SHARE
TWEET

Fake Installer downloads PUP Backdoor

MalwareMustDie May 2nd, 2014 255 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #MalwareMustDie - Fake Installer drops PUP Backdoor.
  2. # 2014-05-02 13:06:40 | @unixfreaxjp
  3.  
  4. // Hint:
  5.  
  6. https://www.virustotal.com/en/ip-address/5.39.5.226/information/
  7. http://urlquery.net/search.php?q=5.39.5.226&type=string&start=2011-06-25&end=2014-05-02&max=50
  8.  
  9. // URL:
  10.  
  11. http://dlp.procloudsvr3.com/4EHTX5KYU49ZDHwscT38XEJi6tq7n0jznJf_rmaMzCibzlRTvy7HyhYsHBZlm-hw1IqFSquT1VSezgSfwCwRbFwW5HHw-wnVSz5ya4ccE2K7zNB1mZd7QdfaiYCUPjs1
  12. http://dlp.procloudsvr3.com/aOgRjb4gp2n4HvWFlVqTLrn6snO3Hn-ePTRjtgI7nAxFZ8uQclq757TRufvlW9QHAhmQO7UKeS2AGEPl9GHNDAT10sIVKmZt8A3mm-R3mdBtThveg8FktM4dkeNtaxZY
  13. http://dlp.cloudsvr38.com/jmrRH5qz2zFU-p9rvlZnnzYC4-qW8Q-KMojSOpkPyZIgwB42YY9CTbV5rjQbnwawgPUmaDIuJ89DJ10cinqTiF9bnk3Kcvv8Aja2gsoF7xu-ChJ0GUAQQXasD3t5EiDe
  14. http://dlp.cloudsvr36.com/A2c8U9C8ubRJZU3EAmGEMz39nAzmh17c9dj8lF4e1zyW4_rEYmKpBELXsRn_hb4o96UMobSYVh1FUD9FfpgRVyVMHoNpYAZAg_BRoB68qDnWK8_pflLMKCMQlv_6WxqF
  15. http://dlp.cloudsvr36.com/0RbGL5gEYV2u6Y9bF5uhqOTUyINHr5OkHFGePCfE0OEyVOcbjLz4TKTof9Io3kRMIqr4Oht4ZqE8TDZWhN_Xq6svQjq041jo2cvo2WK8bleJ8omVAxmHFtPtYHxHa29F
  16.  
  17.  
  18. // Fetch record...
  19.  
  20. --2014-05-02 12:43:07--  http://dlp.procloudsvr3.com/4EHTX5KYU49ZDHwscT38XEJi6tq7n0jznJf_rmaMzCibzlRTvy7HyhYsHBZlm-hw1IqFSquT1VSezgSfwCwRbFwW5HHw-wnVSz5ya4ccE2K7zNB1mZd7QdfaiYCUPjs1
  21. Resolving dlp.procloudsvr3.com (dlp.procloudsvr3.com)... 178.32.29.116
  22. Connecting to dlp.procloudsvr3.com (dlp.procloudsvr3.com)|178.32.29.116|:80... connected.
  23. HTTP request sent, awaiting response... 200 OK
  24. Length: 499032 (487K) [application/octet-stream]
  25. Saving to: 'Setup.exe'
  26. 2014-05-02 12:43:11 (208 KB/s) - 'Setup.exe' saved [499032/499032]
  27.  
  28.  
  29. --2014-05-02 12:50:20--  http://dlp.procloudsvr3.com/aOgRjb4gp2n4HvWFlVqTLrn6snO3Hn-ePTRjtgI7nAxFZ8uQclq757TRufvlW9QHAhmQO7UKeS2AGEPl9GHNDAT10sIVKmZt8A3mm-R3mdBtThveg8FktM4dkeNtaxZY
  30. Resolving dlp.procloudsvr3.com (dlp.procloudsvr3.com)... 5.39.40.131
  31. Connecting to dlp.procloudsvr3.com (dlp.procloudsvr3.com)|5.39.40.131|:80... connected.
  32. HTTP request sent, awaiting response... 200 OK
  33. Length: 499040 (487K) [application/octet-stream]
  34. Saving to: 'Setup.exe'
  35. 2014-05-02 12:50:23 (229 KB/s) - 'Setup.exe' saved [499040/499040]
  36.  
