2015-11-06 – TRAFFIC ANALYSIS EXERCISE – EMAIL ROULETTE

Although I have went thru a few of these, this will be my first post on them.

http://www.malware-traffic-analysis.net/2015/11/06/index.html

The scenario:

During an email  spam mail filter outage an employee opened a malicious E-Mail.

Our mission:

To identify these items pertaining to the incident and to provide any other details.

Date and approximate time of the infection.
The infected computer’s IP address.
The infected computer’s MAC address.
The infected computer’s host name.
Which email the employee opened.

Answers:

Infection Time: (Frame 85, DNS Query for Name: kennedy.sitoserver.com)
Arrival Time: Nov  6, 2015 16:22:38.340799000 Central Standard Time

Client IP address: 10.3.66.103 (10.3.66.103)
Client MAC address: Dell_2d:90:81 (00:24:e8:2d:90:81)
Host Name: Strout-PC
Note: if we set a filter of “ bootp.option.hostname “ we can get this info from 1 frame.

Which Employee: arthur.stoyt@turkey-mania.co
Email Opened was: #4 
Dated Friday, November 06, 2015 3:05 PM
With Subject line of “You have received a new fax, document 000497762”

As we look at the traffic if we filter on “dns” then the first thing we see after the system trying to get an IP is this.

FirstSite-Crop

As we can see here “kennedy.sitoserver.com” with an IP of 174.121.246 is our first site to show up.

Going thru the emails we find an obfuscated java script in email 4 that was labeled “fax000497762.doc.js” and it looked like this. (if your antivirus doesn’t kill it first)

ObfucatedMalware

After spending way to much time de-obfuscating the script by hand  we end up with this.

De-ObfuscatedScript

It calls out to the 3 sites and if it connects then

it will down load a file to to the temp folder and attempt to run it so lets set a filter for the IP and see what all it does. “ ip.addr eq 174.121.246.162 “

IP1

That’s still a little to much unneeded info so lets try a new filter

“ ip.addr eq 174.121.246.162 and (http.request or http.response) “

Oh that’s better

IP2

Here we can see we narrowed down the traffic to just the get and response traffic for the suspect IP.

This appears to be downloading just gif files but if we look at the data in the display we see this.

exeGiveaway

This is a dead giveaway that it contains a programs code.

So what are these 3 files we extracted from the traffic.

The first on with a MD5 of “e2fc96114e61288fc413118327c76d93”  shows up on VirusTotal as a Trojan dropper and many other things.

This is the one I done all of my work on.

It is a VB5/6 file that makes it appear that it was from DHL by the info found it in.

https://www.virustotal.com/en/file/f195bc9c26e0819663a907f855f6cff1125812993b89ba9d7bc48272181e2c73/analysis/

The next one with a MD5 of “e2151a8411627ea2a288f2241735d0d0” shows up on VirusTotal as Trojan Generic on most of the list.

When Checked In PeStudio It does not have a Signature for this file what it was created with but the import makes it suspect as a MFC application. Original Name of pattern.exe

https://www.virustotal.com/en/file/24625e658cff6564bb37fcaf2d10784dc8b1632506c44bcdea943ead12df60bb/analysis/

The third file with a MD5 of “35a09d67bee10c6aff48826717680c1c” shows up on VirusTotal as another Trojan / Info stealer.

When Checked in PeStudio this one does not have a Signature for the type either but viewing the imports I would assume that it is written in a form of C/C++.

This File Also pretends to be “VMware command line Toolbox”

I did not run the last 2 to see what all they did but the rest of this will be on the First one that was a VB5/6 file. This one appears to account for most of the traffic seen in Pcap

Here is a link to a previous Pcap on VirusTotal about it. It does contain some of the same sites detected in this search.

https://www.virustotal.com/en/file/f40867760c5d45915139b48359886931a9fd552e1c085d54308831cf9ae76ef5/analysis/

The VB Malware:

So what does this thing do ?

When run on a VM without the other 2 files running it will will blink and disappear not appearing to be doing anything.

I was not able to fully understand the decompiled code but after running the malware it is more clear.

The Malware creates a key in  “HKEY_CURRENT_USER\Software” I believe the name is as a result of a calculation  because I believe I’ve seen it changes every run.

Sets 2 values then then launches a process under WMI that starts MSHTA with a java script value that reads the value in the key decoding it and then launching Power shell with a environment variable to read another registry key  which then launches regsvr32.exe with the environment variable that is base 64 encoded. Launches another version with the base 64 string environment variable reads a previously created registry key .

Next it queries the Value of the RUN key and finds it is empty.

Next it sets the Value of the New Key

Next It query’s a value in the new key

Next it (regsvr32) locates the original malware file

Next the Original Malware file Deletes the original Registry key and  checks to see it is gone. Then it closes.

Next regsvr32 seem to be looking for Wireshark  and other tools.
(It does this several times)

Next it Query’s the new registry keys again  (It does this several times)

Then it Finally Creates Two Null Named Values in the registry under  The HKCU  Run key  which contain 2 separate Java Scripts.

It also attempts to delete a non existent key of.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe

Next it creates a new instance of regserver32.exe and reads the keys again.

