#OCJP-025 Win32/Trojan.Zeus in JP at Vietnamese Website

unixfreaxjp, Mar 14th, 2012
English Transcript of Malware Analysis
Case: #OCJP-025
Malware: Win32/Trojan.Zeus (dropper/downloader/backdoor/spyware/PDF-exploiter... you name it..)

===============================
I. MALWARE BINARY ANALYSIS :
===============================

File name................: BtxX9KX.exe
MD5......................: 17bde98108092ed612c4511bd6a633ee
File size................: 271.5 KB ( 278016 bytes )
File type................: Win32 EXE
English Report...........: Wed Mar 14 20:17:36 JST 2012
Analysis by..............: Hendrik ADRIAN / @unixfreaxjp / 0day.jp

This is the English report based on the analysis of the malware case reported at:
1. http://unixfreaxjp.blogspot.com/2012/03/ocjp-025.html
2. https://www.virustotal.com/file/0dbce33621898ecd824a272ce5e960a685051a4a695292efb0b05d604827529e/analysis/
3. Base URL: http://pastebin.com/FR07ybTp

----------
ExifTool
----------
UninitializedDataSize....: 0
InitializedDataSize......: 10752
ImageVersion.............: 0.0
ProductName..............: 2q3wet(R) Windows (R) 2000 Operating System
FileVersionNumber........: 5.0.2137.1
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
FileDescription..........: Windows TaskManager
CharacterSet.............: Unicode
LinkerVersion............: 2.5
FileOS...................: Windows NT 32-bit
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 5.00.2137.1
TimeStamp................: 2012:03:09 01:43:00+01:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: taskmgr
ProductVersion...........: 5.00.2137.1
SubsystemVersion.........: 4.0
OSVersion................: 4.0
OriginalFilename.........: taskmgr.exe
LegalCopyright...........: Copyright (C) 2q3wet Corp. 1991-1999
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: 2q3wet Corporation
CodeSize.................: 265216
FileSubtype..............: 0
ProductVersionNumber.....: 5.0.2137.1
EntryPoint...............: 0x1210
ObjectFileType...........: Executable application

-----------
PE Structs
-----------
Name       V-Address   V-Size      Raw  Entropy  MD5
.text           4096     1916     2048     5.45  e93f3084f987fa110a4d8ca9274467d9
.textQ1         8192   262260   262656     7.71  de268b266e26e6a4aef8345fd2a01cd0
.textQ2       274432      100      512     0.00  bf619eac0cdf3f68d496ea9344137e8b
.data         278528      444      512     3.84  84072aa523e1285671b0e294565b43e9
.rsrc         282624     9724     9728     3.59  4e3e01ecc8f6cb1250de57f12d923bf3
.reloc        294912      116      512     1.76  250b11d9c9c72539dd168073a62fe6ab

(*) The data above is courtesy of VirusTotal.

-----------------
Suspected Points
-----------------

*) PE file, unknown packer, encryption used

*) CRC data unmatched, Claimed: 299582 / Actual: 299581
*) Compile Time: 2012-03-09 09:43:00 <--- newly built trojan

*) Entropy 7.71 is suspicious....(crypter?)
MD5     hash: de268b266e26e6a4aef8345fd2a01cd0
SHA-1   hash: 1867abe9de5a2e502bacea4ef897332057a97a20
Name:                          .textQ1
Misc:                          0x40074
Misc_PhysicalAddress:          0x40074
Misc_VirtualSize:              0x40074
VirtualAddress:                0x2000
SizeOfRawData:                 0x40200
PointerToRawData:              0xC00
PointerToRelocations:          0x0
PointerToLinenumbers:          0x0
NumberOfRelocations:           0x0
NumberOfLinenumbers:           0x0
Characteristics:               0x60000020

*) Fake system file information found:
Length:                        0x27C
ValueLength:                   0x0
Type:                          0x1
LangID: 040904B0
  LegalCopyright: Copyright (C) 2q3wet Corp. 1991-1999
  InternalName: taskmgr
  FileVersion: 5.00.2137.1
  CompanyName: 2q3wet Corporation
  ProductName: 2q3wet(R) Windows (R) 2000 Operating System
  ProductVersion: 5.00.2137.1
  FileDescription: Windows TaskManager
  OriginalFilename: taskmgr.exe


*) Suspicious use of imported DLL functions:
OriginalFirstThunk:            0x440E0
Characteristics:               0x440E0
TimeDateStamp:                 0x0        [Thu Jan 01 00:00:00 1970 UTC]
ForwarderChain:                0x0
Name:                          0x44176
FirstThunk:                    0x44104
KERNEL32.dll.CreateFileA Hint[120] <---- malware drops files
KERNEL32.dll.GetWindowsDirectoryA Hint[640]
KERNEL32.dll.lstrlenA Hint[1205]
KERNEL32.dll.lstrcpyA Hint[1199]
KERNEL32.dll.VirtualAlloc Hint[1108] <--- DEP privilege (allocating executable memory)

OriginalFirstThunk:            0x440F8
Characteristics:               0x440F8
TimeDateStamp:                 0x0        [Thu Jan 01 00:00:00 1970 UTC]
ForwarderChain:                0x0
Name:                          0x441A2
FirstThunk:                    0x4411C
ADVAPI32.dll.RegOpenKeyW Hint[606] <--- registry value check
ADVAPI32.dll.RegOpenKeyExA Hint[602] <---- registry value check

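The three static indicators used above (per-section entropy, the claimed vs. actual header CheckSum, and the compile TimeDateStamp) can be reproduced with nothing but the standard library. The Python below is an added example, not code from the original report: a minimal PE section-table walker, the imagehlp-style CheckSum recomputation, and Shannon entropy per section, exercised on a constructed PE32 image that mimics the sample's layout. The image, its section contents and the 7.0 entropy threshold are assumptions; the timestamp is the report's compile time.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly spread bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def pe_offset(image: bytes) -> int:
    """Return e_lfanew after checking the MZ and PE signatures."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[off:off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    return off


def pe_sections(image: bytes):
    """Yield (name, virtual_size, virtual_address, raw_size, raw_pointer) per section."""
    off = pe_offset(image)
    nsec = struct.unpack_from("<H", image, off + 6)[0]
    table = off + 24 + struct.unpack_from("<H", image, off + 20)[0]  # after optional header
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, image, table + 40 * i)
        yield f[0].rstrip(b"\0").decode("ascii", "replace"), f[1], f[2], f[3], f[4]


def pe_checksum(image: bytes) -> int:
    """Recompute the header CheckSum the way imagehlp does: fold the file as 32-bit words,
    skipping the CheckSum field (optional header + 0x40), then add the file length.
    Assumes e_lfanew is 4-byte aligned, which linkers guarantee."""
    skip, total = pe_offset(image) + 0x58, 0
    for i in range(0, len(image) - len(image) % 4, 4):
        if i != skip:
            total += struct.unpack_from("<I", image, i)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    if len(image) % 4:
        total += int.from_bytes(image[-(len(image) % 4):], "little")
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(image)


def with_checksum(image: bytes, value: int) -> bytes:
    buf = bytearray(image)
    struct.pack_into("<I", buf, pe_offset(image) + 0x58, value)
    return bytes(buf)


def triage(image: bytes, high_entropy: float = 7.0) -> dict:
    """Static triage for the three indicators used in the report above."""
    off = pe_offset(image)
    ts = struct.unpack_from("<I", image, off + 8)[0]
    claimed, actual = struct.unpack_from("<I", image, off + 0x58)[0], pe_checksum(image)
    report = {"compile_time": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
              "checksum_claimed": claimed, "checksum_actual": actual, "sections": {}, "suspicious": []}
    for name, vsize, vaddr, raw_size, raw_ptr in pe_sections(image):
        ent = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
        report["sections"][name] = (vaddr, vsize, raw_size, round(ent, 2))
        if ent >= high_entropy:
            report["suspicious"].append(f"{name}: entropy {ent:.2f} (packed/encrypted?)")
    # A zero CheckSum is normal for user-mode binaries; a wrong nonzero one means the
    # header was altered after linking (the report: claimed 299582 / actual 299581).
    if claimed and claimed != actual:
        report["suspicious"].append(f"CheckSum mismatch: claimed {claimed} / actual {actual}")
    return report


def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE32 image shaped like the sample: a small .text, a
    large uniform-byte .textQ1 (8.0 bits), a zero-filled .textQ2 (0.0 bits); the
    TimeDateStamp is the report's compile time, 2012-03-09 00:43:00 UTC."""
    sections = [(b".text", bytes(range(65, 91)) * 8), (b".textQ1", bytes(range(256)) * 8),
                (b".textQ2", bytes(0x200))]
    pe_off, opt_size, align = 0x40, 0xE0, 0x200
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections), 1331253780, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic; the CheckSum field stays 0
    hdr_size = -(-(pe_off + 24 + opt_size + 40 * len(sections)) // align) * align
    raw_ptr, vaddr, headers, body = hdr_size, 0x1000, b"", b""
    for name, data in sections:
        raw_size = -(-len(data) // align) * align
        headers += struct.pack(SECTION_FMT, name, len(data), vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr, vaddr = raw_ptr + raw_size, vaddr + -(-len(data) // 0x1000) * 0x1000
    return (bytes(dos) + coff + bytes(opt) + headers).ljust(hdr_size, b"\0") + body
```

Running triage() on a real file (open it in binary mode and pass the bytes) prints the same section table VirusTotal produced above; the constructed image only serves to exercise the three checks offline.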
===============================
II. MALWARE BEHAVIOUR PROCESS
===============================

Initial process:

sample.exe             [/dir/file/pathname]                 229,376 bytes
  |
  +payload.exe         %AppData%\%payload-dir%\payload.exe  229,376 bytes
    |
    +--Explorer.EXE    C:\WINDOWS\Explorer.EXE
    +--ctfmon.exe      cmd.exe "C:\WINDOWS\system32\ctfmon.exe"
    +--msmsgs.exe      cmd.exe "C:\Program Files\Messenger\msmsgs.exe" /background
    +--reader_sl.exe   cmd.exe "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"

Additional process added later (stopped soon after):
(parent: oves.exe)
   |
   +----cmd.exe        %System%\cmd.exe             266,240 bytes


-----------------------------------------------------------------------------
I report the behaviour analysis of this malware per process binary above,
with the priority below:
(1) sample.exe
(2) payload.exe
(3) Explorer.EXE
(4) msmsgs.exe
(5) reader_sl.exe
-----------------------------------------------------------------------------

(1) SAMPLE
File name: sample.exe
MD5:       17bde98108092ed612c4511bd6a633ee
File size: 271.5 KB ( 278,016 bytes )

---------------------
REGISTRY
---------------------
Registry key created:
    HKEY_CURRENT_USER\Software\Microsoft\Ynpeo

Registry values created:
    [HKEY_CURRENT_USER\Software\Microsoft\Ynpeo]
        18i62g6a = "Xv7cYZT7zDIVtw=="
        1cf3ifcc = "df6pYQ=="
        2cc8dhbc = 69 9A A9 61 9A 89 B6 32 2C B7 E1 76

---------------------
DLLs
---------------------
Loaded at start:
C:\WINDOWS\system32\ntdll.dll    0x7C900000     0x000AF000
C:\WINDOWS\system32\kernel32.dll 0x7C800000     0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000     0x0009B000
C:\WINDOWS\system32\RPCRT4.dll   0x77E70000     0x00092000
C:\WINDOWS\system32\Secur32.dll  0x77FE0000     0x00011000

Loaded at runtime:
C:\WINDOWS\system32\NETAPI32.dll 0x5B860000     0x00055000
C:\WINDOWS\system32\comctl32.dll 0x5D090000     0x0009A000
C:\WINDOWS\system32\WS2HELP.dll  0x71AA0000     0x00008000
C:\WINDOWS\system32\WS2_32.dll   0x71AB0000     0x00017000
C:\WINDOWS\system32\OLEAUT32.dll 0x77120000     0x0008B000
C:\WINDOWS\system32\WININET.dll  0x771B0000     0x000AA000
C:\WINDOWS\WinSxS\..comctl32.dll 0x773D0000     0x00103000
C:\WINDOWS\system32\ole32.dll    0x774E0000     0x0013D000
C:\WINDOWS\system32\CRYPT32.dll  0x77A80000     0x00095000
C:\WINDOWS\system32\MSASN1.dll   0x77B20000     0x00012000
C:\WINDOWS\system32\Apphelp.dll  0x77B40000     0x00022000
C:\WINDOWS\system32\msvcrt.dll   0x77C10000     0x00058000
C:\WINDOWS\system32\GDI32.dll    0x77F10000     0x00049000
C:\WINDOWS\system32\SHLWAPI.dll  0x77F60000     0x00076000
C:\WINDOWS\system32\SHELL32.dll  0x7C9C0000     0x00817000
C:\WINDOWS\system32\USER32.dll   0x7E410000     0x00091000

Memory map:
C:\Documents and Settings\Administrator\Application Data\Ejofd\awylm.exe
C:\WINDOWS\WinSxS\ ..comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\comctl32.dll
C:\Windows\AppPatch\sysmain.sdb

---------------------
FILES & DROPS
---------------------

This sample creates one directory in the format below:
%AppData%\[RANDOM 4 characters #1]
and drops the payload into it with the filename [RANDOM 4 characters #2].exe

The payload, once executed, creates a directory in the format below:
%AppData%\[RANDOM 4 characters #3]
and drops config files into it with the filename [RANDOM 4 characters #4].[RANDOM 3 characters]

During operation, temporary data exchange uses a file in the format below:
[%Temp%\tmp*******.bat]

Proof of Concept (PoC)

Two runs were made with the current sample, with the details below:
-----------------------------------------------------------------------------
sample:
C:\sample.exe                 278,016 bytes 17bde98108092ed612c4511bd6a633ee
-----------------------------------------------------------------------------
Take 1:
Drops:
%AppData%\Ygas\oves.exe                   278,016 bytes  c9c114d777780d35f7353e9520662389
  ↑which drops↓
%AppData%\Kerez\ixko.liu                    1,305 bytes  700f2e487c893e74c00eeb0c1cd7ab4f
  then renamed to: %AppData%\ixko.liu.0          0 bytes  d41d8cd98f00b204e9800998ecf8427e
  created temp data: %Temp%\tmp4bbbf287.bat    168 bytes  8feeb2305d2cad502c43e0ec5378115a
(new dirs made during operation)
%AppData%\Kerez
%AppData%\Ygas
------------------------------------
Take 2:
Drops:
%AppData%\Ejofd\awylm.exe
  ↑which drops↓
%AppData%\Uhxuig\ylwi.vik
  and then renamed to: %AppData%\ylwi.vik.0
  creating temp data: %Temp%\tmp4bbbf245.bat
(new dirs made during operation)
%AppData%\Ejofd
%AppData%\Uhxuig

-----------------------------------------------------------------------------

(2) PAYLOAD.EXE

I found that the payload name varies every time the sample is run,
but its characteristics are the same, as described above.

Characteristics are as follows:

Name: [random 4 characters].exe, e.g.: awylm.exe
MD5:  dd507bdc57aacb3df8831c0df734d4aa
Size: 278,016 Bytes

---------------------
REGISTRY (changed/created)
---------------------
key1: HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer
name: 13e9ii4f
to:   0x5608eb5bc423314f0df5

key2: HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\
      CurrentVersion\Explorer\Shell Folders
name: AppData
to:   C:\Documents and Settings\Administrator\Application Data

---------------------
MALICIOUS PROCESS INJECTION
---------------------
Remote threads were created by this payload with the following details:
C:\WINDOWS\explorer.exe              ←registry ops, listening ports, autorun
C:\WINDOWS\system32\ctfmon.exe       ←used to monitor keyboard/mouse activity
C:\Program Files\Messenger\msmsgs.exe ←messaging to the motherships
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe ←executes the malicious PDF files
                                                         via some Windows CVE exploit
*) explorer.exe was executed by the payload, while
ctfmon.exe, msmsgs.exe & reader_sl.exe were executed by a cmd.exe shell through explorer.exe,
driven by the payload.

------------------------------------------------------------------------------------------

(3) EXPLORER.EXE

Filename:       Explorer.EXE (awylm.exe executes this process in virtual memory)
MD5:            12896823fb95bfb3dc9b46bcaedc9923
File Size:      1,033,728 Bytes
Command Line:   C:\WINDOWS\Explorer.EXE
Status:         alive

This process was executed by code of the payload.
This process' jobs are:
 - registering the malware as fake software
 - making sure the payload is auto-executed at start-up
 - disarming the browser security policy for opening global ports
 - opening backdoors
 - preparing the malicious cookies
 - changing/disabling the PC's Internet zones for malicious purposes
 - accessing downloaded malicious cookies
 - monitoring the input devices' activities


Registry Keys Changed:
------------------------
Auto-start function (auto exec):
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  info
{B0F8B226-65CD-AD7D-E811-5333C5ED7021}
"C:\Documents and Settings\Administrator\Application Data\Ejofd\awylm.exe"

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\Currentversion\Run  info
{B0F8B226-65CD-AD7D-E811-5333C5ED7021}
"C:\Documents and Settings\Administrator\Application Data\Ejofd\awylm.exe"

Windows firewall disabled (disarm firewall notification):
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  info
DisableNotifications
0

UDP port 16,892 opened (opening tcp & udp backdoor):
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List info
16892:UDP
16892:UDP:*:Enabled:UDP 16892

TCP port 25,231 opened:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List info
25231:TCP
25231:TCP:*:Enabled:TCP 25231

Various malware IDs registered as fake software (register fake software):
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer
363a8039
0xd8499e5b29414b4f34f521cf

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer
iibc3hd
0x34089e5b

PC cookies cleaned up (disable cleaning up cookies):
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\InternetExplorer\Privacy
CleanCookies
0

Internet ZONE settings disabled (disable internet zone for IE):
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0 info
1609
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1 info
1406
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1 info
1609
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\2 info
1609
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3 info
1406
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3 info
1609
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4 info
1406
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4 info
1609
0

Read malware cookie files:
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@java[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@promotion.adobe[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sun[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@walkernews[1].txt

The payload is using these DLLs:
C:\WINDOWS\System32\wshtcpip.dll
C:\WINDOWS\system32\hnetcfg.dll
C:\WINDOWS\system32\mswsock.dll

Opening the previous ports:
TCP/25231
UDP/16892

Listening on the port below:
TCP/25231

Creating mutexes (11 Global\{GUID} and 2 Local\{GUID} named objects):
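The registry writes listed above are exactly the persistence and firewall-weakening artifacts a sandbox report should flag automatically rather than leave to the analyst's eye. The Python below is an added example, not code from the original report: detection rules run over constructed (key, value name, data) events copied from this section. The event list, the rule names, the benign ctfmon control entry and the Program Files path in the test are assumptions.

```python
import re

# Constructed registry events (key, value name, data) mirroring the sandbox output in this
# report; SID is the report's user SID, FW_PROFILE the firewall policy key it writes to.
SID = "S-1-5-21-842925246-1425521274-308236825-500"
HKCU = f"HKU\\{SID}\\Software\\Microsoft"
FW_PROFILE = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
EVENTS = [
    (HKCU + r"\Windows\CurrentVersion\Run", "{B0F8B226-65CD-AD7D-E811-5333C5ED7021}",
     r'"C:\Documents and Settings\Administrator\Application Data\Ejofd\awylm.exe"'),
    (FW_PROFILE, "DisableNotifications", "0"),
    (FW_PROFILE + r"\GloballyOpenPorts\List", "16892:UDP", "16892:UDP:*:Enabled:UDP 16892"),
    (FW_PROFILE + r"\GloballyOpenPorts\List", "25231:TCP", "25231:TCP:*:Enabled:TCP 25231"),
    (HKCU + r"\Internet Explorer\Privacy", "CleanCookies", "0"),
    (HKCU + r"\Windows\CurrentVersion\Internet Settings\Zones\3", "1609", "0"),
    (HKCU + r"\Windows\CurrentVersion\Internet Settings\Zones\3", "1406", "0"),
    # benign control: the stock ctfmon autorun pointing under %SystemRoot%
    (HKCU + r"\Windows\CurrentVersion\Run", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
USER_WRITABLE = re.compile(r"\\(Application Data|AppData|Local Settings\\Temp|Temp)\\", re.I)
GUID_NAME = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
OPEN_PORT = re.compile(r"^(\d+):(TCP|UDP):([^:]+):Enabled:(.*)$", re.I)
# Some sandbox tools drop the space in "Internet Settings" / "Internet Explorer", as the
# listing above shows, so the patterns accept both spellings.
ZONE_KEY = re.compile(r"\\Internet ?Settings\\Zones\\(\d)$", re.I)
PRIVACY_KEY = re.compile(r"\\Internet ?Explorer\\Privacy$", re.I)
# URL actions the report saw set to 0 (= allow without prompting).
WEAKENED_ACTIONS = {"1406": "access data sources across domains",
                    "1609": "display mixed content"}


def inspect_event(key: str, name: str, data: str) -> list:
    """Return the findings a single registry write triggers (empty list if benign)."""
    findings = []
    if RUN_KEY.search(key):
        if USER_WRITABLE.search(data):
            findings.append(f"autorun from user-writable directory: {name} -> {data}")
        if GUID_NAME.match(name):
            findings.append(f"autorun value named like a GUID: {name}")
    if key.lower().startswith(FW_PROFILE.lower()):
        m = OPEN_PORT.match(data) if key.lower().endswith(r"\globallyopenports\list") else None
        if m:
            findings.append(f"firewall exception added: {m.group(2).upper()}/{m.group(1)} "
                            f"from {m.group(3)} ({m.group(4)})")
        elif name.lower() == "disablenotifications":
            findings.append(f"firewall notification policy written: DisableNotifications={data}")
    z = ZONE_KEY.search(key)
    if z and name in WEAKENED_ACTIONS and data == "0":
        findings.append(f"IE zone {z.group(1)}: '{WEAKENED_ACTIONS[name]}' set to allow")
    if PRIVACY_KEY.search(key) and name.lower() == "cleancookies" and data == "0":
        findings.append("IE cookie cleanup disabled (CleanCookies=0)")
    return findings


def scan(events) -> list:
    """Run every event through inspect_event and flatten the findings."""
    return [f for key, name, data in events for f in inspect_event(key, name, data)]
```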
------------------------------------------------------------------------------------------

(4) CTFMON.EXE
Filename:       ctfmon.exe (awylm.exe wrote to this process in virtual memory)
MD5:            5f1d5f88303d4a4dbc8e5f97ba967cc3
File Size:      15360 Bytes
Command Line:   "C:\WINDOWS\system32\ctfmon.exe"
Status:         alive

This process is used to monitor the input devices for malicious purposes.
It has an interaction socket; the mouse/keyboard movement recorded is below:

Monitoring devices:
VK_LBUTTON (1)          64 (Mouse Left Click actions)
*) PS: explorer.exe uses the same API for mouse-click interaction.


Registry Values Modified:
------------------------
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer
iibc3hd
1537083445

Files Read/Write:
------------------
accessing/reading C:\autoexec.bat

Using these DLLs:
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\WS2_32.dll

------------------------------------------------------------------------------------------

(5) MSMSGS.EXE

Filename:       msmsgs.exe (awylm.exe wrote to this process in virtual memory)
MD5:            3e930c641079443d4de036167a69caa2
File Size:      1,695,232 Bytes
Command Line:   "C:\Program Files\Messenger\msmsgs.exe" /background
Status:         alive

Executed by shell command through cmd.exe: "C:\Program Files\Messenger\msmsgs.exe /background"
This program was executed for the malware's networking purposes.
It runs in the background and is responsible for the traffic in the pcap capture saved at the URL below:
http://
It contacts the mothership IP, performs a handshake and sends encrypted data.

Used DLLs:
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\MSOERT2.dll
C:\WINDOWS\system32\acctres.dll
C:\WINDOWS\system32\msoeacct.dll

------------------------------------------------------------------------------------------

(6) READER_SL.EXE

Filename:       reader_sl.exe
MD5:            54c88bfbd055621e2306534f445c0c8d
File Size:      40,048 Bytes
Command Line:   "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
Status:         alive

This program is suspected to have been executed for the malware's exploitation purposes.
Executed by shell command through cmd.exe:
"C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"

Cannot find significant evidence yet. Need more time to simulate further.
Suspected to be used for exploiting the PC with some CVE exploitation for malicious purposes.

Used DLLs:
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT)
C:\WINDOWS\system32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL)
------------------------------------------------------------------------------------------


=============================
III. NETWORK TRAFFIC REPORT
=============================

This sample, upon successful execution, creates network traffic
with the details below:

PROTOCOL     DESTINATION   NOTE
-----------------------------------------------------
ICMP         178.19.25.92  mothership's pong (messenger)
UDP/16892    178.19.25.92  source port (messenger)
UDP/25939    178.19.25.92  destination port (messenger)
TCP/16892    94.62.27.189  source port (messenger)
TCP/28510    94.62.27.189  destination port (messenger)
TCP/25231    (none)        backdoor/open (explorer)
*) See below for the captured packet data.

CAPTURE PACKET DETAILS
-----------------------------------------------
No. Time      Source    Destination   Protocol
1   0.000000  x.x.x.x   178.19.25.92  UDP
Source port: 16892
Destination port: 25939

Frame 1: 197 bytes on wire (1576 bits), 197 bytes captured (1576 bits)
Ethernet II, Src: xx:xx:xx:xx:xx, Dst: 92:27:fc:57:72:bb (92:27:fc:57:72:bb)
Internet Protocol, Src: x.x.x.x, Dst: 178.19.25.92 (178.19.25.92)
User Datagram Protocol, Src Port: 16892 (16892), Dst Port: 25939 (25939)
Data (155 bytes)


------------------------------------------------------------------------
No. Time      Source        Destination  Protocol
2   0.120353  178.19.25.92  x.x.x.x      ICMP

Frame 2: 190 bytes on wire (1520 bits), 190 bytes captured (1520 bits)
Ethernet II, Src: 92:27:fc:57:72:bb (92:27:fc:57:72:bb), Dst: xx:xx:xx:xx
Internet Protocol, Src: 178.19.25.92 (178.19.25.92), Dst: x.x.x.x
Internet Control Message Protocol

------------------------------------------------------------------------
No. Time       Source    Destination   Protocol
3   36.124424  x.x.x.x   178.19.25.92  UDP
Source port: 16892
Destination port: 28510

Frame 3: 243 bytes on wire (1944 bits), 243 bytes captured (1944 bits)
Ethernet II, Src: xx:xx:xx:xx, Dst: 92:27:fc:57:72:bb (92:27:fc:57:72:bb)
Internet Protocol, Src: x.x.x.x, Dst: 94.62.27.189 (94.62.27.189)
User Datagram Protocol, Src Port: 16892 (16892), Dst Port: 28510 (28510)
Data (201 bytes)

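The capture above shows the infected host sending UDP from the same source port, 16892, that explorer.exe had opened in the firewall, to two different peers. The Python below is an added example, not code from the original report: it groups outbound UDP by (host, source port), flags fan-out from one fixed port, and raises the confidence when that port matches a GloballyOpenPorts exception. The flow records are constructed (the 10.0.0.x host stands in for the report's masked x.x.x.x, and the DNS flows are a benign control); the two peer addresses are the report's.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed flow records (proto, src, sport, dst, dport) mirroring frames 1-3 of this
# report's capture, plus two ordinary DNS lookups from ephemeral ports as a control.
FLOWS = [
    ("UDP", "10.0.0.5", 16892, "178.19.25.92", 25939),
    ("ICMP", "178.19.25.92", 0, "10.0.0.5", 0),
    ("UDP", "10.0.0.5", 16892, "94.62.27.189", 28510),
    ("UDP", "10.0.0.5", 51337, "10.0.0.1", 53),
    ("UDP", "10.0.0.5", 51338, "10.0.0.1", 53),
]
# Exceptions the report found written to FirewallPolicy\...\GloballyOpenPorts\List.
FIREWALL_EXCEPTIONS = {("UDP", 16892), ("TCP", 25231)}


def fixed_source_port_peers(flows, min_peers=2):
    """Group outbound UDP from internal hosts by (host, source port) and keep groups that
    reach several distinct public addresses from one port: ordinary clients take a fresh
    ephemeral port per socket, a process that opened its own firewall port reuses it."""
    peers = defaultdict(set)
    for proto, src, sport, dst, dport in flows:
        if proto == "UDP" and ip_address(src).is_private and not ip_address(dst).is_private:
            peers[(src, sport)].add(dst)
    return {k: sorted(v) for k, v in peers.items() if len(v) >= min_peers}


def correlate(flows, exceptions, min_peers=2):
    """Findings as (level, message): fixed-port peer groups, high confidence when the
    port is also a firewall exception, plus ICMP replies from those peers (the 'pong')."""
    findings = []
    groups = fixed_source_port_peers(flows, min_peers)
    for (host, sport), dsts in groups.items():
        level = "high" if ("UDP", sport) in exceptions else "medium"
        findings.append((level, f"{host} UDP/{sport} fixed source port to {len(dsts)} "
                                f"peers: {', '.join(dsts)}"))
    known_peers = {d for dsts in groups.values() for d in dsts}
    for proto, src, sport, dst, dport in flows:
        if proto == "ICMP" and src in known_peers:
            findings.append(("info", f"ICMP from peer {src} to {dst} (mothership pong)"))
    return findings
```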
=================================
IV. MALWARE VERDICT
=================================

SHA1:            416548086c39938fd2d8194c27958261314c01e2
MD5:             17bde98108092ed612c4511bd6a633ee
File size:       271.5 KB ( 278016 bytes )
File name:       BtxX9KX.exe
File type:       Win32 EXE
Detection ratio: 33 / 43
URL: https://www.virustotal.com/file/0dbce33621898ecd824a272ce5e960a685051a4a695292efb0b05d604827529e/analysis/

Antivirus             Result                           Update
-------------------------------------------------------------
AhnLab-V3             Spyware/Win32.Zbot               20120313
AntiVir               TR/Offend.KD.552855              20120314
Antiy-AVL             Trojan/Win32.Zbot                20120314
Avast                 Win32:Zbot-OCM [Trj]             20120314
AVG                   PSW.Generic9.BQLB                20120314
BitDefender           Trojan.Spy.Zbot.EVB              20120314
ByteHero              Trojan.Win32.Heur.Gen            20120309
CAT-QuickHeal         TrojanSpy.Zbot.dmzm              20120314
ClamAV                -                                20120314
Commtouch             W32/Zbot.DQ3.gen!Eldorado        20120314
Comodo                TrojWare.Win32.Trojan.Agent.Gen  20120313
DrWeb                 Trojan.PWS.Panda.1698            20120314
Emsisoft              Trojan-PWS.Win32.Zbot!IK         20120314
eSafe                 -                                20120313
eTrust-Vet            -                                20120314
F-Prot                W32/Zbot.DQ3.gen!Eldorado        20120314
F-Secure              Trojan.Spy.Zbot.EVB              20120314
Fortinet              W32/Zbot.AAN!tr                  20120314
GData                 Trojan.Spy.Zbot.EVB              20120314
Ikarus                Trojan-PWS.Win32.Zbot            20120314
Jiangmin              -                                20120301
K7AntiVirus           Trojan                           20120313
Kaspersky             Trojan-Spy.Win32.Zbot.dmzm       20120314
McAfee                Artemis!17BDE9810809             20120308
McAfee-GW-Edition     Generic PWS.y!d2k                20120314
Microsoft             PWS:Win32/Zbot.gen!AF            20120314
NOD32                 Win32/Spy.Zbot.AAN               20120314
Norman                W32/Zbot.BMRX                    20120314
nProtect              Trojan/W32.Agent.278016.DC       20120314
Panda                 Generic Trojan                   20120313
PCTools               -                                20120313
Prevx                 -                                20120314
Rising                Trojan.Win32.Generic.12B9C7CD    20120314
Sophos                Mal/Toqwet-A                     20120314
SUPERAntiSpyware      -                                20120314
Symantec              WS.Reputation.1                  20120314
TheHacker             Trojan/Dropper.Injector.dffv     20120313
TrendMicro            -                                20120314
TrendMicro-HouseCall  TSPY_ZBOT.BUM                    20120314
VBA32                 -                                20120313
VIPRE                 Trojan.Win32.Generic.pak!cobra   20120314
ViRobot               -                                20120314
VirusBuster           TrojanSpy.Zbot!FzMiqMxwcJ8       20120314

---
Operation Cleanup Japan - #OCJP
ZeroDay Japan
http://0day.jp
Malware Analyst: Hendrik ADRIAN / アドリアン・ヘンドリック
Twitter/VirusTotal/Google: @unixfreaxjp
Analysis Blog: http://unixfreaxjp.blogspot.com