Monday, 22 July 2013

Red October [Hex Code Analysis]




This post walks through the analysis of the hex-encoded shellcode in the file "51edea56c1e83bcbc9f873168e2370af", which leads to the decoding and unpacking of the stage 1 dropper.

Analyze the Byte Distribution of 51edea56c1e83bcbc9f873168e2370af

Most of the bytes are the ASCII hex digits 0 to 9 and A to F. This indicates that large portions of the file are hex-encoded strings.

Visual Inspection
Visual inspection of the file reveals that the shellcode is hiding in plain sight. In this particular file, the encoded strings are easy to tell apart from the surrounding bytes.

The strings to look out for are:
- strings that are continuous;
- strings that are of a reasonable length;
- strings that consist only of the hex digits 0 to 9 and A to F.

The strings to ignore are:
- strings that are not ASCII;
- strings that contain characters outside the hex-digit range 0 to 9 and A to F;
- strings that are long repetitions of one or two bytes (e.g. 00000000000..., 01010101010101..., EFEFEFEF..., etc).

Following the steps above leads to three chunks of interesting hex-encoded strings.

First chunk of encoded hex strings.
Second chunk of encoded hex strings.
Third chunk of encoded hex strings.

Decode the Strings

The chunks of hex-encoded strings are decoded using a handy Python script. The result is three binary files.

Python script for hex decoding.

Analyze the file sizes and byte distributions
The file size of the third chunk is significantly larger than the first two chunks, and the byte distribution of the decoded bytes surfaces an interesting fact: the byte 0xDE has the most occurrences, making up 25.6% of the chunk. A PE image is dominated by 0x00 padding, so a single byte standing out this strongly suggests that the chunk is XOR-encoded with the key 0xDE.

0xDE is the majority byte, making up 25.6% of the entire chunk.

Decoding the Packed Dropper
Based on the information gathered from analyzing the bytes, XOR each byte of the file with 0xDE to retrieve the packed dropper.

Decode using another handy python script.

Remove the first 10 bytes and save the file.

The result is the packed binary msmx21.exe.
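The whole procedure above (carve the hex-digit runs, hex-decode, guess the single-byte XOR key from the byte distribution, strip the 10-byte prefix) as one script. This is an added example, not the author's script; the input is a constructed blob, not the real sample, and the key guess assumes, as the post does, that the most common plaintext byte is 0x00.

```python
import re
from collections import Counter

# Constructed stand-in for the carved third chunk: a 10-byte prefix, then a
# fake PE-like image padded with 0x00, all XORed with 0xDE and hex-encoded.
# These are not real Red October bytes.
_PLAIN = b"MZ" + b"\x00" * 40 + b"This program cannot be run in DOS mode" + b"\x00" * 60
_PREFIX = b"\x01" * 10
_ENCODED = bytes(b ^ 0xDE for b in _PREFIX + _PLAIN)
SAMPLE_BLOB = (b"\xff\xfe" + b"\x00" * 8            # non-ASCII noise, ignored
               + _ENCODED.hex().upper().encode()  # the hex-digit run we want
               + b"\x90\x90" + b"ABAB" * 8)        # two bytes repeated, ignored

HEX_RUN = re.compile(rb"[0-9A-Fa-f]{16,}")  # "reasonable length": 16+ hex digits


def carve_hex_chunks(blob):
    """Return continuous hex-digit runs, skipping odd-length runs and runs
    made of only one or two repeated bytes."""
    chunks = []
    for match in HEX_RUN.finditer(blob):
        run = match.group()
        pairs = {run[i:i + 2] for i in range(0, len(run), 2)}
        if len(run) % 2 == 0 and len(pairs) > 2:
            chunks.append(run)
    return chunks


def byte_share(data, value):
    """Fraction of data made up of the byte `value` (the 25.6% figure above)."""
    return data.count(value) / len(data)


def guess_xor_key(data):
    """Single-byte XOR: if the plaintext's most common byte is 0x00 (PE padding),
    the most common ciphertext byte is the key itself."""
    return Counter(data).most_common(1)[0][0]


def unpack_dropper(blob, skip=10):
    """Carve the largest hex chunk, hex-decode it, XOR-decode with the guessed
    key and drop the first `skip` bytes. Returns (key, dropper_bytes)."""
    largest = max(carve_hex_chunks(blob), key=len)
    encoded = bytes.fromhex(largest.decode("ascii"))
    key = guess_xor_key(encoded)
    decoded = bytes(b ^ key for b in encoded)
    return key, decoded[skip:]


if __name__ == "__main__":
    key, dropper = unpack_dropper(SAMPLE_BLOB)
    print(f"key=0x{key:02X} starts_with_MZ={dropper[:2] == b'MZ'} size={len(dropper)}")
```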

Alternative Approach >> Shell Code Analysis
