View Log opens the installation log file (Report.xml) using the default web browser. The log file contains details about the graphics hardware and software components installed. The Report.xml file can also be found in the folder: C:\Program Files\AMD\CIM\Reports\
NOTE! These are optional choices. The installation of the downloaded Radeon Software package will not continue after Express Uninstall or Custom Uninstall has completed. To continue installing the downloaded Radeon Software package, please rerun the executable file.
Static analysis reveals that most components of IceRat are written in JPHP, a PHP implementation that runs on the Java VM. JPHP uses .phb files instead of Java .class files, a file type that I suspect is not commonly supported by antivirus products. So far I have not heard of or found any other malware that uses JPHP, which partially explains the low detection rates on VirusTotal.
The .phb files contain the 0xCAFEBABE magic bytes of Java .class files somewhere further down. Removing the part of the file before the magic bytes (keeping the magic bytes themselves) makes it possible to decompile these files into Java code with, e.g., Fernflower. The right side of the picture below shows what the file should look like after modification.
IceRat consists of several small components instead of putting all functionality into one file. As a result, most of these files may not attract any attention if their context is missing. E.g., a downloader is only malicious if the downloaded file is malware; if information about the downloaded file is missing and cannot be inferred, there is no reason to detect the downloader as malware.
The chain of infection and related files is in the graphic below. White boxes show non-malicious files. At least four of these files are JPHP EXE files, namely cheats.exe, 1.exe, klient.exe and klip.exe. The main component of IceRat is klient.exe.
According to McMcbrad, the first IceRat sample came from a malicious document for which he didn't keep a hash or file. The first part of the chain that I could find is Browes.exe, which may have been distributed as a trojanized software download for CryptoTab. Browes.exe is a self-extracting WinRAR archive that drops and executes the Windows Cabinet file 1.exe.
The Windows Cabinet file is also a dropper for two more files, namely a non-malicious setup for the CryptoTab software and a malware downloader named cheats.exe. CryptoTab is a browser with mining features, but its installation is not silent: the affected user will see the browser setup window (see image below), which is why I assume CryptoTab is provided as a lure. To summarize: the infection chain starts with a downloader in a trojanized dropper in a dropper.
The JPHP file cheats.exe has the project name droper (sic). It accesses IceRat's main server to download the backdoor klient.exe and randomly chooses one of the following names from a list:
Command and control works by periodically checking the contents of certain files on the malware server. E.g., klient.exe will check the content of the file hxxp://malina1306.zzz.com.ua/dow_stil.txt. If that file contains a line that matches the string :::: for the infected system (see image below), klient.exe will download the stealer from hxxp://malina1306.zzz.com.ua/stel.exe and save it to c:\Windows\Temp\.Browser.exe.
The file 1.exe is downloaded from hxxp://malina1306.zzz.com.ua/1.exe or hxxp://bests.zzz.com.ua/1.exe and saved under a randomly generated name, created from a random number between 10000 and 1000000. The resulting file location is c:\Windows\Temp\..exe. This component communicates with the malware operator via Telegram.
Two more files are referenced in klient.exe but no longer exist: hxxp://malina1306.zzz.com.ua/min.exe would be downloaded to c:\Windows\Temp\.Jawaw Se binar.exe, and hxxp://malina1306.zzz.com.ua/klog.exe would be downloaded to c:\Windows\Temp\.Windows Push.exe. Based on the filenames, one would assume that min.exe should be the coinminer, whereas klip.exe rather sounds like a clipbanker; but that was not what the server provided. klog.exe might have been a keylogger.
The coinminer downloader obtains the configuration file MMMMMM.MMMM, the driver WinRing0x64.sys by OpenLibSys.org, as well as the coinminer Winlogin.exe from hxxp://malina1306.zzz.com.ua/p/. The configuration shows the user firstname.lastname@example.org.
IceRat has gone unnoticed for longer than usual. I attribute this mainly to the choice of JPHP as well as the fragmentation of the malware's features into many small files. "Small" does not refer to file size here; the files are comparatively large because they carry the JPHP runtime with them. "Small" rather refers to the number of features they have or the capability of the code. If one file does only little on its own, it won't show malicious behaviour to an automated analysis system, and that way it stays undetected.
The log files that are used to communicate with the server contain more than 200 entries for different systems. Many usernames of the infected systems are Cyrillic, which indicates that mostly East European and Russian regions are affected.
In this post we analyze Crackonosh. We first look at how Crackonosh is installed. In our analysis we found that it drops three key files, winrmsrv.exe, winscomrssrv.dll and winlogui.exe, which we analyze below. We also describe the steps it takes to disable Windows Defender and Windows Update, as well as its anti-detection and anti-forensics actions. We include information on how to remove Crackonosh. Finally, we include indicators of compromise for Crackonosh.
The only clue to what happened before Maintenance.vbs creates this registry key, and to how the files appear on the victim's computer, is the removal of the InstallWinSAT task in maintenance.vbs. Hunting led us to uncover uninstallation logs containing Crackonosh unpacking details from installations bundled with cracked software.
Serviceinstaller.msi does not manipulate any files on the system; it only modifies the registry to register serviceinstaller.exe, the main malware executable, as a service and to allow it to run in safe mode. Below you can see the registry entries serviceinstaller.msi makes.
Looking at the behavior of winrmsrv.exe (aaf2770f78a3d3ec237ca14e0cb20f4a05273ead04169342ddb989431c537e83) showed something interesting in its API calls: there were over a thousand calls to FindFirstFileExW and FindNextFileExW. We looked at what file it was looking for; unfortunately, the malware author hid the file name behind a SHA-256 hash, as shown below.
After decryption we found the names of other parts of the malware, some URLs, RSA public keys, communication keys for winrmsrv.exe and commands for XMRig. The RSA keys are 8192 and 8912 bits long. These keys are used to verify every file downloaded by Crackonosh (via StartupCheckLibrary.dll, winrmsrv.exe, winscomrssrv.dll).
StartupCheckLibrary.dll is how the author of Crackonosh delivers Crackonosh updates to infected machines. Startupchecklibrary.dll queries DNS TXT records for the domains first[.]universalwebsolutions[.]info and second[.]universalwebsolutions[.]info (or other TLDs like getnewupdatesdownload[.]net and webpublicservices[.]org). The TXT records look like ajdbficadbbfC@@@FEpHw7Hn33. From the first twelve letters it computes the IP address, as shown in the image. The next five characters are the digits of the port, encrypted by adding 16. This gives a socket from which to download wksprtcli.dll. The last eight characters are the version. The downloaded data is validated against one of the public keys stored in the config file.
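The record layout just described, as an added Python example that is not code from the original analysis: it splits a TXT answer into the twelve IP letters, the five port characters and the eight version characters, and undoes the "add 16" port encoding. The mapping from the twelve letters to an IP address is only given as an image in the original, so this parser returns those letters raw; note also that the quoted sample record is 26 characters long, so one character between the port and the version fields is not described and is returned as `unparsed`. The shape check is an assumption meant for triage of DNS logs, not a statement about the malware's own validation.

```python
import re

# Record quoted in the analysis above.
SAMPLE_TXT_RECORD = "ajdbficadbbfC@@@FEpHw7Hn33"

IP_LETTERS = 12
PORT_CHARS = 5
VERSION_CHARS = 8
PORT_SHIFT = 16  # each port digit was "encrypted by adding 16"


def decode_port(encoded: str) -> int:
    """Subtract 16 from every character; the result must be a 5-digit number."""
    if len(encoded) != PORT_CHARS:
        raise ValueError("port field must be exactly 5 characters")
    digits = "".join(chr(ord(c) - PORT_SHIFT) for c in encoded)
    if not digits.isdigit():
        raise ValueError(f"port field {encoded!r} does not decode to digits")
    return int(digits)


def parse_update_record(txt: str) -> dict:
    """Split a TXT record into its fields. The IP letters are returned undecoded
    because the letter-to-address mapping is not given in the text."""
    if len(txt) < IP_LETTERS + PORT_CHARS + VERSION_CHARS:
        raise ValueError("record too short")
    ip_letters = txt[:IP_LETTERS]
    port_field = txt[IP_LETTERS:IP_LETTERS + PORT_CHARS]
    version = txt[-VERSION_CHARS:]
    unparsed = txt[IP_LETTERS + PORT_CHARS:-VERSION_CHARS]
    return {
        "ip_letters": ip_letters,
        "port": decode_port(port_field),
        "version": version,
        "unparsed": unparsed,
    }


# Assumption for log triage: twelve lowercase letters, then five characters in
# the '@'..'I' range (the digits '0'..'9' shifted by 16), then the rest.
UPDATE_RECORD_SHAPE = re.compile(r"^[a-z]{12}[@-I]{5}.{8,}$")


def looks_like_update_record(txt: str) -> bool:
    """Cheap filter for DNS TXT answers worth a closer look."""
    return UPDATE_RECORD_SHAPE.match(txt) is not None


if __name__ == "__main__":
    print(parse_update_record(SAMPLE_TXT_RECORD))
```

Applied to the quoted record, the port field `C@@@F` decodes to 30006 and the version is `pHw7Hn33`; the shape filter can be run over TXT answers in passive-DNS or resolver logs to surface records with this structure for manual review.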
Wksprtcli.dll (which exports DllGetClassObjectMain) updates older versions of Crackonosh. The oldest version of wksprtcli.dll that we found only checks that winlogui.exe does not exist; it then deletes diskdriver.exe (the previous coinminer) and its autostart registry entry. The newest version only runs within a certain time frame. It deletes older versions of winlogui.exe or diskdriver.exe and drops a new version of winlogui.exe. It drops new config files and installs winrmsrv.exe and winscomrssrv.dll. It also changed the way winlogui.exe is started, from the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to a task scheduled on user login.
Wksprtcli.dll also checks the computer time. The reason may be to avoid overwriting newer versions and to make dynamic analysis harder. It also contains a hard-coded date after which it stops the winlogui task so that it can replace the files.
First, the config file defines an offset (49863) and a range (33575). For every port, a SHA-256 is computed from the date (days since the Unix epoch) and 10 bytes from the config file. Each port is then set to the offset plus the first word of the hash modulo the range (offset + (2 B of SHA % range)).
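The port derivation above, as an added Python example that is not code from the original analysis. The offset and range are the values quoted in the text; the 10 config bytes are a constructed stand-in for the value an analyst would pull from the decrypted config. Two details the text does not specify are assumptions here and marked as such in the code: the day counter is serialised as a 4-byte little-endian integer placed in front of the config bytes, and "first word" is read as the first two bytes of the digest, little-endian. The example also shows how a defender with the real config bytes would precompute the expected ports for a date window.

```python
import hashlib
from datetime import date, timedelta

# Values quoted in the analysis above.
OFFSET = 49863
RANGE = 33575
EPOCH = date(1970, 1, 1)

# Constructed stand-in for the 10 config bytes; replace with the bytes taken
# from the sample's decrypted config file.
SAMPLE_CONFIG_BYTES = bytes.fromhex("00112233445566778899")


def days_since_epoch(day: date) -> int:
    """Whole days since the Unix epoch for the given calendar date."""
    return (day - EPOCH).days


def daily_port(day: date, config_bytes: bytes,
               offset: int = OFFSET, port_range: int = RANGE) -> int:
    """offset + (first 16-bit word of SHA-256(date || config bytes) % range)."""
    if len(config_bytes) != 10:
        raise ValueError("expected exactly 10 config bytes")
    # ASSUMPTION: the day counter is a 4-byte little-endian integer prepended
    # to the config bytes; the text does not state the byte layout.
    material = days_since_epoch(day).to_bytes(4, "little") + config_bytes
    digest = hashlib.sha256(material).digest()
    # ASSUMPTION: "first word" means the first two digest bytes, little-endian.
    word = int.from_bytes(digest[:2], "little")
    return offset + (word % port_range)


def is_candidate_port(port: int, offset: int = OFFSET, port_range: int = RANGE) -> bool:
    """Coarse filter: any port this scheme can produce lies in [offset, offset + range)."""
    return offset <= port < offset + port_range


def expected_ports(start: date, days: int, config_bytes: bytes) -> dict[str, int]:
    """Map ISO date -> expected port for a window of days, for hunting in flow logs."""
    return {
        (start + timedelta(n)).isoformat(): daily_port(start + timedelta(n), config_bytes)
        for n in range(days)
    }


if __name__ == "__main__":
    for day, port in expected_ports(date(2021, 6, 1), 7, SAMPLE_CONFIG_BYTES).items():
        print(day, port)
```

One caveat for anyone using the coarse filter: offset + range - 1 = 83437 exceeds 65535, so the upper part of the computed interval cannot be a valid TCP port; the text does not say how the malware handles such values, so treat that part of the interval as an edge case rather than ruling it out.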