We recently stumbled upon this tweet by @Cryptolaemus1 about a malicious OneNote document with an embedded ISO file. Because of our recently released ISO Format package, we thought it would be interesting to analyze this malware sample with Cerbero Suite.
The unidentified embedded object in the OneNote document is an ISO file.
Continue reading “OneNote Malware With ISO File”
We have released the “ISO Format” package for all licenses of Cerbero Suite Standard and Advanced.
Continue reading “ISO Format Package”
A quick 70-seconds introduction to Silicon Shellcode Emulator: a lightweight x86/x64 emulator designed for Windows shellcode. This package is available to all commercial licenses of Cerbero Suite Advanced.
We have released Cerbero Suite 6.4 and Cerbero Engine 3.4. What follows is a list of the most important new features.
Continue reading “Cerbero Suite 6.4 and Cerbero Engine 3.4 are out!”
We have released the URL Extractor package for all licenses of Cerbero Suite Advanced! This package prints out URLs detected when scanning a file.
In this specific image, URL Extractor detected a URL inside a VBS script contained in a Cabinet archive stored in the resources of an executable inside a OneNote document inside a Zip archive.
Continue reading “URL Extractor Package”
In this post we’re going to analyze a multi-stage PowerShell malware, which gives us an opportunity to use our commercial PowerShell Beautifier package and its capability to replace variables.
Sample SHA2-256: 2840D561ED4F949D7D1DADD626E594B9430DEEB399DB5FF53FC0BB1AD30552AA
Interestingly, the malicious script is detected by only 6 out of 58 engines on VirusTotal.
Continue reading “Reversing Complex PowerShell Malware”
We have released Cerbero Suite 6.3 and Cerbero Engine 3.3. What follows is a list of the most important new features.
Continue reading “Cerbero Suite 6.3 and Cerbero Engine 3.3 are out!”
As of today, the “OneNote Format” package is available to all licenses of Cerbero Suite! The package was previously released for commercial licenses only.
Installing the package from Cerbero Store takes only a few mouse clicks.
Once the package is installed, you can directly inspect OneNote documents in Cerbero Suite and all embedded files are automatically extracted and ready to be inspected.
Continue reading “OneNote Format Package: All Licenses”
We have released version 2.0 of our commercial PowerShell Beautifier package. The new release adds the option to remove unused variables.
For example, this is a snippet of a malicious script:
$T = 'Get'
$M = $T + 'Method'
$I = 'Invoke'
$T = $T + 'Type'
$L = 'Load'
$Q0 = [Reflection.Assembly]
$B = $Q0::$L($MyS)
$B = $B.$T('NewPE2.PE')
$B = $B.$M('Execute')
$Ub = 'C:\Windows\Microsoft'
$z = $Ub + '.NET\Framewor'
$VT = $z + 'k\v4.0.30'
$XQ = $VT + '319\RegSvcs.exe'
$B = $B.$I($null,[object] ($XQ,$serv))
With both variable replacement and removal of unused variables enabled it becomes:
$load_result = [Reflection.Assembly]::Load($x_result)
$get_type_result = $load_result.GetType('NewPE2.PE')
$get_method_result = $get_type_result.GetMethod('Execute')
$invoke_result = $get_method_result.Invoke($null, [object]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', $x_result_2))
We have released the “TAR Format” package for all licenses of Cerbero Suite Standard and Advanced.
The package is also exposed to the SDK:
from Pro.Core import *
from Pkg.TAR import *
c = createContainerFromFile(fname)
obj = TARObject()
if not obj.Load(c) or not obj.ParseArchive():
curoffs = None
entry, curoffs = obj.NextEntry(curoffs)
if entry == None:
# skip directories
print("file name:", entry.name, "file offset:", str(entry.offset_data), "file size:", str(entry.size))
# retrieves the file data as NTContainer
fc = obj.GetEntryData(entry)