Goal: Reverse the latest Magniber ransomware with the focus on its PEB traversal function resolving APIs to hardcoded hashes.
Original infector: a4100b682b2b63374e4ed2fc937d9b96
Decoded payload: f51a5b8ee6a5f25aa293911702a37a34
Background:
- The ransomware served by Magnitude Exploit Kit (EK), named “Magniber,” specifically targets individuals in the Republic of Korea. Magniber checks that the potential victim’s system default language is Korean (code: 0x0412) via GetSystemDefaultUILanguage; if it is, the ransomware will terminate. Magniber generates a unique command-and-control (C2) server and ransom note website for each victim, only giving a valid response if the victim’s public IP address is located in South Korea.
#Magniber #Ransomware new variant via #MagnitudeEK with extension “.wmfxdqz”, evolved and is obfuscated now – still targets to South Korea.
Thx! @hasherezade @jeromesegura
MD5: a4100b682b2b63374e4ed2fc937d9b96 pic.twitter.com/b1BultusoG— Marcelo Rivero (@MarceloRivero) December 13, 2017
https://platform.twitter.com/widgets.js
Malwarebytes’ @hasherezade and FireEye researchers previously extensively covered some of the Magniber ransomware cryptography and basic functionality. The scope of the blog is to unpack the ransomware with the focus on its PEB traversal function resolving APIs to hardcoded hashes.
Outline:
I. Unpacking Magniber ransomware
II. Victim ID generation function
III. The PEB traversal function resolving hashes to API
IV. Indicators of compromise
I. Unpacking malware
Extract the first-layer Magniber ransomware payload after it decodes and injects itself via WriteProcessMemory. This process is rather trivial, and it includes simply dumping the buffer in OllyDbg.
II. Victim ID generation function
The very first function the Magniber ransomware performs right after the “start,” which is the main entry, is the DWORD victim ID generation function iterating from 0-9 in one function and from a-z in another one. The passed argument to the function is 19, which signifies the length of the returned bot ID generation function. It is a pretty interesting way to generate victim IDs leveraging GetTickCount Windows API calls iterating through [0-9a-z] characters until it reaches the count of 19 characters.
The C++ function is as follows:
_WORD *__cdecl generator_19_victim_id_string(int a1)
{
HANDLE v1;
_WORD *v3;
int i;
v1 = GetProcessHeap();
v3 = HeapAlloc(v1, 8u, 2 * a1 + 2);
for ( i = 0; i < a1; ++i )
{
if ( get_tick_count_func(0, 1) )
v3[i] = get_tick_count_func(‘0’, ‘9’);
else
v3[i] = get_tick_count_func(‘a’, ‘z’);
}
v3[a1] = 0;
return v3;
III. The PEB traversal code resolving hashes to APIs
Here, we observe interesting Magniber ransomware technique for traversing the Process Environment Block (PEB) data.
PEB is a user-mode data structure that can be used by applications to get information such as the list of loaded modules, process startup arguments, heap address amongst other useful capabilities. From MSDN more on the PEB structure, read here.
The malware traverses PEB structure to search for module hash match obtaining access to PEB via __readfsdword( 0x30 ) [fs:30h] iterating through loaded modules looking for pFunctionName and matching it with hash via ROTR macro implementing the logic of a rotate right operation.
By and large, this PEB traversal function is used to load hashes and to avoid usual sequence of LoadLibrary and GetProcAddress API from anti-virus basic detection. In this case, the ransomware resolves all Advapi32 cryptography, registry and Internet API calls.
Notably, this PEB traversal is almost an exact copy of the GitHub code belonging to the project “Position Independent Code Bindshell.”
The function C++ code works as follows:
int __cdecl resolve_api_by_hash(int a1)
{
int pFunctionName;
int v3;
int v4;
int v5;
_DWORD *pdwFunctionNameBase;
int v7;
int v8;
unsigned int dwFunctionHash;
int dwModuleHash;
int v11;
_BYTE *pTempChar;
_BYTE *pTempChar_;
unsigned int i;
unsigned int j;
v7 = *(_DWORD *)(*(_DWORD *)(__readfsdword(0x30) + 0xC) + 0xC);// 0x30 = PEB; 0x0C = InLoadOrderModuleList
while ( *(_DWORD *)(v7 + 0x18) )
// while (pDataTableEntry->DllBase != NULL))
{
dwModuleHash = 0;
v8 = *(_DWORD *)(v7 + 0x18);
// pDataTableEntry->DllBase
v3 = *(_DWORD *)(v7 + 0x2C);
// pDataTableEntry->BaseDllName
v4 = *(_DWORD *)(v7 + 0x30);
// pNTHeader
v5 = *(_DWORD *)(*(_DWORD *)(v8 + 0x3C) + v8 + 0x78);
/*pNTHeader >OptionalHeader.DataDirectory[0].VirtualAddress;dwExportDirRVA
*/
v7 = *(_DWORD *)v7;
if ( v5 )
// dwExportDirRVA != 0
{
for ( i = 0; i < HIWORD(v3); ++i )
// calculate module hash
{
pTempChar = (_BYTE *)(i + v4); // pTempChar
v11 = (dwModuleHash <> 13);
// dwModuleHash = ROTR32( dwModuleHash, 13 )
if ( (signed int)*(_BYTE *)(i + v4) < ‘a’ )
// if ( *pTempChar >= 0x61 )
dwModuleHash = v11 + *pTempChar;
// dwModuleHash += *pTempChar
else
dwModuleHash = v11 + *pTempChar – ‘ ‘;
// dwModuleHash += *pTempChar – 0x20
}
pdwFunctionNameBase = (_DWORD *)(*(_DWORD *)(v5 + v8 + 0x20) + v8);
// pdwFunctionNameBase = (PDWORD) ((PCHAR) pModuleBase + pExportDir->AddressOfNames)
for ( j = 0; j < *(_DWORD *)(v5 + v8 + 0x18); ++j )// for (i = 0; i < dwNumFunctions; i++)
{
dwFunctionHash = 0;
pFunctionName = v8 + *pdwFunctionNameBase;
// (PCSTR) (*pdwFunctionNameBase + (ULONG_PTR) pModuleBase)
++pdwFunctionNameBase;
pTempChar_ = (_BYTE *)pFunctionName;
do
dwFunctionHash = ((dwFunctionHash <> 13)) + *pTempChar_++;
// dwFunctionHash = ROTR32( dwFunctionHash, 13 )
while ( *(pTempChar_ – 1) );
if ( dwModuleHash + dwFunctionHash == a1 )
