Didier Stevens

Monday 29 February 2016

More Obfuscated MIME Type Files

Filed under: maldoc,Malware,My Software,Update — Didier Stevens @ 20:57

Iā€™m providing a 2-day training at Brucon Spring Training 2016: ā€œAnalysing Malicious Documentsā€œ. Use promo-code SPRING16 for a 10% discount.

I received a maldoc sample (MD5 FAF75220C0423F94658618C9169B3568):

20160229-213357

You can see it’s a MIME Type file, and that it is obfuscated. The second line is a very long line of seemingly random letters and digits. This throws of Python’s MIME parser used by my emldump tool:

20160229-214123

emldump just detects this as a text file, and not as a multipart MIME Type file.

If we remove that second line, for example with findstr /v (or grep -v), emldump recognizes the different parts:

20160229-214500

Since obfuscated MIME Type files are becoming more and more prevalent, I’m adding a filter option to emldump to filter out lines that obfuscate the MIME Type files. For the moment, option -f throws out lines longer than 100 characters and header lines that are not fields (just like option -H).

This new version of emldump.py detects some (simple) types of obfuscation:

20160229-215458

And with option -f you can filter out these obfuscating lines:

20160229-215704

Download:

emldump_V0_0_7.zip (https)
MD5: 819D4AF55F556B2AF08DCFB3F7A8C878
SHA256: D5C7C2A1DD3744CB0F50EEDFA727FF0487A32330FF5B7498349E4CB96E4AB284

Sunday 28 February 2016

Update: translate.py Version 2.2.0 for Locky JavaScript Deobfuscation

Filed under: maldoc,Malware,My Software,Update — Didier Stevens @ 10:45

Over at the ISC Diary I have an entry on Locky JavaScript Deobfuscation. I use my translate tool to perform part of the static analysis.

When you read this diary entry, you’ll see that I have to create 2 Python scripts to be used by translate.py to search with a regular expression and replace all matches with the output of a Python function.

I updated translate.py so that I don’t have to create Python scripts for this regex search-and-replace, but that I can do it from the command-line with a new option. This new option (-r, –regex) takes a regular expression and does a search-and-replace.

Here are the 2 “scripts” using this new option:

translate.py -r "\([^\\\(]+\\u([0-9a-f]{4})[a-z]+'\.e\(\)\)" "lambda oMatch: chr(39) + chr(int(oMatch.group(1), 16)) + chr(39)"
translate.py -r "('[^']*' ?\+ ?)+'[^']*'" "lambda oMatch: chr(39) + eval(oMatch.group(0)) + chr(39)"

If you just want to do a search-and-replace, you can use a constant regex and lambda function, like this (replace False with True):

translate.py -r "False" "lambda oMatch: 'True'"

translate_v2_2_0.zip (https)
MD5: D561D9987A3E5264E40A4B5C4057A732
SHA256: BC532BD5C7DD86DCADDF7B7B9A34453E983E226E103E0591E7D480BB43C350E0

Wednesday 10 February 2016

Create Your Own CMD.XLS

Filed under: Hacking,My Software — Didier Stevens @ 0:00

For several years now I’ve been using my modified cmd.exe from Excel.

20160209-232633

I’m not releasing this spreadsheet with my cmd code, but I release the VBA code. You can create your own spreadsheet (or Word document) with this VBA file. If you don’t know how, here’s a video:

Tuesday 9 February 2016

Overview of Content Published In January

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in January:

Blog posts:

YouTube Videos:

SANS ISC Diary entries:

Sunday 7 February 2016

Update: numbers-to-hex.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 9:21

A bugfix.

numbers-to-hex_V0_0_2.zip (https)
MD5: 911D2BF2EC0839DD595C48FF4BE5E979
SHA256: 41D5B19E401516CB134521E1F6973A16DBFE491303BD93429EEBE55C0B3AFEF6

Blog at WordPress.com.