De-obfuscating Cerber Malspam file

On July 1’st 2016 I seen a tweet by Herbie Zimmerman   @HerbieZimmerman where he had gotten a zip file from some malaspam  containing an obfuscated Java Script file.

The infection chain is documented on his site here https://www.herbiez.com/?p=550

He had posed that he had trouble reversing the script, so that is what I will cover here.

As we scroll down the script we first see this.

Script1

We see it starts by setting a variable , assigning a value then tacking more on to the end of it. We next see another variable name and a value assigned to it.

If we look close at the second variable name  it is the same variable name and value assigned many times.

So we scroll down until we see this.

Script2

Tacking more onto our initial value. Scroll down some more.

Script3

Hmm a regular expression and new array.

Script4

Looks like this is only supposed to work this year.

Script5

Hmm if the date doesn’t match it return an empty string else ……

Script6

Lets take a closer look at this.

Script7

This looks like it takes our first variable as a hex array and Xor’s it with the Decimal 68.

A close look at the second variable name  and it is never used so lets clean this up and see what is left.

Script8

Now that we have this cleaned up what do we have ?

At the top we see out initial variable as a string of hex Char’s.

Next our variable is being reassigned as a hex array by using the Reg X to spit the string into lengths of 2 hex char’s , or a hex array.

Then we start the while loop.

Next is a check for the year, Interesting thing about this is the function used is depreciated for html  and returns 116 instead of 2016. If you try and drop this script into a html page  it will always be false.

If it succeeds in matching the date then it will run thru the array of bytes and Xor them by “Decimal” 68 (that tripped me up for a few minuets) then finally output the string or the decoded script.

The final 2 lines take our decoded script, drop it into a new function then call it to run the decoded script.

And here is what it looks like.

Script9

The script itself calls out to “http[:]//220.181.87[.]80/ok.jpg” to download the file and uses a random name generator to create a 1 Char name using the alphabet of “1234567890abcdef”  and save the file to the temp folder then launches the resulting .exe file.

That’s pretty much it for this one.

Ok, so I rushed over the part about getting the variable values into a hex array.

We first copy all of the variable parts over to a new text window.

Copied

Next in this case using Notepad ++ , select everything from the left single quote on the second variable to the right single quote on the first variable and then hit the find button.

Find

next chose the replace tab.

ReplaceStr

be sure the “Replace with” is empty, then select replace all and we get.

ReplaceResult

Now take everything in between the 2 single quotes and run it thru your favorite Xor tool.

XorTool

Take the result of the Xor and drop it back into a new Notepad ++ and use the Java Script format .

Format

And there we go.

Script9 

I hope it helps.

Posted in Malware, Networking, security | Tagged , | Leave a comment

Unknown Exploit Kit

When I first seen a screenshot of this one that’s what this was, Unknown.

Here is the twitter message that Jérôme Segura from Malwarebytes posted.

TwitterConv

and the response by William Metcalf @node5 replied that it was Sundown/Xer and they steal from everyone for their Exploit Kit.

While researching other reports of Sundown, the code and the domains used in this version appears not the same as was reported in several other post on the Sundown EK. Is this a new version of Sundown? I don’t know, this is my first real look at it.

This version appears to be trying to look like Angler EK, it uses 5 sections that get decoded and each section has 1 or more levels to decode to get down to the final decoded code.

On June 15th 2016 Brad Duncan @malware_traffic posted his captured  run  here

http://www.malware-traffic-analysis.net/2016/06/15/index.html

that Jérôme Segura Mentioned in his Post.

If we look at what was posted for the first redirect from the infected site we see this.

(Screenshot borrowed from malware-traffic-analysis.net)

2016-06-15-Sundown-EK-image-01

Here they are sending the person to 5 different URL’s but a closer look tells you they are actually hosted on the same IP.

SundownIps

Here is a closer look at what Jérôme Segura posted.

InitialmalwareScreenshot

In the traffic from the Pcap from malware-traffic-analysis.net we can see there were 2 landing pages and at first they appeared to be exactly the same but doing a binary compare on them we know for a fact that they were different.

I next went thru and decoded every section as far as it would decode.

Viewing the decoded sections, “Most” of the sections contained code that would not run on its best day. In one of the decoded sections I even found a known Angler EK decryption key and some of the code from an Angler EK section. Reviewing the code in this section for what would have been the exploit section in Angler there were 2 separate decoding functions with the same name for what should decode some of the encoded strings.

Although there appears to be some advance functionality in this, um, Kit, it does not appear to be properly implemented at the moment. Just because it is ugly don’t totally dismiss this thing yet.

So if this thing is basically broken how is it calling out to download the flash and Silverlight ?

They are using embedded links in the code is several places.

In the first section we se this.

Section-1

The top part of this is a hex encoded base 64 alphabet and then the base 64 decoding function , then finally the string to decode.

Once decoded we see this.

Section-1.var1

If you look close this is also a base 64 string but the string was reversed.

ReverseString

In the screenshot above we can see the eval that kicks of this part , taking the reversed base 64 string and using this reverse function  to reverse it then, finally base 64 decode and then we end up with this.

