evilcode1 (qassam) 2017-04-10 10:25:45 UTC #1

hello all im new here ...
i dont now if i write in the right section or what !!
some one try to send me a worm in .doc file and he is protected the macro with password i successfully bypass the macro password then i extract the code ... the codes drop a downloader in appdata dir i try to know what is the code lang. by using PEiD tool and rdg packer detector i got this result :
Detected : Enigma Protector v4.0
screenshot : http://s30.postimg.org/jxzn4a3kx/Untitled.png

i used megadumper in windows 7 x64 bit without success when i dump it its done but when i try to run it i got this error : The application is unable to start correctly 0xc0000005
also i used this tool : scylla_v0.7beta5 i got the same error when i try to run it

any helo please im trying to unpack it since 2 days
if someone need a sample i'll post it here ...

Joe_Schmoe 2017-04-10 10:55:37 UTC #2

Can you PM me a download link?

dtm 2017-04-10 12:11:32 UTC #3

Maybe when you unpacked it, it damaged the original file. Perhaps you could try restoring the headers.

pry0cc (Full-time Badass) 2017-04-10 12:27:03 UTC #4

Hmm interesting. Do you know the person? Or is it a mass mailer attack?

I'd be interested in unpacking it and finding where it connects to... You could do some damage yourself

Post the file and I'm sure somebody here will take up your challenge...

evilcode1 (qassam) 2017-04-10 19:33:28 UTC #5

i dont know how to do that can u guide me

evilcode1 (qassam) 2017-04-10 19:35:27 UTC #6

download it from here : http://www.mediafire.com/file/j01kfl2y9hbbv97/viewimages.rar
password for rar : 1

evilcode1 (qassam) 2017-04-10 19:41:51 UTC #7

no it's not mass mailer attack some one send a me Sensitive information that person know me very will and he knows I work in a sensitive facility .... im a computer programmer i know vb.net an delphi but im new in reverse engineering so if i can unpack the mlware i can decompile the code and understand what does he do on the system anyway download the mlware from here : http://www.mediafire.com/file/j01kfl2y9hbbv97/viewimages.rar

password : 1

Phoenix750 (Hardware Bias!) 2017-04-10 20:14:26 UTC #8

@pry0cc ahhh, good 'ol eye for an eye style

-Phoenix750

L0k1 2017-04-13 01:39:33 UTC #9

Just finishing up the report my gauntlet is spitting out. I'd PDF it but it's watermarked and stamped with my company name..and..opsec of course..so I'll convert as best I can to HTML. Give me a few

L0k1 2017-04-13 01:57:11 UTC #10

Here ya go. This is everything it could dig up

https://s-3.tech/evilcode1.html

evilcode1 (qassam) 2017-04-13 17:46:16 UTC #11

I am very thankful for your effort ... i know all if this info i already do an analysis for the malware manually by wireshark and process monitor and regshot .... what i need is to unpack the malware from its protected by enigma protector i need to unpack it to read the source code maybe there is some secret's and Sensitive info in the source !! so can u help me to unpack it please

pry0cc (Full-time Badass) 2017-04-15 06:02:01 UTC #12

"viewimages.exe.bin" was detected as "Enigma Protector v1.1X-1.3X -> Sukhov vladimir & Serge N. Markin"

Interesting. Also.

Is ping.topsite.life a C&C? Is this a piece of ransomware?

dtm 2017-04-15 07:32:38 UTC #13

Well, you'd have to know the structure of PE files to do that. If you already do, you should know what to do.

If you can recognise the unpacking routine and know how to debug, simply break after the unpacking and then memory dump. It's highly unlikely that you'll get source code but if you consider assembly as source code, then you're good to go (unless you get some C# or VB program).

leroymckeeubZ (Leroy Mckee) 2017-04-15 10:42:59 UTC #14

i also think so. Seems like hybrid-analysis was right

leroymckeeubZ (Leroy Mckee) 2017-04-15 10:44:19 UTC #15

https://www.hybrid-analysis.com/sample/1f2b128d26a58a572ea1faee2c4d9dc759eb8add16d9ad0547b3f0305fea212a?environmentId=100

pry0cc (Full-time Badass) 2017-04-15 19:15:45 UTC #16

I did a good 'ol strings dump on the file, and found this SOFTWARE\Borland\Delphi\RTL

I'm also seeing references to virtualbox. Perhaps this has some sort of virtualbox escape/detection mechanism? Watch out where you run it.

