Blog

Informative, up-to-date and exciting – the Oneconsult Cybersecurity Blog.

Batch File Obfuscation Incident
Melanie Kubli
|
24.05.2023
(updated on: 24.05.2023)

Attackers use batch files to automate and speed up their work because they allow the execution of multiple commands. This way, the attacker does not need to provide any manual input but just needs to execute the malicious script on the victim’s system.

To prevent these malicious batch files from being detected by classic antivirus software, batch files are often further obfuscated using an obfuscator. We will tell you what can happen in such a case.

Batch File Obfuscation Incident

What is Batch File Obfuscation?

Batch file obfuscation is a method to reduce the readability and understandability of a batch file by obfuscating information. The reasons why batch files are obfuscated and how batch file obfuscation can be detected can be read here: An Introduction to Batch File Obfuscation

An Introducation to Batch File Obfuscation

Below, a practical example from a DFIR deployment is presented. The incident is related to the BlackBasta ransomware group. Oneconsult’s incident response team shows how they proceeded when encountering suspicious files and an unknown technique.

Suspicious Batch Files

The Oneconsult team found two strange batch files during an incident response engagement. These files aroused interest because they were stored in “C:\Windows\” and no batch files were expected in this location. First, the more straightforward batch file was analyzed, which uninstalls a monitoring component of Defender.

Contents of the First Batch File Found
Figure 1: Contents of the First Batch File Found

It became interesting when the second .bat file was opened in the editor. As seen in Figure 2, the foreign characters did not help in understanding how the batch file worked. Based on the file extension, it was assumed to be a .bat file using an obfuscation that has not been encountered before.

Batch File Found, Batch File Obfuscation
Figure 2: Batch File Found (Line Breaks Are Enabled)

Pursue Hypotheses

It was suspected that UTF BOMs were being used for confusion. BOM stands for Byte Order Mark and is a byte sequence appended to the beginning of a file. It is used as an identifier to define the byte order as well as the encoding form in UCS/Unicode strings. This allows different systems and text files to be represented correctly. In the past, UTF-16 was often used, which requires two or four bytes for encoding. In order for UTF-16 to be interpreted correctly, it must also be specified whether the bytes are read from left to right or the other way around. The first type of reading is called Big Endian (BE) and the second Little Endian (LE). If UTF-16 LE is to be interpreted, the string fffe (hexadecimal) can be specified at the beginning of a file. Nowadays mainly UTF-8 is used, which supports characters with a length of up to four bytes.

To investigate this, the file was uploaded to CyberChef. CyberChef can be used to quickly and easily apply different transformations to an input. This is especially helpful in DFIR deployments, as hypotheses can be tested without much effort. As can be seen in Figure 3, certain elements are directly readable.

Opened File in CyberChef, Batch File Obfuscation
Figure 3: Opened File in CyberChef

Search for Suitable Obfuscator

A Google search for the term “batch file obfuscation” was performed to understand the obfuscation. One of the first hits points to a GitHub repository that provides an obfuscator for batch files. The provided example shows a significant similarity to the batch file found. The two tricks behind this obfuscation could be understood by skimming the code. As suspected, the first step was to put a wrong UTF BOM at the beginning of the malicious .bat file, in this case, UTF-16 LE. CyberChef does not interpret this BOM, so certain strings are recognizable. Also, cmd.exe does not interpret this BOM, so the code is executed exactly as in the original batch file. The second trick is due to Batch’s syntax on how to access substrings (see asciich.ch). A substring extracts a certain number of characters from a string. The content of the defined string "%VARIABLE_NAME"is output from the "START POSITION" parameter, while the number of characters to be output is determined by the "NUMBER" parameter:

%VARIABLE NAME:~START POSITION,NUMBER SIGN%

An example of this substring approach is demonstrated in Figure 4. Here, the variable "oc" is assigned the string “I hope your week has gotten off to a great start!”. The set command is responsible for setting the variable and with the command “echo” the whole string can be displayed. Now, in the third line, only the part starting from the thirty-seventh character is to be echoed; this is achieved with "%oc:~37%". With "%oc:~37,5", it is determined that from the thirty seventh character, the next 5 characters are to be the output. 

Example for Accessing Substrings
Figure 4: Example for Accessing Substrings

Deobfuscation

In the malicious batch file, a randomly named variable "¯ÃÃÃ" was also defined and assigned a string. This string contains all characters used in the (un-obfuscated) original file. Thus, any character (and thus the program logic) in the original file can be reconstructed by the described substring approach. As can be seen in Figure 5, “%¯ÃÃÃ:~11.1%" becomes "p" and "%¯ÃÃÃ:~15.1%" becomes "o".

Manual Reconstruction of the Original Content Using cmd.exe, Deobfuscation
Figure 5: Manual Reconstruction of the Original Content Using cmd.exe

So that this does not have to be done for each character; this process can be simplified. For this, the content of CyberChef was copied and pasted into a new .bat file. At the beginning of each line, except the line with “set”, the command “echo” was placed. The newly created batch file can be seen in Figure 6.

New Batch File for Reconstruction, Deobfuscation
Figure 6: New Batch File for Reconstruction

The created batch file can now be executed in a VM. Execution in a VM prevents the attacker’s intended commands from being run on a real and valuable system. In general, suspicious files should always be executed in a virtual environment and never on a valuable host system. Figure 7 shows the actual contents of the malicious batch file. The attacker intended to disable Windows Defender with the first two commands, and with the last command, Windows Defender is supposed to be uninstalled.

Original Contents of the Malicious Batch File, Deobfuscation
Figure 7: Original Contents of the Malicious Batch File

What has not been addressed so far is that the obfuscator has defined certain special rules. These insert additional symbols between certain substrings. An example of such additional symbols can be seen in Figure 8. However, this is not relevant to understanding the batch file’s purpose. If this disturbs the reconstruction, these characters can be removed manually.

Additional Symbols Between Substrings, Deobfuscation
Figure 8: Additional Symbols Between Substrings

Summary

In this batch file obfuscation technique, the first step is to convert UTF-8 to UTF-16 LE using BOM. This means that when the file is checked with a text editor, the actual functionality cannot be understood. If this BOM is removed or opened with a tool that ignores it, some program elements can be identified. To further understand the entire content, the syntax used by Batch must be understood. After this, the individual letters and commands can be reconstructed. Attackers use various obfuscation techniques or develop them further, leading to unknown techniques being encountered. Therefore, getting an initial overview using a Google search is always advisable.

Do you still have questions about the batch file obfuscation technique or need support? Our Digital Forensics and Incident Response Team will be happy to help. We look forward to hearing from you.

Author

Since 2022, Melanie Kubli has been working as a DFIR Specialist at Oneconsult. She is a GIAC Certified Forensic Examiner and holds a “Blue Team Level 1” certification.

LinkedIn

Don’t miss anything! Subscribe to our free newsletter.

Your security is our top priority – our specialists provide you with professional support.

Availability Monday to Friday 8:00 a.m. – 6:00 p.m (exception: customers with SLA – please call the 24/7 IRR emergency number).

Private individuals please contact your trusted IT service provider or the local police station.

For more information about our DFIR services here:

QR_CSIRT_2022_EN@2x
Add CSIRT to contacts