Packed

If you take a close look there are a few “p,a,c,k,e,d” sections it in. When you try and decode that it returns what you input.

Moving down on the same code from the first decoded section we see this.

FlashBin

If we drop the hex code for the “FlashVars value” into a hex editor we see this.

Section-1-Flashvar

Here we can see there is no call for a “.exe” file but a link to

“http://trasergsgfsdx[.]xyz/z.php?id=8” which shows up in packet 602.

If we look at this section for the second landing page we se this.

ShellCodeBin

It is has “z.exe” and a different site name and id number.

If we move on down on the first landing page we see this.

VBScript

We have a call at the top using the same Url that was found in the hex above

If we clean up the top of this and zoom in we see this.

VB-Top

If we look at the bottom we se this.

VB-Bottom

The section in between is percent encoded hex so lets decode that and see what we get.

Section-4

Above they are using a array of variables and an index number to build the code with.

Also notice the number on the special folder it is calling for.

It also has the appearance of having the option to save a file as a dll or an exe.

Another interesting thing if we scroll down to the bottom of the page we see.

Section-4-bottom

Looking at this bottom function it looked familiar.

DecodeLikeAnglerEK

The left is from this exploit kit the right is from Angler EK. The differences are the variable names, the left is using “&” and the right is using “%” from some items.

Also the left is pushing to a char array then reassembling the string where the right just goes to string.

When trying to decompile the the .exe artifact the decompiler said it may be “packed” ,but looking at the file in a hex editor it appears to be corrupted or encrypted in certain sections rather than packed .

Here is a quick shot of the Silverlight after decompiling it.

SilverExploit

Even after de-obfuscating this it is still large and a lot to navigate thru.

From a static analysis point it is difficult to tell what would and would not work in this.

It would need dynamic analysis.

Before I finish with this first pcap lets take a look at some ‘Who Is” for this site.

WhoIs2

Notice the dates at the top, this url was not up long before it was found.

WhoIs1

Hmm.

And the Scumware report.

ScumwareSearch2

 

Pcap 2

Now to the second Pcap, there were some changes from the first one.

On June 20th 2016 Brad Duncan posted another pcap in with a exploit kit dump.

http://www.malware-traffic-analysis.net/2016/06/20/index.html

Lets start this one by looking at the traffic and using filters for the streams to see what goes with what. The first filter is just “ http.request or http.response “ .

Traffic-1

Here we have multiple gets and the first 2 were no doubt from the original infected page.

In this view we see at least 2 different landing pages, 1 flash not found, 1 flash that was found, and 2 Silverlight files downloaded.

If we set a filter of  “tcp.stream eq 0 and (http.request or http.response)” we see what packets goes with this stream.

Stream0

A filter of “tcp.stream eq 1 and (http.request or http.response)”

Stream1

A filter of “tcp.stream eq 3 and (http.request or http.response)” (stream two was empty)

Stream3

And a filter of “tcp.stream eq 4 and (http.request or http.response)”

Stream4

What does this do for us ? Since all of these point to the same IP it can help to see what is related a little easier.

If we look at the first one it tried to get a flash file but could not find the file.

The second one has a landing page and tried to get a Silverlight file but the traffic appears as though it did not get it.

The third one also contains a landing page and this time is did download a Silverlight application.

The fourth one instead of a “normal” landing page we get something else.

But let’s look at the third stream first.

If we base 64 decode the first section we se this.

146-sect-1

We can see it is wanting “carolinamovie.swf” but the traffic supports that it was not returned but the Silverlight one was in this stream. So lets look at it.

146-sect-2

Here we can (almost) see that it is looking for the Silverlight.  And the hex in the hex editor.

shellforsilver-b

Doing a binary compare the 2 Silverlight files from the first Pcap and this one are the same.

Now on to stream number 4.

When we look at packet 174 in stream number 4 we don’t see a “normal” landing page but this.

Packet-174

And at the bottom we see this.

Packet-174-Bottom

so what is this ? Perhaps this will give it away.

Packet-174-Mid

If we do a string search on the internet this code appears to be borrowed from this site.

http://fossil.kd2.org/garradin/vinfo/92c8bdfeaa2c5f37ddf25197d54baed89dd398ac?sbs=0

With a description of “ A lightweight Javascript Libray for OpenSSL compatible AES CBC encryption.”

So they appear to be using open SSL to decrypt the bottom 2 sections.

At the time of this writing I didn’t have time to build a decoder.

Since it does appear to download a Flash file before we run out of traffic I can only assume that it does work.

One last surprise before I close.

name-b

Good luck with that borrowed name.

Conclusion:

In conclusion, I still can’t decide if the person(s)  who write this don’t have a clue, are just testing out only certain parts of the exploit kit. If they are just trying to see what they can get out of researchers or possibly even some Collage project. There is just to much non working code in here to be a streamlined Exploit kit.

If you made it this far thanks for sticking with me.

That’s it for now.

Posted in Computer, Malware, Networking, security | Tagged , | Leave a comment

Decoding Angler Exploit Kit

After my last post Some data on Angler Exploit Kit I had received a request to write up a tutorial on decoding the Angler EK.  The Question is where to start ?

