Tools required
VMware
IDA Disassembler
OllyDbg Debugger
Hex editor
First, we will examine its dynamic behavior. Running it through Cuckoo, we get the following basic details about it:
We now have an initial idea of what the malware is doing. It can be summarized as:
Connects to the network and generates traffic.
Has an anti-sandbox feature (based on a time-difference check).
Hooks and reads browser data.
Hides itself in an ADS (alternate data stream).
Let's look at some of the registry keys it modifies or reads:
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 9\QCToolbar
HKEY_CURRENT_USER\Software\FlashFXP\3
HKEY_CURRENT_USER\Software\FlashFXP
HKEY_CURRENT_USER\Software\FlashFXP\4
HKEY_LOCAL_MACHINE\Software\FlashFXP\3
HKEY_LOCAL_MACHINE\Software\FlashFXP
HKEY_LOCAL_MACHINE\Software\FlashFXP\4
HKEY_CURRENT_USER\Software\FileZilla
HKEY_CURRENT_USER\Software\FileZilla Client
HKEY_LOCAL_MACHINE\Software\FileZilla
HKEY_LOCAL_MACHINE\Software\FileZilla Client
HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP\Main
HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client\Main
HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP\Options
HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client\Options
HKEY_CURRENT_USER\Software\BPFTP
HKEY_CURRENT_USER\Software\TurboFTP
HKEY_LOCAL_MACHINE\Software\TurboFTP
HKEY_CURRENT_USER\Software\Sota\FFFTP
HKEY_CURRENT_USER\Software\Sota\FFFTP\Options
HKEY_CURRENT_USER\Software\CoffeeCup Software\Internet\Profiles
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
HKEY_CURRENT_USER\Software\FTP Explorer\Profiles
HKEY_CURRENT_USER\Software\VanDyke\SecureFX
HKEY_CURRENT_USER\Software\Cryer\WebSitePublisher
HKEY_CURRENT_USER\Software\ExpanDrive\Sessions
HKEY_CURRENT_USER\Software\ExpanDrive
HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\SOFTWARE\NCH Software\Fling\Accounts
HKEY_LOCAL_MACHINE\SOFTWARE\NCH Software\Fling\Accounts
HKEY_CURRENT_USER\Software\FTPClient\Sites
HKEY_LOCAL_MACHINE\Software\FTPClient\Sites
HKEY_CURRENT_USER\Software\SoftX.org\FTPClient\Sites
HKEY_LOCAL_MACHINE\Software\SoftX.org\FTPClient\Sites
HKEY_CURRENT_USER\SOFTWARE\LeapWare
HKEY_LOCAL_MACHINE\SOFTWARE\LeapWare
HKEY_CURRENT_USER\Software\Martin Prikryl
HKEY_LOCAL_MACHINE\Software\Martin Prikryl
HKEY_CURRENT_USER\Software\South River Technologies\WebDrive\Connections
HKEY_LOCAL_MACHINE\Software\South River Technologies\WebDrive\Connections
As you can see, it is evidently looking for stored password-related information (the saved-session stores of FTP and file-transfer clients). Apart from stored credentials, it also steals bitcoin. Following is the list of software it tries to steal from:
It copies itself into the system using an integer filename, which is then executed through a chain of ShellExecuteEx calls.
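The registry list above is also a usable detection signal: a legitimate FTP client reads its own key, whereas a stealer sweeps the stores of many unrelated vendors from one process within seconds. The script below is an added example (not code from the original post or from any sensor product); it derives a vendor list from the keys listed above and flags any process that touches credential stores of several distinct vendors. The event line format and the sample events are constructed for this example and do not come from the analysis.

```python
import re
from collections import defaultdict

# Credential-store vendors taken from the registry paths listed above:
# the first component after "\Software\" in each key, lower-cased.
CREDENTIAL_STORE_VENDORS = {
    "globalscape", "flashfxp", "filezilla", "filezilla client", "bpftp",
    "bulletproof software", "turboftp", "sota", "coffeecup software",
    "ftpware", "ftp explorer", "vandyke", "cryer", "expandrive",
    "nch software", "ftpclient", "softx.org", "leapware",
    "martin prikryl", "south river technologies",
}

# Assumed log line format (hypothetical, not any real sensor's output):
# "<timestamp> pid=<pid> image=<path> op=<operation> key=<registry path>"
EVENT_RE = re.compile(r"^(\S+) pid=(\d+) image=(.+?) op=(\S+) key=(.+)$")

# Constructed sample events: an unknown binary with an integer filename in
# %TEMP% sweeping several FTP-client stores, a real FileZilla process reading
# its own key, and explorer.exe doing unrelated registry work.
SAMPLE_EVENTS = r"""
2015-11-15T16:01:02 pid=1337 image=C:\Users\bob\AppData\Local\Temp\4825.exe op=RegOpenKey key=HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
2015-11-15T16:01:02 pid=1337 image=C:\Users\bob\AppData\Local\Temp\4825.exe op=RegOpenKey key=HKEY_CURRENT_USER\Software\FlashFXP\4
2015-11-15T16:01:03 pid=1337 image=C:\Users\bob\AppData\Local\Temp\4825.exe op=RegOpenKey key=HKEY_CURRENT_USER\Software\FileZilla Client
2015-11-15T16:01:03 pid=1337 image=C:\Users\bob\AppData\Local\Temp\4825.exe op=RegOpenKey key=HKEY_CURRENT_USER\Software\Martin Prikryl
2015-11-15T16:01:03 pid=1337 image=C:\Users\bob\AppData\Local\Temp\4825.exe op=RegOpenKey key=HKEY_LOCAL_MACHINE\Software\South River Technologies\WebDrive\Connections
2015-11-15T16:05:10 pid=2210 image=C:\Program Files\FileZilla FTP Client\filezilla.exe op=RegOpenKey key=HKEY_CURRENT_USER\Software\FileZilla Client
2015-11-15T16:07:44 pid=3001 image=C:\Windows\explorer.exe op=RegQueryValue key=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
"""


def vendor_of(key):
    """Return the lower-cased vendor component of a key under \\Software, or None."""
    m = re.search(r"\\software\\([^\\]+)", key, re.IGNORECASE)
    return m.group(1).lower() if m else None


def find_credential_harvesters(events_text, threshold=3):
    """Map pid -> (image, sorted vendor list) for every process that touched
    credential stores belonging to at least `threshold` distinct vendors."""
    touched = defaultdict(set)
    images = {}
    for line in events_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # blank line or a line in another format
        _ts, pid, image, _op, key = m.groups()
        vendor = vendor_of(key)
        if vendor in CREDENTIAL_STORE_VENDORS:
            touched[int(pid)].add(vendor)
            images[int(pid)] = image
    return {pid: (images[pid], sorted(v))
            for pid, v in touched.items() if len(v) >= threshold}


if __name__ == "__main__":
    for pid, (image, vendors) in find_credential_harvesters(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} {image} read {len(vendors)} credential stores: "
              + ", ".join(vendors))
```

With the default threshold of three vendors, the sample flags only pid 1337 (five vendors in two seconds); FileZilla reading its own key is a single vendor and stays below the threshold. Lowering the threshold to one makes the rule noisy for exactly that reason.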
Not only does Pony steal information, it also downloads other malware, which is hardcoded in the binary itself.
Now let's look at the network traffic it has generated:
Content-Length: 270
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
It sends basic information to the command and control server, which we are going to examine in depth in the second post.
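The header set above is distinctive enough to match on: an opaque application/octet-stream POST, the non-standard Content-Encoding: binary, a client that explicitly refuses compressed responses, and a fixed MSIE 6.0 User-Agent string. The following is an added example (not code from the original post) of scoring a captured request against those traits. The request line, the Host header and the benign comparison request are constructed for the example; the Accept header is assumed to be */* (the capture as extracted shows it as "/"), and the host name is a placeholder, not an indicator.

```python
# Header set from the capture above plus a constructed request line and Host.
# "c2.example.invalid" is a placeholder, not a real C2 host.
SAMPLE_BEACON = """\
POST / HTTP/1.1
Host: c2.example.invalid
Content-Length: 270
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
"""

# Constructed ordinary browser request for comparison.
SAMPLE_BENIGN = """\
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml
Accept-Encoding: gzip, deflate
Connection: close
"""

# The exact User-Agent string from the capture above.
PONY_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; "
           ".NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)")


def parse_request_headers(raw):
    """Split a raw HTTP request head into (method, path, {lower-cased name: value})."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block; body (if any) follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def beacon_indicators(raw):
    """Return the list of Pony-style traits present in the request head."""
    method, _path, h = parse_request_headers(raw)
    reasons = []
    if method == "POST" and h.get("content-type") == "application/octet-stream":
        reasons.append("opaque binary POST body")
    if h.get("content-encoding", "").lower() == "binary":
        reasons.append("non-standard 'Content-Encoding: binary'")
    if h.get("accept-encoding", "").replace(" ", "") == "identity,*;q=0":
        reasons.append("client explicitly refuses compressed responses")
    if h.get("user-agent") == PONY_UA:
        reasons.append("hard-coded legacy MSIE 6.0 User-Agent")
    return reasons


def is_suspected_beacon(raw, min_indicators=3):
    """Flag a request when it shows at least `min_indicators` of the traits.
    Requiring several traits avoids alerting on every old-IE User-Agent."""
    return len(beacon_indicators(raw)) >= min_indicators


if __name__ == "__main__":
    for label, sample in (("capture", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        hits = beacon_indicators(sample)
        print(f"{label}: suspected={is_suspected_beacon(sample)} reasons={hits}")
```

The User-Agent match is the weakest of the four traits on its own (old proxies and embedded agents still send such strings), which is why the verdict needs three of them; the octet-stream POST combined with Content-Encoding: binary is what sets this beacon apart from ordinary browser traffic.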
Network information
domain: TITRATRESFI.RU
nserver: ns1.entrydns.net.
nserver: ns2.entrydns.net.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: R01-RU
admin-contact: https://partner.r01.ru/contact_admin.khtml
created: 2015.11.09
paid-till: 2016.11.09
free-date: 2016.12.10
source: TCI
Last updated on 2015.11.15 16:16:33 MSK
Domain Name: ADISHMA.COM
Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Sponsoring Registrar IANA ID: 303
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com
Name Server: NS1.SOFTONETECHNOLOGIES.COM
Name Server: NS2.SOFTONETECHNOLOGIES.COM
Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Updated Date: 07-sep-2015
Creation Date: 26-dec-2014
Expiration Date: 26-dec-2015
IOC