A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #25857  by EP_X0FF
 Thu May 14, 2015 4:22 am
Image

Malware downloader using some anti-forensics (doesn't work), UAC bypass method (uacme concept #10) and seems full of specific code for various AV's behaviour detection systems. According to VT there is no meaningful name to it from AV, yet. Loader comes probably from script-kiddie who previously worked on ransomware(s). Nick name "Phobos".

Reviewed by damagelab -> https://damagelab.org/index.php?showtopic=25839 (site unavailable at the moment of post).

Except uac bypass so far there is nothing interesting in this loader. Malware injects itself into copy of explorer.exe and by using IFileOperation autoelevation (trigger UAC set on max) copies bthudtask.exe to system32\setup folder. Next it makes a copy of system dll newdev.dll, patches it with shellcode (EPO + new section) and again with IFileOperation (triggering UAC 2nd time) copies this dll into system32\setup. Next loader start bthudtask.exe with ShellExecuteEx. As result there happening classical dll hijacking and since bthudtask.exe autoelevated, malware stored inside patched newdev.dll will be running on High IL. This autoelevation method abuses way of whitelisting MS did with UAC, where it doesn't control full path to autoelevated application (while they actually must be all hardcoded) nor controlling application specific dlls loading path (even if application inside system32 you must control it too) allowing attacker do all required manipulations inside Windows folder, preparing things for successful dll hijacking.

After successful elevation you will see hit-parade of spawning processes - two copies of explorer.exe for example or svchost.exe if something went wrong. That circus not suspicious at all, sarcasm. There was an interesting overview of successful/failed autoelevations in damagelab post. Statistic data show that most of people (in targeted countries) sit under default UAC settings (or with UAC turned off) even on Windows 8.1.

Please don't be shy and submit sample to as many AV companies as you can.

VT dropper
https://www.virustotal.com/en/file/903d ... 431575696/

VT loader part
https://www.virustotal.com/en/file/ad3b ... 431574970/

Sample courtesy of vaber and R136a1

Dropper and patched by shellcode newdev.dll in attach.
Attachments
pass: malware
(156.89 KiB) Downloaded 202 times
Last edited by EP_X0FF on Mon Oct 12, 2015 10:01 am, edited 2 times in total. Reason: image replaced
 #26454  by Xylitol
 Thu Aug 06, 2015 8:24 pm
Image
Fun to see 'Aerosol' ripping content form here.

Anyway, H1N1 sample delivered via spam
da575b916f419b9e8bfea12168fa9902: 32/55 - malwr - ThreatExpert
Image Image

Download tasks:
→ mastiksoul.org/1.exe - VxVault
→ globalconspiracy.hj.cx/1.exe - VxVault
Both tasks have same hash: https://malwr.com/analysis/YWQ0YmE5ZmFi ... hkMTNiNjI/
---
Flu season starting early: the H1N1 Loader ~ https://asert.arbornetworks.com/wp-cont ... g_h1n1.pdf
Attachments
 #26476  by EP_X0FF
 Sun Aug 09, 2015 5:57 am
Muhaha he copy-pasted word by word.
 #26510  by Xylitol
 Thu Aug 13, 2015 9:41 pm
H1N1 Loader delivered via spam.
b4f060fc95332ac7a9a1e34212b13c98: 21/55 - malwr - ThreatExpert
• dns: 4 ›› ip: 195.2.88.196 - adress: MEGAPOLISSS006.SU

Download tasks:
→ blanke.com.pl/7u54g/23dc5h5.exe - VxVault
• dns: 1 ›› ip: 195.78.66.212 - adress: BLANKE.COM.PL
→ nicemar.ro/7u54g/23dc5h5.exe - VxVault
• dns: 1 ›› ip: 46.102.253.130 - adress: NICEMAR.RO
→ airalgerie.co.uk/7u54g/23dc5h5.exe VxVault
• dns: 1 ›› ip: 77.66.30.214 - adress: AIRALGERIE.CO.UK
---
Both tasks have same hash, appear to be Dridex, VT: 4/56
Attachments
infected
(176.01 KiB) Downloaded 78 times
 #26565  by Xylitol
 Wed Aug 19, 2015 12:10 pm
H1N1 Loader still delivered via spam vector.
6550ddee84f9177233c18a7e94fbedcf >> VT: 4/55
Image
• dns: 0 ›› ip: - adress: MEGAPOLISSS006.SU // domain down, but ips are still up.

