Case of Pony downloading ZeuS via Passworded Zip Attachment of Malvertisement Campaign

It's a workday, so I cannot post much; please bear with the short analysis below. But today I couldn't get rid of my curiosity after reading Mr. Conrad Longmore's newest post on the Dynamoo Blog (nice report!) about the malvertisement with an encrypted/passworded zip attachment (here's the link -->>[Dynamoo Blog]).
I was lucky to get a similar sample, dated today, in my honeypot, as per the following snapshot, and just couldn't help taking a look into it.

The email header shows the spambot signatures:
Date: Mon, 3 Jun 2013 09:45:57 -0800
From: "Fiserv Secure Notification"
User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1"
MIME-Version: 1.0
And the passworded archive attachment looks like the snapshot below:

Filling in the provided information leads you to the sample here -->>[VirusTotal]
This time it looks like VirusTotal did only a limited behavior analysis of the sample, so I decided to check it myself.

I renamed the malicious attachment to sample2.exe and ran it; as seen in the decrypted binary code, it connected to the Pony gateways below:

h00p://116.122.158.195:8080/ponyb/gate.php
h00p://nourrirnotremonde.org/ponyb/gate.php
h00p://zoecopenhagen.com/ponyb/gate.php
h00p://goldenstatewealth.com/ponyb/gate.php
OK, it's a Pony trojan, a credential stealer & downloader. It downloaded other malware from the URL set below (gotta hack the bins to know these too), which I later learned is Zbot:
h00p://www.netnet-viaggi.it/2L6L.exe
h00p://190.147.81.28/yqRSQ.exe
h00p://paulcblake.com/ngY.exe
h00p://207.204.5.170/PXVYGJx.exe
The processes after downloading look like this:

Here are some successful download logs I recorded (for evidence purposes):
--2013-06-04 17:40:46--  h00p://190.147.81.28/yqRSQ.exe
Connecting to 190.147.81.28:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 305664 (299K) [application/x-msdownload]
Saving to: `yqRSQ.exe'
100%[=====================>] 305,664 95.4K/s in 3.1s
2013-06-04 17:40:51 (95.4 KB/s) - `yqRSQ.exe' saved [305664/305664]

--2013-06-04 17:40:59-- h00p://paulcblake.com/ngY.exe
Resolving paulcblake.com... 74.54.147.146
Connecting to paulcblake.com|74.54.147.146|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 305664 (299K) [application/x-msdownload]
Saving to: `ngY.exe'
100%[=====================>] 305,664 144K/s in 2.1s
2013-06-04 17:41:02 (144 KB/s) - `ngY.exe' saved [305664/305664]

--2013-06-04 17:41:15-- h00p://207.204.5.170/PXVYGJx.exe
Connecting to 207.204.5.170:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 305664 (299K) [application/x-msdownload]
Saving to: `PXVYGJx.exe'
100%[=====================>] 305,664 109K/s in 2.7s
2013-06-04 17:41:18 (109 KB/s) - `PXVYGJx.exe' saved [305664/305664]
And then the daemonized Pony malware started:

You'll see the self-copied traces of the original malware (Pony) and the downloaded one saved in %Temp% and %AppData%, as per the snapshot below; note the randomized file names and the fake dates:

So we actually have two pieces of malware in this case: the attached file is a ZeuS-based PWS/Pony botnet agent, which downloads the trojan PWS/Stealer. Let's break it down one by one.

The Pony

The binary is compressed with aPLib v1.01; the traces are here:

aPLib v1.01  -  the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/
It checks some basic info on your system, "System Data..":
GetNativeSystemInfo
IsWow64Process
HWID

"... and User's Data"
My Documents
AppData
Local AppData
Cache
Cookies
History
My Documents
Common AppData
My Pictures
Common Documents
Common Administrative Tools
Administrative Tools
Personal
[...]
Then it tries to grab credential data for your FTP software, browsers, email, terminal server and file sharing, as I pasted in Pastebin here -->>[Pastebin]

It even attempts to access Facebook-related data. The code was readable :-)

xthpt/:w/wwf.cabeoo.koc/m
// Means:
http://www.facebook.com/
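
The scrambled string above decodes by swapping each pair of adjacent characters after the leading x. As an added example (not code from the sample or from the original post), this helper applies that swap to a strings dump; the pair-swap reading and the two alignments it tries are inferred from the single string shown here, and the other dump entries are constructed.

```python
import re

# Matches a plain http/https URL once a string has been unscrambled.
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./%-]*)?")

def swap_pairs(s, start=0):
    """Swap every two adjacent characters of s, beginning at index start."""
    chars = list(s)
    for i in range(start, len(chars) - 1, 2):
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
    return "".join(chars)

def find_swapped_urls(strings):
    """Return {original: url} for strings that hide a URL behind pair swapping.

    Both alignments are tried because a leading character (the 'x' in the
    page's sample) shifts where the first swapped pair begins.
    """
    hits = {}
    for s in strings:
        if URL_RE.search(s):      # already plain text, nothing to recover
            continue
        for start in (0, 1):
            m = URL_RE.search(swap_pairs(s, start))
            if m:
                hits[s] = m.group(0)
                break
    return hits

# Constructed strings-dump excerpt; only the first entry is the page's sample.
SAMPLE_STRINGS = [
    "xthpt/:w/wwf.cabeoo.koc/m",
    "GetNativeSystemInfo",
    "Accept-Encoding: identity, *;q=0",
]

if __name__ == "__main__":
    for original, url in find_swapped_urls(SAMPLE_STRINGS).items():
        print(original, "->", url)
```
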
HTTP/1.0 POST communication's header decoded:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s
Content-Length:
Location:
HTTP/1.0 GET communication's header decoded:
GET %s HTTP/1.0
Host: %s
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: %s
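
The decoded POST template is distinctive enough to match on in proxy or capture data. An added example, not part of the original analysis: it checks a raw request head against the template above and assumes that the User-Agent slot is filled with the Mozilla/4.0 string listed with it; the hosts and function names are hypothetical.

```python
import re

# Header values copied from the decoded POST template on this page.
TEMPLATE = {
    "accept": "*/*", "accept-encoding": "identity, *;q=0",
    "accept-language": "en-US", "connection": "close",
    "content-type": "application/octet-stream",
    "content-encoding": "binary",  # not a registered HTTP content coding
}
PONY_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"
GATE = re.compile(r"/gate\.php(?:\?|$)", re.I)  # path in the gateway URLs

def pony_indicators(raw):
    """List the traits of the decoded Pony POST template that a request shows."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    if len(parts) != 3:
        return []                     # malformed request line
    method, path, version = parts
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                     # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    found = []
    if method == "POST" and version == "HTTP/1.0":
        found.append("post-http10")
    if GATE.search(path):
        found.append("gate-path")
    if headers.get("user-agent") == PONY_UA:
        found.append("default-ua")
    if all(headers.get(k) == v for k, v in TEMPLATE.items()):
        found.append("header-template")
    return found

# Constructed requests (hosts are placeholders): one follows the template,
# the other is an ordinary browser form POST.
PONY_LIKE = ("POST /ponyb/gate.php HTTP/1.0\r\nHost: gateway.example\r\n"
             "Accept: */*\r\nAccept-Encoding: identity, *;q=0\r\n"
             "Accept-Language: en-US\r\nContent-Length: 512\r\n"
             "Content-Type: application/octet-stream\r\nConnection: close\r\n"
             "Content-Encoding: binary\r\nUser-Agent: " + PONY_UA + "\r\n\r\n")
BROWSER = ("POST /login HTTP/1.1\r\nHost: shop.example\r\n"
           "Accept: text/html\r\nAccept-Encoding: gzip, deflate\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n"
           "Connection: keep-alive\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
```

The header-template indicator does not depend on the path or host, so it still fires when a gateway is moved to a new URL.
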
Strings for logins :-)
diamond jason scooby thomas maxwell whatever cheese asdf
hope internet joseph blink182 justin god sunshine banana
maggie mustdie genesis jasmine james password christ gates
maverick john forum purple chicken blessing soccer flower
online letmein emmanuel test danielle snoopy qwerty1 taylor
spirit mike cassie angels iloveyou2 1q2w3e4r friend lovely
george knight victory grace fuckoff cookie summer hannah
friends jordan23 passw0rd hello prince chelsea merlin princess
dallas abc123 foobar poop junior pokemon phpbb compaq
adidas red123 ilovegod blessed rainbow hahaha jordan jennifer
1q2w3e praise nathan heaven fuckyou1 aaaaaa saved myspace1
orange freedom blabla hunter nintendo hardcore dexter smokey
testtest jesus1 digital pepper peanut shadow viper matthew
asshole london peaches john316 none welcome winner harley
apple computer football1 cool church mustang sparky rotimi
biteme microsoft power buster bubbles bailey windows fuckyou
william muffin thunder andrew robert blahblah 123abc soccer1
mickey qwert gateway faith destiny matrix lucky single
asdfgh mother iloveyou! ginger loving jessica anthony joshua
wisdom master football hockey gfhjkm stella jesus green
batman qazwsx tigger hello1 mylove benjamin ghbdtn 123qwe
michelle samuel corvette angel1 jasper testing admin starwars
david canada angel superman hallo secret hotdog love
eminem slayer killer enter cocacola trinity baseball silver
scooter rachel creative daniel helpme richard password1 austin
asdfasdf onelove google forever nicole peace dragon michael
sammy qwerty zxcvbnm nothing guitar shalom trustno1 amanda
baby prayer startrek dakota billgates monkey chris charlie
samantha iloveyou1 ashley kitten looking iloveyou happy bandit
Malicious WSA-based botnet calls used:

Client Hash
STATUS-IMPORT-OK
gethostbyname
socket
connect
closesocket
send
select
recv
setsockopt
Some PoC of request vs response of this binary's networking:

The Stealer is... Trojan ZeuS Botnet Agent (Zbot)

I analyzed a sample like this from the recent popular malvertisement campaign, as I pasted here -->>[Pastebin]. This one is one of that kind, with the highlights below:

Process injection target:


launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
Usual strings:

bancline
fidelity
micrsolv
bankman
vantiv
episys
jack henry
cruisenet
gplusmain
Encoding ROT traces:
abcdefghijklmnopqrstuvwxyz
^_`abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
Botnet connectivity is over HTTP/1.1, with the same strings as the previous sample:
GET
HTTP/1.1
Connection: Close
Authorization
Basic
GET
POST
div
script
nbsp;
connection
proxy-connection
content-length
transfer-encoding
upgrade
chunked
keep-alive
close
Botnet commands:

DELETE
HEAD
PUT
CONNECT
OPTIONS
TRACE
COPY
LOCK
MKCOL
MOVE
PROPFIND
PROPPATCH
SEARCH
UNLOCK
REPORT
MKACTIVITY
CHECKOUT
MERGE
M-SEARCH
NOTIFY
SUBSCRIBE
UNSUBSCRIBE
PATCH
PURGE
Here's VT's detection ratio for the Zbot, which is too darn low:
URL is here -->>[VirusTotal]
SHA256: 40b4fa7433319d2b4d2fc8e8265547665e6492d3d64d0ecc2b30108b8d732a1c
SHA1: 4f3fda6c688c11a2a15bf88fb1ff005dc0045324
MD5: aa8463f91cd44a436d2468b33c2cafbb
File size: 298.5 KB ( 305664 bytes )
File name: PXVYGJx.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 2 / 47
Analysis date: 2013-06-04 08:46:46 UTC ( 2 hours, 55 minutes ago )

Fortinet : W32/Kryptik.AGAJ!tr
McAfee-GW-Edition : Heuristic.LooksLike.Win32.Suspicious.B

Overall Network Analysis (To aim CnC)

One set of this infection produces outbound traffic like this:
It shows the Zbot trojan downloader hosts below:

With the unique DNS requests as below:

Incoming UDP traffic on local port 25916 was detected from the IPs below:

81.133.189.232
95.234.169.221
211.209.241.213
63.85.81.254
108.215.44.142
142.136.161.103
PoC:

This is the source information:
Additionally, this is how our data got sent to the pony panels:

Samples


The sample is shared for research purposes and to raise the detection ratio.

Download is here -->>[MediaFire]

Additional

#MalwareMustDie!