Since they seem to be on vacation or are in the middle of a new version development I’ve decided to write this up. The basics presented here could be used for any exploit kit.

In order to even start reversing this or any exploit kit you have to have some basic  understanding of Java Script / Html and how they relate to each other. I always hated trying to write a web page but find myself going back to relearn how things worked to find out how the malware is working.

Most of these exploit kits and redirect pages are using some form of obfuscation technique for the decoding functions whether it is just adding a lot of white space, converting to escaped characters, or even adding in random comments like “/*  this is a comment*/” in order to mess with the beautify tools to get the code back to some type of readable form. 

In this post we will be working with the Pcap from http://www.malware-traffic-analysis.net/2016/06/01/index2.html and using the pcap 2016-06-01-pseudoDarkleech-Angler-EK-after-hideandseek.leadconcept[.]net .

Before we can start decoding the landing page we must first find and extract the landing page using Wireshark.

The fastest way I have found to Identify the landing page is by using the filter of  “http.response”. The latest Angler EK pages were always just before a “404 Not found” in the info section. When viewing the traffic and the code you find that there are 2 identical request and the first seems to almost always fail with the 404. On occasion you will find that you have 2 Flash request instead of just 1 and no 404.

WS1PNG

If you see a large gap between the packet/frame of the 404 and the previous one then the landing page will most likely not be shown and has somehow gotten corrupted and possibly missing some bytes like some of them I encountered in the last post.

After locating and verifying that you do have the Angler EK landing page then you need to extract it. Personally I always extract it as a text file so when I’m tired I don’t accidently run it. We need to go to File –> Export Objects –>  HTTP

WS2

Then we see this.

WS3

Next we click the save as button to get the location where you want to save it to (I won’t show mine here : ) ) Another personal preference of mine is to save it with the Packet number , like here I would save it as “ Packet-150.txt” in what ever folder I chose, this way if I need to find it again I can just jump to that packet or in the case of multiple landing pages per pcap I can be sure I have the correct packet.

Also take note of what it will suggest to save as. I have seen it want to save with several things “\” , a name and php,  png , jpg or even html. They try and hide the landing page with several extensions.

Once we extract the landing page and open it up in our favorite text editor we see this. My personal choice at the moment is Notepad++.

Text1

and this

Code1

If we keep on scrolling down we then see this.

Code2

By now you have lots of questions but the first is always, what the heck is this stuff ?

In this last screen shot the code is in script tags, so it must be used somewhere, right ?

So now what ? Lets start by extracting the entire script from the the center of the page and get it into some sort of readable state. When you are first de-obfuscating the script you will want to work with a copy so you can compare if something went wrong in the process.

Code3

Here we see that even after using a Java Script Format function it is still hard to read.

I wrote a tool to fix this but it still has a few bugs so it is just as easy to fix it by hand.

Also notice at the bottom is 2 types of comments . So lets clean this up and see what we end up with.

Now that we have it somewhat de-obfuscated  lets take a look around and get our bearing as to what the script might be doing and where the starting point is.

FullScript

Hmm what is this ?

Code4

It looks like this concocts to an “Eval” and look there is a RegX expression below it.

Hmm what is this item “kTPjPVb = ‘QnJNUUxhQW5PWUdWT3RS’;” it is used in a function above, could this be a variable name or a decoding key ?  We will have to follow along with the code to find out. But what is the “biwi” in the function above ? We will have to trace that too.

I’m not showing the part where you take several different strings / variable names and see where they are used in the code.

If we have a slight understanding of java script we notice that these are nested functions and work together, so where is it actually called from ?

If we do a string search for the variable at the top , “uTGlITcQsYrl” then we end up at the bottom of the script section.

Code5

So the last 2 lines of this script is where it actually starts.

When a page is run it starts evaluating from the top down and it will concatenate the variables and get them ready to use.

So now what is that value in the last line ? We do a string search in our extracted script and don’t find it, so we go to the original (copy) of the extracted page and find it here .

Code6

Looking back at the script, it is extracting the inner html of this ID for the first string to decode.

So now what ? We now have enough information that we can now start building our Html/Java Script decoder.

But what needs to go into it ? First we need a Html page with a Document.Write function to write the output to the page. (borrowed from http://www.w3schools.com/js/js_output.asp and modified slightly)

Code7

We know we need the String from the variable shown above, we need the key value, and the string replace function, and finally the decode functions leaving the rest of the code remaining out. The rest of the code is for doing the eval on each page/ decoded section, we don’t want to run that code , we just want to decode what is in the sections.

Which is also where those small sections of code we showed earlier come in. They identify each of the remaining “Sections” to decode.

After some trial and error and a few choice words for the left off semi colons we end up with out first decoded section.

Code8

I say trial and error because unless you are very good at Html/Java script it will probably take several tries to get together everything you need for it to run properly. There may be a replacement variable that was not close to the rest of the code that you need to go back and find and then include.

Here we see the start of the code needed.

