Analysis Report

MAR-10201537 – HIDDEN COBRA FASTCash-Related Malware

Last Revised
Alert Code
AR18-275A

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary

Description

This report is an update to NCCIC report MAR-10201537.r1.v1, published Nov 8, 2018, and contains additional information related to two XCOFF executables identified in the original report as non-malicious:

SHA256: 10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba
SHA256: ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c

Further analysis indicates these files are malicious. Once injected into the memory space of legitimate processes, these applications have the ability to modify ISO 8583 transaction data (ISO 8583 is an international messaging protocol used for exchanging ATM card transaction requests and responses), resulting in fraudulent ATM withdrawals.

Analysis of the remaining artifacts has not been modified, and includes the following:

   -Three (3) additional XCOFF executable files, one of which may have been used to inject the malware described above into the memory space of a targeted server.
   -One (1) ASCII log file, possibly created by the use of the XCOFF injector (b3efec…).
   -Two (2) versions of a Themida-packed proxy service module, both Windows executables: one 32-bit and one 64-bit. This malware has the ability to modify local firewall settings and listen for incoming traffic.
   -One (1) Remote Access Trojan (RAT), with the ability to modify firewall settings, accept remote commands, install proxy services, install and run additional malware payloads, and exfiltrate data.
   -One (1) 64-bit installer application; the payload associated with this installer was not available for analysis.

For a downloadable copy of IOCs, see:

MAR-10201537

Files (12)

10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba (Lost_File.so)

1f2cd2bc23556fb84a51467fedb89cbde7a5883f49e3cfd75a241a6f08a42d6d (Unpacked_dump_4a740227eeb82c20...)

3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c (Lost_File1_so_file)

4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756 (4f67f3e4a7509af1b2b1c6180a03b3...)

820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6 (5cfa1c2cb430bec721063e3e2d144f...)

9ddacbcd0700dc4b9babcd09ac1cebe23a0035099cb612e6c85ff4dffd087a26 (Unpacked_dump_820ca1903a305162...)

a9bc09a17d55fc790568ac864e3885434a43c33834551e027adb1896a463aafc (8efaabb7b1700686efedadb7949eba...)

ab88f12f0a30b4601dc26dbae57646efb77d5c6382fb25522c529437e5428629 (d0a8e0b685c2ea775a74389973fc92...)

ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c (2.so)

d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee (Injection_API_executable_e)

e03dc5f1447f243cf1f305c58d95000ef4e7dbcc5c4e91154daa5acd83fea9a8 (Injection_API_log_generating_s...)

f3e521996c85c0cdb2bfb3a0fd91eb03e25ba6feef2ba3a1da844f1b17278dd2 (inject_api)

IPs (1)

75.99.63.27

Findings

820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6

Tags

backdoor, proxy, trojan

Details
Name 5cfa1c2cb430bec721063e3e2d144feb
Size 1643616 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 5cfa1c2cb430bec721063e3e2d144feb
SHA1 c1a9044f180dc7d0c87e256c4b9356463f2cb7c6
SHA256 820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6
SHA512 a65e615203269b657e55fe842eca0542a4cd3bac80d3039d85dfb5fbbfdb5768bbabe2fc86f213fb1a759124a82780a1cfbb9fd8457f4923cefad73e9db6f6a4
ssdeep 24576:LTxUZWB9BdhYaqJ+LkDWo+eIgV10M/w6weSx4y4Golx+Q/K:LVUZWTjoSkz+eIg/z/YxFasgK
Entropy 7.957226
Antivirus
Ahnlab Trojan/Win32.Agent
Antiy Trojan/Win32.BTSGeneric
Avira BDS/RMS.ejnsf
BitDefender Trojan.GenericKD.30382654
Cyren W32/Trojan.KBJG-8883
ESET a variant of Win32/Packed.Themida.AOO trojan
Emsisoft Trojan.GenericKD.30382654 (B)
Ikarus Trojan.Win32.Themida
McAfee Trojan-FPWN!5CFA1C2CB430
Microsoft Security Essentials Trojan:Win32/Cobfast
NANOAV Trojan.Win32.RMS.ewarws
NetGate Trojan.Win32.Malware
Sophos Troj/Agent-AZWN
Symantec Trojan.Gen.2
TrendMicro TrojanS.91189A95
TrendMicro House Call TrojanS.91189A95
VirusBlokAda Backdoor.RMS
Zillya! Backdoor.Agent.Win64.370
Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-08-14 13:14:04-04:00
Import Hash baa93d47220682c04d92f7797d9224ce
PE Sections
MD5 Name Raw Size Entropy
23041caef38d4991296ffbe42743c691 header 4096 0.825738
da701d0e0ab6bfbddd747feebed96546   156672 7.983417
d41d8cd98f00b204e9800998ecf8427e .rsrc 0 0.000000
efcb51d4d8a55d441d194e80899bb2b0 .idata 512 1.308723
231617ad2dc2a0c3f2d8e3241c57626f   512 0.240445
92a0680fea369ae11f900c1a92e5499c gvxlrmcr 1474048 7.954645
cf68e5165e3b89c0ece9b4905abf861a eolnwoiw 512 3.342017
Process List
Process PID PPID
820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6.exe 2104 (2084)
lsass.exe 468 (384)
Description

This application is a Themida-packed 32-bit Windows executable. This application is designed to unpack and execute a service proxy module in memory (5c0a4f9e67ced69eaea17092444b2c1a). Analysis indicates that this proxy module is designed to accept command-line parameters to perform its functions. The module is designed to modify the Windows Firewall on the victim’s machine to allow for incoming connections and to force the compromised system to function as a proxy server. The proxy module uses the following command to open the Windows Firewall port on the victim’s machine in order to allow for incoming connections:

--Begin firewall modification--
"netsh firewall add portopening TCP <port> RPCServer"
--End firewall modification--

The malware is designed to listen on the open port for incoming traffic. The traffic may contain instructions to perform any of the following functions:

   -Retrieve information about the logon sessions, drives installed, and operating system
   -Search for files
   -Execute process
   -Terminate processes
   -Delete files
   -Execute command
   -Download and upload files
   -Read files and write files
   -Compress and decompress files

This malware uses the multi-protocol file transfer library "libcurl 7.49.1" for transferring data with a URL syntax. It supports the following network protocols:

   -POP3
   -SMTP
   -IMAP
   -LDAP
   -DICT
   -FTP
   -HTTP
   -HTTPS

9ddacbcd0700dc4b9babcd09ac1cebe23a0035099cb612e6c85ff4dffd087a26

Tags

trojan

Details
Name Unpacked_dump_820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6.exe
Size 4247040 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 5c0a4f9e67ced69eaea17092444b2c1a
SHA1 8462cb955a6c459036a3e27d59b1b8b6cc9acfd5
SHA256 9ddacbcd0700dc4b9babcd09ac1cebe23a0035099cb612e6c85ff4dffd087a26
SHA512 3a0f668d5ae4998ad6555adccbfcf837eabee2dcb2e36a3c9cad8efe0996a5a7ba238041b8f31b1e2feb36165daac0c6b5fe70e4df5339dce0aa0d031d455dec
ssdeep 98304:mv9KZUELYbD09b2WBFs6BEroKso7aO7/Qs7K:mwZHs6BaoE71MEK
Entropy 6.823899
Antivirus
Ahnlab Trojan/Win32.Agent
Antiy Trojan/Win32.Casdet
Avira TR/Casdet.kgzto
BitDefender Gen:Trojan.Heur.PT.@BW@bq9rd7j
Cyren W32/Trojan.JVPW-7331
Emsisoft Gen:Trojan.Heur.PT.@BW@bq9rd7j (B)
Ikarus Trojan.Win32.Casdet
K7 Riskware ( 0040eff71 )
McAfee Trojan-Themida
Microsoft Security Essentials Trojan:Win32/Cobfast
NANOAV Trojan.Win32.PT.fjoljg
Quick Heal Trojan.IGENERIC
Sophos Troj/Agent-AZXJ
Symantec Trojan Horse
TrendMicro Backdoo.9B86B81E
TrendMicro House Call Backdoo.9B86B81E
VirusBlokAda Trojan.Agentb
Zillya! Trojan.Agentb.Win32.20050
Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-08-14 13:14:04-04:00
Import Hash baa93d47220682c04d92f7797d9224ce
PE Sections
MD5 Name Raw Size Entropy
22f49b12cb818728d293ae43082d8949 header 1024 2.661805
01c0e5316c7bba2ebdc00754a1d83f2a   311296 6.307203
d41d8cd98f00b204e9800998ecf8427e .rsrc 0 0.000000
5e501430acba545b719c0887357226dd .idata 1024 0.778128
37fabfab797e631603a696b7ac2296d7   2459136 5.741823
c10780e19363abda168c5861ce481635 gvxlrmcr 1474048 7.954349
671f4fb0c657d89c924064db6be0442e eolnwoiw 512 3.326839
Description

This file is the unpacked version of 820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6. Strings of interest were recovered from this unpacked proxy module.

4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756

Tags

backdoor, proxy, trojan

Details
Name 4f67f3e4a7509af1b2b1c6180a03b3e4
Size 2206296 bytes
Type PE32+ executable (console) x86-64, for MS Windows
MD5 4f67f3e4a7509af1b2b1c6180a03b3e4
SHA1 1c9a437ed876a0ce0e5374bd93acdfd9e9023f1f
SHA256 4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756
SHA512 aa310ce7bb649c7bac9295ec0e68c15d595a2bea79c4d0fb22cd13779deee02a04df2824f5583a8cc5f249659474feeb5f647b0a875fe2bc663d8e4c34275316
ssdeep 49152:9ywn1c6Q+lkOpdHyjyDMXSfRndy7vdaCYzQ7cxTEhr2nvoBPVis8M:Ja6HtHk+nojUT6r2nvoB/
Entropy 7.956937
Antivirus
Ahnlab Trojan/Win64.Agent
Antiy Trojan/Win64.NukeSped
BitDefender Trojan.Generic.22876704
Cyren W64/Trojan.LTPJ-3011
ESET Win64/NukeSped.AA trojan
Emsisoft Trojan.Generic.22876704 (B)
Ikarus Trojan.Win64.Nukesped
McAfee Trojan-FPWN!4F67F3E4A750
Microsoft Security Essentials Trojan:Win64/NukeSped
NANOAV Trojan.Win64.RMS.facjgp
NetGate Malware.Generic
Quick Heal Trojan.IGENERIC
Sophos Troj/NukeSped-H
Symantec Trojan.Gen.2
TrendMicro Trojan.C9DEC062
TrendMicro House Call Trojan.C9DEC062
Vir.IT eXplorer Backdoor.Win32.RMS.EN
VirusBlokAda Trojan.Win64.Agent
Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-08-14 13:14:12-04:00
Import Hash baa93d47220682c04d92f7797d9224ce
PE Sections
MD5 Name Raw Size Entropy
4bd1bcb9809fedb1d4f556b695fb95a6 header 4096 0.868689
32f3f5b6711f8cb1c9655b615701f50d   184832 7.922033
d41d8cd98f00b204e9800998ecf8427e .rsrc 0 0.000000
74c1d1ec299d8a058f22b61277ceea66 .idata 512 1.297004
f4facb792a8404ec46a8119da73d6ec4   512 0.231158
075fa8edf884d5a43ba9a96c4b20de25 twvngiow 1994240 7.960560
a1785d4faeedfebd99e0cc737f38f551 pavwhbmc 512 4.473835
5af578a4785cc0683866fa19e262eb4d .pdataI 14336 5.546603
Process List
Process PID PPID
lsass.exe 468 (384)
4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756.exe 2120 (2152)
Description

This application is a Themida-packed 64-bit Windows executable. This application is designed to unpack and execute a service proxy module in memory (02959903cd988443e5ef519d556b34b0). Analysis indicates that this proxy module is designed to accept command-line parameters to perform its functions. The module is designed to modify the Windows Firewall on the victim’s machine to allow for incoming connections and to force the compromised system to function as a proxy server. The proxy module uses the following command to open the Windows Firewall port on the victim’s machine in order to allow for incoming connections:

--Begin firewall modification--
"netsh firewall add portopening TCP <port> RPCServer"
--End firewall modification--

The malware is designed to listen on the open port for incoming traffic. The traffic may contain instructions to perform any of the following functions:

   -Retrieve information about the logon sessions, drives installed, and operating system
   -Search for files
   -Execute process
   -Terminate processes
   -Delete files
   -Execute command
   -Download and upload files
   -Read files and write files
   -Compress and decompress files

This malware uses the multi-protocol file transfer library "libcurl 7.49.1" for transferring data with a URL syntax. It supports the following network protocols:

   -POP3
   -SMTP
   -IMAP
   -LDAP
   -DICT
   -FTP
   -HTTP
   -HTTPS

1f2cd2bc23556fb84a51467fedb89cbde7a5883f49e3cfd75a241a6f08a42d6d

Tags

trojan

Details
Name Unpacked_dump_4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756.exe
Size 5889536 bytes
Type PE32+ executable (console) x86-64, for MS Windows
MD5 02959903cd988443e5ef519d556b34b0
SHA1 18e346aa6ee6d3faeae21474f33f5a4601a99213
SHA256 1f2cd2bc23556fb84a51467fedb89cbde7a5883f49e3cfd75a241a6f08a42d6d
SHA512 cc20d9105f0f91c443a6b6c156bfccde81a1b7fa7a9267c156b9129dece9ddeba706d9d1c49da47d54387ade63e1fe2ecc79743f51de1cf92ee23603dba71761
ssdeep 98304:s0Mu3F1FKHTTEB/oVHhOEVHtHk+nojUT6r2nvoB:sQ/F0TQ/oVBOEjHk+aUTXoB
Entropy 6.820153
Antivirus
Ahnlab Trojan/Win64.Agent
Antiy Trojan/Win64.NukeSped
Avira TR/NukeSped.hpdmh
BitDefender Trojan.GenericKD.31269196
Cyren W64/Trojan.KXMA-8070
ESET a variant of Win64/NukeSped.AS trojan
Emsisoft Trojan.GenericKD.31269196 (B)
Ikarus Trojan.Win64.Nukesped
K7 Trojan ( 0053e7091 )
McAfee Trojan-NukeSped
Microsoft Security Essentials Trojan:Win64/NukeSped
Quick Heal Trojan.IGENERIC
Sophos Troj/Casdet-A
Symantec Trojan Horse
TACHYON Trojan/W64.Agent.5889536
TrendMicro Backdoo.9E21C9BF
TrendMicro House Call Backdoo.9E21C9BF
VirusBlokAda Trojan.Win64.Agent
Zillya! Trojan.NukeSped.Win64.25
Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-08-14 13:14:12-04:00
Import Hash baa93d47220682c04d92f7797d9224ce
PE Sections
MD5 Name Raw Size Entropy
a425d258e0ddf17fe412040b81d41aac header 1024 2.802251
9cfb80616de943facef57fabbece780a   374784 6.195005
d41d8cd98f00b204e9800998ecf8427e .rsrc 0 0.000000
55e1897e20dbef5db7b4a718fd539ef7 .idata 1024 0.797549
83734ab1f8e17720271dc4b429ea0f6c   3503616 5.733920
18f194fd3ae2455d8e26aad2e0dd6685 twvngiow 1994240 7.960332
5fa71bdf383d16a6b25955bff53efb90 pavwhbmc 512 4.459428
5af578a4785cc0683866fa19e262eb4d .pdataI 14336 5.546603
Description

This file is the unpacked version of 4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756. Strings of interest were recovered from this unpacked proxy module.

ab88f12f0a30b4601dc26dbae57646efb77d5c6382fb25522c529437e5428629

Tags

remote-access-trojan, trojan

Details
Name d0a8e0b685c2ea775a74389973fc92ca
Size 122880 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d0a8e0b685c2ea775a74389973fc92ca
SHA1 c752ad74cb99a836eec4b984dab03cb7e99eb974
SHA256 ab88f12f0a30b4601dc26dbae57646efb77d5c6382fb25522c529437e5428629
SHA512 6ec195aa1ec3226252f4959c0abbe0db06645e5b3dea8351d2da8dfb87cce71ce1424159e325fa6a77bf2fe4f0a3181e1ed23f4eb17db6bdc119e4fec7273416
ssdeep 3072:pNwZ4j/a2NlHbAoTL4592kHhEBZTWTBfg09ruXlN:pNwZ4zaibAoTL45oMEPWTBp9ruXl
Entropy 6.098281
Antivirus
Ahnlab Trojan/Win32.Alreay
Antiy Trojan[Banker]/Win32.Alreay
BitDefender Gen:Variant.Graftor.364318
Cyren W32/Heuristic-KPP!Eldorado
ESET a variant of Win32/NukeSped.CK trojan
Emsisoft Gen:Variant.Graftor.364318 (B)
Ikarus Trojan.Win32.NukeSped
K7 Riskware ( 0040eff71 )
McAfee Generic Trojan.aa
Microsoft Security Essentials Trojan:Win32/NukeSped
NANOAV Trojan.Win32.Alreay.fipyuo
NetGate Trojan.Win32.Malware
Quick Heal Trojan.IGENERIC
Sophos Troj/Agent-AZXI
Symantec Trojan.Gen
TACHYON Trojan.Generic.18331628
TrendMicro Trojan.3BCCD691
TrendMicro House Call Trojan.3BCCD691
VirusBlokAda TrojanBanker.Alreay
Zillya! Trojan.Agent.Win32.722146
Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2016-03-19 14:03:05-04:00
Import Hash 4215312bc485628dca703e26b9c891d0
Company Name None
File Description Resource cache builder tool
Internal Name mcbuilder.exe
Legal Copyright ⓒ Microsoft Corporation. All rights reserved.
Original Filename None
Product Name Microsoft® Windows® Operating System
Product Version 6.2.9200.16384
PE Sections
MD5 Name Raw Size Entropy
e31fd661c75ca688e967a8cb3acaf667 header 4096 0.719150
ee501cdb0da38b6674f2156044a7c4fa .text 81920 6.357905
01772205e022a2ffd1809a471bd44333 .rdata 20480 6.533817
6292ff91b59460d11cb00c8553b79b2d .data 12288 3.569966
c8d0ecf5c22d5806a5af87953844408c .rsrc 4096 1.146235
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Process List
Process PID PPID
lsass.exe 468 (384)
ab88f12f0a30b4601dc26dbae57646efb77d5c6382fb25522c529437e5428629.exe 2344 (2104)
Relationships
ab88f12f0a... Contains 75.99.63.27
Description

This application is a 32-bit Windows executable. This application is designed to execute as a service named "helpsvcs." The application utilizes the Rivest Cipher 4 (RC4) encryption algorithm to encrypt configuration data and stores four bytes of data (a unique identifier), the RC4 key, and the encrypted configuration data in the following registry locations:

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\Security"
ValueName = "Data1"
ValueData = "Encrypted configuration data"

hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\PVS\Security"
ValueName = "Data1"
ValueData = "Encrypted configuration data"
--End registry key--

Displayed below is the RC4 key for encrypting and decrypting the configuration data:

--Begin RC4 key--
11 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00
--End RC4 key--

Displayed below is the hard-coded configuration data, which contains command and control (C2) information:

--Begin hard-coded configuration data--
FF 04 00 02 00 00 00 04 FF 08 00 00 4B 63 3F 1B     ===> 75.99.63.27
00 00 00 00 FF 02 00 01 BB 01 FF 04 00 04 00 00     ===> port 443
00 00 FF 04 00 03 3C 00 00 00 FF 04 00 05 00 00
00 00 FF 04 00 08 01 00 00 00 FF 04 00 06 00 00
00 00 FF 00 00 09 00 FF 00 00 0A 00 FF 00 00 0B
00 FF 00 00 0C 00 FF 00 00 0D 00 FF 00 00 0E 00
FF 04 00 07 00 00 00 00 FD
--End hard-coded configuration data--

Displayed below is the data stored in the registry, including the four-byte data (unique identifier), the RC4 key, and the encrypted configuration data:

--Begin configuration data--
10 00 20 00                                         ===> four bytes of data (unique identifier)
11 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ===> RC4 key
FF 04 00 02 00 00 00 04 FF 08 00 00 4B 63 3F 1B     ===> configuration
00 00 00 00 FF 02 00 01 BB 01 FF 04 00 04 00 00
00 00 FF 04 00 03 3C 00 00 00 FF 04 00 05 00 00
00 00 FF 04 00 08 01 00 00 00 FF 04 00 06 00 00
00 00 FF 00 00 09 00 FF 00 00 0A 00 FF 00 00 0B
00 FF 00 00 0C 00 FF 00 00 0D 00 FF 00 00 0E 00
FF 04 00 07 00 00 00 00 FD
--End configuration data--

The malware is designed to encrypt a payload from the remote operator using the following hard-coded RC4 key:

--Begin hard-coded RC4 key--
53 87 F2 11 30 3D B5 52 AD C8 28 09 E0 52 60 D0 6C C5 68 E2 70 77 3C 8F 12 C0 7B 13 D7 B3 9F 7C
--End hard-coded RC4 key--

The encrypted payload is installed into the following registry key:

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\Security"
ValueName = "Data0"
ValueData = "Encrypted payload"
--End registry key--

The malware uses the following command to open the Windows Firewall port on the victim’s machine in order to allow incoming connections:

--Begin firewall modification--
"netsh firewall add portopening TCP 443 "Windows Firewall Remote Management""
--End firewall modification--

The malware binds and listens on port 443 for incoming connections from a remote operator. No outbound connection was observed during analysis. Static analysis indicates that the malware is capable of providing remote command and control capabilities, including the ability to exfiltrate data, install and run secondary payloads, and provide proxy services on a compromised system.

The malware utilizes the RC4 encryption algorithm to encrypt/decrypt a portion of its communications data to and from the remote operator. The following is a list of the types of data exfiltrated by the malware, including the victim's system information and the malware's own data:

   - network adapter information
   - computer name
   - username
   - system's Internet Protocol (IP) address
   - hard-coded value (00 00 00 04h)
   - current directory of the malware
   - %Current directory%\malware.exe
   - hard-coded value (01h)
   - hard-coded value "PVS"
   - the victim's operating system information
   - installed drives information
   - the current system time

Displayed below are additional functions the malware performs based on specified commands from the remote operator:

   -Retrieve information about drives installed
   -Search for files
   -Execute processes
   -Terminate processes
   -Delete files
   -Execute commands
   -Download and upload files
   -Read files and write files
   -Compress and uncompress files
   -Change the listening port for Remote Desktop via registry modification
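A decoder for the configuration block and "Data1" registry layout described above, written as an added example (it is not code from the report or from the malware). It assumes the record framing I read from the annotated dump (FF, a 16-bit little-endian length, a one-byte field id, the value; FD terminates; stray padding between records is skipped) and that field 0 holds the C2 IPv4 address and field 1 the little-endian port, as the report's annotations on those bytes indicate; the encrypted registry value is constructed by RC4-encrypting the hard-coded configuration with the documented key, since the report lists only the plaintext.

```python
"""Added example: decode the RAT configuration block documented in this report.

Assumed framing (my reading of the annotated dump, not stated by the report):
  FF <len: u16 little-endian> <id: u8> <value[len]> ... FD
Field 0 = C2 IPv4 address, field 1 = little-endian port, per the report's
annotations; the other field ids are undocumented and are kept as raw bytes.
"""
from __future__ import annotations

import struct
from typing import NamedTuple

MARKER, END = 0xFF, 0xFD

# Hard-coded configuration bytes exactly as listed in the report.
CONFIG = bytes.fromhex(
    "FF 04 00 02 00 00 00 04 FF 08 00 00 4B 63 3F 1B"
    " 00 00 00 00 FF 02 00 01 BB 01 FF 04 00 04 00 00"
    " 00 00 FF 04 00 03 3C 00 00 00 FF 04 00 05 00 00"
    " 00 00 FF 04 00 08 01 00 00 00 FF 04 00 06 00 00"
    " 00 00 FF 00 00 09 00 FF 00 00 0A 00 FF 00 00 0B"
    " 00 FF 00 00 0C 00 FF 00 00 0D 00 FF 00 00 0E 00"
    " FF 04 00 07 00 00 00 00 FD"
)
# RC4 key and four-byte identifier stored next to the config in "Data1" (from the report).
CONFIG_RC4_KEY = bytes.fromhex("11 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00")
IDENTIFIER = bytes.fromhex("10 00 20 00")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


class Field(NamedTuple):
    field_id: int
    value: bytes


def parse_config(blob: bytes) -> list[Field]:
    """Walk FF-framed records until the FD terminator; skip padding between records."""
    fields: list[Field] = []
    pos = 0
    while pos < len(blob) and blob[pos] != END:
        if blob[pos] != MARKER:
            pos += 1  # stray 00 after each of the empty fields 09..0E in the sample
            continue
        if pos + 4 > len(blob):
            raise ValueError("truncated record header")
        length = struct.unpack_from("<H", blob, pos + 1)[0]
        field_id = blob[pos + 3]
        value = blob[pos + 4 : pos + 4 + length]
        if len(value) != length:
            raise ValueError(f"field {field_id:#04x} runs past the end of the data")
        fields.append(Field(field_id, value))
        pos += 4 + length
    if pos >= len(blob):
        raise ValueError("no FD terminator found")
    return fields


def c2_from_fields(fields: list[Field]) -> tuple[str, int]:
    """Field 0 holds the IPv4 address in its first four bytes, field 1 the LE port."""
    by_id = {f.field_id: f.value for f in fields}
    ip = ".".join(str(b) for b in by_id[0x00][:4])
    (port,) = struct.unpack("<H", by_id[0x01])
    return ip, port


def build_data1_value(config: bytes = CONFIG, key: bytes = CONFIG_RC4_KEY) -> bytes:
    """Constructed sample of the registry value: identifier, key, RC4(config)."""
    return IDENTIFIER + key + rc4(key, config)


def extract_c2(data1_value: bytes) -> tuple[str, int]:
    """Config-extractor path: read the embedded key, decrypt, parse, pull the C2."""
    key, ciphertext = data1_value[4:20], data1_value[20:]
    return c2_from_fields(parse_config(rc4(key, ciphertext)))


if __name__ == "__main__":
    for f in parse_config(CONFIG):
        print(f"field {f.field_id:#04x}: {f.value.hex(' ') or '<empty>'}")
    print("C2:", extract_c2(build_data1_value()))
```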

a9bc09a17d55fc790568ac864e3885434a43c33834551e027adb1896a463aafc

Tags

trojan

Details
Name 8efaabb7b1700686efedadb7949eba49
Size 105984 bytes
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 8efaabb7b1700686efedadb7949eba49
SHA1 7b17d63694eee51010bcad143bc72e355e17cb50
SHA256 a9bc09a17d55fc790568ac864e3885434a43c33834551e027adb1896a463aafc
SHA512 fce7a868b531f55b3f483dd66b3c029328ea18bf7586b00172e3c6735023631fa9091f4ac5d4d2f32da95045c18af7f433bbae1e989d68ae710beb676008512b
ssdeep 3072:jpaydDE0X8ShTP3SkwsX7Uo+fcqVFn+v4hbHxW:j0yx8eTP3SNC7UbUqVLx
Entropy 6.150963
Antivirus
Ahnlab Malware/Win64.Generic
Antiy Trojan/Win64.NukeSped
BitDefender Trojan.GenericKD.30902108
Cyren W64/Trojan.PRVF-4031
ESET Win64/NukeSped.AK trojan
Emsisoft Trojan.GenericKD.30902108 (B)
Ikarus Trojan.Win64.Nukesped
K7 Trojan ( 0052a98d1 )
McAfee Generic Trojan.aa
Microsoft Security Essentials Trojan:Win64/Cobfast
Quick Heal Trojan.IGENERIC
Sophos Troj/Agent-AZWM
Symantec Trojan.Gen.2
TrendMicro Trojan.C9DEC062
TrendMicro House Call Trojan.C9DEC062
VirusBlokAda Trojan.Win64.Agent
Zillya! Trojan.GenericKD.Win64.495
Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2015-01-07 21:49:56-05:00
Import Hash f124895b94c3b1ec5baf7f21dc62122a
Company Name Microsoft Corporation
File Description Microsoft Neutral Natural Language Server Data and Code
Internal Name NlsLexicons0002
Legal Copyright © Microsoft Corporation. All rights reserved.
Original Filename NlsLexicons0002.dll
Product Name Microsoft® Windows® Operating System
Product Version 6.1.7600.16385
PE Sections
MD5 Name Raw Size Entropy
7db95ed8565bbdbfc5ed4c5e80c68a4f header 1024 2.598472
387bb23a8901baa300e42ce92310530e .text 71680 6.521050
f0411cd79ef1b71082f0817fe17fe1e6 .rdata 18432 4.690004
25afe34ab1b36cc1ee118c9165f8619c .data 7680 3.582928
1bb7ba760f7f7cba0addd4a273b464f6 .pdata 4096 4.606565
922af695fe14a7f70f8e068dcadc0584 .rsrc 1536 4.074927
729c12997f9639810666bb171ea9241d .reloc 1536 2.990709
Process List
Process PID PPID
lsass.exe 468 (384)
rundll32.exe 2204 (1172)
Description

This application is a malicious 64-bit Windows Dynamic Link Library (DLL), designed to run as a Windows service under "svchost.exe." When executed, it searches for, loads, and attempts to RC4-decrypt a payload into memory from the following registry values:

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\Security"
ValueName = "Data0"

hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\Security"
ValueName = "Data2"
--End registry key--

The binary that installs the encrypted payload in the registry was not available for analysis.

75.99.63.27

Ports
  • 443 TCP
Whois

Domain Name: optonline.net
Registry Domain ID: 4531660_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2016-06-08T16:38:21Z
Creation Date: 1996-10-07T04:00:00Z
Registrar Registration Expiration Date: 2018-10-06T04:00:00Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registrant Organization: Cablevision Systems Corporation
Registrant State/Province: New York
Registrant Country: US
Name Server: AUTHNS1.CV.NET
Name Server: AUTHNS1.CVNET.COM
DNSSEC: signedDelegation
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-05-22T21:00:00Z <<<

Relationships
75.99.63.27 Contained_Within ab88f12f0a30b4601dc26dbae57646efb77d5c6382fb25522c529437e5428629

d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee

Tags

trojan

Details
Name Injection_API_executable_e
Size 89088 bytes
Type 64-bit XCOFF executable or object module
MD5 b3efec620885e6cf5b60f72e66d908a9
SHA1 274b0bccb1bfc2731d86782de7babdeece379cf4
SHA256 d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee
SHA512 a36dab1a1bc194b8acc220b23a6e36438d43fc7ac06840daa3d010fddcd9c3168a6bf314ee13b58163967ab97a91224bfc6ba482466a9515de537d5d1fa6c5f9
ssdeep 1536:CnM87WOrh1EEshNunXJzZst56iYTKg+T8v6paBLc0s7G8Y+s0nrTqG0s0nrTqB:CpW2h1mhpaBqTrverE
Entropy 5.052439
Antivirus
Antiy Trojan[inject]/Unix.FASTCash
Cyren Trojan.LKIM-2
Ikarus Trojan.Unix.FastCash
McAfee Trojan-FastCash
Microsoft Security Essentials Trojan:Unix/FastCash.A!dha
Symantec Trojan.Fastcash
TrendMicro Trojan.0A2906AC
TrendMicro House Call Trojan.0A2906AC
VirusBlokAda Trojan.Fastcash
Yara Rules

No matches found.

ssdeep Matches

No matches found.

Process List
Process PID PPID
lsass.exe 496 (384)
cmd.exe 2976 (2944)
rundll32.exe 2456 (2976)
AcroRd32.exe 2916 (2456)
Relationships
d465637518... Related_To e03dc5f1447f243cf1f305c58d95000ef4e7dbcc5c4e91154daa5acd83fea9a8
Description

This file is an AIX (Advanced Interactive Executive) executable, intended for the proprietary UNIX operating system developed by IBM. This application is designed to inject a library into a currently running process. Figure 1 contains a screenshot of strings of interest. The strings indicate the application is a command-line utility enabling an operator to easily conduct code injection on an IBM AIX platform. Analysis indicates this application logs its usage to a log file (Figure 2).

Screenshots

Figure 1 - strings of interest (screenshot)

Figure 2 - usage log file (screenshot)

3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c

Tags

trojan

Details
Name Lost_File1_so_file
Size 114688 bytes
Type 64-bit XCOFF executable or object module
MD5 d790997dd950bb39229dc5bd3c2047ff
SHA1 7e6407c28c55475aa81853fac984267058627877
SHA256 3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c
SHA512 afdeec93ecb0f97cdf712e80597c3b8ec1e9cad58e1673f2f3ad7f096d49450759b1621dc533b7cdeb62ee5970233bfa820b72cc4b33b919afd49d84823feae9
ssdeep 1536:lJhosJHev1QFf+Z/2kREPItM9arn4nwF8uHit2Ofut:jhZJtf+Z/tJtMErn4/k62Iut
Entropy 4.803161
Antivirus
Antiy Trojan/Generic.Generic
Cyren Trojan.VJAQ-8
Ikarus Trojan.Unix.FastCash
McAfee Trojan-FastCash
Microsoft Security Essentials Trojan:Unix/FastCash.B!dha
Symantec Trojan.Fastcash
TrendMicro Trojan.0A2906AC
TrendMicro House Call Trojan.0A2906AC
VirusBlokAda Trojan.Fastcash
Yara Rules

No matches found.

ssdeep Matches

No matches found.

Process List
Process PID PPID
lsass.exe 496 (384)
cmd.exe 2136 (3040)
rundll32.exe 2728 (2136)
AcroRd32.exe 2900 (2728)
Description

This file is an AIX executable, intended for the proprietary UNIX operating system developed by IBM. This file is a library designed to provide exported functions that allow an application to perform transactions on financial systems using the ISO 8583 standard. A list of the ISO 8583 functions is displayed in Figure 3 and Figure 4.

Screenshots

Figure 3 - ISO 8583 functions (screenshot)