Mar 30, 2017 - 1 minute read - malware Ransomware dfir gif exe hide

Trojan-Ransom.Win32.Foreign hides payload exe in gif file

i have written a go commandline tool to extract the exe from the gif file as used by this malware.

As a sample input file you can use SHA1:724fa6b4a6a9cff08cae34cc079ef70d80378b32 the resulting exe file should be SHA1:83f7ce3f6c0a7a92d9b225eb6a2953b761601c58. Both files are available from VirusTotal.

You can download the sample gif with the hidden exe also locally. Use infected as a password for the zip file.

Nov 18, 2016 - 1 minute read - good to know octopress

publish octopress via FTPES

Learing Bits has a detailed walk through how to patch your octopress in order to be able to publish via FTPES.

Oct 13, 2016 - 1 minute read - good to know security docx paranoid dfir

converting docx to text

Reading .docx files for the truly paranoid: unzip -p ./foo.docx | sed -e 's/<[^>]\{1,\}>//g; s/[^[:print:]]\{1,\}//g'
— Halvar Flake (@halvarflake) September 30, 2016

Well, as a truely paranoid guy i would not use unzip, because the code base is not maintained anymore and probably kind of sketchy.

Update

I turned this into a go program, which is available from gitlab.com/scusi/paranoiddocx.

Aug 27, 2016 - 1 minute read - malware unpacking dfir

malware unpacking quick reference

A quick reference for manual unpacking of malware from Abhishek Singh from FireEye. It’s already from 2012, but still kind of usefull. Found via Florian Roth on twitter

Offline copy

Aug 25, 2016 - 1 minute read - announcement in eigener sache ssl

SSL Fingerprints

Die SSL Fingerabrücke für das aktuelle Zertifikat sind:

MD5: 8D A3 0E AC 37 B1 70 6B E6 16 69 DF B1 07 C6 81

SHA1: 7A 0B A5 A0 B7 23 9F 5F EE 1B 86 FB 42 23 17 C2 2E B9 AE 1E

~~TLSA Records im DNS für das Server Zertifikat werden dann (hoffentlich) auch noch kommen. Stay tuned.~~

Diese Domain ist im DNS signiert und die Zertifikate für HTTPS und SMTP sind über DANE gesichert.

Mit dem folgenden Befehl kann man sich das TLS Zertifikat des Servers holen und die SHA256 Prüfsumme ausgeben lassen.

openssl x509 -in <(openssl s_client -servername 0x41414141.de -connect 0x41414141.de:443 -prexit 2>/dev/null) -outform DER | openssl sha256

Die Ausgabe muss man dann mit den Daten aus dem DNS vergleichen.

dig _443._tcp.0x41414141.de IN TLSA +short

Die Ausgabe sollte wie folgt aussehen:

me@mybox:~$ openssl x509 -in <(openssl s_client -servername 0x41414141.de -connect 0x41414141.de:443 -prexit 2>/dev/null) -outform DER | openssl sha256
(stdin)= d108d48a1d54c760c2c2fad90dc1697d065bb5239fcd98e43d553b0def99ed6e

me@mybox:~$ dig _443._tcp.0x41414141.de IN TLSA +short
3 0 1 D108D48A1D54C760C2C2FAD90DC1697D065BB5239FCD98E43D553B0D EF99ED6E

Wie man sehen kann sind die Prüfsummen Werte aus Zeile 2 und 5 identisch, wenn man mal von der unterschiedlichen Groß- und Kleinschreibung absieht.

Aug 25, 2016 - 1 minute read - in eigener sache announcement

baustelle

This site is under construction. On 0x41414141.de i plan to collect all kind of things around the topics of reverse engineering, malware analysis, hacking and that kind of stuff. stay tuned.

Aug 20, 2016 - 1 minute read - announcement

Hello World

1 2

EIP=0x41414141

hacking, reversing and other stuff