Malware Analysis Report

© 2014 Red Alert. All Rights Reserved.

2014. 02. 20

[ Xtreme RAT ]

A server program of ‘Xtreme RAT’, a type of RAT (Remote Administration Tool), has recently been distributed. A system infected with the server program becomes a client of the attacker, who controls the system remotely. The attacker can steal information from the infected system such as keyboard input, MSN/E-mail and clipboard data. On a system suspected of being infected, countermeasures according to the behaviour described below and removal through A/V are required.

Information Service about a new vulnerability


Index

1. Malware Stub
2. Technical Details
3. Red Alert of Opinion
4. Removal Recommendations


Confidentiality Agreements

This report was written by the Red Alert team. It may be used for research purposes, but Red Alert accepts no legal responsibility for its use. This document is a living document and will be updated from time to time. Please refer to the Red Alert SNS page to download updates.

(https://www.facebook.com/nshc.redalert)

Analysis reports updated on Facebook, together with other materials, articles and samples, are offered as a premium service on the ISAC page (https://isac.nshc.net).


1. Malware Stub

Malware Name  : pdfviewer.exe
File Size     : 133,624 bytes
MD5           : 50f7368f4b81d4c2891d7a890e8d5b44
Compiled Date : 2012.01.18 12:35:52
Etc           : N/A

Table 1. File Info-1

Malware Name  : dmw.exe
File Size     : 59,823 bytes
MD5           : c674a56b67332c033d1a041f32f0daac
Compiled Date : 1992.06.19 22:22:17
Etc           : N/A

Table 2. File Info-2

- dl.**********rcontent.com/s/pn*********5zhh/pdfviewer.exe

Index   : Description
OS      : Windows XP SP3 KR
Browser : Windows Internet Explorer 8

Table 3. Analysis Environment

The malware runs by injecting its module into ‘svchost.exe’ and ‘explorer.exe’. ‘dmw.exe’ is registered in ‘Windows Auto-startup’ so that the malware remains resident on the system.


The following is the information on the server the malware connects to.

Figure 2. IP Info-1

Figure 3. IP Info-2

The malware data and the ‘Keylogging’ data are stored in a specific folder.


Also, users can see more than one ‘explorer.exe’ running, because the malware injects its module into ‘explorer.exe’.

Figure 5. Injected Process

When the infected ‘explorer.exe’ is running, windows with objects that identify ‘Xtreme RAT’ are created.


2. Technical Details

The ‘XtremeKeylogger’ window created by the infected ‘explorer.exe’ is registered as a clipboard viewer.

Figure 7. Set Clipboard Viewer

The ‘XtremeKeylogger’ window procedure contains a routine that handles the ‘WM_DRAWCLIPBOARD’ message. ‘WM_DRAWCLIPBOARD’ is sent whenever new data is placed on the clipboard, so the clipboard contents can be inspected from the window registered as the clipboard viewer.

Figure 8. Branches 'WM_DRAWCLIPBOARD'

In the ‘WM_DRAWCLIPBOARD’ message handling routine, the ‘Unicode text’ from the clipboard is stored in a buffer.

Figure 9. Get Clipboard Data

The stored data is recorded separately in the file, and the file is as follows:

- %APPDATA%\Microsoft\Windows\((Mutex)).dat

- %APPDATA%\Microsoft\Windows\gzAdbdgue.dat


The signature bytes ‘0xAA, 0xFE’ are present at the start of the file data. The ‘Unicode characters’ are stored with single-byte encryption (XOR 0x55), excluding CRLF (Carriage Return Line Feed: 0x0D, 0x0A) and ‘0x00’.

Figure 11. XOR Encode Routine

The decoded data, excluding the ‘Unicode Text’, is as follows:


It installs a system-wide hook with the ‘SetWindowsHookExW’ function from the ‘XtremeKeylogger’ window created by the infected ‘explorer.exe’.

Figure 13. Set Keyboard Hook

The routine that processes keyboard input messages is ‘LowLevelKeyboardProc’, which runs through the ‘global hook’.

- WM_SYSKEYDOWN : ‘System key’ input

- WM_KEYDOWN : ‘Keyboard key’ input

Figure 14. Branches Key Down Messages

The records are separated by window using the ‘Foreground Window’.


The ‘time information’ is also recorded in ‘DATE_SHORTDATE’ format, along with the ‘window caption’.

Figure 16. Local Time Format

The contents are saved with ‘single byte encryption (XOR 0x55)’ in the ‘keylogging data file’, in the same way as the ‘Clipboard Hooker’. The decoded data, excluding the Unicode type, is as below.

Figure 17. Key Logging Data
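As an added illustration (not code from the report or from Xtreme RAT itself), the following Python decoder reads a clipboard or keylogging ‘.dat’ file in the format described in the two passages above: the ‘0xAA, 0xFE’ signature followed by UTF-16LE text whose bytes, except 0x00, 0x0D and 0x0A, are XORed with 0x55. The sample file is constructed inline, and it is an assumption that the three pass-through bytes are also left untouched when decoding.

```python
"""Decoder for the Xtreme RAT clipboard/keylogging .dat layout described in
the report: 0xAA 0xFE signature, then UTF-16LE text in which every byte other
than 0x00, 0x0D and 0x0A has been XORed with 0x55.

Added illustration only; not the malware's own routine. Treating stored
0x00/0x0D/0x0A bytes as pass-through on decode is an assumption."""

SIGNATURE = b"\xaa\xfe"
XOR_KEY = 0x55
PASS_THROUGH = {0x00, 0x0D, 0x0A}  # bytes the report says are left unencoded


def xor55_codec(data: bytes) -> bytes:
    """XOR every byte with 0x55 except NUL, CR and LF.

    XOR is its own inverse, so one routine both encodes and decodes.
    """
    return bytes(b if b in PASS_THROUGH else b ^ XOR_KEY for b in data)


def parse_xtreme_dat(blob: bytes) -> str:
    """Check the signature, strip it, decode the body and return the text."""
    if not blob.startswith(SIGNATURE):
        raise ValueError("missing 0xAA 0xFE signature; not an Xtreme RAT .dat")
    body = xor55_codec(blob[len(SIGNATURE):])
    return body.decode("utf-16-le", errors="replace")


def build_sample_dat(text: str) -> bytes:
    """Constructed sample file mirroring the described layout (test data)."""
    return SIGNATURE + xor55_codec(text.encode("utf-16-le"))


if __name__ == "__main__":
    # Constructed record in the style of the report's keylog entries:
    # window caption and date, then the captured text.
    sample = build_sample_dat("[Notepad] 2014.02.20\r\nhello world\r\n")
    print(sample.hex(" "))
    print(parse_xtreme_dat(sample))
```

Because plaintext bytes 0x55, 0x58 and 0x5F (‘U’, ‘X’, ‘_’) would encode to the pass-through values, they cannot be recovered unambiguously from the description alone, so a real file may show those characters as CR, LF or NUL.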

The ‘keylogging data file’ is sent together with the clipboard data to the ‘FTP Server’.


It likewise installs a system-wide hook with the ‘SetWindowsHookExW’ function from the ‘XtremeKeylogger’ window created by the infected ‘explorer.exe’.

Figure 19. Set Mouse Hook

The routine that processes mouse input messages is ‘LowLevelMouseProc’.

- WM_LBUTTONDOWN : Click the left button of mouse

- WM_RBUTTONDOWN : Click the right button of mouse

- WM_MBUTTONDOWN : Click the wheel of mouse

- WM_LBUTTONDBLCLK : Double click the left button of mouse

- WM_RBUTTONDBLCLK : Double click the right button of mouse

Figure 20. Branches Mouse Click Messages

The records are also separated by window using the ‘Foreground Window’.


Using the ‘BitBlt’ function, it captures the screen contents into memory.

Figure 22. Screen Capture

The captured screen is stored as a ‘.jpg’.


3. Red Alert of Opinion

The RAT (Remote Administration Tool) can ‘capture the screen’, perform ‘keylogging’, ‘steal clipboard data’, act as a ‘proxy server’, ‘handle processes’, ‘handle windows’ and ‘handle the registry’. Cases in which it is exploited to steal personal information are increasing. Please be aware of the damage a ‘RAT’ can cause.

4. Removal Recommendations

Uncheck ‘Hide protected operating system files (Recommended)’ and select ‘Show hidden files and folders’ in the Folder Options of ‘Windows Explorer’. Then delete the following files:

- %APPDATA%\Microsoft\Windows\((Mutex)).cfg

- %APPDATA%\Microsoft\Windows\((Mutex)).dat

- %APPDATA%\Microsoft\Windows\gzAdbdgue.cfg

- %APPDATA%\Microsoft\Windows\gzAdbdgue.dat

- %APPDATA%\Microsoft\Windows\gzAdbdgue.xtr

- %APPDATA%\System\dmw.exe


Delete the registry entries related to the malware.

- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Value Name : HKLM
  Value Data : %APPDATA%\System\dmw.exe

- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Value Name : HKCU
  Value Data : %APPDATA%\System\dmw.exe

- HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{54F31X8D-X7YK-MYWP-XFCM-1M6UNSJ65AWU}
  Value Name : StubPath
  Value Data : %APPDATA%\System\dmw.exe restart

- HKCU\Software\gzAdbdgue

- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
  Value Name : Load

- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
  Value Name : Load

Please perform a thorough system examination by referring to ‘Reference [1] Virus Total’ and remove the malware with A/V.


5. Reference

[1] Virus Total: https://www.virustotal.com/en/file/e6b8a3a8b4df58ad8c656cafada78a2462023acb5c76fda5f7d4cc62604a6a20/analysis/

[2] Xtreme RAT: https://sites.google.com/site/xxtremerat/
