Spam mail from fake FedEx

Here is a screenshot of the spam mail which claims to be from FedEx.

 

You will notice that the email address in the From field is suspicious already since it does not use the fedex.com domain.

The ZIP file contains an executable file that is disguised as a PDF file. It uses the double extension .PDF.EXE and uses icon of Acrobat PDF. We currently detect this as Trojan.Win32.Injector.awxd (v)

Summary

Upon execution, it creates a copy of itself as:

%ALLUSERSPROFILE %\m<random string>.exe

To execute itself every time Windows starts, it adds the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

56140 = "%ALLUSERSPROFILE %"\m<random string>.exe

It sets the following registry entries to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

TaskbarNoNotification = 0

HideSCAHealth = 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

TaskbarNoNotification = 0

HideSCAHealth = 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

EnableLUA = 0

It also deletes the following registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution

taskmgr.exe

It then spawns an instance of the non-malicious file %SYSTEM%\msiexec.exe. Afterwards, it injects its malicious code to this process. It then deletes itself and downloads the following URLs:

<http>://37.139.47.56/srt/404.php

<http>://62.76.187.171/srt/404.php

<http>://85.143.166.119/srt/404.php

At the time of this writing, the servers now return an HTTP Error 404 Not Found and we are not able to analyze additional downloaded components. But based on its code, the server will give out another URL which contains either an EXE file or a ZIP file:  

seg000:7FFA2C44                 cmp     word ptr [eax], 'ZM'   ; check for 'MZ' indicates it is an EXE file

seg000:7FFA2C49                 jz      short loc_7FFA2C7F

seg000:7FFA2C4B                 cmp     dword ptr [eax], 4034B50h  ; check for 'PK' indicates ZIP file

seg000:7FFA2C51                 jz      short loc_7FFA2C70

A Different Payload

This malware employs multiple anti-analysis techniques. One reason it does this is to make analysis difficult for us malware researchers. In addition, it executes a different payload once it detects that it is being analysed. Instead of carrying out the behavior that was stated in the Summary section, the following modifications will be done:

Creates a copy of itself as:

%ALLUSERSPROFILE %\explorer.exe

To execute itself every time Windows starts, it adds the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Start WingMan Profiler = "%ALLUSERSPROFILE %"\explorer.exe

Opens and listens to port 3232. If someone connects to this port, a remote shell command prompt will be opened.

Anti-analysis Techniques

To start, it checks the environment it is being run on.

• Checks process names for VBoxService.exe (VirtualBox) and vmtoolsd.exe (VMware)
• Queries registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum and compares with strings:

_1961:00401E8E                 cmp     dword ptr [ebp-364h], 'awmv'

_1961:00401E98                 jz      short loc_401EBF

_1961:00401E9A

_1961:00401E9A loc_401E9A:

_1961:00401E9A                 cmp     dword ptr [ebp-364h], 'xobv'

_1961:00401EA4                 jz      short loc_401EBF

_1961:00401EA6

_1961:00401EA6 loc_401EA6:

_1961:00401EA6                 cmp     dword ptr [ebp-364h], 'umeq'

_1961:00401EB0                 jz      short loc_401EBF

• Checks process names for 'SbieDll.dll' (Sandboxie)
• Checks process names against stored hashes. There is no way to revert these hashes back to the original string that was used but we were able to map two hashes to wireshark.exe and vmtoolsd.exe.

