06-27-2017: "Amazon.com – Your Cancellation" Spam Leads to Scareware & Weight Loss Scam

Source: Email spam
Date:  June 27, 2017
Subject: Amazon.com – Your Cancellation 173-222723-2163799 (ref. **)
From: "order-update@amazon[.]com" (ref. *)

Goal: Review the email infection/redirection chain leading to scareware on IE
Background: Previously, the same campaign led to the weight loss spam.
Tools: Fiddler, any JS debugger

Obfuscated redirection chain to scareware/weight loss spam is as follows:

  1. "Amazon.com – Your Cancellation" email href link
  2. hxxp://www[.]cuinavo[.]com/maritime[.]php
  3. hxxp://bestdiet[.]world/?a=401336&c=cpcdiet&s=4220620174
  4. hxxp://moneybetinc[.]com/d/r6t0b27039?rtb=c2da1390dbacd52002e62d397bb5e4f7[.]0&h=0[.]23&rtc=101890_697e696c2343d7da35a0871e91b02e37_ef9aeab99e7822b8f14ddb4f4fa8bd2f1498533889[.]1375_175&subid=NDAxMzM2LU5ESXlNRFl5TURFM05BPT0%3D
  5. hxxp://blobar[.]org/d/r6t0b27039?k=25a6755c0c62719e2d64bcb003637769[.]1498533321[.]628[.]1&rtb=c2da1390dbacd52002e62d397bb5e4f7[.]0&h=0[.]23&rtc=101890_697e696c2343d7da35a0871e91b02e37_ef9aeab99e7822b8f14ddb4f4fa8bd2f1498533889[.]1375_175&subid=NDAxMzM2LU5ESXlNRFl5TURFM05BPT0%3D&r=&z=240

Scareware I:

hxxp://sjoiadiiwdj32892378310[.]xyz/errorinwindowsfound404errorvirus 

Scareware II: 

hxxp://www[.]microsoft-user-alert[.]xyz/microsoft-alert-call-for-support-1-855-633-1666

Scareware III:

hxxp://errorsporttollfree9[.]xyz/microsoftAlert

Weight loss scam IV: 

hxxp://bestdiet.world/us/xxrr/cla-safflower-oil/?bhu=8mcwpko8zespkyV8J8QiBqm51VGT46J9C

Analysis:

I. "Amazon.com – Your Cancellation" email href link leads to the following website:
  • hxxp://www[.]cuinavo[.]com/maritime[.]php

II. Retrieve the page source with curl (curl <url> > code.html) and paste the JavaScript function into the JS debugger.
Comment out setTimeout, add an alert() call inside the function schoole(), and observe the next redirect to the following website:
  • hxxp://bestdiet[.]world/?a=401336&c=cpcdiet&s=4220620174
III. Launch Fiddler and track the redirection chain to the scareware.

[Run 1, Run 2, Run 3: Fiddler captures not preserved in this copy]

IV. Observe the landing page leading to the scareware popup.

[Run 1, Run 2, Run 3: landing page captures not preserved in this copy]

Spam originating IP (ref. *):

180[.]250[.]153[.]197 (DomainTools)

inetnum:        180.250.128.0 - 180.250.159.255
netname:        TLKM_D3D4_ASTINET_180_CUSTOMER
country:        ID
descr:          PT TELKOM INDONESIA
descr:          Menara Multimedia Lt. 7
descr:          Jl. Kebonsirih No.12
descr:          JAKARTA
admin-c:        AR165-AP
tech-c:         HM444-AP
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-TELKOMNET


Email headers, defanged (ref. **):

Authentication-Results: spf=softfail (sender IP is 180[.]250[.]153[.]197)
 smtp.mailfrom=unitedwaylane.org; hotmail.com; dkim=none (message not signed)
 header.d=none;hotmail.com; dmarc=fail action=quarantine
 header.from=amazon[.]com;
Received-SPF: SoftFail (protection[.]outlook[.]com: domain of transitioning
 unitedwaylane.org discourages use of 180[.]250[.]153[.]197 as permitted sender)
X-IncomingTopHeaderMarker: OriginalChecksum:62325BB6EE949A25F7137383F5223FB0274314903C8331F43DBB3A9AC69D1140;UpperCasedChecksum:ECDCBA2E3C784D1951EFC14295EED9DC8207A5280F4C245C1B79829DBCE4E91C;SizeAsReceived:1087;Count:19
Received: from localhost ([180[.]250[.]153[.]197]) by BAY004-MC1F55.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);
 Mon, 26 Jun 2017 02:27:36 -0700
Bristled-Offensively-Uncomputable: premise
Chaotic-Elevators: 891b729f1edbb
Content-Type: text/html; charset="UTF-8"
From: "order-update@amazon.com"
Content-Transfer-Encoding: 7bit
Bound-Documentaries-Lavishly: 2aaba5abff87f
To: REDACTED
X-AMAZON-MAIL-RELAY-TYPE: notification
Reply-To: "order-update@amazon[.]com"
Bounces-to: a7d24f875448b4c4b5ec283256a1543af0625eaaa589@bounces.amazon.com
Taxonomy-Whitman-Friedrich: 558617B1251C
Message-ID:
Date: Mon, 26 Jun 2017 16:27:36 +0000
X-AMAZON-RTE-VERSION: 2.0
Subject: Amazon.com – Your Cancellation 173-222723-2163799
Return-Path: dbaker@unitedwaylane[.]org
X-OriginalArrivalTime: 26 Jun 2017 09:27:36.0439 (UTC) FILETIME=[729CF070:01D2EE5E]
X-IncomingHeaderCount: 19
X-MS-Exchange-Organization-Network-Message-Id: 089e0edc-2b1d-4a1e-8f14-08d4bc75957e
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
CMM-sender-ip: 180[.]250[.]153[.]197
CMM-sending-ip: 180[.]250[.]153[.]197
CMM-Authentication-Results: hotmail.com; spf=softfail (sender IP is
 180[.]250[.]153[.]197; identity alignment result is fail and alignment mode is
 relaxed) smtp.mailfrom=dbaker@unitedwaylane[.]org; dkim=none (identity
 alignment result is pass and alignment mode is relaxed) header.d=amazon.com;
 x-hmca=none header.id=order-update@amazon.com
CMM-X-SID-PRA: order-update@amazon.com
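The headers above carry everything a mail gateway needs to quarantine this message: SPF softfail, no DKIM, DMARC fail, and a visible From domain (amazon.com) that does not align with the envelope sender (unitedwaylane.org). As an added example that is not part of the original notes, this Python script reconstructs that check from the headers quoted above; the sample is constructed from them with the [.] defanging removed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed from the defanged headers quoted above, with the [.] markers
# removed so the parsers see real hostnames; only the fields the check needs.
SAMPLE_HEADERS = """\
Authentication-Results: spf=softfail (sender IP is 180.250.153.197)
 smtp.mailfrom=unitedwaylane.org; hotmail.com; dkim=none (message not signed)
 header.d=none;hotmail.com; dmarc=fail action=quarantine
 header.from=amazon.com;
From: "order-update@amazon.com"
Reply-To: "order-update@amazon.com"
Return-Path: dbaker@unitedwaylane.org
Subject: Amazon.com - Your Cancellation 173-222723-2163799

"""

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
MAILFROM = re.compile(r"smtp\.mailfrom=([^;\s]+)")


def _domain(addr):
    """Domain part of an address, or the whole string if it has no '@'."""
    return addr.rsplit("@", 1)[-1].lower().strip() if addr else ""


def visible_from_domain(msg):
    """Domain the recipient sees in From:. This sample puts the address in a
    quoted display name with no <addr-spec>; parseaddr may hand that text
    back as either the name or the address, so use whichever is non-empty."""
    name, addr = parseaddr(msg.get("From", ""))
    return _domain(addr or name)


def assess(raw_message):
    """Summarise the gateway's SPF/DKIM/DMARC results and check that the
    visible From domain aligns (strict match) with the envelope sender."""
    msg = message_from_string(raw_message)
    auth = msg.get("Authentication-Results", "")
    results = dict(AUTH_RESULT.findall(auth))

    m = MAILFROM.search(auth)
    if m:
        mailfrom_domain = _domain(m.group(1))
    else:  # fall back to Return-Path when the gateway did not record mailfrom
        mailfrom_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])

    from_domain = visible_from_domain(msg)
    aligned = bool(from_domain) and from_domain == mailfrom_domain

    if results.get("dmarc") == "fail" or not aligned:
        verdict = "quarantine"   # matches the action=quarantine the gateway chose
    else:
        verdict = "deliver"

    return {
        "spf": results.get("spf", "none"),
        "dkim": results.get("dkim", "none"),
        "dmarc": results.get("dmarc", "none"),
        "from_domain": from_domain,
        "mailfrom_domain": mailfrom_domain,
        "aligned": aligned,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_HEADERS).items():
        print("%-16s %s" % (key, value))
```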


Let’s Learn: How to Unpack Locky "Osiris" Ransomware

Goal: Unpack the Locky ransomware payload by dumping the WriteProcessMemory API buffer.
Source: @tmmalanalyst
Tools: OllyDbg, CFF Explorer

Background
Locky ransomware uses a loader/patcher routine that decodes its payload and patches it into a process in memory. Many other malware families use this same methodology.

Theory: 
Theory: Locky patches itself by calling the CreateProcessW API with the creation flag set to CREATE_SUSPENDED and then writing into the new process via the WriteProcessMemory API. The new process does not execute immediately; it stays suspended until ResumeThread is called, which gives the ransomware time to patch it in memory.


The Locky payload decoding/patching API calls are as follows:

I. CreateProcessW (ref. *)

  • invoke CreateProcessW, NULL, "C:\Documents and Settings\Administrator\Desktop\osiris[.]exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, 0010D8CC, 0010E354

000FBE30   00942791  /CALL to CreateProcessW from 0094278B
000FBE34   00000000  |ModuleFileName = NULL
000FBE38   0010D6C4  |CommandLine = ""C:\Documents and Settings\Administrator\Desktop\osiris[.]exe""
000FBE3C   00000000  |pProcessSecurity = NULL
000FBE40   00000000  |pThreadSecurity = NULL
000FBE44   00000000  |InheritHandles = FALSE
000FBE48   00000004  |CreationFlags = CREATE_SUSPENDED
000FBE4C   00000000  |pEnvironment = NULL
000FBE50   00000000  |CurrentDir = NULL
000FBE54   0010D8CC  |pStartupInfo = 0010D8CC
000FBE58   0010E354  \pProcessInfo = 0010E354


II. WriteProcessMemory (ref. **)

  • invoke WriteProcessMemory, 00000064, 0x300000, 009A0000, 190, NULL

000FBE44   009428BA  /CALL to WriteProcessMemory from 009428B4
000FBE48   00000064  |hProcess = 00000064 (window)
000FBE4C   00300000  |Address = 0x300000
000FBE50   009A0000  |Buffer = 009A0000
000FBE54   00000190  |BytesToWrite = 190 (400.)
000FBE58   00000000  \pBytesWritten = NULL


III. ResumeThread (ref. ***)

  • invoke ResumeThread, 00000068

000FBE54   00942E81  /CALL to ResumeThread from 00942E7E
000FBE58   00000068  \hThread = 00000068 (window)


Practice:
I. Load OllyDbg and click "File" -> locky.exe
II. Click "Go to" -> "Expression" -> type "WriteProcessMemory" and set a breakpoint on it using F2.
III. Run the process using F9 and follow the buffer to observe the unpacked Locky in the dump section.

IV. Then, click "Backup" -> "Save data to file."

V. Verify the exported payload and IAT in CFF Explorer. Profit!
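The three OllyDbg stack views in the theory section are, taken together, the signal a defender wants to spot: a process created suspended, a write into it, and only then a thread resume. As an added example that is not part of the original notes, this Python script parses call dumps in that OllyDbg format (the sample is constructed from the three dumps above, same addresses and values) and reports the address and size to save at the WriteProcessMemory breakpoint.

```python
import re

# Constructed from the OllyDbg stack views quoted in the theory section
# (same addresses, handles and values; argument lines trimmed).
CALL_LOG = r"""
000FBE30   00942791  /CALL to CreateProcessW from 0094278B
000FBE38   0010D6C4  |CommandLine = ""C:\Documents and Settings\Administrator\Desktop\osiris.exe""
000FBE48   00000004  |CreationFlags = CREATE_SUSPENDED
000FBE58   0010E354  \pProcessInfo = 0010E354
000FBE44   009428BA  /CALL to WriteProcessMemory from 009428B4
000FBE48   00000064  |hProcess = 00000064 (window)
000FBE4C   00300000  |Address = 0x300000
000FBE50   009A0000  |Buffer = 009A0000
000FBE54   00000190  |BytesToWrite = 190 (400.)
000FBE58   00000000  \pBytesWritten = NULL
000FBE54   00942E81  /CALL to ResumeThread from 00942E7E
000FBE58   00000068  \hThread = 00000068 (window)
"""

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit (see the CreateProcess reference)

# "<stack addr>   <raw dword>  /CALL to <api> from <caller>"
CALL_RE = re.compile(r"^\s*[0-9A-F]{8}\s+[0-9A-F]{8}\s+/CALL to (\w+) from ([0-9A-F]{8})")
# "<stack addr>   <raw dword>  |<name> = <decoded text>"   (last argument uses '\')
ARG_RE = re.compile(r"^\s*[0-9A-F]{8}\s+([0-9A-F]{8})\s+[|\\](\w+) = ")


def parse_calls(log):
    """Group stack lines into calls: [{'api', 'caller', 'args': {name: raw int}}]."""
    calls = []
    for line in log.splitlines():
        m = CALL_RE.match(line)
        if m:
            calls.append({"api": m.group(1), "caller": int(m.group(2), 16), "args": {}})
            continue
        m = ARG_RE.match(line)
        if m and calls:
            # keep the raw stack dword; OllyDbg's decoded text is only cosmetic
            calls[-1]["args"][m.group(2)] = int(m.group(1), 16)
    return calls


def detect_suspended_patch(calls):
    """Flag the CreateProcess(CREATE_SUSPENDED) -> WriteProcessMemory ->
    ResumeThread ordering and report the region written into the child."""
    state = {"suspended_create": False, "writes": [], "resumed": False}
    for call in calls:
        api, args = call["api"], call["args"]
        if api.startswith("CreateProcess") and args.get("CreationFlags", 0) & CREATE_SUSPENDED:
            state["suspended_create"] = True
        elif api == "WriteProcessMemory" and state["suspended_create"]:
            # (target address, byte count): the region to save from the Buffer dump
            state["writes"].append((args.get("Address"), args.get("BytesToWrite")))
        elif api == "ResumeThread" and state["writes"]:
            state["resumed"] = True

    if state["resumed"]:
        addr, size = state["writes"][0]
        state["verdict"] = ("suspended-process patching: dump 0x%X byte(s) at 0x%X "
                            "before ResumeThread" % (size or 0, addr or 0))
    else:
        state["verdict"] = "no complete pattern"
    return state


if __name__ == "__main__":
    print(detect_suspended_patch(parse_calls(CALL_LOG))["verdict"])
```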

Locky extension

.osiris

POST requests:

  • &length=..&failed=..&encrypted=
  • &act=stats&path=
  • &v=2..&x64=..&sp=..&os=…&serv=..&corp=..&lang=..&act=getkey&affid=..
  • &act=gethtml&lang= 
  • ..&act=gettext&lang=..


Registry

  • Software\Microsoft\Windows\CurrentVersion\Run 


Self-kill routine: 

cmd.exe /C del /Q /F

Blacklist

tmp;winnt;Application Data;AppData;Program Files (x86);Program Files;temp;thumbs.db;$Recycle.Bin;System Volume Information;Boot;Windows

Locky instructions: 

/_HELP_instructions.html._HELP_instructions.bmp.._HELP_instructions.txt.._Locky_recover_instructions.bmp._Locky_recover_instructions.txt

Delete shadow copy:

vssadmin.exe Delete Shadows /Quiet /All  

Targeted extensions:

yuv…ycbcra..xis…x3f…x11…wpd…tex…sxg…stx…st8…st5…srw…srf…sr2…sqlitedb..sqlite3…sqlite..sdf…sda…sd0…s3db..rwz…rwl…rdb…rat…raf…qby…qbx…qbw…qbr…qba…py..psafe3..plc…plus_muhd…pdd…p7c…p7b…oth…orf…odm…odf…nyf…nxl…nx2…nwb…ns4…ns3…ns2…nrw…nop…nk2…nef…ndd…myd…mrw…moneywell…mny…mmw…mfw…mef…mdc…lua…kpdx..kdc…kdbx..kc2…jpe…incpas..iiq…ibz…ibank…hbk…gry…grey..gray..fhd…fh..ffd…exf…erf…erbsql..eml…dxg…drf…dng…dgc…des…der…ddrw..ddoc..dcs…dc2…db_journal..csl…csh…crw…craw..cib…ce2…ce1…cdrw..cdr6..cdr5..cdr4..cdr3..bpw…bgt…bdb…bay…bank..backupdb..backup..back..awg…apj…ait…agdl..ads…adb…acr…ach…accdt…accdr…accde…ab4…3pr…3fr…vmxf..vmsd..vhdx..vhd…vbox..stm…st7…rvt…qcow..qed…pif…pdb…pab…ost…ogg…nvram…ndf…m4p…m2ts..log…hpp…hdd…groups..flvv..edb…dit…dat…cmt…bin…aiff..xlk…wad…tlg…st6…st4…say…sas7bdat..qbm…qbb…ptx…pfx…pef…pat…oil…odc…nsh…nsg…nsf…nsd…nd..mos…indd..iif…fpx…fff…fdb…dtd…design..ddd…dcr…dac…cr2…cdx…cdf…blend…bkp…al..adp…act…xlr…xlam..xla…wps…tga…rw2…r3d…pspimage..ps..pct…pcd…m4v…m…fxg…flac..eps…dxb…drw…dot…db3…cpi…cls…cdr…arw…ai..aac…thm…srt…save..safe..rm..pwm…pages…obj…mlb…md..mbx…lit…laccdb..kwm…idx…html..flf…dxf…dwg…dds…csv…css…config..cfg…cer…asx…aspx..aoi…accdb…7zip..1cd…xls…wab…rtf…prf…ppt…oab…msg…mapimail..jnt…doc…dbx…contact…n64…m4a…m4u…m3u…mid…wma…flv…3g2…mkv…3gp…mp4…mov…avi…asf…mpeg..vob…mpg…wmv…fla…swf…wav…mp3…qcow2…vdi…vmdk..vmx…wallet..upk…sav…re4…ltx…litesql…litemod…lbf…iwi…forge…das…d3dbsp..bsa…bik…asset…apk…gpg…aes…ARC…PAQ…tar.bz2…tbk…bak…tar…tgz…gz..7z..rar…zip…djv…djvu..svg…bmp…png…gif…raw…cgm…jpeg..jpg…tif…tiff..NEF…psd…cmd…bat…sh..class…jar…java..rb..asp…cs..brd…sch…dch…dip…pl..vbs…vb..js..h…asm…pas…cpp…c…php…ldf…mdf…ibd…MYI…MYD…frm…odb…dbf…db..mdb…sql…SQLITEDB..SQLITE3…011…010…009…008…007…006…005…004…003…002…001…pst…onetoc2…asc…lay6..lay…ms11(Securitycopy)..ms11..sldm..sldx..ppsm..ppsx..ppam..docb..mml…sxm…otg…odg…uop…potx..pom..pptx..pptm..std…sxd…pot…pps…sti…sxi…otp…odp…wb2…123…wks…wk1…xltx..xltm..xlsx..xlsm..xlsb..slk…xlw…xlt…xlm…xlc…dif…stc…sxc…ots…ods…h
wp…602…dotm..dotx..docm..docx..DOT…3dm…max…3ds…xml…txt…CSV…uot…RTF…pdf…XLS…PPT…stw…sxw…ott…odt…DOC…pem…p12…csr…crt…key..wallet.dat..


Reference:

* BOOL CreateProcess(
    LPCTSTR lpApplicationName,                 // pointer to name of executable module
    LPTSTR lpCommandLine,                      // pointer to command line string
    LPSECURITY_ATTRIBUTES lpProcessAttributes, // pointer to process security attributes
    LPSECURITY_ATTRIBUTES lpThreadAttributes,  // pointer to thread security attributes
    BOOL bInheritHandles,                      // handle inheritance flag
    DWORD dwCreationFlags,                     // creation flags
    LPVOID lpEnvironment,                      // pointer to new environment block
    LPCTSTR lpCurrentDirectory,                // pointer to current directory name
    LPSTARTUPINFO lpStartupInfo,               // pointer to STARTUPINFO
    LPPROCESS_INFORMATION lpProcessInformation // pointer to PROCESS_INFORMATION
);

** BOOL WriteProcessMemory(
    HANDLE hProcess,                // handle to process whose memory is written to
    LPVOID lpBaseAddress,           // address to start writing to
    LPVOID lpBuffer,                // pointer to buffer to write data from
    DWORD nSize,                    // number of bytes to write
    LPDWORD lpNumberOfBytesWritten  // actual number of bytes written
);

*** DWORD ResumeThread(
    HANDLE hThread                  // handle to the thread to be restarted
);

Elasticsearch

Elasticsearch Concept
Goal: Document and annotate some quick notes on learning elasticsearch.

I. CREATING YOUR OWN ANALYZER: SET UP ANALYZER SETTINGS

curl -X PUT "http://localhost:9200/wiki" -d '{
  "index" : {
    "number_of_shards" : 4,
    "number_of_replicas" : 1,
    "analysis" : {
      "analyzer" : {
        "content" : {
          "type" : "custom",
          "tokenizer" : "standard",
          "filter" : ["lowercase", "stop", "kstem"],
          "char_filter" : ["html_strip"]
        }
      }
    }
  }
}'

II. PUT (CREATE) MAPPING: CREATE MAPPING (STRING -> TEXT) FOR INDEX

# "index" takes a boolean on "text" fields; the string "no" is the pre-5.x form
curl -X PUT "http://localhost:9200/wiki/articles/_mapping" -d '{
  "articles" : {
    "_all" : { "enabled" : true },
    "properties" : {
      "Title" : { "type" : "text", "analyzer" : "content", "include_in_all" : false, "index" : false },
      "link" : { "type" : "text", "include_in_all" : false, "index" : false },
      "Author" : { "type" : "text", "include_in_all" : false },
      "timestamp" : { "type" : "date", "format" : "dd-MM-yyyy HH:mm:ss", "include_in_all" : false },
      "html" : { "type" : "text", "analyzer" : "content", "include_in_all" : true }
    }
  }
}'

A. GENERATE JSON OBJECT FOR ELASTICSEARCH

python json_generator.py https://en.wikipedia.org/wiki/France > France.json

# json_generator.py (Python 2): fetch a page and emit the document for the
# "articles" mapping above. Usage: python json_generator.py <link> [<title>]
import json
import sys
import urllib2

link = sys.argv[1]
# Title defaults to the last path component of the link (e.g. "France")
title = sys.argv[2] if len(sys.argv) > 2 else link.rstrip('/').split('/')[-1]

htmlObj = {
    "link": link,
    "Author": "anonymous",
    "timestamp": "12-12-2018 14:16:00",
    "Title": title,
}
response = urllib2.urlopen(link)
htmlObj['html'] = response.read()
print json.dumps(htmlObj, indent=4)

III. XPOST (PUSH) JSON FILE TO ELASTICSEARCH WIKI ARTICLES

curl -XPOST "http://localhost:9200/wiki/articles/" -d @France.json

IV. USING PHRASE QUERY TO SEARCH: SEARCH ELASTICSEARCH INDEX FOR CONTENT

curl -X POST "http://localhost:9200/wiki/_search?pretty" -d '{
  "_source" : [ "Title" ],
  "query" : {
    "query_string" : { "query" : "mobile" }
  }
}'

V. USING THE HIGHLIGHTING FEATURE: SEARCH ELASTICSEARCH INDEX FOR CONTENT (HIGHLIGHTED)

# Query highlighted content. The highlight tags were lost in this copy; <em>
# is the Elasticsearch default. The mapped field is "html" (there is no "Content").
curl -X POST "http://localhost:9200/wiki/_search?pretty" -d '{
  "_source" : [ "Title" ],
  "query" : {
    "query_string" : { "query" : "mobile" }
  },
  "highlight" : {
    "pre_tags" : ["<em>"],
    "post_tags" : ["</em>"],
    "fields" : {
      "html" : {}
    }
  }
}'


VI. PAGINATION

# Page 1 (from=0, size=10) with short highlighted fragments; tags restored to <em>
curl -X POST "http://localhost:9200/wiki/_search?pretty" -d '{
  "from" : 0,
  "size" : 10,
  "query" : {
    "simple_query_string" : {
      "query" : "mobile",
      "fields" : [ "_all" ]
    }
  },
  "highlight" : {
    "fields" : {
      "html" : {
        "pre_tags" : ["<em>"],
        "post_tags" : ["</em>"],
        "fragment_size" : 10,
        "number_of_fragments" : 3
      }
    }
  }
}'

CHAPTER 2: BUILDING YOUR OWN E-COMMERCE SOLUTION

Field types: String, Integer, Long, Float, Double, Boolean, Date, geo_point, Null, Ipv4

I. CREATE (PUT) INDEX "products"

curl -X PUT "http://localhost:9200/products" -d '{
  "index" : {
    "number_of_shards" : 1,
    "number_of_replicas" : 1
  }
}'

II. CREATING MAPPING: Put "product" as the type for "products" index

# Fixes against the original: trailing commas removed (invalid JSON), booleans
# unquoted, "yyyy" for the calendar year ("YYYY" is week-year), and the 2.x
# "text + not_analyzed" form replaced by the 5.x "keyword" type.
curl -X PUT "http://localhost:9200/products/product/_mapping" -d '{
  "product" : {
    "properties" : {
      "name" : { "type" : "text" },
      "description" : { "type" : "text" },
      "dateOfManufactering" : { "type" : "date", "format" : "yyyy-MM-dd" },
      "price" : { "type" : "long" },
      "productType" : { "type" : "keyword", "include_in_all" : false },
      "totalBuy" : { "type" : "long", "include_in_all" : false },
      "imageURL" : { "type" : "text", "include_in_all" : false, "index" : false }
    }
  }
}'

Let’s Learn (DIY): Sophisticated Cobalt Strike Gang’s CVE-2017-0199 Loader

Goal: Reverse the first-stage RTF loader exploiting CVE-2017-0199, used by the Cobalt Strike gang targeting Russian-speaking financial institutions. This loader has been seen in conjunction with Microsoft Word Intruder 8.0.
Source: @xdxdxdxdoa
Tools: rtfdump 0.5, ILSpy
CVE-2017-0199: Exploit that allows "remote attackers to execute arbitrary code via a crafted document, aka 'Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API'" [source].
Observed unique filename:

  • Пеня по задолженности.doc -> “Debt collection notification.doc” (from Russian to English)
  • Заявление на расторжение договора.doc -> “Application for contract closure.doc” (from Russian to English)

SHA-256: c5d7c5c94468ba74211e08d7c2ad9d0274011d432edc1af8cdf2215b2c9d9291
Type:
  • Rich Text Format (CVE-2017-0199 exploit) 
  • Objects OLE embedded (Package)
  • OLE Autolink (Package)

Here are the steps:

I. Command: python2.7 rtfdump.py file.rtf

II. Command: python2.7 rtfdump.py -f O file.rtf
   Lists the OLE 1.0 objects embedded within this RTF file ("-f O").

III. Command: python2.7 rtfdump.py -s 8 file.rtf | more   (on field 8 found in the previous step)
   The bytes 01050000 02000000 at the start mark an OLE 1.0 object header. The line starting with 9f330500 is the little-endian native-data size (0x0005339f bytes) that immediately precedes the embedded file.

With option -H, we can convert the hexadecimal characters to binary:

IV. Command: python2.7 rtfdump.py -s 8 -H file.rtf

With option -i, we can obtain more information about the binary (embedded object):

V. Command: python2.7 rtfdump.py -s 8 -H -i file.rtf

   Name: 'Package\x00' Position embedded: 00000020 Size embedded: 0005339f md5: a9039264caf3285bf968849bf84ad951 magic: 02007e57

With option -E, we can extract the embedded object:

VI. Command: python2.7 rtfdump.py -s 8 -H -E -d file.rtf > binary.exe

The payload is a .NET (C# / VB.NET) executable titled "ExecPS"; we decompile it with ILSpy. The embedded binary carries a PDF icon and has the internal name "ExecPS[.]exe".
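The rtfdump -i summary above (class name, position 0x20, size 0x0005339f) falls straight out of the OLE 1.0 object header layout: version, format, a length-prefixed class name, two empty names, then the native-data size. As an added example that is not part of the original write-up and not rtfdump's own code, this Python script parses such a header out of an RTF \objdata group and reports the same facts; the RTF sample is constructed here around a harmless placeholder payload so it runs offline.

```python
import binascii
import hashlib
import re
import struct

OLE1_VERSION = 0x00000501   # serialises as 01 05 00 00
OLE1_EMBEDDED = 0x00000002  # FormatID 2 = embedded object, serialises as 02 00 00 00


def build_ole1(class_name, native):
    """Assemble an OLE 1.0 ObjectHeader (OLEVersion, FormatID, ClassName,
    TopicName, ItemName, NativeDataSize) followed by the native data."""
    hdr = struct.pack("<II", OLE1_VERSION, OLE1_EMBEDDED)
    hdr += struct.pack("<I", len(class_name)) + class_name   # LengthPrefixedAnsiString
    hdr += struct.pack("<I", 0) + struct.pack("<I", 0)       # empty TopicName / ItemName
    hdr += struct.pack("<I", len(native))                    # NativeDataSize
    return hdr + native


# Constructed sample: a harmless stand-in for the embedded Package payload
# (the real object is the ExecPS binary; its bytes are not reproduced here).
NATIVE = b"\x02\x00placeholder.txt\x00C:\\tmp\\placeholder.txt\x00" + b"A" * 40
SAMPLE_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objdata "
              + binascii.hexlify(build_ole1(b"Package\x00", NATIVE))
              + b"}}}")


def extract_objdata(rtf):
    """Hex-decode the first \\objdata group (the step rtfdump -H performs)."""
    m = re.search(rb"\\objdata\s*([0-9A-Fa-f\s]+)\}", rtf)
    if not m:
        raise ValueError("no \\objdata group found")
    hexdata = re.sub(rb"\s+", b"", m.group(1))
    if len(hexdata) % 2:           # tolerate a dangling nibble rather than fail
        hexdata = hexdata[:-1]
    return binascii.unhexlify(hexdata)


def _lp_string(data, pos):
    """Read a LengthPrefixedAnsiString: 4-byte LE length, then that many bytes."""
    (n,) = struct.unpack_from("<I", data, pos)
    pos += 4
    return data[pos:pos + n], pos + n


def parse_ole1(data):
    """Walk the OLE 1.0 header and locate the native data, returning the
    facts rtfdump -i prints; None if the 01050000 02000000 signature is absent."""
    if len(data) < 8:
        return None
    version, fmt = struct.unpack_from("<II", data, 0)
    if version != OLE1_VERSION or fmt != OLE1_EMBEDDED:
        return None
    try:
        pos = 8
        class_name, pos = _lp_string(data, pos)
        _topic, pos = _lp_string(data, pos)
        _item, pos = _lp_string(data, pos)
        (size,) = struct.unpack_from("<I", data, pos)   # the 9f330500-style size field
    except struct.error:
        raise ValueError("truncated OLE 1.0 header")
    pos += 4
    native = data[pos:pos + size]
    if len(native) != size:
        raise ValueError("truncated native data: header says %d, have %d"
                         % (size, len(native)))
    return {
        "name": class_name,                                  # e.g. b'Package\x00'
        "position": pos,                                     # "Position embedded"
        "size": size,                                        # "Size embedded"
        "md5": hashlib.md5(native).hexdigest(),
        "magic": binascii.hexlify(native[:4]).decode(),      # first four bytes
        "is_package": class_name.rstrip(b"\x00") == b"Package",
        "data": native,
    }


def analyze_rtf(rtf):
    """End-to-end: RTF bytes -> OLE 1.0 object summary (or None)."""
    return parse_ole1(extract_objdata(rtf))


if __name__ == "__main__":
    info = analyze_rtf(SAMPLE_RTF)
    print("Name: %r Position embedded: %08x Size embedded: %08x md5: %s magic: %s"
          % (info["name"], info["position"], info["size"], info["md5"], info["magic"]))
```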



It checks for Dr.Web anti-virus processes and exits if any of them are running:
  • ProcessName = "dwengine" || "spidergate" || "spidernt" || "spideragent"

Moreover, the embedded binary is digitally signed by "Elektro, OOO" from Nizhni Novgorod, Russia:

  • CN = Elektro, OOO
  • O = Elektro, OOO
  • STREET = d. 13 kv. 11, prospekt Soyuzny
  • L = Nizhni Novgorod
  • S = Nizhegorodskaya oblast
  • PostalCode = 603040
  • C = RU


Let's Learn: Pushdo Loader Analysis from RIG EK

Goal: Reverse the Pushdo Trojan, delivered from the RIG Exploit Kit on June 22, 2017.
Source: @Zerophage1337

Pushdo execution flow:

Registry persistence:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Self-kill routine:

:repeat
del %s
if exist %s
goto :repeat
del %

Random C2 domains:

    ex-olive[.]com;pb-games[.]com;fink[.]com;stnic[.]co[.]uk;netcr[.]com;findbc[.]com;tyrns[.]com;medius[.]si;ora[.]ecnet[.]jp;c9dd[.]com;sclover3[.]com;spanesi[.]com;fcwcvt[.]org;h-f[.]net;2print[.]com;nunomira[.]com;x0c[.]com;owsports[.]ca;cokocoko[.]com;evcpa[.]com;sjbs[.]org;depalo[.]com;wifi4all[.]nl;abdg[.]com;holleman[.]us;domon[.]com;fe-bauer[.]de;cel-cpa[.]com;alteor[.]cl;ottospm[.]com;transsib[.]com;com-sit[.]com;ka-mo-me[.]com;pr-park[.]com;mqs[.]com[.]br;yoruksut[.]com;rs-ag[.]com;ora-ito[.]com;iamdirt[.]com;wnsavoy[.]com;elpro[.]si;myropcb[.]com;fnw[.]us;photo4b[.]com;koz1[.]net;pupi[.]cz;snugpak[.]com;item-pr[.]com;pdqhomes[.]com;valdal[.]com;mobilnic[.]net;nqks[.]com;quadlock[.]com;waldi[.]pl;abart[.]pl;vexcom[.]com;hummer[.]hu;synetik[.]net;baijaku[.]com;valselit[.]com;crcsi[.]org;udesign[.]biz;credo[.]edu[.]pl;11tochi[.]net;otena[.]com;vitaindu[.]com;edimart[.]hu;olras[.]com;wkhk[.]net;naoi-a[.]com;pohlfood[.]com;jenco[.]co[.]uk;pcgrate[.]com;petsfan[.]com;tc17[.]com;vazir[.]se;aevga[.]com;lrsuk[.]com;xaicom[.]es;pwd[.]org;nelipak[.]nl;speelhal[.]net;dgmna[.]com;ftchat[.]com;tvtools[.]fi;gpthink[.]com;maktraxx[.]com;kernsafe[.]com;jacomfg[.]com;dayvo[.]com;reglera[.]com;yocinc[.]org;jchysk[.]com;railbook[.]net;yumgiskor[.]kz;t-tre[.]com;fnsds[.]org;stajum[.]com;medisa[.]info;jroy[.]net

06-21-2017 Locky Ransomware: Config Analysis

Source: https://www.virustotal.com/en/file/b546fad0209bbf800c11565c4720fdb2685966242d2ff162f7be556dd037a6a1/analysis/
Config: https://github.com/vkremez/MalwareConfigurations/blob/master/crime_win32_locky_conf_June21-2017.txt


Locky extension

.loptr

POST requests:

  • &length=..&failed=..&encrypted=
  • &act=stats&path=
  • &v=2..&x64=..&sp=..&os=…&serv=..&corp=..&lang=..&act=getkey&affid=..
  • &act=gethtml&lang=..&act=gettext&lang=..

Registry

  • Software\Microsoft\Windows\CurrentVersion\Run

Self-kill routine:

cmd.exe /C del /Q /F

Blacklist

tmp;winnt;Application Data;AppData;Program Files (x86);Program Files;temp;thumbs.db;$Recycle.Bin;System Volume Information;Boot;Windows

Locky instructions:

/_HELP_instructions.html._HELP_instructions.bmp.._HELP_instructions.txt.._Locky_recover_instructions.bmp._Locky_recover_instructions.txt

Delete shadow copy:

vssadmin.exe Delete Shadows /Quiet /All

C2:

hxxp://185[.]115[.]140[.]170/checkupdate

Targeted extensions:

    ..yuv…ycbcra..xis…x3f…x11…wpd…tex…sxg…stx…st8…st5…srw…srf…sr2…sqlitedb..sqlite3…sqlite..sdf…sda…sd0…s3db..rwz…rwl…rdb…rat…raf…qby…qbx…qbw…qbr…qba…py..psafe3..plc…plus_muhd…pdd…p7c…p7b…oth…orf…odm…odf…nyf…nxl…nx2…nwb…ns4…ns3…ns2…nrw…nop…nk2…nef…ndd…myd…mrw…moneywell…mny…mmw…mfw…mef…mdc…lua…kpdx..kdc…kdbx..kc2…jpe…incpas..iiq…ibz…ibank…hbk…gry…grey..gray..fhd…fh..ffd…exf…erf…erbsql..eml…dxg…drf…dng…dgc…des…der…ddrw..ddoc..dcs…dc2…db_journal..csl…csh…crw…craw..cib…ce2…ce1…cdrw..cdr6..cdr5..cdr4..cdr3..bpw…bgt…bdb…bay…bank..backupdb..backup..back..awg…apj…ait…agdl..ads…adb…acr…ach…accdt…accdr…accde…ab4…3pr…3fr…vmxf..vmsd..vhdx..vhd…vbox..stm…st7…rvt…qcow..qed…pif…pdb…pab…ost…ogg…nvram…ndf…m4p…m2ts..log…hpp…hdd…groups..flvv..edb…dit…dat…cmt…bin…aiff..xlk…wad…tlg…st6…st4…say…sas7bdat..qbm…qbb…ptx…pfx…pef…pat…oil…odc…nsh…nsg…nsf…nsd…nd..mos…indd..iif…fpx…fff…fdb…dtd…design..ddd…dcr…dac…cr2…cdx…cdf…blend…bkp…al..adp…act…xlr…xlam..xla…wps…tga…rw2…r3d…pspimage..ps..pct…pcd…m4v…m…fxg…flac..eps…dxb…drw…dot…db3…cpi…cls…cdr…arw…ai..aac…thm…srt…save..safe..rm..pwm…pages…obj…mlb…md..mbx…lit…laccdb..kwm…idx…html..flf…dxf…dwg…dds…csv…css…config..cfg…cer…asx…aspx..aoi…accdb…7zip..1cd…xls…wab…rtf…prf…ppt…oab…msg…mapimail..jnt…doc…dbx…contact…n64…m4a…m4u…m3u…mid…wma…flv…3g2…mkv…3gp…mp4…mov…avi…asf…mpeg..vob…mpg…wmv…fla…swf…wav…mp3…qcow2…vdi…vmdk..vmx…wallet..upk…sav…re4…ltx…litesql…litemod…lbf…iwi…forge…das…d3dbsp..bsa…bik…asset…apk…gpg…aes…ARC…PAQ…tar.bz2…tbk…bak…tar…tgz…gz..7z..rar…zip…djv…djvu..svg…bmp…png…gif…raw…cgm…jpeg..jpg…tif…tiff..NEF…psd…cmd…bat…sh..class…jar…java..rb..asp…cs..brd…sch…dch…dip…pl..vbs…vb..js..h…asm…pas…cpp…c…php…ldf…mdf…ibd…MYI…MYD…frm…odb…dbf…db..mdb…sql…SQLITEDB..SQLITE3…011…010…009…008…007…006…005…004…003…002…001…pst…onetoc2…asc…lay6..lay…ms11(Securitycopy)..ms11..sldm..sldx..ppsm..ppsx..ppam..docb..mml…sxm…otg…odg…uop…potx..pom..pptx..pptm..std…sxd…pot…pps…sti…sxi…otp…odp…wb2…123…wks…wk1…xltx..xltm..xlsx..xlsm..xlsb..slk…xlw…xlt…xlm…xlc…dif…stc…sxc…ots
…ods…hwp…602…dotm..dotx..docm..docx..DOT…3dm…max…3ds…xml…txt…CSV…uot…RTF…pdf…XLS…PPT…stw…sxw…ott…odt…DOC…pem…p12…csr…crt…key..wallet.dat..


Python WinAppDbg Template Constructs

Source: https://gitlab.com/vitali.kremez/winappdbg_contruct
Credit: WinAppDbg; Parsia

###########################
####     WinAppDbg     ####
###########################

Imports shared by every construct below (Python 2, which WinAppDbg requires; `args` is the parsed argparse namespace of the surrounding script):

import winappdbg
from winappdbg import win32
from winappdbg.win32 import PVOID, DWORD, HANDLE

I. GetRunnerProcess

if args.run:
    # Concatenate all arguments into a string
    myargs = " ".join(args.run)

    if win32.PathFileExists(args.run[0]) is True:
        # File exists
        # Create a Debug object
        debug = winappdbg.Debug()

        try:
            # Debug the app
            # First item is program and the rest are arguments
            # execl: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L358
            my_process = debug.execl(myargs)

            print("Attached to {0} - {1}".format(my_process.get_pid(),
                                                 my_process.get_filename()))

            # Keep debugging until the debugger stops
            debug.loop()

        finally:
            # Stop the debugger
            debug.stop()
            print("[*] Debugger stopped.")

    else:
        print("{0} not found.".format(args.run[0]))
        exit()

II. GetSystemInformation

if args.sysinfo:
    # Create a System object
    # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66
    system = winappdbg.System()

    # Use the built-in WinAppDbg table
    # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094
    table = winappdbg.Table("\t")

    # New line
    table.addRow("", "")

    # Header
    title = ("System Information", "")
    table.addRow(*title)

    # Add system information
    table.addRow("------------------")
    table.addRow("Bits", system.bits)
    table.addRow("OS", system.os)
    table.addRow("Architecture", system.arch)
    table.addRow("32-bit Emulation", system.wow64)
    table.addRow("Admin", system.is_admin())
    table.addRow("WinAppDbg", winappdbg.version)
    table.addRow("Process Count", system.get_process_count())

    print table.getOutput()
    exit()

III. GetProcessList

if args.getprocesses:

    system = winappdbg.System()

    # We can reuse example 02 from the docs
    # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes
    table = winappdbg.Table("\t")
    table.addRow("", "")

    header = ("pid", "process")
    table.addRow(*header)

    table.addRow("----", "----------")

    processes = {}

    # Add all processes to a dictionary then sort them by pid
    for process in system:
        processes[process.get_pid()] = process.get_filename()

    # Iterate through processes sorted by pid
    for key in sorted(processes.iterkeys()):
        table.addRow(key, processes[key])

    print table.getOutput()
    exit()

IV. AttachByProcessID

if args.pid:
    system = winappdbg.System()

    # Get all pids
    pids = system.get_process_ids()

    if args.pid in pids:
        # pid exists

        # Create a Debug object
        debug = winappdbg.Debug()

        try:
            # Attach to pid
            # attach: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L219
            my_process = debug.attach(args.pid)

            print "Attached to %d - %s" % (my_process.get_pid(),
                                           my_process.get_filename())

            # Keep debugging until the debugger stops
            debug.loop()

        finally:
            # Stop the debugger
            debug.stop()
            print "Debugger stopped."

    else:
        print "pid %d not found." % (args.pid)

    exit()

V. AttachByProcessName

if args.pname:
    debug = winappdbg.Debug()

    # example 3:
    # https://winappdbg.readthedocs.io/en/latest/_downloads/03_find_and_attach.py

    try:
        debug.system.scan()
        for (process, name) in debug.system.find_processes_by_filename(args.pname):
            print "Found %d, %s" % (process.get_pid(),
                                    process.get_filename())

            debug.attach(process.get_pid())

            print "Attached to %d-%s" % (process.get_pid(),
                                         process.get_filename())

        # Keep debugging until the debugger stops
        debug.loop()

    finally:
        # Stop the debugger
        debug.stop()
        print "Debugger stopped."
    exit()

VI. WriteLoggerOutput

global logger
if args.output:
    # verbose=False disables printing to stdout
    logger = winappdbg.Logger(args.output, verbose=False)
else:
    logger = winappdbg.Logger()

# Example
# logger.log_text("Started %d - %s" % (my_process.get_pid(), my_process.get_filename()))

VII. GetLoadedModules

class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    def load_dll(self, event):
        """
        Called when a new module is loaded.
        https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/module.py#L71

        Module object methods:
        get_base, get_filename, get_name, get_size, get_entry_point,
        get_process, set_process, get_pid,
        get_handle, set_handle, open_handle, close_handle

        get_size and get_entry_point do not work because WinAppDbg internally
        uses GetModuleInformation.
        https://msdn.microsoft.com/en-us/library/ms683201(v=VS.85).aspx
        And it cannot get info on files "that were loaded with the
        LOAD_LIBRARY_AS_DATAFILE flag."

        This is related:
        https://blogs.msdn.microsoft.com/oldnewthing/20150716-00/?p=45131
        """
        module = event.get_module()

        logstring = "\nLoaded DLL:\nName: %s\nFilename: %s\nBase Addr: %s\n" % \
            (module.get_name(), module.get_filename(), hex(module.get_base()))

        # logger is the winappdbg.Logger created in construct VI
        logger.log_text(logstring)

        # _ = module.get_size()

        print module.get_handle()

# Create an instance of our eventhandler class
myeventhandler = DebugEvents()

VIII. GetProcessCreateProcessInfo

class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    # logger is the winappdbg.Logger created in construct VI

    def create_process(self, event):
        process = event.get_process()
        pid = event.get_pid()
        # pid = process.get_pid()
        filename = process.get_filename()

        logger.log_text("CreateProcess %d - %s" % (pid, filename))

    def exit_process(self, event):
        process = event.get_process()
        pid = event.get_pid()
        # pid = process.get_pid()
        filename = process.get_filename()

        logger.log_text("ExitProcess %d - %s" % (pid, filename))

    def create_thread(self, event):
        process = event.get_process()
        thread = event.get_thread()

        tid = thread.get_tid()
        name = thread.get_name()

        logger.log_text("CreateThread %d - %s" % (tid, name))

    def exit_thread(self, event):
        process = event.get_process()
        thread = event.get_thread()

        tid = thread.get_tid()
        name = thread.get_name()

        logger.log_text("ExitThread %d - %s" % (tid, name))

# Create an instance of our eventhandler class
myeventhandler = DebugEvents()

    IX. BasicHookFunction
    from winappdbg.win32 import PVOID, DWORD, HANDLE

    class DebugEvents(winappdbg.EventHandler):
        """
        Event handler class.
        event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
        """

        def load_dll(self, event):
            module = event.get_module()

            if module.match_name("kernel32.dll"):

                # Resolve function addresses
                address_CreateFileA = module.resolve("CreateFileA")
                address_CreateFileW = module.resolve("CreateFileW")

                # Types are here
                # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/win32/defines.py#L380
                sig_CreateFileA = (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)
                sig_CreateFileW = (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)

                pid = event.get_pid()

                # Hook function(pid, address, preCB, postCB, paramCount, signature)
                # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/breakpoint.py#L3969
                event.debug.hook_function(pid, address_CreateFileA,
                                          preCB=pre_CreateFileA,
                                          postCB=post_CreateFileA,
                                          signature=sig_CreateFileA)

                event.debug.hook_function(pid, address_CreateFileW,
                                          preCB=pre_CreateFileW,
                                          postCB=post_CreateFileW,
                                          signature=sig_CreateFileW)

                # Another way of setting up hooks without a signature

                """
                event.debug.hook_function(pid, address_CreateFileA,
                                          preCB=pre_CreateFileA,
                                          postCB=post_CreateFileA,
                                          paramCount=7)

                event.debug.hook_function(pid, address_CreateFileW,
                                          preCB=pre_CreateFileW,
                                          postCB=post_CreateFileW,
                                          paramCount=7)
                """

    # Callback functions
    # -------------------

    # Callback function parameters are always
    # (event, ra (return address), then function parameters)
    # self is first if part of the eventhandler class


    def pre_CreateFileW(event, ra, lpFileName, dwDesiredAccess, dwShareMode,
                        lpSecurityAttributes, dwCreationDisposition,
                        dwFlagsAndAttributes, hTemplateFile):
        """
        This will be called as soon as we enter the function and before the
        function stack frame is created.
        """

        process = event.get_process()

        # Suspend the process because why not
        process.suspend()

        mylogger.log_text("Hit kernel32!CreateFileW")

        # 32-bit so all parameters are on the stack

        # In case you want a pointer to the top of the stack
        # thread = event.get_thread()

        # All memory read functions are at
        # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/process.py#L125

        # fUnicode=True because we are in the Wide or Unicode version of the API
        myFileName = process.peek_string(lpFileName, fUnicode=True)

        mylogger.log_text("lpFilename: %s" % (myFileName))

        # Resume the process
        process.resume()


    def pre_CreateFileA(event, ra, lpFileName, dwDesiredAccess, dwShareMode,
                        lpSecurityAttributes, dwCreationDisposition,
                        dwFlagsAndAttributes, hTemplateFile):

        process = event.get_process()

        # Suspend the process because why not
        process.suspend()

        mylogger.log_text("Hit kernel32!CreateFileA")

        # fUnicode=False because we are in the ANSI version
        myFileName = process.peek_string(lpFileName, fUnicode=False)

        mylogger.log_text("lpFilename: %s" % (myFileName))

        process.resume()


    def post_CreateFileW(event, retval):

        mylogger.log_text("Leaving kernel32!CreateFileW")
        mylogger.log_text("Return value: %x" % (retval))


    def post_CreateFileA(event, retval):

        mylogger.log_text("Leaving kernel32!CreateFileA")
        mylogger.log_text("Return value: %x" % (retval))

    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()

    X. BetterHookFunction
    from winappdbg.win32 import PVOID, DWORD, HANDLE

    class DebugEvents(winappdbg.EventHandler):
        """
        Event handler class.
        event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
        """

        # Better hooking
        # https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

        apiHooks = {

            # Hooks for the kernel32 library.
            "kernel32.dll": [

                # We have seen these before
                # Function       Signature
                ("CreateFileA", (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)),
                ("CreateFileW", (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)),

                # Can also pass the parameter count instead; CreateFile takes 7
                # ("CreateFileA", 7),
                # ("CreateFileW", 7),
            ],
        }

        # Now we can simply define a method for each hooked API.
        # "pre_" methods are called when entering the hooked function.
        # "post_" methods are called when returning from the hooked function.

        def pre_CreateFileW(self, event, ra, lpFileName, dwDesiredAccess,
                            dwShareMode, lpSecurityAttributes, dwCreationDisposition,
                            dwFlagsAndAttributes, hTemplateFile):

            process = event.get_process()
            myFileName = process.peek_string(lpFileName, fUnicode=True)
            mylogger.log_text("pre_CreateFileW opening file %s" % (myFileName))

        def post_CreateFileW(self, event, retval):
            mylogger.log_text("Return value: %x" % retval)

        def pre_CreateFileA(self, event, ra, lpFileName, dwDesiredAccess,
                            dwShareMode, lpSecurityAttributes, dwCreationDisposition,
                            dwFlagsAndAttributes, hTemplateFile):

            process = event.get_process()
            myFileName = process.peek_string(lpFileName, fUnicode=False)
            mylogger.log_text("pre_CreateFileA opening file %s" % (myFileName))

        def post_CreateFileA(self, event, retval):
            mylogger.log_text("Return value: %x" % retval)

    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()
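Added example (my code, not from these notes and not part of WinAppDbg): the CreateFile hooks in IX and X log only the file name, but the hook already receives dwDesiredAccess, dwShareMode and dwCreationDisposition. The helpers below decode those into their documented Win32 names so a `pre_CreateFile*` method could log `describe_create_file(myFileName, dwDesiredAccess, dwShareMode, dwCreationDisposition)`. The function names and the `is_write_open` heuristic are mine; only the constant values come from the Win32 documentation, and only the generic access rights are decoded.

```python
# Added example, not part of the original notes: decode the raw CreateFileA/W
# arguments that the pre_CreateFile* hooks receive into readable names, so the
# log shows what kind of open it was instead of bare integers.
# The constants are the documented Win32 values; only the generic access
# rights are decoded here (specific FILE_* rights are left as hex).

GENERIC_ACCESS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}

SHARE_MODE = {
    0x1: "FILE_SHARE_READ",
    0x2: "FILE_SHARE_WRITE",
    0x4: "FILE_SHARE_DELETE",
}

CREATION_DISPOSITION = {
    1: "CREATE_NEW",
    2: "CREATE_ALWAYS",
    3: "OPEN_EXISTING",
    4: "OPEN_ALWAYS",
    5: "TRUNCATE_EXISTING",
}


def decode_flags(value, table):
    """Split a bitmask into the names of its known bits (lowest bit first);
    any bits the table does not know are kept as one hex remainder."""
    names = []
    remaining = value
    for bit in sorted(table):
        if value & bit:
            names.append(table[bit])
            remaining &= ~bit
    if remaining:
        names.append("0x%x" % remaining)
    return names or ["0"]


def describe_create_file(filename, desired_access, share_mode, creation_disposition):
    """Build the one-line summary a pre_CreateFile* hook would pass to the logger."""
    return "%s access=%s share=%s disposition=%s" % (
        filename,
        "|".join(decode_flags(desired_access, GENERIC_ACCESS)),
        "|".join(decode_flags(share_mode, SHARE_MODE)),
        CREATION_DISPOSITION.get(creation_disposition,
                                 "0x%x" % creation_disposition),
    )


def is_write_open(desired_access, creation_disposition):
    """True when the call can create, truncate or modify the file (the opens a
    sandbox report usually separates from plain reads). Judged on generic
    rights only, so a specific FILE_WRITE_DATA request is not detected here."""
    wants_write = bool(desired_access & (0x40000000 | 0x10000000))
    may_create = creation_disposition in (1, 2, 4, 5)
    return wants_write or may_create


if __name__ == "__main__":
    # Constructed sample call, as the hook would see it for a read of a config file
    print(describe_create_file(u"C:\\Users\\x\\app.ini", 0x80000000, 0x1, 3))
```

Unknown bits are kept as a hex remainder rather than dropped, so a value the table does not cover (for example a specific right such as FILE_WRITE_DATA) still shows up in the log instead of silently vanishing.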

    XI. HookInternetExplorer HttpSendRequestW
    from winappdbg.win32 import PVOID, DWORD, HANDLE

    class DebugEvents(winappdbg.EventHandler):
        """
        Event handler class.
        event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
        """

        """
        BOOL HttpSendRequest(
            _In_ HINTERNET hRequest,
            _In_ LPCTSTR   lpszHeaders,
            _In_ DWORD     dwHeadersLength,
            _In_ LPVOID    lpOptional,
            _In_ DWORD     dwOptionalLength
        );
        """

        apiHooks = {

            # Hooks for the wininet.dll library - note this is case-sensitive
            "wininet.dll": [

                # Function            Signature
                ("HttpSendRequestW", (HANDLE, PVOID, DWORD, PVOID, DWORD)),
            ],
        }

        def pre_HttpSendRequestW(self, event, ra, hRequest, lpszHeaders,
                                 dwHeadersLength, lpOptional, dwOptionalLength):

            process = event.get_process()

            if dwHeadersLength != 0:
                mylogger.log_text(winapputil.utils.get_line())
                mylogger.log_text("HttpSendRequestW")

                headers = process.peek_string(lpszHeaders, fUnicode=True)
                mylogger.log_text("Headers %s" % (headers))

            if dwOptionalLength != 0:
                # This is not unicode - see the pointer name (lp vs. lpsz)
                # fUnicode is set to False (the default) then.
                # Caveat: peek_string stops at the first NUL byte, so a binary
                # POST body is truncated; process.read(lpOptional, dwOptionalLength)
                # returns the whole buffer.
                optional = process.peek_string(lpOptional, fUnicode=False)

                mylogger.log_text("Optional %s" % (optional))
                mylogger.log_text(winapputil.utils.get_line())

    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()


    XII. HookInternetExplorer HttpSendRequestW/HttpOpenRequest
    from winappdbg.win32 import PVOID, DWORD, HANDLE

    class DebugEvents(winappdbg.EventHandler):
        """
        Event handler class.
        event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
        """

        """
        BOOL HttpSendRequest(
            _In_ HINTERNET hRequest,
            _In_ LPCTSTR   lpszHeaders,
            _In_ DWORD     dwHeadersLength,
            _In_ LPVOID    lpOptional,
            _In_ DWORD     dwOptionalLength
        );

        HINTERNET HttpOpenRequest(
            _In_ HINTERNET hConnect,
            _In_ LPCTSTR   lpszVerb,
            _In_ LPCTSTR   lpszObjectName,
            _In_ LPCTSTR   lpszVersion,
            _In_ LPCTSTR   lpszReferer,
            _In_ LPCTSTR   *lplpszAcceptTypes,
            _In_ DWORD     dwFlags,
            _In_ DWORD_PTR dwContext
        );
        """

        apiHooks = {

            # Hooks for the wininet.dll library - note this is case-sensitive
            "wininet.dll": [

                # Function            Signature
                ("HttpSendRequestW", (HANDLE, PVOID, DWORD, PVOID, DWORD)),
                ("HttpOpenRequestW", (HANDLE, PVOID, PVOID, PVOID, PVOID, PVOID,
                                      DWORD, PVOID)),
            ],
        }

        def pre_HttpSendRequestW(self, event, ra, hRequest, lpszHeaders,
                                 dwHeadersLength, lpOptional, dwOptionalLength):

            process = event.get_process()

            if dwHeadersLength != 0:
                mylogger.log_text(winapputil.utils.get_line())
                mylogger.log_text("HttpSendRequestW")

                headers = process.peek_string(lpszHeaders, fUnicode=True)
                mylogger.log_text("Headers %s" % (headers))

            if dwOptionalLength != 0:
                # This is not unicode - see the pointer name (lp vs. lpsz)
                # False by default but a good idea to include it for clarity
                optional = process.peek_string(lpOptional, fUnicode=False)

                mylogger.log_text("Optional %s" % (optional))
                mylogger.log_text(winapputil.utils.get_line())

        def pre_HttpOpenRequestW(self, event, ra, hConnect, lpszVerb,
                                 lpszObjectName, lpszVersion, lpszReferer,
                                 lplpszAcceptTypes, dwFlags, dwContext):

            process = event.get_process()

            # A NULL (or empty) lpszVerb means GET
            verb = process.peek_string(lpszVerb, fUnicode=True)
            if not verb:
                verb = "GET"

            obj = process.peek_string(lpszObjectName, fUnicode=True)

            mylogger.log_text(winapputil.utils.get_line())
            mylogger.log_text("HttpOpenRequestW")
            mylogger.log_text("verb: %s" % verb)
            mylogger.log_text("obj : %s" % obj)
            mylogger.log_text(winapputil.utils.get_line())

    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()

    XIII. HookFirefoxFunction PR_Write
    from winappdbg.win32 import PVOID

    class DebugEvents(winappdbg.EventHandler):
        """
        Event handler class.
        event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
        """

        # Better hooking
        # https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

        """
        PRInt32 PR_Write(
            PRFileDesc *fd,
            const void *buf,
            PRInt32 amount);

        fd: A pointer to the PRFileDesc object for a file or socket
        buf: A pointer to the buffer holding the data to be written
        amount: The amount of data, in bytes, to be written from the buffer
        """

        apiHooks = {

            # Hooks for the nss3.dll library
            'nss3.dll': [

                ('PR_Write', (PVOID, PVOID, PVOID)),
            ],
        }

        def pre_PR_Write(self, event, ra, fd, buf, amount):

            process = event.get_process()

            # Size filter: skip very small and very large writes
            if (amount > 100) and (amount < 1000):
                mylogger.log_text("PR_Write")

                # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/process.py#L1581
                contents = process.read(buf, amount)

                mylogger.log_text("%s" % str(contents))

                mylogger.log_text(winapputil.utils.get_line())

    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()
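Added example (my code, not from these notes and not part of WinAppDbg or either browser): sections XII and XIII capture the same thing from two angles. The WinInet hooks see the request in pieces (verb and object name in HttpOpenRequestW, headers and optional body in HttpSendRequestW), while the nss3!PR_Write hook sees one plaintext buffer that begins with the request line. The helpers below normalise both into one record so the log lines are comparable; the function names are mine and the byte strings in the usage section are constructed, not captured traffic.

```python
# Added example, not part of the original notes: turn what the two browser
# hooks capture into the same request record. Internet Explorer's WinInet
# hooks see the pieces separately (verb and object name in HttpOpenRequestW,
# headers and optional body in HttpSendRequestW); Firefox's nss3!PR_Write
# hook sees one plaintext buffer that starts with the request line.
# The byte strings in the usage section are constructed for this example.


def parse_header_block(text):
    """Parse 'Name: value' lines separated by CRLF (the lpszHeaders format)
    into (name, value) pairs. Blank lines and lines without a colon are skipped."""
    headers = []
    for line in text.replace("\r\n", "\n").split("\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers.append((name.strip(), value.strip()))
    return headers


def header_value(headers, wanted):
    """Case-insensitive lookup of the first header called `wanted`."""
    for name, value in headers:
        if name.lower() == wanted.lower():
            return value
    return None


def request_from_wininet(verb, obj, headers_text, optional):
    """Combine the HttpOpenRequestW arguments (verb, object name) with the
    HttpSendRequestW arguments (headers, optional body). WinInet treats a NULL
    lpszVerb as GET, which is why the hook above defaults it that way."""
    return {
        "method": verb or "GET",
        "path": obj or "/",
        "headers": parse_header_block(headers_text or ""),
        "body": optional or b"",
    }


def request_from_pr_write(buf):
    """Parse the plaintext buffer PR_Write hands to NSS before encryption.
    Returns None when the buffer does not start with an HTTP request line,
    which is how the caller filters out non-HTTP writes on the same socket."""
    head, sep, body = buf.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return {
        "method": parts[0].decode("ascii", "replace"),
        "path": parts[1].decode("ascii", "replace"),
        "headers": parse_header_block(b"\r\n".join(lines[1:]).decode("latin-1")),
        "body": body if sep else b"",
    }


def format_request(req):
    """One log line per request, e.g. for mylogger.log_text()."""
    return "%s %s host=%s headers=%d body=%d" % (
        req["method"], req["path"],
        header_value(req["headers"], "Host") or "?",
        len(req["headers"]), len(req["body"]))


if __name__ == "__main__":
    # Constructed sample: the same POST as seen from each browser
    from_ie = request_from_wininet(
        u"POST", u"/login", u"Host: example.test\r\nContent-Length: 9\r\n", b"user=abcd")
    from_ff = request_from_pr_write(
        b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 9\r\n\r\nuser=abcd")
    print(format_request(from_ie))
    print(format_request(from_ff))
```

`request_from_pr_write` returning None for anything that does not start with a request line is the check the size filter in XIII approximates: it lets the hook ignore non-HTTP writes without guessing at byte counts.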

    XIV. ModifySleep on x86/x64
    from winappdbg.win32 import DWORD

    class DebugEvents(winappdbg.EventHandler):
        """
        Event handler class.
        event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
        """

        # Better hooking
        # https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

        """
        VOID WINAPI Sleep(
            _In_ DWORD dwMilliseconds
        );
        https://msdn.microsoft.com/en-us/library/windows/desktop/ms686298(v=vs.85).aspx
        """

        apiHooks = {

            # Hooks for the kernel32.dll library
            "kernel32.dll": [

                # Note how we are passing only one parameter
                ("Sleep", (DWORD, )),

                # We can also pass the number of arguments instead of the signature
                # ("Sleep", 1),
            ],
        }

        def pre_Sleep(self, event, ra, dwMilliseconds):

            process = event.get_process()
            process.suspend()

            thread = event.get_thread()

            bits = thread.get_bits()
            emulation = thread.is_wow64()

            logstring = "Original dwMilliseconds %d" % dwMilliseconds

            mylogger.log_text(logstring)

            # If running on a 32-bit machine or a 32-bit process on a 64-bit machine:
            # stdcall, so the argument sits on the stack right above the return address
            if bits == 32 or emulation is True:
                top_of_stack = thread.get_sp()

                # return_address, dwMilliseconds = thread.read_stack_dwords(2)
                # logstring = "Return Address %s" % \
                #     winappdbg.HexDump.address(return_address, bits)

                # mylogger.log_text(logstring)

                process.write_dword(top_of_stack + ((bits // 8) * 1), 0)

            # AMD64 calling convention on Windows uses fastcall
            # rcx, rdx, r8, r9 then stack

            elif bits == 64:
                thread.set_register("Rcx", 10000)

            process.resume()

    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()

    XV. ModifyDomainFunction in IE InternetConnectW
    class DebugEvents(winappdbg.EventHandler):
        """
        Event handler class.
        event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
        """

        # Better hooking
        # https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

        """
        HINTERNET InternetConnect(
            _In_ HINTERNET     hInternet,
            _In_ LPCTSTR       lpszServerName,
            _In_ INTERNET_PORT nServerPort,
            _In_ LPCTSTR       lpszUsername,
            _In_ LPCTSTR       lpszPassword,
            _In_ DWORD         dwService,
            _In_ DWORD         dwFlags,
            _In_ DWORD_PTR     dwContext
        );
        """

        apiHooks = {

            # Hooks for the wininet.dll library
            "wininet.dll": [

                # InternetConnectW
                # https://msdn.microsoft.com/en-us/library/windows/desktop/aa384363(v=vs.85).aspx
                # ("InternetConnectW", (HANDLE, PVOID, WORD, PVOID, PVOID, DWORD, DWORD, PVOID)),
                ("InternetConnectW", 8),

            ],
        }

        # Now we can simply define a method for each hooked API.
        # Methods beginning with "pre_" are called when entering the API,
        # and methods beginning with "post_" when returning from the API.

        def pre_InternetConnectW(self, event, ra, hInternet, lpszServerName,
                                 nServerPort, lpszUsername, lpszPassword,
                                 dwService, dwFlags, dwContext):

            process = event.get_process()
            process.suspend()
            thread = event.get_thread()

            server_name = process.peek_string(lpszServerName, fUnicode=True)
            print(server_name)

            if server_name == "example.com":

                # mylogger.log_text(server_name)

                # Encode as UTF-16LE, including the terminating NUL the API expects
                new_server_name = u"google.com\x00".encode("utf-16le")

                # Get length of new payload
                payload_length = len(new_server_name)

                # Allocate memory in the target process and get a pointer
                new_payload_addr = process.malloc(payload_length)

                # Write the new payload to that pointer
                process.write(new_payload_addr, new_server_name)

                top_of_stack = thread.get_sp()

                bits = thread.get_bits()
                emulation = thread.is_wow64()

                if bits == 32 or emulation is True:

                    # lpszServerName is the second argument: [esp] is the return
                    # address, [esp+4] hInternet, [esp+8] lpszServerName.
                    # Overwrite the old pointer with the pointer to the new payload
                    process.write_dword(top_of_stack + 8, new_payload_addr)

                elif bits == 64:
                    # The second argument travels in rdx
                    thread.set_register("Rdx", new_payload_addr)

            process.resume()

    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()
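Added example (my code, not from these notes and not part of WinAppDbg): the Sleep hook in XIV and the InternetConnectW hook in XV each patch one argument by hand (the first at esp+4 / rcx, the second at esp+8 / rdx). The helper below generalises that to any argument index on x86 stdcall and x64, using the same WinAppDbg Process/Thread method names the hooks rely on (`get_sp`, `set_register`, `write_dword`, `write_qword`, `malloc`, `write`), and builds the wide string with an explicit terminator. `FakeProcess` and `FakeThread` are stand-ins I invented so the logic runs without a debuggee; they are not WinAppDbg classes.

```python
# Added example, not part of the original notes. The Sleep and InternetConnectW
# hooks above each patch one argument by hand: Sleep's first (esp+4 / rcx)
# and InternetConnectW's second (esp+8 / rdx). This helper generalises that
# to any argument index using the same WinAppDbg Process/Thread method names
# (get_sp, set_register, write_dword, write_qword, malloc, write).
# FakeProcess and FakeThread are stand-ins invented for this example so the
# logic can run without a debuggee; they are not WinAppDbg classes.

import struct

# Windows x64 calling convention: first four integer/pointer args in registers
X64_REGISTER_ARGS = ("Rcx", "Rdx", "R8", "R9")


def arg_slot(bits, index):
    """Where argument `index` (0-based) lives when an entry breakpoint hits.
    x86 stdcall: every arg is on the stack, [esp] is the return address, so
    arg i is at esp + 4*(i+1).  x64: args 0..3 are registers; arg 4 onward is
    at rsp + 8*(i+1), because [rsp] is the return address and the 32-byte
    shadow space (rsp+8..rsp+0x27) precedes the fifth argument."""
    if bits == 32:
        return ("stack", 4 * (index + 1))
    if bits == 64:
        if index < 4:
            return ("register", X64_REGISTER_ARGS[index])
        return ("stack", 8 * (index + 1))
    raise ValueError("unsupported bitness: %r" % (bits,))


def patch_integer_arg(process, thread, bits, index, value):
    """Overwrite an integer/pointer argument in place. `bits` is the value of
    thread.get_bits(), which is already 32 for a WOW64 process, so no separate
    is_wow64() check is needed here. Returns the slot that was written."""
    kind, where = arg_slot(bits, index)
    if kind == "register":
        thread.set_register(where, value)
    elif bits == 32:
        process.write_dword(thread.get_sp() + where, value)
    else:
        process.write_qword(thread.get_sp() + where, value)
    return kind, where


def wide_cstring(text):
    """UTF-16LE bytes with the terminating NUL the debuggee expects; the hook
    above relied on malloc()'s zero fill to supply it implicitly."""
    return (text + u"\x00").encode("utf-16le")


def patch_string_arg(process, thread, bits, index, text):
    """Place a new wide string in the debuggee and point argument `index` at it.
    The original buffer is left untouched: it may be read-only or shared."""
    payload = wide_cstring(text)
    addr = process.malloc(len(payload))
    process.write(addr, payload)
    patch_integer_arg(process, thread, bits, index, addr)
    return addr


class FakeProcess(object):
    """Stand-in for winappdbg.Process with a dict as memory (example only)."""
    def __init__(self):
        self.mem = {}
        self._next = 0x10000

    def malloc(self, size):
        addr = self._next
        self._next += 0x1000             # one page per allocation is enough here
        self.mem[addr] = b"\x00" * size  # zero filled like VirtualAllocEx
        return addr

    def write(self, addr, data):
        self.mem[addr] = data

    def write_dword(self, addr, value):
        self.mem[addr] = struct.pack("<I", value)

    def write_qword(self, addr, value):
        self.mem[addr] = struct.pack("<Q", value)


class FakeThread(object):
    """Stand-in for winappdbg.Thread (example only)."""
    def __init__(self, sp):
        self.sp = sp
        self.registers = {}

    def get_sp(self):
        return self.sp

    def set_register(self, name, value):
        self.registers[name] = value


if __name__ == "__main__":
    # Constructed run: redirect InternetConnectW's lpszServerName (arg 1)
    # in a 32-bit debuggee, the same operation the hook above performs.
    proc, thr = FakeProcess(), FakeThread(0x7000)
    new_addr = patch_string_arg(proc, thr, 32, 1, u"example.test")
    print(hex(new_addr), proc.mem[0x7008] == struct.pack("<I", new_addr))
```

The x64 branch matters more than it looks: writing the fifth or later argument at rsp+8 (the x86 habit) would land in the shadow space, which the callee is free to overwrite, so the patched value never reaches the function.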

    XVI. RegistryReader RegQueryValueExW
    import binascii

    class DebugEvents(winappdbg.EventHandler):
        """
        Event handler class.
        event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
        """

        # Better hooking
        # https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

        """
        LONG WINAPI RegQueryValueEx(
            _In_        HKEY    hKey,
            _In_opt_    LPCTSTR lpValueName,
            _Reserved_  LPDWORD lpReserved,
            _Out_opt_   LPDWORD lpType,
            _Out_opt_   LPBYTE  lpData,
            _Inout_opt_ LPDWORD lpcbData
        );
        """

        apiHooks = {

            # Hooks for the advapi32.dll library
            # Can also hook kernel32.dll
            "advapi32.dll": [

                # RegQueryValueEx
                # https://msdn.microsoft.com/en-us/library/windows/desktop/ms724911(v=vs.85).aspx
                # ("RegQueryValueExW", (HANDLE, PVOID, PVOID, PVOID, PVOID, PVOID)),
                ("RegQueryValueExW", 6),

            ],
        }

        def pre_RegQueryValueExW(self, event, ra, hKey, lpValueName, lpReserved,
                                 lpType, lpData, lpcbData):

            # Store the pointers for later use in post_.
            # Caveat: these attributes are shared by every thread of the
            # debuggee, so with concurrent callers a post_ may see the
            # pointers stored by another thread's pre_.
            self.hKey = hKey
            self.lpValueName = lpValueName
            self.lpType = lpType
            self.lpData = lpData
            self.lpcbData = lpcbData

        def post_RegQueryValueExW(self, event, retval):
            process = event.get_process()

            process.suspend()

            table = winappdbg.Table("\t")
            table.addRow("", "")

            # Need to watch out for optional parameters (NULL pointers)
            if self.lpType != 0:
                keyType = process.read_dword(self.lpType)
                table.addRow("keyType", keyType)

            valueName = process.peek_string(self.lpValueName, fUnicode=True)
            table.addRow("valueName", valueName)

            # lpcbData may only be NULL when lpData is NULL
            size = None
            if self.lpcbData != 0:
                size = process.read_dword(self.lpcbData)
                table.addRow("size", size)

            # The output buffer only holds valid data when the call returned
            # ERROR_SUCCESS (0); on ERROR_MORE_DATA lpcbData carries the
            # required size instead.
            if self.lpData != 0 and size is not None and retval == 0:
                data = process.read(self.lpData, size)
                table.addRow("data", data)
                table.addRow("data-hex", binascii.hexlify(data))

            mylogger.log_text(table.getOutput())
            mylogger.log_text("-" * 30)

            process.resume()

    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()

    XVII. RegistryWriter
    class DebugEvents(winappdbg.EventHandler):
        """
        Event handler class.
        event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
        """

        # Better hooking
        # https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

        """
        LONG WINAPI RegQueryValueEx(
            _In_        HKEY    hKey,
            _In_opt_    LPCTSTR lpValueName,
            _Reserved_  LPDWORD lpReserved,
            _Out_opt_   LPDWORD lpType,
            _Out_opt_   LPBYTE  lpData,
            _Inout_opt_ LPDWORD lpcbData
        );
        """

        apiHooks = {

            # Hooks for the advapi32.dll library
            "advapi32.dll": [

                # RegQueryValueEx
                # https://msdn.microsoft.com/en-us/library/windows/desktop/ms724911(v=vs.85).aspx
                # ("RegQueryValueExW", (HANDLE, PVOID, PVOID, PVOID, PVOID, PVOID)),
                ("RegQueryValueExW", 6),

            ],
        }

        def pre_RegQueryValueExW(self, event, ra, hKey, lpValueName, lpReserved,
                                 lpType, lpData, lpcbData):

            # Store the pointers for later use in post_
            self.hKey = hKey
            self.lpValueName = lpValueName
            self.lpType = lpType
            self.lpData = lpData
            self.lpcbData = lpcbData

        def post_RegQueryValueExW(self, event, retval):
            process = event.get_process()

            process.suspend()

            valueName = process.peek_string(self.lpValueName, fUnicode=True)

            # Only patch the buffer when the call actually filled it
            # (lpData not NULL, return value ERROR_SUCCESS)
            if valueName == "layout" and self.lpData != 0 and retval == 0:
                # size = process.read_dword(self.lpcbData)
                # data = process.read(self.lpData, size)

                newLayout = 0x00

                # Writes 4 bytes, i.e. the value is assumed to be a REG_DWORD
                process.write_dword(self.lpData, newLayout)

                # OR
                # process.write(self.lpData, "00".decode("hex"))

            process.resume()

    # Create an instance of our eventhandler class
    myeventhandler = DebugEvents()
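Added example (my code, not from these notes and not part of WinAppDbg): the reader in XVI logs lpData as a hex dump and the writer in XVII overwrites it with a DWORD regardless of the value's type or size. The helpers below decode the (lpType, lpData, lpcbData) triple the post_ hook reads back into a typed Python value, encode a replacement the same way, and refuse a replacement longer than the application's buffer. The REG_* constants are the documented values; the function names and the sample buffers are mine.

```python
# Added example, not part of the original notes: decode and encode the
# (lpType, lpData, lpcbData) triple that post_RegQueryValueExW reads back,
# so the reader logs a typed value rather than only a hex dump, and the
# writer replaces it with correctly sized bytes. The REG_* constants are the
# documented values; the sample buffers in the usage section are constructed.

import struct

REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 0, 1, 2, 3, 4
REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ, REG_QWORD = 5, 6, 7, 11

REG_TYPE_NAMES = {
    REG_NONE: "REG_NONE", REG_SZ: "REG_SZ", REG_EXPAND_SZ: "REG_EXPAND_SZ",
    REG_BINARY: "REG_BINARY", REG_DWORD: "REG_DWORD",
    REG_DWORD_BIG_ENDIAN: "REG_DWORD_BIG_ENDIAN", REG_LINK: "REG_LINK",
    REG_MULTI_SZ: "REG_MULTI_SZ", REG_QWORD: "REG_QWORD",
}

_STRING_TYPES = (REG_SZ, REG_EXPAND_SZ, REG_LINK)


def decode_reg_value(reg_type, data):
    """Return (type name, Python value) for the raw bytes in lpData.
    Strings are UTF-16LE because the W variant was hooked. A numeric buffer
    shorter than its type, or an unknown type, is returned as raw bytes."""
    name = REG_TYPE_NAMES.get(reg_type, "REG_0x%x" % reg_type)
    if reg_type in _STRING_TYPES:
        # Stop at the first NUL; a missing terminator is tolerated
        return name, data.decode("utf-16le", "replace").split(u"\x00", 1)[0]
    if reg_type == REG_MULTI_SZ:
        text = data.decode("utf-16le", "replace")
        return name, [s for s in text.split(u"\x00") if s]
    if reg_type == REG_DWORD and len(data) >= 4:
        return name, struct.unpack("<I", data[:4])[0]
    if reg_type == REG_DWORD_BIG_ENDIAN and len(data) >= 4:
        return name, struct.unpack(">I", data[:4])[0]
    if reg_type == REG_QWORD and len(data) >= 8:
        return name, struct.unpack("<Q", data[:8])[0]
    return name, data


def encode_reg_value(reg_type, value):
    """Inverse of decode_reg_value: the bytes to write back into lpData."""
    if reg_type in _STRING_TYPES:
        return (value + u"\x00").encode("utf-16le")
    if reg_type == REG_MULTI_SZ:
        return (u"\x00".join(value) + u"\x00\x00").encode("utf-16le")
    if reg_type == REG_DWORD:
        return struct.pack("<I", value)
    if reg_type == REG_DWORD_BIG_ENDIAN:
        return struct.pack(">I", value)
    if reg_type == REG_QWORD:
        return struct.pack("<Q", value)
    return bytes(value)


def safe_replacement(reg_type, value, buffer_size):
    """Encode `value` for a write into the application's lpData buffer and
    refuse it when it would exceed lpcbData: a longer write runs past the
    buffer the debuggee handed to RegQueryValueExW and corrupts its heap."""
    encoded = encode_reg_value(reg_type, value)
    if len(encoded) > buffer_size:
        raise ValueError("replacement needs %d bytes, buffer holds %d"
                         % (len(encoded), buffer_size))
    return encoded


def reg_log_line(value_name, reg_type, data):
    """The line post_RegQueryValueExW would log for one query."""
    type_name, value = decode_reg_value(reg_type, data)
    return "%s (%s) = %r" % (value_name, type_name, value)


if __name__ == "__main__":
    # Constructed buffers as the hook would read them back from the debuggee
    print(reg_log_line(u"layout", REG_DWORD, b"\x01\x00\x00\x00"))
    print(reg_log_line(u"Path", REG_SZ, u"C:\\tools\x00".encode("utf-16le")))
    print(safe_replacement(REG_DWORD, 0, 4) == b"\x00" * 4)
```

In the post_ hook the size check is the one that protects the debuggee: `safe_replacement(keyType, new_value, size)` with `size` read from lpcbData yields bytes that `process.write(self.lpData, ...)` can store without overrunning the application's buffer.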