Tuesday, September 6, 2016

Trojanized file with anti-forensics capabilities


A suspicious file sample was discovered, which was fed into an automated malware analysis to see what it does after detonation. The sample name was<evilmoviename>.php%20www.evildomain.com. Any naive user downloading this file might think that he/she is downloading a URL shortcut or something.





The domain from where the file was downloaded is meson(dot)rghost(dot)ru. This is a file sharing domain.



Using forensic tools we are able to extract browser history and we can see the IIV, on what is the user's behavior which can lead to download of this unknown file resulting in infection. The user seem to be searching for porn sites on skyrock(dot)com and using google search. Google search leads the  


This is the link from where the file was downloaded and we can see that the file name ends with .com which might give the naive user an impression that this is either a download from this URL or this itself is a URL. However the file is an MS-DOS .com executable file. We can see from the pcap of the download that the original file has an "MZ" header which shows its executable nature.



On execution of the file which is an executable. It drops two files “explorer.exe” (unknown hash but when analysed does not show any evil score) and “player.exe” (good known hash of MS Windows Media Player) in the temp folder. The explorer.exe is discovered to be as another SFX which when executes, and creates a folder within the temp folder and drops another file autorun.exe (good known hash from publisher Indigo Rose) and a couple of .ogg and a “autorun.cdd” file. The autorun.cdd file also has a  “PK” header which shows it’s a compressed file. When I try to unzip this, it shows its password protected. This pretty much shows that this file has some sort of configuration which is being protected by the malware author. After every 30 minutes multiple IE windows open up directed to a shortened URL. 






The file calls setWindowsHookEx to hook keystrokes and mouse movements


We can see some .dlls being accessed




We can see weak timestomping done on dropped files as an anti-forensics technique. http://www.hexacorn.com/blog/2012/02/18/anti-forensics-live-examples/


We can also see a some files created and deleted from the temp folder


A mutex is also created by the process, which is linked to some known malware



We can see timestomping done on dropped binaries



 


We can also see persistence mechanism to launch explorer.exe in the temp folder on user logon or computer restart. 



After every 30 minutes many IE windows pop up trying to browse to hxxp://adf(dot)ly/10Ef4U

Here we see a warning that duplicate handle is acquired on Windows process explorer.exe by the malicious file. This is done most probably to inject code inside explorer.exe 


We see the sample is also trying to change IE settings to bypass proxy.






Some strings found inside the file indicates that this is a winrar self extracting file




Another good file anomaly indicator to consider is when the binary's original filename is different than the filename given. Usually attackers rename the file to  make it look like a genuine windows file like in this case ams_launch.exe is renamed to explorer.exe.


While debugging I saw that the file attribute of one of the two dropped binaries in the temp folder (explorer.exe) is being set as "FILE_ATTRIBUTE_ARCHIVE", which means that this is a self extracting archive file as well.



If we right click the dropped explorer.exe and unzip it then we will see that it contains within itself another binary called "autorun.exe" and some other .ogg and one .cdd file.


We can see the a folder with naming convention as ir_ext_temp_<number> is create in temp folder by explorer.exe and autorun.exe is dropped there along with other .ogg and .cdd file. These files belong to publisher called "Indigo Rose". 

At this point I am suspecting that since autorun.exe and player.exe are known good hashes and explorer.exe analysis did not bring much evil out. There must be some evil configuration which is inside the Autoplay folder which is being packaged and is made to be used by autorun.exe to perform the evil tasks.


While debugging explorer.exe I can see that autorun.exe is also an archive file as seen above.


I can see reference to Indigo Rose website

I am guessing that the password protected autorun.cdd contains the configuration which is responsible for popping up IE windows and directing to the shortened URL. Most probably to download next stage attack payload. For me to validate this, I need to crack the password for the password protected cdd file.





While debugging autorun.exe, I placed breakpoints on SetFilePointer. We can see that the pointer is being set to 236 (decminal and "EC" hexadecimal)



Going through the Hex we see the EC points to the "PK" header. The strange thing is there is another PK header within the password protected zip autorun.cdd file and when Olly “CreateFile” with READ_ACCESS, I figured that it should be requiring the password for the password protected zip, which I am able to locate below in the default heap:



 Using this password I was able to successfully unzip the archive which resulted in the below 2 files:



These dat files contain various configurations. The interesting artifact is the “_proj.dat”. And as expected, when we go to the bottom of this config file we can see the shortened URLs. Shortened URLs are usually used by malicious code to bypass URL category filtering. This seems to be the case where a malicious file might be downloaded from these shortened URLs and written to file and executed. This seems to be some code as per which, after every 30 minutes the timer elapses and iexplorer.exe process is created 6 times and the shortened URL is accessed.



This can be validated by looking at the imported names by autorun.exe in Olly. So I am guessing that genuine features and functionality of the Indigo Rose software autorun is used for malicious purpose by putting malicious configuration in the autorun.cdd file and encrypting it with password.


I also see some hardcoded file paths and name of a C source code file called "system_thread.c"


No comments:

Post a Comment