Sunday, November 30, 2014

Fireeye - Flare-On Challenge 4

This one was a malicious PDF. Ooh nice. I'd never done one of those before and got to learn something new. So for starters I read a great paper by Didier Stevens to understand how to go about analyzing PDFs.

As it turns out, objects can be hidden inside PDFs (I knew this). This includes JavaScript and shellcode (knew this too). What I didn't know though is how to go about extracting these malicious objects. So after following the PDF paper, I learnt how to use the tools pdfid and pdf-parser. Both are available from Didier Stevens' site.

Anyway, I started off looking for strings inside the PDF using a simple hex editor. Nothing interesting was found. Next I ran pdfid to get some information about the file and whether there were any suspicious objects inside it (pdfid counts the keywords that matter, such as /JS, /JavaScript and /OpenAction).

python pdfid.py C:\Users\arvind\Desktop\Fireeye_Flareon\C4\APT9001.pdf

Object 6 in the output appeared to have some malicious content hidden inside it (pdfid only counts keywords; walking the objects with pdf-parser.py is what shows which object actually carries the script). So obviously, the next logical step is to extract that object, letting pdf-parser apply the stream filters so the decoded content comes out raw.

python pdf-parser.py --object 6 --filter --raw C:\Users\arvind\Desktop\Fireeye_Flareon\C4\APT9001.pdf

This revealed a large amount of heavily obfuscated JS. Here is a sample. Notice the long, random variable names: this is plain obfuscation, an attempt to throw the reverser off, not any real protection.

var HdPN = "";
    var zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf = "";
    var IxTUQnOvHg = unescape("%u72f9%u4649%u1525%u7f0d%u3d3c%ue084%ud62a%ue139%ua84a%u76b9%u9824%u7378%u7d71%u757f%u2076%u96d4%uba91%u1970%ub8f9%ue232%u467b%u9ba8%ufe01%uc7c6%ue3c1%u7
    var MPBPtdcBjTlpvyTYkSwgkrWhXL = "";

    for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA=128;EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA>=0;--EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA) MPBPtdcBjTlpvyTYkSwgkrWhXL += unescape("%ub32f%u379
    ETXTtdYdVfCzWGSukgeMeucEqeXxPvOfTRBiv = MPBPtdcBjTlpvyTYkSwgkrWhXL + IxTUQnOvHg;
    OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY = unescape("%ub32f%u3791");
    fJWhwERSDZtaZXlhcREfhZjCCVqFAPS = 20;


The first thing I did was a lot of find-and-replace on all these variables to make them human readable. After a little bit of manual work it was clear that the large unescape() blob right at the top was where the action was: the loop concatenates 129 copies of one chunk (it counts from 128 down to 0 inclusive) and then the blob is appended to it, the classic shape of a heap spray.

I added a few document.write() and alert() calls to print out the variable values. This was a disaster, and obviously the flag isn't a JS variable value. The blob is Unicode for sure, because of the %u at the start, but printing it gives Hangul characters :). Googling the name of the PDF document suggested that this was some advanced APT malware, and I was upset that I'd now have to learn Hangul to crack this. Nothing wrong with that of course, but not what I wanted to spend my time learning right now :)

This turned out to be a dead end though. I mean, okay, it's Hangul, but what now? :( So I went back to basics and started looking for other tools in that space. There was a newer tool called peepdf that I tried to install, but after 2 hours of fighting to get libemu and pylibemu installed I gave up out of sheer boredom and started looking at the JS again.

If it isn't Hangul or some wacky Unicode, its meaning is something else. What? So I RTFM some more and found an awesome link that explained it: it's shellcode :). Each %uXXXX is a 16-bit value, and once unescape() has put those values in memory they are just bytes of x86 code; the Hangul is only what you get when those bytes are displayed as UTF-16 text, which is why the blob never rendered as ASCII when I tried to print it. Ok, now I followed the instructions on that link, used that cool little script (edited a bit to remove the "Help" code, which did not compile), converted the shellcode to C, and compiled the C code to an exe file using wine and mingw.
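As an added example (not the author's script and not the converter linked above), the following Python reproduces what unescape() leaves in memory: each %uXXXX escape is one UTF-16 code unit stored little-endian, so the same data reads as CJK/Hangul text when printed and as raw x86 bytes when dumped for a disassembler. The sample blob is the first eight escapes quoted from the page; the spray unit is assumed to be just the two escapes visible on the truncated loop line (the real unit is longer), and the function names are mine.

```python
import re
import struct

# Constructed sample input: the first eight escapes quoted from the page's
# obfuscated JavaScript, and a spray unit ASSUMED from the truncated loop
# line ("%ub32f%u379...") - the real unit is longer than this.
SAMPLE_BLOB = "%u72f9%u4649%u1525%u7f0d%u3d3c%ue084%ud62a%ue139"
SPRAY_UNIT = "%ub32f%u3791"

_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def js_unescape_to_bytes(s: str) -> bytes:
    """Return the bytes JavaScript's unescape() leaves in memory for s.

    Every %uXXXX becomes one UTF-16 code unit stored little-endian, so
    %u72f9 contributes F9 72; a plain %XX becomes the unit 0x00XX (XX 00);
    literal characters are encoded as UTF-16LE as well.
    """
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(s):
        out += s[pos:m.start()].encode("utf-16-le")
        unit = int(m.group(1) or m.group(2), 16)
        out += struct.pack("<H", unit)
        pos = m.end()
    out += s[pos:].encode("utf-16-le")
    return bytes(out)


def as_js_string(s: str) -> str:
    """The same code units viewed as characters: what alert() shows you."""
    return js_unescape_to_bytes(s).decode("utf-16-le", errors="replace")


def hangul_count(s: str) -> int:
    """Number of code units that land in the Hangul Syllables block."""
    return sum(1 for ch in as_js_string(s) if 0xAC00 <= ord(ch) <= 0xD7A3)


def heap_spray(unit: str, copies: int, payload: str) -> bytes:
    """Mimic the page's loop: `copies` copies of unit, then the payload.
    The page's loop counts from 128 down to 0 inclusive, i.e. 129 copies."""
    return js_unescape_to_bytes(unit) * copies + js_unescape_to_bytes(payload)


if __name__ == "__main__":
    print(as_js_string(SAMPLE_BLOB))                 # CJK/Hangul-looking text
    print(js_unescape_to_bytes(SAMPLE_BLOB).hex())   # the bytes a disassembler wants
    with open("shellcode.bin", "wb") as f:           # feed this to IDA/objdump
        f.write(heap_spray(SPRAY_UNIT, 129, SAMPLE_BLOB))
```

Run it and the printed string contains a Hangul syllable (U+D62A) among CJK ideographs, while the hex dump is what you hand to a disassembler; the byte order matters, a `%u72f9` escape is the bytes F9 72, not 72 F9.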

Nice. Now I have shellcode that I need to debug as usual. Load it in IDA, get the entry point, set a breakpoint in Olly on the entry point. OllyDbg time :). All the useful code eventually runs from 402000.

A little F8 and you can see all those instructions magically appear. Hangul indeed. Bah :). Set a breakpoint on 4023C1 and you can see the email address in EAX :).

This email address is then XORed with the repeating key BEEF and the result is displayed in a message box. So really, if we'd known that at the start and brute-forced the XOR with all 4-character keys, we'd have saved ourselves a ton of trouble :)
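Added example, not the challenge's code: repeating-key XOR with BEEF on a constructed sample address (the page does not reproduce the real one), plus two recovery approaches that go beyond brute-forcing every 4-character string. Crib-dragging a known fragment (an address always contains "@" and a domain) recovers the key outright, and per-position brute force works because each key byte only touches every fourth byte of the data, so the search is 256 tries per position rather than 95^4 keys. The plaintext, the crib "@example.com" and all function names are mine.

```python
import string

KEY = b"BEEF"

# Constructed sample plaintext; the page does not reproduce the real address.
SAMPLE_PLAINTEXT = b"someone@example.com"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with the key cycled over it. XOR is its own inverse, so the
    same function both applies and strips the BEEF mask."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


SAMPLE_CIPHERTEXT = xor_repeating(SAMPLE_PLAINTEXT, KEY)

# Characters a decoded e-mail address is allowed to consist of.
EMAIL_CHARS = frozenset((string.ascii_letters + string.digits + "@._-").encode())


def column_candidates(ciphertext: bytes, keylen: int, allowed=EMAIL_CHARS):
    """Per-position brute force.

    Key byte j only affects positions j, j+keylen, j+2*keylen, ... so each
    key byte is searched independently: 256 tries per position instead of
    256**keylen. Returns, for each key position, the set of key bytes that
    keep every byte of that column inside the allowed character class.
    """
    cands = []
    for j in range(keylen):
        column = ciphertext[j::keylen]
        cands.append({k for k in range(256) if all((c ^ k) in allowed for c in column)})
    return cands


def search_space(cands) -> int:
    """How many full keys survive the per-column filter."""
    n = 1
    for s in cands:
        n *= len(s)
    return n


def recover_key_with_crib(ciphertext: bytes, crib: bytes, keylen: int):
    """Crib-drag: slide a known plaintext fragment along the ciphertext.

    At the right offset, ciphertext XOR crib is a slice of the keystream,
    which must repeat with period keylen; a wrong offset almost never does.
    Requires len(crib) > keylen so the periodicity check can actually fail.
    Returns the key aligned to offset 0, or None if no offset fits.
    """
    if len(crib) <= keylen:
        raise ValueError("crib must be longer than the key")
    for off in range(len(ciphertext) - len(crib) + 1):
        stream = bytes(c ^ p for c, p in zip(ciphertext[off:], crib))
        if all(stream[i] == stream[i % keylen] for i in range(len(stream))):
            # stream[i] == key[(off + i) % keylen]; undo the rotation.
            return bytes(stream[(j - off) % keylen] for j in range(keylen))
    return None


if __name__ == "__main__":
    key = recover_key_with_crib(SAMPLE_CIPHERTEXT, b"@example.com", 4)
    print(key, xor_repeating(SAMPLE_CIPHERTEXT, key))
    left = search_space(column_candidates(SAMPLE_CIPHERTEXT, 4))
    print(left, "keys survive the per-column filter, versus", 95 ** 4)
```

The per-column filter alone does not pin the key down (flipping bit 0x20 of a key byte just changes the case of that column, for instance), but it shrinks the candidate list to something a crib or a glance at the output settles; with the crib, the key falls out in one pass over the data.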

The Email address is:
