Wednesday, October 22, 2008

quick check of trojan's downloaded file

Some bots and trojans use simple encryption to hide the location of the other components they download. When you trace such malware you may see a URL being fetched, but when you fetch it manually you get nothing but gibberish. Typically the sample first downloads a relatively small file, say ff.rar, from a malicious hosting site. The file is not actually a RAR archive; it contains data that looks encrypted. Once decrypted, it turns out to hold the actual link to the malicious file or component the malware downloads next.

Example: ff.rar
00000000: 29 1A 61 35-63 64 65 74-2E 61 00 00-00 00 00 00 )?a5cdet.a
00000010: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00000020: 00 00 41 5D-5D 59 13 06-06 48 5A 4D-1F 5C 07 4A A]]Y???HZM?\•J
00000030: 46 44 06 43-43 06 4F 4F-07 4C 51 4C- FD?CC?OO•LQL

Instinct says this is the download URL, and a download URL almost certainly starts with "http".
At offsets 0x23 and 0x24 the same byte (5D) appears twice, which fits the "tt" of "http".
Assuming a single-byte XOR key X, 5D ^ X = 74 (74 is the hex value of 't'), so X = 5D ^ 74 = 29. A quick sanity check before decrypting the whole file: the neighbouring bytes 41 and 59 give 41 ^ 29 = 68 ('h') and 59 ^ 29 = 70 ('p'), so the guess holds. Now decrypt the file using that value as the key.

Using hiew, you can quickly decrypt the bytes with X=29 as the key:
1. Open the file in hiew in hex mode. Position the cursor at offset 0.
2. Press F3 (edit), then F8 (XOR). Enter 29 hex as the XOR mask and press Enter.
3. The XOR is applied and the buffer now decrypts to the following:

00000000: 00 33 48 1C-4A 4D 4C 5D-07 48 29 29-29 29 29 29 3H?JML]•H))))))
00000010: 29 29 29 29-29 29 29 29-29 29 29 29-29 29 29 29 ))))))))))))))))
00000020: 29 29 68 74-74 70 3A 2F-2F 61 73 64-36 75 2E 63 ))http://asd6u.c
00000030: 6F 6D 2F 6A-6A 2F 66 66-2E 65 78 65- om/jj/ff.exe

Now you have the actual link to the malware, hXXp://asd6u.com/jj/ff.exe (spelled "hXXp" on purpose so the link is not clickable), and you can fetch it manually with wget from an isolated analysis box. Note that the first ten bytes (offsets 0x00-0x09) still do not decode to printable text with this key, so the header is evidently not encoded the same way as the URL; the URL is what matters here.
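The same key-recovery trick written out as a script, added here as an example and not code from the original post. It generalizes the "5D 5D must be the tt of http" observation: a known-plaintext crib (assumed to be "http://") is slid across the data, and any offset where a single key explains every crib byte is reported; the implied key is then applied and URLs are pulled out of the result. The byte string is transcribed from the ff.rar dump above; the regex, the printable-ratio check and the hXXp/[.] defanging convention are my additions.

```python
"""Recover a single-byte XOR key from a known-plaintext crib and extract the URL."""
import re
from typing import List, Tuple

# Ciphertext transcribed from the ff.rar hex dump shown above (the page's data).
FF_RAR = bytes.fromhex(
    "291a6135636465742e61000000000000"
    "00000000000000000000000000000000"
    "0000415d5d59130606485a4d1f5c074a"
    "4644064343064f4f074c514c"
)

# Assumed URL shape; widen the character class for odd query strings.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-_/?=&%]+")


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (encrypting and decrypting are the same op)."""
    return bytes(b ^ key for b in data)


def keys_from_crib(data: bytes, crib: bytes) -> List[Tuple[int, int]]:
    """Slide a plaintext crib over the data.  At each offset the key implied by the first
    crib byte must also explain every other crib byte; return the (offset, key) pairs
    that survive.  For 'http://' this encodes the 'tt' and '//' repeats automatically."""
    hits = []
    for off in range(len(data) - len(crib) + 1):
        key = data[off] ^ crib[0]
        if all(data[off + i] ^ crib[i] == key for i in range(1, len(crib))):
            hits.append((off, key))
    return hits


def printable_fraction(buf: bytes) -> float:
    """Share of printable-ASCII bytes; a cheap sanity check on a candidate key."""
    if not buf:
        return 0.0
    return sum(0x20 <= b < 0x7F for b in buf) / len(buf)


def defang(url: str) -> str:
    """Render a URL so it is not clickable in notes: hXXp scheme, [.] in the host."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    out = scheme.replace("tt", "XX") + "://" + host.replace(".", "[.]")
    return out + ("/" + path if path else "")


def recover_urls(data: bytes, crib: bytes = b"http://") -> List[Tuple[int, str]]:
    """Apply every key the crib implies and return (key, url) for each URL found."""
    found = []
    for _off, key in keys_from_crib(data, crib):
        plain = xor_single(data, key).decode("latin-1")
        for url in URL_RE.findall(plain):
            found.append((key, url))
    return found


if __name__ == "__main__":
    for key, url in recover_urls(FF_RAR):
        print(f"key=0x{key:02x}  url={defang(url)}")
```

The crib search reports exactly one hit, offset 0x22 with key 0x29, and the decoded tail from that offset is entirely printable, which is the confirmation you want before trusting a key. The header bytes before the URL stay non-printable, so the script deliberately scores only what the crib explains rather than assuming the whole file uses one key.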
