Skip to content

Instantly share code, notes, and snippets.


Marcus Botacin marcusbotacin

View GitHub Profile
marcusbotacin / inject.c
Created Sep 28, 2020
Injected DLL Loader
View inject.c
#ifdef INJECT
char cmd[10*NAME_SIZE] = "C:\\Windows\\system32\\rundll32.exe";
sprintf(args,"%s %s,#1",cmd,name);
CreateProcessA(cmd,args,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi );
marcusbotacin / dead.c
Created Sep 28, 2020
Dead Code Excerpt
View dead.c
void dead()
View dropper.c
for(int i=0;i<size;i++){
// byte pointer
unsigned char c1 = ((char*)data)[i];
// add your encryption/decryption routine here
// drop byte to file
// file fully written
marcusbotacin /
Created Apr 25, 2020
A Bit More On Code Obfuscation

A Bit More On Code Obfuscation

I recently published my analysis on the Netwalker Ransomware, which included the deobfuscation step Check it here. I think that (de)obfuscation techniques is an interesting subject, so I decided to write a little bit more about it.

There are basically two types of obfuscation techniques:

  • Binary Level: These are binary transformations to hide instructions and data inside binaries. It is usually implemented by binary packers, often used by malware.
  • Source Code Level: These are source code transformations to hide the program's statements. These are often used by malicious scripts.

In this draft, I will consider only the last case.

marcusbotacin /
Last active Jan 30, 2021
Netwalker Randomware Analysis

Netwalker Ransomware Analysis

Everything starts with a VBS file. It is available on VirusTotal. It is suspicious to have a text file sized 600KB, which already indicates it is a dropper in the first look.

Digging into the file, the first line presents:

code = "==A#>,A#>,A#>,A#>,A#>,A#>,A#>,A#>,A#>,...

Another clue that it is a dropper. Base64 strings often indicate that it is the encoded payload.