In this post I will breakdown a random malware found online.
When we examine the macro itself, we notice that the macro is trying to create a powershell script at “%TEMP%\Catchme\1.ps1″ – my pleasure!
The powershell script is encoded within the cells itself, not something clever.
Lets modify the script and remove the last 7 lines from the function temp() so we can get that powershell script without running it.
The script itself contains some encoded and compressed .NET managed code which will be loaded using System.Reflection.Assembly.Load(byte ).
The assembly is loaded into the application domain of the caller.
But we really want to get the executable itself – its way more fun this way!
To debug .NET assemblies we have some wonderful WinDBG extensions called SOS and SOSEX.
First load sosex.dll to WinDBG
.load “C:\\Users\\mark\\Desktop\\don’t open – dead inside\\sosex.dll”
Next step is settings breakpoints. We are interested in “System.Reflection.Assembly.Load”
All we have left to do is dump the file and take a look at it
.writemem “C:\\Users\\mark\\Desktop\\don’t open – dead inside\\dumped.dll” 07bb1c40 L00046400
sample.xls – md5,70659C4950B32B57DEA60E81DC64279B
1.ps1 – md5,D88A4430EB40F3C6731D66D6FFCB0724
loaded dll – md5,9581221589F01FE90358D31D3450E9A8