 |
Every day new variants of Trojan Banker are created from family of Zeus.
The CRAM (Anti-Malware Research Center of TG Soft) team has analyzed this new variant of Banker, called Trojan.Win32.Banker.ZK. |
Name:
Trojan.Win32.Banker.ZK
Size: 217232 bytes
MD5: 5de629d93b248ec4175b39b5614178f9
Date: 11/28/2013
The
Trojan.Win32.Banker.ZK is downloaded and installed by
Trojan.Win32.Dropper.R (MD5: 11c469a0c2e81e4fefbdf50f0835e249, size 73105 bytes).
The
Trojan.Win32.Dropper.R arrive via email with attachment a false PDF document of invoice, order or payment.
The execution of the attached file (example orders.exe) involves the installation of the dropper inside the folder:
c:\documents and settings\all users\dxwmjh.exe
The threat (
Trojan.Win32.Dropper.R ) adds itself to the registry to start when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
[nnnnn] = %AllUsersProfile%\
dx<random>.exe
where nnnnn = random number
Example:
[52098] = c:\documents and settings\all users\dxwmjh.exe
Inside the .EXE file of
Trojan.Win32.Dropper.R the "Time Date Stamp" is: 11/27/2013 13:03:07
The
Trojan.Win32.Dropper.R sends the following encrypted request at site http://dnc.su/bi??ing.php:
"T7xpI0TD7JHnucdjRCBiDoWU2CeeGjTYf035ZXT4VsTjcgJ9oBOndUnr04fvTICLBPQtY1Y/cxc2MA=="
The russian site, reply with a binary encrypted data packet.
The
Trojan.Win32.Dropper.R sends the following request to install the
Trojan.Win32.Banker.ZK and other malware:
http://rivernews.net/top??ws.php
http://latte.su/co??ee.php ---> jerry.bin (39675 bytes)
http://spa??hp.com/grow.exe
http://bizwires.net/fi??ing.php
http://ribous.com/y??k.php
At this point the threat
Trojan.Win32.Banker.ZK is running and adds itself to the registry to start when Windows starts:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run
[{random clsid}] = %userprofile%\%appdata%\<random1>\<random2>.exe
Example:
[{0964610F-8304-003F-5911-B02472E90F4E}] = C:\Documents and Settings\Luigi\Application Data\Nehire\ebkomo.exe
The
Trojan.Win32.Banker.ZK is copied into a file with a random name in a folder with a random name, created inside "Application Data" of the user.
Inside the .EXE file of
Trojan.Win32.Banker.ZK the "Time Date Stamp" is: 11/28/2013 09:36:42
The
Trojan.Win32.Banker.ZK is able to steal the login/password credentials of access to:
When the
Trojan.Win32.Banker.ZK is running, this inject itself into all processes, hooking at the following API:
| Module: ntdll.dll |
| LdrLoadDll |
API hooking to inject himself in the new processes. |
| NtCreateThread |
| ZwCreateThread |
| Module: KERNEL32.dll |
| GetFileAttributesExW |
API hooking to hide the attibutes of the object {3D077E0F-9C04-345C-5911-B02472E |
| Module: USER32.dll |
| BeginPaint |
GetMessagePos |
API hooking to implement the function of keylogging and screen capture. |
| CallWindowProcA |
GetMessageW |
| CallWindowProcW |
GetUpdateRect |
| DefDlgProcA |
GetUpdateRgn |
| DefDlgProcW |
GetWindowDC |
| DefFrameProcA |
OpenInputDesktop |
| DefFrameProcW |
PeekMessageA |
| DefMDIChildProcA |
PeekMessageW |
| DefMDIChildProcW |
RegisterClassA |
| DefWindowProcA |
RegisterClassExA |
| DefWindowProcW |
RegisterClassExW |
| EndPaint |
RegisterClassW |
| GetCapture |
ReleaseCapture |
| GetClipboardData |
ReleaseDC |
| GetCursorPos |
SetCapture |
| GetDC |
SetCursorPos |
| GetDCEx |
SwitchDesktop |
| GetMessageA |
TranslateMessage |
| Module: CRYPT32.dll |
| PFXImportCertStore |
API hooking to steal the certificate. |
| Module: WS2_32.dll and WININET.dll |
| WS2_32.dll |
closesocket |
API hooking to monitor/capture the network traffic. |
| send |
| WSASend |
| WININET.dll |
HttpQueryInfoA |
| HttpSendRequestA |
| HttpSendRequestExA |
| HttpSendRequestExW |
| HttpSendRequestW |
| InternetCloseHandle |
| InternetQueryDataAvailable |
| InternetReadFile |
| InternetReadFileExA |
To steal email addesses from:
To steal email login/password from:
- Outlook Express
- Windows Mail
- Windows Live Mail
To steal client FTP login/password from:
- FlashFXP
- Total Commander
- ws_ftp
- FileZilla
- Far ftp
- WinSCP
- FTP Commander
- coreftp
- smartftp
Botnet commands:
The
Trojan.Win32.Banker.ZK communicate with the botnet with the following commands:
| os_shutdown |
bot_httpinject_disable |
user_execute |
user_homepage_set |
| os_reboot |
bot_httpinject_enable |
user_cookies_get |
user_ftpclients_get |
| bot_uninstall |
fs_path_get |
user_cookies_remove |
user_emailclients_get |
| bot_update |
fs_search_add |
user_certs_get |
user_flashplayer_get |
| bot_update_exe |
fs_search_remove |
user_certs_remove |
user_flashplayer_remove |
| bot_bc_add |
user_destroy |
user_url_block |
|
| bot_bc_remove |
user_logoff |
user_url_unblock |
|
Geolocation of domains contacted by
Trojan.Win32.Banker.ZK and
Trojan.Win32.Dropper.R:
| Url: |
latte.su |
 |
| IP address: |
211.71.99.66 |
| IP number: |
3544671042 |
| Country: |
Cina |
| Region: |
|
| City: |
|
| Latitude: |
35° 0' North |
| Longitude: |
105° 0' East |
| Time Zone |
China Standard Time |
| GMT Offset: |
08:00:00 |
Other urls:
| Url |
IP address
|
Country |
| latte.su |
211.71.99.66 |
China |
| rivernews.net |
200.63.220.114 |
Ecuador |
| spa??hp.com |
78.46.100.183 |
Germany |
| dnc.su |
106.120.241.226 |
China |
| bizwires.net |
208.73.210.177 |
United States |
| ribous.com |
208.73.210.177 |
United States |
Clean
VirIT version 7.5.47 and later.
Analysis by eng. Gianfranco Tonello
C.R.A.M. (Anti-Malware Research Center) by TG Soft
