• Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg
  • Delicious

Anti-Malware Laboratory

Yet Another Malware Blog

About

An informal blog from your friendly neighborhood software security humans.

Blog Archive

  • ►  2015 (5)
    • ►  October (1)
    • ►  August (2)
    • ►  May (1)
    • ►  March (1)
  • ▼  2014 (8)
    • ►  October (1)
    • ►  July (1)
    • ►  June (1)
    • ▼  May (4)
      • Spam mail from fake FedEx
      • A Trojan Startpage Bundled Promo
      • PCode Vobfus Malware
      • Native Vobfus Malware
    • ►  April (1)
  • ►  2013 (12)
    • ►  December (3)
    • ►  November (5)
    • ►  August (2)
    • ►  March (2)
  • ►  2012 (35)
    • ►  April (4)
    • ►  March (12)
    • ►  February (17)
    • ►  January (2)

Categories

adobe (1) android (10) android february (1) baksmali (1) Black Hole (2) crimepack (1) disassembler (1) exploit (3) Exploits (4) Fakeav Winrar sfx (1) Fishbowl (1) flash (1) gift certificates (1) Google Authenticator (1) google play (1) hcp (1) java (1) Malware (5) mdac (1) Mobile (24) NSA Mobility Program (1) obfuscated script (1) pdf (1) Reversing (2) rhino (1) skype (1) smali (1) spam (1) test (1) Unpacking (1) vouchers (1) vulnerability (3)

Popular Posts

  • Bank of America spam: An Analysis
    An email claiming to be from Bank of America lures users to open an attachment that shows how to open secure emails from the bank. The mess...
  • [BE CAUTIOUS] Dragon Ball Z: Resurrection of F MALWARE and SCAM
    Be wary of downloading movies in torrent sites.  Executables can also be executed with a file size as huge as a gigabyte...
  • Unpacking MFC Compiled CryptoWall Malware
    Unpacking MFC Compiled CryptoWall Malware Introduction First and foremost, this article does not intend to analyze what CryptoWall malw...

Visitors to this blog

Saturday, May 31, 2014

Spam mail from fake FedEx

Posted on Saturday, May 31, 2014 by Unknown | No comments
Here is a screenshot of the spam mail which claims to be from FedEx.

 
You will notice that the email address in the From field is suspicious already since it does not use the fedex.com domain.

The ZIP file contains an executable file that is disguised as a PDF file. It uses the double extension .PDF.EXE and uses icon of Acrobat PDF. We currently detect this as Trojan.Win32.Injector.awxd (v)

Summary

Upon execution, it creates a copy of itself as:
%ALLUSERSPROFILE %\m<random string>.exe

To execute itself every time Windows starts, it adds the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
56140 = "%ALLUSERSPROFILE %"\m<random string>.exe

It sets the following registry entries to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
TaskbarNoNotification = 0
HideSCAHealth = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
TaskbarNoNotification = 0
HideSCAHealth = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA = 0

It also deletes the following registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
taskmgr.exe

It then spawns an instance of the non-malicious file %SYSTEM%\msiexec.exe. Afterwards, it injects its malicious code to this process. It then deletes itself and downloads the following URLs:

<http>://37.139.47.56/srt/404.php
<http>://62.76.187.171/srt/404.php
<http>://85.143.166.119/srt/404.php

At the time of this writing, the servers now return an HTTP Error 404 Not Found and we are not able to analyze additional downloaded components. But based on its code, the server will give out another URL which contains either an EXE file or a ZIP file:  

seg000:7FFA2C44                 cmp     word ptr [eax], 'ZM'   ; check for 'MZ' indicates it is an EXE file
seg000:7FFA2C49                 jz      short loc_7FFA2C7F
seg000:7FFA2C4B                 cmp     dword ptr [eax], 4034B50h  ; check for 'PK' indicates ZIP file
seg000:7FFA2C51                 jz      short loc_7FFA2C70

A Different Payload

This malware employs multiple anti-analysis techniques. One reason it does this is to make analysis difficult for us malware researchers. In addition, it executes a different payload once it detects that it is being analysed. Instead of carrying out the behavior that was stated in the Summary section, the following modifications will be done:

Creates a copy of itself as:
%ALLUSERSPROFILE %\explorer.exe

To execute itself every time Windows starts, it adds the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Start WingMan Profiler = "%ALLUSERSPROFILE %"\explorer.exe

Opens and listens to port 3232. If someone connects to this port, a remote shell command prompt will be opened.

