About
About me
I am Moise. I am not a professional malware analyst; I do this mainly for fun. I have a background in software development across several languages, as well as experience in areas such as network security and threat intelligence, and I started learning malware analysis just a year ago. To get in touch, reach out on LinkedIn: https://www.linkedin.com/in/moise-medici/
FAQ
What is this website about?
When I started learning malware analysis, I found it very challenging to understand how analysts approached samples and, more importantly, why they made certain decisions. I often saw reports stating things like "the encryption password is XYZ" or "if you look here you will see X" without explaining how those conclusions were reached. I struggled to understand where to look, why, and what the underlying thought process was.
While learning, I would find sample hashes from blog posts published by vendors such as Palo Alto, Cisco, and others. I would analyze the sample without reading the report first, and only later compare my findings. This website is meant to be used in a similar way. I provide the information needed to download the sample, and you perform the analysis. If you get stuck or want to compare results, you can read my analysis. This is not meant to be a tutorial.
I believe the barrier to starting malware analysis is higher than it should be. The goal of this website is to lower that barrier by showing how I approach an analysis, the questions I ask myself while examining a sample, the struggles I encounter, and why certain assumptions are made.
There is also a Learn section where I explain why certain statements are made in more detail. For example, if I state that a specific combination of Windows APIs is used for a particular purpose, I create a Learn page showing example code to support that claim. The code is written in C to best demonstrate Windows API capabilities and how they are used.
I also try to approach each sample as if I have no prior knowledge of it, and as if no public information exists about it. For example, if I analyze a WannaCry sample, I will not rely on public write-ups about that specific sample. Internet searches are only used for Windows API documentation, built-in Windows tools, generic malware techniques, assembly references, and similar material. Every page I consult is listed in the Appendix section.
During the analysis, you may see questions that are not strictly necessary for a real-world investigation. This is intentional. My goal is to understand as much as possible about the sample, even if some knowledge is not operationally required. For example, a sample might contain a password protecting a compressed file. The password itself may not matter, but understanding how the protection works and how the password is validated can still be valuable.
I aim to release a new sample analysis every one to two weeks.
What is this website not about?
These reports are not meant to be executive-ready documents for CISOs or for IOC extraction. While they may look like traditional malware reports, many of them are quite long (20+ pages).
I will probably not focus on newly discovered malware. Instead, I prefer samples that are interesting from a learning perspective.
I do not aim to make reports shorter just to make them easier to read. The goal is clarity and completeness.
Sample download and password?
I always provide the samples for download; they are hosted on the GitHub page where this website is located. The sample can be found at the "Sample Download" link. Sometimes the archive I provide contains additional material, such as network captures. The password is always `infected`. The "Original Download URL" indicates where I obtained the sample, but I do not know whether that source will remain online in the future; therefore, the "Sample Download" link is provided even when no additional material is available.
What about the code and executables provided?
As with the malware samples, in the Learn section you can download the code presented along with the compiled versions. The zip is password protected; the password is `infected`. The README.txt shows how to compile the source code. I compile it from Linux, so if you use macOS or Windows you might need to compile it in a different way. I think the only requirement is that you match the architecture (32- or 64-bit) when one is specified.
How much of the content is AI generated?
Almost none. Since I am not a native English speaker, I use AI to fix grammar mistakes and readability issues. Every fix is carefully reviewed, and the agent is instructed not to make any changes to the content.