Cities Skylines II Malware [FULL REVERSE ENGINEERING ANALYSIS]

John Hammond · Beginner ·🔐 Cybersecurity ·1y ago

Key Takeaways

The video analyzes a malware incident in the City Skylines 2 modding community using tools like Binary Ninja, VirusTotal, and Flare, demonstrating reverse engineering and malware analysis techniques.

Full Transcript

downloading mods for a video game is not safe more often than not the hack or the cheat or the mod itself will be malware that'll infect your computer or even if you found some mod developers or a community in a hub that shares what should be clean and trusted mods there's always the chance that the developer and something some way along the supply chain could still be compromised and that is part of the story that we'll talk about today because recently just a little bit ago and I'm behind on this I'm a little late to the party but look on October 31st Halloween one member of my Discord server shares we have a malware incident in the city skylines 2 modding Community potentially thousands of game players affected and there is an official post by the developers and including a virus total report of the suspected file or the malware and malicious part of this mod if we actually take a look at the official post that was linked that is over on the Paradox forum and I got to say I don't play City skylines 2o I don't use any of the mods I've honestly never heard of this Paradox Forum before but it seems like this is where a lot of players get some stuff about the game mods things to get in the action and that is a well-known trusted and reputable Source but there is an important update for All City skyline 2 players there's a potential security issue that has affected the traffic mod for City skylines 2 late Monday evening an outside actor pushed an update to the mod which includes a dlll file or a dynamic link library that they believe is malicious we've already removed it and the current version is still safe to download now but if your mod was synced and you played the game using that mod between Monday and then then there's a possibility you may have had the malicious file and have been compromised or affected in this video we'll do some reverse Engineering in Mau analysis to make sense as to what this mod really did and we'll tell the whole story from beginning to end from Cradle to grave we'll talk about the original infection hearing it from the mod developer themselves and we'll understand the whole Community response and I got to say there is a whole lot to this story especially which is how the community kind of came together because a lot of people have been talking about this Eric Parker was digging into this lowlevel was chatting about this people were screaming all over Reddit I know the PC security Channel and a whole lot of others were trying to track this thing but if I may say and I think this is awesome I think the ground truth really came from JH Discord which is pretty cool hey REM my coworker was tagging some other sweet smart individuals I do want to give the shout out to Lochness Lochness Co has done some incredible things with this Illuminati fish and all the others that dig get a chance to dig into this and I know we had like the people from the the city skylines game modding Community jumped into the server chatting trying to understand and it was really cool sort of synthesis of just normal game players and developers alongside like security researchers reverse Engineers malware analysts and there was just a really really cool kind of I don't know Showcase of the conversations and how that was going back and forth and I know that I will ramble about that more later but when we really get into this Lochness over on November 1st said okay I'll dig into this now and I know that Lochness is a big fan of bja or binary ninja because when you're doing reverse engineering malare analysis you've got a lot of options right you could be using gidra you could be using Ida maybe R2 Radar Radar 2 however you say it cutter in the graphical user interface but I know and even my great friends tell me hey bja biner ninja is pretty awesome so we thought look let's follow along and do this just as well we do have the sample over on virus total note that it has like 40 out of 72 detections across all these different engines now and at the time recording it's November 10th uh granted this was all kind of breaking ground on October 31st November 1st so there's been some time dealt to here but at least it was uploaded to VT so we could download or I could download it I know with virus total Enterprise but not everyone can so this was shared on Mal share and I'm thankful for that and I do want to give a huge shout out to monkey and raver from the PC security Channel they had shared the sample with my video editor Nord Garen and I do need to give an extreme amount of thank you and kudos to nor Garen because he if you don't know does a heck of a lot more binary and compiled language reverse engineering that I do in fact he's a game modder himself and super duper qualified to dig into this so I got to learn a couple tricks from him as we got to download this fast math. dll and rip it apart in binary ninja this is a real malware sample so it should really be looked at inside of a virtual environment for Safety and Security right I've created just a windows development box and really you should have a snapshot ready and snapshot all the time as often as you can when you're putting this together I'm just using vmw workstation but as this virtual machine starts up we can go ahead and get in our disassembler and debugger and before we go too much further please let me say this video is sponsored by flare I'll tell you more about them soon but just for a super quick crash course flare is a threat exposure management solution that means that you can create different identifiers and even keep track of any activity out and about on the internet or even the dark web so whenever someone is chatting about you your company your business your employees your people anything that you might want to add different sort of detectors for you could see that across even anything in elicit networks like marketplaces Forum posts ransomware blogs or leak sites telegram channels and all that shady dark web stuff or just on the open internet like pce spin websites leaky S3 buckets GitHub and more and of course there are a ton of data that they have available from ingested info stealer malware logs this is where you could see any of the credentials that again you your team your peers your colleagues others that might have their information exposed out on the internet when you could track down even by domain email username password or even with a website that that data was leaked from there is so much more you can do with Flare between their API setting up custom notifications or alerts when some information is found out and about or even just taking a look at generated threat intelligence and curated CTI pertinent to you and your business and your company maybe you need to stay on top of what information is out and about from thread actors and adversaries and what they're doing in the current landscape look you can get access and see all this and more with a free trial link below in the video description to get started with Flare all right now that we are inside of our virtual machine we've got our fast math. dll file downloaded and ready for us to take a look at it it's nothing fancy