Source: "Malware Reverse Engineering" Malware Family: Donwloader. Backdoor Implant Static Analysis Tools: pestudio, IDA Pro, CFF Explorer, PEID, BinText Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autorun, Wireshark, Sandboxie Reports: (1) Malwr: https://malwr.com/analysis/ZWZkNGE4MWM5M2ZkNDYxMmFjZjJjNTcwOTExNDdlYTA/ (2) VirusTotal: https://www.virustotal.com/en/file/a627a4c74a4b092287e91cf6fbfd086c1355e1eb0160e55f8c9b568aca1c73c4/analysis/1450093133/ I. Static Analysis: nba_implant.ex_ Name: nba_implant.ex_ File Type: PE32 executable (GUI) Intel 80386 32-bit Target Machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2007-03-13 11:26:26 Entry Point: 0x00006801 PEiD: Armadillo v1.71 Number of sections: 3 File Hashes Input MD5: bd3c75e238b1b6074bcf56e7e9aa183b Input SHA256: a627a4c74a4b092287e91cf6fbfd086c1355e1eb0160e55f8c9b568aca1c73c4 File Size: 84.0 KB ( 86016 bytes ) Anti-Virus detection: 37/43 (with the exception of Malwarebytes, SuperAntiSpyware, Alibaba, AegisLab, ByteHero, Bkav) [Analyst's Note: 12 AVs did not evaluate this binary.] Finding Dependencies (Imports): (1) WS2_32.dll (Windows Networking API) Here are this implant's calls of interest: * send() * recv() * socket() * connect() * gethostbyname() (2) KERNEL32.dll (3) USER32.dll (4) ADVAPI32.dll Here are some interesting strings: Here are some interesting string: (1) $EDRGF%&^.htmlGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.html (2) GetLastActivePopup *(3) SVCH0ST.EXE (4) c:\pagefile.pif (5) Referer: http://www[.]baidu.com (6) /*(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.html *(7) %%comspec%% /c %s %s (8) fuckweb (9) DDos [Analyst's Note: *SVCH0ST.EXE is not the same legitimate Windows service SVCHOST.EXE. It is the writer's attempt to obfuscate the process. *%compsec% is an environment variable in Windows which normally points to the command line interpreter.] Red Flags: *The file references a URL. *The file checksum (0x00000000) is invalid. *The file is resource-less,2The file has no Version. *The file ignores Address Space Layout Randomization (ASLR) as mitigation technique. *The file is not signed with a Digital Certificate. Using nba_implant_exe, find the function that calls the recv() API and view it graphically using
recv expects a one 12-byte packets. It is doing a switch jump via jz (compare) function. In addition to networking API functions of WS2_32.dll, we also have to recognize LoadLibraryA calls that could pull other DLLs such as wininet.dll in this case. Here, we observer subsequent InternetOpen* networking functions. II. Dynamic Analysis: Dropped two files: 1 - nba_implant_exe.exe 2 - rs.bat Here is the batch algorithm of rs.bat: This batch script is the so-called "watchdog" that watches the malware presence in a specific directory and re-creates it if it is not found. The purpose of this script is to maintain persistence on the compromised host.
(0) Disables Windows Firewall (1) Opened files C:\nba_implant.exe C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\\rs.bat C:\WINDOWS\system32\cmd.exe (2) Wrote files C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\\rs.bat (3) Copied files Source: C:\nba_implant.exe Destination: C:\WINDOWS\system32\SVCH0ST.EXE (4) Launched processes C:\WINDOWS\system32\SVCH0ST.EXE C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1<USER>~1\LOCALS~1\Temp\\rs.bat Suspicious Indicators: (1) Contains ability to query the machine version [email protected] at 18472-1-00406801 [email protected] at 18472-83-00409D3D (2) Unusual Characteristics *Suspicious APIs details: WSASocketA sendto (Ordinal #20) closesocket (Ordinal #3) recv (Ordinal #16) WSAStartup (Ordinal #115) socket (Ordinal #23) connect (Ordinal #4) send (Ordinal #19) VirtualAlloc CreateProcessA CopyFileA DeleteFileA GetModuleFileNameA CreateThread Sleep WriteFile CreateFileA GetTempPathA GetProcAddress LoadLibraryA GetVersionExA GetComputerNameA GetTickCount UnhandledExceptionFilter GetModuleHandleA GetStartupInfoA GetCommandLineA TerminateProcess CreateServiceA StartServiceA StartServiceCtrlDispatcherA OpenProcessToken (3) Network related *Found potential URL in binary/memory details: Pattern match: "http://www.baidu.com" Pattern match: "http://localhost:1234/ip.jpg" source: String III. Outcome Sourcefire Rule: alert tcp $HOME_NET any -> any any (msg: "DOWNLOADER MURKA NBA IMPLANT ALERT"; content:"$EDRGF%&^.htmlGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.html"; "/*(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.html"; "HTTP/1.1"; "Referer: http://www.baidu.com"; "Cache-Control: no-cache"; noncase; classtype: Trojan-activity) Yara Signature: rule Win_ Downloader_Murka_NBA_Implant : BAC { meta: author = "Vitali Kremez" date = "2015-12-14" description = "Detects Downloader NBA Implant" hash0 = "bd3c75e238b1b6074bcf56e7e9aa183b" sample_filetype = "exe" strings: $service_name_short = "SVCH0ST.EXE" nocase $string0 = "$EDRGF%&^.htmlGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^*%%RTG*(&^%FTGYHJIJ%^&*()*&*^&%RDFG(JKJH.aspGET *(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.html" $string1 = "HttpSendRequestA" $string2 = "%%comspec%% /c %s %s" $string3 = "WindowsXP" $string4 = "20070313" $string5 = "InternetReadFile" $string6 = "HHtYHHtF" $string7 = "/*(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.html" $string8 = "InternetCloseHandle" $string9 = "Runtime Error" $string10 = "HTTP/1.1" $string11 = "Shell32.dll" $string12 = "Microsoft Visual C" $string13 = "fuckweb" $string14 = " Runtime Library" $string15 = "AVlogic_error@std@@" condition: 5 of them or all of ($service*) and filesize < 100KB }
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |