Didier Stevens

Sunday 28 February 2016

Update: translate.py Version 2.2.0 for Locky JavaScript Deobfuscation

Filed under: maldoc,Malware,My Software,Update — Didier Stevens @ 10:45

Over at the ISC Diary I have an entry on Locky JavaScript Deobfuscation. I use my translate tool to perform part of the static analysis.

When you read this diary entry, you’ll see that I have to create 2 Python scripts to be used by translate.py to search with a regular expression and replace all matches with the output of a Python function.

I updated translate.py so that I don’t have to create Python scripts for this regex search-and-replace, but that I can do it from the command-line with a new option. This new option (-r, –regex) takes a regular expression and does a search-and-replace.

Here are the 2 “scripts” using this new option:

translate.py -r "\([^\\\(]+\\u([0-9a-f]{4})[a-z]+'\.e\(\)\)" "lambda oMatch: chr(39) + chr(int(oMatch.group(1), 16)) + chr(39)"
translate.py -r "('[^']*' ?\+ ?)+'[^']*'" "lambda oMatch: chr(39) + eval(oMatch.group(0)) + chr(39)"

If you just want to do a search-and-replace, you can use a constant regex and lambda function, like this (replace False with True):

translate.py -r "False" "lambda oMatch: 'True'"

translate_v2_2_0.zip (https)
MD5: D561D9987A3E5264E40A4B5C4057A732
SHA256: BC532BD5C7DD86DCADDF7B7B9A34453E983E226E103E0591E7D480BB43C350E0

Sunday 24 January 2016

Update: emldump.py Version 0.0.6

Filed under: Malware,My Software,Update — Didier Stevens @ 10:32

A small update to emldump.py to handle (intentionally) malformed MIME files.


More details in my SANS ISC Diary entry “Obfuscated MIME Files”.

emldump_V0_0_6.zip (https)
MD5: 682793840D895E473647F2A1F85A9867
SHA256: D76BADF2A332C3417BB7DD46B783CE90757DD76648D2313083982BFD74902C41

Friday 22 January 2016

BlackEnergy .XLS Dropper Puzzle

Filed under: Malware,Puzzle — Didier Stevens @ 0:00

Over at the ISC diary I posted an entry with a puzzle to help you to practice the extraction of an embedded file in a spreadsheet.

This is the image I embedded:


Thursday 7 January 2016

BlackEnergy .XLS Dropper

Filed under: maldoc,Malware — Didier Stevens @ 0:00

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“.

I analyzed the spreadsheet (97b7577d13cf5e3bf39cbe6d3f0a7732) used in the recent BlackEnergy attacks against Ukrainian news media and electric industry.

numbers-to-hex_V0_0_1.zip (https)
MD5: 9050768633DDADF34900DAB0061F3B24
SHA256: 00B099F3939251F2027F2705AD08AE352C0FC447C86EB3271721FB2935CF71B6

hex-to-bin_V0_0_1.zip (https)
MD5: 18FC870888B333D8B081CE3E31428A1B
SHA256: 17B4257C6951C792FFE64EDDDFF20674AD07DE2699EF066BDF7A548DA09E6592

Monday 28 December 2015

Maldoc GET Range

Filed under: maldoc,Malware — Didier Stevens @ 13:06

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“.

I analyzed a malicious document (365a04140b3abe71c6cb4248d5bbbb57a172f37fe878eec49dc90745f5c37ae3) that does something I hadn’t seen done before in VBS.

This maldoc drops a VBS script, that proceeds to download an executable. The PE file is XOR-encoded and embedded in a valid JPEG file. Here is the image:


Look at the obfuscated code:


Notice SetRequestHeader: This code is using HTTP and is adding something to the headers. Here is the deobfuscated code:


This code is downloading a picture (wp.jpg), but not the complete picture. It sets a header (Range: bytes=28141-) to download only the XOR-encoded PE file hidden in the JPEG image.


Saturday 7 November 2015

Analysis Of An Office Maldoc With Encrypted Payload: oledump plugin

Filed under: maldoc,Malware,My Software,Reverse Engineering — Didier Stevens @ 0:00

After a quick and dirty analysis and a “slow and clean” analysis of a malicious document, we can integrate the Python decoder function into a plugin: the plugin_dridex.py

First we add function IpkfHKQ2Sd to the plugin. The function uses the array module, so we need to import it (line 30):


Then we can add the IpkfHKQ2Sd function (line 152):


And then we can add function IpkfHKQ2Sd to the list in line 217:


This is the code that tries different decoding functions that take 2 arguments: a secret and a key.

I also added code (from plugin_http_heuristics) to support Chr concatenations:


The result is that the plugin can now extract the URLs from this sample:


oledump_V0_0_19.zip (https)
MD5: DBE32C21C564DB8467D0064A7D4D92BC
SHA256: 7F8DCAA2DE9BB525FB967B7AEB2F9B06AEB5F9D60357D7B3D14DEFCB12FD3F94

Friday 6 November 2015

Analysis Of An Office Maldoc With Encrypted Payload (Slow And Clean)

Filed under: maldoc,Malware,My Software,Reverse Engineering — Didier Stevens @ 0:00

In my previous post we used VBA and Excel to decode the URL and the PE file.

