OST: "Malware Reverse Engineering" Static Analysis Tools: BinText, PEiD (Kanal Plugin), IDA Pro, pestudio Dynamic Analysis Tools: PsExplorer, ProcMon, RegShot, Autoruns, Wireshark, Sandboxie, Anubis Reports: (1) VirusTotal: https://www.virustotal.com/en/file/c62de4a72361cf1db38ba8c4f59d386f0e1c02f190cf6c8698ae3a14295bcb04/analysis/1449634964/ (2) Malwr: https://malwr.com/analysis/ZDgyZDQ3OTkwZGQyNGQ4YmFjZGQxZGRiYjhhNzg2MzQ/# APT1 WEBC2-CLOVER is a second malware that was analyzed as part of the APT1 Comment Crew, the alleged Chinese state-sponsored cyber espionage hacking group. This malware was first referenced in Mandiant's APT1 report. I. Static Analysis Name: WEBC2-CLOVER_sample_065E63AFDFA539727F63AF7530B22D2F File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Target machine: Intel 386 or later processors and compatible processors Compilation timestamp: 2011-03-22 12:59:55 Entry Point: 0x00009981 Number of sections: 4 Signature: Microsoft Visual C++ v6.0 File Hashes: Input MD5: 065e63afdfa539727f63af7530b22d2f Input SHA256: c62de4a72361cf1db38ba8c4f59d386f0e1c02f190cf6c8698ae3a14295bcb04 File Size: 52.0 KB (53248 bytes) Anti-Virus detection: 45 / 55 (with the exception of AegisLab, Alibaba, ByteHero, CMC, Bkav, F-Prot, Malwarebytes, Rising, SUPERAntiSpyware, Zoner) Packer detection: PEiD Armadillo v1.71 Finding Dependencies (Imports):
Here are some interesting strings detected during the static analysis of this sample: Here are the following red flags identified with this binary: (1) It enumerates network resources and existing connections. (2) The binary references Base64 encoding. (3) It has no version. (4) It is not signed with a Digital Certificate. (5) The malware opens up Inter-Process Communication (IPC). (6) It contains ZIP2 encryption artifacts. In addition to Base64 and Zip2, APT1 WEBC2-CLOVER also contains the following interesting data encoding: zlib (RFC 1950) sticks a header onto the compressed data, so seeing one of the following sequences of bytes at the start of a buffer could indicate that it is zlib compressed:
Additionally, the malware contains a string table set to language "Chinese Simplified" in the resource section. II. Dynamic Analysis of WEBC2-ClOVER: This malware mutates, installs itself, and performs activities as ADV.EXE in C:/ root based on the Anubis sandbox report. Binary Activities: (1) Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary. (2) Changes security settings of Internet Explorer. (3) Performs Registry Activities: The executable creates and/or modifies registry entries. Here are some interesting modified Registry keys: Furthermore, this malware attempts to communicate via HTTPS to 64.80.153.108 over port 443. IP 64.80.153.108 resolves to C2 that was parked at some point at ISP Windstream Business, USA (see traffic.pcap attached). Verdict: A WEBC2-CLOVER is a downloader/backdoor designed to retrieve a Web page from C2 server at IP 64.80.153.108. Based on the strings and DLL imports, this malware provides the attacker with an interactive command shell, the ability to upload and download files, and execute commands on the system. Responses to these commands are encrypted and compressed using zlib, zip2, and Base64.before sent via POST command to the server. Additionally, this malware modifies copious Registry keys particularly related to Internet Settings. III. Actionable Sourcefire Rule and Yara Signature: (A) Sourcefire Rule: alert tcp $HOME_NET any -> 64.80.153.108 443 (msg: "WEBC2-CLOVER APT1 DOWNLOADER ALERT"; content:"Call UPDATE_HASH() MIN_MATCH-3 more times"; "ion/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, "; "User Agent: Mozilla/5.o (compatible; Windows; Windows NT 5.1; en-US; rv:1.8.0.12) Firefox/1.5.0.12"; "16BGLQVafkpuz27CHMRWbglqv-38DINSXchmrw/49EJOTYdinsx0FKPUZejoty5A"; noncase; flow: to_server; seq: 16384; classtype: Trojan-activity) (B) Yara Signature: rule Win_Trojan_APT1_WEBC2_CLOVER : APT { meta: author = "Vital Kremez" date = "2015-12-09" description = "APT1 Clover Comment Crew" hash0 = "065e63afdfa539727f63af7530b22d2f" sample_filetype = "exe" strings: $string0 = "%c%c%c%c%c%c%c" $string1 = "Call UPDATE_HASH() MIN_MATCH-3 more times" $string2 = "COMSPEC" $string3 = "ct_init: 256" $string4 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1)" $string5 = "ion/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, " $string6 = "too many codes" $string7 = "ignore" $string8 = "Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.0.12) Firefox/1.5.0.12" $string9 = "- unzip 0.15 Copyright 1998 Gilles Vollant " $string10 = "SHGetPathFromIDList" $string11 = "16BGLQVafkpuz27CHMRWbglqv-38DINSXchmrw/49EJOTYdinsx0FKPUZejoty5A" $string12 = "inconsistent bit counts" $string13 = "timed out" $string14 = "WNetCloseEnum" $string15 = "InternetOpenUrlA" condition: 3 of them and filesize < 53KB } Signature Test with yara -rg: r00t:YaraGenerator-master ____$ yara -rg Win_Trojan_APT1_WEBC2_CLOVER.yar ~/Desktop/malware_analysis_all_materials_2014-09-08_1/labs/ Win_Trojan_APT1_WEBC2_CLOVER [APT] /Users/____/Desktop/malware_analysis_all_materials_2014-09-08_1/labs//WEBC2-CLOVER_sample_065E63AFDFA539727F63AF7530B22D2F Outcome: 100% successful hits on test binary 100% true negatives on clean binaries
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |