• Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg
  • Delicious

Anti-Malware Laboratory

Yet Another Malware Blog

About

An informal blog from your friendly neighborhood software security humans.

Blog Archive

  • ►  2015 (5)
    • ►  October (1)
    • ►  August (2)
    • ►  May (1)
    • ►  March (1)
  • ▼  2014 (8)
    • ▼  October (1)
      • Upatre: .ENC File Extension
    • ►  July (1)
      • SPAM: Taxes, allowances and tax credits
    • ►  June (1)
      • Bitcrypt v2.0
    • ►  May (4)
      • Spam mail from fake FedEx
    • ►  April (1)
  • ►  2013 (12)
    • ►  December (3)
    • ►  November (5)
    • ►  August (2)
    • ►  March (2)
  • ►  2012 (35)
    • ►  April (4)
    • ►  March (12)
    • ►  February (17)
    • ►  January (2)

Categories

adobe (1) android (10) android february (1) baksmali (1) Black Hole (2) crimepack (1) disassembler (1) exploit (3) Exploits (4) Fakeav Winrar sfx (1) Fishbowl (1) flash (1) gift certificates (1) Google Authenticator (1) google play (1) hcp (1) java (1) Malware (5) mdac (1) Mobile (24) NSA Mobility Program (1) obfuscated script (1) pdf (1) Reversing (2) rhino (1) skype (1) smali (1) spam (1) test (1) Unpacking (1) vouchers (1) vulnerability (3)

Popular Posts

  • Bank of America spam: An Analysis
    An email claiming to be from Bank of America lures users to open an attachment that shows how to open secure emails from the bank. The mess...
  • [BE CAUTIOUS] Dragon Ball Z: Resurrection of F MALWARE and SCAM
    Be wary of downloading movies in torrent sites.  Executables can also be executed with a file size as huge as a gigabyte...
  • Unpacking MFC Compiled CryptoWall Malware
    Unpacking MFC Compiled CryptoWall Malware Introduction First and foremost, this article does not intend to analyze what CryptoWall malw...

Visitors to this blog

Thursday, October 23, 2014

Upatre: .ENC File Extension

Posted on Thursday, October 23, 2014 by bernadette | No comments
Cybercriminals uses different techniques to pass through different kinds of network intrusion defenses the users have in their system to avoid malwares. This time criminals have found a new way to deceive users and be able steal important information by encrypting the file and making it unexecutable with a file extension of either “.ENC” or “.EXE”. These files are known to be downloaded by Upatre malwares.

Upatre malwares sizes are ranging from 5KB-10KB only. This malware size is noticeably small compared to other malwares since its main role is to just download “.enc”  or “.exe” files, decompress it then executes it. In order to evade malware detection, downloaded files magic bytes are ZZP and without the downloader the downloaded files are completely un-executable.


Sample of downloaded file

The Downloader
cef76fa7b4b30f76c7b6d2eefa30d944

It will first check if the malware is running with its desired filename from %TEMP% folder. If not it will create a copy of itself with its desired filename then execute it using ShellExecuteW.

Check if the existing filename is budha.exe

Create and Execute budha.exe

It will connect to the following sites to download another malware which is the encrypted one (“.enc” or “.exe” files).
  • dcmsservices.com/images/stories/slides/pdf.enc
  • electriciansdublinireland.com/wp-content/uploads/2014/01/pdf.enc
  • freebiegalore.com/facelift/pdf.exe
  • freebiesvaults.info/freebies/nucleus/images/pdf.exe


This file is also the one responsible in decrypting and decompressing the downloaded file. In the above memory dump at offset 60, the first four bytes are the decryption keys using XOR operand. But before decrypting the downloaded files it will first check if the magic bytes of the downloaded file are ZZP\0. Decrypted files are in a compressed form and are needed to decompress using RTLDecompressBuffer


Magic Bytes checking

Decryption and Decompression routine


Copy of decrypted file

Note: ZZP/0 is not included in bytes to be decrypt.

If the above check fails, it will skip the decryption part and proceed on checking the MZ header. It will create a copy of decompressed or a valid win32 PE downloaded file in %TEMP% folder and then execute it.


MZ header checking and creating a copy of downloaded file

The Downloaded File

The downloaded file contains encrypted file in resource section.

Encrypted resource

Decrypted resource

It parses resource section through the FindResource, LoadResource and LockResource APIs instead of LoadBitmap so that it can copy its data to another application.

This malware is simply the loader of the encrypted Win32 file in Resource section. It uses process hollowing technique to load the said file but instead of loading legitimate process, it creates another process of the downloaded file in a suspended state.




Then the malware will unmap the original code from memory in the host process using ZwUnmapViewOfSection API, and use VirtualAllocEx to allocate memory for the new code.


The malware will write its new code into the hollow host process using WriteProcessMemory. The data to be written into the hollow host process is from resource section of the downloaded file (0x40555A). Then the malware will simply resume the suspended process using ResumeThread.



The hallowed process contains an encrypted chunk of code where in these codes are responsible for calling the functions in creating a copy of itself.


It will create a folder in %APPDATA% with a random folder name, first character is always in capital letters. This folder contains a copy of this malware also with a random filename.

Code snippet in generating random folder and malware name

Sample folder and malware name

Then this malware will execute the created copy of itself using CreateProcessW.


It will enumerate all of the running processes and check the SID length of each process. In this case if the SID length is 0x1c the malware will create thread that run into the virtual address space of this process through CreateRemoteThread.











Read More

Tuesday, July 8, 2014

SPAM: Taxes, allowances and tax credits

Posted on Tuesday, July 08, 2014 by Unknown | No comments
I received a new spam mail quite recently stating that I can claim a tax refund. What caught my attention is that it says I have a tax refund from US even if in actuality I have never worked nor paid taxes in the US.
Here is a screenshot of the spam mail.

This mail has an archived file attached “Refund-Form-ID_0842893.zip” claiming to be a form in which I need to complete and submit for issuance of the said tax refund.

Inside the zip file is a malicious executable file named “Tax_76483691535948579.elc.exe” and is detected by ThreatTrack’s Vipre as Trojan.Win32.Zbot.qu (v) (but most commonly known as Andromeda by some).

This malware is closely related or should I say an updated version of the malware spam previously analyzed by my colleague in http://www.antimalwarelab.com/2014/05/spam-mail-from-fake-fedex.html.

ANTI-DEBUGGING


Checks for process names to avoid, hashes them using ntdll.RtlComputeCrc32 and compares it to a table of CRC32-hashes within its body. Previous version of this malware uses direct comparison of hashes, now it uses a table where it loops and checks for the hash values listed in the table.

seg000:000011E8                 call    CreateToolhelp32Snapshot
…
…
seg000:0000120B                 call    Process32First
…
…
seg000:0000121A _checkNextProc:                         ; CODE XREF: DebugCheck+B9j
seg000:0000121A                 xor     edi, edi
seg000:0000121C                 cmp     [ebp+var_210], bl
seg000:00001222                 jz      short loc_124D
seg000:00001224
seg000:00001224 _convertToSmallCaps:                    ; CODE XREF: DebugCheck+75j
seg000:00001224                 lea     esi, [ebp+edi+var_210]
seg000:0000122B                 mov     al, [esi]
seg000:0000122D                 xor     ecx, ecx
seg000:0000122F                 cmp     al, 5Ah ; 'Z'
seg000:00001231                 setle   cl
seg000:00001234                 xor     edx, edx
seg000:00001236                 cmp     al, 41h ; 'A'
seg000:00001238                 setnl   dl
seg000:0000123B                 test    edx, ecx
seg000:0000123D                 jz      short loc_1243
seg000:0000123F                 add     al, 20h ; ' '
seg000:00001241                 mov     [esi], al
seg000:00001243
seg000:00001243 loc_1243:                               ; CODE XREF: DebugCheck+67j
seg000:00001243                 inc     edi
seg000:00001244                 cmp     [ebp+edi+var_210], bl
seg000:0000124B                 jnz     short _convertToSmallCaps
seg000:0000124D
seg000:0000124D loc_124D:                               ; CODE XREF: DebugCheck+4Cj
seg000:0000124D                 push    edi
seg000:0000124E                 lea     eax, [ebp+var_210]
seg000:00001254                 push    eax             ; # process name
seg000:00001255                 push    ebx
seg000:00001256                 call    RtlComputeCrc32
seg000:0000125B                 mov     ecx, ds:7FF90218h ; # hash table of process to check
seg000:00001261                 xor     edx, edx
seg000:00001263                 jmp     short loc_1271
seg000:00001265 ; ---------------------------------------------------------------------------
seg000:00001265
seg000:00001265 _contHashCheck:                         ; CODE XREF: DebugCheck+9Dj
seg000:00001265                 cmp     eax, ecx
seg000:00001267                 jz      short _hashProcFound ; # hash matched
seg000:00001269                 mov     ecx, ds:7FF9021Ch[edx*4]
seg000:00001270                 inc     edx
seg000:00001271
seg000:00001271 loc_1271:                               ; CODE XREF: DebugCheck+8Dj
seg000:00001271                 cmp     ecx, ebx
seg000:00001273                 jnz     short _contHashCheck
seg000:00001275                 jmp     short loc_127E


