Skip to content

Malware University

Class is in Session

  • About
    • Privacy Policy
  • Contact
  • Resources

MFA Abuse in Splunk

Posted on August 11, 2022 - August 11, 2022 by admin

With all the MFA bombing/lazy swiping going on, maybe you need to find such abuses in your environment.

Twilio, Cloudflare, and Cisco were all hit recently with 2FA/MFA attacks and valid stolen credentials.

index=okta sourcetype=OktaIM2:log eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH))
| stats count(eval(legacyEventType="core.user.factor.attempt_success")) as successes count(eval(legacyEventType="core.user.factor.attempt_fail")) as failures count(eval(eventType="system.push.send_factor_verify_push")) as pushes by authenticationContext.externalSessionId, user, _time
| stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as successes sum(failures) as failures sum(pushes) as pushes by authenticationContext.externalSessionId, user
| eval seconds=lasttime-firsttime
| eval lasttime=strftime(lasttime, "%c")
| search (pushes > 3)
| eval totalattempts=successes+failures
| eval finding="Normal authentication pattern"
| eval finding=if(failures==pushes AND pushes>1, "Authentication attempts not successful because multiple pushes denied", finding)
| eval finding=if(totalattempts==0, "Multiple pushes sent and ignored", finding)
| eval finding=if(successes > 0 AND pushes > 3, "Multiple pushes sent, potential abuse detected", finding)
| where seconds < 300
Posted in Current EventsTagged 2fa, lazy swiping, mfa bombing, SPL, splunkLeave a comment

Virtualbox Automation

Posted on March 23, 2022 - March 23, 2022 by admin

The following Python code may be used to remotely control a Virtualbox-managed virtual machine. It is useful for batch testing or malware analysis (sandbox management).

#!/usr/bin/env python3

#
# Installing the virtualbox deps:
#   python3 -m pip install pyvbox
#   Download the VirtualBox SDK from https://www.virtualbox.org/wiki/Downloads
#   Unzip the package
#   cd sdk/installer
#   python3 vboxapisetup.py install
#

import virtualbox
import logging


class Sandbox(object):
    def __init__(self, name):
        vbox = virtualbox.VirtualBox()
        self.vm = vbox.find_machine(name)
        #self.session = virtualbox.Session()
        self.session = virtualbox.library.ISession(self.vm.create_session())

        return


    def start(self):
        logging.info('Starting the VM from Office snapshot')
        self.snapshot = self.vm.find_snapshot('Office 2007 Live')
        progress = self.session.machine.restore_snapshot(self.snapshot)
        progress.wait_for_completion()
        self.session.unlock_machine()
        # progress = self.vm.launch_vm_process(self.session, 'headless', '')
        progress = self.vm.launch_vm_process(self.session, '', '')
        progress.wait_for_completion()

        if self.vm.state == self.vm.state.running:
            print('Successfully running')
        print('Done')

        # Create guest session.
        self.console = virtualbox.library.IConsole(self.session.console)
        self.guest = self.console.guest
        # self.guest.sessions[0] contains our IGuestSession object
        self.os_type = self.guest.os_type_id	    # Example
        # self.guest = virtualbox.library.IGuest(self.session)
        # Session is already established in snapshot of unlocked machine?
        self.g_session = self.guest.create_session('malware', 'password', '', '')

        return


    #
    # Username is 'malware'; password is 'password'
    #
    def guest_session_test(self):
        self.console = virtualbox.library.IConsole(self.session.console)
        self.guest = self.console.guest
        # self.guest.sessions[0] contains our IGuestSession object
        self.os_type = self.guest.os_type_id	    # Example
        # self.guest = virtualbox.library.IGuest(self.session)
        # Session is already established in snapshot of unlocked machine?
        self.g_session = self.guest.create_session('malware', 'password', '', '')
        # 1 = R
        # 2 = 
        # 3 = RW
        flag = virtualbox.library.FileCopyFlag(0)
        # This stores the file in your user's home directory by default.
        self.g_session.file_copy_from_guest('C:/Program Files (x86)/Microsoft Office/Office12/GRAPH.EXE', 'C:/WINDOWS/Temp/graph.exe', [flag])


    def drop_artifact(self, artifact_path, destination_on_guest):
        logging.info('About to drop "{}" to "{}"'.format(artifact_path, destination_on_guest))
        flag = virtualbox.library.FileCopyFlag(0)
        progress = self.g_session.file_copy_to_guest(artifact_path, destination_on_guest, [flag])
        progress.wait_for_completion()
        logging.info('"{}" successfully dropped to guest'.format(artifact_path))

        return


    def receive_artifact(self, src_on_guest, path_host_save):
        logging.info('About to pull "{}" to "{}"'.format(src_on_guest, path_host_save))
        flag = virtualbox.library.FileCopyFlag(0)
        progress = self.g_session.file_copy_from_guest(src_on_guest, path_host_save, [flag])
        progress.wait_for_completion()
        logging.info('"{}" successfully saved to "{}"'.format(src_on_guest, path_host_save))

