LogMeIn.com SSL certificate has been suspended – Malware analysis

23 01 2013

I couldn't help myself; I had to take this new baby out for a run.

I ran it in Sandboxie with BSA (Buster Sandbox Analyzer) and got the following from the report:

 Report generated with Buster Sandbox Analyzer 1.84 at 13:23:54 on 23/01/2013

[ General information ]
* File name: e:\analysis\logmein\ssl_cert_logmein.scr

[ Changes to filesystem ]
* Modifies file (empty) E:\Analysis\logmein\ssl_cert_logmein.scr
* Creates file (empty) C:\Documents and Settings\Administrator\Application Data\Bydy\ziik.ila
* Creates file (empty) C:\Documents and Settings\Administrator\Application Data\Degi\ymnoo.epa
* Creates file C:\Documents and Settings\Administrator\Application Data\Feto\ypaf.exe

[ Network services ]
* Queries DNS "www.google.com.au".
* Queries DNS "ssl.gstatic.com".
* Queries DNS "www.google.com".

[ Process/window/string information ]
* Enables process privileges.
* Gets system default language ID.
* Gets computer name.
* Checks for debuggers.
* Installs a hook procedure that monitors mouse messages.
* Installs a hook procedure that monitors keystroke messages.

OK – so it drops a file, deletes itself, does a couple of Google queries and installs a keystroke and mouse logger... but the important one is that it checks for debuggers... damn, I've been caught. Time to roll back the VM snapshot and try another way.

Before I run it outside the sandbox, I grab a registry snapshot with Regshot and fire up Wireshark.

HKU\S-1-5-21-682003330-1972579041-2146942695-500\Software\Microsoft\Windows\CurrentVersion\Run\Uvxexuk: ""C:\Documents and Settings\Administrator\Application Data\Udre\anuma.exe""
10.6.6.1 -> 8.8.8.8      DNS 80 Standard query 0x88da  A a5ccb72387a28161.com
8.8.8.8 -> 10.6.6.1     DNS 153 Standard query response 0x88da No such name

This time it drops a file (with a different random name) – but the important thing is that it sets itself up to run on boot via the Run key. We also see a DNS query for a5ccb72387a28161.com that doesn't resolve... hmmmmm
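As an added example (not from the original post), here is a small Python triage helper that parses the Regshot line above and flags Run entries whose image lives in a user-writable profile directory, the pattern the dropper shows. The BENIGN_LINE (a typical VMware Tools autostart) and the list of user-writable directories are constructed assumptions for contrast.

```python
import re
from typing import Optional

# Regshot-style line from the run above, plus a constructed benign entry for
# contrast (the VMware Tools path is a typical vendor autostart, not from the page).
DROPPER_LINE = (r'HKU\S-1-5-21-682003330-1972579041-2146942695-500\Software\Microsoft'
                r'\Windows\CurrentVersion\Run\Uvxexuk: ""C:\Documents and Settings'
                r'\Administrator\Application Data\Udre\anuma.exe""')
BENIGN_LINE = (r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VMware Tools: '
               r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr')

RUN_VALUE_RE = re.compile(
    r'^(?P<hive>HK(?:U|LM|CU))\\(?P<subkey>.*?\\CurrentVersion\\Run(?:Once)?)\\'
    r'(?P<name>[^\\:]+):\s*(?P<data>.*)$')

# Per-user writable locations that a legitimate autostart rarely points into
# (assumed list covering the XP-era layout seen here and modern %APPDATA%).
USER_WRITABLE_DIRS = ('\\application data\\', '\\local settings\\',
                      '\\appdata\\', '\\temp\\')

def parse_run_value(line: str) -> Optional[dict]:
    """Parse a Regshot 'Run' value line into hive, value name and image path."""
    m = RUN_VALUE_RE.match(line.strip())
    if not m:
        return None
    data = m.group('data').strip().strip('"')     # Regshot wraps data in extra quotes
    exe = re.match(r'(.*?\.exe)', data, re.IGNORECASE)   # drop any trailing arguments
    return {'hive': m.group('hive'), 'name': m.group('name'),
            'image': exe.group(1) if exe else data}

def is_suspicious_autostart(entry: dict) -> bool:
    """Flag an autostart whose image lives under a user-writable profile directory,
    as the dropper does here (Application Data\\<random>\\<random>.exe)."""
    image = entry['image'].lower()
    return any(d in image for d in USER_WRITABLE_DIRS)

def triage(lines) -> list:
    """Return the suspicious Run entries found in a sequence of Regshot lines."""
    entries = (parse_run_value(l) for l in lines)
    return [e for e in entries if e and is_suspicious_autostart(e)]
```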

root@bt:~/BADFILES/LogMeIn-SSL/logmein_2# whois a5ccb72387a28161.com

No match for "A5CCB72387A28161.COM".
>>> Last update of whois database: Wed, 23 Jan 2013 04:19:45 UTC <<<

OK... so it's not registered, although I wonder what it would do if it could reach that domain / URL...

Time to fire up INetSim and see what happens:

[2013-01-23 14:51:52] [825] [dns_53_tcp_udp 972] [10.6.6.1] connect
[2013-01-23 14:51:52] [825] [dns_53_tcp_udp 972] [10.6.6.1] recv: Query Type A, Class IN, Name a5ccb72387a28161.com
[2013-01-23 14:51:52] [825] [dns_53_tcp_udp 972] [10.6.6.1] send: a5ccb72387a28161.com 3600 IN A 10.6.6.11
[2013-01-23 14:51:52] [825] [dns_53_tcp_udp 972] [10.6.6.1] disconnect
[2013-01-23 14:51:52] [825] [dns_53_tcp_udp 972] [10.6.6.1] stat: 1 qtype=A qclass=IN qname=a5ccb72387a28161.com
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] connect
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: POST /dcbe7001/a507590e.php HTTP/1.1
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: Accept: */*
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: Host: a5ccb72387a28161.com
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: Content-Length: 120
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: Connection: Keep-Alive
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: Cache-Control: no-cache
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: <(POSTDATA)>
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] info: POST data stored to: /var/lib/inetsim/http/postdata/294f5db6a7407efb43a12242b0e0dbec996cc4d3
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] info: Request URL: http:/ /a5ccb72387a28161.com/dcbe7001/a507590e[dot]php
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] info: Sending fake file configured for extension 'php'.
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] send: HTTP/1.1 200 OK
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] send: Server: Microsoft-IIS/4.0
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] send: Connection: Close
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] send: Content-Length: 258
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] send: Content-Type: text/html
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] send: Date: Wed, 23 Jan 2013 03:51:52 GMT
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] stat: 1 method=POST url=http:/ /a5ccb72387a28161.com/dcbe7001/a507590e[dot]php sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/294f5db6a7407efb43a12242b0e0dbec996cc4d3
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] disconnect
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] connect
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: POST /dcbe7001/a507590e.php HTTP/1.1
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: Accept: */*
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: Host: a5ccb72387a28161.com
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: Content-Length: 120
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: Connection: Keep-Alive
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: Cache-Control: no-cache
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: <(POSTDATA)>
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] info: POST data stored to: /var/lib/inetsim/http/postdata/b5fd16db60922e8b7d960748fc4e0af6c4a3dde5
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] info: Request URL: http:/ /a5ccb72387a28161.com/dcbe7001/a507590e[dot]php
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] info: Sending fake file configured for extension 'php'.
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] send: HTTP/1.1 200 OK
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] send: Server: Microsoft-IIS/4.0
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] send: Connection: Close
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] send: Content-Length: 258
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] send: Content-Type: text/html
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] send: Date: Wed, 23 Jan 2013 03:51:53 GMT
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] stat: 1 method=POST url=http://a5ccb72387a28161.com/dcbe7001/a507590e.php sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/b5fd16db60922e8b7d960748fc4e0af6c4a3dde5
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] disconnect

And there it is, that looks like a phone-home to me – it resolves the domain and immediately makes two POSTs to http:/ /a5ccb72387a28161.com/dcbe7001/a507590e[dot]php
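To show how this beacon pattern can be picked out of INetSim logs automatically, here is an added Python example (not part of the original post) that correlates DNS lookups with POSTs to the same Host within a few seconds and scores whether the URL looks machine-generated. The log excerpt is constructed in the format shown above; the session ids, ports, time window and the google lookup are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed INetSim excerpt in the format of the capture above; session ids,
# ports and the benign google lookup are made up for the example.
SAMPLE_LOG = """\
[2013-01-23 14:51:52] [825] [dns_53_tcp_udp 972] [10.6.6.1] recv: Query Type A, Class IN, Name a5ccb72387a28161.com
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: POST /dcbe7001/a507590e.php HTTP/1.1
[2013-01-23 14:51:52] [825] [http_80_tcp 1641] [10.6.6.1:1063] recv: Host: a5ccb72387a28161.com
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: POST /dcbe7001/a507590e.php HTTP/1.1
[2013-01-23 14:51:53] [825] [http_80_tcp 1642] [10.6.6.1:1064] recv: Host: a5ccb72387a28161.com
[2013-01-23 14:52:10] [825] [dns_53_tcp_udp 973] [10.6.6.1] recv: Query Type A, Class IN, Name www.google.com
"""
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[\d+\] \[(?P<svc>\w+) (?P<sid>\d+)\] \[[^\]]+\] (?P<msg>.*)$')
HEX_LABEL = re.compile(r'^[0-9a-f]{8,}$')

def looks_generated(host: str, path: str) -> bool:
    """True when all host labels (minus TLD) and path segments (minus extension) are long hex."""
    labels = host.split('.')[:-1] + [p for p in re.split(r'[/.]', path) if p][:-1]
    return bool(labels) and all(HEX_LABEL.match(p) for p in labels)

def find_beacons(log: str, window_s: int = 5, min_posts: int = 2) -> list:
    """Flag hosts receiving >= min_posts POSTs within window_s of their DNS lookup."""
    dns, pending, posts = {}, {}, defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
        key, msg = (m['svc'], m['sid']), m['msg']
        q = re.search(r'Class IN, Name (\S+)$', msg)
        req = re.match(r'recv: (POST|GET) (\S+) HTTP', msg)
        hdr = re.match(r'recv: Host: (\S+)', msg)
        if q:
            dns.setdefault(q.group(1), ts)                 # first resolution time
        elif req:
            pending[key] = (ts, req.group(1), req.group(2))  # wait for the Host: header
        elif hdr and key in pending:
            t, method, path = pending.pop(key)
            if method == 'POST':
                posts[hdr.group(1)].append((t, path))
    findings = []
    for host, reqs in posts.items():
        resolved = dns.get(host)
        hits = [p for t, p in reqs if resolved and 0 <= (t - resolved).total_seconds() <= window_s]
        if len(hits) >= min_posts:
            findings.append({'host': host, 'path': hits[0], 'posts': len(hits),
                             'generated_url': looks_generated(host, hits[0])})
    return findings
```

On the sample this reports one host with two POSTs to a URL whose every component is hex, which is the shape to hunt for in proxy or sandbox logs rather than the specific domain, since the names are randomised per build.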

Interestingly, the two dropped files have different MD5 hashes:

root@bt:~/BADFILES/LogMeIn-SSL/logmein_1# md5sum ypaf.exe
dc3f94ae190fd6db5f4a675097352768  ypaf.exe
root@bt:~/BADFILES/LogMeIn-SSL/logmein_1# md5sum anuma.exe
cad63849694322e025fbb0dcaf6d5a20  anuma.exe

but they both appear to be Zbot:

https://www.virustotal.com/file/bdfde6c2b6e25759dd1ea25a7d23905b6c55bc16c4ade9ce0658c4b66c440bcc/analysis/

https://www.virustotal.com/file/cd480e6b94ce259275014a80d3f98e29ebaabd021e4ecf65f0b224ad462e59fc/analysis/


2 responses

23 01 2013
k0ng0

Nice. Quick question what is the initial file used for analysis
thanks

23 01 2013
Ash

Hi, see the previous post – it's the file that the LogMeIn.com SSL certificate expired email was linking to

https://blackundertone.wordpress.com/2013/01/23/logmein-com-ssl-certificate-has-been-suspended-malware/
