Skip to content

Latest commit

 

History

History
76 lines (55 loc) · 4.95 KB

3c18ac6d5fbcb89d733d0f281d68584717934c9628b6795ac89d97eb5d117c5b.md

File metadata and controls

76 lines (55 loc) · 4.95 KB
Raw

3c18ac6d5fbcb89d733d0f281d68584717934c9628b6795ac89d97eb5d117c5b

Has some anti in the secondary layer

including a FS[0xc0] check into a heavens gate + many normal anti checks and tactics Trampolines DbgUiRemoteBreakin and DbgBreakPoint

DbgBreakPoint becomes Nop Ret

DbgUiRemoteBreakin becomes

push 0 mov eax, 2 call eax retn 4

3rd layer downloads:

https://drive.google.com/uc?export=download&id=1aK0VvyQgvNqOCF3dahuSQIcUefrHRqZ3

XOR encoded file

00000000: 6136 6561 3931 6165 3062 6466 6336 3066  a6ea91ae0bdfc60f
00000010: 6131 3434 3738 6630 3066 3831 3362 3138  a14478f00f813b18
00000020: 3838 3464 6262 3236 6564 6162 3861 6664  884dbb26edab8afd
00000030: 3533 3363 6166 3933 3237 6465 3564 3936  533caf9327de5d96
00000040: faca 40cc 1f2e 3c13 8ad8 b466 f3e7 7d0a  ..@...<....f..}.
00000050: 9865 97ff 4102 bf45 f3ad 37dc 32ec 0080  .e..A..E..7.2...
00000060: 0139 1b75 66d6 42bb 9481 ba0e 57c0 84b2  .9.uf.B.....W...
00000070: 270d 9ea7 48ab c5ed b955 8284 7c94 0728  '...H....U..|..(
00000080: 42fe 9b13 6dcb 84a9 fe91 04fb 9048 9a33  B...m........H.3
00000090: 18c5 8420 e060 77e4 a193 a88a e297 3fbe  ... .`w.......?.
000000a0: c3b0 b2a9 3c5c 497d aeb1 da46 4857 2e2a  ....<\I}...FHW.*
000000b0: 4d0a f39a 6f0f b24f 97ad 37dc 32ec 0080  M...o..O..7.2...
000000c0: 6545 9c8c 46cb ab11 b49c 53a4 77dd 6d18  eE..F.....S.w.m.
000000d0: 4a33 6a0d 69b6 2c47 ca6b 722e 5e88 ee82  J3j.i.,G.kr.^...
000000e0: 6cfc c8b7 4262 64ce 8428 e01d 7c74 27f1  l...Bbd..(..|t'.
000000f0: d2b7 43fa b612 f93c 08fc 6b43 a8e4 b87b  ..C....<..kC...{
00000100: 7f92 3d66 3833 d5b9 ccda 4ecc 2305 94a0  ..=f83....N.#...
00000110: 0078 7f55 2f1e 56ef 2bb6 d876 13f1 e92a  .x.U/.V.+..v...*
00000120: c93b f9df 58cb ab11 c6e8 d966 77dd 6d18  .;..X......fw.m.
00000130: 270d 9ea7 48ab c5ed b955 8284 7c95 0728  '...H....U..|..(
00000140: 1ca4 211d 217e 8864 9e3f 80ea 5d69 ce5b  ..!.!~.d.?..]i.[
00000150: 71b6 a450 720f 1e97 cbff 8ee9 83c9 50d1  q..Pr.........P.
00000160: b720 d0cc 1c2e 3c13 0ae2 b566 0c08 7d0a  . ....<....f..}.
00000170: 2025 96ff 4102 ff45 b3bd 37dc 32fc 0080   %..A..E..7.2...
00000180: 0539 1b75 66d6 42bb 9081 ba0e 57c0 84b2  .9.uf.B.....W...

XOR decodes to a remcos sample

6befc80135832c3be7e229b682bf7689707b6457ea16b1691313a629f817306a

Sample doens't have a SETTINGS resource section which is what most config decoders seems to want that I found. Also there's another index value in the config not accounted for in the JPCERT decoder, need to go through and check what the value is if I get time.

Converted a memory based decoder to static and updated it https://gist.github.com/sysopfb/11e6fb8c1377f13ebab09ab717026c87

['nolim.duckdns.org:4922:blessing1234|', 'oneonebilli', '1', '\x00', '\x01', '\x00', '\x00', '\x00', '\x00', '6', 'r\x00e\x00m\x00c\x00o\x00s\x00.\x00e\x00x\x00e\x00', 'r\x00e\x00m\x00c\x00o\x00s\x00', '\x00', '0', 'Remcos-B0YDF1', '1', '6', 'l\x00o\x00g\x00s\x00.\x00d\x00a\x00t\x00', '\x00', '\x01', '\x00', '10', '\x00', 'wikipedia;solitaire;', '5', '6', 'Screenshots', '\x00', '\x00', '\x00', '\x00', '\x00', '\x00', '\x00', '\x00', '\x00', '5', '6', 'MicRecords', '\x00', '0', '0', '', '\x00', '\x01', '0', '\x00', '1', 'r\x00e\x00m\x00c\x00o\x00s\x00', 'r\x00e\x00m\x00c\x00o\x00s\x00', '\x00', '\x00', 'E6B7984F3FE9E61F8FA94748A79726CA', '\x00', '10000', '\x00']

{'Screenshot time': '10', 'Unknown39': 'Disable', 'Hide keylog file': 'Enable', 'Keylog folder': 'r\x00e\x00m\x00c\x00o\x00s\x00', 'Screenshot flag': 'Disable', 'Startup value': 'r\x00e\x00m\x00c\x00o\x00s\x00', 'Mutex': 'Remcos-B0YDF1', 'Keylog file max size': '10000', 'Setup HKCU\\Run': 'Enable', 'Host:Port:Password': 'nolim.duckdns.org:4922:blessing1234|', 'Connect delay': '0', 'Setup HKLM\\Run': 'Disable', 'Keylog flag': '1', 'Unknown55': 'Disable', 'Unknown50': 'Disable', 'Unknown51': 'Disable', 'Unknown52': 'E6B7984F3FE9E61F8FA94748A79726CA', 'Keylog crypt': 'Disable', 'Audio record time': '5', 'Copy file': 'r\x00e\x00m\x00c\x00o\x00s\x00.\x00e\x00x\x00e\x00', 'Unknown13': '0', 'Unknown32': 'Disable', 'Unknown33': 'Disable', 'Unknown31': 'Disable', 'Unknown34': 'Disable', 'Unknown35': 'Disable', 'Hide file': 'Disable', 'Install flag': 'Disable', 'Take Screenshot option': 'Disable', 'Keylog path': 'AppData', 'Assigned name': 'oneonebilli', 'Audio folder': 'MicRecords', 'Delete file': 'Disable', 'Setup HKLM\\Winlogon\\Shell': 'Disable', 'Mouse option': 'Disable', 'Connect interval': '1', 'Take screenshot title': 'wikipedia;solitaire;', 'Keylog file': 'l\x00o\x00g\x00s\x00.\x00d\x00a\x00t\x00', 'Take screenshot time': '5', 'Setup HKLM\\Explorer\\Run': 'Disable', 'Copy folder': 'r\x00e\x00m\x00c\x00o\x00s\x00', 'Unknown46': 'Disable', 'Unknown43': 'Disable', 'Unknown42': '', 'Unknown40': '0', 'Unknown47': '1', 'Screenshot path': 'AppData', 'Unknown45': '0', 'Unknown44': 'Enable', 'Setup HKLM\\Winlogon\\Userinit': 'Disable', 'Install path': 'AppData', 'Unknown53': 'Disable', 'Audio path': 'AppData', 'Screenshot crypt': 'Disable', 'Screenshot file': 'Screenshots', 'Unknown29': 'Disable'}