No detective work needed. Well, we didn’t have to try too hard to figure that one out! This COMMAND_C2 list contains both fake and legitimate domains. While the latter domains certainly look suspicious, the domain is known to be owned by Google. That is unlikely to be hosting malware or being used for C2 operations; if anything, the implant might reach out to it to hide alongside normal network traffic and "look legit." If you haven't seen these other domains before, feel free to add them to your IOC library or block them.

The takeaway here is that some hackers are bold and have the audacity to include these sensitive details right in their attack. If you think about it… why would they bother obfuscating? If this malware is still going to be effective, and your antivirus or EDR solution doesn’t pick up on it, who needs to go through all those extra steps? We wanted to share this with you because, hopefully, you get a chuckle out of it too.

But Wait, There’s More!

Maybe we have a strange sense of humor laughing at malware? After further research, it seems this sample is dubbed throughout the community as "Valak." It wouldn’t be a Huntress blog post if we didn’t go through at least some analysis of this malware, would it? So let’s dive into the rest of this JavaScript code.

Beneath the client_config definition you saw above, the code continues with this:

Here, a Client object is being defined, and it stitches in a property CoMainObject so it can access the WScript.Shell functionality. We said this was JavaScript code, but because it is loading an ActiveXObject we can safely say this is JScript (the Microsoft-specific dialect of JavaScript that can access more Windows internals via Internet Explorer). It uses this WScript.Shell in an inline LoadLibraryReg function, which we can see reads the contents out of a Windows Registry value:

HKEY_CURRENT_USER\Software\ApplicationContainer\Appsw64\WebLib32

This Registry data must be something pre-planted with the malware. We can see just following that, the LibraryLoadContext function seems to eval the contents of that Registry value. The eval statement executes a string value as if it were code. So, we can deduce that the Registry value contained more JavaScript code that has now been brought into this context. Just after, more properties are set for the Client object, all pulled from a variable with a corresponding name. One interesting property that has been set is the GlobalStrings. We will see that used throughout the rest of the code.

In the next segment of code we see two new functions, PrepareExectionTask and ExecutePlugin. Yes, that typo is really in the source code: it is in fact Exection. The PrepareExectionTask function is interesting, because we see it calculate the current time, handle it properly as a string, and even add a minute buffer. We then see the code prepare both an execCommand and a taskCommand separately, using Windows Management Instrumentation (WMI) and a "task" to execute the code. This preparation of a time variable, adding an extra minute to the current time, and the creation of a "task" variable lead us to believe the malware is in fact creating a Scheduled Task to execute what it needs to. The GlobalStrings properties WMIC_EXEC and TASK_CREATE are used to craft a custom command that is populated with the arguments passed in.

The ExecutePlugin function seems to prepare a command utilizing a file present in the TEMP directory, based on this specific target’s unique identification number. Again, it prepares a WMIC command and executes it, this time without the use of a Scheduled Task. Considering this pluginID is passed as an argument to the unique.bin file, that file is likely already present on the victim, pre-planted much like the Registry value.

The GetTask function that our Client object can perform begins with a for loop that iterates through all of the C2 servers we saw previously, to check if there is a new task for it to execute. Personally, I think this is the most interesting function to look through. These act like beacons, and this C2 code controls the implants to run commands and continue post-exploitation ops.
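Two of the artifacts above are easy to hunt for offline: the pre-planted Registry value that LibraryLoadContext hands to eval, and the COMMAND_C2 list that mixes a Google-owned domain with suspicious ones. The following is an added example written for this page, not code from the Huntress post or from Valak. It parses a constructed `reg export` fragment, assumes WebLib32 is a value under the Appsw64 key (the post gives only the full path), and triages a constructed stand-in for COMMAND_C2, since the post does not name the domains.

```python
"""Hunt for the pre-planted Registry value and triage the COMMAND_C2 list.

Added example, not code from the Huntress post. The .reg text below is
constructed, and it assumes WebLib32 is a value under the Appsw64 key
(the post only gives the full path). The domain names are constructed
stand-ins, since the post does not name the C2 domains or the Google one.
"""
import re

IOC_KEY = r"HKEY_CURRENT_USER\Software\ApplicationContainer\Appsw64"
IOC_VALUE = "WebLib32"  # assumption: value name, not a subkey

# Constructed fragment of a `reg export` file; the JScript snippet is a
# placeholder that merely carries the tokens the post describes.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ApplicationContainer\Appsw64]
"WebLib32"="var CoMainObject = new ActiveXObject(\"WScript.Shell\"); this.GlobalStrings = {};"

[HKEY_CURRENT_USER\Software\ExampleVendor\Settings]
"Theme"="dark"
'''

# Tokens that mark a string as script rather than ordinary configuration data.
SCRIPT_MARKERS = ("ActiveXObject", "WScript.Shell", "eval(", "function(")

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo the two escapes .reg files use inside REG_SZ data."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key: {value_name: data}} for the REG_SZ entries of a .reg export."""
    result, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
        elif key is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                result[key][_unescape(m.group(1))] = _unescape(m.group(2))
    return result


def find_planted_script(export_text, key=IOC_KEY, value=IOC_VALUE):
    """Return (data, markers_found) if the IOC value exists, else None.

    A non-empty marker list means the value holds code, which is exactly
    what LibraryLoadContext would hand to eval.
    """
    data = parse_reg_export(export_text).get(key, {}).get(value)
    if data is None:
        return None
    return data, [m for m in SCRIPT_MARKERS if m in data]


# Constructed allowlist of registrable domains whose owner is verified.
KNOWN_LEGIT = {"google.com"}


def registrable(domain):
    """Crude eTLD+1: last two labels (enough for this triage, not for all TLDs)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def triage_c2(domains, allowlist=KNOWN_LEGIT):
    """Split a C2 candidate list into (block, allowlisted)."""
    block, allowed = [], []
    for d in domains:
        (allowed if registrable(d) in allowlist else block).append(d)
    return block, allowed


# Constructed stand-in for the post's COMMAND_C2 array.
COMMAND_C2 = ["www.google.com", "update-checker.example", "cdn-assets.example"]

if __name__ == "__main__":
    hit = find_planted_script(REG_EXPORT)
    print("Registry IOC present:", hit is not None, "script markers:", hit and hit[1])
    to_block, legit = triage_c2(COMMAND_C2)
    print("Block:", to_block, "| Allowlisted:", legit)
```

The marker check matters more than the key path alone: a value under an odd vendor-looking key is only a lead, but a REG_SZ that contains ActiveXObject or eval( is data that was written to be executed, which is the behaviour the post describes. The allowlist keeps a verified domain out of a block rule while the remaining entries go to the IOC library.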
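The PrepareExectionTask and ExecutePlugin behaviour, a script host crafting a WMIC command or a Scheduled Task due one minute out, leaves a process-creation trail that telemetry can flag. The following is an added example written for this page, not code from the Huntress post or from Valak. The events are constructed Sysmon-style process-creation records (Event ID 1 field names); their command lines illustrate the WMIC and task-creation pattern described above and are not the malware's exact strings, and the `%TEMP%\<unique-id>.bin` path is a labelled placeholder.

```python
"""Flag a script host handing execution to WMIC or to a Scheduled Task.

Added example, not code from the Huntress post. The records below are
constructed Sysmon-style process-creation events (Event ID 1 field names);
their command lines illustrate the WMIC / task-creation pattern the post
describes and are not the malware's exact strings. The one-minute lead
check mirrors the minute buffer PrepareExectionTask adds.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Child image -> pattern its command line must match to count as execution.
EXEC_PATTERNS = {
    "wmic.exe": re.compile(r"process\s+call\s+create", re.I),
    "schtasks.exe": re.compile(r"/create\b", re.I),
}
MAX_TASK_LEAD_MIN = 2  # a task due within this many minutes looks like "run now"

_START_TIME = re.compile(r"/st\s+(\d{2}):(\d{2})", re.I)

# Constructed sample events. LocalTime is the event's wall-clock HH:MM.
EVENTS = [
    {"EventID": 1, "LocalTime": "14:30",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic process call create "cmd /c %TEMP%\<unique-id>.bin"'},
    {"EventID": 1, "LocalTime": "14:30",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn Update /tr "cmd /c %TEMP%\<unique-id>.bin" /sc once /st 14:31'},
    {"EventID": 1, "LocalTime": "09:05",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},
    {"EventID": 1, "LocalTime": "09:06",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]


def task_lead_minutes(command_line, event_hhmm):
    """Minutes between the event and a schtasks /st time, or None if no /st."""
    m = _START_TIME.search(command_line)
    if not m:
        return None
    task_min = int(m.group(1)) * 60 + int(m.group(2))
    eh, em = (int(x) for x in event_hhmm.split(":"))
    return (task_min - (eh * 60 + em)) % (24 * 60)


def classify(event):
    """Return a reason string when the event matches, else None."""
    if event.get("EventID") != 1:
        return None
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent not in SCRIPT_HOSTS:
        return None
    pattern = EXEC_PATTERNS.get(child)
    cmd = event.get("CommandLine", "")
    if pattern is None or not pattern.search(cmd):
        return None
    reason = f"{parent} spawned {child} for execution"
    lead = task_lead_minutes(cmd, event.get("LocalTime", "00:00"))
    if lead is not None and lead <= MAX_TASK_LEAD_MIN:
        reason += f" (task due in {lead} min)"
    return reason


def scan(events):
    """Return [(index, reason)] for every event that matches."""
    hits = []
    for i, e in enumerate(events):
        reason = classify(e)
        if reason:
            hits.append((i, reason))
    return hits


if __name__ == "__main__":
    for i, reason in scan(EVENTS):
        print(f"event {i}: {reason}")
```

The parent check is what keeps the rule quiet: WMIC and schtasks are common from administrative shells, but a wscript.exe or cscript.exe parent launching them is rare in most estates. The `/st` lead-time check turns the minute buffer the post describes into a feature of the alert rather than a detail lost in the command line.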