In this new version of zipdump.py, you can provide a YARA rule directly on the command line, without having to store it inside a file.
Just start the value of option -y with # and type your rule (use quotes because of spaces):
zipdump_v0_0_9.zip (https)
MD5: 2700AF663980204075107164AA12750A
SHA256: 5686F24373AF64E1F5D866C71B29A22CE97964EC563A2219681A6268CC9A1153
This new version of base64dump.py has a new option: -z. With this option, you can ignore leading null bytes (to be used for example to handle UNICODE).
You can see this option used in this video (starting 1:28):
base64dump_V0_0_7.zip (https)
MD5: D37DE7CEFDA55ADD1822EADDD84D5FFB
SHA256: 5F676DF8B36172A1D7B29F03E2B0CCB026BB9A96DF8830FDB137E65CBB59DD63
Here is an overview of content I published in June:
Blog posts:
YouTube videos:
Videoblog posts:
SANS ISC Diary entries:
NVISO Labs blog posts:
NVISO YouTube videos:
Here is an overview of content I published in May:
Blog posts:
YouTube videos:
Videoblog posts:
NVISO Labs blog posts:
Some small changes to my XOR known plaintext attack tool (xor-kpa), which will be detailed in an ISC Diary entry.
xor-kpa_V0_0_5.zip (https)
MD5: 023D8E3725E0EF7CEC449085AA96BB3A
SHA256: 7517DD44AFBFA11122FD940D76878482F50B7A2A2BCD1D7A2AF030F6CAC4F4E3
In this video, I show how to get started with my tools and a WannaCry sample.
Tools: pecheck.py, zipdump.py, strings.py
Sample: 84c82835a5d21bbcf75a61706d8ab549
Added handling of zlib errors when performing a dictionary attack.
zipdump_v0_0_8.zip (https)
MD5: 51B971B57800D126B2067DC53303355A
SHA256: 095EE6000E99B9193C830B8BA11139907CB9445FD7D94D81E3F97A8B458D5D16
After adding support for password lists in zipdump, I decided to add an internal password list to zipdump, based on John’s public domain password list.
This internal password list (a few thousand passwords) can be used by providing filename . (a single dot) to options -P and –passwordfilestop.
zipdump_v0_0_7.zip (https)
MD5: 7B3D165B68B4E66D7EFCF54B25E08115
SHA256: DC794679CFDEA57AC532E11BC338F6823EECC26A36CB844B29EF15F93B6BA1C1
This new version of re-search.py has a build-in regular expression for bitcoin addresses, together with a Python function to validate the address.
re-search_V0_0_7.zip (https)
MD5: 38EBBC6B45476AA2FB03DC9604D2F7EE
SHA256: 7BE3B986126C3E40A886A66A08EA360EEE01A29F064F2D3235A1311C4FB4E45E
I’ve seen reports that WannaCry uses a mutex with name Global\MsWinZonesCacheCounterMutexA.
The samples I analyzed all use another mutex: Global\MsWinZonesCacheCounterMutexA0. That’s a digit zero at the end.
I have not found a sample that uses mutex Global\MsWinZonesCacheCounterMutexA (e.g. without digit zero at the end).
Update 1: I got confirmation from Costin Raiu from Kaspersky that the mutex is Global\MsWinZonesCacheCounterMutexA0.
Update 2: dynamic analysis with sample 84c82835a5d21bbcf75a61706d8ab549 shows that there are 2 mutexes that can prevent the ransoming of files: MsWinZonesCacheCounterMutexA and Global\MsWinZonesCacheCounterMutexA0. Remark that the Global namespace must be used with mutex MsWinZonesCacheCounterMutexA0, while it may not be used with mutex MsWinZonesCacheCounterMutexA.
Remark that the code above contains string “Global\\MsWinZonesCacheCounterMutexA”, but that is not the actual string used for OpenMutexA.
The actual string used for OpenMutexA is created by a sprintf “%s%d” call, and results in “Global\\MsWinZonesCacheCounterMutexA0“, that is “Global\\MsWinZonesCacheCounterMutexA” with a digit 0 (zero) appended.
Mutexes have long been used by malware authors to prevent more than one instance of the malware running on the same machine. An old anti-malware trick consists in the creation of a specific mutex, to prevent the execution of a specific malware.
I’ve seen tools and scripts published to create mutex Global\MsWinZonesCacheCounterMutexA to prevent WannaCry from infecting machines. This will not work for the samples I analyzed.
Samples I disassembled:
7c465ea7bcccf4f94147add808f24629644be11c0ba4823f16e8c19e0090f0ff (contained as a resource in 5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec).
86721e64ffbd69aa6944b9672bcabb6d (contained as a resource in 5bef35496fcbdbe841c82f4d1ab8b7c2).
Samples I searched for containing the mutex and sprintf code:
509c41ec97bb81b0567b059aa2f50fe8
5bef35496fcbdbe841c82f4d1ab8b7c2
638f9235d038a0a001d5ea7f5c5dc4ae
7f7ccaa16fb15eb1c7399d422f8363e8
84c82835a5d21bbcf75a61706d8ab549
86721e64ffbd69aa6944b9672bcabb6d
d6114ba5f10ad67a4131ab72531f02da
db349b97c37d22f5ea1d1841e3c89eb4
f107a717f76f4f910ae9cb4dc5290594
If you have a sample that actually uses mutex Global\\MsWinZonesCacheCounterMutexA and not mutex Global\\MsWinZonesCacheCounterMutexA0 (e.g. with digit zero appended), please post a comment with the hash of your sample.
Didier Stevens 