Nov. 14, 2023, 12:19 a.m. | /u/mattbann

Malware Analysis & Reports

I have been reverse engineering a piece of malware that attacked a friend of mine. It's a single executable around 70MB and upon loading it up I noticed that the majority of it is zeroed out memory.
In a section called .ndata 60% of the program is interpreted like this:

0047b002 ?? ??

Which I'm assuming is either some unknown data type or the creator's attempt at giving the executable enough size so that someone doesn't suspect the file size …
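One check that resolves the two hypotheses in the post without running the sample: compare each section's VirtualSize with its SizeOfRawData in the PE section table. A disassembler shows `??` for bytes that exist in the mapped image but have no backing bytes in the file, which is exactly what an uninitialized-data section looks like (`.ndata` is the name NSIS-built installers use for theirs). Such a section reserves address space but contributes nothing to the size on disk, so it cannot be what makes the file 70MB. The script below is an added example, not code from the post or from Ghidra; it uses only the standard library and parses a PE image constructed inline (a stand-in, not the poster's sample) whose `.ndata` has a 1 MiB VirtualSize and a SizeOfRawData of 0. Point `summarize()` at the bytes of a real file to get the same breakdown.

```python
import struct

# Documented PE section characteristic flag for uninitialized data (.bss-style).
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080


def parse_sections(data):
    """Parse the section table of a PE32/PE32+ image into a list of dicts."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size  # section table directly follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "raw_pointer": rawptr,
            "characteristics": chars,
        })
    return sections


def classify(section):
    """Say whether a section's bytes come from the file or are loader-provided zeros."""
    if section["raw_size"] == 0 or section["characteristics"] & IMAGE_SCN_CNT_UNINITIALIZED_DATA:
        return "uninitialized"     # nothing in the file; disassemblers show ?? here
    if section["virtual_size"] > section["raw_size"]:
        return "partially-backed"  # tail past raw_size is zero-filled at load time
    return "file-backed"


def summarize(data):
    """Return per-section classifications plus how many mapped bytes the file actually supplies."""
    backed = unbacked = 0
    rows = []
    for s in parse_sections(data):
        kind = classify(s)
        in_file = 0 if kind == "uninitialized" else min(s["raw_size"], s["virtual_size"])
        backed += in_file
        unbacked += s["virtual_size"] - in_file
        rows.append((s["name"], kind, s["virtual_size"], s["raw_size"]))
    return {"sections": rows, "file_backed": backed, "not_in_file": unbacked}


def build_sample_pe():
    """Constructed PE32 image (not a real sample): a file-backed .text plus an
    NSIS-style .ndata with VirtualSize 1 MiB and SizeOfRawData 0."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)  # PE32 magic; rest zeroed for brevity
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    ndata = struct.pack("<8sIIIIIIHHI", b".ndata", 0x100000, 0x2000, 0, 0,
                        0, 0, 0, 0, 0xC0000080)
    headers = dos + b"PE\0\0" + coff + opt + text + ndata
    headers += b"\0" * (0x200 - len(headers))  # pad headers to the first raw section
    return headers + b"\x90" * 0x200           # constructed .text contents


if __name__ == "__main__":
    report = summarize(build_sample_pe())
    for name, kind, vsize, rsize in report["sections"]:
        print(f"{name:<8} {kind:<17} VirtualSize=0x{vsize:x} SizeOfRawData=0x{rsize:x}")
    print(f"bytes supplied by file: 0x{report['file_backed']:x}, "
          f"mapped but not in file: 0x{report['not_in_file']:x}")
```

If `not_in_file` dominates, the `??` region is not padding the file at all; to explain a 70MB executable, look instead at sections whose SizeOfRawData is large, and check those for an appended overlay or a high-entropy blob that a packer or embedded archive would leave behind.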
