Thursday, June 14, 2012

Quick Malware Notes: "WPCT Action Plan from Environment Group.doc" (payload operates under the guise of itunes)

A few days ago, Contagio Malware Dump posted 90 malware samples (http://contagiodump.blogspot.com/2012/06/90-cve-2012-0158-documents-for-testing.html#more).  My wife wondered why my mouth was drooling.  I told her it was a geek thing and she said "cool", then went back to playing Angry Birds.

Anyway, I've only had time to look at one out of the 90 so far, but the one I picked turned out to be a little interesting.  I say that because the malicious RTF file drops "winword.exe" on the victim host, which in turn drops "itunes.exe" on the system; both are malicious and not what they appear to be (by file name).  In addition, a registry key (see below) is created for persistence.

HKU\S-1-5-21-2052111302-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\SysUpdate: "C:\Documents and Settings\<user>\Local Settings\Application Data\itunes.exe"

Since most users probably have iTunes loaded, this probably would not appear malicious if they noticed it running - they'd probably just think iTunes was looking for updates.

Since I had to get to my day job, I wasn't able to dive into the code yet, but I was able to take a quick behavioral look at this, and here's a chronological gist of what happens on a compromised system:

Upon execution of "WPCT  Action Plan from Environment Group.doc"...

explorer.exe (legit process)
process: created
-> C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

WINWORD.EXE (in office11 - legit process)
file: Write
-> C:\Documents and Settings\<user>\Desktop\~$H WPCT  Action Plan from Environment Group.doc
-> C:\Documents and Settings\<user>\Local Settings\Temp\Winword.exe
-> C:\Documents and Settings\<user>\Desktop\6TH WPCT  Action Plan from Environment Group.doc
process: created
-> C:\Documents and Settings\<user>\Local Settings\Temp\Winword.exe

Winword.exe (in %Temp% - malicious)
registry: SetValueKey
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ae4eccf-38d9-11dd-8e16-806d6172696f}\BaseClass
file: Write
-> C:\Documents and Settings\<user>\Local Settings\Application Data\itunes.exe
process: created
-> C:\Documents and Settings\<user>\Local Settings\Application Data\itunes.exe
process: created
-> C:\WINDOWS\system32\cmd.exe

cmd.exe (legit process, but used by malware)
process: created
-> C:\WINDOWS\system32\reg.exe
process: terminated
-> C:\WINDOWS\system32\reg.exe

reg.exe (legit process, but used by malware)
registry: SetValueKey
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysUpdate

Winword.exe (%Temp% - malicious)
process: terminated
-> C:\WINDOWS\system32\cmd.exe

itunes.exe (malicious)
registry: SetValueKey
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Recent
registry: SetValueKey
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ae4eccf-38d9-11dd-8e16-806d6172696f}\BaseClass
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ae4eccd-38d9-11dd-8e16-806d6172696f}\BaseClass
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ae4eccc-38d9-11dd-8e16-806d6172696f}\BaseClass
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CacheLimit
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CacheLimit
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CacheLimit
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
registry: DeleteValueKey
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
registry: SetValueKey
-> HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
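As an added example (my own code, not the author's tooling), the Python below turns the behavioral trace above and the Run key noted earlier into three detections a practitioner would actually want: an Office process writing or launching an .exe in a user-writable profile directory, a binary carrying a well-known product name (winword.exe, itunes.exe) running from outside Program Files, and any value written under CurrentVersion\Run. The sample trace is constructed from the lines above (paths abbreviated, `<user>` kept literal); it assumes the trace format shown here (actor line, `action: type` line, `-> target` lines) and that the legitimate install root for those products is C:\Program Files. Because the actor lines carry no path, the parser resolves each actor to the most recent path seen for that image name, which is how it tells the legitimate WINWORD.EXE apart from the one in %Temp%.

```python
"""Detections over the process/file/registry trace format printed above.
Added example, not the original post's tooling.  Assumptions: the trace
layout shown in the post, and that legitimate copies of the product names
below live under C:\\Program Files."""
import ntpath
import re
from collections import namedtuple

Event = namedtuple("Event", "actor action target")

# Constructed from the trace in the post (abbreviated; <user> kept literal).
SAMPLE_TRACE = r"""
explorer.exe (legit process)
process: created
-> C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

WINWORD.EXE (in office11 - legit process)
file: Write
-> C:\Documents and Settings\<user>\Local Settings\Temp\Winword.exe
process: created
-> C:\Documents and Settings\<user>\Local Settings\Temp\Winword.exe

Winword.exe (in %Temp% - malicious)
file: Write
-> C:\Documents and Settings\<user>\Local Settings\Application Data\itunes.exe
process: created
-> C:\Documents and Settings\<user>\Local Settings\Application Data\itunes.exe
process: created
-> C:\WINDOWS\system32\cmd.exe

reg.exe (legit process, but used by malware)
registry: SetValueKey
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysUpdate
"""

# Per-user directories on XP that need no elevation to write into.
USER_WRITABLE = ("\\local settings\\temp\\",
                 "\\local settings\\application data\\",
                 "\\application data\\")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Names that malware borrows; assumed legitimate only under Program Files.
PRODUCT_NAMES = {"winword.exe", "excel.exe", "itunes.exe", "iexplore.exe"}
EXPECTED_ROOT = "c:\\program files\\"

ACTION_RE = re.compile(r"^(file|process|registry): (\w+)")


def parse_trace(text):
    """Flatten the trace into Event tuples; actor is resolved to the last
    full path seen for that image name (falls back to the bare name)."""
    events, images, actor, action = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            actor = action = None
            continue
        if line.startswith("-> "):
            target = line[3:]
            if actor and action:
                events.append(Event(actor, action, target))
            if action == "process:created":
                images[ntpath.basename(target).lower()] = target
            continue
        m = ACTION_RE.match(line)
        if m:
            action = f"{m.group(1)}:{m.group(2).lower()}"
        else:  # actor header, e.g. "WINWORD.EXE (in office11 - legit process)"
            name = line.split()[0].lower()
            actor, action = images.get(name, name), None
    return events


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def check_run_value(image_path):
    """True when a Run-key command points into a user-writable profile dir."""
    return in_user_writable(image_path)


def analyze(events):
    """Return (rule, actor, target) findings, one per distinct triple."""
    findings, seen = [], set()

    def emit(rule, e):
        key = (rule, e.actor, e.target)
        if key not in seen:
            seen.add(key)
            findings.append(key)

    for e in events:
        base = ntpath.basename(e.target).lower()
        actor_base = ntpath.basename(e.actor).lower()
        office_from_pf = actor_base in OFFICE_APPS and e.actor.lower().startswith(EXPECTED_ROOT)
        if office_from_pf and e.action in ("file:write", "process:created") \
                and base.endswith(".exe") and in_user_writable(e.target):
            emit("office_dropped_exe", e)
        if e.action == "process:created" and base in PRODUCT_NAMES \
                and not e.target.lower().startswith(EXPECTED_ROOT):
            emit("masquerade_path", e)
        if e.action == "registry:setvaluekey" and "\\currentversion\\run\\" in e.target.lower():
            emit("run_key_persistence", e)
    return findings


if __name__ == "__main__":
    for rule, actor, target in analyze(parse_trace(SAMPLE_TRACE)):
        print(f"{rule:22} {actor} -> {target}")
```

On the sample this yields four findings: the Program Files WINWORD.EXE dropping Winword.exe into %Temp%, that Winword.exe and the later itunes.exe both running from under Documents and Settings rather than Program Files, and reg.exe writing Run\SysUpdate. `check_run_value` applied to the Run value data quoted earlier returns True, whereas a real iTunes entry under Program Files would not trip it.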


NETWORK TRAFFIC:

POST /im/linux.php HTTP/1.1
Host: www.maintechy.com
Content-Length: 2281
Cache-Control: no-cache

After I'm able to take a deeper look at this, I'll update this post accordingly.

=========================================================================

File: 6TH WPCT  Action Plan from Environment Group.doc
Size: 167856
MD5:  e836e9ee613bbebfe076ce67c589ae3c
SHA1: 64c2e4384b7ebbdc040453394b203e5d7f0254db

File: Winword.exe
Size: 129536
MD5:  4467369a848fee1424494833237e7b42
SHA1: d7b9f6679ad14b098b41bb80120c97df0e9fa9f7
ssdeep: 3072:Oe5amp1VKNM4kA2xIM7wqEBAMQw8SupZth3pz9:KmpGvpM4AMQw8F7
Compile Time: 4F62A02C (Fri, 16 March 2012 02:06:36 UTC)

File: itunes.exe
Size: 73216
MD5:  972c692625bd57f0c7264c9e048752f6
SHA1: bb9ede8d7243060736a481bee3e0acb2b3b8efd3
ssdeep: 1536:DkXcS22xQxM7K9BqEdDAGlPnI4A7Dte+Rk0SuPxZth3pz:DkA2xIM7wqEBAMQw8SupZth3pz
Compile Time: 4F629F39 (Fri, 16 March 2012 02:02:33 UTC)
