Category Archives: Writeup

[ Technical Teardown : “Your 2016 Tax Report From IRAS”. In Word 2003 XML Document (.xml)? ]

Several days ago, I saw this "old technique" being used again, but I wasn't interested in it until today, when I saw that it is trying to spoof the Inland Revenue Authority of Singapore (IRAS).

So what is this "old technique" that I'm talking about? It's basically the good old "Word 2003 XML Document" trick. I'll walk you through the entire process.

[ Sample used in the analysis ]
MD5: 25abc03eb402c1b6b99543cca626c78d
SHA256: 143c59cf481a921b99061557684194041d8462cd31f75ff806b9f1b22940a35d

[ Part 1 : Getting Started ]
For those who want to follow along, this is a link to the email file 143c59cf481a921b99061557684194041d8462cd31f75ff806b9f1b22940a35d

Do note, this is a MALICIOUS file, so please do the analysis in a "safe" environment. The password to the attachment is "infected29A".

Now, let's start getting our hands dirty and open the suspicious email with Visual Studio Code.

As we can see from the above image, the attacker is sending this spoofed email as if it came from IRAS, and we can find out several things from the email headers.

EMAIL HEADERS:

  • Date: Wed, 26 Apr 2017 06:51:42 +0800
  • From (possibly spoofed): “Inland Revenue Authority of Singapore “<tax_no_reply-no@iras.gov.sg>
  • Subject: [IRAS: IMMEDIATE ATTENTION] Your 2016 Tax Report!!!
  • Message-ID: <77724133945041300816867@WIN-2TAK14O2BL3>

However, if we analyse the headers properly, we can see that the attacker probably sent this from the IP address 62.210.139.92:

Received: from 62-210-139-92.rev.poneytelecom.eu
(62-210-139-92.rev.poneytelecom.eu [62.210.139.92])

From the above image we can see the contents of the email message: it is social-engineering the victims into opening the "doc" file.

EMAIL MESSAGE:

 

[ Part 2 : Email attachment ]

Now let's take a look at the attachment. It is Base64-encoded, so let's decode it.

What is interesting is that after Base64-decoding it, I don't see a .doc file. Rather, what we get is an XML file, as shown here.

 

When you open a Word 2010, Word 2007 or Word 2003 XML document, Windows does not hand it to Internet Explorer the way it would an ordinary .xml file. Instead, if Microsoft Office is installed, Microsoft Word opens the XML document. Why is this so?

Let's take a look at the image above. Starting from Word 2003, Word documents can be saved as XML in what Microsoft calls WordprocessingML. The mso-application processing instruction near the top of the file (`<?mso-application progid="Word.Document"?>`) tells the Windows shell and Internet Explorer which Office application owns the file, so double-clicking it launches Word rather than an XML viewer. Microsoft has a good overview of WordprocessingML here.

But let’s inspect this XML file first.

 

The first thing that caught my eye is this.

It seems to be asking victims to "Enable Content to view". Smells like macros again.

If we look further down, we can see the reference to "/word/vbaProject.bin", as shown in the image below.

OK, more Base64 decoding to do. Once decoded, we can spot the familiar "D0CF11E0A1B11AE1" signature of an OLE2 compound file, which is the container format of vbaProject.bin.
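The two checks above (the mso-application processing instruction that hands the file to Word, and the Base64-encoded vbaProject.bin part that decodes to an OLE2 container) can be automated. The following is an added example written for this page, not the author's tooling, and it runs against a constructed stand-in document rather than the real attachment. It targets the part name the post shows, /word/vbaProject.bin, which is the Flat OPC (pkg:package) layout used by Word 2007 and later; genuine Word 2003 WordprocessingML stores macros differently, inside a w:binData element, and this example does not handle that case. The lure-string list and the stand-in VBA blob (just the OLE2 header plus padding) are assumptions.

```python
import base64
import re
import xml.etree.ElementTree as ET

# OLE2 compound-file signature: the "D0CF11E0A1B11AE1" the post spots after decoding
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
PKG_NS = "http://schemas.microsoft.com/office/2006/xmlPackage"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def mso_application_progid(xml_bytes):
    """Return the progid from <?mso-application progid="..."?>, or None.
    That processing instruction, not the .xml extension, is what makes the
    Windows shell / Internet Explorer hand the file to Word."""
    m = re.search(rb'<\?mso-application\s+progid="([^"]+)"\s*\?>', xml_bytes)
    return m.group(1).decode("ascii") if m else None


def extract_binary_parts(xml_bytes):
    """Decode every <pkg:part> that carries <pkg:binaryData>; Flat OPC keeps
    the VBA project under the part name /word/vbaProject.bin."""
    root = ET.fromstring(xml_bytes)
    parts = {}
    for part in root.iter(f"{{{PKG_NS}}}part"):
        name = part.get(f"{{{PKG_NS}}}name")
        bd = part.find(f"{{{PKG_NS}}}binaryData")
        if name and bd is not None and bd.text:
            # the base64 is line-wrapped inside the element; strip all whitespace first
            parts[name] = base64.b64decode(re.sub(rb"\s+", b"", bd.text.encode("ascii")))
    return parts


def find_vba_projects(xml_bytes):
    """(part_name, blob) for each binary part that is an OLE2 container."""
    return [(n, b) for n, b in extract_binary_parts(xml_bytes).items()
            if b.startswith(OLE_MAGIC)]


def lure_strings(xml_bytes, needles=("enable content", "enable editing")):
    """Visible text runs (<w:t>) that carry the usual macro-enable lure.
    The needle list is an assumption, extend it per campaign."""
    root = ET.fromstring(xml_bytes)
    return [t.text for t in root.iter(f"{{{W_NS}}}t")
            if t.text and any(n in t.text.lower() for n in needles)]


def triage(xml_bytes):
    progid = mso_application_progid(xml_bytes)
    vba = [n for n, _ in find_vba_projects(xml_bytes)]
    return {
        "progid": progid,
        "vba_parts": vba,
        "lures": lure_strings(xml_bytes),
        # an Office-owned XML file that embeds a VBA project is worth a closer look
        "suspicious": progid is not None and bool(vba),
    }


# Constructed sample (not the real attachment): a minimal Flat OPC document with
# a lure paragraph and a stand-in vbaProject.bin that only carries the OLE2 header.
FAKE_VBA = OLE_MAGIC + b"\x00" * 24
SAMPLE_XML = (
    b'<?xml version="1.0" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<pkg:package xmlns:pkg="http://schemas.microsoft.com/office/2006/xmlPackage">\n'
    b' <pkg:part pkg:name="/word/document.xml" pkg:contentType="application/xml">\n'
    b'  <pkg:xmlData><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    b'<w:body><w:p><w:r><w:t>Please Enable Content to view this document</w:t></w:r></w:p></w:body>'
    b'</w:document></pkg:xmlData>\n'
    b' </pkg:part>\n'
    b' <pkg:part pkg:name="/word/vbaProject.bin" pkg:contentType="application/vnd.ms-office.vbaProject">\n'
    b'  <pkg:binaryData>\n' + base64.b64encode(FAKE_VBA) + b'\n  </pkg:binaryData>\n'
    b' </pkg:part>\n'
    b'</pkg:package>\n'
)

if __name__ == "__main__":
    print(triage(SAMPLE_XML))
```

On a real sample, write the decoded blob from find_vba_projects() to disk and feed it to Profiler or olevba as the post does; this script only locates and decodes it.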

OK, now let's save this Base64-decoded file and use Profiler to parse it, and we should be able to see this.

OK, let's deobfuscate this macro and we should get back something like the following:

So basically it’s just downloading the payload from http://travelbag[.]ca/lk/lk/kdabz.exe

The SHA256 hash of this malware is "305B32DDC8786A56FABDA1114F6BF549AEB1B283FB3915D6076D49A7E5265FCB".

Since that malware is developed in .NET, I shall leave the reversing of it as an exercise for the readers.

[ Part 3 : Side Note ]

I know some of you are wondering whether the attackers made this by hand. I highly doubt it. I don't want to encourage script kiddies to replicate this, but it's really simple 🙁

Thanks & Regards
Jacob Soo

 

 

[ Technical Teardown: Analysing MalSpam Attack – 標的型攻撃メール ]

Yesterday afternoon, there was an alert about a MalSpam attack happening in Japan.
https://www.cc.uec.ac.jp/blogs/news/2017/04/20170425malwaremail.html

Malware authors have been sending malware via zipped attachments in spam emails for a long, long time, but many people are still puzzled about why and how it works. I will try to fill in the required information about where to look for the relevant data and how to decode some of it.

Firstly, we are going to learn a bit about the .msg file format and how it is used to store a message object in a file that can then be shared between clients or message stores that use the file system.

In order to analyze the .msg file without Outlook, we can read more about the file format from:

The purpose of this post is to give a better technical understanding of how attackers make use of spam emails to spread malware.

[ Sample used in the analysis ]
MD5: 3370c5c8d0f42a33a652de0cc2f923ed
SHA256: 8613d560b4ab064bb6380fd999b65ef1a436b1f16161ef8789137691e8844587
Sample:

[ Part 1 : Getting Started ]
For those who want to follow along, this is a link to the .msg file 8613d560b4ab064bb6380fd999b65ef1a436b1f16161ef8789137691e8844587

Do note, this is a MALICIOUS file, so please do the analysis in a "safe" environment. The password to the attachment is "infected29A".

Now, let's start getting our hands dirty and open the suspicious .msg file using Profiler.

 

Each "__substg" stream contains a valuable piece of information. The first four of the eight hex digits at the end of the stream name tell you what kind of information it is (the property ID); the last four tell you the type (binary, ASCII, Unicode, etc.).

  • 0x007d: Message header
  • 0x0C1A: Sender name
  • 0x0C1F: Sender email
  • 0x0E1D: Subject (normalized)
  • 0x1000: Message body

Since this is a forwarded email (SOC-Mail00135 【注意:標的型攻撃メール?】FW 固定床炉処理日報, i.e. "[Caution: targeted attack email?] FW fixed-bed furnace processing daily report"), we can see that it's most probably a spoofed email from a Japanese institution.

 

[ Part 2 : Email attachment ]
Since we can't do a proper email investigation, let's look at the attachments. Let's look at "Root Entry/__attach_version1.0_#00000000" and refer to the specification again.

  • Attachments (37xx):
  • 0x3701: Attachment data
  • 0x3703: Attachment extension
  • 0x3704: Attachment filename
  • 0x3707: Attachment long filename
  • 0x370E: Attachment MIME tag

If we look at "__substg1.0_3704001F", we will see that the filename of the attachment is "M58A33~1.zip", and the display name of the attachment in "__substg1.0_3001001F" is "M58A33530641949.zip".

 

Now let’s look at the actual data located within “__substg1.0_37010102” as shown below.

We can see that the zip file contains a .docx file, "vhlwspyw.docx".
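The stream-naming rule above (property ID in the first four hex digits, type in the last four) and the attachment lookup are easy to script once the streams are read out of the OLE container. The following is an added example for this page, not the author's code: it decodes the property streams into readable names, groups the __attach_version1.0_#NNNNNNNN storage separately, and lists the members of a zip attachment without extracting it. The sample dictionary is constructed (only the stream names, the subject and the two attachment file names come from the post; the sender name and zip contents are placeholders), and the cp1252 assumption for 8-bit strings is noted in the code.

```python
import io
import zipfile

# Property ids from the post (MS-OXPROPS names), keyed by the first four hex digits
PROP_NAMES = {
    0x007D: "PidTagTransportMessageHeaders",
    0x0C1A: "PidTagSenderName",
    0x0C1F: "PidTagSenderEmailAddress",
    0x0E1D: "PidTagNormalizedSubject",
    0x1000: "PidTagBody",
    0x3001: "PidTagDisplayName",
    0x3701: "PidTagAttachDataBinary",
    0x3703: "PidTagAttachExtension",
    0x3704: "PidTagAttachFilename",
    0x3707: "PidTagAttachLongFilename",
    0x370E: "PidTagAttachMimeTag",
}
# Property types from the last four hex digits
PTYPE_STRING8, PTYPE_UNICODE, PTYPE_BINARY = 0x001E, 0x001F, 0x0102


def parse_substg_name(stream_name):
    """'__substg1.0_3704001F' -> (0x3704, 0x001F): property id, property type."""
    if not stream_name.startswith("__substg1.0_") or len(stream_name) != 20:
        raise ValueError(f"not a property stream name: {stream_name!r}")
    tag = int(stream_name[-8:], 16)
    return tag >> 16, tag & 0xFFFF


def decode_value(ptype, raw):
    """Decode a stream body according to its property type."""
    if ptype == PTYPE_UNICODE:
        return raw.decode("utf-16-le").rstrip("\x00")
    if ptype == PTYPE_STRING8:
        # assumption: 8-bit strings are cp1252; a real parser reads the message's code page property
        return raw.decode("cp1252").rstrip("\x00")
    return raw  # PTYPE_BINARY and anything else stay as bytes


def summarize(streams):
    """streams: {ole_path: bytes}. Group property streams into the message and
    its __attach_version1.0_#NNNNNNNN storages, with readable property names."""
    out = {"message": {}, "attachments": {}}
    for path, raw in streams.items():
        parts = path.split("/")
        name = parts[-1]
        if not name.startswith("__substg1.0_"):
            continue  # __properties_version1.0, __nameid etc. are not handled here
        pid, ptype = parse_substg_name(name)
        label = PROP_NAMES.get(pid, f"0x{pid:04X}")
        value = decode_value(ptype, raw)
        if len(parts) > 1 and parts[0].startswith("__attach_version1.0_"):
            out["attachments"].setdefault(parts[0], {})[label] = value
        else:
            out["message"][label] = value
    return out


def attachment_entries(data):
    """If the attachment bytes are a zip, list its members without extracting."""
    if not data.startswith(b"PK\x03\x04"):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def _constructed_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("vhlwspyw.docx", b"constructed placeholder, not the real document")
    return buf.getvalue()


# Constructed stand-in for what olefile would return for the sample; only the
# stream names and the file names come from the post.
SAMPLE_STREAMS = {
    "__substg1.0_0C1A001F": "Constructed Sender".encode("utf-16-le"),
    "__substg1.0_0E1D001F": "FW 固定床炉処理日報".encode("utf-16-le"),
    "__attach_version1.0_#00000000/__substg1.0_3001001F": "M58A33530641949.zip".encode("utf-16-le"),
    "__attach_version1.0_#00000000/__substg1.0_3704001F": "M58A33~1.zip".encode("utf-16-le"),
    "__attach_version1.0_#00000000/__substg1.0_37010102": _constructed_zip(),
}

if __name__ == "__main__":
    summary = summarize(SAMPLE_STREAMS)
    for storage, props in summary["attachments"].items():
        print(storage, props["PidTagAttachFilename"],
              attachment_entries(props["PidTagAttachDataBinary"]))
```

To run it on a real .msg without Outlook, build the dictionary with olefile: open the file with olefile.OleFileIO, iterate ole.listdir(streams=True, storages=False), join each path with "/" and read it with ole.openstream(path).read().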

Now, let's press "Ctrl+A" to select the entire contents, then copy it into a new file as shown in the image below.

 

We could now analyse the .docx by hand, but let's use Profiler instead, since it can already parse the entire Outlook file and identify what is inside the attachment.

As we can see from the image below, the .docx contains an embedded OLE object which is actually a JavaScript file.

The extracted Javascript looks like this.

After deobfuscation, it uses PowerShell to download the payload from http://ca[.]tradelatinos[.]co/js90.bin?LIOv

However, the payload was unavailable when I tried to grab it, but I've found these other js90.bin samples from the same campaign.

Hashes of Malicious .DOCX

Hashes of Malware

These are all Ursnif or Dreambot, and there are articles and reversing tutorials on them, so I shall leave it as an exercise for the readers.

  • http://www.seculert.com/blogs/ursnif-deep-technical-dive
  • https://www.youtube.com/watch?v=raoL6_0A5aw

Some of the subject titles of the emails are:

「付け出し」 (invoice), 「発送の御連絡」 (shipping notification), 「のご注文ありがとうございます」 (thank you for your order), 「固定床炉処理日報」 (fixed-bed furnace processing daily report), 「給料振込の件」 (regarding salary transfer)

Thanks & Regards
Jacob Soo

[ Walkthrough : SANS 2015 CDI DFIR Challenge ]

Sorry that we haven’t been able to write anything interesting for the last few months.

I thought of publishing this right after the competition ended, but real life gets the better of most of us. I totally forgot about it, as I was busy helping NUSGreyhats with their CTF and with my own personal stuff. It was lying in the drafts folder collecting virtual dust, just like my entry for the SANS Holiday Hack Challenge. 🙁
I don't remember whether I submitted my answers for this challenge. 🙁

Below is my walkthrough for the SANS CDI Forensic Challenge, and I hope the process of solving the questions might be useful to someone out there. The entire challenge consists of 3 parts.

[ NTUSER.DAT CHALLENGE ]
In Part 1, we were given a link, http://dfir.to/EVIDENCE1 to download the data.
I have attached the file here in case the link is gone: Vibranium-NTUSER
On the page, we were asked the following questions.

1. What was the most recent keyword that the user vibranium searched using Windows Search for on the nromanoff system?
2. How many times did the vibranium account run excel.exe on the nromanoff system?
3. What is the most recent Typed Url in the Vibranium NTUSER.dat? (Enter in the following format: http:///)

On Windows XP, search terms are kept in the ACMru key at the following registry location:
ntuser.dat\Software\Microsoft\Search Assistant\ACMru
This key stores the search terms that have been typed into a Windows search dialog box.
The following subkeys define where the search term was used:
5001 – List of terms used for the Internet Search Assistant
5603 – List of terms used for the Windows XP files and folders search
5604 – List of terms used in the “word or phrase in a file” search
5647 – List of terms used in the “for computers or people” search

Unfortunately, Windows Vista did not include a registry key for user searches.
However on Windows 7, the history of search terms using Windows Search can be found in the following registry key:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
The WordWheelQuery subkey records information about user searches.

There are many great registry tools out there, but for this particular challenge I will be using Windows Registry Recovery.

Challenge.0x0001

As we can see from the above image, the very first entry in MRUListEx is "01 00 00 00".
This simply means that entry "1" is the most recently searched item (MRUListEx is a list of 4-byte little-endian indices, most recent first).

In this particular case, we can see that the value for the first entry is “alloy” and that’s our answer.
Challenge.0x0002

Moving on to the 2nd question: How many times did the vibranium account run excel.exe on the nromanoff system?
For this particular question, we are required to check the following registry key:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Challenge.0x0003

As we can see, the value names are all encoded using ROT13. The value we should be looking at is:
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\RKPRY.RKR
After decoding, the value will be:
{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office14\EXCEL.EXE

The number of times EXCEL.EXE was executed is stored as a 32-bit count at offset 0x04 of the UserAssist value data.
In this instance, the value is 4, which means EXCEL.EXE was executed four times, and that is our answer. 😀

Next we are asked, 3. What is the most recent Typed Url in the Vibranium NTUSER.dat? (Enter in the following format: http:///)
For this particular question, we need to check the following registry key.
NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs

Challenge.0x0004

As we can see from the image above, the most recent typed URL is "http://199.73.28.114:53/" and that is the answer.

[ SYSTEM and SOFTWARE CHALLENGE ]
In Part 2, we were given a link, http://dfir.to/EVIDENCE2 to download the data.
I have attached the file here in case the link is gone: SOFTWARE-SYSTEM-HIVES.zip
On the page, we were asked the following questions.

1. The Windows Registry shows evidence of one USB device connecting to the nromanoff system. What is the serial number for this device?
2. What was the volume letter assigned to this USB device? (Enter just the letter for the volume.)
3. What is the volume name for the USB device that was inserted into the nromanoff system? (Enter the volume name in ALL CAPS.)

For the 1st question, there are many different methods to find the answer, so I will go through 2 of the common ones.
The first method is to check the following registry key:
SYSTEM\ControlSet001\Enum\USBSTOR

As we can see from the image below, the serial number of the USB device is "AA951D0000007252" (it is the first part of the instance subkey name under USBSTOR).
Challenge.0x0001

For the 2nd method, we can check the following registry key:
SYSTEM\MountedDevices

As you can see from the image below, we find the USB device and also the volume letter "E" assigned to it. We have found the answer to question #2 too.
Challenge.0x0002

Moving to question #3, 3. What is the volume name for the USB device that was inserted into the nromanoff system? (Enter the volume name in ALL CAPS.)
We need to check the following registry key:
SOFTWARE\Microsoft\Windows Portable Devices\Devices

Challenge.0x0003

Once again, we find the volume name for the USB device, "SECRETPLANS".
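The three keys used in this part answer three different questions about the same device, and the join between them is the USBSTOR instance ID (serial plus "&0"). The following is an added example for this page, not the author's method or any tool's output: it decodes MountedDevices value data (12 bytes for a fixed disk, otherwise a UTF-16LE device-interface path), pulls the serial out of the USBSTOR path, and correlates it with the drive letter, the volume GUID and the FriendlyName under Windows Portable Devices. The hive contents are constructed; only the serial "AA951D0000007252", the letter "E" and the volume name "SECRETPLANS" come from the post, while the vendor/product strings, the MBR signature and the volume GUID are made up.

```python
import re
import struct

# GUID_DEVINTERFACE_DISK, which terminates USBSTOR device-interface paths
DISK_INTERFACE_GUID = "53f56307-b6bf-11d0-94f2-00a0c91efb8b"
USBSTOR_RE = re.compile(
    r"USBSTOR#(?P<device>[^#]+)#(?P<instance>[^#]+)#\{(?P<guid>[0-9a-f-]+)\}", re.I)


def serial_from_instance(instance_id):
    """USBSTOR instance ids look like 'SERIAL&0'. If the second character is
    '&', the device had no serial and Windows generated the id."""
    return instance_id.split("&")[0], (len(instance_id) > 1 and instance_id[1] == "&")


def decode_mounted_device(data):
    """MountedDevices value data: 12 bytes (MBR signature + partition offset)
    for fixed disks, otherwise a UTF-16LE device-interface path."""
    if len(data) == 12:
        sig, offset = struct.unpack("<IQ", data)
        return {"kind": "fixed", "mbr_signature": f"{sig:08X}", "offset": offset}
    text = data.decode("utf-16-le").rstrip("\x00")
    m = USBSTOR_RE.search(text)
    if not m:
        return {"kind": "other", "path": text}
    serial, generated = serial_from_instance(m["instance"])
    return {"kind": "usbstor", "device": m["device"], "instance": m["instance"],
            "serial": serial, "generated_serial": generated, "guid": m["guid"]}


def correlate(usbstor, mounted_devices, wpd_devices):
    """Join the three keys: USBSTOR (serial), MountedDevices (drive letter /
    volume GUID) and Windows Portable Devices (volume name).
    usbstor: {device_subkey: [instance_ids]}, mounted_devices: {value_name: bytes},
    wpd_devices: {subkey_name: {value_name: value}}."""
    results = []
    for device, instances in usbstor.items():
        for inst in instances:
            serial, generated = serial_from_instance(inst)
            rec = {"device": device, "serial": serial, "generated_serial": generated,
                   "letters": [], "volume_guids": [], "volume_name": None}
            for name, data in mounted_devices.items():
                d = decode_mounted_device(data)
                if d["kind"] != "usbstor" or d["instance"].lower() != inst.lower():
                    continue
                if name.startswith("\\DosDevices\\"):
                    rec["letters"].append(name[-2])          # '\DosDevices\E:' -> 'E'
                elif name.startswith("\\??\\Volume"):
                    rec["volume_guids"].append(name[4:])     # drop the '\??\' prefix
            for subkey, values in wpd_devices.items():
                # the WPD subkey name embeds the same '#INSTANCE#' fragment
                if f"#{inst}#".lower() in subkey.lower():
                    rec["volume_name"] = values.get("FriendlyName")
            results.append(rec)
    return results


# Constructed hive contents (see the lead-in for what is and is not from the post).
_DEVICE = "Disk&Ven_CONSTRUCTED&Prod_FLASH&Rev_1.00"
_INSTANCE = "AA951D0000007252&0"
_IFACE_PATH = f"_??_USBSTOR#{_DEVICE}#{_INSTANCE}#{{{DISK_INTERFACE_GUID}}}"

SAMPLE_USBSTOR = {_DEVICE: [_INSTANCE]}
SAMPLE_MOUNTED = {
    "\\DosDevices\\C:": struct.pack("<IQ", 0x1A2B3C4D, 0x100000),
    "\\DosDevices\\E:": _IFACE_PATH.encode("utf-16-le"),
    "\\??\\Volume{11111111-2222-3333-4444-555555555555}": _IFACE_PATH.encode("utf-16-le"),
}
SAMPLE_WPD = {
    f"{_DEVICE.upper()}#{_INSTANCE}#{{{DISK_INTERFACE_GUID}}}": {"FriendlyName": "SECRETPLANS"},
}

if __name__ == "__main__":
    for rec in correlate(SAMPLE_USBSTOR, SAMPLE_MOUNTED, SAMPLE_WPD):
        print(rec)
```

A device whose generated_serial flag is set (second character "&") cannot be tracked across machines by serial alone, so report that flag alongside the answer rather than treating every instance ID as a hardware serial.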

[ MEMORY ANALYSIS CHALLENGE ]
In Part 3, we were given a link, http://dfir.to/EVIDENCE3 to download the data.
I have attached the file here in case the link is gone: memory-raw.zip
On the page, we were asked the following questions.

1. To what remote IP address did the spinlock.exe process (PID 1328) have a connection?
2. What is the name of the user who is logged into Romanoff at the time the system memory was acquired?
3. Enter the time/date the system last booted according to the creation time of the initializing Windows process in the memory image. (Enter UTC time/date in the following format: YYYY-MM-DD HH:MM:SS)

For this particular challenge, we were given a memory dump file. The best way to solve this is to use Volatility.
As I was unsure which profile to use, I ran the imageinfo plugin to see which profiles are suggested.
volatility-2.5.standalone.exe -f memory-raw.img imageinfo

As we can see from the image below, we can use one of the following profiles: Win7SP0x86, Win7SP1x86
Challenge.0x0001

The first question, 1. To what remote IP address did the spinlock.exe process (PID 1328) have a connection?
The plugin that we should be using is "netscan", and the command is
volatility-2.5.standalone.exe --profile=Win7SP0x86 -f memory-raw.img netscan

The returned results should look like the following image.
Challenge.0x0002

However, we are supposed to look for the remote IP address that spinlock.exe connected to.
We can see that spinlock.exe (PID 1328) is connected to "199.73.28.114", and that is our answer.
Challenge.0x0003

For the 2nd question, 2. What is the name of the user who is logged into Romanoff at the time the system memory was acquired?
We should check the following registry key (in the logged-on user's NTUSER.DAT hive) in order to know the name of the user who is logged into Romanoff.
HKEY_CURRENT_USER\Volatile Environment

The plugin that we will be using in Volatility is printkey with -K "Volatile Environment":
volatility-2.5.standalone.exe --profile=Win7SP0x86 -f memory-raw.img printkey -K "Volatile Environment"

As we can see in the image below, the username is "vibranium".
Challenge.0x0004

Hooray, we are moving to the last question of this challenge.
3. Enter the time/date the system last booted according to the creation time of the initializing Windows process in the memory image. (Enter UTC time/date in the following format: YYYY-MM-DD HH:MM:SS)

This is fairly straightforward. According to https://technet.microsoft.com/en-us/library/bb457123.aspx,
"ntoskrnl.exe" is the first to load, so we know that the "System" process (PID 4) is the process we should be checking.

Using the "pslist" plugin:
volatility-2.5.standalone.exe --profile=Win7SP0x86 -f memory-raw.img pslist

As we can see in the image below, the creation time of "System" is 2012-04-04 11:47:29 UTC+0000, and that is our answer to the last question.
Challenge.0x0005

I hope that the entire walkthrough is simple enough to follow and do on your own.

Happy Reversing
Jacob Soo

[ Walkthrough 2015移动安全挑战赛(第二届): iOS Challenge 1 ]

It's been a long time since we wrote something here.
Today I will be writing about a simple iOS crackme which I found some time to play with 10 days ago.

To make it easier for everyone to follow this lame guide of mine, I've attached the file here: iOS Crackme

iOS.0x0001

The original question given to participants is shown above.

I've loosely translated it for simplicity's sake. 😀

Opening the binary in IDA Pro, the first things I usually look for in iOS crackmes are "Strings" or "onClick".

In this case, I went for "Strings". The first thing that caught my eye is "decryptPassword".
iOS.0x0001_1

Double-click that string and then press "X" to list the cross-references. I selected the method that uses it.

iOS.0x0001_2

After selecting that, you will get the following.

iOS.0x0001_3

As I'm one of those lucky ones to have the "Decompiler", pressing "Tab" shows this beautiful pseudocode.

iOS.0x0001_4

I've extracted the code for better readability.

 

Based on the above pseudocode, we can identify several things.

1.) There are 5 loops. Each loop starts by applying a Caesar cipher to the following base64-encoded string.

2.) After the Caesar cipher, it base64-decodes the returned result.

3.) Then it AES-decrypts the base64-decoded data with the following key: