1 of 34 12/31/2014 09:19 AM

## Sample A

### Hashes

| Type of hash | Hash |
|---|---|
| MD5 | 5b4a956c6ec246899b1d459838892493 |
| SHA1 | 217b8fa45a24681551bd84b573795b5925b2573e |
| SHA-256 | 93742b415f28f57c61e7ce7d55208f71d5c4880dc66616da52f3c274b20b43b0 |
| ssdeep | 24576:D0MfCZaSyUS7YXz3aHUXXeJozanHZCfBvt9MSc99rdI+6cGHe:D02saHQXeManH81t9BONdI3VHe |

### VirusTotal results for sample A

| AV product | Result |
|---|---|
| Bkav | W32.Clod24a.Trojan.ceee |
| MicroWorld-eScan | Dropped:Backdoor.Generic.252173 |
| nProtect | Dropped:Backdoor.Generic.252173 |
| McAfee | Artemis!5B4A956C6EC2 |
| K7AntiVirus | Riskware ( 10a2c0f80 ) |
| K7GW | Trojan ( 00155adb1 ) |
| NANO-Antivirus | Trojan.Win64.Agent.lsivh |
| F-Prot | W32/MalwareS.IHA |
| Symantec | Backdoor.Pfinet |
| Norman | Suspicious_Gen3.DGZV |
| TotalDefense | Win32/Pfinet.A |
| TrendMicro-HouseCall | TROJ_GEN.R27E1AH |
| Avast | Win32:Malware-gen |
| ClamAV | Trojan.Agent-126457 |
| Kaspersky | Trojan.Win32.Genome.hitb |
| BitDefender | Dropped:Backdoor.Generic.252173 |
| Agnitum | Trojan.Meredrop!A/hBhJu+uNc |
| Ad-Aware | Dropped:Backdoor.Generic.252173 |
| Sophos | Mal/Generic-S |
| Comodo | TrojWare.Win32.Agent.czua |
| F-Secure | Dropped:Backdoor.Generic.252173 |
| DrWeb | Trojan.Siggen.27969 |
| VIPRE | Trojan.Win32.Generic!BT |
| AntiVir | TR/Agent.czua |
| TrendMicro | TROJ_GEN.R27E1AH |
| McAfee-GW-Edition | Artemis!5B4A956C6EC2 |
| Emsisoft | Dropped:Backdoor.Generic.252173 (B) |
| Microsoft | Backdoor:WinNT/Pfinet.B |
| GData | Dropped:Backdoor.Generic.252173 |
| Commtouch | W32/Risk.DWJW-7987 |
| VBA32 | Trojan.Agent2 |
| Baidu-International | Trojan.Win32.Genome.aR |
| ESET-NOD32 | a variant of Win32/Turla.AC |
| Ikarus | Trojan.Win32.Genome |
| Fortinet | W32/Pfinet!tr |
| AVG | Generic16.BBMD |
| Panda | Trj/Hmir.F |

Scanned: 2014-03-16 01:12:54 - 49 scans - 37 detections (75.0%)

### File characteristics

#### Meta data

```
Size: 1052672 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Date: 0x4AC5A74C [Fri Oct 2 07:10:04 2009 UTC]
EP:   0x4021bb .text 0/5
CRC:  Claimed: 0x0, Actual: 0x110f40 [SUSPICIOUS]
```

#### Resource entries

| Name | RVA | Size | Lang | Sublang | Type |
|---|---|---|---|---|---|
| BINARY | 0xd190 | 0x3dc00 | LANG_ENGLISH | SUBLANG_ENGLISH_US | PE32 executable (DLL) (native) Intel 80386, for MS Windows |
| BINARY | 0x4ad90 | 0x1d000 | LANG_ENGLISH | SUBLANG_ENGLISH_US | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| BINARY | 0x67d90 | 0x21000 | LANG_ENGLISH | SUBLANG_ENGLISH_US | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| BINARY | 0x88d90 | 0x1f9 | LANG_ENGLISH | SUBLANG_ENGLISH_US | ASCII text, with CRLF, LF line terminators |
| BINARY | 0x88f90 | 0x37c00 | LANG_ENGLISH | SUBLANG_ENGLISH_US | PE32+ executable (DLL) (native) x86-64, for MS Windows |
| BINARY | 0xc0b90 | 0x1bc00 | LANG_ENGLISH | SUBLANG_ENGLISH_US | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
| BINARY | 0xdc790 | 0x24200 | LANG_ENGLISH | SUBLANG_ENGLISH_US | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |

#### Version info

No version information included.

#### Sections

| Name | VirtAddr | VirtSize | RawSize | Entropy |
|---|---|---|---|---|
| .text | 0x1000 | 0x6f34 | 0x7000 | 6.582374 |
| .rdata | 0x8000 | 0x1fb8 | 0x2000 | 4.803196 |
| .data | 0xa000 | 0x26f4 | 0x1000 | 1.559595 |
| .rsrc | 0xd000 | 0xf3990 | 0xf4000 | 5.977919 |
| .reloc | 0x101000 | 0x188c | 0x2000 | 2.462180 |

```
SECTION 1 (.text):
  virtual size                  : 00006F34 ( 28468.)
  virtual address               : 00001000
  section size                  : 00007000 ( 28672.)
  offset to raw data for section: 00001000
  offset to relocation          : 00000000
  offset to line numbers        : 00000000
  number of relocation entries  : 0
  number of line number entries : 0
  alignment                     : 0 byte(s)
  Flags 60000020: text only Executable Readable

SECTION 2 (.rdata):
  virtual size                  : 00001FB8 ( 8120.)
  virtual address               : 00008000
  section size                  : 00002000 ( 8192.)
  offset to raw data for section: 00008000
  offset to relocation          : 00000000
  offset to line numbers        : 00000000
  number of relocation entries  : 0
  number of line number entries : 0
  alignment                     : 0 byte(s)
  Flags 40000040: data only Readable

SECTION 3 (.data):
  virtual size                  : 000026F4 ( 9972.)
  virtual address               : 0000A000
  section size                  : 00001000 ( 4096.)
  offset to raw data for section: 0000A000
  offset to relocation          : 00000000
  offset to line numbers        : 00000000
  number of relocation entries  : 0
  number of line number entries : 0
  alignment                     : 0 byte(s)
  Flags C0000040:
```

```
Start: 1 (SERVICE_SYSTEM_START)
ErrorControl: 0 (SERVICE_ERROR_IGNORE)
Group: Streams Drivers
DisplayName: usblink
ImagePath: \SystemRoot\$NtUninstallQ722833$\usbdev.sys
```

