MAR-10257062.r1.v2
Malware Characterization
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.
US-CERT
2020-08-25T10:27:14-04:00
BMachine
61
7.1.0
switch.dll
Size: 118784 bytes
Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5: c4141ee8e9594511f528862519480d36
SHA1: 2b22d9c673d031dfd07986906184e1d31908cea1
SHA256: 129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0
SHA512: dfc1ad2cb2df2b79ac0f2254b605a2012b94529ac220350a4075e60b06717918175cff5c22e52765237b78ec4edffd6df20f333e28a405a4339a10288158e7fc
SSDEEP: 3072:lUGDXTpE8AKDKDOf+8ZagCfG4aAzFdIARrhxg6/ZpDA:+GDXTpFDKDMZagX4aAB2Cg6hpD
Packers/Compilers/Cryptors: Microsoft Visual C++ DLL *sign by CodeRipper
Entropy: 6.454745
Sections: 5
Compile time: 2019-06-22 01:59:31-04:00

PE sections (name, size in bytes, entropy, MD5):
header   1024    2.2965    00f8301c11847b70346d6271098d8f1c
.text    84992   6.641787  c3bee35076d728ce32b67f5bc66587f3
.rdata   17920   5.170073  6b094443cad879acc7285f991243ddb0
.data    7168    4.275765  11060bd3e49075b78be8670ff46d9a48
.reloc   7680    4.792696  3637e0cd32608b060e308fdd9742ea97
Characterized by: Figure 1, Figure 2, Figure 3, Figure 4, Figure 5, Figure 6, Figure 7 (images not reproduced on this page)
switch.exe
Size: 67448 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 89081f2e14e9266de8c042629b764926
SHA1: 730c1b9e950932736fc4b02cbdb4e4e891485ac2
SHA256: 39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655
SHA512: bbb5aa4d8e7a011daff71774ee9c74fa4d14627de1c25e0437c879bd1cd137223d5c2fb20fd101a511a95e59d91ea884b0947229ee67e40a4a24350573fb9e54
SSDEEP: 768:aQ1PWoWzXyjJsTKJUniYs1pdLn4nDT622YuYDIhscWTJqLPNofEDy9nAXmIEHbKa:aQ5WDziX+nD0LWT6FYZDgs5ULPIJEYp
Packers/Compilers/Cryptors: Microsoft Visual C++ ?.?
Entropy: 6.396614
Sections: 6
Compile time: 2018-06-13 02:17:06-04:00

PE sections (name, size in bytes, entropy, MD5):
header   1024    2.497464  cde81f1500263860f325ee8f80c483ce
.text    38912   6.518662  a8c0a36524287fef367821e833a68350
.rdata   10752   4.87802   e1c66ff8e5f0e1909e2691360c974420
.data    4096    2.117927  22783e6c2539d6828f3d42b030ca08e9
.rsrc    512     5.105006  81195ca9b22c050f79e44175e9e7150e
.reloc   3584    4.791228  36571bcb45b1ae18dfcf7edc8c5c3d4a
--Begin files--
.dat: Logs general messages and errors.
Entry Format: [][PID:][TID:] "]
C:\intel\_DMP_V\spvmdl.dat: Logs API hooking/unhooking success and failure.
Entry Format:
Hook Success Entry: 'Windows'
Hook Error Entry: 'Linux'
UnHook Success Entry: 'Acer'
UnHook Error Entry: 'Lenovo'
C:\intel\_DMP_V\TMPL.dat: Logs send/receive message metadata.
Entry Format:
Recv Entry: 'recv - SOCK=, Addr=, Port=, pBuf=, size='
Send Entry: 'send - SOCK=, Addr=, Port=, size='
C:\intel\_DMP_V\TMPR.tmp: Logs received messages.
C:\intel\_DMP_V\TMPS.tmp: Logs sent messages.
C:\intel\_DMP_V\TMPHSMS.tmp: Logs LocalHost ARQC sent messages.
C:\intel\_DMP_V\TMPHSMR.tmp: Logs LocalHost ARQC received messages.
C:\intel\_DMP_V\spvmscap.dat: Logs modified sent messages.
C:\intel\_DMP_V\spvmsuc.dat: Logs modified sent messages metadata (encrypted).
--End files--
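The TMPL.dat entry formats above make that file a quick triage source during incident response: it records which peers the hooked process exchanged ISO8583 traffic with and how much. The parser below is an added example, not code from this report or from the sample. It tallies send/recv metadata entries per peer and direction and counts lines that do not match the format. The placeholder values in the report's format strings are stripped on this page, so the value forms used in the constructed sample lines (hexadecimal socket handle and buffer pointer, dotted-quad address, decimal port and size) are assumptions.

```python
import re
from collections import defaultdict

SWITCH_PORT = 7029  # port the sample's hooks filter on (from the report)

# Entry skeletons from the report: 'recv - SOCK=, Addr=, Port=, pBuf=, size='
# and 'send - SOCK=, Addr=, Port=, size='. The value formats are assumptions.
ENTRY_RE = re.compile(
    r"^(?P<direction>recv|send) - SOCK=(?P<sock>[^,]+), Addr=(?P<addr>[^,]+), "
    r"Port=(?P<port>\d+)(?:, pBuf=(?P<pbuf>[^,]+))?, size=(?P<size>\d+)\s*$"
)


def parse_tmpl_entry(line):
    """Parse one TMPL.dat metadata line; return a dict, or None if it does not match."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()          # 'pbuf' is None for send entries
    entry["port"] = int(entry["port"])
    entry["size"] = int(entry["size"])
    return entry


def summarize_tmpl(lines):
    """Aggregate message counts and byte totals per (addr, port) and direction."""
    per_peer = defaultdict(lambda: {"recv": 0, "send": 0, "recv_bytes": 0, "send_bytes": 0})
    unparsed = 0
    for line in lines:
        entry = parse_tmpl_entry(line)
        if entry is None:
            if line.strip():           # blank lines are not worth reporting
                unparsed += 1
            continue
        stats = per_peer[(entry["addr"], entry["port"])]
        stats[entry["direction"]] += 1
        stats[entry["direction"] + "_bytes"] += entry["size"]
    return {"peers": dict(per_peer), "unparsed": unparsed}


def switch_peers(summary):
    """Addresses seen on the switch port, i.e. hosts whose traffic the hook intercepted."""
    return sorted(addr for (addr, port) in summary["peers"] if port == SWITCH_PORT)


# Constructed sample log (not captured from a real infection). The report says the
# hook only logs port-7029 traffic, so every well-formed line carries that port.
SAMPLE_TMPL = """\
recv - SOCK=0x2f4, Addr=10.20.30.5, Port=7029, pBuf=0x0045a3c0, size=312
send - SOCK=0x2f4, Addr=10.20.30.5, Port=7029, size=98
recv - SOCK=0x2f4, Addr=10.20.30.5, Port=7029, pBuf=0x0045a3c0, size=300
send - SOCK=0x318, Addr=10.20.30.7, Port=7029, size=120
corrupt line that does not match the entry format
"""

if __name__ == "__main__":
    summary = summarize_tmpl(SAMPLE_TMPL.splitlines())
    print(summary)
    print("peers on switch port:", switch_peers(summary))
```

Run against a recovered TMPL.dat, the peer list gives the switch hosts to pull ISO8583 traffic for, and the byte totals can be reconciled against the TMPR.tmp and TMPS.tmp message dumps.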
Upon attaching to a process, the sample decrypts the encrypted configuration file and reads the result into memory. It then hooks the process's send and recv Windows API functions. When send is called, the hook checks whether the port is 7029; if so, it logs the data and metadata to the log files listed above, otherwise it passes the call through to the real send so the program behaves normally. When recv is called, the hook checks whether the port is 7029; if so, it waits for packets received from port 7029 and parses the following ISO8583 fields out of the incoming datagram:
--Begin fields--
MESSAGE_TYPE_INDICATOR (MTI)
PRIMARY_ACCOUNT_NUMBER (PAN)
PROCESSING_CODE
RESERVED_NATIONAL_3
--End fields--
Next, it checks the loaded configuration for the PAN. If the PAN is present, processing continues; otherwise the message is passed through unchanged. It then checks the blacklist file for the PAN. If the blacklist contains 'all' or the PAN, the sample sets RESPONSE_CODE to 51 (insufficient funds) in the response message. It looks for the following message types:
--Begin message types--
POS system message
ATM transaction request
ATM balance inquiry
--End message types--
Next, it constructs what appears to be an Authorization Request Cryptogram (ARQC) message:
--Begin format--
Uses the PRIMARY_ACCOUNT_NUMBER and ICC_DATA
Contains the hardcoded string: "U8BFE0AE12F9000C1480B297BE43CAC97"
Sends to localhost on port 9990
Parses the response Authorization Response Cryptogram (ARPC) message
--End format--
Finally, it constructs and sends an ISO8583 response message.
When detaching from the process, the sample unhooks the send and recv Windows API functions, restoring them to their original state. It then overwrites the first 0x400 bytes of its own in-memory DLL image in the process; that range covers the PE header (listed as 1024 bytes in the section table above), so the module can no longer be readily identified or dumped from memory.
The sample reuses code taken from GitHub, in some cases with a few modifications: github.com/petewarden/c_hashmap to load the configuration file into an in-memory hashmap, Microsoft's Detours library (github.com/Microsoft/Detours) for API hooking, and github.com/sabit/Oscar-ISO8583 for ISO8583 parsing, slightly modified to parse IBM037 (EBCDIC) formatted data.
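The parsing and decision path described above, as an added example that is not code from this report or from the sample: a minimal ISO8583 encoder/decoder for the fields the recv hook extracts (MTI, PAN, processing code) plus the port, configuration and blacklist checks that lead to a forced RESPONSE_CODE of 51. The field layouts follow common ISO 8583:1987 conventions (4-character MTI, 16-hex-digit primary bitmap, LLVAR PAN in field 2, 6-digit processing code in field 3, 2-character response code in field 39) and are assumptions, since the report does not state which variant the targeted switch speaks; the mapping of MTI 0200 with processing code 01xxxx to an ATM withdrawal and 31xxxx to a balance inquiry is likewise an assumption. IBM037 is decoded with Python's cp037 codec, and the sample request, PAN and function names are constructed for the example.

```python
# Added example, not code from the report or from the sample it describes.
SWITCH_PORT = 7029          # port the hooks filter on (from the report)
INSUFFICIENT_FUNDS = "51"   # RESPONSE_CODE forced for blacklisted PANs (from the report)

# Assumed layouts: field number -> (kind, length); LLVAR has a 2-digit length prefix.
FIELD_LAYOUT = {
    2: ("LLVAR", 19),   # PRIMARY_ACCOUNT_NUMBER (PAN)
    3: ("FIXED", 6),    # PROCESSING_CODE
    4: ("FIXED", 12),   # transaction amount
    11: ("FIXED", 6),   # system trace audit number
    39: ("FIXED", 2),   # RESPONSE_CODE
}


def _codec(ebcdic):
    # The report notes the parser was modified for IBM037 data; IBM037 is the
    # EBCDIC code page that Python exposes as "cp037".
    return "cp037" if ebcdic else "ascii"


def build_iso8583(mti, fields, ebcdic=False):
    """Serialise MTI + 64-bit primary bitmap + fields (only fields in FIELD_LAYOUT)."""
    bitmap, body = 0, ""
    for n in sorted(fields):
        kind, length = FIELD_LAYOUT[n]
        value = str(fields[n])
        if kind == "LLVAR":
            if len(value) > length:
                raise ValueError("field %d too long" % n)
            body += "%02d%s" % (len(value), value)
        else:
            if len(value) != length:
                raise ValueError("field %d must be %d characters" % (n, length))
            body += value
        bitmap |= 1 << (64 - n)   # bit 1 is the most significant bit of the bitmap
    return (mti + "%016X" % bitmap + body).encode(_codec(ebcdic))


def parse_iso8583(raw, ebcdic=False):
    """Return {"MTI": ..., field_number: value, ...} for a primary-bitmap-only message."""
    text = raw.decode(_codec(ebcdic))
    fields = {"MTI": text[:4]}
    bitmap = int(text[4:20], 16)
    if bitmap & (1 << 63):
        raise ValueError("secondary bitmap not handled in this example")
    pos = 20
    for n in range(2, 65):
        if not bitmap & (1 << (64 - n)):
            continue
        kind, length = FIELD_LAYOUT[n]   # KeyError: message uses a field with no layout here
        if kind == "LLVAR":
            length = int(text[pos:pos + 2])
            pos += 2
        fields[n] = text[pos:pos + length]
        pos += length
    return fields


def classify_request(fields):
    """Request types the report says the sample looks for (assumed MTI/processing codes)."""
    if fields.get("MTI") != "0200":
        return None
    code = fields.get(3, "")
    if code.startswith("01"):
        return "ATM transaction request"
    if code.startswith("31"):
        return "ATM balance inquiry"
    return None


def decide(port, raw, configured_pans, blacklist, ebcdic=False):
    """Mirror the decision path the report describes for a message received on `port`.
    Returns ("passthrough", None), ("deny", "51") or ("hijack", parsed_request)."""
    if port != SWITCH_PORT:
        return ("passthrough", None)          # the hook only acts on port 7029
    request = parse_iso8583(raw, ebcdic)
    pan = request.get(2)
    if pan not in configured_pans:
        return ("passthrough", None)          # PAN absent from the decrypted config
    if "all" in blacklist or pan in blacklist:
        return ("deny", INSUFFICIENT_FUNDS)   # blacklist hit: force response code 51
    if classify_request(request) is None:
        return ("passthrough", None)          # not a message type the sample handles
    # Otherwise the report says the sample runs its own ARQC/ARPC exchange with
    # localhost:9990 and then sends its own ISO8583 response; the response code
    # it uses there is not stated, so that is left to the caller.
    return ("hijack", request)


def forced_response(request, response_code, ebcdic=False):
    """Build a 0210 response echoing key fields and carrying the forced RESPONSE_CODE."""
    echoed = {n: request[n] for n in (2, 3, 11) if n in request}
    echoed[39] = response_code
    return build_iso8583("0210", echoed, ebcdic)


# Constructed sample: an ATM withdrawal request for one configured PAN, EBCDIC-encoded.
CONFIGURED_PANS = {"4111111111111111"}
SAMPLE_REQUEST = build_iso8583(
    "0200", {2: "4111111111111111", 3: "011000", 4: "000000010000", 11: "000123"}, ebcdic=True)
```

A useful defensive check falls out of the same code: a 0210 response whose field 39 is 51 for a card that the issuer's own authorization log shows as approved, or that appears before the issuer saw the 0200 at all, is exactly the artifact this hook produces.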
The encryption used for all log and configuration files is likely an AES variant; both keys below are 16 bytes long, which matches an AES-128 key size:
--Begin keys--
zRuaDglxjec^tDtt
Slsklqc^mNgq`lyz
--End keys--
A2B1A45A242CEE03FAB0BEDB2E460587
Size: 130560 bytes
Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5: a2b1a45a242cee03fab0bedb2e460587
SHA1: e9c9ef312370d995d303e8fc60de4e4765436f58
SHA256: 5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b
SHA512: 4ced785089832287d634c77c2b5fb16efb2147b75da9014320c98d1bc0933504bfba77273576c35b97548d25acb88a0f2944cbef6a78509f945a8502f8910da8
SSDEEP: 3072:j5KO2SQhF+VJbGHMjjNNyCkeZjDYJklGCx:oO2SQT+nGHADyAZjJwC
Packers/Compilers/Cryptors: Microsoft Visual C++ DLL *sign by CodeRipper
Entropy: 6.431962
Sections: 6
Compile time: 2018-07-03 08:11:16-04:00

PE sections (name, size in bytes, entropy, MD5):
header   1024    2.429436  cbe7e7fdab96c22785fa8d7c03ca6b2b
.text    89600   6.630313  03d36f4d9ae3e002027c981c399ab8c6
.rdata   23040   5.215776  d1f983704c508544b315d577fe3563e1
.data    8192    4.358771  a4b79dca294053725e2b2091453d9d85
.rsrc    512     5.115767  d762ef71411860ae50212e14c0a5ba72
.reloc   8192    4.774185  2e4eb6056385f6f721d970cafe65bebe
Indicator: CISA_Consolidated.yara: CISA_10257062_01 (YARA rule, http://plusvic.github.io/yara/)
Malware artifact (switch.dll):
MD5: c4141ee8e9594511f528862519480d36
SHA1: 2b22d9c673d031dfd07986906184e1d31908cea1
SHA256: 129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0
Source: NCCIC, 2020-08-25T14:28:37+00:00

Indicator: MD5 and SHA1 of Malicious File
Malware artifact (switch.exe):
MD5: 89081f2e14e9266de8c042629b764926
SHA1: 730c1b9e950932736fc4b02cbdb4e4e891485ac2
SHA256: 39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655
Source: NCCIC, 2020-08-25T14:28:37+00:00

Indicator: CISA_Trusted3rdParty_Consolidated.yara: CISA_3P_10257062 (YARA rule, http://plusvic.github.io/yara/)
Malware artifact (A2B1A45A242CEE03FAB0BEDB2E460587):
MD5: a2b1a45a242cee03fab0bedb2e460587
SHA1: e9c9ef312370d995d303e8fc60de4e4765436f58
SHA256: 5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b
Source: NCCIC, 2020-08-25T14:28:38+00:00
MAEC Characterization of c4141ee8e9594511f528862519480d36 (switch.dll)
Antivirus vendor               Detection name
ClamAV                         Win.Trojan.Alreay-7189205-0
McAfee                         Trojan-Banking
K7                             Riskware ( 0040eff71 )
Symantec                       Trojan Horse
Zillya!                        Trojan.NukeSped.Win32.183
Antiy                          Trojan/Win32.Tiggre
BitDefender                    Trojan.GenericKD.32541173
Sophos                         Troj/Banker-GYS
Comodo                         Malware
TrendMicro House Call          Backdoo.62DC2502
TrendMicro                     Backdoo.62DC2502
Emsisoft                       Trojan.GenericKD.32541173 (B)
Avira                          TR/Spy.Banker.pubvd
VirusBlokAda                   BScope.TrojanBanker.Agent
ESET                           a variant of Win32/NukeSped.GA trojan
NANOAV                         Trojan.Win32.NukeSped.gexoae
Lavasoft                       Trojan.GenericKD.32541173
Ikarus                         Trojan.Spy.Banker
Tags: HIDDEN-COBRA, trojan

MAEC Characterization of 89081f2e14e9266de8c042629b764926 (switch.exe)
Antivirus vendor               Detection name
ClamAV                         Win.Trojan.Alreay-7189192-0
McAfee                         Trojan-Banking
K7                             Riskware ( 0040eff71 )
Symantec                       Trojan Horse
Zillya!                        Trojan.Alreay.Win32.96
Antiy                          Trojan[Banker]/Win32.Alreay
Microsoft Security Essentials  Trojan:Win32/LazInjector.DD!MSR
Sophos                         Troj/Banker-GYS
Comodo                         Malware
TrendMicro House Call          TROJ_NO.4FADD924
TrendMicro                     TROJ_NO.4FADD924
Emsisoft                       Gen:Variant.Ursu.634943 (B)
VirusBlokAda                   TrojanBanker.Alreay
Ahnlab                         HackTool/Win32.Injector
ESET                           a variant of Generik.CWSORYC trojan
NANOAV                         Trojan.Win32.Alreay.geqrko
Ikarus                         Trojan.Inject

MAEC Characterization of a2b1a45a242cee03fab0bedb2e460587 (A2B1A45A242CEE03FAB0BEDB2E460587)
Antivirus vendor               Detection name
VirusBlokAda                   BScope.TrojanBanker.Agent
Malicious Code
Malicious Artifact Detected