Malware Triage Analyzing PrnLoader Used To Drop Emotet

  • Published on 2 Oct 2024
  • Join us for a deep dive into this interesting malware that was used to drop Emotet. We will reverse engineer the loader and provide tips and tricks for IDA Pro along the way!
    -----
    OALABS DISCORD
    / discord
    OALABS PATREON
    / oalabs
    OALABS TIP JAR
    ko-fi.com/oalabs
    OALABS GITHUB
    github.com/OALabs
    UNPACME - AUTOMATED MALWARE UNPACKING
    www.unpac.me/#/
    -----
    Automated Malware Unpacking
    www.unpac.me/
    Any-Run Sandbox Run of Malicious Document
    any.run/report...
    Loader Sample Free Download from Malshare
    fb07f875dc45e6045735513e75a83c50c78154851bd23a645d43ea853e6800ac
    malshare.com/s...
    PrnLoader decryption script (python)
    gist.github.co...
    Feedback, questions, and suggestions are always welcome : )
    Sergei / herrcore
    Sean / seanmw
    As always check out our tools, tutorials, and more content over at www.openanalys...
    #MalwareAnalysis #IDAPro #PrnLoader

Comments • 88

  • @partoftheworlD
    @partoftheworlD 3 years ago +23

    The Return of the King

  • @HackOvert
    @HackOvert 3 years ago +7

    I've never seen the hex-rays decompilation fix where you dig into functions until you get a good decompilation then back your way out. Very cool, thanks!

  • @breakfastispoison8749
    @breakfastispoison8749 3 years ago +10

    I don't understand a lot of malware analysis, but I find this fascinating and entertaining.

  • @nordgaren2358
    @nordgaren2358 1 year ago +1

    This is pretty neat! They could probably have used something better than a video to avoid so many null bytes, but maybe it was the only thing they thought would be long enough, or stay up long enough!
    You could probably use a file of the same size, and either just do it byte for byte, or if you wanted to be fancy, do a bit more math and make it so that you use every byte, but loop back around (basically off by one. First loop through the key data starts at byte 1. Second loop byte 2, byte 3, etc).
    Computers are fun!

  • @drgowen
    @drgowen 3 years ago +2

    Glad you're back, best malware channel

    • @OALABS
      @OALABS  3 years ago

      Aw thanks : )))

  • @SourceCodeDeleted
    @SourceCodeDeleted 3 years ago +2

    I am sorry to hear about doggy

    • @OALABS
      @OALABS  3 years ago

      Thanks 💔

  • @81nembo
    @81nembo 3 years ago +1

    P0rn mp4 on bash--->Linux users : "Shut up and take my money!!!" :-) Thanks for the effort Sergei, great content as usual!

  • @feifeilooper8312
    @feifeilooper8312 3 years ago +1

    Hey, I really miss you guys 😁😁, this video is really funny and impressed me, thanks so much, take care 😁😁

  • @lasq88
    @lasq88 3 years ago

    Great video, welcome back. Will you do a video about unpacking Visual Basic packers like the one at the end of the video? I struggle with them

  • @anuragkashyap8026
    @anuragkashyap8026 3 years ago +1

    I think they have used github.com/vxunderground/WinAPI-Tricks/blob/main/Stdio/WtZeroMemory.c to zero out the memory before use at 9:03

  • @ahmedalhashmi5047
    @ahmedalhashmi5047 3 years ago +1

    Soo happy to see you back :)

  • @spacewolfjr
    @spacewolfjr 3 years ago +2

    HOLY SHIT, I love the Queeblo outro (that even rhymed!)

    • @OALABS
      @OALABS  3 years ago +1

      Haha! I was wondering if anyone would know what it was.... yeh you know you f-n' feel me...

  • @rbnlenin
    @rbnlenin 2 years ago +1

    One-time pad through porn, wow.

  • @shinvipo
    @shinvipo 3 years ago +1

    hope you have a Malware analysis series.. love u

  • @omrirefaeli7800
    @omrirefaeli7800 3 years ago +1

    this is awesome, thank you very much! please keep this sort of content coming! subscribed :)

  • @Bloodzeus_
    @Bloodzeus_ 2 years ago +1

    amazing video matey :)

  • @mariusg3nheimer
    @mariusg3nheimer 3 years ago +3

    Very Niiiice (as always)! I also really like what you did with the Nerd Notes. Keep up the good work :)

  • @thatcrockpot1530
    @thatcrockpot1530 2 years ago +1

    ngl, this loader is badass

  • @rickyhan7023
    @rickyhan7023 3 years ago +1

    I wonder how many of these videos have hidden uses

  • @StefanRothenbuehler
    @StefanRothenbuehler 3 years ago +1

    Great stuff! Really missed the content and was very happy to see a new video :)
    I'm currently focusing my analysis on anti-RE obfuscation (like the jumps in the new Egregor loader). It would be highly appreciated if you could do something about anti-RE obfuscation :)

  • @Demonslay335
    @Demonslay335 3 years ago +3

    FlareOn7 this year had a challenge that actually kinda had a similar technique; just not using porn of course. XD

    • @OALABS
      @OALABS  3 years ago +1

      Yeh this def has a bit of a "CTF" feel to it : )

  • @lakshayarora3916
    @lakshayarora3916 3 years ago +1

    Do all ntdll APIs lie in the kernel section or the user-mode section? Or are there some NT APIs that lie in the user-mode section?

    • @OALABS
      @OALABS  3 years ago

      ntdll.dll is loaded in user land (it's a DLL) and provides the interface to the kernel; we touch on this a bit in a very old video if you are interested: th-cam.com/video/CiZ5D6wlIrw/w-d-xo.html

  • @ganeshkumargopinathan6375
    @ganeshkumargopinathan6375 3 years ago +1

    Good one!!!

  • @איתימגדל
    @איתימגדל 3 years ago +1

    hey :)
    I would love to see you reversing this malware:
    github.com/ytisf/theZoo/tree/master/malwares/Binaries/Trojan.Kovter
    I found it really sophisticated (although it is not packed!).
    It resides totally in the registry and it's very sneaky.
    I couldn't debug it because it somehow "scrambled" its addresses while debugging (probably it knew it was being debugged).
    I wish you would upload a video on this one! You are the king! THANKS

    • @OALABS
      @OALABS  3 years ago

      Oh no Kovter haha! I did a lot of work on this malware for my dayjob a few years back.. it's a beast. It's compiled in Delphi so it's got crazy vtables and pointer hell. It might actually be a good tutorial on how to deal with Delphi. Also the config is passed in a memory section from the loader so you can't just execute it and start debugging without the loader or you will just have the fake config... it's really crazy haha. Maybe... I guess that is my way of saying, maybe I will do a video on it : )

    • @איתימגדל
      @איתימגדל 3 years ago

      thanks for the response!
      you are the king :)

  • @Phoenix-iz6fg
    @Phoenix-iz6fg 3 years ago +2

    I told myself that I'm just going to watch the first 5 minutes of the video.... 36 minutes later I finished the whole video :D
    Just a question: how should someone analyze a VB6 file in IDA?

    • @OALABS
      @OALABS  3 years ago +1

      😹😹 The TH-cam vortex has sucked you in once again haha! So for VB6 there are two approaches... if you just need to unpack it I would recommend just using a debugger and a few breakpoints and avoiding analyzing it at all (th-cam.com/video/ylWInOcQy2s/w-d-xo.html). If the malware is actually written in VB6 and you need to analyze it (hello Diamond Fox) then you are in for a bad time. IDA won't cut it, you will need something that can analyze the VB6 p-code. The only tool I know of is the vb-decompiler and it's not free: www.vb-decompiler.org/products.htm. It is a real pain.

    • @Phoenix-iz6fg
      @Phoenix-iz6fg 3 years ago +1

      @@OALABS Thank you so much for your guidance and info.
      Then I hope it won't come down to vb-decompiler :D

  • @0xp4ul
    @0xp4ul 3 years ago +1

    🔥🔥

  • @riskydissonance
    @riskydissonance 3 years ago +2

    Great to see you guys back! Condolences on the doggo :( but great to see another life enter the OA family!

    • @OALABS
      @OALABS  3 years ago

      Aw thanks : ))

  • @insan3clar1ty62
    @insan3clar1ty62 3 years ago +1

    hey tell the bulldog i like him

    • @OALABS
      @OALABS  3 years ago

      I'll pass it along ;)

  • @Shinika01
    @Shinika01 3 years ago +1

    vb6, oooold school stuff !

    • @OALABS
      @OALABS  3 years ago

      Lol yeh. There are a few packers that use VB6 that we see pretty often... I think they are old and just get re-used. It's a pain but they can be unpacked pretty quickly... if you come across actual VB6 malware though ... run for the hills!! haha

  • @faresshaker7765
    @faresshaker7765 3 years ago

    Can you make a video on how to find and remove malware manually and professionally?

  • @itxmustfa
    @itxmustfa 3 years ago +2

    But bin to executable file?

    • @OALABS
      @OALABS  3 years ago

      I just rename the extension on executable files to .bin so they don't accidentally execute. When you load an executable in x64dbg or IDA it doesn't matter what the extension is, because the extension handler isn't used to execute the binary.

    • @itxmustfa
      @itxmustfa 3 years ago

      @@OALABS so it's not a fully unpacked binary, because we can't run the bin file as an executable file; rather, we can only see the disassembly of the code in the debugger..
      Actually I am confused there because the bin extension is not similar to exe, because we start unpacking from an exe file but we get a bin file instead of getting an exe file after unpacking..

    • @OALABS
      @OALABS  3 years ago

      it's just a file extension, it has no impact on the binary itself

    • @itxmustfa
      @itxmustfa 3 years ago

      @@OALABS oh but how to run the binary file with the bin extension? Try to run it via the debugger, then let me know how we can get the output of the binary file bro

  • @LeDabe
    @LeDabe 3 years ago +2

    Why not encrypt using AES and store the key online via pastebin and the like... I find it so convoluted for so little.. Am I wrong?

    • @OALABS
      @OALABS  3 years ago

      Yeh haha one of the weirdest loaders ... almost like a troll, but it's real!

    • @rickyhan7023
      @rickyhan7023 3 years ago +1

      Right? Seems like an error prone way to make sure your malware won't work.

  • @СергейКузнецов-в8ю7ш
    @СергейКузнецов-в8ю7ш 3 years ago +1

    Finally! I was waiting for this video!

  • @СергейКузнецов-в8ю7ш
    @СергейКузнецов-в8ю7ш 3 years ago +1

    So they use a key from the porn server, which could be firewall-blocked on some of the office target machines; moreover, this key could be deleted or modified by the porn server administration. The size of the download is huge and could be noticed by the victim. Too much pain compared to just a small binary key stored at a controlled server. Looks more like a fun project or something...

    • @OALABS
      @OALABS  3 years ago +1

      Yes for sure! MalwareHunterTeam had a really good point about this (twitter.com/malwrhunterteam/status/1337088582100652032?s=20). This is a real sample that was dropping emotet but it seems more like a troll than a serious effort haha. Maybe the developer was bored lol. But the technique is very good, if they improved it by downloading something more common and less suspicious it could be a very good protection.

  • @micyclelikebicycle
    @micyclelikebicycle 3 years ago +1

    Discovered this channel a week ago and it's honestly made a great start to 2020. It's allowed me to finally make the jump from sandboxing and looking for API functions in strings to actually debugging and unpacking which is honestly something I thought was completely inaccessible until now. Been soaking in your videos all week and used your trick of following VirtualAlloc through and setting the breakpoint at the return so the location gets stored in eax to finally dump my first payload out of memory and it legit made my day.

    • @OALABS
      @OALABS  3 years ago +1

      Heckkkkk yeh! That's awesome! Thanks for sharing, it's very motivating to hear feedback like that : )

  • @lakshayarora3916
    @lakshayarora3916 3 years ago +1

    Can you share some good resources for firmware analysis (using IDA Pro), {NVRAM, UART analysis}?

    • @OALABS
      @OALABS  3 years ago

      Sadly I don't know much about firmware reversing... never had the occasion to dig into it...

  • @d3f4rm
    @d3f4rm 3 years ago +1

    Lol did not plan to watch the whole thing but glad I did

  • @rickyhan7023
    @rickyhan7023 3 years ago +1

    It's basically unboxing for programmers. Very entertaining.

    • @OALABS
      @OALABS  3 years ago

      Lol!!

  • @Ibaraki6
    @Ibaraki6 3 years ago +1

    Very interesting, I wonder if there will be variations of this that use local Windows files like one of the default sound files, or maybe fetch something usually common to download like a JS framework file, since these are usually minified and compressed and don't raise suspicions from AVs.

    • @OALABS
      @OALABS  3 years ago +1

      Yeh this technique could definitely be expanded to be used in a much more dangerous way... this implementation is a bit of a trolly way of doing things... if the developers were serious they could make it much more difficult.

  • @velocityra
    @velocityra 3 years ago +1

    Somehow I found it pretty funny that you felt the need to include "porn" in the names of the locals/vars too lol

    • @OALABS
      @OALABS  3 years ago +1

      ; )

  • @breadbaconcheese
    @breadbaconcheese 3 years ago +1

    saw the notification, haven't even seen the vid but have to quickly comment; miss you!
    gonna watch this later tonight!
    edit: damn not first

    • @OALABS
      @OALABS  3 years ago +2

      Hey thanks!! Hope you enjoy this one! We will try to get back to a regular schedule as things get back to normal here.

  • @beeb490
    @beeb490 3 years ago +1

    We love you and your analysis 😍

  • @bharateeyudu6042
    @bharateeyudu6042 3 years ago +1

    Absolutely awesome 🤘

  • @dave5623
    @dave5623 3 years ago +1

    Would a patreon account help bump up the priority of making these kinds of videos? I'd be willing to throw a couple bucks your way to keep these videos coming.

    • @OALABS
      @OALABS  3 years ago

      We have considered it but it just doesn't seem like a good fit right now. I really like working on UnpacMe and some of our other projects too so I feel like with a patreon it would just be more pressure but it wouldn't really free up any more time...

    • @dave5623
      @dave5623 3 years ago +1

      @@OALABS Leaving me thirsty is all I'm hearing =P I will reluctantly agree that UnpacMe is a much better use of your limited time.

  • @AlejandroLopez-zn7hd
    @AlejandroLopez-zn7hd 3 years ago +1

    Welcome back mate! I missed your in-between jokes :)

    • @OALABS
      @OALABS  3 years ago

      : )))

  • @kanra7678
    @kanra7678 3 years ago +1

    Good to see you back !

  • @StefanRothenbuehler
    @StefanRothenbuehler 3 years ago

    Oh and by the way. This somehow reminds me of that malware that used Britney Spears Instagram channel for C2...

  • @alexanderdell2623
    @alexanderdell2623 3 years ago +2

    Finally, I miss you :love:
    By the way, does the intro music have a name?

    • @OALABS
      @OALABS  3 years ago +2

      Thanks : )) Our intro is a remix of the famous Bill O'Reilly freak out haha!

    • @Hamled
      @Hamled 3 years ago +1

      I remember going to look for it a while back... th-cam.com/video/5neF_7Rtee0/w-d-xo.html

    • @OALABS
      @OALABS  3 years ago +2

      This is my favourite version... th-cam.com/video/Ln-cBFanW9I/w-d-xo.html

    • @alexanderdell2623
      @alexanderdell2623 3 years ago +1

      @@OALABS damn,thanks!

  • @az2252
    @az2252 3 years ago +1

    Awesome work as usual !! Keep them coming

    • @OALABS
      @OALABS  3 years ago +1

      : ))

  • @fksubbnevr6267
    @fksubbnevr6267 3 years ago

    Hi, can you try the decompiler by JEB?

  • @nassim-312nassim6
    @nassim-312nassim6 3 years ago

    can u give me a crypter to make the server clean, how can I contact u bro pls?

  • @iseetrees7830
    @iseetrees7830 3 years ago

    eh help me find the anti-aliasing effect in a game? Star Citizen? Trying to disable it by HexD

  • @AbacateSexy
    @AbacateSexy 3 years ago +1

    Man, do u remember that graphical visualization for the PE binaries? For when the malware tries to do something like: `image` + 0x3c + 0x78. Could u link it again?

    • @OALABS
      @OALABS  3 years ago

      I think you may be referring to the corkami PE101 poster github.com/corkami/pics/tree/master/binary/pe101 ?

    • @AbacateSexy
      @AbacateSexy 3 years ago +1

      @@OALABS yeshhhhh thank u so much. This and the 102 poster. Tyyy