
MADRID Labs Posts

Ghidra Plug-in to Decode XOR-Obfuscated Strings

As a reverse engineer or malware analyst, it is important to be able to write scripts that automate your workflow. One example is writing plug-ins for tools such as Ghidra that help deobfuscate the strings in a particular sample. In this example we recover strings that were obfuscated with the bitwise XOR operation. The techniques used are fairly simple and serve as an introduction to writing Python plug-ins and string deobfuscation routines. Code: https://github.com/comosedice2012/XOR-Decode-Strings-Ghidra-Plugin/blob/main/deobfuscate_ghidra_strings.py Original sample and DLL: https://github.com/jstrosch/XOR-Decode-Strings-IDA-Plugin Analysis on YouTube: https://youtu.be/un8I6dfuDVQ Below is a sample of the obfuscated string pattern. The function…


Analyzing Document with Malicious Excel 4.0 Macros

Let’s look at an example of Excel 4.0 macros, an old technique that has made a recent comeback. Excel 4.0 macros were introduced in Excel version 4.0 in 1992. What makes these macros so powerful is that you can run commands directly from these sheets in an Excel document. There is a long list of what you can do (https://d13ot9o61jdzpp.cloudfront.net/files/Excel%204.0%20Macro%20Functions%20Reference.pdf and https://0xevilc0de.com/excel-4-macros-get-workspace-reference/). How Do Excel 4.0 Macros Work? The simple example below pops the calculator and prints some text. To do this, right click on the “sheet” tab at the bottom of the screen, click “insert”, and select “Excel…


Announcing Collaboration with Any.Run

Any.Run, an interactive online sandbox, has started a formal cooperation with the MADRID Labs at Dakota State University, under the supervision of Dr. Josh Stroschein. This collaboration benefits the students, courses and other activities at DSU that are focused on malware analysis. The following is a snippet from the Any.Run press release: ANY.RUN, an interactive online sandbox for detecting and investigating malware, has started a cooperation with Dakota State University in Madison, S.D. Three online malware courses at DSU – Malware Analysis, Intrusion Detection, and Advanced Malware – have integrated the service into their programs, giving students a…


Qbot: Analyzing PHP Proxy Scripts from Compromised Web Server

About Qbot Qbot (also known as Qakbot) is an information stealer that has been active since 2007. It was originally used as a banking trojan, but has since been updated to steal credentials from other, non-financial sites as well. Qbot has also been observed in a variety of other activities, including distributing ransomware. Recently, Qbot has been distributed through spam email campaigns. Specifically, a URL is sent in an email. This URL belongs to a compromised WordPress site controlled by the attacker and redirects to a malicious PHP script that loads…


Analysis of Password Protected Malicious Word Document

Let’s take a look at an example of a malicious Word document that has a password-protected VBA project. When looking at malware, it is a good idea to first verify the file type you are dealing with, since many malware authors deliberately use deceptive file extensions to appear as benign as possible. Running the “file” command on this sample confirms that it is a Word document, as the extension suggests. Our next step is checking the streams for macros using oledump.py. The following three streams contain macros, indicated by an uppercase “M”. Searching for…
