Fake Skype analysis II

A few days ago I published a post here on DragonJAR about a fake application that had been slipped into the open-source software repository Sourceforge.

In the first post we ran some string searches on the application with pyew, extracted some information, and also analysed it with BSA, but without giving it internet access.

We continue with today's article, first of all with some information about the binary.


File: SkypeSetup.exe
Size: 1916301 bytes
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 4e6e4f03ae39c1273a7dd64c57ff2099
SHA1: 5c842d5632a9d31c12b51dc73f3e97827117d4d5
ssdeep: 49152:pZsBWOGZFBNmWdOG5jYm23cNDVNJlXso80WH+YIjNP89A6UgXaF:pZsBWOGZFBTdOGj23aJTlRiOpyA6UgS
Date: 0x4D0B8C52 [Fri Dec 17 16:14:10 2010 UTC]
EP: 0x40b2ec .text 0/5
CRC: Claimed: 0x0, Actual: 0x1df18f [SUSPICIOUS]

If we look at the creation date, it is from 2010!

As I mentioned, in the first part we analysed the application in a sandbox without internet access; we simulated some services for it using FakeNET.

Does the analysis change with or without internet access?

Well, the answer is yes: we can run into several cases where the malware performs certain actions before getting on with its dirty work.

  • DNS requests
  • System calls

The whole Fake Skype package ALREADY contained an EXE with the installer; it did not need to connect to the internet. But if, for whatever reason, it could not reach its control panel, it did nothing and returned an error. As soon as I gave it internet access, these were the changes made in the sandbox.

 Report generated with Buster Sandbox Analyzer 1.88 at 16:45:47 on 14/07/2013

[ General information ]
 * Analysis duration: 00:02:00
 * File name: c:\documents and settings\user\desktop\malware\skypesetup.exe

[ Changes to filesystem ]
 * Creates file C:\cleanup.bat
 * Creates file C:\cleanup.exe
 * Creates file C:\Program Files\Common Files\Skype\Skype4COM.dll
 * Creates file C:\Program Files\qcdvglgr.txt
 * Creates file (hidden) C:\Program Files\Skype\desktop.ini
 * Creates file C:\Program Files\Skype\Phone\Skype.exe
 * Creates file C:\Program Files\Skype\third-party_attributions.txt
 * Creates file C:\Program Files\Skype\third-party_attributions_click-to-call.txt
 * Creates file C:\Program Files\Skype\Toolbars\Internet Explorer\icon.ico
 * Creates file C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
 * Creates file C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPluginBroker.exe
 * Creates file C:\Program Files\Skype\Toolbars\Internet Explorer\uninstall.ico
 * Creates file C:\Program Files\Skype\Toolbars\Shared\root.pem
 * Creates file C:\Program Files\Skype\Toolbars\Shared\SkypeBrowserOptions.dll
 * Creates file C:\Program Files\Skype\Toolbars\Shared\SkypePnr.dll
 * Creates file C:\Program Files\Skype\Toolbars\SkypeToolbars.msi
 * Creates file C:\Program Files\Skype\Updater\Updater.dll
 * Creates file C:\Program Files\Skype\Updater\Updater.exe
 * Creates file C:\WINDOWS\CDFRT.txt
 * Creates file C:\WINDOWS\Installer\18f4f7.msi
 * Creates file C:\WINDOWS\Installer\18f4fc.msi
 * Creates file C:\WINDOWS\Installer\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}\SkypeIcon.exe
 * Creates file C:\WINDOWS\Installer\{B6CF2967-C81E-40C0-9815-C05774FEF120}\IconUninstallIco
 * Creates file C:\WINDOWS\ornrvjo.txt
 * Creates file C:\WINDOWS\system32\BBK3.txt
 * Creates file C:\WINDOWS\system32\CMC.exe
 * Creates file C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6
 * Creates file C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F
 * Creates file C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6
 * Creates file C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F
 * Creates file C:\WINDOWS\system32\CONFIG.DDR
 * Modifies file C:\WINDOWS\system32\d3d9caps.dat
 * Creates file C:\WINDOWS\system32\drivers\khkher.sys
 * Creates file C:\WINDOWS\system32\drivers\puqr.sys
 * Creates file C:\WINDOWS\system32\HookMouse.dll
 * Creates file C:\WINDOWS\system32\MP5.EXE
 * Creates file C:\zip.exe
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\css\login.css
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\css\platform\mac.css
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\css\platform\win.css
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\css\retina\login.css
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\background.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\buttons.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\capsLock.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\capsLockShort.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\checkbox.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\dropdown.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\fb.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\icons.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\inputfields.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\loader.gif
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\loader.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\logoanim.gif
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\messageBottom.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\messageBottomShort.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\messageTop.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\messageTopShort.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\msAccount.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\msAccountOverlay.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\msDefaultPicture.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\picture.jpg
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\plus.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\retina\[email protected]
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\skype.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\skypeicon.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\images\skypelogo.png
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\index.html
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\js\login.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\ar.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\bg.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\ca.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\cs.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\da.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\de.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\el.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\en.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\es.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\et.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\fi.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\fr.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\he.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\hr.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\hu.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\id.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\it.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\ja.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\ko.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\lt.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\lv.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\nl.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\no.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\pl.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\pt-br.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\pt.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\ro.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\ru.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\sk.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\sl.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\sr-latn.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\sv.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\th.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\tr.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\uk.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\vi.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\zh-hans.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Apps\login\languages\zh-hant.js
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}\Skype.msi
 * Creates file C:\Documents and Settings\All Users\Application Data\Skype\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}\SkypeToolbars.msi
 * Creates file C:\Documents and Settings\All Users\Desktop\Skype.lnk
 * Creates file C:\Documents and Settings\All Users\Start Menu\Programs\Skype\Skype.lnk
 * Creates file C:\Documents and Settings\user\Application Data\Microsoft\Windows\DefaultPack\DefaultPack.log
 * Creates file (empty) C:\Documents and Settings\user\Application Data\Skype\shared.lck
 * Creates file C:\Documents and Settings\user\Application Data\Skype\shared.xml
 * Creates file C:\Documents and Settings\user\Application Data\Skype\shared_dynco\dc.db
 * Creates file C:\Documents and Settings\user\Application Data\Skype\shared_dynco\dc.db-journal
 * Creates file (empty) C:\Documents and Settings\user\Application Data\Skype\shared_dynco\dc.lock
 * Creates file C:\Documents and Settings\user\Application Data\Skype\shared_httpfe\queue.db
 * Creates file C:\Documents and Settings\user\Application Data\Skype\shared_httpfe\queue.db-journal
 * Creates file (empty) C:\Documents and Settings\user\Application Data\Skype\shared_httpfe\queue.lock
 * Creates file C:\Documents and Settings\user\Cookies\2Y2009WM.txt
 * Deletes file C:\Documents and Settings\user\Cookies\4SOX27G6.txt
 * Creates file C:\Documents and Settings\user\Cookies\D8FUVP21.txt
 * Creates file C:\Documents and Settings\user\Cookies\IMOENLFD.txt
 * Modifies file (hidden) C:\Documents and Settings\user\Cookies\index.dat
 * Creates file C:\Documents and Settings\user\Cookies\KGOE84NH.txt
 * Creates file (hidden) C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Feeds Cache\desktop.ini
 * Creates file C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\ABNOJF0A\www.google[1].xml
 * Modifies file (hidden) C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\index.dat
 * Modifies file C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
 * Creates file C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{4E9E1800-EC94-11E2-8F9B-0800274FAA0E}.dat
 * Creates file C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{4E9E1801-EC94-11E2-8F9B-0800274FAA0E}.dat
 * Creates file C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{4E9E1803-EC94-11E2-8F9B-0800274FAA0E}.dat
 * Creates file C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{563A640F-EC94-11E2-8F9B-0800274FAA0E}.dat
 * Creates file C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{B893E3EF-BF45-4167-90FD-6D7F2520DC4F}.ico
 * Modifies file (hidden) C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat
 * Modifies file (hidden) C:\Documents and Settings\user\Local Settings\History\History.IE5\MSHist012013071420130715\index.dat
 * Creates file C:\Documents and Settings\user\Local Settings\Temp\install.bat
 * Creates file C:\Documents and Settings\user\Local Settings\Temp\install_skype.exe
 * Creates file C:\Documents and Settings\user\Local Settings\Temp\setup.cpl
 * Creates file C:\Documents and Settings\user\Local Settings\Temp\setup_skype.cpl
 * Creates file C:\Documents and Settings\user\Local Settings\Temp\Skype.msi
 * Creates file C:\Documents and Settings\user\Local Settings\Temp\SkypeToolbars.msi
 * Creates file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat
 * Creates file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5INHMPF5\c04c592cd2babbd6[1].js
 * Creates file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5INHMPF5\favicon[1].ico
 * Creates file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5INHMPF5\logo3w[1].png
 * Creates file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5INHMPF5\rs=AItRSTPykpoFa5KBzk1U6LafAMpzPobqCw[1]
 * Creates file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\82CP43M5\chrome-48[1].png
 * Creates file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\82CP43M5\favicon[1].ico
 * Creates file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\82CP43M5\mgyhp_sm[1].png
 * Modifies file (hidden) C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat
 * Creates file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\TUBOCA54\externalSettings[1].js
 * Creates file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\TUBOCA54\nav_logo132[1].png
 * Creates file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\TUBOCA54\rs=AItRSTPykpoFa5KBzk1U6LafAMpzPobqCw[1]
 * Creates file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\TUBOCA54\tia[1].png
 * Creates file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Z4LDT046\BBK3[1].zip
 * Creates file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Z4LDT046\google_es[1].htm
 * Creates file C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Z4LDT046\k1_a31af7ac[1].png
 * Creates file C:\Documents and Settings\user\SendTo\Skype.lnk

As you can see, the filesystem activity is dramatically greater. Now let's look at the registry.

[ Changes to registry ]
* Creates value "Content Type=6100700070006C00690063006100740069006F006E002F0078002D0073006B007900700065000000" in key HKEY_LOCAL_MACHINE\software\Classes\.skype
* Creates value "(Default)=Skype.Content" in key HKEY_LOCAL_MACHINE\software\Classes\.skype
binary data=53006B007900700065002E0043006F006E00740065006E0074000000
* Creates Registry key HKEY_LOCAL_MACHINE\software\Classes\.skype\Skype.Content\ShellNew
* Creates value "AppID={EE487F98-D1F7-49DD-965D-BFEBAFACBD66}" in key HKEY_LOCAL_MACHINE\software\Classes\AppID\SkypeDialog.DLL
binary data=7B00450045003400380037004600390038002D0044003100460037002D0034003900440044002D0039003600350044002D004200460045004200410046004100430042004400360036007D000000
* Creates value "AppID={CB487EA6-E83B-4F63-8CAE-B1B1D23DA65E}" in key HKEY_LOCAL_MACHINE\software\Classes\AppID\SkypeIEPlugin.DLL
binary data=7B00430042003400380037004500410036002D0045003800330042002D0034004600360033002D0038004300410045002D004200310042003100440032003300440041003600350045007D000000
* Creates value "AppID={89FCA069-AB28-4731-97C2-A9BF40D60D2B}" in key HKEY_LOCAL_MACHINE\software\Classes\AppID\SkypePnr.DLL
binary data=7B00380039004600430041003000360039002D0041004200320038002D0034003700330031002D0039003700430032002D004100390042004600340030004400360030004400320042007D000000
* Creates value "LocalService=SkypeUpdate" in key HKEY_LOCAL_MACHINE\software\Classes\AppID\{27E6D007-EE3B-4FF7-8AE8-28EF0739124C}
binary data=53006B007900700065005500700064006100740065000000
* Creates value "ServiceParameters=/ComService" in key HKEY_LOCAL_MACHINE\software\Classes\AppID\{27E6D007-EE3B-4FF7-8AE8-28EF0739124C}
binary data=2F0043006F006D0053006500720076006900630065000000
* Creates value "(Default)=SkypeIEPluginBroker" in key HKEY_LOCAL_MACHINE\software\Classes\AppID\{60398160-9B57-4070-880B-0EF15F4A05F8}
binary data=53006B007900700065004900450050006C007500670069006E00420072006F006B00650072000000
* Deletes value "LaunchPermission" in key HKEY_LOCAL_MACHINE\software\Classes\AppID\{69AD4AEE-51BE-439B-A92C-86AE490E8B30}
old value "LaunchPermission=01000480700000008C000000000000001400000002005C0004000000000018000100000001020000000000052000000020020000000014000100000001010000000000050400000000001400010000000101000000000005060000000000140001000000010100000000000512000000010500000000000515000000A05F841F5E2E6B49CE120303F4010000010500000000000515000000A05F841F5E2E6B49CE120303F4010000"
* Creates value "(Default)=SkypePNR" in key HKEY_LOCAL_MACHINE\software\Classes\AppID\{89FCA069-AB28-4731-97C2-A9BF40D60D2B}
binary data=53006B0079007000650050004E0052000000

Here I have only included a small portion; the full content is here => http://justpaste.it/skype
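BSA prints REG_SZ values as a hex dump of their UTF-16LE bytes (the `binary data=` lines above), which makes the registry section hard to read at a glance. The following parser decodes those blobs back to text and leaves genuinely binary values (such as the deleted `LaunchPermission` security descriptor) labelled by size; it is an added example, not the article's own code, and the sample lines are copied from the report above.

```python
"""Decode the hex-dumped registry values in a Buster Sandbox Analyzer (BSA)
report section. Added example; the line formats handled are the three shapes
that appear in the report above: a value with inline hex, a following
'binary data=' line, and an 'old value "name=hex"' line for deletions."""
import re
import string

VALUE_RE = re.compile(r'^\*\s+(Creates|Deletes|Modifies) value "([^"]*)" in key (.+)$')
BLOB_RE = re.compile(r'^binary data=([0-9A-Fa-f]+)$')
OLD_RE = re.compile(r'^old value "([^"]*)"$')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2}){4,}$')  # even-length hex run, 4+ bytes

PRINTABLE = set(string.printable) - set('\x0b\x0c')

# Constructed sample: lines copied verbatim from the registry section above.
LAUNCH_HEX = ('01000480700000008C000000000000001400000002005C00040000000000180001000000'
              '0102000000000005200000002002000000001400010000000101000000000005040000'
              '0000001400010000000101000000000005060000000000140001000000010100000000'
              '000512000000010500000000000515000000A05F841F5E2E6B49CE120303F401000001'
              '0500000000000515000000A05F841F5E2E6B49CE120303F4010000')
SAMPLE = (
    '* Creates value "Content Type=6100700070006C00690063006100740069006F006E002F00'
    '78002D0073006B007900700065000000" in key HKEY_LOCAL_MACHINE\\software\\Classes\\.skype\n'
    '* Creates value "(Default)=Skype.Content" in key HKEY_LOCAL_MACHINE\\software\\Classes\\.skype\n'
    'binary data=53006B007900700065002E0043006F006E00740065006E0074000000\n'
    '* Creates value "LocalService=SkypeUpdate" in key HKEY_LOCAL_MACHINE\\software\\Classes'
    '\\AppID\\{27E6D007-EE3B-4FF7-8AE8-28EF0739124C}\n'
    'binary data=53006B007900700065005500700064006100740065000000\n'
    '* Deletes value "LaunchPermission" in key HKEY_LOCAL_MACHINE\\software\\Classes'
    '\\AppID\\{69AD4AEE-51BE-439B-A92C-86AE490E8B30}\n'
    'old value "LaunchPermission=' + LAUNCH_HEX + '"\n'
)


def decode_blob(hexstr):
    """Return ('REG_SZ', text) when the bytes are a NUL-terminated UTF-16LE
    string, otherwise ('binary', byte_length) for descriptors and other data."""
    raw = bytes.fromhex(hexstr)
    if len(raw) % 2 == 0:
        try:
            text = raw.decode('utf-16-le').rstrip('\x00')
        except UnicodeDecodeError:
            text = None
        if text and '\x00' not in text and all(c in PRINTABLE for c in text):
            return ('REG_SZ', text)
    return ('binary', len(raw))


def _decode_field(data):
    if not data:
        return None
    return decode_blob(data) if HEX_RE.match(data) else ('REG_SZ', data)


def parse_registry_section(text):
    """Return one dict per '* ... value' line, with decoded new/old values."""
    entries = []
    for raw in text.splitlines():
        ln = raw.strip()
        if m := VALUE_RE.match(ln):
            action, name_eq_data, key = m.groups()
            name, _, data = name_eq_data.partition('=')
            entries.append({'action': action, 'key': key, 'name': name,
                            'decoded': _decode_field(data), 'old': None})
        elif (m := BLOB_RE.match(ln)) and entries:
            # the hex line belongs to the value entry immediately above it
            entries[-1]['decoded'] = decode_blob(m.group(1))
        elif (m := OLD_RE.match(ln)) and entries:
            _name, _, data = m.group(1).partition('=')
            entries[-1]['old'] = _decode_field(data)
    return entries


if __name__ == '__main__':
    for e in parse_registry_section(SAMPLE):
        print(e['action'], e['name'], e['decoded'], 'old:', e['old'])
```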

Another thing that changed in the sandbox once we gave it internet access is the network traffic.


[ Network services ]
 * Queries DNS "serrasulshopping.com.br".
 * Queries DNS "ui.skype.com".
 * Queries DNS "www.skype.com".
 * Queries DNS "download.skype.com".
 * Queries DNS "crl.verisign.com".
 * Queries DNS "csc3-2010-crl.verisign.com".
 * Queries DNS "g.msn.com".
 * Queries DNS "download.microsoft.com".
 * Queries DNS "crl.microsoft.com".
 * Queries DNS "www.bing.com".
 * Queries DNS "g.ceipmsn.com".
 * Queries DNS "apps.skypeassets.com".
 * Queries DNS "crl.usertrust.com".
 * Queries DNS "toolbar.skype.com".
 * Queries DNS "dsn11.d.skype.net".
 * Queries DNS "crl.comodoca.com".
 * Queries DNS "es.msn.com".
 * Queries DNS "www.google.com".
 * Queries DNS "www.google.es".
 * Queries DNS "ssl.gstatic.com".
 * Queries DNS "support.skype.com".
 * C:\WINDOWS\system32\rundll32.exe Connects to "187.45.242.166" on port 80 (TCP - HTTP).
 * C:\Documents and Settings\user\Local Settings\Temp\install_skype.exe Connects to "91.190.218.39" on port 80 (TCP - HTTP).
 * C:\Documents and Settings\user\Local Settings\Temp\install_skype.exe Connects to "91.190.216.12" on port 80 (TCP - HTTP).
 * C:\Documents and Settings\user\Local Settings\Temp\install_skype.exe Connects to "212.106.219.155" on port 80 (TCP - HTTP).
 * C:\WINDOWS\system32\msiexec.exe Connects to "23.37.165.163" on port 80 (TCP - HTTP).
 * C:\Documents and Settings\user\Local Settings\Temp\install_skype.exe Connects to "65.54.165.55" on port 80 (TCP - HTTP).
 * C:\Documents and Settings\user\Local Settings\Temp\install_skype.exe Connects to "92.122.126.114" on port 80 (TCP - HTTP).
 * C:\Documents and Settings\user\Local Settings\Temp\install_skype.exe Connects to "212.106.219.184" on port 80 (TCP - HTTP).
 * C:\Documents and Settings\user\Local Settings\Temp\IXP000.TMP\DefaultPack.EXE Connects to "212.106.219.113" on port 80 (TCP - HTTP).
 * C:\Documents and Settings\user\Local Settings\Temp\IXP000.TMP\DefaultPack.EXE Connects to "157.56.229.140" on port 80 (TCP - HTTP).
 * C:\Program Files\Skype\Phone\Skype.exe Connects to "88.221.47.240" on port 443 (TCP - HTTPS).
 * C:\Program Files\Skype\Phone\Skype.exe Connects to "178.255.83.2" on port 80 (TCP - HTTP).
 * C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe Connects to "91.190.216.16" on port 443 (TCP - HTTPS).
 * C:\Program Files\Skype\Phone\Skype.exe Connects to "64.4.23.153" on port 40008 (TCP).
 * C:\Program Files\Skype\Phone\Skype.exe Connects to "193.95.154.39" on port 33033 (TCP).
 * C:\WINDOWS\system32\rundll32.exe Connects to "119.9.14.47" on port 80 (TCP - HTTP).
 * C:\Program Files\Internet Explorer\IEXPLORE.EXE Connects to "162.209.15.123" on port 80 (TCP - HTTP).
 * C:\Program Files\Internet Explorer\IEXPLORE.EXE Connects to "173.194.45.20" on port 80 (TCP - HTTP).
 * C:\Program Files\Internet Explorer\IEXPLORE.EXE Connects to "173.194.45.24" on port 80 (TCP - HTTP).
 * C:\Program Files\Internet Explorer\IEXPLORE.EXE Connects to "173.194.41.239" on port 80 (TCP - HTTP).
 * Downloads file from "serrasulshopping.com.br/images/st.img".
 * Downloads file from "ui.skype.com/ui/0/6.5.0.158/en/lightinstaller?source=lightinstaller".
 * Downloads file from "www.skype.com/go/getskype-lightmsi?version=6.5.0.158".
 * Downloads file from "download.skype.com/msi/SkypeSetup_6.5.0.158.msi".
 * Downloads file from "ui.skype.com/ui/0/6.5.0.158/en/getnewestversion?source=lightinstaller&defaultbrowser=ie".
 * Downloads file from "crl.verisign.com/pca3-g5.crl".
 * Downloads file from "csc3-2010-crl.verisign.com/CSC3-2010.crl".
 * Downloads file from "ui.skype.com/ui/0/6.5.0.158/en/go/getextra-skypetoolbar?source=lightinstaller".
 * Downloads file from "www.skype.com/go/getextra-skypetoolbar?intsrc=client-_-windows-_-6.5-_-go-getextra-skypetoolbar&source=lightinstaller".
 * Downloads file from "g.msn.com/1ewenusDefaultPack/UP97_DefaultPack".
 * Downloads file from "download.skype.com/toolbars/SkypeToolbars.msi?intsrc=client-_-windows-_-6.5-_-go-getextra-skypetoolbar&source=lightinstaller".
 * Downloads file from "download.microsoft.com/download/A/E/2/AE2DB51C-3B3C-4608-BD8D-602805146F49/UniversalInstallers/Skype/UP97/DefaultPack.EXE".
 * Downloads file from "crl.microsoft.com/pki/crl/products/microsoftrootcert.crl".
 * Downloads file from "ui.skype.com/ui/0/6.5.0.158./en/installed".
 * Downloads file from "www.bing.com/favicon.ico".
 * Downloads file from "g.ceipmsn.com/8SE/44?MI=A47DEEE4A82947DD97ACC0EF03DADB40&LV=1.7.11.0&OS=5.1.2600.1&TE=26&TV=brIE8.0.6001.18702%7cec2014%7cem".
 * Downloads file from "g.ceipmsn.com/8SE/44?MI=E09D2E4681DC4F8DA9D5F9E08B352D83&LV=1.7.11.0&OS=5.1.2600.1&TE=22&TV=isUP97%7cpkDefaultPack%7crt4%7ctmes-es%7cdbIE8.0.6001.18702%7chdIE8.0.6001.18702%2c1%7csdIE8.0.6001.18702%2c1%7cpo4%7cseIE8.0.6001.18702%2c0%7cbu0%7cfc0%7chpIE8.0.6001.18702%2c1%7cpf%7cdfDHP%2cIE8.0.6001.18702%2c1*DSE%2cIE8.0.6001.18702%2c0%7clc%7cld%7clt%7ccd2013-07-14%7cct14:47:08%7cabIE%7csbIE%2cMF%2cGC%2cAS%7cui0".
 * Downloads file from "crl.usertrust.com/AddTrustExternalCARoot.crl".
 * Downloads file from "crl.comodoca.com/COMODOSSLCA2.crl".
 * Downloads file from "119.9.14.47/BBK3.zip".
 * Downloads file from "162.209.15.123/k1/notify.php".
 * Downloads file from "www.google.com/".
 * Downloads file from "www.google.es/".
 * Downloads file from "www.google.es/images/icons/product/chrome-48.png".
 * Downloads file from "www.google.es/images/mgyhp_sm.png".
 * Downloads file from "www.google.es/images/srpr/logo3w.png".
 * Downloads file from "www.google.es/xjs/_/js/k=xjs.s.en_US.l3EGKs4A4V8.O/m=c,sb,cr,cdos,epb,jp,vm,tbui,mb,wobnm,cfm,abd,bihu,kp,lu,m,tnv,erh,hv,lc,ob,r,sf,sfa,tbpr,hsm,j,p,pcc,csi/am=wA/rt=j/d=1/sv=1/rs=AItRSTPykpoFa5KBzk1U6LafAMpzPobqCw".
 * Downloads file from "www.google.es/extern_chrome/c04c592cd2babbd6.js?bav=on.2,or.r_qf.".
 * Downloads file from "www.google.es/xjs/_/js/k=xjs.s.en_US.l3EGKs4A4V8.O/m=gf,adp,sy41,sy32,sy33,sy42,sy34,sy36,sy39,sy43,sy46,sy44,sy45,sy47,sy31,sy72,sy37,sy48,sy49,sy67,sy40,sy70,sy78,sy86,sy88,sy89,sy90,sy91,sy92,llc,sy57,sy93,async,foot,sy143,vs/am=wA/rt=j/d=0/sv=1/rs=AItRSTPykpoFa5KBzk1U6LafAMpzPobqCw".
 * Downloads file from "www.google.com/textinputassistant/tia.png".
 * Downloads file from "ssl.gstatic.com/gb/images/k1_a31af7ac.png".
 * Downloads file from "www.google.es/gen_204?atyp=i&ct=&cad=&vet=10CAYQ-Cc&ei=BbriUfOXL8SlPfmygMgG&zx=1373813262370".
 * Downloads file from "www.google.es/images/nav_logo132.png".
 * Downloads file from "www.google.es/favicon.ico".
 * Downloads file from "www.skype.com/go/click-to-call?setlang=EN".

[ Process/window/string information ]
 * Hooks API "ntdll.dll-->LdrInitializeThunk".

In this network traffic log we can pick out things like the following as "malicious":

 * Downloads file from "119.9.14.47/BBK3.zip".
 * Downloads file from "162.209.15.123/k1/notify.php".
 * Downloads file from "serrasulshopping.com.br/images/st.img".
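Picking those three entries out of the noise by hand works for one report; the triage below does it programmatically for the network section above, flagging DNS names and downloads outside the hosts a genuine Skype installer is expected to touch, plus outbound connections from Windows binaries such as rundll32.exe, and tying each download from a bare IP back to the process that opened the connection. This is an added example, not the article's code; the allowlist and the suspect-process list are assumptions, and the sample lines are copied from the report above.

```python
"""Triage the [ Network services ] section of a Buster Sandbox Analyzer (BSA)
report. Added example; EXPECTED_SUFFIXES and SUSPECT_PROCESSES are assumptions
a defender would tune to the installer under analysis."""
import re
from urllib.parse import urlsplit

DNS_RE = re.compile(r'^\*\s+Queries DNS "([^"]+)"\.$')
CONN_RE = re.compile(
    r'^\*\s+(\S.*?) Connects to "([^"]+)" on port (\d+) \((TCP|UDP)(?: - \w+)?\)\.$')
DL_RE = re.compile(r'^\*\s+Downloads file from "([^"]+)"\.$')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')

# Assumption: hosts a genuine Skype 6.5 light installer legitimately touches
# (vendor downloads, CRL checks, MSN/Bing bundle telemetry, the IE home page).
EXPECTED_SUFFIXES = (
    'skype.com', 'skype.net', 'skypeassets.com', 'microsoft.com', 'msn.com',
    'ceipmsn.com', 'bing.com', 'verisign.com', 'usertrust.com', 'comodoca.com',
    'google.com', 'google.es', 'gstatic.com',
)
# Assumption: Windows binaries that should not open HTTP connections during an install
SUSPECT_PROCESSES = ('rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe')

# Constructed sample: a subset of the report lines above, verbatim.
SAMPLE_REPORT = r"""
[ Network services ]
 * Queries DNS "serrasulshopping.com.br".
 * Queries DNS "ui.skype.com".
 * Queries DNS "crl.verisign.com".
 * Queries DNS "www.google.es".
 * C:\WINDOWS\system32\rundll32.exe Connects to "187.45.242.166" on port 80 (TCP - HTTP).
 * C:\Documents and Settings\user\Local Settings\Temp\install_skype.exe Connects to "91.190.218.39" on port 80 (TCP - HTTP).
 * C:\Program Files\Skype\Phone\Skype.exe Connects to "64.4.23.153" on port 40008 (TCP).
 * C:\WINDOWS\system32\rundll32.exe Connects to "119.9.14.47" on port 80 (TCP - HTTP).
 * C:\Program Files\Internet Explorer\IEXPLORE.EXE Connects to "162.209.15.123" on port 80 (TCP - HTTP).
 * Downloads file from "serrasulshopping.com.br/images/st.img".
 * Downloads file from "download.skype.com/msi/SkypeSetup_6.5.0.158.msi".
 * Downloads file from "crl.verisign.com/pca3-g5.crl".
 * Downloads file from "119.9.14.47/BBK3.zip".
 * Downloads file from "162.209.15.123/k1/notify.php".
 * Downloads file from "www.google.es/favicon.ico".
"""


def is_expected_host(host):
    host = host.lower()
    return any(host == s or host.endswith('.' + s) for s in EXPECTED_SUFFIXES)


def parse_network_section(text):
    """Return (dns_hosts, connections, download_urls) parsed from BSA lines."""
    dns, conns, downloads = [], [], []
    for raw in text.splitlines():
        ln = raw.strip()
        if m := DNS_RE.match(ln):
            dns.append(m.group(1))
        elif m := CONN_RE.match(ln):
            proc, ip, port, proto = m.groups()
            # keep only the executable name, lower-cased, for matching
            conns.append((proc.rsplit('\\', 1)[-1].lower(), ip, int(port), proto))
        elif m := DL_RE.match(ln):
            downloads.append(m.group(1))
    return dns, conns, downloads


def triage(text):
    """Flag DNS names, connections and downloads a clean install would not make."""
    dns, conns, downloads = parse_network_section(text)
    by_ip = {}
    for exe, ip, _port, _proto in conns:
        by_ip.setdefault(ip, set()).add(exe)

    findings = {
        'dns': [h for h in dns if not is_expected_host(h)],
        'connections': [(exe, ip, port) for exe, ip, port, _ in conns
                        if exe in SUSPECT_PROCESSES],
        'downloads': [],
    }
    for url in downloads:
        host = urlsplit('http://' + url).hostname or ''
        if IPV4_RE.match(host):
            # payload fetched by IP with no DNS name: record which process pulled it
            who = sorted(by_ip.get(host, ()))
            findings['downloads'].append((url, 'fetched from bare IP', who))
        elif not is_expected_host(host):
            findings['downloads'].append((url, 'unexpected host', []))
    return findings


if __name__ == '__main__':
    for kind, items in triage(SAMPLE_REPORT).items():
        print(kind)
        for item in items:
            print('   ', item)
```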

After looking into the sources, I came across a directory listing:

[screenshot: skype]

There are several interesting files: cnt.txt, which lists all the users who took the bait when installing the application.

And the PHP files, which are in charge of creating that file and doing the redirect.

For your use and enjoyment, I have uploaded it to mediafire so you can analyse it.

  • http://www.mediafire.com/?xw69xzqga6ly38z

Author: Seifreed

Trained in an anti-fraud team. I have worked implementing fraud protection and prevention for several clients in the national and international banking sector. My job consists of finding solutions to the current and future problems financial institutions face with malicious code and fraud. Specialities such as malware analysis, forensic analysis, reverse engineering and ethical hacking tasks are part of my daily work. I am a speaker at national events (No cON Name, Owasp, Navaja Negra) and international ones (DragonJAR CON - Colombia). I am an associate lecturer at La Salle, teaching the MPWAR course (Master in High Performance Web Programming) and La Salle's cybersecurity master's (MCS, Master in Cybersecurity). Member of research associations and groups such as the HoneyNet Project, Owasp, SySsec, etc. I am also the organiser of the Hack&Beers conferences in Barcelona.
