neonprimetime security , just trying to help

Thursday, July 16, 2020

IDAPython beginning, review Hex operand

Just me experimenting with IDAPython

grabbing an operand that is hex and converting/displaying it in multiple ways

# review a hex parameter in assembly
def hexParamReview(addressHex, paramNumber):
 # get line address to pass to idapython
 address = int(addressHex)
 # display what segment its in
 print "segment: %s" % idc.get_segm_name(address)
 # get the assembly command
 print "command: %s" % GetMnem(address)
 # get the assembly 1st parameter
 print "param %d: %s" % (paramNumber, GetOpnd(address, paramNumber))
 # convert parameter from string to hex
 hexAsString = ( GetOpnd(address ,paramNumber)[:-1] )
 print "hex(param 0): 0x%s" % hexAsString
 # convert parameter from hex to int
 try:
  print "int(param 0): %d" % int(hexAsString, 16)
 except(ValueError):
  print "int(param 0): invalid hex"
 # convert parameter from hex to string
 try:
  print "str(param 0): %s" % hexAsString[2:].decode("hex")
 except(TypeError):
  print "str(param 0): undefined"

hexParamReview(0x100048C3, 0)
hexParamReview(here(), 0)


# example:
#  0x100048C3 push 4141h
# output:
#  segment: .text
#  command: push
#  param 0: 4141h
#  hex(param 0): 0x4141
#  int(param 0): 16705
#  str(param 0): AA

Tuesday, July 14, 2020

Excel 4.0 Macros Malware Trickbot XLMMacroDeobfuscator Walkthrough

https://app.any.run/tasks/4cce1050-b8c9-4524-bcc7-473894c29557
ac586e930dc9e191172fca28f4adfc68

excel 4.0 macros example

app.any.run says it calls out to
http://185.82.126.178/trafficdll.php

app.any.run says macros4.0

so use this
https://github.com/DissectMalware/XLMMacroDeobfuscator

open command line
navigate to python 3.6 scripts folder
execute this command
pip install XLMMacroDeobfuscator

navigate to python 3.6 scripts folder
executed this command
xlmdeobfuscator --file badfile.xls

errored out with
unexpected token Token(__ANON_0, '()') at line 1, column 11

i noticed version was
v 0.1.4

but latest is
v 0.1.5

so i re-ran pip installers directly against github to get latest
pip install -U https://github.com/DissectMalware/xlrd2/archive/master.zip
pip install -U https://github.com/DissectMalware/pyxlsb2/archive/master.zip
pip install -U https://github.com/DissectMalware/XLMMacroDeobfuscator/archive/master.zip

then re-ran command
xlmdeobfuscator --file badfile.xls

this time it worked! it spit out macro code
http://pastebin.com/raw/87NZV2Es
auto_open: auto_open->'y'!$AI$6706

