Posts

Showing posts from 2017

Extracting encrypted contents from Kronos Banking Trojan

Introduction

This post explains how to identify and extract encrypted contents stashed away in the resource section of malware. This is a common technique used by malware authors to make analysis more difficult. The current analysis uses pestudio for initial triage, signsrch to identify encryption algorithms, and x64dbg to disassemble the binary.

Tools

pestudio - https://www.winitor.com/
signsrch - http://aluigi.altervista.org/mytoolz.htm
x64dbg - https://x64dbg.com/#start
hxd - https://mh-nexus.de/en/hxd/

Disclaimer

You are dealing with real malware samples.
Don't expose them to internal networks or the internet.
Analyze them in controlled environments (sandboxes).
We are not responsible for any consequences or damage if you fail to follow these rules.

Analysis

A Windows 7 virtual machine was set up with the above-mentioned tools. A snapshot of the clean Windows 7 state with all tools installed was taken. The below mentioned Kronos variant

Extracting ZeroAccess from NTFS Extended Attributes using PowerForensics

Introduction

This post explains how to use PowerForensics (https://github.com/Invoke-IR/PowerForensics) to extract the NTFS extended attributes content from a ZeroAccess-infected system. ZeroAccess used NTFS extended attributes to maintain a persistence mechanism on the infected system.

"If installed on Windows Vista or higher, ZeroAccess will attempt to patch the Windows file services.exe. A subroutine inside services.exe is overwritten with shellcode that is carried inside the ZeroAccess dropper. A large amount of binary data is also written to the NTFS Extended Attributes of services.exe. Extended Attributes are a feature of NTFS similar in nature to Alternate Data Streams, where extra information about the file can be stored on the file system. ZeroAccess uses this feature to hide a whole PE file as well as shellcode that loads the PE file. The overwritten subroutine in services.exe reads in all the data from the Extended Attributes and executes it. The shellcode then loads and e

Five awesome tools to perform behavioural analysis of a malware

Introduction

This post explains five awesome tools to perform behavioural analysis of malware. These tools are really handy for performing a quick behavioural analysis to understand the characteristics of a malware specimen. The main objective of behavioural analysis is to pull out indicators of compromise in order to detect and defend proactively.

Tools

Process Hacker (http://processhacker.sourceforge.net/)
Process Monitor (ProcMon) (https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx)
CaptureBat (https://www.honeynet.org/node/315)
Microsoft Network Monitor (https://blogs.technet.microsoft.com/netmon/p/downloads/)
Autoruns (https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)

Disclaimer

You are dealing with real malware samples.
Don't expose them to internal networks or the internet.
Analyze them in controlled environments (sandboxes).
We are not responsible for any consequences or damage if you fail to follow these rules.

Analysis

A win