I recently came across a penetration test that taught me how to reverse engineer malware. The malware had been affecting the victim for several days, and during that period some investigation was done to help fix the problem.
The phases of penetration testing apply to any task you set out to do, and they applied during this adventure too. The journey began with reconnaissance, where the origin of the malware was traced through public domains, which is also where the decoded malware code was found. All of this was only possible through proper reconnaissance, which is the most important stage in finding a solution to a problem.
Reverse engineering can be defined as the process of duplicating another producer's product following a thorough examination of its construction or composition. Reverse engineering malware can be a cumbersome activity that requires patience and persistence. This malware made use of a method called function cloaking to obfuscate its code. Obfuscation is basically making a script or program less friendly to the human eye, so that it cannot be quickly understood.
Below is the obfuscated malware in question
The analysis of the malware began from the bottom rather than the top, and from the inside rather than the outside: you first examine the inner workings of the malware and work your way outwards, rather than starting from the outside and going in. Going to the end of the malware, I found the line of code shown below.
Starting from the inside of the code, we can see that the innermost variable is $cyber, which was declared at the beginning of the obfuscated malware. The variable $cyber has the value shown below.
To decode the value of the variable $cyber into plain, readable PHP code, there are two methods that could be used:
First Method: Using PHP scripts
The first is to create a PHP script to decode the encoded payload. What was done is that eval was replaced with echo, so that when the script runs it does not execute what the code says but simply prints the code it would have run, and the variable $cyber was replaced by its value, as follows:
So when it is echoed, it takes the string, runs the base64_decode function on it, passes the result through the URL-decode function, passes that result through the htmlspecialchars_decode function, and the final result is what is echoed back on screen.
The logic was to first decode the inner variable $cyber to obtain the functions needed to decode the variable $crime, and that is how the encoded malware was decoded.
Second Method: Using online decoders
The malware made use of several encoding schemes to obfuscate itself. There are a lot of online decoders that a person could use if they are not comfortable with coding. The first part of the value of the variable $cyber was encoded with the base64 encoding scheme, so to reverse it a base64 decoder was used, as shown in the image below.
The value obtained was URL encoded, so to reverse that an online URL decoder was used.
After the URL-encoded value was decoded, the value obtained is the same value obtained in method 1 using the script decoder1.php, as shown below.
The next step was to repeat the same logic used for the variable $cyber. The variable $crime was replaced by its value, and by looking at the code you could tell it was making use of gzuncompress. Using the online "eval gzinflate base64_decode PHP Decoder", the decoder was able to decode the second part of the malware, which is the $crime variable.
After getting the results, you take the decoded output and paste it as-is into the gzuncompress decoder, and the malware was decoded as shown in the image below.
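As an added example (not code from the original post), the following Python script reproduces the two decoding layers described in both methods above, statically and without ever executing the decoded code, on a constructed sample payload. The variable names $cyber and $crime and the chain base64_decode -> urldecode -> htmlspecialchars_decode, then base64_decode -> gzuncompress, follow the post; the sample contents and the helper names are assumptions.

```python
import base64
import html
import re
import urllib.parse
import zlib

# Constructed, harmless stand-in for the code the final eval() would have run.
INNER_PLAINTEXT = "<?php echo 'hello from the decoded payload'; ?>"

def build_sample():
    """Constructed sample mirroring the post's two layers (not the real malware)."""
    # $crime layer: gzcompress -> base64 (PHP gzcompress is zlib format).
    crime = base64.b64encode(zlib.compress(INNER_PLAINTEXT.encode())).decode()
    # $cyber layer: htmlspecialchars -> urlencode -> base64 around the eval stub.
    stub = f"eval(gzuncompress(base64_decode('{crime}')));"
    return base64.b64encode(
        urllib.parse.quote(html.escape(stub, quote=True)).encode()).decode()

def decode_cyber(cyber):
    """Outer layer: base64_decode -> urldecode -> htmlspecialchars_decode.
    Static equivalent of the eval -> echo trick: the stub is never executed."""
    step1 = base64.b64decode(cyber).decode()
    step2 = urllib.parse.unquote(step1)
    return html.unescape(step2)

def extract_crime(stub):
    """Pull the base64 blob out of base64_decode('...') in the decoded stub."""
    m = re.search(r"base64_decode\('([A-Za-z0-9+/=]+)'\)", stub)
    if m is None:
        raise ValueError("no base64_decode('...') call found in stub")
    return m.group(1)

def decode_crime(crime):
    """Inner layer: base64_decode -> gzuncompress (zlib.decompress)."""
    return zlib.decompress(base64.b64decode(crime)).decode()

def deobfuscate(cyber):
    """Peel both layers and return the text the malware would have eval()'d."""
    stub = decode_cyber(cyber)
    if "gzuncompress" not in stub:
        raise ValueError("unexpected stub, inspect manually: " + stub[:80])
    return decode_crime(extract_crime(stub))

if __name__ == "__main__":
    sample = build_sample()
    print("decoded stub :", decode_cyber(sample))
    print("final payload:", deobfuscate(sample))
```

Because each layer is decoded as data rather than run through eval, the same script can be pointed at a real $cyber value without the risk of executing the payload on the analysis machine.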