Using Flare Floss to analyze the API hashing malware. #2

Open
caleblawrence opened this issue Sep 29, 2023 · 2 comments
caleblawrence commented Sep 29, 2023

Hello guys! We talked a bit after the talk and I mentioned how Flare Floss can be used to automatically deobfuscate hashed data. I tried running it on the api hash binary and it outputs the hashed function calls in the screenshot below (kernel and user strings). https://github.com/mandiant/flare-floss

image

It does output a lot of strings (around 1k). I think this is just because of the include statements at the top and everything being put into the binary.

Anyway I thought I would share this. It's pretty cool how they use heuristics to identify the decoding functions which means even brand new encryptions/hashing methods are still deobfuscated.

Of course running this on every single binary would not be practical as it can take a fair bit of time. In this case you could turn off the tightstrings and stackstrings features, which speeds it up a lot (just doing API call hashing doesn't require those two checks).

Thanks for the awesome talk and for answering all my questions at the end. Feel free to close this or do whatever - I just opened it to show you guys what I discovered. :)


snus-b commented Sep 30, 2023

caleblawrence, thank you for sharing. I'll have to play with the tool, as I'm curious as to why it didn't flag the MessageBoxA function pointer. Or is this just a sample of the output? We'll keep the issue open so others can see. The whole point of this repo is so people can play and learn.

caleblawrence (author) commented:

> messageboxA

Yeah this is just a sample. I see that it decoded that as well when I checked.

You can output the results to a file, and that's what I did in this case. For this sample it found a lot of strings (1077) because of the included libraries:
image
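Added example, not code from FLOSS or from this repo: a small filter over FLOSS's JSON report that keeps only the decoded strings matching known Win32 export names, which is one way to cut through the ~1k library strings mentioned above. The report below is constructed, and the JSON field names (`strings.decoded_strings[].string`, `decoding_routine`) as well as the `floss -j --no stack tight` invocation are assumptions about FLOSS 2.x.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample of a FLOSS JSON report. A real one would come from
# something like `floss -j --no stack tight sample.exe > floss.json`
# (flag names and field names are assumptions, not taken from the thread).
FLOSS_JSON = json.dumps({
    "strings": {
        "static_strings": [{"string": "!This program cannot be run in DOS mode."}],
        "stack_strings": [],
        "tight_strings": [],
        "decoded_strings": [
            {"string": "LoadLibraryA", "decoded_at": 0x401230, "decoding_routine": 0x401000},
            {"string": "GetProcAddress", "decoded_at": 0x401240, "decoding_routine": 0x401000},
            {"string": "MessageBoxA", "decoded_at": 0x401250, "decoding_routine": 0x401000},
            {"string": "__acrt_iob_func", "decoded_at": 0x401260, "decoding_routine": 0x401000},
            {"string": "vector<T> too long", "decoded_at": 0x401270, "decoding_routine": 0x401000},
        ],
    }
})

# Hypothetical allow-list of exports the analyst wants surfaced; in practice
# this would be built from the export tables of kernel32/user32 etc.
API_NAMES = {"LoadLibraryA", "GetProcAddress", "MessageBoxA", "VirtualAlloc", "CreateProcessA"}


def decoded_api_calls(report_json: str, api_names: Iterable[str]) -> Dict[str, List[str]]:
    """Group decoded strings by the decoding routine FLOSS attributed them to,
    keeping only those that match a known API export name (case-insensitive)."""
    report = json.loads(report_json)
    wanted = {n.lower(): n for n in api_names}
    by_routine: Dict[str, List[str]] = {}
    for entry in report["strings"]["decoded_strings"]:
        name = wanted.get(entry["string"].lower())
        if name is None:
            continue  # CRT / STL noise pulled in by included libraries
        by_routine.setdefault(hex(entry["decoding_routine"]), []).append(name)
    return by_routine


def noise_ratio(report_json: str, api_names: Iterable[str]) -> float:
    """Fraction of decoded strings that are *not* recognised API names."""
    total = len(json.loads(report_json)["strings"]["decoded_strings"])
    kept = sum(len(v) for v in decoded_api_calls(report_json, api_names).values())
    return 1 - kept / total if total else 0.0


if __name__ == "__main__":
    for routine, names in decoded_api_calls(FLOSS_JSON, API_NAMES).items():
        print(f"decoding routine {routine}: {', '.join(names)}")
```

Grouping by `decoding_routine` is useful because every name resolved by the same hash-lookup function ends up under one address, which points straight at the routine worth inspecting in a disassembler.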
