{
	"id": "223f6b12-77a0-4b16-a650-72e695fdc3c4",
	"created_at": "2026-04-06T00:19:04.199037Z",
	"updated_at": "2026-04-10T13:11:34.924942Z",
	"deleted_at": null,
	"sha1_hash": "1627cd9210769db87bf592121db5c5ee0be607e6",
	"title": "2016 Updates to Shifu Banking Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1376353,
	"plain_text": "2016 Updates to Shifu Banking Trojan\r\nBy Dominik Reichel\r\nPublished: 2017-01-06 · Archived: 2026-04-05 17:00:59 UTC\r\nOverview\r\nShifu is a banking Trojan first discovered in 2015. Shifu is based on the Shiz source code, which incorporated techniques\r\nused by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but\r\nlater including the UK, Italy, and others.\r\nPalo Alto Networks Unit 42 research has found that the Shifu authors evolved Shifu in 2016, incorporating multiple new\r\ntechniques to infect and evade detection on Microsoft Windows systems. Some of these include:\r\nExploitation of CVE-2016-0167, a Microsoft Windows privilege escalation vulnerability, to gain SYSTEM level\r\nprivileges. Earlier versions of Shifu exploited CVE-2015-0003 to achieve the same goal\r\nUse of a Windows atom to identify if the host is already infected with Shifu, in addition to the mutex used by previous\r\nversions\r\nUse of “push-calc-ret” API obfuscation to hide function calls from malware analysts\r\nUse of alternative Namecoin .bit domains\r\nWe have also identified new links between Shifu and other tools which suggest Shifu isn’t simply based on the Shiz Trojan,\r\nbut is probably the latest evolution of Shiz.\r\nThe primary goal of this report is to introduce Shifu’s new features to other malware analysts who may encounter this Trojan\r\nin the future. The following sections give an overview of the new features, and the appendix at the end includes the technical\r\ndetails on the overall functionality of Shifu.\r\nNew Developments and Features in Shifu\r\nThe Shifu version discussed in this analysis consists of several stages of payloads and was compiled in June 2016. 
The\r\nfollowing image illustrates the different files included in the initial loader which get decrypted after execution:\r\nhttps://unit42.paloaltonetworks.com/unit42-2016-updates-shifu-banking-trojan/\r\nPage 1 of 34\n\nFigure 1. File structure of Shifu\r\nThe initial obfuscated loader (x86 exe) contains the encrypted second stage injector (x86 exe). It uses three layers for\r\ndecryption, successively allocating memory via VirtualAlloc() for the next layer. The second stage injector gets decrypted\r\ninto memory and the original loader process is then overwritten with it. Next, the section flags are adjusted and the IAT\r\naddresses are resolved. The final decryption layer then jumps to the entry point of the second stage injector.\r\nThe second stage injector contains two exploits for CVE-2016-0167 (x86/x64) that have a compilation time stamp dated\r\nFebruary 2016. At the time of compilation, patches were not yet available for this vulnerability. However, the malware’s\r\ncompilation time stamp dates June 2016. This may indicate the people behind this Shifu version had access to the zero-day\r\nexploit at that time or gained access to it afterwards. The exploit uses an interesting technique which makes it possible to\r\njust copy the raw disk file into memory. To make the file executable in memory, it uses a custom PE loader shellcode\r\nappended to both versions of the exploit as a PE overlay. The shellcode takes care of all the adjustments needed to get a\r\nproper executable memory image and executes the exploit. By doing so, the file just needs to be copied into a memory\r\nbuffer and execution needs to be passed to the shellcode.\r\nWe have also found multiple other variants of the exploit: standalone versions (x86/x64), but also versions which are\r\nembedded in an injector like in Shifu. 
Additionally, we identified a version of Vawtrak which contains an earlier version of\r\nthe exploit dating back to November 2015, according to the compilation time stamp. The compilation time stamp of this\r\nVawtrak sample itself dates January 2016 and thus it is effectively the first malware known to us to use this exploit.\r\nThe second stage injector contains several anti-analysis tricks similar to the previous version. It also contains two command\r\nline parameters whose functionality indicates the malware is still in development. Further, the second stage injector uses an\r\natom to check if the system is already infected, instead of using a mutex like most of the malware today. The use of atoms is\r\nnot a new technique, but still not very widespread.\r\nThe main payload is encrypted and packed inside the .tls section of the second stage injector. It first gets decrypted and then\r\nunpacked with the aPLib compression library. As a persistence method, the main payload copies the initial loader to the\r\nAppData folder and creates a JScript file inside the Startup folder which points to it. The second stage injector injects the\r\nmain payload inside an x86 instance of svchost and patches its API function calls with an obfuscation technique to make\r\nstatic and dynamic analysis of the malware more difficult.\r\nCompared to the previous version, the main payload contains some updates. This includes the strings to search for on the\r\nvictim’s system, the browser target list, and the bot commands. The main payload uses .bit top-level domains to contact its\r\nC\u0026C server. The domain names, the user-agent string and the URL parameters are encrypted with a modified RC4\r\nencryption algorithm. 
The domain names indicate that the attackers may be either located in Ukraine or have a Ukrainian\r\nbackground.\r\nUnfortunately, at the time of the analysis the C\u0026C server didn’t respond with any commands and thus further analysis of the\r\ntargeted financial institutions wasn’t possible. This information would normally be downloaded into a configuration file on\r\nthe victim’s disk. For some of its functionality, the main payload hooks some API functions inside the svchost.exe process\r\ninto which it is injected. Further, it uses the Apache web server for the web injections. If it was successfully downloaded\r\nfrom the C\u0026C server, the malware makes use of a layered service provider (LSP) to hook into the Winsock API for intercepting\r\nand modifying inbound and outbound Internet traffic. It also contains the commonly used methods to hook into the browsers'\r\nnetworking functions found in many other banking Trojans.\r\nBoth the second stage injector and the main payload contain a lot of strings which are never used. This indicates the\r\nauthor(s) were either in a rush to build the malware or the development was done in a sloppy way.\r\nInstead of the string “IntelPowerAgent6” seen in the last version, this sample contains the string “IntelPowerAgent32”,\r\nwhich is never used. In addition to the atom created by the second stage injector to check if the system is already infected,\r\nthe main payload also creates a mutex with a name based on the same procedure used to create the name for the atom (see\r\nAppendix). However, the mutex uses a hardcoded prefix “DAN6J0-” before the byte sequence that is also used for\r\nthe atom string: “{DAN6J0-ae000000d2000000e100}”\r\nFigure 2. 
Shifu mutex and the associated svchost process\r\nShifu, Shiz and Other Related Tools\r\nThe Shifu banking Trojan is mainly based on the Shiz/iBank source code, which is one of the oldest banking Trojans still in\r\nthe wild today. Shiz was first discovered in 2006 and has been through several stages of development since that time. It\r\nbegan as a banking Trojan which only focused on Russian financial institutions. Later, it also began targeting an Italian bank\r\nwhich may have set the stage for a more international focus. The internal versions we have tracked over the last five years\r\nranged from generation 2 to 4 (2011) and 5 (2013/2014). The fifth generation of Shiz was the last one we saw in the wild in\r\n2014 (last internal version was 5.6.25) and it differs from the 4th generation in the coding style. It looks like it was\r\ndeveloped by another coder, which could indicate the source code was sold or shared. The query string used to contact the\r\nC\u0026C server of one of the very first versions of the fifth generation supports our theory:\r\nbotid=%s\u0026ver=5.0.1\u0026up=%u\u0026os=%03u\u0026ltime=%s%d\u0026token=%d\u0026cn=reborn\u0026av=%s\r\nWe can see that the campaign name (cn) contains the string “reborn”.\r\nShifu was first discovered in the wild in the middle of 2015 and we believe it's the evolution of the 5th generation of Shiz\r\nwith a more international focus.\r\nWe have not only tracked the Shiz banking Trojan over the last couple of years, but also found several additional malware\r\ntools allegedly from the same author(s). Collected samples indicate the author(s) have developed a whole set of financially\r\nrelated malware. It’s not clear if the author works as part of a group or uses the malware themselves. 
These tools are mainly\r\nbased on the source code of the fifth generation of Shiz.\r\nWe have connected these tools together because they all contain a PDB path that has the same root folder:\r\nZ:\\coding\\...\r\nFurthermore, most of the tools appear to be based on the Shiz source code, because the coding style and the API functions used are very\r\nsimilar. Also, comparing the code between the tools with BinDiff shows a high degree of similarity. Moreover, those tools\r\nwith network functionality contain query strings similar to the one in Shiz to contact their C\u0026C server.\r\nAs our colleagues from FireEye described last year, the PDB path found in Shifu is as follows:\r\nZ:\\coding\\project\\main\\payload\\payload.x86.pdb\r\nOther tools we have identified have the following PDB paths and are likely from the same author(s):\r\nZ:\\coding\\cryptor\\Release\\crypted.pdb\r\nZ:\\coding\\malware\\tests\\Release\\cryptoshit.pdb\r\nZ:\\coding\\malware\\RDP\\output\\Release\\rdp_bot.pdb\r\nZ:\\coding\\malware\\ScanBot\\Release\\bot.pdb\r\nThe malware internally named \"cryptor\" contains an encrypted sample of BifitAgent, the first malware known to attack the\r\nfinancial software from BIFIT. While it's possible that BifitAgent was developed by the same person, we haven't found any\r\nindications for that. According to the compilation time stamps, most of the samples were created in October/November\r\n2013.\r\nThe malware with the name \"rdp_bot\" is a small bot which uses the RDP protocol to gain full access to a computer. It uses\r\nthe same modified RC4 encryption algorithm as the Shifu version discussed in this article. This tool was probably used\r\nalongside the Shiz banking Trojan, because the attacker is able to carry out fraudulent activities directly from the victim’s\r\ncomputer. By doing so, one could fool bank antifraud systems which check for the IP address, browser footprints or\r\nkeyboard layouts. 
