~Dissecting Malware
// f0wL's Blog about malware analysis and reverse engineering
About PINEs and supply chain attacks gone wrong

So I got myself a Pinebook Pro to run and port OpenBSD on. (Un)fortunately it seems like slowly but surely everything I get my hands on has something to do with malware, so let's have a look at what's in store today.


Factory

Sality @ AnyRun | HybridAnalysis | VirusTotal --> sha256 37f1b6394a408e0a959b82ff118a526c1362b4ddc1db5da03c9ffa70acaebff4


On the 3rd of November it was first publicly disclosed by stheo on Twitter that there were unidentified Windows-related files on the boot partition of the Pinebook Pro. As the discussion in the Discord/IRC chat evolved it became clear that only the second batch of the notebook (the 64GB eMMC versions) appears to be infected. The initial VirusTotal analysis revealed that the files in question were related to the Sality botnet.



After receiving my Pinebook I immediately opened the Dolphin file manager to check /boot and sure enough, there were two files with seemingly random filenames ending in .pif and an autorun.inf file.


On the Pinebook


I haven't seen a PIF file in a pretty long time, so I had to refresh my memory a bit as well. PIF stands for "Program Information File" and describes certain environmental conditions and settings for a given application. In modern versions of Windows this information is stored in .LNK files. So does it contain shell commands, similar to how the GermanWiper stage 1 worked? Quoting Wikipedia here:

"Although a file in PIF format does not contain any executable code (it lacks executable files' magic number "MZ"), Microsoft Windows handles all files with (pseudo-)executables' extensions in the same manner: all .COMs, .EXEs, and .PIFs are analyzed by the ShellExecute function and will run accordingly to their content and not extension, meaning a file with the PIF extension can be used to transmit computer viruses."

Sounds really interesting 🤔 So let's throw it into a hex editor and ... wait, is that an MZ header? Looks like we've got an executable here after all.


MZ Header


It also looks like at least one of the two EXEs has been padded quite heavily.


File padding
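As an added example (not code from the original post), here is a small Python triage script for exactly the pattern described above: it checks a directory such as the Pinebook's /boot for an autorun.inf sitting next to files with executable extensions that actually start with an MZ header, measures how much of each file is trailing NUL padding, and matches the SHA256 against the two dropper hashes from the IOC section below. Since the real samples are not included, demo() builds a constructed stand-in directory in a temp folder.

```python
import hashlib
import os
import tempfile

# SHA256 of the two droppers found on the Pinebook Pro (taken from the IOC section of this post).
KNOWN_SALITY_SHA256 = {
    "37f1b6394a408e0a959b82ff118a526c1362b4ddc1db5da03c9ffa70acaebff4",  # kithj.pif
    "6245eb607e53209126191e4b6cdf7d64f52394f6bc6a2a9529a28ed49be19c82",  # augjb.pif
}
# Extensions ShellExecute runs by content rather than by name (the PIF behaviour quoted above).
EXEC_EXTENSIONS = {".pif", ".com", ".exe", ".scr"}


def inspect_file(path: str) -> dict:
    # Executable-style name, PE "MZ" magic, share of trailing NUL padding, match against known-bad hashes.
    with open(path, "rb") as fh:
        data = fh.read()
    padding = (len(data) - len(data.rstrip(b"\x00"))) / len(data) if data else 0.0
    return {
        "name": os.path.basename(path),
        "exec_extension": os.path.splitext(path)[1].lower() in EXEC_EXTENSIONS,
        "has_mz_header": data[:2] == b"MZ",
        "padding_ratio": padding,  # the heavily padded sample pictured above scores close to 1
        "known_sality": hashlib.sha256(data).hexdigest() in KNOWN_SALITY_SHA256,
    }


def scan_boot_partition(directory: str) -> dict:
    # Report autorun.inf plus any PE executables hiding behind .pif/.com/.exe names.
    report = {"autorun_inf": False, "suspects": []}
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        if entry.name.lower() == "autorun.inf":
            report["autorun_inf"] = True
        else:
            info = inspect_file(entry.path)
            if info["exec_extension"] and info["has_mz_header"]:
                report["suspects"].append(info)
    return report


def demo() -> dict:
    # Constructed stand-in for the infected /boot: a NUL-padded MZ stub named .pif next to an autorun.inf.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "kithj.pif"), "wb") as fh:
            fh.write(b"MZ" + b"\x90" * 62 + b"\x00" * 4032)  # 64-byte stub, 4032 bytes of padding
        with open(os.path.join(d, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\n")
        with open(os.path.join(d, "Image"), "wb") as fh:
            fh.write(b"\x00" * 64)  # benign blob without an executable extension, must not be flagged
        return scan_boot_partition(d)
```

Point scan_boot_partition() at the mounted boot partition of a suspect device; a known_sality hit or a high padding_ratio on a .pif with an MZ header is the signal to pull the unit from use and reimage.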


Running kithj.exe in AnyRun with standard UAC settings results in the malware requesting access by injecting into the Desktop Window Manager process, so that it runs at an elevated level and looks more legitimate.


Firewall Dialog


Looking at the process graph we notice multiple process injections into various system applications (namely Windows Explorer, the Desktop Window Manager, the Task Scheduler and WindaNr).


Anyrun Process Graph


Ghidra can't make much of it with the standard analysis settings and can only find two "functions" in total.


Functions detected by Ghidra


IOCs

Sality Hashes

kithj.exe --> SHA256: 37f1b6394a408e0a959b82ff118a526c1362b4ddc1db5da03c9ffa70acaebff4
              SSDEEP: 3072:m5y36RPOJTdktKKu37BLgwl7gMt7pwObB:mQqRQydiBLJl7Jt7N

augjb.exe --> SHA256: 6245eb607e53209126191e4b6cdf7d64f52394f6bc6a2a9529a28ed49be19c82
              SSDEEP: 3072:EE6sGYXKm+NFN3GtRM0XS0aGNH3MYaOJEQ/Xh6:AsqdWdbaG8YOcx6

autorun.inf --> SHA256: f5adcd0989f9c4033fcd214e8998dde85865c6bf178c4eaed94128e6f5389bd6

Associated Files

augjb.pif(.exe)
kithj.pif(.exe)
autorun.inf

URLs

hxxp://padrup[.]com.ds/sobaka1.gif
hxxp://paaaaad[.]fd.fd

IPs of contacted Hosts

All contacted hosts were reached exclusively over UDP.



Try not to stare - MedusaLocker at a glance

Mystic but also a new(-ish) threat: Medusa ransomware. Let's take a quick peek, but don't look too close or you may need to fetch backups soon.

===== Work in Progress =====

A short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check with your local laws as owning malware binaries/sources might be illegal depending on where you live.

medusa.exe @ AnyRun --> sha256 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01
dix_16.exe @ HybridAnalysis --> sha256 49da42d00cc3ad6379ead2e07fd5f09bd358b144a6e78aad4bb1a8298e2bb568

Extracted PDB-Path: C:\Users\Gh0St\Desktop\MedusaLockerInfo\MedusaLockerProject\MedusaLocker\Release\MedusaLocker.pdb


Earn-quick-BTC-with-Hiddentear.mp4 / About Open Source Ransomware


A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/sources might be illegal depending on where you live.

"Shade Ransomware creater is stupid fxxxxx.exe" @ Any.Run --> sha256 ba978eee90be06b1ce303bbee33c680c2779fbbc5b90c83f0674d6989564a70a

Because HiddenCrypt is written in C# utilizing the .NET Framework 4 static analysis...

Nicht so goot - Breaking down Gootkit and Jasper (+ FTCODE)

Pun intended. Gootkit is one of the most widespread banking malware strains at the moment and I deemed it a good opportunity to deobfuscate a bit of scrambled code.

A short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check with your local laws as owning malware binaries/sources might be illegal depending on where you live.

Gootkit Stage 3 Sample available @ Hybrid Analysis --> 3e846a7316dbc15a38cfd522b14ad3f1a72d79959cbae9fd14621400d77cbc37

#gootkit #jasperloader #banker
Js https://t.co/PsYBIeph19
Payload https://t.co/hLThGNJDiK
IOCs wws.tkgventures.[com -> ont.carolinabeercompany.[com/bolp.cabs/adp.reevesandcompany.[com/rbody320
@VK_Intel @malwrhunterteam @James_inthe_box @reecdeep — JAMESWT (@JAMESWT_MHT)...

Return of the Mummy - Welcome back, Emotet

Or to be more historically precise: Imhotep was the Egyptian, Emotet is the malware strain we are going to take a look at. Last week it returned from its summer vacation with a few new tricks.

A short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check with your local laws as owning malware binaries/sources might be illegal depending on where you live.

Emotet Sample #1 @ Hybrid Analysis --> sha256 6076e26a123aaff20c0529ab13b2c5f11259f481e43d62659b33517060bb63c5
Emotet Sample #2 @ Hybrid Analysis --> sha256 757b35d20f05b98f2c51fc7a9b6a57ccbbd428576563d3aff7e0c6b70d544975

Emotet brought home a few souvenirs from its summer trip as well. The image above and below show...

Malicious RATatouille 🐀

Remcos is a commercially sold Remote Administration Toolkit (RAT) that is regularly distributed as spyware.

Depending on the licensing model and capabilities Remcos is sold for $58 to $389 by the company (with the pretty fitting name) Breaking Security. Feature-wise the manufacturer's website lists: Remote Administration, Support, Surveillance, Anti-Theft and Proxy. In most cases the executable is dropped via a booby-trapped Office or XML document. Of course I will not link to any of their webpages or products since shilling out for cybercriminals would be the last thing I'd do....

Osiris, the god of afterlife...and banking malware?!

After coming back from the Chaos Communication Camp two days ago I thought it would be a good idea to check on the current malware events out there, so come along for the ride

I came across this sample after this tweet by @James_inthe_box:

Found by @FewAtoms at: borel[.]fr/notices/CanadaPost.zip -> vbs drops: https://naot[.]org/cms/file/fixed111.exe
I'd like to say with confidence: I have no idea what this is. https://t.co/z18z17Kau8 pic.twitter.com/68zg3HpkRI
— James (@James_inthe_box) August 28, 2019

A short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check with your...

GermanWiper's big Brother? GandCrab's kid? Sodinokibi!

After last week's analysis of GermanWiper I thought it would be about time to have a look at Sodinokibi aka REvil, the new weird kid on the block.

According to Cybereason the Sodinokibi Ransomware was written by the same guys who created GandCrab, which is a pretty big deal after GandCrab retired recently. The samples that I'll be looking at today were first dropped in Asia, but it did not take long to reach other continents as well.

A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be...

TFW Ransomware is only your side hustle...

and you constantly have to apply for jobs. A partial analysis of the "GermanWiper" Ransomware

Today someone posted about a ransomware attack on the local chat platform Jodel (don't judge please, as you know the sketchy corners of the web get you the best samples :D) which instantly piqued my interest. What I got was this email and the two attached files. The two attached files Applicant Name - Lebenslauf Aktuell.doc.lnk and Applicant Name - Arbeitszeugnisse Aktuell.doc.lnk are made to look like Microsoft Office...

Picking Locky 🔓

Back in 2016 Locky was (one of) the first to commercialize the "art" of holding data for ransom. I picked this strain because I would like a bit more of a challenge in terms of obfuscation and anti-disassembly techniques, so strap in for this OG Ransomware

Locky (at least the first few versions) is said to be created by the makers of the Dridex/Cridex banking trojans. For example the spreading mechanism via macros in Word or Excel documents sent out via carefully crafted spear-phishing emails is exactly the same for both of these strains.

A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with...


About me

Hey there! My name is Marius Genheimer aka f0wL and I'm a Computer Science student from Germany. As you can probably tell I like to analyse malware (especially ransomware) in my spare time.

https://sandbox.lol

My shot at an automated analysis platform based on the Cuckoo Sandbox. Feel free to drop your samples!

https://phish.fishing

A tracking and logging system for Phishing attacks and Malspam
