This week, reader Ahmed Elshaer submitted a malicious HTA file. He was able to deobfuscate the VBscript inside the HTA file, but had difficulties with the obfuscated PowerShell script launched by the VBscript.
Later, Ahmed reached out again: he had deobfuscated the PowerShell script, and shared his analysis with us. Thanks Ahmed! I'm posting his analysis here, but with pictures of the (partially) deobfuscated script to avoid triggering AV.
Analysis of Powershell Malware Captured on March 1st 2019:
We have detected a suspicious Process executed on one of the machines which turned to be a result of malicious
from looking at the HTA which is a VBScript you will notice its obfuscated and can be easily de-obfuscated
i have made a python script before to quickly de-obfuscate simple split/replace code that can also be used with this.
Below the HTA File Content:
after replacing "![_%/+-$>#*&])(=?<" with nothing we should get the de-obfuscated code:
you can notie its a multi-layer obfuscation, that we have to deal with to understand this malware.
i took the Powershell command mentioned in the VBScript and tried to tweak it a bit to remove the dangerous part and to get the actual code.
And here is the result of the 1st iteration of decoding the provided Powershell code after saving it to a file.
decoding the result we have from the previous command as follows.
we will have the below code, also de-obfuscated Powershell code.
Following same approach we done previously.
spliting the code at ; and looking into it, it's very easy to do string format by hand on each string to form the original powershell command.
which will result the final code here.
looking into the code here we can see that this script will do the following:
we downloaded the malware and do simple check on the File which turned to be signed ursnif sample. which steals system information and attempts to steal banking and online account credentials.
# PS C:\Users\User> sigcheck.exe .\eDRTou.exe
when running the Malware, you will notice its trying to contact C2 Server.
Below you can find Dynamic analysis for this malware:
Mar 10th 2019
11 months ago
Video for this Analysis: https://youtu.be/xNNYdH_GrZk
Mar 11th 2019
11 months ago