If anything goes wrong during installation, the registry keys are deleted; the files, however, are not. The installation process logs extensively, which gives good visibility into potential installation problems. The attacker writes the log messages in English but is careless about correct usage of the language, as the following examples show:

- win32 detect... (should be simple past)
- x64 detect... (should be simple past)
- CretaFileA(%s): (should be CreateFileA)
- Can`t open SERVICES key (that should not be a backtick)

Language deficits also show up in other files of this collection; we present them in a separate chapter. A list of dropped files is given in the next chapter.
## Dropped files

## Sample B - usbdev.sys (Resource: 101)

### Hashes

| Type of hash | Hash |
|---|---|
| MD5 | db93128bff2912a75b39ee117796cdc6 |
| SHA1 | 418645c09002845a8554095b355f47907f762797 |
| SHA-256 | 57b8c2f5cfeaca97da58cfcdaf10c88dbc2c987c436ddc1ad7b7ed31879cb665 |
| ssdeep | 3072:3B9f3bhj+FqCjAsWnQNCb/XzeQdRSFqfCeEmI/2XxjptNdjxjkMAE4E:3B9tQHWLrFfCZmI/MttB+E4 |

### VirusTotal results for sample B

| AV product | Result |
|---|---|
| Bkav | W32.Cloda11.Trojan.222a |
| MicroWorld-eScan | Backdoor.Generic.252173 |
| nProtect | Trojan/W32.Agent2.252928 |
| McAfee | Artemis!DB93128BFF29 |
| K7GW | Trojan ( 0001140e1 ) |
| K7AntiVirus | Riskware ( 10a2c0f80 ) |
| Agnitum | Trojan.Agent2!HMPS2EOZWFE |
| F-Prot | W32/MalwareS.IHA |
| Symantec | Backdoor.Pfinet |
| Norman | Suspicious_Gen3.DGZV |
| TrendMicro-HouseCall | TROJ_GEN.R27E1AH |
| Avast | Win32:Malware-gen |
| Kaspersky | Trojan.Win32.Agent2.flce |
| BitDefender | Backdoor.Generic.252173 |
| Ad-Aware | Backdoor.Generic.252173 |
| Sophos | Mal/Generic-S |
| F-Secure | Backdoor.Generic.252173 |
| DrWeb | Trojan.Siggen1.51234 |
| VIPRE | Trojan.Win32.Generic!BT |
| AntiVir | TR/Rootkit.Gen |
| TrendMicro | TROJ_GEN.R27E1AH |
| McAfee-GW-Edition | Artemis!DB93128BFF29 |
| Emsisoft | Backdoor.Generic.252173 (B) |
| Jiangmin | Trojan/Agent.djjf |
| Antiy-AVL | Trojan/Win32.Agent2 |
| Kingsoft | Win32.Troj.Agent2.(kcloud) |
| Microsoft | Backdoor:WinNT/Pfinet.B |
| GData | Backdoor.Generic.252173 |
| Commtouch | W32/Risk.DWJW-7987 |
| VBA32 | Trojan.Agent2 |
| Panda | Rootkit/Agent.IOO |
| ESET-NOD32 | a variant of Win32/Turla.AC |
| Ikarus | Trojan.Win32.Agent |
| Fortinet | W32/Agent2.LDY!tr |
| AVG | Agent2.AHWF |
| Baidu-International | Trojan.Win32.Agent.AFZ |

Scanned: 2014-03-23 21:28:41 - 51 scans - 36 detections (70.0%)

### File characteristics

#### Meta data

```
Size: 252928 bytes
Type: PE32 executable (DLL) (native) Intel 80386, for MS Windows
Date: 0x4AC48FC8 [Thu Oct 1 11:17:28 2009 UTC]
EP:   0x22d80 .text 0/5
CRC:  Claimed: 0x3e7fe, Actual: 0x3e7fe
```

#### Sections

| Name | VirtAddr | VirtSize | RawSize | Entropy |
|---|---|---|---|---|
| .text | 0x1000 | 0x28084 | 0x28200 | 6.325480 |
| .basein | 0x2a000 | 0x135 | 0x200 | 3.791369 |
| .data | 0x2b000 | 0x20e34 | 0x12600 | 1.335577 |
| INIT | 0x4c000 | 0xebc | 0x1000 | 5.343628 |
| .reloc | 0x4d000 | 0x1de0 | 0x1e00 | 6.448244 |

#### Strings

Interesting strings:

```
CsrClientCallServer
ExitThread
LdrGetProcedureAddress
ZwTerminateThread
\SystemRoot\system32\%s
IoCreateDevice
ModuleStart
ModuleStop
\??\%s\cryptoapi.dll
\??\%s\inetpub.dll
services.exe
iexplore.exe
firefox.exe
opera.exe
netscape.exe
mozilla.exe
msimn.exe
outlook.exe
adobeupdater.exe
```

## Sample C - inetpub.dll (Resource: 102)

### Hashes

| Type of hash | Hash |
|---|---|
| MD5 | 2145945b9b32b4ccbd498db50419b39b |
| SHA1 | 690f18810b0cbef06f7b864c7585bd6ed0d207e0 |
| SHA-256 | 3de0ba77fa2d8b26e4226fd28edc3ab8448434d851f6b2b268ec072c5da92ade |
| ssdeep | 3072:HPHvQByUS7Yqy7UKJm1Y3a3v/z61dmh9f3b/LAaulNA7:HPHqyUS7YqyIKH3aHz61Mh9jZulNC |

### VirusTotal results for sample C

| AV product | Result |
|---|---|
| McAfee | Generic.dx!wel |
| K7AntiVirus | Riskware |
| Symantec | Backdoor.Pfinet |
| Norman | W32/Suspicious_Gen3.UANR |
| Avast | Win32:Malware-gen |
| eSafe | Win32.TRATRAPS |
| BitDefender | Backdoor.Generic.429659 |
| F-Secure | Backdoor.Generic.429659 |
| VIPRE | Trojan.Win32.Generic!BT |
| AntiVir | TR/ATRAPS.Gen |
| McAfee-GW-Edition | Generic.dx!wel |
| Emsisoft | Backdoor.SuspectCRC!IK |
| Antiy-AVL | Trojan/win32.agent.gen |
| GData | Backdoor.Generic.429659 |
| AhnLab-V3 | Backdoor/Win32.Pfinet |
| PCTools | Backdoor.Pfinet |
| Ikarus | Backdoor.SuspectCRC |
| Panda | Trj/CI.A |
| Avast5 | Win32:Malware-gen |

Scanned: 2011-07-07 04:43:10 - 43 scans - 19 detections (44.0%)

### File characteristics

#### Meta data

```
Size: 118784 bytes
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Date: 0x4AC5A6A4 [Fri Oct 2 07:07:16 2009 UTC]
EP:   0x20013857 .text 0/5
CRC:  Claimed: 0x0, Actual: 0x2cb10 [SUSPICIOUS]
```

#### Sections

| Name | VirtAddr | VirtSize | RawSize | Entropy |
|---|---|---|---|---|
| .text | 0x1000 | 0x12976 | 0x13000 | 6.509133 |
| .basein | 0x14000 | 0x97 | 0x1000 | 0.418760 [SUSPICIOUS] |
| .rdata | 0x15000 | 0x4ede | 0x5000 | 7.011329 [SUSPICIOUS] |
| .data | 0x1a000 | 0x15f0 | 0x1000 | 5.453684 |
| .reloc | 0x1c000 | 0x152a | 0x2000 | 4.423836 |

#### Exports

```
Flags         : 00000000
Time stamp    : Fri Oct 2 09:07:16 2009
Version       : 0.0
DLL name      : CARBON.dll
Ordinals base : 1. (00000001)
# of Addresses: 2. (00000002)
# of Names    : 2. (00000002)

1. 00002CB9 ModuleStart
2. 0000266C ModuleStop
```

#### Strings

```
\\.\IdeDrive1\\config.txt
ReceiveTimeout
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
NAME
object_id
VERSION
User
Carbon v3.51
OPER|Wrong config: bad address|
Mozilla/4.0 (compatible; MSIE 6.0)
OPER|Wrong config: no port|
OPER|Wrong config: empty address|
address
CW_INET
quantity
user_winmax
user_winmin
ST|Carbon v3.51|
\\.\IdeDrive1\\log.txt
Global\MSMMC.StartupEnvironment.PPT
Global\411A5195CD73A8a710E4BB16842FA42C
Global\881F0621AC59C4c035A5DC92158AB85E
Global\MSCTF.Shared.MUTEX.RPM
Global\WindowsShellHWDetection
Global\MSDBG.Global.MUTEX.ATF
TR|%d|
$Id: hide_module_win32.c 10189 2008-11-25 14:25:41Z gilg $
ZwWow64ReadVirtualMemory64
$Id: load_lib_win32.c 10180 2008-11-20 12:13:01Z gilg $
\SysWOW64\
\System32\
CreateRemoteThread
ZwTerminateThread
LdrGetProcedureAddress
ExitThread
$Id: mutex.c 3940 2006-03-20 16:47:16Z vlad $
$Id: rw_lock.c 4482 2006-08-30 13:07:14Z vlad $
%x-%x-%x-%x
%02d/%02d/%02d|%02d:%02d:%02d|%s|u|
search.google.com
www.easports.com
www.sun.com
www.dell.com
www.3com.com
www.altavista.com
www.hp.com
search.microsoft.com
windowsupdate.microsoft.com
www.microsoft.com
www.asus.com
www.eagames.com
www.google.com
www.astalavista.com
www.bbc.com
www.yahoo.com
CreateToolhelp32Snapshot() failed: %d
OPER|Sniffer '%s' running... ooopppsss...|
snoop.exe
ettercap.exe
wireshark.exe
ethereal.exe
windump.exe
tcpdump.exe
HTTP/1.1
%sauth.cgi?mode=query&id=%u:%u:%u:%u&serv=%s&lang=en&q=%u-%u&date=%s
%Y-%m-%d
%sdefault.asp?act=%u&id=%u&item=%u&event_id=%u&cln=%u&flt=%u&serv=%s&t=%ld&mode=query&lang=en&date=%s
lastconnect
timestop
.bak
\\.\IdeDrive1\\
D:AI
@OPER|Wrong timeout: high < low|
Mem alloc err
P|-1|%d|NULL|%d|
P|0|%s|%d|HC=%d HC|%d|
P|-1|%d|%s|%d|
\\.\IdeDrive1\\Results\result.txt
POST HTTP/1.0
A|-1|%u|%s|%s|
%u|%s|%s
Task %d failed %s,%d
\\.\IdeDrive1\\Results\
207.46.249.57
207.46.249.56
207.46.250.119
microsoft.com
207.46.253.125
207.46.18.94
update.microsoft.com
G|0|%d|%d|
%u|%s|%s|%s
OPER|Wrong config|
S|0|%s|
S|-1|%d|%s|
logperiod
lastsend
logmax
logmin
CopyFile(%s, %s):%d
CrPr(),WL(),AU() error: %d
CrPr() WaitForSingleObject() error: %d
CrPr() wait timeout %d msec exceeded: %d
T|-1|%d|%d|
Task not execute. Arg file failed.
WORKDATA
run_task
DELETE
COMPRESSION
RESULT
stdout
CONFIG
cmd.exe
time2task
m_recv() RESULT failed.
A|-1|%u|%s|%d|
active_con
m_send() TASK failed.
OBJECT ACK failed.
Internal task %d obj %s not equal robj %s... very strange!!!
m_recv() OBJECT failed.
m_send() OBJECT failed.
m_send() WHO failed.
AUTH failed.
m_recv() AUTH failed.
m_send() AUTH failed.
m_connect() failed.
m_setoptlist() failed.
net_password=
net_user=
allow=*everyone
write_peer_nfo=%c%s%c
frag_no_scrambling=1
frag_size=32768
m_create() failed.
frag.np
\\%s\pipe\comnode
W|2|%s|%d|
127.0.0.1
m_send() ZERO failed.
Trans task %d obj %s ACTIVE fail robj %s
net_password=%s
net_user=%s
\\%s\pipe\%s
frag.tcp
%s:%d
W|1|%s|%d|
%u|%s|%s|%s|%s|%d|%s|%s
\\.\IdeDrive1\\Tasks\task_system.txt
%u|%s|%s|%s|%s|%d
\\.\IdeDrive1\\Tasks\task.txt
%u|%s|%s|%s|%s
\\.\IdeDrive1\\Tasks\
W|0|%s|%d|
W|-1|%s|%d|
start
T|e|%d|
T|s|%d|
task_max
task_min
I|%d|
reconstructing block ...
%6d unresolved strings
depth %6d has
bucket sorting ...
%d pointers, %d sorted, %d scanned
qsort [0x%x, 0x%x] done %d this %d
main sort initialise ...
too repetitive; using fallback sorting algorithm
%d work, %d block, ratio %5.2f
CONFIG_ERROR
OUTBUFF_FULL
UNEXPECTED_EOF
IO_ERROR
DATA_ERROR_MAGIC
DATA_ERROR
MEM_ERROR
PARAM_ERROR
SEQUENCE_ERROR
codes %d
code lengths %d, selectors %d,
bytes: mapping %d,
pass %d: size is %d, grp uses are
initial group %d, [%d .. %d], has %d syms (%4.1f%%)
Y@
%d in block, %d after MTF & 1-2 coding, %d+2 syms in use
final combined CRC = 0x%x
block %d: crc = 0x%8x, combined CRC = 0x%8x, size = %d
$Id: b2_to_m2_stub.c 5273 2007-01-23 17:41:15Z vlad $
$Id: b_tcp.c 8474 2007-09-19 15:40:39Z vlad $
TCP: closed.
TCP: connecting...
Y1N0
nodelay
TCP: send
TCP: recv
%s:%u
nodelay=1
TCP: resolved %s
TCP: resolving host name...
$Id: l1_check.c 4477 2006-08-28 15:58:21Z vlad $
$Id: m2_to_b2_stub.c 4477 2006-08-28 15:58:21Z vlad $
$Id: m_frag.c 8715 2007-11-29 16:04:46Z urik $
peer_frag_size
frag_no_scrambling
frag_size
Frag: send
$Id: m_np.c 8825 2008-01-10 13:13:15Z vlad $
\\.\pipe\
no_server_hijack
imp_level
net_password
net_user
write_peer_nfo
read_peer_nfo
*everyone
allow
$Id: np_win32_common.c 4483 2006-08-30 13:13:51Z vlad $
anonymous
every1
\ipc$
\pipe\
$Id: t_byte1.c 5324 2007-01-30 12:45:35Z vlad $
frag
$Id: t_manager.c 8715 2007-11-29 16:04:46Z urik $
transports
$Id: t_message1.c 5290 2007-01-26 11:15:03Z vlad $
licence error
```

## Sample D - cryptoapi.dll (Resource: 105)

### Hashes

| Type of hash | Hash |
|---|---|
| MD5 | a67311ec502593630307a5f3c220dc59 |
| SHA1 | 74b0c62737f43b0138cfae0d0972178a14fbea10 |
| SHA-256 | 67bc775cc1a58930201ef247ace86cc5c8569057d4911a8e910ac2263c8eb880 |
| ssdeep | 3072:/eZCuX04e/tmjQFFTNna3bFy99f3bay/FjIJA:/eZbUIj4zaLFw9/JI+ |

### VirusTotal results for sample D

| AV product | Result |
|---|---|
| CAT-QuickHeal | Backdoor.Pfinet |
| McAfee | Generic.dx!ueu |
| K7AntiVirus | Riskware |
| VirusBuster | Backdoor.Agent!JK8atQHb1PQ |
| Symantec | Backdoor.Pfinet |
| Norman | W32/Suspicious_Gen3.JVLR |
| TrendMicro-HouseCall | TROJ_GEN.R47C3JS |
| Avast | Win32:Malware-gen |
| Kaspersky | UDS:DangerousObject.Multi.Generic |
| BitDefender | Backdoor.Generic.264016 |
| Emsisoft | Backdoor.SuspectCRC!IK |
| Comodo | UnclassifiedMalware |
| F-Secure | Backdoor.Generic.264016 |
| VIPRE | Trojan.Win32.Generic!BT |
| AntiVir | TR/ATRAPS.Gen |
| TrendMicro | TROJ_GEN.R47C3JS |
| McAfee-GW-Edition | Heuristic.BehavesLike.Win32.Suspicious.H |
| GData | Backdoor.Generic.264016 |
| AhnLab-V3 | Backdoor/Win32.Pfinet |
| PCTools | Backdoor.Pfinet |
| Ikarus | Backdoor.SuspectCRC |
| Panda | Trj/CI.A |
| Avast5 | Win32:Malware-gen |