CRC32-hash table of processes to avoid

These are some of the hashes that were recovered by trial and error. As we know, recovering strings based from a computed hash is near impossible. These strings are file names/process names of common monitoring and analysis tools.
wireshark.exe – 0x77AE10F7
vboxservice.exe – 0x64340DCE
vboxtray.exe – 0x63C54474
vmtoolsd.exe – 0x278CDF58
vmwareuser.exe – 0x99DD4432
procmon.exe – 0x5BA9B1FE
filemon.exe – 0x3D46F02B
regmon.exe  - 0x3CE2BEF3
netmon.exe – 0xF344E95D

It may also check for the CRC32-hash of the drive name where Windows directory is located and compare it to 0x20C7DD84 before it continues.

It checks for sbiedll.dll which is a used by Sandboxie (Sandbox security software for Windows).

SYSTEM CHANGES


It adds the following registry entries in attempt to hide suspicion.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer TaskbarNoNotification dword:00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer HideSCAHealth dword:00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA dword:00000000
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer TaskbarNoNotification dword:00000000
HKEY_CURRENT_USER \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer HideSCAHealth dword:00000000

It also deletes an autorun registry key of taskmgr.exe located in “image file execution options” if available
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\image file execution options\taskmgr.exe

It will also disable some windows security services like
wscsvc – windows security center service
WinDefend – windows defender service
MpsSvc – part of windows firewall service
SharedAccess – internet connection sharing service
Wuauserv – windows update service

It then proceeds to delete its main executable in an attempt to cleanup its traces.


PAYLOAD


It first checks the operating system if Windows 32-bit or 64-bit and injects its code to either of each
%windir%\SysWOW64\msiexec.exe (for 64-bit)
%windir%\system32\msiexec.exe (for 32-bit)

It uses two code injection techniques so that if the first one fails, it still has its backup routine.

First is by the conventional way of injecting code to a target process (msiexec.exe) by using CreateProcess, MapViewOfSection,  overwrite entry point of target process to point to code of malware,  then ResumeThread.
seg000:00002561                 call    dword ptr ds:7FF900F8h ; # CreateProcessW
…
…
seg000:0000259E                 call    NtMapViewOfSection
seg000:000025A3                 test    eax, eax
seg000:000025A5                 jnz     loc_262D
seg000:000025AB                 mov     esi, [ebp+var_34]
seg000:000025AE                 mov     eax, [ebp+arg_4]
seg000:000025B1                 mov     ecx, [ebp+var_4]
seg000:000025B4                 add     edi, esi
seg000:000025B6                 push    edi
seg000:000025B7                 add     ecx, eax
seg000:000025B9                 push    6
seg000:000025BB                 lea     eax, [ebp-3Ch]  ; # overwrite entry point of msiexec.exe with
seg000:000025BB                                                        ; # 68 BF160A00     PUSH 0A16BF
seg000:000025BB                                                        ; # C3              RETN
seg000:000025BE                 push    eax
seg000:000025BF                 mov     [ebp+var_3B], ecx
seg000:000025C2                 call    MemCopy
…
…
seg000:000025F1                 call    NtUnmapViewOfSection
…
…
seg000:00002639                 push    [ebp+var_20]
seg000:0000263C                 call    dword ptr ds:7FF90120h ; # ResumeThread

