Channel: RE Solver - Malware, ransomware analysis and a lot of fun with reverse engineering.

Perfect Keylogger - Not a so perfect protection itself. An old infected...

Hello everybody, everything started by watching this video on YouTube made by a user called "St.Bandera": https://www.youtube.com/watch?v=xv1WbTQbXzY His "nasty dirty trick" used to crack the software has...

A crypto-defeat story of a malware labeled as: Backdoor.MSIL.Agent - NanoCore...

Hello everybody, on 14/01/2019 just another RAT was seen in the wild: https://www.hybrid-analysis.com/sample/38cba78c3d1650f2ad347c0254837f376fd4434904096451faee82ec31ed829a Such a sample was born as...

Free decryptor tool: Unpacking, Analysis and solution for the JobCrypter...

Hello everybody! sha256: 37e28559fba615aee1204eebf551dc588f7dc5b8a7e11893a1602da40b03f4fb...

Free decryption tool: .Happy Ransomware variant spotted in the wild

Hello everybody, today I'm gonna write a very quick analysis of a Happy Ransomware variant spotted in the wild on Jan 24 2019....

Pandabanker: from the obfuscated JS to the unpacked PE file

Hi Everybody, today I was looking at the amazing Yomi sandbox and a sample caught my attention: https://yomi.yoroi.company/report/5c5008255bd174287f15cea3/5c500979c32b700be2d9b30e/overview...

When malware hides code in images and uses an open source project to run...

Hello everybody, nowadays, from WhatsApp to malware, hiding code in images is very trendy. 😂 Something similar happened to me today with this sample:...

Double packed .net Malware: PNG obfuscation, resources Deobfuscation, On The...

Hi everybody! I was searching for another specific malware when I found this (old) .NET malware. My sick brain spoke to me: "ok, take a look at it... it's just an old shitty .NET malware... give it just 5...

D-Link DNS-320 NAS Cr1ptT0r Ransomware ARM Dynamic Analysis - QEMU and...

Hi everybody, a few days ago I saw a tweet from @Amigo_A_ asking for help about a new ransomware which was affecting a D-Link 320 NAS. My first thought went to the historical disabling of D-Link...

Cr1pt0r ransomware: FireEye FLARE idb2pat.py script to build your IDA Pro...

Hi everybody, in my previous post, in order to have a human approach to analyzing the stripped Cr1pt0r ELF, I wrote just a few words about the IDA Pro feature to build FLIRT signatures. What is FLIRT? "The...

Cr1pt0r Ransomware Analysis Libsodium/NaCl Encryption, Decryption,...

Hi everybody, after my two posts here and here, this is the third about Cr1pt0r. Cr1pt0r main function decompiled using the RetDec plugin (the graph view representation is too huge to be seen in a picture):...

DE-Cr1pt0r tool - The Cr1pt0r ransomware decompiled decryption routine

Hello everybody, after so many articles (1 - 2 - 3) about my research on this Cr1pt0r ransomware, finally there is a tiny way to decrypt your files. SPOILER ALERT: This is a very early alpha release, is...

Libsodium sealed boxes: multiple (32) working secret keys for one public key

Hi everybody, starting from the strange fact that, during the Cr1pt0r RE, I found 3 different but valid secret keys, I wanted to dig a bit more. And yes, I was wrong. For a single public key there are 32...

Tp-Link CPE-510/520 "new" Config.bin structure: Decryption, modify,...

So far, it seems nobody has yet released a tool to decrypt this kind of config structure. By doing only static analysis we'll take a look at how to figure out the new TP-Link CPE-510/520 (probably also...

TP-Link RE200 aka AC750: Unpack, repack, validate image by md5 hashing and...

This article demonstrates how "easy" it may be to build a potentially malicious firmware. This method should be valid for EVERY TP-Link firmware with header version 1 (identified by the very first 4 bytes in the...

TP-Link RE200 config.bin decryption and manipulation

A very quick article to share with you how to decrypt the TP-Link RE200 config.bin. In this article we take up the concepts seen in the previous one, jumping straight into Ghidra to take a look at the...

Linksys RE6500 - CVE-2020-35713 CVE-2020-35714 CVE-2020-35715 CVE-2020-35716...

Linksys RE6500 is a pretty new range extender built by Linksys, well, more properly by Belkin. A US product built just a few thousand km east in the "suicide factory" (the Foxconn factory, China). My...

Ho-mobile Data breach series: What if they suffer from a User Enumeration...

Hello folks, since we're talking about an Italian mobile phone carrier, it's time for me to write in Italian. Sorry for that. Well yes, it really seems that over 2.5 million customers have their identity in...

[D-Link DWR-921 | DWR-925 | DWR-118 ] Hardcoded backdoor implemented by vendor

Hi folks, I owned a D-Link DWR-921 HW:C3 with OpenWrt, but once it was no longer in use I decided to put the stock firmware back and, as a consequence, needed console root access. 😁 This device has been...

[ CVE-2022-40602 ] ZyXEL LTE3301-M209 - "Backdoor" credentials

Hi folks, as a continuation of the previous post, we're going to take a look at the ZyXEL LTE3301-M209. [!] Together with Zyxel PSIRT, we decided not to reveal the credentials. In addition, due to the...

[TP-Link TL-R483G Industrial router] Config.bin file Decrypted

Hi folks, today I'm gonna take a quick look at the TP-Link TL-R483G sold in China. I got a chance to find a firmware and config file on GitHub, so I decided to dig into it. Once the firmware was unpacked...