2322
Detailed Technical Analysis Report of Fake Xerox Multi function Printer Spam Campaign Detailed Technical Analysis Report of Fake Xerox Multi function Printer Spam Campaign
Malware Analysis | 08/22/2018

Detailed Technical Analysis Report of Fake Xerox Multi function Printer Spam Campaign


When was the last time you checked your PC health? Do you know your PC requires a regular Check Up!!!

Fake Xerox Multifunction Printer Spam Campaign Overview

Recently a new malware campaign has been seen, in which an attacker is sending phishing emails to the victim with an attachment of Office Document in the Email.

An attachment contains a malicious document contains an obfuscated malicious macro script that attempts to connect their C&C server to automatically downloads the Trickbot malware in the background on the user’s machine with the help of PowerShell.

 

Flow Chart:

FlowChart

Technical Analysis of Fake Xerox Multifunction Printer Spam Campaign

File Name: xerox.doc

MD5: FEA55342279E4CD81D9407323C86B040

File Type: DOC

Spread Via:  E-mail

Detail Description Fake Xerox Multifunction Printer Spam Campaign with Screenshot:

During execution of xerox.doc, it’s launch Microsoft Word application in Protected View Mode.

Enable Content

Figure 1 Enable Content (Macros Disabled)

By default, Microsoft Office Application has turned on the Protected Mode Feature & Also Disabled the Macro’s for security purposes.

In case, if the user disabled the protection mechanism & enabled the macro’s feature then the warning message notification didn’t pop up. And it will harm your system.

So, it’s always recommended to never disable the protection mode.

Get peace of mind! Get rid of malicious programs instantly

Free Malware Scan Compatible with Win 10,8.1,8 & 7

In case, if the user clicks on the Enable Content button or doesn’t use Microsoft Default Protected View Mode, the Malicious macro will automatically download the payload into %temp% location with the help of Powershell.exe

%temp%\{Random name}.exe

As shown below, WINWORD.exe creates several processes

Process Tree

Figure 2 Process Tree

As shown below, xerox.doc contain obfuscated malicious macro which is not clearly visible and understandable by the normal user.

 

Obfuscated macro Code

Figure 3 Obfuscated Macro Code

To understand the obfuscated code, a person needs to be expertise or having the skillset to deobfuscate this kind of obfuscated code.

By analyzing the above obfuscated macro code, we came to know that it's running the malicious PowerShell script in the background.

PowerShell script:

PowerShell Script

Figure 2 PS Script

As shown above, Bad actor scrambled the PowerShell script by storing the values in multiple variables and adding all the variables in the Invoke-Expression command.

By analyzing the above PowerShell script, we came to know that it attempts to connect their C&C Server if its active it will download the payload at following location C:\Users\admin\AppData\Local\Temp\WDGLXPI.exe

Thereupon, it automatically starts the downloaded payload process (WDGLXPI.exe) on the victim’s machine.

Once the Trickbot malware is downloaded (HASH: 05b995ea556c3116fff8b5b119e491eb), it automatically initiated by the powershell.exe as shown in the above PowerShell script.

Following is the process tree of the trickbot malware

Trickbot Process Tree

Figure 3 Trickbot Process Tree

As shown above, Once the trickbot malware is activated then it deletes the windows defender service with the help of cmd.exe and sc.exe command. First, they stop the windows defender service and thereafter it deletes the windows defender service so, that windows defender didn’t detect their malicious behavior.

Service Deleted

Figure 4 Service Deleted

As shown above, in the trickbot process tree after deleting the service it also attempts to disable the real-time monitoring through PowerShell command.

Thereafter, it copies itself into %appdata%\roaming\vcmsd\WEHMXPJ.exe

Read Detailed Technical Analysis Report of ShutUpAndDance Ransomware

While the malware is running in the background it creates a task scheduler service with the name of MsSystemWatcher in C:\Windows\System32\Tasks

Trickbot malware drops the module and config files at following location C:\Users\admin.admin-PC\AppData\Roaming\vcmsd\Modules as you can see in the following screenshot:

TrickBot Module

Trickbot_2 

Trickbot3

Trickbot5

Figure 5 Trickbot Modules & Config Files

 As shown below trickbot malware injects the svchost.exe and initiated several processes of svchost.exe, cmd.exe ,net.exe, ipconfig.exe, nltest.exe

Svchost Process Tree

Figure 6 Svchost.exe Process Tree

As shown below, trickbot malware attempts to connect their C&C Server on following IP’s & URL to exchange the data.

 

3gihg5esw7lxg2wh.onion:448

92.38.135.78:447

 185.252.213.94:447

31.148.219.201:447

185.82.218.51:447

185.174.173.173:447

As shown below it creates the user folder on their server

hxxps:// 118.200.151.113/ser0814/ADMIN-PC_xxx/64/injectDll/DEBG/browser /

Trickbot malware contains the list of some bank names for their targets following are the few names of them:

 

 

Wells Fargo Bank NA1604

 

NLB Nova Ljubljanska Banka d.d. Ljubljana

 

netteller.com

 

onlinebank.com

partnersfcu.org/OnlineBanking

ibb.firsttrustbank1.co.uk

netbanking.ubluk.com

my.sjpbank.co.uk

ebanking-ch2.ubs.com

ebank.turkishbank.co.uk

banking.triodos.co.uk

infinity.icicibank.co.uk

ibank.theaccessbankukltd.co.uk

www.standardlife.co.uk

www.youinvest.co.uk

ydsbank.com

secure.tddirectinvesting.co.uk

www.deutschebank-dbdirect.com

jpmcsso-uk.jpmorgan.com

secure.aldermorebusinesssavings.co.uk

 

