[hx1997]

https://www.eff.org/deeplinks/2014/01/v ... s-personal

In attach related samples.

The executables dropped seem to be encoded. Many odd "3F" bytes in them. Does anyone have idea on how to decode them?

Thanks!

[reverser]

Clean exes/docs extracted from the macro code in the word files.

[unixfreaxjp]

I think this is a custom made. Not that "bootkit-level" sophisticated, but just a well-thought made. It's good for sharing.
I don't know how to name this threat..pls forgive to open new Topic, hope to post next samples of the similar ones in the future in the same thread.

The hta dropper with VBScript: https://www.virustotal.com/en/file/69a3 ... 408963597/
The dropped PE dropper: https://www.virustotal.com/en/file/8b34 ... 408964268/
EXE Payload Patcher: https://www.virustotal.com/en/file/86d4 ... 408963508/
DLL loaded by EXE payload by hacking wscript.exe https://www.virustotal.com/en/file/cb4c ... 408964214/

Sample & drops are all attached, if you need reference or hint, peek this report (it's not a promotion, an information): http://blog.malwaremustdie.org/2014/08/ ... lware.html
It will be more of these series. Better get used to similar coding.

[hx1997]

Something related

http://www.kernelmode.info/forum/viewto ... =16&t=3127

Good work btw ;)

[unixfreaxjp]

Something related

http://www.kernelmode.info/forum/viewto ... =16&t=3127

Good work btw ;)

Thank's. A question: Is your sample is BEFORE or AFTER the one we analyzed? This is very important question for this investigation actually, since we have some contact info used by its CNC now.
IF the ANSWER is AFTER, then we will reverse your suggested related sample right away.

[hx1997]

Thank's. A question: Is your sample is BEFORE or AFTER the one we analyzed? This is very important question for this investigation actually, since we have some contact info used by its CNC now.
IF the ANSWER is AFTER, then we will reverse your suggested related sample right away.

Hmm... I'm not sure if I get what you meant by "before or after", since I didn't come across these samples on a victim's computer by chance, instead I just grabbed them from VT according to the hash in EFF's article. So they shouldn't be any different from the samples you analyzed.

[unixfreaxjp]

Thank you so much for the kindly reply.

Thank's. A question: Is your sample is BEFORE or AFTER the one we analyzed? ..

Hmm... I'm not sure if I get what you meant by "before or after"..

This group is slick. Some samples was released by them. Different in format, some in .DOC, some is in different filenames. Each samples with different CNC. Some samples were made fails too.
The problem is we're dealing w/6months ago's threat, yet the CNC was having activity until 3months ago. It means some unknown samples are still out there. They'll be back for sure. This time we're ready. If you happen to know something similar in MO, pls kindly help to post please it here?
With thank's in advance.

[unixfreaxjp]

Clean exes/docs extracted from the macro code in the word files.

First sample was analyzed, hta installer, drops, all stages is as same as per posted in MMD.
Spawned:

Code: Select all

    sample1.exe PID: 1196 MD5: F38D0FB4F1AC3571F07006FB85130A0D
        XX.tmp PID: 2932 MD5: 082B2155921DBB6296D632DF571086EA
            defrag.exe PID: 2152 MD5: 90F5BBBA8760F964B933C5F0007592D2
                wscript.exe PID: 3324 MD5: DC3CC9BB16E6C8401E640914A4C9FAC5

CNC domains:

Code: Select all

menmin.strezf.com resolved to:91.229.77.179
static.jg7.org	resolved to:76.162.203.160
imaps.qki6.com dead

Same CNC communication blob (BUT this time is to: 76.162.203.160)

Code: Select all

38 ce 64 01 ba 7f 62 03 42 dd 66 05 f6 db c3 03 07 f8 db 00 13 f1 0e 02 6d e7 4c 01 a7 d1 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

[hx1997]

Thank you so much for the kindly reply.

This group is slick. Some samples was released by them. Different in format, some in .DOC, some is in different filenames. Each samples with different CNC. Some samples were made fails too.
The problem is we're dealing w/6months ago's threat, yet the CNC was having activity until 3months ago. It means some unknown samples are still out there. They'll be back for sure. This time we're ready. If you happen to know something similar in MO, pls kindly help to post please it here?
With thank's in advance.

Sure, I'll let you know if I come across any.

[unixfreaxjp]

The second and third samples are completely different. Based on timeline this ones are assumed the previous threat used by attacker. Same MO in crafting the samples & basic methods shows same actors.
I didn't have time to reverse it yet, but the below quick illustration/static analysis data will give some idea..

A kinda "heavy-weight" copy-paster)))


These are the complete drops (attached):

Process monitored:

Code: Select all

sample2.exe (pid: 1424 md5: 4adfb75e1b5546932deb91b4d39439a5)
  ↓
  werfault.exe (pid: 3400 md5: ec7fb2c830544dfa0cbb037d79d38151)
    ↓(self-spawned, no polymorphic trace)
  werfault.exe (pid: 4072 md5: ec7fb2c830544dfa0cbb037d79d38151)
        ↓
        cmd: rundll32.exe $AppData\Roaming\Microsoft\Werfault\WerFault.dll PrepareDebugSymbolEx ::S\%AppData%\Roaming\Microsoft\Werfault\WerFault.exe pid: 2164  md5: f6b34cd47caf6d68106b9f8055f35c50

A quick scan result on my tweaked tool shows (better read this before reversing):