Download tasks:
→ jmdb.nl/eyer/6574.exe - VxVault
• dns: 1 ›› ip: 83.137.194.73 - adress: JMDB.NL
→ inmueblesveracruz.com/eyer/6574.exe - VxVault
• dns: 1 ›› ip: 184.154.49.74 - adress: INMUEBLESVERACRUZ.COM
→ cocktailkleider24.com/eyer/6574.exe - VxVault
• dns: 1 ›› ip: 188.94.254.51 - adress: COCKTAILKLEIDER24.COM
VT: 2/56
Image Image
Attachments
infected
(100.19 KiB) Downloaded 74 times
infected
(62.62 KiB) Downloaded 74 times
 #26786  by EP_X0FF
 Wed Sep 23, 2015 8:11 am
Does anyone have any recent samples of this loader? To test with latest Windows 10547 build which seems delivers something special for it :) Previous samples simple crash ("bydlocode" as is).
 #26787  by EP_X0FF
 Wed Sep 23, 2015 8:24 am
Xylitol wrote:H1N1 Loader still delivered via spam vector.
This one use WUSA /extract to drop newdev.dll to the system32\setup (for further use together with copied through wusa bthudtask.exe) folder and this is not working on win10 by design because /extract option is no longer valid.
 #27026  by sysopfb
 Wed Oct 21, 2015 1:29 pm
Spammed out yesterday and does the same stuff with wusa /extract for bthudtask.exe and hijacks newdev.dll

Downloaded Dyreza, version 1157, 2010uk21 campaign
Attachments
infected
(30.62 KiB) Downloaded 82 times
 #28028  by R136a1
 Tue Mar 15, 2016 4:19 pm
Two months ago, the author of H1N1 loader released a new version of his tool (H1N1v2) which he claims was completely rewritten. Some of the new features include a rewrote UAC bypass method and a new social engineering technique to elevate privileges if the malware runs at low integrity level. These two techniques and some general aspects of the new version will be discussed in this post.


H1N1v2
The new version of H1N1 loader is made up of an loader (exe) and a payload (dll). The loader is a x86 executable without any imports and has a small file size of 14.5 KB. It contains the encrypted and Upack compressed payload which has a size of 76 KB when unpacked. The used API functions of the loader and payload are resolved on the fly with the help of hashes instead of strings for both, library and API function names. Like in the previous version, sensitive strings are obfuscated and get also deobfuscated on the fly just before they are used.


Elevate privileges through WMI
One of the tasks of the loader is to check for the OS version and the current mandatory integrity level of the process. If it runs on at least Windows Vista and the integrity level is anything below SECURITY_MANDATORY_MEDIUM_RID, the loader tries to elevate privileges with the help of WMI console application. This is done by executing wmic.exe with ShellExecuteEx() and passing the string process call create "<MalwareFilePath>" as lpParameters along with runas as lpVerb.

This results in the following UAC dialog box:

Image

As you can see, the dialog box without any details doesn't look suspicious at first, because a legit Windows program is to be executed. An inexperienced user might click "Yes", not expecting a malicious application will be executed in the background. However, after expending the details menu you can see the malware which gets actually executed.

If someone falls for the trick, a new process of the malware with high integrity level will be created:

Image

Finally, the old process will be terminated and the new process continues with the injection of the payload.


UAC bypass - modified Wusa method
If the loader process has at least SECURITY_MANDATORY_MEDIUM_RID integrity level, it spawns a new instance of explorer.exe and injects the decrypted payload into it. The payload then copies the Windows delta package expander dpx.dll from the system directory into the AppData directory. Next, it opens dpx.dll to write a small shellcode into a code cave at the end of the .text section and patches the unconditional jump at the beginning of the dll in order to jump to the shellcode:

Image Image

Then, it subsequently creates two cabinet files in AppData directory named both cabfile.cab with first wusa.exe and secondly the patched dpx.dll as contents. These two contents are extracted into the drivers folder of the system directory with the help of wusa.exe and the command /quiet <CabFilePath> /extract:<TargetFilePath>. Finally, wusa.exe in the drivers will be executed with ShellExecuteEx() along with runas as lpVerb. Due two the fact that wusa.exe still has the <autoElevate>true</autoElevate> property present in all Windows versions it will be run as a high integrity level process. Further, since dpx.dll is one of the statically-linked libraries of wusa.exe, the patched version residing in the same directory gets loaded first at startup (DLL Side-Loading). This results in the shellcode inside dpx.dll being executed which in turn executes the original loader in the context of wusa.exe (high integrity). However, as EP_X0FF already pointed out, this method doesn't work on Windows 10 which is kind of strange to implement such a technique...


Files
Loader: https://www.virustotal.com/en/file/7b49 ... /analysis/
Payload: https://www.virustotal.com/en/file/8c21 ... 458057506/ (packed)
https://www.virustotal.com/en/file/08c0 ... 458057548/ (unpacked)


List of (decrypted) strings and used API functions of the loader
Code: Select all
Strings:
runas
wmic
process call create __s_
\SysWOW64\explorer.exe
\explorer.exe

Ntdll.dll:
NtAllocateVirtualMemory
NtClose
NtCreateSection
NtMapViewOfSection
NtQueryInformationProcess
NtQuerySsystemInformation
NtUnmapViewOfSection

Kernel32.dll
CloseHandle
CreateProcessW
CreateToolhelp32Snapshot
ExitProcess
GetCurrentProcessId
GetModuleFileNameW
GetVersionExW
GetWindowsDirectoryW
LoadLibraryA
Process32First
Process32Next
ReadProcessMemory
ResumeThread
Sleep
VirtualAlloc
VirtualFree
lstrcmpiW
ltrslenW

Advapi32.dll:
GetSidSubAuthority
GetSidSubAuthorityCount
GetTokenInformation
OpenProcessToken

Shell32.dll:
ShellExecuteExW

User32.dll:
wsprintfW
List of (decrypted) strings and used API functions of the payload
Code: Select all
Strings:
explorer.exe
spirate.biz:80/gate.php
M4AJQPCS9lLskNPbU21tdc9Z
\SysWOW64\
\System32\
wusa.exe
dpx.dll
drivers
cabfile.cab
cmd.exe /c makecab __s_
cmd.exe /c wusa /quiet __s_ /extract:__s_
cmd.exe /c net stop _s
cmd.exe /c sc config _s start= disabled
Software\Classes\http\shell\open\command
&browsers=
\Mozilla\Firefox\Profiles
\*.*
\logins.Json
\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
url: %s,login: %s,password: %s\r\n
&mails=
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Email
POP3 Password
POP3 User
SMTP Port
SMTP Server
SMTP Password
SMTP User
HTTP/1.1
Accept: */*
accept-Encoding: none
accept-Language: en-US.q=0.8
Content-Type: application/x-www-form-urlencoded
Connection: close
RC4-Size: 
get.adobe.com
flashplayer/download/?dualoffer=false&installer=%.8X
guid=%.8X%.8X&os=%d&bits=%d&pl=%d
guid=%.8X%.8X&report=
hostname
encryptedUsername
encryptedPassword

Ntdll.dll:
LdrProcessRelocationBlock
NtClose
NtCreateSection
NtMapViewOfSection
NtQueryInformationProcess
NtUnmapViewOfSection

Kernel32.dll:
CloseHandle
CopyFileW
CreateEventA
CreateFileA
CreateFileMappingA
CreateFileW
CreateProcessA
CreateProcessW
CreateThread
DeleteFileW
ExitProcess
FindClose
FindFirstFileA
FindNextFileA
GetFileAttributesA
GetFileAttributesW
GetFileSize
GetLocaleInfoA
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetShortPathNameA
GetVersionExW
GetVolumeInformationW
GetWindowsDirectoryW
LoadLibraryA
MapViewOfFile
OutputDebugStringA
OutputDebugStringW
ReadFile
ReadProcessMemory
ResumeThread
Sleep
UnmapViewOfFile
VirtualAlloc
VirtualFree
VirtualProtect
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WriteFile
lstrcat
lstrcpy
lstrcpyW
lstrlen
lstrlenW

Advapi32.dll:
AllocateAndInitializeSid
CheckTokenMembership
CloseServiceHandle
CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptReleaseConext
EnumServiceStatusA
FreeSid
GetSidSubAuthority
GetSidSubAuthorityCount
GetTokenInformation
OpenProcessToken
OpenSCManagerA
RegCloseKey
RegCreateKeyA
RegEnumKeyA
RegOpenKeyA
RegOpenKeyW
RegQueryValueExA
RegQueryValueExW 
RegSetValueExA

Urlmon.dll:
ObtainUserAgentString

Wininet.dll:
FindCloseUrlCache
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetQueryOptionA
InternetReadFile
InternetSetOptionA

Shell32.dll:
SHGetSpecialFolderPathA
SHGetSpecialFolderPathW
ShellExecuteExW

User32.dll:
wsprintfA
wsprintfW

Crypt32.dll:
CryptUnprotectData

Ws2_32.dll:
WSACleanup
WSAStartup
closesocket
connect
gethostbyname
socket
Attachments
PW: infected
(48.55 KiB) Downloaded 77 times