aljaz/securedorg.github.io
1
0
Fork 0
mirror of https://github.com/aljazceru/securedorg.github.io.git synced 2025-12-21 07:54:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
b863e8a0ac1d4b71ddd0bbb9c7c3f7b51aa61e79
securedorg.github.io/dynamic2.md
Amanda Rousseau 4e9cb656f0 updating NetworkIOC
2017-03-27 10:22:38 -07:00

96 lines
2.2 KiB
Markdown
Raw Blame History

---
layout: default
permalink: /RE101/section6.1/
title: Dynamic Analysis
---
[Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/)
# Section 6: Finale #
Congrats, you made it through the workshop. All of your notes an debugging you should have come up with a similar control flow like the diagram and report below.
*Click to Enlarge*
[![alt text](https://securedorg.github.io/images/Diagram.png "diagram")](https://securedorg.github.io/images/Diagram.png)
## Simple Report
Filename: Unkown.exe
Sha256: a635f37c16fc05e554a6c7b3f696e47e8eaf3531407cac27e357851cb710e615
### Summary
This file creates a copy of itself in the %APPDATA% location, sets persistence mechanisms, and beacons to definitely-not-evil.com. If beacon is successful, it will open a messagebox, then decrypt the resource which will then spawn a shell window to open the resource.
### General Characteristics
The file is UPX packed
Import Functions:
* GetEnvironmentVariable
* CopyFile
* DeleteFile
* InternetOpen
* InternetConnect
* HttpOpenRequest
* HttpSendRequest
* MessageBox
* FindResource
* CryptStringToBinary
* CreateFile
* ShellExecute
* CreateProcess
### File System IOC
CreateFile C:\Users\victim\AppData\Roaming\dope.exe CreateFile icon.gif
### Network IOC
GET /ayy HTTP/1.1
Content-Type: text/html
MySpecialHeader: whatever
User-Agent: definitely-not-evil.com
Host: definitely-not-evil.com
Cache-Control: no-cache
### Registry IOC
RegQueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dope
### Behavior & Control Flow
Processes Created dope.exe
1) Starts by decoding xor strings
2) Checks to see if dope.exe already exists in %APPDATA%
3) If it doesn't exist create a copy of itself to %APPDATA% as dope.exe
4) Set the startup registry key
5) Start the newly copied dope.exe process
6) Delete the original
7) Dope.exe will check the registry key if set
8) Call out to definitely-not-evil.com
9) If the result is "lmao" it will open a messagebox and extract the resource
10) Base64 decode the resource
11) Save decoded resource as icon.gif
12) Shellexecute to open icon.gif
[Section 6 <- Back](https://securedorg.github.io/RE101/section6)
Reference in New Issue View Git Blame Copy Permalink