40 matches found
Threadtear - Multifunctional Java Deobfuscation Tool Suite
Threadtear is a multifunctional deobfuscation tool for java. Suitable for easier code analysis without worrying too much about obfuscation. Even the most expensive obfuscators like ZKM or Stringer are included. It also contains older deobfuscation tools from my github account, but it can also be...
Cellebrite UFED 7.29 Hardcoded ADB Authentication Keys Vulnerability
Cellebrite UFED versions 5.0 through 7.29 use four hardcoded RSA private keys to authenticate to the ADB daemon on target devices. Extracted keys can be used to place evidence onto target devices when performing a forensic extraction. Title: Cellebrite Hardcoded ADB Authentication Keys Publicatio...
Cellebrite Hardcoded ADB Authentication Keys
Vulnerability Details Affected Vendor: Cellebrite Affected Product: UFED Affected Version: 5.0 - 7.29 Platform: Embedded Windows CWE Classification: CWE-321: Use of hardcoded cryptographic keys CVE ID: CVE-2020-11723 2. Vulnerability Description Cellebrite UFED uses four hardcoded RSA private...
Cellebrite UFED 7.29 Hardcoded ADB Authentication Keys
KL-001-2020-001 : Cellebrite Hardcoded ADB Authentication Keys Title: Cellebrite Hardcoded ADB Authentication Keys Advisory ID: KL-001-2020-001 Publication Date: 2020.04.13 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2020-001.txt 1. Vulnerability Details Affected Vendor...
ABD - Course Materials For Advanced Binary Deobfuscation
Advanced Binary Deobfuscation This repository contains the course materials of Advanced Binary Deobfuscation at the Global Cybersecurity Camp GCC Tokyo in 2020. Course Abstract Reverse engineering is not easy, especially if a binary code is obfuscated. Once obfuscation performed, the binary would...
Defeating Compiler-Level Obfuscations Used in APT10 Malware
Summary The Carbon Black Threat Analysis Unit TAU recently analyzed a series of malware samples that utilized compiler-level obfuscations. For example, opaque predicates were applied to Turla mosquito and APT10 ANEL. Another obfuscation, control flow flattening, was applied to APT10 ANEL and Dhar...
CIRTKit - Tools For The Computer Incident Response Team
One DFIR console to rule them all. Built on top of theViper Framework Documentation Please see the wiki for more information about CIRTKit and documentation Roadmap Future integrations Bit9 Palo Alto Networks EnCase/FTK Future modules Packet Analysis possibly Dshell Javascript...
FLARE Script Series: Automating Objective-C Code Analysis with Emulation
This blog post is the next episode in the FireEye Labs Advanced Reverse Engineering FLARE team Script Series. Today, we are sharing a new IDAPython library – flare-emu – powered by IDA Pro and the Unicorn emulation framework that provides scriptable emulation features for the x86, x8664, ARM, and...
NOKKI Malware Sports Mysterious Link to Reaper APT Group
The Reaper APT group, suspected of being affiliated with North Korea, turns out to have a link to the recently uncovered NOKKI malware family. Palo Alto’s Unit 42 recently observed NOKKI-laden attacks targeted Russian- and Cambodian-speaking individuals with political lures. NOKKI is a backdoor,...
Recam Redux - DeConfusing ConfuserEx
This post is authored by Holger Unterbrink and Christopher MarczewskiOverviewThis report shows how to deobfuscate a custom .NET ConfuserEx protected malware. We identified this recent malware campaign in our Advanced Malware Protection AMP telemetry. Initial infection is via a malicious Word...
FLOSS - FireEye Labs Obfuscated String Solver (Automatically extract obfuscated strings from malware)
Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are strings and resources used to configure domains, files, and other artifacts of an infection. These key...
reversemap - Analyse SQL injection attempts in web server logs
Analyse SQL injection attempts in web server logs The program can either be run in batch mode or interactive mode. In batch mode the program will accept Apache web server logs and will deobfuscate requested URLs from the logs. In interactive mode the program will prompt for user input and will...
Deobfuscating Python Bytecode
Introduction During an investigation, the FLARE team came across an interesting Python malware sample MD5: 61a9f80612d3f7566db5bdf37bbf22cf that is packaged using py2exe. Py2exe is a popular way to compile and package Python scripts into executables. When we encounter this type of malware we...
CVE-2013-5036
The Square Squash allows remote attackers to execute arbitrary code via a YAML document in the 1 namespace parameter to the deobfuscation function or 2 sourcemap parameter to the sourcemap function in app/controllers/api/v1controller.rb...
Deserialization of untrusted data
The Square Squash allows remote attackers to execute arbitrary code via a YAML document in the 1 namespace parameter to the deobfuscation function or 2 sourcemap parameter to the sourcemap function in app/controllers/api/v1controller.rb...
Squash YAML Code Execution Vulnerability
This Metasploit module exploits a remote code execution vulnerability in the YAML request processor of the Squash application. This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit web site for more information on...
[Converter v0.7] Analyzing and Deobfuscating Malicious Scripts
Malicious Java applets have been making news for awhile so I thought I would update Converter to include some new features to help with deobfuscating them. This is a list of changes made to this version: + Replaced Binary-to/from-Text with Binary-to/from-Hex to make it more useful + Added Filter...
Java Applet JMX Remote Code Execution
This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February of 2013. Additionally, this module bypasses default security settings introduced in Java 7 Update 10 to run unsigned applet without displaying any warning t...
D-Link DCS Cameras Authentication Bypass / Command Execution
D-Link DCS Cameras suffer from authentication bypass and remote command execution vulnerabilities due to a remote information disclosure of the configuration. Unauthenticated remote access to D-Link DCS cameras =================================================== ADVISORY INFORMATION Title:...
New Linux OS REMnux Designed For Reverse Engineering Malware
A security expert has released a stripped-down Ubuntu distribution designed specifically for reverse-engineering malware. The OS, called REMnux, includes a slew of popular malware-analysis, network monitoring and memory forensics tools the comprise a very powerful environment for taking apart...