[ Technical Teardown: HongKong Protest Malware ]

[ How it starts ]
It all started when we saw Tsui Lokman mentioned about an executable that they received and it could be a malware.
This particular piece of malware could potentially be used to target Hongkongers participating in #OccupyCentral & #UmbrellaMovement .
Being the curious cat(s), we started asking for a copy of it to analyse it.

[ Sample used in the analysis ]

[ Updates ] Since @vietwow requested for a copy of the sample.
We have attached it here like always.
Letter To Hong Kong 20141011_pdf_viewer. The pw to the zip is “infected29A
[ Tool Used ]

 

[ Analysis of Dropper ]
1) The executable is being camouflaged as an adobe executable (pdf viewer) by using an adobe icon as shown here.
logo
Image 1 : Screenshot of Dropper

A Microsoft Excel Icon is also found in the executable as well (using resource hacker tool). However the icon is not used at all. Probably there is another version of the dropper that disguise itself as a Excel document.

resource hacker Image 2 : Extra icon using ResHacker

2) Upon execution of the dropper, the malware copied itself to C:\Documents and Settings\Administrator\Application Data\WMService.exe. The path that the malware copied to varies depending on the operating system versions. For Win XP, the path would be [drive]:\Documents and Settings\[User Name]\Application Data\WMService.exe] while for vista and above the path would be [drive]:\Users\[User Name]\AppData\Roaming\WMService.exe.

envImage 3 : Screenshot of Dropped location

The first function of interest when running the malware is the decryption of the encrypted strings in the program. @address 00403E9A we can see that there is a function call to address 00401F70.

decrypt

 Image 4 : List of Encoded Strings

From the above assembly codes, we can see several encrypted strings. Note that there are several calls to function 00401AAE. This function is called to decrypt the encrypted strings. Instead of going through the decryption routine… my approach is to use ollydbg to help me to decrypt the strings in runtime as shown below.

decrypted

 Image 5 : List of Decoded Strings

now we can make a better educated guess on what the malware is doing with the decrypted string. Previously IDA Pro strings did not really churn out any useful strings for us but with the decrypted strings we can see the evil server domain name.

Moving on we can see that after the decryption routine, an argument -st is supplied to the executable.
On analyzing the dropper via IDA Pro, the dropper has 2 distinct paths.
1 of the paths (Path A) is taken when an -st argument is not supplied when executing the dropper while the other path (Path B) is taken when -st argument is supplied to the binary.
Path A is taken when the dropper is first executed by the user in which no arguments is passed in to the process. Path B is taken when the system boots up and execute the dropper via registry’s run in which an argument is provided to the process.

paths

Image 6 : 2 Paths of Malware

[ Analysis of Path A ]

At address 00403FAF we can see that a function @00403B55 is being called. This function forms the cmd.exe’s command and execute it as shown below.

command

Image 7 : Command Line to add Registry Entry

A registry entry is added via  reg add hkcu\software\microsoft\windows\currentversion\run /v hotkey /t reg_sz /d “C:\Documents and Settings\Administrator\Application Data\WMService.exe -st”

After execution, the dropper “deletes” itself by moving itself to C:\Documents and Settings\Administrator\Application Data\WMService.exe via c:\windows\system32\cmd.exe.

delete

Image 8 : Command Line to “Move” Malware to another location

[ Analysis of Path B ]

The first thing that Path B does was to create a Mutex object with the name “c8aabdc4” using CreateMutex function. In the event that the mutex already exists, the program will terminate.

mutex

 Image 9 : Creation of MutexName

The mutex is used to prevent 2 of such process running at the same time. The malware then continues to call function at address 0040264A where it gets the computer name and internal IP address of the computer.

Next GetTempPathA is called to form the path C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s.bin which is used as the destination file path of the actual payload.

The function at address 00403D60 takes in the domain name www.sslquery.myz.info:443 and resolve it to an IP address – 113.10.245.133.

sslquery

 Image 10 : Possibly C&C of Malware

Function 00402350 is called to form the Get Request to the C&C server. In the function we can see that computer name and internal IP address as shown below.

data

 Image 11 : Data that are sent back to C&C

The appended information gotten from the victim  are encoded and appended to the URL.

URLDownloadToFileA is then called to upload user info and download the payload from the url below:

http://113.10.245.133:443/23qRBtcuhhT6RQlyu1UCPE7/Xr3zuUKejqj7jvbDS1lOxlTzc4W/3LaRfo+f6HiSg+RE1LQHP0Dd0tSVMT9KXTMmKh71dOj9vKvFS6Rn6+6Qf2jVjmNyHWn5BUV0QP+zEm9/XEXDd9RR0Tvnq2BpE66tKoZkUtDLuVT8X7BGjOa2Ct/VHNHXdTdWvYRYfnoXU0fCXtr7927GHEHho5uvxXgW149eEuExWXjslwtvniW0lF6maDcOmWbAcohjm/jLbHIa1RWR3hMY8y/+nmJXSrQ6D3wah9JHwORUvCUKK1X3Kt4w3AJBXJzC9qtD131K4P3R++cZdtdAewC+66LHA+3oBk9nIbTaGsD6prIZS1LrhRh3xB0ZJuds/bsxqJodiATKSWnASEvbMU2ZCs605p/3KorQsDgkdXEZOUzv8NEPyN/vLTTN3opci7d7N+sBtZXA3OqG+1tn+pBLIfggVDSZP/LJcOEYHfo+eLLweqc=.bin

to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s.bin

However at the time of analyzing the sample, the server was already down…

download

 Image 12 : Download URL of another payload

should the actual payload (s.bin) exists we would expect that the first byte of the downloaded payload is the type of command to execute as shown in the switch statement below. The function responsible for reading the commands from the downloaded payload is at address 00402553.

switch

 Image 13 : List of Commands for Malware

Based on the above switch statements, we can observe that the payload downloaded is in fact commands to be executed on the machine. We do not really need to download and analyze the payload to know what it is doing. The functions that the malware can perform are reading files, upload file to server, executing commands, delete file, find file and retrieving logical drive info.

Once the command to the malware is executed, the instruction file, s.bin, is deleted.

As we can see in the image below, the malware would call back to its server every hourly and retrieve new commands to execute.

processloop

 Image 14 : Hourly Sleep

[ Dropping of Persistent Backdoor ]
Earlier on, we have mentioned that the malware added an entry to the registry. This registry key is added for persistence.
Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Name: Hotkey
Value: C:\Documents and Settings\Administrator\Application Data\WMService.exe -st

You may find a screen shot of this at [ Analysis of Path A ] section

[ Anti Analysis Features ]
The author of this malware implemented time delay in the program possibly for the purpose of evading anti virus detection. It is known that anti virus executes program to detect for malicious codes however it would only execute the program for a short period of time. A time delay approach could potentially evades such scanning.

Using breakpoint in OllyDbg, we observed that IsDebuggerPresent is used to detect if a debugger is attached to the dropper. However there is no difference in the core operations even if the dropper detects that a debugger is present.

[ Whois Investigation ]
A quick Whois query using CentralOps revealed that the domain name (www.sslquery.myz.info) is also pointing to the IP address (113.10.245.133) which
we have had also found it earlier in the binary. As myz.info is a “Free Dynamic DNS” service offered by ChangeIP.com, the infiltrator can change the IP address easily without affecting the callback.

However the server is currently inactive. (Information correct as of 22/10/2014)

[ Domain Whois record ]

Queried whois.afilias.info with “myz.info”…

Domain Name:MYZ.INFO
Domain ID: D1182102-LRMS
Creation Date: 2001-10-26T05:20:59Z
Updated Date: 2012-07-12T14:25:25Z
Registry Expiry Date: 2017-10-26T05:20:59Z
Sponsoring Registrar:Network Solutions, LLC (R122-LRMS)
Sponsoring Registrar IANA ID: 2
WHOIS Server:
Referral URL:
Domain Status: clientTransferProhibited
Registrant ID:52605919-NSI
Registrant Name:ChangeIP Network OperationsZZZ
Registrant Organization:
Registrant Street: 1200 Brickell Avenue
Registrant Street: Suite 1950
Registrant City:Miami
Registrant State/Province:FL
Registrant Postal Code:33131
Registrant Country:US
Registrant Phone:+1.8007913367
Registrant Phone Ext:
Registrant Fax: +1.7862246593
Registrant Fax Ext:
Registrant Email:noc@changeip.com
Admin ID:52605919-NSI
Admin Name:ChangeIP Network OperationsZZZ
Admin Organization:
Admin Street: 1200 Brickell Avenue
Admin Street: Suite 1950
Admin City:Miami
Admin State/Province:FL
Admin Postal Code:33131
Admin Country:US
Admin Phone:+1.8007913367
Admin Phone Ext:
Admin Fax: +1.7862246593
Admin Fax Ext:
Admin Email:noc@changeip.com
Billing ID:C1256251-LRMS
Billing Name:ChangeIP.com
Billing Organization:ChangeIP.com
Billing Street: 1200 Brickell Avenue
Billing Street: Suite 1950
Billing City:Miami
Billing State/Province:FL
Billing Postal Code:33131
Billing Country:US
Billing Phone:+1.8007913367
Billing Phone Ext:
Billing Fax:
Billing Fax Ext:
Billing Email:billing@changeip.com
Tech ID:52605919-NSI
Tech Name:ChangeIP Network OperationsZZZ
Tech Organization:
Tech Street: 1200 Brickell Avenue
Tech Street: Suite 1950
Tech City:Miami
Tech State/Province:FL
Tech Postal Code:33131
Tech Country:US
Tech Phone:+1.8007913367
Tech Phone Ext:
Tech Fax: +1.7862246593
Tech Fax Ext:
Tech Email:noc@changeip.com
Name Server:NS1.CHANGEIP.ORG
Name Server:NS2.CHANGEIP.ORG
Name Server:NS3.CHANGEIP.ORG
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned

inetnum: 113.10.245.0 – 113.10.245.255

netname: NWTBB-HK
descr: NWT Broadband Service
country: HK
admin-c: NC315-AP
tech-c: KW315-AP
status: ASSIGNED NON-PORTABLE
remarks: For network abuse email <abuse@newworldtel.com>
mnt-irt: IRT-NEWWORLDTEL-HK
changed: kmmwong@newworldtel.com 20101208
mnt-by: MAINT-HK-NEWWORLDTEL
source: APNIC

irt: IRT-NEWWORLDTEL-HK
address: 17/F Chevalier Commercial Centre,8 Wang Hoi Road, Kowloon Bay,Hong Kong.
e-mail: abuse@newworldtel.com
abuse-mailbox: abuse@newworldtel.com
admin-c: KW315-AP
tech-c: IDC1-AP
tech-c: NC315-AP
auth: # Filtered
mnt-by: MAINT-HK-NEWWORLDTEL
changed: abuse@newworldtel.com 20101207
source: APNIC

person: Kwong Ming Wong
nic-hdl: KW315-AP
e-mail: kmmwong@newworldtel.com
address: 17/F Chevalier Commercial Centre,8 Wang Hoi Road, Kowloon Bay,Hong Kong.
phone: +852-21300120
fax-no: + 852 – 2133 2175
country: HK
changed: kmmwong@newworldtel.com 20060814
mnt-by: MAINT-HK-NEWWORLDTEL
source: APNIC

person: Network Management Center
nic-hdl: NC315-AP
e-mail: nmc@newworldtel.com
address: 17/F Chevalier Commercial Centre,
address: 8 Wang Hoi Road, Kowloon Bay,
address: Hong Kong.
phone: + 852 – 2130-0120
fax-no: + 852 – 2133 2175
country: HK
changed: kmmwong@newworldtel.com 20080804
mnt-by: MAINT-HK-NEWWORLDTEL
source: APNIC

% Information related to ‘113.10.245.0/24AS17444’

route: 113.10.245.0/24
descr: NWT Route Object
origin: AS17444
mnt-by: MAINT-HK-NEWWORLDTEL
changed: kmmwong@newworldtel.com 20110114
source: APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS4)

 

Signing Off
D O & J Soo

[ Forensics Walk-through: DFIRCON EAST Smartphone Forensics Challenge ]

Today I was asked by a good friend of mine on whether there could be 2 answer(s) to the last question in DFIRCON EAST Smartphone Forensics Challenge.

