Showing posts with label xor. Show all posts
Showing posts with label xor. Show all posts

Thursday, February 16, 2023

Redline Malware Malware Analysis Feb 16 2023

Started with this redline malware sample 

https://www.joesandbox.com/analysis/808971/0/html

Which the sandbox says dumps a bunch of child-processes and eventually drops these 2 payloads

AV killer

https://www.virustotal.com/gui/file/850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

Healer.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0

SHA-1 421a7167da01c8da4dc4d5234ca3dd84e319e762



Infostealer

https://www.virustotal.com/gui/file/dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3 

The Infostealer looks a lot like this blog ( https://securityscorecard.com/research/detailed-analysis-redline-stealer/ )

Franchise.exe

MD5 dd0c9e110c68ce1fa5308979ef718f7b

SHA-1 473deb8069f0841d47b74b7f414dacc6f96eca78


C2: 193.233.20.13:4136


It is stored in a self extracting .CAB file (microsoft cabinet)

It unpacks itself 4 times actually before we finally see the payload.

Each time the child .CAB file is stored in a Resource named "CABINET"

Each time there is 2 .exes inside the .CAB .

Each of the repeated dumps the "RUNPROGRAM" resource launches another child .CAB extractor.







Eventually though on the last extract it's 2 .NET executables instead of X86 and .CAB extrator.



The first .NET executable is an AV killer that turns off defender, windows updates, etc.



The 2nd .nET executable is the infostealer that grabs wallets, vpn , discord, and much more








                                            
There are some Russian characters and nearby region country names



There is also code for the c2 command and control traffic that is Xor'd with a key "Sigma" and base64 encoded. 193.233.20.13:4136











Posted by at 3 comments:
Labels: , , , , , , , , , , ,

Tuesday, July 28, 2020

attempt at emotet api resolver

random scattered notes
https://app.any.run/tasks/585ddd5e-0dde-421f-8b8a-e7dbaf4f8c05/

3F32E053657036D09C84D6DAD220EF50

update: after-the-fact This blog seems useful
https://distributedcompute.com/2020/04/19/how-emotet-resolves-apis/
"...the FS register points to the Thread Environment Block, or TEB. The offset 0x30 contains a pointer to the Process Environment Block, or PEB. From there the malware will walk the structure to _PEB_LDR_DATA which contains the head of a doubly-linked list called InMemoryOrderModuleList. This list contains the list entries containing BaseDllName and DllBase. When the entry point to the PE header is located, the PE structure is walked to find the export table. Emotet will then loop over the exported names to find the API function it is searching for..."

-----------
api monitor
-----------
910.exe
- spawned child "mssvp.exe" in appdata
- create windows service mssvp

sc delete "service name"
copy emotet_copy.exe emotet.exe
breakpoint openscmanager
ctrl-f7 (run until return, until get back to "debug" code)
select program segment, highlight, click 'C' for code, analyze
change to "Graph View"

look for code
  mov ecx, [esi+30h]
  call sub_???? (transform api with bunch of xors)
  xor eax, 11D20899h
  cmp eax, ebx

looking for 23F29385 (in ebx)

dll name transformed xor'd
emotet-910.exe C9F6F7D9 D824FC40
ntdll.dll D22E2014 C3FC288D
kernel32.dll 8F7EE672 9EaCEDEB
KERNELBASE.dll 6267DEE4 73B5D57D
USER32.dll D3361080 C2E41B19
GDI32.dll B6C64D61 A71446F8
LPK.dll FF368B1D EEE48084
UPS10.dll F73320A7 E6E12B3E
msvcrt.dll 88053F6B 99D734F2
ADVAPI32.dll 3220981C 23F29385 (found it)

mov edx, 4A609DFEh
mov ecx, 23F29385h #transformed & xor'd api to resolve
call apiResolver

apiResolver(edx=not used (4A609DFEh), ecx=transformAndXordApi (23F29385))
 apiResolverInternal(edi=4A609DFEh, ecx=transformAndXordApi (23F29385))
  foreach api in fs:30h
   eax = subTransformModule(ecx=edi+esicounter) #30h intervals
   eax = eax | 11D20399h
   if(eax == transformAndXordApi)
    eax = [esi+18h] # the starting address of the module dll (75D20000 for ADVAPI32)
exit loop & use it

functionResolver(edx=function looking for (4A609DFEh), ecx=apiResolutionDllAddress (75D20000 for ADVAPI32))
 foreach function
  ecx = ecx + apicounter #ecx starts as ADVAPI32 address
  eax = subTransformFunction(ecx)
  eax = eax | 5776499Bh
  if(eax == edx)
     eax=ecx
exit loop & use it

looking for 4A609DFEh (in ebp+var8)

function name transformed xor'd
** F82294E8 AF54DD73
** 838A4B1E D4FC0285
** FC3ECBB7 AB48822C
** 4C8FA46C 1BF9EDF7
** 4C8FA482 1BF9ED19
CloseServiceHandle  ***                ***
Posted by at 1 comment:
Labels: , , , , ,

Monday, April 13, 2020

Xor brutexor.py Example

C++ code to xor encrypt or decrypt (below)
When compiled it builds XorTesting.exe
You can find the hardcoded value by running brutexor.py ( http://hooked-on-mnemonics.blogspot.com/p/iheartxor.html )

