Yara Analysis
KringleCon - Entry
Solution
First I tried to look at the yara_rules file, but it was wicked long. Then I decided to just run the app in order to trigger the rule block. I was hoping to then be able to go into a log file and find the rule that tripped, but the rule was put on the terminal output right there for me.
So rule 135 is what tripped. Let's see what that does.
It looks like it pops on anything that has the string candycane in it? The file hash is in SHA-256 as well.
Can I just change the SHA hash of the file? First let's make sure it matches. It doesn't?
I ran xxd on the binary and scrolled through quickly; it references the candycane string:
Let's edit with xxd. First I open the ELF bin in vim, then I type:
:%! xxd -b
I did a search for /cand to jump to the exact spot I want to be in:
Whoops! Wrong spot, I had to search for /can to find the right instance of it.
Then I just changed the c to a b, for 'bandycane', then tried to run the program. I got a ton of errors:
Oh, I have to go back to regular vim mode: xxd -r.
Ok, I ended the terminal session then opened it back up. I opened vim again, went into xxd mode, and changed the c to C (63 to 43 in hex). After reversing the file with xxd -r, I wrote it out and tried to run the bin. Well, it bypassed that rule; now it hit rule 1035.
What's in rule 1035?
Can I just make the file longer? Found the following command via Google:
dd if=/dev/null of=largerfile.txt bs=1 count=0 seek=16777216
That shows it as 16M now!
Oh fuck me, it hit yara rule 1056 both times, not 1035 lolol.
What's this one?
Well, I can't get rid of libc.so.6, but I can probably dump this rogram!! bit.
I nulled out rogram!!.
Now it popped for rule 1732.
Ok now let's pad it out over 50KB.
dd if=/dev/null of=the_critical_elf_app bs=1 count=0 seek=51000
Popped for same rule:
Can I change the 02 to 00?
Boom, that was it!!
Maybe the padding would have worked if I had used truncate? Idk. Doesn't seem to really matter that much.
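To make the defender's lesson in this write-up explicit, here is an added example (mine, not the write-up's and not part of the challenge) that re-creates the three kinds of rule condition the write-up ran into as plain Python over a constructed ELF-like byte string, then replays the write-up's edits against them and against a hardened variant. The rule bodies, the size caps, the sample bytes, and the assumption that the "02" changed was the ELF e_type byte at offset 16 are all constructed here; the real yara_rules file is not reproduced.

```python
import hashlib

# Constructed stand-in for a small ELF binary; NOT the challenge's the_critical_elf_app.
SAMPLE = bytearray(
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9     # e_ident (16 bytes)
    + b"\x02\x00"                            # e_type = 2 (ET_EXEC), offset 16 (assumed target of the 02->00 edit)
    + b"\x3e\x00" + b"\x00" * 44             # rest of the 64-byte header, zeroed for the example
    + b"candycane\x00libc.so.6\x00"          # the two strings the write-up says rules keyed on
    + b"\x00" * 1000
)

def u32le(data, off):
    """yara's uint32(off): little-endian 32-bit read."""
    return int.from_bytes(data[off:off + 4], "little")

def has_string(data, s, nocase=False):
    """yara-style ascii string match; nocase emulates the `nocase` modifier."""
    if nocase:
        return s.lower() in bytes(data).lower()
    return s in bytes(data)

# Rule A (constructed): one case-sensitive string. The sha256 in a yara `meta`
# block is informational only, so it is deliberately absent from the condition.
def rule_a_fires(data):
    return has_string(data, b"candycane")

# Rule B (constructed): ELF magic, all strings, and a filesize cap.
def rule_b_fires(data, cap=16 * 1024):
    return (u32le(data, 0) == 0x464C457F
            and len(data) < cap
            and all(has_string(data, s) for s in (b"candycane", b"libc.so.6")))

# Rule C (constructed): ELF magic, filesize < 50KB (yara's KB is 1024), pinned header byte.
def rule_c_fires(data, cap=50 * 1024):
    return u32le(data, 0) == 0x464C457F and len(data) < cap and data[16] == 0x02

# Hardened variant: nocase strings, no size cap, no pinned header byte beyond the magic.
def hardened_fires(data):
    return (u32le(data, 0) == 0x464C457F
            and all(has_string(data, s, nocase=True) for s in (b"candycane", b"libc.so.6")))

def pad_to(data, size):
    """Emulate `dd if=/dev/null of=... bs=1 count=0 seek=size`: grow the file with zeros."""
    out = bytearray(data)
    out.extend(b"\x00" * (size - len(out)))
    return bytes(out)

def apply_writeup_edits(data):
    """Replay the write-up's edits: 'c'->'C' (0x63->0x43), pad to 51000 bytes, 02->00 at offset 16."""
    out = bytearray(data)
    out[out.find(b"candycane")] = 0x43
    out = bytearray(pad_to(out, 51000))
    out[16] = 0x00
    return bytes(out)

def evaluate(data):
    """Return the sha256 and each rule's verdict so the effect of every edit is visible."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "rule_a": rule_a_fires(data),
        "rule_b": rule_b_fires(data),
        "rule_c": rule_c_fires(data),
        "hardened": hardened_fires(data),
    }

if __name__ == "__main__":
    for label, blob in (("original", bytes(SAMPLE)),
                        ("padded only", pad_to(SAMPLE, 51000)),
                        ("all edits", apply_writeup_edits(SAMPLE))):
        print(label, evaluate(blob))
```

Each edit defeats exactly one brittle condition: flipping one byte of a case-sensitive string, growing the file past a `filesize <` cap, or changing a pinned header byte, while the SHA-256 recorded in a rule's `meta` never took part in matching at all. A rule built on `nocase` strings plus the ELF magic still fires on the fully edited file. Note also that yara's `KB` is 1024 bytes, so if a rule's bound was `filesize < 50KB`, a 51000-byte file is still under it (50 * 1024 = 51200), which is consistent with the padding alone popping the same rule.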