Obviously those "images" are links to the corresponding executables. Both point at the same file, even though the listed sizes differ; the sizes are there to mislead. The executables point here:

http://ads.sapo.[ REMOVED]/event.ng/Type=click&FlightID=90951&AdID=169189&TargetID=6167&ASeg=&AMod=&Segments=8,69,154,526,527,688,1343,2130,2884,3325,3747,4552,4663,4778,4932,4963,4971,5065,5081,5088,5117,5152,5165,5169,5200,5295,5301,5508,5549,5557&Targets=246,5389,704,6167&Values= 31,43,51,60,72,84,90,91,100,110,150,193,204,209,376,978,1036,1097,1100,1399,1436,1459,1478,1488,1489,1733,1754,1819,1863,1922,1941,2020,2174,2230,2863,2869,2956,2993,3322,3533,3576&RawValues=&Redirect=http://www.givinbeauty.com/UserFiles/File/photos.php?0.19325211365355321

The message text (translated from Portuguese):

Just like I told you that day, and you didn't want to believe me. Friend to people counts not finger!
Just look at what your little friend has been up to in these photos.
DSC02421.jpg (568.3 KB)
DSC02521.jpg (603.4 KB)
That link leads to an executable file: http://www.givin[DELETED].com/UserFiles/File/photos.php?0.19325211365355321.
We will see below that this site has a login option; if they hacked it, that is where they did it: they uploaded the executable there and mailed the link out. In addition, as we will see, they used another website, in this case http://ads.sapo.[ REMOVED]/event.ng/, to redirect to it. When you download the Trojan and examine it with PEiD you will find that it is packed with UPX. If we open the EXE we will see strings like these:

.rdata:00414BA8 0000000B C WINRAR.SFX
.rdata:00414BCC 00000039 C d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb

These lines mean that the executable is a WinRAR self-extracting archive (SFX). Do we need to unpack it with OllyDbg? No: WinRAR itself can extract it into a folder, which leaves a file called loader.jar, a Java application. We have already taken a few layers off the onion.

We can use WinRAR once again to unpack the Java JAR, since a JAR is a ZIP archive. So we right-click and extract to a folder. It will produce the folders you see in the image.
Now let's get to the best part: decompiling the .CLASS files, the compiled Java files (the equivalent of the famous .OBJ). These files are loaded by the Java classloader and executed like any other application. There are many Java class-file decompilers; one of the best known is DJ Java Decompiler.
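The layer peeling described so far (PEiD reporting UPX, the WinRAR SFX strings in .rdata, a JAR that is really a ZIP) can be scripted as a first-pass triage. The following is an added example, not code from the post or from the sample's author; every byte it inspects is constructed inline (header-only PE skeletons and an in-memory JAR with the data/app.exe and data/dummy.exe layout the post describes), so it runs offline. The UPX section names and "UPX!" tag are general knowledge about the packer; the two SFX marker strings are the ones quoted above.

```python
"""Static triage of the layers peeled above: a UPX-packed stub, the WinRAR
SFX markers, and the JAR payload (a JAR is just a ZIP). Added example, not
the post's code; all sample bytes below are constructed for the demo."""
import io
import struct
import zipfile
from typing import Dict, List

# The two marker strings the post found in the SFX stub's .rdata section.
SFX_MARKERS = [b"WINRAR.SFX", b"sfxrar.pdb"]
# Section names the UPX packer leaves behind (plus its "UPX!" tag).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> List[bytes]:
    """Walk DOS header -> PE signature -> COFF header -> section table
    and return the section names; [] when the blob is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size
    names = []
    for i in range(num_sections):
        off = table + i * 40          # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_upx_packed(data: bytes) -> bool:
    """What PEiD reports as UPX: UPX section names or the packer's tag."""
    return bool(set(pe_section_names(data)) & UPX_SECTION_NAMES) or b"UPX!" in data


def sfx_markers_found(data: bytes) -> List[str]:
    """Which WinRAR SFX strings are present (the post's .rdata find)."""
    return [m.decode() for m in SFX_MARKERS if m in data]


def jar_entries(data: bytes) -> List[str]:
    """A JAR is a ZIP: list its entries, [] if the blob is not a ZIP."""
    if not data.startswith(b"PK\x03\x04"):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def triage(data: bytes) -> Dict[str, object]:
    """One summary a triage script would print for each peeled layer."""
    entries = jar_entries(data)
    return {
        "upx": is_upx_packed(data),
        "sfx_markers": sfx_markers_found(data),
        "jar_entries": entries,
        "class_files": [n for n in entries if n.endswith(".class")],
    }


# --- constructed samples (headers only, no real code) --------------------

def build_fake_pe(section_names: List[bytes], tail: bytes = b"") -> bytes:
    """Minimal MZ/PE skeleton: DOS stub with e_lfanew, COFF header with an
    empty optional header, and the section table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    secs = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + secs + tail


def build_fake_jar() -> bytes:
    """loader.jar look-alike with the layout the post describes: a class
    plus a data/ folder holding app.exe and dummy.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("a.class", b"\xca\xfe\xba\xbe" + b"data/app.exe")
        z.writestr("data/app.exe", bytes(range(256)))   # stands in for the encrypted PE
        z.writestr("data/dummy.exe", b"MZ" + b"\0" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [
        ("upx stub", build_fake_pe([b"UPX0", b"UPX1", b".rsrc"])),
        ("sfx stub", build_fake_pe([b".text", b".rdata"], b"WINRAR.SFX\0sfxrar.pdb\0")),
        ("loader.jar", build_fake_jar()),
    ]:
        print(label, triage(blob))
```

Run against real files, triage() is called on the bytes of each layer as it is extracted (the UPX-packed stub, the SFX stub it unpacks to, then loader.jar); the section walk is deliberately tolerant of truncated headers so it does not crash on a stripped or damaged stub.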
We will see the Imports, some interesting and others not so much.
The first ones are obviously the most interesting: we see classes made with the help of a friend of our author who goes by squareroot. If we search a bit for the class name, the author's nickname and the word Class, we find a Russian site offering build___00002469.jar for download, which apparently contained this same content. The imports:

import b.d;
import by.squareroot.injector.lib.MyKernel32;
import by.squareroot.injector.struct.Context;
import by.squareroot.injector.struct.MemoryBasicInformation;
import by.squareroot.injector.struct.ProcessInformation;
import by.squareroot.injector.struct.StartupInfoA;
import by.squareroot.injector.struct.TotalProcInfo;
import by.squareroot.injector.struct.WoW64Context;
import by.squareroot.injector.struct.pe.MZHeader;
import by.squareroot.injector.struct.pe.PEInfo;
import by.squareroot.injector.struct.pe.PE_ExtHeader;
import by.squareroot.injector.struct.pe.PE_Header;
import by.squareroot.injector.struct.pe.SectionHeader;
import com.sun.jna.Platform;
import com.sun.jna.Pointer;
import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.WinReg;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.ByteBuffer;
import java.util.Properties;
We must not give up there (we must learn to look, as the great Fravia, RIP, taught us). If we look a little further we will find a reference on this site that seems to be from another reverser analyzing jaZEUS.
If we read that article a little and then continue with it we can conclude two things:
- The creator of this virus used the same technique and resources as the jaZEUS virus to infect its victims.
- It is a variant of JAZeus or the original version.

We will see that the Launcher class is not found in our injector package, and neither is the crypt package. But we will find the same thing in the data package.
In JAZeus apparently both .EXE files are encrypted; in our variant only app.exe is encrypted and dummy.exe is not, which we can see simply by opening the EXE and looking at its header. If we debug dummy.exe we will see that it is another dropper, written in C++, that decrypts app.exe: it looks up the encryption method in the method file and then uses that parameter to decrypt and execute it.
Apparently the unpacking method of this virus is the same as JAZeus's, with the difference that this variant has no launcher. From what I see the launcher is folded into a.class, since app.exe is run from there after being decrypted. The injector package takes care of assembling the executable and injecting it into memory to run the actual virus. In the method "a" of class "a" we will see that it is set to start when our OS starts:
s = a("data/app.exe");
b.a a1 = a();
try
{
    // obj is the dropper's configuration (cast to Properties below); nothing to do without it
    if(obj != null)
    {
        String s1;
        // "hklm" property: value name for a machine-wide Run key entry
        if((s1 = ((Properties) (obj)).getProperty("hklm")) != null)
        {
            String s2 = a();
            Advapi32Util.registrySetStringValue(WinReg.HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", s1, s2);
        }
        String s3;
        // "hklu" property: the same for the current user's Run key
        if((s3 = ((Properties) (obj)).getProperty("hklu")) != null)
        {
            obj = a();
            Advapi32Util.registrySetStringValue(WinReg.HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", s3, ((String) (obj)));
        }
    }
}
As we can see, we will find other interesting pieces of code; to get at our virus we will have to decrypt app.exe. Not having the launcher makes that a little difficult, but the most important thing is that we have found how it works: to stop it, at the very least we must remove that registry key. If it turns out to be a JAZeus we will have some more security problems. We can also find the 3DES encryption method as a string in the other .CLASS files, in addition to a possible key, a phrase widely used in blog post demos, etc.
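Two checks from the last part of the analysis can be automated: telling the encrypted app.exe from the plain dummy.exe the way the post does (by the header), backed by a byte-entropy measurement, and scanning the bytes pulled out of the JAR for the persistence strings the decompiled method a.a uses (the Run key paths, the JNA registry call, the "hklm"/"hklu" property names) plus the 3DES hint. This is an added example, not the post's code; the class-file stand-in and the data/ package are constructed here, and the "DESede" string is an assumption (it is the JCE name for 3DES, which the post does not quote).

```python
"""Checks for the last two layers above, as an added example (not the
post's code): tell the encrypted app.exe from the plain dummy.exe by its
header, backed by byte entropy, and scan bytes extracted from the JAR for
the persistence and crypto indicators the post mentions. Sample inputs are
constructed here; the "DESede" name is an assumption (it is the JCE name for
3DES), the rest are strings quoted on the page."""
import math
from collections import Counter
from typing import Dict, List

# Run-key paths written by the decompiled method a.a via JNA.
RUN_KEYS = [
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
]
# JNA symbols that land in the class constant pool when Run keys are set.
REG_API = [b"registrySetStringValue", b"HKEY_LOCAL_MACHINE", b"HKEY_CURRENT_USER"]
# Property names the dropper reads to pick the Run-key value name.
CONFIG_KEYS = [b"hklm", b"hklu"]
# Assumption: the 3DES cipher is named the JCE way somewhere in the classes.
CRYPTO_HINTS = [b"3DES", b"DESede"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or random data, well below that
    for ordinary x86 code and headers."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_exe(data: bytes) -> str:
    """'plain' when the MZ magic is intact (dummy.exe), 'encrypted' when the
    header is gone and the bytes look random (app.exe), else 'unknown'."""
    if data[:2] == b"MZ":
        return "plain"
    if shannon_entropy(data[:4096]) > 7.0:
        return "encrypted"
    return "unknown"


def indicators(blob: bytes) -> Dict[str, List[str]]:
    """Group the indicator strings found in a class file or a strings dump."""
    groups = {"run_keys": RUN_KEYS, "registry_api": REG_API,
              "config_keys": CONFIG_KEYS, "crypto": CRYPTO_HINTS}
    return {name: [s.decode() for s in needles if s in blob]
            for name, needles in groups.items()}


def has_run_key_persistence(blob: bytes) -> bool:
    """A Run-key path together with the registry write API: the pattern
    from the decompiled a.a method."""
    found = indicators(blob)
    return bool(found["run_keys"]) and "registrySetStringValue" in found["registry_api"]


def summarize_data_package(files: Dict[str, bytes]) -> Dict[str, str]:
    """Apply classify_exe to every .exe extracted from the JAR's data/ folder."""
    return {name: classify_exe(b) for name, b in files.items() if name.endswith(".exe")}


# --- constructed samples -------------------------------------------------
# Stand-in for class a's constant pool: the literals from the decompiled code.
FAKE_CLASS_A = (b"\xca\xfe\xba\xbe" + b"hklm\0hklu\0" + RUN_KEYS[0] + b"\\\0"
                + RUN_KEYS[1] + b"\\\0" + b"registrySetStringValue\0"
                + b"HKEY_LOCAL_MACHINE\0HKEY_CURRENT_USER\0DESede\0")
FAKE_DATA_PACKAGE = {
    "data/app.exe": bytes(range(256)) * 16,   # every byte value equally often: entropy 8.0
    "data/dummy.exe": b"MZ" + b"\0" * 4094,   # header intact, low entropy
}

if __name__ == "__main__":
    print(indicators(FAKE_CLASS_A))
    print("persistence:", has_run_key_persistence(FAKE_CLASS_A))
    print(summarize_data_package(FAKE_DATA_PACKAGE))
```

On a real extraction, indicators() is run over each .class file (string constants sit in the constant pool as plain modified-UTF-8, so a raw byte search finds them without decompiling), and summarize_data_package() over the contents of data/; an "encrypted" verdict on app.exe with a "plain" one on dummy.exe is exactly the split the post observed.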
Spark by Disidents

