Welcome to GoggleHeadedHacker
Reverse Engineering Crypto Functions: RC4 and Salsa20
25 August 2021
Many malware samples use encryption for Command and Control (C2) communications, file encryption, string obfuscation, and many other tasks. It can be challenging to know which encryption algorithm you are looking at when analyzing a sample. This post aims to teach newer analysts about common encryption algorithms, how they work, and how you can identify them when reverse engineering.
Sodinokibi Ransomware Analysis
02 May 2021
Back in March, a new version of the Sodinokibi (AKA REvil) Ransomware was released. Sodinokibi is a Ransomware-as-a-Service (RaaS) provider that has been covered in the news quite a bit. With the new version out, I decided to give a technical analysis of how it operates. I got the sample from an overview of the new features that R3MRUM gave in a tweet towards the end of March. The file, whose hash is 12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39, can be found on VirusTotal or Any.Run.
Anti-Analysis Techniques Used in Excel 4.0 Macros
24 March 2021
I recently reversed another Excel document with 4.0 Macros that was similar to my previous post on the subject but had some added anti-analysis features that I wanted to share. I recommend reading the previous post to learn more, as this article will not be going step-by-step through the analysis process. If you would like to follow along, you can find the sample here.
Automatic Gobfuscator Deobfuscation with EKANS Ransomware
17 March 2021
A few months ago I saw an article by Netlab 360 describing the malware BlackRota, specifically the obfuscation method used, known as gobfuscate. I noticed that a deobfuscator was made for this using Binary Ninja’s API, so I decided to take a crack at developing a plugin for Cutter. To demonstrate the tool I created, I will also give a brief analysis of another malware sample that uses gobfuscate, EKANS.
Malicious Excel 4.0 Macro Analysis
17 December 2020
A while back I gave a brief analysis of an obfuscation technique used in a malicious Excel document on Twitter. This technique utilized Excel 4.0 macros to grab a second stage and had some interesting Anti-Sandbox evasion. In this post I want to give an in-depth analysis of the obfuscation that was used and how to deobfuscate the macros to get the second stage.