Many incidents happened recently that used legitimate.exe side loading malicious .dll to execute MSXSL and bypass AppLocker.
For more information about side loading malicious dll can read from here.
For more information about MSXSL execution can read from here
From the pentestlab blog, it is running using jscript. However the xsl file can run vbscript too. Sample vbscript execution using xsl can be found here.
For detailed explanation can be found here (It is in Mandarin). If anyone has English post please kindly share in the comment. Thanks!
Then I saw a post in Twitter showed a sample malicious xsl using jscript to run powershell. It can be found here.
How about running powershell without powershell? I have read a post from blackhillsinfosec recently to execute powershell script without running powershell.exe process. It bypassed execution policy and many detection failed to alert the execution.
How about combine MSXSL without powershell.exe? It's going to be interesting.
Here goes my weekend...
Download XML and XSL sample from GitHub.
Download MSXSL from Microsoft.
Download the source code for running powershell without powershell.exe from blackhillsinfosec.
Search the System.Management.Automation.dll from Windows directory:
Then copy the path and compile it.
Now let's try to execute with simple ps1 script. From the process monitor, spotted the powershell is execute through Registry instead of powershell.exe
Now I have EXE and PS1 script. I have to dump them into a single VBS script then insert into XSL.
Simple Google around from EXE to VBS, a python script wrote by Didier Stevens that can convert EXE to VBS.
The VBS script looks good. Let's combine the ps1 script into the VBS script.
Everything seems to be fine when running the VBS using wscript. The a.txt is created.
Let's copy the VBS into XSL. It should run without any errors.
Great! Let's take a look at process monitoring.
MSXSL process created.
Command line file.exe with argument a.ps1 spotted.
Query for directory.
Powershell execution from Registry.
a.txt file created.
Set timeout delay for 2 seconds.
Delete file.exe and a.ps1.
From process monitoring, there is no PowerShell.exe process created. Hence, bypass AppLocker and bypass PowerShell policy execution is possible.
In order to mitigate the attack, detecting MSXSL execution and subprocess contains .ps1 are important.
Sunday, 8 April 2018
Saturday, 31 March 2018
Just another Malware Analysis Guide (6) - Walk Through It
Sample executable file for this guide can be found at here.
Static Analysis
Drag and drop EXE into PeStudio:
ws2_32.dll use for internet connection.
Check on the Imported Symbols, able to notice that the EXE file will perform file creation, write file, registry key creation and network connection.
Next will check on the strings. Under Unclassified, notice huge unknown strings in rdata section.
More suspicious strings are found such as unknown vbs script, base64 encoder strings and registry key.
Now let's use Strings from Sysinternals to dump the strings in the EXE file.
Notice that some strings are not found in PeStudio appeared. The IP addresses and wscript.exe /B.
Notice that the unknown long strings, let's try to decode it using base64. The decoded strings are VBS script. The script create Task Scheduler with PowerShell execution. PowerShell will obtain malicious PowerShell from new created registry.
Dynamic Analysis
Run the EXE in Sandoxie and BSA:
First try without internet connection, the EXE exit if there's no internet connection.
Run the EXE in Sandoxie and BSA with internet connection reveals the malicious activities of the EXE file.
It checks internet connection multiple times before perform more malicious activities.
First, it checks for internet connection to 172.217.31.46. If successful it will create a file name called "unknown.vbs" located at Documents folder.
Second, it checks for internet connection to 162.125.248.1 and 52.74.223.119. If successful it will execute VBS script using wscript.
Final, it executes cmd and create a Task Scheduler to execute PowerShell.
Get information about the IP addresses.
With the dynamic analysis information, we now know what is the activities will perform by the EXE.
Advanced Static Analysis
Open the EXE in x32dbg then press F9 to run single time on the EXE to directly takes us to the main function. After that find the string references on the current module.
Now let's follow the disassembler by right click on the IP address.
On the disassembler, right click or press G to view in graph mode.
Press O or right click to view in Overview mode.
Click on the CPU tab to move back into disassembler view. Perform analysis on the call instructions by follow in disassembler and graph view.
Spot the SHGetFolderPath API called. By checking on MSDN and googling around for the CSIDL, conclude that it is hex 0x5 CSIDL_PERSONAL that will point to current user document path.
Following the execute path in the graph, CreateFile and WriteFile API were called.
Return to disassembler view in CPU tab, insert comment by pressing ";". The edi contain the file name which is unknown.vbs.
Continue to WriteFile API called.
Return back to the main function by pressing "-" then move on to the next call instruction. In here the address is 0xFD1900. SHGetFolderPath appeared again with unknown.vbs. Suspecting it tries to get the unknown.vbs file path.
Return back to main function by pressing "-", notice that the compare instruction that will compare whether the unknown.vbs file existence. If file not found then quit.
If file exits, it will check for network connection to 162.125.2481 before proceed to a call function.
Inside 0xFD1720, there are two long unknown strings being push to the stack. We can follow the long unknown strings in dump.
Continue analysis, there is a call instruction to create a new registry key and data.
The following image is after finished analyzed the call instruction and included comments.
Advanced Dynamic Analysis
Set breakpoint using F2 to get a more detailed understand on what happened before and after the call instruction.
Press F9 to run once. Notice that the unknown.vbs script has created in My Documents folder.
Press F9 again. Notice that new registry key and data has been created.
Press F9 again. Notice that in the stack contained wscript.exe /B command.
Press F9 again. Notice that the unknown.vbs script location is push to the stack.
Press F9 again. Then follow dump in EAX before it push to the stack. It is a full command will executed by system during the next call instruction.
Set a breakpoint after the system call instruction. Notice that the VBS script create a new Task Scheduler. The Task Scheduler contain PowerShell execution.
Open registry editor and copy out the registry data. Perform a base64 decode for UUID. It is a RC4 algorithm that will decrypt the content in registry data UID.
Copy the decoded PowerShell script to PowerShell ISE then edit the scrip to output the decrypted content inside registry data UID to a file.
Decode the PowerShell, it shows that it will connect back to C&C server at 34.211.199.148.
End of Just another Malware Analysis Guide (6) - Walk Through It
Static Analysis
Drag and drop EXE into PeStudio:
ws2_32.dll use for internet connection.
Check on the Imported Symbols, able to notice that the EXE file will perform file creation, write file, registry key creation and network connection.
Next will check on the strings. Under Unclassified, notice huge unknown strings in rdata section.
More suspicious strings are found such as unknown vbs script, base64 encoder strings and registry key.
Now let's use Strings from Sysinternals to dump the strings in the EXE file.
Notice that some strings are not found in PeStudio appeared. The IP addresses and wscript.exe /B.
Notice that the unknown long strings, let's try to decode it using base64. The decoded strings are VBS script. The script create Task Scheduler with PowerShell execution. PowerShell will obtain malicious PowerShell from new created registry.
Dynamic Analysis
Run the EXE in Sandoxie and BSA:
First try without internet connection, the EXE exit if there's no internet connection.
Run the EXE in Sandoxie and BSA with internet connection reveals the malicious activities of the EXE file.
It checks internet connection multiple times before perform more malicious activities.
First, it checks for internet connection to 172.217.31.46. If successful it will create a file name called "unknown.vbs" located at Documents folder.
Second, it checks for internet connection to 162.125.248.1 and 52.74.223.119. If successful it will execute VBS script using wscript.
Final, it executes cmd and create a Task Scheduler to execute PowerShell.
Get information about the IP addresses.
With the dynamic analysis information, we now know what is the activities will perform by the EXE.
Advanced Static Analysis
Open the EXE in x32dbg then press F9 to run single time on the EXE to directly takes us to the main function. After that find the string references on the current module.
Now let's follow the disassembler by right click on the IP address.
On the disassembler, right click or press G to view in graph mode.
Press O or right click to view in Overview mode.
Click on the CPU tab to move back into disassembler view. Perform analysis on the call instructions by follow in disassembler and graph view.
Spot the SHGetFolderPath API called. By checking on MSDN and googling around for the CSIDL, conclude that it is hex 0x5 CSIDL_PERSONAL that will point to current user document path.
Following the execute path in the graph, CreateFile and WriteFile API were called.
Return to disassembler view in CPU tab, insert comment by pressing ";". The edi contain the file name which is unknown.vbs.
Continue to WriteFile API called.
Return back to the main function by pressing "-" then move on to the next call instruction. In here the address is 0xFD1900. SHGetFolderPath appeared again with unknown.vbs. Suspecting it tries to get the unknown.vbs file path.
Return back to main function by pressing "-", notice that the compare instruction that will compare whether the unknown.vbs file existence. If file not found then quit.
If file exits, it will check for network connection to 162.125.2481 before proceed to a call function.
Inside 0xFD1720, there are two long unknown strings being push to the stack. We can follow the long unknown strings in dump.
The following image is after finished analyzed the call instruction and included comments.
Advanced Dynamic Analysis
Set breakpoint using F2 to get a more detailed understand on what happened before and after the call instruction.
Press F9 to run once. Notice that the unknown.vbs script has created in My Documents folder.
Press F9 again. Notice that new registry key and data has been created.
Press F9 again. Notice that in the stack contained wscript.exe /B command.
Press F9 again. Notice that the unknown.vbs script location is push to the stack.
Press F9 again. Then follow dump in EAX before it push to the stack. It is a full command will executed by system during the next call instruction.
Set a breakpoint after the system call instruction. Notice that the VBS script create a new Task Scheduler. The Task Scheduler contain PowerShell execution.
Open registry editor and copy out the registry data. Perform a base64 decode for UUID. It is a RC4 algorithm that will decrypt the content in registry data UID.
Copy the decoded PowerShell script to PowerShell ISE then edit the scrip to output the decrypted content inside registry data UID to a file.
Decode the PowerShell, it shows that it will connect back to C&C server at 34.211.199.148.
End of Just another Malware Analysis Guide (6) - Walk Through It
Subscribe to:
Posts (Atom)