hello all im new here …
i dont now if i write in the right section or what !!
some one try to send me a worm in .doc file and he is protected the macro with password i successfully bypass the macro password then i extract the code … the codes drop a downloader in appdata dir i try to know what is the code lang. by using PEiD tool and rdg packer detector i got this result :
Detected : Enigma Protector v4.0
screenshot : http://s30.postimg.org/jxzn4a3kx/Untitled.png
i used megadumper in windows 7 x64 bit without success when i dump it its done but when i try to run it i got this error : The application is unable to start correctly 0xc0000005
also i used this tool : scylla_v0.7beta5 i got the same error when i try to run it
any helo please im trying to unpack it since 2 days
if someone need a sample i’ll post it here …
no it’s not mass mailer attack some one send a me Sensitive information that person know me very will and he knows I work in a sensitive facility … im a computer programmer i know vb.net an delphi but im new in reverse engineering so if i can unpack the mlware i can decompile the code and understand what does he do on the system anyway download the mlware from here : http://www.mediafire.com/file/j01kfl2y9hbbv97/viewimages.rar
Just finishing up the report my gauntlet is spitting out. I’d PDF it but it’s watermarked and stamped with my company name…and…opsec of course…so I’ll convert as best I can to HTML. Give me a few
I am very thankful for your effort … i know all if this info i already do an analysis for the malware manually by wireshark and process monitor and regshot … what i need is to unpack the malware from its protected by enigma protector i need to unpack it to read the source code maybe there is some secret’s and Sensitive info in the source !! so can u help me to unpack it please
pry0cc
(Leader & Offsec Engineer & Forum Daddy)
12
“viewimages.exe.bin” was detected as “Enigma Protector v1.1X-1.3X -> Sukhov vladimir & Serge N. Markin”
Interesting. Also.
Is ping.topsite.life a C&C? Is this a piece of ransomware?
Well, you’d have to know the structure of PE files to do that. If you already do, you should know what to do.
If you can recognise the unpacking routine and know how to debug, simply break after the unpacking and then memory dump. It’s highly unlikely that you’ll get source code but if you consider assembly as source code, then you’re good to go (unless you get some C# or VB program).
A strings analysis seems to show matches of all the strings given in @anon3236228’s report including imported API.
Also part of the file’s strings dump.
It would seem likely. I’ve glanced over the functions which the file imports and there are calls to enumerate over running processes, files, services and registry keys where there may be evidence of a virtualised environment (I’ve implemented these methods in Xerxes lel).
Anyway, have fun disassembling that k3k.
1 Like
pry0cc
(Leader & Offsec Engineer & Forum Daddy)
18
Wow! You’ve actually managed to complete this. Nice!
So is this the original DLL that would be executed after the decryption process? Or perhaps injected after memory is mapped and a suitable process is found to be injected into?
I’m interested to know what this does… And where it calls back.
Further investigation pulls up a few more things. I firstly looking inside the DLL grepped for IP addresses with a regex, and found these
101.3.4.1
1.3.6.1
2.16.840.1
Obviously the last one doesn’t work as an IP, 840 is > 255.
Now the first two appear to be very obscure and simple as IP’s. Since we are not looking in any context, it is impossible to know what they do. A GeoIP lookup of the IP’s maps
101.3.4.1 to Taiwan, Tapei,
1.3.6.1 to Guangdong, Guangdong
Both Asian IP’s, with the same timezone, geographically they’re fairly near. I could be reading too much into this. But it feels a large coincidence that two IP addresses are both located in Asia.
Looking more into those strings I am finding:
w:\3rdparty\TntUnicode\Source\TntClasses.pas
W:\3rdparty\ScreamSec\SecUtils.pas
Some other IP looking things:
2.16.840.1.101.3.4.1.1
2.16.840.1.101.3.4.1.21
2.16.840.1.101.3.4.1.41
What seems to be an opensource licence include...
/* This is an independent implementation of the encryption algorithm: */
/* */
/* RIJNDAEL by Joan Daemen and Vincent Rijmen */
/* */
/* which is a candidate algorithm in the Advanced Encryption Standard */
/* programme of the US National Institute of Standards and Technology. */
/* */
/* Copyright in this implementation is held by Dr B R Gladman but I */
/* hereby give permission for its free direct or derivative use subject */
/* to acknowledgment of its origin and compliance with any conditions */
/* that the originators of the algorithm place on its exploitation. */
/* */
/* Dr Brian Gladman ([email protected]) 14th January 1999 */
Links to trial and activation?
EP_TrialExecutions
EP_TrialExecutionsTotal
EP_TrialExecutionsLeft
EP_TrialDays
EP_TrialDaysTotal
EP_RegEncryptRegistrationInformation
EP_RegDecryptRegistrationInformation
EP_ActivationShowDialog
EP_ActivationActivate
EP_ActivationActivateWithId
EP_ActivationActivateWithIdA
And another link to Enigma...
Software\Enigma Protector\%.8x%.8x-%.8x%.8x
Looking through this. I’d like to run it and see what’s going on in a sandbox. But I am afraid it will escape and/or notice and change it’s behaviour.
Perhaps we need some bare metal with a firewall on a switch… This could get interesting… Who wants to try it?
Application virtualization system for Windows. Enigma Virtual Box enables application files and registry to be consolidated in a single executable file […]
pry0cc
(Leader & Offsec Engineer & Forum Daddy)
20
I would think it would probably be Oracle Virtualbox, the virtualisation software.
