API tools faq
paste
Advertisement
MalwareMustDie

#MMD BHEK Payload (Cridex) analysis - 20121222

MalwareMustDie
Dec 22nd, 2012
1,500
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 12.31 KB | None | 0 0
raw download clone embed print report
  1. #malwareMustDie - BHEK Cridex (Parfeit trojan downloader)
  2. # Binary (static/dynamic/VT) Quick Analysis
  3. # @unixfreaxjp /malware]$ date
  4. # Sat Dec 22 19:07:15 JST 2012
  5.  
  6. GET /detects/continues-little.php?zf=30:2v:1f:1j:30&ge=1n:2w:1i:1j:1o:1i:1g:2v:1
  7. m:1m&l=1k&iw=z&hf=d HTTP/1.0
  8. Referer: http://www.irwra.com//wp-content/themes/mantra/uploads/cpa_inform.html
  9. User-Agent: Hey Moronz - Let's rock'n'roll #MalwareMustDie!
  10. Accept: */*
  11. Host: latticesoft.net
  12. Connection: Keep-Alive
  13.  
  14. ---request end---
  15. HTTP request sent, awaiting response...
  16. ---response begin---
  17. HTTP/1.1 200 OK
  18. Server: nginx/1.3.3
  19. Date: Sat, 22 Dec 2012 07:02:18 GMT
  20. Content-Type: application/x-msdownload
  21. Content-Length: 217088
  22. Connection: close
  23. X-Powered-By: PHP/5.3.14
  24. Pragma: public
  25. Expires: Sat, 22 Dec 2012 07:02:18 GMT
  26. Cache-Control: must-revalidate, post-check=0, pre-check=0
  27. Cache-Control: private
  28. Content-Disposition: attachment; filename="calc.exe"
  29. Content-Transfer-Encoding: binary
  30. ---response end---
  31. 200 OK
  32. Length: 217,088 (212K) [application/x-msdownload]
  33. 100%[====================================>] 217,088 19.23K/s ETA 00:00
  34. Closed fd 1896
  35. 16:02:42 (20.92 KB/s) - `continues-little.php@zf=30%3A2v%3A1f%3A1j%3A30&ge=1n%3A
  36. 2w%3A1i%3A1j%3A1o%3A1i%3A1g%3A2v%3A1m%3A1m&l=1k&iw=z&hf=d' saved [217088/217088]
  37.  
  38. //let's call it calc.exe then :-),
  39.  
  40.  
  41. ======================
  42.  
  43. BINARY ANALYSIS
  44.  
  45. =======================
  46.  
  47.  
  48. // Combination of many sources Binary analysis....
  49.  
  50. ExifTool:
  51. SubsystemVersion.........: 4.0
  52. InitializedDataSize......: 69632
  53. ImageVersion.............: 0.0
  54. ProductName..............: Java(TM) Platform SE 6 U37
  55. FileVersionNumber........: 6.0.370.6
  56. UninitializedDataSize....: 0
  57. LanguageCode.............: Neutral
  58. FileFlagsMask............: 0x003f
  59. FullVersion..............: 1.6.0_37-b06
  60. CharacterSet.............: Unicode
  61. LinkerVersion............: 8.0
  62. OriginalFilename.........: java.exe
  63. MIMEType.................: application/octet-stream
  64. Subsystem................: Windows GUI
  65. FileVersion..............: 6.0.370.6
  66. TimeStamp................: 2003:02:17 03:41:05+00:00
  67. FileType.................: Win32 EXE
  68. PEType...................: PE32
  69. InternalName.............: java
  70. ProductVersion...........: 6.0.370.6
  71. FileDescription..........: Java(TM) Platform SE binary
  72. OSVersion................: 4.0
  73. FileOS...................: Win32
  74. LegalCopyright...........: Copyright 2012
  75. MachineType..............: Intel 386 or later, and compatibles
  76. CompanyName..............: Sun Microsystems, Inc.
  77. CodeSize.................: 163840
  78. FileSubtype..............: 0
  79. ProductVersionNumber.....: 6.0.370.6
  80. EntryPoint...............: 0x1335
  81. ObjectFileType...........: Executable application
  82.  
  83. PE information:
  84. Compilation timedatestamp.....: 2003-02-17 03:41:05
  85. Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
  86. Entry point address...........: 0x00001335
  87.  
