finishing dynamic

Amanda Rousseau
2017-03-26 23:32:22 -07:00
parent 2a2d1e48a5
commit ffd362ae79


@@ -10,7 +10,7 @@ title: Dynamic Analysis
Congrats, you made it through the workshop. All of your notes an debugging you should have come up with a similar control flow like the diagram and report below.
*Click to Enlarge*
[![alt text](https://securedorg.github.io/images/diagram.png "diagram")](https://securedorg.github.io/images/diagram.png)
[![alt text](https://securedorg.github.io/images/Diagram.png "diagram")](https://securedorg.github.io/images/diagram.png)
## Simple Report
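Review bot: The `+` line changes the inline image to `Diagram.png` while the link target it wraps still points at `diagram.png`; GitHub Pages serves files case-sensitively, so unless both files exist either the thumbnail or the "click to enlarge" link will 404. Use the same casing in both URLs. The unchanged context line also has a typo, "All of your notes an debugging", which should read "notes and debugging"; the sentence flows better as "From all of your notes and debugging you should have come up with a control flow similar to the diagram and report below."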
@@ -19,11 +19,11 @@ Filename: Unkown.exe
Sha256: a635f37c16fc05e554a6c7b3f696e47e8eaf3531407cac27e357851cb710e615
###Summary
### Summary
This file creates a copy of itself in the %APPDATA% location, sets persistence mechanisms, and beacons to definitely-not-evil.com. If beacon is successful, it will open a messagebox, then decrypt the resource which will then spawn a shell window to open the resource.
###General Characteristics
### General Characteristics
The file is UPX packed
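Review bot: The heading fix is correct (kramdown needs the space after `###` for the heading to render), but the context line `Filename: Unkown.exe` carried in the hunk header has a typo and should read `Unknown.exe`. In the Summary, "If beacon is successful" should be "If the beacon is successful" and "messagebox" is two words; since the summary already names the domain and the `%APPDATA%` copy, it is worth also naming the Run key there so a reader gets the full persistence picture without scrolling to the Registry IOC section.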
@@ -43,31 +43,52 @@ Import Functions:
* CreateProcess
###File System IOC
### File System IOC
CreateFile C:\Users\victim\AppData\Roaming\dope.exe CreateFile icon.gif
Network IOC
GET /ayy HTTP/1.1 Content-Type: text/html MySpecialHeader: whatever User-Agent: definitely-not-evil.com Host: definitely-not-evil.com Cache-Control: no-cache
GET /ayy HTTP/1.1
###Registry IOC
Content-Type: text/html
MySpecialHeader: whatever
User-Agent: definitely-not-evil.com
Host: definitely-not-evil.com
Cache-Control: no-cache
### Registry IOC
RegQueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dope
###Behavior & Control Flow
### Behavior & Control Flow
Processes Created dope.exe
1) Starts by decoding xor strings
2) Checks to see if dope.exe already exists in %APPDATA%
3) If it doesn't exist create a copy of itself to %APPDATA% as dope.exe
4) Set the startup registry key
5) Start the newly copied dope.exe process
6) Delete the original
7) Dope.exe will check the registry key if set
8) Call out to definitely-not-evil.com
9) If the result is "lmao" it will open a messagebox and extract the resource
10) Base64 decode the resource
11) Save decoded resource as icon.gif
12) Shellexecute to open icon.gif
[Section 6 <- Back](https://securedorg.github.io/RE101/section6)
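Review bot: Splitting the HTTP request onto separate lines will not survive rendering, because markdown collapses single line breaks into one paragraph; put the request in a fenced code block so each header (`GET /ayy HTTP/1.1`, `MySpecialHeader: whatever`, `User-Agent: definitely-not-evil.com`) stays on its own line, which also makes these fixed strings easy to lift into a network signature. `Network IOC` is the only IOC heading in this hunk that did not get the `###` prefix, and the File System IOC line still runs two entries together (`CreateFile C:\Users\victim\AppData\Roaming\dope.exe CreateFile icon.gif`), which should be split the same way as the request. In the Behavior list, kramdown only recognises `1.` as an ordered-list marker, not `1)`, so the twelve steps will render as one run-on paragraph; switch to `1.` and add a blank line before the list. Step 7, "Dope.exe will check the registry key if set", is ambiguous and reads better as "The copied dope.exe checks whether the Run key has been set".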