Decoding NanoCore Rat

NanoCore is one of many Remote Access Trojans that are available. This particular RAT is a so-called premium RAT, which means it comes with a price tag. The current price to buy the latest version is $20. In the author's own words:


However, as this is a premium RAT, it is also one of the types that many coders try to crack and release, which is exactly what happened with an early release of this RAT, making it available to a much wider audience.

I have talked about some of my methods for walking through Java RATs; I figured now would be a good time to walk you through my process for RATs written in .NET.

Generating Samples

The first thing we need is samples that we can work with...

Read More

Viper – Binary Management and analysis Framework


When it comes to analyzing malware, it can be a fairly complex affair. Depending on the complexity of the malware you're analysing, there are many approaches you can take, and each of these will typically require the use of several tools or scripts. This is where http://viper.li comes into play.

Created by Claudio ‘nex’ Guarnieri, Viper is “A binary management and analysis framework dedicated to malware and exploit researchers.” It comes with some basic features that allow you to add, search and work with samples. Where it comes into its own is through the community-contributed modules. These modules greatly extend Viper's functionality.

At the time of writing, the current list of modules is as follows.

Commands

  • clear – Clear the console
  • close – Close the current session
  • delete – Delet...
Read More

Look inside a Dark Comet Campaign

As many of you who read this blog will know, I have a fondness for researching RATs. In this post I'm going to stay on the same topic, but I'm going to change the perspective. To date I have concentrated on understanding how the ‘Server’ was holding the configs and how to extract them.

Now I'm going to look at the data that is extracted by these tools.

The Tool

DarkComet is a free, ‘semi-publicly’ available RAT. The client and the server for DarkComet are well understood at this point, and there are hundreds of blog posts by researchers far better than myself, so I'm not going to dwell too much on these points except to say it's easy to get hold of, it's easy to use and it's fairly powerful if it gets installed on your system.

If you're unfortunate enough to become infected, and even worse you're infected ...

Read More

BSides London

This is a little late to post, but here it is anyway.

BSides is a framework for a security conference by the community, for the community. It's designed so that anyone who can get a space and some sponsorship can organise a conference, with a lot of the hard work already covered by the framework. That's not to say that the organisers, volunteers and sponsors don't put a lot of work in behind the scenes.

BSides London has been around for a couple of years and grows every year. This year I decided, with a little prompting, to submit a talk and a workshop. The talk didn't make it on to the main agenda, but my workshop did: a practical session showing how I reverse a RAT and extract the config. It was a small session with no more than 8 in attendance, but feedback was positive.

One of the things that BSides L...

Read More

RAT Decoders

I have talked about decoding RATs several times now in previous posts, and if you have read them you will know that I'm creating static decoders for the most common Remote Access Trojans.

In this post I'll be releasing a handful of the static decoders I have written so far.

I have set up a repo on GitHub that will hold a collection of Python scripts that extract and decode the configuration settings from common RATs.

Each of these decoders is already running on http://malwareconfig.com and has additional features that are not included in the scripts, like Snort rules, IOC files and VirusTotal linking.

You can read more about MalwareConfig.com in upcoming posts, or read more here: http://malwareconfig.com/about

Current Rats

Here is a list of the currently supported RATs:

  • Adwind
  • Arcom
  • BlackN...
Read More

I Hear you like Mount Points

tl;dr

Having just finished my SANS 508 course, I want to share a quick script to help mount partitions and disk images acquired as part of a forensic analysis.

I Hear You Like Mount Points

SANS 508 is an Advanced Computer Forensics course, and the majority of the course is spent examining disk images. The course uses E01 images of a single partition; this is done to simplify the classroom activities, since copying full disk images is time consuming and detrimental to the learning experience.

How does this scale to real life? In the real world you will have a mix of full disk images with multiple partitions and, in some cases, different formats for each partition: think dual-boot Linux and Windows with recovery partitions. Needless to say, real-world examples can get complex quickly.

When it comes to the ...

Read More

MalwareConfig

For those of you who read this blog on a more regular basis, you will know what I'm talking about; for those of you who just landed here, let me explain.

My project over the last several months has been looking at Remote Access Trojans / Tools. My aim was not to discover how they operate; RATs for the most part operate in the same way.

What I was interested in was how to detect these RATs and, more importantly, how I could share the information I was gathering with anyone else who could make use of it. The data set will largely contain samples from ‘script kiddies’ who mass-target individuals just to get slaves, but it will also capture samples that have been used by crime packs and potentially even APT actors.

Most methods of capturing this data use sandboxes to run the sample and observe its b...

Read More

Blue Banana RAT Config

Following on from my last post on the Adwind RAT, I found another Java-based RAT that is freely available to the public. Blue Banana has been around for a couple of years and looks very similar to early versions of Frutas.

Here is the pitch from the coder.


My aim was much the same as in my last analysis on the Adwind RAT. I'm not so interested in its capabilities, more in how its config is stored and how I can get to it.

Opening up the .jar file, I immediately see the bit I want: “config.txt” :)

config.txt contains a long string of chars that look like hex values. Could a simple hex decoder be all I need?

No, sadly not. Looks like I'm going to be reading through some Java class files to figure this one out.

Attempting to decompile the Java bytecode didn't work very well; I tried a few different de...

Read More

AdWind Rat Analysis

If you have been reading my recent posts, you will know that I'm working on a project to provide a public-facing web application that will allow people to upload samples and in return get the configuration, Snort rule, Yara rule and IOC files specific to each instance.

This post will show you how I muddle my way through figuring out how to extract a config file so it can be added to the collection of extraction scripts.

AdWind RAT Brief history

AdWind has 4 major milestones in its history.

  1. Starting life as a proof of concept on indetectables.net, it was named Frutas and was free, in its original Spanish and later in translated English.
  2. From Frutas it became AdWind and went up for sale as a “Premium” RAT. Prices ranged from $75 for a single licence to $250 for multiple licences.
Read More

Malware Sample Configuration Extractor

First of all

MERRY CHRISTMAS / SEASONS GREETINGS AND A HAPPY NEW YEAR

In my last post I talked about extracting configurations from malware samples. If you haven't already read it, you can find it here.

In the article I created several Python scripts that would extract the relevant configuration sections. There are also many scripts and techniques out on the interwebs that other researchers have created and shared.

My project for the upcoming months is to create a public framework and web application that will simplify the process of extracting, storing, searching and sharing these configurations.

Currently, and somewhat unimaginatively, named the “Malware Sample Configuration Extractor”, it is capable of extracting configs from the following:

Supported Malware

  1. Bozok Rat
  2. Jrat
  3. DarkComet
Read More