If this is accessed often it will slow down a program from running. The program attempts to get a handle on the mutex ‘HGL345’, and if it succeeds the program will terminate. A Look Into Konni 2019 Campaign. What elements of the malware’s communication may be effectively detected using a network signature? (2019, November). Retrieved August 13, 2020. SLEEP: Do nothing for a certain amount of seconds. jz loc (Jump if ZF. If we examine them we can see that they don’t have any values assigned. Function calls the ret instruction which pops the return address off the stack and into EIP. If these are disassembled it can lead to 4 bytes being hidden from view. Once again we can see this is checking whether the operating system is Windows NT or later; however, even if it is, it is then checking if its major version is 5. This comparison is looking for the first byte of the first token. x86 provides instructions for popping and pushing. The first is looking for the character ‘/’ which in this case is found at the end of the URL passed to this function, and the other is looking for the number ‘96’ to be present. Functions like a jmp, except the return pointer is pushed to the stack. By plotting out the XRefs to SingleXOR, we can see that this is called from a subroutine inside of MultiXOR. Looking at the previous screenshot we can find that arg_0 has been identified which indicates one argument would be expected from this subroutine, and as a result 1 parameter. We can see both in memory, and on disk that the malware creates a file called practicalmalwareanalysis.log. Looking at the exports of ‘Lab11-03.dll’ which we know is copied to this location, we can see this is a valid export. Following the unpacking guidance, we can unpack this executable, writing the result to a new file. Manually generated errors and custom handlers (on the top of the SEH chain) can fool debuggers and disassemblers. Using CTRL + F12 to view the call flow of this DLL is an excellent way to get an idea of its functions. 
What else must be known? If so, what are these indicators? New macOS Malware Variant of Shlayer (OSX) Discovered. When the malware receives input, what checks are performed on the input to determine whether it is a valid command? Immediately we can see that this calls _wfopen which indicates there’s a file by the name msutil32.sys which will be opened. As a sidenote, the code inside of our beacon function will check the first character of the beacon response and check if it equals ‘6Fh’ (o). Starting with the custom Base64-encoded index string, we find it is referenced in a subroutine at ‘sub_40103F’. With the cursor in the same location, how do you turn this data into a single ASCII string? By stepping back to what is calling this we can see that 41h (or 0x41 in hex) is being pushed to the stack first, so will be the third argument popped off the stack, and in this case indicates our key for decoding. Note: When attempting to run yarGen.py I experienced an issue with ‘etree’ being imported from lxml. [41], Hancitor has decoded Base64 encoded URLs to insert a recipient’s name into the filename of the Word document. This can be used to monitor how long it has been running for in each request. By using CFF Explorer VIII we can see that msgina32.dll exports a number of functions that correlate to known functions that need to be exported by a legitimate GINA DLL as it is prepended with Wlx. Broadly speaking the process to follow is below: This details analysis undertaken and answers to the lab questions in Chapter 3. Compare the calls in main to lab 6-2’s main method. By running ‘g’ the application runs and hits our new breakpoint. This lab uses the file Lab03-02.dll. Do any imports hint at this program’s functionality? (2019, April 17). 
This helps us identify that the malware will send the hostname running it Base64-encoded in a GET request to www.practicalmalwareanalysis.com and repeat this approximately every 30 seconds. Retrieved May 27, 2020. With this we now see that a jump doesn’t occur and the program continues as expected. As shown above persistence is achieved by registering msgina32.dll, which is pulled from its resource section, as a custom GINA DLL in the Windows Registry at the below location: By examining the documentation on GINA, we can see that this is loaded into winlogon, and can have credentials passed through it that can be captured. At this point the OS is usable again. What are this malware’s imports and strings? At this point if we look closer into the memory strings of running svchost processes, we can see that this malware has used process replacement (more commonly known as process hollowing nowadays) to execute under the guise of a svchost process. MAR-10296782-2.v1 – WELLMESS. At this point we can rename this ‘Decrypt_AES’, and take a very similar looking function we previously identified (0040352D) which calls XOR_OP_4, and rename this ‘Encrypt_AES’. Quinn, J. Diving in with a different tool called Exeinfo PE, we are able to determine that this file is packed using the Ultimate Packer for eXecutables (UPX). Using the MSDN page for socket and the named symbolic constants functionality in IDA Pro, can you make the parameters more meaningful? Symantec Security Response. The Domain, URL, Host, or GET parameters wouldn’t be conducive to a long-lasting signature. From this we can tell that an existing instance of explorer.exe is being injected into. Used for accessing values on the program Stack Segment. This is one of the advantages to using COM Interfaces as the request API automatically takes the appropriate User Agent from the operating system. 
