Cert Central

Malware Analysis
HijackLibs.net
HijackLibs provides a curated list of DLL Hijacking opportunities: mappings between DLLs and vulnerable executables, with additional metadata for more context. For defenders, this project can provide valuable information when trying to detect DLL Hijacking attempts; for red teamers, this project can help identify DLLs that can be used to achieve DLL Hijacking.
Sogen - Windows User Space Emulator
Sogen is a high-performance Windows user space emulator that can emulate Windows processes. It is ideal for security, DRM, or malware research.
owasp-dep-scan/blint: BLint is a Binary Linter to check the security properties and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.
BLint is a Binary Linter to check the security properties and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries. - owasp-dep-scan/blint
CapacitorSet/box-js
A tool for studying JavaScript malware
revng/revng: revng: the core repository of the rev.ng project
revng: the core repository of the rev.ng project
icicle-emu/icicle-emu: Core emulator components for Icicle
Core emulator components for Icicle
GitHub - volexity/GoResolver: GoResolver is a Go analysis tool using both Go symbol extraction and Control Flow Graph (CFG) similarity to identify and resolve the function symbols of an obfuscated Go binary.
GoResolver is a Go analysis tool using both Go symbol extraction and Control Flow Graph (CFG) similarity to identify and resolve the function symbols of an obfuscated Go binary. - volexity/GoResolver
Analyzing ELF/Sshdinjector.A!tr with a Human and Artificial Analyst | FortiGuard Labs
FortiGuard Labs reverse engineers a malware’s binaries to look into what the malware is actually doing.…
YARA Forge
Streamlined Public YARA Rule Collection
hasherezade/mal_unpack: Dynamic unpacker based on PE-sieve
Dynamic unpacker based on PE-sieve.
Cuckoo Sandbox Evasion PoC available
regshot
Download regshot for free. Regshot is an open-source (LGPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product.
LLVM-powered devirtualization
Virtualization is a powerful technique for code obfuscation, and reversing it can be challenging. In this post, we cover the work done during an internship on developing an automated devirtualization tool. We explore a simplified taint-based approach and discuss its limitations. For a more in-depth analysis, the full report is also made available.
csvl/SEMA: SEMA is based on angr, a symbolic execution engine used to extract API calls. In particular, we extend angr with strategies to create representative signatures based on System Call Dependency Graphs (SCDGs). Those SCDGs can be used in machine learning modules for classification/detection.
SEMA is based on angr, a symbolic execution engine used to extract API calls. In particular, we extend angr with strategies to create representative signatures based on System Call Dependency Graph ...
No symbols? No problem!
This blog will share a tried and tested method for dealing with thousands of unknown functions in a given file to significantly decrease the time spent on analysis while improving accuracy. Once all theory is covered, an instance of the Golang based qBit stealer is analyzed with the demonstrated techniques to show what happens when the theory is put into practice.
ergrelet/themida-unmutate: Static deobfuscator for Themida/WinLicense/Code Virtualizer's mutation-based obfuscation.
Static deobfuscator for Themida/WinLicense/Code Virtualizer's mutation-based obfuscation. - ergrelet/themida-unmutate
elastic/protections-artifacts: Elastic Security detection content for Endpoint
Elastic Security detection content for Endpoint.
DISGOMOJI Malware Used to Target Indian Government | Volexity
Note: Volexity has reported the activity described in this blog and details of the impacted systems to CERT at the National Informatics Centre (NIC) in India. In 2024, Volexity identified a cyber-espionage campaign undertaken by a suspected Pakistan-based threat actor that Volexity currently tracks under the alias UTA0137. The malware used in these recent campaigns, which Volexity tracks as DISGOMOJI, is written in Golang and compiled for Linux systems. Volexity assesses with high confidence that UTA0137 has espionage-related objectives and a remit to target government entities in India. Based on Volexity’s analysis, UTA0137’s campaigns appear to have been successful. DISGOMOJI appears to be exclusively used by UTA0137. It is a modified version of the public project discord-c2, which uses the messaging service Discord for command and control (C2), making use of emojis for its C2 communication. The use of Linux malware for initial access paired with decoy documents (suggesting a […]
cod3nym/Deobfuscar: A simple command-line application to automatically decrypt strings from Obfuscator-protected binaries
A simple command-line application to automatically decrypt strings from Obfuscator-protected binaries - cod3nym/Deobfuscar
DosX-dev/PE-LiteScan: A simple cross-platform heuristic PE analyzer
A simple cross-platform heuristic PE analyzer.
Noodle RAT: Reviewing the Backdoor Used by Chinese-Speaking Groups | Trend Micro (NO)
This blog entry provides an analysis of the Noodle RAT backdoor, which is likely being used by multiple Chinese-speaking groups engaged in espionage and other types of cybercrime.
Dipping into Danger: The WARMCOOKIE backdoor — Elastic Security Labs
Elastic Security Labs observed threat actors masquerading as recruiting firms to deploy a new malware backdoor called WARMCOOKIE. This malware has standard backdoor capabilities, including capturing screenshots, executing additional malware, and reading/writing files.
leandrofroes/gftrace: A command line Windows API tracing tool for Golang binaries.
A command line Windows API tracing tool for Golang binaries. - leandrofroes/gftrace
Unveiling malware behavior trends — Elastic Security Labs
An analysis of a diverse dataset of Windows malware extracted from more than 100,000 samples revealing insights into the most prevalent tactics, techniques, and procedures.
joesecurity/sigma-rules: Sigma rules from Joe Security
Sigma rules from Joe Security.
Earth Freybug Uses UNAPIMON for Unhooking Critical APIs
This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored via a new malware we’ve discovered and dubbed UNAPIMON.
ashemery/malware-tools: A list of useful tools for Malware Analysis (will be updated regularly)
A list of useful tools for Malware Analysis (will be updated regularly) - ashemery/malware-tools
cmu-sei/pharos: Automated static analysis tools for binary programs
Automated static analysis tools for binary programs - cmu-sei/pharos