The file is not packed. It was written in MSVC (possibly 2010). The following headers are present in the PE structure.
Below is the PEDUMP of the Trojan:
PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               4 number of sections
        518EF109 time date stamp Sun May 12 07:01:53 2013
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             102 characteristics
                   Executable
                   32 bit word machine

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            9.00 linker version
           16000 size of code
            9E00 size of initialized data
               0 size of uninitialized data
            1E80 entry point (00401E80)
            1000 base of code
           17000 base of data
          400000 image base (00400000 to 00421FFF)
            1000 section alignment
             200 file alignment
            5.00 operating system version
            0.00 image version
            5.00 subsystem version
               0 Win32 version
           22000 size of image
             400 size of headers
               0 checksum
               2 subsystem (Windows GUI)
            8000 DLL characteristics
                   Terminal Server Aware
          100000 size of stack reserve
            1000 size of stack commit
         6400000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
           1C10C [      DC] RVA [size] of Import Directory
               0 [       0] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
           21000 [     E44] RVA [size] of Base Relocation Directory
               0 [       0] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
           17000 [     21C] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory

SECTION HEADER #1
   .text name
   15E35 virtual size
    1000 virtual address (00401000 to 00416E34)
   16000 size of raw data
     400 file pointer to raw data (00000400 to 000163FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

SECTION HEADER #2
  .rdata name
    5B54 virtual size
   17000 virtual address (00417000 to 0041CB53)
    5C00 size of raw data
   16400 file pointer to raw data (00016400 to 0001BFFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

SECTION HEADER #3
   .data name
    31D0 virtual size
   1D000 virtual address (0041D000 to 004201CF)
     C00 size of raw data
   1C000 file pointer to raw data (0001C000 to 0001CBFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write

SECTION HEADER #4
  .reloc name
     F76 virtual size
   21000 virtual address (00421000 to 00421F75)
    1000 size of raw data
   1CC00 file pointer to raw data (0001CC00 to 0001DBFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         Initialized Data
         Discardable
         Read Only

  Summary
        4000 .data
        6000 .rdata
        1000 .reloc
       16000 .text
- It is a stealer: it steals passwords from major FTP clients. The list will be mentioned below.
- It also acts as a TCP/UDP proxy service, allowing redirection of traffic.
- It also contains a downloader module, which downloads executables from the C2.
- The malware is configuration-specific, meaning certain main features can be turned off through a config mask.
Persistence and Presence
In the initial phase it starts a thread for mutex creation. The mutex name is formatted from a built-in string and a version number in the format %s_%d.
In this case the mutex name and version were “5629186B-0207-4659-AE5D-B09282932A86_519”. It checks continuously for this mutex and, if it is already present, terminates itself.
Main Configuration and Communication
The static config is decoded using a simple XOR algorithm with a 4-byte XOR key. After decoding the static config, various masks and structures are revealed, for example the IP address or the exfil HTTP server.
In this sample the XOR key was 96A534F0h, and after XORing the following information is revealed:
- IP address
- Exfil HTTP server
- Socket Ports
- Mask value for the config.
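The config decoding described above, as an added example written for this page (not the sample's or the analyst's code): it XORs a buffer with the reported key 96A534F0h, recovers the revealed strings by scanning for printable runs, and tests the ConfigMask bits using the bit numbering the page uses in the sections that follow. Assumptions: the key is applied as a repeating little-endian DWORD, bit 1 is the least significant bit, and the blob layout in demo_extract is constructed for the demo.

```c
#include <stdint.h>
#include <string.h>
#include <ctype.h>
/* Key the page reports for this sample: 96A534F0h. Assumption: the key is
 * laid over the buffer as a little-endian DWORD, repeating every 4 bytes. */
#define CONFIG_XOR_KEY 0x96A534F0u

/* XOR n bytes in place with the 4-byte key. XOR is its own inverse, so the
 * same call turns the stored blob into plaintext and back. */
void xor_config(uint8_t *buf, size_t n, uint32_t key) {
    for (size_t i = 0; i < n; i++)
        buf[i] ^= (uint8_t)(key >> (8 * (i % 4)));
}

/* Copy the first printable run of at least minlen bytes into out (NUL terminated)
 * and return its offset, or -1: how the C2 IP / exfil host strings are located. */
int first_printable_run(const uint8_t *buf, size_t n, size_t minlen,
                        char *out, size_t outsz) {
    size_t start = 0, run = 0;
    for (size_t i = 0; i <= n; i++) {
        if (i < n && isprint(buf[i])) { if (run++ == 0) start = i; continue; }
        if (run >= minlen) {
            size_t m = run < outsz - 1 ? run : outsz - 1;
            memcpy(out, buf + start, m); out[m] = '\0';
            return (int)start;
        }
        run = 0;
    }
    return -1;
}

/* The page numbers ConfigMask bits from 1 (1 registry persistence, 2 email
 * scraping with ConfigMask2 bit 1, 3 TCP proxy, 4 init packets, 5 downloader);
 * assumption: bit 1 is the least significant bit. */
int config_bit(uint32_t mask, int bit) { return (int)((mask >> (bit - 1)) & 1u); }

/* Constructed sample, not the real layout: a little-endian mask DWORD followed
 * by an exfil host string, held XOR-encoded the way the binary stores it.
 * Decodes it, writes the mask, returns the host string's offset in the blob. */
int demo_extract(char *host, size_t hostsz, uint32_t *mask) {
    uint8_t blob[32] = {0x1D, 0, 0, 0};               /* bits 1,3,4,5 set */
    memcpy(blob + 4, "exfil.example.invalid", 21);
    xor_config(blob, sizeof blob, CONFIG_XOR_KEY);     /* as stored on disk */
    xor_config(blob, sizeof blob, CONFIG_XOR_KEY);     /* decoded again */
    *mask = (uint32_t)blob[0] | (uint32_t)blob[1] << 8 |
            (uint32_t)blob[2] << 16 | (uint32_t)blob[3] << 24;
    int off = first_printable_run(blob + 4, sizeof blob - 4, 6, host, hostsz);
    return off < 0 ? -1 : off + 4;
}
```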
It also adds a firewall exception rule and masquerades it as Microsoft Office.
In the next subroutine, three manual-reset events are created. These events are later used to trigger the C2 connection set.
It also generates a 16-byte bot ID based on system parameters or random numbers.
It is either taken from Software\Microsoft\Windows\CurrentVersion\vendorid or generated randomly via UID create using XOR and MOD.
Main Thread Modules
IP Update Thread
This thread connects to the C2 present in the binary. It continuously connects to the C2 IP and tries to update a DWORD used later in the initialization packet. This DWORD is saved in network byte order.
Now we will discuss the different configuration masks used.
ConfigMask: bit 4 (Init packet thread)
After the call to the C2 thread, it checks a DWORD value extracted from the configuration buffer, known as the ConfigMask variable. If bit 4 of the mask value is set, it starts another thread which continuously sends initialization packets to the C2 on a constant port number, using the following format for the value produced by the bot ID generation subroutine.
This subroutine encodes the data using a base64 algorithm and connects to the C2 from the base packet, using the port number obtained from the variable InitPacketPort (TCP 23407).
ConfigMask: bit 1 (Registry persistence thread)
If bit 1 is set, it starts a thread which keeps the malware persistent throughout using the well-known registry run key: Software\Microsoft\Windows\CurrentVersion\Run.
ConfigMask: Bit 3 (Create a TCP proxy tunnel)
In this subroutine a critical section is created, shared for synchronization between the two threads created here. The data shared through the critical section is 128 bytes long.
This thread binds a TCP port, ListenPort: 1080, and listens on it. When a connection is accepted, the IP address of the connecting machine is checked against a 128-byte array with the following validation:
    // decompiled check, evaluated for i = 0..3 (one IPv4 octet at a time)
    ((unsigned __int8)(128 >> (unsigned __int8)(hostlonga >> (32 - (8 * i + 8))) % 8)
     & (unsigned __int8)*(&_80hBytes[32 * i]
        + (unsigned __int8)((signed int)(unsigned __int8)(hostlonga >> (32 - (8 * i + 8))) >> 3))) != 0;
where hostlonga = IP address of the connecting machine.
After that it receives one byte from the socket, which is used to determine what type of proxy is to be created:
value 4 = IP-based proxy (the received data will contain a raw IP address)
value 5 = host-name-based proxy (the received data will contain a printable domain name)
For an IP-based proxy
8 bytes are received again from the C2, formatted as:
    BYTE  Type1;       // should be 1, otherwise the request fails
    WORD  PortNumber;
    DWORD Ipaddress;   // IP of target system (host order)
If the type check fails (Type1 is not 1), the DWORD (0x005B || 0x000000) is sent to the C2 as a failure packet;
otherwise (0x005A || 0x000000) is sent as a success packet.
The 128-byte buffer is received by a thread from the C2 on port ProxyInfoPort: 23404.
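The connecting-client check and the 8-byte request handling described above, as an added example written for this page rather than code from the sample or the analyst: the decompiled expression restated as a readable function over the 128-byte _80hBytes buffer, plus the page's Type1 / 0x5A / 0x5B rule (the version bytes 4 and 5, port 1080 and the 0x5A/0x5B replies are the SOCKS4/SOCKS5 proxy conventions, which the page does not name). Assumptions: field offsets 0, 2 and 4 (natural BYTE/WORD/DWORD alignment, which is what makes the struct 8 bytes), little-endian byte order for port and IP, and the constructed demo_allowlist that admits only 10.1.2.0/24.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* The 128-byte buffer the page calls _80hBytes, received from the C2 on
 * ProxyInfoPort 23404: four 256-bit bitmaps, 32 bytes per octet position i
 * (0 = most significant octet). Octet value v at position i is allowed when
 * bit (0x80 >> (v & 7)) of byte 32*i + (v >> 3) is set. */
typedef struct { uint8_t bits[128]; } octet_allowlist;

/* Helper constructed for this example: mark octet value v allowed at position i. */
void allow_octet(octet_allowlist *al, int i, uint8_t v) {
    al->bits[32 * i + (v >> 3)] |= (uint8_t)(0x80 >> (v & 7));
}

/* The decompiled test from the page, written plainly. hostlonga is the
 * connecting client's IPv4 address in host byte order; all four octets must be
 * allowed, otherwise the proxy refuses the client. */
bool client_allowed(const octet_allowlist *al, uint32_t hostlonga) {
    for (int i = 0; i < 4; i++) {
        uint8_t v = (uint8_t)(hostlonga >> (32 - (8 * i + 8)));
        if ((al->bits[32 * i + (v >> 3)] & (0x80 >> (v & 7))) == 0)
            return false;
    }
    return true;
}

/* Constructed sample list: only clients in 10.1.2.0/24 are accepted. */
octet_allowlist demo_allowlist(void) {
    octet_allowlist al;
    memset(&al, 0, sizeof al);
    allow_octet(&al, 0, 10); allow_octet(&al, 1, 1); allow_octet(&al, 2, 2);
    for (int v = 0; v < 256; v++) allow_octet(&al, 3, (uint8_t)v); /* any last octet */
    return al;
}

/* The 8 bytes received after a version byte of 4: BYTE Type1, WORD PortNumber,
 * DWORD Ipaddress (page). Returns the status the page describes: 0x5A on
 * success, 0x5B when Type1 is not 1 (the SOCKS4 granted/rejected codes). */
uint8_t proxy_request_status(const uint8_t req[8], uint16_t *port, uint32_t *ip) {
    if (req[0] != 1) return 0x5B;
    /* Assumption: fields sit at their natural offsets 0, 2, 4 and the WORD and
       DWORD are little-endian, as a struct copied straight from recv() would be. */
    *port = (uint16_t)(req[2] | (req[3] << 8));
    *ip   = (uint32_t)req[4] | (uint32_t)req[5] << 8 |
            (uint32_t)req[6] << 16 | (uint32_t)req[7] << 24;
    return 0x5A;
}
```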
ConfigMask: bit 5 (Download executable)
If bit 5 is set, it connects to all C2s using a specified port number, sends some data (a placeholder ‘SgrC’) to the C2 and downloads an executable.
ConfigMask: bit 2 and ConfigMask2: bit 1
If these bits are set, it starts a routine for capturing email addresses from all files in the root drive. However, it skips files with the extensions listed below.