Example of Multiple Stages Dropper
While some malware samples remain simple (see my previous diary[1]), others take more care to get their malicious files onto the victim's computer without raising alarms. Here is a nice example that my spam trap captured a few days ago. The mail looks like a classic phishing attempt:
From: admintmseals@telkomsa.net
To: [redacted]
Subject: New Catalogue #2017
Date: 14 Mar 2017 03:12:51 -0700

Dear,
FYI! Please submit the file to me asap. Thank you.
Best Regards
Rachel Lo
Ufficio Commerciale
Vimin Box S.r.l.
Via Emanuele T. D'Azeglio, 2
12030 Lagnasco - CUNEO - ITALY
Tel. +39 0175 282082-3
Fax +39 0175282059
P. Iva 02281230041
There was a file attached to this email: a RAR archive "Catalogue Request.rar" (MD5: 9556abef02749c65eba8acf80c83598a). The archive contained a PE file "Catalogue Request.exe" (MD5: 913858642d0f28cef3736519d6a50ea6). When the file was first submitted to VT, it got a nice score of 8/58! When executed, the malicious PE dropped three artefacts on the victim's computer:
%USERPROFILE%\9arfG4Fhjq\x (MD5: 4a137d468520bf7257a1744500c8c69d)
%USERPROFILE%\9arfG4Fhjq\8ybl.dll (MD5: ec97baff7339df00b036d5b77b3f04f5)
%USERPROFILE%\9arfG4Fhjq\l7xauv.vbs (MD5: b49fd655fdbf4846453716c70929a396)
Note: the directory and file names are not generated randomly. I executed the sample in multiple environments and it always created the same files, which makes these paths usable as indicators. Once the files have been dropped on disk, the dropper executes the VBS script via wscript.exe:
' Shell.Application.ShellExecute launches rundll32 with the dropped DLL and the entry point to call
Set a9arfG4Fhjq = CreateObject("Shell.Application"):a9arfG4Fhjq.ShellExecute "rundll32","8ylb.dll ab1ksnp"
During execution, another VBS file is created in C:\9arfG4Fhjq9arfG4Fhjq (MD5: b82a33bd326050d4587eda1855a41223) and a RunOnce registry key is created to execute it at the next reboot. However, the process crashed in my sandbox and the malware installation was not successful.
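The execution chain above (a script host launching rundll32 with a DLL that lives in the user profile) is easy to spot in process-creation telemetry. The following is an added example, not tooling from the diary: it evaluates constructed process-creation records whose field names (Image, CommandLine, ParentImage, CurrentDirectory) follow Sysmon event ID 1, which is an assumption to adapt to your own telemetry. The set of script hosts and the user-writable path pattern are assumptions as well.

```python
"""Added example (not the diary's own tooling): flag the execution chain the
dropper uses, a script host (wscript.exe) launching rundll32 with a DLL that
lives in a user-writable directory, over process-creation records.

The records are constructed for this example; their field names follow
Sysmon event ID 1 and are an assumption: adapt them to your telemetry.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Paths an unprivileged user can write to. Assumption about the host layout;
# extend with %TEMP%, %APPDATA%, %PROGRAMDATA% subtrees as needed.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)


def rundll32_dll(cmdline: str, cwd: str):
    """Absolute path of the DLL rundll32 will load for this command line, or
    None if this is not a rundll32 invocation. Accepts both '<dll>,<entry>'
    and '<dll> <entry>' forms; a relative DLL name is resolved against the
    process's working directory, which is how the dropper's bare
    '8ylb.dll' argument ends up pointing into %USERPROFILE%\\9arfG4Fhjq."""
    tokens = cmdline.split(None, 1)
    if not tokens:
        return None
    image = ntpath.basename(tokens[0].strip('"')).lower()
    if image not in ("rundll32", "rundll32.exe") or len(tokens) < 2:
        return None
    arg = tokens[1].strip()
    if arg.startswith('"'):                      # quoted path, may contain spaces
        end = arg.find('"', 1)
        dll = arg[1:end if end > 0 else None]
    else:
        dll = re.split(r"[,\s]", arg, maxsplit=1)[0]
    if not ntpath.isabs(dll):
        dll = ntpath.join(cwd, dll)
    return ntpath.normpath(dll)


def assess(event: dict) -> list:
    """Reasons this process-creation event matches the dropper's rundll32
    stage; an empty list means no match. Both reasons together reproduce
    the chain seen in the diary."""
    reasons = []
    dll = rundll32_dll(event["CommandLine"], event.get("CurrentDirectory", "C:\\"))
    if dll is None:
        return reasons
    if ntpath.basename(event["ParentImage"]).lower() in SCRIPT_HOSTS:
        reasons.append("rundll32 spawned by a script host")
    if USER_WRITABLE.match(dll):
        reasons.append("DLL loaded from a user-writable directory: " + dll)
    return reasons


# Constructed records: the diary's chain, and a benign Control Panel launch.
EVENTS = [
    {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": "rundll32 8ylb.dll ab1ksnp",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CurrentDirectory": r"C:\Users\victim\9arfG4Fhjq",
    },
    {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": r"C:\Users\victim",
    },
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["CommandLine"], "->", assess(ev) or "clean")
```

Resolving the relative DLL name against the working directory is the important step: the command line alone ("rundll32 8ylb.dll ab1ksnp") says nothing about where the DLL lives, and a rule that only inspects the command line would miss it.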
The file 'x' looked suspicious. It is a rogue BMP image file:
$ file x
x: PC bitmap, Windows 3.x format, 882 x 562 x 24
If you display it, it looks suspicious:

Thanks to Adam[2] on the rem-alumni mailing list, the file was analyzed further and, guess what, it contains another malicious PE file:
$ hexdump -C x.bmp|head -20
00000000  42 4d 66 b5 16 00 00 00  00 00 36 00 00 00 28 00  |BMf.......6...(.|
00000010  00 00 72 03 00 00 32 02  00 00 01 00 18 00 00 00  |..r...2.........|
00000020  00 00 30 b5 16 00 c4 0e  00 00 c4 0e 00 00 00 00  |..0.............|
00000030  00 00 00 00 00 00 ff ff  ff ff ff ff ff ff ff ff  |................|
00000040  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000120  ff 6d 65 67 61 70 65 73  74 72 63 2c 35 71 52 23  |.megapestrc,5qR#|
00000130  51 7f 79 66 21 76 9a 8e  50 23 e9 7f 7d 66 2e 76  |Q.yf!v..P#..}f.v|
00000140  65 71 10 23 4b 7f 7d 66  2e 76 65 71 50 23 51 7f  |eq.#K.}f.veqP#Q.|
00000150  7d 66 2e 76 65 71 50 23  51 7f 7d 66 2e 76 65 71  |}f.veqP#Q.}f.veq|
00000160  50 23 51 7f 7d 66 2e 77  65 71 ea 33 51 71 62 d2  |P#Q.}f.weq.3Qqb.|
00000170  27 bb 44 c9 51 6f 9c 5e  ed f6 7a 1e 0c 02 70 53  |'.D.Qo.^..z...pS|
00000180  23 10 1a 14 4f 1b 45 1c  25 50 25 5f 1f 03 0e 04  |#...O.E.%P%_....|
00000190  10 1f 70 56 3f 1b 18 14  0e 21 0c 1f 63 11 5c 75  |..pV?....!..c.\u|
000001a0  59 51 2e 76 65 71 50 23  51 7f 7d 66 2e 76 65 71  |YQ.veqP#Q.}f.veq|
000001b0  50 23 51 7f 7d 66 2e 76  65 71 50 23 51 7f 7d 66  |P#Q.}f.veqP#Q.}f|
000001c0  2e 76 65 71 50 23 51 7f  7d 66 2e 76 65 71 50 23  |.veqP#Q.}f.veqP#|
000001d0  51 7f 7d 66 2e 76 65 71  50 23 51 7f 7d 66 2e 76  |Q.}f.veqP#Q.}f.v|
000001e0  65 71 50 23 51 7f 7d 66  2e 76 65 71 50 23 51 7f  |eqP#Q.}f.veqP#Q.|
000001f0  7d 66 2e 76 65 71 50 23  51 7f 7d 66 2e 76 65 71  |}f.veqP#Q.}f.veq|
We clearly see a repeated 10-byte sequence. Laid out in rows of 10 bytes (starting at offset 0x120), the period is obvious:
ff 6d 65 67 61 70 65 73 74 72
63 2c 35 71 52 23 51 7f 79 66
21 76 9a 8e 50 23 e9 7f 7d 66
2e 76 65 71 10 23 4b 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 77 65 71 ea 33 51 71 62 d2
27 bb 44 c9 51 6f 9c 5e ed f6
7a 1e 0c 02 70 53 23 10 1a 14
4f 1b 45 1c 25 50 25 5f 1f 03
0e 04 10 1f 70 56 3f 1b 18 14
0e 21 0c 1f 63 11 5c 75 59 51
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76
This is the classic signature of a repeating-key XOR: wherever the plaintext is a run of null bytes (a PE header contains plenty of them), the ciphertext is the key itself, so the rows that consist of nothing but the repeated sequence give the key away.
The file is XOR'd with the following 10-byte key: 2e 76 65 71 50 23 51 7f 7d 66. Once decoded, we have a PE file packed with UPX (MD5: a9bc758fe544e229884eb3e0df483677). The final, unpacked file is a classic Fareit trojan (MD5: 03c5ac152126ff6d007c36789d9d3812). It communicates with the following C2:
hxxp://23.249.166.175/star/gate.php
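The key recovery and the carving of the embedded PE can be reproduced from the bytes shown in the hexdump alone. The following is an added example, not the diary's own tooling: it transcribes offsets 0x120-0x1ff of x.bmp from the dump above, recovers the key as the most frequent 10-byte window (the key length is taken from the diary; for an unknown length one would try candidate lengths in turn), fixes the key's phase by looking for a decoded MZ header with a sane e_lfanew, and decodes what is available. The decoded bytes start with the "MZP" DOS stub and its "This program must be run under Win32" message, which confirms the key the diary gives; on the real file the same code carves the complete payload.

```python
"""Added example (not the diary's own tooling): recover the repeating XOR key
from the rogue BMP 'x' and locate the embedded PE, using only the bytes shown
in the diary's hexdump (offsets 0x120-0x1ff, transcribed below). The full file
is not reproduced on the page, so only the start of the PE can be decoded.
"""
import struct
from collections import Counter

DUMP_BASE = 0x120   # file offset of the first byte below
DUMP = bytes.fromhex(
    "ff 6d 65 67 61 70 65 73 74 72 63 2c 35 71 52 23 "
    "51 7f 79 66 21 76 9a 8e 50 23 e9 7f 7d 66 2e 76 "
    "65 71 10 23 4b 7f 7d 66 2e 76 65 71 50 23 51 7f "
    "7d 66 2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71 "
    "50 23 51 7f 7d 66 2e 77 65 71 ea 33 51 71 62 d2 "
    "27 bb 44 c9 51 6f 9c 5e ed f6 7a 1e 0c 02 70 53 "
    "23 10 1a 14 4f 1b 45 1c 25 50 25 5f 1f 03 0e 04 "
    "10 1f 70 56 3f 1b 18 14 0e 21 0c 1f 63 11 5c 75 "
    "59 51 2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71 "
    "50 23 51 7f 7d 66 2e 76 65 71 50 23 51 7f 7d 66 "
    "2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71 50 23 "
    "51 7f 7d 66 2e 76 65 71 50 23 51 7f 7d 66 2e 76 "
    "65 71 50 23 51 7f 7d 66 2e 76 65 71 50 23 51 7f "
    "7d 66 2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71 "
)
DIARY_KEY = bytes.fromhex("2e 76 65 71 50 23 51 7f 7d 66")   # key stated in the diary


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR with key[0] applied to data[0]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def most_common_window(data: bytes, keylen: int) -> bytes:
    """The most frequent keylen-byte window of the ciphertext. Wherever the
    plaintext is a run of null bytes (PE headers are full of them) the
    ciphertext is the key itself, so the result is the key up to rotation."""
    windows = Counter(data[i:i + keylen] for i in range(len(data) - keylen + 1))
    return windows.most_common(1)[0][0]


def locate_pe(data: bytes, keylen: int):
    """Find (offset, key) such that xor_decode(data[offset:], key) starts with
    an MZ header whose e_lfanew looks sane. Every rotation of the recovered
    window is tried, so the key phase never has to be guessed. None if no
    candidate is found."""
    window = most_common_window(data, keylen)
    for r in range(keylen):
        key = window[r:] + window[:r]
        for off in range(len(data) - 0x40):
            head = xor_decode(data[off:off + 0x40], key)
            if head[:2] != b"MZ":
                continue
            e_lfanew = struct.unpack_from("<I", head, 0x3c)[0]
            if 0x40 <= e_lfanew <= 0x1000:   # PE header must follow the DOS stub closely
                return off, key
    return None


def carve(data: bytes = DUMP, base: int = DUMP_BASE, keylen: int = 10) -> dict:
    """Decode the embedded PE: reports the file offset it starts at, the key,
    and the decoded bytes that are available."""
    found = locate_pe(data, keylen)
    if found is None:
        raise ValueError("no XOR-encoded MZ header found")
    off, key = found
    return {"file_offset": base + off, "key": key, "pe": xor_decode(data[off:], key)}


if __name__ == "__main__":
    res = carve()
    print("PE starts at file offset 0x%x, key %s" % (res["file_offset"], res["key"].hex()))
    print(res["pe"][:0x80])
```

The frequency count alone only yields the key up to rotation, because every rotation of the key appears in a long run of nulls. Anchoring the phase on the decoded MZ header (here at file offset 0x12a, with e_lfanew 0x100) removes that ambiguity and at the same time tells you where to start carving.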
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant