CreateProcessW” “CreateProcessInternalA” “CreateRemoteThread” “WinExec” “OpenProcess” “Sleep” “IsDebuggerPresent” “WriteProcessMemory” “_write” “ZwWriteFile”… Read Article →

Reportedly the Fysbis backdoor has been used by the Sofacy(APT28) group in targetted attacks against defense organizations and East European governments. The malware has both 32 and 64-bit versions, but in this article we will show snippets from the latter one. As the program starts, it will check if it’s not already running and if not,… Read Article →

This is an IDA script that can do a memory dump. It’s useful to run it after you’ve gone past the obfuscation layer(s) and reached the decrypted code/data/strings. auto eax; auto start; auto end; auto f; f = fopen(“dump.bin”, “w”); start = 0x400000; end = 0x500000; eax = start; while ( eax < end ) {  … Read Article →

Scroll To Top