When dealing with exploit kits we need to deobfuscate the final payloads that these "mass customized attacks" (see this video on the topic, which I liked) throw our way. Since I do not do Sudoku, I very much like the puzzle of going through obfuscated Java code to figure out how to deobfuscate the payloads, but sometimes, when we need a quick answer to what really hit us, a tool would be great.
Hopefully NoMoreXor can help us to achieve that.
When I stumbled over a Blackhole EK here the other day I thought it would be a good opportunity to test NoMoreXOR on the payloads. So I fetched 4 JAR files and the obfuscated binary to be sure we had something to work with. For info on how to download exploits and payloads from BHEK, see my "Analyzing Blackhole EK" post. My last post was about Neutrino; we had an XORed payload from there as well which we can play with. And finally we will have a look at ZeroAccess getL messages (small hope for help on those, but we will see).
1. NoMoreXOR vs Neutrino binary payloads
Let's look at the file we want to deobfuscate:
0000000: 3c31 c3a9 7572 6b79 7575 6b79 75c2 8ec2 <1..urkyuukyu...
0000010: 9479 75c3 896b 7975 716b 7975 316b 7975 .yu..kyuqkyu1kyu
0000020: 716b 7975 716b 7975 716b 7975 716b 7975 qkyuqkyuqkyuqkyu
0000030: 716b 7975 716b 7975 716b 7975 716b 7975 qkyuqkyuqkyuqkyu
0000040: c2a1 6b79 757f 74c3 837b 71c3 9f70 c2b8 ..kyu.t..{q..p..
0000050: 50c3 9378 39c2 bc4a 2d1d 1818 5905 0304 P..x9..J-...Y...
0000060: 1e07 1006 5916 1005 171a 054b 1b10 5119 ....Y......K..Q.
0000070: 0c1b 5102 1755 3524 2a55 1c04 1d10 5f66 ..Q..U5$*U...._f
0000080: 747f 556b 7975 716b 7975 320b c3a8 c39a t.Ukyuqkyu2.....
0000090: 766a c286 c289 766a c286 c289 766a c286 vj....vj....vj..
00000a0: c289 51c2 acc3 bbc2 8977 6ac2 86c2 8976 ..Q......wj....v
00000b0: 6ac2 87c2 891c 6ac2 86c2 8951 c2ac c3bd j.....j....Q....
00000c0: c289 796a c286 c289 51c2 acc3 bcc2 8977 ..yj....Q......w
00000d0: 6ac2 86c2 8951 c2ac c3ab c289 606a c286 j....Q......`j..
00000e0: c289 51c2 acc3 bac2 8977 6ac2 86c2 8951 ..Q......wj....Q
00000f0: c2ac c3be c289 776a c286 c289 2302 1a1d ......wj....#...
0000100: 766a c286 c289 212e 7975 3d6a 7a75 065f vj....!.yu=jzu._
0000110: c297 3571 6b79 7571 6b79 75c2 916b 7a74 ..5qkyuqkyu..kzt
0000120: 7a6a 7175 71c3 8f79 7571 c393 7b75 716b zjquq..yuq..{uqk
0000130: 7975 5b49 7975 717b 7975 71c2 ab79 7571 yu[Iyuq{yuq..yuq
0000140: 6b39 7571 7b79 7571 6979 7575 6b79 7571 k9uq{yuqiyuukyuq
0000150: 6b79 7575 6b79 7571 6b79 7571 c3ab 7a75 kyuukyuqkyuq..zu
0000160: 716f 7975 3523 7a75 736b 7975 716b 6975 qoyu5#zuskyuqkiu
0000170: 717b 7975 716b 6975 717b 7975 716b 7975 q{yuqkiuq{yuqkyu
0000180: 616b 7975 716b 7975 716b 7975 1dc3 8779 akyuqkyuqkyu...y
0000190: 75c3 bd6b 7975 711b 7a75 7963 7975 716b u..kyuq.zuycyuqk
00001a0: 7975 716b 7975 716b 7975 716b 7975 716b yuqkyuqkyuqkyuqk
We can see patterns and repetitive characters here, definitely a candidate for XOR. And since we know it comes from an exploit kit we expect a Windows binary, so it is obfuscated.
Let's run NoMoreXOR:
remnux@remnux:~/EK/xor/neutrino$ NoMoreXOR.py -a -o out.hex neutrino.bin
[+] Attempting auto analysis
[+] HEXing................................: neutrino.bin
[+] Saving as.............................: out.hex
[+] Attempting to guess the XOR key of....: out.hex
[+] Size of content.......................: 379904
[+] Total pages (1024k)...................: 371
[+] Total contiguous 512 chunks...........: 742
[+] Top (5) overall chars
=============================================
Occurences | Character(s)
---------------------------------------------
13797 = 0x75
13619 = 0x79
13488 = 0x6b
13332 = 0x71
1479 = 0x86
[+] Total number of unique 512 chunks.....: 642
[+] Top (5) 512 char sequences after cleanup
=============================================
Occurences | Character(s)
---------------------------------------------
101 = 716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975
I am no expert on the tool, but I think it is telling us that the key is about 4 bytes long and that the values are 0x75, 0x79, 0x6b and 0x71 (ASCII: u, y, k, q). Look in the Neutrino post and you will see that that's correct :) At least those are over-represented in the file. The tool gives us 5 candidate keys and 5 candidate files that should be deobfuscated. We have to go through them and figure out which one we think fits best.
Let's have a look at candidate 0:
0000000: 4d5a c290 0003 0000 0004 0000 00c3 bfc3 MZ..............
0000010: bf00 00c2 b800 0000 0000 0000 4000 0000 ............@...
0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000040: c390 0000 000e 1fc2 ba0e 00c2 b409 c38d ................
0000050: 21c2 b801 4cc3 8d21 5468 6973 2070 726f !...L..!This pro
0000060: 6772 616d 2063 616e 6e6f 7420 6265 2072 gram cannot be r
0000070: 756e 2069 6e20 444f 5320 6d6f 6465 2e0d un in DOS mode..
0000080: 0d0a 2400 0000 0000 0000 4360 c291 c2af ..$.......C`....
0000090: 0701 c3bf c3bc 0701 c3bf c3bc 0701 c3bf ................
00000a0: c3bc 20c3 87c2 82c3 bc06 01c3 bfc3 bc07 .. .............
00000b0: 01c3 bec3 bc6d 01c3 bfc3 bc20 c387 c284 .....m..... ....
00000c0: c3bc 0801 c3bf c3bc 20c3 87c2 85c3 bc06 ........ .......
00000d0: 01c3 bfc3 bc20 c387 c292 c3bc 1101 c3bf ..... ..........
00000e0: c3bc 20c3 87c2 83c3 bc06 01c3 bfc3 bc20 .. ............
00000f0: c387 c287 c3bc 0601 c3bf c3bc 5269 6368 ............Rich
0000100: 0701 c3bf c3bc 5045 0000 4c01 0300 7734 ......PE..L...w4
0000110: c3ae 4000 0000 0000 0000 00c3 a000 0301 ..@.............
Hey, that looks pretty close. The other candidates did not look like Windows exe files, so we stop at the first one. Luckily I made a Python tool to deobfuscate the Neutrino binary received, so let's do a diff on the files and check:
remnux@remnux:~/EK/xor/neutrino$ diff -s neutrino.exe neutrino.bin.0.unxored
Files neutrino.exe and neutrino.bin.0.unxored are identical
Yes they match exactly :) Nice NoMoreXOR!
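The frequency reasoning the tool output above relies on can be reproduced in a few lines. This is an added example, not NoMoreXOR's own code: it assumes the plaintext is a Windows executable whose zero padding outnumbers every other byte, so the most frequent byte in each key-aligned stripe of the ciphertext is the key byte itself; the sample buffer and the key are constructed here.

```python
import collections

# Constructed sample, not a file from the post: a minimal PE-like buffer with
# the DOS stub text and long runs of zero padding, as real executables have.
PE_SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 48
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 400
    + b"PE\x00\x00"
    + b"\x00" * 300
)
SAMPLE_KEY = b"uykq"  # the byte values that dominated the Neutrino payload above


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the operation is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_key(data: bytes, key_len: int) -> bytes:
    """Take the most frequent byte of every stripe data[i::key_len]. When zero
    padding dominates the plaintext, that byte is key[i] XOR 0x00 == key[i]."""
    return bytes(
        collections.Counter(data[i::key_len]).most_common(1)[0][0]
        for i in range(key_len)
    )


def looks_like_pe(data: bytes) -> bool:
    """Cheap validity check: DOS header magic plus the stub message."""
    return data[:2] == b"MZ" and b"This program cannot be run in DOS mode" in data


def recover(data: bytes, max_key_len: int = 16):
    """Try key lengths 1..max_key_len, shortest first, and return
    (key, plaintext) for the first guess that decodes to a PE, else None."""
    for key_len in range(1, max_key_len + 1):
        key = guess_key(data, key_len)
        plain = xor_repeat(data, key)
        if looks_like_pe(plain):
            return key, plain
    return None


if __name__ == "__main__":
    blob = xor_repeat(PE_SAMPLE, SAMPLE_KEY)
    found = recover(blob)
    print("key %r, plaintext starts %r" % (found[0], found[1][:16]))
```

On a short message without a dominant plaintext byte, like the getL packet later in this post, no key length passes the check and recover() returns None rather than a bogus key.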
2. NoMoreXOR vs Blackhole binary payloads
Let's look at the payload received from the Blackhole EK:
0000000: 2f1e 3618 c289 7c6e 50c2 b614 c3b6 c3a8 /.6...|nP.......
0000010: 2533 3ec2 a0c2 bac3 a4c3 8638 c2aa 1cc2 %3>........8....
0000020: 8e70 12c2 b416 c288 7a6c 5e40 c2a2 04c3 .p......zl^@....
0000030: a6c3 98c3 8a3c c2ae 10c3 b2c3 9436 c2a8 .....<.......6..
0000040: 1ac2 8c7e 6042 c2a4 06c3 b8c3 aac3 9cc3 ...~`B..........
0000050: 8e30 c292 7456 483a 2cc2 9e00 c3ac c39b .0..tVH:,.......
0000060: c29c c296 0a48 c3a7 1d13 2c77 24c2 976d .....H....,w$..m
0000070: c3aa 48c3 ab17 66c3 8858 c3b3 69c2 82c2 ..H...f..X..i...
0000080: b359 c2b6 6bc2 9bc2 82c2 b0c2 af56 c2a4 .Y..k........V..
0000090: 043d 6ac3 8e5b c3be 523d c398 08c3 9e43 .=j..[..R=.....C
00000a0: c2ad c380 c2af 4bc3 a21d 4451 43c2 ba36 ......K...DQC..6
00000b0: c3b4 c396 c388 3ac2 ac1e c280 3201 c2a6 ......:.....2...
00000c0: 18c3 867d 6850 3256 52c2 b9c3 9ac3 8c3e ...}hP2VR......>
00000d0: c2a0 02c3 a4c3 8638 4a1c c281 7159 c2b5 .......8J...qY..
00000e0: 14c2 ba7a 1a5e 40c2 a2c3 8cc3 a7c3 98c3 ...z.^@.........
00000f0: 8a3c c2ae 1002 c28d 36c2 a81a c29c 7e60 .<......6.....~`
0000100: 4204 06c3 b8c3 aac3 9cc2 8e30 c292 6456 B..........0..dV
0000110: 48c2 ba2e c29e 00c3 a6c3 8426 c298 0ac3 H..........&....
0000120: bcc3 aec3 9036 c294 7668 5a4c c2be 20c2 .....6..vhZL.. .
0000130: 82c3 a444 c2b8 2ac2 980e c3b0 76c2 aec2 ...D..*.....v...
0000140: 9408 c3b8 c3ac c39e c380 22c2 8476 584a .........."..vXJ
0000150: c2ac 2ec2 9072 54c2 a628 c29a 1cc3 bec3 .....rT..(......
0000160: a0c3 8224 c286 787a 5c4e c2b0 12c3 b4c3 ...$..xz\N......
0000170: 96c3 883a c2ac 1ec2 80c3 aec3 b1c2 a718 ...:............
0000180: c2b6 7c6e 50c2 b2c3 94c3 b7c3 a876 763e ..|nP........vv>
0000190: c2a0 02c3 a4c3 8638 c2aa 1cc2 8e70 52c3 .......8.....pR.
00001a0: b614 c288 c282 715e 40c2 a204 c3a6 c398 ......q^@.......
00001b0: c38a 3cc2 ae10 c3b2 c394 36c2 a81a c28c ..<.......6.....
00001c0: 7e60 42c2 a406 c3b8 c3aa c39c c38e 30c2 ~`B...........0.
00001d0: 9274 5648 c2ba 2cc2 9e00 c3a2 c384 26c2 .tVH..,.......&.
00001e0: 980a c3bc c3ae c390 32c2 9476 685a 4cc2 ........2..vhZL.
Not so easy to determine. Could it be encrypted? Again a payload binary from an exploit kit, so we expect a Windows exe. Let's run NoMoreXOR:
remnux@remnux:~/EK/xor/blackhole$ NoMoreXOR.py -a -o out.hex a.bin
[+] Attempting auto analysis
[+] HEXing................................: a.bin
[+] Saving as.............................: out.hex
[+] Attempting to guess the XOR key of....: out.hex
[+] Size of content.......................: 311280
[+] Total pages (1024k)...................: 303
[+] Total contiguous 512 chunks...........: 607
[+] Top (5) overall chars
=============================================
Occurences | Character(s)
---------------------------------------------
943 = 0x56
939 = 0x8a
935 = 0x1a
934 = 0x3a
931 = 0x6a
[+] Total number of unique 512 chunks.....: 467
[+] Top (5) 512 char sequences after cleanup
=============================================
Occurences | Character(s)
---------------------------------------------
134 = f2d436881aecfec0228466784a5cae30927456a83a8c1ee0c2248618eafcced0329476485aac3e806244a6388a1ceef0d23496687a4c5ea002e4c6d82abc0e907254b6089a6c7e40a204e6f8cadc2eb012f4d628ba0c9e6042a406986a7c4e50b214f6c8da2cbe00e2c426b80a9c6e7052b416e8faccde2082644658aa3c8e10f2d436881aecfec0228466784a5cae30927456a83a8c1ee0c2248618eafcced0329476485aac3e806244a6388a1ceef0d23496687a4c5ea002e4c6d82abc0e907254b6089a6c7e40a204e6f8cadc2eb012f4d628ba0c9e6042a406986a7c4e50b214f6c8da2cbe00e2c426b80a9c6e7052b416e8faccde2082644658aa3c8e10
6 = 6244a6188a7c6e50b214f6e8dacc3ea002e4c638aa1c8e7052b416887a6c5e40a204e6d8ca3cae10f2d436a81a8c7e6042a406f8eadcce3092745648ba2c9e00e2c426980afceed0329476685a4cbe20826446b82a9c0ef0d2349608faecdec0228466584abc2e907254b6289a0cfee0c22486786a5c4eb012f4d6c83aac1e806244a6188a7c6e50b214f6e8dacc3ea002e4c638aa1c8e7052b416887a6c5e40a204e6d8ca3cae10f2d436a81a8c7e6042a406f8eadcce3092745648ba2c9e00e2c426980afceed0329476685a4cbe20826446b82a9c0ef0d2349608faecdec0228466584abc2e907254b6289a0cfee0c22486786a5c4eb012f4d6c83aac1e80
Nothing to conclude from this output? Seems like there is one key, though...
Again 5 files to look more into.
File 0:
0000000: c39d c38a 00c2 90c2 93c2 90c2 90c2 90c2 ................
0000010: 94c2 90c2 90c2 906f 6fc2 90c2 9028 c290 .......oo....(..
0000020: c290 c290 c290 c290 c290 c290 c390 c290 ................
0000030: c290 c290 c290 c290 c290 c290 c290 c290 ................
0000040: c290 c290 c290 c290 c290 c290 c290 c290 ................
0000050: c290 c290 c290 c290 c290 c290 c290 c290 ................
0000060: c290 c290 c290 c290 c290 c290 c290 c290 ................
0000070: c290 c290 10c2 90c2 90c2 90c2 9ec2 8f2a ...............*
0000080: c29e c290 24c2 995d c2b1 28c2 91c3 9c5d ....$..]..(....]
0000090: c2b1 c384 c3b8 c3b9 c3a3 c2b0 c3a0 c3a2 ................
00000a0: c3bf c3b7 c3a2 c3b1 c3bd c2b0 c3b3 c3b1 ................
00000b0: c3be c3be c3bf c3a4 c2b0 c3b2 c3b5 c2b0 ................
00000c0: c3a2 c3a5 c3be c2b0 c3b9 c3be c2b0 c394 ................
00000d0: c39f c383 c2b0 c3bd c3bf c3b4 c3b5 c2be ................
00000e0: c29d c29d c29a c2b4 c290 c290 c290 c290 ................
00000f0: c290 c290 c290 c380 c395 c290 c290 c39c ................
0000100: c291 c296 c290 10c3 9234 c381 c290 c290 .........4......
0000110: c290 c290 c290 c290 c290 c290 70c2 90c2 ............p...
Not what we were looking for; continue.
File 1:
0000000: 4d5a c290 0003 0000 0004 0000 00c3 bfc3 MZ..............
0000010: bf00 00c2 b800 0000 0000 0000 4000 0000 ............@...
0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000040: c280 0000 000e 1fc2 ba0e 00c2 b409 c38d ................
0000050: 21c2 b801 4cc3 8d21 5468 6973 2070 726f !...L..!This pro
0000060: 6772 616d 2063 616e 6e6f 7420 6265 2072 gram cannot be r
0000070: 756e 2069 6e20 444f 5320 6d6f 6465 2e0d un in DOS mode..
0000080: 0d0a 2400 0000 0000 0000 5045 0000 4c01 ..$.......PE..L.
0000090: 0600 c280 42c2 a451 0000 0000 0000 0000 ....B..Q........
00000a0: c3a0 000f 010b 0102 3200 7600 0000 c388 ........2.v.....
00000b0: 0100 0000 0000 c3b0 5900 0000 1000 0000 ........Y.......
00000c0: c2a0 0000 0000 4000 0010 0000 0002 0000 ......@.........
00000d0: 0400 0000 0000 0000 0400 0000 0000 0000 ................
00000e0: 00c2 8002 0000 0400 00c2 a4c2 9a02 0002 ................
00000f0: 0000 0000 0010 0000 1000 0000 0010 0000 ................
0000100: 1000 0000 0000 0010 0000 0000 0000 0000 ................
0000110: 0000 00c2 8cc2 b501 003c 0000 0000 c380 .........<......
0000120: 0100 c2ac c2ba 0000 0000 0000 0000 0000 ................
0000130: 0042 0200 c3b8 1d00 0000 0000 0000 0000 .B..............
0000140: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000150: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000160: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000170: 00c3 a8c2 b501 0020 0000 0000 0000 0000 ....... ........
0000180: 0000 0000 0000 0000 0000 0000 0000 0000 ................
Nice, that's more like it.
Now let's test it: I ran it, and what else to expect than ransomware.
2-0 to NoMoreXOR. Great!
3. NoMoreXOR vs Zeroaccess getL messages
Lastly, let's have a brief look at ZeroAccess P2P traffic that we know to be XORed. Original traffic:
0000000: c2b8 3f35 c3be 28c2 94c2 8dc2 abc3 89c3 ..?5..(.........
0000010: 80c3 91c2 99c2 85c2 956f 3f0a .........o?.
Output from NoMoreXOR:
remnux@remnux:~/EK/xor/zeroaccess$ NoMoreXOR.py -a -o out.hex getl2
[+] Attempting auto analysis
[+] HEXing................................: getl2
[+] Saving as.............................: out.hex
[+] Attempting to guess the XOR key of....: out.hex
[+] Size of content.......................: 56
[+] Total pages (1024k)...................: 0
[+] Total contiguous 512 chunks...........: 0
[+] Top (5) overall chars
=============================================
Occurences | Character(s)
---------------------------------------------
7 = 0xc2
4 = 0xc3
2 = 0x3f
1 = 0xbe
1 = 0xab
[+] Total number of unique 512 chunks.....: 1
[+] Top (5) 512 char sequences after cleanup
=============================================
Occurences | Character(s)
---------------------------------------------
1 = c2b83f35c3be28c294c28dc2abc389c380c391c299c285c2956f3f0a
[+] Trying XOR key : c2b83f35c3be28c294c28dc2abc389c380c391c299c285c2956f3f0a
[+] XOR'ing................................: getl2
[+] Saving as..............................: getl2.0.unxored
[+] Scanning with Yara
[-] Using rules............................: /usr/local/etc/capabilities.yara
Only one candidate this time:
0000000: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000010: 0000 0000 0000 0000 0000 0000 0a .............
No luck this time. I guess the tool was not made for it either.
4. Conclusion
Seems like we have found a really useful tool here. Thanks to @Hiddenillusion for sharing. As this tool is fully open source, we are able to extend it should we want to.
Happy XORing Exploit Kit payloads
For a description and usage instructions, see the link to Hiddenillusion above.
Further reading:
Malwarebytes on XOR - by Joshua Cannell
SANS DFIR - by Lenny Zeltser