diff options
author | Cyrille Bagard <nocbos@gmail.com> | 2023-10-21 21:51:20 (GMT) |
---|---|---|
committer | Cyrille Bagard <nocbos@gmail.com> | 2023-10-21 21:51:20 (GMT) |
commit | c370bb014b20654a2b7351b2a9d7e1e5a3ce92cc (patch) | |
tree | 524409a832cbca63c631ae1b884c73bf5a0b36a7 /tests/analysis | |
parent | 0140499d4340c074b039194a2e71808d909d8cbd (diff) |
Implement a few extra customized Windows API hashings.
Diffstat (limited to 'tests/analysis')
-rw-r--r-- | tests/analysis/scan/pyapi.py | 89 |
1 files changed, 85 insertions, 4 deletions
diff --git a/tests/analysis/scan/pyapi.py b/tests/analysis/scan/pyapi.py index cfd12b3..7a697b3 100644 --- a/tests/analysis/scan/pyapi.py +++ b/tests/analysis/scan/pyapi.py @@ -139,7 +139,7 @@ class TestRostPythonAPI(ChrysalideTestCase): return struct.unpack('<I', t)[0] - # Example : + # Example: # - PlugX (2020) - https://vms.drweb.fr/virus/?i=21512304 mod = find_token_modifiers_for_name('crc32') @@ -151,7 +151,7 @@ class TestRostPythonAPI(ChrysalideTestCase): self.assertEqual(b2i(transformed[0]), 0x3690e66) - # Example : + # Example: # - GuLoader (2020) - https://www.crowdstrike.com/blog/guloader-malware-analysis/ mod = find_token_modifiers_for_name('djb2') @@ -163,7 +163,64 @@ class TestRostPythonAPI(ChrysalideTestCase): self.assertEqual(b2i(transformed[0]), 0xcf31bb1f) - # Example : + def testCustomAPIHashing(self): + """Reproduce custom API Hashing results.""" + + def b2i(t): + return struct.unpack('<I', t)[0] + + + # Example: + # Underminer Exploit Kit (2019) - https://jsac.jpcert.or.jp/archive/2019/pdf/JSAC2019_1_koike-nakajima_jp.pdf + + mod = find_token_modifiers_for_name('add1505-shl5') + self.assertIsNotNone(mod) + + source = b'LoadLibraryA' + transformed = mod.transform(source) + + self.assertEqual(b2i(transformed[0]), 0x5fbff0fb) + + + # Example: + # Enigma Stealer (2023) https://www.trendmicro.com/es_mx/research/23/b/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.html + + mod = find_token_modifiers_for_name('enigma-murmur') + self.assertIsNotNone(mod) + + source = b'CreateMutexW' + transformed = mod.transform(source) + + self.assertEqual(b2i(transformed[0]), 0xfd43765a) + + + # Examples: + # - ShadowHammer (2019) - https://blog.f-secure.com/analysis-shadowhammer-asus-attack-first-stage-payload/ + # - ShadowHammer (2019) - https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/ + + mod = find_token_modifiers_for_name('imul21-add') + self.assertIsNotNone(mod) + + source = b'VirtualAlloc' + transformed = mod.transform(source) + + self.assertEqual(b2i(transformed[0]), 0xdf894b12) + + + # Examples: + # - Bottle Exploit Kit (2019) - https://nao-sec.org/2019/12/say-hello-to-bottle-exploit-kit.html + # - ShadowHammer (2019) - https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/ + + mod = find_token_modifiers_for_name('imul83-add') + self.assertIsNotNone(mod) + + source = b'GetProcAddress' + transformed = mod.transform(source) + + self.assertEqual(b2i(transformed[0]), 0x9ab9b854) + + + # Examples: # - ?? (2021) - https://www.threatspike.com/blogs/reflective-dll-injection # - Mustang Panda (2022) - https://blog.talosintelligence.com/mustang-panda-targets-europe/ @@ -181,7 +238,7 @@ class TestRostPythonAPI(ChrysalideTestCase): self.assertEqual(b2i(transformed[0]), 0x91afca54) - # Example + # Example: # - Energetic Bear (2019) - https://insights.sei.cmu.edu/blog/api-hashing-tool-imagine-that/ mod = find_token_modifiers_for_name('sll1-add-hash32') @@ -193,6 +250,30 @@ class TestRostPythonAPI(ChrysalideTestCase): self.assertEqual(b2i(transformed[0]), 0x000d5786) + # Example: + # - SideWinder/WarHawk (2022) - https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group + + mod = find_token_modifiers_for_name('sub42') + self.assertIsNotNone(mod) + + source = b'LoadLibraryA' + transformed = mod.transform(source) + + self.assertEqual(transformed[0], b'\x8e\xb1\xa3\xa6\x8e\xab\xa4\xb4\xa3\xb4\xbb\x83') + + + # Example: + # - TrickBot (2021) - https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c + + mod = find_token_modifiers_for_name('sub-index1') + self.assertIsNotNone(mod) + + source = b'raw.githubusercontent.com' + transformed = mod.transform(source) + + self.assertEqual(transformed[0], b'\x73\x63\x7a\x32\x6c\x6f\x7b\x70\x7e\x6c\x80\x7f\x72\x80\x72\x7f\x7f\x86\x78\x82\x89\x44\x7a\x87\x86') + + def testBytePatternModifiersAPI(self): """Validate the API for pattern modifiers.""" |