2017-05-31 Cleaned Up Script from Jaff Ransomware

So last week I came across some malspam that used a PDF with an embedded Word document in it that encrypted my test VM with Jaff ransomware which I discussed here. Trying to figure out how the script worked, I came across some aspects/things that I had not seen done before. Here is my walk through of this script.

I started with the cleaned up scripts that made up the macro by using OfficeMalScanner against the Word document. Once I had the scripts, I walked through the code starting with the “ThisDocument” script. This is where the malicious macro will start from since the “autoopen” subroutine is listed here. What you will want to look for are calls to other sub-routines or functions in the various script files – in this case there is a function called Synomati and it passed the parameter “a4833.”

Sub autoopen()
SignIn_Fish = 0
Synomati "a4833"
End Sub

Looking for “Synomati” in all the scripts, you will see there are multiple hits for it in Module1 and Module2. Start with Module1 and you will see the following function.

Public Function Synomati(Comps)
	GoTo l12
	strComputer = Comps
	If InStr(1, strCaption, "Windows 7", vbTextCompare) Then
		Synomati = "Win7"
	End If
	If InStr(1, strCaption, "XP", vbTextCompare) Then
		Synomati = "XP"
	End If
	Dim c As STRIX
	Set c = New STRIX
	CallByName c, LocalBrowser.T2.Text, _VbMethod
End Function

You will immediately go to ‘l12’ which then proceeds to set some variables (one of which is the script STRIX), and calls a function in the STRIX script (LocalBrowser.T2.Text). **Note: this script uses GOTO statements throughout it. When looking through the STRIX script for the function LocalBrowser.T2.Text, I could not find it, but did notice that there was a function called “setAsMainTarget.”

Public Function setAsMainTarget() As String
tt = ThisDocument.BuiltInDocumentProperties("Content status").Value
	MotoGP = Split(tt, "Abcdef")
	privateProbeName = MotoGP(Quubo * 3)

	setAsMainTarget = ""

End Function

This got me thinking – why are there statements throughout the scripts called “LocalBrowser.” and in this one something being referenced in “ThisDocument” and it’s properties (especially the content status value)? After some time and some research, I came across the fact that the “ThisDocument.BuiltInDocumentProperties(“Content status”).Value” is actually found within the file information for the Word document itself.

Also, while looking at the code within the builtin VB editor in Word, I noticed that there was a form called “LocalBrowser.” Within this form there were other details that the scripts referenced as you can see below.

LocalBrowser.T2.Text -> setAsMainTarget
LocalBrowser.Label1.Caption -> rundll32.exe 
LocalBrowser.Command.Caption -> V
LocalBrowser.ZK.Caption -> http://
LocalBrowser.OptionButton1.Tag -> Open
LocalBrowser.ToggleButton1.Caption -> Send
LocalBrowser.Label2.Caption -> File

Now that the values for LocalBrowser. are known, and the fact that other values could be referenced from within the actual Word document itself, I could really start walking through the code. The cleaned up code can be found here.

***Note: The functions High4 / WidthA and possibly Subfunc, I believe, deal with encrypting the download of the binary from the compromised website since the PCAP has the repeated string of “6WLms4bGcHU5iDixvWv6Wmuql3ILxV8S” in it.

Leave a Reply

Your email address will not be published. Required fields are marked *