Difference between revisions of "Analysis:20130516-0001"
Revision diff, ==Report== section (line 459):

Previous revision:
These were found on file share directories located on multiple Windows servers. Without running in a sandbox environment, it can be assumed is likely a preservation component for the Qakbot malware package, the renamed "dll" files are most likely hooked into the host system where they routinely execute and re-create the packaged executable (via the "Kernel32.dll", CreateFileA and WriteFile functions)

Latest revision:
These were found on file share directories located on multiple Windows servers. Without running in a sandbox environment, it can be assumed with moderate certainty this is likely a preservation component for the Qakbot malware package, the renamed "dll" files are most likely hooked into the host system where they routinely execute and re-create the packaged executable within (via the "Kernel32.dll", CreateFileA and WriteFile functions)
Latest revision as of 21:31, 16 May 2013
Analysis by: Kradorex Xeron, 18:25, 16 May 2013 (EDT)
File Attributes
File attributes are as follows:
Hashes
File hashes are MD5:

d085f63b8386e0d3337671b75461ff8f  daaqvjzgl.ztd
d085f63b8386e0d3337671b75461ff8f  hirpckeb.tcn
d085f63b8386e0d3337671b75461ff8f  kvhswkfhdl.ckm
d085f63b8386e0d3337671b75461ff8f  kzenuh.kiy
d085f63b8386e0d3337671b75461ff8f  lyeefmrig.zud
d085f63b8386e0d3337671b75461ff8f  mganoydtxg.pio
d085f63b8386e0d3337671b75461ff8f  qkdefhtrv.dyb
d085f63b8386e0d3337671b75461ff8f  ruqtdtbay.agp
d085f63b8386e0d3337671b75461ff8f  xwnpnoxtg.yyx
d085f63b8386e0d3337671b75461ff8f  zbgwpvm.nwm
d085f63b8386e0d3337671b75461ff8f  zpcfsmdylh.zje
d085f63b8386e0d3337671b75461ff8f  zuwtjqidrj.zyh

All twelve files share one MD5 (and, below, identical section sizes), so they are copies of the same DLL dropped under different names and non-standard extensions.
Type
File types scanned as:
daaqvjzgl.ztd:  MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
hirpckeb.tcn:   MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
kvhswkfhdl.ckm: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
kzenuh.kiy:     MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
lyeefmrig.zud:  MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
mganoydtxg.pio: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
qkdefhtrv.dyb:  MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
ruqtdtbay.agp:  MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
xwnpnoxtg.yyx:  MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
zbgwpvm.nwm:    MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
zpcfsmdylh.zje: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
zuwtjqidrj.zyh: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit
Sizes
   text    data     bss     dec     hex filename
 267490     324       0  267814   41626 daaqvjzgl.ztd
 267490     324       0  267814   41626 hirpckeb.tcn
 267490     324       0  267814   41626 kvhswkfhdl.ckm
 267490     324       0  267814   41626 kzenuh.kiy
 267490     324       0  267814   41626 lyeefmrig.zud
 267490     324       0  267814   41626 mganoydtxg.pio
 267490     324       0  267814   41626 qkdefhtrv.dyb
 267490     324       0  267814   41626 ruqtdtbay.agp
 267490     324       0  267814   41626 xwnpnoxtg.yyx
 267490     324       0  267814   41626 zbgwpvm.nwm
 267490     324       0  267814   41626 zpcfsmdylh.zje
 267490     324       0  267814   41626 zuwtjqidrj.zyh
File disassembly
Only one file is examined, since all of them are identical:
daaqvjzgl.ztd
Virustotal scan: https://www.virustotal.com/en/file/d2377ec83f1463d8186789f8507e9872cdc982aed6a7915a37ffcb976baddf08/analysis/1368751819/
objdump (daaqvjzgl.ztd)
daaqvjzgl.ztd:     file format pei-i386

Characteristics 0x210e
        executable
        line numbers stripped
        symbols stripped
        32 bit words
        DLL

Time/Date               Tue May 29 07:54:35 2012
Magic                   010b    (PE32)
MajorLinkerVersion      6
MinorLinkerVersion      0
SizeOfCode              00000400
SizeOfInitializedData   00041800
SizeOfUninitializedData 00000000
AddressOfEntryPoint     0000115b
BaseOfCode              00001000
BaseOfData              00002000
ImageBase               10000000
SectionAlignment        00001000
FileAlignment           00000200
MajorOSystemVersion     4
MinorOSystemVersion     0
MajorImageVersion       0
MinorImageVersion       0
MajorSubsystemVersion   4
MinorSubsystemVersion   0
Win32Version            00000000
SizeOfImage             00047000
SizeOfHeaders           00000400
CheckSum                00000000
Subsystem               00000002        (Windows GUI)
DllCharacteristics      00000000
SizeOfStackReserve      00100000
SizeOfStackCommit       00001000
SizeOfHeapReserve       00100000
SizeOfHeapCommit        00001000
LoaderFlags             00000000
NumberOfRvaAndSizes     00000010

The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 00002044 00000050 Import Directory [parts of .idata]
Entry 2 00004000 00041068 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00046000 00000048 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 00002000 00000044 Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 CLR Runtime Header
Entry f 00000000 00000000 Reserved

There is an import table in .rdata at 0x10002044

The Import Tables (interpreted .rdata section contents)
 vma:            Hint    Time      Forward  DLL       First
                 Table   Stamp     Chain    Name      Thunk
 00002044       00002094 00000000 00000000 00002174 00002000

        DLL Name: KERNEL32.dll
        vma:  Hint/Ord Member-Name Bound-To
        20d8       98  CreateProcessA
        20ea       49  CloseHandle
        20f8      907  WriteFile
        2104       79  CreateFileA
        2112      336  GetEnvironmentVariableA
        212c      582  LoadResource
        213c      829  SizeofResource
        214e      223  FindResourceA
        215e      635  OutputDebugStringA
        21ba      514  HeapAlloc
        21c6      410  GetProcessHeap

 00002058       000020d0 00000000 00000000 00002190 0000203c

        DLL Name: USER32.dll
        vma:  Hint/Ord Member-Name Bound-To
        2182      730  wvsprintfA

 0000206c       000020c4 00000000 00000000 000021ae 00002030

        DLL Name: MSVCRT.dll
        vma:  Hint/Ord Member-Name Bound-To
        21a6      720  time
        219c      702  strlen

 00002080       00000000 00000000 00000000 00000000 00000000

PE File Base Relocations (interpreted .reloc section contents)

Virtual Address: 00001000 Chunk size 72 (0x48) Number of fixups 32
        reloc    0 offset    e [100e] HIGHLOW
        reloc    1 offset   15 [1015] HIGHLOW
        reloc    2 offset   21 [1021] HIGHLOW
        reloc    3 offset   2a [102a] HIGHLOW
        reloc    4 offset   35 [1035] HIGHLOW
        reloc    5 offset   49 [1049] HIGHLOW
        reloc    6 offset   56 [1056] HIGHLOW
        reloc    7 offset   62 [1062] HIGHLOW
        reloc    8 offset   79 [1079] HIGHLOW
        reloc    9 offset   7f [107f] HIGHLOW
        reloc   10 offset   92 [1092] HIGHLOW
        reloc   11 offset   ae [10ae] HIGHLOW
        reloc   12 offset   d1 [10d1] HIGHLOW
        reloc   13 offset   dd [10dd] HIGHLOW
        reloc   14 offset   f6 [10f6] HIGHLOW
        reloc   15 offset   fd [10fd] HIGHLOW
        reloc   16 offset  102 [1102] HIGHLOW
        reloc   17 offset  107 [1107] HIGHLOW
        reloc   18 offset  11b [111b] HIGHLOW
        reloc   19 offset  125 [1125] HIGHLOW
        reloc   20 offset  156 [1156] HIGHLOW
        reloc   21 offset  16a [116a] HIGHLOW
        reloc   22 offset  16f [116f] HIGHLOW
        reloc   23 offset  1be [11be] HIGHLOW
        reloc   24 offset  1c9 [11c9] HIGHLOW
        reloc   25 offset  1d1 [11d1] HIGHLOW
        reloc   26 offset  1da [11da] HIGHLOW
        reloc   27 offset  1f9 [11f9] HIGHLOW
        reloc   28 offset  200 [1200] HIGHLOW
        reloc   29 offset  208 [1208] HIGHLOW
        reloc   30 offset  20e [120e] HIGHLOW
        reloc   31 offset    0 [1000] ABSOLUTE
winedump (daaqvjzgl.ztd)
Contents of daaqvjzgl.ztd: 270336 bytes

File Header
  Machine:                      014C (i386)
  Number of Sections:           5
  TimeDateStamp:                4FC4B8FB (Tue May 29 07:54:35 2012) offset 216
  PointerToSymbolTable:         00000000
  NumberOfSymbols:              00000000
  SizeOfOptionalHeader:         00E0
  Characteristics:              210E
    EXECUTABLE_IMAGE
    LINE_NUMS_STRIPPED
    LOCAL_SYMS_STRIPPED
    32BIT_MACHINE
    DLL

Optional Header (32bit)
  Magic                              0x10B          267
  linker version                     6.00
  size of code                       0x400          1024
  size of initialized data           0x41800        268288
  size of uninitialized data         0x0            0
  entrypoint RVA                     0x115b         4443
  base of code                       0x1000         4096
  base of data                       0x2000         8192
  image base                         0x10000000     268435456
  section align                      0x1000         4096
  file align                         0x200          512
  required OS version                4.00
  image version                      0.00
  subsystem version                  4.00
  Win32 Version                      0x0            0
  size of image                      0x47000        290816
  size of headers                    0x400          1024
  checksum                           0x0            0
  Subsystem                          0x2 (Windows GUI)
  DLL characteristics:               0x0
  stack reserve size                 0x100000       1048576
  stack commit size                  0x1000         4096
  heap reserve size                  0x100000       1048576
  heap commit size                   0x1000         4096
  loader flags                       0x0            0
  RVAs & sizes                       0x10           16

Data Directory
  EXPORT       rva: 0x0      size: 0x0
  IMPORT       rva: 0x2044   size: 0x50
  RESOURCE     rva: 0x4000   size: 0x41068
  EXCEPTION    rva: 0x0      size: 0x0
  SECURITY     rva: 0x0      size: 0x0
  BASERELOC    rva: 0x46000  size: 0x48
  DEBUG        rva: 0x0      size: 0x0
  ARCHITECTURE rva: 0x0      size: 0x0
  GLOBALPTR    rva: 0x0      size: 0x0
  TLS          rva: 0x0      size: 0x0
  LOAD_CONFIG  rva: 0x0      size: 0x0
  Bound IAT    rva: 0x0      size: 0x0
  IAT          rva: 0x2000   size: 0x44
  Delay IAT    rva: 0x0      size: 0x0
  CLR Header   rva: 0x0      size: 0x0
               rva: 0x0      size: 0x0
Interesting Resource Extraction
daaqvjzgl.ztd_10_BUTTON_0 (extracted resource: type 10 = RT_RCDATA, name "BUTTON", language ID 0)
Virustotal scan: https://www.virustotal.com/en/file/91d53bd1aa6523c5f36653a8d8912c92da770a342ed3c7067b8d4b37ed0a6948/analysis/1368747670/
e48db15c97c00d7c8d5070d3ef76cba2  daaqvjzgl.ztd_10_BUTTON_0

daaqvjzgl.ztd_10_BUTTON_0: PE32 executable for MS Windows (console) Intel 80386 32-bit
objdump (daaqvjzgl.ztd_10_BUTTON_0)
daaqvjzgl.ztd_10_BUTTON_0:     file format pei-i386
daaqvjzgl.ztd_10_BUTTON_0
architecture: i386, flags 0x0000012e:
EXEC_P, HAS_LINENO, HAS_DEBUG, HAS_LOCALS, D_PAGED
start address 0x00402730

Characteristics 0x103
        relocations stripped
        executable
        32 bit words

Time/Date               Mon Aug 6 00:14:24 2007
Magic                   010b    (PE32)
MajorLinkerVersion      8
MinorLinkerVersion      0
SizeOfCode              00003000
SizeOfInitializedData   0006f000
SizeOfUninitializedData 00000000
AddressOfEntryPoint     00002730
BaseOfCode              00001000
BaseOfData              00004000
ImageBase               00400000
SectionAlignment        00001000
FileAlignment           00001000
MajorOSystemVersion     4
MinorOSystemVersion     0
MajorImageVersion       0
MinorImageVersion       0
MajorSubsystemVersion   4
MinorSubsystemVersion   0
Win32Version            00000000
SizeOfImage             00073000
SizeOfHeaders           00001000
CheckSum                00050f2f
Subsystem               00000003        (Windows CUI)
DllCharacteristics      00000000
SizeOfStackReserve      00100000
SizeOfStackCommit       00001000
SizeOfHeapReserve       00100000
SizeOfHeapCommit        00001000
LoaderFlags             00000000
NumberOfRvaAndSizes     00000010

The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 000041dc 0000003c Import Directory [parts of .idata]
Entry 2 0006e000 00004b6c Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00000000 00000000 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 00004000 00000080 Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 CLR Runtime Header
Entry f 00000000 00000000 Reserved

There is an import table in .rdata at 0x4041dc

The Import Tables (interpreted .rdata section contents)
 vma:            Hint    Time      Forward  DLL       First
                 Table   Stamp     Chain    Name      Thunk
 000041dc       00004218 00000000 00000000 000043e0 00004000

        DLL Name: KERNEL32.dll
        vma:  Hint/Ord Member-Name Bound-To
        4298       68  CreateMutexW
        42a8      199  FreeLibrary
        42b6      373  GetSystemDirectoryW
        42cc      104  DisableThreadLibraryCalls
        42e8      786  WriteFile
        42f4      465  IsBadCodePtr
        4304      735  UnhandledExceptionFilter
        4320      416  GlobalAlloc
        432e      463  InterlockedIncrement
        4346      185  FindResourceW
        4356      471  IsBadWritePtr
        4366      268  GetCurrentDirectoryW
        437e      564  RaiseException
        4390      488  LoadResource
        43a0      489  LocalAlloc
        43ae      318  GetModuleHandleA
        43c2      305  GetLastError
        43d2      196  FreeConsole

 000041f0       00004264 00000000 00000000 000044b8 0000404c

        DLL Name: USER32.dll
        vma:  Hint/Ord Member-Name Bound-To
        4422      135  DefWindowProcW
        4434      187  EndDialog
        4440      398  IsDlgButtonChecked
        4456      686  WinHelpW
        4462      152  DispatchMessageW
        4476      517  RegisterWindowMessageW
        4490      692  wsprintfW
        449c      261  GetDlgItem
        44aa      227  GetAncestor
        43fa       81  CreateDialogParamW
        43ee       42  CharPrevW
        4410      561  SetDlgItemTextW

 00004204       00000000 00000000 00000000 00000000 00000000

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .text         00002ca3  00401000  00401000  00001000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .rdata        000004c4  00404000  00404000  00004000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data         00037000  00405000  00405000  00005000  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  3 .rsrc         00004b6c  0046e000  0046e000  0003c000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
SYMBOL TABLE:
no symbols
winedump (daaqvjzgl.ztd_10_BUTTON_0)
Contents of daaqvjzgl.ztd_10_BUTTON_0: 266240 bytes

File Header
  Machine:                      014C (i386)
  Number of Sections:           4
  TimeDateStamp:                46B6A020 (Mon Aug 6 00:14:24 2007) offset 216
  PointerToSymbolTable:         00000000
  NumberOfSymbols:              00000000
  SizeOfOptionalHeader:         00E0
  Characteristics:              0103
    RELOCS_STRIPPED
    EXECUTABLE_IMAGE
    32BIT_MACHINE

Optional Header (32bit)
  Magic                              0x10B          267
  linker version                     8.00
  size of code                       0x3000         12288
  size of initialized data           0x6f000        454656
  size of uninitialized data         0x0            0
  entrypoint RVA                     0x2730         10032
  base of code                       0x1000         4096
  base of data                       0x4000         16384
  image base                         0x400000       4194304
  section align                      0x1000         4096
  file align                         0x1000         4096
  required OS version                4.00
  image version                      0.00
  subsystem version                  4.00
  Win32 Version                      0x0            0
  size of image                      0x73000        471040
  size of headers                    0x1000         4096
  checksum                           0x50f2f        331567
  Subsystem                          0x3 (Windows CUI)
  DLL characteristics:               0x0
  stack reserve size                 0x100000       1048576
  stack commit size                  0x1000         4096
  heap reserve size                  0x100000       1048576
  heap commit size                   0x1000         4096
  loader flags                       0x0            0
  RVAs & sizes                       0x10           16

Data Directory
  EXPORT       rva: 0x0      size: 0x0
  IMPORT       rva: 0x41dc   size: 0x3c
  RESOURCE     rva: 0x6e000  size: 0x4b6c
  EXCEPTION    rva: 0x0      size: 0x0
  SECURITY     rva: 0x0      size: 0x0
  BASERELOC    rva: 0x0      size: 0x0
  DEBUG        rva: 0x0      size: 0x0
  ARCHITECTURE rva: 0x0      size: 0x0
  GLOBALPTR    rva: 0x0      size: 0x0
  TLS          rva: 0x0      size: 0x0
  LOAD_CONFIG  rva: 0x0      size: 0x0
  Bound IAT    rva: 0x0      size: 0x0
  IAT          rva: 0x4000   size: 0x80
  Delay IAT    rva: 0x0      size: 0x0
  CLR Header   rva: 0x0      size: 0x0
               rva: 0x0      size: 0x0
Report
These were found in file share directories on multiple Windows servers. This is a static assessment only; the samples were not run in a sandbox. With moderate certainty they are a preservation (re-dropper) component of the Qakbot malware package. Each of the renamed "dll" files is the same 32-bit DLL carrying a complete console executable as an RCDATA resource (type 10, name "BUTTON"), and that resource is nearly the whole file: the DLL has only 0x400 bytes of code against a 0x41068-byte resource directory, and the carved payload (266240 bytes, MD5 e48db15c97c00d7c8d5070d3ef76cba2) carries a 2007 link timestamp while the carrier was linked in 2012. The carrier's import table is exactly what is needed to locate that resource (FindResourceA, LoadResource, SizeofResource), write it back to disk (CreateFileA, WriteFile, with GetEnvironmentVariableA and wvsprintfA presumably used to build the output path) and launch it (CreateProcessA), so whenever one of these DLLs is executed it most likely re-creates and runs the packaged executable. How the DLLs are invoked on the host (the hooking that would make them run routinely) is not established by this static analysis and would need a sandbox run or inspection of the servers' persistence points to confirm.
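Added example (not code from the original analysis or from the malware): a pure-Python resource walker that reproduces the extraction step in the "Interesting Resource Extraction" section and the reasoning in the Report without running the sample. It parses the PE headers, walks the .rsrc directory tree, carves every resource that is itself a well-formed PE, and reports its MD5 and whether it is a DLL, GUI executable or console executable, naming the output the way the page does (<file>_<type>_<name>_<lang>). Because the real sample is not on the page, build_sample_dropper() constructs a harmless, header-only stand-in with the same shape (PE32 DLL, RCDATA type 10, name "BUTTON", language 0); the offsets, alignments and the stand-in's contents are assumptions for illustration, not values taken from the sample. Run it with no arguments to see the constructed stand-in carved, or call carve_embedded_pes() on the bytes of a real file.

```python
import hashlib
import struct

RT_RCDATA = 10            # resource type of the "BUTTON" payload discussed on this page

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]

def parse_pe(data):
    """Return (characteristics, subsystem, sections, rsrc_rva, rsrc_size) from the PE headers."""
    pe = _u32(data, 0x3C)                                       # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size, chars = _u16(data, pe + 6), _u16(data, pe + 20), _u16(data, pe + 22)
    opt, magic = pe + 24, _u16(data, pe + 24)                   # magic 0x10b = PE32, 0x20b = PE32+
    subsystem = _u16(data, opt + 68)                            # same offset in both formats
    ndirs_off, dirs_off = (92, 96) if magic == 0x10B else (108, 112)
    rsrc = struct.unpack_from("<II", data, opt + dirs_off + 16) if _u32(data, opt + ndirs_off) > 2 else (0, 0)
    sections = []                                               # (name, va, vsize, raw_ptr, raw_size)
    for i in range(nsect):
        s = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((data[s:s + 8].rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw_ptr, raw_size))
    return chars, subsystem, sections, rsrc[0], rsrc[1]

def rva_to_offset(sections, rva):
    for _, va, vsize, raw_ptr, raw_size in sections:            # map RVA -> file offset via the section table
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError("RVA %#x is not backed by any section" % rva)

def walk_resources(data, sections, rsrc_rva):
    """Yield ((type, name, language), bytes) for every leaf of the resource tree."""
    base = rva_to_offset(sections, rsrc_rva)
    def label(ident):                                           # high bit set: offset to a UTF-16 name string
        if ident & 0x80000000:
            off = base + (ident & 0x7FFFFFFF)
            return data[off + 2:off + 2 + 2 * _u16(data, off)].decode("utf-16-le")
        return ident
    def walk(dir_off, path):
        n = _u16(data, dir_off + 12) + _u16(data, dir_off + 14)  # named entries + id entries
        for i in range(n):
            ident, target = struct.unpack_from("<II", data, dir_off + 16 + 8 * i)
            if target & 0x80000000:                             # subdirectory, relative to the resource section
                yield from walk(base + (target & 0x7FFFFFFF), path + [label(ident)])
            else:                                               # IMAGE_RESOURCE_DATA_ENTRY: data RVA, size, ...
                data_rva, size = struct.unpack_from("<II", data, base + target)
                off = rva_to_offset(sections, data_rva)
                yield tuple(path + [label(ident)]), data[off:off + size]
    yield from walk(base, [])

def carve_embedded_pes(data):
    """Return [(resource path, md5, kind)] for every resource that is itself a well-formed PE."""
    _, _, sections, rsrc_rva, _ = parse_pe(data)
    found = []
    for path, blob in (walk_resources(data, sections, rsrc_rva) if rsrc_rva else []):
        try:
            chars, subsystem, _, _, _ = parse_pe(blob)
        except (ValueError, struct.error):                      # not a PE, or truncated
            continue
        kind = "DLL" if chars & 0x2000 else {2: "GUI EXE", 3: "console EXE"}.get(subsystem, "EXE")  # 0x2000 = IMAGE_FILE_DLL
        found.append((path, hashlib.md5(blob).hexdigest(), kind))
    return found

def resource_filename(stem, path):
    return "_".join([stem] + [str(p) for p in path])            # <file>_<type>_<name>_<lang>, as on the page

def build_sample_dropper():
    """Constructed stand-in for the real sample (not malware): a PE32 DLL whose only section is
    .rsrc, holding a header-only console EXE stub as RCDATA (type 10), name "BUTTON", language 0."""
    def pe_headers(characteristics, subsystem, sections, rsrc_rva=0, rsrc_size=0):
        dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
        coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, characteristics)
        opt = bytearray(0xE0)
        struct.pack_into("<H", opt, 0, 0x10B)                                 # PE32 magic
        struct.pack_into("<III", opt, 28, 0x10000000, 0x1000, 0x200)         # ImageBase, SectionAlign, FileAlign
        struct.pack_into("<H", opt, 68, subsystem)
        struct.pack_into("<I", opt, 92, 16)                                   # NumberOfRvaAndSizes
        struct.pack_into("<II", opt, 96 + 16, rsrc_rva, rsrc_size)            # resource data directory (entry 2)
        hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
        for name, va, vsize, raw_ptr, raw_size in sections:
            hdr += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        return hdr
    def directory(n_named, n_id): return struct.pack("<IIHHHH", 0, 0, 0, 0, n_named, n_id)
    inner = pe_headers(0x0103, 3, [])                           # RELOCS_STRIPPED | EXECUTABLE_IMAGE, console
    # resource tree; offsets are relative to the start of .rsrc (RVA 0x1000)
    rsrc = directory(0, 1) + struct.pack("<II", RT_RCDATA, 0x80000000 | 0x18)               # root -> type @0x18
    rsrc += directory(1, 0) + struct.pack("<II", 0x80000000 | 0x58, 0x80000000 | 0x30)      # type -> name @0x30
    rsrc += directory(0, 1) + struct.pack("<II", 0, 0x48)                                    # name -> lang 0
    rsrc += struct.pack("<IIII", 0x1000 + 0x68, len(inner), 0, 0)                            # data entry @0x48
    rsrc += struct.pack("<H", 6) + "BUTTON".encode("utf-16-le") + b"\0\0"                    # name string @0x58
    rsrc += inner                                                                            # payload @0x68
    raw_size = (len(rsrc) + 0x1FF) & ~0x1FF
    hdr = pe_headers(0x210E, 2, [(b".rsrc", 0x1000, len(rsrc), 0x200, raw_size)], 0x1000, len(rsrc))
    return hdr.ljust(0x200, b"\0") + rsrc.ljust(raw_size, b"\0")

if __name__ == "__main__":
    for path, md5, kind in carve_embedded_pes(build_sample_dropper()):
        print(md5, resource_filename("sample.dll", path), kind)
```

The walker follows the resource tree exactly as the loader does (type, then name, then language; high bit of an entry's second field marks a subdirectory, high bit of the first marks a named entry), so it finds a payload regardless of what the type or name is; checking each leaf with parse_pe() is what turns "a large RCDATA blob" into "an embedded executable" without executing anything. On the real sample the carved blob's MD5 should match the e48db15c... value recorded above.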