Showing posts with label strings. Show all posts

Sunday, November 7, 2021

Batch Script run Strings on all Files Searching for Keyword

 rem run strings64 (minimum string length 8) on every file in the current folder and keep only the lines that mention github
 rem %%f is the batch-file form of the loop variable; typed directly at a cmd prompt it is %f
 for %%f in (*) do (
    c:\users\221602\desktop\neo_apps\strings64.exe -n 8 "%%f" | findstr github && echo   -- found in %%f
 )

Friday, April 10, 2020

Find all Malware in a Folder with a Single String in it

# the keyword string to search for
$stringToSearchFor = "http://nsis.sf.net/NSIS_Error"

# run strings on all malware *.bin files in the directory and write the output to <name>.bin.txt next to each sample
# (calling strings64.exe directly instead of through start-process cmd /c means every run has finished before the next step starts)
Get-ChildItem \ -Filter *.bin | ForEach-Object { & strings64.exe -n 8 $_.FullName | Set-Content -Path "$($_.FullName).txt" }

# search each *.bin.txt strings result for that keyword
# (-SimpleMatch takes the keyword literally, and unlike -contains a hit inside a longer line still counts)
Get-ChildItem \ -Filter *.bin.txt | ForEach-Object { if (Select-String -Path $_.FullName -Pattern $stringToSearchFor -SimpleMatch -Quiet) { $_.Name } }

----------
search all malware files for a single string
----------
sample output
----------
EasyPDFCombine.bin.txt
EverydayLookup.bin.txt
FromDocToPdf.bin.txt
Internet Speed Tracker.bin.txt
YourTemplateFinder.bin.txt
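An added example, not part of either post above and not the strings64.exe tool itself, that does in Python what the batch one-liner and the two PowerShell steps do: a small strings extractor with the same -n 8 minimum length (ASCII and UTF-16LE, with offsets), a keyword search across a set of samples, and the write-the-.txt-then-search flow with the same <name>.bin.txt naming. The sample bytes are constructed stand-ins, not real malware, and the names SAMPLES, extract_strings, find_samples_with_string and scan_directory are this example's own.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Emulate "strings64.exe -n 8": runs of at least MIN_LEN printable ASCII characters.
# Sysinternals strings also reports UTF-16LE text by default, so scan for that too.
MIN_LEN = 8

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """Return (offset, text) for every ASCII or UTF-16LE run of printable characters."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return sorted(found)

def find_samples_with_string(samples: Dict[str, bytes], needle: str) -> List[str]:
    """Names of the samples whose strings output contains needle.
    This is a substring match like findstr / Select-String; the post's original
    '-contains' only fires when needle is an entire line of the strings output."""
    return sorted(name for name, data in samples.items()
                  if any(needle in text for _, text in extract_strings(data)))

def scan_directory(directory: Path, needle: str, min_len: int = MIN_LEN) -> List[str]:
    """The two-step flow from the post: write <name>.bin.txt next to every *.bin,
    then report which of those .txt files contains needle."""
    hits = []
    for bin_path in sorted(directory.glob("*.bin")):
        strings = extract_strings(bin_path.read_bytes(), min_len)
        txt_path = bin_path.with_name(bin_path.name + ".txt")
        txt_path.write_text("".join(f"{off:#010x} {text}\n" for off, text in strings), encoding="utf-8")
        if any(needle in text for _, text in strings):
            hits.append(txt_path.name)
    return hits

# Constructed stand-ins for the .bin samples (not real malware): a DOS stub plus a few strings.
SAMPLES = {
    "EasyPDFCombine.bin": b"MZ\x90\x00!This program cannot be run in DOS mode.\r\n"
                          + b"\x00" * 8 + b"http://nsis.sf.net/NSIS_Error\x00Install\x00",
    "Notepad.bin": b"MZ\x90\x00!This program cannot be run in DOS mode.\r\n\x00\x00"
                   + "notepad.exe".encode("utf-16-le") + b"\x00\x00",
    "Tiny.bin": b"MZ\x00\x00short\x00",
}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLES.items():
            (Path(tmp) / name).write_bytes(data)
        for hit in scan_directory(Path(tmp), "http://nsis.sf.net/NSIS_Error"):
            print(hit)   # EasyPDFCombine.bin.txt
```

Point scan_directory at a folder of .bin samples and it produces the same list of .bin.txt names as the PowerShell version; the offsets in the .txt files are there so a hit can be carved out of the sample afterwards.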

Friday, January 4, 2019

Random Strings Output Notes

Running strings against an executable, here are some findings and the reasoning behind each.

The sample file in question
https://www.virustotal.com/#/file/1c44d829d130986ade5661947b841a6a0ca79c37fe1c57ea9b93931362a324f2/detection

!This program cannot be run in DOS mode.
==> so we know this is a Windows PE executable: this is the message printed by the DOS stub that every PE file carries (the leading "!" is the last byte of the stub's int 21h instruction, 0x21, which is why strings picks it up as part of the text)

MSVBVM50.DLL
VBA5.DLL
==> so we know this program was written in Visual Basic 5.0: MSVBVM50.DLL is the VB5 run-time library and VBA5.DLL its VBA engine, and the program will not start without them

@*\AC:\src\Utils\SystemInstaller\SystemInstaller.vdp
SystemInstaller.exe
==> the "*\A" prefix marks the project path that the VB compiler embeds in every compiled executable, so this reveals the developer's source tree (C:\src\Utils\SystemInstaller\) and the original name SystemInstaller.exe; the .vdp extension suggests a deployment (setup) project, i.e. this was probably built to install the software

kernel32
GetWindowsDirectoryA
GetSystemDirectoryA
GetTempPathA
==> indicates this software calls the Windows API to resolve the Windows, System32, and temp folder paths, typically to read files from or drop files into those locations (the temp folder is the usual staging area for installers and droppers alike)

c:\program files\devstudio\vb\vb5.olb
==> likely indicates that Microsoft Developer Studio (DevStudio, the Visual Studio 97 IDE that VB5 shipped in) was used to build this Visual Basic 5.0 project; vb5.olb is the VB5 object (type) library

drvSource
fraNewFile
filSource
lstFiles
dirSource
dirSource_Change
drvSource_Change
==> these are VB control names in Hungarian notation: the drv/dir/fil prefixes are the standard DriveListBox, DirListBox and FileListBox controls, and the _Change suffixes are their event handlers, so the program shows the user Drive, Directory and File picker boxes


btnExit_Click
btnFrom_Click
btnMake_Click
btnTo_Click
==> btn*_Click are button click handlers, so the application has a GUI with Exit, From, To and Make buttons

Error extracting from
Couldn't delete
Couldn't open
Couldn't copy
Extracted
Error copying stub (
Error opening
Error copying
__vbaFileClose
__vbaFileOpen
__vbaFileSeek
==> indicates files are likely being opened, copied, and deleted

__vbaPrintFile
==> __vbaPrintFile implements VB's Print # statement, which writes text to an open file (not to a printer); it also confirms this is a Visual Basic program, since every __vba* import is a helper in the VB run-time

__vbaPutOwner3
==> __vbaPutOwner3 is the run-time helper behind VB's Put # statement, which writes raw variable data to an open file; together with __vbaFileOpen and __vbaFileSeek above this means binary file writes, not window ownership

__vbaRedim
__vbaAryDestruct
==> __vbaRedim (ReDim) and __vbaAryDestruct mean the program allocates, resizes and frees dynamic arrays, for example buffers holding file contents

__vbaHresultCheckObj
==> the VB compiler inserts __vbaHresultCheckObj after calls into COM objects to turn a failing HRESULT into a VB run-time error, so the program uses COM objects and relies on VB's own error handling

You are required to have a destination file name
You must have some files to add
Select-Extracting file name
Make EXE
Should automatically install self-installing system OCX's or DLL's
==> indicates the program builds an executable (a self-extracting installer, per "Make EXE" and the "stub" in the error strings above) and saves it to disk, and that the result can install self-registering OCX/DLL components

MHC Associates
==> could indicate who created this executable; OSINT indicates MHC Associates, Inc. provides a marketing management system to manage marketing materials from a single online shopping cart.

Microsoft Visual C++ Runtime Library
==> continues to confirm it's a Windows program; this string is the title of the Visual C++ run-time's error dialog, so at least one component inside (likely the ComponentOne controls further down) was built with Visual C++

SizeofResource
LoadResource
FindResourceA
==> indicates this program loads resources (such as icons); for an installer these three calls together are also how a payload stored in the resource section gets read out

LoadLibraryExA
GetProcAddress
LoadLibraryA
GetModuleHandleA
GetModuleFileNameA
==> indicates this program resolves libraries and functions at run time; in malware this is also how imports are hidden from the import table, so the strings near GetProcAddress are worth a closer look

RegDeleteKeyA
RegCreateKeyExA
RegDeleteValueA
RegCloseKey
RegOpenKeyExA
RegEnumKeyExA
RegSetValueExA
RegQueryInfoKeyA
RegEnumValueA
==> indicates this software can open, enumerate, create, modify, or delete registry keys and values (RegEnum*/RegQuery* read, RegCreate*/RegSet* write, RegDelete* remove)

OleSaveToStream
OleLoadFromStream
==> indicates this software may use COM objects in Windows

HeapCreate
VirtualFree
VirtualAlloc
==> indicates this program may allocate additional memory

CreateFileA
ReadFile
==> indicates this program may create new or read existing files off disk

EMR_POLYGON16
EMR_POLYDRAW16
EMR_SELECTPALLETTE
==> EMR_* are Enhanced Metafile (GDI) record names, so the program draws or prints graphics

** PDF file created with demo version of the VideoSoftware VSPDF control. **
==> indicates this installer may include a PDF embedded in it, perhaps readme instructions

deflate 1.0.4 Copyright 1995-1996 Jean-loup Gailly
==> this is the zlib/deflate version banner, so the software carries deflate-compressed data embedded in it, typically the files an installer unpacks

VSPDF Control
Copyright 2001 ComponentOne
VSPDF.VSPDF.1 = s ':-) VideoSoft VSPDF 7.0'
Use this control to convert documented created with VSPrinter 7.0 to PDF format.  The PDF format is a platform-independent format developed by Adobe Systems and supported by Adobe Acrobat and other products
www.componentone.com
5900-T Hollis Street
Emeryvilla, CA 94608
VSPrinter7
Choose Printer and Print FileW
Printing...
==> indicates the program uses third-party ActiveX controls from the vendor ComponentOne: VSPDF for PDF generation and VSPrinter7 for printing and print preview; the "VSPDF.VSPDF.1 = s '...'" line is registry-script syntax used to register that control's ProgID

!This program cannot be run in DOS mode
==> a second DOS stub means this installer carries at least one more executable embedded inside it; run strings with -o to get the offset of each stub and you can carve the embedded files out

<TITLE>&s</TITLE>
<BODY BGCOLOR=#%02x%02x%02x">
==> indicates this program will be generating HTML or web pages

VeriSign, Inc.1301
https://www.verisign.com/rpa0
ComponentOne1>0<
<ComponentOne VSPRINT7 Ocx Fil
==> these are fragments of an X.509 certificate chain (VeriSign as the CA, ComponentOne as the subject), so one of the embedded executables carries an Authenticode signature from ComponentOne; the text suggests it is the VSPRINT7 OCX

Wednesday, June 7, 2017

Random Strings XML notes

Random notes on running strings and finding xml

If you see something like ...
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
   <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
     <requestedPrivileges>
      <requestedExecutionLevel level='asInvoker' uiAccess='false' />
     </requestedPrivileges>
    </security>
   </trustInfo>
</assembly>
It is a Windows application manifest, embedded in the executable as an RT_MANIFEST resource (nothing specific to Visual Basic). The requestedExecutionLevel tells UAC how to launch the program: asInvoker (the default, no elevation), highestAvailable (elevate if the user is an administrator) or requireAdministrator (always prompt for elevation). A sample that asks for requireAdministrator wants elevated rights from the start, which is worth noting in triage.
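An added example, not from the original posts, that turns the observations in the "Random Strings Output Notes" post and the manifest note above into a repeatable triage step in Python: count the DOS-stub banners (more than one means an embedded executable), bucket imported API and __vba* helper names by the capability they imply, and pull requestedExecutionLevel out of an embedded manifest. SAMPLE is constructed bytes that reuse strings quoted in the post, not a real binary, and the bucket names, regular expressions and function names are this example's own choices.

```python
import re
from typing import Dict, List, Optional

DOS_STUB = b"This program cannot be run in DOS mode"

# Capability buckets keyed on the import and run-time helper names seen in the post.
# A string may land in more than one bucket (__vbaFileOpen is both VB5 run-time and file I/O).
CAPABILITIES = {
    "registry":        re.compile(r"^Reg(Open|Create|Set|Query|Enum|Delete|Close)"),
    "dynamic loading": re.compile(r"^(LoadLibrary(Ex)?A?|GetProcAddress|GetModuleHandleA?)$"),
    "file I/O":        re.compile(r"^(CreateFileA?|ReadFile|WriteFile|__vbaFile(Open|Close|Seek)|__vbaPutOwner3)$"),
    "resources":       re.compile(r"^(FindResourceA?|LoadResource|SizeofResource)$"),
    "VB5 runtime":     re.compile(r"^(MSVBVM50\.DLL|VBA5\.DLL|__vba)", re.IGNORECASE),
}
# requestedExecutionLevel inside an embedded application manifest (RT_MANIFEST is stored as plain text).
MANIFEST_LEVEL = re.compile(rb"""<requestedExecutionLevel[^>]*\blevel=['"]([^'"]+)['"]""")

def ascii_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, i.e. what strings -n 8 prints."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def dos_stub_offsets(data: bytes) -> List[int]:
    """Offset of every DOS-stub banner. More than one means another PE is embedded in the file."""
    return [m.start() for m in re.finditer(re.escape(DOS_STUB), data)]

def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Group strings by the capability their API / run-time helper name implies."""
    buckets: Dict[str, List[str]] = {name: [] for name in CAPABILITIES}
    for s in strings:
        for name, pattern in CAPABILITIES.items():
            if pattern.match(s):
                buckets[name].append(s)
    return {name: sorted(set(hits)) for name, hits in buckets.items() if hits}

def manifest_execution_level(data: bytes) -> Optional[str]:
    """asInvoker / highestAvailable / requireAdministrator, or None when no manifest is present."""
    m = MANIFEST_LEVEL.search(data)
    return m.group(1).decode("ascii") if m else None

def triage(data: bytes) -> dict:
    return {
        "dos_stub_offsets": dos_stub_offsets(data),
        "capabilities": classify(ascii_strings(data)),
        "execution_level": manifest_execution_level(data),
    }

# Constructed sample (not a real binary): an outer "PE" with the imports and manifest from the post,
# followed by a second DOS stub standing in for an embedded executable.
SAMPLE = (
    b"MZ\x90\x00" + DOS_STUB + b".\r\n"
    + b"\x00".join([b"kernel32", b"LoadLibraryA", b"GetProcAddress", b"CreateFileA", b"ReadFile",
                    b"advapi32", b"RegSetValueExA", b"RegCreateKeyExA", b"FindResourceA",
                    b"LoadResource", b"MSVBVM50.DLL", b"__vbaFileOpen", b"__vbaPutOwner3"]) + b"\x00"
    + b"<?xml version='1.0' encoding='UTF-8' standalone='yes'?>"
    + b"<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>"
    + b"<requestedExecutionLevel level='requireAdministrator' uiAccess='false' /></assembly>"
    + b"\x00" * 16 + b"MZ\x90\x00" + DOS_STUB + b".\r\n" + b"payload.exe\x00"
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("DOS stubs at", [hex(o) for o in report["dos_stub_offsets"]])  # two: outer file + embedded PE
    for capability, names in report["capabilities"].items():
        print(f"{capability:16}{', '.join(names)}")
    print("requestedExecutionLevel:", report["execution_level"])
```

Feed triage() the bytes of a real sample and the capability buckets give the same picture the post builds by hand; the bucket regexes are deliberately anchored on the API names quoted in the post rather than trying to be complete, so extend them as you meet new imports.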





More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Monday, March 20, 2017

Fattura Invoice PDF zip exe that uses eMailExtractor

So I'm still learning at this, but I thought I'd walk through my thought process and see if anybody wanted to explain what I did right or wrong :-) A few days ago there was this link

hxxp://www[.]coccorullo[.]it/fattura/Fattura_49922pdf.zip

When extracted you ended up with

0843d52e1df49221a095fbdd0bc4a2cb Fattura_49922pdf.exe

I believe, per Google Translate, that Fattura = Invoice, so this was likely part of some phishing email masquerading as an invoice.

When I ran strings I saw text that seemed to indicate a different program called emailExtractor



When I ran objdump I saw text that seemed to indicate this file was perhaps originally named eMailExtractor.exe



After a google search I came up with this site hxxps://www[.]maxprog[.]com/site/software/internet-marketing/email-extractor_sheet_us.php



So my thoughts were either a.) this is just the legit software and VirusTotal is screaming because it's crap ad-loaded junk, or b.) perhaps the attacker just renamed it or made it look like legit software in order to throw off security researchers, or perhaps c.) something more is going on here, like maybe the attacker modified this eMailExtractor.exe for his evil bidding and made it so that when the user executes it, it will "collect all emails on his computer" and then send them back to the attacker somehow. An email harvester.

Thoughts?