  37. --2014-05-02 13:09:46--  http://dlp.cloudsvr38.com/jmrRH5qz2zFU-p9rvlZnnzYC4-qW8Q-KMojSOpkPyZIgwB42YY9CTbV5rjQbnwawgPUmaDIuJ89DJ10cinqTiF9bnk3Kcvv8Aja2gsoF7xu-ChJ0GUAQQXasD3t5EiDe
  38. Resolving dlp.cloudsvr38.com (dlp.cloudsvr38.com)... 46.105.161.137
  39. Connecting to dlp.cloudsvr38.com (dlp.cloudsvr38.com)|46.105.161.137|:80... connected.
  40. HTTP request sent, awaiting response... 200 OK
  41. Length: 319832 (312K) [application/octet-stream]
  42. Saving to: 'Setup.exe'
  43. 2014-05-02 13:09:48 (169 KB/s) - 'Setup.exe' saved [319832/319832]
  44.  
  45.  
  46.  
  47. // Debug
  48.  
  49. GET /4EHTX5KYU49ZDHwscT38XEJi6tq7n0jznJf_rmaMzCibzlRTvy7HyhYsHBZlm-hw1IqFSquT1VSezgSfwCwRbFwW5HHw-wnVSz5ya4ccE2K7zNB1mZd7QdfaiYCUPjs1 HTTP/1.1
  50. Accept: */*
  51. Host: dlp.procloudsvr3.com
  52. Connection: Keep-Alive
  53. HTTP request sent, awaiting response...
  54.  
  55. HTTP/1.1 200 OK
  56. Server: nginx
  57. Date: Fri, 02 May 2014 04:03:24 GMT
  58. Content-Type: application/octet-stream
  59. Content-Length: 499032
  60. Connection: keep-alive
  61. Vary: Accept-Language, Cookie
  62. Content-Language: en
  63. Content-Disposition: filename=Setup.exe
  64.  
  65. 200 OK
  66. Registered socket 3 for persistent reuse.
  67. Length: 499032 (487K) [application/octet-stream]
  68. Saving to: 'Setup.exe'
  69. 100%[====================>] 499,032      197KB/s   in 2.5s
  70. 2014-05-02 13:03:27 (197 KB/s) - 'Setup.exe' saved [499032/499032]
  71.  
  72.  
  73. // Full session:
  74.  
  75. --2014-05-02 13:06:38--  http://dlp.cloudsvr38.com/jmrRH5qz2zFU-p9rvlZnnzYC4-qW8Q-KMojSOpkPyZIgwB42YY9CTbV5rjQbnwawgPUmaDIuJ89DJ10cinqTiF9bnk3Kcvv8Aja2gsoF7xu-ChJ0GUAQQXasD3t5EiDe
  76. Resolving dlp.cloudsvr38.com (dlp.cloudsvr38.com)... 54.200.252.181
  77. Caching dlp.cloudsvr38.com => 54.200.252.181
  78. Connecting to dlp.cloudsvr38.com (dlp.cloudsvr38.com)|54.200.252.181|:80... connected.
  79.  
  80. GET /jmrRH5qz2zFU-p9rvlZnnzYC4-qW8Q-KMojSOpkPyZIgwB42YY9CTbV5rjQbnwawgPUmaDIuJ89DJ10cinqTiF9bnk3Kcvv8Aja2gsoF7xu-ChJ0GUAQQXasD3t5EiDe HTTP/1.1
  81. Accept: */*
  82. Host: dlp.cloudsvr38.com
  83. Connection: Keep-Alive
  84. HTTP request sent, awaiting response...
  85.  
  86. HTTP/1.1 200 OK
  87. Content-Disposition: filename=Setup.exe
  88. Content-Language: en
  89. Content-Type: application/octet-stream
  90. Date: Fri, 02 May 2014 04:06:39 GMT
  91. Server: nginx
  92. Vary: Accept-Language, Cookie
  93. Content-Length: 499032
  94. Connection: keep-alive
  95.  
