Mirai DDOS Malware Submissions on VirusTotal

Author: Vitali Kremez @VK_intel
Source: https://www.virustotal.com
Goal: Visualize and analyze all recent Mirai DDoS malware submissions on VirusTotal



Steps:
(1) Pull all of the recent Mirai malware submissions from VirusTotal, identified by the YARA signature;
(2) Push the data to ELK (Elasticsearch, Logstash, and Kibana); and
(3) Create a custom timeline dashboard with all the most recent Mirai malware hashes.

Time                             | first_seen                       | Mirai md5
November 28th 2016, 12:49:26.000 | November 28th 2016, 12:48:58.000 | 5849bb9ceefee5ef295e7e966d0ba2b5
November 29th 2016, 20:45:44.000 | November 28th 2016, 12:25:06.000 | 9ba4401c2a4faa8975175498dc1fbfd4
November 28th 2016, 12:25:37.000 | November 28th 2016, 12:25:06.000 | 9ba4401c2a4faa8975175498dc1fbfd4
November 28th 2016, 16:54:20.000 | November 28th 2016, 12:25:06.000 | 9ba4401c2a4faa8975175498dc1fbfd4
November 24th 2016, 01:50:13.000 | November 24th 2016, 01:49:39.000 | bd3689a91daff90950b0f83aeb7ed503
November 23rd 2016, 10:43:12.000 | November 20th 2016, 22:26:52.000 | 6e2002f8d9a6d372d15d9c9dbe9fe286
November 24th 2016, 14:21:42.000 | November 20th 2016, 22:26:52.000 | 6e2002f8d9a6d372d15d9c9dbe9fe286
November 23rd 2016, 16:59:07.000 | November 18th 2016, 11:49:09.000 | 68933ff0ead688099653de1518632a5b
November 28th 2016, 13:37:15.000 | November 14th 2016, 18:17:40.000 | cb2b4f743d5125cc4c1e067abc783b82
November 29th 2016, 01:56:03.000 | November 5th 2016, 03:38:23.000  | e8da1bab26ac3507af1c65ee3796170d
November 29th 2016, 01:55:51.000 | November 5th 2016, 03:00:39.000  | 15adef2c484166480d3684425f1fc0b4
November 30th 2016, 04:08:32.000 | October 23rd 2016, 20:36:24.000  | b0f48738fddf5c14c474f4bda38d81c1

Dridex Node Tracker

Author: Vitali Kremez
Goal: Track all Dridex nodes and ingest the data into an Elasticsearch, Logstash, and Kibana (ELK) instance
Source: https://feodotracker.abuse.ch/

Steps:
(1) Obtain the feed data using the custom scraper “dridexloader.py”;
(2) Load the data into the MySQL database;
(3) Push the data to Elasticsearch; and
(4) Create custom dashboards for the data visualization.
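The Mirai and Dridex pipelines above share the same normalisation step before anything reaches Elasticsearch. The following is an added example, not the author's dridexloader.py or any VirusTotal client code: it turns constructed Mirai hash records and Dridex C2 rows into one Elasticsearch _bulk request body. The upstream feed field names, the record shapes and the index name malware-feeds are assumptions; the md5 and C2 address are the ones shown in the tables on this page.

```python
import json
from datetime import datetime, timezone

# Constructed sample input (assumed feed shapes, not the real API schemas).
MIRAI_RECORDS = [
    {"md5": "5849bb9ceefee5ef295e7e966d0ba2b5", "first_seen": "2016-11-28 12:48:58",
     "submitted": "2016-11-28 12:49:26", "yara": "mirai"},
    {"md5": "5849bb9ceefee5ef295e7e966d0ba2b5", "first_seen": "2016-11-28 12:48:58",
     "submitted": "2016-11-28 12:49:26", "yara": "mirai"},  # exact duplicate from a re-pull
]
DRIDEX_ROWS = ["2016-11-18 13:35:55,188.126.72.179,Dridex"]

def to_iso(ts: str) -> str:
    """Feeds give naive 'YYYY-MM-DD HH:MM:SS' in UTC; Kibana's time filter
    needs an ISO 8601 string with an explicit zone."""
    naive = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc).isoformat()

def normalize_mirai(rec: dict) -> dict:
    """One document per submission: a hash resubmitted later is a separate timeline event."""
    return {"_id": f"{rec['md5']}-{rec['submitted']}",
            "@timestamp": to_iso(rec["submitted"]), "first_seen": to_iso(rec["first_seen"]),
            "md5": rec["md5"], "family": "Mirai", "source": "virustotal",
            "yara_rule": rec["yara"]}

def normalize_dridex(row: str) -> dict:
    ts, c2, family = row.split(",")
    return {"_id": f"{c2}-{ts}", "@timestamp": to_iso(ts), "c2": c2,
            "family": family, "source": "feodotracker"}

def bulk_body(docs: list, index: str) -> str:
    """NDJSON body for POST /_bulk. Re-pulling a feed yields the same rows
    again, so exact duplicates (same _id) are dropped before indexing."""
    seen, lines = set(), []
    for doc in docs:
        doc = dict(doc)
        doc_id = doc.pop("_id")
        if doc_id in seen:
            continue
        seen.add(doc_id)
        lines.append(json.dumps({"index": {"_index": index, "_id": doc_id}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"

def build_all() -> str:
    docs = [normalize_mirai(r) for r in MIRAI_RECORDS] + [normalize_dridex(r) for r in DRIDEX_ROWS]
    return bulk_body(docs, "malware-feeds")
```

The returned string is what a Logstash elasticsearch output or a direct POST to /_bulk would send; the two duplicate Mirai records collapse into one document.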

The most recent Dridex nodes from the malware feeds are as follows:

Time                             | C2              | Malware
November 18th 2016; 13:35:55.000 188.126.72.179 Dridex
November 18th 2016; 05:55:13.000 174.37.216.226 Dridex
November 18th 2016; 05:55:13.000 166.78.144.68 Dridex
November 16th 2016; 13:54:38.000 54.235.86.173 Dridex
November 15th 2016; 09:53:22.000 193.136.97.4 Dridex
November 15th 2016; 09:53:22.000 93.122.165.54 Dridex
November 11th 2016; 09:09:04.000 149.210.158.54 Dridex
November 11th 2016; 09:09:04.000 87.254.45.29 Dridex
October 27th 2016; 06:19:59.000 210.2.86.72 Dridex
October 27th 2016; 06:19:59.000 162.243.47.192 Dridex
October 26th 2016; 07:06:32.000 46.101.10.156 Dridex
October 26th 2016; 07:06:32.000 120.138.18.110 Dridex
October 26th 2016; 07:06:32.000 198.20.239.21 Dridex
October 23rd 2016; 20:07:38.000 92.222.219.26 Dridex
September 29th 2016; 08:09:00.000 23.253.210.81 Dridex
September 27th 2016; 05:46:30.000 62.108.36.240 Dridex
September 27th 2016; 05:46:30.000 132.248.49.100 Dridex
September 27th 2016; 05:46:30.000 148.251.46.169 Dridex
September 15th 2016; 02:14:31.000 50.57.75.172 Dridex
September 15th 2016; 02:14:31.000 130.88.149.87 Dridex
September 6th 2016; 13:00:07.000 109.104.92.167 Dridex

Reverse Engineering: Debugging in IDA

Source: http://opensecuritytraining.info/
Tip: Press “D” to convert the “Source” or “arg” parameter to a data type.

(1) Set up a breakpoint in the “add” function right after the “sscanf” call on the fourth challenge.
(2) Pass all the necessary parameters to get to the fourth challenge.
(3) Review the windows and adjust the breakpoint.
(4) Step to the “mov” instruction that loads the “Src” parameter and convert the value to data (press “D”). The passed values are shown converted from hex to characters as “3[SPACE]k[SPACE]251.”

Viper Framework: Installing Malware Repository Framework

Sourcehttps://github.com/viper-framework/viper
Goal: Install a malware repository box for subsequent storage and malware triage to Cuckoo.

Steps: python viper-web

[*] Session opened
[*] DLL: MSVCRT.dll
  0x43e0e0: memset
  0x43e0e4: wcsstr
  0x43e0e8: malloc
  0x43e0ec: free
  0x43e0f0: wcslen
  0x43e0f4: wcscpy
  0x43e0f8: wcscat
  0x43e0fc: memcmp
  0x43e100: _strdup
  0x43e104: sprintf
  0x43e108: atoi
  0x43e10c: strlen
  0x43e110: strstr
  0x43e114: _strnicmp
  0x43e118: strncpy
  0x43e11c: strcmp
  0x43e120: sscanf
  0x43e124: strcpy
  0x43e128: memcpy
  0x43e12c: _wcsicmp
  0x43e130: wcsncpy
  0x43e134: localtime
  0x43e138: mktime
[*] DLL: KERNEL32.dll
  0x43e140: GetModuleHandleW
  0x43e144: HeapCreate
  0x43e148: GetProcAddress
  0x43e14c: HeapDestroy
  0x43e150: ExitProcess
  0x43e154: LoadLibraryW
  0x43e158: Sleep
  0x43e15c: HeapFree
  0x43e160: CloseHandle
  0x43e164: InitializeCriticalSection
  0x43e168: GetEnvironmentVariableW
  0x43e16c: SetEnvironmentVariableW
  0x43e170: GetCurrentProcess
  0x43e174: DuplicateHandle
  0x43e178: CreatePipe
  0x43e17c: GetStdHandle
  0x43e180: HeapAlloc
  0x43e184: CreateProcessW
  0x43e188: WaitForSingleObject
  0x43e18c: EnterCriticalSection
  0x43e190: LeaveCriticalSection
  0x43e194: MultiByteToWideChar
  0x43e198: FreeLibrary
  0x43e19c: CreateFileW
  0x43e1a0: WriteFile
  0x43e1a4: LoadLibraryA
  0x43e1a8: GetDriveTypeW
  0x43e1ac: FindFirstFileW
  0x43e1b0: FindClose
  0x43e1b4: GetFileAttributesW
  0x43e1b8: GetTempPathW
  0x43e1bc: SetFileAttributesW
  0x43e1c0: DeleteFileW
  0x43e1c4: GetLocalTime
  0x43e1c8: HeapReAlloc
  0x43e1cc: DeleteCriticalSection
  0x43e1d0: AllocConsole
  0x43e1d4: GetConsoleScreenBufferInfo
  0x43e1d8: SetConsoleCtrlHandler
  0x43e1dc: SetConsoleTitleW
  0x43e1e0: WideCharToMultiByte
[*] DLL: USER32.DLL
  0x43e1e8: EnumWindows
  0x43e1ec: GetWindowTextW
  0x43e1f0: CharLowerW
  0x43e1f4: GetActiveWindow
  0x43e1f8: WinHelpW
[*] DLL: SHELL32.DLL
  0x43e200: ShellExecuteExW
[*] DLL: WSOCK32.DLL
  0x43e208: closesocket
  0x43e20c: WSACleanup
  0x43e210: WSAStartup
  0x43e214: connect
  0x43e218: socket
  0x43e21c: inet_addr
  0x43e220: gethostbyname
  0x43e224: htons
  0x43e228: bind
  0x43e22c: ioctlsocket
  0x43e230: select
  0x43e234: __WSAFDIsSet
  0x43e238: send
  0x43e23c: sendto
  0x43e240: recvfrom
  0x43e244: recv
[*] DLL: NTDLL.DLL
  0x43e24c: ZwQuerySystemInformation

Reverse Engineering: Recursion in Bomb4.exe


  •     Function that calls itself
  •     May take the form of a circular call relationship
  •     Determine what the base cases are
  •     Examples of when you might see recursion:
        •     Divide and conquer algorithms
        •     Sorting
        •     Tree or graph traversal, such as directory or file search
Here is the pseudocode:

    // Decompiler output for the stage. The name of the first function is not in the
    // original listing, so stage4_check is a placeholder. aD is IDA's auto-generated
    // name for the "%d" format string; BombBlowupFunc is defined elsewhere in the binary.
    #include <stdio.h>

    static const char aD[] = "%d";
    int fibonacci(int a1);
    void BombBlowupFunc(int code);

    int stage4_check(const char *Src)
    {
      int result; // eax@4
      int v2;     // [esp+0h] [ebp-Ch]@1
      int v3;     // [esp+8h] [ebp-4h]@1

      v2 = sscanf(Src, aD, &v3);       // v2 = number of fields parsed
      if ( v2 != 1 || v3 < 1 )         // must parse exactly one integer >= 1
        BombBlowupFunc(v2);
      result = fibonacci(v3);
      if ( result != 55 )              // the stage accepts only fibonacci(v3) == 55
        BombBlowupFunc(1);
      return result;
    }

    int fibonacci(int a1)
    {
      int v2; // esi@3

      if ( a1 <= 1 )                   // base case: fibonacci(0) == fibonacci(1) == 1
        return 1;
      v2 = fibonacci(a1 - 1);
      return v2 + fibonacci(a1 - 2);
    }
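A Python model of the check above, added here and not part of the course material: it re-implements the decompiled fibonacci() with the same base case, counts how many recursive calls each input causes (which is why single-stepping through the recursion in the debugger takes so long), and inverts the "== 55" test to find the input the stage accepts. The helper names are mine.

```python
import re

def fibonacci(a1: int) -> int:
    """Same base case as the decompiled code: a1 <= 1 returns 1, not 0."""
    if a1 <= 1:
        return 1
    return fibonacci(a1 - 1) + fibonacci(a1 - 2)

def call_count(a1: int) -> int:
    """Number of fibonacci() invocations the naive recursion makes for a1
    (one for this frame plus the two subtrees), i.e. how many times a
    breakpoint on fibonacci's entry would fire."""
    if a1 <= 1:
        return 1
    return 1 + call_count(a1 - 1) + call_count(a1 - 2)

def stage_accepts(src: str, expected: int = 55) -> bool:
    """Mirror of the decompiled check: sscanf(Src, "%d", &v3) must parse one
    integer (leading whitespace and trailing junk are tolerated, as by %d),
    v3 must be >= 1, and fibonacci(v3) must equal the hard-coded constant."""
    m = re.match(r"\s*([+-]?\d+)", src)
    if not m:
        return False            # sscanf returned 0, so v2 != 1 fires BombBlowupFunc
    v3 = int(m.group(1))
    if v3 < 1:
        return False
    return fibonacci(v3) == expected

def solve(expected: int = 55, limit: int = 40):
    """Smallest n >= 1 with fibonacci(n) == expected, or None if no such n
    exists; the sequence is increasing, so the search stops once it overshoots."""
    for n in range(1, limit):
        value = fibonacci(n)
        if value == expected:
            return n
        if value > expected:
            return None
    return None
```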

    Reverse Engineering Software: For Loop in Bomb2.exe




    I. Multiple/Variable Argument functions

    • sscanf
    • Highlight the push instructions before calls for context

    II. Array Access

    • Commonly found within for loops
    • General form: [base+count*increment]
      mov     eax, [ebp+arg_4]   ; base
      add     eax, 14h           ; count*increment

    III. For Loop

    • Three expressions: for (i=0; i < 256; i++) {}
      • Initialization
      • Test
      • Counter
    • Note: all parts are optional.
    • In most (not all) cases there will be a common variable.



    This is a classic for loop. Note the three parts of a for loop:

    • Initialization
      loc_4011D1:
      mov     [ebp+var_4], 1
      jmp     short loc_4011E3
    • Test expression
      loc_4011E3:
      cmp     [ebp+var_4], 6
      jge     short loc_401207
    • Counter
      loc_4011DA:
      mov     edx, [ebp+var_4]
      add     edx, 1
      mov     [ebp+var_4], edx

    Reverse Engineering: Switch Cases in Bomb3.exe



    • Switch cases are compiled into different styles, depending on the compiler, optimization settings, and case values:
      • may look like nested if..else if..else if..else..
      • may use a jump table array
    • For a jump table, the case value is translated into an index within the table and multiplied by the size of a pointer:
      mov     edx, [ebp+var_18]
      jmp     ds:off_401328[edx*4]
    • Analysts are faced with many paths that are never visited.
    • Understanding the input and desired output can help to avoid unnecessary analysis.
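An added example, not part of the course material, that resolves the targets behind "jmp ds:off_401328[edx*4]" from a constructed little-endian pointer table, the way an analyst enumerates every case body instead of stepping into each one. Only the table address off_401328 comes from the listing; the image base, the table contents and the function names are assumptions. The same base + index*size arithmetic is the [base+count*increment] array access described in the for-loop section.

```python
import struct

IMAGE_BASE = 0x401000          # assumed: virtual address where the constructed blob is mapped
TABLE_VA = 0x401328            # off_401328 from the listing
# Constructed case bodies; a real table is read from the binary at TABLE_VA.
CASE_TARGETS = [0x401340, 0x40135A, 0x401374, 0x40138E, 0x4013A8]
# Constructed image slice: zero padding up to the table, then five dword pointers.
IMAGE = bytes(TABLE_VA - IMAGE_BASE) + b"".join(struct.pack("<I", t) for t in CASE_TARGETS)

def read_entry(image: bytes, image_base: int, base_va: int, index: int, size: int = 4) -> int:
    """[base + index*size]: the pointer-sized read the CPU performs for
    jmp ds:off_401328[edx*4]. Raises IndexError when the address falls
    outside the mapped image, which is what an unchecked index would do."""
    off = base_va + index * size - image_base
    if off < 0 or off + size > len(image):
        raise IndexError(f"index {index} leaves the mapped image")
    return struct.unpack("<I", image[off:off + size])[0]

def jump_table_targets(image: bytes, image_base: int, table_va: int, count: int) -> list:
    """All case targets. count must be recovered from the bounds check that
    precedes the indexed jmp (the cmp/ja on the index), never guessed from
    the bytes: the data after the last entry is unrelated code or data."""
    return [read_entry(image, image_base, table_va, i) for i in range(count)]

def resolve_case(index: int) -> int:
    """Target of one case value in the constructed table."""
    return read_entry(IMAGE, IMAGE_BASE, TABLE_VA, index)

if __name__ == "__main__":
    for i, t in enumerate(jump_table_targets(IMAGE, IMAGE_BASE, TABLE_VA, len(CASE_TARGETS))):
        print(f"case {i}: jmp {t:#x}")
```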