Commit 60d6e82

authored Mar 31, 2024
Update 2024-03-31-Malware-Analysis.md
1 parent de8bde9 commit 60d6e82

File tree

1 file changed, +5 -5 lines changed

_posts/2024-03-31-Malware-Analysis.md

+5 -5
@@ -20,7 +20,7 @@ The sample is having a extenstion of .vbs, so dont run it, instead open with `no
2020

2121
![notepad](https://github.com/sachinoliver/blog/assets/63084488/72f1f334-0195-4792-94fb-b3a54c266e6b)
2222

23-
Its a starigtforward obfuscation. The function Tightness which takes the decimal value and return ASCII, which is (101) for letter 'e', and after deobfuscation and building the final URL, we can see proper clean code.
23+
Its a starigtforward obfuscation. The function Tightness which takes the decimal value and return `ASCII`, which is (101) for letter 'e', and after `deobfuscation` and building the final URL, we can see proper clean code.
2424

2525
![note](https://github.com/sachinoliver/blog/assets/63084488/673c51f3-2e7d-42f7-814d-fb2ad66c12aa)
2626

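Review bot: the backticks added around `ASCII` and `deobfuscation` on line 23 mark ordinary English words as inline code, which reads as if they were identifiers, while the token that actually is code here, the function name Tightness, stays unformatted. Suggest dropping those two pairs of backticks and instead writing "The function `Tightness` takes a decimal value and returns the ASCII character, e.g. 101 for the letter 'e'". The spelling in "Its a starigtforward" (It's a straightforward) is untouched by this pass and could be fixed on the same line.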
@@ -30,9 +30,9 @@ The code is trying to download and execute the content of the resourse at the UR
3030
So lets curl the URL and get the file content downloaded... and it says 404 as of now the resourse is not available at the URL
3131
![image](https://github.com/sachinoliver/blog/assets/63084488/eaef3524-aa5c-4d0d-8051-32efe3f69e74)
3232

33-
So we have a propblem here, while i am analysing the sample the content or the payload which need to get downloaded during the execution of the above vbs script is no more availble in the pastebin.... so how are we going to analyse it....!!!!
33+
So we have a problem here, while I am analysing the sample the content or the payload which need to get downloaded during the execution of the above `vbs` script is no more available in the pastebin.... so how are we going to analyse it....!!!!
3434

35-
After seraching alot on internet, i was not getting the same file from any sandbox or from any Malware sample stores, So while I discussed the situation with my friend "[`Binary Panda`](https://binarypanda.me/)" who does similiar stunts with malware, so we both where trying to find the sample in different `sandboxes`. Meanwhile we saw in one of the popular sandbox we saw there is way to download pcap files for the sample which it has analyzed. That triggered a good idea!! Why cant we recreate the sample back from the pcap file!!!!
35+
After seraching alot on internet, I was not getting the same file from any sandbox or from any Malware sample stores, So while I discussed the situation with my friend "[`Binary Panda`](https://binarypanda.me/)" who does similiar stunts with malware, so we both where trying to find the sample in different `sandboxes`. Meanwhile we saw in one of the popular sandbox we saw there is way to download pcap files for the sample which it has analyzed. That triggered a good idea!! Why cant we recreate the sample back from the pcap file!!!!
3636

3737
![image](https://github.com/sachinoliver/blog/assets/63084488/614384e7-3039-44f9-9d6d-5d9b9d08ec72)
3838
Building the sample from the response header.
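Review bot: line 33 fixes "propblem" and "availble" but leaves "which need to get downloaded" (needs) and "no more available" (no longer available), and line 35 only changes "i" to "I" while "seraching alot" (searching a lot), "similiar" (similar), "we both where trying" (were) and the doubled "we saw in one of the popular sandbox we saw" remain; suggest fixing these in the same pass, e.g. "After searching a lot on the internet, I could not get the same file from any sandbox or malware sample store". The backticks on `vbs` are fine for a file extension, but the hunk's heading line writes it as ".vbs" without them, so pick one style for the post.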
@@ -65,7 +65,7 @@ After decoding that we get a `powershell` script which needs some rearrangement.
6565

6666
![vscode](https://github.com/sachinoliver/blog/assets/63084488/f59fb93b-467c-4755-827e-fa6781a5b761)
6767

68-
Here is the clean powershell script.
68+
Here is the clean `powershell` script.
6969
So the what the script does is it retrieve data from a series of URLs.
7070

7171
## Stage3
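Review bot: the backticks on `powershell` in line 68 match how line 65 already writes it, so this change is consistent; the context line 69 directly below, "So the what the script does is it retrieve data from a series of URLs.", has a stray "the" and should read "retrieves", which the same cleanup pass could fix.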
@@ -93,7 +93,7 @@ Will Keep as a Desktop Banckground xD
9393

9494

9595
Now as per the powershell script there are Flags `<<BASE64_START>>` and `<<BASE64_END>>` which we need to find from the file.
96-
So seems like a sense of steganography technique implemented here..
96+
So seems like a sense of `steganography` technique implemented here..
9797
Lets find it in HxD
9898

9999

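Review bot: `steganography` on line 96 names a technique, not a command or identifier, so the backticks are misleading here and the sentence itself is awkward; suggest "So it seems a steganography technique is used here." without code formatting. The untouched context line 97 also has "Lets" for "Let's".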