**[« A Volatility Plugin Created for Detecting Malware Used in Targeted Attacks | Main](http://blog.jpcert.or.jp/2015/11/a-volatility-plugin-created-for-detecting-malware-used-in-targeted-attacks.html)** **Nov 19, 2015** # Decrypting Strings in Emdivi **Hello, this is You ‘Tsuru’ Nakatsuru at Analysis Center.** **As introduced in the previous blog post, my colleagues presented on the attacks arising** **[in Japan at CODE BLUE 2015, entitled “Revealing the Attack Operations Targeting](http://codeblue.jp/2015/en/)** **Japan”.** **In this entry, I will introduce the details of an IDAPython script** **“emdivi_string_decryptor.py”, which JPCERT/CC developed to analyse Emdivi, a remote** **control malware. The script was also introduced in our presentation at CODE BLUE 2015.** **Please utilize the script along with the codes, etc., that are already published on** **JPCERT/CC’s GitHub account.** **JPCERTCC/aa-tools · GitHub** **[https://github.com/JPCERTCC/aa-tools](https://github.com/JPCERTCC/aa-tools)** **Encrypted Strings within Emdivi** **Emdivi encrypts strings such as URLs that they connect to and stores them in itself.** **Depending on the sample, encrypted strings are Base64-encoded and stored as in Figure** **1, or in other cases, just saved in an encrypted binary format.** **Figure 1: Encrypted strings encoded with Base64** **In the incident analysis phase, these encrypted strings need to be decrypted in order to** **identify information such as URLs that the malware connects to, etc. For this purpose,** **JPCERT/CC developed emdivi_string_decryptor.py.** **Analysis on Emdivi’s Decryption Process** **Emdivi runs the following process in order to decrypt the strings in itself.** **Upon its startup, it calculates the key for decryption, based on the following string** **information:** **The sample’s version strings** **e.g. t17.08.26..3340.4444** **Random long strings in the sample** **e.g. jp5cQEhSR7xMEdv1JOjh5eKGsMxSCAE5M57CijC8VgN1KMbBvP9** **(Omitted hereafter)** **It then combines these strings with Base64 encode, MD5 hash value calculation and** **others to calculate the decryption key as in Figure 2. Depending on Emdivi’s version, it** **sometimes combines addition and other arithmetic process for this calculation.** **R** **E** **C** **E** **N** **Decrypting Strings in Emdivi** **[A Volatility Plugin Created for Detecting](http://blog.jpcert.or.jp/2015/11/a-volatility-plugin-created-for-detecting-malware-used-in-targeted-attacks.html)** **Malware Used in Targeted Attacks** **Emdivi and the Rise of Targeted Attacks** **in Japan** **The 5th CERT-RO Annual International** **[Conference in Bucharest and Latest](http://blog.jpcert.or.jp/2015/10/the-5th-cert-ro-annual-international-conference-in-bucharest-and-latest-cyber-security-trends-in-romania.html)** **Cyber Security Trends in Romania** **APCERT Annual General Meeting and** **Conference 2015 in Kuala Lumpur** **VPN Servers Altered by Attacker Leading** **[to Scanbox, a Reconnaissance](http://blog.jpcert.or.jp/2015/09/vpn-servers-altered-by-attacker-leading-to-scanbox-a-reconnaissance-framework.html)** **Framework** **Enhanced Protected Mode in Internet** **Explorer** **PoisonIvy adapts to communicate** **through Authentication Proxies** **[The 27th FIRST Annual Conference in](http://blog.jpcert.or.jp/2015/07/the-27th-first-annual-conference-in-berlin.html)** **Berlin** **[Protected Mode in Internet Explorer](http://blog.jpcert.or.jp/2015/07/protected-mode-in-internet-explorer.html)** **C** **A** **T** **E** **G** **[#APCERT](http://blog.jpcert.or.jp/apcert/)** **[#FIRST](http://blog.jpcert.or.jp/first/)** **[#Incident management](http://blog.jpcert.or.jp/incident_management/)** ## #JPCERT news #Threats **[#Trends in Japan](http://blog.jpcert.or.jp/trends/)** **[#Tsubame](http://blog.jpcert.or.jp/tsubame/)** **[#Vulnerabilities](http://blog.jpcert.or.jp/vulnerabilities/)** **[Africa](http://blog.jpcert.or.jp/africa/)** **[India](http://blog.jpcert.or.jp/india/)** **[Indonesia](http://blog.jpcert.or.jp/indonesia/)** **[Laos](http://blog.jpcert.or.jp/laos/)** **[Mongolia](http://blog.jpcert.or.jp/mongolia/)** **[Myanmar](http://blog.jpcert.or.jp/myanmar/)** **[Pacific Islands](http://blog.jpcert.or.jp/pac/)** **[Sri Lanka](http://blog.jpcert.or.jp/srilanka/)** **[Thailand](http://blog.jpcert.or.jp/thai/)** **A** **C** **C** **E** **S** **[A Volatility Plugin Created for Detecting](http://blog.jpcert.or.jp/2015/11/a-volatility-plugin-created-for-detecting-malware-used-in-targeted-attacks.html)** **Malware Used in Targeted Attacks** **Emdivi and the Rise of Targeted Attacks** **in Japan** **Analysis of a Recent PlugX Variant - “P2P** **PlugX”** **[A New UAC Bypass Method that Dridex](http://blog.jpcert.or.jp/2015/02/a-new-uac-bypass-method-that-dridex-uses.html)** **Uses** **Decrypting Strings in Emdivi** **The 5th CERT-RO Annual International** **[Conference in Bucharest and Latest](http://blog.jpcert.or.jp/2015/10/the-5th-cert-ro-annual-international-conference-in-bucharest-and-latest-cyber-security-trends-in-romania.html)** **Cyber Security Trends in Romania** **[APCERT Annual General Meeting and](http://blog.jpcert.or.jp/2015/10/apcert-annual-general-meeting-and-conference-2015-in-kuala-lumpur.html)** **Conference 2015 in Kuala Lumpur** **VPN Servers Altered by Attacker Leading** **[to Scanbox, a Reconnaissance](http://blog.jpcert.or.jp/2015/09/vpn-servers-altered-by-attacker-leading-to-scanbox-a-reconnaissance-framework.html)** **Framework** **[PoisonIvy adapts to communicate](http://blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authentication-proxies.html)** **through Authentication Proxies** **Fiddler Core's insecure Default flag may** **lead to Open Proxy Issue** **L** **I** **N** **K** **S** **[JPCERT homepage](http://www.jpcert.or.jp/english/)** **[Follow us @jpcert_en](http://twitter.com/jpcert_en)** ----- **Figure 2: Calculated decryption key** **Using the decryption key calculated here, Emdivi performs decryption just before it uses** **the strings. Processes related to the encryption are implemented as classes. Figure 3** **shows information of those classes.** **Figure 3: Encryption related classes defined within Emdivi** **Many samples of Emdivi use XxTEA as in Figure 3, but we have confirmed that some** **versions use AES. Also, there are some versions that switch the encryption and** **decryption process, and we have seen that some use XxTEA encryption process for** **decryption.** **After analysing various samples of Emdivi, we were able to summarise the method for the** **decryption key calculation and the decryption process as in Chart 1 below. For details of** **the decryption key generation process, please refer to the source codes of** **emdivi_string_decryptor.py.** **Table 1: Decryption process for each Emdivi version** **t19 and t20 mid** **t20 early and late** **t17** **versions** **versions** **XxTEA** **Decryption process** **XxTEA Encryption** **AES Encryption** **Decryption** **MD5(** **scanf(** **MD5(base64(ver))** **"%x%x%x%x",** **Method to calculate decryption** **Inc_Add(ver17_key)** **key** **+** **Inc_Add(ver17_key)** **[:24]** **MD5(key_string))** **)** **Before Using emdivi_string_decryptor.py** **Since emdivi_string_decryptor.py is an IDAPython script, it requires disassembler IDA for** **execution. Also, the version string used when calculating the decryption key is required** **for string decryption.** **Before actually using the tool, you have to obtain the version string from the memory or** **communication data.** **If you are obtaining the string from the memory, execute Emdivi in an analysis** **environment and then search for the string in the memory by using debugger, etc. You do** **not have to worry about virtual environment detection, since the version string is** **generated before the detection process.** **If you are obtaining the version string from the communication data, you would need to** **decode that data. For decoding, you can use emdivi_postdata_decoder.py which is also** **made public together with emdivi_string_decryptor.py. Here below is what you will see** **when executing by giving the data you want to decode to emdivi_postdata_decoder.py’s** **argument.** **A** **R** **C** **H** **I** **[November 2015](http://blog.jpcert.or.jp/2015/11/)** **[October 2015](http://blog.jpcert.or.jp/2015/10/)** **[September 2015](http://blog.jpcert.or.jp/2015/09/)** **[August 2015](http://blog.jpcert.or.jp/2015/08/)** **[July 2015](http://blog.jpcert.or.jp/2015/07/)** **[June 2015](http://blog.jpcert.or.jp/2015/06/)** **[May 2015](http://blog.jpcert.or.jp/2015/05/)** **[April 2015](http://blog.jpcert.or.jp/2015/04/)** **[March 2015](http://blog.jpcert.or.jp/2015/03/)** **[February 2015](http://blog.jpcert.or.jp/2015/02/)** **[More...](http://blog.jpcert.or.jp/archives.html)** **C** **A** **T** **E** **G** **[#APCERT](http://blog.jpcert.or.jp/apcert/)** **[#FIRST](http://blog.jpcert.or.jp/first/)** **[#Incident management](http://blog.jpcert.or.jp/incident_management/)** **[#JPCERT news](http://blog.jpcert.or.jp/jpcert_news/)** **[#Threats](http://blog.jpcert.or.jp/threats/)** **[#Trends in Japan](http://blog.jpcert.or.jp/trends/)** **[#Tsubame](http://blog.jpcert.or.jp/tsubame/)** **[#Vulnerabilities](http://blog.jpcert.or.jp/vulnerabilities/)** **[Africa](http://blog.jpcert.or.jp/africa/)** **[India](http://blog.jpcert.or.jp/india/)** **[Indonesia](http://blog.jpcert.or.jp/indonesia/)** **[Laos](http://blog.jpcert.or.jp/laos/)** **[Mongolia](http://blog.jpcert.or.jp/mongolia/)** **[Myanmar](http://blog.jpcert.or.jp/myanmar/)** **[Pacific Islands](http://blog.jpcert.or.jp/pac/)** **[Sri Lanka](http://blog.jpcert.or.jp/srilanka/)** **[Thailand](http://blog.jpcert.or.jp/thai/)** |Col1|t17|t19 and t20 mid versions|t20 early and late versions| |---|---|---|---| |Decryption process|XxTEA Decryption|XxTEA Encryption|AES Encryption| |Method to calculate decryption key|MD5( MD5(base64(ver)) + MD5(key_string))|scanf( "%x%x%x%x", Inc_Add(ver17_key) )|Inc_Add(ver17_key) [:24]| ----- **r13ftV -> win7_32JP_SP1-IE11*968** **"yhmsuRvo" -> "1"** **"date" -> "9v3r: t17.08.26..3340.4444 | NT: 6.1.7601 [ja-JP]** **| MEM: 2048M | GMT(9)"** **Please note that the version string included in the communication data may be different** **from the string required for the decryption. Therefore, we recommend obtaining the string** **from the memory.** **Executing emdivi_string_decryptor.py** **If you have obtained the version string, you are all set. Load the target Emdivi into IDA,** **and execute emdivi_string_decryptor.py. Then, it will process as follows:** **1. Input version string** **2. Calculate decryption key** **3. Search for encrypted string** **4. Decrypt string** **5. Output results and insert comments in the corresponding section** **Upon execution of emdivi_string_decryptor.py, the following dialog box appears to input** **the version string.** **Figure 4: Dialog box to input version string** **After you input the version string, the tool will display the decrypted string in the console,** **and it will be inserted as a comment to where the encrypted string is stored. This is shown** **in Figure 5.** **Figure 5: Screenshot after executing emdivi_string_decryptor.py** **Now you can obtain various information including URLs that the malware connects to.** **Based on these and other related pieces of information, JPCERT/CC coordinates and** **handles incidents caused by attack operations involving Emdivi.** **In Summary** **We hope that the scripts that we made public will contribute in dealing with the attacks** **relating to Emdivi, and in improving malware analysis techniques.** **A blog entry by Kaspersky (see Reference) has revealed that a few versions of Emdivi** **use the infected users’ SID. Unfortunately, the current version of** **emdivi_string_decryptor.py is not yet adapted to input SID. Furthermore, it is possible that** **new versions of Emdivi with other encryption methods may emerge in the future. We** **welcome any pull requests on GitHub.** **Thanks for reading.** **-You Nakatsuru** ----- **p** **g** **y** **apt/** **[Posted on Nov 19, 2015 in #JPCERT news, #Threats, #Trends in Japan | Permalink](http://blog.jpcert.or.jp/jpcert_news/)** -----