Hidden .Net Resources “Are Your Tools Finding Them” ?

This file was found thru Twitter https://twitter.com/0x7fff9/status/936301229612961792 and https://beta.virusbay.io/sample/browse/106366f1fe0f39232bc86be49ecbad4a

This sample appears to be a test piece of Ransomware written in dot Net with 2 binary resources that do not show up in normal tools. No obfuscation was used to “Hide” the resources. I was able to build my own test program that would respond the same way.

So really, they are not necessarily hidden, it’s just that some tools don’t see them.

I have run across this problem before but don’t see it very often when viewing the decompiled dot Net files.

If we look at the recourses in few different tools we don’t see this data.

Lets start with PEStudio , I had reported this problem a couple of times and have gotten no response about it.

Here we see PEStudio next to ILSpy


It can be found here https://www.winitor.com/binaries.html

Next we have MITEC  EXE Explorer


It can be found here http://www.mitec.cz/exe.html

Finally we have Resource Hacker


It can be found here. http://www.angusj.com/resourcehacker/ (I assume this is the same one everyone else uses)

The only thing I can think of is they are not enumerating every type of resource or because the data has no file extension associated with it is not being seen.

So lets save the resources data to a file. We end up with a file called “gray.resources”

Opening it up in a hex editor we  see this.


This would not be easy to extract without more information, so after some trial and error I got a tool to extract the binary data to .bin files.


This simple tool will enumerate all of the resources, list the names and type then extract just the data of  “Type Byte[]” to the folder with the name and a .bin extension.

As you can see this one only had 2 items. I have not tested it yet on other files.

Lets take a look at the first one.


And the Second


These look to be encrypted/encoded so lets go back to ILSpy and see how.


The highlighted area is where it tells us what to do with the extracted resources.

At the top we see the key used for decryption and test4 at the bottom is AES CBC mode.
It also has a hard coded Salt value.

Since I didn’t have a tool for this type yet I just borrowed the code from them and after fixing 1 bug that may have been introduced in the decompilation  I got it working.


Notice anything in the out put ? 0x4D5A(MZ)

So we now have an extracted and decrypted binary.

Here is the second one.


They just used the AES function to hide the registry “Run Path”.

What we end up with is the program that does the actual “Bad Stuff” including encrypting various files using a folder/ file extension list.


As of Last night that Bitcoin value did not exist.

Towards the bottom we have a “Random” password generator. The problem is it does not appear to save it anywhere to use for decryption later that I have found so far.


They are also nice enough to delete the shadow copies too.


I also looked up the GUID and you can find it used in several places.

I have no Idea if this thing will even run and do what the code suggest it will do.

The point to this whole post was not to show the malware, but to highlight the problem of mainstream tools not being able to find or show these types of resources.

There could be more than meets the eye that is not being shown as it was here.

That is for this one. Go check your tools.

Posted in Malware, Programming, security | Tagged , | Leave a comment

Peeling away the layers of a word document macro

The sample used in this one was first brought to my attention from the blog post by @HerbieZimmerman  and the blog post is here. https://www.herbiez.com/?p=1028 and the link to the doc file is here https://www.hybrid-analysis.com/sample/0de3f4380b642e59d0cde5570ed13bfc727000b94a034ce10e1f87bfac3fac79?environmentId=100

This one peaked my interest because it had 3 obfuscated scripts plus a “ThisDocument”  script instead of just 2 that I have normally been seeing .

There are several ways to extract the script(s) but I have been trying Open Office and it has worked fairly well for this type.

Here is what we see when we open the script that contains the “AutoOpen” sub.


When opening up the script in Open Office they are default disabled. The “Rem” is commenting out those lines so the code can not run. But it can also make it harder to read so you can use Notpad++ or your favorite editor and do a  find replace of “REM “ (include the space) with “” (Nothing).

We see the “Sub AutoOpen()” which will cause this script to get fired when the document opens.

As the notes show the “Shell” will call the function listed with the parameter of “0” Zero or hidden. You can read about it here . https://msdn.microsoft.com/en-us/vba/language-reference-vba/articles/shell-function

If you look just under the green box you can see where the function starts.

If we keep scrolling down we see where the value of the function gets set.


We see here that there are several strings that get tacked onto each other including the third item of “Chr(34)” AKA the double quote.

