#MMD BHEK Payload (Cridex) analysis - 20121222

MalwareMustDie Dec 22nd, 2012
#malwareMustDie - BHEK Cridex (Parfeit trojan downloader)
# Binary (static/dynamic/VT) Quick Analysis
# @unixfreaxjp /malware]$ date
# Sat Dec 22 19:07:15 JST 2012

GET /detects/continues-little.php?zf=30:2v:1f:1j:30&ge=1n:2w:1i:1j:1o:1i:1g:2v:1m:1m&l=1k&iw=z&hf=d HTTP/1.0
Referer: http://www.irwra.com//wp-content/themes/mantra/uploads/cpa_inform.html
User-Agent: Hey Moronz - Let's rock'n'roll #MalwareMustDie!
Accept: */*
Host: latticesoft.net
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.3.3
Date: Sat, 22 Dec 2012 07:02:18 GMT
Content-Type: application/x-msdownload
Content-Length: 217088
Connection: close
X-Powered-By: PHP/5.3.14
Pragma: public
Expires: Sat, 22 Dec 2012 07:02:18 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="calc.exe"
Content-Transfer-Encoding: binary
---response end---
200 OK
Length: 217,088 (212K) [application/x-msdownload]
100%[====================================>] 217,088       19.23K/s    ETA 00:00
Closed fd 1896
16:02:42 (20.92 KB/s) - `continues-little.php@zf=30%3A2v%3A1f%3A1j%3A30&ge=1n%3A2w%3A1i%3A1j%3A1o%3A1i%3A1g%3A2v%3A1m%3A1m&l=1k&iw=z&hf=d' saved [217088/217088]

//let's call it calc.exe then :-),


=======================

BINARY ANALYSIS

=======================


// Binary analysis, combined from several sources....

ExifTool:
SubsystemVersion.........: 4.0
InitializedDataSize......: 69632
ImageVersion.............: 0.0
ProductName..............: Java(TM) Platform SE 6 U37
FileVersionNumber........: 6.0.370.6
UninitializedDataSize....: 0
LanguageCode.............: Neutral
FileFlagsMask............: 0x003f
FullVersion..............: 1.6.0_37-b06
CharacterSet.............: Unicode
LinkerVersion............: 8.0
OriginalFilename.........: java.exe
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 6.0.370.6
TimeStamp................: 2003:02:17 03:41:05+00:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: java
ProductVersion...........: 6.0.370.6
FileDescription..........: Java(TM) Platform SE binary
OSVersion................: 4.0
FileOS...................: Win32
LegalCopyright...........: Copyright    2012
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Sun Microsystems, Inc.
CodeSize.................: 163840
FileSubtype..............: 0
ProductVersionNumber.....: 6.0.370.6
EntryPoint...............: 0x1335
ObjectFileType...........: Executable application

PE information:
Compilation timedatestamp.....: 2003-02-17 03:41:05
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00001335

PE Sections:
   .text 0x1000 0x270a5 163840
   .rdata 0x29000 0xa4c 4096
   .data 0x2a000 0x100040 4096
   fdata 0x12b000 0x280 4096
   .rsrc 0x12c000 0x807c 36864

TrID
   Win32 Executable MS Visual C++ (generic) (63.0%)
   Win32 Executable Generic (14.2%)
   Win32 Dynamic Link Library (generic) (12.6%)
   Clipper DOS Executable (3.3%)
   Generic Win/DOS Executable (3.3%)

//Faking Java...
CompanyName
Sun Microsystems, Inc.
FileDescription
Java(TM) Platform SE binary
FileVersion
Full Version
InternalName
java
LegalCopyright
Copyright
OriginalFilename
java.exe
ProductName
Java(TM) Platform SE 6 U37
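
The static clues above (a section table with a non-standard "fdata" section and a .data section whose virtual size is 256 times its raw size, plus a Java version resource on a file served as calc.exe and linked in 2003) can be turned into a mechanical triage check. The following Python is an added example, not code from the original paste or from MalwareMustDie; it works on the values copied from the ExifTool and section output above, and the threshold and "common section name" list are assumptions.

```python
import re

# Values taken from the ExifTool / section output shown above.
VERSION_INFO = {
    "OriginalFilename": "java.exe",
    "CompanyName": "Sun Microsystems, Inc.",
    "ProductName": "Java(TM) Platform SE 6 U37",
    "LegalCopyright": "Copyright 2012",
    "TimeStamp": "2003:02:17 03:41:05+00:00",
}
SECTION_TABLE = """\
.text 0x1000 0x270a5 163840
.rdata 0x29000 0xa4c 4096
.data 0x2a000 0x100040 4096
fdata 0x12b000 0x280 4096
.rsrc 0x12c000 0x807c 36864"""

# Assumed list of section names a normal MSVC-linked binary carries.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc",
                   ".idata", ".edata", ".bss", ".tls", ".pdata", ".CRT"}

def check_sections(table, ratio_limit=16):
    """Flag non-standard section names and sections whose virtual size dwarfs the
    bytes stored on disk (a typical sign of a buffer the unpacker fills at runtime)."""
    findings = []
    for line in table.splitlines():
        name, _va, vsize, raw = line.split()        # name, VA, VirtualSize, SizeOfRawData
        vsize, raw = int(vsize, 16), int(raw)
        if name not in COMMON_SECTIONS:
            findings.append(f"{name}: non-standard section name")
        if raw and vsize / raw >= ratio_limit:
            findings.append(f"{name}: VirtualSize {vsize:#x} is {vsize // raw}x the raw size {raw}")
    return findings

def check_version_info(info, served_name):
    """Cross-check the version resource against the link timestamp and the
    filename the HTTP response delivered the file under."""
    findings = []
    if info["OriginalFilename"].lower() != served_name.lower():
        findings.append(f"served as {served_name} but resource says {info['OriginalFilename']}")
    link_year = int(info["TimeStamp"][:4])
    text = info["LegalCopyright"] + " " + info["ProductName"]
    years = [int(y) for y in re.findall(r"\b(19\d\d|20\d\d)\b", text)]
    if years and max(years) - link_year >= 2:
        findings.append(f"resource claims {max(years)} but PE was linked in {link_year}")
    return findings

if __name__ == "__main__":
    for f in check_sections(SECTION_TABLE) + check_version_info(VERSION_INFO, "calc.exe"):
        print("[!]", f)
```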

//Runtime DLLs:
   shlwapi.dll
   kernel32.dll
   advapi32.dll
   shell32.dll
   rpcrt4.dll
   version.dll

//Those DLLs' calls:
00429000  RegEnumKeyA               ADVAPI32
00429004  RegCloseKey               ADVAPI32
00429008  RegOpenKeyExA             ADVAPI32
0042900C  RegQueryValueExA          ADVAPI32
00429014  WaitForSingleObject       KERNEL32
00429018  CreateThread              KERNEL32
0042901C  GetFileType               KERNEL32
00429020  FormatMessageA            KERNEL32
00429024  GetDriveTypeA             KERNEL32
00429028  GetCurrentProcessId       KERNEL32
0042902C  TlsGetValue               KERNEL32
00429030  FreeLibrary               KERNEL32
00429034  HeapReAlloc               KERNEL32
00429038  GetStringTypeA            KERNEL32
0042903C  FileTimeToLocalFileTime   KERNEL32
00429040  HeapCreate                KERNEL32
00429044  TlsAlloc                  KERNEL32
00429048  VirtualAlloc              KERNEL32
0042904C  GetExitCodeThread         KERNEL32
00429050  VirtualFree               KERNEL32
00429054  HeapAlloc                 KERNEL32
00429058  TerminateProcess          KERNEL32
0042905C  FindNextFileA             KERNEL32
00429060  GetFullPathNameA          KERNEL32
00429064  GetTimeZoneInformation    KERNEL32
00429068  SetHandleCount            KERNEL32
0042906C  FileTimeToSystemTime      KERNEL32
00429070  LCMapStringA              KERNEL32
00429074  CreateFileA               KERNEL32
00429078  WriteFile                 KERNEL32
0042907C  LoadLibraryA              KERNEL32
00429080  QueryPerformanceCounter   KERNEL32
00429084  GetLocaleInfoA            KERNEL32
00429088  FindClose                 KERNEL32
0042908C  GetCurrentThreadId        KERNEL32
00429090  HeapDestroy               KERNEL32
00429094  VirtualProtect            KERNEL32
00429098  HeapFree                  KERNEL32
0042909C  InterlockedExchange       KERNEL32
004290A0  QueryPerformanceFrequency KERNEL32
004290A4  GetExitCodeProcess        KERNEL32
004290A8  GetACP                    KERNEL32
004290AC  GetVersionExA             KERNEL32
004290B0  LeaveCriticalSection      KERNEL32
004290B4  FreeEnvironmentStringsW   KERNEL32
004290B8  GetProcAddress            KERNEL32
004290BC  GetModuleFileNameA        KERNEL32
004290C0  LocalFree                 KERNEL32
004290C4  GetEnvironmentStringsW    KERNEL32
004290C8  CompareStringA            KERNEL32
004290CC  SetEnvironmentVariableA   KERNEL32
004290D0  SetEnvironmentVariableW   KERNEL32
004290D4  WideCharToMultiByte       KERNEL32
004290D8  GetFileAttributesA        KERNEL32
004290DC  TlsFree                   KERNEL32
004290E0  GetEnvironmentStrings     KERNEL32
004290E4  SetEndOfFile              KERNEL32
004290E8  CompareStringW            KERNEL32
004290EC  SetLastError              KERNEL32
004290F0  VirtualQuery              KERNEL32
004290F4  SetFilePointer            KERNEL32
004290F8  InitializeCriticalSection KERNEL32
004290FC  GetModuleHandleA          KERNEL32
00429100  CloseHandle               KERNEL32
00429104  GetCurrentDirectoryW      KERNEL32
00429108  GetCurrentDirectoryA      KERNEL32
0042910C  MultiByteToWideChar       KERNEL32
00429110  FlushFileBuffers          KERNEL32
00429114  LCMapStringW              KERNEL32
00429118  GetStringTypeW            KERNEL32
0042911C  HeapSize                  KERNEL32
00429120  ExitProcess               KERNEL32
00429124  GetLastError              KERNEL32
00429128  GetCPInfo                 KERNEL32
0042912C  TlsSetValue               KERNEL32
00429130  FreeEnvironmentStringsA   KERNEL32
00429134  GetCurrentProcess         KERNEL32
00429138  GetSystemInfo             KERNEL32
0042913C  EnterCriticalSection      KERNEL32
00429140  GetCommandLineA           KERNEL32
00429144  GetTickCount              KERNEL32
00429148  GetOEMCP                  KERNEL32
0042914C  ReadFile                  KERNEL32
00429150  RtlUnwind                 KERNEL32
00429154  ExitThread                KERNEL32
00429158  UnhandledExceptionFilter  KERNEL32
0042915C  CreateProcessA            KERNEL32
00429160  DeleteCriticalSection     KERNEL32
00429164  lstrcatA                  KERNEL32
00429168  IsValidLanguageGroup      KERNEL32
0042916C  GetStartupInfoA           KERNEL32
00429170  FindFirstFileA            KERNEL32
00429174  GetSystemTimeAsFileTime   KERNEL32
00429178  SetStdHandle              KERNEL32
0042917C  GetStdHandle              KERNEL32

//// garbage pattern used to obfuscate the binary code (repetitive)

.text:0040AD40  2D 3A BC E6 33 71 77 72  71 77 72 71 77 72 71 77  -:シ・qwrqwrqwrqw
.text:0040AD50  72 71 77 72 71 77 72 71  77 72 71 77 72 71 77 72  rqwrqwrqwrqwrqwr
.text:0040AD60  71 77 72 71 77 72 71 77  72 71 77 72 71 77 72 71  qwrqwrqwrqwrqwrq
.text:0040AD70  77 72 71 77 72 71 77 72  71 77 72 71 77 72 71 77  wrqwrqwrqwrqwrqw
.text:0040AD80  72 71 77 72 71 77 72 71  77 72 71 77 72 71 77 72  rqwrqwrqwrqwrqwr
.text:0040AD90  71 77 72 71 77 72 71 77  72 71 77 72 71 77 72 71  qwrqwrqwrqwrqwrq
.text:0040ADA0  77 72 71 77 72 71 77 72  71 77 72 71 77 72 71 77  wrqwrqwrqwrqwrqw
.text:0040ADB0  72 71 77 72 71 77 72 71  77 72 71 77 72 71 77 72  rqwrqwrqwrqwrqwr
.text:0040ADC0  71 77 72 71 77 72 71 77  72 71 77 72 71 77 72 71  qwrqwrqwrqwrqwrq
       :                :                          :                  :
.text:0040B440  72 71 77 72 71 77 72 71  77 72 71 77 72 71 77 72  rqwrqwrqwrqwrqwr
.text:0040B450  71 77 72 71 77 72 71 77  72 71 77 72 71 77 72 71  qwrqwrqwrqwrqwrq
.text:0040B460  77 72 71 77 72 71 77 72  71 77 72 71 77 72 71 77  wrqwrqwrqwrqwrqw
.text:0040B470  72 71 77 72 71 77 72 71  77 72 71 77 72 71 77 72  rqwrqwrqwrqwrqwr
.text:0040B480  71 77 72 71 77 72 71 77  72 71 77 72 71 77 72 71  qwrqwrqwrqwrqwrq
.text:0040B490  77 72 71 77 72 71 77 72  71 77 72 71 77 72 71 77  wrqwrqwrqwrqwrqw
.text:0040B4A0  72 71 77 72 71 77 72 71  77 72 71 77 72 71 77 72  rqwrqwrqwrqwrqwr
.text:0040B4B0  71 77 72 71 77 72 71 77  72 71 3F 07 00 00 E1 07  qwrqwrqwrq?..・
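
The "qwr" filler above is a period-3 byte pattern repeated over roughly 1.9 KB of .text; such runs can be located mechanically instead of by eye. The Python below is an added example, not code from the original paste or from MalwareMustDie: it reports every run of a short repeating unit longer than a threshold, skipping ordinary 0x00/0xCC alignment padding, and runs over a constructed byte string that mimics the dump above (the real .text bytes would be read from the sample at the section's raw offset).

```python
# Constructed stand-in for the .text region shown above: a few leading bytes,
# 600 repeats of "qwr", the trailing bytes from the last dump line, then
# ordinary zero padding and a short 0x90 tail (too short to be reported).
SAMPLE = (b"\x2d\x3a\xbc\xe6\x33" + b"qwr" * 600
          + b"\x3f\x07\x00\x00\xe1\x07" + b"\x00" * 200 + b"\x90" * 5)

def find_repeating_runs(data, min_len=64, max_period=8,
                        ignore_units=frozenset({b"\x00", b"\xcc"})):
    """Scan bytes for long runs of a short repeating unit (period 1..max_period).

    Returns a list of (offset, length, period, unit) for each run of at least
    min_len bytes. Periods are tried smallest first, so a "qwr" run is reported
    with period 3 rather than 6 or 9. Runs whose unit is in ignore_units (the
    usual linker/compiler padding bytes) are skipped but still stepped over.
    """
    runs, i, n = [], 0, len(data)
    while i < n:
        for period in range(1, max_period + 1):
            j = i + period
            while j < n and data[j] == data[j - period]:
                j += 1
            length = j - i
            if length >= min_len:
                unit = bytes(data[i:i + period])
                if unit not in ignore_units:
                    runs.append((i, length, period, unit))
                i = j                      # continue after the whole run
                break
        else:
            i += 1                         # no run starts here
    return runs

def describe(runs, base=0):
    """Render runs as IDA-style lines, e.g. for a section loaded at `base`."""
    return [f"{base + off:08X}: {length} bytes of {unit!r} (period {period})"
            for off, length, period, unit in runs]

if __name__ == "__main__":
    for line in describe(find_repeating_runs(SAMPLE), base=0x40AD40):
        print(line)
```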


=========================

BEHAVIOUR ANALYSIS (A quicky)

=========================

// Files & Processes....

Sample is self deleted & self copied to:
  %AppData%\KB00927107.exe

Running process:
  %System%\cmd.exe" /c "%Temp%\exp1.tmp.bat""
  %Appdata%\KB00927107.exe
    |
    +--Code injections in the following processes...
         wscntfy.exe
         exp3.tmp.exe

// Aggressive Network Trace:

HTTP requests...
URL:  http://188.120.226.30:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ (differs in every attempt..)
TYPE: POST
UA:   Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)


// Registry

//autostart...
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run\KB00777165.exe:
""C:\Documents and Settings\rik\Application Data\KB00777165.exe""

// the parfeit config file in registry (bintext)
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows NT\SD5809E24\: 3C 73 65 74 7
 2F 75 72 6C 3E 3C 75 72 6C 20 63 6F 6E 74 65 6E 74 54 79 70 65 3D 22 5E 74 65 78 74 2F 28 68 74 6D 6C 7C
74 6D 6C 7C 70 6C 61 69 6E 29 22 3E 2F 61 75 74 68 65 6E 74 69 63 61 74 69 6F 6E 2F 7A 62 66 2F 6B 2F 3C
3 61 73 68 6D 61 6E 2F 3C 2F 75 72 6C 3E 3C 75 72 6C 20 63 6F 6E 74 65 6E 74 54 79 70 65 3D 22 5E 74 65 7
 70 65 3D 22 5E 74 65 78 74 2F 28 68 74 6D 6C 7C 70 6C 61 69 6E 29 22 3E 2F 63 6D 6D 61 69 6E 5C 2E 63 66
    :
    (etc)
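
The two registry artefacts above (a Run value pointing at a KB########.exe dropped under Application Data, and a REG_BINARY value under a random-looking subkey of Software\Microsoft\Windows NT whose bytes decode to `<url contentType=...>` entries) are what a host-side triage should look for. The Python below is an added example, not code from the original paste or from MalwareMustDie: the entries are constructed from the key paths shown above, and the REG_BINARY payload is an invented stand-in in the same `<url contentType=...>` shape, not the sample's real blob; the regexes are assumed heuristics.

```python
import re

# Invented config payload in the shape the bintext dump above decodes to (hex-encoded
# as a REG_BINARY value would be exported); not the sample's real configuration.
CONFIG_BLOB = b'<settings><url contentType="^text/(html|plain)">/cmmain\\.cfm</url></settings>'.hex()

# Constructed entries: (key path, value name, value type, data). The first two mirror the
# observations above; the third is a benign Run entry to show it is not flagged.
ENTRIES = [
    (r"HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run",
     "KB00777165.exe", "REG_SZ", r'"C:\Documents and Settings\rik\Application Data\KB00777165.exe"'),
    (r"HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows NT\SD5809E24",
     "", "REG_BINARY", CONFIG_BLOB),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "ctfmon", "REG_SZ", r"C:\WINDOWS\system32\ctfmon.exe"),
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
KB_NAME = re.compile(r"KB\d{8}\.exe", re.I)                     # fake-hotfix filename pattern
APPDATA = re.compile(r"\\Application Data\\|%AppData%", re.I)   # dropped into the user profile
# An all-caps/digit subkey directly under "Windows NT" (case-sensitive on purpose, so
# the legitimate CurrentVersion subkey does not match).
WINNT_ODD_KEY = re.compile(r"\\Software\\Microsoft\\Windows NT\\[0-9A-Z]{8,16}$")
CONFIG_MARKER = b"<url contentType="

def triage_registry(entries):
    """Return (kind, identifier, detail) findings for persistence and config artefacts."""
    findings = []
    for key, name, rtype, data in entries:
        if RUN_KEY.search(key) and KB_NAME.search(data) and APPDATA.search(data):
            findings.append(("persistence", name, data))
        if rtype == "REG_BINARY" and WINNT_ODD_KEY.search(key):
            raw = bytes.fromhex(data)
            if CONFIG_MARKER in raw:
                subkey = key.rsplit("\\", 1)[1]
                findings.append(("config", subkey, raw[:40].decode("latin-1")))
    return findings

if __name__ == "__main__":
    for kind, ident, detail in triage_registry(ENTRIES):
        print(f"[{kind}] {ident}: {detail}")
```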

==============================

PAYLOAD/BINARY DETECTION RATIO ANALYSIS

==============================

//VT scans:

SHA256: d18b3092907456fa96727bbe5cb24eb1e58777c473954a84bd2566cb2b0c81c0
SHA1: 4c478e491b4c36770612efe781d74bbc67639192
MD5: 8c25020ae092a27396cae4ff5a0a5085
File size: 212.0 KB ( 217088 bytes )
File name: 8c25020ae092a27396cae4ff5a0a5085
File type: Win32 EXE
Tags: peexe
Detection ratio: 15 / 44
Analysis date: 2012-12-20 08:34:28 UTC ( 1 day, 22 hours ago )
URL:  https://www.virustotal.com/latest-scan/d18b3092907456fa96727bbe5cb24eb1e58777c473954a84bd2566cb2b0c81c0

F-Secure                 : Gen:Variant.Kazy.128823
GData                    : Gen:Variant.Kazy.128823
VIPRE                    : Win32.Malware!Drop
TrendMicro               : TROJ_KRYPTIK.OSJ
McAfee-GW-Edition        : Artemis!8C25020AE092
TrendMicro-HouseCall     : TROJ_KRYPTIK.OSJ
MicroWorld-eScan         : Gen:Variant.Kazy.128823
Avast                    : Win32:Crypt-OPM [Trj]
Kaspersky                : Trojan.Win32.Bublik.woq
BitDefender              : Gen:Variant.Kazy.128823
McAfee                   : Artemis!8C25020AE092
Malwarebytes             : Spyware.Password
Fortinet                 : W32/Bublik.WOQ!tr
ESET-NOD32               : a variant of Win32/Kryptik.AQUE
AVG                      : Generic30.BOYB

----
#MalwareMustDie | @unixfreaxjp