Code: Select all

Meta-data
================================================================================
File:    sample2
Size:    690176 bytes
Type:    PE32 executable (GUI) Intel 80386, for MS Windows
MD5:     4adfb75e1b5546932deb91b4d39439a5
SHA1:    b6cfda71c85af7b1cb4496c79b8260fa13e02684
Date:    0x510A24D8 [Thu Jan 31 08:01:28 2013 UTC]
EP:      0x40a927 .text 0/5
CRC:     Claimed: 0xb0ee2, Actual: 0xb0ee2 
DLL:     False
Sect:    5
AntiDbg: Yes
AntiVM:  VMware trick
Packer: No

Resource entries
================================================================================
Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
RT_ICON            0x992e0  0x668    LANG_ENGLISH SUBLANG_ENGLISH_US       data
RT_ICON            0x99948  0x2e8    LANG_ENGLISH SUBLANG_ENGLISH_US       data
RT_ICON            0x99c30  0x128    LANG_ENGLISH SUBLANG_ENGLISH_US       GLS_BINARY_LSB_FIRST
RT_ICON            0x99d58  0xea8    LANG_ENGLISH SUBLANG_ENGLISH_US       data
RT_ICON            0x9ac00  0x8a8    LANG_ENGLISH SUBLANG_ENGLISH_US       data
RT_ICON            0x9b4a8  0x568    LANG_ENGLISH SUBLANG_ENGLISH_US       GLS_BINARY_LSB_FIRST
RT_ICON            0x9ba10  0xb242   LANG_ENGLISH SUBLANG_ENGLISH_US       PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON            0xa6c54  0x25a8   LANG_ENGLISH SUBLANG_ENGLISH_US       data
RT_ICON            0xa91fc  0x10a8   LANG_ENGLISH SUBLANG_ENGLISH_US       data
RT_ICON            0xaa2a4  0x468    LANG_ENGLISH SUBLANG_ENGLISH_US       GLS_BINARY_LSB_FIRST
RT_GROUP_ICON      0xaa70c  0x92     LANG_ENGLISH SUBLANG_ENGLISH_US       MS Windows icon resource - 10 icons, 48x48, 16-colors
RT_VERSION         0xaa7a0  0x340    LANG_ENGLISH SUBLANG_ENGLISH_US       data
RT_MANIFEST        0xaaae0  0x25f    LANG_ENGLISH SUBLANG_ENGLISH_US       ASCII text, with very long lines, with no line terminators

Sections
================================================================================
Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
.text      0x1000       0x223ba      0x22400      6.595678    
.rdata     0x24000      0x74c2       0x7600       6.192410    
.data      0x2c000      0x6c820      0x6a800      7.991715    [SUSPICIOUS]
.rsrc      0x99000      0x11d40      0x11e00      7.296055    [SUSPICIOUS]
.reloc     0xab000      0x2256       0x2400       3.969295    

Suspicious Sections:
================================================================================
Sect. Name:	.data   
MD5   hash:	0730bc4c6a281a053ccdd823c0632723
SHA-1 hash:	63dffee3b57966d82dcafeda81e365dc44d05b30
Sect. Name:	.rsrc   
MD5   hash:	c78dc0f5d991dea2cb6acfdc9b3c6b16
SHA-1 hash:	0420e99292f52bdc5f5771160371167b6630dd7e

Version info
================================================================================
LegalCopyright: \xa9 Microsoft Corporation. All rights reserved.
InternalName: TODO: <Internal name>
FileVersion: 6.1.7600
CompanyName: Microsoft Corporation
ProductName: Microsoft\xae Windows\xae Operating System
ProductVersion: 6.1.7600
FileDescription: Windows Features
OriginalFilename: 
Translation: 0x0409 0x04b0

File and URL:
================================================================================
FILE:		KERNEL32.dll
FILE:		USER32.dll
FILE:		ADVAPI32.dll
FILE:		SHELL32.dll
FILE:		SHLWAPI.dll
URL:		http://schemas.microsoft.com/SMI/2005/WindowsSettings

Suspicious API Functions:
================================================================================
Func. Name:	WriteFile
Func. Name:	CreateFileW
Func. Name:	GetTempPathW
Func. Name:	LockResource
Func. Name:	DeleteFileW
Func. Name:	GetModuleFileNameW
Func. Name:	CreateDirectoryW
Func. Name:	LoadLibraryW
Func. Name:	GetProcAddress
Func. Name:	GetCommandLineW
Func. Name:	Sleep
Func. Name:	FindResourceW
Func. Name:	FindResourceExW
Func. Name:	GetTempFileNameW
Func. Name:	GetComputerNameA
Func. Name:	CreateToolhelp32Snapshot
Func. Name:	Process32NextW
Func. Name:	Process32FirstW
Func. Name:	CreateFileA
Func. Name:	GetModuleHandleW
Func. Name:	GetStartupInfoW
Func. Name:	GetTickCount
Func. Name:	UnhandledExceptionFilter
Func. Name:	IsDebuggerPresent
Func. Name:	TerminateProcess
Func. Name:	RegCreateKeyExW
Func. Name:	GetUserNameA
Func. Name:	RegOpenKeyExA
Func. Name:	RegCloseKey
Func. Name:	RegOpenKeyExW

Suspicious API Anti-Debug:
================================================================================
Anti Debug:	Process32NextW
Anti Debug:	Process32FirstW
Anti Debug:	UnhandledExceptionFilter
Anti Debug:	IsDebuggerPresent
Anti Debug:	TerminateProcess

Suspicious API Anti-VM (manually added):
================================================================================
explorer.exe: thread delay: -1800 ;; make sure you have more than 3 minutes to run this to get the good result then :-))
Registry queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
0x40204E mov eax, 564D5868h ; "hXMV" (ascii)