Tag malware

ImmunityDbg API breakpoints script

This is a python script for Immunity debugger that sets breakpoints on “interesting” APIs. Here is the list of APIs (in no particular order): “ZwRaiseHardError” “bind” “listen” “socket” “DeviceIoControl” “ZwCreateFile” “ZwCreateSection” “ZwQueryInformationFile” “ZwQueryAttributesFile” “ZwCreateUserProcess” “ZwOpenKeyEx” “ZwOpenKey” “ResumeThread” “CopyFileA” “CopyFileExW” “CopyFileW” “CreateDirectoryA” “CreateDirectoryW”…

Fysbis backdoor analysis

Reportedly the Fysbis backdoor has been used by the Sofacy(APT28) group in targetted attacks against defense organizations and East European governments. The malware has both 32 and 64-bit versions, but in this article we will show snippets from the latter one.…

IDA script to create a memory dump

This is an IDA script that can do a memory dump. It’s useful to run it after you’ve gone past the obfuscation layer(s) and reached the decrypted code auto eax; auto start; auto end; auto f; f = fopen(“dump.bin”, “w”); start =…

Forensics with Volatility

Command Description $./volatility –filename=. –profile=WinXPSP2x86 psscan Check for hidden processes (would show as False in pslist or psscan) $./volatility –filename=. –profile=WinXPSP2x86 psxview Check for hidden processes (would show as False in pslist or psscan) $./volatility –filename=. –profile=WinXPSP2x86 envars -p 123…