Using Flare Floss to analyze the API hashing malware. #2

@caleblawrence

Description

Hello guys! We talked a bit after the talk and I mentioned how Flare Floss can be used to automatically deobfuscate hashed data. I tried running it on the api hash binary and it outputs the hashed function calls in the screenshot below (kernel and user strings). https://github.com/mandiant/flare-floss

[screenshot: FLOSS output listing the decoded kernel and user strings]

It does output a lot of strings (around 1k). I think this is just because of the include statements at the top and everything being put into the binary.

Anyway I thought I would share this. It's pretty cool how they use heuristics to identify the decoding functions which means even brand new encryptions/hashing methods are still deobfuscated.

Of course running this on every single binary would not be practical as it can take a fair bit of time. In this case you could turn off the tightstrings and stackstrings feature which speeds it up a lot (just doing api call hashing doesn't require those two checks).

Thanks for the awesome talk and for answering all my questions at the end. Feel free to close this or do whatever - I just opened it to show you guys what I discovered. :)
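Added example, not code from the issue or from FLOSS: the manual counterpart of what the tool recovers here, hashing a known export list with a candidate algorithm and looking observed hash constants back up to API names. The ROR13 and djb2-style routines, the export list and the "observed" hashes are assumptions constructed for the demo, since the issue does not say which hash the sample uses.

```python
from typing import Callable, Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13 accumulate hash (a widely documented API-hashing style; assumed here)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32  # ROR 13 on a 32-bit register
        h = (h + b) & MASK32
    return h


def djb2_hash(name: str) -> int:
    """djb2-style hash (h = h*33 + c), assumed as a second candidate algorithm."""
    h = 5381
    for b in name.encode("ascii"):
        h = (h * 33 + b) & MASK32
    return h


def build_table(exports: Iterable[str], hasher: Callable[[str], int]) -> Dict[int, str]:
    """Hash every known export name once so observed constants can be resolved by lookup."""
    return {hasher(name): name for name in exports}


def resolve(observed: Iterable[int], table: Dict[int, str]) -> List[Optional[str]]:
    """Map each observed hash to a name; None marks a hash no known export produced."""
    return [table.get(h & MASK32) for h in observed]


# Constructed sample export list (a handful of kernel32 names; not a full export table).
KERNEL32_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileA", "WriteFile"]


def demo() -> List[Optional[str]]:
    """Constructed scenario: three constants pulled from a sample, one of them unknown."""
    table = build_table(KERNEL32_EXPORTS, ror13_hash)
    observed = [ror13_hash("VirtualAlloc"), ror13_hash("GetProcAddress"), 0xDEADBEEF]
    return resolve(observed, table)


if __name__ == "__main__":
    for h, name in zip([ror13_hash("VirtualAlloc"), ror13_hash("GetProcAddress"), 0xDEADBEEF], demo()):
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```

An unresolved constant is the signal to try another algorithm (or another export table), which is exactly the guesswork FLOSS's emulation-based heuristics are meant to remove.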
