[ TECHNICAL TEAR DOWN : DIGICOUPPOAN (PUP/ADWARE) ]

This forum focuses on analyzing malware and any aspects of dealing with packer protections.
Gunther
Junior Member
Posts: 27
Joined: Sun Dec 06, 2009 10:58 pm

[ TECHNICAL TEAR DOWN : DIGICOUPPOAN (PUP/ADWARE) ]

Post by Gunther »

Recently, while I was trying to troubleshoot my relative's home network, I happened to notice that their Chrome browser was infected with a PUP/Adware.

PUP stands for Potentially Unwanted Program. The one that I've come across is DIgiCOuppOan.
I suspect that the machine was infected when one of them went to some p0rn sites.

DIgiCOuppOan is classified as a potentially unwanted adware. DIgiCOuppOan claims to enhance your web browsing experience and save you time and money by providing discounts and other bonuses and deals. The DIgiCOuppOan program is compatible with the majority of the top online retailers.

The DIgiCOuppOan program displays its ads in a pop-up box that contains various ads according to your queries while you are browsing online. Currently the DIgiCOuppOan adware displays at least four basic types of advertising, including sponsored links, coupons, video-related ads and banner ads, "pop-unders" or interstitial ads.

Instead of writing about what it is, I'll be doing my own technical tear-down of this PUP/Adware.
I've attached the file here for anyone interested in trying to analyse it themselves.
[ATTACH]2926[/ATTACH]
The password to the attachment is "infected29A".

[ Sample used in the analysis ]
MD5: 3e77ff05e942fd87964f5588b6274623
SHA1: a2f3a6af0a6f2e757e1e19694c1db614d11b464b

[ How it starts ]
Since it's a Chrome Extension Adware, let's check the permissions of this Adware and further dissect it.
Let's try to understand how a Chrome Extension works.
A Chrome Extension will always require a manifest file, a background.html and possibly some JavaScript files, as documented by Google here.

The manifest file, called manifest.json, gives information about the extension, such as the most important files and the capabilities that the extension might use.
For this particular Adware, we can see below what sort of permissions manifest.json requests.

Code:

{
  "name": "DIgiCOuppOan",
  "version": "5.3",
  "description": "",
  "manifest_version": 2,
  "background": {"page": "background.html"},
  "content_scripts": [
    {
		"all_frames": true,
		"matches": ["http://*/*","https://*/*"],
		"js": ["content.js"],
		"run_at":"document_end"
    }
  ],
  
  "permissions": [
    "http://*/*",
    "https://*/*",
    "tabs",
    "cookies",
    "management",
    "notifications",
    "contextMenus",
    "management",
    "storage"
  ]
}
From the above manifest.json and the documentation here, we can see that it will inject content.js at the end of all webpages visited by the user(s).
Once this Chrome extension starts, it will start "background.html".

From the "permissions", we can also see the permissions that it requires.
For a better understanding of the permissions and what each individual permission means, the following will be a good reference.
https://developer.chrome.com/extensions ... ermissions

[ Dissecting Background.html ]
Let's take a look at "background.html"; we can see that once it's loaded, it will start two other JavaScript files, "L7Y9.js" and "lsdb.js".

[ATTACH]2927[/ATTACH]

[ Dissecting L7Y9.js ]
Let's take a look at L7Y9.js; we can see that there is a decode function.
At first glance the string looks like it is base64 encoded, but in reality it is not.

Now let’s write a decode function without running the actual script. Below is a simple decoding script.

Code:

<html>
<body>
    <script>
        // Shuffled "base64" alphabet lifted from L7Y9.js. Standard base64 uses
        // A-Z a-z 0-9 + / in that order, so the encoded string looks like
        // base64 but decodes to junk with a normal decoder.
        var xlat = "abcdwxyzstuvrqponmijklefghABCDWXYZSTUVMNOPQRIJKLEFGH9876543210+/";

        // Turn the decoded byte string into a JavaScript string, treating it
        // as UTF-8 (1-, 2- and 3-byte sequences).
        function _utf8_decode(a) {
            for (var b = "", c = 0; c < a.length ;) {
                var d = a.charCodeAt(c);
                if (128 > d) b += String.fromCharCode(d),
                    c++;
                else if (191 < d && 224 > d) var e = a.charCodeAt(c + 1),
                    b = b + String.fromCharCode((d & 31) << 6 | e & 63),
                    c = c + 2;
                else var e = a.charCodeAt(c + 1),
                    f = a.charCodeAt(c + 2),
                    b = b + String.fromCharCode((d & 15) << 12 | (e & 63) << 6 | f & 63),
                    c = c + 3
            }
            return b;
        }

        // Custom-alphabet base64 decoder copied from the adware. Characters
        // outside the alphabet (including any '=' padding) are stripped first,
        // so the "0 < h" / "0 < i" checks drop the zero bytes produced by a
        // short final group instead of relying on padding. In a page script
        // "this" is window, so this.xlat is the global above.
        function decode(a) {
            for (var a = a.replace(/[^A-Za-z0-9\+\/]/g, ""), b = "", c = 0; c < a.length ;) {
                var d = this.xlat.indexOf(a.charAt(c++)),
                    e = this.xlat.indexOf(a.charAt(c++)),
                    f = this.xlat.indexOf(a.charAt(c++)),
                    g = this.xlat.indexOf(a.charAt(c++)),
                    h = (e & 15) << 4 | f >> 2,
                    i = (f & 3) << 6 | g,
                    b = b + String.fromCharCode(d << 2 | e >> 4);
                64 != f && 0 < h && (b += String.fromCharCode(h));
                64 != g && 0 < i && (b += String.fromCharCode(i))
            }
            return this._utf8_decode(b);
        }

        // Paste the encoded string from L7Y9.js here (elided in this post).
        var url = decode("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");
        console.log(url);
    </script>
</body>
</html>
Once decoding is done, the decoded message, in this case a list of URL(s), is:

Code:

h--p://spysimplejob.info/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHqTkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F;
h--p://getyourfilespot.com/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHqTkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F;
h--p://getfilenow.co.il/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHqTkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F;
h--p://bdalalakfiles.com/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHqTkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F;
h--p://syncjpi.co.il/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHqTkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F;
h--p://livesimplejob.info/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHqTkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F;
h--p://groupsuperset.info/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHqTkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F;
h--p://filesonlinehere.com/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHqTkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F;
h--p://filedeskforyou.com/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHqTkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
At first glance, it's probably those links that will be injected into the webpages that the user(s) visit.
It is persistently writing data to Local Storage, as we saw that it requested the "storage" permission in the manifest.json file.

[ Conclusion ]
While this is not state-of-the-art Chrome Extension malware, it's probably one of the many PUP/Adware out there.

I hope that this is a fairly simple-to-understand technical tear down whose steps people can repeat on their own, and learn how to analyse Chrome Extension PUP/Adware, or even Chrome Extension malware, by themselves.

BR,
[ Gunther ]
Attachments
DIgiCOuppOan.01.png
bkkdkcifjmepenkhibomliiocmpiejlj.zip
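The two steps in Gunther's post that are worth automating are the manifest review and the custom-alphabet "base64" decode. The following is an added example, not code from the original post or from the adware: Node.js helpers that flag the risky manifest features (all-host permissions, content scripts in every frame, cookie/tab/management APIs), decode a shuffled-alphabet blob by mapping it back onto the standard alphabet, and pull the hostnames out of the ';'-separated URL list. XLAT is the alphabet copied from the post's L7Y9.js decoder and the manifest object is copied from the post; the sample plaintext and the blob built from it are constructed for this example (the real blob is in the attached sample), and no network access is needed.

```javascript
// Added example, not code from the original post or from the adware itself:
// Node.js helpers for triaging a Chrome extension sample like the one above.
// XLAT is the shuffled alphabet copied from the post's L7Y9.js decoder and
// the manifest object is copied from the post; the sample plaintext and the
// blob built from it are constructed for this example (the real blob is in
// the attached sample). No network access is needed.

const STD  = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
const XLAT = "abcdwxyzstuvrqponmijklefghABCDWXYZSTUVMNOPQRIJKLEFGH9876543210+/";

// Decode "base64" written with a shuffled alphabet: map every symbol back to
// its position in the standard alphabet, then let Node's real base64 decoder
// do the bit packing. Characters outside the alphabet are dropped first,
// exactly as the adware's own decode() does; unpadded input is accepted.
function decodeCustomB64(text, alphabet = XLAT) {
  const clean = text.replace(/[^A-Za-z0-9+\/]/g, "");
  const std = Array.from(clean, (ch) => STD[alphabet.indexOf(ch)]).join("");
  return Buffer.from(std, "base64").toString("utf8");
}

// Inverse transform, useful for round-trip checks and for building test blobs.
function encodeCustomB64(text, alphabet = XLAT) {
  const std = Buffer.from(text, "utf8").toString("base64").replace(/=+$/, "");
  return Array.from(std, (ch) => alphabet[STD.indexOf(ch)]).join("");
}

// The decoded blob in the post is a ';'-separated URL list; pull out the
// hostnames so they can be searched for in proxy logs or added to a blocklist.
function extractHosts(decoded) {
  return decoded.split(";").filter(Boolean).map((u) => new URL(u).hostname);
}

// Manifest features that make an extension worth a closer look: host
// permissions covering every site, content scripts injected into every frame
// of every page, and APIs that read cookies or control other extensions.
const RISKY_APIS = new Set(["tabs", "cookies", "management", "webRequest",
  "webRequestBlocking", "history", "proxy", "declarativeNetRequest"]);
const ALL_HOSTS = /^(<all_urls>|https?:\/\/\*\/\*|\*:\/\/\*\/\*)$/;

function triageManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const broad = perms.filter((p) => ALL_HOSTS.test(p));
  if (broad.length) findings.push(`host access to every site: ${broad.join(", ")}`);
  const apis = [...new Set(perms.filter((p) => RISKY_APIS.has(p)))];
  if (apis.length) findings.push(`sensitive APIs: ${apis.join(", ")}`);
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => ALL_HOSTS.test(m))) {
      findings.push(`content script ${(cs.js || []).join(",")} injected on every site` +
        (cs.all_frames ? ", including all frames" : ""));
    }
  }
  return findings;
}

// Copied from the post's manifest.json.
const manifest = {
  name: "DIgiCOuppOan", version: "5.3", manifest_version: 2,
  background: { page: "background.html" },
  content_scripts: [{ all_frames: true, matches: ["http://*/*", "https://*/*"],
    js: ["content.js"], run_at: "document_end" }],
  permissions: ["http://*/*", "https://*/*", "tabs", "cookies", "management",
    "notifications", "contextMenus", "management", "storage"],
};

// Constructed stand-in for the encoded string in L7Y9.js.
const samplePlain = "http://a.example/sync/?q=abc;http://b.example/sync/?q=abc";
const sampleBlob = encodeCustomB64(samplePlain);

console.log(triageManifest(manifest));
console.log(decodeCustomB64(sampleBlob));
console.log(extractHosts(decodeCustomB64(sampleBlob)));
// Feeding the same blob to a standard base64 decoder yields junk, which is the
// quick tell that the alphabet was shuffled rather than the encoding changed.
console.log(Buffer.from(sampleBlob, "base64").toString("latin1"));
```

Mapping the alphabet back to the standard one is the easier route when a sample ships a "base64" routine with an odd lookup table: the bit arithmetic in the adware's decode() is stock base64, so only the table needs translating, and the same trick works for any permuted alphabet by passing it as the second argument.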
Woodmann
Posts: 3605
Joined: Fri Jan 26, 2001 6:28 pm

Post by Woodmann »

Nice quick how-to Gunther. Thanks.
It's funny how many computers I have removed this from.
Since I don't have the time to play with them, I always wondered
how they performed.

In the last 2-3 years I have taken to writing a .txt file on each computer
I fix with 10 simple rules of what not to do.
I make that screen display at start up every time the computer starts.

Woodmann
Learn Or Die.
Aimless
Senior Member
Posts: 869
Joined: Thu Sep 13, 2001 3:11 am

Post by Aimless »

Would love to see that txt file. :)
Blame Microsoft, get l337 !!
wbe
Posts: 139
Joined: Fri Oct 19, 2001 7:53 am
Location: Ankara, Turkey

Post by wbe »

Aimless wrote: Would love to see that txt file. :)
Most probably, it would be something like the attached one below. :devil:
[attachment: .txt file, no longer available]

Woodmann
Posts: 3605
Joined: Fri Jan 26, 2001 6:28 pm

Post by Woodmann »

No, I don't have a problem with porn sites. ;)

Perhaps later, if I have the ambition I will post it.

'Tis very lame that you have to tell people not to do these things.

Woodmann

[ATTACH]2929[/ATTACH]
[attachment: .txt file, no longer available]

Learn Or Die.
wbe
Posts: 139
Joined: Fri Oct 19, 2001 7:53 am
Location: Ankara, Turkey

Post by wbe »

That 10 comp commandments, it is hilarious. :D

As for porn, those which I healed had almost all the very same symptoms which could be traced back to porn. Anyway, that's not surprising, since we're a bunch of geezers living on those blue pills. :devil:
evaluator
Posts: 1539
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

1. is "big ration of shit" flavored?
2.
YOU WILL BE RIDICULED AND BELITTLED BY ME AND EVERYONE ELSE
mazo: please, more, more RIDICULE AND BELITTLE me..
Woodmann
Posts: 3605
Joined: Fri Jan 26, 2001 6:28 pm

Post by Woodmann »

1) Oh, you don't want to know the flavor. After I fix it the 2nd time I tell them "don't dare come back to me again".
2) Only one has come back a third time. I don't see him anymore :smug:

Woodmann
Learn Or Die.