Anatomy of a traffic generating trojan

This is a trojan with interesting behavior that I came across during the third part of November. I decided to analyze this sample (chosen from the pile of thousands I keep for days of boredom…) because its behavior seemed very interesting when executed in the sandbox. Aside from achieving persistence and making a DNS query, it did not do much. I suspected it had something to hide…

About The Analysis Process: 

After the first execution in my custom sandbox, nothing too exciting happened and the run timed out at the maximum value set by the sandbox, so I started to suspect that this malware has awfully long sleep timers in its code.

I started the static analysis phase, but noticed that this malware has a small number of imports and a strange procedure with many lodsb instructions. That procedure was a custom packer, which PEiD did not identify.

The imports before unpacking:


For easy unpacking, I executed the malware until the return of what seemed to be the unpack procedure:


Setting the breakpoint:


Right after the breakpoint hit, I took a memory dump so I could dump the processes from memory. These are the imports after the unpack procedure returned:


While analyzing the dump I noticed that this executable launches three svchost.exe processes. The main purpose of each svchost process is traffic generation, but each one also has an extra role (e.g. mutex creation, persistence, downloading the DAT files).


A short static analysis of one of the svchost processes proved me right about the sleep timers:


This malware does not have to be executed from an administrator account; we can see that because it achieves its persistence by adding itself to the current user's Run key, which any user can write to:

HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run (i.e. HKCU\Software\Microsoft\Windows\CurrentVersion\Run)

with the executable pofpopitegra.exe as the value, which is dropped at C:\Documents and Settings\%USERNAME%\pofpopitegra.exe. Because the key is per-user, the trojan only starts at that user's logon, but it never needs elevation to install itself.
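A quick triage script for this persistence pattern, added here as an example (it is not the author's tooling and not part of the original post): it parses a `reg export` of the HKCU Run key and flags any autostart value whose executable lives in a user-writable location, which is exactly where pofpopitegra.exe ends up. The .reg text is constructed to resemble such an export; the user name, the other entries and the list of user-writable path fragments are assumptions.

```python
"""Flag Run-key autostarts whose image lives in a user-writable directory.

Added example, not the author's tooling. SAMPLE_REG is constructed to look like
`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`;
the user name 'alice' and the non-malicious entries are assumptions."""
import re
from typing import Dict, List, Tuple

# Constructed sample of a .reg export (not taken from the real sample).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
"pofpopitegra"="C:\\Documents and Settings\\alice\\pofpopitegra.exe"
'''

# Path fragments a non-admin user can write to (assumed list, XP and later layouts).
# Anything autostarting from here was installed without elevation.
USER_WRITABLE_MARKERS = (
    "c:\\documents and settings\\",
    "c:\\users\\",
    "\\appdata\\",
    "\\temp\\",
)

VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_key(reg_text: str) -> Dict[str, str]:
    """Return {value name: command line} from a .reg export.

    .reg files double every backslash and write an embedded quote as
    backslash-quote; undo both so the value reads as it does in regedit."""
    entries: Dict[str, str] = {}
    for line in reg_text.splitlines():
        m = VALUE_LINE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        entries[name] = raw.replace("\\\\", "\\").replace('\\"', '"')
    return entries


def extract_image_path(command: str) -> str:
    """Pull the executable out of a Run value: the quoted path if quoted,
    otherwise everything up to and including the first '.exe' (unquoted
    profile paths on XP contain spaces, so splitting on whitespace is wrong)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe\b", command, re.IGNORECASE)
    if m:
        return command[: m.end()]
    return command.split()[0] if command else ""


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def flag_entries(reg_text: str) -> List[Tuple[str, str]]:
    """(value name, image path) for every entry that starts from a user-writable location."""
    flagged: List[Tuple[str, str]] = []
    for name, command in parse_run_key(reg_text).items():
        path = extract_image_path(command)
        if is_user_writable(path):
            flagged.append((name, path))
    return flagged


if __name__ == "__main__":
    for name, path in flag_entries(SAMPLE_REG):
        print(f"suspicious autostart: {name} -> {path}")
```

On a live box the same check can be run against `reg export` output or an Autoruns CSV; the point is that a per-user Run entry pointing into the profile directory is the signature of exactly the non-elevated persistence this sample uses.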

Network behavior:

This malware generates a fairly large amount of web traffic to sites it probably gets from the DAT file it downloads over the network and from some HTML files with encoded comments. No URL or IP address of any kind was found inside the svchost files or the malware executable itself, except for the URL from which the DAT file is downloaded.



The encoded comments:



The malware generated some SMTP traffic as well. In the next part of the analysis I will dive deeper into the traffic generated by this sample and try to reverse engineer the encryption of the DAT file.
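The behavior described in this post, three svchost.exe processes spawned by the dropped executable and each generating web traffic, plus some SMTP, is easy to turn into a detection check. The script below is an added example, not the author's tooling and not part of the original post: it runs over constructed process and connection records (pids, host names and the parent path are assumptions chosen to mirror the write-up) and flags any svchost.exe that was not started by services.exe, that contacts an unusually large number of web hosts, or that speaks SMTP.

```python
"""Flag svchost.exe instances that behave like the traffic generators
described in the post. Added example; the process and connection records
below are constructed, not captured from the real sample."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Process = Tuple[int, str, str]      # (pid, image path, parent image path)
Connection = Tuple[int, str, int]   # (pid, destination host, destination port)

# Constructed sample: one legitimate svchost (child of services.exe) and three
# spawned by the dropped executable, as the analysis describes. Pids and the
# user name are assumptions.
PROCESSES: List[Process] = [
    (880,  r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\services.exe"),
    (1540, r"C:\WINDOWS\system32\svchost.exe", r"C:\Documents and Settings\alice\pofpopitegra.exe"),
    (1552, r"C:\WINDOWS\system32\svchost.exe", r"C:\Documents and Settings\alice\pofpopitegra.exe"),
    (1564, r"C:\WINDOWS\system32\svchost.exe", r"C:\Documents and Settings\alice\pofpopitegra.exe"),
]

# Constructed connections; the host names are placeholders, not real destinations.
CONNECTIONS: List[Connection] = (
    [(880, "update.example", 80)] * 3
    + [(1540, f"site{i}.example", 80) for i in range(40)]
    + [(1552, f"site{i}.example", 80) for i in range(10)]
    + [(1552, "mail.example", 25)]
    + [(1564, "site1.example", 80)]
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_svchost(processes: Iterable[Process],
                 connections: Iterable[Connection],
                 min_web_hosts: int = 20) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every svchost.exe that trips at least one check."""
    web_hosts: Dict[int, Set[str]] = defaultdict(set)
    ports: Dict[int, Set[int]] = defaultdict(set)
    for pid, host, port in connections:
        ports[pid].add(port)
        if port in (80, 443):
            web_hosts[pid].add(host)

    findings: Dict[int, List[str]] = {}
    for pid, image, parent in processes:
        if basename(image) != "svchost.exe":
            continue
        reasons: List[str] = []
        # Genuine service hosts are started by the SCM (services.exe);
        # a svchost.exe with any other parent was launched by something else.
        if basename(parent) != "services.exe":
            reasons.append(f"parent is {parent}, not services.exe")
        # A service host has no business speaking SMTP.
        if 25 in ports[pid]:
            reasons.append("outbound SMTP (port 25)")
        # Traffic generation: many distinct web destinations from one process.
        if len(web_hosts[pid]) >= min_web_hosts:
            reasons.append(f"{len(web_hosts[pid])} distinct web hosts contacted")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in flag_svchost(PROCESSES, CONNECTIONS).items():
        print(pid, "; ".join(reasons))
```

The parent check alone catches all three injected hosts in this data; the host-count and SMTP checks are there for the case where process-creation logging is missing and only network telemetry is available. The threshold of 20 distinct web hosts is an assumption and should be tuned against a baseline of what svchost normally contacts (Windows Update and BITS do use port 80).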