Source: VirusShare
Malware Family: RAM Scraper Static Analysis Tools: pestudio, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, VMWare, Comodo Reports: (1) Comodo: http://camas.comodo.com/cgi-bin/submit?file=7d58756a3b1469ca4243383c5f31e21841836ebc70b84a53d2eaa66754fdbe3b (2) VirusTotal: https://www.virustotal.com/en/file/7d58756a3b1469ca4243383c5f31e21841836ebc70b84a53d2eaa66754fdbe3b/analysis/1450836933/ I . Static Analysis:
0 Comments
Source: VirusShare
Malware Family: RAM Scraper Static Analysis Tools: pestudio, Immunity Debugger, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, VMWare Reports: (1) Malwr: https://malwr.com/analysis/NzAwOWJjNWJmMzc0NDViYTlhYjQ0OGMxYWI2MGM4ODU/ (2) VirusTotal: https://www.virustotal.com/en/file/74fe8c68d878cc9699a2781be515bb003931ffa2ad21dc0c2c48eb91caba4b44/analysis/1450745229/ I . Static Analysis: File Type: Win32 EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2013-11-28 23:08:01 Entry Point: 0x0001CF20 Number of Sections: 3 File Info: Microsoft Visual C++ 5.0 Reference: OWASP discussion on point-of-sale (POS) malware
Lesson on "Anatomy of memory scraping credit card stealing POS malware" RE: Important Windows calls used by POS malware Step 1: Find POS process with credit card data EnumProcesses OpenProcess EnumProcessModules GetModuleBaseName Step 2: Elevate privilege to SE_DEBUG_NAME OpenProcessToken LookupPrivilegeValue AdjustTokenPrivilege Step 3: Open POS process OpenProcess Step 4: RAM Scraping VirtualQueryEx ReadProcessMemory Source: http://resources.infosecinstitute.com/windows-functions-in-malware-analysis-cheat-sheet-part-1/
Windows Functions
Malware Family: InfoStealer Zeus
Static Analysis Tools: pestudio, Immunity Debugger, CFF Explorer, PEID, BinText Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, ApateDNS, NetworkMiner, Cuckoo Reports: (1) Malwr: https://malwr.com/analysis/Mjc4ODYzNjVmNjQ2NGIzN2IyOWI4Y2U2M2JlZWJjM2E/ (2) VirusTotal: https://www.virustotal.com/en/file/ff59e8731f22ed5049ca534be4dd58f307d313979eadca5eb3804394581e9782/analysis/ I . Static Analysis: bot.exe Name: bot.exe File Type: DOS EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2014-06-09 20:38:53 Entry Point: 0x00005DC9 Number of Sections: 4 MD5: 8b1f16fd00aeba6e1ee50a84b564e882 SHA256: ff59e8731f22ed5049ca534be4dd58f307d313979eadca5eb3804394581e9782 File size: 22.5 KB Anti-Virus Detection Ratio: 42 / 55 Finding Dependencies (Imports): [1] KERNEL32.dll *GetProcAddress *InterlockedIncrement *LoadLibraryA [2] USER32.dll Red Flags: The file embeds a file (Type: Unknown, MD5: EA829505EEC49A100DFCBE84C8D2C736). The file references the Event Log. The file ignores Address Space Layout Randomization (ASLR) as mitigation technique. The file is resource-less. The file has no Version. The file ignores cookies on the stack (GS) as mitigation technique. The file is not signed with a Digital Certificate. The file contains 3 crypto signatures. Source: VirusShare
Malware Family: Ransomware Trojan, TeslaCrypt 2.2.2 Static Analysis Tools: pestudio, Immunity Debugger, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, ApateDNS, netcat, VMWare (Windows XP SP1) Reports: (1) TotalHash: https://totalhash.cymru.com/analysis/?a8c986ae2083e8510429be9c3a7cf8c98a5ec8d0 (2) VirusTotal: https://www.virustotal.com/en/file/6b3ffc56dc48dd4e0878e2c741666ce5df5de92210cb28709b6b468afe27a27e/analysis/1450551677/ I . Static Analysis: d62c66750363a910542c39b2d726c656.exe Name: d62c66750363a910542c39b2d726c656.exe File Type: Win32 EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2015-12-08 16:11:48 Entry Point: 0x0000881C Number of Sections: 5 MD5: d62c66750363a910542c39b2d726c656 SHA256: 6b3ffc56dc48dd4e0878e2c741666ce5df5de92210cb28709b6b468afe27a27e Source: "Malware Reverse Engineering"
Malware Family: PDF Shell Code Exploit Analysis Tools: PDFStreamDumper, pestudio, IDA Pro, CFF Explorer, PEID, BinText Reports: (1) Malwr: https://malwr.com/analysis/YmMzZDEwYzVhNDg4NDFmOTg0MDQxM2RjOGMyOWViZGE/ (2) VirusTotal: https://www.virustotal.com/en/file/a6bde95330c830646945f2564c5bec27802bcbb117316bdda2520a11a4dbead9/analysis/1450231420/ I.Malware Analysis: CVE-2007-5659_PDF__9BC1735453963E33EA1857CC25AA5A19_SurveyOnObama... File Type: PDF File Hashes Input MD5: 9bc1735453963e33ea1857cc25aa5a19 Input SHA256: a6bde95330c830646945f2564c5bec27802bcbb117316bdda2520a11a4dbead9 File Size: 72.2 KB (73896 bytes) Anti-Virus detection: 40 / 55 (with the exception of Malwarebytes, SuperAntiSpyware, Alibaba, AegisLab, ByteHero, Bkav) OST: "Malware Reverse Engineering"