here nothing special taking a look at the details security information it is not signed there's no certificate that comes alongside this we can start to open it up now you might do this in Ida you might do this in gidra but we in this video can take it on in binary ninja so I'll open that up I'll click the open button go navigate to it and we'll walk through everything and everything here and it will start Us in the underscore start function you can see that in the very middle of the screen we're taking a look at the display in the code View where we actually can take a look at the raw bytes if we really wanted to kind of much like a hex editor but really we should get back to the portable executable PE linear for how we might be able to view the code you could of course see this in the graph view which you might be used to in Ida or others in the linear setup here we actually could toggle this to the raw disassembly where we're taking a look at just the assembly instructions or the high medium or lowlevel intermediary language honestly I really like the pseudo C code because that way it just looks like code that we might be used to seeing in pure C you do of course have all these symbols on the top left we could explore those further cross references to whatever we're looking at but really what we can start on is this start function here all right now before we go too far though I do want to show you this really cool view that binary ninja offers you uh if you just go up to the view menu they do have this triage summary that has a lot of really quick and convenient easy analysis stuff that you might be liking in Mal analysis reverse engineering usual instant response you've got your entropy sort of visualization here typical file info Header information and we can scroll to the right there to see a little bit more but especially with this being a dll it's probably worthwhile to take a look at imports and exports now normally like an online sandbox maybe any run or Joe sandbox hybrid analysis whatever they would try to Kickstart and run for dynamic analysis with any exported ordinal like run dll d. dll to call the file and then like number one or the first exported function unfortunately this has no exports so pretty clear this one's a little bit sketchy this is certainly and we'll find more this is malware but it's a little bit ghoulish on the inside and I think that's worth noting look seeing kind of a sketchy no exports dll of course we could take a look through the strings here you can of course search through anything and everything if you want to within binary ninja um but there's nothing special or secret here no easy wins I can't just run strings and be done with it we are going to have to do some real reverse engineering so with that let's get to it now note this is a dll and that must mean that it's going to be maybe attached to or ran inside of a process or hey whatever loads that Dynamic link library with a dll reason as to whether it's being attached detached whatever you're probably used to seeing that in the boilerplate code to create a dll and normally that ARG 2 would be the reason that is actually being it worked with in this dll so we're checking if the ARG is equal to one in which case we use this sub function call here 1 180 c78 whatever and if we actually double click into that we can see a lot more of the usual boiler plate that's handling for like the security cookie stary stuff to handle that process so nothing all that interesting for us we can hit n on the keyboard to rename that as the usual security cookie function nothing fancy hit accept move on we do have the call that follows though dll main dispatch if I double click into that it is as you would expect now to handle the reason with the dll that was passed in with arg1 ARG 2 arg3 now inside of this function we want to track down where the code actually happens like when things start right cuz if we find some logic or a code branch that goes to the end of the program or the end of code to run well it's not going to run and that's not all that interesting for us so this conditional here if R2 is equal to0 and whatever data value we could double click in noting that's just zeros to start presumably if that's less than or equal to R2 then we return zero nothing happens there so that's probably not interesting we're probably not going to find the condition where R2 is equal to zero we might assume when the security cookie is set up if R2 is equal to 1 from what we just saw before we could see if our 2 less than one if it we're subtracting one from it is somehow suddenly then greater than one that would fall down this code but that's probably not going to happen because we know maybe presumably ARG 2 is one so let's just kind of follow through with that train of thought here thinking let's not take that if statement if we were to do 1 minus one greater than one not going to happen let's hit the L statement down below but if we do that we set RBX to one which if we're checking if it's not equal to zero which we know is now one so strange decompilation setup there but that will actually tell us okay we call this conditional enter this RX 2 will equal our DL main CRT dispatch ar1 R2 R3 all being included so we do follow through with this logic dll main CRT dispatch let's click into that and go see what that does oh well actually taking a look at the code here you could see the a little bit more information on it either attaching detaching doing whatever it might do based off of arg1 or ARG 2 here but that looks like regular handling for D in this case our ARG 2 were to be one if we were again working with that hypothesis we do end up calling this thing sub 1800 c6f whatever we can double click into that and then what do we do scrolling through to understand a little bit more regular startup lock fast fail Shenanigans uh dll main before initialize uh that's going to end up initializing having stuff run this sub is just initialize sist head nothing peculiar default local standard input and output options oh and then we do something with a lot of data values here and we could double click into these data 1 180 C8 whatever uh more zeros as we expand and explore them I'm hitting escape to go back by the way same thing with another nothing all that interesting but we do check after initial iiz uh we use this init term function with data again currently being zeros and then data again currently being zeros but in between those two we do see a sub routine a sub that is really something interesting what is that init term actually kind of doing because that seems to be the only thing that will happen in this conditional everything else is released RDI check will go through with regular dispatch calls nothing fancy there so that looks like the only thing that would happen if this is going to end up being returned out of the function here for our dcrt main dispatch right that function if we go back into it will do something with init term or init term what is that if we go Google init term init term init terore E from Microsoft documentations thanks Microsoft ignite internal method that walk a table of function pointers and initialize them the first pointer is the starting location in the table ooh and the second pointer is the ending location so it's just defining bounds when we saw that init term thing whatever and if it's going to initialize and probably run some functions like realistically that means that what we just saw at the start c820 being the zeros above and then just following that was the C 8210 being the end that means that in between here this data that is a sub routine double click on it that's a function oh wait a second it says this function is too large to analyze what was that yeah yeah yeah Force analysis of this function this may take a while okay so giant bloated function presumably we can double click on that and we can see down on the bottom left analysis Phase 1 it is now analy ing to rip apart and see that function might take a little bit so I'll pause and wait until we get there okay so now that this big sub 1800001 0000 is uh done analyzing we can scroll through it and it's kind of weird like you see all this there's a lot of character variables being defined uh a lot of 3 3 3 33s randomly like weird random stuff just a bunch variables being created a lot of Threes a lot of 33s and hex they just seem to be odd um and this goes on and on for a long time here if I scroll down this this must be why that function was so big and was not analyzed automatically but if I were like I know I'm looking at the pseudo let me switch this to the disassembly and oh hey binary ninja uh just took a second it's hanging there because this is probably taken so much time little bit of lag I I'll see when this comes back to life okay yeah yeah yeah yeah coming back to us but look just everything you'd expect move instructions over and over and over again adding to RSP and one new bite at a time so presumably building out like another payload like a second stage and you see this hex 33 over and over and over again uh let's kind of table this for the moment let me bring us back to what would be the start of this function where we could see all the move instructions start and then continue forever but this is code right it will execute this and put this all on the stack um ultimately it's going to be loading something into memory so let me rename this let me just hit n to rename this to like MW we could add that status yeah yeah yeah like whatever maybe right payload is probably a fine name but once that's renamed let's sort of walk backwards and kind of hey remind ourselves how we got to where we are I'll hit escape to bring us back and I do want to bring this back to pseudo so we could see some of the code because remember we saw that inside of that init term sort of function between those two bounds and that was in this sub routine that was all inside of we could call this whatever we wanted to but it was in the dlll main CRT dispatch and that dll main CRT dispatch was in the L statement of dll main dispatch that we started with but once we were done with that we could see we're testing if racks to the return value of that if it did not fail right if it's not equal to zero then we go to this label if I double click on that oh it just brings us back up to the lse statement that we started with to begin with but whatever ultimately that calls this sub routine which calls this sub routine if R2 is equal to one so let's drill down to that oh and what's going on here we can check while current process ID is not equal to XEX 1 2 3 4 that's not likely that's probably not going to happen because that's going to be a random process ID that will be a true condition so we'll enter this W Loop we can check if we can flush file buffers and that will be the break so assuming that's not going to happen we keep adding to RBX in the loop and maybe some way somehow we'll follow through once RBX is greater than or equal to whatever hex value we do something with data here dataor 180 and this is memory that we could click into and take a look at so it starts at zero you can see that uh and that's I'm going to assume an iterator right because we do it we have a do while loop here but they do something interesting they have an i null pointer where they're sort of doing like an inverse index into a buffer presumably because they keep growing and adding this over and over and over again but that's a different data value because the other one was ending in ca750 this ends in C a758 so double clicking on that it starts as zeros presumably but this Loop will exor oh exor you can see the the clear as day right this this line here the carrot symbol will exort with hex 33 which is just what we saw when we got to see that other big sub routine function and a lot of those 333 hex 33 so I'm curious is that all the move instructions that we saw it's just an a second stage payload exord with hex 33 we could probably take a look at that we could extract that dynamically but just to like go check uh at the very very top here the symbols we did rename that to whatever payload if I double click in here and go see this one more time in the disassembly take a look at these move instructions right we start with the hex 7e and then 69 so let me open up like Firefox this can be super simple super dumb and easy like let me just get genuinely cyber Chef open and then literally 7 e69 that is hex right so we need to do from hex and then we can say exor with the key being hex as the option set 33 the output is MZ the very start of a portable executable header or executable exe or. dll right so that whole sub routine everything that we're seeing here is probably just Another Second Stage payload exord with hex 33 let's extract that all out dynamically with a debugger if I get back to the section that we were in when we saw this exor operation we could just add a break point after that do while loop honestly we could just hit F2 and you can use a debugger here within binary ninja but I'll admit I think I don't know I've seen that do I don't know how to set that up smartly with a dll or dynamic link Library I do know that x64 debug another debugger that so many people love can handle that really nice and easily it'll just use like its own internal DL main to get smart and do that so let me do that with x64 debug before we do run that dynamically though we know and need to understand that okay running the process will put memory locations in different spots that will be different than what we would see in binary ninja right all because of aslr the address space layout randomization so what we can do is actually open up the 010 editor and I got to give huge props big shout out and big thanks to Nord Garen because he's taught me this if we were to try and open up the uh fast math. dll that will actually tell us look you could use this template because they do have some smart understanding of what all these different file formats are to make the 010 editor a super smart and good hex editor we can install that super easily and now it'll know okay these are all the sections and headers and things that are important for the file that you're actually looking at so I can drill down into just down below here uh the NT header I believe and the optional headers here going to the very very bottom of this we should be able to see what would be the dll characteristics taking a look in that we can go find if I expand this out the dynamic base and that is what will allow us to if I toggle this one to a zero change this so we don't have the aslr in action for this binary I can hit zero and then save contrl s now when I open up our x64 debugger and now we could simply open the fast math. dll that does have aslr turned off so everything should match the same addresses as we've seen inside of binary ninja and if we wanted to we could go take a look at the options and preferences because we should see the default like hey breakpoint settings will allow us to create a breakpoint or we don't even have to honestly at the very start of this thing running so honestly we could smartly safely hit go and go ahead and continue execution and you'll see that'll automatically bring us to the start or address of our entry points as we begin execution here but we need to put a break point just as we know right after this big long Loop that would exor that buffer and everything that we might want to pull out to get that second stage payload right so that is at this address 1 1800 c42 E1 we can right click copy that and because aslr is off I could just hit contrl G and that'll allow us to jump to or go to to a location and since we're running we should be able to go find this correct expression as I hit contrl V to paste that in so I'll click okay and that'll bring us to the same instructions if I zoom in just to smidge you could probably see this exactly the same disassembly that we would see inside of binary ninja if I toggle that back to disassembly yep there is our call knop and exor work that we're seeing so we'll create that break point there F2 to make sure that that is red now as I do this I do want to go ahead and hit go once again okay cool now our r or our instruction pointer brings us there and now everything is in memory the way that we would have wanted after it has decrypted or un exord hey took out that hex 33 out of the way so we could go determine from the data location that we know between the ca 758 and the ca750 750 should be the one that will now point to the start of our buffer so let me go grab this address I'll copy and paste and in the dump down on the bottom left of the screen we should be able to go now see all this stuff if I hit contrl G again to go to pasting in that location x64 tells us that is a correct expression it'll put us in the right place so I'll click okay and this gives us these memory addresses now if I were to actually go follow them walk through this I can right click the very start let me go to follow qword in dump and we can put that in dump number two since we're already in dump one for the tabs here if I go to this take a look you can see the entire MZ header this program cannot be ran in DOS mode so we have the portable executable the whole next stage binary dll in memory and we can just extract this out now here's the coolest thing here's what we can do we could actually rightclick this really anything as part of this and try to grab this in actually the memory map so for the whole memory that we're currently seeing and whatever page part we're actually in right now if we click that you'll see that it actually puts us into this Heap ID zero that's the one that's highlighted in the mid about the middle of the screen now if I were to rightclick this we can dump memory to a file and then just give us all the junk that's pertinent to the program execution right now including the MZ header and the raw binary for our stage two payload and just slap that on the desktop we can call that whatever stage 2. bin or whatever data.bin uh we will need to carve out the executable but because we know MZ right because we know how we can anchor and go find that in a hex editor like 010 we've already got basically everything that we need let's go open up 010 and let's try to open that let me open our data.bin and now we could simply control F and like just search for if I toggle the format here not in HEX but I actually just want simple asky we know the very start is that MZ the beginning of our portable executable let me hit enter and there it is we see exactly just as we saw previously this program cannot be run in Doss mode and now we could carve out this file by simply taking the very bite before it going all the way to the top and climbing the mountain here and then just hitting delete and then we saved it right so we could save this now if we wanted to or actually apply one of the templates that we know like an executable template to tell it look you're an executable file now you are aexe or a dll you're a portable executable file so if we run this now it smartly adds the colors and headers and everything that we've seen previously but we could if we really wanted to go find the very end and we don't have to like this isn't super duper important but it might be nice if we wanted to hey drill down to the very end here you might be able to see occasionally in the mini map on the right hand side I don't know if my face is in the way so let me move this just to smidge you can see as I'm scrolling down there are a couple blocks here like that are blue highlighted or any other important bits so if I get to maybe the borders that you can see just on the very left and right edges as I go find these little regions I'm curious where is the end do we get to one down below oh no we don't okay so this is the threshold that this bottom half does not have a border surrounding it to know that is an important and necessary exe portion so this 0 df0 a whatever don't care let's select it all and let's delete it that is still just leftover memory that we would have saved when we we're looking at the binary and we saved it out of x640 buug but data.bin now is only our stage 2. whatever dll right it's an executable file we know it's a portable executable file so let's save a copy call this stage 2. dll is probably fine we could work with that and now let's start the process all over again and open that up within binary ninja getting this you know usual malware Russian matrioska doll one layer after the next okay now back in binary ninja we can go ahead and open up that new stage 2. dll that we have prepped on our desktop now once I open this it's going to look pretty similar to what we've seen thus far if I actually toggle this to pseudo C we should be able to see just as we have previously kind of a pretty similar structure to the very start of this code the same way that the first fast math. dll did we know that it's going to do our DL main dispatch we know we have our security cookie function here and we can rename that walk through these usual steps but once we get to our dll main dispatch you'll know we'll follow through with the if and lse statement where the lse statement is what we would realistically take but jump to the label that brings us back to the if condition and then this sub routine that actually gets called so we could click into this but we start now to do something a little bit different you can see in this code where we actually start to work with ooh the process environment block and some of you might be pretty familiar that is the PEB and the PEB is actually some data structure that's inherent to all binaries or portable executables actual programs that run on Windows that actually has some really interesting data that could be used and abused by malware because it can actually keep track of all of the Imports or like oh memory objects stuff that it might use within the code and context execution of the program in fact it actually keeps track of the modules that it might use like kernel 32 kernel32.dll is one that I mentioned specifically because it will have a method or an exposed function to load library or to load other DLS pull in other libraries that code could continue to use so rather than our malware and the sample being something that could be easily signatured by antivirus where it has like the actual Imports for maybe nefarious functions like