An analysis of a Trojan.Downloader I recently pulled out from one of my honeypots, which led to an interesting find.
Loading the sample into Relyze and viewing the strings, there are a few things which jump out:
.rdata:0x0001CBC8 string_http117411_1:
.rdata:0x0001CBC8 db "http://117.41.185.216:9999/cmd.exe\x00"
.rdata:0x0001CBEB dd 0x00000000
.rdata:0x0001CBEF dd 0x00000000
.rdata:0x0001CBF3 db 0x00
.rdata:0x0001CBF4 string_ccmdexe:
.rdata:0x0001CBF4 db "c:\\cmd.exe\x00"
.rdata:0x0001CBFF dd 0x00000000
.rdata:0x0001CC03 db 0x00
.rdata:0x0001CC04 string_http117411:
.rdata:0x0001CC04 db "http://117.41.185.216:9999/serv.exe\x00"
.rdata:0x0001CC28 dd 0x00000000
.rdata:0x0001CC2C dd 0x00000000
.rdata:0x0001CC30 string_cservexe:
.rdata:0x0001CC30 db "c:\\serv.exe\x00"
.rdata:0x0001CC3C dd 0x00000000
Presumably, the Trojan will download the files from 117.41.185.216:9999 and store each downloaded file in the root of C:\.
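As an added example (not part of the original write-up), here is a small Python triage helper that does mechanically what the strings view shows by eye: it walks a section dump for printable strings, pairs each URL with the drive-letter path that follows it, and reduces the pairs to host:port indicators for blocking or hunting. The buffer it runs on is constructed to mimic the .rdata layout above and is not bytes from the real sample; the adjacency heuristic and the regexes are my assumptions, not anything the downloader is documented to guarantee.

```python
import re
from collections import namedtuple

Drop = namedtuple("Drop", "url path")

# Constructed stand-in for the .rdata section: NUL-terminated ASCII strings
# with zero padding, laid out like the listing above. Not real sample bytes.
SAMPLE_RDATA = (
    b"http://117.41.185.216:9999/cmd.exe\x00" + b"\x00" * 9
    + b"c:\\cmd.exe\x00" + b"\x00" * 5
    + b"http://117.41.185.216:9999/serv.exe\x00" + b"\x00" * 8
    + b"c:\\serv.exe\x00" + b"\x00" * 4
)

# Assumed shapes of a download URL and a Windows drop path (heuristic).
URL_RE = re.compile(r"^https?://[^\s/]+/\S*$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S*$")


def ascii_strings(buf, min_len=4):
    """Return (offset, text) for each run of printable ASCII of at least min_len bytes,
    the same thing a 'strings' view in a disassembler gives you."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, buf)]


def extract_drops(buf):
    """Pair each URL string with the next drive-letter path after it.

    Downloaders commonly keep the source URL and the destination path next to
    each other in read-only data, so URL-then-path adjacency is a useful (but
    heuristic) signal of a download-and-drop routine.
    """
    drops = []
    pending_url = None
    for _, s in ascii_strings(buf):
        if URL_RE.match(s):
            pending_url = s
        elif PATH_RE.match(s) and pending_url:
            drops.append(Drop(pending_url, s))
            pending_url = None
    return drops


def network_iocs(drops):
    """Reduce the drops to the unique host:port values worth blocking or hunting for."""
    hosts = {d.url.split("//", 1)[1].split("/", 1)[0] for d in drops}
    return sorted(hosts)


if __name__ == "__main__":
    found = extract_drops(SAMPLE_RDATA)
    for d in found:
        print(f"{d.url} -> {d.path}")
    print("network IOCs:", network_iocs(found))
```

On the constructed buffer this yields the two URL/path pairs seen in the listing and a single indicator, 117.41.185.216:9999, which is the value you would feed to a proxy blocklist or a firewall-log search.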
I wonder if there is a directory listing on that URL… Yes, there is. In fact the URI points to an HFS file server (http://www.rejetto.com/hfs/).
Presumably all of those binaries are various forms of malware :/
Guess I know what the next several articles are going to be written on…
References
VirusTotal
Sample - https://www.virustotal.com/en/file/d602d80109fbb976449f6e0c5bcea51a0adb85e5f233cae02625896622f46b75/analysis/
SHA256 hashes of all files found in the root of the HFS server:
- Relyze – https://www.relyze.com/
- PEStudio