👾
0xB4DC0DE
  • 👾Welcome to 0x.B4DC0.DE
  • Newest Posts
  • Hack The Box Updates
  • Malware / Writeups
    • Development
      • PowerShell Script Block Obfuscation
      • VBS-JS Polyglot
    • Analysis
      • AsyncRAT
      • Operation Duck Hunt
      • GuLoader Script Deobfuscation
      • Creating a deobfuscator
      • SmokeLoader Analysis
        • Clearing the Smoke: A Smokeloader Analysis Part 1
  • Binary Exploitation
    • ROP Emporium
      • Ret2Win
      • Split
Powered by GitBook
On this page

Was this helpful?

  1. Malware / Writeups
  2. Analysis

Creating a deobfuscator

PreviousGuLoader Script DeobfuscationNextSmokeLoader Analysis

Last updated 3 months ago

Was this helpful?

When searching for samples on MalwareBazaar, I often gravitate towards samples that have no tags so I can emulate a black box approach to whatever sample I download. More often than not, this approach doesn't yield anything too interesting, but sometimes, I stumble across an unconventional sample. This sample was one of the rare ones that didn't follow other samples and implemented its obfuscation differently.

At first glance the sample seems simple, setting a variable to an obviously obfuscated string.

After the string is defined, some more weird JavaScript antics are done. I don't understand the nuances of JS, so I'm not completely sure what is going on in the next screenshot. But I don't care too much. The only thing I care about is how to dump the next stage for analysis. In this case, the sample's author set "toString" to the sample's payload.

The next stage can be dumped by changing "toString" to a placeholder variable name, printing the variable with WScript.Echo, and commenting out the last line to prevent the sample from executing

Running the sample with cscript will dump the next stage to the command line where you can redirect the output to a file to save the next stage for analysis.

After some "beautification", the sample is still very ugly and obfuscated. This is where the true purpose of this post comes out: creating a deobfuscator to turn this mess into something readable (it's still a JS sample, so take "readable" with a grain of salt).

At a glance a few patterns can identified, the first one looks like a weird take on string concatenation, and the second one features some regex to build a string.

The first technique employed uses a ternary operator to determine the character in the string. If the value on the left-hand side is true the first value is set as the next character, and if the value is false the second character is set. The deobfuscator script I wrote searches for these strings using regex to find strings that start with a parenthesis followed by two to three numbers, a space, any character 20 - 28 times, then ending with "). This allows us to evaluate the expression, determine its output, and replace the obfuscated character with its deobfuscated counterpart. While looking at the sample I noticed that the expression is always true, so I took a shortcut when writing the deobfuscator and simply cut the first character and replaced it instead of evaluating the expression from Python.

The next technique wasn't nearly as simple to implement, requiring me to extract the string and the regex with regex. This can be broken down into two steps, finding double quote strings, then combining that with searching for "[replace]" and extracting the string after it. After that is done, the extracted regex can be used against the string and replaced to make the sample readable.

This alone left some strings using this method untouched, the author implemented another layer on some of the strings. This layer used a bunch of different methods to derive the string. But, when complete they all resolve to "replace". This can be verified by creating a quick test in JS to print out one of the strings. Knowing this more regex can be used to locate large strings contained within braces

After all this is completed some extra cleaning is done to make the deobfuscated sample easier to read, such as removing string concatenation and removing excessive newlines. Once deobfuscated some domain names and other IOCs become apparent, searching these domains lets us identify the sample's family. This sample belongs to the bondat worm family, with very few posts about the family which I think is interesting. The sample has some anti-analysis techniques baked in and a method to self-propagate through removable media. This is the first real worm I've ever analyzed so it's pretty cool to see in a random sample from Malware Bazaar. Shoutout to https://blog.360totalsecurity.com/en/bondat-worm-struck-again-built-botnets-for-mining-cryptocurrency-and-attacking-wordpress/ for being one of the only technical writeups on the family.

SHA256: cf4e4ff772986a87ccce3162e8e120003a21a33832173ba8c4650f2fe5735bc0

Link: https://bazaar.abuse.ch/sample/cf4e4ff772986a87ccce3162e8e120003a21a33832173ba8c4650f2fe5735bc0/

String Concatenation
Regex String
Obfuscated Strings
Test Script
Test Output
Worm stuff
Anti-analysis