  88. PE Sections:
  89. .text 0x1000 0x270a5 163840
  90. .rdata 0x29000 0xa4c 4096
  91. .data 0x2a000 0x100040 4096
  92. fdata 0x12b000 0x280 4096
  93. .rsrc 0x12c000 0x807c 36864
  94.  
  95. TrID
  96. Win32 Executable MS Visual C++ (generic) (63.0%)
  97. Win32 Executable Generic (14.2%)
  98. Win32 Dynamic Link Library (generic) (12.6%)
  99. Clipper DOS Executable (3.3%)
  100. Generic Win/DOS Executable (3.3%)
  101.  
  102. //Faking Java...
  103. CompanyName
  104. Sun Microsystems, Inc.
  105. FileDescription
  106. Java(TM) Platform SE binary
  107. FileVersion
  108. Full Version
  109. InternalName
  110. java
  111. LegalCopyright
  112. Copyright
  113. OriginalFilename
  114. java.exe
  115. ProductName
  116. Java(TM) Platform SE 6 U37
  117.  
  118. //Runtime DLLs:
  119. shlwapi.dll
  120. kernel32.dll
  121. advapi32.dll
  122. shell32.dll
  123. rpcrt4.dll
  124. version.dll
  125.  
  126. //That DLL's calls:
  127. 00429000 RegEnumKeyA ADVAPI32
  128. 00429004 RegCloseKey ADVAPI32
  129. 00429008 RegOpenKeyExA ADVAPI32
  130. 0042900C RegQueryValueExA ADVAPI32
  131. 00429014 WaitForSingleObject KERNEL32
  132. 00429018 CreateThread KERNEL32
  133. 0042901C GetFileType KERNEL32
  134. 00429020 FormatMessageA KERNEL32
  135. 00429024 GetDriveTypeA KERNEL32
  136. 00429028 GetCurrentProcessId KERNEL32
  137. 0042902C TlsGetValue KERNEL32
  138. 00429030 FreeLibrary KERNEL32
  139. 00429034 HeapReAlloc KERNEL32
  140. 00429038 GetStringTypeA KERNEL32
  141. 0042903C FileTimeToLocalFileTime KERNEL32
  142. 00429040 HeapCreate KERNEL32
  143. 00429044 TlsAlloc KERNEL32
  144. 00429048 VirtualAlloc KERNEL32
  145. 0042904C GetExitCodeThread KERNEL32
  146. 00429050 VirtualFree KERNEL32
  147. 00429054 HeapAlloc KERNEL32
  148. 00429058 TerminateProcess KERNEL32
  149. 0042905C FindNextFileA KERNEL32
  150. 00429060 GetFullPathNameA KERNEL32
  151. 00429064 GetTimeZoneInformation KERNEL32
  152. 00429068 SetHandleCount KERNEL32
  153. 0042906C FileTimeToSystemTime KERNEL32
  154. 00429070 LCMapStringA KERNEL32
  155. 00429074 CreateFileA KERNEL32
  156. 00429078 WriteFile KERNEL32
  157. 0042907C LoadLibraryA KERNEL32
  158. 00429080 QueryPerformanceCounter KERNEL32
  159. 00429084 GetLocaleInfoA KERNEL32
  160. 00429088 FindClose KERNEL32
  161. 0042908C GetCurrentThreadId KERNEL32
  162. 00429090 HeapDestroy KERNEL32
  163. 00429094 VirtualProtect KERNEL32
  164. 00429098 HeapFree KERNEL32
  165. 0042909C InterlockedExchange KERNEL32
  166. 004290A0 QueryPerformanceFrequency KERNEL32
  167. 004290A4 GetExitCodeProcess KERNEL32
  168. 004290A8 GetACP KERNEL32
  169. 004290AC GetVersionExA KERNEL32
  170. 004290B0 LeaveCriticalSection KERNEL32
  171. 004290B4 FreeEnvironmentStringsW KERNEL32
  172. 004290B8 GetProcAddress KERNEL32
  173. 004290BC GetModuleFileNameA KERNEL32
  174. 004290C0 LocalFree KERNEL32
  175. 004290C4 GetEnvironmentStringsW KERNEL32
  176. 004290C8 CompareStringA KERNEL32
  177. 004290CC SetEnvironmentVariableA KERNEL32
  178. 004290D0 SetEnvironmentVariableW KERNEL32
  179. 004290D4 WideCharToMultiByte KERNEL32
  180. 004290D8 GetFileAttributesA KERNEL32
  181. 004290DC TlsFree KERNEL32
  182. 004290E0 GetEnvironmentStrings KERNEL32
