Update 2024-03-31-Malware-Analysis.md

sachinoliver · web-flow · commit 845d124ca354 · 2024-03-31T23:16:04.000+05:30
diff --git a/_posts/2024-03-31-Malware-Analysis.md b/_posts/2024-03-31-Malware-Analysis.md
@@ -16,7 +16,7 @@ render_with_liquid: false
 ![image](https://github.com/sachinoliver/blog/assets/63084488/68595ca5-857c-4dd8-9069-bd6b03df63c8)
 
 Extracted the sample from [`Malwarebazar`](https://bazaar.abuse.ch/sample/48abb729c4dd3419bbadd04d974a668d216d5513556d455bbd70dd3e2b723573/) with the password "infected".
-The sample is having a extenstion of .vbs, so dont run it, instead open with `notepad++`.
+The sample has an extention of .vbs, so dont run it, instead open with `notepad++`.
 
 ![notepad](https://github.com/sachinoliver/blog/assets/63084488/72f1f334-0195-4792-94fb-b3a54c266e6b)
 
@@ -25,14 +25,14 @@ Its a starigtforward obfuscation. The function Tightness which takes the decimal
 ![note](https://github.com/sachinoliver/blog/assets/63084488/673c51f3-2e7d-42f7-814d-fb2ad66c12aa)
 
 
-The code is trying to download and execute the content of the resourse at the URL.
+The code is trying to download and execute the content of the resource at the URL.
 
-So lets curl the URL and get the file content downloaded... and it says 404 as of now the resourse is not available at the URL
+So lets curl the URL and get the file content downloaded... and it says 404 as of now the resource is not available at the URL
 ![image](https://github.com/sachinoliver/blog/assets/63084488/eaef3524-aa5c-4d0d-8051-32efe3f69e74)
 
 So we have a problem here, while I am analysing the sample the content or the payload which need to get downloaded during the execution of the above `vbs` script is no more available in the pastebin.... so how are we going to analyse it....!!!!
 
-After seraching alot on internet, I was not getting the same file from any sandbox or from any Malware sample stores, So while I discussed the situation with my friend "[`Binary Panda`](https://binarypanda.me/)" who does similiar stunts with malware, so we both where trying to find the sample in different `sandboxes`. Meanwhile we saw in one of the popular sandbox we saw there is way to download pcap files for the sample which it has analyzed. That triggered a good idea!! Why cant we recreate the sample back from the pcap file!!!!
+After searching alot on internet, I was not getting the same file from any sandbox or from any Malware sample stores, So while I discussed the situation with my friend "[`Binary Panda`](https://binarypanda.me/)" who does similiar stunts with malware, so we both where trying to find the sample in different `sandboxes`. Meanwhile we saw in one of the popular sandbox we saw there is way to download pcap files for the sample which it has analyzed. That triggered a good idea!! Why cant we recreate the sample back from the pcap file!!!!
 
 ![image](https://github.com/sachinoliver/blog/assets/63084488/614384e7-3039-44f9-9d6d-5d9b9d08ec72)
 Building the sample from the response header.
@@ -77,7 +77,7 @@ So here we have two Urls that need to be downloaded for further analysis.
 But the file content is no more available in the location!!
  
 ![planet](https://github.com/sachinoliver/blog/assets/63084488/3d893871-23ad-4ffd-91e7-cb3db6e0a86b)
-Same thing happnens here too the file is not present in the localtion, so we recreate it with PCAP file which we downloaded before.
+Same thing happens here too the file is not present in the location, so we recreate it with PCAP file which we downloaded before.
 
 After building the jpeg file, opened it in a `HxD`
 
@@ -89,7 +89,7 @@ Seems like we need some cleaning to bring a real jpg file.
 
 ![steagno](https://github.com/sachinoliver/blog/assets/63084488/b6f6658c-c8fc-42aa-9792-67235a7da10c)
 Nice isnt it...
-Will Keep as a Desktop Banckground xD
+Will Keep as a Desktop Background xD
 
 
 Now as per the powershell script there are Flags `<<BASE64_START>>` and `<<BASE64_END>>` which we need to find from the file.
@@ -100,7 +100,7 @@ Lets find it in HxD
 ![image](https://github.com/sachinoliver/blog/assets/63084488/941fe0e4-fbbb-4e29-b650-a056b1138efb)
 ![image](https://github.com/sachinoliver/blog/assets/63084488/80528826-d3dc-4d05-9d92-678d94b432bd)
 
-Scrolling throught the `HxD` we saw `<<BASE64_START>>` and `<<BASE64_END>>` flags. 
+Scrolling through the `HxD` we saw `<<BASE64_START>>` and `<<BASE64_END>>` flags. 
 
 So lets decode the base64 string in `Cyberchef`
 ![image](https://github.com/sachinoliver/blog/assets/63084488/4c581c2b-18bf-43cf-8e24-98abbda62d87)
@@ -115,7 +115,7 @@ Let open it in `dnSpy`
 ![image](https://github.com/sachinoliver/blog/assets/63084488/08b1d7ae-23d5-499b-b1b4-dc5c2450314a)
 
 ## Persistence Technique
-After searching throught the .NET code, a method of ensuring persistence can be seen. This involves the program inserting itself into a registry key, enabling it to launch automatically upon each system startup. This persistence tactic help the malware to maintain a foothold within the compromised system.
+After searching through the .NET code, a method of ensuring persistence can be seen. This involves the program inserting itself into a registry key, enabling it to launch automatically upon each system startup. This persistence tactic help the malware to maintain a foothold within the compromised system.
 
 ![image (5)](https://github.com/sachinoliver/blog/assets/63084488/fc45cf3b-b29f-4740-be87-84959f89599b)
 
