raja mani**As cyber security Analyst and Researcher we come across lot of payload with Random gigligook strings containing malicious code without revealing what exactly it does until you see them working in action on victim machine. This blog Focuses on the baby steps of Learning how to deal with Obfuscated code during your analysis. This way you can understand what a payload does before even executing them on your environment
Baby Step 1 Encryption and Decryption
I created one base64 value for a string
echo 'This is a Test!' | base64
VGhpcyBpcyBhIFRlc3QhCg==
Lets Test How Encryption works through AES
You need 2 things to Encrypt
1 - Actual Data , 2 -Keys used to Encrypt**
Here is where you usually use CyberChef on the analysis. Imagine you received some Random Gigligook string , You know that it has been arrived using a Recipe, like the one we saw above. The Job of the analyst is to figure out what recipe has been used to arrive at that gigligook
Since on our example we know what exactly the recipe is we know how to revert back to the normal string.
So What we learn from here , when we eat a cooked food , we know its made up of recipes similarly when you see a obfuscated string , there is a methodology involved to arrive at that. your job is to find what exactly is that.
BABY Step 2 - Practice some of the operations in each category
There are 401 possible CyberChef operations that can be used to form a Recipe at the time of writing. Suggest to explore each category and try to understand what kinds of operations is possible in each category and get familiarize on some of the operations.
This will help to develop the mind map while dealing with a Encoded code
Data format - 58 Operations
Encryption / Encoding - 50 Operations
Public Key - 18 Operations
Arithmetic / Logic - 25 Operations
Networking - 28 Operations
Language - 6 Operations
Utils - 42 Operations
Date / Time - 9 Operations
Extractors - 15 Operations
Compression - 12 Operations
Hashing - 40 Operations
Code tidy - 28 Operations
Forensics - 10 Operations
Multimedia - 28 Operations
Other - 16 Operations
Flow control - 16 Operations
We are not gonna discuss every single operation we are gonna take some examples and drill down aspects of the obfuscation and DE obfuscation
Baby Step 3 Start finding suspicious Obfuscated Samples
Recipe 1 - Extract base64, raw inflate and code beautify
Filename: ahack.bat
Zipped File: cc9c6c38840af8573b8175f34e5c54078c1f3fb7c686a6dc49264a0812d56b54_183SnuOIVa.bin.gz
Sample: SHA256 cc9c6c38840af8573b8175f34e5c54078c1f3fb7c686a6dc49264a0812d56b54
A batch script Ran a encoded powershell
First thing to notice
• We don't need all string we need only encoded string (Regular expression is required)
• FromBase64 in powershell is used so we also should use them
• Compression technique is used we saw Deflate stream in the script
Lets build our Recipe
1 - To filter out Base encoded string use the regex
Regex
[a-zA-Z0–9+/=]{30,}
We know the charecter length is 30 + and may contain a-z 0–9 + / = repeated without a space so we have to look for them
When you see a Magic wand always hover over them
2 - Now we know Frombase64 operation is required.
This makes complete sense because we also saw a base64 operation in the encoded PowerShell
Again Magic Wand is giving us further clue here
3 - Now lets use Raw inflate
It also makes complete sense because we saw compression Technique being used.
We don't see a magic wand now, possibly its because we have arrived at the exact Deobfuscated strings. Last part is beautifying them
4 - Beautify
So we arrived at the exact code the malware author intended now its all about code analysis.
Ofcourse you can still use CyberChef to drill further into the code using options like below
So what is our Recipe to arrive at the final code ?
Recipe 2 - Code Obfuscation
https://www.hybrid-analysis.com/sample/1240695523bbfe3ed450b64b80ed018bd890bfa81259118ca2ac534c2895c835?environmentId=120
Here we don't have any clue all we know is we see some unwanted strings like below. Most likely this do not convey any meaning.
^|\|-|_|\/|\s
1 - Lets Remove them and see how the encoded content becomes.Lets try and use find and replace operation here
Yes it worked it got converted
Not into something meaningful when you look close you must notice these things
- No magic wand for help
- 1 is the reverse of InvokeItem
- 2 is the reverse of DownloadFile
- 3 is the reverse of powershell
So why dont we try reversing
2 - Lets Reverse and see
Now lets write down what we observe
1 - There is some urls
2 - ; is implying next line
3 - Split operation for @
4 - There is Download File attempt using loops
Lets deal with these
3 - Three operations at one shot i am using to make the code readable
In short it looks like its gonna download some payload from Remote website
4 - Use ExtractURLs
So we are good here we are likely to expect some ingress tool transfer from these websites
So what is our Recipe to arrive at the final code ?
Recipe 3 : Charcode Double decoding
Lets take this sample
https://www.virustotal.com/gui/file/2e9004985c2b9461c35b2a1a7765e35db1e8b352f622c4aa388e3227f4dd8c98/content/strings
There is clue here Sting.FromCharcode
1 - Lets use the Regex to filter the exact charcode
([0–9]{2,3}(,\s|))+
In the above regex i am saying number between 0 to 9 repeated two to three times ([0–9]{2,3} followed by comma and space or close bracket (,\s|) repeated 1 to any number of times (+)
Ok ! now we are sitting with the exact Char code
2 - Lets use FromCharcode
Wow! We saw encoding done twice now
We are again seeing String.FromCharCode couple of times,so what we should be doing again ?
3 - use same Regex to isolate CharCodes again
4 - When using FromCharCode again i arrived at the url
The JavaScript leads us here
So what is our Recipe to arrive at the final code ?
