James Quinn
James has been programming since he was 12 but didn't become interested in Cybersecurity until around 16. He's now finishing his 3rd semester for a Cybersecurity associate's degree. In James' free time, he analyzes malware dropped on his dionaea honeypot and would consider himself an amateur photographer.

May 2, 2019 | James Quinn

Reversing Gh0stRAT part 2: the DDOS-ening

This is a guest post by James Quinn, a SOC analyst from Binary Defense. In Part 1 of the Reversing Gh0stRAT series, we talked about a partial Gh0stRAT variant which used an encryption algorithm to hide its traffic. In part 2, we will be talking about a much more complete Gh0stRAT sample which allows a hacker to take total…

March 25, 2019 | James Quinn

The odd case of a Gh0stRAT variant

This is a guest post by independent security researcher James Quinn. This will be Part 1 of a series titled Reversing Gh0stRAT Variants. As 2018 drew to a close and 2019 took over, I began to see a different behavior from SMB malware authors. Instead of massive, multi-staged cryptocurrency miners, I began to see more small, covert RATs serving…


October 29, 2018 | James Quinn

MadoMiner Part 2 - Mask

This is a guest post by independent security researcher James Quinn. If you have not yet read the first part of the MadoMiner analysis, please do so now. This analysis will pick up where Part 1 left off, while also including a brief correction. The x64 version of the Install module was…

September 24, 2018 | James Quinn

MadoMiner Part 1 - Install

2018 seems to be a time for highly profitable cryptominers that spread over SMB file-shares. Following my analysis on ZombieBoy in July, I found a new malware sample that I’m calling MadoMiner. With the help of Chris Doman, I was able to analyze it to discover that it uses techniques similar to ZombieBoy, because it hijacks Zombieboy…

July 18, 2018 | James Quinn

ZombieBoy

This is a guest post by independent security researcher James Quinn. Continuing the 2018 trend of cryptomining malware, I’ve found another family of mining malware similar to the “massminer” discovered in early May. I’m calling this family ZombieBoy since it uses a tool called ZombieBoyTools to drop the first dll. ZombieBoy, like MassMiner, is…
