"Talking keyboard": detailed analysis of a malicious promotion Trojan

Source: Internet
Author: User

"Talking keyboard": detailed analysis of a malicious promotion Trojan

I. Background

In mid-November, a piece of rogue software named "Talking Keyboard" saw explosive growth: its interception volume rose from zero to more than 200,000 overnight. Tracing it back, we found that it was mainly promoted and installed by the "on-demand" pornographic player.

At first glance, however, the software looked perfectly innocent: installed and run directly, its function was to play a corresponding sound whenever a key is pressed, with almost no malicious behavior. Testing showed that its functions are incomplete, though. Clicking "online upgrade", for instance, simply reports that the latest version is already installed without performing any check. Is this really everything the software does?

Figure 1: explosive growth in Trojan interception volume

II. Sample Introduction

Software name: Talking keyboard

File Name: Key_jpls_9181068.exe

MD5: 40dd0aca08e51406179f61cbc382ea84

Behavior description: the installer checks its own file name. If the file name does not match the expected pattern, the installation wizard is displayed; if it does, the following files are dropped into the %appdata%\TsanZioxs directory and run after installation.

Figure 2: files released after installation

In addition to many audio files, the Sound directory also contains two data files.

Figure 3: Partial files in the Sound directory

After running, it looks like normal software, with an interface and seemingly normal functions.

Figure 4: icon created in the taskbar

Figure 5: the related page shown after clicking the icon

III. Detailed Analysis

QcemTiosp.exe behavior:

1. Create an icon in the notification area of the taskbar and build the related interface as a disguise. The software itself, however, cannot actually play key sounds. Once the conditions are met, the interface no longer appears after the machine is restarted and the program runs directly in the background. The Trojan code also contains a large number of exception handlers and deliberately thrown exceptions, which serve to hinder analysis.

Figure 6

2. Create a thread and start the Trojan action: first obtain the MAC address, hash it into a hash value, and send that value to udp.1qingling.com.cn:2005. UDP is used to make the communication less conspicuous.

Figure 7

Figure 8

Figure 9

3. Receive the data returned by the server and check the returned value. If the returned value is 0x191, no further action is performed.

Figure 10

4. Why does the server return 0x191 when only the hash of the MAC address is uploaded? Is there a blacklist, or is it detecting virtual machines through the MAC address? Neither. After repeated tests, we found that the returned value depends on the current IP address. For example, testing from Beijing, Shenzhen, Chengdu and Hangzhou, only Beijing and Shenzhen received 0x191. It appears that the Trojan at least avoids users in Beijing and Shenzhen.

Figure 11
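
As an added illustration (not part of the original analysis), the following Python snippet shows how a defender could flag the beacon described in steps 2 to 4 in network logs. The log lines are constructed in a Zeek-like tab-separated layout; the domain udp.1qingling.com.cn, the UDP port 2005 and the domain config.1qingling.com come from this write-up, while the hosts and IP addresses are made up. It correlates DNS answers with later UDP flows so that a host which beacons to an IP another host resolved from the domain is caught even when its own lookup was not logged.

```python
from collections import defaultdict

# Indicators taken from the write-up; treat them as one signal, not proof on their own.
C2_DOMAINS = {"udp.1qingling.com.cn", "config.1qingling.com"}
BEACON_DOMAIN = "udp.1qingling.com.cn"
BEACON_PORT = 2005

# Constructed sample logs (assumed layout): ts, client, resolver, query, answer
DNS_LOG = """\
1700000001.0\t10.0.0.5\t10.0.0.2\tudp.1qingling.com.cn\t203.0.113.10
1700000002.0\t10.0.0.7\t10.0.0.2\tupdates.example.net\t198.51.100.4
1700000003.0\t10.0.0.9\t10.0.0.2\tconfig.1qingling.com\t203.0.113.11
"""
# Constructed sample flows (assumed layout): ts, src, dst, proto, dport
CONN_LOG = """\
1700000001.5\t10.0.0.5\t203.0.113.10\tudp\t2005
1700000002.5\t10.0.0.7\t198.51.100.4\ttcp\t443
1700000003.5\t10.0.0.9\t203.0.113.11\ttcp\t80
1700000004.0\t10.0.0.11\t203.0.113.10\tudp\t2005
"""


def parse_dns(text):
    """Return client -> {query: answer_ip} for queries that hit the known domains."""
    hits = defaultdict(dict)
    for line in text.splitlines():
        _ts, client, _resolver, query, answer = line.split("\t")
        if query.lower() in C2_DOMAINS:
            hits[client][query.lower()] = answer
    return hits


def parse_conn(text):
    """Return a list of (ts, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, proto, dport = line.split("\t")
        flows.append((float(ts), src, dst, proto, int(dport)))
    return flows


def detect(dns_text, conn_text):
    """Two rules: (a) any resolution of the write-up's domains, and (b) UDP to port 2005
    toward an address that was returned for the beacon domain (by any host)."""
    dns_hits = parse_dns(dns_text)
    beacon_ips = {ip for qs in dns_hits.values() for q, ip in qs.items() if q == BEACON_DOMAIN}
    alerts = []
    for client, queries in dns_hits.items():
        for q in queries:
            alerts.append((client, f"resolved {q}"))
    for _ts, src, dst, proto, dport in parse_conn(conn_text):
        if proto == "udp" and dport == BEACON_PORT and dst in beacon_ips:
            alerts.append((src, f"udp/{dport} beacon to {dst}"))
    return sorted(alerts)


if __name__ == "__main__":
    for host, reason in detect(DNS_LOG, CONN_LOG):
        print(host, reason)
```

The hash-of-MAC upload happens before any payload is fetched, so this UDP exchange is the earliest network sign of the sample; note that a sandbox whose egress IP is in Beijing or Shenzhen receives 0x191 and will only ever observe this benign-looking beacon.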

5. If the current city is not one of the blocked cities, the program stops behaving like an installer, reveals its true nature and starts the Trojan behavior: first it creates a boot (autostart) item so that it stays on the computer for a long time, then it maps the Enter.bin file in the Sound directory into memory.

Figure 12

6. Analysis shows that Enter.bin and Space.bin are compressed files. The compression parameters are stored at the end of each file; searching for the keywords Space and Enter locates them, as shown below:

Figure 13

Figure 14

7. Obtain the relevant parameters and decompress the data with the zlib library. The Trojan statically links zlib version 1.2.3.

Figure 15

8. After decompression, a simple check is made on the data. Once it is confirmed to be a PE file, the Trojan creates its own child process and injects the decompressed PE into it for execution.

Figure 16

Figure 17

Figure 18
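
To make steps 6 to 8 concrete, here is an added Python example; it is not the Trojan's code and not from the original article. The write-up does not give the exact trailer layout, so the container format used here is an assumption: a zlib stream followed by the keyword ("Enter" or "Space") and two 32-bit sizes. What carries over is the procedure an analyst repeats when unpacking such blobs: locate the keyword at the end, read the parameters, inflate with zlib, and verify the MZ/PE header before treating the result as an executable.

```python
"""Unpack an Enter.bin/Space.bin style container and sanity-check the decompressed PE."""
import struct
import zlib

# Assumed trailer layout (not the sample's real format):
#   [zlib stream][5-byte keyword "Enter"/"Space"][u32 uncompressed size][u32 compressed size]
TRAILER_FMT = "<5sII"
TRAILER_LEN = struct.calcsize(TRAILER_FMT)  # 13 bytes


def build_container(keyword: bytes, payload: bytes) -> bytes:
    """Pack a payload the way the write-up describes: zlib stream plus trailing parameters."""
    comp = zlib.compress(payload, 9)
    return comp + struct.pack(TRAILER_FMT, keyword.ljust(5, b"\0"), len(payload), len(comp))


def find_trailer(blob: bytes, keyword: bytes):
    """Locate the keyword at the end of the file and read the two size fields."""
    idx = blob.rfind(keyword.ljust(5, b"\0"))
    if idx < 0 or idx + TRAILER_LEN != len(blob):
        raise ValueError("trailer keyword not found at end of file")
    _kw, orig_size, comp_size = struct.unpack_from(TRAILER_FMT, blob, idx)
    return orig_size, comp_size


def unpack_container(blob: bytes, keyword: bytes) -> bytes:
    """Inflate the zlib stream named by the trailer and check the sizes it claims."""
    orig_size, comp_size = find_trailer(blob, keyword)
    comp = blob[:comp_size]
    if len(comp) != comp_size or comp_size > len(blob) - TRAILER_LEN:
        raise ValueError("compressed size in trailer does not match file")
    data = zlib.decompress(comp)
    if len(data) != orig_size:
        raise ValueError("decompressed size mismatch")
    return data


def looks_like_pe(data: bytes) -> bool:
    """The kind of simple check the sample makes before injection: MZ header and PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def make_fake_pe() -> bytes:
    """Constructed stand-in for Enter.exe: MZ stub, e_lfanew = 0x80, 'PE\\0\\0' at that offset."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 60


if __name__ == "__main__":
    sample = build_container(b"Enter", make_fake_pe())
    inner = unpack_container(sample, b"Enter")
    print("decompressed", len(inner), "bytes; PE:", looks_like_pe(inner))
```

Because the inflated image is injected straight from memory and never written to disk, the unpacked bytes from a script like this are often the only artifact an analyst can hash or scan; dumping them and checking the MZ/PE header is the first step before any further static work on Enter.exe or Space.exe.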

Enter.exe behavior:

This file is obtained by decompressing Enter.bin and is never written to disk. MD5: 1DCC1E25CF884AF7AF6EA3927CAB9D6E

1. Download the configuration file http://config.1qingling.com/biz/810.xml. The configuration file is encrypted and could not be decrypted. The main functions of this Trojan fall into three parts: promotion of rogue games, pop-up windows, and pop-up windows in the lower right corner. The effective time, pop-up frequency and duration are configured for each function.

Figure 19

2. Parse the configuration file, then download and promote files according to it.

Figure 20

Figure 21: promoted files

3. The code for the pop-up window function described in the configuration is not in this file. Instead, it loads Space.bin in the same way Enter.bin was loaded and maps it into memory, then uses the parameters from the configuration file as command-line arguments to create its own zombie (child) process and inject Space.bin into it.

Figure 22

Figure 23

Space.exe behavior:

This file is obtained by decompressing Space.bin and is never written to disk. MD5: 1DCC1E25CF884AF7AF6EA3927CAB9D6E

1. The main function of this file is to read the pop-up parameters from the command-line arguments and display the pop-up.

Figure 24

2. Specific pop-up behaviors:

1) Large pop-up advertisement (Figure 25), corresponding to its Label in the configuration.

Figure 25

2) Pop-up advertisement in the lower right corner (Figure 26), corresponding to its Label in the configuration.

Figure 26

IV. Postscript

With the spread of security software, the space in which pure Trojans can survive keeps shrinking. More Trojans now hide malicious code inside seemingly normal software: apart from the malicious code running in the background, they build a disguised front-end interface so that the installation looks as harmless as possible, and some even use IP-based restrictions to evade analysis by security vendors.

Most of what this Trojan promotes is rogue software, but a few of the promoted items are highly harmful Trojans, which will be analyzed later.