oh connect to a socket or encrypt something or things that could raise an eyebrow well it'll actually do some tricks with the process environment block and walk through enough of the data structure that it could reflectively using its own components hide and mask a sort of more subtle import or load library for something else that's not then hardcoded or seen in the contents the binary it reflectively Imports the stuff that it needs with some other tricks and that is ultimately the PEB walk or PEB crawl we'll see that in action though we'll dig into it a little bit more but hopefully that's at least a crash course in that anyway we know that this data value is going to end up being a process environment blog so we could just rename that to like data uncore PEB or whatever that's fine we do see down below if R2 is equal to one a conditional that should should just be again the dll startup reason if that's the case we will create thread with another sub routine so create thread will run immediately some new code and we can call this I don't know whatever MW malware start function or whatever for our stage two double clicking into this now we've got a lot more to work with in fact this is a much longer function that we'll explore soon but you might have noticed just at the very very top kind of important here look they do start to work with the PEB this rax1 variable is going to work with data PEB with some hex 18 offset so I think it's important to note now we could actually retype this because the PEB as it's working with it is going to be a pointer to that type for the process execution block PEB that is the yeah process environment block forgive me so let me press y on the keyboard and the hotkey in binary ninja to retype is why uh we could just change that to a PEB PEB with an asterisk right there to denote that is a pointer now I'll hit accept enter on that and thankfully this is pretty awesome binary ninja will now just rework and sort of hey analyze and give us a lot more of the C like Syntax for the structure components and things that are much more readable as we're kind of examining and reverse engineering this so take a look now we could see how we would pull out parts of the PEB in fact the inmemory order module list and that is as I was talking about earlier the data structures that could help the malware author track down the pieces and breadcrumbs that it could use to then reflectively load other modules or other dlls and get access to code in another new sneaky way but if I keep scrolling down we could actually see some of this in that F link and maybe some of you that have been cruising through malive Academy or other resources are very familiar with this process we could rename this to like I don't know MW module list if we really wanted to but down below this one is the one that's the most important because it ends up doing some subtraction with hex 10 right that is going to end up kind of realigning whatever offset as we're working through we actually want to end up considering that as one of the entries in the loader table data structure entry thing I'm not familiar with the name off the top of my head but I believe what we should end up doing is taking that VAR 3 f8 in this case and retyping that to with Y on our keyboard it is just uh ldr ldt no that should be ldr data table entry and uh asterisk again for it to be a pointer there I actually don't see it autoc completing though so I want to be able to add some of those type definitions and structures to Binary ninja and I think I can get those online from like the x640 buug headers that it might offer like Google x640 bug PEB loader data table entry here's one result x640 buug Source debug ndl NTD L.H uh I think this should if I search foror PEB we do have the PEB loader data and I would like that piece how about just loader data table entry do we have that yep we do we could grab that just as well we can actually trunk at some parts of this cuz we don't need all of it uh let me actually get a Sublime Text window open and I will pull together some cooking show magic uh this was from Nord Garen and his incredible work we had just gotten a we kind of cleaned it up and got the Unicode string just the dependency from the Microsoft documentation but then the structure for the PEB loader data the PEB the other loader data table entry and all this stuff we could give that to biner ninja so it could more smartly figure this out if I copy and paste all this back in binary ninja over on the left hand side kind of like Visual Studio or whatever vs code where you've got these icons to get to different things the type section I rightclick any part of this uh we could actually create types from sees Source I and that hotkey now if I were to paste this in fingers crossed we've kind of cleaned that up made it smarter and given all the definitions for these structures and types I can just click create and fingers crossed okay already type called you long yeah that's fine we can overwrite that yes okay seemingly good now I could try to retype arvar 3 f8 and let me do that with that y hotkey that should be the loader data table entry and an asterisk with a pointer there so if I do this cool now we should be able to see the base dll name being loaded in and I do want to double click this refresh just to make sure it is going to do all the analysis that it can kind of though now we could actually see it's going to end up getting the base dll name we could if we wanted to hey Define these as parts that we might like to use later on in our code but it'll Loop through this and actually check the length do some interesting tests down below that are actually going to end up being I don't know how well you could see this uh a two lower implementation because it actually goes through and ends up taking if the value that's kind of interpr as an asky number is going to be greater than hex 41 and less than hex 5A if that's the case it'll end up converting or adding hex 20 to it which if you look through the asky letters or characters 0 through 255 that actually just means we're going to take what might be an uppercase character and force that to a lowercase character so it's a two lower implementation if you wanted to you could hit the semicolon on this to add a comment in biner ninja you can just say to lower implementation that's good for our learning but we will see this over and over and over again because they are now going to do some PEB walk PEB crawling implementation to track this down but they do this in a very interesting way because they actually end up trying to get as I mentioned kernel32.dll as one example for a dll to load functions out of but they're actually going to do this for other dlls just as well and they referred to them all not by oh the asky representation of like the string konel 32 but by a unique and specific hash or a hash ID that's coming together from their own hashing algorithm that they use throughout this and we can actually see that in this for Loop right here which maybe we could try to analyze we do test with an iteration for Loop IAL 0 I less than VAR 448 and we saw that defined up here as actually 3 a0 458 brings us to oh another piece that we're all working through so some length right for the string that we're going through that is literally as you might be able to say the length of the string that we're specifying for a name of a dll like konel 32 or what have you we could actually rename all this to be like