The tool is based on the research about RDP performed by Alisa Esage. The samples date from June to\r\nNovember 2013.\r\nThe tool which is named \"cryptoshit\" contains an encrypted sample of rdp_bot and also uses the same modified RC4\r\nalgorithm as the Shifu version described here. The samples date from September/October 2013 and January 2014 according to the\r\ncompilation time stamp.\r\nThe malware with the internal name \"ScanBot\" is a small backdoor which uses the Super Light Regular Expression library\r\n(SRLE) for scanning a victim’s computer for files via commands from its operator. The samples date from June 2013 according to\r\nthe time stamp.\r\nProtection Against Shifu\r\nPalo Alto Networks customers are protected from Shifu in the following ways:\r\nWildFire classifies Shifu files as malicious and signatures are loaded into Threat Prevention\r\nAutoFocus customers can track malware using the Shifu tag\r\nCommand and Control domains used by Shifu are blocked through Threat Prevention\r\nSHA256 Hashes of Samples Discussed\r\nAppendix - Technical details\r\nSecond Stage Injector Analysis\r\nThe second stage injector contains an exploit injector (x86 DLL) which in turn has two embedded exploits (x86/64 DLL) for\r\nCVE-2016-0167. The second stage injector also contains the encrypted and aPLib packed main payload module (x86 DLL)\r\nin its .tls section. For decryption, it uses a modified version of the RC4 encryption algorithm with a salt that is stored in the\r\n.rsrc section. Significant strings in the second stage injector's .data section were XORed with the key 0x8D and get\r\ndecrypted on-the-fly. Decrypted strings:\r\nAddMandatoryAce\r\nADVAPI\r\nAdvapi32.dlladvapi32.dllws2_32.dll\r\nWPUCloseEvent\r\nWPUCloseSocketHandleWPUCreateEvent\r\nWPUCreateSocketHandle\r\nWPUFDIsSet\r\nWPUGetProviderPath\r\nWPUModifyIFSHandle\r\nWPUPostMessage\r\nWPUQueryBlockingCallbackWPUQuerySocketHandleContext\r\nWPUQueueApc\r\nWPUResetEvent\r\nWPUSetEvent\r\nWPUOpenCurrentThreadWPUCloseThread\r\nWSPStartup\r\n\u003e %1\\r\\ndel %0\r\nsoftware\\\\microsoft\\\\windows\\\\currentversion\\\\run\r\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/echo\r\nrundll32.exe shell32.dll, ShellExec_RunDLL %s\r\nMicrosoft\\\\Microsoft AntimalwareSoftware\\\\Coranti\r\nSoftware\\\\risingSoftware\\\\TrendMicroSoftware\\\\Symantec\r\nSoftware\\\\ComodoGroup\r\nSoftware\\\\Network Associates\\\\TVD\r\nSoftware\\\\Data Fellows\\\\F-SecureSoftware\\\\Eset\\\\Nod\r\nSoftware\\\\Softed\\\\ViGUARD\r\nSoftware\\\\Zone 
Labs\\\\ZoneAlarm\r\nSoftware\\\\Avg\r\nSoftware\\\\VBA32\r\nSoftware\\\\Doctor WebSoftware\\\\G DataSoftware\\\\Avira\r\nSoftware\\\\AVAST Software\\\\Avast\r\nSoftware\\\\KasperskyLab\\\\protected\r\nSoftware\\\\Bitdefender\r\nSoftware\\\\Panda SoftwareSoftware\\\\Sophos.bat\\\\\\\\.\\\\%C:\r\n|$$$}rstuvwxyz{$$$$$$$\u003e?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\\\\]^_`abcdefghijklmnopq\r\nconhost\r\nCreateProcessInternalW\r\nConvertStringSecurityDescriptorToSecurityDescriptorWContent-Type: multipart/form-data; boundary=---------------------------\r\n%s\\r\\n\r\nContent-Type: application/x-www-form-urlencoded\\r\\n\r\nHost: %s\\r\\n%d.%d.%d.%d\r\n%d.%d.%d.%d.%x\r\n%temp%\\\\debug_file.txt\r\n[%u][%s:%s:%u][0x%x;0x%x] %sDnsFlushResolverCache\r\n\\\\*.*\r\ndnsapi.dll\r\nDnsGetCacheDataTable.dll.exedownload.windowsupdate.com\r\nvk.com\r\nyandex.ru\r\nHTTP/1.1https://http://%s\r\nIsWow64Process\r\nkernel\r\nkernel32.dllLdrGetProcedureAddress\r\nMicrosoft\r\nNtAllocateVirtualMemory\r\nCLOSED\r\nLAST_ACKTIME_WAIT\r\nDELETE_TCB\r\nLISTEN\r\nSYN_SENTSYN_RCVDESTAB\r\nFIN_WAIT1\r\nFIN_WAIT2\r\nCLOSE_WAIT\r\nCLOSING\r\nTCP\\t%s:%d\\t%s:%d\\t%s\\n\r\nnetstat\\nProto\\tLocal address\\tRemote address\\tState\\n\r\nntdll.dll\r\nNtResumeProcess\r\nNtSuspendProcess\\\\\\\\?\\\\globalroot\\\\systemroot\\\\system32\\\\drivers\\\\null.sys\r\nNtWriteVirtualMemoryopenRegisterApplicationRestart\r\nRtlCreateUserThread\r\nResetSR\r\nRtlComputeCrc32\r\nrundll32SeDebugPrivilegeSystemDrive\r\n\\\\StringFileInfo\\\\%04x%04x\\\\ProductName\r\nsoftware\\\\microsoft\\\\windows nt\\\\currentversion\\\\winlogon\r\nshell\r\nSleep\r\nsrclient.dllSeShutdownPrivilege\r\n\\\"%s\\\"\r\n%d\\t%s\\ntaskmgr\\nPID\\tProcess name\\nnet user\\n\r\nthe computer is joined to a domain\\n..\r\n\\\\VarFileInfo\\\\Translation\r\n%windir%\\\\system32\\\\%windir%\\\\syswow64\\\\POST*.exe\r\n%SystemDrive%\\\\\r\n*SYSTEM*%02x%s:Zone.Identifier\r\nGetProcessUserModeExceptionPolicy\r\nSetProcessUserModeExceptionPolicy\r\n%ws\\\\%ws\\n\r\nWORKGROUP\r\nHOMESoftware\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\ExplorerDisableCurrentUserRun\r\n%s.dat\r\nsoftware\\\\microsoft\\\\windows%OS%_%NUMBER_OF_PROCESSORS%\r\nS:(ML;;NRNWNX;;;LW)D:(A;;GA;;;WD)\r\nS:(ML;;NRNWNX;;;LW)D:(A;;GA;;;WD)(A;;GA;;;AC)\r\n\\\\\\\\.\\\\AVGIDSShim\r\nFFD3\\\\\\\\.\\\\NPF_NdisWanIpc:\\\\sample\\\\pos.exe\r\nANALYSERS\r\nSANDBOX\r\nVIRUS\r\nMALWARE\r\nFORTINETMALNETVMc:\\\\analysis\\\\sandboxstarter.exec:\\\\analysisc:\\\\insidetmc:\\\\windows\\\\system32\\\\drivers\\\\vmmouse.sys\r\nc:\\\\windows\\\\system32\\\\drivers\\\\vmhgfs.sys\r\nc:\\\\windows\\\\system32\\\\drivers\\\\vboxmouse.sys\r\nc:\\\\iDEFENSEc:\\\\popupkiller.exe\r\nc:\\\\tools\\\\execute.exe\r\nc:\\\\Perlc:\\\\Python27api_log.dll\r\ndir_watch.dll\r\npstorec.dll\r\ndbghelp.dll\r\nProcess32NextW\r\nSoftware\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\r\n1406.bitMiniDumpWriteDump\r\n\\r\\nReferer: %s\\r\\n\r\n\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Cache\r\nvar %s = new ActiveXObject(\"WScript.Shell\"); %s.Run(\"%s\");\r\nIntelPowerAgent32\r\n%OS%_%NUMBER_OF_PROCESSORS%\r\n%s\\cmd.exe\r\nComSpec\r\nConsoleWindowClass\r\n.exekernel32.dllntdll.dll\r\nZwQuerySystemInformationZwAllocateVirtualMemory\r\nPsLookupProcessByProcessId\r\nPsReferencePrimaryToken\r\nClass\r\nWindow\r\nopen \"%s\" -q%windir%\\\\system32\\\\sdbinst.exe\r\n/c \"start \"\" \"%s\" -d\"\r\n%windir%\\\\system32\\\\sndvol.exe\r\n\"%s\" -u /c \"%s\\\\SysWOW64\\\\SysSndVol.exe /c \"start \"\" \"%s\" -d\"\"\r\n%temp%\\\\%u\r\n%u.tmp\r\nWow64DisableWow64FsRedirection\r\nWow64RevertWow64FsRedirection\r\nrunas.exe\r\n%systemroot%\\\\system32\\\\svchost.exe\r\n%systemroot%\\\\system32\\\\wscript.exe\r\nsnxhk.dll\r\nsbiedll.dll\r\n/c start \"\" \"%s\" \" \"\r\ncmd.exe\r\nrunas\r\n--crypt-test\r\nIt work's!\r\n--vm-test\r\nExploit Injector with Embedded CVE-2016-0167 Exploits\r\nThe exploit injector is used to gain SYSTEM privileges on the infected host. The injector contains the actual exploits for\r\nboth x86 and x64 systems. The magic PE bytes (\"MZ\") at the beginning of the files are patched with null bytes to prevent\r\nthem from automatic extraction.\r\nThe second stage injector checks for the current process' integrity level and the OS version. 
If the integrity level of the\r\nprocess is low and the OS version is 6.1 (Windows 7 / Windows Server 2008 R2), the second stage injector writes the\r\nexploit injector file into memory. Then, it searches for the magic value 0x99999999 in the exploit injector which marks the\r\nbeginning of the PE overlay. Once the address is found, 12 bytes are added and the second stage injector jumps to this\r\naddress, which is in fact a custom PE loader shellcode. The call to the shellcode looks as follows:\r\n00401EF5   pusha\r\n00401EF6   add esi, 0Ch\r\n00401EF9   call esi   -\u003e PE loader shellcode in overlay\r\n00401EFB   popa\r\nCustom PE loader shellcode\r\nIt first gets the end of the shellcode which is then used to scan the exploit injector file for the magic PE number (\"MZ\"). The\r\ncode to get the end of the shellcode looks as follows:\r\n00077174   jmp short 00077178\r\n00077176   pop eax\r\n00077177   retn\r\n00077178   call 00077176\r\nNext, a custom GetProcAddress() function is used together with a hashing function to find the address of VirtualAllocEx().\r\nThen, VirtualAllocEx() is called to allocate a memory buffer with full access rights into which the exploit injector's\r\nsections are written with the appropriate memory alignments. The necessary memory addresses are then adjusted with the help\r\nof the relocation information, the API function addresses are resolved and the IAT is filled. Finally, the shellcode jumps to\r\nthe DLL entry point of the freshly created exploit injector module.\r\nExploit injector\r\nAt first, the strings \"kernel32.dll\", \"LoadLibrary\" and \"GetProcAddress\" are created. Next, the image base address for\r\nkernel32.dll is searched and the addresses of LoadLibrary() and GetProcAddress() are obtained. With the help of these API\r\nfunctions, the IAT addresses of the exploit injector get resolved and the IAT is filled. The purpose of this function is unclear,\r\nas it was already done by the second stage injector. 
Thereafter, a new thread gets created with the API function CreateThread().\r\nThe thread first calls IsWow64Process() and according to the result either the embedded x86 or x64 version of the exploit\r\nfile is written into a memory buffer. Next, the PE magic value (\"MZ\") is written to the beginning of the exploit file. Then, an\r\nevent named \"WaitEventX\" is created which is later used by the exploit. Then, the main exploit loading function is called.\r\nThe exploit loading function searches the running process names, and if found also the module names, for the following\r\nstrings, which are part of Trend Micro security software:\r\n\"uiSeAgnt.exe\"\r\n\"PtSessionAgent.exe\"\r\n\"PwmSvc.exe\"\r\n\"coreServiceShell.exe\"\r\nIf one of the processes is found, a suspended process of wuauclt.exe is created. Otherwise, a suspended process of\r\nsvchost.exe is created. In both cases, the command line argument \"-k netsvcs\" is passed, but it can only be used by\r\nsvchost.exe. It should be noted that this functionality always fails if the x64 version of Trend Micro Internet Security is\r\ninstalled. The code (x86) calls CreateToolhelp32Snapshot() on an x64 process, which results in an error\r\n(ERROR_PARTIAL_COPY). Moreover, it also fails because the code tries to access a protected Trend Micro process\r\n(ERROR_ACCESS_DENIED).\r\nNext, it maps the x86 or x64 file of the exploit into memory with CreateFileMapping() and MapViewOfFile() and fills in the\r\nmemory with the exploit bytes. Finally, the section gets mapped into the suspended process of svchost.exe or wuauclt.exe by\r\nusing ZwMapViewOfSection(). It then checks whether the OS version is 5.2 (Windows Server 2003 / Windows XP 64-Bit\r\nEdition) and exits the function if so. 
Afterwards, two memory buffers are created and a shellcode is written to each of them.\r\nThe first obfuscated shellcode calls the second shellcode, which is a stager for the mapped exploit file. Next, it calls\r\nResumeThread() to execute the suspended process so the exploit is executed.\r\nThe second stage injector verifies that the exploit was successful by checking whether its own integrity level is still\r\nSECURITY_MANDATORY_LOW_RID. If not, the exploit successfully elevated privileges to\r\nSECURITY_MANDATORY_SYSTEM_RID and it continues with the injection of the main payload. If the exploit failed, it\r\ntries to execute itself under the SYSTEM user account with the help of the Windows command line (cmd.exe) and the runas.exe\r\ntool.\r\nAtom String Building\r\nInstead of using a mutex like most of today’s malware, the second stage injector creates an atom and checks the global atom\r\ntable to see if an instance of Shifu is already running.\r\nAt first, it uses the template string \"%OS%_%NUMBER_OF_PROCESSORS%\" for the API ExpandEnvironmentStrings()\r\nto get the Windows version and number of processors. For example, in Windows 7 with one processor the result would be\r\n\"Windows_NT_1\". 
This string is then used to calculate four CRC32 hashes with RtlComputeCrc32() and the following\r\ninitial values:\r\n0xFFFFFFFF\r\n0xEEEEEEEE\r\n0xAAAAAAAA\r\n0x77777777\r\nThe resulting CRC hashes of the string \"Windows_NT_1\" are as follows:\r\n0x395693AE\r\n0xB24495D2\r\n0xF39F86E1\r\n0xBAE0B5C8\r\nNext, the last byte of each CRC hash is stored as a DWORD value on the stack:\r\n0xAE000000 (from 0x395693AE)\r\n0xD2000000 (from 0xB24495D2)\r\n0xE1000000 (from 0xF39F86E1)\r\n0xC8000000 (from 0xBAE0B5C8)\r\nThe stack with the hash byte sequence looks as follows:\r\nAE 00 00 00 D2 00 00 00 E1 00 00 00 C8 00 00 00\r\nThe atom string is then created by converting the first 8 bytes of the hash byte sequence to ASCII characters with the snprintf()\r\nfunction. The result in this case would be:\r\n\"ae000000d2000000\"\r\nAt last, it calls the GlobalFindAtom() API to check if the atom is present and calls GlobalAddAtom() if not.\r\nFigure 3. Shifu atom in the global atom table\r\nCommand Line Arguments\r\nThe second stage injector has two command line parameters of which only one has any functionality. 
They may be used for an\r\nupcoming feature or were simply never removed.\r\n--crypt-test\r\nShows just a message box with the text \"It work's!\"\r\n--vm-test\r\nNo functionality\r\nAnti-Analysis Tricks\r\nAnti Sandboxie / Avast\r\nShifu checks if the module snxhk.dll (Avast) or sbiedll.dll (Sandboxie) is present in its own process space by calling\r\nGetModuleHandleA() and runs an infinite Sleep() loop if a handle is returned.\r\nAll the following anti-analysis tricks are only used if Shifu is executed on a 32-bit Windows machine (no Wow64 process).\r\nProcess name detection\r\nIt enumerates running process names, converts them to lowercase, calculates the CRC32 hashes of those names and\r\ncompares them to the following list:\r\n0x99DD4432 - ?\r\n0x1F413C1F - vmwaretray.exe\r\n0x6D3323D9 - vmusrvc.exe\r\n0x3BFFF885 - vmsrvc.exe\r\n0x64340DCE - ?\r\n0x63C54474 - vboxtray.exe\r\n0x2B05B17D - ?\r\n0xF725433E - ?\r\n0x77AE10F7 - ?\r\n0xCE7D304E - dumpcap.exe\r\n0xAF2015F2 - ollydbg.exe\r\n0x31FD677C - importrec.exe\r\n0x6E9AD238 - petools.exe\r\n0xE90ACC42 - idag.exe\r\n0x4231F0AD - sysanalyzer.exe\r\n0xD20981E0 - sniff_hit.exe\r\n0xCCEA165E - scktool.exe\r\n0xFCA978AC - proc_analyzer.exe\r\n0x46FA37FB - hookexplorer.exe\r\n0xEEBF618A - multi_pot.exe\r\n0x06AAAE60 - idaq.exe\r\n0x5BA9B1FE - procmon.exe\r\n0x3CE2BEF3 - regmon.exe\r\n0xA945E459 - procexp.exe\r\n0x877A154B - peid.exe\r\n0x33495995 - autoruns.exe\r\n0x68684B33 - autorunsc.exe\r\n0xB4364A7A - ?\r\n0x9305F80D - imul.exe\r\n0xC4AAED42 - emul.exe\r\n0x14078D5B - apispy.exe\r\n0x7E3DF4F6 - ?\r\n0xD3B48D5B - hookanaapp.exe\r\n0x332FD095 - fortitracer.exe\r\n0x2D6A6921 - ?\r\n0x2AAA273B - joeboxserver.exe\r\n0x777BE06C - joeboxcontrol.exe\r\n0x954B35E8 - ?\r\n0x870E13A2 - ?\r\nFile detection\r\nShifu checks if the following files or folders exist on the system and runs an infinite Sleep() loop if 
