Caution
This repository contains malware samples and malicious code. Please do NOT download, run, or share malware samples if you don't know what you are doing. The author is not responsible for any damage caused by this malware. This repository exists FOR EDUCATIONAL PURPOSES ONLY!
Note
I write my reports in Polish, my native language. I have grown better at writing these analyses, and each analysis usually covers newer malware. If you want to learn from them, start with the newest first.
For new malware I will be posting YARA rules and scripts that remove both the malware and all of its artifacts (such as changed Windows Registry keys, created directories, etc.).
- Lumma Stealer downloaded from a file hosting website: steals user data over both unencrypted (HTTP) and encrypted (HTTPS) traffic and then uninstalls itself (no persistence).
- Malvertising website serving a JScript loader: downloads further loaders that end up running a PowerShell botnet agent, which achieves persistence by modifying the Windows Registry.
- ClickFix attack: downloads .exe malware that achieves persistence and downloads PowerShell loaders, which in turn download a PHP botnet agent that achieves persistence by modifying the Windows Registry.
| Component | Tool |
|---|---|
| Operating system | QubesOS |
| Software reverse engineering (SRE) framework | Ghidra |
| Network protocol analyzer | Wireshark |
| Virtual machines for malware | Triage or disposable Qubes on Qubes OS |
| Terminal emulator | Alacritty |
| Text/Code editor | Neovim |
If you have found new malware you want me to write a report on, please create an issue that describes the malware. The issue should state how the malware is installed and where it was obtained from, and, if you wish, include your own report on it.
This repository is available under MIT License.