My next class:

Example of Multiple Stages Dropper

Published: 2017-03-18. Last Updated: 2017-03-18 06:42:17 UTC
by Xavier Mertens (Version: 1)
3 comment(s)
If some malware samples remain simple (see my previous diary[1]), others try to install malicious files in a smooth way to the victim computers. Here is a nice example that my spam trap captured a few days ago. The mail looks like a classic phishing attempt:
From: admintmseals@telkomsa.net
To: [redacted]
Subject: New Catalogue #2017
Date: 14 Mar 2017 03:12:51 -0700

Dear,

FYI!
Please submit the file to me asap.
Thank you.

Best Regards
Rachel Lo

Ufficio Commerciale
Vimin Box S.r.l.
Via Emanuele T. D'Azeglio, 2
12030 Lagnasco - CUNEO - ITALY
Tel. +39 0175 282082-3   Fax +39 0175282059
P. Iva 02281230041
There was a file attached to this email. A RAR archive “Catalogue Request.rar" (MD5: 9556abef02749c65eba8acf80c83598a). The archive contained a PE file "Catalogue Request.exe” (MD5: 913858642d0f28cef3736519d6a50ea6). When the file was submitted to VT for the first time, it got a nice score of 8/58! When executed, the malicious PE dropped three artefacts on the victim’s computer:
%USERPROFILE%\9arfG4Fhjq\x (MD5: 4a137d468520bf7257a1744500c8c69d)
%USERPROFILE%9arfG4Fhjq\8ybl.dll (MD5: ec97baff7339df00b036d5b77b3f04f5)
%USERPROFILE%\9arfG4Fhjq\l7xauv.vbs (MD5: b49fd655fdbf4846453716c70929a396)
Note: the directory and files are not generated randomly. I executed the sample in multiple environments and it always created the same files. Once files have been dropped on the disk, it executes the first .vbs by launching a wscript.exe:
Set a9arfG4Fhjq = CreateObject("Shell.Application"):a9arfG4Fhjq.ShellExecute "rundll32","8ylb.dll ab1ksnp”
During the execution, another VBS file is created in C:\9arfG4Fhjq9arfG4Fhjq (MD5: b82a33bd326050d4587eda1855a41223) and a RunOnce key is created to execute it at next reboot. However, the process crashed in my sandbox and the malware installation was not successful. 
 
The file ‘x’ looked suspicious. It is a rogue BMP image file:
$ file x
x: PC bitmap, Windows 3.x format, 882 x 562 x 24
If you display it, it looks suspicious:
Thanks to Adam[2] on the rem-alumni mailing-list, the file was analyzed and, guess what, it contains another malicious PE file:
$ hexdump -C x.bmp|head -20
00000000  42 4d 66 b5 16 00 00 00  00 00 36 00 00 00 28 00  |BMf.......6...(.|
00000010  00 00 72 03 00 00 32 02  00 00 01 00 18 00 00 00  |..r...2.........|
00000020  00 00 30 b5 16 00 c4 0e  00 00 c4 0e 00 00 00 00  |..0.............|
00000030  00 00 00 00 00 00 ff ff  ff ff ff ff ff ff ff ff  |................|
00000040  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000120  ff 6d 65 67 61 70 65 73  74 72 63 2c 35 71 52 23  |.megapestrc,5qR#|
00000130  51 7f 79 66 21 76 9a 8e  50 23 e9 7f 7d 66 2e 76  |Q.yf!v..P#..}f.v|
00000140  65 71 10 23 4b 7f 7d 66  2e 76 65 71 50 23 51 7f  |eq.#K.}f.veqP#Q.|
00000150  7d 66 2e 76 65 71 50 23  51 7f 7d 66 2e 76 65 71  |}f.veqP#Q.}f.veq|
00000160  50 23 51 7f 7d 66 2e 77  65 71 ea 33 51 71 62 d2  |P#Q.}f.weq.3Qqb.|
00000170  27 bb 44 c9 51 6f 9c 5e  ed f6 7a 1e 0c 02 70 53  |'.D.Qo.^..z...pS|
00000180  23 10 1a 14 4f 1b 45 1c  25 50 25 5f 1f 03 0e 04  |#...O.E.%P%_....|
00000190  10 1f 70 56 3f 1b 18 14  0e 21 0c 1f 63 11 5c 75  |..pV?....!..c.\u|
000001a0  59 51 2e 76 65 71 50 23  51 7f 7d 66 2e 76 65 71  |YQ.veqP#Q.}f.veq|
000001b0  50 23 51 7f 7d 66 2e 76  65 71 50 23 51 7f 7d 66  |P#Q.}f.veqP#Q.}f|
000001c0  2e 76 65 71 50 23 51 7f  7d 66 2e 76 65 71 50 23  |.veqP#Q.}f.veqP#|
000001d0  51 7f 7d 66 2e 76 65 71  50 23 51 7f 7d 66 2e 76  |Q.}f.veqP#Q.}f.v|
000001e0  65 71 50 23 51 7f 7d 66  2e 76 65 71 50 23 51 7f  |eqP#Q.}f.veqP#Q.|
000001f0  7d 66 2e 76 65 71 50 23  51 7f 7d 66 2e 76 65 71  |}f.veqP#Q.}f.veq|
We clearly see repeated sequences of bytes:
ff 6d 65 67 61 70 65 73 74 72
63 2c 35 71 52 23 51 7f 79 66
21 76 9a 8e 50 23 e9 7f 7d 66
2e 76 65 71 10 23 4b 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 77 65 71 ea 33 51 71 62 d2
27 bb 44 c9 51 6f 9c 5e ed f6
7a 1e 0c 02 70 53 23 10 1a 14
4f 1b 45 1c 25 50 25 5f 1f 03
0e 04 10 1f 70 56 3f 1b 18 14
0e 21 0c 1f 63 11 5c 75 59 51
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76 65 71 50 23 51 7f 7d 66
2e 76
The file is XOR’d with the following key: ‘0x2e 0x76 0x65 0x71 0x50 0x23 0x51 0x7f 0x7d 0x66’. Once decoded, when have now a PE file packed with UPX (MD5: a9bc758fe544e229884eb3e0df483677). The final decoded file is a classic Fareit trojan (MD5: 03c5ac152126ff6d007c36789d9d3812). It communicates with the following C2:
hxxp://23.249.166.175/star/gate.php

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

3 comment(s)
My next class:

Comments

You never fail to impress me with your work Xavier.Can I ask why you think the XOR key is repeated so many times in the code? Is this just lazy coding?
These are probably all areas in the program with all nul characters.
When you xor any number with 0 the result is that number.

JH
[quote=comment#39137]These are probably all areas in the program with all nul characters.
When you xor any number with 0 the result is that number.

JH[/quote]

True. If you XOR a bunch of '0x00' with the key 'azerty' you get this:

$ python xor.py | hexdump -C
00000000 61 7a 65 72 74 79 61 7a 65 72 74 79 61 7a 65 72 |azertyazertyazer|
00000010 74 79 61 7a 65 72 74 79 61 7a 65 72 74 79 61 7a |tyazertyazertyaz|
00000020 65 72 74 79 61 7a 65 72 74 79 61 7a 65 72 74 79 |ertyazertyazerty|
00000030 61 7a 65 72 74 79 61 7a 65 72 74 79 61 7a 65 72 |azertyazertyazer|
00000040 74 79 61 7a 65 72 74 79 61 7a 65 72 74 79 61 7a |tyazertyazertyaz|
00000050 65 72 74 79 61 7a 65 72 74 79 61 7a 65 72 74 79 |ertyazertyazerty|
00000060 61 7a 65 72 0a |azer.|

Diary Archives