Didier Stevens

Wednesday 2 November 2016

Maldoc With Process Hollowing Shellcode

Filed under: maldoc,Malware — Didier Stevens @ 0:00

Last week I came across a new Hancitor maldoc sample. This sample contains encoded shellcode that starts a new (suspended) explorer.exe process, injects its own code (an embedded, encoded exe) and executes it. This process hollowing technique bypasses application whitelisting.

This maldoc uses VBA macros (no surprise) to execute its payload.

20161101-214505

The encoded shellcode is a property in stream 17:

20161101-220639

I used my decoder.xls method to decode the shellcode (the name of the decoding function is apocope). And then Radare2 and my script to disassemble the shellcode (32-bit and 64-bit shellcode):

20161101-221418

The shellcode uses WIN32 API functions like CreateProcess, ZwUnmapViewOfSection, GetThreadContext, ResumeThread, … to inject code into the newly created process (explorer.exe) and execute it. This method is called process hollowing or process replacement.

The explorer.exe process is created in a suspended state, the code for explorer.exe is removed, the code for the payload is injected, the context of the thread is updated and then the thread is resumed. This method bypasses application whitelisting, as explorer.exe is a whitelisted PE-file.

The payload is an PE-file (exe) embedded and encoded in the maldoc in stream 5. STARFALL is the string that indicates the start of the payload. The PE-file is encoded with base64 with each byte XORed with 15 and then 3 subtracted. This file can be detected and extracted with my decode-search.py tool:

20161101-223522

This executable was not yet submitted to VirusTotal, most likely because it’s never written to disk. I did submit it: cdcd2ca36ed9a2b060dd4147bc5f7706.

This exe tries to download a payload from 3 URLs:

20161101-224906

Friday 14 October 2016

Analyzing Office Maldocs With Decoder.xls

Filed under: maldoc,Malware,My Software — Didier Stevens @ 13:27

There are Office maldocs out there with some complex payload decoding algorithms. Sometimes I don’t have the time to convert the decoding routines to Python, and then I will use the VBA interpreter in Excel. But I have to be careful not to execute the payload, just decode it. In the following video, I show how I do this.

Tools: oledump.py, decoder.xls

Sample: 2f918f49c3f926bb1538eaad6e8e6883

Monday 16 May 2016

New YARA Rule: PE_File_pyinstaller

Filed under: Malware,My Software — Didier Stevens @ 0:00

This is a YARA rule to detect PE files that were created with PyInstaller (a tool to convert Python programs to binary executables).

More info in my ISC Diary entry: Python Malware – Part 1.

/*
  Version 0.0.1 2016/05/14
  Source code put in public domain by Didier Stevens, no Copyright
  https://DidierStevens.com
  Use at your own risk

  Shortcomings, or todo's ;-) :

  History:
    2016/05/14: start
*/

import "pe"

rule PE_File_pyinstaller
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
        description = "Detect PE file produced by pyinstaller"
    strings:
        $a = "pyi-windows-manifest-filename"
    condition:
        pe.number_of_resources > 0 and $a
}

yara-rules-V0.0.8.zip (https)
MD5: 83D10B0A18D3F8E2C744B8FEA10F5E67
SHA256: 2D47165757F909440F6D1A95FF5C0EA1355B355AE7475D2A0CF821D3B9A6235A

Tuesday 22 March 2016

YARA Rule To Detect VBE Scripts

Filed under: maldoc,Malware,My Software — Didier Stevens @ 0:00

Malicious documents that drop VBE scripts (VBScript Encode scripts) are in the wild. Here is an example:

20160321-214635

20160321-214711

I have a YARA rule to detect VBE scripts:

20160321-214305

20160321-214346

20160321-214502

yara-rules-V0.0.6.zip (https)
MD5: 01CB37759AC30EEA8D2B66226609C73E
SHA256: 1B56C1D7D0E1A8F500674B74F93F3E7DE6B2EFC85259ABE3A57F1DCA458CCFF8

Friday 11 March 2016

Update: oledump.py Version 0.0.23

Filed under: maldoc,Malware,My Software,Update — Didier Stevens @ 9:44

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“. Use promo-code SPRING16 for a 10% discount.

This new version of oledump brings an update to the –cut option and a new plugin: plugin_hifo.

As I documented in this ISC Diary entry, maldocs can store URLs in properties of userforms:

20160221-185714

The plugin plugin_hifo is a simple plugin that looks for streams that end with /o and then searches for strings starting with http (hence the name: http in form /o).

20160311-103509

oledump_V0_0_23.zip (https)
MD5: 991910FF4AA47808A5BBCE0CC109D41A
SHA256: 612B6FD06856C7790D2F66B29286E7B89D35D8354ADB167CA512CC1CDE3F6C47

Saturday 5 March 2016

Even More Obfuscated MIME Type Files

Filed under: maldoc,Malware,My Software,Update — Didier Stevens @ 9:45

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“. Use promo-code SPRING16 for a 10% discount.

I received another maldoc sample (MD5 73D06B898E03395DA3D60D11E49751CC):

20160305-102423

Lines 2, 3, 6, 7 and 8 are there to obfuscate this MIME type file. emldump.py now detects all lines without a colon in the first block (all lines before the empty line 9: 1 – 8).

20160305-103000

You can filter out these lines with option -f:

20160305-103136

emldump_V0_0_8.zip (https)
MD5: B6FBAF2AB403AFE30F7C3D7CA166793B
SHA256: 7A7016B29F291C3D42B43D43B265DAD86B96DA519DB426163CC2D15C556896E3

Monday 29 February 2016

More Obfuscated MIME Type Files

Filed under: maldoc,Malware,My Software,Update — Didier Stevens @ 20:57

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“. Use promo-code SPRING16 for a 10% discount.

I received a maldoc sample (MD5 FAF75220C0423F94658618C9169B3568):

20160229-213357

You can see it’s a MIME Type file, and that it is obfuscated. The second line is a very long line of seemingly random letters and digits. This throws of Python’s MIME parser used by my emldump tool:

20160229-214123

emldump just detects this as a text file, and not as a multipart MIME Type file.

If we remove that second line, for example with findstr /v (or grep -v), emldump recognizes the different parts:

20160229-214500

Since obfuscated MIME Type files are becoming more and more prevalent, I’m adding a filter option to emldump to filter out lines that obfuscate the MIME Type files. For the moment, option -f throws out lines longer than 100 characters and header lines that are not fields (just like option -H).

This new version of emldump.py detects some (simple) types of obfuscation:

20160229-215458

And with option -f you can filter out these obfuscating lines:

20160229-215704

Download:

emldump_V0_0_7.zip (https)
MD5: 819D4AF55F556B2AF08DCFB3F7A8C878
SHA256: D5C7C2A1DD3744CB0F50EEDFA727FF0487A32330FF5B7498349E4CB96E4AB284

Sunday 28 February 2016

Update: translate.py Version 2.2.0 for Locky JavaScript Deobfuscation

Filed under: maldoc,Malware,My Software,Update — Didier Stevens @ 10:45

Over at the ISC Diary I have an entry on Locky JavaScript Deobfuscation. I use my translate tool to perform part of the static analysis.

When you read this diary entry, you’ll see that I have to create 2 Python scripts to be used by translate.py to search with a regular expression and replace all matches with the output of a Python function.

I updated translate.py so that I don’t have to create Python scripts for this regex search-and-replace, but that I can do it from the command-line with a new option. This new option (-r, –regex) takes a regular expression and does a search-and-replace.

Here are the 2 “scripts” using this new option:

translate.py -r "\([^\\\(]+\\u([0-9a-f]{4})[a-z]+'\.e\(\)\)" "lambda oMatch: chr(39) + chr(int(oMatch.group(1), 16)) + chr(39)"
translate.py -r "('[^']*' ?\+ ?)+'[^']*'" "lambda oMatch: chr(39) + eval(oMatch.group(0)) + chr(39)"

If you just want to do a search-and-replace, you can use a constant regex and lambda function, like this (replace False with True):

translate.py -r "False" "lambda oMatch: 'True'"

translate_v2_2_0.zip (https)
MD5: D561D9987A3E5264E40A4B5C4057A732
SHA256: BC532BD5C7DD86DCADDF7B7B9A34453E983E226E103E0591E7D480BB43C350E0

Sunday 24 January 2016

Update: emldump.py Version 0.0.6

Filed under: Malware,My Software,Update — Didier Stevens @ 10:32

A small update to emldump.py to handle (intentionally) malformed MIME files.

20160124-112917

More details in my SANS ISC Diary entry “Obfuscated MIME Files”.

emldump_V0_0_6.zip (https)
MD5: 682793840D895E473647F2A1F85A9867
SHA256: D76BADF2A332C3417BB7DD46B783CE90757DD76648D2313083982BFD74902C41

Friday 22 January 2016

BlackEnergy .XLS Dropper Puzzle

Filed under: Malware,Puzzle — Didier Stevens @ 0:00

Over at the ISC diary I posted an entry with a puzzle to help you to practice the extraction of an embedded file in a spreadsheet.

This is the image I embedded:

Waterlogue-2016-01-11-20-13-29

Next Page »

Blog at WordPress.com.