diff --git a/cybercriminal groups/FIN7/2021-09-07/FIN7.md b/cybercriminal groups/FIN7/2021-09-07/FIN7.md index bde63bc..929b843 100644 --- a/cybercriminal groups/FIN7/2021-09-07/FIN7.md +++ b/cybercriminal groups/FIN7/2021-09-07/FIN7.md @@ -6,57 +6,57 @@ #### A skilled eye quickly sees that the first lines are linked for deobfuscation of strings, which is often the case in scripting languages because objects and functions often need to be defined before being called. It is therefore necessary to isolate all these parts to create our decoder (array, code to perform to the array with the function). - +
#### As said previously, we can see the default to split with the end separator ";", this cut the for loops. - + #### This time to show one of your best tools against the obfuscated scripts : ```de4js``` . This can be installed on your system but some online sites propose this. This tool can remove various obfuscation techniques used by packers, hexadecimal representation to strings, execute commands in eval and reorganize the code properly (see our beautiful "for" loops). - + #### Now we can observe that the function, return the result from another function "self-executed" for making the manipulation of the array. The output is nested with another function, that a current method used for check if the debug rights is present is an indicator that a debug a session with debugger, this part is to remove. - + #### The next step is to search the reference, the second array and the steps performed once decoded, we note the while with the switch condition and an increment that a good indicator (also a signature for detecting FIN7 implants) to order the next instructions to execute with a switch case. RegExp allow to define regular expression for parse and remove junk code by the second argument, ActiveXObject for getting an object ActiveX for COM object and eval for run the command. - + #### This time to get the order and remove the obfuscation of array in using your favorite sandbox for run and get the results with a simple console.log(), we have the order of the commands and the second array decoded. - + #### You haven't any need to get the expression for find/replace and remove the junk code, this easily predictable. Get the result and use de4js make more easy to understand the next part of code that executed. - + #### Now we note that a loop with a for is performed for getting the next layer and execute by an eval in keep the code of the previous part. - + - + #### On another console just remove the eval for avoiding to execute the code and you have the second layer. - + #### We can see all the recon operations performed by the script, two important things must be observed. First, the exchange is encoded/decoded with a key that given in split the request with "&_&". The second is the random generator of path for the URI and locates the exchange for the third layer. - +