{ "Event": { "analysis": "2", "date": "2017-07-19", "extends_uuid": "", "info": "OSINT - Unravelling .NET with the Help of WinDBG", "publish_timestamp": "1500478901", "published": true, "threat_level_id": "3", "timestamp": "1500478885", "uuid": "596f7d10-18f4-44d9-ae66-48d3950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" } ], "Attribute": [ { "category": "Payload delivery", "comment": "PACKED SAMPLES", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "sha256", "uuid": "596f7d56-5c0c-413f-8958-1ab5950d210f", "value": "21acd3457c1a589e117988fe0456e50ed627f051a97ccd11bfeeaf3c0cd79bfe" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "sha256", "uuid": "596f7d56-08f0-412f-9788-1ab5950d210f", "value": "344ce133363f005346210611d5abd2513934a32739bc6e1bbd2257a298484051" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "sha256", "uuid": "596f7d56-7c10-41fc-a418-1ab5950d210f", "value": "45c695e610d78178ec5ca6f4e1993afacf4e435b566cd2caf65408fb6080300f" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "sha256", "uuid": "596f7d56-a90c-432e-a36a-1ab5950d210f", "value": "61653b2811fb7c672584d00417cbc1a56c8372331f1913104f9807a775f25773" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "sha256", "uuid": "596f7d56-0600-4335-9d3f-1ab5950d210f", "value": "ac7bd77245bdf284d36ce1f9e2cb6a21d2dbd38aa1964dbaee4d06563f057ca6" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "sha256", "uuid": "596f7d56-4b20-4277-a0b1-1ab5950d210f", "value": "b607e87acdcb2ef0f102298decc57ca3ea20fabbf02375fd30eddddffbeec320" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "sha256", "uuid": "596f7d56-c7d4-40a6-b2cb-1ab5950d210f", "value": "e93c0aed6bbb4af734403e02d399c124f2d07f8e701fb716c2efe65942f83504" }, { "category": "Payload delivery", "comment": "UNPACKED SAMPLES", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "sha256", "uuid": "596f7d6c-a324-4766-acf1-4cef950d210f", "value": "35dee9106e4521e5adf295cc945355d72eb359d610230142e5dd4adda9678dee" }, { "category": "Payload delivery", "comment": "UNPACKED SAMPLES", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "sha256", "uuid": "596f7d6c-a9a8-4ebc-87d8-4c26950d210f", "value": "b5ce02ee3dfccf28e86f737a6dde85e9d30ff0549ec611d115a1d575b5291c2e" }, { "category": "Payload delivery", "comment": "UNPACKED SAMPLES", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "sha256", "uuid": "596f7d6c-e270-4fde-a868-4e26950d210f", "value": "d9a732dcf87764a87f17c95466f557fac33f041ac6f244dba006ba155d8e9aea" }, { "category": "Payload delivery", "comment": "UNPACKED SAMPLES", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "sha256", "uuid": "596f7d6c-debc-4e8b-80e6-4a86950d210f", "value": "fe068ce56b258762c10cc66525c309e79026c0e44103ca9b223c51382722cb09" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": false, "type": "text", "uuid": "596f7d8c-f2cc-49e4-a58c-4a71950d210f", "value": ".NET is an increasingly important component of the Microsoft ecosystem providing a shared framework for interoperability between different languages and hardware platforms. Many Microsoft tools, such as PowerShell, and other administrative functions rely on the .NET platform for their functionality. Obviously, this makes .NET an enticing language for malware developers too. Hence, malware researchers must also be familiar with the language and have the necessary skills to analyse malicious software that runs on the platform.\r\n\r\nAnalysis tools such as ILSpy help researchers decompile code from applications, but cannot be used to automate the analysis of many samples. In this article we will examine how to use WinDBG to analyse .NET applications using the SOS extension provided by Microsoft.\r\n\r\nThis article describes:\r\nHow to analyse PowerShell scripts by inserting a breakpoint in the .NET API.\r\nHow to easily create a script to automatically unpack .NET samples following analysis of the packer logic." }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": false, "type": "link", "uuid": "596f7d9c-b988-4564-be72-4a94950d210f", "value": "http://blog.talosintelligence.com/2017/07/unravelling-net-with-help-of-windbg.html" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES - Xchecked via VT: e93c0aed6bbb4af734403e02d399c124f2d07f8e701fb716c2efe65942f83504", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "sha1", "uuid": "596f7da5-6420-4837-a04a-408302de0b81", "value": "23b1f6dda828dc50963ea841414eab633bfc7dde" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES - Xchecked via VT: e93c0aed6bbb4af734403e02d399c124f2d07f8e701fb716c2efe65942f83504", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "md5", "uuid": "596f7da5-2974-499b-a794-4c4802de0b81", "value": "d8c5268ff36bec6ef67522e407c99847" }, { "category": "External analysis", "comment": "PACKED SAMPLES - Xchecked via VT: e93c0aed6bbb4af734403e02d399c124f2d07f8e701fb716c2efe65942f83504", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": false, "type": "link", "uuid": "596f7da5-3070-40f2-923b-429f02de0b81", "value": "https://www.virustotal.com/file/e93c0aed6bbb4af734403e02d399c124f2d07f8e701fb716c2efe65942f83504/analysis/1493454070/" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES - Xchecked via VT: b607e87acdcb2ef0f102298decc57ca3ea20fabbf02375fd30eddddffbeec320", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "sha1", "uuid": "596f7da5-0884-4f33-b7a1-47e102de0b81", "value": "a0e1c6c4c0469d28e889e15cb4fd1698d580c8b8" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES - Xchecked via VT: b607e87acdcb2ef0f102298decc57ca3ea20fabbf02375fd30eddddffbeec320", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "md5", "uuid": "596f7da5-2838-4086-8f90-4ff202de0b81", "value": "aeefcc7e278e54fc6ee71fa6075fdc48" }, { "category": "External analysis", "comment": "PACKED SAMPLES - Xchecked via VT: b607e87acdcb2ef0f102298decc57ca3ea20fabbf02375fd30eddddffbeec320", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": false, "type": "link", "uuid": "596f7da5-8ba4-4f72-ae5f-425402de0b81", "value": "https://www.virustotal.com/file/b607e87acdcb2ef0f102298decc57ca3ea20fabbf02375fd30eddddffbeec320/analysis/1491852495/" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES - Xchecked via VT: ac7bd77245bdf284d36ce1f9e2cb6a21d2dbd38aa1964dbaee4d06563f057ca6", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "sha1", "uuid": "596f7da5-3f64-44a5-8f9f-435602de0b81", "value": "e79e302f43bfe18fe777e06d321a369a6fbebcb4" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES - Xchecked via VT: ac7bd77245bdf284d36ce1f9e2cb6a21d2dbd38aa1964dbaee4d06563f057ca6", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "md5", "uuid": "596f7da5-8ad8-4107-8023-4dc102de0b81", "value": "c61f4b7fab51bb78a635518cd1dd6bb5" }, { "category": "External analysis", "comment": "PACKED SAMPLES - Xchecked via VT: ac7bd77245bdf284d36ce1f9e2cb6a21d2dbd38aa1964dbaee4d06563f057ca6", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": false, "type": "link", "uuid": "596f7da5-a064-4660-a94e-4e4402de0b81", "value": "https://www.virustotal.com/file/ac7bd77245bdf284d36ce1f9e2cb6a21d2dbd38aa1964dbaee4d06563f057ca6/analysis/1498156633/" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES - Xchecked via VT: 61653b2811fb7c672584d00417cbc1a56c8372331f1913104f9807a775f25773", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "sha1", "uuid": "596f7da5-7170-4554-bc97-4dd202de0b81", "value": "36fce94a8feb925becdb6708ed01e3b6fa1c32a4" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES - Xchecked via VT: 61653b2811fb7c672584d00417cbc1a56c8372331f1913104f9807a775f25773", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "md5", "uuid": "596f7da5-b960-43a9-866a-4f9e02de0b81", "value": "8a8c90f2f65bdab3fc1ada60d0767d3f" }, { "category": "External analysis", "comment": "PACKED SAMPLES - Xchecked via VT: 61653b2811fb7c672584d00417cbc1a56c8372331f1913104f9807a775f25773", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": false, "type": "link", "uuid": "596f7da5-05a4-4ad1-b112-454602de0b81", "value": "https://www.virustotal.com/file/61653b2811fb7c672584d00417cbc1a56c8372331f1913104f9807a775f25773/analysis/1497280580/" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES - Xchecked via VT: 45c695e610d78178ec5ca6f4e1993afacf4e435b566cd2caf65408fb6080300f", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "sha1", "uuid": "596f7da5-70fc-4bbf-8736-419f02de0b81", "value": "6bb562395254d750e418357e59b57061e32022cb" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES - Xchecked via VT: 45c695e610d78178ec5ca6f4e1993afacf4e435b566cd2caf65408fb6080300f", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "md5", "uuid": "596f7da5-67c0-4b36-bd23-4c2702de0b81", "value": "0c814ae689b229063ee7f0045cd36bae" }, { "category": "External analysis", "comment": "PACKED SAMPLES - Xchecked via VT: 45c695e610d78178ec5ca6f4e1993afacf4e435b566cd2caf65408fb6080300f", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": false, "type": "link", "uuid": "596f7da5-8df4-4fef-b6cb-4a0402de0b81", "value": "https://www.virustotal.com/file/45c695e610d78178ec5ca6f4e1993afacf4e435b566cd2caf65408fb6080300f/analysis/1493177175/" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES - Xchecked via VT: 344ce133363f005346210611d5abd2513934a32739bc6e1bbd2257a298484051", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "sha1", "uuid": "596f7da5-9850-4e16-87be-434d02de0b81", "value": "8ac7418803efac76bf5d64cbad35332f0ddc8982" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES - Xchecked via VT: 344ce133363f005346210611d5abd2513934a32739bc6e1bbd2257a298484051", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "md5", "uuid": "596f7da5-e298-4951-8ba0-408702de0b81", "value": "5480488e9f961e1cb1020fa48db5d038" }, { "category": "External analysis", "comment": "PACKED SAMPLES - Xchecked via VT: 344ce133363f005346210611d5abd2513934a32739bc6e1bbd2257a298484051", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": false, "type": "link", "uuid": "596f7da5-3f20-423b-98c8-403302de0b81", "value": "https://www.virustotal.com/file/344ce133363f005346210611d5abd2513934a32739bc6e1bbd2257a298484051/analysis/1492133502/" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES - Xchecked via VT: 21acd3457c1a589e117988fe0456e50ed627f051a97ccd11bfeeaf3c0cd79bfe", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "sha1", "uuid": "596f7da5-34a4-40c4-92e6-421202de0b81", "value": "ca460d04d93e535441bcc4ea3de313645eb7b817" }, { "category": "Payload delivery", "comment": "PACKED SAMPLES - Xchecked via VT: 21acd3457c1a589e117988fe0456e50ed627f051a97ccd11bfeeaf3c0cd79bfe", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": true, "type": "md5", "uuid": "596f7da5-6074-46b0-a001-401002de0b81", "value": "bed8aca8dc2ea2e8fafa2f56db06ba69" }, { "category": "External analysis", "comment": "PACKED SAMPLES - Xchecked via VT: 21acd3457c1a589e117988fe0456e50ed627f051a97ccd11bfeeaf3c0cd79bfe", "deleted": false, "disable_correlation": false, "timestamp": "1500478885", "to_ids": false, "type": "link", "uuid": "596f7da5-0f84-4357-94cc-424a02de0b81", "value": "https://www.virustotal.com/file/21acd3457c1a589e117988fe0456e50ed627f051a97ccd11bfeeaf3c0cd79bfe/analysis/1490674431/" } ] } }