Category:Encryption

From aldeid
Jump to navigation Jump to search

Description

  • Malware often encrypt content (strings, content sent to C&C)
  • A reversible cipher uses the same function to encode and decode

Online resources

Cipher list and tools
https://gist.github.com/tigertv/cd9ab0563c5012a36978cf0abfd34948
Encoding/decoding tools
https://gchq.github.io/CyberChef/
https://cryptii.com/
https://www.dcode.fr/
https://paulschou.com/tools/xlate/
https://www.guballa.de/vigenere-solver (able to brute force Vigenere key)
https://quipqiup.com/ (able to brute force key)
http://kripto.rf.gd/ (Enigmator)
http://www.webutils.pl/index.php?idx=xx
Hash crackers
https://md5decrypt.net/
https://md5hashing.net/
Cipher identifier
https://www.boxentriq.com/code-breaking/cipher-identifier

Detecting cryptography in malware

Strings and Imports

Constants

Entropy

Some algorithm can't be detected from constants because they build their structures on the fly. This is the case for the International Data Encryption Algorithm (IDEA) and the RC4 algorithms.

You can search for high-entropy content to detect such algorithms using IDA Entropy Plugin:

Revealing base64 encoding with high 6-bit entropy in the data section (64-bit (0x40) chunk size with maximum entropy of 5.95)
Revealing AES encryption with high 8-bit entropy in the rdata section (256-bit (0x100) chunk size with maximum entropy of 7.9)

Decryption in practice

Basic decryption

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Complex decryption

With OllyDbg

Suppose we are analyzing a malware that encrypts an image file (a bmp file) using a complex encryption mechanism and that the encryption routine is reversible (same routine to encrypt and decrypt). We can use modify the flow in the malware to decrypt encrypted content. Below is an example.

Let's setup 2 breakpoints in OllyDbg:

  • At offset 0x401880, just before the content is encrypted
  • At offset 0x40190A, just after the file is written

Once the program has reached our first breakpoint (0x401880), the arguments on the stack represent the buffer that is about to be encrypted:

  • [1] At 0x401880, the breakpoint is reached.
  • [2] The arguments on the stack represent the buffer pointed by the ESP register
  • [3] Right click on the 1st argument and select "Follow in Dump"
  • [4] Notice the magic word for *.bmp files (0x42 0x4D) which confirms that the buffer contains a bitmap image just before being encrypted. Select all the dump from here to the end (Begin the selection and while you maintain the left click, press the END key to reach the end).
  • [5] Now, open your encrypted file in a hexadecimal editor and copy the entire content in hex.
  • [6] Paste the content to OllyDbg in place of your selection (Right click > Binary > Binary paste)
  • [7] Run the program (F9) until it reaches our second breakpoint. Add the *.bmp extension to the new file generated by the malware. It's our decoded image.

With python scripting in Immunity Debugger

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Encypting volumes

Bitlocker

See here.

TrueCrypt

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

LUKS

What is LUKS?

LUKS (Linux Unified Key Setup) is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not only facilitate compatibility among distributions, but also provides secure management of multiple user passwords. In contrast to existing solution, LUKS stores all setup necessary setup information in the partition header, enabling the user to transport or migrate his data seamlessly.

cryptsetup is the tool to use to mount LUKS volumes.

Find key in memory dump

You can find a LUKS key in a memory dump using aeskeyfind:

$ wget https://github.com/TeamCTF-PRIME/auto_vol/raw/master/aeskeyfind
$ ./aeskeyfind memory.raw
8d3f527****************58dbc0ed1
$ echo "8d3f527****************58dbc0ed1" | xxd -r -p > key.bin

Mount LUKS volume

$ sudo apt install cryptsetup
$ sudo modprobe dm-crypt
$ mkdir /data/tmp/vol/
$ sudo cryptsetup open --type luks --master-key-file=key.bin forensic.img luks_vol

It will create a device /dev/mapper/luks_vola that we can now mount:

$ sudo mount /dev/mapper/luks_vola /data/tmp/vol/

Comments

Keywords: caesar crypto encryption base64 decode encode





Pages in this category