A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #28182  by opticoax
 Sun Apr 03, 2016 5:38 am
This malware same is already been analyzed, but I tried working it on my own as an exercise, so I ran bbcrack.py against it and got it decoded. I see an MZ header in there indicating an embedded executable in the Word document.

https://malwr.com/analysis/NTEzMjYxZDE0 ... RjZTRkNDQ/

I can see this analysis says there is a connection going out to 91.239.232.145

I was hoping to be able to find that IP address or its corresponding URL during my analysis, but nothing.

I ran Foremost against the bbcrack deobfuscated file (xorD6 + inc) hoping it would pull out the executable so I could drill into that, but all Foremost pulled out was another embedded Word doc.

Just trying to figure out where that IP is hidden and why Foremost isnt carving out the .exe for me.
 #28187  by puzzlex
 Sun Apr 03, 2016 12:11 pm
So, have you got to the point where this is the exe file that it drops? f9ea75f082a66a23ea422d2f9412ee9a
https://malwr.com/analysis/NmU1NGM1Yzhj ... M2NDllYTk/

The attached script extracts the exe from the docfile.

My starting point was a zip archive inside the doc (encoded in hex), which contained a 2MB activex file, this file contained the shell code which decodes another shellcode which finally decrypts the exe and runs it with winexec
Attachments
extract.py
(377 Bytes) Downloaded 53 times
 #28219  by opticoax
 Wed Apr 06, 2016 5:55 am
I started with the original .rtf file that was sent in an email.

After I ran bbcrack agains it, it returned a decoded version with xor of D6 and incremental o combination.

When I looked at the new decoded version, I found the MZ marker and "This file cannot be run in DOS mode" inside. Although is does look like the case was flipped to that "MZ" was represented as "mz"...etc.

I tried running Foremost against the decrypted file, and all it pulled out was another .doc file with the words "Hello, if you can read this exploit worked"

I see in the Malwr description that it is reaching out to some IP's. I was trying to figure out why Foremost isnt carving out the .exe so that I can try digging into that.

I never successfully got the .exe pulled out of the original RTF file, I just got it decoded and saw the embedded .exe
 #28221  by puzzlex
 Wed Apr 06, 2016 7:48 am
The exe I pulled out is the one I linked above from malwr.com. When you run it, it connects to the IP address you mentioned.

I tried now bbcrack to see what it pulls out, but not sure how long it would take to finish, so I hit CTRL-C. Could you upload your exe? Just to compare.

I did see the incremental XOR encryption in the shellcode but also the first 512 bytes of the exe were swapped. Meaning that MZ appeared ZM and "This program" appeared something like "hTsi porrgma"... this was true only for the first 512 bytes, the rest was untouched. I don't know about bbcrack if it could have pulled out this trick right.
 #28309  by opticoax
 Thu Apr 14, 2016 4:46 am
puzzlex,

I think it is this case-switching which is stalling Foremost.

Foremost pulled out the other .doc.

Can i post the file directly to this forum or will I need to use an intermediary?

Sorry for not being more proactive on this....work + tax season doesnt leave much wiggle room.

And thanks for your help on this.
Attachments
bbcrack decode of the original flile
(510.55 KiB) Downloaded 45 times