Skip to main content

Analysis: Trojan.Downloader.d602d80109fbb976449f6e0c5bcea51a0adb85e5f233cae02625896622f46b75

An analysis of a Trojan.Downloader I recently pulled out from one of my honeypots, which led to an interesting find.

Loading the sample into Relyze and viewing the strings, there are a few things which jump out:

.rdata:0x0001CBC8 string_http117411_1:
.rdata:0x0001CBC8        db "http://117.41.185.216:9999/cmd.exe\x00"
.rdata:0x0001CBEB        dd 0x00000000
.rdata:0x0001CBEF        dd 0x00000000
.rdata:0x0001CBF3        db 0x00
.rdata:0x0001CBF4 string_ccmdexe:
.rdata:0x0001CBF4        db "c:\\cmd.exe\x00"
.rdata:0x0001CBFF        dd 0x00000000
.rdata:0x0001CC03        db 0x00
.rdata:0x0001CC04 string_http117411:
.rdata:0x0001CC04        db "http://117.41.185.216:9999/serv.exe\x00"
.rdata:0x0001CC28        dd 0x00000000
.rdata:0x0001CC2C        dd 0x00000000
.rdata:0x0001CC30 string_cservexe:
.rdata:0x0001CC30        db "c:\\serv.exe\x00"
.rdata:0x0001CC3C        dd 0x00000000

Presumably, the Trojan will download the files from 117.41.185.216:9999 and store the downloaded file in the root of C:\.

I wonder if there is a directory listing on that URL… Yes it does. In fact the URI points to a HFS File Server (http://www.rejetto.com/hfs/).

Presumably all of those binaries are various forms of malware :/

Guess I know what the next several articles are going to be written on…

References

VirusTotal

Sample - https://www.virustotal.com/en/file/d602d80109fbb976449f6e0c5bcea51a0adb85e5f233cae02625896622f46b75/analysis/

SHA256 Hashes of all found files in the root of the HFS Server:
956fb360812924c15a388c1aff001bff8153a011f8e49e5a151bc4f05c4e6ac7
24bad2f2095ed17cc45a629c780d331f3767f14e32eeff35893e0cb48a9b13d5
7d99db10fc754bc0b7eb3067ddd39eeb9ca621193e7170b229abddc5d1a04f22
759e2795c7e15e8e074cff3481aa5d00248b1404828cbc2c89028161c05e46c7
843dab8bedaec4b73a3789ed2247baaaa9f9ef967e34e6de52af3491379523bb
42a0ad22bffb187544a18101cd0ba7980cfef823e8bdb3b15f21d0bf14142c0b
148226ef442310f10edc9ec1d012b37f729d2544065df6498321fda9e0a0f1f8
874fcaf532297c2cbfec631c723b19f16946902213aef482001507a423adb87c
1ba47a5b3ec3dd8af56b92f37c02649fc4a001bf24e2cd820bf60bbddd22da37
e1309c606e39a6b2f976610a2f4319d20f802c8a2eb28e1c4c31040e1b602c9e
2a1d5abf6e5fa8473b4e84bad325c1e0f6c3660d267a9cd5ba88dcb47117edde
4045799daf14d28f3f6ba6ebb90f8f2234bed471146a5ba5a2cd5e0befd73709
d47a00f4e0f251fbc3a46eba988cfc9b1b2db40a04fe5c29afe50a03bcd50adc
0d32b6a4dfc1aecae0dad6359714743467f13ba5c54ccdd095f8255bc92fcde2
0eefc9d79a7b2f925c1e1beb28296254216b28ab69972b3654fff9029a600c54
4a61b5cd437fd724b81defcc7ad1785d63e06bb7c68f0ab9fe60b8f6dcfda429
1e73975dd299c8b4ee19060c581764f5ab80d520b29ac1b7e6bd0fd9fd4c4766
65a1287ce1de9ff0e505496bc8c89c83096d66a4e219701e39b3f1bc4ff40f9e
58dde47d0ae3d1df650c66845a57d15d27afe1d9a0bbe7707bede3b4d3dd0946

Tools

  1. Relyze – https://www.relyze.com/
  2. PEStudio