Hello and welcome to Malware Analysis for Hedgehogs. Today's topic is wrapper files and how to unwrap them. At least it's one method to unwrap them; I think I will show some others in other videos. Our file today is win32.bat. I changed the extension so I do not accidentally execute it. Let's check what this file does, and I will explain along the way what a wrapper actually is.

Okay, DiE says it's possibly a VBS-to-EXE file. That means it assumes it's a VBScript that has been put inside an EXE, a Portable Executable file. So a wrapper usually works that way: you have a script, let's say a Java or Python script or VBScript or batch, and there's an application that turns it into an EXE by putting it into a stub. This stub will drop the script inside into the temp folder, execute it and delete the script after execution. And the execution and deletion part happens so fast that you often cannot just grab the file from the temp folder. So you need some tricks to get it.

Okay, so it says it's VBS-to-EXE, possibly, and the compiler is PureBasic. But we don't care about the compiler. If we know it's a wrapper file, we just want the script inside and nothing else. So we do not want to debug the unwrapping or something; don't care about the compiler. But now I want to know if that's indeed the case with the VBS-to-EXE. So first, I like to check with PortEx Analyzer's visualization where the interesting areas are. So let's just check this. I still don't have a mic stand, so the typing is a bit loud. That's the visualization. Oh, I missed one part. Give us a visualization. There it is. And the fan is loud, sorry. Okay, there is the visualization part. And in this area at the end there is a higher entropy, so it might be where the script is packed. And we have strings here; these strings here and here come from the imports, so we can see the imports there. And the strings here in the end are part of the resources.
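The entropy visualization the speaker uses to spot where the packed script sits can be reproduced in a few lines. The following is an added example, not code from the video or from PortEx Analyzer: it computes Shannon entropy over fixed-size windows of a file and merges adjacent high-entropy windows into regions. The sample buffer (zero padding, a manifest-like text block, then pseudo-random bytes standing in for the encrypted script) is constructed here; the window size and the 6.5 bits/byte threshold are my assumptions.

```python
import hashlib
import math
from collections import Counter
from typing import Iterator, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def entropy_windows(data: bytes, window: int = 512) -> Iterator[Tuple[int, float]]:
    """Yield (offset, entropy) for consecutive non-overlapping windows of the buffer."""
    for off in range(0, len(data), window):
        yield off, shannon_entropy(data[off:off + window])


def high_entropy_regions(data: bytes, window: int = 512,
                         threshold: float = 6.5) -> List[Tuple[int, int, float]]:
    """Merge adjacent windows above `threshold` into (start, end, max_entropy) regions.

    Compressed or encrypted payloads (like the embedded script in a wrapper)
    tend to show up as one such region; code and plain strings stay well below it.
    """
    regions: List[Tuple[int, int, float]] = []
    for off, ent in entropy_windows(data, window):
        if ent < threshold:
            continue
        end = min(off + window, len(data))
        if regions and regions[-1][1] == off:           # extends the previous region
            start, _, peak = regions[-1]
            regions[-1] = (start, end, max(peak, ent))
        else:
            regions.append((off, end, ent))
    return regions


def _pseudo_random(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy filler (chained SHA-256), standing in for an encrypted payload."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample layout (offsets in bytes), not taken from the analysed file:
#   0x0000-0x03FF  zero padding            -> entropy 0
#   0x0400-0x07FF  manifest-like XML text  -> low entropy (plain ASCII)
#   0x0800-0x0FFF  pseudo-random bytes     -> high entropy, the "packed script"
#   0x1000-0x11FF  zero padding
_TEXT = (b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">\n' * 20)[:1024]
SAMPLE = b"\x00" * 1024 + _TEXT + _pseudo_random(2048) + b"\x00" * 512


if __name__ == "__main__":
    # A text-mode version of the entropy bar: one line per window.
    for off, ent in entropy_windows(SAMPLE):
        print(f"0x{off:05x}  {ent:5.2f}  {'#' * int(ent * 4)}")
    for start, end, peak in high_entropy_regions(SAMPLE):
        print(f"high-entropy region 0x{start:x}-0x{end:x} (peak {peak:.2f} bits/byte)")
```

On a real sample you would read the file with `open(path, "rb").read()` in place of `SAMPLE`; a region that lines up with a resource or an overlay, as in the video, is the first place to look for the embedded script.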
Often, if they are part of the resources, you have the manifest there or other information that's in strings. And here are also some strings. So let's take a look into the area at the end. This at the front looks more like code, and that's something you would look at in a disassembler or Olly. But for now, I want to look at it with a hex editor, and that's where I usually see the strings and so on. So yeah, that's more code-like, and here is the area of the imports. Let's take a look at the end. Some padding, strings. And indeed, there's the manifest. And this area is the version information, which sometimes gives away some information like what the file was intended to do. But actually, even if it says it's from Microsoft, you cannot rely on that, because everyone can just edit this version information, and some people do.

That's an interesting string here: "b2e decompile p even dot bat". B2E stands for batch to EXE. And let's see if we find some similar strings here. That's the imports part. This regular pattern is often an image or icon. Okay, now that's interesting. Here we have the strings that belong to a batch-to-EXE wrapper. And there's also some kind of batch script inside here, but it's not our batch script that we want. Our batch script is saved somewhere, encoded or encrypted, somewhere in the file.

Now we know it's a wrapper, and with that we can use Olly to get the file inside. We open our file, and the idea now is that we just set a breakpoint on the WriteFile call. So let's do that. Run. We are now in kernel32 at the beginning of the WriteFile function, and we already see that there's the beginning of a batch script. So let's follow in dump. And there it is. We will see if we see the end. Yeah, here's the end. So we can just copy that: binary copy. That's a good idea. Now open your hex editor, new file, and paste it. And there we can save that. That's all. Dumped batch. Here it is.
Now change the language. And nice, that's a ransomware. Or yeah, that's a ransomware. Now you can see what's a pretty cheap ransomware. I mean, like, for the lines again. What it does is it deletes the safe boot keys. Okay. It adds itself to the usual autorun. It disables Task Manager, registry tools and CMD, removes the desktop, I guess. And then, well, you know, it has disabled CMD and then it says "Windows blocked" in the CMD. I'm not sure that this will be shown if CMD is disabled. Sometimes I wonder if the malware authors actually test their malware. So what's that? That's the code. And this turns everything back except for the safe boot option. I guess it disables safe boot if you remove these keys. But this will be reverted. So you can just enter this password. Or you can't, because CMD is disabled. Well, let's run the file. I think this might be interesting.

Yeah, but just a short notice: now we unpacked the batch script using Olly by breaking on the WriteFile call. I could have also waited until it has written the file and, before the deletion, could have set a breakpoint there and grabbed the file from the temp folder. Alternatively, you can change the security settings on the temp folder so no one is allowed to delete any file in it. Obviously this will prevent the deletion, so you can grab it from there. It doesn't work for this sample. I tried it, and it creates a folder in there and then a file, and then, because it can't delete anything, the application will just stop working. But this usually works.

Okay, executing it. It's not a batch really; this one's the PE, but our Windows doesn't care if it's .bat or .exe or anything, as long as it's executable. So okay. See, and that's it. No CMD and no ransom note. I doubt that they got any money from that ransomware. Now if I try to open Task Manager, it says it was deactivated by the administrator. Okay.
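Once the script is dumped, the behaviours the speaker reads off it (deleting the SafeBoot keys, adding an autorun entry, disabling Task Manager, registry tools and CMD, and the password path that reverts everything except SafeBoot) can be triaged mechanically. The following is an added example, not code from the video: a small Python scanner that runs over a dumped batch file and reports those indicators with line numbers, distinguishing the lines that set a restriction from the ones that revert it. The registry key and policy value names are the standard Windows ones, chosen by me (the video does not spell them out), and the sample script is constructed to mirror the described behaviour, with a placeholder path.

```python
import re
from typing import List, Tuple

# Standard Windows locations for the behaviours described in the video.
# These are real key/value names, but chosen by me; the video does not list them.
SAFEBOOT_RE = re.compile(
    r"\breg(?:\.exe)?\s+delete\s+\"?HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot", re.I)
AUTORUN_RE = re.compile(
    r"\breg(?:\.exe)?\s+add\s+\"?HK(?:LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b", re.I)
# Policy DWORDs under ...\Policies\System: 1 (or 2 for DisableCMD) locks the tool, 0 unlocks it.
POLICY_RE = re.compile(
    r"/v\s+(DisableTaskMgr|DisableRegistryTools|DisableCMD)\b.*?/d\s+0*(\d+)", re.I)


def scan_batch(script: str) -> List[Tuple[int, str]]:
    """Return (line_number, description) for every indicator found in a dumped batch script."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        if SAFEBOOT_RE.search(line):
            findings.append((lineno, "deletes SafeBoot keys (safe mode broken; the script never restores them)"))
        if AUTORUN_RE.search(line):
            findings.append((lineno, "adds autorun persistence via the Run key"))
        m = POLICY_RE.search(line)
        if m:
            name, value = m.group(1), int(m.group(2))
            verb = "re-enables" if value == 0 else "disables"
            findings.append((lineno, f"{verb} {name} (value {value})"))
    return findings


# Constructed sample mirroring the behaviour described in the video; not the real dumped script.
# The path on the autorun line is a placeholder.
SAMPLE_BAT = r"""@echo off
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svc /t REG_SZ /d "C:\placeholder\win32.bat" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableCMD /t REG_DWORD /d 1 /f
echo Windows blocked
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 0 /f
"""


if __name__ == "__main__":
    for lineno, what in scan_batch(SAMPLE_BAT):
        print(f"line {lineno:3d}: {what}")
```

To use it on your own dump, pass `open("dumped.bat", encoding="utf-8", errors="replace").read()` to `scan_batch`. The report makes the asymmetry the speaker points out visible at a glance: the policy values get a matching `re-enables` line, the SafeBoot deletion never does.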
And that's already it for today. Thank you for watching. Next week I'm probably pretty busy, so for now it's a bit hard to keep the schedule of one week. I guess for now it's more a two-week schedule, but I try to get back to one week again. Okay. Oh, see you next time.