Source: VirusShare Malware Family: RAM Scraper Static Analysis Tools: pestudio, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, Comodo Reports: (1) Malwr: https://malwr.com/analysis/YTNkZDNmNmRkZjExNDU0NDg2OGZlMmZmOWYzODI0YmU/ (2) VirusTotal: https://www.virustotal.com/en/file/b579c8866f7850110a8d2c7cc10110fa82f86a8395b93562f36e9f500a226929/analysis/1451185979/ I . Static Analysis: Internal Filename: FrameworkServiceLog.exe File type: Win32 EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2014-06-22 15:29:34 Entry Point: 0x00007B22 Number of Sections: 5 MD5: b57c5b49dab6bbd9f4c464d396414685 SHA256: b579c8866f7850110a8d2c7cc10110fa82f86a8395b93562f36e9f500a226929 File size: 131.5 KB (134656 bytes) Detection ratio: 46 / 55 PE imports: [+] ADVAPI32.dll [+] KERNEL32.dll [+] PSAPI.DLL [+] WS2_32.dll Red Flags: The file fingerprints for Web browsers. The count (5) of Authorization functions reached the maximum (1) threshold. The count (15) of Memory Management functions reached the maximum (1) threshold. The count (5) of Tool Help functions reached the maximum (1) threshold. The count (3) of Error Handling functions reached the maximum (1) threshold. The count (3) of Debugging functions reached the maximum (1) threshold. The count (9) of Console functions reached the maximum (1) threshold. The count (9) of Dynamic-Link Library functions reached the maximum (1) threshold. The count (35) of Process and Thread functions reached the maximum (1) threshold. The count (5) of SEH functions reached the maximum (1) threshold. The count (21) of Service functions reached the maximum (1) threshold. The count (17) of File Management functions reached the maximum (1) threshold. The file is scored (46/55) by Virustotal. The count (135) of blacklisted strings reached the maximum (30) threshold. The count (70) of imported blacklisted functions reached the maximum (1) threshold. The count (6) of antidebug imported functions reached the maximum (1) threshold. The file references the Service Control Manager (SCM). The file references child Processes. The file references the Event Log. The file opts for Address Space Layout Randomization (ASLR) as mitigation technique. The file has no Version. The file is not signed with a Digital Certificate. The file references a URL (https://pbs.twimg.com/media/BemB94NCMAArTly.jpg) scored (0/59) by Virustotal. The file references a URL (http://1389blog.com/pix/molotov-cocktails-usa-ukraine-syria-egypt-libya.jpg) scored (0/58) by Virustotal. The file references a URL (http://www.moonofalabama.org/2014/01/libya-syria-and-now-ukraine-color-revolution-by-force.html) scored (0/59) by Virustotal. The file references a URL (http://williamblum.org/books/americas-deadliest-export) scored (0/66) by Virustotal. The file references a URL (https://en.wikipedia.org/wiki/List_of_wars_involving_the_United_States) scored (0/63) by Virustotal. Here is an interesting string: II. Dynamic Analysis: *Contains a command line executable, listening to the following commands Service Start Stop Install Uninstall *Installs service faking McAfee Framework Management Instrumentation in mcfmiscv registry with the above-referenced commands *Whitelists the following processes during the RAM scraping function: smss.exe csrss.exe wininit.exe services.exe lsass.exe svchost.exe winlogon.exe sched.exe spoolsv.exe conhost.exe ctfmon.exe wmiprvse.exe mdm.exe taskmgr.exe explorer.exe RegSrvc.exe firefox.exe chrome.exe *Creates exfil batch script t.bat The dump file is named McTrayErrorLogging.dll and is pushed to a machine with IP address 10.44.2.153 on the local network. *Anti-Reverse Engineering Contains ability to register a top-level exception handler (often used as anti-debugging trick) details [email protected] at PID 00004080 *Environment Awareness Possibly tries to detect the presence of a debugger details [email protected] at PID 00004080 Contains ability to query system information *Network Related Found potential URL in binary/memory details Pattern match: "https://en.wikipedia.org/wiki/List_of_wars_involving_the_United_States" Pattern match: "389blog.com/pix/molotov-cocktails-usa-ukraine-syria-egypt-libya.jpg" Pattern match: "https://pbs.twimg.com/media/BemB94NCMAArTly.jpg" Pattern match: "http://1389blog.com/pix/molotov-cocktails-usa-ukraine-syria-egypt-libya.jpg" Pattern match: "http://www.moonofalabama.org/2014/01/libya-syria-and-now-ukraine-color-revolution-by-force.html" Pattern match: "http://williamblum.org/books/americas-deadliest-export" source String Suspicious and POS scraping APIs details WSAStartup (Ordinal #115) GetModuleFileNameExA OpenProcess CreateToolhelp32Snapshot Process32Next Process32First GetModuleFileNameA ReadProcessMemory CreateProcessA GetTickCount CreateFileA CreateFileW CreateThread Sleep GetDriveTypeW GetCommandLineA UnhandledExceptionFilter IsDebuggerPresent TerminateProcess GetProcAddress GetModuleHandleW WriteFile GetModuleFileNameW GetStartupInfoW LoadLibraryW CreateServiceA StartServiceA OpenProcessToken StartServiceCtrlDispatcherA III. Yara Signature: rule Backdoor_Win32_FrameworkPOS : BDR/SCRP { meta: author = "Vitali Kremez" date = "2015-12-27" description = "Detected FrameworkPOS Scraper" hash0 = "b57c5b49dab6bbd9f4c464d396414685" sample_filetype = "exe" strings: $string0 = "McTrayErrorLogging.dll” $string1 = "t.bat" $string2 = "scalar deleting destructor'" $string3 = "vector destructor iterator'" $string4 = "SING error" wide $string5 = "Saturday" wide $string6 = "February" wide $string7 = "Runtime Error!" wide $string8 = "urn:schemas-microsoft-com:asm.v1" $string9 = "$char_traits@D@std@@@std@@" $string10 = "Friday" wide $string11 = "http://1389blog.com/pix/molotov-cocktails-usa-ukraine-syria-egypt-libya.jpg" $string12 = ""https://en.wikipedia.org/wiki/List_of_wars_involving_the_United_States" $string13 = "- floating point support not loaded" wide $string14 = "- Attempt to use MSIL code from this assembly during native code initialization" wide $string15 = "C$PjQV" $string16 = "ctfmon.exe" $string17 = "- not enough space for locale information" wide $string18 = "vftable'" condition: 6 of them and filesize<132KB } Sourcefire Rule: alert any $HOME_NET any -> $HOME_NET 389,445 (msg:"Framework POS SMB Alert”; content: “McTrayErrorLogging.dll”; “t.bat”; classtype: Trojan-activity)
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |