Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Binary.bz.WrappedSetupProgram is a cab file #4

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Binary.bz.WrappedSetupProgram is a cab file #4

wants to merge 1 commit into from

Conversation

vest12385
Copy link

Binary.bz.WrappedSetupProgram is a cab file not a plaintext

test sample : 0e01bad874c61d09d09ce06f76f5e46f6648a1fc943644874c8e1a53a93af9a7

@fabian-marquardt
Copy link
Collaborator

Hey there! Thank you for your contribution. Sorry that it has taken some days for me to reply. I was on a business trip for most of last week and only now find the time to review this. Will check with your test sample and some other local samples that I have and then merge asap :-)

@fabian-marquardt
Copy link
Collaborator

Hi again :-) I reviewed your pull request and also checked the provided sample. Right now I am not sure what the intention behind your proposed change is. The sample works fine with the code as it is:

[INFO] Starting Telekom Security DarkGate Extractor
[INFO] Performing analysis of file: /<redacted>/0e01bad874c61d09d09ce06f76f5e46f6648a1fc943644874c8e1a53a93af9a7
[INFO] MSI wrapped payload detected.
[INFO] Found AU3 script in file ibovBbSd.au3 in the MSI package.
[INFO] Sample uses the following key: aFcOMuvRD. Calculated XOR key is: 0xa5
[INFO] Found candidates for custom base64 alphabet: tc20Hq49MLrjlPsVGRFiOnSgvB6kbA5expXZKduCD3WT1N8zhyJoafIY=EQ+wmU7, zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=
{
    "anti_analysis": false,
    "anti_debug": false,
    "anti_vm": false,
    "c2_ping_interval": 13,
    "c2_port": 2351,
    "c2_servers": [
        "http://89.248.193.66"
    ],
    "check_disk": false,
    "check_ram": false,
    "check_xeon": false,
    "crypter_au3": true,
    "crypter_dll": false,
    "crypter_rawstub": false,
    "crypto_key": "QlYTYjlwalZvWA",
    "flag_14": 13,
    "internal_mutex": "icOhsB",
    "min_disk": 100,
    "min_ram": 4096,
    "rootkit": true,
    "startup_persistence": true
}

The concept of the unpack_msi_wrapped_payload function is that this function will extract the CAB from the MSI and then extract the compressed files from the CAB and then search for the AU3 file. Are you suggesting we should change this?

@vest12385
Copy link
Author

Hello, thanks for response, I use the original code on sample 0e01bad874c61d09d09ce06f76f5e46f6648a1fc943644874c8e1a53a93af9a7 and It can not extract the config, there is the debug info

[INFO] Starting Telekom Security DarkGate Extractor
[INFO] Performing analysis of file: msi/0e01bad874c61d09d09ce06f76f5e46f6648a1fc943644874c8e1a53a93af9a7
[INFO] MSI wrapped payload detected.
[INFO] Found AU3 script in file Binary.bz.WrappedSetupProgram in the MSI package.
[INFO] Found embedded payload file candidate with XOR key 0xa5 at offset 895948 with length 671904.
[ERROR] No usable payload found in file: msi/0e01bad874c61d09d09ce06f76f5e46f6648a1fc943644874c8e1a53a93af9a7

After check the code, found that in unpack_msi_wrapped_payload it trying to extract config from Binary.bz.WrappedSetupProgram but it's a cab file, so adding the logic to extract AutoIt script from the cab file.

There is the debug infomation after patch.

[INFO] Starting Telekom Security DarkGate Extractor
[INFO] Performing analysis of file: msi/0e01bad874c61d09d09ce06f76f5e46f6648a1fc943644874c8e1a53a93af9a7
[INFO] MSI wrapped payload detected.
[INFO] CAB file wrapped payload detected.
[INFO] Found AU3 script in file ibovBbSd.au3 in the CAB archive.
[INFO] Sample uses the following key: aFcOMuvRD. Calculated XOR key is: 0xa5
[INFO] Found candidates for custom base64 alphabet: tc20Hq49MLrjlPsVGRFiOnSgvB6kbA5expXZKduCD3WT1N8zhyJoafIY=EQ+wmU7, zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=
{
    "anti_analysis": false,
    "anti_debug": false,
    "anti_vm": false,
    "c2_ping_interval": 13,
    "c2_port": 2351,
    "c2_servers": [
        "http://89.248.193.66"
    ],
    "check_disk": false,
    "check_ram": false,
    "check_xeon": false,
    "crypter_au3": true,
    "crypter_dll": false,
    "crypter_rawstub": false,
    "crypto_key": "QlYTYjlwalZvWA",
    "flag_14": 13,
    "internal_mutex": "icOhsB",
    "min_disk": 100,
    "min_ram": 4096,
    "rootkit": true,
    "startup_persistence": true
}

Not sure why you can extract AutoIt script from MSI , do I missing something?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@vest12385 @fabian-marquardt