Friday, July 29, 2016

Graphical representation of SWF - Dendrogram

Given the amount of obfuscation that's getting added to SWF files, it can be sometimes painful to analyze them. Going through a huge SWF file can be time consuming and irritating. A graphical representation can always give a perspective of what the SWF is all about and can give a head start during the analysis. In this blog post we'll see how can we create dendrogram graph out of a SWF file for the purpose of analysis.

For creating the dendrogram I first used the JPEXS FFDec library to decompile the file and fed it into a small python script that creates a CSV file. This CSV file can be further fed into "D3.js" to create a graphical representation of "intermodular" calls, "strings" in the class files along with the "imports" (We can add multiple other elements to this - but for now, this will do). Below is the CSV file that was created by the python script post processing each ".as" file from the SWF.

Feeding the CSV file to "D3.js" for dendrogram paints a graphs which can give us a little overview of what's going on with the SWF.

Looking at parts of the graph we can conclude that this SWF exploits CVE-2015-7645 - a Type Confusion vulnerability in Adobe Flash Player.

This exploit is dropped by Angler Exploit Kit - We can also find a key within the SWF that is used during the decrypting payload.

Analyzing the SWF further revealed multiple class files calling a specific module frequently - "class_2.method7". Looking into the source code reveals that this function helps during de-obfuscating strings during run time.

Representation of SWF in graph can be very useful in giving us a little insight about what we are up to. All be it, this doesn't provide a complete picture about the SWF, but nevertheless the output reveals more than useful information.

No comments:

Post a Comment