
What’s in a Hash?

WARNING: This post contains links to live malware sites; visit/handle with great caution

Malware research, armed with just a single hash value such as an MD5 of a suspect file, can yield amazing results. In this tutorial, join me for an adventure in malware discovery using just a hash, a browser, Notepad and/or Wireshark to blow the doors off a large-scale malware campaign. We did not have to test any code behaviorally or perform any reverse engineering. This was originally accomplished in a hands-on class over a 90-minute period in August 2015.

Setup.exe is a questionable file. HashCalc is a freeware Windows program used to identify the MD5 hash of this file, a0efd46f0a698d83cf38e35b0c62e55c. Googling for this exact hash we find several leads of interest. I use CTRL-click on each link to load up the 12 or 13 result pages concurrently while I begin to read the first tab that is loaded. This is more efficient as I aggregate open source intelligence (OSINT) leads for the file in question. Results scraped from OSINT are below:
Meta-data:
sha1:159d3ff38f34b454214510d088d11a4a2b55b471
type:PE32 executable (GUI) Intel 80386, for MS Windows
sha256:8ab70ab897cfda8298de8871aa75a36fd58d5509e2ae8c3df563bbc3a36bd1f1
crc32:9D85298B
ssdeep:98304:ndVEzssO8Ol4v6+bkvhkKk9PzcckSKwohqy7uCWxqoF27u2Gi+A5qXHD:ElOl4i+bkpwJzglRT7cx67u2ID
size:5300144
md5:a0efd46f0a698d83cf38e35b0c62e55c
digitally signed: SHANGHAI FENGHAN NETWORK INFORMATION TECHNOLOGY STUDIO, 694E2E0ECECA0C1410EC755324F4D446
Compilation timestamp:9/4/2014 1:19:34 PM (take note that this file was reportedly compiled in September of LAST year)

Family AV Aliases:
HfsAdware, Winlock, PUP, Softcnapp

Behavioral
Probable Nullsoft (NSIS) installer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\lsl.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Hintsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Sicent
HKEY_LOCAL_MACHINE\SOFTWARE\Goyoo

Installs for auto-run startup/persistence.

Netflow
Listens on 127.0.0.1

Attribution
Contains simplified Chinese language

Related
Matching on the alias Softcnapp, Scumware.org lists multiple hits for 183.136.166.248, hosted in China. This also matches the CN data found within the code, possibly suggesting CN-related authorship and/or attack. Multiple links of interest are below, including an AdDisplay payload and an exploit that appear to be within the same adware context. This may also suggest a drive-by exploit being used to install the adware. IOCs are below:

Date URL MD5 IP Country Threat Classification
2015-08-13 23:22:33 http://fast.yingyonghui.com/a55c220d11c810c7361… 7B06DDEBF134429BB56D74D5597B80CA 183.136.166.248 CN Android/AdDisplay.Waps.L potentially unwanted application
2015-08-13 03:46:12 http://down.downxiazai.org/fHcPR/Dq693VNWfvt A0EFD46F0A698D83CF38E35B0C62E55C 183.136.166.248 CN Win32/Softcnapp.C.gen potentially unwanted application
2015-08-12 19:41:19 http://down.xiazaidown.org/cx/201508101/18/setu… 7D4D9FFC19B3D0ACF0CF82C6B7CD6E8F 183.136.166.248 CN Win32/Softcnapp.C.gen potentially unwanted application
2015-08-06 01:28:05 http://down.xiazaicdn.ren/cx/2015072914/81/setu… A0EFD46F0A698D83CF38E35B0C62E55C 183.136.166.248 CN Win32/Softcnapp.C.gen potentially unwanted application
2015-08-03 02:30:14 http://down.xiazai.es/5h7TD99K/MB1PorayVvm A0EFD46F0A698D83CF38E35B0C62E55C 183.136.166.248 CN Win32/Softcnapp.C.gen potentially unwanted application
2015-08-02 14:20:18 http://down.downcdn.net/Pk64s/o03e0xq7qld A0EFD46F0A698D83CF38E35B0C62E55C 183.136.166.248 CN Win32/Softcnapp.C.gen potentially unwanted application
2015-07-28 11:53:35 http://down.haodown.org/WI6Yp5Yvb/dMbc0FidfQm A0EFD46F0A698D83CF38E35B0C62E55C 183.136.166.248 CN Win32/Softcnapp.C.gen potentially unwanted application
2014-09-11 12:29:24 http://183.136.166.248/m.wdjcdn.com/apk.wdjcdn…. 4C0BECCA04C65B6F231B8B5FB6F46929 183.136.166.248 CN Android/Exploit.Towel.A trojan
2014-08-13 19:14:45 http://fd3.yingyonghui.com/1bd058353b899ca30fcd… 791C7222139B2CB8191E0ED1B9FC4E3D 183.136.166.248 CN Android/AdDisplay.Dianle.A potentially unwanted application
2014-08-11 18:19:40 http://attach.anzhi.com/forum/201205/29/213216a… 5A37C531EFC1AFEF3C35DF5C3F45F775 183.136.166.248 CN Android/Exploit.Lotoor.AK trojan

The above clearly shows a strong relationship by family attribution and geolocation associated with the one IP 183.136.166.248. Searching data sets just for this IP and/or performing domain intelligence (reverse-IP, passive history, registrant, etc.) may yield strong results for additional IOCs and/or attribution. Another IP of interest, 125.39.5.8, also hosted in China, has similar malware hosting:

Date URL MD5 IP Country Threat Classification
2015-08-12 14:13:52 http://xiazhai.tuizhong.com/cx/201507011/13/set… A0EFD46F0A698D83CF38E35B0C62E55C 125.39.5.8 CN Win32/Softcnapp.C.gen potentially unwanted application
2015-08-12 08:19:45 http://down.downxiazai.org/7x8KeI/6hKze2jtlsR A0EFD46F0A698D83CF38E35B0C62E55C 125.39.5.8 CN Win32/Softcnapp.C.gen potentially unwanted application
2015-08-09 05:39:44 http://down.downxiazai.org/X9fLMuFb/Kt8P4xwgGIv… A0EFD46F0A698D83CF38E35B0C62E55C 125.39.5.8 CN Win32/Softcnapp.C.gen potentially unwanted application
2015-08-06 05:43:07 http://down.cdnxiazai.wang/ltwt9kha0l/mXQ5o1AWq… A0EFD46F0A698D83CF38E35B0C62E55C 125.39.5.8 CN Win32/Softcnapp.C.gen potentially unwanted application
2015-08-04 03:02:38 http://xiazai.cdndown.net/cx/2015072914/100/set… 2CB949310D8A267961E3827E6B00EA8C 125.39.5.8 CN Win32/Softcnapp.C.gen potentially unwanted application
2015-07-31 02:40:22 http://cdn6.down.apk.gfan.com/asdf/Pfiles/2014/… 3C10F154FB20BDF4974AB185CDF2CF67 125.39.5.8 CN Android/AdDisplay.Djoy.A potentially unwanted application
2015-07-04 01:02:10 http://down.xiazaicdn.pw/r34K9r44GR/514JA9Z= 52A5C36F5917D128F003580E2F808264 125.39.5.8 CN Win32/Softcnapp.C.gen potentially unwanted application
2015-06-29 23:46:37 http://down.downcdn.in/0mCIEGb6U/Bon31ryCG2= 52A5C36F5917D128F003580E2F808264 125.39.5.8 CN Win32/Softcnapp.C.gen potentially unwanted application
2015-06-29 10:11:38 http://down.haodown.in/1uJknIE57/pHTg12kKRwJ/se… 52A5C36F5917D128F003580E2F808264 125.39.5.8 CN Win32/Softcnapp.C.gen potentially unwanted application
2015-06-29 09:54:31 http://down.downxiazai.org/L9xf1RBQC/Mq6Dawhh3W… 52A5C36F5917D128F003580E2F808264 125.39.5.8 CN Win32/Softcnapp.C.gen potentially unwanted application

Clean-MX has a full link, alive at the time of analysis, tied to the exact hash we started researching: http://xiazai.cdndown.net/cx/2015071710/114/setup_0448UWt0.exe. This link does in fact serve up an executable with MD5 hash a0efd46f0a698d83cf38e35b0c62e55c, the same file we have been researching. Going to the link without calling that exact EXE gives us another download with the same name and hash. Analyzing the domain and/or URL may help reveal where the attack that leads to an infection comes from.

Additional leads exist on other pages such as https://cymon.io/125.39.5.8. Moving on we see that VirusTotal has analyzed the hash of interest with many filenames that are all numeric but similar, https://www.virustotal.com/en/file/8ab70ab897cfda8298de8871aa75a36fd58d5509e2ae8c3df563bbc3a36bd1f1/analysis/1439304397/, with filenames such as 79460841, 79460846 and so on. Comments and behavioral analysis in that report reveal several important elements:

submitname:"setup_1820MF7D.ex_"
vxstream-threatscore:100/100
memurl:"http://nsis.sf.net/NSIS_Error"
domains:"confignew.3lsoft.com"
hosts:"121.40.77.49:80"
source:https://www.hybrid-analysis.com/sample/8ab70ab897cfda8298de8871aa75a36fd58d5509e2ae8c3df563bbc3a36bd1f1?environmentId=6
confignew.3lsoft.com (121.40.120.230)

Reviewing the Hybrid Analysis sandbox report we see the same C&C domain at 3lsoft.com but a different IP, 121.40.77.49. Additional research is needed to follow up on these leads. Doing a little content inspection, we download the PCAP from the Hybrid Analysis site and open it in Wireshark. Exporting HTTP objects we see just one, 14.html, and save it to disk. We also follow the stream starting on packet 25 and see that it returns the following:

GET /20141128/14.html HTTP/1.0
Host: confignew.3lsoft.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
X-Powered-By: ASP.NET
Date: Mon, 10 Aug 2015 09:18:14 GMT
Connection: close
Content-Length: 7080

[rec]
N_4=360……..
Z_4=46
O_4=1
B_4=0
D_4=…………
I_4=http://downcdn1.shgaoxin.net/shichangbu/ico/360sd.ico
U_4=http://downcdn1.shgaoxin.net/ysqd/20140415/qh.gif
F_4=Setup_oemyinsudz1.exe
P_4=/S
C_4=
R_4=
S_4=
V_4=
M_4=
X_4=
FN_4=
FU_4=

N_1=……..
Z_1=166
O_1=1
B_1=0
D_1=…………
I_1=http://downcdn1.shgaoxin.net/shichangbu/ico/game_cqby.ico
U_1=http://d.92youx.com/yx/roxj/sqcs/917794/vacatiot.exe
F_1=vacatiot.exe
P_1=
C_1=
R_1=
S_1=
V_1=
M_1=
X_1=
Y_1=1
L_1=
FN_1=
FU_1=

N_2=……….
Z_2=84
O_2=1
B_2=0
D_2=……….
I_2=http://downcdn1.shgaoxin.net/shichangbu/ico/baiduime.ico
U_2=http://downcdn1.shgaoxin.net/shichangbu/bdimesetupstandalone.gif
F_2=bdl.exe
P_2=
L_2=2
C_2=2
R_2=2
S_2=SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduPinyin
V_2=UninstallString
M_2=
X_2=1
FN_2=
FU_2=

N_3=……..
Z_3=66
O_3=1
B_3=0
D_3=…………
I_3=http://downcdn1.shgaoxin.net/shichangbu/ico/baidu.ico
U_3=http://j.br.baidu.com/v1/t/full/p/mini/tn/10003234/ch_dl_url
F_3=3f509ecd15d0db5128f24f1a6dddaa0e.exe
P_3=
L_3=2
C_3=2
R_3=2
S_3=SOFTWARE\Baidu\Baidu
V_3=InstallDir
M_3=
X_3=
FN_3=
FU_3=

N_5=……
Z_5=145
O_5=1
B_5=0
D_5=…………
I_5=http://downcdn1.shgaoxin.net/shichangbu/ico/ttk.ico
U_5=http://download.tk.taotaosou.com/channel/TTK_8020010020140313_setup.exe
F_5=TTK_8020010020140313_setup.exe
P_5=/S
C_5=2
R_5=1
S_5=Software\TaoTaoSou\TTK
V_5=Installed
M_5=0
X_5=0
Y_5=0
N_6=……..
Z_6=130
O_6=1
B_6=0
D_6=…………
I_6=http://downcdn1.shgaoxin.net/shichangbu/ico/youxun.ico
U_6=http://downcdn1.shgaoxin.net/shichangbu2/gaoxintg.gif
F_6=gaoxintg.exe
P_6=
C_6=2
R_6=1
S_6=Software\Microsoft\Windows\CurrentVersion\Uninstall\YouXunBox
V_6=UninstallString
M_6=
X_6=
FN_6=
FU_6=

N_7=……
Z_7=165
O_7=1
B_7=0
D_7=…………….
I_7=http://xiazai.xiazai2.net/sc/ico/lyb1.ico
U_7=http://d.92youx.com/yx/lyb/sqcs/916217/separate.exe
F_7=separate.exe
P_7=
C_7=
R_7=
S_7=
V_7=
M_7=
X_7=
Y_7=
FN_7=
FU_7=

N_8=……..
Z_8=146
O_8=1
B_8=0
D_8=……….
I_8=http://downcdn1.shgaoxin.net/shichangbu/ico/funshion.ico
U_8=http://downcdn1.shgaoxin.net/shichangbu2/FunMini.gif
F_8=FunMini.exe
P_8=
C_8=2
R_8=1
S_8=Software\SystemSres
V_8=aptdir
M_8=
X_8=
FN_8=
FU_8=

N_9=……
Z_9=161
O_9=1
B_9=0
D_9=…………..
I_9=http://xiazai.xiazai2.net/sc/ico/b5t.ico
U_9=http://dl.b5m.cn/marketing/b5t_cl15201.exe
F_9=b5t_cl15201.exe
P_9=
C_9=1
R_9=2
S_9=SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{260669B1-FC2C-41C0-BAA2-6EF3BB188660}
V_9=
X_9=1
N_10=……..
Z_10=48
O_10=1
B_10=0
D_10=……..
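The 14.html response above is a flat KEY_N=value list that the NSIS downloader walks entry by entry. The following parser is an added example (not code from the original post or the campaign) that groups the entries and pulls out the defender-relevant fields: download URL and host, the filename the payload is saved under, whether it is run silently, whether the URL extension disguises the real file type, and the registry key the installer checks first. The field roles are inferred from the capture and the sample text is a constructed, abridged excerpt of the response.

```python
import posixpath
import re
from urllib.parse import urlparse

# Constructed excerpt modelled on the 14.html response above (two entries, abridged; elided names kept as dots).
SAMPLE = """[rec]
N_4=360........
U_4=http://downcdn1.shgaoxin.net/ysqd/20140415/qh.gif
F_4=Setup_oemyinsudz1.exe
P_4=/S
S_4=
N_5=......
U_5=http://download.tk.taotaosou.com/channel/TTK_8020010020140313_setup.exe
F_5=TTK_8020010020140313_setup.exe
P_5=/S
S_5=Software\\TaoTaoSou\\TTK
V_5=Installed
"""
LINE = re.compile(r"^([A-Z]+)_(\d+)=(.*)$")

def parse_rec(text):
    """Group KEY_N=value lines into one dict per numeric suffix N."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            key, idx, val = m.groups()
            entries.setdefault(int(idx), {})[key] = val
    return entries

def extract_iocs(entries):
    """One record per entry. Field roles inferred from the capture (assumption): U=URL, F=saved name, P=switches, S/V=registry check."""
    out = []
    for idx in sorted(entries):
        e = entries[idx]
        url, saved = e.get("U", ""), e.get("F", "")
        url_ext = posixpath.splitext(urlparse(url).path)[1].lower()
        out.append({
            "url": url,
            "host": urlparse(url).hostname,
            "saved_as": saved,
            "silent": e.get("P", "").strip().upper() == "/S",
            # a .gif URL saved as .exe is the content-type disguise this server uses
            "ext_mismatch": bool(url) and url_ext != posixpath.splitext(saved)[1].lower(),
            "reg_check": (e.get("S") or None, e.get("V") or None),
        })
    return out

def download_hosts(entries):
    """Distinct payload hosts: the next pivot set for blocklists or DNS log searches."""
    return sorted({urlparse(e["U"]).hostname for e in entries.values() if e.get("U")})
```

Run against the full captured response, the host list alone yields the second-stage domains (shgaoxin.net, 92youx.com, taotaosou.com and so on) that the rest of the post pivots on.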

Links galore. Time to go hunting in a browser to see what we can find. To avoid possible exploitation we can work from a virtual or lab machine and/or use view-source: in the URL bar to capture data. We start with view-source:http://d.92youx.com/yx/roxj/sqcs/917794/vacatiot.exe. We don’t get a response on that file; poking around we find it’s an nginx server but no open directories. We then try view-source:http://download.tk.taotaosou.com/channel/TTK_8020010020140313_setup.exe and get a file with hash 69f5d690eb3e0a4b96e8836ec51ff2ac. We see if there is an open directory and sure enough, http://download.tk.taotaosou.com/channel/ has a ton of executables with similar filenames. We can now use “wget -r” to download the code if we want to analyze it further. At this point there are multiple links of interest and lots of content inspection to take place. Open directories suggest victimized servers that are vulnerable to attack and abused for hosting hostile code. Additionally, seemingly legitimate WHOIS registration and content exist at each domain.

A summary review of the initial data reveals many patterns in filenames, URL hosting, where data is hosted, file attributes and so on. This is clearly a large-scale, very active campaign linked to potentially unwanted (PUP) adware out of China. Just anecdotally checking a few other links, such as view-source:http://downcdn1.shgaoxin.net/shichangbu2/FunMini.gif, we see that it has an MZ header and is actually a Windows executable, NOT a GIF as the link suggests.
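The "GIF that is really an EXE" check above is worth automating over every URL harvested from the config. This added example (not code from the original post) compares the type implied by a URL's extension with the magic bytes actually served, and validates a PE properly (MZ plus e_lfanew pointing at the PE signature) rather than trusting the first two bytes. The byte blobs are constructed stand-ins, not the real downloads, and example.invalid is a placeholder host.

```python
import posixpath
import struct
from urllib.parse import urlparse

# Constructed stand-ins, not the real downloads: a minimal MZ/PE stub and a GIF header.
PE_STUB = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 20
GIF_STUB = b"GIF89a" + b"\x00" * 10

# Extension -> type the URL claims to serve (only the types this check can recognise).
EXPECTED = {".exe": "pe", ".dll": "pe", ".scr": "pe", ".gif": "gif", ".png": "png"}

def looks_like_pe(data):
    """MZ signature plus e_lfanew pointing at 'PE\\0\\0', not just the first two bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def actual_type(data):
    """Classify the served bytes by magic number."""
    if looks_like_pe(data):
        return "pe"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return "unknown"

def check_download(url, data):
    """Compare the type implied by the URL extension with the bytes actually served."""
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    declared = EXPECTED.get(ext)          # None: extension tells us nothing to compare
    found = actual_type(data)
    return {"url": url, "declared": declared, "actual": found,
            "disguised": declared is not None and declared != found}

if __name__ == "__main__":
    for url, blob in [("http://downcdn1.shgaoxin.net/shichangbu2/FunMini.gif", PE_STUB),
                      ("http://example.invalid/real.gif", GIF_STUB)]:
        print(check_download(url, blob))
```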

It all started with a hash; following a few leads and performing a little content and web inspection, we now have hundreds of data points upon which to pivot.
