Joe Security's Blog

Some days ago a new java 0-day (CVE-2013-0422) has been spotted in the wild (thanks to Kafeine). The exploit targets Java 7 including the latest Java 7 Update 10 release. For protection disable any java plugin within browsers.

According to Kafeine one of the dropped file is the following:

• UTTER-OFFEND.exe (MD5: 237f8ffc0c24191c5bb7bd9099802ee4)

We thought the binary is a good test for our newest Joe Sandbox release. An initial analysis revealed the following startup and signature overview.


Some striking behavior facts from the startup and signature overview:

• Contains tricks to detect virtual machines
• Starts svchost.exe which is legitimate Windows process and writes its process memory, changes threat context
• Creates an autostart registry key
• Deletes Windows safe boot entries
• Delete initial dropped binary
• Creates a new desktop

Lets analyze the individual facts in detail.

Anti-VM tricks

The binary queries the video bios version via registry:


Opens local disk devices:


Using Joe Sandbox SCAE (static code analysis engine) feature enables to understand in detail what happens at code 40141F:


Function 4013C0 opens the drive device (PhysicalDriveX) and communicates through DeviceIoControlCode with it. 2D1400 is the second DeviceIoControlCode (IoControlCode) . A quick Google search revealed that code 2D1400 is IOCTL_STORAGE_QUERY_PROPERTY. If successful DeviceIoControlCode returns in the fourth parameter a buffer of format STORAGE_DEVICE_DESCRIPTOR. The descriptor contains VendorId, ProductId, ProductRevision, SerialNumber strings. The strings are checked in function 401B40:


Qemu, VMware etc are product id strings which are used for comparison (strstr).

For protection the sample checks if its own file name equals sample.exe or virus.exe (GetModuleHandle, GetModuleFileName). If true it deletes itself and terminates.

Function 401B40 is also used to check the value of the VideoBiosVersion key.

Beside these anti-VM tricks based on system artifacts the sample also uses the VMware backdoor I/O port to detect VMware, function 4019F0:


In addition the sample also verifies if wireshark is running (Function 401D50) or if its running sandboxed (Sandboxie: SbieDll.dll):


Infection and Persistence

For injection the sample uses a combination of different strategies to get into svchost. Beside mapping a file to a remote process (NtMapViewOfSection) it also uses WriteProcessMemory to inject its own file into the remote process. For code execution it modifies the context of a thread in svchost.exe (SetThreadContext):



Within svchost.exe it deletes itself, deletes the Windows safeboot entries and creates autostart entries:



Target

In function 413440 the sample creates a new desktop and switches to it. As a result the current desktop with all its windows gets hidden:


Next it creates the following screen (Function 40100 ensures that no other window is overlays the current window):


For understanding the network functionality have a look at function 4150B0 (registration at admin panel), 413500 (querying ip-address.com for getting IP & provider information to display on screen to raise awareness).

All these facts are present in one single Joe Sandbox report which enables you to understand the complete payload and its target within minutes:

• Joe Sandbox report-237f8ffc0c24191c5bb7bd9099802ee4