Hello everyone and welcome back, welcome back to another YouTube video, welcome back to another malware analysis video, seemingly everyone's favorite kind of video that I've been doing lately. So let's dive into this one; I think this one is gonna be a lot of fun. I'm pretty excited to bring this to you. I will add a little disclaimer and note: I have already run through this, but trust me, this is jam-packed with a lot of good stuff. So let's dive into it. I'll hop over to my computer screen here. I am running in my Ubuntu Linux VM. Some of you might be scratching your head like, "John, what the heck? You've got a little Kali Linux dragon here. Aren't you running Kali?" No, it's just the wallpaper for the clickbait. That's all we do here, we just feed the YouTube algorithm. That's all I know how to do. So I'll open up my command line here, and I have a directory created called HTA, and in this directory I've got some files, like a little JSON file for some registry contents that we'll get into, and an HTA. That is not the original name of the file; I didn't want to end up doing that, because there are going to be some things that will be mentioned in this video about, hey, some folks, but there's nothing, there's nothing wrong with that.
There's nothing in that, it's just the name of the file. But you'll notice the .hta extension. Now, if you aren't familiar, if you aren't aware, if you don't know, etc., an HTA extension is an HTML Application. It's literally taking HTML, the regular markup language, Hypertext Markup Language, right, the HTML acronym, and giving it some superpowers so that it can run code, not just act as a decoration or the language that will help you structure documents, as HTML the markup language does, but giving it some other flexibility so that it can actually execute stuff. So the little blurb here that Google will give us: an HTML Application is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML, and one or more scripting languages supported by Internet Explorer, like Visual Basic Script or JScript. HTML is used to generate the user interface, but the scripting language is used for program logic. So it's spicy, there's some good stuff in there. You might actually see HTA files often used for things like ransomware notices, so that is its own can of worms that we won't dive into, and this one is admittedly not a ransomware notice. But take a look at this one. We have our work cut out for each other, ladies and gentlemen; this one should be a ton of fun. So I guess we can start by cleaning this thing. You guys know me, I tend to just try and save a copy of this so I have the original, and I'll go through it and try and add in my own, like manually going through it, carving through the code to add indentation and beautifying it, trying to make sense of the variables, etc., etc. And some folks have asked me, "John, what are you doing? Why are you wasting your time?"
"You're an idiot." And I tell them, I know, I know I am an idiot. You could just be using an online tool like a beautifier, and you're totally right, that would make this significantly faster. Now I say, hey, I like to use this time while I'm going through and manually beautifying the code to actually get a sense of what the program is doing, like what the code actually does. It's weird, I don't know, like washing dishes. It builds character, you know; you could just run it in the dishwasher, but there's something about it. Anyway, we will use an online beautifier for this just to kind of speed us along, because there's a lot to unpack here. You'll notice that this is just going to end up being a chunk of JScript, a chunk of JavaScript, and that's it. So we'll pass this to a JavaScript beautifier online. Maybe that takes some fun out of working through it, but trust me, we're gonna dive into some good stuff in just a moment. So let's fire up another web browser, let's go for a cheeky JavaScript beautifier, and let's grab beautifier.io. Scroll down, dump in the code here (it's all one massive line), click on that "beautify code" button, and now it's a little bit more sane and sensible, not a lot but a little. Alright, oof, oof, that lost some of the indentation, so I'm just going to select it all and tab it through. I think that's as far as we... yeah, okay, cool. Nice, so here we are with our neat little JScript or JavaScript rendition. And I've said this many times in the past: if you aren't familiar with JScript and the differentiation between it and JavaScript, it's basically JavaScript, not gonna lie.
It's essentially JavaScript, but it can run on your host, because Windows, the little Microsoft dialect, their rendition of JScript, this iteration or sort of rendition of JavaScript, is a "high-performance scripting language designed to create active online content for the World Wide Web" (JavaScript loves the world), "automating a wide range of objects in web pages, including ActiveX controls and Java programs." Again, Google's blurb here. Yes, it's used in Microsoft Internet Explorer, and it's implemented in the Active Scripting engine. So you might see objects like an ActiveXObject that allow you to do things with the Windows operating system, on that host, on that computer. So now that we know what we're looking at, let's try and make sense of this thing. We're in this cleaned file name, so I don't think there's a whole lot to do other than dive through it. We have the start of, seemingly, a registry key: HKCU for HKEY_CURRENT_USER, and the Software little subfolder there, a little key. Now that variable has a random name, but it's used in the very next variable to just concatenate some strings together, so I don't think this is used anywhere else. Nope, it's not, so we can just grab that and put it right there, really easy. We don't need those semicolons or that concatenation, because we can make sense of what it is and what it's doing. And then we have some other wonky stuff going on. You'll notice they're using a backslash-x to denote a character; 0x68 does land us in the range of ASCII characters, so while this looks like a byte, it looks like a hexadecimal thing, it's still gonna end up evaluating to a regular printable character. It adds in an "fi", and adds in a list or an array. Now, I see this structure a lot: there are a lot of variables, or some syntax, where it's just a list.
It's just an array, but they index one specific part of it, which is weird, and then, I don't know, it's just adding extra noise, adding extra chaos, stuff to avoid that antivirus stepping in, those preventative security measures, from automatically detecting this. So it tries to hide. This is the artifact that was left on the computer, touching the file system, so they're gonna be a little stealthy, they're gonna try and be clever. Now, because they're using this syntax to just grab a character from this list or from this array, and because it's just simple string concatenation, we can honestly probably carve this out and determine what that value is going to be. Now, I'll go through this, I'll try and move pretty quick because it's probably pretty boring to look at, but because it's Node, because it's JScript... did I open up another terminal? Yeah, I did. We can just run it locally, kind of server-side on Linux, in Node or using Node.js. Now, if you get to the portion and fragment of JScript code that is specific to Windows, like creating those ActiveX objects or working with WScript and WMI and things like that, that obviously won't work, it won't run in Linux. That's part of the reason why I do some of my analysis in Linux: because yes, I'm more familiar with it, I enjoy it, I like being in Linux, but it's also because I'm not gonna accidentally detonate some portions of the malware. Now, I say that and I'll totally go into a Windows VM and throw stuff in there anyway, but you know, you know me. So let's slap this in, and this will just churn out what that variable is gonna end up being set to. I went through this in kind of an iterative process and just messed with it, so I will try and cruise through that so you really see the same thing, and maybe I'll go ahead and clean up and edit this video so there's a quick, speedy time-lapse or something. I like this one, it's a good old F variable. Can I get an F in the chat?
F in the comments. Okay, so I finished going through, just determining what those values might be as strings. Did I lose one up at the top here? Oh, I guess I removed that one for the registry key and didn't end up nerfing it. But you'll notice that none of these are really all that useful; none of them mean anything or do anything. That doesn't look like Base64 or some other kind of encoding that I would recognize. Now, that doesn't mean, however, that these are just complete nonsense. Maybe later down in the code these variables will be used; maybe it just indexes a specific letter or gets some characters or substrings and slices of it. So I'm gonna keep them. We could try and rename them to what their contents are, but for now I'm just gonna leave it and keep cruising along. This next segment of code looked really weird to me, because it runs a try statement that'll try to evaluate code or do something, but it instantly throws an error, and it catches this error. It uses a try/catch, and the catch will take in an argument, which I wasn't sure about: is that gonna be the exception type, is that gonna be the error message? And then it tries to index that, like with square braces, taking out portions of it. So I thought that was weird and odd, but these try statements aren't going to mean anything.
They're just, again, more noise to trip over AV or whatever the case may be, and then the catch code will actually run, but grab the value, maybe, out of these error messages. We can try this again in Node and just see how it looks and what it evaluates to, so I'll slap these in, but you'll see it just makes the period be the only thing that's actually returned out. So that's that, I guess. We can try this over and over again and slowly determine what it builds out, but you'll notice maybe there's a little bit of a pattern here: whatever is passed into that throw statement for the error inside of the try block, it grabs that and considers that to be the value of the variable that it's setting inside of the catch statement. So again, maybe this will be useful somewhere. I'll speed through this in the magic of video editing, so you guys don't have to sit through me doing this song and dance. Okay, so now we're done with that segment, and again, now we just sort of have single letters, which isn't all that useful. We may get to a point where all this is practically useless; eventually we'll get to maybe a lower level, or a segment of the code that just evaluates everything. In fact, that's probably pretty likely considering what this does next, and maybe that's like, "hey John, you wasted your time here," and that's probably pretty valid. I still like to go through it when I can, to get a better idea as to what the code is using or what variables might be in it, like some of these maybe wouldn't evaluate out to a single letter, or it had something like more of a smoking gun or more of a telltale as to what was going on, so I wanted to go ahead and go through that. I'll still do this for the other segments, and then they start to actually pull out some interesting JScript or JavaScript constructs here. Maybe that was just part of my mind, because this came from "constructor" as the string that it built out. Looks like these others might be doing something
similar. I'll grab this variable; let's see what we have here. Oh, an eval statement, eval to run more code. P8 s m a s is being set to the `this` object. Now, the `this` object in JavaScript or JScript will keep track of the instantiation of the code that's running, like all kind of notions of functions or variables being set. Like, you can literally see all of the variables that we've just defined or kept track of in this object, this `this` object, this `this` object named that thing. So let's, let's again just take that value. I do want that, and I neglected to copy-paste it. Copy-pasta. Let's see what this guy does. Oh, a WScript.Shell. So that will give us a little bit more functionality to do things specifically with Windows. That means that maybe we actually will get to see some fireworks go off in this code after all. Let's go ahead and grab this next portion. I'm gonna make sure I get the full variable name, because that way I'm still in the context of my Node interpreter as I go through it, in case it's used later on, and Node will return it out for me. So we get ActiveXObject, just as well, as a string that this code has now built out the primitives for. So is it gonna end up... oh, we're in RegRead. Oh, okay, do we end up using RegRead? Now that they build out all these string primitives to be able to do something, and they're using that specific JScript and JavaScript kind of syntax, what will this do? I see an eval statement yet again, another variable, we're almost at the end here. Oh, and this is "close"; we need to close some handle or something. What do we got here, LCT? What is that supposed to be for? What is LCT supposed to be? Like part of "select"? No, that wouldn't make sense. This is being used though; this variable is kind of put into action right away. They take LCT and index it off the same thing. Oh, off the constructor. What? How does that get a function out of that? LCT, LCT indexed with "constructor". Oh, is that... oh, that's super cool.
So that's like the object, right, a String object. That could probably be literally anything. Let's throw in the classic here, take the constructor, and yeah, yeah, yeah, so if you get the constructor of the constructor, you just suddenly have a function. That's super slick. Wow, they just pulled a function out of thin air. Let me take note of that: "outlines a function," maybe that's the best way to say that. And then they go ahead and use that variable in the very next one. Were they to define a function based off of this guy? Oh, and that was the eval. So they make an anonymous function with that, is that what they do? This guy, he exists; context doesn't know. No, I didn't, I didn't define it. Let's grab that, slap it in. Function. So let's not call this, because I don't want to really execute that, but yeah, it makes an anonymous function. But if you were to execute it, it takes everything in this instance and stuffs it into this p8 SM 8 variable. Let's, let's do it, like, that's not going to be malicious at this point. So that didn't return anything, but now we should have a new magic variable, because it's been evaluated and executed in the current context, without explicitly creating this variable. It has now been defined with all of the guts that this, right, this code and this object already pulled out. So that's kind of cool, and then we try with actual stuff that's happening here. FL GLDH being defined as a new `this` object referenced or indexed with an ActiveXObject. Is that right? Why is that not defined anymore? Circular. What that will reference and get is ActiveXObject, and then it passes in a "WScript.Shell" string argument, so this essentially is going to be WScript.Shell. I think that's fair to say. So we get capability to do Windows things, and then we eval, you can see that up there.
We run another eval statement with WScript.Shell RegRead, so we request a registry object on NAL GNKD, which is the one that's defined up here. Aha, okay, so we RegRead that, get the contents, get the value. That's not like set, is it? It's not pulled into... how is that being saved, or sort of the variable, or is it just executed? Is it eval? Oh, they run close. Oh no, no, no, no, no, it is eval. They eval the RegRead contents, so they're executing all of this out of the registry; the next stage of this will come from the registry. Right. Yeah. Okay, so just as kind of a nice benchmark, we successfully turned this monstrosity into this, which makes at least a little bit more sense. So I still think a good thing to do is to just figure out what's going on, and I didn't end up renaming a lot of variables in this one, but it's so kind of pieced through, what it really does. So let's keep cruising. We have this registry file that I have prepared and gotten ready for us; the registry.json has some good data in it. This is a pull from the registry of that target and victim machine at this time, and we go ahead and examine what really was going to be pulled from this specific key. As you can see, that's the one that's referenced here, and it pulls the data down and executes it. So the data here I'm gonna go ahead and grab. Because this is in a JSON format, and because it's wrapped in quotes and in a string, it might have some escape characters in it, so I'm just going to wrap that all in some output, and now I can grab the original portion of it. So we'll call that stage2.js, still JScript at this point, but since that is new code, let's try and beautify it here and let's see what we're working with. We'll probably save that as, like, stage2_beautified. Good, good.
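The obfuscation idioms walked through above (the \xNN escapes, the array literal indexed for a single element, the value smuggled through throw/catch, and the constructor-of-the-constructor trick) as an added example that is not code from the video or the sample: a small static folder in Node.js that collapses those patterns on a constructed snippet, so an analyst can read the strings without executing anything. The regexes, the sample text and the function names are my own assumptions, not the sample's.

```javascript
// Added example, not from the video: statically fold the JScript obfuscation
// idioms discussed above so the strings become readable without running them.
// The input below is a constructed snippet that imitates the sample's shape.

const SAMPLE = [
  'var k = "\\x48\\x4b\\x43\\x55";',                      // \xNN escapes spelling "HKCU"
  'var s = ["zz", "WScript.Shell", "q"][1];',             // array literal, one element used
  'var r; try { throw "RegRead"; } catch (e) { r = e; }', // value smuggled via throw/catch
  'var f = ("").constructor.constructor;',                // String -> Function constructor
].join('\n');

// 1. "\xNN" -> the printable ASCII character it encodes. Quotes and backslash
//    are left escaped so the folded text stays valid source.
function foldHexEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g, (whole, hex) => {
    const code = parseInt(hex, 16);
    const printable = code >= 0x20 && code < 0x7f;
    const delimiter = code === 0x22 || code === 0x27 || code === 0x5c;
    return printable && !delimiter ? String.fromCharCode(code) : whole;
  });
}

// 2. ["a", "b", "c"][1] -> "b", for arrays of string literals with a constant index.
const STR = `"[^"\\n]*"|'[^'\\n]*'`;
function foldArrayIndex(src) {
  const re = new RegExp(`\\[\\s*((?:${STR})(?:\\s*,\\s*(?:${STR}))*)\\s*\\]\\s*\\[\\s*(\\d+)\\s*\\]`, 'g');
  return src.replace(re, (whole, items, idx) => {
    const parts = items.match(new RegExp(STR, 'g'));
    const i = Number(idx);
    return i < parts.length ? parts[i] : whole; // out-of-range index: leave untouched
  });
}

// 3. try { throw V; } catch (e) { X = e; } -> X = V;  (the catch argument is
//    whatever was thrown, so the "error" is only a carrier for the value)
function foldThrowCatch(src) {
  const re = /try\s*\{\s*throw\s+([^;{}]+?)\s*;?\s*\}\s*catch\s*\(\s*(\w+)\s*\)\s*\{\s*([\w$.]+)\s*=\s*\2\s*;?\s*\}/g;
  return src.replace(re, (whole, value, errName, target) => `${target} = ${value};`);
}

// 4. anyString.constructor.constructor is the Function constructor; report the
//    variables it is assigned to, since calling one with a string is an eval.
function findFunctionConstructor(src) {
  const hits = [];
  const re = /(\w+)\s*=\s*[^;]*?\.constructor\s*\.constructor\b/g;
  let m;
  while ((m = re.exec(src)) !== null) hits.push(m[1]);
  return hits;
}

// Confirms the claim from the walkthrough at runtime, without calling the result.
function constructorOfConstructorIsFunction() {
  return ("").constructor.constructor === Function;
}

function deobfuscate(src) {
  return foldThrowCatch(foldArrayIndex(foldHexEscapes(src)));
}

const EXPECTED = [
  'var k = "HKCU";',
  'var s = "WScript.Shell";',
  'var r; r = "RegRead";',
  'var f = ("").constructor.constructor;',
].join('\n');

console.log(deobfuscate(SAMPLE));
console.log('Function-constructor aliases:', findFunctionConstructor(SAMPLE));
```

Each pass is deliberately narrow (string literals, constant indexes, a bare throw of a literal), which is exactly the shape these samples use; anything it does not recognise is left as-is rather than guessed.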
Let's slap that in there now and let's see what we're working with. Again, some indexing; it defines the letter "u". Super exciting. Let's store these just in case we need them. This one gets the letter "n", which you could tell from just simply reading it, but I'm gonna copy-paste frenzy right now, everybody, so... Don't... oh, I actually didn't see that one coming. I didn't expect that to turn into "run"; I just thought of the "un". So now we have R-U-N, "run". Now that variable, which is that R variable, which was not defined in this script, is still pulling from the context of the original wacko thing here, so this VFR C4 X0 M, the one that's been defined as R. Oh, I just realized literally all of those were defined to be straight-up nonsense and then re-evaluated. Just make more noise, guys. Don't let the, don't let the EDR see you. So we get "run", and then this was our WScript.Shell, right? WScript.Shell grabbing the Run function and then passing in some commands here. No new syntax. Oh, PowerShell. PowerShell's in the mix. Scroll all the way to the end. I see some commas here, which tell me that these are other arguments, so if I were to slap this entire input here, as if it were maybe mangling the string a little bit, I will run into a wall just plopping this into Node.js, because zero is going to end up being the return value from the very last element there, like the comma is going to get in the way. So as you can see, that evaluates to zero, that second argument evaluates to zero. So these are just the arguments for, like, no window; I think when you pass those to Run it's like minimized, no window, just try and be as stealthy or as quiet as you can.
So let's just pass that in as Run, and now we have this PowerShell portion, which I'll grab all the way to the very end, because I do see them doing some weird string stuff in there. Yeah, it's indexed out, but I'm sure you, being the smart person you are, can see that that is just going to poop out powershell.exe -enc, for encoded. Yeah, yeah, yeah. So now we have another PowerShell payload, now we have another stage yet again. This is encoded in just simple Base64, so we can hop back over and try to Base64 decode this. I'm just going to spit it out into standard output and pipe it to... I realize my pipe isn't visible because my big ugly face is in the way. I'll pipe that to base64 with a -d to decode it. Tactic. Now we get this, which is kind of tiny, which is kind of small, but let's go ahead and define that: we have now a stage 2, let's make a stage 3, and now we're into PowerShell. We've broken out of some JScript, but let's see what this thing is. Nice. Let's clean or beautify this. I haven't found a good online PowerShell beautifier; I know there's one that you can run locally, there's like a DTW beautify script that you can download and work with, but truthfully, I don't think I have it installed on my Linux rendition of PowerShell right now. But anyway, this one was super small and super easy.
We could just do it by hand. Notice they have lots of random backticks in here. That backtick is typically used as an escape sequence or an escape character in PowerShell. Oftentimes you see a backslash in other languages, like backslash-n to denote a newline, backslash-t to denote a tab; that's all done with an escape, or a backtick, in PowerShell. But if you were to add in a backtick on a letter that doesn't need to be escaped, in certain cases PowerShell doesn't care and it pretends they aren't there. So that's again another kind of cheesy technique that could be used to hide and make sure that, hey, stupid signature detection won't pick up on some of that blatant and egregiously bad code. So just nerfing out all of those backticks, looks like now we have reg being built out as HKCU, so again the current user, and x2m; that's the same reg path that we saw earlier. But there's this whole other big thing here: fullreg is gonna end up doing a format string, we add in, looks like, "Software", replacing some characters, and oh, there's another semicolon there. The expression will Get-ItemProperty, and then there's an IEX, ah, an Invoke-Expression. IEX is the PowerShell alias for Invoke-Expression, which means that it will run and evaluate code on the fly, so it doesn't need to be written to disk. We have the fullreg variable; we could try and build that out. I'll put Node over at the top here, and now let's hop into PowerShell. I'm running PowerShell Core in my Linux virtual machine, so if I just spit this in, it's not really gonna give me anything, because these other variables aren't defined. I probably should have copied those in just as well, so let's go ahead and grab those; we'll take all of these strings here, pretty please, and fullreg we will determine to be... obviously I'm dumb, sorry, it's not gonna display it out anyway, because it's just setting it to a variable; in PowerShell that won't return that out to you.
So you have to examine it and take a look at it yourself. This is the registry key, that is the same location that we saw this thing to begin with, and was referenced in that previous HTA file: zero or o and x2m, blah blah blah. But where is the key of it? Looks like that's built out in the expression. So the expression will get this registry key and add in the parameter, or the param, which we know is 7 1 tx 1 q d vias. Great. And then using the format string really isn't necessary; it's just to make this confusing for a program. It's IEX, or Invoke-Expression, and it evaluates that out. So now we have transformed, and once again gone into the registry for this 7 1 tx 1 blah blah blah, to bring us to stage 4, right now in PowerShell. So again, I will go ahead and copy this out, I will go take a look at this. I again displayed it out with quotes around it in case I accidentally have any specific... oh god, that's seizure-inducing, never mind, never mind, please stop, please stop. All right, I'm killing that window. Sorry, that was pretty bad. In case it has any backslashes in it to escape out the strings, let's not do that. Actually, you know what, maybe we can just do it as we need to. We'll call that stage4.ps1, and the line is so long that the syntax highlighting is not triggering on PowerShell, so let's call this stage4_cleaned. Oh, but this looks like the classic syntax where you just use a gzip-compressed stream, Base64 encoded, to bundle up a whole other payload. This is super common; I think we've seen this a lot. I'm sure segments of Cobalt Strike or any other malware family or evasion framework thing would do this. This is pretty much a long PowerShell script, so we'll see what we get here, but down at the very bottom you can see that we do decompress it with gzip... was it gzip, was it gunzip? Oh, DeflateStream, okay. And it reads to the end and passes it to a pipe, where it invokes another IEX, I'm assuming, because it tacks an X on here.
Oh, but this is kind of neat. I haven't seen a VerbosePreference variable being used for building an IEX before. That's slick. It one... hello, computer, one two three. We're... are you just not gonna display that out for me for some reason? We could do it in Windows if we wanted to. You know what, let's sing and do it. We'll get PowerShell in here. Ta-da. One what? What? That's voodoo magic. Oh god, oh gosh, I'm sorry. "Unexpected token IEX." That's it, that's it. Whatever, IEX, Invoke-Expression, and it's piped to it, so obviously all of this will be unraveled and decoded and piped to run, but we don't want that to detonate, right? So I'm actually just going to unravel this. I'm gonna call this stage4_nerfed or something, and let's go ahead and remove that Invoke-Expression call, because I don't want this thing to run, I don't want it to take off on me. I will use PowerShell, however, to go ahead and allow this thing to decode itself. I need to be in the HTA file folder. There we go. So stage4_nerfed, if I hit enter on this, will spit out all of that deflated and decoded, and now we have this. So I think I can pass that to Out-File, right? Out-File, or pipe it to Out-File. That's PowerShell, stage5.ps1. Yeah. Stage 5. Oh boy, okay, we're in for a treat now. This is huge. How big is this one? Look at the sidebar on the right in Sublime Text. How many lines is this? Almost a thousand. Almost a thousand, no big deal. We're only like 30 minutes into the video anyway; who needs... oh, why don't we go for another three hours? Um, what is up with this? It makes a TES variable that's just LKHJ. What is that?
It's just straight-up "test". Oknib returns. That's a meme for any other watchers of this channel; Oknib has gone down in infamy as a great PowerShell analysis meme here. So they're running Add-Type, so Add-Type will allow us to automatically compile inline C# code from within PowerShell. Add-Type does touch disk; it uses csc.exe, or the command-line rendition of the C# compiler, and that will leave some temporary files in the Windows temporary folder. You'll see them sometimes with a random name, .0.cs or .0.out or .0.cmdline, and that will touch disk; that is an indicator that Add-Type was used to compile C# on the fly. But that's very powerful, right? That gives PowerShell a lot more power, in that it can use Win32 API calls, as we're seeing right here, where we can load in some functions from other DLLs or other libraries. You can see that this grabs and pulls in the syntax to... oh, what do we got here? VirtualAlloc, you know, allocate some memory. LoadLibrary, maybe load in a DLL or some more code. GetProcAddress, to dynamically look for addresses. memcpy, stuff in that shellcode, just put it in the buffer. Protect the allocated memory, or maybe mark it as executable, right. WaitForSingleObject, just let it go. And CreateThread, obviously, execute the thing. So PowerShell is certainly much more powerful when we can load in some of that, and that's C# inline within PowerShell. Then we do this thing, which is just a rainbow of a format string with a lot in here. Let's, uh, let's turn word wrap on for that one, take a look at it with the magnifying glass. I see a couple of semicolons in here, so this is like a multi-line thing. Can I just take this and put it into a different window so that way I can remove these newlines? Yeah. Type of that string arrangement... that gives us an object. What is that? What is that string on its own?
System.Runtime.InteropServices.MarshalAsAttribute. Okay, so this is gonna do some sort of reflective technique, I would think, I would imagine. What is all this gonna give us? Stop those in... oh, what's happening? Oh, did I miss a...? No, I might be completing things. There's a Set-Item; it sets a variable to... I need the, ah, what's happening? I am Dumbo. UnmanagedType. Okay, now these are being prefixed with an at sign, or, sorry, the ampersand. So I wasn't positive about this to begin with; I was like, what is that ampersand doing? Like, if I took this right here, took this whole syntax and slapped it in, it doesn't return anything out to me, but I noticed that it was defining a variable, right? It uses Set-Item, Variable, on that syntax. So if I took a look at the variable, it looked like it actually defined that variable even though it was already running in strings. So I started to think this ampersand is just like another Invoke-Expression, or it'll evaluate code, it'll eval that, like it's trying to execute, please, sub. So we are continuing to run code through all of this. Now I kind of want to know what this does, not gonna lie, so let's just send it, you know, let's just let it rip. But it dies for the last line: "cannot convert the kernel32 value of type System.String to type System.Type." I'm surprised this actually worked all that well in Windows, but I guess it is just defining variables, actually. What variables were defined there? Zny... oops, sorry, I was bringing myself into the video by clicking and dragging OBS. Zny is defined, we have more module objects, tests, of course our favorite LKHJ, RegPath is still in there, RegKeyName, everything that was defined. But row, who is new, BitConverter; param we saw before, but KJQ and L7P, those are new, pulling in an AppDomain and other oddball stuff. DQ 5 4, as we saw, Reflection, CallingConventions, AssemblyBuilderAccess. So, building up the capability to do other spooky, scary stuff. It errored, though.
So part of me wants to see what that error is on Windows. I'll go back here. Oh, PowerShell does weird things when it's not, I'm not fully... I am fully maximized, what's going on? Let's just paste it in, let's see what we do. Oh, whoa, whoa, whoa, a lot of these are getting blocked by AMSI, or that Antimalware Scan Interface: "this script contains malicious content and has been blocked by your antivirus software." So part of me wonders if this thing is meant to be an AMSI bypass on its own. Like, if we go back... oh shoot, I guess I never made a clean copy of this. I'll do stage5_cleaned and Control-Z my way home; we'll go back to the original stage 5 before we started to clean it up. So this whole big thing, I wonder if that is meant to be an AMSI bypass kind of on its own. So I'll go back to Windows here, and AMSI is on: if I run an AmsiUtils test string, it does get triggered and blocked. But if I paste all this in, I get the same error that I did in Linux: "cannot convert the kernel32 value." Now that's in the code like that; that's literally what it was supposed to do. So did it just fail when it detonated? Did this not actually get anywhere? I don't know. And I was thinking, do I need to use... does AMSI have to be off for this thing to work? So I jumped over to amsi.fail. I'll credit and kudos to Flangvik for this, and you've seen it, I'm sure, a few times before. Flangvik is actually exceptional; I see him on Twitter and Twitch every now and again, streaming and doing some cool C# stuff. So let's see if that actually bypasses AMSI. Would you look at that, it did. Now I can run that test proof-of-concept string without a problem. So, anti-malware scanning your faces off, and if I were to go back and grab this big long syntax, does it work now? It's still a syntax error. I don't know what that was supposed to do or where that would have come from.
Maybe if we were to drill into it more and more we could make sense of it, but at this point I think it's time we just move on. This looks like a test to determine the architecture: it's checking out the size of an IntPtr, which means, okay, is a memory address gonna be four bytes, or anything otherwise? Four bytes for 32-bit; looks like eight bytes, I think, for 64-bit. Maybe I said that wrong, I don't know; my mind just kind of fell apart in that moment. Oh, this is a beautiful try/catch statement that does nothing. Here in the wild, caught in the natural habitat: double try/catch statements completely wasting space. That's a good one. Oh, I'm cleaning again, and I need to be in my stage 5 cleaned file. Let's get back to where the action's at. Now what are we doing? We have some more variables being defined. Our PathReg looks like it's replacing... oh, is this doing something with the RegPath variable? It puts it into our path. Yeah, yeah, yeah, so that's the original here, that's the key that we were looking at. But body, I'm assuming, looks like it puts together a mangled Get-ItemProperty, reading from our path with RegKeyName. But that RegKeyName was never defined in this script. Again, that comes from our stage 4, or it would have been our stage 3, right? Going back to stage 3 cleaned, we had reg and regpath and all these in this param and fullreg. RegKeyName was never actually used in this snippet of PowerShell, but it will be used in the one that follows, following those IEX layers. So param is what it's calling... no, no, no, no, it was a... it's RegKeyName. Yeah, my face is in the way. RegKeyName. So RegKeyName is this g6 f1 jazz, and that guy's right here. Oh, that's a big one. That's a big fish. Is he the only one that spirals on to infinity?
You love to see it, you love to see it, ladies and gentlemen. What's this guy do? What are you? It doesn't immediately come across as a... let's do this in CyberChef real quick, just to see if there's more we need to do with it. Maybe the script in PowerShell will do something else with it, but let's remove those quotes. Let's do a From Base64. Nothing. Not a DOS executable, not a PE file or a Windows program. We'll download it. So, Downloads, download that into... what was this thing called? Good old g6. Yeah, dude, malware like a G6. What are we doing? Okay, now we got that file created, and let's go back to... let's see what the code does, let's see if it does anything actually with this.

Then where do we go? Function Get-Win32Types. Oh wow. What? Wait a second. What? Look at this segment here. Look at this stinking code. This is unruly. That is insane. It's pulling together, it's carving out, it's building types that are known in, like, the Windows 32 API. Like, a lot of these... yeah, there's so many. That's, for one thing, freaking cool. Again, there we go. No, then we're done. Hey, return Get-Win32Types. Here you go, have like half of the entire Win32 API at your disposal. And then we get constants. Well, does this genuinely just carve it all out? Oh, this is just setting the values though, isn't it? Like, if we paste this all in... I want my Win32 constants now. Let's see what we look like. I think that's cool, not gonna lie, even if it's just like, oh hey, we're setting up the constants and the values for, oh, execute read and execute read-write, but some MEM_COMMIT stuff. That's just kind of cool in my opinion, like building that all into the PowerShell script makes it even more powerful, as I've said before. Does the Win32Types one just go? Does that work? Trying this on Linux probably won't have the most leeway. Oh yeah, that's pretty bloody. "You cannot call a method on a null-valued expression." Stop trying, you idiot.
Let's do it on Windows. So we get, oh no, this is gonna be a long time. Oh, it's actually cruising. It did it. What do our Win32 types look like, ladies and gentlemen? That's kind of cool. That's kind of cool, not gonna lie, and I'm sure you could drill down into these even more. I'll use fl *. Great, thanks, pretty useless. Can I like index some of these? Or if I Get-Member on everything, does it do it? Yeah, NoteProperty, runtime type. I'm sure like if subsystem type... Super Smash Brothers, yeah. Okay, so they're just more objects and stuff you could deal with. That segment of code was huge, and I just kind of wanted to see what was up. So forgive me a little exploratory tangent, as I tend to do.

And we have a bunch of functions. The backticks are in here again for some escape character sequences. Sub-SignedIntAsUnsigned. Yeah, that's what that says: sub signed int as unsigned, like subtract or substitute, the numbers carry over. That's genuine math. That's math, guys. And then it runs ls. Oh, ls on variable value two in 60. That's weird. Why would it do that? Why would it need to do that? Add-SignedIntAsUnsigned. Okay, more math. And yeah, defining variables to let this thing go, cool. Compare-Val1GreaterThanVal2AsUInt, unsigned int, couple if statements in there. Convert-UIntToInt, Test-MemoryRangeValid, Get-Image... oh no, no, Get-ImageNtHeaders. Yeah, that makes the most sense to me, putting to use our good old Win32 types, everybody. Go to the library, check out every single book they have. Get-PEBasicInfo, Get-PEDetailedInfo. This is huge. I'm just cruising through it because I know we have a thousand lines to get through. Copy-Sections, Update-MemoryAddresses. Oh, that actually sounds kind of bad, sketchy. Now we're updating memory, so we are writing to memory. We are gonna do some more reflection. Import-DllImports. Local Get-DelegateType.
Oh, we see Get-DelegateType all the time. I just saw this. Wow. Wow. That's, uh, you can't plan for this, people, the show's not scripted. That's just the perfect place for obfuscation to just cut stuff up. Invoke-MemoryLoadLibrary. What does that do? Oh, that's the end. That's like the bottom. That's very interesting. It uses this IEX thing with the ampersand, right, invoke. That's mangled with the format string, with the f-string there. Invoke-LoadLibrary... Invoke-MemoryLoadLibrary, yeah, with the body, with the registry value. But that's not an executable. What are they doing? Is it just shellcode? Is it not? Takes in PE bytes, yeah. Gets our good old Win32 constants, gets our Win32 types, taking home the whole house. PE info, get info, Get-PEBasicInfo, I'm assuming. Loader, with some variables. What is that actually trying to spot? I genuinely can't make sense of that one, so I just want to check. Child item, oh, duh. Come back, come back, Sublime Text. Thank you.

P handle starts at zero, effective P handle zero. What happens if you set a P handle to zero? Does it do something weird? Variable virtual stuff is going on in that. Let's word wrap this thing. VirtualAlloc, the load address, PE info size of image, constants MEM_COMMIT, constants MEM_RESERVE, execute read write. Totally slapping some shellcode in. Effective EPN, P handle, address, Add-SignedIntAsUnsigned. Let's get the word wrap back in here in this big thing to see what this actually is doing. Size of headers. It's running copy, so it's gonna end up copying the payload, all the bytes from it. So it is totally gonna do some shoppers, I'm assuming. You're going to end up like calling write or CreateThread. Importing DLL in the Copy-Sections though, add... Update-MemoryAddresses. Update-MemoryAddresses, I think. And where is it? Where's the stinking WaitForSingleObject?
There it is, CreateThread. CreateThread right there, if you couldn't read that, and WaitForSingleObject. So that's what that does, but what is this thing? That's our g6. Oh, get in the directory, please. That's our g6 boy. Stay there though. It's not an executable. This is the same thing that we would have seen out of CyberChef. All right, well, I spent a few minutes just fumbling around in Ghidra to see if it does anything, but I didn't get a lot out of it. So let's do what we always do. Let's do what makes everybody angry but still always works, like all the time. Let's look and see what gems this thing has, if it has anything. A lot of pps in here, you know. Thinking back, I really regret saying that, now that I said it out loud. It just didn't... it really didn't sell the way I wanted it to. You know, maybe that didn't sound that good.

Registry stuff: Software\Microsoft\Windows NT\CurrentVersion, with an endpoint and URL to reach back out to. Let's keep an eye on that. Let's see if we reach out. DisableRealtimeMonitoring, that's like, hmm, shut down Defender, please. It's literally Software\Microsoft\Windows Defender\Real-Time Protection. Yeah, just go home, Defender, pack it up. DisableAntiSpyware, DisableRoutinelyTakingAction, NoAutoUpdate. Oh, that's awesome. I mean, I should throw this thing in the drop, but we have all our answers right here. mshta for an HTA file again, and what are these huge amounts of IP addresses and domains, like HTTP URLs to reach out to, some HTTP, some HTTPS. There are so many. Holy cow. Okay. Config, kill all, kill, stop, resume, modules, update, update. There's a user agent in here, there's a Mozilla Windows NT, tried making a POST request.
I'm assuming gathering information like the install date, digital product ID, and there goes another round of a huge amount of IP addresses. Scroll past all that. What we got here? 37, one... these are just kind of on their own, so they look a little weird. Unicode characters. memset, memcpy, InternetCrackUrl. I've never heard of that. Is that genuinely an API call? I might be wrong. I mean, it may very well be, I just have never heard of that InternetCrackUrl. Okay, there's a lot of other stuff in here that is just seemingly API calls.

Okay, so I need to kind of lay my hand on the table, I need to lay the cards out in front. The original file that this came from, the .hta file that this all started with, was in the Users folder, poor Carrie, in her AppData\Roaming, and it had this username, this file name, sorry: sui6q9ennh. I want to keep track of that because I think that's useful as to what the original file name was. You know what? Let's actually go ahead and move the original wacko.hta to that original name, kind of as it should have been. But that mshta is like the persistence for this thing, like I mean this is how it's gonna end up kick-starting itself. And it was interesting to me that it already knew the specific path for that individual user, and the same thing with the registry value. Like, it already knew this binary, this shellcode, whatever this was, already had the context of, hey, this is the registry key that we're using, this is the username that we're targeting. That was kind of neat in a weird way, but that's the end of the strings. So at this point, I think we have gotten the idea across that this is bad. I think we can all agree that this is malicious at this point, but I do want to know: what is this thing? We want to give it our diagnosis, right?
So let me take a look at these strings one more time. Those IP addresses might be kind of smoking guns. Maybe that's something we could latch on to, to do a little bit of research, a little bit of detective work as to what really this thing is. Oh, I don't really want to use strings if I want to copy all of those IP addresses. There's some here. Wait, those are present in this thing as well. This looks like a JSON object. Yeah, I'm gonna remove all of the commas and replace them with a newline. There are a couple oddballs that have the beginning and ending quote, so now let's remove all the commas and just delete them. Let's remove all the quotes. Okay, so now we have some indicators of compromise, potentially, or IP addresses or endpoints that this thing might call back out to. I'd love to see if any of these things still exist. And don't you worry, everybody, I've got a VPN, a little proxy, I mean, inside a virtual machine. You and me together, are we here? No, no. Ringing the phone, but no one is picking up. Oh, sorry, that needs a curl. Also no answer on that one. The certificate might be being weird. Maybe now... all of these don't seem to respond. What about these guys on here? No route, no route, bad request. Oh no, no, no. Does it need HTTPS? HTTPS, please. HTTPS.

I genuinely haven't seen this. This is new. What is this? Oh no. Okay, we're kind of going into uncharted territory for the moment, so bear with me. This might be a long video. Let me save this to download.html. Oh no. Let's get a little Google Translate because I'm dumb. "Slaw machines. Bro, play for free." Play for free online and without registration. Is that so? Oh, why is that so funny to me? That shouldn't be funny to me. Oh my gosh, oh my goodness. Is it doing anything weird in here? Maybe the JavaScript's kind of sketch. Oh, these are just for sliders though. These might be from, like, links back to itself.
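As an added example that is not part of the video or transcript, here is the cleanup step described above (drop the commas and stray quotes, one endpoint per line) done in Python on a constructed registry-export blob; the key name, values and addresses are placeholders, and the output is defanged so the list can be shared in a report without being clickable.

```python
"""Added example (not from the video): clean up and defang the endpoint list.

The transcript turns a comma-separated, partly quoted list of endpoints from a
JSON registry export into one indicator per line by hand. This does the same
in code, then classifies, deduplicates and defangs the results so they can go
into a report without being clickable.
"""
import json
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed sample standing in for the real export. The key name is a
# placeholder and the addresses are RFC 5737 documentation ranges, not
# indicators taken from the sample in the video.
SAMPLE_EXPORT = r'''
{
  "HKCU\\Software\\EXAMPLE_KEY": {
    "cfg": "\"http://192.0.2.10/api\",198.51.100.7,\"https://203.0.113.5:8443/u\",192.0.2.10,http://example.test/update,\"10.0.0.5\",",
    "body": "<base64 payload elided>"
  }
}
'''

# RFC 1918 and loopback space: local noise rather than callback infrastructure.
LOCAL_NETS = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def string_values(node):
    """Yield every string leaf in a parsed JSON document, depth first."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from string_values(value)
    elif isinstance(node, list):
        for value in node:
            yield from string_values(value)


def classify_token(token):
    """Return ("ip", token), ("url", token) or None for one cleaned token."""
    try:
        addr = ip_address(token)
    except ValueError:
        pass
    else:
        if any(addr in net for net in LOCAL_NETS):
            return None
        return ("ip", token)
    parsed = urlparse(token)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return ("url", token)
    return None


def extract_indicators(export_json):
    """Split comma-separated, optionally quoted lists; keep first-seen order."""
    found = {"ip": [], "url": []}
    for value in string_values(json.loads(export_json)):
        for raw in value.split(","):
            token = raw.strip().strip('"').strip()  # the quoted "oddballs"
            if not token:
                continue
            hit = classify_token(token)
            if hit and hit[1] not in found[hit[0]]:
                found[hit[0]].append(hit[1])
    return found


def defang(indicator):
    """hxxp:// and [.] substitutions so the indicator cannot be clicked."""
    return (indicator.replace("http://", "hxxp://")
                     .replace("https://", "hxxps://")
                     .replace(".", "[.]"))


if __name__ == "__main__":
    iocs = extract_indicators(SAMPLE_EXPORT)
    for kind in ("ip", "url"):
        for ioc in iocs[kind]:
            print(f"{kind}\t{defang(ioc)}")
```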
I just want to know what all this says. Slaw machines. So if you were to play slaw machines, what would happen? I just want to know. Oh, we got more stuff. We got more stuff. We got more stuff. There's a lot. Oh. "Online casinos have roulette wheels and poker and blackjack tables, but no gambling club is unthinkable without slot machines. They invite gamers to the world of excitement who want to feel the adrenaline, try their luck and win big. The first classic one-armed bandits appeared in the United States a hundred years ago. At the dawn of development, slot machines were mechanical, had three reels and one pay line. Modern slot machines are more exciting for gamers' leisure as they contain up to 40 active lines, bonus games and the possibility of doubling prizes." You know, I think we wrote the book of raw, I think we really doubled our prize here. I didn't expect to see this. I'm having fun with this. Demo game Crazy Fruit, Crazy Fruit or R2, Crazy Fruits or R2, is that a thing? It's like a well-known... oh, Aztec Empire, Fruit Cocktail, Crazy Monkey, Resident, The Money Game, Sharky. This is too... oh my god, I didn't even realize how long this file was. This page goes on forever. How many stinking slot machine games are there? What can we play? Oh my goodness. I know we've left the realm of malware analysis at this point. The Big Bad Wolf. But I'm just having fun, guys. You gotta let the boys play.
I'm just having fun. Okay. Okay, uh, scrolling down, I see comments, block for installing meters, keeps track of what you click with the counter. LiveInternet, LiveInternet, LiveInternet, are you... that's apparently, you know, the Crochet... translate that, please: one of the largest in the Russian internet, blogging. Okay, we could have some fun looking at all of these different IP addresses and kind of determining where they come from, and maybe that would be another great video. Like, having something to automate going through some of these would be kind of neat, not gonna lie. Which was the one that I just copied? One five six. Yeah, the one five six, that one's offline. Let's just see, my curiosity, it's getting the better of me. 403 Forbidden. I don't have permission to access that one. Okay, we could look there. 146 in this list, so we could do this forever. I need to stop. I need to continue with the actual video here. A lot of these seemingly are down, though, or I can't see them or access them myself. So there's that.

Let's do some detective work at this point, other than that fun frenzy that we just went down looking at the slot machine site. I want to get an idea as to what this really is, so I'm gonna try and look for malware samples that use these or other indicators of compromise that might have talked about this before. So I'm gonna take a look at all of these links and see if I can find anything that might tell me more about this. I'm on any.run. Any.run, some zip file or something that seems to call back out to that one eight five IP address. Another one in a different page, but that's kind of it.
Oh, this one has strings that contain "This program cannot be run in DOS mode," like it actually has a header here, a PE header, an actual executable. It has the same start of strings that we had seen, between the CurrentVersion, getting Defender, DisableRealtimeMonitoring. Showing one to ten of two hundred twenty entries. Are there like more of these? Oh yeah. Oh, this does more though. This has like a PowerShell port of it, but it does have all of these Defender shut-down things. Oh no, that has that too. It has the ACL and the big dump of IP addresses. Yeah, yeah. What is this thing though? Does it have a name? Has this been diagnosed? What do you got? Joe Sandbox typically has some really good info. This is a codex file though. Is there a variance as to how this has kind of been found? Detection threshold score 100, range 100, reporting whitelisted, threat no... Malicious. I think that's right. That's on the money, guys. You rolled the slot machines, let it go, and I think you were right.

This is a cool chart: evader, exploiter, trojan and bot. Yeah. Let me full screen this. That's cool. That's super cool. "HTTP servers contacted by the sample do not answer, likely the sample is an old dropper which does no longer work." So I really couldn't get a callback, but the slot machine. "Sample monitors window changes or starting applications. Analyze the sample with the simulates keyboard and window changes cookbook," huh? Breakdown of the MITRE ATT&CK framework stuff that it does, signature overview, networking. It's that rust up that we kind of already seen. What else you got for me? These IP addresses are there. There's the same one that we had searched for. VirusTotal triggers on that. Joe Security Novter YARA, detected Novter bot. And this is an example of an EXE. Is that thing... oh, they have a little demo area you could look in. Oh jeez, sorry, I scrolled down, but you could watch it.
You could play through what happens when the machine is detonated early, the malware is kind of detonated. So, it reaches out for that IP address that we saw a moment ago. Obviously, I don't think there's gonna be a lot that really changes on the screen in this case. It's gonna be silent. No created or dropped files, contacted some domains over in the Netherlands. Switching, that's crazy. That's crazy. Oh, this is the report that it displayed, and this is back to my... yeah, here's the report that it generated. Are there other IP addresses that will get me anything, like what about these ones down here? These ones that were kind of out all on their own. I just want to see. I might search for like malware or indicators of compromise. Joe Sandbox again. What is this? Novter malware. It's saying Novter again. Translate this page. Yeah, bring that to English for me, please.

"Research by Trend Micro has discovered a new modular botnet malware called Novter that uses the Kovter botnet malware to be distributed via malvertising and exploit kits. The tactics of social engineering, since they lead the internet user to download a software package necessary to update its outdated Adobe Flash application from an infected website. However, instead of updating said software, it drops a malicious HTML application file (.hta). Victim executes this file and it can grab another PowerShell payload. Once PowerShell script is running, disables Windows Defender," yeah, yeah, "and Windows Update. It processes the malware, executes shellcode to bypass User Account Control," ooh, "downloads multiple JS." So, wow, okay, these are the IP addresses that it can detect. Novter. That's totally the thing. What else we got? But 2019, okay. Trend Micro: "We found a new modular, modulus, modular fileless botnet malware, which we named Novter, that the KovCoreG campaign has been distributing, and actively monitored since its emergence in early development and saw it being frequently updated."
"We found a new modular fileless botnet," also called Nodersok and Divergent, like the movie, I'm just kidding. Kovter has been involved. Yeah, Kovter is huge, for one thing. I know Kovter has wreaked havoc like crazy, but Novter is around. Oh, there's a technical briefing. Let's take a look at that. Yeah, HTA file launches PowerShell, receives commands and downloads commands. Attack chain: malicious HTA file, okay, runs a PowerShell script that appears to take inspiration from the open source Invoke-PSInject project. Take a look at that. This is part of Empire. Oh, this must be that Invoke-MemoryLoadLibrary. Does this have a bunch of those Win32 constants and Win32 types in here? Does it build those out too? Win32 stuff, Get-Win32Types, and it just, yeah, yeah, yeah, yeah. Oh, wow. It's different syntax, right, but it's the same idea. Like, it's the same process of kind of gathering all that information so you could use it, and there's just tons of this. Wow. Get-Win32Constants, yep, yeah, exactly. So ours was a little bit more obfuscated, ours is doing something different, but it pulls in those functions that it needs, and of course I'm sure it'll do some LoadLibrary thing.

Helpers: Sub-SignedIntAsUnsigned, Add-SignedIntAsUnsigned. It's absolutely... yeah. Same exact function names: Convert-UIntToInt, Get-Hex, Test-MemoryRangeValid, Write-BytesToMemory, Get-DelegateType, Get-ProcAddress, Enable-SeDebugPrivilege, doing something like impersonation stuff, maybe. Get-ImageNtHeaders, Get-PEBasicInfo. Okay, so this is some stuff we've already seen. Aspects of this aren't in here, but others are. Is the last thing this does like load in a library or inject something? I mean, obviously it's gonna be Invoke-PSInject. So that's craziness. That's crazy cool. I'm done scrolling through that. What else do we have? We have the report that I kind of want to look through, but the PowerShell script will in turn disable Windows Defender, Windows Update.
Yep. "PowerShell script is also embedded with Nodster, which will be executed filelessly via the PowerShell reflection technique. The backdoor commands that Nodster supports are kill all, kill, stop, resume, modules, update." Yeah, those are the exact same ones that we saw even in just a cursory strings. Wow. This is definitely it. This is absolutely it. Nodster, that must be comms. Yeah, quickly, cursorily looking through this. Wow. I want to look at that technical brief. Oh, they have indicators of compromise. Let me look at that too. These are some of the JS, JavaScript stuff, the IP addresses we've seen, some specific files that they would have called back, IP addresses related. Yep, same thing. What do we got in this? This should probably... is likely telling us the same thing. So this is different, like syntax, but if that's the research that was done back in 2019, now there might be some variations, like a different version of what's going on. And yeah, see, they look like they were able to kind of examine this code very well, but maybe they had an executable specifically, not just the...

"It sets persistence by the following: dropping a randomly named HTA file to AppData\Roaming, where the routine body contains a hard-coded string with the HTA file contents, with % markers which are replaced with randomly generated strings at runtime. This HTA file contains JavaScript code," yes, "which reads and executes a PowerShell payload from registry," yes, "creating three randomly named registry subkeys." Yeah. Oh, little typo here, guys. Little "softaware," Trend Micro, giving you a heads up. I'm gonna submit a pull request: hacked over, fix your typos. "The first two registry subkeys have hard-coded templates in the malware body." Yeah, yep, and Invoke-PSInject, exact same setup and code. That's really cool. And this is a really good briefing.
You can see the ACL, ACCL JSON format. Wow. Those are the commands for the modules, the backdoor commands they run. Wow. Wow, that's it. I think that's all I can cram into my mind right now. I thought that one was quite a ride to dig through, and I love the surprise from one of those machines calling back. It was like, yeah, play some slots, let's do some gambling. Cool, I think that's it, everybody. I think that's all I can offer for this video, but I hope you had fun. I hope you really enjoyed this deep dive, looking through some syntax, traversing through JScript and JavaScript to PowerShell, and googling around doing our research hunting. That's the fun stuff. So I think we'll wrap it up. Thanks so much for watching, everybody. I know this was a longer video than most in this little malware analysis series that we end up doing, but I had a lot of fun. I hope you did too. And that's it. I'm not gonna say the same thing over and over again. I'm done. It's the end of the video, everybody. Thank you so, so much for watching. If you did enjoy this video, please do all those YouTube algorithm things. Please like the video. Maybe leave me a comment, let me know what you think. Write an F in the chat to call back to the very beginning of the video, F in the comment section. Maybe subscribe, you know, I'd be super happy to see it. I'd love to see that. Thank you, and that's it. I'll see you in the next video, everybody. Thank you so much for watching. I love you. Take care.