{"id":543,"date":"2012-02-13T16:42:29","date_gmt":"2012-02-13T16:42:29","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=543"},"modified":"2012-02-20T01:09:10","modified_gmt":"2012-02-20T01:09:10","slug":"purple-haze-analysis","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/02\/13\/purple-haze-analysis\/","title":{"rendered":"Purple Haze Analysis"},"content":{"rendered":"<p>As I mentioned in my previous post, last weekend I had a look at the Purple Haze malware to see what sort of new stuff can be found there. In this blog entry, I will describe step by step what the malware does &#8211; i.e. a simple static and dynamic analysis. Well, it&#8217;s not so simple, but here it goes&#8230;<\/p>\n<h2>STATIC ANALYSIS<\/h2>\n<pre><strong>File properties<\/strong>\r\nName        9746b4f684b9d7d346ff131cd024e68d1b06e1b81571ce6d3c5067f0829d7932\r\nSize        130560  0001FE00\r\nMD5         A1B3E59AE17BA6F940AFAF86485E5907\r\nSHA1        6D07CF72201234A07AB57FB3FC00B9E5A0B3678E\r\nFUZZY       3072:Bkt+9iOinX6OunNa8ad76Jw+0HGdsZ7nncCH6\/CH2:Bd8X6\/Xad76J0GdkLLH,\r\n            \"9746b4f684b9d7d346ff131cd024e68d1b06e1b81571ce6d3c5067f0829d7932\"\r\nEntropy     7.72339425411489\r\nType        MZ PE i386 DEB\r\nCompiled    2011-06-04 11:45:38 (Saturday)\r\nImage       ImageBase      = 00400000\r\n            SizeOfImage    = 0002B000\r\n            EntryPointRVA  = 0001514B\r\n            EntryPointFile = 0001454B<\/pre>\n<pre><strong>Sections<\/strong>\r\n.text\r\n      vo = 00001000, vs = 00018B5A\r\n      fo = 00000400, fs = 00018C00\r\n      flags = E0000020, XWR, CODE\r\n.ctext\r\n      vo = 0001A000, vs = 00003492\r\n      fo = 
00019000, fs = 00003600\r\n      flags = 40000040, R, IDATA\r\n.data\r\n      vo = 0001E000, vs = 000085BB\r\n      fo = 0001C600, fs = 00001A00\r\n      flags = C0000040, WR, IDATA\r\n.rdata\r\n      vo = 00027000, vs = 00001502\r\n      fo = 0001E000, fs = 00001600\r\n      flags = 40000040, R, IDATA\r\n.rsrc\r\n      vo = 00029000, vs = 00000010\r\n      fo = 0001F600, fs = 00000200\r\n      flags = 40000040, R, IDATA\r\n.reloc\r\n      vo = 0002A000, vs = 000005D8\r\n      fo = 0001F800, fs = 00000600\r\n      flags = 42000040, R, IDATA<\/pre>\n<pre><strong>File structure<\/strong>\r\n4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00\u00a0 MZ..............\r\n...\r\n50 45 00 00 4C 01 06 00 E2 1A EA 4D 00 00 00 00\u00a0 PE..L......M....\r\n00 00 00 00 E0 00 02 01 0B 01 09 00 00 8C 01 00\u00a0 ................\r\n...\r\n2E 74 65 78 74 00 00 00 5A 8B 01 00 00 10 00 00\u00a0 .text...Z.......\r\n00 8C 01 00 00 04 00 00 00 00 00 00 00 00 00 00\u00a0 ................\r\n00 00 00 00 20 00 00 E0 2E 63 74 65 78 74 00 00\u00a0 .... 
....ctext..\r\n92 34 00 00 00 A0 01 00 00 36 00 00 00 90 01 00\u00a0 .4.......6......\r\n00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40\u00a0 ............@..@\r\n2E 64 61 74 61 00 00 00 BB 85 00 00 00 E0 01 00\u00a0 .data...........\r\n00 1A 00 00 00 C6 01 00 00 00 00 00 00 00 00 00\u00a0 ................\r\n00 00 00 00 40 00 00 C0 2E 72 64 61 74 61 00 00\u00a0 ....@....rdata..\r\n02 15 00 00 00 70 02 00 00 16 00 00 00 E0 01 00\u00a0 .....p..........\r\n00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40\u00a0 ............@..@\r\n2E 72 73 72 63 00 00 00 10 00 00 00 00 90 02 00\u00a0 .rsrc...........\r\n00 02 00 00 00 F6 01 00 00 00 00 00 00 00 00 00\u00a0 ................\r\n00 00 00 00 40 00 00 40 2E 72 65 6C 6F 63 00 00\u00a0 ....@..@.reloc..\r\nD8 05 00 00 00 A0 02 00 00 06 00 00 00 F8 01 00\u00a0 ................\r\n00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42\u00a0 ............@..B\r\n...\r\n<strong>.text\u00a0\u00a0\u00a0 (entropy = 7.73691850981344)<\/strong>\r\n56 47 46 56 57 57 56 47 0A 9C E5 22 67 72 4D 75\u00a0 VGFVWWVG...\"grMu\r\n4C 75 47 53 06 D6 81 32 93 1D 01 00 EA 07 00 00\u00a0 LuGS...2........\r\n63 D8 74 9F E7 98 8E A0 77 CB DB A8 60 22 86 98\u00a0 c.t.....w...`\"..\r\nF2 D4 C2 8D 72 D5 D3 8F 7D C7 52 91 A6 A5 F0 89\u00a0 ....r...}.R.....\r\n...\r\n<strong>.ctext\u00a0\u00a0 (entropy = 7.69122372438427)<\/strong>\r\nF8 BC 81 EC 07 59 F0 87 93 EC 91 5B 10 30 C4 0C\u00a0 .....Y.....[.0..\r\n9B 55 10 2C 9D F8 98 38 18 AF 18 18 6E 82 EF 82\u00a0 .U.,...8....n...\r\n8B E6 A9 20 5A B1 24 94 08 69 AB E8 72 B0 16 2C\u00a0 ... 
Z.$..i..r..,\r\n34 30 30 BD 14 8B B2 BD 3C 24 BC 38 A0 3C 60 2E\u00a0 400.....&lt;$.8.&lt;`.\r\n...\r\n<strong>.data\u00a0\u00a0\u00a0 (entropy = 7.29026900956825)<\/strong>\r\n00 00 00 00 E2 1A EA 4D 00 00 00 00 02 00 00 00\u00a0 .......M........\r\n3A 00 00 00 45 F8 01 00 45 DE 01 00 4D 6A 6C 6D\u00a0 :...E...E...Mjlm\r\n74 72 54 6A 55 4F 42 55 44 47 65 44 64 67 6E 58\u00a0 trTjUOBUDGeDdgnX\r\n55 4A 56 6D 49 6D 4B 50 52 6A 4A 6D 48 4F 58 61\u00a0 UJVmImKPRjJmHOXa\r\n...\r\n<strong>.rdata\u00a0\u00a0 (entropy = 5.47242760415688)<\/strong>\r\n64 77 02 00 6E 77 02 00 78 77 02 00 80 77 02 00\u00a0 dw..nw..xw...w..\r\n8E 77 02 00 A0 77 02 00 A8 77 02 00 B2 77 02 00\u00a0 .w...w...w...w..\r\nBC 77 02 00 CA 77 02 00 D2 77 02 00 E2 77 02 00\u00a0 .w...w...w...w..\r\nEA 77 02 00 F8 77 02 00 02 78 02 00 0C 78 02 00\u00a0 .w...w...x...x..\r\n...\r\n<strong>.rsrc\u00a0\u00a0\u00a0 (entropy = 0.020393135236085)<\/strong>\r\n00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00\u00a0 ................\r\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\u00a0 ................\r\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\u00a0 ................\r\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\u00a0 ................\r\n...\r\n<strong>.reloc\u00a0\u00a0 (entropy = 6.43219032611337)<\/strong>\r\n00 20 00 00 78 00 00 00 14 30 18 30 1C 30 20 30\u00a0 . 
..x....0.0.0 0\r\n24 30 28 30 2C 30 30 30 34 30 38 30 3C 30 40 30\u00a0 $0(0,0004080&lt;0@0\r\n44 30 48 30 4C 30 50 30 54 30 58 30 5C 30 60 30\u00a0 D0H0L0P0T0X0\\0`0\r\n64 30 68 30 6C 30 70 30 74 30 78 30 7C 30 80 30\u00a0 d0h0l0p0t0x0|0.0\r\n...\r\n<strong>Debug data<\/strong>\r\n52 53 44 53 F8 D8 EF 46 9B 0A 74 43 A1 B4 9B 36\u00a0 RSDS...F..tC...6\r\n24 56 EB BC 0B 00 00 00 57 3A 5C 76 44 67 68 6E\u00a0 $V......W:\\vDghn\r\n4F 7A 6A 70 5C 66 73 65 73 6F 64 67 66 5C 4B 70\u00a0 Ozjp\\fsesodgf\\Kp\r\n65 47 68 65 41 2E 70 64 62 00                    eGheA.pdb.\r\n\r\n===\r\n<strong>Entry Point<\/strong>\r\n2D FB 50 00 00 55 8B EC 81 EC CC 00 00 00 53 BB\u00a0 -.P..U........S.\r\n6A E2 4C 04 89 5D FC 68 80 E1 41 00 C7 45 F8 69\u00a0 j.L..].h..A..E.i\r\nE2 4C 04 FF 15 D8 70 42 00 3B 35 D0 20 40 00 81\u00a0 .L....pB.;5. @..\r\n2D C4 20 40 00 04 21 40 00 81 35 C4 20 40 00 EC\u00a0 -. @..!@..5. @..<\/pre>\n<h2>DYNAMIC ANALYSIS<\/h2>\n<pre><strong>9746b4f684b9d7d346ff131cd024e68d1b06e1b81571ce6d3c5067f0829d7932<\/strong>\r\n [x] creates\/opens file %TEMP%\\1.tmp\r\n [x] creates a copy of itself, converting it on the fly from EXE to DLL\r\n     via the MapViewOfFileEx API\r\n      src: \\\\?\\globalroot\\Device\\HarddiskVolume1\\test\\\r\n           9746b4f684b9d7d346ff131cd024e68d1b06e1b81571ce6d3c5067f0829d7932\r\n      dst: %TEMP%\\1.tmp\r\n [x] uses the print spooler to load %TEMP%\\1.tmp via AddMonitorW\r\n\r\n<strong>%TEMP%\\1.tmp is now loaded inside spoolsv.exe<\/strong>\r\n [x] deletes file %TEMP%\\1.tmp\r\n\r\n [x] creates driver file \\??\\C:\\WINDOWS\\TEMP\\2.tmp\r\n [x] moves file\r\n      src: \\\\?\\globalroot\\Device\\HarddiskVolume1\\test\\\r\n           
9746b4f684b9d7d346ff131cd024e68d1b06e1b81571ce6d3c5067f0829d7932\r\n      dst: %TEMP%\\3.tmp\r\n [x] creates service key system\\currentcontrolset\\services\\50d5930\r\n [x] sets reg value HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\50d5930\\imagepath\r\n     = \\??\\C:\\WINDOWS\\TEMP\\2.tmp\r\n [x] sets reg value HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\50d5930\\type\r\n     = 1 (SERVICE_KERNEL_DRIVER)\r\n [x] marks file %TEMP%\\3.tmp for deletion via HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\\r\n     Control\\Session Manager\\PendingFileRenameOperations\r\n [x] uses NtLoadDriver to load the driver: \\registry\\machine\\system\\currentcontrolset\\\r\n     services\\50d5930\r\n\r\n<strong>writes its internal files to a newly created device<\/strong>\r\n [x] creates file \\??\\globalroot\\device\\00000d83\\{7bd8ce81-2e78-3820-e33d-255a2feb1937}\\ph.dll\r\n [x] creates file \\??\\globalroot\\device\\00000d83\\{7bd8ce81-2e78-3820-e33d-255a2feb1937}\\phx.dll\r\n [x] creates file \\??\\globalroot\\device\\00000d83\\{7bd8ce81-2e78-3820-e33d-255a2feb1937}\\phd\r\n [x] creates file \\??\\globalroot\\device\\00000d83\\{7bd8ce81-2e78-3820-e33d-255a2feb1937}\\phdx\r\n [x] creates file \\??\\globalroot\\device\\00000d83\\{7bd8ce81-2e78-3820-e33d-255a2feb1937}\\phs\r\n [x] creates file \\??\\globalroot\\device\\00000d83\\{7bd8ce81-2e78-3820-e33d-255a2feb1937}\\phdata\r\n [x] creates file \\??\\globalroot\\device\\00000d83\\{7bd8ce81-2e78-3820-e33d-255a2feb1937}\\phld\r\n [x] creates file \\??\\globalroot\\device\\00000d83\\{7bd8ce81-2e78-3820-e33d-255a2feb1937}\\phln\r\n [x] creates file \\??\\globalroot\\device\\00000d83\\{7bd8ce81-2e78-3820-e33d-255a2feb1937}\\phlx\r\n [x] deletes kernel driver file C:\\WINDOWS\\TEMP\\2.tmp\r\n\r\n<strong>deletion of original \\WINDOWS\\system32\\spoolsv.exe<\/strong>\r\n [x] moves file\r\n      src: 
\\\\?\\globalroot\\Device\\HarddiskVolume1\\WINDOWS\\system32\\spoolsv.exe\r\n      dst: C:\\WINDOWS\\TEMP\\4.tmp\r\n [x] marks file C:\\WINDOWS\\TEMP\\4.tmp (\\WINDOWS\\system32\\spoolsv.exe) for deletion via\r\n     HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\PendingFileRenameOperations\r\n\r\nSo \\WINDOWS\\system32\\spoolsv.exe is moved to 4.tmp and marked for deletion,\r\nbut will reappear after the reboot.<\/pre>\n<h2>QUICK STATIC ANALYSIS OF COMPONENTS<\/h2>\n<p>Okay, once we have looked at the file and its execution flow, it&#8217;s time to poke around and see what is actually hidden inside the embedded files. Extracting the files is not too difficult, and it turns out there are quite a few of them:<\/p>\n<pre><strong>Components<\/strong>\r\n<a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/02\/ph6.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-551\" title=\"ph6\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/02\/ph6-300x102.png\" alt=\"\" width=\"300\" height=\"102\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/02\/ph6-300x102.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/02\/ph6.png 997w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a>\r\n<strong>Name        ____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_ph.dll<\/strong>\r\nSize        28704\r\nMD5         B0BB987BB74664F4DFB4154EED5406B1\r\nSHA1        A7AF591015D8C1959EF0CD692372E39BD4AB4994\r\nFUZZY       
768:EvHSw\/VoWy9bEUPoUy1BS9YOshh1pXSVSDgmY:EPSw\/VdqEUP2Zhh1piR,\r\n            \"____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_ph.dll\"\r\nEntropy     6.29082900424848\r\nType        MZ PE i386 DLL\r\nCompiled    2012-01-18 23:33:08 (Wednesday)\r\n\r\nThe ad-clicking module; interesting strings:<\/pre>\n<pre style=\"padding-left: 30px;\">%[^.].%[^(](%[^)])\r\nPurpleHaze\r\nph|%s|%s|%s|%s\r\nHTTP\/1.1 200 OK\r\nContent-Type: text\/html\r\nContent-Length: %d\r\nCache-Control: must-revalidate, no-cache, no-store\r\nPragma: no-cache\r\nExpires: Sat, 01 Jan 2000 00:00:00 GMT\r\nConnection: close\r\n&lt;body&gt;&lt;a id=link href='%s'&gt;&lt;\/body&gt;\r\n&lt;script&gt;document.getElementById('link').click()&lt;\/script&gt;\r\nphdata\r\nsvchost.exe\r\nnetsvcs\r\nGlobal\r\njava.exe\r\njp2launcher.exe\r\nacrord32.exe\r\n%d.%d.%d_%d.%d_%d\r\nS:(ML;;NW;;;LW)\r\n%s.dll\r\nkernelbase\r\nhttp:\/\/%s%s\r\n http\/1.\r\nhost:<\/pre>\n<pre><strong>Name        ____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phd<\/strong>\r\nSize        32288\r\nMD5         970EFB57CBB4962B6A74D94CD22BCA63\r\nSHA1        06049082C9B367A2A0BADAE077D7F9527C5D2690\r\nFUZZY       768:B6Ad2SmKTyScPlv75iXeeH6OMRrUfsi7fIhEl7UaAxPWaOlXuVI:B6Ad2GTolD5\/NEnf72BxPWaGu+,\r\n            \"____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phd\"\r\nEntropy     7.30737347784811\r\nType        MZ PE i386 SYS DLL\r\nCompiled    2012-01-23 12:07:36 (Monday)\r\n\r\nKernel driver\r\n\r\n<strong>Name        ____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phdata<\/strong>\r\nConfig 
file\r\n[PurpleHaze]\r\npn=161\r\nall=ph.dll\r\nallx=phx.dll\r\nwait=3600<\/pre>\n<pre><strong>Name        ____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phdx<\/strong>\r\nSize        22048\r\nMD5         66EB89E848C036C5755406E871947700\r\nSHA1        2AFD2AF269C620BDD5041ED0D3EE47502E3ACA4F\r\nFUZZY       384:wcMGOJ+SOnSGQu8l6PtjVaglZSo7uvyt1\/2j9tLvA+EDgS+DBcG2ATbWY0b:wcMuJnEu8l6VjggbSuM9ZvBEDgXD2GhU,\r\n            \"____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phdx\"\r\nEntropy     6.07370244368794\r\nType        MZ PE AMD64\r\n\r\nKernel driver for AMD64<\/pre>\n<pre><strong>Name        ____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phld<\/strong>\r\nBinary file<\/pre>\n<pre><strong>Name        ____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phln<\/strong>\r\nSize        3174\r\nMD5         3B39D436107BAC7B0A62465BA9150EFF\r\nSHA1        40FE02BE9F35135C1102A26B1F5A502C80DB7457\r\nFUZZY       48:MCB01djg5hZ+t3ICFnX4xfQAgCvq9zk+VhF6s6a1JQlI:3Ug5hm3toxISq9F30I,\r\n            \"____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phln\"\r\nEntropy     5.42879880799889\r\nType        MZ PE i386 SYS DLL\r\nCompiled    2012-01-18 23:31:34 (Wednesday)\r\n\r\nKernel driver<\/pre>\n<pre><strong>Name        ____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phlx<\/strong>\r\nSize        3688\r\nMD5         42223C735194A70B1EBCA70DB0EDE2C1\r\nSHA1        52A7D5AFA5FF6663CC80F1CAAAFCFCEA8394C1E7\r\nFUZZY       48:pFkZdjymAezwDtpHH3UfcuZ3X1eD9AoizmBOsTmHtuZCzF5qzyCd8vw6XO:IymAIV8WeTcmzNXD,\r\n            \"____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phlx\"\r\nEntropy     5.29079091610341\r\nType        MZ PE AMD64\r\n\r\nKernel driver for AMD64<\/pre>\n<pre><strong>Name        ____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phs<\/strong>\r\nBinary file; contains the strings:\r\n            phdata\r\n            [PurpleHaze]\r\n            pn=161<\/pre>\n<pre><strong>Name        ____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phx.dll<\/strong>\r\nSize        3104\r\nMD5         9B82A980F6DFBB0124D7C765F8A7F7C2\r\nSHA1        083E31FC72FAAD085612374D90AF46CD5AAABB06\r\nFUZZY       24:eFGSY85CW06GdUZSEdRXIQum+aUDtXAR9RWgUXdf4iE\/\/4Cjbh45pxZ3:iY8g6GdnIRXnJTEtXATMgUeiEH4CPq,\r\n            \"____globalroot_device_00000d83_{7bd8ce81-2e78-3820-e33d-255a2feb1937}_phx.dll\"\r\nEntropy     2.76585363725654\r\nEntropy2    0.686573878169023\r\nType        MZ PE AMD64\r\n\r\n64-bit (AMD64) portable executable<\/pre>\n<pre><strong>Name        _TEMP__1.tmp<\/strong>\r\nSize        130592\r\nMD5         7BD5F8C04051276C0078EBA3F28004D5\r\nSHA1        608DC2C2B1549AF8EAC7B8FD12F875029CA84700\r\nFUZZY       3072:Bkt+9iOinX6OunNa8ad76Jw+0HGdsZ7nncCH6\/CH2:Bd8X6\/Xad76J0GdkLLH,\r\n            \"_TEMP__1.tmp\"\r\nEntropy     7.72253522274673\r\nType        MZ PE i386 DEB\r\nCompiled    2011-06-04 11:45:38 (Saturday)\r\n\r\nThe dropper rewritten as a DLL: same ssdeep hash and compile timestamp as the\r\noriginal sample, 32 bytes larger<\/pre>\n<pre><strong>Name        c__WINDOWS_Temp_2.tmp<\/strong>\r\nSize        32288\r\nMD5         970EFB57CBB4962B6A74D94CD22BCA63\r\nSHA1        06049082C9B367A2A0BADAE077D7F9527C5D2690\r\nFUZZY       768:B6Ad2SmKTyScPlv75iXeeH6OMRrUfsi7fIhEl7UaAxPWaOlXuVI:B6Ad2GTolD5\/NEnf72BxPWaGu+,\r\n            \"c__WINDOWS_Temp_2.tmp\"\r\nEntropy     7.30737347784811\r\nType        MZ PE i386 SYS DLL DEB\r\nCompiled    2012-01-23 12:07:36 (Monday)\r\n\r\nKernel driver; identical (same MD5\/SHA1) to the phd file above<\/pre>\n<h2>THAT&#8217;S ALL FOR NOW<\/h2>\n<p>It would seem that the main dropper is an old piece from June 2011, while the modules were recompiled in January 2012 (going by the PE compile timestamps).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As I mentioned in my previous post, last weekend I had a look at Purple Haze malware to see what sort of new stuff can be found there. 
In this blog entry, I will describe step by step what malware &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/02\/13\/purple-haze-analysis\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/543"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=543"}],"version-history":[{"count":14,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/543\/revisions"}],"predecessor-version":[{"id":615,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/543\/revisions\/615"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=543"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
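Worked example for the STATIC ANALYSIS section of the post above. This is an added example, not code from the original post: it parses the COFF header and the six section headers transcribed from the "File structure" hex dump, reproduces the Sections, Compiled and EntryPointFile values the post lists, and flags what the listing already hints at, namely that .text is writable as well as executable (E0000020) and, like the file as a whole, has entropy close to 8, which is what a self-decrypting packer leaves behind and what a compiler does not normally emit. The section contents are not reproduced on the page, so the entropy helper is exercised on constructed buffers.

```python
"""Added example (not from the original post): parse the COFF header and the six
IMAGE_SECTION_HEADER records transcribed from the "File structure" dump, then
reproduce the Sections / Compiled / EntryPointFile values and flag W+X code."""
import datetime
import math
import struct
from collections import Counter

# COFF file header, transcribed from the dump (starts at the "PE\0\0" signature).
COFF_HEADER_HEX = "50 45 00 00 4C 01 06 00 E2 1A EA 4D 00 00 00 00 00 00 00 00 E0 00 02 01"

# Six section headers, 6 x 40 bytes, transcribed from the same dump.
SECTION_TABLE_HEX = """
2E 74 65 78 74 00 00 00 5A 8B 01 00 00 10 00 00
00 8C 01 00 00 04 00 00 00 00 00 00 00 00 00 00
00 00 00 00 20 00 00 E0 2E 63 74 65 78 74 00 00
92 34 00 00 00 A0 01 00 00 36 00 00 00 90 01 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40
2E 64 61 74 61 00 00 00 BB 85 00 00 00 E0 01 00
00 1A 00 00 00 C6 01 00 00 00 00 00 00 00 00 00
00 00 00 00 40 00 00 C0 2E 72 64 61 74 61 00 00
02 15 00 00 00 70 02 00 00 16 00 00 00 E0 01 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40
2E 72 73 72 63 00 00 00 10 00 00 00 00 90 02 00
00 02 00 00 00 F6 01 00 00 00 00 00 00 00 00 00
00 00 00 00 40 00 00 40 2E 72 65 6C 6F 63 00 00
D8 05 00 00 00 A0 02 00 00 06 00 00 00 F8 01 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42
"""

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_coff_header(data):
    """Return (machine, number_of_sections, timestamp) from the 24-byte COFF header."""
    sig, machine, nsections, timestamp, _symptr, _nsyms, _optsize, _chars = \
        struct.unpack_from("<4sHHIIIHH", data, 0)
    if sig != b"PE\0\0":
        raise ValueError("missing PE signature")
    return machine, nsections, timestamp


def compile_time(timestamp):
    """Render TimeDateStamp the way the post's 'Compiled' line does (UTC)."""
    dt = datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def parse_section_table(data, count):
    """Unpack `count` consecutive 40-byte IMAGE_SECTION_HEADER records."""
    sections = []
    for i in range(count):
        name, vsize, vaddr, rawsize, rawptr, _rel, _lin, _nrel, _nlin, flags = \
            struct.unpack_from("<8sIIIIIIHHI", data, i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "vo": vaddr,
                         "vs": vsize, "fo": rawptr, "fs": rawsize, "flags": flags})
    return sections


def describe_flags(flags):
    """Render Characteristics the way the Sections listing does, e.g. 'XWR, CODE'."""
    perms = "".join(c for c, bit in (("X", IMAGE_SCN_MEM_EXECUTE), ("W", IMAGE_SCN_MEM_WRITE),
                                     ("R", IMAGE_SCN_MEM_READ)) if flags & bit)
    kinds = [k for k, bit in (("CODE", IMAGE_SCN_CNT_CODE), ("IDATA", IMAGE_SCN_CNT_INITIALIZED_DATA),
                              ("UDATA", IMAGE_SCN_CNT_UNINITIALIZED_DATA)) if flags & bit]
    return ", ".join([perms] + kinds)


def rva_to_file_offset(rva, sections):
    """EntryPointRVA -> EntryPointFile: locate the section that maps the RVA."""
    for s in sections:
        if s["vo"] <= rva < s["vo"] + max(s["vs"], s["fs"]):
            return rva - s["vo"] + s["fo"]
    raise ValueError("RVA 0x%X is not backed by any section" % rva)


def shannon_entropy(buf):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def packer_indicators(sections):
    """Sections that are writable as well as executable: a compiler emits .text as
    R+X (60000020); W+X code (E0000020 here) is what in-place decryption needs."""
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [s["name"] for s in sections if s["flags"] & wx == wx]


if __name__ == "__main__":
    machine, nsec, ts = parse_coff_header(bytes.fromhex(COFF_HEADER_HEX))
    print("Machine %04X, %d sections, compiled %s" % (machine, nsec, compile_time(ts)))
    secs = parse_section_table(bytes.fromhex(SECTION_TABLE_HEX), nsec)
    for s in secs:
        print("%-6s vo=%08X vs=%08X fo=%08X fs=%08X %s" % (
            s["name"], s["vo"], s["vs"], s["fo"], s["fs"], describe_flags(s["flags"])))
    print("EntryPointFile=%08X  W+X: %s" % (rva_to_file_offset(0x1514B, secs), packer_indicators(secs)))
```

The RVA conversion consults only the section table; on a file whose headers have been tampered with (SizeOfRawData of 0, overlapping sections) the loader's rounding to SectionAlignment and FileAlignment also matters, and the function raises rather than guessing. Note that the COFF timestamp is attacker-controlled, so "compiled 2011-06-04" is evidence, not proof, of the dropper's age.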
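Worked example for the DYNAMIC ANALYSIS section of the post above. This is an added example, not code from the original post: a small triage script that reads a registry export and reports the persistence artefacts the execution log describes, namely a kernel-driver service (Type = 1) whose ImagePath points into a TEMP directory, PendingFileRenameOperations entries that delete files at the next boot, and a print monitor whose Driver value is a full path rather than a DLL in system32. The Monitors key is where AddMonitorW registers a monitor; the post does not show that key, so the entry here is an assumption, as are the monitor name 'ph' and the expanded %TEMP% path. The service name 50d5930 and the 2.tmp, 3.tmp and 4.tmp paths are taken from the log; the .reg text itself is constructed.

```python
"""Added example (not from the original post): triage a .reg export for the
persistence artefacts the dynamic-analysis log lists. Assumptions: the Print
Monitors entry (where AddMonitorW registers a monitor; not shown in the post),
the monitor name 'ph' and the expanded %TEMP% path are invented for the example."""
import re

SERVICE_KERNEL_DRIVER = 0x1                       # Services\<name>\Type of a driver
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


def multi_sz_hex(strings):
    """Encode REG_MULTI_SZ the way reg.exe exports it: hex(7): of UTF-16LE bytes."""
    return ",".join("%02x" % b for b in ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le"))


# Constructed export. Service name, driver path and 2.tmp/3.tmp/4.tmp come from the log.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\50d5930]
"Type"=dword:00000001
"ImagePath"="\\\\??\\\\C:\\\\WINDOWS\\\\TEMP\\\\2.tmp"

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Print\\Monitors\\Local Port]
"Driver"="localspl.dll"

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Print\\Monitors\\ph]
"Driver"="C:\\\\DOCUME~1\\\\user\\\\LOCALS~1\\\\Temp\\\\1.tmp"

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager]
"PendingFileRenameOperations"=hex(7):""" + multi_sz_hex([
    "\\??\\C:\\WINDOWS\\TEMP\\4.tmp", "",                      # empty target = delete
    "\\??\\C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\3.tmp", ""]) + "\n"


def decode_multi_sz(raw):
    """Split by length, not at the first double NUL: a delete entry in
    PendingFileRenameOperations is an empty string, which a naive split would truncate."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):                       # list terminator
        text = text[:-1]
    parts = text.split("\0")                      # every string is NUL-terminated
    return parts[:-1] if parts[-1] == "" else parts


def decode_value(rest):
    if rest.startswith('"'):
        return re.sub(r"\\(.)", r"\1", rest[1:-1])        # .reg escapes \\ and \"
    if rest.startswith("dword:"):
        return int(rest[6:], 16)
    if rest.startswith("hex(7):"):
        return decode_multi_sz(bytes.fromhex(rest[7:].replace(",", "")))
    raise ValueError("unsupported value syntax: " + rest)


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: value}}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)              # join hex continuation lines
    hive, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            hive[key] = {}
        elif line.startswith('"') and key is not None:
            name, _, rest = line[1:].partition('"=')
            hive[key][name] = decode_value(rest)
    return hive


def suspicious_driver_services(hive):
    """(service, ImagePath) for kernel drivers (Type=1) loaded from a TEMP directory."""
    return [(key.rsplit("\\", 1)[1], v["ImagePath"]) for key, v in hive.items()
            if "\\Services\\" in key and v.get("Type") == SERVICE_KERNEL_DRIVER
            and TEMP_DIR.search(v.get("ImagePath", ""))]


def suspicious_print_monitors(hive):
    """(monitor, Driver) where Driver is a path rather than a bare DLL name in system32."""
    hits = []
    for key, v in hive.items():
        driver = v.get("Driver")
        if "\\Control\\Print\\Monitors\\" in key and driver is not None and (
                "\\" in driver or not driver.lower().endswith(".dll")):
            hits.append((key.rsplit("\\", 1)[1], driver))
    return hits


def pending_file_operations(hive):
    """(source, target) pairs from Session Manager; an empty target means
    'delete at next boot', a leading '!' on the target means 'replace existing'."""
    for key, v in hive.items():
        if key.endswith("\\Control\\Session Manager"):
            ops = v.get("PendingFileRenameOperations", [])
            return [(ops[i], ops[i + 1].lstrip("!")) for i in range(0, len(ops) - 1, 2)]
    return []


def reboot_deletions(hive):
    return [src for src, dst in pending_file_operations(hive) if dst == ""]


if __name__ == "__main__":
    hive = parse_reg_export(SAMPLE_REG)
    print("kernel drivers loaded from TEMP:", suspicious_driver_services(hive))
    print("print monitors given as a path: ", suspicious_print_monitors(hive))
    print("deleted at next boot:           ", reboot_deletions(hive))
```

To run it against a suspect host, export the hive with `reg export HKLM\SYSTEM hklm-system.reg` and read the file with encoding='utf-16' (reg.exe writes UTF-16 with a BOM). Because the sample deletes its own driver file (2.tmp) right after NtLoadDriver succeeds, the service key and the PendingFileRenameOperations entries may be the only on-disk trace left before the reboot, which is why the script looks at the registry rather than at the files.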