Code9

In this view we set the variable for the String replacements, string to get decoded, RegX string replace , the key used for decoding , and finally the variable to call the function to do the decode.

We next find the end of the decode function by the end braces and the semi colons and copy paste that into our new decoder in between the variables we just inserted and the document.write.

Code10

The “ };;;” tells us it is the end of the function.

Above you can see I added “var result = J6em” . The “J6em” was the variable name that was used to start the decode process where the encoded string and the key was passed to. It also give me one more place to set a break point at.

So we try to run it as is and it fails with a variable of zx not defined.

Code11

We can see plainly that it is defined (below), obfuscated, but defined and in several places in the rest of the script, so what gives ?

Code12

The location of where the code is in no longer in the bigger global code block since we extracted just part of the code so the function below can not use it.

Code13

So first we try and reduce the function so it is readable. That doesn’t work.

We finally realize that the problem is that the function below can not see this variable. So we move it into the function and it works, the code runs all of the way thru and we get the result we wanted.

Now we have a working decoder for this “Type” of encoding.

If you read my last article I found 7 different encodings ( string replacements) with 3 different decoding functions used in the samples I looked at.

Now that we have a working decoder we can do one of several things, we can copy it for each section and just replace the string to decode and our title at the top of the html or use the same decoder and just replace the string to decode.

Note: There seems to be a string length limit in what you can view in the F-12 debugging tools and display on the page. Some of the strings to decode can be very long.

Now as long as the landing page is using the same encoding type all you have to do is replace the string to decode and the key used for every new one you encounter. This method bypasses the problem of dynamic analysis where it is checking for User Agent strings and for other running programs.

Now the real problem.

Once you get each “Section” decoded, the decoded section may have more variables that need decoded in that “Section”. To see what they are doing you will have to start the process all over again for each different decoding function, including that section that you see at the top of the screenshot for what I call the “LowerSection” which used to always be found at the bottom of the decoding script which you now will sometimes find towards the top as seen here.

The decode function for the “LowerSection” variables is not found until you decode section 3 and then not all of strings get decoded before they are used in other sections.

In this example I did not reduce all of the variables to their full string values. If this was the first time you worked with this code you may want to do that, then comment out the others not needed anymore or just use a comment at the end of the final variable name that will be used after they are combined as I did for the “String[‘fromCharCode’] “.

Once you understand how the code works you could always use your favorite programming language and create the decoder that way, like I did.(It is much easier for high volume decoding)

I would suggest that the very first time you run one these to make sure you are running it in a VM just incase there are some surprises laid in for the analyst.

If you are not sure what a function does or what the value is supposed to be, launch it in the F-12 tools (in a VM)  and step thru it to see it as it changes.

String Length Limits

I thought I was done writing this post until I went back to verify if the code would work for Section 4 knowing from experience that is is a very long string.

As I had mentioned above there is a string length limit on what a page will display.

If we check the length of the string for section 4 before it gets decoded we find that it is  66,220 characters long. which is no problem for the input.

CharCount1

When we decode it Using a VB.net version of this decoder we see that the decoded length of the string is 40,907 characters long.

CharCount2

But if we use the Html/Java script version we just made.

Section-4-Test

Notice the end of the string appears to be truncated (above).

CharCount3

As we see in the string length test it is only 40,546 characters long , a difference of  316 characters. So it appears that is what the string length limit is for outputting to a page .

So how do we work around this limit ?

We change our code and  split the string. If we change the top to this.

NewDecode1

And the end to this.

NewDecode2 

So what will this do for us ? Since we have a string length limit  I just use  40,000 as number to do the split at and then we end up with this.

NewDecode3

I know, you seen that it is still truncated in this version as well but here is where the workaround comes in.

If we launch this again in the F-12 tools setting a break point on “var result” then we can step a few more times until the values are filled out.

NewCode5

Extract the values and clean them up.

NewCode6

NewCode7

Clean off the Var name and double quotes on each end plus the word “String” on the end, or just copy paste everything in-between the double quotes .

Join them together and try to beautify them.

NewCode9

but we still have a problem.

CharCount4

Here we see that out Character count is now 40,964 instead of the expected 40,907. That is more so what is going on ?

If we take a close look at the string output to the Html page and what we extracted from the variable in the debugger we see the problem.

NewCode10

NewCode11

Do you see it yet ?

There is an escape character “\” before every single and double quote and even “\” is escaped.

The workaround for this is to copy the string from the output window for the first 40,000 chars so you don’t have to mess with the changes added by the debugger then get the last remaining characters from the debugger value and clean up the “\” by hand or write a script / program to do it for you like I did here for both.

ReplaceEscapes

Now once we clean and join these we end up with.

CharCount5

We end up with the expected 40,907 characters that we expected once we get rid of the extras. It will now also beautify.

FinalTop

FinalBottom

We can now see the code to create a decoder for this encoded section.

Once We decode this section (var b) we see this. (Top)

VarBTop

(Bottom)

VarB-Bottom

My point of showing this section is there seems to be some more code missing from the bottom here. Not that I want to help the writers of this debug it, but if we look  closer at the end we see this.

Varb-bottom-2

The output length before beautifying it is 29,976 characters well within the string length limit.

So this appears that either they truncated the the script before encoding it or got an extra character  from another part of the code this came from. Without seeing the original it would be difficult to tell for sure. Checking a few others I find this “char” also and 1 different one at the end of different samples.

This was not the only potential mistake I found while going thru the code.

As has been said before, even the malware authors can run into problems.

Well that’s it for this one I hope I answered any questions and didn’t create allot more.

Posted in Malware, Programming, security | Tagged , , | Leave a comment

Some data on Angler Exploit Kit

Here is some data assembled from Multiple Pcap’s.

First I would like to thank Brad @malware_traffic for all of the Pcap’s and write-ups posted on http://www.malware-traffic-analysis.net/.

I have downloaded All (almost all I’m sure I missed a couple) Pcap files and extracted every readable Angler EK landing page from those Pcap’s.

My final count for the date ranges of July 10, 2014 21:23:51 to  June 02, 2016 12:02:25 was 149 Landing pages. These pages include multiple runs against the same site and in some cases where there were multiple redirects to different landing pages from the same site in 1 Pcap file. This leads me to think that some sort of automated process is used to infect the sites with.

Encoding Types:

I encountered 7 top level encoding types. The types were determined first by the string replacement function and then by the Decoding function.

This is my type 7

type7

Although there were 7  string encoding types there were only 3 decoding functions used  after doing the string replacements . The first 2 were different from what I am calling types  3-7.

Types 3-7 are using the Xtea encryption using the Right Shift Zero fill function rather than the earlier version of just plain right Shift. 

Xtea

Here we see what the total count for each type that’s in the 149 landing pages that were extracted.

EncodingTypeCount

Although you can easily decode all 7 types with Html  /Java Script I only Decoded All of type 1 and 2 encoding types  to the first level  , I did not decode all of the types 3-7 just some of them.

With the few amounts of type 3-7 it makes me wonder if those are possibly a third party using Angler EK for a targeted attack or I just don’t have enough data to show more of those types.

Those that have been following along with all of the post on Angler EK have seen some of the changes that have taken place over time. Going thru all of these Pcaps you can see even more than what has been reported with the way code sections have been moved around and the code changed.

Changes:

As was reported by Kafeine in April of 2014 Here , there was a reference to their site that showed up in the Angler EK.

dontneedcoffee

If we take a look at the big picture on this one we see there is not a lot in this section.

Section3PNG

We last see this reference  in the packet captures on 2016-03-03 where they rearranged the scripts and sections, this page now looks like this on 2016-03-07 and the reference to malware.dontneedcoffee.com is no longer found.

NewSection3

I guess they needed the real-estate to move things around.

I will be calling the sections that gets decoded with the code in them as “Sections” , I number them from top to bottom like the way the  page gets evaluated as it runs.

The number of sections that get decoded is between 4 –6 . It was down to 4 after the Java and the Silverlight were removed.

There is also a section that I will call the “Lower Section” that is included in every landing page with the changing encoded variable names associated with the site name.

LowerSection

There have been a few different ways that this section appears. Some have the same name and just use an index number, some use a different name and a index number, and those like above that use different names. Not all of those values get decoded before getting used in the building of the pages. Some get used as is. I have also seen different amounts of variables in this section. Most of the time once decoded the Host name is listed under two different index values. Like in this one you can see that the index 1 and 7 are the same strings. (index starts with 0)

You used to always find this section at the bottom of the decoding script for the sections but has moved to the top in some of the landing pages.

Section 1 code:

In the older versions when we decode “Section 1” we see this.

OldSection-1

Then they changed to this.

NewerSection1

In the Pcap from 2016-01-29 they added a new section 1 thus shoving the rest of the pages back. This is what the new section 1 looks like after that date.

NewSection1

Although the variable name in the window section changes and the number “1” will change on occasion but other than that it stays pretty much the same.

 

Exploit Type:

In the first 3 Pcaps there were all 3 types of exploits, Flash , Silverlight , and Java Applet.

Java

Unless I’m missing something after November 02, 2014 15:50:34 the Java was no longer used.

Silverlight:

Starting on April 01, 2015 18:44:24 thru February 15, 2016 14:06:51 the Silverlight code was missing from most of the Pcaps.

In July 03, 2015 11:14:44 we see it show up in section 4.

SilverLight

On 2016-02-19 we find that it was moved to a  new Section 6.

 

SilverToSect6

Payload Section ?

What I believe is the payload section comes in 2 flavors ,Scripts or what I’m calling, do to a lack of a better name of K33N this one has 2 encoding types. If someone has a better name please let me know.

The scripts were used up to July 23, 2015 13:50:21 exclusively until my type K33N Type 1 showed up.

The script looks like this.

Script1

This first part I believe is the payload that gets decoded later.

The second part consist of 2 hex encoded scripts, 1 Java script and 1 VBScript.

Script2

This is what the java script looks like encoded (above) and after decoding (below).

JavaAfter

Even after decoding the VBScript one it is still rather obfuscated and hard to follow along with at first so I won’t show it here.

Here we see my K33N Type 1 encoding.

K33NType1

I only logged 3 of that type and then they Moved to Type 2 at  August 13, 2015 08:00:06.

K33N2

Once you decode this section you see this.

K33N2-Dec

Even once you decode down to this level there are (at least) still 3 more decode functions to fully decode this section. I believe the payload is contained in this section but have not had the time yet to verify it.

Above we see that this is variable “a” (section 3)  later on it is moved to variable “b” (section 4)  and the script around it changes some.

In the Pcap on April 22, 2016 08:00:47

we see yet another major change in this section.

The Encoded part looks similar to the older Type 2.

NewK33N 

We get a surprise once it is decoded.

K33NType2-B

Although more of the code is showing that is readable there are still more parts that get decoded to get the full picture  Including the section shown below.

It appears as though more of the code was not put into the Base64 encoded section.

B64Section

In this newer type this section is smaller which tells me that part of this code was in this Base 64 section in the older versions and possibly even the decoding key that other researchers have found using dynamic analysis and posted about.

Well that’s it for now there is still a lot of data here to go thru and lots more sections to decode to get a full view of the code. Attempting to decode this is not for the easily deterred, you just keep finding layer after layer of encoded sections.

I hope someone gets something useful out of all of this.

 

 

Posted in Malware, Networking, security | Tagged , | 2 Comments

How Does JavaScript Right Shift Zero Fill Work

I have converted several online Classic cipher tools from Java Script, Python, C, and C++ to VB.Net for some of my projects.

I will at times create small projects to get a better understanding of how a certain function works given different input.

In this project I needed to understand how the Java Script “>>>” Right shift zero fill worked for a function I’m trying to convert.

The closest I got to an explanation was this https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Bitwise_Operators

If the number input was “Positive” then it was just a normal right shift operation that should be found in just about any programming language.

If the number was “Negative” then it starts getting more complicated.

If we look at the simple example they have there.

BorrowedExample

In my test program we see.

NineShit2

We start by converting the negative number to a positive.

Get the binary bits for the number

Flip the bits , what was a “1” is now a “0” and what was a “0” is now a “1”.

Next we trim the right side 2  bits for the shift amount of 2. That only leave us with 2 bits left.

If we convert that back to a Integer then we end up with “1”.

As we’ve seen above in the borrowed example and my test program the expected result is not “1” but “1073741821”. So what else do we have to do ?

Well, this function is based on 32 “Bits” , so.

We subtract the shift amount from 32 and get 30.

Since there are 2 bits left we subtract 2 from 30 and get 28

Next we pad the left side of the remaining bits with 28 “1’s” .

Finally  we convert the binary string back to Integer or Long.

The amount of bits to fill is, (32- Shift Amount) – remaining bits or in this case
(32-2 = 30) –2 bits left = 28.

Now what if we want to shift more than 4 which is the the number of bits for “9”,
“1001” for the Positive value and “0110” for the Flipped bit version.

Then we pad the left side with bits equal to the amount left needed to equal the shift length. For instance we start with 4 bits and want to shift 5 then we pad 1 bit to the left.

Now when we get done shifting there are no bits left . Or we could just say if the shift amount is greater than the available bits then the remaining bits is “0”.

As we see the math above, in this case it would be (32 –5 = 27) – 0 since there are no bits left.

So we end up with 27 “1’s” , “111111111111111111111111111” , convert back to Integer or Long and end up with 134217727 which is the result we were expecting.

NineShift5

During the research of this process, I created some test data from Html/JavaScript to test my program with. After compiling this data and viewing the bits it was easier to see the relationship for the the length and the amount of bits we are working with.

TestData

I randomly chose those numbers to give a wider variety and lengths to work with.

After testing every number and shift on the list, my program agreed with the results shown above.

The bottom set is the last set I was testing once I started asking myself what happens when the shift is greater than the bits available.

In conclusion, the name of this function is a little misleading. When I fist started testing I was trying to “Zero Fill” the left side, taking it literally. That was not working.

After several try’s and building the test data is became clear on how it worked.

I hope this saves someone else several days of testing.

Posted in Programming | Tagged | Leave a comment

2016-03-30 – TRAFFIC ANALYSIS EXERCISE – MARCH MADNESS

Here is another “Malware Traffic Exercise”.

The Scenario:

The last company we were working for at Cupids Arrow in one of the last exercise went bankrupt and do to needing  a job we accepted the offer from the former owners to work for their new company but this time we are working alone and with less resources than before.

At least we don’t have  Sven staring at us.

The System:

Filter used: “bootp.fqdn.name”

Client name: Rockword-PC
Client MAC address: Micro-St_a6:fb:ce (00:1d:92:a6:fb:ce)
Your (client) IP address: 10.21.101.121 (10.21.101.121)

In this one we have a large Pcap file and a screenshot of the alerts generated.

2016-03-30-traffic-analysis-exercise-image-03

Here we see several alerts coming from several different IP’s so we will just have to go down the list and check them all out.

Alert list and filters used , some of my initial notes.

ip.addr eq 198.154.248.183 and (http.request or http.response) Link from Google search.
ip.addr eq 85.93.0.34 and (http.request or http.response)  First redirect using flash.
ip.addr eq 185.46.11.245 and (http.request or http.response) This is Angler EK
ip.addr eq 23.211.235.162 and (http.request or http.response)  Getting currency rates.
ip.addr eq 82.141.230.141 and (http.request or http.response)  2 packets, 1 POST 1 Response ok
ip.addr eq 171.35.182.56 and (http.request or http.response)  POST and 404 replies using hidden Base64 encoded string.
ip.addr eq 103.234.36.148 and (http.request or http.response)  Down;oad a downloader program.
ip.addr eq  104.193.252.234 and (http.request or http.response) not real sure what this one is doing.
ip.addr eq  89.163.241.90 and (http.request or http.response) Not Sure, more ad’s ??
ip.addr eq  162.244.32.122 and (http.request or http.response)  More ad’s ??
ip.addr eq  162.244.32.121 and (http.request or http.response) more ad’s / BDEP ??
ip.addr eq  85.25.41.95 and (http.request or http.response) more.
ip.addr eq  143.95.32.93 and (http.request or http.response)  GameBuilder ??
ip.addr eq  68.177.32.113 and (http.request or http.response) Strange. Encoded /XOR ed escaped string.

As we can see here we got quite a few alerts to deal with but I will start with something that did not make the alert list.

Is this screenshot we see some “Gif89a” files with something called Xmp Data in them. This is the first time I’ve noticed them. A quick search tells us it is supposed to be for metadata for the file.

Gif-Xmp

There is an exploit that can use this section for crashing the viewing application and the amount of spaces and return characters in between the opening and closing tags for this type seems excessive to me. More research on this certain file will need to be done.

The first 3 look similar and are all served up by the roadrunner email client that was used most likely from the advertisements used in it. Packets 3542, 3833 and 3890.

But the last one looks like this which is more like what the description here at http://www.vurdalakov.net/misc/gif/netscape-buffering-application-extension makes it sound like it is supposed to be like. The search term used to find that link was “Extension label: Application (0xff)”

The Wireshark filter used to find just those 4 was “image-gif.extension.label == 0xff”

Normal

After all of the email stuff we next see a click on a link from a Google search.

The Google link leads us to thingstodo.viator[.]com: type A, class IN, addr 198.154.248.183

Packet 7892 is our Get request and we next land at the Response in packet 8009.

Wow a lot of traffic has went by already.

Here  we have a compression failed error  in Wireshark but we can still see the information at the end of the page by following the TCP Stream.

FlashRedirect1

We see 2 get request  packets. One at packet 9696 that downloads a flash file packet 9745 does some form of base 64 decoding and the send out a link to another site.

The get request for packet 9809 is exactly like the one from with the exception, except  that “/index.php” is tacked on to the end which we get redirected again at packet 9913 to http:[//]fireman.carsassurance[.]info/topic/82711-crammer-warder-wept-scenically-wad-difficult-sparingly/’

This leads us to packet 9957 and the response is at packet 10198 which is indeed the Angler EK.

AnglerTraffic

If we view the traffic here associated with the Angler EK we see at packets 9957 and 10205 they are associated with the first flash file that directed us to the exploit kit. 9957 is the get request for the Angler EK landing page and 10205 appears to be a encoded form of base 64 with some data in it. In packet 102011 we have the get request for the Flash file from the Angler EK and in packet 111201 we have a encrypted payload which is most likely decoded by the Flash file.

This in turn leads us to the next Alert at packet 11766 and the response at 11844 which is some currency rates. The alert suggest that it may be a connectivity beacon.

The next alert in packets 11854 and 11863 appear to be from the malware sending data using a base64 encoded string using a post request.

The next alerts at packet 14212 and IP 171.35.182.56 are listed as ETPRO TROJAN Win32/Neutrino checkin 4 .

HiddenDataPost

If we take a closer look at this traffic this is hidden communications with the Command and control server.

CNCTraffic

This traffic is using a Post and 404 Not found pages to pass information back and forth.

The 404 traffic is hiding base 64 string in comment fields.

This leads us to the next alert where this traffic is downloading a binary file named domand756.exe

our next alert is for IP 104.193.252.234 I’m still not totally sure what this is doing but appears to be sending some host information.

FirstUnknown

If we look at these DNS request, back to back right after the EXE was downloaded it would suggest that the calls was made from the malware.

If we look at the malware using PE Studio and look at the Virus total report it has several different names.

PeStudioVirustotal

We see traffic in the alerts for the Bedep  server response from

We also see query’s for NPT servers in several locations and using 2 different Google DNS servers.

NPTQuerys

Here is the traffic associated with what the alerts is saying is the CnC traffic

moregoodstafsforus.com: type A, class IN, addr 85.25.41.95
jimmymorisonguitars.com: type A, class IN, addr 89.163.241.90
daytonamagik.com: type A, class IN, addr 162.244.32.122
bookersmartest.xyz: type A, class IN, addr 162.244.32.121
lovelyroomsforday.com: type A, class IN, addr 104.193.252.234
kjnoa9sdi3mrlsdnfi.com: type A, class IN, addr 89.163.240.118

Each one calls out and and ends up with “HTTP/1.1 302 Moved Temporarily”

Looking at these they all call out to http[:]//popcash[.]net/world/go/103680/204726
Which is a Popup advertiser.

