Showing posts with label Malware. Show all posts
Showing posts with label Malware. Show all posts

Monday, 17 October 2016

, , , , ,

The Threat Behind an Italian Phishing Campaign

According to Wikipedia ( Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly,money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication

This case is not about Phishing, because this campaign doesn't try to achieve sensitive information, but instead of phishing it is "something else"...

This email has been delivered in one of my mailbox honeypots.

It's very easy to understand that it is a fake email, but even if today the most of the people believe that it is authentic. This is due the fraudster's evil idea to hits the most sensitive part of the mind of every person, the pocket and the money.

This email seems to come from the Italian Agency that praise taxes.

Clicking on the hyperlink "Scarica il Documento", a web page will be showed to the end user.

Here a file named "Documento Numero 00020160830.pdf" will be download

At the first time I didn't pay attention to the phrase "La password per accedere alla fattura รจ 7604", and I have focused my attention on the file.

I decided to open the document. The icon was a zip icon but by enabling the folder's option "show file extension", the extension was ".pdf"

Well, as I expected it was a zip file, but it asked me a PASSWORD. I was reminded about the password printed in the webpage, I have put it and the file was extracted.

-------------------- STATIC ANALYSIS --------------------

The sample file was packed using NullSoft Software. 
A packer is a special program used to obfuscate the entire file.

Investigating into the sample file, two digital certificates have been discovered.

One of this digital certificate has been revoked.

-------------------- CODE REVERSE ENGINEERING --------------------

The pictures below report a code snippet to show how the malware checks and asks the path of "Temp" directory

...and below is reported the request for "ResourceLocate" directory in order to achieve GUI language.
Into pictures reported below there are strings, like DLL file names, URL and Domain, but also part of command like "[Rename]\r\n"

-------------------- DYNAMIC ANALYSIS --------------------

I have run it on my virtual environment. A process with the same name of the file was executed and another process with a name "xkpgcoc.exe" has been created.

Checking the performance graph is easy to note that only the process "xkpgcoc.exe" was doing  I/O activity on disk."

At  the end of its task, this was the result:

All data into my virtual environment was encrypted by CTB-Locker. The extension used to encrypt files has been seven random chars. The file name pattern after the encryption is: 

Running this ransomware more than one time, I noted that it changes every time the crypt-extension.
Killing the process"xkpgcoc.exe", the countdown disappear and we can read on desktop background the instructions to pay and recovery files. During the malware execution, no network traffic was generated. This mean that the cryptolocker doesn't comunicate with a C2C Server The public key are generated locally using a specific algorithm.

Instruction is also reported in a TXT file, named "!Decrypt-All-Files-aruugia.txt" and "!Decrypt-All-Files-aruugia.jpg", located within "Documents" directory.

Is useful to note four important things:

  1. The Cryptolocker didn't identify that it wasrunning on a Virtual environment
  2. The Cryptolocker didn't network connections with any C2C server
  3. The countdown was not TRUE
  4. There are not information about how much the user have to pay to recovery files.

Going one step ahead, Tor website has been checked, in order to understand the process that the user have to follow in to recovery files.

Typing the public key into the form, we receive the following webpage.

The payment simulation has been done different weeks after the infection. This demonstrate how the countdown is fake and it is useful only to scared the victim.

The webpage reported above could be reached directly knowing the URL. This mean that the fist page does not made a real check on the public key reported into the desktop background and into the instruction files. 

The only check that the first web page do, is to verify if the key was generated by the algorithm embedded into the cryptolocker. A random Public Key does not works and an an error was reported to the user.
This is a trick to lure the user or a not expert analyst.

It is a CTB-Locker and there is no known way to decrypt files encrypted by it without paying the ransom. (as reported by Kaspersky)

Everyone of Kaspersky and TrendMicro decrypter was tested and no one of them have been able to decrypt the files encrypted with CTB-Locker.

-------------------- FORENSICS ANALYSIS --------------------

Below is reported the changes that this ransomware did into my VM.

Chiave cancellata (removed keys) :3

Chiave aggiunta (added keys):32
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{9C691604-1C86-496F-9A97-388265B2C111}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9C691604-1C86-496F-9A97-388265B2C111}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bxymszh
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows Photo Viewer
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows Photo Viewer\Viewer

Valore cancellato (changed values) :3
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{688d2436-fb66-11e5-8224-08d40c63bf18}\shell\: "None"
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{688d2436-fb66-11e5-8224-08d40c63bf18}\shell\Autoplay\MUIVerb: "@shell32.dll,-8507"
HKU\S-1-5-21-682910469-3081883402-3337175249-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{688d2436-fb66-11e5-8224-08d40c63bf18}\shell\Autoplay\DropTarget\CLSID: "{F26A669A-BCBB-4E37-ABF9-7325DA15F931}"

