Category Archives: Profiler

JBIG2 Encoded Malware in PDFs

The upcoming version of Profiler 2.7 adds support for JBIG2 encoding inside PDFs. Although JBIG2 isn’t intended to encode data other than images, it can be used to do so. Quoting the PDF documentation: The JBIG2Decode filter (PDF 1.4) decodes …

Posted in PDF, Profiler | 2 Comments

Yet another PDF/XDP Malware

Today we’re going to analyze yet another sample of PDF containing an XDP form. The difference between this sample and the one of my previous post is that this one will be less about JavaScript deobfuscation and more about anti-analysis …

Posted in PDF, Profiler | Comments Off on Yet another PDF/XDP Malware

Extracting C&C from Android Malware

Even though AndroRat (http://www.symantec.com/connect/blogs/remote-access-tool-takes-aim-android-apk-binder) has been around for eons and its source code was made available (https://github.com/DesignativeDave/androrat), many new variants keep popping up every day. Today I will go through with you how we can make Profiler work …

Posted in DEX, Profiler | Comments Off on Extracting C&C from Android Malware

Malware in a MSG

Even though sending malware via zipped attachments in spam emails is nothing new and has been around for eons, many people are still puzzled at how it works. Thus, I will go through with you how to do …

Posted in CFBF, Profiler | 4 Comments

PDF/XDP Malware Reversing

Recently version 2.6 of Profiler has been released, and among the improvements support for XDP has been introduced. For those of you who are unfamiliar with XDP, here’s the Wikipedia description: “XML Data Package (XDP) is an XML file format …

Posted in PDF, Profiler | Comments Off on PDF/XDP Malware Reversing

Profiler 2.6

Profiler 2.6 is out with the following news:
– added initial support for XML files
– added support for XDP files (extraction of embedded PDFs)
– exposed the ABC format
– improved the parsing of malformed PDF streams
– fixed …

Posted in Profiler | Comments Off on Profiler 2.6

Windows Memory Forensics

Let’s begin with an image: Yep. That’s an icon. In an executable. In a process address space. In a raw memory dump. And here is the video demonstration: This is just a proof-of-concept. We still haven’t decided whether to develop …

Posted in Demo, Forensics, Profiler | 3 Comments

Profiler 2.5

Profiler 2.5 is out with the following news:
– introduced scan provider extensions
– added support for Torrent files
– added the capability to display views as dialogs
– exposed official Python bindings for capstone
– added new controls to …

Posted in Profiler | Comments Off on Profiler 2.5

Torrent Support

Following our recent introduction to Scan Providers, here’s a first implementation example. In this post we’ll see how to add support for Torrent files in Profiler. Of course, the implementation shown in this post will be available in the upcoming …

Posted in Forensics, Profiler | Comments Off on Torrent Support

Scan Providers

Version 2.5.0 is close to being released and comes with the last type of extension exposed to Python: scan providers. Scan provider extensions are not only the most complex type of extension, but also the most powerful, as they …

Posted in Profiler, Python, SDK | Comments Off on Scan Providers