Analysis of the flash drive malware (newfolder.exe)

Name:
MD5 Hash: 73C4E0E99949B68835A0EA80307E27A3
SHA-1 Hash: D3B61C2EE5A85FF6A4C7BFE6C38E616BC95141AB
VirusTotal: (report link)
Hybrid-analysis: (report link)
Download link: Download Here
Password of zip: infected

First of all, let me tell you a little about this sample. This is a very common piece of malware in Iran; you can find it on almost every public computer and often on flash drives. In my case, I found it on my flash drive after connecting it to one of my university's public computers. Let's take a look at the file using DIE (Detect It Easy). DIE shows that the malware is probably not packed: there is no signature of any known packer or encrypter, and the entropy of the file confirms this guess.

Now that we know it is probably not packed, let's use the strings command-line tool to check the strings inside the PE file. I am going to show only strings with a length greater than 10, using this command:
strings.exe -n 10 -nobanner svchost10.exe
(Strings v2.53 is one of the tools in Windows Sysinternals and can be downloaded from here.)
Now let's take a look at the strings below:

!This program cannot be run in DOS mode.
bad allocation
http://en.wikipedia.org
cpp-logo285728.test
not connected, waiting
\new folder .exe
Software\Microsoft\Windows\CurrentVersion\Run
svchost10.exe
WirelessConfig
win-428542.exe
IN UR FACE !
username:
http://www.nestao.com/wp-includes/Text/Diff/Engine/engine/
http://ebookcenter.vvs.ir/
Temp update file:
Exe Filename:
Exe Absolute:
Waiting for connection
win-645721.test
dlversion.php?id=
dlupdate.dat
vector<T> too long
C:\Documents and Settings\Administrator\My Documents\Visual Studio 2008\Projects\vertigodl\Release\vertigodl.pdb
CreateFileA
GetFileSize
FindFirstFileW
GetDriveTypeA
GetVolumeInformationA
GetModuleFileNameW
GetLastError
GetModuleFileNameA
FindNextFileW
GetCurrentDirectoryA
CloseHandle
DeleteFileA
CreateThread
KERNEL32.dll
DispatchMessageW
DefWindowProcW
CreateWindowExW
RegisterClassExW
TranslateMessage
LoadCursorW
PostQuitMessage
GetMessageW
USER32.dll
RegSetValueExA
RegOpenKeyExW
GetUserNameA
RegCloseKey
ADVAPI32.dll
ShellExecuteA
SHGetFolderPathA
SHELL32.dll
??$?8DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
??$?9DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
??$?6DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
??$?HDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z
??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@ABV10@PB_W@Z
??$?HDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?uncaught_exception@std@@YA_NXZ
?swap@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXAAV12@@Z
?reserve@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXI@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHPBDH@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ
?append@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@I_W@Z
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
?_Tidy@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@IAEX_NI@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
?substr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE?AV12@II@Z
??A?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAA_WI@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
?find_last_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV?$_String_const_iterator@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV?$_String_const_iterator@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z
MSVCP90.dll
PathIsDirectoryW
SHLWAPI.dll
URLDownloadToFileA
urlmon.dll
DeleteUrlCacheEntryA
WININET.dll
?what@exception@std@@UBEPBDXZ
??1exception@std@@UAE@XZ
??0exception@std@@QAE@XZ
??0exception@std@@QAE@ABQBD@Z
??0exception@std@@QAE@ABV01@@Z
_invalid_parameter_noinfo
??3@YAXPAX@Z
??2@YAPAXI@Z
MSVCR90.dll
__dllonexit
_encode_pointer
_decode_pointer
_amsg_exit
__getmainargs
_XcptFilter
_ismbblead
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_crt_debugger_hook
_except_handler4_common
?terminate@@YAXXZ
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_invoke_watson
_controlfp_s
InterlockedExchange
InterlockedCompareExchange
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
__CxxFrameHandler3
_CxxThrowException
.?AVtype_info@@
@className
.?AVexception@std@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVbad_alloc@std@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
<dependency>
<dependentAssembly>
<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
</dependentAssembly>
</dependency>
</assembly>

I have highlighted the most important strings in the PE file. As is obvious, there are three URLs in the file, which probably means that the malware tries to connect to them. There is also an imported API function named 'URLDownloadToFileA', which suggests that the malware tries to download another file from one of these pages, and a 'ShellExecuteA', which is exactly what is needed to execute the file after downloading it.
It is also obvious that this malware is written in C++, as we can see lots of mangled C++ standard-library method names (imported from MSVCP90.dll) in the strings section.
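The classification above can be automated. The following Python script is an added example, not part of the original write-up or of the sample: it takes raw strings output (here a constructed excerpt of the dump above), separates URLs, Run-key paths, PDB paths and file names, and maps the imported APIs to the capabilities they hint at; the API-to-capability groups are my own assumption, not something the binary declares.

```python
import re

# Constructed excerpt of the strings output shown above (not the full dump).
SAMPLE_STRINGS = r"""
http://en.wikipedia.org
cpp-logo285728.test
\new folder .exe
Software\Microsoft\Windows\CurrentVersion\Run
svchost10.exe
WirelessConfig
win-428542.exe
http://www.nestao.com/wp-includes/Text/Diff/Engine/engine/
http://ebookcenter.vvs.ir/
dlupdate.dat
C:\Documents and Settings\Administrator\My Documents\Visual Studio 2008\Projects\vertigodl\Release\vertigodl.pdb
FindFirstFileW
GetDriveTypeA
GetVolumeInformationA
RegOpenKeyExW
RegSetValueExA
ShellExecuteA
URLDownloadToFileA
"""

# Imports grouped by the behaviour they hint at (assumed grouping); an import
# alone proves nothing, but these groups match what dynamic analysis confirms.
CAPABILITY_APIS = {
    "download_and_execute": {"URLDownloadToFileA", "ShellExecuteA"},
    "run_key_persistence": {"RegOpenKeyExW", "RegSetValueExA"},
    "removable_drive_enum": {"GetDriveTypeA", "GetVolumeInformationA", "FindFirstFileW"},
}
URL_RE = re.compile(r"^https?://\S+$")
FILE_RE = re.compile(r"\.(exe|dat|test)$", re.IGNORECASE)

def triage(strings_text):
    """Sort raw `strings` output into indicator classes and capability hints."""
    lines = [l.strip() for l in strings_text.splitlines() if l.strip()]
    present = set(lines)
    return {
        "urls": sorted(l for l in lines if URL_RE.match(l)),
        "registry_keys": sorted(l for l in lines if "\\CurrentVersion\\Run" in l),
        "pdb_paths": sorted(l for l in lines if l.lower().endswith(".pdb")),
        "dropped_files": sorted(l for l in lines if FILE_RE.search(l)),
        "capabilities": {cap: sorted(apis & present)
                         for cap, apis in CAPABILITY_APIS.items() if apis & present},
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

To triage a different binary, pass the text of its strings output to triage() instead of the embedded excerpt.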

Now let's see what is going on inside this old devil. As seen in the image below, it is a very ordinary Windows application: it calls the WinMain function, then tries to create a window with CreateWindowEx and registers a class using RegisterClassEx. I have highlighted the offset of the WndProc procedure that receives the window messages.


So we are going to set a breakpoint on the WndProc procedure (here sub_4020E0), press F9 to continue and wait for Windows to send messages to this routine. The breakpoint hits several times until it hits with the message WM_CREATE, jumps to address loc_40219A (figure below) and starts to execute the user-defined code.


In the user-defined function (image below), you can see several calls to std::cout with different strings, which probably means that the writer of the malware was testing every step of his/her code and was not sure what he/she was doing.


The first thing the malware does after it runs is to get the path of the AppData folder (by passing CSIDL_APPDATA, value 0x1A, to SHGetFolderPathA); the returned path is c:\users\[username]\AppData\Roaming, and the malware then tries to copy itself into this folder.


Then the malware tries to write its path into the registry (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) under the value name 'WirelessConfig' in order to run at Windows startup.


After writing to the registry, the malware checks whether the system is connected to the internet. In fact it has a very ridiculous way of doing that: it tries to connect to http://wikipedia.com and download the first page of the site using 'URLDownloadToFileA' into a file named 'cpp-logo285728.test' in the AppData folder; if the download is not successful, it sleeps for one second (by calling Sleep(1000)) and tries again. Once it is sure that it is connected to the internet, it tries to download:
http://www.nestao.com/wp-includes/Text/Diff/Engine/engine/dlupdate.dat
to
c:\users\[myusername]\appdata\roaming\win-428542.exe



and checks whether it was downloaded correctly (by opening it with fopen in 'rb' mode); if everything is fine, it executes the downloaded exe file using the 'ShellExecuteA' API. Since at the time of analysing this malware the web page that hosted the exe file was down, I copied calc.exe into the AppData folder and, as you already guessed, the malware executed it!!!


There is one other part that we have missed here: how does the malware spread and infect other systems?
If you look at the image below, somewhere in the code the malware creates and starts a thread. I followed the StartAddress parameter of the thread and set a breakpoint on it. When the breakpoint hit, I saw code that checks my drives (GetDriveTypeA, GetVolumeInformationA) every 10 seconds to see whether each one is removable (like a flash drive) and, if so, copies the malware to that drive.
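Putting the indicators from the dynamic analysis together, here is an added Python host check, not code from the original write-up or from the sample: the pure functions work on data already collected (so they can be tested on any machine), and collect_and_check() gathers the live Run key, the %APPDATA% listing and the root of every removable drive on a Windows host. It assumes the copy in AppData keeps the sample's file name svchost10.exe, and that the file and value names are exactly those seen in the strings above.

```python
import ntpath
import os

# Indicators from the analysis above; the check layout is mine, not the sample's.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "WirelessConfig"
KNOWN_FILES = {"svchost10.exe", "win-428542.exe", "cpp-logo285728.test"}  # svchost10.exe assumed
USB_COPY_NAME = "new folder .exe"   # note the space before the extension

def check_run_values(run_values):
    """run_values maps Run value name -> command line; flag the persistence entry."""
    return [(name, cmd) for name, cmd in run_values.items()
            if name == RUN_VALUE_NAME
            or any(f in cmd.lower() for f in KNOWN_FILES)]

def check_appdata(listing):
    """Return the dropped file names present in a %APPDATA% directory listing."""
    return sorted({f.lower() for f in listing} & KNOWN_FILES)

def check_removable(drive_root, listing):
    """Return full paths of worm copies on one removable drive (root such as E:\\)."""
    return [ntpath.join(drive_root, f) for f in listing if f.lower() == USB_COPY_NAME]

def collect_and_check():
    """Windows only: read the live Run key, %APPDATA% and removable drive roots."""
    import ctypes
    import winreg
    DRIVE_REMOVABLE = 2  # GetDriveTypeW return value for a USB stick
    findings, values, index = [], {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:  # enumerate every value under the per-user Run key
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            values[name] = str(data)
            index += 1
    findings += check_run_values(values)
    appdata = os.environ.get("APPDATA")
    if appdata and os.path.isdir(appdata):
        findings += check_appdata(os.listdir(appdata))
    for letter in "DEFGHIJKLMNOPQRSTUVWXYZ":
        root = letter + ":\\"
        if ctypes.windll.kernel32.GetDriveTypeW(root) == DRIVE_REMOVABLE:
            findings += check_removable(root, os.listdir(root))
    return findings
```

On the Windows host being checked, calling collect_and_check() returns every matching Run value, dropped file and flash-drive copy; an empty list means none of the page's indicators were found.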


This one was actually very easy to analyse, since it did not use any packer or exe protector and it was very straightforward.
But using flash drives to spread is actually a very effective way, and that is probably why this malware has existed for such a long time.

Conclusion
In conclusion, this malware actually does no harm, since the URL from which it tries to download its payload is down. However, it copies itself from one computer to another using flash drives and hides the benign files on the flash drives.