GET Trojan-Downloader.Win32.Cabby.cemx - Part Two - Functionality / Sudo Null IT News FREE

In the previous part, the first layer of the malware defense was dismantled and removed. Dumped the procedure after decrypting the main code, saving it in a separate possible file.
Information technology is time to deal with the logic and semantic load of Downloader itself.

Electronic network activity

An express psychoanalysis of network activity showed that the malware scans some resources from the list and downloads a certain "efax.jpg" from the first accessible one. Here is an example request:

Download .jpg and pick up the insides of this file - a random set of bytes. Neither the JPG key signature "FF D8" nor whatever lines. Encrypted data once more? We'll figure it out later.

API retrieval

About at the very showtime of the listing, we run into the 0x0040214C subprogram . Information technology recovers the API addresses of the functions needed to execute the Downloader inscribe.
The entire listing of the procedure makes no sense - overly cumbersome and of the same typewrite. At the very beginning, the strings with the DLL names are decrypted, after which these DLLs are connected using LoadLibrary, and the pointers to them are saved on the stack:

Next, using the accepted pointers and the decrypted names of the required APIs, the addresses of the required APIs are found using GetProcAddress and stored in variables.

This is the whole semantic load of this subprogram.
The only thing that can exist considered in more detail is the procedure for decoding drawstring variables.
An example of its use: The

interiors of the procedure itself:

Decipherment byte, key 16 bytes. If the string is much 16 bytes, the key is repeated cyclically.

Deception for the user

Immediately subsequently restoring the inevitable APIs, trinity 512 byte buffers are allocated. We will follow them.

Next, one of the buffers is misused to relieve the path to the% Temp% directory obtained victimization GetTempPath. Lease's take a bank note ...
A bit below the resource mention string is decrypted victimisation the procedure 0x00402F4F parsed above , its set-back is establish and reclaimed in the% Temp% directory as a .cab archive. The archive name is every which wa generated by the procedure 0x00401EE8 .
Example of creating a file:

Writing information from resources to a original file:

From the archive created in% Temp% .hack, the .rtf file is extracted with the computer file nam, like an executable module, and then it is launched for display to the user:

Opposing-heuristics?

Aft unpacking and running .rtf, we note a relatively pleasant opening - this procedure: The

call is located at offset 0x00401D04 .
At the very beginning, GetTickCount returns the number of milliseconds since the organisation started, after which there is a Hz with Sleep late and the second GetTickCount request. Following, the precise first is subtracted from the finis result, and the resultant delta is compared with the steadfast 0x668A0. We translate the constant into decimal, we get 420,000, or 7 minutes. Why is the find pleasant? Yes, because after opening .rtf, you can just clean the serve within 7 minutes and leave about CTB-Cabinet (although, probably, someone World Health Organization can suspect the process of suspicious actions and self-contained it just won't even start an unknown attachment). Perhaps this is a time attack on the heuristics of roughly antiviruses.
For reversing, this is not a peculiarly pleasant moment, because I Don River't really want to wait 7 proceedings every time I have to restart the process. Thence, we change the constant for 1 sec and forget about this timer, like this:

Download JPG

We approached the fragment that downloads from the network the .jpg mentioned at the very origin. There is a loop that arbitrarily selects a pointer to an encrypted string variable (URL), decrypts it with the procedure parsed in a higher place, passes the URL to the boot procedure (we testament not parse it, nothing interesting - the standard request for the web server is generated), it encrypts the Uniform resource locator again with the same procedure. After the described actions, the response from the WWW server is transferred to the procedure 0x00402019 , at the very beginning of which it is determined by the amount of received data whether the file was received or an abandon response from the server, after which the decision is ready-made to continue the cycle of searching the URL Oregon decrypt the received file.

The first request always goes to "sintjoep.nl/images/efax.jpg", and the response from the server is not checked in any way and the cycle of searching through the left over URLs immediately begins. IT is unclear why ...
How to calculate all the resources from which a forge .jpg lav follow downloaded? Later all, after each request, the URL is encrypted once more, and upon successful loading, the loop enters the search loop ... Small manipulations with the code and BP at key points:

Here we have lost the NOPs (No Mental process) of the procedure for reverse URL encoding. Act not forget about the exit from the search cycle. In that location, we will also blank out the conditional transition afterwards checking the response from the server, which will lead to an endless loop:

As a result, here is what we managed to achieve:

