
Sinowal analysis (Windows 7, 32-bit)

Sinowal (also known as Torpig or Anserin) has consistently been one of the top banking trojans worldwide since 2006. So I asked myself: why is there so little information about it on the web? I only found old articles, which is why I decided to take a fresh look at Sinowal.

Sinowal is a spyware trojan that can be used to perform post-authentication man-in-the-middle (MitM) content-manipulation attacks, a fancy way of saying that it can change basically anything sent or received between your browser and any web server in any HTTP session, even those encrypted by TLS/SSL. It has also been bundled with a boot sector rootkit known as Mebroot (MAOS).

Sinowal is distributed by the Blackhole Exploit Kit, a crimeware web application developed by an author known under the nickname Paunch. Since its appearance in September 2010, the Blackhole Exploit Kit has been very well received in the criminal environment.

The Blackhole Exploit Kit (BH) is based on PHP with a MySQL backend and incorporates support for exploiting the most widely used and most vulnerable software in order to give cybercriminals the highest probability of successful exploitation. BH typically targets versions of the Windows operating system and applications installed on Windows platforms (including Java, Adobe Reader and Adobe Flash Player).

So we need to find live Blackhole Exploit Kit instances with Sinowal as the payload. Let’s visit one of my favorite malware sources:

Fig. 1: Blackhole Exploit Kit domains

I searched for ‘Blackhole’ and ‘Sinowal’; we need to find both of them under the same domain name.

Fig. 2: Sinowal domains

Fig. 3: Detected Blackhole Exploit Kit v1.1 HTTP GET request (URLquery)

Infection and Installation
Test Environment
OS: Microsoft Windows 7 Ultimate (32-bit)
Version: 6.1.7600, Service Pack 0
User Account: Admin [administrative privileges]

Fig. 4: Typical Blackhole Exploit Kit “please wait” message, shown so that the victim stays on the page while the exploit code executes.

Fig. 5: Java exploit CVE-2011-3544


File System Modifications
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\2f3fd5e8-3316ca13 -> Main.class
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U9STA1X5\index[1].htm

Fig. 6: Sinowal files

java.exe (PID 324) Process Create C:\Windows\system32\regsvr32.exe SUCCESS
(PID 2576) Command line: regsvr32 -s "C:\Users\Admin\AppData\Local\Temp\0.46102976370872994.exe"
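The process chain above (a Java plugin process spawning regsvr32.exe to silently register a freshly dropped file from the user's Temp directory) is a pattern a detection engineer can match on. The following is an added example, not code from the original post: it parses process-creation events written in the same style as the lines above (one event per line, constructed sample data) and lists the reasons each regsvr32 launch looks suspicious. The parent-process set and the user-writable directory list are assumptions chosen for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in the Process Monitor style quoted on the page
# (one event per line; not a real capture). The first line mirrors the page's java.exe -> regsvr32 chain.
SAMPLE_LOG = r"""
java.exe (PID 324) Process Create C:\Windows\system32\regsvr32.exe SUCCESS (PID 2576) Command line: regsvr32 -s "C:\Users\Admin\AppData\Local\Temp\0.46102976370872994.exe"
explorer.exe (PID 1400) Process Create C:\Windows\system32\regsvr32.exe SUCCESS (PID 2600) Command line: regsvr32 /s "C:\Windows\System32\msxml3.dll"
javaw.exe (PID 512) Process Create C:\Windows\system32\regsvr32.exe SUCCESS (PID 2700) Command line: regsvr32 /s "C:\Program Files\Java\jre6\bin\regutils.dll"
"""

LINE_RE = re.compile(
    r'^(?P<parent>\S+) \(PID (?P<ppid>\d+)\) Process Create (?P<image>\S+) SUCCESS '
    r'\(PID (?P<pid>\d+)\) Command line: (?P<cmdline>.*)$')
ARG_RE = re.compile(r'"([^"]+)"|(\S+)')  # quoted or bare command-line tokens

# Assumed set of parents that render untrusted content and should never register COM servers.
CONTENT_HOSTS = {"java.exe", "javaw.exe", "iexplore.exe", "firefox.exe", "chrome.exe", "acrord32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\")  # assumed list

def parse_event(line):
    """Return the event fields plus a tokenised command line, or None if not a Process Create line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["args"] = [quoted or bare for quoted, bare in ARG_RE.findall(ev["cmdline"])]
    return ev

def regsvr32_reasons(ev):
    """List why a regsvr32.exe launch resembles the drop-and-register chain seen on the page."""
    reasons = []
    if PureWindowsPath(ev["image"]).name.lower() != "regsvr32.exe":
        return reasons
    if ev["parent"].lower() in CONTENT_HOSTS:
        reasons.append(f"spawned by content-rendering process {ev['parent']}")
    for target in (a for a in ev["args"][1:] if not a.startswith(("-", "/"))):
        low = target.lower()
        if any(d in low for d in USER_WRITABLE):
            reasons.append(f"module lives in a user-writable directory: {target}")
        if not low.endswith(".dll"):
            reasons.append(f"module does not carry a .dll name (the page's sample is named .exe): {target}")
    return reasons

def scan(log_text):
    """Return [(child pid, [reasons])] for every regsvr32 launch that has at least one reason."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line.strip())
        if ev and (reasons := regsvr32_reasons(ev)):
            findings.append((int(ev["pid"]), reasons))
    return findings
```

Run against the sample, the java.exe launch collects all three reasons, the javaw.exe launch only the parent-process one, and the explorer.exe launch none.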

Fig. 7: Deleted Sinowal files

Fig. 8: Encrypted config files

Registry Modifications
HKCR\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887}\InprocServer32 "C:\ProgramData\Windows\wsse.dll"
HKCU\Software\Classes\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887}\InprocServer32 "C:\ProgramData\Windows\wsse.dll"
HKEY_USERS\S-1-5-21-3240576276-2792762255-2876033290-1000\Software\Classes\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887}\InprocServer32 "C:\ProgramData\Windows\wsse.dll"
HKEY_USERS\S-1-5-21-3240576276-2792762255-2876033290-1000_Classes\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887}\InprocServer32 "C:\ProgramData\Windows\wsse.dll"
HKCR\Directory\Shellex\CopyHookHandlers\MicrosoftCopy "{F12BE2CC-A901-4203-B4F2-ADCB957D1887}"
HKCU\Software\Classes\Directory\Shellex\CopyHookHandlers\MicrosoftCopy "{F12BE2CC-A901-4203-B4F2-ADCB957D1887}"
HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers\MicrosoftCopy "{F12BE2CC-A901-4203-B4F2-ADCB957D1887}"
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit "HKCR\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887}\InprocServer32 "C:\ProgramData\Windows\wsse.dll"
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached "{F12BE2CC-A901-4203-B4F2-ADCB957D1887}"
HKEY_USERS\S-1-5-21-3240576276-2792762255-2876033290-1000\Software\Classes\Directory\Shellex\CopyHookHandlers\MicrosoftCopy "{F12BE2CC-A901-4203-B4F2-ADCB957D1887}"
HKEY_USERS\S-1-5-21-3240576276-2792762255-2876033290-1000_Classes\Directory\Shellex\CopyHookHandlers\MicrosoftCopy "{F12BE2CC-A901-4203-B4F2-ADCB957D1887}"
HKEY_USERS\S-1-5-21-3240576276-2792762255-2876033290-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached "{F12BE2CC-A901-4203-B4F2-ADCB957D1887}" […]

Fig. 9: Startup

It registers itself as a BHO (Browser Helper Object) in order to monitor the browser’s web traffic. This way, it knows which websites the user accesses.
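Both persistence mechanisms described so far, the CopyHookHandlers shell extension in the registry listing above and the BHO registration, work the same way: a CLSID is referenced from an auto-loaded handler key and its InprocServer32 value points at the DLL. An audit therefore only needs to resolve each referenced CLSID to its DLL and check where that DLL lives. The following is an added example, not code from the original post: it parses registry lines written in the page's own `KEY "VALUE"` notation (constructed sample; the Sinowal CLSID and wsse.dll path are taken from the listing, the Browser Helper Objects line and the second CLSID/handler pair are assumed entries added for contrast) and flags handler DLLs outside the Windows and Program Files directories.

```python
import re

# Constructed registry lines in the page's own 'KEY "VALUE"' notation (not a live registry read).
# The CLSID and the wsse.dll path are the ones reported on the page; the Browser Helper Objects
# line and the second CLSID/handler pair are assumed entries added for contrast.
REG_LINES = r'''
HKCR\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887}\InprocServer32 "C:\ProgramData\Windows\wsse.dll"
HKCR\Directory\Shellex\CopyHookHandlers\MicrosoftCopy "{F12BE2CC-A901-4203-B4F2-ADCB957D1887}"
HKLM\ Software \Classes\Directory\Shellex\CopyHookHandlers\MicrosoftCopy "{F12BE2CC-A901-4203-B4F2-ADCB957D1887}"
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F12BE2CC-A901-4203-B4F2-ADCB957D1887}
HKCR\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32 "C:\Windows\System32\shell32.dll"
HKCR\Directory\Shellex\CopyHookHandlers\FileSystem "{00000000-1111-2222-3333-444444444444}"
'''

GUID = r'\{[0-9A-Fa-f-]{36}\}'
LINE_RE = re.compile(r'^(?P<key>\S.*?)(?:\s+"(?P<value>[^"]*)")?$')
INPROC_RE = re.compile(r'\\CLSID\\(' + GUID + r')\\InprocServer32$', re.I)
COPYHOOK_RE = re.compile(r'\\Shellex\\CopyHookHandlers\\[^\\]+$', re.I)
BHO_RE = re.compile(r'\\Browser Helper Objects\\(' + GUID + r')$', re.I)
# Assumed: where a shell extension or BHO DLL is expected to live on a 32-bit Windows 7 box.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")

def normalize_key(key):
    """Collapse the stray spaces around backslashes that appear in the page's listing."""
    return re.sub(r'\s*\\\s*', lambda _: '\\', key.strip())

def audit(text):
    """Resolve every CopyHookHandler/BHO CLSID to its InprocServer32 DLL and flag untrusted locations."""
    servers, refs = {}, []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw.strip())
        key, value = normalize_key(m["key"]), m["value"]
        if (im := INPROC_RE.search(key)) and value:
            servers[im[1].upper()] = value
        elif COPYHOOK_RE.search(key) and value and re.fullmatch(GUID, value):
            refs.append(("CopyHookHandler", key, value.upper()))
        elif (bm := BHO_RE.search(key)):
            refs.append(("BHO", key, bm[1].upper()))
    findings = []
    for kind, key, clsid in refs:
        dll = servers.get(clsid)
        if dll is None:
            findings.append((kind, key, clsid, None, "no InprocServer32 seen for this CLSID"))
        elif not dll.lower().startswith(TRUSTED_DIRS):
            findings.append((kind, key, clsid, dll, "handler DLL outside Windows/Program Files"))
    return findings
```

On the sample, the three references to the Sinowal CLSID are reported because wsse.dll sits under C:\ProgramData, while the handler that resolves into System32 is left alone.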

Fig. 10: Common browser hijacking method


Sinowal appeared without the Mebroot component.

Network Analysis

Fig. 12: Network analysis

Fig. 13: HTTP object list

Fig. 14: System Process List is sent to

Fig. 15: gretqetarqe.eu

Fig. 16: Successful exploitation: Sinowal is dropped (contacts.exe = 0.46102976370872994.exe = wsse.dll).

Fig. 17: TCP connections including the process names

Fig. 18: Embedded German text (pcap file and wsse.dll).

Fig. 19: Source: SpiegelOnline.de

File name: rin.jar -> main.class (CVE-2011-3544)
File type: Executable Jar File
File size: 4.05 KB (4148 bytes)
MD5: 97DB22CBB47DD695EB6E8E55D3EA26FA
SHA1: AE378FC9A8C5CA23E67A76826B1C7478E227D4A1
SHA256: 6A218970DAEA9E526F24C53225BD2AC3509FADC94486AE685B4E6865B1845243

Analysis date: 2012-03-02 13:55:21 UTC
Result: 15/43


File name: wsse.dll
File type: Win32 DLL
File size: 104.0 KB (106496 bytes)
MD5: 391fbe6207a2592e2916422689be8c00
SHA1: 83c6452fd3bea8cd4ea87492b865d609e8a39580
SHA256: 7c1e5b7bd3514ca9773c12c32456d848f28b74789551ad4d701df1671e59d4dd

Analysis date: 2012-02-16 19:24:16 UTC
Result: 10/43


References
XyliBox: An overview of Blackhole exploit kit v1.1.0
Imperva: Deconstructing the Black Hole Exploit Kit
Zscaler Research: Analysis of a Blackhole Exploit page
MDL: Domain name prediction algorithm for Sinowal/Mebroot infection domains
Unmask Parasites: Lorem Ipsum and Twitter Trends in Malware
Krebs on Security: New Java Attack Rolled Into Exploit Kits

This Post Has 3 Comments
  1. Thank you for the research. Do you know what answer it receives from the server when it sends the process list? How does it affect the behavior of the infection?

    1. It’s a long list with installed programs and drivers, too.
      I can’t see such an answer from the server…I think it’s only for blacklisting and maybe for remote access.

  2. I was recently attacked by a later variant. It uses the same ClassID. It was detected by Security Essentials. The following is the data from it:


    I am curious as to how it functions. Does it transmit the info it obtains continuously, or does it gather info into a log file and then transmit it? Fig. 18 and Fig. 19 are confusing. Does it require an executable to be downloaded, such as in Fig. 16, for it to be fully deployed?
