weixin_39860732
2021-01-11 15:24

VBA anti-analysis avoids dropping/running Windows executable in Cuckoo

Earlier this week I came across some VBA droppers that tested if Python was installed on the system using WQL, and if found, did not drop/run the executable.

MD5: 9ac7b014849edaa83600542b4bb95813

Relevant part from Behavior analysis:

API: IWbemServices_ExecQuery

Arguments: query: Select * from Win32_product WHERE name like 'Python %' query_language: WQL flags: 272

This question comes from the open-source project: cuckoosandbox/cuckoo

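As a defender-side illustration (added here; not code from the Cuckoo project or the reporter), a small Python check modelled on Cuckoo-style behavior API call records that flags the WQL probe quoted above. The call-record layout and the sample calls are constructed assumptions, and the watch list is kept to the Python product name this report describes; extend it as needed.

```python
import re

# Constructed sample of Cuckoo-style behavior API call records (not taken from the report).
SAMPLE_CALLS = [
    {"api": "IWbemServices_ExecQuery",
     "arguments": {"query": "Select * from Win32_product WHERE name like 'Python %'",
                   "query_language": "WQL", "flags": 272}},
    {"api": "IWbemServices_ExecQuery",
     "arguments": {"query": "SELECT * FROM Win32_OperatingSystem",
                   "query_language": "WQL", "flags": 0}},
    {"api": "CreateProcessInternalW",
     "arguments": {"command_line": "cmd.exe /c whoami"}},
]

# Installed products whose presence an evasive sample may probe for before running.
# Only "Python" is documented on this page; add further names as an assumption.
PROBED_PRODUCTS = ("python",)

# Matches "SELECT ... FROM Win32_Product ... WHERE name LIKE '<pattern>'" (or "= '<name>'").
WQL_PRODUCT_RE = re.compile(
    r"select\s+.*?\s+from\s+win32_product\b.*?\bname\s+(?:like|=)\s*'([^']*)'",
    re.IGNORECASE | re.DOTALL,
)


def product_probe(query):
    """Return the product-name pattern a WQL query asks Win32_Product for, or None."""
    m = WQL_PRODUCT_RE.search(query)
    return m.group(1) if m else None


def find_product_probes(calls, products=PROBED_PRODUCTS):
    """Flag IWbemServices_ExecQuery calls that look up watched products via Win32_Product."""
    hits = []
    for call in calls:
        if call.get("api") != "IWbemServices_ExecQuery":
            continue
        args = call.get("arguments", {})
        if args.get("query_language", "WQL").upper() != "WQL":
            continue
        pattern = product_probe(args.get("query", ""))
        if pattern is None:
            continue
        # Drop LIKE wildcards ('%' and '_') before comparing against the watch list.
        name = pattern.replace("%", "").replace("_", "").strip().lower()
        if any(name.startswith(p) for p in products):
            hits.append({"query": args["query"], "product": name})
    return hits


if __name__ == "__main__":
    for hit in find_product_probes(SAMPLE_CALLS):
        print("installed-software probe via WMI:", hit)
```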

6 answers

  • weixin_39625098 4 months ago

    That's interesting. I'm not sure that these are tricks that will stay for very long, though. Isn't Python a pretty legitimate application to have on regular workstations too?

  • weixin_39661589 4 months ago

    One quick and dirty way might be to drop the strings from WMI: execute in PowerShell in the VM: Remove-WmiObject -Class "Win32_Product". Side effects are possible, though. Have not tested it thoroughly yet.

    Better would be to just remove the python registrations from the table.

    Seems like a query that could be intercepted at the hooking level. Have not seen many samples, though, that rely on the WMI Python queries.

  • weixin_39873191 4 months ago

    Not experienced in this, but is it not possible for Cuckoo to replace certain strings prior to them being received by the malware? If this kind of thing were possible, then it could be possible to replace anti-analysis strings (i.e. vbox) with other things too, so even if the sandbox would have been detected, it is not, with the option, obviously, to disable this if someone wanted to see its detected-VM execution path (in case it doesn't just terminate but deviates in an interesting way).

  • weixin_39636707 4 months ago

    Hey, maybe a good workaround while the error persists is to dump the memory and export the executables from memory.

    It's interesting, look:

    
    2016-06-28 01:33:29,000 [root] INFO: Date set to: 06-28-16, time set to: 08:33:29
    2016-06-28 01:33:29,015 [root] DEBUG: Starting analyzer from: C:\pbnpygsv
    2016-06-28 01:33:29,015 [root] DEBUG: Storing results at: C:\rErflGvxNF
    2016-06-28 01:33:29,015 [root] DEBUG: Pipe server name: \\.\PIPE\WxplLxmTJW
    2016-06-28 01:33:29,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
    2016-06-28 01:33:29,015 [root] INFO: Automatically selected analysis package "doc"
    2016-06-28 01:33:53,132 [root] DEBUG: Started auxiliary module Browser
    2016-06-28 01:33:53,132 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
    2016-06-28 01:33:54,941 [modules.auxiliary.digisig] DEBUG: File has an invalid signature.
    2016-06-28 01:33:54,941 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
    2016-06-28 01:33:54,941 [root] DEBUG: Started auxiliary module DigiSig
    2016-06-28 01:33:54,941 [root] DEBUG: Started auxiliary module Disguise
    2016-06-28 01:33:54,941 [root] DEBUG: Started auxiliary module Human
    2016-06-28 01:33:54,957 [root] DEBUG: Started auxiliary module Screenshots
    2016-06-28 01:33:54,957 [root] DEBUG: Started auxiliary module Usage
    2016-06-28 01:33:55,207 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" with arguments ""C:\Users\User\AppData\Local\Temp\9ac7b014849edaa83600542b4bb95813.doc" /q" with pid 3372
    2016-06-28 01:33:55,223 [lib.api.process] DEBUG: Using QueueUserAPC injection.
    2016-06-28 01:33:55,239 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3372
    2016-06-28 01:34:16,963 [lib.api.process] INFO: Successfully resumed process with pid 3372
    2016-06-28 01:34:16,963 [root] INFO: Added new process to list with pid: 3372
    2016-06-28 01:34:24,686 [root] INFO: Cuckoomon successfully loaded in process with pid 3372.
    2016-06-28 01:34:24,747 [root] INFO: Disabling sleep skipping.
    2016-06-28 01:34:24,920 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Roaming\Microsoft\Templates\Normal.dotm
    2016-06-28 01:34:25,232 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{435289BC-7BF5-436B-8C3C-FD4817AF1889}.tmp
    2016-06-28 01:34:25,309 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Local\Temp\9ac7b014849edaa83600542b4bb95813.doc
    2016-06-28 01:34:25,388 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Local\Temp\~$c7b014849edaa83600542b4bb95813.doc
    2016-06-28 01:34:25,964 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{12669350-1D47-447D-8969-52809CE82B3A}.tmp
    2016-06-28 01:34:26,121 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Local\Temp\VBE\MSForms.exd
    2016-06-28 01:34:33,032 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Local\Temp\~DF09303157E7652869.TMP
    2016-06-28 01:34:33,157 [root] INFO: Stopping WMI Service
    2016-06-28 01:34:33,421 [root] INFO: Stopped WMI Service
    2016-06-28 01:34:33,453 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
    2016-06-28 01:34:33,469 [root] INFO: Disabling sleep skipping.
    2016-06-28 01:34:33,469 [root] INFO: Added new process to list with pid: 608
    2016-06-28 01:34:33,469 [root] INFO: Cuckoomon successfully loaded in process with pid 608.
    2016-06-28 01:34:35,480 [root] INFO: Starting WMI Service
    2016-06-28 01:34:35,496 [root] INFO: Started WMI Service
    2016-06-28 01:34:46,183 [modules.auxiliary.human] INFO: Closing Office window.
    2016-06-28 01:34:46,183 [modules.auxiliary.human] INFO: Closing Office window.
    2016-06-28 01:35:01,033 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
    2016-06-28 01:35:01,033 [root] INFO: Announced starting service "upnphost"
    2016-06-28 01:35:01,049 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
    2016-06-28 01:35:01,065 [root] INFO: Disabling sleep skipping.
    2016-06-28 01:35:01,065 [root] INFO: Added new process to list with pid: 864
    2016-06-28 01:35:01,065 [root] INFO: Cuckoomon successfully loaded in process with pid 864.
    2016-06-28 01:35:01,081 [root] INFO: Disabling sleep skipping.
    2016-06-28 01:35:01,081 [root] INFO: Added new process to list with pid: 480
    2016-06-28 01:35:01,081 [root] INFO: Cuckoomon successfully loaded in process with pid 480.
    2016-06-28 01:35:02,500 [root] INFO: Announced starting service "upnphost"
    2016-06-28 01:35:02,905 [modules.auxiliary.human] INFO: Found button "Check for a solution and close the program", clicking it
    2016-06-28 01:35:03,092 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Local\Temp\~DF707AF09032B84991.TMP
    2016-06-28 01:35:03,545 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Roaming\Microsoft\Office\VB12.pip
    2016-06-28 01:35:03,747 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Roaming\Microsoft\Office\Word12.pip
    2016-06-28 01:35:04,917 [root] INFO: Notified of termination of process with pid 3372.
    2016-06-28 01:35:05,463 [root] INFO: Added new file to list with path: C:\Windows\WindowsUpdate.log
    2016-06-28 01:35:05,635 [root] INFO: Process with pid 3372 has terminated
    2016-06-28 01:35:06,009 [root] INFO: Announced 32-bit process name: sppsvc.exe pid: 3712
    2016-06-28 01:35:06,009 [lib.api.process] DEBUG: Using QueueUserAPC injection.
    2016-06-28 01:35:06,040 [root] INFO: Disabling sleep skipping.
    2016-06-28 01:35:06,056 [root] INFO: Added new process to list with pid: 3712
    2016-06-28 01:35:06,056 [root] INFO: Cuckoomon successfully loaded in process with pid 3712.
    2016-06-28 01:35:06,352 [root] INFO: Announced 32-bit process name: explorer.exe pid: 1528
    2016-06-28 01:35:06,352 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
    2016-06-28 01:35:06,368 [root] INFO: Announced 32-bit process name: explorer.exe pid: 1528
    2016-06-28 01:35:06,368 [root] INFO: Disabling sleep skipping.
    2016-06-28 01:35:06,368 [lib.api.process] DEBUG: Using QueueUserAPC injection.
    2016-06-28 01:35:06,384 [root] INFO: Added new process to list with pid: 1528
    2016-06-28 01:35:06,384 [root] INFO: Cuckoomon successfully loaded in process with pid 1528.
    2016-06-28 01:35:06,602 [root] INFO: Added new file to list with path: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
    2016-06-28 01:35:06,697 [root] INFO: Added new file to list with path: C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
    2016-06-28 01:35:06,789 [root] INFO: Added new file to list with path: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
    2016-06-28 01:35:07,055 [root] INFO: Announced 32-bit process name: svchost.exe pid: 748
    2016-06-28 01:35:07,055 [lib.api.process] DEBUG: Using QueueUserAPC injection.
    2016-06-28 01:35:07,086 [root] INFO: Disabling sleep skipping.
    2016-06-28 01:35:07,101 [root] INFO: Added new process to list with pid: 748
    2016-06-28 01:35:07,101 [root] INFO: Cuckoomon successfully loaded in process with pid 748.
    2016-06-28 01:35:29,971 [root] INFO: Analysis timeout hit, terminating analysis.
    2016-06-28 01:35:29,971 [root] INFO: Created shutdown mutex.
    2016-06-28 01:35:30,986 [root] INFO: Shutting down package.
    2016-06-28 01:35:30,986 [root] INFO: Stopping auxiliary modules.
    2016-06-28 01:35:34,153 [root] INFO: Finishing auxiliary modules.
    2016-06-28 01:35:34,153 [root] INFO: Shutting down pipe server and dumping dropped files.
    2016-06-28 01:35:34,323 [root] WARNING: Unable to access file at path "C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb": [Errno 13] Permission denied: u'C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\tmp.edb'
    2016-06-28 01:35:35,134 [root] INFO: Analysis completed.
    


    But as it says, the binary file is not in the dropped files.

    I dumped the memory and scanned the executable files; the malware is loaded.


  • weixin_39860732 4 months ago

    Another sample that does the same thing:

    MD5: 5ed0c2fb72692f9cea963016a6207279

  • weixin_39760434 4 months ago

    Interesting :-) If you have any ideas (other than instrumenting the return value of the WQL query or removing related registry keys), please do let us know.
