Some days ago, I discovered in my network a computer trying to make connections through a port which is not allowed in my next generation firewall. I located the suspicious host and I began to look for malicious processes running on it. Thanks to Process Explorer  I swiftly discovered that a VBS (Visual Basic Script) was running in the computer.

I found the script in the windows file system and when I opened it, I could see the code below.

It appears that the file was cypher but it is not a normal Base64 encryption... Staring at the file I found some strings at the bottom of the file which they were not cyphered...

We know that Base64 uses a character to indicate padding which is often "=". In the picture above we can see a lot of "==" characters followed by "-". It is as if it were not a unique string cyphered, but multiples strings coded one by one and separated by "-"... could this be possible?

In this website we can decode Base64 strings. If we decode the Base64 string "Jw==" we can see it corresponds to the ASCII string " ' ". If for example we decode the Base64 string "DQ==" we can see it corresponds to the ASCII string " d "...  Ok, we know how to decode the script... Each Base64 string is separated with an "-" and corresponds to a single character. But how can we decode it quickly?

The first thing I thought was to make another script to decode the first one but I chose to get there another way... If used the notepad to replace the character " - " for a line spacing, I would have a document with one line for each Base64 string like in the picture below.

Now, we can decode all coded strings by just executing a Linux command.
base64 -d script_to_decode.vbs

We can see the entire script uncoded and now we can continue researching the malware behaviour. Reading the code, I could say that this script is used to connect with the command and control server in order to download instructions and upload data from the infected computer. 

To continue researching the malware, we could change the hostname for another one where we would have a computer listening on the port 8088. We will receive the HTTP GET or POST petitions from the infected computer. Doing that, we would know what commands are used in this Botnet without the requirement of doing an advanced static analysis.