We recently stumbled upon an old article by Daisuke Mutaguchi explaining an extreme PowerShell obfuscation technique. The article is in Japanese, so you may have to use Google Translate.
Here’s the final example provided by the author of the article:
Yes, this is valid PowerShell.
Although there are limits to static deobfuscation, we decided to see what can be done about this with the new release of our PowerShell Beautifier package.
Continue reading “Extreme PowerShell Obfuscation”
This malware gives us a chance to see the recently introduced Silicon Shellcode Emulator in action.
Continue reading “PowerShell Malware with x64 Shellcode”
We recently stumbled upon this tweet by @Cryptolaemus1 about a malicious OneNote document with an embedded ISO file. Because of our recently released ISO Format package, we thought it would be interesting to analyze this malware sample with Cerbero Suite.
The unidentified embedded object in the OneNote document is an ISO file.
Continue reading “OneNote Malware With ISO File”
An interesting sample containing a number of different obfuscation techniques. In this article we analyze the dropper in detail and reach the final stage.
The first file we encounter is a OneNote document. If the “OneNote Format” package is installed, all files are automatically extracted.
Continue reading “RedLine Stealer Dropper”
We created a UPX Unpacker package for the upcoming 5.6 version of Cerbero Suite.
From the UPX website: “UPX is a free, portable, extendable, high-performance executable packer for several executable formats.”
By installing the UPX Unpacker package, binaries compressed with UPX are automatically identified and unpacked as child objects.
PE, ELF and Mach-O binaries are all supported.
If for some reason a binary is not automatically unpacked, the unpacker can be invoked manually as an action.
Additionally, the unpacker can be invoked from Python.
from Pkg.UPXUnpacker.Unpack import unpack
# file_name: path of the UPX-packed binary to unpack
ret, output = unpack(file_name)
# prints the unpacker output
print(output)
This package will be available for all licenses of Cerbero Suite.
We have just released our String Decrypter package on Cerbero Store for all licenses of Cerbero Suite. The String Decrypter package is very useful for reversing malware and during CTFs.
This utility can be invoked as an action from a hex view or a Carbon disassembly. It can be used to brute-force the decryption of strings and byte-arrays.
String Decrypter supports various types of string encodings combined with endianness and it can filter decoded strings with the following options:
– Don’t filter (include raw byte-arrays)
– Include only decoded strings
– Include only strings with ASCII characters
– Include only strings matching a regular expression provided by the user
The plugin supports parallel execution, which will make a difference as more algorithms are added to the list. Also, for every decryption method the number of combinations is displayed.
For every decrypted entry, String Decrypter shows the performed operation along with the string encoding (if available).
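To make the brute-force and filtering behaviour concrete, here is an added Python example (not the String Decrypter package's code) of the same idea on a small scale: every single-byte XOR, add, sub and rotate key is applied to a byte-array, each result is decoded with several encodings including both UTF-16 endiannesses, and the candidates are kept according to the four filter options listed above. Each hit reports the operation and the encoding that worked, and the key space per method is what the "number of combinations" column corresponds to. The encrypted samples are constructed in the script from strings typical of malware string tables; they are not from any real sample.

```python
import re

# Encodings tried for every candidate, covering the endianness variants.
ENCODINGS = ("ascii", "utf-8", "utf-16-le", "utf-16-be")


def _xor(data, key):
    return bytes(b ^ key for b in data)


def _add(data, key):
    return bytes((b + key) & 0xFF for b in data)


def _sub(data, key):
    return bytes((b - key) & 0xFF for b in data)


def _rol(data, key):
    # Rotate every byte left by `key` bits (1..7).
    return bytes(((b << key) | (b >> (8 - key))) & 0xFF for b in data)


# Method name -> (transform, key space). The key space is the number of
# combinations tried for that method.
METHODS = {
    "xor": (_xor, range(1, 256)),
    "add": (_add, range(1, 256)),
    "sub": (_sub, range(1, 256)),
    "rol": (_rol, range(1, 8)),
}


def combinations(method: str) -> int:
    return len(METHODS[method][1])


def _decode(blob: bytes, min_len: int):
    """(encoding, text) for the first encoding yielding printable text of >= min_len chars."""
    for enc in ENCODINGS:
        try:
            text = blob.decode(enc)
        except UnicodeDecodeError:
            continue
        if len(text) >= min_len and text.isprintable():
            return enc, text
    return None, None


def brute_force(data: bytes, mode: str = "decoded", pattern: str = None, min_len: int = 4):
    """Try every method/key on `data`; keep candidates according to `mode`:
    'raw'     keep every byte-array without decoding (the "don't filter" option)
    'decoded' keep only candidates that decode to printable text
    'ascii'   as 'decoded', restricted to 7-bit ASCII text
    'regex'   as 'decoded', restricted to text matching `pattern`
    Each method is independent of the others, so this loop splits naturally
    across worker processes for parallel execution."""
    regex = re.compile(pattern) if mode == "regex" else None
    hits = []
    for name, (fn, keys) in METHODS.items():
        for key in keys:
            out = fn(data, key)
            op = f"{name} 0x{key:02x}"
            if mode == "raw":
                hits.append({"op": op, "encoding": None, "text": out.hex()})
                continue
            enc, text = _decode(out, min_len)
            if text is None:
                continue
            if mode == "ascii" and not text.isascii():
                continue
            if mode == "regex" and not regex.search(text):
                continue
            hits.append({"op": op, "encoding": enc, "text": text})
    return hits


# Constructed samples (not from a real binary): a URL XOR-encrypted with 0x5a,
# and a UTF-16LE command line with 0x10 added to every byte.
SAMPLE_XOR = _xor(b"http://example.invalid/update.bin", 0x5A)
SAMPLE_ADD16 = _add("cmd.exe /c".encode("utf-16-le"), 0x10)

if __name__ == "__main__":
    for method in METHODS:
        print(f"{method}: {combinations(method)} combinations")
    for hit in brute_force(SAMPLE_XOR, "regex", r"https?://"):
        print(hit)
    for hit in brute_force(SAMPLE_ADD16, "regex", r"cmd\.exe"):
        print(hit)
```

The "decoded" filter is noisy on purpose: UTF-16 decoding of almost any even-length buffer produces printable CJK text, which is why the ASCII and regex filters exist. The ASCII filter drops those, and a regex for what you expect to find (a URL scheme, a file extension, a registry path) is the fastest way to a usable result.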