businessmen with frosties

The Official Blog of Matthiew Morin :: A withani.net Production

A Brief Analysis of SCAN_389_07172013_319.exe


Introduction

I was able to snag this piece of malware from a user at work a few months back (yes, I know, it’s been a while).  It was delivered via email in the typical form of a zipped executable.  As with many companies, we utilize scanning-to-email and scanning-to-folder operations on our printers to reduce paper usage so I wasn’t very surprised to see SCAN_389_07172013_319 as the email title.

Luckily, many of our users have taken my presentations and education sessions on email security fairly seriously and have gained a keen-eye for suspicious emails that manage to land in their inbox. (See, user education does work!)

In the little spare time I have, I decided it would be worth while to do a little analysis of my own on this.  It never hurts to get your hands dirty with a little malware analysis every now and then, so lets jump right into it!

Analysis Environment

While there are automated analysis tools available that do a great job at deciphering malware (see http://www.cuckoosandbox.org/), I thought that it would be more beneficial to take a stab at a dynamic analysis by hand; there’s no easier way to learn than jumping right in I suppose.

For my dynamic environment I spun up a Windows 7 Ultimate VM with PEiD, PE Explorer, EXE Explorer, ProcessMonitor and Wireshark.  There wasn’t much else to speak of on the VM, I didn’t take the time to populate any programs with data because I wasn’t sure what effect the malware would have on the system.  I later found out that having some false data and other applications installed could have been useful.

Having pfSense running in my apartment was also unbelievably useful for this, the ability to shape, firewall and direct traffic to and from the analysis machine worked flawlessly keeping the rest of my network safe and sound in the event that the malware decided to grow legs.

Getting Down to Business

ZIP File Name:  SCAN_389_07172013_319.zip
EXE File Name: SCAN_389_07172013_319.exe
EXE MD5:          f27660b726da76f618a287d7028fe7bf

Dropped Files:

  • 4593324.exe (could change between different executions)
  • onpye.exe (could change between different executions)
  • 4594900.bat (could change between different executions)

Upon initial execution, the program runs a few basic registry queries:

  • HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
    (Reads current computer name)
  • HKLM\SYSTEM\Setup\OOBEInProgress
    (Checks if “Setup is preparing for first use” is present)
  • HKLM\SYSTEM\Setup\SystemSetupInProgress
    (Checks if System Setup is in progress)
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
    (Gets an inventory of currently installed programs)

After these preliminary checks are done, the program takes an unexpected turn and checks for the existence of HKCU\Software\WinRAR\HWID.  If this key doesn’t exist it will create it and set the value to a unique value, in this case {03EDA780-D9F1-4B2A-9E42-945F4CD9AFC0}.  The interesting thing is that this value did not appear anywhere else in the registry after a quick search.  Additionally, it adds the keys “Client Hash” and “9695C9999AF619DAEE891878D880910A” which I never determined the reason for.  I assume it was a calculation that was later sent to a server for identification purposes.

Next the program begins specific searches for the registry keys and program files of specific programs.  While none of these programs were installed on this machine, it is probably safe to assume that it is searching for configuration files containing IP addresses, host names, usernames, passwords and other connection information (which would be sent up to a server later in the process.)

The programs that this malware checks for include: BatMail, BitKinex FTP, BlazeFTP, Bormium, Bullet Proof FTP, ChromePlus, Comodo, COREFTP, Cryer WebSitePublisher, CuteFTP, CuteFTP 6 Home & Professional, CuteFTP 7 Home & Professional, CuteFTP 8 Home & Professional, CuteFTP 9, CuteFTP Lite, CuteFTP Pro, CuteFTP Quick Connect Toolbar, CyberDuck, ExpanDrive, Far Manager FTP, FFFTP, FileZilla, FlashFXP FTP, Frigate 3, FTP Explorer, FTPRush, Ghisler Windows Commander & Total Commander, Google Chrome, IncrediMail, Internet Explorer Intelliforms, Ipswitch FTP, LinasFTP, Mozilla, NCH ClassicFTP, Nichrome, Notepad++, NovaFTP, Outlook, PocoMail, Putty, RimArts E-Mail Client, Robo-FTP, RockMelt, SecureFX, SftX.org FTPClient, SmartFTP, TurboFTP, WinZip.

Interestingly enough, this malware will also grab the Windows Mail Password Salt to aid the attacking of any configured Windows Mail accounts.

Once this enumeration process is complete a series of TCP connections are made to three different sites.  The first connection is an HTTPS session to nursenextdoor.com.  This connection stands out from the others mainly due to its short nature and the fact that it was established over HTTPS.  I was not able to determine the content of the connection but it would be safe to assume that either the connection data harvested in the enumeration process was being sent to a server as it was a POST request to /ponyb/gate.php (this has since been cleaned up).

The next TCP connection is an HTTP GET request to lavetrinadeidesideri.it/Twe.exe but provided no noticeable artifacts on the system as the request resulted in a 404 error.  However, it is probably safe to assume that the file is another program designed to gain persistence on the system.

The final TCP connection to 64.39.66.153 was an HTTP GET request for the file fxp.aquasarnami.com/zKo.exe which was saved as one of the dropped files (C:\Users\USERNAME\AppData\Local\Temp\4593324.exe).

4593324.exe is run shortly after the download completes and does an enumeration of the user accounts on the system.  It also drops 2 more files: C:\Users\USERNAME\AppData\LocalLow\oklam.iqb and C:\Users\USERNAME\AppData\Roaming\Hefe\onpye.exe

onpye.exe executes shortly after it’s creation and creates registry keys at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ to add persistence at system start up.  It also facilitates the start of WinMail.exe which then processes and enumerates popular saved mail locations including inboxes, sent items and deleted items.  Any data found is likely sent to a listening server; however, that was not determined as there was no email data on the test system.

On a final note, during the 4 or so hours I left this machine running, onpye.exe made UDP requests to 423 unique addresses which can be found here.

Summary

The amount of information that this series of malware gathers is rather large.  If you have come across this on a live network, it would be prudent to change passwords and other configuration information as it is most likely in the hands of somebody else.

This was my first real stab at a dynamic malware analysis report and I would love to hear any and all feed back.  Thanks for reading!

Your email address will not be published. Required fields are marked *

*