It’s been far too long since the last MindshaRE post, so I decided to share a technique I’ve been playing around with to pull C2 and other configuration information out of malware that does not store all of its configuration in a set structure or in the resource section (for a nice set of publicly available decoders, check out KevTheHermit’s RATDecoders repository on GitHub). Being able to statically extract this information becomes important when the malware does not run properly in your sandbox, the C2s are down, or you don’t have the time or sandbox bandwidth to run the sample manually and extract the information from network indicators.
More here: http://www.arbornetworks.com/asert/2014/10/mindshare-statically-extracting-malware-c2s-using-capstone-engine/