Malware authors frequently seek code-execution methods that not only evade detection by AV software but also cover tracks and remove evidence that could reveal the origins of the malicious code.  Different methods exist for achieving these objectives, and the high degree of extensibility in Windows provides plenty of options for the bad guys to exploit.

A few days ago I received an intriguing piece of zero-day malware, so I decided to run it through our Vinsula Execution Engine (VEE) to find out what it does. Credit for providing the sample goes to Dave Lowe. This is what the file looks like in Windows Explorer:

 

1352123452.exe

The file's version information shows that the attacker is trying to trick the user into believing the file came from Microsoft: the executable describes itself as “Configuration Backend Interface”, as shown below.

Malware File Properties

Here is the VirusTotal report as of today, 20 October 2013.

1352123452.exe-03-VirusTotal

What makes this malware interesting is its ability to hide its tracks and carry out a successful attack while executing a minimal amount of malicious code.  After running the malware through the VEE, we generate a report that reveals what the malware does and which CnC servers it talks with.

Here is the list of all processes launched as a result of starting the main malware image file (the VEE prints SHA1 digests base64-encoded; the hex digests are in the hash list at the end of this post).

     + 1352123452.exe [Process Id: 2892]
         SHA1:bIR7uwdtAiRZw6XA5zVoyNjexbRPWbuWYoNpG4Oy4Kk=
         Image Name: [C:\Temp\c2d3a7d727e34486967c0478f983f967\1352123452.exe]
         + cmd.exe [Process Id: 3984]
             SHA1:F/dG2CaV+ps1STtBhZ0514bTKyOp0uAPQBHex6AkAq4=
             Image Name: [C:\Windows\system32\cmd.exe]
             + regsvr32.exe [Process Id: 3952]
                 SHA1:iQwXNO0e9rJCKpsh1iBc+R4BSt2Kf0GqWilPz2BjGns=
                 Image Name: [C:\Windows\system32\regsvr32.exe]

This is what the malware process tree looks like in Process Explorer. Notice that every process in the tree presents itself as a Microsoft application: the dropper through its forged version information, the other two because they genuinely are Windows binaries.

Malware Process Tree

The main malware executable 1352123452.exe connects to a CnC server (37.130.225.18) and downloads the additional malware binaries. Then comes the interesting part: as the connectivity section of the process tree report below shows, it is not only 1352123452.exe that talks to the CnC server, but also the Windows COM registration utility, regsvr32.exe.

     + 1352123452.exe [Process Id: 2892]
         =>  TCP IPv4 send XXX.XXX.XXX.55:1092  ==> 37.130.225.18:80
         =>  TCP IPv4 recv XXX.XXX.XXX.55:1092 <==  37.130.225.18:80
         + cmd.exe [Process Id: 3984]
             + regsvr32.exe [Process Id: 3952]
                 =>  TCP IPv4 send XXX.XXX.XXX.55:1087  ==> 37.130.225.18:80
                 =>  TCP IPv4 recv XXX.XXX.XXX.55:1087 <==  37.130.225.18:80

How exactly does this work?

The top-level (main) malware, 1352123452.exe, acts as a downloader that connects to a CnC server (37.130.225.18). Its job is to deliver the additional malware and activate it. The following files get dropped into a newly created folder, C:\ProgramData\2932\:

  • 760707.dll
  • 760692.dat
  • wsse.dll

Of the three files above, only wsse.dll is a true binary library. The other two are not executables despite the .dll extension on 760707.dll: each is only 4 bytes long (see the hash list at the end of this post) and holds what appears to be encrypted data.

Below are the relevant entries from the Vinsula Execution Engine log that show the files being created under folder C:\ProgramData\2932\

1352123452.exe [Process Id: 2892]
	 Event:Create File[C:\ProgramData\2932\760692.dat]
	 Event:Write File[C:\ProgramData\2932\760692.dat]
	 Event:Create File[C:\ProgramData\2932\760707.dll]
	 Event:Write File[C:\ProgramData\2932\760707.dll]
	 Event:Create File[C:\ProgramData\2932\wsse.dll]
	 Event:Open File[C:\ProgramData\2932\wsse.dll]
	 Event:Read File[C:\ProgramData\2932\wsse.dll]
	 Event:Write File[C:\ProgramData\2932\wsse.dll]

After dropping the additional malware files, the main malware delegates all its malicious activity to standard Windows applications. This is a very devious approach that DOES NOT involve any code injection.

As shown in the process tree above, 1352123452.exe launches the Windows Command Prompt (cmd.exe) using the following command line:

"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\regsvr32.exe /s "C:\ProgramData\2932\wsse.dll"

This instructs the newly launched cmd.exe to run regsvr32.exe, which registers one of the files that have just been dropped, wsse.dll, as a COM component.

Next, Windows Command Prompt launches RegSvr32.exe using the command line below:

C:\Windows\system32\regsvr32.exe  /s "C:\ProgramData\2932\wsse.dll"
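The two command lines above are a pattern worth detecting on their own: a silent (/s) regsvr32.exe registration of a DLL that lives in a user-writable directory, wrapped in cmd.exe /c. The Python script below is an added example written for this post, not code from the original analysis or from Vinsula. It tokenises a Windows command line (honouring quotes), finds the regsvr32.exe invocation, pulls out the DLL it was asked to register, and flags the combination seen here. The event records, their field names, the trusted-directory list and the benign third command line are all constructed assumptions of the example, not the VEE report format.

```python
"""Flag regsvr32.exe proxy execution of a DLL from a user-writable path."""
from typing import Dict, List, Optional

# Constructed sample events modelled on the two command lines shown in this post,
# plus one benign registration for contrast. Field names are an assumption of
# this example, not the VEE report format.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 3984, "parent": r"C:\Temp\c2d3a7d727e34486967c0478f983f967\1352123452.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\regsvr32.exe /s "C:\ProgramData\2932\wsse.dll"'},
    {"pid": 3952, "parent": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\regsvr32.exe  /s "C:\ProgramData\2932\wsse.dll"'},
    {"pid": 4100, "parent": r"C:\Windows\system32\msiexec.exe",  # constructed benign case
     "cmdline": r'regsvr32.exe /s C:\Windows\System32\example.dll'},
]

# Directories an ordinary user cannot write to; a DLL anywhere else deserves a look.
# Assumption of the example: extend for non-default install roots.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted spans intact."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_regsvr32(cmdline: str) -> Optional[Dict[str, object]]:
    """Return details of a regsvr32 invocation found in cmdline, or None if there is none."""
    tokens = split_cmdline(cmdline)
    idx = next((i for i, t in enumerate(tokens) if basename(t) in ("regsvr32.exe", "regsvr32")), None)
    if idx is None:
        return None
    switches: List[str] = []
    target: Optional[str] = None
    for tok in tokens[idx + 1:]:
        if tok.startswith(("/", "-")):
            switches.append(tok.lower())
        elif target is None:          # first non-switch argument is the DLL to register
            target = tok
    silent = "/s" in switches or "-s" in switches
    via_cmd = idx > 0 and basename(tokens[0]) == "cmd.exe" and any(t.lower() == "/c" for t in tokens[:idx])
    untrusted = target is not None and not target.lower().startswith(TRUSTED_DIRS)
    reasons: List[str] = []
    if untrusted:
        reasons.append(f"DLL outside trusted directories: {target}")
    if silent:
        reasons.append("/s suppresses the error dialog shown when DllRegisterServer is missing")
    if via_cmd:
        reasons.append("wrapped in cmd.exe /c, which hides the real parent from a naive parent check")
    return {"dll": target, "silent": silent, "via_cmd": via_cmd,
            "suspicious": untrusted, "reasons": reasons}


def triage(events) -> List[Dict[str, object]]:
    """Run analyse_regsvr32 over process events; also flag an untrusted parent image."""
    hits = []
    for ev in events:
        result = analyse_regsvr32(str(ev["cmdline"]))
        if result is None or not result["suspicious"]:
            continue
        if not str(ev["parent"]).lower().startswith(TRUSTED_DIRS):
            result["reasons"].append(f"parent image outside trusted directories: {ev['parent']}")
        hits.append({"pid": ev["pid"], **result})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['dll']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

The DLL path, not the /s switch, is what makes the verdict: regsvr32.exe /s against a DLL under C:\Windows is routine installer behaviour, so the silent flag and the cmd.exe wrapper are recorded as supporting reasons rather than triggers.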

If we look at the registry changes captured in the VEE log below, we can see that regsvr32.exe (with the malicious wsse.dll loaded into it) makes a “minor” modification: it adds an entry under the CopyHookHandlers registry key and a matching CLSID whose InprocServer32 value points at wsse.dll.

+ regsvr32.exe [Process Id: 3952]
	 NtCreateKey Key:\REGISTRY\MACHINE\Software\Classes\Directory\Shellex\CopyHookHandlers\paucvducweuctevdtbs
	 NtCreateKey Key:\REGISTRY\USER\S-1-XXX\Software\Classes\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D1886}\InprocServer32
	 NtCreateKey Key:\REGISTRY\USER\S-1-XXX\Software\Classes\Directory\Shellex\CopyHookHandlers\paucvducweuctevdtbs
	 NtCreateKey Key:\REGISTRY\USER\S-1-XXX_CLASSES\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D1886}
	 NtCreateKey Key:\REGISTRY\USER\S-1-XXX_CLASSES\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D1886}\InprocServer32
	 NtCreateKey Key:\REGISTRY\USER\S-1-XXX_CLASSES\Directory\Shellex\CopyHookHandlers
	 NtCreateKey Key:\REGISTRY\USER\S-1-XXX_CLASSES\Directory\Shellex\CopyHookHandlers\paucvducweuctevdtbs
	 NtSetValueKey Key:\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\paucvducweuctevdtbs New Value:{118BEDCA-A901-4203-B4F2-ADCB957D1886}
	 NtSetValueKey Key:\REGISTRY\USER\S-1-XXX_CLASSES\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D1886}\InprocServer32 New Value:C:\ProgramData\2932\wsse.dll
	 NtSetValueKey Key:\REGISTRY\USER\S-1-XXX_CLASSES\Directory\Shellex\CopyHookHandlers\paucvducweuctevdtbs New Value:{118BEDCA-A901-4203-B4F2-ADCB957D1886}

regsvr32.exe itself knows nothing about the registry keys and values in the VEE log above. It accepts a handful of switches plus the name (or full path) of a DLL; it loads that DLL and then tries to resolve and call the DllRegisterServer export, which a self-registering COM server is required to provide. In this case the malicious wsse.dll does not export DllRegisterServer at all. The authors clearly planned for that and put their bootstrapping logic in the DLL entry point (DllMain): as soon as wsse.dll is mapped into the address space of regsvr32.exe, the malicious code runs, before regsvr32.exe ever looks for an export, and it is that code, not regsvr32.exe, which writes the entries above.

Another interesting detail: when regsvr32.exe cannot find DllRegisterServer in the DLL it was asked to register, it reports the failure in a message box. The “/s” (silent) switch used in the command lines above suppresses that dialog, so the user sees nothing.

Here is a screenshot that shows the registry change in Registry Editor.

Registry Change

For more details about RegSvr32, please visit http://technet.microsoft.com/en-us/library/cc771017.aspx

The registration routines implemented in the malicious WSSE.DLL also remove the user's Internet proxy settings (the per-user WinINet Internet Settings key), presumably so that its own HTTP traffic reaches the CnC server directly rather than through a configured proxy, as shown in the log below.

+ regsvr32.exe [Process Id: 3952]
	 NtDeleteValueKey Key:\REGISTRY\USER\S-1-XXX\Software\Microsoft\Windows\CurrentVersion\Internet Settings Value:AutoConfigURL
	 NtDeleteValueKey Key:\REGISTRY\USER\S-1-XXX\Software\Microsoft\Windows\CurrentVersion\Internet Settings Value:AutoDetect
	 NtDeleteValueKey Key:\REGISTRY\USER\S-1-XXX\Software\Microsoft\Windows\CurrentVersion\Internet Settings Value:ProxyOverride
	 NtDeleteValueKey Key:\REGISTRY\USER\S-1-XXX\Software\Microsoft\Windows\CurrentVersion\Internet Settings Value:ProxyServer
	 NtSetValueKey Key:\REGISTRY\USER\S-1-XXX\Software\Microsoft\Windows\CurrentVersion\Internet Settings Value:ProxyEnable New Value:0
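Both the CopyHookHandlers registration shown earlier and the proxy changes just above can be triaged mechanically from the same event stream. The following Python script is an added example written for this post, not part of the original analysis: it parses the NtCreateKey/NtSetValueKey/NtDeleteValueKey lines, replays them into a key/value map, resolves each CopyHookHandlers entry through its CLSID to the InprocServer32 DLL path, and reports handlers whose DLL sits outside trusted directories or whose CLSID lives in a per-user hive; it also lists the proxy values that were removed or disabled. The sample log lines are copied from this post; the event regex, the trusted-directory list and the finding format are the example's own assumptions.

```python
"""Triage VEE-style registry events: resolve shell copy hook handlers, spot proxy tampering."""
import re
from typing import Dict, List, Tuple

# Sample input: the registry events quoted in this post, copied verbatim
# (S-1-XXX is the post's own SID redaction).
SAMPLE_LOG = r"""
NtCreateKey Key:\REGISTRY\MACHINE\Software\Classes\Directory\Shellex\CopyHookHandlers\paucvducweuctevdtbs
NtCreateKey Key:\REGISTRY\USER\S-1-XXX\Software\Classes\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D1886}\InprocServer32
NtCreateKey Key:\REGISTRY\USER\S-1-XXX_CLASSES\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D1886}\InprocServer32
NtSetValueKey Key:\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\paucvducweuctevdtbs New Value:{118BEDCA-A901-4203-B4F2-ADCB957D1886}
NtSetValueKey Key:\REGISTRY\USER\S-1-XXX_CLASSES\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D1886}\InprocServer32 New Value:C:\ProgramData\2932\wsse.dll
NtSetValueKey Key:\REGISTRY\USER\S-1-XXX_CLASSES\Directory\Shellex\CopyHookHandlers\paucvducweuctevdtbs New Value:{118BEDCA-A901-4203-B4F2-ADCB957D1886}
NtDeleteValueKey Key:\REGISTRY\USER\S-1-XXX\Software\Microsoft\Windows\CurrentVersion\Internet Settings Value:AutoConfigURL
NtDeleteValueKey Key:\REGISTRY\USER\S-1-XXX\Software\Microsoft\Windows\CurrentVersion\Internet Settings Value:AutoDetect
NtDeleteValueKey Key:\REGISTRY\USER\S-1-XXX\Software\Microsoft\Windows\CurrentVersion\Internet Settings Value:ProxyOverride
NtDeleteValueKey Key:\REGISTRY\USER\S-1-XXX\Software\Microsoft\Windows\CurrentVersion\Internet Settings Value:ProxyServer
NtSetValueKey Key:\REGISTRY\USER\S-1-XXX\Software\Microsoft\Windows\CurrentVersion\Internet Settings Value:ProxyEnable New Value:0
"""

# One event per line. The key path may contain spaces, so it is matched lazily and the
# optional "Value:" / "New Value:" fields anchor its end. Format is an assumption of the example.
EVENT_RE = re.compile(
    r"^(?P<op>NtCreateKey|NtSetValueKey|NtDeleteValueKey)\s+Key:(?P<key>.+?)"
    r"(?:\s+Value:(?P<name>\S+))?(?:\s+New Value:(?P<value>.*))?$"
)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PROXY_VALUES = {"autoconfigurl", "autodetect", "proxyserver", "proxyoverride"}


def parse_events(log: str) -> List[Dict[str, str]]:
    events = []
    for line in log.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def replay(events) -> Tuple[Dict[str, Dict[str, str]], List[Tuple[str, str]]]:
    """Replay events into key -> {value name: data}; '' is the (Default) value."""
    keys: Dict[str, Dict[str, str]] = {}
    deleted: List[Tuple[str, str]] = []
    for ev in events:
        key = ev["key"].lower()
        values = keys.setdefault(key, {})
        name = (ev["name"] or "").lower()
        if ev["op"] == "NtSetValueKey":
            values[name] = ev["value"] or ""
        elif ev["op"] == "NtDeleteValueKey":
            deleted.append((key, name))
    return keys, deleted


def resolve_copy_hooks(keys) -> List[Dict[str, object]]:
    """Join CopyHookHandlers\\<name> (Default)=CLSID with CLSID\\{..}\\InprocServer32 (Default)=DLL."""
    servers: Dict[str, List[Tuple[str, str]]] = {}
    for key, values in keys.items():
        m = re.search(r"\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$", key)
        if m and "" in values:
            servers.setdefault(m.group(1), []).append((key, values[""]))
    findings = []
    for key, values in keys.items():
        m = re.search(r"\\directory\\shellex\\copyhookhandlers\\([^\\]+)$", key)
        if not m or "" not in values:
            continue
        clsid = values[""].lower()
        for server_key, dll in servers.get(clsid, []):
            findings.append({
                "handler": m.group(1), "clsid": clsid, "dll": dll,
                "handler_key": key, "server_key": server_key,
                "user_hive": server_key.startswith("\\registry\\user\\"),
                "untrusted_path": not dll.lower().startswith(TRUSTED_DIRS),
            })
    return findings


def proxy_tampering(keys, deleted) -> List[str]:
    """Report WinINet proxy values removed or disabled under ...\\Internet Settings."""
    hits = [f"deleted {name}" for key, name in deleted
            if key.endswith("\\internet settings") and name in PROXY_VALUES]
    hits += ["ProxyEnable set to 0" for key, values in keys.items()
             if key.endswith("\\internet settings") and values.get("proxyenable") == "0"]
    return hits


if __name__ == "__main__":
    keys, deleted = replay(parse_events(SAMPLE_LOG))
    for f in resolve_copy_hooks(keys):
        flags = [n for n in ("user_hive", "untrusted_path") if f[n]]
        print(f"copy hook {f['handler']} -> {f['clsid']} -> {f['dll']} {flags}")
    for hit in proxy_tampering(keys, deleted):
        print("proxy:", hit)
```

The per-user check is the one to keep in mind: HKEY_CLASSES_ROOT is a merged view in which HKCU\Software\Classes takes precedence over HKLM\Software\Classes, so a CLSID registered under the user's hive, as it is here, overrides any machine-wide definition of the same GUID and needs no administrative rights. On a live system the same join can be run against HKCR\Directory\shellex\CopyHookHandlers instead of a log.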

Before we go back to the behavioral analysis, let's have a look at the malicious WSSE.DLL. It exports several APIs with odd names in which some letters appear twice, which looks like a crude form of function-name obfuscation. Here is a snapshot of the export section as shown by IDA Pro.

wsse.dll export section

Below you can see some of the Win32 APIs that the DLL imports.

wsse.dll import section

Looking at the strings in WSSE.DLL, there is one that deserves more attention (and was the inspiration for the title of this blog post).

wsse.dll-assembly-01

I’m not sure what exactly the malware author had in mind, but my reading is “Having itself digital wheel simulation nearby venomous (lethal) time snake.”

Another interesting aspect of this malware is that the author chose to implement the core malware logic inside a copy hook handler COM component. Copy hook handlers are a type of shell extension: a native in-process COM server that implements the ICopyHook::CopyCallback method. Windows Explorer calls this method before it copies, moves, renames or deletes a folder (or printer object), and the return value (IDYES, IDNO or IDCANCEL) tells the shell whether to carry out the operation. From that position, logic in the malicious WSSE.DLL could stop the user from moving or deleting the folders the malware dropped, at least through Explorer, and it could watch every folder copy/move/rename/delete the user performs in Explorer and report it to a CnC server. Note that copy hooks are consulted only for shell folder operations; they do not intercept file access by other programs. More details on how to create and register a copy hook handler are available in “How to Create Copy Hook Handlers”: http://msdn.microsoft.com/en-us/library/windows/desktop/cc144063(v=vs.85).aspx

Once the copy hook handler WSSE.DLL is registered, Windows Explorer loads it by itself, as shown in the screenshot below. There is no need to inject code into Explorer: the shell picks the DLL up from the registry and loads it into the explorer.exe process through a documented extension mechanism, so a product that looks only for injection sees nothing unusual.

Explorer - WSSE.DLL

After Windows Explorer loads WSSE.DLL, the DLL's entry point (DllMain) executes malicious code that creates several new files, as shown below.

explorer.exe [Process Id: 2112]
     Event:Create File[C:\ProgramData\2860a7ec-3f93-462e-9a1a-c1bc11e91c2e]
     Event:Open File[C:\ProgramData\2860a7ec-3f93-462e-9a1a-c1bc11e91c2e]
     Event:Read File[C:\ProgramData\2860a7ec-3f93-462e-9a1a-c1bc11e91c2e]
     Event:Write File[C:\ProgramData\2860a7ec-3f93-462e-9a1a-c1bc11e91c2e]
     Event:Open File[C:\ProgramData\2932]
     Event:Open File[C:\ProgramData\2932\760692.dat]
     Event:Create File[C:\ProgramData\2932\kmidw.dat]
     Event:Create File[C:\ProgramData\2932\lxcwq.dat]
     Event:Open File[C:\ProgramData\2932\lxcwq.dat]
     Event:Read File[C:\ProgramData\2932\lxcwq.dat]
     Event:Write File[C:\ProgramData\2932\lxcwq.dat]
     Event:Open File[C:\ProgramData\2932\wsse.dll]
     Event:Write File[C:\ProgramData\2932\wsse.dll]
     Event:Open File[C:\ProgramData\2932\xdor.dat]
     Event:Read File[C:\ProgramData\2932\xdor.dat]
     Event:Create File[C:\ProgramData\da4f57ad-6a91-452a-93a9-2a567e46c443]
     Event:Create File[C:\ProgramData\da4f57ad-6a91-452a-93a9-2a567e46c443\09c5dbca-f59b-4fbb-8efe-e4327cf532d2]
     Event:Write File[C:\ProgramData\da4f57ad-6a91-452a-93a9-2a567e46c443\09c5dbca-f59b-4fbb-8efe-e4327cf532d2]

1352123452.exe then attempts to connect to 37.130.225.18 on port 80 (http) which appears to be located in London. Below is the geographic location of the IP.

IP Geo Location

We have used http://www.mxtoolbox.com/ReverseLookup.aspx for researching the IP addresses found in this sample. 37.130.225.18 points to 2582e112[dot]rdns[dot]100tb[dot]com.

IP Reverse Lookup

Next we provide an easy way to identify this malware.

PEView makes it easy to walk the sections of the file. As shown below, the resource directory contains a REGISTRY resource, which is where an ATL project embeds its .rgs registry script; it indicates that 1352123452.exe was built as an ATL COM component with Visual Studio.

PEView

A quick look in Hex Editor Neo (or 010 Editor, or whichever editor you prefer) confirms that the main executable, 1352123452.exe, was built from the Visual Studio ATL template. The embedded text shows that the project carried a registry script file with an .rgs extension; such a script describes the registry entries for the COM component(s) implemented in the binary, and the “CfgComp.CfgComp = s 'CfgComp Class'” line matched by the YARA rule below is a fragment of it. For more details see “Registering a COM Plug-in”: http://msdn.microsoft.com/en-us/library/windows/desktop/dd874680(v=vs.85).aspx

Hex Editor Neo

The GUID visible in the screenshot above, together with the .rgs fragment and the string from WSSE.DLL, gives us enough to identify the malware with a simple YARA rule.

rule lethaltimesnake : trojan
{
    strings:
        // CLSID and .rgs fragment embedded in the dropper 1352123452.exe
        $a = "{BB0D7187-3C44-11D2-BB98-3078302C2030}" fullword nocase
        $b = "CfgComp.CfgComp = s 'CfgComp Class'"
        // string found in the dropped wsse.dll
        $c = "Having itself digeital wilhl simultation nearby lethal time snake"

    condition:
        ($a and $b) or $c
}

Yara

The hashes of the files related to this sample are copied below.

==================================================
Filename : 1352123452.exe
MD5 : 38422e9835b92ec9f4c19e80642da264
SHA1 : f5ea3d43d738f0262afba0513391980be7cb1af4
CRC32 : 04c65ac0
SHA-256 : 6c847bbb076d022459c3a5c0e73568c8d8dec5b44f59bb966283691b83b2e0a9
Full Path : C:\Temp\c2d3a7d727e34486967c0478f983f967\1352123452.exe
File Size : 234,048
File Version : 6.0.6000.16386 (vista_rtm.061101-2205)
Product Version : 6.0.6000.16386
Identical :
Extension : exe
File Attributes : A
==================================================

==================================================
Filename : 760692.dat
MD5 : 4bb7997ddbf99a41a88e345b373ec324
SHA1 : fcc71f1216d9a33f817efd726e9fce2301a080f9
CRC32 : d7ab660d
SHA-256 : e8be0bbbd4392e1810455db81724b6a480de8ecbc2de97f503e3acabfd95913f
Full Path : C:\ProgramData\2932\760692.dat
File Size : 4
File Version :
Product Version :
Identical :
Extension : dat
File Attributes : A
==================================================

==================================================
Filename : 760707.dll
MD5 : 9f4a77b87f9ee0496cb48f919a87c9ef
SHA1 : 1cc0876ef3d1aeea6ac3a06fa0866c8a5afcc5e7
CRC32 : cc1a4813
SHA-256 : a0d3883bc69e4749b32e22ffe21ebc9ff3a78152600a912e7aab95d52846dd72
Full Path : C:\ProgramData\2932\760707.dll
File Size : 4
File Version :
Product Version :
Identical :
Extension : dll
File Attributes : A
==================================================

==================================================
Filename : lxcwq.dat
MD5 : 8044b31ab3a3db2372f5b3088fdbcb0f
SHA1 : 408808561cf3e03167f744687f90ebe0adf096a8
CRC32 : 5aeb8bb4
SHA-256 : 5dd5232329175d7ca29df3e27934d777278f13f379fdb627c69aae915a524dd0
Full Path : C:\ProgramData\2932\lxcwq.dat
File Size : 8
File Version :
Product Version :
Identical :
Extension : dat
File Attributes : A
==================================================

==================================================
Filename : wsse.dll
MD5 : 7a4922bebfd33073ca0849233dbdebac
SHA1 : 67f8fba0abfc61d053e1c0254379a58b9f9f77b0
CRC32 : 14c34767
SHA-256 : 798632a9b72725c0970ea87340a86aebbd29f0a0199dd3adaaf0e64a45c4c0ba
Full Path : C:\ProgramData\2932\wsse.dll
File Size : 102,912
File Version :
Product Version :
Identical :
Extension : dll
File Attributes : A
==================================================

==================================================
Filename : xdor.dat
MD5 : 0a571a66f261a63dd62ba79f02bc4ae1
SHA1 : 0c86eed64cb19a40be744828a37bd3c553c9ae0b
CRC32 : db2ab273
SHA-256 : 1f20ea6ba73e524dfb419a9a17ef7a62a345a76c8f7c1463176f2ade681f7d77
Full Path : C:\ProgramData\2932\xdor.dat
File Size : 430,080
File Version :
Product Version :
Identical :
Extension : dat
File Attributes : A
==================================================

==================================================
Filename : 2860a7ec-3f93-462e-9a1a-c1bc11e91c2e
MD5 : 20f50d964128d32b04e859736d8a5eb3
SHA1 : 9bfda3933c67d4a693f36c1167d0e96a17631ebc
CRC32 : c9c217a0
SHA-256 : 57f631d8fa31c8f838d99408015b8d73cfd1271348f3af577ba880ca6e9ca5c5
Full Path : C:\ProgramData\2860a7ec-3f93-462e-9a1a-c1bc11e91c2e
File Size : 1,300
File Version :
Product Version :
Identical :
Extension :
File Attributes : AHS
==================================================

==================================================
Filename : 09c5dbca-f59b-4fbb-8efe-e4327cf532d2
MD5 : 1f5b1e350ff6757ab8989d8131c92702
SHA1 : ed063668d6b80b715a3c1652a002ba6a32b8ae2c
CRC32 : 1425924a
SHA-256 : e296e52ab85874718a5689c505e1ea97b7177c294a9c7c4cad1fe187b011e5a4
Full Path : C:\ProgramData\da4f57ad-6a91-452a-93a9-2a567e46c443\09c5dbca-f59b-4fbb-8efe-e4327cf532d2
File Size : 74,880
File Version :
Product Version :
Identical :
Extension :
File Attributes : AHS
==================================================
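The hash list above uses a simple “Field : Value” block format that is easy to turn into indicators. As an added example written for this post (not code from the original analysis), the Python script below parses that format, returns the records as dictionaries, emits the SHA-256 values as an IOC list, and applies a few sanity checks that this sample illustrates: an .exe or .dll smaller than a DOS header cannot be a PE image, a GUID-named file with hidden+system attributes under C:\ProgramData, and a file carrying version information while sitting outside the system directories. Three records from the list are embedded as sample input, abridged to the fields the script reads; the check thresholds and the trusted-directory list are the example's own assumptions.

```python
"""Parse 'Field : Value' hash-list blocks into records, IOCs and triage flags."""
import re
from typing import Dict, List

# Three records from the hash list in this post, abridged to the fields used below.
SAMPLE_HASHES = r"""
==================================================
Filename : 1352123452.exe
SHA-256 : 6c847bbb076d022459c3a5c0e73568c8d8dec5b44f59bb966283691b83b2e0a9
Full Path : C:\Temp\c2d3a7d727e34486967c0478f983f967\1352123452.exe
File Size : 234,048
File Version : 6.0.6000.16386 (vista_rtm.061101-2205)
Extension : exe
File Attributes : A
==================================================

==================================================
Filename : 760707.dll
SHA-256 : a0d3883bc69e4749b32e22ffe21ebc9ff3a78152600a912e7aab95d52846dd72
Full Path : C:\ProgramData\2932\760707.dll
File Size : 4
File Version :
Extension : dll
File Attributes : A
==================================================

==================================================
Filename : 2860a7ec-3f93-462e-9a1a-c1bc11e91c2e
SHA-256 : 57f631d8fa31c8f838d99408015b8d73cfd1271348f3af577ba880ca6e9ca5c5
Full Path : C:\ProgramData\2860a7ec-3f93-462e-9a1a-c1bc11e91c2e
File Size : 1,300
File Version :
Extension :
File Attributes : AHS
==================================================
"""

DOS_HEADER_SIZE = 64   # IMAGE_DOS_HEADER; no valid PE image is smaller than this
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def parse_hash_list(text: str) -> List[Dict[str, str]]:
    """Split on '=====' separator lines; each record is a dict of its 'Field : Value' pairs."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"="}:              # separator closes the record in progress
            if current:
                records.append(current)
                current = {}
            continue
        field, _, value = line.partition(":")   # first colon ends the field name
        current[field.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def file_size(record: Dict[str, str]) -> int:
    return int(record.get("File Size", "0").replace(",", "") or 0)


def sha256_iocs(records) -> List[str]:
    """Distinct SHA-256 values, ready for a blocklist or a retro-hunt."""
    return sorted({r["SHA-256"] for r in records if r.get("SHA-256")})


def triage(records) -> Dict[str, List[str]]:
    """Map filename -> reasons to look closer; files with nothing to say are omitted."""
    findings: Dict[str, List[str]] = {}
    for r in records:
        name, ext = r.get("Filename", ""), r.get("Extension", "").lower()
        path, attrs = r.get("Full Path", ""), r.get("File Attributes", "").upper()
        size = file_size(r)
        reasons = []
        if ext in ("exe", "dll") and size < DOS_HEADER_SIZE:
            reasons.append(f".{ext} of only {size} bytes cannot be a PE image")
        if "H" in attrs and "S" in attrs:
            reasons.append("hidden+system attributes")
        if not ext and GUID_RE.match(name.lower()):
            reasons.append("GUID-named file without extension")
        if path.lower().startswith("c:\\programdata\\"):
            reasons.append("lives under C:\\ProgramData")
        if r.get("File Version") and not path.lower().startswith(TRUSTED_DIRS):
            reasons.append(f"carries version info {r['File Version']!r} but sits outside system directories")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    recs = parse_hash_list(SAMPLE_HASHES)
    print("IOCs:", *sha256_iocs(recs), sep="\n  ")
    for name, reasons in triage(recs).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

The size check is the cheapest of the lot and catches 760707.dll immediately: a 4-byte file with a .dll extension is data wearing a library's name, which agrees with the earlier observation that only wsse.dll is a real binary.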