{"id":854,"date":"2017-05-26T12:15:01","date_gmt":"2017-05-26T11:15:01","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=854"},"modified":"2017-05-31T09:39:34","modified_gmt":"2017-05-31T08:39:34","slug":"2017-05-26-jaff-ransomware-from-malspam","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=854","title":{"rendered":"2017-05-26 Jaff Ransomware From Malspam"},"content":{"rendered":"

So yesterday I came across some malspam that used a PDF with an embedded Word document in it that encrypted my test VM with the Jaff ransomeware. It looks like Brad (@Malware_Traffic<\/a>) received something very similar to me which you can read about here<\/a>. As a side note, I did get the script from the Word doc via OfficeMalScanner, but I am still trying to go through it since it does not make complete sense to me. If I make any progress on that I will do another blog post about it. Thankfully the malicious URLs are not obfuscated and are pretty obvious. <\/p>\n

A couple of updates to this post:
\n – I have managed to clean up the script from the Word doc and for the most part it makes sense. You can find that post here<\/a>.
\n – The pattern that I talk about below (6WLms4bGcHU5iDixvWv6Wmuql3ILxV8S) is the XOR key for the encoded binary. You can find that in packet 194 as per David Ledbetter\u200f @Ledtech3<\/a> in our Twitter conversation<\/a>. Thanks David!<\/p>\n

For the PCAP, Process Monitor, and artifacts from this writeup, check out my Github repo here<\/a>.<\/p>\n

Indicators of Compromise:
\n=========================
\n176.223.209.7 \/ bionorica[.]md (HTTP)
\n\t– http:\/\/virustotal.com\/en\/url\/1319e48ffff1f483c4417117b05adebf4332c2159f72a7c3f0298f63b9f40cdb\/analysis\/<\/a>
\ndorobratiohdtyszxwk[.]com (DNS)
\n\t– http:\/\/virustotal.com\/en\/url\/f47f9aa274b58f3c9aa0372a1dd51852e94206a2564043bb9f45b3db4feed5bc\/analysis\/<\/a>
\nbetter57toiuydof.net\/af\/TrfHn4 (Found in the script)
\n\t– http:\/\/virustotal.com\/en\/url\/ccc36efe7080f4639c4d335ce79db757abc6eda5a345dc34fa0231da1beec0b9\/analysis\/<\/a>
\nyoutoolgrabeertorse[.]org (Found in the script)
\n\t– http:\/\/virustotal.com\/en\/url\/2c3b14b70ff8ebbca7a20efc0d1d62f03dca63bded81158a086ef336a16a6a05\/analysis\/<\/a>
\nenseling-gmbh.de (Found in the script)
\n\t– http:\/\/virustotal.com\/en\/url\/4ee1064da2f5e6920221b280217456ff72e6186e88824ed7896067feee548c2c\/analysis\/<\/a><\/p>\n

Artifacts:
\n==========
\nFile name: 73065.pdf
\nFile size: 66KB
\nFile location: NA
\nMD5: 1d4d609c84602287536954ad4d892f34
\nVirustotal: http:\/\/virustotal.com\/en\/file\/0ef771f2b212042dc718078b0b8a51df2e26056773ff81b499c5e716bbf2b351\/analysis\/<\/a>
\nDetection ratio: 17 \/ 55
\nFirst submission: 2017-05-25 13:39:13 UTC
\nMalwr: NA
\nHybrid Analysis: NA <\/p>\n

File name: GXHK4ZU.doc
\nFile size: 104KB
\nFile location: NA
\nMD5: 7c6df429f3c306e48679341a63ebaa20
\nVirustotal: NA
\nMalwr: NA
\nHybrid Analysis: NA<\/p>\n

File name: TrfHn4[1].txt
\nFile size: 217 KB
\nFile location: C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\1LABJKYH\\
\nMD5: 9585bc2d5d63b189bf8455d2e05cfb5e
\nVirustotal: http:\/\/virustotal.com\/en\/file\/ba7952ae07b41d049ad82674aeffbd43a5079f1db10a941db6545490c6c386bd\/analysis\/<\/a>
\nDetection ratio: 2 \/ 56
\nFirst submission: 2017-05-25 11:47:44 UTC
\nMalwr: NA
\nHybrid Analysis: NA<\/p>\n

File name: fremsoho8
\nFile size: 217KB
\nFile location: C:\\Users\\%username%\\AppData\\Local\\Temp\\
\nMD5: 9585bc2d5d63b189bf8455d2e05cfb5e
\nVirustotal: http:\/\/virustotal.com\/en\/file\/ba7952ae07b41d049ad82674aeffbd43a5079f1db10a941db6545490c6c386bd\/analysis\/<\/a>
\nDetection ratio: 2 \/ 56
\nFirst submission: 2017-05-25 11:47:44 UTC
\nMalwr: NA
\nHybrid Analysis: NA <\/p>\n

