Source: VirusShare Malware Family: RAM Scraper Static Analysis Tools: pestudio, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, Comodo Reports: (1) TotalHash: https://totalhash.cymru.com/analysis/?a6eb86b55148a7a491093f1f6af6a15c4b44b96c (2) VirusTotal: https://www.virustotal.com/en/file/11591204155db5eb5e9c5a3adbb23e99a75c3b25207d07d7e52a6407c7ad0165/analysis/1451210102/ I . Static Analysis: File type: Win32 EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2014-05-08 17:41:10 Entry Point: 0x000011D8 Number of Sections: 3 MD5: 12c9c0bc18fdf98189457a9d112eebfc SHA256: 11591204155db5eb5e9c5a3adbb23e99a75c3b25207d07d7e52a6407c7ad0165 Contains ability to download files from the Internet
details recv@WS2_32.dll at PID 00002272 Contains ability to write to a remote process details [email protected] at PID 00002272 Drops executable files details "javaw.exe" has type "PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows" source Dropped File Network Related Found potential IP address in binary/memory details "81.4.111.176" source String details Heuristic match: "total-updates.com" source String *Creates log.txt with the keylogged data Unusual Characteristics Imports suspicious APIs details VirtualAlloc source Static Parser III. Yara Signature: rule Backdoor_Win32_BackoffPOS : BDR/SCRP { meta: author = "Vitali Kremez" date = "2015-12-27" description = "Detected BackoffPOS Scraper" hash0 = "12c9c0bc18fdf98189457a9d112eebfc" sample_filetype = "exe" strings: $string0 = "&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s" $string1 = "/windebug/updcheck.php" $string2 = "81.4.111.176 " $string3 = "\OracleJava\Log.txt" $string4 = "\OracleJava\javaw.exe" $string5 = "GET %s HTTP/1.1Host: %s Connection: close" $string6 = "LANMANNT" $string7 = “SYSTEM\CurrentControlSet\Control\ProductOptions” $string8 = “nUndsa8301nskal” condition: all of them and filesize<77KB } Sourcefire Rule: alert any $HOME_NET any -> any any (msg:" BackoffPOS Alert”; content: “total-updates.com“;”zoom2energy.com”; “/windebug/updcheck.php”; “User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0”; pcre: “/.*(&op=| &id=|&ui=%s&wv=|&gr=|&bv=| ).*/”; pcre: “/.*(/userfiles/fb_sprd6.exe ).*/”; classtype: Trojan-activity
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |