Abstract: This Trojan redirects control flow away from the original executable as soon as it runs, apparently without ever running the original application. The sample was found in a 'Desktop Window Manager' application, but on closer inspection the host file turned out to be a compiler. The original payload was stored encrypted in several data sections scattered around the code body, with jmp instructions moving control between these islands.
The import interface is obfuscated: API calls are made by generating the API offsets at runtime, adding them to the image base of the required DLL and then searching for the function name string in the DLL's import tables. Once a particular hash value is matched, all previous sections are overwritten together with the encrypted data islands, and execution enters the decrypted malcode. Here the PE image base is initialised dynamically, memory is allocated, and the PE is rebuilt around this framework.
It appears to enter an infinite loop with a sleep of 0 ms while checking for network connectivity. It tests localhost (TCP port 50370) for an internet connection and, if one is found, starts the download process by issuing HTTP GET requests to hard-coded URIs using the Winsock API (ws2_32.dll). It also enumerates several popular social networking sites and adds them to a target list. Specific CLSIDs and other malicious files (*.cfg) are flagged as potentially malicious by online repositories, indicating that these payloads are widely distributed.
Static and Dynamic Analysis:
407BFC: push eax = 400000, the image base. Memory dump preparation apparently begins here.
Ntdll.dll imagebase saved:
And saves 4088F8,
Then the kernel32 function address:
The stack at this time:
New stack addresses pushed:
This code enumerates the API functions: EBX holds the DLL image base and ESI the offset of the API within it; added together they give the VA.
It compares against this hash value:
It cycles through this indexing section to traverse the API list.
Notice that it uses push/retn instruction pairs to travel between sections instead of a jump.
EDX keeps count of the number of functions traversed.
It enters the encrypted data section at 407E6E.
Re-enumeration of kernel32 APIs:
These are saved on the stack as:
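The push/retn island hopping described above does not show up as a branch in a linear disassembly. As an added example (not code from the original analysis), the following Python scanner flags every push imm32; retn pair in a block of x86 code and reports where each pair transfers control; the byte sample, image base and section VA are constructed for illustration.

```python
import struct
from typing import List, Tuple

# Constructed sample (not bytes from the analysed file): a few x86 instructions in
# which two "push imm32; retn" pairs stand in for the jumps between encrypted islands.
# Image base and code VA are assumed values chosen to match the report's addresses.
IMAGE_BASE = 0x400000
CODE_VA = 0x407B00

SAMPLE = bytes.fromhex(
    "55"            # push ebp
    "8bec"          # mov ebp, esp
    "6800204000"    # push 0x402000   <- target island
    "c3"            # retn            (push+retn behaves like jmp 0x402000)
    "90"            # nop
    "68fd7b4000"    # push 0x407BFD   (immediate NOT followed by retn: ordinary push)
    "58"            # pop eax
    "68e87e4000"    # push 0x407EE8   <- second island
    "c3"            # retn
    "33c0"          # xor eax, eax
)


def find_push_ret(code: bytes, va: int) -> List[Tuple[int, int]]:
    """Return (location VA, target VA) for each 'push imm32; retn' pair.

    Opcode 0x68 is push imm32 (5 bytes) and 0xC3 is retn. The pair transfers
    control to the pushed value but is invisible to a branch-following disassembler.
    The scan is byte-wise, so a 0x68 inside data or an immediate can match too;
    filter hits with in_image() before trusting them."""
    hits = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0x68 and code[i + 5] == 0xC3:
            target = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((va + i, target))
            i += 6
        else:
            i += 1
    return hits


def in_image(target: int, base: int = IMAGE_BASE, size: int = 0x10000) -> bool:
    """Sanity filter: only targets inside the mapped image are plausible islands."""
    return base <= target < base + size


if __name__ == "__main__":
    for loc, tgt in find_push_ret(SAMPLE, CODE_VA):
        print(f"{loc:08X}: push/retn -> {tgt:08X} ({'in image' if in_image(tgt) else 'outside'})")
```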
These will be used in the decrypted PE.
Malicious links hard-coded in the decrypted process memory:
Dynamically linked DLLs:
A few IDs are enumerated from the hard-coded database:
Popular networking sites are enumerated and targeted:
Malcode Originates from here:
The original file is a multipurpose compiler that uses AutoDock, with Bison as the docking GUI (scientific usage), and a lexical parsing engine of the kind used in compilers. A typical compiler disassembly is seen, with various switches and compilation sections identified. It tries to parse JScript, VBScript and .java files, and outputs .c and .cpp files as well. The malcode, however, is appended in the section shown above, which is reached through two calls referenced from the compiler code within the trojan file.
The infection begins right at the start, at 40103C, and again at a supposed compiler-error path with a quick jump from 401394; thus control is transferred to the malcode almost immediately.
After rebuilding the imports with ImpREC, giving 401000 as the OEP (the usual procedure), the complete list of new APIs is detected and the import table is built. We take this rebuilt executable, which has the following characteristics.
Decrypted and built PE:
This dump has the string UPX in the first section's text along with other data. This might indicate something, though it is not very apparent and certainly not detected.
Further, we see:
More links are downloaded:
This file is widely detected as malicious online:
It uses the Winsock API functions (ws2_32.dll) to establish a connection and download the links. It also constructs GET requests and issues them over HTTP on port 80.
A loopback test (localhost) is used to check connectivity, and socket port 50370 is hard-coded. This could serve as another identifier, since it is consistent across the file.
It also enumerates the browser type and preference/config files for Mozilla, IE > 7 and Opera.
This enumerates the system/special folders:
It searches for all files (\*.*) and performs some file-attribute operations on them.
Overall it is not destructive, but it could be, given the already detected payloads, trojan activity and obfuscation.
Shellcode Executable Analysis:
Malicious code decoded from the above:
After conversion from shellcode to exe file format the following characteristics were noted:
Online search results show detection by six vendors as a trojan downloader, including under the name Silvana.
The remaining loop in function a_AK6_() extracts bytes starting at offset 0x1200 of the file image. Examining the file confirms this, as a marker is present at:
This shellcode is again extracted and converted to exe format for analysis.
Obfuscated API interface: DLL and function names are built dynamically and loaded using LoadLibrary():
It then downloads the URL to a file on the local system:
and goes into an infinite loop.
TcpView shows 592 UDP port usages for this download activity.
The vulnerability can be mitigated by the steps described and discussed in this document.
UDP port 592 can be audited for any illegal activity or disabled.
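As an added example (not part of the original report), the following Python audit applies the two network indicators given above, the loopback TCP port 50370 connectivity test and UDP port 592, to netstat -ano style output; the netstat lines, PIDs and addresses are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed netstat -ano style output (not captured from the sample); the
# PIDs and addresses are made up for illustration.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    127.0.0.1:50370        0.0.0.0:0              LISTENING       2140
  TCP    127.0.0.1:49213        127.0.0.1:50370        ESTABLISHED     2140
  TCP    192.168.1.10:49214     203.0.113.7:80         ESTABLISHED     2140
  UDP    0.0.0.0:592            *:*                                    2140
  UDP    0.0.0.0:5355           *:*                                    1204
"""

LOOPBACK_TCP_PORT = 50370   # hard-coded loopback connectivity test seen in the sample
UDP_PORT = 592              # UDP port TcpView showed for the download activity

# Proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")


def _port(addr: str) -> int:
    """Port number from 'host:port' (IPv4 form); '*:*' yields -1."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else -1


def audit(netstat_text: str) -> List[Dict[str, object]]:
    """Flag endpoints matching the two network indicators from this report."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, _state, pid = m.groups()
        on_loopback = local.startswith("127.") or foreign.startswith("127.")
        if proto == "TCP" and on_loopback and LOOPBACK_TCP_PORT in (_port(local), _port(foreign)):
            findings.append({"pid": int(pid), "indicator": "loopback tcp 50370", "line": line.strip()})
        elif proto == "UDP" and _port(local) == UDP_PORT:
            findings.append({"pid": int(pid), "indicator": "udp 592", "line": line.strip()})
    return findings


def suspect_pids(netstat_text: str) -> List[int]:
    """PIDs showing both indicators, which is stronger evidence than either alone."""
    by_pid: Dict[int, set] = {}
    for f in audit(netstat_text):
        by_pid.setdefault(f["pid"], set()).add(f["indicator"])
    return sorted(p for p, inds in by_pid.items() if len(inds) == 2)
```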
Malicious entertainment sites should be avoided, as they are riddled with such insidious installations.