Floxif Family Infection Sample Analysis

1 Overview

The sample drops the symsrv.dll module into the directory C:\Program Files\Common Files\System; symsrv.dll is the main infection module. The sample loads this module into memory and begins scanning files and directories on the victim's computer, infecting files outside of the %system%, %windows%, and %temp% folders so that system files, whose infection could cause system instability, are left alone. During the infection process it downloads additional malicious module components from the attacker's C2 server, but because the C2 is inactive, further analysis of those modules is not possible.

2 Mitigation Recommendations

● Install an intelligent terminal defense system and perform a full system virus scan.

3 Detailed Analysis

3.1 setup.exe Analysis

When the sample (759FAE966FE22FB00B8331AF36556513) is executed, it first loads the symsrv.dll module and then drops it into the Program Files\Common Files\System directory.

Time | Process ID | Operation | File
11:19:13:871 | 0014284e3f2f0f18b4.. 3008:1052 | FILE touch | C:\Program Files\Common Files\System\symsrv.dll
11:19:13:871 | 10014284e3f2f0f18b4… 3008:0 | FILE_open | C:\Program Files\Common Files\System\symsrv.dll
11:19:13:871 | 0014284e3f2f0f18b4… 3008:1052 | FILE write | C:\Program Files\Common Files\System\symsrv.dll
11:19:13:871 | 00014284e3f2f0f18b4… 3008:0 | FILE_modified | C:\Program Files\Common Files\System\symsrv.dll
11:19:13:871 | 0014284e3f2f0f18b4… 3008:0 | FILE_open | C:\Program Files\Common Files\System\symsrv.dll

The DLL path is written into the AppInit_DLLs value of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows registry key. Because LoadAppInit_DLLs is set to 1 and RequireSignedAppInit_DLLs to 0 in the same key, every process that loads user32.dll will also load the unsigned DLL listed in AppInit_DLLs.

Key | Type | Value
AppInit_DLLs | REG_SZ | C:\PROGRA~1\COMMON~1\System\symsrv.dll
DdeSendTimeout | REG_DWORD | 0x00000000 (0)
DesktopHeapLogging | REG_DWORD | 0x00000001 (1)
DeviceNotSelectedTimeout | REG_SZ | 15
GDIProcessHandleQuota | REG_DWORD | 0x00002710 (10000)
IconServiceLib | REG_SZ | IconCodecService.dll
LoadAppInit_DLLs | REG_DWORD | 0x00000001 (1)
RequireSignedAppInit_DLLs | REG_DWORD | 0x00000000 (0)
ShutdownWarningDialogTim… | REG_DWORD | 0xFFFFFFFF (4294967295)
Spooler | REG_SZ | yes
TransmissionRetryTimeout | REG_SZ | 90
USERNestedWindowLimit | REG_DWORD | 0x00000032 (50)
USERPostMessageLimit | REG_DWORD | 0x00002710 (10000)
USERProcessHandleQuota | REG_DWORD | 0x00002710 (10000)

Once the DLL module is loaded, it begins to infect files.
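As an added illustration (not code from the original analysis), the following Python function applies the AppInit_DLLs persistence check a responder would run against the registry values shown above. The values are embedded as a constructed dict rather than read from a live host, and the list of directories treated as trusted is an assumption of this example.

```python
import re

# Constructed input: the values from the registry table in this analysis.
# On a live host they would be read with winreg from
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows.
SAMPLE_WINDOWS_KEY = {
    "AppInit_DLLs": r"C:\PROGRA~1\COMMON~1\System\symsrv.dll",
    "LoadAppInit_DLLs": 1,
    "RequireSignedAppInit_DLLs": 0,
}

# Assumption of this example: only DLLs under the Windows system
# directories are considered expected AppInit DLLs.
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64")


def split_appinit_list(value):
    """AppInit_DLLs holds a space- or comma-separated list of DLL paths."""
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]


def assess_appinit(values):
    """Return (severity, message) findings for an AppInit_DLLs configuration."""
    findings = []
    dlls = split_appinit_list(values.get("AppInit_DLLs", ""))
    if not dlls:
        return findings  # nothing configured, nothing to flag
    enabled = values.get("LoadAppInit_DLLs", 0) == 1
    signed_only = values.get("RequireSignedAppInit_DLLs", 0) == 1
    for dll in dlls:
        low = dll.lower()
        outside = not low.startswith(TRUSTED_PREFIXES)
        if enabled and outside:
            findings.append(("high", f"AppInit DLL outside Windows dirs: {dll}"))
        elif outside:
            findings.append(("medium", f"AppInit DLL present but loading disabled: {dll}"))
        if "~" in low:
            # 8.3 short names (PROGRA~1, COMMON~1) hide the real directory name;
            # expand them before deciding what the path really points at.
            findings.append(("info", f"8.3 short path, expand before inspecting: {dll}"))
    if enabled and not signed_only:
        findings.append(("high",
                         "LoadAppInit_DLLs=1 with RequireSignedAppInit_DLLs=0: "
                         "unsigned DLLs are accepted"))
    return findings
```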

3.2 symsrv.dll Analysis

The sample (98D56568C600383803D56B493B461BFA) is a DLL module. Examining its export table with PE tools identifies it as a file-infecting virus of the Floxif family.

After loading, the sample calls the GetSystemDirectoryA, GetWindowsDirectoryA, and GetTempPathA APIs to obtain the locations of the %system%, %windows%, and %temp% folders, thereby avoiding infection of files in these folders to prevent system shutdown issues.

It also initializes the C2 addresses and resolves a number of function addresses for later use.

It then creates a mutex named “Global\SYS E0A9138”.

Subsequently, it performs privilege escalation. After escalation, it hooks the KiUserExceptionDispatcher function for anti-debugging, and hooks RegOpenKeyExA, RegOpenKeyExW to protect its own registry entries. It also hooks CredReadW, CreateServiceA, CreateServiceW, OpenServiceA, OpenServiceW, WinVerifyTrust, CreateFileW, ExitProcess, CreateProcessInternalW, MessageBoxTimeoutW, and WahReferenceContextByHandle functions for self-preservation and file infection.

It checks whether common antivirus software exists on the computer.

Finally, it uses a combination of CreateToolhelp32Snapshot, Process32First, and Process32Next APIs to obtain the process list, and uses CreateToolhelp32Snapshot, Module32First, and Module32Next APIs to obtain the module list from each process.

Each module path is compared against the three folders obtained earlier: %system%, %windows%, and %temp%.

If the traversed module path is not located in any of these three folders, the sample reads the file into memory, performs the infection, renames the original file with a ".dat" extension, sets that file's attributes to system and hidden, writes the infected file from memory back to disk under the original filename, and finally calls MoveFileExA to schedule the original file for deletion on the next startup.
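An added example (not code from the original analysis) that hunts for the on-disk artifacts of the infection routine just described: a hidden+system ".dat" backup next to a file of the same name, correlated with the delete-on-reboot entries that MoveFileExA records in the PendingFileRenameOperations value. The directory listing and the registry value are constructed, the paths are hypothetical, and treating the .dat backup as the file scheduled for deletion is an assumption of this example.

```python
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
BACKUP_MARK = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

# Constructed directory listing: (path, attribute bits as GetFileAttributesW
# returns them). Hypothetical paths; only the pattern matters.
LISTING = [
    (r"C:\Apps\Tool\viewer.exe", 0x20),
    (r"C:\Apps\Tool\viewer.exe.dat", 0x20 | BACKUP_MARK),
    (r"C:\Apps\Tool\readme.dat", 0x20),          # plain data file, not a backup
    (r"C:\Apps\Tool\helper.dll", 0x20),
    (r"C:\Apps\Tool\helper.dat", 0x20 | BACKUP_MARK),
]

# Constructed PendingFileRenameOperations value (REG_MULTI_SZ under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager): source/destination
# pairs, an empty destination meaning "delete at next boot".
PENDING = [r"\??\C:\Apps\Tool\viewer.exe.dat", ""]


def pending_deletions(multi_sz):
    """Lower-cased paths scheduled for delete-on-reboot, \\??\\ prefix removed."""
    out = set()
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        if dst == "":
            out.add((src[4:] if src.startswith("\\??\\") else src).lower())
    return out


def find_infection_pairs(listing, multi_sz):
    """Return (suspect_file, backup_file, pending_delete) for each match."""
    by_path = {p.lower() for p, _ in listing}
    scheduled = pending_deletions(multi_sz)
    hits = []
    for path, attrs in listing:
        if not path.lower().endswith(".dat") or attrs & BACKUP_MARK != BACKUP_MARK:
            continue
        stem = path[:-4]  # drop ".dat"
        # The backup may keep the original extension (x.exe.dat) or replace it
        # (x.dat): try the bare stem first, then the usual PE extensions.
        for cand in [stem, stem + ".exe", stem + ".dll"]:
            if cand.lower() in by_path and cand.lower() != path.lower():
                hits.append((cand, path, path.lower() in scheduled))
                break
    return hits
```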

During the infection process, the sample requests to download the following files from C2 (hxxp://5isohu.com/, hxxp://www.aieov.com/): logo.gif, setup.exe, so.gif.

The following is the traffic captured with Wireshark.

No. | Time | Source IP | Destination IP | Protocol | Length | Request
40 | 5.257000 | 127.0.0.1 | 127.0.0.1 | HTTP | 133 | HTTP/1.0 200 OK (text/html)
231 | 11.185000 | 192.168.19.128 | 192.0.2.123 | HTTP | 98 | GET /setup.exe HTTP/1.1
232 | 11.201000 | 192.168.19.128 | 192.168.19.128 | HTTP | 98 | GET /setup.exe HTTP/1.1
363 | 12.340000 | 192.168.19.128 | 192.0.2.123 | HTTP | 101 | GET /setup.exe HTTP/1.1
364 | 12.340000 | 192.168.19.128 | 192.168.19.128 | HTTP | 101 | GET /setup.exe HTTP/1.1
423 | 12.464000 | 192.168.19.128 | 174.139.10.194 | HTTP | 98 | GET /setup.exe HTTP/1.1
424 | 12.464000 | 192.168.19.128 | 192.168.19.128 | HTTP | 98 | GET /setup.exe HTTP/1.1
494 | 12.886000 | 192.168.19.128 | 192.0.2.123 | HTTP | 97 | GET /logo.gif HTTP/1.1
495 | 12.886000 | 192.168.19.128 | 192.168.19.128 | HTTP | 97 | GET /logo.gif HTTP/1.1
502 | 12.886000 | 192.168.19.128 | 192.168.19.128 | HTTP | 133 | HTTP/1.0 200 OK (image/gif)
503 | 12.886000 | 192.0.2.123 | 192.168.19.128 | HTTP | 133 | HTTP/1.0 200 OK (image/gif)
1187 | 54.772000 | 192.168.19.128 | 192.0.2.123 | HTTP | 95 | GET /so.gif HTTP/1.1
1188 | 54.772000 | 192.168.19.128 | 192.168.19.128 | HTTP | 95 | GET /so.gif HTTP/1.1
1195 | 54.772000 | 192.168.19.128 | 192.168.19.128 | HTTP | 133 | HTTP/1.0 200 OK (image/gif)
1196 | 54.772000 | 192.0.2.123 | 192.168.19.128 | HTTP | 133 | HTTP/1.0 200 OK (image/gif)
1213 | 54.881000 | 192.168.19.128 | 192.0.2.123 | HTTP | 98 | GET /so.gif HTTP/1.1
1214 | 54.881000 | 192.168.19.128 | 192.168.19.128 | HTTP | 98 | GET /so.gif HTTP/1.1
1221 | 54.881000 | 192.168.19.128 | 192.168.19.128 | HTTP | 133 | HTTP/1.0 200 OK (image/gif)
1222 | 54.881000 | 192.0.2.123 | 192.168.19.128 | HTTP | 133 | HTTP/1.0 200 OK (image/gif)
1239 | 54.990000 | 192.168.19.128 | 174.139.10.194 | HTTP | 95 | GET /so.gif HTTP/1.1
1240 | 54.990000 | 192.168.19.128 | 192.168.19.128 | HTTP | 95 | GET /so.gif HTTP/1.1
1247 | 54.990000 | 192.168.19.128 | 192.168.19.128 | HTTP | 133 | HTTP/1.0 200 OK (image/gif)

Of these downloads, logo.gif is executed once it has been retrieved.

Since both C2 servers are inactive and no related historical samples could be associated with them, further analysis of the subsequent payloads is not possible.