This is the analysis of the first dropper Excel file used in APT's attack known as "Ukraine's Power Grid Incident" that occurred on December 23, 2015 in Prykarpattya Oblenergo ["Prikarptya Regional Energy Company" from Ukrainian] in Ivano-Frankivsk, Ukraine. Outline: I. File Characteristics II. Malicious VBA payload III. Dropped Files IV. Yara Signature V. Anti-Virus Report This Excel requires enabled macros. [translated from Ukrainian] I. File Characteristics Malware Sample Source: malwr File Name: BlackEnergy.xls, Додаток1.xls ["Supplemental" - from Ukrainian] Last Author: LSW Creation Datetime: 2015-02-04 07:35:08 Author: user1 Last Saved: 2015-03-18 07:41:04 Application Name: Microsoft Excel Code Page: Cyrillic [Ukrainian] File Size: 717.5 KB II. Malicious VBA payload Here is the head and tails of the malicious VBA payload: ... III.Dropped Files:
(1) vba_macro.exe [SHA1 4c424d5c8cfedf8d2164b9f833f7c631f94c5a4c] (2) rundll32.exe [SHA1 303a90020bf3beaf9acd0ea86487c853636a99a3] (3) desktop.ini [SHA1 95e17541fb7200acfea240430ec01778fe9bf2fe] (4) NTUSER.LOG [SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709] (5) FONTCACHE.DAT [SHA1 315863c696603ac442b2600e9ecc1819b7ed1b54] IV. Yara Signature: rule Excel_BlackEnergy_Dropper : APT { meta: author = "Vitali Kremez" date = "2016-01-18" description = "Detects BlackEnergy 'Dodatok1.xls' Dropper sample" hash0 = "97b7577d13cf5e3bf39cbe6d3f0a7732" sample_filetype = "office" strings: $string0 = "vba_macro.exe" $string1 = "[xls]BlackEnergy.LNK=0" $string2 = "bZR7@N" $string3 = "148, 117" $string4 = " xmp:CreatorTool" $string5 = "VBAProje" $string6 = "drs/shapexml.xmlPK" $string7 = "xpacket begin" $string8 = "Heading 3" wide $string9 = "*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.5#0#C:\\Program Files (x86)\\Common Files\\Microsoft Shared" wide $string10 = "Gz2Qe1" $string11 = "<1aa1A" $string12 = "gram Fil" $string13 = ":P67, " $string14 = "8@@2AQ" $string15 = "8f>]Bm1" $string16 = "mavCsa" $string17 = "a(266)" $string18= "DPB="CECC62D1A2D356F056F0A91057F00479A3F13335AD22324015ED03758E22F07020BD9639AC5AC0" condition: 18 of them and filesize<718 KB } V. Reports: [1]https://malwr.com/analysis/YmE3MzhiNDM4ZjliNGFkZjhhYWM3MmZmZWNmZWFiZDg/ [2]https://www.virustotal.com/en/file/052ebc9a518e5ae02bbd1bd3a5a86c3560aefc9313c18d81f6670c3430f1d4d4/analysis/ [3]https://www.hybrid-analysis.com/sample/052ebc9a518e5ae02bbd1bd3a5a86c3560aefc9313c18d81f6670c3430f1d4d4?environmentId=4
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |