We have released the HybridAnalysis Intelligence package for all commercial licenses of Cerbero Suite Advanced. Once the package is installed, you can search malware samples on the Hybrid Analysis cloud.
Author: Erik Pistelli
Obfuscated Batch Scripts in OneNote Document
This malicious OneNote document contains two obfuscated batch scripts and we’ll be using our commercial Simple Batch Emulator package to understand what they do.
SHA256: 46149F56028829246628FFAFC58DF81A4B0FF1C87ED6466492E25AD2F23C0A13
Extreme PowerShell Obfuscation
We recently stumbled upon an old article by Daisuke Mutaguchi explaining an extreme technique for PowerShell obfuscation. The article is in Japanese, so you may have to use Google Translate.
Here’s the final example provided by the author of the article:
${;}=+$();${=}=${;};${+}=++${;};${@}=++${;};${.}=++${;};${[}=++${;}; ${]}=++${;};${(}=++${;};${)}=++${;};${&}=++${;};${|}=++${;}; ${"}="["+"$(@{})"[${)}]+"$(@{})"["${+}${|}"]+"$(@{})"["${@}${=}"]+"$?"[${+}]+"]"; ${;}="".("$(@{})"["${+}${[}"]+"$(@{})"["${+}${(}"]+"$(@{})"[${=}]+"$(@{})"[${[}]+"$?"[${+}]+"$(@{})"[${.}]); ${;}="$(@{})"["${+}${[}"]+"$(@{})"[${[}]+"${;}"["${@}${)}"]; "${"}${.}${[}+${"}${)}${@}+${"}${+}${=}${+}+${"}${+}${=}${&}+${"}${+}${=}${&}+${"}${+}${+}${+}+${"}${[}${[}+${"}${.}${@}+${"}${+}${+}${|}+${"}${+}${+}${+}+${"}${+}${+}${[}+${"}${+}${=}${&}+${"}${+}${=}${=}+${"}${.}${.}+${"}${.}${[}|${;}"|&${;};
Yes, this is valid PowerShell.
Although there are limits to static deobfuscation, we decided to see what can be done about this with the new release of our PowerShell Beautifier package.
CRX Format Package
We have released the “CRX Format” package for all licenses of Cerbero Suite Standard and Advanced. This package provides support for the Chrome extension format.
The package also allows downloading Chrome extensions from their public URL.
Chrome extensions can be downloaded either from the main window or from the analysis workspace action.
PList Format Package
PowerShell Malware with x64 Shellcode
This malware gives us a chance to see the recently introduced Silicon Shellcode Emulator in action.
SHA256: 8CF1E49C74FB05DE954A6B70281F47E3CBD021108B0EE11F4A59667FF28BFEE9
OneNote Malware With ISO File
We recently stumbled upon this tweet by @Cryptolaemus1 about a malicious OneNote document with an embedded ISO file. Because of our recently released ISO Format package, we thought it would be interesting to analyze this malware sample with Cerbero Suite.
SHA256: 2B0B2A15F00C6EED533C70E89001248A0F2BA6FAE5102E1443D7451A59023516
The unidentified embedded object in the OneNote document is an ISO file.
ISO Format Package
We have released the “ISO Format” package for all licenses of Cerbero Suite Standard and Advanced.
Video: Silicon Shellcode Emulator Introduction
A quick 70-second introduction to Silicon Shellcode Emulator: a lightweight x86/x64 emulator designed for Windows shellcode. This package is available to all commercial licenses of Cerbero Suite Advanced.
Cerbero Suite 6.4 and Cerbero Engine 3.4 are out!
We have released Cerbero Suite 6.4 and Cerbero Engine 3.4. What follows is a list of the most important new features.