If we examine the .rdata section using IDA-Ent and look for random data (Chunk Size: 256 - Max Entropy: 7.9), we find a number of results appear between 0040C8EC and 0040CA1A which aligns with what we found using KANAL. Sodin ransomware exploits Windows vulnerability and processor architecture. Use the tools and techniques described in the chapter to gain information about the files and answer the questions below. Retrieved April 17, 2019. Upload the Lab01-03.exe file to http://www.VirusTotal.com/. What kind of information is communicated in the malware’s initial beacon? Retrieved October 3, 2019. Retrieved November 5, 2018. Once the GINA DLL has been installed the system needs to be restarted. If we kill internet explorer the advertisement popups will stop. If not, it will create a Mutex with this name. We need to confirm the application isn’t running with any command line parameters and move through with F8 until the breakpoint we set is hit. Patrick Wardle. At this point we can right click the value stored in ESP, and click FOLLOW IN DUMP to view the data that will be encoded. The hooking code looks to primarily be installed from within ‘sub_10001203’. [46], InvisiMole can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher. s: strings that may appear across multiple samples, but together would become an indicator. If we expand these comparisons out and sort by the position number we get the below: This in turn allows us to see it is checking for the entry “”. The difference here is that it is jumping if the zero flag IS set, so let’s follow loc_10005309. EDI = buffer location, and AL = Initialization Value. 
Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved July 13, 2018. What hard-coded elements are used in the initial beacon? This chapter had no questions, but rather documented setting up a VM for malware analysis. How could you remove this malware once it is installed? Salem, E. et al. Upon restarting and logging in we can see a new file is created. (2013, March 29). What happens when you run the malware executable? Finally we take a look at how this encryption function relates to the rest of the malware. [33], OopsIE concatenates then decompresses multiple resources to load an embedded .Net Framework assembly. Examining the strings contained within Lab01-01.dll more closely reveals that there is what appears to be an IP address. After refining some of the rules they now look like the below. We know from previous analysis of this malware that configuration is stored in the registry so by default it communicates with: To analyse how this communication occurs and whether there’s any other network-based indicators we look back to sub_402020 and the function it calls prior to comparing the response received to one of the mentioned commands. Adding these onto ‘d’ (4) you get ‘n’ (14), ‘r’ (18), and ‘s’ (19) respectively. This differs from traditional throwaway malware which may exist only to drop malware before removing itself in that it sets up persistence to allow further malware and C2 to be dropped over time. OilRig has also used certutil to decode base64-encoded files on victims. Based on the API functions alone, what could you rename this function? 31 71 61 7a 32 77 73 78 33 65 64 63 = 1qaz2wsx3edc, DLL 1 mystery data 1: Process ID DLL is running under. 
By extracting this using Resource Hacker and then leveraging 010 Editor to perform an XOR operation using the key 0x3B, we can see that this neatly decodes to ‘www.practicalmalwareanalysis.com’. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Analysing Lab01-02.exe through Dependency Walker highlighted the below interesting functions: Based on this we can infer that the executable creates and triggers a service, and that it connects to the internet. From this we can see it provides support for input/output of files, and if we compare this to the function references in this context we can make an informed decision that this is in fact the ‘printf’ (print formatted) subroutine, which writes the string to stdout. Looking at this through dependency walker revealed that these were indeed being imported. If we rename it and continue to debug, we realise that termination doesn’t occur here anymore. Jumps if previous instruction set the Overflow Flag), js loc (Jump if SF. This tells us that the field 2 indicates the operating system is Windows NT or later. To understand the dropped malware, we can examine this resource in Resource Hacker, and like in previous analysis conducted, we can save it to a file for opening in IDA. sub_401040 = HTML C2 parsing function. Analyze the malware found in file Lab14-03.exe. One of the methods of doing this is to implement the WlxLoggedOutSAS which will be passed user credentials whenever someone tries to logon at the logon screen. Based on this we can determine that the malware creates a Mutex ‘MZ’ and file at ‘C:\WINDOWS\sytem32\kernel64x.dll’. This matches the reference to milliseconds, in that there are 1000 milliseconds in a second. Reaves, J. When bundled with rep, this is equivalent to memset in C. Malware is often written in C. A C program often has 2 arguments for the main method with argc and argv. Does the malware use standard Base64 encoding? 
Based on the above analysis we can confirm that this malware stores keystrokes and window information it collects at ‘C:\WINDOWS\sytem32\kernel64x.dll’. OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved July 10, 2018. Iterates over blocks of code one instruction at a time in a linear fashion. [70], OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads. How can you dynamically capture this malware’s activity with Wireshark? This malware has been configured to beacon to a hard-coded loopback address in order to prevent it from harming your system, but imagine that it is a hard-coded external address. (2018, December 20). Based on the search being read and comparisons taking place, we can assume this filter is looking for something similar to the below where is any random string. Initialize all bytes of a buffer to a value. Are there any other files or host-based indicators that you could look for on infected systems? Looking closer at these values we can see that it is setting keys to disable the Windows Firewall by changing these values to 0. This gives us coverage of these interesting events. [73], PipeMon can decrypt password-protected executables. The explicit '' declaration is common amongst keyloggers as they need a way of determining if a key pressed is capitalised or not. Based on our above analysis we assume that this will be injecting into winlogon.exe, but at this stage we haven’t seen any evidence of injection. Looking back at the commands it is then adding 0Dh (13) to EAX which moves the pointer past the text ‘[This is CTI]’ leaving only ‘30’. Comparison will continue until ECX = 0 or the byte is found. Subsequent analysis shows that the URL elements mentioned above change. We’re able to scroll through the function to see a number of interesting values being pushed to the stack, in this case the values: quit, exit, and cd catch our eyes. [90], Rising Sun decrypted itself using a single-byte XOR scheme. 
What is the base address requested by DLL1.dll, DLL2.dll, and DLL3.dll? The purpose of this malware is to check if there is an active internet connection, if there is it will proceed to try and open the URL http://www.practicalmalwareanalysis.com/cc.htm using the User-Agent ‘Internet Explorer 7.5/pma%d’ which is passed in from a looping incremental user variable (this is used to track how long the program has been running). Looking at the only calling function to this, we can see that the argument passed to this is the established socket to the C2. It should be noted that memory manipulation using APIs such as ‘VirtualAlloc’ or ‘VirtualAllocEx’ is often used when injecting shellcode into a process. What type of encoding is used for command arguments? mov edx, [eax] - Point to an entry at an offset of 0x88 (previous entry in list). As shown in question 3, there’s 2 obvious network indicators we can use within this program, which is the URL to be opened, and the User-Agent. To do this we will need to set up a breakpoint using WinDbg in our VM and be analysing kernel operations using WinDbg on our host. Based on this we can infer that if an executable file is located, it is mapped into memory and can then be modified by this program. (n.d.). This instruction is used with a magic string VMXh to perform VMware detection. Options > General > Line Prefixes > (Opcode Bytes as 6) = helps show memory locations and opcode values in Graph Mode. Based on the main method we can see a few API and subroutine calls which we can elaborate on. Of interest is that this beacon has sent some new or modified elements in its HTTP Header including the below: Based on this we begin to assume these may be hard-coded elements. This is due again to a check on the number of arguments passed to the program. From this buffer the characters ‘