CELL:AI6706 , FullEvaluation , $BZ$46254()
CELL:BZ46254 , PartialEvaluation , APP.MAXIMIZE()
CELL:BZ46255 , FullEvaluation , IF(GET.WINDOW(7.0),$GX$7042(),)
CELL:BZ46256 , FullEvaluation , IF(GET.WINDOW(20.0),,$GX$7042())
CELL:BZ46257 , FullEvaluation , IF(GET.WINDOW(23.0)<3.0,$GX$7042(),)
CELL:BZ46258 , FullEvaluation , IF(GET.WORKSPACE(31.0),$GX$7042(),)
CELL:BZ46259 , FullEvaluation , IF(GET.WORKSPACE(13.0)<770.0,$GX$7042(),)
CELL:BZ46260 , FullEvaluation , IF(GET.WORKSPACE(14.0)<390.0,$GX$7042(),)
CELL:BZ46261 , FullEvaluation , IF(GET.WORKSPACE(19.0),,$GX$7042())
CELL:BZ46262 , FullEvaluation , IF(GET.WORKSPACE(42.0),,$GX$7042())
CELL:BZ46263 , FullBranching , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1.0))),,$GX$7042())
CELL:BZ46263 , FullEvaluation , [TRUE]
CELL:BZ46264 , FullEvaluation , $D$39031()
CELL:D39031 , FullEvaluation , SET.NAME(vkhbtqnj,)
CELL:D39032 , FullEvaluation , SET.NAME(hnjvy,$BG$50951)
CELL:D39033 , FullEvaluation , SET.NAME(niktexbrk,$GV$35265)
CELL:D39034 , FullEvaluation , IF(NiktExbrK<>"gsHoGrv")
CELL:D39035 , FullEvaluation , SET.NAME(gtofvkudcpcd,NiktExbrK)
CELL:D39036 , FullEvaluation , SET.NAME(vkhbtqnj,VKHBTQnJhnjvy())
CELL:D39037 , PartialEvaluation , SET.NAME("NiktExbrK",ABSREF("R[1]C",NiktExbrK))
CELL:D39038 , FullEvaluation , $D$39034()
CELL:D39034 , FullEvaluation , IF(NiktExbrK<>"gsHoGrv")
CELL:D39035 , FullEvaluation , SET.NAME(gtofvkudcpcd,NiktExbrK)
CELL:D39036 , FullEvaluation , SET.NAME(vkhbtqnj,VKHBTQnJhnjvy())
CELL:D39037 , PartialEvaluation , SET.NAME("NiktExbrK",ABSREF("R[1]C",NiktExbrK))
CELL:D39038 , FullEvaluation , $D$39034()
CELL:D39034 , FullEvaluation , IF(NiktExbrK<>"gsHoGrv")
CELL:D39035 , FullEvaluation , SET.NAME(gtofvkudcpcd,NiktExbrK)
CELL:D39036 , FullEvaluation , SET.NAME(vkhbtqnj,VKHBTQnJhnjvy())
CELL:D39037 , PartialEvaluation , SET.NAME("NiktExbrK",ABSREF("R[1]C",NiktExbrK))
CELL:D39038 , FullEvaluation , $D$39034()
CELL:D39034 , FullEvaluation , IF(NiktExbrK<>"gsHoGrv")
CELL:D39035 , FullEvaluation , SET.NAME(gtofvkudcpcd,NiktExbrK)
CELL:D39036 , FullEvaluation , SET.NAME(vkhbtqnj,VKHBTQnJhnjvy())
CELL:D39037 , PartialEvaluation , SET.NAME("NiktExbrK",ABSREF("R[1]C",NiktExbrK))
CELL:D39038 , FullEvaluation , $D$39034()
CELL:D39034 , FullEvaluation , IF(NiktExbrK<>"gsHoGrv")
CELL:D39035 , FullEvaluation , SET.NAME(gtofvkudcpcd,NiktExbrK)
CELL:D39036 , FullEvaluation , SET.NAME(vkhbtqnj,VKHBTQnJhnjvy())
CELL:D39037 , PartialEvaluation , SET.NAME("NiktExbrK",ABSREF("R[1]C",NiktExbrK))
CELL:BZ46263 , FullEvaluation , [FALSE] $GX$7042()
CELL:GX7042 , PartialEvaluation , ALERT("This workbook is corrupted, contact the sender for further informations.")
CELL:GX7043 , End , CLOSE(FALSE)

here's an excel macro 4.0 reference book that google returned me
https://d13ot9o61jdzpp.cloudfront.net/files/Excel%204.0%20Macro%20Functions%20Reference.pdf

SET.NAME appears to assign a variable/name to a particular cell ... so just like an alias

GET.WINDOW returns data about a window, such as the alert popup box, and parameters passed can tell you data like is it hidden? is it maximized?

GET.WORKSPACE returns data about the excel workspace, such as is this macro being debugged? what is the height/width of space? is there a mouse? can it play sound? windows version?

ABSREF is absoluate reference, so references a row and column and returns the data

Interesting to see the "alert" statement
So the popup the excel doc shows when you open is just "fake", the file is not truly corrupted

I notice multiple calls to 'VKHBTQnJhnjvy()' which is not defined in the output of the python script, wonder what it is?

there are also some cells that are referenced by names/variables but not sure what the data is?
$BG$50951
$GV$35265

i open excel doc, but do not enable content
i see a sheet called 'y' on bottom (which is referenced in auto_open above)
i goto $BG$50951 it contains
RETURN(CHAR(GtOFvKUDCpcD-811)) which is a variable above

i goto $GV$35265 it contains a single integer
but numerous cells below also contain integers
http://pastebin.com/raw/Xq1Bzku9
915
927
927
923
869
858
858
860
867
864
857
867
861
857
860
861
865
857
860
866
867
858
927
925
908
913
913
916
910
911
919
919
857
923
915
923

if i subtract the 811 number in the 1st cell from each of these cells, then convert the integers to ascii, this looks like a url
e.g. 915 - 811 = 104 which is 'h' for the 1st letter

VALUE MINUS 811 TO CHAR
915 104 h
927 116 t
927 116 t
923 112 p
869 58 :
858 47 /
858 47 /
860 49 1
867 56 8
864 53 5
857 46 .
867 56 8
861 50 2
857 46 .
860 49 1
861 50 2
865 54 6
857 46 .
860 49 1
866 55 7
867 56 8
858 47 /
927 116 t
925 114 r
908 97 a
913 102 f
913 102 f
916 105 i
910 99 c
911 100 d
919 108 l
919 108 l
857 46 .
923 112 p
915 104 h
923 112 p

Which ends up being
http://185.82.126.178/trafficdll.php

Which Urlhaus indicates downloaded Trickbot on a certain date
https://urlhaus.abuse.ch/url/406715/

Wednesday, July 1, 2020

failed attempt at trickbot analysis with ida

Trickbot analysis following OALabs tutorial

http://www.malware-traffic-analysis.net/2018/05/16/index.html
https://www.youtube.com/watch?v=EdchPEHnohw
Sha256: fa9ad80c0977cdbfe8419d27ca9ad909d34f1737df726f4d175f6b85b0670074

checked pestudio, ASLR was enabled
disabled ASLR with CFF Explorer (Dll can move, Image is NX Compatible)

since hybrid analysis loads same malware (process injection maybe?) set breakpoints
CreateProcessInternalW
WriteProcessMemory
ResumeThread

bp1 [CreateProcessInternalW] 3rd parameter on stack debug033:003089C0
which is the same path as our binary we are running

then it terminated? unlike the OALabs video in which is break next at WriteProcessMemory
must be something catching my vm and terminating?

kill the trickbot process
restart in IDA
hit CreateProcessInternalW breakpoints
CTRL-F7 (run until return) until i get to user code

code resolves all APIs (repeated multiple times)
GetModuleHandleA
GetProcAddress
then calls
GetThreadContext
followed by
ReadProcessMemory
VirtualAllocEx
test/jz <-- Virtual Alloc is returning 0 and then debugger is terminating (but a process still alive in task manager [the paused one?])
WriteProcessMemory

Tuesday, June 30, 2020

ida bokbot / iced ida python upx

Bokbot/Iced

my notes on following OALabs tutorial, i'm going to try using IDA

https://www.youtube.com/watch?v=wObF9n2UIAM
https://app.any.run/tasks/5fb451b5-a3d6-451c-9ce1-76897bf53f2d/
0ca2971ffedf0704ac5a2b6584f462ce27bac60f17888557dc8cd414558b479e

because it appears like process injection in hybrid analysis, try these breakpoints
CreateProcessInternalW
WriteProcessMemory
ResumeThread

bp1 [CreateProcessInternalW]
string on stack is this EXEs full path

bp2 [WriteProcessMemory] <-- looking for a PE file in memory that is getting written
on the stack, 1st parameter is handle of process
2nd parameter is the "destination" memory location
3rd parameter is the "source" memory location, or WHAT DATA THEY ARE WRITING
debug041:002C0000, end 0x002E0000, size = 0x20000
starts with MZ so definitely an EXE
hit SHIFT-F2, select python, type in this code
filename = AskFile(1, "*.bin", "Output file name")
address = 0x002C0000
size = 0x20000
dbgr = False
with open(filename, "wb") as out:
data = GetManyBytes(address, size, use_dbg=dbgr)
out.write(data)
save the dumped file to your desktop

Open newly saved dump file in PE BEAR
notice sections are named UPX0, UPX1, UPX2

Open in Hex Editor, notice how "code" starts at the Virtual Addres (6000) (null bytes before) instead of the Raw (400)
this means it's mapped, so we need to change it to unmapped
1) change the addresses so Raw = Virtual Address in PE BEAR
2.) change the sizes to match also
3.) SAVE AS "dumped file unmapped.bin" to your desktop

Unfortunately UPX tools likely won't worked now that we changed it from mapped to unmapped addresses

Close IDA, re-open the new "dumped file unmapped.bin" from the desktop

start debugger, breakpoint at entry
look in graph view for a "jmp" statement following by oddness (this is common with UPX)
in this case it was
UPX1:0041E083
jmp near ptr byte_4015C3
and it has a red error message "start endp ; sp-analysis failed"

note: he says that VirtualAlloc, VirtualProtect trick should also work

so its about to jump to UPX0:004015C3, end 0x00406000, size = 0x4A3D
so i'm going to try in IDA hit SHIFT-F2, select python, type in this code
filename = AskFile(1, "*.bin", "Output file name")
address = 0x004015C3
size = 0x4A3D
dbgr = False
with open(filename, "wb") as out:
data = GetManyBytes(address, size, use_dbg=dbgr)
out.write(data)
but that doesn't seem to give me anything useful, no strings
If I open in IDA as a "binary file" i can see some code though, stack strings, etc. but not what APIs are called

try opening the "dump file unmapped.bin" in x32dbg, start and wait for initial breakpoint
change to graph view
search for the ugly jump in this case
jmp iceid_dumped_unmapped.4015C3
add byte ptr ds:[eax], al ; eax:BaseThreadInitThunk
add byte ptr ds:[eax], al ; eax:BaseThreadInitThunk
add byte ptr ds:[eax], al ; eax:BaseThreadInitThunk
......
breakpoint it and run to it

the value it points to is the new OEP (Original Entry Point)
0x4015C3
if i go in there, the APIs have been mapped so I can see calls to ExitProcess, GetCommandLineA, etc.

Click Scylla
Change OEP to 4015C3
Click dump to save to desktop
click IAT Autosearch
Click Get Imports
Click "Fix Dump"
Terminate in x32dbg

Open IDA, open the fixed dump

generate psuedocode

hover over integer ASCII , click 'r' and it turns it into characters

there are stack strings

this is unpacked but still more work to do

Friday, June 26, 2020

failed attempt at ursnif in ida

ursnif
https://www.malware-traffic-analysis.net/2020/06/10/index2.html
- SHA256 hash: 0329d89a1160ecf8259c9f3064f7435291c6ea0403b26428f172033c934b4a0e
- File location: C:\Users\[username]\AppData\Local\Temp\93296.exe

1st use CFF Explorer to disable ASLR

set 2 breakpoints
virtualalloc ret 10
virtualprotect start

1st breakpoint on VirtualProtect
top stack = .data:unk_13AF568

2nd breakpoint VirtualAlloc
EAX = debug045:00230000

3rd breakpoint VirtualAlloc
EAX = debug046:005D0000

4th breakpoint VirtualAlloc
EAX = debug047:00860000

5th breakpoint VirtualProtect
top stack = debug045:002307B8

6th breakpoint VirtualProtect
top stack = debug045:002304D4

7th breakpoint VirtualProtect (same thing repeats over and over)
top stack = debug045:00230909

breakpoints VirtualProtect on sub functions already mapped

exception thrown

another failed attempt at trickbot analysis in IDA

2nd attempt at trickbot analysis

Trickbot
https://app.any.run/tasks/229b1b03-c04b-4826-a9f4-1a0c60f87d9a/
md5 09CF5ED5EDF9532A802526B663277739
6/26/2020

Breakpoints at
VirtualAlloc ret 10
VirtualProtect start

1st breakpoint at VirtualAlloc
EAX = debug043:00290000

2nd breakspoint at VirtualProtect
top stack = debug043:00291000
has something in it ... but does not start with MZ

3rd breakpoint at VirtualAlloc
EAX = debug045:00200000

4th breakpoint at VirtualAlloc
EAX = 10000000 (i missed what this was?)

BUT previous EAX (debug045:00200000) now has MZ header!!!

so lets try to dump debug045
start = 00200000
end = 00203000
size = 00003000

so hit SHIFT-F2, choose python, type

filename = AskFile(1, "*.bin", "Output file name")
address = 0x00200000
size = 0x3000
dbgr = False
with open(filename, "wb") as out:
data = GetManyBytes(address, size, use_dbg=dbgr)
out.write(data)

Open with PE Bear
does not look right, no Imports or Exports, only 1 section (.text)
seems like invalid dos header text "!This is a 64-bit PE executable"

5th breakpoint is at VirtualAlloc
EAX = debug047:10001000
No new MZ headers, just some random looking data in the monitored sections

6th breakpoint is at VirtualAlloc
EAX = debug049:002D0000
No new MZ headers, just some random looking data in the monitored sections

