Monday, February 20, 2012

Decrypting embedded encrypted executables

In addition to the detection of embedded executables in documents, you will probably want to run the malware in your dynamic analysis sandbox or do a static analysis in IDA. To decrypt the executable or embedded clean documents etc that are obfuscated/encrypted, we have the following simple script. First you'll need the XOR key and ROL decode shift from a Cryptam report:



Download our cryptam_unxor.php script.

Sample usage:
dev:cryptam_test dev$ strings 34eba128caa21df52b7cec6ea1c80a91.virus|egrep This.program
dev:cryptam_test dev$ php cryptam_unxor.php 34eba128caa21df52b7cec6ea1c80a91.virus -xor 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff -rol 5
dev:cryptam_test dev$ strings 34eba128caa21df52b7cec6ea1c80a91.virus.out|egrep This.program
This program cannot be run in DOS mode.
This program cannot be run in DOS mode.
dev:cryptam_test dev$


Then use your favorite hex editor to grab the content from the MZ header onward.

The script (spacing removed by blog editor, use the link above for a clean copy):
<?PHP
/*
* v0.1
* cryptam_unxor.php: MalwareTracker.com Cryptam - command line script
* unxor and unrol
*/

$key = '';
$rol = 0;
$outfile = '';

//accept a file as input
if (is_file($argv[1]) && $argc % 2 == 0) {
$outfile = $argv[1].".out";
for ($i = 2; $i < $argc; $i+=2) {
if ($argv[$i] == "-xor" && is_file($argv[$i+1]) )
$key = file_get_contents($argv[$i+1]);
else if ($argv[$i] == "-xor" || $argv[$i] == "-key")
$key = $argv[$i+1];
else if ($argv[$i] == "-rol")
$rol = $argv[$i+1];
else if ($argv[$i] == "-out")
$outfile = $argv[$i+1];
}
} else {
echo "invalid number of arguments:\n";
echo "php cryptam_unxor.php virus.doc -xor fe85aa -rol 3 -out file.out\n";
exit(1);
}

$data = file_get_contents($argv[1]);

if ($key != '') {
$data = xorString($data, hex2str($key));
}

if ($rol != '') {
$data = cipherRol($data, $rol);
}

file_put_contents($outfile, $data);


function hex2str($hex) {
$str = '';
for($i = 0; $i<strlen($hex); $i += 2) {
$str .= chr(hexdec(substr($hex,$i,2)));
}
return $str;
}

function cipherRol($string, $x) {
$newstring = '';
for ($i = 0; $i < strlen($string); $i++){
$bin = str_pad(decbin(ord($string[$i])), 8,'0', STR_PAD_LEFT);
$ro = substr($bin, $x).substr($bin, 0, $x);
$newstring .= chr(bindec($ro));
}
return $newstring;
}

function xorString($data, $key) {
$key_len = strlen($key);
$newdata = '';

for ($i = 0; $i < strlen($data); $i++) {
$rPos = $i % $key_len;
$r = '';
if ($key_len == 1)
$r = ord($data[$i]) ^ ord($key);
else
$r = ord($data[$i]) ^ ord($key[$rPos]);

$newdata .= chr($r);
}

return $newdata;
}


?>

No comments:

Post a Comment