Source: VirusShare Malware Family: RAM Scraper Static Analysis Tools: pestudio, Immunity Debugger, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, VMWare Reports: (1) Malwr: https://malwr.com/analysis/NzAwOWJjNWJmMzc0NDViYTlhYjQ0OGMxYWI2MGM4ODU/ (2) VirusTotal: https://www.virustotal.com/en/file/74fe8c68d878cc9699a2781be515bb003931ffa2ad21dc0c2c48eb91caba4b44/analysis/1450745229/ I . Static Analysis: File Type: Win32 EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2013-11-28 23:08:01 Entry Point: 0x0001CF20 Number of Sections: 3 File Info: Microsoft Visual C++ 5.0 MD5: ce0296e2d77ec3bb112e270fc260f274 SHA256: 74fe8c68d878cc9699a2781be515bb003931ffa2ad21dc0c2c48eb91caba4b44 File size: 264.0 KB (270336 bytes ) PDB: (a) z:\Projects\Rescator\MmonNew\Debug\mmon.pdb (b) GUID: d2867619-74be-4786-be5d-266337ea40aa Packer: InstallShield 2000 *Found OEP and unpacked with OllyDump PE imports: [+] ADVAPI32.dll [+] KERNEL32.dll [+] PSAPI.DLL [+] WS2_32.dll Red Flags: The file transfers control to a Debugger. The file references the protection of the Virtual Address Space. The count (5) of Authorization functions reached the maximum (1) threshold. The count (31) of Memory Management functions reached the maximum (1) threshold. The count (5) of Error Handling functions reached the maximum (1) threshold. The count (5) of Debugging functions reached the maximum (1) threshold. The count (9) of Console functions reached the maximum (1) threshold. The count (9) of Dynamic-Link Library functions reached the maximum (1) threshold. The count (45) of Process and Thread functions reached the maximum (1) threshold. The count (5) of SEH functions reached the maximum (1) threshold. The count (17) of Service functions reached the maximum (1) threshold. The count (15) of File Management functions reached the maximum (1) threshold. The count (206) of blacklisted strings reached the maximum (30) threshold. The count (12) of deprecated imported functions reached the maximum (5) threshold. The count (71) of imported blacklisted functions reached the maximum (1) threshold. The count (5) of antidebug imported functions reached the maximum (1) threshold. The file references the Service Control Manager (SCM). The file references child Processes. The file queries for Processes and Modules. The file ignores Data Execution Prevention (DEP) as mitigation technique. The file ignores Address Space Layout Randomization (ASLR) as mitigation technique. The file checksum (0x00000000) is invalid. The file is resource-less. The file has no Version. The debug file name (mmon.pdb) is different than the file name (74fe8c68d878cc9699a2781be515bb003931ffa2ad21dc0c2c48eb91caba4b44). The file ignores cookies on the stack (GS) as mitigation technique. The file is not signed with a Digital Certificate. The file references 1 MIME64 encoding string(s). Here some interesting strings: Dynamic Analysis: 1. Opens file C:\WINDOWS\system32\cmd.exe 2. Creates process cmd /c net start POSWDS 3. The following local connection was established according to ThreatExpert: 4. The following local connection was established with username Best1_user and password BackupU$r according to ThreatExpert: Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick) [email protected] at 33268-1030-00422600 Environment Awareness *Contains ability to query the machine version [email protected] at 33268-1-0041CF20 Contains ability to query machine time [email protected] at 33268-1521-004058B0 [email protected] at 33268-964-0042A390 [email protected] at 33268-1434-004056E0 *Makes a branch decision directly after calling an API that is environment aware Found API call [email protected] (Target: "74fe8c68d878cc9699a2781be515bb003931ffa2ad21dc0c2c48eb91caba4b44.bin.exe.bin", Stream UID: "33268-1-0041CF20") which is directly followed by "cmp dword ptr [00441D04h], 02h" and "je 0041CFBFh". *Possibly tries to detect the presence of a debugger [email protected] at 33268-125-00420FA0 Unusual Characteristics *Imports RAM Scraping calls CreateThread ReadProcessMemory Sleep GetModuleHandleA GetModuleFileNameA WinExec GetVersionExA GetProcAddress LoadLibraryA GetStartupInfoA GetCommandLineA WriteFile OutputDebugStringA TerminateProcess VirtualAlloc GetFileAttributesA UnhandledExceptionFilter GetTickCount VirtualProtect CreateProcessA CreateFileA OpenProcessToken CreateServiceA StartServiceCtrlDispatcherA EnumProcesses GetModuleFileNameExA Yara Signature: rule Backdoor_Win32_Kaptoxa : SCRP { meta: author = "Vitali Kremez" date = "2015-12-21" description = "Detected Kaptoxa BlackPOS/Scraper" hash0 = "ce0296e2d77ec3bb112e270fc260f274" sample_filetype = "exe" strings: $fmt = "data_%d_%d_%d_%d_%d.txt" $pdb = " z:\\Projects\\Rescator\\MmonNew\\Debug\\mmon.pdb" nocase wide ascii $string0 = "GOTIT" $string1 = ".memdump" $string2 = "a_env.c" $string3 = "Colombia" $string4 = "South Africa" $string5 = "stdenvp.c" $string6 = "KAPTOXA" nocase wide $string7 = "_heapchk fails with unknown return value" $string8 = " Data: <%s> %s" $string9 = "_freebuf.c" $string10 = "c:\\program files\\microsoft visual studio .net 2003\\$ $string11 = "$basic_ostream@DU" $string12 = "GetModuleInformation" $string13 = "Warning" $string14 = "initnum.c" $string15 = "_filbuf.c" $string16 = "_CrtDbgReport: String too long or IO Error" $string17 = "(%d) : " $string18 = "initctyp.c" condition: 6 of ($string*) or any of ($pdb, $fmt) and filesize<265KB } Sourcefire Rule [source: securityintelligence.com]: alert tcp any any -> any 445 (msg:"KAPTOXA File Write Detected"; flow:to_server,established; content:"SMB|A2|"; content:"\\|00|W|00|I|00|N|00|D|00|O|00|W|00|S|00|\\|00|t|00|w|00|a|00|i|00|n|00|_|00|3|00|2|00|\\"; pcre:"/.*_.*_.*_.*\.|00|t|00|x|00|t/"; flowbits:set,kaptoxa; sid:1;) alert tcp any any -> any 445 (msg:"KAPTOXA Encoded Track Data Detected"; flow:to_server,established; flowbits:isset,kaptoxa; content:"SMB"; pcre:"/(M1|Mf|Mh|Ml|T1|Tf|Th|Tl|sh|sl)[a-zA-Z0-9/]{2}(M1|Mf|Mh|Ml|T1|Tf|Th|Tl|sh|sl)[a-zA-Z0-9/]{2}(M1|Mf|Mh|Ml|T1|Tf|Th|Tl|sh|sl)[a-zA-Z0-9/]{2}(M1|Mf|Mh|Ml|T1|Tf|Th|Tl|sh|sl)[a-zA-Z0-9/]{2}(M1|Mf|Mh|Ml|T1|Tf|Th|Tl|sh|sl)/"; sid:2;) Sourcefire Exfil Rule [source: crowdstrike.com] alert tcp any any <> 199.188.204.182 21 (msg: "KAPTOXA Exfil C2"; sid: 10001;) alert tcp any any <> 50.87.167.144 21 (msg: "KAPTOXA Exfil C2"; sid: 10002;) alert tcp any any <> 63.111.113.99 21 (msg: "KAPTOXA Exfil C2"; sid: 10003;)
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |