SANS ISC: Internet Storm Center
Sleeping VBS Really Wants To Sleep

Published: 2016-12-10
Last Updated: 2016-12-10 20:23:20 UTC
by Didier Stevens (Version: 1)
3 comment(s)

Diary reader Wayne Smith shared an interesting malicious document with us. Wayne also provided us with his own analysis: this malicious document sleeps and checks the time online before it activates its payload.

First we take a look at the sample (md5 7EAB96D2BC04CA155DE035815B88EE00) with oledump.py.

It's a .docx file that contains 4 embedded objects. When we calculate the hashes, we see that the 4 objects are identical:

As all objects are identical, we just need to analyze one object:

It's a VBS file, let's extract it:
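The triage step above (enumerate the embedded objects, hash them, keep one copy of each distinct object) can be scripted on the ZIP container of a .docx. The following is an added example, not the diary's code or part of oledump.py: the document it works on is constructed in memory, and its four embedded objects are placeholder bytes, not the sample's real VBS. Pulling the script out of a genuine OLE object (the compound file that starts with the D0CF11E0 magic) is still oledump.py's job; this script only decides how many objects need that treatment.

```python
# Added example (not from the diary): triage the embedded objects of a .docx by hash so
# that identical OLE objects are analysed only once. A .docx is a ZIP container and
# embedded objects normally live under word/embeddings/. The sample document and the
# four "objects" below are constructed stand-ins, not the diary's real sample.
import hashlib
import io
import zipfile

EMBED_PREFIX = "word/embeddings/"


def build_sample_docx() -> bytes:
    """Construct a minimal .docx-like ZIP with four identical embedded objects (constructed data)."""
    fake_object = b"D0CF11E0" + b"<placeholder OLE object carrying an embedded script>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        for i in range(1, 5):
            z.writestr(f"{EMBED_PREFIX}oleObject{i}.bin", fake_object)
    return buf.getvalue()


def embedded_objects(docx_bytes: bytes) -> dict:
    """Return {member name: bytes} for every file stored under word/embeddings/."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return {
            name: z.read(name)
            for name in z.namelist()
            if name.startswith(EMBED_PREFIX) and not name.endswith("/")
        }


def group_by_hash(objects: dict) -> dict:
    """Group member names by the MD5 of their content: one key per distinct object."""
    groups: dict = {}
    for name, data in objects.items():
        groups.setdefault(hashlib.md5(data).hexdigest(), []).append(name)
    return groups


def unique_objects(docx_bytes: bytes) -> dict:
    """Return {md5: bytes} with one representative per distinct embedded object."""
    objs = embedded_objects(docx_bytes)
    return {digest: objs[names[0]] for digest, names in group_by_hash(objs).items()}


if __name__ == "__main__":
    sample = build_sample_docx()
    for digest, names in group_by_hash(embedded_objects(sample)).items():
        print(f"{digest}  x{len(names)}  {', '.join(names)}")
    print(f"{len(unique_objects(sample))} distinct object(s) to analyse")
```

Run against a real document by replacing `build_sample_docx()` with the file's bytes; the hash grouping then tells you how many objects actually need a closer look.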

Analysis of this obfuscated code reveals that it is a downloader with a particular property (for a maldoc): before downloading and executing the payload, this VBS code will sleep for 5 minutes, checking the elapsed time every minute by querying http://time.nist.gov:13.
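The behaviour just described leaves a recognisable trace in endpoint network logs: a script host opening a connection to TCP port 13 about once a minute for several minutes, followed by the download. The hunt below is an added example, not part of the diary: the log lines are constructed in a Sysmon-like "timestamp host process destination:port" layout (the field layout is an assumption, adapt the parser to your own source), and the destination addresses are documentation-range stand-ins for a public time server.

```python
# Added example (not from the diary): flag hosts on which one process contacts the
# daytime service (TCP/13) repeatedly at roughly one-minute intervals, the cadence the
# diary's sample uses to measure its 5-minute sleep. Log format and values are constructed.
from datetime import datetime

DAYTIME_PORT = 13
MIN_CHECKS = 3          # at least this many port-13 connections from one process
INTERVAL = (45, 90)     # seconds between checks that count as "about a minute"

# Constructed sample log: ws-042 shows the sleep-and-check pattern, ws-017 does not.
SAMPLE_LOG = """\
2016-12-10T20:00:02Z ws-042 wscript.exe 192.0.2.13:13
2016-12-10T20:00:30Z ws-042 chrome.exe 192.0.2.50:443
2016-12-10T20:01:03Z ws-042 wscript.exe 192.0.2.13:13
2016-12-10T20:02:02Z ws-042 wscript.exe 192.0.2.13:13
2016-12-10T20:03:04Z ws-042 wscript.exe 192.0.2.13:13
2016-12-10T20:04:03Z ws-042 wscript.exe 192.0.2.13:13
2016-12-10T20:05:02Z ws-042 wscript.exe 192.0.2.13:13
2016-12-10T20:05:09Z ws-042 wscript.exe 203.0.113.10:80
2016-12-10T20:00:05Z ws-017 ntpclient.exe 192.0.2.13:13
2016-12-10T21:30:10Z ws-017 w3wp.exe 198.51.100.7:13
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, host, process, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "process": process,
        "ip": ip,
        "port": int(port),
    }


def find_periodic_daytime_checks(log_text: str, min_checks: int = MIN_CHECKS,
                                 interval: tuple = INTERVAL) -> list:
    """Return one finding per (host, process) that polls TCP/13 at a regular cadence."""
    by_key: dict = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["port"] == DAYTIME_PORT:
            by_key.setdefault((ev["host"], ev["process"]), []).append(ev["ts"])

    findings = []
    for (host, process), times in by_key.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = [g for g in gaps if interval[0] <= g <= interval[1]]
        # n checks at a steady cadence produce n-1 gaps inside the interval window
        if len(times) >= min_checks and len(regular) >= min_checks - 1:
            findings.append({
                "host": host,
                "process": process,
                "checks": len(times),
                "span_s": (times[-1] - times[0]).total_seconds(),
            })
    return findings


if __name__ == "__main__":
    for f in find_periodic_daytime_checks(SAMPLE_LOG):
        print(f"{f['host']}: {f['process']} polled TCP/13 {f['checks']} times over {f['span_s']:.0f}s")
```

A single connection to port 13 (a legitimate time client, or an unrelated service) does not trip the rule; the cadence and the process name are what separate the sleep loop from background noise, and a 5-minute span followed by an outbound HTTP connection from the same process is the sequence the diary describes.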

By sleeping and checking the time online, this sample hopes to evade detection by sandboxes that accelerate the local clock to skip sleeps but let online time queries through unmodified. This sample will sleep indefinitely when online time querying fails.
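The sandbox-side countermeasure follows directly from that: answer the sample's port-13 queries yourself, with a clock that advances at the same factor as the accelerated local clock, so the online check agrees with the local one and never fails. The responder below is an added example, not the diary's code or any sandbox product's implementation. It assumes the sandbox's DNS or firewall already redirects outbound TCP/13 to the host running it, formats its reply in the NIST daytime layout (MJD YY-MM-DD HH:MM:SS TT L H msADV UTC(NIST) OTM), and binds a free port when run directly; a deployed copy would bind port 13.

```python
# Added example (not from the diary): a daytime (RFC 867, TCP/13) responder whose
# reported time advances at the sandbox's acceleration factor, so a sample that measures
# its sleep against an online source sees the same elapsed minutes as the local clock.
# The reply layout follows the NIST daytime format; the redirect of TCP/13 to this host
# is assumed to be done by the sandbox's DNS/firewall.
import socket
import threading
import time
from datetime import datetime, timedelta, timezone

MJD_EPOCH = datetime(1858, 11, 17, tzinfo=timezone.utc)   # Modified Julian Date 0


class AcceleratedClock:
    """Real elapsed seconds times `factor`: with factor 60, one real second reads as one minute."""

    def __init__(self, factor: float, start=None, now=time.monotonic):
        self.factor = factor
        self.start = start or datetime.now(timezone.utc)
        self._now = now          # injectable monotonic source, for testing
        self._t0 = now()

    def read(self) -> datetime:
        return self.start + timedelta(seconds=(self._now() - self._t0) * self.factor)


def nist_daytime_line(dt: datetime) -> str:
    """Format a UTC datetime the way NIST's daytime service does (health/leap fields set to 0)."""
    mjd = (dt - MJD_EPOCH).days
    return f"\n{mjd} {dt:%y-%m-%d %H:%M:%S} 00 0 0   0.0 UTC(NIST) * \n"


def parse_nist_daytime(line: str) -> datetime:
    """Read the date and time fields back out of a daytime reply (used to verify the responder)."""
    fields = line.split()
    return datetime.strptime(f"{fields[1]} {fields[2]}", "%y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def serve_daytime(clock: AcceleratedClock, host: str = "127.0.0.1", port: int = 0):
    """Start a daytime listener in a background thread; return (bound port, stop function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.2)            # lets the loop notice the stop flag
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:             # daytime: send one line, then close
                conn.sendall(nist_daytime_line(clock.read()).encode("ascii"))
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop.set


def query_daytime(host: str, port: int, timeout: float = 2.0) -> str:
    """Client side of the protocol: connect, read the single reply line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(128).decode("ascii").strip()


if __name__ == "__main__":
    clock = AcceleratedClock(factor=60)           # one real second = one reported minute
    port, stop = serve_daytime(clock)             # port=13 in a real deployment
    first = parse_nist_daytime(query_daytime("127.0.0.1", port))
    time.sleep(1)
    second = parse_nist_daytime(query_daytime("127.0.0.1", port))
    stop()
    print(f"listening on {port}; reported elapsed: {(second - first).total_seconds():.0f}s after 1 real second")
```

The sample's 5-minute wait then completes in a few real seconds while its once-a-minute checks keep succeeding, which also removes the "sleep forever when the query fails" branch from the picture. The factor must match whatever the sandbox does to its local clock; a mismatch between the two readings is itself a signal some samples look for.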

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
NVISO
