IDA on bubka hacks stuff

IDA on bubka hacks stuffhttps://hexpysya.github.io/tags/ida/Recent content in IDA on bubka hacks stuffHugo -- gohugo.ioen-usSun, 15 Mar 2026 00:00:00 +0000HTB-Lockpick3.0https://hexpysya.github.io/investigations/htb-lockpick3.0/Sun, 15 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-lockpick3.0/A ELF64 ransomware binary uses XOR string obfuscation keyed on a CLI passphrase, contacts a DigitalOcean C2 to register and retrieve an AES-256-CBC key and IV, recursively encrypts target files in /share/ renaming them to .24bes, exfiltrates the originals via HTTP PUT, zeroes and removes the source files, and installs a systemd service for persistence.CDEF-$tealerhttps://hexpysya.github.io/investigations/cdef-tealer/Tue, 03 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/cdef-tealer/A Dridex loader DLL that dynamically resolves APIs via CRC32 hashing, uses int3/retn as an indirect call mechanism to evade analysis, decrypts embedded strings with RC4, and connects to four hardcoded C2 servers over HTTPS to download additional modules.HTB-Lupinhttps://hexpysya.github.io/investigations/htb-lupin/Sun, 08 Feb 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-lupin/Reverse engineering PHORPIEX dropper - analyzing clipboard hijacking, USB spreading, and UPnP NAT traversal techniques.HTB-SneakyKeyshttps://hexpysya.github.io/investigations/htb-sneakykeys/Tue, 03 Feb 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-sneakykeys/HTB-Waybackhttps://hexpysya.github.io/investigations/htb-wayback/Thu, 29 Jan 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-wayback/HTB-Cyberpsychosishttps://hexpysya.github.io/investigations/htb-cyberpsychosis/Wed, 28 Jan 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-cyberpsychosis/HTB-Partial_Encryptionhttps://hexpysya.github.io/investigations/htb-partial_encryption/Mon, 26 Jan 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-partial_encryption/HTB-RAuthhttps://hexpysya.github.io/investigations/htb-rauth/Thu, 22 Jan 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-rauth/PoshC2: Sharp_v4_x64.dllhttps://hexpysya.github.io/investigations/poschc2-sharp_v4_x64.dll/Tue, 25 Nov 2025 00:00:00 +0000https://hexpysya.github.io/investigations/poschc2-sharp_v4_x64.dll/A .NET DLL decodes architecture-specific shellcode from an embedded base64 string, allocates executable memory, and spawns a thread to execute it. The shellcode performs NTDLL unhooking, AMSI and ETW patching before executing an embedded PE payload identified as a PoshC2 dropper.