This will be the first in a series (1 of x) that I was hoping to stuff into a 30 minute talk at DerbyCon 2017.
In hindsight, it would be better suited to an informal training session where questions could be asked.
Those that have read my posts, or for whom I have decoded something, may know that my passion for decoding/decrypting exploit kits started while Angler EK was still “Top Dog”.
That is where I’m going to start.
Our sample is at http://www.malware-traffic-analysis.net/2015/12/21/index.html. We will be using sample #2 from this download because it has the redirect page.
In the screenshot from the link above you can see the code for the gate / redirect to the exploit kit. This is what we will start with here. This is packet 35.
After extracting the code from the infected page, this is the full script. You will have to zoom in to get a better look.
Don’t worry, we will be taking a closer look at each section.
If we look at the top section of the code we see this.
Here we see an encoded section of text that will only get decoded after the rest of the sections have been decoded.
Next we have this large section of “var” declarations; these will be built up for later replacement in the functions below.
Looking at the green highlighted variables we can first see that each is declared with “var”, then each element is tacked on as it gets evaluated.
As we can see here, our first letters work out to “fu”.
The first few times I did this I did it all by hand: all of the math and all of the hex to char code conversions. After that I started developing tools to deal with this obfuscation.
In this screenshot what I chose to do, still being new to this, was to save the “var”s to a file and import them into the “Get Vars” program. What this does is search through the lines of vars and get a unique list of variable names. I first select a variable name from the dropdown list and then click the “Get Var Val” button to get the associated variables that get added together.
Due to the complexity at the time, I chose to split the decode function out into another program. So in “Script Decode 2” we can see what those variables evaluate to. After doing several of these I had verified that we didn’t need to decode this section every time, so I did not put this all into one program.
So from here we continue on down the line and do all of the decoding for each variable name. If you look at the counter next to the names there are 59 unique variable names, so this will still take some time to do all of the decoding and replacements.
After doing all of the reassembling we end up with a variable list like this.
The next step is to do the variable replacements in the functions below.
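The two steps above (collect the unique var names, work out what each one concatenates to, then substitute the results into the function body) are exactly what a small script can automate. The following is an added example written for this post, not the author’s “Get Vars” / “Script Decode 2” tools, and the `var` lines and function body it works on are a constructed sample in the same style (string literals, `\x` escapes, `String.fromCharCode`, and earlier variable names added together), not code from the Angler capture.

```python
import re

# Constructed sample in the style the post describes (not the Angler capture):
# each "var" is assembled from literals, char codes and earlier vars, and the
# function body refers to the vars by name.
SAMPLE_VARS = r"""
var qz1 = "fu" + String.fromCharCode(0x6e);
var qz2 = qz1 + "cti" + String.fromCharCode(111, 110);
var qz3 = "\x64" + 'ocu' + "ment";
var qz4 = qz3 + "." + "getElementBy" + String.fromCharCode(0x49, 100);
var qz5 = qz4 + "('" + "payload" + "')";
"""
SAMPLE_FUNCTION = "qz2 run(){var d = qz5; return d.innerHTML;}"

# One "var name = expr;" statement per line.
VAR_RE = re.compile(r"^\s*var\s+([A-Za-z_$][\w$]*)\s*=\s*(.*?);\s*$", re.M)

# Pieces that may appear on the right-hand side, joined with "+".
TOKEN_RE = re.compile(
    r'"((?:\\.|[^"\\])*)"'               # double-quoted literal
    r"|'((?:\\.|[^'\\])*)'"              # single-quoted literal
    r"|String\.fromCharCode\(([^)]*)\)"  # char-code call
    r"|([A-Za-z_$][\w$]*)"               # reference to another var
)


def unescape_js(literal):
    """Decode \\xHH, \\uHHHH and simple backslash escapes in a JS literal."""
    def one(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        return m.group(3)
    return re.sub(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})|\\(.)", one, literal)


def from_char_code(args):
    """Evaluate String.fromCharCode(...) with decimal or 0x arguments."""
    return "".join(chr(int(a.strip(), 0)) for a in args.split(",") if a.strip())


def parse_vars(src):
    """Map each unique var name to its raw right-hand expression."""
    return {name: expr for name, expr in VAR_RE.findall(src)}


def resolve(name, table, memo, stack=()):
    """Concatenate the pieces of one var, resolving referenced vars first."""
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError(f"cyclic definition of {name}")
    parts = []
    for m in TOKEN_RE.finditer(table[name]):
        dq, sq, cc, ident = m.groups()
        if dq is not None:
            parts.append(unescape_js(dq))
        elif sq is not None:
            parts.append(unescape_js(sq))
        elif cc is not None:
            parts.append(from_char_code(cc))
        elif ident in table:
            parts.append(resolve(ident, table, memo, stack + (name,)))
        else:
            raise ValueError(f"{name}: unknown identifier {ident!r}")
    memo[name] = "".join(parts)
    return memo[name]


def resolve_all(src):
    """Decode every var in the block; returns {name: decoded string}."""
    table = parse_vars(src)
    memo = {}
    for name in table:
        resolve(name, table, memo)
    return memo


def substitute(body, values):
    """Replace whole-word var references in code with their decoded strings."""
    names = sorted(values, key=len, reverse=True)  # longest names first
    pattern = re.compile(r"(?<![\w$])(" + "|".join(map(re.escape, names)) + r")(?![\w$])")
    return pattern.sub(lambda m: values[m.group(1)], body)


def decode_sample():
    values = resolve_all(SAMPLE_VARS)
    return values, substitute(SAMPLE_FUNCTION, values)


if __name__ == "__main__":
    values, code = decode_sample()
    print(f"{len(values)} unique variable names")
    for name, val in values.items():
        print(f"{name} = {val!r}")
    print(code)
```

Running it lists the decoded value of each of the five sample vars and prints the function body with the names swapped out, which is the point at which the “fu” + “n” + … fragments turn back into readable keywords such as `function`. The resolver memoizes each name and tracks the chain it is in, so a var that refers to itself (directly or through others) is reported instead of looping forever, and an identifier that is not one of the collected vars is reported rather than silently dropped.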
After doing the replacements it is still not really clear what it is doing.
It will first check the browser being used and pass a parameter of “2” if it is IE.
If it is IE then, from the “div” above, it will get the data to decode and a decoding key.
And formatted a little better.
In order to build this tool I did have to step through the code several times in the IE debugger to fully understand how it worked.
Looking at several samples, even though some math parameters in the final decode function changed, they always worked out to the same end value after they were evaluated, so I could build a static decoder with just the key value and the encoded string.
And here is what my final decode function looked like in VB.NET.
This is still somewhat complicated. The “IeIdx” is 2 here, if you want to do the math.
The one thing about these “Kits / Builders” is that even though the variables may change, the underlying decoded function stays the same. This particular encoding has not been used since some time before Angler EK disappeared.
As complicated as this is, I would only have been able to show it quickly, along with what it looked like decoded, in a 30 minute talk.
The next post was going to be the landing page, but I’ve already written on that, so I will just add the link to it here so as not to repeat what I’ve done already.
There is a link in this post to the previous one on Angler also.
I’ll probably do a more recent Magnitude EK version for the next one. They have obfuscated the decoding a bit more than in my last post here: https://pcsxcetrasupport3.wordpress.com/2017/04/24/a-look-at-the-magnitude-exploit-kit-encoding/
That’s it for now, I hope this helps.