Saturday, January 24, 2015

Using OfficeMalScanner to look at a Macro and more...

I came across a Microsoft Word document that contained a macro. I decided to tear it apart to understand it a little better. The steps I took are below:

1. I downloaded OfficeMalScanner from http://www.reconstructer.org/code.html and placed it in the same directory as the Word document. OfficeMalScanner could also be placed in a separate directory.

2. Ran OfficeMalScanner against the Macro:

3. Then used the "inflate" command to extract the contents of the file:

4. I then moved the decompressed files to the directory I am working in.

5. I ran the scanner on the first binary in the word/vbaProject.bin file and it extracted the contents of the macro:

6. With the macro extracted, let's take a look at its first few lines to find Indicators of Compromise (IOCs):

Looking at the first part of the extracted macro, we can see a filename to look for: "updater.exe" in the directory "C:\Users\<Username>\AppData\Local\Temp". If that directory does not exist, the macro instead places the file in "C:\Users\<Username>\AppData\" as "ntuserssc.exe".

7. Looking at more of the macro:

We notice that the fso, the File System Object, is used on an OLE-formatted object. We also see that the size of the object is comparable to SS, or 168,448 bytes.

8. Going back to the files that were extracted, let's find the file that is larger than 168k bytes:

The oleObject1.bin file is slightly larger than the 168k we are looking for.

9. I used hexdump on the file to see if I could pull out any more indicators:

Looking at this, we notice the filename "updater.exe" for the second time in our analysis, but we also see other strings that may be information about the creation of the malware:
"C:\Art\Clients\Jag\updater.exe" and "C:\Users\Em\AppData\Local\Temp\updater.exe"

Then we see where the binary starts, with the letters MZ.

10. Let's extract the binary from the file for further analysis using foremost.

Looking at the audit.txt file that foremost creates in the output folder, we see that 00000007.exe was extracted.
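Steps 8 through 10 can be automated. The following Python script is an added example, not code from this post, from OfficeMalScanner or from foremost: it lists the parts of the .docx zip, flags any part at least as large as the SS value the macro compares against (168,448 bytes), finds an embedded PE image in that part by checking that the "MZ" header's e_lfanew field points at a "PE\0\0" signature, carves it, and pulls path-like and executable-like strings out of it as candidate IOCs. The document it opens is constructed in memory and is not the file analysed above; the part name oleObject1.bin, the 168,448-byte threshold and the planted strings come from the post, while the word/embeddings/ location and everything else about the sample are assumptions.

```python
# Added example, not code from the post, OfficeMalScanner or foremost.
# Automates steps 8-10: list OOXML parts, flag parts >= SS, locate and carve
# an embedded PE image, and extract path/executable strings as candidate IOCs.
import io
import re
import struct
import zipfile

SS_THRESHOLD = 168_448  # value of SS the macro compares the object size against

ASCII_STR = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_STR = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\s]{2,200}')
EXE_RE = re.compile(r"[A-Za-z0-9_\-.]{1,60}\.(?:exe|dll|bat|vbs|scr)", re.IGNORECASE)


def list_parts(docx_bytes):
    """Map part name -> uncompressed size for every part in the zip."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return {i.filename: i.file_size for i in zf.infolist()}


def large_parts(docx_bytes, threshold=SS_THRESHOLD):
    """Parts whose size meets the threshold (step 8, done by hand in the post)."""
    return sorted(n for n, s in list_parts(docx_bytes).items() if s >= threshold)


def read_part(docx_bytes, name):
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return zf.read(name)


def find_pe_offset(data):
    """Offset of the first 'MZ' whose e_lfanew points at 'PE\\0\\0', or -1.
    Checking e_lfanew avoids carving on a stray 'MZ' in unrelated data."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if data[sig:sig + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def carve_pe(data):
    """Bytes from the PE header to the end of the container (the equivalent of
    what foremost recovered as 00000007.exe), or b'' if no PE is present."""
    off = find_pe_offset(data)
    return data[off:] if off != -1 else b""


def strings(data):
    """Printable ASCII and UTF-16LE runs of at least four characters."""
    out = [m.group().decode("ascii") for m in ASCII_STR.finditer(data)]
    out += [m.group().decode("utf-16le") for m in WIDE_STR.finditer(data)]
    return out


def extract_indicators(data):
    """Sorted set of Windows paths and executable names found in data."""
    hits = set()
    for s in strings(data):
        hits.update(m.group() for m in PATH_RE.finditer(s))
        hits.update(m.group() for m in EXE_RE.finditer(s))
    return sorted(hits)


def triage(docx_bytes):
    """Run the whole workflow and return a summary dict."""
    report = {"large_parts": large_parts(docx_bytes), "pe": {}, "indicators": []}
    for name in report["large_parts"]:
        part = read_part(docx_bytes, name)
        off = find_pe_offset(part)
        if off != -1:
            pe = part[off:]
            report["pe"][name] = {"offset": off, "size": len(pe)}
            report["indicators"] = extract_indicators(pe)
    return report


def build_sample_docx():
    """Constructed stand-in for the document in the post (not the real file):
    a minimal .docx whose embedded OLE part holds a fake PE after padding."""
    fake_pe = bytearray(b"MZ" + b"\x00" * 0x3A)      # DOS header up to e_lfanew
    fake_pe += struct.pack("<I", 0x80)                # e_lfanew -> offset 0x80
    fake_pe += b"\x00" * (0x80 - len(fake_pe))
    fake_pe += b"PE\x00\x00" + b"\x00" * 20           # NT signature, dummy header
    fake_pe += b"C:\\Art\\Clients\\Jag\\updater.exe\x00\x00"
    fake_pe += "C:\\Users\\Em\\AppData\\Local\\Temp\\updater.exe".encode("utf-16le")
    fake_pe += b"\x00\x00ntuserssc.exe\x00"
    ole = b"\x01\x05" + b"\x00" * 1500 + bytes(fake_pe)  # OLE wrapper padding
    ole += b"\x00" * (SS_THRESHOLD + 512 - len(ole))     # slightly over SS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 4096)
        zf.writestr("word/embeddings/oleObject1.bin", ole)  # assumed location
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage(build_sample_docx()).items():
        print(key, value)
```

On a real document, replace build_sample_docx() with the bytes of the file; the carved image is only valid if the MZ/PE checks pass, and the strings it yields are leads to confirm, as the post does, against the macro and the sandbox reports.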

11. Uploading this file to VirusTotal returned the results on the following page, if you are interested:
https://www.virustotal.com/en/file/585b38c11e98a2c5891d7f4cbee40bb919ea19ceb12705eabab21dccb10b1328/analysis/

12. I started looking at the information provided by the anti-virus vendors about this malware. The following write-up from ESET was close to my assessment so far, comparing what it found to the strings in the binary:
http://www.virusradar.com/en/Win32_TrojanDownloader.Hancitor.B/description

Symantec calls it a Remote Access Trojan (RAT):
http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26353

13. I then uploaded it to Anubis, a binary analysis service that I like to use:
https://anubis.iseclab.org/?action=result&task_id=1691a5a5dccc212d4b192dc1fb187553e&format=html

Its assessment again showed some of the commands found in the ESET write-up. However, throughout these assessments I still do not see any network indicators.

14. Now, running the binary on a Windows 7 SP1 computer, it connects out to the following locations through a TLS connection:

The tor2web.org project lets you browse to servers that are on the Tor network. Another way to see the URL is with .onion instead of tor2web.org. They are trying to anonymize the traffic.

15. The program adds persistence to the computer by adding a run key:

16. The binary starts out with the name updater.exe or ntuserssc.exe, then goes through a random name, and ends up with the name winlogin.exe. Notice that the program is called winlogin.exe, imitating the winlogon.exe process:
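The winlogin.exe versus winlogon.exe trick in step 16 is a lookalike name, and it can be caught generically. The Python below is an added example, not code from this post: it flags any running process name within one edit of a well-known Windows system process name. The list of known names and the sample process list are constructed for the example; only winlogin.exe, winlogon.exe and updater.exe come from the post.

```python
# Added example (not from the original post): flag process names that are one
# character away from a well-known Windows system process name, the kind of
# masquerade step 16 shows (winlogin.exe imitating winlogon.exe).

# Constructed list of legitimate system process names to compare against.
KNOWN_SYSTEM_PROCESSES = {
    "winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "services.exe", "explorer.exe", "smss.exe", "wininit.exe",
}


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalikes(process_names, known=KNOWN_SYSTEM_PROCESSES, max_distance=1):
    """Return (suspicious_name, imitated_name) pairs for names that are not a
    known system process but sit within max_distance edits of one."""
    hits = []
    for name in process_names:
        lowered = name.lower()
        if lowered in known:
            continue  # the genuine article, nothing to flag on name alone
        for legit in sorted(known):
            if edit_distance(lowered, legit) <= max_distance:
                hits.append((name, legit))
                break
    return hits


if __name__ == "__main__":
    # Constructed process list; only winlogin.exe/winlogon.exe/updater.exe
    # are names that appear in the post.
    sample = ["winlogon.exe", "winlogin.exe", "svchost.exe",
              "svch0st.exe", "updater.exe", "explorer.exe"]
    for suspicious, legit in lookalikes(sample):
        print(f"{suspicious} looks like {legit}")
```

A name check like this is a triage signal, not a verdict: pair it with the process's image path and its parent, since the real winlogon.exe has a fixed home under the Windows directory and a copy running from a user profile is what the run key in step 15 would launch.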
