Fake Installer downloads PUP Backdoor

1. #MalwareMustDie - Fake Installer drops PUP Backdoor.
2. # 2014-05-02 13:06:40 | @unixfreaxjp
3.  
4. // Hint:
5.  
6. https://www.virustotal.com/en/ip-address/5.39.5.226/information/
7. http://urlquery.net/search.php?q=5.39.5.226&type=string&start=2011-06-25&end=2014-05-02&max=50
8.  
9. // URL:
10.  
11. http://dlp.procloudsvr3.com/4EHTX5KYU49ZDHwscT38XEJi6tq7n0jznJf_rmaMzCibzlRTvy7HyhYsHBZlm-hw1IqFSquT1VSezgSfwCwRbFwW5HHw-wnVSz5ya4ccE2K7zNB1mZd7QdfaiYCUPjs1
12. http://dlp.procloudsvr3.com/aOgRjb4gp2n4HvWFlVqTLrn6snO3Hn-ePTRjtgI7nAxFZ8uQclq757TRufvlW9QHAhmQO7UKeS2AGEPl9GHNDAT10sIVKmZt8A3mm-R3mdBtThveg8FktM4dkeNtaxZY
13. http://dlp.cloudsvr38.com/jmrRH5qz2zFU-p9rvlZnnzYC4-qW8Q-KMojSOpkPyZIgwB42YY9CTbV5rjQbnwawgPUmaDIuJ89DJ10cinqTiF9bnk3Kcvv8Aja2gsoF7xu-ChJ0GUAQQXasD3t5EiDe
14. http://dlp.cloudsvr36.com/A2c8U9C8ubRJZU3EAmGEMz39nAzmh17c9dj8lF4e1zyW4_rEYmKpBELXsRn_hb4o96UMobSYVh1FUD9FfpgRVyVMHoNpYAZAg_BRoB68qDnWK8_pflLMKCMQlv_6WxqF
15. http://dlp.cloudsvr36.com/0RbGL5gEYV2u6Y9bF5uhqOTUyINHr5OkHFGePCfE0OEyVOcbjLz4TKTof9Io3kRMIqr4Oht4ZqE8TDZWhN_Xq6svQjq041jo2cvo2WK8bleJ8omVAxmHFtPtYHxHa29F
16.  
17.  
18. // Fetch record...
19.  
20. --2014-05-02 12:43:07--  http://dlp.procloudsvr3.com/4EHTX5KYU49ZDHwscT38XEJi6tq7n0jznJf_rmaMzCibzlRTvy7HyhYsHBZlm-hw1IqFSquT1VSezgSfwCwRbFwW5HHw-wnVSz5ya4ccE2K7zNB1mZd7QdfaiYCUPjs1
21. Resolving dlp.procloudsvr3.com (dlp.procloudsvr3.com)... 178.32.29.116
22. Connecting to dlp.procloudsvr3.com (dlp.procloudsvr3.com)|178.32.29.116|:80... connected.
23. HTTP request sent, awaiting response... 200 OK
24. Length: 499032 (487K) [application/octet-stream]
25. Saving to: 'Setup.exe'
26. 2014-05-02 12:43:11 (208 KB/s) - 'Setup.exe' saved [499032/499032]
27.  
28.  
29. --2014-05-02 12:50:20--  http://dlp.procloudsvr3.com/aOgRjb4gp2n4HvWFlVqTLrn6snO3Hn-ePTRjtgI7nAxFZ8uQclq757TRufvlW9QHAhmQO7UKeS2AGEPl9GHNDAT10sIVKmZt8A3mm-R3mdBtThveg8FktM4dkeNtaxZY
30. Resolving dlp.procloudsvr3.com (dlp.procloudsvr3.com)... 5.39.40.131
31. Connecting to dlp.procloudsvr3.com (dlp.procloudsvr3.com)|5.39.40.131|:80... connected.
32. HTTP request sent, awaiting response... 200 OK
33. Length: 499040 (487K) [application/octet-stream]
34. Saving to: 'Setup.exe'
35. 2014-05-02 12:50:23 (229 KB/s) - 'Setup.exe' saved [499040/499040]
36.  
37. --2014-05-02 13:09:46--  http://dlp.cloudsvr38.com/jmrRH5qz2zFU-p9rvlZnnzYC4-qW8Q-KMojSOpkPyZIgwB42YY9CTbV5rjQbnwawgPUmaDIuJ89DJ10cinqTiF9bnk3Kcvv8Aja2gsoF7xu-ChJ0GUAQQXasD3t5EiDe
38. Resolving dlp.cloudsvr38.com (dlp.cloudsvr38.com)... 46.105.161.137
39. Connecting to dlp.cloudsvr38.com (dlp.cloudsvr38.com)|46.105.161.137|:80... connected.
40. HTTP request sent, awaiting response... 200 OK
41. Length: 319832 (312K) [application/octet-stream]
42. Saving to: 'Setup.exe'
43. 2014-05-02 13:09:48 (169 KB/s) - 'Setup.exe' saved [319832/319832]
44.  
45.  
46.  
47. // Debug
48.  
49. GET /4EHTX5KYU49ZDHwscT38XEJi6tq7n0jznJf_rmaMzCibzlRTvy7HyhYsHBZlm-hw1IqFSquT1VSezgSfwCwRbFwW5HHw-wnVSz5ya4ccE2K7zNB1mZd7QdfaiYCUPjs1 HTTP/1.1
50. Accept: */*
51. Host: dlp.procloudsvr3.com
52. Connection: Keep-Alive
53. HTTP request sent, awaiting response...
54.  
55. HTTP/1.1 200 OK
56. Server: nginx
57. Date: Fri, 02 May 2014 04:03:24 GMT
58. Content-Type: application/octet-stream
59. Content-Length: 499032
60. Connection: keep-alive
61. Vary: Accept-Language, Cookie
62. Content-Language: en
63. Content-Disposition: filename=Setup.exe
64.  
65. 200 OK
66. Registered socket 3 for persistent reuse.
67. Length: 499032 (487K) [application/octet-stream]
68. Saving to: 'Setup.exe'
69. 100%[====================>] 499,032      197KB/s   in 2.5s
70. 2014-05-02 13:03:27 (197 KB/s) - 'Setup.exe' saved [499032/499032]
71.  
72.  
73. // Full session:
74.  
75. --2014-05-02 13:06:38--  http://dlp.cloudsvr38.com/jmrRH5qz2zFU-p9rvlZnnzYC4-qW8Q-KMojSOpkPyZIgwB42YY9CTbV5rjQbnwawgPUmaDIuJ89DJ10cinqTiF9bnk3Kcvv8Aja2gsoF7xu-ChJ0GUAQQXasD3t5EiDe
76. Resolving dlp.cloudsvr38.com (dlp.cloudsvr38.com)... 54.200.252.181
77. Caching dlp.cloudsvr38.com => 54.200.252.181
78. Connecting to dlp.cloudsvr38.com (dlp.cloudsvr38.com)|54.200.252.181|:80... connected.
79.  
80. GET /jmrRH5qz2zFU-p9rvlZnnzYC4-qW8Q-KMojSOpkPyZIgwB42YY9CTbV5rjQbnwawgPUmaDIuJ89DJ10cinqTiF9bnk3Kcvv8Aja2gsoF7xu-ChJ0GUAQQXasD3t5EiDe HTTP/1.1
81. Accept: */*
82. Host: dlp.cloudsvr38.com
83. Connection: Keep-Alive
84. HTTP request sent, awaiting response...
85.  
86. HTTP/1.1 200 OK
87. Content-Disposition: filename=Setup.exe
88. Content-Language: en
89. Content-Type: application/octet-stream
90. Date: Fri, 02 May 2014 04:06:39 GMT
91. Server: nginx
92. Vary: Accept-Language, Cookie
93. Content-Length: 499032
94. Connection: keep-alive
95.  
