Analysis of 1d4a1bc1cf53be8e18789b4c6c351c6f0ee88e14cf4fbde0adc55e0b39010bdc (maldoc)
The samples included in this analysis were obtained from MalwareBazaar. This writeup will look at two different files. The first file is a .vbs file and the second is a .ps1 script that is downloaded by the vbs file.
This is an analysis of two malicious files that are used to download AsyncRAT. The initial stage is a .vbs script that is delivered via e-mail. When the file is run it reaches out to a sharetext URL to download the second stage, which is a PowerShell file. The PowerShell script contains an array of bytes that appears to be a portable executable; it uses the C# compiler to run additional code and installutil.exe to install additional software.
Overall Process Graph
The .vbs file is the first payload, which is delivered via e-mail. The file name is 7PAX _Trip Itinerary Details.pdf.vbs. It has the following hashes:
SHA1: 2c45d7c3a5c61fca6ee20a129d5cb9b80cdc1f0d
SHA256: 1d4a1bc1cf53be8e18789b4c6c351c6f0ee88e14cf4fbde0adc55e0b39010bdc
MD5: 6e4351b0e6632264c05dd58c9e53d607
The file size is 200 KB.
As of 2021/09/04 15:50 EST, the file was flagged as malicious by 3/57 vendors. The three vendors that were able to flag the file as malicious are
- Bkav Pro
- ZoneAlarm by Check Point
Analysis of File
The file consists of 866 lines, most of which are commented out. The actual code runs from line 257 to line 288. There is one function, RWS, which takes a parameter called keyword.
Analysis of function RWS.
There is a variable called Lang declared in the function that stores the value
87x83x67x80x84x46x115x104x101x108x108. The value stored in Lang is split on the parameter that is passed to the function. After the split, each piece is converted into an integer and the character with that code is appended to build a string.
Using Python we were able to determine that the value in Lang decodes to the string “WSCRIPT.Shell” once the x characters are removed, which is what happens when line 273 runs, since RWS is called with the parameter “X”.
Another hardcoded string is stored in a variable called script. This long string contains a repeating filler variable that is removed on line 270. The resulting command is a PowerShell script that is then run.
In the command the string “DownloadFile” is split up in order to minimize detection.
PowerShell is called, but the command is split into multiple variables to minimize detection.
The second stage is downloaded using the command:
CreateObject("WSCRIPT.shell").Run "" 0
The 0 passed to Run means that the window is hidden.
The command uses PowerShell to download a file called SystemUpdate.PS1 from hxxps://sharetext[.]me/raw/y0cktoco0.
Once the file is downloaded it is run.
Note: a Jupyter notebook file showing the deobfuscation process is available here
Analysis of Powershell
This is the second stage, which is downloaded upon successful execution of the vbs file. The file hashes for the powershell script are:
First stage object — “7PAX _Trip Itinerary Details.pdf.vbs”
Downloaded 2nd stage object — “SystemUpdate.ps1”
Dropped executable file — C:\Users\admin\AppData\Local\Temp\xbws1zru.dll