- ========================
- #MalwareMustDie!
- Attachment Zbot Campaign Spam.
- File/malware Analysis:
- Sample : ./Statement57-27-05-2013.exe
- MD5 : 0bbf809dc46ed5d6c9f1774b13521e72
- SHA256 : 00b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400
- @unixfreaxjp ~]$ date
- Tue May 28 23:50:23 JST 2013
- ========================
- // Some fakes:
- Fake Compile date: 2011-02-07 04:32:22
- Fake (PE) signature:
- LegalTrademarks: Gyhinoh Vovyruc Owog Ubuxe Evy Vuzy Ciza Nanef Hary
- SubsystemVersion: 4.0
- InitializedDataSize: 76288
- Publisher: Commander Group
- Product: Yzy
- Version: 3, 6
- Original name: Mpjogana1vavo.exe
- Internal name: Ocosiq
- File version: 3, 6, 5
- Description: Erytep Zadopi Ukaho
- // Looks creepy enough; the hash is already in the VT database:
- // VirusTotal:
- VT URL : https://www.virustotal.com/latest-scan/00b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400
- SHA256: 00b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400
- SHA1: 9a50fa08e71711d26d86f34d8179f87757a88fa8
- MD5: 0bbf809dc46ed5d6c9f1774b13521e72
- File size: 237.0 KB ( 242688 bytes )
- File name: Statement 57-27-05-2013.exe
- File type: Win32 EXE
- Tags: peexe
- Detection ratio: 27 / 47
- Analysis date: 2013-05-28 11:38:53 UTC ( 2 minutes ago )
- First submission 2013-05-27 12:48:38 UTC ( 22 hours, 52 minutes ago )
- Last submission 2013-05-28 11:38:53 UTC ( 2 minutes ago )
- Verdict of ./Statement 57-27-05-2013.exe with MD5 0bbf809dc46ed5d6c9f1774b13521e72 :
- ----------------------------------------------------------------------------
- MicroWorld-eScan: Trojan.GenericKD.1012186
- nProtect : Trojan.Zbot.IAA
- McAfee : PWS-Zbot-FBBF
- Malwarebytes : Spyware.Passwords
- F-Prot : W32/Trojan3.FID
- Symantec : Trojan.Zbot
- Norman : Suspicious_Gen4.EBMZD
- ByteHero : Trojan.Malware.Obscu.Gen.002
- TrendMicro-HouseCall : TROJ_GEN.RC9H1ER13
- Avast : Win32:Malware-gen
- Kaspersky : Trojan-Spy.Win32.Zbot.lvpo
- BitDefender : Trojan.GenericKD.1012186
- Sophos : Troj/Zbot-FHI
- Comodo : TrojWare.Win32.Trojan.Agent.Gen
- F-Secure : Trojan.GenericKD.1012186
- DrWeb : Trojan.PWS.Panda.4379
- VIPRE : Trojan.Win32.Generic!BT
- AntiVir: TR/Spy.ZBot.lvpo
- Emsisoft : Trojan.Win32.Agent.AMN (A)
- ESET-NOD32: Win32/Spy.Zbot.AAU
- GData : Trojan.GenericKD.1012186
- Commtouch : W32/Trojan.RYWZ-7367
- AhnLab-V3 : Spyware/Win32.Zbot
- Ikarus : Trojan-Spy.Agent
- Fortinet : W32/Zbot.AOV!tr
- AVG : Zbot.AGJ
- ==================================
- Why Zbot?? A hint for all users
- ===================================
- Why is it a Zbot?
- Let's take a look at the behavior tab of the VT report page,
- and see these Zbot variant trademarks below (ref: VT behavior info):
- Drops:
- C:\Documents and Settings\<USER>\Application Data\Etivu\irjypy.exe
- C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp4affcd27.bat
- C:\Documents and Settings\<USER>\Application Data\Microsoft\AddressBook\<USER>.wab
- And self-copied:
- C:\autoexec.bat
- C:\WINDOWS\system32\rsaenh.dll
- And injection of the following processes:
- explorer.exe
- wscntfy.exe
- python.exe
- VBoxTray.exe
- irjypy.exe
- Also an opening of (LDAP/AD) Services:
- MACHINE: localhost
- DATABASE: SERVICES_ACTIVE_DATABASE
- And UDP communication to <MACHINE_DNS_SERVER>:53 and to:
- 64.4.10.33:123
- 78.161.154.194:25633
- 186.29.77.250:18647
- 190.37.115.43:29609
- 187.131.8.1:13957
- 181.67.50.91:27916
- :
- ======================
- BINARY ANALYSIS
- ======================
- // The hex:
- Sections (name, virtual address, virtual size, raw size):
- .text 0x1000 0x282f8 164864
- .rdata 0x2a000 0x840 2560
- .data 0x2b000 0x1c70b 67584
- .rsrc 0x48000 0x1788 6144
- Entry Point at 0x243cb
- Virtual Address (Reversing Start) is 0x424fcb
- FileAccess & CreateDate: 2013:05:28 12:38:54+01:00
- Unpacked but decoded..
- Hex:
- 0000  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
- 0010  B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
- 0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- 0030  00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 ................
- 0040  0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
- 0050  69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
- 0060  74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
- 0070  6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
- 0080  07 21 34 D1 43 40 5A 82 43 40 5A 82 43 40 5A 82 .!4.C@Z.C@Z.C@Z.
- 0090  50 48 07 82 51 40 5A 82 BC 60 5E 82 73 40 5A 82 PH..Q@Z..`^.s@Z.
- 00A0  45 63 50 82 51 40 5A 82 80 4F 07 82 6A 40 5A 82 EcP.Q@Z..O..j@Z.
- 00B0  C0 48 07 82 4B 40 5A 82 15 48 5C 82 55 40 5A 82 .H..K@Z..H..U@Z.
- 00C0  52 69 63 68 43 40 5A 82 00 00 00 00 00 00 00 00 RichC@Z.........
- 00D0  50 45 00 00 4C 01 04 00 D6 75 4F 4D 00 00 00 00 PE..L....uOM....
- 00E0  00 00 00 00 E0 00 0E 01 0B 01 04 00 00 84 02 00 ................
- 00F0  00 2A 01 00 00 00 00 00 CB 4F 02 00 00 10 00 00 .*.......O......
- 0100  00 A0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 ......@.........
- 0110  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ................
- 0120  00 A0 04 00 00 04 00 00 EF 78 04 00 02 00 00 00 .........x......
- 0130  00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ................
- 0140  00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
- 0150  38 A1 02 00 64 00 00 00 00 80 04 00 88 17 00 00 8...d...........
- 0160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- 0170  00 00 00 00 00 00 00 00 40 B1 02 00 1C 00 00 00 ........@.......
- 0180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- 0190  00 00 00 00 00 00 00 00 00 B0 02 00 40 00 00 00 ............@...
- 01A0  00 00 00 00 00 00 00 00 00 A0 02 00 38 01 00 00 ............8...
- 01B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- 01C0  00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 .........text...
- 01D0  F8 82 02 00 00 10 00 00 00 84 02 00 00 04 00 00 ................
- 01E0  00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
- 01F0  2E 72 64 61 74 61 00 00 40 08 00 00 00 A0 02 00 .rdata..@.......
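To check the header facts listed above (fake compile date, SubsystemVersion 4.0, InitializedDataSize 76288, entry point 0x243cb as file offset and 0x424fcb as virtual address, the .text section line) against the bytes themselves, here is an added example, not the author's tooling: a minimal PE header parser run over the 512 bytes of the dump. It assumes the dump was transcribed exactly and copes with the dump stopping partway through the section table.

```python
"""Recover the header fields reported above straight from the hex dump: the
(faked) TimeDateStamp, SubsystemVersion, InitializedDataSize, the section
table and the entry point as RVA, VA and raw file offset. Added example,
not the author's code; HEADER is the dump's 512 bytes, which end inside
the section table, so the parser has to cope with a cut-off table."""
import struct
from datetime import datetime, timezone

# Offsets 0x0000-0x01FF of Statement57-27-05-2013.exe, two dump rows per line.
HEADER = bytes.fromhex("""
4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00
0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F
74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00
07 21 34 D1 43 40 5A 82 43 40 5A 82 43 40 5A 82 50 48 07 82 51 40 5A 82 BC 60 5E 82 73 40 5A 82
45 63 50 82 51 40 5A 82 80 4F 07 82 6A 40 5A 82 C0 48 07 82 4B 40 5A 82 15 48 5C 82 55 40 5A 82
52 69 63 68 43 40 5A 82 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 D6 75 4F 4D 00 00 00 00
00 00 00 00 E0 00 0E 01 0B 01 04 00 00 84 02 00 00 2A 01 00 00 00 00 00 CB 4F 02 00 00 10 00 00
00 A0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
00 A0 04 00 00 04 00 00 EF 78 04 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00
00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 38 A1 02 00 64 00 00 00 00 80 04 00 88 17 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 B1 02 00 1C 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B0 02 00 40 00 00 00
00 00 00 00 00 00 00 00 00 A0 02 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 F8 82 02 00 00 10 00 00 00 84 02 00 00 04 00 00
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 72 64 61 74 61 00 00 40 08 00 00 00 A0 02 00
""")


def parse_pe_header(data):
    """DOS header -> PE signature -> IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER32
    -> section table. Section headers cut off by the end of the buffer are
    counted as truncated instead of being parsed."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the 20-byte file header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    init_data = struct.unpack_from("<I", data, opt + 8)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ss_major, ss_minor = struct.unpack_from("<HH", data, opt + 48)
    sections, truncated = [], 0
    table = opt + opt_size  # section table starts right after the optional header
    for i in range(nsec):
        off = table + 40 * i
        if off + 40 > len(data):
            truncated += 1
            continue
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rawsize,
                         "raw_pointer": rawptr, "characteristics": chars})
    compiled = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "e_lfanew": e_lfanew, "machine": machine, "num_sections": nsec,
        "timestamp": stamp, "compile_time_utc": compiled.strftime("%Y-%m-%d %H:%M:%S"),
        "size_of_initialized_data": init_data,
        "subsystem_version": f"{ss_major}.{ss_minor}",
        "entry_rva": entry_rva, "entry_va": image_base + entry_rva,
        "entry_file_offset": rva_to_file_offset(sections, entry_rva),
        "sections": sections, "sections_truncated": truncated,
    }


def rva_to_file_offset(sections, rva):
    """Map an RVA to a raw file offset through the parsed section containing it
    (None when no parsed section covers it)."""
    for s in sections:
        if s["virtual_address"] <= rva < s["virtual_address"] + s["raw_size"]:
            return rva - s["virtual_address"] + s["raw_pointer"]
    return None


INFO = parse_pe_header(HEADER)

if __name__ == "__main__":
    for key, value in INFO.items():
        print(key, hex(value) if isinstance(value, int) else value)
```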
- // Let's take a deeper look into the PE;
- // you'll find encrypted names:
- aO5wtsorusvc 0x42B8B5
- a8eysgvdxnrdrmq 0x42B8C5
- aWvecqn3l6na5kv 0x42B8F4
- aQadfxc3bkbf6a7 0x42B90D
- a1k4f88rrsqgj3p 0x42F647
- aMosebysnhh3liy 0x42FD11
- aQhbheglrtya 0x431082
- aDb1xkjnouegqm8 0x43108E
- aWhvdsthna3stgf 0x431633
- aXq4pbgyyo2y1af 0x43168A
- aRmkluoeowsbd5q 0x43169D
- aAtxdtwisbwtaqv 0x431B0B
- aMnnlt73yynlsgn 0x431E11
- a2lotgmlteqxhen 0x433EE8
- aMhhev7ngmbnabs 0x434201
- aO15lyfcgwsrffh 0x4343CC
- aRbmxwyrdebxc4q 0x43440E
- aCefsqvjtjfusoo 0x434439
- aGktg3qeulemrem 0x4347B7
- aOw4qmji2lcapqu 0x434969
- aMbchrhfikirjuv 0x434D94
- aJhcixlnclhnasd 0x435318
- aQckavhbsue811o 0x435A7F
- aIbaadkacjtanuo 0x435DB4
- aJlptchgcrflx8g 0x435E07
- aAuqtkevbqlfmbv 0x43661B
- aSuyim6vh22ffnk 0x436A4E
- aWsxn3prvlrmt7q 0x436E5E
- aByrox5fnfiwpwa 0x437912
- aNg2hskcdygucdk 0x43792C
- aEumbpejckmqitr 0x438030
- aUm6bojq1k4qhee 0x4395D3
- aX68nruj61yqfdh 0x439779
- aWdjykxqpve8lhf 0x43AADF
- // And encoded functions in .text:
- sub_420FAD .text 0x420FAD
- sub_421087 .text 0x421087
- sub_421631 .text 0x421631
- sub_421702 .text 0x421702
- sub_42183D .text 0x42183D
- sub_421869 .text 0x421869
- sub_421B23 .text 0x421B23
- sub_421CC4 .text 0x421CC4
- sub_421E53 .text 0x421E53
- sub_421F97 .text 0x421F97
- sub_4220AA .text 0x4220AA
- sub_4221B2 .text 0x4221B2
- sub_4223A5 .text 0x4223A5
- sub_42243B .text 0x42243B
- sub_42274F .text 0x42274F
- sub_42289C .text 0x42289C
- sub_4229FB .text 0x4229FB
- sub_422B13 .text 0x422B13
- sub_422BD6 .text 0x422BD6
- sub_422BF8 .text 0x422BF8
- sub_422CA9 .text 0x422CA9
- sub_422D7F .text 0x422D7F
- sub_422E3B .text 0x422E3B
- sub_4230C6 .text 0x4230C6
- sub_4232AD .text 0x4232AD
- sub_42337C .text 0x42337C
- sub_4237AF .text 0x4237AF
- sub_4238B3 .text 0x4238B3
- sub_4241F6 .text 0x4241F6
- sub_4242CC .text 0x4242CC
- sub_42438D .text 0x42438D
- sub_424538 .text 0x424538
- sub_4246D2 .text 0x4246D2
- sub_4247BB .text 0x4247BB
- sub_424885 .text 0x424885
- sub_42498A .text 0x42498A
- sub_424A56 .text 0x424A56
- sub_424B47 .text 0x424B47
- sub_424BD7 .text 0x424BD7
- sub_424C9C .text 0x424C9C
- sub_424D35 .text 0x424D35
- sub_424D87 .text 0x424D87
- sub_424E6F .text 0x424E6F
- sub_427214 .text 0x427214
- sub_4272A8 .text 0x4272A8
- sub_42734F .text 0x42734F
- sub_42743D .text 0x42743D
- sub_427560 .text 0x427560
- sub_427634 .text 0x427634
- sub_427718 .text 0x427718
- sub_427739 .text 0x427739
- sub_42781B .text 0x42781B
- sub_42875E .text 0x42875E
- sub_4289BA .text 0x4289BA
- sub_428AC6 .text 0x428AC6
- sub_428D3D .text 0x428D3D
- sub_428DD9 .text 0x428DD9
- sub_428EB0 .text 0x428EB0
- sub_428F2B .text 0x428F2B
- sub_429063 .text 0x429063
- [...]
- // Not good.. encoded data here and there...
- // Let's analyze & decode this for more info..
- ===============================
- Peeling the Binary
- ===============================
- // Analysis results from the effort to decode the binary:
- // Full list of the DLLs used:
- cabinet.dll
- @kernel32.dll
- kshell32.dll
- urlmon.dll
- Wadvapi32.dll
- userenv.dll
- gdiplus.dll
- LdrLoadDll
- ntdll.dll
- KERNEL32.dll
- USER32.dll
- ADVAPI32.dll
- SHLWAPI.dll
- SHELL32.dll
- Secur32.dll
- ole32.dll
- GDI32.dll
- WS2_32.dll
- CRYPT32.dll
- WININET.dll
- OLEAUT32.dll
- NETAPI32.dll
- IPHLPAPI.DLL
- VERSION.dll
- msvcrt.dll
- // Full list of the API calls used:
- BSeTcbPrivilege
- SeShutdownPrivilege
- ProfileImagePath
- ObtainUserAgentString
- GetProductInfo
- RegDeleteKeyExW
- GetFileInformationByHandleEx
- SetFileInformationByHandle
- GdiplusStartup
- GdiplusShutdown
- GdipCreateBitmapFromHBITMAP
- GdipDisposeImage
- GdipGetImageEncodersSize
- GdipGetImageEncoders
- GdipSaveImageToStream
- GetProcAddress
- LoadLibraryA
- NtTerminateProcess
- LdrLoadDll
- LdrGetDllHandle
- NtQueryInformationProcess
- WaitForSingleObject
- CreateThread
- SetLastError
- GetModuleHandleW
- InitializeCriticalSection
- GetLastError
- DeleteCriticalSection
- FileTimeToDosDateTime
- GetTempFileNameW
- DosDateTimeToFileTime
- lstrcmpA
- lstrcpynA
- FreeLibrary
- LoadLibraryW
- CreateFileW
- lstrlenW
- GetTempPathW
- GetProcAddress
- FileTimeToLocalFileTime
- SetFileAttributesW
- lstrcpyW
- lstrcpyA
- lstrcmpiA
- CreateRemoteThread
- OpenProcess
- VirtualFreeEx
- Process32FirstW
- Process32NextW
- CreateToolhelp32Snapshot
- CloseHandle
- GetEnvironmentVariableW
- CreateProcessW
- GetCurrentThread
- Thread32First
- Thread32Next
- LoadLibraryA
- lstrcmpiW
- LeaveCriticalSection
- EnterCriticalSection
- GetTickCount
- TerminateThread
- WaitForMultipleObjects
- DuplicateHandle
- ResumeThread
- VirtualFree
- VirtualAlloc
- VirtualProtect
- GetThreadContext
- SetThreadContext
- VirtualQuery
- GetCurrentProcess
- InterlockedCompareExchange
- FlushInstructionCache
- GetCurrentThreadId
- lstrlenA
- TryEnterCriticalSection
- SetEvent
- Sleep
- CreateEventW
- ResetEvent
- GetExitCodeThread
- SetThreadPriority
- GetSystemTime
- GetCommandLineW
- GetNativeSystemInfo
- GetDriveTypeW
- GetSystemDefaultUILanguage
- GetLogicalDrives
- GetProcessTimes
- GetModuleFileNameW
- lstrcmpW
- GlobalMemoryStatusEx
- GetUserDefaultUILanguage
- GetDiskFreeSpaceExW
- GetVolumeInformationW
- TlsGetValue
- TlsSetValue
- SetEndOfFile
- SetFilePointerEx
- SetFileTime
- WriteFile
- GetFileAttributesW
- ReadFile
- FlushFileBuffers
- GetFileSizeEx
- GetFileTime
- DeleteFileW
- GetFileInformationByHandle
- LocalFree
- CreateDirectoryW
- ExpandEnvironmentStringsW
- TlsAlloc
- GetPrivateProfileStringW
- GetPrivateProfileIntW
- TlsFree
- FindFirstFileW
- FindClose
- RemoveDirectoryW
- FindNextFileW
- GetThreadPriority
- QueryPerformanceCounter
- MapViewOfFile
- UnmapViewOfFile
- CreateFileMappingW
- MoveFileExW
- WideCharToMultiByte
- MultiByteToWideChar
- GetVersionExW
- ExitProcess
- GetSystemTimeAsFileTime
- WTSGetActiveConsoleSessionId
- GetHandleInformation
- HeapAlloc
- HeapFree
- HeapDestroy
- HeapCreate
- HeapReAlloc
- GetProcessId
- UnregisterWait
- RegisterWaitForSingleObject
- SystemTimeToFileTime
- GetTimeZoneInformation
- GetLocalTime
- InterlockedIncrement
- InterlockedDecrement
- IsBadReadPtr
- VirtualAllocEx
- WriteProcessMemory
- CreateMutexW
- OpenMutexW
- ReleaseMutex
- lstrcatW
- GetComputerNameW
- GetVolumeNameForVolumeMountPointW
- SetErrorMode
- OpenEventW
- GetCurrentProcessId
- GlobalLock
- GlobalUnlock
- CharToOemW
- GetCursorPos
- GetIconInfo
- DrawIcon
- LoadCursorW
- GetSystemMetrics
- GetLastInputInfo
- CharUpperW
- GetClipboardData
- TranslateMessage
- PostQuitMessage
- CharLowerA
- CharLowerW
- DispatchMessageW
- PeekMessageW
- orMultipleObjects
- ExitWindowsEx
- ToUnicode
- GetKeyboardState
- GetLengthSid
- OpenProcessToken
- GetSidSubAuthority
- OpenThreadToken
- GetSidSubAuthorityCount
- GetTokenInformation
- CreateProcessAsUserW
- LookupPrivilegeValueW
- AdjustTokenPrivileges
- CryptVerifySignatureW
- CryptGetKeyParam
- CryptImportKey
- CryptDestroyKey
- CryptDestroyHash
- InitializeSecurityDescriptor
- SetSecurityDescriptorDacl
- ConvertStringSecurityDescriptorToSecurityDescriptorW
- GetSecurityDescriptorSacl
- SetSecurityDescriptorSacl
- RegCreateKeyExW
- RegCloseKey
- EqualSid
- CryptGetHashParam
- CryptAcquireContextW
- CryptReleaseContext
- CryptCreateHash
- CryptHashData
- RegQueryValueExW
- RegQueryInfoKeyW
- RegDeleteKeyW
- RegDeleteValueW
- RegOpenKeyExW
- RegFlushKey
- RegEnumKeyExW
- RegSetValueExW
- InitiateSystemShutdownExW
- IsWellKnownSid
- ConvertSidToStringSidW
- PathRemoveExtensionW
- PathFindFileNameW
- PathRemoveFileSpecW
- StrCmpNA
- StrRChrA
- StrCmpIW
- StrChrW
- StrCmpW
- StrCmpNIW
- StrCmpNW
- StrChrA
- StrCmpNIA
- PathRemoveBackslashW
- PathRenameExtensionW
- PathGetDriveNumberW
- PathIsDirectoryW
- PathSkipRootW
- PathUnquoteSpacesW
- wvnsprintfW
- wvnsprintfA
- PathQuoteSpacesW
- PathFindExtensionW
- PathMatchSpecW
- PathIsURLW
- UrlUnescapeA
- PathAddBackslashW
- StrStrIW
- SHLWAPI.dll
- SHGetFolderPathW
- CommandLineToArgvW
- ShellExecuteW
- GetUserNameExW
- DeleteSecurityContext
- DecryptMessage
- EncryptMessage
- CoCreateInstance
- CoUninitialize
- CoInitializeSecurity
- CoInitializeEx
- CoTaskMemFree
- CoSetProxyBlanket
- CLSIDFromString
- StringFromGUID2
- CreateStreamOnHGlobal
- CreateCompatibleBitmap
- CreateCompatibleDC
- SelectObject
- DeleteObject
- CreateDCW
- GetDeviceCaps
- DeleteDC
- BitBlt
- GetAddrInfoW
- freeaddrinfo
- WSAGetOverlappedResult
- WSASend
- WSARecv
- getaddrinfo
- FreeAddrInfoW
- WSAStringToAddressW
- WSAAddressToStringA
- WSACreateEvent
- WSAEventSelect
- WSAEnumNetworkEvents
- WSAAddressToStringW
- WSAIoctl
- WSACloseEvent
- PFXImportCertStore
- CertDeleteCertificateFromStore
- CertOpenSystemStoreW
- CertCloseStore
- CertEnumCertificatesInStore
- CertDuplicateCertificateContext
- PFXExportCertStoreEx
- CryptUnprotectData
- HttpSendRequestExA
- HttpQueryInfoA
- InternetConnectA
- InternetCrackUrlA
- InternetReadFile
- InternetSetOptionA
- InternetWriteFile
- HttpOpenRequestA
- HttpEndRequestA
- HttpAddRequestHeadersA
- InternetOpenA
- InternetCloseHandle
- InternetQueryOptionA
- NetUserGetInfo
- NetApiBufferFree
- NetUserEnum
- GetAdaptersAddresses
- GetFileVersionInfoW
- VerQueryValueW
- GetFileVersionInfoSizeW
- _errno
- memcpy
- memcmp
- _purecall
- memset
- memchr
- memmove
- strcmp
- _ultow
- _vsnwprintf
- _vsnprintf
- strtoul
- RtlUnwind
- SetFilePointer
- OutputDebugStringA
- TerminateProcess
- UnhandledExceptionFilter
- SetUnhandledExceptionFilter
- _except_handler3
- // Now we see a much better picture of what the binary
- // actually does...
- // Let's see the traces..
- ===================================================
- Trace Analysis - Tearing apart the malware's functions
- ===================================================
- // The logic used for the temporary files:
- tmp (calling environment temp)
- %s%08x.%s (format)
- Wrote file: C:\Documents and Settings\USER\Local Settings\Temp\tmpf8d49d9f.bat (checked)
- // The config used:
- C(is a variable).dat
- Wrote file: C:\Documents and Settings\rik\Local Settings\Application Data\cofa.uxo.dat (checked)
- // Trace of decoding method:
- Microsoft Enhanced Cryptographic Provider v1.0
- // decoded target sections:
- .text < to be encoded
- .data < to be encoded
- .reloc < to be added section...
- // batch commands executed via CMD:
- del "%s"
- if exist "%s" goto d
- @echo off
- del /F "%s"
- // Some username sets.. a #precious #hint if you know Zbot.
- tellerplus
- bancline
- fidelity
- micrsolv
- bankman
- vantiv
- episys
- jack henry
- cruisenet
- gplusmain
- silverlake
- v48d0250s1
- fastdoc
- // Code injection process names:
- launchpadshell.exe
- dirclt32.exe
- wtng.exe
- prologue.exe
- pcsws.exe
- fdmaster.exe
- // It indeed confirms the x64 processor..
- IsWow64Process
- //...and also sniffs x64 at:
- HKCU\Software\Microsoft","SUCCESS","Desired Access: Create Sub Key, WOW64_64Key"
- HKCU\Software\Microsoft\Haatneylcoa","SUCCESS","Desired Access: Query Value, Set Value, WOW64_64Key"
- HKLM\Software\Microsoft\Windows NT\CurrentVersion","SUCCESS","Desired Access: Query Value, WOW64_64Key"
- HKLM\Software\Policies\Microsoft\Cryptography","NAME NOT FOUND","Desired Access: Read, WOW64_64Key"
- HKLM\Software\Microsoft\Cryptography","SUCCESS","Desired Access: Read, WOW64_64Key"
- HKLM\System\WPA\TabletPC","NAME NOT FOUND","Desired Access: Query Value, WOW64_64Key"
- HKLM\SYSTEM\WPA\MediaCenter","SUCCESS","Desired Access: Query Value, WOW64_64Key"
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","NAME NOT FOUND","Desired Access: Read, WOW64
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","NAME NOT FOUND","Desired Access: Read, WOW64
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\awoty.exe","NAME NOT FOUND","Desired Access: R
- HKCU\Software\Microsoft\Haatneylcoa","SUCCESS","Desired Access: Query Value, WOW64_64Key"
- HKLM\System\WPA\TabletPC","NAME NOT FOUND","Desired Access: Query Value, WOW64_64Key"
- HKLM\SYSTEM\WPA\MediaCenter","SUCCESS","Desired Access: Query Value, WOW64_64Key"
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","NAME NOT FOUND","Desired Access: Read, WOW64
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","NAME NOT FOUND","Desired Access: Read, WOW64
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\cmd.exe","NAME NOT FOUND","Desired Access: Read, WOW64
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags","NAME NOT FOUND","Desired Access: Read, WOW64_64Key"
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags","NAME NOT FOUND","Desired Access: Read, WOW64_64Key"
- // Some HTTP header commands..
- POST
- GET
- HTTP/1.1
- Connection: Close
- Accept-Language:
- // Connection test sites:
- http://www.google.com/
- http://www.bing.com/
- // internet connectivity..
- connection
- proxy-connection
- content-length
- transfer-encoding
- upgrade
- chunked
- keep-alive
- close
- Authorization
- Basic
- div
- script
- nbsp;
- // Zbot commands:
- DELETE
- HEAD
- PUT
- CONNECT
- OPTIONS
- TRACE
- COPY
- LOCK
- MKCOL
- MOVE
- PROPFIND
- PROPPATCH
- SEARCH
- UNLOCK
- REPORT
- MKACTIVITY
- CHECKOUT
- MERGE
- M-SEARCH
- NOTIFY
- SUBSCRIBE
- UNSUBSCRIBE
- PATCH
- PURGE
- // Wrote log file:
- C:\Documents and Settings\rUSER\ntuser.dat.LOG","SUCCESS","EndOfFile: 49,152"
- C:\Documents and Settings\rUSER\ntuser.dat.LOG","SUCCESS","EndOfFile: 53,248"
- C:\Documents and Settings\rUSER\ntuser.dat.LOG","SUCCESS","EndOfFile: 57,344"
- ======================
- More registry
- (not only what has been written in VT)
- =====================
- // Wrote base64-encoded encrypted data in the registry at:
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Haatneylcoa\2fejgjfb:
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Haatneylcoa\21ai7ij3:
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Haatneylcoa\36j81186:
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Haatneylcoa\11e25340:
- ... each holding a long base64-encoded blob.
- ... and additional raw binary encrypted data in:
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Haatneylcoa\36j81186
- // This mess was changing my internet account with the LDAP service:
- \Internet Account Manager\Accounts\WhoWhere\LDAP Server ID: 0x00000003
- \Internet Account Manager\Accounts\WhoWhere\Account Name: "WhoWhere インターネット ディレクトリ サービス"
- \Internet Account Manager\Accounts\WhoWhere\LDAP Server: "ldap.whowhere.com"
- \Internet Account Manager\Accounts\WhoWhere\LDAP URL: "http://www.whowhere.com"
- \Internet Account Manager\Accounts\WhoWhere\LDAP Search Return: 0x00000064
- \Internet Account Manager\Accounts\WhoWhere\LDAP Timeout: 0x0000003C
- \Internet Account Manager\Accounts\WhoWhere\LDAP Authentication: 0x00000000
- \Internet Account Manager\Accounts\WhoWhere\LDAP Simple Search: 0x00000001
- \Internet Account Manager\Accounts\WhoWhere\LDAP Logo: "%ProgramFiles%\Common Files\Services\whowhere.bmp"
- \Internet Account Manager\Accounts\VeriSign\LDAP Server ID: 0x00000002
- \Internet Account Manager\Accounts\VeriSign\Account Name: "VeriSign インターネット ディレクトリ サービス"
- \Internet Account Manager\Accounts\VeriSign\LDAP Server: "directory.verisign.com"
- \Internet Account Manager\Accounts\VeriSign\LDAP URL: "http://www.verisign.com"
- \Internet Account Manager\Accounts\VeriSign\LDAP Search Return: 0x00000064
- \Internet Account Manager\Accounts\VeriSign\LDAP Timeout: 0x0000003C
- \Internet Account Manager\Accounts\VeriSign\LDAP Authentication: 0x00000000
- \Internet Account Manager\Accounts\VeriSign\LDAP Search Base: "NULL"
- \Internet Account Manager\Accounts\VeriSign\LDAP Simple Search: 0x00000001
- \Internet Account Manager\Accounts\VeriSign\LDAP Logo: "%ProgramFiles%\Common Files\Services\verisign.bmp"
- \Internet Account Manager\Accounts\Bigfoot\LDAP Server ID: 0x00000001
- \Internet Account Manager\Accounts\Bigfoot\Account Name: "Bigfoot インターネット ディレクトリ サービス"
- \Internet Account Manager\Accounts\Bigfoot\LDAP Server: "ldap.bigfoot.com"
- \Internet Account Manager\Accounts\Bigfoot\LDAP URL: "http://www.bigfoot.com"
- \Internet Account Manager\Accounts\Bigfoot\LDAP Search Return: 0x00000064
- \Internet Account Manager\Accounts\Bigfoot\LDAP Timeout: 0x0000003C
- \Internet Account Manager\Accounts\Bigfoot\LDAP Authentication: 0x00000000
- \Internet Account Manager\Accounts\Bigfoot\LDAP Simple Search: 0x00000001
- \Internet Account Manager\Accounts\Bigfoot\LDAP Logo: "%ProgramFiles%\Common Files\Services\bigfoot.bmp"
- \Internet Account Manager\Accounts\Active Directory GC\LDAP Server ID: 0x00000000
- \Internet Account Manager\Accounts\Active Directory GC\Account Name: "Active Directory"
- \Internet Account Manager\Accounts\Active Directory GC\LDAP Server: "NULL"
- \Internet Account Manager\Accounts\Active Directory GC\LDAP Search Return: 0x00000064
- \Internet Account Manager\Accounts\Active Directory GC\LDAP Timeout: 0x0000003C
- \Internet Account Manager\Accounts\Active Directory GC\LDAP Authentication: 0x00000002
- \Internet Account Manager\Accounts\Active Directory GC\LDAP Simple Search: 0x00000000
- \Internet Account Manager\Accounts\Active Directory GC\LDAP Bind DN: 0x00000000
- \Internet Account Manager\Accounts\Active Directory GC\LDAP Port: 0x00000CC4
- \Internet Account Manager\Accounts\Active Directory GC\LDAP Resolve Flag: 0x00000001
- \Internet Account Manager\Accounts\Active Directory GC\LDAP Secure Connection: 0x00000000
- \Internet Account Manager\Accounts\Active Directory GC\LDAP User Name: "NULL"
- \Internet Account Manager\Accounts\Active Directory GC\LDAP Search Base: "NULL"
- \Internet Account Manager\Accounts\PreConfigVer: 0x00000004
- \Internet Account Manager\Accounts\PreConfigVerNTDS: 0x00000001
- \Internet Account Manager\Server ID: 0x00000004
- \Internet Account Manager\Default LDAP Account: "Active Directory GC"
- // And activates the malicious WAB (Address Book):
- \Software\Microsoft\WAB\WAB4\Wab File Name\: "C:\Documents and Settings\rik\Application Data\Microsoft\Address Book\rik.wab"
- \Software\Microsoft\WAB\WAB4\OlkContactRefresh: 0x00000000
- \Software\Microsoft\WAB\WAB4\OlkFolderRefresh: 0x00000000
- (the rest is as you saw in the behavior analysis, a good reference)
- ================================
- // Zbot Network Analysis:
- =================================
- //ICMP:
- (DST-IP)
- ---------------
- 109.242.53.221
- 203.59.98.143
- 87.126.253.100
- 194.225.33.145
- 62.38.110.99
- // TCP Communication (ESTABLISHED)
- (IP):(DST-PORT)
- ---------------
- 176.62.240.159 TCP/1046
- 190.37.198.197 TCP/1050
- 77.52.101.167 TCP/1047
- 92.51.106.142 TCP/1044
- // TCP Communication (FAILED)
- 77.52.101.167 TCP/1047
- // UDP Communication (ESTABLISHED)
- (IP):(DST-PORT)
- ---------------
- Please see the UDP PCAP for the full list here:
- http://www.mediafire.com/?rteb7ee8xs9rzk0
- ---
- #MalwareMustDie!
- @unixfreaxjp ~]$ date
- Tue May 28 23:50:23 JST 2013