Before touching the binary itself, check whether the sample, or something close to it, is already known: prior reports tell us what to expect. We start a file called Notes.txt and record every finding in it as we go.
To get the hashes, FLARE VM ships several tools; the quickest is right click > HashMyFiles, which gives MD5, SHA-1, SHA-256 and more for the file in one go. Copy them into Notes.txt.
VirusTotal
Now we can see whether VirusTotal has anything useful. Searching by hash, the sample is already known and a number of engines flag it. Detection names differ from engine to engine; the family name, not the raw count, is what goes into the notes.
Beyond detections, VirusTotal gives a general overview: creation and modification timestamps, file names the sample has been seen under, registry keys opened and set, process trees, highlights, API calls, etc. The behavioural parts come from VirusTotal's own sandbox, so they are only there if the sample has actually been detonated; a freshly uploaded file may show nothing under Behavior for a while.
DIE
Detect It Easy (DIE) is a portable application designed for binary analysis and reverse engineering tasks. It provides a user-friendly interface for analyzing executable files, libraries, and other binary formats.
Open the executable in PE-bear. If the file carries a custom extension after '.exe' (here '.crow', a lab convention that stops it being run by accident), rename a copy back to '.exe' so that tools which key off the extension parse it as a PE. Renaming changes no bytes, so the hashes you already recorded and the imports you are about to look at are unaffected.
DOS Header
DOS Stub
Sections
.idata
Imports
Expanding KERNEL32.dll shows the imports VirtualAlloc, VirtualProtect, VirtualFree, WriteProcessMemory, CreateThread, WaitForSingleObject, GetLastError and CloseHandle. GetLastError and CloseHandle are in practically every Windows program; the rest, taken together, are the textbook shellcode-injection sequence: allocate a buffer (VirtualAlloc), write the payload into it (WriteProcessMemory), flip the page to executable (VirtualProtect), run it (CreateThread), wait for it to finish (WaitForSingleObject) and free it (VirtualFree).
The 'Ex' variants of these functions take a process handle, which lets them act on a remote process: VirtualAlloc only works in the calling process, while VirtualAllocEx(hProcess, ...) allocates in whatever process the handle refers to. A remote injector therefore usually also imports OpenProcess to obtain that handle; locally you can pass GetCurrentProcess(), which returns the pseudo-handle (HANDLE)-1. Since none of the injection imports here end in 'Ex' and OpenProcess is absent, this looks like self-injection. The one wrinkle is WriteProcessMemory, which always takes a handle; used on the process's own handle it still writes locally, which matches the '[0x%p] Current process handle.' string and the GetCurrentProcess import that FLOSS lists further down.
Imports alone do not prove that these functions are called. A sample can deliberately import extra APIs to blend in or to mislead an analyst: reference a function once with dummy arguments, for example a hypothetical WIN32APIFUNCTION that expects three parameters, called as
WIN32APIFUNCTION(NULL, NULL, NULL) ;
The call does nothing useful (and most likely just fails), but the linker still emits the import, so it shows up under KERNEL32.dll in PE-bear all the same.
The same trick works for ADVAPI32.dll or any other DLL. Treat the import table as a lead to confirm in the disassembly or at runtime, not as proof.
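To see what PE-bear is actually walking under DOS Header > Sections > .idata > Imports, here is a stdlib-only import-table parser together with the local-versus-remote heuristic from the text. This is an added example, not code from the page or from the sample. The PE it parses is built by build_sample_pe(), a constructed headers-plus-.idata stand-in, not Ultima.exe.crow; only the import names (SAMPLE_IMPORTS) are the ones recovered above. The 4-of-5 threshold in injection_verdict() is an assumption, chosen so that one padding import does not flip the verdict.

```python
import struct

# Added example, not code from the page or the sample: a stdlib-only walk of the
# PE import directory (what PE-bear shows under DOS Header, Sections, .idata and
# Imports) plus the local-vs-remote injection heuristic from the text. The file
# built by build_sample_pe() is a constructed headers-plus-.idata stand-in, not
# Ultima.exe.crow; only the import names come from the page.

def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table (PE-bear's Sections tab)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} falls outside every section")

def _cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")

def parse_imports(data):
    """Return {dll: [function or '#ordinal', ...]} for a PE32 or PE32+ file."""
    if data[:2] != b"MZ": raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0": raise ValueError("no PE signature")
    coff, opt = pe + 4, pe + 24                                       # COFF header, then optional header
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                                # PE32+ (x64)
        dd_off, thunk_fmt, ord_flag = 0x70, "<Q", 1 << 63
    elif magic == 0x10B:                                              # PE32 (x86)
        dd_off, thunk_fmt, ord_flag = 0x60, "<I", 1 << 31
    else: raise ValueError(f"unknown optional header magic {magic:#x}")
    imp_rva = struct.unpack_from("<I", data, opt + dd_off + 8)[0]     # DataDirectory[1] = imports
    # section table follows the optional header: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [(va, vs, rp, rs) for vs, va, rs, rp in
                (struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec))]
    if imp_rva == 0: return {}
    imports, desc = {}, _rva_to_offset(imp_rva, sections)
    while True:                          # IMAGE_IMPORT_DESCRIPTOR array ends with an all-zero entry
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0: break
        dll = _cstr(data, _rva_to_offset(name_rva, sections))
        thunk, funcs = _rva_to_offset(oft or ft, sections), []       # unbound ILT first, IAT as fallback
        while (entry := struct.unpack_from(thunk_fmt, data, thunk)[0]) != 0:
            # ordinal import if the top bit is set, else IMAGE_IMPORT_BY_NAME (2-byte hint, then name)
            funcs.append(f"#{entry & 0xFFFF}" if entry & ord_flag
                         else _cstr(data, _rva_to_offset(entry, sections) + 2))
            thunk += struct.calcsize(thunk_fmt)
        imports[dll] = funcs
        desc += 20
    return imports

# Injection primitives from the text; the "Ex" variants take a process handle.
LOCAL_CHAIN = ("VirtualAlloc", "WriteProcessMemory", "VirtualProtect", "CreateThread", "WaitForSingleObject")
REMOTE_CHAIN = ("OpenProcess", "VirtualAllocEx", "VirtualProtectEx", "CreateRemoteThread")

def injection_verdict(imports):
    """Heuristic only: an imported function is not necessarily ever called (assumed 4-of-5 threshold)."""
    k32 = {f for dll, fs in imports.items() if dll.lower() == "kernel32.dll" for f in fs}
    local = [f for f in LOCAL_CHAIN if f in k32]
    remote = [f for f in REMOTE_CHAIN if f in k32]
    if remote: return "remote-injection", local, remote
    if len(local) >= 4: return "self-injection", local, remote
    return "no-injection-chain", local, remote

def build_sample_pe(imports):
    """Constructed PE32+ with only headers and an .idata section (not runnable)."""
    base, raw_off = 0x1000, 0x200                    # .idata RVA and file offset
    pos = 20 * (len(imports) + 1)                    # descriptors plus terminator come first
    thunk_at, name_at, strings = {}, {}, bytearray()
    for dll, fs in imports.items():
        thunk_at[dll] = pos
        pos += 8 * (len(fs) + 1)                     # 64-bit thunks plus terminator
    for dll, fs in imports.items():
        name_at[dll] = {}
        for f in fs:
            name_at[dll][f] = pos + len(strings)
            strings += b"\0\0" + f.encode() + b"\0"  # hint + name
        name_at[dll][None] = pos + len(strings)
        strings += dll.encode() + b"\0"
    blob = bytearray(pos) + strings
    for i, (dll, fs) in enumerate(imports.items()):
        t = thunk_at[dll]
        struct.pack_into("<IIIII", blob, 20 * i, base + t, 0, 0, base + name_at[dll][None], base + t)
        for j, f in enumerate(fs):
            struct.pack_into("<Q", blob, t + 8 * j, base + name_at[dll][f])
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)   # x64, 1 section, 240-byte optional header
    opt = bytearray(240); struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x70 + 8, base, len(blob))          # import directory RVA and size
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(blob), base, len(blob), raw_off, 0, 0, 0, 0, 0x40000040)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr + bytes(raw_off - len(hdr)) + bytes(blob)

# Import names as recovered above with PE-bear/FLOSS, placed in the constructed stand-in.
SAMPLE_IMPORTS = {
    "KERNEL32.dll": ["WriteProcessMemory", "VirtualProtect", "VirtualFree", "VirtualAlloc", "WaitForSingleObject",
                     "GetLastError", "CloseHandle", "CreateThread", "GetCurrentProcess", "IsDebuggerPresent"],
    "ADVAPI32.dll": ["RegSetValueExA", "RegCreateKeyExA", "RegGetValueA", "RegCloseKey"],
}
SAMPLE_PE = build_sample_pe(SAMPLE_IMPORTS)
```

Running parse_imports(open("Ultima.exe", "rb").read()) on the real sample gives the same dictionary PE-bear shows, and injection_verdict() returns "self-injection" for it because none of the KERNEL32 imports end in Ex; swap OpenProcess and VirtualAllocEx in and the verdict flips to "remote-injection". The parser reads the unbound import lookup table first, so it still works on a file whose IAT has been bound or patched.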
floss
floss Ultima.exe.crow #Use this cmd
FLARE FLOSS RESULTS (version v3.0.1-0-g3782dc9)
+------------------------+-----------------------+
| file path              | Ultima.exe.crow       |
| identified language    | unknown               |
| extracted strings      |                       |
|   static strings       | 517 (7882 characters) |
|   language strings     | 0 (0 characters)      |
|   stack strings        | 0                     |
|   tight strings        | 0                     |
|   decoded strings      | 0                     |
+------------------------+-----------------------+

──────────────────────────── FLOSS STATIC STRINGS (517) ────────────────────────────
+-----------------------------------+
| FLOSS STATIC STRINGS: ASCII (515) |
+-----------------------------------+
!This program cannot be run in DOS mode.
Rich
.text  .rdata  .data  .pdata  .rsrc  .reloc
AQAPRQVH1R`>HR >HrP>HJJM1RAQ>HAXAX^YZAXAYAZHXAYZ>H
The power of the sun...in the palm of my hand.
ULTIMA
user32.dll
[... short fragments such as L$ SVWHt$ L0_^[ and H3t$ WHT$ that FLOSS picks up from compiled code, plus the CRT's GenuineIntel CPUID vendor check (HntelAineIDGenut), omitted ...]
VirtualTerminalLevel
Console
[38;5;240m%s[0m[[38;5;117mi[0m] Attempting to read value from Computer\HKEY_CURRENT_USER\Console\VirtualTerminalLevel...
[38;5;240m%s[0m[[38;5;203m![0m] Computer\HKEY_CURRENT_USER\Console\VirtualTerminalLevel exists but isn't set to one... (%lu)
[38;5;240m%s[0m[[38;5;154m+[0m] Computer\HKEY_CURRENT_USER\Console\VirtualTerminalLevel is already set to one (%lu)!
[38;5;240m%s[0m[[38;5;203m![0m] Computer\HKEY_CURRENT_USER\Console\VirtualTerminalLevel wasn't found!
[38;5;240m%s[0m[[38;5;117mi[0m] Enabling ansi support for command prompt...
[38;5;240m%s[0m[[38;5;154m+[0m] Registry key and value created successfully. Terminal restart required.
[38;5;240m%s[0m[[38;5;154m+[0m] Heh. We'll take care of that for you. See ya 'round, initiate.
[38;5;196m [banner drawn in non-ASCII characters, rendered here as ?]
[38;5;240m%s[0m[[38;5;154m+[0m] Operation Ultima, Final Weapon. v16.8
[+] Branded by the Garlean Empire.
C:\Temp
C:\Temp\garlean_note.txt
[38;5;240m%s[0m[[38;5;154m+[0m] Left a little nugget behind.
gaius
glitterychocobo123
[38;5;240m%s[0m[[38;5;117mi[0m] Welcome operator. Use your Empire-issued credentials to sign in.
[38;5;240m%s[0m[[38;5;226m?[0m] Username[0m :: >
%31s
[38;5;240m%s[0m[[38;5;226m?[0m] Password[0m :: >
[38;5;240m%s[0m[[38;5;154m+[0m] Successfully authenticated. Welcome, Gaius van Baelsar.
[38;5;240m%s[0m[[38;5;117mi[0m] All clear for detonation. Whenever you're ready, Black Wolf.
[38;5;240m%s[0m[[38;5;226m?[0m] Press <any key> to continue execution.[0m :: >
[38;5;240m%s[0m[[38;5;203m![0m] [%d/3] Careful, initiate. Lest you want to lose your head.
[38;5;240m%s[0m[[38;5;203m![0m] Maximum login attempts exceeded. Access denied. We're on our way.
[%X]
[38;5;240m%s[0m[[38;5;203m![0m] either you didn't supply a function name or the function actually returned successfully
[38;5;240m%s[0m[[38;5;203m![0m] [%s] failed, error: 0x%lx
[38;5;240m%s[0m[[38;5;117mi[0m] [0x%p] Current process handle.
VirtualAlloc
[38;5;240m%s[0m[[38;5;154m+[0m] [0x%p] [RW-] Allocated a buffer with PAGE_READWRITE [RW-] permissions!
WriteProcessMemory
[38;5;240m%s[0m[[38;5;198m*[0m] [0x%p] [RW-] [%zu/%zu] Writing payload bytes to the allocated buffer...
[38;5;240m%s[0m[[38;5;154m+[0m] [0x%p] [RW-] Wrote %zu-bytes to the allocated buffer
VirtualProtect
[38;5;240m%s[0m[[38;5;154m+[0m] [0x%p] [R-X] Changed buffer's page protection to PAGE_EXECUTE_READ [R-X]
CreateThread
[38;5;240m%s[0m[[38;5;154m+[0m] [0x%p] Thread created! waiting for it to finish its execution...
[38;5;240m%s[0m[[38;5;117mi[0m] [0x%p] Thread finished execution, beginning cleanup...
[38;5;240m%s[0m[[38;5;117mi[0m] [0x%p] Closed process handle
[38;5;240m%s[0m[[38;5;117mi[0m] [0x%p] Closed thread handle
[38;5;240m%s[0m[[38;5;117mi[0m] [0x%p] Remote buffer freed
[38;5;240m%s[0m[[38;5;117mi[0m] Beginning initialization...
[38;5;240m%s[0m[[38;5;203m![0m] It seems like ANSI is disabled for you, recruit. What did we say about disabling ANSI? That's 40 days in the dungeon for you.
[38;5;240m%s[0m[[38;5;117mi[0m] Exiting...
[38;5;240m%s[0m[[38;5;154m+[0m] Ultima unleashed. Such devestation. This was your intention. Exiting...
RSDS
C:\Users\hepha\Documents\Programs\maldev\Ultima\x64\Release\Ultima.pdb
GCTL
.text .text$mn .text$mn$00 .text$x .idata$5 .00cfg .CRT$XCA .CRT$XCAA .CRT$XCZ .CRT$XIA .CRT$XIAA .CRT$XIAC .CRT$XIZ .CRT$XPA .CRT$XPZ .CRT$XTA .CRT$XTZ .rdata .rdata$voltmd .rdata$zzzdbg .rtc$IAA .rtc$IZZ .rtc$TAA .rtc$TZZ .xdata .idata$2 .idata$3 .idata$4 .idata$6 .data .bss .pdata .rsrc$01 .rsrc$02
WriteProcessMemory VirtualProtect VirtualFree VirtualAlloc WaitForSingleObject GetLastError CloseHandle CreateThread KERNEL32.dll
RegSetValueExA RegCreateKeyExA RegGetValueA RegCloseKey ADVAPI32.dll
__C_specific_handler __current_exception __current_exception_context memset VCRUNTIME140.dll
fopen __acrt_iob_func _localtime64_s fflush fclose strftime __stdio_common_vfprintf fputs __stdio_common_vfscanf _time64 free getchar _mkdir malloc puts _seh_filter_exe _set_app_type __setusermatherr _configure_narrow_argv _initialize_narrow_environment _get_initial_narrow_environment _initterm _initterm_e exit _exit _set_fmode __p___argc __p___argv _cexit _c_exit _register_thread_local_exe_atexit_callback _configthreadlocale _set_new_mode __p__commode _initialize_onexit_table _register_onexit_function _crt_atexit terminate
api-ms-win-crt-stdio-l1-1-0.dll api-ms-win-crt-time-l1-1-0.dll api-ms-win-crt-heap-l1-1-0.dll api-ms-win-crt-filesystem-l1-1-0.dll api-ms-win-crt-runtime-l1-1-0.dll api-ms-win-crt-math-l1-1-0.dll api-ms-win-crt-locale-l1-1-0.dll
RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind UnhandledExceptionFilter SetUnhandledExceptionFilter GetCurrentProcess TerminateProcess IsProcessorFeaturePresent QueryPerformanceCounter GetCurrentProcessId GetCurrentThreadId GetSystemTimeAsFileTime InitializeSListHead IsDebuggerPresent GetModuleHandleW strcmp api-ms-win-crt-string-l1-1-0.dll memcpy
<?xml version='1.0' encoding='UTF-8' standalone='yes'?><assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level='asInvoker' uiAccess='false'/></requestedPrivileges></security></trustInfo></assembly>
[... Authenticode signature (DER-encoded, mostly non-printable); the readable parts follow ...]
DigiCert Inc  www.digicert.com  DigiCert Assured ID Root CA  (220801000000Z to 311109235959Z)
DigiCert Inc  www.digicert.com  DigiCert Trusted Root G4
http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
New Gridiania  Hacker's Guild  Garlean Empire  Development & Ransom  Garlean Empire  gaius@mysweetchocobo.eo  (240228092638Z to 250227092638Z, i.e. 2024-02-28 09:26:38Z to 2025-02-27 09:26:38Z)
DigiCert Inc  www.digicert.com  DigiCert Trusted Root G4  (220323000000Z to 370322235959Z)
DigiCert, Inc.  DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
http://crl3.digicert.com/DigiCertTrustedRootG4.crl
DigiCert, Inc.  DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA  (230714000000Z to 341013235959Z)
DigiCert, Inc.  DigiCert Timestamp 2023
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
New Gridiania  Hacker's Guild  Garlean Empire  Development & Ransom  Garlean Empire  gaius@mysweetchocobo.eo
DigiCert, Inc.  DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA  240228093224Z (timestamp: 2024-02-28 09:32:24Z)
+------------------------------------+
| FLOSS STATIC STRINGS: UTF-16LE (2) |
+------------------------------------+
RegCreateKeyExA
RegSetValueExA

───────────────────────── FLOSS STACK STRINGS (0) ─────────────────────────

───────────────────────── FLOSS TIGHT STRINGS (0) ─────────────────────────

─────────────────────────── FLOSS DECODED STRINGS (0) ───────────────────────────

FLARE-VM Thu 03/28/2024 6:22:27.97
C:\Users\miche\Desktop\malware>

Two things in this dump are easy to misread. The run AQAPRQVH1R`>HR >HrP>HJJM1RAQ>HAXAX^YZAXAYAZHXAYZ>H is not text: those are the printable bytes of an embedded x64 stub (41 51 41 50 52 51 56 ... decodes to push r9, push r8, push rdx, push rcx, push rsi, and AXAX^YZAXAYAZ to the matching pops), i.e. the payload that WriteProcessMemory copies into the buffer. And user32.dll appears as a plain string but not in the import table, which is consistent with that payload resolving it at runtime rather than the executable linking against it.
Note that the fragments below are colour padding, not part of the message:
[38;5;240m%s
[0m[
[38;5;154m+
[0m]
They are ANSI escape sequences (SGR, "Select Graphic Rendition") for terminal colours; the ESC byte (0x1B) that precedes each '[' is not printable, so string extraction drops it. Taking [38;5;240m%s[0m[[38;5;154m+[0m] apart:
[38;5;240m: set the foreground colour. 38 selects foreground, 5 selects the 256-colour (8-bit) palette, and 240 is the index; 240 lies in the 232-255 greyscale ramp, i.e. a mid grey.
%s: a printf placeholder; at runtime a string is inserted here (the grey prefix, most likely a timestamp given the strftime and _localtime64_s imports).
[0m: reset all attributes to the default.
[: the literal opening bracket of the [+] marker.
[38;5;154m: foreground colour index 154, a yellow-green from the 6x6x6 colour cube.
+: the literal '+' marker.
[0m]: reset attributes, then the literal closing bracket.
In summary, each log line is rendered as a grey prefix, then a coloured status marker in brackets, then the message. The other markers use the same scheme: 117 (light blue) for i, 203 (salmon red) for !, 226 (yellow) for ?, 198 (pink) for *. The ANSI fluff is what makes the FLOSS output look garbled; strip it and the strings read cleanly.
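To turn the padded strings back into readable log lines, here is a small stripper and 256-colour decoder. This is an added example, not code from the page or from the sample; SAMPLE_FORMATS are constructed copies of format strings listed in the FLOSS output above, and the level names in LEVELS (success, info, warning, prompt, progress) are an assumed reading of the +, i, !, ? and * markers. The regex makes the ESC byte optional so that it works both on raw binary strings and on extracted output that has already lost it.

```python
import re

# Added example, not code from the page or the sample: strip the SGR colour
# sequences from the recovered format strings and decode the 256-colour
# indices in them. The ESC byte (0x1B) is made optional because it is not
# printable and string extraction drops it, leaving "[38;5;240m" behind.
# SAMPLE_FORMATS are constructed copies of format strings listed above.
SGR_RE = re.compile(r"\x1b?\[([0-9;]*)m")
MARKER_RE = re.compile(r"^%s\[(.)\] ?(.*)$")        # "%s[+] message" after stripping
LEVELS = {"+": "success", "i": "info", "!": "warning", "?": "prompt", "*": "progress"}  # assumed meanings


def xterm256_to_rgb(n):
    """xterm 256-colour index -> (r, g, b); 0-15 are terminal-defined, so None."""
    if not 0 <= n <= 255:
        raise ValueError("colour index out of range")
    if n < 16:
        return None
    if n >= 232:                                   # 24-step grey ramp
        v = 8 + 10 * (n - 232)
        return (v, v, v)
    n -= 16                                        # 6x6x6 colour cube, levels 0,95,135,175,215,255
    r, g, b = n // 36, (n % 36) // 6, n % 6
    return tuple(0 if c == 0 else 55 + 40 * c for c in (r, g, b))


def strip_sgr(s):
    return SGR_RE.sub("", s)


def foreground_colours(s):
    """256-colour foreground indices (38;5;N) used in s, in order of appearance."""
    out = []
    for params in SGR_RE.findall(s):
        p = params.split(";")
        if len(p) >= 3 and p[0] == "38" and p[1] == "5":
            out.append(int(p[2]))
    return out


def parse_log_format(s):
    """Return (level, message) for one of the sample's '%s[x] ...' format strings, else None."""
    m = MARKER_RE.match(strip_sgr(s))
    return (LEVELS.get(m.group(1), "unknown"), m.group(2)) if m else None


SAMPLE_FORMATS = [
    "[38;5;240m%s[0m[[38;5;154m+[0m] Registry key and value created successfully. Terminal restart required.",
    "[38;5;240m%s[0m[[38;5;117mi[0m] [0x%p] Current process handle.",
    "[38;5;240m%s[0m[[38;5;203m![0m] [%s] failed, error: 0x%lx",
    "[38;5;240m%s[0m[[38;5;226m?[0m] Username[0m :: >",
    "[38;5;240m%s[0m[[38;5;198m*[0m] [0x%p] [RW-] [%zu/%zu] Writing payload bytes to the allocated buffer...",
]

if __name__ == "__main__":
    for s in SAMPLE_FORMATS:
        print(parse_log_format(s), [xterm256_to_rgb(c) for c in foreground_colours(s)])
```

Piping the FLOSS output through strip_sgr() before pasting it into Notes.txt keeps the notes readable; the decoded RGB values are only there to confirm that the indices are the usual grey/green/blue/red/yellow status palette and not some encoding of their own.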
Further down the string list we also get certificate material:
http://ocsp.digicert.com
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
New Gridiania / Hacker's Guild / Garlean Empire / Development & Ransom / Garlean Empire / gaius@mysweetchocobo.eo (valid 240228092638Z to 250227092638Z)
These come from an Authenticode signature embedded in the file. Malware is rarely signed unless the author has a stolen or leaked code-signing certificate (using one is illegal), so a signature is always worth a closer look. Here the DigiCert entries belong to the chain of the timestamp countersignature, while the actual signer is the made-up "Garlean Empire" subject, which no trusted root will vouch for; check whether the chain validates before giving the signature any weight.
From all this we note:
PDB path, revealing the developer's username (hepha), the project name and an x64 Release build: C:\Users\hepha\Documents\Programs\maldev\Ultima\x64\Release\Ultima.pdb
Potential input/output location: C:\Temp, C:\Temp\garlean_note.txt (the "Left a little nugget behind." string suggests a note is dropped there; confirm dynamically)
Possible credentials for the login prompt: gaius / glitterychocobo123
Registry value it reads and writes: HKEY_CURRENT_USER\Console\VirtualTerminalLevel (matches the RegGetValueA / RegCreateKeyExA / RegSetValueExA imports)
Certificate details
From Properties > Digital Signatures > Details we get the signer and the countersignature timestamp.
View Certificate shows the full chain, the validity dates and whether Windows can build a trusted path to a root.
That's all for static analysis. Our final Notes.txt looks something like this: