MALWARE ANALYSIS - VBScript Decoding & Deobfuscating

Jun 06, 2021
Ladies and gentlemen, welcome back to another YouTube video from John Hammond. In this video we are going to take a look at a strange file. This is something that we stumbled across, it's kind of quirky and I think it's a fun story so we'll dive in together so we'll jump into my terminal here where all the good stuff is happening and I've created this vbe directory and in this directory I have a file something dot vbe so I run our usual file recognition on this What we're going to try to figure out is what the hell it is, we're going to run the file command on this file and the result of that is just data that doesn't help me much, so general the resource is like okay well let's just put strings on that easy lemon squeezer see if there's anything interesting in that um no absolutely not it's just a can full of garbage and nonsense so I'm wondering what it is this, obviously, of course, the next one.
Best to ask our good friend and uncle Google here, so we'll fire it up in a web browser and I'll search for a vbe extension just to see what the fuck this thing is, uh fileinfo.com as the first result. gives me good knowledge here this says that a vbe file extension is a script written in visual basic script a programming language which is a reduced version of visual basic stores the source code in an encrypted format so it is not recognizable executed from natively on Windows by the Windows host script wscript.exe or cscript.exe.
Well, a vbe file may contain a virus, so do not open a vbe file if it is an unknown email attachment. You can decode a vbe file to verify the legitimacy of its source code by dragging and dropping the file content in vbs decoding script. What is there, a vbs decoding script? You can also drag and drop vbs files in vbs encoding script to encode. Is there anything to decode, encode and decode vbs scripts? And these are simple things, oh, Microsoft? You like them in your gallery. This page says that our goal is to help you understand what a file with vbe suffixes is and how to open it.
It is a type of script file encoded with vbscript. Ah, okay, that explains why we couldn't really read anything out of this good noise, because it is a basic visual script; it is normally plain text and human readable, as it is a scripting language, but it is encoded, so we could try to decode it. However, I'm running on Windows right now, so I don't think I can run a vbs script to decode it. I wonder if there is any other file that can do it, other utilities or tools that can do it, but apparently it's a script file coded with a vb script, so it's probably already there, weird and strange if it's a vbe script. uh, vbe decoding is something. I'm now using dark theme, okay, thanks Firefox, Google. uh oh, there's a python script by Didier Stevens, I might be pronouncing your name wrong, sorry mate, also 2016.
Okay, let's do it, let's try it, oh, there's a reference here, maybe I can read it to understand a little more about what this is, oh, thanks, why are you still doing that? Take me, I feel like Microsoft is the one. that put me in dark mode, they said no, no, no, you should save your eyes, man, so let's save this, I'll put it in this current directory, I'll bring it down here, okay, and now I have a decode. vbe.python file, this is 2016. Is it Python 2 or Python 3? um, apparently it's just doing weird assignments and replacing these things, okay, I guess we'll do it, it doesn't look like there's anything horrendous and malicious there, so let's use Python. three decode vbe.pi that does nothing directly, nothing right, is it really going to make me use Python 2?
Is it like reading from the central entrance or something? Oh yeah, I guess I should have read that error message. cis.center didn't read it I'm a dumb, dumb attack on Python3. Can I just give you a file? Yes, okay, the tachometer will display this help message. You can just pass it a file. Okay, let's do a Python 3 um vbe decode in our algo.vb and that spits out. and die great, it's probably Python three things. Research can't use a string dust on a byte-like object, yeah, that's totally a pain for Python 3. Will it work in Python 2?
By the way, it decodes something like vbe, it's just empty space. no way no way how big this file is no way look at that scroll bar no way this is just going to translate as empty white space I don't think so, what is the script doing? What is this vbe decoding doing? um manual yeah encoded vbe script that's what we want to provide a file can also be a password protected zip file with infected password um it does it oh it checks for python 3 whatever it just wasn't doing that would work, I guess fixing the pipeline file to chain standard hashes with correct chunk data, oh well, okay, just chunk it so you don't have to do it all at once and this mapping with decoding thing, I guess, figure out some of the bytes, um, what do you like? actually it's like this if we go to the right main function which is randby main, when we run the script it checks the manual, it checks if we are really looking for help or if we provide arguments, we will decode vbe based on the stdin or the file that we specify to decode vbe is the function we want to check here, fix the pipeline, uh, check for win32 to do some peculiar things.
I'm on Linux right now; otherwise it makes a match or either creates this variable or matches to search. with regex for something um and then it gets the content and then if it matches or doesn't match it tells me it can't find an encoded script otherwise it decodes the groups oh it only indexes the first match so it only goes for be like one thing, no matter what's in the script, yeah, okay, so the first thing you find is what's nothing and it looks like you're just using that marker for a hashtag in the carrot tilde sign, it literally says ha with equal sign a little prefix there so that has to be something um but it only does it for the first one we should patch it and fix it so it does it for everyone because I want to see what all those other things this script is . just weird because it has some weirdness, uh, let's do a regex dot search so we can use the same arguments to the regex pattern to search the contents of the file and then we'll have a match that we did before, but instead of just showing one, let's comment that out and do a four in a match because that will return a list, search all will give us a list of all of that, so we'll focus it on decoding the correct chunk. or match the zero groups, but instead of just getting the first index, let's try to do it inside the loop, running it on all the matches correctly, so if I save that and go back to our terminal, does it look better for us now, let's try ? that Python 2 decodes vbe into something.vbe oh, I have something else, oh, and it has a lot more, this also still looks like weird garbage, oh, but I can see some really human-readable source code stuff here, sort of okay, that's something, oh, and there are a lot of results, so we went over the whole thing.
Let me adjust that so I like what we should call this point vbs decoded, yeah, and it spits it out because I use it. Okay, now I have this decoded vbs that can be decoded. vbs oh you need ascii d text well actually something readable here we go ok so this is genuine this is a real basic visual script now with a lot of weirdness but for the sake of our sanity let's try to highlight something of syntax. and sublime text um, I'm pretty sure there's a basic visual script like a package that sublime text can use, so yeah, I pressed Ctrl Shift p on my keyboard to invoke sublime text, um, like the command panel of the control line, um, and I just entered.
Install the package so I can get into package control and I see that this one just writes vbs for the basic visual script so as I hit enter it looks like it installed successfully let me close all of this now and see if it shows up better yeah with syntax. highlighting okay perfect um let's see what the heck this thing is and does because there are a lot of completely random variable names here also I think this is funny these w script dot sleep zeros that's what literally does nothing that line does absolutely nothing it's just me I'm going to sleep for zero seconds, meaning don't sleep, don't wait, so how many of them are there because I see them repeated over and over again?
Some sublime text tells me that there are 231 occurrences of wscript.sleep, so let's get that thing out of here. I'm just going to find and replace all of that with an empty string so they're gone. I press control h to find and replace in sublime text and once you specify what you want to find. and what you want to replace, I use these backslashes here to escape the parentheses because I'm in regex mode and then you press ctrl alt enter on your keyboard, it will find and replace for each occurrence, so it works, I don't. know what this comment is base64 let's pipe it to base64 decoding uh my face is in the way nothing useful okay but it's a comment so it's a little strange it's not doing anything and I saw that the line The point of the script was probably just morphed into that because of the standard part that script was doing to decode this.
We probably should, in all honesty, and I think I want to address this as soon as I finish recording this video, it's like a neat thing. the script or make it so that it does it on every occurrence of these hardcoded markers that it finds, um, instead of just doing the first one, because what if a file like this is run again so that we can use Python 3 if I do it? this and maybe improve it make some parts of the arch make other more interesting things you can discover on my github very soon now let's see what else we have here uh dim is the marker and the basic visual script to create a new variable or type to declare hey , I'm going to end up using this um and this thing is apparently set to 544 for some reason, so I'm going to rename that variable and this is kind of like my process whenever I see some variable names that don't make sense. .
I'll try to read the code and understand what they do or what they're used for and rename them so I can understand it as I read and see all the occurrences later in the code um, so this will be 544. There we go again, find and replace all those and then we have this thing that takes a tangent function like weird trigonometric functions, um, we'll call it tangent function result, I guess, and then we have this thing, oh, and that was that big giant mass of nonsense that we saw earlier, yeah, this goes on forever, look this is my horizontal scroll bar.
Okay, so we'll call it, uh, big mass of nonsense, I think that's appropriate. name for this here big mass of nonsense here we go um and then we create more variables 142 for some reason doing another tangent function why are these things happening 142. I see I'm being weird here I didn't use underscores and the previous variable names and now I'm using underscores, these are classic programmer inconsistencies, not that I'm programming anything right now, another tangent function, I don't think that actually does anything, these variables are literally never used again, no, no, they're not . completely useless, thanks, weird basic visual script, how about this thing, oh, that one is set up with an at delimiter, that's weird, apparently all those five at signs, huh, we'll call them five at signs, what's up with This stinker, oh, another, another tangent nonsense right?
I do literally nothing, it just takes a tangent value for no reason, okay, a big mass of nonsense, we have five at signs, we make another tangent function call, oh, and then we take the big mass of nonsense and divide it with the five at signs. ooh oh, because they're all separated by similar numbers here, they're all maybe characters, maybe like ascii characters. We'll keep browsing for more tangent functions, cool. uh, that's set to zero, I'm just going to set that, doesn't look like it's being used, in a random tangent function, but this, however, is, so we will remove that, and more tangent functions, a complete waste of time. What is it used for? Oh, that is working with the great mass of nonsense that is down there. What is supposed to be the limit in U, is that a vbscript u-bound function? u-bound vbscript u-bound function, oh, I'm back out of dark mode, sorry for your eyes, everyone. Converts the largest subscript for the indicated dimension of an array, what does that mean?
Oh, so they use l I'm forced to see the total number of things here. U-bound is going to get the count. It's correct for a single dimensional array which wasn't very useful. w3 schools explained or maybe it was, maybe I'm just a stupid tutorial. i literally exactly the same, the largest subscript value,I'm pretty sure it's just taking the length. I'm pretty sure you're just getting the script length of that array, yeah, so let's call that and subtract one from it, so we'll just call it nonsense length and note that nonsense has now been divided by these signs of at, so we're literally getting a list essentially or like an array of all these numbers, so okay, move on to more tangent functions, die by e. is equal to zero to the length of the nonsense ooh this is a for loop here's a final four anywhere where the heck isn't this oh there's a next okay, we should, we should probably remove some of these large amounts of new lines that I just put here because of the w script garbage, um, let's clean that up, everyone can disappear five in the signs, we divide the large mass of nonsense, the length of the nonsense is now being used and another one right after that as a useless tangent function , then we make another useless tangent function inside the for loop.
By the way, you should indent this for loop so we can understand our logical flow. I'm cleaning right now. There's a lot of stupid stuff in this tab, um, okay, so we can look at the for loop, this is another useless tangent function. This is also another useless tangent function. Okay, so the whole wscript.sleep zero thing and all these useless tangent functions just cause the code to do random things or have weird functionality, like behavior analysis will just die, or it's like oh no, this seems fine, it's just doing trigonometry over here. um oh, but actually yeah, oh, we actually do things with our big mass of nonsense, um, it seems that is being indexed with e being our correct iterator, so e is our iterator.
I don't want to control h that e because e will be present in a lot of other random things like real variables that I want to use so let's call that meaningless slap index that in oh and then we take the character of that okay then sorry , I need to replace that specifically with a meaningless, meaningless character. I can write another stupid, useless tangent procedure and another stupid, useless tangent procedure, but eventually we're building a new string of apparently all the characters. joined, yeah, yeah, another useless tangent function, oh, and then we sleep for real and run globally, all the characters join, so we're building, we're looping through that list and pulling data from it, what's this running globally? ? making the bb script run global the statement run global runs one or more statements specified in the global namespace of a script oh shit ok so it's basically eval, it basically runs like within the current context, plus random tangent functions, so we should probably find out what that's all about. the characters come together, but we have, oh god, so much more to do in this script, shit, wait a second, they all look exactly the same, they all look identical, I mean, not identical, right, but they are literally like that. it goes on for 25,000 lines and more than that because we cleaned up half the thing, another random comment with no real base64 that makes no sense, so what else did we get?
What else did we get? Let's go back to where we were and calculate. find out what these things are doing, so this is a function and we define some variable with completely random strings, let's call that random string, let's call it another random string because that's being defined for that thing, just after it you test if the random string it is not the same. to the other random string, then you end them together or not, you concatenate them, that's the operator for concatenate in the Visual Basic strip, I think it concatenates them together. We'll call it as concatenated and then we do a for loop for one. to three where we set the return value of this function so that it just adds the concatenated, is this function ever called?
Oh, it's redefined, what the heck, how many times do they redefine this function? 165, which is literally the exact same code, is just that. It had exactly the same numbers of variables, but it just doesn't do anything. Has this function ever been called? Although let me go back to the last call or the last match, no, it's literally just, it's just defining and declaring these functions. It doesn't do anything if I search. for each function and remove them, what else is left in this code? Do you ever use these features? um, let's use regular expressions and try to get newline characters up to a newline, newline or not, let's find an end function and space function I think I need it to be greedy is it like this, uh shit, how do I do this?
I want a multi line pattern match and oh god final function I want all this please how can you not match? I do not know what. new line stuff i need to handle ctrl h for the function we match everything and then join new lines anything as many times as possible up to a new line several times several times what the hell regex this will be the death of Yo, seriously What the hell guys, do I know I've done this before? Function, anything that matches a newline character, anything that matches, let's get several of these until the final function, until the final function, oh my God, I'm like crying.
I mean, what's a good way to do this? I'm going to suffocate. I'm going to bump into this wall for a couple of minutes, so if you get bored, skip ahead. I know I've done this before to work. Anything. to a new line, get me anything on the next line and match that as many times as you can. match this thing oh new line plus that as many times as you can no how about something else a new line as many times as you can? No, this is me like I'm choking on regular expressions. Everyone, we're going to spend five minutes on this video just because I'm literally trying random things, but I see some sublime text that matches the first line.
Do I need a case-free selection? no full case-insensitive word should do it and work fine, this is a stupid waste because let's just go on with all these other strings, because we know this thing is defined repeatedly but never actually called, so any of these functions this thing is called, wait. this is exactly the same setup as looking at rksn xbl, obviously it just loops to look for a random number that is concatenated into the strings you concatenated and which have no real purpose, but then if you search for this it is never actually called , what are you doing? defines more random variables outside the scope of these functions, so it's the same variables over and over again, okay, this is useless, that part probably does literally nothing, um, let's get back to our big stinking mass of nonsense, our only friend here. um and let's try to figure out what this thing is doing so we're going to put it in its own sublime text window so you can get the context of what we're working with here, let's turn off word wrapping so you can I can see this crazy thing um and now let's get into Python and break this down our way, you know, let's do Python 3 and let's take this whole blob and store it as right blob and I'll paste it into cool now that I have it. one blob and that's it, so let's do a blob dot division on those five at characters and now we have all these ascii numbers and took the character from these, so we'll do exactly the same thing on some good list comprehension , we'll make a character array from c to c in that blob and that needs to be an integer, so first we'll convert them to an integer and then we'll take the character array um oh, and there's an empty line at the end, so we will do another check if that value c exists if it is not an empty string if it is an empty string we will ignore it completely, but that gives us some things if I join them all together Will we have an actual readable string here?
Yeah, oh, and that's a totally more visual basic script. Well, let's save this as content and now write that to a file. Let's open the second stage.vbs on the right and write it with our content, okay, open another terminal down here, now we have the second stage.vbs, so let's take a look at that thing. oh, recorder houdini skype houdini fx, now we're coming to the real malware, ladies and gentlemen. This has a hostname for duck dns on port 81, installation directory for a temp windows environment variable using an lnk folder and an lnk file, I set those public variables out of order for the w script objects we built in, so the system object dot shell script files, and let's take a look at this code, let's see what it does, guys, can we clean this up?
Can we clean this up? maybe uh maybe there's maybe a basic visual script beautifier beautiful vb code indenter i trust you indent thank you thank you code beautify about you did you like do it? automatically what the heck what the heck okay that doesn't work vbs beautifier format code holy cow i'm going down a rabbit hole here i'm just trying to find a code beautifier it doesn't need to be visual basic script guys i just need to beautify the inline javascript unifying code, we already did vbscript um slap dot, no it's not doing it yet, is there a phoebe script in this?
I swear I've done this before beautify visual basic script online vba online code formatter it looks promising let's do it yeah yeah okay so let's call this uh second clean stage so we have a name decent for private variables. The installation name will be this script, it takes the home directory and gets the installation directory. if you don't have an existing folder, then you put it in temporary. Okay, it sleeps for a while, creates other USB extension variables and then we do the next thing on error, so we completely ignore the things we do for a moment, while the loop install should be true. another function that is defined, oh, and then we get answers, if we post on something, it's that a function is another nice function and then we understand what the answer is.
I guess c2 command and control server uninstall shipping okay so I can download stuff upload stuff list drivers and run processes yeah so how this thing installs apparently it's ready if we have free space this is very, this is a very thorough check, hey, if we have space, if we have a writable drive, the drive is ready for us. to use it, then go ahead and put it all here, U-bound again. Okay, get the name and then add an lnk file creating a shortcut. Yes, that is the lnk file using comspec that will evaluate to cmd.exe cmd.exe c to run. just a command echo randomness and start this script by adding quotes with chr w 34 echo random start and then the file name for this script and then it comes out ah and then oh a registry icon appears which are sorted classes and just a normal lnk default icon and then we save it, we do the same thing with more randomization of the startup here, so okay, we invoke it with explorer apparently yes for every folder you have, if you search for it, find it, save it, that it's pretty good.
Creepy scary uninstall looks like it deletes some registry keys, it's fine and tries to persist or hide like run registry keys, the classic old auto runs nerfs by deleting the lnk file and post seems like it creates an http object and publishes as a web request to our host on that port with the command we want to get, so it has to be ours, it has to be specifically c2 and the information is included in the user agent ooh, included in the user agent header information about the computer that we can see is in a function here and that takes information from WMI.
Windows Management Instrumentation takes all class information from the Win32 operating system. Creepy and scary. run and then use wscript.exe to invoke this creepy dookie with our installation directory and installation name so that this file will simply persist in the registry. those bad guys hardware IDs get more information security um oh, it's like looking for the firewall, is that right? looking at yeah yeah and looking for antivirus products sneaky mom oh that's awesome just check to see hey what's going to stop me what are the security products you have on your computer that could slow me down we might have to weaken all those antiviruses. stuff if we want to be a really bad guy um USB diffusion oh wow we're almost done we're almost done I swear html http okay download a file so we can exfiltrate stuff in and out yeah we publish with shipping or getting to be able to retrieve things so that the c2 server can run in and out uh exfiltrating data exfiltrating files with download and upload of course all using the adodb stream storing that file with the file system object saving these things very cleverly list drivers list faf which one It doesn't occur to me not to list processes,yes, just use wmi again by selecting from win32 process, exit the process, so it's going to commit suicide, how do we do it? oh oh oh oh just kill a process you can pass in a pit and it will just fire the thing right and run command and control correctly you will get a little cmd shell just run comspec which again will be cmd.exe with slash c and that's it everything, oh so that's some c2 stuff that's some command and control stuff, ladies and gentlemen, written in basic visual script that persists in the registry checking for these hostnames or that hostname and I've seen variants of this, yeah they Google it, they can see this code and they can see other versions of it and maybe we can do it. 
that in a later video, but they will change the hostname, they will change the installation directory, they will change the port, what is this thing called.
I'm going to need to get into a meeting, so I have to go soon, but yeah, here's a gist of this four years ago, same kind of thing, different hosts, different installation directories and different ports, so this has existed, looks like this is the dunihee h worm from houdini, oh and Fireeye has some good things about this and it's old. it's old like it's 2013 20 2015. but it was cool to dive into this and poke around in it so yeah yeah literally exactly the same code almost do nihi I guess that's the name of that remote access toolkit . remote access you know trojan rat visual basics journey so it was cool, it was fun, I had a good time with it um maybe this is a new interpretation maybe uh houdini and duhini are back in action um but I mean, this It's a recent thing.
So maybe the code could be a little different. I don't know what version number of the malware it might be, but I hope you enjoyed this little deep dive into some weird basic visual script file that was encoded. I'm working on decoding that, change around some of those variables and following them in the basic visual script, but it was a lot of fun to shoot. I had a lot of fun doing this and I hope you had fun seeing that, maybe you learned a trick or two, maybe you'll like that methodology of reviewing and understanding the source code when you can read it correctly, when it is human readable in plain text, being a programming language, but that is, if you haven't done it yet, maybe these could be some indicators of compromise that you can add to your library or anything like that, but I think that's it, I think that's all I wanted to do in this video, it was fun, I had five fun times, let's get this over with everyone, thank you so much for watching, really.
I really hope you enjoyed this video if you liked this video and want to do more things like this. I'm having a good time with this and I think it's cool to present a real-life use case and practical application to some of this nerdiness. cyber stuff we do um but I just hope you enjoyed it if you did do all that youtube algorithm stuff hit the subscribe button if you haven't already leave a comment I'm very helpful that's it very helpful and I'm grateful for that kind of expansion of the YouTube algorithm and I like the video and stuff, okay buddy, I'm fading, this is, I'm at the end, I'm at the end of my rope here, so, I have to close.
This video is off thank you very much everyone, I love you and I hope you like this video and see you in the next one, bye, take care everyone.
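The stage-one deobfuscation walked through in the video (stripping the `WScript.Sleep 0` padding and the throw-away `Tan()` calls, dropping the repeatedly redefined functions that are never called, and turning the `@@@@@`-delimited ASCII codes back into the second-stage script) can be done statically without ever running the sample. The following is an added example written for this page; it is not code from the video, from John Hammond, or from Didier Stevens' decode-vbe.py. The VBScript it operates on is a constructed stand-in that reproduces only the obfuscation patterns described above (the delimiter, the junk calls, the `Chr()` loop feeding `ExecuteGlobal`), not the real sample, and the payload it decodes is a harmless constructed string.

```python
import re

# Constructed sample payload: a harmless one-liner standing in for the second stage.
STAGE2 = 'WScript.Echo "second stage"'
# Encode it the way the video describes: ASCII codes joined by five "@" signs,
# with a trailing delimiter so Split() yields an empty last field.
BLOB = "@@@@@".join(str(ord(c)) for c in STAGE2) + "@@@@@"

# Constructed stage-one VBScript (not the real sample) with the same junk patterns.
SAMPLE_VBS = f'''
WScript.Sleep 0
Dim qwerty
qwerty = 544
WScript.Sleep 0
Dim zxcv
zxcv = Tan(qwerty)
Dim bigBlob
bigBlob = "{BLOB}"
WScript.Sleep 0
Dim delim
delim = "@@@@@"
Dim parts
parts = Split(bigBlob, delim)
Dim result, e
For e = 0 To UBound(parts) - 1
    zxcv = Tan(e)
    result = result & Chr(parts(e))
Next
WScript.Sleep 0
ExecuteGlobal result
Function padding()
    Dim a, b
    a = "abc"
    b = "def"
    If a <> b Then
        a = a & b
    End If
    padding = a
End Function
Function padding()
    Dim a
    a = "abc"
    padding = a
End Function
'''

FLAGS = re.IGNORECASE | re.MULTILINE
# Whole lines that only sleep for zero seconds.
SLEEP_RE = re.compile(r"^\s*WScript\.Sleep\s+0\s*$\n?", FLAGS)
# Whole lines that only assign the result of a Tan() call.
TAN_RE = re.compile(r"^\s*\w+\s*=\s*Tan\s*\([^)]*\)\s*$\n?", FLAGS)
# A complete Function ... End Function block (VBScript functions do not nest,
# so a lazy match up to the first End Function is safe).
FUNC_RE = re.compile(r"^\s*Function\s+\w+\s*\(.*?^\s*End Function\s*$\n?", FLAGS | re.DOTALL)
# A string literal made of digits separated by the five-@ delimiter.
BLOB_RE = re.compile(r'"(\d+(?:@@@@@\d*)+)"')


def drop_uncalled_functions(text):
    """Remove every definition of a function whose name never appears outside its own body."""
    names = {re.match(r"\s*Function\s+(\w+)", m.group(0), re.I).group(1) for m in FUNC_RE.finditer(text)}
    outside_defs = FUNC_RE.sub("", text)
    for name in names:
        if not re.search(r"\b%s\b" % re.escape(name), outside_defs, re.I):
            text = re.sub(r"^\s*Function\s+%s\b.*?^\s*End Function\s*$\n?" % re.escape(name),
                          "", text, flags=FLAGS | re.DOTALL)
    return text


def strip_junk(text):
    """Remove sleep-zero and Tan() filler lines and collapse the blank lines left behind."""
    text = SLEEP_RE.sub("", text)
    text = TAN_RE.sub("", text)
    return re.sub(r"\n\s*\n", "\n", text).strip()


def decode_blob(blob, delim="@@@@@"):
    """Mirror the script's own loop: Split on the delimiter, Chr() each code, skip empty fields."""
    return "".join(chr(int(code)) for code in blob.split(delim) if code.strip())


def deobfuscate(text):
    """Static clean-up plus payload recovery; nothing here executes the script."""
    cleaned = strip_junk(drop_uncalled_functions(text))
    m = BLOB_RE.search(cleaned)
    blob = m.group(1) if m else None
    return {"cleaned": cleaned, "blob": blob, "stage2": decode_blob(blob) if blob else None}


if __name__ == "__main__":
    out = deobfuscate(SAMPLE_VBS)
    print(out["cleaned"])
    print("--- recovered second stage ---")
    print(out["stage2"])
```

The recovered second stage is returned as text rather than passed to anything that would run it; the point of the exercise is to read what `ExecuteGlobal` would have been handed and pull indicators (hostnames, ports, install paths, registry keys) out of it.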