Anti-analysis Techniques

To start, it checks the environment it is being run on.
  • Checks process names for VBoxService.exe (VirtualBox) and vmtoolsd.exe (VMware)
  • Queries registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum and compares with strings:
_1961:00401E8E                 cmp     dword ptr [ebp-364h], 'awmv'
_1961:00401E98                 jz      short loc_401EBF
_1961:00401E9A
_1961:00401E9A loc_401E9A:
_1961:00401E9A                 cmp     dword ptr [ebp-364h], 'xobv'
_1961:00401EA4                 jz      short loc_401EBF
_1961:00401EA6
_1961:00401EA6 loc_401EA6:
_1961:00401EA6                 cmp     dword ptr [ebp-364h], 'umeq'
_1961:00401EB0                 jz      short loc_401EBF

  • Checks process names for 'SbieDll.dll' (Sandboxie)
  • Checks process names against stored hashes. There is no way to revert these hashes back to the original string that was used but we were able to map two hashes to wireshark.exe and vmtoolsd.exe.
_1961:00401CB6                 xor     eax, 0E17176Fh
_1961:00401CBB                 cmp     eax, 97CA535Dh
_1961:00401CC0                 jz      loc_401EBF
_1961:00401CC6                 cmp     eax, 23928ADBh
_1961:00401CCB                 jz      loc_401EBF
_1961:00401CD1                 cmp     eax, 6A231AA1h
_1961:00401CD6                 jz      loc_401EBF
_1961:00401CDC                 cmp     eax, 6DD2531Bh
_1961:00401CE1                 jz      loc_401EBF
_1961:00401CE7                 cmp     eax, 3A8B8BE4h
_1961:00401CEC                 jz      loc_401EBF
_1961:00401CF2                 cmp     eax, 3A51FCA1h
_1961:00401CF7                 jz      loc_401EBF
_1961:00401CFD                 cmp     eax, 55BEA691h
_1961:00401D02                 jz      loc_401EBF
_1961:00401D08                 cmp     eax, 32F5A99Ch
_1961:00401D0D                 jz      loc_401EBF
_1961:00401D13                 cmp     eax, 3351E744h
_1961:00401D18                 jz      loc_401EBF
_1961:00401D1E                 cmp     eax, 79B90798h  ; wireshark.exe
_1961:00401D23                 jz      loc_401EBF
_1961:00401D29                 cmp     eax, 0FD53FE32h
_1961:00401D2E                 jz      loc_401EBF
_1961:00401D34                 cmp     eax, 23A97A00h
_1961:00401D39                 jz      loc_401EBF
_1961:00401D3F                 cmp     eax, 0ADC6152Bh
_1961:00401D44                 jz      loc_401EBF
_1961:00401D4A                 cmp     eax, 1365FAFEh
_1961:00401D4F                 jz      loc_401EBF
_1961:00401D55                 cmp     eax, 98847CD1h
_1961:00401D5A                 jz      loc_401EBF
_1961:00401D60                 cmp     eax, 299BC837h  ; vmtoolsd.exe
_1961:00401D65                 jz      loc_401EBF
_1961:00401D6B                 cmp     eax, 35E8EFEAh
_1961:00401D70                 jz      loc_401EBF
_1961:00401D76                 cmp     eax, 632434B6h
_1961:00401D7B                 jz      loc_401EBF

As mentioned earlier, the behavior under "A Different Payload" section will be run if it detects any of these processes or strings.

If your volume information matches the hash 0x20C7DD84h, these mentioned checks are skipped:
_1961:00401C08                 call    dword ptr [ebp-10h] ; GetVolumeInformation
_1961:00401C0B                 lea     eax, [ebp-36Ch]
_1961:00401C11                 push    eax
_1961:00401C12                 call    sub_4016ED
_1961:00401C17                 cmp     eax, 20C7DD84h
_1961:00401C1C                 jz      loc_401EB2

Another anti-analysis technique it used is retrieval of API addresses by using CRC32 hashes.
_1961:00401DBB                 push    0C13A7AD3h      ; RegOpenKeyA
_1961:00401DC0                 push    esi
_1961:00401DC1                 call    GetAPIVaFromCrc32
_1961:00401DC6                 mov     [ebp-34h], eax
_1961:00401DC9                 test    eax, eax
_1961:00401DCB                 jz      loc_401EB2
_1961:00401DD1                 push    0B039ADFEh      ; RegQueryValueExA
_1961:00401DD6                 push    esi
_1961:00401DD7                 call    GetAPIVaFromCrc32
_1961:00401DDC                 mov     [ebp-38h], eax
_1961:00401DDF                 test    eax, eax
_1961:00401DE1                 jz      loc_401EB2
_1961:00401DE7                 push    0A9290135h      ; RegCloseKey
_1961:00401DEC                 push    esi
_1961:00401DED                 call    GetAPIVaFromCrc32
_1961:00401DF2                 mov     [ebp-3Ch], eax

A call to the RegOpenKeyA API would look something like this:
_1961:00401E3C                 push    80000002h
_1961:00401E41                 call    dword ptr [ebp-34h]

Using static analysis, one would not be able to easily see that the API called is RegOpenKeyA.

Yet another anti-analysis technique it uses is a second way of calling its APIs. If in the previous example, the API address is stored directly in [ebp-34h], now the API address is stored layers deeper in the memory.

00004CCC: FF25C061FA7F                 jmp         d,[7FFA61C0]
00004CD2: FF25BC61FA7F                 jmp         d,[7FFA61BC]
00004CD8: FF25B861FA7F                 jmp         d,[7FFA61B8]
00004CDE: FF25B461FA7F                 jmp         d,[7FFA61B4]
00004CE4: FF25A461FA7F                 jmp         d,[7FFA61A4]
00004CEA: FF25A061FA7F                 jmp         d,[7FFA61A0]
00004CF0: FF259C61FA7F                 jmp         d,[7FFA619C]
00004CF6: FF259861FA7F                 jmp         d,[7FFA6198]

Dumping the memory at address 0x7FFA61BC, it leads us to another address 0x7FF90020. Notice the difference in values from one dword to another is 0x10:












At address 0x7FF90020, the instruction would look like this:


The first instruction MOV EDI,EDI is actually a copy of SetFileAttributesW’s first instruction. The JMP instruction points to the next instruction in SetFileAttributesW. See dump at 0x7C8314DD:






Some debuggers only maps the API name to its starting address. As in this case, the debugger was not able to give out the API’s name. This is a bit sophisticated anti-analysis technique. For the malware to accomplish this, it has a built-in disassembler inside (more on this in appendix).

Additional dump at address 0x77F9000 (in increments of 0x10, one instruction is stored followed by an E9 jump):

For the downloader part, the malware also authenticates the data that was returned by the server. It expects the server to return a data that will match a hash in the code.  It will only download the next component if it successfully authenticates the data returned by the server. 

Network Activity
It assembles a string with the following format:
id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu

An example would be:
"id:1957944140|bid:2100|bv:120|os:849|la:31191969|rg:1"

It encrypts the string with RC4 using the key b8d4b5527da0f28c47cd82d86557d4dc and encodes the ciphertext using Base64. The encoded string is sent via HTTP POST requests to the following URLs:
<http>://37.139.47.56/srt/404.php
<http>://62.76.187.171/srt/404.php
<http>://85.143.166.119/srt/404.php

This is illustrated by the following packet capture:
























Appendix A. Disassembler

Querying parts of the following code in Google tells us it is a disassembler routine:
_1961:0040101F                 cmp     word ptr [esi-1], 20CDh
_1961:00401025                 jnz     short loc_401031
_1961:00401027                 inc     esi
_1961:00401028                 lodsd
_1961:00401029                 jmp     loc_40112F
_1961:0040102E ; ---------------------------------------------------------------------------
_1961:0040102E
_1961:0040102E loc_40102E:                             ; CODE XREF: sub_401000+1Dj
_1961:0040102E                 lodsb
_1961:0040102F                 inc     ah
_1961:00401031
_1961:00401031 loc_401031:                             ; CODE XREF: sub_401000+25j
_1961:00401031                 shr     eax, 1
_1961:00401033                 mov     al, ss:byte_401147[ebp+eax]
_1961:0040103A                 jb      short loc_40103F
_1961:0040103C                 shr     eax, 4

Interesting to note is that one of the search hits leads to a disassembler called Catchy32 v1.6 - Length Disassembler Engine 32bit which is part of a bootkit malware:
https://github.com/hzeroo/Carberp/blob/master/source%20-%20absource/pro/all%20source/bootkit.old/BKGen/i386/Catchy32.inc

Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)
volute-glacial
volute-glacial
 volute-glacial
volute-glacial
Copyright © Anti-Malware Laboratory | Powered by Blogger
Design by Fabthemes | Blogger Template by NewBloggerThemes.com