We deobfuscated the script by making small modifications to the original, which produced far more readable code. For easier understanding we have rearranged the main part of the script in the following sequence:
The first four lines of the script hold the URLs of four compromised websites from which the script tries to download the payload; if one download fails, it moves on to the next URL. On success it receives the encoded payload, which at first glance looks like a junk file (hash: 5C5D55C1AEB06CA131EEF5BC19C3C1CD):
The packed DLL has an export function “_WinMainExp@16.”
While unpacking the DLL we came across the following technique for detecting virtual machines. The malware measures the time taken by two API calls, GetProcessHeap() and CloseHandle(). It does not import CloseHandle() statically: at runtime it obtains the function's address with LoadLibrary() and GetProcAddress(), as shown below:
The author assumes that on a physical machine CloseHandle() completes faster than GetProcessHeap(), and treats the opposite ordering as a sign that the code is running under virtualization. The following code snippet shows the comparison:
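To see where a given host lands under this rule, the following is an added example in Python that reimplements the comparison; it is not the sample's code. Like the sample, it resolves both APIs through LoadLibrary() and GetProcAddress() rather than the import table, but it uses Python's perf_counter_ns() as the timer and takes the median of many runs instead of a single timed pair. The post does not say which handle the sample closes, so this example closes a fresh event handle on every run (an assumption). measure_windows() needs Windows; verdict(), which applies the rule described above, runs anywhere.

```python
import statistics
import sys
import time


def call_cost_ns(func, arg_tuples):
    """Median wall-clock cost in nanoseconds of calling func once.

    arg_tuples supplies the argument tuple for every run, so a consumable
    argument (a handle that CloseHandle destroys) can be fresh each time.
    The median suppresses scheduler noise that a single timed pair, as a
    malware sample would typically use, does not filter out."""
    samples = []
    for args in arg_tuples:
        t0 = time.perf_counter_ns()
        func(*args)
        samples.append(time.perf_counter_ns() - t0)
    return statistics.median(samples)


def verdict(heap_ns, close_ns):
    """The rule described in the post: on a physical host CloseHandle() is
    expected to complete faster than GetProcessHeap(); the opposite ordering
    is taken as a sign of virtualization."""
    return "virtualized" if close_ns >= heap_ns else "physical"


def measure_windows(runs=201):
    """Windows only. Resolves both APIs at runtime through LoadLibrary and
    GetProcAddress, as the sample does, rather than through the import
    table, then times each of them `runs` times. Returns (heap_ns, close_ns)."""
    import ctypes
    from ctypes import wintypes

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.LoadLibraryW.restype = wintypes.HMODULE
    k32.LoadLibraryW.argtypes = [wintypes.LPCWSTR]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [wintypes.HMODULE, ctypes.c_char_p]
    k32.CreateEventW.restype = wintypes.HANDLE
    k32.CreateEventW.argtypes = [ctypes.c_void_p, wintypes.BOOL,
                                 wintypes.BOOL, wintypes.LPCWSTR]

    hmod = k32.LoadLibraryW("kernel32.dll")
    close_handle = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HANDLE)(
        k32.GetProcAddress(hmod, b"CloseHandle"))
    get_process_heap = ctypes.WINFUNCTYPE(wintypes.HANDLE)(
        k32.GetProcAddress(hmod, b"GetProcessHeap"))

    # Assumption: the post does not say which handle the sample closes, so this
    # example closes a fresh, valid event handle on every run.
    handles = [(k32.CreateEventW(None, False, False, None),) for _ in range(runs)]
    heap_ns = call_cost_ns(get_process_heap, [()] * runs)
    close_ns = call_cost_ns(close_handle, handles)
    return heap_ns, close_ns


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("measure_windows() needs Windows; verdict() itself is portable")
    heap_ns, close_ns = measure_windows()
    print(f"GetProcessHeap {heap_ns:.0f} ns, CloseHandle {close_ns:.0f} ns "
          f"-> {verdict(heap_ns, close_ns)}")
```

Running it once on a known physical machine and once inside the analysis sandbox shows which side of the threshold each lands on, and comparing the median with individual samples shows how noisy a single timed pair is; that noise is why checks of this kind can misfire in either direction.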
Once unpacked, the malicious DLL shows the export function “qwerty”:
In line 6, ExpandEnvironmentStrings() resolves the %TEMP% directory, where the downloaded DLL is stored under a random name. In lines 11 to 18 the script checks the machine's architecture with an if-else statement:
Depending on the architecture, the script then launches the DLL with rundll32.exe; line 22 shows the call:
The hardcoded parameter “323” passed to the DLL is visible in the following snippet:
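For the detection side, the following Python is an added example (not from the post) that parses rundll32 command lines of the kind a process-creation log records and flags the pattern this downloader leaves: a DLL launched from %TEMP% through rundll32.exe, possibly via the SysWOW64 copy on a 64-bit host, with an export name and a numeric-only argument such as “323”. The sample command lines are constructed; the export name “qwerty” and the argument “323” are the values the post reports, while the user name, file names and the vendor DLL are made up.

```python
import re

# Constructed process-creation command lines (Sysmon Event ID 1 style). They are
# not from the post: the export name "qwerty" and the argument "323" are the values
# the post reports; the paths, user name and vendor DLL are made up.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\rundll32.exe C:\Users\bob\AppData\Local\Temp\d7f3a1.dll,qwerty 323",
    r"C:\Windows\SysWOW64\rundll32.exe C:\Users\bob\AppData\Local\Temp\k2.dll,qwerty 323",
    r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll",
    r'C:\Windows\System32\rundll32.exe "C:\Program Files\Vendor\helper.dll",Init',
    r"C:\Windows\System32\notepad.exe C:\Users\bob\notes.txt",
]

# rundll32 <dll>[,<export>] [<arguments>], with the executable and the DLL each
# optionally quoted. DLL paths containing spaces must be quoted to match.
RUNDLL32_RE = re.compile(
    r'^"?(?P<exe>(?:[A-Za-z]:\\[^"]*\\)?rundll32\.exe)"?\s+'
    r'"?(?P<dll>[^",]+?\.dll)"?'
    r"(?:,(?P<export>\S+))?"
    r"(?:\s+(?P<args>.*))?$",
    re.IGNORECASE,
)

# Where the downloader writes the DLL: %TEMP%, as resolved by ExpandEnvironmentStrings().
TEMP_DIR_RE = re.compile(r"(%TEMP%|\\Temp\\)", re.IGNORECASE)


def analyze(cmdline):
    """Parse one command line. Returns None unless it is a rundll32 launch;
    otherwise a dict with the DLL, export, arguments and matched indicators."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if not m:
        return None
    exe, dll = m.group("exe"), m.group("dll")
    export = m.group("export")
    args = (m.group("args") or "").strip()
    indicators = []
    if TEMP_DIR_RE.search(dll):
        indicators.append("dll_in_temp")            # dropped under %TEMP% with a random name
    if "syswow64" in exe.lower():
        indicators.append("wow64_rundll32")         # 32-bit DLL run on a 64-bit host
    if args and args.split()[0].isdigit():
        indicators.append("numeric_only_argument")  # a bare integer such as "323"
    return {
        "exe": exe,
        "dll": dll,
        "export": export,
        "args": args,
        "indicators": indicators,
        # A DLL executed out of a temp directory is the strongest single signal;
        # the other two raise confidence but are legitimate on their own.
        "suspicious": "dll_in_temp" in indicators,
    }


def scan(lines):
    """Return the (command line, analysis) pairs that should be triaged."""
    hits = []
    for line in lines:
        result = analyze(line)
        if result and result["suspicious"]:
            hits.append((line, result))
    return hits


if __name__ == "__main__":
    for line, result in scan(SAMPLE_COMMAND_LINES):
        print(f"{result['dll']} export={result['export']} args={result['args']!r} "
              f"indicators={result['indicators']}")
```

The export name and parameter are kept as parsed fields rather than matched literally, because both are trivial for the author to change between builds; the temp-directory launch and the numeric argument are the parts of the behaviour worth alerting on across variants.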
This post was prepared with the invaluable assistance of Girish Kulkarni and G N Sivagnanam.