Lead Author: Maarten van Dantzig
Co-Authors: Danny Heppener, Frank Ruiz,
Yonathan Klijnsma, Yun Zheng Hu,
Erik de Jong, Krijn de Mik,
Lennart Haagsma
# Ponmocup
#### A giant hiding in the shadows
Version 1.1, November 30, 2015
-----
## Executive Summary
Ponmocup, first discovered in 2006 as Vundo or Virtumonde, is one of the most successful botnets of the past decade, in terms of spread and persistence. Furthermore, the reasons why this botnet is considered highly interesting are that it is sophisticated, underestimated, currently one of the largest in size and aimed at financial gain.

This underestimated botnet is still in active use and under continuous development.

Having established that Ponmocup's primary goal is likely financial gain, it is interesting to look at its size. Fox-IT has determined that it has infected a cumulative total of more than 15 million unique victims since 2009. At its peak, in July 2011, the botnet consisted of 2.4 million infected systems, which as far as botnets go, is huge. Since then, the botnet has shrunk in size and is currently stable at around 500,000 active infections, as shown in Figure 1.
Compared to other botnets, Ponmocup is one of the largest currently active and, with
9 consecutive years, also one of the longest running. Ponmocup is rarely noticed though,
as the operators take care to keep it operating under the radar.
Ponmocup's operators are technically sophisticated; their techniques suggest a deeper than regular knowledge of the Windows operating system. On top of that, the operators have close to 10 years of experience with malware development. Their framework was developed over time, quality tested and then improved in order to increase robustness and reduce the likelihood of discovery.
The operators are most likely Russian speaking and possibly of Russian origin. This is based on the fact that instructions to business partners and affiliates are written in Russian, and that historically, Ponmocup would not infect systems in some post-Soviet States.
-----
Ponmocup is believed to be aimed at financial gain. Although it is difficult to quantify the exact amount of money earned with the Ponmocup botnet, it is likely that it has already been a multi-million dollar business for years now. There are multiple reasons to assume this is the case. Firstly, their infrastructure is complex, distributed and extensive, with servers for dedicated tasks. Secondly, they operate, maintain and monitor their comprehensive infrastructure with a group of operators and are quickly able to mitigate potential risks that are discovered. Thirdly, the malware itself is sophisticated and aimed at avoiding detection and analysis. Fox-IT believes, based on the earlier mentioned reasons, that they are protecting a very well run organization and infrastructure, for their main goal: financial gain.
_Figure 1: Number of active Ponmocup bots over time_ (chart; y-axis from 0 to 2,500,000 active bots, with annotated events: sinkholing by Abuse.CH, development of Ponmocup, and release of the improved Ponmocup delivery method)
-----
## Table of contents

1 Introduction 5
2 Behind Ponmocup 6
2.1 Attribution 6
2.2 Goals and impact 6
2.3 Size 7
3 Overview of the technical framework 8
3.1 Framework components 8
3.2 Typical Ponmocup infrastructure 8
4 Delivery methods 10
4.1 Delivery through ZIP file 11
4.2 Delivery through a signed Java applet 11
4.3 Delivery through a JAR loader 14
5 Installation, persistence and functionality 16
5.1 The Ponmocup installer 16
5.2 Core functionality 17
5.3 Specific functionality through plug-ins 19
5.3.1 Plug-ins #14xx range – decide: finding interesting targets 22
5.3.2 Plug-in #2600 – SIP scanner: collecting information on SIP gateways 23
5.3.3 Plug-in #2610 – router scan: collecting router information 26
5.3.4 Plug-in for MS10-061 vulnerability: lateral movement 27
6 Command and control traffic 28
6.1 Installer communication 29
6.2 Main module communication 30
6.3 Plug-in communication 30
7 Anti-analysis techniques 32
7.1 Checks for signs of analysis 32
7.2 Delivery of fake payload 32
Appendix i – Targeted keywords 34
Appendix ii – Network based indicators of compromise 36
Appendix iii – Host based indicators of compromise 38
-----
## 1 Introduction
### Ponmocup, first discovered in 2006 as Vundo or Virtumonde, is one of the most successful botnets of the past decade, in terms of spread and persistence.
Fox-IT believes this is an underestimated botnet currently still in active use and under continuous development. Though Ponmocup has received only minimal attention from the security community and is often described as low risk, it is in fact a technically sophisticated malware framework with extensive functionality. The result of our research provides a complete time-line and unique insight into the modus operandi of the operation around Ponmocup and describes all the important details of the malware. Furthermore, this report includes currently not publicly known indicators of compromise, both on host and network level, where previous research only scratched the surface.
-----
## 2 Behind Ponmocup
This chapter discusses non-technical aspects of the Ponmocup botnet: attribution, goals, impact and size.

### 2.1 Attribution

This section describes a number of aspects related to the operators of the Ponmocup botnet.

Based on the size of the command and control infrastructure, it is thought that the infrastructure is maintained, monitored and protected by a well-organized group of operators. This assessment is based on, among other things, the domains in use, the number of proxies in use, the estimated number of back-end systems, the delivery methods used and the limited affiliate schemes.
It was also observed that in certain cases, the operators reacted quickly to events which could impact the botnet's infrastructure, suggesting that the operators closely monitor their back-end infrastructure.

In addition, some operators were observed as active members of underground advertisement fraud forums or had signed up for underground advertisement fraud schemes.

It is believed that the operators are most likely Russian speaking and possibly of Russian origin. This is based on the fact that instructions to business partners and affiliates are written in Russian, and that in the early days, Ponmocup would not infect systems in the post-Soviet States of Ukraine, Russia and Belarus. However, this specific block was later removed, for unknown reasons.
As for technical capabilities, it can be said that the operators are fairly sophisticated. The successful combination of various components to execute a stealthy malware framework, in addition to the usage of undocumented Windows APIs to reset system restore points, suggests deeper than regular knowledge of the Windows operating system. On top of that, it is certain that the operators have close to 10 years of experience with malware development, as the first variant of Ponmocup (Vundo) was discovered in 2006. This translates into features of the framework that were developed over time and quality tested with debug releases of various components, in order to increase robustness and reduce the likelihood of discovery. This includes the fact that everything in the framework (APIs, strings, etc.) is obfuscated. Furthermore, the infrastructure is well thought out and load balances victims between domains and proxies as an anti-sinkhole measure. Finally, the framework uses a number of anti-analysis methods, such as the fake payload and blacklisting of IP addresses and system fingerprints once an analyst or researcher is found. Some of these techniques will be discussed in more detail further on in this paper.
### 2.2 Goals and impact

As with any modern malware, the Ponmocup framework is capable of supporting any objective, be it criminal or espionage-oriented in nature. These theoretical capabilities, however, are not very useful for determining the operators' actual goals. Ponmocup's real goals have remained somewhat elusive over the years, primarily because Fox-IT has only rarely seen any sustained activities taking place.

Based on what is known now, Ponmocup's operators are believed to be primarily interested in financial gain. However, they are currently either applying extreme restraint or carrying out their activities outside of Fox-IT's sphere of knowledge. Either way, they cherish their botnet and handle it with care. This can be supported by the following observations.
As shown in paragraph 2.3, Ponmocup is a large botnet, supporting a large number of victims. This is a direct result of its design:

1. It is difficult for traditional anti-virus solutions to reliably detect, because it uses unique encryption per infected system and locates its core components in a unique location per infected system.
2. It uses one-time domains for installation, which means that these domains cannot be used as indicators of compromise over time or across organizations.
3. It supports theft of FTP and Facebook credentials out of the box, which Fox-IT believes may be used to support further spreading of the botnet if needed.

_Figure 2: Ponmocup key figures_ (15,000,000+ unique infections; 500,000+ currently infected; 2,400,000 peak size)

_1_ _http://www.bbc.com/news/technology-18547935 and http://www.gizmodo.co.uk/2012/06/printer-virus-on-the-loose-good-day-for-paper-companies-bad-day-for-trees/_
Finally, Ponmocup is believed to be aimed at financial gain for the following reasons:

1. The plug-in that supports advertisement fraud (ppc, abbreviation for 'pay-per-click') is the most actively developed plug-in.
2. The framework appears to target mainly wealthy and larger English speaking nations for banking, investment and trading websites that store sensitive personal information which could help in committing fraud. Its targets originally comprised mainly EU and larger English speaking countries, which later narrowed down to English speaking countries only, narrowing down even further to the United Kingdom and United States only in 2012.
3. It supports theft of Bitcoin wallets.

As already outlined, Ponmocup is believed to be aimed at financial gain. Although it is hard to quantify the exact amount of money earned with the Ponmocup botnet, it is likely that it has already been a multi-million dollar business for years now. There are multiple reasons to assume this is the case. Firstly, their infrastructure is complex, distributed and extensive, with servers for dedicated tasks. Secondly, they operate, maintain and monitor their comprehensive infrastructure with a group of operators and are quickly able to mitigate potential risks that are discovered. Thirdly, the malware itself is very sophisticated, using a multi-staged loader and sophisticated AV evasion techniques, trying to stay under the radar as much as possible in order to avoid detection. Fox-IT believes, based on the earlier mentioned reasons, that they are protecting a very well run organization and infrastructure, for their main motivation: earning tons of money.
### 2.3 Size

Having established that Ponmocup's primary goal is likely financial gain, it is interesting to look at its size. Fox-IT has determined that Ponmocup has infected a cumulative total of more than 15 million unique victims since 2009. At its peak, in July 2011, the botnet consisted of 2.4 million infected systems, which as far as botnets go, is huge. The botnet has since then shrunk in size as a result of a coordinated sinkhole action and natural rotation of bots. Currently, there are still more than 500,000 victims checking in to command and control servers each month.

For distribution purposes, more than 5000 websites have been compromised since 2009, using FTP credentials stolen by Ponmocup components, in order to further spread the malware.

Compared to other botnets, Ponmocup is one of the largest currently active and, with 9 consecutive years, also one of the longest running. Ponmocup is rarely noticed though, as the operators take care to keep it operating under the radar. An update that included a failed printer exploit, in 2012, provided a rare moment in the limelight: it caused printers worldwide to start printing garbage data until they ran out of paper or ink [1].
-----
## 3 Overview of the technical framework
Ponmocup is a malware framework, written in C++, designed to infect and remain persistent on a large number of victim machines. This chapter describes the components that comprise the framework.

### 3.1 Framework components

The Ponmocup framework employs a number of components to deliver, install, execute and control the malware, as listed in Table 1. Each component uses different anti-analysis methods to prevent the framework from being discovered.

Reverse engineering the functionalities can be a labor-intensive process, as the malware executes over various stages, where each string is decrypted in-line using various algorithms. Components that are integral to the functioning of the framework are often encrypted or stored using information specific to a victim's system.

### 3.2 Typical Ponmocup infrastructure

The infrastructure used to control the botnet is designed to be resilient to disruption attempts, using a separate infrastructure per component. This requires an extensive server set-up which is constantly monitored for performance issues and disruption attempts by external parties. Ponmocup communicates to back-end servers over several proxy layers and each victim can use a specific group of proxies to communicate. Using proxy groups means that the botnet is spread over several domains, a technique that makes taking down the entire botnet difficult.
| Component | Purpose |
|---|---|
| Delivery | Delivery methods used to infect victims with Ponmocup |
| Installer | Installs Ponmocup persistently, thoroughly checks the target machine for analysis capabilities |
| Initiator | DLL stored on disk, starts the loader in memory and hands over control to the loader |
| Loader | Finds the location of the registry key containing the encrypted main module and plug-ins, decrypts the content, starts and hands over control to the main module |
| Main module | Communicates with command and control server and retrieves and executes plug-ins |
| Plug-ins | Provide functionalities for specific tasks |
| Back-end infrastructure | Infrastructure used to control compromised systems |

_Table 1: Overview of Ponmocup components and their purpose_
The operators have gone out of their way to try and defeat detection by anti-virus software, automated analysis, as well as manual analysis. Their attempts have proven very successful: over the last five years only a few analyses of Ponmocup have been published, of which none have managed to uncover the full truth of the framework.

Plug-ins carrying out specific tasks or exfiltrating specific data make use of separate proxies as well as separate back-end servers.

A simplified overview of the infrastructure between the operators and a victim is shown in Figure 3.
-----
_Figure 3: Typical infrastructure including victim and operators_
-----
## 4 Delivery methods
This chapter describes historic and current delivery methods used to distribute the Ponmocup malware.

From 2009 to 2011 the two main methods used to distribute Ponmocup were fake codec packs and fake Flash Player updates. However, after a sinkhole attempt in 2011 [2] the authors developed their own distribution method, publicly known as Zuponcic [3], named after the first website that was compromised for distribution purposes using this method. Although Zuponcic is commonly described as an exploit kit, that actually isn't an accurate description because it doesn't use exploits. Instead, it uses three distinct infection vectors, which in most cases depend on interaction with the victim.

Websites affected by Zuponcic are typically compromised using FTP credentials, stolen from machines infected by Ponmocup. This allows the operators behind Ponmocup to upload a carefully crafted .htaccess file to every accessible folder. It redirects visitors from the compromised website to the Zuponcic delivery mechanism. The code in the .htaccess file responsible for this redirect is placed between 500 blank lines to make it seem as if the file is empty. This code itself makes sure that not just anyone gets redirected to the malicious website; the visitor must have visited the compromised website via a search engine, social media network or webmail application. This reduces the number of potential victims, but often filters out potential victims that would more easily notice a website behaving out of the ordinary, such as the owner of the website or frequent visitors. A snippet from the .htaccess file checking for valid referrers:

```
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(tweet|twit|linkedin|instagram|facebook\.|myspace\.|bebo\.).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(hi5\.|blogspot\.|friendfeed\.|friendster\.|google\.).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^(http:\/\/)?([^\/\?]*\.)?(yahoo\.|bing\.|msn\.|ask\.|excite\.|altavista\.|netscape\.).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^(http:\/\/)?([^\/\?]*\.)?(aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^(http:\/\/)?([^\/\?]*\.)?(lycos\.|metacrawler\.|mail\.|PINterest|instagram).*$ [NC]
RewriteCond %{HTTP_REFERER} !^.*(imgres).*$ [NC]
```

Once a visitor is attacked by Zuponcic, their IP address is blacklisted and will no longer be targeted until the IP address is cleared from the blacklist, regardless of whether the attack was successful or not. Additionally, a cookie is placed on the machine to make sure that not only the IP address, but also the actual machine itself is blacklisted. Potential victims redirected by the .htaccess file are first taken to an intermediate website (typically hijacked GoDaddy domains) using one out of 60 listed URI patterns. The conditions that a potential victim has to meet in order to be attacked are visualized in Figure 5.

Because Zuponcic requires a valid referrer chain and blacklists an IP address after a single hit, and because most URL analysis tools fail to perform dynamic analysis on these compromised websites, most of these websites are falsely classified as 'safe' and remain compromised for relatively long periods.
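As an added example (not part of the Fox-IT report), the following Python script reproduces Apache's evaluation of the referrer conditions quoted above, so a webmaster or incident responder can see which visits the filter selects and check an .htaccess file for the blank-line padding the report describes. The sample .htaccess is built from the quoted rules; the redirect target, the replayed referrer values and the 500-line padding are constructed for the demonstration, and the evaluation covers only the NC and OR flags and the `!` negation, which is all the quoted rules use.

```python
"""Evaluate a Zuponcic-style .htaccess referrer filter (added example, not report code)."""
import re

# Constructed sample .htaccess: the referrer conditions quoted in the report,
# preceded by 500 blank lines as the report describes. The RewriteRule target
# is a placeholder, not a real intermediate domain.
REDIRECT_RULES = "\n".join([
    "RewriteEngine On",
    r"RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(tweet|twit|linkedin|instagram|facebook\.|myspace\.|bebo\.).*$ [NC,OR]",
    r"RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(hi5\.|blogspot\.|friendfeed\.|friendster\.|google\.).*$ [NC,OR]",
    r"RewriteCond %{HTTP_REFERER} ^(http:\/\/)?([^\/\?]*\.)?(yahoo\.|bing\.|msn\.|ask\.|excite\.|altavista\.|netscape\.).*$ [NC,OR]",
    r"RewriteCond %{HTTP_REFERER} ^(http:\/\/)?([^\/\?]*\.)?(aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.).*$ [NC,OR]",
    r"RewriteCond %{HTTP_REFERER} ^(http:\/\/)?([^\/\?]*\.)?(lycos\.|metacrawler\.|mail\.|PINterest|instagram).*$ [NC]",
    r"RewriteCond %{HTTP_REFERER} !^.*(imgres).*$ [NC]",
    r"RewriteRule .* http://intermediate-site.example/ [R,L]",
])
SAMPLE_HTACCESS = "\n" * 500 + REDIRECT_RULES

# RewriteCond lines that test the Referer header, with their optional [flags].
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s*(\S+)(?:\s+\[([^\]]*)\])?\s*$")


def leading_blank_lines(text):
    """Count blank lines before the first directive; Zuponcic pads with hundreds."""
    count = 0
    for line in text.split("\n"):
        if line.strip():
            break
        count += 1
    return count


def parse_referer_conditions(text):
    """Extract every RewriteCond on %{HTTP_REFERER}: pattern, negation and flags."""
    conds = []
    for line in text.splitlines():
        m = COND_RE.match(line)
        if not m:
            continue
        pattern = m.group(1)
        flags = {f.strip().upper() for f in (m.group(2) or "").split(",") if f.strip()}
        negate = pattern.startswith("!")
        conds.append({
            "pattern": pattern[1:] if negate else pattern,
            "negate": negate,
            "nocase": "NC" in flags,
            "or_next": "OR" in flags,
        })
    return conds


def would_redirect(conds, referer):
    """Apache semantics: conditions are AND-ed, except that [OR] joins a condition
    with the next one into an OR group. True means this visitor gets redirected."""
    groups, current = [], []
    for cond in conds:
        current.append(cond)
        if not cond["or_next"]:
            groups.append(current)
            current = []
    if current:
        groups.append(current)

    def holds(cond):
        flags = re.IGNORECASE if cond["nocase"] else 0
        hit = re.search(cond["pattern"], referer, flags) is not None
        return hit != cond["negate"]

    return all(any(holds(c) for c in group) for group in groups)


# Constructed visitor referrers a responder might replay against the rules.
SAMPLE_REFERERS = {
    "direct visit or URL scanner": "",
    "Google web search": "http://www.google.com/search?q=ponmocup",
    "Google image result": "http://www.google.com/imgres?imgurl=http://example.test/a.png",
    "Twitter": "http://twitter.com/home",
    "site owner from admin panel": "http://www.example-blog.test/admin/",
}


def analyse(htaccess_text, referers=SAMPLE_REFERERS):
    """Padding count, number of referrer conditions, and who would be redirected."""
    conds = parse_referer_conditions(htaccess_text)
    return {
        "leading_blank_lines": leading_blank_lines(htaccess_text),
        "referer_conditions": len(conds),
        "redirected": {name: would_redirect(conds, ref) for name, ref in referers.items()},
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_HTACCESS).items():
        print(key, value)
```

The direct visit and the image-search referrer both come out as not redirected, which is exactly why a URL scanner fetching the page without a search-engine Referer sees a clean site; a high blank-line count combined with referrer-gated RewriteCond directives is the shape to look for when auditing .htaccess files on a site that hosts FTP-managed content.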
-----
_Figure 4: Using victim’s own keywords for payload filename_
Once a visitor is actually redirected to the Zuponcic landing page, he or she is targeted based on the browser used and the presence of the Java browser plug-in. The decision chart in Figure 6 depicts the various methods used to infect visitors with the Ponmocup payload. The next paragraphs describe each method in more detail.

### 4.1 Delivery through ZIP file

Using a browser other than Internet Explorer 8/10, or not having Java installed, a victim will receive a ZIP file containing the payload. The name of the ZIP and of the embedded payload is derived from the previously used search terms, as shown in Figure 4.

Compared to the attack vectors abusing Java, described in paragraphs 4.2 and 4.3, this attack method puts very little effort into hiding the payload. Perhaps the operators felt safe enough to introduce this method to their arsenal of infection vectors at the cost of slightly more attention.

### 4.2 Delivery through a signed Java applet

This infection vector relies on social engineering or outdated Java software in order to execute a Java applet. These applets are typically run in a sandbox, in order to prevent them from touching the file system, so to drop the Ponmocup installer on a victim's machine this Java applet has to escape the sandbox. Ponmocup successfully does so because the Java applet is signed with a valid certificate, stolen from a legitimate organization. Older versions of Java (pre-dating Java 7 Update 21, to be specific), which blindly trust certificates issued by certificate authorities, will run this applet outside of the sandbox without even asking for the user's permission.

Recent versions of Java always prompt for user approval before running applets, though in this case the applet might still appear legitimate to potential victims, as the applet is still signed with a valid certificate and claims to be executing an application with the name 'FlashPlayer'.

The certificates listed in Table 2 have all been used by Zuponcic to infect victims with Ponmocup.

_Figure 5: Zuponcic redirection flow (decision chart titled "Zuponcic flow")_

_Figure 6: Zuponcic attack flow_

| Subject | Fingerprint (SHA1) | Issuer | Year |
|---|---|---|---|
| Kurz Instruments, Inc. | 8A:DC:2D:8B:B5:3C:DC:93:C9:80:C4:F6:C0:80:59:73:8B:88:19:16 | GlobalSign | 2012 |
| R P Infosystems Pvt Ltd | BB:48:74:0F:01:E6:7F:EE:A6:06:96:4B:D5:81:A7:30:BF:D0:54:D7 | VeriSign | 2012–2013 |
| iLoq Oy | 76:90:09:5B:C3:FC:9F:9D:74:98:56:F6:E1:DD:22:C0:89:44:F7:F9 | VeriSign | 2013–2014 |
| AUZSOLUTIONS.com.au | F1:39:8E:53:D1:F8:FC:06:34:F5:4E:68:72:88:5F:31:CC:09:35:23 | COMODO | 2014 |
| Queen's University | 73:E8:D6:F3:91:77:2A:7F:AE:81:C3:81:73:14:2E:C8:F6:28:2A:E4 | UserTrust | 2015 |

_Table 2: Stolen certificates used in the delivery of Ponmocup_

Because the certificates used by Zuponcic are stolen from victims that have been infected by Ponmocup, it typically does not take long for a revoked certificate to be replaced by a new one. In most cases revoked certificates were replaced with a newly stolen certificate within 1–3 weeks.

The file doing all the work, FlashPlayer.class, is heavily obfuscated using control flow obfuscation. Additionally, all strings are encoded using an encoding key which consists of dynamic values from the process stack. This works if the class and calling method names are static, which has always been the case for Zuponcic; the class name is 'FlashPlayer' and the calling method is 'init', which results in 'FlashPlayerinit' as the decoding key:

```
// Take the calling frame (index 1) from a freshly created exception's stack trace...
final StackTraceElement stackTraceElement = new Exception().getStackTrace()[1];
// ...and build the decoding key as class name + method name ("FlashPlayer" + "init")
final String string = new StringBuffer(stackTraceElement.getMethodName())
        .insert(0, stackTraceElement.getClassName())
        .toString();
```

FlashPlayer.class will create an empty .tmp file with a random short name (2–5 characters) in the TEMP directory. It then HTTP POSTs to the Zuponcic host, using a token which is unique per victim, to retrieve an RC4 encrypted payload. This payload is then stored in the .tmp file and decrypted with a key that is also uniquely generated per victim (taken from the landing page). If the applet is allowed to run, it will execute the payload. Once executed, the browser redirects the victim to the actual website that was visited, whether the execution is successful or not, leaving the victim to believe nothing strange has happened. If the execution of the payload fails, the created .tmp file is deleted from disk, preventing any evidence from being left around.

### 4.3 Delivery through a JAR loader

A target using IE10 will receive a JAR file which has to be manually downloaded and executed. Through clever social engineering, Zuponcic tricks many victims into running its malicious payload. This is done by using the search terms used in the redirecting search engine in the payload name, as shown in the example in Figure 4.

This JAR file contains an RC4 encrypted payload. The key is based on the target's IP address. This means the key and the embedded encrypted binary are unique per target. Once the JAR is executed, the decompiled code below (Figure 7) recovers the key:

```
// Ask an external service for the victim's public IP address...
final URLConnection openConnection;
(openConnection = new URL("http://checkip.dyndns.com").openConnection())
        .setRequestProperty("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)");
final BufferedReader bufferedReader = new BufferedReader(
        new InputStreamReader(openConnection.getInputStream()));
final String readLine = bufferedReader.readLine();
String group = "";
bufferedReader.close();
// ...pull the dotted-quad address out of the first line of the response...
final Matcher matcher = Pattern.compile("([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})")
        .matcher(readLine);
if (matcher.find()) {
    group = matcher.group();
}
// ...and hash it: the MD5 digest of the IP address is the per-target RC4 key
final byte[] digest = MessageDigest.getInstance("MD5").digest(group.getBytes());
```

_Figure 7: Java applet retrieving and executing payload using per-connection specific information_

### Through clever social engineering, Zuponcic tricks many victims into running its malicious payload.

_2_ _How Big is Big? Some Botnet Statistics - https://www.abuse.ch/?p=3294_
_3_ _http://blog.Fox-IT.com/2013/12/19/not-quite-the-average-exploit-kit-zuponcic/_
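As an added example, not part of the report or of the loader's own code, this Python script shows how an incident responder can recover the JAR loader's payload from a captured sample once the victim's public IP address is known (from proxy logs, for instance): it repeats the IP extraction and MD5 step of the decompiled code in Figure 7 and RC4-decrypts the embedded blob. It assumes the RC4 key is the raw 16-byte MD5 digest the loader computes; the checkip response, the victim IP and the encrypted blob are constructed sample data, and carving the blob out of the JAR is left to the analyst.

```python
"""Recover a Zuponcic JAR-loader payload from the victim's public IP (added example)."""
import hashlib
import re

# Same dotted-quad pattern the decompiled loader applies to the checkip response.
IP_RE = re.compile(r"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})")


def extract_ip(checkip_response):
    """First dotted quad on the first line of the response, as the loader does it."""
    first_line = checkip_response.splitlines()[0] if checkip_response else ""
    m = IP_RE.search(first_line)
    return m.group(1) if m else ""


def derive_key(victim_ip):
    """Assumption: the RC4 key is the raw MD5 digest (16 bytes) of the IP string."""
    return hashlib.md5(victim_ip.encode("ascii")).digest()


def rc4(key, data):
    """Textbook RC4 (KSA then PRGA). Encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def recover_payload(victim_ip, encrypted_blob):
    """Decrypt the blob with the victim-specific key; report whether it looks like a PE file."""
    plain = rc4(derive_key(victim_ip), encrypted_blob)
    return plain, plain.startswith(b"MZ")


# Constructed sample data: a checkip-style response, and a fake payload encrypted
# under the key for that address so the recovery can be demonstrated offline.
SAMPLE_CHECKIP_RESPONSE = (
    "<html><head><title>Current IP Check</title></head>"
    "<body>Current IP Address: 198.51.100.23</body></html>"
)
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"constructed stand-in for the Ponmocup installer"
SAMPLE_BLOB = rc4(derive_key("198.51.100.23"), SAMPLE_PAYLOAD)


if __name__ == "__main__":
    ip = extract_ip(SAMPLE_CHECKIP_RESPONSE)
    payload, looks_like_pe = recover_payload(ip, SAMPLE_BLOB)
    print(ip, looks_like_pe, payload[:16])
```

Because the key is tied to the address the victim had at infection time, the same blob decrypts correctly only for that address; the `MZ` check is a cheap way to confirm the right address was used before spending time on the decrypted file.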
-----
## 5 Installation, persistence and functionality
This chapter describes the core components of Ponmocup, its method of installation, achieving persistence and its modular system of plug-ins aimed at providing a wide variety of functions on compromised systems.

### 5.1 The Ponmocup installer

The installer is responsible for persistently installing various Ponmocup components on a system. This paragraph focuses on components installed directly on disk. All other core components are stored encrypted in the registry. Without these, the initiator described in this chapter cannot function.

Depending on the privileges available to the installer, the initiator can either be installed in the system directory or in the Application Data directory. When run with administrative privileges, the initiator will be named after an existing file in the system directory, with 1–2 random characters appended. For example, a randomly selected legitimate file could be:

```
C:\Windows\System32\msg711.acm
```

and the Ponmocup initiator would be named:

```
C:\Windows\System32\msg711A.DLL
```

If stored in the system directory the file will have the R (Read-only), S (System) and H (Hidden) attributes set. The installer adds a scheduled task to start the initiator during system boot, with the privileges of NT AUTHORITY\SYSTEM:

```
C:\Windows\system32\runDLL32.exe "C:\Windows\system32\msg711A.DLL",ZBADQX
```

The extracted task definition shows the following principal settings (user account, run level and logon type):

```
System
HighestAvailable
InteractiveTokenOrPassword
```

Without administrative privileges the initiator is stored in the Application Data directory with a random name (6–10 characters) and initiated during system boot via a run-key in the registry.

### This effectively means that the core functionalities of Ponmocup are uniquely encrypted and stored in a unique location for every victim.
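As an added example (not from the report), this Python triage routine applies the installer's on-disk traits described above to a constructed System32 listing and a list of scheduled-task actions: a DLL whose name is an existing file's name with 1–2 characters appended, the R+S+H attribute combination, and a boot-time task launching the DLL through rundll32 with an export name. The listing entries (including a legitimate d3d10_1.dll/d3d10.dll pair) and the task strings other than the report's own rundll32 line are constructed.

```python
"""Triage a System32 listing and task actions for Ponmocup initiator traits (added example)."""
import re
from collections import defaultdict

# Constructed System32 listing as (file name, attribute letters) pairs, the way a
# forensic file-system listing or `dir /a` would present them.
SAMPLE_SYSTEM32 = [
    ("msg711.acm", "A"),
    ("msg711A.DLL", "RSH"),    # the report's example initiator name, with R+S+H set
    ("kernel32.dll", "A"),
    ("shell32.dll", "A"),
    ("d3d10.dll", "A"),
    ("d3d10_1.dll", "A"),      # legitimate pair that the naming heuristic alone will flag
    ("notepad.exe", "A"),
]

# Constructed task actions; the first one is the rundll32 command line quoted in the report.
SAMPLE_TASK_ACTIONS = [
    r'C:\Windows\system32\runDLL32.exe "C:\Windows\system32\msg711A.DLL",ZBADQX',
    r'C:\Windows\System32\rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL',
    r'%windir%\System32\cleanmgr.exe /autoclean',
]

RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?\s*,\s*(\S+)', re.IGNORECASE)


def dlls_started_by_tasks(task_actions):
    """Map lower-cased DLL file name -> export name for every rundll32-based task action."""
    started = {}
    for action in task_actions:
        m = RUNDLL_RE.search(action)
        if m:
            file_name = m.group(1).replace("/", "\\").rsplit("\\", 1)[-1]
            started[file_name.lower()] = m.group(2)
    return started


def shadowed_files(name, names_by_stem):
    """Files whose stem equals this file's stem minus its last 1 or 2 characters."""
    stem = name.rsplit(".", 1)[0].lower()
    for extra in (1, 2):
        base = stem[:-extra]
        if len(base) >= 3 and base in names_by_stem:
            originals = [n for n in names_by_stem[base] if n.lower() != name.lower()]
            if originals:
                return originals
    return []


def triage_system32(listing, task_actions):
    """Score every DLL on the three on-disk traits; a higher score means more of them co-occur."""
    names_by_stem = defaultdict(list)
    for file_name, _ in listing:
        names_by_stem[file_name.rsplit(".", 1)[0].lower()].append(file_name)
    started = dlls_started_by_tasks(task_actions)
    findings = []
    for file_name, attrs in listing:
        if not file_name.lower().endswith(".dll"):
            continue
        reasons = []
        originals = shadowed_files(file_name, names_by_stem)
        if originals:
            reasons.append("name is %s plus 1-2 characters" % ", ".join(originals))
        if {"R", "S", "H"} <= set(attrs.upper()):
            reasons.append("read-only, system and hidden attributes set")
        if file_name.lower() in started:
            reasons.append("loaded at boot by a scheduled task via rundll32 export %s"
                           % started[file_name.lower()])
        if reasons:
            findings.append({"file": file_name, "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["file"].lower()))


if __name__ == "__main__":
    for finding in triage_system32(SAMPLE_SYSTEM32, SAMPLE_TASK_ACTIONS):
        print(finding["score"], finding["file"], "; ".join(finding["reasons"]))
```

Each trait on its own produces noise (d3d10_1.dll is a real file that shadows d3d10.dll, and shell32.dll is routinely launched through rundll32), so the routine ranks by how many traits coincide rather than treating any one of them as a verdict; on a real image the listing would come from the mounted file system and the actions from the Task Scheduler XML.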
During installation some additional tasks are carried out
by the installer to ensure persistence. One of these tasks,
not often seen, is to delete all system restore points and
to disable the system restore option itself. To achieve this
###### Ponmocup makes use of two APIs from the srclient.DLL library; srclient.ResetSR and srclient.DisableSR. These APIs are not documented by Microsoft, which is one of
-----
|Col1|Col2|Col3|Col4|Col5|Col6|Col7|
|---|---|---|---|---|---|---|
|ks|||||||
||||||||
||||||||
###### Memory
**Loader**
Modified UPX
compressed dll
**Decrypt and load**
**main module and plug-ins**
**Main module** **Plug-ins**
Runs Execute
persistently specific tasks
###### Disk
**Scheduled task**
**Initiator**
Packed DLL,
stored on disk
**Allocate memory**
Allocate and transfer control
to new binary in memory
Starting the Ponmocup core is a three part process consisting of the DLL on disk (initiator), a custom UPX compressed DLL in memory (loader) and the payloads in registry (main module and plug-ins):
1 The initiator is started by the scheduled task or run key;
2 Once loaded into memory the initiator transfers control to a (modified) UPX compressed DLL;
3 This DLL acts as a loader for the main module and plug-ins.
The loader has the most important responsibilities in this process, as it has to find the main module and plug-ins, which are all encrypted and only stored in registry; both the encryption key and location are based on unique aspects of a victim’s machine. This effectively means that the core functionalities of Ponmocup are uniquely encrypted and stored in a unique location for every victim.
_Figure 8 (Registry panel): System information (VolumeSerialNumber, system directory and root directory creation times); Encrypted main module and plug-ins; Information storage (check-sums, configs, counters)._
_4_ _https://isc.sans.edu/forums/diary/Some+tricks+from+Confickers+bag/5830/_
_Figure 8: Overview of the process of loading Ponmocup_
the indicators that the operators have a thorough understanding of Windows internals, which displays a certain level of sophistication that is seen throughout the entire framework. One of these particular APIs (ResetSR) was also used by the Conficker worm[4].
5.2 Core functionality
The core of Ponmocup consists of the components installed on a victim’s machine by default. These mainly include the components responsible for starting the main module, but also include persistent plug-ins providing specific tasks for persistence purposes.
As shown in Figure 8, loading Ponmocup is a multi-step
process which is best broken down into three categories:
files on disk, activity in memory and the usage of stored
information in the Windows registry.
-----
The following unique information about the victim’s machine is used to base the encryption on:
- Date and time of the system directory creation
- Volume serial number of the root directory of the volume Ponmocup is installing on, retrieved through the GetVolumeInformation API
- Date and time of the System Volume Information directory creation
As can be seen in the code snippet below, these unique values are each XOR’d with their combined value, forming a 16-byte key which is used to encrypt the main module. For encryption a slightly modified version of the RC4 algorithm is used.
These values are used to uniquely generate the location of the main module and plug-ins in the Windows Registry. An example of what the registry keys might look like:
HKEY_CURRENT_USER\Software\wkcxjxlv\Wjtnpgzc
In this case the ‘Wjtnpgzc’ key stores the Ponmocup main module and persistent plug-ins. Once decrypted using the unique key, the value of this registry key is typically outlined as follows:
- Total size of decrypted content (first 4 bytes);
- Main module;
- Persistent plug-in(s).
Using this machine specific information the loader can find the location of the encrypted main module and plug-ins in the Windows Registry, decrypt their contents and execute the payloads. Before decrypting, these machine-specific values are verified against the checksums, which were stored in the registry during installation, to check if none of these values have changed. If these checks succeed, the decryption routine is started. After decryption the loader verifies the integrity of the decrypted content by comparing the CRC32 checksum of the result with the checksum of the content before it was stored in registry during installation. Once this final check succeeds, plug-ins stored in registry are executed and control is given to the main module, which can then initiate command and control traffic. If at any stage during this process a verification or integrity check fails, the Ponmocup execution process halts.
The main module and plug-ins can interact with each other using shared memory. This functionality is mainly used by plug-ins that only run if the main module is indeed actively running.
Both the main module and plug-ins use the registry to store configs, checksums or other relevant information storage such as counters or IDs. Information storage that may be helpful during a forensic investigation could, for example, be:
- Main PIN[5] ID
  - A PIN indicates a group of plug-ins which will be run on a victim’s machine at some point in time.
```
/* setup keys */
key_1[0] = tsys32dir.dwLowDateTime ^ tsys32dir.dwHighDateTime;
key_1[1] = dwVolumeSerial;
key_1[2] = tsysvolinfodir.dwLowDateTime ^ tsysvolinfodir.dwHighDateTime;
key_1[3] = key_1[2] + key_1[0] + key_1[1] - 0x6F6F6F70;
/* xor */
key_1[0] ^= key_1[3];
key_1[1] ^= key_1[3];
key_1[2] ^= key_1[3];
```
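The key derivation above, re-implemented in Python as an added example (not code from the Fox-IT report), for analysts who need to reproduce a victim's key from the three values collected on that machine. It assumes the two creation times are passed as 64-bit FILETIME integers and that the key is the four DWORDs key_1[0..3] packed little-endian; the modified RC4 that consumes the key is not described in the report and is not reproduced.

```python
# Added example, not code from the report: Python version of the key_1[] setup.
# Assumptions: creation times are 64-bit FILETIME integers; the 16-byte key is
# key_1[0..3] packed as little-endian DWORDs. Sample inputs below are constructed.
import struct

MASK32 = 0xFFFFFFFF
MAGIC = 0x6F6F6F70  # constant subtracted in the report's snippet


def filetime_words(filetime: int) -> tuple:
    """Split a 64-bit FILETIME into (dwLowDateTime, dwHighDateTime)."""
    return filetime & MASK32, (filetime >> 32) & MASK32


def derive_key_words(sys32_ctime: int, volume_serial: int, svi_ctime: int) -> tuple:
    """Return key_1[0..3] as the C snippet computes them, with 32-bit wrap-around.

    sys32_ctime   - creation FILETIME of the system directory (tsys32dir)
    volume_serial - DWORD from GetVolumeInformation (dwVolumeSerial)
    svi_ctime     - creation FILETIME of System Volume Information (tsysvolinfodir)
    """
    lo, hi = filetime_words(sys32_ctime)
    k0 = lo ^ hi
    k1 = volume_serial & MASK32
    lo, hi = filetime_words(svi_ctime)
    k2 = lo ^ hi
    # the "combined value"; unsigned 32-bit arithmetic wraps modulo 2**32
    k3 = (k2 + k0 + k1 - MAGIC) & MASK32
    # each of the three values is XOR'd with the combined value
    return (k0 ^ k3, k1 ^ k3, k2 ^ k3, k3)


def derive_key(sys32_ctime: int, volume_serial: int, svi_ctime: int) -> bytes:
    """16-byte key: key_1[0..3] packed as little-endian DWORDs (assumed layout)."""
    return struct.pack("<4I", *derive_key_words(sys32_ctime, volume_serial, svi_ctime))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real machine.
    key = derive_key((0x01D00000 << 32) | 0x12345678, 0xA1B2C3D4,
                     (0x01D00001 << 32) | 0x0000FFFF)
    print(key.hex())
```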
-----
  - Some of these plug-ins that belong to the PIN can be persistent, but some plug-ins might only be executed once. Knowing the PIN ID could help identify what type of tasks may have been executed on a victim’s machine.
  - If, for example, this value stores 0x4A39, the PIN ID is 19001. Please see the next paragraph for more detailed information.
- Run counter
  - The main module increases a counter in registry for every minute it’s been active.
  - If, for example, this value stores 0x0F, the main
The following paragraphs describe some of the more prominent plug-ins used in the Ponmocup framework. Plug-ins can either be present in memory only, or remain persistent by being stored and encrypted in the same registry key as the main module. Whether or not a plug-in remains persistent depends on the type of functionalities the plug-in provides. Once retrieved, a plug-in can make itself persistent by using the machine specific information, mentioned in chapter 5.2, to encrypt and append itself to the registry key which stores the main module and the other plug-ins. The quality of the plug-ins is thoroughly tested using specifically developed debug versions.
Identifying plug-ins is possible by analyzing their PE headers: at offset 0x20 a standard PE header contains a reserved word (WORD e_res[4]), of which e_res[3] is used by Ponmocup to store the ID of the corresponding plug-in. The version of the plug-in ID can be found 3 bytes further at WORD e_oemid.
In the example below, the PE header stores the value 0x044C (little-endian) in WORD e_res[3] and 0x0BBB (little-endian) in WORD e_oemid, resulting in plug-in ID ‘1100’ and version ‘3003’ (typically written as plug-in 1100.3003).
Table 2 provides an overview of the most important plug-ins, which are basically all DLLs given a unique iden
_5_ _The PIN number – a term used by the operators and of unknown origin – is one of the values stored in the registry._
```
00000000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00  MZ..............
00000010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
00000020  4c 04 00 00 bb 0b 00 00 00 00 00 00 00 00 00 00  L...............
00000030  00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00  ................
00000040  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68  ........!..L.!Th
00000050  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f  is program canno
00000060  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20  t be run in DOS 
00000070  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00  mode....$.......
00000080  50 45 00 00 4c 01 04 00 00 00 00 00 00 00 00 00  PE..L...........
```
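An added example (not code from the report) that reads the plug-in identifier and version out of a DLL's DOS header at the offsets visible in the hexdump above (little-endian WORD at 0x20 for the ID, WORD at 0x24 for the version) and flags images that carry such a tag. It assumes that these reserved words are zero in ordinary compiler output, and that a valid tag falls within the identifier range of the plug-in table in this report (1100 to 3101).

```python
# Added example, not code from the report: extract and triage the plug-in tag
# stored in the reserved area of the DOS header. Offsets follow the hexdump above.
import struct

ID_OFFSET = 0x20        # WORD holding the plug-in ID (0x044C = 1100 in the dump)
VERSION_OFFSET = 0x24   # WORD holding the version  (0x0BBB = 3003 in the dump)
PLUGIN_ID_RANGE = (1100, 3101)  # smallest and largest identifier in the report's table

# Constructed sample: the first 0x28 bytes of the header shown in the hexdump above.
SAMPLE_HEADER = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"  # 0x00: "MZ", e_cblp, e_cp, ...
    "b8000000000000004000000000000000"  # 0x10: ... e_lfarlc, e_ovno, e_res[0..1]
    "4c040000bb0b0000"                  # 0x20: ID word, 0x24: version word
)
# Constructed benign header: same prefix, reserved words left at zero.
BENIGN_HEADER = SAMPLE_HEADER[:ID_OFFSET] + bytes(8)


def plugin_id_version(image: bytes) -> tuple:
    """Return (plugin_id, version) read from the DOS header of a PE image."""
    if len(image) < VERSION_OFFSET + 2 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (plugin_id,) = struct.unpack_from("<H", image, ID_OFFSET)
    (version,) = struct.unpack_from("<H", image, VERSION_OFFSET)
    return plugin_id, version


def plugin_label(image: bytes) -> str:
    """Format the tag the way the report writes it, e.g. '1100.3003'."""
    plugin_id, version = plugin_id_version(image)
    return f"{plugin_id}.{version}"


def looks_tagged(image: bytes) -> bool:
    """Triage heuristic: non-zero version and an ID inside the observed range."""
    try:
        plugin_id, version = plugin_id_version(image)
    except ValueError:
        return False
    return version != 0 and PLUGIN_ID_RANGE[0] <= plugin_id <= PLUGIN_ID_RANGE[1]


def tagged_files(paths):
    """Yield (path, label) for on-disk files whose DOS header carries a tag."""
    for path in paths:
        with open(path, "rb") as fh:
            head = fh.read(0x40)
        if looks_tagged(head):
            yield path, plugin_label(head)


if __name__ == "__main__":
    print(plugin_label(SAMPLE_HEADER))  # 1100.3003
```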
-----
| Identifier | Name | Purpose | Versions |
|---|---|---|---|
| 1100 | new downloader | This plug-in is known as the main module of the Ponmocup framework. Retrieves and executes additional plug-ins. | 3003 |
| 1300 | history tool | Collects and exfiltrates browser history from all popular browsers. This plug-in is deprecated and its functionality is currently implemented in the 14XX plug-in range. | 6 |
| 1350 | avkill | Disables anti-virus related services that could potentially stop Ponmocup from functioning. | 104 |
| 1400 | decide | Retrieves browser history for all popular browsers, and checks if any URLs of interest to the operators were visited by the victim (only checked using a checksum). If this is the case these URLs are exfiltrated to a back-end server where this information is logged. This plug-in is only retrieved if the target is in one of the following countries of interest: Australia, Belgium, Canada, Switzerland, Germany, Denmark, Estonia, France, United Kingdom, Mexico, Netherlands, Norway, New Zealand, Portugal, Sweden, United States. | 135 |
| 1402 | decide_vkusnota[6] | Retrieves browser history for all popular browsers, and checks if any URLs of interest to the operators were visited by the victim (only checked using a checksum). If this is the case these URLs are exfiltrated to a back-end server where this information is logged. This plug-in is only retrieved if the target is in one of the following countries of interest: Australia, Canada, New Zealand, United States, United Kingdom. | 1 |
| 1403 | decide | Retrieves browser history for all popular browsers, and checks if any URLs of interest to the operators were visited by the victim (only checked using a checksum). If this is the case these URLs are exfiltrated to a back-end server where this information is logged. This plug-in is only retrieved if the target is in one of the following countries of interest: United States, United Kingdom. | 85 |
| 1507 | ppc [7] | Advertisement fraud plug-in. Plug-in can inject code into the processes of Chrome, Firefox and Internet Explorer. When certain keywords are detected, a victim can be redirected to an alternative page (taken from an encrypted config in the registry). This plug-in is specifically used for the PIN[8] 3xx, 160xx and 170xx ranges. | 587 |
| 1511 | ppc | Advertisement fraud plug-in. Plug-in can inject code into the processes of Chrome, Firefox and Internet Explorer. When certain keywords are detected, a victim can be redirected to an alternative page (taken from an encrypted config in the registry). This plug-in is specifically used for the PIN 150xx range. | 1 |
| 1512 | ppc | Advertisement fraud plug-in. Plug-in can inject code into the processes of Chrome, Firefox and Internet Explorer. When certain keywords are detected, a victim can be redirected to an alternative page (taken from an encrypted config in the registry). This plug-in is specifically used for the PIN 190xx range. | 26 |
| 16XX | socks | Precursor of the 18XX plug-in range, allowing the operators to connect to a victim directly; this connection is typically set up to a specific port opened in the Windows firewall. | 10 |
| 18XX | socks 2 | Precursor of the 25XX plug-in range, allowing the operators to connect to a victim directly; this connection is typically set up to a specific port opened in the Windows firewall. | 24 |
| 2500 | proxy | Used to directly connect to infected machines. To make sure machines behind a device providing network address translation (NAT) can still be reached individually, UPnP is used, and ports 1900 (UDP) and 2869 (TCP) are opened in the Windows firewall. | 9 |
| 2550 | proxy 2 | Similar to the other plug-ins in the 2500 range, this plug-in can be used to directly connect to infected machines. | 1 |
-----
| Identifier | Name | Purpose | Versions |
|---|---|---|---|
| 2600 | SIP scanner | Scans devices on the local subnet of the target for SIP (Session Initiation Protocol) agents and, if a SIP agent is present, exfiltrates information returned by the agent. | 7 |
| 2610 | router scanner | Scans the gateway IP address of the target for common ports used by routers, and exfiltrates basic information returned by the services running on these ports. | 3 |
| 2700 | FTPg | (1) Grabs and exfiltrates FTP and Bitcoin credentials and attempts to do so for every local user on the infected machine by bruteforcing the passwords of these accounts (using a list of commonly used passwords). (2) The specifically targeted FTP clients and Bitcoin wallets are similar to the list used by the infamous Pony Loader (2.0) Trojan [9]. (3) Stolen FTP credentials are mainly used to spread Ponmocup, with the delivery method described in chapter 4. | 3 |
| 2701 | FTPg_spec | (1) Grabs and exfiltrates FTP and Bitcoin credentials and attempts to do so for every local user on the infected machine by bruteforcing the passwords of these accounts (using a list of commonly used passwords). (2) The specifically targeted FTP clients and Bitcoin wallets are similar to the list used by the infamous Pony Loader (2.0) Trojan. (3) Stolen FTP credentials are primarily used to further spread Ponmocup, using the delivery method discussed in chapter 4. (4) The functionalities of this plug-in appear to be similar to plug-in #2700, but the operators are likely using this plug-in for special (spec) occasions. | 1 |
| 2750 | fbcookie | Grabs and exfiltrates stored Facebook credentials and cookies and attempts to do so for every local user on the infected machine by attempting to bruteforce these accounts using a list of commonly used passwords. Fox-IT has not yet observed abuse of these credentials on a large scale. It is therefore suspected that they may be used in the event of a significant loss in the number of victims, necessitating the introduction of a new spreading mechanism by the Ponmocup operators. | 16 |
| 2760 | sysinfo | Gathers extensive information about an infected machine, also scans for a long and diverse list of analysis and monitoring software. | 5 |
| 2810 | btcg | Grabs and exfiltrates generic and specific Bitcoin wallet data. Specifically targeted Bitcoin wallets: Multibit, Electrum. | 2 |
| 3101 | ppc | Most recently developed advertisement fraud plug-in, generates ad-fraud traffic to websites stored in a separate configs file in registry. | 34 |
_6_ _vkusnota is a Russian term to describe something tasty (though typically associated with food)_
_7_ _ppc is short for pay-per-click_
_8_ _For a description of the concept of PINs, see paragraph 5.2._
_9_ _[https://www.damballa.com/pony-loader-2-0-steals-credentials-bitcoin-wallets-source-code-sale/](https://www.damballa.com/pony-loader-2-0-steals-credentials-bitcoin-wallets-source-code-sale/)_
_Table 3: Overview of Ponmocup’s most important plug-ins_
-----
To efficiently distribute certain functionalities to a victim, plug-ins can be grouped into a so called ‘PIN’ as earlier mentioned. For example, the PIN that has been most actively used since June 2012 is identified as PIN 19001 and contains 10 unique plug-ins. The table below contains an overview of the most frequently used PINs and what plug-ins they are comprised of:
| PIN | Plug-ins |
|---|---|
| 15001 | 1511, 1600, 2500, 2700, 2810 |
…investment websites, accounting websites and websites used to store personal information, which are used for intelligence purposes (for example law enforcement software or online insurance websites). An example of such keywords recovered by Fox-IT is shown in the snippet below. In total Fox-IT has identified 214 unique keywords; APPENDIX I contains the full list of recovered keywords.
The goal of this plug-in is clear: identifying targets of interest based on their browsing behavior.
Through analysis of three specific versions of the decide plug-in, Fox-IT has identified what countries were targeted by this plug-in at certain moments in time, shown in Figure 9:
- 2009–2010: Australia, Belgium, Canada, Switzerland, Germany, Denmark, Estonia, France, United Kingdom, Mexico, Netherlands, Norway, New Zealand, Portugal, Sweden, United States
- 2010–2011: Australia, Canada, New Zealand, United
| PIN | Plug-ins |
|---|---|
| 16002 | 1507, 1600, 2500, 2700, 2810 |
| 17001 | 1507, 1600, 2500, 2700, 2810 |
| 17002 | 1507, 1600, 2500, 2700, 2810 |
| 19001 | 1350, 1403, 1512, 2500, 2600, 2610, 2700, 2701, 2750, 2810 |
| 19002 | 1350, 1403, 1512, 2550, 2610, 2700, 2760, 2810 |
| 19010 | 1350, 1403, 1512, 2500, 2610, 2700, 2810 |
_Table 4: Overview of Ponmocup’s most commonly used PINs_
5.3.1 Plug-ins #14xx range – decide: finding interesting targets
```
=0x01d405fc keyword=dmv.org>
=0x0167da70 keyword=drivingrecords.com>
=0x023605bb keyword=geico.com>
=0x00fe800a keyword=lppolice.com>
=0x058533bc keyword=businessonline.huntington.com/>
=0x02247d64 keyword=bbva.es>
```
-----
5.3.2 Plug-in #2600 – SIP scanner: collecting information on SIP gateways
This plug-in attempts to identify SIP gateways on the local subnet of a victim. SIP, the Session Initiation Protocol, is a communications protocol used to set up and connect communication sessions, typically for voice and video calls. In the example below the plug-in identifies that the gateway IP 10.0.0.1 is running an Asterisk server, a software implementation of a telephone private branch exchange (PBX) which can be used to set up VoIP connections.
```
00:00:00.000 ---if---flags=[UP,BROADCAST,,,MULTICAST]---addr=[10.0.0.13]---mask=[255.255.255.0]--bcast=[255.255.255.255]--
00:00:05.000 ---range---start=[10.0.0.0]---end=[10.0.0.254]---self=[0]--
00:00:05.000 ---ip_count=[254]---d_avr_ms=[78]---d_min_ms=[3]---d_max_ms=[153]--t_est_sec=[178]--
00:02:11.562 ---send_error---code=[10049]---to=[10.0.0.0:5060]--
00:02:17.281 ---known---src=[10.0.0.13]---dst=[10.0.0.1:5060]--
00:02:17.281 ---pre---begin---from=[10.0.0.1:5060]---len=[502]---crc=[4d2d01bc]--
SIP/2.0 404 Not Found
Via: SIP/2.0/UDP 10.0.0.13:5060;branch=z9hG4bK4eb9c9fb;received=10.0.0.13;rport=5060
From: "Unknown" ;tag=e6eaecf352f8f49ab25dcec3eba0461664bc3d70f6
To: "Unknown" ;tag=as7afdf3b5
Call-ID: df356de4463be948e998593728fd0d69@10.0.0.13
CSeq: 102 OPTIONS
Server: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Accept: application/sdp
Content-Length: 0
00:02:17.281 ---pre---end--
```
This browser history is collected for the plug-in to check its content against specific keywords of interest to the Ponmocup operators.
-----
The plug-in then attempts to retrieve more information on the type of SIP gateway running on this IP address by sending an OPTIONS and a REGISTER request; an example of an OPTIONS request:
```
00:03:15.750 ---SIP_scan_id---idx=[0]---scan_idx=[0]---pkt_type=[0]---sock_type=[0]---src=[10.0.0.13]--dst=[10.0.0.1:5060]--
00:03:15.750 ---send-begin---len=[556]--
OPTIONS SIP:109@10.0.0.1:5060 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.13:5060;branch=z9hG4bKcac70ed4
Max-Forwards: 70
From: “Unknown” ;tag=b899892894cb3bdc261a57219952fb0a26dea3e1cc
To:
Contact:
Call-ID: 6d070c9e641bff4fb90c47f66806d6d6@10.0.0.13:5060
CSeq: 102 OPTIONS
User-Agent: Zoiper for Windows rev.1812
Date: Sat, 06 Jun 2015 12:13:12 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0
00:03:15.750 ---send-end---
```
The responses are summarized at the end of the log file and a CRC32 checksum is calculated over the content. In the example
below the summary indicates that the response to request ID 3021 returned a 401 response:
```
00:07:27.859 ---type=[1]---code=[401]---stamp=[fbd1e9ad]---count=[155]---id=[3021,3002,300,4017,4026,4004,303,3001,2021,1019,103,3004,2019,3015,3014,2007,107,2010,106,4021,4030,104,2027,4011,3030,3027,1009,4019,3006,205,2001,1007,2022,301,3005,4020,1025,309,3003,1000,3010,3012,4008,4027,4003,2025,3029,1014,1030,2016,4022,2030,2028,207,1006,2018,4010,1011,1021,3028,4029,1002,210,2002,3024,4014,4025,2006,108,4005,307,3026,304,3025,105,1004,2013,3018,109,204,4023,102,1001,3019,4001,1022,2023,4012,310,4007,3011,1027,4028,1012,1010,1028,4009,1018,4015,2026,4006,2003,1008,1015,4000,2015,308,3013,1017,202,2029,209,110,1005,1024,4002,1003,2009,1016,4024,2000,2012,200,206,1029,3017,306,2011,1026,3016,2008,4016,201,302,4013,2005,3008,4018,2004,3022,1020,2024,3023,2017,2020,3009,2014,1023,1013,208,3000,3007,3020,305,203]---
00:07:27.859 ---crc=[424761fc]---
```
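An added example (not code from the report) for triaging an exfiltrated scan log of this kind: it parses the plug-in's `---key=[value]---` records, pulls the SIP message captured between a begin and end record out into headers, and reads the end-of-log summary into a response-code to request-ID map. The same record format appears in the router scan (plug-in #2610) log in the next section, so the record parser applies there too; the log excerpt embedded below is assembled from the lines quoted in this section, and the summary line is shortened.

```python
# Added example, not code from the report: parser for the scanner's log format.
# Assumptions: records start with HH:MM:SS.mmm; tokens are separated by two or
# more dashes; field values contain no "--". SAMPLE_LOG is a constructed excerpt.
import re
from typing import Dict, List

RECORD_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}) (-.*)$")
FIELD_RE = re.compile(r"^(\w+)=\[(.*)\]$")

SAMPLE_LOG = """\
00:00:00.000 ---if---flags=[UP,BROADCAST,,,MULTICAST]---addr=[10.0.0.13]---mask=[255.255.255.0]--bcast=[255.255.255.255]--
00:02:17.281 ---known---src=[10.0.0.13]---dst=[10.0.0.1:5060]--
00:02:17.281 ---pre---begin---from=[10.0.0.1:5060]---len=[502]---crc=[4d2d01bc]--
SIP/2.0 404 Not Found
Via: SIP/2.0/UDP 10.0.0.13:5060;branch=z9hG4bK4eb9c9fb;received=10.0.0.13;rport=5060
CSeq: 102 OPTIONS
Server: Asterisk PBX
Content-Length: 0
00:02:17.281 ---pre---end--
00:07:27.859 ---type=[1]---code=[401]---stamp=[fbd1e9ad]---count=[3]---id=[3021,3002,300]---
"""


def parse_tokens(rest: str):
    """Split '---a---k=[v]--' into a flag list and a field dict."""
    flags, fields = [], {}
    for tok in re.split(r"-{2,}", rest):
        if not tok:
            continue
        m = FIELD_RE.match(tok)
        if m:
            fields[m.group(1)] = m.group(2)
        else:
            flags.append(tok)
    return flags, fields


def parse_sip(lines: List[str]) -> Dict:
    """Minimal SIP parse: status line (response) or request line, then headers."""
    msg = {"status": None, "reason": None, "method": None, "headers": {}}
    if not lines:
        return msg
    first = lines[0].split(" ", 2)
    if first[0].startswith("SIP/"):          # e.g. "SIP/2.0 404 Not Found"
        msg["status"] = int(first[1])
        msg["reason"] = first[2] if len(first) > 2 else ""
    else:                                    # e.g. "OPTIONS SIP:... SIP/2.0"
        msg["method"] = first[0]
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            msg["headers"][name.strip().lower()] = value.strip()
    return msg


def parse_scan_log(text: str) -> List[Dict]:
    """Turn the log into records; a begin/end pair gets its SIP message attached."""
    records, open_rec = [], None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            if open_rec is not None:         # payload line inside begin ... end
                open_rec["raw"].append(line)
            continue
        flags, fields = parse_tokens(m.group(2))
        rec = {"time": m.group(1), "flags": flags, "fields": fields}
        if any(f.endswith("begin") for f in flags):
            rec["raw"] = []
            open_rec = rec
        elif any(f.endswith("end") for f in flags) and open_rec is not None:
            open_rec["message"] = parse_sip(open_rec.pop("raw"))
            open_rec = None
        records.append(rec)
    return records


def sip_responders(records: List[Dict]) -> List[tuple]:
    """(host:port, status, Server header) for every captured SIP response."""
    out = []
    for rec in records:
        msg = rec.get("message")
        if msg and msg["status"] is not None:
            out.append((rec["fields"].get("from"), msg["status"],
                        msg["headers"].get("server")))
    return out


def summary_by_code(records: List[Dict]) -> Dict[int, List[int]]:
    """Map response code -> request IDs from the end-of-log summary records."""
    out = {}
    for rec in records:
        f = rec["fields"]
        if "code" in f and "id" in f:
            out[int(f["code"])] = [int(x) for x in f["id"].split(",") if x]
    return out


if __name__ == "__main__":
    recs = parse_scan_log(SAMPLE_LOG)
    print(sip_responders(recs), summary_by_code(recs))
```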
-----
_Figure 9: Overview of countries targeted by Ponmocup’s decide plug-in (map panels: 2009 – 2010, 2010 – 2011, 2012 – 2015)_
All the discovered information is then encrypted and exfiltrated to a dedicated plug-in proxy, and stored in the back-end, where the operators can query the data for information of interest.
Because the processing of this data happens on back-end servers, Fox-IT does not know the exact purpose of harvesting this type of information. Having access to SIP gateways could be useful for VoIP fraud, but would also allow for the interception of voice/video communication.
In total Fox-IT has identified 25 plug-ins with unique identifiers; among them they share more than 4000 different versions, indicating this framework is under continuous development.
-----
5.3.3 Plug-in #2610 – router scan: collecting router information
This plug-in identifies what gateway IP the victim’s machine uses (for example 10.0.0.1) and then attempts to identify if, on that gateway, any services respond on the following ports:
- 22 (SSH)
- 23 (Telnet)
- 80 (HTTP)
- 443 (HTTPS)
- 8080 (Alternative HTTP port, often used by proxies)
Using an example of a typical router with an example gateway IP, this plug-in would exfiltrate the following information:
_Log excerpt: scan_start and adapter enumeration records (AMD PCNET Family PCI Ethernet-adapter, IP address 10.0.0.13, mask 255.255.255.0, gateway 10.0.0.1, DHCP server 10.0.0.1), followed by an HTTP request for / on 10.0.0.1 answered with code 200 and a 113-byte HTML reply._
-----
Additionally the plug-in will attempt to access the webserver on port 80 via the /admin URL, and exfiltrates the server’s response. In the example below the /admin URL does not exist:
```
00:00:43.063 ---myhttp_start---server=[10.0.0.1]---url=[/admin]--
00:00:58.063 ---connect_error=[14]--
00:00:58.063 ---myhttp_end--
00:00:58.063 ---telnet_start---addr=[10.0.0.1:23]--
00:01:13.063 ---connect_error=[14]--
00:01:13.063 ---telnet_end--
00:01:19.172 ---discover_ok--
00:01:19.172 ---devcount=[1]--
00:01:19.188 ---valid_igd=[http://10.0.0.1:80/WANIPConnection]--
00:01:19.188 ---addr=[10.0.0.19]--
00:01:19.188 ---ext_ip=[0.0.0.0]--
00:01:19.188 ---time1=[1445467515]--
00:01:19.188 ---gtc1=[1573203]--
00:01:19.188 ---scan_end--
00:01:53.000 ---crc=[3aea52f2]--
```
execute it with system privileges on unpatched Windows machines. This effectively made Ponmocup a worm and the number of infected machines increased significantly. However, when a Windows system was patched for the vulnerability, the payload would not be written to the system directory, but instead to the default print spooler folder; the directory used by Windows to queue printer jobs. The print spooler service then saw the Ponmocup binary as a print job, and continued to send it to the printer, which then carried on to print the binary. Because the exploit is attempted multiple times, the printers usually just kept on printing, until they ran out of either paper or ink.
Once companies all over the world started complaining about their printers printing what was presumably ‘garbage data’, the story was soon picked up by the media, something the Ponmocup operators picked up on as well, as the plug-in was removed the very next day. To avoid even more attention the plug-in was removed from the default plug-in list and was never re-used as a separate plug-in again.
_10_ _https://support.microsoft._
_com/en-us/kb/2347290_
_11_ _http://www.symantec.com/_
_connect/blogs/printer-_
_madness-w32printlove-video_
###### Because the processing of this data happens on
back-end servers, Fox-IT does not know the exact purpose
of harvesting this type of information. Storing informa
tion on router devices could help in further propagating
Ponmocup through the local network, but could also aid
in identifying interesting targets.
5.3.4 Plug-in for MS10-061 vulnerability: lateral
movement
12 June 2012, the day of the renewed Ponmocup release:
a plug-in containing an exploit for the vulnerability in the
Microsoft print spooler service [10], first used as a zero-day
###### by Stuxnet two years earlier, is added to the group of
plug-ins that are pushed to every newly infected machine,
a move the operators would soon come to regret.
###### By impersonating the print spooler service Ponmocup could move its payload into the system directory and
-----
## 6 Command and control traffic
All Ponmocup components that can communicate with command and control servers contain hardcoded domains. These domains are not command and control servers and are not used to send data to, but are merely used to calculate the IP addresses of the actual command and control servers.
To achieve this, Ponmocup resolves the hardcoded domain and converts the returned IP into a 32-bit value. It then takes the CRC32 checksum of the domain name and XORs these two values with each other, recovering the real command and control IP address.
This is visualized in Figure 11. In that example the main module contains the hardcoded domain ‘claimsreference.net’. As this domain has no direct relation to any actual Ponmocup infrastructure, this is a clever method of hiding the real command and control servers from prying eyes.
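To make the calculation concrete, the Python below is an added example (not Fox-IT's tooling and not Ponmocup's own code) that implements the XOR of the resolved address with the CRC32 of the hardcoded domain exactly as described above, in both directions: the same call turns a real C&C address into the decoy address the operators must publish in DNS, and the decoy back into the real address. The resolved address 10.1.2.3 is constructed; the report does not state which CRC-32 variant is used nor whether the four address bytes are read in network or x86 DWORD order, so the standard IEEE/zlib CRC and big-endian packing are assumptions, and the `little_endian` switch is there to try the other byte order against real samples.

```python
import zlib
from ipaddress import IPv4Address


def domain_crc32(domain: str) -> int:
    """CRC32 of the hardcoded domain; the standard IEEE/zlib CRC-32 is assumed."""
    return zlib.crc32(domain.encode("ascii")) & 0xFFFFFFFF


def ip_to_int(ip: str, little_endian: bool = False) -> int:
    """Pack a dotted quad into a 32-bit integer. Network order by default;
    little_endian=True reads the four bytes the way an x86 DWORD load would."""
    raw = IPv4Address(ip).packed
    return int.from_bytes(raw, "little" if little_endian else "big")


def int_to_ip(value: int, little_endian: bool = False) -> str:
    raw = (value & 0xFFFFFFFF).to_bytes(4, "little" if little_endian else "big")
    return str(IPv4Address(raw))


def calc_c2_ip(domain: str, resolved_ip: str, little_endian: bool = False) -> str:
    """Real C&C address = (address the decoy domain resolves to) XOR CRC32(domain).
    XOR is its own inverse, so calling this on the real address yields the decoy."""
    mixed = ip_to_int(resolved_ip, little_endian) ^ domain_crc32(domain)
    return int_to_ip(mixed, little_endian)


def candidate_c2_ips(domains, resolving_ips, little_endian=False):
    """Defender-side pivot: for every (domain, observed resolution) pair derive the
    address a bot actually contacts, to be matched against proxy or firewall logs
    where the decoy domains themselves never appear."""
    return {
        (domain, ip): calc_c2_ip(domain, ip, little_endian)
        for domain, ip in zip(domains, resolving_ips)
    }


if __name__ == "__main__":
    # Constructed sample: a domain from the report with a made-up resolution.
    decoy_domain = "claimsreference.net"
    observed = "10.1.2.3"
    real = calc_c2_ip(decoy_domain, observed)
    print(f"{decoy_domain} resolves to {observed}; bots contact {real}")
    # Applying the transform again recovers the published decoy address.
    assert calc_c2_ip(decoy_domain, real) == observed
```

Because the mapping is a fixed XOR, a single confirmed pair (one decoy resolution plus one observed check-in address) settles the byte-order question for all other domains of the same component.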
Additionally, to avoid detection by intrusion detection and prevention systems, the operators behind Ponmocup have put a lot of effort into hiding its command and control traffic:
- Command and control traffic only occurs once or twice every two days, at random times.
- URLs are randomly assembled from a combination of two lists, both containing 50+ unique paths which are commonly used by legitimate websites.
- A command and control server typically returns a “404 Not Found” HTTP response to make it seem as if the page does not exist and isn’t accepting any data.
- Data is RC4 encrypted, but the key is generated differently per component.
- The encrypted data is stored in the ‘Cookie’ header.
- Data is serialized into multiple fields; each cookie name is randomly chosen from a list of 177 keywords which are commonly used by legitimate websites.
- Storing data in the Cookie header using popular cookie keywords is a technique that Fox-IT also observed in the highly sophisticated Regin framework.
- Domains used to calculate the command and control IP only use common TLDs (.net, .com, .org).
- Plug-ins use separate proxies and back-ends to which they log exfiltrated data.
6.1 **Installer communication**
The installer makes use of one hardcoded domain which is only used during installation. By using a domain for installation purposes only, the other domains used for command and control traffic won’t be discovered as easily. This also means that taking down this domain would not impact the current botnet size, but only cause a minor hiccup in newly infected machines being able to talk back to the Ponmocup backend. This installation domain has only been changed a couple of times; ‘fasternation.net’ has been the static installation domain since 2012.
Data is RC4 encrypted using a random 16-byte key and encoded with a custom base64 table.
Before base64 encoding, Ponmocup first places the RC4 key in front of the data, calculates the CRC32 of the data and places this value at the end of the data. After decryption, every block of data has the CRC32 value of that block at the end (last 4 bytes) [15].
A typical Ponmocup check-in would look something like this (the cookie value is cut off where the extracted text became unrecoverable):
```
Cookie: uid=referringpath=0tMNPEubad4AlBaw4aZNqYj-PphJ-NmKteiILceVXJAwJ88VdDXdzjTq2zhM2HZ5kR_c_3i111MXafapXw-DLKkSER58Th1CP; ARSiteUser=server=UiZgtrfSoQ5zfIjHnd88G_iU4Nw thepoint=czAc0MvfrFF3sVd2vehRHAo1ZASIGD3a1PCoidT0IKjiPkjNIiZ6XAkSGH0O4oXStZfojpjcSR-46IJja-cK7N9meCk1im6xTB1ocayDmoTv8KAVlOQ0o7IWRx2ffWe6shtDPjYhYUwgTRHtFTN5_yF0T72wfLj7dfD3n1mOOCD6u-VZbjxr0USzySQjVPEIj6CxfGcvD1nzwvX2I8r6id5EAnuVmw9wrRGPrsYgkvvrn-PW_7JyEqfp7h7WjlgSuYmciCO43vKuL9VR84BS[...]
```
_Table 5: Common fields stored in the Cookie header during command and control traffic (table extraction-damaged; only these fragments of the field descriptions are recoverable):_
- ... of the following fields: at least one PIN is pushed to the machine
- ... victim machine thus far
- ... of the default PIN
- ... administrative privileges?
- ... service?
- ... of the anti-virtualization checks
- ... information such as the usage of a proxy
- ... enabled?
- ...ation date of the system directory
- ...ation date of the System Volume Information directory
- System Volume Number
- ... used to calculate a proxy IP, including their CRC32 checksums
6.2 Main module communication
For continuous communication four hardcoded domains are, again, used to calculate the IP of the command and control server. Ponmocup resolves two domains at a time: the first calculated IP is used to send data to, the second is resolved as a back-up in case the first IP cannot be reached. To prevent the botnet from being taken down, two of the four hardcoded domains are changed periodically [12] by updating the main module, as shown in Figure 12. By regularly rotating these domains for the past 4 years, all the Ponmocup bots are now load balanced between more than 10 domains.
To take down the botnet, one would have had to analyze every Ponmocup payload, at intervals of 2–6 months, for 4 years straight; a time-consuming task given the complexity of the malware.
The encryption routine used by the main module for command and control traffic is identical to the installer’s.
_Figure 12: Separation of domains per payload. Payload A and Payload B each carry four hardcoded domains: one payload carries branean.com, citiesorders.com, directiculture.com and enckfeld.net, the other claimsreference.net, directlyvast.com, directiculture.com and enckfeld.net; directiculture.com and enckfeld.net are shared, the other two differ per payload._
6.3 Plug-in communication
Plug-ins capable of communicating with command and control servers use dedicated domains from which the IP addresses of proxies are calculated; these proxies log to separate back-end servers.
Although all plug-ins RC4 encrypt (exfiltrated) data, the RC4 key can differ. The Cookie header is still used by plug-ins to exfiltrate basic information such as counters or checksums, but the exfiltration of larger data is done via (encrypted) POST requests.
_12_ _In most cases we’ve observed domains rotating in intervals of 3–6 months._
## 7 Anti-analysis techniques
One of the reasons Ponmocup has been able to stay under the radar for as long as it has is related to the different methods the malware uses to thwart analysis attempts.
By specifically and heuristically checking for network and host based analysis tools, debuggers and virtualized environments, and then delivering a fake payload, the operators aim to prevent their malware from being detected by the security industry.
7.1 **Checks for signs of analysis**
Ponmocup’s anti-analysis checks are performed during installation, but most Ponmocup components perform anti-analysis checks separately as well. The main module, for example, performs anti-analysis checks every time a victim’s machine is rebooted, and plug-ins perform similar checks individually when they are executed. Table 6 lists a number of anti-analysis checks, some of which are less common.
_Figure 13: How the analysis flag decides between_
_the installation of the real or fake malware_
7.2 **Delivery of fake payload**
If one of the anti-analysis checks triggers, implying an attempt to analyze the malware, a flag is set and Ponmocup goes on to use one of its most clever tricks: delivery of a fake payload, as explained in Figure 13.
Where typical malware employing anti-analysis immediately exits if it is being analyzed, Ponmocup installs SanctionedMedia, a pay-per-install software bundle which merely injects advertisements into web pages and is commonly classified as adware. Because an analyst still observes an actual payload being dropped, the fake malware sample will often be analyzed. As this fake payload does nothing more than inject advertisements and is relatively easy to remove, it will generally not be of much interest to analysts or anti-virus companies. This fake payload is a simple, yet highly effective, disguise for a payload that poses a far more serious threat.
The fake payload is also installed onto a system in a far more obvious manner than the real payload, appearing in the process list as an exe whose name is derived from a random file in the system directory with 2–3 random characters appended, with the file description ‘RecSave’, product name ‘MyPCProtect’ and original file name ‘Smad.exe’. This payload is written in .NET, as opposed to the C++ used in the actual Ponmocup framework.
_Figure 14: Homepage of SanctionedMedia.com, the fake payload used as a disguise by Ponmocup_
| Evasion method | Applicable to |
|---|---|
| Blacklisted usernames | Currentuser, Sandbox, Honey, Vmware, Nepenthes, Snort, Andy, roo |
| Blacklisted computer names (Anubis) | TU-4NH09SMCG1HC, InsideTm |
| Blacklisted processes | vmware, vmount2, vmusrvc, vmsrvc, VBoxService, vboxtray, xenservice, joeboxserver, joeboxcontrol, wireshark, sniff_hit, sysAnalyzer, filemon, procexp, procmon, regmon, autoruns, atcp2log., awpta., EHSniffer., HTTP Sniffer, EtherD., geturl., HttpAnalyzer, InjectWinSock, HTTPDebugger |
| Blacklisted services | vmicheartbeat, vmicvss, vmicshutdown, vmicexchange, vmci, vmdebug, vmmouse, VMTools, VMMEMCTL, vmware, vmx86, vpcbus, vpc-s3, vpcuhub, msvmmouf, VBoxMouse, VBoxGuest, VBoxSF, xenevtchn, xennet, xennet6, xensvc, xenvdb |
| Blacklisted drivers | hgfs.sys, vmhgfs.sys, prleth.sys, prlfs.sys, prlmouse.sys, prlvideo.sys, prl_pv32.sys, vpc-s3.sys, vmsrvc.sys, vmx86.sys, vmnet.sys |
| Blacklisted Product IDs related to sandboxes | Anubis (76487-337-8429955-22614), Joe Box (55274-640-2673064-23950), CWSandbox (76487-644-3177037-23510) |
| Installed software names in registry | Hyper-V, VirtualMachine |
| Hardware description | Vbox |
| VMware guest-to-host communication channel | A check done by executing the x86 `IN` instruction with the magic value 0x564D5868 (‘VMXh’) to reach the VMware I/O port |
| Screen resolution, colour depth (number of colours in a single pixel) and additional monitor checks | Virtual environments often lack an actual monitor/screen or have a default resolution (e.g. 800x600) |
| Number of recently opened documents | A registry check whether the machine has opened at least 10 files |
| Number of URLs in browser history | A registry check whether there are at least 10 URLs in the browser history |
| Installed software | A registry check whether at least one software package has been installed |
| Mouse movement | Consecutive calls to the ‘GetCursorPos’ API to determine whether the victim is moving the mouse |
| Banned system fingerprint | |
| Banned IP | |

_Table 6: List of evasion methods_
If Ponmocup catches an analyst, the fingerprint of the system will immediately be blacklisted, after which this specific fingerprint and the corresponding IP can never get infected with the malware again.
Ponmocup blacklists more than 1,000 IP ranges. Some of these ranges have been put on this blacklist preemptively and some have been blacklisted because they were observed analyzing the malware. The IP ranges on this blacklist belong to anti-virus and threat intelligence companies as well as large banks in various countries.
## Appendix I
###### Targeted keywords
The following is a list of keywords that the operators of Ponmocup deemed interesting. The keywords are used by the 14XX plug-in range (decide), as explained in paragraph 5.3.1.
```
achCreate
/bb/logon
/bbw/
/business/login
/business/online/
/BusinessAppsHome.faces
/cb/servlet/cb/
/clkccm/
/cmachid.r
/cmserver/
/cmwire
/Common/Admin
/createWire
/cs70_banking/
/customerlink/
/direct.bankofamerica.com
/ebc_ebc1961/
/fxim
/hbcash.exe/
/ibcorporate
/IBWS/
/icm1/
/icm2/
/inets/
/onlineserv/cm/
/phcp/servlet/
/RsaGoIdAuthentication.aspx
/sbuser/
/wcmfd/wcmpw/
/webcm/
/wire/confirm
/wireapproval
/wireinitiation
/wireManager
/wiretransaction
/WireTransfer
access.jpmorgan.com
adminamps.53.com
advisorchannel.com
ameritrade.com
bancoherrero.com
bankatlantic.web-cashplus.com
bankbahamasonline.com
bankinter.com
bankline.natwest.com
bankline.rbs.com
bankline.ulsterbank.co.uk
banklink.com
bankofamerica.com/smallbusiness
banqueprivee1818.com
bbva.es
bbvanetoffice.com
bbw/LogonStateMachineServlet.mibs
blilk.com
boursedirect.fr
boursorama.com
business.co-operativebank.co.uk
business.hsbc.co.uk
business.netbankerplus.com
business.santander.co.uk
businessaccess.citibank.citigroup.com
businessbanking.
businessclassonline.
business-eb.ibanking-services.com
businessonline.
businessonline.huntington.com/
businessportal.mibank.com
bxs.com
caixacatalunya.com
caixacatalunya.es
cajacanarias.es
cajamar.es
CashMgmt
cashmgt
cashmgt.firsttennessee.biz/
Cashplus
cashproonline.bankofamerica.com
cmbnv.com
cmol.bbt.com
cmserver/login_validate.cfm
commercial.hsbc.com.hk
commercial.wamu.com
Compassconnect.compassbank.com
cortalconsors.fr
credentialdirect.com
deutsche-bank.es
direct.53.com/logon53Direct.jsp
directnet.com
dmv
dmv.org
drivingrecords.com
ebanking-services.com
enternetbank.com/exact4web/
eregal.com
etrade.com
exact4web
express.53.com
fast-trade.com
fortuneo.fr
fundsxpress.com
fxpayments.americanexpress.com
geico.com
goldleafach.com
gpsmoneymanager
hnnconhsvraps01
home1.cybusinessonline.co.uk
infoplus.
inteligator.com
internetbanking.unfcu.org
invest.ameritrade.com
itreasury.regions.com/phcp/servlet/CustomerLoginServlet
lcl.fr
libertymutualbusinessdirect.com
linebourse.fr
lloydslink.online.lloydsbank.com
logincm.aspx
lppolice.com
metrobankdirect.com/corporate.asp
mfasa.chase.com
mybusinessbank.co.uk
myvirtualmerchant.com
nordnet.lu
nordnet.no
nordnet.se
nwolb.com
olb.ent.com
online.citibank.com
online-business.bankofscotland.co.uk
PassmarkSignIn.faces
pcsbanking.net
pcs-sd.net
phxrs-opera
quickbooks.com
rbcdain.automatedfinancial.com
rbsdigital.com
risk.nexis.com
sabadellatlantico.com
safe.bankofamerica.com
sanostra.es
scotiaitrade.com
secure.bankofamerica.com
selfbank.es
siebertnet.com
singlepoint.usbank.com
sitekey.bankofamerica.com
sitibusiness.citibank.com
srvc1.jpmorgan.com
srvc2.jpmorgan.com
ss2.experian.com
streetscape.com
svbconnect.com
tioexpress.com
trade.loginandtrade.com
trademonster.com
treas-mgt.frostbank.com
treasury.pncbank.com
treasurypathways.com
ulsterbank.co.uk
ulsterbankanytimebanking.co.uk
us.etrade.com
usaa.com
wblnk
wcmfd/wcmpw
web2.westlaw.com
web-access.com
webach
webcmpr.
webinfocus.
webinfocus.mandtbank.com
weblink.websterbank.com
websteronline.com
wellsoffice.wellsfargo.com
whitneybusinessnetwork.whitneybank.com
www.signatureny.web-access.com
www.treasury.pncbank.com
www2.citizensbankmoneymanagergps.com
www8.comerica.com
```
## Appendix II
###### Network based indicators of compromise
**Domains**
The following domains appear hardcoded in Ponmocup instances and are used for C&C IP calculation, as described in paragraph 6.1.
```
abccornet.com
adertisecorp.com
affilipcorp.com
anexcorp.org
britishfederal.org
changinessmen.com
claimsreference.net
clickoptimiser.net
contentdeliveryorg.net
contextexpert.org
continuatu.com
culminaccessful.com
cybernan.net
defenciclovis.com
descriptioned.com
detroportans.com
directiculture.com
directlyvast.com
dogmationation.com
dynodns.org
enckfeld.net
familyinteresting.com
fasternation.net
freewayreg.com
headedpicked.com
headedpicked.net
highlytraditional.org
himmeding.com
howeveraged.net
hydroelection.net
illegedly.com
imagesharehost.com
leadwriting.com
meetinglimited.com
netdiscovery.org
picasootoolbar.com
piclbumestream.com
postdone.com
ratilovskoye.com
recising.com
searchforthat.net
sectionsfear.com
separtila.com
standardbay.net
streamingadv.com
ternations.com
thomaslaid.net
traffictradexpert.com
twicecitizens.com
veristats.net
virtualsearches.com
workerssan.net
yaltimate.com
```
**Resolving IPs**
The following IPs are pointed to by the hardcoded domains listed above, as explained in chapter 6. The table was damaged in extraction; the addresses below were reassembled from its fragments and the domain-to-IP pairing follows the row order of that table.

| Domain | Resolving IP |
|---|---|
| abccornet.com | 109.74.195.149 |
| adertisecorp.com | 243.182.100.227 |
| affilipcorp.com | 4.227.70.65 |
| anexcorp.org | 63.77.106.1 |
| britishfederal.org | 166.178.113.144 |
| changinessmen.com | 231.150.98.137 |
| claimsreference.net | 31.171.130.249 |
| clickoptimiser.net | 85.66.23.125 |
| contentdeliveryorg.net | 6.88.25.80 |
| contextexpert.org | 80.213.59.50 |
| continuatu.com | 222.219.85.79 |
| culminaccessful.com | 234.102.81.206 |
| cybernan.net | 116.181.5.61 |
| defenciclovis.com | 156.44.195.200 |
| descriptioned.com | 21.8.194.15 |
| detroportans.com | 42.107.140.147 |
| directiculture.com | 199.172.52.66 |
| directlyvast.com | 227.248.14.79 |
| dogmationation.com | 155.83.123.22 |
| dynodns.org | 44.36.245.224 |
| enckfeld.net | 168.23.171.69 |
| familyinteresting.com | 204.37.98.202 |
| fasternation.net | 253.101.238.123 |
| freewayreg.com | 94.75.201.33 |
| headedpicked.com | 40.22.124.164 |
| headedpicked.net | 49.197.32.49 |
| highlytraditional.org | 104.127.201.198 |
| himmeding.com | 144.61.46.13 |
| howeveraged.net | 203.136.214.219 |
| hydroelection.net | 253.134.178.81 |
| illegedly.com | 106.8.16.175 |
| imagesharehost.com | 204.11.56.48 |
| leadwriting.com | 41.252.243.242 |
| meetinglimited.com | 151.225.26.181 |
| netdiscovery.org | 106.110.29.248 |
| picasootoolbar.com | 114.225.99.185 |
| piclbumestream.com | 2.171.234.238 |
| postdone.com | 50.116.56.144 |
| ratilovskoye.com | 102.209.206.89 |
| recising.com | 7.34.116.64 |
| searchforthat.net | 38.155.216.69 |
| sectionsfear.com | 27.251.60.63 |
| separtila.com | 158.76.160.100 |
| standardbay.net | 100.134.242.235 |
| streamingadv.com | 124.3.139.20 |
| ternations.com | 25.20.33.76 |
| thomaslaid.net | 189.140.10.37 |
| traffictradexpert.com | 59.228.144.104 |
| twicecitizens.com | 204.11.56.48 |
| veristats.net | 29.205.223.64 |
| virtualsearches.com | 94.75.201.33 |
| workerssan.net | 118.15.53.129 |
| yaltimate.com | 22.149.159.105 |
**IPs used for Command and Control traffic**
The following IPs are actually used for command and control traffic, as explained in chapter 6.
```
182.62.211.45
185.17.184.249
214.66.10.71
217.23.3.243
217.23.3.244
217.23.3.249
232.187.207.67
26.252.164.23
28.16.103.211
62.212.68.230
78.109.28.248
78.109.28.249
78.109.28.250
85.17.133.193
85.17.133.194
89.172.227.240
93.115.88.220
95.211.240.193
95.211.240.194
```
**Snort signatures**
The rule text was damaged in extraction; it is reassembled below from the surviving fragments, with unrecoverable parts marked `[...]`.
```
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FOX-SRT - Trojan - Ponmocup HTTP Request (generic)"; flow:established,to_server; content:"[...]"; fast_pattern; http_header; content:"Pragma|3a| no-cache|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; content:!"Referer|3a| "; http_header; content:"Cookie|3a| "; http_header; pcre:"/^Host\x3A[^\r\n]+?\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\r\n/Hm"; content:!"Accept-Encoding|3a| "; http_header; content:!"Accept-Language|3a| "; http_header; content:!"Content-Type|3a| "; http_header; reference:url,blog.fox-it.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; threshold:type limit, track by_src, count 1, seconds 600; classtype:trojan-activity; priority:1; sid:[...]; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FOX-SRT - Trojan - Ponmocup plugin-specific check-in"; content:"GET"; http_method; content:"[...]"; distance:0; content:"Content-Type: application/x-www-form-urlencoded"; distance:0; pcre:"/Host: ([0-9]{1,3}\.){3}[0-9]{1,3}\x0d/"; content:"User-Agent: Mozilla/4."; distance:0; content:"Cookie: "; pcre:"/Cookie: [a-z0-9]{1,20}=[a-zA-Z0-9_-]{10,500}(=){0,2}/i"; distance:0; urilen:<50,norm; content:!"Referer"; threshold:type limit, track by_src, count 1, seconds 600; classtype:trojan-activity; reference:url,blog.fox-it.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; sid:[...]; rev:1;)

alert udp $HOME_NET $SIP_PORTS -> any any (msg:"FOX-SRT - Trojan - Ponmocup plugin #2600 (SIP scanner)"; content:"User-Agent|3a| Zoiper for Windows rev.1[...]|0d 0a|"; threshold:type limit, count 1, seconds 3600, track by_src; reference:url,blog.fox-it.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; sid:2100149[...]; classtype:trojan-activity; rev:1;)
```
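The generic rule above and the list of traffic characteristics in chapter 6 describe the same set of request-level traits: a Host header that is a bare IP address, a Cookie header without a Referer, no Accept-Encoding, Accept-Language or Content-Type, the Pragma/Cache-Control no-cache pair, a Mozilla/4. user agent, a short request path and cookie values that are opaque custom-base64 blobs. The Python below is an added example (not Fox-IT's signature and not derived from their tooling) that applies those traits to raw HTTP request heads, which is useful where Snort is not in the path, for example over proxy logs or a PCAP already reduced to request text. The two sample requests are constructed: the first imitates a check-in (the address is taken from the C&C list in this appendix, the cookie values from the sample in 6.1), the second is an ordinary browser request used as a control. Scoring with a threshold instead of the rule's all-or-nothing match is a choice of this example, not something the report specifies, and the 404 response is deliberately not part of it because only the request is inspected.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples (not captured traffic).
SUSPECT_REQUEST = (
    "GET /images/common/ HTTP/1.1\r\n"
    "Host: 85.17.133.193\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
    "Pragma: no-cache\r\n"
    "Cache-Control: no-cache\r\n"
    "Cookie: uid=0tMNPEubad4AlBaw4aZNqYj-PphJ; server=UiZgtrfSoQ5zfIjHnd88G_iU4Nw\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Referer: https://www.example.com/\r\n"
    "Cookie: session=abc123; theme=dark\r\n\r\n"
)

BARE_IP_HOST = re.compile(r"^(\d{1,3}\.){3}\d{1,3}(:\d+)?$")
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9_-]{10,}={0,2}$")   # custom-base64 shaped


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, path, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def ponmocup_indicators(raw: str) -> List[str]:
    """Return the traits from the generic rule that this request exhibits."""
    method, path, h = parse_request(raw)
    hits: List[str] = []
    if BARE_IP_HOST.match(h.get("host", "")):
        hits.append("Host is a bare IP address")
    if "cookie" in h and "referer" not in h:
        hits.append("Cookie without Referer")
    for name in ("accept-encoding", "accept-language", "content-type"):
        if name not in h:
            hits.append(f"no {name} header")
    if h.get("pragma", "").lower() == "no-cache" and h.get("cache-control", "").lower() == "no-cache":
        hits.append("Pragma/Cache-Control no-cache pair")
    if h.get("user-agent", "").startswith("Mozilla/4."):
        hits.append("legacy Mozilla/4. user agent")
    if method == "GET" and len(path) < 50:
        hits.append("short GET path")
    cookies = [c.strip() for c in h.get("cookie", "").split(";") if c.strip()]
    if cookies and all(OPAQUE_VALUE.match(c.partition("=")[2]) for c in cookies):
        hits.append("every cookie value is an opaque base64-like blob")
    return hits


def is_suspected_checkin(raw: str, threshold: int = 6) -> bool:
    """Score rather than require every trait; the threshold is a tuning knob of
    this example, chosen so that a single missing header does not hide a check-in."""
    return len(ponmocup_indicators(raw)) >= threshold
```

Each indicator on its own is common on the open internet (bare-IP hosts, old user agents), which is why the rule and this example both insist on the combination; when tuning the threshold against real proxy logs, the bare-IP Host plus opaque-cookie pair is the part that separates this traffic from ordinary browsing.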
## Appendix III
###### Host based indicators of compromise
**YARA signature**
The following YARA signature can be used to scan for Ponmocup plug-ins in memory. It is based on the content of the PE headers, as explained in chapter 5.3.
```
rule Ponmocup : plugins
{
    meta:
        description = "Ponmocup plugin detection (memory)"
        author = "Danny Heppener, Fox-IT"

    strings:
        $1100 = {4D 5A 90 [29] 4C 04}
        $1201 = {4D 5A 90 [29] B1 04}
        $1300 = {4D 5A 90 [29] 14 05}
        $1350 = {4D 5A 90 [29] 46 05}
        $1400 = {4D 5A 90 [29] 78 05}
        $1402 = {4D 5A 90 [29] 7A 05}
        $1403 = {4D 5A 90 [29] 7B 05}
        $1404 = {4D 5A 90 [29] 7C 05}
        $1405 = {4D 5A 90 [29] 7D 05}
        $1406 = {4D 5A 90 [29] 7E 05}
        $1500 = {4D 5A 90 [29] DC 05}
        $1501 = {4D 5A 90 [29] DD 05}
        $1502 = {4D 5A 90 [29] DE 05}
        $1505 = {4D 5A 90 [29] E1 05}
        $1506 = {4D 5A 90 [29] E2 05}
        $1507 = {4D 5A 90 [29] E3 05}
        $1508 = {4D 5A 90 [29] E4 05}
        $1509 = {4D 5A 90 [29] E5 05}
        $1510 = {4D 5A 90 [29] E6 05}
        $1511 = {4D 5A 90 [29] E7 05}
        $1512 = {4D 5A 90 [29] E8 05}
        $1600 = {4D 5A 90 [29] 40 06}
        $1601 = {4D 5A 90 [29] 41 06}
        $1700 = {4D 5A 90 [29] A4 06}
        $1800 = {4D 5A 90 [29] 08 07}
        $1801 = {4D 5A 90 [29] 09 07}
        $1802 = {4D 5A 90 [29] 0A 07}
        $1803 = {4D 5A 90 [29] 0B 07}
        $2001 = {4D 5A 90 [29] D1 07}
        $2002 = {4D 5A 90 [29] D2 07}
        $2003 = {4D 5A 90 [29] D3 07}
        $2004 = {4D 5A 90 [29] D4 07}
        $2500 = {4D 5A 90 [29] C4 09}
        $2501 = {4D 5A 90 [29] C5 09}
        $2550 = {4D 5A 90 [29] F6 09}
        $2600 = {4D 5A 90 [29] 28 0A}
        $2610 = {4D 5A 90 [29] 32 0A}
        $2700 = {4D 5A 90 [29] 8C 0A}
        $2701 = {4D 5A 90 [29] 8D 0A}
        $2750 = {4D 5A 90 [29] BE 0A}
        $2760 = {4D 5A 90 [29] C8 0A}
        $2810 = {4D 5A 90 [29] FA 0A}

    condition:
        any of them
}
```
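Every hex string in the rule shares the prefix 4D 5A 90 followed by a 29-byte jump, so the two bytes each string matches sit at offset 0x20 of the DOS header, and read as a little-endian 16-bit value they equal the plug-in number used as the string identifier (FA 0A is 0x0AFA, i.e. 2810; 4C 04 is 0x044C, i.e. 1100). The Python below is an added example, not Fox-IT's tooling: it reads that value out of a PE image, checks it against the numbers in the rule, and regenerates the YARA hex string for any plug-in number so a new one can be added without converting bytes by hand. The sample image is a constructed 64-byte MZ stub; the observation that offset 0x20 falls in the DOS header's reserved `e_res` words comes from the PE layout, not from the report.

```python
import struct
from typing import Optional

PLUGIN_ID_OFFSET = 0x20   # 3 literal bytes (4D 5A 90) + a 29-byte jump
KNOWN_PLUGIN_IDS = (1100, 1201, 1300, 1350, 1400, 1402, 1403, 1404, 1405, 1406,
                    1500, 1501, 1502, 1505, 1506, 1507, 1508, 1509, 1510, 1511,
                    1512, 1600, 1601, 1700, 1800, 1801, 1802, 1803, 2001, 2002,
                    2003, 2004, 2500, 2501, 2550, 2600, 2610, 2700, 2701, 2750,
                    2760, 2810)


def plugin_id_from_image(image: bytes) -> Optional[int]:
    """Return the little-endian 16-bit value stored at DOS-header offset 0x20,
    or None when the buffer does not start with the MZ 90 prefix the rule needs."""
    if len(image) < PLUGIN_ID_OFFSET + 2 or image[:3] != b"MZ\x90":
        return None
    return struct.unpack_from("<H", image, PLUGIN_ID_OFFSET)[0]


def is_known_plugin(image: bytes) -> bool:
    """True when the header carries one of the plug-in numbers listed in the rule."""
    return plugin_id_from_image(image) in KNOWN_PLUGIN_IDS


def yara_hex_string(plugin_id: int) -> str:
    """Regenerate the rule's hex string for one plug-in number."""
    lo, hi = struct.pack("<H", plugin_id)
    return f"{{4D 5A 90 [29] {lo:02X} {hi:02X}}}"


def yara_rule(plugin_ids=KNOWN_PLUGIN_IDS) -> str:
    """Emit a rule equivalent to the one above for the given plug-in numbers."""
    lines = [f"        ${pid} = {yara_hex_string(pid)}" for pid in plugin_ids]
    return ("rule Ponmocup : plugins\n{\n    strings:\n" + "\n".join(lines)
            + "\n    condition:\n        any of them\n}\n")


def build_test_image(plugin_id: int) -> bytes:
    """Constructed 64-byte DOS header: 'MZ', e_cblp 0x0090, the plug-in number
    at offset 0x20 (third e_res word), e_lfanew at 0x3C, everything else zero."""
    hdr = bytearray(64)
    hdr[0:4] = b"MZ\x90\x00"
    struct.pack_into("<H", hdr, PLUGIN_ID_OFFSET, plugin_id)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr)


if __name__ == "__main__":
    sample = build_test_image(2810)
    print("plug-in id:", plugin_id_from_image(sample), "known:", is_known_plugin(sample))
    print(yara_rule((1100, 2810)))
```

Because the field lives in reserved DOS-header space that the loader ignores, it survives in memory unchanged, which is why the rule works on process memory as well as on files; the same function can be pointed at a dumped image base to triage which plug-ins a host has received.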
**Registry**
Registry keys used by the Ponmocup framework for information storage.
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\1
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\2
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\3
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\4
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\5
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\6
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\7
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\8
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\9
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\10
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\11
Copyright © 2015 Fox-IT BV
All rights reserved. No part of this document shall be reproduced, stored in a retrieval system or transmitted by any means without written permission from Fox-IT. Violations will be prosecuted by applicable law. The general service conditions of Fox-IT B.V. apply to this documentation.
**Trademark**
Fox-IT and the Fox-IT logo are trademarks of Fox-IT B.V.
All other trademarks mentioned in this document are owned by the mentioned legal body or organization.
Fox-IT
- Was founded in 1999.
- Established one of the first Cyber Security Operations Centers in Europe.
- Is Europe’s largest specialized cyber security company.
- Operates in three business areas:
  1. Cyber Threat Management: a solution portfolio aimed at reducing the risks of cyber threats, which includes professional services, managed security services, and technology;
  2. Web and Mobile event analytics: a solution portfolio that is aimed at reducing financial risks in (online) payment transactions;
  3. High Assurance: solutions that make trusted communication possible to the highest classification levels.
- Has been involved in many high-profile Incident Response cases. Most of the cases we worked on are secret. An approved selection can be shared upon request.

Fox-IT, Olof Palmestraat 6, Delft; PO Box 638, 2600 AP Delft, The Netherlands
t +31 (0) 15 284 79 58, f +31 (0) 15 284 79 90, www.Fox-IT.com
IBAN NL57ABNA0554697041, KvK Haaglanden 27301624