MALWARE ANALYSIS - VBScript Decoding & Deobfuscating

Captions
Ladies and gentlemen, welcome back to another John Hammond YouTube video. In this video we're going to take a look at a weird file. This is something that we had stumbled across; it is kind of peculiar and I think it's kind of a fun story, so we'll dive in together.

So we'll hop over to my terminal here, where all the good stuff is happening. I've created this directory, vbe, and in this directory I have a file, something.vbe. So, running our regular usual file reconnaissance on this thing, we'll try to figure out what the heck it is. We'll run the file command on this file, and the output of that is just simply "data", which doesn't exactly help me all that much. Usually the go-to is like, all right, well, let's just kind of run strings on that, easy peasy lemon squeezy, see if there's anything interesting in that. No, absolutely not, it is just a boatload of garbage and nonsense. So I'm like, WTF, what is this thing?

Obviously, of course, the next best thing is to go ask our good friend and uncle Google here, so we'll fire that up in a web browser and I'll look for a VBE extension just to see what the crap this thing is. fileinfo.com as the first result gives me some good knowledge here. This says: a VBE file extension is a script written in Visual Basic Script, a programming language that is a reduced version of Visual Basic; stores the source code in an encoded format so it's not recognizable; run natively in Windows by the Windows Script Host, wscript.exe or cscript.exe. Okay. A VBE file can contain a virus, so do not open a VBE file if it is an unknown email attachment. You can decode a VBE file to verify the legitimacy of its source code by dragging and dropping the file contents onto the decode.vbs script. What? There is a decode.vbs script? You can also drag and drop VBS files onto the encode.vbs script to encode. Is there a thing, what? Encode and decode VBS scripts, and these are just straight-up things? Oh, Microsoft has them in like their gallery. This page says that our goal is to help you understand what a file with a VBE suffix is and how to open it; it is a VBScript encoded script file type.

Ah, okay, so that explains why we couldn't really read anything out of this, good noise, because it is Visual Basic Script, which is normally in plain text and human readable, as it is a scripting language, but it is encoded. So we could try and decode it. I am, however, running on Windows right now, so I don't think I could particularly run a VBS script to decode it. I wonder if there are any other file things that might do it, any other utilities or tools that can do it, but it is apparently a VBScript encoded script file, so it's probably already weird and wonky if it is a VBE script. "VBE decode", is that a thing? I am now using dark theme, okay, thanks Firefox, Google. Oh, there's a Python script for it from Didier Stevens; I might be mispronouncing your name, I'm sorry, my friend. Also 2016. Okay, let's do it, let's try it. Oh, there's a reference here, maybe I can read that to kind of understand a little bit more of what this thing is. Oh, thanks, why do you keep doing that to me? I feel like Microsoft is the one that like put me in dark mode; they were like, no no no no, you should save your eyeballs, dude. So let's save this thing. I'll put it in this current directory, I'll just wget that down here. Okay, and now I have a decode-vbe.py file. This is 2016; is this Python 2 or Python 3?

It's just doing weird mappings, seemingly, and replacing this stuff. Okay, I guess we'll just do it; doesn't look like there's anything horrendous and malicious there. So let's python3 decode-vbe.py. That is doing nothing, straight nothing. Okay, is it really going to make me use Python 2? Does it like read from standard input or something? Oh yeah, I guess I should have read that error message: sys.stdin did not read. I'm a dumb-dumb. python3 ... -h, can I just give it a file? Yeah, okay, -h will show this help message; you can just pass it a file. All right, let's do a python3 decode-vbe on our something.vbe, and that spits up and dies. Cool, that's probably Python 3 things: re.search cannot use a string pattern on a bytes-like object. Yeah, that's totally a Python 3 nuisance. Will it work in Python 2, pretty please? By the way, to decode VBE something... what? It's just an empty space. There's no way, there's no way. How big is this file? No way, look at that scroll bar. There is no way this just translates to like empty whitespace; I don't buy that. What is the script doing, what is this decode-vbe doing? Manual, yep, encoded VBE script, that's what we want; provide a file, can also be a password-protected zip file with password infected. It does it... oh, it checks for Python 3, what? Whatever, I just wasn't getting it to work, I guess. Fix pipe, file to string, hash, stdout write chunk data. Oh nice, okay, it just sort of chunkifies it so it doesn't have to do it all at once, and this mapping thing with decode I guess figures out some of the bytes. What is the thing that like actually does it? Like if we go to the main function, right, which is run by main when we run the script: it checks the manual, it checks if we actually are looking for help or if we supply arguments; we will decode VBE either based off of standard input or the file we specify. So DecodeVBE is the function that we want to check out here. It fixes the pipe, checks for win32, does some peculiar things; I'm on Linux right now.

Otherwise it does an oMatch, or it creates this variable oMatch, to search with regular expressions for something, and then gets the content. And then if it matches, or if it doesn't match, it tells me it can't find an encoded script; otherwise it decodes the groups. Oh, it only indexes the first match, so it's only going to get like one thing no matter what is in the script. Yeah, okay, so that first thing that it finds is what's straight nothing, and it looks like it's just using that marker, hashtag, at sign, tilde, caret; it literally says that with the equal sign little prefix there, so that's got to be something. But it only does it for the first one; we should totally like patch that and fix that so it does it for all of them, because I want to see what all those other things are. This script is just weird in that it has some oddities. Let's do a re.findall, so that way we can use the same arguments for the regular expression pattern to look for in the contents of the file, and then we'll have a match, which we did earlier, but rather than just displaying one let's comment that out and let's do like a for match in oMatch, because that'll return a list; findall will give us a list of all of that. And so we'll stdout write chunk decode oMatch groups zero, but rather than just getting the first index, let's try and do that inside of the loop, running it on all of the matches, right? So if I save that and go back to our terminal, does that look any better for us now? Let's try that python2 decode-vbe on something.vbe. Oh, I got something else, oh, and it got a lot else. This also still looks like jank, weird, oh, but I can see like actually human-readable source code stuff in here, sort of. Okay, that's something. Oh, and there's a lot of output, so we totally went through the whole thing. Let me tee that to, like, what should we call this? decoded.vbs, yeah, and it spits it out because I use tee. Okay, so now I have this decoded.vbs; can I cat decoded.vbs? Oh, it needs a -d. ASCII text, good, okay, actually somewhat readable, there we go.

Okay, so this is genuine, this is actual Visual Basic Script now, with a lot of weirdness. But let's, for the sake of our sanity, try and get some syntax highlighting in Sublime Text. I'm pretty sure there is a Visual Basic Script like package thing that Sublime Text can just use. So yeah, I hit Ctrl+Shift+P on my keyboard to invoke Sublime Text's command palette, and I just entered "install package" so I could get into Package Control, and I see this one just typing in VBS for Visual Basic Script. So we'll whack enter on that; looks like it successfully installed. Let me close all this out now and see if it displays it better. Yes, with syntax highlighting, okay, perfect. Let's see what the heck this thing is and does, because there are a lot of completely random variable names in here. I also think this is hilarious: these WScript.Sleep zeros. That literally does nothing; that line does absolutely nothing, it's just going to sleep for zero seconds, as in don't sleep, don't wait. So how many of those are there? Because I see them like repeated over and over and over again. Sublime Text tells me there are 231 occurrences of WScript.Sleep, so let's nerf that thing out of here. I'm just going to find and replace all that with an empty string so they all go away. I hit Ctrl+H to do find and replace in Sublime Text, and once you're specifying what you want to find and what you want to replace, I use these backslashes here to escape the parentheses because I am in regular expressions mode, and then you hit Ctrl+Alt+Enter on your keyboard; it will do the find and replace for every single occurrence. So that works. I don't know what this comment is; is this base64? Let's pipe that into base64 decode. My face is in the way. Nothing useful, okey-dokey, but it's a comment, so like that's kind of weird; it's not doing anything. And I saw that WScript.Sleep line was probably just morphed into it because of the stdout write chunk thing that that script was doing to decode this.

We should probably, in all honesty, and I think I want to tackle this as soon as I'm done recording this video, like sort of clean the script up, or make it so that it does do it on every single occurrence of these encoded markers that it finds, rather than just doing the first one, because what if a file like this comes along again? So we can Python 3-ify this and maybe make it better, do some argparse, do some other more interesting things; you can find that on my GitHub real, real soon. Now let's see what else we got here. Dim is the marker in Visual Basic Script to create a new variable, or kind of declare, hey, I'm going to end up using this, and this thing is apparently set to 544 for some reason. So I'm going to rename that variable, and this is kind of like my process: whenever I see some variable names that don't make sense, I'll try and read through the code and understand what they do or what they're being used for, and rename them so I can make sense of that as I read and see all the occurrences later on in the code. So this is just going to be 544, there we go; again, find and replace all of those. And then we have this thing that takes a tangent function, like weird trigonometry functions; we'll call that like tangent func result, I guess. And then we have this thing, oh, and that was that big giant blob of straight nonsense we saw earlier. Yeah, this thing goes on forever; look, this is my horizontal scroll bar, what? All right, so we'll call that big blob of nonsense; I think that's the appropriate name for it here. Big blob of nonsense, there we go. And then we make more variables: 142 for some reason, doing another tangent function. Why are these things happening? 142.

I see I'm being weird here; I didn't use underscores in those previous variable names and now I'm using underscores. This is classic programmer inconsistencies, not that I'm programming anything right now. Another tangent function; I don't think that actually does anything. Are these variables literally ever used again? No, no, they're not; that is completely useless, thank you, weird Visual Basic Script. How about this thing? Oh, that one's set to an at sign delimiter, that's weird, seemingly all those five at signs; we'll call that five at signs. What about this stinking... oh, another tangent nonsense that doesn't do literally anything; it just takes a tangent value for no reason. Okay: big blob of nonsense, we've got five at signs, we do another tangent function call, oh, and then we take the big blob of nonsense and we split it with the five at signs. Ooh, oh, because those are all separated by like numbers here; those are all maybe characters, maybe like ASCII characters. We'll keep cruising. More tangent functions, great. That is set to zero; I'm just going to... that doesn't look like it's being used, in a random tangent function, but this however is, so we'll kill that. And more tangent function, complete waste of time. What is that used for? Oh, that's working with the big blob of nonsense down there. What is UBound supposed to be, is that a function? VBScript UBound, UBound VBScript, UBound function. Oh, I'm back out of dark mode again, sorry for your eyeballs, everybody. Returns the largest subscript for the indicated dimension of an array. What does that mean? What? Oh, so they use LBound to see the total number of things here; UBound is going to kind of get the count, is that right? For a single-dimension array. That was not a very helpful explanation, W3Schools, or maybe it was, maybe I'm just stupid. Tutorials Point tells me literally the exact same thing, largest subscript value. I'm pretty sure that is just taking the length; I'm pretty sure that's just getting the length of the script, of that array.

Yeah, so let's call that... and they subtract one from it, so we'll just call that like length of nonsense, and keep in mind that nonsense has now just been split by these at signs, so we are literally getting a list, essentially, or like an array, of all of these numbers. So okay, moving on, more tangent functions, die. For e equals zero to the length of nonsense, ooh, this is a for loop here. Is there an End For anywhere? Where the heck is this? Not... oh, there's a Next, okay. We should probably remove some of these, the serious amount of new lines that I just put in here because of the WScript garbage; let's clean that up, these can all go away. Five at signs, we split the big blob of nonsense, the length of the nonsense is now being used, and another just following that as a useless tangent function. Then we do another useless tangent function inside of the for loop. I should indent this for loop, by the way, just so we can kind of understand our logic flow; I'm just cleaning right now, there's a lot of stupid stuff in this. All right, tab that so we can see the for loop there. This is yet another useless tangent function; this is also yet another useless tangent function. Okay, so the whole WScript.Sleep zero thing and all these useless tangent functions is just making the code do random things, or not, like have strange functionality, so like behavioral analysis will just die, or it's like, oh no, this thing seems fine, it's just doing trigonometry over here. Oh, but we do actually do stuff with our big blob of nonsense. That looks like it's being indexed with e being our iterator, right? So e is our iterator. I don't want to Ctrl+H that e, because e will be present in a lot of other random things, like actual variables that I want to use, so let's call that index of nonsense, slap that in. Oh, and then we take the character of that, okay, so, oh sorry, I need to replace that specifically with character of nonsense. I can type. Another stupid useless tangent procedure, and another useless stupid tangent procedure, but eventually we're building up a new string, seemingly, of all characters joined together. Yeah, yeah, another useless tangent function. Oh, and then we actually sleep for real, and we ExecuteGlobal all characters joined together. So we're building out, we're looping through that list and carving data out of it.

What is this ExecuteGlobal thing doing? VBScript ExecuteGlobal: the ExecuteGlobal statement executes one or more specified statements in the global namespace of a script. Oh crap, okay, so it's basically eval, it's basically execute, like within the current context. More random tangent functions. So we should probably figure out what that all characters joined together thing is, but we have, oh god, a lot more to do in this script, holy crap. Wait a second, these all look like the exact same thing, these all look identical, WTF. I mean, not identical, right, but they're literally... this goes on for 25,000 lines, and more than that, because we cleaned half the thing. Another random comment with not actual base64; that doesn't make sense. So what else we got? What else we got? Let's go back to where we were and let's kind of figure out what these things are doing. So this is a function, and we define some variable with completely random strings; let's call that random string. Let's call that another random string, because that's being defined to that thing just following it. It tests if the random string is not equal to the other random string, then it ands them together, or no, they concatenate them; that's the operator to concatenate in Visual Basic Script, I think. So it concatenates them together; we'll call that like concatenated. And then we do a for loop, for one to three, where we set the return value of this function to that; it just adds in the concatenated thing. Is this function ever called? Oh, it's redefined, what the heck? How many times do they redefine this function? 165, what? It literally is the exact same code; it just had the exact same variable numbers, but it's just doing nothing.

Is this function ever called, though? Let me go back to the like the last call, or the last match. No, it's literally just defining and declaring these functions; it does straight-up nothing. If I search for every single function and carve these out, what else is left in this code? Do they ever actually use these functions? Let's use regular expressions and try to get newline characters up to a newline, newline, or no, let's search for an End Function and space Function. I think I need that to be greedy, is that right? Crap, how do I do this? I want multi-line pattern matching, and, oh gosh, End Function, I want this entire thing, please. How are you not matching that? I don't know what newline things I need to deal with. Ctrl+H for Function, which we do match, everything, and then match newlines, anything as many times as you can, up to a newline, multiple times, multiple times. What the heck, regular expressions, this will be the death of me, seriously. What the heck, guys, I know I've done this before: Function, anything, matching it with a newline character, anything, matching it, let's get multiple of these up to End Function, up to End Function. Oh my gosh, I'm like crying. I mean, what's a good way to do this? I'm gonna stumble at this wall for like a couple minutes, so if you get bored, like, skip ahead. I know I've done this before: Function, anything, get me to a newline, get me anything on the following line and match that as many times as you can, match this thing, oh, newline plus that as many times as you can, no. How about anything plus a newline as many times as you can? No, no. This is me like choking at regular expressions, everybody; we're gonna burn five minutes on this video just because I'm literally trying random things, but I'm seeing Sublime Text match the first line. Do I need like an "in selection"? No. Reverse? Case? No. Case insensitive, whole word, should that do it? End Function... okay, this is a stupid lost cause, let's move on.

All these other strings, though, because we know this thing is repeatedly defined but it is never actually called, so are any of these functions called? This thing, wait, this is the exact same setup; like looking at rksn xbl, obviously it just loops for a random number, concatenating on the strings that it concatenated, that have no real purpose, but then if you search for this thing, it's never actually called. What? What are you doing? It just defines more random variables outside of the scope of these functions, so it's the same variables over and over again. Okay, this is useless; that portion probably doesn't do literally anything. Let's just go back to our stinkin' big blob of nonsense, our only friend here, and let's try and carve out what this thing is doing. So we'll slap it into its own Sublime Text window so you can kind of get the context as to what we're working with here; let's turn off word wrap so you can see just this insanity. And now let's get into Python and let's just split this in our own way, you know. Let's do python3 and take this entire blob and store it as blob, right, and I'll paste that in. Great, now I have a blob, and that's the whole thing. So let's do a blob.split on those, what was it, five characters of at signs, and now we have all these ASCII numbers. And it took the character of these, so we will do the exact same thing in some nice neat list comprehension: we'll do chr of c for c in that blob, and that needs to be an integer, so we'll cast those to an integer first and then we'll take the chr of it. Oh, and there's an empty line at the very, very end, so we'll do another check if that c value exists; if it's not an empty string... if it is an empty string we'll totally ignore it. But that gives us some stuff. If I join all of those together, will we have like an actual readable string here? Yup, oh, and that is totally more Visual Basic Script. Okay, let's save this as content, and now let's write that to a file. Let's open second stage.vbs, right, and let's just write to it with our content. Okay, open up another terminal down here; now we have second stage.vbs, so let's take a gander at that thing.

Oh, recoder, Houdini, Skype, Houdini FX; now we're getting to the real malware, boys, ladies and gentlemen. This has a hostname for Duck DNS on port 81, installing directory for a Windows environment variable of temp, using an lnk folder, an lnk file, I said those out of order, public variables for the WScript objects that we pull in, so WScript.Shell, FileSystemObject. And let's take a gander through this code, let's see what it does, boys. Can we clean this up? Can we clean this? Maybe, is there maybe a Visual Basic Script beautifier? Beautiful VB code indenter, I trust you. Indent, thank you, thank you, Code Beautify. Did you like do it automatically? What the heck, what the heck? All right, that isn't working either. VBS beautifier, format code, holy cow, I am falling down a rabbit hole here just trying to find a... let's just, like, code beautifier; it doesn't need to be Visual Basic Script, guys, I just need to... online JavaScript unifier, code beautifier, we already did VBScript. Slap that in, nope, it still isn't doing it. Is there VBScript in this at all? I swear I've done this before. Beautify Visual Basic Script online, online VBA code formatter, that looks promising; let's do that. Yeah, yeah, yeah. All right, so let's call this cleaned second stage so we actually have decent naming of things. Private variables: install name is going to be this script, it grabs the startup directory and it gets the install directory; if it does not have an existing folder then it puts it in temp. Okay, sleeps for some time, creates other variables, USB spreading, and then we do the thing On Error Resume Next, so we totally ignore things. We do a little While True while loop; install must be another function that's defined, oh, and then we get responses. Are we posting to something? Is that a function? Is that another function? Cute. And then we just kind of understand what the response is from, I'm assuming, the command and control server, C2: uninstall, send, okay, so we can download things, upload things, enumerate drivers, and you make processes.

Yeah, so how this thing installs, apparently, is: ready, if we have free space; this is very, very thorough checking, hey, if we have space, if we have a writable drive, the drive is ready for us to use, then go ahead and put it all here. Some UBound again, okay, getting the name and then adding a lnk file, creating a shortcut, yep, that's the lnk file, using COMSPEC, which will evaluate to cmd.exe: cmd.exe /c to run just one command, echo randomness and start to this script, adding in quotes with Chr(34), echo random, start, and then the file name for this script, and then exit. Ah, and then, oh, it's getting an icon from the registry, that's kind of neat, classes and just a regular lnk default icon, and then we save it. Do the same thing with more randomization of start in here. So okay, we invoke it with explorer, seemingly, yeah, for every single folder that it has; if it looks for it, it finds it, saves it, that's kind of neat, spooky scary. Uninstall looks like it deletes some registry keys, okay, and it tries to persist or hide in like the Run registry keys, classic good old autoruns; nerfs itself by deleting the lnk file. And post looks like it does make an HTTP object and post like a web request to our host on that port with the command that we want to get, so that has to be specifically the C2, and the information is included in the User-Agent. Ooh, it includes in the User-Agent header information about the computer, which we can see is in a function here, and that grabs some WMI information, Windows Management Instrumentation, grabs all the information from the Win32_OperatingSystem class, spooky scary. Upstart, that's gotta be, okay, writing to, yeah, yeah, yeah, this is writing to the registry key, the default Run, and then use wscript.exe to invoke this spooky dookie thing with our install directory and install name. So this file, it just persists in the registry, those bad guys. Hardware ID, get more information, security, oh, is it like looking for the firewall? Is it like looking, yeah, yeah, and looking for antivirus products. You sneaky mom, oh, that's awesome; it just checks to see, hey, what's gonna stop me, what are the security products that you have on your computer that might slow me down; we might have to nerf all those antivirus things if we want to be a real bad guy.

USB spreading, oh whoa, we're almost done, we're almost done, I swear. HTML, HTTP, okay, downloads a file, so we can like exfiltrate things in and out, right, yep, we post with "is sending" or get to be able to retrieve things, so the C2 server can work in and out, exfiltrating data, exfiltrating files with download and upload, of course, all using the ADODB stream, storing that file with the FileSystemObject, saving these things, very slick. Enumerate driver, enumerate faf, which I don't, off the top of my head, know, enumerate processes, yep, just using again WMI, selecting from Win32_Process. Exit process, so it's going to kill itself? How do we, oh, oh, oh, it just kills a process; you can pass in a PID and it'll just shoot the thing, okay. And run command and control, right, get a little cmd shell, just run COMSPEC, which is gonna again be cmd.exe with /c, and that is it. Oh, so that is some C2, that is some command and control, ladies and gentlemen, written in Visual Basic Script, persisting in the registry, checking out these hostnames, or that hostname. And I've seen variants of this; if you Google around you can look at this code and you can see other renditions of it, and maybe we can do that in a later video, but they'll change the hostname, they'll change the install directory, they'll change the port. What is this thing kind of called? I am going to need to jump into a meeting, so I have to go soon, but yeah, yeah, here's a gist for this thing, four years ago, same sort of thing, different hosts, different install directory, and different port. So this thing's been around; looks like this is Dunihi, H-Worm by Houdini, oh, and FireEye has some good stuff on this, and it's old, it's old, like this is 2013, 2015. But it was kind of cool to dive into this and poke around with it, so yeah, yeah, yeah, literally the exact same code, just about. Dunihi, I guess, is the name of that remote access toolkit, a remote access, you know, trojan, RAT, Visual Basic Script.

So that was cool, that was fun, I had a good time with that. Maybe this is a new rendition, maybe Houdini and Dunihi is back in action, but I mean this is kind of recent, so maybe the code might be a little bit different; I don't know what version number of the malware that it might be. But I hope you enjoyed this little deep dive into some strange, odd, encoded Visual Basic Script file, decoding that, changing around some of those variables, and following it through in the Visual Basic Script. But this was very fun to record, I had a lot of fun doing this, and I hope you had fun watching that; maybe you learned a few tricks or two, maybe you like that methodology of kind of going through and understanding the source code when you can read it, right, when it's human-readable in plain text, being a scripting language. But that is that. If you haven't already, maybe this could be some indicators of compromise you can throw into your library or any of that stuff, but I think that's it, I think that's all I wanted to do in this video. This was fun, I had fun, let's wrap this thing up. Everybody, thank you so much for watching; I really, really hope you enjoyed this video. If you did like this video and you want to do more stuff like this, I have a good time with this and I think it's kind of cool to put a real-life use case and practical application to some of this nerd cyber stuff that we do, but I just hope you enjoyed it. If you did, please do all those YouTube algorithm things; please hit that subscribe button if you haven't already, leave a comment, that is super helpful and I am grateful for that, kind of expanding the YouTube algorithm, and like the video and stuff. All right, dude, I'm fading out; this is... I'm at the end, I'm at the end of my rope here, so I gotta shut this video off. Thank you so much, everybody, I love you, and I hope you like this video, and I'll see you in the next one. Goodbye everybody, take care.
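The second-stage recovery walked through in the captions (strip the WScript.Sleep 0 padding, split the "big blob" on five at signs, turn each decimal code into its character, skip the empty trailing element) and the "findall instead of the first match" fix, written up as one Python script. This is an added example and not code from the video, from Didier Stevens' decode-vbe.py, or from the malware itself. The first-stage script it works on is constructed here with placeholder host and port values; the `#@~^` ... `^#~@` regex is my own assumption approximating the Script Encoder block markers the video mentions, it only locates blocks and does not undo the VBE encoding (that is the mapping work decode-vbe.py does).

```python
import re

# Everything below is constructed for this example; none of it comes from
# the sample analysed in the video.
DELIM = "@@@@@"  # the "five at signs" separator the first stage splits on

# Matches the WScript.Sleep 0 padding lines the video removes by find-and-replace.
SLEEP_NOISE = re.compile(r"^\s*WScript\.Sleep\s*\(?\s*0\s*\)?\s*$", re.IGNORECASE)

# ASSUMPTION: approximation of the Script Encoder block delimiters ("#@~^" ... "^#~@").
# It locates every encoded block (the findall fix from the video) but does NOT
# decode the block body; decode-vbe.py's mapping tables do that.
VBE_BLOCK = re.compile(rb"#@~\^(.+?)\^#~@", re.DOTALL)


def encode_blob(text: str) -> str:
    """Inverse of decode_blob; used only to build the constructed first stage."""
    return DELIM.join(str(ord(ch)) for ch in text) + DELIM


# Constructed stand-in for the real second stage (placeholder host and port).
SECOND_STAGE = 'host = "c2.placeholder.invalid"\nport = "81"\n'

# Constructed first stage with the same shape as the decoded script in the video:
# a long quoted blob of decimal character codes padded with Sleep(0) lines.
FIRST_STAGE = (
    "WScript.Sleep(0)\n"
    "Dim bigBlobOfNonsense\n"
    f'bigBlobOfNonsense = "{encode_blob(SECOND_STAGE)}"\n'
    "WScript.Sleep(0)\n"
    'fiveAtSigns = "@@@@@"\n'
    "WScript.Sleep 0\n"
    "parts = Split(bigBlobOfNonsense, fiveAtSigns)\n"
    "ExecuteGlobal allCharsJoined\n"
)


def strip_sleep_noise(script: str) -> str:
    """Drop the WScript.Sleep 0 padding lines (the video's Ctrl+H step)."""
    kept = [ln for ln in script.splitlines() if not SLEEP_NOISE.match(ln)]
    return "\n".join(kept) + "\n"


def extract_blob(script: str) -> str:
    """Find the quoted run of @@@@@-separated decimal numbers in the cleaned script."""
    m = re.search(r'"((?:\d+@@@@@)+)"', script)
    if m is None:
        raise ValueError("no @@@@@-delimited blob found")
    return m.group(1)


def decode_blob(blob: str, delim: str = DELIM) -> str:
    """Split on the delimiter, map each decimal code to its character, and skip
    the empty trailing element that the final delimiter leaves behind."""
    return "".join(chr(int(code)) for code in blob.split(delim) if code)


def find_vbe_blocks(data: bytes) -> list:
    """Return the body of every encoded block, not only the first match."""
    return VBE_BLOCK.findall(data)


def recover_second_stage(first_stage: str) -> str:
    """Full pipeline: strip noise, pull the blob, decode it back to VBScript text."""
    return decode_blob(extract_blob(strip_sleep_noise(first_stage)))


if __name__ == "__main__":
    print(recover_second_stage(FIRST_STAGE))
    sample = b"#@~^AAAA==alpha^#~@ filler #@~^BBBB==beta^#~@"  # constructed
    print(len(find_vbe_blocks(sample)), "encoded blocks located")
```

The `if code` guard in `decode_blob` is the same check the video adds for the empty element at the end of the split, and `find_vbe_blocks` returns a list so a caller loops over every block rather than indexing `[0]`.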
Info
Channel: John Hammond
Views: 310,850
Rating: 4.9252276 out of 5
Id: 3Q9-X_NRlJc
Length: 42min 22sec (2542 seconds)
Published: Wed Feb 10 2021