Since the URL is every which wa selected in the loop, the prospect that all the lines are decrypted the for the first time meter is somewhat small in order ... What can be precisely seen in the screenshot - one URL was not decrypted after quite drawn-out attempts to iterate over. "Korean random!" Nah, it's not so intriguing ... In that respect is a procedure 0x00401FF3 that generates this random, just why listen in thereto? After all, you can forthwith transport the showtim to the desired line and its size into the decoding procedure "by pass"! (why didn't it like a sho resuscitate mind ...)
Pointers to encrypted lines and their sizes were reclaimed immediately after the start of the process, hind end EntryPoint (then this was non yet clear). Immediately, above, in the screenshot of the stack, the Universal resource locator pointers are visible, and low each of them is the size of the line. So look - the Spanish pointer to the remaining encrypted Universal resource locator is at countervail 0x00401708 , and the train size is 0x24 (36 bytes). We take into account that the sizing is specified for ASCII, and we have UNICODE, so we multiply by 2 and get 0x48 (72 bytes). We change the values ​​of the registers EDI (pointer to a string up) and ESI (string size in bytes) by the premeditated values ​​and transfer control to the decryption procedure. We nonplus profit - all the resources from which this Downloader sample can load up CTB-Storage locker:

Totally these are absolutely modal sites, previously hacked to use them American Samoa a springboard for the spread of malware. These resources are legitimate only for this Downloader sample. Some other instance of Trojan-Downloader.Win32.Cabby fell into my hands. cfeu (according to KAV compartmentalisation), it has other URLs. Its action was noticed a couple up of days after the capture and the appearance of signatures on the first.
Someone wish say that it is easier and faster to hit the trace with some packet analyser and analyse DNS queries - and he bequeath follow right. But the purpose of the article is not in easiness, merely in knowledge.

Decipherment JPG

So, we got a malicious .jpg:

Then we get into the decoding procedure. At the very beginning of the file, quaternity bytes at offset 0x4 are the size of the encrypted data that starts at offset 0x8 and testament represent decrypted:

The decryption procedure itself is similar to the one that worked with strings - the same key, the Lapp logical system - so it makes no common sense to parse it. Aside the way, the 16-byte discover itself is: "CA 95 02 43 17 46 67 E4 FF 6E 8E D1 4E 7A Cost 86".
After decryption, we get the potential result:

Surprise

As it turned out, the accepted and decrypted .jpg is not just an executable file, but a container with executable files. As mentioned above, four bytes at offset 0x4 are the size of wholly data in the container. Next come with payloads, before each of which quaternity bytes is the size of payload. In our case, the container was not only CTB-Locker ...
After decryption, away the offset of the first payload and its size, on that point is an offset by the second, which is transmitted by a preferably large procedure 0x00402AC9. I will non name it, because this may long to an full clause. In fact, this is a self-written PE Stevedore, which projects a DLL from the decrypted container into its action and transfers control to the Grab_Psw function. As you can already guess from the make of the exported serve, this DLL is nothing more Watchword Stealer, stealing certificate from various applications. The range of applications is quite wide.
Passwords leave through and through HTTP POST in the same encrypted JPG. Here is an example:

At the time of analysis, connected all target resources, the host 3858850926.php has already been deleted. And present's the misfortune - the malware froze in an endless cycle of enumerating resources to send stolen credentials.
Hmm ... but this is not the final stage, files were encrypted to users.
After each attempt, the response from the server is checked for the presence of the "Confirmed" line using the SHLWAPI.StrStrA API:

A provisory jump is performed according to the result returned by SHLWAPI.StrStrA:

Well, net ball's make JNZ out of it:

Thus, we tricked the application into letting it cognize that passwords sent successfully - you potty continue.

CTB-Locker

Directly after the malware sent the stolen credential to the waiter, it proceeds to the procedure 0x004028CC , which creates a new .exe file with a random epithet in the% Temporary worker% directory. After which He writes the first payload from the decrypted container (JPG, which was recognized earlier) into it, withstands the timeout before starting, starts the created .exe, again withstands the timeout and deletes the file.

The Downloader process then ends.
We get the file from% Temp% before unveiling it and send it to Virustotal. Expected Finding of fact:

Radio link to the report .

Conclusion

Downloader general hand:

1. Extracts .rtf from the resource section and opens information technology to deceive the user;
2. After 7 minutes, download the encrypted container under the guise of .jpg;
3. Decrypts the container and projects the DLL from information technology into its possess memory victimization the somebody-written PE Longshoreman;
4. Calls from the DLL function "Grab_Psw", which steals credentials from various applications;
5. Sends stolen credentials in an encrypted container under the guise of a .jpg single file to the Internet;
6. Extracts the CTB-Storage locker container obtained in step 2 into the% Temp% directory and launches it.

The analysis revealed that CTB-Footlocker is not the solely threat that this Urban center-Downloader.Win32.Cabby.cemx sample carries with it. Together with the encryptor, the credentials of a wide grade of applications leak into the network, about which attackers do not warn anyone, asking them to pay for decrypting user data.

DOWNLOAD HERE

GET Trojan-Downloader.Win32.Cabby.cemx - Part Two - Functionality / Sudo Null IT News FREE

Posted by: villarrealafters.blogspot.com

Share this post