Analysis of malware infected system (by @c_APT_ure)
---------------------------------------------------
Analysis of botnet malware (Kuluoz, Zortob, Smoaler)

* This is an ongoing analysis of infected systems.
* It will eventually get updated when more data becomes available...
  (Originally posted on: http://pastebin.com/CSXUpzNu on 2012-10-08)

Malware infector: Postetikett_Deutsche_Post_AG.exe (MD5: 61a2f310098b532e62da736eb0b4d7a3)
--> VT results see below (infection occurred 2012-10-01)

--------------------------------------------------------------------------------
Observed C2 traffic and malware downloads (URLs)

- some traffic seen up to 2 hrs after infection, most traffic 4 days later.
- traffic through the web proxy (with auth) and some connection attempts without proxy
- faked user-agent: "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
  (NOTE: Windows NT 9.0 !!! hahaha - what Windows version is that?)
- several hundred requests with a "/44f14abe..." URI (88 or 146 hex chars long),
  but request & response sizes varied greatly (a few hundred to > 6000 bytes)

Domain/IP          port    URI
------------------------------------------------------------------------------------
125.214.75.185     84      /44f14abeAFEFF22DF727A10A34CE024737896697CB[snip]   (88 - 146 chars)
178.77.103.54      8080    /44f14abeAFEFF22DF727A10A34CE024737896697C[snip]    (88 - 146 chars)
178.77.103.54      8080    //get/sb163.dll.crp
188.212.156.180    8080    /44f14abeAFEFF22DF727A10A34CE02473789669[snip]      (88 - 146 chars)
188.212.156.180    8080    //get/passf_v4_2.dll.crp
188.212.156.180    8080    //get/sb165.dll.crp
188.212.156.180    8080    //get/sb166.dll.crp
202.169.224.202    8080    /44f14abeAFEFF22DF727A10A34CE02473789669[snip]      (88 - 146 chars)
213.175.218.180    8080    /44f14abeAFEFF22DF727A10A34CE02473789669[snip]      (88 - 146 chars)
213.175.218.181    8080    /44f14abeAFEFF22DF727A10A34CE02473789669[snip]      (88 - 146 chars)
217.160.236.108    84      /44f14abeAFEFF22DF727A10A34CE024737896697C[snip]    (88 - 146 chars)
46.105.121.86      8080    /44f14abeAFEFF22DF727A10A34CE024737896697C[snip]    (88 - 146 chars)
46.4.180.98        8080    /44f14abeAFEFF22DF727A10A34CE024737896697CBE[snip]  (88 - 146 chars)
50.22.136.150      8080    /44f14abeAFEFF22DF727A10A34CE024737896697C[snip]    (88 - 146 chars)
50.22.136.150      8080    //get/passf_v4_2.dll.crp
50.22.136.150      8080    //get/sb163.dll.crp
64.42.8.44         34939   /44f14abeAFEFF22DF727A10A34CE024737896697CBE[snip]  (88 - 146 chars)
75.178.216.237     52360   /44f14abeAFEFF22DF727A10A34CE02473789669[snip]      (88 - 146 chars)
94.247.176.157     8080    /44f14abeAFEFF22DF727A10A34CE024737896697[snip]     (88 - 146 chars)

and, using the default browser (IE) user-agent, downloading
"//get/faa91cf5e79a76602f094ed38fad5872.exe" from:

188.212.156.180   8080
202.169.224.202   8080
46.105.121.86     8080
178.77.103.54     8080
213.175.218.181   8080
50.22.136.150     8080
94.247.176.157    8080

The above was an analysis of the first detected system. Now we have detected
more systems, and the following is from more than one:

malware download URI:
  //get/3a87e0bd1556aa4bb5cb18afc58488d3.exe
  //get/faa91cf5e79a76602f094ed38fad5872.exe
  //get/passf_v4_2.dll.crp
  //get/passgrub_f2.dll.crp
  //get/sb159.dll.crp
  //get/sb160.dll.crp
  //get/sb161.dll.crp
  //get/sb163.dll.crp
  //get/sb165.dll.crp
  //get/sb166.dll.crp
  //get/si42.dll.crp

observed on IP:port

assumed C2 traffic:

#requests   URI
        1   /202aac8e91638A93821FBEC23F4A058BA24A22EB49F211 (POST request)
    27585   /202aac8eD76480929F49E0DA270548C4F84C37FA03B51F5F14453354EB782730D5410D5787D1D6707FF977B8
     7192   /202aac8eD76480929F49E0DA270548C4F84C37FA03BC115E5D1E7315E670377C960E0E18DA94942C2CAE7FE4C9E2DF86A8504DA2E558168C21798C6AB6C63AB61C67FAD6993A26FD87
      231   /44f14abeAFEFF22DF727A10A34CE024737896697CBE1DAD05FEF30CFD0B0A3774933F0847D0EF32D3860CEA6CA785285D392544641A9F87AA2215C49CD838AD8F145B1F35B11DAE8CA
     3275   /44f14abeAFEFF22DF727A10A34CE024737896697CBE1DAD05FEF30CFD0B0A3774933F0847D0EF32D3865CEA6CA785285D392544641A9F87AA2215C49CD838AD8F145B1F35B11DAE8CA
     4031   /44f14abeAFEFF22DF727A10A34CE024737896697CBE8D4D116B274DA8DEDB1610A7CF3CB264FE5213C359DF3
        1   /545e17d390DF63BB8419C1C29B7B9DBFC004368CCDBF78 (POST request)
       16   /545e17d3D6D869BA994F9FDA8334D0F09A02239D87F178B11666C337108E8FAC5C5AE4185DC3F1E41839CD83E8F8F783432C6FC32C619065BC72549D21F28E4DF76DCB9E9F389B70
       61   /545e17d3D6D869BA994F9FDA8334D0F09A02239D87F876B05F3A877119D6CBBC4915E7570782B4BC1B3A9989
      779   /7265823f22C2BCDB6849DCB1A71DFD004B3AA97476B250DA912B1BEC1315E26EB7CBC22D0FEB26DB3ABCCB44
      589   /7265823f22C2BCDB6849DCB1A71DFD004B3AA97476BB5EDBD87559A94A44A329F784C16257AC60D330BAC81B1537C16B42BD5A5DAD8C4DF47089A5CD5BA106262AE739E13C17326E

The first 8 chars (lowercase hex) seem to be constant for each system; the rest is uppercase hex.

--------------------------------------------------------------------------------
https://www.virustotal.com/file/17130038a713545fc93bd1f01ca2d604d72db237bdd6a7722e97712705f708f0/analysis/

SHA256:           17130038a713545fc93bd1f01ca2d604d72db237bdd6a7722e97712705f708f0
SHA1:             badb47c121b959d63177d839d93874b680373f2b
MD5:              61a2f310098b532e62da736eb0b4d7a3
File size:        59.0 KB ( 60416 bytes )
File name:        61a2f310098b532e62da736eb0b4d7a3
File type:        Win32 EXE
Tags:             peexe
Detection ratio:  32 / 43
Analysis date:    2012-10-05 18:51:36 UTC ( 3 days, 1 hour ago )

ssdeep:  1536:AA01spqcXyLeFdLdQE1tpEXgfR11GvWbbq01/zqEquOzzzzzzzzzzzzzzzzzzzzs:APsyMdJQCtp9H7Pq01/zqEquOzzzzzzU
TrID:    Win32 Executable MS Visual C++ (generic) (65.2%)
         Win32 Executable Generic (14.7%)
         Win32 Dynamic Link Library (generic) (13.1%)
         Generic Win/DOS Executable (3.4%)
         DOS Executable Generic (3.4%)

ExifTool
  MIMEType.................: application/octet-stream
  Subsystem................: Windows GUI
  MachineType..............: Intel 386 or later, and compatibles
  TimeStamp................: 2012:08:31 09:56:44+01:00
  FileType.................: Win32 EXE
  PEType...................: PE32
  CodeSize.................: 35840
  LinkerVersion............: 10.0
  EntryPoint...............: 0x19cc
  InitializedDataSize......: 23552
  SubsystemVersion.........: 5.1
  ImageVersion.............: 0.0
  OSVersion................: 5.1
  UninitializedDataSize....: 0

Portable Executable structural information
  Compilation timedatestamp.....: 2012-08-31 08:56:44
  Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
  Entry point address...........: 0x000019CC

  PE Sections...................:
  Name     Virtual Address   Virtual Size   Raw Size   Entropy   MD5
  .text    4096              35439          35840      6.21      604972e454d31b6d0592de31b570cc31
  .rdata   40960             10628          10752      3.80      e810b7a65fb0a961aa64980fecfd5ceb
  .data    53248             5072           2560       1.78      21c140606375ee6b43d49632e7965e3e
  .rsrc    61440             10240          10240      4.82      ddba3ce0f3be803368c0a059508c4a94

  PE Imports....................:
  [[KERNEL32.dll]]
  [[USER32.dll]]

  PE Resources..................:
  Resource type    Number of resources
  RT_ICON          1
  RT_GROUP_ICON    1
  RT_MANIFEST      1

  Resource language   Number of resources
  RUSSIAN             2
  ENGLISH US          1

Symantec Reputation:  Suspicious.Insight
F-Secure Deepguard:   Suspicious:W32/Malware!Online

First seen by VirusTotal:  2012-10-01 11:22:13 UTC ( 1 week ago )
Last seen by VirusTotal:   2012-10-05 18:51:36 UTC ( 3 days, 1 hour ago )

File names (max. 25):
  Delta_A_Ticket_Print_Document.exe
  Postal_Etiqueta_ES.virusexe
  badb47c121b959d63177d839d93874b680373f2b
  file-4579083_bin
  61a2f310098b532e62da736eb0b4d7a3
  tvdbfuiu.exe
  Postetikett_Deutsche_Post_AG.exe
  lflkotbg.exe
  qvshvkhs.exe
  Postetikett_Deutsche_Post_AG.exe.bin
  AA_Ticket_Print_Document.exe
  gkgfqilb.exe
  po.vir
  Postetikett_Deutsche_Post_AG.ex_
  p.exe

AntiVir               TR/Weelsof.EB.7                          20121005
Avast                 Win32:Crypt-NWJ [Trj]                    20121005
AVG                   Downloader.Generic13.JZK                 20121005
BitDefender           Trojan.Generic.KDV.745445                20121005
CAT-QuickHeal         Worm.Kuluoz.b                            20121004
ClamAV                Win.Trojan.Kuluoz-3                      20121005
Commtouch             W32/Trojan3.EBU                          20121005
Comodo                TrojWare.Win32.Trojan.Agent.Gen          20121005
DrWeb                 Trojan.DownLoader6.62699                 20121005
ESET-NOD32            Win32/TrojanDownloader.Zortob.B          20121005
F-Prot                W32/Trojan3.EBU                          20121005
F-Secure              Trojan-Downloader:W32/Agent.DUFN         20121003
Fortinet              W32/Zortob.DCF3!tr                       20121005
GData                 Trojan.Generic.KDV.745445                20121005
Ikarus                Trojan-Downloader.Win32.Kuluoz           20121005
K7AntiVirus           Trojan                                   20121005
Kaspersky             Trojan-Downloader.Win32.Kuluoz.bw        20121005
Kingsoft              Win32.Malware.Generic.a.(kcloud)         20120925
McAfee                BackDoor-FIS                             20121005
McAfee-GW-Edition     Generic Downloader.x!gl3                 20121005
Microsoft             TrojanDownloader:Win32/Kuluoz.B          20121005
MicroWorld-eScan      Trojan.Generic.KDV.745445                20121005
Norman                W32/Troj_Generic.EMNWC                   20121005
nProtect              Trojan/W32.Agent.60416.VJ                20121005
Panda                 Trj/OCJ.A                                20121005
PCTools               Trojan.Smoaler                           20121005
Sophos                Troj/Agent-YAB                           20121005
Symantec              Trojan.Smoaler                           20121005
TrendMicro            TROJ_ZORTOB.GIF                          20121005
TrendMicro-HouseCall  TROJ_ZORTOB.GIF                          20121005
VIPRE                 Trojan.Win32.Generic.pak!cobra           20121005
ViRobot               Trojan.Win32.A.Downloader.60416.CS       20121005

--------------------------------------------------------------------------------
https://www.virustotal.com/file/ba99de7c445a2f638339d7a59056f8eeb9f9d3ab82a6c9670d080112e99cdb87/analysis/

SHA256:           ba99de7c445a2f638339d7a59056f8eeb9f9d3ab82a6c9670d080112e99cdb87
SHA1:             d60869c612d044381186888a6bab8e6f1a809b91
MD5:              f9d7c80d2bf81c8e4029d22c8d685670
File size:        2.7 MB ( 2882560 bytes )
File name:        passf_v4_2.dll.crp
File type:        unknown
Detection ratio:  1 / 44
Analysis date:    2012-10-08 08:15:02 UTC ( 12 hours, 3 minutes ago )

ssdeep:  49152:RHuPLsgeJl/Bd1x/lG5Yk8iwWDfmxaT169Wz0QFsxTdNPIq6WTXSqs3hK:FW4gGLNxvQ+PIcXSqs3hK

First seen by VirusTotal:  2012-10-02 13:40:30 UTC ( 6 days, 6 hours ago )
Last seen by VirusTotal:   2012-10-08 08:15:02 UTC ( 12 hours, 3 minutes ago )

File names (max. 25):
  passf_v4_2.dll.crp
  vti-rescan

DrWeb                 DLOADER.PWS.Trojan                       20121008

--------------------------------------------------------------------------------
https://www.virustotal.com/file/e5e00af044d3c819a20d9e759bcbfe3696d0b709cfc6e22f29f21ae6823591f1/analysis/1349700189/

SHA256:           e5e00af044d3c819a20d9e759bcbfe3696d0b709cfc6e22f29f21ae6823591f1
SHA1:             2eca7e8a01307e9e5956bcd0532838fb2c8d298c
MD5:              42811529431802dedef6de44ac6e3408
File size:        491.5 KB ( 503296 bytes )
File name:        faa91cf5e79a76602f094ed38fad5872.exe
File type:        Win32 EXE
Detection ratio:  5 / 44
Analysis date:    2012-10-08 12:43:09 UTC ( 0 minutes ago )

CAT-QuickHeal         (Suspicious) - DNAScan                   20121007
Fortinet              W32/Kelihos.BBB!tr                       20121008
Kaspersky             UDS:DangerousObject.Multi.Generic        20121008
Norman                W32/Hlux.K                               20121008
Panda                 Suspicious file                          20121007

--------------------------------------------------------------------------------
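A proxy-log check for the C2 pattern described above (the 8-char lowercase prefix that stays constant per infected host, the uppercase hex tail, the "//get/" second-stage downloads and the bogus "Windows NT 9.0" user-agent), written here as an added example and not taken from the original post. The log line layout, the 10.1.2.x client addresses and the classify/summarize function names are assumptions of this example; the destination hosts and URIs reuse values listed above.

```python
import re
from collections import defaultdict
# C2 check-in URI as described above: 8 lowercase hex chars (constant per
# infected host) followed by uppercase hex; lengths seen: 46 (POST), 88, 146.
C2_URI_RE = re.compile(r"^/([0-9a-f]{8})([0-9A-F]{38,138})$")
# Second-stage downloads; note the double slash the bot puts after the host.
DOWNLOAD_URI_RE = re.compile(r"^//get/[A-Za-z0-9_]+\.(?:dll\.crp|exe)$")
# User-agent the bot fakes; "Windows NT 9.0" does not exist.
FAKE_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
# Constructed proxy-log line layout: client dest:port METHOD uri "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) "([^"]*)"$')

def classify(line):
    """Return (reason, bot_id, dest, uri) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _client, dest, _method, uri, ua = m.groups()
    c2 = C2_URI_RE.match(uri)
    if c2:
        return ("c2", c2.group(1), dest, uri)
    if DOWNLOAD_URI_RE.match(uri):
        return ("download", None, dest, uri)
    if ua == FAKE_UA:  # unknown URI, but the tell-tale user-agent
        return ("fake_ua", None, dest, uri)
    return None

def summarize(lines):
    """Group C2 hits by bot id (the constant lowercase prefix); collect
    second-stage downloads and fake-UA-only requests separately."""
    bots, downloads, fake_ua = defaultdict(set), set(), set()
    for hit in filter(None, map(classify, lines)):
        reason, bot_id, dest, uri = hit
        if reason == "c2":
            bots[bot_id].add(dest)
        elif reason == "download":
            downloads.add((dest, uri))
        else:
            fake_ua.add(dest)
    return {"bots": dict(bots), "downloads": downloads, "fake_ua": fake_ua}

# Constructed sample lines for this added example (not from the post itself);
# hosts and URIs reuse values listed above.
SAMPLE_LOG = [
    '10.1.2.3 178.77.103.54:8080 GET /44f14abe' + "A" * 80 + f' "{FAKE_UA}"',
    '10.1.2.3 50.22.136.150:8080 GET /44f14abe' + "B" * 138 + f' "{FAKE_UA}"',
    '10.1.2.9 46.4.180.98:8080 POST /545e17d3' + "C" * 38 + f' "{FAKE_UA}"',
    '10.1.2.3 178.77.103.54:8080 GET //get/sb163.dll.crp "Mozilla/4.0 (compatible; MSIE 8.0)"',
    '10.1.2.7 203.0.113.10:80 GET /index.html "Mozilla/5.0 (Windows NT 6.1)"',
]
```

Running `summarize(SAMPLE_LOG)` groups the two 44f14abe requests under one bot id and the 545e17d3 POST under another, which is how the per-host prefix separates infected machines in proxy logs.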