Notes on homelab, security, and infrastructure.

Project Sodinokibi
Learning Python
Python is the language I always wanted to learn. I tried but failed every single time, and I don’t know exactly why. This time was different though; I knew it from the first line of code. So, with a little push from a dear friend of mine (thanks Elio!), I tried to investigate how to decode Sodinokibi ransomware configurations for hundreds, maybe thousands, of samples. I intended to understand, using the powerful insights of the VirusTotal Enterprise API, whether there are relationships between the Threat Actor, mapped inside the ransomware configuration, and the country visible from the VirusTotal sample submission. I am perfectly aware that it’s not as easy as it seems: the ransomware sample submission’s country, visible from VirusTotal, may not be the country affected by the ransomware itself. But, in one case or another, I think there could somehow be a link between the two parameters, maybe from the Incident Response perspective. ...

The p0sT5n1F3r Backdoor
How does a malicious backdoor designed to sniff sensitive HTTPS traffic go completely undetected? During an IR case, we found and dissected a highly targeted malware sample, a custom Apache module we call p0sT5n1F3r. This threat was specifically engineered for its target’s environment and was rated 100% clean by all major security vendors due to its extensive use of custom encryption. This report details the reverse engineering journey, from the initial static analysis to the critical breakthrough: cracking its custom RC4 encryption scheme. This discovery allowed us to unveil its true purpose, intercepting financial transaction data, and even to uncover a hidden HTML interface used by the attackers. ...

WannaCry, two years later: a deep look into its code
My own technical analysis of the malware that, in 2017, spread like wildfire, encrypting thousands of computers using one of the tools leaked from the National Security Agency by the group named ShadowBrokers. Almost two years have passed since that weekend of May 2017, when the crypto-worm WannaCry infested the net thanks to the EternalBlue exploit. In roughly two days, WannaCry spread all over the world, infecting almost 230,000 computers in over 150 countries: ...

An extensive step by step reverse engineering analysis of a Linux CTF binary
…or, in other words, when failing to reverse a CTF binary makes you lose that job. During a past job interview, I was tasked to reverse four Linux binaries of increasing difficulty as proof of my ability in the reverse engineering field. I solved the first two in a matter of an hour; the third one required an entire day of work, but sadly I was not able to solve the last one. I don’t know if I wasn’t selected because of this failure, but it proved one thing to me for sure: I wasn’t prepared enough or, at least, not as much as I wanted. Fast forward: I successfully ended up with another job, but that challenge stayed there, like a small needle, in my head. During the following months, I studied and practiced a lot, mainly in the firmware reversing field, and every now and then I tried to solve that sneaky challenge. ...

How to fix and boot Kali Linux on the SolidRun CuBox-i4Pro
If you tried to burn and run the Kali image that can be downloaded from the Offensive Security website, you probably ended up with a non-bootable image.

U-Boot SPL 2018.05+dfsg-1 (May 10 2018 - 20:24:57 +0000)
Trying to boot from MMC1
U-Boot 2018.05+dfsg-1 (May 10 2018 - 20:24:57 +0000)
CPU: Freescale i.MX6Q rev1.2 996 MHz (running at 792 MHz)
CPU: Extended Commercial temperature grade (-20C to 105C) at 19C
Reset cause: POR
Board: MX6 Cubox-i
DRAM: 2 GiB
MMC: FSL_SDHC: 0
Loading Environment from MMC... *** Warning - bad CRC, using default environment
Failed (-5)
No panel detected: default to HDMI
Display: HDMI (1024x768)
In: serial
Out: serial
Err: serial
Net: FEC
Hit any key to stop autoboot: 0
switch to partitions #0, OK
mmc0 is current device
Scanning mmc 0:1...
AHCI 0001.0300 32 slots 1 ports 3 Gbps 0x1 impl SATA mode
flags: ncq stag pm led clo only pmp pio slum part
No port device detected!
Device 0: Model: Firm: Ser#: Type: Hard Disk
Capacity: not available
... is now current device
timeout exit!
timeout exit!
timeout exit!
timeout exit!
timeout exit!
timeout exit!

This is how you can fix it. ...

Reverse engineering the router Technicolor TG582N
During the last few months, my interest in hardware hacking has grown exponentially, because I had the chance to get my hands on some SOHO routers retired by local telcos. What a great opportunity to open them up and try to crack them, without worrying about irreparable damage!
Inspecting the device
My first device was the Technicolor TG582N, distributed in Italy by Fastweb. (Images: front side, back side.) ...

Pony stealer: a malware analysis - The sample analysis - Part three
After the first two parts, here and here, we can move forward by giving the sample a run inside a disassembler to look at what’s inside and, eventually, inside a debugger to see it live. IDA has some difficulty analyzing the sample because it heavily uses anti-disassembly tricks: note that the conditional jump to 41062E is never going to happen. We can patch those bytes, \xF8\x72\x01, with NOP instructions, or leave them alone knowing that IDA can be fooled during analysis. Also, at 41062F the sample delays its execution by invoking the GetTickCount function and dividing the remainder of the DIV instruction by a predefined constant. So, until the CMP instruction is satisfied, it runs this bunch of code a pseudo-random number of times. It appears that this technique can trick some antivirus heuristic controls. ...

Pony stealer: a malware analysis - The sample dry run - Part two
After we were able to unpack the sample, as we did in the previous post, it’s time to understand what the malware is intended to do. The very first thing I normally do is give the sample a dry run inside a dedicated virtual machine, just to observe its behavior and monitor its API calls. These calls can be monitored with a little tool called ApiLogger, which can be found here and is automatically installed by the Flare-vm script. ...

Pony stealer: a malware analysis - Unpacking the sample - Part one
During my day-to-day job, I came across an email that had been blocked by an antispam platform. Attached to this email there was a sample recognized as a variant of the Pony Stealer malware. Since I’ve been greatly interested in malware analysis in the last few months, I thought it would be fun, and also a useful exercise, to apply all the notions I’ve been reading about so far; writing this post might also help me settle methodologies and concepts. I hope this will be a two-part blog post: in this first part I will focus on unpacking the malware, and in the second one I’ll try to analyze its real behavior. Let the journey begin. ...

Vulnhub Homeless - Writeup
This writeup covers the Vulnhub CTF machine named Homeless, by Min Ko Ko. Honestly, this was a hard box and I had a hard time with some really nasty tricks, but in the end I learned a lot. Seriously, a lot. After booting up the victim box and Kali, the initial phase, as always, is discovering the box (image: discovering the box). The box got the address 172.16.10.127 from my DHCP server. Mapping some ports (image: scanning for open ports): ...