Tag Archives: Worm

Trojan dropper bdf243b7a296f7aecc366c799e3fb865ee3aff7c72d8d942e2b2632a347fe5c3


SHA256: bdf243b7a296f7aecc366c799e3fb865ee3aff7c72d8d942e2b2632a347fe5c3

I downloaded this sample from Malshare.

I started decoding PE hex to text file and found that the PE file has embedded another file which will be dropped on execution.

blg7-wp-12

Filename: help.exe

SHA256: 837bef64239be017a2aac92852576efc7d84774d90f64e9d69c5cc3a2b4ecce4

It also drops Autoexec.bat.exe file and Autoexec.exe files at C:\ location. (But it didn’t drop these files instead it dropped AutoRun.INF and AutoRun.exe)

blg7-wp-9.PNG

blg7-wp-8.PNG

Also found computer username emartinez in path to PDB file, that means this file must be compiled on a machine under this user account.

blg7-wp-3.PNG

and username janettedoe in another path to startup programs

blg7-wp-14.PNG

I executed this PE file for dynamic analysis. I found this file dropped Helpme.exe, AutoRun.INF same location I have seen in hex code.

Files Dropped:

  1. C:\Windows\System32\HelpMe.exe
  2. C:\AutoRun.INF
  3. C:\AutoRun.exe

Screenshots

blg7-wp-23.PNG

AUTORUN.INF file at location C:\ 

AUTORUN.INF file executes executable AutoRun.exe file. (Below screenshot)

blg7-wp-27.PNG

blg7-wp-34

 

Another executable dropped at below location

C:\$Recycle.Bin\S-1-5-18

C:\$Recycle.Bin\S-1-5-21-3461203602-4096304019-2269080069-100

blg7-wp-31.PNG

blg7-wp-32

I did rename C:\$Recycle.Bin\S-1-5-18\desktop.ini file to desktop.ini.exe and double click to execute it. It has given error Cannot create file “C:\Windows\System32\HelpMe.exe 

blg7-wp-33.PNG

Then I executed desktop.ini.exe file with administrative privilege (before execute this file I had commented AutoRun.exe file at location C:\) and this file executed C:\Windows\System32\HelpMe.exe which dropped file AutoRun.exe at location C:\

blg7-wp-34

I disassembled AutoRun.exe file and found this creates file Soft.lnk which again has path to execute HelpMe.exe on windows startup.

blg7-wp-35.PNG

Below soft.lnk has comment Stone, I hate you! this file has target to execute AUTORUN.INF.exe

blg7-wp-22

No internet connectivity has been tested from this malware, as this analysis done offline.

 

HelpMe.exe malware


VirusTotal: 

SHA256 – 9ff1c8e6d80ebf5626714362cbc55a53ba17038e841773d24fdc018891adb52e

Tools used for analysis: OllydbgWireSharkPEExplorer,

I started debugging using Ollydbg. The first warning I received is

“Module ‘AutoRUN_’ has entry point outside the code (as specified in the PE header). Maybe this file is self-extracting or self-modifying. Please keep it in mind when setting breakpoints!”

1.PNG

The executable file extracts HelpMe.exe file and copy it to C:\Windows\System32

6.PNG

2

Also it got extracted AUTORUN_INF.exe file at C:\ location. same location it create files

AUTORUN.ini file

4

3

AutoRun.exe file executes HelpMe.exe file.

This also adds HelpMe.exe file to Startup programs and rename shortcut icon to Soft

soft ink

StartUp

Behavior of this malware I observed is, this gets replicated itself and and creates/hides word, pdf, xsls and  pages document files under RecycleBin folder.

5

I also observed the HelpMe.exe keep changing location from C:\Windows\System32 to C:\Windows\SysWow64

I stopped my analysis here after spending 2 days as there are a lot of things this malware doing in background.

Thanks.