#malwareMustDie - BHEK Cridex (Parfeit trojan downloader)
# Binary (static/dynamic/VT) Quick Analysis
# @unixfreaxjp

/malware]$ date
# Sat Dec 22 19:07:15 JST 2012

GET /detects/continues-little.php?zf=30:2v:1f:1j:30&ge=1n:2w:1i:1j:1o:1i:1g:2v:1m:1m&l=1k&iw=z&hf=d HTTP/1.0
Referer: http://www.irwra.com//wp-content/themes/mantra/uploads/cpa_inform.html
User-Agent: Hey Moronz - Let's rock'n'roll #MalwareMustDie!
Accept: */*
Host: latticesoft.net
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.3.3
Date: Sat, 22 Dec 2012 07:02:18 GMT
Content-Type: application/x-msdownload
Content-Length: 217088
Connection: close
X-Powered-By: PHP/5.3.14
Pragma: public
Expires: Sat, 22 Dec 2012 07:02:18 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="calc.exe"
Content-Transfer-Encoding: binary
---response end---
200 OK
Length: 217,088 (212K) [application/x-msdownload]

100%[====================================>] 217,088  19.23K/s  ETA 00:00

Closed fd 1896
16:02:42 (20.92 KB/s) - `continues-little.php@zf=30%3A2v%3A1f%3A1j%3A30&ge=1n%3A2w%3A1i%3A1j%3A1o%3A1i%3A1g%3A2v%3A1m%3A1m&l=1k&iw=z&hf=d' saved [217088/217088]

// the server hands it out as "calc.exe", so let's call it calc.exe then :-)

====================== BINARY ANALYSIS =======================
// Binary analysis, combined from many sources....
ExifTool:
  SubsystemVersion.........: 4.0
  InitializedDataSize......: 69632
  ImageVersion.............: 0.0
  ProductName..............: Java(TM) Platform SE 6 U37
  FileVersionNumber........: 6.0.370.6
  UninitializedDataSize....: 0
  LanguageCode.............: Neutral
  FileFlagsMask............: 0x003f
  FullVersion..............: 1.6.0_37-b06
  CharacterSet.............: Unicode
  LinkerVersion............: 8.0
  OriginalFilename.........: java.exe
  MIMEType.................: application/octet-stream
  Subsystem................: Windows GUI
  FileVersion..............: 6.0.370.6
  TimeStamp................: 2003:02:17 03:41:05+00:00
  FileType.................: Win32 EXE
  PEType...................: PE32
  InternalName.............: java
  ProductVersion...........: 6.0.370.6
  FileDescription..........: Java(TM) Platform SE binary
  OSVersion................: 4.0
  FileOS...................: Win32
  LegalCopyright...........: Copyright 2012
  MachineType..............: Intel 386 or later, and compatibles
  CompanyName..............: Sun Microsystems, Inc.
  CodeSize.................: 163840
  FileSubtype..............: 0
  ProductVersionNumber.....: 6.0.370.6
  EntryPoint...............: 0x1335
  ObjectFileType...........: Executable application

PE information:
  Compilation timedatestamp.....: 2003-02-17 03:41:05
  Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
  Entry point address...........: 0x00001335

PE Sections:
  Name    VirtAddr  VirtSize  RawSize
  .text   0x1000    0x270a5   163840
  .rdata  0x29000   0xa4c     4096
  .data   0x2a000   0x100040  4096
  fdata   0x12b000  0x280     4096
  .rsrc   0x12c000  0x807c    36864

TrID:
  Win32 Executable MS Visual C++ (generic) (63.0%)
  Win32 Executable Generic (14.2%)
  Win32 Dynamic Link Library (generic) (12.6%)
  Clipper DOS Executable (3.3%)
  Generic Win/DOS Executable (3.3%)

// Faking Java... (version info resource)
  CompanyName       Sun Microsystems, Inc.
  FileDescription   Java(TM) Platform SE binary
  FileVersion       Full Version
  InternalName      java
  LegalCopyright    Copyright
  OriginalFilename  java.exe
  ProductName       Java(TM) Platform SE 6 U37

// Runtime DLLs:
  shlwapi.dll
  kernel32.dll
  advapi32.dll
  shell32.dll
  rpcrt4.dll
  version.dll

// Calls imported from those DLLs:
  00429000 RegEnumKeyA ADVAPI32
  00429004 RegCloseKey ADVAPI32
  00429008 RegOpenKeyExA ADVAPI32
  0042900C RegQueryValueExA ADVAPI32
  00429014 WaitForSingleObject KERNEL32
  00429018 CreateThread KERNEL32
  0042901C GetFileType KERNEL32
  00429020 FormatMessageA KERNEL32
  00429024 GetDriveTypeA KERNEL32
  00429028 GetCurrentProcessId KERNEL32
  0042902C TlsGetValue KERNEL32
  00429030 FreeLibrary KERNEL32
  00429034 HeapReAlloc KERNEL32
  00429038 GetStringTypeA KERNEL32
  0042903C FileTimeToLocalFileTime KERNEL32
  00429040 HeapCreate KERNEL32
  00429044 TlsAlloc KERNEL32
  00429048 VirtualAlloc KERNEL32
  0042904C GetExitCodeThread KERNEL32
  00429050 VirtualFree KERNEL32
  00429054 HeapAlloc KERNEL32
  00429058 TerminateProcess KERNEL32
  0042905C FindNextFileA KERNEL32
  00429060 GetFullPathNameA KERNEL32
  00429064 GetTimeZoneInformation KERNEL32
  00429068 SetHandleCount KERNEL32
  0042906C FileTimeToSystemTime KERNEL32
  00429070 LCMapStringA KERNEL32
  00429074 CreateFileA KERNEL32
  00429078 WriteFile KERNEL32
  0042907C LoadLibraryA KERNEL32
  00429080 QueryPerformanceCounter KERNEL32
  00429084 GetLocaleInfoA KERNEL32
  00429088 FindClose KERNEL32
  0042908C GetCurrentThreadId KERNEL32
  00429090 HeapDestroy KERNEL32
  00429094 VirtualProtect KERNEL32
  00429098 HeapFree KERNEL32
  0042909C InterlockedExchange KERNEL32
  004290A0 QueryPerformanceFrequency KERNEL32
  004290A4 GetExitCodeProcess KERNEL32
  004290A8 GetACP KERNEL32
  004290AC GetVersionExA KERNEL32
  004290B0 LeaveCriticalSection KERNEL32
  004290B4 FreeEnvironmentStringsW KERNEL32
  004290B8 GetProcAddress KERNEL32
  004290BC GetModuleFileNameA KERNEL32
  004290C0 LocalFree KERNEL32
  004290C4 GetEnvironmentStringsW KERNEL32
  004290C8 CompareStringA KERNEL32
  004290CC SetEnvironmentVariableA KERNEL32
  004290D0 SetEnvironmentVariableW KERNEL32
  004290D4 WideCharToMultiByte KERNEL32
  004290D8 GetFileAttributesA KERNEL32
  004290DC TlsFree KERNEL32
  004290E0 GetEnvironmentStrings KERNEL32
  004290E4 SetEndOfFile KERNEL32
  004290E8 CompareStringW KERNEL32
  004290EC SetLastError KERNEL32
  004290F0 VirtualQuery KERNEL32
  004290F4 SetFilePointer KERNEL32
  004290F8 InitializeCriticalSection KERNEL32
  004290FC GetModuleHandleA KERNEL32
  00429100 CloseHandle KERNEL32
  00429104 GetCurrentDirectoryW KERNEL32
  00429108 GetCurrentDirectoryA KERNEL32
  0042910C MultiByteToWideChar KERNEL32
  00429110 FlushFileBuffers KERNEL32
  00429114 LCMapStringW KERNEL32
  00429118 GetStringTypeW KERNEL32
  0042911C HeapSize KERNEL32
  00429120 ExitProcess KERNEL32
  00429124 GetLastError KERNEL32
  00429128 GetCPInfo KERNEL32
  0042912C TlsSetValue KERNEL32
  00429130 FreeEnvironmentStringsA KERNEL32
  00429134 GetCurrentProcess KERNEL32
  00429138 GetSystemInfo KERNEL32
  0042913C EnterCriticalSection KERNEL32
  00429140 GetCommandLineA KERNEL32
  00429144 GetTickCount KERNEL32
  00429148 GetOEMCP KERNEL32
  0042914C ReadFile KERNEL32
  00429150 RtlUnwind KERNEL32
  00429154 ExitThread KERNEL32
  00429158 UnhandledExceptionFilter KERNEL32
  0042915C CreateProcessA KERNEL32
  00429160 DeleteCriticalSection KERNEL32
  00429164 lstrcatA KERNEL32
  00429168 IsValidLanguageGroup KERNEL32
  0042916C GetStartupInfoA KERNEL32
  00429170 FindFirstFileA KERNEL32
  00429174 GetSystemTimeAsFileTime KERNEL32
  00429178 SetStdHandle KERNEL32
  0042917C GetStdHandle KERNEL32

// garbage pattern used for obfuscating the binary code (repetitive "qwr" filler inside .text)
.text:0040AD40 2D 3A BC E6 33 71 77 72 71 77 72 71 77 72 71 77  -:シ・qwrqwrqwrqw
.text:0040AD50 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72  rqwrqwrqwrqwrqwr
.text:0040AD60 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71  qwrqwrqwrqwrqwrq
.text:0040AD70 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77  wrqwrqwrqwrqwrqw
.text:0040AD80 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72  rqwrqwrqwrqwrqwr
.text:0040AD90 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71  qwrqwrqwrqwrqwrq
.text:0040ADA0 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77  wrqwrqwrqwrqwrqw
.text:0040ADB0 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72  rqwrqwrqwrqwrqwr
.text:0040ADC0 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71  qwrqwrqwrqwrqwrq
       :
       :
.text:0040B440 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72  rqwrqwrqwrqwrqwr
.text:0040B450 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71  qwrqwrqwrqwrqwrq
.text:0040B460 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77  wrqwrqwrqwrqwrqw
.text:0040B470 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72  rqwrqwrqwrqwrqwr
.text:0040B480 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71  qwrqwrqwrqwrqwrq
.text:0040B490 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77  wrqwrqwrqwrqwrqw
.text:0040B4A0 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72  rqwrqwrqwrqwrqwr
.text:0040B4B0 71 77 72 71 77 72 71 77 72 71 3F 07 00 00 E1 07  qwrqwrqwrq?..・

========================= BEHAVIOUR ANALYSIS (A quicky) =========================
// Files & Processes....
Sample deletes itself and drops a copy of itself to:
  %AppData%\KB00927107.exe

Running processes:
  %System%\cmd.exe" /c "%Temp%\exp1.tmp.bat""
  %Appdata%\KB00927107.exe
   |
   +-- Code injections into the following processes...
         wscntfy.exe
         exp3.tmp.exe

// Aggressive Network Trace:
HTTP requests...
  URL:  http://188.120.226.30:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/  (path differs in every attempt..)
  TYPE: POST
  UA:   Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)

// Registry
// autostart...
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run\KB00777165.exe:
  ""C:\Documents and Settings\rik\Application Data\KB00777165.exe""

// the Parfeit config file in the registry (bintext dump)
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows NT\SD5809E24\:
  3C 73 65 74 7 2F 75 72 6C 3E 3C 75 72 6C 20 63 6F 6E 74 65 6E 74 54 79 70 65
  3D 22 5E 74 65 78 74 2F 28 68 74 6D 6C 7C 74 6D 6C 7C 70 6C 61 69 6E 29 22 3E
  2F 61 75 74 68 65 6E 74 69 63 61 74 69 6F 6E 2F 7A 62 66 2F 6B 2F 3C 3 61 73
  68 6D 61 6E 2F 3C 2F 75 72 6C 3E 3C 75 72 6C 20 63 6F 6E 74 65 6E 74 54 79 70
  65 3D 22 5E 74 65 7 70 65 3D 22 5E 74 65 78 74 2F 28 68 74 6D 6C 7C 70 6C 61
  69 6E 29 22 3E 2F 63 6D 6D 61 69 6E 5C 2E 63 66
  : (etc)

============================== PAYLOAD/BINARY DETECTION RATIO ANALYSIS ==============================
// VT scan:
SHA256:          d18b3092907456fa96727bbe5cb24eb1e58777c473954a84bd2566cb2b0c81c0
SHA1:            4c478e491b4c36770612efe781d74bbc67639192
MD5:             8c25020ae092a27396cae4ff5a0a5085
File size:       212.0 KB ( 217088 bytes )
File name:       8c25020ae092a27396cae4ff5a0a5085
File type:       Win32 EXE
Tags:            peexe
Detection ratio: 15 / 44
Analysis date:   2012-12-20 08:34:28 UTC ( 1 day, 22 hours ago )
URL:             https://www.virustotal.com/latest-scan/d18b3092907456fa96727bbe5cb24eb1e58777c473954a84bd2566cb2b0c81c0

  F-Secure             : Gen:Variant.Kazy.128823
  GData                : Gen:Variant.Kazy.128823
  VIPRE                : Win32.Malware!Drop
  TrendMicro           : TROJ_KRYPTIK.OSJ
  McAfee-GW-Edition    : Artemis!8C25020AE092
  TrendMicro-HouseCall : TROJ_KRYPTIK.OSJ
  MicroWorld-eScan     : Gen:Variant.Kazy.128823
  Avast                : Win32:Crypt-OPM [Trj]
  Kaspersky            : Trojan.Win32.Bublik.woq
  BitDefender          : Gen:Variant.Kazy.128823
  McAfee               : Artemis!8C25020AE092
  Malwarebytes         : Spyware.Password
  Fortinet             : W32/Bublik.WOQ!tr
  ESET-NOD32           : a variant of Win32/Kryptik.AQUE
  AVG                  : Generic30.BOYB

----
#MalwareMustDie | @unixfreaxjp
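Going back to the static data in the binary-analysis section: the section table, the version info, the 2003 link timestamp and the calc.exe download name can be cross-checked against each other automatically. This is an added example and not part of the original notes; it parses no real file, it only re-checks the values copied from above (the indicator thresholds and the common-section-name list are my own assumptions).

```python
import re

# Section table as listed in the notes: (name, virtual address, virtual size, raw size)
SECTIONS = [
    (".text",  0x1000,   0x270a5,  163840),
    (".rdata", 0x29000,  0xa4c,    4096),
    (".data",  0x2a000,  0x100040, 4096),
    ("fdata",  0x12b000, 0x280,    4096),
    (".rsrc",  0x12c000, 0x807c,   36864),
]
# Version info and header facts copied from the ExifTool/PE output above
VERSION_INFO = {
    "CompanyName": "Sun Microsystems, Inc.",
    "OriginalFilename": "java.exe",
    "LegalCopyright": "Copyright 2012",
    "ProductName": "Java(TM) Platform SE 6 U37",
}
LINK_YEAR = 2003             # PE TimeStamp 2003:02:17
DELIVERED_AS = "calc.exe"    # Content-Disposition filename in the HTTP response
# Section names a typical MSVC-linked PE carries (assumed list, not from the notes)
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                   ".edata", ".bss", ".tls", ".pdata", ".CRT"}

def section_indicators(sections, ratio=8):
    """Flag sections that are tiny on disk but large in memory, and odd section names."""
    hits = []
    for name, _va, vsize, rsize in sections:
        if rsize and vsize // rsize >= ratio:
            hits.append(f"{name}: virtual size 0x{vsize:x} is {vsize // rsize}x its "
                        f"raw size {rsize}, room for code unpacked at runtime")
        if name not in COMMON_SECTIONS:
            hits.append(f"{name}: non-standard section name")
    return hits

def metadata_indicators(info, link_year, delivered_as):
    """Cross-check the version resource against the link timestamp and delivery name."""
    hits = []
    m = re.search(r"\b(19|20)\d{2}\b", info.get("LegalCopyright", ""))
    if m and int(m.group()) > link_year:
        hits.append(f"copyright {m.group()} is newer than link timestamp {link_year}")
    orig = info.get("OriginalFilename", "")
    if orig and orig.lower() != delivered_as.lower():
        hits.append(f"OriginalFilename {orig} but served as {delivered_as}")
    return hits

def triage(sections=SECTIONS, info=VERSION_INFO, link_year=LINK_YEAR, delivered_as=DELIVERED_AS):
    return section_indicators(sections) + metadata_indicators(info, link_year, delivered_as)

if __name__ == "__main__":
    for hit in triage():
        print("[!]", hit)
```

Run against the values above it reports four indicators: the .data section is 256 times larger in memory than on disk, `fdata` is not a normal section name, the copyright year is nine years newer than the link timestamp, and the file claims to be java.exe while it was served as calc.exe.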