Ploutos ATM Malware Analysis

Source: VirusTotal

File identification
MD5: eca2ca8ecf63816d9a157888e3d871dc
SHA1: b0b13b336ee8770bb2a90fb1292fd9dcabd046f4
SHA256: d99339d3dc6891cdd832754c5739640c62cd229c84e04e9e3cad743c6f66b1b9

FileVersionInfo properties
Copyright: Copyright © Ploutos 2013
Product: Ploutos
Original name: Ploutos.exe
Internal name: Ploutos.exe
File version: 1.0.0.0
Description: Ploutos

PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2013-07-24 07:09:14
Entry Point: 0x0000944E
Number of sections: 3

.NET details
Module Version ID: b943871a-96c9-53f0-1673-9625474d13a6

PE imports
[+] mscoree.dll

Number of PE resources by type
RT_MANIFEST: 1
RT_VERSION: 1

Number of PE resources by language
NEUTRAL: 2

The following command codes, entered on the ATM keypad, and their purposes are:

12340000: Tests whether the keyboard is receiving commands.

12343570: Generates the ATM ID, which is stored in the DATAA entry of the config.ini file.

12343571XXXXXXXX: Has two actions:

    Activate ATM ID: generates an activation code based on an encoded ATM ID and the current date. This value is stored in the DATAC entry of the config.ini file. The eight bytes read in (XXXXXXXX) must be a valid encoded ATM ID generated by a function called CrypTrack(). A valid ATM activation code must be obtained before the ATM will dispense cash.

    Generate timespan: sets a timer for dispensing money; the value is stored in the DATAB entry of the config.ini file.

12343572XX: Commands the ATM to dispense money. The XX digits represent the number of bills to dispense.
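An added decoder for the keypad command format described above, written for this page (it is not code from the Ploutos sample or the VirusTotal report) to flag these sequences in a keypad or transaction log; the log it scans is constructed, and the action names and config_entry labels are my own.

```python
# Added example: decoder for the Ploutos keypad command format described above.
# KEYPAD_LOG is a constructed log, one keypad entry per string.
KEYPAD_LOG = ["4321", "12340000", "12343570", "1234357112345678",
              "1234357210", "12343572", "123435719999"]

PREFIX = "1234"
# action code -> (name, required argument length, config.ini entry it writes)
ACTIONS = {
    "0000": ("keyboard_test", 0, None),
    "3570": ("generate_atm_id", 0, "DATAA"),
    "3571": ("activate_and_set_timespan", 8, "DATAC/DATAB"),
    "3572": ("dispense", 2, None),
}

def parse_command(code):
    """Decode one keypad entry. Returns a dict for a well-formed Ploutos command,
    or None for ordinary input or a malformed (wrong-length) command."""
    if not code.isdigit() or not code.startswith(PREFIX) or len(code) < 8:
        return None
    action_code, arg = code[4:8], code[8:]
    if action_code not in ACTIONS:
        return None
    name, arg_len, entry = ACTIONS[action_code]
    if len(arg) != arg_len:
        return None                           # truncated or over-long argument
    result = {"action": name, "config_entry": entry}
    if name == "dispense":
        result["bills"] = int(arg)            # XX = number of bills
    elif name == "activate_and_set_timespan":
        result["encoded_atm_id"] = arg        # XXXXXXXX, must come from CrypTrack()
    return result

def scan_keypad_log(entries):
    """Return (index, decoded command) for every recognised entry, in order."""
    hits = []
    for i, entry in enumerate(entries):
        parsed = parse_command(entry)
        if parsed is not None:
            hits.append((i, parsed))
    return hits
```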

Malware Forensics: Necurs Dropper via NTSecureSys

Source: Immunity Debugger, IDA Pro



File: necurs_dropper[.]exe
Size: 97792 Bytes
MD5: 6B3D2D146E683DAF0DEB906D57393E22

Mutex:
  • Instance0: ESENT Performance Data Schema Version 40

Ports (Port / PID / Type / Path):
  • 3417 / 2688 / TCP / C:\Documents and Settings\Administrator\Desktop\dropper[.]exe
  • 3418 / 3536 / TCP / C:\Documents and Settings\Administrator\Desktop\dropper[.]exe
  • 3419 / 384 / TCP / C:\Documents and Settings\Administrator\Desktop\dropper


API Logger (Interesting Calls):

  • 91222     CreateFileA(\\.\NtSecureSys)    
  • 912c6     GetCurrentProcessId()=2688
  • 771bd3a9     connect(69.50.214[.]54:80)

URLs (via GlobalAddAtomA API): shown only in screenshots in the original post; not reproduced here.

RegKeys (Anti-AV Check):

  • SUNBELT SOFTWARE
  • Sunbelt Software
  • G DATA Software
  • CJSC Returnil Software
  • Check Point Software Technologies Ltd
  • Panda Software International
  • FRISK Software International Ltd
  • ALWIL Software

Reversing Malicious RTF Document: MS10-087 Exploit CVE-2010-3333

Image 1: The maldoc, titled "ANCALOG[.]doc", reveals RTF artifacts.
Goal: Practice reverse engineering RTF exploits. In this case, we analyze the infamous exploit for MS10-087 CVE-2010-3333. This exploit was heavily used by various Chinese and Eastern-European APT groups. The sample below was submitted from Poland on June 6, 2016.

I. Malware Sample: ANCALOG[.]doc
Original Filename: ANCALOG[.]doc
MD5: 4483ad299158eb54f6ff58b5346a36ee
SHA-1: 7551c2d2c1b3271cecab6fc803626bc3d505aacd
SHA-256: 97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2
ssdeep: 48:mdTagznhm11D1Dl8NYYhpWo0FdzMwRH0dgw9h3WEQDT:mxB6VV5o0vH0dJD8T
Size: 664.9 KB (680855 bytes)
Type: Rich Text Format
Magic: Rich Text Format data, version 1, unknown character set
TrID: Rich Text Format (100.0%)

Image 2-3: The list of all contents of the RTF maldoc as displayed by rtfdump.
Command Sequence:
I. python2.7 rtfdump.py -y rtf.yara 97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2

Image 4: The maldoc scan by the RTF Yara ruleset reveals various signs of exploitation inside the maldoc.


II. python2.7 rtfdump.py -s 337677 97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2 

Image 5: The rtfdump script reveals the encoded payload inside the maldoc.


III. python2.7 rtfdump.py -s 338677 -H ../97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2 

Image 6: The hexadecimal dump reveals six sequential NOP instructions (often used to set the stage for exploits) at 0x35 and the "cmd" script at the end.


IV. python2.7 rtfdump.py -s 338677 -H -c "0x35:" -d ../97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2 > shellcode.bin
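As an added example (not part of the original post, and not rtfdump itself), a stand-alone script that automates the triage the steps above do by hand: it decodes the \objdata hex blobs, checks for the OLE 1.0 object header and the pFragments keyword that the YARA rules below match on, and measures the longest NOP run. The RTF it scans is constructed for this example, not the ANCALOG maldoc.

```python
import re

# Constructed sample RTF (not the ANCALOG maldoc): one \objdata hex blob carrying
# the OLE 1.0 header and a six-byte NOP run, plus the pFragments property.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\shp{\sp{\sn pFragments}{\sv 1;1;0000}}}"
    r"{\object\objemb{\*\objdata "
    "0105000002000000"             # OLE 1.0 object header (matches rule RTF_Object)
    "08000000" "5061636b61676500"  # class-name length + "Package\0"
    "909090909090"                 # six NOPs, like the run at 0x35 in the hex dump
    "41414141"                     # placeholder payload bytes
    "}}}"
)

OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+?)\}")
OLE10_HEADER = bytes.fromhex("0105000002000000")

def extract_objdata(rtf):
    """Decode every \\objdata hex blob in the document to raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(r"\s+", "", m.group(1))   # blobs are usually line-wrapped
        if len(hexstr) % 2:                      # tolerate a dangling nibble
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr))
    return blobs

def longest_nop_run(data):
    """Length of the longest run of 0x90 bytes (a NOP-sled indicator)."""
    run = best = 0
    for b in data:
        run = run + 1 if b == 0x90 else 0
        best = max(best, run)
    return best

def triage(rtf):
    """Summarise the indicators the YARA rules and the hex dump above look for."""
    blobs = extract_objdata(rtf)
    return {
        "objects": len(blobs),
        "ole10_header": any(b.startswith(OLE10_HEADER) for b in blobs),
        "pFragments": "pFragments" in rtf,
        "max_nop_run": max((longest_nop_run(b) for b in blobs), default=0),
    }
```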

Yara RTF Maldoc Signature:

rule includepicture_http
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = "INCLUDEPICTURE"
        $a2 = "http" nocase
    condition:
        $a1 and $a2
}
rule ListView2_CLSID
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = {4B F0 D1 BD 8B 85 D1 11 B1 6A 00 C0 F0 28 36 28}
    condition:
        any of them
}
rule http
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = "http" nocase
    condition:
        $a1
}
rule RTF_Object
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = {01 05 00 00 02 00 00 00}
    condition:
        any of them
}
rule pFragments
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = "pFragments"
    condition:
        $a1
}
