Shamoon the Wiper in details

We continue to analyse the Shamoon malware. This blog contains information about the internals of the malicious samples involved in this campaign.

Samples nesting

The main executable (dropper) includes 3 resources, each of which holds an encrypted program. The cipher is pretty simple: XOR with a dword key. This was mentioned in our first blog post.

Resource PKCS12:112 holds an encoded executable, XORed with the key value 0xFB5D7F25. During dropper execution it is saved to the %WINDIR%\System32 folder under a name taken from a hardcoded list. In turn, this module holds resource READONE:101 (XOR key: 0xF052AF15), a driver that is decoded and saved to disk as %WINDIR%\System32\Drivers\DRDISK.SYS.

Resource PKCS7:113 holds an executable, XORed with key 0x00BAD417 and saved to disk as %WINDIR%\System32\NETINIT.EXE during dropper execution.

Resource X509:116 holds an AMD64 version of the main Shamoon executable (dropper), XORed with key 0xBB1AC25C. This in turn contains almost the same set of resources as its Win32 counterpart: PKCS12:112, the AMD64 version of the first executable dropped, which carries an AMD64 version of the driver, and PKCS7:113, the AMD64 version of NETINIT.EXE. So resources 112 and 113 have the same XOR keys in the x86 and AMD64 versions of the dropper, but the drivers' keys are different: the AMD64 driver is XORed with 0x10CAFFA0, while the x86 driver is XORed with 0xF052AF15. This picture is worth a thousand words and sums up these on-disk files:

[Figure: Shamoon samples nesting]
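The XOR-by-dword scheme and the keys listed above, as an added example (not code from the original post): a Python helper an analyst can run over an extracted resource to see which listed key yields a PE image. The little-endian key byte order, the function names and the sample blob are assumptions; the sample is constructed.

```python
import struct

# Keys as listed in the write-up above; labels are for reporting only.
KEYS = {
    "PKCS12:112": 0xFB5D7F25,
    "PKCS7:113": 0x00BAD417,
    "X509:116": 0xBB1AC25C,
    "READONE:101 (x86 driver)": 0xF052AF15,
    "AMD64 driver": 0x10CAFFA0,
}

def xor_dword(data: bytes, key: int) -> bytes:
    """XOR data with a repeating 32-bit key (assumption: little-endian key bytes)."""
    kb = struct.pack("<I", key)
    return bytes(b ^ kb[i & 3] for i, b in enumerate(data))

def looks_like_pe(data: bytes) -> bool:
    """Check the 'MZ' magic and the 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def identify(blob: bytes):
    """Return (label, decoded) for the first key that yields a PE image, else None."""
    for label, key in KEYS.items():
        decoded = xor_dword(blob, key)
        if looks_like_pe(decoded):
            return label, decoded
    return None

def constructed_pe() -> bytes:
    # Constructed stand-in for a payload: DOS header fields plus PE signature only.
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew points just past the header
    return bytes(hdr) + b"PE\0\0" + bytes(20)

if __name__ == "__main__":
    blob = xor_dword(constructed_pe(), KEYS["PKCS7:113"])  # constructed "resource"
    label, decoded = identify(blob)
    print(label, decoded[:2])
```

Because XOR is its own inverse, the same function encodes the constructed sample and decodes it again.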

So, the Shamoon main executable has been coded to work in 3 modes:

1. the sample is run as a typical program in a 32-bit OS (argument-dependent)
2. the sample is run in a 64-bit OS
3. the sample is run as a service in a 32-bit OS

64-bit environment

First, the program checks if it has been launched in a 64-bit operating system. If so, it drops the AMD64 version of the main executable by decrypting the X509:116 resource and saving the decrypted data to disk as %WINDIR%\System32\trksrv.exe. Then it creates and starts the service “TrkSvr” using the following command line:

%WINDIR%\System32\cmd.exe /c "ping -n 30 127.0.0.1 >nul && sc config TrkSvr binpath= system32\trksrv.exe && ping -n 10 127.0.0.1 >nul && sc start TrkSvr "

This branch comes to an end and the program exits.

Let’s take a look at what the program does if it runs as a typical program in a 32-bit operating system.

Story added 21. September 2012.