dingusxmcgee

@dingusxmcgee@infosec.exchange
40 Followers
126 Following
309 Posts
Husband, Dad and Incident Responder.
Incident Response and Threat Detection at $company
Very Amateur Malware Analysis Blog:
https://blog.dingusxmcgee.com

I updated this blog with some more details, including the discussion around adware versus malware and a brief look at lookupktichen, which seems to be a precursor to RecipeLister.

Some interesting discussion in X and in the InvokeRE discord about adware versus malware, etc., and I definitely agree I “mislabeled” it in my initial desire to categorize.

Always good to chat and learn from others :). Thanks to @struppigel for the excellent discussion!

Quick new blog today on RecipeLister! This one seems to be making the rounds the past couple of days, and I had a little bit more detail to add, so hope you enjoy 😊

https://blog.dingusxmcgee.com/blog/2025/06/06/Recipe-For-Adware.html

Recipe For Adware

On June 2 2025, @xorist posted a screenshot of some JavaScript code from a ‘recipe app’ in the InvokeRE community discord. What followed was a rabbit hole of confusion, mysterious functionality, dashed dreams, more confusion, and ultimately culminated in Yahoo Search.

Malware Analysis with Dingus

Blog: Printer company provided infected printer software for half a year.

➡️ XRed backdoor
➡️ SnipVex virus

Initially reported by Youtuber of "Serial Hobbyism"

https://www.gdatasoftware.com/blog/2025/05/38200-printer-infected-software-downloads

Procolored: Printer company serves malware for six months, claims "false positive" warnings

What do a coin stealer, an abandoned backdoor and a file infector have in common? They all resided in the download section on the website of a printer company - stowed away in installer files for drivers and utilities. We took a closer look.

🦔 📹New Video: Analysis of Virut - Part I
➡️ self-modifying code
➡️ Ghidra markup decryption stub
➡️ API resolving
➡️ unpacking
#MalwareAnalysisForHedgehogs
https://www.youtube.com/watch?v=250Bxe0qlQY
Malware Analysis - Virut, a polymorphic file infector

After #flareon11 challenge 7, I got inspired to build tooling for #dotnet Native AOT reverse engineering.

As such, I built a #Ghidra Analyzer that can automatically recover most .NET types, methods and frozen objects (e.g., strings).

👉https://blog.washi.dev/posts/recovering-nativeaot-metadata/

Recovering Metadata from .NET Native AOT Binaries

Ever seen a binary that looks like a .NET binary based on its strings, but .NET decompilers are not able to open them?

Washi

I wrote how to use knowledge about .NET structures and streams for writing .NET Yara signatures.

E.g. IL code patterns, method signature definitions, GUIDs, compressed length

#GDATATechblog #100DaysOfYara
https://www.gdatasoftware.com/blog/2025/04/38145-yara-signatures-net-malware

100 Days of YARA: How to write .NET code signatures

If you write YARA signatures for .NET assemblies only relying on strings, you are seriously missing out. Learn what you can do to level up your YARA rules.

Podcast with @jstrosch and @psifertex about:
binary ninja, CTFs, AI, the future of cyber security

https://open.spotify.com/episode/6tMYu7g7P9LuMoehALiCsL

EP07 Jordan Wiens - Inside the Mind of a Binary Ninja: CTFs, AI and the Future of Cyber Security

Behind the Binary by Google Cloud Security · Episode
On a more serious note: I recently added many lines of code to #BinaryRefinery for a fairly niche purpose: Unpacking (malicious) InnoSetup archives that hide their password within the setup #PascalScript. Check it out if that is something you have to deal with. My approach to this was to write an emulator for this arcane language, and I wrote a little blog post about my process!
https://blag.nullteilerfrei.de/2025/03/30/complete-first-correct-later-writing-a-pascal-script-emulator/
Complete First; Correct Later: Writing a Pascal Script Emulator – nullteilerfrei

Trying something different today. Been looking into offensive tooling as a way to stay up to date and informed in Incident Response. It's not malware, but I still had fun, thanks for reading if you do :)

https://blog.dingusxmcgee.com/blog/2025/03/26/Using-Rubeus-And-Certify-To-Unpac-The-Hash.html

Using Rubeus And Certify To Unpac The Hash

Trying something new, little bit of Rubeus, little bit of Certify, little bit of curiosity… Come check it out with me!

Malware Analysis with Dingus

By making minor changes to command-line arguments, it is possible to bypass EDR/AV detections.

My research, comprising ~70 Windows executables, found that all of them were vulnerable to this, to varying degrees.

Here’s what I found and why it matters 👉 https://wietze.github.io/blog/bypassing-detections-with-command-line-obfuscation

Bypassing Detections with Command-Line Obfuscation

Defensive tools like AVs and EDRs rely on command-line arguments for detecting malicious activity. This post demonstrates how command-line obfuscation, a shell-independent technique that exploits executables’ parsing “flaws”, can bypass such detections. It also introduces ArgFuscator, a new tool that documents obfuscation opportunities and generates obfuscated command lines.