I wonder if this is of any relevance?

http://www.iacertification.org/reverse_engineering_malware_1505.html

A piece of malware called Sub7 was also compiled using Borland C. It also accesses registry keys (like this does). Perhaps this is the same thing?

dtm 2017-04-16 12:05:49 UTC #17

So I've recovered this which, IIRC, was encrypted using a simple XOR cipher after being packed using aPLib compression:

Password: infected

EDIT: VirusTotal scan

A strings analysis seems to show matches of all the strings given in @L0k1's report including imported API.

Also part of the file's strings dump.

It would seem likely. I've glanced over the functions which the file imports and there are calls to enumerate over running processes, files, services and registry keys where there may be evidence of a virtualised environment (I've implemented these methods in Xerxes lel).

Anyway, have fun disassembling that k3k.

pry0cc (Full-time Badass) 2017-04-17 06:19:28 UTC #18

Wow! You've actually managed to complete this. Nice!

So is this the original DLL that would be executed after the decryption process? Or perhaps injected after memory is mapped and a suitable process is found to be injected into?

I'm interested to know what this does... And where it calls back.

Further investigation pulls up a few more things. I firstly looking inside the DLL grepped for IP addresses with a regex, and found these

101.3.4.1
1.3.6.1
2.16.840.1

Obviously the last one doesn't work as an IP, 840 is > 255.

Now the first two appear to be very obscure and simple as IP's. Since we are not looking in any context, it is impossible to know what they do. A GeoIP lookup of the IP's maps

101.3.4.1 to Taiwan, Tapei,
1.3.6.1 to Guangdong, Guangdong

Both Asian IP's, with the same timezone, geographically they're fairly near. I could be reading too much into this. But it feels a large coincidence that two IP addresses are both located in Asia.

Looking more into those strings I am finding:

w:\3rdparty\TntUnicode\Source\TntClasses.pas
W:\3rdparty\ScreamSec\SecUtils.pas


Some other IP looking things: 
2.16.840.1.101.3.4.1.1
2.16.840.1.101.3.4.1.21
2.16.840.1.101.3.4.1.41


What seems to be an opensource licence include...

/* This is an independent implementation of the encryption algorithm:   */
/*                                                                      */
/*         RIJNDAEL by Joan Daemen and Vincent Rijmen                   */
/*                                                                      */
/* which is a candidate algorithm in the Advanced Encryption Standard   */
/* programme of the US National Institute of Standards and Technology.  */
/*                                                                      */
/* Copyright in this implementation is held by Dr B R Gladman but I     */
/* hereby give permission for its free direct or derivative use subject */
/* to acknowledgment of its origin and compliance with any conditions   */
/* that the originators of the algorithm place on its exploitation.     */
/*                                                                      */
/* Dr Brian Gladman ([email protected]) 14th January 1999     */


Links to trial and activation? 

EP_TrialExecutions
EP_TrialExecutionsTotal
EP_TrialExecutionsLeft
EP_TrialDays
EP_TrialDaysTotal

EP_RegEncryptRegistrationInformation
EP_RegDecryptRegistrationInformation
EP_ActivationShowDialog
EP_ActivationActivate
EP_ActivationActivateWithId
EP_ActivationActivateWithIdA

And another link to Enigma...
Software\Enigma Protector\%.8x%.8x-%.8x%.8x

Looking through this. I'd like to run it and see what's going on in a sandbox. But I am afraid it will escape and/or notice and change it's behaviour.

Perhaps we need some bare metal with a firewall on a switch.... This could get interesting..... Who wants to try it?