Mi17 Technical issues - Phonesack Grp.exe (Mi-17 is a Russian helicopter model)
Chi tiet don khieu nai gui saigontel.exe (translated from Vietnamese: "details of the claim sent to Saigontel"; Saigontel is a Vietnamese telecommunications company)
Updated AF MOD contract - Jan 2018.exe
remove_pw_Reschedule of CISD Regular Meeting.exe
Sorchornor_with_PM_-_Sep_2017.exe
20170905-Evaluation Table.xls.exe
CV_LeHoangThing.doc.exe (fake resumes were also found in Canada)
RobototFontUpdate.exe. It probably spread through compromised sites, but we do not have sufficient evidence of this.
RobototFontUpdate.exe and show how it manages to execute the malicious payload on the system.
Roboto Slab regular TrueType. The font selection seems a bit strange, as it does not support many East Asian languages.
(SHA1: 912895e6bb9e05af3a1e58a1da417e992a71a324) is written to the %temp% folder and is launched using the Win32 API function ShellExecute.
%temp%\[0-9].tmp.exe.
VirtualAlloc, RtlMoveMemory and RtlZeroMemory.
RtlZeroMemory. The RtlZeroMemory function is used to zero out fields in the PE header. An automatic memory dump cannot be relied on, because the MZ/PE headers are damaged.
DLLEntry.
{103004A5-829C-418E-ACE9-A7615D30E125}.dll
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; DeviceAssociationService; rastlsc.exe).
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.104a\DeviceAssociationService\; if not, it writes them to the %APPDATA%\Symantec\Symantec Endpoint Protection\12.1.671.4971.104a\DeviceAssociationService\ folder.
%APPDATA%\Symantec\Symantec Endpoint Protection\12.1.671.4971.104a\DeviceAssociationService\:
rastlsc.exe (SHA1: 2616da1697f7c764ee7fb558887a6a3279861fac, a copy of the legitimate Symantec Network Access Control application, dot1xtra.exe)
SyLog.bin (SHA1: 5689448b4b6260ec9c35f129df8b8f2622c66a45, encrypted backdoor)
rastls.dll (SHA1: 82e579bd49d69845133c9aa8585f8bd26736437b, malicious DLL that is loaded by rastlsc.exe)
%ProgramFiles% or %appdata%. We also observed:
\Symantec\CNG Key Isolation\
\Symantec\Connected User Experiences and Telemetry\
\Symantec\DevQuery Background Discovery Broker Tasks\
rastlsc.exe, executed using CreateProcessW.
{BB7BDEC9-B59D-492E-A4AF-4C7B1C9E646B}.dll), which executes rastlsc.exe with the krv parameter. We will discuss this in detail below.
rastlsc.exe file is reset and executed.
rastls.dll file, which in this case has malicious content.
mcoemcpy.exe from McAfee, which loads McUtil.dll. This technique was previously used by PlugX, which attracted the attention of Vietnam CERT (in Vietnamese).
{7032F494-0562-4422-9C39-14230E095C52}.dll, but we have seen other versions, for example {5248F13C-85F0-42DF-860D-1723EEAA4F90}.dll. All exported functions lead to the execution of the same function.
SyLog.bin file located in the same folder. Other versions tried to open the OUTLFLTR.DAT file. If the file exists, it is decrypted using AES in CBC mode with a hard-coded 256-bit key, and the decrypted data is then decompressed (LZMA compression).
McUtil.dll uses a different technique. At first glance, the main function does not do anything malicious, but in fact it replaces the .text section of the legitimate mcoemcpy.exe binary. It generates a shellcode whose task is to call a function that reads the encrypted second-stage shellcode from the mcscentr.adf file.
import os

def genRandom(n=64):
    # Stand-in for the sample's random buffer generator (assumed; the page does not show it)
    return bytearray(os.urandom(n))

x = False
i = 0
buff = genRandom()
opc1 = [0x58, 0x59, 0x5a, 0x5b]                          # pop eax/ecx/edx/ebx
opc2 = [0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57]  # push eax..edi
opc3 = [0x90, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
        0x49, 0x4a, 0x4b]                                # nop, inc eax..edi, dec eax..ebx
while i < len(buff):
    currentChar = buff[i]
    if currentChar < 0xc8:
        buff[i] = opc1[currentChar % len(opc1)]
    else:
        if x:
            buff[i] = opc2[currentChar % len(opc2)]
        else:
            buff[i] = opc3[currentChar % len(opc3)]
        x = x == False          # alternate between push and nop/inc/dec bytes
    i += 1
{E1E4CBED-5690-4749-819D-24FB660DF55F}.dll. The library loads resources and tries to start the DeviceAssociationService service. The decrypted data also contains a shellcode, which decodes the final stage: the backdoor.
{92BA1818-0119-4F79-874E-E3BF79C355B8}.dll checks whether rastlsc.exe was executed with krv as the first parameter. If so, the task is created and rastlsc.exe is executed again, but without this parameter.
{A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll
\HKCU\SOFTWARE\Classes\AppX[a-f0-9]{32}, nothing remarkable.
mutex_encoding_str in UTF-16 and encodes the result in hexadecimal. The result is used as the name of the mutex. For example, for a user whose name begins with abc and a key of the form vwx, the mutex will be \Sessions\1\BaseNamedObjects\170015001b.
HTTPProv.dll library into memory, calls its entry point, and then calls the CreateInstance export function.
25123. To obtain the IP address of the server, the backdoor first creates a specific DNS query.
domain_encoding_str = "ghijklmnop"
pc_name = "random-pc"                      # computer name; the example used below in the text
letters = domain_encoding_str
hex_pc_name = pc_name.encode("UTF-16LE").hex()   # Python 3; the original used .encode("hex")
s = ''
for c in hex_pc_name:
    if 0x2f < ord(c) < 0x3a:               # hex digits 0-9 are replaced by the letters g-p
        s += letters[ord(c) - 0x30]
    else:                                  # hex digits a-f are kept as they are
        s += c
random-pc and the version ID is 0x0a841523, then the following domain is generated:
niggmhggmeggmkggmfggmdggidggngggmjgg.ijhlokga.dwarduong[.]com
[ghijklmnopabcdef]{4,60}\.[ghijklmnopabcdef]{8}\.[a-z]+\.[a-z]+
25123. Each sample has three different domain names that are used to locate a C&C server.
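As an added example (not code from the original post), the query-name encoding above re-implemented in Python 3 together with its inverse, so an analyst can recover the hostname and version ID from a query name seen in DNS logs. The digit-to-letter table, hostname and version ID are the page's own example values; the little-endian byte order of the version ID is inferred from that example (0x0a841523 becomes ijhlokga).

```python
# Added example, not part of the original post.
import struct

DOMAIN_ENCODING_STR = "ghijklmnop"          # hex digit 0..9 -> g..p; a..f stay unchanged
DECODE_TABLE = {ch: str(i) for i, ch in enumerate(DOMAIN_ENCODING_STR)}


def encode_hex(hexstr: str) -> str:
    """Replace each decimal digit of a lowercase hex string with its letter."""
    return "".join(DOMAIN_ENCODING_STR[int(c)] if c.isdigit() else c
                   for c in hexstr)


def decode_label(label: str) -> str:
    """Inverse of encode_hex: letters g..p back to the digits 0..9."""
    return "".join(DECODE_TABLE.get(c, c) for c in label)


def build_query_name(pc_name: str, version_id: int, c2_domain: str) -> str:
    """<encoded UTF-16LE hostname>.<encoded version dword, little-endian>.<C&C domain>.
    Little-endian order for the version ID is an inference from the page's example."""
    host_label = encode_hex(pc_name.encode("utf-16-le").hex())
    ver_label = encode_hex(struct.pack("<I", version_id).hex())
    return f"{host_label}.{ver_label}.{c2_domain}"


def parse_query_name(name: str):
    """Recover (hostname, version_id, c2_domain) from an observed query name."""
    host_label, ver_label, c2_domain = name.split(".", 2)
    pc_name = bytes.fromhex(decode_label(host_label)).decode("utf-16-le")
    version_id = struct.unpack("<I", bytes.fromhex(decode_label(ver_label)))[0]
    return pc_name, version_id, c2_domain


if __name__ == "__main__":
    q = build_query_name("random-pc", 0x0a841523, "dwarduong[.]com")
    print(q)                       # the domain quoted in the text above
    print(parse_query_name(q))     # ('random-pc', 176297251, 'dwarduong[.]com')
```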
[ RC4 (4 )][ ]
rand function. After decrypting and unpacking a packet, the data has the following format:
[dw:][dw:][dw: ][dw: ][dw:] [dw:]
HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\DefaultIcon
HTTPprov. It is used as an alternative way to communicate with the server. The DLL sends POST requests over HTTP. It also supports HTTPS and the use of SOCKS5, SOCKS4a and SOCKS4 proxies. The library is statically linked with libcurl.
HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}.
Mozilla/4.0 ( ; MSIE 8.0; Windows NT 6.0; Trident/4.0).
buffEnd = ((DWORD)genRand(4) % 20) + 10 + buff;
while (buff < buffEnd) {
    b = genRand(16);
    if (b[0] - 0x50 > 0x50) {
        t = 0;                                  /* no leading vowel */
    } else {
        t = 1;
        *buff++ = UPPER(vowels[b[1] % 5]);      /* upper-case leading vowel */
    }
    v = consonants[b[1] % 21];
    if (!t)
        v = UPPER(v);                           /* consonant is capitalised instead */
    *buff++ = v;
    if (v != 'h' && b[2] - 0x50 < 0x50)
        *buff++ = 'h';
    *buff++ = vowels[b[4] % 5];
    if (b[5] < 0x60)
        *buff++ = vowels[b[6] % 5];
    *buff++ = consonants[b[7] % 21];
    if (b[8] < 0x50)
        *buff++ = vowels[b[9] % 5];
    *buff++ = '-';
}
*buff = '\0';
checksum = crc32(buff)
num2 = (checksum >> 16) + (checksum & 0xffff) * 2
num1 = (num2 ^ 1) & 0xf
URL = GENERATED_DOMAIN + "/" + num1 + "/" + num2 + "-" + buff
HTTPprov library URI generator, we get the following URL:
hXXp://niggmhggmeggmkggmfggmdggidggngggmjgg.ijhlokga.aisicoin[.]com/13/139756-Ses-Ufali-L
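As an added example (not code from the original post), the numeric path components from the pseudocode above carried through in Python (CRC32, then num2, then num1), plus a defender-side check that an observed URL path has the shape and the num1/num2 relation the generator produces. The regular expression for the generated string is my own approximation of the syllable generator; "13/139756-Ses-Ufali-L" is the path quoted in the text.

```python
# Added example, not part of the original post.
import re
import zlib

# num1 and num2 as decimal digits, then "-" and the generated letters-and-dashes string
# (an approximation of the syllable generator, not taken from the sample).
PATH_RE = re.compile(r"^(\d{1,2})/(\d{1,6})-([A-Za-z-]+)$")
NUM2_MAX = 0xffff + 2 * 0xffff      # largest value the num2 formula can yield


def path_numbers(generated: str):
    """(num1, num2) for a generated string, exactly as in the pseudocode."""
    checksum = zlib.crc32(generated.encode("ascii")) & 0xffffffff
    num2 = (checksum >> 16) + (checksum & 0xffff) * 2
    num1 = (num2 ^ 1) & 0xf
    return num1, num2


def build_path(generated: str) -> str:
    """<num1>/<num2>-<generated>, the part appended to the generated domain."""
    num1, num2 = path_numbers(generated)
    return f"{num1}/{num2}-{generated}"


def looks_like_httpprov_path(path: str, strict: bool = False) -> bool:
    """Shape check plus num1 == (num2 ^ 1) & 0xf and the num2 value range.
    With strict=True the CRC32 of the trailing string must also reproduce
    num2, which only holds when the URL carries the exact buffer that was
    hashed; the page's example is verified on the relation alone."""
    m = PATH_RE.match(path)
    if not m:
        return False
    num1, num2, generated = int(m.group(1)), int(m.group(2)), m.group(3)
    if num2 > NUM2_MAX or num1 != (num2 ^ 1) & 0xf:
        return False
    return not strict or path_numbers(generated)[1] == num2


if __name__ == "__main__":
    print(looks_like_httpprov_path("13/139756-Ses-Ufali-L"))   # True
    print(build_path("Ses-Ufali-L"))
```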
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion values: ProductName, CSDVersion, CurrentVersion, ReleaseId, CurrentBuildNumber, and the result of the IsWow64Process call (x86|x64)
GetVolumeInformationW: VolumeNameBuffer), VolumePathNames
SELECT SerialNumber FROM Win32_BaseBoard
GetLogicalDriveStringW
HTTPprov)
Source: https://habr.com/ru/post/421779/