Comodo FW bypass malware the sandbox (sandbox hips off + on) and voodooshield (autopilot)
<blockquote data-quote="Wave" data-source="post: 560149"><p>After [USER=55081]@askmark[/USER] asked his previous question on this thread I decided to return by downloading the sample and reversing it to understand how it works. Just as I went to reverse it I was distracted by some information which made my eyes bleed... The sample is based on the .NET framework; I don't know how I am controlling my laughter right now... But without further ado:</p><p></p><p>[SPOILER]</p><p>On execution:</p><p>1. It checks if the program has been executed with arguments.</p><p></p><p>2. Depending on the results of #1, the program will create a sub key under HKEY_LOCAL_MACHINE ("Software\Id523\Thingthing"). This is a static identifier for the sample which can be used in dynamic analysis systems. It then performs some more registry operations (e.g. obtaining values, setting values).</p><p></p><p>3. Depending on the results of #2, it will display a message box with the main text value "Just be patient!".</p><p></p><p>4. If the argument to the program is "/info", then it will get the location of the UserProfile folder and add another string to the end of it, so the path will be "UserProfile\info.txt". It will then attempt to write data to this file.</p><p></p><p>5. After #4 it will start up a new process (which will always be notepad.exe) and pass in a parameter so that info.txt is loaded within it.</p><p></p><p>The above are the main things that happen within the main start-up function of the sample; however, depending on other paths from the if statements on the arguments given to the program:</p><p>- The sample will have a program called "thingthing.exe" located in your UserProfile folder.</p><p>- The sample will execute schtasks.exe with parameters (for the commands) to make a program called thingthing.exe start up with elevated privileges (bypassing the UAC prompt).</p><p>- The sample will modify values at the registry key HKEY_CURRENT_USER\Control Panel\International (values which will be manipulated: "sBkpShortDate", "sBkpLongDate", "sBkpShortTime", "sBkpTimeFormat").</p><p>- The sample will at some point shut down the system by running CMD with the "shutdown /r /t" command.</p><p>- The sample actually has a GUI for some sort of "pacman" game, believe it or not.</p><p>- The sample</p><p></p><p>Other programs are used exclusively by this sample as well (such as "thingthing.exe" and e.g. "hog.exe").</p><p></p><p>If you want further analysis, just disassemble it if you know how to... The explanations can go on forever; to put it short here: it utilises the registry a lot and can do things like shut down the system and create new tasks... It has a function responsible for choosing its "payload". <strong>Check the short story note left outside of this spoiler at the bottom of the post for a final verdict.</strong></p><p>[/SPOILER]</p><p></p><p>Very short story:</p><p>This sample is hardly "damaging" at all compared to some real threats out there. It's made in the .NET framework and there is absolutely no code which will be able to "escape" from the Comodo Sandbox itself (or Sandboxie, for that matter), and if it ever did bypass a sandbox then I would be seriously concerned for the safety of anyone using it, simply due to how basic this sample really is. Just basic Win32 calls, basic things being done... Whatever the reason for it not being blocked (which I didn't even investigate, as I have seen people talk about it already on this thread, about Valkyrie and Trusted Lists and so on), it definitely does not escape/bypass the actual Comodo sandbox... :D</p><p></p><p>Now that this analysis is done I will recover my eyes from the suffering I had at the start when I saw the sample was nothing more than a .NET program (since there was such hassle over this thread, over a very basic sample)...</p><p></p><p>Honestly I cannot believe there was as much hassle as there has been over this sample...</p><p></p><p>Hope this helped, stay safe. ;)</p></blockquote>
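A host-triage check built from the indicators Wave lists in the post above, as an added example that is not part of the original post and is not the sample's own code. It assumes PowerShell 3 or later with the ScheduledTasks module (Windows 8 / Server 2012 onward). The post does not give the scheduled task's name, so the script searches every task action for thingthing.exe instead of assuming a name; the file names it looks for (thingthing.exe, hog.exe, info.txt) and the registry locations are exactly those the post names.

```powershell
# Added triage example based on the indicators described in the post above.
# Assumption: task name unknown, so all scheduled-task actions are searched.

function Test-ThingthingIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Static registry marker the sample creates under HKLM
    $marker = 'HKLM:\Software\Id523\Thingthing'
    if (Test-Path -Path $marker) {
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Detail = $marker }
    }

    # 2. Backup copies of date/time formats written into the International key
    $intl = 'HKCU:\Control Panel\International'
    foreach ($name in 'sBkpShortDate', 'sBkpLongDate', 'sBkpShortTime', 'sBkpTimeFormat') {
        $prop = Get-ItemProperty -Path $intl -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $findings += [pscustomobject]@{ Type = 'RegistryValue'; Detail = "$intl\$name = $($prop.$name)" }
        }
    }

    # 3. Files the post says are dropped into the user profile folder
    foreach ($file in 'thingthing.exe', 'hog.exe', 'info.txt') {
        $path = Join-Path -Path $env:USERPROFILE -ChildPath $file
        if (Test-Path -Path $path -PathType Leaf) {
            $findings += [pscustomobject]@{ Type = 'File'; Detail = $path }
        }
    }

    # 4. Scheduled tasks whose action launches thingthing.exe; RunLevel shows
    #    whether the task was registered to run with highest privileges.
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            if ($action.Execute -match 'thingthing\.exe' -or $action.Arguments -match 'thingthing\.exe') {
                $findings += [pscustomobject]@{
                    Type   = 'ScheduledTask'
                    Detail = "$($task.TaskPath)$($task.TaskName) [RunLevel=$($task.Principal.RunLevel)] -> $($action.Execute) $($action.Arguments)"
                }
            }
        }
    }

    return $findings
}

$results = @(Test-ThingthingIndicators)
if ($results.Count -eq 0) {
    Write-Output 'None of the indicators from the write-up were found on this host.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it from an ordinary (non-elevated) PowerShell session first: the HKCU values and the profile-folder files are readable without elevation, and a hit on any single indicator is enough to justify pulling the host for a fuller look. Because the International values are normal user-locale settings, only the four "sBkp"-prefixed names are checked, not the whole key.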