TrojanDownloader.Wask Analysis
The file is not packed. It has been written in MSVC (Possibly 2010). Following are the headers present in the PE structure.
Below is the PEDUMP of the Trojan
PE signature found
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (x86)
4 number of sections
518EF109 time date stamp Sun May 12 07:01:53 2013
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
102 characteristics
Executable
32 bit word machine
OPTIONAL HEADER VALUES
10B magic # (PE32)
9.00 linker version
16000 size of code
9E00 size of initialized data
0 size of uninitialized data
1E80 entry point (00401E80)
1000 base of code
17000 base of data
400000 image base (00400000 to 00421FFF)
1000 section alignment
200 file alignment
5.00 operating system version
0.00 image version
5.00 subsystem version
0 Win32 version
22000 size of image
400 size of headers
0 checksum
2 subsystem (Windows GUI)
8000 DLL characteristics
Terminal Server Aware
100000 size of stack reserve
1000 size of stack commit
6400000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
0 [ 0] RVA [size] of Export Directory
1C10C [ DC] RVA [size] of Import Directory
0 [ 0] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
21000 [ E44] RVA [size] of Base Relocation Directory
0 [ 0] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
0 [ 0] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
17000 [ 21C] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of COM Descriptor Directory
0 [ 0] RVA [size] of Reserved Directory
SECTION HEADER #1
.text name
15E35 virtual size
1000 virtual address (00401000 to 00416E34)
16000 size of raw data
400 file pointer to raw data (00000400 to 000163FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read
SECTION HEADER #2
.rdata name
5B54 virtual size
17000 virtual address (00417000 to 0041CB53)
5C00 size of raw data
16400 file pointer to raw data (00016400 to 0001BFFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
Read Only
SECTION HEADER #3
.data name
31D0 virtual size
1D000 virtual address (0041D000 to 004201CF)
C00 size of raw data
1C000 file pointer to raw data (0001C000 to 0001CBFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000040 flags
Initialized Data
Read Write
SECTION HEADER #4
.reloc name
F76 virtual size
21000 virtual address (00421000 to 00421F75)
1000 size of raw data
1CC00 file pointer to raw data (0001CC00 to 0001DBFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
42000040 flags
Initialized Data
Discardable
Read Only
Summary
4000 .data
6000 .rdata
1000 .reloc
16000 .text
- It is a stealer. It steals the password from major FTP clients. The list will be mentioned below
- It also acts as a TCP / UDP proxy service allowing redirection of traffic.
- It also contains a downloader module, which downloads executables from c2c.
- This malware is configuration-specific which means certain main features can be turned off using a config mask.
Persistence and Presence
In the initial phase, it starts a thread for mutex creation. The mutex name is formatted using an inbuilt string and a version number in a %s_%d format.
In this case, the mutex and version was “5629186B-0207-4659-AE5D-B09282932A86_519.” It checks continuously for this mutex, and if present, it terminates itself.
Main Configuration and Communication
Static config is decoded using a simple XOR algorithm using a 4 byte XOR key. After decoding static config, various masks and structures are revealed – for example, IP Address or Exfil HTTP server.
In this sample XOR key was 96A534F0h, and after XORing, the following information is revealed:
- IP address
- Exfil HTTP server
- Socket Ports
- Mask value for config.
It also adds a firewall exception rule and masquerades it as Microsoft Office:
In the next subroutine, three manual reset events are created. These events will be later used to trigger c2 connection set.
It also generates a 16byte bot ID based on system parameters or random numbers.
It is either taken from softwaremicrosoftwindowscurrentversionvendorid or generated random using UID create using XOR and MOD.
Main Thread Modules
IP Update Thread
This thread connects to c2 which is present in the binary. It will continuously connect to c2 ip and will try to update a DWORD used later in the initialization packet. This DWORD is saved in Network Byte order.
Now we will discuss different configuration masks used.
ConfigMask: bit 4 (Init packet thread)
After the call to c2thread, it checks a DWORD value extracted from the configuration buffer which is known as the ConfigMask variable. If the 4th bit is set from the mask value, then it starts another thread which will continuously send initialization packets to the c2 and a constant port number using the following format for the value generated from BOTID generation subroutine as mentioned below.
%08X-%04X-%04X-%02X%02X%02X%02X%02X%02X%02X%02X
This subroutine encodes data using a base64 algorithm and connects to c2 from the base packet using port number again obtained from variable InitPacketPort TCP:23407.
Configmask: bit 1 (Registry persistence thread)
If bit 1 is set, then it will start a thread which keeps the malware persistent thought-out using a well know registry value to run on start: SoftwareMicrosoftWindowsCurrentVersionRun.
ConfigMask: Bit 3 (Create a TCP proxy tunnel)
In this subroutine a critical section is created which is shared for synchronization between two threads created in this subroutine. Data Shared using Critical section is 128 bytes long.
Thread1:
This thread binds a TCP port named as ListenPort: 1080 and binds over it . When a connection is accepted an IP address of connecting machine is checked against a 128byte array with the following validation.
((unsigned __int8)(128 >> (unsigned __int8)(hostlonga >> (32 – (8 * i + 8))) % 8) & (unsigned __int8)*(&_80hBytes[32 * i] + (unsigned __int8)((signed int)(unsigned __int8)(hostlonga >>
(32 – (8 * i + 8))) >> 3))) != 0;
where hostlonga = Ipaddress of connecting machine
After that it receives one bye from socket which is used to check for what type of proxy it is supposed to be created.
value 4 = Ip based proxy ( received response will contain a raw ip address)
value 5 = Host name based proxy ( response will contain a printable domain name )
For Ip based proxy
8 bytes are received again from c2 which are formatted as
struct _8bytepacket
{
BYTE Unused;
BYTE Type1; // Should be 1 otherwise fails
WORD PortNumber ;
DWORD Ipaddress;/ IP of target system (HOST order )
}
If type == 1 . then (0x005b || 0x000000) DWORD is sent as failure packet to c2
otherwise (0x005A || 0x000000 ) is sent as success packet
Thread2:
This thread which receives a 128-byte buffer from c2 connecting to port ProxyInfoPort:23404
Configmask: bit 5 (download executable)
If bit 5 is set it will connect to all c2 using a specified port number and will send some data / a placeholder ‘SgrC’ to c2 and will download an executable
ConfigMask: bit 2 and Configmask2 bit 1
If these bits are set, it will start a routine for capturing email addresses from all files in root drive. However, it will skip from following extensions as mentioned below
