When I first started working with exploit kits I started with Angler EK.
I was learning how the redirect from the compromised site worked and building tools to decode them. Once you get to the exploit kit landing page then the work really begins. There were several different encodings and encryptions used to conceal what was on the landing pages.
With that much data to go through, I did not work much with the flash files, as most of my spare time was spent trying to figure out a new encoding for the landing page or the PHP redirect and then building tools to quickly decode them.
Now that I have a little more experience and more tools in my toolbox I decided to go back and take a look at a later version of the flash file before they disappeared from the internet.
Our first sample is from here: http://www.malware-traffic-analysis.net/2015/07/08/index.html
We see the layout of the flash file and how obfuscated it is.
Anything with “this.Var_1.” gets a replacement.
Now if we skip forward in time to this one http://www.malware-traffic-analysis.net/2016/04/28/index.html and take a look at the PCAP file we see that there are 2 different flash files downloaded.
Let's take a look at the first one.
We first see a picture file and no binary data file.
We also notice that there are only 3 script files in this one.
Hmm, looks like it might be working with a picture file.
What are these numbers as a string?
This looks like it might do something. Let's save this and take a closer look with Notepad++.
Even obfuscated, you can see what this third section does. This is an RC4 decryption that uses “&” instead of “%” 255. (I’ve seen both used in different decoders.)
Now let's do the replacements and see what this looks like.
This first part is getting us set up; I’m mainly just showing it with the replacements.
Here you may be able to see my notes. Method_1 will kick things off and call the function to get and extract the data from the picture file then it passes that data to method_2 to do the decoding using the key from function “lII1I1()”. It will then load the bytes returned and go from there.
Here we see it gets the picture data using the built in function to work with bitmap data.
It will create one loop inside another to extract the data, using the height and width as the upper limits for the two different index values.
It will next get the first pixel at position 0,0, convert the RGB values into an integer value, and then “&” it with “16777215” to use as an output data length limit.
This will keep looping through until it gets all of the data into a new byte array.
It then runs it through the RC4 decryption to decode.
Now we have enough information to build a new tool.
This tool is simple. We select the Picture file, input the extracted key string and click a button and it returns the decoded hex output.
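To make the pixel-walk and the RC4 step described above concrete, here is a Python version of such a decoder. It is an added example, not the exploit kit's ActionScript and not the tool built for this post. The post does not say how many payload bytes each pixel carries or in what order the pixels are read, so the layout used here (three bytes per pixel packed as R, G, B, read row by row after the length pixel at 0,0) and all function names are assumptions; the `& 16777215` length mask and the `& 255` index wrap in RC4 are the two details taken from the post. The sample image is constructed in-memory so the script runs offline.

```python
# Added example: steganographic payload extraction plus RC4 decryption in the
# style the post describes. Not the exploit kit's own code; the pixel layout
# (3 payload bytes per pixel, row-major traversal) and the names are assumptions.

from typing import List, Tuple

Pixel = Tuple[int, int, int]          # (r, g, b), each 0..255
Image = List[List[Pixel]]             # rows of pixels, image[y][x]

MASK_24 = 16777215                    # 0xFFFFFF, the constant from the post


def pixel_to_int(px: Pixel) -> int:
    """Pack an RGB triple into one 24-bit integer (R is the high byte)."""
    r, g, b = px
    return ((r << 16) | (g << 8) | b) & MASK_24


def extract_payload(image: Image) -> bytes:
    """Walk the bitmap with nested loops bounded by height and width.
    Pixel (0,0) carries the payload length; every following pixel
    contributes three bytes until that length is reached (assumed layout)."""
    height = len(image)
    width = len(image[0]) if height else 0
    length = pixel_to_int(image[0][0]) & MASK_24   # output length limit
    out = bytearray()
    for y in range(height):
        for x in range(width):
            if y == 0 and x == 0:
                continue                           # length pixel, not data
            if len(out) >= length:
                return bytes(out[:length])
            v = pixel_to_int(image[y][x])
            out.extend(((v >> 16) & 255, (v >> 8) & 255, v & 255))
    return bytes(out[:length])


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4. The index wrap uses '& 255', as the decoder in the post does,
    which for a 256-entry state box is the same as '% 256'."""
    s = list(range(256))
    j = 0
    for i in range(256):                           # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 255
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for c in data:                                 # keystream generation
        i = (i + 1) & 255
        j = (j + s[i]) & 255
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 255])
    return bytes(out)


def decode_image(image: Image, key: str) -> bytes:
    """The whole pipeline: pixels -> byte array -> RC4 -> decoded bytes."""
    return rc4(key.encode(), extract_payload(image))


def is_swf(data: bytes) -> bool:
    """Uncompressed ('FWS'), zlib ('CWS') or LZMA ('ZWS') SWF signature."""
    return data[:3] in (b"FWS", b"CWS", b"ZWS")


# Constructed sample (not from the post): embed an RC4-encrypted blob into a
# small image using the same assumed layout so the decoder can be exercised.
def build_sample_image(plaintext: bytes, key: str, width: int = 8) -> Image:
    blob = rc4(key.encode(), plaintext)            # RC4 is symmetric
    padded = blob + b"\0" * (-len(blob) % 3)
    pixels = [((len(blob) >> 16) & 255, (len(blob) >> 8) & 255, len(blob) & 255)]
    for k in range(0, len(padded), 3):
        pixels.append(tuple(padded[k:k + 3]))
    while len(pixels) % width:
        pixels.append((0, 0, 0))                   # filler pixels past the payload
    return [pixels[i:i + width] for i in range(0, len(pixels), width)]


SAMPLE_KEY = "example-key"                                      # constructed
SAMPLE_PAYLOAD = b"FWS\x0a" + b"\x00" * 12 + b"demo swf bytes"  # constructed

if __name__ == "__main__":
    img = build_sample_image(SAMPLE_PAYLOAD, SAMPLE_KEY)
    decoded = decode_image(img, SAMPLE_KEY)
    print(decoded.hex())
    print("looks like a SWF:", is_swf(decoded))
```

The `is_swf` check stands in for the "paste it into a hex editor and look at the header" step: an uncompressed SWF starts with `FWS`, so a decoder can flag a successful decode without a manual round trip. To use this on a real capture you would replace `build_sample_image` with a loader that reads the picture file into the same row-of-(r,g,b) structure and experiment with the per-pixel byte order until the header appears.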
Next we just copy paste this into a hex editor to see what we have, and as you can see it is another flash file.
We now save this in the hex editor as a swf file.
After opening it up in JPEXS Free Flash Decompiler we see that this is a large file.
There is a lot going on in this one and it will take some time to work my way through it.
I went through another one from later and it was much smaller, so this may have still been in development mode. The later version also used the same decoding function but a different decryption key.
That’s it for this one.
Thank you for reading.