These strings are the different function names that gets called to build the final string that gets added in at that position.

Lets get the fourth item and take a closer look.


Here we see the fourth item corresponds to a function above and calls a “Mid” function on a string above that.

So this takes the string in “APwTzEijQ” and extracts a substring from it starting at character 19 and takes 71 characters and then returns the string.

But as you can see there are way to many of these to do by hand so either extract and echo the result of building the string(s) or build a new tool.


So using this if we cleaned out almost everything we don’t need we end up with this.


The output is the value that will get tacked on in this position.

After some trial and error I added a new section to my tool to tell me which functions were not present in the current script.

If we notice from the screenshot above and here
”XZGDjkTXd = iXjTfDtwt + MfwkTAlmO + Chr(34) +”
those are the first 2 values that get tacked on to this new script.

Those will be found in the other 2 scripts.

The first value






Now we have to piece this back together in the correct order.


This is the full reassembled script. This is still hard to read so lets format it in a way we can read it better.

One thing you may notice is all of the  ‘+’  and + in this part of the script. We will have to remove those before we start the string replacements.

When the script is run they will automatically be taken care of but we have to remove them for the method we are using here.


Lets take a closer look at the top of this.


If you look closely at the set variables the word “powershell” is broken up into different variables and reassembled in the last “set’.
The ComSpec at the end will decode to “IEX”

ComSpec We want Chars 4,26,25 which builds “IEX”

On the bottom section this is where we are peeling away more layers in the form of string replacements.

The trick is to do it in the correct order.


The Highlighted area is the inner most section and the final section left.

If you can zoom on this and the shot above you will notice the way that the “ ( ) “ are highlighted in red. This tells us where the section will begin and end.

A normal nested function will start evaluating from the most inner section working out.

Here we start at the most outward section and do the replacements working towards the middle.

As we find in my last article the “-cReplace” means it is a case sensitive replacement meaning you only replace the exact string, which could be in the middle of another string as long as it is the exact string. the plain “-Replace” is not case sensitive so will find the string if it is upper, lower or even random mixed case.

Here you can also note that the “[Char]” is in the proper case as I have already done a string replace for the mixed case versions so let use a new tool to find out what all of the char codes evaluate to.


So here we have 3 items to replace.
“-cREplACe  (tiQ),$-REPLacE’3Gj’,’-REPLacE(PBw),|)“   If you have trouble seeing, the 3GJ actually gets replaced by the single quote.

After doing the replacements we move in another level.


The highlighted area is the new string section we will be doing the string replacements with.

Just below are the strings that we will be working with.

Here is an issue we can run into while de-obfuscating by hand.


In the earlier replacement we replaced some characters with the single quote now it stops us from doing a proper replacement using notepad++ so we have to remove the dual single quotes to do the final string replacement. We will have to keep an eye on this problem with each layer or it will not get some of the characters replaced properly.


We can see we had to remove/ replace the dual single quotes here also.

And finally we have.


And a more cleaned up formatted version.


This defiantly would not run as is but you can see what it is doing now.

The part from $franc to the catch statement is the final decoded section.The rest in the screenshot is left for reference and also artifacts left after decoding the other levels.

We finally see that we have 5 different URL’s that it will attempt to download a file from and put it in the “Public” folder with a random Numeric name from 1 to 3453245 plus a “.exe” and attempt to run it.

If it has an error it will write the error to the console window even though it was launched as hidden.

One last important note. Always use a “working” copy so if you mess something up you don’t have to go back and re-extract the the scripts. You could just make a new copy and start over.

So why would we want to decode the script in this manner rather than just running it in a sandbox? It could have possibly had some sandbox checking routine and just exit if it finds what it does not want to run with.

If the routine did not loop thru all of the sites in an attempt to download the file then you may miss some of the possible download sites.

To get a better understanding of “How” the obfuscation works, it’s strengths and it weaknesses.

Finally, another excuse to build more tools and hone my programing skills.

Well that’s it for this one I hope we all learned a few things.

Posted in Malware, PowerShell, security, VBScript | Tagged , , | Leave a comment

De-obfuscating a PowerShell Script Obfuscated by Invoke-Obfuscation

Here I will be trying to deep dive on how the obfuscation works and what is required to de-obfuscate it.

This sample comes from @James_inthe_box posted here https://twitter.com/James_inthe_box/status/928644055054946305 on November 9th 2017.

Here is the link to the “pastebin” of the script if you want to follow along. https://pastebin.com/P5AK7div

When we first look at it we see this.


That is the full script. The first thing you may notice here is that it is in 3 separate parts so we will tackle 1 part at a time.

If we look at the top of Section-1 we see it is being set as a variable and there is a long array of binary strings.


And the bottom.


This is fairly straight forward. It will take each binary string in the array and convert it to an Integer 16 and then to a string/Char.  Lets take a closer look at that little piece on the end.


So what does this last part do? It calls “$ShellID” to get the string but only uses the Characters in positions 1 and 13. So lets do that.


So we call $shellid  and it returns a string as seen here and then we convert that to an indexed list to see better what letters are used.

So in the end this first level gets binary decoded then piped to IEX after we concatenate them together. IEX is short for the cmdlet “Invoke-Expression”.

This would be to much to do by hand so you could just extract the the binary array and do an echo on it to see what it decodes to. But in usual fashion I like to make drag and drop programs to do it with so I’m not having to “run” anything if possible.


I thought I had messed up my decoder at first but lets take a closer look.


Here they are using the function where the values were disassembled to a “random” array so we have to rebuild the string from the array.

So another new tool. (Still a work in progress and a few bugs yet)


Now we have most all of the arrays replaced with the strings. the next step is to do the Char conversions that we will be doing the string replacements with. In the screenshot you may see something like this “-F  [ChaR]92)”  So we have to convert that char code to a actual Character in this case 92 = “\”.

We also have to remove the “ ‘+’ “ from the string which tells us to concatenate the string in order to do our string replacement  from strings like “ (‘+'((B’+’5d@*B5d+B5d ”.

You you will also note that there are some “-c” in with the replace function and thanks to @danielhbohannon  I found out the it stands for Case Sensitive. So we only replace the string that exactly matches.

-creplace (case-sensitive)
-ireplace (case-insensitive)
-replace (same as -ireplace)

We can also see at the bottom of the script section that there are more string replacements.


After doing all of the replacements and some cleaning up, we get this as the final output.


Here we can see an array of partial URL’s and some other variables that get set up.

In section 2 we see this.


At the top, again it is using  the Shell ID to spell out “IEX” and also we have an array of Binary values.


In this case it is using Random characters as split Char’s rather than “,”. This is still fairly easy to overcome. Looking at the way this is implemented I way say there would be only a handful of characters that could not be used for the split  chars.

After decoding the first level we see this.


Here again we have the mixed up arrays and at the bottom we have several string replacements.


Once we rebuild the array strings and do the replacements and clean up a few things we end up with this.


As you can see, there is still some random string cases used here which makes it more difficult to read, but still readable.

In the final section we see this.


This is similar to decode as section 2 but it uses different separator characters.


After decoding.


Once they got to the third level they did not add extra obfuscation like the first 2 sections.

Below we see that they are checking for tool names. I would assume no average person would have those on their system so it must be checking for a sandbox or researcher.


After viewing all 3 sections I do not believe that it is possible to automate decoding the way I have done here. There are just to many option variables to be able to account for in a script or a program. Each layer would have to be viewed and peeled away as you go until the original code is revealed.

What I have done here in a windows programs could also be done in PowerShell or python script passing in each section to decode. The only other way would be to possibly echo it out after it decoded itself which could get dangerous depending on what it would end up doing. In the case above it could get caught and end or exit without revealing what it does.

Most likely I still have a few minor mistakes in my decoded versions that would not allow them to run, but should be clear enough to tell what it is doing now.

That’s it for this one. I hope this shows it is possible to decode even this type of encoding with some patience and persistence. (And a few new tools to help)

Posted in Malware, security | Tagged , | Leave a comment

Not A DerbyCon Talk part #1

This will be the first in a series (1 of x ) that I was hoping to stuff into a 30 minuet talk at DerbyCon 2017.

In hindsight it would be better suited as an informal training session where questions could have been asked.

Those that have read my post or whom I have decoded something for may know my passion for decoding/decrypting exploit kits started while Angler EK was still “Top Dog”.

That is where I’m going to start.

Our sample is at http://www.malware-traffic-analysis.net/2015/12/21/index.html we will be using sample #2 from this download because it has the redirect page.

