Brian Stadnicki's reverse engineering & malware analysis blog
There is a huge amount of malware created and found every day, easily 1k to 3k a day on a public resource such as malshare alone.
So there is a big question: who is creating so much malware, and why?
Types
I believe there are 2 main bands of malware authors: the kids, and the professionals.
Kids
Kids can be taken both figuratively and literally. New “hackers” are often called Script Kiddies, referring to their main ability being to copy and paste public code and try to use it, often failing badly.
Last year, a major RCE was found in GitLab, CVE-2021-22205, affecting GitLab versions >= 11.9 and < 13.10.3 due to improper validation of an uploaded image before passing it to a file parser.
Malicious image
The DjVu image is considered a legacy format, so not much attention has been paid to it. The GitLab RCE depends on a vulnerability in ExifTool, CVE-2021-22204, where improper parsing of annotations, including a dangerous eval used to add quotes to a string, caused an RCE.
The SBIDIOT IoT malware was observed earlier this year in April. Recently I spotted a sample with a cryptominer added on, so let’s see what’s changed.
The botnet’s main use is DDoS attacks on game servers.
Overview
Author
I took a look at one of the past versions of this malware:
3e948a7995faac6975af3c8c937c66e6b5733cb69dab5d2b87ba4c22e23ef136
It appears that the author could be selfrepnetis, whose Instagram is likely @selfrepnetis and @selfrepnetis_.
Based on the Instagram profile, it appears that this botnet is likely being used for RebirthRebornV2, RebirthVPN, and RebirthReboot1.
Today I’m taking a look at a password stealer filled with obfuscation and some virtual machine detection. The sample can be obtained from malshare, with an automated analysis report on joesandbox.
Property          Value
File Type         Portable Executable 64
File Size         3.69 MB
CompanyName       Say celebrate Date
FileDescription   Dress Suffer fuel basic
FileVersion       6.4.14.15
LegalCopyright    Pine Shit (c) 2005
ProductName       Almost publication
MD5               3c7c6d236721ea4cef0f904ebde6f575
SHA1              d82cd631a49a175caace0fb209f7b9da16e29655
SHA256            ed107d31ac4a6e8f665986e3326cc2c4551fd00ba26f5414faa8edd0f7c20061
Initial overview
The sandbox report provides us with a lot of useful initial information.
Self-modifying programs seem to be viewed as something magical, but they’re quite simple.
To demonstrate this, I’ll be writing a self-modifying factorial program in x86, specifically in nasm.
Basic factorial
To write a self-modifying factorial program, we first need a normal factorial program.

```nasm
; Input:  eax = n
; Output: eax = n! (edx is clobbered by mul)
factorial:
    push ebp
    mov ebx, eax            ; ebx = n, the running multiplier
factorial_start:
    sub ebx, 1              ; ebx = ebx - 1
    cmp ebx, 0
    je factorial_end        ; stop once the multiplier reaches 0
    mul ebx                 ; edx:eax = eax * ebx
    jmp factorial_start
factorial_end:
    pop ebp
    ret
```

This is quite simple; if it needs explanation, then this isn’t for you.
This is a challenge from MetaCTF CyberGames 2021. It included .NET memory dump forensics, and how to do that doesn’t seem to be common knowledge, so hopefully this writeup can help with that.
Step into the NET
For the grand finale, it’s time to put all of your analysis skills together. You’re going to face a little bit of Crypto & Reverse Engineering and a whole lot of Forensics.