Over the past couple of months Minerva Labs’ research team has received multiple alerts of possibly malicious code-unpacking from an executable named FlashHelperService.exe. We decided to investigate this binary in order to determine whether this is a false positive or actual malware. It appears that the binary exhibits various malicious techniques. Hence, we’ve chosen to publish our findings, in hopes of benefiting the community and helping others that are investigating the same case.
It is important to mention that the file is signed by “Zhong Cheng Network” which is a distributor of Adobe’s software in China. There are already numerous complaints on Adobe’s site about the company and its fishy software.
Analysis of the Binary:
The binary contains an embedded DLL encrypted inside its data section, which is reflectively loaded and executed.
The in-memory DLL is internally named ServiceMemTask.dll and has numerous incriminating features:
- A capability to access the flash[.]cn website and download files.
- Downloading encrypted DLL files from the same website, decrypting them, and reflectively loading them.
- Clear text names of various analysis tools are present inside the decrypted binary (which we did not see being used).
- An ability to profile the OS and send it back to the server.
The memory payload contacts the hardcoded URL https://cloud.flash[.]cn/fw/cz/y0fhk8csvhigbzqy9zbv7vfzxdcllqf2.dcb and XOR decrypts data downloaded from there using the hardcoded key “932f71227bdc3b6e6acd7a268ab3fa1d”.
The output is an obfuscated JSON file that serves as a task from the server:
- ccafb352bb3 is the URL for the next payload.
- d072df43184 is the MD5 sum of the encrypted payload.
- e35e94f6803 is the 3DES key of the payload.
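To make the task format concrete, here is an added Python triage helper (written for this post, not Minerva's or the malware's code) that XOR-decodes a captured task blob with the reported key, pulls out the three fields, and checks a downloaded payload against the task's MD5. It assumes the XOR key is applied as a repeating byte key; the sample blob and payload are constructed, and the URL and 3DES key in them are placeholders.

```python
import hashlib
import json

# Hardcoded XOR key reported for the in-memory payload (from the write-up).
XOR_KEY = b"932f71227bdc3b6e6acd7a268ab3fa1d"

# Field names observed in the decrypted task JSON (from the write-up).
FIELD_URL = "ccafb352bb3"       # URL of the next payload
FIELD_MD5 = "d072df43184"       # MD5 of the encrypted payload
FIELD_3DES_KEY = "e35e94f6803"  # 3DES key for the payload


def xor_decrypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. Assumption: the key bytes are applied cyclically."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_task(blob: bytes) -> dict:
    """Decode a captured task blob and return the three fields an analyst cares about."""
    task = json.loads(xor_decrypt(blob).decode("utf-8"))
    return {
        "next_payload_url": task[FIELD_URL],
        "payload_md5": task[FIELD_MD5].lower(),
        "payload_3des_key": task[FIELD_3DES_KEY],
    }


def payload_matches_task(payload: bytes, task: dict) -> bool:
    """True if a downloaded (still encrypted) payload is the one the task names."""
    return hashlib.md5(payload).hexdigest() == task["payload_md5"]


# --- Constructed sample data (not real traffic; URL and key are placeholders) ---
SAMPLE_PAYLOAD = b"constructed-encrypted-payload-bytes"
SAMPLE_TASK = {
    FIELD_URL: "https://example.invalid/PLACEHOLDER/tt.eae",
    FIELD_MD5: hashlib.md5(SAMPLE_PAYLOAD).hexdigest(),
    FIELD_3DES_KEY: "PLACEHOLDER-3DES-KEY",
}
# XOR is symmetric, so "decrypting" plaintext yields a blob in the on-the-wire form.
SAMPLE_BLOB = xor_decrypt(json.dumps(SAMPLE_TASK).encode("utf-8"))

if __name__ == "__main__":
    task = parse_task(SAMPLE_BLOB)
    print(task)
    print("payload matches task:", payload_matches_task(SAMPLE_PAYLOAD, task))
```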
The DLL file is linked against curl, which it uses to download the file “tt.eae” into the module's main directory “C:\Users\Username\AppData\LocalLow\AdobeFlash\FlashCfg”. The file is encrypted using 3DES, with an implementation similar to the one found here. After decryption and decompression (7zip) a PE file internally named “tt.dll” is revealed. The DLL file is yet again reflectively loaded and executed.
After investigating this suspicious code and its subsequent payloads, we can determine that its final intent is adware-like. This functionality can be seen in the file “nt.dll” (SHA256 in IOC section) which is downloaded and reflectively loaded similarly to “tt.dll”. We will update this blogpost with information about “nt.dll” and the initial infection vector of this PUP, which appears to be an executable signed by Adobe.