Investigation Log

  • Connected to IDA session, captured module hashes, enumerated exports (DllEntryPoint, Crash) to frame analysis scope.
  • Decompiled Crash → LaunchConfiguredIec104Sessions:0x100014e0, observed config parsing call and thread fan-out via CreateThread (0x10001547), then traced worker entry StartAddress to identify IEC-104 workflow.
  • Analyzed ParseIec104ConfigFile:0x10001610; confirmed _wfopen (0x10001674) and _fgets usage, mapped keywords target_ip, target_port, sequence, stop_comm_service, command_type, operation, shift, range, uselog at refs 0x100017B0–0x10002004 to per-session structure fields.
  • Inspected RunIec104SessionWorker:0x10002FE0; documented service-kill logic (OpenProcess 0x1000303D / TerminateProcess 0x10003046), IEC-104 connect (Iec104Connect 0x10003079), handshake (SendStartupSequence 0x1000309D), sequence dispatch (range 0x1000315D, shift 0x100031AE) and command emission (IssueSingleCommand calls at 0x1000331A/0x1000335E/0x100034E6/0x10003507).
  • Reverse engineere
  • Step 1: Reviewed DriverEntry (0x140001000) to record the device pair \Device\KApcHelper1 / \DosDevices\KApcHelperLink1, blanket dispatch table, and registration of ProcessCreateNotifyHandler plus a dummy thread notify hook.
  • Step 2: Traced the init path into ResolveKernelApis (0x140001244) and LocateThreadFlagSetterPattern (0x1400014B0) to understand which kernel services and hidden thread helpers the driver depends on.
  • Step 3: Decompiled DeviceControlDispatcher (0x140001B70) to map IOCTLs, uncover the handshake scheme, and note how every command is obfuscated by the HandshakeSeed.
  • Step 4: Followed the command flow into HandleHandshakeSeed (0x140001124) to confirm token generation/validation and the use of HandshakeValidated as a global gate.

In-memory loader decrypts and manually maps an embedded payload before handing execution to its DllMain.

Investigation Log

  • Step 1: Confirmed IDA attachment to pikabot.exe and enumerated entry points (start at 0x49f3a2, TLS callback at 0x519630) to understand initial execution vectors.
  • Step 2: Reviewed CRT startup at 0x49f22b and wWinMain_ManualLoaderEntry (0x519b8f) to see the real work funneled into ManualMapEmbeddedDll.
  • Step 3: Checked TlsCallback_ProcessDetach (0x519630) and its thunk TlsCallback_CleanupThunk →