  183. 004290E4 SetEndOfFile KERNEL32
  184. 004290E8 CompareStringW KERNEL32
  185. 004290EC SetLastError KERNEL32
  186. 004290F0 VirtualQuery KERNEL32
  187. 004290F4 SetFilePointer KERNEL32
  188. 004290F8 InitializeCriticalSection KERNEL32
  189. 004290FC GetModuleHandleA KERNEL32
  190. 00429100 CloseHandle KERNEL32
  191. 00429104 GetCurrentDirectoryW KERNEL32
  192. 00429108 GetCurrentDirectoryA KERNEL32
  193. 0042910C MultiByteToWideChar KERNEL32
  194. 00429110 FlushFileBuffers KERNEL32
  195. 00429114 LCMapStringW KERNEL32
  196. 00429118 GetStringTypeW KERNEL32
  197. 0042911C HeapSize KERNEL32
  198. 00429120 ExitProcess KERNEL32
  199. 00429124 GetLastError KERNEL32
  200. 00429128 GetCPInfo KERNEL32
  201. 0042912C TlsSetValue KERNEL32
  202. 00429130 FreeEnvironmentStringsA KERNEL32
  203. 00429134 GetCurrentProcess KERNEL32
  204. 00429138 GetSystemInfo KERNEL32
  205. 0042913C EnterCriticalSection KERNEL32
  206. 00429140 GetCommandLineA KERNEL32
  207. 00429144 GetTickCount KERNEL32
  208. 00429148 GetOEMCP KERNEL32
  209. 0042914C ReadFile KERNEL32
  210. 00429150 RtlUnwind KERNEL32
  211. 00429154 ExitThread KERNEL32
  212. 00429158 UnhandledExceptionFilter KERNEL32
  213. 0042915C CreateProcessA KERNEL32
  214. 00429160 DeleteCriticalSection KERNEL32
  215. 00429164 lstrcatA KERNEL32
  216. 00429168 IsValidLanguageGroup KERNEL32
  217. 0042916C GetStartupInfoA KERNEL32
  218. 00429170 FindFirstFileA KERNEL32
  219. 00429174 GetSystemTimeAsFileTime KERNEL32
  220. 00429178 SetStdHandle KERNEL32
  221. 0042917C GetStdHandle KERNEL32
  222.  
  223. //// garbage pattern used for obfuscating binary code..(repetitive)
  224.  
  225. .text:0040AD40 2D 3A BC E6 33 71 77 72 71 77 72 71 77 72 71 77 -:シ・qwrqwrqwrqw
  226. .text:0040AD50 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 rqwrqwrqwrqwrqwr
  227. .text:0040AD60 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 qwrqwrqwrqwrqwrq
  228. .text:0040AD70 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 wrqwrqwrqwrqwrqw
  229. .text:0040AD80 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 rqwrqwrqwrqwrqwr
  230. .text:0040AD90 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 qwrqwrqwrqwrqwrq
  231. .text:0040ADA0 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 wrqwrqwrqwrqwrqw
  232. .text:0040ADB0 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 rqwrqwrqwrqwrqwr
  233. .text:0040ADC0 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 qwrqwrqwrqwrqwrq
  234. : : : :
  235. .text:0040B440 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 rqwrqwrqwrqwrqwr
  236. .text:0040B450 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 qwrqwrqwrqwrqwrq
  237. .text:0040B460 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 wrqwrqwrqwrqwrqw
  238. .text:0040B470 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 rqwrqwrqwrqwrqwr
  239. .text:0040B480 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 qwrqwrqwrqwrqwrq
  240. .text:0040B490 77 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 wrqwrqwrqwrqwrqw
  241. .text:0040B4A0 72 71 77 72 71 77 72 71 77 72 71 77 72 71 77 72 rqwrqwrqwrqwrqwr
  242. .text:0040B4B0 71 77 72 71 77 72 71 77 72 71 3F 07 00 00 E1 07 qwrqwrqwrq?..・
  243.  
