cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

VBA anti-analysis avoids dropping/running windows executable in Cuckoo #970

Open gregcopenhaver opened 8 years ago

gregcopenhaver commented 8 years ago

Earlier this week I came across some VBA droppers that tested if Python was installed on the system using WQL, and if found, did not drop/run the executable.

MD5: 9ac7b014849edaa83600542b4bb95813

Relevant part from Behavior analysis:

API: IWbemServices_ExecQuery
Arguments:
    query: Select * from Win32_product WHERE name like 'Python %'
    query_language: WQL
    flags: 272
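The WQL query above is the whole evasion: the dropper asks WMI whether any installed product is named `Python ...` and stays dormant if one is. An added example (not part of the issue, not Cuckoo's own signature code) that scans behavior-log call records for this pattern and flags Win32_Product name probes against analysis tooling. The call records are constructed to mirror the quoted `IWbemServices_ExecQuery` entry; the list of suspect product terms beyond Python is an assumption for illustration, and the record shape is a plain dict rather than Cuckoo's signature API, so the same matching could be dropped into a signature's `on_call` handler or run over a behavior dump offline.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of behavior-log API call records, shaped after the
# IWbemServices_ExecQuery entry quoted in the issue; not real Cuckoo output.
SAMPLE_CALLS = [
    {"api": "IWbemServices_ExecQuery",
     "arguments": {"query": "Select * from Win32_product WHERE name like 'Python %'",
                   "query_language": "WQL", "flags": 272}},
    {"api": "IWbemServices_ExecQuery",
     "arguments": {"query": "SELECT Name FROM Win32_Process",
                   "query_language": "WQL", "flags": 48}},
    {"api": "NtCreateFile",
     "arguments": {"filepath": "C:\\Users\\User\\AppData\\Local\\Temp\\x.exe"}},
]

# Product-name fragments that, when probed via Win32_Product, suggest an
# environment check rather than normal application behaviour. "python" is the
# term the issue documents; the others are an assumption for illustration.
SUSPECT_PRODUCT_TERMS = ("python", "vmware", "virtualbox", "vbox",
                         "wireshark", "sysinternals")

# Match "FROM Win32_Product ... WHERE <filter>" regardless of case/whitespace.
_WIN32_PRODUCT_RE = re.compile(
    r"from\s+win32_product\b.*?\bwhere\b(?P<where>.*)$",
    re.IGNORECASE | re.DOTALL)
# Match "Name LIKE '<pattern>'" or "Name = '<pattern>'" inside the WHERE clause.
_NAME_FILTER_RE = re.compile(
    r"\bname\s*(?:like|=)\s*'(?P<pat>[^']*)'", re.IGNORECASE)


def product_probe_terms(query: str) -> List[str]:
    """Return the Name patterns a WQL query tests against Win32_Product,
    or [] if the query does not filter Win32_Product on Name."""
    m = _WIN32_PRODUCT_RE.search(query)
    if not m:
        return []
    return [f.group("pat") for f in _NAME_FILTER_RE.finditer(m.group("where"))]


def is_analysis_probe(pattern: str) -> bool:
    """True if a Name LIKE/= pattern targets one of the suspect product terms.
    WQL wildcards ('%' any run, '_' one char) are stripped before comparing."""
    bare = pattern.replace("%", "").replace("_", "").strip().lower()
    return any(term in bare for term in SUSPECT_PRODUCT_TERMS)


def find_wmi_product_probes(calls: Iterable[Dict]) -> List[Dict]:
    """Scan API call records and return one finding per Win32_Product query
    whose Name filter targets a suspect product."""
    findings = []
    for call in calls:
        if call.get("api") != "IWbemServices_ExecQuery":
            continue
        args = call.get("arguments", {})
        # Only WQL is handled; other query languages are not expected here.
        if str(args.get("query_language", "WQL")).upper() != "WQL":
            continue
        query = str(args.get("query", ""))
        for pat in product_probe_terms(query):
            if is_analysis_probe(pat):
                findings.append({"query": query, "pattern": pat})
    return findings


if __name__ == "__main__":
    for finding in find_wmi_product_probes(SAMPLE_CALLS):
        print("suspect Win32_Product probe for %r in %r"
              % (finding["pattern"], finding["query"]))
```

Treat a hit as an indicator, not a verdict: a Win32_Product query for Python returns the same answer on any workstation that happens to have Python installed, so the finding is only meaningful together with the observation that the sample dropped nothing afterwards. Enumerating Win32_Product is also slow and noisy (it can trigger MSI reconfiguration), which is itself a weak tell that the query is not ordinary application logic.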

gregcopenhaver commented 8 years ago

Another sample that does the same thing:

MD5: 5ed0c2fb72692f9cea963016a6207279

jbremer commented 8 years ago

Interesting :-) If you have any ideas (other than instrumenting the return value of the WQL query or removing related registry keys), please do let us know.

seifreed commented 8 years ago

Hey @gregcopenhaver, maybe a good workaround while the error persists is to dump the memory and export the executables from the memory.

It's interesting, look

2016-06-28 01:33:29,000 [root] INFO: Date set to: 06-28-16, time set to: 08:33:29
2016-06-28 01:33:29,015 [root] DEBUG: Starting analyzer from: C:\pbnpygsv
2016-06-28 01:33:29,015 [root] DEBUG: Storing results at: C:\rErflGvxNF
2016-06-28 01:33:29,015 [root] DEBUG: Pipe server name: \\.\PIPE\WxplLxmTJW
2016-06-28 01:33:29,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2016-06-28 01:33:29,015 [root] INFO: Automatically selected analysis package "doc"
2016-06-28 01:33:53,132 [root] DEBUG: Started auxiliary module Browser
2016-06-28 01:33:53,132 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2016-06-28 01:33:54,941 [modules.auxiliary.digisig] DEBUG: File has an invalid signature.
2016-06-28 01:33:54,941 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2016-06-28 01:33:54,941 [root] DEBUG: Started auxiliary module DigiSig
2016-06-28 01:33:54,941 [root] DEBUG: Started auxiliary module Disguise
2016-06-28 01:33:54,941 [root] DEBUG: Started auxiliary module Human
2016-06-28 01:33:54,957 [root] DEBUG: Started auxiliary module Screenshots
2016-06-28 01:33:54,957 [root] DEBUG: Started auxiliary module Usage
2016-06-28 01:33:55,207 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" with arguments ""C:\Users\User\AppData\Local\Temp\9ac7b014849edaa83600542b4bb95813.doc" /q" with pid 3372
2016-06-28 01:33:55,223 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2016-06-28 01:33:55,239 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3372
2016-06-28 01:34:16,963 [lib.api.process] INFO: Successfully resumed process with pid 3372
2016-06-28 01:34:16,963 [root] INFO: Added new process to list with pid: 3372
2016-06-28 01:34:24,686 [root] INFO: Cuckoomon successfully loaded in process with pid 3372.
2016-06-28 01:34:24,747 [root] INFO: Disabling sleep skipping.
2016-06-28 01:34:24,920 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Roaming\Microsoft\Templates\Normal.dotm
2016-06-28 01:34:25,232 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{435289BC-7BF5-436B-8C3C-FD4817AF1889}.tmp
2016-06-28 01:34:25,309 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Local\Temp\9ac7b014849edaa83600542b4bb95813.doc
2016-06-28 01:34:25,388 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Local\Temp\~$c7b014849edaa83600542b4bb95813.doc
2016-06-28 01:34:25,964 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{12669350-1D47-447D-8969-52809CE82B3A}.tmp
2016-06-28 01:34:26,121 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Local\Temp\VBE\MSForms.exd
2016-06-28 01:34:33,032 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Local\Temp\~DF09303157E7652869.TMP
2016-06-28 01:34:33,157 [root] INFO: Stopping WMI Service
2016-06-28 01:34:33,421 [root] INFO: Stopped WMI Service
2016-06-28 01:34:33,453 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2016-06-28 01:34:33,469 [root] INFO: Disabling sleep skipping.
2016-06-28 01:34:33,469 [root] INFO: Added new process to list with pid: 608
2016-06-28 01:34:33,469 [root] INFO: Cuckoomon successfully loaded in process with pid 608.
2016-06-28 01:34:35,480 [root] INFO: Starting WMI Service
2016-06-28 01:34:35,496 [root] INFO: Started WMI Service
2016-06-28 01:34:46,183 [modules.auxiliary.human] INFO: Closing Office window.
2016-06-28 01:34:46,183 [modules.auxiliary.human] INFO: Closing Office window.
2016-06-28 01:35:01,033 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2016-06-28 01:35:01,033 [root] INFO: Announced starting service "upnphost"
2016-06-28 01:35:01,049 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2016-06-28 01:35:01,065 [root] INFO: Disabling sleep skipping.
2016-06-28 01:35:01,065 [root] INFO: Added new process to list with pid: 864
2016-06-28 01:35:01,065 [root] INFO: Cuckoomon successfully loaded in process with pid 864.
2016-06-28 01:35:01,081 [root] INFO: Disabling sleep skipping.
2016-06-28 01:35:01,081 [root] INFO: Added new process to list with pid: 480
2016-06-28 01:35:01,081 [root] INFO: Cuckoomon successfully loaded in process with pid 480.
2016-06-28 01:35:02,500 [root] INFO: Announced starting service "upnphost"
2016-06-28 01:35:02,905 [modules.auxiliary.human] INFO: Found button "Check for a solution and close the program", clicking it
2016-06-28 01:35:03,092 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Local\Temp\~DF707AF09032B84991.TMP
2016-06-28 01:35:03,545 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Roaming\Microsoft\Office\VB12.pip
2016-06-28 01:35:03,747 [root] INFO: Added new file to list with path: C:\Users\User\AppData\Roaming\Microsoft\Office\Word12.pip
2016-06-28 01:35:04,917 [root] INFO: Notified of termination of process with pid 3372.
2016-06-28 01:35:05,463 [root] INFO: Added new file to list with path: C:\Windows\WindowsUpdate.log
2016-06-28 01:35:05,635 [root] INFO: Process with pid 3372 has terminated
2016-06-28 01:35:06,009 [root] INFO: Announced 32-bit process name: sppsvc.exe pid: 3712
2016-06-28 01:35:06,009 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2016-06-28 01:35:06,040 [root] INFO: Disabling sleep skipping.
2016-06-28 01:35:06,056 [root] INFO: Added new process to list with pid: 3712
2016-06-28 01:35:06,056 [root] INFO: Cuckoomon successfully loaded in process with pid 3712.
2016-06-28 01:35:06,352 [root] INFO: Announced 32-bit process name: explorer.exe pid: 1528
2016-06-28 01:35:06,352 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2016-06-28 01:35:06,368 [root] INFO: Announced 32-bit process name: explorer.exe pid: 1528
2016-06-28 01:35:06,368 [root] INFO: Disabling sleep skipping.
2016-06-28 01:35:06,368 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2016-06-28 01:35:06,384 [root] INFO: Added new process to list with pid: 1528
2016-06-28 01:35:06,384 [root] INFO: Cuckoomon successfully loaded in process with pid 1528.
2016-06-28 01:35:06,602 [root] INFO: Added new file to list with path: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
2016-06-28 01:35:06,697 [root] INFO: Added new file to list with path: C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
2016-06-28 01:35:06,789 [root] INFO: Added new file to list with path: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
2016-06-28 01:35:07,055 [root] INFO: Announced 32-bit process name: svchost.exe pid: 748
2016-06-28 01:35:07,055 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2016-06-28 01:35:07,086 [root] INFO: Disabling sleep skipping.
2016-06-28 01:35:07,101 [root] INFO: Added new process to list with pid: 748
2016-06-28 01:35:07,101 [root] INFO: Cuckoomon successfully loaded in process with pid 748.
2016-06-28 01:35:29,971 [root] INFO: Analysis timeout hit, terminating analysis.
2016-06-28 01:35:29,971 [root] INFO: Created shutdown mutex.
2016-06-28 01:35:30,986 [root] INFO: Shutting down package.
2016-06-28 01:35:30,986 [root] INFO: Stopping auxiliary modules.
2016-06-28 01:35:34,153 [root] INFO: Finishing auxiliary modules.
2016-06-28 01:35:34,153 [root] INFO: Shutting down pipe server and dumping dropped files.
2016-06-28 01:35:34,323 [root] WARNING: Unable to access file at path "C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb": [Errno 13] Permission denied: u'C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\tmp.edb'
2016-06-28 01:35:35,134 [root] INFO: Analysis completed.


But, as @gregcopenhaver says, the binary file is not in the dropped files.

I dumped the memory and scanned the executable files; the malware is loaded.


botherder commented 8 years ago

That's interesting. I'm not sure that these are tricks that will stay for very long, though. Isn't Python a pretty legitimate application to have on regular workstations too?

mehgrmlhmpf commented 8 years ago

One quick and dirty way might be to drop the strings from WMI: execute in PowerShell in the VM: `Remove-WmiObject -Class "Win32_Product"`. Side effects possible, though. Have not tested it thoroughly yet.

Better would be to just remove the python registrations from the table.

Seems like a query that could be intercepted at the hooking level. Have not seen many samples, though, that rely on the WMI Python queries.

kevross33 commented 8 years ago

Not experienced in this, but is it not possible for Cuckoo to replace certain strings prior to them being received by the malware? If this kind of thing were possible, then it could be possible to replace anti-analysis strings (i.e. vbox) with other things too, so even if the sandbox would have been detected, it is not. There would obviously be the option to disable this if someone wanted to see its detected-VM execution path (in case it doesn't just terminate but deviates in an interesting way).