Hi everyone. I'm trying to get into doing analysis regularly, so today I present another blog post.
Today I did an analysis of a piece of malware with the filename 163842953.exe.
MD5: 84e5e263ff859dae0df198c2b9051cf8 (the SHA256 in the VirusTotal link is da958d67485d4162f374fca97c3cfdd060aabb1ca49351efabdb5c4f414b2dd9). There is no clear consensus on VirusTotal as to what the malware is, and it has a horrendously low detection rate across the engines (https://www.virustotal.com/en/file/da958d67485d4162f374fca97c3cfdd060aabb1ca49351efabdb5c4f414b2dd9/analysis/).
Here is a basic rundown of what I was able to find. When executed, the file executes cmd.exe silently and drops the following files:
There is slightly better coverage for these files on the AV engines, excluding the last file, which appears to have the job of performing reachback.
Speaking of which, we saw a few URLs requested by this sample. IIRC, all requests were sent over port 80.
dupler-histu.com: GET /b/shoe/456 HTTP/1.1
kozzi-acompany.com: GET /libk25.98/jquery/ HTTP/1.1 (multiple requests for this file)
GET /wpad.dat HTTP/1.1 with User-Agent: System.Net.AutoWebProxyScriptEngine/2.0.50727.4927 (this User-Agent belongs to the .NET Framework's WPAD proxy auto-detection, which any .NET HTTP client on the host triggers, so this request is not by itself an indicator of this sample)
mirutaruda.com: GET /startloader HTTP/1.1 and GET /style.css HTTP/1.1. mmmhhee.exe is linked to this domain according to VirusTotal.
krowdclown.com: GET /style.css HTTP/1.1 (multiple requests for this file)
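As an added example (not part of the original post), here is a small Python script that turns the requests listed above into a host/path IOC set and runs it over proxy log lines, reporting the .NET WPAD lookup separately so it is not mistaken for the sample's own traffic. The tab-separated log format and the sample log lines are constructed for the demo and are assumptions.

```python
"""Match the requests observed in this sample against HTTP proxy logs.

Added example, not part of the original write-up. The host/path pairs are
copied from the requests listed in the post; the log lines and the log format
(tab-separated: timestamp, client IP, method, URL, User-Agent) are constructed
for the demo and are assumptions.
"""
from urllib.parse import urlsplit

# Host/path pairs observed in the sandbox run (all on port 80).
NETWORK_IOCS = {
    ("dupler-histu.com", "/b/shoe/456"),
    ("kozzi-acompany.com", "/libk25.98/jquery/"),
    ("mirutaruda.com", "/startloader"),
    ("mirutaruda.com", "/style.css"),
    ("krowdclown.com", "/style.css"),
}
IOC_HOSTS = {host for host, _ in NETWORK_IOCS}

# User-Agent of the .NET Framework's WPAD proxy-script lookup. Any .NET HTTP
# client on the machine issues this request, so it is reported separately and
# never counted as a hit on its own.
WPAD_UA_PREFIX = "System.Net.AutoWebProxyScriptEngine/"

# Constructed log lines (not real traffic).
SAMPLE_LOG = """\
1415200001\t10.0.0.5\tGET\thttp://dupler-histu.com/b/shoe/456\tMozilla/4.0 (compatible; MSIE 7.0)
1415200002\t10.0.0.5\tGET\thttp://wpad.corp.example/wpad.dat\tSystem.Net.AutoWebProxyScriptEngine/2.0.50727.4927
1415200003\t10.0.0.5\tGET\thttp://KROWDCLOWN.com:80/style.css\tMozilla/4.0 (compatible; MSIE 7.0)
1415200004\t10.0.0.7\tGET\thttp://www.example.com/index.html\tMozilla/5.0
1415200005\t10.0.0.5\tGET\thttp://mirutaruda.com/other/path\tMozilla/4.0 (compatible; MSIE 7.0)
"""


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        return None
    ts, client, method, url, user_agent = fields
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "host": parts.hostname,  # lower-cased, port stripped
        "path": parts.path or "/",
        "user_agent": user_agent,
    }


def classify(record):
    """Return 'ioc-url', 'ioc-host', 'wpad' or None for a parsed record."""
    host, path = record["host"], record["path"]
    if (host, path) in NETWORK_IOCS:
        return "ioc-url"
    if host in IOC_HOSTS:
        return "ioc-host"  # known domain, path not in the observed set
    if path == "/wpad.dat" and record["user_agent"].startswith(WPAD_UA_PREFIX):
        return "wpad"  # benign-looking on its own; kept for context only
    return None


def scan(log_text):
    """Return (tag, client, host, path) for every line that classifies."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        tag = classify(record)
        if tag is not None:
            hits.append((tag, record["client"], record["host"], record["path"]))
    return hits


def clients_with_c2_contact(log_text):
    """Clients that hit an exact observed URL; a 'wpad' match alone never qualifies."""
    return sorted({client for tag, client, _, _ in scan(log_text) if tag == "ioc-url"})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("clients to triage:", clients_with_c2_contact(SAMPLE_LOG))
```

The host-only match ('ioc-host') is kept as a weaker signal because the post notes that several of these paths were requested repeatedly, so a domain may be contacted with paths not seen in this one run.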
Now I'm no registry expert, so crawling through the entries was not easy, but I did notice these strange entries:
HKU\<USER SID>\Software\Cpvnutujyk (SID removed)
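As an added example (not from the original post), here is a Python heuristic for picking out pseudo-random subkey names like the one above from the subkeys of HKU\<SID>\Software: it flags names with a long run of consonants or too few vowels and skips a baseline of expected names. On a live Windows host the names would come from enumerating the key with winreg; here the subkey list, the baseline and the thresholds are constructed assumptions.

```python
"""Flag pseudo-random subkey names under HKU\\<SID>\\Software.

Added example, not from the original post. On a live Windows host the names
would come from enumerating the key with winreg; here they are constructed.
The baseline list and the two thresholds are assumptions, tuned only against
this handful of names.
"""
import re

VOWELS = set("aeiouy")

# Constructed list standing in for the subkeys of HKU\<SID>\Software.
SAMPLE_SUBKEYS = [
    "Classes", "Microsoft", "Mozilla", "Google", "Policies",
    "Sysinternals", "Wow6432Node", "Cpvnutujyk",
]

# Names expected under a typical user hive; anything here is never flagged.
BASELINE = {"Classes", "Microsoft", "Policies", "Wow6432Node"}


def longest_consonant_run(name):
    """Length of the longest run of consecutive consonants (y counts as a vowel)."""
    runs = re.findall(r"[b-df-hj-np-tv-z]+", name.lower())
    return max((len(r) for r in runs), default=0)


def vowel_ratio(name):
    """Share of alphabetic characters that are vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def looks_random(name, max_run=4, min_vowel_ratio=0.2):
    """Pronounceability heuristic: a long consonant run or too few vowels."""
    if sum(c.isalpha() for c in name) < 6:
        return False  # too short to judge
    return longest_consonant_run(name) >= max_run or vowel_ratio(name) < min_vowel_ratio


def subkey_name(key_path):
    """Last component of a registry path such as HKU\\<SID>\\Software\\Name."""
    return key_path.rstrip("\\").rsplit("\\", 1)[-1]


def suspicious_subkeys(names, baseline=BASELINE):
    """Names outside the baseline that fail the pronounceability check."""
    return sorted(n for n in names if n not in baseline and looks_random(n))


if __name__ == "__main__":
    for name in SAMPLE_SUBKEYS:
        print(f"{name:14} run={longest_consonant_run(name)} "
              f"vowels={vowel_ratio(name):.2f} flagged={looks_random(name)}")
    print("suspicious:", suspicious_subkeys(SAMPLE_SUBKEYS))
```

Treat the output as a triage list, not a verdict: legitimate vendor names with consonant clusters (a four-consonant run is enough to trip the default threshold) will be flagged too, which is why the baseline of known-good names is applied first.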
So that's what I got today; please leave feedback, thanks! EDIT: A comment on one of the reports links one of the domains to ASPROX. Unconfirmed, but certainly possible.