CyberGuerrilla 2014
By ro0ted avatar | December 21, 2014 - 10:06 | Posted in CyberGuerrilla | 2 Comments

#ro0ted #OpNewblood What the Blackhats don’t want you to know: Analyze an .exe in 5mins

Here at Cyber Guerrilla AnonNexus we have released many things, some of it political, while other subjects may be hacker related. This time we are going to release tutorials based on what “blackhats” don’t want you to know. This tutorial is just a preview, if not a sample; the real tutorials will be longer and much more detailed. Our target audience ranges from beginners to dedicated nerds. For now let’s just examine a malicious .exe without opening it or running it. – #ro0ted

p.s. These will be only available here at the Cyber Guerrilla AnonNexus Collective unless of course someone spreads the love somewhere else which is totally rad.


Terminology:

Blackhats: Hackers that have only one intent: doing the most malicious thing an asshole can do to you or your network.


Requirements:

ExeInfo PE: http://www.mediafire.com/download/5o1c9vvmu85ajkm/Exeinfo_PE.zip
Notepad++: http://notepad-plus-plus.org/download/v6.7.html
7-zip File Manager: http://www.7-zip.org/download.html
Malicious .exe if you want to try it out for yourself: http://www.mediafire.com/download/wlbxt8768qwjoqq/FLVPlayer-Chrome.exe

The other day I was going to watch a movie on a streaming website. These websites are known for ADWARE!!! Well, a pop-up kept opening up demanding I must install an addon called FLV Player to watch the movie, when you can tell it was bullshit as there was an exit button in the top right corner. Just another ad, so I bookmarked it to go back to this ad later when I am bored.

Let's begin. Once you have downloaded all the tools above, proceed to step 1. This will be easy and brief.

Step 1.) Analyze the .exe with ExeInfo PE - I will not explain much of what this tool does here, but don't worry, we will get to that in my upcoming series of What the Blackhats don't want you to know tutorials.
IMPORTANT: DO NOT RUN THE .EXE. WE AREN'T OPENING IT AT ALL.

Open ExeInfo PE and drop the malicious .EXE into the file box. Now you should see all kinds of juicy info about the .exe.
Now I don't need to upload this .exe anywhere: I could tell that the movie was loading fine without the plugin, so it's a virus, but mostly all malware comes from adware.
Ignore all the details for now and click S to begin the zero byte test, which will let us know if it's crypted. A window will open that says whether it is crypted.
You can click Sections for a graph of the Byte Analyzer; this is completely unneeded.
Now click Close. ExeInfo shows in the top box what the .exe is packed with, and in the bottom box what you can use to unpack the packer, or to decompile the code if it's not packed. In this case it's NSIS, which you do not need a decompiler for, only 7-Zip.

Step 2.) Unpack with 7-Zip - Open 7-Zip to the directory where the malicious .exe is stored. Right-click the .exe > 7-Zip > Open archive. Now we see the NSIS crypted stub inside the .exe; copy that to any directory.

Step 3.) Read it in Notepad++ - Open Notepad++ and open the copied file in it. Now the code isn't hidden. Scroll through the code and look at what you find.
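As an added example, not part of ro0ted's post and not code from ExeInfo PE or 7-Zip, here is a Python script that reproduces the three things the screens above show you, without executing the file: it parses the PE section table, scores each section with Shannon entropy as a packed/crypted heuristic (ExeInfo's own zero-byte test is not documented on this page, so the 7.0 bits/byte threshold is my choice), and looks for the NSIS "NullsoftInst" marker in the overlay, which is the data after the last section that 7-Zip opens as an archive. The PE it analyzes is constructed in memory for the demo; `build_sample_pe`, `analyze` and `demo_report` are names I made up for this example.

```python
import math
import random
import struct
from collections import Counter

SECTION_HEADER_SIZE = 40       # size of one IMAGE_SECTION_HEADER
NSIS_MARKER = b"NullsoftInst"  # signature in the NSIS first header that packer detectors key on
PACKED_ENTROPY = 7.0           # heuristic (my choice): bits/byte above this looks compressed/crypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.

    Returns [(name, pointer_to_raw_data, size_of_raw_data), ...]. Only headers are
    read; nothing in the file is executed."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def analyze(pe: bytes) -> dict:
    """Per-section entropy, overlay size, NSIS marker check and a packed/crypted verdict."""
    report = {"sections": {}, "overlay_size": 0, "nsis": False, "likely_packed": False}
    end = 0
    for name, ptr, size in parse_sections(pe):
        report["sections"][name] = round(shannon_entropy(pe[ptr:ptr + size]), 2)
        end = max(end, ptr + size)
    overlay = pe[end:]                       # bytes appended after the last section
    report["overlay_size"] = len(overlay)
    report["nsis"] = NSIS_MARKER in overlay  # NSIS keeps its installer archive in the overlay
    report["likely_packed"] = any(e > PACKED_ENTROPY for e in report["sections"].values())
    return report


def build_sample_pe(section_blobs, overlay: bytes) -> bytes:
    """Constructed demo image: valid headers and section table, but no runnable code."""
    num, opt_size, e_lfanew = len(section_blobs), 224, 0x40
    headers_end = e_lfanew + 4 + 20 + opt_size + num * SECTION_HEADER_SIZE
    raw_start = -(-headers_end // 0x200) * 0x200              # 512-byte file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")     # PE32 magic, rest zeroed
    table, body, ptr = b"", b"", raw_start
    for name, blob in section_blobs:
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(blob), 0, len(blob), ptr, 0, 0, 0, 0, 0x60000020)
        body += blob
        ptr += len(blob)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_start, b"\0") + body + overlay


_rng = random.Random(1)


def _random_bytes(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for crypted/compressed data."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


# Constructed sample: a repetitive .text stub, a high-entropy .data section and an
# overlay that mimics the start of an NSIS first header (flags, 0xDEADBEEF, marker).
SAMPLE_PE = build_sample_pe(
    [(".text", b"\x55\x8b\xec\x83\xec\x10" * 300),
     (".data", _random_bytes(4096))],
    b"\0\0\0\0\xef\xbe\xad\xde" + NSIS_MARKER + _random_bytes(2048),
)


def demo_report() -> dict:
    return analyze(SAMPLE_PE)


if __name__ == "__main__":
    for key, value in demo_report().items():
        print(f"{key}: {value}")
```

High entropy alone is not proof of a crypter: legitimate installers and anything carrying compressed resources score high too, which is why the script reports the NSIS marker and the overlay size separately so you can see that the "hidden" part is simply an archive to be opened, exactly as the 7-Zip step above does.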
Thanks stay tuned for more - ro0ted


2 Responses to #ro0ted #OpNewblood What the Blackhats don’t want you to know: Analyze an .exe in 5mins

  1. Pingback: #ro0ted #OpNewblood What the Blackhats don’t want you to know: Creating the Whitehat Lab

    […] What the Blackhats don’t want you to know: Analyze an .exe in 5mins […]

  2. I am not finding my [nsis].msi file after opening it via 7-Zip, why is that???
