When I first saw a screenshot of this one, that’s what it was: Unknown.
Here is the Twitter message that Jérôme Segura from Malwarebytes posted.
In response, William Metcalf (@node5) replied that it was Sundown/Xer and that they steal from everyone for their exploit kit.
While researching other reports of Sundown, the code and the domains used in this version do not appear to be the same as those reported in several other posts on the Sundown EK. Is this a new version of Sundown? I don’t know, this is my first real look at it.
This version appears to be trying to look like Angler EK: it uses 5 sections that get decoded, and each section has 1 or more levels of decoding to get down to the final decoded code.
On June 15th 2016 Brad Duncan (@malware_traffic) posted his captured run here, which Jérôme Segura mentioned in his post.
If we look at what was posted for the first redirect from the infected site we see this.
(Screenshot borrowed from malware-traffic-analysis.net)
Here they are sending the visitor to 5 different URLs, but a closer look shows they are actually hosted on the same IP.
Here is a closer look at what Jérôme Segura posted.
In the traffic from the pcap from malware-traffic-analysis.net we can see there were 2 landing pages. At first they appeared to be exactly the same, but a binary compare shows that they were in fact different.
I next went through and decoded every section as far as it would decode.
Viewing the decoded sections, “most” of the sections contained code that would not run on its best day. In one of the decoded sections I even found a known Angler EK decryption key and some of the code from an Angler EK section. Reviewing the code in this section, which corresponds to what would have been the exploit section in Angler, there were 2 separate decoding functions with the same name for what should decode some of the encoded strings (in JavaScript the later definition silently replaces the earlier one).
Although there appears to be some advanced functionality in this, um, kit, it does not appear to be properly implemented at the moment. Just because it is ugly, don’t totally dismiss this thing yet.
So if this thing is basically broken, how is it calling out to download the Flash and Silverlight?
They are using embedded links in the code in several places.
In the first section we see this.
The top part of this is a hex-encoded base64 alphabet, then the base64 decoding function, and finally the string to decode.
Once decoded we see this.
If you look closely, this is also a base64 string, but the string was reversed.
In the screenshot above we can see the eval that kicks off this part, taking the reversed base64 string and using this reverse function to reverse it, then finally base64 decoding it, and we end up with this.
If you take a close look there are a few “p,a,c,k,e,d” sections in it. When you try to decode that, it returns exactly what you put in.
Moving down on the same code from the first decoded section we see this.
If we drop the hex code for the “FlashVars value” into a hex editor we see this.
Here we can see there is no call for a “.exe” file but a link to “http://trasergsgfsdx[.]xyz/z.php?id=8”, which shows up in packet 602.
If we look at this section for the second landing page we see this.
It has “z.exe” and a different site name and id number.
If we move on down on the first landing page we see this.
We have a call at the top using the same URL that was found in the hex above.
If we clean up the top of this and zoom in we see this.
If we look at the bottom we see this.
The section in between is percent-encoded hex, so let’s decode that and see what we get.
Above, they are using an array of variables and an index number to build the code with.
Also notice the number of the special folder it is calling for.
It also has the appearance of having the option to save a file as a DLL or an EXE.
Another interesting thing: if we scroll down to the bottom of the page we see this.
Looking at this bottom function, it looked familiar.
The left is from this exploit kit; the right is from Angler EK. The differences are the variable names, and the left uses “&” where the right uses “%” for some items.
Also, the left pushes to a char array and then reassembles the string, where the right just goes straight to a string.
When trying to decompile the .exe artifact, the decompiler said it may be “packed”, but looking at the file in a hex editor it appears to be corrupted or encrypted in certain sections rather than packed.
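To show the decoding chain described above in working code, here is a small decoder I am adding as an example; it is not code from the post or from the kit. The hex alphabet, the section string and the FlashVars hex below are constructed samples (the alphabet is the standard one rotated by one place), not the kit’s real values, and the URL extractor defangs the host the same way the post does.

```python
import base64
import re
from urllib.parse import urlsplit

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def _b64(body: str) -> bytes:
    # Restore the padding the kit strips, then use the stock decoder.
    return base64.b64decode(body + "=" * (-len(body) % 4))

def decode_custom_b64(data: str, hex_alphabet: str) -> bytes:
    # Section-1 style: alphabet shipped as hex, mapped onto the standard one.
    alphabet = bytes.fromhex(hex_alphabet).decode("ascii")
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    body = data if "=" in alphabet else data.rstrip("=")
    return _b64(body.translate(str.maketrans(alphabet, STD)))

def decode_reversed_b64(data: str) -> bytes:
    # Second layer: the base64 text is stored back to front.
    return _b64(data[::-1].rstrip("="))

def defanged_urls(blob: bytes) -> list:
    # Pull http(s) URLs out of decoded bytes and bracket the host's dots.
    out = []
    for m in re.findall(rb"https?://[^\s'\"<>]+", blob):
        url = m.decode("ascii", "replace")
        host = urlsplit(url).netloc
        out.append(url.replace(host, host.replace(".", "[.]"), 1))
    return out

# Constructed samples, not taken from the kit. The custom alphabet is the
# standard one rotated by one place; the FlashVars hex spells a test URL.
SAMPLE_HEX_ALPHABET = (STD[1:] + STD[0]).encode().hex()
SAMPLE_SECTION1 = "QU2CU0mSW3FwRViie0WqaR=="
SAMPLE_FLASHVARS_HEX = ("75726c3d687474703a2f2f6578616d706c652e696e76616c6964"
                        "2f7a2e7068703f69643d38")

def walk_layers() -> dict:
    # The chain the post follows by hand: custom b64 -> reversed b64 -> hex.
    layer2 = decode_custom_b64(SAMPLE_SECTION1, SAMPLE_HEX_ALPHABET).decode()
    layer3 = decode_reversed_b64(layer2).decode()
    urls = defanged_urls(bytes.fromhex(SAMPLE_FLASHVARS_HEX))
    return {"layer2": layer2, "layer3": layer3, "urls": urls}
```

Swap the sample constants for the alphabet hex and strings lifted from a real landing page and the same three calls walk that page’s layers.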
Here is a quick shot of the Silverlight after decompiling it.
Even after de-obfuscating this it is still large and a lot to navigate through.
From a static analysis point of view it is difficult to tell what would and would not work in this.
It would need dynamic analysis.
Before I finish with this first pcap, let’s take a look at some “Whois” for this site.
Notice the dates at the top; this URL was not up long before it was found.
And the Scumware report.
Now to the second pcap; there were some changes from the first one.
On June 20th 2016 Brad Duncan posted another pcap with an exploit kit dump.
Let’s start this one by looking at the traffic and using filters for the streams to see what goes with what. The first filter is just “http.request or http.response”.
Here we have multiple GETs, and the first 2 were no doubt from the original infected page.
In this view we see at least 2 different landing pages, 1 Flash file not found, 1 Flash file that was found, and 2 Silverlight files downloaded.
If we set a filter of “tcp.stream eq 0 and (http.request or http.response)” we see which packets go with this stream.
A filter of “tcp.stream eq 1 and (http.request or http.response)”
A filter of “tcp.stream eq 3 and (http.request or http.response)” (stream two was empty)
And a filter of “tcp.stream eq 4 and (http.request or http.response)”
What does this do for us? Since all of these point to the same IP, it makes it a little easier to see what is related.
If we look at the first one, it tried to get a Flash file but could not find the file.
The second one has a landing page and tried to get a Silverlight file, but the traffic suggests it did not get it.
The third one also contains a landing page, and this time it did download a Silverlight application.
In the fourth one, instead of a “normal” landing page, we get something else.
But let’s look at the third stream first.
If we base64 decode the first section we see this.
We can see it is wanting “carolinamovie.swf”, but the traffic shows that it was not returned; the Silverlight one, however, was in this stream. So let’s look at it.
Here we can (almost) see that it is looking for the Silverlight. And the hex in the hex editor.
Doing a binary compare, the 2 Silverlight files from the first pcap and this one are the same.
Now on to stream number 4.
When we look at packet 174 in stream number 4 we don’t see a “normal” landing page but this.
And at the bottom we see this.
So what is this? Perhaps this will give it away.
If we do a string search on the internet, this code appears to be borrowed from this site.
So they appear to be using OpenSSL-style decryption for the bottom 2 sections.
At the time of this writing I didn’t have time to build a decoder.
Since it does appear to download a Flash file before we run out of traffic, I can only assume that it does work.
One last surprise before I close.
Good luck with that borrowed name.
In conclusion, I still can’t decide if the person(s) who wrote this don’t have a clue, are just testing out only certain parts of the exploit kit, are just trying to see what they can get out of researchers, or if this is possibly even some college project. There is just too much non-working code in here to be a streamlined exploit kit.
If you made it this far thanks for sticking with me.
That’s it for now.