Grinju Downloader: Anti-analysis (on steroids) | Part 1

Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju
TLDR: 
This is a very well-thought and equally well-written malware. There’s no VBA that you can analyse. The values and formulas that are used are spread across the worksheets to thousands of rows. The functions, among other things, are used to close the file, corrupt it and also delete the dropped scripts to make analysis extremely hard. In fact, you cannot analyse this malware without altering the code it self. Along the way, you’ll also see some great functions that can be used for anti-analysis techniques.
I've tried to include as much detail as possible but if you think something is not clear or has been left out (mostly its 'how did you get there in the first place?'), please don't hesitate to reach out, either in the comments or just email me.

No Code

Well, that’s not an entirely true title… there is code, just not in the traditional sense when it comes to macro-based malware (which is both exciting to see and also a stroke of genius on the authors’ part — credit where its due). Also, I wanted to reference in the album title from one of my favourite bands :)

Analysing the file

Now that we have a basic understanding of how the malware operates, let’s get into the nitty-gritty.

The problem

Well, the first problem is that if you enable macros and allow execution of the malware, it will complete the execution flow and then simply corrupt the file at which point you won’t be able to analyse the file any longer. Having said that, let’s look at the flow of execution here before we move forward.

  1. The malware runs the first set of macro functions in succession which writes a new set of macro functions to the worksheet
  2. On successful execution of the second set of macro functions, the malware does two things:
  3. It writes a VBS file to the disk
  4. It writes a text file to the disk
  5. It deletes the text file
  6. It corrupts the original excel file
  7. End of execution

Analysis Part 1

In this section, we’ll take a look at the start of the execution chain and how it is implemented.

Zoomed out to 10% and then scrolled out to the right; look all the way to the right closely
Zoomed back at 100%
=IF(AND(APP.MAXIMIZE(),GET.WORKSPACE(19),GET.WORKSPACE(13)>770,GET.WORKSPACE(14)>390,GET.WORKSPACE(31)=FALSE,GET.WORKSPACE(42)),,HALT())
gsiGGMo=R3915C240
gzDNqr=R3890C240
PMXOKD=R3979C240
esvmJMDoTkrH=R3910C240
Another very interesting method that has been applied here, is using the character codes to build the commands!
In the next part, we’ll dive into the code step-by-step and discover more anti-analysis and stealth-exec techniques.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Vishal Thakur

Vishal Thakur

DFIR enthusiast. Founder of HCKSYD. Founder of Security BSides Sydney Australia. Malware Analyst.