Although I have gone through a few of these, this will be my first post on them.
During an email spam filter outage an employee opened a malicious email.
The task is to identify the following items pertaining to the incident and to provide any other details.
Date and approximate time of the infection.
The infected computer’s IP address.
The infected computer’s MAC address.
The infected computer’s host name.
Which email the employee opened.
Infection Time: (Frame 85, DNS Query for Name: kennedy.sitoserver.com)
Arrival Time: Nov 6, 2015 16:22:38.340799000 Central Standard Time
Client IP address: 10.3.66.103 (10.3.66.103)
Client MAC address: Dell_2d:90:81 (00:24:e8:2d:90:81)
Host Name: Strout-PC
Note: if we set a filter of “bootp.option.hostname” we can get this info from one frame.
Which Employee: firstname.lastname@example.org
Email Opened was: #4
Dated Friday, November 06, 2015 3:05 PM
With Subject line of “You have received a new fax, document 000497762”
As we look at the traffic, if we filter on “dns” then the first thing we see after the system trying to get an IP address is this.
As we can see here, “kennedy.sitoserver.com” with an IP of 174.121.246 is our first site to show up.
Going through the emails we find an obfuscated JavaScript in email 4 that was labeled “fax000497762.doc.js”, and it looked like this (if your antivirus doesn’t kill it first).
After spending way too much time de-obfuscating the script by hand, we end up with this.
It calls out to the 3 sites and, if it connects, it will download a file to the temp folder and attempt to run it, so let’s set a filter for the IP and see what all it does: “ip.addr eq 18.104.22.168”
That’s still a little too much unneeded info, so let’s try a new filter:
“ip.addr eq 22.214.171.124 and (http.request or http.response)”
Oh, that’s better.
Here we can see we narrowed the traffic down to just the GET requests and responses for the suspect IP.
This appears to be downloading just GIF files, but if we look at the data in the display we see this.
This is a dead giveaway that it contains a program’s code.
So what are these 3 files we extracted from the traffic?
The first one, with an MD5 of “e2fc96114e61288fc413118327c76d93”, shows up on VirusTotal as a Trojan dropper and many other things.
This is the one I did all of my work on.
It is a VB5/6 file that makes it appear it was from DHL, by the info found in it.
The next one, with an MD5 of “e2151a8411627ea2a288f2241735d0d0”, shows up on VirusTotal as Trojan Generic on most of the list.
When checked in PeStudio it does not have a signature for what this file was created with, but the imports make it suspect as an MFC application. Original name: pattern.exe.
The third file, with an MD5 of “35a09d67bee10c6aff48826717680c1c”, shows up on VirusTotal as another Trojan / info stealer.
When checked in PeStudio this one does not have a signature for the type either, but viewing the imports I would assume that it is written in a form of C/C++.
This file also pretends to be “VMware command line Toolbox”.
I did not run the last 2 to see what all they did, but the rest of this will be on the first one, the VB5/6 file. This one appears to account for most of the traffic seen in the pcap.
Here is a link to a previous pcap on VirusTotal about it. It does contain some of the same sites detected in this search.
The VB Malware:
So what does this thing do?
When run on a VM without the other 2 files running, it will blink and disappear, not appearing to be doing anything.
I was not able to fully understand the decompiled code, but after running the malware it is more clear.
The malware creates a key in “HKEY_CURRENT_USER\Software”. I believe the name is the result of a calculation, because I believe I’ve seen it change every run.
It sets 2 values, then launches a process under WMI that starts MSHTA with a JavaScript value. That script reads the value in the key, decodes it, and then launches PowerShell with an environment variable to read another registry key, which then launches regsvr32.exe with the environment variable that is base64 encoded. It launches another version with the base64 string environment variable, which reads a previously created registry key.
Next it queries the value of the Run key and finds it is empty.
Next it sets the value of the new key.
Next it queries a value in the new key.
Next it (regsvr32) locates the original malware file.
Next the original malware file deletes the original registry key and checks to see that it is gone. Then it closes.
Next regsvr32 seems to be looking for Wireshark and other tools.
(It does this several times.)
Next it queries the new registry keys again (it does this several times).
Then it finally creates two null-named values in the registry under the HKCU Run key, which contain 2 separate JavaScripts.
It also attempts to delete a non-existent key.
Next it creates a new instance of regsvr32.exe and reads the keys again.
Finally the first versions close, then the original malware is deleted from the location it was launched from.
This is also looking for a registry key “HKCU\Software\XK72 Ltd” folder, which appears to be another form of traffic monitor tool.
It keeps this pattern up over and over again in the Process Monitor trace.
Sheww, that is a lot.
We can view the traffic generated live through Process Explorer; it sends a lot of SYN packets.
The PowerShell Script
This PowerShell script, which is base64 decoded and then run, appears to be a PowerShell “shell script”; it will inject into several processes and do its work, whatever that may be.
This script definitely needs more research to see how it functions.
As mentioned above, it loads 2 scripts from the HKCU Run key on boot to persist the infection and the work it does (I’m still not sure exactly what that is). It will go through the process of loading the values from its “Configuration” registry key, launching mshta.exe and PowerShell, and then most likely the injected regsvr32.exe with whatever that “Shell Code” was.
Wow, this thing is nasty.
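The launch chain described above (WMI host starting mshta.exe, which starts PowerShell, which starts regsvr32.exe) is the kind of parent/child relationship a detection rule can key on. The following is an added example, not code from the write-up: it walks process-creation events back through their parent PIDs and reports every regsvr32.exe whose ancestry ends in exactly that chain. The event records and command lines are constructed (marked CONSTRUCTED); the field names are assumptions modelled on what a Sysmon or Process Monitor export provides.

```python
# Added example (not from the write-up): flag the mshta -> powershell -> regsvr32
# launch chain in process-creation events. All records below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower case
    cmdline: str    # constructed; a real one would carry the encoded payload


# The chain the write-up describes, in parent -> child order.
SUSPICIOUS_CHAIN = ["mshta.exe", "powershell.exe", "regsvr32.exe"]

# Constructed sample: one malicious chain under the WMI provider host (two
# regsvr32 instances, as in the trace) and one benign admin session that also
# runs regsvr32 but from an interactive shell, not from mshta.
SAMPLE_EVENTS = [
    ProcEvent(400, 4, "wmiprvse.exe", "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"),
    ProcEvent(1234, 400, "mshta.exe", 'mshta.exe "javascript:<CONSTRUCTED>"'),
    ProcEvent(1300, 1234, "powershell.exe", "powershell.exe <CONSTRUCTED>"),
    ProcEvent(1350, 1300, "regsvr32.exe", "regsvr32.exe <CONSTRUCTED>"),
    ProcEvent(1360, 1300, "regsvr32.exe", "regsvr32.exe <CONSTRUCTED>"),
    ProcEvent(2000, 4, "explorer.exe", "explorer.exe"),
    ProcEvent(2100, 2000, "powershell.exe", "powershell.exe"),
    ProcEvent(2200, 2100, "regsvr32.exe", "regsvr32.exe /s example.dll"),
]


def lineage(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image names from the root ancestor down to ev.
    Stops when the parent is unknown or a pid repeats (Windows reuses pids)."""
    names: List[str] = []
    seen = set()
    cur: Optional[ProcEvent] = ev
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        names.append(cur.image)
        cur = by_pid.get(cur.ppid)
    names.reverse()
    return names


def find_chain_hits(events: List[ProcEvent],
                    chain: List[str] = SUSPICIOUS_CHAIN) -> List[Tuple[int, List[str]]]:
    """Return (pid, full lineage) for every process whose ancestry ends in `chain`.
    Matching the whole chain, not just 'regsvr32 spawned by powershell',
    keeps the interactive admin session in the sample from firing."""
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[int, List[str]]] = []
    for ev in events:
        if ev.image != chain[-1]:
            continue
        lin = lineage(ev, by_pid)
        if len(lin) >= len(chain) and lin[-len(chain):] == chain:
            hits.append((ev.pid, lin))
    return hits


if __name__ == "__main__":
    for pid, lin in find_chain_hits(SAMPLE_EVENTS):
        print(f"pid {pid}: {' -> '.join(lin)}")
```

Run it and only the two regsvr32 instances under the WMI-launched mshta are reported; the regsvr32 started from the Explorer-launched shell is not, because its ancestry lacks mshta.exe.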
Now let’s go back and look at some of the traffic it produced.
If we look at the traffic under Statistics –> Endpoints –> IPv4 and sort by packets, we can see the result of just the SYNs sent and the multiple places they were sent to in a short time.
Here we see in Process Explorer some of the traffic in a different run. Do you notice what process it is running under?
If we set a filter of “ip.addr == 126.96.36.199”, which is for the Google public DNS server, we can see a repeating pattern with the exception of “Name: pomppondy.net” and a few others. We see that it repeats a query with a transaction ID starting with hex 0x00000001 to 0x00000028, that is 1 to 40 decimal.
The sites that end in ddns.net are sites through noip.org.
If we set a filter for “dns.flags == 0x8180” then we can see all of the queries that had IPs associated with them. If we go one step further and set a filter for
“ip.addr == 188.8.131.52 and dns.flags == 0x8180” then we can view only the queries that used the Google Public DNS. It still leaves 77 packets that returned valid IPs.
If we set one more filter for “http.request.method == "POST"” we see only 2 entries.
These 2 send some sort of encrypted or compressed data to the form page.
It has an IP of “184.108.40.206”, so let’s set a filter of “ip.addr == 220.127.116.11” and see what it is doing.
It appears it is only sending that data, and the interesting part for me is that it calls the IP address directly and didn’t look it up. So this may be the phone-home call.
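The three observations in this section (transaction IDs counting up 1, 2, 3… instead of being random, a cluster of ddns.net names, and a POST to an address that never came back in any DNS answer) can be turned into an automated triage pass over the pcap. The following is an added example, not the author’s code: it runs those three checks over DNS and HTTP records of the kind you would get from tshark field output. The records, the resolver address 192.0.2.53 and the host names are all constructed; nothing here is taken from the capture.

```python
# Added example (not from the write-up): triage DNS/HTTP records for the three
# tells discussed above. All records and addresses below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RESOLVER = "192.0.2.53"   # constructed stand-in for the public resolver


@dataclass
class DnsRecord:
    frame: int
    resolver: str
    txid: int
    qname: str
    answer: Optional[str]   # None when the response carried no A record


@dataclass
class HttpRecord:
    frame: int
    method: str
    dst_ip: str
    uri: str


DNS_SAMPLE = [
    DnsRecord(10, RESOLVER, 0x0001, "host1.ddns.net", "198.51.100.10"),
    DnsRecord(11, RESOLVER, 0x0002, "host2.ddns.net", None),
    DnsRecord(12, RESOLVER, 0x0003, "host3.ddns.net", "198.51.100.12"),
    DnsRecord(13, RESOLVER, 0x0004, "updates.example.net", "198.51.100.13"),
    DnsRecord(30, RESOLVER, 0x0001, "host1.ddns.net", "198.51.100.10"),   # counter restarts
    DnsRecord(31, RESOLVER, 0x0002, "host2.ddns.net", None),
    DnsRecord(32, RESOLVER, 0x0003, "host3.ddns.net", "198.51.100.12"),
    DnsRecord(40, "192.0.2.1", 0x5A3C, "mail.example.org", "198.51.100.40"),  # OS stub resolver, random id
]

HTTP_SAMPLE = [
    HttpRecord(50, "GET", "198.51.100.12", "/img/a.gif"),
    HttpRecord(60, "POST", "198.51.100.200", "/form.php"),   # no DNS answer ever returned this IP
    HttpRecord(61, "POST", "198.51.100.13", "/submit"),
]


def txid_runs(records: List[DnsRecord], resolver: str, min_len: int = 3) -> List[Tuple[int, int, int]]:
    """Runs of consecutive transaction IDs (n, n+1, n+2, ...) sent to one resolver,
    as (first_frame, last_frame, length). Stub resolvers randomise the ID, so a
    counter points at a program doing its own lookups."""
    runs: List[Tuple[int, int, int]] = []
    current: List[DnsRecord] = []
    for r in records:
        if r.resolver != resolver:
            continue
        if current and r.txid == current[-1].txid + 1:
            current.append(r)
        else:
            if len(current) >= min_len:
                runs.append((current[0].frame, current[-1].frame, len(current)))
            current = [r]
    if len(current) >= min_len:
        runs.append((current[0].frame, current[-1].frame, len(current)))
    return runs


def dynamic_dns_names(records: List[DnsRecord], suffixes: Tuple[str, ...] = (".ddns.net",)) -> List[str]:
    """Queried names under dynamic-DNS suffixes (the write-up singles out ddns.net)."""
    return sorted({r.qname for r in records if r.qname.endswith(suffixes)})


def posts_without_lookup(http: List[HttpRecord], dns: List[DnsRecord]) -> List[Tuple[int, str, str]]:
    """HTTP POSTs to a destination that no DNS answer in the capture ever returned:
    the client had the address built in, which is how the write-up spots the phone-home."""
    resolved = {r.answer for r in dns if r.answer}
    return [(h.frame, h.dst_ip, h.uri) for h in http
            if h.method == "POST" and h.dst_ip not in resolved]


def triage(dns: List[DnsRecord], http: List[HttpRecord], resolver: str = RESOLVER) -> Dict[str, object]:
    return {
        "txid_runs": txid_runs(dns, resolver),
        "dynamic_dns": dynamic_dns_names(dns),
        "posts_without_lookup": posts_without_lookup(http, dns),
    }


if __name__ == "__main__":
    for key, value in triage(DNS_SAMPLE, HTTP_SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed sample the first check finds two counter runs (frames 10–13 and 30–32), the second lists the three ddns.net names, and the third reports only the POST to 198.51.100.200; the POST to 198.51.100.13 is not reported because that address was returned for updates.example.net earlier in the capture.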
There is so much going on here it will make your head spin, and it will require more time than would be allowed at a company to research it all.
So now, after all of that, how do we get rid of this thing?
If we try to open the registry with Regedit we see this.
If we try to view this with Regedit we see this error (twice, once for each value).
If we look at it with Autoruns we see this.
As you can see here, both values are displayed in Autoruns as “Default” or no name.
A past try to get rid of this by deleting it with Autoruns didn’t work so well, since the malware is injected into the system and is most likely protecting the Run key.
So the new way is to find the configuration key and delete it.
But first we have to kill the regsvr32 processes, or the configuration key will automatically be replaced.
Once we delete this key and reboot, the first scripts in the Run key crash since they can’t find the data in the configuration key to start the injection process.
I also disabled the network interface to stop it calling out.
If we see this then we know the configuration key stayed deleted.
Just click “NO” and we get this (twice, once for each script).
Next we fire up Autoruns (as Admin) again, but we still cannot delete the values with it.
So what do we do from here? By accident I discovered that if we jump to the “RUN” key using Autoruns after the same error pops up that we originally saw, wow, there are 2 values there now even though it says they are not set.
Note: when I tried to delete this key without jumping with Autoruns it would not allow it.
Now just delete the “RUN” key, restart the system, and then we see this.
The system put the real “Run” key back.
And to verify that it is real, we turn the network card back on and run the verify command in Process Explorer, which verifies the file.
The loaded EXE is verified, so now a little more searching should verify this nasty thing was cleaned from the VM system.
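One more check that fits after the cleanup above: export the HKCU Run key (Regedit’s File > Export, or reg export) and scan the text for values that are unnamed or that invoke any of the tools this chain used (mshta, a javascript: URL, PowerShell, regsvr32). The following is an added example, not the author’s procedure: the .reg text it parses is constructed, with CONSTRUCTED placeholders where the real values carried the scripts. A value whose name embeds a null character, which is what makes Regedit error out as described above, may not round-trip through an export at all, so this complements Autoruns rather than replacing it.

```python
# Added example (not from the write-up): scan an exported .reg file for Run-key
# values that are unnamed or that mention the tools used by the launch chain.
# The SAMPLE_REG text is constructed; placeholders stand in for the real scripts.
import re
from typing import List, Tuple

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Tool names the chain in the write-up relies on; any of them in a Run value merits a look.
SUSPECT = re.compile(r"mshta|javascript:|powershell|regsvr32", re.IGNORECASE)

KEY_LINE = re.compile(r"^\[(.+)\]\s*$")
# A value line is either @=... (the unnamed/(Default) value) or "name"=...
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
@="mshta \"javascript:CONSTRUCTED_PLACEHOLDER\""
"Helper"="powershell.exe CONSTRUCTED_BASE64_PLACEHOLDER"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="C:\\Installer\\cleanup.exe"
'''


def scan_run_key(reg_text: str, key: str = RUN_KEY) -> List[Tuple[str, str, str]]:
    """Return (value_name, data, reason) for each value under `key` that is
    unnamed (shown as "(Default)" by Regedit and Autoruns) or whose data
    mentions one of the SUSPECT tools. Other keys in the export are ignored."""
    findings: List[Tuple[str, str, str]] = []
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            in_key = m.group(1).lower() == key.lower()
            continue
        if not in_key or not line:
            continue
        v = VALUE_LINE.match(line)
        if not v:
            continue
        name = "" if v.group(1) == "@" else v.group(2)
        data = v.group(3)
        reasons = []
        if name == "":
            reasons.append("unnamed (Default) value")
        hits = sorted({h.lower() for h in SUSPECT.findall(data)})
        if hits:
            reasons.append("mentions " + ", ".join(hits))
        if reasons:
            findings.append((name, data, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, data, reason in scan_run_key(SAMPLE_REG):
        print(f"{name or '(Default)'}: {reason}\n    {data}")
```

On the constructed export the OneDrive entry passes, the unnamed value is flagged both for having no name and for mentioning mshta and javascript:, and the Helper value is flagged for PowerShell; the RunOnce key is left alone because only the Run key is in scope. An empty result after cleanup is the condition you want to see.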
If you made it this far, congratulations, and thanks for keeping on reading.
I’m sure there is more traffic to look at, but I’m worn out now.
This actually took several days to research and one more day to write up.
If this thing does this much to a system, I would hate to see what happens if all 3 of them get launched on one system.
I hope others have learned from this as much as I have.