Posts

Breaking Down A Variant of GlobeImposter Ransomware

Image
GlobeImposter Analysis Sample:  28f7aeea9a0a1f79f792213f44475e9d5d9304cd0e61e3ecb2b9d38e0271a310 This GlobeImposter sample is unpacked, non-obfuscated. All the APIs are linked in load-times, so the IAT is reliable. If you are new to reverse C++, this is a great beginner tutorial . Starting point For this sample, I started the analysis by running the  FindCrypt-Yara plugin. The corresponding result includes references to a Base64 table and a Prime_Constant used in RSA cipher. Tracing Base64 table references will lead you in the middle of id (public key) encryption routine at  0x40E880 which we will in-depth later. On the contrary, if your starting point is pivoting  CreateProcessW or ShellExecuteExW , you will get to the main function at 0x40FFF0 Drop Files The GlobeImposter malicious behavior starts with calling the function at 0x410830 is to drop  2 files:   ids.txt  in the current process directory and HOW_TO_BACK_YOUR_FILES...

Learning Cryptography Through Analyzing Ransomware: Jigsaw and Turkstatik

Image
In the malware family, ransomware is like a flashy cousin who gets all the attention. The immediate impact and psychological terror of ransomware bring it an incredible amount of recognition and visibility. Today we will take a look at 2 ransomware: Jigsaw and TurkStatik 1. Jigsaw Sample :  76e0c8cd82dba5a880125070e43cbd9d505c39b22858cd86ff6253181b5f193c From looking as the Import, Jigsaw appears to be a .Net application which is great news. Instead of IDA, you can use any commercial  .Net decompilers to get the accurate C# codes. I highly recommend  dnSpy  . It's FREE while also having debugging functionality. Opened in dnSpy, this sample is unpacked and non-obfuscated. First. we start our analysis by looking at the Resources section There are 3 pieces of information stored here: an array of "supported" extensions, the JigsawImage , and the crypto wallet address. Next, we move on to the code section inside each module. Conveniently, Main...

3 Levels of Unpacking For Newbies. Part #2: Stubbornly Unpack VB6 RunPE

Image
This is the second part of the 3 parts series attempt to teach beginners the fundamental concepts and basic techniques for unpacking. Since I am a beginner myself, I hope my way of thinking would be more relatable to others out there. For  Part#1 , in order to recognize and unpack UPX, we learned a little bit about PE Structure, RVA, IAT, run-time linking, software breakpoint vs hardware breakpoint, tail jump, and using Scylla to rebuild IAT . We also learn the trick of setting hardware-breakpoint on the stack when encountering pusha/pushad so that the execution will stop at the corresponding  popa/popad . Sadly, as far as I know, this trick won't work on more complicated packers. However, today we will learn a technique that can apply to the majority of packers: setting breakpoints on Windows API, or some people call it: API hooking 1. Introduction In order to interact with Windows OS, every software has to call Windows APIs. Tho, not all APIs are created equally. Choos...

3 Levels of Unpacking For Newbies. Part #1: Conceptually Unpack UPX

Image
Introduction This is a 3 parts series attempting to teach beginners how to unpack malware. As a beginner myself, I hope my thinking process will be more relatable to others. If I make mistakes in this blog, please feel free to give me feedback. Manual unpacking can be a very intimidating task for starters. Without knowing the tips and tricks, the process can take days and weeks, or you may never find the answers. I intend to not only show you some must-know tricks but also explain why they work or don't work. These articles will be similar to a lab when I perform a standard old-school unpacking process and explain the details along the way. Part 1: UPX Packer - The "Hello World" of Reverse Engineering Just like every computer scientist starts out with the "Hello World" program, every reverse engineer learns how to unpack UPX at some point. You can download UPX  here . Basically," upx filename"  will pack a file, and " upx -d filename...

A Police Department Scam on Zalo App that leads to an Android SpySMS variant

Image
The Scam A few days ago, one of my acquaintances was getting scammed. She was contacted on the phone by a "police officer," saying she has been accused of committing a crime. Apparently, a current well-known criminal group has mentioned her name. After confirming her identity, a fake subpoena was sent to her Zalo account. The document had her name, an authority signature, and a stamp. FYI, Zalo is a popular chat app in Vietnam that uses phone numbers as account IDs. As a typical working-class Vietnamese lady, her exposure to the Internet is pretty much Youtube and Zalo. It may be hard for us to believe, but that is all it takes for her to get bamboozled. Next step, she was requested to go on a Police Department phishing site and enter the citizen ID to view her case. Interestingly, she had to enter the correct ID for it to work. I guess that they used the information she provided earlier to set up the webpage. After the successful identification, a new page was serv...