        return


    def execute_command(self, 
                        executable_path: str, 
                        arguments: [str],
                        environment_changes: [str],
                        process_create_flag: [virtualbox.library.ProcessCreateFlag],
                        timeout_ms: int,
                        priority: virtualbox.library.ProcessPriority,
                        affinity: [int]):
        terminate_flag = virtualbox.library.ProcessWaitForFlag(2)

        self.guest_process = self.g_session.process_create_ex(  executable_path, 
                                                                arguments, 
                                                                environment_changes,
                                                                process_create_flag,
                                                                timeout_ms,
                                                                priority,
                                                                affinity)
        logging.info('Process "{}" successfully kicked off...waiting for it to finish'.format(executable_path))
        self.process_wait_result = self.guest_process.wait_for(terminate_flag)
        if self.process_wait_result == virtualbox.library.ProcessWaitResult(5):
            logging.info('Process "{}" exceeded the timeout threashold of {} milliseconds'.format(  executable_path,
                                                                                                    str(timeout_ms))) 
        elif self.process_wait_result == virtualbox.library.ProcessWaitResult(2):
            logging.info('Process "{}" terminated gracefully'.format(executable_path))


    def stop(self):
        # Shut off VM
        progress = self.session.console.power_down()
        progress.wait_for_completion()

        return


s = Sandbox('Windows 7 Office')
s.start()
# s.guest_session_test()
s.drop_artifact('C:/WINDOWS/System32/cmd.exe', 'C:/WINDOWS/Temp/cmd_2016.exe')
#s.execute_command(  'C:/WINDOWS/Temp/cmd_2016.exe',
s.execute_command(  'C:/Program Files (x86)/Microsoft Office/Office12/GRAPH.EXE',
                    [],
                    [],
                    [virtualbox.library.ProcessCreateFlag(0)],
                    20000,
                    virtualbox.library.ProcessPriority(1),
                    [])
s.stop()
Posted in UtilitiesTagged automation, hypervisor, io, malware analysis, Python, sandbox, test, virtualbox

Repository Poisoning

Posted on March 23, 2022 - March 23, 2022 by admin

This stuff has been going on since at least the middle 2000s with the Debian APT repository getting popped by dikline, installing a backdoored ssh daemon and notifying a remote server when ruby was downloaded and installed.

An activist released several updates to a popular nodejs repository he helps run, which gets about 1 million downloads a week. RIAevangelist thought he could help the current situation in Eastern Europe by wiping all files on disk by renaming them all with a [heart] icon if a web service reported they were geolocated in Russia or Belarus.

He quickly had his Twitter account compromised and had docs dropped on him, alleging infidelity to his Japanese wife, along with other personal and family details and a message from the hacker to not mess around with things bigger than him.

Companies and open source projects around the world are concerned with such behavior as this is, yet again, another example of massive supply chain dependencies in our software world which are taken for granted. All you need is one bad actor to potentially bring your business or community down.

Some companies may be paranoid and resourceful enough to maintain their own repositories if they were not already doing so. Otherwise they will continue to trust the devil they don’t know.

This is a potentially big blow for the open source community and high level interpreted languages everywhere.

Trust is paramount to business.

Posted in Current EventsTagged activism, backdooring, node-ipc, nodejs, repo

Bastion

Posted on November 5, 2021 - November 5, 2021 by admin

Not all job scams are the same. Some have you work legitimately and pay a going rate, while in this case you deliver them the expertise needed to steal. Hacking group FIN7 was caught operating Bastion Security, fronting as a British company yet operating out of Russia.

A threat intelligence company had a source join the underground group via the front business. The spy was able to obtain FIN7 tooling once joining. Carbanak and Lizar/Tirion were the tools he found the group using for “pentests”.

Jobs were advertised around $1000 USD per month for 9 – 12 hours of work per day through the week. Rough conditions for Eastern Europeans.

Bastion took cover with their name, trying to pass themselves off as other legitimate security-named companies registered and known to major search engines. Their website looks legitimate yet is mostly copied from Convergent Network Solutions.

Part of the demands of the group is for an operator to install VMs locally with ports to the host unblocked.

Posted in Current EventsTagged fin7Leave a comment

OpenSea NFT Bug

Posted on October 14, 2021 - October 14, 2021 by admin

Users are being sent “gifts” with executable photos. Within a browser context. Siphoning off peoples’ JS-powered wallet by communicating within the browser. Requires some social engineering to get an extra click, confirming the siphoning.

Watch your wallets.

Posted in Current Events, TechniquesTagged cyrpto, javascript, opensea, phishing, svg, xml, xss

WHOIS Quick Summary

Posted on October 9, 2021 - October 9, 2021 by admin

This is a useful WHOIS query tool. Gives you the most important information you need in an easy-to-read-and-understand format.