return *(_DWORD *)(*(_DWORD *)(v5 + v8 + 28) + v8 + 4 * *(_WORD *)(*(_DWORD *)(v5 + v8 + 36) + v8 + 2 * j))
+ v8;
}
}
}
return 0;
}
{
int pFunctionName;
int v3;
int v4;
int v5;
_DWORD *pdwFunctionNameBase;
int v7;
int v8;
unsigned int dwFunctionHash;
int dwModuleHash;
int v11;
_BYTE *pTempChar;
_BYTE *pTempChar_;
unsigned int i;
unsigned int j;
v7 = *(_DWORD *)(*(_DWORD *)(__readfsdword(0x30) + 0xC) + 0xC);// 0x30 = PEB; 0x0C = InLoadOrderModuleList
while ( *(_DWORD *)(v7 + 0x18) )
// while (pDataTableEntry->DllBase != NULL))
{
dwModuleHash = 0;
v8 = *(_DWORD *)(v7 + 0x18);
// pDataTableEntry->DllBase
v3 = *(_DWORD *)(v7 + 0x2C);
// pDataTableEntry->BaseDllName
v4 = *(_DWORD *)(v7 + 0x30);
// pNTHeader
v5 = *(_DWORD *)(*(_DWORD *)(v8 + 0x3C) + v8 + 0x78);
/*pNTHeader >OptionalHeader.DataDirectory[0].VirtualAddress;dwExportDirRVA
*/
v7 = *(_DWORD *)v7;
if ( v5 )
// dwExportDirRVA != 0
{
for ( i = 0; i < HIWORD(v3); ++i )
// calculate module hash
{
pTempChar = (_BYTE *)(i + v4); // pTempChar
v11 = (dwModuleHash <> 13);
// dwModuleHash = ROTR32( dwModuleHash, 13 )
if ( (signed int)*(_BYTE *)(i + v4) < ‘a’ )
// if ( *pTempChar >= 0x61 )
dwModuleHash = v11 + *pTempChar;
// dwModuleHash += *pTempChar
else
dwModuleHash = v11 + *pTempChar – ‘ ‘;
// dwModuleHash += *pTempChar – 0x20
}
pdwFunctionNameBase = (_DWORD *)(*(_DWORD *)(v5 + v8 + 0x20) + v8);
// pdwFunctionNameBase = (PDWORD) ((PCHAR) pModuleBase + pExportDir->AddressOfNames)
for ( j = 0; j < *(_DWORD *)(v5 + v8 + 0x18); ++j )// for (i = 0; i < dwNumFunctions; i++)
{
dwFunctionHash = 0;
pFunctionName = v8 + *pdwFunctionNameBase;
// (PCSTR) (*pdwFunctionNameBase + (ULONG_PTR) pModuleBase)
++pdwFunctionNameBase;
pTempChar_ = (_BYTE *)pFunctionName;
do
dwFunctionHash = ((dwFunctionHash <> 13)) + *pTempChar_++;
// dwFunctionHash = ROTR32( dwFunctionHash, 13 )
while ( *(pTempChar_ – 1) );
if ( dwModuleHash + dwFunctionHash == a1 )
