My first look at VBS.Dunihi

Some weeks ago I got two samples of VBS.Dunihi, so I decided to have a quick look. Obviously almost all AV vendors had no detection for it. I am pretty sure that there are plenty of reviews of this malware on the web already … but every time I decide to review “the stuff” myself, I learn something new.

Note: This research was performed in my personal, isolated, home-based AV lab.


VBS.Dunihi:
FILE: MerciJacquieMichel.vbe

Reports:

VT: 21/56

First submission 2015-01-29 13:36:40 UTC ( 7 months, 3 weeks ago )
Last submission 2015-09-21 13:31:38 UTC ( 20 hours, 44 minutes ago )


VT coverage is still quite low (keeping in mind that the file has been around for more than 7 months).
-This sample has a few obfuscation layers, which likely makes it harder to detect (especially when propagation is small).


Obfuscation:

The .vbe file extension suggests encoded VBScript content … so I would expect something like:

But this time the content was not encoded. (Apparently you can put ordinary, unencoded VBScript into a .vbe file and it is interpreted properly.)
-This could be used to bypass some poorly written IPS rules.
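A simple check a defender can run over scripts carrying the .vbe extension, added here as an example (not code from the post or from the sample): Windows Script Encoder output always starts with the marker `#@~^` followed by a base64 length field and `==`, and ends with `^#~@`. A .vbe file without those markers is cleartext VBScript hiding behind the extension, which is the case described above. The two sample contents are constructed for the demo; the encoded one uses a placeholder body, not real screnc output.

```python
import re

# Windows Script Encoder (screnc.exe) output starts with "#@~^", then a
# 6-character base64 length field and "==", and ends with a checksum field
# followed by "^#~@". Without these markers the .vbe is plain VBScript,
# which the script host still runs without complaint.
ENCODED_HEADER = re.compile(r"#@~\^[A-Za-z0-9+/]{6}==")
ENCODED_TRAILER = "^#~@"

# Constructed samples for the demo; not taken from the analysed file.
# The "encoded" body is a placeholder, not real screnc output.
PLAIN_VBE = 'WScript.Echo "hello"\r\n'
ENCODED_VBE = "#@~^FAAAAA==" + "X" * 24 + "AAAAAA==^#~@"


def classify_vbe(content: str) -> str:
    """'encoded' if both screnc markers are present, 'partial' if only one,
    'plain' if neither (cleartext VBScript behind a .vbe extension)."""
    body = content.lstrip("\ufeff \t\r\n")
    has_header = ENCODED_HEADER.match(body) is not None
    has_trailer = body.rstrip().endswith(ENCODED_TRAILER)
    if has_header and has_trailer:
        return "encoded"
    if has_header or has_trailer:
        return "partial"
    return "plain"


def flag_cleartext_vbe(filename: str, content: str) -> bool:
    """True when a file carries the .vbe extension but is not encoded at all.
    A rule that only inspects .vbs files, or that assumes every .vbe is
    encoded, would miss exactly this case."""
    return filename.lower().endswith(".vbe") and classify_vbe(content) == "plain"


if __name__ == "__main__":
    print("plain sample:", classify_vbe(PLAIN_VBE))
    print("encoded sample:", classify_vbe(ENCODED_VBE))
    print("flag:", flag_cleartext_vbe("MerciJacquieMichel.vbe", PLAIN_VBE))
```

The marker check is cheap enough to run in a mail gateway or endpoint script scanner; a .vbe that classifies as `plain` deserves the same inspection as any .vbs.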

The actual file content is funny. The file has 135 194 lines! (Fortunately, most of them are empty.) … The decoding flow is as follows:

Before empty lines removal:

After:

The huge number of lines is meant to make the analysis more difficult … but thanks to this layer I learned a useful Notepad++ function:

Once the base64 payload is decoded and executed, we get the following code:

Once the hex payload is decoded and executed, we get the following code:

Once decoded and executed, we get the final script:
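The decoding flow just described (strip the padding lines, decode the base64 layer, decode the hex layer, reach the final script) can be automated rather than done by hand in an editor. The following is an added example, not the post's own tooling: it peels the layers in that order from a constructed three-layer sample that mimics the described structure (the real script's wrapper names and payloads are not on the page, so `HexDecode`, `Base64Decode` and the payload strings here are my own). Hex is tried before base64 because a hex string is also valid base64 alphabet, and a decoded layer is accepted only if it is printable text.

```python
import base64
import binascii
import re

# Payloads in these scripts sit in string literals, so match long quoted runs.
# Hex is checked first: every hex string is also valid base64 alphabet.
HEX_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2}){20,})"')
BASE64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')


def strip_empty_lines(text: str) -> str:
    """Step one in the post: drop the padding lines that inflate the file."""
    return "\n".join(line for line in text.splitlines() if line.strip())


def line_stats(text: str) -> tuple:
    """(total lines, non-empty lines), to report how much of the file is padding."""
    lines = text.splitlines()
    return len(lines), sum(1 for line in lines if line.strip())


def _looks_like_script(data: bytes) -> bool:
    """Accept a decoded candidate only if it is printable ASCII text."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def decode_one_layer(text: str):
    """Return the next inner layer (hex first, then base64), or None at the end."""
    decoders = (
        (HEX_LITERAL, bytes.fromhex),
        (BASE64_LITERAL, lambda s: base64.b64decode(s, validate=True)),
    )
    for pattern, decoder in decoders:
        for match in pattern.finditer(text):
            try:
                data = decoder(match.group(1))
            except (ValueError, binascii.Error):
                continue
            if _looks_like_script(data):
                return data.decode("ascii")
    return None


def peel_layers(text: str, max_layers: int = 10) -> list:
    """Repeat strip -> decode until no further payload literal is found."""
    layers = [strip_empty_lines(text)]
    for _ in range(max_layers):
        inner = decode_one_layer(layers[-1])
        if inner is None:
            break
        layers.append(strip_empty_lines(inner))
    return layers


# Constructed three-layer sample mimicking the described flow (not the real script):
# final script -> hex literal inside a wrapper -> base64 literal padded with blank lines.
FINAL_SCRIPT = 'WScript.Echo "final stage: beacon to c2"'
HEX_LAYER = 'Execute(HexDecode("' + FINAL_SCRIPT.encode("ascii").hex() + '"))'
B64_LAYER = (
    "\n" * 300 + "Dim p"
    + "\n" * 300 + 'p = "' + base64.b64encode(HEX_LAYER.encode("ascii")).decode("ascii") + '"'
    + "\n" * 300 + "Execute(Base64Decode(p))" + "\n" * 300
)


if __name__ == "__main__":
    total, non_empty = line_stats(B64_LAYER)
    print(f"{total} lines, {non_empty} non-empty")
    for depth, layer in enumerate(peel_layers(B64_LAYER)):
        print(f"--- layer {depth} ---")
        print(layer)
```

On the constructed sample the outer file is 1200 lines with only 3 non-empty, and `peel_layers` returns the stripped outer script, the hex wrapper, and the final script. Against a real sample the two literal patterns are the parts to adjust; the loop and the printable-text acceptance test stay the same.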

Information:

The final script POSTs the following data to the C&C server:

-volumeserialnumber
-“%computername%”
-%username%
-operating system version
-“POUSSIN”
-antivirusproduct
-“true – ” & date OR “false – ” & date
-spliter = “<” & “|” & “>”
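Since the beacon is a fixed list of fields joined by the `<|>` splitter, and the P.S. below notes that both samples shared common strings, a structural check on POST bodies is a natural detection. The following is an added example (not the post's code): the field labels are mine, following the order listed above, and the exact wire format, URL path and host are assumptions used to build the constructed sample request; the meaning of the true/false flag is not stated on the page, so it is only pattern-matched.

```python
import re

# The script builds its separator as "<" & "|" & ">" (from the post).
SPLITTER = "<" + "|" + ">"

# Field labels are mine, in the order the post lists the beacon contents.
FIELDS = (
    "volumeserialnumber", "computername", "username",
    "os_version", "tag", "antivirusproduct", "flag_date",
)

# "true - " & date OR "false - " & date; the post renders the dash as an
# en dash, so accept either form.
FLAG_DATE = re.compile(r"^(true|false) [-\u2013] .+$")


def parse_beacon(body: str):
    """Split a POST body on the separator and validate its shape.
    Returns a dict of labelled fields, or None when the body does not fit."""
    parts = body.split(SPLITTER)
    if len(parts) != len(FIELDS):
        return None
    record = dict(zip(FIELDS, parts))
    if not FLAG_DATE.match(record["flag_date"]):
        return None
    return record


def is_dunihi_like_request(raw_request: str) -> bool:
    """Detection helper for an HTTP request captured as text: must be a POST
    whose body parses as a beacon. Headers and body split at the blank line."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    if not sep or not head.startswith("POST "):
        return False
    return parse_beacon(body) is not None


# Constructed sample traffic (not a real capture); path and host are placeholders.
BEACON_BODY = SPLITTER.join([
    "1A2B3C4D", "VICTIM-PC", "user", "Windows 7 Professional",
    "POUSSIN", "Windows Defender", "true - 2015-09-21",
])
BEACON_REQUEST = (
    "POST /beacon-placeholder HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(BEACON_BODY)}\r\n"
    "\r\n" + BEACON_BODY
)
BENIGN_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "\r\n"
    "user=bob&pass=secret"
)


if __name__ == "__main__":
    print(parse_beacon(BEACON_BODY))
    print("beacon:", is_dunihi_like_request(BEACON_REQUEST))
    print("benign:", is_dunihi_like_request(BENIGN_REQUEST))
```

Matching on the separator alone would be noisy; requiring exactly seven fields and the `true/false - date` tail keeps the check tight while still covering samples whose constant tag differs from `POUSSIN`.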

Script commands seem to be self-explanatory:

-“excecute”
-“update”
-“uninstall”
-“send”
-“site-send”
-“recv”
-“enum-driver”
-“enum-faf”
-“enum-process”
-“cmd-shell”
-“delete”
-“exit-process”
-“sleep”

Script functions and methods:
-function post (cmd ,param)
-function information
-function hwid
-function security
-function instance
-function upload (fileurl)
-function enumdriver ()
-function enumfaf (enumdir)
-function enumprocess ()
-sub install
-sub uninstall
-sub upstart ()
-sub sitedownloader (fileurl,filename)
-sub download (fileurl,filedir)
-sub exitprocess (pid)
-sub deletefaf (url)

P.S. The final-stage malware has several persistence mechanisms, and one of them is via USB drive 😉 (old school). Both samples shared common strings, which means an IPS rule for the POST requests shouldn’t be too difficult.

Regards,


Disclaimer:


All opinions and rants expressed are solely my own and do not express the views or opinions of my employer

All content and data is my own and does not represent work I have done for my employer.