I haven't uploaded the dropped files, but I guess detections rates are also very low if at all. This task is left to the reader. ;-)
What is interesting about this malware:
- Makes use of Gentee scripting language (actually uses CreateInstall, which was coded in Gentee)
- Makes use of AutoIt scripting language
- Spawns a shell to download additional component(s)
A dynamic analysis of this malware can be found at malwr.com:
I try to give some additional information, so let's start with the Dropper.
Note: All files of this malware have the extension ".com", but they are all .exe files (just renamed to .com).
Size: 785.742 Bytes
Timestamp: 31.01.2011 17:44:13
The sample can be downloaded at kernelmode.info: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2445
The Dropper was created with CreateInstall tool (www.createinstall.com) and consists of multiple files. CreateInstall itself is written in Gentee programming language, which is actually a scripting language. Gentee programs can be bundled into standalone .exe files and are interpreted at runtime by the Gentee Interpreter (genteert.dll and guig.dll). The Dropper creates the following files and folders in the Windows Temp folder:
- ...Temp\genteeXX.tmp (XX stands for random Hexbytes)
Thereafter the file inct.com is executed and the following files are deleted again:
This file is a compiled AutoIt script, which by default is packed with UPX. After unpacking it, we can load the executable into an AutoIt decompiler (e.g. www.exe2aut.com) to see that this file just shows the picture "faktura_scan535624.jpg" (see above) and runs the file "aqq1.com" (see above). The picture shows a polish bill of sale from the product from the website fakturki.pl.
This file was (also) created with CreateInstall and drops the following files and folders into Windows Temp and Autostart folder:
Then it runs the file "Symantec.com" and deletes the following files and folders:
This is another AutoIt script compiled into a standalone .exe file. It starts the dropped file "jqs.com" with one of the following two parameters (alphanumeric shellcodes, encoded with alpha2 - see http://skypher.com/wiki/index.php/Hacking/Shellcode/Alphanumeric/ALPHA2):
It first checks if the passed days of the current year reached the number 100. If so, jqs.com with the first shellcode is started and then Symantec.com sleeps for a minute. Then a file named "jar_cache879799398409779005999.tmp" is searched in Temp folder and gets deleted if found. I don't know why this "Java file" is searched and deleted, but it is probably the file that gets downloaded or dropped from the downloaded file. Another possibility is that the malware is launched by a Java Applet or a Java exploit. If this Java file isn't found, jqs.com is started with the second shellcode. Then again it sleeps for a minute, searches for the same "Java file" and deletes it.
|Figure 3: Symantec.com sourcecode|
There are two polish words as function names in the script ("uruchom" = "launch" and "sprzatanie" = "cleanup"). Together with the picture (see above), I think the malware's creator is from poland or polish speaking.
This file was also packed with UPX. This file launches one of the above shellcodes within a new Thread to connect to server at 18.104.22.168. It does this by allocating a memory buffer (VirtualAlloc()) and storing the passed parameter (shellcode) into it. Then the pointer of the buffer is passed as lpParameter to the CreateThread() API function. The new Thread uses the pointer to call the shellcode (call eax).
|Figure 2: Call to shellcode|
|Figure 3: Alphanumeric encoded shellcode|
Now I need a Re-Neducation :-)