Source: VirusShare
Malware Family: RAM Scraper
Static Analysis Tools: pestudio, CFF Explorer, PEID, BinText, IDA Pro
Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, Comodo
Reports:
(1) Malwr: https://malwr.com/analysis/MDk3OGEwNjc5NTY5NDViNmJlMGRiZjRiOTM1Yjk4YTY/
(2) VirusTotal: https://www.virustotal.com/en/file/686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49/analysis/1451436599/

I. Static Analysis

File type: Win32 EXE
Target machine: Intel 386 or later processors and compatible processors
Compilation Timestamp: 2015-02-22 17:23:22
Entry Point: 0x0000151D
Number of Sections: 3
MD5: af13e7583ed1b27c4ae219e344a37e2b
SHA256: 686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49
File size: 17.5 KB (17920 bytes)
Detection ratio: 45/55

PE imports:
[+] ADVAPI32.dll
[+] KERNEL32.dll
[+] USER32.dll
[+] WS2_32.dll

Red Flags:
- The file fingerprints for Web browsers.
- The file fingerprints for Email clients.
- The count (7) of Memory Management functions reached the maximum (1) threshold.
- The count (5) of Tool Help functions reached the maximum (1) threshold.
- The count (3) of Dynamic-Link Library functions reached the maximum (1) threshold.
- The count (13) of Process and Thread functions reached the maximum (1) threshold.
- The count (3) of Mailslot functions reached the maximum (1) threshold.
- The count (52) of blacklisted strings reached the maximum (30) threshold.
- The count (6) of deprecated imported functions reached the maximum (5) threshold.
- The count (27) of imported blacklisted functions reached the maximum (1) threshold.
- The file ignores Data Execution Prevention (DEP) as a mitigation technique.
- The file ignores Address Space Layout Randomization (ASLR) as a mitigation technique.
- The file checksum (0x00000000) is invalid.
- The file is resource-less.
- The file has no Version.
- The file ignores cookies on the stack (GS) as a mitigation technique.
- The file is not signed with a Digital Certificate.

II. Dynamic Analysis

Dependency overview:
- 686dbe5eb1.exe (C:\686dbe5eb1.exe). Analysis reason: Primary Analysis Subject
- ctfmon.exe (C:\WINDOWS\system32\ctfmon.exe). Analysis reason: 686dbe5eb1.exe wrote to the virtual memory of this process
- msmsgs.exe (C:\Program Files\Messenger\msmsgs.exe). Analysis reason: 686dbe5eb1.exe wrote to the virtual memory of this process
- reader_sl.exe (C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe). Analysis reason: 686dbe5eb1.exe wrote to the virtual memory of this process
- wscntfy.exe (C:\WINDOWS\system32\wscntfy.exe). Analysis reason: 686dbe5eb1.exe wrote to the virtual memory of this process
- kxuckd.exe (C:\Program Files\Common Files\kxuckd.exe). Analysis reason: 686dbe5eb1.exe wrote to the virtual memory of this process
- drlwszvxbeo.exe (C:\Program Files\Common Files\drlwszvxbeo.exe). Analysis reason: 686dbe5eb1.exe wrote to the virtual memory of this process

(1) Threads created in: services.exe, lsass.exe
(2) Creates a file: mailslot\LogCC

Signatures:

Installation/Persistence
- Contains ability to write to a remote process (details: [email protected] at PID 0000060)
- Writes data to a remote process (source: API Call). Details:
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" wrote 5557 bytes to a foreign process "armsvc.exe" (PID: 00001232)
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" wrote 5557 bytes to a foreign process "AutoIt3.exe" (PID: 00002872)
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" wrote 5557 bytes to a foreign process "cmd.exe" (PID: 00002624)
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" wrote 5557 bytes to a foreign process "tshark.exe" (PID: 00001120)
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" wrote 5557 bytes to a foreign process "AutoIt3.exe" (PID: 00001768)
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" wrote 5557 bytes to a foreign process "AutoIt3.exe" (PID: 00002808)
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" wrote 5557 bytes to a foreign process "AutoIt3.exe" (PID: 00000284)
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" wrote 5557 bytes to a foreign process "AutoIt3.exe" (PID: 00003068)
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" wrote 5557 bytes to a foreign process "StaticStreamMgr.exe" (PID: 00002116)
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" wrote 5557 bytes to a foreign process "dumpcap.exe" (PID: 00002084)

System Security
- Allocates virtual memory in foreign process (source: API Call). Details:
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" allocated 00005557 bytes of memory in "tshark.exe" (Protection: "execute/read/write")
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" allocated 00005557 bytes of memory in "AutoIt3.exe" (Protection: "execute/read/write")
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" allocated 00005557 bytes of memory in "StaticStreamMgr.exe" (Protection: "execute/read/write")
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" allocated 00005557 bytes of memory in "dumpcap.exe" (Protection: "execute/read/write")
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" allocated 00005557 bytes of memory in "mscorsvw.exe" (Protection: "execute/read/write")
- Changes memory access rights in foreign process to write/execute (source: API Call). Details:
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" changed protection rights in "tshark.exe" (Base: 002c0000, Size: 00005557, Protection: "execute/read/write")
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" changed protection rights in "tshark.exe" (Base: 002c0000, Size: 00008192, Protection: "execute/read/write")
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" changed protection rights in "AutoIt3.exe" (Base: 00110000, Size: 00005557, Protection: "execute/read/write")
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" changed protection rights in "AutoIt3.exe" (Base: 00110000, Size: 00008192, Protection: "execute/read/write")
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" changed protection rights in "AutoIt3.exe" (Base: 006b0000, Size: 00005557, Protection: "execute/read/write")
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" changed protection rights in "AutoIt3.exe" (Base: 006b0000, Size: 00008192, Protection: "execute/read/write")
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" changed protection rights in "AutoIt3.exe" (Base: 00230000, Size: 00005557, Protection: "execute/read/write")
  - "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" changed protection rights in "AutoIt3.exe" (Base: 00230000, Size: 00008192, Protection: "execute/read/write")
- Queries process information (source: API Call). Details: "686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49" queried SystemProcessInformation (Referenced in the context of a system call)

Anti-Emulation (VM Detection)
- Contains ability to query the machine version (details: [email protected] at PID 00000604)

Installation/Persistence
- Contains ability to create a remote thread (often used for process injection) (details: [email protected] at PID 00000604)

Network Signatures
- Found potential URL in binary/memory (source: String). Details: "adminpanel.000a.biz/rec.php"

Spyware/Information Retrieval
- Contains ability to enumerate processes/modules/threads (details: [email protected] at PID 00000604)
- Imports suspicious and RAM scraping APIs (source: Static Parser). Details: OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, GetModuleHandleA, GetProcAddress, GetVersionExA, Sleep, CreateToolhelp32Snapshot, Process32First, Process32Next, VirtualAlloc, WSAStartup, socket, closesocket, connect, send

Informative
- Contacts server (source: Network Traffic). Details: "77.109.171.155"
- Runs shell commands (source: Monitored Target). Details: "%WINDIR%\system32\cmd.exe /c NET USE Z: \\192.168.56.1\VM1 123456 /USER:<USER> /PERSISTENT:Yes" on 2015-03-03.20:36:09

RAM scraping algorithm (pseudocode):

    snapshot = CreateToolhelp32Snapshot()
    Process32FirstW(snapshot, entry)
    do
        // processes on the whitelist below are skipped
        process = OpenProcess(entry)
        while true
            if VirtualQueryEx(process, region)
                ReadProcessMemory(process, region)
            else
                break
        CloseHandle(process)
    while Process32NextW(snapshot, entry)
    CloseHandle(snapshot)
    VirtualFree(buffer)

The RAM scraping function whitelists (skips) the following processes: windbg.exe, logounui.exe, taskmgr.exe, skype.exe, thunderbird.exe, devenv.exe, steam.exe, winlogon.exe, wininit.exe, csrss.exe, smss.exe, svchost.exe, firefox.exe, chrome.exe, explorer.exe, psi.exe, pidgin.exe, System.

III. Yara Signature

    rule Backdoor_Win32_GetMyPassPOS : BDR SCRP
    {
        meta:
            author = "Vitali Kremez"
            date = "2015-12-29"
            description = "Detected GetMyPassPOS Scraper"
            hash0 = "af13e7583ed1b27c4ae219e344a37e2b"
            sample_filetype = "exe"
        strings:
            $string0 = "logounui.exe"
            $string1 = " adminpanel.000a.biz/rec.php"
            $string2 = "chrome.exe"
            $string3 = "thunderbird.exe"
            $string4 = "\\\\.\\mailslot\\LogCC"
            $string5 = "windbg.exe"
            $string6 = "csrss.exe"
            $string7 = "pidgin.exe"
            $string8 = "/%s?encoding=%c&t=%c&cc=%I64d&process="
            $string9 = "smss.exe"
            $string10 = "wininit.exe"
            $string11 = "firefox.exe"
            $string12 = "8SVWARASATAUH"
            $string13 = "SVWARASATAUH"
            $string14 = "svchost.exe"
        condition:
            14 of them and filesize < 18KB
    }

Sourcefire Rule:

    # The C2 IP is matched in the rule header (it does not appear in the payload);
    # the domain and URI are matched in the payload. sid 1000001 is a placeholder local sid.
    alert tcp $HOME_NET any -> 77.109.171.155 any (msg:"GetMyPass POS Alert"; content:"adminpanel.000a.biz"; content:"/rec.php"; pcre:"/(encoding=|&t=|&cc=|&process=)/"; pcre:"/\/rec\.php/"; classtype:trojan-activity; sid:1000001; rev:1;)
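The beacon format string recovered in the Yara rule above (`/%s?encoding=%c&t=%c&cc=%I64d&process=`) is also what a responder has to work with when scoping the breach from proxy logs. As an added example that is not part of the original write-up, the Python below parses constructed proxy log lines for requests to the C2 host, extracts the encoding, track type, card number and source process, and applies a Luhn check so that only beacons carrying a plausible card number are reported; the log line layout, the process name and the card numbers are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Beacon shape from the sample's format string (see the Yara rule):
#   http://adminpanel.000a.biz/rec.php?encoding=%c&t=%c&cc=%I64d&process=<name>
BEACON_RE = re.compile(r"https?://(?P<host>[^/\s]+)(?P<path>/rec\.php\?\S*)")
C2_HOSTS = {"adminpanel.000a.biz", "77.109.171.155"}  # host and IP from the report


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check, as payment card numbers do."""
    if not digits.isdigit() or len(digits) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_beacon(line: str):
    """Extract exfil fields from one proxy log line; None if it is not a C2 beacon."""
    m = BEACON_RE.search(line)
    if not m or m.group("host") not in C2_HOSTS:
        return None
    qs = parse_qs(urlsplit(m.group("path")).query, keep_blank_values=True)
    field = lambda k: qs.get(k, [""])[0]
    cc = field("cc")
    return {"host": m.group("host"), "encoding": field("encoding"),
            "track": field("t"), "cc": cc, "luhn_valid": luhn_ok(cc),
            "process": field("process")}


def triage(lines):
    """One record per beacon whose cc passes Luhn, i.e. a likely real card number."""
    return [r for r in (parse_beacon(l) for l in lines) if r and r["luhn_valid"]]


# Constructed sample proxy log lines (not from the report). 4111111111111111 is a
# public test card number; 1234567890123456 fails the Luhn check.
SAMPLE_LOG = [
    "2015-03-03 20:36:12 10.0.0.21 GET http://adminpanel.000a.biz/rec.php"
    "?encoding=a&t=2&cc=4111111111111111&process=pos.exe 200",
    "2015-03-03 20:36:13 10.0.0.21 GET http://adminpanel.000a.biz/rec.php"
    "?encoding=a&t=1&cc=1234567890123456&process=pos.exe 200",
    "2015-03-03 20:36:15 10.0.0.22 GET http://example.invalid/rec.php"
    "?cc=4111111111111111&process=x.exe 200",
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```

Only the first constructed line is reported: the second carries a value that fails Luhn and the third goes to a host that is not the C2.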
Author: Vitali Kremez
September 2016