Friday, July 31, 2020

Decrypt Aisuru Bot Encoded Strings with Qiling Framework

Qiling is an advanced binary emulation framework, with the following features:

  • Cross platform: Windows, MacOS, Linux, BSD, UEFI
  • Cross architecture: X86, X86_64, Arm, Arm64, MIPS
  • Multiple file formats: PE, MachO, ELF
  • Emulate & sandbox machine code in an isolated environment
  • Supports cross architecture and platform debugging capabilities
  • Provides a high level API to set up & configure the sandbox
  • Fine-grain instrumentation: allows hooks at various levels (instruction/basic-block/memory-access/exception/syscall/IO/etc)
  • Allows dynamic hotpatching of running code on the fly, including loaded libraries
  • True framework in Python, making it easy to build customized security analysis tools on top

Qiling is backed by Unicorn engine.

Using Qiling is straightforward, and since it can emulate & sandbox machine code we can take advantage of it to run malicious code/malware without affecting the host.

Looking statically at the strings of the "aisuru" bot, we can see that it employs some encoding scheme.


These strings are then fed sequentially to a function to obtain the decrypted string.


The function "sub_80482A0" decodes the encoded strings. Instead of reversing or debugging the function, we can use Qiling to obtain the decoded string.



For this particular case, to get the decoded string we need the following inputs for Qiling:

  1. The binary
  2. Address of the encoded string
  3. Start and end addresses of the function that decodes the string
  4. Address of the decoded string after the function has successfully run

(1). 552b07d4f8f611841eeb9a608c3d6e8526563b96df0b6676267dc274c1195853

(2). The addresses of the encoded strings start at "0x080525A0" and continue from there. The address of each encoded string needs to be put into the EAX register and the decoding function then called.

(3). The decoding function starts at address "0x080482A0" and ends at "0x08048370".

(4). After some poking around the registers I was able to conclude that the register EDX holds the address of the decoded string.

We now have all the relevant inputs that Qiling requires. With just a few lines of Python we can dump all the decoded strings. The code below does that job for us:
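As an added example (not the author's own script), the following Python feeds the four inputs above into Qiling: the sample, the decoder's start and end addresses, the encoded-string table, and EDX as the output register. It assumes Qiling's stock `examples/rootfs/x86_linux` rootfs, the 1.2-era `ql.reg` register API, a 256-byte upper bound on string length, and that the encoded strings sit back to back from 0x080525A0.

```python
from typing import List

# Values taken from the write-up: the sample (file named by its SHA-256), the
# decoder's first and last instruction, and the start of its input table.
SAMPLE = "552b07d4f8f611841eeb9a608c3d6e8526563b96df0b6676267dc274c1195853"
ROOTFS = "examples/rootfs/x86_linux"  # assumption: the stock rootfs shipped in the Qiling repo
DECODER_BEGIN = 0x080482A0
DECODER_END = 0x08048370
FIRST_STRING = 0x080525A0
MAX_LEN = 256                         # assumption: no single string is longer than this

def c_string(raw: bytes) -> bytes:
    """Truncate a raw memory read at the first NUL byte."""
    return raw.split(b"\x00", 1)[0]

def decode_one(ql, encoded_addr: int) -> bytes:
    """Emulate only the decoder for one table entry; the result pointer comes back in EDX."""
    ql.reg.eax = encoded_addr                     # the decoder takes its input in EAX
    ql.run(begin=DECODER_BEGIN, end=DECODER_END)  # stop at the decoder's last instruction
    return c_string(ql.mem.read(ql.reg.edx, MAX_LEN))

def walk_table(ql, start: int, count: int) -> List[int]:
    """Return the addresses of `count` consecutive NUL-terminated table entries.

    Assumption: the encoded strings sit back to back from `start`; the write-up
    only states that the table begins at 0x080525A0 and continues from there.
    """
    addrs, addr = [], start
    for _ in range(count):
        addrs.append(addr)
        addr += len(c_string(ql.mem.read(addr, MAX_LEN))) + 1
    return addrs

def dump_strings(ql, start: int = FIRST_STRING, count: int = 1) -> List[bytes]:
    """Decode `count` table entries in order and return the plaintexts."""
    return [decode_one(ql, addr) for addr in walk_table(ql, start, count)]

def main() -> None:
    from qiling import Qiling                     # Qiling 1.2-era API (ql.reg); newer releases use ql.arch.regs
    ql = Qiling([SAMPLE], ROOTFS)                 # loads and maps the ELF before anything is emulated
    for plaintext in dump_strings(ql, count=20):  # 20 entries is an arbitrary choice
        print(plaintext.decode("latin-1"))

if __name__ == "__main__":
    main()
```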





The decrypted string list, in which commands, C2 addresses, paths, etc. are now visible.


References
  1. https://n1ght-w0lf.github.io/tutorials/qiling-for-malware-analysis-part-2/