$> python.exe brutexor.py XorTesting.exe | findstr http

0x672f key 0x1f  http://www.google.com/happy


-----------------------
C++ code
-----------------------
#include <stdio.h>
#include <string.h>
#include <cstdlib>

int main(int argc, char * argv[])
{
    if ((argc == 3 && strlen(argv[1]) == 1 && argv[1][0] == '0') ||
        (argc == 2 && strlen(argv[1]) == 1 && argv[1][0] == '1'))
    {
        char parameter[50] = "wkkohhh1xppxsz1|pr0w~oof\0";
        char xord[50];
        int key = 31;
        if (argv[1][0] == '0')
        {
            printf("Running in 'user input(0)' mode\n\n");
            strncpy_s(parameter, argv[2], strlen(argv[2]));

            unsigned int i = 0;
            for (i = 0; i < strlen(parameter); i++)
            {
                xord[i] = parameter[i] ^ key;
            }
            xord[i] = '\0';

            printf("key   : 0x%x\n", key);
            printf("before: %s\n", parameter);
            printf("after : %s\n", xord);
        }
        else if (argv[1][0] == '1')
        {
            printf("Running in 'hardcoded value (1)' mode\n\n");

            unsigned int i = 0;
            for (i = 0; i < strlen(parameter); i++)
            {
                xord[i] = parameter[i] ^ key;
            }
            xord[i] = '\0';

            printf("key   : 0x%x\n", key);
            printf("before: %s\n", parameter);
            printf("after : %s\n", xord);
        }
    }
    else
        printf("Usage:\n  0 = user input mode\n  1 = hardcoded value mode\n\n  XorTesting.exe 0 cleartextvalue\n  XorTesting.exe 1");

    return EXIT_SUCCESS;
}
Posted by at 1 comment:
Labels: , ,

Friday, November 9, 2018

IDA Python Xor Decode malware strings 

If you have an area in memory that is xor obfuscated

debug007:0018FB04 db 0CEh ; Î
debug007:0018FB05 db  27h ; '
debug007:0018FB06 db  9Ch ; œ
debug007:0018FB07 db  1Ah
debug007:0018FB08 db  95h ; •
debug007:0018FB09 db  2Eh ; .
debug007:0018FB0A db  22h ; "
debug007:0018FB0B db  57h ; W
debug007:0018FB0C db  91h ; ‘
debug007:0018FB0D db  21h ; !
debug007:0018FB0E db  57h ; W
debug007:0018FB0F db  3Ah ; :

and you have assembly code that decodes or xors it to get it back to readable value

.text:00401654 mov     eax, [esp+28h+arg_0]
.text:00401658 movzx   ecx, byte ptr [eax]
.text:0040165B movzx   edx, byte ptr [eax+1]
.text:0040165F xor     cl, 0A3h
.text:00401662 xor     dl, 54h
.text:00401665 mov     [esp+28h+memcpySource], cl
.text:00401669 movzx   ecx, byte ptr [eax+2]
.text:0040166D mov     [esp+28h+var_23], dl
.text:00401671 movzx   edx, byte ptr [eax+3]
.text:00401675 not     cl
.text:00401677 xor     dl, 75h
.text:0040167A mov     [esp+28h+var_22], cl
.text:0040167E movzx   ecx, byte ptr [eax+4]
.text:00401682 mov     [esp+28h+var_21], dl
.text:00401686 movzx   edx, byte ptr [eax+5]
.text:0040168A xor     cl, 0E7h
.text:0040168D xor     dl, 44h
.text:00401690 mov     [esp+28h+var_20], cl
.text:00401694 movzx   ecx, byte ptr [eax+6]
.text:00401698 mov     [esp+28h+var_1F], dl
.text:0040169C movzx   edx, byte ptr [eax+7]
.text:004016A0 xor     cl, 4Bh
.text:004016A3 xor     dl, 23h
.text:004016A6 mov     [esp+28h+var_1E], cl
.text:004016AA movzx   ecx, byte ptr [eax+8]
.text:004016AE mov     [esp+28h+var_1D], dl
.text:004016B2 movzx   edx, byte ptr [eax+9]
.text:004016B6 xor     cl, 0BFh
.text:004016B9 xor     dl, 45h
.text:004016BC mov     [esp+28h+var_1C], cl
.text:004016C0 movzx   ecx, byte ptr [eax+0Ah]
.text:004016C4 mov     [esp+28h+var_1B], dl
.text:004016C8 movzx   edx, byte ptr [eax+0Bh]
.text:004016CC xor     cl, 3Bh
.text:004016CF xor     dl, 56h


You can decode or xor it to read it in IDA Python scripting by going to
file -> script command
and entering code like this
where 'd' is filled with the encoded hex values
and the print statements are filled with the individual xor values from the code

from textwrap import wrap
d = "ce279c1a952e22579121573a"
bytes = wrap(d, 2)
for i in range(len(bytes)):
 bytes[i] = int(bytes[i],16)
print(chr(bytes[0] ^ 0xa3))
print(chr(bytes[1] ^ 0x54))
print(chr((~bytes[2]) & 0x000000FF))
print(chr(bytes[3] ^ 0x75))
print(chr(bytes[4] ^ 0xe7))
print(chr(bytes[5] ^ 0x44))
print(chr(bytes[6] ^ 0x4b))
print(chr(bytes[7] ^ 0x23))
print(chr(bytes[8] ^ 0xbf))
print(chr(bytes[9] ^ 0x45))
print(chr(bytes[10] ^ 0x3b))
print(chr(bytes[11] ^ 0x56))


thus in this example
d = "ce279c1a952e22579121573a"
prints out
mscorjit.dll

which is a library the malware is going to load
Posted by at 5 comments:
Labels: , , , ,
Subscribe to: Posts (Atom)