The best part about Malware Reverse Engineering is at Times you will Run Into Samples that require to login into some site to either access or store files.
The user: "Chessgoder" had a great idea to have a stealer that uploads stolen victim information to an FTP server
Not just that but..
to spread it on Nulled ? very risky I say for the server
Now I will take you on the Journey of me Reverse engineering Python Malware with FTP Login
Analyzing the first file I received from him right away he gets it all wrong . It really pisses me off how sloppy these devs are ..
He has a .NET DLL as the dependency for his ".exe" file .
"Well Whats wrong with that ?"
The executable has nothing to do with .NET it was built / Compiled in "Python" "PyInstaller"
Python using .NET dependencies ? cmon you can do alot better ...
To detect the Assembly Type we use this tool called "DIE" , "Detect it Easy":
The same I am analyzing is "Cracking-island" AIO Cracking tool of some sort.
Specifically "[MULTI TOOL] CRACKING ISLAND ACCOUNTS, COMBOLISTS, PORN, TOOLS AND MORE."
To Unpack / Undo "Pyinstaller" we can use the GitHub tool:
As you see it gives us possible entry points so we has somewhere to start looking. Before we do that lets analyze the dumped / extracted files.
Within these files we find another executable linked to it called "CrackingIsland.exe" (Seems to be the legit tool)
We also see the entry point files since we want to see what happens when this program is launched. Now when I run it in Sandboxie it opens a powershell then quickly terminates it self .... hmm ...
We understand what ".pyc" files can be entry points given the output log of "pyinstxtractor"
Before we can go snooping at these ".pyc" files , these files are not treated like text documents so we cant just right click edit with notepad++ see the python source code.
We will use another tool that converts Python Byte Code into Readable code for use
Another tool from Github:
Now building this file is difficult for windows using the "C Make" / "Make" Commands I am not advance enough I suppose to get it working for windows , at least without errors
So we start up out Linux Virtual Machine , specifically this installation / flavor is "Parrot OS"
We run our few "Make" Commands and works like a charm so lets start working with it.
We drag and drop the possible entry point Files into the VM Desktop , rename them so its easy to write on the Shell / Terminal
I usually name them like "1.pyc" "o.pyc" does not matter , whatever makes it easier.
Command goes as: "./pycdc <FILE.PYC>"
The first file we de-compile is "pyiboot01_bootstrap.pyc"
It does not seem to have anything interesting so we then de-compile "pyi_rth_inspect.pyc" same thing .... hmm
Then the final file "contain.pyc" , it prints a lot onto the Terminal , too much , and it looks like Powershell ... ohh I think we might have a hit.
Now its too much for the Terminal to output so using "pycdc" we can add another argument to write the de-compiled data to a output file as such:
"./pycdc <TARGETFILE.PYC> -o <OUTPUTFILE.TXT>" we use the "-o" argument with a path following after , now you don't need the "<>" brackets.
We then Copy this file over to our host machine to further analyze and look into it. Right away it a shit ton of text compressed into one ish line so we will have to "fix" / beautify it
I look for every "$" or "\n" or "{" and start it on a new line so now its all Multi Line.
First thing I notice it has "Anti VM" to make sure its not Executed in a Virtual Machine
The further we go , the more it reveals, it steals all your browser Passwords / History / Cookies , it takes Screenshots,
Even Downloads files from your Desktop / Downloads Folder, Steals Network Information / Passwords.
It just Keeps going and going until we see "ftp"
So lets have fun , we will use "FileZilla" to login.
We get a successful connection
Right away the Directory that stores the stolen information is under "victims" the namespace seems to be "chota.com" -> "public_html"
To be exact it has 71 Victims:
Now lets start downloading ... We will download all files for once because (I still have that left over black hat but mostly so I can contact the victims about their security)
Especially since one of them Owns a Company , Has a website with logins , Source code , Scripts for the Workers to say etc. Seems to be a company Computer...
To make it clear I have no mal intent , but to own a website / company and do naughty things on a computer that holds that data, well cmon ....
When we view the password Files, it seems to have Chinese text chars for random parts of the file , can be the "Username" Field, "Password" Field , "URL" Field , its Random
Seems it either failed at decrypting parts of the info , or improper encoding / decoding for the text.
