reverse engineering
A Deep Dive into Lokibot Infection Chain
1 min read
News summary Lokibot is one of the most well-known information stealers on the malware landscape. In this post, we’ll provide a technical breakdown of one of the latest Lokibot campaigns. Talos also has a new script to unpack the dropper’s third stage. The actors behind Lokibot usually have the ability to steal multiple types of […]
Talos Tools of the Trade
1 min read
If you’re looking for something to keep you busy while we’re all stuck inside during the holidays, Cisco Talos has a few tools for you you can play with in the coming days and weeks. We recently updated GhIDA to work with the latest version of IDA and we are releasing new features for the […]
Dynamic Data Resolver – Version 1.0.1 beta
1 min read
Cisco Talos is releasing a new beta version of Dynamic Data Resolver (DDR) today. This release comes with a new architecture for samples using multi-threading. The process and thread tracing has been completely reimplemented. We also fixed a few bugs and memory leaks. Another new feature is that the DDR backend now comes in two […]
New IDA Pro plugin provides TileGX support
1 min read
Cisco Talos has a new plugin available for IDA Pro that provides a new disassembler for TileGX binaries. This tool should assist researchers in reverse-engineering threats in IDA Pro that...
Disassembler and Runtime Analysis
1 min read
This post was authored by Paul Rascagneres. Introduction In the CCleaner 64bit stage 2 previously described in our blog, we explained that the attacker modified a legitimate executable that is part of “Symantec Endpoint”. This file is named EFACli64.dll. The modification is performed in the runtime code included by the compiler, more precisely in the […]
WinDBG and JavaScript Analysis
1 min read
This blog was authored by Paul Rascagneres. Introduction JavaScript is frequently used by malware authors to execute malicious code on Windows systems because it is powerful, natively available and rarely disabled. Our previous article on .NET analysis generated much interest relating to how to use WinDBG to analyse .js files. In this post we extend our description of […]
Taking the FIRST look at Crypt0l0cker
1 min read
This post is authored by Matthew Molyett. Executive Summary In March, Talos reported on the details of Crypt0l0cker based on an extensive analysis I carried out on the sample binaries. Binaries — plural — because, as noted in the original blog, the Crypt0l0cker payload leveraged numerous executable files which shared the same codebase. Those executables had nearly identical […]
PyREBox, a Python scriptable Reverse Engineering sandbox
1 min read
This post was authored by Xabier Ugarte Pedrero In Talos, we are continuously trying to improve our research and threat intelligence capabilities. As a consequence, we not only leverage standard tools for analysis, but we also focus our efforts on innovation, developing our own technology to overcome new challenges. Also, Talos has traditionally supported open-source […]
Indicators of Compromise and where to find them
4 min read
Indicators of Compromise (“IOC”) are used to suggest a system has been affected by some form of malware. An Indicator of Compromise can be anything from a file name to the behavior observed while malware is actively running on an infected system. Where do they look? Social media, new feeds, industry reports, Threat Grid sample […]
3