search

mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0
517 stars 157 forks source link

resolve API via shellcode hash #175

Open mr-tz opened 3 years ago

mr-tz commented 3 years ago

Summary

Generic way to identify shellcode hashing functions. See #166

Features

re-fox commented 3 years ago

I took a quick initial look at this

Here's a basic block from sample 8bac633f24d21e9f88425e0d3fbaf5c5

0x10004620      ror ecx, 0xd
0x10004623      movsx eax, al
0x10004626      lea edx, [edx + 1]
0x10004629      add ecx, eax
0x1000462b      mov al, byte [edx]
0x1000462d      test al, al
0x1000462f      jne 0x10004620

Along with the extracted features

bb  : 0x10004620: basic block
bb  : 0x10004620: characteristic(tight loop)
insn: 0x10004620: number(0xD)
insn: 0x10004620: number/x32(0xD)
insn: 0x10004620: mnemonic(ror)
insn: 0x10004623: mnemonic(movsx)
insn: 0x10004626: offset(0x1)
insn: 0x10004626: offset/x32(0x1)
insn: 0x10004626: mnemonic(lea)
insn: 0x10004629: mnemonic(add)
insn: 0x1000462b: offset(0x0)
insn: 0x1000462b: offset/x32(0x0)
insn: 0x1000462b: mnemonic(mov)
insn: 0x1000462d: mnemonic(test)
insn: 0x1000462f: mnemonic(jnz)

The following rule should be a reasonable candidate for an cursory ROR 0xD rule. I'm sure there are more variants with instructions broken up that will need to be accounted for.

rule:
  meta:
    name: resolve function by hash ror 13
    namespace: linking/runtime-linking
    author: "@_re_fox"
    scope: basic block
    mbc:
      - Execution::Shared Modules [T1129]
    examples:
  features:
    - and:
      - mnemonic: ror
      - mnemonic: add
      - number: 0xd
      - characteristic: tight loop

I'll stress test the rule and put up an initial PR.

This issue will probably be open for a moment, there are many more algorithms to hunt for (https://github.com/fireeye/flare-ida/blob/master/shellcode_hashes/make_sc_hash_db.py).

re-fox commented 3 years ago

After giving this a closer look, I may have been overly optimistic.

Basic blocks like 0x6545E4B0 in sample capa-testfiles/0761142efbda6c4b1e801223de723578.dll_ make this more difficult.
Large basic blocks with many arithmetic instructions.

There are a couple ways to proceed forward.

One option is to limit the number of instruction/mnemonic hits with count.

Another option is to consider more tightly matching on the mnemonic -> constant relationship. There was an issue created for this. The primary problem with this approach is that it begins to converge on pattern matching within binaries, which is probably out of scope.

mr-tz commented 3 years ago

some relevant features from 2c541f...

getting features for current function 0x1400024F4
func: 0x1400024f4: characteristic(loop)
insn: 0x140002503: offset(0x3C) = IMAGE_DOS_HEADER.e_lfanew
insn: 0x14000250c: offset(0x88) = IMAGE_NT_HEADERS64.OptionalHeader.DataDirectory.VirtualAddress
insn: 0x140002514: mnemonic(add)
insn: 0x140002545: number(0x65)
insn: 0x140002545: mnemonic(imul)
williballenthin commented 1 year ago

alternative strategy is to generate rules from shellcode_hashes that look for the hash values themselves. there are 48 algorithms implemented there today (and 721k hash values total). we could take the dozen or so most common APIs to be obfuscated by hash (socket, VirtualProtect, AdjustTokenPrivilege, etc.) and emit rules like:

name: reference API via hash rot13
3 or more:
  - 0x12343324 = rot13(socket)
  - 0x34294329 = rot13(AdjustTokenPrivileges)
  - 0x65659956 = rot13(VirtualProtect)
  - ...

so this would add around 50 new rules and maybe 600 new number features. that being said, i dont think most of these will hit very often, so that's not awesome (we should profile before/after to ensure the performance hit isn't too bad). but, if it leads an analyst to the right algorithm quickly, that's a big win. i think it should be pretty easy to generate these, so I'm inclined to try this out.

williballenthin commented 1 year ago

explored the prevalence of shellcode hashes in VT with process written up here: http://www.williballenthin.com/post/shellcode-hash-prevalence/

   9162 sll1AddHash32
    391 ror13AddHash32
     95 crc32
     75 ror13AddHash32AddDll
     59 rol5XorHash32
     27 poisonIvyHash
     23 shr2Shl5XorHash32
     16 rol7XorHash32
     16 imul83hAdd
     13 or21hXorRor11Hash32
     12 fnv1Xor67f
      9 xorShr8Hash32
      7 ror9AddHash32
      7 ror13AddHash32Sub20h
      5 ror13AddWithNullHash32
      5 crc32Xor0xca9d4d4e
      5 addRor4WithNullHash32
      5 addRor13Hash32
      5 addRol5HashOncemore32
      5 add1505Shl5Hash32
      4 shl7Shr19AddHash32
      4 ror7AddHash32
      4 rol7AddHash32
      4 chAddRol8Hash32
      3 xorRol9Hash32
      3 ror13AddHash32Sub1
      3 ror11AddHash32
      3 rol9XorHash32
      3 rol9AddHash32
      3 rol3XorHash32
      3 playWith0xe8677835Hash
      3 hash_Carbanak
      2 rol3XorEax
      2 mult21AddHash32
      2 imul21hAddHash32
      2 addRor13HashOncemore32
      1 shl7SubHash32DoublePulser
      1 shift0x82F63B78
      1 ror13AddHash32DllSimple
      1 rol8Xor0xB0D4D06Hash32
      1 rol7AddXor2Hash32
      1 rol5AddHash32
      1 hash_ror13AddUpperDllnameHash32
      1 dualaccModFFF1Hash
      1 crc32bzip2lower
      1 adler32_666
williballenthin commented 1 year ago

i took the results from above and included only hashes with more than 10 hits (arbitrarily):


import urllib
import sqlite3
import binascii
import textwrap
import collections

db = sqlite3.connect("./shellcode_hashes/sc_hashes.db")
conn = db.cursor()
cursor = conn.execute('''
  SELECT symbol_name, hash_name, hash_size, hash_val 
  FROM symbol_hashes
  INNER JOIN hash_types ON symbol_hashes.hash_type = hash_types.hash_type
  WHERE symbol_name IN (
    "LoadLibraryA", 
    "LoadLibraryW", 
    "GetProcAddress", 
    "VirtualAlloc", 
    "VirtualProtect", 
    "CreateRemoteThread", 
    "WriteProcessMemory",
    "socket",
    "InternetOpenA",
    "InternetOpenW",
    "GetVersion",
    "WSAStartup",
    "Sleep"
  )
  ORDER BY symbol_name, hash_name;
''')

hashes = collections.defaultdict(dict)
for symbol_name, hash_name, hash_size, hash_val in cursor.fetchall():
    assert hash_size == 32
    hashes[hash_name][symbol_name] = hash_val

for hash_name, symbols in sorted(hashes.items()):
    if hash_name not in ("sll1AddHash32", "ror13AddHash32", "crc32", "ror13AddHash32AddDll",
                         "rol5XorHash32", "poisonIvyHash", "shr2Shl5XorHash32", "rol7XorHash32", 
                         "imul83hAdd", "or21hXorRor11Hash32", "fnv1Xor67f"):
        continue

    numbers = []
    for symbol_name, hash_val in sorted(symbols.items()):
        content = binascii.hexlify(hash_val.to_bytes(4, "little")).decode("ascii").upper()
        numbers.append(f'      - number: {hex(hash_val)} = {hash_name}({symbol_name})')

    rule = """
rule:
  meta:
    name: references API by hash {hash_name}
    namespace: linking/runtime-linking/shellcode-hash
    authors:
      - william.ballenthin@mandiant.com
    scope: function
    references:
      - https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
      - https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
  features:
    - 3 or more:
{numbers}
""".format(hash_name=hash_name, numbers="\n".join(numbers))

    print(rule)
rule:
  meta:
    name: references API by hash crc32
    namespace: linking/runtime-linking/shellcode-hash
    authors:
      - william.ballenthin@mandiant.com
    scope: function
    references:
      - https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
      - https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
  features:
    - 3 or more:
      - number: 0xff808c10 = crc32(CreateRemoteThread)
      - number: 0xc97c1fff = crc32(GetProcAddress)
      - number: 0x4ccf1a0f = crc32(GetVersion)
      - number: 0xda16a83d = crc32(InternetOpenA)
      - number: 0x2ec21d6c = crc32(InternetOpenW)
      - number: 0x3fc1bd8d = crc32(LoadLibraryA)
      - number: 0xcb1508dc = crc32(LoadLibraryW)
      - number: 0xcef2eda8 = crc32(Sleep)
      - number: 0x9ce0d4a = crc32(VirtualAlloc)
      - number: 0x10066f2f = crc32(VirtualProtect)
      - number: 0xa0f5fc93 = crc32(WSAStartup)
      - number: 0x4f58972e = crc32(WriteProcessMemory)
      - number: 0x5e568bb = crc32(socket)

rule:
  meta:
    name: references API by hash fnv1Xor67f
    namespace: linking/runtime-linking/shellcode-hash
    authors:
      - william.ballenthin@mandiant.com
    scope: function
    references:
      - https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
      - https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
  features:
    - 3 or more:
      - number: 0xc398c21c = fnv1Xor67f(CreateRemoteThread)
      - number: 0xf8f4515a = fnv1Xor67f(GetProcAddress)
      - number: 0x3a2f51e6 = fnv1Xor67f(GetVersion)
      - number: 0xe23b9098 = fnv1Xor67f(InternetOpenA)
      - number: 0xd03b7cee = fnv1Xor67f(InternetOpenW)
      - number: 0x53b20170 = fnv1Xor67f(LoadLibraryA)
      - number: 0x41b1ecc6 = fnv1Xor67f(LoadLibraryW)
      - number: 0x2fa62ad7 = fnv1Xor67f(Sleep)
      - number: 0x328537e = fnv1Xor67f(VirtualAlloc)
      - number: 0x8206278c = fnv1Xor67f(VirtualProtect)
      - number: 0x20125a20 = fnv1Xor67f(WSAStartup)
      - number: 0xc0088895 = fnv1Xor67f(WriteProcessMemory)
      - number: 0x90127013 = fnv1Xor67f(socket)

rule:
  meta:
    name: references API by hash imul83hAdd
    namespace: linking/runtime-linking/shellcode-hash
    authors:
      - william.ballenthin@mandiant.com
    scope: function
    references:
      - https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
      - https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
  features:
    - 3 or more:
      - number: 0x71469c9c = imul83hAdd(CreateRemoteThread)
      - number: 0x9ab9b854 = imul83hAdd(GetProcAddress)
      - number: 0x8e4423da = imul83hAdd(GetVersion)
      - number: 0x8c4b642 = imul83hAdd(InternetOpenA)
      - number: 0x8c4b658 = imul83hAdd(InternetOpenW)
      - number: 0x7f201f78 = imul83hAdd(LoadLibraryA)
      - number: 0x7f201f8e = imul83hAdd(LoadLibraryW)
      - number: 0xbf858053 = imul83hAdd(Sleep)
      - number: 0xde893462 = imul83hAdd(VirtualAlloc)
      - number: 0x6c6ec404 = imul83hAdd(VirtualProtect)
      - number: 0xb3522634 = imul83hAdd(WSAStartup)
      - number: 0xa11bea85 = imul83hAdd(WriteProcessMemory)
      - number: 0xa6402d9f = imul83hAdd(socket)

rule:
  meta:
    name: references API by hash or21hXorRor11Hash32
    namespace: linking/runtime-linking/shellcode-hash
    authors:
      - william.ballenthin@mandiant.com
    scope: function
    references:
      - https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
      - https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
  features:
    - 3 or more:
      - number: 0xdf8469b4 = or21hXorRor11Hash32(CreateRemoteThread)
      - number: 0x3366cd77 = or21hXorRor11Hash32(GetProcAddress)
      - number: 0x57536a6e = or21hXorRor11Hash32(GetVersion)
      - number: 0xa9657c76 = or21hXorRor11Hash32(InternetOpenA)
      - number: 0xa965cc76 = or21hXorRor11Hash32(InternetOpenW)
      - number: 0x94d07c92 = or21hXorRor11Hash32(LoadLibraryA)
      - number: 0x94d0cc92 = or21hXorRor11Hash32(LoadLibraryW)
      - number: 0x20c558ca = or21hXorRor11Hash32(Sleep)
      - number: 0x8c552db6 = or21hXorRor11Hash32(VirtualAlloc)
      - number: 0x74631d3f = or21hXorRor11Hash32(VirtualProtect)
      - number: 0x4cd71aa6 = or21hXorRor11Hash32(WSAStartup)
      - number: 0x8f022e10 = or21hXorRor11Hash32(WriteProcessMemory)
      - number: 0x2ec5991a = or21hXorRor11Hash32(socket)

rule:
  meta:
    name: references API by hash poisonIvyHash
    namespace: linking/runtime-linking/shellcode-hash
    authors:
      - william.ballenthin@mandiant.com
    scope: function
    references:
      - https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
      - https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
  features:
    - 3 or more:
      - number: 0xcf4a7f65 = poisonIvyHash(CreateRemoteThread)
      - number: 0xffc97c1f = poisonIvyHash(GetProcAddress)
      - number: 0x42f13d06 = poisonIvyHash(GetVersion)
      - number: 0x8ab0b534 = poisonIvyHash(InternetOpenA)
      - number: 0x962800e3 = poisonIvyHash(InternetOpenW)
      - number: 0x4134d1ad = poisonIvyHash(LoadLibraryA)
      - number: 0x5dac647a = poisonIvyHash(LoadLibraryW)
      - number: 0xac136ba = poisonIvyHash(Sleep)
      - number: 0x4402890e = poisonIvyHash(VirtualAlloc)
      - number: 0x79c3d4bb = poisonIvyHash(VirtualProtect)
      - number: 0xbba4d88f = poisonIvyHash(WSAStartup)
      - number: 0xe9bbad5 = poisonIvyHash(WriteProcessMemory)
      - number: 0x8eb460e1 = poisonIvyHash(socket)

rule:
  meta:
    name: references API by hash rol5XorHash32
    namespace: linking/runtime-linking/shellcode-hash
    authors:
      - william.ballenthin@mandiant.com
    scope: function
    references:
      - https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
      - https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
  features:
    - 3 or more:
      - number: 0xca306453 = rol5XorHash32(CreateRemoteThread)
      - number: 0xe5b6b6db = rol5XorHash32(GetProcAddress)
      - number: 0x4d14af33 = rol5XorHash32(GetVersion)
      - number: 0x81548ce = rol5XorHash32(InternetOpenA)
      - number: 0x81548d8 = rol5XorHash32(InternetOpenW)
      - number: 0xb4a1003b = rol5XorHash32(LoadLibraryA)
      - number: 0xb4a1002d = rol5XorHash32(LoadLibraryW)
      - number: 0x70798d0 = rol5XorHash32(Sleep)
      - number: 0xa48d8a33 = rol5XorHash32(VirtualAlloc)
      - number: 0x4a155a82 = rol5XorHash32(VirtualProtect)
      - number: 0x2e264ec4 = rol5XorHash32(WSAStartup)
      - number: 0x2a466170 = rol5XorHash32(WriteProcessMemory)
      - number: 0xe0c020d4 = rol5XorHash32(socket)

rule:
  meta:
    name: references API by hash rol7XorHash32
    namespace: linking/runtime-linking/shellcode-hash
    authors:
      - william.ballenthin@mandiant.com
    scope: function
    references:
      - https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
      - https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
  features:
    - 3 or more:
      - number: 0xe61874b3 = rol7XorHash32(CreateRemoteThread)
      - number: 0x1fc0eaee = rol7XorHash32(GetProcAddress)
      - number: 0xcb932ce2 = rol7XorHash32(GetVersion)
      - number: 0x8593dd7 = rol7XorHash32(InternetOpenA)
      - number: 0x8593dc1 = rol7XorHash32(InternetOpenW)
      - number: 0xc8ac8026 = rol7XorHash32(LoadLibraryA)
      - number: 0xc8ac8030 = rol7XorHash32(LoadLibraryW)
      - number: 0x3d9972f5 = rol7XorHash32(Sleep)
      - number: 0x697a6afe = rol7XorHash32(VirtualAlloc)
      - number: 0xa9de6f5a = rol7XorHash32(VirtualProtect)
      - number: 0xcdde757d = rol7XorHash32(WSAStartup)
      - number: 0xbea0bf35 = rol7XorHash32(WriteProcessMemory)
      - number: 0xfc7af16a = rol7XorHash32(socket)

rule:
  meta:
    name: references API by hash ror13AddHash32
    namespace: linking/runtime-linking/shellcode-hash
    authors:
      - william.ballenthin@mandiant.com
    scope: function
    references:
      - https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
      - https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
  features:
    - 3 or more:
      - number: 0x72bd9cdd = ror13AddHash32(CreateRemoteThread)
      - number: 0x7c0dfcaa = ror13AddHash32(GetProcAddress)
      - number: 0xcfd98161 = ror13AddHash32(GetVersion)
      - number: 0x57e84429 = ror13AddHash32(InternetOpenA)
      - number: 0x57e8443f = ror13AddHash32(InternetOpenW)
      - number: 0xec0e4e8e = ror13AddHash32(LoadLibraryA)
      - number: 0xec0e4ea4 = ror13AddHash32(LoadLibraryW)
      - number: 0xdb2d49b0 = ror13AddHash32(Sleep)
      - number: 0x91afca54 = ror13AddHash32(VirtualAlloc)
      - number: 0x7946c61b = ror13AddHash32(VirtualProtect)
      - number: 0x3bfcedcb = ror13AddHash32(WSAStartup)
      - number: 0xd83d6aa1 = ror13AddHash32(WriteProcessMemory)
      - number: 0x492f0b6e = ror13AddHash32(socket)

rule:
  meta:
    name: references API by hash ror13AddHash32AddDll
    namespace: linking/runtime-linking/shellcode-hash
    authors:
      - william.ballenthin@mandiant.com
    scope: function
    references:
      - https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
      - https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
  features:
    - 3 or more:
      - number: 0x799aacc6 = ror13AddHash32AddDll(CreateRemoteThread)
      - number: 0x7802f749 = ror13AddHash32AddDll(GetProcAddress)
      - number: 0x9dbd95a6 = ror13AddHash32AddDll(GetVersion)
      - number: 0xa779563a = ror13AddHash32AddDll(InternetOpenA)
      - number: 0xa829563a = ror13AddHash32AddDll(InternetOpenW)
      - number: 0x726774c = ror13AddHash32AddDll(LoadLibraryA)
      - number: 0x7d6774c = ror13AddHash32AddDll(LoadLibraryW)
      - number: 0xe035f044 = ror13AddHash32AddDll(Sleep)
      - number: 0xe553a458 = ror13AddHash32AddDll(VirtualAlloc)
      - number: 0xc38ae110 = ror13AddHash32AddDll(VirtualProtect)
      - number: 0x8b4978af = ror13AddHash32AddDll(WSAStartup)
      - number: 0xe7bdd8c5 = ror13AddHash32AddDll(WriteProcessMemory)
      - number: 0x7861e240 = ror13AddHash32AddDll(socket)

rule:
  meta:
    name: references API by hash shr2Shl5XorHash32
    namespace: linking/runtime-linking/shellcode-hash
    authors:
      - william.ballenthin@mandiant.com
    scope: function
    references:
      - https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
      - https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
  features:
    - 3 or more:
      - number: 0x7e8cc469 = shr2Shl5XorHash32(CreateRemoteThread)
      - number: 0x935034af = shr2Shl5XorHash32(GetProcAddress)
      - number: 0xfa129d1a = shr2Shl5XorHash32(GetVersion)
      - number: 0x3dd6e351 = shr2Shl5XorHash32(InternetOpenA)
      - number: 0x3dd6e34b = shr2Shl5XorHash32(InternetOpenW)
      - number: 0xf08a755b = shr2Shl5XorHash32(LoadLibraryA)
      - number: 0xf08a7565 = shr2Shl5XorHash32(LoadLibraryW)
      - number: 0x650211cd = shr2Shl5XorHash32(Sleep)
      - number: 0x8abf0222 = shr2Shl5XorHash32(VirtualAlloc)
      - number: 0xbd9c0637 = shr2Shl5XorHash32(VirtualProtect)
      - number: 0x4b1d14c4 = shr2Shl5XorHash32(WSAStartup)
      - number: 0xd51e7b84 = shr2Shl5XorHash32(WriteProcessMemory)
      - number: 0x7fd77e67 = shr2Shl5XorHash32(socket)

rule:
  meta:
    name: references API by hash sll1AddHash32
    namespace: linking/runtime-linking/shellcode-hash
    authors:
      - william.ballenthin@mandiant.com
    scope: function
    references:
      - https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
      - https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
  features:
    - 3 or more:
      - number: 0x33cd714 = sll1AddHash32(CreateRemoteThread)
      - number: 0x348bfa = sll1AddHash32(GetProcAddress)
      - number: 0x34990 = sll1AddHash32(GetVersion)
      - number: 0x1af002 = sll1AddHash32(InternetOpenA)
      - number: 0x1af02e = sll1AddHash32(InternetOpenW)
      - number: 0xd5786 = sll1AddHash32(LoadLibraryA)
      - number: 0xd57b2 = sll1AddHash32(LoadLibraryW)
      - number: 0x1abc = sll1AddHash32(Sleep)
      - number: 0xe3142 = sll1AddHash32(VirtualAlloc)
      - number: 0x38d13c = sll1AddHash32(VirtualProtect)
      - number: 0x39314 = sll1AddHash32(WSAStartup)
      - number: 0x3980f62 = sll1AddHash32(WriteProcessMemory)
      - number: 0x36a4 = sll1AddHash32(socket)
williballenthin commented 1 year ago

image

williballenthin commented 1 year ago

yara matches against samples in our corpus, annotated with capa matches using above shellcode hash rules. disappointing that these don't hit?

edit: upon triaging, many of these hashes show up onsey-twosey, not all grouped in the same function, so the 3 or more clause is too restrictive. i've changed the rule logic to be scope: basic block and or instead of 3 or more.

❯ yara sc_hashes.yar tests/data/
sc_hash_rol7XorHash32 tests/data//50d5ee1ce2ca5e30c6b1019ee64eeec2.exe_ (4 hits)
  0x71e3:$InternetOpenA: D7 3D 59 08
  0x45dd:$LoadLibraryA: 26 80 AC C8
  0x584:$VirtualAlloc: FE 6A 7A 69
  0x658:$VirtualAlloc: FE 6A 7A 69
  0x5b13:$VirtualAlloc: FE 6A 7A 69
sc_hash_add1505Shl5Hash32 tests/data//6be0ae5cb7c3155f70d608fc7670d2d9.exe_ (not in proposed ruleset)
  0x1019e:$GetProcAddress: 1F BB 31 CF
  0x10094:$GetVersion: 8B 61 82 27
  0x1ce02:$InternetOpenA: A1 70 AD F4
  0xf44d:$LoadLibraryA: FB F0 BF 5F
  0xfa84:$LoadLibraryA: FB F0 BF 5F
  0x1003b:$LoadLibraryW: 11 F1 BF 5F
  0xfc13:$Sleep: FE E5 19 0E
  0x1cefe:$WSAStartup: 83 C6 28 61
sc_hash_ror13AddHash32AddDll tests/data//c1969efd1e2be79909b880f4dbb8725e52efca82236f8a2165c5a8245393fcd6.exe_ (one hit)
  0x336aa:$InternetOpenA: 3A 56 79 A7
  0x3369c:$LoadLibraryA: 4C 77 26 07
  0x338d8:$VirtualAlloc: 58 A4 53 E5
sc_hash_rol7XorHash32 tests/data//2d3edc218a90f03089cc01715a9f047f.exe_ (no hits, stored in global table)
  0x99a6:$GetProcAddress: EE EA C0 1F
  0x99aa:$LoadLibraryA: 26 80 AC C8
  0x99b6:$Sleep: F5 72 99 3D
  0x99ba:$VirtualAlloc: FE 6A 7A 69 
sc_hash_rol5XorHash32 tests/data//a933a1a402775cfa94b6bee0963f4b46.dll_ (no hits, shellcode in file overlay)
  0x34eab:$GetProcAddress: DB B6 B6 E5
  0x34ea6:$LoadLibraryA: 3B 00 A1 B4
  0x34e9c:$VirtualAlloc: 33 8A 8D A4
  0x34eb5:$VirtualProtect: 82 5A 15 4A
sc_hash_rol7XorHash32 tests/data//daa13ae302fe8b618ddbf590537443ef.exe_ (function @ 0x4195C6)
  0x1aa2f:$GetProcAddress: EE EA C0 1F
  0x19372:$LoadLibraryA: 26 80 AC C8
  0x19713:$LoadLibraryA: 26 80 AC C8
  0x1a98e:$Sleep: F5 72 99 3D
  0x196c8:$VirtualAlloc: FE 6A 7A 69
  0x1973d:$VirtualProtect: 5A 6F DE A9
williballenthin commented 1 year ago

sll1AddHash32 has an unfortunate set of hashes that are commonly seen numbers/constants:

sc_hash_sll1AddHash32 tests/data//112f9f0e8d349858a80dd8c14190e620.exe_
0x652da:$GetVersion: 90 49 03 00
0x653a96:$GetVersion: 90 49 03 00
0x268d5a:$Sleep: BC 1A 00 00
0x2be470:$Sleep: BC 1A 00 00
0x667d64:$Sleep: BC 1A 00 00
0x42be9a:$socket: A4 36 00 00
0x7202a2:$socket: A4 36 00 00
0x7ce844:$socket: A4 36 00 00

recommend not using this one. and probably explains why its so prevalent in the VT retrohunt.

mr-tz commented 1 year ago

Awesome, loved following along here and in the blog. This is great research and adding the modified rules should make for a great addition.