Source: VirusShare Malware Family: Backdoor, RAM Scraper Static Analysis Tools: pestudio, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, Comodo Reports: (1) TotalHash: https://totalhash.cymru.com/analysis/?a6eb86b55148a7a491093f1f6af6a15c4b44b96c (2) VirusTotal: https://www.virustotal.com/en/file/11591204155db5eb5e9c5a3adbb23e99a75c3b25207d07d7e52a6407c7ad0165/analysis/1451210102/ I . Static Analysis: File type: Win32 EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2014-12-31 14:47:27 Entry Point: 0x0000FA46 Number of Sections: 4 MD5: ccbf7cba35bab56563c0fbe4237fdc41 SHA256: 9036d04ac3075bc18251c03a5fd1665a28e8a3a484e7ed77fae800a5015a153d File size: 93.0 KB (95232 bytes) Detection ratio: 42/ 55 PE imports: [+] ADVAPI32.dll [+] GDI32.dll [+] IPHLPAPI.DLL [+] KERNEL32.dll [+] MSVCRT.dll [+] OLEAUT32.dll [+] PSAPI.DLL [+] SHELL32.dll [+] SHLWAPI.dll [+] USER32.dll [+] WININET.dll [+] WS2_32.dll [+] NTDLL.dll [+] OLE#@.dll [+] URLMON.dll Red Flags: The file references the protection of the Virtual Address Space. The file fingerprints for Web browsers. The file references the Firefox API. The count (9) of Authorization functions reached the maximum (1) threshold. The count (19) of Registry functions reached the maximum (1) threshold. The count (37) of Memory Management functions reached the maximum (1) threshold. The count (13) of Tool Help functions reached the maximum (1) threshold. The count (3) of Directory Management functions reached the maximum (1) threshold. The count (13) of Debugging functions reached the maximum (1) threshold. The count (7) of System Information functions reached the maximum (5) threshold. The count (9) of Clipboard functions reached the maximum (3) threshold. The count (11) of WinINet functions reached the maximum (3) threshold. The count (5) of Dynamic-Link Library functions reached the maximum (1) threshold. The count (35) of Process and Thread functions reached the maximum (1) threshold. The count (3) of SEH functions reached the maximum (1) threshold. The count (33) of File Management functions reached the maximum (1) threshold. The count (380) of blacklisted strings reached the maximum (30) threshold. The file references 1 MIME64 encoding string(s). The count (26) of deprecated imported functions reached the maximum (5) threshold. The count (141) of imported blacklisted functions reached the maximum (1) threshold. The count (7) of antidebug imported functions reached the maximum (1) threshold. The file modifies the registry. The file references the Clipboard. The file references child Processes. The file queries for files and streams. The file queries for Processes and Modules. The file monitors Registry operations. The file references data on a Socket. The file opts for Address Space Layout Randomization (ASLR) as mitigation technique. The file checksum (0x00000000) is invalid. The file is resource-less. The file has no Version. The file ignores cookies on the stack (GS) as mitigation technique. The file is not signed with a Digital Certificate. II. Dynamic Analysis: Creates mutex "MLUSSI-DUPPO" Imports suspicious DLLs Posts data to the C2 via the following commands: Incident Response: Risk Assessment Spyware/Leak Contains ability to open the clipboard Contains ability to retrieve keyboard strokes POSTs files to a webserver Persistence Modifies auto-execute functionality by setting/creating a value in the registry Fingerprint Reads the cryptographic machine GUID Contains ability to lookup the windows account name Reads the active computer name Network Behavior Contacts 1 domain and 1 host. Platform Intelligence Sample contains signature combinations unique to malicious reports combo Modifies auto-execute functionality by setting/creating a value in the registry POSTs files to a webserver Reads the windows installation date Contains ability to retrieve keyboard strokes Contains ability to enumerate processes/modules/threads Modifies auto-execute functionality by setting/creating a value in the registry Contains ability to write to a remote