Blog

Archive for March 22nd, 2021

Nim Strings, (Mon, Mar 22nd)

On Tuesday’s Stormcast, Johannes talked about malware written in the Nim Programming language.

Internally, strings in the Nim programming language are stored inside a structure (STRING_LITERAL) that consists of 2 integers followed by the string.

Both integers represent the length of the string, although the second integer has one bit set to indicate it is a string literal.

Here is an example of a program I wrote and compiled to a 32-bit PE file:

In red is the string itself (17 bytes long, 0x11). Green is the first integer: the length of the string (0x00000011) encoded as a little-endian 32-bit integer (0x11000000). Yellow is the second integer: the length of the string encoded as a little-endian 32-bit integer with the 3rd most-significant bit set (0x00000011 + x40000000 -> 0x11000040).

I wrote a Python script to extract these strings. It’s beta: I still have to decided if and how to integrate this in my strings.py tool).

Unlike the classic tool strings, this tool will also extract strings that contain non-printable characters.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

March 2021 Traffic Analysis Quiz, (Tue, Mar 23rd)

Introduction

Today’s diary is a new traffic analysis quiz.  For this quiz, I ask participants to write an incident report that identifies the affected Windows host and user account.

If possible, try to identify the malware family associated with this infection.  But there are many different types of malware, and they’re constantly evolving and multiplying, so don’t worry if you don’t recognize the malware family.


Shown above:  So much malware out there.

The packet capture (pcap) for today’s traffic analysis quiz is contained in a zip archive hosted at this Github repository.  The repository also contains another zip archive with malware and artifacts recovered from the infected Windows host.  Be very careful with the malware and artifacts zip.  If you don’t know what you’re doing, do not download the malware and artifacts.  I also recommend participants do this exercise in a non-Windows environment, if possible.

Unlike my previous traffic analysis quizzes, this quiz does not include any alerts on the network traffic.


Shown above:  Pcap for this traffic analysis quiz opened in Wireshark.

Requirements

This type of analysis requires Wireshark.  Wireshark is my tool of choice to review pcaps of infection traffic.  However, default settings for Wireshark are not optimized for web-based malware traffic.  That’s why I encourage people to customize Wireshark after installing it.  To help, I’ve written a series of tutorials.  The ones most helpful for this quiz are:

I always recommend participants use a non-Windows environment like BSD, Linux, or macOS.  Why?  Because most pcaps in these traffic analysis quizzes contain traffic with Windows-based malware.  If you’re using a Windows host to review such pcaps, your antivirus (or Windows Defender) may delete or alter the pcap.  Worst case?  If you extract malware from a pcap and accidentally run it, you might infect your Windows computer.

In this case, I’ve also included a zip archive that contains malware and artifacts retrieved from the infected Windows host.  Unless you are a skilled malware analyst, you should avoid examining the contents of that particular zip archive on a Windows computer, because it’s Windows-based malware.

Active Directory (AD) Environment

The infected Windows host is part of an AD environment, so the pcap contains information about the Windows user account. The user account is formatted as firstname.lastname.  The AD environment characteristics are:

  • LAN segment range: 172.16.4.0/24 (172.16.4.0 through 172.16.4.255)
  • Domain: baritonetv.com
  • Domain Controller: 172.16.4.4 – BaritoneTV-DC
  • LAN segment gateway: 172.16.4.1
  • LAN segment broadcast address: 172.16.4.255

Final Words

Again, the zip archive with a pcap of the traffic for this exercise is available in this Github repository.  Analysis of this infection will be posted in tomorrow’s ISC diary.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →