2348
Detailed Technical Analysis Report of Fake Companies House Spam Campaign Detailed Technical Analysis Report of Fake Companies House Spam Campaign
Malware Analysis | 08/30/2018

Detailed Technical Analysis Report of Fake Companies House Spam Campaign


When was the last time you checked your PC health? Do you know your PC requires a regular Check Up!!!

Fake Companies House eReminder Spam Campaign Overview

Recently a new malware campaign has been seen in the UK, in which an attacker is sending phishing emails to Companies House Clients with an attachment of Office Document in the Email.

An attachment contains a malicious document contains an obfuscated malicious macro script that attempts to connect their C&C server to automatically downloads the Trickbot malware in the background on the user’s machine with the help of PowerShell.

Flow Chart:

FlowChart

Technical Analysis of Fake Companies House Spam Campaign

File Name: confirmation.doc

MD5: 1092EE9913FCD8F11C34CD17E01C7DFC

File Type: DOC

Spread Via:  E-mail

malware crusher


Detail Description Fake Companies House with Screenshot:

During execution of confirmation.doc, it’s launch Microsoft Word application in Protected View Mode.

Macros Disabled

Figure 1 Enable Content (Macros Disabled)

By default, Microsoft Office Application has turned on the Protected Mode Feature & Also Disabled the Macro’s for security purposes.

In case, if the user disabled the protection mechanism & enabled the macro’s feature then the warning message notification didn’t pop up. And it will harm your system.

So, it’s always recommended to never disable the protection mode.

Also, Read Detailed Technical Analysis Report of Total Wipe Out Ransomware

In case, if the user clicks on the Enable Content button or doesn’t use Microsoft Default Protected View Mode, the Malicious macro will automatically execute the malicious code in the background, without user concern.

As you can see below, in the background that an attacker has used the AutoOpen Function, which means, on opening the document malicious macro code will start its execution process.

AutoOpen Function

Figure 2 AutoOpen Function

 

As shown below, WINWORD.exe creates several processes

WinWord Process Tree

Figure 3 Process Tree

As shown below, confirmation.doc contain obfuscated malicious macro which is not clearly visible and understandable by the normal user & it also contains various modules with the UserForm1.

 

Obfuscated Macro

Figure 4 Obfuscated Macro Code

To understand the obfuscated code, a person needs to be expertise or having the skillset to deobfuscate this kind of obfuscated code.

As shown below, this malicious macro code is using User Form & shell function to launch the final PowerShell command with the help of CMD.exe

UserForm

Figure 5 Length to Calculate

Calling Malicious Function

Figure 6 Calling Malicious Function

By analyzing the above obfuscated macro code, we came to know that it's running the malicious PowerShell script in the background.

PowerShell script:

PowerShell Function

Figure 5 PS Script

As shown above, by analyzing the above PowerShell script, we came to know that it attempts to connect one of their C&C Server by using try-catch block method, if one URL fails to download the payload then it will pass to the catch block to download the payload on the victim machine.

If the URL is active, it will download the payload at following location C:\Users\admin\AppData\Local\Temp\yenrotta.exe

Thereupon, it automatically starts the downloaded payload process (yenrotta.exe) on the victim’s machine.

Once the Trickbot malware is downloaded (HASH: 5b0cbb6abbb24bcf52c189e9efdab9eb), it automatically initiated by the powershell.exe as shown in the above PowerShell script.

Following is the process tree of the trick but malware

Trickbot Process Tree

Figure 6 Trickbot Process Tree

As shown above, Once the trickbot malware is activated then it deletes the windows defender service with the help of cmd.exe and sc.exe command. First, they stop the windows defender service and thereafter it deletes the windows defender service so, that windows defender didn’t detect their malicious behavior.

Service Deleted

Figure 4 Service Deleted

As shown above, in the trickbot process tree after deleting the service it also attempts to disable the real-time monitoring through PowerShell command.

Thereafter, it copies itself into %appdata%\roaming\vsmcd\yentotta.exe

While the malware is running in the background it creates a task scheduler service with the name of MsSystemWatcher in C:\Windows\System32\Tasks


malware crusher


Trickbot malware drops the module and config files at the following location C:\Users\admin.admin-PC\AppData\Roaming\vcmsd\Modules as you can see in the following screenshot:

 

 Module_1 Module_2 Module_3 Module_4 Module_5

Figure 5 Trickbot Modules & Config Files

 As shown below trickbot malware injects the svchost.exe and initiated several processes of svchost.exe, cmd.exe, net.exe, ipconfig.exe, nltest.exe

Svchost_1

Figure 6 Svchost.exe Process Tree

As shown below, it also creates the several files at following location C:\Users\admin.admin-PC\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28

Vault Files

Figure 7 Vault Files

 

As shown below, trickbot malware attempts to connect their C&C Server on following IP’s & URL to exchange the data.

 

54.38.201.122:443

162.247.155.150:443

 

 

As shown below it creates the user folder on their server

hxxps://54.38.201.122/182.72.1.90/ser0828/ADMIN-PC_W6xxxxxxxx/send/

Trickbot malware contains the list of some bank names for their targets following are the partial names of them:

 

 

www.bankline.ulsterbank.ie

NLB Nova Ljubljanska Banka d.d. Ljubljana

 

netteller.com

 

onlinebank.com

partnersfcu.org/OnlineBanking

ibb.firsttrustbank1.co.uk

netbanking.ubluk.com

my.sjpbank.co.uk

ebanking-ch2.ubs.com

ebank.turkishbank.co.uk

banking.triodos.co.uk

infinity.icicibank.co.uk

ibank.theaccessbankukltd.co.uk

www.standardlife.co.uk

www.youinvest.co.uk

ydsbank.com

secure.tddirectinvesting.co.uk

www.deutschebank-dbdirect.com

jpmcsso-uk.jpmorgan.com

secure.aldermorebusinesssavings.co.uk

 

IOC’s

Associated Hash

File Name: confirmation.doc

MD5: 1092EE9913FCD8F11C34CD17E01C7DFC

 

Filename: Policy.vpol

MD5: C4603D24852540F89C091D85395E9C1B

SHA1: F2D3F26770EA66C084C9836021757519DB99C4AB

CRC32: B417EC37

 

Filename: FAQ

MD5: 44E7721ED085027D1692DFA4356AA2E1

SHA1: 98B36A149810315716AE99B98D9BC0FC8A8B95E1

CRC32: ADB1BA40

 

Filename: info.dat

MD5: 41CF4BFD5591F3A74D4B2A9FEC6D276E

SHA1: 2282C4FC3039D3999106195648CD0FA980EA140D

CRC32: 38C1EA73

 

Filename: README.md

MD5: 9E8CC02038685D7661E547BDA5E10D9B

SHA1: 425A0EA1306E8DF70253FEC77B6D9408764AEC36

CRC32: 98EC0E89

 

Filename: yentotta.exe

MD5: 5B0CBB6ABBB24BCF52C189E9EFDAB9EB

SHA1: C5D115AD42E6DCA5FD08E17EFA50C69CC8A300FB

CRC32: B66C42CB

 

Filename: mailsearcher32

MD5: F877C696C4082654FE64E135966FFCC6

SHA1: 34D44FFB9F57FAABF77528DD81F4D9990D2ED983

CRC32: 622D8C91

 

Filename: networkDll32

MD5: 30562B6FE4D8EFDCE3783CDD0909FFE6

SHA1: 05B8E3B60512EC12372B817814E436F39E2C801B

CRC32: CAED28C5

 

Filename: systeminfo32

MD5: B3A9D059584418A2A0803FB0C6753EA9

SHA1: D19EF63CCEF78C785CBDE5008FBFE7721625D02F

CRC32: AE0D7F34

 

Filename: importDll32

MD5: 3C0A14D3E4E5F1968434ECB017A4689B

SHA1: F98CA6A41521EC9655F750578111D6E2D08D43A9

CRC32: FA2B7317

 

Filename: injectDll32

MD5: 2E3B973AA67FDC9104498685AA02954C

SHA1: EF7AC76C22351FC3B3CCBFB115EA5E845D896787

CRC32: ADFCC5C8

 

Filename: dinj

MD5: 64078E299D391D5D3CD7CE2B1DFF76B5

SHA1: 5F05E6DDBA3E87F2E9DDC58A266DA63E7F591D29

CRC32: C1B06A4D

 

Filename: dpost

MD5: 2F3AC7FA7304C0AE2F83C9C66015F782

SHA1: 4800128B06405C9AF469F14304773EA1980869A6

CRC32: 7555D155

 

Filename: sinj

MD5: 78229773D899AFE223388286608EC099

SHA1: ACEAE19663A8C8FA84CA67CC5A9F8C396D5C570A

CRC32: 9E9E51B8

 

Filename: mailconf

MD5: CFA2A959539E47465537DE5300B7D5E4

SHA1: 44C041248E5BD3B8FAB2DACC46C1E2B63DFD70C3

CRC32: 4A6259F9

 

Filename: dpost

MD5: 2F3AC7FA7304C0AE2F83C9C66015F782

SHA1: 4800128B06405C9AF469F14304773EA1980869A6

CRC32: 7555D155

 

Filename: etorador.bat

MD5: 4A97DBD24537980ACC99C1F4354BA3D8

SHA1: 683646B8A20848EF5AD35C00D890AF8B04378770

CRC32: B7D945F0

 

Associated URL

hxxps://inventeksys[.]com/odjbas[.]dlknxaaa

hxxp://apps[.]identrust[.]com/roots/dstrootcax3[.]p7c

hxxp://bathroomsign[.]com/odjbas[.]dlknxaaa

hxxp://www[.]download[.]windowsupdate[.]com/msdownload/update/v3/static/trustedr/en/authrootstl[.]cab

 

Associated Path

C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\info.dat

C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\systeminfo32

C:\Users\admin.admin-pc\AppData\Roaming\Mozilla\Firefox\Profiles\renpv6dn.default\prefs.js

C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\injectDll32_configs\sinj

C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\injectDll32_configs\dpost

 C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\networkDll32

 C:\Users\admin.admin-pc\AppData\Roaming\vcmsd\Modules\networkDll32_configs\dpost

 

Associated IP

54.38.201.122:443

162.247.155.150:443

Associated Registry Entry

HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\LanguageList

HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10

HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103

HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843

HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124

HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob

Similar Read Detailed Technical Analysis Report of New Variant of Jigsaw Ransomware

Newsletter

×
×
#include file="../statichtml/static_notification.html"

1

ITLSecureVPN_setup.exe
2

3

1

2

3

1

2

3