  96. 200 OK
  97. Length: 499032 (487K) [application/octet-stream]
  98. Saving to: 'Setup.exe'
  99. 100%[=========>] 499,032      436KB/s   in 1.1s
  100. 2014-05-02 13:06:40 (436 KB/s) - 'Setup.exe' saved [499032/499032]
  101.  
  102.  
  103.  
  104. // Cloud DNS
  105.  
  106. ;; QUESTION SECTION:
  107. ;dlp.procloudsvr3.com.          IN      A
  108.  
  109. ;; ANSWER SECTION:
  110. dlp.procloudsvr3.com.   332     IN      CNAME   dlpr3.tgusrv.com.
  111. dlpr3.tgusrv.com.       12      IN      A       54.200.252.181    
  112.                      /* ↑Short TTL*/
  113.  
  114. // RoundRobin IP
  115.  
  116. $ while true; do dig +short dlpr3.tgusrv.com A; sleep 2; done
  117. 37.59.93.34
  118. 5.135.66.83
  119. 176.31.87.147
  120. 54.200.252.181
  121. 176.31.87.147
  122. 54.200.252.181
  123. 5.39.40.131
  124. 5.39.5.226
  125. ^C
  126.  
  127.  
  128. // There are two download payloads:
  129.  
  130. Setup.exe
  131. https://www.virustotal.com/en/file/92d8677c6a4e7508edd9f96a1cae539b324bd1d3a4894d242b0bef941f4c9c25/analysis/1399007797/
  132. Setup2.exe
  133. https://www.virustotal.com/en/file/ee41130e11711ccb480ca8377f130be1c114d40e2eba48d48acd4900e4b64ae7/analysis/1399007809/
  134.  
  135. // And both are dropping this PE:
  136. Android.exe / Apk_Setup.exe
  137. https://www.virustotal.com/en/file/5d4c7345e36592ec207055ca7eb51c8805cddea9e2b70eb4b7ba2966678e7bc9/analysis/1399007997/
  138.  
  139. //Verdict Evidence:
  140. https://lh6.googleusercontent.com/-F72SeYsUzvY/U2MxkxIvGxI/AAAAAAAAPjw/7lqFjd-whGo/s1024/A1000101.png
  141. https://lh5.googleusercontent.com/-1kLFi8UaZh8/U2Mxk7fi4ZI/AAAAAAAAPjs/_dEMPrSe_E4/s1024/A2000101.png
  142.  
  143. // Which is having these badness:
  144.  
  145. // drops
  146. C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\nso2.tmp (successful)
  147. C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\android\android.exe (successful)
  148. C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\android\android.exe.config (successful)
  149. C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\android\Newtonsoft.Json.dll (successful)
  150. C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\android\SQLite.Interop.dll (successful)
  151. C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\android\System.Data.SQLite.dll (successful)
  152.  
  153. // Spawn process of its own & daemonized..
  154. C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\android\android.exe (successful)
  155. https://jbxcloud.joesecurity.org/index.php/analysis/43101/0/html
  156.  
  157. // Loading config for HTTP communication (backdoor)
  158. <?xml version="1.0"?>
  159. <configuration>
  160.   <appSettings>
  161.     <add key="UseElevatedPermissions" value="0" />
  162.   </appSettings>
  163.   <system.net>
  164.     <settings>
  165.       <httpWebRequest useUnsafeHeaderParsing="true"/>
  166.     </settings>
  167.   </system.net>
  168.   <system.web>
  169.     <httpRuntime maxRequestLength="19000"/>
  170.     <webServices>
  171.       <protocols>
  172.         <add name="HttpGet"/>
  173.         <add name="HttpPost"/>
  174.       </protocols>
  175.     </webServices>
  176.   </system.web>
  177.  
  178.   <startup useLegacyV2RuntimeActivationPolicy="true">
  179.     <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0,Profile=Client"/>
  180.     <supportedRuntime version="v2.0.50727"/>
  181.   </startup>
  182.   <runtime>
  183.     <NetFx40_LegacySecurityPolicy enabled="true"/>
  184.   </runtime>
  185. </configuration>
  186.  
  187. ---
  188. #MalwareMustdie!
RAW Paste Data
Top