Malware analysis JPHP IceRat analysis


McMcbrad

Level 20
Oct 16, 2020
967
There are new domains and samples correlated today:
And there is another version of klip.exe:
 

McMcbrad

Level 20
Oct 16, 2020
967
The website malina1306.zzz.com.ua is alive now, I have possibly opened it before during replacing the content:

The newly discovered klip.exe doesn't download the winring driver anymore. Instead it does what I see very frequently nowadays. It downloads a *.cab file from
hxxp://ctldl().windowsupdate().com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?751f87e719573c38
It contains a file named disallowedcert.stl. I am not sure how this is utilised. You mentioned the dwm.exe (spoofing Windows process), renamed to winlogin.exe, has an invalid signature. Maybe this is trying to block any warnings from Windows not to run the file...
It also downloads additional content, all related to certificates:

Unfortunately I can't download the sample and can't find out.
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
246
No, that's a different malware family. That file above is a .NET file that just happens to have the same name.

The size of the miner downloader (klip.exe) is that big because it is a JPHP EXE file. It contains the whole JPHP runtime alongside of being a Jar2Exe wrapped file. Even a hello world program would be that big.
 

McMcbrad

Level 20
Oct 16, 2020
967
No, that's a different malware family. That file above is a .NET file that just happens to have the same name.

The size of the miner downloader (klip.exe) is that big because it is a JPHP EXE file. It contains the whole JPHP runtime alongside of being an ExeToJar wrapped file. Even a hello world program would be that big.
I’m not a fan of Java and now JPHP was brought to my life 🤣🤣🤣🤣🤣
This is probably the first JPHP file that I see.
 

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,629
No, that's a different malware family. That file above is a .NET file that just happens to have the same name.

The size of the miner downloader (klip.exe) is that big because it is a JPHP EXE file. It contains the whole JPHP runtime alongside of being a Jar2Exe wrapped file. Even a hello world program would be that big.
The same is true for AutoIt.:)
 

McMcbrad

Level 20
Oct 16, 2020
967
The same is true for AutoIt.:)
I’ve noticed AutoIT malware executables are rather large. They are usually >3mb.
I found myself a task now... hopefully I will be able to decompile some😅

My guess is that this is a toolkit for sale. Once criminals are being paid and depending on what you’ve ordered, they will register a domain, load it with the necessary files and configuration, and recompile with new link, so distribution can be started.
Effectiveness can then be monitored via data about infected victims, stored in plain text.

I’ve now contacted the hornet nest zzz.com.ua and pointed them to this page, so hopefully this can be disturbed at least temporarily.
 

McMcbrad

Level 20
Oct 16, 2020
967
Here is a tiny bit of domain history from the Ukrainian host.

The Internet archive/Wayback machine didn't come up with anything.
I just grabbed one of them that felt related (klip.exe is the sample I discovered and clip.zzz.com.ua is the URL). Upon checking on VirusTotal, I can see that it resolves to the same IP, 95.211.16.66. This is definitely the same group. According to URLhaus, this has been involved in an ArkeiStealer attack.

This IP keeps serving content to date and a plethora of new domains are registered every day:



In this video we can see a tutorial on how to use the toolkit, and we can see the Russian language again.
I wouldn't be surprised if stel.exe turns out to be related.
It is named "Advanced Password + Wallet Stealer" which confirms what I initially thought - that one of the samples should be ClipBanker.


You can have a look at other videos by the same user, named "Dominant". They are all tutorials for hacktools. We can see that "Dominant" effectively dominates the PHP language. klips.exe and klient.exe are written in JPHP.


However, this IP is far away from being the only one involved.
5.79.66.145 is another offender that keeps registering domains on a daily basis:
I can't prove they are the same group at the moment, but the way they name and format the domain names/file names feels the same.
The IP is also owned by AS 60781 ( LeaseWeb Netherlands B.V. ), just like 95.211.16.66. They also abuse the same hosting service, namely zzz.com.ua.






Another URL listed on Abuse.Ch is http://giftm.zzz.com.ua/klipper.exe.
This is now dead, but it has distributed a sample named klipper.exe (similar to klip.exe) as early as 2018.
The IP resolves to 37.48.72.4, in the Netherlands again.
It has distributed a file named
This has been a version of AzoruIt.

If all that is right, then my suspicion and intuition that this whole thing serves a purpose much greater than mining 0.00000001 BTC was totally correct.
Mine and @Andy Ful's correlations to AzoruIt and Predator the Thief are also correct.

So now we have the project name, we have the code under inspection and we also know the group behind all that - CobaltGroup.

Sergiu Sechel is a CyberSecurity Researcher at Eyenews. https://twitter.com/sergiusechel?
 

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,629
I checked the IPs in the former attacks (data from the last 12 months, dedoLa, see my first post). All attacks that used zzz.com.ua were called to 37.48.72.4 and 5.79.66.145. The IceRat called to 5.79.66.145. The klip.exe calls to the new IP= 95.211.16.67.

There were several attacks (PredatorTheThief, Azoruit, SupremeMiner, MinerPanel, PonyLoader, DirtJumper) on the similar IP=95.211.16.66 (many were from kl.com.ua, some from zzz.com.ua and other domains).
https://exchange.xforce.ibmcloud.com/ip/95.211.16.66

Some examples of SuperMiner, MinerPanel, DirtJumper from ZZZ.com.ua

For now, IBM found the Botnet related to IP=95.211.16.67, but not malware files:

Post edited (added VT links).
 

McMcbrad

Level 20
Oct 16, 2020
967
I checked the IPs in the former attacks (data from the last 12 months, dedoLa, see my first post). All attacks that used zzz.com.ua were called to 37.48.72.4 and 5.79.66.145. The IceRat called to 5.79.66.145. The klip.exe calls to the new IP= 95.211.16.67.

There were several attacks (PredatorTheThief, Azoruit, SupremeMiner, MinerPanel, PonyLoader, DirtJumper) on the similar IP=95.211.16.66 (many were from kl.com.ua, some from zzz.com.ua and other domains).
https://exchange.xforce.ibmcloud.com/ip/95.211.16.66

Some examples of SuperMiner, MinerPanel, DirtJumper from ZZZ.com.ua
https://exchange.xforce.ibmcloud.com/malware/B7002F59D1F2D3C74F8A11A12C49AAA4
https://exchange.xforce.ibmcloud.com/malware/EFE83FC366E4CEFAD65118B83EB36CCE
https://exchange.xforce.ibmcloud.com/malware/E12AB48B801CC62A201960F1F577270C
https://exchange.xforce.ibmcloud.com/malware/02A3E7B500313A4E6DA86EFE5836D1AF
https://exchange.xforce.ibmcloud.com/malware/8712CEEA541673818A42DF7A3DA36AA0

For now, IBM found the Botnet related to IP=95.211.16.67, but not malware files:
According to a report from Trend Micro found here: CVE-2017-11882 Exploited to Deliver a Loki Infostealer
The Cobalt hacking group was one of the first to promptly and actively exploit CVE-2017-11882 (patched last November) in their cybercriminal campaigns. We uncovered several others following suit in early December, delivering a plethora of threats that included Pony/FAREIT, FormBook, ZBOT, and Ursnif. Another stood out to us: a recent campaign that used the same vulnerability to install a “cracked” version of the information-stealing Loki.

This Ursnif variant makes use of LOLBins (as also pointed out in this blog). For instance, LOLBins are utilized to start the malware from the registry (mshta.exe + powershell.exe). Furthermore, LOLSnif is capable of download and execute further modules as well as payloads. For instance, a recent blog post mentions that the associated actor dropped a Cobalt Strike BEACON as well as a legitimate TeamViewer VNC client.

The Cobalt Strike group is highly sophisticated and is known to deliver extortive malware, but that's just the beginning. The decentralised network employs money mules in the Netherlands (where all IPs lead to), Bulgaria and various other Eastern European countries.

LeaseWeb provides cloud hosting, but it looks like this group relies heavily on their services, which is somewhat unique. They must all be related, if not the same.
 

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,629
I am probably the last one who finally noticed that IceRat.exe and klip.exe are not only similar but in fact the same malware, despite the different hashes (but Vhash and Imphash are the same). They have almost identical sections (except .rsrc which differs only by hash and Chi2, but have the same Virtual Address - Virtual Size - Raw Size - Entropy). Furthermore they have identical Resources.:unsure:(y)
 

McMcbrad

Level 20
Oct 16, 2020
967
Another IP
I am probably the last one who finally noticed that IceRat.exe and klip.exe are not only similar but in fact the same malware, despite the different hashes (but Vhash and Imphash are the same). They have almost identical sections (except .rsrc which differs only by hash and Chi2, but have the same Virtual Address - Virtual Size - Raw Size - Entropy). Furthermore they have identical Resources.:unsure:(y)
klip.exe is a slightly updated version of IceRat.exe, but I am unsure where the IceRat comes from. I am unable to find any data on that, except some minor RAT project, not related to that at all. It might be a project that has remained undetected until now...
Also, no idea how it ended up there. Who found it and named it IceRat.exe?
Klipper.exe seems to be the first sample, available on urlhaus. It dates back to 2018... This is not a project from yesterday, yet there are no reports over JPHP malware anywhere.
Another thing that I find weird is that all downloaders, namely cheats.exe and klip.exe, are highly sophisticated. However, the content they download is a far cry from being a masterpiece in the malware field. The stealer is detected by almost 50 AVs, the driver winring0x64.sys is of unknown use, the Winlogin.exe is an old executable with a digital signature that expired Feb 2020...
 

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,629
Another IP

klip.exe is a slightly updated version of IceRat.exe, but I am unsure where the IceRat comes from. I am unable to find any data on that, except some minor RAT project, not related to that at all. It might be a project that has remained undetected until now...
Also, no idea how it ended up there. Who found it and named it IceRat.exe?
Yes, it calls different IPs and subdomains, but there can be a built-in choice for several IPs and subdomains. It is hard to update the EXE and preserve such similarity of sections and resources. If so, then one could even make modifications in a hex editor by changing the values of some bytes. I doubt if anything else was changed.

Post edited.
I examined both binaries in the hex editor. The differences are too big for manual changes in the hex editor. I compared my executables made in AutoIt (slightly different versions of the same program). If one makes the changes in the code, then after compilation the differences are often seen only in the .rsrc section - the values of the section's hash, Virtual Size, Raw Size, and Chi2 will be usually different. If additionally the Virtual Size and Raw Size do not differ, this can suggest that the program was only slightly modified.
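The section comparison Andy Ful describes in the two posts above (same Virtual Address, Virtual Size and Raw Size, but a different .rsrc hash and entropy, pointing to a small rebuild rather than a new program) can be automated. The script below is an added example and not code from anyone in this thread; it parses the IMAGE_SECTION_HEADER table of two PE files with the standard library only and lists, per section, which fields differ. The two PE images it compares are constructed in the script (a minimal header plus a .text and a .rsrc section), so it runs offline; point parse_sections at real files by reading them into bytes.

```python
"""Compare the section tables of two PE images: identical layout fields with a
different .rsrc hash/entropy suggests a lightly modified rebuild.
Standard library only; SAMPLE_A and SAMPLE_B are constructed test images."""
import hashlib
import math
import struct
from collections import Counter

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty data and 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> dict:
    """Return {section name: {field: value}} for every section header in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # start of the COFF file header
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows the optional header
    sections = {}
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, _ = SECTION_HDR.unpack_from(
            image, table + i * SECTION_HDR.size)
        raw = image[rawptr:rawptr + rawsize]
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = {
            "VirtualAddress": vaddr,
            "VirtualSize": vsize,
            "RawSize": rawsize,
            "Entropy": round(shannon_entropy(raw), 3),
            "SHA256": hashlib.sha256(raw).hexdigest(),
        }
    return sections


def diff_sections(a: dict, b: dict) -> dict:
    """Map each section name to the list of fields that differ (empty list = identical)."""
    out = {}
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            out[name] = ["missing in one file"]
        else:
            out[name] = [k for k in a[name] if a[name][k] != b[name][k]]
    return out


def compare(image_a: bytes, image_b: bytes) -> dict:
    return diff_sections(parse_sections(image_a), parse_sections(image_b))


def build_pe(sections) -> bytes:
    """Construct a minimal PE32 image from (name, raw_bytes) pairs.
    Constructed test data: just enough header for a section-table parser."""
    file_align, sect_align, opt_size = 0x200, 0x1000, 0xE0
    hdr_end = 0x40 + 4 + 20 + opt_size + SECTION_HDR.size * len(sections)
    first_raw = -(-hdr_end // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    table, body = bytearray(), bytearray()
    vaddr, rawptr = sect_align, first_raw
    for name, raw in sections:
        rawsize = -(-len(raw) // file_align) * file_align
        table += SECTION_HDR.pack(name.ljust(8, b"\0"), len(raw), vaddr, rawsize,
                                  rawptr, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(rawsize, b"\0")
        vaddr += -(-len(raw) // sect_align) * sect_align
        rawptr += rawsize
    image = (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0")
    return bytes(image + body)


TEXT = bytes(range(256)) * 4                 # identical "code" in both constructed images
RSRC_A = b"CONFIG-BLOB-AAAA" * 16            # resources differ in content...
RSRC_B = b"CONFIG-BLOB-ABCD" * 16            # ...but not in size
SAMPLE_A = build_pe([(b".text", TEXT), (b".rsrc", RSRC_A)])
SAMPLE_B = build_pe([(b".text", TEXT), (b".rsrc", RSRC_B)])

if __name__ == "__main__":
    for name, fields in compare(SAMPLE_A, SAMPLE_B).items():
        print(f"{name:8s} differs in: {fields or 'nothing'}")
```

With the constructed pair, .text reports no differences and .rsrc reports only Entropy and SHA256, which is the pattern Andy Ful describes for the IceRat.exe/klip.exe pair; a real rebuild with added code would also move VirtualSize and RawSize.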
 

McMcbrad

Level 20
Oct 16, 2020
967
Yes, it calls different IPs and subdomains, but there can be a built-in choice for several IPs and subdomains. If so, then one could probably make modifications in a hex editor by changing the values of some bytes. I doubt if anything else was changed.
When I discovered the klip.exe, it had a detection rate of 3/69, where 2 were Kaspersky and ZoneAlarm, reducing the total number to 2.
All malware hosted in the "hornet nest" had low detection levels, except the Winlogin component, which has an expired signature. Initially, I thought it was 0-day, but now it looks like all these samples are pretty old.

The first klip.exe however, looks like it's been packed. It contains a .upx1 file rather large in size.
This might be absolutely the same code, just packed in a different way. This sample is uploaded on anyrun Aug 2019.
I'm trying to unpack it, but it's saying "not packed by UPX"...

They are only changing what's before .zzz.com.ua and everything else remains same, but they have encoded the URLs into a base64 string... not sure how they change that.
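Since the samples carry their URLs as base64 strings and only the part before .zzz.com.ua changes between builds, a quick triage step is to pull the decoded URLs out of a binary and group them by host, so each new build can be checked against the known parent domain. The script below is an added example and not code from this thread; it uses only the standard library, and the sample blob and the example.invalid URLs in it are constructed test data, not bytes or addresses from any real sample.

```python
"""Triage helper: find base64-encoded URLs inside a binary blob and group them by host.
Standard library only; SAMPLE_BLOB and the example.invalid URLs are constructed."""
import base64
import binascii
import re
from urllib.parse import urlsplit

# A run of at least 16 base64-alphabet characters with optional '=' padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
URL_PREFIXES = (b"http://", b"https://")


def decode_b64_urls(blob: bytes) -> list:
    """Return every URL that a base64 run in `blob` decodes to (deduplicated, in order)."""
    urls = []
    for match in B64_RUN.finditer(blob):
        core = match.group(0).rstrip(b"=")
        pad = (-len(core)) % 4
        if pad == 3:                       # no valid base64 string has this length
            continue
        try:
            decoded = base64.b64decode(core + b"=" * pad, validate=True)
        except binascii.Error:
            continue
        if decoded.startswith(URL_PREFIXES):
            url = decoded.decode("ascii", "replace")
            if url not in urls:
                urls.append(url)
    return urls


def hosts(urls) -> set:
    """Hostnames of the decoded URLs: the part rotated between builds under a shared parent domain."""
    return {urlsplit(u).hostname for u in urls}


# Constructed blob: two encoded URLs, a decoy base64 string and some non-base64 bytes.
URL_1 = b"http://sub1.example.invalid/klip.exe"
URL_2 = b"https://sub2.example.invalid/cfg.txt"
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + base64.b64encode(URL_1) + b"\x00\x00"
    + base64.b64encode(b"not a URL, just a long decoy string") + b"\x00"
    + b"A" * 24 + b"\x00"                  # decodes to zero bytes, filtered out
    + base64.b64encode(URL_2) + b"\x00"
)

if __name__ == "__main__":
    found = decode_b64_urls(SAMPLE_BLOB)
    for u in found:
        print(u)
    print("hosts:", sorted(hosts(found)))
```

Run it against a file by passing the file's bytes to decode_b64_urls; the pad check and validate=True keep random base64-looking runs from being reported, and anything that does not decode to an http(s) URL is dropped.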
 