The sample has been already circulated around few weeks ago. But still found less information about this malware on internet. Thus, I decide to make some quick analysis.
Basic File Information
Received filename : Tor_Browser.exeMD5 hash received from report:
Original Filename : suf70_launch.exe
Executable vendor : Indigo Rose Corp.
File size : 707,793 bytes
694DD57886B32AD850224A783198D9FE (Installer file 707,793 bytes) 10D52767B537B2F9F564481665B029E6 (Malicous PE file 9,080 bytes) 761EA80A1C0019D6CB606BB646EBE57F (Malicous PE file 74,240 bytes)MD5 hash from official website:
Official installer file is about 22MB size while the sample is only 700kb.
Summary
The sample that we received is in PE installer file. Using TOR Project file icon. While in installation wizard, user will notice that there is no EULA appear on the screen:
The installer file is a malware dropper. Upon finished installation, the malware will not execute itself automatically. Thus, it will need user interaction to reboot their PC or run it manually from Start Menu.
If user run it from Start Menu, it will run itself from C:\Program Files\Tor Browser\Tor_Browser.exe. This PE file will then run another process from the following location:
C:\Users\<user profile>\AppData\Local\Temp\explorer.exeThen run the %RANDOMNAME%.bat dropped at Windows Temporary folder. This will delete the previous file Tor_Browser.exe after the process has been terminated.
The running fake explorer.exe process will doing several malicious activity including keylogger, save keystroke in encrypted form, resolve IP into malware author DNS.
The explorer.exe will remain it process in memory.
Process Activity
Upon execution of the sample its create the following mutex:
XXXXOOOO
This will make sure only single process of itself is running.
File & folder
Upon installation the following file has been created:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tor Browser\ жÔØ Tor Browser.lnk Tor_Browser.lnk C:\Users\<user profile>>\AppData\Roaming\Help\ CREATELINK.EXE (Legit file use to create a shortcut link) iexplore.exe IconCacheBt.DAT (Encrypted fake explorer.exe file) IconConfig.DAT (Encrypted keylogger configuration) C:\Program Files\Tor Browser\Tor_Browser.exe C:\Windows\Tor Browser\uninstall.exe -- Non-malicious file C:\Users\<user profile>\AppData\Local\Temp\explorer.exe
This malware sample also create a shortcut link as a startup to the following folder:
C:\Users\<userprofile>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
The shortcut file will be linked to the following file location:
C:\Users\<userprofile>\AppData\Roaming\Help\iexplore.exe
Windows Registry
The malware will create the following registry key:
HKCU\Software\Microsoft\Windows\DbxUpdateBT "Mark"="ay"
NOTE: This registry key use to mark the current machine as already infected.
The malware also read the following registry key:
HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\and try to read the following value "~MHz". This value is storing a current CPU speed.
Keylogger Activity
Save key stroke from user input to the following file:
C:\Users\<user profile>\AppData\Local\Temp\win_32.sys
All captured key stroke is saved in encrypted form (Using compression library).
Network
Trying to connect to the following IP:
222.82.13.89:80Domain name found on the malware. Trying to resolve IP from the following DNS:
mychangeip1.ddns.info mychangeip.ddns.us
Miscellaneous
The malware sample (iexplore.exe) also contain a digital certificate embedded to it while fake explorer.exe does not have any digital certificate.
The digital certificate may be stolen and has been revoked.