96. 200 OK
97. Length: 499032 (487K) [application/octet-stream]
98. Saving to: 'Setup.exe'
99. 100%[=========>] 499,032      436KB/s   in 1.1s
100. 2014-05-02 13:06:40 (436 KB/s) - 'Setup.exe' saved [499032/499032]
101.  
102.  
103.  
104. // Cloud DNS
105.  
106. ;; QUESTION SECTION:
107. ;dlp.procloudsvr3.com.          IN      A
108.  
109. ;; ANSWER SECTION:
110. dlp.procloudsvr3.com.   332     IN      CNAME   dlpr3.tgusrv.com.
111. dlpr3.tgusrv.com.       12      IN      A       54.200.252.181    
112.                      /* ↑Short TTL*/
113.  
114. // RoundRobin IP
115.  
116. $ while true; do dig +short dlpr3.tgusrv.com A; sleep 2; done
117. 37.59.93.34
118. 5.135.66.83
119. 176.31.87.147
120. 54.200.252.181
121. 176.31.87.147
122. 54.200.252.181
123. 5.39.40.131
124. 5.39.5.226
125. ^C
126.  
127.  
128. // There are two download payloads:
129.  
130. Setup.exe
131. https://www.virustotal.com/en/file/92d8677c6a4e7508edd9f96a1cae539b324bd1d3a4894d242b0bef941f4c9c25/analysis/1399007797/
132. Setup2.exe
133. https://www.virustotal.com/en/file/ee41130e11711ccb480ca8377f130be1c114d40e2eba48d48acd4900e4b64ae7/analysis/1399007809/
134.  
135. // And both are dropping this PE:
136. Android.exe / Apk_Setup.exe
137. https://www.virustotal.com/en/file/5d4c7345e36592ec207055ca7eb51c8805cddea9e2b70eb4b7ba2966678e7bc9/analysis/1399007997/
138.  
139. //Verdict Evidence:
140. https://lh6.googleusercontent.com/-F72SeYsUzvY/U2MxkxIvGxI/AAAAAAAAPjw/7lqFjd-whGo/s1024/A1000101.png
141. https://lh5.googleusercontent.com/-1kLFi8UaZh8/U2Mxk7fi4ZI/AAAAAAAAPjs/_dEMPrSe_E4/s1024/A2000101.png
142.  
143. // Which is having these badness:
144.  
145. // drops
146. C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\nso2.tmp (successful)
147. C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\android\android.exe (successful)
148. C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\android\android.exe.config (successful)
149. C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\android\Newtonsoft.Json.dll (successful)
150. C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\android\SQLite.Interop.dll (successful)
151. C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\android\System.Data.SQLite.dll (successful)
152.  
153. // Spawn process of its own & daemonized..
154. C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\android\android.exe (successful)
155. https://jbxcloud.joesecurity.org/index.php/analysis/43101/0/html
156.  
157. // Loading config for HTTP communication (backdoor)
158. <?xml version="1.0"?>
159. <configuration>
160.   <appSettings>
161.     <add key="UseElevatedPermissions" value="0" />
162.   </appSettings>
163.   <system.net>
164.     <settings>
165.       <httpWebRequest useUnsafeHeaderParsing="true"/>
166.     </settings>
167.   </system.net>
168.   <system.web>
169.     <httpRuntime maxRequestLength="19000"/>
170.     <webServices>
171.       <protocols>
172.         <add name="HttpGet"/>
173.         <add name="HttpPost"/>
174.       </protocols>
175.     </webServices>
176.   </system.web>
177.  
178.   <startup useLegacyV2RuntimeActivationPolicy="true">
179.     <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0,Profile=Client"/>
180.     <supportedRuntime version="v2.0.50727"/>
181.   </startup>
182.   <runtime>
183.     <NetFx40_LegacySecurityPolicy enabled="true"/>
184.   </runtime>
185. </configuration>
186.  
187. ---
188. #MalwareMustdie!