╭─msm@mercury /home/msm/21576/dumps
╰─$ rip ./500.400000.58880.recovered.exe
[+][anal] Loaded modules: dridex, teslacrypt, spora, netwire, tinba_dga, cryptomix, kronos, reactor, hancitor, chthonic, nymaim, citadel, cryptoshield, torrentlocker, madlocker, emotet, bunitu, smokeloader, pony, andromeda, gootkit, cryptowall, zeus, bublik, panda, sendsafe, ruckguv, dyre, locky, vmzeus, shifu, sage, tofsee, cerber, odinaff, kovter, vawtrak, kbot, isfb, zloader, necurs, trickbot, h1n1, torment, slave, kins, tinba
Potential malware family detected: ['tofsee']
malware data:
{
"other": [
"MSConfig",
"svchost.exe",
----------DOS_HEADER----------
[IMAGE_DOS_HEADER]
0x0 0x0 e_magic: 0x5A4D
0x2 0x2 e_cblp: 0x7EA
0x4 0x4 e_cp: 0xC000
0x6 0x6 e_crlc: 0x8C07
0x8 0x8 e_cparhdr: 0x8EC8
0xA 0xA e_minalloc: 0x8ED8
0xC 0xC e_maxalloc: 0x8EC0
import diaphora
import difflib
class Diaphora:
def show_pseudo_diff(self, item):
cur = self.db_cursor()
sql = """select *
from (
select prototype, pseudocode, name, 1
from functions
{
"binary": "65e561e3300832315a31f29858a8107a",
"template_32bit_2": "%windir%\\system32\\rundll32.exe; -%!rndl_0_0_2_1_3% %!rndl_0_0_2_3_8%.dll",
"urls": [
"http://osbjsguans.com/xgkoa/index.php",
"http://gendedopn.com/xgkoa/index.php"
],
"public_key": {
"e": 65537,
"n": "11113205665845436812651904385750414999552913569403314469251258315749133996891461405161790020758234842248099801092820912358831516131541192465714139003657213"
{
"binary": "65e561e3300832315a31f29858a8107a",
"template_32bit_2": "%windir%\\system32\\rundll32.exe; -%!rndl_0_0_2_1_3% %!rndl_0_0_2_3_8%.dll",
"urls": [
"http://osbjsguans.com/xgkoa/index.php",
"http://gendedopn.com/xgkoa/index.php"
],
"public_key": {
"e": 65537,
"n": "11113205665845436812651904385750414999552913569403314469251258315749133996891461405161790020758234842248099801092820912358831516131541192465714139003657213"
import socket, struct, binascii, random, hashlib
import time, os, errno, glob
import pprint
import libs.tofsee.parse as parse
import libs.tofsee.decompress as decompress
import libs.tofsee.parse_mail as parse_mail
import libs.log as log
from libs.remote import HTTPBot
if hash == self.CFG_URL: # '48c2026b':
parsed['urls'] += [{'url': append_http(x)} for x in filter(None, map(get_domainc, raw.split(';')))]
elif hash == self.CFG_DGA_HASH: # 'd9aea02a':
parsed['dga_hash'] = [uint32(h) for h in chunks(raw, 4)]
elif hash == self.CFG_DOMAINS: # '095d4b1d':
parsed['domains'] += map(lambda x: {'cnc': x}, filter(None, map(get_domainc, raw.split(';'))))
elif hash == self.CFG_ENC_KEY: # '510be622':
parsed['encryption_key'] = raw
...
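def parse_static_config(blob):
    """Walk a static-config blob chunk by chunk and hand each one to ``process_chunk``.

    The blob is a flat run of chunks. Each chunk starts with an 8-byte
    header: a 4-byte chunk type (called the chunk "hash" in the article
    this snippet comes from) followed by a 4-byte length decoded with
    ``from_uint32``; ``length`` bytes of chunk content follow the header.

    Args:
        blob: the raw config. Its exact type (bytes or str) is whatever
            ``from_uint32`` and ``process_chunk`` expect - both are defined
            elsewhere, not in this snippet.

    Raises:
        ValueError: if the blob ends inside a chunk header, or a chunk
            declares more content than is left in the blob. The unchecked
            version silently sliced a shorter ``chunk_content`` and passed
            it on, so a truncated or deliberately malformed config would be
            parsed as if it were well-formed.
    """
    header_len = 8  # 4-byte type + 4-byte length
    total = len(blob)
    i = 0
    while i < total:
        remaining = total - i
        if remaining < header_len:
            raise ValueError(
                "truncated chunk header at offset %d (%d byte(s) left)"
                % (i, remaining))
        chunk_type = blob[i:i + 4]
        chunk_len = from_uint32(blob[i + 4:i + 8])
        data_start = i + header_len
        data_end = data_start + chunk_len
        if data_end > total:
            raise ValueError(
                "chunk at offset %d declares %d bytes but only %d remain"
                % (i, chunk_len, total - data_start))
        chunk_content = blob[data_start:data_end]
        process_chunk(chunk_type, chunk_content)  # one handler for every chunk type
        # header_len is always added, so the loop cannot stall on a zero-length chunk
        i = data_end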
// Illustrative layout of one config chunk. This is pseudo-C: `chunk_length`
// is not a compile-time constant, so the declaration does not compile as
// written (a real definition would use a flexible array member or parse the
// variable-length tail by hand). Note also the missing `;` after the brace.
struct chunk {
    uint32_t type;            // chunk type identifier
    uint32_t length;          // size of the data that follows the two header fields
    char data[chunk_length];  // payload; `chunk_length` presumably stands for `length` above - confirm
}
def nymaim_config_crypt(self, mem, ndx):
"""decrypt final config (read keys and length and decrypt raw data)"""
key0 = mem.dword(ndx)
key1 = mem.dword(ndx+4)
len = mem.dword(ndx+8)
raw = mem.read(ndx + 12, len)
prev_chr = 0
result = ''
for i, c in enumerate(raw):