legal contact
 

FOR610 Reverse-Engineering Malware

Workbook: Section 1

These are my notes while preparing myself for the GIAC exam.

Step 1.1

Extract ASCII and Unicode strings embedded into brbbot.exe

GitHUB reference analysis: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Brbbot/Brbbot.md


pestr brbbot.exe

[....]

  • Crypt
  • AcquireContextW
  • CryptDeriveKey
  • CryptReleaseContext
  • CryptEncrypt
  • CryptCreateHash
  • CryptDestroyKey
  • CryptDecrypt
  • CryptDestroyHash
  • CryptHashData

[....]

Software\Microsoft\Windows\CurrentVersion\Run

brbconfig.tmp

Use PeStudio on Windows REM Workstation and peframe on REMnux to examine key aspects of brbbot.exe and spot anomalous characteristics

Step 1.3

fakedns (to answer all dns requests with the local IP)

httpd start to serve http requests from above

wireshark to extract the actual payload

Embeded payload:

123f373e600822282f3e366028362828753e233e603828292828753e233e602c32353235322f753e233e603828292828753e233e60283e292d32383e28753e233e602c323537343c3435753e233e6037283a2828753e233e60282d383334282f753e233e60282d383334282f753e233e603d34352f3f292d3334282f753e233e603d34352f3f292d3334282f753e233e60282d383334282f753e233e60282d383334282f753e233e603f2c36753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60163e363429227b1834362b293e282832343560282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282b343437282d753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60083e382e29322f22133e3a372f33083e292d32383e753e233e60282d383334282f753e233e600d1c1a2e2f33083e292d32383e753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e6028323334282f753e233e60282d383334282f753e233e60282d383334282f753e233e602f3a28303334282f2c753e233e60282d383334282f753e233e60282d383334282f753e233e60382f3d363435753e233e603e232b3734293e29753e233e6008333e37371e232b3e29323e35383e1334282f753e233e60083e3a2938330e12753e233e60282d383334282f753e233e60092e352f32363e192934303e29753e233e60092e352f32363e192934303e29753e233e60282d383334282f753e233e60083e3a29383312353f3e233e29753e233e60282d383334282f753e233e60282d383334282f753e233e602d362f343437283f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60173438301a2b2b753e233e60092e352f32363e192934303e29753e233e60282d383334282f753e233e60282d383334282f753e233e601a2b2b3732383a2f3234351d293a363e1334282f753e233e600c3235082f34293e751a2b2b753e233e60092e352f32363e192934303e29753e233e60092e352f32363e192934303e29753e233e602f3a28303334282f2c753e233e603f37373334282f753e233e600c323508180b753e233e60282d383334282f753e233e60282d383334282f753e233e603f37373334282f753e233e60282d383334282f753e233e60313a2d3a2c753e233e603f3e3834362b32373e753e233e603834353334282f753e233e6039293939342f753e233e

  • Note down fakedns replying back to requesting: fakedns[INFO]: Response: brb.3dtuts.by -> 192.168.11.128
  • Note down httpd being asked for ads.php

Step 1.4

run_speakeasy.py -t brbbot.exe -o speakeasy.json 2> speakeasy.txt

capa -vv brbbot.exe >brbbot.capa.txt

code speakeasy.txt:

KERNEL32.CreateFileA("brbconfig.tmp", "GENERIC_READ | GENERIC_WRITE", 0x1, 0x0, "CREATE_ALWAYS", 0x20002000000000, 0x0)' -> 0x80

CreateFileA("brbconfig.tmp", 0x1, 0x1, 0x0, "OPEN_EXISTING", 0x80, 0x0)' -> 0x84

'KERNEL32.ReadFile(0x84, 0x8580, 0x3e8, 0x1211c88, 0x0)' -> 0x1

'ADVAPI32.CryptDecrypt(0x8560, 0x0, 0x1, 0x0, 0x8580, 0x1211c88)' -> 0x1

code brbbot.capa.txt

api: wininet.HttpOpenRequest @ 0x14000306B

api: CryptEncrypt @ 0x140002B62

api: ws2_32.gethostbyname @ 0x1400017C3

string: "Software\\Microsoft\\Windows\\CurrentVersion\\Run" @ 0x140002413


Step 1.5

using x64dbg and setting a breakpoint on ReadFile

Debug > Run to user code

find the section that finally decrypts and place the cursor right after (to "test eax,eax")

Debug > Run until selection


Note the XOR key of "5b"

Also note down the reverse writen commands that the process is willing to accept:
"uri=ads.php;exec=cexe;file=elif;conf=fnoc;exit=tixe;encode=5b;sleep=30000"

Cyberchef
1. In the Operations region of CyberChef, find the From Hex operation, click on it (without letting go of the mouse), and drag it to the Recipe region.
2. In the Operations region of CyberChef, navigate to the Encryption / Decoding section, find the XOR operation, click on it (without letting go of the mouse), and drag it to the Recipe region.
3. Specify the deobfuscation key by typing 5b into the Key area of the XOR recipe step. This is the key you discovered earlier after decrypting the brbconfig.tmp file

This could be a list of processes and services that shall NOT be decrypted as the system needs to run a little for decrypting the system after the the coins have been paid.
Idle;System;smss.exe;csrss.exe;wininit.exe;csrss.exe;services.exe;winlogon.exe;lsass.exe;svchost.exe;svchost.exe;fontdrvhost.exe;fontdrvhost.exe;svchost.exe;svchost.exe;dwm.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;Memory Compression;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;spoolsv.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;SecurityHealthService.exe;svchost.exe;VGAuthService.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;sihost.exe;svchost.exe;svchost.exe;taskhostw.exe;svchost.exe;svchost.exe;ctfmon.exe;explorer.exe;ShellExperienceHost.exe;SearchUI.exe;svchost.exe;RuntimeBroker.exe;RuntimeBroker.exe;svchost.exe;SearchIndexer.exe;svchost.exe;svchost.exe;vmtoolsd.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;LockApp.exe;RuntimeBroker.exe;svchost.exe;svchost.exe;ApplicationFrameHost.exe;WinStore.App.exe;RuntimeBroker.exe;RuntimeBroker.exe;taskhostw.exe;dllhost.exe;WinSCP.exe;svchost.exe;svchost.exe;dllhost.exe;svchost.exe;javaw.exe;decompile.exe;conhost.exe;brbbot.exe

Step 1.7

using fakedns

using inetsim to intercept https traffic

sudo less /var/log/inetsim/service.log


Note: GET /images/1m6r.exe HTTP/1.1

Note: Request URL: https://talonstamed.com/images/1m6r.exe

Step 1.8

using accept-all-ips

usr/local/bin/accept-all-ips

if [ "${2}" = "" ]; then
  INTERFACE=`mynic`
else
  INTERFACE="${2}"
fi
if [ "${1}" = "start" ]; then
  echo "OK, iptables will accept and redirect connections to all IPs on $INTERFACE."
  echo "Remember to set the client system's default gateway to IP of this REMnux host."
  sudo iptables -t nat -A PREROUTING -i $INTERFACE -j REDIRECT
  sudo ip6tables -t nat -A PREROUTING -i $INTERFACE -j REDIRECT
elif [ "${1}" = "stop" ]; then
  echo "OK, iptables is set to stop redirecting connections to all IPs on $INTERFACE."
  sudo iptables -t nat -D PREROUTING -i $INTERFACE -j REDIRECT
  sudo ip6tables -t nat -D PREROUTING -i $INTERFACE -j REDIRECT
else 
  echo "Usage: accept-all-ips <start|stop> [interface]"
fi