Posts

Showing posts from 2017

Extracting encrypted contents from Kronos Banking Trojan

Introduction

This post explains how to identify and extract encrypted contents stashed away in the resource section of malware. Hiding payloads this way is a common technique used by malware authors to make analysis more difficult. The analysis below uses pestudio for initial triage, signsrch to identify encryption algorithms, and x64dbg to disassemble the binary.

Tools
pestudio - https://www.winitor.com/
signsrch - http://aluigi.altervista.org/mytoolz.htm
x64dbg - https://x64dbg.com/#start
hxd - https://mh-nexus.de/en/hxd/

Disclaimer

You are dealing with real malware samples
Don’t expose them to internal networks or the internet
Analyze them in a controlled environment (sandbox)
We are not responsible for any consequences or damage if you fail to obey the rules

Analysis

A Windows 7 virtual machine was set up with the above-mentioned tools. A snapshot of the clean Windows 7 state, with all tools installed, was taken. The Kronos variant mentioned below is going to be used in the following analy…

Extracting ZeroAccess from NTFS Extended Attributes using PowerForensics

Introduction

This post explains how to use PowerForensics (https://github.com/Invoke-IR/PowerForensics) to extract the contents of NTFS extended attributes from a ZeroAccess-infected system. ZeroAccess used NTFS extended attributes as a persistence mechanism on infected systems.

"If installed on Windows Vista or higher ZeroAccess will attempt to patch the Windows file services.exe. A subroutine inside services.exe is overwritten with shellcode that is carried inside the ZeroAccess dropper.
A large amount of binary data is also written to the NTFS Extended Attributes of services.exe. Extended Attributes are a feature of NTFS similar in nature to Alternate Data Streams where extra information about the file can be stored on the file system. ZeroAccess uses this feature to hide a whole PE file as well as shellcode that loads the PE file. The overwritten subroutine in services.exe reads in all the data from the Extended Attributes and executes it. The shellcode then loads and executes t…

Five awesome tools to perform behavioural analysis of a malware

Introduction

This post covers five awesome tools for performing behavioural analysis of malware. They are really handy for a quick behavioural analysis that reveals the characteristics of a malware specimen. The main objective of behavioural analysis is to pull out indicators of compromise that can be used to detect and defend proactively.

Tools 

Process Hacker (http://processhacker.sourceforge.net/)
Process Monitor (ProcMon) (https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx)
CaptureBat (https://www.honeynet.org/node/315)
Microsoft Network Monitor (https://blogs.technet.microsoft.com/netmon/p/downloads/)
Autoruns (https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)

Disclaimer

You are dealing with real malware samples
Don’t expose them to internal networks or the internet
Analyze them in a controlled environment (sandbox)
We are not responsible for any consequences or damage if you fail to obey the rules

Analysis

A Windows 7 virtual machine was set up with the above me…