Scanned: 2011-05-08 11:16:36 - 42 scans - 23 detections (54.0%)

### File characteristics

#### Meta data

```
Size: 135168 bytes
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Date: 0x4AC5A662 [Fri Oct 2 07:06:10 2009 UTC]
EP:   0x20015d85 .text 0/5
CRC:  Claimed: 0x0, Actual: 0x2ccd6 [SUSPICIOUS]
```

#### Exports

```
Flags         : 00000000
Time stamp    : Fri Oct 2 09:06:07 2009
Version       : 0.0
DLL name      : carbon_system.dll
Ordinals base : 1. (00000001)
# of Addresses: 1. (00000001)
# of Names    : 1. (00000001)

1. 00002655 ModuleStart
```

#### Sections

| Name | VirtAddr | VirtSize | RawSize | Entropy |
|---|---|---|---|---|
| .text | 0x1000 | 0x150d5 | 0x16000 | 6.417399 |
| .basein | 0x17000 | 0x97 | 0x1000 | 0.418760 [SUSPICIOUS] |
| .rdata | 0x18000 | 0x5380 | 0x6000 | 6.450645 |
| .data | 0x1e000 | 0x15e0 | 0x1000 | 5.450370 |
| .reloc | 0x20000 | 0x15e4 | 0x2000 | 4.991237 |

#### Strings

```
$Id: t_utils.c 5503 2007-02-26 13:14:30Z vlad $
$Id: t_status.c 5666 2007-03-19 16:18:00Z vlad $
$Id: t_message1.c 5290 2007-01-26 11:15:03Z vlad $
$Id: t_manager.c 8715 2007-11-29 16:04:46Z urik $
$Id: t_byte1.c 5324 2007-01-30 12:45:35Z vlad $
$Id: np_win32_common.c 4483 2006-08-30 13:13:51Z vlad $
$Id: m_np.c 8825 2008-01-10 13:13:15Z vlad $
$Id: m_frag.c 8715 2007-11-29 16:04:46Z urik $
$Id: m2_to_b2_stub.c 4477 2006-08-28 15:58:21Z vlad $
$Id: l1_check.c 4477 2006-08-28 15:58:21Z vlad $
$Id: b_tcp.c 8474 2007-09-19 15:40:39Z vlad $
$Id: b2_to_m2_stub.c 5273 2007-01-23 17:41:15Z vlad $
$Id: thread.c 4593 2006-10-12 11:43:29Z urik $
$Id: rw_lock.c 4482 2006-08-30 13:07:14Z vlad $
$Id: mutex.c 3940 2006-03-20 16:47:16Z vlad $
$Id: load_lib_win32.c 10180 2008-11-20 12:13:01Z gilg $
$Id: hide_module_win32.c 10189 2008-11-25 14:25:41Z gilg $
\\.\IdeDrive1\\Tasks\
\\.\IdeDrive1\\Results\
Global\MSDBG.Global.MUTEX.ATF
Global\WindowsShellHWDetection
Global\MSCTF.Shared.MUTEX.RPM
Global\881F0621AC59C4c035A5DC92158AB85E
Global\411A5195CD73A8a710E4BB16842FA42C
Global\MSMMC.StartupEnvironment.PPT
\\.\IdeDrive1\\log.txt
TR|%d|
SR|%d|
ST|Carbon v3.61|
\\.\IdeDrive1\\*.bak
\\.\IdeDrive1\\
\\.\IdeDrive1\\Tasks\task.txt
\\.\IdeDrive1\\Tasks\task_system.txt
\\.\IdeDrive1\\Tasks\*.tmp
\\.\IdeDrive1\\config.txt
sys_winmin
TIME
sys_winmax
\\.\IdeDrive1\\restrans.txt
quantity
CW_LOCAL
address
object
D:(A;OICIID;GRGWGX;;;WD)
Carbon v3.61
System
VERSION
object_id
NAME
CW_INET
logperiod
OPER|Survive me, i`m close to death... free space less than 5%%...|
OPER|Low space... free space less than 10%%...|
ZwWow64ReadVirtualMemory64
ExitThread
LdrGetProcedureAddress
ZwTerminateThread
CreateRemoteThread
\System32\
\SysWOW64\
OPER|Wrong timeout: high < low|
%02d/%02d/%02d|%02d:%02d:%02d|%s|s|
CreateToolhelp32Snapshot() failed: %d
tcpdump.exe
windump.exe
ethereal.exe
wireshark.exe
ettercap.exe
snoop.exe
OPER|Sniffer '%s' running... ooopppsss...|
%x-%x-%x-%x
run_task_system
WORKDATA
\\.\IdeDrive1\\Results\result.txt
I|%d|
task_min
task_max
T|s|%d|
%u|1|%s|%s
%u|2|%s|%s|%s
T|e|%d|
start
time2task
cmd.exe
CONFIG
stdout
RESULT
COMPRESSION
DELETE
%u|%s|%s
%u|%s|%s|%s
Task not execute. Arg file failed.
T|-1|%d|%d|
AS_USER:LogonUser():%d
AS_USER:DuplicateTokenEx():%d
explorer.exe
AS_CUR_USER:OpenProcessToken():%d
AS_CUR_USER:DuplicateTokenEx():%d
CrPr() wait timeout %d msec exceeded: %d
CrPr() WaitForSingleObject() error: %d
CrPr(),WL(),AU():%d
CopyFile(%s, %s):%d
Memory allocation error. Use no compression
frag.np
\\.\Global\PIPE\comnode
frag_size=32768
frag_no_scrambling=1
allow=*everyone
active_con
frag.tcp/%s:445
frag.np/%s
\\.\IdeDrive1\\logtrans.txt
A|2|%s|
W|%s|%s|
m_send() ZERO1 failed
W|%s|%s|%s|
\*.tmp
m_send() ZERO2 failed
R|%s|%d|
\\%s\pipe\comnode
frag.tcp
net_user=
net_password=
write_peer_nfo=%c%s%c
P|0|%s|%d|
P|-1|%d|%s|%d|
P|-1|%d|%d|
nodelay=N
W|-1|%d|%s|
SEND AUTH
W|-1|%d|%s|%s|
RECV AUTH
AUTH FAILED
SEND WHO
SEND OBJECT_ID
logmin
logmax
lastsend
S|0|%s|
S|-1|%d|%s|
Task %d failed %s, %d
A|-1|%u|%s|%s|
timestop
lastconnect
.bak
%u:%u:%u:%u:%u
Freeze Ok.
\$NtUninstallQ722833$\usbdev.sys
\\.\IdeDrive1\\usbdev.bak
\\.\IdeDrive1\\inetpub.bak
\\.\IdeDrive1\\inetpub.dll
\\.\IdeDrive1\\cryptoapi.bak
\\.\IdeDrive1\\cryptoapi.dll
Update Ok.
Update failed =((
Can`t create file.
\\.\IdeDrive1\\Plugins\
Can't create file '%s', error %d =((
Create plugin '%s' OK.
Create plugin '%s' failed. Write error, %d.
PLUGINS
Find existing record.
not_started|%d
Config update success.
enable%s
Config record error: %s = %s.
Plugin not found in config.
Plugin already loaded.
ModuleStart
can`t find entry point.
loadlibrary() failed.
Plugin start failed, %d
try to run dll with user priv.
can`t get characs.
Plugin not PE format.
Plugin start success.
Plugin start failed.
disable%s
removed%s
Plugin not loaded.
Plugin deleted.
Plugin delete failed, %d.
Plugin terminated.
Plugin terminate failed, %d.
ModuleStop
Plugin dll stop success.
Plugin dll stop failed.
Plugin freelib success.
Plugin freelib failed, %d.
Internal command not support =((
%u|1|%s
G|0|%d|%d|
W|0|%s|%d|
A|0|%s|%d|
%u|%s|%s|%s|%s
%u|%s|%s|%s|%s|%d|%s|%s
%u|%s|%s|%s|%s|%d
W|1|%s|%d|
A|1|%s|%d|
%s:%d
\\%s\pipe\%s
m_create() failed.
net_user=%s
net_password=%s
m_setoptlist() failed.
m_connect() failed.
m_send() AUTH failed.
m_recv() AUTH failed.
AUTH failed.
m_send() WHO failed.
m_send() OBJECT failed.
m_recv() OBJECT failed.
Trans task %d for obj %s ACTIVE fail robj=%s
OBJECT ACK failed.
m_send() TASK failed.
m_recv() WIN RESULT failed.
m_recv() ACT RESULT failed.
m_send() ACT RESULT failed.
enable
L|-1|can`t find entry point %s|
L|-1|loadlibrary() failed %d|
L|-1|%s|%d|
L|-1|try to run dll %s with user priv|
L|-1|can`t get characs %s|
L|-1|not PE format %s|
L|-1| parse error %s|
L|-1| parse error %s|
L|0|%s|
L|-1|AS_CUR_USER:OpenProcessToken():%d, %s|
L|-1|AS_CUR_USER:DuplicateTokenEx():%d, %s|
L|-1|AS_CUR_USER:LogonUser():%d, %s|
L|-1|wrong priv %s|
L|-1|CreateProcessAsUser():%d, %s|
D:AI
TCP: resolving host name...
TCP: resolved %s
TCP: closed.
TCP: connecting...
nodelay
Y1N0
TCP: send
TCP: recv
%s:%u
Frag: send
frag_size
frag_no_scrambling
peer_frag_size
\\.\pipe\
allow
*everyone
read_peer_nfo
write_peer_nfo
net_user
net_password
imp_level
no_server_hijack
every1
anonymous
\pipe\
\ipc$
frag
transports
licence error
```

## Sample E - usbdev.sys - x64 (Resource: 161)

### Hashes

| Type of hash | Hash |
|---|---|
| MD5 | 62e9839bf0b81d7774a3606112b318e8 |
| SHA1 | 6f2e50c5f03e73e77484d5845d64d952b038a12b |
| SHA-256 | 39050386f17b2d34bdbd118eec62ed6b2f386e21500a740362454ed73ea362e8 |
| ssdeep | 3072:S9f3buYUVKa6a1206K55kL+tkA3qkQQ0dwZATH:S9iYUImo06KXkL+qA6kf0dwK |

### VirusTotal results for sample E

| AV product | Result |
|---|---|
| McAfee+Artemis | Pfinet |
| nProtect | Trojan/W32.Agent.228352.W |
| McAfee | Pfinet |
| F-Prot | W32/Pfinet.A |
| a-squared | Backdoor.Pfinet!IK |
| Avast | Win32:Malware-gen |
| ClamAV | Trojan.Agent-126457 |
| Kaspersky | Trojan.Win32.Agent.czua |
| BitDefender | Trojan.Generic.2617254 |
| Comodo | TrojWare.Win32.Agent.czua |
| F-Secure | Trojan:W64/Carbys.gen!A |
| DrWeb | Trojan.Siggen.27969 |
| TrendMicro | TROJ_PFINET.A |
| Authentium | W32/Pfinet.A |
| Jiangmin | Trojan/Agent.dcrw |
| Antiy-AVL | Trojan/Win32.Agent.gen |
| Symantec | Backdoor.Pfinet |
| Microsoft | Backdoor:WinNT/Pfinet.B |
| GData | Trojan.Generic.2617254 |
| VBA32 | Trojan.Win32.Agent.czua |
| PCTools | Backdoor.Pfinet |
| Ikarus | Backdoor.Pfinet |
| AVG | Agent2.YKW |
| Panda | Rootkit/Agent.MXI |

Scanned: 2009-12-27 12:15:01 - 40 scans - 24 detections (60.0%)

### File characteristics

#### Meta data

```
Size: 228352 bytes
Type: PE32+ executable (DLL) (native) x86-64, for MS Windows
Date: 0x4AC48FE7 [Thu Oct 1 11:17:59 2009 UTC]
EP:   0x21454 .text 0/6
CRC:  Claimed: 0x397f7, Actual: 0x397f7
```

#### Sections

| Name | VirtAddr | VirtSize | RawSize | Entropy |
|---|---|---|---|---|
| .text | 0x1000 | 0x2126c | 0x21400 | 6.518352 |
| .basein | 0x23000 | 0xc7 | 0x200 | 2.902918 |
| .data | 0x24000 | 0x23a3c | 0x13400 | 1.284443 |
| .pdata | 0x48000 | 0x10b0 | 0x1200 | 5.035513 |
| INIT | 0x4a000 | 0x10ce | 0x1200 | 4.944873 |
| .reloc | 0x4c000 | 0x99a | 0xa00 | 4.576183 |

#### Strings
The strings correspond mostly to those of Sample B.

## Sample F - inetpub.dll - x64 (Resource: 162)

### Hashes

| Type of hash | Hash |
|---|---|
| MD5 | e1ee88eda1d399822587eb58eac9b347 |
| SHA1 | 32287d26656587c6848902dbed8086c153d94ee7 |
| SHA-256 | 92c2023095420de3ca7d53a55ed689e7c0086195dc06a4369e0ee58a803c17bb |
| ssdeep | 3072:vr84EaVK9B9MklzeALxqS6kcLyHFQ+vYnb9f3bkrlESXdMQyFc8:QPp9B9MkllLMScLmsb9IKrF1 |

### VirusTotal results for sample F

| AV product | Result |
|---|---|
| Symantec | Backdoor.Pfinet |

Scanned: 2014-03-23 21:27:06 - 51 scans - 1 detections (1.0%)

### File characteristics

#### Meta data

```
Size: 113664 bytes
Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Date: 0x4AC5A6C2 [Fri Oct 2 07:07:46 2009 UTC]
EP:   0x200149d0 .text 0/5
CRC:  Claimed: 0x0, Actual: 0x1e6b8 [SUSPICIOUS]
```

#### Sections

| Name | VirtAddr | VirtSize | RawSize | Entropy |
|---|---|---|---|---|
| .text | 0x1000 | 0x13b8d | 0x13c00 | 6.247940 |
| .rdata | 0x15000 | 0x582e | 0x5a00 | 6.692290 |
| .data | 0x1b000 | 0x1ae0 | 0x1400 | 4.598089 |
| .pdata | 0x1d000 | 0x8c4 | 0xa00 | 4.522066 |
| .reloc | 0x1e000 | 0x248 | 0x400 | 2.325587 |

#### Strings

The strings correspond mostly to those of Sample C.
## Sample G - cryptoapi.dll - x64 (Resource: 165)

### Hashes

| Type of hash | Hash |
|---|---|
| MD5 | a7853bab983ede28959a30653baec74a |
| SHA1 | eee11da421c7268e799bd938937e7ef754a895bf |
| SHA-256 | 0e3842bd092db5c0c70c62e8351649d6e3f75e97d39bbfd0c0975b8c462a65ca |
| ssdeep | 3072:U/ylCK5WUZFspUjcF65zlEzEOflC9Pw6OPEH66kcXF9f3b6ivgCUHXM:1gWWUrg3ANOP+6cXF9/u |

### VirusTotal results for sample G

| AV product | Result |
|---|---|
| Symantec | Backdoor.Pfinet |
| AntiVir | TR/ATRAPS.Gen2 |

Scanned: 2014-03-23 21:26:59 - 51 scans - 2 detections (3.0%)

### File characteristics

#### Meta data

```
Size: 147968 bytes
Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Date: 0x4AC5A685 [Fri Oct 2 07:06:45 2009 UTC]
EP:   0x2001bd80 .text 0/6
CRC:  Claimed: 0x0, Actual: 0x32c9f [SUSPICIOUS]
```

#### Sections

| Name | VirtAddr | VirtSize | RawSize | Entropy |
|---|---|---|---|---|
| .text | 0x1000 | 0x1af6d | 0x1b000 | 6.195387 |
| .basein | 0x1c000 | 0xc7 | 0x200 | 2.902918 |
| .rdata | 0x1d000 | 0x66f0 | 0x6800 | 6.585248 |
| .data | 0x24000 | 0x1b00 | 0x1400 | 4.647566 |
| .pdata | 0x26000 | 0xad4 | 0xc00 | 4.848795 |
| .reloc | 0x27000 | 0x2a6 | 0x400 | 2.344107 |

```
[...]
.text:0001E122 mov [ebp+xor_key], 4E415341h    ; key
.text:0001E129 mov [ebp+part_1], 7253605h      ; part 1 encrypted
.text:0001E130 mov [ebp+part_2], 3C282524h     ; part 2 encrypted
[...]
.text:0001E17B mov eax, [ebp+part_1]
.text:0001E17E xor eax, [ebp+xor_key]          ; decrypt part 1: IdeD
.text:0001E181 mov [ebp+part_1], eax
[...]
.text:0001E184 mov ecx, [ebp+part_2]
.text:0001E18A xor ecx, [ebp+xor_key]          ; decrypt part 2: rive
.text:0001E18D mov [ebp+part_2], ecx
[...]
```

They are seriously using the key 0x4E415341 to decrypt the string. 0x4E415341 is ASCII for 'NASA'.
That is how they decrypt and assemble the string IdeDrive, appending a '1' in the next step and using it to build the destination path. Full excerpt below:

```
[...]
.text:0001E11B mov [ebp+var_20], 0
.text:0001E122 mov [ebp+xor_key], 4E415341h
.text:0001E129 mov [ebp+part_1], 7253605h
.text:0001E130 mov [ebp+part_2], 3C282524h
.text:0001E13A xor eax, eax
.text:0001E13C mov [ebp+drive], eax
.text:0001E142 mov [ebp+var_338], eax
.text:0001E148 mov [ebp+var_334], ax
.text:0001E14F push 104h                        ; size_t
.text:0001E154 push 0                           ; int
.text:0001E156 lea ecx, [ebp+cryptoapi.dll]
.text:0001E15C push ecx                         ; void *
.text:0001E15D call memset
.text:0001E162 add esp, 0Ch
.text:0001E165 push 104h                        ; size_t
.text:0001E16A push 0                           ; int
.text:0001E16C lea edx, [ebp+inetpub.dll]
.text:0001E172 push edx                         ; void *
.text:0001E173 call memset
.text:0001E178 add esp, 0Ch
.text:0001E17B mov eax, [ebp+part_1]
.text:0001E17E xor eax, [ebp+xor_key]
.text:0001E181 mov [ebp+part_1], eax
.text:0001E184 mov ecx, [ebp+part_2]
.text:0001E18A xor ecx, [ebp+xor_key]
.text:0001E18D mov [ebp+part_2], ecx
.text:0001E193 mov edx, [ebp+part_1]
.text:0001E196 push edx
.text:0001E197 call order_bytes
.text:0001E19C mov [ebp+part_1], eax
.text:0001E19F mov eax, [ebp+part_1]
.text:0001E1A2 mov [ebp+part_1], eax
.text:0001E1A5 mov ecx, [ebp+part_2]
.text:0001E1AB push ecx
.text:0001E1AC call order_bytes
.text:0001E1B1 mov [ebp+part_2], eax
.text:0001E1B7 mov edx, [ebp+part_2]
.text:0001E1BD mov [ebp+part_2], edx
.text:0001E1C3 mov eax, [ebp+part_1]
.text:0001E1C6 mov [ebp+drive], eax
.text:0001E1CC mov ecx, [ebp+part_2]
.text:0001E1D2 mov [ebp+var_338], ecx
.text:0001E1D8 lea edx, [ebp+drive]
.text:0001E1DE add edx, 0FFFFFFFFh
.text:0001E1E1 mov [ebp+var_454], edx
.text:0001E1E7 mov eax, [ebp+var_454]
.text:0001E1ED mov cl, [eax+1]
.text:0001E1F0 mov [ebp+var_455], cl
.text:0001E1F6 add [ebp+var_454], 1
.text:0001E1FD cmp [ebp+var_455], 0
.text:0001E204 jnz short loc_1E1E7
.text:0001E206 mov edi, [ebp+var_454]
.text:0001E20C mov dx, word ptr ds:a1           ; "1"
.text:0001E213 mov [edi], dx
.text:0001E216 lea eax, [ebp+drive]
.text:0001E21C push eax
.text:0001E21D push offset a??SCryptoapi_d      ; "\\??\\%s\\cryptoapi.dll"
.text:0001E222 lea ecx, [ebp+cryptoapi.dll]
.text:0001E228 push ecx                         ; char *
```

```
.data:2001EF58 offset sub_2000DDC0>
```

TODO: these functions need to be analyzed and described.

Other reports mention additional transports that are not present in this collection (the marks per row survive, but which source column each mark belongs to was lost in extraction):

```
Transport (Type)   CIRCL   BAE   deresz/tecamac
tcp (1)            x x
b2m (1)            x
np (2)             x x
enc (2)            x
reliable (2)       x
frag               x x x
m2b (2)            x x
m2d (2)            x
t2m (3)            x
udp (4)            x
doms (4)           x
domc (4)           x
```

frag.np and frag.tcp replies:

```
SEND AUTH
RECV AUTH
AUTH FAILED
SEND WHO
SEND OBJECT_ID
```

frag.np/frag.tcp options:

```
frag_size=32768
frag_no_scrambling=1
allow=*everyone
active_con
net_user=
net_password=
write_peer_nfo=%c%s%c
nodelay=N
```

### Files from cryptoapi.dll

```
\\.\IdeDrive1\
\\.\IdeDrive1\log.txt
\\.\IdeDrive1\*.bak
\\.\IdeDrive1\Tasks\\task.txt
\\.\IdeDrive1\Tasks\\task_system.txt
\\.\IdeDrive1\Tasks\\*.tmp
\\.\IdeDrive1\config.txt
\\.\IdeDrive1\restrans.txt
\\.\IdeDrive1\Tasks\\
\\.\IdeDrive1\Results\\
\\.\IdeDrive1\logtrans.txt
\\.\IdeDrive1\usbdev.bak
\\.\IdeDrive1\inetpub.bak
\\.\IdeDrive1\inetpub.dll
\\.\IdeDrive1\cryptoapi.bak
\\.\IdeDrive1\cryptoapi.dll
\\.\IdeDrive1\Plugins\\
```

### Pipes from cryptoapi.dll

```
\\\\.\\Global\\PIPE\\comnode
\\\\%s\\pipe\\comnode
\\\\%s\\pipe\\%s
```

### Custom error codes, shared in samples B, C and D (E and F to be checked)

```
CUSTOM_ERROR_01 = 21590001h
```