Let’s see how protected you think you are.

This malicious URL turned up on the malc0de crowd-sourcing site on March 11.

Figure 1 - Appearance of the malicious URL on malc0de, March 11

Unfortunately, the exact time of the submission is not known. What is known is that VirusTotal registered the submission at least 16 hours before we started looking at it, at 10:18 AM UTC on March 12, and as of that time, almost 16 hours later, only 13 of 49 AV products detected it.

Figure 2 - VirusTotal scan results for javaplas.exe, March 11

Granted, some of the scanners are adware-oriented, but even discounting those, a number of big players let this file through. Now, even assuming you update your signatures as often as VirusTotal does (that is, as soon as they become available), you are still in trouble.
The file in question is a .NET executable; decompiled with dotPeek (our tool of choice for this example), it reveals, among others, the following classes:

Figure 3 - dotPeek decompiling result for javaplas.exe

Right away, the Decrypt class and the obfuscation that defeats decompilation of some class methods stand out:

Figure 4 - Attempting decompilation in dotPeek

And that includes Main, the entry point method:

Figure 5 - More obfuscated methods in dotPeek

To get an idea of what is going on inside the obfuscated methods, let's look at the MSIL byte code, which is generally more prone to various forms of obfuscation. The Main method refers to the WindowsFormsApplicationBase::Run method. Incidentally, the leave.s loc_2D jump over the finally{..} block is most probably the construct that trips up the decompiler.

Figure 6 - MSIL byte code in IDA

At a glance, a number of interesting methods found inside WindowsFormsApplicationBase look quite suspicious:

Figure 7 - WindowsFormsApplicationBase in dotPeek

For instance, WriteUrlToMemoryMappedFile stores a remote URL in a local file, possibly for use by other malware components:

Figure - WriteUrlToMemoryMappedFile

Figure - WriteUrlToMemoryMappedFile methods

No less interesting is RegisterChannel:

Figure - RegisterChannel

This method creates a channel and registers it with channel services, allowing inbound and outbound control connections over TCP/IP. There are also a number of other methods imported from Microsoft.VisualBasic.dll, such as RegistryProxy, Name, Network, ComputerInfo and FileSystemProxy. These all obtain objects for manipulating the registry, accessing the network, and retrieving information about the computer's name, memory-loaded assemblies and operating system. All of this, in security terms, makes the .NET assembly quite peculiar. But this is just scratching the surface. When executed, the file self-injects its own process with a loader and continues to build and decrypt itself in memory in small chunks. The rest of the malware code is stored in the .text section together with the byte code. The information entropy of the .text section is high, which suggests that the self-injected code is encrypted.
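The entropy observation above can be turned into a repeatable check. The following stdlib-only Python is an added example, not tooling from the original post: it walks the PE section table and computes per-section Shannon entropy; the PE image it builds is a constructed minimal stand-in (not the sample), and the 7.0-bit threshold is an assumed rule of thumb.

```python
"""Per-section Shannon entropy for a PE file, stdlib only (added example)."""
import math
import struct
from collections import Counter
from typing import Dict, List

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # 40-byte IMAGE_SECTION_HEADER
PACKED_THRESHOLD = 7.0  # bits/byte; assumed rule of thumb, plain MSIL/x86 code sits well below it


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_entropies(pe: bytes) -> Dict[str, float]:
    """Walk the PE section table and return {section name: entropy of its raw data}."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size                          # section table follows the optional header
    out = {}
    for i in range(num_sections):
        f = SECTION_HEADER.unpack_from(pe, table + i * SECTION_HEADER.size)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = f[3], f[4]                    # SizeOfRawData, PointerToRawData
        out[name] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return out


def suspicious_sections(entropies: Dict[str, float]) -> List[str]:
    """Names of sections whose entropy suggests encrypted or compressed content."""
    return [n for n, e in entropies.items() if e >= PACKED_THRESHOLD]


def build_sample_pe(text: bytes, rdata: bytes) -> bytes:
    """Constructed minimal PE image (not the post's sample): no optional header, two sections."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    data = 0x40 + 4 + 20 + 2 * SECTION_HEADER.size         # raw data starts right after the table
    h_text = SECTION_HEADER.pack(b".text", len(text), 0x1000, len(text), data, 0, 0, 0, 0, 0x60000020)
    h_rdata = SECTION_HEADER.pack(b".rdata", len(rdata), 0x2000, len(rdata), data + len(text), 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + coff + h_text + h_rdata + text + rdata
```

Run `section_entropies` over a real file read in binary mode; a .text section scoring near 8 bits/byte while the rest stays around 4 to 6 is the pattern the post describes.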

The trojan performs the following actions:

Drops malicious PE files:

  • C:\NTKernel\nt32.exe
  • C:\NTKernel\javaan14v3u1.exe
  • C:\%user%\Documents\315load32.exe
  • C:\ProgramData\load32.exe
  • C:\ProgramData\NTKernle\nt32.exe

javaan14v3u1.exe injects an iexplore.exe instance with its own code and then terminates; execution continues from the iexplore.exe process.

Drops the file C:\%user%\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\Update.Microsoft.com.url, which points to C:\ProgramData\NTKernle\nt32.exe.

Keeps many copies of itself around the system, and constantly monitors and restarts its processes in case they are shut down.

Downloads and installs updates for itself (if available) from zoros<snip>.com.

Downloads the file CPU.files, which indicates that the trojan is used for bitcoin mining.
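A defender-side check for the Startup-folder persistence entry listed above, added here as an example and not part of the original post: it parses Internet Shortcut (.url) files and flags those whose target is a local executable rather than a web address. The folder contents are constructed, and the file:/// form of the target is an assumption, since the post only names the path.

```python
"""Flag Startup-folder .url shortcuts that launch a local executable (added example)."""
import configparser
import os
import tempfile
from typing import List, Tuple
from urllib.parse import unquote, urlparse

LOCAL_EXE_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")  # no reason for a Startup .url


def url_target(text: str) -> str:
    """Return the URL= value of an Internet Shortcut (.url) file, or '' if absent."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg.get("InternetShortcut", "URL", fallback="").strip()


def is_local_executable(target: str) -> bool:
    """True when the target is a local path (file:// URL or drive letter) to an executable."""
    parsed = urlparse(target)
    if parsed.scheme == "file":
        path = unquote(parsed.path)
    elif len(target) > 2 and target[0].isalpha() and target[1] == ":":
        path = target
    else:
        return False  # http(s) and similar web targets are what .url files are meant for
    return path.lower().endswith(LOCAL_EXE_SUFFIXES)


def scan_startup_folder(folder: str) -> List[Tuple[str, str]]:
    """(shortcut name, target) for every .url in folder whose target is a local executable."""
    hits = []
    for name in sorted(os.listdir(folder)):
        if name.lower().endswith(".url"):
            with open(os.path.join(folder, name), encoding="utf-8", errors="replace") as fh:
                target = url_target(fh.read())
            if is_local_executable(target):
                hits.append((name, target))
    return hits


def build_sample_startup_folder() -> str:
    """Constructed Startup folder: one entry mirroring the dropper's persistence shortcut, one benign."""
    folder = tempfile.mkdtemp(prefix="startup_")
    samples = {  # the file:/// form of the target is an assumption; the post only names the path
        "Update.Microsoft.com.url": "[InternetShortcut]\nURL=file:///C:/ProgramData/NTKernle/nt32.exe\n",
        "Vendor Support.url": "[InternetShortcut]\nURL=https://example.com/support\n",
    }
    for name, body in samples.items():
        with open(os.path.join(folder, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return folder
```

On a live system, point `scan_startup_folder` at each user's Startup directory and at the all-users one under ProgramData.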

 

So overall, this is an extremely pervasive and harmful piece of malware that roots itself deep within the system and is extremely hard to get rid of. All of this could have been stopped if the installation file, javaplas.exe, had been detected. Let's see how we are doing after two days of the file being in the wild. Here is the latest snapshot from VirusTotal on March 14:

Figure 8 - VirusTotal scan results for javaplas.exe, March 14

It shows that even after more than two days, this very pervasive and dangerous piece of malware is still not picked up by some of the major AV players.
And here are the scan results for the malware file dropped by the trojan:

Figure 9 - VirusTotal scan results for javaan.exe, March 14

These results are even less comforting. The actual code responsible for the malware's payload was first submitted only 9 hours earlier and is detected by even fewer AV products.
Looking at the source of this file on the web, we can see that this particular family has been around, and has been updated, since at least March 3.

Figure 10 - Malicious URL history on malc0de

It shows updates at an average frequency of one per day. If it takes more than two days to get a sample detected, we are in trouble.
It also pays to notice that zoros<snip>.com is the site of a legitimate business and looks like it fell to a hack or a social engineering attempt.

Figure 11 - The compromised host

A quick look through the whois database shows the owner and the location of the malware seeding site.

Figure 12 - Whois records for zoros<snip>.com

The physical address of the owner happens to be in Samokov city in Bulgaria.

We made our best effort to notify the site developers and the registrant of the domain name about the hosted malware.


So, as usual, exercise vigilance and remember that the first line of defense is you. Pay attention to the source of files, and in particular of executables. Trust your common sense. Take note of the little things, because this is where you can see (or even sense) that there is something wrong. That trojan dropper file, javaplas.exe, doesn't sound too trustworthy, especially when you consider where it came from.
