Thanks for Sharing – Indicators


By popular request, I'm listing the indicators that I gathered from the malware in the situation described in the previous post (Thanks for Sharing). Don Clifton (@Digitalsec4u) has also shared his (and will be adding more) over on his blog at digitalsecurity4u.

The initial tip came from the following tweets by @c_APT_ure:

#malware news [1/2]: badware domains starting with (analyze|bold|blood|gone|adsa|bsdm) and ending: “\.[a-z]{2,3}\.(tf|pn|mn|ms|cm|cc)” [tbc]

#malware news [2/2]: badware hosts moved from 188.72.201.x & 188.72.194.x to 31.184.192.x

Based on these indicators, I searched some of the sensors that I have access to and, lo and behold, got some hits. The indicators for the initial malware are:

MD5 757bb8d0ae847290119fcb9ea0d3b231
UPX packed
Spawns svchost, which copies itself to AppData, deletes the original, and creates a Run value named YahooPartnerToolbar under HKCU
Also sets several IE cache limits to 0x81830
Lastly, it reads Firefox profiles and accesses signons.sqlite (Firefox's saved-login store)

The malware then makes several requests to the following URLs (with the IP each host resolved to at the time). In testing, not all requests received successful responses.

Google.com (Probable connection check)
POST http://ocean2372721.ru:80/sss/index.php (31.184.237.143) – Frequently Repeated
GET http://www.whitestarlogic.com:80/forum/Themes/core/images/topic/1.exe (184.168.55.1)
GET http://www.mercierautos.ca:80/img/1.exe (69.49.101.51)
GET http://www.whitestarlogic.com:80/forum/Themes/core/images/topic/test.exe (184.168.55.1)
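To show how these network indicators turn into a detection, here is a small matcher that applies the domain pattern and host ranges from the tweets above, plus the URLs and IPs just listed, to proxy log lines. This is an added example, not code from the original post. The five-field log format (timestamp, client, destination IP, method, URL), the sample lines, and the resolved IPs for google.com and the example.* hosts in them are constructed for the demo; the /24 reading of the "x" ranges in the tweet is an assumption.

```python
"""Apply the network indicators from this post to proxy log lines.

Added example, not code from the original post. The five-field log format
(timestamp client dest_ip method url) and the sample lines are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Domain pattern paraphrased from @c_APT_ure's tweet: one of the listed
# prefixes, anything, then "<2-3 letter label>.<listed TLD>".
BADWARE_DOMAIN_RE = re.compile(
    r"^(?:analyze|bold|blood|gone|adsa|bsdm).*\.[a-z]{2,3}\.(?:tf|pn|mn|ms|cm|cc)$",
    re.IGNORECASE,
)

# Hosting ranges named in the tweet (old and new), read as /24s (assumption).
BADWARE_NETS = [ipaddress.ip_network(n) for n in (
    "188.72.201.0/24", "188.72.194.0/24", "31.184.192.0/24")]

# Exact URLs and resolved IPs from the sample's requests (default port dropped).
IOC_URLS = {
    "http://ocean2372721.ru/sss/index.php",
    "http://www.whitestarlogic.com/forum/Themes/core/images/topic/1.exe",
    "http://www.mercierautos.ca/img/1.exe",
    "http://www.whitestarlogic.com/forum/Themes/core/images/topic/test.exe",
}
IOC_IPS = {"31.184.237.143", "184.168.55.1", "69.49.101.51"}


def parse_url(url):
    """Return (host, normalized_url): host lower-cased, ':80' dropped for http.

    Raises ValueError for an unparsable port so the caller can skip the URL.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or (parts.scheme == "http" and port == 80):
        authority = host
    else:
        authority = f"{host}:{port}"
    return host, f"{parts.scheme}://{authority}{parts.path}"


def match_indicators(line):
    """Return the indicator names a log line triggers ([] if clean).

    Returns None for lines without the expected five fields, so a caller
    can count malformed input separately from clean traffic.
    """
    fields = line.split()
    if len(fields) != 5:
        return None
    _ts, _client, dest_ip, _method, url = fields
    hits = []
    try:
        addr = ipaddress.ip_address(dest_ip)
    except ValueError:
        addr = None
    if addr is not None:
        if dest_ip in IOC_IPS:
            hits.append("known-ip")
        if any(addr in net for net in BADWARE_NETS):
            hits.append("badware-net")
    try:
        host, norm = parse_url(url)
    except ValueError:
        return hits
    if norm in IOC_URLS:
        hits.append("known-url")
    if BADWARE_DOMAIN_RE.match(host):
        hits.append("domain-pattern")
    return hits


# Constructed sample log; IPs for google.com and example.* are made up.
SAMPLE_LOG = """\
2011-11-01T09:58:12 10.0.0.5 74.125.224.72 GET http://www.google.com/
2011-11-01T09:58:14 10.0.0.5 31.184.237.143 POST http://ocean2372721.ru:80/sss/index.php
2011-11-01T09:58:20 10.0.0.5 184.168.55.1 GET http://www.whitestarlogic.com:80/forum/Themes/core/images/topic/test.exe
2011-11-01T09:59:01 10.0.0.7 31.184.192.44 GET http://bloodpressure.wq.cc/in.php
2011-11-01T09:59:05 10.0.0.7 188.72.201.9 GET http://cdn.example.net/img.png
2011-11-01T09:59:09 10.0.0.9 93.184.216.34 GET http://analyze.example.com/
this line is not in the expected format
"""


def scan(log_text):
    """Return [(line_number, hits)] for each line that triggers an indicator."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = match_indicators(line)
        if hits:
            findings.append((n, hits))
    return findings


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Note that the google.com connection check and the analyze.example.com line stay clean: the pattern needs one of the listed TLDs, not just a listed prefix, and a host in a bad range is reported even when the URL itself is unknown, which is how you catch the next sample after the hosts move again.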

During testing, I was able to successfully retrieve test.exe, but have not been able to fully examine it. The indicators I have are included below. It has an 18/43 detection rate on VirusTotal at the moment.

MD5 017461c175d725113826b409249bb447
When run, the malware attempts to start Skype and run in its context; if Skype is not found, an error box is displayed.
One interesting piece that is present in a string dump of the executable is the path to the program database:
C:\Users\LeX\Documents\Projects\SFlooder\Release\SFakeDropper_exe.pdb

Has anyone noted any other pieces of malware that may be linked to the same user? As you can see, the author did not strip the debug (PDB) path from the build, and the project and executable names hint at their functionality. The project name suggests a Skype flooding application, and this particular executable appears to be its fake Skype dropper, which also explains why it attempts the additional requests to the IPs and domains above.
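The PDB path is worth extracting directly rather than eyeballing a strings dump, because the CodeView record also carries the GUID and age that tie a binary to a specific build. The following is an added example, not code from the original post: it scans a buffer for CodeView RSDS records and splits the recovered path into the pivots an analyst would search on. SAMPLE_PE is a constructed buffer, not the real sample, and its GUID and age are made up; a full parser would walk IMAGE_DEBUG_DIRECTORY, so the signature scan here is a triage shortcut that filters out chance "RSDS" matches by requiring a printable path.

```python
"""Pull the CodeView (RSDS) PDB path out of a PE image and mine it for hints.

Added example, not code from the original post. SAMPLE_PE is a constructed
buffer, not the real sample; its GUID and age are made up. A full parser
would walk IMAGE_DEBUG_DIRECTORY; scanning for the RSDS signature is the
triage shortcut, which is why results are filtered for a printable path.
"""
import struct
import uuid

RSDS = b"RSDS"
HEADER_LEN = 4 + 16 + 4          # signature, GUID, age


def extract_pdb_records(data):
    """Return [{offset, guid, age, path}] for every plausible RSDS record."""
    records = []
    pos = data.find(RSDS)
    while pos != -1:
        hdr_end = pos + HEADER_LEN
        nul = data.find(b"\x00", hdr_end)
        if len(data) >= hdr_end and nul != -1:
            path = data[hdr_end:nul]
            # Require a non-empty, printable-ASCII path; anything else is a
            # chance "RSDS" in code or data, not a CodeView record.
            if path and all(0x20 <= b < 0x7F for b in path):
                guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])
                (age,) = struct.unpack("<I", data[pos + 20:hdr_end])
                records.append({"offset": pos, "guid": str(guid),
                                "age": age, "path": path.decode("ascii")})
        pos = data.find(RSDS, pos + 1)
    return records


def hints_from_pdb_path(path):
    """Split a Windows PDB path into the attribution hints an analyst pivots on.

    Handles both the Vista+ (\\Users\\) and XP (\\Documents and Settings\\)
    profile layouts; the project is taken as the directory above Debug/Release.
    """
    parts = path.split("\\")
    hints = {"user": None, "project": None, "config": None, "pdb": parts[-1]}
    for i, part in enumerate(parts):
        low = part.lower()
        if low in ("users", "documents and settings") and i + 1 < len(parts):
            hints["user"] = parts[i + 1]
        elif low in ("debug", "release") and i > 0:
            hints["config"] = part
            hints["project"] = parts[i - 1]
    return hints


# Constructed test buffer: a fake header, one record carrying the path from
# the post, padding, then a decoy "RSDS" followed by a non-printable "path".
PDB_PATH = b"C:\\Users\\LeX\\Documents\\Projects\\SFlooder\\Release\\SFakeDropper_exe.pdb"
FAKE_GUID = uuid.UUID("0f3e3e4a-9d1b-4c5e-8a2f-6b7c8d9e0f10")   # made up
SAMPLE_PE = (
    b"MZ" + b"\x90" * 62
    + RSDS + FAKE_GUID.bytes_le + struct.pack("<I", 1) + PDB_PATH + b"\x00"
    + b"\x00" * 16
    + RSDS + b"A" * 16 + struct.pack("<I", 7) + b"\xff\xfe\x00"
)


if __name__ == "__main__":
    for rec in extract_pdb_records(SAMPLE_PE):
        print(f"0x{rec['offset']:x} guid={rec['guid']} age={rec['age']} {rec['path']}")
        print(hints_from_pdb_path(rec["path"]))
```

Run against a real file with `extract_pdb_records(open(path, "rb").read())`; the GUID and age are what a symbol server keys on, so two samples sharing them came from the same build, and the user and project names are the pivots for the "other malware linked to the same user" question above.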

That’s all for this time, but be sure to check out the analysis from the others involved!


  1. > Spawns svchost which: Copies itself to AppData, deletes the original,

    What’s the full path in AppData, and what does “deletes the original” refer to?

    > …creates a run key named YahooPartnerToolbar

    Key, or value? Which Run key…HKLM or HKCU?

    > It also modifies several IE cache limits (sets to 81830)

    What does this mean?

    > It has a 18/43 detection rate on Virustotal at the moment.

    Do you have any information available on what it was detected as? I know a lot of times the names are different, but maybe if some of the bigger, more well-known engines provided something, that might be useful. Also, did your finding for the malware match up with any of the detections?

    > When run, the malware attempts to run as Skype and if it’s not found, and error box is displayed.

    I’m not sure what this means…”attempts to run as Skype and if it’s found…”…can you elaborate?

    Thanks for sharing!

    • Thanks for reading and for the comments.

      Based on the information I currently have, the answers to your questions are as follows:
      Full Path: \Documents and Settings\USERNAME\Application Data\D15A02.exe
      and the original executable (ticket.exe) was deleted from the location it was originally executed.

      My mistake on the registry naming. It creates a value in the registry key (YahooPartnerToolbar) in HKCU and sets the data to C:\Documents and Settings\USERNAME\Application Data\D15A02.exe

      With regards to the IE settings, the malware sets the HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS(1-4) CachePath values and HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS (AppData, Cache, History, and Cookies values) to the "normal" default locations within the user's profile. The CacheLimit values associated with HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\PATHS(1-4) set the maximum size allowed for storage in each cache. In this example, setting the value to 0x81830 translates to roughly 518 MB in size.

      With regards to the VirusTotal detections, the first piece examined (20/43 detection) is detected as Artemis (McAfee), DoFoil (Several), and Bredo (Sophos).
      The second piece examined (18/43 detection) detected as Artemis (McAfee), PWS:Win32/Sypak.A (Microsoft).

      For the last question, I should have more accurately stated that the malware attempts to start Skype, and run in the same context. This is more of an assumption since the analysis platform didn't have Skype and I haven't had a chance to get back to it. I believe Don will be elaborating on this in his next post.

      -Keith

  2. Thanks for providing this information. I asked those questions because as a host-based analyst, those are the types of things I look for, particularly when it comes to creating IOCs for such things. I’ve worked with other malware RE folks in the past, and with one exception, they’ve all focused primarily on what’s most useful to them, rather than providing something that’s useful to others.

    For example, when performing a host-based exam, and I find something that had opened a hole through the XP firewall, I'll note the port and a date/time stamp, if available. That way, I can give something to the network analyst…the source IP and port for outbound communications, when attempts to communicate off of the system or infrastructure may have started, etc. These artifacts can also be useful to memory analysts, etc.

    Were you able to perform any more detailed analysis of any of the executables? For example, beyond the MD5 hashes, were there any particular artifacts found in the PE headers? I saw that you ran strings, but how about PEView or PEiD? Was there a particular compiler signature? Did the PE file have file versioning information embedded?

    Thanks.

    • Not a problem. I appreciate the feedback so that I can incorporate those points into any future posts on similar topics. As of this point, I haven't been able to perform any in-depth analysis due to other responsibilities (primarily school…). If I get a chance today, I'll run the executables through PEiD and post the results.

      -Keith

  3. Keith,

    > Spawns svchost which: Copies itself to AppData…

    Can you clarify “spawns svchost”? Does it create a file called “svchost.exe” somewhere (if so, where), launch it, etc? Or does it initiate another version of the legit svchost, or inject into one that already exists?

    thanks.
