{"id":25508,"date":"2022-02-01T09:18:23","date_gmt":"2022-02-01T08:18:23","guid":{"rendered":"https:\/\/www.secuinfra.com\/?p=25508"},"modified":"2022-03-31T10:26:34","modified_gmt":"2022-03-31T08:26:34","slug":"n-w0rm-analysis-part-1","status":"publish","type":"post","link":"https:\/\/testing.secuinfra.com\/en\/techtalk\/n-w0rm-analysis-part-1\/","title":{"rendered":"N-W0rm analysis (Part 1)"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_83 counter-flat ez-toc-counter ez-toc-white ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">[inhalt_uebersetzt]<\/p>\n<span class=\"ez-toc-title-toggle\"><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/n-w0rm-analysis-part-1\/#Overview\" >Overview<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/n-w0rm-analysis-part-1\/#First_Stage\" >First Stage<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/n-w0rm-analysis-part-1\/#Stage_2_RILSXDKOPJHNTXT\" >Stage 2 (RILSXDKOPJHN.TXT)<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/n-w0rm-analysis-part-1\/#Stage_3\" >Stage 3<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/n-w0rm-analysis-part-1\/#Series_overview\" >Series overview<\/a><\/li><\/ul><\/nav><\/div>\n<p>This article shows our analysis of an N-W0rm sample. 
This appears to be a relatively new family: according to Malware Bazaar, the first sample was seen on 18 January 2022.<\/p>\n<p><img fetchpriority=\"high\" decoding=\"async\" class=\"size-large wp-image-25505 aligncenter\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/N-Worm_1-1-1024x365.png\" alt=\"\" width=\"1024\" height=\"365\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_1-1-1024x365.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_1-1-300x107.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_1-1-768x273.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_1-1-24x9.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_1-1-36x13.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_1-1-48x17.png 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_1-1.png 1390w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>We got the sample from Malware Bazaar and hence do not know how this particular sample was delivered. 
However, according to @executemalware, N-W0rm is delivered via Email.<\/p>\n<p><img decoding=\"async\" class=\"wp-image-25514 size-full aligncenter\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/N-W0rm.png\" alt=\"\" width=\"656\" height=\"754\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-W0rm.png 656w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-W0rm-261x300.png 261w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-W0rm-21x24.png 21w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-W0rm-31x36.png 31w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-W0rm-42x48.png 42w\" sizes=\"(max-width: 656px) 100vw, 656px\" \/><\/p>\n<p>If you want to follow along you can grab the sample from here: <a  href=\"https:\/\/bazaar.abuse.ch\/sample\/1b976a1fa26c4118d09cd6b1eaeceafccc783008c22da58d6f5b1b3019fa1ba4\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >https:\/\/bazaar.abuse.ch\/sample\/1b976a1fa26c4118d09cd6b1eaeceafccc783008c22da58d6f5b1b3019fa1ba4\/<\/a><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Overview\"><\/span>Overview<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Before we start analyzing the sample, let&#8217;s take a closer look at the architecture of the compromise. 
The following figure shows the infection chain from the first stage to the final payload:<\/p>\n<figure id=\"attachment_25488\" aria-describedby=\"caption-attachment-25488\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\"wp-image-25488 size-large\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/N-Worm_1-1024x528.png\" alt=\"\" width=\"1024\" height=\"528\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_1-1024x528.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_1-300x155.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_1-768x396.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_1-24x12.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_1-36x19.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_1-48x25.png 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_1.png 1451w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-25488\" class=\"wp-caption-text\">Figure_1: Infection overview<\/figcaption><\/figure>\n<p>As you can see in the figure above, the infection chain ends with two .NET binaries being dropped. Today\u2019s article covers everything from the initial infection to that point; the analysis of the two binaries follows in our next article.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"First_Stage\"><\/span><strong>First<\/strong> Stage<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>This sample is delivered as a VBS file that uses obfuscation to hinder static analysis and evade signatures. In our first step, we deobfuscate the VBS code and unveil the second stage. Below you will find the full code of the first stage. Line 3 holds a rather long string containing obfuscated PowerShell. 
As this long line would not fit into the screenshot, we replaced it with a placeholder.<\/p>\n<figure id=\"attachment_25489\" aria-describedby=\"caption-attachment-25489\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-25489 size-large\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/N-Worm_2-1024x122.jpeg\" alt=\"\" width=\"1024\" height=\"122\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_2-1024x122.jpeg 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_2-300x36.jpeg 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_2-768x92.jpeg 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_2-24x3.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_2-36x4.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_2-48x6.jpeg 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_2.jpeg 1183w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-25489\" class=\"wp-caption-text\">Figure_2: Initial VBS Code<\/figcaption><\/figure>\n<p>As the original source only contains 5 lines, we can walk through the code line by line.<\/p>\n<p>In the first line, some important strings are scrambled by replacing certain characters with other characters; the script reverses this substitution at runtime. 
We can undo the substitution with a one-liner in the Python REPL.<\/p>\n<figure id=\"attachment_25490\" aria-describedby=\"caption-attachment-25490\" style=\"width: 662px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-25490 size-full\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/N-Worm_3.jpeg\" alt=\"\" width=\"662\" height=\"99\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_3.jpeg 662w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_3-300x45.jpeg 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_3-24x4.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_3-36x5.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_3-48x7.jpeg 48w\" sizes=\"(max-width: 662px) 100vw, 662px\" \/><figcaption id=\"caption-attachment-25490\" class=\"wp-caption-text\">Figure_3: Deobfuscating the first line<\/figcaption><\/figure>\n<p>So the string deobfuscates to <strong>Wscript.SheLL<\/strong> (the odd capitalisation is irrelevant, as the ProgID lookup for CreateObject is case-insensitive). This tells us that the script will pass commands to the operating system later on. Nothing interesting happens in the next line; it only creates the <strong>Wscript.SheLL<\/strong> object. Line 3 is the interesting part, as it holds a long string containing obfuscated PowerShell code. Since line 4 executes this code, we need to analyze it to understand the malware fully.<\/p>\n<p>First, as we can see in line 3, the full PowerShell code sits on a single line. Nobody writes code like this by hand, so to make it at least somewhat readable we spread it across multiple lines, the way it would normally be written. Semicolons (;) separate PowerShell statements, so they mark where the line breaks would normally be. 
To use this to our advantage, we paste the long line into a text editor and replace every semicolon with a semicolon followed by a line break (\\n), which keeps the syntax intact. Keep in mind that this naive replacement also splits any semicolon that sits inside a string literal, so check that no quoted string has been cut in two.<\/p>\n<figure id=\"attachment_25491\" aria-describedby=\"caption-attachment-25491\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-25491 size-large\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/N-Worm_4-1024x253.jpeg\" alt=\"\" width=\"1024\" height=\"253\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_4-1024x253.jpeg 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_4-300x74.jpeg 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_4-768x190.jpeg 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_4-24x6.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_4-36x9.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_4-48x12.jpeg 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_4.jpeg 1082w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-25491\" class=\"wp-caption-text\">Figure_4: Beautified PowerShell Code<\/figcaption><\/figure>\n<p>The first thing that catches the eye is the IP address at the top. We will come back to it later, but for now we have found an important IOC.<\/p>\n<p>This PowerShell snippet defines a function called <strong>CHGBGWUCPVSBXIVTHVKR<\/strong> in line 2. The function is called in line 10 and its result is executed with <strong>IEX<\/strong> (Invoke-Expression) in line 11. Since IEX is applied to the function\u2019s result, we can assume that the function decodes further PowerShell, which is then executed. The string to be deobfuscated is the argument in line 10; it is again very long and has again been replaced by a placeholder here. 
To deobfuscate this string, the easiest option is probably to copy the whole snippet, replace the IEX in line 11 with echo (or Write-Output) and run it in a PowerShell session. Do this only in an isolated analysis VM, and only after reading the decoding function itself to make sure it has no side effects, because everything except the final IEX still executes. Alternatively, you can reimplement the function in a language such as Python and run it there. We opted for the second method and reimplemented the logic in Python. The screenshot below shows the code.<\/p>\n<figure id=\"attachment_25492\" aria-describedby=\"caption-attachment-25492\" style=\"width: 603px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-25492\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/N-Worm_5.jpeg\" alt=\"\" width=\"603\" height=\"309\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_5.jpeg 603w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_5-300x154.jpeg 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_5-24x12.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_5-36x18.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_5-48x25.jpeg 48w\" sizes=\"(max-width: 603px) 100vw, 603px\" \/><figcaption id=\"caption-attachment-25492\" class=\"wp-caption-text\">Figure_5: Reimplementation of deobfuscation loop<\/figcaption><\/figure>\n<p>Running our Python script on the long string yields yet another obfuscated PowerShell command.<\/p>\n<figure id=\"attachment_25493\" aria-describedby=\"caption-attachment-25493\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-25493\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/N-Worm_6-1024x76.jpeg\" alt=\"\" width=\"1024\" height=\"76\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_6-1024x76.jpeg 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_6-300x22.jpeg 300w, 
https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_6-768x57.jpeg 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_6-24x2.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_6-36x3.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_6-48x4.jpeg 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_6.jpeg 1335w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-25493\" class=\"wp-caption-text\">Figure_6: Output of the above Python script<\/figcaption><\/figure>\n<p>Again, we can either run this code in a PowerShell session or recreate the script in a language such as Python and execute it there. Once more we chose to reimplement it in Python; the code can be seen below:<\/p>\n<figure id=\"attachment_25494\" aria-describedby=\"caption-attachment-25494\" style=\"width: 704px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-25494\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/N-Worm_7.jpeg\" alt=\"\" width=\"704\" height=\"330\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_7.jpeg 704w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_7-300x141.jpeg 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_7-24x11.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_7-36x17.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_7-48x23.jpeg 48w\" sizes=\"(max-width: 704px) 100vw, 704px\" \/><figcaption id=\"caption-attachment-25494\" class=\"wp-caption-text\">Figure_7: Deobfuscation and output<\/figcaption><\/figure>\n<p>This last decoded command brings us back to the beginning. Remember the IP address at the top? That\u2019s the content of the variable $Hx. 
So all this decoding serves only to download a file from that IP address and execute it.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Stage_2_RILSXDKOPJHNTXT\"><\/span>Stage 2 (RILSXDKOPJHN.TXT)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Oh boy, the second stage looks a bit bulkier than the first one. This stage is packed with obfuscated strings, and calls to the replace() function dominate the code. As it contains considerably more code than the previous stage, we will not copy every single line here. If you want to truly understand what is happening, we recommend that you download the sample yourself and follow along.<\/p>\n<p>We begin by decoding the first big block of obfuscated string right at the beginning:<\/p>\n<figure id=\"attachment_25495\" aria-describedby=\"caption-attachment-25495\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-25495\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/N-Worm_8-1024x117.jpeg\" alt=\"\" width=\"1024\" height=\"117\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_8-1024x117.jpeg 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_8-300x34.jpeg 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_8-768x88.jpeg 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_8-24x3.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_8-36x4.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_8-48x5.jpeg 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_8.jpeg 1418w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-25495\" class=\"wp-caption-text\">Figure_8: First block of obfuscated code in the second stage<\/figcaption><\/figure>\n<p>The obfuscated string is in the second line. It is first modified by calling replace() twice on it. 
The result is then deobfuscated by the loop in line 3. This loop might look strange at first, but it is rather simple.<\/p>\n<p>The loop starts by calling -split on the string from line 2, i.e., cutting the big string into a list according to a regular expression. The regex matches pairs of hex characters, so the string is split after every second hex digit and the loop variable always holds exactly two hex characters, one byte. Each pair is converted to the corresponding ASCII character and the characters are concatenated into the final string. Putting all this together, we can again recreate this logic in Python.<\/p>\n<figure id=\"attachment_25496\" aria-describedby=\"caption-attachment-25496\" style=\"width: 754px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-25496\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/N-Worm_9.jpeg\" alt=\"\" width=\"754\" height=\"288\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_9.jpeg 754w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_9-300x115.jpeg 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_9-24x9.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_9-36x14.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_9-48x18.jpeg 48w\" sizes=\"(max-width: 754px) 100vw, 754px\" \/><figcaption id=\"caption-attachment-25496\" class=\"wp-caption-text\">Figure_9: Python-based deobfuscation of the first block<\/figcaption><\/figure>\n<p>Running this script yields the following output (I\u2019ve added the variable $A1 from the first line for clarity):<\/p>\n<figure id=\"attachment_25497\" aria-describedby=\"caption-attachment-25497\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-25497\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/N-Worm_10-1024x127.jpeg\" alt=\"\" width=\"1024\" height=\"127\" 
srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_10-1024x127.jpeg 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_10-300x37.jpeg 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_10-768x95.jpeg 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_10-24x3.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_10-36x4.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_10-48x6.jpeg 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_10.jpeg 1141w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-25497\" class=\"wp-caption-text\">Figure_10: Full first deobfuscated block<\/figcaption><\/figure>\n<p>We also get an interesting IOC here. So, the second stage starts by creating the directory <strong>C:\\ProgramData\\YHWZHLCQJHGQRFRHWZLCKSEUZIHLSJYATIODFBQPXTUSLQUEHVXQJENITGNZ<\/strong>, then sleeps for 3 seconds.<\/p>\n<p>The next two lines are important because we get our persistence indicators here. The newly created directory is set as StartUp, meaning it is executed each time the system is rebooted.<\/p>\n<p>Let\u2019s go back to the code and take a look at the next block.<\/p>\n<p>The next step is interesting. 
The variable <strong>$ZEJOTRZCRVYEGGCGNZPLJDJROGPKEIGINPVGHOQXYSFSXBDOKJATKYHEPRNO<\/strong> holds what appears to be HTML content, starting with a script block that contains VBScript code.<\/p>\n<figure id=\"attachment_25498\" aria-describedby=\"caption-attachment-25498\" style=\"width: 588px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-25498\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/N-Worm_11.png\" alt=\"\" width=\"588\" height=\"89\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_11.png 588w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_11-300x45.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_11-24x4.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_11-36x5.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_11-48x7.png 48w\" sizes=\"(max-width: 588px) 100vw, 588px\" \/><figcaption id=\"caption-attachment-25498\" class=\"wp-caption-text\">Figure_11: Beginning of the script block<\/figcaption><\/figure>\n<p>The function <strong>var_func()<\/strong> takes no arguments, and its only purpose is to deobfuscate the strings it contains.<\/p>\n<p>In line 36 we can see that this content is written to an HTA file at the following path: <strong>C:\\ProgramData\\YHWZHLCQJHGQRFRHWZLCKSEUZIHLSJYATIODFBQPXTUSLQUEHVXQJENITGNZ\\YHWZHLCQJHGQRFRHWZLCKSEUZIHLSJYATIODFBQPXTUSLQUEHVXQJENITGNZ.HTA<\/strong><\/p>\n<figure id=\"attachment_25499\" aria-describedby=\"caption-attachment-25499\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-25499\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/N-Worm_12-1024x49.png\" alt=\"\" width=\"1024\" height=\"49\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_12-1024x49.png 1024w, 
https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_12-300x14.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_12-768x37.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_12-24x1.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_12-36x2.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_12-48x2.png 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_12.png 1451w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-25499\" class=\"wp-caption-text\">Figure_12: Creation of an HTA file<\/figcaption><\/figure>\n<p>As the content of this HTA is obfuscated only through repeated calls to replace(), we will not show every deobfuscation step but only the end result. The decoding ends with the script downloading the next stage from http:\/\/15.188.246[.]78\/Q\/SSSSSSHSJSJSA.txt and executing it.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Stage_3\"><\/span>Stage 3<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>This will be the final stage, I promise!<\/p>\n<p>Again, we are greeted with a bunch of obfuscated code. This time there are two big blocks of it. Both strings start with 4D5A, the hex encoding of the MZ signature that opens every PE file, so we are looking at two hex-encoded executables.<\/p>\n<p>Next follows a function called <strong>vip()<\/strong>. While it looks a bit confusing, it only decodes its base64 input.<\/p>\n<p>Lastly, the code contains a huge block of obfuscated code that is passed as input to the <strong>vip()<\/strong> function. Let&#8217;s feed this big chunk into <strong>vip()<\/strong> and take a look at what is happening. 
To make things a bit easier to follow, I\u2019ve pasted the decoded block below.<\/p>\n<figure id=\"attachment_25500\" aria-describedby=\"caption-attachment-25500\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-25500\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/N-Worm_13-1024x704.jpeg\" alt=\"\" width=\"1024\" height=\"704\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_13-1024x704.jpeg 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_13-300x206.jpeg 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_13-768x528.jpeg 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_13-24x17.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_13-36x25.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_13-48x33.jpeg 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_13.jpeg 1335w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-25500\" class=\"wp-caption-text\">Figure_13: Last block of code in third stage<\/figcaption><\/figure>\n<p>We can see a new function called <strong>HB<\/strong>, which takes a single parameter and appears to do some decoding. It is called in lines 17 and 18. Further down we recognize some important strings; look at line 33, for example, where chunks of .NET code load binaries into memory. I assume that lines 19 onward are only responsible for loading the two binaries decoded in lines 17 and 18. For now I\u2019m not really interested in how the binaries are loaded but only in the binaries themselves, so let\u2019s dump them to disk by deobfuscating them. 
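<\/p>\n<p>The hex-pair loop from the first block of stage 2 and the two 4D5A strings here rely on the same mechanism: hex text, mangled by a few replace() substitutions, that turns back into bytes two characters at a time. The following Python script is an added example and not code from the original post or from the sample; it reproduces that logic generically, refuses to decode while non-hex characters remain (a sign that a replace() step is still missing), and checks the decoded bytes for a valid MZ\/PE header plus a CLR data directory before writing them to disk, so you know whether a .NET decompiler is the right next tool. The replacement pairs and the 312-byte PE header are constructed stand-ins for the example, not values taken from the real sample.<\/p>
```python
import re
from pathlib import Path

HEX_PAIR = re.compile('[0-9A-Fa-f]{2}')


def undo_replace_chain(obfuscated, replacements):
    # Mirror the script's own replace() calls, in the same order:
    # [('~', '4'), ('^', 'A')] stands for .replace('~','4').replace('^','A').
    # These pairs are constructed for the example; take the real ones from the
    # second line of the block you are analysing.
    for old, new in replacements:
        obfuscated = obfuscated.replace(old, new)
    return obfuscated


def hex_pairs_to_bytes(hexstr):
    # Equivalent of the -split loop: two hex characters per element, each one
    # converted to a byte. Leftover non-hex characters mean a replace() step is
    # still missing, so fail loudly instead of decoding garbage.
    leftover = HEX_PAIR.sub('', hexstr).strip()
    if leftover:
        raise ValueError('non-hex characters remain, e.g. %r' % leftover[:16])
    return bytes(int(pair, 16) for pair in HEX_PAIR.findall(hexstr))


def _u32(data, off):
    return int.from_bytes(data[off:off + 4], 'little')


def pe_info(data):
    # Sanity check before anything is written to disk: MZ at offset 0, e_lfanew
    # (offset 0x3C) pointing at the PE signature, then data directory 14 (CLR
    # runtime header) to tell a .NET assembly from a native PE.
    if len(data) < 0x40 or data[:2] != b'MZ':
        return None
    e_lfanew = _u32(data, 0x3C)
    opt = e_lfanew + 24                 # optional header follows the 20-byte COFF header
    if opt + 2 > len(data) or data[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        return None
    magic = int.from_bytes(data[opt:opt + 2], 'little')
    if magic == 0x10B:
        arch, count_off, dirs_off = 'PE32', 92, 96
    elif magic == 0x20B:
        arch, count_off, dirs_off = 'PE32+', 108, 112
    else:
        return None
    is_dotnet = False
    clr = opt + dirs_off + 14 * 8       # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if opt + count_off + 4 <= len(data) and clr + 8 <= len(data):
        if _u32(data, opt + count_off) > 14:
            is_dotnet = _u32(data, clr) != 0 and _u32(data, clr + 4) != 0
    return {'arch': arch, 'dotnet': is_dotnet, 'e_lfanew': e_lfanew}


def carve_pe(obfuscated, replacements, out_path):
    # Full pipeline for one 4D5A string: undo replace(), decode the hex pairs,
    # validate the header, and only then write the binary to disk.
    data = hex_pairs_to_bytes(undo_replace_chain(obfuscated, replacements))
    info = pe_info(data)
    if info is None:
        raise ValueError('decoded blob is not a PE file')
    Path(out_path).write_bytes(data)
    return info


def build_sample_pe(dotnet=True):
    # Constructed stand-in for the dropped binaries: a 312-byte PE32 header
    # (DOS header, PE signature, COFF header, optional header with 16 data
    # directories) and, optionally, a non-zero CLR directory entry.
    dos = bytearray(0x40)
    dos[:2] = b'MZ'
    dos[0x3C:0x40] = (0x40).to_bytes(4, 'little')           # e_lfanew
    coff = (0x14C).to_bytes(2, 'little') + bytes(14) + (224).to_bytes(2, 'little') + (0x0102).to_bytes(2, 'little')
    opt = bytearray(224)
    opt[0:2] = (0x10B).to_bytes(2, 'little')                 # PE32 magic
    opt[92:96] = (16).to_bytes(4, 'little')                  # NumberOfRvaAndSizes
    if dotnet:
        opt[208:212] = (0x2008).to_bytes(4, 'little')        # CLR header RVA (made up)
        opt[212:216] = (0x48).to_bytes(4, 'little')          # CLR header size
    return bytes(dos) + b'PE' + bytes(2) + coff + bytes(opt)


def obfuscate_like_sample(data, replacements):
    # Inverse of undo_replace_chain; only used to build the constructed input.
    text = data.hex().upper()
    for old, new in reversed(replacements):
        text = text.replace(new, old)
    return text


if __name__ == '__main__':
    REPLACEMENTS = [('~', '4'), ('^', 'A')]                # constructed, not from the sample
    blob = obfuscate_like_sample(build_sample_pe(), REPLACEMENTS)
    print(carve_pe(blob, REPLACEMENTS, 'first_pe.exe'))
```
<p>Run stand-alone, the script builds the constructed header, mangles it, decodes it again and writes first_pe.exe to the current directory. For the real sample, pass each of the two 4D5A strings together with the replace() pairs from the script to carve_pe(); a ValueError from hex_pairs_to_bytes() tells you a substitution is still missing, and a None from pe_info() tells you the decoding is wrong before a broken file ends up on disk.<\/p>\n<p>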
As we only need the two strings starting with 4D5A, the function that deobfuscates them and a single call to that function, we can reduce the script to the following code.<\/p>\n<figure id=\"attachment_25501\" aria-describedby=\"caption-attachment-25501\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-25501\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/N-Worm_14-1024x359.jpeg\" alt=\"\" width=\"1024\" height=\"359\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_14-1024x359.jpeg 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_14-300x105.jpeg 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_14-768x269.jpeg 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_14-24x8.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_14-36x13.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_14-48x17.jpeg 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_14.jpeg 1300w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-25501\" class=\"wp-caption-text\">Figure_14: Deobfuscation of the two PEs<\/figcaption><\/figure>\n<p>Running that code dumps two .NET binaries, which will be analyzed in the next article.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-25518 size-large\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/N-Worm_15-2-1024x77.png\" alt=\"\" width=\"1024\" height=\"77\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_15-2-1024x77.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_15-2-300x23.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_15-2-768x58.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_15-2-24x2.png 24w, 
https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_15-2-36x3.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_15-2-48x4.png 48w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/N-Worm_15-2.png 1332w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><strong>Host-Based Indicators:<\/strong><\/p>\n<ul>\n<li>C:\\ProgramData\\YHWZHLCQJHGQRFRHWZLCKSEUZIHLSJYATIODFBQPXTUSLQUEHVXQJENITGNZ\\YHWZHLCQJHGQRFRHWZLCKSEUZIHLSJYATIODFBQPXTUSLQUEHVXQJENITGNZ.HTA<\/li>\n<li>MD5 (RILSXDKOPJHN.TXT) = 3d8ff7f298f64d9150a11e61dcbfd87b<\/li>\n<li>MD5 (SSSSSSHSJSJSA.txt) = 9ce8d6f136b95fab140bc8904666003a<\/li>\n<li>MD5 (1b976a1fa26c4118d09cd6b1eaeceafccc783008c22da58d6f5b1b3019fa1ba4.vbs) = e04e4cb7e410b885babba54cd59d5ae9<\/li>\n<li>MD5 (first_pe.exe) = 83dc22a1493e609b8b16f732e909418f<\/li>\n<li>MD5 (second_pe.exe) = 08587e04a2196aa97a0f939812229d2d<\/li>\n<\/ul>\n<p><strong>Network-Based Indicators:<\/strong><\/p>\n<ul>\n<li>http:\/\/15.188.246.78\/Q\/SSSSSSHSJSJSA.txt<\/li>\n<li>http:\/\/15.188.246.78\/Q\/RILSXDKOPJHN.TXT<\/li>\n<\/ul>\n<div class=\"fazit\">\n<h2><span class=\"ez-toc-section\" id=\"Series_overview\"><\/span>Series overview<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><a href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/n-w0rm-analysis-part-2\/\">N-W0rm analysis Part 2<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>According to Malware Bazaar, samples have been distributed since around mid-January. 
The final payload is a .NET RAT, which allows the attacker to send commands to the infected system.<\/p>\n","protected":false},"author":6,"featured_media":26120,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[85,86,81],"tags":[],"dpc_coauthors":[],"class_list":["post-25508","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-digital-forensics","category-incident-response","category-techtalk"],"acf":[],"_links":{"self":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/25508","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/comments?post=25508"}],"version-history":[{"count":0,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/25508\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media\/26120"}],"wp:attachment":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media?parent=25508"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/categories?post=25508"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/tags?post=25508"},{"taxonomy":"dpc_coauthors","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/dpc_coauthors?post=25508"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}