return *(_DWORD *)(*(_DWORD *)(v5 + v8 + 28) + v8 + 4 * *(_WORD *)(*(_DWORD *)(v5 + v8 + 36) + v8 + 2 * j))
+ v8;
}
}
}
return 0;
}
The PEB traversal function leveraged 18 times to import and resolve the following hashes to their respective functions as follows:
IV. Indicators of Compromise
Default AES_KEY:
rpa7A7464MovZ807
Initialization vector:
fKwJ97sQ63y1D309
The list of the decoded subdomains is as follows:
piruns[.]racing
sawchip[.]life
oneking[.]space
Tor Domain:
r6zhyjiytkramynl[.]onion
The list of whitelisted directories is as follows:
[‘:\\\\documents and settings\\\\all users\\\\’, ‘:\\\\documents and settings\\\\default user\\\\’, ‘:\\\\documents and settings\\\\localservice\\\\’, ‘:\\\\documents and settings\\\\networkservice\\\\’, ‘\\\\appdata\\\\local\\\\’, ‘\\\\appdata\\\\locallow\\\\’, ‘\\\\appdata\\\\roaming\\\\’, ‘\\\\local settings\\\\’, ‘\\\\public\\\\music\\\\sample music\\\\’, ‘\\\\public\\\\pictures\\\\sample pictures\\\\’, ‘\\\\public\\\\videos\\\\sample videos\\\\’, ‘\\\\tor browser\\\\’, ‘\\\\$recycle.bin’, ‘\\\\$windows.~bt’, ‘\\\\$windows.~ws’, ‘\\\\boot’, ‘\\\\intel’, ‘\\\\msocache’, ‘\\\\perflogs’, ‘\\\\program files (x86)’, ‘\\\\program files’, ‘\\\\programdata’, ‘\\\\recovery’, ‘\\\\recycled’, ‘\\\\recycler’, ‘\\\\system volume information’, ‘\\\\windows.old’, ‘\\\\windows10upgrade’, ‘\\\\windows’, ‘\\\\winnt’]
Targeted extensions:
[‘doc’, ‘docx’, ‘xls’, ‘xlsx’, ‘ppt’, ‘pptx’, ‘pst’, ‘ost’, ‘msg’, ’em’, ‘vsd’, ‘vsdx’, ‘csv’, ‘rtf’, ‘123’, ‘wks’, ‘wk1’, ‘pdf’, ‘dwg’, ‘onetoc2’, ‘snt’, ‘docb’, ‘docm’, ‘dot’, ‘dotm’, ‘dotx’, ‘xlsm’, ‘xlsb’, ‘xlw’, ‘xlt’, ‘xlm’, ‘xlc’, ‘xltx’, ‘xltm’, ‘pptm’, ‘pot’, ‘pps’, ‘ppsm’, ‘ppsx’, ‘ppam’, ‘potx’, ‘potm’, ‘edb’, ‘hwp’, ‘602’, ‘sxi’, ‘sti’, ‘sldx’, ‘sldm’, ‘vdi’, ‘vmx’, ‘gpg’, ‘aes’, ‘raw’, ‘cgm’, ‘nef’, ‘psd’, ‘ai’, ‘svg’, ‘djvu’, ‘sh’, ‘class’, ‘jar’, ‘java’, ‘rb