Deobfuscating a “Sophisticated” Mailer

“Sophisticated” in that the spammer obfuscated the mailer script quite well. He/she apparently put quite a bit of work into concealing and protecting their spamming activity. I normally don’t come across PHP mailers that are obfuscated this well.

Here’s what the incoming traffic to the PHP script looks like:

If the request is successfully processed then the following (more or less) gets returned:


After cleaning up the HTTP request body and separating the parameters, you can see that there are five sets of parameters. Remember this for later.

Now let’s have a look at the PHP script. The top part contains a large base64-encoded blob. At the bottom you can see that it reads in the cookie value and uses it to XOR the second, shorter base64-encoded string.

I’m in the process of rewriting Converter so it’s a good time to put this new program to the test. Here’s what Reneo looks like when I de-XOR the string.

I get another layer of obfuscation so I just repeat the process.

This is the result. This function reads in the large blob at the top, splits it into four-character chunks, builds an extraction list, reorders it in a certain way, concatenates the pieces into a base64 string, decodes it, then evals the result.

Here’s the final, deobfuscated mailer script. The interesting bits are at the beginning.

The mailer script reads in the POST body, sorts the variables and concatenates them, then XORs this value with a hardcoded key.

Let’s go through this step by step. Based on the above five sets of parameters, the variables are:


Sorted and joined together it becomes:


This value is then XOR’d with the hardcoded key built into the script, e886f82a-1c47-4677-93a6-5181ff8b8977, which results in the following in hex. This is the XOR key to decrypt the POST request values.


If I take the values from the POST request, sort them by variable name in the same way, then join the values together, it will look something like this (truncated base64-encoded string):


I then XOR this string with the key and get the mailing instructions which include the campaign info and recipients:
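To make the two-step scheme concrete, here is an added Python decoder (my own illustration, not the mailer's code) that derives the per-request key from the sorted parameter names and uses it to recover the instructions. Only the hardcoded key comes from the script; the parameter names, the sample payload, the repeating-key XOR and the base64 handling are assumptions.

```python
import base64
import math

# XOR key quoted in the write-up. Everything else here (parameter names,
# sample instructions, repeating-key XOR, base64 of the ciphertext) is an
# assumption made for this example, not taken from the mailer itself.
SCRIPT_KEY = b"e886f82a-1c47-4677-93a6-5181ff8b8977"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the key wraps when the data is longer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def derive_session_key(names) -> bytes:
    """Sort the POST variable names, join them, XOR with the hardcoded key.
    The write-up displays the result as hex; the raw bytes are used here."""
    return xor_bytes("".join(sorted(names)).encode(), SCRIPT_KEY)


def decode_instructions(params: dict) -> bytes:
    """Join values in sorted-name order, base64-decode, XOR with the session key."""
    key = derive_session_key(params)
    blob = "".join(params[n] for n in sorted(params))
    return xor_bytes(base64.b64decode(blob), key)


def encode_instructions(plaintext: bytes, names) -> dict:
    """Build a request the mailer would accept; used only to exercise the decoder."""
    names = sorted(names)
    b64 = base64.b64encode(xor_bytes(plaintext, derive_session_key(names))).decode()
    size = math.ceil(len(b64) / len(names))
    return {n: b64[i * size:(i + 1) * size] for i, n in enumerate(names)}


# Constructed sample: five parameters, as in the captured request, and a
# made-up instruction payload standing in for the campaign/recipient data.
SAMPLE_NAMES = ["zq", "m4", "r1", "k9", "aa"]
SAMPLE_INSTRUCTIONS = b'{"from":"sender@example.com","to":["victim@example.com"]}'


def demo() -> bytes:
    """Round-trip the sample through the encoder and the decoder."""
    request = encode_instructions(SAMPLE_INSTRUCTIONS, SAMPLE_NAMES)
    return decode_instructions(request)


if __name__ == "__main__":
    print(demo().decode())
```

Because the session key depends only on the parameter names, any capture that preserves the names and the base64 values can be decoded offline once the hardcoded key has been pulled from the deobfuscated script.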

The spam message in this specific run looks like this:

The obfuscated PHP script can be found online (here and here). However, without the cookie value from the POST request, it would be very difficult to deobfuscate the PHP script. Additionally, the POST request cannot be deobfuscated without knowing the hardcoded XOR key in the PHP script. I’m fairly certain that the cookie value and XOR key will be different for each compromised server, which is probably why this is going under the radar.


Deobfuscating PHPJiami

I was sent a PHP script that was protected by PHPJiami which you can find here. PHPJiami is a decent PHP obfuscator that appears to be able to bypass several online deobfuscators. Here’s what the script looks like:

When you run it, you can see what the protected script does.

At the top there’s a comments section. Let me change the uppercase “P” in “PHP” to lowercase.

Now when I run the script, nothing happens. This means there’s some kind of anti-tampering function in the script.

Let me clean up the script so we can see what it’s doing. If you look at the second function, you can see what looks like variable assignments.

At the bottom of the script, you can see a blob of obfuscated text. This is probably where the prize is.

After studying this a bit, I go back up to the second function and echo out the variables to see what they contain (look at the comments). That last line is interesting as it reads a copy of itself.

The section right below that has some interesting variables as well. It looks like it’s using MD5 to ensure the script isn’t modified. If all is good, the blob at the bottom gets uncompressed, rot13’d, etc.

Although I only have a brief understanding of what the script does, I think I have enough to deobfuscate the blob. Since I cannot modify this script to make it cough up the prize, I can trick it into thinking that the script hasn’t changed by making it read a copy of itself (I call this the “reflection technique”).

Here are the two changes made to the beautified version.

On the actual script, or on other PHPJiami scripts, all I do is search for the string at the end of the previous line, which is ():”; and then put in the reference to the original script. From there, I search for “return” and put an echo there.

When the script is run, I get a result that looks something like this, which doesn’t mean much on its own.

But when you view the source, you can see the original source code.

I just did a quick check to see if anyone else did a deobfuscation write-up and I came across this Chinese site.

It describes a few methods but one technique they offered caught my eye:

If you execute this, you get the deobfuscated script and it’s so easy to do. Might even work on a bunch of other scripts too.

Scroll down to the very bottom and you’ll see a long base64 string. If you decode this, you get the original script, which is the same version I got using my more difficult reflection technique. Oh wellz.

Always nice to have multiple methods to use since their obfuscation method will probably be upgraded in the future.


ConverterNET v0.1 Released

I spent the past several months porting Converter to the .NET Framework and am finally able to release a public version of it.

Many of the original functions are present and I’ve added a few more things to the menu. Several conveniences have also been included that may not be very obvious:

+ Forms are non-modal so you can have multiple forms open at once
+ Many forms can be maximized
+ Many forms have split containers that you can resize
+ Context menus have been added to key textboxes
+ Textboxes use a monospaced font

The Convert Binary function has been changed. You can choose to load a binary or text file and convert the file appropriately. If you want to XOR or shift the files then choose “Transform Only” then enter your comma-delimited text or hex key.

The Key Search/Convert function has also changed a bit. Specifically you can choose:

+ Single key (e.g. abc ^ x)
+ Multi-key (e.g. a ^ x, b ^ y, c ^ z)
+ Multi-key sub-loop (e.g. a ^ xyz, b ^ xyz, c ^ xyz)
+ Multi-key step # (e.g. a ^ (xyz % step), etc ).

You can get ConverterNET (32-bit and 64-bit binaries are included) from here. If you encounter any bugs, please let me know.


Not Your Typical Ransomware Infection

An analysis of an infected PC revealed that an attacker used several NSA tools just four days after the Shadow Brokers’ dump, then burned the PC with ransomware when they were done with it. This blog post by Secdo may be related to this one but I can’t be sure.

I was asked to assist with an infected PC that had already been turned off. The ransomware encrypted the usual file extensions as well as .exe, .dll, .sqlite, .log, .xml, .dat, etc., making it extremely difficult to piece together the activity that had taken place earlier.

On 4/18/17, a remote user logged into the computer via RDP and proceeded to execute a program called “key.exe” which dropped files in “C:\ProgramData\MicrosoftHostDLL\” including synchosted.exe (which turned out to be NSSM, the Non-Sucking Service Manager). A new remote admin account called “backup1” was created and the password written to the info.ini file (and c:\info.txt).

The attacker downloaded several tools to the Downloads folder, disabled anti-virus and added an exclusion for c:\users\backup1 in Windows Defender.

Other tools were installed as well such as UniversalTermsrvPatch-x64 and Advanced IP Scanner.

Based on the evidence, the following NSA tools were used by the attacker:

+ FuzzBunch (exploit framework)
+ Architouch (SMB recon)
+ EternalBlue (SMB exploit)
+ DoublePulsar (backdoor)
+ DanderSpritz (event log deleter, password stealer, screengrabber, keylogger)
+ PeddleCheap (shellcode/DLL injector)

When FuzzBunch is run, log files are created which provide a history of the operator’s activities. However, the ransomware program encrypted these files.

There were some files left untouched for some reason and I was able to collect details that show whether an attempt was successful or not.

One successful compromise prompted the attacker to download and install OWASP-ZSC to compile shellcode and use PeddleCheap to push that onto the machine. Each attempt caused the PC to crash. Digging into the crash dumps yielded the shellcode source.

When this failed, other attempts were made to install malware.

I tried to get the payload from the above site but it was no longer available. I found something in Google’s cache that seemed to match the file names.

The attacker then downloaded executables onto the desktop and tried to push them onto the other PC which failed. Having given up, the attacker trashed the PC by executing ransomware known as “Global Imposter”.

It appears that this attacker was figuring out how to use the NSA tools and eventually with enough practice s/he is going to get good at it. Others will too so we will probably start seeing a higher level of attacks — attacks using military-grade implants that don’t leave a whole lot of traces behind. Good luck to all of us.



Wild Wild West – 05/2017

Another update to the exploit kit scene. There have been some changes but nothing very exciting. We can’t let our guard down, however, since this could change very easily.

If anyone cares to share the source for anything in the most wanted category, I would love to study it. And yes that includes Eris / Solar / Neptune.

Big thanks to Kafeine for his input as I couldn’t have done this without him!
