21 04 2012
IETab_IE65 Malware Analysis
So I decided to pick another “South Korean” piece of malware to keep things local. I was browsing around and came across one called, IETab_IE65.exe.
To be honest, I forgot where I found it, so I apologize for not giving credit to the site. If you’re reading this, and you hosted the file, please let me know so I can provide a proper reference. I tend to download randomly at times and sometimes forget.
Ok, let’s get started. Here is the lab I will be using. It’s a simple modification of my “Pentesting Lab”. That’s what makes VMWare great! A couple snapshots and a delete or two on Google Draw and you’re good to go with a new lab setup. It’s nothing special, but it works.
I might also add. The physical system I have is a hard drive that I swap when I am doing malware analysis. That way I don’t have to buy two systems. I simply hot swap the SSD OS drives and i’m off and running. It’s a nice way to get up and running pretty quickly. I also have Deep Freeze running on it.
First things first I decided to go ahead and run md5 sum against the exe file and here is the output:
Here it is in txt form so you can copy/paste if you want; aae3ab2c365b91bd494405bed879c2b1
I wasn’t familiar with what, “Nullsoft PiMP Stub -> SFX [Nullsoft PiMP SFX]*” was so I hit up Google and found the following; “NSIS is an open source, script-driven installation system with minimal overhead backed by Nullsoft. SFX Tool is a nice and intuitive frontend that gives you the possibility to generate and compile NSIS scripts. This way you can create installers with no need to write a single line of script code.” . From what I read it doesn’t appear to be any kind of packer so i’ll move on at this point.
Prior to execution I had Process Explorer, CaptureBAT, Procmon, and apateDNS running.
Here is what process explorer looked like after executing the file:
This simply takes the output of CaptureBAT and outputs it to out.txt, which is located on my desktop. I also like to pre-create the out.txt file because then I don’t pick up the file creation activity in CaptureBAT. It’s just less noise. That’s always useful/helpful. The less stuff to sift through the better. In either case, let’s look at some of the output.
process: created C:\[snip]\Desktop\IETab_IE65.exe -> C:\Program Files\IETab\IETab.exe
process: terminated C:\Windows\explorer.exe -> C:\[snip]\Desktop\IETab_IE65.exe
We see see some deletions and creations here:
nsProcess.dll had a lot of the same stuff. Mostly API call strings and various dll names listed. I’ll save the space and not list them here. I wasn’t able to recover some of the other dlls listed in CaptureBAT. I re-ran the program with no luck so I decided to move on.
The is the Run key. I wont call it persistance considering that it actually installs the program to the system, but it does; however, make sure it starts up.
file: Write C:\[snip]\Desktop\IETab_IE65.exe -> C:\Program Files\IETab\IETab.dll
file: Write C:\[snip]\Desktop\IETab_IE65.exe -> C:\Program Files\IETab\IETab.exe
file: Write C:\[snip]\Desktop\IETab_IE65.exe -> C:\Program Files\IETab\Uninstall.exeThis appears to be some house cleaning:
file: Delete C:\[snip]\Desktop\IETab_IE65.exe -> C:\[snip]\AppData\Local\Temp\inst.xxx
file: Delete C:\[snip]\Desktop\IETab_IE65.exe -> C:[snip]\AppData\Local\Temp\nsdE9F2.tmp\IpConfig.dll
file: Delete C:\[snip]\Desktop\IETab_IE65.exe -> C:\[snip]\AppData\Local\Temp\nsdE9F2.tmp\NSISdl.dll
file: Delete C:\[snip]\Desktop\IETab_IE65.exe -> C;\[snip]\AppData\Local\Temp\nsdE9F2.tmp\nsProcess.dll
file: Delete C:\[snip]\Desktop\IETab_IE65.exe -> C:\[snip]\AppData\Local\Temp\nsdE9F2.tmp\UAC.dll
registry: DeleteValueKey C:\Program Files\IETab\IETab.exe -> HKCU\[snip]\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
registry: DeleteValueKey C:\Program Files\IETab\IETab.exe -> HKLM\[snip]\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
registry: DeleteValueKey C:\Program Files\IETab\IETab.exe -> HKCU\[snip]\CurrentVersion\Internet Settings\ZoneMap\IntranetName
registry: DeleteValueKey C:\Program Files\IETab\IETab.exe -> HKLM\[snip]\CurrentVersion\Internet Settings\ZoneMap\IntranetName
registry: SetValueKey C:\Program Files\IETab\IETab.exe -> HKCU\[snip]\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
registry: SetValueKey C:\Program Files\IETab\IETab.exe -> HKCU\[snip]\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
file: Write C:\Program Files\IETab\IETab.exe -> C:\[snip]\AppData \Local\Temp\IEU1002.exe
process: created C:\Program Files\IETab\IETab.exe -> C:\[snip]\AppData \Local\Temp\IEU1002.exeLater down in the CaptureBAT log you see this entry:
file: Write C:\[snip]\AppData\Local\Temp\IEU1002.exe -> C:\[snip]\AppData\Local\Temp\ updini.xxx
file: Delete C:\[snip]\AppData\Local\Temp\IEU1002.exe -> C:\[snip]\AppData\Local\Temp\ updini.xxxI was also able to recover this updini.xxx. You can see a URL listed in the strings and the
This matches some of the network activity I had picked up on as well. Here is a screen shot from apateDNS:
You can see here that it was attempting to reach out to ietab[dot]sidetab.co[dot]kr
[Ignore the 127.0.0.1 for server ip in ApateDNS - I changed it prior to running Wireshark. I typically run ApateDNS prior to running network stuff just so I can get a quick picture of what's being requested.]
I executed the malware on a live box, and we will walk through some of the Wireshark traffic now.
Here we see the DNS query in Wireshark:
Let’s follow this…
I also noted the random MAC address I generated on my VMWare NIC. You see it in the GET request. Further down the flow I come across another HTTP GET request:
The User-Agent looks interesting as well… I don’t even have Mozilla installed on my lab box. Maybe something to look at later. In either case I am more interested in this IEU1002.exe file that it appears to go out and grab.
Here is a GET request to a exh.dat file. I was not able to recover the exh.dat file.
Lastly, here an update request.
I connected a live system to the internet and camped out in the following directory: C:\Users\malware_win7x86\AppData\Roaming\IETab. I wasn’t seeing much activity on the wire once everything was installed, so I figured I would fire up Internet Explorer and see what happens when I go out on the web and browse around.
As soon as I fired up IE network connections were made back to 126.96.36.199, and a few files appeared in this directory. Specifically, ex.dat, exh.dat, hoobl.x, and hub.x. Here are the Bintext searches on them:
hoobl.x looks like a bunch of URLs, but when I went out to them nothing “special” happened.
Here is the output from hub.x. Still not sure what its purpose is…Thoughts
So now that I can see that IEU1002.exe was downloaded via the internet I am curious what it is. We saw it multiple times in CaptureBAT as well. It just so happened I was able to retrieve it from the CaptureBAT log.
What’s interesting about this IEU1002.exe file is that when I load it up into PEView I get some interesting stuff.
The md5 hash for this particular file is: 4abae2b952a10dd442eef4ea4fa9015f, which gets multiple hits on ThreatExpert and others. 
Here is the PEiD output:
where you see the PUSH, MOV, etc. commands. That’s the mnemonics section within Olly.So now you have located the POPAD. Move down a few lines until you see a JMP command. Once you locate the JMP command this is where you will want to set your breakpoint.
Once your breakpoint is set run the program by clicking the, “Play” button up top, or hitting F9.
Your program should now be paused (note the bottom right corner) because it hit our breakpoint. You will want to hit, F8 (step-over) one time. So you’re taking the jump.
Remember our JMP command was going to take us to, IEU1002.004030FA. If you look at the virtual address on the left had side you will see: 004030FA. That means we made the jump. Note the red box on the right hand right. We are starting to see actual “text” in the comments section. Our program is unpacked at this point and we want to dump the running process. There is a plugin within Olly for that. It’s done by doing the following:
We will simply accept these defaults at this point (can be more complicated that this if the PE header is messed up, but that’s another blog completely).
The next windows after you click, “Dump” will ask you where you want to save the file. I called it IEU1002_Dumped.exe
Let’s quickly compare the packed vs. the unpacked version. The one on the left is packed. The one on the right is unpacked. I’ll let you be the judge.
Now that the file is unpacked I think this is a good stopping point. It’s getting longer than I had expected. I type this stuff as I do it. I don’t pre-plan the post, work it, and then blog it. I’m analyzing/learning as I type.
NOTE: If you want the files to follow along email me and I can send them too you.
Stay tuned for more….
Since I have no life I decided to do Part II: Memory Analysis this evening (Korean time).
I also might try and do some code analysis (possibly – I lack on Assembly Fu) so we will see if I can actually figure anything out.
Thanks for reading!