VMRay Malware Analysis Report Recap – October ’17

Nov 07th 2017

Welcome to the VMRay Malware Analysis Report Recap. Every month our Research Team provides a recap of the malware analysis reports posted to the VMRay Twitter account. This past October, our team analyzed a Word document using a sandbox evasion technique, the execution of shellcode via Dynamic Data Exchange, and NotPetya reborn as BadRabbit. Click the links below to jump to a specific report.


Report Name: Word Doc. Drops Context-Aware Payload
Date Released: September 25, 2017




We’ve seen a number of social engineering techniques used to trick end users into enabling macros in Office documents. This sample uses the same tactic, tricking the end user into enabling macros in order to view the content (Figure 1).



Figure 1: Social engineering technique used to enable macros in Word Doc.


If macros are enabled, a malicious executable is downloaded and executed (Figure 2).



Figure 2: Malicious executable downloaded and executed


In Figure 3, the sample attempts sandbox evasion by checking for four different sandboxes.



Figure 3: Detecting four different sandboxes



Report Name: EXE File, Executing an Obfuscated Script Written in AutoIt Gains Access to Passwords and Data
Date Released: October 4, 2017



The Self-Extracting Executable (SFX) we analyzed hides its commands in between a French description of ‘Game of Thrones’ (most likely copied from Wikipedia, see Figure 3). The files are extracted to the temp folder, and an AutoIt interpreter named “cih.exe” is started with the AutoIt script “cvn-nhc”.
Without the Game of Thrones text, the SFX script boils down to this (Figure 4):



Figure 4: SFX Script


The AutoIt script is obfuscated (Figure 5), injects into processes, and uses NirSoft software to extract passwords and browsing history from Internet Explorer (Figure 6).



Figure 5: Obfuscated AutoIt Script



Figure 6: Attempting to extract passwords and browsing history.



Report Name: Macro-less Word Doc. Uses DDE to Execute PowerShell and Download DLL
Date Released: October 11, 2017



First reported by SensePost, this is a new attack method that executes shell code via Dynamic Data Exchange (DDE) without using macros. In this analysis, we see Microsoft Word prompting the user to allow execution of the DDE command (Figure 7).



Figure 7: User prompt allowing execution of DDE Command


Once the user clicks “Yes”, the DDE command executes cmd, which in turn launches PowerShell. The sample then uses PowerShell to run a malicious DLL (Figure 8).



Figure 8: Using Powershell to run a malicious DLL


For more detail on this DDE technique, read our full analysis blog post.


Report Name: RTF Doc. Uses CVE-2017-8759 Exploit to Execute Code
Date Released: October 24, 2017



First reported by Twitter user @Jameswt_mht. As this Word document is being opened, Microsoft Word prompts the user to update a set of linked files (Figure 9). This happens because the RTF document was modified so that a specific object is updated on open (Figure 10).



Figure 9: Prompt to update links


Figure 10: Original update in a normal text editor


If the user allows Word to update the RTF document, Word then attempts to download a “picture”. This can be seen in the text view as the field command “INCLUDEPICTURE”. The “picture” raises suspicion because the link points to a PHP page rather than an image. In the Network Behavior section of the VMRay Analyzer report, we can see that the “picture” is really the payload: it retrieves a malicious SOAP WSDL definition from an attacker-controlled server, which in turn starts an HTA script file, also hosted on the attacker-controlled server.



Figure 11: HTTP Response #1



Figure 12: HTTP Response #2


The HTA script then starts a series of PowerShell scripts. At this point, the attacker is in full control of the target machine.
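As an added illustration (our own example, not VMRay's tooling), the following Python pulls field instructions out of an RTF file and flags a remote INCLUDEPICTURE target that is not an image, together with the `\objupdate` control word behind the update-on-open behaviour described above. The sample RTF, its URL and the image-extension list are constructed assumptions.

```python
# Added example (not VMRay's code): extract field instructions from an RTF file and
# flag the two traits the report describes: a remote-fetching field such as
# INCLUDEPICTURE whose target is a script URL rather than an image, and the
# \objupdate control word that makes Word refresh an embedded object on open.
import re

FLDINST_RE = re.compile(r"\\fldinst\b(.*?)(?=\\fldrslt|\Z)", re.DOTALL)
URL_RE = re.compile(r"https?://[^\s\"{}\\]+", re.IGNORECASE)
REMOTE_FIELDS = {"INCLUDEPICTURE", "INCLUDETEXT", "IMPORT", "DDEAUTO", "DDE"}
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".emf", ".wmf")

def field_instructions(rtf):
    """Yield cleaned field instruction strings (braces and \\* removed)."""
    for m in FLDINST_RE.finditer(rtf):
        text = re.sub(r"[{}]|\\\*", " ", m.group(1))
        yield " ".join(text.split())

def scan_rtf(rtf):
    """Return (kind, detail) findings for remote field codes and \\objupdate."""
    findings = []
    for inst in field_instructions(rtf):
        parts = inst.split()
        if not parts or parts[0].upper() not in REMOTE_FIELDS:
            continue
        url = URL_RE.search(inst)
        target = url.group(0) if url else "(no URL)"
        detail = "%s -> %s" % (parts[0].upper(), target)
        if url and not target.lower().split("?")[0].endswith(IMAGE_EXT):
            detail += " [non-image target]"
        findings.append(("remote_field", detail))
    if re.search(r"\\objupdate\b", rtf):
        findings.append(("objupdate", "embedded object is refreshed on open"))
    return findings

# Constructed sample (not the analyzed document): a harmless PAGE field, an
# INCLUDEPICTURE field pointing at a PHP page, and an object marked \objupdate.
SAMPLE_RTF = r"""{\rtf1\ansi
{\field{\*\fldinst PAGE}{\fldrslt 1}}
{\field{\*\fldinst INCLUDEPICTURE "http://example.invalid/image.php" \\d}{\fldrslt }}
{\object\objautlink\objupdate{\*\objdata 00}{\result{\pict\wmetafile8 00}}}
}"""
```

Either finding on its own is worth triage; both together match the pattern seen in this report.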


Report Name: Privileged Kernel Code Executed from Fake Flash Installer Used in the BadRabbit Ransomware Attack
Date Released: October 25, 2017



NotPetya ransomware resurfaced at the end of October as BadRabbit. Essentially, this campaign is the equivalent of malware authors putting a new label on an old product.
In this analysis the malware appears as an Adobe Flash update; in reality, it is a dropper containing several payloads. In the first step, the fake Adobe Flash update executes the dropped “infpub.dat”, which is the main controller of the ransomware (Figure 13).



Figure 13: Adobe Flash update executing the dropped “infpub.dat”


The process “infpub.dat” schedules a reboot, with “dispci.exe” set to execute on startup. “dispci.exe” is responsible for modifying the master boot record.

Looking further into the analysis, DiskCryptor is embedded as a resource of BadRabbit and is dropped as “cscc.dat” on the target machine to encrypt the files (Figure 14).



Figure 14: “cscc.dat” dropped on target machines to encrypt files


The Network Behavior section of the report shows the similarities with NotPetya. Both NotPetya and BadRabbit search the local network for other hosts on which to execute themselves with an SMB tool (Figure 15).



Figure 15: BadRabbit searching in the local network


After encrypting files and spreading over the local network, the scheduled reboot takes effect as verified in the VTI Score (Figure 16).



Figure 16: Scheduled reboot taking effect after files are encrypted


The first reboot does not show the “Bad Rabbit” boot message because the scheduled “dispci.exe” only starts overwriting the master boot record at that point; a second reboot is needed before the “BadRabbit” boot message appears.
In summary, there wasn’t anything particularly new about BadRabbit. The malware authors pieced together parts from NotPetya, the open-source DiskCryptor, and some additional freeware to create a glued-together piece of malware.
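To show how the individual observations from this analysis combine into a detection, here is an added example (our own code, not VMRay's and not part of the report) that correlates constructed endpoint telemetry into the BadRabbit chain: infpub.dat executed, dispci.exe scheduled with a reboot, cscc.dat written, and SMB fan-out across the local subnet. File paths, the rundll32 host process, the task name and the fan-out threshold are assumptions, not values from the report.

```python
# Added example (not VMRay's code): correlate constructed endpoint telemetry into the
# BadRabbit chain the report walks through: infpub.dat run, a scheduled task/reboot
# for dispci.exe, cscc.dat (DiskCryptor) written, SMB fan-out. Paths etc. are assumed.
import ipaddress
import re

INDICATORS = {
    "infpub_exec": re.compile(r"infpub\.dat", re.IGNORECASE),
    "dispci_task": re.compile(r"schtasks.*dispci\.exe", re.IGNORECASE),
    "reboot": re.compile(r"shutdown.*\s/r\b", re.IGNORECASE),
    "cscc_drop": re.compile(r"cscc\.dat$", re.IGNORECASE),
}
SMB_FANOUT_THRESHOLD = 3  # distinct local hosts on tcp/445 (assumption; tune per estate)

def correlate(events, local_net="10.0.0.0/24"):
    """Return the set of BadRabbit traits seen in a list of (kind, text) events."""
    net = ipaddress.ip_network(local_net)
    hits, smb_targets = set(), set()
    for kind, text in events:
        if kind == "process":
            for name, rx in INDICATORS.items():
                if name != "cscc_drop" and rx.search(text):
                    hits.add(name)
        elif kind == "file" and INDICATORS["cscc_drop"].search(text):
            hits.add("cscc_drop")
        elif kind == "net":
            ip, port = text.rsplit(":", 1)
            if port == "445" and ipaddress.ip_address(ip) in net:
                smb_targets.add(ip)
    if len(smb_targets) >= SMB_FANOUT_THRESHOLD:
        hits.add("smb_fanout")
    return hits

def verdict(events):
    """Require the controller run, the encryptor drop and the reboot/persistence step."""
    hits = correlate(events)
    chain = {"infpub_exec", "cscc_drop"} <= hits and bool(hits & {"dispci_task", "reboot"})
    return ("badrabbit_like" if chain else "no_match"), hits

# Constructed telemetry (not from the VMRay report), oldest first.
SAMPLE_EVENTS = [
    ("process", "flash_player_update.exe"),
    ("process", r"rundll32.exe C:\Windows\infpub.dat"),
    ("file", r"C:\Windows\cscc.dat"),
    ("process", r'schtasks /Create /SC ONSTART /TN task_placeholder /TR "C:\Windows\dispci.exe"'),
    ("process", "shutdown.exe /r /t 600 /f"),
    ("net", "10.0.0.5:445"),
    ("net", "10.0.0.6:445"),
    ("net", "10.0.0.7:445"),
    ("net", "203.0.113.9:443"),
]
```

The SMB fan-out on its own is a useful early signal, because it appears before the scheduled reboot hands the machine to the modified MBR.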