so:\r\nc:\\sample\\pos.exe\r\nc:\\analysis\\sandboxstarter.exe\r\nc:\\analysis\r\nc:\\insidetm\r\nc:\\windows\\system32\\drivers\\vmmouse.sys\r\nc:\\windows\\system32\\drivers\\vmhgfs.sys\r\nc:\\windows\\system32\\drivers\\vboxmouse.sys\r\nc:\\iDEFENSE\r\nc:\\popupkiller.exe\r\nc:\\tools\\execute.exe\r\nc:\\Perl\r\nc:\\Python27\r\nDebugger detection\r\nIt checks if it’s being debugged by calling IsDebuggerPresent(). Also, it calls ZwQueryInformationSystem() with\r\nProcessDebugPort and ProcessDebugObjectHandle to check for the presence of a debugger. If a debugger is detected it runs an\r\ninfinite Sleep() loop.\r\nWireshark detection\r\nShifu attempts to open \\\\.\\NPF_NdisWanIp with CreateFile() and will enter an infinite Sleep() loop if it is successful.\r\nSelf-sanity checks\r\nIt checks whether its own file name is longer than 30 characters and runs an infinite Sleep() loop if so. Also, it checks if its\r\nown process name CRC32 hash matches one of the following:\r\n0xE84126B8 - sample.exe\r\n0x0A84E285 - ?\r\n0x3C164BED - ?\r\n0xC19DADCE - ?\r\n0xA07ACEDD - ?\r\n0xD254F323 - ?\r\n0xF3C4E556 - ?\r\n0xF8782263 - ?\r\n0xCA96016D - ?\r\nFurthermore, it checks if one of the following modules from GFI Sandbox is present in its own process address space:\r\napi_log.dll\r\ndir_watch.dll\r\npstorec.dll\r\nUnknown anti-analysis trick\r\nShifu uses an anti-analysis trick whose purpose is unknown to us. It retrieves the address of Process32NextW() and\r\ncompares the first 5 bytes with the sequence 0x33C0C20800 which disassembles to:\r\n33C0  XOR EAX,EAX\r\nC2 0800   RETN 8\r\nThis code is only present in 32-bit Windows XP and not in later Windows versions, because the Unicode version of that\r\nfunction probably wasn't implemented yet. 
If the code sequence is found, meaning that Shifu was executed on 32-bit\r\nWindows XP, it runs an infinite Sleep() loop.\r\nWindows domain name check\r\nIt checks if the computer workgroup name is either \"WORKGROUP\" or \"HOME\" with the API functions NetServerGetInfo()\r\nand NetWkstaGetInfo() and runs an infinite Sleep() loop otherwise. Next, it checks for the name \"ANALYSERS\" and runs\r\nthe infinite loop if found.\r\nComputer and user name check\r\nShifu gets the computer and user name with GetComputerName() and GetUserName() to check for the following strings:\r\nSANDBOX\r\nFORTINET\r\nVIRUS\r\nMALWARE\r\nMALNETVM\r\nIf one is found it runs an infinite loop.\r\nProcess termination feature\r\nThe second stage injector of Shifu enumerates all running processes, converts every name to lower case, calculates the CRC32\r\nhash of it and compares it to the following ones:\r\n0xD2EFC6C4 - python.exe\r\n0xE185BD8C - pythonw.exe\r\n0xDE1BACD2 - perl.exe\r\n0xF2EAA55E - autoit3.exe\r\n0xB8BED542 - ?\r\nIf one matches, it first tries to terminate the process with OpenProcess() and TerminateProcess(). If that fails, it tries to close\r\nthe main window handle of the process if it is flagged as HANDLE_FLAG_PROTECT_FROM_CLOSE with ZwClose().\r\nThen, it opens the process with full access rights and unmaps it from memory with ZwUnmapViewOfSection(). At last, the\r\nmain window handle of the unmapped process is closed.\r\nMain Payload Decryption, Unpacking and Injection\r\nTo decrypt the main payload, the second stage injector retrieves a salt needed for the decryption algorithm from its .rsrc\r\nsection. It uses a modified RC4 algorithm where the salt is used to XOR the 256-byte array byte by byte at the\r\nbeginning. The encrypted array is then used to decrypt the main payload located in the .tls section. 
The decrypted main payload is additionally packed with the aPLib compression library.\r\nIf the initial loader runs as a medium or high integrity level process, the routine which calculates the atom string name is called again. This time, only the first 4 bytes are used to build a string, for example \"ae000000\". Next, the CRC32 hash of this string is calculated and used to XOR another array of 256 bytes starting from 0x0 to 0xFF. This encrypted array is then used to encrypt the decrypted main payload again. The resulting encrypted data is written to the registry for persistence purposes under the key \"HKCU\\software\\microsoft\\windows\" with a random CRC32 hash name, for example \"f4e64d63\". Also, a second value with the string \"ae000000\" as name is created and filled with null bytes and the path of the initial loader, for example \"C:\\ProgramData\\7d5d6044.exe\". At last, the temporarily encrypted main payload gets decrypted again.\r\nFigure 4. Encrypted main payload and initial loader path stored in the Windows registry\r\nNext, the main payload gets unpacked into memory. Thereafter, a suspended svchost.exe process (x86) is created with the same integrity level as the parent process. The main payload gets mapped into the process and the magic PE value (MZ) patched. The svchost process is then resumed so the main payload is executed. At last, a batch file is created and executed in the %TEMP% folder. 