MW string length that follows down we can do MW length because that's set to it all just as well now when I go see this we could see that that's what we do over and over and over again so for each character we actually try to get information from a data structure we double click on this there's a lot of nonsense there but that's actually going to be a big list of in fact heximal IDs really stuff that we'll be able to determine because they do some math here where they add in what would be the ordinal value of a given character 428 being the index that we end up using here exord you can see the carrot symbol here with var4 f82 shifted to the left two bytes two bits forgive me also exord with VAR 4 f82 what is that one okay that is what starts with our hash or like the hash that we're generating so let me try to rename that like o # value MW prefix and this is really hard and tough to say out loud so forgive me but that is obviously going to be some hexadecimal value if we know that the data that's represented here is supposed to be a list of these that is being accessed because it's indexing at all of this we're seeing it plus to add that value moving through the array we could try to retype this so with all that said let's let's change the type of this data block as we know that that's really just going to be the hex values like u32 T right so y on the keyboard let's change that to our U 32t and now fingers crossed if we hit accept on this it'll analyze it change this up and it'll look like it's actually indexing you see these Square braces kind of just denoting the very uh beginning and end of this so now we've lost the sh sh to whatever left two bits but now we're still doing this with a shift to the right eight bits and there is actually one more tidbit we can add to this to help make this even easier for us and this probably shows a good Learning lesson for when you should kind of always be back in forth between sure the pseudo C that we like to read because it's easy and maybe just the pure disassembly because if we were to actually kind of split the window here let me try to split pain horizontally so we can get something on the right and something on the left I know this gets a little bit hard to read with my face in the way but over on the right one let me say that I'm just going to click in on that very exact line where we are indexing from that data buffer to determine the hash value in the loop but if I move this over to the other side and if I were to say okay show me the disassembly here you can see I'm at that instruction but if I kind of take a look just before all this it is going to end up indexing and working with all this stuff from EA but eax is what ends up being worked with just previously actually coming from ECX and ECX is Ed with hex FF which means it's going to only be within that bounds of hex FF or 256 right so if that's going to be the component that's really used to index out of the data buffer mean it's probably pretty likely that our data buffer going all the way back down here is really at a length of 256 entries so let me retype that one more time we know it's un32 t as we've added but now let's actually Supply the length to 56 so when I accept and hit enter on this now we've got that analyzed a little bit smarter to Index this and if I actually double click on this it's a heck of a lot easier to read and this is much more clearly all these ID values that will match a hash for what we could be looking for in the hash algorithm to determine a dll name that we could import as our malware will do what it does and then later maybe a function name or method that we want to call out of that dll so this is awesome this is data that we could use and we could actually recreate the hashing algorithm and then determine what is it going to do and what is it going to load all throughout the rest of this code so totally we want to go copy all this and then start to work with it so all the way from the top and the bottom what we could do is copy in fact copy as CR is probably best uh 32-bit elements little Indian is what we're going to be looking for now I can get back into Sublime text and let me open up a new script where we'll actually start to write some python code let me save this uh let's just make it a piy file where we could build out uh our cheer. py good and we could change this to an actual list in Python so let's remove some of the C like syntax and make that just a hash table equals and now we basically want to build out the same capability that they did with the hash function where if they were given a string remember an input string for a dll name that they were trying to find like just for for an example let's say uh dll name can equal kernel 32.dll and let's define get hash ID given a name right string name whatever of course this is where you saw that string name. lower remember they had that two lower implementation not super necessary for us as we're starting to play with this but they Loop through every character in that string name name and they took the asky value which was the ordinal in Python o function we could call and if we look back at what this was doing compared to the C syntax going back down to the for Loop for our hashing implementation you can see that they grab that value they exor it with a hash value and that's the current hash value that they started with with hex FFF FF whatever but then they end up working with it through out because they're updating this and then they change it and reset it at the very end so that's all stuff we should know let's build that out back in our python code let's say hash value equals hex f f FF for fs and then inside of the loop for the character we grab its asky value we exor that with the hash value and remember this is going to end up being an index from our hash table right they do index that just as we've seen here and that is going to be then exord with the hash value bit shifted to the right 8 so do that with the hash value and let me move this up to make sure you can see it hash value bit shifted by 8 and that should be the new hash value everything that that returns is going to be that that back in biner ninja we see we just increment the character we don't need to do that in Python because that's already been done for us but in the very end we do the hash value xord with hex FFF all over again so I think we can add that at the very end right let's return our hash value exord with 1 2 3 4 1 234 so can I now try to get the hash ID for our dll name Colonel 32.dll and if I print this oh broke everything I have an error list index out of range oh that's the hashtable tidbit here binge is not showing me that because it probably doesn't need to but that is still Ed with the hex FF right that's to only say look we're only going to get something within the range of 256 so let me update that to everything in this index inside of the square braces I want to make sure that that has another and hex FF right let's try to print this and let me build view this in the current page so you should still be able to see this as a value what is that in HEX can I run that 6 a e69 f02 that looks a little bit familiar because that is exactly Colonel 32 dll that they try to load first cool okay so we have just recreated that hashing implementation and now we could track down not only the dlls that they load but now all of the functions that they will reflectively walk through with this PEB craw and we could see this kind