Malware Analysis JPHP IceRat analysis

struppigel · Nov 19, 2020

This sample was found @McMcbrad
We, that is @upnorth, @McMcbrad and me, have already started looking into this. We decided to continue in a public forum thread. I will use this first post as compilation what we found so far and keep updating it with new information.

@McMcbrad extracted the following URL from a weaponized document which is were the sample is from: VirusTotal
Unfortunately we don't have this document. The first part of the infection chain that I found is a dropper.

The malware has a rather long infection chain. Outline:

Code:

Browes --> 1.exe --> cheats.exe --> klient.exe --> stel.exe
              |                        |    
           CryptoTabSetup              klip.exe --> Winlogin.exe
                                       |       \
                                  MMMMMM.MMMM  WinRing0x64.sys

1. Trojan Dropper: Browes.exe
Overview
VT: VirusTotal
File type: PE32, SFX file
Compile time: 2020-03-26 10:02:47
First submission: 2020-10-26 07:57:33

Behaviour
Dropper for 1.exe

2. Trojan Dropper: 1.exe
Overview
VT: VirusTotal
File type: Windows Cabinet file
Compile time: 2013-10-14 06:48:22
First submission: 2020-10-26 11:33:06

Behaviour
Dropper for cheats.exe and a CryptoTab Setup file

CryptoTab setup: VirusTotal
^This file is not malicious and probably used as a lure.

3. Downloader cheats.exe
Overview
VT: VirusTotal
File type: PE 32
Compiler: JPHP
Any.run: cheats.exe (MD5: DAE90AE7FE103FC7E1866B4E13389101) - Interactive analysis - ANY.RUN
SHA256: 0161540edfceb643389a28ebe7d1092639596325e8f40defe52192ab999d3d36

Behaviour
Downloads klient.exe, saves it in :

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\<random_name>.exe
%TEMP%\<random_name>.exe

The <random_name> is chosen from this list:

System
WindowsShell
exploler
antiDrw
antiSsl
ADB
Microsoft
system

4. Backdoor klient.exe
Overview
URL: hxxp://malina1306.zzz(.)com.ua/klient(.)exe
File type: PE 32
Compiler: JPHP
Compilation date: 2020-10-17 10:55:16
SHA256: cebee34d5f0292befca058537bf2320dd1492afa26fb9af471155c9332046320
VT: (3/71) VirusTotal
Malware type: Backdoor, controlled via C&C
C&C servers: hxxp://malina1306.zzz.com(.)ua and hxxp://bests.zzz.com(.)ua

Behaviour
Will check files on C&C server and do actions depending on their contents.
Downloads, among others, klip.exe (coinminer downloader) and stel.exe (stealer).

Similar samples
VT relations tab shows that at least 2 more files have been provided by that URL. They are slightly different versions of the same threat.
Files provided by hxxp://malina1306.zzz(.)com.ua/klient(.)exe
(3/69) VirusTotal
(4/69) VirusTotal

5. Coinminer downloader klip.exe
Overview
This was the first sample we analyzed, but it is not the main sample.

Hosting URL: hxxp://malina1306.zzz(.)com.ua/klip.exe
File type: PE 32
Compiler: JPHP
Compilation date: 2020-11-05 19:28:34
SHA256: 06a10cf99cc7c2d2ebc3e41300404e8f5816eb31a869d22835ade3a381199c0b
Any.Run:

klip.exe (MD5: CEBD4B8468EE89E804BE61D091247540) - Interactive analysis - ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

app.any.run

Malware type: Coinminer downloader

Behaviour
The sample downloads and drops this coinminer: VirusTotal
The download URL: hxxp://malina1306.zzz(.)com.ua/p/Winlogin(.)exe
The drop location: %TEMP%/Winlogin.exe

Downloads the coinminer's config (JSON file):
MMMMMM.MMMM --> c0a3b67b4056aeefd086edbe0c6ccb5fa7835505ef4ebe6220e5f914012e9e32

Also downloads and drops WinRing0.sys VirusTotal
Download URL: hxxp://malina1306.zzz(.)com.ua/p/WinRing0x64(.)sys
This file is no malware in itself but it seems to be abused by malware.

6. Stealer stel.exe
Overview
VT: (49/70) VirusTotal
Hosting URL: hxxp://malina1306.zzz(.)com.ua/stel.exe
File type: PE 32
Compiler: PyInstaller
Compilation date: 2020-08-08 12:30:37
Contact URLs: rudy.zzz(.)com.ua and malina1306.zzz(.)com.ua
Malware type: Credential stealer

Behaviour
Steals credentials:

Firefox
Yandex browser
Filezilla
Chrome
Amigo
kometa
Orbitum
Chromium
K-Melon

7. Attribution
@upnorth suspects a relationship to Olympic Destroyer due to the file name for the dropped file: Winlogin.exe
Comparing with Checkpoint research: New Strain of Olympic Destroyer Droppers - Check Point Research

Note: I removed attribution info that has no proof for a connection.

8. Older versions
klip.exe:
http://invalid666.zzz.com.ua/klip.exe - Interactive analysis - ANY.RUN

IceRat.exe:

Analysis IceRat.exe (MD5: 5E864667D91E3867A29DF90DBCADB6B2) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

app.any.run

hxxp://quarini.zzz.com(.)ua/Ice/
--> we took the name of this malware from this sample

JPHP Decompilation Notes
JPHP is a PHP implementation for the Java VM. Github page: jphp-group/jphp
There is no decompiler for this, afaik.

What I found out you can do:

Use 7zip to extract contents
open files with .phb extension in a hex editor
delete data up to the 0xCAFEBABE magic bytes, save result as .class file
use, e.g., Fernflower to decompile .class files to Java code

9. Hosting Domain
URL: hxxp://malina1306.zzz(.)com.ua
WHOIS: Whois Lookup Captcha
Translation of picture below (see spoiler):

Enter User
Download miner (v1)
Download miner (v2)

More files hosted on that page:

I freshly downloaded those:

visa.txt: empty
min.exe: NA
1.exe: (2/71) VirusTotal
klient.exe: (3/71) VirusTotal
klip.exe: 06a10cf99cc7c2d2ebc3e41300404e8f5816eb31a869d22835ade3a381199c0b (our sample)
winlogin.exe: NA
Winlogin.exe: (41/72) VirusTotal (coinminer)
stel.exe: (49/70) VirusTotal (PyInstaller compiled stealer)
MMMMMM.MMMM: c0a3b67b4056aeefd086edbe0c6ccb5fa7835505ef4ebe6220e5f914012e9e32 (JSON file with miner configuration)

dow_klip.txt: ba049d910ceccfd69af1df754fa4d9a23c7b9165cb2eb66b375ca195531bee2a (infected client data)
pr.txt: dd34bde50b956333b0d154ef88036b5b596b3952311ac46d8b98470590da96e2 (infected client data)
--> both files contain a listing with tuplets of of MAC address, operating system, RAM, processor, username (a lot of them Russian). I suspect these are infected clients.

upnorth · Nov 19, 2020

For those that don't know what the Olympic Destroyer was/is I can highly recommend watch it here :

Cybercrime - The Olympic Destroyer - 2018

Olympic Destroyer tells the story of one of the most deceptive hacks in history – the 2018 Pyeongchang Olympic Games. But what makes this hacking attempt so slippery? And what makes the response so ‘extraordinarily brilliant? Immense interesting investigation about the Olympic Destroyer. This...

malwaretips.com

Freud2004 · Nov 19, 2020

Was not Olympic Destroyer a Frankenstein malware? The real origin was ever revel?

Not locking good, has Black Friday approach the number off new treads will increase.

struppigel · Nov 19, 2020

I found the main code of the application (took me a while, since I didn't know how JPHP saves its files)
You see that Base64 string? That's the download URLs for the miner, miner config and WinRing0x64.sys.

