In this blog post series about analysis and obfuscation, I decided to start with one of the most common techniques: flattening.

Control-flow flattening is one of the many obfuscation and anti-analysis techniques used by both legitimate software and malware. It is usually applied automatically, as there are plenty of obfuscators available that can implement it before the source code is compiled, saving the developer a considerable amount of time.

The method for flattening a function can be described like this. The main goals are to break the body into very basic blocks and to generate nesting, the more the better. The…


The first time I heard about SunCrypt I was just enjoying my time off, preparing some stuff to get dinner ready. My colleagues sent me over some weird samples that were flagged as SunCrypt and were also beaconing to Maze C2 infrastructure; however, they weren’t Maze but shared some similarities, and that’s basically why they did it, as they know my interest in ransomware and my personal fascination with Maze.

As I was checking a couple of hashes, I saw very interesting things that made me go hands-on to investigate further, and I ended up spending a lot of time…


For a long time the world has been hearing the word ransomware a lot, ever since WannaCry, and still today many hosts, for different reasons, are compromised by or still have remnants of very old ransomware infections such as CryptoWall, WannaCry, Petya and even HiddenTear variants. However, the ransomware ecosystem has changed a whole lot.

Ransomware has switched from automated crap code containing publicly available or tailored leaked exploits like EternalBlue (MS17-010) to lock and spread through the victim’s network, to a fully new scenario where ransomware operates using a very complex model formed by developers, pentesters, mules and a full system…


More ransomware analysis! Many companies and institutions are experiencing a strong season of ransomware attacks leveraged by different threat actors that, after the intrusion, use ransomware to obtain direct income from them (RaaS model). Among these new ransomware families I decided to pick Mespinoza, aka Pysa ransomware.

Mespinoza, also known as Pysa due to the file extension of its encrypted files, is a ransomware that encrypts selected file types on a system’s available drives and appends the “.pysa” extension to the encrypted files. This ransomware has been spotted in two different languages/variants, C++ and Python.

This activity has also been reported by the…


deathransom ransomware header

One of the things I enjoy in my free time is malware analysis and tracking, so I decided to push out work from time to time and publish some of my findings on the blog.

I particularly enjoy tracking trojans, infostealers and ransomware for different reasons, among them the fact that the threat actors are continuously forced to evolve in order to survive by modifying and adapting their software to evade host and network detection, making the analysis more and more challenging (also, the trolling is funny, to be honest). …


I wanted to put emphasis on Metasploit since it is widely used and known by penetration testers and Red Teamers, but it is also used by many threat actors, including FIN groups. Sometimes I have the feeling that people can underestimate the use of this framework, but please, just don’t.

This follows on from the topic of how responders can analyze, extract and determine findings of an intrusion, which was covered in the previous blog post: https://medium.com/p/c0d0a3bb5449/edit

This time we will assume the role of a Red Team operator or threat actor and go through the intrusion process, which usually includes anti-forensics, related to TA0005 and TA0011…


When working on network traffic analysis, responders need to quickly identify the severity and the depth of the incident once it has been determined that something is going on in a certain host. Analyzing traffic is not always easy due to the different implants related to penetration testing and Red Team frameworks, custom malware protocols, encrypted traffic, and the fact that each network and host nowadays uses many different applications which are constantly sending telemetry.

In this example we will analyze suspicious network activity involving Command and Control communications related to the use of the Metasploit framework, and how…


There are a lot of stories nowadays about breaches, intrusions and events around the world. Cyber security is a very fast-paced environment where both attack and defense are always evolving, but sometimes it is good to know where it all started by looking back into history, especially when we talk about cyberwarfare and information warfare.

Both are substantially important for every State to consider, especially today when the cyber arena is real; it’s something we hear about every single day and it has a real impact on the field, like the Russian attack on the Ukrainian power grid or Stuxnet back then, developed by…


In this story, I’ve decided to talk a little bit about this cool mixture that almost everyone in infosec loves: red team + blue team.

For this particular case, I wanted to go beyond words and start talking about more realistic scenarios for penetration testing, and then this idea came to my mind: “Would be nice if I think about some options from a black box ethical hacking exercise…?”, …


Amazon Web Services is a well-known IaaS (Infrastructure as a Service) cloud platform for deploying services like virtual machines, storage services and networks to extend a private cloud such as an enterprise’s datacenter, plus a ton of really cool services that are easy to use and quick to deploy, making it really easy to scale anything in a short amount of time. That’s one of the reasons why public cloud infrastructures like this one have become really popular in recent years.

But on another note, if you are curious, maybe, after a little bit of exploring inside AWS…

Sapphire

Kimchi and Ransomware. Incident Responder and sort of malware analyst in my free time. Personal blog, opinions are my own.
