Here is a screenshot of the spam mail which claims to be
from FedEx.
You will notice that the email address in the From field is
suspicious already since it does not use the fedex.com domain.
The ZIP file contains an executable file that is disguised
as a PDF file. It uses the double extension .PDF.EXE and uses icon of Acrobat
PDF. We currently detect this as Trojan.Win32.Injector.awxd (v)
Summary
Upon execution, it creates a copy of itself as:
%ALLUSERSPROFILE %\m<random string>.exe
To execute itself every time Windows starts, it adds the
following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
56140 = "%ALLUSERSPROFILE %"\m<random
string>.exe
It sets the following registry entries to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
TaskbarNoNotification = 0
HideSCAHealth = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
TaskbarNoNotification = 0
HideSCAHealth = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA = 0
It also deletes the following registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Image
File Execution
taskmgr.exe
It then spawns an instance of the non-malicious file %SYSTEM%\msiexec.exe.
Afterwards, it injects its malicious code to this process. It then deletes itself
and downloads the following URLs:
<http>://37.139.47.56/srt/404.php
<http>://62.76.187.171/srt/404.php
<http>://85.143.166.119/srt/404.php
At the time of this writing, the servers now return an HTTP Error
404 Not Found and we are not able to analyze additional downloaded components.
But based on its code, the server will give out another URL which contains either
an EXE file or a ZIP file:
seg000:7FFA2C44 cmp word ptr [eax], 'ZM' ; check
for 'MZ' indicates it is an EXE file
seg000:7FFA2C49 jz short loc_7FFA2C7F
seg000:7FFA2C4B cmp dword ptr [eax], 4034B50h ; check for 'PK' indicates ZIP file
seg000:7FFA2C51 jz short loc_7FFA2C70
A Different Payload
This malware employs multiple anti-analysis techniques. One
reason it does this is to make analysis difficult for us malware researchers.
In addition, it executes a different payload once it detects that it is being analysed.
Instead of carrying out the behavior that was stated in the Summary section, the following modifications
will be done:
Creates a copy of itself as:
%ALLUSERSPROFILE %\explorer.exe
To execute itself every time Windows starts, it adds the
following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Start WingMan Profiler = "%ALLUSERSPROFILE %"\explorer.exe
Opens and listens to port 3232. If someone connects to this
port, a remote shell command prompt will be opened.
Anti-analysis
Techniques
To start, it checks the environment it is being run on.
- Checks process names for VBoxService.exe (VirtualBox) and vmtoolsd.exe (VMware)
- Queries registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum and compares with strings:
_1961:00401E8E
cmp dword ptr [ebp-364h],
'awmv'
_1961:00401E98 jz
short loc_401EBF
_1961:00401E9A
_1961:00401E9A loc_401E9A:
_1961:00401E9A
cmp dword ptr [ebp-364h],
'xobv'
_1961:00401EA4
jz short loc_401EBF
_1961:00401EA6
_1961:00401EA6 loc_401EA6:
_1961:00401EA6
cmp dword ptr [ebp-364h],
'umeq'
_1961:00401EB0 jz short loc_401EBF
- Checks process names for 'SbieDll.dll' (Sandboxie)
- Checks process names against stored hashes. There is no way to revert these hashes back to the original string that was used but we were able to map two hashes to wireshark.exe and vmtoolsd.exe.
_1961:00401CB6
xor eax, 0E17176Fh
_1961:00401CBB
cmp eax, 97CA535Dh
_1961:00401CC0
jz loc_401EBF
_1961:00401CC6
cmp eax, 23928ADBh
_1961:00401CCB
jz loc_401EBF
_1961:00401CD1
cmp eax, 6A231AA1h
_1961:00401CD6
jz loc_401EBF
_1961:00401CDC
cmp eax, 6DD2531Bh
_1961:00401CE1
jz loc_401EBF
_1961:00401CE7
cmp eax, 3A8B8BE4h
_1961:00401CEC
jz loc_401EBF
_1961:00401CF2
cmp eax, 3A51FCA1h
_1961:00401CF7
jz loc_401EBF
_1961:00401CFD
cmp eax, 55BEA691h
_1961:00401D02
jz loc_401EBF
_1961:00401D08
cmp eax, 32F5A99Ch
_1961:00401D0D
jz loc_401EBF
_1961:00401D13
cmp eax, 3351E744h
_1961:00401D18
jz loc_401EBF
_1961:00401D1E
cmp eax, 79B90798h ; wireshark.exe
_1961:00401D23
jz loc_401EBF
_1961:00401D29
cmp eax, 0FD53FE32h
_1961:00401D2E
jz loc_401EBF
_1961:00401D34 cmp
eax, 23A97A00h
_1961:00401D39
jz loc_401EBF
_1961:00401D3F
cmp eax, 0ADC6152Bh
_1961:00401D44
jz loc_401EBF
_1961:00401D4A
cmp eax, 1365FAFEh
_1961:00401D4F jz loc_401EBF
_1961:00401D55
cmp eax, 98847CD1h
_1961:00401D5A
jz loc_401EBF
_1961:00401D60
cmp eax, 299BC837h ; vmtoolsd.exe
_1961:00401D65
jz loc_401EBF
_1961:00401D6B
cmp eax, 35E8EFEAh
_1961:00401D70
jz loc_401EBF
_1961:00401D76
cmp eax, 632434B6h
_1961:00401D7B
jz loc_401EBF
As mentioned earlier, the behavior under "A Different
Payload" section will be run if it detects any of these processes or
strings.
If your volume information matches the hash 0x20C7DD84h, these
mentioned checks are skipped:
_1961:00401C08
call dword ptr [ebp-10h] ; GetVolumeInformation
_1961:00401C0B
lea eax, [ebp-36Ch]
_1961:00401C11
push eax
_1961:00401C12
call sub_4016ED
_1961:00401C17
cmp eax, 20C7DD84h
_1961:00401C1C
jz loc_401EB2
Another anti-analysis technique it used is retrieval of API addresses
by using CRC32 hashes.
_1961:00401DBB
push 0C13A7AD3h ; RegOpenKeyA
_1961:00401DC0
push esi
_1961:00401DC1
call GetAPIVaFromCrc32
_1961:00401DC6
mov [ebp-34h], eax
_1961:00401DC9
test eax, eax
_1961:00401DCB
jz loc_401EB2
_1961:00401DD1
push 0B039ADFEh ; RegQueryValueExA
_1961:00401DD6
push esi
_1961:00401DD7
call GetAPIVaFromCrc32
_1961:00401DDC
mov [ebp-38h], eax
_1961:00401DDF
test eax, eax
_1961:00401DE1
jz loc_401EB2
_1961:00401DE7
push 0A9290135h ; RegCloseKey
_1961:00401DEC
push esi
_1961:00401DED
call GetAPIVaFromCrc32
_1961:00401DF2
mov [ebp-3Ch], eax
A call to the RegOpenKeyA API would look something like this:
_1961:00401E3C
push 80000002h
_1961:00401E41
call dword ptr [ebp-34h]
Using static analysis, one would not be able to easily see that
the API called is RegOpenKeyA.
Yet another anti-analysis technique it uses is a second way
of calling its APIs. If in the previous example, the API address is stored
directly in [ebp-34h], now
the API address is stored layers deeper in the memory.
00004CCC: FF25C061FA7F jmp d,[7FFA61C0]
00004CD2: FF25BC61FA7F jmp d,[7FFA61BC]
00004CD8: FF25B861FA7F jmp d,[7FFA61B8]
00004CDE: FF25B461FA7F jmp d,[7FFA61B4]
00004CE4: FF25A461FA7F jmp d,[7FFA61A4]
00004CEA: FF25A061FA7F jmp d,[7FFA61A0]
00004CF0: FF259C61FA7F jmp d,[7FFA619C]
00004CF6: FF259861FA7F jmp d,[7FFA6198]
Dumping the memory at address 0x7FFA61BC, it leads us to
another address 0x7FF90020. Notice the difference in values from one dword to
another is 0x10:
At address 0x7FF90020, the instruction would look like this:
The first instruction MOV EDI,EDI is actually a copy of SetFileAttributesW’s
first instruction. The JMP instruction points to the next instruction in
SetFileAttributesW. See dump at 0x7C8314DD:
Some debuggers only maps the API name to its starting address.
As in this case, the debugger was not able to give out the API’s name. This is
a bit sophisticated anti-analysis technique. For the malware to accomplish
this, it has a built-in disassembler inside (more on this in appendix).
Additional dump at address 0x77F9000 (in increments of 0x10,
one instruction is stored followed by an E9 jump):
For the downloader part, the malware also authenticates the
data that was returned by the server. It expects the server to return a data that
will match a hash in the code. It will
only download the next component if it successfully authenticates the data
returned by the server.
Network Activity
It assembles a string with the following format:
id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu
An example would be:
"id:1957944140|bid:2100|bv:120|os:849|la:31191969|rg:1"
It encrypts the string with RC4 using the key b8d4b5527da0f28c47cd82d86557d4dc
and encodes the ciphertext using Base64. The encoded string is sent via HTTP
POST requests to the following URLs:
<http>://37.139.47.56/srt/404.php
<http>://62.76.187.171/srt/404.php
<http>://85.143.166.119/srt/404.php
This is illustrated by the following packet capture:
Appendix A. Disassembler
Querying parts of the following code in Google tells us it is
a disassembler routine:
_1961:0040101F
cmp word ptr [esi-1], 20CDh
_1961:00401025
jnz short loc_401031
_1961:00401027
inc esi
_1961:00401028
lodsd
_1961:00401029
jmp loc_40112F
_1961:0040102E ; ---------------------------------------------------------------------------
_1961:0040102E
_1961:0040102E loc_40102E: ; CODE XREF:
sub_401000+1Dj
_1961:0040102E
lodsb
_1961:0040102F
inc ah
_1961:00401031
_1961:00401031 loc_401031: ; CODE XREF:
sub_401000+25j
_1961:00401031
shr eax, 1
_1961:00401033
mov al,
ss:byte_401147[ebp+eax]
_1961:0040103A
jb short loc_40103F
_1961:0040103C
shr eax, 4
Interesting to note is that one of the search hits leads to a
disassembler called Catchy32 v1.6 - Length Disassembler
Engine 32bit which is part of a bootkit malware:
0 comments:
Post a Comment