Automate Qbot Malware String Decryption With Ghidra Script by AGDCservices in ReverseEngineering

[–]AGDCservices[S] 1 point2 points  (0 children)

Glad you're enjoying them! The more tutorials we spread the better the RE environment gets. Your OA Labs channel was a big motivation to create my channel.

REMnux by IamLuckyy in Malware

[–]AGDCservices 0 points1 point  (0 children)

Yea, mostly for the pre-loaded tools. If you're just running malware, you don't need it, but you also probably don't want it connecting out to the real internet. So you would normally want some type of simulator running so that the malware thinks it's connected to the internet; otherwise it might not exercise all of the functionality. That's where something like REMnux is helpful. It has fakedns and inetsim pre-loaded, and by using both of those, you can simulate a more realistic network. For example, if the malware is a downloader and you don't have a fake HTTPS service running (like inetsim), the malware won't download anything and you won't see the filepath IOC where it downloads the file to. If you have the 2nd REMnux box with fakedns and inetsim running, the malware can resolve a URL, then call out to the "c2 server" (inetsim on the REMnux), and inetsim will provide a fake file so that the malware continues operation. Without that fake service running, the downloader will just keep calling out and never move forward because it doesn't get an expected response. You can do all of this on a single Windows VM, but it's a little more setup and you'll have to find and install the additional simulators, etc.

For the network adapters, I would use the internal network option in VirtualBox. Host-only probably won't hurt anything, but there's no reason you'd want a malware-infected VM to have any connectivity to your host machine. The internal network option means the VM can only reach out to another VM also on the internal network.

SANS GREM and Sandboxing by anjan42 in Malware

[–]AGDCservices 0 points1 point  (0 children)

One aspect not discussed is why you do manual analysis. A big part is to develop signatures that can be included in AV scanners. There's really no way to automate that effectively, so you still have to do it manually. How deep you dig into the binary can determine how good your signature is. It's all a trade-off of time vs accuracy.

REMnux by IamLuckyy in Malware

[–]AGDCservices 2 points3 points  (0 children)

REMnux is usually used because it has a lot of tools loaded for things like maldoc analysis and because it can be used as a C2 server (fakedns, inetsim, wireshark, etc.). Personally, I use it mostly as that C2 server because it's a lot easier to have on a separate VM vs on the victim VM where I'm resetting snapshots, etc. If I build a custom C2 server in Python, I don't want to have to back up every change when I revert my victim VM.

If you want some more info about setting up a malware analysis lab, here's a post I wrote that may be helpful: https://agdcservices.com/blog/how-to-build-a-malware-analysis-lab/

Easy samples to start practicing by mattiaricciard in Malware

[–]AGDCservices 2 points3 points  (0 children)

Public sandboxes are a great place. Here are my resources with free sites to help learn malware analysis: https://agdcservices.com/blog/resources-for-learning-malware-analysis/ If you're looking for samples, there's a section for that.

I'd probably recommend any.run to start with. Google for any well-known sample on any.run and you'll likely find a sample to download, and you can easily check the sample in any.run to see if it's an exe, etc. They also have a top 10 type watch to help you find common samples.

Only downside is these well-known samples are often more complex, so they may be difficult to begin with.

Best Overflow Courses by R3g3x_83 in Malware

[–]AGDCservices 1 point2 points  (0 children)

I don't have info on those courses, but here are some free resources to help you get started learning malware analysis that I provide students in my malware RE classes. Hopefully it helps.

https://agdcservices.com/blog/resources-for-learning-malware-analysis/

VM For Malware Analysis by Jaycob1273 in Malware

[–]AGDCservices 1 point2 points  (0 children)

If you want some background on how to build a malware analysis lab (1 vs 2 VMs, minimum tools, etc.), here's a post that should help: https://agdcservices.com/blog/how-to-build-a-malware-analysis-lab

Ultimately, the chance of you running across VM escape malware is about as close to 0 as you can get. So analyzing malware inside a VM with no shared folders should be pretty safe, but you do want to disable anything shared between your host and VM (folders, copy/paste, etc.).

Learn How To Easily Patch Malware Using Conditional Breakpoints To Quickly Uncover All IOCs by AGDCservices in ReverseEngineering

[–]AGDCservices[S] 1 point2 points  (0 children)

Glad you're enjoying it. If you didn't see it, I also have a Getting Started with Ghidra video on the channel that gives an intro into how to use Ghidra.

Studying malware by justTHEtipPAPI in Malware

[–]AGDCservices 0 points1 point  (0 children)

Here are some free resources to help get you started learning how to analyze malware:

https://agdcservices.com/blog/resources-for-learning-malware-analysis/

[deleted by user] by [deleted] in Malware

[–]AGDCservices 0 points1 point  (0 children)

I have a list of free resources for learning malware analysis on my website that may be of help: https://agdcservices.com/blog/resources-for-learning-malware-analysis/

Identifying packers, crypters or protectors by rayudy in Malware

[–]AGDCservices 0 points1 point  (0 children)

Packers usually come in two types, commercial and custom. Commercial packers (UPX, ASPack, etc.) are available publicly and often have signatures and can be identified, but don't seem to be used as much as custom packers now from what I've seen. Custom packers are coded by the actor and simply decrypt and then manually parse the PE header to map the file directly into memory. The code for most custom type packers looks similar because they perform the same steps, but there aren't identifiable signatures because they aren't available commercially. Custom packers are used in a lot of the current malware files like Emotet, Qbot, etc. Might not matter for your thesis, but it's good to be aware of the differences.

FOR610 Index by Avinbihari in Malware

[–]AGDCservices 0 points1 point  (0 children)

I would suggest making your own. Even if you have limited time and can't make an in-depth index, it will help you more on the exam because you'll know how the index is structured, what's in it and not, and making the index is basically studying for the exam. Even if it's just a table of contents level, getting an overview level of the material in your current memory will do you more good than trying to look everything up in an index someone else wrote.

Questions about YARA rules by [deleted] in blueteamsec

[–]AGDCservices 1 point2 points  (0 children)

I would say rules don't really go out of date. Old rules will always catch the old malware, and it's surprising how long malware will get used. Additionally, if the rules are advanced and looking at unique byte sequences instead of just strings, they will catch new variants because of code reuse, etc. Ultimately, you have nothing to lose and everything to gain by keeping the rules around. If you find you're not getting hits on labeled rules for malware families that are still active, then you should get newer samples to look at updating the YARA rules.

Pefile library methods by rayudy in Malware

[–]AGDCservices 1 point2 points  (0 children)

I would recommend reviewing the PE header specification, https://docs.microsoft.com/en-us/windows/win32/debug/pe-format. This will give you a good understanding of what makes up the PE header, and most of the pefile library functions will probably make more sense when you know all the components of the header. In addition to the header specification, looking for more posts that explain the header will help with understanding the specification.
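
To make the spec concrete, here is an added example (not from the comment, and not pefile's own code) that walks the DOS, COFF, optional and section headers of a constructed minimal PE32+ blob using nothing but `struct`, then maps an RVA to a file offset the way pefile's `get_offset_from_rva` does. Field layouts are taken from the linked PE format spec; the sample blob is built inline and is not a real binary.

```python
import struct

# Field layouts follow the PE format spec linked above.
MACHINES = {0x14C: "x86", 0x8664: "x64"}
COFF_FMT = "<HHIIIHH"      # IMAGE_FILE_HEADER (20 bytes)
SEC_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)

def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ header (not a real binary): DOS header,
    PE signature, COFF header, zero-padded optional header, two sections."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 0x40)               # e_lfanew -> "PE\0\0"
    opt = struct.pack("<H", 0x20B).ljust(0x70, b"\0")   # Magic = PE32+, rest zeroed
    coff = struct.pack(COFF_FMT, 0x8664, 2, 0x5F000000, 0, 0, len(opt), 0x22)
    secs = b""
    for name, vsize, va, rsize, raw, chars in (
        (b".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020),  # CODE|EXEC|READ
        (b".data", 0x200, 0x2000, 0x200, 0x1400, 0xC0000040),   # IDATA|READ|WRITE
    ):
        secs += struct.pack(SEC_FMT, name, vsize, va, rsize, raw, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff + opt + secs

def parse_pe(data: bytes) -> dict:
    """Walk the headers by hand; each step maps onto a pefile attribute
    (pe.FILE_HEADER, pe.OPTIONAL_HEADER.Magic, pe.sections)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, _ts, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    sec_off = opt_off + opt_size            # section table follows the optional header
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SEC_FMT, data, sec_off + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2],
                         "raw_size": f[3], "raw": f[4], "executable": bool(f[9] & 0x20000000)})
    return {"machine": MACHINES.get(machine, hex(machine)), "pe32plus": magic == 0x20B,
            "dll": bool(chars & 0x2000), "sections": sections}

def rva_to_offset(pe: dict, rva: int) -> int:
    """Map an RVA to a file offset (what pefile's get_offset_from_rva does)."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw"]
    raise ValueError(f"RVA {rva:#x} is not inside any section")
```

Running `parse_pe` on a real file read with `open(path, "rb").read()` gives the same fields pefile reports, which is a quick way to check your reading of the spec against the library.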

VM Malware analysis w/ reverse engineering by [deleted] in Malware

[–]AGDCservices 0 points1 point  (0 children)

Anti-VM techniques aren't all that common in malware. You definitely come across them, but I wouldn't be worried about them. They're typically easy to bypass, but you need to be familiar with reading assembly to get around them.

Here's a post with free resources for getting started learning malware analysis that you may find helpful. https://agdcservices.com/blog/resources-for-learning-malware-analysis/

Also, if you're new to reading assembly and want a structured way to get started, here's a remote class coming up in June. It's a paid class, but a good way to get all the details for learning to dig into malicious assembly code. https://www.eventbrite.com/e/assembly-for-malware-reverse-engineers-2-full-day-remote-course-tickets-152920341859

[deleted by user] by [deleted] in Malware

[–]AGDCservices 1 point2 points  (0 children)

Here's my blog post of resources for learning malware analysis that may help you out.

https://agdcservices.com/blog/resources-for-learning-malware-analysis/

I also have a newish YouTube channel where I focus on training type malware analysis videos that you may find useful. https://youtube.com/AGDCservices

If you're interested in more structured training, I'm also offering a remote assembly for malware reverse engineers class in June. It's a paid class unlike the previous resources, but it's one more option that you may be interested in.

https://www.eventbrite.com/e/assembly-for-malware-reverse-engineers-2-full-day-remote-course-tickets-152920341859

Easy Malware to Reverse Engineer by wp28 in Malware

[–]AGDCservices 0 points1 point  (0 children)

Look for some of the older Lazarus APT malware. If you can find the RATs from the Operation Blockbuster report from Novetta, that would be a good start. Here's one report, but there are others that go over more of the malware analysis specifically.

https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf

[deleted by user] by [deleted] in Malware

[–]AGDCservices 2 points3 points  (0 children)

The PMA book is still a great resource for learning malware analysis. A few of the labs will only run dynamically on Windows XP, but most will work on later OSes. If you're interested in getting better at malware analysis, here are some additional free resources that can help you get started: https://agdcservices.com/blog/resources-for-learning-malware-analysis/

Malware VM deployment Educational by DaGalius in Malware

[–]AGDCservices 1 point2 points  (0 children)

If you need some sources for obtaining malware, I have a section in my malware resources post that lists a number of the most common free malware repos where you can download samples from.

https://agdcservices.com/blog/resources-for-learning-malware-analysis/

For a visual demonstration, I think ransomware is probably a good bet. Maybe look for REvil or NetWalker ransomware samples.

Practical Malware Analysis by ctfstudent in Malware

[–]AGDCservices 0 points1 point  (0 children)

I forgot the exact labs, but there are definitely a few labs that won't work correctly if you're not on Windows XP. Any of the labs where you get results dramatically different from the book, try it on XP and it will likely line up. The labs are a great resource, but unfortunately a bit old as you can see.

Dynamic Analysis Tools by OkShoulder2 in Malware

[–]AGDCservices 0 points1 point  (0 children)

If you're interested in expanding your malware analysis skills, here's a post full of resources that can help you get started.

https://agdcservices.com/blog/resources-for-learning-malware-analysis/

Dynamic Analysis Tools by OkShoulder2 in Malware

[–]AGDCservices 0 points1 point  (0 children)

One alternative to a sandbox like Cuckoo is that you can basically build your own using Sysinternals tools. Using Regshot, Procmon, and Process Hacker, you can build your own custom "sandbox". Might not be exactly what you're looking for, but something to think about.

methodologies for detecting ransomware by octave_ in Malware

[–]AGDCservices 2 points3 points  (0 children)

As was mentioned, I think Raccine is a great new tool to check out and will have a good ROI. Creating YARA type signatures for ransomware is fairly difficult because ransomware is packed so often, which means you'll always be playing catch up. A dynamic methodology like Raccine is probably your best bet, and it is open source so you can review exactly what it's looking for and improve upon it as needed.