 #2326  by Evilcry
 Thu Aug 26, 2010 5:48 am
Hi,


In this blog post I'm going to analyse the Win32.Katusha.o Trojan Dropper, usually dropped via e-mail attachment or via a compromised web page.

Katusha.o appeared on various domains located in KR, USA and RU; we had approximately 6 domains that contained the same version of Katusha, with the only difference that each dropper has a different hardcoded and encrypted URL string used to download other malicious executables.

1. hxxp://bornstory.com/*
2. hxxp://digitalartfact.com/*
3. hxxp://aquui.in/v2/out/ *
4. hxxp://perejopa.com/tpsa/swar/*
5. hxxp://megatuz.ru/dh/*
6. hxxp://pulselocums.com.au/media/*

Every malicious domain also contains the following executables:

1. rapport.exe MD5: 587a7521a124f2b57538ae0b6123ca23
2. stats.exe MD5: 903BBE2D8314071F3A79D386E6E4D3DA

rapport.exe is Backdoor.Win32.Turkojan.

My sample came from megatuz.ru

Domain : hxxp://www.megatuz.ru, IpAddress : 193.105.207.105, Location : Kazakhstan

Here you can also check the shared domains that belong to 193.105.207.105, observing that AS50793 ALFAHOSTNET Alfa-Host LLP => ( 193.105.207.0/24 ) is already listed as a ZeuS Command and Control hoster.

More information on megatuz.ru C&C Server Anatomy can be checked here:

https://zeustracker.abuse.ch/monitor.ph ... megatuz.ru

A graph can be viewed here: http://www.robtex.com/as/as50793.html#asinfo

Now let's observe the stats.exe trojan.

FileName: stats.exe
FileSize: 159.00 KB (162816 bytes)
MD5: 903BBE2D8314071F3A79D386E6E4D3DA
SHA-1: D09A90770691C6C940FC273F6A768478BB2D523A

The Import Table is not crippled and its values are coherent.
The Resource Directory presents one entry, a Dialog called "PROCJOB".

Let's take a look at a self-explanatory screenshot of the Floating Frequency plot:

Image


This is a comparison between our dropper and a clean executable; as you can see, the one containing encrypted data is clearly distinguishable from the clean executable, the density is evident. Now, just for fun and confirmation, a 3D plot that clearly shows the density of the two files:

Image

Now it's time to reverse stats.exe in the canonical way; the application is written with Visual C++, so we must locate call main(argc,argv) and start analyzing from the top.

Image

call 00413780 allocates various pieces of heap and decodes a portion of code; the most interesting feature is that the RET address of this call is not in main but points to 004136B0. The piece of code that belongs to this last address has the same scope as the previous one, just code decryption/unpacking, and finally ret again lands at a different address from the caller, 00418030. This piece of code was originally decrypted, and now this last one is going to decrypt a second layer.

Image

During the analysis, various layers of encryption decoded on the fly emerged; these last ones work as decoders for other pieces of code, subsequently heap allocated and ready to be dumped as a new executable. But the most interesting aspect is the usage of API Spoofing techniques.

API Spoofing is an anti-reverse-engineering technique whose intent is to fool the debugger's API name resolution and consequently deceive the analyst, who will see for example a call to ExitProcess when in reality the malware uses CreateFile.

Image

Another important observation is that analysis of this sample should be performed using OllyDbg2 with "Debug Child Process Event" checked, because at a certain point the parent malware will drop another executable on the hard disk and subsequently execute it via CreateProcess; with Child Process Event awareness we are sure that even if the analyst misses some call, and exactly in that call CreateProcess is invoked, a new instance of OllyDbg will pop up and break execution at the Child Process's EntryPoint.

The executable that produces the Child Process is almost identical to stats.exe, with one basic difference: near the end there is a Code Injection procedure, performed in the classical way of process enumeration via CreateToolhelp32Snapshot, then opening the process via OpenProcess and performing WriteProcessMemory in combination with CreateRemoteThread.

We have essentially two files decrypted and dumped to the hard disk by stats.exe, both of them located in Documents and Settings\%user\Data Application\

There are two randomly named directories that contain the executable used to inject code and a .bin

During the infection process both executables create some statically named mutexes, so due to the uniqueness of these objects the Mutex Names can be used as Evidence Indicators and consequently, as should be obvious, as Detection elements.

Global\{2C9B3931-D5D1-B2CF-3E91-BCC8B33D8E79}
Global\{B9FA2C73-C093-27AE-3E91-BCC8B33D8E79}
Global\{F8615710-BBF0-6635-9F57-C80112FBFAB0}

Injection essentially targets system processes and has the effect of downloading an encrypted file, stats.bin

This post is just an overview of Katusha, essentially to show its anatomy.

Sample can be downloaded from https://zeustracker.abuse.ch/monitor.ph ... megatuz.ru

See you in the next post,
Giuseppe 'Evilcry' Bonfa
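The density comparison above rests on a sliding-window byte statistic. The following is an added example (not code from the post or from its author) that computes that profile over a constructed buffer standing in for a dropper image: a plain text/code region, then a random-byte blob standing in for the encrypted payload, then a low-entropy tail. It reports, per window, the Shannon entropy and the floating frequency (here taken as the number of distinct byte values in the window, which is how CrypTool's plot of that name is commonly described), and merges consecutive high-entropy windows into byte ranges worth carving. The window size, step and 6.5-bit threshold are assumptions chosen for this example; real PE sections, compressed resources and certificates will also score high, so treat a flagged range as a lead, not a verdict.

```python
"""Sliding-window byte-density profile: locate packed/encrypted regions in a buffer."""
import math
import random
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def floating_frequency(data: bytes) -> int:
    """Number of distinct byte values present in the window (CrypTool-style measure)."""
    return len(set(data))


def density_profile(data: bytes, window: int = 512, step: int = 64) -> List[Tuple[int, float, int]]:
    """Slide a window over data; return (offset, entropy, distinct_bytes) for each position."""
    profile = []
    last = max(0, len(data) - window)
    for off in range(0, last + 1, step):
        chunk = data[off:off + window]
        profile.append((off, shannon_entropy(chunk), floating_frequency(chunk)))
    return profile


def high_density_regions(profile, window: int = 512, threshold: float = 6.5) -> List[Tuple[int, int]]:
    """Merge runs of consecutive windows at or above the entropy threshold into (start, end) ranges."""
    regions = []
    start = end = None
    for off, entropy, _distinct in profile:
        if entropy >= threshold:
            if start is None:
                start = off
            end = off + window
        elif start is not None:
            regions.append((start, end))
            start = end = None
    if start is not None:
        regions.append((start, end))
    return regions


def build_sample() -> bytes:
    """Constructed 5120-byte stand-in for a dropper (assumption of this example, not bytes of stats.exe):
    2048 bytes of header/text/code-like data, 2048 random bytes as the 'encrypted' blob, 1024-byte tail."""
    rng = random.Random(2010)  # fixed seed so the run is reproducible
    clean = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" * 4).ljust(512, b"\x00")
    clean += (b"push ebp; mov ebp, esp; sub esp, 0x40; call _decode; ret\n" * 32)[:1536]
    blob = bytes(rng.getrandbits(8) for _ in range(2048))
    tail = (b"PROCJOB\x00" * 16).ljust(1024, b"\x00")
    return clean + blob + tail


if __name__ == "__main__":
    sample = build_sample()
    profile = density_profile(sample)
    for off, entropy, distinct in profile[::8]:
        bar = "#" * int(entropy * 4)
        print(f"{off:06x}  H={entropy:4.2f}  distinct={distinct:3d}  {bar}")
    for start, end in high_density_regions(profile):
        print(f"high-density region: 0x{start:x}-0x{end:x} ({end - start} bytes)")
```

Running it prints one bar per eighth window and a single flagged range covering the random blob; on a real sample you would feed the file bytes to `density_profile` and compare the ranges against the section table, since an encrypted payload that does not line up with any section is exactly the kind of thing a dropper carries.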
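The post names two things a detection can key on for the dropped child executable: the CreateToolhelp32Snapshot, OpenProcess, WriteProcessMemory, CreateRemoteThread injection sequence and the three static mutex names. The following is an added example (not code from the post or its author) that turns both into checks run over API-trace lines. The trace line format (`<seq> pid=<n> Api(args)`) and the trace content are constructed for this example and do not come from any particular sandbox; the mutex names are the ones listed above. The chain matcher tolerates other calls between the steps, which is necessary because the real sequence has Process32First/Next and VirtualAllocEx interleaved, but it requires the steps in order within one process so that a lone OpenProcess or WriteProcessMemory from a debugger or task manager does not fire.

```python
"""Detect the Katusha injection call sequence and its mutex IOCs in an API trace."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Mutex names listed in the post (Global\ namespace, GUID-style).
KATUSHA_MUTEXES = {
    r"Global\{2C9B3931-D5D1-B2CF-3E91-BCC8B33D8E79}",
    r"Global\{B9FA2C73-C093-27AE-3E91-BCC8B33D8E79}",
    r"Global\{F8615710-BBF0-6635-9F57-C80112FBFAB0}",
}

# The classical injection sequence described in the post, in the order it must occur.
INJECTION_CHAIN = ("CreateToolhelp32Snapshot", "OpenProcess", "WriteProcessMemory", "CreateRemoteThread")

MUTEX_APIS = {"CreateMutexA", "CreateMutexW", "OpenMutexA", "OpenMutexW"}

# Trace line format assumed by this example:  <seq> pid=<n> <ApiName>(<args>)
LINE_RE = re.compile(r"^(?P<seq>\d+)\s+pid=(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)\s*$")


def parse_trace(lines: Iterable[str]) -> List[Dict]:
    """Parse trace lines into events; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"seq": int(m["seq"]), "pid": int(m["pid"]), "api": m["api"], "args": m["args"]})
    return events


def find_injection_chains(events: List[Dict]) -> List[Tuple[int, List[int]]]:
    """Per pid, match INJECTION_CHAIN as an ordered subsequence of that process's calls.
    Returns (pid, [seq of each matched step]) for every completed chain."""
    progress = defaultdict(list)  # pid -> seqs of the steps matched so far
    hits = []
    for ev in events:
        matched = progress[ev["pid"]]
        if ev["api"] == INJECTION_CHAIN[len(matched)]:
            matched.append(ev["seq"])
            if len(matched) == len(INJECTION_CHAIN):
                hits.append((ev["pid"], list(matched)))
                progress[ev["pid"]] = []  # start looking for the next chain in this process
    return hits


def find_mutex_iocs(events: List[Dict]) -> List[Tuple[int, str]]:
    """Report (pid, mutex name) for every mutex call whose arguments carry a known Katusha name."""
    hits = []
    for ev in events:
        if ev["api"] in MUTEX_APIS:
            for name in KATUSHA_MUTEXES:
                if name in ev["args"]:
                    hits.append((ev["pid"], name))
    return hits


def scan(lines: Iterable[str]) -> Dict[str, list]:
    events = parse_trace(lines)
    return {"injection": find_injection_chains(events), "mutex": find_mutex_iocs(events)}


# Constructed trace: pid 1000 behaves like the dropped injector, pid 2000 is a benign process
# that merely queries another process, pid 3000 writes memory without the enumeration step.
SAMPLE_TRACE = """\
1 pid=1000 CreateMutexW(name="Global\\{2C9B3931-D5D1-B2CF-3E91-BCC8B33D8E79}")
2 pid=1000 CreateToolhelp32Snapshot(flags=TH32CS_SNAPPROCESS)
3 pid=1000 Process32First(handle=0x54)
4 pid=1000 Process32Next(handle=0x54, exe="svchost.exe")
5 pid=2000 OpenProcess(access=PROCESS_QUERY_INFORMATION, pid=620)
6 pid=1000 OpenProcess(access=PROCESS_ALL_ACCESS, pid=620)
7 pid=1000 VirtualAllocEx(pid=620, size=0x4000, protect=PAGE_EXECUTE_READWRITE)
8 pid=1000 WriteProcessMemory(pid=620, base=0x00a20000, size=0x3e00)
9 pid=3000 WriteProcessMemory(pid=3100, base=0x00401000, size=0x1)
10 pid=1000 CreateRemoteThread(pid=620, start=0x00a20000)
11 pid=2000 CreateFileW(path="C:\\tmp\\report.txt")
""".splitlines()

if __name__ == "__main__":
    result = scan(SAMPLE_TRACE)
    for pid, seqs in result["injection"]:
        print(f"injection chain in pid {pid}: steps at seq {seqs}")
    for pid, name in result["mutex"]:
        print(f"Katusha mutex in pid {pid}: {name}")
```

The mutex check is the cheaper and more specific of the two and works equally well on a live host (enumerating `\BaseNamedObjects` or a memory dump for the GUID strings); the chain check is the generic one and will also catch other injectors, so in practice the two are scored together rather than either alone.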
 #2371  by Tesk
 Thu Aug 26, 2010 7:05 pm
Great analysis!

Really good job you are doing there. I think you are very talented.

I should really start learning RE - I have started a few times, I know some basics - but never proceeded with learning.
 #2391  by Evilcry
 Fri Aug 27, 2010 5:58 am
Thank you Tesk :)

Reverse Engineering is just the natural evolution of software coding; you will fully understand an application only if you have a good programming background.

The best way to start with RCE is crackmes.

Regards