Christmas Postcard Spam and Trojan.Win32.Waledac
Steve sent me a sample of malware classified as Trojan.Win32.Waledac that he received in some Christmas postcard spam emails with the following subjects:
Merry Christmas and best wishes just for you
Merry Christmas 2009!
A super Xmas card for you
Merry XXXmas!
You’ve got a Merry Christmas greeting e-card
I made this e-card only for U!
Xmas postcard for U!
The file came from this malicious domain:
superchristmaslights.com
The file is named postcard.exe:
Report Generated 1.1.2009 at 23.45.44 (GMT 1)
Filename: postcard.exe
File size: 378 KB
MD5 Hash: 31A8756B48576862E6312BDC063FA94B
SHA1 Hash: B463B6D251A26A86A1F1472D6DBC0D953F4B4D5C
CRC32: 1186267902
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 10 on 23 (43.478 %)
Antivirus / Sig Version / Result
a-squared 01/01/2009 Trojan.Win32.Waledac!IK
Avira AntiVir 7.1.1.58 TR/Proxy.Gen
Avast 090101-0 –
AVG 270.10.1/1870 Downloader.Generic_r.CL
BitDefender 01/01/2009 –
ClamAV 01/01/2009 –
Comodo 859 –
Dr.Web 01/01/2009 –
Ewido 01/01/2009 –
F-PROT 6 20090101 W32/Downloader.F.gen!Eldorado
G DATA 19.2206 Email-Worm.Win32.Iksmas.u A
IkarusT3 01/01/2009 Trojan.Win32.Waledac
Kaspersky 01/01/2009 Email-Worm.Win32.Iksmas.u
McAfee 01/01/2009 Generic.dx trojan
MHR (Malware Hash Registry) – –
NOD32 v3 3731 Win32/Waledac
Norman 2009/01/01 –
Panda –
Solo Antivirus 01/01/2009 –
Sophos 01/01/2009 W32/Waled-E
TrendMicro 741(574100) –
VBA32 01/01/2009 –
VirusBuster 10.100.12 –
After executing the file, the malware loaded two interesting Windows DLL files:
crypt32.dll
crypt32.dll is a module that contains the functions used by the Windows Crypto API.
rsaenh.dll
rsaenh.dll is a module that implements the Microsoft enhanced cryptographic service provider (CSP) that uses 128-bit encryption.
Next, postcard.exe established a connection with this IP:
128.174.141.174 (scouter.age.uiuc.edu)
Internet traffic:
POST /moalahio.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 128.174.141.174
Content-Length: 2471
Cache-Control: no-cache
...
...
POST /tkstywuzpa.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 128.174.141.174
Content-Length: 231
Cache-Control: no-cache
...
...
POST /moalahio.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 128.174.141.174
Content-Length: 2471
Cache-Control: no-cache
...
...
POST /sqzexu.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 128.174.141.174
Content-Length: 957
Cache-Control: no-cache
...
...
POST /tkstywuzpa.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 128.174.141.174
Content-Length: 231
Cache-Control: no-cache
...
...
The malware sent a large amount of encrypted data to that IP; then we saw a new connection established to this IP:
77.81.158.87 (host-77-81-158-87.nettelecom.ro)
Internet traffic:
POST /ljpo.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 77.81.158.87
Content-Length: 935
Cache-Control: no-cache
...
...
POST /qiahgxhv.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 77.81.158.87
Content-Length: 957
Cache-Control: no-cache
...
...
POST /ljpo.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 77.81.158.87
Content-Length: 935
Cache-Control: no-cache
...
...
The malware sent different data (again encrypted) to this second IP.
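Added example, not code from the original post: a small Python detector that parses a plain-text HTTP capture like the two above and flags requests sharing the beacon traits visible there (a POST to a .png path, a Referer that is not a URL, a bare "Mozilla" User-Agent, and a Host header that is a bare IP address). The capture inside it is constructed, modelled on the requests shown above plus one ordinary image fetch.

```python
import re
# Constructed sample capture (not from the original page): one request modelled on the
# postcard.exe beacons above and one ordinary image fetch that must not be flagged.
SAMPLE_TRAFFIC = """POST /moalahio.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 128.174.141.174

GET /images/logo.png HTTP/1.1
Referer: http://www.example.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0
Host: www.example.com
"""
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_requests(raw):
    """Split a plain-text capture into (method, path, headers); a blank line ends a request."""
    out = []
    for chunk in re.split(r"\n\s*\n", raw.strip()):
        lines = [l for l in chunk.splitlines() if l.strip()]
        first = lines[0].split()
        if len(first) < 2:
            continue  # not an HTTP request line
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        out.append((first[0].upper(), first[1], headers))
    return out

def waledac_indicators(method, path, headers):
    """Return the traits of the beacons captured above that this request shares."""
    hits = []
    if method == "POST" and path.lower().endswith(".png"):
        hits.append("POST to an image path")  # images are fetched with GET, not posted to
    ref = headers.get("referer")
    if ref is not None and not ref.lower().startswith(("http://", "https://")):
        hits.append("Referer is not a URL")  # the capture shows 'Referer: Mozilla'
    if headers.get("user-agent") == "Mozilla":
        hits.append("bare 'Mozilla' User-Agent")  # no version or platform string
    if IPV4.match(headers.get("host", "")):
        hits.append("Host is a bare IP address")
    return hits

def flag_beacons(raw, threshold=3):  # host+path of requests with >= threshold indicators
    return [h.get("host", "?") + p for m, p, h in parse_requests(raw)
            if len(waledac_indicators(m, p, h)) >= threshold]
```

Run it over a proxy or IDS export of raw request headers; the threshold keeps a single odd header (such as a bare-IP Host) from firing on its own.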
The malware may have used the DLLs loaded above to encrypt the data before sending it. It also created the following registry value so that it starts every time Windows boots:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg
In the unpacked code we can also see an interesting IP database: a list of 32-hex-digit hashes, each paired with an IPv4 address. Both IPs the sample contacted above (128.174.141.174 and 77.81.158.87) appear in it.
We can also see references to a proxy or SOCKS5 client/server, and some strings that look like spam-related commands:
socks5
emails
http_stats
dns_ip
smtp_ip
sender_threads
sender_queue
This is the malicious URL we found inside the malware code:
hxxp://mirabellaclub.com/goldenp.php
We can also see a long list of file extensions:
.avi
.mov
.wmv
.mp3
.wave
.wav
.wma
.ogg
.vob
.jpg
.jpeg
.gif
.bmp
.exe
.dll
.ocx
.class
.msi
.zip
.rar
.jar
.hxw
.hxh
.hxn
.hxd