File name: bruhadson8.exe
\nFile size: 217KB
\nFile location: C:\\Users\\%username%\\AppData\\Local\\Temp\\
\nMD5: fc8c82354bbc40f2662d577863c6b20f
\nVirustotal: http:\/\/virustotal.com\/en\/file\/2cc1d8edc318e0e09aad6afbc48999980f8e39e54734bca4c1a95c7b5db39569\/analysis\/<\/a>
\nDetection ratio: 34 \/ 61
\nFirst submission: 2017-05-25 11:44:54 UTC
\nMalwr: NA
\nHybrid Analysis: http:\/\/www.hybrid-analysis.com\/sample\/2cc1d8edc318e0e09aad6afbc48999980f8e39e54734bca4c1a95c7b5db39569?environmentId=100<\/a><\/p>\n

Analysis of Malware:
\n====================
\nThis looks to be a simple infection with not much complexity (outside of me not fully understanding the macro in the Word doc – different issue). <\/p>\n

\"\"<\/a><\/p>\n

The infection started when the following email was opened and the PDF was executed, which in turn suggested opening the Word document. <\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

Once the macro was run, there was a call from within the script to the domain “bionorica[.]md\/TrfHn4” (not sure why the others were not run as there was no DNS queries for them in my PCAP).<\/p>\n

\r\nShtefin = Replace("bionorica.md\/TrfHn4Vbetter57toiuydof.net\/af\/TrfHn4Vyoutoolgrabeertorse.org\/af\/TrfHn4Venseling-gmbh.de\/TrfHn4", "RRDD", "om")<\/pre>\n
\"\"<\/a><\/p>\n
Interestingly enough, if you use “Follow –> HTTP Stream” in Wireshark instead of “TCP Stream” (as I did in the above image) you will see a repeating pattern of “6WLms4bGcHU5iDixvWv6Wmuql3ILxV8S” within the traffic. I am not sure what this pattern is or if there is any significance to it but thought that I would mention it. ***See my update above as this is the XOR key.<\/p>\n
The request to the malicious site via the Word document saved the file to “C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\1LABJKYH\\” as a file called “TrfHn4[1].txt.”<\/p>\n
I assume that once this has been downloaded to the system, the script copied the file over to the %TEMP% location (C:\\Users\\%username%\\AppData\\Local\\Temp\\) and renamed the file to “fremsoho8” since there is a reference to this in one of the functions in the script and since the hashes, the sizes, and content of both files are exactly same.<\/p>\n
\r\nPublic Function SignIn_ProjectSpeed()\r\n\r\nGoTo labelBabel2\r\n    Set FSO = CreateObject("Scripting.FileSystemObject")\r\n\r\nSet oArgs = WScript.Arguments\r\nIf oArgs.Count = 1 Then\r\n        strComputer = CStr(oArgs(0))\r\nElse\r\n    strComputer = InputBox("Enter computer name")\r\nEnd If\r\n\r\nSet objWMIService = GetObject("winmgmts:\\\\" & strComputer & "\\root\\CIMV2")\r\n\r\nlabelBabel2:\r\n SignIn_Project = SignIn_LAKOPPC\r\n SignIn_PathTo2 = SignIn_Project + "\\fremsoho" + CStr(itemI)\r\n\r\n\r\nGoTo labelBabel3\r\n    \r\nlabelBabel3:\r\nSignIn_Project = SignIn_Project + Replace(MotoGP(12), ".", CStr(itemI) + ".")\r\n SubProperty.Type = 1\r\nEnd Function<\/pre>\n
Then the malicious binary called “bruhadson8.exe” is created from the Word document and then proceeded to run.<\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n
After it searched through the registry and made some adjustments to values there, it started writing out the instructions for decrypting files in the various folders and appending the extension “.wlu” to the end of files that it encrypted.<\/p>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n
Lastly, there was a DNS request to “dorobratiohdtyszxwk[.]com” but there was no such domain in my example. From what Brad was able to see in his example; this was a callback once the system was infected. I looked at the malicious binary using the STRINGS command and I could not see any reference to this domain, so I decided to run “bruhadson8.exe” again and suspend the process and use a tool called “Strings2” to look at the process while in memory and pipe that out to a log file. In the log I could see that there was a single line for “hxxp:\/\/dorobratiohdtyszxwk[.]com\/a5\/.” Looking up the domain in Virustotal and trying the IP addresses from the passive DNS results, I was able to reach the site this time, but nothing was pulled back or seen. <\/p>\n","protected":false},"excerpt":{"rendered":"
So yesterday I came across some malspam that used a PDF with an embedded Word document in it that encrypted my test VM with the Jaff ransomeware. It looks like Brad (@Malware_Traffic) received something very similar to me which you can read about here. As a side note, I did get the script from the Word doc via OfficeMalScanner, but I am still trying to go through it since it does not make complete sense to me. If I make any progress on that I will do another blog post about it. Thankfully the malicious URLs are not obfuscated and…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-854","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/854","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=854"}],"version-history":[{"count":4,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/854\/revisions"}],"predecessor-version":[{"id":876,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/854\/revisions\/876"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=854"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=854"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=854"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}