The other is the same procedure as above but calls QueueUserAPC first before going to ResumeThread. The logic here is that the malware queues an APC using QueueUserAPC API before the thread begins to run (in this case the thread of msiexec.exe). The queued APC function points to the malware code safely copied to the address space of msiexec.exe. So after resuming the suspended thread,  the APC function is called first, hence executing the code of the malware.
…
…
seg000:00002745                 mov     eax, [ebp+arg_4]
seg000:00002748                 mov     ecx, [ebp+var_4]
seg000:0000274B                 push    [ebp+var_1C]
seg000:0000274E                 add     ecx, eax
seg000:00002750                 push    ecx
seg000:00002751                 call    dword ptr ds:7FF90128h ; # QueueUserAPC
seg000:00002757                 push    [ebp+var_1C]
seg000:0000275A                 mov     [ebp+var_8], eax
seg000:0000275D                 call    dword ptr ds:7FF90120h ; # ResumeThread

It also hooks ntdll.NtOpenSection and GetAddrInfoW to point to its own code.

It checks for internet connection by querying common DNS names like
update.microsoft.com
microsoft.com
bing.com
google.com
yahoo.com

It will then craft a message with the following format before it sends it to its C&C server
“id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu”
where,
id = Volume information of infected drive
bid = Bot ID version
os = Operating system version (whether 32 or 64bit)
la = ip address of infected host
rg = Check if it runs on administrative level (1 or 0)

Here is an example of its data string that is to be sent to C&C
id:2894982272|bid:34|os:593|la:3232258948|rg:1

It will be encrypted using RC4 with the key b8d4b5527da0f28c47cd82d86557d4dc and then Base64 encoding afterwards.

Here is the final encrypted equivalent of the same string


It uses Google Public DNS servers (8.8.8.8 & 8.8.8.4) to query its C&C servers listed below
http://62.76.40.177/srt/ge.php
http://37.139.47.108/srt/ge.php

As of this writing, the servers listed above are already inactive. However; variants of this malware family suggests that it downloads the well-known zeus bot or zbot malwares.

It may also download additional malware functionalities or plugins with dll export functions as “aReport” & “aUpdate”. Since the links are dead and I haven’t produced any additional downloaded files, I can only assume that “aReport” function sends some info to its C&C server while “aUpdate” function checks for an updated version of the malware.

Below is a code snippet on how it attempts to call the aReport function by traversing dll modules that are loaded in memory, looking for its dll component that is supposedly loaded already then using GetProcAddress to get the function address of aReport, then subsequently calling aReport function. The same procedure is done to aUpdate.
seg000:00000CFC                 call    CreateToolhelp32Snapshot
seg000:00000D01                 mov     [ebp+var_4], eax
seg000:00000D04                 cmp     eax, 0FFFFFFFFh
seg000:00000D07                 jz      loc_D93
seg000:00000D0D                 lea     eax, [ebp+var_228]
seg000:00000D13                 push    eax
seg000:00000D14                 push    [ebp+var_4]
seg000:00000D17                 mov     [ebp+var_228], 224h
seg000:00000D21                 call    Module32First
seg000:00000D26                 test    eax, eax
seg000:00000D28                 jz      short loc_D8A
seg000:00000D2A                 push    ebx
seg000:00000D2B                 push    esi
seg000:00000D2C
seg000:00000D2C _loopProc:                              ; CODE XREF: sub_CDD+A9j
seg000:00000D2C                 push    7FF904BCh       ; # "aReport"
seg000:00000D31                 push    [ebp+var_20C]
seg000:00000D37                 call    dword ptr ds:7FF90068h ; # GetProcAddress
seg000:00000D3D                 test    eax, eax
seg000:00000D3F                 jz      short _nextModule
seg000:00000D41                 call    eax             ; # call function "aReport"


FAKE PAYLOAD


When it suspects that it is being analyzed or reversed, it executes its fake payload routine by adding the following registry entries

