Malware Family: InfoStealer Zeus Static Analysis Tools: pestudio, Immunity Debugger, CFF Explorer, PEID, BinText Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, ApateDNS, NetworkMiner, Cuckoo Reports: (1) Malwr: https://malwr.com/analysis/Mjc4ODYzNjVmNjQ2NGIzN2IyOWI4Y2U2M2JlZWJjM2E/ (2) VirusTotal: https://www.virustotal.com/en/file/ff59e8731f22ed5049ca534be4dd58f307d313979eadca5eb3804394581e9782/analysis/ I . Static Analysis: bot.exe Name: bot.exe File Type: DOS EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2014-06-09 20:38:53 Entry Point: 0x00005DC9 Number of Sections: 4 MD5: 8b1f16fd00aeba6e1ee50a84b564e882 SHA256: ff59e8731f22ed5049ca534be4dd58f307d313979eadca5eb3804394581e9782 File size: 22.5 KB Anti-Virus Detection Ratio: 42 / 55 Finding Dependencies (Imports): [1] KERNEL32.dll *GetProcAddress *InterlockedIncrement *LoadLibraryA [2] USER32.dll Red Flags: The file embeds a file (Type: Unknown, MD5: EA829505EEC49A100DFCBE84C8D2C736). The file references the Event Log. The file ignores Address Space Layout Randomization (ASLR) as mitigation technique. The file is resource-less. The file has no Version. The file ignores cookies on the stack (GS) as mitigation technique. The file is not signed with a Digital Certificate. The file contains 3 crypto signatures. Interesting Strings: 000000024E18 000000425E18 0 Proxy-Connection 000000024E44 000000425E44 0 Accept-Encoding 000000024E54 000000425E54 0 identity 000000024E64 000000425E64 0 If-Modified-Since 000000024E7C 000000425E7C 0 sqlite3_close 000000024E8C 000000425E8C 0 sqlite3_exec 000000024E9C 000000425E9C 0 sqlite3_free 000000024EAC 000000425EAC 0 sqlite3_open16 000000024EBC 000000425EBC 0 NSS layer 000000024F00 000000425F00 0 |$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\] 000000024F3F 000000425F3F 0 abcdefghijklmnopq 000000024F74 000000425F74 0 del "%s" 000000024F7E 000000425F7E 0 if exist "%s" goto d 000000024F9C 000000425F9C 0 @echo off 000000024FAB 000000425FAB 0 del /F "%s" 000000024F74 000000425F74 0 del "%s" 000000024F7E 000000425F7E 0 if exist "%s" goto d 000000024F9C 000000425F9C 0 @echo off 000000024FAB 000000425FAB 0 del /F "%s" 000000024FDC 000000425FDC 0 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1) 000000025014 000000426014 0 Connection: close 000000025028 000000426028 0 If-None-Match: %s 0000000250E8 0000004260E8 0 cabinet.dll II. Cuckoo Dynamic Analysis: (1) Start server listening on 0.0.0.0:17585 process: {u'process_name': u'Explorer.EXE', u'process_id': 1420} signs: [{u'type': u'api', u'value': {u'category': u'socket', u'status': True, u'return': u'0x00000000', u'timestamp': u'2015-12-13 04:33:09,733', u'thread_id': u'1896', u'repeated': 0, u'api': u'bind', u'arguments': [{u'name': u'ip', u'value': u'0.0.0.0'}, {u'name': u'socket', u'value': u'0x000006e0'}, {u'name': u'port', u'value': u'17585'}], u'id': 601}}, {u'type': u'api', u'value': {u'category': u'socket', u'status': True, u'return': u'0x00000000', u'timestamp': u'2015-12-13 04:33:09,763', u'thread_id': u'1896', u'repeated': 0, u'api': u'listen', u'arguments': [{u'name': u'socket', u'value': u'0x000006e0'}], u'id': 719}}] (2) Tries to unhook Windows functions monitored by Cuckoo (3) Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (4) Creates Zeus mutex: signs: [{u'type': u'mutex', u'value': u'MPSWabDataAccessMutex'}] (5) Modifies local Firewall Settings: signs: [{u'type': u'registry', u'value': u'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile'}] (6) Installs itself for autorun at Windows startup: process: None signs: [{u'type': u'registry', u'value': u'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Currentversion\\Run'}] process: None signs: [{u'type': u'registry', u'value': u'HKEY_USERS\\S-1-5-21-1547161642-507921405-839522115-1004\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'}] (7) Writes files: C:\WINDOWS\system32\rsaenh.dll \\.\PIPE\lsarpc C:\WINDOWS\ \\.\MountPointManager C:\ff59e8731f22ed5049ca534be4dd58f307d313979eadca5eb3804394581e9782 C:\Documents and Settings\<USER>\Application Data\Ezgy\oggo.exe C:\Documents and Settings\<USER>\Application Data\Yrbouv\adde.pox C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp0f5a3bc0.bat C:\Documents and Settings\<USER>\Application Data\Microsoft\Address Book\<USER>.wab C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\MPS1.tmp Here is the batch script that this malware creates to maintain persistency on the compromised host: @echo off :d del "C:\Users\_____\Downloads\bot.exe" if exist "C:\Users\_____\Downloads\bot.exe" goto d del /F "C:\Users\_____\AppData\Local\Temp\tmpd279f1e8.bat" (8) HTTP requests: URL: http://go.everli-killz.xyz/two/config.jpg TYPE: GET USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) URL: http://yandex.ru/ TYPE: GET USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) (9) DNS requests: go.everli-killz.xyz (198.105.221.5) yandex.ru (77.88.55.55) www.yandex.ru (5.255.255.55) III. Yara Signature:
rule Win32_VMZbot : ZBOT { meta: author = "Vitali Kremez" date = "2015-12-18" description = "Detects this sample of VMZbot InfoStealer" hash0 = "8b1f16fd00aeba6e1ee50a84b564e882" sample_filetype = "exe" strings: $service_name = "wscntfy.exe" $string0 = "aeiouy" $string1 = "script" $string2 = "if exist "%s" goto d" $string3 = "sqlite3_exec" $string4 = "PPSj@SSh" $string5 = "fv<bx@YrCEIL(TCFQQKUY" $string6 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)" $string7 = "FCIFlushCabinet" $string8 = "D$uPj\\Y" $string9 = "Algc([oh}e" $string10 = "D$0L;D$" $string11 = "QSUVh bB" $string12 = ";$;,;4;<;D;L;T;\\;d;l;t;" $string13 = "\\XJxHh" $string14 = "D$ Xj\\f" $string15 = "$$$}rstuvwxyz{$$$$$$$>" $string16 = "If-None-Match: %s" $string17 = "ZM]K]sncwpariDxvtyqj1" $string18 = "Authorization" condition: 6 of them or any of ($service*) and filesize<23KB } Sourcefire Rule: alert tcp $HOME_NET any <-> any 80, 443 (msg: "VMZBOT C2 CONNECT ALERT"; content:"yandex.ru"; "go.everli-killz.xyz"; "GET /two/config.jpg"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"; noncase; flow: to_server; classtype: Trojan-activity) IV. Submitted Reference [zeustracker]:
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |