Share this page!

Matt Profile picture
Twitter logo
4 Feb, 13 tweets, 6 min read
Let's walk through #malware de-obfuscation of a REvil PowerShell ransomware script in #CyberChef. The original can be found below if you want to play alone at home! hybrid-analysis.com/sample/e1e19d6…
Following my analysis, I realised there is an excellent write up of the same PowerShell on SANS here which is worth a read: isc.sans.edu/forums/diary/P… Thanks to @xme for saving me the detonation to learn its ransomware! 👍
Taking a scan we can see an AES decrypt function and blob of Base64 - likely what is to be decrypted. Later on we see our IV and Key variables references, also in Base64.
Step 1 in CyberChef is to use a Subsection to convert the Base64 to hex values so we can pass to the AES decrypt operation. (You can actually pass Base64/UTF-8 as well but its always nicer to work in hex! 😎)
Next you can place the IV and Key into two Registers for later use. Essentially like variables (or memory registers which ever makes more sense to you), Registers are really handy for 'saving' data for later use to pass in CyberChef operations. Here they are saved as $R0 and $R1.
Then we can pass the register values to the isolated blob of encrypted hex data. We isolate that through a regex. The decrypted blob (second screenshot) has another block of hex as variable $hex_str
From there we can isolate that blob of hex via another regex, and convert to bytes using 'From hex' operation. Then hello we see our friend 'This program cannot be run in DOS mode.
We can highlight the garbage code up until the MZ header. CyberChef will tell us how many bytes that is: 1925
Need to 'drop bytes'? There's an operation for that! We can just cut the 1925 bytes away to leave us with our PE file.
What's next? Hash and look it up? Save it off for more analysis? Here it is in the awesome PEStudio.
So, why CyberChef?
1⃣Low barrier to entry, all the tools in the one interface.
2⃣ Immediate feedback! Go wrong? You can step back.
3⃣ Training! A senior member can walk through this de-obfuscation with junior team member so they can learn the 'why' and not just to run a script.
Thanks for reading this long thread! If you want to learn the skills and gain the confidence to use these operations to de-obfuscate malware like this, join CyberChef for Security Analysts! learncyberchef.com
I'll put this recipe up on the Github repo and always welcome more to learn what others are doing with this amazing tool. github.com/mattnotmax/cyb…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Matt

Matt Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @mattnotmax

Matt Profile picture
2 Feb
Here it is! It was an absolute pleasure to develop this course, #CyberChef for Security Analysts, with @chrissanders88. I've tried to cover a range of use cases for work in our field but I probably only scratched the surface. (1/5)
What I've aimed to do instead is to teach the skills so that you can look at the data you'll be using in your work and be confident you can whip up a recipe in CyberChef to suit your needs (2/5).
What's covered are the fundamentals of CyberChef up to the more advanced features that make it the indispensable tool for network defenders. Totally unpaid tweet right here: 👇 (3/5)
Read 5 tweets
Matt Profile picture
23 Mar 20
A small Powershell script leads to a longer #CyberChef recipe.

(1/6): Let's extract the obfuscated section with a regular expression: a regex lookahead/lookbehind.
(2/6) We're going to convert the obfuscated text into Character Codes.
(3/6) Now, following the script we have to subtract 1 from each of the Character Code values and convert it back again. So we put a 1 next to each value with a Find/Replace...
Read 6 tweets
Matt Profile picture
5 Jan 20
So in #DFIR you'll come across lots (and lots) of timestamps. Let's take a quick dive into this weird and wonderful world....(1/x)
For Windows, FILETIME is your main man. It's a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC). (2/x) docs.microsoft.com/en-au/windows/…
So why 1601? According to Microsoft, "The Gregorian calendar operates on a 400-year cycle, and 1601 is the first year of the cycle...active at the time Windows NT was being designed...it was chosen to make the math come out nicely." Seems fair. (3/x) devblogs.microsoft.com/oldnewthing/20…
Read 15 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @mattnotmax has new unrolls!

Check out other threads from @mattnotmax!

Read all threads by @mattnotmax