Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

De-DOSfuscation Example

Published: 2018-12-15
Last Updated: 2018-12-15 19:27:12 UTC
by Didier Stevens (Version: 1)
2 comment(s)

I received some questions about the de-DOSfuscation I did with Python in my last diary entry: "Yet Another DOSfuscation Sample".

From a reader submitted malicious document, I extracted the following command:

This DOS command uses a for loop to convert the numbers in yellow to a new command (PowerShell). The numbers are not converted to characters using the ASCII table, but using a custom table that is provided with variable eA0 (the characters in red).

An interpreter like Python can be used to do the conversion. Here is how I did this, step by step:

First I put the numbers in a list, that I let Python print:

Remark that I did not include the last number present in the list (86): this number indicates the end of the list and is not to be converted to a character (this would cause an index error if I tried).

Next I add a "list comprehension" to the Python statement: [number for number in [... numbers ...]]:

With this list comprehension, I can perform a calculation with each number in the list, by replacing the expression number by a more complex expression. What I do, is use number to index the "red string": ['''red string'''[number] for number in [... numbers ...]]:

Also, remark that the "red string" contains a single quote, hence I can not use a single quote to delimit the string: that's why I use 3 single quoutes: '''red string'''.

The result is a list of characters. I can now concatenate all those characters with ''.join(...):

Let me illustrate a couple of errors you might encounter when you apply this method.

First, you get this when you include the last number (86):

"string index out of range": 86 is bigger than the largest index that can be used on the "red string", hence I get this index error. 86 is not an "index number", but a "stop number".

This is the error you get if you use single quotes to delimit the "red string":

The single quote inside the "red string" is taken as the closing single quote of the string, and the remainder of the string is parsed as a Python expression, which fails.

Finally, I updated my numbers-to-string tool with option -t, so that you don't have to write a long Python statement to do the decoding, but can use my numbers-to-string tool instead:


Didier Stevens
Senior handler
Microsoft MVP

2 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Bombstortion?? Boomstortion??
Dec 14th 2018
2 days ago by Rick (2 comments)

Phishing Attack Through Non-Delivery Notification
Dec 13th 2018
3 days ago by Xme (0 comments)

Yet Another DOSfuscation Sample
Dec 12th 2018
3 days ago by DidierStevens (0 comments)

Microsoft December 2018 Patch Tuesday
Dec 11th 2018
4 days ago by Richard (0 comments)

Arrest of Huawei CFO Inspires Advance Fee Scam
Dec 10th 2018
6 days ago by Johannes (0 comments)

Quickie: String Analysis is Still Useful
Dec 9th 2018
6 days ago by DidierStevens (0 comments)

View All Diaries →

Latest Discussions

PDF vs. DOCX in phishing mails
created Dec 14th 2018
1 day ago by sciurium (0 replies)

Securing AV/IoT best practice question
created Dec 10th 2018
5 days ago by Anonymous (0 replies)

virtual server design
created Nov 28th 2018
2 weeks ago by Anonymous (0 replies)

Intern needs help
created Nov 23rd 2018
3 weeks ago by Anonymous (0 replies)

CVE Links Are Broken
created Nov 17th 2018
4 weeks ago by George (1 reply)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
1 year ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
1 year ago by Russ McRee (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
1 year ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
1 year ago by Xme (2 comments)