IOC’s

Associated Hash

Filename:WDGLXPI.exe

MD5:05B995EA556C3116FFF8B5B119E491EB

SHA1:16EAAB0E799C4CA02867B75E7338CF5A113672E2

CRC32:B034BF12

SHA-256:0894C3EBDBBC33A7A6406511EED423C0321172C5306249F11B783EA83DE8E5E6

 

Filename:FAQ

MD5:1A8FBCFD74D3F43894DBA3D9B41806DE

SHA1:582E024AE7BFB507166C4F451568D7F7385EA8B4

CRC32:781A92BC

SHA-256:AEA4476B30AD66CE6BFC5D97A3B3DE9AF68666C2FF318E2F8DFD14AF0CABF0F5

 

Filename:info.dat

MD5:847948679F9EB942C38C12EA7B27B992

SHA1:B2DD957C591DB39C6A33F77A820CBD58AE21A1B1

CRC32:F65DE1A2

SHA-256:82E4248EA3326F824CCFC8AB0F40EBE4C79F2085199D7893C14E0A4B27A426F9

 

Filename:README.md

MD5:6B75B09B295113DB62B798FFA28F049A

SHA1:9C2B1C11593B6E2E020D96317C5C9EE290E98E79

CRC32:54AEC39F

SHA-256:7DC91CFE40E51C2880B40481611E6024638724C7BCCF23005BDC161CF14B306D

 

Filename:injectDll32

MD5:2E3B973AA67FDC9104498685AA02954C

SHA1:EF7AC76C22351FC3B3CCBFB115EA5E845D896787

CRC32:ADFCC5C8

SHA-256:6DA339B7451CC4ED60C1F3F26EBC6405F1E3C41D7D2CC0E9A2FE6590D12426ED

 

Filename:networkDll32

MD5:30562B6FE4D8EFDCE3783CDD0909FFE6

SHA1:05B8E3B60512EC12372B817814E436F39E2C801B

CRC32:CAED28C5

SHA-256:2BAB8BA30719A42213DB0087572E481F14DE7CDF7BFFE1A1BE17DB9F09D70525

 

Filename:systeminfo32

MD5:B3A9D059584418A2A0803FB0C6753EA9

SHA1:D19EF63CCEF78C785CBDE5008FBFE7721625D02F

CRC32:AE0D7F34

SHA-256:70DCCAA8296D3101E33F952EB2A927A21F428786F1F8DB724EAF918408E348CF

 

Filename:dinj

MD5:B6D1496A79DBD8395ADA9BA8502695E6

SHA1:2A41021423D02EF5A7B89F0528D8988C83CEAB9F

CRC32:E5EF3275

SHA-256:DC9FA7A21215C495117288E797E7F04CF805CA0EB3611F85055D393E14410945

 

Filename:dpost

MD5:ADB9D36A9DD0114214B3E61EC7C469F6

SHA1:667E3A824FF59A99B19613CC1DDA6960665D169F

CRC32:DC915ECF

SHA-256:5AC71D91988916BDD1397429E315D810438504337E1817002D2B2D997DE97D81

 

 

 

Filename:sinj

MD5:A1862E9728BE7990596DE96FBCC718CF

SHA1:6352E9829D401C07D4E5802913DD1B6CC47AA875

CRC32:4F6D7BCE

SHA-256:0A5345D92CC52B152FDA3E06EE3D049E825A9EBCC8CB15848C4F341ED654D7E3

 

Associated URL

hxxps:// 118.200.151.113/ser0814/ADMIN-PC_xxxxx/1/NJfuy7MRukSnP12PvuCjIxRTVp4/

hxxps:// 118.200.151.113/ser0814/ADMIN-PC_xxxxx/64/injectDll/VERS/browser/

 

Associated Path

C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\info.dat

C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\systeminfo32

C:\Users\admin.admin-pc\AppData\Roaming\Mozilla\Firefox\Profiles\renpv6dn.default\prefs.js

C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\injectDll32_configs\sinj

C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\injectDll32_configs\dpost

 C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\networkDll32

 C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\networkDll32_configs\dpost

 

Associated IP

3gihg5esw7lxg2wh.onion:448

92.38.135.78:447

 185.252.213.94:447

31.148.219.201:447

185.82.218.51:447

185.174.173.173:447

Associated Registry Entry

HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\LanguageList

HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10

HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103

HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843

HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124

HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob

 Also Read Detailed Technical Analysis Report of Princess Ransomware

Are you worried about your PC health?

Check your PC Health for Free!

Powered By:howtoremoveit.info Run Free Scan


Tips to Prevent virus and malware from Infecting Your System:

  1. Enable your popup blocker: Pop-ups and ads on the websites are the most adoptable tactic used by cybercriminals or developers with the core intention to spread malicious programs.
    So, avoid clicking uncertain sites, software offers, pop-ups etc. and Install a powerful ad- blocker for ChromeMozilla, and IE
  2. Keep your Windows Updated: To avoid such infections, we recommend that you should always keep your system updated through automatic windows update.By doing this you can keep your device free from virus.According to the survey, outdated/older versions of Windows operating system are an easy target.
  3. Third-party installation: Try to avoid freeware download websites as they usually install bundled of software with any installer or stub file.
  4. Regular Backup: Regular and periodical backup helps you to keep your data safe in case the system is infected by any kind of virus or any other infection.Thus always backup important files regularly on a cloud drive or an external hard drive.
  5. Always have an Anti-Virus: Precaution is better than cure. We recommend that you install an antivirus like ITL Total Security or a good Malware Removal Tool like Download Virus RemovalTool

 

 

Newsletter

Are your devices Secure?

Best Anti-Malware program in 2018

ad_computer_work
Start Scan Now  Download Time: less than 1 minute
×
×

1

indicatorImg_logo
mlcsetup
2

3

1

2

3

1

2

3