When I\u2019m teachning FOR610[1<\/a>], I always say to my students that reverse engineering does not only apply to \u201cexecutable files\u201d (read: PE or ELF files). Most of the time, the infection path involves many stages to defeat the Security Analyst or security controls. Here is an example that I found yesterday. An email was received via an attached ZIP\u00a0archive. It contained a simple file: \u201cPayment_confirmation_copy_30K__202512110937495663904650431.vbs\u201d (SHA256:d9bd350b04cd2540bbcbf9da1f3321f8c6bba1d8fe31de63d5afaf18a735744f) identified by 17\/65 antiviruses on VT[2<\/a>]. Let\u2019s have a look at the infection path.<\/p>\n The VBS script was obfuscated but\u00a0easy to reverse. First it started with a delay loop of 9 seconds:<\/p>\n This allow the script to wait before performing nasty actions and avoid using the sleep() function which is often considered as suspicious. Then the script will generate a PowerShell script by concatenating a lot of strings. The \u201cPowerShell\u201d string is hidden behind this line:<\/p>\n The script is reconstructed like this:<\/p>\n The result is executed with an Shell.Application object. The PowerShell script is also heavily obfuscated. Two functions are used for this purpose:<\/p>\n The second function just invokes an \u201cInvoke-Expression\u201d with the provided string. The first one reconstrusts strings by extraction some characters from the provided one. Example:<\/p>\n The variable meseventrally will containt \u201cnET.wEBClIent\u201d.<\/p>\n The first part of the deobfuscated script will prepare the download of the next payload:<\/p>\n The loop waits for a successful download from ths URL: hxxps:\/\/drive[.]google[.]com\/uc?export=download&id=1jFn0CatcuICOIjBsP_WxcI_faBI9WA9S<\/p>\n It stores the payload in C:UsersREMAppDataRoamingbudene.con. Once decoded, it\u2019s another piece of PowerShell that also implements deobfuscation functions.<\/p>\n The script will invoke an msiexec.exe process and inject the FormBook into it. The injected payload\u00a0is C:UsersREMAppDataLocalTempbin.exe (SHA256:12a0f592ba833fb80cc286e28a36dcdef041b7fc086a7988a02d9d55ef4c0a9d)[3<\/a>]. The C2 server is 216[.]250[.]252[.]227:7719.<\/p>\n Here is an overview of the activity generated by all the scripts on the infected system:<\/p>\n [1]\u00a0https:\/\/www.sans.org\/cyber-security-courses\/reverse-engineering-malware-malware-analysis-tools-techniques<\/a> Xavier Mertens (@xme) (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n \t\nDim Hump\nHump = DateAdd(\u201cs\u201d, 9, Now())\nDo Until (Now() > Hump)\n Wscript.Sleep 100\n Frozen = Frozen + 1\nLoop<\/pre>\n
\nNestlers= array(79+1,79,80+7,60+9,82,83,72,69,76,76)<\/pre>\n
\nRoastable11 = Roastable11 + \u201cmv 'udenri\u201d\nRoastable11 = Roastable11 + \u201cgstjenes\u201d\nRoastable11 = Roastable11 + \u201cte\u2019;\u201d\nRoastable11 = Roastable11 + \u201cfunction \"\nRoastable11 = Roastable11 + \u201cMicrocoulomb\u201d\nRoastable11 = Roastable11 + \" ($s\u201d\nRoastable11 = Roastable11 + \u201ckattes\u201d\nRoastable11 = Roastable11 + \u201ckemas='sel\u201d\nRoastable11 = Roastable11 + \u201cvang\u201d\nRoastable11 = Roastable11 + \u201cav\u2019)\u201d\n...<\/pre>\n
\nfunction Microcoulomb ($skatteskemas=\u2018selvangav\u2019)\n{\n $bletr=4;\n do {\n folkesangeren+=skatteskemas[$bletr];\n $bletr+=5;\n overhringens=Get-Date\n }\n until (!skatteskemas[$bletr]);\n $folkesangeren\n}\n\nfunction Blokbogstavers65 ($srlings)\n{\n countryish22(srlings)\n}<\/pre>\n\n$mesoventrally=Microcoulomb \u2019 :::n TTTEJJJJTjjjj.nnnnw::::E\u2019;\n$mesoventrally+=Microcoulomb \u2018i iiB SSSCccc l EE INNNNe * *n;;;;t\u2019;<\/pre>\n
\nwhile ((!brandmesterens))\n{\n Blokbogstavers65 (Microcoulomb '...\u2019) ;\n Blokbogstavers65 retsforflgende;\n Blokbogstavers65 (Microcoulomb '...');\n<\/s> Blokbogstavers65 (Microcoulomb '...') ;\n <\/em>Blokbogstavers65 (Microcoulomb '...\u2019) ;\n fedayee=serigraphic[$dichotomically]\n}<\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20251113-1.png?ssl=1\")
<\/p>\n
\n[2]\u00a0https:\/\/www.virustotal.com\/gui\/file\/d9bd350b04cd2540bbcbf9da1f3321f8c6bba1d8fe31de63d5afaf18a735744f<\/a>
\n[3]\u00a0https:\/\/www.virustotal.com\/gui\/file\/12a0f592ba833fb80cc286e28a36dcdef041b7fc086a7988a02d9d55ef4c0a9d<\/a><\/p>\n
\nXameco
\nSenior ISC Handler – Freelance Cyber Security Consultant
\nPGP Key<\/a><\/p>\n
\n
<\/BR><\/p>\n