Emails remain a nice way to infect people: write a message with pertinent information, respect the format and style of the organization you're targeting, add some social engineering and you have a good chance that your victim will open the attached malicious file. In 2015, we saw an increase in malicious OLE documents (Microsoft Office). Those files contain VBA macros that are executed automatically or, again with a social engineering trick, the user is enticed to execute them. The detection rate by antivirus also improved with time. That's why attackers switched to other ways to infect computers. I see more and more malicious JavaScript code zipped and sent to victims. The goal remains the same: once executed, a payload is downloaded from the Internet which will try to infect the victim's computer. Of course, OLE documents as well as JavaScript scripts are obfuscated to be unreadable by humans and to defeat scanning tools. There are nice tools to analyze OLE documents: oledump.py and olevba.py are very powerful. And what about JavaScript? Here is an example of JavaScript obfuscation that I found a few days ago:

```javascript
function wd84hhhps() { return 'ev'; };
function wd84hhhps2() { return 'al'; };
this[wd84hhhps() + wd84hhhps2()](jqVGIjaTF);
```

The key point is to locate the eval() function. In the example above, it is quite easy to understand: eval() is called by concatenating the two substrings. But it's usually not so easy. You need tools to automate these tasks as much as possible. I like the JavaScript Deobfuscator. The tool has been recently upgraded and is very easy to use. Here is an example based on a malicious script I received (its VT score is 20/55).

Note: JavaScript Deobfuscator is a standalone executable (but it requires the Microsoft .NET framework 4.5). Run it and load your sample. The first step is to click on "Clues". This option will scan the code and highlight some interesting parts of it. In our example, we see that the interesting code is:

```javascript
var gzixinhp=this;
var pkelgjqh=gzixinhp[pwiynyhd];
pkelgjqh(rbhxtuqpiq);
```

If we search for "rbhxtuqpiq", we see that the variable is populated with the content of "pkwefagovz" using a for() loop. We can highlight them one by one to jump back in the code. Based on this analysis, we know that "pkelgjqh" is our obfuscated eval() function. We can now highlight it and use the "Convert" button to see the code. And finally, to make the code more readable, use the "Copy Output to Input" button followed by "Beautify". Now the script looks very simple. It contains a dl() function which downloads two malicious payloads, saves them in the %TEMP% directory using the provided name and executes them. You can now extract IOCs and, if interested, download the two binaries for further analysis. Here is a link to the analyzed content of both URLs: https://www.virustotal.com/en/url/87ea8c2ac74b9dee82955fe7c7d6d81c350b6fc22615dd7d521c1ce1227a3e09/analysis/ (Cryptowall 4.0)

This technique is not fully automated like it could be performed by a malware analysis system running a sandbox, but it helps you to really understand how the scripts are working and how attackers implement new obfuscation techniques. Happy hunting!

Xavier Mertens
Xme, 697 Posts, ISC Handler, Jan 17th 2016
Last image didn't show up in the post.
Anonymous, Jan 15th 2016
Thank you for the notification, fixed!
Xme, 697 Posts, ISC Handler, Jan 15th 2016
Good post as always Xavier! One note: the last 2 VirusTotal links accidentally point to the same URL.
Cheers! Bart @bartblaze
bartblaze, 6 Posts, Jan 15th 2016
Damn, I need more coffee. Fixed too!
Xme, 697 Posts, ISC Handler, Jan 15th 2016
Great post! When I tried to download that tool it's asking for a password... any ideas?
Ender, 4 Posts, Jan 15th 2016
It's on top of the download page:
"All files are compressed using 7-Zip with the password: kahusecurity"
Xme, 697 Posts, ISC Handler, Jan 15th 2016
Can you recommend a good resource that doesn't require me to download an exe? The environment won't allow installs of software. Does someone have a "safe" web-based deobfuscator?
Juice, 12 Posts, Jan 15th 2016
I don't know a good "online" deobfuscator, but there are many "beautifiers"...
As said in my diary, I recommend using this tool in a sandboxed environment. You can't deploy a VM?
Xme, 697 Posts, ISC Handler, Jan 15th 2016
Unfortunately no, very limited what I can install on this machine. I suppose I could cut and paste and email to another machine, but that would mean bringing another laptop to work.
Juice, 12 Posts, Jan 18th 2016
If your environment is locked at this point, it's better you don't play with malicious code on your corporate laptop! Dedicate a specific environment for such tasks.
Xme, 697 Posts, ISC Handler, Jan 18th 2016
I've always had issues with AV alerts with Kahu tools (as they note on their Web site), but the updated version of JSDeobfuscator.exe gets quarantined by Sourcefire AMP, is detected by 10/20 by Jotti's, and 22/54 on VT. There's a DNS callout to VBOXSVR.ovh.net. Even though I know the majority of the detects are because it's a packed file, it's going to be a tough sale this time convincing my boss I should whitelist/restore the file. In the past I've only had to exclude the Kahu directory my tools were in for AV, but doing an AMP override is global. Any thoughts?
JeffSoh, 31 Posts, Jan 19th 2016
The PE file is indeed packed, that's why many AVs flag it as malicious. About the DNS request, VBOXSVR.ovh.net does not resolve to an IP. 'VBOXSVR' is the default hostname used by VirtualBox for file sharing with the guest OS. Could be some remaining debugging code? (false positive).
Xme, 697 Posts, ISC Handler, Jan 20th 2016
Enough to say no thanks! Kahuna needs to prevent themselves from triggering. AV binaries are full of threat indicators, yet downloading McAfee doesn't flag as dangerous, or does just navigating to the site not do that?
Xme, 1 Posts, Nov 29th 2016