Some weeks ago mp0x sent me a malware sample named recycled.exe, approximately 1.4 MB, with a request to reverse engineer it.
MD5 Checksum: 9f958d9d0ce84626311d452b16000abb
recycled.exe is a sample of Backdoor.FlyAgent, also known as Dropper.Win32.Flystud.
Let's see its internals ;)
The executable is packed with PE-Crypt.CF (the name Kaspersky Labs gives it), a polymorphic protector that is not especially hard to unpack, with the classic feature set: resource protection, import table (IT) destruction, anti-dump (aimed at ReadProcessMemory-based dumpers) and anti-debug.
Backdoor.FlyAgent also infects explorer.exe and creates a new executable, 784399.EXE, which it starts as a hidden process.
After unpacking, this is the essential flowchart: http://i31.tinypic.com/2zzrksi.png
And this is the registry activity of Recycled.exe. The monitor prints UTF-16 values one byte at a time, which is why wide-string writes appear as C.:.\.D.o.c... below. Note also that most of what follows (the Shell Folders lookups, the ZoneMap values ProxyBypass/IntranetName/UNCAsIntranet and the Content.IE5 cache paths) is WinINet/Internet Explorer housekeeping that any process loading wininet.dll produces, not behaviour specific to the sample:
[KEY OPEN]: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
[WRITE]: C.:.\.D.o.c.u.m.e.n.t.s. .a.n.d. .S.e.t.t.i.n.g.s.\.h.a.x.m.e.\.L.o.c.a.l. .S.e.t.t.i.n.g.s.\.H.i.s.t.o.r.y..
[WRITE]: C.:.\.D.o.c.u.m.e.n.t.s. .a.n.d. .S.e.t.t.i.n.g.s.\.h.a.x.m.e.\.L.o.c.a.l. .S.e.t.t.i.n.g.s.\.H.i.s.t.o.r.y..
[KEY OPEN]: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
[WRITE]: C.:.\.D.o.c.u.m.e.n.t.s. .a.n.d. .S.e.t.t.i.n.g.s.\.h.a.x.m.e.\.L.o.c.a.l. .S.e.t.t.i.n.g.s.\.T.e.m.p.o.r.a.r.y. .I.n.t.e.r.n.e.t. .F.i.l.e.s..
[WRITE]: C.:.\.D.o.c.u.m.e.n.t.s. .a.n.d. .S.e.t.t.i.n.g.s.\.h.a.x.m.e.\.L.o.c.a.l. .S.e.t.t.i.n.g.s.\.T.e.m.p.o.r.a.r.y. .I.n.t.e.r.n.e.t. .F.i.l.e.s..
[KEY OPEN]: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
[WRITE]: C.:.\.D.o.c.u.m.e.n.t.s. .a.n.d. .S.e.t.t.i.n.g.s.\.h.a.x.m.e.\.C.o.o.k.i.e.s..
[WRITE]: C.:.\.D.o.c.u.m.e.n.t.s. .a.n.d. .S.e.t.t.i.n.g.s.\.h.a.x.m.e.\.C.o.o.k.i.e.s..
[KEY OPEN]: \ProxyBypass
[WRITE]: ...
[WRITE]: ...
[KEY OPEN]: \IntranetName
[WRITE]: ...
[WRITE]: ...
[KEY OPEN]: \UNCAsIntranet
[WRITE]: ...
[WRITE]: ...
[KEY OPEN]: \CachePath
[WRITE]: C:\Documents and Settings\haxme\Local Settings\Temporary Internet Files\Content.IE5\Cache3
[WRITE]: C:\Documents and Settings\haxme\Local Settings\Temporary Internet Files\Content.IE5\Cache3
[KEY OPEN]: \CacheLimit
[WRITE]: .?.
[WRITE]: .?.
[KEY OPEN]: \CachePath
[WRITE]: C:\Documents and Settings\haxme\Local Settings\Temporary Internet Files\Content.IE5\Cache4
[WRITE]: C:\Documents and Settings\haxme\Local Settings\Temporary Internet Files\Content.IE5\Cache4
[KEY OPEN]: \CachePath
[WRITE]: C:\Documents and Settings\haxme\Local Settings\Temporary Internet Files\Content.IE5\Cache2
[WRITE]: C:\Documents and Settings\haxme\Local Settings\Temporary Internet Files\Content.IE5\Cache2
[KEY OPEN]: \CachePath
[WRITE]: C:\Documents and Settings\haxme\Local Settings\Temporary Internet Files\Content.IE5\Cache1
[WRITE]: C:\Documents and Settings\haxme\Local Settings\Temporary Internet Files\Content.IE5\Cache1
[KEY OPEN]: \Directory
[WRITE]: C:\Documents and Settings\haxme\Local Settings\Temporary Internet Files\Content.IE5
[KEY OPEN]: \Paths
[WRITE]: C:\Documents and Settings\haxme\Local Settings\Temporary Internet Files\Content.IE5
This is the filesystem activity:
[OPEN/READ]: C:\WINDOWS\system32\0D3672\784399.EXE
[WRITE]: MZ......................@...............................................!..L.!This program cannot be run in DOS mode..\n$...............................................................................................P
[WRITE]: MZ......................@...............................................!..L.!This program cannot be run in DOS mode..\n$...............................................................................................P
[OPEN/READ]: e:\installers\Recycled.ese.exe
[OPEN/READ]: C:\WINDOWS\WindowsShell.Manifest
[OPEN/READ]: C:\WINDOWS\explorer.exe (Explorer Infection!)
[OPEN/READ]: C:\Documents and Settings\haxme\Local Settings\History\History.IE5\index.dat
[OPEN/READ]: C:\DOCUME~1\haxme\LOCALS~1\Temp\E_N4\HtmlView.fne
[WRITE]: MZ......................@...............................................!..L.!This program cannot be run in DOS mode..\n$..........y...*...*...*...*...*...*...*...*0..*...*...*...*...*s..*...*s..*...*#
[WRITE]: MZ......................@...............................................!..L.!This program cannot be run in DOS mode..\n$..........y...*...*...*...*...*...*...*...*0..*...*...*...*...*s..*...*s..*...*#
[OPEN/READ]: \\.\PhysicalDrive0
[OPEN/READ]: C:\DOCUME~1\haxme\LOCALS~1\Temp\E_N4\krnln.fnr
[WRITE]: MZ......................@...............................................!..L.!This program cannot be run in DOS mode..\n$.......x..0<..c<..c<..cG..c?..cj..c...c<..c...c...c...c...c...c<..cw..c^..c)
[WRITE]: MZ......................@...............................................!..L.!This program cannot be run in DOS mode..\n$.......x..0<..c<..c<..cG..c?..cj..c...c<..c...c...c...c...c...c<..cw..c^..c)
[OPEN/READ]: C:\DOCUME~1\haxme\LOCALS~1\Temp\E_N4\eAPI.fne
[WRITE]: MZ......................@...............................................!..L.!This program cannot be run in DOS mode..\n$.........O...!...!...!...-...!.h./...!...+.o.!...2...!...!...!... ...!.h.|...!...
[WRITE]: MZ......................@...............................................!..L.!This program cannot be run in DOS mode..\n$.........O...!...!...!...-...!.h./...!...+.o.!...2...!...!...!... ...!.h.|...!...
[OPEN/READ]: C:\DOCUME~1\haxme\LOCALS~1\Temp\E_N4\spec.fne
[WRITE]: MZ......................@...............................................!..L.!This program cannot be run in DOS mode..\n$..........sA`. A`. A`. .|. R`. A`. .`. #.. D`. ... -`. ... C`. ... @`.
[WRITE]: MZ......................@...............................................!..L.!This program cannot be run in DOS mode..\n$..........sA`. A`. A`. .|. R`. A`. .`. #.. D`. ... -`. ... C`. ... @`.
[OPEN/READ]: C:\DOCUME~1\haxme\LOCALS~1\Temp\E_N4\cnvpe.fne
[WRITE]: MZ......................@...............................................!..L.!This program cannot be run in DOS mode..\n$........^.5.?.f.?.f.?.f. .f.?.fa#.f.?.f. .f.?.f.?.f.?.f. .f.?.f. .f.?.fR
[WRITE]: MZ......................@...............................................!..L.!This program cannot be run in DOS mode..\n$........^.5.?.f.?.f.?.f. .f.?.fa#.f.?.f. .f.?.f.?.f.?.f. .f.?.f. .f.?.fR
[OPEN/READ]: C:\Documents and Settings\haxme\Local Settings\Temporary Internet Files\Content.IE5\index.dat
A note on the Temp\E_N4 drops above: krnln.fnr and the *.fne modules are the support libraries of the Easy Programming Language runtime (易语言, the FlyStudio product from which the Flystud family name derives), which EPL-compiled executables extract to %TEMP% at startup. They are the language runtime, not payload, so the interesting code is in the sample itself.
Now let's look at the explorer.exe infection. This is its registry activity (the MountPoints2\...\BaseClass = "Drive" writes are explorer's normal volume enumeration and are not by themselves attributable to the injected code):
[KEY OPEN]: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c7d23c22-70e4-11dd-b8b7-806\BaseClass
[WRITE]: D.r.i.v.e..
[WRITE]: D.r.i.v.e..
[KEY OPEN]: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5ce8d9f6-5d19-11dd-abed-806\BaseClass
[WRITE]: D.r.i.v.e..
[WRITE]: D.r.i.v.e..
[KEY OPEN]: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5ce8d9f4-5d19-11dd-abed-806\BaseClass
[WRITE]: D.r.i.v.e..
[WRITE]: D.r.i.v.e..
and this is its filesystem activity:
[OPEN/READ]: \\.\MountPointManager
[OPEN/READ]: \\.\WMIDataDevice
[OPEN/READ]: \\.\PIPE\lsarpc
784399.EXE
http://i32.tinypic.com/dviq9l.png
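As an added example (not part of the original post and not a tool from the FlyAgent analysis), here is a small Python triage script for monitor lines in the [KEY OPEN]/[WRITE]/[OPEN/READ] format shown above. The sample log embedded in it is a constructed subset of this page's output; the noise and indicator patterns are my own assumptions about what a triager wants separated, not anything the monitor or the sample defines. It decodes the byte-by-byte UTF-16 values (D.r.i.v.e.. to Drive) and reports the dropped PE images, the explorer.exe access, the raw disk open, the EPL runtime drop and the numeric system32 path, while discarding the WinINet and MountPoints2 housekeeping.

```python
"""Triage helper for monitor lines in the [KEY OPEN]/[WRITE]/[OPEN/READ] format
used above: decodes values the monitor printed byte by byte from UTF-16 and
separates housekeeping noise from the entries worth a second look."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the monitor output reproduced on this page.
SAMPLE_LOG = r"""
[KEY OPEN]: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
[WRITE]: C.:.\.D.o.c.u.m.e.n.t.s. .a.n.d. .S.e.t.t.i.n.g.s.\.h.a.x.m.e.\.L.o.c.a.l. .S.e.t.t.i.n.g.s.\.H.i.s.t.o.r.y..
[KEY OPEN]: \CachePath
[WRITE]: C:\Documents and Settings\haxme\Local Settings\Temporary Internet Files\Content.IE5\Cache3
[OPEN/READ]: C:\WINDOWS\system32\0D3672\784399.EXE
[WRITE]: MZ......................@...............................................!..L.!This program cannot be run in DOS mode.
[OPEN/READ]: C:\WINDOWS\explorer.exe
[OPEN/READ]: C:\DOCUME~1\haxme\LOCALS~1\Temp\E_N4\krnln.fnr
[WRITE]: MZ......................@...............................................!..L.!This program cannot be run in DOS mode.
[OPEN/READ]: \\.\PhysicalDrive0
[KEY OPEN]: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c7d23c22-70e4-11dd-b8b7-806\BaseClass
[WRITE]: D.r.i.v.e..
"""

LINE_RE = re.compile(r"^\[(KEY OPEN|WRITE|OPEN/READ)\]:\s*(.*)$")

# Housekeeping that any process loading wininet.dll, or explorer itself, produces.
# (Assumed patterns for this triage, not definitions from the monitor.)
NOISE = [
    ("wininet housekeeping", re.compile(
        r"Shell Folders\\(History|Cache|Cookies)$"
        r"|^\\(CachePath|CacheLimit|ProxyBypass|IntranetName|UNCAsIntranet|Directory|Paths)$"
        r"|Temporary Internet Files\\Content\.IE5"
        r"|\\Local Settings\\History$|\\Cookies$", re.I)),
    ("explorer drive enumeration", re.compile(r"\\Explorer\\MountPoints2\\", re.I)),
]

# Entries worth flagging for this sample: (label, operation, predicate on the value).
INDICATORS = [
    ("dropped PE image", "WRITE",
     lambda v: v.startswith("MZ") and "This program cannot be run in DOS mode" in v),
    ("explorer.exe touched", "OPEN/READ",
     re.compile(r"\\explorer\.exe$", re.I).search),
    ("raw disk access", "OPEN/READ",
     re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.I).search),
    ("EPL runtime dropped to %TEMP%\\E_N4", "OPEN/READ",
     re.compile(r"\\Temp\\E_N4\\[^\\]+\.fn[er]$", re.I).search),
    ("executable in numeric system32 subdirectory", "OPEN/READ",
     re.compile(r"\\system32\\[0-9A-F]+\\\d+\.exe$", re.I).search),
]


@dataclass
class Event:
    op: str
    value: str            # exactly as the monitor printed it
    decoded: str          # UTF-16 values decoded, otherwise identical to value
    tags: list[str] = field(default_factory=list)


def looks_wide(v: str) -> bool:
    """The monitor prints UTF-16LE buffers one byte at a time, so for ASCII text
    every high byte shows up as '.' at the odd offsets and the NUL terminator
    as a trailing '..'. Short values like '.?.' (a DWORD) do not qualify."""
    return len(v) >= 4 and v.endswith("..") and all(v[i] == "." for i in range(1, len(v), 2))


def decode_wide(v: str) -> str:
    """'D.r.i.v.e..' -> 'Drive': drop the terminator, keep the low bytes."""
    return v[:-2][0::2]


def classify(op: str, value: str) -> list[str]:
    tags = ["noise:" + label for label, pat in NOISE if pat.search(value)]
    tags += ["ioc:" + label for label, want, check in INDICATORS
             if op == want and check(value)]
    return tags


def triage(text: str) -> list[Event]:
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        op, value = m.group(1), m.group(2)
        decoded = decode_wide(value) if looks_wide(value) else value
        events.append(Event(op, value, decoded, classify(op, decoded)))
    return events


def indicators(text: str) -> list[tuple[str, str]]:
    """(label, decoded value) for every event carrying an ioc: tag, in log order."""
    return [(t[4:], e.decoded) for e in triage(text) for t in e.tags if t.startswith("ioc:")]


if __name__ == "__main__":
    for label, value in indicators(SAMPLE_LOG):
        print(f"{label:45} {value}")
```

Run against the full log from the page (paste it into SAMPLE_LOG or read it from a file), the noise patterns swallow the whole Shell Folders/ZoneMap/Content.IE5 block and the three MountPoints2 keys, leaving the two MZ writes, explorer.exe, \\.\PhysicalDrive0, the E_N4 runtime files and 784399.EXE, which is the list an analyst actually wants to work from.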