Things to Do and See

Videos

• Channel
• Video List
  • Malware Deconstruction
  • Playlists
  • Tutorials

Channel

YouTube

Video List

Malware Deconstruction

• Finding Executable Code in GitHub JSON
  • I found malicious code unexpectedly in the repository JSON data
• Extracting from GitHub JSON plus Zeura Decoding
  • A longer version of the above video which includes the decoding of a zeura-encoded file
• Decoding an IndoTrojan Ransomware script
  • Opening up, decoding, and explaining an IndoTrojan ransomware script
• I wrote a decoder
  • This is the decoder used for ‘cracking’ Zeura, Sendy, and other PHPEncode obfuscated files.
• Bitwise Operations Examples
  • I’ll walk you through what logical (or bitwise) operators do, show how this transforms characters on a bit-by-bit basis, and then provide two real-life examples of how these are used to hide malicious code in seemingly random characters
• Malicious Whitespace
  • I walk the viewer through the functionality of the old CoreLibrariesHandler malware and show a variant that’s significantly harder to detect and equally powerful.
• (Not as) Sneaky as a Fox
  • I step through a webshell dropper that caught my attention when it was unsuccessfully injected into a honeypot…twice. The dropper performs a few interesting functions, which I talk about, and then I briefly show the webshell it attempts to install and point out the particular indicators that allowed me to conclude this was malicious without fully decoding the payload.
• Finding the Fox
  • I walk viewers through the deconstruction of an anonymousF0x web shell, showing the complexities of debugging multi-byte files, highlighting the interesting features of the encoding and multiple layers of this particular web shell, and showing some of the functionality built into it.
• Base64 Basics
  • I step through the process used to encode and decode strings in base64.
• Adventures in PowerShell
  • I walk viewers through a multi-stage PowerShell dropper and the two PE32 executables that it contains
• Bad Design Decision? Or Bad Code?
  • I walk viewers through an iframe injector that is encoded as RGB color codes.
• Bad Style(sheets) Will Ruin Your Site
  • I step through an iframe injector that utilizes CSS stylesheet manipulation to deploy its payload.

Playlists

• What does THAT do?
  • This is the playlist of all videos in the ‘What does THAT do?’ series. This is the main series.
• ClamAV
  • This is a playlist of all ClamAV-specific videos
• Tools and Tips
  • This is a playlist of tips, tricks, and tools that can be used. These are not geared towards decoding a specific kind of malware, but rather processes.

Tutorials

• Creating Logical Signatures
  • Quick tutorial on making a logical signature to detect multiple Subject: headers in an email message

This site is open source. Improve this page.