Filename: 7ZJ7.doc
File Size: 204,800
SHA1: 086ef96c939968e9b149dab81350a2732b2fdb8f
MD5: 55687ddebba3665dd44eb7be08dc0c7b
Virus Total Detection Ratio: 19/54
Virus Total Link
The tool oledump.py was created by Didier Stevens, who has maintained it as this type of malware has evolved. To read about the available command-line options, run ./oledump.py -h. To begin analyzing the doc file, run "./oledump.py 7ZJ7.doc".
We can see from the output that there are a total of 17 objects that can be selected. I am going to home in on objects 8-10.
I am going to select object 8 and, because it is compressed, I am going to use another option to decompress it, as shown below:
Then we can do the same thing to extract the macros from objects 9 and 10. After extracting and evaluating the macros, I noticed that they go out to the following URLs to download files:
hxxp://monitoringinternetu.com/components/com_wrapper/7777.txt (79.96.83.88)
hxxp://cdinflatables.com/components/com_wrapper/7777.txt (188.241.222.8)
hxxp://monitoringinternetu.com/components/com_wrapper/rara.txt
hxxp://cdinflatables.com/components/com_wrapper/rara.txt
The rara.txt file contains the following link: https://www.dropbox.com/s/a73az4fj12l7fwo/kslx.exe?dl=1
I was able to find the kslx.exe file on malwr.com which may or may not be the file being requested.
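The decompression oledump performs on object 8 is the MS-OVBA scheme used for every VBA module stream: a 0x01 signature byte followed by chunks of literal and copy tokens. The following is an added example, not oledump.py's own code, that implements that decoder, a literal-only encoder for building test input, and a helper that walks a document with the olefile package (assumed installed; it is the library oledump builds on). Instead of parsing the VBA "dir" stream for the module offsets, it uses the heuristic of trying every 0x01 byte as a container start and keeping the first result that begins with "Attribute VB_"; the sample source strings are constructed.

```python
import struct


def decompress_vba(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer into the original VBA source bytes."""
    if not container or container[0] != 0x01:
        raise ValueError("not a compressed VBA container (signature byte must be 0x01)")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_size = (header & 0x0FFF) + 3            # size includes the 2 header bytes
        if (header >> 12) & 0x07 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        compressed = (header >> 15) & 1
        chunk_end = min(len(container), pos + chunk_size)
        pos += 2
        chunk_out_start = len(out)
        if not compressed:
            out += container[pos:pos + 4096]          # raw chunk: copied through unchanged
            pos += 4096
            continue
        while pos < chunk_end:
            flag_byte = container[pos]                # one bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flag_byte >> bit) & 1:
                    out.append(container[pos])        # literal token: one plain byte
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                # Copy token: the split between offset bits and length bits depends on
                # how much of this chunk has already been decompressed
                written = len(out) - chunk_out_start
                bit_count = max((written - 1).bit_length(), 4)
                length_mask = 0xFFFF >> bit_count
                length = (token & length_mask) + 3
                offset = ((token & ~length_mask & 0xFFFF) >> (16 - bit_count)) + 1
                src = len(out) - offset
                if src < chunk_out_start:
                    raise ValueError("copy token reaches before the chunk start at offset %d" % pos)
                for i in range(length):
                    out.append(out[src + i])          # byte by byte so overlapping copies work
    return bytes(out)


def compress_literal_only(source: bytes) -> bytes:
    """Build a valid single-chunk container using literal tokens only (no copy tokens).
    Used here to construct test input; real containers also use copy tokens."""
    if not source or len(source) > 3640:              # 3640 literals + flag bytes fit in one 4096-byte chunk
        raise ValueError("helper supports non-empty, single-chunk input only")
    body = bytearray()
    for i in range(0, len(source), 8):
        body.append(0x00)                             # flag byte: the next 8 tokens are literals
        body += source[i:i + 8]
    header = 0x8000 | 0x3000 | (len(body) + 2 - 3)    # compressed flag, signature 011, size field
    return b"\x01" + struct.pack("<H", header) + bytes(body)


def find_and_decompress(stream_data: bytes):
    """Heuristic: try each 0x01 byte as the container start and return the first
    decompressed result that looks like VBA source, or None."""
    for i, b in enumerate(stream_data):
        if b != 0x01:
            continue
        try:
            text = decompress_vba(stream_data[i:])
        except (ValueError, IndexError, struct.error):
            continue
        if text.startswith(b"Attribute VB_"):
            return text
    return None


def macro_sources(doc_path):
    """Yield (stream path, source bytes) for each VBA module stream in an OLE file.
    olefile is imported lazily so the functions above work without it installed."""
    import olefile                                    # assumed available: pip install olefile
    ole = olefile.OleFileIO(doc_path)
    try:
        for entry in ole.listdir(streams=True):
            path = "/".join(entry)
            leaf = entry[-1].lower()
            if "/VBA/" not in path.upper() or leaf in ("dir", "_vba_project") or leaf.startswith("__srp"):
                continue
            text = find_and_decompress(ole.openstream(entry).read())
            if text is not None:
                yield path, text
    finally:
        ole.close()


if __name__ == "__main__":
    import sys
    for path, text in macro_sources(sys.argv[1]):
        print("===", path)
        print(text.decode("latin-1"))
```

Running the script against a document prints each module's source; the "Attribute VB_Name" header line at the top of every module is what makes the heuristic search reliable in practice.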
Then, by manipulating the macro, you can see the following, which are the contents of the 7777.txt file broken up into a vbs script and then a bat file.
The above vbs script downloads the rara.txt file, which is not found (as shown above) but is found at the other URL referenced above. The file is then written to the filesystem as 9.exe. Then the following bat file is executed:
The batch file is then opened and executed; it runs the vbs script with cscript and then deletes the vbs file and the bat file that are left behind. I will not go any further with the evaluation of 9.exe. However, below are the IP addresses that were used to remotely control the computer:
91.231.84.120
119.81.87.154 (Most of the traffic)
148.251.157.148
148.251.127.184
Filename: kslx.exe
Size: 194,253
SHA1: c943cccbeb257d8be5ce82d379fbf5e5e0753e2d
MD5: 23d73f4bbcdd13ceaa9db30056d5c5a2
I thought I would also utilize a tool published by Corelan called PEFrame located here. The output of the tool is below:
$peframe kslx.exe
Short information
------------------------------------------------------------
File Name kslx.exe
File Size 194253 byte
Compile Time 2015-08-04 06:42:54
DLL False
Sections 4
Hash MD5 23d73f4bbcdd13ceaa9db30056d5c5a2
Hash SHA-1 c943cccbeb257d8be5ce82d379fbf5e5e0753e2d
Imphash 7309645e4461d38509039c98e4c661ec
Detected Packer, Anti VM
Directory Import, Debug
Packer matched [1]
------------------------------------------------------------
Packer Microsoft Visual C++ 8.0
Anti VM Trick discovered [1]
------------------------------------------------------------
Trick VMCheck.dll
Suspicious API discovered [4]
------------------------------------------------------------
Function ExitProcess
Function GetModuleHandleA
Function GetProcAddress
Function GetStartupInfoA
File name discovered [6]
------------------------------------------------------------
Library GDI32.dll
Library KERNEL32.dll
Library SHLWAPI.dll
Library WINMM.dll
Library mscms.dll
Database rect1.pdb
In the output it can be observed that the binary has an anti-VM mechanism, and the trick that was discovered (VMCheck.dll) is listed. I will need to look into this at another time.
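Besides the hashes of the whole file, the peframe output includes an Imphash, which is computed from the import table rather than the file bytes and therefore stays stable across repacks and recompiles that keep the same imports, making it a useful pivot for clustering samples. The following is an added example, not peframe's or pefile's code, that implements the widely used pefile imphash recipe: lowercase "library.function" pairs (with .dll/.ocx/.sys stripped) joined by commas and hashed with MD5. Ordinal imports are simplified to "ordN" here; pefile additionally maps known ordinals of a few DLLs to names. The import list in the test is constructed from the library and function names shown in the output above and is not the binary's full import table, so its hash will not match the Imphash printed there.

```python
import hashlib


def import_string(imports):
    """Normalise (dll, function-or-ordinal) pairs into the string that is hashed.
    Order is significant: it follows the import table, not a sorted list."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        if isinstance(func, int):
            name = "ord%d" % func          # simplified: pefile resolves known ordinals to names
        else:
            name = func.lower()
        parts.append("%s.%s" % (lib, name))
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the normalised import string, as printed by peframe/pefile."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


# Constructed import list built from names in the peframe output above (not the full table)
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "ExitProcess"),
    ("KERNEL32.dll", "GetModuleHandleA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "GetStartupInfoA"),
    ("SHLWAPI.dll", "PathFileExistsA"),
]

if __name__ == "__main__":
    print(import_string(SAMPLE_IMPORTS))
    print("imphash:", imphash(SAMPLE_IMPORTS))
```

Because the hash covers names in table order, two samples that import the same functions in a different order get different imphashes, so it groups builds of the same code base rather than "anything that imports GetProcAddress".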