Zloader Infection Analysis – Threat Analysis

SHA256 Hash: 3212793038ca67b8a43471c722d7b72a7dad814fdcdef2e8c0cb8327119854c1

File Name: req_form-876352142.xls

Oledump confirms Excel 4.0 Macro with visible sheet:

Sheet 1:

Sheet 2: Formulas and functions are very spaced out and obfuscated.

Cells: CY6696 & CY6698

CY6696:

Deobfuscation

In order to deobfuscated the formula, calculations are performed based on two cell values. The first cell is initially blank and has its value calculated by the “SET.VALUE” function. Function “GET.CELL” is also used in the calculation, which returns information about the formatting, location, or contents of a cell. It’s used in a macro whose behavior is determined by the status of a particular cell. The second cell is pre-loaded with a value. All of the formulas begin with an equal sign (=).

=SET.VALUE(HC33931, 371/2*GET.CELL(19,ER62521))

=SET.VALUE(HC33931, 371/2*8)

HC33931 = 1484

BO65431 = -1423

CHAR(1484 + (-1423))

CHAR(61)

Character “=”

Syntax: GET.CELL(type_num, reference)

Type_num is a number that specifies what type of cell information you want.

Reference is a cell or a range of cells from which you want information.

Observed Type_Nums:

Type_num 17 = Row height of cell, in points.

Type_num 19 = Size of font, in points.

Type_num 38 = Shade foreground color as a number in the range 1 to 56. If color is automatic, returns 0.

Type_num 50 = Number indicating the cell's vertical alignment:

1 = Top

2 = Center

3 = Bottom

4 = Justified

Deobfuscated Formula:

This section of the macro is a sandbox check that looks to see if the Microsoft Excel window is maximized. If not, function “GOTO” diverts main execution flow.

Syntax: GET.WINDOW(type_num, window_text)

Type_num 23 = Number indicating the size of the window (including charts)

1 = Restored

2 = Minimized (displayed as an icon)

3 = Maximized

Deobfuscated Call Functions:

URL Downloaders:

hxxp://www.esvconnects[.]com/wp-content/plugins/apikey/wp-front.php – 104.18.61[.]95

hxxp://linguy[.]cn/wp-content/plugins/apikey/wp-front.php – 118.25.194[.]69

At the time of infection, one or both of the URL Downloaders had HTTP redirect setup to 176.96.238[.]42/j/o.dll

43/71 Detections on VirusTotal - Zloader

SHA256 Hash: ccf1e6416673f50f016cfa1658e9dd29793195b9bc701fedc1218d122faeb6b2

The Excel File can also be analyzed with XMLMacroDeobfuscator:

Dynamic Analysis

Error upon enabling content, cannot find file “C:\Users\Public\nNme.html”:

Apache Server setup to serve file “wp-front.php”:

Resolve URL Downloader Domains to Apache Server:

File “C:\Users\Public\nNme.html” found but is not a valid Win32 application, confirming execution:

HTTP 301 redirect setup in file "wp-front.php" to serve "o.dll":

The malicious Excel file runs reg.exe to check for "Enable all macros" as another sandbox check: C:\Windows\SysWOW64\reg.exe EXPORT HKCU\Software\Microsoft\Office\16.0\Excel\Security C:\Users\Public\1lf7Ank.reg /y

The Dll file is downloaded to "C:\Users\Public\nNme.html" and ran via rundll32.exe with the export function DllRegisterServer.

PID (0x9f4) Created:

PID (0x9f4) Created PID (0xe14):

PID (0xe14) Created PID (0xfe8) - MSIEXEC.EXE 32-Bit:

PID (0xfe8) Running IPCONFIG & NET Commands:

Netstat Showing Suspicious TCP Connection 217.12.218[.]100 (Dronten, Netherlands):

PID (0xfe8) Wrote File “s.exe”:

PID (0xfe8) Created PID (0xc28) From File “s.exe”:

“s.exe” (shown below) is Win32 Cabinet Self Extractor – Used to run tasks and functions on computers, extractors are hidden and start by themselves.

SHA256 Hash: 0f240bb86ad32e9dd0fcd6992da7bd197e2a1bc4a05114773d01b7464920c08d

8/70 Detections on VirusTotal – Trojan Downloader

Wireshark Shows “s.exe” Downloaded From Naaldwijk, Netherlands (Host Sailor Ltd.):

Extracted Command:

PID (0xc28) “s.exe” Wrote JavaScript File “Sero002298.jse”:

PID (0xc28) Created PID (0xd18) - Win32 Cabinet Self Extractor Command:

PID (0xd18) Created PID (0xd00) – Used Wscript to run JavaScript “Sero002298.jse”:

JavaScript “Sero002298.jse” Deleted By PID (0xd00) Roughly 17 Minutes After Running:

Two registry keys, one for running "s.exe" on user logon and the second for extraction cleanup:

To retrieve the JavaScript File “Sero002298.jse”, “s.exe” was executed manually. This time the malware created folder “IXP001.TMP”. The JavaScript is highly obfuscated and contains interesting strings (sampled below):