[Solved] F2K0 Software - Malware Analysis Warning
Good Afternoon TheBATeam!
My name is Zeek Halkyr, I am the mini admin and manager of the Discord channel for TheBATeam. After an extended discussion and malware analysis, with the community helping me in the public chat, we have come to the conclusion from our research that a popular "Batch To EXE" container by F2K0 (or "compiler", as some people refer to it) can be considered malicious, and users are advised not to develop with this platform.
Here I will share what we know, what the information means, and why it matters. I will also give the community some alternatives for this software, one of which is paid and the rest are open source.
- What is a "Batch To EXE" Converter -
Before I get into the malware analysis, here is a short summary of what a Batch To EXE converter is. This type of software allows you to obfuscate your batch script (or a collection of scripts) into a container program in EXE format.
There are typically two types of these converters. The first type, which I like to call a "Container" type, simply embeds your file (with potentially some obfuscation) into a C/C++/C# program, compiles it, and at runtime extracts the file into a temporary folder and runs it. These have security flaws (like the ability to intercept the file at runtime and steal the code), but they are the most popular and the only efficient version at this time. Another, theoretical type, one which hasn't been fully constructed, is a "Compiler" type. In this type, your code is physically converted to a different language, say a C representation of the basic batch functions, and the resulting code is actually compiled into an EXE. There have been some small implementations of this on top of a popular paid converter created by BDargo.
- F2K0's Bat To Exe Converter -
F2K0 released a Bat To Exe converter as early as 2016 and provided updates until 2018. The design was simple and useful and allowed a simple batch script to be immediately compiled into an EXE with embedded application info, an admin manifest, and even experimental UPX compression. An example of the program's UI can be found here: https://imgur.com/a/E8VSq0R
As far as we knew, the software was safe up until a large number of AV products were triggered by a recent version. Following this, subsequent and previous versions of the software were flagged by over 10 major AV vendors (Windows Defender, BitDefender, McAfee, Norton).
- The Analysis -
After receiving the topic in the Discord, I took the liberty of requesting a VirusTotal sample from another machine.
The original source file is 1KB and simply echoes hello world. After compilation, the file size grew to about 90KB: an overhead of nearly 80KB. Far too much for a simple extract-and-execute.
Looking deeper into the file by scanning it with VirusTotal, we came across many security threats. The full sample can be viewed here. I will summarize the threats we analyzed from it:
- The file imported non-essential DLL functions that are unnecessary for the program. These included multiprocessing/multithreading modules (CriticalSection, Threads, etc.; the program shouldn't be running multiple programs at once) and many Kernel32.dll modules. Some of these modules and functions are safe, but the amount of threading and system memory collection that was used was suspicious.
- Furthermore, there were only 4096 bytes of official code. The rest of the data (and the 80KB overhead) was in a read-only data section and a .text section (the latter containing nearly 50KB of data). As our text file containing the batch code was less than 2 kilobytes, this 50KB of extra data is non-essential and is something the converter inserted. As this overhead is large enough to contain a small assembly or C program, this is highly suspicious.
- Finally, at runtime the process read/created five separate TMP files of around 10KB each. These files contained garbage data that I was not able to successfully decompile, but this is unexpected behavior for a container executable for a batch script.
This concludes the bulk of the "standard" analysis. As you can see above, there is definite suspicion of unwanted and potentially dangerous activity happening in this program. However, we will go deeper into this executable below.
- What Is In That Read-Only Data? -
For the sake of ensuring others' security, I took the liberty of running an instance of the compiler and compiling a small executable; after this, I decided to decompile the program with a disassembler. I assumed the program was a C/C++ program (judging by file size) and was meant for 32-bit Intel processors.
When disassembling the program, I didn't expect to understand its logic, as it was mainly built in C and the code is not optimized for peeking at in assembly.
What I found in the data was a large section of "DB" operands. These denote a byte of data, and what I found (with the inline comments of my disassembler showing the contents of these bytes) was random characters spread out. I was unable to efficiently decompile these characters as if they were a program, but my decompiler successfully registered non-garbage code (shifting registers around and many, many, MANY bytes being defined). Furthermore, the .rdata is marked as read-only and was likely copied to a .tmp file (the size of the .data was around the same as the .tmp files I accounted for).
- The Conclusion -
The summary of this is that there is a lot of suspicious access and many suspicious systems being used by F2K0's converter, and I strongly suggest you do not use this program.
A list of alternatives I would suggest you consider:
- Advanced Bat To Exe Converter (PAID) By BDargo
- B2EV By Tsnake (Lightweight)
- Jobfuscator (Online)
- Slimm Bat To Exe
Thank you for your time, and stay safe.
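The post's section-size and overhead reasoning can be reproduced mechanically rather than by eyeballing a disassembler. The following script is an added example, not code from the original post or from any of the tools it names: it parses the PE section table of an executable, decodes each section's permissions, locates which section holds the embedded batch script (by searching for a marker string), and computes how much of the file is not the script itself. Because it has to run offline, the PE it analyzes is a constructed stand-in whose section sizes mimic the numbers quoted above (a ~50KB .text section and a large read-only data section wrapping a ~1KB script); it is not a real F2K0 output and is not a runnable EXE. On a real file you would pass the bytes read from disk to `overhead_report` (or use the `pefile` library, which exposes the same headers more completely). The marker `@echo off` and the "4x the script size" threshold are assumptions chosen for the example.

```python
"""Minimal PE section triage for a 'batch to exe' container (added example)."""
import struct
from typing import List, Optional, Tuple

# Documented PE/COFF constants.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER_SIZE = 40


def parse_pe(data: bytes) -> dict:
    """Return the machine type and section table of a PE image (raw file bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sect_off = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = sect_off + i * SECTION_HEADER_SIZE
        name, vsize, _vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": rawsize, "raw_ptr": rawptr,
            "code": bool(chars & IMAGE_SCN_CNT_CODE),
            "read": bool(chars & IMAGE_SCN_MEM_READ),
            "write": bool(chars & IMAGE_SCN_MEM_WRITE),
            "execute": bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return {"machine": machine, "is_x86_32": machine == IMAGE_FILE_MACHINE_I386,
            "sections": sections}


def find_payload(data: bytes, sections: list, marker: bytes = b"@echo off") -> Optional[str]:
    """Name of the first section whose raw bytes contain the batch marker, if any."""
    for s in sections:
        if marker in data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]:
            return s["name"]
    return None


def overhead_report(data: bytes, script_size: int) -> dict:
    """Compare every section against the size of the script the EXE should wrap."""
    pe = parse_pe(data)
    total = sum(s["raw_size"] for s in pe["sections"])
    return {
        "is_x86_32": pe["is_x86_32"],
        "total_section_bytes": total,
        "overhead_bytes": total - script_size,
        "payload_section": find_payload(data, pe["sections"]),
        # Assumed heuristic: any section over 4x the script is worth a closer look.
        "oversized_sections": [s["name"] for s in pe["sections"]
                               if s["raw_size"] > 4 * script_size],
        # Writable+executable sections are a classic unpacker/shellcode smell.
        "writable_code_sections": [s["name"] for s in pe["sections"]
                                   if s["execute"] and s["write"]],
    }


def build_sample_pe(sections: List[Tuple[bytes, bytes, int]]) -> bytes:
    """Constructed minimal 32-bit PE from (name, content, characteristics) triples.
    Only the fields parse_pe reads are meaningful; the result is not a runnable EXE."""
    opt = bytes(224)  # zeroed PE32 optional header (size 0xE0)
    file_align = 0x200
    headers_len = 0x40 + 4 + 20 + len(opt) + len(sections) * SECTION_HEADER_SIZE
    first_raw = (headers_len + file_align - 1) // file_align * file_align
    raw_ptr, vaddr, table, body = first_raw, 0x1000, b"", b""
    for name, content, chars in sections:
        raw_size = (len(content) + file_align - 1) // file_align * file_align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(content), vaddr,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += content.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += (len(content) + 0xFFF) // 0x1000 * 0x1000
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections), 0, 0, 0,
                       len(opt), 0x0102)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0") + body


# Constructed sample mirroring the post's numbers: tiny script, big .text, big .rdata.
SCRIPT = b"@echo off\r\necho hello world\r\npause\r\n"
SAMPLE_PE = build_sample_pe([
    (b".text", bytes(50 * 1024), IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rdata", SCRIPT + bytes(30 * 1024), IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".data", bytes(4096), IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    import json
    print(json.dumps(overhead_report(SAMPLE_PE, 1024), indent=2))
```

The report tells you, in one pass, what the post had to infer by hand: which section actually carries the script, how many bytes of the file have nothing to do with it, and whether any section is both writable and executable. A large non-script section is not proof of malice by itself (a statically linked C runtime easily adds tens of KB), so treat the oversized list as a pointer to what to disassemble next, not as a verdict.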
Wow! This is really very informative and important, as I used to compile my projects using this program - but as soon as it started giving me a hard time with antivirus false alarms, I decided to rely more on the source code than on sharing the executable file with others.
And sharing source code instead of an EXE also builds trust between programmers. Can you do me one little favor? Please share the link to the public chat (if possible), and also some informative screenshots or a short video / GIF - if you can attach any such material here in the comments, it will be easier for others to understand as well.
And I have noticed that at the end you have provided some alternative solutions to minimize the problem; please also give links to these programs, so others can easily find them and use them as per their convenience.
Thank you so much for sharing it with all of us.