#!/bin/bash

if [ -e ${1} ]; then
    echo "You did not supply a domain"
    exit 1
fi

DOMAIN=${1}
CMD=$(whois ${DOMAIN})

function HandleRIPE {
    # I wanted to make life hard on myself by echoing out the unformatted string.
    # We get to play with grep-based look ahead parsing to extract strings.
    # xargs will clean the output.
    # echo "INetNum|"$(echo ${CMD} | grep -o -P '(?<=inetnum:).*(?=netname:)' | xargs)
    echo "INetNum|"$(echo "${CMD}" | grep -m 1 'inetnum' | cut -d':' -f2- | xargs 2>/dev/null)
    echo "Country|"$(echo "${CMD}" | grep -m 1 'country' | cut -d':' -f2- | xargs 2>/dev/null)
    echo "OrgName|"$(echo "${CMD}" | grep -m 1 'org-name' | cut -d':' -f2- | xargs 2>/dev/null)
    echo "Phone|"$(echo "${CMD}" | grep -m 1 'phone' | cut -d':' -f2- | xargs 2>/dev/null)
    Remarks=()
    # echo "${CMD}" | grep 'remarks' | while read -r line ; do
    while read line; do
        found=0
        fmt_line=$(echo "${line}" | cut -d':' -f2- | xargs 2>/dev/null)
        len_remarks=${#Remarks[@]}
        if [ ${len_remarks} -eq 0 ]; then
            Remarks+=("${fmt_line}") 
            # echo "Remarks|${fmt_line}"
        else
            for i in "${Remarks[@]}"; do 
                echo "$i" | grep "${fmt_line}" 2>&1 > /dev/null
                if [ $? -eq 0 ]; then 
                    # Remarks+=("${fmt_line}")
                    # echo "Remarks|${fmt_line}"
                    found=1
                fi
            done
            # BASH is not a real programming language.
            # Can't do [ ! ${found} ]
            # # true -eq false if [[ ${found} -eq false ]]; then
            if [ ${found} -eq 0 ]; then 
                Remarks+=("${fmt_line}")
            fi
        fi
    # done
    done < <(echo "${CMD}" | grep 'remarks')
    # Damned subshells, need to implement process substitution to redirect output from separate processes to keep
    # this variable alive.
    for i in "${Remarks[@]}"; do
        echo "Remarks|${i}"
    done
}

function HandleARIN {
    # I wanted to make life hard on myself by echoing out the unformatted string.
    # We get to play with grep-based look ahead parsing to extract strings.
    # xargs will clean the output.
    # echo "INetNum|"$(echo ${CMD} | grep -o -P '(?<=inetnum:).*(?=netname:)' | xargs)
    echo "INetNum|"$(echo "${CMD}" | grep -m 1 'NetRange' | cut -d':' -f2- | xargs 2>/dev/null)
    echo "Country|"$(echo "${CMD}" | grep -m 1 'Country' | cut -d':' -f2- | xargs 2>/dev/null)
    echo "OrgName|"$(echo "${CMD}" | grep -m 1 'OrgName' | cut -d':' -f2- | xargs 2>/dev/null)
    echo "Phone|"$(echo "${CMD}" | grep -m 1 'OrgAbusePhone' | cut -d':' -f2- | xargs 2>/dev/null)
    Remarks=()
    # echo "${CMD}" | grep 'remarks' | while read -r line ; do
    while read line; do
        found=0
        fmt_line=$(echo "${line}" | cut -d':' -f2- | xargs 2>/dev/null)
        len_remarks=${#Remarks[@]}
        if [ ${len_remarks} -eq 0 ]; then
            Remarks+=("${fmt_line}") 
            # echo "Remarks|${fmt_line}"
        else
            for i in "${Remarks[@]}"; do 
                echo "$i" | grep "${fmt_line}" 2>&1 > /dev/null
                if [ $? -eq 0 ]; then 
                    # Remarks+=("${fmt_line}")
                    # echo "Remarks|${fmt_line}"
                    found=1
                fi
            done
            # BASH is not a real programming language.
            # Can't do [ ! ${found} ]
            # # true -eq false if [[ ${found} -eq false ]]; then
            if [ ${found} -eq 0 ]; then 
                Remarks+=("${fmt_line}")
            fi
        fi
    # done
    done < <(echo "${CMD}" | grep 'remarks')
    # Damned subshells, need to implement process substitution to redirect output from separate processes to keep
    # this variable alive.
    for i in "${Remarks[@]}"; do
        echo "Remarks|${i}"
    done
}

#
# If we receive a RIPE query, the user supplied an IP.
# We also need to handle ARIN queries.
#
echo "${CMD}" | grep "RIPE" 2>&1 > /dev/null
if [ $? -eq 0 ]; then
    HandleRIPE  
    exit 0
fi
echo "${CMD}" | grep "ARIN" 2>&1 > /dev/null
if [ $? -eq 0 ]; then
    HandleARIN
    exit 0
fi