If failed to decrypt that will be an issue as far as decrypting as the "Master key" isn't actually really stored anywhere and newer Chromium Based Browser
Use AES-GCM Decryption that uses a master Password Located in the "Local State" File , that we don't have
If the Password that is Encrypted Starts with "v10" or "v11" that mean its uses "AES-GCM" that will need a Master Password, you can use C++ "BCrypt" API For that
Else you can use functions like:
The C++ WinAPI Called "CryptUnprotectData" to Decrypt it
Hmm well lets see...
Our of curiosity I decided to throw the text document in "HXD" a Hex Editor to possibly see if I can make sense of the Chinese Chars.
And well if we look at the portions to where the Chinese Chars are suppose to be , it appears somewhat plain text , but enough to let us know it didn't fail to decrypt it just failed at decoding / encoding.
HXD:
So now lets make a tool to Decode the Text properly and Write it to a Text File.
Since we will heavily be using Buffer and Bytes and Encoding we will use ".NET/C#" Since its a safe and easy language
We need some way though to identify the Chinese Text Strings and or Identify each string, I start looking at HXD after and before every Field that is Encoded with Chinese Chars
I notice they have Byte Patters the Byte Sequence is "0x0D, 0x00, 0x0D, 0x0A, 0x00"
Understanding Text , this looks to be in Unicode / aka using 2 Bytes from each Char so "55 00" would be Char "H"
I notice this "0A" Char a lot as well, I don't know what specific char that is as it appears in HXD as "."
I also Understand this Text Document has "\n" Chars , aka New Line char so signify when data is on a New line
But what are the bytes for the Char "\n" ?
Hmmm.. how can we figure this out (We can go into .NET use:
but instead we used our good old Friend "GPT"
We ask it:
"what is the byte code / value for "\n""
It Replies:
I had more context relating to C# for some CLR Questions , but specifically what we are looking for is the "Hexadecimal" Value of "\n"
Hexadecimal is way to represent a number using the "Base16" System
Little about the "Base16" System
Most Humans use the "Base10" System: { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 }
"Base16" Extends the representation of a number by using the Alphabet: { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F }
its a way we can represent Large numbers in the "Base10" System in a smaller looking number ? If that makes sense ? Binary aka Computers use the "Base2" System
Since our reset point is after "1" a Base2 Number can get large the bigger you increment , large length wise
(OK enough of the Base System sorry I get lost sometimes in teaching , Base systems was something took me a while to understand learned years ago )
Either following Before or After (Depending on if Little or Big Endian or LSB / MSB ) byte 0x00 / 00 Will be its partner next to the actual byte "0A"
Given that its Unicode it represents it self with Two Bytes of Data for each Char.
Now that we understand this we can essentially find that byte sequence: "0x0D, 0x00, 0x0D, 0x0A, 0x00"
To Split at each new line of Data understanding that byte Sequence contains "0x0A" the "\n" Char and some other Bytes that appear before
From there each Line , we will get the bytes Read Unicode from it, Add it to a List of Strings and Re Write the Text to a new Document and we shall be good
Now before you say anything , yes there are probably software out there to help with my issue
Notepad++ didn't seem to work but I am also a more do it my self person I just prefer doing it my self.
Also yes the code can be optimized a lot more, sped up more, cleaned more, even made to be more safe but if it works, it works for now
So lets See the Code:
Now when we drag and drop the Text File into the Program to Fix up, the output for the Console looks like:
We open the Text Document, and Boom its Fixed so happy now and so proud
So now we will Nuke the Server by Deleting all the Contents on it, Attempt to Shut it down (I don't think I can do that from my end )
Spread the credentials to render the access invalid since it is now public and everyone has access to the server and is aware of it.
Leave a little Note in the FTP Server let them know I was there
Also contact any of the victims about security and they may have been compromised
Also a lot do seem to be analysis machines as their "Anti-VM" / "Anti Analysis" Method is really weak
RIP:
IMAGES:
SCANS:
As always stay safe out there guys , always run programs in a Sandbox or a VM !!
Edited by ObbedCode, 06 February 2023 - 08:03 AM.