https://hexpysya.github.io/tags/reverse-engineering/Recent content in Reverse Engineering on bubka hacks stuffHugo -- gohugo.ioen-usWed, 18 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/cdef-obfuscated/Wed, 18 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/cdef-obfuscated/A malicious Word document uses a password-protected AutoOpen macro to drop and execute js script, which decrypts an embedded blob into stage2.js. It is a implant that establishes persistence via a hidden scheduled task, collects system reconnaissance, and beacons to two compromised WordPress C2 servers, downloading and executing a next-stage .pif payloadhttps://hexpysya.github.io/investigations/htb-lockpick3.0/Sun, 15 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-lockpick3.0/A ELF64 ransomware binary uses XOR string obfuscation keyed on a CLI passphrase, contacts a DigitalOcean C2 to register and retrieve an AES-256-CBC key and IV, recursively encrypts target files in /share/ renaming them to .24bes, exfiltrates the originals via HTTP PUT, zeroes and removes the source files, and installs a systemd service for persistence.https://hexpysya.github.io/investigations/cdef-tealer/Tue, 03 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/cdef-tealer/A Dridex loader DLL that dynamically resolves APIs via CRC32 hashing, uses int3/retn as an indirect call mechanism to evade analysis, decrypts embedded strings with RC4, and connects to four hardcoded C2 servers over HTTPS to download additional modules.https://hexpysya.github.io/investigations/cdef-xworm/Sun, 01 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/cdef-xworm/A .NET XWorm RAT that establishes triple persistence via scheduled task, startup shortcut, and registry Run key, implements keylogging, clipboard hijacking for crypto wallets, and communicates with multiple C2 servers over TCP using AES-ECB encrypted payloads.https://hexpysya.github.io/investigations/htb-lupin/Sun, 08 Feb 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-lupin/Reverse engineering PHORPIEX dropper - analyzing clipboard hijacking, USB spreading, and UPnP NAT traversal techniques.https://hexpysya.github.io/investigations/htb-sneakykeys/Tue, 03 Feb 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-sneakykeys/https://hexpysya.github.io/investigations/htb-wayback/Thu, 29 Jan 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-wayback/https://hexpysya.github.io/investigations/htb-bypass/Wed, 28 Jan 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-bypass/https://hexpysya.github.io/investigations/htb-cyberpsychosis/Wed, 28 Jan 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-cyberpsychosis/https://hexpysya.github.io/investigations/htb-partial_encryption/Mon, 26 Jan 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-partial_encryption/https://hexpysya.github.io/investigations/htb-rauth/Thu, 22 Jan 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-rauth/https://hexpysya.github.io/investigations/htb-hubbub/Wed, 21 Jan 2026 00:00:00 +0000https://hexpysya.github.io/investigations/htb-hubbub/https://hexpysya.github.io/investigations/poschc2-sharp_v4_x64.dll/Tue, 25 Nov 2025 00:00:00 +0000https://hexpysya.github.io/investigations/poschc2-sharp_v4_x64.dll/A .NET DLL decodes architecture-specific shellcode from an embedded base64 string, allocates executable memory, and spawns a thread to execute it. The shellcode performs NTDLL unhooking, AMSI and ETW patching before executing an embedded PE payload identified as a PoshC2 dropper.https://hexpysya.github.io/investigations/dropper-cs.exe-analysis/Sun, 23 Nov 2025 00:00:00 +0000https://hexpysya.github.io/investigations/dropper-cs.exe-analysis/C2 .NET implant. AES-encrypted config, HTTPS beacon to <code>192.168.248.128</code>, fileless in-memory execution, anti-debug via divide-by-zero.