Ghidra: Shadow Hammer (Stage 1: Setup.exe) complete static Analysis

This is a complete static analysis of the Shadow Hammer Stage 1 Setup.exe.

The Ghidra project is available either as a shared project in the rManganese repository on the ghidra-server.org Ghidra server (see    • Ghidra: Server / Shared Projects (using gh...   on how to use this repository) or as a download from https [://] anonfile [.] com [/] 57Uan9ifne [/] ShadowHammer_2019_04_24_gar (WARNING: This is real malware!).

Materials used in the video:
Scripts: https://github.com/0x6d696368/ghidra_...
Data Type Archives: https://github.com/0x6d696368/ghidra-...
Terminus website: http://terminus.rewolf.pl/terminus/

There is now a simple stack string reassembly script: https://github.com/0x6d696368/ghidra_...

Video Contents:
00:00 - Intro
00:30 - Importing and fixing PE header (to workaround Ghidra bug)
01:40 - Quick dynamic analysis
02:16 - START of static analysis
08:21 - Finding injected shellcode (called from _crtExitProcess)
09:38 - START of analyzing shellcode
12:20 - Decoder function (to decode resource)
16:15 - START analysis of code decoded from resource
16:50 - Resolving kernel32.dll via TIB traversal
22:09 - getAddrByHash (import hiding code)
25:43 - Brute forcing function import hashes
29:37 - import resolution function (calling getAddrByHash over 5 libraries)
33:58 - START analyzing payload (target selector and C2)
35:18 - getAdapterAddresses + MD5 + comparing to target list
37:00 - Code that is executed when not a target
38:28 - C2 (code that is executed when in target list)
39:48 - END of analysis; talking about Ghidra
40:59 - END of video

ERRATA:
At 14min07sec - 0x10 is 16byte not 32 ... but it didn't make a difference, so the error went unnoticed. Edit (20200216): Someone informed me that I probably made that mistake because the code allocated 32 bytes, but then only decoded 16 bytes.