Will update the first post with my findings later.

upnorth · Nov 19, 2020

struppigel said:
ТЕХНИЧЕСКОЕ_ЗАДАНИЕ_НА_РАЗРАБОТКУ_МОБИЛЬНОГО_ПРИЛОЖЕНИЯ.doc (can you provide the hash please?)
Comparing with Checkpoint research: New Strain of Olympic Destroyer Droppers - Check Point Research

Do you mean another file then from Checkpoints report?

VirusTotal

www.virustotal.com

struppigel · Nov 19, 2020

upnorth said:
Do you mean another file then from Checkpoints report?

VirusTotal

VirusTotal

www.virustotal.com

McMcbrad said there were similar files for our sample.
I haven't gotten any document related to our malware sample.

Andy Ful · Nov 19, 2020

The Ukrainian web hosting company ZZZ.com.ua was several times used to host malware for spam attacks:
https://www.avira.com/en/blog/forfiles-used-in-a-living-off-the-land-attack-to-spread-ransomware
related to Locdoor ransomware (DryCry)

https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
related to Win.Malware.Arkei-9753125-1

A Malicious Sight in Google Sites

Netskope Threat Research Labs discovered an interesting drive-by download attack in Google. The threat actor involved in this attack initially deployed a

www.netskope.com

related to LoadPCBanker

http://dedola.eu/malware.php
page=7, 20, 25, 34, 36, 43, 47, 48, 56, 57, 59-66, etc.
related to AzoRuit, PredatorTheThief, Evrial, and Coinminers

https://vulners.com/rst/RST:09E24F97-3B5B-3C28-B679-7CBD716C9AEA
https://www.threatcrowd.org/ip.php?ip=5.79.66.145

Here is a very interesting event of putting a Backdoor in a Ruby Password Strength Checking Library (on RubyGems) related to smiley.zzz.com[.]ua.
https://www.cyclonis.com/hackers-put-backdoor-in-ruby-password-strength-checking-library/

Andy Ful · Nov 19, 2020

Similar sample was analyzed there:

Analysis IceRat.exe (MD5: 5E864667D91E3867A29DF90DBCADB6B2) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

app.any.run

Instead of using klip.exe it used IceRat.exe and called to quarini[.]zzz[.]com[.]ua

struppigel · Nov 19, 2020

Andy Ful said:
Similar sample was analyzed there:

Analysis IceRat.exe (MD5: 5E864667D91E3867A29DF90DBCADB6B2) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

app.any.run

Instead of using klip.exe it used IceRat.exe and called to quarini[.]zzz[.]com[.]ua

Indeed, this is the same family. And now we have a name for it. Project name is also IceRAT.

struppigel · Nov 19, 2020

To be exact: The sample klip.exe 06a10cf99cc7c2d2ebc3e41300404e8f5816eb31a869d22835ade3a381199c0b
is only a coinminer downloader.

However, the sample klient.exe cebee34d5f0292befca058537bf2320dd1492afa26fb9af471155c9332046320
Has some command and control abilities. I did not see remote control in the sense of being able to move the mouse etc. It's a backdoor but not a RAT.
This file may also download stel.exe (the python stealer).
There are 2 server addresses:

server.assign("hxxp://malina1306.zzz.com(.)ua");
aserver.assign("hxxp://bests.zzz.com(.)ua");

The commands seem to be triggered by availability and contents of certain files on the server. See image below. If the file dow_stil.txt is available, it will download and persist the stealer. Same can be done with a clipbanker and a keylogger. The main purpose seems to be gathering credentials.

I am still making the code more readable and also writing detection signatures.

upnorth · Nov 19, 2020

Analysis http://quarini.zzz.com.ua/Ice/45.130.136.10/cmd.txt Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

app.any.run

The IceRat sample :

https://www.hybrid-analysis.com/sample/29c63169ffc5dfacef9245c0f3afae987525f9b164a17133e51f598d3b75120d/5fb67f855ebb8d446806a539

Andy Ful · Nov 19, 2020

It seems that klip.exe is a downloader as @struppigel has noticed. The downloaded & executed files seem very suspicious:

winring0x64.sys is used in legal software but this version is very old (2008-07-26) so using it for anything is very suspicious.
winlogin.exe is a BitCoinMiner (original name dwm.exe from Yandex) but there is something wrong with the digital signature.

