ReLearEx

Posted on 21. January 201821. January 2018 by itsectopics

A Worm Called ‘Stration’ (Part IV) – How Stration calls APIs

H3llo, d34r fr13nd

In this chapter of our analysis, we will look at the sample in question by using a combination of a debugger (OllyDbg) and a disassembler (IDA Pro). Specifically, I will show you how Stration prepares itself for an API call.

Posted on 27. December 2017 by itsectopics

Hooking Series PART II: Interrupt Descriptor Table Hooking

H3ll0 ReLearEx-Nation,

in the second part of my hooking series, I want to show how to hook the Interrupt Descriptor Table (IDT). The IDT is an array that is able to contain at most 256 descriptors. Each of them is 8 byte in size.
Read more

Posted on 26. December 201727. December 2017 by itsectopics

Hooking Series PART I : Import Address Table Hooking

H3llo ReLearEx-Nation,

A few days ago, I had the idea to write a short series of hooking techniques. In this post, I will demonstrate how the Import Address Table of a running PE module can be hooked successfully.
Read more

Posted on 23. September 201723. September 2017 by itsectopics

A Worm Called ‘Stration’ (Part III) – Basic Dynamic Analysis

Hello,

In this blog post, I want to write about the basic dynamic analysis to gain insight into the activities performed by the Stration.

Posted on 10. September 2017 by itsectopics

A Worm Called ‘Stration’ (Part II) – Manual Unpacking

Hello 🐱‍💻

At the end of my last post, I unpacked the malware sample using the -d switch provided by UPX. Now, I will demonstrate other ways to unpack it. To do this, I will use OllyDbg.

Posted on 26. July 201725. August 2017 by itsectopics

A Worm Called ‘Stration’ (Part I) – Basic Static Analysis

Hello,

In this blog post I will talk about the Worm ‘Stration’ (aka ‘Warezov’ or just ‘Strat’). It is a worm which has its first appearance between the end of 2006 and beginning of 2007 – so, nearly ten years ago. The sample I use has the following SHA256 value: f671318c0dee143118188a670cef72bbac08d898e47815f1ea54da88bc3bd3c6

When you start with the analysis of a malicious file, one rule is to try to obtain a general overview before putting it under the microscope and looking at every little detail of the sample. Thus, I plan to divide the whole analysis into smaller chunks. In this part, I want to apply basis static analysis techniques to gain some small but important properties of the sample before I dive into a more deeper analysis.