Report - CrySyS Lab
5.3 Modules found on planetanews.org
The modules found on the servers planetanews.org and politnews.org are generally old; they most likely belong to older campaigns. The files are generally stored as “.txt” files in ASCII-hexadecimal format, extended with command tags. An example is shown below:
[DATA]
4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000
0CCCCCCCCCCE966000000E996000000E970020000E9CB000000E92F020000E90E010000E9C70200
…
00000000000000
[/DATA]
[EXT]
c:\sys.exe
Figure 40 – Executable file format in .txt files found on planetanews and politnews
As one can see, the hex string begins with 4D5A, the ASCII equivalent of “MZ”, so no extra encryption is in place.
Most likely these modules are decoded and used by C&C communication tools, like the sample b0b59e2569fb1de00f76a8d234d2088a described below.
Some of the modules are found in raw hex-ascii files like:
4D5A90000300000004000000FFFF0000B80...
Figure 41 – Executable file format in .txt files found on politnews – without tags – ct.txt
ode.txt
hash: 5c03228a7f9149b07fc7316d68119342
compile time: 2009-08-04
This module saves the list of running processes and the content of the “\windows\system32\wbem” folder into the file “C:\sysdll12.txt”.
ct.txt
hash: BA7F9A2CEC106773D17DF4F571B4B8E8
compile time: 2009-08-11
This module uses the GetTcpTable call and saves the list of active TCP connections and their status into the file “C:\\sysdll9.txt”.
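The two layouts above (Figure 40 with [DATA]/[EXT] tags, Figure 41 as bare ASCII-hex) can be triaged with a small parser that decodes the payload, checks for the 4D5A (“MZ”) header and recovers the [EXT] drop path. The following is an added example, not code from the report; the samples it contains are constructed 64-byte stubs, not the modules found on the servers.

```python
import hashlib
import re

# Constructed samples (not files from the report): a tagged module in the
# Figure 40 layout and a raw ASCII-hex module in the Figure 41 layout.
# Both payloads are only a 64-byte MZ-prefixed stub, not a real executable.
TAGGED_SAMPLE = """[DATA]
4D5A90000300000004000000FFFF0000B8000000000000004000000000000000
0000000000000000000000000000000000000000000000000000000000000000
[/DATA]
[EXT]
c:\\sys.exe
"""
RAW_SAMPLE = "4D5A90000300000004000000FFFF0000B8000000000000004000000000000000\n"

TAG_RE = re.compile(r"\[DATA\](.*?)\[/DATA\]", re.S)
EXT_RE = re.compile(r"\[EXT\]\s*(\S+)")  # the report shows no closing [/EXT]


def parse_module_file(text):
    """Return (payload_bytes, ext_path); ext_path is None for the raw form."""
    m = TAG_RE.search(text)
    if m:
        hex_part = m.group(1)
        e = EXT_RE.search(text)
        ext_path = e.group(1) if e else None
    else:
        hex_part, ext_path = text, None
    clean = re.sub(r"\s+", "", hex_part)
    if not clean or len(clean) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", clean):
        raise ValueError("payload is not well-formed ASCII-hex")
    return bytes.fromhex(clean), ext_path


def triage(text):
    """Summarise one recovered .txt module for matching against known hashes."""
    payload, ext_path = parse_module_file(text)
    return {
        "size": len(payload),
        "mz_header": payload[:2] == b"MZ",  # "4D5A" == "MZ": no extra encryption
        "md5": hashlib.md5(payload).hexdigest(),
        "drop_path": ext_path,
    }


if __name__ == "__main__":
    for sample in (TAGGED_SAMPLE, RAW_SAMPLE):
        print(triage(sample))
```

The MD5 in the summary is what an analyst would compare against the module hashes listed in this section; a payload containing the “…” elision from Figure 40 is rejected rather than decoded.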