The Oficla malware is a family of Trojans which inject code into running processes in order to download and execute files. We have seen the malware in the wild downloading several additional malware families. The Trojan is often spammed out via mass mailings, for example as UPS_Document or DHL_document, so we decided to do a deeper technical analysis of it. Upon execution we see the following events:
Oficla drops the ‘1.tmp’ file into the temporary directory and loads the file as a library into itself. It also creates a new process from the Microsoft Windows system executable svchost.exe and injects the DLL into this process. During these events we can monitor some network activity.
We can see that it uses some sort of communication protocol with instructions instead of just downloading and running the malware file directly. After loading the sample into the debugger and bypassing the runtime encryption and the anti-debugging code, we find the API call that loads the DLL.
We take a look at the DLL’s exported functions and continue stepping into the process:
The function that is called first is ‘swsmtsi’ at address 0x10001560, with the file path of the sample as parameter. This function creates the svchost.exe process in a suspended state.
After the process is created it uses ‘ZwMapViewOfSection’ to map code into the newly created process…
…with the resulting BaseAddress at 0x00090000. It completes the injection using the unusual ‘QueueUserAPC’ API, setting the callback address to the address previously obtained.
The following ‘ResumeThread’ call starts the execution of the svchost.exe process. Now we attach a second debugger to this svchost.exe process to get more information. We put a breakpoint at address 0x00090000 and another breakpoint in sample.exe after the ‘ResumeThread’ call, and then let sample.exe continue. After a few debugging steps in the second debugger we can see exactly what the injected code does.
It loads kernel32.dll and uses ‘GetProcAddress’ to resolve the addresses of the API functions ‘FreeLibrary’, ‘DeleteFile’ and ‘ExitThread’.
The main job of this function is to load the dropped ‘1.tmp’ DLL and call a function with the strange name ‘jyvudd’. Once ‘jyvudd’ is called, the injected routine has done its job. Before continuing with the debugging we first have a look at the memory layout.
We can use these sections to find interesting code in memory, and we find what look like encrypted null-terminated strings which could contain information about the communication protocol.
At address 0x1000478C we find the decrypt function.
To decrypt all the strings we write a small Python function that emulates this decrypt routine.
With this Python function we can dump the ‘.rdata’ section of the malware and decrypt its content.
This is a list of command words used in the communication with the Command & Control server of the Oficla botnet. Going a little deeper into the Trojan we find the parser for the received command line. The Trojan then uses a dispatcher function which takes as parameter the queue generated by the parser, containing the commands to execute. The next table shows all commands used within the communication.
Each element in this table is a structure of two dwords: the address of the command’s encrypted string and the command’s parameter type.
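The workflow described above (dump the section, decrypt its null-terminated strings, then walk the two-dword command table and resolve each string address) as an added example in Python; this is not the post's own script. The real decrypt routine at 0x1000478C is not reproduced here, so a single-byte XOR stands in for it, and the section address, command words and parameter types are constructed sample values.

```python
import struct

# Assumed stand-in for the real decrypt routine at 0x1000478C (the post does
# not give its algorithm): single-byte XOR applied up to the NUL terminator.
XOR_KEY = 0x5A

def decrypt_string(buf: bytes, offset: int) -> str:
    """Emulate the string decryptor over the NUL-terminated entry at buf[offset:]."""
    out = bytearray()
    for b in buf[offset:]:
        if b == 0:              # encrypted strings are NUL terminated, as in the dump
            break
        out.append(b ^ XOR_KEY)
    return out.decode("ascii")

def dump_strings(section: bytes) -> list[str]:
    """Walk a dumped section and decrypt every NUL-terminated string in it."""
    strings, pos = [], 0
    while pos < len(section):
        end = section.find(b"\x00", pos)
        if end == -1:
            end = len(section)
        if end > pos:           # skip padding runs of zero bytes
            strings.append(decrypt_string(section, pos))
        pos = end + 1
    return strings

def parse_command_table(table: bytes, section: bytes, section_va: int) -> list[tuple[str, int]]:
    """Each entry is two little-endian DWORDs: VA of the encrypted word, parameter type."""
    entries = []
    for i in range(0, len(table), 8):
        str_va, param_type = struct.unpack_from("<II", table, i)
        off = str_va - section_va           # turn the VA into an offset in the dump
        if not 0 <= off < len(section):
            raise ValueError(f"string VA {str_va:#x} lies outside the dumped section")
        entries.append((decrypt_string(section, off), param_type))
    return entries

# Constructed sample data: an assumed .rdata VA and made-up command words/types.
SECTION_VA = 0x1000A000
_WORDS = ["download", "update", "kill"]
def _enc(s: str) -> bytes:
    return bytes(b ^ XOR_KEY for b in s.encode()) + b"\x00"
SECTION = b"".join(_enc(w) for w in _WORDS)          # "download"@0, "update"@9, "kill"@16
COMMAND_TABLE = struct.pack("<6I", SECTION_VA + 0, 1, SECTION_VA + 9, 1, SECTION_VA + 16, 2)

if __name__ == "__main__":
    print(dump_strings(SECTION))
    print(parse_command_table(COMMAND_TABLE, SECTION, SECTION_VA))
```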
The bot runs in a loop, contacting the server periodically. Inside the malware we can see that it has a large range of commands that can be received and executed. It is able to go to a specific URL, download and execute a payload, update itself, use a list of backup servers and even terminate processes on the infected system.
This botnet resembles the ones using the IRC protocol, but has a few advantages: it uses the standard HTTP protocol for communication, which allows it to easily bypass firewalls. Also, on the local side, it uses ‘svchost.exe’ to hide from firewalls whose rules are based on process names.
The techniques used show that Oficla is very sophisticated and adaptive. Nevertheless, Avira detects this bot as TR/Oficla.GM.