HTA JScript to PowerShell - Novter Malware Analysis

Captions
Hello everyone and welcome back, welcome back to another YouTube video, welcome back to another malware analysis video, seemingly everyone's favorite kind of video that I've been doing lately. So let's dive into this one. I think this one is gonna be a lot of fun, I'm pretty excited to bring this to you. I will add a little disclaimer and note: I have already run through this, but trust me, this is jam-packed with a lot of good stuff, so let's dive into it.

I'll hop over to my computer screen here. I am running in my Ubuntu Linux VM. Some of you might be scratching your head like, "John, what the heck, you got a little Kali Linux dragon here, aren't you running Kali?" No, it's just the wallpaper for the clickbait. That's all we do here, we just feed the YouTube algorithm, that's all I know how to do. So I'll open up my command line here, and I have a directory created called hta, and in this directory I've got some files, like a little JSON file for some registry contents that we'll get into, and a wacko.hta. That is not the original name of the file; I didn't want to end up doing that, because there are going to be some things that will be mentioned in this video about, hey, some folks, but there's nothing wrong with that, there's nothing in that, it's just the name of the file. But you'll notice the .hta extension.

Now if you aren't familiar, if you aren't aware, if you don't know, etc., an HTA extension is an HTML application. It's literally taking HTML, the regular markup language, HyperText Markup Language, right, the HTML acronym, and giving it some superpowers so that it can run code, not just act as a decoration or the language that will help you structure documents in HTML the markup language, but it gives it some other flexibility so that it can actually execute stuff. So the little blurb here that Google will give us: it's an HTML application for Microsoft Windows, a program whose source code consists of HTML, dynamic HTML, and one or more scripting languages supported by Internet Explorer, like Visual Basic Script or JScript. HTML is used to generate the user interface, but the scripting language is used for program logic. So it's spicy, there's some good stuff in there. You might actually see HTA files often used for like ransomware notices, so that is its own can of worms that we won't dive into, and this one is admittedly not a ransomware notice. But take a look at this one. We have our work cut out for each other, ladies and gentlemen. This one should be a ton of fun.

So I guess we can start by cleaning this thing. You guys know me, I tend to just try and save a copy of this so I have the original, and I'll go through it and try and add in my own, like manually going through it, carving through the code to add indentation and beautifying it, trying to make sense of the variables, etc. etc. And some folks have asked me, "John, what are you doing, why are you wasting your time, you're an idiot," and I tell them, I know, I know I am an idiot. You could just be using an online tool like a beautifier, and you're totally right, that would make this significantly faster. Now I say, hey, I like to use this time while I'm going through and manually beautifying the code to actually get a sense of what the program is doing, like what the code actually does. It's weird, I don't know, like washing dishes, it builds character, you know. You could just run it in the dishwasher, but there's something about it. Anyway, we will use an online beautifier for this just to kind of speed us along, because there's a lot to unpack here. You'll notice that this is just going to end up being a chunk of JScript, a chunk of JavaScript, and that's it. So we'll pass this to a JavaScript beautifier online. Maybe that takes some fun out of working through it, but trust me, we're going to dive into some good stuff in just a moment. So let's fire up another web browser, let's google for a cheeky JavaScript beautifier, and let's grab that, beautifier.io. Scroll down, dump in the code here, it's all one massive line, click on that "beautify code" button, and now it's a little bit more sane and sensible. Not a lot, but a little. Oh, all right, oof, that lost some of the indentation, so I'm just going to select it all and tab it through. I think that's as far as we need. Yeah, okay, cool, nice.

So here we are with our neat little JScript or JavaScript rendition. And I've said this many times in the past: if you aren't familiar with JScript and the differentiation between it and JavaScript, it's basically JavaScript, not gonna lie, it's essentially JavaScript, but it can run on your host, because Windows, the little Microsoft dialect, their rendition of JScript, this iteration or sort of rendition of JavaScript, is a high-performance scripting language designed to create active online content for the World Wide Web. JavaScript allows developers to automate a wide variety of projects and web pages, including ActiveX object control and Java programs. Again, Google's blurb here. Yes, it's used in Microsoft Internet Explorer, and it's implemented in the Active Scripting engine, so you might see objects like an ActiveXObject that allow you to do things with the Windows operating system and on that host, on that computer.

So now that we know what we're looking at, let's try and make sense of this thing. We're in this cleaned file name, so I don't think there's a whole lot to do other than dive through it. We have the start of seemingly a registry key, HKCU for HKEY_CURRENT_USER, and the Software little subfolder there, little key. Now that variable has a random name, but it's used in the very next variable to just concatenate some strings together, so I don't think this is used anywhere else. Nope, it's not. So we can just kind of grab that and put it right there, really easy. We don't need those semicolons with those concatenations, because we can make sense of what it is and what it's doing. And then we have some other wonky stuff going on. You'll notice they're using a backslash x to denote a character; 68 does land us in the range of ASCII characters, so while this looks like a byte, it looks like a hexadecimal thing, it's still going to end up evaluating to a regular printable character. Adds in an "fi" and adds in a list or an array. Now I see this structure a lot: there are a lot of variables or some syntax that's just a list, it's just an array, but they index one specific part of it, which is weird. And I don't know, it's just adding extra noise, adding extra chaos, stuff to avoid that antivirus stepping in or preventative security measures from automatically detecting this. So it tries to hide. This is the artifact that was left on the computer touching the file system, so they're going to be a little stealthy, they're going to try and be clever.

Now because they're using this syntax to just grab a character from this list or from this array, and because it's just simple string concatenation, we can probably carve this out and determine what that value is going to be. Now I'll go through this, I'll try and move pretty quick, because it's probably pretty boring to look at, but because it's Node, because it's JScript (did I open up another terminal? Yeah, I did), we can run it locally, kind of server-side on Linux in Node, or using Node.js. Now if you get to the portion and fragment of JScript code that is specific to Windows, like creating those ActiveX objects or working with WScript and WMI and things like that, that obviously won't work, it won't run in Linux. That's part of the reason why I do some of my analysis in Linux, because yes, I'm more familiar with it, I enjoy it, I like being in Linux, and it's also because I'm not going to accidentally detonate some portions of the malware. Now I say that and I'll totally go into a Windows VM and throw stuff in there anyway, but you know, you know me. So let's slap this in and this will just churn out what that variable is going to end up being set to. I went through this in kind of an iterative process and just messed with it, so I will try and cruise through that so you really see the same thing, and maybe I'll go ahead and clean up and edit this video so there's a quick speedy time-lapse or something. I like this one, it's a good old F variable. Can I get an F in the chat, F in the comments?

Okay, so I finished going through, just determining what those values might be as strings. Did I lose one up at the top here? Oh, I guess I removed that one for the registry key and didn't end up nerfing it. But you'll notice that none of these are really all that useful, none of them mean anything or do anything. That doesn't look like base64 or some other kind of encoding that I would recognize. Now that doesn't mean, however, that these are just complete nonsense. Maybe later down in the code these variables will be used, maybe to just index a specific letter or get some characters or substrings and slices of it. So I'm going to keep them. We could try and rename them to like what their contents are, but for now I'm just going to leave it and keep cruising along.

This next segment of code looked really weird to me, because it runs a try statement that'll try to evaluate code or do something, but it instantly throws an error, and it catches this error. It uses a try-catch, and the catch will take in an argument, which I wasn't sure about: is that going to be the exception type, is that going to be the error message? And then it tries to index that, like with square braces, taking out portions of it. So I thought that was weird and odd, but these try statements aren't going to mean anything, they're just again more noise to trip over AV or whatever the case may be, and then the catch code will actually run but grab the value maybe out of these error messages. We can try this again in Node and just see how it looks and what it evaluates to. So I'll slap these in, but you'll see it just kind of makes the period be the only thing that's actually returned out. So that's that. I guess we can try this over and over again and slowly determine what it builds out, but you'll notice maybe there's a little bit of a pattern here. Whatever is passed into that throw statement for the error inside of the try block, it grabs that and considers that to be the value of the variable that it's setting inside of the catch statement. So again, maybe this will be useful somewhere. I'll speed through this in the magic of video editing so you guys don't have to sit through me doing this song and dance.

Okay, so now we're done with that segment, and again now we just sort of have single letters, which isn't all that useful. We may get to a point where all this is practically useless; eventually we'll get to maybe a lower level or a segment of the code that just kind of evaluates everything. In fact, that's probably pretty likely considering what this does next. And maybe that's like, "hey John, you wasted your time here," and that's probably pretty valid. I still like to go through it when I can to get a better idea as to what the code is using or what variables might be in, like some of these maybe wouldn't evaluate out to a single letter, or if it had something like more of a smoking gun or more of a tell-tale as to what was going on. So I wanted to go ahead and go through that. I'll still do this for the other segments.

And then they start to actually pull out some interesting JScript or JavaScript constructs here, and maybe that was just part of my mind because this came from "constructor" as the string that it built out. Looks like these others might be doing something similar. I'll grab this variable, let's see what we have here. Ooh, an eval statement, eval to run more code. p8sm8s is being sent to the this object. Now the this object in JavaScript or JScript will keep track of the instantiation of the code that's running, like all kind of notions of functions or variables being set, like you can literally see all of the variables that we've just defined or kept track of in this object, this this object named that thing. So let's again just take that value. I do want that, and I neglected to copy-paste it. Copy pasta. Let's see what this guy does. Oh, a WScript.Shell, so that will give us a little bit more functionality to do things specifically with Windows. That means that maybe we'll actually get to see some fireworks go off in this code after all.

Let's go ahead and grab this next portion. I'm going to make sure I get the full variable name, because that way I want it still in the context of my Node interpreter as I go through it, in case it's used later on, and Node will return it out for me. So we get ActiveXObject just as well as a string that this code has now built out the primitives for. So is it going to end up... oh, a RegRead, oh okay. Do we end up using RegRead? Now that they build out all these string primitives to be able to do something, and they're using that specific JScript and JavaScript kind of syntax, what will this do? I see an eval statement yet again. Variable, another, almost at the end here. Oh, and this is "close", maybe to close some handle or something. What do we got here, lct, what is that supposed to be for? What is lct supposed to be, like part of "select"? No, that wouldn't make sense. This is being used though; this variable is kind of put into action right away. They take lct and index it off the same thing, oh, off the constructor. What? How does that get a function out of that? lct indexed with constructor. Oh, is that... oh, that's super cool. So that's like the object, right, a string object that could probably be literally anything. Let's throw in the classic here, take the constructor, and yeah, yeah, so if you get the constructor of the constructor, do you just suddenly have a function? That's super slick. Wow, they just pulled a function like out of thin air. Let me take note of that: "outlines a function", maybe that's the best way to say that.

And then they go ahead and use that variable in the very next one, where they define a function based off of this guy. Oh, and that was the eval, so they make an anonymous function with that. Is that what they do? This guy, he exists in the context, doesn't he? No, I didn't define him. Let's grab that, slap it in. Ah, function. So let's not call this, because I don't want to really execute that, but yeah, it makes an anonymous function, but if you were to execute it, it takes everything in this instance and stuffs it into this p8sm8s variable. Let's do it, like that's not going to be malicious at this point. So that didn't return anything, but now we should have a new magic variable, because it's been evaluated and executed in the current context without explicitly creating this variable. It has now been defined with all of the guts that this, right, this code and this object already pulled out. So that's kind of cool.

And then we try with actual stuff that's happening here: flgldh being defined as a new this object referenced or indexed with an ActiveXObject. Is that right? Why is that not defined anymore? Circular, what? That will reference and get ActiveXObject, and then it passes in a WScript.Shell string argument, so this essentially is going to be WScript.Shell. I think that's fair to say. So we get the capability to do Windows things, and then we eval, you can see that up there, we run another eval statement with WScript.Shell RegRead, so we request a registry object on nalgnkd, which is the one that's defined up here. Aha, okay, so we RegRead that, get the contents, get the value. That's not like set, is it? It's not pulled into... how is that being saved or stored as a variable, or is it just kind of executed? It is evaled. Oh, they run close. Oh no, no, it is evaled. They eval the RegRead contents. So they're executing all of this out of the registry. The next stage of this will come from the registry, right? Yeah, okay.

So just as kind of a nice benchmark, we successfully turned this monstrosity into this, which makes at least a little bit more sense. So I still think a good thing to do is to just figure out what's going on, and I didn't end up renaming a lot of variables in this one, but it's still kind of piecing through what it really does. So let's keep cruising. We have this registry file that I have prepared and gotten ready for us. The registry.json has some good data in it. This is a pull from the registry of that target and victim machine at this time, and we went ahead to examine what really was going to be pulled from this specific key. As you can see, that's the one that's referenced here, and it pulls the data down and executes it. So the data here I'm gonna go ahead and grab, because this is in a JSON format, and because it's wrapped in quotes and in a string, it might have some escape characters in it, so I'm just going to wrap that all in some output, and now I can grab the original portion of it. So we'll call this stage2.js, still JScript at this point, but since that is new code, let's try and beautify it here and see what we're working with, and we'll probably save that as like stage2_beautified. Beautified, good.

Let's slap that in there now and see what we're working with. Again some indexing. It defines the letter u, super exciting. Let's store these just in case we need them. This one gets the letter n, which you could tell from just simply reading it, but I'm gonna copy-paste frenzy right now, everybody, so don't... oh, I actually didn't see that one coming. I didn't expect that to turn into "run", I just thought of the "un". So now we have r, u, n, run. Now that variable, which is that r variable, which was not defined in this script, is still pulling from the context of the original wacko thing here. So this vfrc4x0m, the one that's been defined as r... oh, I just realized literally all of those were defined to be straight up nonsense and then re-evaluated just to make more noise. Guys, don't let the EDR see you. So we get run, and then this was our WScript.Shell, right, WScript.Shell grabbing the Run function and then passing in some commands here. No new syntax. Oh, PowerShell, PowerShell's in the mix. Scrolling all the way to the end, I see some commas here, which tell me that these are other arguments. So if I were to slap this entire input here as if it were, maybe mangling the string a little bit, I will run into a wall just plopping this into Node.js, because 0 is going to end up being the return value from the very last element there; the comma is going to kind of get in the way. So as you can see, that evaluates to zero, the second argument evaluates to zero. So these are just the arguments for, like, no window, I think. When you pass those to Run it's like minimize, no window, just try and be as stealthy or as quiet as you can. So let's just pass in as Run, and now we have this PowerShell portion, which I'll grab all the way to the very end, because I do see them doing some weird string stuff in there. Yeah, it's indexed out, but I'm sure you, being the smart person you are, can see that that is just going to poop out powershell.exe -enc for encoded. Yeah, yeah. So now we have another PowerShell payload, now we have another stage yet again. This is encoded just in simple base64, so we can hop back over and try to base64 decode this. I'm just going to spit it out into standard output and pipe it to... I realize my pipe isn't visible because my big ugly face is in the way. I'll pipe that to base64 with a -d to decode it, tack on -d. Now we get this, which is kind of tiny, which is kind of small, but let's go ahead and define that. We have now a stage two, let's make a stage three, and now we're into PowerShell. We've broken out of some JScript, but let's see what this thing is.

Nice, let's clean or beautify this. I haven't found a good online PowerShell beautifier. I know there's one that you can run locally, there's like a DTW beautify script that you can download and work with, but truthfully I don't think I have it installed on my Linux rendition of PowerShell right now. But anyway, this one was super small and super easy, we could just do it by hand. Notice they have lots of random backticks in here. That backtick is typically used as an escape sequence or an escape character in PowerShell. Oftentimes you'll see like a backslash in other languages, like backslash n to denote a newline, backslash t to denote a tab; that's all done with an escape backtick in PowerShell. But if you were to add in a backtick on a letter that doesn't need to be escaped, in certain cases PowerShell doesn't care and it pretends they aren't there. So that's again another kind of cheesy technique that could be used to hide and make sure that, hey, stupid signature detection won't pick up on some of that blatant and egregiously bad code. So just nerfing out all of those backticks, looks like now we have reg being built out as HKU, so again the current user, unx2m, that's the same reg path that we kind of saw earlier, but there's this whole other big thing here. fullReg is going to end up doing a format string, we add in, looks like, Software, replacing some characters, and oh, there's another semicolon there. The expression will Get-ItemProperty, and then there's an iex, ah, an Invoke-Expression. iex is the PowerShell alias for Invoke-Expression, which means that it will run and evaluate code on the fly, so it doesn't need to be written to disk. We have the fullReg variable. We could try and build out... I'll put Node over at the top here, and now let's hop into PowerShell. I'm running PowerShell Core in my Linux virtual machine, so if I just spit this in, it's not really going to give me anything because these other variables aren't defined. I probably should have copied those in just as well, so let's go ahead and grab those. We'll take all of these strings here, pretty please, and fullReg we will determine to be... obviously, I'm dumb, sorry, it's not going to display it out anyway, because it's just setting it to a variable in PowerShell, it won't return that out to you, so you have to examine it and take a look at it yourself. This is the registry key, that is the same location that we saw this thing in to begin with, and it was referenced in that previous HTA file, 0 or o, n, x2m blah blah blah. But where is the key? Oh, that looks like that's built out in the expression. So the expression will get this registry key and add in the parameter or the param, which we know is 71tx1qdvis, great. And then using the format string, which really isn't necessary, it's just to make this confusing for a program, it's iex or Invoke-Expression and it evaluates that out. So now we have transformed and once again gone into the registry for this 71tx1 blah blah blah, bringing us to stage four right now in PowerShell.

So again I will go ahead and copy this out. I will go take a look at this again, displayed out with quotes around it, in case I accidentally have any specific... oh god, that's seizure-inducing, never mind, never mind, please stop. All right, I'm killing that window, sorry, that was pretty bad. In case it has any backslashes in it to escape out the strings... let's not do that, actually. You know what, maybe we can just do it as we need to. We'll call that stage4.ps1, and the line is so long that the syntax highlighting is not triggering on PowerShell, so let's call this stage4_cleaned. Oh, but this looks like the classic syntax where you just use a gzip compressed stream, base64 encoded, to bundle up a whole 'nother payload. This is super common. I think we've seen this a lot. I'm sure segments of Cobalt Strike or any other malware family or evasion framework thing will do this. This is pretty much a long PowerShell script, so we'll see what we get here, but down on the very bottom you can see that we do decompress it with gzip, was it gzip, was it gunzip, oh, DeflateStream, okay, and it reads to the end and passes it to a pipe where it invokes another iex, I'm assuming, because it tacks in an x here. Oh, but this is kind of neat. I haven't seen a VerbosePreference variable being used for building out iex before, that's slick. They did one... hello computer, one two three, where are you, just not gonna display that out for me for some reason. We could do it in Windows if we wanted to, you know what, let's swing and do it. We'll get PowerShell in here, ta-da. One, what, what, that's voodoo magic. Oh god, oh gosh, I'm sorry, unexpected token iex, that's it, that's it, whatever. iex, Invoke-Expression, and it's piped to it, so obviously all of this will be unraveled and decoded and piped to run, but ah, we don't want that to detonate, right? So I'm actually just going to unravel this. I'm going to call this like stage4_nerfed or something, and let's go ahead and remove that Invoke-Expression call, because I don't want this thing to run, I don't want it to take off on me. I will use PowerShell, however, to go ahead and allow this thing to decode itself. I need to be in the hta file folder, there we go. So stage4_nerfed, if I hit enter on this, we'll spit out all of that deflated and decoded, and now we have this. So I think I can pass that to Out-File, right, Out-File, or pipe it to Out-File, that's PowerShell, stage5.ps1, yeah, stage five. Oh boy, okay, we're in for a treat now. This is huge. How big is this file? Look at the sidebar on the right in Sublime Text. How many lines is this? Almost a thousand, almost a thousand, no big deal. We're only like 30 minutes into the video anyway, why don't we go for another three hours.

What is up with this line? It makes a tes variable that's just lkhj. What is that? It's just straight up tess, ook nib. That's a medium for any other watchers of this channel; ook nib has gone down in infamy as a great PowerShell analysis meme here. So they'll run an Add-Type, so Add-Type will allow us to automatically compile inline C# code from within PowerShell. Add-Type does touch disk; it uses csc.exe, or the command-line rendition of the C# compiler, and that will leave some temporary files in the Windows temporary folder. You'll see them sometimes with a random name, .0.cs or .0.out or .0.cmdline, and that will touch disk. That is an indicator that Add-Type was used to compile C# on the fly. But that's very powerful, right? That gives PowerShell a lot more power in that it can use like Win32 API calls, as we're seeing right here, where we can load in some functions from other DLLs or other libraries. You can see that this grabs and pulls in the syntax to, oh, what do we got here, VirtualAlloc, you know, allocate some memory; LoadLibrary, maybe load in a DLL or some more code; GetProcAddress, to dynamically look for addresses; memcpy, stuff in that shellcode, just put it in the buffer; protect the allocated memory, or maybe mark it as executable, right; WaitForSingleObject, just let it go; and CreateThread, obviously execute the thing. So PowerShell is certainly much more powerful when we can load in some of that, and that's C# inline within PowerShell.

Then we do this thing, which is just a rainbow of a format string with a lot in here. Let's turn word wrap on for that one, take a look at it with the magnifying glass. I see a couple of semicolons in here, so this is a multi-line thing. Can I just take this and put it into a different window so that way I can remove these newlines? Type of that string arrangement, that gives us an object. What is that string on its own? System.Runtime.InteropServices MarshalAs attribute, okay. So this is going to do some sort of reflective technique, I would think, I would imagine. What is all this going to give us? Stop posing. Oh, what's happening? Oh, did I miss a comma here? No, I might be conflating things. There's a Set-Item, it sets a variable to... I need to, ah, what's happening, I am dumbo. UnmanagedType, okay. Now these are being kind of prefixed with an at sign, or, sorry, the ampersand. So I wasn't positive about this to begin with. I was like, what is that ampersand doing? Like if I took this right here, took this whole syntax and slapped it in, it doesn't return anything out to me, but I noticed that it was defining a variable, right, it used Set-Item variable on that syntax. So if I took a look at the variable, it looked like it actually defined that variable even though it was already running in strings. So I started to think this ampersand is just like another Invoke-Expression, or it'll evaluate code, it'll eval that, like it's trying to execute. Please sub. So we are continuing to run code through all of this. Now I kind of want to know what this does, not gonna lie, so let's just send it, you know, let's just let it rip. But it dies for the last line: cannot convert the kernel32 value of type System.String to type System.Type. I'm surprised this actually worked all that well in Windows, but I guess it is just defining variables, actually. What variables were defined there? zny, oops, sorry, I was bringing myself into the video by clicking and dragging OBS. zny is defined, we have more Marshal objects, tess of course, our favorite lkhj, regPath is still in there, regKeyName, everything that was defined, but row, who is new, BitConverter, param we saw before, but kjq and l7p, those are new, pulling an AppDomain, other oddball stuff, dq54, as we saw, reflection calling conventions, AssemblyBuilderAccess, so building up the capability to do other spooky scary stuff. It errored though, so part of me wants to see with that error on Windows. I'll go back here. Oh, PowerShell does weird things when it's not... I'm not fully... I am fully maximized, what's going on? Let's just paste it in, let's see what we do. Oh, a lot of these are getting blocked by AMSI, or that Antimalware Scan Interface: this script contains malicious content and has been blocked by your antivirus software. So part of me wonders if this thing is meant to be an AMSI bypass on its own. Like if we go back... oh shoot, I guess I never made a cleaned copy of this. I'll do stage5_cleaned and Ctrl-Z my way home. We'll go back to the original stage five before we started to clean it up. So this whole big thing, I wonder if that is meant to be an AMSI bypass kind of on its own. So I'll go back to Windows here, and AMSI is on. If I run an AmsiUtils test string, it does get triggered and blocked, but if I paste all this in, I get the same error that I did in Linux: cannot convert the kernel32 value of the System... Now that's in the code, like that is literally what it was supposed to do. So did it just fail when it detonated? Did this not actually get anywhere? I don't know. And I was thinking, do I need to use... does AMSI have to be off for this thing to work? So I jumped over to amsi.fail, all credit and kudos to Flangvik for this, and you've seen it, I'm sure, a few times before. Flangvik is actually exceptional; I see him on Twitter and Twitch every now and again streaming and doing some cool C# stuff. So let's see if that actually bypasses AMSI, which it looked like it did. Now I can run that test proof-of-concept string without a problem, so Antimalware Scan Interface is off, and if I were to go back and grab this big long syntax, does it work now? It's still a syntax error. I don't know what that was supposed to do or where that would have come from. Maybe if we were to drill into it more and more we could make sense of it, but at this point I think it's time we just move on.

This looks like a test to determine the architecture. It's checking out the size of an integer pointer, which means, okay, is a memory address going to be four bytes or anything otherwise? Four bytes for 32-bit, looks like eight bytes I think for 64-bit. Maybe I said that wrong, I don't know, my mind just kind of fell apart in that moment. This is a beautiful try-catch statement that does nothing here in the wild, caught in its natural habitat, double try-catch statements completely wasting space. That's a good one. Oh, I'm cleaning again and I need to be in my stage5_cleaned file. Let's get back to where the action's at.

Now what are we doing? We have some more variables being defined. ourPathReg looks like it's replacing... oh, is this doing something with the regPath variable? Puts it into ourPath. Yeah, so that's the original here, that's the key that we were looking at, but body, I'm assuming, looks like it puts together a mangled Get-ItemProperty reading from ourPath with regKeyName. But that regKeyName was never defined in this script; again, that comes from our stage four, or it would have been our stage three, right? Going back to stage3_cleaned, we had reg and regPath and all these in this param and fullReg. regKeyName was never actually used in this snippet of PowerShell, but it will be used in the one that follows, following those iex layers. So param is what it's calling... no, no, it was regKeyName, yeah, my face is in the way, regKeyName. So regKeyName is this g6f1 jazz, and that guy's right here. Oh, that's a big one, that's a big fish. Is he the only one that spirals on to infinity? Oh, you love to see it, you love to see it, ladies and gentlemen. What's this guy do? What are you? It doesn't immediately come across as a... let's do this in CyberChef real quick just to see if there's more we need to do with it. Maybe this program, maybe the script in PowerShell will do something else with it, but let's remove those quotes, let's do a From Base64. Nothing really in that, nothing really there, not a DOS executable, not a PE file or a Windows program. We'll download it, so Downloads, download that into what was this thing called, a good old g6, yeah dude, now we're like a G6, what are we doing. Okay, now we got that file created, and let's go back to... let's see what the code does, let's see if it does anything actually with this.

Then where do we go? function Get-Win32Types. Oh wow, wait a second, look at this segment here, look at this stinking code, this is unruly, that is insane. It's pulling together, it's carving out, it's building types that are known in the Windows 32 API, like a lot of these, yeah, there's so many. That's for one thing freaking cool. Again, there we go, now then we're done, hey, return Get-Win32Types, here you go, have like half of the entire Win32 API at your disposal. And then we get constants. Will this work? Does this genuinely just carve it all out? Oh, this is just setting the values though, isn't it? Like if we paste this all in, I want my Win32 constants now, let's see what we look like. I think that's cool, not gonna lie, even if it's just like, oh hey, we're setting up the constants and the values for, oh, execute, read and execute, read-write, some MEM_COMMIT stuff. That's just kind of cool in my opinion, like building that all into the PowerShell script makes it even more powerful, as I've said before. Does the Win32 types one just go, does that work? Trying this on Linux probably won't have the most leeway. Oh yeah, that's pretty bloody: you cannot call a method on a null-valued expression. Stop trying, you idiot. Let's do it on Windows, see what we get. Oh no, this is going to be a long time, oh, it's actually cruising, it did it. What do our Win32 types look like, ladies and gentlemen? That's kind of cool, that's kind of cool, not gonna lie, and you, I'm sure you could like
drill down into these even more i'll use fl star great thanks pretty useless can i like index some of these or is there like if i get member on everything does it do it yeah note property run time type i'm sure like if sub system type super smash brothers yeah okay so they're just more objects and stuff you could deal with that that segment of code was huge and i just kind of wanted to see what was up so forgive me a little exploratory tangent as i tend to do um and then we have a bunch of functions the backticks are in here again for some escape character sequences sub signed int as unsigned uh yeah that's what that says sub sub signed into essence like subtract or substitute the numbers carry over that's genuine math that's math guys and then it runs ls oh ls on variable value to n64 that's weird why would it do that why would it need to do that add signed int as unsigned okay more math and yeah defining variables to let this thing go cool compare val 1 greater than val 2 as you int unsigned in a couple if statements in there convert you into int test memory range valid get agent head oh no no get get image nt headers yeah that makes the most sense to me um putting to use our good old win32 types everybody go to the library check out every single book they have get pe basic info get pe data detailed info uh this is huge i'm just cruising through it because i know we have a thousand lines to get through copy sections update memory addresses oh that actually sounds kind of bad sketchy now we're updating memory so we are writing to memory we are going to do some more reflection import dll imports local get delegate type oh we see get delegate type all the time i just saw this wow wow that's uh you can't plan for this people you the show's not scripted that's just the perfect place for uh obfuscation to to just just cut stuff up invoke memory load library what does that do invoke memory load library oh that's a that's the end that's like the bottom that's the very 
end of the thing it uses this iex thing with the ampersand right invoke uh that's mangled with the format string with the f string there invoke load library invoke load memory library yeah with the body with the with the with the registry value but that's not an executable what are they doing is it is it is just shell code is it not takes in pe bytes yeah gets our good old win32 constants gets our win32 types taken home the whole house pe info get info what get basic info i'm assuming loader uh with some variables [Music] what is that actually trying to spot i i generally can't make sense of that one so i just want to check child item oh duh come back come back sublime text thank you p handle starts at zero effective pe handle zero what happened if you set a p handle to zero does it do something weird variable virtual oh stuff is going on in that let's let's word wrap this thing virtual alec the load address pe info size of image constants mem commit constants mem reserve execute read write totally slapping some shell code in effective ep pe handle piano address add sign let's get let's get the word wrap back in here in this big thing to see what this actually is doing size of headers it's running copy so it's going to end up copying the payload all the bytes from it so it is totally going to do some shotgun stuff i'm assuming you're going to end up like calling right or create thread importing dll in the copy sections though add update memory addresses update memory addresses i think and where is it where's the stinkin wait for single object there it is create thread create thread right there if you couldn't read that and wait for single object so that's what that does but what is this thing that's our g6 oh get another directory please uh that's our g6 boy just theta though it's not an executable this is the same thing that we would have seen out of cyber chef all right well um [Music] i i spent a few minutes just fumbling around in guidro to see if it does 
anything but i didn't get a lot out of it so um let's do what we always do let's do what makes everybody angry but still always works like all the time let's look and see what uh let's see what gems this thing has if it has anything a lot of pp's in here you know thinking back i i really regret saying that now that i said it out loud i don't it just didn't it really didn't sell the way i wanted it to you know maybe that didn't sound that good either uh registry stuff software microsoft windows nt current version with an endpoint and url to reach back out to let's keep an eye on that let's see if we can reach out disable real-time monitoring that's like down defender please that's literally it software microsoft windows defender real-time protection yeah just go home defender pack it up disable anti-spyware disable routinely taking action no auto update oh that's awesome i i would i should throw this thing in geardrop but we get we have all our answers right here mshta for an hda file again and what are these huge amounts of ip addresses and domains like like uh http urls to reach out to you some http some https there are so many holy cow okay um config kill all kill stop resume modules update update interval there's a user agent in here there's a mozilla when doesn't he try making a post request i'm assuming gathering information like the install date digital product id and there goes another round of a huge amount of ip addresses scroll past right that what we got in here 37 one these are just kind of on their own so they look a little weird unicode characters mem setman copy [Music] internet crack url i've never heard of that is that is that genuinely an api call i might be wrong i mean it might it may very well be i just have never heard of that internet crack okay there's a lot of other stuff in here that is just seemingly api calls uh oh okay so i i need to kind of lay my hand on the table i need to lay the cards out in front the original file that this came 
from the dot hta file that we this all started uh was in these user poor carry uh in her app data roaming and it had this username uh this file name sorry sui 6q9enh i want to keep track of that because it i think that's useful as to what the original file name was you know what let's actually go ahead and move the original waco.hta to that original name kind of as it should have been but that mshta is like the persistence for this thing like i mean this is how it's going to end up kickstarting itself and it was interesting to me that it already knew the like specific path for that that user for that individual user and the same thing with the registry value like it already knew this binary this shell code whatever this was already had the context of hey this is the registry key that we're using this is the username that we're targeting that was kind of neat in a weird way but that's the endless strings so at this point i think we have gotten the idea across that this is bad i think we can all agree that this is malicious at this point but i do want to know what is this thing um we want to give it our diagnosis right so let me take a look at these strings one more time those ip addresses might be kind of smoking guns maybe that's something we could we could latch on to to do a little bit of research a little bit of detective work as to what really this thing is uh oh i don't really want to use strings if i want to copy all of those ip addresses there are some here wait those are present in this thing as well this looks like good looks like a json object yeah i'm going to remove all of the commas and replace them with a new line there are a couple oddballs that have the beginning and ending uh quote so now let's remove all the commas and just delete them and let's remove all the quotes okay so now we have some indicators of compromise potentially or ip addresses or endpoints that this thing might call back out to i'd love to see if any of these things still exist 
and uh don't you worry everybody i've got a vpn a little proxy i'm in not i'm inside a virtual machine you and me together are we here no no ringing the phone but no one is picking up oh sorry that that needs a curl also no answer on that one uh the certificate might be being weird maybe no all of these all these don't seem to respond what about these what about these guys down here no route no route bad request oh oh no no does it need http yes https please https i genuinely haven't seen this i i gen this is i genuinely this is new what is this oh no okay we're kind of going into uncharted territory for the moment so bear with me this might be a long video let me save this to download.html oh no oh no no let's get a little google translate because i'm dumb slot machines bro play for free play for free online and without registration is that so why is that so funny to me that shouldn't be funny to me oh my gosh oh my goodness is it doing is it doing anything weird in here maybe the javascript's kind of sketch oh these are just for sliders though these these might be from like links back to itself um i just want to know i just want to know what all this says slow machines so if you were to play slot machines what would happen i just i just want to know oh we got more stuff we got more stuff we got more stuff there's a lot oh online casinos have roulette wheels and poker and blackjack tables but no gaming no gambling club is unthinkable without slot machines they invite gamers to the world of excitement who want to feel the adrenaline try their luck and win big the first classic one armed bandits appeared in the united states our bandits appeared in the united states 100 years ago at the dawn of development slot machines were mechanical had three reels and one pay modern slot machines are more exciting for gamers leisure as they contain up to 40 active lines bonus games and the possibility of doubling prizes you know i think we re the book of raw i think we really 
doubled our prize here i didn't expect to see this this this i'm having i'm having fun with this demo game crazy fruit crazy fruit or two crazy fruits are too is that a thing is it like a well-known oh aztec empire fruit cocktail crazy monkey resident money game sharky this is too oh my god i didn't even realize how long this file was this this page goes on forever how many stinking slot machine games are there what can we play oh my goodness i know we've left the realm of malware analysis at this point the big bad wolf but i'm just having fun guys you you got to let the boys play i'm just having fun okay uh scrolling down i see comments block for installing meters keeps track of what you click with the counter [Music] um live index live internet live internet live internet are you that's apparently you know uh crochet translate that page please one of the largest in the russian internet blogging platform huh okay site we could have some fun um looking at all of these different like ip addresses and kind of determining where they're where they come from and maybe that would be another great video uh like having something to automate going through some of these would be kind of neat not gonna lie which which was the one that i just copied 156. yeah the 156. 
that one's offline let's just see let's just see my my curiosity is getting the better of me 403 forbidden i don't have permission to access that one uh okay we could look they're 146 in this list so we could do this forever i i need to stop i need to continue with the actual uh video here a lot of these seemingly are down though or i alright i can't see the miraculous system myself so there's that let's do some detective work at this point um other than that fun frenzy that we just went down uh looking at the slot machine site i wanna get an idea as to what this really is so i'm gonna try and look for like malware samples that use these or other indicators of compromise that might have talked about this before um so i'm gonna take a look at all of these links and kind of get see if i can find anything that might tell me more about this um i'm on any run.net any run dot any dot run some zip file or something that seems to call back out to that 185 ip address another one on a different page but that's kind of it oh this one has strings that contain that this program cannot be run in dos mode like it actually has a header here a pe header for an actual executable and it has the same start of strings that we had seen between the current version getting defender disabled real-time monitoring showing 1 to 10 to 228 entries are there like more of these oh yeah oh this does more though this has like a power shell part of it but it does have all of these defenders shut down things oh no that has that too it has the acl and the big dump of ip addresses yeah yeah yeah what is this thing though does it have a name has this been diagnosed what do you got joe sandbox typically has some really good info um this is a codex file though is there a variant as to how this has kind of been found detection threshold score 100 range 100 reporting whitelisted threat navter malicious i think that's i think that's right that's on the money guys you rolled the slot machines you let it go i 
think you were right this is a cool chart evader exploiter trojan and bot yeah let me full screen this that's cool that's super cool http servers contact by the sample do not answer likely the sample is an old dropper which does no longer work uh some i i really couldn't get a call back but the slot machine sample modeler's window changes or starting applications analyze the sample with simulated keyboard and key changes cookbook huh breakdown of the miter attack framework stuff that it does signature overview networking it's that rust stuff that we'd kind of already seen what else you got for me these ip addresses are there there's the same one that we had searched for virus total triggers on that joe security nubbed her yar detected never bot and this is an example of an exe is that thing oh they have like a they have a little like demo like area you could look in oh geez sorry i scrolled down but you could like you could watch it you could play through um what happens when the machine is dead or the malware is kind of detonated so reaches out for some that ip address that we saw a moment ago obviously i don't think there's gonna be a lot that really changes on the screen in this case it's going to be silent no created or dropped files contacted some domains over in the netherlands switzerland that's crazy oh this is the report that it displayed and this is back to my internet are using yeah here's the report that it generated are there other ip addresses that will get me anything like what about these ones down here these ones that were kind of out all on their own i just want to see i might search for like malware or indicators of compromise joe sandbox again what is this navter malware it's saying after again translate this page yeah bring that to english for me please research by trend micro has discovered a new modular botnet malware called novter that uses the cover botnet malware to be distributed by malvertising in his x-plate kits ah the attacks are 
social engineering since they lead the internet user to download a software package necessary to update this outdated adobe flash application from an affected website however instead of updating said software it drops a malicious html application file dot hta victim executes this file and it can grab another powershell payload once powershell script is running disables windows defender yeah yeah and windows you update it processes the malware execute shell code to bypass user account control oh downloads multiple js so wow okay these are the ip addresses that it kind of detected navter that's totally the thing what else we got pick 2019 okay trend micro we found a new modular modulus modular file is botnet malware which we named navter that the kov g-core campaign has been distributing we've been actively monitoring distort since its emergence and early development and saw it being frequently updated we found a new modular file as botnet also called node or sock and divergent like the movie i'm just kidding coveter has been involved yeah cubter's huge for one thing i know covder is has wreaked havoc like crazy navter is around oh there's a techno debriefing let's take a look at that yeah hta file launches powershell receives commands and downloads commands attack chain malicious htma file okay runs a powershell script that appears to take inspiration from the open source invoke ps inject project take a look at that so this is part of empire oh this must be that uh invoke like memory load library does this have a bunch of those like win32 constants and like win32 types in here does it just like build those out too win32 stuff get win32 types and it just yeah yeah yeah oh wow it's different syntax right but it's the same idea like it's the same process of kind of gathering all that information so you could use it and there's just tons of this wow get 132 constants yep yeah exactly so ours was a little bit more obfuscated ours is doing something different but pulls in 
those functions that it needs and of course i'm sure it'll do like some load library thing helpers sub signed into unsigned ad signed into unsigned it's absolutely power yeah same exact function names convert you into you and get hex is new test memory range valid right by some memory get delegate type get proc address enable sc to bug privilege doing something like impersonation stuff maybe image headers get basic b info okay so this is some stuff we've already seen aspects of this aren't in here but others are is the last thing this does like load in a library or inject something i mean obviously it's going to be invoke ps inject so that's craziness that's crazy cool i'm done scrolling through that what else do we have we have the report that i kind of want to look through but powershell scribble and turn disable windows defender windows update yep powershell script is also embedded with nub there which will be executed filelessly via the powershell reflection technique the back door commands that novtor supports are kill all kill stop resume modules updates those are the exact same ones that we saw even in just the cursory strings wow this is definitely it this is absolutely it nodster that must be comms yeah quick cursorly looking through this wow i want to look at that technical brief oh they have uh indicators of compromise let me look at that too these are some of the js javascript stuff yeah the ip addresses we've seen some specific files that they would have called back ip addresses related yep same thing what do we got in this this should probably just it's likely telling us the same thing so this is different um like syntax but if if those were the research if that's the research that was done back in 2019 now there might be some variations like a different version of what's going on and yeah see they look like they were able to kind of examine this code very well but maybe they had an executable specifically not just uh it sets persistence to the 
following dropping a randomly named hta file to app data roaming where the routine body contains a hard-coded string with the hd file contents and percent markers which are replaced with randomly generated strings at runtime this hda file contains javascript code yes which reads and executes a powershell payload from registry yes creating three randomly named registry sub keys yeah a little typo here guys a little soft aware trend micro giving you a heads up i'm going to submit a pull request hacktober fix your typos the first two registry sub keys have hardcoded templates in the malwarebody yeah yep and invoke ps inject exact same setup and code that's really cool and this is a really this is a really good like briefing you can see the acl accl json format wow those are the commands for the modules the backdoor commands they run [Music] wow wow i think that's it i think that's all i can cram into my mind right now that i thought that one was was quite a ride to dig through and i love the surprise from one of those machines calling back that was like yeah play some slots let's do some gambling cool i think that's it everybody i think that's all i can offer for this video but i hope you had fun i hope you really enjoyed this deep dive looking through some syntax traversing through jscript and javascript to powershell uh and googling around doing our research hunting and that's that's the fun stuff so i think we'll wrap it up thanks so much for watching everybody i know this was a longer video than most in the kind of this little malware analysis thing the series that we ended up doing but i i had a lot of fun i hope you did too and that's it i'm not gonna say the same thing over and over again anymore i'm done it's the end of the video everybody thank you so so much for watching if you did enjoy this video please do all those youtube algorithm things please like the video maybe leave me a comment let me know what you think write an f in the chat to call back to the 
very beginning of the video f in the comment section maybe subscribe you know i'd be super happy to do it i i'd love to see that thank you and um that's it i'll see you in the next video everybody thank you so much for watching i love you take care [Music] with [Music] you
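A worked, offline version of the triage the video does by hand (CyberChef From Base64, the "not a PE file" check, a strings pass, and pulling the IP addresses out of the JSON dump), written as an added example for this page; it is not the video's code and has nothing to do with Novter's own loader. It assumes the registry export is JSON mapping the value name to its base64 text, like the json file in the video's hta directory. The value name g6f1, the payload bytes, the API name and the TEST-NET IP addresses in SAMPLE_EXPORT are all constructed for the demo.

```python
"""Offline triage of a base64 payload pulled out of the registry.

Added example for this page (not the video's code, not Novter's): decode the
value the HTA's PowerShell stage reads back, decide whether it is a real PE or
a raw blob, then do a strings pass and harvest the same kinds of indicators
the video found: IP addresses, URLs, Defender-tampering value names and the
backdoor command words. Everything in SAMPLE_EXPORT is constructed for the
demo; the IPs come from the TEST-NET documentation ranges.
"""
import base64
import json
import re
import struct

# Registry value names the video spots in the strings output (Defender / Update tampering).
DEFENDER_TAMPER_NAMES = (
    "DisableRealtimeMonitoring",
    "DisableAntiSpyware",
    "DisableRoutinelyTakingAction",
    "NoAutoUpdate",
)
# Backdoor command words seen in strings and listed in the Trend Micro brief.
BACKDOOR_COMMANDS = {"killall", "kill", "stop", "resume", "modules", "update"}

IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
# The path part stops at a comma so comma-separated lists (as in the config dump) stay separate.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>,]*)?")


def decode_registry_value(b64_text: str) -> bytes:
    """Drop the quotes/whitespace the export wraps around the blob, then decode."""
    cleaned = re.sub(r"[\s\"']", "", b64_text)
    return base64.b64decode(cleaned, validate=True)


def classify_payload(data: bytes) -> str:
    """Return 'pe' only if MZ is at 0 and e_lfanew (offset 0x3C) points at 'PE\\0\\0';
    anything else is 'raw' (shellcode or a custom blob the loader maps itself)."""
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "raw"


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """ASCII runs plus UTF-16LE runs, roughly `strings -a` and `strings -el` together."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def extract_iocs(strings: list) -> dict:
    """Pull network indicators and the tampering / command words out of a strings list."""
    ips, urls, tamper, cmds = set(), set(), set(), set()
    for s in strings:
        urls.update(URL_RE.findall(s))
        ips.update(IPV4_RE.findall(s))
        lowered = s.lower()
        tamper.update(n for n in DEFENDER_TAMPER_NAMES if n.lower() in lowered)
        cmds.update(t for t in re.findall(r"[a-z]+", lowered) if t in BACKDOOR_COMMANDS)
    return {
        "ips": sorted(ips),
        "urls": sorted(urls),
        "defender_tamper": sorted(tamper),
        "commands": sorted(cmds),
    }


def triage_registry_export(json_text: str, value_name: str) -> dict:
    """Decode one value from the exported registry JSON and report on it."""
    export = json.loads(json_text)
    data = decode_registry_value(export[value_name])
    report = {"value": value_name, "size": len(data), "type": classify_payload(data)}
    report.update(extract_iocs(extract_strings(data)))
    return report


def build_sample_blob() -> bytes:
    """Constructed stand-in for the stored payload: no MZ header, but the kinds of
    strings the video found, including one UTF-16LE API name (constructed data)."""
    return b"".join([
        b"\x90" * 8,
        b"SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\x00",
        b"DisableRealtimeMonitoring\x00DisableAntiSpyware\x00NoAutoUpdate\x00",
        b"http://203.0.113.10/upd,https://198.51.100.7:8443/cfg\x00",
        b"192.0.2.44,192.0.2.45,\"192.0.2.46\"\x00",
        b"config,killall,kill,stop,resume,modules,update,updateInterval\x00",
        # extra NUL so the wide run does not glue onto the last ASCII byte
        b"\x00" + "InternetCrackUrlA".encode("utf-16le") + b"\x00\x00",
    ])


# Constructed export: value name and contents are made up for the demo.
SAMPLE_EXPORT = json.dumps({"g6f1": base64.b64encode(build_sample_blob()).decode()})
# Minimal MZ/PE header stub so the PE branch of classify_payload is exercised.
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16

if __name__ == "__main__":
    print(json.dumps(triage_registry_export(SAMPLE_EXPORT, "g6f1"), indent=2))
    print("stub classified as:", classify_payload(SAMPLE_PE))
```

Running the file prints the report for the constructed value. Two details matter in practice: classify_payload follows e_lfanew rather than just looking for "MZ", so a blob that merely begins with those two bytes is not mistaken for an executable, and the URL regex refuses to cross a comma, which is what keeps a comma-separated C2 list from collapsing into one giant "URL" the way a naive pattern would.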
Info
Channel: John Hammond
Views: 85,511
Id: bKRNH8vO67g
Length: 84min 18sec (5058 seconds)
Published: Fri Apr 23 2021