- #malwareMustDie - BHEK Cridex (Parfeit trojan downloader)
- # Binary (static/dynamic/VT) Quick Analysis
- # @unixfreaxjp /malware]$ date
- # Sat Dec 22 19:07:15 JST 2012
- GET /detects/continues-little.php?zf=30:2v:1f:1j:30&ge=1n:2w:1i:1j:1o:1i:1g:2v:1
- m:1m&l=1k&iw=z&hf=d HTTP/1.0
- Referer: http://www.irwra.com//wp-content/themes/mantra/uploads/cpa_inform.html
- User-Agent: Hey Moronz - Let's rock'n'roll #MalwareMustDie!
- Accept: */*
- Host: latticesoft.net
- Connection: Keep-Alive
- ---request end---
- HTTP request sent, awaiting response...
- ---response begin---
- HTTP/1.1 200 OK
- Server: nginx/1.3.3
- Date: Sat, 22 Dec 2012 07:02:18 GMT
- Content-Type: application/x-msdownload
- Content-Length: 217088
- Connection: close
- X-Powered-By: PHP/5.3.14
- Pragma: public
- Expires: Sat, 22 Dec 2012 07:02:18 GMT
- Cache-Control: must-revalidate, post-check=0, pre-check=0
- Cache-Control: private
- Content-Disposition: attachment; filename="calc.exe"
- Content-Transfer-Encoding: binary
- ---response end---
- 200 OK
- Length: 217,088 (212K) [application/x-msdownload]
- 100%[====================================>] 217,088 19.23K/s ETA 00:00
- Closed fd 1896
- 16:02:42 (20.92 KB/s) - `continues-little.php@zf=30%3A2v%3A1f%3A1j%3A30&ge=1n%3A
- 2w%3A1i%3A1j%3A1o%3A1i%3A1g%3A2v%3A1m%3A1m&l=1k&iw=z&hf=d' saved [217088/217088]
- // Let's call it calc.exe then :-)
- =======================
- BINARY ANALYSIS
- =======================
- // Binary analysis combined from several tools and sources....
- ExifTool:
- SubsystemVersion.........: 4.0
- InitializedDataSize......: 69632
- ImageVersion.............: 0.0
- ProductName..............: Java(TM) Platform SE 6 U37
- FileVersionNumber........: 6.0.370.6
- UninitializedDataSize....: 0
- LanguageCode.............: Neutral
- FileFlagsMask............: 0x003f
- FullVersion..............: 1.6.0_37-b06
- CharacterSet.............: Unicode
- LinkerVersion............: 8.0
- OriginalFilename.........: java.exe
- MIMEType.................: application/octet-stream
- Subsystem................: Windows GUI
- FileVersion..............: 6.0.370.6
- TimeStamp................: 2003:02:17 03:41:05+00:00
- FileType.................: Win32 EXE
- PEType...................: PE32
- InternalName.............: java
- ProductVersion...........: 6.0.370.6
- FileDescription..........: Java(TM) Platform SE binary
- OSVersion................: 4.0
- FileOS...................: Win32
- LegalCopyright...........: Copyright 2012
- MachineType..............: Intel 386 or later, and compatibles
- CompanyName..............: Sun Microsystems, Inc.
- CodeSize.................: 163840
- FileSubtype..............: 0
- ProductVersionNumber.....: 6.0.370.6
- EntryPoint...............: 0x1335
- ObjectFileType...........: Executable application
- PE information:
- Compilation timedatestamp.....: 2003-02-17 03:41:05
- Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
- Entry point address...........: 0x00001335
- PE Sections:
- .text 0x1000 0x270a5 163840
- .rdata 0x29000 0xa4c 4096
- .data 0x2a000 0x100040 4096
- fdata 0x12b000 0x280 4096
- .rsrc 0x12c000 0x807c 36864
- TrID
- Win32 Executable MS Visual C++ (generic) (63.0%)
- Win32 Executable Generic (14.2%)
- Win32 Dynamic Link Library (generic) (12.6%)
- Clipper DOS Executable (3.3%)
- Generic Win/DOS Executable (3.3%)
- // Faking Java: the VERSIONINFO resource claims to be the JRE launcher...
- CompanyName
- Sun Microsystems, Inc.
- FileDescription
- Java(TM) Platform SE binary
- FileVersion
- Full Version
- InternalName
- java
- LegalCopyright
- Copyright
- OriginalFilename
- java.exe
- ProductName
- Java(TM) Platform SE 6 U37
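The version-info and section-table output above carry the tells of a forged Java binary: a 2003 build timestamp under a 2012 copyright, an OriginalFilename of java.exe for a file served as calc.exe, a section named fdata, and a .data section whose virtual size (0x100040) dwarfs its 4096 bytes on disk. This added triage script (not the author's tooling) encodes those checks over the page's own values, re-typed as constructed input:

```python
import re

# Constructed input: the ExifTool fields and PE section table shown above, re-typed as data.
EXIFTOOL = """\
ProductName..............: Java(TM) Platform SE 6 U37
OriginalFilename.........: java.exe
TimeStamp................: 2003:02:17 03:41:05+00:00
LegalCopyright...........: Copyright 2012
"""
# (name, virtual address, virtual size, raw size on disk), as in the PE Sections table
SECTIONS = [
    (".text", 0x1000, 0x270a5, 163840),
    (".rdata", 0x29000, 0xa4c, 4096),
    (".data", 0x2a000, 0x100040, 4096),
    ("fdata", 0x12b000, 0x280, 4096),
    (".rsrc", 0x12c000, 0x807c, 36864),
]

def parse_exiftool(text):
    """Turn 'Key......: value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"(\w+)\.*: (.*)", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def version_info_flags(fields, served_name):
    """Reasons the VERSIONINFO block does not fit the file it is attached to."""
    flags = []
    build_year = int(fields["TimeStamp"][:4])
    years = [int(y) for y in re.findall(r"\b(19\d\d|20\d\d)\b", fields.get("LegalCopyright", ""))]
    if years and build_year < min(years):
        flags.append(f"compiled {build_year} but copyright says {min(years)}")
    orig = fields.get("OriginalFilename", "")
    if orig.lower() != served_name.lower():
        flags.append(f"OriginalFilename {orig} but served as {served_name}")
    return flags

def section_flags(sections, ratio=8):
    """Sections that look like an unpacking stub (tiny on disk, huge in memory) or are oddly named."""
    flags = []
    for name, _va, vsize, raw in sections:
        if not name.startswith("."):
            flags.append(f"{name}: non-standard section name")
        if raw and vsize > ratio * raw:
            flags.append(f"{name}: virtual size 0x{vsize:x} far exceeds raw size {raw} (unpacks at runtime?)")
    return flags
```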
- //Runtime DLLs:
- shlwapi.dll
- kernel32.dll
- advapi32.dll
- shell32.dll
- rpcrt4.dll
- version.dll
- // API calls imported from those DLLs:
- 00429000 RegEnumKeyA ADVAPI32
- 00429004 RegCloseKey ADVAPI32
- 00429008 RegOpenKeyExA ADVAPI32
- 0042900C RegQueryValueExA ADVAPI32
- 00429014 WaitForSingleObject KERNEL32
- 00429018 CreateThread KERNEL32
- 0042901C GetFileType KERNEL32
- 00429020 FormatMessageA KERNEL32
- 00429024 GetDriveTypeA KERNEL32
- 00429028 GetCurrentProcessId KERNEL32
- 0042902C TlsGetValue KERNEL32
- 00429030 FreeLibrary KERNEL32
- 00429034 HeapReAlloc KERNEL32
- 00429038 GetStringTypeA KERNEL32
- 0042903C FileTimeToLocalFileTime KERNEL32
- 00429040 HeapCreate KERNEL32
- 00429044 TlsAlloc KERNEL32
- 00429048 VirtualAlloc KERNEL32
- 0042904C GetExitCodeThread KERNEL32
- 00429050 VirtualFree KERNEL32
- 00429054 HeapAlloc KERNEL32
- 00429058 TerminateProcess KERNEL32
- 0042905C FindNextFileA KERNEL32
- 00429060 GetFullPathNameA KERNEL32
- 00429064 GetTimeZoneInformation KERNEL32
- 00429068 SetHandleCount KERNEL32
- 0042906C FileTimeToSystemTime KERNEL32
- 00429070 LCMapStringA KERNEL32
- 00429074 CreateFileA KERNEL32
- 00429078 WriteFile KERNEL32
- 0042907C LoadLibraryA KERNEL32
- 00429080 QueryPerformanceCounter KERNEL32
- 00429084 GetLocaleInfoA KERNEL32
- 00429088 FindClose KERNEL32
- 0042908C GetCurrentThreadId KERNEL32
- 00429090 HeapDestroy KERNEL32
- 00429094 VirtualProtect KERNEL32
- 00429098 HeapFree KERNEL32
- 0042909C InterlockedExchange KERNEL32
- 004290A0 QueryPerformanceFrequency KERNEL32
- 004290A4 GetExitCodeProcess KERNEL32
- 004290A8 GetACP KERNEL32
- 004290AC GetVersionExA KERNEL32
- 004290B0 LeaveCriticalSection KERNEL32
- 004290B4 FreeEnvironmentStringsW KERNEL32
- 004290B8 GetProcAddress KERNEL32
- 004290BC GetModuleFileNameA KERNEL32
- 004290C0 LocalFree KERNEL32
- 004290C4 GetEnvironmentStringsW KERNEL32
- 004290C8 CompareStringA KERNEL32
- 004290CC SetEnvironmentVariableA KERNEL32
- 004290D0 SetEnvironmentVariableW KERNEL32
- 004290D4 WideCharToMultiByte KERNEL32
- 004290D8 GetFileAttributesA KERNEL32
- 004290DC TlsFree KERNEL32
- 004290E0 GetEnvironmentStrings KERNEL32
- 004290E4 SetEndOfFile KERNEL32
- 004290E8 CompareStringW KERNEL32
- 004290EC SetLastError KERNEL32
- 004290F0 VirtualQuery KERNEL32
- 004290F4 SetFilePointer KERNEL32
- 004290F8 InitializeCriticalSection KERNEL32
- 004290FC GetModuleHandleA KERNEL32
- 00429100 CloseHandle KERNEL32
- 00429104 GetCurrentDirectoryW KERNEL32
- 00429108 GetCurrentDirectoryA KERNEL32
- 0042910C MultiByteToWideChar KERNEL32
- 00429110 FlushFileBuffers KERNEL32
- 00429114 LCMapStringW KERNEL32
- 00429118 GetStringTypeW KERNEL32
- 0042911C HeapSize KERNEL32
- 00429120 ExitProcess KERNEL32
- 00429124 GetLastError KERNEL32
- 00429128 GetCPInfo KERNEL32
- 0042912C TlsSetValue KERNEL32
- 00429130 FreeEnvironmentStringsA KERNEL32
- 00429134 GetCurrentProcess KERNEL32
- 00429138 GetSystemInfo KERNEL32
- 0042913C EnterCriticalSection KERNEL32
- 00429140 GetCommandLineA KERNEL32
- 00429144 GetTickCount KERNEL32
- 00429148 GetOEMCP KERNEL32
- 0042914C ReadFile KERNEL32
- 00429150 RtlUnwind KERNEL32
- 00429154 ExitThread KERNEL32
- 00429158 UnhandledExceptionFilter KERNEL32
- 0042915C CreateProcessA KERNEL32
- 00429160 DeleteCriticalSection KERNEL32
- 00429164 lstrcatA KERNEL32
- 00429168 IsValidLanguageGroup KERNEL32
- 0042916C GetStartupInfoA KERNEL32
- 00429170 FindFirstFileA KERNEL32
- 00429174 GetSystemTimeAsFileTime KERNEL32
- 00429178 SetStdHandle KERNEL32
- 0042917C GetStdHandle KERNEL32
- // Repetitive garbage pattern used to obfuscate the binary code:
- .text:0040AD40 2D 3A BC E6 33 71 77 72 71 77 72 71 77 72 71 77 -:シ・qwrqwrqwrqw
- .text:0040AD50 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 rqwrqwrqwrqwrqwr
- .text:0040AD60 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 qwrqwrqwrqwrqwrq
- .text:0040AD70 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 wrqwrqwrqwrqwrqw
- .text:0040AD80 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 rqwrqwrqwrqwrqwr
- .text:0040AD90 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 qwrqwrqwrqwrqwrq
- .text:0040ADA0 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 wrqwrqwrqwrqwrqw
- .text:0040ADB0 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 rqwrqwrqwrqwrqwr
- .text:0040ADC0 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 qwrqwrqwrqwrqwrq
- : : : :
- .text:0040B440 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 rqwrqwrqwrqwrqwr
- .text:0040B450 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 qwrqwrqwrqwrqwrq
- .text:0040B460 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 wrqwrqwrqwrqwrqw
- .text:0040B470 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 rqwrqwrqwrqwrqwr
- .text:0040B480 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 qwrqwrqwrqwrqwrq
- .text:0040B490 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 wrqwrqwrqwrqwrqw
- .text:0040B4A0 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 rqwrqwrqwrqwrqwr
- .text:0040B4B0 71 77 72 71 77 72 71 77 72 71 3F 07 00 00 E1 07 qwrqwrqwrq?..・
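The "qwr" filler above is a short byte sequence repeated for roughly 0x700 bytes inside .text. A defender can locate such low-entropy padding mechanically by looking for stretches where a buffer equals itself shifted by a small period. This is an added example, not the author's code; the sample buffer is constructed to mirror the dump's shape (a few real-looking bytes, then "qwr" repeated, then a tail):

```python
# Constructed .text excerpt: six leading bytes from the dump above, 600 copies of "qwr", then a tail.
SAMPLE_TEXT = bytes.fromhex("2d3abce63371") + b"qwr" * 600 + bytes.fromhex("3f070000e107")

def periodic_runs(buf, max_period=8, min_len=64):
    """Return (offset, length, period, pattern) for stretches of buf that repeat with a short period.

    Periods are tried in ascending order, so a run found at period 3 is not reported again at 6.
    """
    runs = []
    for p in range(1, max_period + 1):
        i = p
        while i < len(buf):
            if buf[i] != buf[i - p]:
                i += 1
                continue
            start = i - p                      # the run includes the first full period
            while i < len(buf) and buf[i] == buf[i - p]:
                i += 1
            length = i - start
            covered = any(s <= start and i <= s + n for s, n, _, _ in runs)
            if length >= min_len and not covered:
                runs.append((start, length, p, bytes(buf[start:start + p])))
    return runs

def filler_ratio(buf, **kw):
    """Fraction of the buffer taken up by periodic filler; high values suggest obfuscation padding."""
    return sum(n for _, n, _, _ in periodic_runs(buf, **kw)) / len(buf) if buf else 0.0
```

Run over a real .text section the same function reports every padded region with its period and pattern, which is what you would want in a triage note alongside the section's entropy.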
- =========================
- BEHAVIOUR ANALYSIS (A quicky)
- =========================
- // Files & Processes....
- The sample deletes itself and copies itself to:
- %AppData%\KB00927107.exe
- Running process:
- "%System%\cmd.exe" /c "%Temp%\exp1.tmp.bat"
- %Appdata%\KB00927107.exe
- |
- +--Code injections in the following processes...
- wscntfy.exe
- exp3.tmp.exe
- // Aggressive network trace:
- HTTP requests...
- URL: http://188.120.226.30:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ (the path differs on every attempt)
- TYPE: POST
- UA: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
- // Registry
- //autostart...
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run\KB00777165.exe:
- ""C:\Documents and Settings\rik\Application Data\KB00777165.exe""
- // The Parfeit config stored in the registry (hex dump via bintext):
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows NT\SD5809E24\: 3C 73 65 74 7
- 2F 75 72 6C 3E 3C 75 72 6C 20 63 6F 6E 74 65 6E 74 54 79 70 65 3D 22 5E 74 65 78 74 2F 28 68 74 6D 6C 7C
- 74 6D 6C 7C 70 6C 61 69 6E 29 22 3E 2F 61 75 74 68 65 6E 74 69 63 61 74 69 6F 6E 2F 7A 62 66 2F 6B 2F 3C
- 3 61 73 68 6D 61 6E 2F 3C 2F 75 72 6C 3E 3C 75 72 6C 20 63 6F 6E 74 65 6E 74 54 79 70 65 3D 22 5E 74 65 7
- 70 65 3D 22 5E 74 65 78 74 2F 28 68 74 6D 6C 7C 70 6C 61 69 6E 29 22 3E 2F 63 6D 6D 61 69 6E 5C 2E 63 66
- :
- (etc)
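The registry value above decodes to XML of the form `<url contentType="^text/(html|plain)">/authentication/zbf/k/</url>`: a content-type filter plus a URL pattern per entry. This added example (not the author's tooling) turns a bintext-style hex dump back into bytes, pulls out those entries for hunting, and flags the Run-key persistence shape seen above (a KB########.exe launched from the user profile). The config content is constructed from the decoded fragment; the second entry is made up.

```python
import re

# Constructed config in the shape of the decoded fragment; the second <url> entry is invented.
SAMPLE_CONFIG = (b'<settings><url contentType="^text/(html|plain)">/authentication/zbf/k/</url>'
                 b'<url contentType="^text/(html|plain)">/cmmain\\.cf</url></settings>')
# The same bytes as a bintext-style dump: space-separated hex, as the registry export prints them.
SAMPLE_HEX = " ".join(f"{b:02X}" for b in SAMPLE_CONFIG)

def hexdump_to_bytes(dump):
    """Turn an 'XX XX XX' dump (wrapped over any number of lines) back into raw bytes."""
    return bytes(int(tok, 16) for tok in dump.split())

def parse_url_rules(blob):
    """Extract (contentType regex, URL pattern) pairs from the decoded config."""
    text = blob.decode("latin-1", errors="replace")
    return re.findall(r'<url contentType="([^"]*)">(.*?)</url>', text)

RUN_NAME = re.compile(r"^KB\d{8}\.exe$", re.I)

def suspicious_run_value(name, value):
    """True for Run-key entries named like a Windows update that launch from a user profile path."""
    path = value.strip('"').strip()
    lower = path.lower()
    in_profile = "\\application data\\" in lower or "%appdata%" in lower
    return bool(RUN_NAME.match(name)) and in_profile
```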
- ==============================
- PAYLOAD/BINARY DETECTION RATIO ANALYSIS
- ==============================
- //VT scans:
- SHA256: d18b3092907456fa96727bbe5cb24eb1e58777c473954a84bd2566cb2b0c81c0
- SHA1: 4c478e491b4c36770612efe781d74bbc67639192
- MD5: 8c25020ae092a27396cae4ff5a0a5085
- File size: 212.0 KB ( 217088 bytes )
- File name: 8c25020ae092a27396cae4ff5a0a5085
- File type: Win32 EXE
- Tags: peexe
- Detection ratio: 15 / 44
- Analysis date: 2012-12-20 08:34:28 UTC ( 1 day, 22 hours ago )
- URL: https://www.virustotal.com/latest-scan/d18b3092907456fa96727bbe5cb24eb1e58777c473954a84bd2566cb2b0c81c0
- F-Secure : Gen:Variant.Kazy.128823
- GData : Gen:Variant.Kazy.128823
- VIPRE : Win32.Malware!Drop
- TrendMicro : TROJ_KRYPTIK.OSJ
- McAfee-GW-Edition : Artemis!8C25020AE092
- TrendMicro-HouseCall : TROJ_KRYPTIK.OSJ
- MicroWorld-eScan : Gen:Variant.Kazy.128823
- Avast : Win32:Crypt-OPM [Trj]
- Kaspersky : Trojan.Win32.Bublik.woq
- BitDefender : Gen:Variant.Kazy.128823
- McAfee : Artemis!8C25020AE092
- Malwarebytes : Spyware.Password
- Fortinet : W32/Bublik.WOQ!tr
- ESET-NOD32 : a variant of Win32/Kryptik.AQUE
- AVG : Generic30.BOYB
- ----
- #MalwareMustDie | @unixfreaxjp