Monday, December 18, 2017

Malware - TrickBot Analysis December 2017

What's new:

New execution flow - the directory structure has changed. Instead of the winapp folder under %APPDATA%, look for these:

C:\Users\me\AppData\Roaming\services\
C:\Users\me\AppData\Roaming\services\Modules

And, of course, a new icon :)

Identifiers:

Compiler: Microsoft Visual Basic v5.0/v6.0 (the dropper is compiled VB6 and imports only the VB runtime)

Imports:
MSVBVM60.DLL - 70 functions

VERSIONINFO resource (the string values below are filler that changes from build to build, so treat them as a curiosity rather than a stable indicator; the VB6 wrapper and the single MSVBVM60.DLL import are the more durable traits):

1 VERSIONINFO
FILEVERSION 5,0,0,0
PRODUCTVERSION 5,0,0,0
FILEOS 0x4
FILETYPE 0x1
{
BLOCK "StringFileInfo"
{
    BLOCK "040904B0"
    {
        VALUE "CompanyName", "Thadickatt House"
        VALUE "FileDescription", "Pil, ecco quanto produce il Sistema Umbria"
        VALUE "LegalCopyright", "Copyright © 2017 - DUESSE COMMUNICATION S.r.l"
        VALUE "LegalTrademarks", "Edah, should not be confused with the Haredi communal body in Israel known as the Edah"
        VALUE "ProductName", "Thadickat"
        VALUE "FileVersion", "5.00"
        VALUE "ProductVersion", "5.00"
        VALUE "InternalName", "Thadickat"
        VALUE "OriginalFilename", "Thadickat.exe"
    }
}

BLOCK "VarFileInfo"
{
    VALUE "Translation", 0x0409 0x04B0 
}
}


FLOW:

Load Image                     C:\Windows\SysWOW64\kernel32.dll
Load Image                     C:\Windows\SysWOW64\KernelBase.dll
RegOpenKey                     HKLM\System\CurrentControlSet\Control\Terminal Server
RegOpenKey                     HKLM\Software\Wow6432Node\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Load Image                     C:\Windows\SysWOW64\apphelp.dll
RegOpenKey                     HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Disable8And16BitMitigation
CreateFile                     C:\Windows\SysWOW64\rpcss.dll
RegOpenKey                     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
RegCloseKey                    HKLM\Software\Wow6432Node\Microsoft\Cryptography\Offload
CreateFile                     C:\Users\Vishal Thakur\AppData\Local\Temp\~DF77D59600395B2DB0.TMP
RegOpenKey                     HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
RegOpenKey                     HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\KnownFolders
CreateFile                     C:\Users\Vishal Thakur\AppData\Roaming
CreateFile                     C:\Users\Vishal Thakur\AppData\Roaming\services
CreateFile                     C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe
CreateFile                     C:\Windows\SysWOW64\ntmarta.dll
SetEndOfFileInformationFile    C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe
WriteFile                      C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe
Thread Exit
Process Exit
CloseFile
RegOpenKey                     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Uiaejdlat.exe
CreateFile                     C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe

*Uiaejdlat.exe will obviously change with every binary - look out for the registry entries and file creations rather than the name. Note that the first part of the trace (Terminal Server, Safer\CodeIdentifiers, apphelp.dll, AppCompatFlags) is ordinary loader and shim-engine activity for any new 32-bit process, and the Image File Execution Options lookup at the end is the system checking for a debugger entry when the dropped copy is launched, not the malware writing persistence. The events worth alerting on are the CreateFile/SetEndOfFile/WriteFile sequence that drops a copy into %APPDATA%\services, the original process exiting, and the dropped copy then being opened for execution.

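The file-system side of the above is easy to sweep for across a host's profiles. The following is an added example, not code from the original post: a small triage script that walks every profile under a Users directory for the %APPDATA%\services layout described above (a dropped .exe plus a Modules folder) and hashes what it finds. The profile tree built in demo() is constructed for illustration; the file names in it are placeholders (Uiaejdlat.exe is the name from this sample, sample_module.dll is invented), not real malware.

```python
import hashlib
import tempfile
from pathlib import Path

# Layout observed in the December 2017 sample, relative to a user profile.
SERVICES_DIR = Path("AppData") / "Roaming" / "services"
MODULES_DIR = SERVICES_DIR / "Modules"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large droppers do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_profiles(users_root: Path) -> list[dict]:
    """Scan each profile under users_root (normally C:\\Users) for the
    %APPDATA%\\services layout. Emits one finding per executable in that
    folder and one per Modules directory so the caller can pivot on hashes."""
    findings = []
    for profile in sorted(p for p in users_root.iterdir() if p.is_dir()):
        services = profile / SERVICES_DIR
        if not services.is_dir():
            continue
        for exe in sorted(services.glob("*.exe")):
            findings.append({
                "user": profile.name,
                "kind": "dropped_exe",
                "path": str(exe),
                "sha256": sha256_of(exe),
            })
        modules = profile / MODULES_DIR
        if modules.is_dir():
            findings.append({
                "user": profile.name,
                "kind": "modules_dir",
                "path": str(modules),
                "entries": sorted(p.name for p in modules.iterdir()),
            })
    return findings


def demo() -> list[dict]:
    """Build a constructed fake Users tree (not real malware) and scan it."""
    root = Path(tempfile.mkdtemp(prefix="users_"))
    # Infected profile: randomly named exe plus a Modules folder.
    victim = root / "me" / SERVICES_DIR
    (victim / "Modules").mkdir(parents=True)
    (victim / "Uiaejdlat.exe").write_bytes(b"MZ" + b"\x00" * 62)  # constructed stub
    (victim / "Modules" / "sample_module.dll").write_bytes(b"stub")  # constructed
    # Clean profile: has AppData\Roaming but no services folder.
    (root / "clean" / "AppData" / "Roaming").mkdir(parents=True)
    return hunt_profiles(root)


if __name__ == "__main__":
    for finding in hunt_profiles(Path(r"C:\Users")):
        print(finding)
```

Run it as a user who can read every profile; a clean host returns an empty list, and a hit should be followed by checking whether the dropped .exe is currently running or referenced by a scheduled task, since the trace only shows the file being written and reopened.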

Monday, December 4, 2017

Cracking password protected VBA Project code - macro code in complex encryption

It's pretty well documented on the internet how you can crack a password-protected VBA project in an Office document. It works in almost all cases :)

If the document is a macro-enabled OOXML file (the zipped format), you will not find the DPB entry by searching the document itself, because the VBA project is stored compressed inside the archive. This becomes a bit of an annoyance.

Here's how to crack it quickly.

The file asks for a password when you try to look into the project code.

1. Save the file on your desktop.

Try to load this into a hex editor and see if you can find the DPB entry - you won't.

Now follow on to the next step.

2. Change the file extension to 'zip'.
3. Now simply double-click on this archive to browse the compressed file.

You will see a bunch of files. Go into the 'word' folder and look for the .bin file.
Now, copy the bin file (vbaProject.bin) to a different location, open it in your favourite hex editor and search for DPB.

You will find it now: vbaProject.bin is an OLE compound file, and the PROJECT stream that holds the DPB= password property is stored in it as plain text.

Change this to DPx and save the file. The VBE does not recognise a DPx property, so it stops treating the project as password-protected.
4. Now, replace the bin file in the archive with the new file that you just saved. Note that we are not unzipping the file at any point.

5. Move back up and rename the file extension back to .doc from .zip.

6. Now open this file in Word - it will throw a bunch of errors, just click through them.

7. Now, when you go into the project, it will not ask you for a password, but it will still not show you the code. That's ok, it's expected. Don't panic, just go into the project properties and give it a new password. Save and exit.

8. Re-launch the file in Word - go to the project, and it'll ask you for a password. Give it the new password that you set.

9. Enjoy.

:)
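Steps 2 through 5 above can be done without touching Explorer or a hex editor. The following is an added example, not code from the original post: it opens the document as a zip container, rewrites word/vbaProject.bin with every DPB= renamed to DPx=, and writes a new container with the other parts copied unchanged. The make_sample_docm() helper builds a constructed stand-in (a zip with a fake vbaProject.bin whose PROJECT text carries a placeholder DPB= line), not a real Office file, so the logic can be exercised offline; the part name and the placeholder values are assumptions for the example.

```python
import io
import sys
import zipfile

# Part name of the VBA project in a macro-enabled Word document.
# Excel and PowerPoint use xl/vbaProject.bin and ppt/vbaProject.bin.
VBA_PART = "word/vbaProject.bin"


def patch_dpb(vba_bin: bytes) -> tuple[bytes, int]:
    """Rename the DPB= property in the PROJECT stream to DPx=.
    Operates on the raw bytes of vbaProject.bin (an OLE compound file);
    the PROJECT stream is plain text, which is why a byte search finds it.
    Returns the patched bytes and the number of occurrences replaced."""
    count = vba_bin.count(b"DPB=")
    return vba_bin.replace(b"DPB=", b"DPx="), count


def strip_vba_password(doc_bytes: bytes, part_name: str = VBA_PART) -> tuple[bytes, int]:
    """Return a copy of the OOXML container with the VBA part patched, plus
    the replacement count. Raises ValueError if there is no VBA project."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as src:
        if part_name not in src.namelist():
            raise ValueError(f"{part_name} not present; not a macro-enabled document?")
        out = io.BytesIO()
        replaced = 0
        with zipfile.ZipFile(out, "w") as dst:
            for info in src.infolist():
                data = src.read(info.filename)
                if info.filename == part_name:
                    data, replaced = patch_dpb(data)
                # Reuse the original entry metadata (compression method, timestamp).
                dst.writestr(info, data)
    return out.getvalue(), replaced


def read_vba_part(doc_bytes: bytes, part_name: str = VBA_PART) -> bytes:
    """Pull one part back out of a container (used to verify the patch)."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        return z.read(part_name)


def make_sample_docm() -> bytes:
    """Constructed stand-in for a protected .docm: a deflated zip whose fake
    vbaProject.bin carries a PROJECT-style text block with a DPB= entry.
    Not a real Office file, just enough structure for the patch logic."""
    project_stream = (
        b'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
        b'Name="Project"\r\n'
        b'CMG="0000"\r\n'
        b'DPB="0000"\r\n'  # placeholder value, not a real password hash
        b'GC="0000"\r\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        # OLE magic followed by padding stands in for the compound-file header.
        z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0" + b"\x00" * 28 + project_stream)
    return buf.getvalue()


if __name__ == "__main__":
    src_path, dst_path = sys.argv[1], sys.argv[2]
    with open(src_path, "rb") as f:
        patched, n = strip_vba_password(f.read())
    with open(dst_path, "wb") as f:
        f.write(patched)
    print(f"replaced {n} DPB= occurrence(s), wrote {dst_path}")
```

Usage: python strip_dpb.py protected.docm unlocked.docm, then continue from step 6 with the output file. A replacement count of 0 means the byte search missed; that happens if the PROJECT stream is not contiguous in the OLE file, in which case parse the compound file properly (olefile) rather than searching raw bytes. Also note that the project password only gates the VBE; for analysis rather than editing, tools that decompress the module source streams directly (oletools' olevba, for instance) recover the macro code without modifying the document at all.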