Valore aggiunto (added values) :134
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9C691604-1C86-496F-9A97-388265B2C111}\Path: "\bxymszh"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9C691604-1C86-496F-9A97-388265B2C111}\Hash:  9C B1 E8 C3 45 CA 30 48 28 22 AF C4 95 DE F4 83 97 E3 11 86 A1 0B 33 AC 0A C1 AF 69 13 65 02 8E
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9C691604-1C86-496F-9A97-388265B2C111}\Triggers:  15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 58 21 41 00 48 48 48 48 93 EB 00 1F 48 48 48 48 00 48 48 48 48 48 48 48 00 48 48 48 48 48 48 48 01 00 00 00 48 48 48 48 1C 00 00 00 48 48 48 48 01 05 00 00 00 00 00 05 15 00 00 00 05 63 B4 28 0A CF B1 B7 D1 40 E9 C6 E8 03 00 00 48 48 48 48 28 00 00 00 48 48 48 48 57 00 49 00 4E 00 2D 00 50 00 35 00 44 00 49 00 46 00 51 00 42 00 30 00 43 00 31 00 47 00 5C 00 6D 00 61 00 63 00 00 00 38 00 00 00 48 48 48 48 58 02 00 00 10 0E 00 00 80 F4 03 00 FF FF FF FF 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AA AA 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 01 00 69 00 63 00 65 00 3A 00 00 00 69 00 2E 00 00 48 48 48 48 48 48 48 00 48 48 48 48 48 48 48 01 00 00 00 48 48 48 48 1C 00 00 00 48 48 48 48 01 05 00 00 00 00 00 05 15 00 00 00 05 63 B4 28 0A CF B1 B7 D1 40 E9 C6 E8 03 00 00 48 48 48 48 28 00 00 00 48 48 48 48 57 00 49 00 4E 00 2D 00 50 00 35 00 44 00 49 00 46 00 51 00 42 00 30 00 43 00 31 00 47 00 5C 00 6D 00 61 00 63 00 00 00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9C691604-1C86-496F-9A97-388265B2C111}\DynamicInfo:  03 00 00 00 1A E5 82 A7 10 11 D2 01 1A E5 82 A7 10 11 D2 01 00 00 00 00 00 00 00 00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bxymszh\Id: "{9C691604-1C86-496F-9A97-388265B2C111}"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bxymszh\Index: 0x00000002
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASAPI32\EnableFileTracing: 0x00000000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASAPI32\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASAPI32\FileTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASAPI32\ConsoleTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASAPI32\MaxFileSize: 0x00100000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASAPI32\FileDirectory: "%windir%\tracing"
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASMANCS\EnableFileTracing: 0x00000000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASMANCS\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASMANCS\FileTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASMANCS\ConsoleTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASMANCS\MaxFileSize: 0x00100000
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\xkpgcoc_RASMANCS\FileDirectory: "%windir%\tracing"

For sure, if it is a Ransomware it had put some file into the "Tasks" folder (C://%Nome utente%/Windows/System32) in order to be executed on computer startup.

As I expected, into this folder there was a file named "bxymszh" without a file extension. 

Note: Also this file name changes if the cryptolocker is executed more than one time restoring the VM snapshot.

The content of this file are reported below:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="">
  <RegistrationInfo />
    <LogonTrigger id="Trigger1">
  <Actions Context="Author">
    <Principal id="Author">

Below is reported the Temp folder content that includes: 2 folders and one exe file that is the process that has been executed by the evil file ("Documento Numero 00020160830.pdf.exe").

Running this ransomware more than one time, exe file's name (xkpgcoc.exe) does not changes but folders name change every time.

The content of two folders "nsmFEF9.tmp" and "nsbEDF8.tmp" is a DLL file, named "System.dll".

Analyzing both DDLs, them seams to be identical, same strings, same function names (Store, Copy, Alloc), etc, but they are located in two different folders. I suppose an development mistake into the source code.

Going to the parent directory I found other files with not classic extensions. 
This name of these file, contrary to the others DOESN'T change if the malware is executed more than one time. 
We have some good IOCs :)

Going to the parent directory I found other files with not classic extensions. 
This name of these file, contrary to the others DON'T change if the malware is executed more than one time. 
We have some good IOCs :)

In brief, this Cryptolocker use the real CTB-Locker algorithm to encrypt files that until now has been not cracked. Anyway there is a gray area about it that want to summarize in some points:
  • The end-user download a zipped file protect with password that is reported in a static webpage.
  • The Onion web page located into the dark web with a bypass of the first screen.
  • The countdown is only a fake.
  • Two equals DLL files

Every of these points improved or decreased the fraudster's economy?...If the end-user after the file download removed the email? The fraudster has failed at the first step. 

How much it's not worth the trouble?

This was a very strange campaign with a very sophisticated Cryptolocker but with some ordinary mistakes did by a not expert person.


