Gozi/Ursnif (8.22.2019) – Document and Dropped File analysis

It’s Gozi time! And Ursnif time! One of the two. Or both? Either way, here’s the .doc in any.run. It originally came in an attached .zip file with a password of ‘777’. (As an aside, if 666 is the number of the beast, then 777 must be the neighbor of the beast).

For the impatient ones out there, here’s the dropped file.


PART 1: MICROSOFT DOCUMENT

Using OfficeMalScanner, five macro files are dumped. They are…

[Screenshot gozi01.PNG: the five macro modules dumped by OfficeMalScanner]

I don’t write in Visual Basic, VBScript, VBA, whatever. I can read it, but I can’t write it. This is just my way of saying that I may not use the right words to explain things (mea culpa!). Either way, ThisDocument shows us where the macro starts, with Sub Document_Open(). Not much happens here except that when the script reaches main, we jump to awBR7S1cN.

[Screenshot gozi02: Macro ThisDocument]

Macro awBR7S1cN steps through quite a bit of nonsense before it gets to line 46. This line calls a function named aQGWKsE and feeds it a very long string. Long strings are always interesting and deserve our attention.

[Screenshot gozi03: Macro awBR7S1cN]

We can find function aQGWKsE in macro a9iAyP. It is the deobfuscation routine for that long string.

[Screenshot gozi04: Macro a9iAyP]

Pretty sure it works thusly:

70: Get the length of the string and loop over it, incrementing the counter by 2 on each pass.
71: Mid$ -> grab two characters of the string; Val("&H" ...) -> interpret those two characters as a hexadecimal number; Chr$ -> convert that number to its ASCII character.
72: Append that character to the end of aN13XBjP.
Go back to the top of the loop, grab the next two characters, convert from hex, convert to ASCII...

Therefore the long string above becomes…

c:\Windows\System32\wbem\wmic process list /format:"a18DT.xsl"
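To make the decoder concrete, here is a Python re-implementation of the aQGWKsE loop described above. This is an added example written for this write-up, not code from the macro; the hex sample below was constructed by encoding the command line recovered above, it is not the macro's own long string.

```python
"""Re-implementation of the macro's hex-pair decoder (aQGWKsE) in Python.

Added example for this write-up; not code from the document's macro.
The VBA loop (lines 70-72 of macro a9iAyP) does, in effect:

    For i = 1 To Len(s) Step 2
        aN13XBjP = aN13XBjP & Chr$(Val("&H" & Mid$(s, i, 2)))
    Next
"""


def decode_hex_pairs(encoded: str) -> str:
    """Decode a string of two-digit hex values into text, one character per pair.

    Mirrors the VBA loop: walk the string two characters at a time (Mid$ with
    a step of 2), parse each pair as hexadecimal (Val("&H..")), and append the
    resulting character (Chr$) to the output buffer (aN13XBjP in the macro).
    """
    out = []
    for i in range(0, len(encoded), 2):
        pair = encoded[i:i + 2]  # Mid$(s, i, 2); a trailing odd digit is kept as-is
        try:
            out.append(chr(int(pair, 16)))
        except ValueError as exc:
            # VBA's Val() would silently yield 0 here; fail loudly instead.
            raise ValueError(f"non-hex pair {pair!r} at offset {i}") from exc
    return "".join(out)


def encode_hex_pairs(text: str) -> str:
    """Inverse transform; handy for round-trip checks when validating a decoder."""
    return "".join(f"{ord(ch):02X}" for ch in text)


# Constructed sample: hex encoding of the command line recovered in the write-up
# (built for this example, not copied from the macro's string).
SAMPLE_ENCODED = (
    "633A5C57696E646F77735C53797374656D33325C7762656D5C776D6963"
    "2070726F63657373206C697374202F666F726D61743A2261313844542E78736C22"
)
EXPECTED_COMMAND = 'c:\\Windows\\System32\\wbem\\wmic process list /format:"a18DT.xsl"'

if __name__ == "__main__":
    print(decode_hex_pairs(SAMPLE_ENCODED))
```

Run it and the decoded command line matches the one shown above; swapping in the real string from the macro (line 46 of awBR7S1cN) is the same call.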

So this is going to run ‘wmic process list’ to dump all running processes, but format the output with a stylesheet called “a18DT.xsl”? That’s not normal. But onward with the script.
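Because a legitimate ‘wmic ... /format:’ argument names one of wmic’s built-in output formats rather than a file, this odd command line is easy to pick out of process-creation telemetry. The detection below is an added example for this write-up, not part of the original analysis; the set of built-in format names is my assumption from wmic’s own help (check ‘wmic /format /?’ on your build), and the log records are constructed, not real telemetry.

```python
"""Flag wmic invocations whose /format: argument names a stylesheet file
instead of one of wmic's built-in output formats.

Added example for this write-up, not part of the original analysis.
Assumption: BUILTIN_FORMATS lists the formats wmic ships with; anything else
passed to /format: is a path or URL to an .xsl that wmic loads and executes.
"""
import re
from typing import Optional

BUILTIN_FORMATS = {
    "csv", "hform", "htable", "list", "mof", "rawxml",
    "table", "texttablewsys", "textvaluelist", "xml",
}

# /format:VALUE with or without quotes around VALUE, case-insensitive.
FORMAT_ARG = re.compile(r'/format:\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# "wmic" or "wmic.exe" as a program token, whether bare or preceded by a path.
WMIC_RE = re.compile(r'(?:^|[\\/\s"])wmic(?:\.exe)?\b', re.IGNORECASE)


def suspicious_format_arg(cmdline: str) -> Optional[str]:
    """Return the /format: value if it is not a built-in format, else None."""
    if not WMIC_RE.search(cmdline):
        return None
    m = FORMAT_ARG.search(cmdline)
    if not m:
        return None
    value = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
    # "/format:list" is normal; "/format:a18DT.xsl" is a custom stylesheet.
    if value.lower() in BUILTIN_FORMATS:
        return None
    return value


def scan_process_log(lines):
    """Return (record, format_value) for each record that passes a custom stylesheet."""
    hits = []
    for line in lines:
        value = suspicious_format_arg(line)
        if value is not None:
            hits.append((line, value))
    return hits


# Constructed sample records, "ParentImage | CommandLine" shape (not real telemetry).
SAMPLE_LOG = [
    r'WINWORD.EXE | c:\Windows\System32\wbem\wmic process list /format:"a18DT.xsl"',
    r'cmd.exe | wmic os get caption /FORMAT:LIST',
    r'powershell.exe | wmic.exe process list /format:csv',
    r'explorer.exe | notepad.exe C:\Users\user\notes.txt',
]

if __name__ == "__main__":
    for line, value in scan_process_log(SAMPLE_LOG):
        print(f"ALERT custom stylesheet passed to wmic: {value!r} <- {line}")
```

Only the first record fires. A parent of WINWORD.EXE, as in this sample, is the extra context that turns the alert from interesting into urgent.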

We now jump back to macro awBR7S1cN. Line 52 calls a new function named aGd1Xu, which is fed “a18DT.xsl” and aQGWKsE again. Looks like this is going to deobfuscate some more text.

[Screenshot gozi05: Macro awBR7S1cN]

The information in a3gt4mDrq.azfvPRgFr.Text can be found by opening Microsoft Visual Basic for Applications and looking at the project’s forms. Double-click the form and you see all of the text that gets called up here.

[Screenshot gozi06.PNG: the form a3gt4mDrq with the encoded text in azfvPRgFr]

This is a much longer string than before. It gets run through function aQGWKsE and decodes to this:

<?xml version='1.0'?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="http://google.com/names"
...

Looks like an XML document, an XSL stylesheet to be exact. Later in macro a9iAyP, we see a file named a18DT.xsl get created and filled with the XML shown above.

[Screenshot gozi07.PNG: Macro a9iAyP writing a18DT.xsl]

Line 98 creates a new WshShell, which is later used to run the wmic command against the .xsl document that was dropped.


PART 2: a18DT.xsl

I’m not going to go into too much detail about this file, except that it contains JavaScript (another language I don’t write in, but can sort of read) and has some interesting strings.

[Screenshot xsl01.PNG: the obfuscated JavaScript inside a18DT.xsl]

CyberChef to the rescue! Here’s the output below:

Line 20: http://wlibby71e.com/qtra/ttqr.php?l=spxo7.j12
Line 21: wscript.shell
Line 22: scripting.filesystemobject
Line 23: msxml2.xmlhttp
Line 24: savetofile
Line 25: run
Line 26: deletefile
Line 27: avEjrNV.exe

I’m not going to go into any more depth on that script, but it looks like it’s going to download (line 20) a file (line 27) and then probably run it or something. You know, like malicious things typically do.

Thanks for reading!