of just honestly ignoring or abstracting a lot of the stuff that they do later because we'll see this process again and again now with a new hex value but this is where we could do something really kind of interesting because if we were to say okay Colonel 32.dll I know even just I I pulled that example out of thin air because that's just what we're used to with load library and all these examples here if it's trying to grab some other functions it would be worth knowing what the names literally the string representation of all the other potential dlls are and then the functions that could be called from that now this is where some of our sweet friends over at malore can come in handy because they have helped put together an awesome resource for exactly this so let me say big shout out to malor seriously genuinely this is pretty cool and I hope it's a good resource for others as we are trying to learn and walk through this process but look these are all genuinely literally strings for dlls that could be loaded but then all the methods or functions that could follow so this could get kind of crude a little bit scrp happy but if I were to look for kernel 32 if I could type correctly there it is and that could very well be the hash that we might end up working with uh and all of the functions that could come through and follow that so if we were to use this Json file common ds. Json we could take our hash Checker capability and give it a little bit more instrumentation to Now look up based off any dll name that we want to look for what is that hash let's minimize our get hash ID function here dll name isn't super duper important but if I were to open so let me open that commor ds. Json just read as bytes doesn't matter we can do that as file pointer philp honestly we don't need the uh mode here because we just want the file pointer and if we were to import Json then Jason our good buddy could totally help us load that philp file pointer that will determine that as the dlls that we actually will end up reading through and given that we could look through every single dll like dll name in the dlls and note in that Json file they don't actually have the dll suffix but we would want that because that's what we built out for our implementation of this get hash ID function so dll could equal dll name plus. dll stupid and dumb but that works and we could generate the hash like we could just simply say the hash of that dll is get hash ID given that dll and check if the hash is something that we want like maybe we're looking for a Target like Target Target hash ID is probably a fine name and that was something that we started with going back to bjo right six this we could copy that value knowing that that is Kernel 32 that should be all that we need uh let's add that variable there if that's the case then we can print the dll and like a found appropriate dll adding that and then we can Loop through all of the other functions in that because we know okay they're probably then going to after they've loaded that specific dll Now call a specific function within it we can say for each function in the dll Json data given the dll name that we're looking at now get the hash ID of each of those cuz it's all coming from the exact same lookup table get the hash ID of each function so we can say the function hash will equal that and then let's actually print out each function name and the hex value just as we've seen above of the hash that we've calculated so with that we could totally build out we could do like an l statement here just as well if we can't find that could not find dll module mapping to ID now we have this given capability to get not only a Target hash for a specific dll that we're looking for Kel 32. de on this case but then we'll see what all the other functions will correspond to and we can just kind of kind of map back and forth oh did I break something yeah I broke something clearly oh the L statement doesn't need to happen because that we could do that after our for Loop right you can do a four else just in case we never find anything we just won't care about that line but now we do clearly see all of the functions that will be called given a hash ID knowing that we did see that in kernel32.dll so here is where we can put this to the test let me copy all of this data put this in a new buffer for us and let's say that in Binga we know colel 32 corresponds to this 6 AE value that hash ID that we've uncovered scrolling down we'll see it now trying to work through the same for Loop implementation and trying to determine what would be 60 or excuse me 906a whatever so if we copy that hex address now go determine not not an address but an ID value for us right our hash that corresponds to create thread that is the function that we know it's reflectively pulling in and grabbing thanks to that kind of process here and the PEB walk that they do very very cool because now we know that we've determined this actually been able to pull it down grab that value and ultimately inside of this condition we know let me rename this to our MW create threa

Original Description

https://jh.live/flare || Track down shady sellers, hunt for cybercrime, or manage threat intelligence and your exposed attack surface with Flare! Start a free trial and see what info is out there: https://jh.live/flare VirusTotal Sample: https://www.virustotal.com/gui/file/8c6c3f9b3fd8497322cd9e798790aa3485a44f9c5418bb4aa97b630a3fb8cead/details Start of Discord Conversation: https://discord.com/channels/470253814235136040/607682806356770827/1301688943343046699 Lockness Writeup: https://website.locknessko.com/blog/cs2_malware Paradox Statement: https://www.paradoxinteractive.com/games/cities-skylines-ii/news/traffic-breach-statement Malcore Common DLL JSON Resource: https://om.malcore.io/t/common-dll-and-exports-resource/638 Learn Cybersecurity with Just Hacking Training: https://justhacking.com Learn Coding: https://jh.live/codecrafters Don't listen to other "influencer" VPN crap -- host YOUR OWN: https://jh.live/openvpn WATCH MORE: Dark Web & Cybercrime Investigations: https://www.youtube.com/watch?v=_GD5mPN_URM&list=PL1H1sBF1VAKVmjZZr162aUNCt2Uy5ozAG&index=4 Malware & Hacker Tradecraft: https://www.youtube.com/watch?v=LKR8cdfKeGw&list=PL1H1sBF1VAKWMn_3QPddayIypbbITTGZv&index=5 📧JOIN MY NEWSLETTER ➡ https://jh.live/email 🙏SUPPORT THE CHANNEL ➡ https://jh.live/patreon 🤝 SPONSOR THE CHANNEL ➡ https://jh.live/sponsor 🌎FOLLOW ME EVERYWHERE ➡ https://jh.live/twitter ↔ https://jh.live/linkedin ↔ https://jh.live/discord ↔ https://jh.live/instagram ↔ https://jh.live/tiktok 💥 SEND ME MALWARE ➡ https://jh.live/malware 🔥YOUTUBE ALGORITHM ➡ Like, Comment, & Subscribe!
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from John Hammond · John Hammond · 0 of 60

← Previous Next →
1 Code Commentaries? PHP to JavaScript in Bash and PHP!
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
2 Tutorials? MySQL connection with PHP and Bash!
Tutorials? MySQL connection with PHP and Bash!
John Hammond
3 Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
4 JavaScript Splits The URL!
JavaScript Splits The URL!
John Hammond
5 HTML Tables in Python!
HTML Tables in Python!
John Hammond
6 HTML, Net Shares, GML!
HTML, Net Shares, GML!
John Hammond
7 Python 08 Programming Style and Comments
Python 08 Programming Style and Comments
John Hammond
8 Python 26 Object Oriented Programming
Python 26 Object Oriented Programming
John Hammond
9 75 Python Tutorials, Out Now!
75 Python Tutorials, Out Now!
John Hammond
10 Batch 14 Mathematical Expressions
Batch 14 Mathematical Expressions
John Hammond
11 Batch 85 Array Append
Batch 85 Array Append
John Hammond
12 Batch 86 Array Count
Batch 86 Array Count
John Hammond
13 Batch 87 Array Index
Batch 87 Array Index
John Hammond
14 Batch 88 Array Insert
Batch 88 Array Insert
John Hammond
15 Batch 89 Array Remove
Batch 89 Array Remove
John Hammond
16 Batch 90 Array Reverse
Batch 90 Array Reverse
John Hammond
17 Python [colorama] 00 Installing on Linux
Python [colorama] 00 Installing on Linux
John Hammond
18 Python [colorama] 09 Cursor Position
Python [colorama] 09 Cursor Position
John Hammond
19 Python [hashlib] 02 Algorithms
Python [hashlib] 02 Algorithms
John Hammond
20 Python 00 Installing IDLE on Linux
Python 00 Installing IDLE on Linux
John Hammond
21 Python [pygame] 11 Rectangular Collision Detection
Python [pygame] 11 Rectangular Collision Detection
John Hammond
22 Python [pygame] 12 Platforming Rectangular Collision Resolution
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
23 Python [XML-RPC] 01 Research
Python [XML-RPC] 01 Research
John Hammond
24 Python [pyenchant] 03 Personal Word Lists
Python [pyenchant] 03 Personal Word Lists
John Hammond
25 FancyURLopener Authentication and User-Agent [urllib] 03
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
26 Python 04: PEP8 Coding
Python 04: PEP8 Coding
John Hammond
27 Python Challenge! 17 COOKIES
Python Challenge! 17 COOKIES
John Hammond
28 Google CTF 2016: Ernst Echidna
Google CTF 2016: Ernst Echidna
John Hammond
29 Google CTF 2016: Spotted Quoll
Google CTF 2016: Spotted Quoll
John Hammond
30 Google CTF 2016: Can you Repo It?
Google CTF 2016: Can you Repo It?
John Hammond
31 Google CTF 2016: No Big Deal
Google CTF 2016: No Big Deal
John Hammond
32 Google CTF 2016: In Recorded Conversation
Google CTF 2016: In Recorded Conversation
John Hammond
33 Homemade CTF Challenge: 01 "Orchestra"
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
34 Homemade CTF Challenge: 02 "Bae's Base"
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
35 Homemade CTF Challenge: 03 "Web Hunt"
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
36 Homemade CTF Challenge: 04 "UPX"
Homemade CTF Challenge: 04 "UPX"
John Hammond
37 Homemade CTF Challenge: 05 "The Assumption Song"
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
38 Homemade CTF Challenge: 06 "A Brisk Stroll"
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
39 Homemade CTF Challenge: 06 "I lost my password!"
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
40 web25 :: Mr. Robot : EKOPARTY CTF 2016
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
41 web50 : RFC 7230 :: EKOPARTY CTF 2016
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
42 misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
43 Hack The Vote 2016 CTF: Sander's Fan Club [web100]
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
44 Hack The Vote 2016 CTF Warpspeed [forensics150]
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
45 Juniors CTF 2016 :: Black Suprematic Square
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
46 Juniors CTF 2016 :: Six Strange Tales
Juniors CTF 2016 :: Six Strange Tales
John Hammond
47 Juniors CTF 2016 :: Lost Code
Juniors CTF 2016 :: Lost Code
John Hammond
48 Juniors CTF 2016 :: Here Goes!
Juniors CTF 2016 :: Here Goes!
John Hammond
49 Juniors CTF 2016 :: Southern Cross
Juniors CTF 2016 :: Southern Cross
John Hammond
50 Juniors CTF 2016 :: Clone Attack
Juniors CTF 2016 :: Clone Attack
John Hammond
51 Juniors CTF 2016 :: Dirty Repo
Juniors CTF 2016 :: Dirty Repo
John Hammond
52 Juniors CTF 2016 :: Hackers Blog
Juniors CTF 2016 :: Hackers Blog
John Hammond
53 Juniors CTF 2016 :: Voting!!!
Juniors CTF 2016 :: Voting!!!
John Hammond
54 Juniors CTF 2016 :: The Good, The Bad and The Junkman
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
55 Juniors CTF 2016 :: Stop Thief!
Juniors CTF 2016 :: Stop Thief!
John Hammond
56 Juniors CTF 2016 :: ROFL
Juniors CTF 2016 :: ROFL
John Hammond
57 Juniors CTF 2016 :: Restriced Area
Juniors CTF 2016 :: Restriced Area
John Hammond
58 Juniors CTF 2016 :: Oh SSH!
Juniors CTF 2016 :: Oh SSH!
John Hammond
59 HackCon CTF 2017 TRIVIA and BONUS Challenges
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
60 HackCon CTF 2017 "Bacche" Challenges
HackCon CTF 2017 "Bacche" Challenges
John Hammond

This video teaches viewers how to analyze malware using Binary Ninja, understand PEB and DLL analysis, and implement hashing algorithms, all while demonstrating threat exposure management using Flare.

Key Takeaways
  1. Download malware sample from VirusTotal
  2. Upload malware sample to Mal share
  3. Create a Windows development box in VMWare Workstation
  4. Download and open Fast Math.dll in Binary Ninja
  5. Start disassembling and debugging in Binary Ninja
  6. Disable ASLR to match binary addresses in Binary Ninja
  7. Set breakpoint at 0x1180C42E1
  8. Follow qword in dump to extract MZ header and stage two payload
💡 The malware uses a PEB walk to load DLLs and determine their hash IDs, which can be used to track down DLLs and functions that are reflectively walked through.

Related Reads

📰
Botnet Activity Escalates While Web3 Development Persists Amidst Bearish Market
Learn how botnet activity and Web3 development are impacted by the bearish market, and why it matters for cybersecurity and blockchain professionals
Dev.to AI
📰
When Ransomware Hits, the District Stops
Learn a recovery playbook for schools and local government to minimize downtime when ransomware hits, focusing on proactive measures beyond just backups
Dev.to · Ryan Beglau
📰
Jalisco, OmegaLord Phishing Kits Target Microsoft 365 Accounts
Learn about new phishing kits targeting Microsoft 365 accounts and how to protect against them
TechRepublic
📰
I Patched My OpenClaw Instance Against the Claw Chain Vulnerabilities in 40 Minutes — Here's the Checklist
Learn how to patch OpenClaw instances against Claw Chain Vulnerabilities in under an hour with a simple checklist
Dev.to AI
Up next
AI Found ALL Vulnerabilities - Release Delayed!
Pranjal
Watch →