CartellaUnicaTasse Malware

From UIC

CartellaUnicaTasse.exe An Italian Malware Reverse Engineering Study

Infos
Author:	Evilcry
Email:	evilcry@virgilio.it
Website:	http://evilcry.netsons.org
Date:	17/08/2008 (dd/mm/yyyy)
Level:
Language:	Italian
Comments:	Wiki-porting by Pnluck

Introduction

CartellaUnicaTasse.exe is an e-mail spreaded Malware that acts as a Downloader Agent for other Malicious Executable Applications. Thanks to CUT.exe a series of executables are downloaded and runned into the victim user. In this paper we will analyze with a classical RCE Approach the entire structure of CartellaUnicaTasse from the pure Infection to the Network Point of View.

Tools

• Ida
• OllyDbg

Essay

CartellaUnicaTasse.exe is an e-mail spreaded Malware that acts as a Downloader Agent for other Malicious Executable Applications. Thanks to CUT.exe a series of executables are downloaded and runned into the victim user. In this paper we will analyze with a classical RCE Approach the entire structure of CartellaUnicaTasse from the pure Infection to the Network Point of View.

The first executable is delivered as a normal mail attachment with subject Cartella esattoriale n° 003 210400360968173, and its written in VB6 with a layer of UPX, so after a first detection became really easy to detect it. CartellaUnicaTasse basically attempts to enstablish a connection with hxxp://2mug.biz/mef/ and after accessing it, executes the downloaded applications.

This is the list of downloaded executables:

Name: Download1.exe
MD5: 457B534D1141F8B70548506D0D83B4C0
SHA-1: 5D9E106F4B8684D56EF67EB744FCF7CC24B1A23C

Download1.exe works as dialer and is truly similar to Mef.exe, evidently the coder spreaded two versions, download1.exe included into the dowloader CartellaUnicaTasse, and mef that is only placed into 2mug.biz/mef/ directory.

Name: Download2.exe
MD5: 93790593E3B95D6E9CE1EF055FEE2D0E
SHA-1: 1314F59CB1469D67AD4566611BB2972CB9C8764F

Download2.exe is packed with NSPack, it's easy to unpack it, just watch IDA Graph to locate the last instruction of the graph, this will be jump for the OEP.

Also Download2.exe acts as a dialer, and in the same time generates a copy of itself into \system32\ directory.

Let's see in detail what it does:

There is a little difference between this dialer and the others, Download1, Download3 and Mef.exe acts uniquely with 2mug.biz, Download2 inserts into the ZoneMap also 928476362.com.

Download2 creates also a copy of itself placed in C:\WINDOWS\System32\dllconfig\cache\dllcache.exe

The directory System32\dllconfig\cache\ does not exists as System Directory and is created at runtime by the dialer, with a name that remembers System32\dllcache, that's a Real System Directory.

00401B2C call sub_4015A0 contains intersting informations, inside this call we can see intersting strings:

hxxp://mygalleries.biz/mail.php

and an HTTP Header:

after opening a socket, is called GetHostByName with argument hxxp://google-hard.com and some Network operation is accomplished. This malware is not an intersting one :)

Name: Download3.exe
MD5: 63AC4A54790D71AB99FC050E5D3B4F5A
SHA-1: 61F293926800926722866A72B9EA3DE9522600FB

This executable is basically packed with UPX, and does not exist any problem in unpacking it. The structure of the code is really and easy, with SHGetSpecialFolderPathA is located the SpecialFolder of the current account that is running the executable.

Usually C:\Documents and Settings\_UserName_\Application Data\

Next a set of splitted strings are composed:

disinstalla.htm
syslcznp.exe
C:\Documents and Settings\_UserName_\Application Data\semanatiba\syslcznp.exe

The content of syslcznp.exe is loaded from the internal resources of download3 and next builded with CreateFile and WriteFile.

As all others malicious executables cooming from the same source (Download1.exe, Download2.exe, loader_mef.exe, mef.exe) also this contains a basical form of encryption to make difficult a basical deadlist analysis.

In each of these executable the decryption is implemented in the same way: Decrypt(String);

It's not necessary to spent many work about that algorithm, cause is a Reducted Range form of Substitution Cipher.

After building syslcznp.exe, some Registry Key is created and finally syslcznp.exe executed.

Name: syslcznp.exe
MD5: 1CA2A0C7859D1BD3A4DDC5C3491F9036
SHA-1: F03A0E4FBD4FAA457EBF85F70496BBE51A015BD0

This malcious executable is created by Download3.exe and mantains the same kind of encryption and architecture of previous malicious application. With the difference that this time, the Dialer opens some Thread and works with Mutexes.

Let's list the Registry Key Operations:

As every dialer, it accesses surely some URL, let's list it:

hxxp://www.casinoatropez.com/trcpromo-demetrius-profile-pmail18
hxxp://www.casinoatropez.com/trcpromo-demetrius-profile-pmail18

Name: mef.exe
MD5: 457B534D1141F8B70548506D0D83B4C0
SHA-1: 5D9E106F4B8684D56EF67EB744FCF7CC24B1A23C

mef.exe is a dialer written in VC++ that works with RASAPI32.dll, so we can suddenly identify it as a dialer. Let's see the Registry Key Activity:

The RegKey operations are all devoted to the correct configuration of IE Browser settings.

Suddenly after the program EntryPoint we notice some intersting string:

and after these strings

899Xxx is the Italian Phone Numeration for PayServices

As every dialer surely there is a PayWebSite releated, and this can be discovered just with a string search: hxxp://www.pornoaccesso.com/rid=340

Malicious executables are placed into an USA Server (mug.biz). When a victim accesses this website, in the homepage is contained an hidden iframe that points to an Old Exploit of an ActiveX webcam control of Yahoo Messenger that attempts to execute a malicious application called loader_base.exe.

Malware Graph

Final world

Finally I want to thanks first of all my Cattina for providing me this malware example, and Edgar from which I've taken the Hidden Iframe Image! I also thanks Woodmann, MalwareDomainLists, Tuts4You and Reteam Communities :)

Disclaimer