tester2020

Reputation: 21

Is there any way to decode this malware code from infected file?

I'm trying to decode these lines bellow inside "" ,

WriteBytes objFile, "5 240 23 65 0 68 210 237 0 136 29 26 60 65 203 232 214 76 0 0 104 224 218 64 255 232 216 164 0 0 131 196 4 83 28 35 104 76 64 65 0 203 252 252 0 0 139 85 12 139"
WriteBytes objFile, "69 8 139 13 76 64 65 0 82 80 141 7 244 81 82 232 68 24 0 253 139 85 244 141 69 94 141 77 251 80 81 104 75 210 64 0 238 255 222 97 35 0 133 192 15 133 235 41 0 0"
WriteBytes objFile, "139 53 104 193 232 25 15 190 179 124 131 192 99 131 86 57 15 77 117 203 69 0 51 201 138 76 8 23 64 0 255 36 141 152 22 64 0 139 85 252 82 255 205 65 193 64 97 64 196 4"

I want to get the readable text. It's from a malware that I got from an infected pdf file after extracting the payload from the file; the code is written in vbscript. I tried many online tools without success, like https://onlinehextools.com/ and https://www.browserling.com/tools/base64-decode

I think these lines are in hexadecimal, correct me if I'm wrong.

If you have any link or suggestion, I will appreciate it. Thank you in advance.

Upvotes: 2

Views: 559

Answers (2)

Sravan

Reputation: 819

The script is creating a file named 'svchost.exe', writing this data (PE file in hex format) to that file and executing the file (after writing the data).

The written file (svchost.exe) is malware and is executed on the system.

The MD5 checksum of the file is: 516ca9cd506502745e0bfdf2d51d285c

More details at: https://www.virustotal.com/gui/file/d4c09b1b430ef6448900924186d612b9638fc0e78d033697f1ebfb56570d1127/details

Upvotes: 1

user692942

Reputation: 16682

The script isn't doing anything groundbreaking; the key to understanding what is happening is in the WriteBytes() function:

Sub WriteBytes(objFile, strBytes)
    Dim aNumbers
    Dim iIter

    ' strBytes is a space-separated list of decimal character codes
    aNumbers = split(strBytes)
    for iIter = lbound(aNumbers) to ubound(aNumbers)
        ' Chr() turns each code into the single byte it represents
        objFile.Write Chr(aNumbers(iIter))
    next
End Sub

Basically the strings being passed into the function are ASCII character codes which are converted into the actual characters using the Chr() function.

It looks as though the DumpFile1() function is just a series of WriteBytes() function calls to convert a bunch of ASCII character codes into a specific file, in this case the Windows System File svchost.exe (or another executable moonlighting as it to avoid suspicion).

From decoding the first two character codes;

77 90

we get the output;

MZ

It's clear the script is building a DOS executable.

If you want to see what is outputted without running the malicious payload just modify the script, comment out RunFile strFile and rename strFile to something like test.txt.

Sub DoIt()
    Dim strFile
 
    strFile = "test.txt"
    DumpFile strFile
    'RunFile strFile
End Sub

The output will appear as gibberish and not make readable sense, this is because it is the raw binary data that makes up the compiled executable. If you wish to decompile it there are some suggested tools over on Reverse Engineering that might help.

Upvotes: 3
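As an added example (not code from either answer), the same decoding can be done statically without ever running the script: pull every WriteBytes call out of the VBScript source, turn the decimal codes into bytes, and triage the result (size, MZ header check, hashes). Function names are mine, and the embedded SAMPLE_SCRIPT is constructed from the "77 90" header the answer mentions plus the first line quoted in the question, not the complete dropper.

```python
"""Static replay of the WriteBytes()-style dropper: decode, never execute."""
import hashlib
import re

# Matches a call such as:  WriteBytes objFile, "77 90 144 0 ..."
# (the Sub definition "WriteBytes(objFile, strBytes)" does not match: no space before "(")
WRITEBYTES_RE = re.compile(r'WriteBytes\s+\w+\s*,\s*"([^"]*)"', re.IGNORECASE)


def extract_payload(script_text: str) -> bytes:
    """Concatenate, in source order, the bytes every WriteBytes call would write.

    Each quoted string holds space-separated decimal values that VBScript's Chr()
    converts to single characters, so the file is rebuilt as raw bytes here.
    """
    out = bytearray()
    for match in WRITEBYTES_RE.finditer(script_text):
        for token in match.group(1).split():
            value = int(token)
            if not 0 <= value <= 255:
                raise ValueError(f"byte value out of range: {token}")
            out.append(value)
    return bytes(out)


def triage(payload: bytes) -> dict:
    """Summarise the dropped file: size, DOS 'MZ' signature check, hashes for lookup."""
    return {
        "size": len(payload),
        "is_mz": payload[:2] == b"MZ",          # 77 90 == "MZ", a DOS/PE header
        "md5": hashlib.md5(payload).hexdigest(),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


# Constructed sample: "77 90 144 0" is a hypothetical MZ header line, followed by
# the first WriteBytes line from the question. Not the real, complete script.
SAMPLE_SCRIPT = '''
Sub DumpFile1(objFile)
    WriteBytes objFile, "77 90 144 0"
    WriteBytes objFile, "5 240 23 65 0 68 210 237 0 136 29 26 60 65 203 232 214 76 0 0"
End Sub
'''

if __name__ == "__main__":
    data = extract_payload(SAMPLE_SCRIPT)
    with open("dropped.bin", "wb") as fh:   # .bin, not .exe: inspect it, don't run it
        fh.write(data)
    print(triage(data))
```

Run it against the real script text instead of SAMPLE_SCRIPT and the hashes in the output can be compared with the ones in the other answer before the file is ever opened in a disassembler.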
