G20_REPORT.HLP – PAYLOAD ANALYSIS
Today I will analyze the following file and its payload:
File Name: G20_REPORT.hlp
File Size: 140505 bytes
MD5: b7db936e928b774ace570805bd2f19fe
SHA1: d3ef504dd402ca9f61f09ee840b321978ec92cb2
AV: 12/43 (27.9%) VirusTotal
This file was posted at http://contagiodump.blogspot.com/ and downloaded here.
- When I opened this HLP file, I was greeted with the following message:

- This message may indicate that this file was not intended for a US target, but it is just a guess.
- I have actually never (I think) analyzed an HLP file before, but I figured they are similar to CHM files. So I set out to find a tool that would decompile the HLP file for me (for CHM files you would use hh.exe on your XP system).
- I downloaded a tool from HelpScribble: http://www.helpscribble.com/decompiler.html
- When I ran the tool against the HLP file, I received two files: a .HPJ file that contains some very suspicious strings but no payload, and a file named DATA with the following characteristics:
File Name: DATA
File Size: 131072 bytes
MD5: 7546d06dc3be174cf92a291b7e5b1c23
SHA1: 0d3ca4e316a826a294911dc72b428a8c104a2df8
- This DATA file looks to contain an obfuscated executable. Here is what this looks like with a hex viewer:
0000h: 87 90 5A CA C9 CA CA CA CE CA CA CA 35 35 CA CA ‡ZÊÉÊÊÊÎÊÊÊ55ÊÊ
0010h: 72 CA CA CA CA CA CA CA 8A CA CA CA CA CA CA CA rÊÊÊÊÊÊÊŠÊÊÊÊÊÊÊ
0020h: CA CA CA CA CA CA CA CA CA CA CA CA CA CA CA CA ÊÊÊÊÊÊÊÊÊÊÊÊÊÊÊÊ
0030h: CA CA CA CA CA CA CA CA CA CA CA CA 1A CA CA CA ÊÊÊÊÊÊÊÊÊÊÊÊ.ÊÊÊ
0040h: C4 D5 70 C4 CA 7E C3 07 EB 72 CB 86 07 EB 9E A2 ÄÕpÄÊ~Ã.ërˆ.랢
0050h: A3 B9 EA BA B8 A5 AD B8 AB A7 EA A9 AB A4 A4 A5 £¹êº¸¥¸«§ê©«¤¤¥
0060h: BE EA A8 AF EA B8 BF A4 EA A3 A4 EA 8E 85 99 EA ¾ê¨¯ê¸¿¤ê£¤êŽ…™ê
0070h: A7 A5 AE AF E4 C7 C7 C0 EE CA CA CA CA CA CA CA §¥®¯äÇÇÀîÊÊÊÊÊÊÊ
0080h: C7 AE D4 14 83 CF BA 47 83 CF BA 47 83 CF BA 47 Ç®Ô.ƒÏºGƒÏºGƒÏºG
0090h: 83 CF BB 47 8A CF BA 47 00 C7 E7 47 80 CF BA 47 ƒÏ»GŠÏºG.ÇçG€ÏºG
00A0h: 6B D0 B1 47 81 CF BA 47 3B C9 BC 47 82 CF BA 47 kбGϺG;ɼG‚ϺG
00B0h: 98 A3 A9 A2 83 CF BA 47 CA CA CA CA CA CA CA CA ˜£©¢ƒÏºGÊÊÊÊÊÊÊÊ
00C0h: CA CA CA CA CA CA CA CA CA CA CA CA CA CA CA CA ÊÊÊÊÊÊÊÊÊÊÊÊÊÊÊÊ
00D0h: 9A 8F CA CA 86 CB CE CA E5 0C 9A 86 CA CA CA CA šÊʆËÎÊå.š†ÊÊÊÊ
00E0h: CA CA CA CA 2A CA C5 CB C1 CB CC CA CA C8 CA CA ÊÊÊÊ*ÊÅËÁËÌÊÊÈÊÊ
00F0h: CA E8 CA CA CA CA CA CA CA DA CA CA CA DA CA CA ÊèÊÊÊÊÊÊÊÚÊÊÊÚÊÊ
0100h: CA EA CA CA CA CA 8A CA CA DA CA CA CA C8 CA CA ÊêÊÊÊÊŠÊÊÚÊÊÊÈÊÊ
0110h: CE CA CA CA CA CA CA CA CE CA CA CA CA CA CA CA ÎÊÊÊÊÊÊÊÎÊÊÊÊÊÊÊ
0120h: CA AA CA CA CA CE CA CA CA CA CA CA C8 CA CA CA ʪÊÊÊÎÊÊÊÊÊÊÈÊÊÊ
0130h: CA CA DA CA CA DA CA CA CA CA DA CA CA DA CA CA ÊÊÚÊÊÚÊÊÊÊÚÊÊÚÊÊ
0140h: CA CA CA CA DA CA CA CA CA CA CA CA CA CA CA CA ÊÊÊÊÚÊÊÊÊÊÊÊÊÊÊÊ
0150h: E2 EA CA CA E2 CA CA CA CA 8A CA CA 16 D7 CA CA âêÊÊâÊÊÊÊŠÊÊ.×ÊÊ
0160h: CA CA CA CA CA CA CA CA CA CA CA CA CA CA CA CA ÊÊÊÊÊÊÊÊÊÊÊÊÊÊÊÊ
0170h: CA CA CA CA CA CA CA CA CA CA CA CA CA CA CA CA ÊÊÊÊÊÊÊÊÊÊÊÊÊÊÊÊ
0180h: CA CA CA CA CA CA CA CA CA CA CA CA CA CA CA CA ÊÊÊÊÊÊÊÊÊÊÊÊÊÊÊÊ
- So, it is obvious that we are dealing with a one byte XOR key: 0xCA. The long runs of 0xCA sit exactly where a PE header has its zero padding, and the first two bytes, 87 90, XOR 0xCA to 4D 5A, i.e. the MZ signature.
- Once we XOR the data with 0xCA, we see an executable with the following characteristics:
File Name: File1.exe
File Size: 10240 bytes
MD5: 3c89b2258256582ded7cf9906d9c94ea
SHA1: 11056257e379721de5b465d4ec8a8b74a2892387
PE Time: 0x4C50C62F [Thu Jul 29 00:07:11 2010 UTC]
AV: 21/42 (50%) VirusTotal
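As an added example (my own script, not part of the original write-up): recovering the single-byte key from the dump above and validating the decoded PE header. The input is the first 14 rows of the hex listing transcribed into Python; the function names and the header-check approach are mine.

```python
import struct
from collections import Counter
from typing import Optional

# Bytes 0x000-0x0DF of DATA, transcribed from the first 14 rows of the
# hex dump in the write-up (they cover the DOS header, e_lfanew and the
# start of the COFF header, which is all the checks below need).
DATA_HEAD = bytes.fromhex(
    "87905ACAC9CACACACECACACA3535CACA" "72CACACACACACACA8ACACACACACACACA"
    "CACACACACACACACACACACACACACACACA" "CACACACACACACACACACACACA1ACACACA"
    "C4D570C4CA7EC307EB72CB8607EB9EA2" "A3B9EABAB8A5ADB8ABA7EAA9ABA4A4A5"
    "BEEAA8AFEAB8BFA4EAA3A4EA8E8599EA" "A7A5AEAFE4C7C7C0EECACACACACACACA"
    "C7AED41483CFBA4783CFBA4783CFBA47" "83CFBB478ACFBA4700C7E74780CFBA47"
    "6BD0B14781CFBA473BC9BC4782CFBA47" "98A3A9A283CFBA47CACACACACACACACA"
    "CACACACACACACACACACACACACACACACA" "9A8FCACA86CBCECAE50C9A86CACACACA"
)

def guess_xor_key(data: bytes) -> int:
    # A PE header is mostly zero padding, so the most frequent
    # ciphertext byte is almost always 0x00 ^ key.
    return Counter(data).most_common(1)[0][0]

def key_from_mz(data: bytes) -> Optional[int]:
    # Cross-check: a single key must turn the first two bytes into "MZ".
    key = data[0] ^ ord("M")
    return key if data[1] ^ key == ord("Z") else None

def xor_decode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def parse_pe_header(blob: bytes) -> dict:
    # Validate the DOS header, follow e_lfanew and read the COFF header
    # fields that identify the carved file (machine, sections, timestamp).
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, stamp = struct.unpack_from("<HHI", blob, e_lfanew + 4)
    return {"e_lfanew": e_lfanew, "machine": machine,
            "sections": nsections, "timestamp": stamp}

if __name__ == "__main__":
    key = guess_xor_key(DATA_HEAD)
    assert key == key_from_mz(DATA_HEAD)
    print(f"key=0x{key:02X}", parse_pe_header(xor_decode(DATA_HEAD, key)))
```

The decoded COFF timestamp comes out as 0x4C50C62F, the same PE Time listed above, which confirms both the key and the transcription.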
- The rest of the decrypted data appears to be junk data to me.
- The first chunk of it appears to be a partial executable file. This chunk is repeated 2-3 times.
- Some of the interesting strings in this partial executable are: Administra, baihongsoft, and 360Tray.exe.
- The rest of the data appears to be a small RTF file that is repeated several times.
- Some of the strings from this file are:
- Author: bruteforce
- Company: usa
- Operator: bruteforce
- OK, back to the interesting stuff. Let's execute File1.exe, which we carved out of the DATA file.
- When executed this file does the following:
- Creates a copy of itself: C:\WINDOWS\system32\sysnet.exe
- Entrenches itself in the registry as an ActiveX component under:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{04D762DA-1605-84E9-D6CE-A3E9E53AF8BC}
- StubPath: C:\WINDOWS\system32\sysnet.exe
- The Trojan launches an instance of iexplore.exe and injects its code into it:
- “C:\Program Files\Internet Explorer\IEXPLORE.EXE” -nohome
- Every time I see the behavior noted thus far, I think Poison Ivy RAT. The last piece of the puzzle for me to confirm my suspicion is the first beacon from the Trojan, which for Poison Ivy is typically 256 bytes of binary data.
- Indeed, this Trojan beacons to:
- www.microsoft.acmetoy.com over TCP port 80
- www.microsoft.instanthq.com over TCP port 443
- www.microsoft.proxydns.com over TCP port 1863
- And once a connection is established, it sends 256 bytes of data to the C2 node.
- The capability of Poison Ivy is very impressive, although because it has been around for a few years now, every AV vendor is familiar with it. I am surprised that 50% of them did not identify this file as malicious on VirusTotal.
- The functionality of Poison Ivy is well documented, but if you have never played with it before it is cool to give it a try.
- You can download it here (if you are going to do so please do so through a VM, and only use this tool in a VM):
- This tool allows you to both create a server file (i.e. the Trojan that is delivered to a target like sysnet.exe), and to use it as a client (i.e. what an intruder would have on the C2 node).
- So, if you open Poison Ivy 2.3.2 on another VM emulating your C2 node, and select Client mode, you can set the port and the password. Ah, we need to get the password that was configured with our sample.
- You can always try the default password: admin
- Many times the people creating these PI servers are too lazy to change the password.
- In our case password admin does not work.
- In order to get the password, all you need to do is to dump the memory of process iexplore.exe or just attach to it with a debugger to access its memory.
- Then run a search for something you know about the Trojan’s configuration, such as a domain name.
- On the first hit that you get, right above it you should see the password. Here is a screenshot from our sample:

- So, the password used in this sample is: admin@338.
- We can now configure our client:

- When the Trojan server (sysnet.exe) connects to our client, you will see a connection in your window:

- You can see how an attacker can handle multiple victims from this window.
- When you double-click on the connected victim, you will be able to see the power of this tool/Trojan.
- It still amazes me that a 10KB file can do so much:
