For a long time, one of the most common sources of ransomware and other malware has been spear phishing emails. Such emails are targeted at a specific person or organization, and attackers use them to steal data or install malicious software.
If you are doing digital forensics, you must know that such attacks are quite common even in 2017. During your forensic examinations you can easily come across an email like the one in figure 1.
Figure 1. A spear phishing email received by the victim
As you can see from the email’s body shown in figure 1, it contains an attachment – q23t.docx. What should you do next? Uploading the document to VirusTotal isn’t a bad idea, right? But the results are disappointing – look at figure 2.
Figure 2. VirusTotal scan results for q23t.docx
According to VirusTotal, the file does not seem to be malicious. Strange, isn’t it? The reason is encryption! If you look at the email’s body again, you will see that the attacker provided the password for the document.
If you use the password, you get three more DOCX files. But are these files really DOCX files? No, they are just icons. If the victim clicks on one of them, a malicious VBScript starts.
What is more, if you look at figure 3, you can see that all three scripts are identical.
Figure 3. The scripts opened in Notepad app
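The two checks made by eye above (is the attachment really a plain DOCX, and are the three scripts really identical) can be done on file content instead of icons and Notepad. The following Python sketch is an added example, not part of the original analysis; the sample bytes are constructed stand-ins, the names extracted_2.vbs and extracted_3.vbs are hypothetical, and the script keyword list is only a heuristic.

```python
import hashlib
from collections import defaultdict

ZIP_MAGIC = b"PK\x03\x04"                      # unencrypted OOXML (.docx) is a ZIP archive
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file: legacy .doc or encrypted OOXML
SCRIPT_HINTS = (b"createobject", b"wscript.", b"on error resume next")  # heuristic only

def detect_type(data: bytes) -> str:
    """Classify by content, never by file name or displayed icon."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if any(hint in data.lower() for hint in SCRIPT_HINTS):
        return "script"
    return "unknown"

def triage(files: dict) -> dict:
    """Return per-file findings plus groups of byte-identical files."""
    report, by_hash = {}, defaultdict(list)
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        kind = detect_type(data)
        ext = name.rsplit(".", 1)[-1].lower()
        notes = []
        if ext == "docx" and kind == "ole":
            notes.append("OLE container under .docx: likely password-encrypted, scanners cannot see inside")
        elif ext == "docx" and kind != "zip":
            notes.append("not a real DOCX")
        if kind == "script":
            notes.append("executable script content")
        report[name] = {"sha256": digest, "type": kind, "notes": notes}
        by_hash[digest].append(name)
    duplicates = [sorted(names) for names in by_hash.values() if len(names) > 1]
    return {"files": report, "duplicates": duplicates}

# Constructed sample data standing in for the case files (not the real samples).
VBS = b'Set sh = CreateObject("WScript.Shell")\r\nWScript.Echo "constructed sample"\r\n'
SAMPLES = {
    "q23t.docx": OLE_MAGIC + b"\x00" * 504,   # constructed: header bytes only
    "Payment.vbs": VBS,
    "extracted_2.vbs": VBS,                   # hypothetical name
    "extracted_3.vbs": VBS,                   # hypothetical name
}

if __name__ == "__main__":
    result = triage(SAMPLES)
    for name, info in result["files"].items():
        print(name, info["type"], info["sha256"][:16], info["notes"])
    print("identical:", result["duplicates"])
```

Matching SHA-256 values justify submitting only one of the scripts for scanning, and they give you a hash to search for across other evidence.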
Let’s use VirusTotal again. As all scripts are identical, we can use any of them. This time we have better results, as you can see in figure 4.
Figure 4. VirusTotal scan results for Payment.vbs
An interesting fact: the script isn’t detected as malicious by the two most popular Russian antivirus vendors – Dr.Web and Kaspersky. Just remember this fact for now.
In our opinion, malware analysis is not a digital forensics job, but we also think that examiners should be capable of performing at least basic static and dynamic analysis.
Of course, there are some automated dynamic malware analysis tools; some even work online, like VirusTotal. But this time we decided to do it manually, and created our own simple sandbox. And it’s easier than you may think.
We created a Windows 7 virtual machine in VirtualBox, and installed Wireshark and System Explorer. That’s it!
Don’t forget to create a snapshot: you are dealing with a real piece of malware!
OK, let’s start Wireshark and System Explorer, and look at the script’s behavior.
The first thing it does is ping 22.214.171.124 to test the Internet connection. Look at figure 5.
Figure 5. The script pings 126.96.36.199
Then it tries to connect to 188.8.131.52. Unfortunately, it’s unavailable, as you can see in figure 6.
Figure 6. The script tries to connect to 184.108.40.206
But it has another resource to connect to – 220.127.116.11. This one is available, and the script tries to download tmp.pkg from it. But at the time of the analysis the file isn’t available; look at figure 7.
Figure 7. The script tries to download tmp.pkg
OK, let’s look up both IP addresses using some WHOIS services. Look at figures 8 and 9.
Figure 8. WHOIS for 18.104.22.168
Figure 9. WHOIS for 22.214.171.124
Both addresses belong to small providers, and one of them (126.96.36.199) is located in Russia. Do you still remember the fact that top Russian antiviruses didn’t detect our malicious script? Now it makes sense. Or not?