
SPE/MiniFlame

SPE/MiniFlame uses the same “main” string encryption algorithm in versions 4.00-5.00.

It looks like this:
.text:10007DDE Decrypt_str_10007DDE proc near ; CODE XREF: sub_10001223+5p
.text:10007DDE ; sub_10001223+16p ...
.text:10007DDE
.text:10007DDE arg_0 = dword ptr 4
.text:10007DDE
.text:10007DDE mov ecx, [esp+arg_0]
.text:10007DE2 push esi
.text:10007DE3 cmp byte ptr [ecx+0Ch], 42h
.text:10007DE7 lea esi, [ecx+0Dh]
.text:10007DEA jnz short loc_10007DF0
.text:10007DEC mov eax, esi
.text:10007DEE pop esi
.text:10007DEF retn
.text:10007DF0 ; ---------------------------------------------------------------------------
.text:10007DF0
.text:10007DF0 loc_10007DF0: ; CODE XREF: Decrypt_str_10007DDE+Cj
.text:10007DF0 push ebx
.text:10007DF1 xor ebx, ebx
.text:10007DF3 xor edx, edx
.text:10007DF5 cmp [ecx+0Ah], bx
.text:10007DF9 jbe short loc_10007E16
.text:10007DFB
.text:10007DFB loc_10007DFB: ; CODE XREF: Decrypt_str_10007DDE+36j
.text:10007DFB mov al, dl
.text:10007DFD add al, 6Eh
.text:10007DFF imul bl
.text:10007E01 mov bl, 0C2h
.text:10007E03 sub bl, al
.text:10007E05 sub bl, dl
.text:10007E07 add [edx+esi], bl
.text:10007E0A mov bl, [edx+esi]
.text:10007E0D movzx eax, word ptr [ecx+0Ah]
.text:10007E11 inc edx
.text:10007E12 cmp edx, eax
.text:10007E14 jb short loc_10007DFB
.text:10007E16
.text:10007E16 loc_10007E16: ; CODE XREF: Decrypt_str_10007DDE+1Bj
.text:10007E16 mov eax, esi
.text:10007E18 pop ebx
.text:10007E19 mov byte ptr [ecx+0Ch], 42h
.text:10007E1D pop esi
.text:10007E1E retn
.text:10007E1E Decrypt_str_10007DDE endp
.text:10007E1E
.text:10007E1F
.text:10007E1F ; =============== S U B R O U T I N E =======================================
.text:10007E1F
.text:10007E1F
.text:10007E1F srand_10007E1F proc near ; CODE XREF: sub_10003377+Dp
.text:10007E1F push 0 ; Time
.text:10007E21 call ds:time
.text:10007E27 push eax ; Seed
.text:10007E28 call ds:srand
.text:10007E2E pop ecx
.text:10007E2F pop ecx
.text:10007E30 retn
.text:10007E30 srand_10007E1F endp
.text:10007E30

Basically the structure is that of a stream cipher, except that the generated key byte is ADDed to the encrypted byte rather than XORed with it. This is very similar to Flame. dl is just a counter, so the main things are bl and the imul instruction. It is not that complicated or novel, but still interesting.

It is a bit strange, as the encrypted string table basically consists of 3-tuple elements, and only the middle one is encrypted by the code above. It is similar, but not that similar, to the other Duqu or Flame encryption techniques.

Here is some Perl code for a simple decryptor:

use strict;
use warnings;

# Decrypt one encrypted string body ($in is a byte string), mirroring the loop
# in Decrypt_str_10007DDE. Returns the decrypted bytes in $bufall2.
sub decrypt_str {
    my ($in) = @_;
    my ($bl, $dl) = (0, 0);   # xor ebx,ebx / xor edx,edx: reset for every new string
    my $bufall2 = '';
    for my $t (unpack("C*", $in)) {     # $t: byte to be decrypted
        my $al = ($dl + 0x6e) % 256;    # mov al, dl / add al, 6Eh
        $al = ($al * $bl) % 256;        # imul bl: only the low byte (AL) is used, same for signed/unsigned
        $bl = (0xc2 - $al - $dl) % 256; # mov bl, 0C2h / sub bl, al / sub bl, dl
        my $t2 = ($t + $bl) % 256;      # add [edx+esi], bl
        $bl = $t2;                      # mov bl, [edx+esi]: previous decrypted byte feeds the next key byte
        $dl = ($dl + 1) % 256;          # inc edx; in fact dx, but only dl is used in the key, dh is just loop state
        $bufall2 .= pack("C", $t2);
    }
    return $bufall2;                    # output buffer
}

So after all we can decrypt the main strings. This encryption technique did not change between versions 4.00 and 5.00, and it applies to the USB (U) versions too.
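As an added example (not code from the original post or from the malware sample), here is the same loop in Python together with the record layout that Decrypt_str_10007DDE reads: the 16-bit length at offset 0x0A, the 0x42 “already decrypted” flag byte at 0x0C and the string data from 0x0D. The `encrypt()` inverse and the `build_record()` helper are assumptions used only to construct test records, since the post contains no encrypted blob; the header bytes before 0x0A are not interpreted by the routine and are kept opaque here.

```python
"""Re-implementation of the MiniFlame string decryption loop (added example,
not the malware's code). Record layout as read by Decrypt_str_10007DDE:
+0x0A: u16 length, +0x0C: flag (0x42 = already decrypted), +0x0D: data."""
import struct

KEY_ADD = 0x6E          # add al, 6Eh
KEY_BASE = 0xC2         # mov bl, 0C2h
DECRYPTED_FLAG = 0x42   # cmp byte ptr [ecx+0Ch], 42h

HDR_LEN_OFF = 0x0A
HDR_FLAG_OFF = 0x0C
HDR_DATA_OFF = 0x0D


def _key_byte(counter: int, prev_plain: int) -> int:
    """Key byte for position `counter`, given the previous decrypted byte (bl).

    mov al, dl ; add al, 6Eh ; imul bl ; mov bl, 0C2h ; sub bl, al ; sub bl, dl
    imul is a signed 8x8 multiply, but only the low byte (AL) is consumed and the
    low byte of the product is identical for signed and unsigned multiplication.
    """
    dl = counter & 0xFF                                   # dl wraps at 256; edx keeps counting
    al = (((dl + KEY_ADD) & 0xFF) * prev_plain) & 0xFF
    return (KEY_BASE - al - dl) & 0xFF


def decrypt(data: bytes) -> bytes:
    """out[i] = in[i] + k(i, out[i-1]) mod 256, with out[-1] = 0 (xor ebx, ebx)."""
    out = bytearray()
    bl = 0
    for i, c in enumerate(data):
        p = (c + _key_byte(i, bl)) & 0xFF                 # add [edx+esi], bl
        out.append(p)
        bl = p                                            # mov bl, [edx+esi]: plaintext feedback
    return bytes(out)


def encrypt(plain: bytes) -> bytes:
    """Assumed inverse (not in the sample): subtract the same key byte.
    The key depends on the previous *plaintext* byte, so encryption can use it directly."""
    out = bytearray()
    bl = 0
    for i, p in enumerate(plain):
        out.append((p - _key_byte(i, bl)) & 0xFF)
        bl = p
    return bytes(out)


def build_record(plain: bytes, encrypted: bool = True,
                 prefix: bytes = b"\x00" * HDR_LEN_OFF) -> bytes:
    """Constructed record in the layout the routine expects; prefix bytes are opaque."""
    assert len(prefix) == HDR_LEN_OFF
    body = encrypt(plain) if encrypted else plain
    flag = 0 if encrypted else DECRYPTED_FLAG
    return prefix + struct.pack("<HB", len(plain), flag) + body


def decrypt_record(rec: bytearray) -> bytes:
    """In-place equivalent of the routine: return as-is if flag == 0x42,
    otherwise decrypt the body and set the flag so a second call is a no-op."""
    length, flag = struct.unpack_from("<HB", rec, HDR_LEN_OFF)
    body = slice(HDR_DATA_OFF, HDR_DATA_OFF + length)
    if flag != DECRYPTED_FLAG:
        rec[body] = decrypt(bytes(rec[body]))
        rec[HDR_FLAG_OFF] = DECRYPTED_FLAG
    return bytes(rec[body])


if __name__ == "__main__":
    sample = b"Global\\AdvTW32Ready500WfEvent"   # plaintext taken from the dump below
    rec = bytearray(build_record(sample))
    print(decrypt_record(rec))
    print(decrypt_record(rec))                    # unchanged: the 0x42 flag short-circuits
```

Note that because bl is reloaded with the freshly decrypted byte on every iteration, the key stream is a function of the previous plaintext byte rather than of the position alone; this is why the Perl decryptor must reset bl and dl to zero at the start of each string, and why one corrupted ciphertext byte scrambles the remainder of that string.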

For v5.00 we get the following strings:


bdagent.exe
%yJ^
outpost.exe
`icsvnt32a.ocx
Global\AdvTW32Ready500WfEvent
8Global\AdvTW32SyncEvent
lnkfile\shellex\IconHandler
{00021401-0000-0000-C000-000000000046}
dgfw
(icsvnt32.ocx
%windir%\system32\
%allusersprofile%\
msfrmt32.dll
gGlobal\ShellTRPInitEvent
Global\AdvTW32AutoDetect
8Global\MICEvent
(Global\TUSEvent
L1---
Global\ShlZoneSynchMutex
vbtLw
%allusersprofile%\mstlis.log
4|k
Iphlpapi.dll
Ws2_32.dll
\SS_data.bmp.ppm
%temp%\tksp1.tmp
W%temp%\tksp2.tmp
%temp%\tksp3.tmp
W%temp%\tksp4.tmp
%temp%\tksp7.tmp
%temp%\tksp8.tmp
]ContLo.txt
Cont.txt

ChannelD.txt

ChannelC.txt
ChannelB.txt
[ChannelA.txt
zFIONA
nSONIA
) Ti
hELVIS
0EVE
JC,B
DRAKE
xCHARLES
ALEX
BARBARA
tTIFFANY
pEOC
(
P%allusersprofile%\datFE2B.da1
%temp%\daa59.tmp
Q%windir%\system32\msfrmt32.dll
FiV=.
DllStartServer
P)mVu
jDllSto
77?'
lk_data.txt
%^no

inet_addr
inet_ntoa
htonl
ntohs
htons
GetAdaptersInfo
OGetBestInterface
RearWindow detected no activity since delta started, maybe no one logged in?.
+*#PFl+
RearWindow failed.
RearWindow throw an exception.
function returned:
BARBAR
BARBAR
Alex ends. Result is:
Alex Starts
Sam ends. Result is:
nH,1
Sam Starts
9Yg3d
Charles ends. Result is:
Charles Starts
Drake ends. Result is:
Drake Starts
tWO8
Elvis ends. Result is:
Elvis Starts
Eve ends. Result is:
Eve Starts
Sonia ends. Result is:
=1g3
Sonia Starts
'W~~
Fiona ends. Result is:
)OOQ
Fiona Starts
S{+w\
h&K=
{%mk
$&FILE_NAME=
&ACTION=
&COMP_ID=
@&LOGGED_ON=
&SEC_COUNT=
&SUC_CMD_ATTEMPTS=
&CMD_ATTEMPTS=
&COMPUTER_NAME=
P&MAC=
(&IP=
&SERVICE_PACK=
&VERSION_INFO=
+&LI=
&COM_B=
SP v5.00H
@&TOOL_B=
Rdw^,Q
h0T^
&PASSWORD=
@&n8
UNIQUE_NUMBER=
jIQ:
85.25.0.24
LifeS
Q194.192.14.125
Grendercodec.info
videosy
nvidiastream.info
nvidiadrivers.i
202.75.58.179
nvidiasoft.info
syncstream.info
xflashupdates.info
/cgi-bin/counter.cgi
KSYSTEM\CurrentControlSet\Control\TimeZoneInformation
+!XQ
StandardTimeBias
StandardDateBias
SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Fonts
PixelShader
advapi32.dll
Global\TRStepEvent
aah/x
sGlobal\MSTKCSrvEvent
vqL7
%allusersprofile%\icsvntu32.ocx
oC7g
Global\ShlZoneDataMutex
SYSTEM
svchost.exe
TRegNotifyChangeKeyVa
"'F/
explorer
KSOFTWARE\Classes\CLSID{35CEC8A3-2BE6-11D2-8773-92E220524153}\InProcServer32
SOFTWARE\Classes\CLSID{450D8FBA-AD25-11D0-98A8-0800361B1103}\InProcServer32
mydocs.dll
SOFTWARE\Classes\CLSID{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32
SOFTWARE\Classes\CLSID{4E14FBA2-2E22-11D1-9964-00C04FBBB345}\InprocServer32
%windir%\System32\es.dll
MACHINE\SOFTWARE\Classes\CLSID{4E14FBA2-2E22-11D1-9964-00C04FBBB345}\InprocServer32
DllUnregisterServer
DllRegisterServer
DllGetClassObject
%a+8@9
DllCanUnloadNow
LSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
PDefaultUserName
6Dq6
hNUL=
kernel32.dll
t_b|&
uGetIfTable
+iphlpapi.dll
shlwapi.dll
0PathS
?A5!
RevertToSelf
ImpersonateLoggedOnUser
XU-
RegOverridePredefKey
RegOpenCurrentUser
OpenProcessToken
LoadLibraryA
cVirtualAlloc
VirtualFree
VirtualProtect
)GetProcAddress
%allusersprofile%\Wnm.tmp
ProxyOverride
ProxyServer
ProxyEnable
0Software\Microsoft\Windows\CurrentVersion\Internet Settings
www.google.com
0Deskto
@Onenotem.exe
&?G?
Onenote.exe
paltalk.exe
mmc.exe
d&|
us
mstsc.exe
ypager.exe
visio.exe
TE$o
powerpnt.exe
winproj.exe
k (c>
notepad.exe
netscape.exe
putty.exe
ftp.exe
telnet.exe
%exceed.exe
H`vS
sinetinfo.exe
icqlite.exe
icq.exe
@frontpage.exe
aim95.exe
(aim.exe
acrord32.exe
|acrobat.exe
Cygwin.exe
msdev.exe
xmsnmsgr.exe
msgplus.exe
hmsmsgs.exe
excel.exe
HWINWORD.exe
msimn.exe
OUTLOOK.exe
Mozilla.exe
firefox.exe
iexplore.exe

We did not cross-check it, but it is strange that it is BARBAR here and not BARBARA (this might be the fault of the decryptor).
More interesting is that everybody was so interested in the language of recent targeted malware (Duqu, Flame, Gauss), and we could not find many “language mistakes” in those cases. Compared to that, this is strange:


Alex ends. Result is:
Alex Starts

“Result is” is strange. “Starts” with a capital S (for all functions, and in all known versions of the malware) is also strange.

“RearWindow throw an exception.” – throw or throws? Surely strange. This type of error was never observed in Duqu and Flame, or we were not able to find one yet.