Example of obfuscated Malware hidden in JPEG

Last month I analyzed a weaponized Word document that came through e-mail. This is nothing special, I see these every day, but this one gave me something interesting to play with. The file https://www.virustotal.com/en/file/387ea7a4f82d7ba686ca8018684fd2fd803a9c05a4a47130845431d383d81b36/analysis/ launches the following VBS script: https://www.virustotal.com/en/file/fdf6b117b55302ecb7da95b68e9ca5e6882c12cbf41829dfb56688bb94595ea3/analysis/

The script performs HTTP traffic: GET http://ecovalduloir[.]com/fw[.]jpg (no longer available). When it was available, the file had an MD5 of bdd3cf6f227a368a5412f11a10831136; see https://www.virustotal.com/en/file/ce0e737d3eddbbb102867063f0b163d12358075691407542f9aecafa064538dc/analysis/

At first glance the JPEG looks OK; here is a screen capture of what the image looks like.

When we look at this file through a hex editor it becomes more interesting. Here is the beginning, which looks OK.

Here is a snippet a little further on.

At first glance this looks like it's XOR'd with key 73. To be sure, I go ahead and run XORSearch, a great tool by Didier Stevens (https://blog.didierstevens.com/programs/xorsearch/) that searches a file for a string under every single-byte XOR key. In my case I took a guess at a string that should be present in the decoded data and ran the following command.

./XORSearch -s fw.jpg "DOS mode"

This tells XORSearch to cycle through the different XOR keys and check whether the string "DOS mode" (part of the DOS stub message present in almost every Windows executable) appears in the file fw.jpg under any of them. The output I receive is:

Found XOR 73 position 1451: DOS mode....$

This tells me that 73 is the key under which the string "DOS mode" is found, which is interesting. XORSearch also writes a decoded version of the file as fw.jpg.XOR.73. Let's look at it in the hex editor again.

This looks like garbage, right? That's because the JPEG itself was never encoded to begin with; only the appended file was. Decoding the whole file with key 73 therefore scrambles the JPEG portion and clears the appended portion, so we need to go to the end of the JPEG and the beginning of the executable. Shown below:

Notice that our text from the XORSearch hit, "DOS mode", is found here; this is an easy way to locate the decoded file in the hex editor. To isolate the file we need to remove everything before the executable header, which starts with MZ, so I simply deleted everything prior, made MZ the start of my file and kept everything after it. I named this file test.exe for now. The result is a file with the MD5 hash of 5ba714dfafde422bdd5566893ee704a2
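The same workflow (brute-force the single-byte XOR key against a known plaintext string, then walk back to the MZ header and carve from there), as an added example that is not the author's code nor Didier Stevens' XORSearch. The sample file, the key and the fake PE header are constructed for illustration, not the real fw.jpg:

```python
import hashlib

DOS_STUB = b"This program cannot be run in DOS mode"
KEY = 73  # constructed sample uses the same key the post recovered


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def xorsearch(data: bytes, needle: bytes) -> list:
    """Mimic XORSearch: try every single-byte key, report (key, offset) hits."""
    hits = []
    for key in range(256):
        pos = xor_bytes(data, key).find(needle)
        if pos != -1:
            hits.append((key, pos))
    return hits


def carve_appended_pe(data: bytes, key: int) -> bytes:
    """Decode the whole file, walk back from the DOS stub string to the nearest
    MZ header and keep everything from MZ onward, as done by hand in the post."""
    decoded = xor_bytes(data, key)
    stub = decoded.find(b"DOS mode")
    if stub == -1:
        raise ValueError("DOS stub string not found with that key")
    mz = decoded.rfind(b"MZ", 0, stub)
    if mz == -1:
        raise ValueError("no MZ header before the DOS stub")
    return decoded[mz:]


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check on the carved file: MZ magic plus PE\\0\\0 at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample() -> bytes:
    """Constructed stand-in for fw.jpg: a tiny valid JPEG (SOI, APP0, EOI)
    followed by a minimal fake MZ/PE header XOR'd with KEY. Not real malware."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
    pe = bytearray(b"MZ" + b"\x00" * 0x3A)               # DOS header up to e_lfanew
    pe += (0x80).to_bytes(4, "little")                   # e_lfanew -> PE signature at 0x80
    pe += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21" + DOS_STUB + b".\r\r\n$"
    pe += b"\x00" * (0x80 - len(pe))
    pe += b"PE\x00\x00\x4c\x01" + b"\x00" * 18           # signature + IMAGE_FILE_MACHINE_I386
    return jpeg + xor_bytes(bytes(pe), KEY)


def analyze(data: bytes) -> dict:
    key, offset = xorsearch(data, b"DOS mode")[0]
    carved = carve_appended_pe(data, key)
    return {"key": key, "offset": offset, "size": len(carved),
            "is_pe": looks_like_pe(carved), "md5": hashlib.md5(carved).hexdigest()}
```

Calling `analyze(build_sample())` reports key 73, the offset of "DOS mode", and the MD5 of the carved executable, mirroring the three facts the post recorded.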