Nairaland Forum / Olioxx's Profile / Olioxx's Posts (captured Thursday, 25 April 2024)
Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:36pm On Dec 20, 2021 |
The file size of the malware is 964 KB, so I made sure not to waste unnecessary time, as this malware can be really tricky. In fact, the malware has some methods it uses to check whether it has made an external connection. So right now I'll try to use the MITRE ATT&CK Framework to describe the malware.

MITRE ATT&CK FRAMEWORK:

Resource Development: Acquire Infrastructure (T1583). The Lyceum APT acquires servers to launch their attacks.

Command and Control: Application Layer Protocol: DNS (Domain Name Server) (T1071). The Lyceum APT used DNS for their C2C servers. (lol)

Persistence: Scheduled Task (T1053). I am very sure that the milan.exe file has a persistence mechanism embedded, since this is a coordinated attack; the Lyceum APT will want their payload to have some level of persistence. This might be that the program executes upon system startup or at certain time intervals.
|
Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:27pm On Dec 20, 2021 |
1st Image: IP address of the other domain name.

Summary
1. I found out the PDB path of the milan.exe malware on a typical Windows operating system.
2. Found out a lot of useful metadata about the malware, like the creation date, obfuscation info, etc.
3. Found out the known browser user agent the malware might utilize to establish an external connection.
4. Found out that the malware source code contains some hardcoded CMD commands; one of them is that the malware fires up CMD.
5. Found out domain names and IP addresses associated with the malware; these can be used for Incident Response.
|
Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:22pm On Dec 20, 2021 |
6th Step: Finding out the C2C is very important. For this, Wireshark came to the rescue: I found out some IP addresses (lol) and also the server names. In fact the names were even available in the strings output of the executable, which I checked for cross-validation. And the server names are ....

1st Image: Server name (actually my analysis shows 2 known server names for this malware)

Armed with this information, I went to VT to check out these domain names and voila, they are truly malicious.

2nd and 3rd Image: VT shows the site as malicious

Okay, progressing, I went to check out the IP addresses associated with these domain names.

4th Image: IP addresses of these domain names

The reason for getting the IP addresses is to ensure that the Incident Response team can effectively block connections with such IP addresses using a firewall.
|
Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:14pm On Dec 20, 2021 |
My two main focuses for embarking on the dynamic analysis of the malware are to find out how the file system changes over time and to find out what the server/domain is.

5th Step: I fired up Process Hacker (to do a background check) and Process Monitor (to mainly monitor processes and events on my lab machine). As usual I was greeted with over 2 million events, but of particular notice is the fact that the malware tries to activate CMD (Command Prompt).

1st Image: Process Monitor (filtering for process)
2nd Image: Process Monitor (filtering for TCP connection)

Although I later used Wireshark to monitor and track outbound connections, at the end of the day VirusTotal gave me digestible information. After a while playing around with Process Monitor, I took a detour to check out some registry samples other researchers found, and I found quite a lot.

3rd Image: The registry samples from other research work.
|
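The Process Monitor filtering (9:14pm post), the collection of remote addresses for the IR team to block (9:22pm post) and the ATT&CK tagging (9:36pm post) can be done in one pass over a Procmon CSV export. The script below is an added example and is not code from the thread or from any of the tools named in it. The log lines are constructed in Procmon's CSV export layout; the process name is the one the thread gives for the sample on the lab box, and every host, IP and path is a placeholder rather than an indicator from the real sample.

```python
"""Triage a Process Monitor CSV export for the behaviours the thread reports:
the sample spawning cmd.exe, outbound TCP and DNS traffic, and scheduled-task
persistence, each tagged with the ATT&CK technique IDs cited in the thread,
plus the outbound block rules an IR team would review before applying."""
import csv
import io
import re

# Constructed events in Procmon's CSV export layout (placeholder hosts and IPs).
SAMPLE_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:14:01.1","MsNpENg.exe","4120","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 4188, Command line: cmd.exe /c whoami"
"9:14:01.3","MsNpENg.exe","4120","UDP Send","lab-vm:52311 -> 10.0.0.53:53","SUCCESS","Length: 48"
"9:14:01.9","MsNpENg.exe","4120","TCP Connect","lab-vm:49811 -> 203.0.113.77:443","SUCCESS","Length: 0"
"9:14:02.0","MsNpENg.exe","4120","Process Create","C:\\Windows\\System32\\schtasks.exe","SUCCESS","PID: 4201, Command line: schtasks /create /sc minute /mo 10 /tn Updater /tr C:\\Users\\Public\\MsNpENg.exe"
"9:14:02.4","MsNpENg.exe","4120","TCP Connect","lab-vm:49812 -> 198.51.100.9:80","SUCCESS","Length: 0"
"9:14:03.0","explorer.exe","1504","TCP Connect","lab-vm:49813 -> 10.0.0.20:445","SUCCESS","Length: 0"
'''

ENDPOINT_RE = re.compile(r"->\s*([^:]+):(\d+)$")   # "local:port -> remote:port"
ATTACK = {"schtasks": "T1053", "dns": "T1071"}     # IDs as cited in the thread


def parse_procmon(text):
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, sample="MsNpENg.exe"):
    report = {"children": [], "remote": set(), "dns": set(), "techniques": set()}
    for r in rows:
        if r["Process Name"].lower() != sample.lower():
            continue  # keep only events the sample itself generated
        op = r["Operation"]
        if op == "Process Create":
            child = r["Path"].rsplit("\\", 1)[-1].lower()
            report["children"].append(child)
            if child == "schtasks.exe" and "/create" in r["Detail"].lower():
                report["techniques"].add(ATTACK["schtasks"])  # Persistence: Scheduled Task
        elif op in ("TCP Connect", "UDP Send"):
            m = ENDPOINT_RE.search(r["Path"])
            if not m:
                continue
            host, port = m.group(1), int(m.group(2))
            if port == 53:
                report["dns"].add(host)                     # resolver, not a C2 endpoint
                report["techniques"].add(ATTACK["dns"])     # C2: Application Layer Protocol (DNS)
            else:
                report["remote"].add((host, port))
    return report


def firewall_rules(report):
    """netsh lines blocking outbound traffic to each remote endpoint (review before applying)."""
    return [f'netsh advfirewall firewall add rule name="block-{host}" dir=out action=block remoteip={host}'
            for host, _ in sorted(report["remote"])]


if __name__ == "__main__":
    rep = triage(parse_procmon(SAMPLE_CSV))
    print("child processes:", rep["children"])
    print("remote endpoints:", sorted(rep["remote"]))
    print("DNS servers:", sorted(rep["dns"]))
    print("ATT&CK:", sorted(rep["techniques"]))
    print("\n".join(firewall_rules(rep)))
```

Filtering on the sample's own process name mirrors the Procmon process filter in the post; the resolver address seen on port 53 is reported separately so it does not end up in the block list, and the `netsh` lines are generated for review rather than executed.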
Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 11:55am On Dec 20, 2021 |
LikeAking: When something does not concern you, learn to waka pass. It helps to mind one's business. Have a good day. |
Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 11:54am On Dec 20, 2021 |
Finally I completed the analysis today (Dec 20th). I found out some filesystem changes and, more importantly, the C2C servers used. I was surprised to find that some of the servers used are located in Nigeria. I think these might be VPN-enabled servers (I presume).

Tools Used: Process Hacker, Process Monitor, Wireshark, CMD

Edited: My reverse engineering process was kind of easy, as a lot of researchers had already looked into the sample, so I connected with them via Twitter to fast-track my analysis process, but my main ish is to figure out the servers located in Nigeria. Later in the day I'll drop my findings here. |
Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:48pm On Dec 18, 2021 |
5th Step: Could this be the browser user agent the malware uses to establish an external connection? Well, I noted it as well.....

Okay, so I am done with everything static analysis; by tomorrow I'll dynamically analyze the sample to figure out the C2C servers/domains and then any filesystem changes attached to the malware.
|
Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:43pm On Dec 18, 2021 |
4th Step: I found the PDB path of the malware on a typical Windows OS. And the PDB path is ..... Error lol
|
Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:41pm On Dec 18, 2021 |
3rd Step: I performed some static analysis on the malware. I discovered a lot. From pestudio I understood that the malware was actually written in C++ as against .NET. So milan.exe is a C++ executable. Secondly, I discovered that the malware was released on May 18, 2021 by the Lyceum APT. Detect It Easy presented me with similar information.
|
Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:36pm On Dec 18, 2021 |
ahmthankgod: I won't really advise that. Once you are tracked, INTERPOL will come for you. ahmthankgod: Do what ticks you, sir. |
Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:35pm On Dec 18, 2021 |
2nd Step: Downloaded tools to aid analysis and RE.
1st Image: Download RegShot for dynamic analysis
2nd Image: Download ProcDOT for dynamic analysis
3rd Image: Download FakeNet-NG to intercept C2C traffic that might be used by the malware.
|
Programming / Re: Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:32pm On Dec 18, 2021 |
1st Step: I got the cryptographic hash of the malware sample. |
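The static steps in the posts above (hashing the sample, reading the compiler timestamp and machine type the way pestudio shows them, pulling the PDB path, and picking the user-agent and CMD strings out of the strings output) can be reproduced with the standard library alone. The script below is an added example, not code from the thread or from pestudio, Detect It Easy or any other tool named there. The PE it parses is a constructed stub: a DOS header, PE signature, COFF header, PE32+ magic, a CodeView RSDS record and some placeholder strings, with the timestamp set to the May 18 2021 date the 3rd Step post mentions. None of the strings, the PDB path or the hashes are indicators from the real milan.exe.

```python
"""Static first pass over a PE sample: hashes, compiler timestamp and machine
type from the PE header, the PDB path from the CodeView (RSDS) debug record,
and strings that look like user agents, URLs/hosts or shell commands."""
import hashlib
import re
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
INDICATORS = {
    "user_agent": re.compile(r"^Mozilla/\d"),
    "url_or_host": re.compile(r"^(https?://|[a-z0-9-]+(\.[a-z0-9-]+)+$)", re.I),
    "command": re.compile(r"\b(cmd\.exe|schtasks|powershell)\b", re.I),
}


def build_stub_pe(timestamp, machine=0x8664, pdb=b"C:\\build\\placeholder\\milan.pdb", extra=b""):
    """Constructed stand-in for a sample (not the real file, not executable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header follows the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, 240, 0x22)
    rsds = b"RSDS" + bytes(16) + struct.pack("<I", 1) + pdb + b"\x00"  # sig, GUID, age, path
    return (bytes(dos) + b"PE\x00\x00" + coff + struct.pack("<H", 0x20B)
            + bytes(32) + rsds + bytes(8) + extra)


def hashes(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def pe_header_info(data):
    """Machine type, PE32/PE32+ and the linker timestamp (the 'creation date' pestudio shows)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, _, ts = struct.unpack_from("<HHI", data, pe_off + 4)
    magic = struct.unpack_from("<H", data, pe_off + 24)[0]
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "compiled": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
    }


def pdb_path(data):
    """CodeView RSDS record: 'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path."""
    i = data.find(b"RSDS")
    if i < 0:
        return None
    start = i + 24
    return data[start:data.find(b"\x00", start)].decode("latin-1")


def strings(data):
    """ASCII and UTF-16LE printable runs, like the strings output the post cross-checks."""
    out = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    out += [m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)]
    return out


def classify(strs):
    found = {kind: [] for kind in INDICATORS}
    for s in strs:
        for kind, rx in INDICATORS.items():
            if rx.search(s):
                found[kind].append(s)
    return found


def triage(data):
    report = pe_header_info(data)
    report["hashes"] = hashes(data)
    report["pdb"] = pdb_path(data)
    report["indicators"] = classify(strings(data))
    return report


# Constructed sample: timestamp is the May 18 2021 date from the post; all strings are placeholders.
SAMPLE = build_stub_pe(
    timestamp=1621296000,  # 2021-05-18 00:00:00 UTC
    extra=b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\x00"
    b"cmd.exe /c whoami\x00update.example.invalid\x00\x00"
    + "http://c2.example.invalid/beacon".encode("utf-16le") + b"\x00\x00",
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Running `triage` on a real file is `triage(open(path, "rb").read())`. The RSDS scan is a plain byte search rather than a walk of the debug data directory, which is enough for triage and works on packed or truncated files; the wide-string regex is why UTF-16 C2 URLs show up even when an ASCII-only strings run misses them.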
Programming / Analysing Milan.exe. What I Discovered!!! by olioxx(m): 9:31pm On Dec 18, 2021 |
Disclaimer: The purpose of this thread is to document my experience and it is meant for educational purposes. I am not liable for any misuse of this information.

Some months back the ngCERT made public a known threat/malware targeting telcos and ISPs. https://nairaland.com/6851878/iranian-hackers-targeting-telcos-nigeria/ These malware are Shark.exe (.NET) and Milan.exe, together known as James. At the time the news was made public, I had not really polished my analysis and reverse engineering skills. During the past few days, I set up my lab to be part honeypot and part analysis lab; yesterday I got a sample of milan.exe (although the actual name on my lab is MsNpENg). What I did was to get a feel of what the sample really is. |
Programming / Re: Me And Osland!!! by olioxx(m): 8:28pm On Dec 16, 2021 |
Dec 16, 2021: Paging and CMOS

Before I go deep into paging, it is noteworthy that virtual addresses are addresses that take paging into account. When paging is enabled, a virtual address gets translated to a physical address. We can then infer that once paging is enabled on a processor, linear addresses become virtual addresses, which then get translated to physical addresses.

Why the term paging? It is termed paging because physical memory is divided into fixed-size parts called pages.

Effects of Paging
1. As a result of paging, memory access becomes virtual, in that there is no one-to-one correspondence between linear address and physical address, e.g. a high linear address may map to a low physical address and vice versa.
2. As a result of paging, redundant memory can or may be removed from RAM and transferred to, say, the hard drive or solid state drive, and that's why there is the saying that "the RAM is paged out to disk". When a new process is fired up and there is limited memory, the OS can pull the memory back into RAM.

Benefits of Paging
Paging allows the OS to behave as if it has more RAM than present, and this allows redundant memory to be paged out and retrieved once needed. You can then run multiple processes on your machine without much issue. |
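A worked model of the two effects the post lists, added here as an example and not part of the post: a 32-bit, two-level page-table walk (page directory, then page table, then the 12-bit offset inside a 4 KiB page), with one high linear address mapped to a low physical frame and one page whose present bit has been cleared, so touching it faults as it would after being paged out. Physical memory, the CR3 value and every mapping are constructed for the demo.

```python
"""Linear-to-physical translation through a 32-bit page directory and page
table. Physical memory is a dict of 32-bit entries, so any entry never
written reads as zero, i.e. not present."""
PAGE_SIZE = 4096
PRESENT = 1          # bit 0 of a PDE/PTE
FRAME_MASK = ~0xFFF  # bits 31..12 hold the frame address


class PageFault(Exception):
    """Raised where the CPU would raise #PF: a PDE or PTE is not present."""


def pde_index(linear):
    return (linear >> 22) & 0x3FF     # bits 31..22 select the page directory entry


def pte_index(linear):
    return (linear >> 12) & 0x3FF     # bits 21..12 select the page table entry


def read32(mem, addr):
    return mem.get(addr, 0)


def map_page(mem, cr3, linear, phys, alloc_frame):
    """Install the PDE and PTE so that linear's page maps to physical frame phys."""
    pde_addr = cr3 + pde_index(linear) * 4
    pde = read32(mem, pde_addr)
    if not pde & PRESENT:
        pt_base = alloc_frame()                  # first page in this 4 MiB region: new page table
        mem[pde_addr] = pt_base | PRESENT
    else:
        pt_base = pde & FRAME_MASK
    mem[pt_base + pte_index(linear) * 4] = (phys & FRAME_MASK) | PRESENT


def page_out(mem, cr3, linear):
    """Clear the present bit: the frame's contents are now 'on disk' and the next access faults."""
    pde = read32(mem, cr3 + pde_index(linear) * 4)
    pte_addr = (pde & FRAME_MASK) + pte_index(linear) * 4
    mem[pte_addr] &= ~PRESENT


def translate(mem, cr3, linear):
    pde = read32(mem, cr3 + pde_index(linear) * 4)
    if not pde & PRESENT:
        raise PageFault(f"page directory entry for {linear:#010x} not present")
    pte = read32(mem, (pde & FRAME_MASK) + pte_index(linear) * 4)
    if not pte & PRESENT:
        raise PageFault(f"page for {linear:#010x} not present (paged out)")
    return (pte & FRAME_MASK) | (linear & 0xFFF)   # frame address + offset within the page


def try_translate(mem, cr3, linear):
    """(True, physical) or (False, reason); the OS fault handler acts on the reason."""
    try:
        return True, translate(mem, cr3, linear)
    except PageFault as exc:
        return False, str(exc)


def build_demo():
    """Constructed memory image: CR3 points at a page directory at 0x1000; page tables
    are allocated from 0x2000 upwards as map_page needs them."""
    mem = {}
    cr3 = 0x1000
    frames = iter(range(0x2000, 0x10000, PAGE_SIZE))
    map_page(mem, cr3, 0xC0001000, 0x00005000, lambda: next(frames))  # effect 1: high linear, low physical
    map_page(mem, cr3, 0x00400000, 0x00009000, lambda: next(frames))
    page_out(mem, cr3, 0x00400000)                                     # effect 2: page sent to disk
    return mem, cr3


if __name__ == "__main__":
    mem, cr3 = build_demo()
    for linear in (0xC0001234, 0x00400010, 0x80000000):
        print(f"{linear:#010x} -> {try_translate(mem, cr3, linear)}")
```

The three probes in the `__main__` block show a successful walk to a low frame, a fault on the paged-out page (the point at which the OS would read the page back from disk and retry), and a fault on a region with no page table at all.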
Programming / Re: Which Programming Languages Do I Learn? by olioxx(m): 8:40pm On Dec 15, 2021 |
toby345: Then try to take up CS50; it will help you. I have the certificate and I can root for it any day, any time. |
Programming / Re: Me And Osland!!! by olioxx(m): 8:35pm On Dec 15, 2021 |
Dec 15, 2021: Crafting my write up on Paging and the CMOS concept.
Tomorrow I'll drop the write-ups. |
Programming / Re: Me And Osland!!! by olioxx(m): 8:56pm On Dec 14, 2021 |
Dec 14, 2021: Taking a deep delve into Segmentation.

Segment Registers in Intel
There are six segment registers in Intel, namely:
CS - Code Segment
SS - Stack Segment
DS - Data Segment
ES, FS, GS - the above 3 are extra data segment registers
Each of these segment registers contains a 16-bit segment selector.

Segment Selectors
There is more to the fact that the six segment registers contain segment selectors. In every segment selector (16 bits), there is a visible part and a hidden part, so this means that every 16-bit selector has 2 parts.

Details of the Segment Selector parts
* Hidden part: This part contains a cache of information from the lookup table (more on this in a moment); as a user you cannot directly access the hidden part.
* Visible part: The visible part is what can be changed to point to a different entry in the lookup table.

Segment Selectors in action
I am going to provide a technical analogy of how the segment selectors work on Intel processors (32-bit or 64-bit). First, an important note: in a 64-bit Intel processor (according to the manual), the CS, SS, DS, ES registers in the hidden part all have a hardcoded base of 0 and a hardcoded limit of 2^64 - 1, but the other segment registers have the liberty to set the hardcoded base to whatever is gotten from the lookup table.

Now to the analogy. Register CS (visible part) has a Table Indicator of 0; this means it will point to a table called the Global Descriptor Table. When the index is 3, then it will select a data structure at the 3rd index in the GDT. Access from table information is then stored in the hidden part of the CS register. Register FS (visible part) has a Table Indicator of 1; this means it will point to the Local Descriptor Table. When the index is 1, then it will select a data structure at the 1st index in the LDT. Access from table information will go to the hidden part of the FS register. Note that the above is just an analogy (sample); in real life it may point at a different index, and the Table Indicators might change.

Segmentation Review
The Intel manual says that a processor's addressable memory space can also be called the linear address space. To locate a byte in a particular segment, a logical address or far pointer must be provided. What is this logical address?
Logical Address = Segment Selector + Offset
What this means is that on a 32-bit Intel processor a logical address is 47 bits in size, while on a 64-bit Intel processor a logical address is 79 bits in size. So in layman's English a logical address is telling the Intel processor, "I want this segment and offset".

In an orderly chain, the logical address translates to a linear address; as a result of paging, the linear address translates into a virtual address, and the VA translates into a physical address (RAM). How does this translation occur?
1. The segment selector does a table lookup (whether GDT or LDT).
2. Each table has a description of each segment.
3. The description is what is used to locate where the base of a segment is, and then the offset will be added to the base of the segment.
4. Once step 3 is completed, a linear address is gotten. |
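Steps 1 to 4 of the segmentation review, and the visible/hidden split of the selector, as a worked model added here (not part of the post): the selector's index, TI and RPL fields are decoded, the matching descriptor is fetched from the GDT or LDT and parsed into the base, limit and present bit that the hidden part of the register would cache, and the offset is checked against the limit before being added to the base. The 8-byte descriptor layout is the 32-bit protected-mode format from the Intel SDM; the GDT and LDT contents are constructed for the demo and do not come from any real OS.

```python
"""Logical (selector:offset) to linear address translation through a GDT/LDT."""
import struct


class SegFault(Exception):
    """Where the CPU would raise #GP: bad selector, absent segment, or offset past the limit."""


def decode_selector(selector):
    """Visible part of a segment register: 13-bit index, TI (0 = GDT, 1 = LDT), 2-bit RPL."""
    return {"index": selector >> 3, "ti": (selector >> 2) & 1, "rpl": selector & 3}


def pack_descriptor(base, limit, access=0x92, granularity=False):
    """Build one 8-byte table entry; base and limit are split across the entry."""
    flags = (0x8 if granularity else 0x0) | 0x4  # G bit; D/B = 1 for a 32-bit segment
    return struct.pack("<HHBBBB", limit & 0xFFFF, base & 0xFFFF, (base >> 16) & 0xFF,
                       access, (flags << 4) | ((limit >> 16) & 0xF), (base >> 24) & 0xFF)


def parse_descriptor(entry):
    """What the CPU caches in the hidden part of the register when a selector is loaded."""
    lim_lo, base_lo, base_mid, access, flags_lim, base_hi = struct.unpack("<HHBBBB", entry)
    base = base_lo | (base_mid << 16) | (base_hi << 24)
    limit = lim_lo | ((flags_lim & 0xF) << 16)
    if flags_lim & 0x80:                  # G = 1: limit is counted in 4 KiB units
        limit = (limit << 12) | 0xFFF
    return {"base": base, "limit": limit, "present": bool(access & 0x80)}


def logical_to_linear(selector, offset, gdt, ldt):
    sel = decode_selector(selector)
    table = ldt if sel["ti"] else gdt                   # step 1: TI picks the table
    if sel["index"] == 0 and not sel["ti"]:
        raise SegFault("null selector cannot be used for memory access")
    if sel["index"] >= len(table):
        raise SegFault(f"index {sel['index']} beyond table of {len(table)} entries")
    desc = parse_descriptor(table[sel["index"]])      # step 2: the table describes the segment
    if not desc["present"]:
        raise SegFault("segment not present")
    if offset > desc["limit"]:                        # step 3: offset must lie inside the segment
        raise SegFault(f"offset {offset:#x} exceeds limit {desc['limit']:#x}")
    return (desc["base"] + offset) & 0xFFFFFFFF       # step 4: base + offset = linear address


def check(selector, offset, gdt, ldt):
    """(True, linear) or (False, reason), for callers that do not want an exception."""
    try:
        return True, logical_to_linear(selector, offset, gdt, ldt)
    except SegFault as exc:
        return False, str(exc)


# Constructed tables for the demo.
GDT = [
    bytes(8),                                                    # 0: null descriptor
    pack_descriptor(0, 0xFFFFF, access=0x9A, granularity=True),  # 1: flat code, 0..4 GiB
    pack_descriptor(0, 0xFFFFF, access=0x92, granularity=True),  # 2: flat data, 0..4 GiB
    pack_descriptor(0x00400000, 0x0FFF, access=0x92),            # 3: 4 KiB data window at 4 MiB
]
LDT = [
    bytes(8),
    pack_descriptor(0x7FFF0000, 0x00FF, access=0x92),            # 1: 256-byte segment
]

if __name__ == "__main__":
    for selector, offset in ((0x18, 0x20), (0x0C, 0x10), (0x18, 0x1000)):
        print(f"{selector:#06x}:{offset:#x} -> {check(selector, offset, GDT, LDT)}")
```

Selector 0x18 is index 3 in the GDT (TI = 0), so offset 0x20 lands at linear 0x00400020; selector 0x0C is index 1 with TI = 1, so it is looked up in the LDT instead; and 0x18 with offset 0x1000 fails the limit check, which is the protection segmentation gives before paging is even consulted.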
Webmasters / Re: Why Do You Still Work For Nigerian Companies? by olioxx(m): 1:44pm On Dec 12, 2021 |
CUMIN: Back-end frameworks like Django/Flask, but not many such jobs in Nigeria, though plentiful in the UK. |
Programming / Re: Should I Take This Job?(photo) by olioxx(m): 11:43am On Dec 12, 2021 |
BigDawsNet: OP, please, this is real legit advice; please get internships first, it will help.
Supreme145, PeaceJoyLove: Now this is legit advice; in fact what OP should be focusing on now is internships, whether paid or unpaid. Like me for example, I just started being active in CyberSec, though with little knowledge from the past, but instead of aiming high, I am starting low. I am connecting with top gurus in the industry, tapping real-world knowledge from there. It hasn't been easy though, but we just dey grind join.
OP, my most sincere advice to you:
1. Get internships, no cap.
2. Start building professional networks; even if you are a gig worker, don't underestimate the power of referrals.
3. As someone said before, if you can, contribute to open source.
4. Take care of your health (especially mental health).
Wishing you all the best. More wins to you.
Supreme145: I hope your portfolio and CV are ready, sir? Check out this opening (internship) https://jiokcareers.com/job/frontend-developer-internship/?utm_campaign=google_jobs_apply&utm_source=google_jobs_apply&utm_medium=organic Official website of the company: https://whipafrica.com/ Wishing you the best, boss.
bb6xt: Please can you give me a skills endorsement? I want to expand my moves. |
Webmasters / Re: Why Do You Still Work For Nigerian Companies? by olioxx(m): 11:38am On Dec 12, 2021 |
webm: GBAMSOLUTE jesmond3945: Seconded boookworm: LIES. Saturated kor staphylococcus ni. CSTRR: Explain this, before wuna go dey write things anyhow. There is no saturation anywhere, Nigerians are still getting jobs. CSTRR: Thank God you said something LEGIT; once you are competent, you will get jobs, but otherwise no shi-shi for you. Secondly, there is no saturation anywhere, you just have to be good. |
Programming / Re: Learning To Code Is Hard!!!! by olioxx(m): 8:10pm On Dec 11, 2021 |
tensazangetsu20: Oga sir, okay, case closed. Please can you endorse my C skills on LinkedIn? Since everybody wan dey catch cruise, make me sef catch small cruise. "Nah jobs / gigs wen choke I wan dey apply to now!!! LOBATAN" https://www.linkedin.com/in/olotu-praise-jah-9701b7162/
|
Travel / Re: How To Make It Fast In Brazil As An African (photo) by olioxx(m): 8:42am On Dec 11, 2021 |
walkbrazil4k: Well said, I think this philosophy applies everywhere in the world. Regarding friends ehn, a lot of FRENEMIES around now. One gatz shine one's eye. |
Romance / Re: Today Is My Birthday by olioxx(m): 1:46pm On Dec 10, 2021 |
Mariangeles:While November borns or Scorpio are LEGEND!!!! #FACT |
Programming / Re: Learning To Code Is Hard!!!! by olioxx(m): 12:38pm On Dec 10, 2021 |
chim14: I thought it was only me that had this mentality, but that is the fucking truth. Look at them, PewDiePie or Linda Ikeji, but at the end of the day God nor go shame us. The truth of the matter is programming/software dev is kind of like the fastest way to start bagging big cash, but other professions bag even bigger cash than programming. Remember say Wizkid made a reported 5.2 billion from O2 in 3 days; if I code from now till next year, I fit nor smell 1 billion. |
Jobs/Vacancies / I Need A Cybersecurity Job To Hone My Skills. by olioxx(m): 9:32pm On Dec 08, 2021 |
Job Title: Malware Analysis / Incident Response
Role: Internship (preferably paid) or Entry-Level
Portfolio/CV: https://praiseolotu.github.io/Olotu-Praise-Jah
LinkedIn: https://www.linkedin.com/in/olotu-praise-jah-9701b7162/
Why I believe I am a better candidate: Experience with reverse engineering, malware analysis, forensic analysis and the MITRE ATT&CK Framework.
Relevant Certification: GREM (GIAC Reverse Engineering Malware) (In View)
cc davide470 cc uboma cc mukina2 cc Seun
Please help me push this to the front page. |
Career / Re: The Nairalife Of A Student Doubling As A Software Engineer by olioxx(m): 2:51pm On Dec 07, 2021 |
remi1444: Don't give up, boss; even the girl said it was not until July 2020 that she got a job, which was about 2 years after she started. The journey is rough, but perseverance and commitment will make you win. As you said, nobody will share their low times, so don't compare yourself please; just keep up the good work and las las you go smile. |
Programming / Re: Me And Osland!!! by olioxx(m): 9:14pm On Dec 06, 2021 |
Dec 6, 2021: Learned about System Calls

The major reason why a system call is necessary is simply to provide a mechanism for interaction between kernel and user mode. Prior to x86-64, CALL GATE and interrupts were used to achieve system calls. A stable API, also known as the System Call Interface, is what exposes useful functions from the kernel to user mode.

To elaborate better, let me use this very simple example. In the kernel there is a function called NtWriteFile(); in user mode there is a provision for the function WriteFile(). Now the kernel provides this function to user mode because it knows user mode will need this functionality. So the System Call Interface exposes this function to ensure two-way communication between kernel and user mode.

The SCI available to x86-32 processors (Intel) is the assembly instruction pair SYSENTER/SYSEXIT.
SYSENTER: This SCI (System Call Interface) transitions from user mode to kernel.
SYSEXIT: This SCI moves back to user mode.
The SCI available to x86-64 processors is the assembly instruction pair SYSCALL/SYSRET, and they work similarly to the 32-bit version; just the name changed. |
Programming / Re: Me And Osland!!! by olioxx(m): 9:17pm On Dec 05, 2021 |
Dec 5, 2021: Other things occupying my time, no time for study today. By tomorrow I'll try upload what I've learned. |
Travel / Re: The Best Place To Settle In Brazil As An African (photo) by olioxx(m): 9:04pm On Dec 05, 2021 |
I must really commend OP for this; any time I come on Nairaland I make sure I read your articles. Learnt a lot about beautiful Brazil, especially their girls, hulala!! OP, please post on how to be friends with em Brazilian girls, and I hope they don't have the same mentality as our Naija girls ooo. Thanks. |
Nairaland - Copyright © 2005 - 2024 Oluwaseun Osewa. All rights reserved.