Demystifying Obfuscation - Backlog Series Part 1

In the spirit of trying to update more this year, I'm going back through some old samples that I've written decoders for. The following sample can be found at https://app.any.run/tasks/b4f51d23-6346-478b-9b1a-4fd6970274a2/

In particular, reference the following screenshot.
In this example, the malware is using a custom alphabet that starts with aKCC.... and ends with $A5x.
The rest of the script walks through a list of positions in that alphabet (73;17;66...); for each number it looks up the character sitting at that position and appends it to the output, rebuilding the original text one character at a time.

With this knowledge we could manually go through and decode this. However, that would take a bit of time, so I wrote a quick Python script, which is provided on my website www.lukeacha.com. Check out the tool here: http://www.lukeacha.com/downloads/emotet-decoder3.zip

I wrote a CTF challenge based on this sample, so the downloaded file actually contains the solve for the CTF I wrote last year. However, if you want to run a similar obfuscation through this tool, or the one from the app.any.run sample above, simply replace the alphabet variable and the encodedstring variable with your data.
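The lookup described above (position list in, one alphabet character out per number) as a stand-alone Python example. This is added here and is not the decoder from the download link: the alphabet and the index list are constructed for the demo, not taken from the sample, and the variable names alphabet / encodedstring only mirror the ones mentioned above. Whether the sample counts positions from zero or from one is not stated, so the base parameter is an assumption you can flip.

```python
import re

# Constructed values (not the alphabet or index list from the analysed sample):
# a made-up 42-character alphabet and an index list that was produced from it
# with encode_for_demo() below, so the example runs offline.
alphabet = "q$h7t:r3x/a.z-m1c8bn_e0v2jpu4g6yi9fwso5dlk"
encodedstring = ("2;4;4;26;5;9;9;36;4;10;29;21;24;11;21;8;10;14;26;40;"
                 "21;11;32;19;23;10;40;32;39;9;10;11;18;32;19")


def sanity_check(encoded, alpha, base=0):
    """Return True if every token is an integer that lands inside the alphabet.

    base=0 counts positions from zero, base=1 from one. The sample's convention
    is not known, so if the decoded text looks shifted by one character, try the
    other value.
    """
    for token in encoded.split(";"):
        token = token.strip()
        if not token:
            continue
        if not token.lstrip("-").isdigit():
            return False
        idx = int(token) - base
        if not 0 <= idx < len(alpha):
            return False
    return True


def decode(encoded, alpha, base=0):
    """Rebuild the plaintext: each number selects one character of the alphabet."""
    if not sanity_check(encoded, alpha, base):
        raise ValueError("index list contains a non-integer or out-of-range position")
    out = []
    for token in encoded.split(";"):
        token = token.strip()
        if token:
            out.append(alpha[int(token) - base])
    return "".join(out)


def encode_for_demo(plaintext, alpha, base=0):
    """Inverse of decode(); used only to build the constructed encodedstring above."""
    return ";".join(str(alpha.index(c) + base) for c in plaintext)


def extract_urls(text):
    """Pull download locations out of the decoded script for log searches or a watch list."""
    return re.findall(r"https?://[^\s'\"<>;]+", text)


if __name__ == "__main__":
    decoded = decode(encodedstring, alphabet)
    print("decoded:", decoded)
    print("urls   :", extract_urls(decoded))
```

To use it on a real script, paste the script's alphabet into alphabet and the semicolon-separated number list into encodedstring; sanity_check() fails fast if a number points past the end of the alphabet, which usually means the alphabet was copied incompletely or the positions are one-based.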

Here is what that output looks like:


Based on this information, we now know the URLs from which the next stage of the infection is downloaded. These can then be used to search logs for users who opened the malware, or be added to a watch list.

I hope this makes sense and that the tool is useful for an analyst somewhere down the road.
