malware_analysis
`Binary.bz.WrappedSetupProgram` is a cab file
Binary.bz.WrappedSetupProgram is a cab file, not a plaintext.
Test sample: 0e01bad874c61d09d09ce06f76f5e46f6648a1fc943644874c8e1a53a93af9a7
Hey there! Thank you for your contribution. Sorry that it has taken some days for me to reply. I was on a business trip for most of last week and only now find the time to review this. Will check with your test sample and some other local samples that I have and then merge asap :-)
Hi again :-) I reviewed your pull request and also checked the provided sample. Right now I am not sure what the intention behind your proposed change is. The sample works fine with the code as it is:
[INFO] Starting Telekom Security DarkGate Extractor
[INFO] Performing analysis of file: /<redacted>/0e01bad874c61d09d09ce06f76f5e46f6648a1fc943644874c8e1a53a93af9a7
[INFO] MSI wrapped payload detected.
[INFO] Found AU3 script in file ibovBbSd.au3 in the MSI package.
[INFO] Sample uses the following key: aFcOMuvRD. Calculated XOR key is: 0xa5
[INFO] Found candidates for custom base64 alphabet: tc20Hq49MLrjlPsVGRFiOnSgvB6kbA5expXZKduCD3WT1N8zhyJoafIY=EQ+wmU7, zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=
{
"anti_analysis": false,
"anti_debug": false,
"anti_vm": false,
"c2_ping_interval": 13,
"c2_port": 2351,
"c2_servers": [
"http://89.248.193.66"
],
"check_disk": false,
"check_ram": false,
"check_xeon": false,
"crypter_au3": true,
"crypter_dll": false,
"crypter_rawstub": false,
"crypto_key": "QlYTYjlwalZvWA",
"flag_14": 13,
"internal_mutex": "icOhsB",
"min_disk": 100,
"min_ram": 4096,
"rootkit": true,
"startup_persistence": true
}
The concept of the `unpack_msi_wrapped_payload` function is that it extracts the CAB from the MSI, then extracts the compressed files from the CAB, and then searches for the AU3 file. Are you suggesting we should change this?
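The step the two runs disagree on is whether the stream pulled out of the MSI is already the AutoIt script or still a CAB container. The following is an added example written for this discussion, not code from the DarkGate extractor or from this pull request: it shows the cheap magic-byte check that tells a CAB stream apart from plaintext, walks the CAB directory (CFHEADER, CFFOLDER, CFFILE, CFDATA, as laid out in Microsoft's cabinet specification) to find a `*.au3` member, and pulls its bytes out. The MSI side and real MSZIP/LZX decompression are out of scope; only folders stored uncompressed are decoded here, and a production extractor would hand the CAB to `cabextract` or a CAB library instead. `build_cab` and the sample stream it produces are constructed stand-ins so the example runs offline; the member names and contents are made up and are not the real sample's.

```python
import struct

# Layouts from Microsoft's Cabinet (CAB) file format specification.
CAB_MAGIC = b"MSCF"
CFHEADER_FMT = "<4sIIIIIBBHHHHH"  # signature .. iCabinet (36-byte fixed part)
CFFOLDER_FMT = "<IHH"              # coffCabStart, cCFData, typeCompress
CFFILE_FMT = "<IIHHHH"             # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFDATA_FMT = "<IHH"                # csum, cbData, cbUncomp
COMPRESS_NONE = 0                  # low nibble of typeCompress: 0 none, 1 MSZIP, 2 Quantum, 3 LZX
FLAG_PREV_OR_NEXT = 0x0003         # cfhdrPREV_CABINET | cfhdrNEXT_CABINET
FLAG_RESERVE_PRESENT = 0x0004      # cfhdrRESERVE_PRESENT


def is_cab(blob: bytes) -> bool:
    """The check that separates a CAB stream from a plaintext script: the MSCF signature."""
    return blob[:4] == CAB_MAGIC


def parse_cab(blob: bytes):
    """Return (folders, files, per-CFDATA reserve size) from a single-part CAB directory."""
    if not is_cab(blob):
        raise ValueError("not a CAB archive: MSCF signature missing")
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, _vmin, _vmaj,
     c_folders, c_files, flags, _set_id, _i_cab) = struct.unpack_from(CFHEADER_FMT, blob, 0)
    if cb_cabinet > len(blob):
        raise ValueError("truncated CAB: cbCabinet exceeds stream length")
    if flags & FLAG_PREV_OR_NEXT:
        raise ValueError("multi-cabinet sets are not handled by this example")
    pos = struct.calcsize(CFHEADER_FMT)
    cb_cffolder = cb_cfdata = 0
    if flags & FLAG_RESERVE_PRESENT:  # optional header/folder/data reserve sizes follow
        cb_cfheader, cb_cffolder, cb_cfdata = struct.unpack_from("<HBB", blob, pos)
        pos += 4 + cb_cfheader
    folders = []
    for _ in range(c_folders):
        coff_start, c_cfdata, type_compress = struct.unpack_from(CFFOLDER_FMT, blob, pos)
        folders.append({"start": coff_start, "blocks": c_cfdata, "compress": type_compress & 0x000F})
        pos += struct.calcsize(CFFOLDER_FMT) + cb_cffolder
    files = []
    pos = coff_files
    for _ in range(c_files):
        cb_file, uoff, i_folder, _date, _time, _attr = struct.unpack_from(CFFILE_FMT, blob, pos)
        pos += struct.calcsize(CFFILE_FMT)
        end = blob.index(b"\x00", pos)  # szName is NUL-terminated
        files.append({"name": blob[pos:end].decode("latin-1"), "size": cb_file,
                      "folder": i_folder, "offset": uoff})
        pos = end + 1
    return folders, files, cb_cfdata


def folder_bytes(blob: bytes, folder: dict, cb_cfdata: int) -> bytes:
    """Concatenate a folder's CFDATA blocks. Stored (uncompressed) folders only;
    MSZIP/LZX folders need a real decompressor such as cabextract."""
    if folder["compress"] != COMPRESS_NONE:
        raise NotImplementedError(f"compression type {folder['compress']} not handled here")
    out = bytearray()
    pos = folder["start"]
    for _ in range(folder["blocks"]):
        _csum, cb_data, _cb_uncomp = struct.unpack_from(CFDATA_FMT, blob, pos)
        pos += struct.calcsize(CFDATA_FMT) + cb_cfdata
        out += blob[pos:pos + cb_data]
        pos += cb_data
    return bytes(out)


def extract_au3(blob: bytes):
    """Return (name, content) of the first *.au3 member, or None if the CAB has none."""
    folders, files, cb_cfdata = parse_cab(blob)
    for entry in files:
        if not entry["name"].lower().endswith(".au3") or entry["folder"] >= len(folders):
            continue
        data = folder_bytes(blob, folders[entry["folder"]], cb_cfdata)
        return entry["name"], data[entry["offset"]:entry["offset"] + entry["size"]]
    return None


def build_cab(files: dict) -> bytes:
    """Constructed test input: a minimal single-folder, uncompressed CAB with one CFDATA
    block and the checksum left at 0 (the parser above does not verify it)."""
    cffiles = b""
    payload = b""
    for name, content in files.items():
        cffiles += struct.pack(CFFILE_FMT, len(content), len(payload), 0, 0, 0, 0x20)
        cffiles += name.encode("ascii") + b"\x00"
        payload += content
    coff_files = struct.calcsize(CFHEADER_FMT) + struct.calcsize(CFFOLDER_FMT)
    coff_data = coff_files + len(cffiles)
    cfdata = struct.pack(CFDATA_FMT, 0, len(payload), len(payload)) + payload
    header = struct.pack(CFHEADER_FMT, CAB_MAGIC, 0, coff_data + len(cfdata), 0,
                         coff_files, 0, 3, 1, 1, len(files), 0, 0, 0)
    folder = struct.pack(CFFOLDER_FMT, coff_data, 1, COMPRESS_NONE)
    return header + folder + cffiles + cfdata


# Constructed stand-in for the MSI stream: a CAB holding a decoy plus a fake AutoIt script.
SAMPLE_STREAM = build_cab({
    "AutoIt3.exe": b"MZ\x90\x00 constructed placeholder, not a real PE",
    "ibovBbSd.au3": b'#NoTrayIcon\r\nMsgBox(0, "constructed", "not the real script")\r\n',
})
```

Calling `is_cab(stream)` before treating a stream as script text is the check that matters for the situation in this thread: a CAB stream will never match an AutoIt signature, so an extractor that skips the check reports a missing payload instead of unpacking one more layer. `extract_au3(SAMPLE_STREAM)` on the constructed input returns the `ibovBbSd.au3` member and its bytes.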
Hello, thanks for the response. I used the original code on sample 0e01bad874c61d09d09ce06f76f5e46f6648a1fc943644874c8e1a53a93af9a7 and it cannot extract the config; here is the debug info:
[INFO] Starting Telekom Security DarkGate Extractor
[INFO] Performing analysis of file: msi/0e01bad874c61d09d09ce06f76f5e46f6648a1fc943644874c8e1a53a93af9a7
[INFO] MSI wrapped payload detected.
[INFO] Found AU3 script in file Binary.bz.WrappedSetupProgram in the MSI package.
[INFO] Found embedded payload file candidate with XOR key 0xa5 at offset 895948 with length 671904.
[ERROR] No usable payload found in file: msi/0e01bad874c61d09d09ce06f76f5e46f6648a1fc943644874c8e1a53a93af9a7
After checking the code, I found that `unpack_msi_wrapped_payload` is trying to extract the config from Binary.bz.WrappedSetupProgram, but it is a CAB file, so I added the logic to extract the AutoIt script from the CAB file. Here is the debug information after the patch:
[INFO] Starting Telekom Security DarkGate Extractor
[INFO] Performing analysis of file: msi/0e01bad874c61d09d09ce06f76f5e46f6648a1fc943644874c8e1a53a93af9a7
[INFO] MSI wrapped payload detected.
[INFO] CAB file wrapped payload detected.
[INFO] Found AU3 script in file ibovBbSd.au3 in the CAB archive.
[INFO] Sample uses the following key: aFcOMuvRD. Calculated XOR key is: 0xa5
[INFO] Found candidates for custom base64 alphabet: tc20Hq49MLrjlPsVGRFiOnSgvB6kbA5expXZKduCD3WT1N8zhyJoafIY=EQ+wmU7, zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=
{
"anti_analysis": false,
"anti_debug": false,
"anti_vm": false,
"c2_ping_interval": 13,
"c2_port": 2351,
"c2_servers": [
"http://89.248.193.66"
],
"check_disk": false,
"check_ram": false,
"check_xeon": false,
"crypter_au3": true,
"crypter_dll": false,
"crypter_rawstub": false,
"crypto_key": "QlYTYjlwalZvWA",
"flag_14": 13,
"internal_mutex": "icOhsB",
"min_disk": 100,
"min_ram": 4096,
"rootkit": true,
"startup_persistence": true
}
Not sure why you can extract the AutoIt script from the MSI; am I missing something?