In this  post we will use Python. I translated the VBA decoding function IpkfHKQ2Sd to Python:


Now we can decode the URL using Python:


And also decode the downloaded file with my translate program and the IpkfHKQ2Sd function:




Thursday 5 November 2015

Analysis Of An Office Maldoc With Encrypted Payload (Quick And Dirty)

Filed under: maldoc,Malware,My Software,Reverse Engineering — Didier Stevens @ 0:00

The malicious office document we’re analyzing is a downloader: 0e73d64fbdf6c87935c0cff9e65fa3be

oledump reveals VBA macros in the document, but the plugins are not able to extract a URL:


Let’s use a new plugin that I wrote: plugin_vba_dco. This plugin searches for Declare statements and CreateObject calls:


In the first half of the output (1) we see all lines containing the Declare or CreateObject keyword. In the second half of the output (2) we see all lines containing calls to declared functions or created objects.

Although the code is obfuscated (obfuscation of strings and variable names), the output of this plugin allows us to guess that Ci8J27hf2 is probably a XMLHTTP object, because of the .Open, .send, .Status, … methods and properties.

The Open method of the XMLHTTP object takes 3 parameters: the HTTP method, the URL and a boolean (asynchronous or synchronous call):


As we can see, the third parameter is False and the first 2 parameters are the return value of a function called IpkfHKQ2Sd. This function takes 2 parameters: 2 strings. The first string is the result of concatenated Chr functions, and the second string is a literal string. Since the Open method requires the HTTP method and URL as strings, is very likely that function IpkfHKQ2Sd is a decoding function that takes 2 strings as input (meaningless to us) and returns a meaningful string.

Here is the original IpkfHKQ2Sd function. It’s heavily obfuscated:


Here is the same function that I deobfuscated. I didn’t change the function name, but I removed all useless code, renamed variables and added indentation:


We can now see that this function uses a key (sKey) and XOR operations to decode a secret string (sSecret). And now we can also see that this is just a string manipulation function. It does not contain malicious or dangerous statements or function calls. So it is safe to use in a VBA interpreter, we don’t need to translate it into another language like Python.

We are going to use this deobfuscated function in a new spreadsheet to decode the URL parameter:


In the VBA editor of this new spreadsheet, we have the deobfuscated IpkfHKQ2Sd function and a test subroutine that calls the IpkfHKQ2Sd function with strings that we found in the .Open method for the URL argument. The decoded string returned by function IpkfHKQ2Sd is displayed via MsgBox. Executing this test subroutine reveals the URL:


Downloading this file, we see it’s not a JPEG file, but contrary to what we could expect, it’s neither an EXE file:


Searching for .responseBody in the VBA code, we see that the downloaded file (present in .responseBody) is passed as an argument to function IpkfHKQ2Sd:


This means that the downloaded file is also encoded. It needs to be decoded with the same function as we used for the URL: function IpkfHKQ2Sd (but with another key).

To convert this file with the deobfuscated function in our spreadsheet, we need to load the file in the spreadsheet, decode it, and save the decoded file to disk. This can be done with my FileContainer.xls tool (to be released). First we load the encoded file in the FileContainer:



FileContainer supports file conversion: we have to use command C and push the Process Files button:


Here is the default conversion function Convert. This default function doesn’t change the file: the output is equal to the input:


To decode the file, we need to update the Convert function to call the decoding function IpkfHKQ2Sd with the right key. Like this:


And then, when we convert the file, we obtain an EXE file:


This EXE turns out to be Dridex malware: 50E3407557500FCD0D81BB6E3B026404

Remark: reusing code from malware is dangerous unless we know exactly what the code does. To decode the downloaded file quickly, we reused the decoding VBA function IpkfHKQ2Sd (I did not translate it into another language like Python). But to be sure it was not malicious, I deobfuscated it first. The deobfuscation process gave me the opportunity to look at each individual statement, thereby giving me insight into the code and come to the conclusion that this function is not dangerous. We could also have used the obfuscated function, but then we ran the risk that malware would execute because we did not fully understand what the obfuscated function did.

Translating the obfuscating function to another language doesn’t make it less dangerous, but it allows us to execute it in a non-Windows environment (like Linux), thereby preventing Windows malware from executing.

Monday 21 September 2015

PDF + DOC + VBAs Videos

Filed under: Malware,PDF — Didier Stevens @ 10:46

I produced videos showing how I created my “Test File: PDF With Embedded DOC Dropping EICAR” and how to change the settings in Adobe Reader to mitigate this.

Thursday 13 August 2015

Update: pdf-parser Version 0.6.4

Filed under: Malware,My Software,PDF,Update — Didier Stevens @ 0:00

In this new version of pdf-parser, option -H will now also calculate the MD5 hashes of the unfiltered and filtered stream of selected objects, and also dump the first 16 bytes. I needed this to analyze a malicious PDF that embeds a .docm file.


As you can see in this screenshot, the embedded file is a ZIP file (PK). .docm files are actually ZIP files.

pdf-parser_V0_6_4.zip (https)
MD5: 47A4C70AA281E1E80A816371249DCBD6
SHA256: EC8E64E3A74FCCDB7828B8ECC07A2C33B701052D52C43C549115DDCD6F0F02FE

« Previous PageNext Page »

Blog at WordPress.com.