Malware Family: Dropper Static Analysis Tools: pestudio, Immunity Debugger, CFF Explorer, PEID, BinText Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie Reports: (1) Malwr: https://malwr.com/analysis/Mzg2NWQ5ZDg5YmZmNGU4YTg3YzhmMWJiYjFiMjg3NTg/ (2) VirusTotal: https://www.virustotal.com/en/file/94f690dec48f9080eb0ba00e823e26a59c1b7dabe695ed954f9715afc313a730/analysis/1450185879/ I . Static Analysis: dropper.ex_ Name: dropper.ex_ File Type: PE32 executable (console) Intel 80386, for MS Windows Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2011-05-03 16:55:49 Entry Point: 0x0000900D Number of Sections: 6 MD5: cb905889c03593359262e25b80021dfd SHA256: 94f690dec48f9080eb0ba00e823e26a59c1b7dabe695ed954f9715afc313a730 File size: 22.5 KB (23040 bytes) Packer: Polycrypt Anti-Virus Detection Ratio: 30/55 Finding Dependencies (Imports): -KERNEL32.DLL * GetProcAddress Here are some interesting strings: Source: "Malware Reverse Engineering"
Malware Family: Donwloader. Backdoor Implant Static Analysis Tools: pestudio, IDA Pro, CFF Explorer, PEID, BinText Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autorun, Wireshark, Sandboxie Reports: (1) Malwr: https://malwr.com/analysis/ZWZkNGE4MWM5M2ZkNDYxMmFjZjJjNTcwOTExNDdlYTA/ (2) VirusTotal: https://www.virustotal.com/en/file/a627a4c74a4b092287e91cf6fbfd086c1355e1eb0160e55f8c9b568aca1c73c4/analysis/1450093133/ I. Static Analysis: nba_implant.ex_ Name: nba_implant.ex_ File Type: PE32 executable (GUI) Intel 80386 32-bit Target Machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2007-03-13 11:26:26 Entry Point: 0x00006801 PEiD: Armadillo v1.71 Number of sections: 3 File Hashes Input MD5: bd3c75e238b1b6074bcf56e7e9aa183b Input SHA256: a627a4c74a4b092287e91cf6fbfd086c1355e1eb0160e55f8c9b568aca1c73c4 File Size: 84.0 KB ( 86016 bytes ) Anti-Virus detection: 37/43 (with the exception of Malwarebytes, SuperAntiSpyware, Alibaba, AegisLab, ByteHero, Bkav) [Analyst's Note: 12 AVs did not evaluate this binary.] Finding Dependencies (Imports): (1) WS2_32.dll (Windows Networking API) Here are this implant's calls of interest: * send() * recv() * socket() * connect() * gethostbyname() (2) KERNEL32.dll (3) USER32.dll (4) ADVAPI32.dll Here are some interesting strings: Source: OST on "Malware Reverse Engineering", Professor Poz Goals:
Purpose of networking code in malware
How to detect If the intruder uses a specific tool, technique, or procedure, then it is likely possible to fingerprint Command and Control While each of the listed purposes of networking code offers an opportunity to detect and prevent an intrusion, we will focus on remote access tool (RAT) analysis in our examples and exercises. Windows Networking APIs [source: Sikorski, M. & Honig, A. (2012).“Practical Malware Analysis,” p. 313] Command and Control (C2)
Understanding a remote access tool (RAT) is all about understanding its network communication. All RATs are broken into two pieces, an implant, which is placed on the compromised system, and a controller, which the intruder uses to control the implant. The network communication is then one of four types:
Indicators Creating low false positive, low false negative signatures can be difficult. The best indicators come from hard-coded, static strings in the malware. For example, when the C2 is tunneled over HTTP and is using a unique User-Agent string, the string can be turned into a simple NIDS signature. When there are no strings that would yield a low false positive signature, attributes of the C2 can sometimes be used to create effective, though higher false positive, signatures. Examples:
IDS Rule Writing WARNING: Know where your signatures will be used! For example, HTTP communication through a proxy can change the headers or the requested resource depending on which side of the proxy the signature is implemented. Pre-proxy means the requested resource is a full URL, with protocol and domain name. Post-proxy means possible additional headers added by the proxy, such as X-Forwarded-For or Via. Don’t give up if the C2 is encrypted. Depending on the chosen encryption algorithm or implementation, a reasonable signature is still possible. For example, if the attacker is using RC4, has embedded the key in the malware itself, and the pre-encrypted C2 has well-defined fields that are NULL padded, you can pick an offset into the data that you know will always be NULL bytes before encryption and compute their encrypted values. Then a simple NIDS signature can be used to test for those specific bytes at the chosen offset. |
AuthorVitali Kremez Archives
September 2016
Categories |