** Chinese ExploitKit/CVE-2012-1889 | FakeIME InfoStealer Trojan **
================================
CHINESE FAKE IME INFECTIONS
STARTING FAKE NET SERVICE
STARTING CRYPTER SERVICE
INFO STEALER
Found/analysis:
#MalwareMustDie / @unixfreaxjp
================================
-----------
Infector IP:
-----------
IP: 222.73.57.117
inetnum: 222.64.0.0 - 222.73.255.255
netname: CHINANET-SH
descr: CHINANET shanghai province network
descr: China Telecom
descr: No1,jin-rong Street
descr: Beijing 100032
country: CN
-----------
Info:
-----------
person: Wu Xiao Li
address: Room 805,61 North Si Chuan Road,Shanghai,200085,PRC
country: CN
phone: +86-21-63630562
fax-no: +86-21-63630566
e-mail: ip-admin@mail.online.sh.cn
nic-hdl: XI5-AP
mnt-by: MAINT-CHINANET-SH
changed: ip-admin@mail.online.sh.cn 20010510
source: APNIC
-----------
Infector URLs:
-----------
======================
ANALYSIS
======================
--02:53:10-- h00p://9be14ngfsd.pppdiy.com/jx/xop.html
=> `xop.html'
Resolving 9be14ngfsd.pppdiy.com... 222.73.57.117
Connecting to 9be14ngfsd.pppdiy.com|222.73.57.117|:80... connected.
h00p request sent, awaiting response... 200 OK
Length: 9,950 (9.7K) [text/html]
02:53:15 (2.74 KB/s) - `xop.html' saved [9950/9950]
-----------------------------
[h00p] URL: h00p://9be14ngfsd.pppdiy.com/jx/xop.html (Status: 200, Referrer: None)
// ActiveX : f6d90f11-9c73-11d3-b32e-00c04f990bb4 Dropped:
`jx.exe'
Connecting to 222.73.57.117:80... connected.
h00p request sent, awaiting response... 200 OK
Length: 48,128 (47K) [application/octet-stream]
------------------------------------
Sections:
UPX0 0x1000 0x7000 0 <<<<<<< PACKED!!
UPX1 0x8000 0xc000 46592 <<<<<<< PACKED!!
UPX2 0x14000 0x1000 512 <<<<<<< PACKED!!
//unpacking.....
UPX 3.07 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 08th 2010
File size Ratio Format Name
------------------ ------ ----------- -----------
58880 <- 48128 81.74% win32/pe sample
Unpacked 1 file.
-------bin analysis------
Fail CRC: Claimed: 0 Actual: 60344
Fail Compile Time: 2033-11-12 07:06:07
Compiler: Microsoft Visual C++ v6.0
// strange....
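The three static signals noted above (UPX section names, a CheckSum that does not match the file, a compile timestamp years in the future) can be checked from the PE header alone. Added example, not part of the MMD analysis and not the tool used there: the header parser and CheckSum recomputation are written here from the PE32 layout, and `build_sample()` constructs a header-only shell that reproduces the report's values (it is not the real jx.exe).

```python
import calendar
import struct
import time

PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}  # section names from the report's dump

def pe_checksum(data, checksum_off):
    """Recompute the PE CheckSum: fold 16-bit words, skip the CheckSum field, add the length."""
    total = 0
    padded = data + b"\0" * (len(data) % 2)
    for off in range(0, len(padded), 2):
        if checksum_off <= off < checksum_off + 4:
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)

def triage(data, now=None):
    """Findings for a PE32 image; 'now' is epoch seconds used for the timestamp check."""
    now = time.time() if now is None else now
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, tstamp, opt_size = struct.unpack_from("<HI8xH", data, coff + 2)
    opt = coff + 20                 # optional header follows the 20-byte COFF header
    checksum_off = opt + 64         # IMAGE_OPTIONAL_HEADER32.CheckSum
    claimed = struct.unpack_from("<I", data, checksum_off)[0]
    sec_table = opt + opt_size      # section headers are 40 bytes each, name first
    names = [data[sec_table + 40 * i:sec_table + 40 * i + 8].rstrip(b"\0") for i in range(nsec)]
    packed = [n.decode() for n in names if n in PACKER_SECTIONS]
    findings = ["packer sections: " + ", ".join(packed)] if packed else []
    actual = pe_checksum(data, checksum_off)
    if claimed != actual:
        findings.append(f"checksum mismatch: claimed {claimed} actual {actual}")
    if tstamp > now:
        findings.append("compile time in the future: " + time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(tstamp)))
    return findings

def build_sample():
    """Constructed PE32 header shell (no code, not the real jx.exe) with the report's signals."""
    ts = calendar.timegm((2033, 11, 12, 7, 6, 7, 0, 0, 0))   # 2033-11-12 07:06:07 UTC
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, ts, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)        # CheckSum field stays 0
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, 0x400, 0, 0, 0, 0, 0xE0000060)
                    for n, va, vs, rs in ((b"UPX0", 0x1000, 0x7000, 0),
                                          (b"UPX1", 0x8000, 0xC000, 46592),
                                          (b"UPX2", 0x14000, 0x1000, 512)))
    return dos + b"PE\0\0" + coff + opt + secs
```

Run `triage(open(path, "rb").read())` on a real file; a CheckSum of 0 is common in unsigned binaries, so treat that finding as weak on its own and the future timestamp plus packer sections as the stronger pair.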
0x40402c CreateToolhelp32Snapshot
0x404054 Process32First
0x404080 Process32Next
// Renaming itself....
call sub_40161C
call sub_401693
mov ebx, offset aJx3client_exe ; "JX3Client.exe"
--------------traces---------
// Malware OP traces...
000000002FE6 0000004047E6 0 MoveFileA
000000003032 000000404832 0 WriteFile
00000000303E 00000040483E 0 CreateFileA
00000000304C 00000040484C 0 WinExec
000000003074 000000404874 0 CopyFileA
// keystroke controlling...
0000000030C0 0000004048C0 0 GetKeyboardLayoutList
0000000030D8 0000004048D8 0 GetKeyboardLayoutNameA
0000000030F2 0000004048F2 0 ActivateKeyboardLayout
00000000310C 00000040490C 0 GetKeyboardLayout
000000003120 000000404920 0 LoadKeyboardLayoutA
000000003136 000000404936 0 UnloadKeyboardLayout
// IME Traces...
IMM32.dll.ImmGetDescriptionA Hint[0]
IMM32.dll.ImmInstallIMEA Hint[0]
IMM32.dll.ImmIsIME Hint[0]
// temp OPS data
00000000380C 00000040520C 0 %c:\Recycled\%d.tmp
000000003820 000000405220 0 %c:\RECYCLER\%d.tmp
// Crypter service..
00000000E05C 00000040FA5C 0 sc delete cryptsvc
00000000E070 00000040FA70 0 sc config cryptsvc start= disabled
00000000E094 00000040FA94 0 net stop cryptsvc
//registry added traces
00000000E0A8 00000040FAA8 0 %s%s%d.dll // kbdus.dll
00000000E0DC 00000040FADC 0 SOFTWARE\kingsoft\JX3\zhcn
00000000E0F8 00000040FAF8 0 JX3Client // JX3Client.exe
00000000E104 00000040FB04 0 Software\Microsoft\Windows\ShellNoRoam\MUICache
00000000E134 00000040FB34 0 %sdllcache\%s
00000000E144 00000040FB44 0 %syu%s //
//Drops
C:\WINDOWS\system32\chinasougou.ime
C:\WINDOWS\system32\yumidimap.dll
C:\WINDOWS\system32\net1.exe
// Malware service...
Filename: net1.exe
MD5: 3f14c041342e3fba343f2a1d11e74bba
SHA-1: 4221467faee4926d692bd5ae71cf0a37f326bf42
File Size: 124928 Bytes
Command Line: net1 stop cryptsvc
//Crypter Service:
Filename: sc.exe
MD5: a48b1c06219a01a60cd8d4d45440bde9
SHA-1: 34af23607ad5afa9e61b6a96cec811e6bdc50b4a
File Size: 31232 Bytes
Command Line: sc config cryptsvc start= disabled
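The cryptsvc tampering (sc delete / sc config start= disabled / net stop) and the drop paths (a fake .ime in system32, %d.tmp staging under Recycled/RECYCLER) are the host-side behaviour a defender can alert on. Added example, not from the MMD analysis and not the sample's code: a Python triage over host events; the 'key=value|key=value' line format, its field names, and the event lines themselves are constructed for this example.

```python
import re

# Commands the sample issues to disable Cryptographic Services (from the string dump above)
CRYPTSVC_TAMPER = re.compile(
    r"\b(?:sc(?:\.exe)?\s+(?:delete|config)\s+cryptsvc|net1?(?:\.exe)?\s+stop\s+cryptsvc)\b", re.I)
# Drop locations the sample uses: a fake .ime in system32, %d.tmp staging under the recycle bin
SUSPECT_PATH = re.compile(r"\\system32\\[^\\]+\.ime$|\\(?:Recycled|RECYCLER)\\\d+\.tmp$", re.I)

def parse_event(line):
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def triage_events(lines):
    """Return (rule, pid, evidence) tuples; pid is the process responsible for the event."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("event") == "process" and CRYPTSVC_TAMPER.search(ev.get("cmd", "")):
            alerts.append(("cryptsvc_tamper", ev["pid"], ev["cmd"]))
        elif ev.get("event") == "file" and SUSPECT_PATH.search(ev.get("path", "")):
            alerts.append(("suspicious_drop", ev["pid"], ev["path"]))
    return alerts

def pids_with_both(alerts):
    """PIDs that both tampered with cryptsvc and dropped files: the strongest signal here."""
    by_rule = {}
    for rule, pid, _ in alerts:
        by_rule.setdefault(pid, set()).add(rule)
    return sorted(pid for pid, rules in by_rule.items() if len(rules) == 2)

# Constructed event lines in a hypothetical host-monitor format (not real telemetry).
SAMPLE_LOG = [
    r"event=file|pid=1196|path=C:\Recycled\1196.tmp",
    r"event=file|pid=1196|path=C:\WINDOWS\system32\chinasougou.ime",
    r"event=file|pid=1196|path=C:\WINDOWS\system32\yumidimap.dll",
    r"event=process|pid=1196|image=C:\WINDOWS\system32\net1.exe|cmd=net1 stop cryptsvc",
    r"event=process|pid=1196|image=C:\WINDOWS\system32\sc.exe|cmd=sc config cryptsvc start= disabled",
    r"event=process|pid=1196|image=C:\WINDOWS\system32\sc.exe|cmd=sc delete cryptsvc",
    r"event=process|pid=2044|image=C:\WINDOWS\system32\sc.exe|cmd=sc query cryptsvc",
    r"event=file|pid=2044|path=C:\WINDOWS\system32\dllcache\kbdus.dll",
]
```

The benign `sc query cryptsvc` and the legitimate kbdus.dll write are deliberately left unflagged; the yumidimap.dll drop is not matched either, since a generic .dll write into system32 is too noisy on its own.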
------------------------------------------------------
VIRUS TOTAL CHECKS
-----------------------------------------------------
First Check in VT: (PACKED/ORIGINAL)
https://www.virustotal.com/file/62f1707394325b5c3ac09df8e362b9a0710fbc956b3327f419063e24182c1e5b/analysis/1348946206/
McAfee : Artemis!BBFC347F66C1
K7AntiVirus : Riskware
TheHacker : Posible_Worm32
F-Prot : W32/Heuristic-114!Eldorado
ESET-NOD32 : a variant of Win32/PSW.OnLineGames.QBF
TrendMicro-HouseCall : TROJ_GEN.RCBCEHF
Kaspersky : HEUR:Trojan.Win32.Generic
F-Secure : Dropped:Trojan.PWS.FakeIME.B
VIPRE : Trojan.Win32.Generic!BT
AntiVir : TR/ATRAPS.Gen
TrendMicro : TROJ_GEN.RCBCEHF
McAfee-GW-Edition : Artemis!BBFC347F66C1
Jiangmin : Trojan/Generic.algbo
Microsoft : PWS:Win32/Lolyda.BF
Commtouch : W32/Heuristic-114!Eldorado
AhnLab-V3 : Trojan/Win32.Xema
VBA32 : TrojanPSW.QQTen.ng
PCTools : Trojan.Gen
Ikarus : Trojan-PWS.Win32.Lolyda
Fortinet : W32/Onlinegames.QBF!tr
AVG : unknown virus Win32/DH{HhM6SEVn}
Panda : Suspicious file
---------------------------------------------------------------------
First Check in VT: (UNPACKED)
https://www.virustotal.com/file/f63345d3adc06ca20aafe0e9ab4b0a2c47f4dcff71b0d696dd8ae8412626fe4c/analysis/1348946229/
F-Secure : Dropped:Trojan.PWS.FakeIME.B
DrWeb : BackDoor.PcClient.5930
GData : Dropped:Trojan.PWS.FakeIME.B
Symantec : Suspicious.Cloud.5
Norman : W32/OnLineGames.NVOE
ESET-NOD32 : a variant of Win32/PSW.OnLineGames.QBF
eScan : Dropped:Trojan.PWS.FakeIME.B
Fortinet : W32/Onlinegames.QBF!tr
Emsisoft : Trojan-PWS.Win32.Lolyda!IK
VBA32 : TrojanPSW.QQTen.ng
Kaspersky : HEUR:Trojan.Win32.Generic
Jiangmin : Trojan/Generic.algbo
Rising : Trojan.Win32.Fednu.uhc
Ikarus : Trojan-PWS.Win32.Lolyda
AntiVir : TR/Crypt.ZPACK.Gen
AVG : unknown virus Win32/DH{HhM6SEVn}
Panda : Suspicious file
ViRobot : Trojan.Win32.A.PSW-Frethoq.51200
Comodo : TrojWare.Win32.Poison.QBF
INFECTOR: XOP.HTML
https://www.virustotal.com/file/c9b661491464aecd75cee4bc205d3076829b1b4c9915e2999d15d2a89536f421/analysis/1348946760/
eScan : Exploit.CVE-2012-1889.Gen
nProtect : Exploit.CVE-2012-1889.Gen
CAT-QuickHeal : Exploit.CVE.2012.1889
McAfee : Exploit-CVE2012-1889
K7AntiVirus : Exploit
F-Prot : JS/CVE-1889
Norman : ShellCode.AA
TotalDefense : JS/Tnega.VKD
Avast : JS:CVE-2012-1889 [Expl]
eSafe : JS.ShellCode.Aurora
ClamAV : Exploit.CVE_2012_1889-6
Kaspersky : HEUR:Exploit.Script.Generic
BitDefender : Exploit.CVE-2012-1889.Gen
Sophos : Mal/JSShell-B
Comodo : TestSignature.JS.Agent.SH
F-Secure : Exploit:JS/CVE-2012-1889.A
DrWeb : Exploit.CVE2012-1889
VIPRE : Exploit.HTML.CVE-2012-1889 (v)
AntiVir : Exp/JS.Shellcode.H
McAfee-GW-Edition : Heuristic.BehavesLike.JS.Unwanted
Emsisoft : Trojan.Script!IK
ESET-NOD32 : JS/Exploit.Shellcode.A.gen
Microsoft : Exploit:JS/ShellCode.AT
GData : Exploit.CVE-2012-1889.Gen
Commtouch : JS/CVE-1889
AhnLab-V3 : JS/Agent
Ikarus : Trojan.Script
AVG : Exploit
====================================
MALWARE MUST DIE!!!
#MalwareMustDie
Sept 29 2012 / @unixfreaxjp
===================================