All of the above appear to be doing the cascading calls. the last on in the list is using the same type of calls but is calling out to http[://]c.feed-xml[.]com which is another ad network.

In packets 14847 and 14925 we see that the popcash is directing to a online game

location: http[:]//track.diginews[.]pw/f8a38426-2a48-4dd4-817e-3b521b9af37d?siteid=204726&country=US\r\n

In packets 15003 and 15028 IP: 68.177.32.113 we se another redirect from popcash to the Fake POP Up alert. (part of the decoded source below)

FakeAlert

This also at the bottom of the script direct to histats.com

HitStats

s4.histats.com: type A, class IN, addr 184.173.167.98
s4.histats.com: type A, class IN, addr 208.43.241.178
s4.histats.com: type A, class IN, addr 208.43.241.179
s4.histats.com: type A, class IN, addr 208.43.241.181

The last alert Listed is another Redirect from popcash to a adult site.

Referer: http://popcash%5B.%5Dnet/world/go/103680/204726/

Full request URI: http://xxxsexcamera%5B.%5Dclub/

There is more traffic that did not make the alert list from popcash and the redirects associated with them.

In conclusion this infection generated a lot of traffic and no doubt dropped several files on the infected system. I’m also sure that a lot of windows popped up at the time.

Recommendations :

Follow up with the user and clean the system or do a clean install.

Posted in Malware, Networking, security | Tagged , | Leave a comment

2016-03-24 – ANGLER AND NUCLEAR EK KICKED OFF BY SAME COMPROMISED SITE

In this Traffic we get the chance to look at 2 infections from the same site, but I will concentrate mainly on the exploit kits themselves and the similarities between them noticed while looking at the decoded source code.

You can find Pcap for this Here,

http://www.malware-traffic-analysis.net/2016/03/24/index.html

I may still be fairly new at network traffic analysis but I’m not that new to viewing various types and “Styles” of code.

Although I have been looking at Angler EK for over a year now this is my first look at the Nuclear EK.

We first look at the exploited or compromised website to view the code that will redirect us eventually to the exploit kit of choice for this compromise. For some reason they chose to infect this site twice with 2 different exploit kits. Perhaps the infections are automated and not being checked for any previous infections, or perhaps it was a race to see who’s kit infected first.

Here is a view of the code from the compromised page.

compromisedsitecodepng-B

As we can see here they chose not to obfuscate the redirect for the Nuclear EK but did for the Angler EK.

If we look at the final landing page for both we can see a similar encoding style.

Angler EK

AngularLandingScript

Nuclear EK

NuclearLandingScripte

Both of these use a Modified Base64 decoding scheme but the Angler EK also requires an embed decryption key to decode the sections used.

The current Angler EK with the Flash and the Silverlight exploits have 6 sections that get decoded along with another section that the parameters get decoded from using a different encoding scheme. The nuclear EK in this one only has 2 large sections that get decoded.

Here we also see that the Nuclear EK is employing reversed strings to obfuscate what it is doing and to help hide from string searches.

NuclearRevStr

If we look at this post from FireEye entitled,

“ANGLER EXPLOIT KIT USING K33NTEAM’S OCTOBER INTERNET EXPLORER USE AFTER FREE”

https://www.fireeye.com/blog/threat-research/2015/02/angler_exploit_kitu.html

We can see some similarities of what is used here.

Angler EK

AngularFlash

Nuclear EK

NuclearFlash

The layout for the Angler EK is more alike to the screenshots in the blog article but both are serving up a flash exploit. Also notice the object Id has moved to the left side in this version of the Angler EK.

Looking at the embedded exploit for angler we see it is again very similar to the above mentioned blog article but it is showing more code to decode this section.

AngularExploitPNG 

 

In the Nuclear EK version we see a little different decoding scheme.

NuclearExploit

This version can “currently” be decoded with a standard bas64 decoder.

Once we get these decoded then we start seeing the similarities again but they are not exact. In these 2 screenshots we see, based on reading other articles, what may be the final encrypted payload.

Angular EK

AngularPayload 

Nuclear EK

NuclearPayload

As we have see so far these are highly obfuscated and highly complicated Exploit kits.

The modular nature of them allows for semi-quick changes in the payload and the kit builder most likely employs  the ability for randomize naming of the variables to make it more difficult for a researcher to follow along from one infection to the next.

In conclusion these kits are very complicated and not easily decoded and I am far from discovering all of the secrets they have to offer. Every time you think you figured it out you find yet another layer of encryption/obfuscation. This is more than enough to put off all but the most dedicated of researchers. Also in order to stay ahead of detections they often change various aspects of the encoding scheme to throw off any signatures that may be generated for them and to break tools designed to decode them.  This post is a little shorter than normal.

Thanks for reading if you made it this far.

Posted in Malware, Networking, security | Tagged , , | Leave a comment