Tuesday, April 8, 2014

New Analysis Apr 8 2014

Hi everyone. I'm trying to get into doing analysis regularly, so today I present another blog post.

Today I did an analysis on a piece of malware with the filename 163842953.exe
MD5: 84e5e263ff859dae0df198c2b9051cf8
There is no clear consensus on VirusTotal about what the malware is, and it has a horrendously low detection rate with the engines. (https://www.virustotal.com/en/file/da958d67485d4162f374fca97c3cfdd060aabb1ca49351efabdb5c4f414b2dd9/analysis/)

Here is a basic rundown of what I was able to find. When executed, the file silently executes cmd.exe and drops the following files:
File.exe - MD5: F2D365780E7DD0691C6FFB0EB888CABA
hhhii.exe - MD5: 53E9C0B26A983F00CD625BF2A1EB419B
mmmhhee.exe - MD5: 0EAAA93B405EC6B42121066646C56958

There is slightly better coverage for these files on the AV engines, excluding the last file, which appears to have the job of performing reachback.

Speaking of which, we saw a few URLs requested by this sample. IIRC, all requests were sent on port 80.
dupler-histu.com - GET /b/shoe/456 HTTP/1.1
kozzi-acompany.com - GET /libk25.98/jquery/ (multiple requests for this file)
GET /wpad.dat HTTP/1.1 - User-Agent: System.Net.AutoWebProxyScriptEngine/2.0.50727.4927
mirutaruda.com - GET /startloader HTTP/1.1, GET /style.css HTTP/1.1 (mmmhhee.exe is linked to this domain according to VirusTotal)
krowdclown.com - GET /style.css HTTP/1.1 (multiple requests for this file)

Now I'm no registry expert, so crawling through the entries was not easy, but I did notice these strange entries (user SID removed):
HKU\<USER SID>\Software\Cpvnutujyk
HKLM\SOFTWARE\Wow6432Node\Cpvnutujyk\License: 0x000001C8
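The network indicators and the registry entries above are the kind of thing you would want to sweep a proxy log and a registry export for. The script below is an added example (it is not part of the original post and not the author's tooling) that turns the post's indicators into a small IOC sweep: it matches the listed domains and request paths against proxy log lines, flags the dropped-file MD5s, and finds the Cpvnutujyk key in a .reg-style export. The log line format, the client IPs and every sample line are constructed for illustration. The /wpad.dat request is deliberately left out of the indicator set: a User-Agent of System.Net.AutoWebProxyScriptEngine is the .NET Framework's proxy auto-discovery client, so that request is common benign noise rather than something specific to this sample.

```python
"""IOC sweep for the 163842953.exe sample. Added example, not from the post.

Indicators (domains, paths, MD5s, registry key name) come from the post; the
proxy-log format, the .reg export lines and the client IPs are constructed.
"""
import re

# Network indicators from the post as (host, path). /wpad.dat is omitted:
# System.Net.AutoWebProxyScriptEngine is .NET's WPAD client, normally benign.
NETWORK_IOCS = {
    ("dupler-histu.com", "/b/shoe/456"),
    ("kozzi-acompany.com", "/libk25.98/jquery/"),
    ("mirutaruda.com", "/startloader"),
    ("mirutaruda.com", "/style.css"),
    ("krowdclown.com", "/style.css"),
}
IOC_HOSTS = {host for host, _ in NETWORK_IOCS}

# MD5s of the original sample and the three dropped files.
FILE_MD5S = {
    "84e5e263ff859dae0df198c2b9051cf8": "163842953.exe",
    "f2d365780e7dd0691c6ffb0eb888caba": "File.exe",
    "53e9c0b26a983f00cd625bf2a1eb419b": "hhhii.exe",
    "0eaaa93b405ec6b42121066646c56958": "mmmhhee.exe",
}

# Key name from the post; hive and user SID vary per host, so match the tail.
REGISTRY_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Cpvnutujyk(?:\\|$)", re.IGNORECASE)

# Constructed proxy-log format: "<timestamp> <client> <METHOD> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)?")


def classify_request(host, path):
    """'exact' for a host+path IOC hit, 'host' for a listed host only, else None."""
    host = host.lower()
    if (host, path) in NETWORK_IOCS:
        return "exact"
    if host in IOC_HOSTS:
        # The post notes repeated requests to these hosts; any other path to a
        # listed host is still worth a look, so report it as a host-only hit.
        return "host"
    return None


def scan_proxy_log(lines):
    """Return (client, host, path, kind) for every log line that hits an IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a line in the expected format, skip it
        u = URL_RE.match(m["url"])
        if not u:
            continue
        path = u["path"] or "/"
        kind = classify_request(u["host"], path)
        if kind:
            hits.append((m["client"], u["host"].lower(), path, kind))
    return hits


def scan_registry_export(lines):
    """Return key paths from a .reg-style export ([HKEY_...\\...] lines) naming Cpvnutujyk."""
    keys = []
    for line in lines:
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if REGISTRY_KEY_RE.search(key):
                keys.append(key)
    return keys


def match_hashes(md5s):
    """Map any known sample/dropper MD5 (case-insensitive) to its filename."""
    return {h.lower(): FILE_MD5S[h.lower()] for h in md5s if h.lower() in FILE_MD5S}


# Constructed sample input: four IOC hits, one benign WPAD lookup, one
# unrelated style.css fetch that must not match on path alone.
SAMPLE_LOG = [
    "2014-04-08T10:01:02 10.0.0.5 GET http://dupler-histu.com/b/shoe/456 200",
    "2014-04-08T10:01:03 10.0.0.5 GET http://kozzi-acompany.com/libk25.98/jquery/ 200",
    "2014-04-08T10:01:04 10.0.0.5 GET http://wpad.corp.example/wpad.dat 404",
    "2014-04-08T10:01:05 10.0.0.5 GET http://mirutaruda.com/startloader 200",
    "2014-04-08T10:01:06 10.0.0.7 GET http://krowdclown.com/favicon.ico 404",
    "2014-04-08T10:01:07 10.0.0.9 GET http://www.example.com/style.css 200",
]
SAMPLE_REG = [
    r"[HKEY_CURRENT_USER\Software\Cpvnutujyk]",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Cpvnutujyk]",
    '"License"=dword:000001c8',
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft]",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("proxy hit:", hit)
    for key in scan_registry_export(SAMPLE_REG):
        print("registry hit:", key)
    print("hash hits:", match_hashes(["84E5E263FF859DAE0DF198C2B9051CF8", "deadbeef"]))
```

Two caveats when using this against real data: the domains date from 2014 and may since have been sinkholed, parked or re-registered, so a host-only hit is a lead rather than a verdict, and the registry match is on the key name alone, so treat a hit as a pointer to pull the full key (including the License value the post shows) rather than as confirmation by itself.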

So that's what I got today. Please leave feedback, thanks!
EDIT: A comment on one of the reports links one of the domains to ASPROX. Unconfirmed, but certainly possible.

