De-obfuscating Malicious Code


Designed by Brandy Gordon in Adobe

💡💡Scenario: A suspicious configuration file was found on your company’s system. During an analysis of the file you found this…

Obfuscated hex code found in a configuration file

💡💡Let's see what the code is hiding! Here is my process:

  • First, remove the `\x` delimiter so the data is a plain run of hex pairs, paste it into CyberChef, and de-obfuscate in two steps: (1) From Hex, then (2) From Base64, because the string is encoded twice (base64 wrapped in hex). By the way, I attempted to use From Hex with the `\x` delimiter option, but this returned errors. The recipe I ended up using revealed some interesting URL strings.
De-obfuscation in CyberChef
Output — List of URLs
  • Second, let's enter the URLs into VirusTotal. I only needed to submit one URL to get a hit: the URLs were flagged as malicious and associated with the Dridex banking trojan and Locky ransomware. Keep in mind that a URL submitted to VirusTotal is visible to other users, so during a sensitive incident search for an existing report before submitting, and treat a vendor label as a lead to corroborate rather than a final attribution.
Virus Total Results — URLs flagged as Malware
  • Third, now it's time to dig a little deeper into Locky and Dridex. Let's do a search and see what the world knows!

💡Several articles were found on Dridex and Locky that tie them to the URLs discovered above.
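
The whole pipeline from the three steps above (strip the `\x` delimiter, From Hex, From Base64, pull out the URLs, build the VirusTotal lookup) as an added Python example; this is not code from the original post, from CyberChef or from VirusTotal. The URLs and the encoded blob are constructed placeholders, not the strings from the real configuration file. `decode_layers` generalizes the recipe by peeling hex and base64 layers until neither applies, which is an assumption about how such blobs are usually built; `vt_url_id` follows VirusTotal's documented v3 scheme (unpadded URL-safe base64 of the URL), and no network request is made.

```python
from __future__ import annotations

import base64
import binascii
import re

# Constructed placeholder URLs: stand-ins for the strings found in the real file.
PLACEHOLDER_URLS = [
    "http://example.com/files/update.bin",
    "http://example.net/cgi-bin/loader.php",
    "https://example.org/dl/payload.exe",
]

DELIMITERS = re.compile(r"\\x|0x|[\s,;:]")   # stripped before hex decoding
HEX_ONLY = re.compile(r"[0-9a-fA-F]+")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def obfuscate(text: str) -> str:
    """Rebuild the double layer seen in the file: base64, then one \\xNN per byte."""
    b64 = base64.b64encode(text.encode()).decode()
    return "".join(f"\\x{byte:02x}" for byte in b64.encode())


def try_hex(text: str) -> bytes | None:
    """Decode if the text is nothing but (optionally delimited) hex pairs."""
    cleaned = DELIMITERS.sub("", text)
    if not cleaned or len(cleaned) % 2 or not HEX_ONLY.fullmatch(cleaned):
        return None
    return binascii.unhexlify(cleaned)


def try_base64(text: str) -> bytes | None:
    """Strict base64 decode; stray characters or bad padding mean 'not base64'."""
    compact = re.sub(r"\s", "", text)
    if not compact:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_layers(blob: str, max_layers: int = 4) -> tuple[bytes, list[str]]:
    """Peel hex and base64 layers until neither decoder accepts the data.

    Hex is tried first: a run of hex digits is also valid base64 alphabet,
    so trying base64 first would silently produce garbage. Returns the
    innermost bytes and the names of the layers removed, outermost first.
    """
    data = blob.encode()
    layers: list[str] = []
    for _ in range(max_layers):
        text = data.decode("ascii", errors="replace").strip()
        for name, decoder in (("hex", try_hex), ("base64", try_base64)):
            decoded = decoder(text)
            if decoded is not None:
                data, layers = decoded, layers + [name]
                break
        else:
            break   # no decoder applied: we have reached the plaintext
    return data, layers


def extract_urls(data: bytes) -> list[str]:
    """Pull http(s) URLs out of the decoded bytes, in order, without duplicates."""
    text = data.decode("utf-8", errors="ignore")
    return list(dict.fromkeys(URL_RE.findall(text)))


def vt_url_id(url: str) -> str:
    """VirusTotal v3 URL identifier: unpadded URL-safe base64 of the URL."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def vt_lookup_endpoint(url: str) -> str:
    """GET this with an 'x-apikey' header to read an existing VT report
    instead of POSTing the URL for a fresh scan."""
    return f"https://www.virustotal.com/api/v3/urls/{vt_url_id(url)}"


# Constructed input: the placeholder URLs run through the same two encodings.
SAMPLE_BLOB = obfuscate("\n".join(PLACEHOLDER_URLS))

if __name__ == "__main__":
    inner, layers = decode_layers(SAMPLE_BLOB)
    print("layers removed:", " -> ".join(layers))
    for url in extract_urls(inner):
        print(url, "->", vt_lookup_endpoint(url))
```

If `decode_layers` returns an empty layer list, the first decoder rejected the input; the usual causes are a truncated blob with an odd number of hex digits or a delimiter the regex does not strip, which is worth checking before assuming a different encoding.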

💡💡Summary: this type of investigation is normally done at speed to gain some clarity on the situation. In parallel, the incident response team will follow forensic protocols (preserving the file and its context as evidence) as well as isolation, containment and eradication procedures. These protocols and procedures should be formalized in an IR playbook.

Thanks for reading.🖤


Brandy Gordon in Native Algorithms

Linkedin.com/in/brandygordoncybersecurity || Security and Malware Analyst || Researcher || Adept and #1 || Let's Talk Security 🔐