Posts

Showing posts from November, 2017

Extracting encrypted contents from Kronos Banking Trojan

Introduction

This post explains how to identify and extract encrypted contents stashed away in the Resource section of malware. It is a common technique used by malware authors to make analysis more difficult. The current analysis uses pestudio for initial triage, signsrch to identify encryption algorithms, and x64dbg to disassemble the binary.

Tools

pestudio - https://www.winitor.com/
signsrch - http://aluigi.altervista.org/mytoolz.htm
x64dbg - https://x64dbg.com/#start
hxd - https://mh-nexus.de/en/hxd/

Disclaimer

You are dealing with real malware samples. Don't expose them to internal networks or the internet. Analyze them in controlled environments (sandboxes). We are not responsible for any consequences or damage if you fail to obey the rules.

Analysis

A Windows 7 virtual machine was set up with the above mentioned tools, and a snapshot of the clean Windows 7 state with all tools installed was taken. The below mentioned Kronos variant