A strain of Crowti ransomware, the variant known as CryptoWall, was spotted by researchers in early 2013. Ransomware is by nature extraordinarily destructive, but this one in particular went a bit beyond that. Over the next 2 years, with over 5.25 billion files encrypted and more than 1 million systems infected, this virus definitely made its mark in the pool of cyber weapons. Below is a list of the top ten infected countries:

[Figure: top ten countries infected by CryptoWall. Source: Dell Secure Works]

CryptoWall is distinct in that its campaign ID is initially sent back to the C2 servers for verification. The motivation behind these IDs is to track samples by their loader vector. The sample we will analyze in our laboratory experiment carries the crypt1 ID, which was first seen around February 26th, 2014. The infection vector is still unknown today, but we will show how to unpack the loader and extract the main ransomware file. Some of the infections have been caused by drive-by downloads, Cutwail/Upatre, the Infinity/Goon exploit kit, the Magnitude exploit kit, the Nuclear exploit kit/Pony Loader, and Gozi/Neverquest. …


As many of you may or may not be aware, I have a serious obsession with embedded systems security. It wasn’t until about two years ago that I started my journey of incorporating my knowledge of reverse engineering software applications into pulling apart firmware from embedded devices. Additionally, I started learning hardware security concepts such as side-channel attacks, fault-injection/glitch attacks, bit flipping, and more.

Anyone who has begun their career in embedded security will tell you that the Arduino board is the best device to get started on. It has a pretty intricate IDE and an abundance of HAL (Hardware Abstraction Layer) API calls to use. …


One of my all-time favorite subfields of reverse engineering is the dissection of viruses. In this article I will be exploring malware from the infamous APT29 adversarial group. I will extricate an embedded executable from the main loader that has been classified as Coll Cozy Bear. This loader will need its DOS stub / PE header reconstructed. Let’s get started.

Below are the Indicators of Compromise (IOCs) from the dynamic link library (DLL) we are about to open in a disassembler. An IOC is a piece of forensic data, such as an artifact observed on a network or in an operating system. …


While working on a reverse engineering project, I came across a binary that appeared to be malformed, since it couldn’t be disassembled, yet when I ran the executable, it worked. After researching for a bit I discovered that parts of the executable were encrypted. What does it mean to encrypt a code segment, and why would anyone want to reverse engineer such a thing? Well, let’s take a dive into a Windows PE (Portable Executable) file as an example and look at what segments make up a PE program.

Windows uses a page-based virtual memory system, and having a large code section is easier to maintain on the operating system side. Paging is a memory management scheme that eliminates the need for contiguous allocation of physical memory. A memory address, physical or virtual, is generated by the CPU. For example, if a logical address is 31 bits wide, then the logical address space is 2³¹ words = 2 G words (1 G = 2³⁰). The mapping from virtual/logical to physical addresses is done by the Memory Management Unit (MMU), and this mapping is known as paging. …

About

Ryan Cornateanu

Security Researcher | Reverse Engineer | Embedded Systems
