SAMPLE NOTES (of Notes.txt)

=========================================================================
=========================================================================
STATIC ANALYSIS
=========================================================================
=========================================================================
- MD5 - 73c0bd614ceeaa765f9e1284c28fdc16
- SHA256 - f48f43594cc5563217a6a19d2af2dc8d82f397a98540fd96c0c5b7d6d6a2a402
=========================================================================
- VirusTotal - https://www.virustotal.com/gui/file/f48f43594cc5563217a6a19d2af2dc8d82f397a98540fd96c0c5b7d6d6a2a402/detection
- Compiler - MSVC
- Linker - MS Linker
=========================================================================
- Self-injection related APIs (KERNEL32): VirtualAlloc, VirtualFree, VirtualProtect, WriteProcessMemory, CreateThread, WaitForSingleObject
- Registry alteration APIs (ADVAPI32): RegGetValueA, RegCreateKeyExA, RegSetValueExA, RegCloseKey
=========================================================================
- Embedded PDB path revealing the developer's user profile and project layout - C:\Users\hepha\Documents\Programs\maldev\Ultima\x64\Release\Ultima.pdb
- Potential input/output directory and file - C:\Temp, C:\Temp\garlean_note.txt
- Possible creds - gaius: glitterychocobo123
=========================================================================
- OPSEC lacking - the embedded subject fields read:
E = gaius@mysweetchocobo.eo
CN = Garlean Empire
OU = Development & Ransom
O = Garlean Empire
L = Hacker's Guild
S = New Gridiania
C = EO

=========================================================================
=========================================================================
DYNAMIC ANALYSIS
=========================================================================
=========================================================================

- Ultima.exe checks whether [HKEY_CURRENT_USER\CONSOLE] "VirtualTerminalLevel" = dword:00000001
- If it is not set, the process creates the value, sets it to 1 and then exits.
- Once the registry value has been set and colour output is enabled, the malware asks for authentication.
- If we give a wrong username/password pair, we get 3 chances to supply the correct one:
[09:06:40] [+] Operation Ultima, Final Weapon. v16.8
[09:06:40] [i] Beginning initialization...
[09:06:40] [i] Attempting to read value from Computer\HKEY_CURRENT_USER\Console\VirtualTerminalLevel...
[09:06:40] [+] Computer\HKEY_CURRENT_USER\Console\VirtualTerminalLevel is already set to one (1)!
[09:06:40] [i] Welcome operator. Use your Empire-issued credentials to sign in.
[09:06:40] [?] Username :: > hi
[09:06:50] [?] Password :: > 1
[09:06:50] [!] [1/3] Careful, initiate. Lest you want to lose your head.
[09:06:50] [?] Username :: > hi
[09:06:52] [?] Password :: > 2
[09:06:53] [!] [2/3] Careful, initiate. Lest you want to lose your head.
[09:06:53] [?] Username :: > hi
[09:06:55] [?] Password :: > 3
[09:06:56] [!] [3/3] Careful, initiate. Lest you want to lose your head.
[09:06:56] [!] Maximum login attempts exceeded. Access denied. We're on our way.

- If we succeed, we get the following:
[08:53:07] [+] Operation Ultima, Final Weapon. v16.8
[08:53:07] [i] Beginning initialization...
[08:53:07] [i] Attempting to read value from Computer\HKEY_CURRENT_USER\Console\VirtualTerminalLevel...
[08:53:07] [+] Computer\HKEY_CURRENT_USER\Console\VirtualTerminalLevel is already set to one (1)!
[08:53:07] [i] Welcome operator. Use your Empire-issued credentials to sign in.
[08:53:07] [?] Username :: > gaius
[08:53:33] [?] Password :: > glitterychocobo123
[08:53:43] [+] Successfully authenticated. Welcome, Gaius van Baelsar.
[08:53:43] [i] All clear for detonation. Whenever you're ready, Black Wolf.
[08:53:43] [?] Press <any key> to continue execution. :: >

- Once any key is pressed, the malware self-injects MessageBox shellcode into its own process:
[09:01:47] [i] [0xFFFFFFFFFFFFFFFF] Current process handle.
[09:01:47] [+] [0x000002A76AAB0000] [RW-] Allocated a buffer with PAGE_READWRITE [RW-] permissions!
[09:01:47] [*] [0x000002A76AAB0000] [RW-] [377/377] Writing payload bytes to the allocated buffer...
[09:01:47] [+] [0x000002A76AAB0000] [RW-] Wrote 377-bytes to the allocated buffer
[09:01:47] [+] [0x000002A76AAB0000] [R-X] Changed buffer's page protection to PAGE_EXECUTE_READ [R-X]
[09:01:47] [+] [0x00000000000000B4] Thread created! waiting for it to finish its execution...

MSGBOX TITLE - "Ultima"
MSGBOX CONTENT - "The power of the sun... in the palm of my hands."

- After pressing 'OK', the process cleanly exits:
[09:01:49] [i] [0x00000000000000B4] Thread finished execution, beginning cleanup...
[09:01:49] [i] [0xFFFFFFFFFFFFFFFF] Closed process handle
[09:01:50] [i] [0x00000000000000B4] Closed thread handle
[09:01:50] [i] [0x000002A76AAB0000] Remote buffer freed
[09:01:50] [+] Left a little nugget behind.
[09:01:50] [+] Ultima unleashed. Such devestation. This was your intention. Exiting...
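Added defender-side example (not part of these notes or the sample's own code): the script below parses the log format the sample prints and flags the self-injection sequence walked through above, a buffer allocated RW, payload written, protection flipped to R-X, then a thread started. The log lines are the ones recorded above; the line regex, stage names and function names are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed input: the self-injection lines captured in these notes.
LOG = """\
[09:01:47] [i] [0xFFFFFFFFFFFFFFFF] Current process handle.
[09:01:47] [+] [0x000002A76AAB0000] [RW-] Allocated a buffer with PAGE_READWRITE [RW-] permissions!
[09:01:47] [*] [0x000002A76AAB0000] [RW-] [377/377] Writing payload bytes to the allocated buffer...
[09:01:47] [+] [0x000002A76AAB0000] [RW-] Wrote 377-bytes to the allocated buffer
[09:01:47] [+] [0x000002A76AAB0000] [R-X] Changed buffer's page protection to PAGE_EXECUTE_READ [R-X]
[09:01:47] [+] [0x00000000000000B4] Thread created! waiting for it to finish its execution...
[09:01:50] [i] [0x000002A76AAB0000] Remote buffer freed
"""

# [HH:MM:SS] [tag] [0xADDR] [optional RWX perms] message  (assumed layout)
LINE_RE = re.compile(
    r"^\[(?P<ts>\d\d:\d\d:\d\d)\] \[(?P<tag>[^\]]+)\] \[(?P<addr>0x[0-9A-Fa-f]+)\]"
    r"(?: \[(?P<perm>[RWX-]{3})\])? (?P<msg>.*)$"
)

def parse(log):
    """Yield (timestamp, address, perms-or-None, message) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("addr"), m.group("perm"), m.group("msg")

def find_self_injection(log):
    """Return {buffer_addr: {"bytes": n, "sequence": [...]}} for every buffer
    that went alloc(RW) -> write -> protect(R-X) -> thread started."""
    stages = defaultdict(list)   # buffer address -> ordered stage names
    findings = {}
    for _ts, addr, perm, msg in parse(log):
        ml = msg.lower()
        if perm == "RW-" and ml.startswith("allocated"):
            stages[addr].append("alloc_rw")
        elif perm == "RW-" and ml.startswith("wrote"):
            n = re.search(r"(\d+)-bytes", msg)
            stages[addr].append("write")
            findings.setdefault(addr, {})["bytes"] = int(n.group(1)) if n else None
        elif perm == "R-X" and "page protection" in ml:
            stages[addr].append("protect_rx")
        elif ml.startswith("thread created"):
            # The thread line carries the thread handle, not the buffer, so the
            # thread start is attributed to every buffer already staged to R-X.
            for a, s in stages.items():
                if s == ["alloc_rw", "write", "protect_rx"]:
                    findings[a]["sequence"] = s + ["thread"]
    return {a: f for a, f in findings.items() if "sequence" in f}
```

Feeding only an allocation line (no write, no protection change) returns an empty dict, so the rule keys on the full RW-to-RX-to-execute chain rather than on VirtualAlloc alone.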

- A file named "garlean_note.txt" is dropped in the "C:\Temp\" directory. It reads the following:
[+] Branded by the Garlean Empire.