
Content

The third and final part in our series on the new Pikabot core! In this stream we complete our custom emulator to automatically extract the encrypted strings from the malware and write a few YARA rules for hunting.

Fun fact, the string extractor also works on the Pikabot loader!

Sample

39d6f7865949ae7bb846f56bff4f62a96d7277d2872fec68c09e1227e6db9206

Notes

PikaBot Is Back With a Vengeance - Part 2

Files

Live Stream VOD: Pikabot is Back - Automated String Extraction - Part 3

Comments

Gabriele

Hello Sergey, excellent job, congratulations! I tried the script and it works on some samples, only there is no C2 present in the decrypted strings, can you confirm? Also, I have tried the script on some samples obtained from VT via the YARA rule created during the live and it doesn't seem to work. I'll leave them for you if it would help:

    814d3382ee2047e8c543878a934becdfb1531fb51f80eeb1f6f69ec08ca726ae
    298f7194c59b7f8ba4dd6f4c0c727ab885e598abd623bc99a360dfe7552f34f7
    9dc0fe4122b4ec220c6c0d3f11f6ab0cbc23b23cff438818868c42e50e1e2e8c
    3316b2087e41a54a4bc60bef2058b10a645265e60f965e0c3d71da0bf5e221cd
    d488894eb98fc8cd2ed0cbeca25d4d07b8637a3376717702f9c4b64570ff64d2

Thanks again!

Gabriele

For hash a79c4a29075098abda0558c40cfc2250ab3dbae6598b7b967a43856532cbce05, function 0x412443 seems related to C2 activities, C2 decrypted at position 0x4126aa. It looks like a different version of RC4 or a custom algorithm, I think that's why the decryption doesn't work.

    004125fd 3b c7    CMP EAX,EDI
    00412638 3b f7    CMP ESI,EDI

    // decompiler output as posted; comments describe what each loop does
    do {
        abStack_310[uVar2] = (byte)uVar2;                                        // S[i] = i for i in 0..255
        uVar2 = uVar2 + 1;
    } while (uVar2 < 0x100);
    uVar2 = 0;
    do {
        bVar1 = abStack_310[uVar2];
        local_40 = (uint)bVar1 + (&local_5c)[uVar2 & 0xf] + local_40 & 0xff;     // j = (S[i] + key[i & 0xf] + j) & 0xff, 16 key entries
        abStack_310[uVar2] = abStack_310[local_40];                              // swap S[i] and S[j]
        uVar2 = uVar2 + 1;
        abStack_310[local_40] = bVar1;
        bVar1 = abStack_310[1];
    } while (uVar2 < 256);

oalabs

Yes, the c2 is not in the decrypted strings, it is stored as a global buffer of data, and is decrypted in a slightly different way.

Gabriele

Thank you! will there be a new live for C2 decryption? I also tried RussianPanda's script, however it only works on some samples.

oalabs

I wasn't planning on it as the process is very similar to the strings, you can use the same analysis approach and just apply it to the global data. If you are stuck on this I could maybe make a quick explainer but prob not a full stream.
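Editor's note with an added example. The loop Gabriele pasted above has the shape of an RC4 key-scheduling step (identity fill, then j = (S[i] + key[i & 0xf] + j) & 0xff with a swap), and oalabs' reply says the same analysis approach used for the strings applies to the global C2 buffer. The Python below is not code from the stream, from OALabs or from the commenters; it re-expresses the pasted loop so a reader can test a candidate key and buffer lifted from a sample. Everything beyond the pasted loop is an assumption and is marked as one in the code: that the 16 key entries are bytes (the decompiler's `(&local_5c)[i & 0xf]` could equally be dword-sized), that `local_40` starts at 0, and that the output stage is the standard RC4 keystream generator, which the comment does not show. The RFC 6229 test vector only proves the code is correct RC4 for a 16-byte key, not that Pikabot uses it unchanged.

```python
"""Reimplementation of the key-scheduling loop pasted in the comments, plus a
standard RC4 output stage, for testing candidate keys against a global buffer.
Added editorial example; not the stream's emulator code."""
from __future__ import annotations

# ASSUMPTION: key entries are bytes. If the decompiler typed local_5c as a
# dword, set this to 4 so the 16 entries are read with a 4-byte stride.
KEY_ELEMENT_SIZE = 1


def ksa_masked(key: bytes) -> list[int]:
    """Mirror of the decompiled loops: S[i] = i, then for each i
    j = (S[i] + key[i & 0xf] + j) & 0xff and swap S[i], S[j].
    The 0xf mask means exactly 16 key elements are ever read."""
    if len(key) != 16 * KEY_ELEMENT_SIZE:
        raise ValueError("the masked lookup reads exactly 16 key elements")
    key_elems = [
        int.from_bytes(key[k:k + KEY_ELEMENT_SIZE], "little")
        for k in range(0, len(key), KEY_ELEMENT_SIZE)
    ]
    s = list(range(256))          # first do/while: identity fill
    j = 0                         # ASSUMPTION: local_40 starts at 0 (not shown in the paste)
    for i in range(256):          # second do/while; '+' binds before '& 0xff' in the C
        j = (s[i] + key_elems[i & 0xF] + j) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """ASSUMPTION: standard RC4 PRGA after the masked KSA. Symmetric, so the
    same call encrypts and decrypts."""
    s = ksa_masked(key)
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def keystream(key: bytes, n: int) -> bytes:
    """First n keystream bytes (XOR against zeros), for known-answer checks."""
    return rc4_crypt(key, bytes(n))


def looks_like_text(buf: bytes, min_ratio: float = 0.9) -> bool:
    """Cheap sanity check when trying candidate keys on a global buffer:
    a correct key usually yields mostly printable ASCII (plus NUL padding)."""
    if not buf:
        return False
    ok = sum(1 for b in buf if 0x20 <= b < 0x7F or b in (0, 9, 10, 13))
    return ok / len(buf) >= min_ratio


# RFC 6229 known-answer vector for a 128-bit key: with 16 byte-sized entries,
# key[i & 0xf] is identical to RC4's key[i % 16], so this must hold.
RFC6229_KEY = bytes(range(1, 17))  # 0x0102...10
RFC6229_KEYSTREAM_0 = bytes.fromhex("9ac7cc9a609d1ef7b2932899cde41b97")

if __name__ == "__main__":
    assert keystream(RFC6229_KEY, 16) == RFC6229_KEYSTREAM_0
    # Constructed demo buffer (not from a sample): a fake C2 string using an
    # RFC 5737 documentation address, encrypted under the test key.
    blob = rc4_crypt(RFC6229_KEY, b"192.0.2.10:2222\x00")
    plain = rc4_crypt(RFC6229_KEY, blob)
    print(plain, looks_like_text(plain))
```

To use it on a real sample, point `rc4_crypt` at the 16 key bytes and the ciphertext you identified in the global buffer and check the result with `looks_like_text`; if it fails, the first things to vary are `KEY_ELEMENT_SIZE`, the initial `j`, and the output stage, since those are exactly the parts the pasted decompile does not pin down.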