Full technical analysis of DragonForce's Windows x86 encryptor: MinGW C++ with Salsa20 multi-mode encryption, BYOVD kernel driver EDR bypass (rentdrv2.sys + truesight.sys), WMI shadow copy deletion, Restart Manager file handle killing, IOCP network scanning, and COM-based scheduled task persistence.
grep -rl "Malware Analysis" ./posts
#Malware Analysis
3 matches
Full technical analysis of RansomHub's Go-based Windows encryptor: garble package obfuscation, X25519+ChaCha20 encryption scheme, built-in SMB lateral movement using go-smb, IOCP parallel file encryption, and service recovery disruption.
Assembly-level analysis of SafePay ransomware — a LockBit 3.0 derivative with a custom CRC-32 import resolver, triple-XOR string obfuscation, IOCP-driven parallel encryption, and NT-layer privilege escalation. Full API inventory recovered by cracking 130+ export hashes.