Analysing Obfuscated VBA - Extracting indicators from a Trickbot downloader

10,335 views

cybercdh

a day ago

A rather lengthy video showcasing my analysis techniques and thought process when analysing malicious macros. In this case I review a Trickbot downloader that hides an interesting nuance: it behaves differently if certain folders are present on the machine.
Hopefully of use to those learning how to reverse engineer high-level code.
Sample discussed:
www.virustotal...

Comments: 79
@rakijah 6 years ago
'Str()' inserts a leading whitespace for the sign of the number. In case of positive numbers, the "+" is implied (lol), so it only leaves the whitespace.
@cybercdh 6 years ago
that's interesting - thanks for the clarity.
@albert5326 6 years ago
This channel is the only notification I immediately watch
@cybercdh 6 years ago
Albert Stoker that’s awesome, thanks!
@HackeXPlorer 5 years ago
I remember I had to analyse this malware a long time back; IOCs were found from dynamic analysis, but the way this was decoded was really interesting, and the use of CyberChef is just perfect. As a YouTuber, I admire your efforts and the hard work behind this video. Great JOB!!!
@cybercdh 5 years ago
thanks for the comment :)
@B0wser998 6 years ago
I love watching these analyses, it's like solving one big puzzle..
@cybercdh 6 years ago
awesome - glad you enjoyed.
@IOwnThisHandle 6 years ago
YES! Quite possibly my favourite content creator.
@cybercdh 6 years ago
Bob awesome! Thanks for the support.
@IOwnThisHandle 6 years ago
While I do not want to downplay the amount of time and effort required for a video, have you ever considered a more frequent schedule? After the video finishes, I just wish there was more.
@cybercdh 6 years ago
Bob :-) I'd like to do more but things have been pretty hectic lately. When I get a spare hour and an interesting sample I've been looking at, then I'll throw something together, but sometimes it's knowing what is of interest to others...
@tiberiusvetus9113 6 years ago
Excellent analysis. Whoever wrote this would probably be disappointed by how easily you took it apart.
@cybercdh 6 years ago
ha, hopefully! thanks for the comment.
@anthonydidonato387 6 years ago
Thanks and welcome back! Been a while since you posted a video. My team and I always enjoy the detailed overview of your analysis.
@cybercdh 6 years ago
awesome! that's great to hear and thanks for getting in touch.
@RomanKisil 6 years ago
At 9:57 you've deleted another call method with the noise. Probably won't stop you from successfully analysing the code, just wanted to mention. Great content Colin!
@cybercdh 6 years ago
Someone else also noticed this - I was hoping no one would spot it haha. I'd previously analysed the function and it's another function that's pointless and only serves to deliver more noise. Thanks for spotting though :)
@nornahh 6 years ago
Hi Colin, been watching your videos since the start and this one has been my favourite by far. Please keep up the great work as this content is really entertaining! :)
@cybercdh 6 years ago
Thats awesome, thanks for the comment :)
@MrLimetto 6 years ago
Interesting to see your thought process. I would like to see similar videos in the future
@cybercdh 6 years ago
thanks! :)
@argha2091 6 years ago
Hi Colin, it's been a while since I've seen you posting content, but you're back with a bang!! Good to see your reverse eng. to flip the code.
@cybercdh 6 years ago
thanks - appreciate the comment.
@adolin1338 6 years ago
Love watching your thought process dude, thanks a ton for uploading these
@YalleMro18 6 years ago
Always worth the wait for your videos, friend Colin Hardy
@cybercdh 6 years ago
thank you :)
@produKtNZ 6 years ago
Really good to see you back :)
@cybercdh 6 years ago
thanks!
@produKtNZ 6 years ago
Mind if I ask 'the' question? Might be obvious what it is :)
@elviraeloramilosic9813 6 years ago
This was amazing! Welcome back. Finally.
@cybercdh 6 years ago
thanks! glad you enjoyed.
@marek-ke4xb 6 years ago
Why don't you use "replace all" in Sublime for better analysis? Like renaming noisy variable names once you know what they are used for.
@cybercdh 6 years ago
marek 5816 Yep, definitely a good technique also.
@trungucpham6074 6 years ago
I hope you will open a course on Malware Analysis one day.
@cybercdh 6 years ago
Hopefully I won't have to and you can get it all from this channel :)
@ROBERT-ml7ml 6 years ago
Excellent analysis as always Colin! Have you seen and studied the new "Camubot"? That should be your next video! Cheers!
@cybercdh 6 years ago
Thanks, I've not seen that malware so will check it out. Thanks for the tip.
@pupper_doggo 6 years ago
These are really interesting to watch
@cybercdh 6 years ago
thanks!
@marcelogrsp 4 years ago
how does the VBA compile the obfuscated code?
@TheYouTubeCuber888 6 years ago
Why did you delete the call to veLaIBETOCxcuZjAXRYGr at 9:55? How did you know that call did nothing relevant?
@cybercdh 6 years ago
TheYouTubeCuber :-) nice catch. I think I mistakenly deleted that call but knew it was benign from my initial analysis prior to the video. Guess I was hoping no one would notice haha.
@HeikkiHeiskanen 6 years ago
Fantastic! Really interesting stuff.
@cybercdh 6 years ago
thanks! glad you enjoyed.
@Stdvwr 6 years ago
so basically delete all the noise and leave only meaningful lines that are indistinguishable from noise, right?
@cybercdh 6 years ago
pretty much :)
@JanivzZ 6 years ago
please make more !! thank you !
@cybercdh 6 years ago
JanivzZ thanks, will keep trying :-)
@x10creeper52 6 years ago
9:56 did you delete a potentially important call here?
@cybercdh 6 years ago
:-) Not the first to notice. I was hoping no one would notice as I only realised a little later, lol; however it was not important as it was a call to a 'junk' function. Feel free to verify :)
@AlexKiraly 6 years ago
Quality content right here
@cybercdh 6 years ago
thanks :) appreciate the comment.
@악분 6 years ago
Good video! Thank you very much.
@cybercdh 6 years ago
thanks :)
@orionweblab 6 years ago
Say “hey.” If your channel is awesome
@cybercdh 6 years ago
hey.
@user-cy7hk3jx3o 6 years ago
If I used Windows or Linux on a VM to analyze this kind of app, could the virus transfer to my real device?
@cybercdh 6 years ago
in this case, the macros are designed to download a secondary payload from the C2, so no. However, there likely exists malware that can escape a VM therefore caution should be used when analysing anything unknown.
@ossamahjaji7985 6 years ago
it can happen if you have shared folders with your VM
@dwarez 6 years ago
Hey Colin, long time no see : ]
@cybercdh 6 years ago
DWarez hey :-)
@ajwas8565 4 years ago
How does VBA run the code when it is so obfuscated? Is there a function that is run first that decodes it? And if that is the case, wouldn't a virus scanner detect it once it was decoded?
@cybercdh 4 years ago
The VBA has all it needs to run and inject the malicious code into a process, nothing additional is needed despite it being so obfuscated. It's obfuscated to us as a human-reader, but your CPU just sees the same 1's and 0's.
@ajwas8565 4 years ago
@@cybercdh I guess I'm still a little confused even after watching the video a few times. Is the original code in base10 then xor'd with that for loop?
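Two threads on this page come down to the same practical step: rakijah's note that VBA Str() prefixes a space for the implied sign, and ajwas8565's question about how a decimal-encoded, XOR'd blob gets turned back into running code. In both cases the analyst replays the macro's decode loop outside Office, and the replay only works if the VBA string primitives are emulated faithfully. The Python below is an added example, not code from the video or from the Trickbot sample: it emulates the integer behaviour of VBA Str(), CStr() and Val(), then encodes and decodes a constructed blob in a shape common to macro packers (byte XOR single-byte key, appended via Str()). The plaintext, the key 0x37 and the encoding scheme are assumptions for illustration; the sample's real scheme is not shown on this page.

```python
import re

# Constructed sample input for the demo; not taken from the sample discussed on the page.
SAMPLE_PLAINTEXT = "cmd /c echo constructed-sample"
SAMPLE_KEY = 0x37  # hypothetical single-byte XOR key


def vba_str(n: int) -> str:
    """Emulate VBA Str(): a leading space stands in for the sign of a
    non-negative number; negatives get '-' instead."""
    return f" {n}" if n >= 0 else str(n)


def vba_cstr(n: int) -> str:
    """Emulate VBA CStr(): the digits only, no sign placeholder."""
    return str(n)


def vba_val(s: str) -> int:
    """Emulate the integer subset of VBA Val(): blanks, tabs and linefeeds are
    stripped anywhere in the argument (Val(" 1615 198th Street") is 1615198),
    then the longest leading signed digit run is parsed; no digits yields 0.
    Decimals and the &H/&O radix prefixes are omitted on purpose, since
    Chr()-driven decoders feed Val() plain decimal tokens."""
    s = s.replace(" ", "").replace("\t", "").replace("\n", "")
    m = re.match(r"[+-]?\d+", s)
    return int(m.group()) if m else 0


def encode_blob(plaintext: str, key: int, str_fn=vba_str) -> str:
    """Build a blob the way a hypothetical packer would: XOR each byte with
    the key and append the decimal through Str() (or CStr(), to show the
    difference the leading space makes)."""
    return "".join(str_fn(ord(c) ^ key) for c in plaintext)


def decode_blob(blob: str, key: int) -> str:
    """Replay of a typical decode loop: Split() on the spaces Str() silently
    supplied, Val() each token, XOR the key back, Chr() the result."""
    out = []
    for token in blob.split(" "):  # like VBA Split(blob, " "), the first token is ""
        if token == "":
            continue
        code = vba_val(token) ^ key
        if not 0 <= code <= 255:
            # VBA Chr() raises "Invalid procedure call or argument" here
            raise ValueError(f"Chr() argument out of range: {code}")
        out.append(chr(code))
    return "".join(out)


def roundtrip_ok() -> bool:
    """A Str()-built blob decodes back to the plaintext."""
    blob = encode_blob(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    return decode_blob(blob, SAMPLE_KEY) == SAMPLE_PLAINTEXT


def cstr_variant_fails() -> bool:
    """Rebuilding the encoder with CStr() fuses every number into one digit
    run: Val() returns one huge integer and Chr() cannot take it."""
    try:
        decode_blob(encode_blob(SAMPLE_PLAINTEXT, SAMPLE_KEY, vba_cstr), SAMPLE_KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    blob = encode_blob(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print(repr(blob))
    print(decode_blob(blob, SAMPLE_KEY))
    print("Str() round trip ok:", roundtrip_ok())
    print("CStr() variant fails:", cstr_variant_fails())
```

The point of the CStr() variant is the practitioner's caveat: when lifting a decoder into Python or CyberChef, the token boundaries in the blob are often an artefact of Str()'s sign placeholder rather than of any explicit delimiter in the macro, so swapping Str() for str() or CStr() in the re-implementation changes the parse, not just the whitespace.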
@gahlotmindset 6 years ago
hey, very informative video. Would love if you do a live stream :)
@cybercdh 6 years ago
thanks for the comment - i may do one in future..
@mrnano1991 6 years ago
Guys, one question.. Did the people who wrote this malware use these strange variable names, or after they finished coding did they just encode the entire code? I mean, did they write the code like that, or did they write it as normal software and then mess it up with some encoding stuff?
@NeXtdra42 6 years ago
nobody can write code like that, it's simply obfuscated afterwards
@cybercdh 6 years ago
Yeah, I agree, it's probably another piece of code that does the obfuscation. There's lots out there.
@m0rtale195 6 years ago
33:22 Prolly because those AVs monitor command execution or run time scan lel.
@cybercdh 6 years ago
Yeah, most likely. Thanks for the comment.
@akshayverma6836 6 years ago
Awesome stuff :)
@cybercdh 6 years ago
thanks :)
@sent4dc 6 years ago
I would bet Sergey (the author of that malware) wrote a PY script that turns a perfectly readable VBA script into that gibberish.
@kcinplatinumgaming2598 6 years ago
We thought you got hacked, it's been so long ...thought you ended up in Tron :D
@cybercdh 6 years ago
ha!
@sent4dc 6 years ago
Visual Basic is such a shit language. It starts array indexes at 1. So if someone asks you what programming language they should start learning first, and if you really hate that person, suggest VB. PS. But honestly, please don't do it. Have mercy!