  244.  
  245. =========================
  246.  
  247. BEHAVIOUR ANALYSIS (A quicky)
  248.  
  249. =========================
  250.  
  251. // Files & Processes....
  252.  
  253. Sample is self deleted & self copied to:
  254. %AppData%\KB00927107.exe
  255.  
  256. Running process:
  257. %System%\cmd.exe" /c "%Temp%\exp1.tmp.bat""
  258. %Appdata%\KB00927107.exe
  259. |
  260. +--Code injections in the following processes...
  261. wscntfy.exe
  262. exp3.tmp.exe
  263.  
  264. // Agressive Network Trace:
  265.  
  266. HTTP requests...
  267. URL: http://188.120.226.30:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ (differ in every attempt..)
  268. TYPE: POST
  269. UA: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
  270.  
  271.  
  272. // Registry
  273.  
  274. //autostart...
  275. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run\KB00777165.exe:
  276. ""C:\Documents and Settings\rik\Application Data\KB00777165.exe""
  277.  
  278. // the parfeit config file in registry (bintext)
  279. HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows NT\SD5809E24\: 3C 73 65 74 7
  280. 2F 75 72 6C 3E 3C 75 72 6C 20 63 6F 6E 74 65 6E 74 54 79 70 65 3D 22 5E 74 65 78 74 2F 28 68 74 6D 6C 7C
  281. 74 6D 6C 7C 70 6C 61 69 6E 29 22 3E 2F 61 75 74 68 65 6E 74 69 63 61 74 69 6F 6E 2F 7A 62 66 2F 6B 2F 3C
  282. 3 61 73 68 6D 61 6E 2F 3C 2F 75 72 6C 3E 3C 75 72 6C 20 63 6F 6E 74 65 6E 74 54 79 70 65 3D 22 5E 74 65 7
  283. 70 65 3D 22 5E 74 65 78 74 2F 28 68 74 6D 6C 7C 70 6C 61 69 6E 29 22 3E 2F 63 6D 6D 61 69 6E 5C 2E 63 66
  284. :
  285. (etc)
  286.  
  287. ==============================
  288.  
  289. PAYLOAD/BINARY DETECTION RATIO ANALYSIS
  290.  
  291. ==============================
  292.  
  293. //VT scans:
  294.  
  295. SHA256: d18b3092907456fa96727bbe5cb24eb1e58777c473954a84bd2566cb2b0c81c0
  296. SHA1: 4c478e491b4c36770612efe781d74bbc67639192
  297. MD5: 8c25020ae092a27396cae4ff5a0a5085
  298. File size: 212.0 KB ( 217088 bytes )
  299. File name: 8c25020ae092a27396cae4ff5a0a5085
  300. File type: Win32 EXE
  301. Tags: peexe
  302. Detection ratio: 15 / 44
  303. Analysis date: 2012-12-20 08:34:28 UTC ( 1 day, 22 hours ago )
  304. URL: https://www.virustotal.com/latest-scan/d18b3092907456fa96727bbe5cb24eb1e58777c473954a84bd2566cb2b0c81c0
  305.  
  306. F-Secure : Gen:Variant.Kazy.128823
  307. GData : Gen:Variant.Kazy.128823
  308. VIPRE : Win32.Malware!Drop
  309. TrendMicro : TROJ_KRYPTIK.OSJ
  310. McAfee-GW-Edition : Artemis!8C25020AE092
  311. TrendMicro-HouseCall : TROJ_KRYPTIK.OSJ
  312. MicroWorld-eScan : Gen:Variant.Kazy.128823
  313. Avast : Win32:Crypt-OPM [Trj]
  314. Kaspersky : Trojan.Win32.Bublik.woq
  315. BitDefender : Gen:Variant.Kazy.128823
  316. McAfee : Artemis!8C25020AE092
  317. Malwarebytes : Spyware.Password
  318. Fortinet : W32/Bublik.WOQ!tr
  319. ESET-NOD32 : a variant of Win32/Kryptik.AQUE
  320. AVG : Generic30.BOYB
  321.  
  322. ----
  323. #MalwareMustDie | @unixfreaxjp
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!