Ave Maria RAT – .xls, ADS, and EQNEDT32!

Life is like a malicious document. You never know what you’re going to get. Or not. Either way, this document was really quite interesting with its twists and turns. We will be working from the sample analyzed here: https://app.any.run/tasks/ce33bea3-9f2d-4507-ae43-2a96bb814bc5

A picture is often worth a thousand words. I mapped out the document, files, and processes into a single picture below. We’ll have to see if this picture simplifies the explanation or is the cause of a great number of words.

avemaria.jpg

Document

Using oledump.py, we can see that this document contains a macro stream (A3) and three embedded OLE objects (B2, C2, and D3). All of them need to be investigated.

picture_01.png

vbaProject.bin

The only macro worth looking at is Module1. The first few lines contain what look like base64 encoded strings. We can also see that a large number of string fragments are being concatenated into the variable s.

avemaria_02.png

Variable x contains a path to C:\programdata\asc.txt.

avemaria_03.png

At line 185, we can see that the text file asc.txt is going to get created, along with an alternate data stream on it called script1.vbs. Line 195 writes the contents of s into that stream, asc.txt:script1.vbs.

avemaria_04.png

And finally, line 200 contains the part that uses cscript to run asc.txt:script1.vbs.

avemaria_05.png

asc.txt:script1.vbs

The two most important lines in this script are the base64 encoded strings at lines 2 and 3. They decode to the URL to fetch from and the name to save the downloaded executable under.

avemaria_06.png

fsdfdsfs = http[:]//5[.]199[.]143[.]127/bin.exe
yulkytjtrhtjrkdsarjky = bin.exe

Line 130 contains the command to download the executable and line 133 executes it.

avemaria_07.png
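The two droppers on this page (asc.txt:script1.vbs and, later, xx.vbs) hide their URL and filename in base64 string literals assigned to junk-named variables. The following is an added Python triage helper, not the author's tooling and not code from the sample: it pulls quoted base64-looking assignments out of a script, decodes only the ones that validate and yield printable text, and defangs the result for a report. The SAMPLE_SCRIPT is a constructed stand-in that reuses the two variable names and values quoted above; it is not the literal script from the any.run report.

```python
import base64
import re
import string
from typing import Dict

# Constructed stand-in for the top of the dropper script. The variable names and
# decoded values match what the page reports; the surrounding lines are invented.
SAMPLE_SCRIPT = r'''
Dim fsdfdsfs, yulkytjtrhtjrkdsarjky
fsdfdsfs = "aHR0cDovLzUuMTk5LjE0My4xMjcvYmluLmV4ZQ=="
yulkytjtrhtjrkdsarjky = "YmluLmV4ZQ=="
Set objShell = CreateObject("WScript.Shell")
'''

# name = "<base64 literal>" on a line of its own (VBS and JS both fit this shape).
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([A-Za-z0-9+/]{8,}={0,2})"\s*$', re.MULTILINE)


def _is_printable_ascii(data: bytes) -> bool:
    """True if the decoded bytes are plain printable ASCII (a URL, a filename, ...)."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(ch in string.printable for ch in text)


def decode_b64_assignments(script: str) -> Dict[str, str]:
    """Map variable name -> decoded string for every assignment that strictly
    decodes as base64 and yields printable ASCII. Random-looking literals that
    happen to match the alphabet but decode to binary junk are dropped."""
    found: Dict[str, str] = {}
    for name, literal in ASSIGN.findall(script):
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if _is_printable_ascii(raw):
            found[name] = raw.decode("ascii")
    return found


def defang(value: str) -> str:
    """Render an IOC so it is not clickable: '://' -> '[:]//' and the dots of a
    dotted-quad host -> '[.]'. Dots elsewhere (e.g. in 'bin.exe') are kept."""
    value = value.replace("://", "[:]//")
    return re.sub(r"(?<=\d)\.(?=\d)", "[.]", value)


if __name__ == "__main__":
    for name, decoded in decode_b64_assignments(SAMPLE_SCRIPT).items():
        print(f"{name} = {defang(decoded)}")
```

Running it against a real dropper is a matter of reading the script text (or the ADS, once it is carved out) into decode_b64_assignments. The strict decode plus the printable check is what keeps the output short: on an obfuscated script most quoted junk strings fail one of the two filters.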

You’ll see from the any.run output that, although this macro does run, it never makes a successful connection to 5.199.143.127. That does not stop the infection, though: the oleObject binaries get there by a different path.

oleObject1.bin

This binary contains a file called xx which gets dropped in the temp location (C:\Users\[user]\AppData\Local\Temp\xx). More on this later.

oleObject2.bin

This binary contains a file called yy which also gets dropped in the temp location (C:\Users\[user]\AppData\Local\Temp\yy). Again, more on this later.

oleObject3.bin

This is where the secondary process really kicks off. Here’s what this binary contains:

avemaria_08.png

The Equation Editor (EQNEDT32.exe) is handed that string and executes it as a command line. It renames yy to y.js and then runs it with cscript:

cmd /c ren %tmp%\yy y.js&CSCRipt %tmp%\y.js
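Every hop in this chain leaves a process-creation event that is easy to flag: a script host reading a file:stream path (the ADS from the macro), EQNEDT32.EXE spawning cmd.exe, a rename chained with cscript in one command line, and a script host running out of the Temp directory. The following is an added Python detection sketch, not the author's tooling and not anything from the any.run report. The events are constructed to mirror the chain described on this page (parent, image, command line), the Office and Equation Editor child lists are my assumptions, and the rule names are made up for illustration.

```python
import re
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}  # assumption: typical Office parents
# Assumption: the Equation Editor has no legitimate reason to spawn any of these.
EQNEDT_BAD_CHILDREN = SCRIPT_HOSTS | {"cmd.exe", "powershell.exe", "mshta.exe"}

# A drive-letter path with a second colon is the file:stream syntax of an ADS,
# e.g. C:\programdata\asc.txt:script1.vbs
ADS_PATH = re.compile(r"[A-Za-z]:\\[^\s:]+:[^\s\\]+")
# "ren ... & cscript ..." chained in a single command line, as in oleObject3.bin
REN_THEN_SCRIPT = re.compile(r"\bren\b.*&\s*(?:cscript|wscript)\b", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed process-creation events modelled on the chain above. These are
# not lines from the any.run report; the benign last entry is a control.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "EXCEL.EXE", "image": "cscript.exe",
     "cmdline": r"cscript C:\programdata\asc.txt:script1.vbs"},
    {"parent": "EQNEDT32.EXE", "image": "cmd.exe",
     "cmdline": r"cmd /c ren %tmp%\yy y.js&CSCRipt %tmp%\y.js"},
    {"parent": "cmd.exe", "image": "cscript.exe",
     "cmdline": r"CSCRipt C:\Users\user\AppData\Local\Temp\y.js"},
    {"parent": "explorer.exe", "image": "cscript.exe",
     "cmdline": r"cscript C:\Scripts\backup.vbs"},
]


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules one event trips, in rule order."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmdline = event["cmdline"]
    hits: List[str] = []
    if image in SCRIPT_HOSTS and ADS_PATH.search(cmdline):
        hits.append("script_host_ads")
    if image in SCRIPT_HOSTS and TEMP_DIR.search(cmdline):
        hits.append("script_host_from_temp")
    if parent == "eqnedt32.exe" and image in EQNEDT_BAD_CHILDREN:
        hits.append("eqnedt32_spawns_shell")
    if REN_THEN_SCRIPT.search(cmdline):
        hits.append("rename_then_script")
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and rule hits for every event that tripped at least one rule."""
    results = []
    for index, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results.append((index, hits))
    return results


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["cmdline"], "->", ", ".join(hits))
```

The ADS rule is the one worth keeping even if the rest is noisy: a command line that names a stream on a file is rare outside of malware and a handful of sysadmin utilities, and it catches the macro stage here before any network activity (which, as noted above, never even succeeded for that stage).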

y.js

Upon execution, this file renames xx to xx.vbs (line 11, via the function ChangeFileName). It then runs xx.vbs at line 12 and deletes y.js at line 15 to clean up after itself.

avemaria_09.png

xx.vbs

Structurally, xx.vbs is very similar to asc.txt:script1.vbs. The top contains the same base64 encoded strings, which are passed through decoding functions, and the end of the script downloads the binary and executes it.

avemaria_10.png

fsdfdsfs = http[:]//5[.]199[.]143[.]127/bin.exe
yulkytjtrhtjrkdsarjky = bin.exe

avemaria_11.png

In this case, xx.vbs actually did download bin.exe. Upon execution, the payload copied itself to C:\Users\[user]\AppData\Roaming\images.exe and added that path to HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.

And when it executes, it reaches back out to 5.199.143.127.

Thanks for reading!