
VMRay Malware Analysis Report Recap – October ’17

Welcome to the VMRay Malware Analysis Report Recap. Every month our Research Team provides a recap of the malware analysis reports posted to the VMRay Twitter account. This past October, our team analyzed a Word document with a sandbox-aware payload, an AutoIt password stealer hidden in a self-extracting archive, command execution via Dynamic Data Exchange in a macro-less Word document, an RTF document exploiting CVE-2017-8759, and NotPetya reborn as BadRabbit.


Report Name: Word Doc. Drops Context-Aware Payload

Date Released: September 25, 2017

SHA256: 2f031c6eb15cf2ca7855375d8bffe4d7a3b9b7ba95dc7d23e80f29b3d424a8ca

We have seen a number of social engineering techniques used to trick end users into enabling macros in Office documents. This sample uses the same tactic: the user is told to enable macros in order to view the content (Figure 1).

Figure 1: Social engineering technique used to enable macros in Word Doc.

If macros are enabled, the macro downloads and executes a malicious executable (Figure 2).

Figure 2: Malicious executable downloaded and executed

In Figure 3, the downloaded payload attempts to evade analysis by checking for four different sandboxes; this is what makes the payload "context-aware".

Figure 3: Detecting four different sandboxes

Report Name: EXE File, Executing an Obfuscated Script Written in AutoIt Gains Access to Passwords and Data

Date Released: October 4, 2017

SHA256: 9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d

The sample is a self-extracting executable (SFX) whose script hides its commands between lines of a French description of "Game of Thrones" (most likely copied from Wikipedia, see Figure 3). The files are extracted to the temp folder, and the SFX then starts an AutoIt interpreter renamed "cih.exe" with the AutoIt script "cvn-nhc" as its argument.

Stripped of the Game of Thrones text, the SFX script boils down to the following (Figure 4):

Figure 4: SFX Script
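Separating the real SFX commands from the decoy prose is a mechanical step, and the following Python script automates it. This is an added example, not VMRay's tooling or anything taken from the sample: the French lines in SAMPLE_COMMENT are made up, the command keywords are the documented WinRAR SFX script keywords, and the command values ("cih.exe cvn-nhc", "%temp%") mirror what the report describes.

```python
from __future__ import annotations
import re

# Script keywords documented for WinRAR SFX archives; any other line in the
# archive comment is treated as decoy text.
SFX_COMMANDS = {
    "path", "savepath", "setup", "presetup", "silent", "overwrite", "tempmode",
    "title", "text", "update", "shortcut", "license", "delete",
}
COMMAND_RE = re.compile(r"^\s*(?P<key>[A-Za-z]+)\s*=\s*(?P<value>.*?)\s*$")

# Constructed comment in the style the report describes: the real commands sit
# between lines of French prose about "Game of Thrones". The prose is invented;
# the command values mirror the report (cih.exe running the cvn-nhc script).
SAMPLE_COMMENT = """\
Game of Thrones est une série télévisée américaine de fantasy médiévale.
Path=%temp%
Elle est l'adaptation de la saga A Song of Ice and Fire de George R. R. Martin.
Silent=1
Overwrite=1
La série est diffusée depuis 2011 sur la chaîne HBO.
Setup=cih.exe cvn-nhc
"""


def extract_sfx_script(comment: str) -> list[tuple[str, str]]:
    """Return the (command, value) pairs of an SFX comment in order, skipping
    every line that is not a recognised SFX script command."""
    script = []
    for line in comment.splitlines():
        m = COMMAND_RE.match(line)
        if m and m.group("key").lower() in SFX_COMMANDS:
            script.append((m.group("key"), m.group("value")))
    return script


def summarize(script: list[tuple[str, str]]) -> dict:
    """Reduce the script to what triage cares about: where the files land,
    what gets executed, and whether the user sees any of it."""
    summary: dict = {"executes": []}
    for key, value in script:
        k = key.lower()
        if k in ("path", "savepath"):
            summary["extract_to"] = value
        elif k in ("setup", "presetup"):
            summary["executes"].append(value)
        elif k == "silent":
            summary["silent"] = value.strip() != "0"
    return summary


if __name__ == "__main__":
    script = extract_sfx_script(SAMPLE_COMMENT)
    for key, value in script:
        print(f"{key}={value}")
    print(summarize(script))
```

To run this against a real sample, dump the archive comment first (for a RAR-based SFX, unrar's `cw` command writes it to a file, e.g. `unrar cw sample.exe comment.txt`) and pass its contents to `extract_sfx_script`. A comment padded with unrelated prose around `Setup=` and `Silent=1` lines is itself a triage signal.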

The AutoIt script is obfuscated (Figure 5). It injects into other processes and uses NirSoft tools to extract saved passwords and browsing history from Internet Explorer (Figure 6).

Figure 5: Obfuscated AutoIt Script
Figure 6: Attempting to extract passwords and browsing history.

Report Name: Macro-less Word Doc. Uses DDE to Execute Powershell and Download DLL

Date Released: October 11, 2017

SHA256: d5c27308f50a9c6d8ccd01269ca09a7a13e1615945b8047c4e55c610718e317e

SensePost first reported a technique for executing commands through Dynamic Data Exchange (DDE) fields in Word without using macros. In this analysis, Microsoft Word prompts the user to allow the DDE command to run (Figure 7).

Figure 7: User prompt allowing execution of DDE Command

Once the user clicks "Yes", the DDE field launches cmd.exe, which in turn starts PowerShell. The sample then uses PowerShell to download and run a malicious DLL (Figure 8).

Figure 8: Using Powershell to run a malicious DLL

For more detail on this DDE technique, read our full analysis blog post.


Report Name: RTF Doc. Uses CVE-2017-8759 Exploit to Execute Code

Date Released: October 24, 2017

SHA256: 7a641c8fa1b7a428bfb66d235064407ab56d119411fbaca6268c8e69696e6729

First reported by Twitter user @Jameswt_mht. When the document is opened, Microsoft Word prompts the user to update a set of linked files (Figure 9). This happens because the RTF document was modified so that a specific object is updated on open (Figure 10).

Figure 9: Prompt to update links
Figure 10: The update instruction as seen in a plain text editor

If the user allows the update, Word attempts to download a "picture"; in the text view this is the INCLUDEPICTURE field. The "picture" is suspicious because its link points to a PHP page rather than an image. The Network Behavior section of the VMRay Analyzer report shows what the "picture" really is: the server's response is a malicious SOAP WSDL definition (Figure 11), the input that triggers CVE-2017-8759 in the .NET Framework. That in turn fetches and starts an HTA script file from the same attacker-controlled server (Figure 12).

Figure 11: HTTP Response #1
Figure 12: HTTP Response #2

The HTA script then starts a series of PowerShell scripts. At this point, the attacker has full control of the target machine.
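The two field-based techniques above, the DDE command in the macro-less Word document and the remote INCLUDEPICTURE link in the RTF exploit document, both hinge on a field instruction that can be pulled out of the file before anyone opens it in Word. The following Python scanner is an added example and is not VMRay's code or content from either sample: it reads field instructions from .docx (OOXML) and RTF files, joining instructions that are split across several runs, and flags DDE/DDEAUTO fields and INCLUDE-type fields with remote targets. The two sample documents it builds, the `example.invalid` URL and the cmd/PowerShell command line are constructed for the example.

```python
from __future__ import annotations
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# DDE/DDEAUTO hand a command line to an external program; the INCLUDE family makes
# Word fetch the target on update, which matters when the target is remote.
EXEC_FIELDS = {"DDE", "DDEAUTO"}
LINK_FIELDS = {"INCLUDEPICTURE", "INCLUDETEXT", "IMPORT", "INCLUDE"}
REMOTE_RE = re.compile(r"https?://|\\\\", re.IGNORECASE)  # URL or UNC path


def docx_field_instructions(data: bytes) -> list[str]:
    """fldSimple attributes plus instrText runs joined between a fldChar 'begin'
    and its 'separate'/'end' (attackers split instructions over runs to defeat greps)."""
    fields: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue  # headers, footers and footnotes live under word/ too
            root = ET.fromstring(z.read(name))
            fields += [fs.get(W + "instr", "") for fs in root.iter(W + "fldSimple")]
            buf = None
            for el in root.iter():  # document order, so begin/instrText/end line up
                if el.tag == W + "fldChar":
                    kind = el.get(W + "fldCharType")
                    if kind == "begin":
                        buf = []
                    elif kind in ("separate", "end") and buf is not None:
                        fields.append("".join(buf))
                        buf = None
                elif el.tag == W + "instrText" and buf is not None:
                    buf.append(el.text or "")
    return [" ".join(f.split()) for f in fields if f.strip()]


# RTF tokens, in order: escaped backslash, \* marker, \'hh hex byte, control word, braces.
RTF_TOKEN_RE = re.compile(r"\\\\|\\\*|\\'[0-9a-fA-F]{2}|\\[A-Za-z]+-?\d* ?|[{}]")


def _rtf_token(m: re.Match) -> str:
    tok = m.group(0)
    if tok == "\\\\":
        return "\\"                   # literal backslash inside the field text
    if tok.startswith("\\'"):
        return chr(int(tok[2:], 16))  # hex-escaped character
    return ""                         # drop control words, \* and group braces


def rtf_field_instructions(data: bytes) -> list[str]:
    """Text of every \\fldinst group in an RTF file, stripped of RTF markup."""
    text, fields = data.decode("latin-1"), []
    for m in re.finditer(r"\\fldinst\b", text):
        depth, chars = 0, []
        for ch in text[m.end():]:  # walk to the brace that closes the fldinst group
            if ch == "}" and depth == 0:
                break
            depth += (ch == "{") - (ch == "}")
            chars.append(ch)
        cleaned = " ".join(RTF_TOKEN_RE.sub(_rtf_token, "".join(chars)).split())
        if cleaned:
            fields.append(cleaned)
    return fields


def classify_field(instr: str) -> str | None:
    """Label a field that executes or fetches something; None if it looks benign."""
    kind = instr.split()[0].upper() if instr.split() else ""
    if kind in EXEC_FIELDS:
        return f"{kind} launches an external program: {instr}"
    if kind in LINK_FIELDS and REMOTE_RE.search(instr):
        return f"{kind} pulls a remote resource: {instr}"
    return None


def scan_document(data: bytes) -> list[str]:
    """Sniff the container (OOXML zip or RTF) and return the suspicious fields."""
    if data[:2] == b"PK":
        instrs = docx_field_instructions(data)
    elif data.lstrip()[:5] == b"{\\rtf":
        instrs = rtf_field_instructions(data)
    else:
        raise ValueError("not a .docx or .rtf file")
    return [f for f in map(classify_field, instrs) if f]


# Constructed samples (not the report's files): a .docx whose DDEAUTO field is split
# over two instrText runs, and an RTF whose INCLUDEPICTURE points at a PHP page.
def build_sample_docx() -> bytes:
    doc = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\\\windows\\\\system32\\\\cmd.exe </w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">"/k powershell -nop -w hidden -c calc" </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>Error!</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


SAMPLE_RTF = (
    r'{\rtf1\ansi{\field{\*\fldinst { INCLUDEPICTURE "http://example.invalid/image.php" '
    r'\\* MERGEFORMAT \\d }}{\fldrslt {\pict }}}{\field{\*\fldinst { PAGE }}{\fldrslt 1}}}'
).encode()
```

Run `scan_document` over a file's bytes; it returns one line per flagged field, so the docx sample yields the DDEAUTO command line and the RTF sample yields the INCLUDEPICTURE link while its benign PAGE field is ignored. The RTF walker only strips markup inside `\fldinst` groups, which is enough here; a full RTF parser would also need to handle `\bin` runs and overlay fields nested in other fields.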


Report Name: Privileged kernel Code Executed from Fake Flash Installer Used in the BadRabbit Ransomware Attack

Date Released: October 25, 2017

SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

The NotPetya ransomware resurfaced at the end of October as BadRabbit. Essentially, this campaign is the equivalent of the malware authors putting a new label on an old product.

In this analysis the malware poses as an Adobe Flash update; in reality it is a dropper carrying several payloads. In the first step, the fake Flash update executes the dropped "infpub.dat", which is the main component of the ransomware (Figure 13).

Figure 13: Adobe Flash update executing the dropped “infpub.dat”

The "infpub.dat" process schedules a reboot and the execution of "dispci.exe" at startup. "dispci.exe" is responsible for modifying the master boot record.

Looking further into the analysis, the open-source DiskCryptor driver is embedded in BadRabbit as a resource and dropped as "cscc.dat" on the target machine, where it is used for the encryption (Figure 14).

Figure 14: “cscc.dat” dropped on target machines to encrypt files

The Network Behavior section of the report shows the similarity to NotPetya: both scan the local network for other hosts and use SMB to execute themselves on those machines (Figure 15).

Figure 15: BadRabbit searching in the local network

After encrypting files and spreading across the local network, the scheduled reboot takes effect, as recorded in the VTI score (Figure 16).

Figure 16: Scheduled reboot taking effect after files are encrypted

The first reboot does not yet show the "Bad Rabbit" boot message, because the scheduled "dispci.exe" only starts overwriting the master boot record at that point; a second reboot is needed before the "BadRabbit" boot message appears.
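The chain described above (dropper writes infpub.dat, cscc.dat and dispci.exe into the Windows directory, schedules dispci.exe at startup and a reboot, fans out over SMB, and finally overwrites the boot sector) is what endpoint detection should key on rather than on the sample's hash. The following Python example is added here and is not part of the VMRay report: it runs a handful of behaviour rules over simplified, constructed endpoint events and only escalates when the chain is complete. The event format, the assumption that infpub.dat is loaded through rundll32, the task names, the 10.0.0.0/24 targets and the 20-host fan-out threshold are all choices made for the example; only the file names come from the report.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Constructed endpoint telemetry (simplified Sysmon-style records, not captured
# from the sample) following the chain the report describes: fake Flash installer
# -> infpub.dat -> cscc.dat and dispci.exe dropped -> startup task and reboot
# scheduled -> SMB fan-out -> raw write to the boot disk. That infpub.dat runs via
# rundll32 is an assumption of this example.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "process", "pid": 100,
     "image": r"C:\Users\bob\Downloads\install_flash_player.exe", "cmdline": "install_flash_player.exe"},
    {"ts": 2, "type": "file_write", "pid": 100, "path": r"C:\Windows\infpub.dat"},
    {"ts": 3, "type": "process", "pid": 101, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\infpub.dat,#1 15"},
    {"ts": 4, "type": "file_write", "pid": 101, "path": r"C:\Windows\cscc.dat"},
    {"ts": 5, "type": "file_write", "pid": 101, "path": r"C:\Windows\dispci.exe"},
    {"ts": 6, "type": "process", "pid": 102, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC ONSTART /TN updater /RU SYSTEM /TR "C:\Windows\dispci.exe -id 1234"'},
    {"ts": 7, "type": "process", "pid": 103, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC ONCE /TN reboot /ST 19:30 /TR "shutdown.exe /r /t 0 /f"'},
    *[{"ts": 8, "type": "net", "pid": 101, "dst": f"10.0.0.{i}", "port": 445} for i in range(2, 40)],
    {"ts": 20, "type": "raw_write", "pid": 200, "image": r"C:\Windows\dispci.exe",
     "device": r"\\.\PhysicalDrive0"},
]

SHUTDOWN_RE = re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.IGNORECASE)


def detect(events: list[dict], smb_fanout: int = 20) -> list[tuple[str, int, str]]:
    """Run the behaviour rules over the events; return (rule, pid, detail) tuples."""
    findings: list[tuple[str, int, str]] = []
    smb_targets: dict[int, set[str]] = defaultdict(set)
    for e in events:
        kind, pid, cmd = e["type"], e["pid"], e.get("cmdline", "")
        if kind == "process":
            low = cmd.lower()
            # A .dat handed to rundll32 is a DLL with a disguised extension.
            if e["image"].lower().endswith(r"\rundll32.exe") and re.search(r"\.dat\b", low):
                findings.append(("dat_loaded_via_rundll32", pid, cmd))
            if "schtasks" in low and "/create" in low:
                if "/sc onstart" in low:
                    findings.append(("onstart_task_created", pid, cmd))
                if SHUTDOWN_RE.search(cmd):
                    findings.append(("reboot_scheduled", pid, cmd))
        elif kind == "file_write":
            p = e["path"].lower()
            # A new .dat/.exe directly in %SystemRoot% (not a subfolder) is how the
            # dropper stages infpub.dat, cscc.dat and dispci.exe.
            if p.startswith("c:\\windows\\") and p.count("\\") == 2 and p.endswith((".dat", ".exe")):
                findings.append(("systemroot_drop", pid, e["path"]))
        elif kind == "net" and e.get("port") == 445:
            smb_targets[pid].add(e["dst"])
        elif kind == "raw_write" and "physicaldrive" in e["device"].lower():
            findings.append(("raw_disk_write", pid, e["device"]))  # MBR overwrite
    for pid, hosts in smb_targets.items():
        if len(hosts) >= smb_fanout:
            findings.append(("smb_fanout", pid, f"{len(hosts)} distinct hosts on 445"))
    return findings


def verdict(findings: list[tuple[str, int, str]]) -> str:
    """Escalate only when the chain is complete: a startup task plus a raw disk
    write means a boot-time payload, and SMB fan-out means it is spreading."""
    rules = {f[0] for f in findings}
    if {"onstart_task_created", "raw_disk_write", "smb_fanout"} <= rules:
        return "ransomware_worm_chain"
    if "raw_disk_write" in rules:
        return "boot_sector_tampering"
    return "suspicious" if rules else "no_chain"


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, pid, detail in found:
        print(f"{rule:26} pid={pid} {detail}")
    print("verdict:", verdict(found))
```

The individual rules fire on plenty of benign administration (a startup task, a disk-imaging tool writing to PhysicalDrive0), which is why `verdict` scores the combination and not any single rule. The raw write to `\\.\PhysicalDrive0` is the one event worth alerting on by itself, since nothing in normal user activity rewrites the boot sector.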

In summary, there was nothing particularly new about BadRabbit. The malware authors pieced together parts of NotPetya, the open-source DiskCryptor, and some additional freeware into a glued-together piece of malware.