Full technical analysis of DragonForce's Windows x86 encryptor: MinGW C++ with Salsa20 multi-mode encryption, BYOVD kernel driver EDR bypass (rentdrv2.sys + truesight.sys), WMI shadow copy deletion, Restart Manager file handle killing, IOCP network scanning, and COM-based scheduled task persistence.
grep -rl "Reverse Engineering" ./posts
#Reverse Engineering
6 matches
Full technical analysis of RansomHub's Go-based Windows encryptor: garble package obfuscation, X25519+ChaCha20 encryption scheme, built-in SMB lateral movement using go-smb, IOCP parallel file encryption, and service recovery disruption.
Assembly-level analysis of SafePay ransomware — a LockBit 3.0 derivative with a custom CRC-32 import resolver, triple-XOR string obfuscation, IOCP-driven parallel encryption, and NT-layer privilege escalation. Full API inventory recovered by cracking 130+ export hashes.
A WsgiDAV opendir gave me staging payloads and a leaked debug log. AES config RE confirmed all six C2 IPs and the full encrypted capability set. PE build timestamp forensics revealed two back-to-back build sessions; the operator's dropper cluster leaked their build-system path on VirusTotal. Neo4j graph of 70 nodes across 3 cloud providers. YARA rules included.
VirusTotal called it PlugX. It broke down into an RC4 layer I could crack offline, a ScatterBrain-flavoured shellcode stub, and then a wall: the real implant is sealed with machine-scoped DPAPI, so it only decrypts on the one victim it was built for. Here's everything up to that wall, why the wall is the whole point, and why I think this is closer to ShadowPad than PlugX.
A single XOR'd Canon.dat turned into a campaign map: reversing the CanonStager loader, writing a memory-based config extractor, pulling the related samples, and walking nine builds out to their CloudFlare-fronted C2 origins.