The IP 95.211.16.67 points to 58 subdomains of ZZZ.com.ua:

Subdomain Finder - C99.nl

Subdomain Finder is a scanner that scans an entire domain to find as many subdomains as possible.

subdomainfinder.c99.nl

The malina1306.zzz.com.ua is now dead so this suggests a phishing subdomain. I have not investigated others, yet.

Andy Ful · Nov 19, 2020

The website malina1306.zzz.com.ua is alive now, I have possibly opened it before during replacing the content:

The new klip.exe still downloads the same BitCoinMiner as the older version:
hxxp://malina1306[.]zzz[.]com[.]ua/p/Winlogin.exe

I downloaded this file and compared it with OP.

Andy Ful · Nov 19, 2020

The disallowedcertstl.cab contains disallowedcert.stl:

VirusTotal

www.virustotal.com

Something wrong is with the digital certificate.
It was also involved in some malicious activity:

ForgottenSeer 89360 · Nov 19, 2020

I found an early and a lot more basic version of IceRat: https://hybrid-analysis.com/sample/...04ea7339deb1a896020e/5aceaffa7ca3e10b6e2be9cc
And a repository here:
hxxps://www.nhuttruong.com/2018/07/huge-rat-repository-450-rats-nearly.html?m=1[/URL]

struppigel · Nov 19, 2020

McMcbrad said:
I found an early and a lot more basic version of IceRat: https://hybrid-analysis.com/sample/...04ea7339deb1a896020e/5aceaffa7ca3e10b6e2be9cc

No, that's a different malware family. That file above is a .NET file that just happens to have the same name.

The size of the miner downloader (klip.exe) is that big because it is a JPHP EXE file. It contains the whole JPHP runtime alongside of being a Jar2Exe wrapped file. Even a hello world program would be that big.

Andy Ful · Nov 19, 2020

struppigel said:
No, that's a different malware family. That file above is a .NET file that just happens to have the same name.

The size of the miner downloader (klip.exe) is that big because it is a JPHP EXE file. It contains the whole JPHP runtime alongside of being a Jar2Exe wrapped file. Even a hello world program would be that big.

The same is true for AutoIt.

struppigel · Nov 20, 2020

I updated the first post. Will be looking more into klient.exe and stel.exe today.
I consider writing a small python script to extract and decompile JPHB code automatically.

upnorth · Nov 20, 2020

Here is a tiny bit of domain history from the Ukrainian host.

URLhaus | Checking your browser

urlhaus.abuse.ch

The Internet archive/Wayback machine didn't come up with anything.

Andy Ful · Nov 20, 2020

I checked the IPs in the former attacks (data from the last 12 months, dedoLa, see my first post). All attacks that used ZZZ.com.au were called to 37.48.72.4 and 5.79.66.145. The IceRat called to 5.79.66.145. The klip.exe calls to the new IP= 95.211.16.67.

There were several attacks (PredatorTheThief, Azoruit, SupremeMiner, MinerPanel, PonyLoader, DirtJumper) on similar IP=95.211.16.66 (many were from kl.com.ua, some from zzz.com.ua and other domains).
https://exchange.xforce.ibmcloud.com/ip/95.211.16.66

Some examples of SuperMiner, MinerPanel, DirtJumper from ZZZ.com.ua

For now, IBM found the Botnet related to IP=95.211.16.67, but not malware files:

95.211.16.67 IP Address Report

IBM X-Force Exchange is a threat intelligence sharing platform enabling research on security threats, aggregation of intelligence, and collaboration with peers

exchange.xforce.ibmcloud.com

Post edited (added VT links).

Malware Analysis JPHP IceRat analysis

Moderator

Moderator

Level 10

Moderator

Moderator

Moderator

From Hard_Configurator Tools

From Hard_Configurator Tools

Moderator

Moderator

Moderator

From Hard_Configurator Tools

From Hard_Configurator Tools

From Hard_Configurator Tools

ForgottenSeer 89360

Moderator

From Hard_Configurator Tools

Moderator

Moderator

From Hard_Configurator Tools

Similar threads