Malware Utkonos

wow ... #njrat is still used? /bwawusa.org/system/nj6pp.exe VT:1c846c9281998ea2b6c4493e3ccafad6 c2:mailsdc61,ga @James_inthe_box @jcarndt @JAMESWT_MHT @500mk500

2020-02-03: [Researcher Pin] #EKANS/#SNAKE Ransomware Analysis & ICS Targeting Perspective As the ransomware strain was first identified and discovered with myself & @malwrhunterteam hunting for Golang ransomware. Sober outlook & analysis from the intel perspective.https://twitter.com/DragosInc/status/1224350671761289218 …

Though, to be fair... The original request for some of these features came from Sir Tom of the House of Lancaster (@tlansec). Credit where credit is due, of course. ;)

Since I convert the RVA to a file offset you can even check to see if enough functions are all "xor eax, eax; retn;" - which is pretty dope to be able to do so easily. There are other things this branch lets you do too, but I'll leave that up to you all to come up with. ;) 3/?

A good commit message should be 1/3 what you did and 2/3 why you did it. Learned that a long time ago and try to live by it and share it with others. I can’t count the number of times I’ve dug out an ancient commit and the message helped me instantly remember what I did and why.

Your commit logs and documentation are always superb, thanks! Makes great reading.

If you're one of the places which use the dotnet module (we use it at $job) it's worth noting that it will break rules if you're looking for specific user strings. I don't like breaking backwards compatibility but getting parsing correct is important in this case. 2/2