Max Kersten

Security through explanation


Malware Analysis

Binary Analysis Course: release notes 0x22

17/09/2020, updated 13/10/2020, by libra

Additions: Added the Automatic ReZer0 payload and configuration extraction article to the analysis scripts chapter. To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit, or DM me on Twitter @Libranalysis.

Categories: Binary Analysis Course, Malware Analysis

Binary Analysis Course: release notes 0x21

26/08/2020 by libra

Additions: Added the ReZer0v4 loader article to the malware analysis chapter. To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit, or DM me on Twitter @Libranalysis.

Categories: Binary Analysis Course, Malware Analysis

Binary Analysis Course: release notes 0x1F

03/06/2020 by libra

Additions: Added the JavaScript string concatenation deobfuscation article to the analysis scripts chapter. To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit, or DM me on Twitter @Libranalysis.

Categories: Binary Analysis Course, Malware Analysis

Backtracking MageCart infections

06/05/2020, updated 08/07/2020, by libra

MageCart groups have been roaming around for a while, infecting web shops left and right. Researchers have looked into the technical aspects of the skimmers, as have I. The recent COVID-19 pandemic opened up the playing field even further, which both criminals and researchers saw. Malwarebytes’ Jérôme Segura reported that there was a 26% increase …

Categories: MageCart, Malware Analysis, Responsible Disclosure

Binary Analysis Course: release notes 0x1D

14/04/2020 by libra

Additions: Added the Emotet JavaScript downloader article to the malware analysis chapter. To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit, or DM me on Twitter @Libranalysis.

Categories: Binary Analysis Course, Malware Analysis

Binary Analysis Course: release notes 0x1C

26/03/2020 by libra

Additions: Added the Azorult loader stages article to the malware analysis chapter. To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit, or DM me on Twitter @Libranalysis.

Categories: Binary Analysis Course, Malware Analysis

Pivoting on the skimmer’s domain name

27/01/2020, updated 03/02/2020, by libra

Previously, I wrote about my joint research with Jacob Pimental regarding two ticket resellers that were infected with a credit card skimmer. Based on the domain name of the skimmer’s gate (opendoorcdn[.]com) and URLScan, Jacob and I found 9 more infected webshops. Some of them are still linking to the skimmer’s domain at the moment …

Categories: Malware Analysis, Responsible Disclosure

Ticket resellers infected with a credit card skimmer

20/01/2020, updated 08/07/2020, by libra

First and foremost, I’d like to thank Jacob Pimental, since he posted the initial lead, after which we joined forces to dive into this case. In his now deleted Tweet, he asked if anybody could help out with a potential credit card skimmer on the OlympicTickets2020 website. Background information: Before diving into this case, I’ll …

Categories: MageCart, Malware Analysis, Responsible Disclosure

Binary Analysis Course: release notes 0x17

31/10/2019 by libra

Additions: The analysis of a Linux based DDoS tool named Corona has been added to the malware analysis chapter. To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit, or DM me on Twitter @Libranalysis.

Categories: Binary Analysis Course, Malware Analysis

Binary Analysis Course: release notes 0x14

23/07/2019 by libra

Additions: A new article has been added to the Binary types chapter, named Browser plug-in. To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit, or DM me on Twitter @Libranalysis.

Categories: Binary Analysis Course, Malware Analysis