4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f
Tags
remote-access-trojan, trojan
Details
Name | ilasvc.exe
Size | 1056768 bytes
Type | PE32+ executable (GUI) x86-64, for MS Windows
MD5 | 05d38bc82d362dd57190e3cb397f807d
SHA1 | 52b04d348adf7e42e7c7d6c2ec9aabbcaba07188
SHA256 | 4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f
SHA512 | d03894ad9ce7a5f0e58a5e6385926263507f2571e3cbe60fce1ed5463a77152a7779d8b494ee7a6ff4986de19c0a92cbcc8dae5697d69dc196c474723ee553ef
ssdeep | 24576:mStdBO8/kIH46+jHd3JURkxXH3rg9fNJa9y5xmDYzgLu8b7oCK:mST2+qXHbg91Ja9y5MOgL3K
Entropy | 7.599564
Antivirus
ESET | a variant of Win64/Injector.HA.gen trojan
IKARUS | Trojan.Win64.Injector
YARA Rules
rule CISA_10382580_03 : loader
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10382580"
        Date = "2022-05-02"
        Last_Modified = "20220602_1200"
        Actor = "n/a"
        Category = "Loader"
        Family = "n/a"
        Description = "Detects loader samples"
        MD5_1 = "3764a0f1762a294f662f3bf86bac776f"
        SHA256_1 = "f7f7b059b6a7dbd75b30b685b148025a0d4ceceab405e553ca28cacdeae43fab"
        MD5_2 = "21fa1a043460c14709ef425ce24da4fd"
        SHA256_2 = "66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16"
        MD5_3 = "e9c2b8bd1583baf3493824bf7b3ec51e"
        SHA256_3 = "7ea294d30903c0ab690bc02b64b20af0cfe66a168d4622e55dee4d6233783751"
        MD5_4 = "de0d57bdc10fee1e1e16e225788bb8de"
        SHA256_4 = "33b89b8915aaa59a3c9db23343e8c249b2db260b9b10e88593b6ff2fb5f71d2b"
        MD5_5 = "9b071311ecd1a72bfd715e34dbd1bd77"
        SHA256_5 = "3c2c835042a05f8d974d9b35b994bcf8d5a0ce19128ebb362804c2d0f3eb42c0"
        MD5_6 = "05d38bc82d362dd57190e3cb397f807d"
        SHA256_6 = "4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f"
    strings:
        $s0 = { B8 01 00 00 00 48 6B C0 00 C6 44 04 20 A8 B8 01 }
        $s1 = { 00 00 48 6B C0 01 C6 44 04 20 9A B8 01 00 00 }
        $s2 = { 48 6B C0 02 C6 44 04 20 93 B8 01 00 00 00 48 }
        $s3 = { C0 03 C6 44 04 20 9B B8 01 00 00 00 48 6B C0 }
    condition:
        all of them
}
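The four hex strings in CISA_10382580_03 are consecutive slices of one repeated x86-64 instruction triple: `mov eax,1` (B8 01 00 00 00), `imul rax,rax,<i>` (48 6B C0 <i>) and `mov byte ptr [rsp+rax+0x20],<b>` (C6 44 04 20 <b>), i.e. an unrolled sequence that writes one byte per index into a stack buffer. The rule pins the first four stores (bytes A8, 9A, 93, 9B at indices 0 to 3); the report does not say what that buffer decodes to. The script below is an added example, not part of the CISA report: it searches a buffer for the rule's strings, applies the `all of them` condition, and decodes the (index, byte) pairs from every store triple it finds. The sample bytes are constructed from the rule's own hex strings so it runs without the malware; the fifth store's value (0xFF) is a placeholder the rule does not constrain.

```python
"""
Added example (not from the CISA report): match the hex strings of rule
CISA_10382580_03 and decode the stack-store triples they fingerprint.

Each triple is:
    B8 01 00 00 00        mov  eax, 1
    48 6B C0 <i>          imul rax, rax, <i>          ; rax = i
    C6 44 04 20 <b>       mov  byte ptr [rsp+rax+0x20], <b>
"""
import re

# Hex strings exactly as written in rule CISA_10382580_03.
RULE_STRINGS = {
    "$s0": "B8 01 00 00 00 48 6B C0 00 C6 44 04 20 A8 B8 01",
    "$s1": "00 00 48 6B C0 01 C6 44 04 20 9A B8 01 00 00",
    "$s2": "48 6B C0 02 C6 44 04 20 93 B8 01 00 00 00 48",
    "$s3": "C0 03 C6 44 04 20 9B B8 01 00 00 00 48 6B C0",
}

# One complete store triple; group 1 = index byte, group 2 = stored byte.
STORE_TRIPLE = re.compile(
    rb"\xB8\x01\x00\x00\x00\x48\x6B\xC0(.)\xC6\x44\x04\x20(.)", re.DOTALL)


def hexstr_to_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


def match_rule(buf: bytes) -> dict:
    """Offset of the first occurrence of each rule string, -1 if absent."""
    return {name: buf.find(hexstr_to_bytes(h)) for name, h in RULE_STRINGS.items()}


def rule_fires(buf: bytes) -> bool:
    """The rule's condition: all of them."""
    return all(off >= 0 for off in match_rule(buf).values())


def extract_stack_bytes(buf: bytes) -> list:
    """(index, stored_byte) for every store triple in the buffer, in file order."""
    return [(m.group(1)[0], m.group(2)[0]) for m in STORE_TRIPLE.finditer(buf)]


def build_store_triple(index: int, value: int) -> bytes:
    """Assemble one triple (inverse of extract_stack_bytes); used to build SAMPLE."""
    return (b"\xB8\x01\x00\x00\x00"
            + b"\x48\x6B\xC0" + bytes([index])
            + b"\xC6\x44\x04\x20" + bytes([value]))


# Constructed sample, not the real file: 8 NOPs, five store triples, then a
# RET and INT3 padding.  A8 9A 93 9B come from the rule; 0xFF is a placeholder
# because $s3 only covers the opcode bytes of the fifth triple, not its value.
SAMPLE = (b"\x90" * 8
          + b"".join(build_store_triple(i, v)
                     for i, v in enumerate((0xA8, 0x9A, 0x93, 0x9B, 0xFF)))
          + b"\xC3" + b"\xCC" * 7)

if __name__ == "__main__":
    print("offsets:", match_rule(SAMPLE))
    print("rule fires:", rule_fires(SAMPLE))
    print("stack bytes:", [(i, hex(b)) for i, b in extract_stack_bytes(SAMPLE)])
```

`extract_stack_bytes` is the part worth keeping: run it over the real sample's `.text` section and it returns the full stack buffer the rule only samples four bytes of, which is the input you need before attempting to decode it.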
ssdeep Matches
No matches found.
PE Metadata
Compile Date | 2020-04-30 19:43:57-04:00
Import Hash | 99197f3296550481a848ea8d4e097487
Company Name | Sysinternals - www.sysinternals.com
File Description | Flush cached data to disk.
Internal Name | Sync
Legal Copyright | Copyright (C) 2016 Mark Russinovich
Original Filename | Sync.exe
Product Name | Sysinternals Sync
Product Version | 2.2
PE Sections
MD5 | Name | Raw Size | Entropy
a917582fc3e796bb1d43bfce05c0cfb3 | header | 1024 | 3.105665
5fbd29958a5484173910cb06dcfc4e9e | .text | 310784 | 6.453454
34b6e6a847957ef90ef9460e0f8dd3d0 | .rdata | 98304 | 5.168254
e32c1166142d325350f6e6443db43144 | .data | 3584 | 2.609738
ffc4ab2046acad015eba98898e975ad5 | .pdata | 18432 | 5.804487
502485fa11633b4eb9eaef15fcb482a5 | .rsrc | 622080 | 7.975998
69687e4a3ffbefbe782d13637ce8605a | .reloc | 2560 | 4.913641
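The section raw sizes above add up to exactly 1056768 bytes, the file size in the Details table, and the .rsrc section alone is 59% of the file at 7.976 bits per byte, close to the 8.0 of uniformly random data. That is consistent with the embedded encrypted executable described below living in the resource section, although the report does not state where the payload is stored. The script below is an added example, not part of the CISA report: it recomputes the hash set from the Details table, computes Shannon entropy the way the Entropy columns report it, and flags sections above a packed/encrypted threshold. The 7.5 threshold is an assumption common in triage tooling, not a value from the report; the buffers it runs on are constructed, so it works without the sample. Point `triage()` at a real file to compare it against the reported values.

```python
"""
Added example (not from the CISA report): verify a file against the hashes in
the Details table and rank PE sections by Shannon entropy.
"""
import hashlib
import math
from collections import Counter

# Copied from the Details table for ilasvc.exe.
EXPECTED = {
    "size": 1056768,
    "md5": "05d38bc82d362dd57190e3cb397f807d",
    "sha1": "52b04d348adf7e42e7c7d6c2ec9aabbcaba07188",
    "sha256": "4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f",
}

# (name, raw size, entropy) copied from the PE Sections table.
SECTIONS = [
    ("header", 1024, 3.105665),
    (".text", 310784, 6.453454),
    (".rdata", 98304, 5.168254),
    (".data", 3584, 2.609738),
    (".pdata", 18432, 5.804487),
    (".rsrc", 622080, 7.975998),
    (".reloc", 2560, 4.913641),
]

# Assumed triage threshold (not from the report): native x86-64 code usually
# lands around 6 to 6.5 bits/byte; 7.5 and above points at compressed or
# encrypted data.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def hashes(data: bytes) -> dict:
    """Same fields as EXPECTED so the two dicts can be compared directly."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data: bytes) -> bool:
    """True only if size and all three hashes equal the reported values."""
    return hashes(data) == EXPECTED


def suspicious_sections(sections, threshold=HIGH_ENTROPY):
    """Sections at or above threshold as (name, share of total raw size, entropy)."""
    total = sum(size for _, size, _ in sections)
    return [(name, round(size / total, 3), ent)
            for name, size, ent in sections if ent >= threshold]


def triage(path: str) -> dict:
    """Hash, compare against the report, and measure whole-file entropy."""
    with open(path, "rb") as f:
        data = f.read()
    return {"hashes": hashes(data),
            "matches_report": matches_report(data),
            "entropy": round(shannon_entropy(data), 6)}


if __name__ == "__main__":
    # Constructed buffers, not the sample: all zeros (entropy 0) and a cycle
    # through every byte value (entropy 8).
    print("zeros  :", shannon_entropy(b"\x00" * 4096))
    print("uniform:", shannon_entropy(bytes(range(256)) * 16))
    print("flagged:", suspicious_sections(SECTIONS))
```

Whole-file entropy (7.599564 in the Details table) is dominated by the large .rsrc section; the per-section view is what isolates where the high-entropy data sits, so compare sections rather than the file total when deciding where to look for an embedded payload.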
Relationships
4cd7efdb1a... | Connected_To | 151.106.30.120
Description
This malware is a 64-bit Windows loader that contains an embedded, encrypted malicious executable. At runtime the embedded executable is decrypted and loaded directly into memory; it is never written to disk. Note that the loader's version resource (see PE Metadata above) identifies it as Sysinternals Sync 2.2 with original filename Sync.exe, which matches neither the observed filename ilasvc.exe nor the behavior described here, so that metadata should not be taken as a sign of a legitimate binary. The decrypted executable is similar in functionality to the file 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16, described in report MAR-10382580.r1.v1. The malware embedded within this loader attempts to communicate with the hard-coded command and control (C2) Internet Protocol (IP) address 151[.]106[.]30[.]120. It provides a wide range of C2 capabilities, including keystroke logging, uploading and executing additional payloads, acting as a proxy, and graphical user interface (GUI) access to the target Windows system's desktop. Many of the structures that implement these C2 capabilities appear to derive from the same source code as 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16. However, this sample uses considerably more complex obfuscation to hinder analysis of its code structures, and a more complex encryption algorithm to protect its network communications.
The malware embedded within this binary protects its strings with a scheme based on a rotating XOR cipher (Figure 7). The strings were partially decrypted and are listed below with their approximate runtime memory addresses, assuming a base address of 0x260000.
--Begin Decoded Strings--
('0x264e32', 'RegQueryValueExl')
('0x264f58', 'RegQueryValueEx\\')
('0x265325', 'GetCurrentProcessId')
('0x265bc9', 'GetEnvironmentVariableW')
('0x265cc1', 'ShellExecuteExW')
('0x268b20', 'GetAdaptersInfo')
('0x268c49', 'GetAdaptersInfo')
('0x26a77c', 'EnumDependentServicesW')
('0x26a98b', 'EnumDependentServi')
('0x26abb9', 'ControlService')
('0x26ad5b', 'QueryServiceStatus')
('0x26af62', 'CloseServiceHandle')
('0x26c3ed', 'GetComputerNameW')
('0x277621', 'GetEnvironmentVariableW')
('0x27856f', 'GetLogicalDriveStringsW')
('0x2788e5', 'GetVolumeInformationW')
('0x278f87', 'FindFirstFileW')
('0x27a3f3', 'GetSystemDirectoryW')
('0x27bf04', 'SetFilePointerEx')
('0x27d125', 'RemoveDirectoryW')
('0x27daa7', 'FindFirstFileW')
('0x284074', 'GetClipboardData')
('0x2850d4', 'GetForegroundWindow')
('0x28513d', 'GetDesktopWindow')
('0x28b443', 'GetProcessHeap')
('0x28b533', 'CoInitializeEx')
('0x28b655', 'StartServiceCtrlDispatch')
('0x28cd63', 'GetModuleFileNameW')
('0x2636f3', 'UnkownError')
('0x2649f3', "Display''''")
('0x264ab0', 'RegOpenKeyExW')
('0x264af0', 'ADVAPI32.dll')
('0x264ca0', 'RegEnumKeyExW')
('0x264ce0', 'ADVAPI32.dll')
('0x264d80', 'RegOpenKeyExW')
('0x264dc0', 'ADVAPI32.dll')
('0x264e90', 'ADVAPI32.dll')
('0x264fb0', 'ADVAPI32.dll')
('0x265160', 'RegCloseKey')
('0x2651b0', 'ADVAPI32.dll')
('0x265390', 'KERNEL32.dll')
('0x265c30', 'KERNEL32.dll')
('0x265d20', 'SHELL32.dll')
('0x266950', 'GetVersionExW')
('0x266990', 'KERNEL32.dll')
('0x266b63', 'CurrentMajorVersionNum')
('0x266c33', 'CurrentMajorVersionNum')
('0x268b80', 'IPHLPAPI.dll')
('0x268c03', 'KERNEL32.dll')
('0x268ca0', 'IPHLPAPI.dll')
('0x26a710', 'GetTickCount')
('0x26a750', 'KERNEL32.dll')
('0x26a7b8', 'EnumDepende')
('0x26a7f3', 'Advapi32.dll')
('0x26a872', 'GetLastError')
('0x26a8b0', 'KERNEL32.dll')
('0x26a940', 'KERNEL32.dll')
('0x26aa17', 'Advapi32.dll')
('0x26aafb', 'OpenServiceW')
('0x26ab4b', 'Advapi32.dll')
('0x26ac33', 'Advapi32.dll')
('0x26acd4', 'Sleep')
('0x26ad24', 'KERNEL32.dll')
('0x26adea', 'Advapi32.dll')
('0x26aeaa', 'GetTickCount')
('0x26af03', 'KERNEL32.dll')
('0x26afdb', 'Advapi32.dll')
('0x26c2e0', 'GetUserNameW')
('0x26c320', 'Advapi32.dll')
('0x26c450', 'KERNEL32.dll')
('0x26cad0', 'KERNEL32.dll')
('0x273220', 'closesocket')
('0x274a90', 'getsockname')
('0x275280', 'getsockname')
('0x276583', 'Erroroccurswhiles')
('0x276714', 'NoTabsinclient.')
('0x2769e3', 'NoTabsinclient.')
('0x276b60', 'KERNEL32.dll')
('0x277690', 'KERNEL32.dll')
('0x2785e0', 'KERNEL32.dll')
('0x2786d3', 'ErroroccursinGetL')
('0x278950', 'KERNEL32.dll')
('0x2789e0', 'GetDriveTypeW')
('0x278a20', 'KERNEL3')
('0x278f10', 'PathCombineW')
('0x278f50', 'SHLWAPI.dll')
('0x278fa4', 'FindFirstFile')
('0x278fe0', 'KERNEL32.dll')
('0x279120', 'PathCombineW')
('0x279160', 'SHLWAPI.dll')
('0x2791c1', 'CreateFileW')
('0x279200', 'KERNEL32.dll')
('0x279280', 'GetFileTime')
('0x2792c0', 'KERNEL32.dll')
('0x279320', 'CloseHandle')
('0x279360', 'KERNEL32.dll')
('0x2796a0', 'FindNextFileW')
('0x2796e0', 'KERNEL32.dll')
('0x2797b3', 'Cannotaccesstofold')
('0x27a460', 'KERNEL32.dll')
('0x27a4e3', 'kernel32.dll')
('0x27a540', 'PathCombineW')
('0x27a580', 'SHLWAPI.dll')
('0x27a5e0', 'CreateFileW')
('0x27a620', 'KERNEL32.dll')
('0x27a692', 'GetFileTime')
('0x27a6d0', 'KERNEL32.dll')
('0x27a730', 'CloseHandle')
('0x27a770', 'KERNEL32.dll')
('0x27acf0', 'CreateFileW')
('0x27ad30', 'KERNEL32.dll')
('0x27ade0', 'GetFileTime')
('0x27ae20', 'KERNEL32.dll')
('0x27af80', 'GetLastError')
('0x27afc0', 'KERNEL32.dll')
('0x27b430', 'GetLastError')
('0x27b470', 'KERNEL32.dll')
('0x27b932', 'CreateFileW')
('0x27b970', 'KERNEL32.dll')
('0x27b9f0', 'GetLastError')
('0x27ba30', 'KERNEL32.dll')
('0x27bf60', 'KERNEL32.dll')
('0x27c000', 'KERNEL32.dll')
('0x27c080', 'KERNEL32.dll')
('0x27c1b0', 'CloseHandle')
('0x27c1f0', 'KERNEL32.dll')
('0x27c270', 'GetLastError')
('0x27c2b0', 'KERNEL32.dll')
('0x27c3c3', 'Nodescriptorfound.')
('0x27c860', 'KERNEL32.dll')
('0x27c950', 'CloseHandle')
('0x27c990', 'KERNEL32.dll')
('0x27c9f0', 'GetLastError')
('0x27ca30', 'KERNEL32.dll')
('0x27cb00', 'CloseHandle')
('0x27cb40', 'KERNEL32.dll')
('0x27cdc0', 'CloseHandle')
('0x27ce00', 'KERNEL32.dll')
('0x27d180', 'KERNEL32.dll')
('0x27d1f0', 'DeleteFileW')
('0x27d230', 'KERNEL32.dll')
('0x27d290', 'GetLastError')
('0x27d2d0', 'KERNEL32.dll')
('0x27d3e3', 'Deletesuccessed.')
('0x2c3743', 'Deletepayloadcorrupt')
('0x27da30', 'PathCombineW')
('0x27da70', 'SHLWAPI.dll')
('0x27dac4', 'FindFirstFile')
('0x27db00', 'KERNEL32.dll')
('0x27dc20', 'PathCombineW')
('0x27dc60', 'SHLWAPI.dll')
('0x27ded1', 'FindNex2@\x04@%@')
('0x27df10', 'KERNEL32.dll')
('0x284030', 'OpenClipboard')
('0x284110', 'Kernel32.dll')
('0x2841b3', '<CTRL+V>')
('0x284253', '</CTRL+V>')
('0x284fe3', 'Composition')
('0x285073', 'Sfwr\\irsf\\i')
('0x28507c', 'otaeMcootW')
('0x285484', 'Monitor%d[%d*%d]')
('0x28b280', 'DeleteObject')
('0x28b400', 'KERNEL32.dll')
('0x28b4a0', 'KERNEL32.dll')
('0x28b6d0', 'Advapi32.dll')
('0x28cdc0', 'KERNEL32.dll')
('0x28d230', 'ExitProcess')
('0x28d270', 'KERNEL32.dll')
('0x28d3b0', 'GetTempPathW')
('0x28d3f0', 'KERNEL32.dll')
('0x28d4a0', 'PathCombineW')
('0x28d4e0', 'SHLWAPI.dll')
--End Decoded Strings--
Screenshots

Figure 1 - This screenshot illustrates the malware sending an initial block of data to its hard-coded C2 server. As with the malware sample 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16 in MAR-10382580.r1.v1, this malware's initial outbound block contains a chunk of random data and the Unicode string "hello".

Figure 2 - This screenshot illustrates the malware's hard-coded cryptographic key it utilizes to encrypt and decrypt its network communications traffic via the algorithm in Figure 4.