_1961:00401CB6                 xor     eax, 0E17176Fh

_1961:00401CBB                 cmp     eax, 97CA535Dh

_1961:00401CC0                 jz      loc_401EBF

_1961:00401CC6                 cmp     eax, 23928ADBh

_1961:00401CCB                 jz      loc_401EBF

_1961:00401CD1                 cmp     eax, 6A231AA1h

_1961:00401CD6                 jz      loc_401EBF

_1961:00401CDC                 cmp     eax, 6DD2531Bh

_1961:00401CE1                 jz      loc_401EBF

_1961:00401CE7                 cmp     eax, 3A8B8BE4h

_1961:00401CEC                 jz      loc_401EBF

_1961:00401CF2                 cmp     eax, 3A51FCA1h

_1961:00401CF7                 jz      loc_401EBF

_1961:00401CFD                 cmp     eax, 55BEA691h

_1961:00401D02                 jz      loc_401EBF

_1961:00401D08                 cmp     eax, 32F5A99Ch

_1961:00401D0D                 jz      loc_401EBF

_1961:00401D13                 cmp     eax, 3351E744h

_1961:00401D18                 jz      loc_401EBF

_1961:00401D1E                 cmp     eax, 79B90798h  ; wireshark.exe

_1961:00401D23                 jz      loc_401EBF

_1961:00401D29                 cmp     eax, 0FD53FE32h

_1961:00401D2E                 jz      loc_401EBF

_1961:00401D34                 cmp     eax, 23A97A00h

_1961:00401D39                 jz      loc_401EBF

_1961:00401D3F                 cmp     eax, 0ADC6152Bh

_1961:00401D44                 jz      loc_401EBF

_1961:00401D4A                 cmp     eax, 1365FAFEh

_1961:00401D4F                 jz      loc_401EBF

_1961:00401D55                 cmp     eax, 98847CD1h

_1961:00401D5A                 jz      loc_401EBF

_1961:00401D60                 cmp     eax, 299BC837h  ; vmtoolsd.exe

_1961:00401D65                 jz      loc_401EBF

_1961:00401D6B                 cmp     eax, 35E8EFEAh

_1961:00401D70                 jz      loc_401EBF

_1961:00401D76                 cmp     eax, 632434B6h

_1961:00401D7B                 jz      loc_401EBF

As mentioned earlier, the behavior under "A Different Payload" section will be run if it detects any of these processes or strings.

If your volume information matches the hash 0x20C7DD84h, these mentioned checks are skipped:

_1961:00401C08                 call    dword ptr [ebp-10h] ; GetVolumeInformation

_1961:00401C0B                 lea     eax, [ebp-36Ch]

_1961:00401C11                 push    eax

_1961:00401C12                 call    sub_4016ED

_1961:00401C17                 cmp     eax, 20C7DD84h

_1961:00401C1C                 jz      loc_401EB2

Another anti-analysis technique it used is retrieval of API addresses by using CRC32 hashes.

_1961:00401DBB                 push    0C13A7AD3h      ; RegOpenKeyA

_1961:00401DC0                 push    esi

_1961:00401DC1                 call    GetAPIVaFromCrc32

_1961:00401DC6                 mov     [ebp-34h], eax

_1961:00401DC9                 test    eax, eax

_1961:00401DCB                 jz      loc_401EB2

_1961:00401DD1                 push    0B039ADFEh      ; RegQueryValueExA

_1961:00401DD6                 push    esi

_1961:00401DD7                 call    GetAPIVaFromCrc32

_1961:00401DDC                 mov     [ebp-38h], eax

_1961:00401DDF                 test    eax, eax

_1961:00401DE1                 jz      loc_401EB2

_1961:00401DE7                 push    0A9290135h      ; RegCloseKey

_1961:00401DEC                 push    esi

_1961:00401DED                 call    GetAPIVaFromCrc32

_1961:00401DF2                 mov     [ebp-3Ch], eax

A call to the RegOpenKeyA API would look something like this:

_1961:00401E3C                 push    80000002h

_1961:00401E41                 call    dword ptr [ebp-34h]

Using static analysis, one would not be able to easily see that the API called is RegOpenKeyA.

Yet another anti-analysis technique it uses is a second way of calling its APIs. If in the previous example, the API address is stored directly in [ebp-34h], now the API address is stored layers deeper in the memory.

00004CCC: FF25C061FA7F                 jmp         d,[7FFA61C0]

00004CD2: FF25BC61FA7F                 jmp         d,[7FFA61BC]

00004CD8: FF25B861FA7F                 jmp         d,[7FFA61B8]

00004CDE: FF25B461FA7F                 jmp         d,[7FFA61B4]

00004CE4: FF25A461FA7F                 jmp         d,[7FFA61A4]

00004CEA: FF25A061FA7F                 jmp         d,[7FFA61A0]

00004CF0: FF259C61FA7F                 jmp         d,[7FFA619C]

00004CF6: FF259861FA7F                 jmp         d,[7FFA6198]

Dumping the memory at address 0x7FFA61BC, it leads us to another address 0x7FF90020. Notice the difference in values from one dword to another is 0x10:

At address 0x7FF90020, the instruction would look like this:

The first instruction MOV EDI,EDI is actually a copy of SetFileAttributesW’s first instruction. The JMP instruction points to the next instruction in SetFileAttributesW. See dump at 0x7C8314DD:

Some debuggers only maps the API name to its starting address. As in this case, the debugger was not able to give out the API’s name. This is a bit sophisticated anti-analysis technique. For the malware to accomplish this, it has a built-in disassembler inside (more on this in appendix).

Additional dump at address 0x77F9000 (in increments of 0x10, one instruction is stored followed by an E9 jump):

For the downloader part, the malware also authenticates the data that was returned by the server. It expects the server to return a data that will match a hash in the code.  It will only download the next component if it successfully authenticates the data returned by the server. 

Network Activity

It assembles a string with the following format:

id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu

An example would be:

"id:1957944140|bid:2100|bv:120|os:849|la:31191969|rg:1"

It encrypts the string with RC4 using the key b8d4b5527da0f28c47cd82d86557d4dc and encodes the ciphertext using Base64. The encoded string is sent via HTTP POST requests to the following URLs:

<http>://37.139.47.56/srt/404.php

<http>://62.76.187.171/srt/404.php

<http>://85.143.166.119/srt/404.php

This is illustrated by the following packet capture:

Appendix A. Disassembler

Querying parts of the following code in Google tells us it is a disassembler routine:

_1961:0040101F                 cmp     word ptr [esi-1], 20CDh

_1961:00401025                 jnz     short loc_401031

_1961:00401027                 inc     esi

_1961:00401028                 lodsd

_1961:00401029                 jmp     loc_40112F

_1961:0040102E ; ---------------------------------------------------------------------------

_1961:0040102E

_1961:0040102E loc_40102E:                             ; CODE XREF: sub_401000+1Dj

_1961:0040102E                 lodsb

_1961:0040102F                 inc     ah

_1961:00401031

_1961:00401031 loc_401031:                             ; CODE XREF: sub_401000+25j

_1961:00401031                 shr     eax, 1

_1961:00401033                 mov     al, ss:byte_401147[ebp+eax]

_1961:0040103A                 jb      short loc_40103F

_1961:0040103C                 shr     eax, 4

Interesting to note is that one of the search hits leads to a disassembler called Catchy32 v1.6 - Length Disassembler Engine 32bit which is part of a bootkit malware:

https://github.com/hzeroo/Carberp/blob/master/source%20-%20absource/pro/all%20source/bootkit.old/BKGen/i386/Catchy32.inc

Read More

A Trojan Startpage Bundled Promo

Trojan Startpage is a type of trojan that forcefully changes the default start page of a web browser.

This version of startpage found in the wild sometime early December 2013 is noticeably interesting. Unlike most of its predecessor where previous versions uses the registry hack [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] “Start Page” to change the start page of internet explorer, this one incorporates the use of a modified antivirus software to alter the start page of the browser. Together with the modified antivirus software, this version also includes many other non-malicious game software downloaders all squeezed/bundled (hence the title) together with the trojan using an NSIS (Nullsoft Scriptable Install System) installer in an attempt to conceal its execution to the user.

A step by step procedure of how this trojan operates is revealed below.

1. Creates %PROGRAMFILES%\rayying directory.
   

2. Creates “%ALLUSERSPROFILE%\Desktop\ Intornat   Explarer .lnk" which is a shortcut link to rayying.exe. Rayying.exe is a chinese web browser and is not malicious.
   

3. Creates a quick launch icon to rayying.exe in “%APPDATA%\Microsoft\Internet Explorer\Quick Launch” using Intornat Explorer again as shortcut name.
   

4. Creates a directory %PROGRAMFILES%\soft275710 and drops the following files:

• 300.bat - this will execute 300.reg file and forcefully restarts explorer.exe process
• 300.reg - this will add "Attributes"=dword:0133EC20 to registry keys pertaining to different explorer.exe functions like:
• • Default Navigator ({871C5380-42A0-1069-A2EA-08002B30309D})
  • Computer Search Results folder ({1F4DE370-D627-11D1-BA4F-00A0C91EEDBA})
  • Network Search Results ({E17D4FC0-5564-11D1-83F2-00A0C90DC849})
• 275710.txt - a non-malicious txt file
• b_2710.vbe - an encoded VB script that will execute 300.bat
• w_2710.exe - an NSIS compiled dropper/installer of smes.exe (this NSIS is the trojan that is responsible for modifying the start page of web browsers)

The VB script (b_2710.vbe) can be further decoded using the following tool found in http://www.greymagic.com/security/tools/decoder/.

Here is the decoded version of the script:

'1020111003101004571027101010

Dim WSHShell

Set WshShell = WScript.CreateObject("WScript.Shell")

strDesktop = WshShell.SpecialFolders("Desktop") :'ÌØÊâÎļþ¼Ð¡°×ÀÃ桱

Favorites = WshShell.SpecialFolders("Favorites") :'ÌØÊâÎļþ¼Ð¡°×ÀÃ桱

on error resume next

strttWinDir = WshShell.ExpandEnvironmentStrings("%ProgramFiles%")

createobject("wscript.shell").run """300.bat""",0

Dim fso

Set fso =CreateObject("Scripting.FileSystemObject")

fso.DeleteFile WScript.ScriptFullName

5. Runs internet explorer with the following address “http://www.qq937.com/yxyz/cp12/index.html?cid=50789”. While this site loads, it continues its malicious activities to the unsuspecting user in the background.
   

6. The trojan will then attempt to execute b_2710.vbe but since this VBscript is still encoded, the operating system will just return an error. At this point, the trojan’s system infection routine is halted for a moment and will only continue if and only if the user closes the error message. It is possible that this flaw was unintentionally created by the malware author.
   

7. Attempts to download and execute other components
   

8. Executes downloaded file %PROGRAMFILES%\soft275710\wl06079.exe detected by vipre as Trojan.Win32.Generic!BT
9. Executes %PROGRAMFILES%\soft275710\w_2710.exe (which installs smes.exe) detected by vipre as Trojan.NSIS.Startpage.aen (v)
10. Executes downloaded file %PROGRAMFILES%\soft275710\JJmatch_11494.exe a non-malicious game installer
11. Executes downloaded file %PROGRAMFILES%\soft275710\pipi_dae_381.exe a non-malicious game installer

An In Depth Analysis to w_2710.exe - Trojan.NSIS.Startpage.aen (v)

The file w_2710.exe; that came in bundled with other softwares using NSIS installer, is also compressed using an NSIS installer. Executing w_2710.exe will create two new directories in %ALLUSERSPROFILE%\Application Data as “kingsoft\kws” and “smes”.

For %ALLUSERSPROFILE%\Application Data\kingsoft\kws directory, the following files were added:

• kws.ini
• spitesp.dat
• spot.ini

For %ALLUSERSPROFILE%\Application Data\smes directory, the following files were added:

• smes.exe
• kswbc.dll
• kswebshield.dll
• kwssp.dll
• kwsui.dll
• u.bat

It will then execute the batch file u.bat which in turn executing three commands smes.exe -install (installs smes.exe as a service), smes.exe - start (starts the service of smes.exe)  and del %0 (deletes u.bat).

Smes.exe has 5 command line available and these are:

-install

• installs Kingsoft Antivirus Webshield Service

-run

• executes smes.exe as a normal process

-uninstall

• removes Kingsoft Antivirus Webshield Service

-start

• executes smes.exe as a service process

-console

• executes smes.exe as a normal process with verbose logging enabled

A service named Kingsoft Antivirus Webshield Service is created that starts smes.exe everytime the system boots up.

Service Name: Kingsoft Antivirus WebShield Service

Display Name: Kingsoft Antivirus WebShield Service

Service Type: SERVICE_INTERACTIVE_PROCESS, SERVICE_WIN32_OWN_PROCESS

Service State: SERVICE_RUNNING

Binary Path: C:\_target\smes\$APPDATA\smes\smes.exe

Once the service is started, you cannot stop it in Windows’ Services Management Console because smes.exe grays out the STOP button as seen in the figure below.

However, you can manually terminate the running process id of smes.exe using Windows Task Manager or Sysinternal Process Explorer which in turn also stops the service.

Also on a note; once smes.exe starts to execute, the start page of internet explorer visibly changes to http://www.hao144.info/1/. And when terminated, the start page reverts back to the original.

In our analysis, smes.exe proves to be non-malicious by itself; however, malware authors can exploit its features (like changing the start page of web browsers) to their advantage.

