This repository contains analysis products for specific malware samples. The main product for each sample is generally an annotated disassembler file (e.g. a Ghidra .gzf), along with any additional scripts that were used during the mark-up process. This lets you review the annotated assembly view so that you can practice on your own and have a solution guide to compare against. All malware samples referenced on this page can be downloaded from https://www.malshare.com/
Unpacked Hermes ransomware payload
Deep Dive Analysis video series starts at https://youtu.be/wsdPmW0dt0I
773c5554_annotated_full.gzf: fully annotated Ghidra file
773c5554_Dumped_Iat.txt: IAT dumped from memory, used to label dynamically resolved APIs
Unpacked Qbot Loader
Video demonstrating how to use the partially annotated Ghidra file to bypass anti-debug techniques and extract the final payload: https://youtu.be/ph4sE9lT644
Video demonstrating usage of the f5ff6dbf_String_Decryption.py script: https://youtu.be/4I0LF8Vm7SI
f5ff6dbf_annotated_partial.gzf: partially annotated Ghidra file
f5ff6dbf_String_Decryption.py: Ghidra script to automatically decrypt and label all obfuscated strings