Reverse Engineering Malware

I recently worked on a penetration test that taught me how to reverse engineer malware. This malware caused problems for the victim for several days, and during that period some investigation was done to help fix the problem.

The phases of penetration testing apply to any task you set out to do, and they applied during this adventure as well. The journey began with reconnaissance: the origin of the malware was traced through public domain records, which is also where decoded copies of the malware code were found. All of this was only possible through proper reconnaissance, which is the most important stage in finding a solution to a problem.

REVERSE ENGINEERING

Reverse engineering can be defined as the process of reproducing another producer's product following a thorough examination of its construction or composition. Reverse engineering malware can be a cumbersome activity that requires patience and persistence. This malware used a method called function cloaking to obfuscate its code. Obfuscation is basically making a script or program harder for the human eye to understand quickly; here it was done by wrapping the real code in nested layers of encoding and compression that are undone at runtime and handed to eval().

Below is the obfuscated malware in question 

The analysis of the malware began from the bottom rather than the top, and from the inside rather than the outside: the innermost function call is resolved first and the analysis works outward from there. Going to the end of the malware I found the eval() line quoted under "From:" below.

Starting from the inside of that line, the innermost argument is the variable $cyber, which was declared at the beginning of the obfuscated malware. The value assigned to $cyber is shown below:

"ZXZhbCUyOCUyNnF1b3QlM0IlM0YlMjZndCUzQiUyNnF1b3QlM0IuZ3p1bmNvbXByZXNzJTI4Z3p1bmNvbXByZXNzJTI4Z3ppbmZsYXRlJTI4Z3ppbmZsYXRlJTI4Z3ppbmZsYXRlJTI4YmFzZTY0X2RlY29kZSUyOHN0cnJldiUyOCUyNENyaW1lJTI5JTI5JTI5JTI5JTI5JTI5JTI5JTI5JTNC"

To decode the value of the variable $cyber into readable, regular code, there are two methods that can be used:

First Method: Using PHP scripts

The first is to create a PHP script that undoes the encoding. eval was replaced with echo, so that when the script runs it does not execute what the code says but only prints the code that eval would have received, and the variable $cyber was replaced by its literal value, as shown below.

From:

eval(htmlspecialchars_decode(urldecode(base64_decode($cyber))));

To:

echo(htmlspecialchars_decode(urldecode(base64_decode("ZXZhbCUyOCUyNnF1b3QlM0IlM0YlMjZndCUzQiUyNnF1b3QlM0IuZ3p1bmNvbXByZXNzJTI4Z3p1bmNvbXByZXNzJTI4Z3ppbmZsYXRlJTI4Z3ppbmZsYXRlJTI4Z3ppbmZsYXRlJTI4YmFzZTY0X2RlY29kZSUyOHN0cnJldiUyOCUyNENyaW1lJTI5JTI5JTI5JTI5JTI5JTI5JTI5JTI5JTNC"))));

When the script runs, it takes the string, runs base64_decode on it, passes the result to urldecode, passes that result to htmlspecialchars_decode, and the final result is what is echoed to the screen. The order matters: the functions are applied from the innermost call outward, which is the reverse of the order in which they appear when reading the line from left to right.

The logic was to decode the inner variable $cyber first, because its decoded value contains the functions needed to decode the variable $Crime, and that is how the encoded malware was unpacked.

Second Method: Using online decoders

The malware used several encoding schemes to obfuscate itself. There are many online decoders that can be used if you are not comfortable with coding. The first layer of the $cyber value was base64 encoded, so a base64 decoder was used to reverse it, as shown in the image below.

That produced a value which was URL encoded, so an online URL decoder was used to reverse that layer.

After the URL-encoded value was decoded (and the remaining HTML entities &quot; and &gt; translated back to " and >), the value obtained is the same as the one obtained in method 1 with the script decoder1.php, as shown below:

eval("?>".gzuncompress(gzuncompress(gzinflate(gzinflate(gzinflate(base64_decode(strrev($Crime))))))));

The next step was to repeat the same logic used for $cyber. The variable $Crime (PHP variable names are case sensitive, so it is $Crime, not $crime) was replaced by its value. Reading the recovered line from the inside out, the value is first reversed with strrev, then base64 decoded, then inflated three times with gzinflate, and finally decompressed twice with gzuncompress; the "?>" prepended to the result closes PHP mode so that the decompressed payload can begin with its own <?php tag. Using the online decoder "eval gzinflate base64_decode PHP Decoder", the second part of the malware, the $Crime variable, was decoded.

The decoded output was then pasted as is into the gzuncompress decoder, and the malware was fully decoded, as shown in the image below.
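Both decoding stages above, as an added worked example in Python rather than the post's decoder1.php (this is not the author's code): it reproduces PHP's gzinflate and gzuncompress with zlib, parses the function chain out of the recovered eval() line so that the same routine peels the $cyber layer and then the $Crime layer, and never evaluates anything. The $cyber value is the one quoted in the post. The real $Crime value is not on the page, so a benign constructed payload is wrapped with the matching forward chain (gzcompress twice, gzdeflate three times, base64_encode, strrev) purely to exercise the decoder; the function names php_gzinflate, php_gzuncompress, parse_chain and unwrap are this example's own.

```python
import base64
import html
import re
import zlib
from urllib.parse import unquote_to_bytes

# The base64 value assigned to $cyber in the post, joined across the page's line wraps.
CYBER = (
    "ZXZhbCUyOCUyNnF1b3QlM0IlM0YlMjZndCUzQiUyNnF1b3QlM0IuZ3p1bmNvbXByZXNzJTI4Z3p1bmNv"
    "bXByZXNzJTI4Z3ppbmZsYXRlJTI4Z3ppbmZsYXRlJTI4Z3ppbmZsYXRlJTI4YmFzZTY0X2RlY29kZSUyOHN0c"
    "nJldiUyOCUyNENyaW1lJTI5JTI5JTI5JTI5JTI5JTI5JTI5JTI5JTNC"
)

# The outer eval() line from the post, i.e. what the malware does with $cyber.
STAGE1 = "eval(htmlspecialchars_decode(urldecode(base64_decode($cyber))));"


def php_gzinflate(data):
    """PHP gzinflate(): raw DEFLATE stream with no zlib header, hence negative wbits."""
    return zlib.decompress(data, -zlib.MAX_WBITS)


def php_gzuncompress(data):
    """PHP gzuncompress(): zlib-wrapped stream (2-byte header + adler32 trailer)."""
    return zlib.decompress(data)


def php_htmlspecialchars_decode(data):
    # html.unescape handles a superset of the entities PHP decodes (&quot; &gt; &lt; &amp;).
    return html.unescape(data.decode("latin-1")).encode("latin-1")


# PHP decode primitives seen in the two eval() lines, as bytes -> bytes functions.
PHP_FUNCS = {
    "base64_decode": base64.b64decode,
    "urldecode": unquote_to_bytes,
    "htmlspecialchars_decode": php_htmlspecialchars_decode,
    "gzinflate": php_gzinflate,
    "gzuncompress": php_gzuncompress,
    "strrev": lambda b: b[::-1],
}


def parse_chain(expr):
    """Return (function names outermost-first, variable name) from f1(f2(f3($var)))."""
    names = re.findall(r"([A-Za-z_]\w*)\s*\(", expr)
    var = re.search(r"\$(\w+)", expr).group(1)
    return names, var


def unwrap(names, data):
    """Apply the chain innermost-first (reverse of source order); eval is skipped, never run."""
    for name in reversed(names):
        if name == "eval":
            continue
        data = PHP_FUNCS[name](data)
    return data


def decode_stage1():
    """Peel $cyber: yields the second eval() line, which names the chain used on $Crime."""
    names, _ = parse_chain(STAGE1)
    return unwrap(names, CYBER.encode()).decode()


def decode_stage2(crime):
    """Peel $Crime using the chain recovered from stage 1 rather than a hard-coded one."""
    names, var = parse_chain(decode_stage1())
    assert var == "Crime", var
    return unwrap(names, crime)


# --- constructed test payload (the real $Crime value is not in the post) ---
def php_gzdeflate(data):
    """PHP gzdeflate(): raw DEFLATE, the inverse of php_gzinflate."""
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def build_sample_crime(plaintext):
    """Wrap plaintext with the forward chain: gzcompress x2, gzdeflate x3, base64_encode, strrev."""
    data = plaintext
    for _ in range(2):
        data = zlib.compress(data)        # PHP gzcompress()
    for _ in range(3):
        data = php_gzdeflate(data)
    return base64.b64encode(data)[::-1]   # base64_encode() then strrev()


SAMPLE_PAYLOAD = b"<?php echo 'constructed sample payload'; ?>"  # constructed, benign

if __name__ == "__main__":
    print(decode_stage1())
    print(decode_stage2(build_sample_crime(SAMPLE_PAYLOAD)).decode())
```

Running the script prints the recovered gzuncompress/gzinflate/strrev line from the post and then the constructed payload round-tripped through that chain. Two things carry over to real samples: a decoder should only ever print what eval would have received, never hand it back to the interpreter, and the outermost gzuncompress layer is where a decoder that guesses "gzinflate" will fail, because gzinflate expects a raw DEFLATE stream while gzuncompress expects the zlib header, so the chain must be read off the recovered code rather than assumed.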

6 thoughts on "Reverse Engineering Malware"

  1. Someone essentially helped to make serious posts, I would state. This is the first time I frequented your website page, and thus far? I am surprised with the research you made to create this particular publication incredible. Excellent job!

    1. Thank you very much for the kind compliment, I really appreciate it. I will keep on posting more of the research content I do.

  2. I am not sure where you're getting your information, but good topic. I need to spend some time learning much more or understanding more. Thanks for the fantastic info, I was looking for this information for my mission.

  3. I was suggested this blog by my cousin. I am now not sure whether this post is written by him, as nobody else realizes such specifics about my trouble. You are wonderful! Thanks!