’, ‘asp’, ‘php’, ‘jsp’, ‘brd’, ‘sch’, ‘dch’, ‘dip’, ‘p’, ‘vb’, ‘vbs’, ‘ps1’, ‘js’, ‘asm’, ‘h’, ‘pas’, ‘cpp’, ‘c’, ‘cs’, ‘suo’, ‘sln’, ‘ldf’, ‘mdf’, ‘ibd’, ‘myi’, ‘myd’, ‘frm’, ‘odb’, ‘dbf’, ‘db’, ‘mdb’, ‘accdb’, ‘sq’, ‘sqlitedb’, ‘sqlite3’, ‘asc’, ‘lay6’, ‘lay’, ‘mm’, ‘sxm’, ‘otg’, ‘odg’, ‘uop’, ‘std’, ‘sxd’, ‘otp’, ‘odp’, ‘wb2’, ‘slk’, ‘dif’, ‘stc’, ‘sxc’, ‘ots’, ‘ods’, ‘3dm’, ‘max’, ‘3ds’, ‘uot’, ‘stw’, ‘sxw’, ‘ott’, ‘odt’, ‘pem’, ‘p12’, ‘csr’, ‘crt’, ‘key’, ‘pfx’, ‘der’, ‘1cd’, ‘cd’, ‘arw’, ‘jpe’, ‘eq’, ‘adp’, ‘odm’, ‘dbc’, ‘frx’, ‘db2’, ‘dbs’, ‘pds’, ‘pdt’, ‘dt’, ‘cf’, ‘cfu’, ‘mx’, ‘epf’, ‘kdbx’, ‘erf’, ‘vrp’, ‘grs’, ‘geo’, ‘st’, ‘pff’, ‘mft’, ‘efd’, ‘rib’, ‘ma’, ‘lwo’, ‘lws’, ‘m3d’, ‘mb’, ‘obj’, ‘x’, ‘x3d’, ‘c4d’, ‘fbx’, ‘dgn’, ‘4db’, ‘4d’, ‘4mp’, ‘abs’, ‘adn’, ‘a3d’, ‘aft’, ‘ahd’, ‘alf’, ‘ask’, ‘awdb’, ‘azz’, ‘bdb’, ‘bib’, ‘bnd’, ‘bok’, ‘btr’, ‘cdb’, ‘ckp’, ‘clkw’, ‘cma’, ‘crd’, ‘dad’, ‘daf’, ‘db3’, ‘dbk’, ‘dbt’, ‘dbv’, ‘dbx’, ‘dcb’, ‘dct’, ‘dcx’, ‘dd’, ‘df1’, ‘dmo’, ‘dnc’, ‘dp1’, ‘dqy’, ‘dsk’, ‘dsn’, ‘dta’, ‘dtsx’, ‘dx’, ‘eco’, ‘ecx’, ’emd’, ‘fcd’, ‘fic’, ‘fid’, ‘fi’, ‘fm5’, ‘fo’, ‘fp3’, ‘fp4’, ‘fp5’, ‘fp7’, ‘fpt’, ‘fzb’, ‘fzv’, ‘gdb’, ‘gwi’, ‘hdb’, ‘his’, ‘ib’, ‘idc’, ‘ihx’, ‘itdb’, ‘itw’, ‘jtx’, ‘kdb’, ‘lgc’, ‘maq’, ‘mdn’, ‘mdt’, ‘mrg’, ‘mud’, ‘mwb’, ‘s3m’, ‘ndf’, ‘ns2’, ‘ns3’, ‘ns4’, ‘nsf’, ‘nv2’, ‘nyf’, ‘oce’, ‘oqy’, ‘ora’, ‘orx’, ‘owc’, ‘owg’, ‘oyx’, ‘p96’, ‘p97’, ‘pan’, ‘pdb’, ‘pdm’, ‘phm’, ‘pnz’, ‘pth’, ‘pwa’, ‘qpx’, ‘qry’, ‘qvd’, ‘rctd’, ‘rdb’, ‘rpd’, ‘rsd’, ‘sbf’, ‘sdb’, ‘sdf’, ‘spq’, ‘sqb’, ‘stp’, ‘str’, ‘tcx’, ‘tdt’, ‘te’, ‘tmd’, ‘trm’, ‘udb’, ‘usr’, ‘v12’, ‘vdb’, ‘vpd’, ‘wdb’, ‘wmdb’, ‘xdb’, ‘xld’, ‘xlgc’, ‘zdb’, ‘zdc’, ‘cdr’, ‘cdr3’, ‘abw’, ‘act’, ‘aim’, ‘ans’, ‘apt’, ‘ase’, ‘aty’, ‘awp’, ‘awt’, ‘aww’, ‘bad’, ‘bbs’, ‘bdp’, ‘bdr’, ‘bean’, ‘bna’, ‘boc’, ‘btd’, ‘cnm’, ‘crw’, ‘cyi’, ‘dca’, ‘dgs’, ‘diz’, ‘dne’, ‘docz’, ‘dsv’, ‘dvi