Didier Stevens

Thursday 7 January 2016

BlackEnergy .XLS Dropper

Filed under: maldoc,Malware — Didier Stevens @ 0:00

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“.

I analyzed the spreadsheet (97b7577d13cf5e3bf39cbe6d3f0a7732) used in the recent BlackEnergy attacks against Ukrainian news media and electric industry.

numbers-to-hex_V0_0_1.zip (https)
MD5: 9050768633DDADF34900DAB0061F3B24
SHA256: 00B099F3939251F2027F2705AD08AE352C0FC447C86EB3271721FB2935CF71B6

hex-to-bin_V0_0_1.zip (https)
MD5: 18FC870888B333D8B081CE3E31428A1B
SHA256: 17B4257C6951C792FFE64EDDDFF20674AD07DE2699EF066BDF7A548DA09E6592

2 Comments »

  1. I tend to take a simpler approach to the initial investigation, consider it Triage or initial “Do I care”. Using OfficeMalScanner you get:

    ———————————
    [Scanning for VB-code in DB.XLS]
    ———————————
    Sheet1
    ThisWorkbook
    ———————————————————–
    VB-MACRO CODE WAS FOUND INSIDE THIS FILE!
    The decompressed Macro code was stored here:

    ——> D:\tools\OfficeMalScanner\DB.XLS-Macros
    ———————————————————–

    Using 7-Zip to view the archive you get:

    D:\tools\OfficeMalScanner\db.xls\_VBA_PROJECT_CUR\VBA\

    So both of these tell me that the Excel file has embedded Macros and at this point unless I needed to really know what was in the payload, stop here, delete it and move on. Good enough for most to know it’s “fishy”.

    But great work on providing us tools to go the next step Didier!

    MG
    @HackerHurricane

    Comment by Michael Gough — Friday 22 January 2016 @ 16:30

  2. You don’t bother to look for post-compromise IOCs in order to find out whether the payload has been successfully executed in your enterprise? That’s how the majority of my time is spent, honestly…

    Comment by ThatGuy031415 — Tuesday 16 February 2016 @ 14:40


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 447 other followers

%d bloggers like this: