Viper – Binary Management and Analysis Framework


Analyzing malware can be a fairly complex affair. Depending on the complexity of the malware you're analysing, there are many approaches you can take, and each of these will typically require the use of several tools or scripts. This is where Viper comes into play.

Created by Claudio ‘nex’ Guarnieri, Viper is “A binary management and analysis framework dedicated to malware and exploit researchers.” It comes with some basic features that allow you to add, search and work with samples. Where it really comes into its own is through the community-contributed modules. These modules greatly extend Viper's functionality.

At the time of writing, the list of modules is as follows.


  • clear – Clear the console
  • close – Close the current session
  • delete – Delet...

Look inside a Dark Comet Campaign

As many of you who read this blog will know, I have a fondness for researching RATs. In this post I'm going to stay on the same topic, but I'm going to change the perspective. To date I have concentrated on understanding how the ‘Server’ was holding the configs and how to extract them.

Now I'm going to look at the data that is extracted by these tools.

The Tool

DarkComet is a free, ‘semi-publicly’ available RAT. The client and the server for DarkComet are well understood at this point, and there are hundreds of blog posts by researchers far better than myself, so I'm not going to dwell too much on these points except to say it's easy to get hold of, it's easy to use, and it's fairly powerful if it gets installed on your system.

If you're unfortunate enough to become infected, and even worse you're infected ...


BSides London

This is a little late to post, but here it is anyway.

BSides is a framework for a security conference by the community, for the community. It's designed so that anyone who can get a space and some sponsorship can organise a conference, with a lot of the hard work already covered by the framework. That's not to say that the organisers, volunteers and sponsors don't put a lot of work in behind the scenes.

BSides London has been around for a couple of years and grows every year. This year I decided, with a little prompting, to submit a talk and a workshop. The talk didn't make it on to the main agenda, but my workshop did: a practical session showing how I reverse a RAT and extract the config. It was a small session with no more than 8 in attendance, but feedback was positive.

One of the things that BSides L...


RAT Decoders

I have talked about decoding RATs several times now in previous posts, and if you have read them you will know that I'm creating static decoders for the most common Remote Access Trojans.

In this post I'll be releasing a handful of the static decoders I have written so far.

I have set up a repo on GitHub that will hold a collection of Python scripts that extract and decode the configuration settings from common RATs.

Each of these decoders is already running on and has additional features that are not included in the scripts, like Snort rules, IOC files and VirusTotal linking.

You can read more about in upcoming posts, or read more here.

Current Rats

Here is a list of the currently supported RATs:

  • Adwind
  • Arcom
  • BlackN...

I Hear You Like Mount Points


Having just finished my SANS 508 course, I want to share a quick script to help mount partitions and disk images acquired as part of a forensic analysis.


SANS 508 is an advanced computer forensics course, and the majority of the course is spent examining disk images. The course uses E01 images of a single partition; this is done to simplify the classroom activities, since copying full disk images is time-consuming and detrimental to the learning experience.

How does this scale to real life? In the real world you will have a mix of full disk images with multiple partitions, and in some cases different formats for each partition: think dual-boot Linux and Windows with recovery partitions. Needless to say, real-world examples can get complex quickly.

When it comes to the ...



For those of you who read this blog on a more regular basis, you will know what I'm talking about; for those of you who just landed here, let me explain.

My project over the last several months has been looking at Remote Access Trojans / Tools. My aim was not to discover how they operate; RATs, for the most part, operate in the same way.

What I was interested in was how to detect these RATs and, more importantly, how I could share the information I was gathering with anyone else who could make use of it. The data set will largely contain samples from ‘script kiddies’ who mass-target individuals just to get slaves, but it will also capture samples that have been used by crime packs and potentially even APT actors.

Most methods of capturing this data use sandboxes to run the sample and observe its b...


Blue Banana RAT Config

Following on from my last post on the Adwind RAT, I found another Java-based RAT that is freely available to the public. Blue Banana has been around for a couple of years and looks very similar to early versions of Frutas.

Here is the pitch from the coder.


My aim was much the same as in my last analysis on the Adwind RAT. I'm not so interested in its capabilities, more in how its config is stored and how I can get to it.

Opening up the .jar file, I immediately see the bit I want: “config.txt” :)

config.txt contains a long string of chars that look like hex values; could a simple hex decoder be all I need?

No, sadly not. Looks like I'm going to be reading through some Java class files to figure this one out.

Attempting to decompile the Java bytecode didn't work very well; I tried a few different de...


AdWind Rat Analysis

If you have been reading my recent posts, you will know that I'm working on a project to provide a public-facing web application that will allow people to upload samples and in return get the configuration, Snort rule, Yara rule and IOC files specific to each instance.

This post will show you how I muddle my way through figuring out how to extract a config file so it can be added to the collection of extraction scripts.

AdWind RAT Brief History

AdWind has 4 major milestones in its history.

  1. Starting life as a proof of concept, it was named Frutas and was free in its original Spanish, and later in translated English.
  2. From Frutas it became AdWind and went up for sale as a “Premium” RAT. Prices ranged from $75 for a single licence to $250 for multiple licences.

Malware Sample Configuration Extractor

First of all


In my last post I talked about extracting configurations from malware samples. If you haven't already read it, you can find it here.

In the article I created several Python scripts that would extract the relevant configuration sections. There are also many scripts and techniques out on the interwebs that other researchers have created and shared.

My project for the upcoming months is to create a public framework and web application that will simplify the process of extracting, storing, searching and sharing these configurations.

Currently, and somewhat unimaginatively, named the “Malware Sample Configuration Extractor”, it is capable of extracting configs from the following:

Supported Malware

  1. Bozok Rat
  2. Jrat
  3. DarkComet

Extracting Configurations From Malware Samples

I like RATs, and I don't mean the furry creatures that live in cages or sewer lines; I am of course talking about Remote Access Trojans. Used by script kiddies, e-crime rings and APT groups alike, they provide a wide range of tools and capabilities for anyone who manages to get one implanted on your network or system.

Over the last few weeks I have been working with two different RATs, looking at their C2 traffic and trying to dissect their network protocol. Having this understanding of the network protocol for each RAT allows some very bespoke IDS rules to be created.

The other aspect I was looking at was, as described in the title, extracting the configuration information...
