Jekyll
2023-09-25T08:00:31+00:00
https://husseinadel7.github.io/huss3del.github.io/feed.xml
Hussein Adel
Full Stack Developer, Malware Analyst
Hussein Adel
Windows Presentation Foundation (WPF)
2023-09-15T00:00:00+00:00
2023-09-15T00:00:00+00:00
https://husseinadel7.github.io/huss3del.github.io/projects(.net,js)/Windows_Presentation_Foundation_WPF
<blockquote>
<h1 id="applications-using-windows-presentation-foundatiowpf-in-c">Applications Using Windows Presentation Foundation (WPF) in C#</h1>
</blockquote>
<h1 id="please-find-the-following-applications">Please Find The Following Applications</h1>
<h3 id="modern-school-system">Modern School System</h3>
<h3 id="vending-machine">Vending Machine</h3>
<h3 id="telegram-simulation">Telegram Simulation</h3>
<blockquote>
<h1 id="modern-school-system-">Modern School System <br /></h1>
<p><img alt="Coding" width="600" src="https://github.com/HusseinAdel7/SQL_Server/assets/84356407/8ab4cf3c-8c8e-430c-bf72-1ffcb5e220c6" /> <br /></p>
<h2 id="check-the-code"><a href="https://github.com/HusseinAdel7/Windows_Presentation_Foundatio_--WPF--/tree/main/Modern%20School%20System">Check The Code</a></h2>
<h2 id="check-the-demonstration-video"><a href="https://drive.google.com/file/d/1wwIUU3HL8ZA9edymNmVv9CqERaKaBqpo/view?usp=sharing">check the demonstration video</a></h2>
</blockquote>
<blockquote>
<h1 id="vending-machine--">Vending Machine <br /></h1>
<p><img alt="Coding" width="600" src="https://github.com/HusseinAdel7/Facebook_Hack_Design/assets/84356407/f7416ce5-0e8e-42e0-8531-c80319fc0b85" /> <br /></p>
<h2 id="check-the-code-1"><a href="https://github.com/HusseinAdel7/Windows_Presentation_Foundatio_--WPF--/tree/main/Vendering%20Machine%20GUI">Check The Code</a></h2>
<h2 id="check-the-demonstration-video-1"><a href="https://drive.google.com/file/d/17oMwfh3fD_xsCPJrzUHfonRTMQi36IN8/view?usp=sharing">check the demonstration video</a></h2>
</blockquote>
<blockquote>
<h1 id="telegram-simulations-using-wpf-">Telegram Simulations Using WPF <br /></h1>
<p><img alt="Coding" width="600" src="https://github.com/HusseinAdel7/SQL_Server/assets/84356407/fc9b0264-f771-4331-a2b9-727ba0e8c5ec" /> <br /></p>
<h2 id="check-the-code-2"><a href="https://github.com/HusseinAdel7/Windows_Presentation_Foundatio_--WPF--/tree/main/ChatApp">Check The Code</a></h2>
<h2 id="check-the-demonstration-video-2"><a href="https://drive.google.com/file/d/1sct75bCv2n8KkQKqOjmoieNY2c39HMXp/view?usp=sharing">check the demonstration video</a></h2>
</blockquote>
Hussein Adel
Applications Using Windows Presentation Foundation (WPF) in C#
Windows Forms Applications
2023-09-01T00:00:00+00:00
2023-09-01T00:00:00+00:00
https://husseinadel7.github.io/huss3del.github.io/projects(.net,js)/Windows_Form_Applications
<blockquote>
<h1 id="applications-using-windows-form-in-c">Applications Using Windows Forms in C#</h1>
</blockquote>
<h1 id="please-find-the-following-applications">Please Find The Following Applications</h1>
<h3 id="al-azhar-plan-creation-project">Al Azhar Plan Creation Project</h3>
<h3 id="gurud-system-using-datagridview">GURUD System Using DataGridView</h3>
<h3 id="full-registration-form">Full Registration Form</h3>
<h3 id="simple-registration-form">Simple Registration Form</h3>
<h3 id="calculator">Calculator</h3>
<h3 id="converter">Converter<br /><br /></h3>
<blockquote>
<h1 id="al-azhar-plan-creation-project--">Al Azhar Plan Creation Project <br /></h1>
<p><img alt="Coding" width="600" src="https://github.com/HusseinAdel7/Facebook_Hack_Design/assets/84356407/cf63e257-d9c0-4228-b20e-db5a83e9bf29" /> <br /></p>
<h2 id="check-the-code"><a href="https://github.com/HusseinAdel7/Windows_Forms_Applications/tree/main/%D8%A7%D9%84%D8%A3%D8%B2%D9%87%D8%B1%20%D8%A7%D9%84%D8%B4%D8%B1%D9%8A%D9%81/%D8%A7%D9%84%D8%A3%D8%B2%D9%87%D8%B1%20%D8%A7%D9%84%D8%B4%D8%B1%D9%8A%D9%81">Check The Code</a></h2>
<h2 id="check-the-demonstration-video"><a href="https://drive.google.com/file/d/14wGLyWYPEtq5N_OS96dUBJOUsWU-lE4X/view?usp=sharing">check the demonstration video</a></h2>
</blockquote>
<blockquote>
<h1 id="gurud-system-using-datagridview--">GURUD System Using DataGridView <br /></h1>
<p><img alt="Coding" width="600" src="https://github.com/HusseinAdel7/SQL_Server/assets/84356407/5656bfd7-844b-4292-b5e8-af9911ccb742" /> <br /></p>
<h2 id="check-the-code-1"><a href="https://github.com/HusseinAdel7/Windows_Forms_Applications/tree/main/Dealing_With_DataGridView">Check The Code</a></h2>
<h2 id="check-the-demonstration-video-1"><a href="https://drive.google.com/file/d/1zlY-74-ik8SH0rftsytv0wY_rF_IBQ6T/view?usp=drive_link">check the demonstration video</a></h2>
</blockquote>
<blockquote>
<h1 id="full-registration-form--">Full Registration Form <br /></h1>
<p><img alt="Coding" width="600" src="https://github-production-user-asset-6210df.s3.amazonaws.com/84356407/257551619-c8514dd4-7f8a-45aa-8162-c08eddfab116.png" /> <br /></p>
<h2 id="check-the-code-2"><a href="https://github.com/HusseinAdel7/Windows_Forms_Applications/tree/main/Full_Registeration_Form">Check The Code</a></h2>
<h2 id="check-the-demonstration-video-2"><a href="https://drive.google.com/file/d/1c-rVAqbMVoqJzKXB0X2bbxw21_R5hjm9/view?usp=sharing">check the demonstration video</a></h2>
</blockquote>
<blockquote>
<h1 id="simple-registration-form--">Simple Registration Form <br /></h1>
<p><img alt="Coding" width="600" src="https://github-production-user-asset-6210df.s3.amazonaws.com/84356407/257552363-879ef752-c5e8-4fff-98ed-191c2486a6a5.png" /> <br /></p>
<h2 id="check-the-code-3"><a href="https://github.com/HusseinAdel7/Windows_Forms_Applications/tree/main/Registration_Page">Check The Code</a></h2>
<h2 id="check-the-demonstration-video-3"><a href="https://drive.google.com/file/d/1TK2YOb5N9NNenIuZ0Bt6K5kWTG-s3QmI/view?usp=sharing">check the demonstration video</a></h2>
</blockquote>
<blockquote>
<h1 id="calculator-">Calculator <br /></h1>
<p><img alt="Coding" width="600" src="https://github-production-user-asset-6210df.s3.amazonaws.com/84356407/257551654-9a5dee77-d6e7-4406-be57-6da36b8d1780.png" /> <br /></p>
<h2 id="check-the-code-4"><a href="https://github.com/HusseinAdel7/Windows_Forms_Applications/tree/main/Calculator">Check The Code</a></h2>
<h2 id="check-the-demonstration-video-4"><a href="https://drive.google.com/file/d/15pKVL3wkIQaejiU5OITgJtz7SLmMAxlN/view?usp=sharing">check the demonstration video</a></h2>
</blockquote>
<blockquote>
<h1 id="converter-">Converter <br /></h1>
<p><img alt="Coding" width="600" src="https://github-production-user-asset-6210df.s3.amazonaws.com/84356407/257551640-fef82640-b7a4-4028-a9dc-fdfe20a810cc.png" /> <br /></p>
<h2 id="check-the-code-5"><a href="https://github.com/HusseinAdel7/Windows_Forms_Applications/tree/main/Convertor">Check The Code</a></h2>
<h2 id="check-the-demonstration-video-5"><a href="https://drive.google.com/file/d/1E3OsmNx2CBS0ni5TYefQNnYU-PIanj5-/view?usp=sharing">check the demonstration video</a></h2>
</blockquote>
Hussein Adel
Applications Using Windows Forms in C#
OOP C# Applications
2023-08-01T00:00:00+00:00
2023-08-01T00:00:00+00:00
https://husseinadel7.github.io/huss3del.github.io/projects(.net,js)/OOP_Csharp
<blockquote>
<h1 id="applications-oop-in-c">OOP Applications in C#</h1>
</blockquote>
<h1 id="please-find-the-following-application">Please Find The Following Application</h1>
<h3 id="vending-machine">Vending Machine</h3>
<h4 id="customer-page">Customer Page</h4>
<h4 id="technical-support-page">Technical Support Page</h4>
<h4 id="admin-page">Admin Page</h4>
<h5 id="using-inheritance-abstraction-interface-and-encabslation-concepts">Using the Inheritance, Abstraction, Interface and Encapsulation Concepts</h5>
<blockquote>
<h1 id="vending-machine--">Vending Machine <br /></h1>
<p><img alt="Coding" width="600" src="https://github.com/HusseinAdel7/Facebook_Hack_Design/assets/84356407/b2641710-8622-474b-bb54-1f425ee84b89" /> <br /></p>
<h2 id="check-the-code"><a href="https://github.com/HusseinAdel7/OOP_CSharp/tree/main/Vendering%20Machine">Check The Code</a></h2>
<h2 id="check-the-demonstration-videos"><a href="https://drive.google.com/file/d/1TciVhFnpeiE5DUactwfuy5USrSuZTBqe/view?usp=sharing">check the demonstration videos</a></h2>
</blockquote>
Hussein Adel
OOP Applications in C#
Strong-Stego
2023-07-11T00:00:00+00:00
2023-07-11T00:00:00+00:00
https://husseinadel7.github.io/huss3del.github.io/graduation_project/Strong-Stego
<blockquote>
<h1 id="strong-stego">Strong-Stego</h1>
<h2 id="hiding-malware-in-an-image-with-a-different-steganographic-technique">Hiding malware in an image with a different steganographic technique</h2>
<h2 id="using-a-different-technique-for-the-lsb-model">Using a different technique for the LSB model</h2>
<h2 id="some-functions-in-the-following-">Main functions:</h2>
<p>1- Implementing two malware samples (an info stealer and ransomware)<br />
2- Embedding the two samples in an image using a newly proposed method based on LSB<br />
3- Sending the image to a victim<br />
4- Stealing all information about the victim (device information, passwords saved in browsers)<br />
5- Sending the stolen information to the attacker<br />
6- Encrypting all of the victim’s data<br /></p>
<h2 id="skills">Skills:</h2>
<h4 id="steganography">Steganography</h4>
<h4 id="security">Security</h4>
<h4 id="python-programming-language">Python (Programming Language)</h4>
<h4 id="networking">Networking</h4>
<h4 id="image-processing">Image Processing</h4>
<h2 id="here-are--screenshoots-of-the-project">Here are screenshots of the project</h2>
</blockquote>
<p><img alt="Coding" width="600" src="https://github.com/HusseinAdel7/SQL_Server/assets/84356407/6e9bc0e6-053b-4880-a76b-9b4421730c61" /> <br /><br />
<img alt="Coding" width="600" src="https://github.com/HusseinAdel7/SQL_Server/assets/84356407/2c717319-7bb3-49d9-98b2-83fb4793efe6" /> <br /><br />
<img alt="Coding" width="600" src="https://github.com/HusseinAdel7/SQL_Server/assets/84356407/a8c6fb8d-e2ee-4828-80af-66cb084fa58f" /> <br /><br />
<img alt="Coding" width="600" src="https://github.com/HusseinAdel7/SQL_Server/assets/84356407/d49729e0-d6d4-42d4-bd71-7930cd946994" /> <br /><br />
<img alt="Coding" width="600" src="https://github.com/HusseinAdel7/SQL_Server/assets/84356407/3786027e-61db-4543-aefe-29e0761228d2" /> <br /><br />
<img alt="Coding" width="600" src="https://github.com/HusseinAdel7/SQL_Server/assets/84356407/be333288-3a1f-4ea9-ba86-4bd2e49c8cd5" /> <br /><br />
<img alt="Coding" width="600" src="https://github.com/HusseinAdel7/SQL_Server/assets/84356407/9e82f6d5-37e7-44c0-9f3b-8818d4be1840" /> <br /><br />
<img alt="Coding" width="600" src="https://github.com/HusseinAdel7/SQL_Server/assets/84356407/2db05da7-c2b4-4a13-b455-8216afd1f701" /> <br /><br /></p>
<h1 id="please-find-the-documentation-and-code-for-my-project">Please Find The Documentation and Code For My Project</h1>
<h2 id="check-them-out-"><a href="https://github.com/HusseinAdel7/Graduation_Project">Check Them Out</a></h2>
Hussein Adel
Strong-Stego Hiding malware in an image with a different steganographic technique Using A different Technique For the LSB Model Some Functions in the following:- 1- Implementing two malware (info stealer and ransomware) 2- Embedding two malware in an Image using a newly proposed method based on LSB 3- Sending the image to a victim 4- Stealing all information about the victim (device information, passwords on browsers) 5- Sending the stolen information to the attacker 6- Encrypt all victim’s data Skills: Steganography Security Python (Programming Language) Networking Image Processing Here are ScreenShoots Of The Project
Alazhar Plan Project
2023-07-10T00:00:00+00:00
2023-07-10T00:00:00+00:00
https://husseinadel7.github.io/huss3del.github.io/projects(.net,js)/Alazhar_Plan_Project
<blockquote>
<h1 id="a-website-for-generating-a-plan-for-the-student-welfare-department">A Website For Generating A Plan For The Student Welfare Department</h1>
<h2 id="using-html-animation-css-css3-and-javascript">Using HTML, CSS/CSS3 Animation And JavaScript</h2>
</blockquote>
<h2 id="check-it-out-"><a href="https://husseinadel7.github.io/Alazhar_Plan_Project/">Check It Out</a></h2>
Hussein Adel
A website For Generating A Plan For The Student Welfare Department Using Html, Animation, CSS, CSS3 And Javascript
DarkSide Ransomware Analysis
2023-03-12T00:00:00+00:00
2023-03-12T00:00:00+00:00
https://husseinadel7.github.io/huss3del.github.io/various_projects/DarkSide%20Ransomware%20Analysis
<h1 id="introduction">Introduction</h1>
<p>Ransomware is a type of malware that prevents users from accessing their system or files and demands that a ransom be paid to regain access.
Victims are shown instructions on how to pay the ransom to obtain a decryption key that decrypts their files and gives them back.</p>
<h1 id="whats-darkside-ransomware">What’s DarkSide Ransomware</h1>
<ul>
<li>
<p>The threat actors behind DarkSide ransomware are of Russian origin and are likely former affiliates of the REvil RaaS (ransomware-as-a-service) group.</p>
</li>
<li>
<p>DarkSide ransomware first appeared in August 2020.</p>
</li>
<li>
<p>DarkSide ransomware operates as ransomware-as-a-service (RaaS).</p>
</li>
</ul>
<h1 id="full-analysis">Full Analysis</h1>
<p>Here I covered all aspects of the analysis: static, dynamic, advanced static and advanced dynamic analysis,<br /> with pictures from each stage to make it easier to follow. So, let’s start.</p>
<h1 id="static-analysis">Static Analysis</h1>
<p>MD5: 0202E80ABE75635256443CB5FD7C0283<br />
SHA1: A78851A9490DA007771DA340EC8F8C96745D8913<br />
SHA256: 9BD51F68587E0E49E8C0F8225BC8C3FEAC453EBD6B34B0ABA91C493CE75F4E80<br /></p>
<h3 id="virustotal">Virustotal</h3>
<p><img src="https://user-images.githubusercontent.com/84356407/195300493-21036bee-bf8f-49a8-99a3-64be2db7f0e7.png" width="600" /></p>
<h3 id="unpacked">Unpacked</h3>
<p>This sample is not packed; this was checked with DIE (Detect It Easy).<br />
<img src="https://user-images.githubusercontent.com/84356407/195300518-9b0727a2-75d3-4f16-8cb1-46114461e344.png" width="500" /><br /></p>
<h3 id="strings">Strings</h3>
<p>When looking for strings, I did not find many readable strings in this sample.<br />
<img src="https://user-images.githubusercontent.com/84356407/195301825-91b279d6-8c1d-48c1-8446-85e69341342e.png" width="500" /></p>
<h1 id="dynamic-analysis">Dynamic Analysis</h1>
<ul>
<li>When you run the sample, it immediately creates a process under its own name, as shown:<br />
<img src="https://user-images.githubusercontent.com/84356407/195307539-eaa243b3-7da1-4f4e-b24b-d01cef1dfa21.png" width="400" /></li>
<li>Then it encrypts the file system, as shown:<br />
<img src="https://user-images.githubusercontent.com/84356407/195307560-edd57f5d-68be-4f46-9cb9-3b572bb6999a.png" width="400" /></li>
<li>The encrypted file extension is .f1f25696, as shown:<br />
<img src="https://user-images.githubusercontent.com/84356407/195307576-90f9bb8b-836d-4163-b5b8-5ddfb7302489.png" width="400" /></li>
<li>The desktop wallpaper is changed, as shown:<br />
<img src="https://user-images.githubusercontent.com/84356407/195307591-62065fec-9f9b-4c88-aee5-fbf4dc0465b0.png" width="400" /></li>
</ul>
<h1 id="advanced-static-analysis">Advanced Static Analysis</h1>
<p>I faced several difficulties while analyzing the assembly code in IDA:</p>
<ul>
<li>There are many loops inside the functions.</li>
<li>The third function called from main is very long, and I could not extract anything useful from it.</li>
<li>There are no imported APIs that could help with the analysis.</li>
<li>There are many indirect calls such as “call dword_4208D0”, i.e. calls through pointers stored in the data section; this is most likely runtime API resolution, with the resolved addresses written into locations like “dword_4208D0”.</li>
<li>The sample builds its own import address table, which makes the analysis harder for analysts.</li>
</ul>
<p float="left">
<img src="https://user-images.githubusercontent.com/84356407/195363925-8dd57703-7fec-4626-9726-e7347d24923b.png" width="200" />
<img src="https://user-images.githubusercontent.com/84356407/195363935-aeef7184-c83f-449e-a0e1-06ea4996a5aa.png" width="200" />
<img src="https://user-images.githubusercontent.com/84356407/195363948-7f5729e8-2b96-43c2-b64c-725c5e83a449.png" width="200" />
<img src="https://user-images.githubusercontent.com/84356407/195363972-095251dd-0d53-48db-839f-386ef63aadce.png" width="300" />
</p>
<h1 id="advanced-dynamic-analysis">Advanced Dynamic Analysis</h1>
<ul>
<li>First of all, this malware checks the installed language of the victim’s device, as shown:
<img src="https://user-images.githubusercontent.com/84356407/195850165-73b0bcff-5acc-4b33-accb-e29bb2dd612b.png" width="600" /></li>
<li>Then it loads DLLs and resolves functions
<img src="https://user-images.githubusercontent.com/84356407/195850512-ce86fc6e-0bbd-47a5-84e2-8d4ebadd2ebf.png" width="600" /></li>
<li>
<p>From kernel32.dll it loads two functions, “LoadLibraryA” and “GetProcAddress”, which it then uses to resolve the other functions it needs, as shown:<br />
<img src="https://user-images.githubusercontent.com/84356407/195850723-d51a2d59-002a-4f8b-bf28-65e2cc2399d4.png" width="600" /></p>
</li>
<li>All loaded DLLs and the functions resolved from them:
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>This Function For Resolving Functions From DLL
The Resolved Function is : <ntdll.ZwClose> (77E92AA0)
The Resolved Function is : <kernel32.SetEvent> (77C53080)
DLL Loaded: 77610000 C:\Windows\SysWOW64\advapi32.dll
DLL Loaded: 77710000 C:\Windows\SysWOW64\msvcrt.dll
Thread 240 created, Entry: ntdll.77E55900, Parameter: 00724540
DLL Loaded: 77690000 C:\Windows\SysWOW64\sechost.dll
DLL Loaded: 766F0000 C:\Windows\SysWOW64\rpcrt4.dll
Thread 80 created, Entry: ntdll.77E55900, Parameter: 00724540
The Resolved Function is : <advapi32.ConvertSidToStringSidW> (7762E4C0)
DLL Loaded: 76850000 C:\Windows\SysWOW64\user32.dll
DLL Loaded: 77A60000 C:\Windows\SysWOW64\win32u.dll
DLL Loaded: 75DD0000 C:\Windows\SysWOW64\gdi32.dll
DLL Loaded: 77440000 C:\Windows\SysWOW64\gdi32full.dll
DLL Loaded: 75D50000 C:\Windows\SysWOW64\msvcp_win.dll
DLL Loaded: 777E0000 C:\Windows\SysWOW64\ucrtbase.dll
Thread 1348 created, Entry: ntdll.77E55900, Parameter: 00724540
DLL Loaded: 76F70000 C:\Windows\SysWOW64\imm32.dll
The Resolved Function is : <user32.CloseDesktop> (76891730)
The Resolved Function is : <gdi32.GetTextExtentPoint32W> (75DD6BF0)
DLL Loaded: 77520000 C:\Windows\SysWOW64\ole32.dll
DLL Loaded: 76AE0000 C:\Windows\SysWOW64\combase.dll
The Resolved Function is : <combase.CoSetProxyBlanket> (76C176E0)
DLL Loaded: 767B0000 C:\Windows\SysWOW64\oleaut32.dll
The Resolved Function is : <oleaut32.VariantClear> (767CE610)
DLL Loaded: 75E00000 C:\Windows\SysWOW64\shell32.dll
The Resolved Function is : <shell32.ShellExecuteW> (75F555A0)
DLL Loaded: 77990000 C:\Windows\SysWOW64\shlwapi.dll
The Resolved Function is : <shlwapi.PathRemoveFileSpecW> (779A4FB0)
DLL Loaded: 72F50000 C:\Windows\SysWOW64\wininet.dll
The Resolved Function is : <wininet.HttpSendRequestW> (73225720)
DLL Loaded: 75CD0000 C:\Windows\SysWOW64\netapi32.dll
DLL Loaded: 75CB0000 C:\Windows\SysWOW64\wkscli.dll
DLL Loaded: 75C90000 C:\Windows\SysWOW64\srvcli.dll
DLL Loaded: 75B80000 C:\Windows\SysWOW64\logoncli.dll
The Resolved Function is : <logoncli.DsGetDcCloseW> (75B9F870)
DLL Loaded: 75C60000 C:\Windows\SysWOW64\wtsapi32.dll
The Resolved Function is : <wtsapi32.QueryUserToken> (75C61930)
DLL Loaded: 75AF0000 C:\Windows\SysWOW64\activeds.dll
DLL Loaded: 75AB0000 C:\Windows\SysWOW64\adsldpc.dll
DLL Loaded: 76D60000 C:\Windows\SysWOW64\Wldap32.dll
The Resolved Function is : <activeds.ADsFreeEnumerator> (75B10670)
DLL Loaded: 75B50000 C:\Windows\SysWOW64\userenv.dll
The Resolved Function is : <userenv.DestroyEnvironmentBlock> (75B57F30)
DLL Loaded: 736D0000 C:\Windows\SysWOW64\mpr.dll
The Resolved Function is : <mpr.WNetGetUniversalNameW> (736E1100)
DLL Loaded: 75A40000 C:\Windows\SysWOW64\RstrtMgr.dll
DLL Loaded: 75A10000 C:\Windows\SysWOW64\ncrypt.dll
DLL Loaded: 779E0000 C:\Windows\SysWOW64\bcrypt.dll
DLL Loaded: 759E0000 C:\Windows\SysWOW64\ntasn1.dll
The Resolved Function is : <rstrtmgr.RmEndSession> (75A477E0)
</code></pre></div> </div>
</li>
<li>After checking the device language and resolving the APIs it needs, it looks for a mutex named “Global”. If the mutex exists, it shuts down and exits; if it does not exist, it creates a mutex with that name and keeps running, as shown:
<img src="https://user-images.githubusercontent.com/84356407/195852331-02587ef8-de62-4274-80c6-18383fb3d0e3.png" width="600" /></li>
<li>Then it decodes the string “SOFTWARE\Microsoft\Cryptography”, which is a registry key, as shown: <br />
<img src="https://user-images.githubusercontent.com/84356407/195852642-ab3eeaa8-b5a8-432f-bb0d-194d932b80d8.png" width="600" /></li>
<li>Then it reads the machine GUID of this device, which it uses to generate the extension for this sample, as shown: <br />
<img src="https://user-images.githubusercontent.com/84356407/195852788-71222b79-8349-407d-91a5-c4a66fc29a4b.png" width="600" /></li>
<li>Then it generates the extension “.f1f25696” from the machine GUID: <br />
<img src="https://user-images.githubusercontent.com/84356407/196274208-5b9e7869-fdf7-4e2a-8c5e-e3cfa1799597.png" width="600" /></li>
<li>Then it checks whether the token is a member of RID 0x220 (DOMAIN_ALIAS_RID_ADMINS, the local Administrators group) or not
<img src="https://user-images.githubusercontent.com/84356407/196465385-43af5d65-e3ee-41e0-b106-650e7ea31dca.png" width="600" /></li>
<li>Then it gets more information about the token membership
<img src="https://user-images.githubusercontent.com/84356407/196473018-48459fbb-0d21-46ad-8215-6e047cc6d3cd.png" width="600" /></li>
<li>Then it creates a COM object to run
<img src="https://user-images.githubusercontent.com/84356407/196549801-eddaf046-dd24-4b76-9085-d070c3c26725.png" width="600" /></li>
<li>Then it decodes two strings, “Elevation:Administrator!new:” and “{3E5FC7F9-9A51-4367-9063-A120244FBEC7}”; together they form a COM elevation moniker whose CLSID is used for privilege escalation (UAC bypass)
<img src="https://user-images.githubusercontent.com/84356407/196557569-a3ee46bd-5838-4135-9f1d-cc525a46d02d.png" width="600" /></li>
<li>Then it decodes the path to system32 and to dllhost.exe, which it uses to run the malware through COM<br />
<img src="https://user-images.githubusercontent.com/84356407/196558746-d63f3070-8691-4ab3-9623-772cbb70b1b1.png" width="600" /><br />
<img src="https://user-images.githubusercontent.com/84356407/196558757-d2edf632-2622-4e76-91eb-1c475a03dbd6.png" width="600" /><br />
<img src="https://user-images.githubusercontent.com/84356407/196558954-bffd89a6-c630-4085-8108-f8a06627e3f3.jpg" width="600" /></li>
<li>Then it creates a process <br />
<img src="https://user-images.githubusercontent.com/84356407/196563975-2a63d182-9e55-4916-b240-6146604002ad.png" width="600" /></li>
<li>Then it checks whether it is running under NT AUTHORITY or not <br />
<img src="https://user-images.githubusercontent.com/84356407/196564462-cbb85930-7876-45a7-940a-4e720b1da856.PNG" width="600" /></li>
<li>Then it looks for a service named with the “.f1f25696” extension; if it finds one, it deletes that service and re-creates it <br />
<img src="https://user-images.githubusercontent.com/84356407/196565252-12cd4199-fa22-409d-8059-5826b19aa81a.PNG" width="600" />
<img src="https://user-images.githubusercontent.com/84356407/196565879-67ade26d-7abc-4501-8f8c-72811d02df22.PNG" width="600" /></li>
<li>Then a service named with the “.f1f25696” extension is created
<img src="https://user-images.githubusercontent.com/84356407/196566351-83f5f9c7-bd09-4ca0-a300-e09260629b8d.png" width="600" /></li>
<li>It creates the ransom-note file “README.f1f25696.txt”; this file is dropped in every encrypted directory
<img src="https://user-images.githubusercontent.com/84356407/196647607-f9abe8de-101f-4c92-ac48-317fd563c932.png" width="600" /></li>
<li>The file content is: <br /></li>
</ul>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>----------- [ Welcome to DarkSide ] ------------->
What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network.
Follow our instructions below and you will recover all your data.
Data leak
----------------------------------------------
First of all we have downloaded more then 500GB data from your network.
Included:
-Accounting data
-Finance data
-HR
-Employees confidential data(photos, benefits, taxes, etc)
-Marketing
-Budgets
-Taxes(sales tax compliance, property, income and franchise taxes, etc)
-Payrolls
-Banking data
-Arbitration
-Scans
-Insurance
-Reconciliations
-Reports(monthly bank inventory, monthly financial, claims reports, etc)
-Audits(DHG, insurance audits, etc)
-B2B clients config data
-Confidentiality 2020
-2020, 2021 Business plans
-2019, 2020, 2021 years Closing (full dumps)
-and a lot of other sensitive data
Your personal leak page: http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q
On the page you will find examples of files that have been downloaded.
The data is preloaded and will be automatically published if you do not pay.
After publication, your data will be available for at least 6 months on our tor cdn servers.
We are ready:
- To provide you the evidence of stolen data
- To delete all the stolen data.
What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
We guarantee to decrypt one file for free. Go to the site and contact us.
How to get access on website?
----------------------------------------------
Using a TOR browser:
1) Download and install TOR browser from this site: https://torproject.org/
2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM
When you open our website, put the following data in the input form:
Key:
!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!!
</code></pre></div></div>
<ul>
<li>Then it starts to read paths on the computer and encrypt them
<img src="https://user-images.githubusercontent.com/84356407/196647928-2d14440e-c323-4e22-8187-b07106a636c6.png" width="600" /></li>
</ul>
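<p>The API-resolution trace and the decoded strings quoted in the advanced dynamic analysis above are exactly what a responder wants to turn into behaviour tags (file-lock release through the Restart Manager before encryption, outbound HTTP, domain enumeration, the COM elevation moniker). The following Python script is an added example and is not part of the original analysis: it parses trace lines in the two formats shown above (“DLL Loaded: …” and “The Resolved Function is : &lt;module.Function&gt; (address)”), maps resolved imports and decoded strings to tags, and reports the evidence for each. The capability tables, the sample trace subset and the decoded-string list are constructed for this example.</p>

```python
"""Capability tagging for an API-resolution trace.

Added example, not part of the original analysis: it parses debugger-style
trace lines in the two formats quoted above ("DLL Loaded: <base> <path>" and
"The Resolved Function is : <module.Function> (<address>)") and maps the
resolved imports and decoded strings to behaviours a responder cares about.
The capability tables and the sample trace are constructed for this example.
"""
import re
from collections import defaultdict

DLL_RE = re.compile(r"^DLL Loaded: ([0-9A-Fa-f]{8}) (.+)$")
FUNC_RE = re.compile(
    r"^The Resolved Function is : <([^.>]+)\.([^>]+)> \(([0-9A-Fa-f]{8})\)$"
)

# (module, function) -> behaviour. Constructed from the APIs the analysis
# above observed being resolved at runtime.
CAPABILITIES = {
    ("rstrtmgr", "RmEndSession"): "restart-manager: releases file locks before encryption",
    ("wininet", "HttpSendRequestW"): "network: outbound HTTP request",
    ("shell32", "ShellExecuteW"): "execution: launches another program",
    ("combase", "CoSetProxyBlanket"): "com: proxy security set (seen with elevated COM use)",
    ("advapi32", "ConvertSidToStringSidW"): "identity: SID / group-membership inspection",
    ("wtsapi32", "QueryUserToken"): "identity: obtains a logged-on user's token",
    ("logoncli", "DsGetDcCloseW"): "domain: domain-controller discovery",
    ("activeds", "ADsFreeEnumerator"): "domain: Active Directory enumeration",
    ("mpr", "WNetGetUniversalNameW"): "network: mapped drive to UNC path resolution",
    ("user32", "CloseDesktop"): "desktop: desktop handle use (wallpaper change)",
}

# Libraries that hint at intent even before any function is resolved from them.
DLL_TAGS = {
    "bcrypt.dll": "crypto: CNG primitives available",
    "ncrypt.dll": "crypto: key-storage provider available",
}

# Decoded strings quoted in the analysis above and what they signal.
STRING_INDICATORS = {
    "Elevation:Administrator!new:": "uac-bypass: COM elevation moniker",
    "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}": "uac-bypass: CMSTPLUA CLSID",
    "SOFTWARE\\Microsoft\\Cryptography": "fingerprinting: MachineGuid lookup",
}


def parse_trace(lines):
    """Return (loaded_dlls, resolved_functions); lines in other formats are ignored."""
    dlls, resolved = [], []
    for raw in lines:
        line = raw.strip()
        m = DLL_RE.match(line)
        if m:
            dlls.append((m.group(1).upper(), m.group(2)))
            continue
        m = FUNC_RE.match(line)
        if m:
            resolved.append((m.group(1).lower(), m.group(2), m.group(3).upper()))
    return dlls, resolved


def tag_capabilities(lines, decoded_strings=()):
    """Map a trace plus any decoded strings to {behaviour tag: [evidence]}."""
    dlls, resolved = parse_trace(lines)
    tags = defaultdict(list)
    for _, path in dlls:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in DLL_TAGS:
            tags[DLL_TAGS[name]].append(name)
    for module, func, _ in resolved:
        tag = CAPABILITIES.get((module, func))
        if tag:
            tags[tag].append(f"{module}.{func}")
    for s in decoded_strings:
        for needle, tag in STRING_INDICATORS.items():
            if needle.lower() in s.lower():
                tags[tag].append(s)
    return dict(tags)


# Constructed sample: a subset of the trace quoted above.
SAMPLE_TRACE = r"""
The Resolved Function is : <ntdll.ZwClose> (77E92AA0)
DLL Loaded: 77610000 C:\Windows\SysWOW64\advapi32.dll
The Resolved Function is : <advapi32.ConvertSidToStringSidW> (7762E4C0)
The Resolved Function is : <shell32.ShellExecuteW> (75F555A0)
DLL Loaded: 72F50000 C:\Windows\SysWOW64\wininet.dll
The Resolved Function is : <wininet.HttpSendRequestW> (73225720)
DLL Loaded: 75A40000 C:\Windows\SysWOW64\RstrtMgr.dll
DLL Loaded: 779E0000 C:\Windows\SysWOW64\bcrypt.dll
The Resolved Function is : <rstrtmgr.RmEndSession> (75A477E0)
""".splitlines()

# Constructed sample of strings decoded during the run.
SAMPLE_DECODED = [
    "SOFTWARE\\Microsoft\\Cryptography",
    "Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
    "Global",
]

if __name__ == "__main__":
    for tag, evidence in sorted(tag_capabilities(SAMPLE_TRACE, SAMPLE_DECODED).items()):
        print(f"{tag:55s} <- {', '.join(evidence)}")
```

<p>Run it on a real trace by passing the log’s lines to <code>tag_capabilities</code>; unmatched lines are skipped, so the whole debugger log can be fed in unchanged. The tag table is deliberately small and keyed on (module, function) pairs rather than bare names, so that a resolved function is only counted when it comes from the module the analysis saw it in.</p>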
<h1 id="how-to-prevent-darkside-ransomware-attacks">How to Prevent DarkSide Ransomware Attacks</h1>
<ul>
<li>Use up-to-date malware detection tools and techniques.</li>
<li>Back up your files.</li>
<li>Use more than one authentication factor (complex passwords, fingerprints, …).</li>
<li>Monitor privileged account access.</li>
</ul>
<h1 id="summarization">Summarization</h1>
<p>In this article we analyzed the DarkSide ransomware, which encrypts the file system and demands a ransom to decrypt the files.<br /> We then listed a few steps to protect yourself and prevent such an attack.
If you found this analysis useful, feedback on it is welcome. <br />
Thanks ☺♥</p>
Hussein Adel
Introduction Ransomware is a type of malware that prevents users from accessing their system or files and demands that a ransom be paid to regain access. Users are shown instructions on how to pay a ransom to obtain a decryption key to decrypt their files and get them back.
SQL Commands
2023-03-10T00:00:00+00:00
2023-03-10T00:00:00+00:00
https://husseinadel7.github.io/huss3del.github.io/projects(.net,js)/SQL_Commands
<blockquote>
<h1 id="sql-commands">SQL Commands</h1>
<h2 id="working-on-company-database-you-can-find-it-in-the-attached-link">Working On The Company Database, Which You Can Find In The Attached Link</h2>
<h3 id="find-the-company-db-with-a-simple-visualization-for-its-table-and-relationships">Find The Company DB With A Simple Visualization Of Its Tables And Relationships</h3>
<h3 id="find-files-for-the-sql-commands-about-the-company-database">Find The Files For The SQL Commands On The Company Database</h3>
<h2 id="please-find-the-following-commands">Please Find The Following Commands</h2>
<h3 id="file-grouping">File Grouping</h3>
<h3 id="trigger">trigger</h3>
<h3 id="transaction">Transaction</h3>
<h3 id="subquery">SubQuery</h3>
<h3 id="operatorslikeonbetween--join">Operators(LIKE,ON,BETWEEN) && JOIN</h3>
<h3 id="functions-and-procedures">Functions and Procedures</h3>
<h3 id="error-handling">Error Handling</h3>
<h3 id="dml">DML</h3>
<h3 id="constraints">Constraints</h3>
</blockquote>
<h2 id="check-them-out-"><a href="https://github.com/HusseinAdel7/SQL_Server">Check Them Out</a></h2>
Hussein Adel
SQL Commands Working On Company Database You Can Find It In The Attached Link Find The Company DB With a Simple Visualization For Its Table And Relationships Find Files For The SQL Commands About The Company Database Please Find The Following Commands File Grouping trigger Transaction SubQuery Operators(LIKE,ON,BETWEEN) && JOIN Functions and Procedures Error Handling DML Constraints
Analysis of a Keylogger
2023-02-10T00:00:00+00:00
2023-02-10T00:00:00+00:00
https://husseinadel7.github.io/huss3del.github.io/various_projects/Analysis%20A%20Keylogger
<h1 id="keylogger">Keylogger</h1>
<p>Keyloggers are a particularly insidious type of spyware that records and steals the user’s keystrokes on a device. In short, they are software that logs what you type on your keyboard.</p>
<h1 id="sample-overview">Sample overview</h1>
<p>md5 : A7F21E412022554D187D6A876A3C08AC</p>
<p>sha1 : 70E39BDFCAA4BCF0021311E8298266E527CF7C97</p>
<p>sha256 : 9B683D2FDA7CA7ADCC043E4412271009A0E115CA55F9A718C385A3F46B57AE6B</p>
<h3 id="virustotal">Virustotal</h3>
<p><img src="https://user-images.githubusercontent.com/84356407/178140235-94f78b7c-d6af-4a86-8975-8d7c35f68f69.png" width="600" /></p>
<h3 id="unpacked">Unpacked</h3>
<p>This sample is not packed; this was checked with DIE, ExeInfo and PEiD.</p>
<p><img src="https://user-images.githubusercontent.com/84356407/178139617-b804e8bc-074d-428c-b6c2-3a4c09c9e44e.png" width="500" /></p>
<h3 id="strings">Strings</h3>
<p><img src="https://user-images.githubusercontent.com/84356407/178142954-278e5f6b-ff1f-4ab0-80c9-dd0d1a3b0c67.png" width="300" /></p>
<h1 id="how-it-works">How does it work?</h1>
<p>By examining the main function of this sample, we find that it calls ‘SetWindowsHookExA’ to install a hook of type ‘WH_KEYBOARD_LL’, which is specific to low-level keyboard events, and points it at the hook procedure ‘Hooking_Keyboard_Fun’, as shown in the following picture:</p>
<p><img src="https://user-images.githubusercontent.com/84356407/178153358-d46daa19-cb66-4381-8492-70199eca9801.png" width="400" />
<br /><br />Inside ‘Hooking_Keyboard_Fun’ we find a call to ‘KeyLogging_Fun’, as shown in the following picture:</p>
<p><img src="https://user-images.githubusercontent.com/84356407/178153830-083069a9-06d3-4aa7-87af-5c638712db61.png" width="400" />
<br /><br />Examining ‘KeyLogging_Fun’ shows the following:</p>
<p>First, it creates a file named ‘practicalmalwareanalysis.log’ by calling ‘CreateFileA’, in which it records everything typed on the keyboard, as shown in the following picture:</p>
<p><img src="https://user-images.githubusercontent.com/84356407/178156194-7c894054-9572-416c-a875-18a7f2e2d63a.png" width="400" />
<br /><br />Into this file it records the name of the window you have open, obtained by calling ‘GetForegroundWindow’, as shown in the following picture:</p>
<p><img src="https://user-images.githubusercontent.com/84356407/178156200-f85c2643-7757-425e-81a0-bf0c13c43d09.png" width="400" />
<br /><br />It records the window name in the pattern “[Window: New Tab - window name]”, as shown in the following pictures:<br /><br />
<img src="https://user-images.githubusercontent.com/84356407/178156205-ce6acb23-acbd-4761-ab3c-ad4c697ef822.png" width="400" /><br />
<img src="https://user-images.githubusercontent.com/84356407/178156450-1c64ee3c-80b7-4788-b7a9-debee841d02e.png" width="500" /></p>
<p><br />Then it records everything typed on the keyboard, but first it runs a comparison through its switch cases to check whether you pressed ‘Backspace’, ‘Ctrl’, a number, etc. Then it records these keystrokes, as shown in the following picture:<br /><br /></p>
<p><img src="https://user-images.githubusercontent.com/84356407/178156226-06d41da3-a783-48ff-a634-de052cf8b74d.png" width="500" />
<br /><br />Then it closes the handle to the file ‘practicalmalwareanalysis.log’ by calling the ‘CloseHandle’ function, as shown in the following picture:<br />
<img src="https://user-images.githubusercontent.com/84356407/178156229-ee146033-8f11-45a0-b2d4-6b994c7d858e.png" width="500" /><br /><br /></p>
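As an added example (not part of the original write-up), the following Python script parses a log in the format described above, the way an incident responder would triage a recovered ‘practicalmalwareanalysis.log’ to see what was captured. The layout is an assumption based on the screenshots: a “[Window: …]” line starts each section, followed by raw keystrokes with special keys written as bracketed tokens such as [BACKSPACE], [SHIFT], [TAB] and [CAPS LOCK]; the sample log is constructed.

```python
import re
from typing import List, Tuple

# Constructed sample log; the layout is an assumption based on the
# screenshots in the write-up ("[Window: ...]" header, then keystrokes
# with special keys written as bracketed tokens).
SAMPLE_LOG = (
    "[Window: New Tab - Google Chrome]\n"
    "mail.exampel[BACKSPACE][BACKSPACE]le.com\n"
    "[Window: Untitled - Notepad]\n"
    "[SHIFT]hello[TAB]wor[BACKSPACE]rld[CAPS LOCK]\n"
)

WINDOW_RE = re.compile(r"^\[Window: (.*)\]$")
# Either a bracketed special-key token or a single typed character.
TOKEN_RE = re.compile(r"\[[A-Z ]+\]|.", re.DOTALL)

# Tokens that only change keyboard state and produce no text.
MODIFIERS = {"[SHIFT]", "[CAPS LOCK]"}
# Tokens that map to a literal character in the reconstructed text.
LITERALS = {"[TAB]": "\t"}


def reconstruct(keystrokes: str) -> str:
    """Replay keystrokes: apply [BACKSPACE], drop modifiers, keep text."""
    buf: List[str] = []
    for tok in TOKEN_RE.findall(keystrokes):
        if tok == "[BACKSPACE]":
            if buf:
                buf.pop()
        elif tok in MODIFIERS:
            continue
        elif tok in LITERALS:
            buf.append(LITERALS[tok])
        else:
            buf.append(tok)
    return "".join(buf)


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Split the log into (window title, reconstructed text) pairs."""
    sections: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        m = WINDOW_RE.match(line)
        if m:
            sections.append((m.group(1), []))
        elif sections:
            sections[-1][1].append(line)
        # Keystrokes before any window header are discarded.
    return [(title, reconstruct("".join(lines))) for title, lines in sections]
```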
<h1 id="iocs-">IOCs <br /></h1>
<h3 id="hashes">Hashes</h3>
<p>SHA256: 9B683D2FDA7CA7ADCC043E4412271009A0E115CA55F9A718C385A3F46B57AE6B</p>
<h3 id="functions">Functions</h3>
<ul>
<li>WriteFile</li>
<li>GetForegroundWindow</li>
<li>SetWindowsHookExA</li>
</ul>
<h3 id="strings-1">Strings</h3>
<ul>
<li>practicalmalwareanalysis.log</li>
<li>[SHIFT]</li>
<li>[TAB]</li>
<li>[BACKSPACE]</li>
<li>[CAPS LOCK]</li>
</ul>
<h1 id="sumerization">Summary</h1>
<p>This malware, a keylogger, creates a file called ‘practicalmalwareanalysis.log’ and then records everything typed on the keyboard. The following picture shows its behaviour after running the sample:</p>
<p><img src="https://user-images.githubusercontent.com/84356407/178157096-6f599656-2aa4-4c40-a687-169987f8eeb9.png" width="500" /></p>
Hussein Adel
Keylogger: keyloggers are a particularly insidious type of spyware that can record and steal the user’s keystrokes on a device. They are software that logs what you type on your keyboard.
Employee Registration Using Laravel and MySQL
2023-01-10T00:00:00+00:00 2023-01-10T00:00:00+00:00
https://husseinadel7.github.io/huss3del.github.io/projects(.net,js)/Employee_Registeration
<blockquote>
<h1 id="a-website-for-registeration-emolyees-in-a-databade">A website for registering employees in a database</h1>
<h2 id="using-html-css-bootstrap-php-laravel-and-mysql">Using HTML, CSS, Bootstrap, PHP, Laravel and MySQL</h2>
</blockquote>
<h2 id="check-it-out-"><a href="https://github.com/HusseinAdel7/Employee_Registeration_Using_Laravel_and-Mysql/raw/main/laravel.mp4">Check It Out</a></h2>
Hussein Adel
Analysis ClickMe .NET
2023-01-02T00:00:00+00:00 2023-01-02T00:00:00+00:00
https://husseinadel7.github.io/huss3del.github.io/analyze_.net_malware/Analysis%20ClickMe
<h1 id="introduction">Introduction</h1>
<p>This challenge is called ClickMe. It is written in .NET.</p>
<h1 id="how-it-works">How it works</h1>
<ul>
<li>First, if you run the exe file (ClickMe), a message box appears as follows:
<img src="https://user-images.githubusercontent.com/84356407/205482766-fcd57e56-5c76-457b-89e9-060218894060.png" width="300" /></li>
<li>After clicking “OK” there are three monsters you must beat; depending on each monster’s “hp” you must click a certain number of times, as follows:</li>
</ul>
<p float="left">
<img src="https://user-images.githubusercontent.com/84356407/205482771-e52f2904-c123-46d4-9ee2-9bbbb73477bd.png" width="200" />
<img src="https://user-images.githubusercontent.com/84356407/205482772-efe3e468-6ca5-40e7-8cf6-488355ee1114.png" width="200" />
<img src="https://user-images.githubusercontent.com/84356407/205482782-95dc8042-22f5-462f-90a9-104eadaab222.png" width="200" />
<img src="https://user-images.githubusercontent.com/84356407/205482784-9fcf5047-af67-4fd7-b1a8-bcd7263a9b23.png" width="200" />
</p>
<ul>
<li>But the third monster requires 100,000,000 clicks to beat, as follows:
<img src="https://user-images.githubusercontent.com/84356407/205482787-cb10d0df-f82c-43df-b8fa-663cfbc11b35.png" width="200" /></li>
</ul>
<h1 id="detailed-analysis">Detailed Analysis</h1>
<ul>
<li>The first step is to find out which language the app is written in, so I used Detect It Easy (“DIE”), as follows: <br />
<img src="https://user-images.githubusercontent.com/84356407/205483408-20f27d41-9ff9-42d1-822e-4c506c1b36ed.png" width="400" /></li>
<li>Knowing that, we are going to use “dnSpy” to analyse this .NET code. <br /></li>
<li>After loading the app in dnSpy we go to the entry point by right-clicking the app and choosing the entry point, as follows:
<img src="https://user-images.githubusercontent.com/84356407/205483581-9299adb0-d429-4474-a751-9dc58c10218a.png" width="500" /></li>
<li>It runs the form as follows:<br />
<img src="https://user-images.githubusercontent.com/84356407/205483629-18b870ea-e393-4e0d-a40b-898ffed09578.png" width="500" /></li>
<li>We have three monsters, and their names are stored in “monster_a[]”, as follows:
<img src="https://user-images.githubusercontent.com/84356407/205483692-4307ef7e-b689-44a1-830d-d7397eed18fd.png" width="500" />
<img src="https://user-images.githubusercontent.com/84356407/205483944-097f8677-2c6b-44b8-b45b-54efd67334ca.png" width="500" /><br /></li>
</ul>
<h1 id="beating-the-first-monster-">Beating the First Monster <br /></h1>
<ul>
<li>There is a variable called “cur_hp_num” that decreases by one each time you click “Hit” to beat him. I put a breakpoint there to watch its value, as follows:
<img src="https://user-images.githubusercontent.com/84356407/205484322-06ee2635-76f9-42b4-8f1a-16cfcf0c3cd7.png" width="500" /></li>
<li>I added the variable to the Watch window to observe its value. <br /></li>
<li>To beat him, I set the value of “cur_hp_num” to zero “0” and resumed debugging, as follows:<br />
<img src="https://user-images.githubusercontent.com/84356407/205484275-cca30b83-cd2d-4c91-9af5-40776a30f603.png" width="500" /></li>
<li>The final message is:<br />
<img src="https://user-images.githubusercontent.com/84356407/205484539-933c7f79-4bbe-458f-9418-09e59556cd94.png" width="500" /></li>
</ul>
<h1 id="beating-the-second-monster-">Beating the Second Monster <br /></h1>
<ul>
<li>I did the same for the second monster as for the first, as follows:</li>
</ul>
<p float="left">
<img src="https://user-images.githubusercontent.com/84356407/205484710-ca5e45f7-ac7a-4a77-bc89-82472ac2738f.png" width="400" />
<img src="https://user-images.githubusercontent.com/84356407/205484632-be7ff584-5216-4ec9-b18e-6c5429bfa3a0.png" width="400" />
<img src="https://user-images.githubusercontent.com/84356407/205484654-f4c5a12b-76ec-43d1-98f1-05b255c68b4b.png" width="400" />
</p>
<h1 id="beating-the-third-monster">Beating the Third Monster<br /></h1>
<ul>
<li>I did the same as for the previous two monsters, but a message appears saying “It’s not fair! Cheating is wrong”.<br /></li>
<li>I searched for this message and found it inside a condition that checks another variable, whose value must not equal one “1”.<br /></li>
<li>Then I searched for that variable, called “check_point”, and found that it is incremented by one inside a condition that checks that the monster is the third one and that cur_hp_num equals 689.<br /></li>
<li>So I changed this variable “check_point” to “1” (“true”) so that the condition showing the message “It’s not fair! Cheating is wrong” is not entered.<br /></li>
<li>Then I set the value of cur_hp_num to zero “0”.<br /></li>
<li>As follows:<br /></li>
</ul>
<p><img src="https://user-images.githubusercontent.com/84356407/205484974-5b491c8b-243f-476f-87b4-7646aed7c945.png" width="500" /><br /><br />
<img src="https://user-images.githubusercontent.com/84356407/205484970-a6235a78-a1a7-4d9c-91ea-c5d5dda6f7e0.png" width="500" /><br />
<img src="https://user-images.githubusercontent.com/84356407/205484973-a38eb76a-91ec-4811-99f7-e915c5ab608c.png" width="500" /><br /></p>
<p>Thanks ☻♥</p>
Hussein Adel