Malware analysis JPHP IceRat analysis

Status
Not open for further replies.

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
271
This sample was found by @McMcbrad.
We, that is @upnorth, @McMcbrad and me, have already started looking into this. We decided to continue in a public forum thread. I will use this first post as a compilation of what we found so far and keep updating it with new information.

@McMcbrad extracted the following URL from a weaponized document, which is where the sample is from: VirusTotal
Unfortunately we don't have this document. The first part of the infection chain that I found is a dropper.

The malware has a rather long infection chain. Outline:

Code:
Browes --> 1.exe --> cheats.exe --> klient.exe --> stel.exe
              |                        |    
           CryptoTabSetup              klip.exe --> Winlogin.exe
                                       |       \
                                  MMMMMM.MMMM  WinRing0x64.sys


1. Trojan Dropper: Browes.exe
Overview
VT: VirusTotal
File type: PE32, SFX file
Compile time: 2020-03-26 10:02:47
First submission: 2020-10-26 07:57:33

Behaviour
Dropper for 1.exe

2. Trojan Dropper: 1.exe
Overview
VT: VirusTotal
File type: Windows Cabinet file
Compile time: 2013-10-14 06:48:22
First submission: 2020-10-26 11:33:06

Behaviour
Dropper for cheats.exe and a CryptoTab Setup file

CryptoTab setup: VirusTotal
^This file is not malicious and probably used as a lure.

3. Downloader cheats.exe
Overview
VT: VirusTotal
File type: PE 32
Compiler: JPHP
Any.run: cheats.exe (MD5: DAE90AE7FE103FC7E1866B4E13389101) - Interactive analysis - ANY.RUN
SHA256: 0161540edfceb643389a28ebe7d1092639596325e8f40defe52192ab999d3d36

Behaviour
Downloads klient.exe, saves it in:
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\<random_name>.exe
  • %TEMP%\<random_name>.exe
The <random_name> is chosen from this list:
  • System
  • WindowsShell
  • exploler
  • antiDrw
  • antiSsl
  • ADB
  • Microsoft
  • system

4. Backdoor klient.exe
Overview

URL: hxxp://malina1306.zzz(.)com.ua/klient(.)exe
File type: PE 32
Compiler: JPHP
Compilation date: 2020-10-17 10:55:16
SHA256: cebee34d5f0292befca058537bf2320dd1492afa26fb9af471155c9332046320
VT: (3/71) VirusTotal
Malware type: Backdoor, controlled via C&C
C&C servers: hxxp://malina1306.zzz.com(.)ua and hxxp://bests.zzz.com(.)ua

Behaviour
Will check files on the C&C server and take actions depending on their contents.
Downloads, among others, klip.exe (coinminer downloader) and stel.exe (stealer).

Similar samples
VT relations tab shows that at least 2 more files have been provided by that URL. They are slightly different versions of the same threat.
Files provided by hxxp://malina1306.zzz(.)com.ua/klient(.)exe
(3/69) VirusTotal
(4/69) VirusTotal

5. Coinminer downloader klip.exe
Overview
This was the first sample we analyzed, but it is not the main sample.

Hosting URL: hxxp://malina1306.zzz(.)com.ua/klip.exe
File type: PE 32
Compiler: JPHP
Compilation date: 2020-11-05 19:28:34
SHA256: 06a10cf99cc7c2d2ebc3e41300404e8f5816eb31a869d22835ade3a381199c0b
Any.Run:
Malware type: Coinminer downloader

Behaviour
The sample downloads and drops this coinminer: VirusTotal
The download URL: hxxp://malina1306.zzz(.)com.ua/p/Winlogin(.)exe
The drop location: %TEMP%/Winlogin.exe

Downloads the coinminer's config (JSON file):
MMMMMM.MMMM --> c0a3b67b4056aeefd086edbe0c6ccb5fa7835505ef4ebe6220e5f914012e9e32

Also downloads and drops WinRing0.sys: VirusTotal
Download URL: hxxp://malina1306.zzz(.)com.ua/p/WinRing0x64(.)sys
This file is not malware in itself, but it seems to be abused by malware.

6. Stealer stel.exe
Overview
VT: (49/70) VirusTotal
Hosting URL: hxxp://malina1306.zzz(.)com.ua/stel.exe
File type: PE 32
Compiler: PyInstaller
Compilation date: 2020-08-08 12:30:37
Contact URLs: rudy.zzz(.)com.ua and malina1306.zzz(.)com.ua
Malware type: Credential stealer

Behaviour
Steals credentials:
  • Firefox
  • Yandex browser
  • Filezilla
  • Chrome
  • Amigo
  • kometa
  • Orbitum
  • Chromium
  • K-Melon

7. Attribution
@upnorth suspects a relationship to Olympic Destroyer due to the file name for the dropped file: Winlogin.exe
Comparing with Checkpoint research: New Strain of Olympic Destroyer Droppers - Check Point Research

Note: I removed attribution info that has no proof for a connection.

8. Older versions
klip.exe:
http://invalid666.zzz.com.ua/klip.exe - Interactive analysis - ANY.RUN

IceRat.exe:
hxxp://quarini.zzz.com(.)ua/Ice/
--> we took the name of this malware from this sample



JPHP Decompilation Notes
JPHP is a PHP implementation for the Java VM. Github page: jphp-group/jphp
There is no decompiler for this, afaik.

What I found out you can do:
  • Use 7zip to extract the contents
  • Open files with the .phb extension in a hex editor
  • Delete the data up to the 0xCAFEBABE magic bytes and save the result as a .class file
  • Use, e.g., Fernflower to decompile the .class files to Java code


9. Hosting Domain
URL: hxxp://malina1306.zzz(.)com.ua
WHOIS: Whois Lookup Captcha
Translation of picture below (see spoiler):
Enter User
Download miner (v1)
Download miner (v2)
manila_panel.png
More files hosted on that page:
hosted_files.png

I freshly downloaded those:

visa.txt: empty
min.exe: NA
1.exe: (2/71) VirusTotal
klient.exe: (3/71) VirusTotal
klip.exe: 06a10cf99cc7c2d2ebc3e41300404e8f5816eb31a869d22835ade3a381199c0b (our sample)
winlogin.exe: NA
Winlogin.exe: (41/72) VirusTotal (coinminer)
stel.exe: (49/70) VirusTotal (PyInstaller compiled stealer)
MMMMMM.MMMM: c0a3b67b4056aeefd086edbe0c6ccb5fa7835505ef4ebe6220e5f914012e9e32 (JSON file with miner configuration)

dow_klip.txt: ba049d910ceccfd69af1df754fa4d9a23c7b9165cb2eb66b375ca195531bee2a (infected client data)
pr.txt: dd34bde50b956333b0d154ef88036b5b596b3952311ac46d8b98470590da96e2 (infected client data)
--> both files contain a listing with tuples of MAC address, operating system, RAM, processor, username (a lot of them Russian). I suspect these are infected clients.
listing.png
 
Last edited:
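The .phb carving steps from the JPHP decompilation notes in the first post, as an added Python example that is not from the thread or the JPHP project. It assumes the archive contents have already been extracted with 7zip into a directory, and it picks the first CAFEBABE that is followed by a plausible class-file version so a stray CAFEBABE inside the JPHP header is not mistaken for the class start.

```python
import struct
from pathlib import Path

# Java class files start with this magic; JPHP's .phb files prepend their own
# header before it, which is the part the notes say to delete in a hex editor.
CLASS_MAGIC = b"\xCA\xFE\xBA\xBE"


def carve_class(phb_data: bytes):
    """Return the Java class bytes embedded in a .phb blob, or None.

    Everything before the accepted CAFEBABE magic is treated as JPHP header
    and dropped. The class-file version right after the magic is checked so
    that a decoy CAFEBABE inside the header is skipped.
    """
    start = 0
    while True:
        idx = phb_data.find(CLASS_MAGIC, start)
        if idx < 0 or idx + 8 > len(phb_data):
            return None
        # class file layout: magic, minor_version (u2), major_version (u2)
        _minor, major = struct.unpack(">HH", phb_data[idx + 4:idx + 8])
        # major versions 45 (JDK 1.1) up to 70 cover every released JDK so far
        if 45 <= major <= 70:
            return phb_data[idx:]
        start = idx + 1


def carve_directory(src_dir, out_dir):
    """Carve every .phb under src_dir into a .class file under out_dir.

    src_dir is assumed to hold the contents already extracted with 7zip.
    Returns the list of written .class paths so the result can be checked.
    """
    src, out = Path(src_dir), Path(out_dir)
    written = []
    for phb in src.rglob("*.phb"):
        cls = carve_class(phb.read_bytes())
        if cls is None:
            continue  # no class header found; not a JPHP-compiled file
        target = out / phb.relative_to(src).with_suffix(".class")
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(cls)
        written.append(target)
    return written


if __name__ == "__main__":
    import sys
    for path in carve_directory(sys.argv[1], sys.argv[2]):
        print("wrote", path)
```

The written .class files can then be fed to Fernflower as described in the notes.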

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,170
For those that don't know what the Olympic Destroyer was/is, I can highly recommend watching it here:
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
271
I found the main code of the application (took me a while, since I didn't know how JPHP saves its files).
You see that Base64 string? That's the download URLs for the miner, miner config and WinRing0x64.sys.
main_code.png

Will update the first post with my findings later.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,170

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,650
The Ukrainian web hosting company ZZZ.com.ua was used several times to host malware for spam attacks:
https://www.avira.com/en/blog/forfiles-used-in-a-living-off-the-land-attack-to-spread-ransomware
related to Locdoor ransomware (DryCry)

https://blog.talosintelligence.com/2020/09/threat-roundup-0911-0918.html
related to Win.Malware.Arkei-9753125-1

related to LoadPCBanker

http://dedola.eu/malware.php
page=7, 20, 25, 34, 36, 43, 47, 48, 56, 57, 59-66, etc.
related to AZORult, PredatorTheThief, Evrial, and Coinminers

https://vulners.com/rst/RST:09E24F97-3B5B-3C28-B679-7CBD716C9AEA
https://www.threatcrowd.org/ip.php?ip=5.79.66.145

Here is a very interesting event of putting a Backdoor in a Ruby Password Strength Checking Library (on RubyGems) related to smiley.zzz.com[.]ua.
https://www.cyclonis.com/hackers-put-backdoor-in-ruby-password-strength-checking-library/
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
271

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
271
To be exact: the sample klip.exe 06a10cf99cc7c2d2ebc3e41300404e8f5816eb31a869d22835ade3a381199c0b is only a coinminer downloader.

However, the sample klient.exe cebee34d5f0292befca058537bf2320dd1492afa26fb9af471155c9332046320 has some command and control abilities. I did not see remote control in the sense of being able to move the mouse etc. It's a backdoor but not a RAT.
This file may also download stel.exe (the python stealer).
There are 2 server addresses:
server.assign("hxxp://malina1306.zzz.com(.)ua");
aserver.assign("hxxp://bests.zzz.com(.)ua");
The commands seem to be triggered by availability and contents of certain files on the server. See image below. If the file dow_stil.txt is available, it will download and persist the stealer. Same can be done with a clipbanker and a keylogger. The main purpose seems to be gathering credentials.

down_stil.png

I am still making the code more readable and also writing detection signatures.
 
Last edited:

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,170

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,650
It seems that klip.exe is a downloader as @struppigel has noticed. The downloaded & executed files seem very suspicious:
  • winring0x64.sys is used in legal software but this version is very old (2008-07-26) so using it for anything is very suspicious.
  • winlogin.exe is a BitCoinMiner (original name dwm.exe from Yandex) but there is something wrong with the digital signature.
The IP 95.211.16.67 points to 58 subdomains of ZZZ.com.ua:
malina1306.zzz.com.ua is now dead, so this suggests a phishing subdomain. I have not investigated the others yet.
 
Last edited:

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
271
No, that's a different malware family. That file above is a .NET file that just happens to have the same name.

The size of the miner downloader (klip.exe) is that big because it is a JPHP EXE file. It contains the whole JPHP runtime alongside of being a Jar2Exe wrapped file. Even a hello world program would be that big.
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,650
No, that's a different malware family. That file above is a .NET file that just happens to have the same name.

The size of the miner downloader (klip.exe) is that big because it is a JPHP EXE file. It contains the whole JPHP runtime alongside of being a Jar2Exe wrapped file. Even a hello world program would be that big.
The same is true for AutoIt.:)
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,650
I checked the IPs in the former attacks (data from the last 12 months, dedola, see my first post). All attacks that used ZZZ.com.ua called to 37.48.72.4 and 5.79.66.145. The IceRat called to 5.79.66.145. The klip.exe calls to the new IP 95.211.16.67.

There were several attacks (PredatorTheThief, AZORult, SupremeMiner, MinerPanel, PonyLoader, DirtJumper) on the similar IP 95.211.16.66 (many were from kl.com.ua, some from zzz.com.ua and other domains).
https://exchange.xforce.ibmcloud.com/ip/95.211.16.66

Some examples of SuperMiner, MinerPanel, DirtJumper from ZZZ.com.ua:

For now, IBM found the Botnet related to IP 95.211.16.67, but not malware files:

Post edited (added VT links).
 
Last edited: