Kawpfuni Backdoor: Malware Analysis

Source: Xylitol’s great analysis
Goal: Reverse this modular backdoor, which uses FindResource binary storage, process injection, and military operation keywords.
=== IMPORTS ===

MODULE_NAME      HINT   ORD  FUNCTION_NAME
kernel32.dll        0        GetProcAddress
kernel32.dll        0        GetModuleHandleA
kernel32.dll        0        LoadLibraryA
user32.dll           0        wsprintfW
advapi32.dll        0        RegEnumValueA
shlwapi.dll         0        PathFileExistsA
oleaut32.dll        0        VariantChangeTypeEx
kernel32.dll        0        RaiseException

# StringTable 041204b0:

  FileDescription     :  “HncUpdate MFC 응용 프로그램”
  FileVersion         :  “1.0.0.1”
  InternalName        :  “HncUpdate.exe”
  LegalCopyright      :  “Copyright (C) 2003”
  OriginalFilename    :  “HncUpdate.exe”
  ProductName         :  “HncUpdate 응용 프로그램”
  ProductVersion      :  “1.0.0.1”

  VarFileInfo         :  [ 0x412, 0x4b0 ]

=== Packer / Compiler ===

  ASProtect 1.33 – 2.1 Registered (Alexey Solodovnikov)


Imported libraries and Windows API calls: 


Kernel32, LoadLibraryW, LoadLibraryA, SchedServiceMain kernel32.dll

Imported DLLs:

\samsvc.dll,\dllcache\schedsvc.dll, \schedsvc.dll, mfc80u.dll, c_0605.nls

 Registry: 

SOFTWARE\Microsoft\IE Config\PackageSoftware\Microsoft\Windows\CurrentVersion\Internet Settings.Software\Microsoft\Internet Settings

Instruction Debug strings: 

AdjustTokenPrivileges fAiled: %d
OpenProcessToken fAiled: %d
LookupPrivilegeVAlue fAiled: %d
SeDebugPrivilege

Injected targeted process: 

spoolsv.exe via mfc80u.dll

Self-delete cmd script via ud[.]bat:

echo off
:start
if not exist "%s" goto done
del "%s"
del /AH "%s"
goto start
:done
del c:\windows\system32\hncupdate.exe
del %%

Filesystem process:

FAT32, NTFS, FILE, $EFS, $I30, INDX


Extracted payload, aka “BsDll[.]pdb”, as a DLL from the resource section.

MD5:

636501DB299D5F63772205755D4AA10F


=== Packer / Compiler ===

  MS Visual C++ 7.0

===================

Name       VirtAddr   VirtSize   RawSize   MD5                                Entropy
--------------------------------------------------------------------------------------
.text      0x1000     0x21e52    0x22000   c3930593c3c8ef81a07a4360d48e50a1   6.687287
.rdata     0x23000    0x41e4     0x5000    ad617b413e70f1e37ac6c6e5e39c7e73   5.054147
.data      0x28000    0x4b4c     0x3000    8059c57e286035979d292029c7752b0a   4.099338
.plugins   0x2d000    0xb34      0x1000    36234221ea257e7ca55b1a4622f4a4dc   0.485867   [SUSPICIOUS]
.rsrc      0x2e000    0x10       0x1000    620f0b67a91f7f74151bc5be745b7110   0.000000
.reloc     0x2f000    0x1d92     0x2000    e4167c88184fa8d240732352db5a23f9   5.141479

Imports:

[1] KERNEL32.dll
[2] USER32.dll
[3] ADVAPI32.dll
[4] SHLWAPI.dll
[5] WININET.dll
[6] urlmon.dll
[7] WS2_32.dll

PDB: 

g:\mail\pc-util\back\backdoor1\Release\BsDll[.]pdb


Military keywords:

army
Army
ARMY
Military
military
MILITARY
weapon
Weapon
WEAPON
battle
Battle
BATTLE
munition
missile
Missile
MISSILE
Aircraft
Figther
Resolve
resolve
Operation
operation
OPERATION
Air Force
AirForce
airforce
AF Portal
AFPortal
EMAIL
AIRFORCE
AIR FORCE
email
NIPR
nipr
SIPR
sipr
SNAP
KORCOM
CENTRIX
GCCS
KR/FE
SMIL
Intranet
intranet
RCIO
TNOSC
RIPR
COMSEC
PACCOM
USFK
PENTAGON
CJCS
cassifi
securet
CASSIFI
Cassifi
Certificat
CERTIFICAT
Pentagon
pentagon
usfk
RSOI
xfdl
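
Added example (not part of the original analysis or Xylitol's write-up): a small static triage that checks a file image for the PDB path, the privilege debug strings and a cluster of the acronym keywords listed above. The keyword subset, the threshold of 4 and the sample buffers are assumptions made for illustration.

```python
# Added example: static triage using strings reported on this page.
# PDB file name is re-fanged from "BsDll[.]pdb"; debug-string casing is as printed.
PDB_PATH = r"g:\mail\pc-util\back\backdoor1\Release\BsDll.pdb"
DEBUG_STRINGS = [
    "AdjustTokenPrivileges fAiled: %d",
    "OpenProcessToken fAiled: %d",
    "LookupPrivilegeVAlue fAiled: %d",
]
# Acronym subset of the keyword list; everyday words (army, email, operation)
# are skipped because they occur in benign files.
KEYWORDS = ["NIPR", "SIPR", "KORCOM", "CENTRIX", "GCCS", "TNOSC",
            "COMSEC", "PACCOM", "USFK", "CJCS", "RSOI"]
KEYWORD_THRESHOLD = 4  # assumption, not from the page: tune on your own corpus


def contains(data: bytes, text: str) -> bool:
    """True if text is present as ASCII or UTF-16LE (as in version resources)."""
    return text.encode("ascii") in data or text.encode("utf-16-le") in data


def triage(data: bytes) -> dict:
    """Report which of the page's strings occur in a file image."""
    debug = [s for s in DEBUG_STRINGS if contains(data, s)]
    words = [w for w in KEYWORDS if contains(data, w)]
    reasons = []
    if contains(data, PDB_PATH):
        reasons.append("pdb_path")
    if len(debug) >= 2:
        reasons.append("debug_strings")
    if len(words) >= KEYWORD_THRESHOLD:
        reasons.append("keyword_cluster")
    return {"match": bool(reasons), "reasons": reasons,
            "debug": debug, "keywords": words}


# Constructed sample buffers (not real samples), used to exercise triage().
SAMPLE_A = (b"MZ\x90\x00" + PDB_PATH.encode("ascii") + b"\x00"
            + b"\x00".join(w.encode() for w in ["NIPR", "SIPR", "USFK", "GCCS"]))
SAMPLE_B = (b"MZ\x90\x00" + "HncUpdate.exe".encode("utf-16-le")
            + b"\x00".join(s.encode() for s in DEBUG_STRINGS))
SAMPLE_BENIGN = b"The army email said the operation moved to USFK."

if __name__ == "__main__":
    for name in ("SAMPLE_A", "SAMPLE_B", "SAMPLE_BENIGN"):
        print(name, triage(globals()[name]))
```

The first binary is reported above as ASProtect-packed, so run this over an unpacked image or a memory dump rather than the packed file on disk.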

 Self-delete batch script routine:

@echo off
:start
if not exist %WINDIR%\system32\ipv6ld.dll goto done
del %WINDIR%\system32\ipv6ld.dll
goto start
:done
del %0



Backdoor commands:

