Tuesday, June 5, 2012

Malware Embedded With Double Obfuscation

As a good number of y'all know, there are various tools available to extract embedded (and obfuscated) executable binaries from files such as DOCs, XLSs, PDFs, etc.  However, what if there are two layers of obfuscation?  It's been my experience that these must be deobfuscated manually, which involves "eyeballing" and deductive reasoning.

For example, below is an excerpt from a malicious XLS file.


Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00008610 00 00 00 00 00 00 00 00 00 00 00 C3 1E 40 00 70 Ã @ p
00008620 10 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 @
00008630 00 00 00 00 00 00 00 53 22 8E 87 B7 87 87 87 C7 S"Ž‡·‡‡‡Ç
00008640 87 87 87 78 78 87 87 0C 87 87 87 87 87 87 87 83 ‡‡‡xx‡‡ ‡‡‡‡‡‡‡ƒ
00008650 87 87 87 87 87 87 87 87 87 87 87 87 87 87 87 87 ‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡
00008660 87 87 87 87 87 87 87 87 87 87 87 87 87 87 87 87 ‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡
00008670 87 87 87 08 87 87 87 67 76 2C 67 87 CC 17 5B 95 ‡‡‡ ‡‡‡gv,g‡Ì [•
00008680 0C 97 43 5B 95 C2 01 11 B0 85 80 A0 71 F1 A0 91 —C[•Â °…€ qñ ‘
00008690 51 85 B1 91 61 61 71 C0 85 A1 D1 85 A0 D0 61 85 Q…±‘aaqÀ…¡Ñ… Ða…
000086A0 11 61 85 C3 73 B2 85 51 71 C1 D1 65 57 57 27 C5 a…Ãs²…QqÁÑeWW'Å
000086B0 87 87 87 87 87 87 87 B5 C1 3F 0A F1 D7 D9 3F F1 ‡‡‡‡‡‡‡µÁ? ñ×Ù?ñ
000086C0 D7 D9 3F F1 D7 D9 3F 46 16 19 3F E1 D7 D9 3F 07 ×Ù?ñ×Ù?F ?á×Ù?
000086D0 26 69 3F E1 D7 D9 3F C9 16 39 3F E1 D7 D9 3F 07 &i?á×Ù?É 9?á×Ù?
000086E0 26 79 3F B1 D7 D9 3F 07 26 99 3F D1 D7 D9 3F F1 &y?±×Ù? &™?Ñ×Ù?ñ
000086F0 D7 C9 3F B2 D7 D9 3F D7 26 E8 3F A1 D7 D9 3F 7F ×É?²×Ù?×&è?¡×Ù?
00008700 26 69 3F D1 D7 D9 3F 7F 26 99 3F E1 D7 D9 3F A2 &i?Ñ×Ù? &™?á×Ù?¢
00008710 11 B1 01 F1 D7 D9 3F 87 87 87 87 87 87 87 87 87 ± ñ×Ù?‡‡‡‡‡‡‡‡‡
00008720 87 87 87 87 87 87 87 87 87 87 87 87 87 87 87 82 ‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‚
00008730 D3 87 87 43 97 C7 87 59 C8 D2 73 87 87 87 87 87 Ó‡‡C—LJYÈÒs‡‡‡‡‡


At first glance, the XOR key 0x87 should be readily apparent (the long runs of 0x87 are zero padding XORed with the key), so let's XOR the data with that value and see what we get.  I fully expected to see an MZ header with a DOS stub, but interestingly, I don't see anything like that at all.  Check it out...


Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
00008610   87 87 87 87 87 87 87 87  87 87 87 44 99 C7 87 F7   ‡‡‡‡‡‡‡‡‡‡‡D™Ç‡÷
00008620   97 C7 87 87 87 87 87 87  87 87 87 87 87 87 87 87   —LJ‡‡‡‡‡‡‡‡‡‡‡‡‡
00008630   87 87 87 87 87 87 87 D4  A5 09 00 30 00 00 00 40   ‡‡‡‡‡‡‡Ô¥..0...@
00008640   00 00 00 FF FF 00 00 8B  00 00 00 00 00 00 00 04   ...ÿÿ..‹........
00008650   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00008660   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00008670   00 00 00 8F 00 00 00 E0  F1 AB E0 00 4B 90 DC 12   ......àñ«à.KÜ.
00008680   8B 10 C4 DC 12 45 86 96  37 02 07 27 F6 76 27 16   ‹.ÄÜ.E†–7..'öv'.
00008690   D6 02 36 16 E6 E6 F6 47  02 26 56 02 27 57 E6 02   Ö.6.ææöG.&V.'Wæ.
000086A0   96 E6 02 44 F4 35 02 D6  F6 46 56 E2 D0 D0 A0 42   –æ.Dô5.ÖöFVâÐРB
000086B0   00 00 00 00 00 00 00 32  46 B8 8D 76 50 5E B8 76   .......2F¸vP^¸v
000086C0   50 5E B8 76 50 5E B8 C1  91 9E B8 66 50 5E B8 80   P^¸vP^¸Á‘ž¸fP^¸€
000086D0   A1 EE B8 66 50 5E B8 4E  91 BE B8 66 50 5E B8 80   ¡î¸fP^¸N‘¾¸fP^¸€
000086E0   A1 FE B8 36 50 5E B8 80  A1 1E B8 56 50 5E B8 76   ¡þ¸6P^¸€¡.¸VP^¸v
000086F0   50 4E B8 35 50 5E B8 50  A1 6F B8 26 50 5E B8 F8   PN¸5P^¸P¡o¸&P^¸ø
00008700   A1 EE B8 56 50 5E B8 F8  A1 1E B8 66 50 5E B8 25   ¡î¸VP^¸ø¡.¸fP^¸%
00008710   96 36 86 76 50 5E B8 00  00 00 00 00 00 00 00 00   –6†vP^¸.........
00008720   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 05   ................
00008730   54 00 00 C4 10 40 00 DE  4F 55 F4 00 00 00 00 00   T..Ä.@.ÞOUô.....


At offset 8637, you can see the pattern of a Windows executable, but something is amiss.  Closer inspection shows every byte is nibble-swapped (i.e. D4 A5 09 00 30 should be 4D 5A 90 00 03, etc).


EXTRACTED BINARY EXCERPT (in raw form):

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000 D4 A5 09 00 30 00 00 00 40 00 00 00 FF FF 00 00 Ô¥ 0 @ ÿÿ
00000010 8B 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ‹
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030 00 00 00 00 00 00 00 00 00 00 00 00 8F 00 00 00
00000040 E0 F1 AB E0 00 4B 90 DC 12 8B 10 C4 DC 12 45 86 àñ«à K Ü ‹ ÄÜ E†
00000050 96 37 02 07 27 F6 76 27 16 D6 02 36 16 E6 E6 F6 –7 'öv' Ö 6 ææö
00000060 47 02 26 56 02 27 57 E6 02 96 E6 02 44 F4 35 02 G &V 'Wæ –æ Dô5
00000070 D6 F6 46 56 E2 D0 D0 A0 42 00 00 00 00 00 00 00 ÖöFVâÐÐ B
00000080 32 46 B8 8D 76 50 5E B8 76 50 5E B8 76 50 5E B8 2F¸ vP^¸vP^¸vP^¸
00000090 C1 91 9E B8 66 50 5E B8 80 A1 EE B8 66 50 5E B8 Á‘ž¸fP^¸€¡î¸fP^¸



Armed with this knowledge, it's easy to carve out the XORed binary, nibble-swap each byte, and you're ready to reverse the embedded code.

EXTRACTED BINARY EXCERPT (after nibble-swap)

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ ÿÿ
00000010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ¸ @
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 ø
00000040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 º ´ Í!¸ LÍ!Th
00000050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
00000060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
00000070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode. $
00000080 23 64 8B D8 67 05 E5 8B 67 05 E5 8B 67 05 E5 8B #d‹Øg å‹g å‹g å‹
00000090 1C 19 E9 8B 66 05 E5 8B 08 1A EE 8B 66 05 E5 8B é‹f å‹ î‹f å‹


=========================================================================

Next time, we'll look at another type of double obfuscation that was even more cool.  See ya then...
