•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

••

•

•

•

•

•

From Tinba’s webinjects configuration

•

•

••

BROWSERBANK

C&C SERVER

Login Page

Client Side Server

Side

From Trickbot’s redirects configuration

•

•

••

•

•

Sandboxed

Automation

Malware specific

decryption script

Malware Configuration

•• stored

• encryption stages

• custom crypto

• encryption key

• frequently

••

•

••

•

••

•

••

•

••

•

•

••

•

•

•

•

•

•

•

RC4AES

•

AES RC4

The idea:

Find loops with mathematical operations

………….

………….

…………..

XOR

………….

………….

…………

••

•

••

•

1.•

•

2.•

3.

•

•

•

•

………….

………….

VirtualAlloc

………….

………….

VirtualAlloc

………….

………….

………….

VirtualAlloc

XOR

RWX

© 2017 F5 Networks

RW

………….

………….

VirtualAlloc

………….

………….

VirtualAlloc

………….

………….

………….

VirtualAlloc

XOR

RWX

© 2017 F5 Networks

RW

RW………….

………….

VirtualAlloc

………….

………….

VirtualAlloc

………….

………….

………….

VirtualAlloc

XOR

RWX

© 2017 F5 Networks

RW

RW

Hash: 1c43d2aa92..

Hash: 3c6a240d6..

………….

………….

VirtualAlloc

………….

………….

VirtualAlloc

………….

………….

………….

VirtualAlloc

XOR

RWX

© 2017 F5 Networks

RW

RW………….

………….

VirtualAlloc

………….

………….

VirtualAlloc

………….

………….

………….

VirtualAlloc

XOR

RWX

Hash: 1c43d2aa92..

Hash: 3c6a240d6..

Hash: 1c43d2aa92..

Hash: 2c5023a24..

© 2017 F5 Networks

RW

PLAINTEXT ?………….

………….

VirtualAlloc

………….

………….

VirtualAlloc

………….

………….

………….

VirtualAlloc

XOR

RWX

Hash: 1c43d2aa92..

Hash: 3c6a240d6..

Hash: 1c43d2aa92..

Hash: 2c5023a24..

© 2017 F5 Networks

RW

CONFIG !………….

………….

VirtualAlloc

………….

………….

VirtualAlloc

………….

………….

………….

VirtualAlloc

XOR

RWX

© 2017 F5 Networks

injectsinjectsinjectsExplorer.exeSvchost.exe

RWRW

XOR

RWX

Svchost

NtResumeThread hook

•

•

•

•

0x400000

packer

0x3c0000

payload

0x600000

final

payload

Unpacking

Allocation

Allocation

Allocation

Malware

Allocations

•

•

••

••

••

RWX

© 2017 F5 Networks

VirtualAlloc

JMP EAX

………

………

RWX

RWX

© 2017 F5 Networks

VirtualAlloc

JMP EAX

………

………

RWX

RWX

© 2017 F5 Networks

VirtualAlloc

JMP EAX

………….

………….

VirtualAlloc

………….

………….

VirtualAlloc

………….

………….

………….

VirtualAlloc

XOR

RWX

RWX

© 2017 F5 Networks

………….

………….

VirtualAlloc

………….

………….

VirtualAlloc

………….

………….

………….

VirtualAlloc

XOR

© 2017 F5 Networks

RWX

RWX

RW

………….

………….

VirtualAlloc

………….

………….

VirtualAlloc

………….

………….

………….

VirtualAlloc

XOR

© 2017 F5 Networks

RWX

RWX

RW

RW………….

………….

VirtualAlloc

………….

………….

VirtualAlloc

………….

………….

………….

VirtualAlloc

XOR

© 2017 F5 Networks

RWX

RWX

RW

RW

Hash: 1c43d2aa92..

Hash: 3c6a240d6..

………….

………….

VirtualAlloc

………….

………….

VirtualAlloc

………….

………….

………….

VirtualAlloc

XOR

© 2017 F5 Networks

RWX

RWX

RW

RW………….

………….

VirtualAlloc

………….

………….

VirtualAlloc

………….

………….

………….

VirtualAlloc

XOR

Hash: 1c43d2aa92..

Hash: 3c6a240d6..

Hash: 1c43d2aa92..

Hash: 2c5023a24..

© 2017 F5 Networks

RWX

RWX

RW

CONFIG………….

………….

VirtualAlloc

………….

………….

VirtualAlloc

………….

………….

………….

VirtualAlloc

XOR

© 2017 F5 Networks

RWX

RWX

RWRW

XOR

RWX

Svchost

NtResumeThread hook

•

•

•

••

•

•

•

•

•

•

•

•

•

•

@___ignis@s0lid_dr4g0n

• CryptoHunt

• https://code.google.com/p/kerckhoffs/

• findcrypt2-with-mmx

• FindCrypt

• http://www.recon.cx/2012/schedule/events/208.en.html

• Finding and Extracting Crypto Routines from Malware