Detailed Technical Analysis Report of Fake KPMG Personnel Spam Campaign

Malware Analysis | 09/14/2018

Fake KPMG FY18 Q4 Personnel Spam Campaign

Overview

Recently a new malware campaign has been observed in which an attacker sends fake "KPMG FY18 Q4 Personnel" phishing emails to recipients with an Office spreadsheet attached.

The attachment is a malicious spreadsheet containing an obfuscated macro script that attempts to connect to the attacker's C&C server and, with the help of PowerShell, silently downloads the Trickbot malware onto the user's machine in the background.

Flow Chart:

Technical Analysis of Fake KPMG FY18 Q4 Personnel Spam Campaign

File Name: FY18.xls

MD5: AF7FCCC0AB6CB818BF5C946352DE36C7

File Type: DOC

Spread Via: E-mail

Detailed Technical Analysis of the Fake KPMG FY18 Q4 Personnel Spam Campaign, with Screenshots:

When xerox.doc is executed, it launches the Microsoft Excel application in Protected View mode.

Figure 1 Enable Content (Macros Disabled)

By default, Microsoft Office applications have Protected View turned on and macros disabled for security purposes.

If the user disables this protection mechanism and enables macros, the warning notification no longer pops up, and the system can be harmed.

So it is always recommended never to disable Protected View.

If the user clicks the Enable Content button, or is not using Microsoft's default Protected View mode, the malicious macro automatically downloads the payload into the %temp% location with the help of powershell.exe:

%temp%\{Random name}.exe


As shown below, Excel.exe creates several child processes.

Figure 2 Process Tree

As shown below, FY18.xlsx contains a scrambled (obfuscated) malicious macro that is not readily understandable by a normal user.

Workbook_Open

Figure 3 Obfuscated Macro Code

To understand the scrambled code, a person needs expertise and the skill set to read this kind of obfuscation.

By analysing the scrambled macro code above, we found that it runs a malicious PowerShell script in the background.

PowerShell script:

Figure 2 PS Script

By analysing the PowerShell script above, we found that it attempts to connect to the C&C server; if the server is active, it downloads the payload to the following location: C:\Users\admin\AppData\Local\Temp\the.exe

Thereupon, it automatically starts the downloaded payload process (the.exe) on the victim's machine.

Once the Trickbot malware is downloaded (HASH: FAD68D7BCAE15F01AC2E1B9D6580B5FE), it is automatically launched by powershell.exe, as shown in the PowerShell script above.

The following is the process tree of the Trickbot malware.

Figure 3 Trickbot Process Tree

As shown above, once the Trickbot malware is activated it deletes the Windows Defender service with the help of cmd.exe and the sc.exe command. It first stops the Windows Defender service and then deletes it, so that Windows Defender does not detect its malicious behaviour.

Figure 4 Service Deleted

As shown above in the Trickbot process tree, after deleting the service it also attempts to disable real-time monitoring through a PowerShell command.
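The chain described above (Excel spawning PowerShell, PowerShell dropping and starting the.exe from %temp%, sc.exe stopping and deleting the Windows Defender service, then a PowerShell command switching real-time monitoring off) is exactly what a SOC would want to alert on. The following Python is an added detection example, not code from the report or its authors: it applies four rules to constructed process-creation events whose fields mimic Sysmon Event ID 1 / Windows Security 4688 records. The WinDefend service name, the Set-MpPreference cmdlet and the sample command lines are assumptions standing in for the exact commands, which the report does not reproduce.

```python
"""Detection rules for the behaviour described above: an Office application
spawning a script host, PowerShell launching an executable from %TEMP%, and
Windows Defender being stopped/deleted or having real-time protection turned
off. Runs over constructed process-creation events (not the report's own
sandbox data); field names mimic Sysmon Event ID 1 / Windows 4688 records."""
import re
from dataclasses import dataclass
from typing import List, Tuple

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# sc.exe stop/delete/config against the Defender service (assumed name: WinDefend)
SC_TAMPER = re.compile(r"\b(stop|delete|config)\s+WinDefend\b", re.IGNORECASE)
# Set-MpPreference used to switch real-time monitoring off (assumed form of the command)
RTP_DISABLE = re.compile(r"Set-MpPreference.*DisableRealtimeMonitoring", re.IGNORECASE)
# executable launched from the user's %TEMP% directory
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent: str    # parent image (name or full path)
    image: str     # new process image (name or full path)
    cmdline: str   # command line of the new process


def _base(image: str) -> str:
    """Lower-cased file name of an image path, so rules match regardless of directory or case."""
    return image.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event triggers (empty list if none)."""
    hits = []
    if _base(ev.parent) in OFFICE_APPS and _base(ev.image) in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if _base(ev.parent) == "powershell.exe" and TEMP_EXE.search(ev.image):
        hits.append("powershell_launches_temp_exe")
    if _base(ev.image) == "sc.exe" and SC_TAMPER.search(ev.cmdline):
        hits.append("defender_service_tamper")
    if _base(ev.image) == "powershell.exe" and RTP_DISABLE.search(ev.cmdline):
        hits.append("defender_realtime_disable")
    return hits


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Run every rule over every event; returns (event index, rule name) pairs in order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


# Constructed sample chain modelled on the process trees in the report.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "EXCEL.EXE", r'"C:\Program Files\Microsoft Office\EXCEL.EXE" FY18.xls'),
    ProcEvent("EXCEL.EXE", "powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden -Command <obfuscated script elided>"),
    ProcEvent("powershell.exe", r"C:\Users\admin\AppData\Local\Temp\the.exe",
              r"C:\Users\admin\AppData\Local\Temp\the.exe"),
    ProcEvent("the.exe", "cmd.exe", "cmd.exe /c sc stop WinDefend"),
    ProcEvent("cmd.exe", "sc.exe", "sc stop WinDefend"),
    ProcEvent("cmd.exe", "sc.exe", "sc delete WinDefend"),
    ProcEvent("the.exe", "powershell.exe", "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),   # benign
    ProcEvent("cmd.exe", "sc.exe", "sc query WinDefend"),                  # benign query, must not alert
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{rule}] #{idx}: {ev.parent} -> {ev.image}  {ev.cmdline}")
```

The last sample event (`sc query WinDefend`) is there to show that the service rule keys on state-changing verbs only; a plain query is common on healthy hosts and should not raise an alert. In production the events would come from the SIEM rather than the inline list, and the Office-to-script-host rule alone would have caught this sample before any payload ran.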

Thereafter, it copies itself to %appdata%\roaming\sysmsu\the.exe

While running in the background, the malware creates a scheduled task named MsSystemWatcher in C:\Windows\System32\Tasks

Trickbot drops its module and config files at the following location, C:\Users\admin.admin-PC\AppData\Roaming\vcmsd\Modules, as you can see in the following screenshot:

Figure 5 Trickbot Modules & Config Files

As shown below, the Trickbot malware injects into svchost.exe and initiates several processes: svchost.exe, cmd.exe, net.exe, ipconfig.exe and nltest.exe.

Figure 6 Svchost.exe Process Tree

As shown below, the Trickbot malware attempts to connect to its C&C servers on the following IPs and URL to exchange data.

34.192.84.239

178.116.83.49

67.26.73.254

195.54.162.42

188.114.210.9

As shown below, it creates a user folder on its server:

hxxp://188.114.210.9:8082/serxxx/PC_W617601.55B17B/64/injectDll/DEBG/browser /

The Trickbot malware contains a list of bank names as targets; the following are a few of them:

Wells Fargo Bank NA1604

NLB Nova Ljubljanska Banka d.d. Ljubljana

netteller.com

onlinebank.com

partnersfcu.org/OnlineBanking

ibb.firsttrustbank1.co.uk

netbanking.ubluk.com

my.sjpbank.co.uk

ebanking-ch2.ubs.com

ebank.turkishbank.co.uk

banking.triodos.co.uk

infinity.icicibank.co.uk

ibank.theaccessbankukltd.co.uk

www.standardlife.co.uk

www.youinvest.co.uk

ydsbank.com

secure.tddirectinvesting.co.uk

www.deutschebank-dbdirect.com

jpmcsso-uk.jpmorgan.com

secure.aldermorebusinesssavings.co.uk

 

IOCs

Associated Hashes

Filename: the.exe
MD5: FAD68D7BCAE15F01AC2E1B9D6580B5FE
SHA1: ED78A34E8E9A3EE9C7B07BBD13BD146DE428D534
CRC32: 6D101F95
SHA-256: 53E87CA7D245CC1B486C2370A59C47113BF75B9D8A3BB1FC453BD089D15E5BD1

Filename: info.dat
MD5: 2CEFB9D51FFE8AFE11248A9BC29CA31A
SHA1: F1A44751C708B4BCC8D09424B45D886B455D74CD
CRC32: AE8E17A4
SHA-256: B414C94739FF7DA205A790FC69AAC3BC28D56CDDEBEB5DA8F988384554879922

Filename: README.md
MD5: 0CA491B297B32070C506E52715D3DDBE
SHA1: 3C49C21725891E9AB36DF05E4BE1D41648B52D63
CRC32: 3686D3E8
SHA-256: 71E5510831C8CA2CDAF55043D837CD662F084B28D304E65DA9D2F6EEE4EBAE2C

Filename: injectDll32
MD5: AA7E85756556681A98B99C6907DDDE30
SHA1: D5BCBE2C96026BB7CFFA8F67C6BB76940ABC1420
CRC32: DD1B251D
SHA-256: DC61FC13CE4752F5C40D4F1589A8A85652C1B40BA751D3E2E9CB747C96BB2558

Filename: networkDll32
MD5: E7BD5C2CA5CB694F4A513E7A021BDD11
SHA1: 9ED57AA9CF17D1E879DB8704F0209A7EB45D9CA6
CRC32: D562260D
SHA-256: 30AABBB530124B5B1706CC665D830F528B68D818070A88F3B6763DFDE65CDCA0

Filename: systeminfo32
MD5: B3A9D059584418A2A0803FB0C6753EA9
SHA1: D19EF63CCEF78C785CBDE5008FBFE7721625D02F
CRC32: AE0D7F34
SHA-256: 70DCCAA8296D3101E33F952EB2A927A21F428786F1F8DB724EAF918408E348CF

Filename: FAQ
MD5: 08B0BFECA7BDF1BFEA5E4B9C6C0905E7
SHA1: 87B35E59B97517D690A80C71629D36CCCC40C228
CRC32: C4C65E98
SHA-256: 830464E6BC4B913753856D0DD2D682B244CF81CD83B3C9F1FB27B84BE1F843CF

Filename: dpost
MD5: B1FC43343C4A013114FE25214B493BB8
SHA1: B91B37A932D7FAE662EFD179D97786C140124A11
CRC32: 1D7893E1
SHA-256: 9130DEEAB5B1BEAED968396136BA75DE06826E11B590D50CCC73F1BB16EBB905

Filename: sinj
MD5: BAC9E3AA1E1BEC522655BB05DE16C624
SHA1: E74865FFACC938E8A85E6306332C04995C6131D1
CRC32: B7E53FA9
SHA-256: 44D3C9AC1CF99E9529D4197FDFBC548862457E1E5DC3388CB0D5B243C3E942CF

Filename: dinj
MD5: 25264E3F4DADF284CDA56F57FE9489CD
SHA1: FA47C0EB773D3951A7CE6549FDDFE746C8C3A755
CRC32: A3518A9A
SHA-256: 452F5A06101DA4ABA9FBDBB2C8CBAFBCEC6EB41F8CCDD8833F12771A815C6644

Associated URL

hxxp://188.114.210.9:8082/serxxx/PC_W617601.55B17B/64/injectDll/DEBG/browser /

Associated Path

C:\Users\admin.admin-pc\AppData\Roaming\sysmsu\info.dat

C:\Users\admin.admin-pc\AppData\Roaming\sysmsu\Modules\systeminfo32

C:\Users\admin.admin-pc\AppData\Roaming\Mozilla\Firefox\Profiles\renpv6dn.default\prefs.js

C:\Users\admin.admin-pc\AppData\Roaming\sysmsu\Modules\injectDll32_configs\sinj

C:\Users\admin.admin-pc\AppData\Roaming\sysmsu\Modules\injectDll32_configs\dpost

C:\Users\admin.admin-pc\AppData\Roaming\sysmsu\Modules\networkDll32

C:\Users\admin.admin-pc\AppData\Roaming\sysmsu\Modules\networkDll32_configs\dpost

Associated IP

34.192.84.239

178.116.83.49

67.26.73.254

195.54.162.42

188.114.210.9

Associated Registry Entry

HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\LanguageList

HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10

HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103

HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843

HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\10B\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124

HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob
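To make the indicators above actionable, here is an added Python example (not the report's or the authors' code) that sweeps constructed host and proxy telemetry against the SHA-256 hashes, C&C IPs, C&C URL, drop paths and the MsSystemWatcher scheduled-task name from this report. The file paths are matched on the suffix after the user profile, because the C:\Users\admin.admin-pc prefix is specific to the analysis sandbox and will differ on every real host; the defanged hxxp URL is refanged before matching. The jdoe profile, the proxy log lines, the scheduled-task list and the benign entries are constructed sample data.

```python
"""IOC sweep over constructed host and network telemetry, using the hashes,
paths, IPs, URL and scheduled-task name listed in this report."""
import re
from typing import Dict, List

# SHA-256 values from the IOC section above, keyed to the file they belong to.
IOC_SHA256 = {
    "53E87CA7D245CC1B486C2370A59C47113BF75B9D8A3BB1FC453BD089D15E5BD1": "the.exe",
    "B414C94739FF7DA205A790FC69AAC3BC28D56CDDEBEB5DA8F988384554879922": "info.dat",
    "DC61FC13CE4752F5C40D4F1589A8A85652C1B40BA751D3E2E9CB747C96BB2558": "injectDll32",
    "30AABBB530124B5B1706CC665D830F528B68D818070A88F3B6763DFDE65CDCA0": "networkDll32",
    "70DCCAA8296D3101E33F952EB2A927A21F428786F1F8DB724EAF918408E348CF": "systeminfo32",
}
IOC_IPS = {"34.192.84.239", "178.116.83.49", "67.26.73.254", "195.54.162.42", "188.114.210.9"}
IOC_URL = "hxxp://188.114.210.9:8082/serxxx/PC_W617601.55B17B/64/injectDll/DEBG/browser /"
IOC_TASK = "MsSystemWatcher"
# Report paths with the sandbox-specific "C:\Users\admin.admin-pc" prefix dropped,
# so they match under any user profile.
IOC_PATH_SUFFIXES = [
    r"\AppData\Roaming\sysmsu\the.exe",
    r"\AppData\Roaming\sysmsu\info.dat",
    r"\AppData\Roaming\sysmsu\Modules\systeminfo32",
    r"\AppData\Roaming\sysmsu\Modules\injectDll32_configs\sinj",
    r"\AppData\Roaming\sysmsu\Modules\injectDll32_configs\dpost",
    r"\AppData\Roaming\sysmsu\Modules\networkDll32",
    r"\AppData\Roaming\sysmsu\Modules\networkDll32_configs\dpost",
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(url: str) -> str:
    """Convert the defanged 'hxxp' form back into a matchable URL prefix (trailing space/slash dropped)."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE).rstrip(" /")


def sweep(file_hashes: Dict[str, str], net_log: List[str], task_files: List[str]) -> Dict[str, list]:
    """Match telemetry against every IOC class; returns findings keyed by IOC type."""
    findings = {"hash": [], "path": [], "ip": [], "url": [], "task": []}
    for path, sha256 in file_hashes.items():
        name = IOC_SHA256.get(sha256.upper())          # host tools often emit lower-case hex
        if name:
            findings["hash"].append((path, name))
        if any(path.lower().endswith(s.lower()) for s in IOC_PATH_SUFFIXES):
            findings["path"].append(path)
    url_prefix = refang(IOC_URL).lower()
    for i, line in enumerate(net_log):
        for ip in sorted(set(IPV4.findall(line)) & IOC_IPS):
            findings["ip"].append((i, ip))
        if url_prefix in line.lower():
            findings["url"].append(i)
    for task in task_files:
        if task.rsplit("\\", 1)[-1].lower() == IOC_TASK.lower():
            findings["task"].append(task)
    return findings


def _ioc_hash(name: str) -> str:
    """Look up a report hash by file name, lower-cased as most host tooling emits it."""
    return next(h for h, n in IOC_SHA256.items() if n == name).lower()


# --- constructed telemetry (not from the report) ---
HOST_FILE_HASHES = {
    r"C:\Users\jdoe\AppData\Roaming\sysmsu\the.exe": _ioc_hash("the.exe"),
    r"C:\Users\jdoe\AppData\Roaming\sysmsu\Modules\networkDll32": _ioc_hash("networkDll32"),
    r"C:\Windows\System32\notepad.exe": "0" * 64,   # placeholder benign hash
}
PROXY_LOG = [
    "2018-09-14T10:02:11Z 10.0.0.5 -> 188.114.210.9:8082 GET "
    "http://188.114.210.9:8082/serxxx/PC_W617601.55B17B/64/injectDll/DEBG/browser/",
    "2018-09-14T10:02:13Z 10.0.0.5 -> 93.184.216.34:443 CONNECT example.com:443",
    "2018-09-14T10:03:00Z 10.0.0.7 -> 195.54.162.42:443 CONNECT 195.54.162.42:443",
]
SCHEDULED_TASKS = [
    r"C:\Windows\System32\Tasks\MsSystemWatcher",
    r"C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag",
]

if __name__ == "__main__":
    for kind, hits in sweep(HOST_FILE_HASHES, PROXY_LOG, SCHEDULED_TASKS).items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

Only SHA-256 is used for hash matching; the MD5 and SHA1 values in the report would match the same files, but SHA-256 is what most endpoint inventories record. A real sweep would read the hash inventory and proxy export from disk instead of the inline dictionaries, and a hit on the scheduled task or the sysmsu drop path is worth treating as confirmed infection even when the hashes have changed, since Trickbot builds are repacked frequently.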
