Welcome to Malware Analysis for Hedgehogs. I don't know about you, but it's pretty hot here in Germany. FireEye has published a paper on the topic DOSfuscation, and that's actually a collection of obfuscation techniques for cmd.exe commands. That's a quite interesting collection. Some of these obfuscation techniques haven't been in the wild before and so they are new, but some of them are based on previous wild samples. And wow, there are quite some ugly possibilities to use obfuscation. Let's take a look at one wild sample right here. The goal today is to de-obfuscate this to the point where we get the actual payload of the sample. This batch command was in a macro malware and I skipped the step of extracting the macro and so on. That's not the interesting part right here. Okay, so that's our batch script. Yes, it is one, and let's choose the appropriate language for that, and we only need Notepad++ and Python to do the task for today. First thing, or the thing that we can easily tackle, is the caret symbol. The caret symbol can just be removed if you look into the paper. I think that was one of the first things described, carets, right? So it will explain to you that that's an escape character and the most common use of an obfuscation character. So just in this case, we can just use the search and replace function of Notepad++ and we will replace all occurrences, remove the tick mark from "In selection". So we replace the carets with nothing and then we get this. It's still not quite that readable, right? There is another character we can remove most of the time. Those are the commas and semicolons. So we can do that as well in the same manner, but we don't want to remove it from everything. Here's a part where there's a string that's set to a variable. That's the name of the variable. We don't want to mess this up. So let's remove this stuff just from this part and the part before. Yeah, replace, replace, and the same with this character.
Okay, so that's a little bit better, but still not the way we want it, and what is that? The pluses, they are superfluous, because these are integers and you add a plus. Okay, it's the same integer. We can now use regular expressions to tackle this task. So what we could do is use something like regexr.com. That's quite interesting for testing your regular expressions, because you can enter your text here, you can enter the expression here, and it will explain what you did there actually. Here it says, okay, that's the capture group, and it's also colored so you find it, and so you match this character, that from A to that, and so on. So you know what you're actually doing here and can quite easily write regular expressions. So let's copy and paste this in there. And I want to remove any plus that is followed by a digit. So firstly, the plus is a special character, so we have to use the escape for the plus. Now we have our plus values, and then digit is backslash d. So we may have numbers like that. Actually, yeah, I think that's better. And we want to remove the plus and we want to retain the digit itself. So we put the capture group on the digit. I think that's quite okay. So now the marks are correct. So we copy this, and if you put the tick on "Regular expression", you can actually replace and find based on regular expressions. So that's the capture group. You can access the capture group with backslash one. That's the first capture group. If you have several of these, you would have backslash two, backslash three, and so on. So we replace this expression with this expression. That way we remove the plus. Let's test it on a small set like this. Say replace in selection, this. Oh wait, we want to use this. All right, replace, and it works. So we can remove that and replace it everywhere. Okay, that's a little bit better, and then there's another thing: there are superfluous spaces. We can remove them too.
Though we have to take care not to remove them from variable names like these. We have variable names here. So use a regular expression for that as well, maybe. Okay. If we have two spaces, we might want to replace them with one space instead, but not if they are preceded by something like these, because those are variable names, and not this, because there's also a variable name like this. We don't want this. And we don't want the space before that. Okay. And now let's add a plus. So it marks all those spaces that are not part of these variables here. I think that should work. That should work. It doesn't work in general, just in this case, I guess. Okay, so if we do that, what do we want to replace it with? Well, we just want to capture, that's a good question, actually, the part we want to retain is this. So one of the spaces is retained and the rest of the spaces can go. So we use that. Yes, so we replace that with that. We will delete, so we will delete the space after that and any other spaces that come after that, while one is here, being retained. Okay. So let's do that and replace them all. Okay. Now it already looks a bit more neat. Again, that's kind of interesting. Let's mark this. So you see where this variable is. Here's one variable. Here's another. What is being done here is we have the variable and this is set to this alphabet right here. It's an alphabet. Okay, let's mark it. And then we have this variable. Okay, let's mark it. And then we have a for loop, which will assign these integers to this x. So first iteration, x is 58. Second iteration, x is 1, and so on, until the 66. But then there's this exception: if it equals 66, abort. But there's no other 66 in there. So it will abort right when the last value is there. This variable will access the alphabet with an index x. So basically it will get, let's say x in the first iteration is 58.
So it will get the character at the 58th position in this alphabet and then assign it and add it to this variable. So by this way it will build up the command, and the command is executed here. So it will use these indices into this alphabet for the encoding of the payload. We can now simply use Python to translate this. The Python command line interpreter is quite useful for that. And I will say, okay, alphabet, right? That's a string. So we put this in a string. And as you can see here, the alphabet is 66 characters long. So if you have an index 66, it will be out of bounds, because you access the array from 0 to 65. So that last value is an index 65. 66 was from a row. So we don't need the last value, and don't really paste this alphabet right here. And then we have our indices, and they are first this string. But we don't want this string. Actually, we want the values in there. So we split the string. If you don't add any parameter, any argument to split, it will split on white space. So now we get this. And it's an array of strings, but we want indices. So we want to have integers instead of that. So let's just make this a bit better and convert it to integers. So for every index, we will set the integer value instead. And now it looks better. So we can now say for every index in indices, wait, set the result to payload. The payload, that's the variable we save the payload in. I will initialize it with an empty string. For every index in indices, we access the alphabet at index, and we add this to the payload. Out of range, right? That's because of the last value in there. Still, it did write the payload until that point. We could now write it to a text file. Maybe we should do that. Well, let's just open payload.txt for writing. We will write our payload in there. So if we exit this, it will also close the reference. Not bad. To payload.txt. And there's the payload. Here's our payload. We set the language to, let's say, PowerShell.
So we see what's going on. And all it does, it will iterate through these URLs and then execute them, download the file there, and execute the file that was downloaded. So that's a payload for a downloader which has several sites to access. Yeah, that's already it, I guess. I did a short script that does the de-obfuscation for this particular batch file. So it may not work on others. It's just in case you want to use it and modify it for similar cases. So I'll put a link in the description below. Thanks for watching and see you.
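The whole procedure from the video (strip carets, drop comma and semicolon delimiters, drop the unary plus, collapse padding spaces, then index the alphabet with the for-loop integers and stop at the abort value) as one added Python script. This is example code written for this page, not the script the video's author links in the description, and it does not reproduce the real sample: the batch text in SAMPLE_BATCH is a constructed stand-in that uses the same obfuscation devices (caret escapes, `,`/`;` delimiters, `+` on the integers, padding, and an out-of-range index as the abort value), the regular expressions assume the `set "name=alphabet"`, `for %%i in (...)` and `if %%i equ N` layout, and the decoded payload is a harmless `echo`.

```python
import re

# Constructed sample in the style the video describes. NOT the real malware.
# Alphabet is "echo, lrdw" (10 chars); 10 is used as the out-of-range abort value.
SAMPLE_BATCH = r'''@e^c^h^o   o^ff
s^e^t   "a=echo, lrdw"
s^e^t   c=
f^o^r  %%i  i^n  (+0;+1,+2,,3;+5  2  0 +6 +6 ;3, +5 +9  3 ,+7 +6 ,+8 +10)  d^o  (
 i^f  %%i  e^qu  +10  (c^all  %c%)  e^l^se  s^et  c=!c!!a:~%%i,1!
)
'''


def strip_carets(text):
    """Remove cmd.exe's ^ escape character, but leave carets inside double quotes
    alone (there they are literal, and the alphabet may contain one)."""
    out, in_quotes = [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == '^' and not in_quotes:
            continue
        out.append(ch)
    return ''.join(out)


def collapse_spaces(text):
    """Replace runs of two or more spaces with one, outside double quotes only,
    so a quoted alphabet (or a variable name) keeps its spacing."""
    parts = text.split('"')
    for i in range(0, len(parts), 2):      # even parts are outside quotes
        parts[i] = re.sub(r' {2,}', ' ', parts[i])
    return '"'.join(parts)


def extract_alphabet(text):
    """Alphabet is the value of the first quoted set "name=value" assignment."""
    m = re.search(r'set\s+"[^"=]+=([^"]*)"', text, re.IGNORECASE)
    if not m:
        raise ValueError('no quoted set "name=..." assignment found')
    return m.group(1)


def extract_indices(text):
    """Integers listed in the for %%i in (...) loop, after removing the
    comma/semicolon delimiters and the superfluous unary plus."""
    m = re.search(r'for\s+%%?\w+\s+in\s+\(([^)]*)\)', text, re.IGNORECASE)
    if not m:
        raise ValueError('no for ... in (...) loop found')
    body = re.sub(r'[,;]', ' ', m.group(1))   # cmd treats , ; and space alike
    body = re.sub(r'\+(\d)', r'\1', body)     # +58 is just 58
    return [int(tok) for tok in body.split()]


def extract_abort_value(text):
    """The sentinel compared in 'if %%i equ N'; None if there is no such check."""
    m = re.search(r'if\s+%%?\w+\s+(?:equ|==)\s+\+?(\d+)', text, re.IGNORECASE)
    return int(m.group(1)) if m else None


def decode(alphabet, indices, abort_value=None):
    """Rebuild the payload: alphabet[index] for each index until the abort value.
    An index past the end of the alphabet also stops the loop instead of raising
    the IndexError the video ran into."""
    payload = []
    for i in indices:
        if i == abort_value or i >= len(alphabet):
            break
        payload.append(alphabet[i])
    return ''.join(payload)


def deobfuscate(batch_text):
    clean = collapse_spaces(strip_carets(batch_text))
    return decode(extract_alphabet(clean), extract_indices(clean),
                  extract_abort_value(clean))


if __name__ == '__main__':
    print(deobfuscate(SAMPLE_BATCH))
```

Run it on a file instead of the embedded sample by passing `open(path).read()` to `deobfuscate`; the regular expressions are tied to this loop layout, so a differently structured script needs the patterns adjusted, just as the video says of its own script.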