Source: VirusShare Malware Family: RAM Scraper Static Analysis Tools: pestudio, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, VMWare, Comodo Reports: (1) Comodo: http://camas.comodo.com/cgi-bin/submit?file=7d58756a3b1469ca4243383c5f31e21841836ebc70b84a53d2eaa66754fdbe3b (2) VirusTotal: https://www.virustotal.com/en/file/7d58756a3b1469ca4243383c5f31e21841836ebc70b84a53d2eaa66754fdbe3b/analysis/1450836933/ I . Static Analysis: Original name: jusched.exe Internal name: Java(TM) Update Scheduler File version: 6.0.100.33 Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2014-01-09 20:34:56 Entry Point: 0x00076A70 Number of Sections: 3 File Info: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser Subsystem: Windows GUI MD5: aa9686c3161242ba61b779aa325e9d24 SHA256: 7d58756a3b1469ca4243383c5f31e21841836ebc70b84a53d2eaa66754fdbe3b File size: 134.50KB AV detection ratio: 45 / 55 Original sections (3): PE imports: [+] ADVAPI32.dll [+] IPHLPAPI.DLL [+] KERNEL32.dll *VirtualProtect *LoadLibraryA [+] SHELL32.dll [+] WININET.dll Red Flags: The file references the protection of the Virtual Address Space. The count (5) of Memory Management functions reached the maximum (1) threshold. The count (3) of Dynamic-Link Library functions reached the maximum (1) threshold. The file is scored (45/57) by virustotal. The count (9) of imported blacklisted functions reached the maximum (1) threshold. The section (name:UPX0) is blacklisted. The file size (0 bytes) of the section (name:UPX0) reached the minimum (10 bytes) threshold. The section (name:UPX1) is blacklisted. The first section (name:UPX0) is writable. The address of the entry point (0x00076A70) is outside the first section. The count (2) of Writable and Executable sections reached the maximum (0) threshold. The file contains self-modifying code. The count (2) of executable sections reached the maximum (1) threshold. The count (2) of blacklisted sections reached the maximum (1) threshold. The file references child Processes. The file opts for Address Space Layout Randomization (ASLR) as mitigation technique. The file checksum (0x00000000) is invalid. The original filename (jusched.exe) is different than the file name (7d58756a3b1469ca4243383c5f31e21841836ebc70b84a53d2eaa66754fdbe3b). The file ignores cookies on the stack (GS) as mitigation technique. The file is not signed with a Digital Certificate. Unpacked this UPX-packed malware using CFF Explorer: SHA256: 3be27a5128e0c91d409ebacf8802cec2fa109301a806180a93992cf170f07553 Now, we see that the malware was compiled using Microsoft Visual Studio C++ 8. Unpacked PE imports: Unpacked sections: AV detection ratio: only 8 / 49 (!) [VirusTotal by pestudio] Here some interesting strings: II. Dynamic Analysis: (1) Creates a file ""C:\Documents and Settings\User\Application Data\Java SE Platform Updater\jusched.exe"" (2) Creates a process jusched.exe (3) Creates threads lsass.exe lsass.exe jusched.exe (4) DNS queries priv8darkshop.com IN A + (5) HTTP queries priv8darkshop.com GET /post/echo HTTP/1.1 via IP 23.253.126.56 (6) Issues the following commands from C2 and executes svchost.exe: * "update" : download and update from /post/download * "exec" : download and execute * "kill" : delete registry and kill the process * "system": query system information (7) When scraping the POS memory, the malware skips the memory scraping of the following processes: (8) (A) Uploads the scraped data using User-Agent: "something" POST /post/echo with "UP" response with (B) exfiltrated data pre-fixes "&t1=" [Base64-encoded track1 data], "&t2=" [Base64-encoded track2 data], "mac=" [host MAC address]: III. Suspicious Indicators: Contains PDB pathways details: "%USERPROFILE%\Desktop\sop\sop\Release\svchost.pdb" "C:\Users\%USERNAME%\Desktop\sop\sop\Release\sop.pdb" source: String Anti-Reverse Engineering *Contains ability to register a top-level exception handler (often used as anti-debugging trick) details [email protected] at PID 00002176 *PE file has unusual entropy sections UPX1 with unusual entropies 7.91638899703 Environment Awareness *Contains ability to query CPU information General *Contains ability to find and load resources of a specific module [email protected] at PID 00002176 *Contains ability to query system time and process/thread id [email protected] at PID 00002176 [email protected] [email protected] *Reads configuration files "<Input Sample>" read file "C:\Users\desktop.ini" Source: API Call Installation/Persistence *Modifies auto-execute functionality by setting/creating a value in the registry details: "<Input Sample>" (Access type: "CREATE", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN") "<Input Sample>" (Access type: "SETVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", Key: "JAVA SE PLATFORM UPDATER", Value: ""%APPDATA%\Java SE Platform Updater\jusched.exe"") source: Registry Suspicious WinAPI calls: LoadLibraryA GetProcAddress VirtualProtect VirtualAlloc RegCloseKey ShellExecuteW InternetOpenW RAM Scraping WinAPI calls: III. Yara Signature:
rule Backdoor_Win32_JackPOS : SCRP { meta: author = "Vitali Kremez" date = "2015-12-22" description = "Detected JackPOS Scraper" hash0 = "aa9686c3161242ba61b779aa325e9d24" sample_filetype = "exe" strings: $pdb1 = “\\ziedpirate.ziedpirate-PC\\” $pdb2 = “\\sop\\sop\\” $string0 = "/post/download" $string1 = "jusched.exe" $string2 = "17/[7PMP" $string3 = "no such8v" $string4 = "something" $string5 = "&t1=" $string6 = "mac=" $string7 = "6(7N7Y7{7" $string8 = "m6w;{p" $string9 = " <security>" $string10 = "064686<6@6D" $string11 = "0N1qSWm" $string12 = "dDh-)$" $string13 = "B(0uuy" $string14 = "48.k6lb" $string15 = "tIQ$wIF" $string16 = "1 1-1O1Y1c1v" $string17 = "mG{/_v" condition: 6 of them or uint16(0) == 0x5A4D and 1 of ($pdb*) and filesize<135KB } Sourcefire Rule: alert tcp any any -> any 80 (msg:"JackPOS Activity Detected"; flow:to_server,established; content: "priv8darkshop.com"; "/post/echo HTTP/1.1"; "User-Agent|3A|something"; "/post/download"; pcre: "/mac=.*(\&t1|&t2).*/"; noncase; flow: to_server; classtype: Trojan-activity).
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |