[Converter v0.7] Analyzing and Deobfuscating Malicious Scripts

Sunday, March 17, 2013

Malicious Java applets have been making news for a while, so I thought I would update Converter with some new features to help deobfuscate them.

This is a list of changes made to this version:
+ Replaced Binary-to/from-Text with Binary-to/from-Hex to make it more useful
+ Added Filter > “Keep Hex” to only keep hex characters
+ Added Format > “Mixed Octal to Hex” to convert a mixture of text and octal to hex
+ Added Format > “Sort Text” to sort a string
+ Added Format > “Hex Format – CSV” to separate hex values with commas
+ Added Tools > “String Builder” to keep values between quotes
+ Modified “Dec-to-Hex” and “Dec-to-Octal” to handle negative integers
+ Added “copy output to input” option to Secret Decoder Ring
+ Added ability to import first KB (or all) of data to Key Search/Convert
+ Eliminated extra fields in Key Search/Convert screen
+ Made expression capability in Key Search/Convert and Convert Binary File a little more robust (added Extra > “Expressions Help”)

Here’s a look at some of the features in action…
This applet used binary strings to hide its actions:
Just paste it in and the Binary-to-Hex feature will split the input on every eight characters and convert each group to hex. You can choose the Output Format using the dropdown at the bottom.
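The same split-every-eight-characters conversion, written out as an added Python example (this is not Converter's own code). The binary sample is constructed for the example, and the output formats are assumed names standing in for the Output Format dropdown:

```python
import re

# Constructed sample, not from the post: the binary string for "java".
SAMPLE_BINARY = "01101010 01100001 01110110 01100001"


def keep_binary(text):
    """Drop everything that is not a 0 or 1, so spaces, commas or
    surrounding source code do not disturb the eight-character split."""
    return re.sub(r"[^01]", "", text)


def has_whole_bytes(text):
    """True when the filtered input splits evenly into eight-bit groups."""
    return len(keep_binary(text)) % 8 == 0


def binary_to_bytes(text):
    """Split the 0/1 run on every eight characters and return the bytes.
    A trailing partial byte is rejected rather than padded, because it
    usually means the input was truncated or mis-filtered."""
    bits = keep_binary(text)
    if len(bits) % 8:
        raise ValueError("binary length %d is not a multiple of 8" % len(bits))
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def format_hex(data, fmt="plain"):
    """Assumed output formats: plain, spaced, csv, 0x."""
    pairs = ["%02x" % b for b in data]
    if fmt == "plain":
        return "".join(pairs)
    if fmt == "spaced":
        return " ".join(pairs)
    if fmt == "csv":
        return ",".join(pairs)
    if fmt == "0x":
        return ", ".join("0x" + p for p in pairs)
    raise ValueError("unknown format: " + fmt)


def binary_to_hex(text, fmt="plain"):
    return format_hex(binary_to_bytes(text), fmt)


if __name__ == "__main__":
    for fmt in ("plain", "spaced", "csv", "0x"):
        print(fmt, binary_to_hex(SAMPLE_BINARY, fmt))
    print("text", binary_to_bytes(SAMPLE_BINARY).decode("latin-1"))
```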
Here we see an applet concatenating several variables together before it deobfuscates it:
Using the “String Builder” feature, just paste the section in and Converter will concatenate everything between the quotes. Make sure the beginning and ending quotes are present.
This applet is using a mix of text and octal characters:
The “Mixed Octal to Hex” feature will convert the string (including escaped characters) to hex.
This applet is using an array of positive and negative integers:
Converter now converts negative decimal values to hex properly.
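Why negative integers matter here, as an added Python example (not Converter's own code): Java's byte type is signed, so a byte[] initialiser in an applet shows 0xCA as -54, and the hex form is the two's complement of each value. The array below is constructed for the example; its first four values are the signed-byte form of the class-file magic number:

```python
import re

# Constructed sample, not from the post.
SAMPLE_ARRAY = "byte[] b = { -54, -2, -70, -66, 0, 0, 0, 51 };"

INT = re.compile(r"-?\d+")


def parse_int_array(text):
    """Pull every decimal integer, negative or not, out of the text."""
    return [int(x) for x in INT.findall(text)]


def fits_in_byte(value):
    """Accept the Java signed range (-128..127) and the unsigned
    range (0..255); anything else is not a byte."""
    return -128 <= value <= 255


def signed_to_byte(value):
    """Two's complement: -54 & 0xFF == 0xCA. Out-of-range values are
    rejected instead of being silently wrapped."""
    if not fits_in_byte(value):
        raise ValueError("value %d does not fit in a byte" % value)
    return value & 0xFF


def dec_array_to_bytes(text):
    return bytes(signed_to_byte(v) for v in parse_int_array(text))


def dec_array_to_hex(text, sep=""):
    return sep.join("%02x" % b for b in dec_array_to_bytes(text))


def dec_array_to_octal(text, sep=" "):
    """Same conversion for the Dec-to-Octal case."""
    return sep.join("%03o" % b for b in dec_array_to_bytes(text))


if __name__ == "__main__":
    print(dec_array_to_hex(SAMPLE_ARRAY, " "))
    print(dec_array_to_octal(SAMPLE_ARRAY))
```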
This particular applet takes this concatenated string and deobfuscates it by running it through a decoder routine three times:
The Secret Decoder Ring now allows you to copy the output to the input field so you can decode it any number of times without having to manually copy/paste each time.
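The copy-output-to-input loop, as an added Python example (not Converter's own code). The post does not show the applet's decoder, so shift_down is a constructed stand-in; the point is the loop that feeds each round's output back in and keeps every intermediate layer for inspection:

```python
# Constructed stand-in for the applet's decoder routine (the real one is
# not shown in the post): each pass subtracts 3 from every byte.
def shift_down(data, amount=3):
    return bytes((b - amount) & 0xFF for b in data)


# Constructed input: "java" with every byte pushed up by 9, so three
# passes of shift_down recover it.
SAMPLE_ENCODED = b"sj\x7fj"


def decode_layers(data, decoder, rounds):
    """Run `decoder` the requested number of times, feeding each output
    back in as the next input, and return every layer including the
    original, so nothing has to be copied by hand between rounds."""
    layers = [data]
    for _ in range(rounds):
        data = decoder(data)
        layers.append(data)
    return layers


def preview(data):
    """Printable-ASCII view of a layer; other bytes are shown as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def layer_report(layers):
    """One line per layer: round number, hex, printable preview."""
    return ["round %d: %s  %s" % (i, layer.hex(), preview(layer))
            for i, layer in enumerate(layers)]


if __name__ == "__main__":
    for line in layer_report(decode_layers(SAMPLE_ENCODED, shift_down, 3)):
        print(line)
```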
Finally, you can see the changes made to the Key Search/Convert screen. I tried to make the expressions as flexible as possible.

Download Converter v0.7
Official website: http://www.kahusecurity.com/
