English Transcript of Malware Analysis
Case: #OCJP-025
Malware: Win32/Trojan.Zeus (dropper/downloader/backdoor/spyware/PDF-exploiter... you name it..)

===============================
I. MALWARE BINARY ANALYSIS :
===============================

File name................: BtxX9KX.exe
MD5......................: 17bde98108092ed612c4511bd6a633ee
File size................: 271.5 KB ( 278016 bytes )
File type................: Win32 EXE
English Report...........: Wed Mar 14 20:17:36 JST 2012
Analysis by..............: Hendrik ADRIAN / @unixfreaxjp /0day.jp

This is the English report, based on the analysis of the malware case reported at:
1. http://unixfreaxjp.blogspot.com/2012/03/ocjp-025.html
2. https://www.virustotal.com/file/0dbce33621898ecd824a272ce5e960a685051a4a695292efb0b05d604827529e/analysis/
3. Base URL: http://pastebin.com/FR07ybTp
----------
ExifTool
----------
UninitializedDataSize....: 0
InitializedDataSize......: 10752
ImageVersion.............: 0.0
ProductName..............: 2q3wet(R) Windows (R) 2000 Operating System
FileVersionNumber........: 5.0.2137.1
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
FileDescription..........: Windows TaskManager
CharacterSet.............: Unicode
LinkerVersion............: 2.5
FileOS...................: Windows NT 32-bit
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 5.00.2137.1
TimeStamp................: 2012:03:09 01:43:00+01:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: taskmgr
ProductVersion...........: 5.00.2137.1
SubsystemVersion.........: 4.0
OSVersion................: 4.0
OriginalFilename.........: taskmgr.exe
LegalCopyright...........: Copyright (C) 2q3wet Corp. 1991-1999
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: 2q3wet Corporation
CodeSize.................: 265216
FileSubtype..............: 0
ProductVersionNumber.....: 5.0.2137.1
EntryPoint...............: 0x1210
ObjectFileType...........: Executable application

-----------
PE Structs
-----------
Name      V-Address  V-Size   Raw      Entropy  MD5
.text     4096       1916     2048     5.45     e93f3084f987fa110a4d8ca9274467d9
.textQ1   8192       262260   262656   7.71     de268b266e26e6a4aef8345fd2a01cd0
.textQ2   274432     100      512      0.00     bf619eac0cdf3f68d496ea9344137e8b
.data     278528     444      512      3.84     84072aa523e1285671b0e294565b43e9
.rsrc     282624     9724     9728     3.59     4e3e01ecc8f6cb1250de57f12d923bf3
.reloc    294912     116      512      1.76     250b11d9c9c72539dd168073a62fe6ab

(*) Above data with thanks to VirusTotal

-----------------
Suspected Points
-----------------

*) PE file, unknown packer, uses encryption

*) CRC data unmatched, claimed: 299582 / actual: 299581
*) Compile time: 2012-03-09 09:43:00 <--- newly made trojan

*) Entropy 7.71 is suspicious....(crypter?)
MD5 hash: de268b266e26e6a4aef8345fd2a01cd0
SHA-1 hash: 1867abe9de5a2e502bacea4ef897332057a97a20
Name: .textQ1
Misc: 0x40074
Misc_PhysicalAddress: 0x40074
Misc_VirtualSize: 0x40074
VirtualAddress: 0x2000
SizeOfRawData: 0x40200
PointerToRawData: 0xC00
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x60000020

*) Fake system file information found:
Length: 0x27C
ValueLength: 0x0
Type: 0x1
LangID: 040904B0
LegalCopyright: Copyright (C) 2q3wet Corp. 1991-1999
InternalName: taskmgr
FileVersion: 5.00.2137.1
CompanyName: 2q3wet Corporation
ProductName: 2q3wet(R) Windows (R) 2000 Operating System
ProductVersion: 5.00.2137.1
FileDescription: Windows TaskManager
OriginalFilename: taskmgr.exe


*) Suspicious use of DLLs:
OriginalFirstThunk: 0x440E0
Characteristics: 0x440E0
TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0x44176
FirstThunk: 0x44104
KERNEL32.dll.CreateFileA Hint[120] <---- malware drops
KERNEL32.dll.GetWindowsDirectoryA Hint[640]
KERNEL32.dll.lstrlenA Hint[1205]
KERNEL32.dll.lstrcpyA Hint[1199]
KERNEL32.dll.VirtualAlloc Hint[1108] <--- DEP privilege

OriginalFirstThunk: 0x440F8
Characteristics: 0x440F8
TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0x441A2
FirstThunk: 0x4411C
ADVAPI32.dll.RegOpenKeyW Hint[606] <--- registry value check
ADVAPI32.dll.RegOpenKeyExA Hint[602] <---- registry value check
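As an added example (not part of the original report), the Python below reproduces the static triage heuristics applied in the Suspected Points above: per-section Shannon entropy against a 7.0 threshold, decoding of the .textQ1 Characteristics value 0x60000020 into its PE/COFF flag names, a check for non-standard section names, and the import combinations the report annotates. The section table is copied from the report; the Characteristics values for sections other than .textQ1 are typical values assumed for illustration, and the import rule set is constructed for this example rather than taken from any tool.

```python
import math
from collections import Counter

# Section Characteristics bits from the PE/COFF specification (subset used here).
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x10000000: "IMAGE_SCN_MEM_SHARED",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

# Section names a normally linked Windows binary is expected to carry.
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                        ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}

# Section table from the report's "PE Structs" listing. Only .textQ1's
# Characteristics (0x60000020) is given on the page; the others are assumed
# typical values for this example.
SAMPLE_SECTIONS = [
    {"name": ".text",   "vsize": 1916,   "raw": 2048,   "entropy": 5.45, "characteristics": 0x60000020},
    {"name": ".textQ1", "vsize": 262260, "raw": 262656, "entropy": 7.71, "characteristics": 0x60000020},
    {"name": ".textQ2", "vsize": 100,    "raw": 512,    "entropy": 0.00, "characteristics": 0x60000020},
    {"name": ".data",   "vsize": 444,    "raw": 512,    "entropy": 3.84, "characteristics": 0xC0000040},
    {"name": ".rsrc",   "vsize": 9724,   "raw": 9728,   "entropy": 3.59, "characteristics": 0x40000040},
    {"name": ".reloc",  "vsize": 116,    "raw": 512,    "entropy": 1.76, "characteristics": 0x42000040},
]

# Import names from the report, in the "DLL.function" form it prints.
SAMPLE_IMPORTS = [
    "KERNEL32.dll.CreateFileA", "KERNEL32.dll.GetWindowsDirectoryA",
    "KERNEL32.dll.lstrlenA", "KERNEL32.dll.lstrcpyA", "KERNEL32.dll.VirtualAlloc",
    "ADVAPI32.dll.RegOpenKeyW", "ADVAPI32.dll.RegOpenKeyExA",
]

# Constructed rule set: every function in the set must be imported for the rule to fire.
IMPORT_RULES = [
    ({"CreateFileA", "GetWindowsDirectoryA"}, "creates files and resolves the Windows directory (dropper behaviour)"),
    ({"VirtualAlloc"}, "allocates memory at runtime (unpacking / injection staging)"),
    ({"RegOpenKeyExA"}, "opens registry keys (configuration / persistence check)"),
]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def decode_characteristics(flags: int) -> list:
    """Names of the known section flags set in a Characteristics DWORD, lowest bit first."""
    return [name for bit, name in sorted(SECTION_FLAGS.items()) if flags & bit]


def triage_sections(sections, entropy_threshold: float = 7.0) -> list:
    """Return (section_name, reason) findings for the packer/crypter heuristics:
    high entropy, non-standard section name, and writable+executable sections."""
    findings = []
    for s in sections:
        name = s["name"]
        if s["entropy"] >= entropy_threshold:
            findings.append((name, f"entropy {s['entropy']:.2f} >= {entropy_threshold}: likely packed or encrypted"))
        if name not in COMMON_SECTION_NAMES:
            findings.append((name, "non-standard section name"))
        flags = decode_characteristics(s["characteristics"])
        if "IMAGE_SCN_MEM_WRITE" in flags and "IMAGE_SCN_MEM_EXECUTE" in flags:
            findings.append((name, "section is both writable and executable"))
    return findings


def triage_imports(imports) -> list:
    """Return the reasons of every IMPORT_RULES entry fully satisfied by the import list."""
    funcs = {entry.rsplit(".", 1)[-1] for entry in imports}
    return [reason for needed, reason in IMPORT_RULES if needed <= funcs]


if __name__ == "__main__":
    print("0x60000020 =", decode_characteristics(0x60000020))
    for name, reason in triage_sections(SAMPLE_SECTIONS):
        print(f"{name:8s} {reason}")
    for reason in triage_imports(SAMPLE_IMPORTS):
        print("imports:", reason)
```

With real files, `shannon_entropy` is applied to each section's raw bytes (for example via `pefile`'s `section.get_data()`), and the result feeds `triage_sections` in place of the report's precomputed column; the 7.0 threshold is a common starting point, not a hard rule, since compressed resources in a clean binary also score high.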

===============================
II. MALWARE BEHAVIOUR PROCESS
===============================

initial process:

sample.exe [/dir/file/pathname] 229,376 bytes
|
+payload.exe %AppData%\%payload-dir%\payload.exe 229,376 bytes
 |
 +--Explorer.EXE C:\WINDOWS\Explorer.EXE
 +--ctfmon.exe cmd.exe "C:\WINDOWS\system32\ctfmon.exe"
 +--msmsgs.exe cmd.exe "C:\Program Files\Messenger\msmsgs.exe" /background
 +--reader_sl.exe cmd.exe "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"

later added additional process, soon stopped:
(parent: oves.exe)
|
+----cmd.exe %System%\cmd.exe 266,240 bytes


-----------------------------------------------------------------------------
I report the behaviour analysis of this malware per process binary above
with the priority below:
(1) sample.exe
(2) payload.exe
(3) Explorer.EXE
(4) msmsgs.exe
(5) reader_sl.exe
-----------------------------------------------------------------------------

(1) SAMPLE
File name: sample.exe
MD5: 17bde98108092ed612c4511bd6a633ee
File size: 271.5 KB ( 278,016 bytes )

---------------------
REGISTRY
---------------------
reg key create:
HKEY_CURRENT_USER\Software\Microsoft\Ynpeo

reg value create:
[HKEY_CURRENT_USER\Software\Microsoft\Ynpeo]
18i62g6a = "Xv7cYZT7zDIVtw=="
1cf3ifcc = "df6pYQ=="
2cc8dhbc = 69 9A A9 61 9A 89 B6 32 2C B7 E1 76

---------------------
DLLs
---------------------
load:
C:\WINDOWS\system32\ntdll.dll        0x7C900000 0x000AF000
C:\WINDOWS\system32\kernel32.dll     0x7C800000 0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll     0x77DD0000 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll       0x77E70000 0x00092000
C:\WINDOWS\system32\Secur32.dll      0x77FE0000 0x00011000

runtime:
C:\WINDOWS\system32\NETAPI32.dll     0x5B860000 0x00055000
C:\WINDOWS\system32\comctl32.dll     0x5D090000 0x0009A000
C:\WINDOWS\system32\WS2HELP.dll      0x71AA0000 0x00008000
C:\WINDOWS\system32\WS2_32.dll       0x71AB0000 0x00017000
C:\WINDOWS\system32\OLEAUT32.dll     0x77120000 0x0008B000
C:\WINDOWS\system32\WININET.dll      0x771B0000 0x000AA000
C:\WINDOWS\WinSxS\..comctl32.dll     0x773D0000 0x00103000
C:\WINDOWS\system32\ole32.dll        0x774E0000 0x0013D000
C:\WINDOWS\system32\CRYPT32.dll      0x77A80000 0x00095000
C:\WINDOWS\system32\MSASN1.dll       0x77B20000 0x00012000
C:\WINDOWS\system32\Apphelp.dll      0x77B40000 0x00022000
C:\WINDOWS\system32\msvcrt.dll       0x77C10000 0x00058000
C:\WINDOWS\system32\GDI32.dll        0x77F10000 0x00049000
C:\WINDOWS\system32\SHLWAPI.dll      0x77F60000 0x00076000
C:\WINDOWS\system32\SHELL32.dll      0x7C9C0000 0x00817000
C:\WINDOWS\system32\USER32.dll       0x7E410000 0x00091000

memory map:
C:\Documents and Settings\Administrator\Application Data\Ejofd\awylm.exe
C:\WINDOWS\WinSxS\ ..comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\comctl32.dll
C:\Windows\AppPatch\sysmain.sdb

---------------------
FILES & DROPS
---------------------

This sample creates one directory with the format below:
%AppData%\[RANDOM 4 characters #1]
and drops the payload into it with the filename [RANDOM 4 characters #2].exe

The payload, when executed, creates a directory with the format below:
%AppData%\[RANDOM 4 characters #3]
and drops config files into it with the filename [RANDOM 4 characters #4].[RANDOM 3 characters]

During the operation, temporary data exchange uses a file with the format below:
[%Temp%\tmp*******.bat]

Proof of Concept (PoC)

Two runs were made with the current sample, with the details below:
-----------------------------------------------------------------------------
sample:
C:\sample.exe 278,016 bytes 17bde98108092ed612c4511bd6a633ee
-----------------------------------------------------------------------------
Take 1:
Drops:
%AppData%\Ygas\oves.exe 278,016 bytes c9c114d777780d35f7353e9520662389
↑which drops↓
%AppData%\Kerez\ixko.liu 1,305 bytes 700f2e487c893e74c00eeb0c1cd7ab4f
then renamed into: %AppData%\ixko.liu.0 0 bytes d41d8cd98f00b204e9800998ecf8427e
created temp data: %Temp%\tmp4bbbf287.bat 168 bytes 8feeb2305d2cad502c43e0ec5378115a
(new dirs made during operation)
%AppData%\Kerez
%AppData%\Ygas
------------------------------------
Take 2:
Drops:
%AppData%\Ejofd\awylm.exe
↑which drops↓
%AppData%\Uhxuig\ylwi.vik
and then renamed into: %AppData%\ylwi.vik.0
creating temp data: %Temp%\tmp4bbbf245.bat
(new dirs made during operation)
%AppData%\Ejofd
%AppData%\Uhxuig

-----------------------------------------------------------------------------

(2) PAYLOAD.EXE

I found the payload was varied in names every time you run the sample,
but the characteristic is the same, as described above.

The characteristics are as below:

Name: [random4characters.exe] i.e.: awylm.exe
MD5: dd507bdc57aacb3df8831c0df734d4aa
Size: 278,016 Bytes

---------------------
REGISTRY (changed/created)
--------------------
key1: HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer
name: 13e9ii4f
to: 0x5608eb5bc423314f0df5

key2: HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\
CurrentVersion\Explorer\Shell Folders
name: AppData
to: C:\Documents and Settings\Administrator\Application Data

---------------------
MALICIOUS PROCESS INJECTION
--------------------
Remote threads were created by this payload with the following details:
C:\WINDOWS\explorer.exe ←registry op, listening ports, autorun
C:\WINDOWS\system32\ctfmon.exe ←being used to monitor keyboard/mouse activities
C:\Program Files\Messenger\msmsgs.exe ←messaging to motherships
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe ←execute the malicious PDF files
due to some Windows CVE exploit
*) explorer.exe was executed by the payload, while ctfmon.exe, msmsgs.exe & reader_sl.exe
were executed by a cmd.exe shell through explorer.exe by the payload.

------------------------------------------------------------------------------------------

(3) EXPLORER.EXE

Filename: Explorer.EXE (awylm.exe executes this process in virtual memory)
MD5: 12896823fb95bfb3dc9b46bcaedc9923
File Size: 1,033,728 Bytes
Command Line: C:\WINDOWS\Explorer.EXE
Status: alive

This process was executed by the payload's code.
This process' jobs are:
- registering the malware as fake software
- making sure the payload is auto-executed at start-up
- disarming the browser security policy for opening a global port
- opening backdoors
- preparing the malicious cookies
- changing/disabling the PC's internet zone for malicious purposes
- accessing downloaded malicious cookies
- monitoring the input devices' activities


Registry Keys Changed:
------------------------
Auto-start function (auto exec):
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN info
{B0F8B226-65CD-AD7D-E811-5333C5ED7021}
"C:\Documents and Settings\Administrator\Application Data\Ejofd\awylm.exe"

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\Currentversion\Run info
{B0F8B226-65CD-AD7D-E811-5333C5ED7021}
"C:\Documents and Settings\Administrator\Application Data\Ejofd\awylm.exe"

Windows firewall disabled (disarm firewall notification):
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile info
DisableNotifications
0

UDP port 16,892 opened (opening TCP & UDP backdoor):
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List info
16892:UDP
16892:UDP:*:Enabled:UDP 16892

TCP port 25,231 opened:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List info
25231:TCP
25231:TCP:*:Enabled:TCP 25231

Various malware IDs registered as fake software (register fake software):
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer
363a8039
0xd8499e5b29414b4f34f521cf

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer
iibc3hd
0x34089e5b

The PC's cookies cleaned up (disable cleaning up cookies):
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\InternetExplorer\Privacy
CleanCookies
0

Internet zone settings disabled (disable internet zone for IE):
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0 info
1609
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1 info
1406
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1 info
1609
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\2 info
1609
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3 info
1406
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3 info
1609
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4 info
1406
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4 info
1609
0

Read malware cookie files:
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@java[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@promotion.adobe[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sun[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@walkernews[1].txt

payload is using these DLLs:
C:\WINDOWS\System32\wshtcpip.dll
C:\WINDOWS\system32\hnetcfg.dll
C:\WINDOWS\system32\mswsock.dll

Opening previous ports:
TCP/25231
UDP/16892

listening at the port below:
TCP/25231

creating mutexes:
Global\{370A7811-AFFA-2A8F-E811-5333C5ED7021}
Global\{370A7816-AFFD-2A8F-E811-5333C5ED7021}
Global\{3BE6AF24-78CF-2663-E811-5333C5ED7021}
Global\{5D329B3C-4CD7-40B7-E811-5333C5ED7021}
Global\{B69AE452-33B9-AB1F-05EB-B06D2817937F}
Global\{B69AE452-33B9-AB1F-1DEA-B06D3016937F}
Global\{B69AE452-33B9-AB1F-55EB-B06D7817937F}
Global\{B69AE452-33B9-AB1F-7DEB-B06D5017937F}
Global\{B69AE452-33B9-AB1F-89EB-B06DA417937F}
Global\{C84914F5-C31E-D5CC-E811-5333C5ED7021}
Global\{EDE09917-4EFC-F065-E811-5333C5ED7021}
Local\{56ECCE04-19EF-4B69-E811-5333C5ED7021}
Local\{56ECCE05-19EE-4B69-E811-5333C5ED7021}
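The drop-path patterns from FILES & DROPS (section 1) and the Run-key persistence and firewall exceptions written by the injected explorer.exe (this section) are the host artifacts a responder can sweep for. The Python below is an added example, not code from the report, that turns them into detection logic: a path classifier for the %AppData%\<random>\<random>.exe, config-file, renamed ".0" and %Temp%\tmp*.bat patterns, a parser for GloballyOpenPorts\List entries, and a registry checker that flags a GUID-named Run value pointing at such a payload path. The report calls the random names "4 characters" while the observed names (Ygas, Ejofd, Uhxuig, awylm) run four to six letters, so the regexes accept 4–6; the registry records and the benign ctfmon Run entry are constructed sample input.

```python
import re

# Expanded or unexpanded per-user application-data roots (XP and Vista+ layouts).
APPDATA_ROOT = (r"(?:%AppData%"
                r"|[A-Z]:\\Documents and Settings\\[^\\]+\\Application Data"
                r"|[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming)")
TEMP_ROOT = r"(?:%Temp%|.*\\Temp)"

# Observed random-name lengths in the report are 4-6 lowercase letters.
RANDOM_NAME = r"[a-z]{4,6}"

PATH_CLASSES = [
    ("payload-drop",   re.compile(APPDATA_ROOT + r"\\" + RANDOM_NAME + r"\\" + RANDOM_NAME + r"\.exe", re.I)),
    ("config-drop",    re.compile(APPDATA_ROOT + r"\\" + RANDOM_NAME + r"\\" + RANDOM_NAME + r"\.[a-z]{3}", re.I)),
    ("config-renamed", re.compile(APPDATA_ROOT + r"\\" + RANDOM_NAME + r"\.[a-z]{3}\.0", re.I)),
    ("temp-batch",     re.compile(TEMP_ROOT + r"\\tmp[0-9a-f]+\.bat", re.I)),
]

GUID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)

# Constructed registry records as (key, value name, data), modelled on the report.
SAMPLE_REGISTRY = [
    (r"HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run",
     "{B0F8B226-65CD-AD7D-E811-5333C5ED7021}",
     r'"C:\Documents and Settings\Administrator\Application Data\Ejofd\awylm.exe"'),
    (r"HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run",
     "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),  # benign XP entry, must not fire
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "DisableNotifications", "0"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List",
     "16892:UDP", "16892:UDP:*:Enabled:UDP 16892"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List",
     "25231:TCP", "25231:TCP:*:Enabled:TCP 25231"),
    (r"HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer",
     "iibc3hd", "0x34089e5b"),
]


def classify_path(path: str):
    """Return the drop-pattern class a path matches, or None for anything else."""
    for label, pattern in PATH_CLASSES:
        if pattern.fullmatch(path):
            return label
    return None


def parse_open_port(value: str) -> dict:
    """Parse a GloballyOpenPorts\\List entry such as "25231:TCP:*:Enabled:TCP 25231"."""
    port, proto, scope, state, name = value.split(":", 4)
    return {"port": int(port), "proto": proto.upper(), "scope": scope,
            "enabled": state.lower() == "enabled", "name": name}


def check_registry(records) -> list:
    """Flag GUID-named Run values that launch a payload-pattern path, and firewall
    exceptions opened to every remote host (scope "*")."""
    findings = []
    for key, name, data in records:
        k = key.lower()
        if k.endswith(r"\currentversion\run"):
            if GUID_RE.match(name) and classify_path(data.strip('"')) == "payload-drop":
                findings.append(f"Run persistence: {name} -> {data}")
        elif k.endswith(r"\globallyopenports\list"):
            p = parse_open_port(data)
            if p["enabled"] and p["scope"] == "*":
                findings.append(f"firewall exception open to all hosts: {p['proto']}/{p['port']}")
    return findings


if __name__ == "__main__":
    for p in (r"%AppData%\Ygas\oves.exe", r"%AppData%\Kerez\ixko.liu",
              r"%AppData%\ixko.liu.0", r"%Temp%\tmp4bbbf287.bat", r"C:\WINDOWS\Explorer.EXE"):
        print(f"{classify_path(p)!s:15s} {p}")
    for finding in check_registry(SAMPLE_REGISTRY):
        print(finding)
```

On a live host the same records come from a registry export or a tool such as `reg query`; the path classifier is also usable on file-creation telemetry, where the creating process matters as much as the path (here the dropper, then the payload, then explorer.exe).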

------------------------------------------------------------------------------------------

(4) CTFMON.EXE
Filename: ctfmon.exe (awylm.exe wrote to this process in virtual memory)
MD5: 5f1d5f88303d4a4dbc8e5f97ba967cc3
File Size: 15360 Bytes
Command Line: "C:\WINDOWS\system32\ctfmon.exe"
status: alive

This malware's purpose here is to monitor the input device for malicious purposes.
It has the interaction socket due to the movement of mouse/keyboard recorded below:

Monitoring devices:
VK_LBUTTON (1) 64 (Mouse Left Click actions)
*) PS: explorer.exe uses the same API for mouse clicking interaction.


Registry Values Modified:
------------------------
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer
iibc3hd
1537083445

Files Read/Write:
------------------
accessing/reading C:\autoexec.bat

Using these DLLs:
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\WS2_32.dll

------------------------------------------------------------------------------------------

(5) MSMSGS.EXE

Filename: msmsgs.exe (awylm.exe wrote to this process in virtual memory)
MD5: 3e930c641079443d4de036167a69caa2
File Size: 1,695,232 Bytes
Command Line: "C:\Program Files\Messenger\msmsgs.exe" /background
Status: alive

Executed by shell command through cmd.exe : "C:\Program Files\Messenger\msmsgs.exe /background"
This program was executed for malware networking purposes.
Running in the background and responsible for the pcap capture traffic saved at the URL below:
http://
It contacts the mothership IP, performs handshake communication and sends encrypted data.

Used DLLs:
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\MSOERT2.dll
C:\WINDOWS\system32\acctres.dll
C:\WINDOWS\system32\msoeacct.dll

------------------------------------------------------------------------------------------

(6) READER_SL.EXE

Filename: reader_sl.exe
MD5: 54c88bfbd055621e2306534f445c0c8d
File Size: 40,048 Bytes
Command Line: "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
Status: alive

This program is suspected to have been executed for malware exploit purposes.
Executed by shell command through cmd.exe :
"C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"

Cannot find the significant evidence yet. Need more time to simulate more.
Suspected to be used for exploiting the PC with some CVE exploitation for malicious purposes.

Used DLLs:
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT)
C:\WINDOWS\system32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL)
------------------------------------------------------------------------------------------


=============================
III. NETWORK TRAFFIC REPORT
=============================

This sample, upon successful execution, will create network traffic
as detailed below:

PROTOCOL    DESTINATION    NOTE
---------------------------------------------
ICMP        178.19.25.92   mothership's pong (messenger)
UDP/16892   178.19.25.92   source port (messenger)
UDP/25939   178.19.25.92   destination port (messenger)
TCP/16892   94.62.27.189   source port (messenger)
TCP/28510   94.62.27.189   destination port (messenger)
TCP/25231   (none)         backdoor/open (explorer)
*) See below for the captured packet data.

CAPTURE PACKET DETAILS
-----------------------------------------------
No.  Time      Source        Destination   Protocol
1    0.000000  x.x.x.x       178.19.25.92  UDP
Source port: 16892
Destination port: 25939

Frame 1: 197 bytes on wire (1576 bits), 197 bytes captured (1576 bits)
Ethernet II, Src: xx:xx:xx:xx:xx, Dst: 92:27:fc:57:72:bb (92:27:fc:57:72:bb)
Internet Protocol, Src: x.x.x.x, Dst: 178.19.25.92 (178.19.25.92)
User Datagram Protocol, Src Port: 16892 (16892), Dst Port: 25939 (25939)
Data (155 bytes)

0000 d1 4f 1c 1e da 0e c7 20 33 7b 06 90 fb 6d 98 af .O..... 3{...m..
0010 36 74 14 7f 80 1e ac 5f 44 f1 11 45 bf f7 43 b1 6t....._D..E..C.
0020 b7 ae f7 51 72 a0 e0 47 99 50 c2 6f a4 5f 3e 4c ...Qr..G.P.o._>L
0030 84 b1 31 8f 9a d1 ee 11 5f 25 c3 d3 e7 3e 99 9e ..1....._%...>..
0040 c9 04 13 30 88 ed 01 c6 dd 67 d0 cd 9f f0 03 c7 ...0.....g......
0050 3c 34 df 32 b6 fb f8 02 50 b0 e7 2e a7 81 0b a2 <4.2....P.......
0060 af 86 6c a5 6b 09 bf c5 06 24 a6 1e ab c3 80 22 ..l.k....$....."
0070 6e 34 9c fb 38 65 e9 a3 35 7d fe 79 7b 66 39 f6 n4..8e..5}.y{f9.
0080 45 c6 f7 5a 03 6b 9b c6 ed 3f 5d 8b 62 54 0e cd E..Z.k...?].bT..
0090 f2 4a 73 f0 9c b6 b5 94 76 d3 45 .Js.....v.E

------------------------------------------------------------------------
No.  Time      Source        Destination   Protocol
2    0.120353  178.19.25.92  x.x.x.x       ICMP

Frame 2: 190 bytes on wire (1520 bits), 190 bytes captured (1520 bits)
Ethernet II, Src: 92:27:fc:57:72:bb (92:27:fc:57:72:bb), Dst: xx:xx:xx:xx
Internet Protocol, Src: 178.19.25.92 (178.19.25.92), Dst: x.x.x.x
Internet Control Message Protocol

------------------------------------------------------------------------
No.  Time       Source        Destination   Protocol
3    36.124424  x.x.x.x       178.19.25.92  UDP
Source port: 16892
Destination port: 28510

Frame 3: 243 bytes on wire (1944 bits), 243 bytes captured (1944 bits)
Ethernet II, Src: xx:xx:xx:xx, Dst: 92:27:fc:57:72:bb (92:27:fc:57:72:bb)
Internet Protocol, Src: x.x.x.x, Dst: 94.62.27.189 (94.62.27.189)
User Datagram Protocol, Src Port: 16892 (16892), Dst Port: 28510 (28510)
Data (201 bytes)

0000 33 34 b5 b7 07 24 c9 b7 42 ba 88 23 5f d3 eb fd 34...$..B..#_...
0010 4e 5e 1b 10 e6 32 00 8c 97 22 c2 96 6c 24 90 62 N^...2..."..l$.b
0020 64 7d 24 82 a1 73 33 94 4a 83 11 bc 7f 36 9d ad d}$..s3.J....6..
0030 18 c7 42 66 ab 65 bb bd 21 3c f9 ba 6c 19 8a 62 ..Bf.e..!<..l..b
0040 e5 e2 01 a7 b3 e7 e1 b4 c4 d6 b4 3a 9d 12 44 8d ...........:..D.
0050 44 52 fe c3 1c 35 bb ca a0 1a 1e 08 4b af 25 ec DR...5......K.%.
0060 04 23 f5 96 43 80 c8 9c 49 33 d8 9b c5 a1 f1 5f .#..C...I3....._
0070 b3 ab c5 fe f2 65 51 8c 7e 3d 7f 2a 24 7a 8d db .....eQ.~=.*$z..
0080 1f 25 a0 32 a4 dd 9e 69 d9 99 ed 16 20 ae 47 02 .%.2...i.... .G.
0090 a1 de 24 60 01 08 11 80 a4 e3 fc 14 94 9b aa f2 ..$`............
00a0 c8 4c f6 db 17 8d b4 32 9e 83 d5 01 a1 0e ed 5f .L.....2......._
00b0 76 90 bf 1f d2 d3 0d 51 19 24 e6 10 c1 1b f4 88 v......Q.$......
00c0 db 7c 3b fb 33 d0 22 6a 94 .|;.3."j.
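The capture above gives the UDP payloads only as Wireshark-style hex dumps, and the report's reading of them ("sending encrypted data") rests on the payload having no visible structure. As an added example, not part of the original report, the Python below rebuilds the bytes of frame 1 from that dump, validating each line's offset against the byte count parsed so far and the "Data (155 bytes)" header, reports how much of the payload is printable ASCII, and correlates the flows' source port with the firewall exceptions recorded in section II. The hex dump is copied from the report; the flow list and the opened-port set are constructed from the report's tables.

```python
# Frame 1 payload, copied from the report's capture ("Data (155 bytes)").
FRAME1_DUMP = """
0000 d1 4f 1c 1e da 0e c7 20 33 7b 06 90 fb 6d 98 af .O..... 3{...m..
0010 36 74 14 7f 80 1e ac 5f 44 f1 11 45 bf f7 43 b1 6t....._D..E..C.
0020 b7 ae f7 51 72 a0 e0 47 99 50 c2 6f a4 5f 3e 4c ...Qr..G.P.o._>L
0030 84 b1 31 8f 9a d1 ee 11 5f 25 c3 d3 e7 3e 99 9e ..1....._%...>..
0040 c9 04 13 30 88 ed 01 c6 dd 67 d0 cd 9f f0 03 c7 ...0.....g......
0050 3c 34 df 32 b6 fb f8 02 50 b0 e7 2e a7 81 0b a2 <4.2....P.......
0060 af 86 6c a5 6b 09 bf c5 06 24 a6 1e ab c3 80 22 ..l.k....$....."
0070 6e 34 9c fb 38 65 e9 a3 35 7d fe 79 7b 66 39 f6 n4..8e..5}.y{f9.
0080 45 c6 f7 5a 03 6b 9b c6 ed 3f 5d 8b 62 54 0e cd E..Z.k...?].bT..
0090 f2 4a 73 f0 9c b6 b5 94 76 d3 45 .Js.....v.E
"""

# Flow records constructed from the report's traffic table (x.x.x.x is the analysis host).
FLOWS = [
    {"proto": "UDP", "src_port": 16892, "dst": "178.19.25.92", "dst_port": 25939},
    {"proto": "UDP", "src_port": 16892, "dst": "94.62.27.189", "dst_port": 28510},
]

# Firewall exceptions written by the injected explorer.exe (section II, part 3).
OPENED_PORTS = {16892, 25231}

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_hexdump(text: str, expected_len=None) -> bytes:
    """Rebuild bytes from "offset  b0 b1 ... b15  ascii" lines.

    Each line's offset must equal the number of bytes parsed so far, which
    catches a dropped or duplicated line; the ASCII column is skipped by
    stopping at the first token that is not exactly two hex digits.
    """
    data = bytearray()
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        offset = int(tokens[0], 16)
        if offset != len(data):
            raise ValueError(f"offset {offset:#06x} but {len(data)} bytes parsed so far")
        for tok in tokens[1:17]:          # at most 16 bytes per dump line
            if len(tok) == 2 and set(tok) <= HEX_DIGITS:
                data.append(int(tok, 16))
            else:
                break
    if expected_len is not None and len(data) != expected_len:
        raise ValueError(f"expected {expected_len} bytes, parsed {len(data)}")
    return bytes(data)


def payload_stats(data: bytes) -> dict:
    """Length, fraction of printable ASCII (0x20-0x7e) and distinct byte values."""
    printable = sum(1 for b in data if 0x20 <= b <= 0x7E)
    return {"length": len(data),
            "printable_ratio": printable / len(data) if data else 0.0,
            "distinct_bytes": len(set(data))}


def correlate_opened_ports(flows, opened_ports) -> list:
    """Flows whose source port is one the malware opened in the host firewall."""
    return [f for f in flows if f["src_port"] in opened_ports]


if __name__ == "__main__":
    payload = parse_hexdump(FRAME1_DUMP, expected_len=155)
    print(payload_stats(payload))
    for f in correlate_opened_ports(FLOWS, OPENED_PORTS):
        print(f"{f['proto']} src {f['src_port']} -> {f['dst']}:{f['dst_port']} uses a firewall-opened port")
```

A payload that is roughly a third printable with no recognisable header is consistent with the report's encrypted-traffic reading but does not prove it; the fixed source port 16892 reappearing in both outbound flows is the stronger pivot, since it is also the port the injected explorer.exe opened in the firewall policy.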



=================================
IV. MALWARE VERDICT
=================================

SHA1: 416548086c39938fd2d8194c27958261314c01e2
MD5: 17bde98108092ed612c4511bd6a633ee
File size: 271.5 KB ( 278016 bytes )
File name: BtxX9KX.exe
File type: Win32 EXE
Detection ratio: 33 / 43
URL: https://www.virustotal.com/file/0dbce33621898ecd824a272ce5e960a685051a4a695292efb0b05d604827529e/analysis/

Antivirus            Result                                  Update
------------------------------
AhnLab-V3            Spyware/Win32.Zbot                      20120313
AntiVir              TR/Offend.KD.552855                     20120314
Antiy-AVL            Trojan/Win32.Zbot                       20120314
Avast                Win32:Zbot-OCM [Trj]                    20120314
AVG                  PSW.Generic9.BQLB                       20120314
BitDefender          Trojan.Spy.Zbot.EVB                     20120314
ByteHero             Trojan.Win32.Heur.Gen                   20120309
CAT-QuickHeal        TrojanSpy.Zbot.dmzm                     20120314
ClamAV               -                                       20120314
Commtouch            W32/Zbot.DQ3.gen!Eldorado               20120314
Comodo               TrojWare.Win32.Trojan.Agent.Gen         20120313
DrWeb                Trojan.PWS.Panda.1698                   20120314
Emsisoft             Trojan-PWS.Win32.Zbot!IK                20120314
eSafe                -                                       20120313
eTrust-Vet           -                                       20120314
F-Prot               W32/Zbot.DQ3.gen!Eldorado               20120314
F-Secure             Trojan.Spy.Zbot.EVB                     20120314
Fortinet             W32/Zbot.AAN!tr                         20120314
GData                Trojan.Spy.Zbot.EVB                     20120314
Ikarus               Trojan-PWS.Win32.Zbot                   20120314
Jiangmin             -                                       20120301
K7AntiVirus          Trojan                                  20120313
Kaspersky            Trojan-Spy.Win32.Zbot.dmzm              20120314
McAfee               Artemis!17BDE9810809                    20120308
McAfee-GW-Edition    Generic PWS.y!d2k                       20120314
Microsoft            PWS:Win32/Zbot.gen!AF                   20120314
NOD32                Win32/Spy.Zbot.AAN                      20120314
Norman               W32/Zbot.BMRX                           20120314
nProtect             Trojan/W32.Agent.278016.DC              20120314
Panda                Generic Trojan                          20120313
PCTools              -                                       20120313
Prevx                -                                       20120314
Rising               Trojan.Win32.Generic.12B9C7CD           20120314
Sophos               Mal/Toqwet-A                            20120314
SUPERAntiSpyware     -                                       20120314
Symantec             WS.Reputation.1                         20120314
TheHacker            Trojan/Dropper.Injector.dffv            20120313
TrendMicro           -                                       20120314
TrendMicro-HouseCall TSPY_ZBOT.BUM                           20120314
VBA32                -                                       20120313
VIPRE                Trojan.Win32.Generic.pak!cobra          20120314
ViRobot              -                                       20120314
VirusBuster          TrojanSpy.Zbot!FzMiqMxwcJ8              20120314

---
Operation Cleanup Japan - #OCJP
ZeroDay Japan
http://0day.jp
Malware Analyst: Hendrik ADRIAN / アドリアン・ヘンドリック
Twitter/VirusTotal/Google: @unixfreaxjp
Analysis Blog: http://unixfreaxjp.blogspot.com