Some days ago, I discovered a computer in my network trying to make connections through a port that is not allowed by my next-generation firewall. I located the suspicious host and began to look for malicious processes running on it. Thanks to Process Explorer, I swiftly discovered that a VBS (Visual Basic Script) file was running on the computer.

I found the script in the Windows file system, and when I opened it, I could see the code below.



It appears that the file was encoded, but not with normal Base64 encoding... Staring at the file, I found some strings at the bottom that were not encoded...



We know that Base64 uses a character to indicate padding, which is usually "=". In the picture above we can see a lot of "==" sequences followed by "-". It is as if it were not a single encoded string, but multiple strings encoded one by one and separated by "-"... could this be possible?

On the website www.base64decode.org we can decode Base64 strings. If we decode the Base64 string "Jw==" we can see it corresponds to the ASCII string " ' ". If, for example, we decode the Base64 string "DQ==" we can see it corresponds to the ASCII string " d "... OK, we know how to decode the script... Each Base64 string is separated by a "-" and corresponds to a single character. But how can we decode it quickly?

The first thing I thought of was to write another script to decode the first one, but I chose to get there another way... If I used Notepad to replace the character "-" with a line break, I would have a document with one line for each Base64 string, like in the picture below.


Now we can decode all the encoded strings by just executing a Linux command:
base64 -d script_to_decode.vbs
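
The "another script" route mentioned above, as an added example that is not part of the original post or the malware's own code. It assumes every token decodes to exactly one byte, as described above, and sets aside anything else (such as the plain strings at the bottom of the file); the function name and the sample are constructed for illustration.

```python
import base64
import binascii

def decode_dash_b64(text, sep="-"):
    """Decode text where each character is Base64-encoded on its own
    and the resulting tokens are joined with `sep`.

    Returns (decoded_text, rejects). `rejects` holds (index, token) pairs
    for tokens that are not valid Base64 or do not decode to one byte,
    so unencoded strings mixed into the file are reported, not mangled.
    """
    out = bytearray()
    rejects = []
    for i, token in enumerate(text.split(sep)):
        token = token.strip()          # tolerate line breaks around tokens
        if not token:
            continue
        try:
            # validate=True refuses characters outside the Base64 alphabet;
            # "-" is not in the standard alphabet, so splitting on it is safe.
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            rejects.append((i, token))
            continue
        if len(raw) != 1:              # assumption: one character per token
            rejects.append((i, token))
            continue
        out += raw
    # latin-1 maps every byte to a character, so decoding never fails
    return out.decode("latin-1"), rejects

# Constructed sample: a harmless line encoded the same way, followed by
# two plain-text tokens like the unencoded strings at the end of the file.
SAMPLE_PLAIN = 'WScript.Echo "hello"\r\n'
SAMPLE = "-".join(
    base64.b64encode(bytes([b])).decode("ascii")
    for b in SAMPLE_PLAIN.encode("latin-1")
) + "-not encoded-abcd"

if __name__ == "__main__":
    text, rejects = decode_dash_b64(SAMPLE)
    print(text)
    for index, token in rejects:
        print(f"token {index} left undecoded: {token!r}")
```

Reviewing the rejected tokens separately keeps the plain-text strings readable instead of letting them corrupt the decoded output.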



We can see the entire script decoded, and now we can continue researching the malware's behaviour. Reading the code, I could say that this script is used to connect to the command and control server in order to download instructions and upload data from the infected computer.

To continue researching the malware, we could replace the hostname with another one where we would have a computer listening on port 8088. We would then receive the HTTP GET or POST requests from the infected computer. Doing that, we would know what commands are used in this botnet without needing to do an advanced static analysis.