Tuesday, June 18, 2013

Exploring the Darkleech Rabbit Hole - Part 1

Hi folks. Sorry for the delay, I know there are at least a few of you out there who have wondered why this post is late since I've been promising this was coming for several days now. I had a long fight this morning (a 10+ hour-long fight, to be specific) with a dropper I couldn't get to unXOR. :)

Protip: 010 Editor from SweetScape has some scripts for XORing files - XorSelection and XorSelectionHex. These scripts are great for short XOR keys (16 bytes or less). However, these scripts are not written to handle 0x00 values, so if you have to XOR using a 128-byte key, for example (as I did), these scripts will either give you incorrect output or give you array index out of range errors. So, for longer XOR keys, use something like XOR 0.2 by Luigi Auriemma (you can get it here: http://aluigi.altervista.org/mytoolz/xor.zip). Your XOR key needs to be in 0x## format with no spaces, but it works like a charm!

Without further ado - let's get to the rabbit hole. :)

Darkleech Infection Vector

As we know at this point, Darkleech often affects legitimate websites. The victim here was visiting a particular page hosted on cl.jobrapido.com. This is a site similar to monster.com or hotjobs.com, but hosted in Chile. So let's take a quick look at the original landing page HTTP header. This is nothing new, we've all seen this before:

You might recognize that javascript as being similar to what I deobfuscated in my very first post. :) Same thing here. It's an obfuscated JNLP parameter, which later turns into a JNLP applet that pulls down the payload. At this point we don't know what type of exploit it's bringing down, but there's a good chance it's going to be Zeus or BHEK. Good stuff.

Shortly after the victim hits the landing page, a .jar file gets pulled down, seen here:

The .jar file is itself an exploit, so here's some info about it:

Note: The "ETag:" parameter in the HTTP header is actually the md5 of the .jar file.
Filename: unknown
Content-Length: 23798
Mime Type: application/java-archive
md5: 09E00862D678800B1C4DCD642DDA24E3
VirusTotal (8/47 hits): https://www.virustotal.com/en/file/e5bc719838d914592325ef25903bcd047f3257ceaee2c8e50b3dd25f926861bf/analysis/ 

This isn't the full payload, but we're getting to the fun stuff. This is just one more component that is leading up to pulling down the dropper. Is the suspense killing you yet? :) This jar file, like most other malicious jar files, contains several .class files that end up pointing the victim's host to a payload. This ultimately leads us to...

The Rabbit Hole - about.exe, part 1

The next thing that comes down in the stream is an exe - about.exe, in this case. You'll probably notice that the TCP stream doesn't have the usual MZ file header in it. It's not immediately obvious until you start looking at the content in a hex editor, but the file has been XORed. This is an extremely common technique used by malware writers to try to make your life more difficult. Thankfully this one isn't as complicated as some, but this is also the one that I spent 10 hours trying to un-XOR:

At this point, I saved the tcp stream and cut out everything before the "_.F.9..." since this is where the content of the file starts. Note that the HTTP header was nice enough to give us a filename for reference purposes - about.exe. This might come in handy when trying to identify what type of malware this is.

Here's some info about the obfuscated file:
Filename: about.exe
Content-Length: 158200
Mime Type: application/x-msdownload
File hash (XORed): C58C409BFC1B0DE1E6F3C172F37FF1EF
VirusTotal: Hash not found - This is fine because we're going to get a different hash in a minute.

So, in looking at this version of the exe in a hex editor, here's what we see:

Obviously that doesn't look like an exe, but we already know it is from the mime type (and the filename helps!), so the trick here is to figure out how the file has been obfuscated. The vast majority of the time these files are obfuscated using a simple XOR. How do you figure out what the XOR key is? Pattern analysis. There are other ways to do it via static analysis using a debugger, but I'm going to cover that in another post in the future.

Pattern Analysis

I'm taking a small detour from the 'rabbit hole' to explain the art of pattern analysis; we'll get back to chasing the rabbit hole later. 

Finding the XOR key via pattern analysis is really just looking for repeating patterns, then figuring out where the pattern actually starts. From there - trial and error. Sometimes this can be a really lengthy process, but this is what we do, right? :)

Generally speaking, repeating patterns are most easily found in empty parts of the file - that is, parts with lots of white space. Sometimes this can be most easily identified by looking at the binary in text mode and scrolling down until something jumps out at you. Here's what the exe looks like in 010 Editor's Text View:

Looking at this in text mode makes it MUCH easier to identify repeating patterns. However, this can also be quite deceiving if you aren't paying attention, but more on that in a bit. Let's break this down...

When looking at the file in text view, it would appear that the repeating pattern is this:

That IS a repeating pattern, but it's not the correct repeating pattern. A little trial and error helps us figure that out. 

The good thing about exe files is that they all start with a file header of "MZ". This means we can determine if we have the right XOR key just by XORing the first two bytes of the file. So let's try that. The hex value for the pattern shown above is:

9C 6E 70 52 B4 16 E8 FA CC DE 20 82 64 46 58 AA 3C 8E 10 F2 D4 36 88 1A EC FE C0 22 84 66 78 4A 5C AE 30 92 74 56 A8 3A 8C 1E E0 C2 24 86 18 EA FC CE D0 32 94 76 48 5A AC 3E 80 62 44 A6 38 8A 1C EE F0 D2 34 96 68 7A 4C 5E A0 02 E4 C6 D8 2A BC 0E 90 72 54 B6 08 9A 6C 7E 40 A2 04 E6 F8 CA DC 2E B0 12 F4 D6 28 BA 0C 9E 60 42 A4 06 98 6A 7C 4E 50 B2 14 F6 C8 DA 2C BE 00 E2 C4 26 B8

That's 128 bytes long! Crazy, isn't it? They can be worse, but normally XOR keys are 16 bytes or less. So, let's XOR the first 4 bytes of our file with the first 2 bytes of this XOR key to see if our MZ file header is revealed:

Above you'll see that the bytes of the file have changed from our XOR, but this still isn't an MZ file header. So let's go back to our previous example and I'm going to point something out... This is why you have to pay close attention when looking for patterns.

If you look in the circled area, you'll notice that the pattern actually starts in the line above the one we originally thought was the XOR key. Let's take the first 2 bytes of this hex pattern and XOR the first 4 bytes of the file with that and see what we come up with. Here's the first 2 bytes of the circled part:

12 F4

And here's what the file header looks like when we XOR the first 4 bytes using the key above:

Success! The file header now starts with MZ (4D 5A in hex). So we know our XOR key STARTS with the 2 bytes above, so let's go back into our hex editor and select the 2 bytes above, plus everything after that until the pattern repeats:

Note: Looking in hex view at "empty" parts of the file will often show the XOR key starting at the beginning of a line, as seen below. This can sometimes help in figuring out where your pattern starts, as opposed to looking in text view. Text view is generally best for determining where the repeating patterns are located (and thus, the empty space in the file).

This gives us a final XOR key of: 

12 F4 D6 28 BA 0C 9E 60 42 A4 06 98 6A 7C 4E 50 B2 14 F6 C8 DA 2C BE 00 E2 C4 26 B8 0A 9C 6E 70 52 B4 16 E8 FA CC DE 20 82 64 46 58 AA 3C 8E 10 F2 D4 36 88 1A EC FE C0 22 84 66 78 4A 5C AE 30 92 74 56 A8 3A 8C 1E E0 C2 24 86 18 EA FC CE D0 32 94 76 48 5A AC 3E 80 62 44 A6 38 8A 1C EE F0 D2 34 96 68 7A 4C 5E A0 02 E4 C6 D8 2A BC 0E 90 72 54 B6 08 9A 6C 7E 40 A2 04 E6 F8 CA DC 2E B0

Finally, let's XOR our whole file with that key and see what we get:

There we go! Looks a lot more like the normal EXE files we're used to seeing, doesn't it? Sometimes finding these long XOR keys can be quite daunting, but it's very rewarding when you figure it out.

md5 (UN-XORED): 4EE0CA377B501191FA5477AEB0BFB713
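The whole pattern-analysis procedure above (sample an empty region, find the repeat length, rotate the pattern until the first bytes decode to MZ, then XOR the full file), written up as an added Python example that is not part of the original post. It uses the final 128-byte key from the post, but the "file" it decodes is a constructed stand-in for about.exe (a DOS header, a zero-filled gap and a PE signature), since the real sample is not reproduced here; because it is plain byte arithmetic, 0x00 key bytes need none of the special handling the 010 Editor scripts lack.

```python
# Recover a long repeating XOR key the way the post does: take the repeating
# pattern that shows through an "empty" (zero-filled) region of the file, then
# rotate it until the first bytes decode to the PE "MZ" header.
from itertools import cycle
from typing import Optional

# The 128-byte key the post recovers for about.exe (final, re-aligned form).
KEY = bytes.fromhex(
    "12 F4 D6 28 BA 0C 9E 60 42 A4 06 98 6A 7C 4E 50 B2 14 F6 C8 DA 2C BE 00 "
    "E2 C4 26 B8 0A 9C 6E 70 52 B4 16 E8 FA CC DE 20 82 64 46 58 AA 3C 8E 10 "
    "F2 D4 36 88 1A EC FE C0 22 84 66 78 4A 5C AE 30 92 74 56 A8 3A 8C 1E E0 "
    "C2 24 86 18 EA FC CE D0 32 94 76 48 5A AC 3E 80 62 44 A6 38 8A 1C EE F0 "
    "D2 34 96 68 7A 4C 5E A0 02 E4 C6 D8 2A BC 0E 90 72 54 B6 08 9A 6C 7E 40 "
    "A2 04 E6 F8 CA DC 2E B0"
)

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (key byte i applies to offset i mod len)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def find_period(sample: bytes, max_period: int = 512) -> int:
    """Smallest p such that the sample repeats every p bytes; 0 if it does not."""
    for p in range(1, min(max_period, len(sample) // 2) + 1):
        if all(sample[i] == sample[i + p] for i in range(len(sample) - p)):
            return p
    return 0

def align_key(pattern: bytes, file_head: bytes, known: bytes = b"MZ") -> Optional[bytes]:
    """Rotate the observed pattern until the file head decodes to the known header.
    A pattern read from a zero region at file offset o is the key rotated by o,
    which is why the first guess in the post decoded to garbage."""
    for r in range(len(pattern)):
        candidate = pattern[r:] + pattern[:r]
        if xor_bytes(file_head[:len(known)], candidate) == known:
            return candidate
    return None

def recover(blob: bytes, empty_offset: int, empty_len: int) -> Optional[bytes]:
    """Sample the empty region, find the period, align on MZ, decode the file."""
    sample = blob[empty_offset:empty_offset + empty_len]
    period = find_period(sample)
    if period == 0:
        return None
    key = align_key(sample[:period], blob[:4])
    return None if key is None else xor_bytes(blob, key)

# Constructed stand-in for about.exe: a DOS header, a 2 KiB zero gap (the "empty
# space" that exposes the key) and a PE signature, XORed with the post's key.
PLAIN = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + bytes(2048) + b"PE\x00\x00"
BLOB = xor_bytes(PLAIN, KEY)
```

Reading the pattern from offset 29 of the constructed blob reproduces the post's first, mis-aligned guess (it starts 9C 6E 70 52 and does not decode MZ); the rotation step turns it into the real key.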

Part 2 coming soon! :) Stay tuned.


  1. Thank you for the hard work you took to solve this evil code mystery in XOR. This is the quality that infosec expects from #MalwareMustDie!

    We'll outsmart the malware infection threat by pure science. We are descendants of the great people who built the internet with technology for something good, and it is time to bring it back.

    Some moronz will be furious about this, so be it.
    Keep on the good work! Don't forget to rest well after hard work.


  2. Is there any associated known bad IP?

    1. I don't have any intel for you on this sample, but you can see in the TCP stream at the top the URL for the landing page. I don't know whether or not that site is still infected, though. It was a month ago when I did this -- usually those things don't stay infected for long.