Quick “how-to-decode” this banking Trojan encoded string

Remember when you could figure out what bank was being targeted by a Brazilian banking Trojan just by running “strings” against it? Well, that was a while ago.

There’s this decode function widespread among most banking Trojan samples that I get my hands on, especially those written in Delphi.

Let’s take a look!

Also, please don’t mind me interchangeably saying “decode” or “decrypt” — you know what I mean by it!

First, let’s see how this function gets called:

Screenshot_7-1

As I said earlier, this function is pretty common among bankers written in Delphi. The example above is one of these cases. The decryption function is sub_6ba234. Since Delphi uses FASTCALL calling convention, we can see that there are two paramteres.

  1. EAX – String to be decrypted;
  2. EDX – Address of the variable where the result will be written.

Opening sub_6ba234 up, we see this:

STEP_1

As I did in other posts, I’ll focus on the important blocks here. If everything goes well, in the end, we’ll have enough information to build a script to decrypt these strings.

So, in this first block, we can see that the function stores in [ebp+var_14] the address where the result will be written to, and in [ebp+var_4] the string to be decrypted. At the end of the block, there’s a comparison to check if [var_4] (encrypted string) is 0, with the intention to verify if the received string is valid or not. If it’s valid, the function starts the decryption process.

Let’s rename [ebp+var_14] to [ebp+RETURN_VAR] and [ebp+var_4] to [ebp+ENCRYPTED_STRING].

STEP_2

Let’s start with this part:

___:006BA275 lea   eax, [ebp+var_C]
___:006BA278 mov   edx, offset aXmlpz_0 ; "xmlpz"
___:006BA27D call  @UStrLAsg

@UStrLAsg, apparently, copies a const string to a global variable in a safe way (whatever that means). So now [ebp+var_c] holds the string “xmlpz”.

___:006BA28A mov     eax, [ebp+var_C]
___:006BA28D test    eax, eax
___:006BA28F jz      short loc_6BA29


var_c == the address of “xmlpz”, right? If this address (now in EAX) is not 0, the following piece of code gets executed:

___:006BA291 sub     eax, 4
___:006BA294 mov     eax, [eax]


The string’s address gets subtracted by ox4, and the content of the resulting address gets moved into EAX.

I know, quite confusing. Why do something like that? Well, in Delphi, every string is not just an array of characters, but actually a little data structure. The address that is being moved here, holds the length of the referenced string. EAX now holds 5, which is the length of “xmlpz”.

Onto the third block:

___:006BA296 mov     [ebp+var_18], eax
___:006BA299 xor     edi, edi
___:006BA29B lea     eax, [ebp+var_10]
___:006BA29E mov     edx, offset aD_25               ; "D"
___:006BA2A3 call    @UStrLAsg
___:006BA2A8 lea     edx, [ebp+var_24]
___:006BA2AB mov     eax, offset aD_26               ; "D"
___:006BA2B0 call    UpperCase
___:006BA2B5 mov     edx, [ebp+var_24]
___:006BA2B8 mov     eax, [ebp+var_10]
___:006BA2BB call    @UStrEqual
___:006BA2C0 jnz     loc_6BA383

The first line saves the length of “xmlpz” (as we saw previously) in [ebp+var_18]. Then, “D” gets loaded into [ebp+var_10].

UpperCase is very self-explanatory. However, “D” is already in upper case, so this basically stores “D” in [ebp+var_24]. Then @UStrEqual is executed, the parameters being passed to it are var_24 and var_10, which we know are “D” and “D”. Since they’re obviously equal, @UStrEqual will return 1, which is true.

Let’s continue.

STEP_3

@UStrCopy has the following signature:

function @UStrCopy(S:UnicodeString; Index:Integer; Count:Integer): UnicodeString;


So, this is what’s happening:

var_2c := UStrCopy(encrypted_string, 1, 2);


The encrypted_string parameter is “BE54AE7F947B92AD4EB651”.
Screenshot_8

This piece of code clearly instructs @UStrCopy to copy two characters, starting at position 1, to var_2c. Thus, when @UStrCopy gets called, what will var_c contain? “BE”. The first two characters of the encrypted string.

@StrCat will concatenate two strings. This is its signature:

procedure @UStrCat3(var Dest:UnicodeString; Source1:UnicodeString; Source2:UnicodeString);


So, this is what’s happening:

UStrCat3(var_28, "$", var_2c);


Now, we know that var_2c holds “BE”. We can assume that UStrCat will write “$BE” in var_28. Later, StrToInt gets called. In Delphi, hexadecimal values start with the “$” prefix. So the idea here is to transform the string “$BE” in a number. You know that a string and a number have different representation in low-level, right?

The variables var_2c and var_28 won’t be used in the next blocks, so i won’t rename them. But var_1c (which holds the return value from StrToInt) will. So let’s rename it to CURRENT_HEX_BLOCK.

Pay attention to the instruction MOV ESI, 3, as it will be important for the next block.

STEP_4

This is the start of a loop. Important things happen here. The first thing that you might have noticed is that the first block looks exactly like the one we saw previously (the with the StrToInt). And it really almost does the same thing, with some minor exceptions.

The first thing that is different, is the starting position being passed to @UStrCopy. Instead of copying two characters from position 1 of encrypted_string, it’s starting at position 3 (because of MOV ESI, 3 i warned you earlier, remember?). That is, this malware is extracting (in this loop iteration), from string “BE54AE7F947B92AD4EB651”, the string “54”. It’s copying two characters starting from ESI position, and not the fixed position 1 we saw in the other block. You see where this is going, don’t you? Let’s continue.

It then converts the “54” string into an actual hexadecimal value, and stores this number in var_20. Then it compares EDI (which is, at first, 0), with the size of “xmlpz”, which is 5. If EDI is smaller than XMLPZ_LENGTH, it increments EDI by 1, otherwise, it sets EDI back to 1. Again… you see where this is going, don’t you? In this first iteration, therefore, EDI is 1.

Take a look at what comes after:

___:006BA33A movzx   ebx, word ptr [eax+edi*2-2]
___:006BA33F xor     ebx, [ebp+var_20]
___:006BA342 cmp     ebx, [ebp+CURRENT_HEX_BLOCK]


EAX holds “xmlpz”, right? EDI is 1, right? Let’s do the math.

[EAX + (1 * 2 - 2)] = [EAX + (2 - 2)] = [EAX + 0] = "x" = 0x78.


EBX now holds the first character of the “xmlpz” string. “x”, according to the ASCII table is 0x78. So EBX has? 0x78! And what happens when EDI is set to 2? Because we saw that in the next loop iteration, it’ll get incremented. If it EDI gets bigger than “xmlpz”‘s length, it’ll go back to 1, right? So let’s see what will happen when EDI is 2.

[EAX + (2 * 2 - 2)] = [EAX + (4 - 2)] = [EAX + 2] = "m" = 0x6d


Right? Right? Let’s continue.

___:006BA33A movzx   ebx, word ptr [eax+edi*2-2]
___:006BA33F xor     ebx, [ebp+var_20]
___:006BA342 cmp     ebx, [ebp+CURRENT_HEX_BLOCK]


Do you remember what’s in var_20? 0x54, right? And from where did this value come from? It was the third and fourth character from encrypted_string (BE54AE7F947B92AD4EB651). So, what’s happening in this loop iteration is XOR EBX(0x78), 0x54. After the instruction, EBX holds 0x2c.

___:006BA33A movzx   ebx, word ptr [eax+edi*2-2]
___:006BA33F xor     ebx, [ebp+var_20]
___:006BA342 cmp     ebx, [ebp+CURRENT_HEX_BLOCK]

CURRENT_HEX_BLOCK holds the first two characters from encrypted_string, 0xBE. So this is comparing EBX (now 0x2c) with 0xBE.

Let’s rename var_20 to NEXT_HEX_BLOCK. In the end, we’ll write a python script to do all this. It’ll be a lot more readable! But i think it’s very important to understand what’s going on in low-level.

Last part:

STEP_5

The last comparison was if the XOR result (current value of NEXT_HEX_BLOCK xor’d against current letter of “xmlpz”) is bigger than what’s in CURRENT_HEX_BLOCK (which is another block from the encrypted_string). If it is, the XOR result gets subtracted by CURRENT_HEX_BLOCK, otherwise, 0xFF is added to XOR result before the same subtraction. All this math gets stored in EBX, and guess what? EBX now holds the decrypted character! :).

var_38 is the pointer to the final (decrypted) string. var_8 holds 0, so this call to @UStrCat concatenates a null byte right after what was on EBX.

Then, NEXT_HEX_BLOCK gets moved to CURRENT_HEX_BLOCK. The functions adds 2 to ESI, and this determines what position of encrypted_string will be copied on loop_start, that is, NEXT_HEX_BLOCK will hold the next 2 characters after 0x54, 0xAE (remember encrypted_string is BE54AE7F947B92AD4EB651).

ESI gets compared to the length of encrypted_string. If it’s smaller, the loop goes on – with the next hex block. If it’s bigger / equal, the loop ends.


Decryption overview

This is another way to see what’s happening up there:

decryption_process

The string “BE54AE7F947B92AD4EB651” after being decrypted, becomes “modelo.txt”.


Decryption script

This python function wraps up everything we saw.

def decrypt_string(key, x_string):

decrypted_string = ''

key_index = 0
x_index = 2

current_block = x_string[0:2]
current_block = int(current_block, 16)

while x_index current_block:
xor_result = xor_result - current_block

else:
xor_result = xor_result + 0xFF
xor_result = xor_result - current_block

decrypted_string += chr(xor_result)

key_index += 1
x_index += 2

if key_index == len(key):
key_index = 0

current_block = next_block

return decrypted_string

Now, just pass the key and the encrypted string. This is what you should get:

Screenshot_9


That was fun!

Until the next post. 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s