Wednesday, January 18, 2012

Ramnit, Zeus and the BAT! Part 1

Please note the samples analysed were provided by Andre M. DiMino @sempersecurus (

Sample No   MD5                                 Executable name
Sample1     2f5d28f9792c7d114bed7fdcec00f550    Sample1.exe
Sample2     76991eefea6cb01e1d7435ae973858e6    Sample2.exe


Initial File Analysis

Initial analysis of the files shows that both files are packed using UPX and import 3 libraries (this minimal import table, with LoadLibraryA and GetProcAddress left to resolve the real imports at run time, is characteristic of a UPX-packed binary)


6 functions (LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess)


1 function (InitCommonControls)


1 function (StrCharA)


Dynamic Analysis

Both samples were analysed using dynamic analysis techniques with various monitoring tools (CaptureBat.exe and Preservation; see Malware Analysis Cookbook Chapter 9).

The process below was used to set up the environment:

  • Start Monitoring tools (see Preservation and Capturebat section below)
  • Execute samples
  • Snapshot Virtual Machine

After the final stage was completed the VM was rolled back to a previous state and the same process was used for the next sample.

Monitoring Tools

The analysis was conducted by first executing preservation.exe with the ln argument (preservation.exe ln); this logs everything to the c:\preservation\ directory.

CaptureBat was executed next and configured to capture file, process and registry access as well as network activity, using the following arguments:

capturebat.exe -cn -l c:\preservation\Capture.txt

Initial Log Review

Preservation Output

Please note!! Various sections of the log below have been removed.

Upon initial execution of Sample1.exe we can see it starts an instance of the svchost.exe process (PID 4048):

[PROCESS START] explorer.exe (PID:2140) started Sample1.exe (PID 2496)
[THREAD START] explorer.exe (PID:2140) started thread (TID 2520)
[IMAGE LOAD] Sample1.exe (PID:2496) loaded \Device\HarddiskVolume1\Documents and Settings\nosuchuser\Desktop\ramnit\Sample1.exe

First SVCHOST Instance

[PROCESS START] Sample1.exe (PID:2496) started svchost.exe (PID 4048)
[THREAD START] Sample1.exe (PID:2496) started thread (TID 1244)
[IMAGE LOAD] svchost.exe (PID:4048) loaded \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

Second SVCHOST Instance

The malware sample then starts another instance of svchost.exe (PID 2384):

[PROCESS START] Sample1.exe (PID:2496) started svchost.exe (PID 2384)
[THREAD START] Sample1.exe (PID:2496) started thread (TID 3020)
[IMAGE LOAD] svchost.exe (PID:2384) loaded \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

Sample1 Third Process Initiated

Sample 1 then goes on to create another pseudo-randomly named executable located in the \Temp directory. The pseudo-random nature has been observed by restoring the VM to a previous state and re-infecting the machine (with the same sample); each time the file is named the same apart from the last 2 characters. My assumption at this point is that the file name is created using some information from the host machine.

On the infected host the following remained static during a number of infections: sggjahylqiethd<XX>.exe

After the randomly named executable is initiated the original executable Sample1.exe is terminated.

By reviewing the log below it can also be ascertained that services.exe starts a new service; during each infection the service name was identical, the misspelled:

Micorsoft Windows Service

After the service starts we then see System (PID:4) load a suspicious driver, imjvxcsr.sys, from the Temp directory.

[PROCESS START] Sample1.exe (PID:2496) started sggjahylqiethdj (PID 3900)
[THREAD START] Sample1.exe (PID:2496) started thread (TID 2972)
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \Device\HarddiskVolume1\DOCUME~1\nosuchuser\LOCALS~1\Temp\sggjahylqiethdjp.exe
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \SystemRoot\System32\ntdll.dll
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \WINDOWS\system32\kernel32.dll
[PROCESS TERMINATE] Sample1.exe (PID:2496) terminating Sample1.exe (PID 2496)
[THREAD START] System (PID:4) started thread (TID 1416)
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \WINDOWS\system32\comctl32.dll
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \WINDOWS\system32\advapi32.dll
[THREAD START] System (PID:4) started thread (TID 2900)
[THREAD START] services.exe (PID:760) started thread (TID 3968)
[DRIVER LOAD] services.exe (PID:760) loading driver \Registry\Machine\System\CurrentControlSet\Services\Micorsoft Windows Service
----Removed Multiple Thread Starts and Image Loads ----

[IMAGE LOAD] System (PID:4) loaded \??\C:\DOCUME~1\nosuchuser\LOCALS~1\Temp\imjvxcsr.sys
[FILE DELETE] System (PID:4) deleting file \systemroot\temp\3ab95fd5
[THREAD START] System (PID:4) started thread (TID 4020)
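Reading a Preservation log by hand works for one sample, but the process-creation chain above (a user process spawning two svchost.exe instances, a Temp-resident executable, and a driver loaded from Temp) is exactly the sort of thing worth checking mechanically across many runs. The script below is an added example written for this post, not a tool from the original analysis or from the Preservation project: it parses the `[PROCESS START]`, `[IMAGE LOAD]`, `[DRIVER LOAD]` and `[PROCESS TERMINATE]` line formats as they appear in the excerpts above, rebuilds the process tree, and applies three heuristics (svchost.exe with a parent other than services.exe, an image loaded from a Temp directory, a .sys loaded from Temp). The embedded log is a constructed excerpt built from the lines quoted above; the heuristic names are my own.

```python
import re

# Constructed excerpt modelled on the Preservation log lines quoted in the post
# (same events and PIDs; most of the [THREAD START] noise has been dropped).
PRESERVATION_LOG = r"""
[PROCESS START] explorer.exe (PID:2140) started Sample1.exe (PID 2496)
[THREAD START] explorer.exe (PID:2140) started thread (TID 2520)
[IMAGE LOAD] Sample1.exe (PID:2496) loaded \Device\HarddiskVolume1\Documents and Settings\nosuchuser\Desktop\ramnit\Sample1.exe
[PROCESS START] Sample1.exe (PID:2496) started svchost.exe (PID 4048)
[IMAGE LOAD] svchost.exe (PID:4048) loaded \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
[PROCESS START] Sample1.exe (PID:2496) started svchost.exe (PID 2384)
[IMAGE LOAD] svchost.exe (PID:2384) loaded \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
[PROCESS START] Sample1.exe (PID:2496) started sggjahylqiethdj (PID 3900)
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \Device\HarddiskVolume1\DOCUME~1\nosuchuser\LOCALS~1\Temp\sggjahylqiethdjp.exe
[PROCESS TERMINATE] Sample1.exe (PID:2496) terminating Sample1.exe (PID 2496)
[DRIVER LOAD] services.exe (PID:760) loading driver \Registry\Machine\System\CurrentControlSet\Services\Micorsoft Windows Service
[IMAGE LOAD] System (PID:4) loaded \??\C:\DOCUME~1\nosuchuser\LOCALS~1\Temp\imjvxcsr.sys
[FILE DELETE] System (PID:4) deleting file \systemroot\temp\3ab95fd5
"""

# One regex per event type we care about; everything else is ignored.
EVENT_RE = {
    "process_start": re.compile(
        r"^\[PROCESS START\] (?P<pname>.+?) \(PID:(?P<pid>\d+)\) started (?P<cname>.+?) \(PID (?P<cpid>\d+)\)$"),
    "image_load": re.compile(
        r"^\[IMAGE LOAD\] (?P<pname>.+?) \(PID:(?P<pid>\d+)\) loaded (?P<path>.+)$"),
    "driver_load": re.compile(
        r"^\[DRIVER LOAD\] (?P<pname>.+?) \(PID:(?P<pid>\d+)\) loading driver (?P<path>.+)$"),
    "process_terminate": re.compile(
        r"^\[PROCESS TERMINATE\] (?P<pname>.+?) \(PID:(?P<pid>\d+)\) terminating (?P<cname>.+?) \(PID (?P<cpid>\d+)\)$"),
}


def parse_preservation(text):
    """Turn raw Preservation log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in EVENT_RE.items():
            m = rx.match(line)
            if m:
                ev = {"kind": kind}
                ev.update(m.groupdict())
                events.append(ev)
                break
    return events


def build_process_tree(events):
    """Map pid -> {name, parent, children} from the PROCESS START events."""
    tree = {}
    for ev in events:
        if ev["kind"] != "process_start":
            continue
        ppid, cpid = int(ev["pid"]), int(ev["cpid"])
        tree.setdefault(ppid, {"name": ev["pname"], "parent": None, "children": []})
        tree.setdefault(cpid, {"name": ev["cname"], "parent": None, "children": []})
        tree[cpid]["parent"] = ppid
        tree[ppid]["children"].append(cpid)
    return tree


def render_tree(tree, pid, depth=0):
    """Indented text view of the process tree rooted at pid."""
    node = tree[pid]
    lines = ["  " * depth + f"{node['name']} (PID {pid})"]
    for child in node["children"]:
        lines.extend(render_tree(tree, child, depth + 1))
    return lines


def find_suspicious(events):
    """Heuristics (my own names) drawn from the behaviour seen in the log."""
    findings = []
    for ev in events:
        if ev["kind"] == "process_start":
            # On Windows XP a genuine svchost.exe is a child of services.exe;
            # a user-launched binary spawning one is the injection pattern above.
            if ev["cname"].lower() == "svchost.exe" and ev["pname"].lower() != "services.exe":
                findings.append(("svchost_odd_parent", int(ev["cpid"])))
        elif ev["kind"] == "image_load":
            path = ev["path"].lower()
            if "\\temp\\" in path:
                if path.endswith(".sys"):
                    findings.append(("driver_from_temp", ev["path"]))
                else:
                    findings.append(("image_from_temp", int(ev["pid"])))
        elif ev["kind"] == "driver_load":
            # Record the service name so it can be compared against a clean baseline.
            findings.append(("service_driver_load", ev["path"].rsplit("\\", 1)[-1]))
    return findings


if __name__ == "__main__":
    evts = parse_preservation(PRESERVATION_LOG)
    tree = build_process_tree(evts)
    for root in (p for p, n in tree.items() if n["parent"] is None):
        print("\n".join(render_tree(tree, root)))
    for finding in find_suspicious(evts):
        print("ALERT", *finding)
```

Run against the real c:\preservation\ output, the same three heuristics would surface the sample's svchost injection, the Temp-resident dropper and the imjvxcsr.sys load without paging through the thread-start noise; the service name is listed only so it can be diffed against a known-good snapshot of the same VM.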

CaptureBat Output

The CaptureBat log has all the associated artifacts identified above, with the addition of registry entries, file creation and network activity.

A number of other observations can be seen from the log below:

  • An additional executable (bbioufwf.exe) is created on the file system
  • The file is added to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key
  • The file is also added to the user's Startup folder to add persistence (Note: when reviewing the file system this file does not appear, due to the rootkit)
  • A number of logs are written to by svchost on the local system (log names again appear to be pseudo-randomly generated).
  • A number of temporary ~TM<N>.tmp files are created in the Temp folder. These files contain some references to IE cookies but also seem to contain encrypted data.
  • svchost also infects a number of files located in the Program Files directory

"16/1/2012 13:16:30.23","file","Write","System","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\sutykcno\bbioufwf.exe"
"16/1/2012 13:16:30.616","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BbiOufwf"
"16/1/2012 13:16:27.398","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Start Menu\Programs\Startup\bbioufwf.exe"
"16/1/2012 13:16:27.429","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\cclgvecb.log"
"16/1/2012 13:16:27.491","file","Delete","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\sutykcno\px3.tmp"
"16/1/2012 13:16:34.601","file","Write","C:\Documents and Settings\nosuchuser\Local Settings\Temp\sggjahylqiethdjp.exe","C:\Documents and Settings\nosuchuser\Local Settings\Temp\imjvxcsr.sys"
"16/1/2012 13:17:30.929","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\hlgbbwvv.log"
"16/1/2012 13:17:31.804","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\dsstrbjb.log"
"16/1/2012 13:17:37.7","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Temp\~TM4.tmp"
"16/1/2012 13:20:34.335","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Acrobat_com\Acrobat_com.exe"
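CaptureBat writes plain CSV (timestamp, object type, action, acting process, target), so the persistence and tampering observations listed above can be pulled out of the full Capture.txt automatically rather than by eye. The script below is an added example for this post, not a CaptureBat feature or code from the original analysis: it parses the record format shown above and sorts each write into a category (Run-key value, Startup-folder drop, .sys dropped to Temp, svchost writing logs and .tmp files, svchost modifying an executable under Program Files), then lists every executable or driver written during the run as candidate indicators. The embedded log is a constructed sample made from the ten lines quoted above, and the category names are my own.

```python
import csv
import io
from collections import defaultdict

# Constructed sample built from the CaptureBat lines quoted in the post.
# Columns: timestamp, object type, action, acting process, target.
CAPTUREBAT_LOG = r"""
"16/1/2012 13:16:30.23","file","Write","System","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\sutykcno\bbioufwf.exe"
"16/1/2012 13:16:30.616","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BbiOufwf"
"16/1/2012 13:16:27.398","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Start Menu\Programs\Startup\bbioufwf.exe"
"16/1/2012 13:16:27.429","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\cclgvecb.log"
"16/1/2012 13:16:27.491","file","Delete","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\sutykcno\px3.tmp"
"16/1/2012 13:16:34.601","file","Write","C:\Documents and Settings\nosuchuser\Local Settings\Temp\sggjahylqiethdjp.exe","C:\Documents and Settings\nosuchuser\Local Settings\Temp\imjvxcsr.sys"
"16/1/2012 13:17:30.929","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\hlgbbwvv.log"
"16/1/2012 13:17:31.804","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\dsstrbjb.log"
"16/1/2012 13:17:37.7","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Temp\~TM4.tmp"
"16/1/2012 13:20:34.335","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Acrobat_com\Acrobat_com.exe"
"""

# Lower-cased path fragments used by the classifier.
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
STARTUP_DIR = "\\start menu\\programs\\startup\\"
APPDATA_DIR = "\\application data\\"


def parse_capturebat(text):
    """Parse CaptureBat CSV text into a list of record dicts; skips malformed rows."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 5:
            continue
        time, obj_type, action, process, target = rec
        rows.append({"time": time, "type": obj_type, "action": action,
                     "process": process, "target": target})
    return rows


def classify(row):
    """Map one record to a persistence/tampering category (my naming), or None."""
    target = row["target"].lower()
    from_svchost = row["process"].lower().endswith("\\svchost.exe")
    if row["type"] == "registry" and RUN_KEY in target:
        return "run_key_persistence"
    if row["type"] != "file" or row["action"] != "Write":
        return None
    if STARTUP_DIR in target:
        return "startup_folder_persistence"
    if target.endswith(".sys") and "\\temp\\" in target:
        return "driver_dropped_to_temp"
    if target.startswith("c:\\program files\\") and target.endswith(".exe") and from_svchost:
        return "program_files_exe_modified_by_svchost"
    if target.endswith(".log") and APPDATA_DIR in target and from_svchost:
        return "svchost_log_in_appdata"
    if target.endswith(".tmp") and "\\temp\\" in target and from_svchost:
        return "svchost_tmp_in_temp"
    if target.endswith(".exe") and APPDATA_DIR in target:
        return "executable_dropped_in_appdata"
    return None


def summarize(rows):
    """Group target paths by category, dropping records that match nothing."""
    summary = defaultdict(list)
    for row in rows:
        cat = classify(row)
        if cat:
            summary[cat].append(row["target"])
    return dict(summary)


def dropped_executables(rows):
    """Every .exe or .sys written during the run: the host-based IoC candidates."""
    return sorted({r["target"] for r in rows
                   if r["type"] == "file" and r["action"] == "Write"
                   and r["target"].lower().endswith((".exe", ".sys"))})


if __name__ == "__main__":
    records = parse_capturebat(CAPTUREBAT_LOG)
    for category, targets in summarize(records).items():
        print(category)
        for t in targets:
            print("   ", t)
    print("dropped executables/drivers:")
    for path in dropped_executables(records):
        print("   ", path)
```

The Program Files rule is deliberately tied to svchost.exe as the writer: a legitimate installer updating Acrobat_com.exe is expected, a service host process rewriting it is the file-infector behaviour noted above. Anything the rootkit hides from a later file-system review still appears here because CaptureBat recorded the write as it happened.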

Part 2, Memory Analysis, to follow.
