Binary Ninja Automation: Naming and Typing Variables in Dynamic API Resolution

Sample

bazaar.abuse.ch — aa1b1384dbf123607f6f63132f355e7486ccd67a0e03d3af2db40a333b70797b

    # imports used by the setup and the helpers below
    import binaryninja
    from binaryninja import (BinaryView, FunctionType, MediumLevelILConstPtr,
                             MediumLevelILStore, Type, Variable)
    from pathlib import Path

    WORKING_DIR = Path('/path/to/rhadamanthys/')
    SAMPLE_PATH = WORKING_DIR.joinpath('aa1b1384dbf123607f6f63132f355e7486ccd67a0e03d3af2db40a333b70797b.exe')
    DB_PATH = WORKING_DIR.joinpath('rdm-testing.bndb')

    view = binaryninja.open_view(SAMPLE_PATH)
    view.create_database(DB_PATH)

Helpers

    # Search type libraries for matching name, return prototype.
    def search_type_libraries(fname: str, view: BinaryView):
        # not super efficient to search every single time...
        for typelib in view.type_libraries:
            for name, obj in typelib.named_objects.items():
                if not isinstance(obj, FunctionType):
                    continue
                if fname == name:
                    return obj

    # Find the store of variable `v` to a constant pointer and name/type that data variable.
    def name_and_type_next_data_var(view: BinaryView, v: Variable, address: int, name: str, new_type: Type):
        mlil = view.get_functions_containing(address)[0].mlil
        for op in mlil.get_var_uses(v):
            if isinstance(op, MediumLevelILStore) and isinstance(op.dest, MediumLevelILConstPtr):
                data_var = view.get_data_var_at(op.dest.constant)
                data_var.name = name
                data_var.type = new_type

Adding a type library: ...

April 29, 2024 · 3 min

Using Binary Ninja's HLIL for Config Extraction

Static Emotet Configuration Extraction

The goal here is to reproduce this technique from VMRay’s post using Binary Ninja. This post from Open Analysis was also very helpful. With those posts as the foundation I was able to focus on the Binary Ninja API. This turned out to be much easier than anticipated: Binary Ninja’s High Level Intermediate Language did most of the work once I figured out how to access it.

Sample used: c688e079a16b3345c83a285ac2ae8dd48680298085421c225680f26ceae73eb7 ...

February 1, 2022 · 5 min

Extracting Beacon Configuration from Minidump

Overview

Extract configuration from a process memory dump containing a running beacon. Initial extraction on the full minidump file fails (TODO: figure out exactly why it fails). Using yara to find the segment where the beacon resides and passing that segment to dissect.cobaltstrike allows proper configuration extraction.

Libraries

- dissect.cobaltstrike
- minidump
- yara

Samples

Sample was chosen somewhat randomly from the results of this virustotal search.

VT Search: crowdsourced_yara_rule:000aa75fc2|CobaltStrike_Sleep_Decoder_Indicator trid:"Windows Minidump"

    from dissect.cobaltstrike.beacon import BeaconConfig
    from dissect.cobaltstrike import beacon
    from minidump.minidumpfile import MinidumpFile
    import yara
    from pprint import pprint

    SAMPLE = "../../malware/minidumps/beacon.mdmp"

Attempt Extraction on full dump

Using the normal method and the iter_beacon_config_blocks method recommended by the documentation. ...

January 20, 2022 · 3 min