Being the curious cat, i downloaded the Challenge and have a quick look and decided to write this out while i’m at it. It seems like we are given an iOS backup folder and an Android .apk file.

[ Tools Used ]
iPhone Backup Browser – https://code.google.com/p/iphonebackupbrowser/
SQLite Database Browser – http://sqlitebrowser.org/
pList Editor – http://www.icopybot.com/plist-editor.htm or use the default viewer in Mac
Cerbero Profiler – http://cerbero.io/profiler/

Let’s go through the question(s) and load the iOS backup folder using iPhone Backup Browser as shown here.
DFIR.001

[ 1st Question ]
1. What third-party applications have been granted access to device camera photos?
Ok, if you have done iOS forensics before. It’s always good to do a quick check of the TCC SQLite3 database.
You might be asking “What is TCC SQLite3 database”?
Well, this SQLite3 database is used to control what permissions iOS apps have.
TCC.db is located at the following location on your phone.
/root/var/mobile/Library/TCC/TCC.db
Likewise this file also exists on a Mac.
~/Library/Application Support/com.apple.TCC/TCC.db

Incase, you have “accidentally” allowed more permissions than you wanted. You can use tccutil to reset the permissions instead of “tampering” the SQLite3 file.

So using SQLite DB Browser on TCC.db, we can immediately see the permissions granted to which applications.
DFIR.002

So for this particular question, Facebookand Dropbox were both granted permissions to access the device camera photos.

[ 2nd Question ]
2. What third-party applications have been granted access to the device address book?
Actually if you had looked at TCC.db, you will notice that the answer to this question is “Waze” as shown here.
DFIR.003

[ 3rd Question ]
3. Which websites were visited that requested the iPhone’s geolocation information for optimal browsing and were granted access?
Ok, now if you want to find out which website(s) requested this. The first thing to look for is GeolocationSites.plist
In this case, if you use iPhone Backup Browser to extract out the file. It should be located here:
iOS backup\Liz Lemon’s iPhone\System\Library\WebKit\GeolocationSites.plist
Using pList Editor or the default one on a Mac, you should see something like this.

Based on the returned results, we know that both “https://m.stubhub.com” and “http://m.simplyhired.com” are the website(s) that request geolocation and were granted access.

[ 4th Question ]
4. What permissions does the application MysteryApp.apk NOT have on the device?
Naise, now we have moved on to the Android .apk file.
Let’s extract out the Android.manifest file and we should have something like this.
DFIR.004
And if we do a quick check against the options that we were given:

  • Record audio
  • Read contacts
  • Send SMS
  • Record video
  • Mount & unmount files

We can quickly eliminate and know that that the permission that “MysteryApp.apk” don’t have is “Record video

[ 5th Question ]
5. What is the SHA1 digest value associated with the classes.dex file for the MysteryApp.apk application?
This is the question which my good friend asked about.
To me, if it’s SHA1 of classes.dex. The answer is definitely “0C3A720EB61D736E21561E9AA96066A4771F0F70
My friend was actually talking about the SHA-1 Signature found in the Dex header.
But the answer was saying “SHA1 (value within file)” so i’m not sure whether the original question implied the wrong thing or the answer was weird?

[ 6th Question ]
6. What foreign language word(s) are found within the MysteryApp.apk application?
We were given these options:

  • запись аудио – Record audio
  • mesajlaşma – Messaging
  • 未接来电 – Missed Calls
  • 連絡 – Contacts
  • None of the above

For this particular, you can use Cerbero Profiler and immediately you will know that the only foreign language found is “Chinese”.
Doing a quick check, we will see this.
DFIR.005
Thus we know the correct answer to this is “未接来电 – Missed Calls“.

After doing a speed-run on this, I really regretted not taking part in DFIRCON EAST Smartphone Forensics Challenge in the first place. xDDD

I do hope this quick walk-through will be sufficient for others to pick up and learn more stuff about mobile forensics.

Happy Reversing,
Jacob Soo