Example of Multiple Stages Dropper
If some malware samples remain simple (see my previous diary[1]), others try to install malicious files in a smooth way to the victim computers. Here is a nice example that my spam trap captured a few days ago. The mail looks like a classic phishing attempt:
From: admintmseals@telkomsa.net
To: [redacted]
Subject: New Catalogue #2017
Date: 14 Mar 2017 03:12:51 -0700

Dear,

FYI! Please submit the file to me asap.

Thank you.

Best Regards
Rachel Lo
Ufficio Commerciale
Vimin Box S.r.l.
Via Emanuele T. D'Azeglio, 2
12030 Lagnasco - CUNEO - ITALY
Tel. +39 0175 282082-3
Fax +39 0175282059
P. Iva 02281230041
There was a file attached to this email: a RAR archive "Catalogue Request.rar" (MD5: 9556abef02749c65eba8acf80c83598a). The archive contained a PE file "Catalogue Request.exe" (MD5: 913858642d0f28cef3736519d6a50ea6). When the file was submitted to VT for the first time, it got a nice score of 8/58! When executed, the malicious PE dropped three artefacts on the victim's computer:
%USERPROFILE%\9arfG4Fhjq\x (MD5: 4a137d468520bf7257a1744500c8c69d)
%USERPROFILE%\9arfG4Fhjq\8ybl.dll (MD5: ec97baff7339df00b036d5b77b3f04f5)
%USERPROFILE%\9arfG4Fhjq\l7xauv.vbs (MD5: b49fd655fdbf4846453716c70929a396)
Note: the directory and file names are not generated randomly. I executed the sample in multiple environments and it always created the same files. Once the files have been dropped on disk, the dropper executes the first .vbs by launching wscript.exe:
Set a9arfG4Fhjq = CreateObject("Shell.Application"):a9arfG4Fhjq.ShellExecute "rundll32","8ylb.dll ab1ksnp"
During execution, another VBS file is created in C:\9arfG4Fhjq9arfG4Fhjq (MD5: b82a33bd326050d4587eda1855a41223) and a RunOnce key is created to execute it at the next reboot. However, the process crashed in my sandbox and the malware installation was not successful.
The file 'x' looked suspicious. It is a rogue BMP image file:
$ file x
x: PC bitmap, Windows 3.x format, 882 x 562 x 24
If you display it, it looks suspicious:
Thanks to Adam[2] on the rem-alumni mailing-list, the file was analyzed and, guess what, it contains another malicious PE file:
$ hexdump -C x.bmp|head -20
00000000 42 4d 66 b5 16 00 00 00 00 00 36 00 00 00 28 00 |BMf.......6...(.|
00000010 00 00 72 03 00 00 32 02 00 00 01 00 18 00 00 00 |..r...2.........|
00000020 00 00 30 b5 16 00 c4 0e 00 00 c4 0e 00 00 00 00 |..0.............|
00000030 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff |................|
00000040 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
00000120 ff 6d 65 67 61 70 65 73 74 72 63 2c 35 71 52 23 |.megapestrc,5qR#|
00000130 51 7f 79 66 21 76 9a 8e 50 23 e9 7f 7d 66 2e 76 |Q.yf!v..P#..}f.v|
00000140 65 71 10 23 4b 7f 7d 66 2e 76 65 71 50 23 51 7f |eq.#K.}f.veqP#Q.|
00000150 7d 66 2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71 |}f.veqP#Q.}f.veq|
00000160 50 23 51 7f 7d 66 2e 77 65 71 ea 33 51 71 62 d2 |P#Q.}f.weq.3Qqb.|
00000170 27 bb 44 c9 51 6f 9c 5e ed f6 7a 1e 0c 02 70 53 |'.D.Qo.^..z...pS|
00000180 23 10 1a 14 4f 1b 45 1c 25 50 25 5f 1f 03 0e 04 |#...O.E.%P%_....|
00000190 10 1f 70 56 3f 1b 18 14 0e 21 0c 1f 63 11 5c 75 |..pV?....!..c.\u|
000001a0 59 51 2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71 |YQ.veqP#Q.}f.veq|
000001b0 50 23 51 7f 7d 66 2e 76 65 71 50 23 51 7f 7d 66 |P#Q.}f.veqP#Q.}f|
000001c0 2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71 50 23 |.veqP#Q.}f.veqP#|
000001d0 51 7f 7d 66 2e 76 65 71 50 23 51 7f 7d 66 2e 76 |Q.}f.veqP#Q.}f.v|
000001e0 65 71 50 23 51 7f 7d 66 2e 76 65 71 50 23 51 7f |eqP#Q.}f.veqP#Q.|
000001f0 7d 66 2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71 |}f.veqP#Q.}f.veq|
We clearly see repeated sequences of bytes (a repeating XOR key shows through wherever the underlying data is a run of 0x00 bytes):
ff 6d 65 67 61 70 65 73 74 72 63 2c 35 71 52 23 51 7f 79 66 21 76 9a 8e 50 23 e9 7f 7d 66 2e 76 65 71 10 23 4b 7f 7d 66 2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71 50 23 51 7f 7d 66 2e 77 65 71 ea 33 51 71 62 d2 27 bb 44 c9 51 6f 9c 5e ed f6 7a 1e 0c 02 70 53 23 10 1a 14 4f 1b 45 1c 25 50 25 5f 1f 03 0e 04 10 1f 70 56 3f 1b 18 14 0e 21 0c 1f 63 11 5c 75 59 51 2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71 50 23 51 7f 7d 66 2e 76 65 71 50 23 51 7f 7d 66 2e 76
The file is XOR'd with the following 10-byte key: 0x2e 0x76 0x65 0x71 0x50 0x23 0x51 0x7f 0x7d 0x66. Once decoded, we have a PE file packed with UPX (MD5: a9bc758fe544e229884eb3e0df483677). The final unpacked file is a classic Fareit trojan (MD5: 03c5ac152126ff6d007c36789d9d3812). It communicates with the following C2:
hxxp://23.249.166.175/star/gate.php
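As an added worked example (not the handler's code, and run against a constructed carrier rather than the real sample 'x'), the Python script below turns the observation above into an analysis step: it reads the pixel-array offset from the BMP header, finds the longest periodic stretch of the masked data (a run of 0x00 padding in the embedded PE comes out as the key itself, because x XOR 0 == x), reads the key out of that stretch, aligns it to the start of the stream and decodes. The key value is the one from the diary; the fake PE payload, the one-row BMP layout, the assumption that the XOR stream starts exactly at the pixel-array offset (the real sample has 0xFF filler first) and all function names are assumptions made for the example.

```python
"""Recover a repeating XOR key from a BMP carrier and unmask the payload.

Added example for this diary, not the handler's own tooling.  The carrier is
constructed: the XOR stream starts at the pixel-array offset, whereas the
real sample 'x' has a stretch of 0xFF filler before the masked data.
"""
import struct

# Key reported in the diary for the file 'x'.
DIARY_KEY = bytes([0x2E, 0x76, 0x65, 0x71, 0x50, 0x23, 0x51, 0x7F, 0x7D, 0x66])

# Constructed stand-in for the embedded PE: DOS header fragment, stub text,
# a long stretch of 0x00 section padding, then non-repeating filler data.
FAKE_PE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 300
    + b"PE\x00\x00"
    + bytes(range(0x20, 0x7F)) * 3
)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; key[0] lines up with data[0]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_carrier(payload: bytes, key: bytes) -> bytes:
    """Wrap the XOR-masked payload in a minimal one-row 24-bit BMP (assumed layout)."""
    pixels = xor_with_key(payload + b"\x00" * (-len(payload) % 12), key)
    width, height = len(pixels) // 3, 1          # 12-byte multiple: no row padding needed
    file_hdr = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(pixels), 0, 0, 54)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 0, 0, 0, 0)
    return file_hdr + dib_hdr + pixels


def bmp_pixel_offset(blob: bytes) -> int:
    """bfOffBits from BITMAPFILEHEADER: where the pixel array (the masked data) starts."""
    if len(blob) < 14 or blob[:2] != b"BM":
        raise ValueError("not a BMP")
    return struct.unpack_from("<I", blob, 10)[0]


def longest_repeat_run(data: bytes, period: int) -> tuple:
    """Longest run of indices i with data[i] == data[i + period]; returns (start, length)."""
    best = (0, 0)
    run_start = run_len = 0
    for i in range(len(data) - period):
        if data[i] == data[i + period]:
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len > best[1]:
                best = (run_start, run_len)
        else:
            run_len = 0
    return best


def recover_key(data: bytes, max_period: int = 32) -> bytes:
    """Derive the key from the longest periodic stretch of masked data.

    A region of 0x00 plaintext (PE section padding) comes out as the key
    repeated verbatim.  The period with the longest repeating run is taken as
    the key length; the key is read out of that run and rotated so that
    index 0 lines up with data[0].  Caveat: a long run of some other constant
    byte c would yield key ^ c instead, so always check the decoded output.
    """
    period, (start, length) = max(
        ((p, longest_repeat_run(data, p)) for p in range(1, max_period + 1)),
        key=lambda item: item[1][1],
    )
    if length < 2 * period:
        raise ValueError("no convincing repeating pattern")
    window = data[start:start + period]          # window[k] == key[(start + k) % period]
    return bytes(window[(j - start) % period] for j in range(period))


def unmask_bmp_payload(blob: bytes) -> tuple:
    """Return (recovered key, decoded pixel array) for a BMP carrier like 'x'."""
    pixels = blob[bmp_pixel_offset(blob):]
    key = recover_key(pixels)
    return key, xor_with_key(pixels, key)


if __name__ == "__main__":
    carrier = build_carrier(FAKE_PE, DIARY_KEY)
    key, decoded = unmask_bmp_payload(carrier)
    print("key:", key.hex(" "), "| decoded starts with MZ:", decoded[:2] == b"MZ")
```

The alignment step matters in practice: the repeating window you spot in a hexdump is the key rotated by the offset at which the zero run happens to begin, so reading the ten bytes off the screen and XORing from byte 0 will produce garbage unless you rotate them back. The 'MZ' check on the decoded output is the sanity test for both the rotation and the zero-padding assumption.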
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
Comments
Anonymous
Mar 18th 2017
When you xor any number with 0 the result is that number.
JH
Anonymous
Mar 19th 2017
> When you xor any number with 0 the result is that number.
> JH
True. If you XOR a bunch of '0x00' with the key 'azerty' you get this:
$ python xor.py | hexdump -C
00000000 61 7a 65 72 74 79 61 7a 65 72 74 79 61 7a 65 72 |azertyazertyazer|
00000010 74 79 61 7a 65 72 74 79 61 7a 65 72 74 79 61 7a |tyazertyazertyaz|
00000020 65 72 74 79 61 7a 65 72 74 79 61 7a 65 72 74 79 |ertyazertyazerty|
00000030 61 7a 65 72 74 79 61 7a 65 72 74 79 61 7a 65 72 |azertyazertyazer|
00000040 74 79 61 7a 65 72 74 79 61 7a 65 72 74 79 61 7a |tyazertyazertyaz|
00000050 65 72 74 79 61 7a 65 72 74 79 61 7a 65 72 74 79 |ertyazertyazerty|
00000060 61 7a 65 72 0a |azer.|