unixfreaxjp

#OCJP-025 Win32/Trojan.Zeus in JP at Vietnamese Website

Mar 14th, 2012
English Transcript of Malware Analysis
Case: #OCJP-025
Malware: Win32/Trojan.Zeus (dropper/downloader/backdoor/spyware/PDF-exploiter... you name it..)

===============================
I. MALWARE BINARY ANALYSIS :
===============================

File name................: BtxX9KX.exe
MD5......................: 17bde98108092ed612c4511bd6a633ee
File size................: 271.5 KB ( 278016 bytes )
File type................: Win32 EXE
English Report...........: Wed Mar 14 20:17:36 JST 2012
Analysis by..............: Hendrik ADRIAN / @unixfreaxjp /0day.jp

This is the English report based on the analysis of the malware case reported at:
1. http://unixfreaxjp.blogspot.com/2012/03/ocjp-025.html
2. https://www.virustotal.com/file/0dbce33621898ecd824a272ce5e960a685051a4a695292efb0b05d604827529e/analysis/
3. Base URL: http://pastebin.com/FR07ybTp
----------
ExifTool
----------
UninitializedDataSize....: 0
InitializedDataSize......: 10752
ImageVersion.............: 0.0
ProductName..............: 2q3wet(R) Windows (R) 2000 Operating System
FileVersionNumber........: 5.0.2137.1
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
FileDescription..........: Windows TaskManager
CharacterSet.............: Unicode
LinkerVersion............: 2.5
FileOS...................: Windows NT 32-bit
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 5.00.2137.1
TimeStamp................: 2012:03:09 01:43:00+01:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: taskmgr
ProductVersion...........: 5.00.2137.1
SubsystemVersion.........: 4.0
OSVersion................: 4.0
OriginalFilename.........: taskmgr.exe
LegalCopyright...........: Copyright (C) 2q3wet Corp. 1991-1999
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: 2q3wet Corporation
CodeSize.................: 265216
FileSubtype..............: 0
ProductVersionNumber.....: 5.0.2137.1
EntryPoint...............: 0x1210
ObjectFileType...........: Executable application

-----------
PE Structs
-----------
Name V-Address V-Size Raw Entropy MD5
.text 4096 1916 2048 5.45 e93f3084f987fa110a4d8ca9274467d9
.textQ1 8192 262260 262656 7.71 de268b266e26e6a4aef8345fd2a01cd0
.textQ2 274432 100 512 0.00 bf619eac0cdf3f68d496ea9344137e8b
.data 278528 444 512 3.84 84072aa523e1285671b0e294565b43e9
.rsrc 282624 9724 9728 3.59 4e3e01ecc8f6cb1250de57f12d923bf3
.reloc 294912 116 512 1.76 250b11d9c9c72539dd168073a62fe6ab

(*) Above data courtesy of VirusTotal

-----------------
Suspected Points
-----------------

*) PE file, unknown packer, encryption used

*) CRC data unmatched, Claimed: 299582 / Actual: 299581
*) Compile Time: 2012-03-09 09:43:00 <--- newly built trojan

*) Entropy 7.71 is suspicious....(crypter?)
MD5 hash: de268b266e26e6a4aef8345fd2a01cd0
SHA-1 hash: 1867abe9de5a2e502bacea4ef897332057a97a20
Name: .textQ1
Misc: 0x40074
Misc_PhysicalAddress: 0x40074
Misc_VirtualSize: 0x40074
VirtualAddress: 0x2000
SizeOfRawData: 0x40200
PointerToRawData: 0xC00
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x60000020

*) Fake system file information found:
Length: 0x27C
ValueLength: 0x0
Type: 0x1
LangID: 040904B0
LegalCopyright: Copyright (C) 2q3wet Corp. 1991-1999
InternalName: taskmgr
FileVersion: 5.00.2137.1
CompanyName: 2q3wet Corporation
ProductName: 2q3wet(R) Windows (R) 2000 Operating System
ProductVersion: 5.00.2137.1
FileDescription: Windows TaskManager
OriginalFilename: taskmgr.exe


*) Suspicious use of DLL imports:
OriginalFirstThunk: 0x440E0
Characteristics: 0x440E0
TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0x44176
FirstThunk: 0x44104
KERNEL32.dll.CreateFileA Hint[120] <---- malware drops files
KERNEL32.dll.GetWindowsDirectoryA Hint[640]
KERNEL32.dll.lstrlenA Hint[1205]
KERNEL32.dll.lstrcpyA Hint[1199]
KERNEL32.dll.VirtualAlloc Hint[1108] <--- DEP privilege

OriginalFirstThunk: 0x440F8
Characteristics: 0x440F8
TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0x441A2
FirstThunk: 0x4411C
ADVAPI32.dll.RegOpenKeyW Hint[606] <--- registry value check
ADVAPI32.dll.RegOpenKeyExA Hint[602] <---- registry value check
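Added example (not part of the original report): a Python triage script that reproduces two of the static checks above, section entropy and version-info consistency, over constructed section bytes and the ExifTool fields quoted in this report. The 7.0 entropy threshold and the list of Microsoft system file names are assumptions of this example.

```python
"""Static triage for the 'Suspected Points' above: per-section Shannon entropy and a
sanity check of the version-info block. Added example, not from the original report;
SAMPLE_SECTIONS is constructed and the 7.0 threshold is an assumption."""
import math
import re
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # assumption: packed/encrypted sections usually sit above this
# assumption: file names that only Microsoft ships; a non-Microsoft vendor claiming
# them is the 'fake system file information' pattern flagged in the report
MICROSOFT_SYSTEM_FILES = {"taskmgr.exe", "explorer.exe", "ctfmon.exe", "svchost.exe"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_findings(sections):
    """sections: iterable of (name, raw_bytes). Flags high-entropy and oddly named sections."""
    out = []
    for name, raw in sections:
        ent = shannon_entropy(raw)
        if ent >= ENTROPY_THRESHOLD:
            out.append(f"{name}: entropy {ent:.2f} (packed/encrypted?)")
        if name.startswith(".text") and name != ".text":
            out.append(f"{name}: non-standard code section name")
    return out


def parse_exiftool(text: str) -> dict:
    """Parse 'Key......: value' lines in the layout ExifTool prints above."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9]+)\.*\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def version_info_findings(fields: dict) -> list:
    """A binary claiming a Microsoft system file name must also claim Microsoft ownership."""
    out = []
    orig = fields.get("OriginalFilename", "").lower()
    if orig in MICROSOFT_SYSTEM_FILES:
        for field in ("CompanyName", "ProductName", "LegalCopyright"):
            value = fields.get(field, "")
            if "microsoft" not in value.lower():
                out.append(f"{orig} claims {field}='{value}' (expected Microsoft)")
    return out


# constructed from the version-info block quoted in the report
SAMPLE_EXIFTOOL = """\
ProductName..............: 2q3wet(R) Windows (R) 2000 Operating System
FileDescription..........: Windows TaskManager
InternalName.............: taskmgr
OriginalFilename.........: taskmgr.exe
LegalCopyright...........: Copyright (C) 2q3wet Corp. 1991-1999
CompanyName..............: 2q3wet Corporation
"""

# constructed section bodies (not the sample's real bytes)
SAMPLE_SECTIONS = [
    (".text", bytes(range(64)) * 32),    # 64 distinct values -> entropy 6.0, not flagged
    (".textQ1", bytes(range(256)) * 4),  # uniform bytes -> entropy 8.0, like a crypter stub
    (".textQ2", b"\x00" * 512),          # zero padding -> entropy 0.0
]


def triage() -> list:
    return section_findings(SAMPLE_SECTIONS) + version_info_findings(parse_exiftool(SAMPLE_EXIFTOOL))


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```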

===============================
II. MALWARE BEHAVIOUR PROCESS
===============================

initial process:

sample.exe [/dir/file/pathname] 229,376 bytes
|
+payload.exe %AppData%\%payload-dir%\payload.exe 229,376 bytes
|
+--Explorer.EXE C:\WINDOWS\Explorer.EXE
+--ctfmon.exe cmd.exe "C:\WINDOWS\system32\ctfmon.exe"
+--msmsgs.exe cmd.exe "C:\Program Files\Messenger\msmsgs.exe" /background
+--reader_sl.exe cmd.exe "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"

later an additional process was added and soon stopped:
(parent: oves.exe)
|
+----cmd.exe %System%\cmd.exe 266,240 bytes


-----------------------------------------------------------------------------
I report the behavior analysis of this malware per process binary above
with the below priority:
(1) sample.exe
(2) payload.exe
(3) Explorer.EXE
(4) msmsgs.exe
(5) reader_sl.exe
-----------------------------------------------------------------------------

(1) SAMPLE
File name: sample.exe
MD5: 17bde98108092ed612c4511bd6a633ee
File size: 271.5 KB ( 278,016 bytes )

---------------------
REGISTRY
---------------------
reg key create:
HKEY_CURRENT_USER\Software\Microsoft\Ynpeo

reg value create:
[HKEY_CURRENT_USER\Software\Microsoft\Ynpeo]
18i62g6a = "Xv7cYZT7zDIVtw=="
1cf3ifcc = "df6pYQ=="
2cc8dhbc = 69 9A A9 61 9A 89 B6 32 2C B7 E1 76

---------------------
DLLs
---------------------
load:
C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000AF000
C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000
C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000

runtime:
C:\WINDOWS\system32\NETAPI32.dll 0x5B860000 0x00055000
C:\WINDOWS\system32\comctl32.dll 0x5D090000 0x0009A000
C:\WINDOWS\system32\WS2HELP.dll 0x71AA0000 0x00008000
C:\WINDOWS\system32\WS2_32.dll 0x71AB0000 0x00017000
C:\WINDOWS\system32\OLEAUT32.dll 0x77120000 0x0008B000
C:\WINDOWS\system32\WININET.dll 0x771B0000 0x000AA000
C:\WINDOWS\WinSxS\..comctl32.dll 0x773D0000 0x00103000
C:\WINDOWS\system32\ole32.dll 0x774E0000 0x0013D000
C:\WINDOWS\system32\CRYPT32.dll 0x77A80000 0x00095000
C:\WINDOWS\system32\MSASN1.dll 0x77B20000 0x00012000
C:\WINDOWS\system32\Apphelp.dll 0x77B40000 0x00022000
C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000
C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00049000
C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000
C:\WINDOWS\system32\SHELL32.dll 0x7C9C0000 0x00817000
C:\WINDOWS\system32\USER32.dll 0x7E410000 0x00091000

memory map:
C:\Documents and Settings\Administrator\Application Data\Ejofd\awylm.exe
C:\WINDOWS\WinSxS\ ..comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\comctl32.dll
C:\Windows\AppPatch\sysmain.sdb

---------------------
FILES & DROPS
---------------------

This sample creates one directory with the below format:
%AppData%\[RANDOM 4characters #1]
and drops the payload in it with the filename [RANDOM 4characters #2.exe]

The payload, upon execution, creates a directory with the below format:
%AppData%\[RANDOM 4characters #3]
and drops config files in it with the filename [RANDOM 4characters #4.RANDOM 3characters]

During the operation, temporary data exchange uses a file with the format below:
[%Temp%\tmp*******.bat]

Proof of Concept (PoC)

2 tries were taken w/ the current sample w/ the below details:
-----------------------------------------------------------------------------
sample:
C:\sample.exe 278,016 bytes 17bde98108092ed612c4511bd6a633ee
-----------------------------------------------------------------------------
Take 1:
Drops:
%AppData%\Ygas\oves.exe 278,016 bytes c9c114d777780d35f7353e9520662389
↑which drops↓
%AppData%\Kerez\ixko.liu 1,305 bytes 700f2e487c893e74c00eeb0c1cd7ab4f
then renamed into: %AppData%\ixko.liu.0 0 bytes d41d8cd98f00b204e9800998ecf8427e
created temp data: %Temp%\tmp4bbbf287.bat 168 bytes 8feeb2305d2cad502c43e0ec5378115a
(new dirs made during operation)
%AppData%\Kerez
%AppData%\Ygas
------------------------------------
Take 2:
Drops:
%AppData%\Ejofd\awylm.exe
↑which drops↓
%AppData%\Uhxuig\ylwi.vik
and then renamed into: %AppData%\ylwi.vik.0
creating temp data: %Temp%\tmp4bbbf245.bat
(new dirs made during operation)
%AppData%\Ejofd
%AppData%\Uhxuig

-----------------------------------------------------------------------------

(2) PAYLOAD.EXE

I found the payload varied in name every time the sample was run,
but the characteristics are the same, as described above.

Characteristics are as below:

Name: [random4characters.exe] i.e.: awylm.exe
MD5: dd507bdc57aacb3df8831c0df734d4aa
Size: 278,016 Bytes

---------------------
REGISTRY (changed/created)
--------------------
key1: HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer
name: 13e9ii4f
to: 0x5608eb5bc423314f0df5

key2: HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
name: AppData
to: C:\Documents and Settings\Administrator\Application Data

---------------------
MALICIOUS PROCESS INJECTION
--------------------
Remote threads were created by this payload with the following details:
C:\WINDOWS\explorer.exe ←registry op, listening ports, autorun
C:\WINDOWS\system32\ctfmon.exe ←being used to monitor keyboard/mouse activities
C:\Program Files\Messenger\msmsgs.exe ←messaging to motherships
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe ←execute the malicious PDF files
due to some Windows CVE exploit
*) explorer.exe was executed by the payload, while ctfmon.exe, msmsgs.exe & reader_sl.exe
were executed by a cmd.exe shell through explorer.exe by the payload.

------------------------------------------------------------------------------------------

(3) EXPLORER.EXE

Filename: Explorer.EXE (awylm.exe executes this process in virtual memory)
MD5: 12896823fb95bfb3dc9b46bcaedc9923
File Size: 1,033,728 Bytes
Command Line: C:\WINDOWS\Explorer.EXE
Status: alive

This process was executed by code of the payload.
This process' jobs are:
- registering the malware as fake software
- making sure the payload is auto-executed at startup
- disarming the browser security policy and opening global ports
- opening backdoors
- preparing the malicious cookies
- changing/disabling the PC internet zone for malicious purposes
- accessing downloaded malicious cookies
- monitoring the input device's activities


Registry Keys Changed:
------------------------
Auto-start function (auto exec):
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN info
{B0F8B226-65CD-AD7D-E811-5333C5ED7021}
"C:\Documents and Settings\Administrator\Application Data\Ejofd\awylm.exe"

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\Currentversion\Run info
{B0F8B226-65CD-AD7D-E811-5333C5ED7021}
"C:\Documents and Settings\Administrator\Application Data\Ejofd\awylm.exe"

Windows firewall disabled (disarm firewall notification):
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile info
DisableNotifications
0

UDP port 16,892 opened (opening tcp & udp backdoor):
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List info
16892:UDP
16892:UDP:*:Enabled:UDP 16892

TCP port 25,231 opened:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List info
25231:TCP
25231:TCP:*:Enabled:TCP 25231

Various malware IDs registered as fake software (register fake software):
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer
363a8039
0xd8499e5b29414b4f34f521cf

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer
iibc3hd
0x34089e5b

PC cookie cleanup disabled (disable cleaning up cookies):
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\InternetExplorer\Privacy
CleanCookies
0

Internet zone settings disabled (disable internet zone for IE):
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0 info
1609
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1 info
1406
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1 info
1609
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\2 info
1609
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3 info
1406
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3 info
1609
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4 info
1406
0

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4 info
1609
0
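Added example (not part of the original report): detection logic a defender could run over registry changes of the kind listed above, turning the Run-key autostart, the GloballyOpenPorts firewall holes and the IE zone downgrades into findings. The event records are constructed from the keys shown in this report; the (key, name, data) record layout and the rule wording are this example's own.

```python
"""Classify registry changes of the kind listed above into defender-relevant findings.
Added example, not from the original report; EVENTS is constructed from the keys shown
above and the (key, name, data) record layout is an assumption of this example."""
import re
from typing import List, Optional, Tuple

RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$", re.I)
GUID_NAME = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
OPEN_PORT = re.compile(r"^(\d+):(TCP|UDP):\*:Enabled:", re.I)
ZONE_KEY = re.compile(r"\\internet settings\\zones\\(\d)$", re.I)
# IE zone actions: 1406 = access data sources across domains, 1609 = display mixed
# content; data 0 means the action is allowed without prompting.
ZONE_ACTIONS = {"1406", "1609"}


def classify(key: str, name: str, data: str) -> Optional[str]:
    """Return a finding for one (key, name, data) change, or None if nothing matches."""
    k = key.lower()
    if RUN_KEY.search(k):
        if GUID_NAME.match(name) and "\\application data\\" in data.lower():
            return "persistence: GUID-named Run entry launching from %AppData%: " + data
        return "persistence: new Run entry: " + data
    if "\\firewallpolicy\\" in k:
        m = OPEN_PORT.match(data)
        if k.endswith("\\globallyopenports\\list") and m:
            return f"firewall: inbound {m.group(2).upper()}/{m.group(1)} opened for all sources"
        if name.lower() == "disablenotifications":
            return f"firewall: DisableNotifications set to {data}"
    z = ZONE_KEY.search(k)
    if z and name in ZONE_ACTIONS and data == "0":
        return f"browser: IE zone {z.group(1)} action {name} set to allow"
    if k.endswith("\\internet explorer\\privacy") and name.lower() == "cleancookies":
        return f"browser: IE CleanCookies set to {data}"
    return None


def scan(events: List[Tuple[str, str, str]]) -> List[str]:
    """Run classify() over every record and keep only the hits."""
    return [f for f in (classify(*e) for e in events) if f]


# constructed records, taken from the registry changes listed in the report
HKU = "HKU\\S-1-5-21-842925246-1425521274-308236825-500"
HKLM_FW = ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters"
           "\\FirewallPolicy\\StandardProfile")
DROPPED = "C:\\Documents and Settings\\Administrator\\Application Data\\Ejofd\\awylm.exe"
RUN_GUID = "{B0F8B226-65CD-AD7D-E811-5333C5ED7021}"
EVENTS = [
    (HKU + "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", RUN_GUID, DROPPED),
    (HKU + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", RUN_GUID, DROPPED),
    (HKLM_FW, "DisableNotifications", "0"),
    (HKLM_FW + "\\GloballyOpenPorts\\List", "16892:UDP", "16892:UDP:*:Enabled:UDP 16892"),
    (HKLM_FW + "\\GloballyOpenPorts\\List", "25231:TCP", "25231:TCP:*:Enabled:TCP 25231"),
    (HKU + "\\Software\\Microsoft\\Azer", "363a8039", "0xd8499e5b29414b4f34f521cf"),  # no rule
    (HKU + "\\Software\\Microsoft\\Azer", "iibc3hd", "0x34089e5b"),                    # no rule
    (HKU + "\\Software\\Microsoft\\Internet Explorer\\Privacy", "CleanCookies", "0"),
] + [
    (HKU + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\" + str(z), a, "0")
    for z, a in [(0, "1609"), (1, "1406"), (1, "1609"), (2, "1609"),
                 (3, "1406"), (3, "1609"), (4, "1406"), (4, "1609")]
]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```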

Read malware Cookies files:
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@java[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@promotion.adobe[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sun[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@walkernews[1].txt

payload is using these DLLs:
C:\WINDOWS\System32\wshtcpip.dll
C:\WINDOWS\system32\hnetcfg.dll
C:\WINDOWS\system32\mswsock.dll

Opening previous ports:
TCP/25231
UDP/16892

listening at the below port:
TCP/25231

creating mutexes:

------------------------------------------------------------------------------------------

(4) CTFMON.EXE
Filename: ctfmon.exe (awylm.exe wrote to this process in virtual memory)
MD5: 5f1d5f88303d4a4dbc8e5f97ba967cc3
File Size: 15360 Bytes
Command Line: "C:\WINDOWS\system32\ctfmon.exe"
status: alive

This process is used to monitor the input devices for malicious purposes.
It has an interaction socket tied to the mouse/keyboard movement recorded below:

Monitoring devices:
VK_LBUTTON (1) 64 (Mouse Left Click actions)
*) PS: explorer.exe uses the same API for mouse clicking interaction.


Registry Values Modified:
------------------------
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer
iibc3hd
1537083445

Files Read/Write:
------------------
accessing/reading C:\autoexec.bat

Using these DLLs:
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\WS2_32.dll

------------------------------------------------------------------------------------------

(5) MSMSGS.EXE

Filename: msmsgs.exe (awylm.exe wrote to this process in virtual memory)
MD5: 3e930c641079443d4de036167a69caa2
File Size: 1,695,232 Bytes
Command Line: "C:\Program Files\Messenger\msmsgs.exe" /background
Status: alive

Executed by shell command through cmd.exe : "C:\Program Files\Messenger\msmsgs.exe /background"
This program was executed for malware networking purposes.
Running in the background and responsible for the pcap captured traffic saved at the below URL:
http://
It contacts the mothership IP, performs a handshake and sends encrypted data.

Used DLLs:
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\MSOERT2.dll
C:\WINDOWS\system32\acctres.dll
C:\WINDOWS\system32\msoeacct.dll

------------------------------------------------------------------------------------------

(6) READER_SL.EXE

Filename: reader_sl.exe
MD5: 54c88bfbd055621e2306534f445c0c8d
File Size: 40,048 Bytes
Command Line: "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
Status: alive

This program is suspected to have been executed for malware exploit purposes.
Executed by shell command through cmd.exe :
"C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"

Cannot find significant evidence yet. Need more time to simulate further.
Suspected to be used for exploiting the PC with some CVE exploitation for malicious purposes.

Used DLLs:
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT)
C:\WINDOWS\system32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL)
------------------------------------------------------------------------------------------


=============================
III. NETWORK TRAFFIC REPORT
=============================

This sample, upon successful execution, creates network traffic
with the details below:

PROTOCOL DESTINATION NOTE
---------------------------------------------
ICMP 178.19.25.92 mothership's pong (messenger)
UDP/16892 178.19.25.92 source port (messenger)
UDP/25939 178.19.25.92 destination port (messenger)
TCP/16892 94.62.27.189 source port (messenger)
TCP/28510 94.62.27.189 destination port (messenger)
TCP/25231 (none) backdoor/open (explorer)
*) See below for the captured packet data.

CAPTURE PACKET DETAILS
-----------------------------------------------
No. Time Source Destination Protocol
1 0.000000 x.x.x.x 178.19.25.92 UDP
Source port: 16892
Destination port: 25939

Frame 1: 197 bytes on wire (1576 bits), 197 bytes captured (1576 bits)
Ethernet II, Src: xx:xx:xx:xx:xx, Dst: 92:27:fc:57:72:bb (92:27:fc:57:72:bb)
Internet Protocol, Src: x.x.x.x, Dst: 178.19.25.92 (178.19.25.92)
User Datagram Protocol, Src Port: 16892 (16892), Dst Port: 25939 (25939)
Data (155 bytes)


------------------------------------------------------------------------
No. Time Source Destination Protocol
2 0.120353 178.19.25.92 x.x.x.x ICMP

Frame 2: 190 bytes on wire (1520 bits), 190 bytes captured (1520 bits)
Ethernet II, Src: 92:27:fc:57:72:bb (92:27:fc:57:72:bb), Dst: xx:xx:xx:xx
Internet Protocol, Src: 178.19.25.92 (178.19.25.92), Dst: x.x.x.x
Internet Control Message Protocol

------------------------------------------------------------------------
No. Time Source Destination Protocol
3 36.124424 x.x.x.x 178.19.25.92 UDP
Source port: 16892
Destination port: 28510

Frame 3: 243 bytes on wire (1944 bits), 243 bytes captured (1944 bits)
Ethernet II, Src: xx:xx:xx:xx, Dst: 92:27:fc:57:72:bb (92:27:fc:57:72:bb)
Internet Protocol, Src: x.x.x.x, Dst: 94.62.27.189 (94.62.27.189)
User Datagram Protocol, Src Port: 16892 (16892), Dst Port: 28510 (28510)
Data (201 bytes)




=================================
IV. MALWARE VERDICT
=================================

SHA1: 416548086c39938fd2d8194c27958261314c01e2
MD5: 17bde98108092ed612c4511bd6a633ee
File size: 271.5 KB ( 278016 bytes )
File name: BtxX9KX.exe
File type: Win32 EXE
Detection ratio: 33 / 43
URL: https://www.virustotal.com/file/0dbce33621898ecd824a272ce5e960a685051a4a695292efb0b05d604827529e/analysis/

Antivirus Result Update
------------------------------
AhnLab-V3 Spyware/Win32.Zbot 20120313
AntiVir TR/Offend.KD.552855 20120314
Antiy-AVL Trojan/Win32.Zbot 20120314
Avast Win32:Zbot-OCM [Trj] 20120314
AVG PSW.Generic9.BQLB 20120314
BitDefender Trojan.Spy.Zbot.EVB 20120314
ByteHero Trojan.Win32.Heur.Gen 20120309
CAT-QuickHeal TrojanSpy.Zbot.dmzm 20120314
ClamAV - 20120314
Commtouch W32/Zbot.DQ3.gen!Eldorado 20120314
Comodo TrojWare.Win32.Trojan.Agent.Gen 20120313
DrWeb Trojan.PWS.Panda.1698 20120314
Emsisoft Trojan-PWS.Win32.Zbot!IK 20120314
eSafe - 20120313
eTrust-Vet - 20120314
F-Prot W32/Zbot.DQ3.gen!Eldorado 20120314
F-Secure Trojan.Spy.Zbot.EVB 20120314
Fortinet W32/Zbot.AAN!tr 20120314
GData Trojan.Spy.Zbot.EVB 20120314
Ikarus Trojan-PWS.Win32.Zbot 20120314
Jiangmin - 20120301
K7AntiVirus Trojan 20120313
Kaspersky Trojan-Spy.Win32.Zbot.dmzm 20120314
McAfee Artemis!17BDE9810809 20120308
McAfee-GW-Edition Generic PWS.y!d2k 20120314
Microsoft PWS:Win32/Zbot.gen!AF 20120314
NOD32 Win32/Spy.Zbot.AAN 20120314
Norman W32/Zbot.BMRX 20120314
nProtect Trojan/W32.Agent.278016.DC 20120314
Panda Generic Trojan 20120313
PCTools - 20120313
Prevx - 20120314
Rising Trojan.Win32.Generic.12B9C7CD 20120314
Sophos Mal/Toqwet-A 20120314
SUPERAntiSpyware - 20120314
Symantec WS.Reputation.1 20120314
TheHacker Trojan/Dropper.Injector.dffv 20120313
TrendMicro - 20120314
TrendMicro-HouseCall TSPY_ZBOT.BUM 20120314
VBA32 - 20120313
VIPRE Trojan.Win32.Generic.pak!cobra 20120314
ViRobot - 20120314
VirusBuster TrojanSpy.Zbot!FzMiqMxwcJ8 20120314

---
Operation Cleanup Japan - #OCJP
ZeroDay Japan
http://0day.jp
Malware Analyst: Hendrik ADRIAN / アドリアン・ヘンドリック
Twitter/VirusTotal/Google: @unixfreaxjp
Analysis Blog: http://unixfreaxjp.blogspot.com