’, ‘dx’, ‘eio’, ‘eit’, ’emlx’, ‘epp’, ‘err’, ‘etf’, ‘etx’, ‘euc’, ‘faq’, ‘fb2’, ‘fb’, ‘fcf’, ‘fdf’, ‘fdr’, ‘fds’, ‘fdt’, ‘fdx’, ‘fdxt’, ‘fes’, ‘fft’, ‘flr’, ‘fodt’, ‘gtp’, ‘frt’, ‘fwdn’, ‘fxc’, ‘gdoc’, ‘gio’, ‘gpn’, ‘gsd’, ‘gthr’, ‘gv’, ‘hbk’, ‘hht’, ‘hs’, ‘htc’, ‘hz’, ‘idx’, ‘ii’, ‘ipf’, ‘jis’, ‘joe’, ‘jp1’, ‘jrtf’, ‘kes’, ‘klg’, ‘knt’, ‘kon’, ‘kwd’, ‘lbt’, ‘lis’, ‘lit’, ‘lnt’, ‘lp2’, ‘lrc’, ‘lst’, ‘ltr’, ‘ltx’, ‘lue’, ‘luf’, ‘lwp’, ‘lyt’, ‘lyx’, ‘man’, ‘map’, ‘mbox’, ‘me’, ‘mel’, ‘min’, ‘mnt’, ‘mwp’, ‘nfo’, ‘njx’, ‘now’, ‘nzb’, ‘ocr’, ‘odo’, ‘of’, ‘oft’, ‘ort’, ‘p7s’, ‘pfs’, ‘pjt’, ‘prt’, ‘psw’, ‘pu’, ‘pvj’, ‘pvm’, ‘pwi’, ‘pwr’, ‘qd’, ‘rad’, ‘rft’, ‘ris’, ‘rng’, ‘rpt’, ‘rst’, ‘rt’, ‘rtd’, ‘rtx’, ‘run’, ‘rzk’, ‘rzn’, ‘saf’, ‘sam’, ‘scc’, ‘scm’, ‘sct’, ‘scw’, ‘sdm’, ‘sdoc’, ‘sdw’, ‘sgm’, ‘sig’, ‘sla’, ‘sls’, ‘smf’, ‘sms’, ‘ssa’, ‘sty’, ‘sub’, ‘sxg’, ‘tab’, ‘tdf’, ‘tex’, ‘text’, ‘thp’, ‘tlb’, ‘tm’, ‘tmv’, ‘tmx’, ‘tpc’, ‘tvj’, ‘u3d’, ‘u3i’, ‘unx’, ‘uof’, ‘upd’, ‘utf8’, ‘utxt’, ‘vct’, ‘vnt’, ‘vw’, ‘wbk’, ‘wcf’, ‘wgz’, ‘wn’, ‘wp’, ‘wp4’, ‘wp5’, ‘wp6’, ‘wp7’, ‘wpa’, ‘wpd’, ‘wp’, ‘wps’, ‘wpt’, ‘wpw’, ‘wri’, ‘wsc’, ‘wsd’, ‘wsh’, ‘wtx’, ‘xd’, ‘xlf’, ‘xps’, ‘xwp’, ‘xy3’, ‘xyp’, ‘xyw’, ‘ybk’, ‘ym’, ‘zabw’, ‘zw’, ‘abm’, ‘afx’, ‘agif’, ‘agp’, ‘aic’, ‘albm’, ‘apd’, ‘apm’, ‘apng’, ‘aps’, ‘apx’, ‘art’, ‘asw’, ‘bay’, ‘bm2’, ‘bmx’, ‘brk’, ‘brn’, ‘brt’, ‘bss’, ‘bti’, ‘c4’, ‘ca’, ‘cals’, ‘can’, ‘cd5’, ‘cdc’, ‘cdg’, ‘cimg’, ‘cin’, ‘cit’, ‘colz’, ‘cpc’, ‘cpd’, ‘cpg’, ‘cps’, ‘cpx’, ‘cr2’, ‘ct’, ‘dc2’, ‘dcr’, ‘dds’, ‘dgt’, ‘dib’, ‘djv’, ‘dm3’, ‘dmi’, ‘vue’, ‘dpx’, ‘wire’, ‘drz’, ‘dt2’, ‘dtw’, ‘dv’, ‘ecw’, ‘eip’, ‘exr’, ‘fa’, ‘fax’, ‘fpos’, ‘fpx’, ‘g3’, ‘gcdp’, ‘gfb’, ‘gfie’, ‘ggr’, ‘gih’, ‘gim’, ‘spr’, ‘scad’, ‘gpd’, ‘gro’, ‘grob’, ‘hdp’, ‘hdr’, ‘hpi’, ‘i3d’, ‘icn’, ‘icon’, ‘icpr’, ‘iiq’, ‘info’, ‘ipx’, ‘itc2’, ‘iwi’, ‘j’, ‘j2c’, ‘j2k’, ‘jas’, ‘jb2’, ‘jbig’, ‘jbmp’, ‘jbr’, ‘jfif’, ‘jia’, ‘jng’, ‘jp2’, ‘jpg2’, ‘jps’, ‘jpx’, ‘jtf’, ‘jw’, ‘jxr’, ‘kdc’, ‘kdi’, ‘kdk’, ‘kic’, ‘kpg’, ‘lbm’, ‘ljp’, ‘mac’, ‘mbm’, ‘mef’, ‘mnr’, ‘mos’, ‘mpf’, ‘mpo’, ‘mrxs’, ‘my’, ‘ncr’, ‘nct’, ‘nlm’, ‘nrw’, ‘oc3’, ‘oc4’, ‘oc5’, ‘oci’, ‘omf’, ‘oplc’, ‘af2’, ‘af3’, ‘asy’, ‘cdmm’, ‘cdmt’, ‘cdmz’, ‘cdt’, ‘cmx’, ‘cnv’, ‘csy’, ‘cv5’, ‘cvg’, ‘cvi’, ‘cvs’, ‘cvx’, ‘cwt’, ‘cxf’, ‘dcs’, ‘ded’, ‘dhs’, ‘dpp’, ‘drw’, ‘dxb’, ‘dxf’, ‘egc’, ’emf’, ‘ep’, ‘eps’, ‘epsf’, ‘fh10’, ‘fh11’, ‘fh3’, ‘fh4’, ‘fh5’, ‘fh6’, ‘fh7’, ‘fh8’, ‘fif’, ‘fig’, ‘fmv’, ‘ft10’, ‘ft11’, ‘ft7’, ‘ft8’, ‘ft9’, ‘ftn’, ‘fxg’, ‘gem’, ‘glox’, ‘hpg’, ‘hpg’, ‘hp’, ‘idea’, ‘igt’, ‘igx’, ‘imd’, ‘ink’, ‘lmk’, ‘mgcb’, ‘mgmf’, ‘mgmt’, ‘mt9’, ‘mgmx’, ‘mgtx’, ‘mmat’, ‘mat’, ‘ovp’, ‘ovr’, ‘pcs’, ‘pfv’, ‘plt’, ‘vrm’, ‘pobj’, ‘psid’, ‘rd’, ‘scv’, ‘sk1’, ‘sk2’, ‘ssk’, ‘stn’, ‘svf’, ‘svgz’, ‘tlc’, ‘tne’, ‘ufr’, ‘vbr’, ‘vec’, ‘vm’, ‘vsdm’, ‘vstm’, ‘stm’, ‘vstx’, ‘wpg’, ‘vsm’, ‘xar’, ‘ya’, ‘orf’, ‘ota’, ‘oti’, ‘ozb’, ‘ozj’, ‘ozt’, ‘pa’, ‘pano’, ‘pap’, ‘pbm’, ‘pc1’, ‘pc2’, ‘pc3’, ‘pcd’, ‘pdd’, ‘pe4’, ‘pef’, ‘pfi’, ‘pgf’, ‘pgm’, ‘pi1’, ‘pi2’, ‘pi3’, ‘pic’, ‘pict’, ‘pix’, ‘pjpg’, ‘pm’, ‘pmg’, ‘pni’, ‘pnm’, ‘pntg’, ‘pop’, ‘pp4’, ‘pp5’, ‘ppm’, ‘prw’, ‘psdx’, ‘pse’, ‘psp’, ‘ptg’, ‘ptx’, ‘pvr’, ‘px’, ‘pxr’, ‘pz3’, ‘pza’, ‘pzp’, ‘pzs’, ‘z3d’, ‘qmg’, ‘ras’, ‘rcu’, ‘rgb’, ‘rgf’, ‘ric’, ‘riff’, ‘rix’, ‘rle’, ‘rli’, ‘rpf’, ‘rri’, ‘rs’, ‘rsb’, ‘rsr’, ‘rw2’, ‘rw’, ‘s2mv’, ‘sci’, ‘sep’, ‘sfc’, ‘sfw’, ‘skm’, ‘sld’, ‘sob’, ‘spa’, ‘spe’, ‘sph’, ‘spj’, ‘spp’, ‘sr2’, ‘srw’, ‘wallet’, ‘jpeg’, ‘jpg’, ‘vmdk’, ‘arc’, ‘paq’, ‘bz2’, ‘tbk’, ‘bak’, ‘tar’, ‘tgz’, ‘gz’, ‘7z’, ‘rar’, ‘zip’, ‘backup’, ‘iso’, ‘vcd’, ‘bmp’, ‘png’, ‘gif’, ‘tif’, ‘tiff’, ‘m4u’, ‘m3u’, ‘mid’, ‘wma’, ‘flv’, ‘3g2’, ‘mkv’, ‘3gp’, ‘mp4’, ‘mov’, ‘avi’, ‘asf’, ‘mpeg’, ‘vob’, ‘mpg’, ‘wmv’, ‘fla’, ‘swf’, ‘wav’, ‘mp3’]
Reverse Engineering, Malware Deep Insight 