Discover and read the best of Twitter Threads about #Decoding

Most recents (5)

Go is a programming language that comes with a rich standard library containing many useful packages and modules. In this, I provide an overview of the standard library modules in Go.
#golang #library
🧵👇
1️⃣. fmt - This package provides formatted I/O with functions like Println, Printf, and Scanf.
#golang #println
🧵👇
2️⃣. net - This package provides a set of network-related functions like dialing a network address, establishing a connection, and listening to a network port.
#network #http #port #golang
🧵👇
Read 21 tweets
🐀 AsyncRAT 🐀 - Defeating Obfuscation Using CyberChef

An overview of some advanced CyberChef tricks for decoding malware

[1/12] 🧵

#AsyncRAT #Decoding #CyberChef #Malware Decoding Decimal Values using cyberchefDecoding String Reverse Using CyberchefDecoding Replace Operations Using CyberChefExample of Using Registers and Regex to perform Replace Oper
[2/] First, some links if you wish to follow along.

The Malware File: bazaar.abuse.ch/sample/26c9f29…

Links to CyberChef Recipes:
github.com/embee-research…
[3] Decimal Values:

Some text is converted to decimal to hinder simple text based analysis.

To defeat:
- Subsection - This grabs encoded data without removing the rest of the script
- Regex - Grab the decimal and ignore the "chr" junk
- From Decimal - Decode the decimal Decimal Encoded Values "chr(45)" etc - Prior to De
Read 12 tweets
Ursnif Loader (Javascript) - Manual Decoding Using Cyberchef

[1/13] 👇🧵

#Cyberchef #Decoding #Ursnif #Malware
[1.1] A quick summary/TLDR before we get started

- Remove comments (manually or using regex)
- Remove "split" strings (manually or using regex)
- Remove obfuscated numbers
- (optional) Rename Variables
- Apply beautifier and syntax highlight
[2] First, I downloaded the sample from Malware Bazaar and loaded it into a safe analysis VM.

You can find the same sample here
bazaar.abuse.ch/sample/2a72302…
Read 14 tweets
(Possible) AsyncRat loader - Interesting regex to decode the obfuscated C2.

Script was found on host with an active #AsyncRat infection.

#malware #regex #decoding
[1/6] The team at @HuntressLabs are still observing IronPython executables used to load #malware.

In these cases - IronPython (ipyw.exe) file is typically renamed to SupportTool.exe or Ctfmon.exe

Since ipyw.exe is "legitimate", the VT detection rate is very low (0/72).
[2/6] The "update.py" is where the malicious action starts.

This is usually a simple python file containing an additional obfuscated script.

Below you can see this decoded via #CyberChef.
Read 7 tweets
Who's ready to start trying to decode some NBTV? I'll be transmitting some via radio waves soon, but the decoding is tricky... so for anyone interested, I've posted the original audio files to sound cloud so you can practice and get the hang of it. #radio #NBTV
First Step: You'll need to download some open source NBTV decoding software. This site has three versions. I recommend experimenting with all three (the NBTV viewer on the left and "The Big Picture" in the middle - try the older version)
users.tpg.com.au/users/gmillard…
Next step: Go to soundcloud to the NBTV audio files I uploaded and try to decode them (open the NBTV viewing software, set your source to the sound card of your computer, then just play the audio file straight from sound cloud.
Read 13 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!