adawolfa

daily occasional dose of nihilism

Today, dear children, we will tell the tale of the robber Kolovratník from Babiš's estate, who took from the poor and gave to the rich.

"The measure introduced in the past, in the form of emission fees on the oldest vehicles, led to a radical reduction in their imports. Buyers simply began to prefer newer and cleaner cars. The state can simply continue this policy."

And which reality do you live in?

VirusTotal sample execution

So today I read an interesting article about how a binary was automatically submitted to the Microsoft Defender online service for further analysis. It turns out that unknown binaries are sometimes uploaded and executed in a testing environment on a computer with Internet access.

I made a simple C# application which dumps all environment variables and running processes and captures ipconfig output. The dump is then sent to my endpoint and stored in a database. For some reason I wasn't able to trigger Microsoft Defender's automatic sample submission, so I tried something different: I submitted the binary to virustotal.com.

I immediately got green: no malware found. Interestingly, nothing was submitted to my API at that point. But a few minutes later, the application was executed somewhere!

Two responses came from the same address and, judging by the internal IP, from the same computer too.

IP: 66.102.8.227

Path: C:\Program Files (x86)\Windows Resource Kits\Tools\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;c:\python27;C:\Users\John\AppData\Local\Microsoft\WindowsApps;;c:\python27\lib\site-packages\pywin32_system32
SESSIONNAME: Console
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
USERDOMAIN: WIN-VUA6POUV5UP
PROCESSOR_ARCHITECTURE: x86
ProgramW6432: C:\Program Files
PUBLIC: C:\Users\Public
APPDATA: C:\Users\John\AppData\Roaming
windir: C:\Windows
LOCALAPPDATA: C:\Users\John\AppData\Local
CommonProgramW6432: C:\Program Files\Common Files
TIX_LIBRARY: C:\Python27\tcl\tix8.4.3
TCL_LIBRARY: C:\Python27\tcl\tcl8.5
TMP: C:\Users\John\AppData\Local\Temp
TK_LIBRARY: C:\Python27\tcl\tk8.5
ProgramFiles: C:\Program Files (x86)
PROCESSOR_LEVEL: 6
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
HOMEPATH: \Users\John
COMPUTERNAME: WIN-VUA6POUV5UP
USERPROFILE: C:\Users\John
PROCESSOR_ARCHITEW6432: AMD64
USERNAME: John
NUMBER_OF_PROCESSORS: 1
PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 45 Stepping 7, GenuineIntel
PYTHONPATH: c:\tools
ComSpec: C:\Windows\system32\cmd.exe
LOGONSERVER: \\WIN-VUA6POUV5UP
TEMP: C:\Users\John\AppData\Local\Temp
ProgramFiles(x86): C:\Program Files (x86)
CommonProgramFiles: C:\Program Files (x86)\Common Files
USERDOMAIN_ROAMINGPROFILE: WIN-VUA6POUV5UP
PROCESSOR_REVISION: 2d07
SystemRoot: C:\Windows
PROMPT: $P$G
ALLUSERSPROFILE: C:\ProgramData
SystemDrive: C:
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
OS: Windows_NT
ProgramData: C:\ProgramData
HOMEDRIVE: C:


c:\Users\John\Downloads\download.exe


svchost
svchost
svchost
svchost
splwow64
SearchUI
winlogon
conhost
svchost
dwm
svchost
sihost
svchost
c:\python27\python.exe
conhost
C:\Program Files\Meterpreter\metsvc.exe
c:\Users\John\Downloads\download.exe
lsass
smss
services
conhost
csrss
wininit
msdtc
C:\Windows\SysWoW64\cmd.exe
OSPPSVC
svchost
svchost
C:\Program Files\Meterpreter\metsvc-server.exe
svchost
csrss
WMIADAP
svchost
RuntimeBroker
svchost
explorer
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
ShellExperienceHost
WmiPrvSE
svchost
svchost
svchost
System
spoolsv
Idle


Windows IP Configuration


Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::b587:5273:1adc:5eb3%5
   IPv4 Address. . . . . . . . . . . : 10.0.2.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.2.2

This one came from a different address, and it was executed with administrator privileges.

IP: 54.39.189.18

Path: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\dotnet\;C:\Program Files (x86)\dotnet\;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\admin\AppData\Local\Programs\Python\Python37\Scripts\;C:\Users\admin\AppData\Local\Programs\Python\Python37\
SESSIONNAME: Console
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
USERDOMAIN: USER-PC
PROCESSOR_ARCHITECTURE: x86
ProgramW6432: C:\Program Files
PUBLIC: C:\Users\Public
APPDATA: C:\Users\admin\AppData\Roaming
windir: C:\Windows
LOCALAPPDATA: C:\Users\admin\AppData\Local
CommonProgramW6432: C:\Program Files\Common Files
windows_tracing_flags: 3
windows_tracing_logfile: C:\BVTBin\Tests\installpackage\csilogfile.log
TMP: C:\Users\admin\AppData\Local\Temp
USERPROFILE: C:\Users\admin
ProgramFiles: C:\Program Files (x86)
PROCESSOR_LEVEL: 6
FP_NO_HOST_CHECK: NO
HOMEPATH: \Users\admin
COMPUTERNAME: USER-PC
PROCESSOR_ARCHITEW6432: AMD64
USERNAME: admin
NUMBER_OF_PROCESSORS: 2
PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 60 Stepping 1, GenuineIntel
SystemRoot: C:\Windows
ComSpec: C:\Windows\system32\cmd.exe
LOGONSERVER: \\USER-PC
TEMP: C:\Users\admin\AppData\Local\Temp
ProgramFiles(x86): C:\Program Files (x86)
CommonProgramFiles: C:\Program Files (x86)\Common Files
PROCESSOR_REVISION: 3c01
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ALLUSERSPROFILE: C:\ProgramData
SystemDrive: C:
PSModulePath: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
OS: Windows_NT
ProgramData: C:\ProgramData
HOMEDRIVE: C:


C:\Users\admin\Downloads\DTR.Test.exe


dwm
winlogon
taskhost
taskhost
smss
csrss
conhost
svchost
SearchFilterHost
svchost
wmpnetwk
frida-winjector-helper-64
spoolsv
pythonw
lsm
svchost
svchost
svchost
explorer
lsass
C:\Users\admin\AppData\Local\Temp\frida-cce960e005f9cecbea94cf1ed62cd59b\frida-winjector-helper-32.exe
C:\Users\admin\AppData\Local\Temp\frida-cce960e005f9cecbea94cf1ed62cd59b\frida-winjector-helper-32.exe
csrss
conhost
svchost
svchost
services
sppsvc
audiodg
svchost
svchost
wininit
C:\Users\admin\Downloads\DTR.Test.exe
rundll32
svchost
SearchProtocolHost
WmiPrvSE
svchost
C:\Windows\pyw.exe
SearchIndexer
System
WmiPrvSE
WmiPrvSE
Idle


Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : openstacklocal
   Link-local IPv6 Address . . . . . : fe80::4143:fe31:8593:6d6e%11
   IPv4 Address. . . . . . . . . . . : 10.0.2.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.2.2

Tunnel adapter isatap.openstacklocal:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : openstacklocal

None of this is surprising or particularly interesting in itself: each run is a disposable, short-lived virtual machine. The dumps do show what those machines are built from, though. The first one runs a Meterpreter service (metsvc.exe) next to Python 2.7, the second is instrumented with Frida and sits on an OpenStack network (the openstacklocal DNS suffix), and both use the 10.0.2.15 guest / 10.0.2.2 gateway pair that VirtualBox and QEMU user-mode NAT hand out by default. The template hostnames (WIN-VUA6POUV5UP, USER-PC) and the one or two CPUs round out the picture.

What matters is the ordering: VirusTotal shows the user a clean verdict first and only executes the sample minutes later. And even if that run fed back into the verdict, a binary can tell this environment apart from a real desktop using exactly the data above (the instrumentation processes, the template hostname, the NAT addressing), make itself interactive (wait for a mouse move, or anything else that only happens on a real computer) and only then download and run its actual payload. That is ordinary sandbox evasion, and it is why a detonation verdict is only a lower bound on what a sample can do.
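Both points above (what the beacon collects, and that the environment it lands in is recognisable from that data) can be shown on the dumps themselves. The following is an added example written by the editor, not the post's C# beacon: it builds a dump in the same layout for the local host and, separately, parses such a dump and lists the sandbox indicators in it. The dump layout is reconstructed from the post, the indicator tables (instrumentation process names, template hostnames, the 10.0.2.15/10.0.2.2 NAT default, the openstacklocal suffix) are the editor's own choice, and the two sample strings are abbreviated from the dumps above.

```python
"""Added example: parse a beacon dump laid out like the post's (env 'KEY: value'
lines, entry-point path, one process per line, ipconfig output) and list the
sandbox indicators in it. Indicator tables are the editor's assumption."""
import os
import re
import subprocess
import sys

ENV_LINE = re.compile(r"^([A-Za-z0-9_()]+): (.*)$")
IPCFG_START = re.compile(r"^(Windows )?IP Configuration")
INSTRUMENTATION = ("metsvc", "frida-winjector", "frida-agent")   # analysis tooling seen in the post's dumps
TEMPLATE_HOST = re.compile(r"^(WIN-[A-Z0-9]{11}|USER-PC|DESKTOP-[A-Z0-9]{7})$")  # fresh-install names
NAT_DEFAULT = (r"\b10\.0\.2\.15\b", r"\b10\.0\.2\.2\b")  # VirtualBox/QEMU user-mode NAT guest + gateway


def _run(argv):
    """Run a command and return its stdout, or a note if it cannot be run."""
    try:
        return subprocess.run(argv, capture_output=True, text=True, timeout=15).stdout
    except (OSError, subprocess.SubprocessError) as exc:
        return f"(unavailable: {exc})"


def collect_dump():
    """Build a dump in the post's layout for the host this runs on (Windows or POSIX)."""
    env = "\n".join(f"{k}: {v}" for k, v in sorted(os.environ.items()))
    if sys.platform == "win32":
        procs, ipcfg = _run(["tasklist", "/nh"]), _run(["ipconfig"])  # ipconfig prints its own header
    else:
        procs, ipcfg = _run(["ps", "-eo", "comm="]), "IP Configuration\n" + _run(["ip", "addr"])
    return "\n\n".join([env, sys.executable, procs, ipcfg])


def parse_dump(dump):
    """Split a dump into (env dict, process lines, ipconfig text)."""
    env, procs, ipcfg, in_ipcfg = {}, [], [], False
    for line in dump.splitlines():
        in_ipcfg = in_ipcfg or bool(IPCFG_START.match(line))
        if in_ipcfg:
            ipcfg.append(line)
            continue
        m = ENV_LINE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
        elif line.strip():                      # entry-point path and process lines
            procs.append(line.strip())
    return env, procs, "\n".join(ipcfg)


def fingerprint(dump):
    """Return sorted 'category:detail' tags for every sandbox indicator found in the dump."""
    env, procs, ipcfg = parse_dump(dump)
    proc_blob = "\n".join(procs).lower()
    tags = [f"instrumentation:{n}" for n in INSTRUMENTATION if n in proc_blob]
    host = env.get("COMPUTERNAME", "")
    if TEMPLATE_HOST.match(host):
        tags.append(f"template-hostname:{host}")
    cpus = env.get("NUMBER_OF_PROCESSORS", "")
    if cpus.isdigit() and int(cpus) <= 2:
        tags.append(f"low-cpu-count:{cpus}")
    if all(re.search(p, ipcfg) for p in NAT_DEFAULT):
        tags.append("default-nat:10.0.2.0/24")
    if "openstacklocal" in ipcfg:
        tags.append("cloud-dns-suffix:openstacklocal")
    return sorted(tags)


# Constructed test input, abbreviated from the two dumps in the post.
SAMPLE_VT_1 = r"""
COMPUTERNAME: WIN-VUA6POUV5UP
NUMBER_OF_PROCESSORS: 1

c:\Users\John\Downloads\download.exe

c:\python27\python.exe
C:\Program Files\Meterpreter\metsvc.exe

Windows IP Configuration

   IPv4 Address. . . . . . . . . . . : 10.0.2.15
   Default Gateway . . . . . . . . . : 10.0.2.2
"""

SAMPLE_VT_2 = r"""
COMPUTERNAME: USER-PC
NUMBER_OF_PROCESSORS: 2

C:\Users\admin\Downloads\DTR.Test.exe

C:\Users\admin\AppData\Local\Temp\frida-cce960e005f9cecbea94cf1ed62cd59b\frida-winjector-helper-32.exe

Windows IP Configuration

   Connection-specific DNS Suffix  . : openstacklocal
   IPv4 Address. . . . . . . . . . . : 10.0.2.15
   Default Gateway . . . . . . . . . : 10.0.2.2
"""

if __name__ == "__main__":
    for label, dump in (("vt-1", SAMPLE_VT_1), ("vt-2", SAMPLE_VT_2), ("this host", collect_dump())):
        print(label, fingerprint(dump))
```

Run directly, it prints the tags for the two sandboxes and for the machine it runs on; an empty list on your own workstation is the point of comparison. It deliberately stops at classification and never branches on the result, because that branch is what turns a canary into sandbox evasion (ATT&CK T1497).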

Sure, VirusTotal has its uses, but can we say in general that a green-marked application is safe to run? No, we cannot. The most you can conclude is that none of the engines recognised anything in the binary itself; it says nothing about what the binary fetches or does once it is running.

Just don't trust VirusTotal blindly, and think twice about what it actually does. The same goes in the other direction: anything you upload is executed with Internet access and shared with the antivirus vendors behind the service, so never submit a binary that embeds credentials or internal hostnames.

I recommend that everyone take the unique opportunity to look into the soul of a ban enthusiast who has shared with us the novel topic "Auto je zbraň" (A car is a weapon). All sorts of ideas are being floated about how to deal with the piles of corpses along the roads: this year alone at least 380 people have died in traffic accidents! Mr. Skalický is evidently thrilled by safe-driving courses; he would also like a car with a more powerful engine to require passing an exam and the gracious consent of an official. Driving a more powerful car would then be something everyone has to earn.