Introducing Reneo

Reneo is a Windows tool to help incident responders, forensics specialists, and security researchers analyze and reverse engineer malicious and obfuscated scripts and other content. This tool can convert from/to various formats, transform, deobfuscate, encode/decode, encrypt/decrypt, and hash strings. The …

Sat Jul 21, 2018 23:12
Reflow JavaScript Backdoor

A script was left behind on a compromised machine. This led to the discovery of a Windows backdoor written in JavaScript and the C&C backend scripts. Unfortunately I can’t post too many details because the victim’s organization name is present in the files. The backdoor script is less than 2KB and the only indication of its presence on a compromised...

Fri Mar 30, 2018 23:15
Deobfuscating a “Sophisticated” Mailer

“Sophisticated” in that the spammer obfuscated the mailer script quite well. He/she apparently put quite a bit of work into concealing and protecting their spamming activity. I normally don’t come across PHP mailers that are obfuscated this well. Here’s what the incoming traffic to the PHP script looks like: If the request is successfully processed...

Mon Feb 26, 2018 04:24
Deobfuscating PHPJiami

I was sent a PHP script that was protected by PHPJiami which you can find here. PHPJiami is a decent PHP obfuscator that appears to be able to bypass several online deobfuscators. Here’s what the script looks like: When you run it, you can see what the protected script does. At the top there’s a comments section. Let me change the uppercase...

Wed Nov 1, 2017 03:46
ConverterNET v0.1 Released

I spent the past several months porting Converter to the .NET Framework and am finally able to release a public version of it. Many of the original functions are present and I’ve added a few more things to the menu. Several conveniences have also been included that may not be very obvious: + Forms are non-modal so you can have multiple forms open...

Sun Jun 25, 2017 03:02
Not Your Typical Ransomware Infection

An analysis of an infected PC revealed that an attacker used several NSA tools just four days after the Shadow Brokers’ dump, then burned the PC with ransomware when they were done with it. This blog post by Secdo may be related to this one but I can’t be sure. I was asked to assist with an infected PC that had already been turned off. The ransomware...

Fri May 26, 2017 06:29