This malware is definitely created by a professional as it has an advance method of installing itself. And the malware author knows that what he/she created is BAD.
0x0BAD - Signature of ShellCode for data stealing.
Installation
This malware was dropped by a PDF file that takes advantage of a known vulnerability which results to Privilege Escalation. To maintain its privilege to run as admin, it creates the following autostart key:
Software\Microsoft\Windows NT\Currentversion\Winlogon
Shell="explorer.exe, <malware_path_and_filename>"
This malware inject its code to windows taskbar by searching for Shell_TrayWnd window handle. And also, It uses ZwQuerySystemInformation to get all the running processes in the system wherein it will calculate the hash of the names of running processes. The hashes will then be compared to the hardcoded list of hashes of executable files that will be targeted for code injection. Here are targeted executables and their corresponding hashes:
69CD16BA - iexplore.exe
7B6061F9 - firefox.exe
880F19D2 - chrome.exe
DD87014F - opera.exe
74667F89 - explorer.exe
This malware uses hashes instead of directly providing the API name that it needs. It uses the TIB (FS[0x18]) to get all the loaded dll modules. Below are the list of APIs and their corresponding hashes:
1F8B758A - ntdll.dll
B05FD69A - LdrGetDllHandle
CCE8D5E4 - LdrLoadDll
FBAF20FE - ZwSetInformationThread
F84E6809 - ZwResumeThread
251E0CC9 - ZwDelayExecution
17CF5544 - RtlGetProcessHeaps
9B2E0E85 - RtlAllocateHeap
41324137 - ZwQuerySystemInformation
086A61AC - RtlReAllocateHeap
E4A0A8C0 - RtlFreeHeap
CD74BF79 - ZwOpenProcess
309A4C54 - ZwClose
73ED9B27 - ZwCreateSection
5D859023 - ZwMapViewOfSection
B62E0ECD - _snprintf
6828791B - ZwTerminateThread
0301DA7D - RtlDecompressBuffer
CE8286AD - ZwAllocateVirtualMemory
4F515588 - kernel32.dll
1A08B014 - CreateRemoteThread
C3B42C10 - GetModuleFileNameW
98D29F2E - GetModuleFileNameA
63A4DEA5 - GetShortPathNameW
412E83B3 - GetShortPathNameA
EB771CAF - CreateEventA
F6F15646 - ExpandEnvironmentStringsA
438EED48 - CloseHandle
A01B4F40 - GetFileAttributesA
69FB2CCE - GetFileAttributesW
5568AE6B - CreateFileA
DC0BC10F - WriteFile
534D310F - ExitProcess
2415842C - DeleteFileW
7DC71262 - DeleteFileA
293DF8B5 - GetProcessVersion
5B117232 - advapi32.dll
E4A8B4E0 - OpenProcessToken
3B97B437 - GetTokenInformation
5B1D4476 - EqualSid
1A726DBB - DuplicateTokenEx
F5E6C455 - RegCreateKeyExA
A63ACEB9 - RegSetValueExA
8F2D0F57 - RegCloseKey
5A4B3EDE - user32.dll
8FAFF46C - FindWindowA
D69D869A - PostMessageA
71669709 - SetWindowLongA
69DE0153 - shell32.dll
F955B5FA - ShellExecuteA
69304E4B - ole32.dll
5142539F - CoCreateGuid
Information Stealing
This malware has the following capabilities:
Delete files
Download and execute files
Send stolen data to server
Stop its own process
But the above routines will not get executed if the following network monitoring tools are running:
tcpdump.exe
windump.exe
ethereal.exe
wireshark.exe
ettercap.exe
snoop.exe
dsniff.exe
It steals the following information from a compromised machine:
Uptime of the machine
Temp folder
File listing on certain directory
Drive Types
Network Resources
TCP and UDP connection table
List of running processes
List of names of open windows
Machine Information (Manufacturer and Model)
Operating System version
Processor Information
Computer Name
Local Group
Local Users
Language
Timezone
Country
Installed Windows Updates
And then collates and encrypts the above mentioned data before sending them to the following sites via HTTP POST request:
http://{REMOVED}play.com/wp-includes/sitemap/?rank=78964
http://{REMOVED}ree.ir/wp-content/plugins/online-chat/?rank=87758
0 comments:
Post a Comment