In order to fully know how the process of modifying the start page of web browsers was done, we proceed in analyzing smes.exe’s component dlls.

kwssp.dll

exports:

DllCanUnloadNow

DllGetClassObject

- non-malicious

- responsible for reading settings found in kws.ini file and passes the parameters read to kswebshield.dll module.

- attempts to establish connection to labs.duba.net which is the website of kingsoft

kwsui.dll

exports:

DoDisplayLog

GetClassObject

GetHookStatus

SetWindowStyle

Startup

Stop

DllGetClassObject

- non-malicious

- injected to all running processes by using SetWindowsHookEx in order to monitor WH_CBT (http://msdn.microsoft.com/en-us/library/windows/desktop/ms644977(v=vs.85).aspx) and WH_GETMESSAGE (message queue). A good read about windows hooks plus two more other process injection techniques is found in this article http://www.codeproject.com/Articles/4610/Three-Ways-to-Inject-Your-Code-into-Another-Proces

- responsible for injecting kswebshield.dll to running processes

- verifies if it is injected to the following list of process

• KSWebShield.exe
• kxeserv.exe
• kxfwsserv.exe
• winlogon.exe
• explorer.exe
• kugoo.exe
• iexplore.exe
• 360se.exe
• maxthon.exe
• theworld.exe
• ttraveler.exe
• greenbrowser.exe
• MyiQ.exe
• myie.exe
• tmshell.exe
• flashget.exe
• SogouExplorer.exe
• setask.exe
• firefox.exe
• chrome.exe
• gsfbwsr.exe
• opera.exe
• tango.exe
• SaaYaa.exe
• Safari.exe
• MxCore.exe
• AcroRd32.exe
• tango3.exe
• tangoweb.exe

kswbc.dll

exports:

DllCanUnloadNow

DllGetClassObject

DllRegisterServer

DllUnregisterServer

- non-malicious

- injected to iexplore.exe only by kswebshield.dll

kswebshield.dll

exports:

MatchingUWUrl

MatchingUrl

ProcessUWUrl

RegisterUrlProcessor

UnregisterUrlProcessor

UrlProcess

- non-malicious

- injected to running processes using SetWindowsHookEx API

- the culprit responsible for replacing the start page of internet explorer to whatever website is set under “sp” tag under its ini file (kws.ini).

In this figure, kswebshield.dll is already injected to process memory of iexplore.exe and starts to load http://www.hao144.info/1/.

- also hooks the following list of APIs in order to route execution to itself:

• WS2_32.WSASend
• WS2_32.Send
• NTDLL.ZwCreateProcessEx
• NTDLL.ZwCreateProcess
• WININET.HttpOpenRequestA
• WININET.HttpOpenRequestW
• WININET.InternetConnectA
• WININET.InternetConnectW
• WININET.InternetReadFile
• WININET.InternetQueryDataAvailable
• WININET.InternetOpenUrlA
• WININET.InternetOpenUrlW
• WININET.InternetCloseHandle
• KERNEL32.CopyFileExA
• KERNEL32.CopyFileExW
• KERNEL32.CopyFileA
• KERNEL32.CopyFileW
• KERNEL32.LoadLibraryA
• KERNEL32.LoadLibraryW
• KERNEL32.LoadLibraryExA
• KERNEL32.LoadLibraryExW
• KERNEL32.CreateProcessInternalA
• KERNEL32.CreateProcessInternalW
• KERNEL32.CreateProcessW
• KERNEL32.CreateProcessA
• KERNEL32.WinExec
• OLEAUT32.SysAllocStringByteLen
• OLEAUT32.SysAllocStringLen
• SHELL32.ShellExecuteExA
• SHELL32.ShellExecuteExW
• OLE32.CoGetClassObject
• OLE32.CoRegisterClassObject
• OLE32.CoCreateInstance
• SHLWAPI.SHRegGetUSValue
• ADVAPI32.RegQueryValueExA
• ADVAPI32.RegQueryValueExW
• NSPR4.PR_LoadLibrary
• URLMON.CoGetClassObjectFromURL
• URLMON.URLDownloadToCacheFileA
• URLMON.URLDownloadToCacheFileW
• URLMON.URLDownloadToFileA
• URLMON.URLDownloadToFileW

Figure below demonstrates how hooking is done by replacing the first 5 bytes of the target API with a jump offset to the arbitrary code.

Read More