Cisco-Talos/locky

C2 config extraction failure

hexlax opened this issue · 2 comments

Just a heads up that the dump tool did not extract the C2s & callback path with a recent DLL:

https://www.virustotal.com/en/file/fa923a5c31e6617619c648651ada0881001fe1a8631106928acb03a7c5f13983/analysis/

I have yet to see why that might be but included the dumper output below. Thanks again for creating and sharing such a valuable tool!

```
Verbose: 0
Loaded: 60A30000
The file is a DLL
Read 312 bytes
The headers are different
   -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Exported name:
setupapi.dll
Exports: boobs
   -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
affilID: 1
Seed: 0
Delay: 31
Persist Svchost: 0
Persist Registry: 0
Ignore Russian Machines: 1
CallbackPath: <none>
C2Servers: <none>
RsaKeyID: 7C6
RsaKeySizeBytes: 114
Key Alg: A400
Key: RSA1
Key Bits: 2048
Key Exponent: 10001
Key Bytes:
        BB B5 11 7C 19 4E B1 39
        75 57 4F A6 A7 F4 05 EE
        59 F1 1A 07 20 A6 21 A8
        91 F0 20 24 DE EF 1F 85
        AF 14 A8 27 62 57 94 2C
        34 F0 8B C3 B5 BC 05 C1
        D2 D1 12 26 1E 67 86 FB
        A9 9A BE 90 A8 25 40 92
        B4 8E 1C 34 EA 2E E7 FF
        8C F7 76 22 8B 25 F5 46
        58 85 57 FD A7 EB C1 E4
        43 03 2A 61 F9 3F 58 E2
        B3 72 1F 8C C7 E3 C5 20
        8A 32 41 4E C6 A4 72 FB
        98 A4 F9 AE 5C D8 EF 5F
        27 F2 55 FE 9D 97 DF 8E
        FF DD 4D F8 24 D9 07 D0
        0F 4D BB 64 E7 FF 3C B7
        98 41 41 59 7B 86 6E D9
        D8 3B C7 2C 0E B0 05 75
        C7 F5 4A 94 6E DF 4E C9
        C1 A9 B0 C7 6A B1 16 D9
        18 27 3A 8C 79 0F E9 9A
        5F C8 BB 31 1B B7 96 86
        34 E7 3F 2A 9F 46 96 48
        78 69 D0 DE 2C 46 AD 99
        42 C3 27 CC 3A 77 B6 CB
        3B 41 38 1C 6D 1C BC E9
        74 B0 98 EB 90 C5 7A 87
        2C 93 F0 A7 D3 E0 C2 24
        CE 1E 67 E0 26 D2 6F 5A
        63 E7 96 DF 7F 3E 21 AD
```


@hexlax Sorry for the slow response.

Locky files without embedded C2 information were actually the catalyst that led to the development of this tool. Such samples immediately launch into the attack using the embedded key, Key 7C6 in this case.

No worries - I figured that might be the case. Thanks for your reply!