HKEY_CLASSES_ROOT\.max HKEY_CLASSES_ROOT\.max @ "Matrix.Document"
HKEY_CLASSES_ROOT\.max\ShellNew HKEY_CLASSES_ROOT\.max\ShellNew NullFile ""
HKEY_CLASSES_ROOT\Matrix.Document HKEY_CLASSES_ROOT\Matrix.Document @ "Matrix Document"
HKEY_CLASSES_ROOT\Matrix.Document\DefaultIcon HKEY_CLASSES_ROOT\Matrix.Document\DefaultIcon @ "{malware path}\{malware.exe},0"
HKEY_CLASSES_ROOT\Matrix.Document\shell HKEY_CLASSES_ROOT\Matrix.Document\shell\open HKEY_CLASSES_ROOT\Matrix.Document\shell\open\command HKEY_CLASSES_ROOT\Matrix.Document\shell\open\command @ "{malware path}\{malware.exe} "%1""
HKEY_CLASSES_ROOT\Matrix.Document\shell\print HKEY_CLASSES_ROOT\Matrix.Document\shell\print\command HKEY_CLASSES_ROOT\Matrix.Document\shell\print\command @ "{malware path}\{malware.exe} /p "%1""
HKEY_CLASSES_ROOT\Matrix.Document\shell\printto HKEY_CLASSES_ROOT\Matrix.Document\shell\printto\command HKEY_CLASSES_ROOT\Matrix.Document\shell\printto\command @ "{malware path}\{malware.exe} /pt "%1" "%2" "%3" "%4""
HKEY_CURRENT_USER\Software\Matrix HKEY_CURRENT_USER\Software\Matrix\Recent File List HKEY_CURRENT_USER\Software\Matrix\Settings HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.max HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.max @ "Matrix.Document"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.max\ShellNew HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.max\ShellNew NullFile ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document @ "Matrix Document"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\DefaultIcon HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\DefaultIcon @ "{malware path}\{malware.exe},0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\open HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\open\command HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\open\command @ "{malware path}\{malware.exe} "%1""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\print HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\print\command HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\print\command @ "{malware path}\{malware.exe} /p "%1""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\printto HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\printto\command HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\printto\command @ "{malware path}\{malware.exe} /pt "%1" "%2" "%3" "%4""



Read More

Wednesday, June 18, 2014

Bitcrypt v2.0

Posted on Wednesday, June 18, 2014 by bernadette | No comments
Bitcrypt is a ransomware program where in it encrypts certain types of file in the system using RSA public-key cryptography. This malware will display a message offering the user to decrypt the data once the payment is made through Bitcoin.

 Summary
  
Upon execution, it will create a thread that will periodically check and terminate running instance of taskmgr.exe and regedit.exe.
It will also check the existence of the following registry entry:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    • Value Name: Bitcomint 
    • %APPDATA%\[RANDOM FILE NAME].exe
If the above registry entry doesn't exist it will create one and also create a copy of itself in %APPDATA%. After ensuring that the malware will start every time the Windows start, it will execute the following commands:
  • /K bcdedit /set {bootmgr} displaybootmenu no
  • /K bcdedit /set {default} bootstatuspolicy ignoreallfailures
It will set country or region location of windows through the following registry entry:
  • HKEY_CURRENT_USER\Control Panel\International\Geo
    • Value Name: Nation
    • Data : 244 (244 is the country code of US)
It will then check if the following files exists in %APPDATA%, if not it will create a copy of the following files and then execute a copy of itself in %APPDATA%, then terminate and delete the currently running file.
  • bitcrypt.ccw
    • This file contains base 64 strings, BitCrypt ID and status of encryption of files in the system
      • BitCrypt ID format
        • WIN -<region location of Windows>-<4 random numbers><index of base64 strings>
  • BitCrypt.txt 
    • This file contains information where to download the program decryptor. This note is in 10 different languages: English, French, German, Russian, Italian, Spanish, Portuguese, Japanese, Chinese and Arabic. In this note it also claims that files are encoded using RSA-1024 key. As of this moment, links given by this note is not accessible.

It will create del.bat to delete the currently running file and execute the copy of itself in %APPDATA%.


Extraction of base 64 strings

This malware creates jump table of the available random base 64 string arrays. Using Delphi generator it randomly chose an index of what set of strings to use at the time of infection.
Based from the image above, the string index is 1A2h, based on malware code it extracts the base 64 string using the following instruction:
  • MOV EDX,DWORD PTR DS:[ESI*4+47DE98]  ESI: = 0x1A2 (418)
    • ESI*4 = 1A2 * 4 = 688


Infection Routine

This malware will encrypt files with the following file extensions:
  • *.dbf
  • *.mdb
  • *.mde
  • *.xls
  • *.xlw
  • *.docx
  • *.doc
  • *.cer
  • *.key
  • *.rtf
  • *.xlsm
  • *.xlsx
  • *.txt
  • *.xlc
  • *.docm
  • *.xlk
  • *.text
  • *.ppt
  • *.djvu
  • *.pdf
  • *.lzo
  • *.djv
  • *.cdx
  • *.cdt
  • *.cdr
  • *.bpg
  • *.xfm
  • *.dfm
  • *.pas
  • *.dpk
  • *.dpr
  • *.frm
  • *.vbp
  • *.php
  • *.js
  • *.wri
  • *.css
  • *.asm
  • *.jpg
  • *.jpeg
  • *.dbx
  • *.dbt
  • *.odc
  • *.sql
  • *.abw
  • *.pab
  • *.vsd
  • *.xsf
  • *.xsn
  • *.pps
  • *.lzh
  • *.pgp
  • *.arj
  • *.gz
  • *.pst
  • *.xl
It will first search and list down all the files with the above file extensions.
It will encrypt the target file and write the encrypted data to a new file with ".bitcrypt2" extension then delete the original file. 

Encryption routine
Payload

After encryption of files, it will change the status of infection in bitcrypt.ccw file from false to EncryptComplete.

It will change the wall paper with BitCrypt.bmp to notify the user that the system has been infected by Bitcrypt v2.0.

And just to make sure that the user will be able to read Bitcrypt.txt, it will open this file through notepad.exe


Read More

Saturday, May 31, 2014

Spam mail from fake FedEx

Posted on Saturday, May 31, 2014 by Unknown | No comments
Here is a screenshot of the spam mail which claims to be from FedEx.

 
You will notice that the email address in the From field is suspicious already since it does not use the fedex.com domain.

The ZIP file contains an executable file that is disguised as a PDF file. It uses the double extension .PDF.EXE and uses icon of Acrobat PDF. We currently detect this as Trojan.Win32.Injector.awxd (v)

Summary

Upon execution, it creates a copy of itself as:
%ALLUSERSPROFILE %\m<random string>.exe

To execute itself every time Windows starts, it adds the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
56140 = "%ALLUSERSPROFILE %"\m<random string>.exe

It sets the following registry entries to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
TaskbarNoNotification = 0
HideSCAHealth = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
TaskbarNoNotification = 0
HideSCAHealth = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA = 0

It also deletes the following registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
taskmgr.exe

It then spawns an instance of the non-malicious file %SYSTEM%\msiexec.exe. Afterwards, it injects its malicious code to this process. It then deletes itself and downloads the following URLs:

<http>://37.139.47.56/srt/404.php
<http>://62.76.187.171/srt/404.php
<http>://85.143.166.119/srt/404.php

At the time of this writing, the servers now return an HTTP Error 404 Not Found and we are not able to analyze additional downloaded components. But based on its code, the server will give out another URL which contains either an EXE file or a ZIP file:  

seg000:7FFA2C44                 cmp     word ptr [eax], 'ZM'   ; check for 'MZ' indicates it is an EXE file
seg000:7FFA2C49                 jz      short loc_7FFA2C7F
seg000:7FFA2C4B                 cmp     dword ptr [eax], 4034B50h  ; check for 'PK' indicates ZIP file
seg000:7FFA2C51                 jz      short loc_7FFA2C70

A Different Payload

This malware employs multiple anti-analysis techniques. One reason it does this is to make analysis difficult for us malware researchers. In addition, it executes a different payload once it detects that it is being analysed. Instead of carrying out the behavior that was stated in the Summary section, the following modifications will be done:

Creates a copy of itself as:
%ALLUSERSPROFILE %\explorer.exe

To execute itself every time Windows starts, it adds the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Start WingMan Profiler = "%ALLUSERSPROFILE %"\explorer.exe

Opens and listens to port 3232. If someone connects to this port, a remote shell command prompt will be opened.

