Wednesday, July 12, 2017

Analysis of PoSeidon downloader and keylogger

In this post I analyze a sample of Poseidon (sample: 1b7f205b663af9a6eb44f18555bdaad86e0fa58f3a9e4aced3e2ae1e3ed472b5, you can read about it here). The original sample is a downloader. It is working, and there are online and working CnCs in the list of CnCs that the sample carries. However the malware could be failing to download the second stage executable (the keylogger) because of a bug in the downloader.


The first sample is a downloder for the keylogger. It copies itself to c:\windows\system32\winsrv.exe and installs in run key (it creates WinSrvWD mutex too). Then it autodeletes the first exe and creates two processes:

Both processes are running the same executable. Svchost.exe is running a function that it is only dedicated to protect WinSrv.exe in case the process dies.

WinSrv.exe executes the main code of the downloader.

Basically the downloader tries to connect the list of CnCs:

When it is able to resolve a domain of the list, it tries to connect and send information about the machine (if it is not able to resolve, it tries the next url):

Here it comes the problem. When It connects a valid url, the CnC should answer it with a response with an structure that the downloader understands. But it seems to have a bug when the server is a valid domain and a valid http server, but it is not running the CnC server, it answers with some http “not found” error or something like that (an error page). In this case, the malware can’t find the valid structure that it searchs for, and it reattemps the same url. And again, it happens the same.

So, when the downloader finds a valid http server that is not running the CnC server code, the downloader will enter into a loop trying the same url and won’t continue with the next urls (and it never will download the second exe).

It was happening this, so i had to trick it for the downloader continued trying the next urls. Finally it found a valid url with valid CnC server answering, and here it’s the answer from the server:

As we can see, it is a valid html saying “this page does not exists!” prefixed with the malware structure.

In the malware answer we can find a url where it can download the second stage exe, and a new list of urls.

It will keep the new list of urls into a file: c:\windows\system32\winsrv.exe.cfg, and it will run another instance of svchost.exe to inject (process hollowing) the downloaded exe POSNumBot_baked.exe.

I haven’t seen other interesting things in the downloader to comment. As we saw, the query to the CnC server it is easy, it is plain text and it only encode with base64 the machine info. It would be not hard to write a python client.


The second executable that it downloads is the keylogger. I uploaded it here.

It is not packed. It runs perfectly with double-click (not necesary the downloader to load it).

It creates a window where it will receive keyboard events:

Here it logs keyboard events:

It queues keyboard events to a list that is read from another thread, and this other thread is responsible for communication with CnC:

The thread that connects CnC:

It composes a query like this:

oprat=2&uid=6922070704454700032&uinfo=<user info>==&win=6.1&vers=13.40M&logs=<logged keys>

Uinfo is information about the user, encoded with base64 (like the downloader did).

The logs= parameter is used to send logged keys. This information is encrypted with a simple xor val, 0x2a, and encoded with base64:

This second PE only has an unique CnC url to connect.

We open a notepad to cause keyboard events:

Here it is a capture of the data sent to the CnC:

With this tiny script we decode the data sent in logs parameter:

import base64

s = “QUFBREVYT3FoS0lBWVpLSU93cWhLSUFZWktJT3deT1pLTnFvRF5PWHdxZH9nb3hlCh93cWZrWFhFXXdxZH9nb3hlCh93cWZrWFhFXXdxZH9nb3hlCh93cWZrWFhFXXdxektNT25FXUR3cW5rWFhFXXdxb0ROd3F4a1hYRV13cX9rWFhFXXdxYkVHT3dxeGtYWEVdd3F/a1hYRV13cWJFR093cXpLTU9uRV1Ed3FvRF5PWHdxZH9nb3hlCh93cW5rWFhFXXdxb0ROd3FvRF5PWHdxb0ROd3Fkf2dveGUKH3dxZmtYWEVdd3F4a1hYRV13cWZrWFhFXXdxeGtYWEVdd3Fkf2dveGUKH3dxZmtYWEVdd3F4a1hYRV13cWR/Z294ZQofd3Fma1hYRV13cXpLTU9uRV1Ed3Fua1hYRV13cW9ETndxbmtYWEVdd3FvRE53cXpLTU9uRV1Ed3Fua1hYRV13cW9ETndxemt/eWt3Hx4cEh4ccW9EXk9Ydx4cEh0TAQUdEwVxb0ReT1h3Eh4bGRgbcW9EXk9YdxwSHhMBEh0TEh0eHB8eExIeExIeHBI=”

s = base64.b64decode(s)

sout = “”

for i in range(0, len(s)):
sout += chr(ord(s[i])^0x2A)

f = open(“decryptlog_out.bin”, “wb”)

We get these decrypted results:

kkknore[Backspace][Backspace]tepad[Enter][NUMERO 5][LArrow][NUMERO 5][LArrow][NUMERO 5][LArrow][PageDown][DArrow][End][RArrow][UArrow][Home][RArrow][UArrow][Home][PageDown][Enter][NUMERO 5][DArrow][End][Enter][End][NUMERO 5][LArrow][RArrow][LArrow][RArrow][NUMERO 5][LArrow][RArrow][NUMERO 5][LArrow][PageDown][DArrow][End][DArrow][End][PageDown][DArrow][End][PAUSA]546846[Enter]46879+/79/[Enter]841321[Enter]6849+87987465498498468

If we compare these results with the notepad of the capture, we see the pressed keys ar contained in the log (btw, some words in the log like “NUMERO” or “PAUSA”, are spanish. I suppose this is due to my vmware guest machine spanish configuration).


PoSeidon seems to be a simple dowloader + keylogger not specially dificult to debug. If I did not make a mistake while debugging, it seems the downloader has a bug that would prevent it to download the second exe when a previous valid url with a valid http server is found, but the CnC server is not installed there.


No comments:

Post a Comment