Introduction
Surfing the darknet, we found a forum in which some users shares many cracked software each other. One of these software promises to generate Premium Account for Netflix services for free. So we decided to analyze it. With our surprise, we discovered that it is a malware (without generating any Netflix account, unfortunately).
This malware is not indexed yet: only one site on the Clearnet takes track of it and it was uploaded for the first time around September 20th, probably by the author in order to test its stealthy. Studying the malware, we realized that it is a bot that belongs to an alive botnet. We were able to estimate the size of the botnet analyzing the number of visits to the Pastebin page that contains the payload. In fact, the malware is composed by a first part, which is a downloader for a second part, which is a real bot, just uploaded on Pastebin.
Figure 1 – Number of visits on Pastebin page
There is no existing report, obviously, about this sample. So, we need to analyze in deep the malware to understand its complete behavior.
Basic static Analysis
Downloader
Filename: wonder.exe
MD5 | 486954967e02a2e1577bd7dd91026102 |
SHA-1 | 27b2fc98c91dddf002cda77da3f44cf9a05d7fba |
SHA-256 | c3f5f5bfe39b55ffe0343950e0a4bf0433c35679a01daf07ce6c0ccc7d4da9b7 |
File size | 365 KB |
Table 1 – Generic Info about Wonder Downloader
Sections
Table 2 – Info about Wonder Downloader’s Sections
Payload/Bot
Filename: payload.exe
MD5 | 84fdcb1f23f592543381c85527c19aaa |
SHA-1 | cc2f96a2f4dbc4b0176bab37c22a48ebfe1bac06 |
SHA-256 | 15d390626fea8d06adc261e0588ec40d17b6a62a2320313073ba94809c5e0f4d |
File size | 205 KB |
Table 3 – Generic Info about Wonder Bot
Sections
Table 4 – Info about Wonder Bot’s Sections
Using some static analysis tools, such as PEiD, we discovered that the malware is based on .NET Framework and it is written in C#.
Figure 2 – PEiD view
Behavioral Analysis
The infection starts with the execution of the “wonder.exe” file, which is the downloader of the effective payload. The downloader tries to connect to “pastebin.com” in order to retrieve the encoded payload. Otherwise, if there isn’t internet connection, the file “wonder.exe” crashes with the following screen.
Figure 3 – Wonder crash screen
In a standard condition, in which the internet connection is up, the downloader retrieves from “https://pastebin.com/raw/E8ye2hvM” the bot payload to execute.
When the payload starts, in the first time it tries in vain to resolve the domain “wiknet.mooo.com” because it’s not registered. Successively, it resolves “wiknet.wikaba.com” to the IP “104.200.67.190”.
Figure 4 – DNS traffic of the malware
Accessing to this site using a browser, we have the following screen:
Figure 5 – Fake site screen
This is a fake page of another existing site, “www.support.com”, which has the same front-end page. The interesting thing about the fake page is that every link on it refers to the original page: so, if we click on one link of them, we are redirected on the corresponding page on “support.com”.
At this point, the only reasonable hypothesis is that this IP refers to a Command and Control.
From the point of view of the behavioral analysis, the only suspicious activities found are:
- The DNS requests showed in Figure 3.
- The creation of a file in “AppData/Local/Temp” path, probably used as support for the bot actions.
- The persistence mechanism, adding to “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup” a link to itself.
All the traffic between the bot and the C2C is on TLSv1 layer, so we can’t see.
Advanced analysis
Using specific tools to analyse .NET applications, we deobfuscated and decompiled the bot and we found much more information about it.
Evasion Techniques
As all the sophisticated malwares, it applies some evasion techniques in order to avoid the detection and the analysis:
Figure 6 – Searching of VBox libraries
In the Figure 5 we can see that the malware searches for some specific virtualization software libraries, such as “vmGuestLib.dll” and “vmbusres.dll”, in order to realize that it is in a virtual environment and do not show its malicious behavior. In fact, if its conditions are verified, it can kill itself or show the following windows:
Figure 7 – Evasion technique
Malware’s control flow
With our advanced techniques, we extracted the complete working scheme of the malware.
Figure 8 – Complete scheme of the malware’s behavior
As above mentioned, the malware’s logic can be divided in two parts: downloader logic and bot logic.
Downloader Logic:
- Check Internet connection: the first stage is control whether the connection is present. If it isn’t the malware kill itself.
- Download the payload from “pastebin.com/raw/E8ye2hvM”: the payload is codified in Base64 and it is incapsulated into a GZ archive.
Figure 9 – Raw data of the payload
- Decode and extract the retrieved payload.
- Execute the payload: the bot is executed in the same address space of the downloader.
Bot Logic:
- Create Startup link: the persistence mechanism is implemented adding to “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup” a link to the file that contains the downloader, for two reasons:
- The payload will be downloaded on every reboot of the machine, so the bot code could be modified by the author, who could implement new features.
- The bot code is loaded in the downloader’s memory space so it is never written on the disk of victim’s machine.
- Check Internet connection: if it isn’t present the bot waits for it.
- Connect first to “wiknet.mooo.com” without response. After it resolves “wiknet.wikaba.com” to the IP address “104.200.67.190”.
- Send POST request to the “/FeedBack.php” path: the bot reveals its existence to the C2C sending a request with the “User-Agent” header with its own Bot_ID (which we successively deepen).
- Find commands files already downloaded: the bot searches the commands downloaded in the previous contact with C2C, which are stored in some files in the “AppData/Local/Temp” path.
- Send info about the system and retrieve new commands at “/CheckVersion.php” path: the bot sends all the info gathered about the victim machine to the C2C through a POST request at the specified path. The response contains the new command that will be execute by the bot.
- Execute the command just received.
Bot ID creation
Because of its “bot nature”, once installed on the victim machine, the bot has to create an ID for identify itself into the botnet. This ID is forged encrypting some host information using MD5 algorithm and adding a static string to it.
Figure 10 – Bot ID creation
Commands List
The bot receives some commands from C2C. Through the advanced analysis we have reported a list of all available commands. Some commands, at this time, are not implemented yet. The list of commands is:
KEYWORD | Add all files contained in a specific folder into a rar archive |
KEY | Create a file “ky” in the path. This file is a trigger to upload all info gathered to the C2C at the path “/log.php” |
KEYS | Delete the “ky” file |
REUPLOAD | Contact the C2C at the path “/FeedBack.php” |
RESTARTME | Restart the bot |
BLOCK | Create the kill switch and stop the bot |
SCREEN | Take a screenshot |
LAN | Create a file “LA” in the path. This file is a trigger to a feature not implemented yet. |
LANS | Delete the “LA” file |
USB | Create a file “us”+BOT_ID in the path. This file is a trigger to infect Removable Devices. |
USBS | Delete the “us”+BOT_ID file |
HD | Create a file “hd”+BOT_ID in the path. This file is a trigger to infect Hard Drives. |
HDS | Delete the “hd”+BOT_ID file |
SHUTDOWN | Shutdown the system |
RESTART | Reboot the system |
PROCANDSOFT | List all active processes and all installed softwares |
DEL-TEMP | Delete all files in “AppData/Local/Temp” path |
RAR | Create a RAR archive adding to it all the information gathered. The archive is sent to the C2C. |
RARM | Create a RAR archive adding to it all the information gathered in that month. The archive is sent to the C2C. |
RARW | Create a RAR archive adding to it all the information gathered in that week. The archive is sent to the C2C. |
KILL | Kill a specific process |
Table 3 – Commands List
Kill Switch
The malware can be stopped by the C2C using the command “BLOCK”. This command creates a new file in the “AppData/Local/Temp” path called:
“Block~” + BOT_ID
Where BOT_ID is the same string showed in Figure 9.
The file can be used also as a vaccine by the user to avoid the infection.
Figure 11 – Kill Switch
Yara Rules
import “pe”
rule Wonder_Botnet_Downloader {
meta:
description = “Yara Rule for Wonder Botnet Downloader identification”
author = “CSE CybSec Enterprise – Z-Lab”
last_updated = “2017-10-19”
tlp = “white”
category = “informational”
condition:
(
pe.version_info[“CompanyName”] contains “stsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$”
or
pe.version_info[“Comments”] contains “stsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$”
or
pe.version_info[“FileDescription”] contains “stsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$”
or
pe.version_info[“LegalCopyright”] contains “stsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$”
or
pe.version_info[“LegalTradeMarks”] contains “stsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$”
or
pe.version_info[“ProductName”] contains “stsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$dstsdt$#^%#$^#$”
)
and pe.number_of_imports == 1 and pe.imports(“mscoree.dll”)
}
rule Wonder_Botnet_Bot {
meta:
description = “Yara Rule for Wonder Botnet Payload identification”
author = “CSE CybSec Enterprise – Z-Lab”
last_updated = “2017-10-19”
tlp = “white”
category = “informational”
strings:
// SmartAssembly Obfuscator
$a = “SmartAssembly”
// MD5 encryption
$b = “MD5CryptoServiceProvider”
condition:
$a and $b and
(
pe.version_info[“Comments”] contains “Folder Details”
or
pe.version_info[“LegalCopyright”] contains “Copyright Folder”
or
pe.version_info[“LegalTradeMarks”] contains “Folder Details”
)
and pe.number_of_imports == 1 and pe.imports(“mscoree.dll”)
}