In the screenshot from link above you can see the code to the gate / redirect to the exploit kit. This is what we will start with here. This is packet 35.

After extracting the code from the infected page this is the full script. You will have to zoom to get a better look.


Don’t worry we will be taking a closer look at each section.

If we look at the top section of the code we see this.


Here we see an encoded section of text that will get decoded after going thru the rest of the sections getting decoded.

Next we have this large section of  “var” and these will be built for later replacements in the functions below.


Looking at the green highlighted variables  we can first see that it is declared with “var’ then it is tacking on each element as it get evaluated.


As we can see here we start out our first letters as “fu”.

The first few times I did this I did it all by hand, all of the math and all of the hex to char code conversions. After that was when I started developing tools to deal with this obfuscation.


In this screenshot what I chose to do, still being new to this, was to save the “var’s” to a file and import them into the “Get Vars” program. What this will do is search thru the lines of vars and get a unique list of variable names. I first select a variable name from the dropdown list and the click the “Get Var Val”  button to get the  associated variables that get added together.

Do to the complexity at the time I chose to split the decode function out to another program. So in the “Script Decode 2” we can see what those variables evaluate to. After doing several of these I had verified we didn’t need to decode this section every time so I did not put this all into 1 program.

So from here we continue on down the line and do all of the decoding for each variable name and if you see the counter next to the names there are 59 unique variable names. So this will still take some time to do all of the decoding and replacements.

After doing all of the reassembling we end up with a variable list like this.


The next step is to do the variable replacements in the functions below.


After doing the replacements It is still not real clear what it is doing.


It will first check the browser being used  and pass a parameter of “2” if it is IE.

If it is IE then from the “div” above, it will get the data to decode and a decoding Key.



And formatted a little better.


In order to build this tool I did have to step thru the code several times in the IE debugger to fully understand how it worked.

Looking at several samples even though some  math parameters in the final decode function changed they always work out to the same end value after they were evaluated so I could build a static decoder now with just the Key value and the encoded string.

And here is what my final decode function looked like in VB dot Net.


This is still somewhat complicated. The “IeIdx” = 2 here if you want to do the math.

The one thing about these “Kits / Builders” is even though the variables may change, the underlying decoded function stayed the same. This particular encoding has not been used since some time before Angler EK disappeared.

As complicated as this is I would have only have been able to show it quickly and what it looked like decoded in a 30 minuet talk.

The next Post was going to be the landing page but I’ve already written on that so will just add the link to it here so as not to repeat what I’ve done already.


There is a link in this post to the previous one on Angler also.

I’ll Probably do a more recent Magnitude EK version for the next one. They have obfuscated the decoding a bit more than my last post here. https://pcsxcetrasupport3.wordpress.com/2017/04/24/a-look-at-the-magnitude-exploit-kit-encoding/

That’s it for now I hope this helps.

Posted in Malware, security | Tagged , | Leave a comment

Extracting and decoding malicious macros

The sample used here is from the video from  Karsten Hahn @struppigel .

If you have not seen any of them before I would highly recommend checking them out.

The video can be found here https://youtu.be/SCJVW1E8dFA

The Sample can Be found here at Hybird-Analysis if you want to follow along.

In the Video he shows a base 64 string that he extracts from the document using a Hex Editor like this.


After watching the video and locating the file I wanted to take a deeper look at it seeing how my methods would work at decoding this file.

I recently decided to try and  use “Apache OpenOffice”  to do the macro extraction from the documents and it has worked.

When We first open the document we see this.


At least the default is to pop up a warning. After clicking “OK” we see.


That is actually a picture on the document not a popup window.

When we locate the macro we see this.


Closer look in Notepad++


That is kind of difficult to sort thru so lets clear out everything that does not appear to do anything. We end up with this.


That sure did cut a lot of junk out of the way.

So it looks like it is getting the value of the documents comments property.


As you can see here the comments section is where the Base64 string gets extracted from.

And the full Base64 string.


Most of the “Red Team Tools” use UTF-16 encoding. So we will try Base64 decoding using UTF-16 Encoding.

After decoding I get this.


A closer look.


So what is this thing doing ? If we get a closer look at the end we se this.


Normally what I see is hex separated some type of fill in delimiter/ fill-in chars that gets removed.

