Source: VirusShare Malware Family: Backdoor, Ram Scraper Static Analysis Tools: pestudio, Immunity Debugger, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, VMWare Reports: (1) TotalHash: https://totalhash.cymru.com/analysis/?5274255aa6032528360fc222b8aeb911caa35e40 (2) VirusTotal: https://www.virustotal.com/en/file/66112976832889918464be71e7fa134dd5e838717607c7470db9750f1e2bad75/analysis/1450644392/ I . Static Analysis: File Type: Win32 EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2015-01-27 20:58:05 Entry Point: 0x00004A66 Number of Sections: 5 File Info: Microsoft Visual C++ 8 MD5: 0c7631f791c60f79faa1d879056c2e18 SHA256: 66112976832889918464be71e7fa134dd5e838717607c7470db9750f1e2bad75 File size: 117.5 KB (120320 bytes) PDB: (a) H:\WorkNew\FindStr\Release\FindStr.pdb (b) GUID: b5beed83-5225-46bf-8db9-4ff8f6a1bbf9 Anti-Virus Detection Ratio: 30/55 Finding Dependencies (Imports): [1] ADVAPI32.dll [2] IPHLPAPI.DLL (IP Helper API) [3] KERNEL32.dll [4] PSAPI.DLL [5] USER32.dll [6] WININET.dll Red Flags: The count (5) of Authorization functions reached the maximum (1) threshold,1 The count (15) of Memory Management functions reached the maximum (1) threshold. The count (3) of Error Handling functions reached the maximum (1) threshold. The count (5) of Debugging functions reached the maximum (1) threshold. The count (9) of Console functions reached the maximum (1) threshold. The count (7) of System Information functions reached the maximum (5) threshold. The count (15) of WinINet functions reached the maximum (3) threshold. The count (11) of Dynamic-Link Library functions reached the maximum (1) threshold. The count (37) of Process and Thread functions reached the maximum (1) threshold. The count (5) of SEH functions reached the maximum (1) threshold. The count (17) of File Management functions reached the maximum (1) threshold. The Age (31) of the debug file reached the maximum (30) threshold. The count (7) of deprecated imported functions reached the maximum (5) threshold. The count (76) of imported blacklisted functions reached the maximum (1) threshold. The file references a URL (http://quartlet.com/pes13/viewtopic.php|http://horticartf.com/pes13/viewtopic.php|http://kilaxuntf.ru/pes13/viewtopic.php|http://dreplicag.ru/pes13/viewtopic.php|http://fimzusoln.ru/pes13/viewtopic.php|http://wetguqan.ru/pes13/viewtopic.php) unknown by Virustotal. The count (8) of Anti-debug imported functions reached the maximum (1) threshold. The file references child Processes. The file queries for Processes and Modules. The file opts for Address Space Layout Randomization (ASLR) as mitigation technique. The file checksum (0x00000000) is invalid. The file has no Version. The debug file name (findstr.pdb) is different than the file name (66112976832889918464be71e7fa134dd5e838717607c7470db9750f1e2bad75.bin). The file is not signed with a Digital Certificate. The file references 1 MIME64 encoding string(s).
Dynamic Analysis: I. Malicious Indicators: (1) Anti-Detection/Stealthyness *Modifies file/console tracing settings (often used to hide footprints on system) details: "66112976832889918464be71e7fa134dd5e838717607c7470db9750f1e2bad75" (Path: "\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32", Key: "ENABLEFILETRACING", Value: "00000000") source: Registry Access *Queries/modifies the internet cache settings (often used to hide footprints in index.dat or internet cache) details: "66112976832889918464be71e7fa134dd5e838717607c7470db9750f1e2bad75" (Access type: "QUERYVAL", Path: "\REGISTRY\USER\S-1-5-21-1663702577-2139711211-3687027567-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE", Key: "SCAVENGECACHEFILELIMIT") source: Registry Access (2) Spyware/Information Retrieval *Accesses potentially sensitive information from local browsers details: "66112976832889918464be71e7fa134dd5e838717607c7470db9750f1e2bad75" had access to "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5" (Type: "FileHandle", Context: "NtSetInformationFile") source: Touched Handle (3) Unusual Characteristics *Contains native function calls details: [email protected] at PID 00002372 II. Suspicious Indicators (1) Anti-Detection/Stealthyness *Queries process information details "66112976832889918464be71e7fa134dd5e838717607c7470db9750f1e2bad75" queried SystemProcessInformation (Referenced in the context of a system call) Source: API Call (2) Anti-Reverse Engineering *Contains ability to register a top-level exception handler (often used as anti-debugging trick) details [email protected] at PID 00002372 (3) Environment Awareness *Contains ability to query CPU information details: cpuid at PID 00002372 *Contains ability to query the machine version details: [email protected] at PID 00002372 *Possibly tries to detect the presence of a debugger details: [email protected] at PID 00002372 *Queries volume information details "66112976832889918464be71e7fa134dd5e838717607c7470db9750f1e2bad75" queries volume information of "Z:\" (Referenced in the context of a system call (4) Installation/Persistance *Contains ability to download files from the internet details: [email protected] at PID 00002372 *Modifies auto-execute functionality by setting a value in the registry details: "66112976832889918464be71e7fa134dd5e838717607c7470db9750f1e2bad75" (Access type: "CREATE", Path: "\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS") source: Registry Access (5) Network Related *Found potential URL in binary/memory details: "http://quartlet.com/pes13/viewtopic.php|http://horticartf.com/pes13/viewtopic.php|http://kilaxuntf.ru/pes13/viewtopic.php|http://dreplicag.ru/pes13/viewtopic.php|http://fimzusoln.ru/pes13/viewtopic.php|http://wetguqan.ru/pes13/viewtopic.php" source: String (6) Ransomware/Banking *Checks warning level of secure to non-secure traffic redirection details: "66112976832889918464be71e7fa134dd5e838717607c7470db9750f1e2bad75" (Path: "\REGISTRY\USER\S-1-5-21-1663702577-2139711211-3687027567-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "WARNONHTTPSTOHTTPREDIRECT") source: Registry Access (7) Spyware/Information Retrieval *Contains ability to register input devices (often used for keylogging) details: [email protected] at PID 00002372 *Contains ability to retrieve keyboard strokes details: [email protected] at PID 00002372 (8) Unusual Characteristics *Creates a mutant that has been seen in the context of malware details: "Local\WininetStartupMutex" "Local\WininetConnectionMutex" "Local\WininetProxyRegistryMutex" (9) Imports RAM scraping and other suspicious APIs EnumProcesses ReadProcessMemory OpenProcess OpenProcessToken GetProcAddress IsDebuggerPresent Sleep CreateThread GetComputerNameA (10) Performed DNS queries horticartf.com kilaxuntf.ru quartlet.com dreplicag.ru fimzusoln.ru wetguqan.ru (11) Exfiltrated data detail: oprat=2&uid=%I64u&uinfo=%s&win=%d.%d&vers=%s source: String Yara Signature: rule Backdoor_Win32_Unskal : BDR/SCRP { meta: author = "Vitali Kremez" date = "2015-12-20" description = "Detected PoSeidon BackDoor/Scraper" hash0 = "0c7631f791c60f79faa1d879056c2e18" sample_filetype = "exe" strings: $pdb = "H:\\WorkNew\\FindStr\\Release\\FindStr.pdb" nocase wide ascii $string0 = "timed out" $string1 = "AR6002" wide $string2 = " delete[]" $string3 = "horticartf.com" $string4 = "CreateSemaphoreExW" $string5 = "sma-se" wide $string6 = "smj-NO" wide $string7 = "IsValidLocaleName" $string8 = "oprat=2&uid=%I64u&uinfo=%s&win=%d.%d&vers=%s" $string9 = "bad exception" $string10 = "_nextafter" $string11 = "omni callsig'" $string12 = "6d6h6l6p6t6x6" $string13 = "DOMAIN error" wide $string14 = "vector copy constructor iterator'" $string15 = "- inconsistent onexit begin-end variables" wide $string16 = "Monday" wide $string17 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) x" $string18 = "horticartf.com" $entrypointOpCode = { E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 68 ?? ?? } condition: 6 of ($string*) or any of ($pdb, $entrypointOpCode) } Sourcefire Rule: alert tcp $HOME_NET any -> any 80, 443 (msg: "PoSeidon C2 CONNECT ALERT"; content:"oprat=2&uid=%I64u&uinfo=%s&win=%d.%d&vers=%s"; "pes13/viewtopic.php"; "dreplicag.ru"; "horticartf.com";"quartlet.com"; "fimzusoln.ru"; "wetguqan.ru"; "kilaxuntf.ru"; "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"; noncase; flow: to_server; classtype: Trojan-activity)
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |