Malware Report: iauzzy.exe
Summary
This malware creates a file named ‘qqt.exe’ under %WinDir%. That file is the actual malicious executable. qqt.exe communicates with its Command & Control (C2) server over IRC. The controller behind it can execute arbitrary code, reboot the infected machine, remove the malware itself, and so on.
Static Analysis
Unpack
This is a packed file, so little information can be obtained before unpacking it. Use upx to unpack it.
Calculate Hash
MD5: Message-Digest algorithm 5: 1E88F7A6F6BACC647012784C0FA2C9F1
SHA-1: US Secure Hash Algorithm 1: 9E065956031A862646DAADC7A2674AC7B1B5D184
SHA-256: US Secure Hash Algorithm: 18B56E7C5ECF61C93DE70EA470F6BF61C2B59A3A86683A9EBA0A573761393BE6
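The two steps above (recognising a UPX-packed sample and recording its MD5/SHA-1/SHA-256) can be scripted so that every dropped file in a case gets the same treatment. The block below is an added example, not code from the report: it parses the PE section table and flags the UPX0/UPX1 section names that a stock UPX build leaves behind, and computes the three digests the report records. The PE blob it builds is constructed purely to exercise the parser and is not the malware sample.

```python
import hashlib
import struct


def build_sample_pe(section_names):
    """Constructed sample: a minimal PE image (DOS stub, COFF header, empty
    PE32 optional header, section table) carrying the given section names.
    It exists only so the parser below has something to run on."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64 bytes
    opt_size = 224  # size of a PE32 optional header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    sections = b"".join(
        name.encode("ascii").ljust(8, b"\x00") + b"\x00" * 32  # 40-byte IMAGE_SECTION_HEADER
        for name in section_names
    )
    return dos_header + b"PE\x00\x00" + coff + b"\x00" * opt_size + sections


def fingerprint(data):
    """MD5, SHA-1 and SHA-256 of a byte string, upper-case as the report lists them."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def pe_section_names(data):
    """Return the section names from the PE section table, or [] if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return []
    coff_off = e_lfanew + 4
    if len(data) < coff_off + 20:
        return []
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    table_off = coff_off + 20 + opt_size
    names = []
    for i in range(nsections):
        raw = data[table_off + i * 40:table_off + i * 40 + 8]
        if len(raw) < 8:
            break  # truncated section table
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """A stock UPX build names its sections UPX0, UPX1 (and UPX2)."""
    return any(name.upper().startswith("UPX") for name in pe_section_names(data))


if __name__ == "__main__":
    sample = build_sample_pe(["UPX0", "UPX1", ".rsrc"])
    print("sections:", pe_section_names(sample), "upx:", looks_upx_packed(sample))
    print(fingerprint(sample))
```

To use it on a real sample, pass `open(path, "rb").read()` to `pe_section_names` and `fingerprint`. The section-name check is only a hint: a packer can rename its sections, so absence of UPX0/UPX1 does not mean the file is unpacked, while their presence is a good reason to try `upx -d` before reading strings.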
Open with PEStudio
There are strings like ‘!@login’ and ‘!@exit’. These are the instructions exchanged with the C2 server.
Dynamic Analysis
Behavior Analysis
Run iauzzy.exe in OllyDBG.
At breakpoint 4015D7, it creates the file qqt.exe under C:\Windows\.
Calculate Hash of qqt.exe.
MD5: Message-Digest algorithm 5: 1E88F7A6F6BACC647012784C0FA2C9F1
SHA-1: US Secure Hash Algorithm 1: 9E065956031A862646DAADC7A2674AC7B1B5D184
SHA-256: US Secure Hash Algorithm: 18B56E7C5ECF61C93DE70EA470F6BF61C2B59A3A86683A9EBA0A573761393BE6
Run qqt.exe in OllyDBG.
Through Process Explorer, I found that it connects to the server slack.isfs.org.hk on ports 6667 and 103.
Configure the local hosts file by adding the line below:
127.0.0.1 slack.isfs.org.hk
This redirects the host name to localhost.
Set the BewareIRCServer (an IRC server) config file to listen on ports 6667 and 103. Then open XChat (an IRC client) and configure it as in the screenshot below.
When qqt.exe is running, two channels appear in XChat: one called ‘zeus’ and another called ‘ccccccccccc’.
Enter either one and you will see another user in the chat room. This is the bot behind qqt.exe. In OllyDBG, set a breakpoint at 4020B5 and try typing ‘!@login something’; you will find the correct password.
At port 6667, the password is ‘wiedo’ ; at port 103 the password is ’750208?’.
After login, the attacker can carry out malicious operations. For example, he can send ‘!@reboot’ to restart the infected machine, or ‘!@run calc.exe’. Of course, the attacker will not simply run the calculator.
Besides this, I also found the person who may be the author of this malware. After logging in via XChat, I typed ‘Who made You?’. It returned a Chinese name.
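The IRC exchange described above (a bot joining a channel and a controller issuing ‘!@’-prefixed commands such as ‘!@login’, ‘!@run’ and ‘!@reboot’) is what a network sensor or sandbox would see on port 6667. The following is an added detection example, not code from the report: a small RFC 1459 line parser and a detector that flags PRIVMSG text using the ‘!@’ command prefix, redacting the argument of ‘!@login’ so captured credentials do not end up in an analyst report. The session lines are constructed for the example; the nicks, hosts and password placeholder are made up.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IrcMessage:
    prefix: Optional[str]   # "nick!user@host" or a server name, if present
    command: str            # "PRIVMSG", "JOIN", numeric replies such as "001", ...
    params: List[str]       # middle params followed by the trailing param, if any

    @property
    def nick(self):
        """Sender nick from a 'nick!user@host' prefix (None for server messages)."""
        if self.prefix and "!" in self.prefix:
            return self.prefix.split("!", 1)[0]
        return None


def parse_irc_line(line):
    """Parse one raw IRC line of the form '[:prefix] COMMAND params [:trailing]'."""
    line = line.rstrip("\r\n")
    prefix = trailing = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        raise ValueError("empty IRC line")
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return IrcMessage(prefix, parts[0].upper(), params)


BOT_PREFIX = "!@"              # command prefix seen in this sample's strings
CREDENTIAL_VERBS = {"login"}   # arguments that must not be echoed into a report


def detect_bot_commands(lines):
    """Return one finding per PRIVMSG whose text is a '!@' bot command."""
    findings = []
    for line in lines:
        msg = parse_irc_line(line)
        if msg.command != "PRIVMSG" or len(msg.params) < 2:
            continue
        target, text = msg.params[0], msg.params[1]
        if not text.startswith(BOT_PREFIX):
            continue
        verb, _, argument = text[len(BOT_PREFIX):].partition(" ")
        verb = verb.lower()
        argument = argument.strip()
        if verb in CREDENTIAL_VERBS and argument:
            argument = "<redacted>"
        findings.append({"channel": target, "sender": msg.nick,
                         "verb": verb, "argument": argument})
    return findings


# Constructed session (not a real capture): a controller commanding the bot in
# the 'zeus' channel the report observed, plus ordinary chatter and server traffic.
SAMPLE_SESSION = [
    ":irc.example.test 001 bot1 :Welcome to the network",
    ":bot1!bot@10.0.0.5 JOIN :#zeus",
    ":ctrl!op@10.0.0.9 PRIVMSG #zeus :!@login not-a-real-password",
    ":ctrl!op@10.0.0.9 PRIVMSG #zeus :!@run calc.exe",
    ":ctrl!op@10.0.0.9 PRIVMSG #zeus :!@reboot",
    ":alice!a@10.0.0.7 PRIVMSG #zeus :hello everyone",
    "PING :irc.example.test",
]

if __name__ == "__main__":
    for finding in detect_bot_commands(SAMPLE_SESSION):
        print(finding)
```

Fed with the lines of a reassembled TCP stream to port 6667 (or 103, which this sample also uses), the detector yields the channel, the sender and the verb of every bot command, which is enough to write an IDS rule or a sandbox signature without ever storing the login secret.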
Process
Processes Created:
[CreateProcess] Explorer.EXE:1376 > "%UserProfile%\Desktop\Samples\iauzzy\iauzzy.exe "
[CreateProcess] iauzzy.exe:3000 > "%WinDir%\qqt.exe"
File
[CreateFile] iauzzy.exe:3000 > %WinDir%\qqt.exe [SHA256: c9bdf30de160ac30ead5c1a7a736bf00c9fb2f35bb5b17b3e844e36370069ad1]
Registry
iauzzy adds qqt.exe to the registry under the key ‘HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update’, which means the malware is executed automatically every time the infected machine starts up.
Detailed changes are listed below:
[RegSetValue] iauzzy.exe:3000 > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = C:\Windows\qqt.exe
[RegSetValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = 0
[RegDeleteValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
[RegDeleteValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
[RegDeleteValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
[RegDeleteValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
[RegSetValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 46 00 00 00 4C 00 00 00 01 00 00 00 00 00 00 00
[RegSetValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix =
[RegSetValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = Cookie:
[RegSetValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = Visited:
[RegSetValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = 1
[RegSetValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = 1
[RegSetValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = 1
[RegSetValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 0
[RegSetValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = 1
[RegSetValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = 1
[RegSetValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = 1
[RegSetValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 0
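The registry events above follow a fixed ‘[Op] process:pid > key = value’ layout, so the two behaviours worth alerting on (the Run-key persistence entry and the rewriting of the user's Internet Settings proxy values) can be picked out mechanically. The block below is an added example, not code from the report: a parser for that line format and a classifier that labels Run/RunOnce writes as persistence and changes to the proxy-related values as proxy tampering. The sample lines are a subset copied from the report above; the classification rules are the example's own assumptions.

```python
import re

# '[RegSetValue] proc:pid > path = value' or '[RegDeleteValue] proc:pid > path'
LOG_LINE = re.compile(
    r"^\[(?P<op>Reg\w+)\] (?P<proc>[^:]+):(?P<pid>\d+) > (?P<path>.+?)(?: = (?P<value>.*))?$"
)

# Assumed rules for this example: autostart locations and the proxy values
# that, when cleared or bypassed, change how the victim's HTTP traffic is routed.
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
PROXY_VALUES = {"proxyenable", "proxyserver", "proxyoverride",
                "autoconfigurl", "autodetect", "proxybypass"}


def parse_registry_event(line):
    """Parse one log line into a dict, or return None for non-registry lines."""
    m = LOG_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    event = m.groupdict()
    event["pid"] = int(event["pid"])
    event["name"] = event["path"].rsplit("\\", 1)[-1]   # value name, last path component
    return event


def classify(event):
    """Return 'persistence', 'proxy_tamper' or None for an event."""
    path = event["path"].lower()
    name = event["name"].lower()
    if event["op"] == "RegSetValue" and any(key in path for key in RUN_KEYS):
        return "persistence"
    if "\\internet settings\\" in path and name in PROXY_VALUES:
        return "proxy_tamper"
    return None


def analyze(lines):
    """Parse every line and keep only the events that match a rule."""
    findings = []
    for line in lines:
        event = parse_registry_event(line)
        if event is None:
            continue
        category = classify(event)
        if category:
            findings.append({**event, "category": category})
    return findings


def persistence_entries(findings):
    """(process, pid, autostart command) for every persistence finding."""
    return [(f["proc"], f["pid"], f["value"])
            for f in findings if f["category"] == "persistence"]


# Subset of the registry events recorded in the report, plus one non-registry line.
SAMPLE_EVENTS = [
    r"[RegSetValue] iauzzy.exe:3000 > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = C:\Windows\qqt.exe",
    r"[RegSetValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = 0",
    r"[RegDeleteValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer",
    r"[RegDeleteValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL",
    r"[RegSetValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = Cookie:",
    r"[RegSetValue] qqt.exe:2268 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = 1",
    "Processes Created:",
]

if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for finding in results:
        print(finding["category"], finding["proc"], finding["path"], finding.get("value"))
    print("autostart:", persistence_entries(results))
```

On the sample the Run\Update write is the only persistence finding, and it gives the exact path to remove (C:\Windows\qqt.exe) together with the process that wrote it, while the CachePrefix writes are correctly left alone as ordinary WinINet housekeeping.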
Network
slack.isfs.org.hk
www.mmbest.com
testirc.88cc.org
Modus Operandi Assumption
After acquiring many infected machines, the attacker may log in via XChat (or any other IRC client) to commit the crime. For example, the attacker is able to launch a DDoS attack to paralyze a target server via qqt.exe. Eventually, the attacker can wipe out the malware and the traces it produced from the infected machines.
Amazing!