Here we have Decimal char codes using several different split chars  to turn the Char codes into normal characters . This is the first time I’ve seen this done so another new tool to quickly overcome this type of encoding.


All this new tool does is a string replacement for the various split chars used and replaces them all with just one, in this case is a comma. Once you have a common split character then you can splint on that char and loop thru and decode the the char code and return the string output.

We could have done a string replace 1 char at a time and ended up with something like this.


After that we still have to decode the Decimal Char Codes.

Here is a closer look at the formatted script that was decoded.


This script will reach out to the sites to download the file and save it with a random name.

I was not able to download the file directly today after extracting the URL’s.

So we know it was a downloader but we don’t know what it would have downloaded if it had succeeded.

This had peeked my interest because of the multiple split chars used in between char codes and the fact that they did not use the Macro to store the base 64 string but the Documents Comment section to hide it.

That’s it for this one I hope you learned something as well as I did.

Posted in Malware, security | Tagged , , | Leave a comment

Decoding Java Script Walk Thru

This is from a request by Herbie Zimmerman‏ @HerbieZimmerman to show how my decoding process works to decode a script found on Payload Security by My Online Security‏ @dvk01uk (Twitter Link to Conversation https://twitter.com/Ledtech3/status/894672552341229568)

Link to file download on Payload Security

After downloading the script we first see this . This just looks like a big mess.


If we look at the bottom of this section we find this.


As we can see here is is using “DcyHCgvJUL” as the split then rejoining the sections that were created.

What is is effectively doing is replacing the string “DcyHCgvJUL” with nothing or just remove every instance of the string from the full string.

So after we do that and clean it up so it is readable we get this.


We can see the highlighted in green the function and Char Code that get replaced. In red shows the “String.fromCharCode”.

After we clean that up we see this part.


Here “ivtDmuhkcPSLyzelI” is getting the value of the registry key which is the same for Windows 7 or Windows 10.


So the value is “C:\Users\Public\Music”

Here “rxMIJzwygfbtaPXoR” is using the function “sNIVfMCzcKwAmxOPoEv” to get the char code at index 1 which is decimal 58. Index will start counting at “0” Zero here.

That’s as far as we can go here, so lets take a look at the remaining parts of the script.

Next we see a section that will get the current year.


In the next section it looks similar to the first but if we search for the variable name there is only 1 hit which could indicate that it is only used to confuse the reverser.


After looking further down and not finding anything that would decode and use this function, lets just get rid of this section.

Next we see what the get year does.


It will get the current year and compare it with the value of 2017 and if they match then run eval function. Which we don’t find yet.

The next section down is another large section of scrambled looking text. After looking further this appears to be more junk code so lets get rid of it too.

That leaves us with this final section that appears to decode something . Lets clean it up and see what it does.


This section will take the string in “LIDuvEgKznlBWFkV” and run thru each char and get the char code and add an amount to it and if it equals 1 of 2 amounts or the file path from the registry does not exist or if the file path = 58 then ignore it. Else we take the charCode and get the Char and add it to a new string.

But first we need to reduce that math function to know what values they are working with.


In order to figure out what this will evaluate to we have to understand the order of precedence for the math functions. https://www.w3schools.com/js/js_arithmetic.asp

So going by the order of precedence we would see this.


So this value is  “-1”

And the Next 2 values


So now we can get a better idea of what the values are doing.


So now we know we get the char code for each Char and add “–1” (Subtract 1 from char code) if result = 42 or 64 we ignore it and go onto the next Character in the string.

And when Decoded it looks like this.


This could have been done by building a html wrapper around the functions needed to decode but I usually just build a windows program for doing this type of decoding.

But you can also see that it also needs to be “Unescaped”


This is meant to be evaluated so it has extra escapes in it so lets clean it up a little better.


So this is the final script that gets run.

While looking at the code and following all of the eval functions there was 1 variable name that was not found anywhere during the decoding process which suggest to me that this script was called by something else.

This is at the very bottom of the script , it calls this final decoded script to run it.


Well that it for now I hope someone learns for this as I did.

Posted in Malware, security | Tagged , | Leave a comment

A look at the Magnitude Exploit Kit encoding

In this post I will be going thru the multiple ways that they use to encode 3 pages in the pcap. I will use the pacp available from Zerophage @Zerophage1337 located here https://zerophagemalware.com/2017/04/20/magnitude-ek-urls-from-14-20-april/

We will start with the initial get request at packet 178.


Notice anything strange about the “Full request URI: “ It is doubled up. Make note because we will need this later.

Next we get our first encoded page in packet 180.


When we first see this it looks like a jumbled mess.


After formatting by hand it is a little more clear on what it is doing.


In an older version they had “toString” set as a variable but here they are using Unicode encoding “toS\u0074r\u0069\u006e\u0067” so lets fix that.


Next lets take a closer look at the first function.


So what does this do? A quick look would make it appear that it is using the value left of the comma on each side of the operator to get a Boolean result and the larger number right of the comma gets used in the “toString” function. In other scripts I’ve looked at if the result is true then it will use the left value, if false then it will use the right value.

In the “toString” function it really only accepts 1 parameter so the second value appears to be ignored.

When we see a function like this “ (1294399205).toString(36) “  this would be converting Base 10 to Base 36.

I’ve noticed that so far that the number on the right is always used so I don’t bother to do the math. It is still only 2 possibilities anyway. So the result of decoding this is.


So lets go thru and do all of the decoding and replacements.


Now that is a little better but we still have some encoded parameters.

So how does this work ? This is where that note comes into play from above. We take the full path “ http://fx4you%5B.%5Dnet/” (not including the brackets.) and tack on the string  “m6t35”.

So the numbers in the parentheses is the index value from the combined string.


So lets do the replacements on those.


Now that we have that complete, that just leaves the parameter of “dgaO0”. The values generated from this is a form of a Checksum calculated by adding the char code values of each letter for the screen property and then Xor’ing that result by a number and tacking on “y” and then the real value of the property and tacking on a “t”. It will continue for all of the property values.


In each of the pcaps I’ve looked at the Xor value has been different. So that number will change.

When all of that is combined we end up with the full get request in packet 182.


So now we are at packet 184 lets take a closer look at the formatted page.


This decoding is similar to the last one but as you can see something strange is going on here. They are using a value from the screen info  and adding something else.

After decoding the first part now we have this.


Now if we look closer at the function “n57TV13J” we will see that it takes as input 2 number values and the left will add the value of  screen height to it and the right will subtract the value of “systemXDPI” from it.


We can reverse calculate what these values are or pull them from the last get request.

If we set it up like a chart then we can see what we need.


The indexed values are the values from the get request. The bottom list is the calculated parameter values. We can just look and see that for “Height” we get a value of 632 for the checksum and 1024 for the real screen height. We get 987 for the checksum and 96 for the real value.

And to calculate the result.


Now lets go thru and do the rest of them. Here is what we end up with.


Now it looks like we still have several Index values to replace using the URL that led us here.


Now lets do the index replacements and see what we end up with.


As we can see here it is checking for Kaspersky Virtual keyboard and if not found it will make the call to the next Url. I assume it will just quit if it does or throw an error, I can not find a reference to the value in the catch statement.

In packet 186 we see the get request and in packet 200 we see the obfuscated page we will work with.


This is a very busy page. It used the base decoding like in the first section, but it also uses Hex, Integer, and Octal Char codes to build strings.

I’ll save everyone the step by step on this one as it is a long drawn out process to do it by hand.

After decoding and formatting the first section and decoding the variable array for “lW” we get this.


All of the “lW” items highlighted get replaced by the index value, so lets do that. (Note: commented section with the decoded array.)

Even after decoding and doing the replacements we still have some math functions and other encoding to tend with. We have multiple layers to hide what is going on but we can still get and idea of what is happening even with the bad formatting that yet needs to be cleaned up.


The highlighted section shows a call to download a scriptlet file.

Here further down we can see 2 possible execute calls.


There is still a lot of formatting and possible junk/unused code that could be removed but we should have enough to tell what this is doing and it most likely would not run  in this state either.

The web request from above is found in packet 329 and the response in in packet 340.

After formatting this packet here is what we have for the downloaded scriptlet file.


Even with the slight obfuscation here we can see that it will make a call out to that URL download and run the file.

And if we look up that Class ID we find this.


What do you know borrowed malware.

Well that’s as far as we are going on this one.

Thanks for reading if you got this far.

Posted in Malware, Networking, security | Tagged , | 2 Comments