Decrypting Downloaded Files
Introduction to Malware Command and Control
Malware authors commonly design their malware to communicate with their operators. In some cases, these command and control (C2) channels are designed to allow the malware operator to send commands and receive data back. Others may be designed as malware downloaders, where an initial malware infection downloads more specialized malware once it has gained a foothold on a target system.
Since these downloads occur over the network, they are potentially vulnerable to detection by network-based cybersecurity solutions. For this reason, many malware variants use some level of encryption or encoding to conceal their malware from signature-based detection schemes.
Identifying an Encrypted File
It is possible to inspect a copy of any file downloaded by malware, but the tools required depend on the encryption algorithm used. In some cases, it may be necessary to analyze the downloader malware itself to find the decryption key or extract a decrypted copy of the file from memory.
However, if an encoding or weak encryption algorithm is used, it is possible to extract the file directly from network traffic.
This is the case for the network traffic shown above. Looking at the body of the message, a pattern is evident.
Some types of files contain empty space used for padding and NULL characters are a common padding byte. This means that, if a one-time pad or XOR cipher is used for encryption, some portion of the secret key is revealed. Looking at this traffic, it is evident that XOR encryption with a key containing the letters mlvr was used.
Extracting a File from Wireshark
To decrypt the file, it is necessary to extract it from the packet capture. Luckily, Wireshark will do this for you.
As shown above, open the File menu and scroll down to Export Objects. In this case, the file is being transferred over HTTP, so select that as an option.
After doing so, the screen above will appear. This screen is numbered based upon the packet containing the file download, which is 708 in this case. Highlighting that row in the table and selecting Save will extract the file from the traffic and save a copy locally.
Performing File Decryption
At this point, we have a copy of the file and know that it was encrypted using an XOR cipher with the key mlvr. To decrypt the file and view its original contents, we can use a simple script. Since the XOR cipher reverses itself (XORing with the same key produces the original plaintext), we simply need to XOR the file with the key again.
The code snippet shown above uses Python to accomplish this. This program does the following:
- Opens a file handle as f and reads the contents of the file into h.
- Defines the key as the variable pad.
- Iterates over the length of the file. For each character, it performs the XOR of it and the appropriate byte of the pad (based upon its position in the file) and stores the result in decoded.
- Opens a file out.file using a file handle named o and writes the contents of decoded.
This program can be run with the command python decode.py assuming that the Python code is named decode.py and is located in the same directory as the downloaded file.
After running the Python code, open it up in a hex editor to see if it worked. Looking at the results above, we see that the file starts with the characters MZ and contains the phrase “This program cannot be run in DOS mode”.
Both of these are indications that the file is a Windows executable. This means that it is likely second-stage malware in this attack and not a configuration file or other data.
File Decryption in the Wild
This traffic and malware sample are extracted from an attack campaign observed in the wild. The use of a weak encryption algorithm was largely intended to defeat simple, automated network analysis, not actual reverse engineering.
Some malware variants will still use weak encryption or encoding for this purpose, while others may use stronger encryption. In either case, it is possible to access the downloaded file simply because, at some point, it needs to be decrypted by the malware to be useful.
We've encountered a new and totally unexpected error.
Get instant boot camp pricing
A new tab for your requested boot camp pricing will open in 5 seconds. If it doesn't open, click here.