Anti-analysis Techniques

To start, it checks the environment it is being run on.
  • Checks process names for VBoxService.exe (VirtualBox) and vmtoolsd.exe (VMware)
  • Queries registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum and compares with strings:
_1961:00401E8E                 cmp     dword ptr [ebp-364h], 'awmv'
_1961:00401E98                 jz      short loc_401EBF
_1961:00401E9A
_1961:00401E9A loc_401E9A:
_1961:00401E9A                 cmp     dword ptr [ebp-364h], 'xobv'
_1961:00401EA4                 jz      short loc_401EBF
_1961:00401EA6
_1961:00401EA6 loc_401EA6:
_1961:00401EA6                 cmp     dword ptr [ebp-364h], 'umeq'
_1961:00401EB0                 jz      short loc_401EBF

  • Checks process names for 'SbieDll.dll' (Sandboxie)
  • Checks process names against stored hashes. There is no way to revert these hashes back to the original string that was used but we were able to map two hashes to wireshark.exe and vmtoolsd.exe.
_1961:00401CB6                 xor     eax, 0E17176Fh
_1961:00401CBB                 cmp     eax, 97CA535Dh
_1961:00401CC0                 jz      loc_401EBF
_1961:00401CC6                 cmp     eax, 23928ADBh
_1961:00401CCB                 jz      loc_401EBF
_1961:00401CD1                 cmp     eax, 6A231AA1h
_1961:00401CD6                 jz      loc_401EBF
_1961:00401CDC                 cmp     eax, 6DD2531Bh
_1961:00401CE1                 jz      loc_401EBF
_1961:00401CE7                 cmp     eax, 3A8B8BE4h
_1961:00401CEC                 jz      loc_401EBF
_1961:00401CF2                 cmp     eax, 3A51FCA1h
_1961:00401CF7                 jz      loc_401EBF
_1961:00401CFD                 cmp     eax, 55BEA691h
_1961:00401D02                 jz      loc_401EBF
_1961:00401D08                 cmp     eax, 32F5A99Ch
_1961:00401D0D                 jz      loc_401EBF
_1961:00401D13                 cmp     eax, 3351E744h
_1961:00401D18                 jz      loc_401EBF
_1961:00401D1E                 cmp     eax, 79B90798h  ; wireshark.exe
_1961:00401D23                 jz      loc_401EBF
_1961:00401D29                 cmp     eax, 0FD53FE32h
_1961:00401D2E                 jz      loc_401EBF
_1961:00401D34                 cmp     eax, 23A97A00h
_1961:00401D39                 jz      loc_401EBF
_1961:00401D3F                 cmp     eax, 0ADC6152Bh
_1961:00401D44                 jz      loc_401EBF
_1961:00401D4A                 cmp     eax, 1365FAFEh
_1961:00401D4F                 jz      loc_401EBF
_1961:00401D55                 cmp     eax, 98847CD1h
_1961:00401D5A                 jz      loc_401EBF
_1961:00401D60                 cmp     eax, 299BC837h  ; vmtoolsd.exe
_1961:00401D65                 jz      loc_401EBF
_1961:00401D6B                 cmp     eax, 35E8EFEAh
_1961:00401D70                 jz      loc_401EBF
_1961:00401D76                 cmp     eax, 632434B6h
_1961:00401D7B                 jz      loc_401EBF

As mentioned earlier, the behavior under "A Different Payload" section will be run if it detects any of these processes or strings.

If your volume information matches the hash 0x20C7DD84h, these mentioned checks are skipped:
_1961:00401C08                 call    dword ptr [ebp-10h] ; GetVolumeInformation
_1961:00401C0B                 lea     eax, [ebp-36Ch]
_1961:00401C11                 push    eax
_1961:00401C12                 call    sub_4016ED
_1961:00401C17                 cmp     eax, 20C7DD84h
_1961:00401C1C                 jz      loc_401EB2

Another anti-analysis technique it used is retrieval of API addresses by using CRC32 hashes.
_1961:00401DBB                 push    0C13A7AD3h      ; RegOpenKeyA
_1961:00401DC0                 push    esi
_1961:00401DC1                 call    GetAPIVaFromCrc32
_1961:00401DC6                 mov     [ebp-34h], eax
_1961:00401DC9                 test    eax, eax
_1961:00401DCB                 jz      loc_401EB2
_1961:00401DD1                 push    0B039ADFEh      ; RegQueryValueExA
_1961:00401DD6                 push    esi
_1961:00401DD7                 call    GetAPIVaFromCrc32
_1961:00401DDC                 mov     [ebp-38h], eax
_1961:00401DDF                 test    eax, eax
_1961:00401DE1                 jz      loc_401EB2
_1961:00401DE7                 push    0A9290135h      ; RegCloseKey
_1961:00401DEC                 push    esi
_1961:00401DED                 call    GetAPIVaFromCrc32
_1961:00401DF2                 mov     [ebp-3Ch], eax

A call to the RegOpenKeyA API would look something like this:
_1961:00401E3C                 push    80000002h
_1961:00401E41                 call    dword ptr [ebp-34h]

Using static analysis, one would not be able to easily see that the API called is RegOpenKeyA.

Yet another anti-analysis technique it uses is a second way of calling its APIs. If in the previous example, the API address is stored directly in [ebp-34h], now the API address is stored layers deeper in the memory.

00004CCC: FF25C061FA7F                 jmp         d,[7FFA61C0]
00004CD2: FF25BC61FA7F                 jmp         d,[7FFA61BC]
00004CD8: FF25B861FA7F                 jmp         d,[7FFA61B8]
00004CDE: FF25B461FA7F                 jmp         d,[7FFA61B4]
00004CE4: FF25A461FA7F                 jmp         d,[7FFA61A4]
00004CEA: FF25A061FA7F                 jmp         d,[7FFA61A0]
00004CF0: FF259C61FA7F                 jmp         d,[7FFA619C]
00004CF6: FF259861FA7F                 jmp         d,[7FFA6198]

Dumping the memory at address 0x7FFA61BC, it leads us to another address 0x7FF90020. Notice the difference in values from one dword to another is 0x10:












At address 0x7FF90020, the instruction would look like this:


The first instruction MOV EDI,EDI is actually a copy of SetFileAttributesW’s first instruction. The JMP instruction points to the next instruction in SetFileAttributesW. See dump at 0x7C8314DD:






Some debuggers only maps the API name to its starting address. As in this case, the debugger was not able to give out the API’s name. This is a bit sophisticated anti-analysis technique. For the malware to accomplish this, it has a built-in disassembler inside (more on this in appendix).

Additional dump at address 0x77F9000 (in increments of 0x10, one instruction is stored followed by an E9 jump):

For the downloader part, the malware also authenticates the data that was returned by the server. It expects the server to return a data that will match a hash in the code.  It will only download the next component if it successfully authenticates the data returned by the server. 

Network Activity
It assembles a string with the following format:
id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu

An example would be:
"id:1957944140|bid:2100|bv:120|os:849|la:31191969|rg:1"

It encrypts the string with RC4 using the key b8d4b5527da0f28c47cd82d86557d4dc and encodes the ciphertext using Base64. The encoded string is sent via HTTP POST requests to the following URLs:
<http>://37.139.47.56/srt/404.php
<http>://62.76.187.171/srt/404.php
<http>://85.143.166.119/srt/404.php

This is illustrated by the following packet capture:
























Appendix A. Disassembler

Querying parts of the following code in Google tells us it is a disassembler routine:
_1961:0040101F                 cmp     word ptr [esi-1], 20CDh
_1961:00401025                 jnz     short loc_401031
_1961:00401027                 inc     esi
_1961:00401028                 lodsd
_1961:00401029                 jmp     loc_40112F
_1961:0040102E ; ---------------------------------------------------------------------------
_1961:0040102E
_1961:0040102E loc_40102E:                             ; CODE XREF: sub_401000+1Dj
_1961:0040102E                 lodsb
_1961:0040102F                 inc     ah
_1961:00401031
_1961:00401031 loc_401031:                             ; CODE XREF: sub_401000+25j
_1961:00401031                 shr     eax, 1
_1961:00401033                 mov     al, ss:byte_401147[ebp+eax]
_1961:0040103A                 jb      short loc_40103F
_1961:0040103C                 shr     eax, 4

Interesting to note is that one of the search hits leads to a disassembler called Catchy32 v1.6 - Length Disassembler Engine 32bit which is part of a bootkit malware:
https://github.com/hzeroo/Carberp/blob/master/source%20-%20absource/pro/all%20source/bootkit.old/BKGen/i386/Catchy32.inc

Read More
Newer Posts Older Posts Home
Subscribe to: Posts (Atom)
volute-glacial
volute-glacial
 volute-glacial
volute-glacial
Copyright © Anti-Malware Laboratory | Powered by Blogger
Design by Fabthemes | Blogger Template by NewBloggerThemes.com