This article demonstrates how CyberChef can deobfuscate a .vbs loader used by Nanocore malware, outlining the obfuscation techniques and a step-by-step workflow to reveal the payload. It covers ASCII conversions, hex/decimal mixing, math-based decoding, and regex-driven parsing, culminating in a PowerShell command that executes the Nanocore payload. #Nanocore #MalwareBazaar #CyberChef
Key points
- CyberChef is a powerful tool for malware analysis and deobfuscation.
- The article focuses on a .vbs loader for Nanocore malware.
- Obfuscation techniques include ASCII charcodes and character conversions, alternating decimal and hex values, and alternating mathematical operations (addition/division).
- Regular expressions are used to isolate and manipulate obfuscated code.
- The deobfuscation process shows how values are divided and summed to reveal the original script, culminating in a PowerShell-based payload.
- The Nanocore payload is ultimately executed via a PowerShell command, with parts of it potentially embedded in the comments of the initial script; the sample is referenced on MalwareBazaar.
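The decoding steps the key points describe (regex isolation of Chr() calls, mixed decimal and &H hex literals, division then addition, charcode to character) as an added Python example; this is not code from the article or from CyberChef, and the obfuscated string it decodes is constructed here rather than taken from the Nanocore sample.

```python
import re

# Constructed sample, not the real loader: each character is Chr() of an expression
# that mixes decimal and &H-prefixed hex literals with '/' and '+', joined with '&'.
SAMPLE_VBS = (
    'Execute(Chr(224/2) & Chr(&HDE/2) & Chr(476/4+0) & Chr(&H41+36) & '
    'Chr(&H1C8/4) & Chr(230/2) & Chr(104/1) & Chr(&H65) & Chr(432/4) & Chr(&HD8/2))'
)

CHR_CALL = re.compile(r'Chr\(([^()]+)\)', re.IGNORECASE)   # isolate each Chr(...) argument
LITERAL = re.compile(r'^\s*(&H[0-9A-Fa-f]+|\d+)\s*$', re.IGNORECASE)


def parse_literal(tok):
    """Convert a VBScript numeric literal; an '&H' prefix means hexadecimal."""
    m = LITERAL.match(tok)
    if not m:
        raise ValueError(f"unsupported literal: {tok!r}")
    lit = m.group(1)
    return int(lit[2:], 16) if lit[:2].upper() == '&H' else int(lit)


def eval_expr(expr):
    """Evaluate a '+'/'/' expression: divide within each term, then sum the terms."""
    total = 0.0
    for term in expr.split('+'):
        factors = [parse_literal(f) for f in term.split('/')]
        value = float(factors[0])
        for f in factors[1:]:
            if f == 0:
                raise ZeroDivisionError(f"division by zero in {expr!r}")
            value /= f            # VBScript '/' is floating-point division
        total += value
    return total


def to_charcode(value):
    """VBScript Chr() coerces its argument to an integer with banker's rounding,
    which is also what Python's round() does; reject values outside 0..255."""
    code = round(value)
    if not 0 <= code <= 255:
        raise ValueError(f"charcode out of range: {value}")
    return code


def deobfuscate(vbs):
    """Rebuild the hidden string from every Chr() call found in the script text."""
    return ''.join(chr(to_charcode(eval_expr(m.group(1))))
                   for m in CHR_CALL.finditer(vbs))


if __name__ == '__main__':
    print(deobfuscate(SAMPLE_VBS))   # prints the recovered command name
```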
MITRE Techniques
- [T1059.001] PowerShell: command execution via PowerShell commands used to run the Nanocore payload. Quote: "Malware execution via PowerShell commands."
- [T1027] Obfuscated/Compressed Files and Information: obfuscation techniques used to hide malicious code. Quote: "Obfuscation techniques used to hide malicious code."
- [T1071] Command and Control: potential use of PowerShell for command and control communications. Quote: "Potential use of PowerShell for command and control communications."
Indicators of Compromise
- [Hash] SHA256 of the sample: c6092b1788722f82280d3dca79784556df6b8203f4d8f271c327582dd9dcf6e1
- [URL] Malware sample reference: https://bazaar.abuse.ch/sample/c6092b1788722f82280d3dca79784556df6b8203f4d8f271c327582dd9dcf6e1/?ref=embeeresearch.io
- [Domain] Domains referenced: bazaar.abuse.ch, embeeresearch.io