7th breakpoint is at VirtualAlloc
EAX = debug050:002E0000
No new MZ headers, just some random looking data in the monitored sections

8th breakpoint is at VirtualAlloc
EAX = debug051:01D30000

then process in IDA terminated

My Notes on using IDA to unpack Redaman following the OALabs / Live Overflow blog step by step

My Notes on using IDA to unpack Redaman following the OALabs / Live Overflow blog step by step

https://www.malware-traffic-analysis.net/2018/10/02/index.html
https://www.virustotal.com/gui/file/ceb8efb3a3eb1085c61bba4b0a77d1aca1f7b10511497e1521135f18bf67647c/detection
df725667733410f1a023a76d36fcbd31
https://www.youtube.com/watch?v=YXnNO3TipvM

redaman

add breakpoint to "ret 10" of virtualalloc
must find it, click through jumps to get to kernelbase and find return statement

add breakpoint to "1st line" in virtualprotect
to see the parameters coming in

breakpoint on virtualalloc "ret 10"
look at EAX register, that is memory just allocated
debug044:00320000 , so in "Hex View-1" synchronize with EAX ... then "unsynchronize" to ensure it stays viewing, hit F9 to continue
at next breakpoint, go to view -> open subviews -> segments ... should take you to our debug044, see how it's X (execute) & W (write)
this appears to be the "Loader Stub", a small piece of code that will unpack the malware and setup the real payload

2nd breakpoint on virtuallloc "ret 10" hit
look at EAX, debug047:00350000, sync w/ "Hex View-2" then unsynch

3rd breakpoint on virtualprotect
NOTICE our "Hex View-2" now has MZ header, it's an executable at debug047:00350000 !!!
view in view -> open subviews -> segments
start 0x00350000 , end 0x0037B000 ... so size = 0x2B000 or 176128 (per hex calculator https://www.calculator.net/hex-calculator.html?number1=0037B000&c2op=-&number2=00350000&calctype=op&x=83&y=15)

To export/save the EXE that is in memory to your c drive, Hit SHIFT-F2 to execute script
select Python, type in
filename = AskFile(1, "*.bin", "Output file name")
address = 0x009DD5B8
size = 0x37a0
dbgr = False
with open(filename, "wb") as out:
data = GetManyBytes(address, size, use_dbg=dbgr)
out.write(data)

open dumped file in "PE BEAR"
review sections (make sure it had text, data, looks normal)
review imports (make sure it has some, like kernel32 and a few)
question???
mapped (ready to execute, sections start at virtual address) <== yes we want this
or
unmapped (format on disk, sections start at raw address)

finishing the 3rd breakpoint (VirtualProtect)
notice the top parameter on the stack (esp) is 0x00400000
that is the address of our main executable (redaman.exe) that we loaded into IDA
when you see this it's possible they are doing a "PE Overwrite" to overwrite the existing PE in memory

terminate process in ida
open newly dumped file instead
notice the analysis bar has "small blue" code section, and "giant yellow" section which appears to be packed data

click in ida on the beginning of the "giant yellow" packed section
look for xrefs / data links ... and go to code where it's used ... might get lucky and find where it's being unpacked

in our case i picked unk_403000, click 'x' for xref, it took me to a lea eax, unk_403000 statement
below that statement is a loop with xor and rol (rotate left) which may indicate unpacking
parameters to the loop may be
"key"
"size"
"link to blob of encoded text"
below loop is static strings, loadlibrary and getprocaddress calls
one string is rtldecompressbuffer (like unzip in windows)
followed by GetTempFileName and CreateFile and WriteFile
that written file is a DLL likely (written to disk so AV could detect it), they use LoadLibrary to open it
they call an export function called "DllGetClassObject" with arguments "host 000000000"

set breakpoint on that final LoadLibrary
EAX has address to temp file
click into it, hold SHIFT and select the entire string, hit ALT-A to change it to a unicode string
c:\users\xxx\appdata\local\temp\967B.tmp
(notice it's hidden in windows explorer, but if you use HxD hex editor and open the file it shows up as an MZ)
or else in cmd.exe use "attrib c:\users\xxx\appdata\local\temp\*.tmp" to see the file also

open newest dumped file (From .tmp) in PE BEAR
i see exports so its a DLL, I see the "DllGetClassObject" which is the one the malware called