Monday, March 19, 2012

Cryptam Multi tool - automatic extraction of encrypted exe's and dropped files

We've added a bunch of new features and special case handling to the Cryptam malware document analysis system. Here are a few highlights:

- MS Office Open XML .docx handling
- RTF Datastore embedded file detection
- bitwise not ciphers
- Automatic extraction of encrypted embedded executables, dropped clean PDFs and documents

Executable and dropped clean document extraction:
While we won't be serving up malware exe files for download after processing on Cryptam, we are releasing this free script so you can extract embedded executables yourself from a document or PDF file. We've seen an increase in malicious MS Office documents targeting Tibetan groups, using subjects related to self-immolation.

The Cryptam Multi tool - standalone malware extractor from documents:

Extract executables using a known XOR key, ROL/ROR bit rotation, transposition (of the full file or of the 512 byte EXE header) and bitwise NOT ciphers. Submit a malware document to Cryptam via our API to get the XOR key and any ciphers needed for decoding, or query the Cryptam API for the decoding parameters of previously submitted documents. All from a single script.

Support for Windows and Mac embedded executables.
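To show what the decode step does before the extractor carves out the executable, here is an added Python example (not part of the Cryptam script) that undoes a single-byte or rolling XOR key, a ROL/ROR rotation and a NOT filter, then locates MZ/PE headers in the decoded bytes and sizes each image from its section table. The order XOR, then rotate, then NOT, and indexing a rolling key by file offset, are this example's assumptions, as is the constructed sample document.

```python
import struct

def rot8(b, n):
    """Rotate a byte right by n bits (negative n rotates left)."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xff

def decode(data, xor_key=b"", ror=0, rol=0, bitwise_not=False, encode=False):
    """Undo the cipher stack Cryptam reports (XOR key, ROL/ROR, NOT). Order XOR->rotate->NOT and
    key index = offset mod key length are assumptions; encode=True is the inverse, for the sample."""
    n, k, out = (ror - rol) % 8, len(xor_key), bytearray(len(data))
    for i, b in enumerate(data):
        if encode:
            b = rot8(b ^ (0xff if bitwise_not else 0), -n)      # reverse steps in reverse order
            out[i] = b ^ (xor_key[i % k] if k else 0)
        else:
            b = rot8(b ^ (xor_key[i % k] if k else 0), n)       # XOR, then net right rotation
            out[i] = b ^ (0xff if bitwise_not else 0)          # then bitwise NOT
    return bytes(out)

def find_pe_images(buf):
    """Offsets of 'MZ' whose e_lfanew lands on a 'PE\\0\\0' signature."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1 and pos + 0x40 <= len(buf):
        lfanew = struct.unpack_from("<I", buf, pos + 0x3c)[0]
        if 0x40 <= lfanew < 0x400 and buf[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
            hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits

def pe_raw_size(buf, mz):
    """On-disk image length: end of the last section's raw data (ignores any overlay)."""
    pe = mz + struct.unpack_from("<I", buf, mz + 0x3c)[0]
    nsec, opt = struct.unpack_from("<H", buf, pe + 6)[0], struct.unpack_from("<H", buf, pe + 20)[0]
    secs = [struct.unpack_from("<II", buf, pe + 24 + opt + 40 * s + 16) for s in range(nsec)]
    return max((ptr + size for size, ptr in secs), default=0)

def extract(doc, **cipher):
    """Decode the whole document and carve every embedded PE: [(offset, image_bytes)]."""
    dec = decode(doc, **cipher)
    return [(mz, dec[mz:mz + pe_raw_size(dec, mz)]) for mz in find_pe_images(dec)]

# Constructed sample (not a real malware document): a fake OLE2 prefix, then a minimal
# one-section PE stub hidden with XOR c9 + ROR 7, the parameters shown in the post's output.
STUB = bytearray(0x140)
STUB[:2], STUB[0x80:0x84], STUB[0x100:] = b"MZ", b"PE\0\0", b"\x90" * 0x40
struct.pack_into("<I", STUB, 0x3c, 0x80)                # e_lfanew -> PE signature
struct.pack_into("<HH", STUB, 0x84, 0x14c, 1)           # Machine=i386, NumberOfSections=1
struct.pack_into("<II", STUB, 0x98 + 16, 0x40, 0x100)   # section SizeOfRawData, PointerToRawData
SAMPLE = b"\xd0\xcf\x11\xe0" + b"A" * 300 + decode(bytes(STUB), xor_key=b"\xc9", ror=7, encode=True) + b"B" * 64
```

Running `extract(SAMPLE, xor_key=b"\xc9", ror=7)` yields one image of 320 bytes at offset 304, the same "wrote N bytes at offset" result the tool prints; a real decoder would also parse SizeOfOptionalHeader properly for the dropped file's section table, which the toy stub leaves at zero.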

Example usage:

$ ls Action\ Plan\ for\ March\ 10th.doc
Action Plan for March 10th.doc

Submit a document from the command line (-submit):
$ php cryptam_multi.php Action\ Plan\ for\ March\ 10th.doc -submit
Submitting Action Plan for March 10th.doc to remote server
using XOR key [key omitted]
wrote 51880 bytes at 60688 as type exe abb7d6371e8b389184802667fbc9a1ac
wrote 76120 bytes at 112568 as type exe aa88ea7d5a2ebdba4755e2e22a98778e

$ ls Action\ Plan\ for\ March\ 10th.doc*
Action Plan for March 10th.doc
Action Plan for March 10th.doc-112568.exe
Action Plan for March 10th.doc-60688.exe
Action Plan for March 10th.doc.out

$ php cryptam_multi.php Iran\'s\ Oil\ and\ Nuclear\ Situation.doc -api
Accessing remote API for decoding params for e92a4fc283eb2802ad6d0e24c7fcc857
using ROR 2
wrote 49160 bytes at 57444 as type exe 0bd8671cc6b6f7ae94bb5c04c12699d3

$ php cryptam_multi.php CVE-2012-0744-xls.xls -api
Accessing remote API for decoding params for 198de4a1ebf05f7f44faf76f167b0233
using XOR key 9a
using ROR 1
wrote 33888 bytes at 66124 as type exe 0decc2ec261bb2cb56456a8173355079
wrote 141224 bytes at 100012 as type exe 68c62ae7a28c2ccca3892b1926ed958f

Extract executables and documents from documents in plaintext:
$ php cryptam_multi.php macmalware.doc
wrote 42556 bytes at 26162 as type macho XXX8786a4887a763d8f3e5243724XXXX
wrote 37376 bytes at 68718 as type doc XXXf81de9f7d53c7e584bc15b1fdXXXX

Extract executables by downloading decode params from the api (-api):
$ php cryptam_multi.php 0353449f52f30d46aa425895f39acd39.virus -api
Accessing remote API for decoding params for 0353449f52f30d46aa425895f39acd39
using XOR key c9
using ROR 7
wrote 33800 bytes at 57420 as type exe 3cd745d8245aeec4c98a9317a7863f70

Extract executables from the command line using a known XOR key and rol/ror/not:
$ php cryptam_multi.php 0353449f52f30d46aa425895f39acd39.virus -xor c9 -ror 7
using XOR key c9
using ROR 7
wrote 33800 bytes at 57420 as type exe 3cd745d8245aeec4c98a9317a7863f70

Automatically untranspose MZ headers if needed:
$ php cryptam_multi.php TWA\ mourns\ the\ self\ immolation\ deaths\ of\ two\ female\ protesters.doc -api
Accessing remote API for decoding params for 4c689a4dbff1cf735fa44322800ebfe8
using XOR key 9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c
wrote 86016 bytes at 37230 as type exe d1690cb9c36fff1b8f27c20d0784a686
wrote 27648 bytes at 123246 as type doc e4e6dce8b7a59663b5f4888848e4fb0f

$ php cryptam_multi.php
Cryptam Multi Tool - Decode and extract embedded executables from documents
php cryptam_unxor.php virus.doc -xor fe85aa -rol 3 -not -out file.out
php cryptam_unxor.php virus.doc -api [gets decoding params from]
php cryptam_unxor.php virus.doc -submit [upload file to, download params]
-xor XOR key to decode document with
-rol bitwise left shift places
-ror bitwise right shift places
-not use a bitwise not fiter
-tp transposition cipher filter on file
-tph transposition cipher filter on EXE 512 byte header
-submit upload file to Cryptam analyzer, captures decoding params
and extracts EXE/docs/pdfs from file
-api queries Cryptam api with MD5 hash only, captures decoding params
and extracts EXE/docs/pdfs from file