#
# Command xargs by itself removes the whitespace, amazing!
#
echo "Registrar|"$(echo "${CMD}" | grep -m 1 'Registrar URL' | cut -d':' -f2- | xargs 2>/dev/null)
echo "AbuseEmail|"$(echo "${CMD}" | grep -m 1 'Registrar Abuse Contact Email' | cut -d':' -f2 | xargs 2>/dev/null)
echo "AbusePhone|"$(echo "${CMD}" | grep -m 1 'Registrar Abuse Contact Phone' | cut -d':' -f2 | xargs 2>/dev/null)
# Two results are returned on some WHOIS in the field.  Only show the date, not time.
echo "CreationDate|"$(echo "${CMD}" | grep -m 1 'Creation Date' | cut -d':' -f2 | cut -d'T' -f1 | xargs 2>/dev/null)
Posted in UtilitiesTagged osint, reconaissance, scripting, shell, threat intelligence, whoisLeave a comment

Resourceful Fraudster Frees Phones, Gets Prison

Posted on September 21, 2021 - September 21, 2021 by admin

AT&T, world’s largest telecom company, reported losses over $200,000,000 USD after a Pakistani fraudster, Muhammed Fahd, started and managed several unlocking services since the summer of 2012.

Fahd recruited AT&T employees with monetary bribes to allow his companies the ability to unlock tethered cell phones purchased under contract by customers of AT&T. AT&T caught on in April 2013, blocking the ability of certain staff to unlock cell phones.

A malware developer was hired to create software which allowed the fraud team to collect and analyze network data of how AT&T was unlocking customers’ cell phones. This allowed the team to unlock cell phones via their third-party companies from Pakistan.

The bribery continued with asking employees to implant hardware devices such as WiFi access points within the company’s internal network.

At least 1,900,033 cell phones were unlocked by his team, allegedly worth $201,497,430.94 USD to AT&T. His companies included Swif Unlocks Inc, Endless Trading FZE, Endless Connections Inc, and iDevelopment Co.

Hong Kong made the arrest of Fahd in February 2018. August 2019 he was extradited to the US to face judgement. He is now sentenced to 12 years in prison for committing wire fraud, which he admitted to in September 2020.

Posted in Current EventsTagged att, fraud, unlockingLeave a comment

PowerShell Monitor File Activity

Posted on September 14, 2021 - September 14, 2021 by admin

This script allows you to monitor the file-related events (recursive) under a given folder. Be careful with short paths.

$folder = 'c:\scripts' # Enter the root path you want to monitor.
$filter = '*.*'  # You can enter a wildcard filter here.  Like *.bat.

# In the following line, you can change 'IncludeSubdirectories to $true if required.                          
$fsw = New-Object IO.FileSystemWatcher $folder, $filter -Property @{IncludeSubdirectories = $false;NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite'}

# Here, all three events are registerd.  You need only subscribe to events that you need:

Register-ObjectEvent $fsw Created -SourceIdentifier FileCreated -Action {
$name = $Event.SourceEventArgs.Name
$changeType = $Event.SourceEventArgs.ChangeType
$timeStamp = $Event.TimeGenerated
Write-Host "The file '$name' was $changeType at $timeStamp" -fore green
Out-File -FilePath c:\scripts\filechange\outlog.txt -Append -InputObject "The file '$name' was $changeType at $timeStamp"}

Register-ObjectEvent $fsw Deleted -SourceIdentifier FileDeleted -Action {
$name = $Event.SourceEventArgs.Name
$changeType = $Event.SourceEventArgs.ChangeType
$timeStamp = $Event.TimeGenerated
Write-Host "The file '$name' was $changeType at $timeStamp" -fore red
Out-File -FilePath c:\scripts\filechange\outlog.txt -Append -InputObject "The file '$name' was $changeType at $timeStamp"}

Register-ObjectEvent $fsw Changed -SourceIdentifier FileChanged -Action {
$name = $Event.SourceEventArgs.Name
$changeType = $Event.SourceEventArgs.ChangeType
$timeStamp = $Event.TimeGenerated
Write-Host "The file '$name' was $changeType at $timeStamp" -fore white
Out-File -FilePath c:\scripts\filechange\outlog.txt -Append -InputObject "The file '$name' was $changeType at $timeStamp"}
Posted in UtilitiesTagged file activity, monitoring, Powershell, windowsLeave a comment

TDL4 IDAPython Decryptor

Posted on September 14, 2021 - September 14, 2021 by admin

This is a script used to unpack a hidden area of the bootsector after a TDL4 infection. This is classic code but still useful is anyone needs it. Written by your humble admin many years ago.

import idaapi

# Simulate C-style for() loop.
def cfor(first, test, update):
    while test(first):
        yield first
        first = update(first)


# Bit-shifting operations.
#def ROR(x, n, bits = 32):
#    mask = (2L**n) - 1
#    mask_bits = x & mask
#    return (x >> n) | (mask_bits << (bits - n))

#def ROL(x, n, bits = 32):
#    return ROR(x, bits - n, bits)
def ROR(byte, count):
    while count > 0:
        byte = (byte >> 1 | byte << 7) & 0xFF
        count -= 1
    return byte


if __name__ == "__main__":
    print "TDL4 Decrypt"
    print "A script to unpack the contents hidden on the bootsector of a TDL4 infected host"
    print ""
    
    encryptedBytes = [None] * 311
    
    rorCount = 311  # 0x137 (CX)
    count = 0
    # target starts at 0x62A in memory
    for i in cfor(int('0x2A', 16), lambda i : i < (311 + i), lambda i : i + 1):
        cryptedByte = idaapi.get_byte(i)
        print "Byte[" + hex(i) + "]:    " + hex(cryptedByte)
        idaapi.patch_byte(i, ROR(cryptedByte, rorCount - count))
        count += 1
        if count == 311:
            break
Posted in UtilitiesTagged bootsector, decryptor, ida pro, idapython, malware, tdl4, windowsLeave a comment

Read (and infect) Windows MBR

Posted on September 14, 2021 - September 14, 2021 by admin

This code is useful for detecting the exact version of Windows you are using, and then choosing to infect (writing to PHYSICALDRIVE0) of the target machine. Windows 2012 Server and XP are supported in this snippet.

#include "stdafx.h"

#define BUFFER_SIZE		1000
#define SZ_WXP_MBR		382
#define SZ_W2K12_MBR	870 

// You can't include things like partition table, because they are probably unique to each machine.
unsigned char WXP_MBR[382] = {
    0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xFB,
    0x50, 0x07, 0x50, 0x1F, 0xFC, 0xBE, 0x1B, 0x7C,
    0xBF, 0x1B, 0x06, 0x50, 0x57, 0xB9, 0xE5, 0x01,
    0xF3, 0xA4, 0xCB, 0xBD, 0xBE, 0x07, 0xB1, 0x04,
    0x38, 0x6E, 0x00, 0x7C, 0x09, 0x75, 0x13, 0x83,
    0xC5, 0x10, 0xE2, 0xF4, 0xCD, 0x18, 0x8B, 0xF5,
    0x83, 0xC6, 0x10, 0x49, 0x74, 0x19, 0x38, 0x2C,
    0x74, 0xF6, 0xA0, 0xB5, 0x07, 0xB4, 0x07, 0x8B,
    0xF0, 0xAC, 0x3C, 0x00, 0x74, 0xFC, 0xBB, 0x07,
    0x00, 0xB4, 0x0E, 0xCD, 0x10, 0xEB, 0xF2, 0x88,
    0x4E, 0x10, 0xE8, 0x46, 0x00, 0x73, 0x2A, 0xFE,
    0x46, 0x10, 0x80, 0x7E, 0x04, 0x0B, 0x74, 0x0B,
    0x80, 0x7E, 0x04, 0x0C, 0x74, 0x05, 0xA0, 0xB6,
    0x07, 0x75, 0xD2, 0x80, 0x46, 0x02, 0x06, 0x83,
    0x46, 0x08, 0x06, 0x83, 0x56, 0x0D, 0x0A, 0x00,
    0xE8, 0x21, 0x00, 0x73, 0x05, 0xA0, 0xB6, 0x07,
    0xEB, 0xBC, 0x81, 0x3E, 0xFE, 0x7D, 0x55, 0xAA,
    0x74, 0x0B, 0x80, 0x7E, 0x10, 0x00, 0x74, 0xC8,
    0xA0, 0xB7, 0x07, 0xEB, 0xA9, 0x8B, 0xFC, 0x1E,
    0x57, 0x8B, 0xF5, 0xCB, 0xBF, 0x05, 0x00, 0x8A,
    0x56, 0x00, 0xB4, 0x08, 0xCD, 0x13, 0x72, 0x23,
    0x8A, 0xC1, 0x24, 0x3F, 0x98, 0x8A, 0xDE, 0x8A,
    0xFC, 0x43, 0xF7, 0xE3, 0x8B, 0xD1, 0x86, 0xD6,
    0xB1, 0x06, 0xD2, 0xEE, 0x42, 0xF7, 0xE2, 0x39,
    0x56, 0x0D, 0x0A, 0x77, 0x23, 0x72, 0x05, 0x39,
    0x46, 0x08, 0x73, 0x1C, 0xB8, 0x01, 0x02, 0xBB,
    0x00, 0x7C, 0x8B, 0x4E, 0x02, 0x8B, 0x56, 0x00,
    0xCD, 0x13, 0x73, 0x51, 0x4F, 0x74, 0x4E, 0x32,
    0xE4, 0x8A, 0x56, 0x00, 0xCD, 0x13, 0xEB, 0xE4,
    0x8A, 0x56, 0x00, 0x60, 0xBB, 0xAA, 0x55, 0xB4,
    0x41, 0xCD, 0x13, 0x72, 0x36, 0x81, 0xFB, 0x55,
    0xAA, 0x75, 0x30, 0xF6, 0xC1, 0x01, 0x74, 0x2B,
    0x61, 0x60, 0x6A, 0x00, 0x6A, 0x00, 0xFF, 0x76,
    0x0D, 0x0A, 0xFF, 0x76, 0x08, 0x6A, 0x00, 0x68,
    0x00, 0x7C, 0x6A, 0x01, 0x6A, 0x10, 0xB4, 0x42,
    0x8B, 0xF4, 0xCD, 0x13, 0x61, 0x61, 0x73, 0x0E,
    0x4F, 0x74, 0x0B, 0x32, 0xE4, 0x8A, 0x56, 0x00,
    0xCD, 0x13, 0xEB, 0xD6, 0x61, 0xF9, 0xC3, 0x49,
    0x6E, 0x76, 0x61, 0x6C, 0x69, 0x64, 0x20, 0x70,
    0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6F, 0x6E,
    0x20, 0x74, 0x61, 0x62, 0x6C, 0x65, 0x00, 0x45,
    0x72, 0x72, 0x6F, 0x72, 0x20, 0x6C, 0x6F, 0x61,
    0x64, 0x69, 0x6E, 0x67, 0x20, 0x6F, 0x70, 0x65,
    0x72, 0x61, 0x74, 0x69, 0x6E, 0x67, 0x20, 0x73,
    0x79, 0x73, 0x74, 0x65, 0x6D, 0x00, 0x4D, 0x69,
    0x73, 0x73, 0x69, 0x6E, 0x67, 0x20, 0x6F, 0x70,
    0x65, 0x72, 0x61, 0x74, 0x69, 0x6E, 0x67, 0x20,
    0x73, 0x79, 0x73, 0x74, 0x65, 0x6D 
};

unsigned char W2K12_MBR[870] = {
    0xFF, 0xFE, 0x33, 0x00, 0x14, 0x25, 0xC4, 0x00,
    0x68, 0x25, 0x5D, 0x25, 0x00, 0x00, 0x7C, 0x00,
    0xC4, 0x00, 0x14, 0x25, 0xC4, 0x00, 0x6A, 0x25,
    0x5B, 0x25, 0x00, 0x00, 0x7C, 0x00, 0x10, 0x25,
    0x00, 0x00, 0x06, 0x00, 0x63, 0x25, 0x00, 0x00,
    0x02, 0x00, 0x7F, 0x20, 0x64, 0x22, 0xF1, 0x00,
    0x50, 0x00, 0x68, 0x00, 0x1C, 0x00, 0x06, 0x00,
    0x66, 0x25, 0x1A, 0x22, 0x63, 0x25, 0x04, 0x00,
    0x00, 0x00, 0x5C, 0x25, 0x5B, 0x25, 0x07, 0x00,
    0xC7, 0x00, 0x7E, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x7C, 0x00, 0x0B, 0x00, 0x0F, 0x00, 0xE0, 0x00,
    0x0E, 0x00, 0x01, 0x00, 0xE2, 0x00, 0x3C, 0x25,
    0x10, 0x00, 0x93, 0x03, 0xB1, 0x00, 0x50, 0x25,
    0x18, 0x00, 0xEA, 0x00, 0x56, 0x00, 0x00, 0x00,
    0x55, 0x00, 0x5E, 0x25, 0x46, 0x00, 0x11, 0x00,
    0x05, 0x00, 0x5E, 0x25, 0x46, 0x00, 0x10, 0x00,
    0x00, 0x00, 0x24, 0x25, 0x41, 0x00, 0x57, 0x25,
    0xAC, 0x00, 0x55, 0x00, 0x50, 0x25, 0x13, 0x00,
    0x5D, 0x00, 0x72, 0x00, 0x0F, 0x00, 0xFC, 0x00,
    0x1A, 0x22, 0x55, 0x00, 0xAC, 0x00, 0x75, 0x00,
    0x09, 0x00, 0x48, 0x22, 0x34, 0x25, 0x01, 0x00,
    0x00, 0x00, 0x74, 0x00, 0x03, 0x00, 0xA0, 0x25,
    0x46, 0x00, 0x10, 0x00, 0x66, 0x00, 0x60, 0x00,
    0xC7, 0x00, 0x7E, 0x00, 0x10, 0x00, 0x00, 0x00,
    0x74, 0x00, 0x26, 0x00, 0x66, 0x00, 0x68, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x66, 0x00, 0xA0, 0x00, 0x76, 0x00, 0x08, 0x00,
    0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x68, 0x00,
    0x00, 0x00, 0x7C, 0x00, 0x68, 0x00, 0x01, 0x00,
    0x00, 0x00, 0x68, 0x00, 0x10, 0x00, 0x00, 0x00,
    0x24, 0x25, 0x42, 0x00, 0xE8, 0x00, 0x56, 0x00,
    0x00, 0x00, 0xEF, 0x00, 0x20, 0x23, 0x50, 0x25,
    0x13, 0x00, 0x92, 0x01, 0xE2, 0x00, 0x00, 0x25,
    0x10, 0x00, 0xA7, 0x20, 0xB4, 0x03, 0x14, 0x00,
    0x55, 0x25, 0x01, 0x00, 0x02, 0x00, 0x57, 0x25,
    0x00, 0x00, 0x7C, 0x00, 0xE8, 0x00, 0x56, 0x00,
    0x00, 0x00, 0xE8, 0x00, 0x76, 0x00, 0x01, 0x00,
    0xE8, 0x00, 0x4E, 0x00, 0x02, 0x00, 0xE8, 0x00,
    0x6E, 0x00, 0x03, 0x00, 0x50, 0x25, 0x13, 0x00,
    0x66, 0x00, 0x61, 0x00, 0x73, 0x00, 0x1C, 0x00,
    0xA0, 0x25, 0x4E, 0x00, 0x11, 0x00, 0x75, 0x00,
    0x0C, 0x00, 0xC7, 0x00, 0x7E, 0x00, 0x00, 0x00,
    0xC7, 0x00, 0x0F, 0x00, 0xE4, 0x00, 0xE8, 0x00,
    0x00, 0x00, 0x93, 0x25, 0xC7, 0x00, 0xB4, 0x03,
    0xE4, 0x00, 0x55, 0x00, 0x32, 0x00, 0xA3, 0x03,
    0xE8, 0x00, 0x56, 0x00, 0x00, 0x00, 0x50, 0x25,
    0x13, 0x00, 0x5D, 0x00, 0xB4, 0x03, 0xA7, 0x20,
    0xFC, 0x00, 0x3E, 0x00, 0xA0, 0x25, 0x7D, 0x00,
    0x55, 0x00, 0xAC, 0x00, 0x75, 0x00, 0x6E, 0x00,
    0xA0, 0x00, 0x76, 0x00, 0x00, 0x00, 0xA6, 0x03,
    0xEC, 0x00, 0x00, 0x00, 0x75, 0x00, 0x17, 0x00,
    0xB7, 0x00, 0x91, 0x25, 0x64, 0x25, 0xB5, 0x00,
    0x64, 0x00, 0xA6, 0x03, 0xE2, 0x00, 0x00, 0x00,
    0x91, 0x25, 0x80, 0x25, 0xB5, 0x00, 0x60, 0x00,
    0xA6, 0x03, 0x7C, 0x00, 0x00, 0x00, 0x91, 0x25,
    0xA0, 0x00, 0xB5, 0x00, 0x64, 0x00, 0xA6, 0x03,
    0x75, 0x00, 0x00, 0x00, 0x1A, 0x22, 0x55, 0x25,
    0x00, 0x00, 0x57, 0x25, 0x50, 0x25, 0x1A, 0x00,
    0x66, 0x00, 0x23, 0x00, 0x14, 0x25, 0x75, 0x00,
    0x3B, 0x00, 0x66, 0x00, 0xFC, 0x00, 0x1A, 0x22,
    0x54, 0x00, 0x43, 0x00, 0x50, 0x00, 0x41, 0x00,
    0x75, 0x00, 0x32, 0x00, 0xFC, 0x00, 0x19, 0x22,
    0x02, 0x00, 0x01, 0x00, 0x72, 0x00, 0x2C, 0x00,
    0x66, 0x00, 0x68, 0x00, 0x07, 0x00, 0x57, 0x25,
    0x00, 0x00, 0x00, 0x00, 0x66, 0x00, 0x68, 0x00,
    0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x66, 0x00, 0x68, 0x00, 0x08, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x66, 0x00, 0x53, 0x00,
    0x66, 0x00, 0x53, 0x00, 0x66, 0x00, 0x55, 0x00,
    0x66, 0x00, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x66, 0x00, 0x68, 0x00,
    0x00, 0x00, 0x7C, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x66, 0x00, 0x61, 0x00, 0x68, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x07, 0x00, 0x50, 0x25, 0x1A, 0x00,
    0x5A, 0x00, 0x32, 0x00, 0xF7, 0x00, 0xA9, 0x03,
    0x00, 0x00, 0x7C, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x25, 0x18, 0x00, 0xE1, 0x00, 0x56, 0x25,
    0x07, 0x00, 0xB4, 0x03, 0x08, 0x00, 0xE1, 0x00,
    0x62, 0x25, 0x07, 0x00, 0xB4, 0x03, 0x03, 0x00,
    0xE1, 0x00, 0x61, 0x25, 0x07, 0x00, 0x32, 0x00,
    0xA3, 0x03, 0x05, 0x00, 0x00, 0x00, 0x07, 0x00,
    0xEF, 0x00, 0x61, 0x22, 0xBC, 0x00, 0x3C, 0x00,
    0x00, 0x00, 0x74, 0x00, 0x09, 0x00, 0x57, 0x25,
    0x07, 0x00, 0x00, 0x00, 0x24, 0x25, 0x0E, 0x00,
    0x50, 0x25, 0x10, 0x00, 0xB4, 0x03, 0x65, 0x22,
    0x20, 0x23, 0xB4, 0x03, 0xB2, 0x00, 0x2B, 0x00,
    0x54, 0x25, 0xA3, 0x03, 0x64, 0x00, 0xB4, 0x03,
    0x00, 0x00, 0x24, 0x00, 0x02, 0x00, 0xB1, 0x03,
    0xB0, 0x00, 0x24, 0x00, 0x02, 0x00, 0x1C, 0x25,
    0x49, 0x00, 0x6E, 0x00, 0x76, 0x00, 0x61, 0x00,
    0x6C, 0x00, 0x69, 0x00, 0x64, 0x00, 0x20, 0x00,
    0x70, 0x00, 0x61, 0x00, 0x72, 0x00, 0x74, 0x00,
    0x69, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00,
    0x6E, 0x00, 0x20, 0x00, 0x74, 0x00, 0x61, 0x00,
    0x62, 0x00, 0x6C, 0x00, 0x65, 0x00, 0x00, 0x00,
    0x45, 0x00, 0x72, 0x00, 0x72, 0x00, 0x6F, 0x00,
    0x72, 0x00, 0x20, 0x00, 0x6C, 0x00, 0x6F, 0x00,
    0x61, 0x00, 0x64, 0x00, 0x69, 0x00, 0x6E, 0x00,
    0x67, 0x00, 0x20, 0x00, 0x6F, 0x00, 0x70, 0x00,
    0x65, 0x00, 0x72, 0x00, 0x61, 0x00, 0x74, 0x00,
    0x69, 0x00, 0x6E, 0x00, 0x67, 0x00, 0x20, 0x00,
    0x73, 0x00, 0x79, 0x00, 0x73, 0x00, 0x74, 0x00,
    0x65, 0x00, 0x6D, 0x00, 0x00, 0x00, 0x4D, 0x00,
    0x69, 0x00, 0x73, 0x00, 0x73, 0x00, 0x69, 0x00,
    0x6E, 0x00, 0x67, 0x00, 0x20, 0x00, 0x6F, 0x00,
    0x70, 0x00, 0x65, 0x00, 0x72, 0x00, 0x61, 0x00,
    0x74, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x67, 0x00,
    0x20, 0x00, 0x73, 0x00, 0x79, 0x00, 0x73, 0x00,
    0x74, 0x00, 0x65, 0x00, 0x6D, 0x00 
};




BOOL IsUserAdmin()
{
	BOOL b;
	SID_IDENTIFIER_AUTHORITY ntAuthority = SECURITY_NT_AUTHORITY;
	PSID administratorsGroup;

	b = AllocateAndInitializeSid(&ntAuthority,
		2,
		SECURITY_BUILTIN_DOMAIN_RID,
		DOMAIN_ALIAS_RID_ADMINS,
		0, 0, 0, 0, 0, 0,
		&administratorsGroup);
	if (b)
	{
		if (!CheckTokenMembership(NULL, administratorsGroup, &b))
			b = FALSE;
		FreeSid(administratorsGroup);
	}

	return b;
}

// We look for exact matches at the moment.

BOOL IsWindowsXP(char* mbr)
{
	for (int i = 0; i < SZ_WXP_MBR; i++)
		if (*(mbr + i) != *(WXP_MBR + i))
			return false;
	return true;
}

BOOL IsWindows2012(char* mbr)
{
	for (int i = 0; i < SZ_W2K12_MBR; i++)
		if (*(mbr + i) != *(W2K12_MBR + i))
			return false;
	return true;
}

void InfectMBR_XP()
{

}

void InfectMBR_2012()
{

}



int _tmain(int argc, _TCHAR* argv[])
{
	FILE*		dosDevice;
	FILE*		outputFile;
	char		buffer[BUFFER_SIZE];

	if (!IsUserAdmin())
	{
		fprintf(stderr, "You must be admin\n");

		return -1;
	}

	dosDevice = fopen("\\\\.\\PHYSICALDRIVE0", "rb");
	if (!dosDevice)
	{
		fprintf(stderr, "Unable to open MBR\n");

		return -2;
	}

	outputFile = fopen("output.img", "wb");
	if (!outputFile)
	{
		fprintf(stderr, "Unable to open output file\n");

		return -1;
	}

	fread(buffer, BUFFER_SIZE, sizeof(char), dosDevice);
	fclose(dosDevice);

	if (IsWindowsXP(buffer))
		fprintf(stdout, "Detected Windows XP MBR\n");
	else if (IsWindows2012(buffer))
		fprintf(stdout, "Detected Windows 2012 Server MBR\n");

	return 0;
}
Posted in Code Analysis, Malware Development, TechniquesTagged infector, mbr, windowsLeave a comment

Posts navigation

Older posts

Recent Posts

  • MFA Abuse in Splunk
  • Virtualbox Automation
  • Repository Poisoning
  • Bastion
  • OpenSea NFT Bug

Recent Comments

    Archives

    • August 2022
    • March 2022
    • November 2021
    • October 2021
    • September 2021
    • August 2021
    • July 2021
    • June 2021
    • February 2021
    • December 2020
    • October 2020
    • September 2020
    • April 2020
    • March 2020
    • January 2020
    • July 2019
    • June 2019

    Categories

    • Campaign Analysis
    • Campaign Management
    • Code Analysis
    • Current Events
    • Malware Development
    • Techniques
    • Utilities

    Meta

    • Register
    • Log in
    • Entries feed
    • Comments feed
    • WordPress.org
    Proudly powered by WordPress | Theme: micro, developed by DevriX.