Finally the First versions close then the original malware is deleted from the location where it was launched from.

This is also looking for a registry key “HKCU\Software\XK72 Ltd  folder” which appears to be another form of traffic monitor tool.

It keep this traffic pattern up over and over again in the Process Monitor Trace.

Sheww that is allot.

We can view the traffic generated live thru Process Explorer it sends a lot ‘ SYN “ packets.

The PowerShell Script

This power shell script that is base 64 decoded and then run appears to be a PowerShell, “Shell Script”, it will inject into several process and do its work. What ever that may be.

This script defiantly needs more research to see how it functions.

As mentioned above it loads 2 scripts from the HKCU  RUN key on boot to persist the infection and work it does.(I’m still not sure exactly what that is.) it will go thru the process of loading the values from it’s “Configuration” registry key launching mshta.exe,powershell, then the most likely injected regserver32.exe with what ever that “Shell Code” was.

Wow this thing is nasty.

Now lets go back and look at some of the traffic it produced.

If we look at the traffic under statistics –> Endpoints –> ipv4 then sort by packets we can see the result of just the “SYN’s sent and the multiple places they were sent to in the short time.

Here we see in Process Explorer some of the traffic in a different run. Do you notice what process it is running under ?

Network1

Network2

If we set a filter of “ ip.addr == 8.8.8.8 “ whuch is for the Google public DNS server, we can see a repeating pattern with the exception of “Name: pomppondy.net” and a few others. We see that is repeats a search with a transaction ID starting with Hex 0x00000001 to 0x00000028 that is 1 to 40 decimal.

The sites that end in ddns.net are for sites thru noip.org

If we set a Filter for “ dns.flags == 0x8180 “ then we can see all  of the queries where there IP’s associated with them. If we go 1 step further and set a filter for

“ip.addr == 8.8.8.8 and  dns.flags == 0x8180 “ then we can view only the queries that used the Google Public DNS. It still leaves 77 packets that returned valid IP’s.

If we set 1 more filter for “http.request.method == “POST” “ we see only 2 entries.

These 2 send some sort of encrypted or compressed data to the form page.

It has an IP of  “ 31.192.112.238 “ so lets set a filter of  “ ip.addr == 31.192.112.238 “ and see what it is doing.

It appears it is only sending that data and the interesting parts for me is it directly calling the IP address and didn’t look it up. So this may be the phone home call.

There is so much going on here it will make your head spin, and will require more time than would be allowed at a company to research it all.

 

So now after all of that how do we get rid of this thing.

If we try and open the registry with Regedit we see this

If we try and view this with Regedit we see this error(twice 1 for each value).

RunOpenError1

If we look at it with Autoruns we see this.

2NdRunAutoruns

As you can see here both values are displayed in Autoruns as “Default” or no name.

A past try to get rid of this by deleting it with Autoruns didn’t work so well since the malware is injected into the system and most likely protecting the run key.

So the new way is to find the Configuration  key and delete it.

RegLocation

But first we have to kill the regsvr32 processes or the configuration key will automatically be replaced.

Reinfection4cp

Once we delete this key and reboot the first scripts in the run key crashes since it can’t find that data in the configuration key to start the injection process.

I also disabled the network interface to stop it calling out.

If we see this then we know the configuration key stayed deleted.

ScriptError

SecondErrorPNG

Just click ‘NO”. and we get this. (twice, once for each script)

AfterScriptError

Next we fire up Autoruns (as Admin) again but we still can not delete the values with it.

DeleteError

So what do we do from here, By accident I discovered if we jump to the “RUN” key using Autoruns after the same error pops up that that we originally seen. Wow there are 2 values there now even though it says they are not set.

2Values

Note: When I tried to delete this key without jumping with Autoruns it would not allow it .

Now just delete the “RUN” key, restart the system  and then we see this.

AfterClean

The system put the real “Run” key back.

And to verify that it is real we turn back on the network card and run the verify command in Process explorer which verifies the file.

VMwaretools verified 

The loaded EXE  is verified, so now a little more searching should verify this nasty thing was cleaned from the VM system.

If you made it this far congratulations and thanks for keep reading.

I’m sure there is more traffic to look at but I’m wore out now.

This actually took several days to research and 1 more day to write up.

If this thing does this much to a system I would hate to see what happens if all 3 of them get launched on 1 system.

I hope others have learned from this as much as I have.

Advertisements

About pcsxcetrasupport3

My part time Business, I mainly do system building and system repair. Over the last several years I have been building system utility's in vb script , HTA applications and VB.Net to be able to better find the information I need to better understand the systems problems in order to get the systems repaired and back to my customers quicker.
This entry was posted in Malware and tagged . Bookmark the permalink.

3 Responses to 2015-11-06 – TRAFFIC ANALYSIS EXERCISE – EMAIL ROULETTE

  1. kpop fashion says:

    Truly no matter if someone ԁoesn’t be aware
    oof tһen its up to othеr people thɑt tɦey ᴡill heⅼp, sso Һere іt
    takes pⅼace.

  2. InfosurOuvrir compte en banque en ligne

  3. Pingback: Wireshark , Pcap files, User-Agent strings and Malware | PC's Xcetra Support

Comments are closed.