MuddyWater (11-23-2019) – Part 2: Macro analysis and dropped file

Continuing from part one, we can now use Microsoft Visual Basic for Applications to step through the macro and see how it works.

First things first, the macro starts here with Workbook_Open().


It calls a function called irnqdecjko. In this function, we see multiple calls to another function called irnqdxjwko which is fed a number.


Function irnqdxjwko takes the parameter fed and uses it to query a form named F. It will take that text from form F and split it on the periods and toss it into an array called h.



In this case, the fifty-second item in array is chosen and saved to variable g. Here is the fifty-second item in that array:


That value is then tossed into another function called irnqdkjdkoIrnqddjdko will then decode that string. It takes four characters of the array at a time, does an xor a few times amongst some other manipulations and outputs it to variable g. This loops again and again until it is done.


Those two functions are called over and over again throughout the entire macro. Below is the main function that does most of the heavy lifting for this macro.


The first part sets up the WScript.Shell object and some other variables. I’ve added the decoded values.


We can see that the CallByName is used throughout this macro. It gets fed parameters such as RegWrite and to what those registries should be set.


The next section edits the \CurrentVersion\Run\ registry to have wucj.exe execute a file called zdrqgswu that gets dropped in the TEMP folder. According to this article, wucj.exe is just a copy of wscript.exe.


Ultimately, this macro makes use of wscript.exe to run the dropped file named zdrqgswu. What does this file do? (by the way, you can download it —-> HERE <—-)


I’m not going to go into too much detail here, but a quick overview…

  • Variable blhcqkvwge gets decoded in line 14 and stored in variable hdupqjaiot.
  • The strings in lines 23 and 24 get decoded using function jhohvgaemi. They decode to “ScriptControl” and “JScript” respectively.
  • This means that line 29 is really “JScript.Eval(hdupqjaiot)”.

And what exactly is in hdupqjaoit? Here’s a partial output:


And we can finally see the URL to which it reaches out.

Thanks for reading!


One thought on “MuddyWater (11-23-2019) – Part 2: Macro analysis and dropped file

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s