Chen Fengfeng, Alfa laboratory, Tianrongxin
0x00 Overview
This sample was captured by @neteagle. I was curious, so I had a look and wrote up a brief analysis. It is a backdoor program with an infection (self-spreading) function; we call it the eraseme backdoor after the file name it propagates under, eraseme_%d%d%d%d%d.exe. This is my first analysis report, so thank you for your guidance; if anything in the analysis is wrong, please point it out.
The sample consists of three components:
PE program (Pe0): the shell (dropper), mainly responsible for releasing Pe1
PE program (Pe1): the core program, responsible for infection and control; packed with UPX to reduce its size, and releases sys1
Driver (sys1): modifies the system's maximum number of concurrent TCP/IP connections
0x01 Program operation process
- Pe0 program running process (eraseme_.exe)
1. Check whether it is running in a normal environment. If a file monitor, a process monitor, or Wireshark is running, or it is running inside VMware or the Sandboxie sandbox, it exits directly. (PS: it also checks whether the current user name is "currentuser"; my guess is that some sandbox environment logs in under the name currentuser. If anyone knows which one, please let me know.)
Check whether it is running in VMware
Detect Sandboxie
Check whether Wireshark, Procmon, a file monitor, or a registry monitor is running
2. In a normal environment, decrypt its own resources to obtain Pe1, and inject it into a newly created process for execution;
3. Clean up: delete the original file by running C:\windows\system32\cmd.exe /C del C:\eraseme.exe > nul
4. Exit
- Pe1 program operation process
- Get the operating system version;
- Check whether the computer's user name contains the strings "sandbox" or "VM"; exit if it does;
- Get the name of the current module and write it to the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run so that it starts automatically at boot;
- Check whether the file winrsc.exe already exists in the system directory. If not, copy Pe0 to the system directory and rename it winrsc.exe (on XP it copies itself to C:\windows\system\; on Win7 to %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\);
- If it already exists, create a thread that performs the backdoor's main functions:
1) Create a mutex so that only one instance of the EXE runs
2) Hide the current process through ZwSystemDebugControl (effective on XP); create a thread that releases the sys file to C:\windows\system32\drivers\sysdrv32.sys, then loads and runs the driver.
3) Create a thread that masquerades as a web server: generate a random port (1120~64535), listen on it, and when data beginning with the string 'GET' is received, send its own binary to the connection;
4) Establish a TCP connection to port 555 of the C&C server mail.vspcord.com. After the connection succeeds, send information about the machine, wait for commands, and send the relevant information according to each command
5) Create a thread that scans the intranet for all hosts with ports 139 and 445 open, then brute-forces IPC$ on those hosts (with a simple built-in dictionary; new dictionary data can be delivered through remote control). On success it copies itself to the remote host under the name eraseme%d%d%d%d%d.exe (each %d is a random digit 1-9), executes it by creating a service or a scheduled task, and reports to the C&C server:
"PRIVMSG #xploit :[ntpass(NetAddJob)] \\192.168.231.128 $passwd$:$username$ [$share]"
"PRIVMSG #xploit :[ntpass(Service)] \\192.168.231.128 $passwd$:$username$ [$share]"
6) Create a thread that monitors for USB disks. When one is present, copy itself to the root directory of the USB disk as win.com, and write an autorun.inf file in the root directory so that the file executes automatically.
Privilege escalation
Process hiding
Check whether the active user name contains strings such as currentuser, sandbox, VMware
Copy itself to the system directory
On XP, copy to C:\windows\system\
On Win7, copy to %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\
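The host-side artifacts listed above (the eraseme%d%d%d%d%d.exe propagation name, winrsc.exe in the system directory, sysdrv32.sys under drivers, the Run key entry, and win.com plus autorun.inf at the root of a removable disk) can be turned into a small triage check. The following script is an added example written for this write-up, not code from the report or from the sample; the file list, Run-key values and autorun.inf body are constructed sample inputs, and the function names are my own.

```python
import re

# Constructed sample inputs (not taken from the report): file paths and
# Run-key values as a host inventory script might collect them.
SAMPLE_FILES = [
    r"C:\windows\system32\drivers\sysdrv32.sys",
    r"C:\windows\system\winrsc.exe",
    r"C:\eraseme_38125.exe",
    r"\\192.168.231.130\C$\eraseme71349.exe",
    r"E:\win.com",
    r"E:\autorun.inf",
    r"C:\windows\system32\notepad.exe",
]
SAMPLE_RUN_VALUES = {
    "winrsc": r"C:\windows\system\winrsc.exe",
    "ctfmon": r"C:\windows\system32\ctfmon.exe",
}
# Constructed autorun.inf body of the kind the report describes.
SAMPLE_AUTORUN = "[autorun]\r\nopen=win.com\r\nshellexecute=win.com\r\n"

# Indicators from the analysis above. The report spells the propagation
# name both with and without the underscore, so it is optional here;
# each %d is one random digit 1-9.
ERASEME_NAME = re.compile(r"(^|[\\/])eraseme_?[1-9]{5}\.exe$", re.IGNORECASE)
DROPPED_NAMES = {
    "winrsc.exe": "copy of the dropper in the system directory",
    "sysdrv32.sys": "driver that raises the TCP/IP connection limit",
}
AUTORUN_WIN_COM = re.compile(
    r"^\s*(open|shellexecute)\s*=\s*win\.com\s*$", re.IGNORECASE | re.MULTILINE
)


def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def scan_files(paths):
    """Return (path, reason) for every path matching a file indicator."""
    hits = []
    for p in paths:
        name = basename(p)
        if ERASEME_NAME.search(p):
            hits.append((p, "eraseme propagation file name"))
        elif name in DROPPED_NAMES:
            hits.append((p, DROPPED_NAMES[name]))
        elif name == "win.com" and re.fullmatch(r"[a-z]:\\win\.com", p.lower()):
            hits.append((p, "win.com at drive root (removable-media copy)"))
    return hits


def scan_run_key(values):
    """Run-key entries whose target is the winrsc.exe copy."""
    return [(n, v) for n, v in values.items() if basename(v) == "winrsc.exe"]


def scan_autorun(text):
    """True if an autorun.inf body launches win.com."""
    return AUTORUN_WIN_COM.search(text) is not None


def scan_host(files, run_values, autorun_text):
    """Combine the three checks into one list of human-readable findings."""
    findings = [f"file: {p} ({why})" for p, why in scan_files(files)]
    findings += [f"run key: {n} -> {v}" for n, v in scan_run_key(run_values)]
    if scan_autorun(autorun_text):
        findings.append("autorun.inf launches win.com")
    return findings


if __name__ == "__main__":
    for line in scan_host(SAMPLE_FILES, SAMPLE_RUN_VALUES, SAMPLE_AUTORUN):
        print(line)
```

The name matches are deliberately loose (winrsc.exe and sysdrv32.sys anywhere, not only in the directories the report names), because a renamed or moved copy is still worth a look during triage; the eraseme pattern is stricter since the report gives its exact shape.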
1. Release sysdrv32.sys and modify the maximum number of concurrent TCP/IP connections (the default is 252)
2. Listen on a random port on its own IP. When a connection sends "GET" data, it first sends "HTTP/1.0 200 OK.. Server: Private .." and then sends its binary data to the connection
3. Send machine-related information to the mail.vspcord.com server, wait for the server to return data, and execute the relevant commands according to that data
Send machine-related information
Receive and execute instructions and code sent by the server
4. Scan the LAN for hosts with ports 445 and 139 open, then propagate its file to those hosts through IPC$
Iterate over the built-in user name and password table, and propagate through IPC$ once a connection succeeds
5. Remote start
Start by creating a service
Send "PRIVMSG #xploit :[ntpass(Service)] \\192.168.231.128 $passwd$:$username$ [$share]" to the C&C server;
Start via a scheduled task and send "PRIVMSG #xploit :[ntpass(NetAddJob)] \\192.168.231.128 $passwd$:$username$ [$share]" to the C&C server
6. When a removable disk is present, copy itself to win.com in the root directory of the removable disk and write an autorun.inf file, so that inserting the disk into a system executes the sample directly
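The network behaviour described in points 2, 3 and 5 gives three indicators a monitoring team can match on: the IRC-style PRIVMSG report the sample sends after a successful spread, the fixed banner of its fake web server, and the TCP 555 connection to mail.vspcord.com. The parser below is an added example written for this write-up, not code from the report or from the sample. The payload lines are constructed; the report shows the banner's line breaks as "..", and CRLF is assumed here; the function names are my own.

```python
import re

# Format of the report sent to the C&C after a successful IPC$ spread, as
# quoted in the analysis: the $...$ fields are placeholders the sample fills
# in, and [$share] may be absent.
C2_REPORT = re.compile(
    r"PRIVMSG\s+#xploit\s+:\[ntpass\((?P<method>NetAddJob|Service)\)\]\s+"
    r"\\\\(?P<target>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<passwd>[^:\s]*):(?P<user>\S+)"
    r"(?:\s+\[(?P<share>[^\]]*)\])?"
)

# Banner the fake web server thread returns to any client whose request
# starts with "GET". CRLF line endings are an assumption.
FAKE_SERVER_BANNER = re.compile(
    rb"^HTTP/1\.0 200 OK\r\nServer: Private\r\n", re.IGNORECASE
)

C2_HOST = "mail.vspcord.com"
C2_PORT = 555


def parse_c2_report(line):
    """Extract method, target host, credentials and share from one report line."""
    m = C2_REPORT.search(line)
    if not m:
        return None
    return {
        # Service = started by creating a service, NetAddJob = scheduled task
        "method": m.group("method"),
        "target": m.group("target"),
        "passwd": m.group("passwd"),
        "user": m.group("user"),
        "share": m.group("share"),
    }


def is_fake_server_banner(data):
    """True if a response payload starts with the sample's web server banner."""
    return FAKE_SERVER_BANNER.match(data) is not None


def is_c2_connection(dst_host, dst_port):
    """True for the TCP 555 connection to the C&C host named in the report."""
    return dst_host.lower() == C2_HOST and dst_port == C2_PORT


def scan_payloads(lines):
    """Return the parsed C&C reports found in a list of captured payload lines."""
    return [r for r in (parse_c2_report(line) for line in lines) if r]


# Constructed sample payloads, as an IDS might log outbound TCP data.
SAMPLE_PAYLOADS = [
    "PRIVMSG #xploit :[ntpass(Service)] \\\\192.168.231.128 secret:Administrator [C$]",
    "PRIVMSG #xploit :[ntpass(NetAddJob)] \\\\192.168.231.130 pass1:user1",
    "PRIVMSG #general :hello",
]

if __name__ == "__main__":
    for report in scan_payloads(SAMPLE_PAYLOADS):
        print(f"{report['method']:9} -> {report['target']} as {report['user']}")
    print(is_fake_server_banner(b"HTTP/1.0 200 OK\r\nServer: Private\r\n\r\n"))
```

Each parsed report names a host that the sample believes it has already compromised, so the target field is the most useful output: it is the list of machines to isolate and re-image, and the user field shows which account's password was in the dictionary that succeeded.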
0x02 Summary
The analysis shows that the sample adds a lot of virtual machine and sandbox checks, which can evade some APT detection tools, although its evasion methods are fairly common. Much of the code targets XP, and it spreads by brute-force guessing over NetBIOS, so it is presumably an early sample.