It overwrites the original executed initial loader with a random number of bytes to cover the tracks. The random bytes are always followed by a space character and the CR LF control characters.\r\nMain Payload Analysis\r\nThe main payload module's IAT function names were XORed with the key 0xFF to make static analysis more difficult. Significant strings in the .data section are also XORed with the key 0x8D and get decrypted on-the-fly.\r\nAPI Obfuscation\r\nThe main payload uses an API obfuscation technique known as Push-Calc-Ret obfuscation. 
The calls to the real API functions are patched by the second stage injector after the main payload gets injected into the svchost process. Whenever a Windows API function would be called, the address of a trampoline function is called instead, which calculates the actual function address. All the trampoline function addresses are stored in an array in memory.\r\nFor example, the main payload wants to call CreateFile(), but this call is patched. Instead, it calls the trampoline function, which could look as follows:\r\n00846110   PUSH 2B464C25\r\n00846115   PUSHFD\r\n00846116   XOR DWORD PTR SS:[ESP+4], 5DB5E13F\r\n0084611E   POPFD\r\n0084611F   RETN\r\nFirst, a value is pushed to the stack. Next, the EFLAGS register is saved to the stack, because it will be altered by the following XOR instruction (the OF and CF flags are cleared and the SF, ZF and PF flags are set according to the result). Then, the previously pushed value is XORed with another value to calculate the actual API function address. At last, the EFLAGS register gets restored and the real API function address is called via the RETN instruction.\r\nPersistence Method\r\nThe main payload copies the initial obfuscated loader file to the %ProgramData% folder with a random file name retrieved with GetTickCount(). Then, it creates a JScript file named \"Common.js\" in the Startup folder of the current user. 
The file contains the following code which runs the initial loader after the system has been rebooted:\r\nvar yqvltidpue = new ActiveXObject(\"WScript.Shell\");\r\nyqvltidpue.Run(\"C:\\\\PROGRA~3\\\\930d4a6d.exe\")\r\nUpdates of the Main Payload compared to Previous Version\r\nReports on previous versions of Shifu have been published by FireEye and Fortinet.\r\nIn comparison to the previous version, the list of substrings to scan for in the string that gets created from the computer name, user name, install date and system drive volume serial number was expanded:\r\nTREASURE\r\nBUH\r\nBANK\r\nACCOUNT\r\nCASH\r\nFINAN\r\nMONEY\r\nMANAGE\r\nOPER\r\nDIRECT\r\nROSPIL\r\nCAPO\r\nBOSS\r\nTRADE\r\nUpdated command list:\r\nactive_sk\r\ndeactive_sk\r\ndeactivebc\r\nget_keylog\r\nget_sols\r\ninject\r\nkill_os\r\nload\r\nmitm_geterr\r\nmitm_mod\r\nmitm_script\r\nwipe_cookies\r\nUpdated list of targeted browsers:\r\niexplore.exe\r\nfirefox.exe\r\nchrome.exe\r\nopera.exe\r\nbrowser.exe\r\ndragon.exe\r\nepic.exe\r\nsbrender.exe\r\nvivaldi.exe\r\nmaxthon.exe\r\nybrowser.exe\r\nmicrosoftedgecp.exe\r\nThe main payload will download the Apache httpd.exe server file from one of the C\u0026C servers to store it on disk for web injection purposes. Compared to the previous version, the main payload also contains two strings which indicate some functionality for the Zend PHP Framework:\r\nzend_stream_fixup\r\nzend_compile_file\r\nFunction Hooking in Svchost\r\nAs in the previous version, the malware hooks some API functions to redirect URLs, capture network traffic and the clipboard, and to log keystrokes. It uses a technique known as inline function hooking where the first 5 bytes of a function get patched with a jump to the malware's hook handlers. 
The following functions get hooked:\r\nNtDeviceIoControlFile (ntdll.dll)\r\nZwDeviceIoControlFile (ntdll.dll)\r\nGetClipboardData (user32.dll)\r\nGetMessageA (user32.dll)\r\nGetMessageW (user32.dll)\r\nTranslateMessage (user32.dll)\r\nGetAddrInfoExW (ws2_32.dll)\r\ngethostbyname (ws2_32.dll)\r\ngetaddrinfo (ws2_32.dll)\r\nNetwork Functionality\r\nThe main payload of Shifu uses .bit top-level domains, a decentralized DNS system based on the Namecoin infrastructure. The malware requests the IP addresses of the domains by contacting the following hardcoded Namecoin DNS servers one after another:\r\n92.222.80.28\r\n78.138.97.93\r\n77.66.108.93\r\nThe C\u0026C domain names, the user-agent string and the URL parameters are encrypted with a modified RC4 encryption algorithm. Decrypted strings:\r\nklyatiemoskali.bit\r\nslavaukraine.bit\r\nMozilla/5.0 (Windows; U; Windows NT 5.2 x64; en-US; rv:1.9a1) Gecko/20061007 Minefield/3.0a1\r\nL9mS3THljZylEx46ymJ2eqIdsEguKC15KnyQdfx4RTcVu8gCT\r\nhttps://www.bing.com\r\n/english/imageupload.php\r\n/english/userlogin.php\r\n/english/userpanel.php\r\n1brz\r\nThe encrypted strings are stored in the following format inside the .data section:\r\n\u003cLengthOfString\u003e\u003cEncryptedString\u003e\r\nThe domain string “klyatiemoskali” roughly translates to wishing something bad on Muscovites. The second domain string “slavaukraine” translates to “glory to Ukraine”. The included RC4 key \"L9mS3THljZylEx46ymJ2eqIdsEguKC15KnyQdfx4RTcVu8gCT\" is used to encrypt the network traffic.\r\nAt the time of analysis, only the following Namecoin DNS server was answering with the IP address of the actual C\u0026C server:\r\n77.66.108.93 (ns1.dk.dns.d0wn.biz)\r\nFigure 5. 
