reverse engineering

Over the last few months we saw that Locky's loader uses a seed parameter to execute properly. This method was probably used to prevent sandboxing, since it will not execute without the correct parameter. Afterwards, we saw Locky shift itself from an EXE to a Dynamic Link Library (DLL). We recently encountered yet another Locky development, where binary strains are using the Nullsoft installer package as their loader. In this post we will delve into how to unpack the final binary payload from its Nullsoft package loader. Decompressing Locky's...
by Floser Bacurio Jr. and Kenny Yongjian Yang  |  Sep 12, 2016  |  Filed in: Security Research
Sousan Yazdi, Junior Antivirus Analyst; Margarette Joven, Antivirus Manager. Special technical contribution by Liang Huang, Senior Antivirus Analyst. CryptoLocker is the name of a ransomware trojan family that emerged late last year. This malware is designed to target Microsoft Windows systems and is renowned for its ability to take its victim's files hostage by fully encrypting files on the victim's computer. The victim is then shown a message informing them that the only possible way to recover the encrypted files is by paying a...
by Sousan Yazdi  |  Jan 16, 2014  |  Filed in: Security Research
Recently, I ran into a malicious sample (Android/Mseg.A!tr.spy) which was causing Baksmali to stall. This does not happen that often. I contacted Jesus Freke, the author of smali/baksmali, who quickly fixed the issue. A deeper look at the sample turned out to be quite interesting. The sample is highly obfuscated (perhaps actually a bit too much - we'll discuss that later) with very long and strange class and method names. For instance, we note a class named "AFHttpPacket;>" (yes, the ; and > are part of the name) in a no less strange namespace: "java/util/concurrent/BlockingQueue<Lcom/adfresca/sdk/packet"...
by Axelle Apvrille  |  Dec 16, 2013  |  Filed in: Security Research
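The class names quoted above are legal in a DEX file (the Dalvik/ART verifier accepts characters that javac never emits) but break tools that assume javac-shaped identifiers. A quick triage check is to walk the DEX type_ids table and flag any descriptor whose path segments are not valid Java identifiers. The script below is an added example and is not code from the post or from the smali/baksmali project; it builds a minimal DEX in memory (constructed sample, with header offsets taken from the public dex format specification) containing two ordinary descriptors and two shaped like the obfuscated names described, and reports the odd ones.

```python
"""Flag DEX type descriptors that javac could never have produced.

Added example (not from the post): walks the string_ids and type_ids tables
of a DEX file and reports class descriptors whose path segments are not
legal Java identifiers, e.g. names containing ';', '<' or '>'.
"""
import struct

HEADER_SIZE = 0x70
# Fixed header field offsets from the dex format spec.
OFF_STRING_IDS_SIZE, OFF_STRING_IDS_OFF = 0x38, 0x3C
OFF_TYPE_IDS_SIZE, OFF_TYPE_IDS_OFF = 0x40, 0x44


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _read_uleb128(buf, off):
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def _uleb128(value):
    out = bytearray()
    while True:
        b = value & 0x7F
        value >>= 7
        if value:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def _read_string_data(buf, off):
    # string_data_item: uleb128 UTF-16 length, then MUTF-8 bytes, NUL terminated.
    _, off = _read_uleb128(buf, off)
    end = buf.index(b"\x00", off)
    # MUTF-8 differs from UTF-8 only for NUL and supplementary characters,
    # so ASCII/BMP descriptors decode identically.
    return buf[off:end].decode("utf-8", errors="replace")


def dex_type_descriptors(dex):
    """Return every descriptor in the type_ids table, in index order."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    n_str, str_off = _u32(dex, OFF_STRING_IDS_SIZE), _u32(dex, OFF_STRING_IDS_OFF)
    n_typ, typ_off = _u32(dex, OFF_TYPE_IDS_SIZE), _u32(dex, OFF_TYPE_IDS_OFF)
    string_data_offs = [_u32(dex, str_off + 4 * i) for i in range(n_str)]
    out = []
    for i in range(n_typ):
        str_idx = _u32(dex, typ_off + 4 * i)  # type_id_item.descriptor_idx
        out.append(_read_string_data(dex, string_data_offs[str_idx]))
    return out


def segment_is_java_identifier(seg):
    # Java identifiers may contain '$' (inner/synthetic classes); otherwise
    # Python's identifier rule (letters, digits, underscore) is close enough.
    return bool(seg) and seg.replace("$", "_").isidentifier()


def descriptor_is_javac_shaped(desc):
    """True for primitives and for L<pkg>/.../Name; with identifier-only segments."""
    core = desc.lstrip("[")  # drop array dimensions
    if core in ("V", "Z", "B", "S", "C", "I", "J", "F", "D"):
        return True
    if not (core.startswith("L") and core.endswith(";")):
        return False
    return all(segment_is_java_identifier(s) for s in core[1:-1].split("/"))


def find_suspicious_types(dex):
    return [d for d in dex_type_descriptors(dex) if not descriptor_is_javac_shaped(d)]


def build_sample_dex(descriptors):
    """Constructed minimal DEX: header + string_ids + type_ids + string data.

    Enough for the walker above; it is not a loadable classes.dex.
    """
    n = len(descriptors)
    str_ids_off = HEADER_SIZE
    typ_ids_off = str_ids_off + 4 * n
    data_off = typ_ids_off + 4 * n
    data, str_offs = bytearray(), []
    for d in descriptors:
        str_offs.append(data_off + len(data))
        data += _uleb128(len(d)) + d.encode("utf-8") + b"\x00"
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", hdr, 0x20, data_off + len(data))  # file_size
    struct.pack_into("<I", hdr, 0x24, HEADER_SIZE)           # header_size
    struct.pack_into("<I", hdr, 0x28, 0x12345678)            # endian_tag
    struct.pack_into("<II", hdr, OFF_STRING_IDS_SIZE, n, str_ids_off)
    struct.pack_into("<II", hdr, OFF_TYPE_IDS_SIZE, n, typ_ids_off)
    body = b"".join(struct.pack("<I", o) for o in str_offs)    # string_data_off
    body += b"".join(struct.pack("<I", i) for i in range(n))   # descriptor_idx
    return bytes(hdr) + body + bytes(data)


# Constructed sample: ordinary descriptors plus two shaped like the post's names.
SAMPLE_TYPES = [
    "Ljava/lang/Object;",
    "[Lcom/example/app/MainActivity$1;",
    "Ljava/util/concurrent/BlockingQueue<Lcom/adfresca/sdk/packet/AFHttpPacket;>;",
    "La/b/c;d;",
    "I",
]

if __name__ == "__main__":
    for d in find_suspicious_types(build_sample_dex(SAMPLE_TYPES)):
        print("suspicious:", d)
```

On a real classes.dex, replace the constructed sample with `open("classes.dex", "rb").read()`; a non-empty result is a cheap signal that the APK was post-processed by an obfuscator rather than compiled straight from Java source.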
I recently came across an Android malware sample that does your usual data stealing, i.e. leaking data from the victim's phone such as the phone number, contact information etc. Most vendors name this sample Uranico (Android.Uranico, Trojan:Android/Uranico.A) based on the package name "". However, a closer look at the sample led to the realization that it looked a lot like a sample I had seen before: Android/Loozfon.A!tr, and was hence a variant of it. Hence, we decided to name it Android/Loozfon.B!tr. What led to this correlation...
by Ruchna Nigam  |  Jan 14, 2013  |  Filed in: Security Research
As promised, Fortinet's Android challenge begins.
hashdays-challenge.apk
sha1: 0b12fd28a2d912762d37379e69189cd427eb8bbc
sha256: 8acfac2d1646b7689e09aab629a58ba66029b295068ca76cdaccbdc92b4e5ea9
(it's useless to search on the servers, the solution is not there ;)
The first one to bring back the correct secret code at Fortinet's booth at Hashdays wins a FortiGate 60C, with AV/IPS/Spam filtering updates for 12 months. You will also be asked to provide a write-up of your solution in the next few days. Prize for #days challenge: a personal UTM...
by Axelle Apvrille  |  Oct 29, 2012  |  Filed in: Security Research
Thank you to everyone who tried to solve our FortiChallenge 2k11! We've had way more participants than expected, and two winners: Shirley Chen and Nagy Ferenc László. Shirley and Nagy found the secret sentence, without even using the hints. A special mention for another participant (StalkR) who tried to solve it in the wake of Insomni'Hack 2011, and managed to reach the md5 collision step. Stay tuned for the official solution! -- the Reverse naM
by Alexandre Aumoine  |  Nov 15, 2011  |  Filed in: Security Research
Any progress on our FortiChallenge 2k11? After the first clue, here is the second. Just a reminder that the first hint is meant to help you find the right way with the hashes. Don't miss the modification: Crypto Girl hates MD5 for this reason! By the way, the challenge's submission deadline is extended to Nov 13th, 2011. -- The Reverse naM
by Alexandre Aumoine  |  Nov 03, 2011  |  Filed in: Security Research
Stuck on our FortiChallenge 2k11? Here's a first hint!
Translations:
La fin est encore loin surtout quand on est sur le mauvais chemin ! -- Wrong track, go back!
La fin est proche, l'anneau est inclus. -- Dawn is close, search for the ring.
Mon precieux -- My precious
Hint:
- 6D01BAE018694CDB446DC7EADBA08BE497A8CBE78BCFE91478AB120B4400E357
- ad23ebc59b720eac0979ead3176de3331ddaa1356466ecc8e8c9fb82f62a6dca
- BCA85F09D8D174844C5D5B80095E6EF595181AAB0CABA9144324418B9F291645
- 3EE90318AA2881118B8C09A777D52129E61760CCAE1EF679C744A25E9EB50789
- 5868049FE51A60811D2C75C3B8896B956EE42114C568DE47531E436CEA2E0F77
- ...
by Alexandre Aumoine  |  Oct 21, 2011  |  Filed in: Security Research
Hello all. At Insomni'Hack 2011, we created a challenge dedicated to static reversing of Symbian executables (using SDK S60 Ed3 FP1). Sadly, nobody found the full solution, so we finally decided to put it online for you to try, until November 1st, 2011. We will then post the winner's solution on this blog, along with the 'official' solution. To help you out - if needed - this post will be updated with a hint in a few days. Challenge prize? The winner (first good solution) receives ... fame and glory :)) i.e. nothing besides marketing goodies,...
by Alexandre Aumoine  |  Oct 17, 2011  |  Filed in: Security Research
Last week we attended Insomni'Hack 2011, where our Crypto Girl (Axelle Apvrille) presented on mobile phone threats. Debriefings of the conference may be found here and there. Both blog authors highlighted the main goal of Axelle's talk, which was to raise awareness about existing threats on smartphones. Mobile phones had already been targeted for a long time (by applications sending SMS, for instance) but recently (for approximately one year) they have been hit by more advanced attacks - probably with the help of cybercriminal organizations. Their...
by Alexandre Aumoine  |  Mar 18, 2011  |  Filed in: Security Research