Recently, while surfing Reddit, I came across this beautiful subreddit which is dedicated to NK. While reading about the "mind blowing" miracles of the Supreme Leader, I clicked on several links; one link led to another, and during my visits to several NK websites, I came across the Korean Central News Agency of the DPRK. Just by taking a look at the very top of the HTML source code of the homepage, I saw this code:
In this article, I'll show you my malware analysis environment and setup. I have to say that all software and configurations described in this article are totally my personal preference: this is my configuration and I like it, but please don't hesitate to share your ideas. So I'll start from the very beginning: OS installation.
Analysis of the FinFisher shell extension, which is basically a keylogger DLL; the driverw.sys file, which they use for MBR modifications (in case \\.\PhysicalDrive0 wasn't accessible from user mode); and mssounddx.sys, which is in direct communication with the MBR code and is used to create threads and inject code into user-mode processes.
In the previous post, I fully analyzed the dropper part of the FinFisher malware. In this post, I'll share with you details of the FinFisher malware's main component, which I got from the dropper. This part is just as interesting as the dropper part and does have several techniques and tricks, but as far as I know, again, most of them were already known and used in other malware, but I might be wrong. So stay tuned for another very detailed step by step analysis.
As you may have heard, recently a FinFisher malware sample leaked online. As I got a little free time today, I decided to take a look at it. The sample I'm going to analyze in this article is finfisher1.exe.bin:
In this article I'll analyze the recent Havex malware. You can read more about this malware here.
First of all, I want to thank Kyle Wilhoit for providing me with all the samples of the Havex malware.
Ok, let's start... As far as I've seen, all samples of this malware have a resource called ICT (in the SCADA module it is called TYU) which contains an encoded config file: