Hello, in this post we will perform malware analysis and reverse engineering of a VIP Keylogger sample.
The file was downloaded from MalwareBazaar.
The SHA256 hash of the file is:
d6255b39e2be431e6226c8414b75721a16c114960f8a87acc06ea9fa7563006f
The file is flagged by 4 security vendors as malicious.

The file opened in Notepad appears to be obfuscated.

The text between each pair of % signs is a reference to a variable that is never defined, so cmd.exe expands it to nothing; removing these tokens produces a meaningful batch command, e.g., the first line evaluates to @echo off.

We removed the tokens from the first few lines to deobfuscate them:

When executed, the deobfuscated lines above yield the full path of the current file:

These lines also re-launch the current batch file in a minimized window and copy it to the user profile directory under the name aoc.bat.

All the following lines use the same obfuscation:

We can use the regex %([a-z]{15}+)% to find and remove these tokens, which turns the remaining text into meaningful batch statements.

Once the tokens are removed, we can see data being assigned to variables.

After the deobfuscation, we can see those variables being concatenated at a later point in the script.

NOTE: Do not apply the regex replacement to the entire file. The variables that hold the data are referenced with the same %name% syntax, so a blanket replacement also removes the code that concatenates them and leaves the script unexecutable.

The concatenated string references 229 variables. Using the variable assignments recovered by the regex replacement, we echo the concatenated result to the console.

The data is:

Finally, we apply the same regular expression to the remaining lines to produce the deobfuscated batch script.
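The two steps above (stripping the undefined %name% tokens, then resolving the variables that are concatenated later) can be done in one pass by expanding each %name% the way cmd.exe would: defined variables get their value, undefined ones vanish. The script below is an added example, not the author's tooling; it assumes junk names of at least 15 lowercase letters and runs on a constructed sample in the same style as the analysed file.

```python
import re

# Assumption: junk tokens are 15 or more lowercase letters between percent
# signs, matching the regex used in the analysis above.
TOKEN = re.compile(r"%([a-z]{15,})%")
# Plain `set name=value` and the quoted `set "name=value"` form.
SET_STMT = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)


def deobfuscate(script: str) -> tuple[list[str], dict[str, str]]:
    """Expand the batch script the way cmd.exe would at run time.

    %name% becomes the value of name if an earlier `set` defined it (this is
    what rebuilds the concatenated data) and is dropped otherwise, because
    cmd.exe expands an undefined variable to nothing. This is why a blanket
    regex deletion cleans the junk but breaks the concatenation lines.
    """
    env: dict[str, str] = {}
    cleaned: list[str] = []
    for line in script.splitlines():
        line = TOKEN.sub(lambda m: env.get(m.group(1).lower(), ""), line)
        m = SET_STMT.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
        cleaned.append(line)
    return cleaned, env


# Constructed sample in the style described above (not the real file):
# undefined %junk% tokens split every command, and a few defined variables
# hold fragments that a later line concatenates.
SAMPLE_BAT = """@%qwertyuiopasdfghj%e%zxcvbnmasdfghjklq%cho o%poiuytrewqlkjhgfd%ff
set %lkjhgfdsapoiuytr%aaaaaaaaaaaaaaa=pow%mnbvcxzlkjhgfdsa%ersh
set "bbbbbbbbbbbbbbb=ell -enc"
set ccccccccccccccc=SGVsbG8=
echo %aaaaaaaaaaaaaaa%%bbbbbbbbbbbbbbb% %ccccccccccccccc%
"""

if __name__ == "__main__":
    lines, variables = deobfuscate(SAMPLE_BAT)
    print("\n".join(lines))
    print(f"{len(variables)} variables defined")
```

On the real sample the same pass resolves the 229-variable concatenation without hand-editing, provided every `set` precedes the line that uses it.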

The console output of the concatenated variables, once deobfuscated, is another layer: a PowerShell command, as shown:

The PowerShell command contains a string on which a replacement of “ghobbwnmfz” is performed. Applying the same replacement ourselves yields another string within the PowerShell command:

The string formed after the replacement contains a base64 encoded string, which we decode using CyberChef.

The decoded string, in turn, contains another PowerShell script.

The script extracts data from the parts beginning with :::[1-4] in the initial batch script, the one that copied itself to the user profile directory under the name aoc.bat.

The following are the extracted parts:

The extracted parts are concatenated, run through a string replacement, and base64 decoded.

Equivalent output of the above operation using CyberChef:

The output is a PowerShell script containing the functions shown below:

In short, the functions perform the following operations:

| Function | Description |
|---|---|
| Initialize-FlowerGarden | Initializes the environment variables |
| Setup-FlowerPolicy | Sets the execution policy to bypass/unrestricted |
| Disable-FlowerLogging | Disables event logging |
| Setup-FlowerEnvironment | Disables/tweaks AMSI |
| Perform-FlowerMaintenance | Disables/tweaks AMSI |

Further, the variable $orange also contains base64 encoded data that is decoded and then gzip decompressed.

CyberChef decodes this as follows:

The output is yet another PowerShell script.

Unlike the previous PowerShell script, which extracted the parts marked :::[1-4], this script extracts the lines marked :: from the copy of the initial script in the user profile directory and uses them for further operations:

The extracted data is split on \ into a two-element array. Each element is then base64 decoded, AES decrypted, and gzip decompressed.

The decoded output is:

The first part, after the operations described above, yields an executable file:

The second part, after the same operations, also yields an executable file:

Thank you for reading this far. We will continue the analysis of the uncovered executables in the next part.
