Bot hosted on Hotfile's server

UNAM’s Computer Emergency Response Team received a report about an allegedly malicious file named “firulais.exe” that was hosted on the well-known file hosting website “hotfile.com”. For this reason, we proceeded to analyze the sample.

The binary file was executed in a controlled environment without Internet access. The process “firulais.exe” started and, using Process Explorer, we saw the string “RimellriRimellri” in the CompanyName column. It also trojanized the process “explorer.exe”, which provides the graphical user interface for accessing the Windows file system.

If Process Monitor was running among the monitoring tools, the malware forced it to close so that it could hide its actions on both the file system and the Windows registry.

In the network traffic, DNS requests to resolve the domains “api.wipmania.com” and “moXXX2.net” were found.

The domain api.wipmania.com belongs to a free geolocation service that returns the country of the IP address that queries it.

As for modifications to the file system, we found that the file only deleted itself.

Next is the sequence of domains that the malware tried to resolve, each of them associated with a different computer on the subnet:

- When trying to resolve the domain api.wipmania.com, it requested “moXXX2.net” and “moXXX3.net”.

- It can also be observed that, during its attempts to resolve api.wipmania.com, it tried to connect to port 80, the port associated with web services.

- When trying to resolve the domain “moXXX2.net”, it requested “api.wipmania.com”; in these attempts it used port 1887, which is not associated with any known service.

- When trying to resolve “moXXX3.net”, again using port 1887, it requested “api.wipmania.com”, “moXXX2.net” and “moXXX4.net”.

- When connecting to moXXX4.net on port 1887, it requested “api.wipmania.com”, “moXXX2.net” and “moXXX3.net”.

The image below shows that the malicious domains resolved to two IP addresses.

We now present our findings after serving ports 80 and 1887 to the malware for the domains api.wipmania.com and “moXXX2.net” respectively.

After enabling the web service, a GET request to the main page of “api.wipmania.com” could be observed in the network traffic; hence, we could browse the site manually to find out what information the malware needed.

When queried, the site “api.wipmania.com” returned the country identifier of the IP address from which the request was made.

The images below show two examples: the first request was made from a personal computer and the second through a proxy. They returned the countries Mexico and Austria respectively.

Because no known service is associated with port 1887, we opened that port with Netcat. In the resulting network traffic we obtained the password “speed”, which was most likely used to authenticate to the server. The nick “{ESP|XPa}mfcidge}” and the user “mfcidge” were also obtained.

These data were an indicator that the sample could be a bot that, after infecting a computer, turns it into a member of a zombie network.

When the sample was allowed to interact with the Internet, the first connection it made was to the domain “api.wipmania.com”, followed by a connection to the site that required the password, the nick and the user to authenticate.

Afterwards, a connection to the Hotfile website was established and the sample downloaded another piece of malicious code.

The image below shows the program “2.exe”, which was downloaded and executed by the analyzed malware.

The changes to the file system were the following:

- The executable file “2.exe” was added to the path “C:\Documents and Settings\Administrator\Program Data”.

- The sample deleted itself from the path where it was executed, in this case the Desktop.

The next image shows the icon of the downloaded binary.

The file downloaded by the malware makes multiple connections to different websites; as seen in the image below, all of them are established connections to remote port 80.

When the malware “firulais.exe” had access to the Internet, the network traffic showed that we were dealing with a bot, because it used credentials to authenticate to the C&C:

- Password: speed

- Nick: n{MX|XPa}mfcidge }  (the parameter “MX” is concatenated into the string to keep a record of the infected computers per country)

- User: bqnmfsk

This IRC bot is of the PUSH type, which means that it waits silently for commands from the C&C instead of repeatedly polling the malicious server to find out whether there are new actions to perform.
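
As an added example (not part of the original analysis), the following Python groups client-to-server IRC registration lines by TCP flow and flags flows whose NICK follows the country-tagged convention observed above, so an analyst can spot this bot's C&C logins in captured traffic. The credentials come from the analysis; the capture line format, the client and server addresses and the USER parameters are assumed.

```python
import re
from collections import defaultdict

# Constructed sample of client-to-server IRC lines, as an analyst might log
# them after pointing the bot's C&C port (1887) at a listener. Credentials are
# the ones reported above; addresses, ports and USER parameters are assumed.
CAPTURE = """\
10.0.0.5:1034 -> 203.0.113.10:1887 PASS speed
10.0.0.5:1034 -> 203.0.113.10:1887 NICK {MX|XPa}mfcidge
10.0.0.5:1034 -> 203.0.113.10:1887 USER bqnmfsk 0 * :bqnmfsk
10.0.0.7:1051 -> 203.0.113.10:1887 PASS speed
10.0.0.7:1051 -> 203.0.113.10:1887 NICK {ESP|XPa}mfcidge
10.0.0.7:1051 -> 203.0.113.10:1887 USER mfcidge 0 * :mfcidge
10.0.0.9:1066 -> 198.51.100.4:6667 NICK alice
10.0.0.9:1066 -> 198.51.100.4:6667 USER alice 0 * :alice
"""

LINE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (PASS|NICK|USER) (.+)$")
# Bot nick convention seen in the analysis: {<country tag>|<tag>}<suffix>
BOT_NICK_RE = re.compile(r"^\{([A-Z]{2,3})\|([^}|]+)\}(\S+)$")
IRC_PORTS = {6667, 6697}  # conventional IRC ports; 1887 is not one of them


def find_bot_registrations(capture: str) -> list[dict]:
    """Group PASS/NICK/USER per TCP flow and report flows with a bot-style NICK."""
    flows: dict[tuple, dict] = defaultdict(dict)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, cmd, arg = m.groups()
        # keep only the first parameter (nick, password, or user name)
        flows[(src, sport, dst, int(dport))][cmd] = arg.split()[0]

    findings = []
    for (src, _sport, dst, dport), cmds in flows.items():
        tag = BOT_NICK_RE.match(cmds.get("NICK", ""))
        if not tag:
            continue  # ordinary IRC client, not the bot's naming scheme
        findings.append({
            "client": src,
            "c2": f"{dst}:{dport}",
            "country": tag.group(1),
            "password": cmds.get("PASS"),
            "user": cmds.get("USER"),
            "nonstandard_port": dport not in IRC_PORTS,
        })
    return findings
```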

The instructions used to download two more executable files from the Hotfile service are shown below. As seen in the image, the file “unthecahnces.exe” could not be downloaded successfully because its MD5 signature did not match the expected one. However, the binary file “jhfmm.exe” was downloaded without problems to the path “C:\Documents and Settings\Administrator\Program Data”, where it was later renamed “2.exe”.

As can be seen below, the second downloaded file, “jhfmm.exe”, is the same as the “2.exe” file.

The string analysis yielded the following parameters:

- Company name: RimellriRimellri

- Product name: CosmKticRimellri

- Original file name: Rimellri.exe

According to tcputils.com, the C&C is geographically located in Las Vegas, Nevada, United States.

The results obtained from the VirusTotal website showed that, at the time of the analysis, only 18 out of 47 antivirus engines detected the file “firulais.exe”. The report is shown below.