It's friday afternoon, I had a bit of free time and stumbled across this tweet by PhysicalDrive0 (thx!) two hours ago and thought to give it a try to finally add a new article to this Blog (first of 2014): [https://twitter.com/PhysicalDrive0/status/479921770838102017](https://twitter.com/PhysicalDrive0/status/479921770838102017) So, I went to Google to search for the domain of the Embassy of Greece Beijing and added the (allegedly) malicious java file package that was found by PhysicalDrive0: **URL: http://www.grpressbeijing.com/1.jar (malicious!)** [Next, I loaded the 1.jar file into Java Decompiler to get the source code. It showed, that the functionality is](http://jd.benow.ca/) obfuscated in some way, e.g. the function csfn(String paramString) decrypts all strings by "removing" the numbers of the string parameter: csfn("64s33333e3333t333S55e666c777u5r333i534t76y2M34a55n76a88g666e44r2222") -> setSecurityManager There are some other obfuscation techniques, but they are not important here. Instead, the following deobfuscated code line in the function init() gives us an idea where the actual payload is located: Resp localResp = new Resp(csfn("234p34a55445c43654k632434234235")); -> pack We can also see, that the java package contains a file named pack, so we open 7-Zip and unpack the file. A quick view with a PE viewer showed, that it is a x86 PE executable not even encrypted (SHA256: _b832e4b5a4829c8df6de7b42c5cb32ef25b5ab59072b4c2a7838404cd0dd5e5f):_ ----- Figure 2: Payload inside Java package Figure 3: Payload inside PE viewer So, I opened IDA Pro to take a quick look at the functionality. Together with the strings of the executable, we get a brief idea of what the purpose of this malware is. The important strings are as follows: SELECT * FROM AntiVirusProduct reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v PrivDiscUiShown /t REG_DWORD /d 1 /f reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v DEPOff /t REG_DWORD /d 1 /f reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableFirstRunCustomize /t REG_DWORD /d 2 /f reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f reg add "HKCU\Software\Microsoft\Internet Explorer\Main" ----- REG_DWORD /d 3 /f reg add "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter" /v Enabled /t REG_DWORD /d 1 /f reg add "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter" reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v WarnOnPostRedirect /t REG_DWORD /d 0 /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v WarnonZoneCrossing /t REG_DWORD /d 0 /f reg add "HKCU\Software\Microsoft\Internet Connection Wizard" /v AutoRecover /t REG_DWORD /d 2 /f reg add "HKCU\Software\Microsoft\Internet Connection Wizard" /v Completed /t REG_BINARY /d 1 /f \cmd.exe Together with the output of IDA Pro, we can see that this malware uses the command line tool cmd.exe for adding several registry keys to Internet Explorer. It also tries to retrieve possible AntiVirus information by using the COM interface (dc12a687-737f-11cf-884d-00aa004b2e24 -> IWbemLocator -> SELECT * _FROM AntiVirusProduct). Furthermore, it makes use of the COM to launch an instance of Internet_ Explorer (d30c1661-cdaf-11d0-8a3e-00c04fc9e26e -> IWebBrowser2), supposedly to contact its C&C server. To verify this, we open up Wireshark and run the executable. As a result, we get the following network information: **C&C server: defense.miraclecz.com (IP: 208.115.124.83)** **HTTP GET request: /index.asp?id=50100** Also, we see that it downloads some kind of data (Base64 encoded). But first, we combine the C&C server and the HTTP request and open the URL in our favorite Browser: ----- Figure 4: Base64 encoded (2nd) Payload **URL: defense.miraclecz.com/index.asp?id=50100** As you can see, there is a string named microsoft followed by Base64 encoded data. Side note: Is there _also a Linux equivalent?_ Next, we copy the Base64 encoded data and go to the following website to let us decode it into a file (because I had the feeling it's just another unencrypted executable): [http://www.motobit.com/util/base64-decoder-encoder.asp](http://www.motobit.com/util/base64-decoder-encoder.asp) As a result, we get another executable (SHA256: _a4863f44f48d1c4c050dd7baad767a86b348dd4d33924acf4e0a3cd40c6ae29f) that was only Base64_ encoded and not encrypted in any way: ----- So again, we fire up our PE viewer and take a look at the important strings: http://buy.miraclecz.com reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v DEPOff /t REG_DWORD /d 1 /f reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableFirstRunCustomize /t REG_DWORD /d 2 /f reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f reg add "HKCU\Software\Microsoft\Internet Explorer\Main" reg add "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter" /v ShownVerifyBalloon /t REG_DWORD /d 3 /f reg add "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter" /v Enabled /t REG_DWORD /d 1 /f reg add "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter" reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v WarnOnPostRedirect /t REG_DWORD /d 0 /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v WarnonZoneCrossing /t REG_DWORD /d 0 /f reg add "HKCU\Software\Microsoft\Internet Connection Wizard" /v AutoRecover /t REG_DWORD /d 2 /f reg add "HKCU\Software\Microsoft\Internet Connection Wizard" /v Completed /t REG_BINARY /d 1 /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v spoolsv.exe /t REG_SZ /d %%temp%%\spoolsv.exe /f spoolsv.exe Software\Microsoft\Windows\CurrentVersion\Run open file fail cmd timeout error %d Run cmd error %d cmd.exe /c %s>%s %s%d.txt open file error %temp% ----- myWObject \cmd.exe !DOCTYPE html %s/?id1=blank%d&id2=%d%d %s/?id1=%d%d Again, we load the executable into IDA Pro and quickly fly over the assembly code to get an idea of the functionality. Once again, it creates several registry entries with the help of the command line tool and creates an instance of the Internet Explorer (CoCreateInstance() -> d30c1661-cdaf-11d0-8a3e _00c04fc9e26e) for contacting the C&C server. This time, the network information is as follows:_ **C&C server: buy.miraclecz.com (IP: 74.121.191.33)** **URL parameters (from strings of executable):** %s/?id1=blank%d&id2=%d%d %s/?id1=%d%d From the code we can see, that the sample has also the ability to encode/decode data from/to Base64. The dynamic analysis showed the malware sample contacted the C&C server, but wasn't sending any URL parameters (id1, id2). Also the server didn't respond... The files can be downloaded here: [https://www.dropbox.com/s/ckr7p5kka62cc7s/Embassy%20of%20Greece%20-%20Beijing.zip](https://www.dropbox.com/s/ckr7p5kka62cc7s/Embassy%20of%20Greece%20-%20Beijing.zip) Password: "infected" (without "") **_That's it, have a nice weekend..._** -----