Hello, spiky friends, and welcome to Malware Analysis for Hedgehogs. Today we will be looking at the unpacking of script malware. And this is our sample. It's also the original name of the sample, as you can find it in the wild. So let's take a look at it. It has a WSF extension. It's a Windows Script File, which could be JScript or VBScript or similar. And you just open it with Notepad or a similar editor. Okay, we see it's VBScript. And VBScript has an instruction separator, which is the colon. So if you want to make some sense of this, just copy it and replace the colon with a new line. You might have to set the search mode to extended first. Replace all with a new line. Set the highlighting to Visual Basic. Okay, now it looks a bit better.

We have this function here, HIO, and it ends here. All right, here's another function, Q. And the last line is an Execute on the return value of the HIO function, and this is the argument: a very long string. So what's happening here is that this is packed code, and that's the encoded code. It's decoded by this HIO function and afterwards executed with this Execute command. Now, we don't need to analyze this here, because all we want to do is see what's inside, what this code here is doing when it's executed. So just replace the Execute with a print command or something similar. Find... please stay here. That's annoying. Okay: WScript.Echo. And now save this. And instead of executing the code, you should now print the code. Genius.

Now, if you double-click this, it will run with wscript.exe, like this. But that doesn't help you very much, because it prints everything to a window. We don't want that. So just use cscript instead, and it will print the output to the console. unpacked1. This looks good. Did I call it unpacked2? Okay. And here we have our unpacked code, and it's still not readable. Again, here's an Execute command.
And in VBScript it does not matter what the casing is like. This is the Function keyword, and it's all camel case, kind of. But that doesn't matter; it's case-insensitive. It's still the same as Execute in lowercase or uppercase or whatever. This executes Q, and this is some Q... well, variable. This is also some kind of messed-up stuff in here. So again, we will just do the same as before and echo the output. Okay: cscript unpacked1 > unpacked2. "Expected end of statement"... where is it? Ah, here. It puts a header into the output. So just remove the header, then it should work. Okay, now we have unpacked2. That's a bit smaller, and it has an ExecuteGlobal; that's also an Execute kind of function. It executes OET, and OET is OET and this string. So what does it do? It's appending some characters right here, and those are based on that variable. And that again is split... that. Okay. So that means the context is missing. We just copy it in here; instead of this Echo, we copy it in here. And now if you double-click on this, it will highlight the variable XUO. And here you can see that the contents of XUO are built up this way. So it consists of lots of numbers with dots in between. And then it will split these on the dots, and then, yeah, kind of do something with the numbers to turn them into a string. So we replace this with WScript.Echo. Save, and do the same as before. It's again cscript unpacked1 > unpacked3 this time.

So now we open this in Notepad and we have... okay, let's copy this. We have a huge string in here, and the colons we will replace again with new lines. This looks like the malware code, but it's obfuscated. So we have functions that make sense for malware code, like CreateShortcut, drive path. That's definitely doing some interesting stuff in here. We just cannot read the strings that it uses, because they are obfuscated by this. I have written a Python script to de-obfuscate the strings.
And obfusc.py just prints it here, de-obfuscated. I will also show you the script. That's the Python script; it just reads in unpacked3.vbs, and for each line it will find those patterns of X, a bracket, and some value in it, and then replace the value that's in it with the char representation of it, and then turn it to lowercase. And that way we can de-obfuscate the code. It's not executable anymore, because it's not really a perfect de-obfuscation. The strings don't have any... for example, you would have to put those strings into quotation marks, which we didn't do in this case. But usually all you want to do is understand the malware that's inside. It's not always necessary to de-obfuscate it perfectly so that it still runs, and in this case I figured it's enough to do it this way.

And you can see now what this malware is doing. You also see our original file name here; it's just lowercase because I turned everything lowercase. And you can see it searches for drives and for removable drives, and it creates shortcuts on those drives by replacing the files on them with shortcuts. And the shortcuts in turn will run the malware code, this code here that we have now de-obfuscated. Here's the command to run it. And there is also a persistence function in here that will add our script file to the registry to make it autorun on every startup. It also queries some antivirus products, as you can see here. It also has some kind of vector in it to receive commands that it can execute. Yeah, that's pretty interesting.

If you want to take a look at it, I will put the link in the description below so you can download it from Payload Security and reverse it. And I will also put a pastebin link for my de-obfuscation script. Feel free to modify it if you think you can make a better one. Yeah, and that's it for today. Thank you for watching. Please post any questions below. Have a nice evening.
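The two string tricks seen in the video (a dot-separated list of character codes that the script splits and turns into text, and strings rebuilt from per-character helper calls joined with &) as an added Python example. This is not the speaker's pastebin script: the helper name X(n), the dot-separated code list and the sample lines are all constructed assumptions about the obfuscator's shape. It goes one step further than the script in the video: instead of lowercasing everything, runs of X(n) glued together with & are collapsed into one quoted VBScript literal, with embedded quotes doubled and control characters spliced in as Chr(n), so the output stays valid VBScript.

```python
import re

# Constructed sample lines in the style the video describes (not the real
# sample): each character is wrapped in a helper call X(n) and the pieces are
# concatenated with "&".
SAMPLE = [
    'Set WSO = CreateObject(X(87)&X(83)&X(99)&X(114)&X(105)&X(112)&X(116)'
    '&X(46)&X(83)&X(104)&X(101)&X(108)&X(108))',
    'Q = X(34) & X(97) & X(34)',
    'WSO.RegWrite K & X(92) & "evil", WScript.ScriptFullName',
]

# Stage-2 trick: "87.83.99..." -> split on dots, each number is a char code.
def decode_dotted(blob):
    return "".join(chr(int(n)) for n in blob.split(".") if n.strip())

# Render text as a VBScript expression. Printable characters go into a quoted
# literal (quotes doubled, as VBScript requires); control characters such as
# CR/LF would break the literal, so they are emitted as Chr(n) instead.
def vb_literal(text):
    parts, buf = [], ""
    for ch in text:
        if ord(ch) < 32:
            if buf:
                parts.append('"' + buf.replace('"', '""') + '"')
                buf = ""
            parts.append("Chr(%d)" % ord(ch))
        else:
            buf += ch
    if buf or not parts:
        parts.append('"' + buf.replace('"', '""') + '"')
    return " & ".join(parts)

# Assumed wrapper shape: X(<decimal>). A run is one or more such calls joined
# by "&" with optional whitespace; the whole run becomes a single literal.
CHAR_CALL = r"\bX\(\d+\)"
RUN_RE = re.compile(r"(?:%s\s*&\s*)*%s" % (CHAR_CALL, CHAR_CALL))

def _decode_run(match):
    # The match contains only X(n), whitespace and "&", so every digit group
    # is one character code.
    codes = re.findall(r"\d+", match.group(0))
    return vb_literal("".join(chr(int(c)) for c in codes))

def deobfuscate_line(line):
    return RUN_RE.sub(_decode_run, line)

def deobfuscate(lines):
    return [deobfuscate_line(line) for line in lines]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python deobf.py unpacked3.vbs > unpacked3_clean.vbs
        with open(sys.argv[1], encoding="latin-1") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE
    for out in deobfuscate(lines):
        print(out)
```

Run it on the stage-3 output after the colons have been turned into line breaks, so each statement is on its own line. If the sample uses a different helper name or a different numeric base, change CHAR_CALL and the chr() conversion accordingly; the regex is deliberately anchored on a word boundary so that a longer identifier ending in X is not rewritten.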