A colleague and I reverse-engineered the Clop ransomware binary (with SHA256 hash value 2f29950640d024779134334cad79e2013871afa08c7be94356694db12ee437e2), and observed that it contained two obfuscated resources:
SIXSIX, SIXSIX1
One of them is just the README file that the malware drops all over the disk, so nothing too exciting, but the other is a batch script that deletes the volume shadow copies. Granted, you could just debug it and get it to drop these files, but as a personal challenge I decided to write a deobfuscator based on my analysis of the decompiled code (I looked at it in both Ghidra and IDA Pro, the latter of which was much more helpful in this case).
My journey thus far
I began programming in middle school in BASIC on a Radio Shack TRS-80 (“Trash 80”) that ran using two 5.25” floppy disks (to be fair, you pretty much had to learn BASIC in order to use the thing). I’m not that old; we simply didn’t have much money growing up, so I got ancient computers from places like the Goodwill (the kind that were so old and junky people literally gave them away).
This information is covered in introductory courses on Windows/NTFS forensics, but I often lose track of the original source for technical information that I can cite in expert reports and other deliverables. Also, I’m not a fan of citing proprietary training materials that can’t be easily found on the web, purchased from Amazon, or found in a public library.
This post is a quick summary of a few articles from Microsoft with links to the original articles.
I recently was provided with a 64GB raw memory image created by the free DumpIt tool from a Windows 2012 R2 x64 server. To my dismay, neither Volatility nor Rekall could make heads or tails of it. After debugging a little further, I discovered that neither tool was able to find the kernel debugger data block (_KDDEBUGGER_DATA64) structure.
After a lot of Googling and consultation of the handy bible on this subject matter, The Art of Memory Forensics, I think I finally understand what went wrong (but I’m eagerly seeking clarification/correction from the DFIR/infosec community if I’m mistaken!).
It seems like many times when I try to learn something new, I find that I am missing some prerequisite knowledge or skill set that needs to be understood and/or mastered before I can proceed. This humorous comic illustrates this experience:
http://abstrusegoose.com/272
Be sure to click on the actual comic to advance to the next scene.