Purple Haze Analysis

As I mentioned in my previous post, last weekend I had a look at the Purple Haze malware to see what sort of new stuff can be found there. In this blog entry I will describe step by step what the malware does – i.e. a simple static and dynamic analysis. Well, it’s not that simple, but here it goes…
STATIC ANALYSIS

File properties
Name        9746b4f684b9d7d346ff131cd024e68d1b06e1b81571ce6d3c5067f0829d7932
Size        130560  0001FE00
MD5         A1B3E59AE17BA6F940AFAF86485E5907
SHA1        6D07CF72201234A07AB57FB3FC00B9E5A0B3678E
FUZZY       3072:Bkt+9iOinX6OunNa8ad76Jw+0HGdsZ7nncCH6/CH2:Bd8X6/Xad76J0GdkLLH,
            "9746b4f684b9d7d346ff131cd024e68d1b06e1b81571ce6d3c5067f0829d7932"
Entropy     7.72339425411489
Type        MZ PE i386 DEB
Compiled    2011-06-04 11:45:38 (Saturday)
Image       ImageBase      = 00400000
            SizeOfImage    = 0002B000
            EntryPointRVA  = 0001514B
            EntryPointFile = 0001454B
Sections
.text  
      vo = 00001000, vs = 00018B5A
      fo = 00000400, fs = 00018C00
      flags = E0000020, XWR, CODE
.ctext
      vo = 0001A000, vs = 00003492
      fo = 00019000, fs = 00003600
      flags = 40000040, R, IDATA
.data
      vo = 0001E000, vs = 000085BB
      fo = 0001C600, fs = 00001A00
      flags = C0000040, WR, IDATA
.rdata
      vo = 00027000, vs = 00001502
      fo = 0001E000, fs = 00001600
      flags = 40000040, R, IDATA
.rsrc
      vo = 00029000, vs = 00000010
      fo = 0001F600, fs = 00000200
      flags = 40000040, R, IDATA
.reloc
      vo = 0002A000, vs = 000005D8
      fo = 0001F800, fs = 00000600
      flags = 42000040, R, IDATA
File structure
4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
...
50 45 00 00 4C 01 06 00 E2 1A EA 4D 00 00 00 00  PE..L......M....
00 00 00 00 E0 00 02 01 0B 01 09 00 00 8C 01 00  ................
...
2E 74 65 78 74 00 00 00 5A 8B 01 00 00 10 00 00  .text...Z.......
00 8C 01 00 00 04 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 20 00 00 E0 2E 63 74 65 78 74 00 00  .... ....ctext..
92 34 00 00 00 A0 01 00 00 36 00 00 00 90 01 00  .4.......6......
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40  ............@..@
2E 64 61 74 61 00 00 00 BB 85 00 00 00 E0 01 00  .data...........
00 1A 00 00 00 C6 01 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 40 00 00 C0 2E 72 64 61 74 61 00 00  ....@....rdata..
02 15 00 00 00 70 02 00 00 16 00 00 00 E0 01 00  .....p..........
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40  ............@..@
2E 72 73 72 63 00 00 00 10 00 00 00 00 90 02 00  .rsrc...........
00 02 00 00 00 F6 01 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 40 00 00 40 2E 72 65 6C 6F 63 00 00  ....@..@.reloc..
D8 05 00 00 00 A0 02 00 00 06 00 00 00 F8 01 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42  ............@..B
...
.text    (entropy = 7.73691850981344)
56 47 46 56 57 57 56 47 0A 9C E5 22 67 72 4D 75  VGFVWWVG..."grMu
4C 75 47 53 06 D6 81 32 93 1D 01 00 EA 07 00 00  LuGS...2........
63 D8 74 9F E7 98 8E A0 77 CB DB A8 60 22 86 98  c.t.....w...`"..
F2 D4 C2 8D 72 D5 D3 8F 7D C7 52 91 A6 A5 F0 89  ....r...}.R.....
...
.ctext   (entropy = 7.69122372438427)
F8 BC 81 EC 07 59 F0 87 93 EC 91 5B 10 30 C4 0C  .....Y.....[.0..
9B 55 10 2C 9D F8 98 38 18 AF 18 18 6E 82 EF 82  .U.,...8....n...
8B E6 A9 20 5A B1 24 94 08 69 AB E8 72 B0 16 2C  ... Z.$..i..r..,
34 30 30 BD 14 8B B2 BD 3C 24 BC 38 A0 3C 60 2E  400.....<$.8.<`.
...
.data    (entropy = 7.29026900956825)
00 00 00 00 E2 1A EA 4D 00 00 00 00 02 00 00 00  .......M........
3A 00 00 00 45 F8 01 00 45 DE 01 00 4D 6A 6C 6D  :...E...E...Mjlm
74 72 54 6A 55 4F 42 55 44 47 65 44 64 67 6E 58  trTjUOBUDGeDdgnX
55 4A 56 6D 49 6D 4B 50 52 6A 4A 6D 48 4F 58 61  UJVmImKPRjJmHOXa
...
.rdata   (entropy = 5.47242760415688)
64 77 02 00 6E 77 02 00 78 77 02 00 80 77 02 00  dw..nw..xw...w..
8E 77 02 00 A0 77 02 00 A8 77 02 00 B2 77 02 00  .w...w...w...w..
BC 77 02 00 CA 77 02 00 D2 77 02 00 E2 77 02 00  .w...w...w...w..
EA 77 02 00 F8 77 02 00 02 78 02 00 0C 78 02 00  .w...w...x...x..
...
.rsrc    (entropy = 0.020393135236085)
00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
...
.reloc   (entropy = 6.43219032611337)
00 20 00 00 78 00 00 00 14 30 18 30 1C 30 20 30  . ..x....0.0.0 0
24 30 28 30 2C 30 30 30 34 30 38 30 3C 30 40 30  $0(0,0004080<0@0
44 30 48 30 4C 30 50 30 54 30 58 30 5C 30 60 30  D0H0L0P0T0X0\0`0
64 30 68 30 6C 30 70 30 74 30 78 30 7C 30 80 30  d0h0l0p0t0x0|0.0
...
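
Added example, not the author's tooling: it parses the six section headers copied from the "File structure" dump above, renders the characteristics the way the Sections listing does, and applies the packed-code heuristic that the writable, near-random .text section triggers. The section-table bytes are taken from the dump; the entropy values passed to looks_packed are the ones reported for .text and .ctext.

```python
import math
import struct
from collections import namedtuple

IMAGE_SCN_CNT_CODE = 0x00000020             # documented PE section characteristics
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# The six 40-byte section headers copied from the "File structure" dump above
# (little-endian; spaces between fields are only for readability).
SECTION_TABLE_HEX = [
    "2E74657874000000 5A8B0100 00100000 008C0100 00040000 00000000 00000000 0000 0000 200000E0",
    "2E63746578740000 92340000 00A00100 00360000 00900100 00000000 00000000 0000 0000 40000040",
    "2E64617461000000 BB850000 00E00100 001A0000 00C60100 00000000 00000000 0000 0000 400000C0",
    "2E72646174610000 02150000 00700200 00160000 00E00100 00000000 00000000 0000 0000 40000040",
    "2E72737263000000 10000000 00900200 00020000 00F60100 00000000 00000000 0000 0000 40000040",
    "2E72656C6F630000 D8050000 00A00200 00060000 00F80100 00000000 00000000 0000 0000 40000042",
]

# vaddr/vsize/rawptr/rawsize are the vo/vs/fo/fs columns of the Sections listing.
Section = namedtuple("Section", "name vsize vaddr rawsize rawptr flags")

def parse_section_header(raw: bytes) -> Section:
    """Unpack one IMAGE_SECTION_HEADER; relocation and line-number fields are skipped."""
    name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack("<8sIIIIIIHHI", raw)
    return Section(name.rstrip(b"\0").decode("ascii"), vsize, vaddr, rawsize, rawptr, flags)

def parse_table(entries=SECTION_TABLE_HEX) -> list:
    return [parse_section_header(bytes.fromhex(h.replace(" ", ""))) for h in entries]

def describe_flags(flags: int) -> str:
    """Render characteristics the way the listing does, e.g. 'XWR, CODE'."""
    bits = (("X", IMAGE_SCN_MEM_EXECUTE), ("W", IMAGE_SCN_MEM_WRITE), ("R", IMAGE_SCN_MEM_READ))
    perms = "".join(p for p, bit in bits if flags & bit)
    kind = "CODE" if flags & IMAGE_SCN_CNT_CODE else "IDATA" if flags & IMAGE_SCN_CNT_INITIALIZED_DATA else "OTHER"
    return f"{perms}, {kind}"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run or empty input, 8.0 for uniform bytes."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_packed(sec: Section, entropy: float) -> bool:
    """Compiled .text is normally XR with entropy well under 7; a writable, near-random code section is usually decrypted in place at run time, as .text (XWR, 7.74) is here."""
    return bool(sec.flags & IMAGE_SCN_CNT_CODE and sec.flags & IMAGE_SCN_MEM_WRITE and entropy > 7.0)
```

Run shannon_entropy over the raw bytes of each section (file offset fo, length fs) of a sample you hold to reproduce the per-section entropies listed above.
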
Debug data
52 53 44 53 F8 D8 EF 46 9B 0A 74 43 A1 B4 9B 36  RSDS...F..tC...6
24 56 EB BC 0B 00 00 00 57 3A 5C 76 44 67 68 6E  $V......W:\vDghn
4F 7A 6A 70 5C 66 73 65 73 6F 64 67 66 5C 4B 70  Ozjp\fsesodgf\Kp
65 47 68 65 41 2E 70 64 62 00                    eGheA.pdb.

===
Entry Point
2D FB 50 00 00 55 8B EC 81 EC CC 00 00 00 53 BB  -.P..U........S.
6A E2 4C 04 89 5D FC 68 80 E1 41 00 C7 45 F8 69  j.L..].h..A..E.i
E2 4C 04 FF 15 D8 70 42 00 3B 35 D0 20 40 00 81  .L....pB.;5. @..
2D C4 20 40 00 04 21 40 00 81 35 C4 20 40 00 EC  -. @..!@..5. @..

DYNAMIC ANALYSIS

 9746b4f684b9d7d346ff131cd024e68d1b06e1b81571ce6d3c5067f0829d7932 
 [x] creates/opens file %TEMP%\1.tmp
 [x] creates its own copy changing it on the fly from EXE to DLL
     via MapViewOfFileEx API
      src: \\?\globalroot\Device\HarddiskVolume1\test\
           9746b4f684b9d7d346ff131cd024e68d1b06e1b81571ce6d3c5067f0829d7932
      dst: %TEMP%\1.tmp
 [x] uses print spooler via AddMonitorW to load %TEMP%\1.tmp

%TEMP%\1.tmp is now loaded inside spoolsv.exe
 [x] deletes file %TEMP%\1.tmp

 [x] creates driver file \??\C:\WINDOWS\TEMP\2.tmp
 [x] moves file
      src: \\?\globalroot\Device\HarddiskVolume1\test\
           9746b4f684b9d7d346ff131cd024e68d1b06e1b81571ce6d3c5067f0829d7932
      dst: %TEMP%\3.tmp
 [x] creates service key system\currentcontrolset\services\50d5930
 [x] sets reg value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\50d5930\\imagepath
     = \??\C:\WINDOWS\TEMP\2.tmp
 [x] sets reg value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\50d5930\\type
     = 1
 [x] marks file %TEMP%\3.tmp for deletion via HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
     Control\Session Manager\\PendingFileRenameOperations
 [x] uses NtLoadDriver to load the driver: \registry\machine\system\currentcontrolset\
     services\50d5930

writes internal files to a newly created device
 [x] creates file \??\globalroot\device\00000d83\{7bd8ce81-2e78-3820-e33d-255a2feb1937}\ph.dll
 [x] creates file \??\globalroot\device\00000d83\{7bd8ce81-2e78-3820-e33d-255a2feb1937}\phx.dll
 [x] creates file \??\globalroot\device\00000d83\{7bd8ce81-2e78-3820-e33d-255a2feb1937}\phd
 [x] creates file \??\globalroot\device\00000d83\{7bd8ce81-2e78-3820-e33d-255a2feb1937}\phdx
 [x] creates file \??\globalroot\device\00000d83\{7bd8ce81-2e78-3820-e33d-255a2feb1937}\phs
 [x] creates file \??\globalroot\device\00000d83\{7bd8ce81-2e78-3820-e33d-255a2feb1937}\phdata
 [x] creates file \??\globalroot\device\00000d83\{7bd8ce81-2e78-3820-e33d-255a2feb1937}\phld
 [x] creates file \??\globalroot\device\00000d83\{7bd8ce81-2e78-3820-e33d-255a2feb1937}\phln
 [x] creates file \??\globalroot\device\00000d83\{7bd8ce81-2e78-3820-e33d-255a2feb1937}\phlx
 [x] deletes kernel driver file C:\WINDOWS\TEMP\2.tmp

deletion of original \WINDOWS\system32\spoolsv.exe
 [x] moves file
      src: \\?\globalroot\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe
      dst: C:\WINDOWS\TEMP\4.tmp, flags=
 [x] marks file C:\WINDOWS\TEMP\4.tmp (\WINDOWS\system32\spoolsv.exe) for deletion
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations

So, \WINDOWS\system32\spoolsv.exe is moved to 4.tmp and marked for deletion,
but will reappear after the reboot.
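
A host-triage check for the persistence artefacts in the trace above, added here as an example and not the author's tooling: it decodes PendingFileRenameOperations into (source, destination) pairs and flags kernel-driver services whose ImagePath points into a temp directory. The registry values are constructed from the trace; reading them on a live host with winreg is assumed and not shown.

```python
SERVICE_KERNEL_DRIVER = 0x1  # the 'type' value written to the 50d5930 service key above

# Constructed from the trace above. On a live host these come from winreg:
# HKLM\SYSTEM\CurrentControlSet\Services\<name> (ImagePath, Type) and
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
SAMPLE_SERVICES = {
    "50d5930": {"ImagePath": r"\??\C:\WINDOWS\TEMP\2.tmp", "Type": 1},
    "Spooler": {"ImagePath": r"C:\WINDOWS\system32\spoolsv.exe", "Type": 0x10},
}
SAMPLE_PENDING = [r"\??\C:\WINDOWS\TEMP\3.tmp", "", r"\??\C:\WINDOWS\TEMP\4.tmp", ""]

def normalize(path: str) -> str:
    r"""Drop the \??\ and \\?\ prefixes seen in the trace and lower-case the path."""
    for prefix in ("\\??\\", "\\\\?\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
    return path.lower()

def in_temp(path: str) -> bool:
    return "\\temp\\" in normalize(path)

def pending_ops(multi_sz):
    """REG_MULTI_SZ is a flat list of (source, destination) pairs; "" destination = delete at boot."""
    it = iter(multi_sz)
    return list(zip(it, it))

def suspicious_services(services):
    """Kernel drivers (Type 1) loading from a temp directory, or any ImagePath ending in .tmp."""
    hits = []
    for name, vals in services.items():
        image = vals.get("ImagePath", "")
        if vals.get("Type") == SERVICE_KERNEL_DRIVER and in_temp(image):
            hits.append(f"kernel driver service '{name}' loads from temp: {image}")
        elif normalize(image).endswith(".tmp"):
            hits.append(f"service '{name}' has a .tmp ImagePath: {image}")
    return hits

def suspicious_pending(multi_sz):
    """Boot-time deletes/renames touching temp or system32 (both are used by this dropper)."""
    hits = []
    for src, dst in pending_ops(multi_sz):
        if in_temp(src) or "\\system32\\" in normalize(src) or (dst and in_temp(dst)):
            hits.append(f"pending at boot: {'delete' if dst == '' else 'rename to ' + dst} {src}")
    return hits
```

The driver service itself is deleted by the dropper only after the driver is loaded, so the registry check is most useful on a memory image or a host caught mid-infection; the pending-operations value survives until the reboot that executes it.
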

QUICK STATIC ANALYSIS OF COMPONENTS

Okay, now that we have looked at the file and its execution flow, it’s time to poke around and see what is actually hidden inside the embedded files. Extracting the files is not too difficult, and it turns out there is quite a bunch of them:

Components

Name        ____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_ph.dll
Size        28704
MD5         B0BB987BB74664F4DFB4154EED5406B1
SHA1        A7AF591015D8C1959EF0CD692372E39BD4AB4994
FUZZY       768:EvHSw/VoWy9bEUPoUy1BS9YOshh1pXSVSDgmY:EPSw/VdqEUP2Zhh1piR,"____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_ph.dll"
Entropy     6.29082900424848
Type        MZ PE i386 DLL
Compiled    2012-01-18 23:33:08 (Wednesday)

The ad-clicking module; interesting strings:
%[^.].%[^(](%[^)])
PurpleHaze
ph|%s|%s|%s|%s
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: %d
Cache-Control: must-revalidate, no-cache, no-store
Pragma: no-cache
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Connection: close
<body><a id=link href='%s'></body>
<script>document.getElementById('link').click()</script>
phdata
svchost.exe
netsvcs
Global
java.exe
jp2launcher.exe
acrord32.exe
%d.%d.%d_%d.%d_%d
S:(ML;;NW;;;LW)
%s.dll
kernelbase
http://%s%s
 http/1.
host:

Name        ____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phd
Size        32288
MD5         970EFB57CBB4962B6A74D94CD22BCA63
SHA1        06049082C9B367A2A0BADAE077D7F9527C5D2690
FUZZY       768:B6Ad2SmKTyScPlv75iXeeH6OMRrUfsi7fIhEl7UaAxPWaOlXuVI:B6Ad2GTolD5/NEnf72BxPWaGu+,
            "____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phd"
Entropy     7.30737347784811
Type        MZ PE i386 SYS DLL
Compiled    2012-01-23 12:07:36 (Monday)

Kernel driver

Name        ____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phdata
Config file
[PurpleHaze]
pn=161
all=ph.dll
allx=phx.dll
wait=3600

Name        ____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phdx
Size        22048
MD5         66EB89E848C036C5755406E871947700
SHA1        2AFD2AF269C620BDD5041ED0D3EE47502E3ACA4F
FUZZY       384:wcMGOJ+SOnSGQu8l6PtjVaglZSo7uvyt1/2j9tLvA+EDgS+DBcG2ATbWY0b:wcMuJnEu8l6VjggbSuM9ZvBEDgXD2GhU,
            "____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phdx"
Entropy     6.07370244368794
Type        MZ PE AMD64

Kernel driver for AMD64bit

Name        ____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phld
Binary file

Name        ____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phln
Size        3174
MD5         3B39D436107BAC7B0A62465BA9150EFF
SHA1        40FE02BE9F35135C1102A26B1F5A502C80DB7457
FUZZY       48:MCB01djg5hZ+t3ICFnX4xfQAgCvq9zk+VhF6s6a1JQlI:3Ug5hm3toxISq9F30I,
            "____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phln"
Entropy     5.42879880799889
Type        MZ PE i386 SYS DLL
Compiled    2012-01-18 23:31:34 (Wednesday)

Kernel driver  

Name        ____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phlx
Size        3688
MD5         42223C735194A70B1EBCA70DB0EDE2C1
SHA1        52A7D5AFA5FF6663CC80F1CAAAFCFCEA8394C1E7
FUZZY       48:pFkZdjymAezwDtpHH3UfcuZ3X1eD9AoizmBOsTmHtuZCzF5qzyCd8vw6XO:IymAIV8WeTcmzNXD,
            "____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phlx"
Entropy     5.29079091610341
Type        MZ PE AMD64

Kernel driver for AMD64bit

Name        ____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phs
Binary file; contains strings:
            phdata ;   [PurpleHaze]
            pn=161

Name        ____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phx.dll 
Size        3104
MD5         9B82A980F6DFBB0124D7C765F8A7F7C2
SHA1        083E31FC72FAAD085612374D90AF46CD5AAABB06
FUZZY       24:eFGSY85CW06GdUZSEdRXIQum+aUDtXAR9RWgUXdf4iE//4Cjbh45pxZ3:iY8g6GdnIRXnJTEtXATMgUeiEH4CPq,
            "____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phx.dll"
Entropy     2.76585363725654
Entropy2    0.686573878169023
Type        MZ PE AMD64 Portable executable 64 bit for AMD

Name        _TEMP__1.tmp
Size        130592
MD5         7BD5F8C04051276C0078EBA3F28004D5
SHA1        608DC2C2B1549AF8EAC7B8FD12F875029CA84700
FUZZY       3072:Bkt+9iOinX6OunNa8ad76Jw+0HGdsZ7nncCH6/CH2:Bd8X6/Xad76J0GdkLLH,
            "_TEMP__1.tmp"
Entropy     7.72253522274673
Type        MZ PE i386 DEB
Compiled    2011-06-04 11:45:38 (Saturday)

Name        c__WINDOWS_Temp_2.tmp
Size        32288
MD5         970EFB57CBB4962B6A74D94CD22BCA63
SHA1        06049082C9B367A2A0BADAE077D7F9527C5D2690
FUZZY       768:B6Ad2SmKTyScPlv75iXeeH6OMRrUfsi7fIhEl7UaAxPWaOlXuVI:B6Ad2GTolD5/NEnf72BxPWaGu+,
            "c__WINDOWS_Temp_2.tmp"
Entropy     7.30737347784811
Type        MZ PE i386 SYS DLL DEB
Compiled    2012-01-23 12:07:36 (Monday)

Kernel driver

THAT’S ALL FOR NOW

It would seem that the main dropper is an old piece from June 2011, while the modules were recompiled in January 2012.