Showing posts tagged #malware analysis

Return Home

Goal

Analyze code re-use in binaries to attribute unknown samples to families / threat actors. To do this we can obtain the list of functions in an executable and hash each function's opcodes using a fuzzy hash algorithm (kind of what Diaphora does). For the fuzzy hashing I will be using ssdeep, and for the opcode extraction r2 (and r2pipe).

Data preparation

First, we need some data to work on (hashes + samples). I will be using a QuantLoader sample set, as it is a rather simple malware.

With that in mind, we need to identify some landmark functions in a Quant

Read More

I've recently come across an APT named Dimnie by Palo Alto's Unit42 (full report here). The purpose of Dimnie is to exfiltrate sensitive data to the attacker. The peculiarity about Dimnie is that it does so with a peculiar trick. Dimnie changes the HTTP Host header to point to a well-known trusted domain while it actualy sends the request to an attacker-controlled server. This can be done as the HTTP Host header is not actually used for routing, but rather for virtual hosting purposes, as the docs say. This makes the HTTP request look like it's headed to a trusted

Read More

Notice: As noted by @Antelox this is just a loader that drops LokiBot, not LokiBot itself.

Preface

Loki is a credential harvester bot sold in Russian underground forums and black markets.

Loki as advertised

Goal

For this blogpost, the goal will be to defeat/patch Loki's anti measures to be able to properly analyze malicious behavior.

Analysis

Initial triage

File hashes for the sample I'll be using:

MD5: 09D2E274F1F50AB81105A3A6B9BE34CF
SHA-1: 04AD370BFE1A0AFA273568EE18F8C14BD8E612DC
SHA-256: D7AAAFB88B91A937D1EF8BCAA97F88A13545364269F510A95DAB4A72B68A4313

The sample has a pretty low detection ratio (8/58) as of now (29/03/2017) on VirusTotal.

TrID report:

Win32 Executable Delphi generic (37.4%)
Windows screen saver (34.

Read More

Goal

In this entry we will have a look at the Bendis maldoc. Bendis is a fairly unknown and simple maldoc that has a dropper functionality. It's only purpose is being a gateway for more mature malware.

Word document

We are confronted yet again with a Word document which includes macros.

File hashes:

MD5: 3e77ad5e07c65aeeb7a3b2e268eb102b
SHA1: 73f35866e29959a2397303fb3ec0c0b7e74226f3
SHA256: fdda128f909cbfb549a6a342cfb71e09dfbc695d799dbfd80d95b42e82fc1e9c
ssdeep1536:OXxUzn9/biXPK2NSy7DL3WBWZn+9cHYRJ5SEbbXr7eLTFxXw:USYSy49rRLbbO7

If we try to open the VBA debugger we will see heavily obfuscated code, even strings are obfuscated. A quick look reveals that there is a module called XoGrrJy that has many calls to CallByName so

Read More

Previous analysis:

We are presented with a Word document that has macros. The VBA code for the macros is obfuscated but we can clearly see that it is using some interesting Win32 API calls like VirtualAlloc and CallWindowProc, which later renames.

Thus, we can just set a breakpoint on the renamed CallWindowProc function to trace shellcode. (This is explained more in depth by the Minerva guys).


Shellcode

The shellcode first resolves LdrLoadDLL:

Then resolves Kernel32.dll

Resolves ExpandEnvironmentStringsA:

And calls it with %TMP%\\bg618.exe.

Then resolves CreateFileA, VirtualAlloc, VirtualFree and CreateWindowProcA, ReadFile, CloseHandle and

Read More