Someone's trying to backdoor "hexcalc.exe" from GitHub and not doing a great job. Here's a quick exploration of the VT tester's 6 files, the corresponding PDB anomalies, PS1 & Cobalt Strike shellcode, and Yara #hunting rules.

Thread 1/n
The first file tested by the VT account is hexcalc.exe
0433aeff0ed2cdf5776856f2c37be975
PDB: D:\codes\WinHexCalc\Release\hexcalc.pdb

This led me to search for the original (shady) project on GitHub: github.com/azlan/WinHexCa…
and this indeed contains the initial hexcalc.exe

2/n
They attempt to backdoor the file 4 different times with PS1 shellcode, uploading all to VT:
ae73fe66415edbfd5669ab567793536b
d7c7c9ef1c1725f497ef5feaa654fc2e
7feaa6255459dcba370252e8905a9a4a
ddc442bd5e5d157011ae79c48ee2189a
PDB: F:\Devel\WinHexCalc-master\Release\hexcalc.pdb
3/n
Basic hunting rule for memory-injectable PowerShell shellcode: feye.io/psb64shcde
^This captures all of these files; it is further discussed here:
4/n
The same submitter then uploads a final hexcalc.exe version weaponized with CS/met http stager shellcode.
e48e566410f6238647eb5ed24cbd6910
Same attacker PDB: F:\Devel\WinHexCalc-master\Release\hexcalc.pdb

Higher detection rate on non-PS1 shellcode: virustotal.com/#/file/a8e3975…
5/n
Second stage payload is still live: hxxp://86.106.131.154:80/9Lre (f9ae24fb8983e22d904a064235eb4124)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Refresher on specifying User-Agent when grabbing the payloads:
6/n
This final backdoored version of hexcalc.exe hits on the awesome hunting ruleset from @williballenthin, discussed (& yara rule linked) within his @OPCDE 2019 "Trade War: Shellcode's Wielding of Imports and Exports" presentation:
7/n
I mentioned the utility of PDBs as #threatintel pivots throughout this thread. Read @stvemillertime's PDB #DFIR primer:
8/n
Ultimately, this particular VT tester is sorta *meh* 😕
but the techniques used to detect, understand, and cluster/link this activity together work on real important stuff too -- we just can't always share that on Twitter.
Now go use the referenced #yara hunting rules. 😉
9/9
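The PDB pivot used throughout the thread, as an added example (not the author's code or tooling): pull the CodeView "RSDS" record out of a PE, cluster samples by PDB path, and emit a YARA string rule for the attacker's build path. The sample bytes are constructed stand-ins (GUIDs, ages and padding are made up; the hashes and PDB paths are the ones quoted above), and the extraction is a byte-pattern search rather than a walk of the PE debug directory, which is what a real tool would do.

```python
import re
import struct
from collections import defaultdict

# Constructed stand-ins for the samples: only the bytes around a CodeView "RSDS"
# record are modelled. PDB paths are the ones quoted in the thread; the GUIDs,
# ages and the surrounding padding are made up (no real hexcalc.exe is embedded).
def _rsds(pdb_path: str, guid: bytes, age: int) -> bytes:
    return b"\x00" * 8 + b"RSDS" + guid + struct.pack("<I", age) + pdb_path.encode() + b"\x00" * 4

SAMPLES = {
    "0433aeff0ed2cdf5776856f2c37be975": _rsds(r"D:\codes\WinHexCalc\Release\hexcalc.pdb", b"\x11" * 16, 1),
    "ae73fe66415edbfd5669ab567793536b": _rsds(r"F:\Devel\WinHexCalc-master\Release\hexcalc.pdb", b"\x22" * 16, 3),
    "e48e566410f6238647eb5ed24cbd6910": _rsds(r"F:\Devel\WinHexCalc-master\Release\hexcalc.pdb", b"\x22" * 16, 4),
    "constructed-no-debug-info": b"MZ\x90\x00" + b"\x00" * 16,  # binary without a CodeView record
}

# RSDS signature, 16-byte GUID, 4-byte little-endian age, then a NUL-terminated printable path.
RSDS_RE = re.compile(rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[\x20-\x7e]{1,260})\x00", re.DOTALL)

def extract_pdb(data: bytes):
    """Return (guid_hex, age, pdb_path) from the first RSDS record, or None if absent."""
    m = RSDS_RE.search(data)
    if m is None:
        return None
    age = struct.unpack("<I", m.group("age"))[0]
    return m.group("guid").hex(), age, m.group("path").decode("ascii")

def cluster_by_pdb(samples: dict) -> dict:
    """Group sample hashes by PDB path; files with no record land under None."""
    clusters = defaultdict(list)
    for sample_hash, data in samples.items():
        rec = extract_pdb(data)
        clusters[rec[2] if rec else None].append(sample_hash)
    return dict(clusters)

def yara_rule_for_pdb(rule_name: str, pdb_path: str) -> str:
    """Emit a minimal YARA rule keyed on the PDB path (backslashes escaped for YARA)."""
    escaped = pdb_path.replace("\\", "\\\\")
    return (
        f"rule {rule_name}\n{{\n"
        f'    strings:\n        $pdb = "{escaped}" ascii\n'
        "    condition:\n        uint16(0) == 0x5A4D and $pdb\n}\n"
    )

if __name__ == "__main__":
    for path, hashes in cluster_by_pdb(SAMPLES).items():
        print(f"{path!r}: {hashes}")
    print(yara_rule_for_pdb("hexcalc_attacker_pdb", r"F:\Devel\WinHexCalc-master\Release\hexcalc.pdb"))
```

Clustering on the path alone lumps the original `D:\codes\...` build apart from the five `F:\Devel\...` rebuilds, which is exactly the split the thread draws; the GUID/age pair narrows it further to individual builds.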