Tag: analysis

Deobfuscating Javascript Malware

Hello,

I just received a JavaScript sample from one of my friends. He said that this sample was sent by a malicious email address, and it seems that the bad actors are trying to trick people into clicking on the file.

Then I quickly opened up the file in a text editor and realized that the file is strongly obfuscated and cannot be read normally. So, to figure out what exactly is behind it, I have to deobfuscate the JavaScript. Then the journey begins.

The code: http://pastebin.com/uk0vk3VT (I can’t post the code here because it’s too long).
Meh, >5000 lines of code, and most of them seem to be nonsense. But I noticed at the top of the code:


function f(s) {return eval(s);};

It uses eval() to execute a variable s. And at the very end of the file, I saw:

if (c["length"] >= 12) f(c);

It calls f with c as the input. And from line 5664 to 5670, I got:

b = aj85dZA;
b = b"join";
b = b"split";
b = b"join";
b = b"split";
c = b"reverse";
c = c"join";

It takes all the data of the huge chunk above and does some tasks. I’m too lazy in this phase to rewrite the code, so I use Chrome, with a little trick, change:

function f(s) {return eval(s);};

to

function f(s) {return document.write(s);};

So when we execute the code, it will print out the value of s rather than executing it. So we can get another piece of code for the next phase. Fire up Chrome -> F12 -> Paste the modified code -> Enter, and:

[Image: js_decoded_phase1]

Pretty easy, eh? Phase 1 completed. But still, the code is obfuscated. We got more, but it seems to be really ugly since it is unstructured. I use Jsbeautifier to clean up and restructure it for a better view. In a second, we have:

Full code is at: http://pastebin.com/p332nWSa (sorry, because I don’t want to make this post very long)

From there, why can’t I use Chrome to evaluate the code? Simply, I don’t have any idea about the code, so better not to run it, because it’s too complicated to set a breakpoint or trace it down. So, what did I do?

At the very beginning of the code, I see a lot of variables which are strings. It seems that they were originally one word, but now that word is split into pieces, each one stored in a dedicated variable, and the variable’s name is randomized. So I started to think that I need to reformat all the names of those variables.

The scheme is simple: rename each variable according to its value. You just need a text editor, any one that can perform search and replace and replace them all in the whole document. In this case I chose Sublime, and it took a lot of time to finish the task, because I had to do a lot of steps with the mouse, not hotkeys. I believe that some other editors can do better.

[Image: Start the boring task]

After a while, 20-30 mins maybe, I had replaced all the names of the variables which store readable strings. Phew, I can believe that I have done a most-boring-task-ever. Then I quickly scrolled down in the file, and I got a diamond:

[Image: Voila]

So, what can you see in there? Yeah, I think that you saw some interesting things here. We have some sensitive data here. I did the magic with just “Search and Replace”. Now the next job is to combine them together and make it rock. Delete the plus (“+”) signs, or better, rewrite the code based on what you actually saw. Now everything is clear, even a kid can do that, like a Tetris game.

The obfuscation scheme is:

  • Split sensitive strings into pieces, and then obfuscate the variable names.
  • Use a lot of junk code to make it harder to read. You can see in the code that it defines some functions that only return the input “as is”.
  • Use Object[“MethodName”]() instead of the traditional object.methodName(). So it’s really hard to keep up with.
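
The manual search-and-replace pass and the three tricks listed above can be automated without ever executing the sample. The following is an added example (not code from the original post or from the malware): SAMPLE and every name in it are constructed, and the regex-based pass assumes double-quoted literals, no comments, string pieces that are assigned only once, and `+` chains that are pure string concatenation.

```javascript
// Constructed sample in the style the post describes (not the real sample): string
// pieces in randomly named variables, bracket-notation calls, an identity junk function.
const SAMPLE = [
  'var qZx1 = "WScr";',
  'var pL0k = "ipt.S";',
  'var mN7b = "hell";',
  'var tR4u = "Crea";',
  'var yU2w = "teObject";',
  'function jk9(a) { return a; }',
  'var sh = WScript[tR4u + yU2w](jk9(qZx1 + pL0k + mN7b));',
].join("\n");

const ID = "[A-Za-z_$][\\w$]*";           // identifier
const STR = '"(?:[^"\\\\]|\\\\.)*"';      // double-quoted string literal
const re = (source, flags = "g") => new RegExp(source, flags);

function deobfuscate(src) {
  // 1. Lift out `var NAME = "literal";` lines: the split string pieces (assumed assigned once).
  const pieces = new Map();
  let out = src.replace(re("^[ \\t]*var\\s+(" + ID + ")\\s*=\\s*(" + STR + ")\\s*;[ \\t]*\\n?", "gm"),
    (m, name, lit) => { pieces.set(name, lit); return ""; });

  // 2. Inline them. Literals are matched first, so a name inside a string stays untouched.
  out = out.replace(re(STR + "|(?<![\\w$.])" + ID), (tok) => (pieces.has(tok) ? pieces.get(tok) : tok));

  // 3. Find junk functions that only return their single argument "as is".
  const junkDef = "function\\s+(" + ID + ")\\s*\\(\\s*(" + ID + ")\\s*\\)\\s*\\{\\s*return\\s+\\2\\s*;?\\s*\\}";
  const junk = [...out.matchAll(re(junkDef))].map((m) => m[1].replace(/\$/g, "\\$"));

  // 4. Until nothing changes: fold "a" + "b" chains, then unwrap junk calls made on a literal.
  const chain = re(STR + "(?:\\s*\\+\\s*" + STR + ")*");
  for (let prev; prev !== out; ) {
    prev = out;
    out = out.replace(chain, (m) => '"' + m.match(re(STR)).map((l) => l.slice(1, -1)).join("") + '"');
    for (const fn of junk) out = out.replace(re("(?<![\\w$.])" + fn + "\\(\\s*(" + STR + ")\\s*\\)"), "$1");
  }

  // 5. obj["method"] -> obj.method when the key is a plain identifier.
  return out.replace(re('(?<=[\\w$)\\]])\\[\\s*"(' + ID + ')"\\s*\\]'), ".$1");
}

console.log(deobfuscate(SAMPLE));
```

The junk function definition is left in the output on purpose, since calls with a non-literal argument may still refer to it.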

Next to it, I got:

[Image: Malicious URLs]

Now we have the malicious URLs. There are 3. When I first saw them they were still active, but by this time they have removed the file from the server (just 3 days ago). Anybody interested, just do a whois.

List of malicious URLs:

http://sirimba.com.br/qiovtl
http://zakagimebel.ru/krcsvf
http://repair-service.london/uywgi7v

I posted the fully cleaned code to gist. I built it truly from the obfuscated code. Now it’s fully readable. Mission accomplished. Nothing special, just “Search and replace”, and then tidying up the code.

From the code, I can tell that it creates some WScript objects, connects to the server and downloads a file to %TEMP% with the name 0ttyR4ET9BxiI.exe. This file is encrypted; the decryption code is right below the main function. I decrypted it and uploaded it to VirusTotal. On Jul 12 only 17 AVs detected it, but by Jul 13 the number was 31 (link). It’s a ransomware (a new variant?). I wanted to post the analysis result here, but this seems to be enough; maybe in the next post we will dissect it and have some fun.

Any request for the decrypted malware, feel free to mail me (Posting it right here is not a good idea).

Enjoy and stay safe,

Regards,
Levis

[Show up] WhiteHat Grand Prix 2014 Final RE400 Challenge

Hello everyone,

This is the next show-up video, and it also wraps up the GrandPrix writeups.

This RE400 challenge is also extracted from a piece of .NET malware, a fairly common kind of dropper, so besides finding the flag, I tried to analyze it in more depth in order to share with you the method for decrypting the code, which will surely be useful when analyzing other .NET malware later on.

I have come across a number of malware samples that use a similar decrypt and drop/execute method (a typical one is the malware embedded in IDM Silent, which I analyzed in a post HERE).

.NET malware is becoming more and more common because it can be built very quickly and easily, and the .NET Framework supports it with very powerful features, so you could say the bad guys only need to come up with an idea, then click, click in VS, and the .NET Framework will finish the rest of what they want.

Saying that .NET malware is not as powerful and dangerous as native malware is not wrong, but it is not entirely right either. Cryptographic Locker is a ransomware similar to CryptoLocker, and it is written in Visual Basic .NET.

So, besides finding the flag, pay attention to the method used. You can download the RE400 file and the decryption code HERE. And below is the video:

Enjoy and best Regards,

Levis

[Beta-Testing] ShellOp converter 0.1 – Convert from Shellcode to Opcode and disasm code

Dear all,
This is my small tool called “ShellOp Converter”, which converts shellcode to opcode and also disassembles the code. I created this when working with some shellcode embedded in some viruses.
Main features:

Convert shellcode (hex string) to opcode.
The opcode can be saved to the hard disk.
Disassemble the shellcode to MASM syntax (using BeaEngine).
Fix the entered shellcode automatically (only hexadecimal characters are kept, others are ignored).

A demo picture to show how it works:
[Image: shellop]
Very simple interface, we have 5 buttons there:
-The “Convert” button: Convert shellcode to opcode and disassemble the code.
-The “Clear” button: Clear the input box
-The “Save data to file” button: Save the converted opcode to a file
-The “Copy to Clipboard” button: Copy the disassembled code to the clipboard
-The “About” button: about me and some other simple words.
Note: Still in beta testing, so all bug reports are welcome.
Download it here:
DOWNLOAD LINK UPPIT
Thanks to: Beatrix (BeaEngine’s author), all REPT’s members and REPT’s friends, and greetings to all reversers in this world
Best Regards
Levis/REPT