![]() This string is later used as a name for a pipe. It formats a string using values derived from GetTickCount, probably to make it random and avoid conflict. The create_thread function is also not complex. All names in the following screenshots were recovered or created during reverse engineering. Then it enters into a loop that calls Sleep(10000) indefinitely.Īs a note, the sample is stripped so it does not contain any function or variable names in it (except the Windows API imports). The next function creates a new thread within it which we will analyze later. ![]() The first function call is part of the runtime and it is doing some initialization which we can ignore. Binary Ninja now supports split views, so we can conveniently view HLIL and disassembly side-by-side: ![]() However, for handwritten or obfuscated code, I prefer to look at the disassembly, which offers a closer view of what is happening. Viewing code in HLIL can often speed up analysis. The sample seemed to be compiler-generated and not obfuscated, so I decided to mainly analyze the sample in HLIL. UnpacMe also processed the sample and recognized it as Cobalt Strike, but the unpacked artifact did not make any sense.Īt this point, I realized I wasn’t going to get much further without analyzing the sample with Binary Ninja to see how it worked. Then, I uploaded the sample to UnpacMe to see if it could be unpacked automatically. The sample executed fine in the sandbox and was recognized as cobaltstrike. This suggested the sample was packed by a custom packer/encryptor.Īs is routine for malware analysis, I started by executing the sample in an online sandbox. However, there were only dozens of functions recognized, which is quite a small number relative to its size. After loading it into Binary Ninja, I saw it was not packed or encrypted by any well-known packer or protector. It is an x86 PE binary that is 284kB in size. ![]() First ImpressionsĪ friend of mine shared with me this sample (zip password: infected). Much of the effort was spent on fixing the file so it could be loaded by Binary Ninja for further analysis. Initially, I thought this must not be a PE executable at all, but I gradually realized it was. The dropper decrypts, loads, and executes the payload. The payload is a custom executable file format based on DLL. In this blog post, I will explain how I reverse engineered a Cobalt Strike dropper and obtained its payload. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |