Monthly Archives: March 2019

Microsoft Shortcut (LNK) trojan malware


I have downloaded this Microsoft shortcut malicious sample from Virustotal for analysis

After downloading, I renamed as sample.lnk. (Microsoft shortcut extension .LNK)

When I opened properties tab of this file, found below properties which clearly shows its now shortcut of any application but a PowerShell script which executed on opening.

  • Target Type: Application
  • Target: PowerShell scrip
  • Description: Windows PowerShell

b4_4

b4_1

 

I copied and pasted PowerShell script to text file.

b4_2

Behavior of PowerShell script:

  • Download another PowerShell script out-763347625.ps1 from URL https[:]// latinotca-ar[.]com

I double click on it to check the behavior, a command prompt windows opened and closed.

I could see the PowerShell script executed and tried to connect to the URL. WireShark captured the network traffic.

b4_3.PNG

b4_5

 

The web site has taken down. I tried to open the URL in browser, URL is inaccessible.

VIrusTotal sample:

SHA-256: 5c5c2c6197d4b1c24c438b8fb0452257c9e4085ac59297a985ec92ef1720b74d

 

Emotet malware analysis


VirusTotal sample – c9bdfb2d6ac9e493bc391b2f64b48d8d5cde10645ea921951b23112e6d73545c

File Type: Microsoft Word Document

Document Property:

I have used Oletools to analyse word document properties and analyse content.

wm2.PNG

wm3.PNG

This word document has VBA macros.

After parsing word document using olevba, this tells, file has suspicious hex string and Base64 strings.

And file has below macros,

  • LUDoB_BX.cls
  • fkkkCAk.bas
  • ZAAcAA.bas

And macros will auto execute on opening document

wm4.PNG

I start debugging macros in word document,

wm5.PNG

After Enable Editing, Open View Macros under View tab

wm6

wm7

Click on Edit and change autoopen() function to autoopen2().

wm8

There are many small chunks of Base64 strings which  are concatenating and creating a PowerShell script I have captured the Base64 string in text file and tried to decode. I didn’t get the complete base64 but some part of it and can be recognized it is PowerShell script.

wm14.PNG

(nEw-OBJECt sySTeM.Io.comPReSsIOn.dEfLatEstReAM( [Io.mEMORystREam] [coNverT]::FrOMbase64stRING((‘ZZJh’+’i’+’5’+’tAEIb/y’+’n’+’4’+’QNiFVz9YP5US4MbYSS’+’gOmhLN’+’H’+’QXQz’+’6kbd9XSjOUL’+’+e’+’zdtJbSdb7s87z’+’vDO2’+’O8g’+’q5’+’z4P’+’r0E’+’EA’+’an8’+’OI’+’esbXKA5TGfoCJ1PmR2SK’+’bFFZz5ivG45’+’CecZrKJMA’+’wKeV’+’Ut2jbW’+’M’+’7
IArsj9xisrWnzmRSKI3’+’a’+’u’+’9’+’2Xk/10wwbNVRmTQ6npG’+’csO’+’LRe24’+’zjuHZq’+’m’+’yaoy’+’c’+’chPvF’+’F’+’Z1w3/e’+’k4’+’f’+’FLs9Cl’+’7aT’+’v5’+’b+EfXv2Wi63FQv’+’zSs5Gau/Y/’+’tJ’+’7m9N’+’xiwH3nBR/’+’zPeDdubW’+’p96xquFvSJLj1j1Pk44’+’L74N’+’N’+’iDT

during debugging, I got the below values are stored in the variable YAAAAAA and it is reading registry key values.

wm9

wm10

wm13.PNG

while debugging, I captured traffic using WireShark and found, connection has been made to web site emseenerji[.]com at IP 94[.]73[.]147[.]237. URL is still alive and can be accessed.

wm11.PNG

wm12.PNG

The complete URL which was accessed by this program http:// emseenerji[.]com/wp-content/RRKu/

My host machine AV blocked this URL and I couldn’t analyze traffic further from this URL to my VM.

Thank you.

HelpMe.exe malware


VirusTotal: 

SHA256 – 9ff1c8e6d80ebf5626714362cbc55a53ba17038e841773d24fdc018891adb52e

Tools used for analysis: OllydbgWireSharkPEExplorer,

I started debugging using Ollydbg. The first warning I received is

“Module ‘AutoRUN_’ has entry point outside the code (as specified in the PE header). Maybe this file is self-extracting or self-modifying. Please keep it in mind when setting breakpoints!”

1.PNG

The executable file extracts HelpMe.exe file and copy it to C:\Windows\System32

6.PNG

2

Also it got extracted AUTORUN_INF.exe file at C:\ location. same location it create files

AUTORUN.ini file

4

3

AutoRun.exe file executes HelpMe.exe file.

This also adds HelpMe.exe file to Startup programs and rename shortcut icon to Soft

soft ink

StartUp

Behavior of this malware I observed is, this gets replicated itself and and creates/hides word, pdf, xsls and  pages document files under RecycleBin folder.

5

I also observed the HelpMe.exe keep changing location from C:\Windows\System32 to C:\Windows\SysWow64

I stopped my analysis here after spending 2 days as there are a lot of things this malware doing in background.

Thanks.