Update Analysis_2020-02-08.md
This commit is contained in:
parent
ba32b14ba3
commit
532f7844e1
@ -17,7 +17,40 @@
|
|||||||
<h2>Malware analysis <a name="Malware-analysis"></a></h2>
|
<h2>Malware analysis <a name="Malware-analysis"></a></h2>
|
||||||
<h3>The initial vector<a name="Initial"></a></h3>
|
<h3>The initial vector<a name="Initial"></a></h3>
|
||||||
|
|
||||||
<h6>The initial vector is an RTF file who use a well-know vulnerability (CVE-2017-11882) for execute a js script (1.a) form the package of OLE objects.</h6>
|
<h6>The initial vector is an malicious document using a macro. As the first look, we can note some constant variables can be replace and deletefor improvement the reading of the code.</h6>
|
||||||
|
|
||||||
|
``` VBA
|
||||||
|
|
||||||
|
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHOneMask = 16515072
|
||||||
|
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHTwoMask = 258048
|
||||||
|
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHThreeMask = 4032
|
||||||
|
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHFourMask = 63
|
||||||
|
|
||||||
|
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHighMask = 16711680
|
||||||
|
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHMidMask = 65280
|
||||||
|
Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHLowMask = 255
|
||||||
|
|
||||||
|
Private Const MNAJSAQQQQQQ18 = 262144
|
||||||
|
Private Const MNAJSAQQQQQQ12 = 4096
|
||||||
|
Private Const MNAJSAQQQQQQ6 = 64
|
||||||
|
Private Const MNAJSAQQQQQQ8 = 256
|
||||||
|
Private Const MNAJSAQQQQQQ16 = 65536
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
<h6> We can see the both functions for auto-open the macro in the reading of the document for the Word and Excel document. This is for a common code for the both vectors or for reduce the rate of the detection, hard to say it.</h6>
|
||||||
|
|
||||||
|
``` VBA
|
||||||
|
Sub AutoOpen()
|
||||||
|
AddSpace
|
||||||
|
End Sub
|
||||||
|
|
||||||
|
Private Sub Workbook_Open()
|
||||||
|
AddSpace
|
||||||
|
End Sub
|
||||||
|
```
|
||||||
|
|
||||||
|
</li>
|
||||||
<p align="center">
|
<p align="center">
|
||||||
<img src="">
|
<img src="">
|
||||||
</p>
|
</p>
|
||||||
@ -57,6 +90,7 @@
|
|||||||
* [impor.doc](https://app.any.run/tasks/454fe6a2-e2d0-4fa3-ba1d-78e2c7372ddd)
|
* [impor.doc](https://app.any.run/tasks/454fe6a2-e2d0-4fa3-ba1d-78e2c7372ddd)
|
||||||
|
|
||||||
<h6> Resources : </h6><a name="Ressources"></a>
|
<h6> Resources : </h6><a name="Ressources"></a>
|
||||||
|
* [Encode64 / Decode64 in VB.NET](https://stackoverflow.com/questions/12879661/encode64-decode64-in-vb-net)
|
||||||
|
* [New Neutrino Bot comes in a protective loader](https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/)
|
||||||
* [URLhaus Neutrino](https://urlhaus.abuse.ch/browse/tag/Neutrino/)
|
* [URLhaus Neutrino](https://urlhaus.abuse.ch/browse/tag/Neutrino/)
|
||||||
* [VB2019 paper: Rich Headers: leveraging this mysterious artifact of the PE format](https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/)
|
* [VB2019 paper: Rich Headers: leveraging this mysterious artifact of the PE format](https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/)
|
||||||
|
Loading…
Reference in New Issue
Block a user