kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

Microsoft Onenote #1307

Closed WVAuditors closed 1 year ago

WVAuditors commented 1 year ago

About accounts on capesandbox.com

This is open source and you are getting free support so be friendly!

Prerequisites

Please answer the following questions for yourself before submitting an issue.

Expected Behavior

The expected behavior would be running [Invoice _00198683.one] for analysis. This is malware that we captured today. It seems this is a MS OneNote file.

Current Behavior

Detected as a .vbs script. Are there any analysis packages for MS OneNote? If not, is there a possible way to execute this malware to be analyzed running inside the OneNote process with CAPE?

Failure Information (for bugs)

No failure

Steps to Reproduce

Please provide detailed steps for reproducing the issue.

  1. Ran as expected.

Context

Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions. Operating system version, bitness, installed software versions, test sample details/hash/binary (if applicable).

| Question | Answer |
| --- | --- |
| Git commit | Type `$ git log \| head -n1` to find out |
| OS version | Azure, Ubuntu 20.04, Windows 10 |

Failure Logs

N/A

doomedraven commented 1 year ago

what about https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/modules/packages/one.py ?

doomedraven commented 1 year ago

i guess it needs some detection for proper package selection

WVAuditors commented 1 year ago

I just noticed that. Thank you.

kevoreilly commented 1 year ago

Just looking at this now - my test ended up running as hta despite correct .one extension and selection code in analyzer/lib/core/packages.py

doomedraven commented 1 year ago

@WVAuditors can you share magic signature from ms one file to add it to sflock?

WVAuditors commented 1 year ago

@doomedraven I sure can, just fill me in on what a magic signature is. Are you referring to the SHA256 hash? Or do I need to look elsewhere?

kevoreilly commented 1 year ago

```python
# Check the first 16 bytes of the sample against the OneNote header GUID
magic = open(self.sample_path, "rb").read(16)
if magic == b"\xE4\x52\x5C\x7B\x8C\xD8\xA7\x4D\xAE\xB1\x53\x78\xD0\x29\x96\xD3":
    # it's onenote
    ...
```

WVAuditors commented 1 year ago

I am sorry not a clue.

WVAuditors commented 1 year ago

I was able to add the analysis package one.py. Ran it through analysis and saw lots of bad behavior. I wish I could help you more on the magic signature part. Please pardon my ignorance, I am just not familiar enough with what you are referring to.

WVAuditors commented 1 year ago

Analysis on my private sandbox

| Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | GID | SID | REV | Signature | Category | Severity |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2023-01-09 17:37:30.831129+0000 | 10.14.2.5 | 50419 | 8.8.8.8 | 53 | UDP | 1 | 2034316 | 1 | ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) | Potentially Bad Traffic | 2 |
| 2023-01-09 17:37:30.831129+0000 | 10.14.2.5 | 50419 | 8.8.8.8 | 53 | UDP | 1 | 2035139 | 1 | ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) | Misc activity | 3 |
| 2023-01-09 17:37:30.855537+0000 | 10.14.2.5 | 50419 | 8.8.8.8 | 53 | UDP | 1 | 2034316 | 1 | ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) | Potentially Bad Traffic | 2 |

Signatures

- CAPE extracted potentially suspicious content
- Multiple direct IP connections
- DNS query to anonymous/temporary file storage service detected
- Created network traffic indicative of malicious activity

Analysis on public sandbox: No Detections, ran as vbs package

https://capesandbox.com/analysis/351206/

| Field | Value |
| --- | --- |
| Filename | Invoice _00198683.one |
| File Type | data |
| File Size | 20584 bytes |
| MD5 | af9e5a25e7ce6b5cdfbb8ebbede5de0c |
| SHA1 | c87208e439945d3a15111475dce7a763fef75438 |
| SHA256 | 15212428deeeabcd5b11a1b8383c654476a3ea1b19b804e4aca606fac285387f |
| SHA3-384 | 7ff3b722fd4efa69ad4033a18d2cdbca395e2596a8ad071f654e6b510a392cbc5a21a64e88e12b0545d694fce3d3a0ed |
| CRC32 | 71EAF22C |
| TLSH | T179927C253BD19159C5F968325AD3EB09656AFB112662070FFB89268C4F34340CEA1FEF |
| Ssdeep | 384:itxsi54pydQRlAueAr+KDfx+ZJOEgJ+6eAL:itxsiWpDRlwkkwEgJ7 |

doomedraven commented 1 year ago

filetype/magic, but I see that it is `data` in CAPE

```console
$ file --mime yaraQA.py
yaraQA.py: text/x-script.python; charset=us-ascii

$ file yaraQA.py
yaraQA.py: Python script text executable, ASCII text
```

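The two gaps discussed above, doomedraven's request for a magic signature and `file`/CAPE reporting the sample as plain `data`, come down to the same 16-byte comparison. The following is an added example written for this thread, not CAPE's, sflock's or any participant's code: it detects a .one section by the header GUID kevoreilly quoted, picks an analysis package from content before extension, and, going beyond the thread, walks the FileDataStoreObject records defined in MS-ONESTORE to list the files embedded in the section (which is what an extension- or content-sniffing detector sees as `.vbs`). The package fallback table, the `guess_payload_type` heuristic and the sample buffer are constructed for the example.

```python
"""
Magic-based detection of Microsoft OneNote (.one) sections plus carving of the
files embedded in them.

Added example for this thread; not CAPE's, sflock's or any participant's code.
The header GUID is the one quoted in the thread; the FileDataStoreObject GUIDs
come from MS-ONESTORE and go beyond what the thread shows.
"""
import struct
from typing import List, NamedTuple

# guidFileType of a .one section, {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3} in
# little-endian byte order. A libmagic without an entry for it reports such a
# file as plain "data", as CAPE did here, so compare the first 16 bytes directly.
ONE_MAGIC = b"\xE4\x52\x5C\x7B\x8C\xD8\xA7\x4D\xAE\xB1\x53\x78\xD0\x29\x96\xD3"

# FileDataStoreObject guidHeader and guidFooter (MS-ONESTORE 2.6.13). Each file
# embedded in a section is stored as: guidHeader, cbLength (uint64),
# unused (4 bytes), reserved (8 bytes), FileData, guidFooter.
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")
FDSO_HDR_LEN = 16 + 8 + 4 + 8


def is_onenote(data: bytes) -> bool:
    """True when the buffer starts with the .one section header GUID."""
    return data[:16] == ONE_MAGIC


def select_package(data: bytes, filename: str) -> str:
    """Pick an analysis package: content magic first, extension second.

    The fallback map is an assumption of this example, not CAPE's real
    selection table; the point is that magic wins over a misleading extension.
    """
    if is_onenote(data):
        return "one"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {"vbs": "vbs", "hta": "hta", "one": "one"}.get(ext, "generic")


class Embedded(NamedTuple):
    offset: int       # offset of guidHeader inside the container
    data: bytes       # FileData bytes
    footer_ok: bool   # guidFooter found right after FileData (padding tolerated)


def carve_embedded(data: bytes) -> List[Embedded]:
    """Return every FileDataStoreObject payload found in a .one buffer."""
    found: List[Embedded] = []
    pos = data.find(FDSO_HEADER)
    while pos != -1 and pos + FDSO_HDR_LEN <= len(data):
        (cb_length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + FDSO_HDR_LEN
        end = start + cb_length
        if cb_length == 0 or end > len(data):
            # Corrupt or truncated object: skip this header and keep scanning.
            pos = data.find(FDSO_HEADER, pos + 1)
            continue
        # The footer follows FileData, possibly after a few alignment bytes;
        # accept it anywhere in the next 8 bytes.
        footer_ok = data.find(FDSO_FOOTER, end, end + 24) != -1
        found.append(Embedded(pos, data[start:end], footer_ok))
        pos = data.find(FDSO_HEADER, end)
    return found


def guess_payload_type(blob: bytes) -> str:
    """Cheap first-look classification of a carved payload (heuristic)."""
    if blob[:2] == b"MZ":
        return "pe"
    if blob[:4] == b"%PDF":
        return "pdf"
    if blob[:2] == b"PK":
        return "zip/office"
    try:
        blob[:512].decode("ascii")
    except UnicodeDecodeError:
        return "data"
    return "script/text"


# Constructed stand-in for a malicious section (not a real sample): header
# GUID, filler, one embedded VBScript stub wrapped in a FileDataStoreObject.
EMBEDDED_SCRIPT = b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "notepad.exe"\r\n'


def build_sample() -> bytes:
    pad = b"\x00" * (-len(EMBEDDED_SCRIPT) % 8)
    fdso = (FDSO_HEADER + struct.pack("<Q", len(EMBEDDED_SCRIPT))
            + b"\x00" * 4 + b"\x00" * 8 + EMBEDDED_SCRIPT + pad + FDSO_FOOTER)
    return ONE_MAGIC + b"\x00" * 240 + fdso + b"\x00" * 64


if __name__ == "__main__":
    sample = build_sample()
    print("onenote:", is_onenote(sample),
          "package:", select_package(sample, "Invoice _00198683.one"))
    for obj in carve_embedded(sample):
        print(f"offset={obj.offset:#x} size={len(obj.data)} "
              f"type={guess_payload_type(obj.data)} footer_ok={obj.footer_ok}")
```

Run it as a script to see the constructed sample classified as `one` and its single embedded script carved; point `carve_embedded` at the bytes of a real section to enumerate what a OneNote lure actually drops. Checking `footer_ok` is the cheap way to tell a well-formed record from a header GUID that merely appears somewhere in the file.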
doomedraven commented 1 year ago

I have released sflock2 with MS OneNote detection; upgrade it to the latest version with `pip3 install -U SFlock2` or `poetry run pip install -U SFlock2`

WVAuditors commented 1 year ago

I was able to get the output below if that helps anything for the magic signature.

```python
b'\xe4R\\{'
```

WVAuditors commented 1 year ago

```text
Installing collected packages: SFlock2
  Attempting uninstall: SFlock2
    Found existing installation: SFlock2 0.3.34
    Uninstalling SFlock2-0.3.34:
      Successfully uninstalled SFlock2-0.3.34
Successfully installed SFlock2-0.3.41
```

doomedraven commented 1 year ago

Kevin provided the proper magic for that, so now it should be autodetected and set to the `one` package

doomedraven commented 1 year ago

```python
>>> from sflock import unpack
>>> q = unpack(b"file.cab")
KeyboardInterrupt
>>> a = unpack(b"15212428deeeabcd5b11a1b8383c654476a3ea1b19b804e4aca606fac285387f")
>>> a.package
'one'
```

so that now sets the proper package