process Contains ability to open the clipboard Reads the windows product ID Signatures Environment Awareness Reads the system/video BIOS version details "<Input Sample>" (Path: "HKLM\HARDWARE\DESCRIPTION\SYSTEM", Key: "SYSTEMBIOSVERSION") "<Input Sample>" (Path: "HKLM\HARDWARE\DESCRIPTION\SYSTEM", Key: "VIDEOBIOSVERSION") source Registry Access Reads the windows product ID details "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION", Key: "DIGITALPRODUCTID") source Registry Access Network Related Malicious artifacts seen in the context of a contacted host details Found malicious artifacts related to "107.179.62.18" (ASN: 32421, Owner: Black Lotus Communications): ... URL: http://stormstresser.net/ (AV positives: 1/66 scanned on 12/11/2015 17:31:25) URL: http://whatmaninternationalltd.com/auth/view/document (AV positives: 11/66 scanned on 11/24/2015 08:21:36) URL: http://businesspvtlimited.com/auth/view/document (AV positives: 5/66 scanned on 11/24/2015 08:17:13) URL: http://www.addaxoil.com/EC21/EC21.com/index.html (AV positives: 6/66 scanned on 11/24/2015 08:10:07) URL: http://whatmaninternationalltd.com/ (AV positives: 6/66 scanned on 11/24/2015 08:07:58) File SHA256: 247a95ba3c97418f2d0f9ec0825b279d41ab4e9c980c3e90f10745e0fcb657f6 (AV positives: 2/57 scanned on 11/22/2015 08:13:31) File SHA256: 86898e53549cadcb285fc8a7353d82dfcc9477c7f530bc81f00212d15324e21d (AV positives: 2/57 scanned on 08/27/2015 13:28:19) File SHA256: e75a6fb20c88debbd66b619b9214a22ab52ae9022f1cf39cd9fba8725845c816 (AV positives: 29/56 scanned on 08/18/2015 15:19:03) File SHA256: e351ba38cf8e497e05420d315ed3ac57f015e04beca0eb158de7b9b779290221 (AV positives: 13/57 scanned on 08/18/2015 05:55:18) File SHA256: c4af133b16e8323a6aa67440863b461c3be53b9540f828f52250f2036f16d6bd (AV positives: 33/56 scanned on 08/18/2015 02:15:44) source Network Traffic Unusual Characteristics Contains native function calls details [email protected] at PID 00002196 References suspicious system modules details "csrss.exe" "lsass.exe" source String Suspicious Indicators Anti-Reverse Engineering Contains ability to register a top-level exception handler (often used as anti-debugging trick) details [email protected] at PID 00002196 Environment Awareness Contains ability to query the machine version details [email protected] at PID 00002196 Possibly tries to implement anti-virtualization techniques details "SOFTWARE\VMware, Inc.\VMware Tools" (Indicator: "vmware") "VBOX" (Indicator: "vbox") "QEMU" (Indicator: "qemu") source String Reads the cryptographic machine GUID details "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY", Key: "MACHINEGUID") source Registry Access Reads the windows installation date details "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION", Key: "INSTALLDATE") source Registry Access General POSTs files to a webserver details "POST /admin/tasks.php HTTP/1.0 Host: stormstresser.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 Content-type: application/x-www-form-urlencoded Cookie: session=21232f297a57a5a743894a0e4a801fc3 Content-length: 6" with no payload source Network Traffic Installation/Persistance Contains ability to download files from the internet details recv@WS2_32.DLL at PID 00002196 [email protected] at PID 00002196 recv@WS2_32.DLL at PID 00002196 [email protected] at PID 00002196 [email protected] at PID 00002196 recv@WS2_32.DLL at PID 00002196 [email protected] at PID 00002196 recv@WS2_32.DLL at PID 00002196 [email protected] at PID 00002196 Contains ability to write to a remote process details [email protected] at PID 00002196 Modifies auto-execute functionality by setting/creating a value in the registry details "<Input Sample>" (Access type: "CREATE", Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN") "<Input Sample>" (Access type: "SETVAL", Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", Key: "WRITE.EXE", Value: "%APPDATA%\MLVSSI-DUPPO\write.exe") "<Input Sample>" (Access type: "SETVAL", Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", Key: "_9036D04AC3075BC18251C03A5FD1665A28E8A3A484E7ED77FAE800A5015A153D.EXE", Value: "%SAMPLEDIR%\_9036d04ac3075bc18251c03a5fd1665a28e8a3a484e7ed77fae800a5015a153d.exe") source Registry Access Network Related Uses a User Agent typical for browsers, although no browser was ever launched details Found user agent(s): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 source Network Traffic System Security Adjusts debug privileges details "<Input Sample>" adjusted SE_DEBUG_PRIVILEGE source API Call Unusual Characteristics Imports suspicious and RAM scraping APIs details FindNextFileW FindFirstFileW CreateDirectoryA DeviceIoControl GetFileAttributesA CreateProcessA GetProcAddress GetModuleHandleA OutputDebugStringA ExitThread GetComputerNameA WriteProcessMemory VirtualAlloc VirtualAllocEx Process32Next Process32First CreateToolhelp32Snapshot CopyFileA TerminateProcess OpenProcess ReadProcessMemory UnhandledExceptionFilter GetStartupInfoA VirtualProtect GetThreadContext IsDebuggerPresent CheckRemoteDebuggerPresent GetVersionExA CreateProcessW DeleteFileA GetModuleFileNameA GetDriveTypeA FindFirstFileA Sleep GetTickCount FindNextFileA CreateFileA GetFileSize WriteFile CreateFileMappingA MapViewOfFile GetWindowThreadProcessId RegCreateKeyExA RegEnumKeyExA OpenProcessToken RegDeleteValueA GetUserNameA RegCloseKey RegOpenKeyA RegOpenKeyExA URLDownloadToFileA sendto (Ordinal #20) WSAStartup (Ordinal #115) socket (Ordinal #23) connect (Ordinal #4) recv (Ordinal #16) send (Ordinal #19) WSASend closesocket (Ordinal #3) InternetReadFile InternetOpenA InternetConnectA HttpSendRequestW InternetCloseHandle HttpSendRequestA GetModuleFileNameExA EnumProcesses source Static Parser Contacts domains details "stormstresser.net" Contacts server details "107.179.62.18:80" source Network Traffic Loads modules at runtime details "<Input Sample>" loaded module "RASADHLP.DLL" at base 72710000 "<Input Sample>" loaded module "%WINDIR%\SYSTEM32\FWPUCLNT.DLL" at base 73DF0000 "<Input Sample>" loaded module "C:\WINDOWS\SYSTEM32\MSWSOCK.DLL" at base 75520000 "<Input Sample>" loaded module "C:\WINDOWS\SYSTEM32\WSHTCPIP.DLL" at base 74E4000 Installation/Persistance Contains ability to lookup the windows account name details [email protected] at PID 0000219 Employs the following anti-analysis techniques: Sends HTTP queries:
POST /admin/tasks.php HTTP/1.0 Host: stormstresser.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 Content-type: application/x-www-form-urlencoded Cookie: session=21232f297a57a5a743894a0e4a801fc3 Content-length: 6 Readable: ping=1 Raw hex: 70696E673D310A00 WinAPI RAM Scraping function: CreateToolhelp32Snapshot/Process32First/Process32Next to iterate over the processes, then a combination of OpenProcess -> VirtualQueryEx -> ReadProcessMemory to pull the contents of memory. Neutrino whitelists the following processes:
III. Yara Signature: rule Backdoor_Win32_NeutrinoPOS : BDR/SCRP { meta: author = "Vitali Kremez" date = "2015-12-28" description = "Detected NeutrinoPOS Scraper" hash0 = "ccbf7cba35bab56563c0fbe4237fdc41" sample_filetype = "exe" strings: $string0 = ":0:6:<:B:L:Q:u:" $string1 = "ftpte.exe" $string2 = "dwflood" $string3 = "SOFTWARE\\VMware, Inc.\\VMware Tools" $string4 = "7'7F7S7" $string5 = "4e4m4s4y4" $string6 = "document.cookie" $string7 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" $string8 = "0000-0000-0000-0000-0000" $string9 = "0.0L0Q0W0" $string10 = "loader" $string11 = "smartftp.exe" $string12 = "DigitalProductId" $string13 = "displayName" wide $string14 = "> >->Z>" $string15 = "22393$7(7,7074787<7" $string16 = "929I9N9S9a9k9" $string17 = "freeftp.exe" condition: 17 of them and filesize<94KB } ff= &host= &form &browser dumpgrab= &track_data &process_name Sourcefire Rule: alert any $HOME_NET any -> any any (msg:" NeutrinoPOS Alert”; content: “stormstresser.net" ; “/admin/tasks.php”; “User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0”; pcre:"/.*(ff=|\&host=|\&form=|dumpgrab=|\&track_data=\&process_name).*/"; classtype: Trojan-activity)
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |