Monday, January 7, 2019

SID to UserID, UserID to SID


This blog
https://community.spiceworks.com/how_to/2776-powershell-sid-to-user-and-user-to-sid

by SpoonerTech at Spiceworks was very helpful for going back and forth between a user ID and a SID with PowerShell.

Thanks,

Step 1: Domain User to SID

This will give you a domain user's SID:
# Build an NTAccount for the domain user, then translate it to a SecurityIdentifier
$objUser = New-Object System.Security.Principal.NTAccount("DOMAIN_NAME", "USER_NAME")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value   # the SID string, e.g. S-1-5-21-<domain values>-<RID>

Step 2: SID to Domain User

This lets you enter a SID and find the domain user:
# Build a SecurityIdentifier from the SID string, then translate it back to an NTAccount
$objSID = New-Object System.Security.Principal.SecurityIdentifier("ENTER-SID-HERE")
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
$objUser.Value   # DOMAIN\user; Translate throws IdentityNotMappedException if the SID cannot be resolved
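As an added example (my own Python, not from the Spiceworks post above): the PowerShell calls do the lookup on a domain-joined box, but it also helps to know what the SID string itself contains, because the same S-1-5-21-... values turn up in event logs and ACLs where no lookup is available. This standard-library script parses a SID string, converts it to and from the binary SID layout Windows stores in tokens and ACLs, and for domain SIDs splits off the RID and names the well-known ones (500 Administrator, 512 Domain Admins, and so on). The domain SID in it is constructed, not a real account.

```python
import struct

# Well-known relative identifiers (RIDs) that appear in domain SIDs
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "KRBTGT",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}

# Constructed SIDs for the demo (the domain part is made up, not a real account)
SAMPLE_USER_SID = "S-1-5-21-1004336348-1177238915-682003330-512"
LOCAL_SYSTEM_SID = "S-1-5-18"


def parse_sid(sid):
    """Split 'S-<revision>-<authority>-<sub>...' into (revision, authority, [sub-authorities])."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2], 0)      # authorities >= 2**32 are written in hex; int(x, 0) accepts both
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("unsupported SID: %r" % sid)
    return revision, authority, subs


def sid_to_bytes(sid):
    """Binary SID: revision, sub-authority count, 48-bit big-endian authority, little-endian sub-authorities."""
    revision, authority, subs = parse_sid(sid)
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def bytes_to_sid(blob):
    """Inverse of sid_to_bytes: rebuild the S-1-... string from the binary layout."""
    revision, count = struct.unpack_from("<BB", blob, 0)
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def describe_sid(sid):
    """For a domain SID (S-1-5-21-a-b-c-RID) split off the domain part and the RID; other SIDs get no RID."""
    revision, authority, subs = parse_sid(sid)
    info = {"revision": revision, "authority": authority,
            "domain_sid": None, "rid": None, "well_known_rid": None}
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        info["domain_sid"] = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        info["rid"] = subs[4]
        info["well_known_rid"] = WELL_KNOWN_RIDS.get(subs[4])
    return info


if __name__ == "__main__":
    for sid in (SAMPLE_USER_SID, LOCAL_SYSTEM_SID):
        print(sid, sid_to_bytes(sid).hex(), describe_sid(sid))
```

The binary form is what you see in raw security descriptors and in some registry and event data; round-tripping through it is a quick sanity check that a SID string you copied out of a log is well formed before you hand it to Translate.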

Friday, January 4, 2019

Static Analysis of Packed EXEs - IMAGE_SECTION_HEADER size comparisons

Random notes while studying the "Practical Malware Analysis" book by Michael Sikorski and Andrew Honig

If I use PE Studio and go to the sections tab, it shows the IMAGE_SECTION_HEADER details.

Two fields of interest are:
- virtual-size
- raw-size

Virtual size is how much memory is allocated for the section when the program is loaded.
Raw size is how big the section is on disk.

In normal programs these two sizes are relatively similar (they won't be exact, but they should be close), because when a program's section is loaded into memory it should take approximately the same space it took on disk.

The .data section is a caveat: it's normal for the .data section in Windows programs to have much more virtual (allocated) space than raw space on disk.

Large differences or anomalies can indicate a malicious nature, such as a packed program where, for example, either
a.) space is allocated for a section but the disk has nothing in that section ... which means some other section may write to it once executed, or
b.) the space allocated for a section is dramatically larger than what's on disk, meaning it may be unpacking or writing something once executed.

Looking at some real examples

--------
legitimate nbstat.exe
--------
.text (virtual=10036, raw=10240)   <== similar sizes
.data (virtual=44608, raw=512)  <== normal to be different
.rsrc (virtual=2104, raw=2560)   <== similar sizes
.reloc (virtual=802, raw=1024)   <== similar sizes

--------
legitimate notepad.exe
--------
.text (virtual=42748, raw=43008) <== similar sizes
.data (virtual=8458, raw=4096)  <== normal to be different
.rsrc (virtual=127336, raw=127488) <== similar sizes
.reloc (virtual=3640, raw=4096)  <== similar sizes

since all sizes are similar, this does not appear to be packed

-----------
legitimate FireEye floss32.exe
-----------
.text (virtual=40100, raw=40448)  <== similar sizes
.data (virtual=42, raw=512) <== normal to be different
.rdata (virtual=20232, raw=20480) <== similar sizes
.bss (virtual=50696, raw=0)  <== I think .bss is always initialized to 0, so it probably takes no space on disk
.idata (virtual=3036, raw=3072) <== similar sizes
.CRT (virtual=52, raw=512) <== section auto-created by Microsoft C++ compiler
.tls (virtual=32, raw=512) <== section auto-created by Microsoft TlsAlloc thread allocation manager
.rsrc (virtual=95464, raw=95744) <== similar sizes

since all sizes are similar, this does not appear to be packed

------------
legitimate Move.Mouse.exe freeware
------------
.text (virtual=683100, raw=683520) <== similar sizes
.rsrc (virtual=87160, raw=87552) <== similar sizes
.reloc (virtual=12, raw=512) <== used to resolve addresses, seems too small to matter

since all sizes are similar, this does not appear to be packed


------------
PrivaZer.exe
md5 D1560DBFC8FB5B0F78FEEF20D8410885
https://app.any.run/tasks/30aeeda0-fae8-4369-9411-c5dedc3be3e3
-------------
CODE (virtual=6078616, raw=6078976) <== similar sizes
DATA (virtual=96272, raw=96768) <== similar sizes
BSS (virtual=59021, raw=0) <== I think it's normal for BSS to be empty
.idata (virtual=19586, raw=19968) <== similar sizes
.edata (virtual=79, raw=512) <== too small to be concerned
.tls (virtual=560, raw=0) <== too small to be concerned
.rdata (virtual=24, raw=512) <== too small to be concerned
.reloc (virtual=318176, raw=318464) <== similar sizes
.rscr (virtual=10750710, raw=10750976) <== similar sizes

since all sizes are similar, this does not appear to be packed


--------------
Documentacao - Importante .exe
md5 913812CB2959F5611A8CD699932FE043
https://app.any.run/tasks/ca9fe312-bf54-42a4-a103-a47e603665e3
--------------
.text (virtual=386572, raw=387072) <== similar sizes
.rdata (virtual=70440, raw=70656) <== similar sizes
.data (virtual=37224, raw=7680) <== normal to be different
.rsrc (virtual=10104, raw=10240) <== similar sizes

since all sizes are similar, this does not appear to be packed


--------------
data.exe
md5 FC1F15917F36BB6C1D18466AB39BF1A0
https://app.any.run/tasks/8bc211e2-ee2b-4806-9887-482fa2a8cb9e
--------------
.text (virtual=225492, raw=225792) <== similar sizes
.rsrc (virtual=1344, raw=1536) <== similar sizes
.reloc (virtual=12, raw=512) <== too small to be concerned

since all sizes are similar, this does not appear to be packed



-----------
keygen.exe
md5 E0B94BD0A0451BCC539D4D5DC76DD27A
https://app.any.run/tasks/39ac85c7-6ae4-4b31-9518-6678c688cbc0
------------
UPX0 (virtual=40960, raw=0) <== notice the huge virtual size and 0 bytes on disk; that means something is going to get written here after loading, probably the malicious code
UPX1 (virtual=28672, raw=26624) <== entry point of the program; similar sizes, but the UPX1 name should be a dead giveaway that it's packed with UPX
.rsrc (virtual=20480, raw=16896) <== there is a difference here, more allocated than actually exists on disk, so possibly something could get written here after loading as well

since it has the dramatic differences in sizes, this is packed

------------
m6IYue1m.exe
md5 8b0ab017f6b7900fdffb165fca08723d
https://www.virustotal.com/#/file/a4ea9b8116ca39cd538250ece162aea9ced57723f9520bca1e19ac7c948d6e03/detection
------------
.text (virtual=115391, raw=115712) <== similar sizes
.rdata (virtual=57896, raw=58368) <== similar sizes
.data (virtual=44868, raw=4608) <== normal to be different
.gfids (virtual=4644, raw=1536) <== quite a difference, more allocated than on disk; perhaps it could be used to unpack or write something; it also has a random section name
.rsrc (virtual=139260, raw=139264) <== similar sizes
.reloc (virtual=7908, raw=8192) <== similar sizes

given that 1 section has the big difference in sizes and is named randomly, this could be packed

-------------
lary.exe
md5 68b28f07c4d49f94341e739c36b17843
https://www.virustotal.com/#/file/8a94a86a695bb46d01cbfe84e2ceb3b159aa2c46069044ec7bc87d4d4830af65/detection
--------------
no name (virtual=517792, raw=168960) <== large difference, it definitely could unpack and write stuff to this section; also interesting that the section has no defined name, and it's the entry point
no name (virtual=8192, raw=2048) <== big difference, definitely could unpack and write stuff to this section
no name (virtual=4096, raw=0) <== only allocated, nothing on disk, suspicious
no name (virtual=12288, raw=9728) <== big difference, definitely could unpack and write stuff to this section
no name (virtual=4096, raw=0) <== only allocated, nothing on disk, suspicious
no name (virtual=4096, raw=512) <== big difference, definitely could unpack and write stuff to this section
no name (virtual=32768, raw=0) <== only allocated, nothing on disk, very suspicious, large space
.rsrc (virtual=454656, raw=157696) <== big difference, definitely could unpack and write stuff to this section
.data (virtual=532480, raw=529920) <== similar sizes
.adata (virtual=4096, raw=0) <== only allocated, nothing on disk, suspicious

lots of dramatic size difference, sections without names, this looks packed

-----------------
Miracle_Loader.exe
md5 8e2e9241cbe301c777b7719570ad5b1d
https://www.virustotal.com/#/file/f4e0872a3839b6b2236c9b2cf9bf1d868e813ab95e69d360a11772c64afd56fe/details
-----------------
.textbss (virtual=106496, raw=0) <== normal to be empty
.text (virtual=8192, raw=0) <== big difference, odd that the code section is empty, probably gets unpacked to here
.data (virtual=131072, raw=0) <== big difference, odd that the data section is empty, probably gets unpacked to here
.idata (virtual=4096, raw=0) <== big difference, odd that the data section is empty, probably gets unpacked to here
.rsrc (virtual=4096, raw=0) <== big difference, odd that the resource section is empty, probably gets unpacked to here
.sedata (virtual=1228800, raw=0) <== big difference, odd that the data section is empty, probably gets unpacked to here
.vmp0 (virtual=4096, raw=0) <== big difference, strange name, reminds me of UPX0 and UPX1 packing naming convention, so i'm guessing code gets unpacked here when loaded
.vmp1 (virtual=1286956, raw=0) <== big difference, strange name, reminds me of UPX0 and UPX1 packing naming convention, so i'm guessing code gets unpacked here when loaded
.vmp2 (virtual=2139888, raw=2140160) <== similar sizes, this is also the entry point, reminds me of the UPX naming convention, I'm guessing this is the unpacking stub code that will unpack to vmp0 & vmp1 sections
.rsrc (virtual=2396, raw=2560) <== similar sizes

with the dramatic size differences and interesting naming conventions, this appears packed. I think vmp stands for VMProtect (software protection, vmpsoft.com)
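The checks above can be scripted. As an added example (my own code, not from the book or from PE Studio): this Python script reads the IMAGE_SECTION_HEADER table straight out of a PE file with only the standard library, works out which section holds the entry point, and applies the heuristics from these notes: raw size 0 with a large virtual size (except for .bss-style sections), virtual size far bigger than raw (except for .data-style sections), missing section names, and UPX/vmp-style names. Because it has to run without the samples, it builds two header-only PE images in memory, one mirroring the keygen.exe table and one mirroring the notepad.exe table above (the virtual addresses and entry points are made up); point parse_sections at the bytes of a real file to use it for real.

```python
import struct

# IMAGE_FILE_HEADER (20 bytes) and IMAGE_SECTION_HEADER (40 bytes), both little-endian
FILE_HEADER = struct.Struct("<HHIIIHH")
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

PACKER_PREFIXES = ("UPX", ".vmp")              # packer-style names seen in the notes above
NORMALLY_EMPTY = {".bss", ".textbss", "BSS"}   # uninitialised data: raw size 0 is expected
NORMALLY_LARGER = {".data", "DATA"}            # initialised data: virtual much larger than raw is expected


def parse_sections(data):
    """Return (entry_point_rva, sections); each section is (name, virtual_size, virtual_address, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    fh_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = FILE_HEADER.unpack_from(data, fh_off)
    opt_off = fh_off + FILE_HEADER.size
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint, same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        off = opt_off + opt_size + i * SECTION_HEADER.size
        name, vsize, vaddr, rawsize = SECTION_HEADER.unpack_from(data, off)[:4]
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, vaddr, rawsize))
    return entry_rva, sections


def entry_section(entry_rva, sections):
    """Name of the section whose virtual range contains the entry point, or None."""
    for name, vsize, vaddr, _ in sections:
        if vaddr <= entry_rva < vaddr + vsize:
            return name
    return None


def section_findings(entry_rva, sections, ratio=2.0, min_size=4096):
    """Apply the size and naming heuristics from the notes; returns a list of (section name, reason)."""
    findings = []
    for name, vsize, vaddr, rawsize in sections:
        if name == "":
            findings.append((name, "section has no name"))
        if name.startswith(PACKER_PREFIXES):
            findings.append((name, "packer-style section name"))
        if rawsize == 0 and vsize >= min_size and name not in NORMALLY_EMPTY:
            findings.append((name, "allocated in memory but raw size 0 on disk"))
        elif rawsize and vsize >= ratio * rawsize and vsize >= min_size and name not in NORMALLY_LARGER:
            findings.append((name, "virtual size much larger than raw size"))
    return findings


def report(data):
    entry_rva, sections = parse_sections(data)
    findings = section_findings(entry_rva, sections)
    return {"entry_section": entry_section(entry_rva, sections),
            "findings": findings, "packed": bool(findings)}


def build_pe(sections, entry_rva):
    """Build a header-only PE32 image (constructed for this example) from (name, vsize, vaddr, rawsize) tuples."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = bytearray(224)                         # PE32 optional header size
    struct.pack_into("<H", optional, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", optional, 16, entry_rva)   # AddressOfEntryPoint
    file_hdr = FILE_HEADER.pack(0x14C, len(sections), 0, 0, 0, len(optional), 0x0102)
    hdrs = b"".join(
        SECTION_HEADER.pack(name.encode("latin-1")[:8].ljust(8, b"\0"),
                            vsize, vaddr, rawsize, 0, 0, 0, 0, 0, 0x60000020)
        for name, vsize, vaddr, rawsize in sections)
    return dos + b"PE\0\0" + file_hdr + bytes(optional) + hdrs


# Sizes copied from the keygen.exe and notepad.exe tables above; addresses and entry points are invented
PACKED_SAMPLE = build_pe([("UPX0", 40960, 0x1000, 0),
                          ("UPX1", 28672, 0xB000, 26624),
                          (".rsrc", 20480, 0x12000, 16896)], entry_rva=0x10AA0)
BENIGN_SAMPLE = build_pe([(".text", 42748, 0x1000, 43008),
                          (".data", 8458, 0xC000, 4096),
                          (".rsrc", 127336, 0xF000, 127488),
                          (".reloc", 3640, 0x2F000, 4096)], entry_rva=0x3A20)

if __name__ == "__main__":
    for label, blob in (("packed sample", PACKED_SAMPLE), ("benign sample", BENIGN_SAMPLE)):
        print(label, report(blob))
```

The ratio and minimum size are knobs, not rules: small sections like the .reloc (virtual=12, raw=512) entries above fall under min_size and are ignored, and the .data exception is applied by name, so a packer that simply names its output section .data will slip past this check the same way it would slip past a quick look in PE Studio.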


Random Strings Output Notes

Running strings against an executable; here are some random findings and the thoughts behind each.

The sample file in question
https://www.virustotal.com/#/file/1c44d829d130986ade5661947b841a6a0ca79c37fe1c57ea9b93931362a324f2/detection

!This program cannot be run in DOS mode.
==> so we know this is a Windows executable

MSVBVM50.DLL
VBA5.DLL
==> so we know this program was written with Visual Basic 5.0 Run-time library

@*\AC:\src\Utils\SystemInstaller\SystemInstaller.vdp
SystemInstaller.exe
==> seems to indicate that a .VDP (Visual Studio deployment project) was used when building this, probably for installation of the software

kernel32
GetWindowsDirectoryA
GetSystemDirectoryA
GetTempPathA
==> indicates that this software might be using the Windows API to determine the user's Windows, system, and temp folder paths ... perhaps to grab files from or put files in there

c:\program files\devstudio\vb\vb5.olb
==> likely indicates that the Microsoft Developer Studio (devstudio) was used to build this Visual Basic 5.0 project

drvSource
fraNewFile
filSource
lstFiles
dirSource
dirSource_Change
drvSource_Change
==> indicates that this program may prompt a user for Drive, Directory, or File popup boxes such as


btnExit_Click
btnFrom_Click
btnMake_Click
btnTo_Click
==> indicates that there is a GUI or user interface to this application

Error extracting from
Couldn't delete
Couldn't open
Couldn't copy
Extracted
Error copying stub (
Error opening
Error copying
__vbaFileClose
__vbaFileOpen
__vbaFileSeek
==> indicates files are likely being opened, copied, and deleted

__vbaPrintFile
==> indicates this software may have printing capabilities, and also confirms this is a Visual Basic program

__vbaPutOwner3
==> indicates this program has multiple windows / popups and it's setting the parent of one window to another window

__vbaRedim
__vbaAryDestruct
==> indicates the program is allocating space for variables / arrays of data

__vbaHresultCheckObj
==> just indicates the program does its own error handling and checks the error numbers, which are stored in an HRESULT

You are required to have a destination file name
You must have some files to add
Select-Extracting file name
Make EXE
Should automatically install self-installing system OCX's or DLL's
==> indicates the program is making a program or executable and saving it to disk

MHC Associates
==> could indicate who created this executable, OSINT indicates MHC Associates, Inc., provides marking management system to manage marketing materials from a single online shopping cart. 

Microsoft Visual C++ Runtime Library
==> continues to confirm it's a Windows program and that it's also using C++ libraries

SizeofResource
LoadResource
FindResourceA
==> indicates this program may have resources (such as icons) that it's using and loading

LoadLibraryExA
GetProcAddress
LoadLibraryA
GetModuleHandleA
GetModuleFileNameA
==> indicates this program may dynamically load some libraries or function calls on the fly

RegDeleteKeyA
RegCreateKeyExA
RegDeleteValueA
RegCloseKey
RegOpenKeyExA
RegEnumKeyExA
RegSetValueExA
RegQueryInfoKeyA
RegEnumValueA
==> indicates this software could open, edit, or delete registry values

OleSaveToStream
OleLoadFromStream
==> indicates this software may use COM objects in Windows

HeapCreate
VirtualFree
VirtualAlloc
==> indicates this program may allocate additional memory

CreateFileA
ReadFile
==> indicates this program may create new or read existing files off disk

EMR_POLYGON16
EMR_POLYDRAW16
EMR_SELECTPALLETTE
==> indicates the program may draw objects or pictures

** PDF file created with demo version of the VideoSoftware VSPDF control. **
==> indicates this installer may include a PDF embedded in it, perhaps readme instructions

deflate 1.0.4 Copyright 1995-1996 Jean-loup Gailly
==> indicates this software may have compressed files embedded in it using the deflate algorithm

VSPDF Control
Copyright 2001 ComponentOne
VSPDF.VSPDF.1 = s ':-) VideoSoft VSPDF 7.0'
Use this control to convert documented created with VSPrinter 7.0 to PDF format.  The PDF format is a platform-independent format developed by Adobe Systems and supported by Adobe Acrobat and other products
www.componentone.com
5900-T Hollis Street
Emeryvilla, CA 94608
VSPrinter7
Choose Printer and Print FileW
Printing...
==> indicates the program may use pre-built UI controls (buttons, textboxes, etc.), PDF generation, and printer controls from the vendor ComponentOne

!This program cannot be run in DOS mode
==> indicates this installer potentially has multiple embedded executables inside it

<TITLE>&s</TITLE>
<BODY BGCOLOR=#%02x%02x%02x">
==> indicates this program will be generating HTML or web pages

VeriSign, Inc.1301
https://www.verisign.com/rpa0
ComponentOne1>0<
<ComponentOne VSPRINT7 Ocx Fil
==> indicates one of the embedded executables may be digitally signed by ComponentOne
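As an added example (my own Python, not the strings tool and not code from the sample): the reasoning above, grouping the API names you see into what the program can probably do, can be automated. This script pulls ASCII and UTF-16LE runs out of a byte blob the way strings does, matches them against capability groups taken from the notes above (path discovery, file I/O, dynamic loading, registry, memory, resources), notes the Visual Basic runtime DLLs, and counts extra "This program cannot be run in DOS mode" stubs as a sign of embedded executables. The input blob is constructed from strings on this page, not the sample's real bytes.

```python
import re

MIN_LEN = 5
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)          # printable ASCII runs
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)   # UTF-16LE runs of ASCII characters

# Capability groups built from the API names interpreted in the notes above
CAPABILITIES = {
    "path_discovery": {"GetWindowsDirectoryA", "GetSystemDirectoryA", "GetTempPathA"},
    "file_io": {"CreateFileA", "ReadFile", "__vbaFileOpen", "__vbaFileClose", "__vbaFileSeek"},
    "dynamic_loading": {"LoadLibraryA", "LoadLibraryExA", "GetProcAddress",
                        "GetModuleHandleA", "GetModuleFileNameA"},
    "registry": {"RegOpenKeyExA", "RegCreateKeyExA", "RegSetValueExA", "RegDeleteKeyA",
                 "RegDeleteValueA", "RegEnumKeyExA", "RegEnumValueA", "RegQueryInfoKeyA", "RegCloseKey"},
    "memory": {"HeapCreate", "VirtualAlloc", "VirtualFree"},
    "resources": {"FindResourceA", "LoadResource", "SizeofResource"},
}
VB_RUNTIME = {"MSVBVM50.DLL", "VBA5.DLL"}
DOS_STUB = "This program cannot be run in DOS mode"


def extract_strings(data):
    """Return (offset, kind, text) for every ASCII or UTF-16LE run of MIN_LEN+ characters, in file order."""
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RUN.finditer(data)]
    found += [(m.start(), "wide", m.group().decode("utf-16-le")) for m in WIDE_RUN.finditer(data)]
    return sorted(found)


def profile(data):
    """Summarise what the strings suggest the program can do."""
    strings = extract_strings(data)
    texts = [text for _, _, text in strings]
    capabilities = {}
    for name, apis in CAPABILITIES.items():
        hits = sorted(apis.intersection(texts))
        if hits:
            capabilities[name] = hits
    stubs = sum(DOS_STUB in text for text in texts)
    return {
        "string_count": len(strings),
        "capabilities": capabilities,
        "vb_runtime": bool(VB_RUNTIME.intersection(texts)),
        # one DOS stub belongs to the outer PE; every extra one hints at an embedded executable
        "embedded_pe_count": max(stubs - 1, 0),
    }


# Constructed byte blob containing strings from this page; this is not the real sample's content
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"!This program cannot be run in DOS mode.\r\n$\x00\x00"
    + b"MSVBVM50.DLL\x00VBA5.DLL\x00"
    + b"kernel32\x00GetWindowsDirectoryA\x00GetTempPathA\x00"
    + b"RegOpenKeyExA\x00RegSetValueExA\x00RegDeleteKeyA\x00"
    + b"LoadLibraryA\x00GetProcAddress\x00VirtualAlloc\x00"
    + b"\x01\x02\x03\x04"                                   # binary bytes, not a string
    + "Make EXE".encode("utf-16-le") + b"\x00\x00"          # a wide string, invisible to ASCII-only extraction
    + b"!This program cannot be run in DOS mode.\r\n$\x00"  # a second DOS stub: an embedded PE
)

if __name__ == "__main__":
    for offset, kind, text in extract_strings(SAMPLE):
        print("%6d %-5s %s" % (offset, kind, text))
    print(profile(SAMPLE))
```

The wide-string pass matters for Windows binaries because GUI text and many Unicode API arguments are stored as UTF-16LE and never show up in an ASCII-only strings run; the capability groups are only as good as the API list, so treat the output as a reading aid for the kind of notes above, not as a verdict.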