

Malware Analysis

Malware Families

AlphaBlend Campaign






Malware Collections

Collection Maintenance Tools

Antivirus Internals

Antivirus Bypass




PDF Based

C2 Techniques

  • dnscat2 -
  • DropboxC2C -
  • gcat (Gmail) -
  • HTTP/2 Go -


Fileless Attacks

New Reference

Summarized References

Malicious Documents

Malicious Scripts

  • Targeting powershell.exe, cscript.exe, cmd.exe and mshta.exe
  • Windows Subsystem for Linux introduces more script support
  • Preventing PowerShell detection:
    • If the attacker places a malicious script under the path %USERPROFILE%\profile.ps1 and starts PowerShell ISE, the script will be executed without powershell.exe being involved
    • Bypass execution policy: HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - set the registry value ExecutionPolicy to Unrestricted.
    • Invoke-NoShell
      • 12 different evasive document permutations
    • Invoke-Obfuscation
    • Invoke-DOSfuscation

Living off the Land

Malicious Code in Memory



New References


  • Rule-based approach to create descriptions of malware families based on textual or binary patterns.
    • Rules are composed of two sections:
      • strings definition (optional)
      • condition
    • Example rule:
      rule dummy { condition: true }

      rule silent_banker : banker
      {
          meta:
              description = "This is just an example"
              threat_level = 3
              in_the_wild = true
          strings:
              $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
              $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
              $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"  // $c restored from the YARA docs example
          condition:
              $a or $b or $c
      }
    • Sections
      • Meta Section
      • Strings Section
        • Specifies the strings that are used to identify the sample.
        • In yarGen, there are three categories of these strings, marked by $s, $x, and $z.
          • $s ("Highly Specific Strings") are very specific strings that will not appear in legitimate software.
            • Server addresses
            • Names of hacking tools and malware
            • Typos in common strings
          • $x ("Specific Strings") are likely to be indicators of malware files, but might also appear in legitimate files.
          • $z are likely to be ordinary but are not currently included in the goodware string database.
      • Condition Section
  • GitHub:
  • awesome-yara:
  • Rule Sets:
  • Analyze: yara <yara-rule> <target-file>
    • -m: print metadata of rules satisfied
    • -c: print number of matches (file path:match result)
    • -s: print matching string (hexadecimal virtual address:$string identifier:string value)
    • -p: prefix the description
  • Analyze using multiple rules:
    for file in $(find PATH-TO-DIRECTORY-CONTAINING-RULES -name '*.yar'); do
        # print the rule file when at least one of its rules matches the target
        test "$(yara -c "${file}" PATH-TO-FILE)" -gt 0 && echo "${file}"
    done 2>/dev/null
  • yarGen - Creation of YARA rules from strings found in malware files while removing all strings that also appear in goodware files. yarGen includes a big goodware strings and opcode database:
    python yarGen.py --update
    • A yarGen rule can be:
      • simple rule
      • super rule: If multiple sample files are used, yarGen will try to identify the similarities between the samples and combine the identified strings into a "super rule". Its metadata section has: super_rule = 1.
        • The simple rules generated for each file are still there.
        • Rule strings overlap between the simple rules and the super rule.
        • --nosimple to remove simple rules.
        • --nosuper not to create super rules.
    • Options:
      • --excludegood: exclude all of the goodware strings
      • --score flag: output the scores as comments in the rule file
      • -rc (maxstrings): maximum number of strings to include in each rule (20 by default)
      • -z (min-score): minimum score a string should have to be included in the rule
      • -a: author
      • -r: reference
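As an added illustration of how a super rule is derived from several samples and how the --excludegood, -z (min-score) and -rc (maxstrings) options shape it, the following Python script (written for these notes, not yarGen's own code; its scoring tiers, sample strings and goodware set are constructed stand-ins) keeps only the strings shared by all samples, drops goodware strings, ranks and caps the rest, and emits the result as YARA source with super_rule = 1 in the meta section.

```python
import re

# Constructed data: printable strings "extracted" from three samples, and a
# small goodware set standing in for yarGen's goodware string database.
SAMPLES = {
    "sample1.exe": ["kernel32.dll", "GetProcAddress", "http://c2.invalid/gate.php",
                    "Micorsoft Corporation", "mimikatz", "cmd.exe"],
    "sample2.exe": ["kernel32.dll", "GetProcAddress", "http://c2.invalid/gate.php",
                    "Micorsoft Corporation", "cmd.exe", "IsDebuggerPresent"],
    "sample3.exe": ["kernel32.dll", "VirtualAlloc", "http://c2.invalid/gate.php",
                    "Micorsoft Corporation", "mimikatz"],
}
GOODWARE = {"kernel32.dll", "GetProcAddress", "VirtualAlloc", "cmd.exe"}


def score_string(s: str) -> int:
    """Toy scoring in the spirit of the $s / $x / $z tiers (not yarGen's)."""
    if s in GOODWARE:
        return 0                       # dropped, like --excludegood
    if re.search(r"https?://", s):
        return 5                       # server address -> highly specific ($s)
    if s.lower() == "mimikatz":
        return 5                       # hacking-tool name -> $s
    if "micorsoft" in s.lower():
        return 4                       # typo in a common string -> $s
    return 1                           # ordinary but unknown -> $z


def super_rule_strings(samples, min_score=2, max_strings=20):
    """Strings shared by ALL samples (super rule) scoring >= min_score (-z),
    best first and capped at max_strings (-rc)."""
    common = set.intersection(*(set(v) for v in samples.values()))
    scored = [(score_string(s), s) for s in common]
    scored = [t for t in scored if t[0] >= min_score]
    scored.sort(key=lambda t: (-t[0], t[1]))
    return [s for _, s in scored[:max_strings]]


def render_rule(name, strings, author="analyst", reference="CONSTRUCTED"):
    """Emit YARA source for a super rule: meta, strings, condition (all of them)."""
    esc = lambda v: v.replace("\\", "\\\\").replace('"', '\\"')
    out = [f"rule {name} {{", "    meta:", f'        author = "{author}"',
           f'        reference = "{reference}"', "        super_rule = 1",
           "    strings:"]
    out += [f'        $s{i} = "{esc(v)}"' for i, v in enumerate(strings, 1)]
    out += ["    condition:", "        all of them", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_rule("constructed_super_rule", super_rule_strings(SAMPLES)))
```

Raising -z to 5 or lowering -rc to 1 in the call shows how each option narrows the emitted strings.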


New References