September 4, 2015 By Igor Aronov 9 min read

I’ve recently investigated malware that we received from a customer. The SHA-256 is: f4d9660502220c22e367e084c7f5647c21ad4821d8c41ce68e1ac89975175051.

This is not particularly complex malware from a technical point of view, but it illustrates some of the most common techniques used by malware authors to complicate dynamic (automated) and static (manual) analysis.

To detect a dynamic analysis environment, the malware builds a vector containing the names of the following programs:

  • “OLLYDBG”
  • “W32DASM”
  • “WIRESHARK”
  • “SOFTICE”
  • “PROCESS EXPLORER”
  • “PROCESS MONITOR”
  • “PROCESS HACKER”

The malware enumerates all windows on the infected system, and if any of them belongs to one of the programs listed above, the malware enters a loop and waits for that program to exit. This is a primitive technique, but it is easy and straightforward to implement in code.

To complicate the static analysis, the malware implements two additional techniques:

1. Any significant strings in the malware are encrypted using a custom encryption scheme. This has the following implications for the malware authors and analysts:

  • Command-and-control (C&C) domain(s) can be hard-coded in the malware. There is no need for malware authors to generate domain generation algorithms (DGA). DGA output is a good candidate for signatures, and malware authors can in some cases incur significant “maintenance” costs from constantly changing DGAs.
  • Application programming interfaces (APIs) used by the malware are resolved at runtime, and the names of those APIs are decrypted at runtime as well. Static analysis therefore becomes meaningful only after an analyst understands the encryption scheme.

2. Communication with the C&C is encrypted using a custom scheme:

  • The malware talks to the C&C using custom-encrypted/obfuscated messages carried over regular HTTP. This lets malware authors build a fairly generic module that offers a low-cost way of changing the communication scheme between the infected clients and the C&C. Additionally, real-time network analysis/monitoring can be rendered partially or totally ineffective.

Now let’s take a deeper look at the string encryption scheme. Consider, for example, the following string: “UHEOtTKwmsDb1J/2f8l/5w==”. It looks like a base64-encoded string, but the encryption scheme is slightly more complicated. As a first step, the malware generates a key from hard-coded data. The key generation steps are shown below:

A hard-coded string is taken: (1)

0386038  74 31 37 2E 30 38 2E 33  31 2E 46 43 30 36 31 37  t17.08.31.FC0617
0386048  2E 35 35 30 36 2E 35 35  30 36 2E 36 38 33 37 00  .5506.5506.6837.

(1) is then base64-encoded: (2)

00386078  64 44 45 33 4C 6A 41 34  4C 6A 4D 78 4C 6B 5A 44  dDE3LjA4LjMxLkZD
00386088  4D 44 59 78 4E 79 34 31  4E 54 41 32 4C 6A 55 31  MDYxNy41NTA2LjU1
00386098  4D 44 59 75 4E 6A 67 7A  4E 77 3D 3D 00 AB AB AB  MDYuNjgzNw==

The MD5 hash of (2) is then calculated: (3)

0012F360  63 35 64 37 30 32 61 31  30 34 30 37 62 61 39 62  c5d702a10407ba9b
0012F370  37 32 62 33 61 35 66 35  30 30 37 37 36 66 38 36  72b3a5f500776f86

Next, the malware calculates an MD5 hash of the following hard-coded blob of data: (4)

.rdata:0043F2F0 72 36 78 41 34 46 5A 32+aR6xa4fz2omkmot db 'r6xA4FZ2OmKMOt0EfxM0F0LwhvpIIu5WQTwKI1SlFtpTj9o+voFRfPhMGgG0fiA3B'
.rdata:0043F2F0 66 78 4D 30 46 30 4C 77+db 'fGHlSHbtQpji2hY0M1gKwLVvTXXlaGyU0BVDUaIMTOBXMaWu+ma0cwe3Z4kGkxn9A'
.rdata:0043F2F0 68 76 70 49 49 75 35 57+db 'j9Ux0iFSNWLnj4IxWbVEPGQb6BtJ8 UNk0OZ2sgHP4PwcqIIsriRy0Whe2NKsnT9n'
.rdata:0043F2F0 51 54 77 4B 49 31 53 6C+db 'WoxZ2LCunxF6lZtO0Wp7ZDKa3VihgWPGreePSOv7PG9 qINIupu+w0LSj3LJvZZJk'
.rdata:0043F2F0 46 74 70 54 6A 39 6F 2B+db 'r9TiZWvBgrDDDpfEa5SBo6cHqvgj8NtdOiwT8V 8YeuGbjKtna6+CDFRm 8YC1icD'
.rdata:0043F2F0 76 6F 46 52 66 50 68 4D+db 'gIYnkMnDd REwsITh4WCqHek+ wO4HPQBJuxapX9n0OQliWcYHWQWQ6eeeajVtQ2I'
.rdata:0043F2F0 47 67 47 30 66 69 41 33+db '0gQjgFi6Nv3s3GN8wKw8 RUljQtjah71fB+IoXTIa0RNmwmLUpOyl CCoRy+Exo y'
.rdata:0043F2F0 42 66 47 48 6C 53 48 62+db 'qLprerBsgZmfZ26f10oJJq YpgCSZI+jH9EJUSOWIr0FqF5V5OndeShwyEGeXky E'
.rdata:0043F2F0 74 51 70 6A 69 32 68 59+db 'urMbnT FHKo8evJLsSMY9qDKMk3YMufdCT4EVre9NVROUFeKBjt5yWv+L7ZwPt1Z3'
.rdata:0043F2F0 30 4D 31 67 4B 77 4C 56+db 'C0ECvCe0e0K1TPfb0Os9UrX090g N EybD0YwEiAK7FUyiC10pMlV9Ac8pTueQ37f'
.rdata:0043F2F0 76 54 58 58 6C 61 47 79+db 'e0E5WO+SC0G22qityX9B7b0eRZ2xNV4kZ60N2r0NWbin2kdHK4P5Q9upswqPrL0cs'
.rdata:0043F2F0 55 30 42 56 44 55 61 49+db 'SZr6UYr1yDOhAB0CEu+4As74Bn61P+UHPkQFmy4S BmMZKqh7v6ALVIbcJsEh5vGk'
.rdata:0043F2F0 4D 54 4F 42 58 4D 61 57+db 'MqPSUXPk5tXVXBfFmnJOmi00rfEPBv7yFqfIqGC3KV4ipNm1quFDE4PLvD0oEtmBH'
.rdata:0043F2F0 75 2B 6D 61 30 63 77 65+db '2TJLcxtWL30l2TIXS3tvLsS5BkR2dB OtWdnQXv 2toQ9wkER2dR8BOn04ttOu',0

The MD5 hash is: (5)

00386110  34 61 61 61 65 61 61 39  66 38 31 35 61 30 61 66  4aaaeaa9f815a0af
00386120  34 39 31 37 30 30 33 35  62 64 34 33 31 32 39 66  49170035bd43129f

(3) and (5) are concatenated: (6)

00386160  63 35 64 37 30 32 61 31  30 34 30 37 62 61 39 62  c5d702a10407ba9b
00386170  37 32 62 33 61 35 66 35  30 30 37 37 36 66 38 36  72b3a5f500776f86
00386180  34 61 61 61 65 61 61 39  66 38 31 35 61 30 61 66  4aaaeaa9f815a0af
00386190  34 39 31 37 30 30 33 35  62 64 34 33 31 32 39 66  49170035bd43129f

The MD5 hash of (6) is calculated and becomes the key for the Tiny Encryption Algorithm (TEA): (7)

00386078  31 37 62 35 33 30 36 36  31 37 61 39 65 61 63 37  17b5306617a9eac7
00386088  36 61 39 38 66 66 62 38  61 31 37 39 35 66 30 61  6a98ffb8a1795f0a

At this point, preparation is finished and the malware is ready to decrypt strings. The decryption algorithm is as follows:

1. Take the encrypted string — for example, “UHEOtTKwmsDb1J/2f8l/5w==” — and apply a base64-like function to it.

2. Apply TEA to the result of step 1, using the key produced in (7).

3. A simple final loop yields the decrypted string:

.text:0041B9B0 0F BE 14 31             movsx   edx, byte ptr [ecx+esi]
.text:0041B9B4 F6 C1 01                test    cl, 1
.text:0041B9B7 75 06                   jnz     short loc_41B9BF
.text:0041B9B9 2B D1                   sub     edx, ecx
.text:0041B9BB 03 D0                   add     edx, eax
.text:0041B9BD EB 04                   jmp     short loc_41B9C3
.text:0041B9BF                         ; ---------------------------------------------------------------------------
.text:0041B9BF
.text:0041B9BF                         loc_41B9BF:
.text:0041B9BF 2B D0                   sub     edx, eax
.text:0041B9C1 03 D1                   add     edx, ecx
.text:0041B9C3
.text:0041B9C3                         loc_41B9C3:
.text:0041B9C3 88 14 31                mov     [ecx+esi], dl
.text:0041B9C6 41                      inc     ecx
.text:0041B9C7 3B C8                   cmp     ecx, eax
.text:0041B9C9 72 E5                   jb      short loc_41B9B0

4. The decrypted string is:

00385FB8  57 53 41 53 74 61 72 74  75 70 00 00 00 00 00 00  WSAStartup......
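The key derivation in (1) through (7) and the three decryption steps above, put together in Python as an added example. This is not code from the post or from the malware; it is written here to make the scheme concrete. Everything the post leaves unspecified is an assumption and is marked as such in the comments: the “base64-like” step is treated as plain base64, TEA is the standard 32-round variant with little-endian 32-bit words, the first 16 bytes of the hex text in (7) are taken as the 128-bit key, and because the blob in (4) is reproduced above with gaps, a constructed stand-in is used for it, so the key this code derives is not the malware's (7). The base64 step (2) can be checked against the dump above, the final loop is a direct transcription of the listing at .text:0041B9B0, and the inverse routines are included so the whole pipeline can be round-tripped on constructed input.

```python
import base64
import hashlib

# (1) Hard-coded version string shown in the post.
VERSION_STRING = b"t17.08.31.FC0617.5506.5506.6837"

# (4) The .rdata blob is reproduced in the post with gaps, so the real key (7)
# cannot be rebuilt here. This is a constructed stand-in that only exercises the steps.
RDATA_BLOB = b"CONSTRUCTED-STAND-IN-FOR-THE-RDATA-BLOB"

# Standard TEA parameters. The post says "TEA" without naming a variant, so
# 32 rounds, delta 0x9E3779B9 and little-endian words are assumptions.
TEA_DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF


def derive_key_material(version: bytes, blob: bytes) -> dict:
    """Steps (2)-(7); every intermediate is returned so it can be compared with the dumps."""
    step2 = base64.b64encode(version)                 # (2) base64 of (1)
    step3 = hashlib.md5(step2).hexdigest().encode()   # (3) MD5 of (2), kept as hex text
    step5 = hashlib.md5(blob).hexdigest().encode()    # (5) MD5 of the blob, as hex text
    step6 = step3 + step5                             # (6) 64 hex characters
    step7 = hashlib.md5(step6).hexdigest().encode()   # (7) 32 hex characters, the TEA key
    return {"b64": step2, "md5_b64": step3, "md5_blob": step5, "concat": step6, "key": step7}


def tea_key_words(key_text: bytes) -> list:
    # Assumption: the first 16 bytes of the hex text become TEA's four 32-bit words.
    return [int.from_bytes(key_text[i:i + 4], "little") for i in range(0, 16, 4)]


def _tea_round(x: int, k_a: int, k_b: int, s: int) -> int:
    # The TEA round function, truncated to 32 bits.
    return (((x << 4) + k_a) ^ (x + s) ^ ((x >> 5) + k_b)) & MASK32


def tea_decrypt_block(v0: int, v1: int, k: list) -> tuple:
    s = (TEA_DELTA * 32) & MASK32
    for _ in range(32):
        v1 = (v1 - _tea_round(v0, k[2], k[3], s)) & MASK32
        v0 = (v0 - _tea_round(v1, k[0], k[1], s)) & MASK32
        s = (s - TEA_DELTA) & MASK32
    return v0, v1


def tea_encrypt_block(v0: int, v1: int, k: list) -> tuple:
    s = 0
    for _ in range(32):
        s = (s + TEA_DELTA) & MASK32
        v0 = (v0 + _tea_round(v1, k[0], k[1], s)) & MASK32
        v1 = (v1 + _tea_round(v0, k[2], k[3], s)) & MASK32
    return v0, v1


def final_unmask(buf: bytes) -> bytes:
    """The loop at .text:0041B9B0: eax holds the length, ecx the index.
    Even index: byte - index + length. Odd index: byte - length + index."""
    n = len(buf)
    return bytes((((b - n + i) if i & 1 else (b - i + n)) & 0xFF) for i, b in enumerate(buf))


def final_mask(buf: bytes) -> bytes:
    """Inverse of final_unmask, i.e. what a string builder on the author's side would do."""
    n = len(buf)
    return bytes((((b + n - i) if i & 1 else (b + i - n)) & 0xFF) for i, b in enumerate(buf))


def _tea_ecb(data: bytes, k: list, block_fn) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 8):                # one 8-byte TEA block at a time
        v0 = int.from_bytes(data[off:off + 4], "little")
        v1 = int.from_bytes(data[off + 4:off + 8], "little")
        r0, r1 = block_fn(v0, v1, k)
        out += r0.to_bytes(4, "little") + r1.to_bytes(4, "little")
    return bytes(out)


def decrypt_string(encoded: str, key_text: bytes) -> bytes:
    data = base64.b64decode(encoded)                  # step 1 (plain base64 assumed)
    plain = _tea_ecb(data, tea_key_words(key_text), tea_decrypt_block)  # step 2
    return final_unmask(plain)                        # step 3; caller strips the NUL padding


def encrypt_string(plain: bytes, key_text: bytes) -> str:
    padded = plain + b"\x00" * (-len(plain) % 8)
    masked = final_mask(padded)
    return base64.b64encode(_tea_ecb(masked, tea_key_words(key_text), tea_encrypt_block)).decode()


if __name__ == "__main__":
    km = derive_key_material(VERSION_STRING, RDATA_BLOB)
    print("(2)", km["b64"].decode())
    token = encrypt_string(b"WSAStartup", km["key"])
    print(token, "->", decrypt_string(token, km["key"]).rstrip(b"\x00"))
```

Because the key is derived from data that sits in the binary, and the base64 and MD5 stages are stock primitives, this layer only costs an analyst the time it takes to locate the two inputs; once they are extracted, every string in the sample decrypts with the same routine.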

The payload consists of data gathered about the system, separated by hard-coded strings from the “.data” section. This is a pretty standard scheme in malware. The payload generation steps are described below:

The malware creates a pseudorandom string and concatenates it with “&”; for example, on the test system: (8)

debug180:00385ED8 26 44 6D 31 63 4C 3D 00 aDm1cl_0 db '&Dm1cL=',0

The hostname and PID are added: (9)

debug180:00385F38 26 44 6D 31 63 4C 3D 69+aDm1clIiiii0000000013544 db '&Dm1cL=iiiii-000000001*3544',0

An additional pseudorandom string is created and concatenated with hard-coded values: (10)

debug180:00386280 26 63 37 6A 72 4D 71 74+aC7jrmqt712 db '&c7jrMqt7=12',0

(8), (9) and (10) are concatenated: (11)

debug180:00385F38 26 44 6D 31 63 4C 3D 69+aDm1clIiiii0000000013544C7jrmqt712 db '&Dm1cL=iiiii-000000001*3544&c7jrMqt7=12',0

Hard-coded data is added to (11): (12)

debug180:00386248 26 44 6D 31 63 4C 3D 69+aDm1clIiiii0000000013544C7jrmqt712DateFverT17_08 db '&Dm1cL=iiiii-000000001*3544&c7jrMqt7=12&date=fVER: t17.08.31.FC06'

The MD5 hash from (5) is taken, and a sub-string of it is used: (13)

debug180:00385B90 66 38 31 35 61 30 61 66+aF815a0af49170035 db 'f815a0af49170035',0

(13) is appended to (12):

00386248  26 44 6D 31 63 4C 3D 69  69 69 69 69 2D 30 30 30  &Dm1cL=iiiii-000
00386258  30 30 30 30 30 31 2A 33  35 34 34 26 63 37 6A 72  000001*3544&c7jr
00386268  4D 71 74 37 3D 31 32 26  64 61 74 65 3D 66 56 45  Mqt7=12&date=fVE
00386278  52 3A 20 74 31 37 2E 30  38 2E 33 31 2E 46 43 30  R: t17.08.31.FC0
00386288  36 31 37 2E 66 38 31 35  61 30 61 66 34 39 31 37  617.f815a0af4917
00386298  30 30 33 35 00 00 00 00  00 00 00 00 00 AB AB AB  0035.

Information about the major/minor operating system versions and build is added to the payload: (14)

00385ED8  26 44 6D 31 63 4C 3D 69  69 69 69 69 2D 30 30 30  &Dm1cL=iiiii-000
00385EE8  30 30 30 30 30 31 2A 33  35 34 34 26 63 37 6A 72  000001*3544&c7jr
00385EF8  4D 71 74 37 3D 31 32 26  64 61 74 65 3D 66 56 45  Mqt7=12&date=fVE
00385F08  52 3A 20 74 31 37 2E 30  38 2E 33 31 2E 46 43 30  R: t17.08.31.FC0
00385F18  36 31 37 2E 66 38 31 35  61 30 61 66 34 39 31 37  617.f815a0af4917
00385F28  30 30 33 35 09 7C 09 4E  54 3A 20 36 2E 31 2E 37  0035.|.NT: 6.1.7
00385F38  36 30 31 00 00 00 00 00  00 00 00 00 00 AB AB AB  601.

Locale information is added to (14): (15)

00385ED8  26 44 6D 31 63 4C 3D 69  69 69 69 69 2D 30 30 30  &Dm1cL=iiiii-000
00385EE8  30 30 30 30 30 31 2A 33  35 34 34 26 63 37 6A 72  000001*3544&c7jr
00385EF8  4D 71 74 37 3D 31 32 26  64 61 74 65 3D 66 56 45  Mqt7=12&date=fVE
00385F08  52 3A 20 74 31 37 2E 30  38 2E 33 31 2E 46 43 30  R: t17.08.31.FC0
00385F18  36 31 37 2E 66 38 31 35  61 30 61 66 34 39 31 37  617.f815a0af4917
00385F28  30 30 33 35 09 7C 09 4E  54 3A 20 36 2E 31 2E 37  0035.|.NT: 6.1.7
00385F38  36 30 31 09 5B 65 6E 2D  55 53 5D 00 00 AB AB AB  601.[en-US]

Global memory information and system-time information are added to (15): (16)

00386248  26 44 6D 31 63 4C 3D 69  69 69 69 69 2D 30 30 30  &Dm1cL=iiiii-000
00386258  30 30 30 30 30 31 2A 33  35 34 34 26 63 37 6A 72  000001*3544&c7jr
00386268  4D 71 74 37 3D 31 32 26  64 61 74 65 3D 66 56 45  Mqt7=12&date=fVE
00386278  52 3A 20 74 31 37 2E 30  38 2E 33 31 2E 46 43 30  R: t17.08.31.FC0
00386288  36 31 37 2E 66 38 31 35  61 30 61 66 34 39 31 37  617.f815a0af4917
00386298  30 30 33 35 09 7C 09 4E  54 3A 20 36 2E 31 2E 37  0035.|.NT: 6.1.7
003862A8  36 30 31 09 5B 65 6E 2D  55 53 5D 09 7C 09 4D 45  601.[en-US].|.ME
003862B8  4D 3A 20 33 35 38 34 4D  09 7C 09 47 4D 54 28 2D  M: 3584M.|.GMT(-
003862C8  38 29 00 00 00 00 00 00  00 00 AB AB AB AB AB AB  8).

The data in (16) is then encoded with the following algorithm, which xors it with “Dm1cL,” a randomly generated key, and the result is HTML-escaped:

.text:00415DA5                         next_character:                         
.text:00415DA5 8B C3                   mov     eax, ebx
.text:00415DA7 3B DA                   cmp     ebx, edx
.text:00415DA9 73 1B                   jnb     short loc_415DC6
.text:00415DAB EB 03                   jmp     short encode_character_loop
.text:00415DAB                         ; ---------------------------------------------------------------------------
.text:00415DAD 8D 49 00                align 10h
.text:00415DB0
.text:00415DB0                         encode_character_loop:                  
.text:00415DB0                                                                 
.text:00415DB0 8B 16                   mov     edx, [esi]
.text:00415DB2 8A 14 02                mov     dl, [edx+eax]
.text:00415DB5 8B 7D 0C                mov     edi, [ebp+object]               ; loop through all characters in the randomly
.text:00415DB5                                                                 ; generated string, xor'ing it with given character
.text:00415DB8 30 14 0F                xor     [edi+ecx], dl
.text:00415DBB 8B 56 04                mov     edx, [esi+4]
.text:00415DBE 40                      inc     eax
.text:00415DBF 3B C2                   cmp     eax, edx
.text:00415DC1 72 ED                   jb      short encode_character_loop
.text:00415DC3 8B 7D 10                mov     edi, [ebp+size]
.text:00415DC6
.text:00415DC6                         loc_415DC6:                             
.text:00415DC6 41                      inc     ecx
.text:00415DC7 3B CF                   cmp     ecx, edi
.text:00415DC9 72 DA                   jb      short next_character

The xor’ed and escaped data is: (17)

00386780  44 6D 31 63 4C 3D 25 35  45 25 35 45 25 35 45 25  Dm1cL=%5E%5E%5E%
00386790  35 45 25 35 45 25 31 41  25 30 37 25 30 37 25 30  5E%5E%1A%07%07%0
003867A0  37 25 30 37 25 30 37 25  30 37 25 30 37 25 30 37  7%07%07%07%07%07
003867B0  25 30 36 25 31 44 25 30  34 25 30 32 25 30 33 25  %06%1D%04%02%03%
003867C0  30 33 26 63 37 6A 72 4D  71 74 37 3D 25 30 32 25  03&c7jrMqt7=%02%
003867D0  30 31 26 64 61 74 65 3D  72 42 51 46 2E 34 25 36  01&date=rBQF.4%6
003867E0  30 25 32 35 25 32 33 25  33 41 25 32 34 25 32 43  0%25%23%3A%24%2C
003867F0  25 33 41 25 32 37 25 32  35 25 33 41 52 57 25 32  %3A%27%25%3ARW%2
00386800  34 25 32 32 25 32 35 25  32 33 25 33 41 72 25 32  4%22%25%23%3Ar%2
00386810  43 25 32 35 25 32 31 75  25 32 34 75 72 25 32 30  C%25%21u%24ur%20
00386820  2D 25 32 35 25 32 33 25  32 34 25 32 34 25 32 37  -%25%23%24%24%27
00386830  25 32 31 25 31 44 68 25  31 44 5A 25 34 30 2E 34  %21%1Dh%1DZ%40.4
00386840  25 32 32 25 33 41 25 32  35 25 33 41 25 32 33 25  %22%3A%25%3A%23%
00386850  32 32 25 32 34 25 32 35  25 31 44 4F 71 7A 39 41  22%24%25%1DOqz9A
00386860  47 49 25 31 44 68 25 31  44 59 51 59 2E 34 25 32  GI%1Dh%1DYQY.4%2
00386870  37 25 32 31 25 32 43 25  32 30 59 25 31 44 68 25  7%21%2C%20Y%1Dh%
00386880  31 44 53 59 25 34 30 25  33 43 39 25 32 43 25 33  1DSY%40%3C9%2C%3
00386890  44 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  D
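The encoding loop above, worked through in Python as an added example (this is not code from the post). It shows two things. First, the loop at .text:00415DB0 xors every key byte into each payload byte in turn, which is the same as a single xor with the fold (xor) of all key bytes; for “Dm1cL” that is 0x37, so the “encryption” of a value is a single-byte xor. Second, an inference from the dumps (16) and (17) rather than something the post states: each parameter value is xored with the fold of its own parameter name, which is sent in the clear (“Dm1cL” gives 0x37, “c7jrMqt7” gives 0x33, “date” gives 0x14), and the result is then percent-escaped with letters, digits, “.” and “-” left as-is. Applying this to (16) reproduces (17) byte for byte, and the inverse decodes a captured beacon. The payload and encoded strings below are assembled from the hex dumps above; how “_” and “~” are treated is not visible in the dumps and is an assumption here (escaped).

```python
import string

# Payload (16) and its encoded form (17), assembled from the hex dumps in the post.
# The "\t|\t" separators are the 09 7C 09 bytes in the dump.
PAYLOAD_16 = (
    b"&Dm1cL=iiiii-000000001*3544&c7jrMqt7=12"
    b"&date=fVER: t17.08.31.FC0617.f815a0af49170035\t|\tNT: 6.1.7601\t[en-US]\t|\tMEM: 3584M\t|\tGMT(-8)"
)
ENCODED_17 = (
    "Dm1cL=%5E%5E%5E%5E%5E%1A%07%07%07%07%07%07%07%07%06%1D%04%02%03%03"
    "&c7jrMqt7=%02%01"
    "&date=rBQF.4%60%25%23%3A%24%2C%3A%27%25%3ARW%24%22%25%23%3Ar%2C%25%21u%24ur%20-"
    "%25%23%24%24%27%21%1Dh%1DZ%40.4%22%3A%25%3A%23%22%24%25%1DOqz9AGI%1Dh%1DYQY.4%27%21%2C%20Y%1Dh%1DSY%40%3C9%2C%3D"
)

# Bytes that appear unescaped in (17): letters, digits, "." and "-".
# Assumption: everything else, including "_" and "~", is escaped as %XX.
SAFE_BYTES = frozenset((string.ascii_letters + string.digits + ".-").encode())


def xor_like_malware(value: bytes, key: bytes) -> bytes:
    """Literal translation of the loop at .text:00415DA5: for every position in the
    value (outer loop, ecx) xor in every byte of the key (inner loop, eax)."""
    buf = bytearray(value)
    for i in range(len(buf)):
        for kb in key:
            buf[i] ^= kb
    return bytes(buf)


def fold_key(key: bytes) -> int:
    """xor'ing with each key byte in turn equals one xor with the xor of all key bytes."""
    k = 0
    for kb in key:
        k ^= kb
    return k


def percent_escape(data: bytes) -> str:
    return "".join(chr(b) if b in SAFE_BYTES else f"%{b:02X}" for b in data)


def percent_unescape(text: str) -> bytes:
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "%":
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def encode_payload(payload: bytes) -> str:
    """Payload "&name=value&name=value..." -> "name=esc(value ^ fold(name))&...", as in (17)."""
    fields = []
    for field in payload.split(b"&"):
        if not field:
            continue
        name, _, value = field.partition(b"=")
        k = fold_key(name)
        fields.append(name.decode("ascii") + "=" + percent_escape(bytes(b ^ k for b in value)))
    return "&".join(fields)


def decode_payload(encoded: str) -> bytes:
    """Inverse of encode_payload: the key material is the parameter name, which is in the clear."""
    out = b""
    for field in encoded.split("&"):
        name, _, value = field.partition("=")
        k = fold_key(name.encode("ascii"))
        out += b"&" + name.encode("ascii") + b"=" + bytes(b ^ k for b in percent_unescape(value))
    return out


if __name__ == "__main__":
    print(encode_payload(PAYLOAD_16) == ENCODED_17)
    print(decode_payload(ENCODED_17))
```

For network monitoring the useful part is decode_payload: the per-parameter key is the parameter name itself, so a captured beacon can be decoded without the sample, and a detection can key on the cleartext structure (random parameter name, percent-escaped control bytes such as %1D and %07 in the values) rather than on any particular key.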

Conclusion

Variations of the techniques described above can be found in many modern malware families, and they let malware authors hit three targets with one shot. First, the encryption scheme is simple and, given decent design on the authors’ part, can be changed relatively cheaply. Second, it somewhat complicates dynamic and static analysis. Third, it is an efficient way to produce new variants of the same malware that bypass antivirus signatures.

A collection with the relevant malware file hash, malicious domains and IP addresses is available on X-Force Exchange. Additionally, the list of hard-coded C&C domains found in the malware is provided below:

“76TtKl8ZwW6MU29wmPDtT1QNcj5UDbqn/KIVj42N4ZYkZEPTS6ByTw==” / “hxxp[:]//www[.]n-fit-sub.com/ec/index[.]php”

1353A08  79 36 69 45 2B 70 36 6D  31 53 78 78 2B 56 70 38  y6iE+p6m1Sxx+Vp8
1353A18  70 4F 42 6F 50 42 53 6C  48 47 42 34 35 56 76 6E  pOBoPBSlHGB45Vvn
1353A28  64 2F 6C 53 69 78 67 58  68 6F 41 48 61 61 32 66  d/lSixgXhoAHaa2f
1353A38  73 39 39 6A 51 67 3D 3D  00 00 00 00 00 00 00 00  s99jQg==........
013565F8  68 74 74 70 3A 2F 2F 6A  70 2E 76 69 72 68 75 62  http://jp.virhub
01356608  2E 62 69 7A 2F 70 61 67  65 73 2F 23 23 23 23 2E  .biz/pages/####.
01356618  68 74 6D 6C 00 00 00 00  00 AB AB AB AB AB AB AB  html

_______________________________________________________________________________

01351CE0  62 59 6E 43 7A 30 36 4F  78 66 4A 74 79 44 47 4B  bYnCz06OxfJtyDGK
01351CF0  4F 42 2B 73 62 47 57 58  67 69 32 4A 4B 48 58 75  OB+sbGWXgi2JKHXu
01351D00  75 45 4C 6C 77 37 55 31  78 59 63 6B 53 6B 4C 77  uELlw7U1xYckSkLw
01351D10  6A 50 67 66 48 34 65 35  4B 36 59 6F 4E 4C 69 73  jPgfH4e5K6YoNLis
01355F88  68 74 74 70 3A 2F 2F 77  77 77 2E 73 61 6B 75 72  http://www.sakur
01355F98  61 6E 6F 72 65 69 2E 63  6F 6D 2F 6A 61 2D 6A 70  anorei.com/ja-jp
01355FA8  2F 64 65 66 61 75 6C 74  2E 61 73 70 78 00 00 00  /default.aspx...
