Showing posts from November, 2017

Extracting encrypted contents from Kronos Banking Trojan

Introduction

This post explains how to identify and extract encrypted contents stashed away in the resource section of a malware sample. Hiding a payload there is a common technique used by malware authors to make analysis more difficult. The analysis below uses pestudio for initial triage, signsrch to identify encryption algorithms, and x64dbg to disassemble and debug the binary.
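
As an added example (not code from the original post), the following Python script shows the two checks this walkthrough leans on before the debugger comes out: per-resource entropy, to spot a stashed blob that looks encrypted the way pestudio's resource view would, and a scan for well-known algorithm constants in the spirit of signsrch. Everything it analyses is constructed in memory: the "resources" and "code bytes" are stand-ins, and the signature set is a hand-picked handful rather than signsrch's database. With a real sample the inputs would be read from the PE's resource directory and code/data sections.

```python
# Added example, not from the original post: entropy triage of PE resources plus a
# small crypto-constant scan. Inputs are constructed stand-ins (see build_sample).
import hashlib
import math
import struct
from typing import Dict, List, Tuple

# Public algorithm constants in the little-endian form an x86 compiler emits.
# A hit proves the algorithm's tables are present, not that they decrypt a given blob.
CRYPTO_SIGNATURES: Dict[str, bytes] = {
    "AES forward S-box (first 16 bytes)":
        bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),
    "SHA-256 K[0..3]":
        struct.pack("<4I", 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5),
    "MD5 T[0..3]":
        struct.pack("<4I", 0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE),
    "CRC32 table[1..3]":
        struct.pack("<3I", 0x77073096, 0xEE0E612C, 0x990951BA),
}

ENTROPY_THRESHOLD = 7.0  # bits per byte; strings, icons and XML sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_crypto_constants(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every occurrence of a known constant."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in CRYPTO_SIGNATURES.items():
        off = data.find(pattern)
        while off != -1:
            hits.append((off, name))
            off = data.find(pattern, off + 1)
    return sorted(hits)


def triage_resources(resources: Dict[str, bytes]) -> Dict[str, dict]:
    """Size and entropy per resource, flagging candidates for an encrypted payload."""
    report = {}
    for name, blob in resources.items():
        h = shannon_entropy(blob)
        report[name] = {"size": len(blob), "entropy": round(h, 3),
                        "suspicious": h >= ENTROPY_THRESHOLD}
    return report


def carve_suspicious(resources: Dict[str, bytes]) -> Dict[str, bytes]:
    """The blobs an analyst would dump to disk (the HxD/x64dbg step) for decryption."""
    report = triage_resources(resources)
    return {n: resources[n] for n, info in report.items() if info["suspicious"]}


def _keystream(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted payload (constructed)."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


def build_sample() -> Tuple[Dict[str, bytes], bytes]:
    """Constructed stand-in for a PE: resource directory contents plus code bytes."""
    resources = {
        "RT_RCDATA/101": _keystream(b"constructed payload", 4096),  # encrypted-looking blob
        "RT_STRING/7": b"Error: unable to open the configuration file.\r\n" * 40,
        "RT_MANIFEST/1": b"<assembly xmlns='urn:schemas-microsoft-com:asm.v1' "
                         b"manifestVersion='1.0'/>",
    }
    # Code/data stand-in: a NOP sled, then the two constant tables an AES and a
    # SHA-256 implementation drag into the binary, separated by 16 bytes of padding.
    code = (b"\x90" * 64
            + CRYPTO_SIGNATURES["AES forward S-box (first 16 bytes)"]
            + b"\x00" * 16
            + CRYPTO_SIGNATURES["SHA-256 K[0..3]"])
    return resources, code


if __name__ == "__main__":
    res, code = build_sample()
    for name, info in triage_resources(res).items():
        flag = "<-- candidate payload" if info["suspicious"] else ""
        print(f"{name:16} size={info['size']:6} entropy={info['entropy']:.3f} {flag}")
    for off, sig in find_crypto_constants(code):
        print(f"code+0x{off:04x}: {sig}")
```

Two caveats a practitioner should keep in mind. High entropy only says "encrypted or compressed", so a flagged resource still has to be confirmed by finding the code that consumes it, which is the x64dbg step. A constant hit says the algorithm's tables are linked into the binary; which routine actually decrypts the carved blob, and with what key, is again settled in the debugger, not by the scan.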

Tools
pestudio - https://www.winitor.com/
signsrch - http://aluigi.altervista.org/mytoolz.htm
x64dbg - https://x64dbg.com/#start
hxd - https://mh-nexus.de/en/hxd/

Disclaimer

You are dealing with real malware samples. Don't expose them to internal networks or the internet. Analyze them in a controlled environment (a sandbox). We are not responsible for any consequences or damage if you fail to obey these rules.

Analysis

A Windows 7 virtual machine was set up with the above mentioned tools, and a snapshot of that clean state (Windows 7 plus the tools) was taken so the machine can be reverted after each run. The below mentioned Kronos variant is going to be used in the following analy…