Hello and welcome to malware analysis for Hedrox. This week, we will be unpacking a Shockwave Flash file. And I don't want to make another 30-minute video. I think that's way too long, and, well, we have a multi-layered Flash malware here, but I won't be unpacking all layers because the principle is the same for all of them. So just to keep it a bit shorter than the last time.

All right, so what do we have here? That's our Flash file. And we will be unpacking it just using the hex editor. But first, let's take a look at it using static analysis. For that, we have a decompiler. That's Free Flash Decompiler. I will put the download link below. All right, and we open our Flash file here. Flash malware was quite popular for a while, and now it's more rare, but it's still in the wild. The Free Flash Decompiler will show you, yeah, basically everything you need: the header data, any binary data, any animations that are in the file, but also sounds. You can also play them, and you can also play the animations if there are any; in this case, nothing. Metadata, of course. And for us, the most important part is the scripts, which is the Flash code, the Flash ActionScript code that gets executed. And if you know any object-oriented programming language, it shouldn't be a problem to read this. So if you know C# or Java, it's basically similar from just looking at it.

This file is obfuscated. We see that the names of the functions are, well, they are not very telling. They don't tell what they mean. But here, this is interesting. This looks like there's also some obfuscation done. Now, it calls this RETE method, and this method calls replace on this function. Where is it? It's here. This is the regex. And the regex searches for one of those three characters, and we have the replace on one of these three characters with nothing.
So if you look at these, you basically just have to delete all of these characters that are in the regex to get something that makes sense. I guess the author of this file doesn't like AV companies. Yeah, it's something you might find lots of times, that you have bad messages for the AV companies. So OK, if you want to see or de-obfuscate this, then it's basically enough to use a hex editor. That's Flash ActionScript. All right, and we might want to do this as well. So I copied it all here in one file, and we will use the regex right in here. Where was it? This is the regex. And Notepad++ also has the option to use regular expressions, and we can now do the same. We can just replace everything in that regular expression with nothing. So I say replace all, but maybe only on that part. I just want to do it on this part of the file. So OK, replace all. And now it makes much more sense what we have here.

All right. This has to be replaced with right. PlaceWave, right. This has to be replaced with add, and this has to be replaced with eventListener. Now it looks better, just some leftovers here. OK, I think this looks good. Now these local variables are assigned to this. And so let's check this. This is how it looks now, not that safe. So basically, we did what this function is doing. We can actually remove it. And that's all that's left.

Now this is used throughout the file. It's like the replacement for these functions. So let's say the function or method charCodeAt is basically this variable. And it's used here, so you don't know what it actually means. And for that, you have to replace these with the strings in here. So position, and two is length, and three is writeByte, for charCodeAt, and the on, and so on, charCodeAt. I won't do everything here. I think it's just boring if I do this. You can do this at home. Doing it this way will basically replace all of the functions down here as well with these.
So you can finally read what this code is actually doing. And you will see that this is not only obfuscated, but also packed. And basically, it reads some bytes and then uses loadBytes to dynamically execute the Flash file that's packed in there. So it's also packed. And unpacking this statically can be a pain. Well, you can do this, of course. But we will be using dynamic unpacking, manual unpacking today. And that means, let's name it correctly. Oh, OK, well, that means we will just open the file in Internet Explorer, allow it to run. Yes. And now our file is running in here.

And open up a hex editor that is able to read the memory. For instance, HxD. This has the Open RAM button. And now you can choose one of those iexplore.exe processes. So you can read them. OK. That's memory that shows here. And you want to search for the beginning of the magic bytes of a Flash file. And that's, in this case, this. And then you check that, well, you might not be able to do that now if you are not familiar with Flash files. But basically, you look for this string. And you should do it case sensitive. Check the case sensitive button. And then check out if this looks like a Flash header to you, if this makes any sense. So usually, you will have some strings here. And the range of the values in here should make sense. So check out the specification of Flash files. Look at some Flash files if you are not familiar with them, so you get a feeling for them. And if you have no idea, just try to unpack every Flash header or FWS you find. And then you will see if it works or not.

So all right. The fourth, well, here's the start of it. And at the fourth byte, you have the size of the Flash file. Now you can be lazy. And you can dump this file merely by using a size, copying a size that's probably bigger than your actual Flash file. That will work. But if you want to do it the proper way, you can read the size here. And that's in little-endian format.
So you need to calculate the actual size. Little endian means you reverse the order of these. So it's 0, 7, and then it's E2. So 7, do we have this scientific problem? Yeah, OK. It's COG, and it's 7E2. And that's the size, and that's more values. So let's select the block. It will correctly select the first part of it. And then we want the length. I'm not sure if this is hex. Yeah, it's hex here, it says so. So we can just say that's our length. And now we copy and paste this to another file. And that's our dump of this Flash file. And you do the same for every other FWS you find in this area of the memory.

OK, that's our first unpacked one. Let's just take a look at this with Free Flash Decompiler. I can't tell you if that's already the whole file. So OK, this looks quite good. Yeah, maybe. But you see, we unpacked something that could be the packed file. And yeah, I'd recommend that you do the same for every other file you find in here. Let's check this out. The next match is here. That also looks like it makes sense to dump this. And the next match is here. That doesn't look reasonable. I'm not sure. If you're not sure, just dump it as well. That doesn't look reasonable. But that does. I would also dump this. Not sure about this one. But these are probably no Flash files here. This one. This one also makes sense, so OK.

So that's all there is. It's really simple. Just opening the hex editor, looking for FWS, using the size to cut out that block, and then checking it in the decompiler. And that way you will unpack every packed Flash file in a Flash file. That's it for today. I hope you enjoyed watching. If you have any questions, please post them below. And I hope to see you next week again. Have a nice evening.
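The carving the video does by hand in HxD (search for the FWS magic, read the little-endian size at offset 4, select that many bytes, paste them into a new file) can be automated over a saved memory dump. The script below is an added example, not code from the video: it scans a buffer for FWS and CWS headers, applies the plausibility checks the video talks about (version byte, declared size, the RECT bit count that follows the header) so that a stray "FWS" inside text is skipped, and carves each real hit by its declared length. zlib-compressed CWS files are inflated into plain FWS so the decompiler can open them straight away; the LZMA ZWS variant is not handled. The sample memory blob, the minimal SWF builder and the size limits are constructed here for demonstration and are not from the video's file.

```python
import re
import struct
import zlib

# Magic bytes of a Shockwave Flash file: FWS = uncompressed, CWS = zlib-compressed.
SWF_MAGIC = re.compile(rb"[FC]WS")

# Plausibility limits (assumptions, not from the SWF spec): reject hits whose
# header fields fall outside what a real file would carry.
MAX_SWF_VERSION = 50
MAX_SWF_LENGTH = 64 * 1024 * 1024
MIN_SWF_LENGTH = 16   # header + smallest RECT + frame rate + frame count + End tag


def parse_header(buf, off):
    """Sanity-check the 8-byte SWF header at `off`; return (signature, version, length) or None.

    The length at offset 4 is a little-endian uint32, so the bytes E2 07 00 00
    read as 0x7E2 (2018), the same byte reversal the video does by hand.
    """
    if off + 9 > len(buf):
        return None
    sig = buf[off:off + 3]
    version = buf[off + 3]
    length = struct.unpack_from("<I", buf, off + 4)[0]
    if not 1 <= version <= MAX_SWF_VERSION:
        return None
    if not MIN_SWF_LENGTH <= length <= MAX_SWF_LENGTH:
        return None
    if sig == b"FWS":
        if off + length > len(buf):          # declared size runs past the dump
            return None
        # The RECT after the header starts with a 5-bit field width (Nbits); a
        # real stage rectangle needs at least one bit per coordinate.
        if buf[off + 8] >> 3 == 0:
            return None
    else:  # CWS: a zlib stream with the standard deflate CMF byte follows the header
        if buf[off + 8] != 0x78:
            return None
    return sig, version, length


def carve_swfs(buf):
    """Return every SWF that can be cut out of `buf` as a dict with offset, signature,
    version, declared length and the carved bytes (CWS hits are inflated to FWS)."""
    carved = []
    for m in SWF_MAGIC.finditer(buf):
        off = m.start()
        header = parse_header(buf, off)
        if header is None:
            continue                          # false positives such as "NEWS FWS..." land here
        sig, version, length = header
        if sig == b"FWS":
            data = buf[off:off + length]      # exactly what select-block + length does in HxD
        else:
            inflater = zlib.decompressobj()
            try:
                body = inflater.decompress(buf[off + 8:])   # stops at the stream's end marker
            except zlib.error:
                continue
            if len(body) != length - 8:       # truncated or corrupt stream: not a usable dump
                continue
            data = b"FWS" + buf[off + 3:off + 8] + body     # keep version + length, drop compression
        carved.append({"offset": off, "signature": sig.decode(), "version": version,
                       "length": length, "data": data})
    return carved


def build_minimal_swf(version=10, width=550, height=400, frames=1):
    """Build the smallest well-formed uncompressed SWF (a constructed sample, not the video's file)."""
    nbits = 16
    bits = f"{nbits:05b}" + "".join(f"{v:016b}" for v in (0, width * 20, 0, height * 20))
    bits += "0" * (-len(bits) % 8)                          # byte-align the RECT
    rect = int(bits, 2).to_bytes(len(bits) // 8, "big")
    body = rect + struct.pack("<HH", 24 << 8, frames) + b"\x00\x00"   # 24 fps (8.8 fixed), End tag
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + body


def build_sample_memory():
    """Constructed stand-in for the iexplore.exe memory region: junk, a false-positive
    'FWS' inside text, a real FWS file, then a zlib-compressed CWS file."""
    plain = build_minimal_swf(version=10)
    packed = build_minimal_swf(version=14)
    cws = b"CWS" + packed[3:8] + zlib.compress(packed[8:])
    return (b"\x00" * 17 + b"SOME NEWS FWS\xff\xff\xff\xff\xff"
            + plain + b"junk" * 5 + cws + b"trailer")


if __name__ == "__main__":
    for hit in carve_swfs(build_sample_memory()):
        print(f"{hit['signature']} v{hit['version']} at 0x{hit['offset']:x}, {hit['length']} bytes")
```

To use it on a real dump, read the memory region HxD shows into `buf` and write each `hit["data"]` to its own file, then open the results in the decompiler as the video does; hits that the decompiler rejects were most likely unrelated data that happened to pass the header checks.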