Monday, November 12, 2018
IDA common locations to put breakpoints
I'm learning that if you're looking for somewhere to breakpoint in confusing malware, try
jmp eax ; // or any register for that matter, it's jumping to a dynamic address computed at run time
call eax ; // or any register for that matter, it's calling a dynamic address computed at run time
call dword_xxx ; // it's calling an address saved in data, perhaps filled in dynamically (e.g. a resolved API address or decrypted code)
Also a breakpoint in
kernel32.dll -> ResumeThread (ntdll.dll -> NtResumeThread underneath) ; // malware may create a thread or process suspended, patch it, and then resume it when the editing is complete
ntdll.dll -> NtResumeProcess ; // same idea for a whole process; there is no kernel32 export named ResumeProcess, the native call is the one to break on
Also look at the IDA color-coded navigation band across the top of the window: look for a large chunk of data, which is probably the packed code, find the label for it, look for xrefs to that label, and then breakpoint there.
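To find these breakpoint candidates in bulk rather than by scrolling, here is an added example (it is not code from the post). The pure-Python part classifies each instruction of an IDA-style listing as a register transfer (jmp eax, call edx), a transfer through a pointer held in data (call dword_xxx, call [ebp+8]) or an IAT call (call ds:__imp_X, usually noise). The sample listing is constructed for illustration, and the ida_set_breakpoints wrapper assumes the IDA 7.x API names idautils.Segments, idautils.Heads, idc.print_insn_mnem, idc.print_operand and idc.add_bpt; it only runs inside IDA.

```python
"""Added example: find the breakpoint candidates named in the post (jmp/call
through a register, call through a pointer stored in data) in an IDA listing."""
import re

# General-purpose registers a jmp/call can go through (32- and 64-bit names)
REGISTERS = {
    "eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp",
    "rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rbp", "rsp",
    "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15",
}

# "<segment>:<address> <mnemonic> <operands>" as IDA prints it
LISTING_LINE = re.compile(r"^\s*(?:[\w.]+:)?([0-9A-Fa-f]+)\s+(\w+)\s*(.*?)\s*$")


def classify(mnem, operand):
    """Return "register", "memory", "import" or None for one instruction.

    "register": jmp eax / call edx ...           -> target computed at run time
    "memory":   call dword_40A000, call [ebp+8]  -> target read from data
    "import":   call ds:__imp_X                  -> IAT slot, normally just an API call
    """
    mnem, op = mnem.lower(), operand.strip().lower()
    if mnem not in ("jmp", "call"):
        return None
    if op in REGISTERS:
        return "register"
    if op.startswith("ds:") and "__imp_" in op:
        return "import"
    if "[" in op or op.startswith(("dword_", "qword_", "off_")):
        return "memory"
    return None        # direct call/jmp to a fixed address


def find_dynamic_transfers(listing, include=("register", "memory")):
    """Parse listing text and return [(ea, kind, line)] for every hit."""
    hits = []
    for line in listing.splitlines():
        m = LISTING_LINE.match(line)
        if not m:
            continue
        ea, mnem, operand = m.groups()
        kind = classify(mnem, operand)
        if kind in include:
            hits.append((int(ea, 16), kind, line.strip()))
    return hits


# Constructed sample listing (not from a real sample) for a stand-alone run
SAMPLE_LISTING = """
.text:00401000 push    ebp
.text:00401001 mov     ebp, esp
.text:00401003 call    sub_401200
.text:00401008 mov     eax, [ebp+8]
.text:0040100B call    eax
.text:0040100D jmp     short loc_401020
.text:0040100F call    dword_40A000
.text:00401015 call    ds:__imp_GetProcAddress
.text:0040101B jmp     esi
.text:0040101D call    [ebp+0Ch]
"""


def ida_set_breakpoints(dry_run=False):
    """Inside IDA 7.x only: walk every code head and set a breakpoint on each hit.
    The idautils/idc names used here are assumed IDA 7.x API names."""
    import idautils, idc            # only importable inside IDA
    hits = []
    for seg in idautils.Segments():
        for ea in idautils.Heads(seg, idc.get_segm_end(seg)):
            if not idc.is_code(idc.get_full_flags(ea)):
                continue
            kind = classify(idc.print_insn_mnem(ea), idc.print_operand(ea, 0))
            if kind in ("register", "memory"):
                hits.append((ea, kind))
                if not dry_run:
                    idc.add_bpt(ea)
                print("%08X %-8s %s" % (ea, kind, idc.generate_disasm_line(ea, 0)))
    return hits


if __name__ == "__main__":
    for ea, kind, text in find_dynamic_transfers(SAMPLE_LISTING):
        print("%08X %-8s %s" % (ea, kind, text))
```

Run it as a plain script to see the classifier on the constructed listing; inside IDA, call ida_set_breakpoints(dry_run=True) first to review the list before it sets anything.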
IDA Error "The instruction at ... referenced memory at ... The memory could not be written"
If you're running malware under the IDA debugger and get an error such as
8A1EE: The instruction at 0x8A1EE referenced memory at 0x0. The memory could not be written -> 0000000000000000 (exc.code c0000006, tid 2268)
(exception code 0xC0000006 is STATUS_IN_PAGE_ERROR), then per the OALabs YouTube video
https://www.youtube.com/watch?v=ScBB-Hi7NxQ
this might be caused by the debugger holding a handle to the malware sample while the malware itself wants its own exclusive handle to the file.
The malware's open fails because it cannot get an exclusive handle to its own file while the debugger already has one open, and the malware then carries on with the invalid handle, which leads to the crash.
To remediate, one potential fix is to try ...
- Set a breakpoint in IDA on startup (stop at the entry point)
- In the debugger "Modules" window, find "ntdll.dll" and the "NtCreateFile" function, and set a breakpoint on it
- Continue the debugger; it will eventually hit NtCreateFile
- Then "Continue until Return" multiple times until you return to the malware's own code
- In my case it was a call to "kernel32.dll" "CreateFileA" that triggered this call
- If you look at the parameters to "CreateFileA", the 3rd parameter (dwShareMode) was set to 0, which means no sharing, i.e. an exclusive handle
- If you look at the return result of CreateFileA it returned FFFFFFFF, which is INVALID_HANDLE_VALUE, and that unchecked failure is what's causing the error
- So, add a breakpoint on this CreateFileA call
- Kill the debugging process
- Re-launch the program until it hits your new breakpoint
- Change that 3rd parameter from 0x0 to 0x7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE) so the open no longer demands exclusivity
- Now allow it to run, and notice the return value is no longer FFFFFFFF; it's a valid file handle now, and thus you've gotten past the error caused by the exclusive handle!
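As an added example (not from the post or the OALabs video), the script below models the stack at the malware's `call CreateFileA`, shows why dwShareMode == 0 collides with the read handle the debugger already holds on the sample, and applies the 0 -> 7 patch. The stack snapshot and the debugger's handle are constructed values, the sharing check is a simplified model of the Win32 rule (GENERIC_* rights only), and the ida_patch_share_mode_at_call_site function assumes the IDA 7.x names idc.get_reg_value, idc.read_dbg_dword and ida_dbg.write_dbg_memory; it only runs inside IDA with the debugger paused on the call instruction.

```python
"""Added example: why dwShareMode = 0 fails under a debugger, and the patch."""
import struct

# Win32 constants (winnt.h / fileapi.h)
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
DELETE = 0x00010000
FILE_SHARE_READ = 0x1
FILE_SHARE_WRITE = 0x2
FILE_SHARE_DELETE = 0x4
FILE_SHARE_ALL = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE   # 0x7
OPEN_EXISTING = 3
INVALID_HANDLE_VALUE = 0xFFFFFFFF

# CreateFileA(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
#             dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile)
ARG_NAMES = ("lpFileName", "dwDesiredAccess", "dwShareMode", "lpSecurityAttributes",
             "dwCreationDisposition", "dwFlagsAndAttributes", "hTemplateFile")
SHARE_MODE_INDEX = 2      # the "3rd parameter" from the post


def arg_offset(index, at_call_site=True):
    """ESP-relative offset of 32-bit stdcall argument `index`.
    Paused on the `call` itself, ESP points at argument 0; paused inside
    CreateFileA (e.g. at its first instruction) the return address occupies
    [ESP], so every argument moves up by 4."""
    return index * 4 + (0 if at_call_site else 4)


def read_args(stack, at_call_site=True):
    """Decode the seven CreateFileA arguments from raw little-endian stack bytes."""
    return {name: struct.unpack_from("<I", stack, arg_offset(i, at_call_site))[0]
            for i, name in enumerate(ARG_NAMES)}


def patch_share_mode(stack, at_call_site=True, mode=FILE_SHARE_ALL):
    """Return a copy of `stack` with dwShareMode overwritten (default 0x7)."""
    patched = bytearray(stack)
    struct.pack_into("<I", patched, arg_offset(SHARE_MODE_INDEX, at_call_site), mode)
    return bytes(patched)


def _share_needed_for(access):
    """Which FILE_SHARE_* bits another handle must grant for this access."""
    need = 0
    if access & GENERIC_READ:
        need |= FILE_SHARE_READ
    if access & GENERIC_WRITE:
        need |= FILE_SHARE_WRITE
    if access & DELETE:
        need |= FILE_SHARE_DELETE
    return need


def sharing_ok(new_access, new_share, existing_handles):
    """Simplified Win32 sharing check: the new open must tolerate every existing
    handle's access, and every existing handle must tolerate the new open's
    access. Otherwise CreateFile fails with ERROR_SHARING_VIOLATION and returns
    INVALID_HANDLE_VALUE (the FFFFFFFF seen in the post)."""
    for access, share in existing_handles:
        if _share_needed_for(access) & ~new_share:
            return False
        if _share_needed_for(new_access) & ~share:
            return False
    return True


# Constructed stack snapshot at the call site: malware opens itself read/write
# with dwShareMode = 0 (exclusive). Pointer values are made up.
SAMPLE_STACK = struct.pack("<7I", 0x0040A010, GENERIC_READ | GENERIC_WRITE, 0,
                           0, OPEN_EXISTING, 0x80, 0)
# Assumed: the debugger holds a read handle on the sample, shared for read/write
DEBUGGER_HANDLES = [(GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE)]


def ida_patch_share_mode_at_call_site():
    """Inside IDA 7.x, paused on the `call CreateFileA` instruction: rewrite
    dwShareMode in the debuggee's stack (assumed IDA 7.x API names)."""
    import idc, ida_dbg              # only importable inside IDA
    ea = idc.get_reg_value("ESP") + arg_offset(SHARE_MODE_INDEX, at_call_site=True)
    old = idc.read_dbg_dword(ea)
    ida_dbg.write_dbg_memory(ea, struct.pack("<I", FILE_SHARE_ALL))
    print("dwShareMode @ %08X: %#x -> %#x" % (ea, old, FILE_SHARE_ALL))
    return old


if __name__ == "__main__":
    args = read_args(SAMPLE_STACK)
    print("before:", hex(args["dwShareMode"]),
          sharing_ok(args["dwDesiredAccess"], args["dwShareMode"], DEBUGGER_HANDLES))
    fixed = read_args(patch_share_mode(SAMPLE_STACK))
    print("after: ", hex(fixed["dwShareMode"]),
          sharing_ok(fixed["dwDesiredAccess"], fixed["dwShareMode"], DEBUGGER_HANDLES))
```

If you break inside CreateFileA instead of on the call instruction, pass at_call_site=False (or adjust the ESP offset by 4) so you patch dwShareMode and not dwDesiredAccess.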
#phishingkit threat actor emails 2018-11-12
#phishingkit actor emails https://twitter.com/Techhelplistcom/status/1061885792027586560
185.52.3.156 http://routelabel.net hosting
- 12\12\12\authenticate.php:$email= "cforeplyto@gmail.com";
- 12\12\12\login.php:$email= "cforeplyto@gmail.com";
- drop\newdropbox\00\000\001\index\gm33ail\geemail.php: $to ="andyjames009@yandex.com";
- 2019box\SA\drop\newdropbox\00\000\001\index\li33ve\li33ve.php: $to ="gdaan7@gmail.com";
- 2019box\SA\drop\newdropbox\00\000\001\index\off33ice\off33ice.php: $to ="gdaan7@gmail.com";
- 2019box\SA\drop\newdropbox\00\000\001\index\others\otherother.php: $to ="gdaan7@gmail.com";
- 2019box\SA\drop\newdropbox\00\000\001\index\yah33oo\yah33oo.php: $to ="gdaan7@gmail.com";
- Anymail%20Magnet\magnet\loader.php:$to = "mchlliving@gmail.com";
- Anymail%20Magnet\magnet\Verify.php:$to = "mchlliving@gmail.com";
- Anymail%20Magnet%20-%20zilo\magnet\loader.php:$to = "zakichahul@gmail.com";
- Anymail%20Magnet%20-%20zilo\magnet\Verify.php:$to = "zakichahul@gmail.com";
- luno\index2.php: $to = "markjamesons717@gmail.com";
- luno\index2.php: "CC:markjamesons717@gmail.com";
- microsoftonline.secured\m1soft\verify.php:$mail_to = "feminist008@gmail.com";
- sharep\final.php:$send = "steveaustin1234@gmail.com";
Kit archives:
- http://uahowias.com/12.zip
- http://zahwes.com/microsoftonline.secured.zip
- http://qtoksa.com/verify.login.microsoftonline/sharep.zip
- http://taowlk.com/Luno/luno.zip
- http://hanlskes.com/Anymail%20Magnet.zip
- http://hanlskes.com/forum/Anymail%20Magnet.zip
- http://hanlskes.com/invoice/Anymail%20Magnet.zip
- http://hanlskes.com/admin/Anymail%20Magnet.zip
- http://hanlskes.com/Confirmation/Anymail%20Magnet%20-%20zilo.zip
- http://hanlskes.com/Proposal%20/Anymail%20Magnet.zip
- http://kalusm.com/2019box.zip
#phishingkit actor emails https://twitter.com/Techhelplistcom/status/1061845780791726081
103.75.189.106 vpsmalaysia[.]com[.]my hosting
- amiro\includes\my_email.php:$my_email = "madauthy@protonmail.com";
- Excel23\next.php:$send = "paulm.petromin@gmail.com";
- HotmailOfficeNew\next.php:$send = "paulm.petromin@gmail.com";
- microsoftonline.secured\m1soft\verify.php:$mail_to = "feminist008@gmail.com";
- NAVER\oku.php:$send = "ddonwise1010@yandex.com, maria.hirschberghof@gmail.com";
- office365\next.php:$send = "anny.duweivices@gmail.com";
- wetransfers\next.php:$send = "anny.duweivices@gmail.com";
Kit archives:
- http://chowusi.com/download/OUTLOOKNEW.zip
- http://batwoks.com/test/test_files.zip
- http://swealsk.com/11/NAVER.zip
- http://swealsk.com/13/NAVER.zip
- http://swealsk.com/6/NAVER.zip
- http://swealsk.com/10/NAVER.zip
- http://swealsk.com/7/NAVER.zip
- http://swealsk.com/8/NAVER.zip
- http://swealsk.com/2/NAVER.zip
- http://swealsk.com/5/NAVER.zip
- http://swealsk.com/9/NAVER.zip
- http://swealsk.com/3/NAVER.zip
- http://swealsk.com/12/NAVER.zip
- http://swealsk.com/1/NAVER.zip
- http://swealsk.com/4/NAVER.zip
- http://bahlowk.com/amiro.zip
- http://ualkws.com/microsoftonline.secured.zip
- http://gaklosk.com/microsoftonline.secured.zip
- http://ouiask.com/HotmailOfficeNew.zip
- http://ouiask.com/office365.zip
- http://ouiask.com/Excel23.zip
- http://ouiask.com/wetransfers.zip
#phishingkit threat actor emails https://twitter.com/Techhelplistcom/status/1061840412883722240
35.183.119.114 @digitalocean hosting
- 1\1\1\1\passportx.php:$send = "zzxxccah22@gmail.com";
- domain_updated\review\connectID.php:$own = 'cleanestresults@gmail.com';
- form\bringitback.php:$send = "ladi.pupo@yandex.com";
- office\office365\bringitback.php:$send = "ladi.pupo@yandex.com";
- office365\form\bringitback.php:$send = "ladi.pupo@yandex.com";
- Review\file\site\process.php:$to = "info.contactsss01@gmail.com";
Kit archives:
- http://fbg6.cf/qw/General.zip
- http://b6y76.ga/feyi/newestyahoo.zip
- http://b6y76.ga/uu/Docusign%20_1.zip
- http://b6y76.ga/faith/secure01c.chase.web.auth.dashboard..zip
- http://b6y76.cf/ll/domain_updated.zip
- http://sfdgvr65.ga/hot-auto.zip
- http://sfdgvr65.cf/ourtimet%20_1.zip
- http://fbg6.ga/office365/form.zip
- http://fbg6.ga/office365.zip
- http://fbg6.ga/office.zip
- http://fbg6.ga/office/office365.zip
- http://gb667u76.tk/1.zip
- http://gb667u76.tk/review/Review.zip
Friday, November 9, 2018
IDA Python bitwise NOT Decode malware strings
If you have an area in memory that is obfuscated, e.g.
debug007:0018FB06 db 9Ch ; œ
debug007:0018FB07 db 1Ah
and you have assembly code that decodes it with a bitwise NOT (and an XOR for the next byte) like this
.text:00401671 movzx edx, byte ptr [eax+3]
.text:00401675 not cl
.text:00401677 xor dl, 75h
you can decode it to read it in IDA Python scripting by going to File -> Script Command and entering code like this, where 'd' is filled with the encoded hex values and the print statements use the individual NOT/XOR operations taken from the code. Note that Python's ~ gives a negative number, so the result has to be masked back down to one byte with & 0xFF:
from textwrap import wrap
d = "9c1a"
enc = [int(b, 16) for b in wrap(d, 2)]   # "9c1a" -> [0x9c, 0x1a]
print(chr((~enc[0]) & 0xFF))             # not cl
print(chr(enc[1] ^ 0x75))                # xor dl, 75h
Thus in this example d = "9c1a" prints out 'c' and 'o', i.e. "co".
IDA Python Xor Decode malware strings
If you have an area in memory that is xor obfuscated
debug007:0018FB04 db 0CEh ; Î
debug007:0018FB05 db 27h ; '
debug007:0018FB06 db 9Ch ; œ
debug007:0018FB07 db 1Ah
debug007:0018FB08 db 95h ; •
debug007:0018FB09 db 2Eh ; .
debug007:0018FB0A db 22h ; "
debug007:0018FB0B db 57h ; W
debug007:0018FB0C db 91h ; ‘
debug007:0018FB0D db 21h ; !
debug007:0018FB0E db 57h ; W
debug007:0018FB0F db 3Ah ; :
and you have assembly code that decodes (xors, or in one case NOTs) each byte to get it back to a readable value
.text:00401654 mov eax, [esp+28h+arg_0]
.text:00401658 movzx ecx, byte ptr [eax]
.text:0040165B movzx edx, byte ptr [eax+1]
.text:0040165F xor cl, 0A3h
.text:00401662 xor dl, 54h
.text:00401665 mov [esp+28h+memcpySource], cl
.text:00401669 movzx ecx, byte ptr [eax+2]
.text:0040166D mov [esp+28h+var_23], dl
.text:00401671 movzx edx, byte ptr [eax+3]
.text:00401675 not cl
.text:00401677 xor dl, 75h
.text:0040167A mov [esp+28h+var_22], cl
.text:0040167E movzx ecx, byte ptr [eax+4]
.text:00401682 mov [esp+28h+var_21], dl
.text:00401686 movzx edx, byte ptr [eax+5]
.text:0040168A xor cl, 0E7h
.text:0040168D xor dl, 44h
.text:00401690 mov [esp+28h+var_20], cl
.text:00401694 movzx ecx, byte ptr [eax+6]
.text:00401698 mov [esp+28h+var_1F], dl
.text:0040169C movzx edx, byte ptr [eax+7]
.text:004016A0 xor cl, 4Bh
.text:004016A3 xor dl, 23h
.text:004016A6 mov [esp+28h+var_1E], cl
.text:004016AA movzx ecx, byte ptr [eax+8]
.text:004016AE mov [esp+28h+var_1D], dl
.text:004016B2 movzx edx, byte ptr [eax+9]
.text:004016B6 xor cl, 0BFh
.text:004016B9 xor dl, 45h
.text:004016BC mov [esp+28h+var_1C], cl
.text:004016C0 movzx ecx, byte ptr [eax+0Ah]
.text:004016C4 mov [esp+28h+var_1B], dl
.text:004016C8 movzx edx, byte ptr [eax+0Bh]
.text:004016CC xor cl, 3Bh
.text:004016CF xor dl, 56h
you can decode it to read it in IDA Python scripting by going to File -> Script Command and entering code like this, where 'd' is filled with the encoded hex values and each print statement uses the individual xor key (or the NOT) that the code applies to that byte position:
from textwrap import wrap
d = "ce279c1a952e22579121573a"
enc = [int(b, 16) for b in wrap(d, 2)]   # hex string -> list of byte values
print(chr(enc[0] ^ 0xa3))
print(chr(enc[1] ^ 0x54))
print(chr((~enc[2]) & 0xFF))             # byte 2 is decoded with NOT, masked to 8 bits
print(chr(enc[3] ^ 0x75))
print(chr(enc[4] ^ 0xe7))
print(chr(enc[5] ^ 0x44))
print(chr(enc[6] ^ 0x4b))
print(chr(enc[7] ^ 0x23))
print(chr(enc[8] ^ 0xbf))
print(chr(enc[9] ^ 0x45))
print(chr(enc[10] ^ 0x3b))
print(chr(enc[11] ^ 0x56))
Thus in this example d = "ce279c1a952e22579121573a" prints out mscorjit.dll, which is a library the malware is going to load.
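Rather than transcribing each key by hand, the per-byte transform can be read straight out of the listing. The script below is an added example (not code from either post above) and covers both the NOT-only snippet and the full 12-byte routine: it walks the decode routine's listing, tracks which string index each 8-bit register holds after a movzx, records the xor key or NOT applied to it, and then applies the same operations to the encoded bytes. The listing embedded in it is the one from the post with the intervening mov stores omitted (they do not affect the parser). It is plain Python 3 and also runs as-is from File -> Script Command in an IDA 7.4+ Python 3 install.

```python
"""Added example: derive a per-byte NOT/XOR string decoder from an IDA listing."""
import re

# The decode routine from the post (store instructions omitted)
LISTING = """
.text:00401654 mov eax, [esp+28h+arg_0]
.text:00401658 movzx ecx, byte ptr [eax]
.text:0040165B movzx edx, byte ptr [eax+1]
.text:0040165F xor cl, 0A3h
.text:00401662 xor dl, 54h
.text:00401669 movzx ecx, byte ptr [eax+2]
.text:00401671 movzx edx, byte ptr [eax+3]
.text:00401675 not cl
.text:00401677 xor dl, 75h
.text:0040167E movzx ecx, byte ptr [eax+4]
.text:00401686 movzx edx, byte ptr [eax+5]
.text:0040168A xor cl, 0E7h
.text:0040168D xor dl, 44h
.text:00401694 movzx ecx, byte ptr [eax+6]
.text:0040169C movzx edx, byte ptr [eax+7]
.text:004016A0 xor cl, 4Bh
.text:004016A3 xor dl, 23h
.text:004016AA movzx ecx, byte ptr [eax+8]
.text:004016B2 movzx edx, byte ptr [eax+9]
.text:004016B6 xor cl, 0BFh
.text:004016B9 xor dl, 45h
.text:004016C0 movzx ecx, byte ptr [eax+0Ah]
.text:004016C8 movzx edx, byte ptr [eax+0Bh]
.text:004016CC xor cl, 3Bh
.text:004016CF xor dl, 56h
"""

# 32-bit register -> the 8-bit alias the xor/not instructions operate on
LOW8 = {"eax": "al", "ebx": "bl", "ecx": "cl", "edx": "dl"}
LOAD_RE = re.compile(r"\bmovzx\s+(\w+),\s*byte ptr \[(\w+)(?:\+([0-9A-Fa-f]+h?))?\]", re.I)
XOR_RE = re.compile(r"\bxor\s+(\w+),\s*([0-9A-Fa-f]+h?)(?!\w)", re.I)
NOT_RE = re.compile(r"\bnot\s+(\w+)(?!\w)", re.I)


def ida_int(token):
    """IDA number syntax: '0A3h' and '0Ah' are hex, a bare '3' is decimal."""
    token = token.strip()
    return int(token[:-1], 16) if token.lower().endswith("h") else int(token, 10)


def derive_transforms(listing):
    """Single pass over the listing. `holds` tracks which string index each
    8-bit register currently contains; when an xor/not hits that register the
    operation is recorded against that index.
    Returns {index: ("xor", key) | ("not", None)}."""
    holds, transforms = {}, {}
    for line in listing.splitlines():
        m = LOAD_RE.search(line)
        if m:
            reg, _base, off = m.groups()
            holds[LOW8.get(reg.lower(), reg.lower())] = ida_int(off) if off else 0
            continue
        m = XOR_RE.search(line)
        if m and m.group(1).lower() in holds:
            transforms[holds[m.group(1).lower()]] = ("xor", ida_int(m.group(2)))
            continue
        m = NOT_RE.search(line)
        if m and m.group(1).lower() in holds:
            transforms[holds[m.group(1).lower()]] = ("not", None)
    return transforms


def decode(encoded, transforms, start_index=0):
    """Apply transforms[start_index + i] to encoded[i]. A KeyError means the
    listing you pasted does not cover that byte position."""
    out = bytearray()
    for i, b in enumerate(encoded):
        op, key = transforms[start_index + i]
        out.append(b ^ key if op == "xor" else ~b & 0xFF)   # mask: ~ is signed in Python
    return out.decode("latin-1")


def decode_hex(listing, hexstring, start_index=0):
    """Convenience wrapper: hex dump from the IDA memory view -> decoded text."""
    return decode(bytes.fromhex(hexstring), derive_transforms(listing), start_index)


if __name__ == "__main__":
    print(decode_hex(LISTING, "ce279c1a952e22579121573a"))   # full 12-byte string
    print(decode_hex(LISTING, "9c1a", start_index=2))        # just bytes 2 and 3
```

Paste a different routine's listing into LISTING and it will pick up whatever mix of xor immediates and NOTs that routine uses; start_index lets you decode a fragment that does not begin at the first byte, which is what the two-byte NOT example above is.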
IDA Get String pointed to by Address
Related to this blog post
https://neonprimetime.blogspot.com/2018/10/malwaretech-ida-python-cheatsheet.html
and this
https://neonprimetime.blogspot.com/2018/11/ida-python-print-string-in-register.html
If you're in IDA and you have an address that you know points to a string
0018FB7C db 6Dh ; m
0018FB7D db 73h ; s
0018FB7E db 63h ; c
0018FB7F db 6Fh ; o
0018FB80 db 72h ; r
0018FB81 db 6Ah ; j
0018FB82 db 69h ; i
0018FB83 db 74h ; t
0018FB84 db 2Eh ; .
0018FB85 db 64h ; d
0018FB86 db 6Ch ; l
0018FB87 db 6Ch ; l
0018FB88 db 0 ; 0
And you want to print out that string, go to
File -> Script Command
Choose Python as your scripting language
type in this command and hit Run
print(GetString(0x0018FB7C))
which displays in the Output Window
mscorjit.dll
GetString is the pre-7.4 IDAPython name; on IDA 7.4 and later use idc.get_strlit_contents(0x0018FB7C) instead, which returns bytes rather than a str.
IDA Python Get String pointed to by Register
Related to this blog post
https://neonprimetime.blogspot.com/2018/10/malwaretech-ida-python-cheatsheet.html
If you're in IDA and you have a register, say EAX (the register window in this session shows it as the 64-bit RAX), pointing to a location
RAX 000000000018FB7C
0018FB7C db 6Dh ; m
0018FB7D db 73h ; s
0018FB7E db 63h ; c
0018FB7F db 6Fh ; o
0018FB80 db 72h ; r
0018FB81 db 6Ah ; j
0018FB82 db 69h ; i
0018FB83 db 74h ; t
0018FB84 db 2Eh ; .
0018FB85 db 64h ; d
0018FB86 db 6Ch ; l
0018FB87 db 6Ch ; l
0018FB88 db 0 ; 0
And you want to print out that string, go to
File -> Script Command
Choose Python as your scripting language
type in this command and hit Run
print(GetString(GetRegValue("EAX")))
which displays in the Output Window
mscorjit.dll
GetString and GetRegValue are the pre-7.4 IDAPython names; on IDA 7.4 and later use idc.get_strlit_contents(idc.get_reg_value("EAX")) instead.