I received some malspam on 03/13/18 entitled “About a internship.” The email came with an attachment called “Janeen Resume.doc”:
The email is pretending to come from somebody interested in a job opening and they have attached their “résumé.” In reality, this document is being used as a downloader for Sigma ransomware.
Opening the document confirms that it is password protected:
Inputting the password presents the victim with some instructions:
I typically scan malicious Office documents for embedded macros using tools like olevba.py and oledump.py. However, if you were to do this before removing the password then you wouldn’t get any detections:
To get around this, I simply removed the password and saved the document.
To do that, click on “Protect Document”, remove the password, click “OK”, and then save the document:
Scanning the document again shows it is a “Microsoft Word 2007+” document file using the Office Open XML (OOXML) file format. Because it’s an XML-based file, we can unzip it and look at the contents:
Unzipping the file allows you to see the contents, including the images (image1.png and image2.png) used within the document. Also, embedded macros in XML-based Office documents are typically stored in a binary file named vbaProject.bin, which we can see in the “word” directory.
Using strings we can quickly examine vbaProject.bin for any interesting ASCII strings:
As you can see from the image above, strings found the command and URL used to download the malware payload.
An even better option for this scenario would be to use olevba.py:
olevba.py is a handy tool because it gives analysts a table summarizing risky keywords that were found within the file. Another good option would be to use oledump.py.
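The static triage described above (a password-protected OOXML file gives scanners nothing to parse; once the password is removed, unzip it and run strings over vbaProject.bin), as an added Python example that is not the author's code. The encrypted-file check is a raw-byte heuristic, the keyword list is an assumption, and both sample documents are constructed in memory:

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")        # OLE compound file header
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream holding the encrypted ZIP
SUSPICIOUS = re.compile(rb"(?i)https?://|bitsadmin|powershell|cmd(\.exe)?\s*/c|%appdata%")


def ascii_strings(data, min_len=6):
    """Like `strings`: runs of at least min_len printable ASCII bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def triage(doc):
    """Classify a Word file given as bytes; return (status, suspicious_strings)."""
    if doc.startswith(OLE_MAGIC):
        # Heuristic: a password-protected OOXML file is an OLE wrapper around an
        # encrypted ZIP, so macro scanners have nothing to parse until it is decrypted.
        if ENC_STREAM in doc:
            return "encrypted-ooxml", []
        return "legacy-ole", []  # hand off to olevba.py / oledump.py
    if not zipfile.is_zipfile(io.BytesIO(doc)):
        return "unknown", []
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        parts = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
        for name in parts:
            hits += [s.decode("ascii") for s in ascii_strings(zf.read(name))
                     if SUSPICIOUS.search(s)]
    return ("ooxml-with-macros" if parts else "ooxml-no-macros"), hits


def build_samples():
    """Constructed test inputs (not the real sample): one macro doc, one encrypted doc."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin",
                    b"\x01\x00Attribute VB_Name\x00\x02"
                    b"bitsadmin http://example.invalid/email.bin\x00")
    encrypted = OLE_MAGIC + b"\x00" * 504 + ENC_STREAM
    return buf.getvalue(), encrypted


if __name__ == "__main__":
    for sample in build_samples():
        print(triage(sample))
```

An "encrypted-ooxml" result means the clean macro scan is not evidence of a clean file; the document has to be decrypted before olevba.py or strings can see the macro.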
Now, getting back to examining the file from the perspective of the victim… After entering the password and clicking “Enable Content” the victim’s host would make a HEAD request, followed by a GET request, for the malware payload:
You can see that the User-Agent is “Microsoft BITS/7.8”, confirming the bitsadmin tool was used to download the file. The malware payload is downloaded from the remote server and saved to %AppData% as “taskwgr.exe”.
Payload in %AppData%:
Process tree during the infection:
Additional information about some of the processes:
- cmd.exe (PID: 4832) creates process conhost.exe (PID: 2420)
- cmd.exe (PID: 4832) creates process bitsadmin.exe (PID: 3432)
- svchost.exe (PID: 888) renames file C:\Users\[removed]\AppData\Roaming\BIT1F3F.tmp to C:\Users\[removed]\AppData\Roaming\taskwgr.exe
- bitsadmin.exe (PID: 3432) kills its own process
- cmd.exe (PID: 4832) creates process taskwgr.exe (PID: 4600)
- taskwgr.exe (PID: 4600) creates child process taskwgr.exe (PID: 5656)
- cmd.exe (PID: 4832) kills its own process
- taskwgr.exe (PID: 5656) creates file C:\Users\[removed]\AppData\Roaming\Microsoft\[GUID]\taskwgr.exe
- taskwgr.exe (PID: 5656) sets autostart registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome
- taskwgr.exe (PID: 5656) creates file C:\Users\[removed]\AppData\Roaming\Microsoft\[GUID]\System.zip
A copy of the malware in %AppData%\Microsoft\[GUID]:
The sample never encrypted files in my virtual lab but did encrypt files on a physical host (not mine). However, I didn’t have the time to do any further analysis so I can’t confirm how it’s detecting my virtual sandbox.
When the process is complete the desktop background will be changed to a green text message over a black background (the images below were borrowed from the Internet):
While encrypting the system, Sigma ransomware creates ransom notes named ReadMe.txt in each folder where a file was encrypted.
Below is an image of ReadMe.html:
Sigma ransomware page:
File name: Resume.doc
File name: taskwgr.exe
- 188.8.131.52 – onlinedocuments.ir – HEAD and GET – /email.bin
- 184.108.40.206 – ip-api.com – GET /json – NON MALICIOUS
The password is “infected”