Namecoin DNS server information of 77.66.108.93\r\nThe following screenshot shows the captured network traffic during the dynamic analysis of Shifu:\r\nFigure 6. Shifu network traffic captured with Wireshark\r\nWe can see that Shifu queries the Namecoin DNS servers one after another with the domain name klyatiemoskali.bit to get the IP address. After one name server responds with the IP address of the C\u0026C server, it does a TLS handshake to open an encrypted network channel. Finally, it sends some encrypted data and gets an encrypted answer. However, no further network traffic could be observed during the time of the analysis. Both domain names, klyatiemoskali.bit and slavaukraine.bit, resolved to the IP address 103.199.16.106 at the time of analysis.\r\nAs the .bit top-level domain relies on the Namecoin cryptocurrency, which is based on the Bitcoin system, every transaction can be traced back. Thus, we can use a Namecoin block explorer to look up when the .bit domains were registered and which IP addresses are connected to them. For example, if we use the web service namecha.in, we can get the following information for klyatiemoskali.bit:\r\nWe can see the same information for slavaukraine.bit:\r\nBoth domains were registered on 2016-06-03 and only one IP address is assigned to them. This IP address coincides with the response of the Namecoin DNS server we have seen in the captured network traffic. 
Moreover, the domain still seems to be active.\r\nURL Query String for C\u0026C Server\r\nThe main payload contains a query string template used to send information about the victim to the C\u0026C server:\r\nbotid=%s\u0026ver=%s.%u\u0026up=%u\u0026os=%u\u0026ltime=%s%d\u0026token=%d\u0026cn=%s\u0026av=%s\u0026dmn=%s\u0026mitm=%u\r\nWe can see that some information is dynamically retrieved (bot identifier, uptime, operating system version, local timestamp, token, anti-virus software, domain name of the workstation, man in the middle interception detected), while static values like the bot version and the campaign name are also sent. An example of the created query string could look as follows:\r\nbotid=26C47136!A5A4B18A!F2F924F2\u0026ver=1.759\u0026up=18294\u0026os=6110\u0026ltime=-8\u0026token=0\u0026cn=1brz\u0026av=\u0026dmn=\u0026mitm=0\r\nWe can see that the internal Shifu version is “1.759” and the campaign name is “1brz”.\r\nIf we compare Shifu's query string with the one of the latest Shiz version we have tracked, which dates from February 2014 (internal version 5.6.25), we can see the similarity between the two malware families:\r\nbotid=%s\u0026ver=5.6.25\u0026up=%u\u0026os=%03u\u0026ltime=%s%d\u0026token=%d\u0026cn=sochi\u0026av=%s\r\nModified RC4 Encryption Algorithm\r\nShifu uses a modified version of the RC4 encryption algorithm. 
We have reconstructed the algorithm in Python and show how the domain name \"klyatiemoskali.bit\" present in the main payload will be encrypted as an example:\r\nimport binascii\r\n\r\n# Initial values: the cleartext domain and the seed string found in the main payload\r\nstring = \"klyatiemoskali.bit\"\r\nseed = (\"fnbqooqdaixfueangywblgabirdgvkewdyqgfqaioluesyrpryfkjerfsouemaxnavrkguxmcmhckwprunurmhehclermtufwi\"\r\n        \"yjbqhwlunbunuumeowfjmerxppxrgaxukyx\")\r\n\r\n# Encryption table: 256 state bytes followed by the two RC4 indices at 0x100 and 0x101\r\ntable_encr = [0] * 0x102\r\ntable_encr[0x100] = 1\r\ntable_encr[0x101] = 0\r\n\r\n# string2buffer: the cleartext as a mutable byte buffer\r\nbuffer = bytearray(string.encode(\"latin-1\"))\r\n\r\n# Encryption table: identity permutation XORed byte by byte with the seed\r\n# (this replaces the swaps of the standard RC4 key scheduling)\r\nfor i in range(0x100):\r\n    table_encr[i] = 0x000000ff \u0026 i\r\nj = 0\r\nfor i in range(0x100):\r\n    table_encr[i] ^= ord(seed[j])\r\n    j += 1\r\n    if j == len(seed):\r\n        j = 0\r\n\r\n# Encryption: RC4-like keystream generation, one byte of the buffer per round\r\nfor i in range(len(buffer)):\r\n    byte_buf = buffer[i]\r\n    ind_1 = table_encr[0x100]\r\n    ind_2 = table_encr[ind_1]\r\n    ind_3 = 0x000000ff \u0026 (ind_2 + table_encr[0x101])\r\n    ind_4 = 0x000000ff \u0026 table_encr[ind_3]\r\n    table_encr[ind_1] = ind_4\r\n    table_encr[ind_3] = ind_2\r\n    buffer[i] = 0x000000ff \u0026 (table_encr[0x000000ff \u0026 (ind_2 + ind_4)] ^ byte_buf)\r\n    table_encr[0x100] = 0x000000ff \u0026 (ind_1 + 1)\r\n    table_encr[0x101] = ind_3\r\n\r\n# Output: the encrypted bytes as a hex string\r\nprint(\"Cleartext string: %s\" % string)\r\nprint(\"Encrypted: 0x%s\" % binascii.hexlify(bytes(buffer)).decode())\r\nSource: https://unit42.paloaltonetworks.com/unit42-2016-updates-shifu-banking-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-2016-updates-shifu-banking-trojan/"
	],
	"report_names": [
		"unit42-2016-updates-shifu-banking-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434744,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1627cd9210769db87bf592121db5c5ee0be607e6.pdf",
		"text": "https://archive.orkl.eu/1627cd9210769db87bf592121db5c5ee0be607e6.txt",
		"img": "https://archive.orkl.eu/1627cd9210769db87bf592121db5c5ee0be607e6.jpg"
	}
}