By ro0ted | March 19, 2015 - 00:45 | Posted in /b/ | 9 Comments
#ro0ted #OpNewblood What the blackhats don’t want you to know: Analyzing an IRC bot infected file

Here I thought we would analyze a cracked program of the kind you find on the internet. Only do this if you have Cuckoo Sandbox or a secure virtual machine, as I'm using, to download the .exe. We never know what we are dealing with, and most warez programs have malware binded to them: usually botnets, stealers or keyloggers, though it could also be the legit program. Here we are going to use IDA Pro. – https://twitter.com/ro0ted/


The target?

A cracked commview.

I already know commview is made in Delphi, so let's load it into exeinfoPE to see if it's been altered.

exeinfoPE:

[screenshot: exeinfoPE]

I see two things here:
1.) I do not want to throw this in Ollydbg, since Olly executes the file. At this moment I'd rather trust a static analysis over a live one, as the Source field shows something other than Borland.
2.) I see it has overlay data on it.
OVL = Overlay Data (bytes appended to the file after the end of the last PE section)

So we go to >>:
[screenshot: overlay view]

Let's see if it's crypted:

[screenshot: exeinfoPE crypt check]

Let’s load it in IDA Pro


IDA PRO:

[screenshot: IDA Pro load dialog]

Always read this in case we get errors of any kind, which usually mean the target is packed. I'm not talking about it being crypted; that's different. I'm talking about whether the code was obfuscated, altered so we can't fuck with it.
Doesn't look like it here:

[screenshot: IDA Pro output window]

It doesn't appear to be packed, or it would usually show the packer's name right there. Not to mention that in the navigation bar we can see IDA broke the .exe apart. Remember this is your browsing bar; you can immediately tell if the file is packed just by browsing it. It appears to be in chunks:

[screenshot: IDA Pro navigation bar]

If it were packed you would see only one or two colors. That shows IDA could not break apart the .exe.

Let’s load the patcher in exeinfoPE..

exeinfoPE:

[screenshot: exeinfoPE on the patcher]

Okay, the patcher shows Borland, which means the program is probably binded, and the Strange File entry in the diagnosis shows it's crypted. Therefore I still do not want to run the program in Ollydbg. Often what people do is steal a legit patcher to ship alongside the main binded file.

And if you aren't using a secure virtual machine (not VMware alone), you surely do not want to open it, or any suspicious file for that matter, in Ollydbg, as it will execute; that's the difference between a debugger (Olly) and a disassembler (IDA Pro in this case). If you are reading this and that's exactly what you plan to do… I would say don't, because that's fucking retarded.

Stat Zero Test:

[screenshot: Stat Zero test result]

Not crypted or packed.
This is probably a legit patcher.

Another way to tell that it's not packed is by doing a compiler search, which only gives a result for non-packed files:

[screenshot: compiler search]

[screenshot: compiler search result]

Before we load it in IDA Pro let’s use the Delphi Entry Point corrector:

[screenshot: Delphi Entry Point corrector]

[screenshot: corrected OEP]

OEP = Original Entry Point

IDA PRO:

[screenshot: IDA Pro at the entry point]

This is the start. We can open this in Olly.
The real files to analyze:

[screenshot: the files to analyze]

Never load a suspicious file in Resource Hacker, as it will execute the .exe, kinda like a debugger. You can still see the resources in 7-Zip.

7zip:

[screenshot: 7-Zip resource view]

[screenshot: 7-Zip overlay entry]

Try to open the overlay data of the suspected binded .exe, not the patch.
The patch looks clean; it's not the suspicious .exe here, as it loads fine in IDA Pro.

[screenshot: overlay data opened from 7-Zip]

Load the OVL in Notepad++; we won't be able to see much:

[screenshot: overlay data in Notepad++]
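The checks made by hand above (does the file carry overlay data, is a section packed, is the overlay crypted, what readable text is left in it) can be scripted. The block below is an added example, not ro0ted's code or part of exeinfoPE/IDA; it parses the real PE section table to find where the overlay starts, uses Shannon entropy as a packed/crypted heuristic (the 7.0 threshold is an assumed rule of thumb, not a standard), and runs a minimal "strings" pass over the overlay, which is the scripted version of opening the OVL in Notepad++. The PE image and the `botcfg=irc.example.invalid` marker it scans are constructed inline so the script runs offline; on a real sample you would pass the file's bytes to `triage()` instead.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; near 8.0 means compressed or encrypted, plain code is usually 5-6.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(data: bytes):
    """Walk the PE section table and return (name, raw_offset, raw_size) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size               # first IMAGE_SECTION_HEADER (40 bytes each)
    sections = []
    for i in range(num_sections):
        hdr = table + i * 40
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def overlay_offset(data: bytes) -> int:
    """Overlay = everything past the end of the last section's raw data (OVL in exeinfoPE terms)."""
    return max((p + s for _, p, s in parse_sections(data)), default=0)


def printable_strings(data: bytes, min_len: int = 6):
    """Minimal 'strings': runs of printable ASCII at least min_len long."""
    out, run = [], bytearray()
    for b in data + b"\0":                     # trailing sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out


def triage(data: bytes) -> dict:
    """Static triage mirroring the post: packed sections? overlay present? overlay crypted?"""
    ent = {name: shannon_entropy(data[p:p + s]) for name, p, s in parse_sections(data)}
    overlay = data[overlay_offset(data):]
    ovl_ent = shannon_entropy(overlay)
    return {
        "sections": ent,
        "likely_packed": any(e > 7.0 for e in ent.values()),        # assumed heuristic threshold
        "overlay_size": len(overlay),
        "overlay_entropy": ovl_ent,
        "overlay_looks_encrypted": len(overlay) > 0 and ovl_ent > 7.0,
        "overlay_strings": printable_strings(overlay),
    }


# --- constructed sample (not a real binary, built only so the script runs offline) ----------
def build_sample_pe(overlay: bytes) -> bytes:
    """Minimal PE32 with one low-entropy .text section and an appended overlay."""
    opt_size = 0xE0                            # PE32 optional header size
    raw_ptr = raw_size = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew: PE header directly after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    sec = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000, raw_size, raw_ptr,
                      0, 0, 0, 0, 0x60000020)  # CODE | EXECUTE | READ
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(raw_ptr, b"\0")
    text = (b"\x55\x8b\xec" * 170).ljust(raw_size, b"\xc3")   # repetitive bytes, low entropy
    return headers + text + overlay


_rng = random.Random(20150319)                 # fixed seed: deterministic "crypted" noise
_noise = bytes(_rng.getrandbits(8) for _ in range(2048))
# Constructed cleartext marker standing in for the bot config the post finds in the OVL.
SAMPLE_OVERLAY = _noise[:1024] + b"botcfg=irc.example.invalid:6667 chan=#sample" + _noise[1024:]

if __name__ == "__main__":
    for key, value in triage(build_sample_pe(SAMPLE_OVERLAY)).items():
        print(f"{key}: {value}")
```

Run it and the report shows what exeinfoPE and the IDA navigation bar showed by hand: a low-entropy .text section (so not packed), an overlay starting at 0x400, an overlay entropy near 8 (so crypted), and the one readable marker that survived in the middle of it.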

So yeah, we can see the ware is infected with a bot. We don't need to run it or scan it on VirusTotal; we can just analyze it ourselves. VirusTotal doesn't give you the bot's login info anyway :P.
This file was found on YouTube.

ro0ted

Check out my other tuts in my series "What the Blackhats don't want you to know"

(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as Malwr.com

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1

Ollydbg on Steroids

Creating Patchers Part 1

Have you supported the gas mask campaign over the years?

Crack to win a gas mask gift pack

How to edit a register me crack me Pre Part 1

Unwinding Delphi Binaries Walk Through if not Preview

Cracking Delphi Part 2

Reversing Timed Trials: Ollydbg Tricks Part 3

Analyzing Adware

Preview Against Debugging

Bypassing Registering 101

Bypassing Part 2

Android/iOS Reversing

Introducing IDA Pro: Static Analyzing

Hacker’s Disassembler

Ripping Apart Adware

Never trust Warez or Cracked Programs +


9 Responses to #ro0ted #OpNewblood What the blackhats don’t want you to know: Analyzing an IRC bot infected file

  1. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats dont want u to know | Packing & Crypting, There’s a difference

    […] https://archive.cyberguerrilla.org/a/2015/ro0ted-opnewblood-what-the-blackhats-dont-want-you-to-know-analy… […]

  2. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats dont want u to know | Packing & Crypting, there’s a difference

    […] Never trust Warez or Cracked Programs: Reversing a Crypted IRC bot infected file […]

  3. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats don’t want you to know: Manually unpacking in Olly

    […] Never trust Warez or Cracked Programs: Reversing a Crypted IRC bot infected file […]

  4. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats don’t want you to know: Add your own menu

    […] Never trust Warez or Cracked Programs: Reversing a Crypted IRC bot infected file […]

  5. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats don’t want you to know: Manually Unpacking 101

    […] Never trust Warez or Cracked Programs: Reversing a Crypted IRC bot infected file […]

  6. Pingback: CyberGuerrilla soApboX » #ro0ted #OpNewblood What the blackhats dont want you to know BE: think ur drive is really wiped?

    […] Never trust Warez or Cracked Programs: Reversing a Crypted IRC bot infected file […]

  7. May 23, 2015 at 17:42
    Docnonymous says:

    Thanks for taking the time to expose peeps to this heavy stuff with the visuals. Even I’m learning here so indeed thanks again.

    Travel well…

  8. How are you I come to China HUA team

  9. Pingback: Tutoriales sobre ingeniería inversa | Cyberhades

    […] Never trust Warez or Cracked Programs: Reversing a Crypted IRC bot infected file […]