Ghidra SRE: The AZORult Field Test

From blog.yoroi.company

Introduction

One of the most anticipated moments in the infosec community during the last few months was, with no doubt, the Ghidra public release. On the 5th of March, at the RSA conference, Ghidra has been presented to the public revealing the inner details of the Software Reverse Engineering (SRE) framework that National Security Agency used for more than a decade.

Its release was a sort of “main event” for security researchers all around the globe, which immediately started exploring its functionalities to find out its place within the reversing tool panorama. Cybaze-Yoroi ZLAB team also decided to play around with it, but this time using a real case study, AZORult: one of the most active threats spreading nowadays, always using new methodologies to avoid detection. For this reason a recent AZORult sample has been chosen to field-test the NSA reverse engineering tool.

Technical Analysis

Hash12a7b79430bf3b788396009eadb6cbc4da97cba55c6653048d2dd294fa90dc3a
ThreatAzorult
Size809 KB
SSDEEP12288:KKi7ifyf5/TIEAcp2o/DZDlvs6SskijhnHW3/qgQrjSh4rNxPXJE:K6m5UYZRUokohnH4QrjCCP5E

The sample is a PE32 file apparently coded in Visual C++, containing references to major IT companies in its metadata fields like Google and Amazon.

Read more…