Into \AppData\Local\:
  • aclfepwx.cb
  • aom.t 
  • cwmlmn.p 
  • jsrthsll.lj
  • ljyg.wqbv
  • pnvj.t
  • rcdsn.uv
  • rgfihvmy.uqmas.wp
  • s.wp
  • wb.ibkh
  • yjkjaryt.b

Into \System32\Tasks
  • xkpgcoc.exe

MD5: 474e163b1da51a3da12290190e508f05
SHA1: 126e8fbd68dbf76e9e20477729555049cbe89dd8

Monday, 18 July 2016

, , , , ,

Pokemon GO evolves in Malware GO - Part 1

As reported from different fonts, Pokemon Go is a virtual reality game and it is also the first game developed by Nintendo for smartphone Android and iOS.

Researchers discovered an infected Android version of the mobile game Pokemon GO. The installation file (APK) was modified to include a malicious remote access tool (RAT) called DroidJack, which would give an attacker full control over a victim’s phone.The game was first released in Australia and New Zealand on July 4th and on July 6th in the US. 

The game had not been officially released globally at the same time, many gamers wishing to access the game before it was released in their country, attempted to download a copy of the game outside of legitimate channels.


In the first part of this article I want to do a deep dive analysis of the evil APK and compare the differences between the real and the infected App.

Who created the evil App retrieved a game's copy, inserted inside a RAT tool and spread the APK in different third part market. The attacker took advantages of frenzy of the rest of the world to play the game before to be official released in the countries.


First of all I think it is important to analyze the differences between PERMISSIONs included within the Manifest file.

In the red square is highlighted a part of permissions added into the evil APK.

The user, accepting these permissions give to the attacker the full access of his SMS, contacts list, camera, microphone, Internal and external (SD card) memory, etc.

Another evidence is reported in the image below. In the green square is present the safe part of the APK, in the red square is reported the padding code, where different droidjack server services are invoked to be enabled.
In the same part is possible to read the declaration of two activities, CamSnapDJ and VideoSnapDJ
Two receivers are also declared:
  • Connector to run on boot completed
  • CallListener to read phone state

Inspecting content of both APK files, stand out that three different packages were added by the attacker. 

Droidjack is also known as SandroRat, below is reported the evidence:

The attacker used Java Crypto library to encrypt communications with AES (Advanced Encryption Standard) algorithm.


I was able to decode the Key from the byte array

Below is reported the URL contacted and the port used to communicate with the C&Cs.

This malware identifies the device and creates a Database to store these information. Then everything is sent to the website http://droidjack(dot)net/storeReport(dot)php.

In the class bs the attacker verifies if the device is rooted by checking into the fonder /system/app/ the existence of the APK file Superuser.apk.

If the smartphone is rooted, this malware will have device full control.

The image below reports how this malware monitors and stores information about SMS incoming, outgoing, and in drafted.

In the last picture I reported how the Whatsapp database is read and stolen.

Finally, this report evidences how third part market that give you the opportunity to download APK for free, could spread malicious App. To protect yourself from possible infections, download apps from official app store and not from third-party site.

There's no such thing as a free lunch!!


SHA256: 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4
MD5: d350cc8222792097317608ea95b283a8
  • (IP address:
  • (IP:

Dynamic analysis is coming soon...

Thursday, 7 July 2016

, , , ,

JS Dropper Galaxy

The wonderful ways to obfuscate JavaScript Dropper

Malware Analysis and Code Reverse Engineering is one of my passion in security field.

Today I'd like to show two wonderful ways to offuscate a JavaScript file in order to get complicated code analysis.

I analyzed the same phishing campaign (based on e-mail's Object) that spreads two different JavaScript dropper. 

As usual the author try to lure the user using double file extensions. 

The first is the following:

This file is well obfuscated and only a dynamic analysis help you to understand which actions it will perform during its execution.

The second is the following:

JavaScript Obfuscated Code - Part  1
JavaScript Obfuscated Code - Part 2
This JavaScript give me the evidence that who create it is not a very expert in code development and obfuscating field.

The trick used to obfuscate this file is to create a lot of functions that have an array filled with random number and only one position with text or one char, the function will return when invoked a specific position that is the only char present into the array. (Look Part 1)

The second part shows as who created this file, invoked more than one function within specified array position in order to rebuild URL and other objects ("Scripting.FileSystemObject", "ADODB.Stream", "MSXML2.XMLHTTP") used for evil purpose.

Below I am reporting two images that show the JavaScript code de-obfuscated. Reading it you can see which Objects will invoked in your OS when the JS file will be executed, which URL will be contacted and in which folder the evil files will be stored in your computer. 

No dynamic analysis is necessary to understand which actions this JavaScript will be performed and which URL will be requested.

JavaScript De-obfuscated Code - Part 1
JavaScript De-obfuscated Code - Part 2

 The same Campaign, two different file...?!?!