1/ IntroThis post is a follow-up of this one: http://0x90909090.blogspot.com/2016/07/analyzing-zip-with-wsf-file-inside.html
The malware in question is Locky.
2/ Another LockySomebody sends me other Locky's zip files and I quickly figured that the core functionalities are the same
- a .wsf in a zip file (wsf format slightly changed, so my analyze.py prog in github does not work anymore)
- some layer of obfuscation
- all variables are named different, but the structure and functions are the same
- The downloaded file is XOR-ed with values coming from a PRNG function
- the PRNG seed has changed
This blogpost will talk about the PRNG.
3/ PRNGWikipedia to the rescue:
A pseudorandom number generator (PRNG) is an algorithm for generating a sequence of numbers whose properties approximate the properties of sequences of random numbers. The PRNG-generated sequence is not truly random, because it is completely determined by a relatively small set of initial values, called the PRNG's seed. (...) pseudorandom number generators are important in practice for their speed in number generation and their reproducibility.
And that's it. I think this is a really interesting move because the file downloaded over HTTP looks like random data. Here is the entropy for the file (made with binwalk):
You can compare with the file, once XOR-ed :
This is an interesting way to avoid analysis.
All the network probes only see random data. No particuliar header, no pattern to match.
No static key either (XORed file with static key doesn't see their entropy changing a lot and key can be retrieved).
You can eventually block file downloaded over HTTP when they have no known header and are around 200kB but it's not really precise.
4/ Get the seed
In my previous blogspot, I just copy paste the prng function, with the seed.
If you want to quickly get the seed, you can grep for mash(<data>) in the .wsf file, once extracted from the zip and unobfuscate.
Everything then is the same: generates more than 200k of pseudo random numbers, then XOR the file:
mitsurugi@dojo:~/chall/infected$ js24 uhe_prng.js > prng_js mitsurugi@dojo:~/chall/infected$ ./unxor.py cj937f7l mitsurugi@dojo:~/chall/infected$ file cj937f7l cj937f7l-xored cj937f7l: data cj937f7l-xored: PE32 executable (GUI) Intel 80386, for MS Windows mitsurugi@dojo:~/chall/infected$
5/ Conclusions and questionsI think that everything is not said in the case of Locky. When I read interesting analysis like the one in malwarelabs, I don't understand why they don't ran into the XOR part. No mention about the XOR: they found URL in the wsf file, then they got an .exe file (wut?).
Is there many campaigns, some with exe file other with XOR-ed one? As the URLs mentioned in malwarelabs post are not available anymore, I can't tell :-/
And if you got another samples to share, I'm still willing to take a look :-)
Courage first; power second; technique third.