
Malware analysis

looking for the perfect virus

Name: Noah 2014 Original Soundtrack [Clint Mansell].ex
Size: 1752156
Md5 hash: 6f6550976963f22c3f7367c9d195a9dc
SHA1 hash: c00e58d7dbbb4e747c8685754e3bfdce2e90d803

FileVersion : 3.3.8.1
FileVersion: 3, 3, 8, 1
FileDescription:

antivirus detection: Detection ratio: 7/49

Antivirus             Result                                  Update
AntiVir               TR/Dropper.Gen                          20140415
CMC                   Trojan.Win32.Generic!O                  20140411
ESET-NOD32            a variant of Win32/Injector.Autoit.ABQ  20140415
K7AntiVirus           Trojan ( 700000111 )                    20140414
K7GW                  Trojan ( 700000111 )                    20140414
Qihoo-360             Malware.QVM10.Gen                       20140415
TrendMicro-HouseCall  TROJ_GE.3B0BC417                        20140415
AVG                   -                                       20140415
Ad-Aware              -                                       20140415
AegisLab              -                                       20140415
Agnitum               -                                       20140414
AhnLab-V3             -                                       20140414
Antiy-AVL             -                                       20140415
Avast                 -                                       20140415
Baidu-International   -                                       20140415
BitDefender           -                                       20140415
Bkav                  -                                       20140415
ByteHero              -                                       20140415
CAT-QuickHeal         -                                       20140415
ClamAV                -                                       20140415
Commtouch             -                                       20140415
Comodo                -                                       20140415
DrWeb                 -                                       20140415
Emsisoft              -                                       20140415
F-Prot                -                                       20140415
F-Secure              -                                       20140414
Fortinet              -                                       20140413
GData                 -                                       20140415
Ikarus                -                                       20140415
Jiangmin              -                                       20140415
Kaspersky             -                                       20140415
Kingsoft              -                                       20140415
Malwarebytes          -                                       20140415
McAfee                -                                       20140415
McAfee-GW-Edition     -                                       20140415
MicroWorld-eScan      -                                       20140415
Microsoft             -                                       20140415
NANO-Antivirus        -                                       20140415
Norman                -                                       20140415
Panda                 -                                       20140414
Rising                -                                       20140414
SUPERAntiSpyware      -                                       20140415
Sophos                -                                       20140415
Symantec              -                                       20140415
TheHacker             -                                       20140413
TotalDefense          -                                       20140415
TrendMicro            -                                       20140415
VBA32                 -                                       20140415
VIPRE                 -                                       20140415
ViRobot               -                                       20140415
nProtect              -                                       20140415

process:
C:\Documents and Settings\Administrator\Application Data\Noah 2014 Original Soundtrack [Clint Mansell].exe

network activity:
b294237.no-ip.biz
b294237.no-ip.org

persistence:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe c:\documents and settings\administrator\application data\noah 2014 original soundtrack [clint mansell].exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adobe c:\documents and settings\administrator\application data\noah 2014 original soundtrack [clint mansell].exe

new files:
c:\Documents and Settings\Administrator\Application Data\
Noah 2014 Original Soundtrack [Clint Mansell].exe

c:\Documents and Settings\Administrator\Application Data\dclogs\
2014-04-15-3.dc

registry:
HKEY_CURRENT_USER\Software\DC3_FEXEC\

malware type: DarkComet


For signature detection I used a variant of the Boyer–Moore search algorithm written by Ameer Ayoub

  • scans all executable files (PE files)
  • prints the name and location of the files identified
  • dictionary for storing the signatures {"malware name": "hex bytes"}
  • false positive list
  • logs: number of files scanned; number of files that could not be scanned, possibly with their paths
  • uses simple (hex) signatures
  • python 2.7
  • slow :))

F:\
FP F:\FPtest.exe
malw1 F:\M6s1.exe
malw2 F:\M6s2.exe
Nr fisiere scanate: 170
Fisiere care nu au putut fi scanate: 0

from win32api import GetLogicalDriveStrings
import os
import hashlib

# Boyer Moore String Search implementation in Python
# Ameer Ayoub <ameer.ayoub@gmail.com>

# Generate the Bad Character Skip List
def generateBadCharShift(term):
    skipList = {}
    for i in range(0, len(term)-1):
        skipList[term[i]] = len(term)-i-1
    return skipList

# Generate the Good Suffix Skip List
def findSuffixPosition(badchar, suffix, full_term):
    for offset in range(1, len(full_term)+1)[::-1]:
        flag = True
        for suffix_index in range(0, len(suffix)):
            term_index = offset-len(suffix)-1+suffix_index
            if term_index < 0 or suffix[suffix_index] == full_term[term_index]:
                pass
            else:
                flag = False
        term_index = offset-len(suffix)-1
        if flag and (term_index <= 0 or full_term[term_index-1] != badchar):
            return len(full_term)-offset+1

def generateSuffixShift(key):
    skipList = {}
    buffer = ""
    for i in range(0, len(key)):
        skipList[len(buffer)] = findSuffixPosition(key[len(key)-1-i], buffer, key)
        buffer = key[len(key)-1-i] + buffer
    return skipList

# Actual Search Algorithm
def BMSearch(haystack, needle):
    goodSuffix = generateSuffixShift(needle)
    badChar = generateBadCharShift(needle)
    i = 0
    while i < len(haystack)-len(needle)+1:
        j = len(needle)
        while j > 0 and needle[j-1] == haystack[i+j-1]:
            j -= 1
        if j > 0:
            badCharShift = badChar.get(haystack[i+j-1], len(needle))
            goodSuffixShift = goodSuffix[len(needle)-j]
            if badCharShift > goodSuffixShift:
                i += badCharShift
            else:
                i += goodSuffixShift
        else:
            return i
    return -1

def md5Checksum(filePath): # compute the MD5 of a file, reading it in 8 KB chunks
    m = hashlib.md5()
    with open(filePath, 'rb') as fh:
        while True:
            data = fh.read(8192)
            if not data:
                break
            m.update(data)
    return m.hexdigest()

# {"malware name": "hex bytes"}
dicsig = {"malw1":"78200000000000004C20000000000000000000006A2000000020000054", "malw2":"6A00680030400068073040006A00E80D0000006A00E800000000FF2500204000FF25082040"}
# MD5 hashes of files known to trigger a signature without being malicious
falsepositive = ["abb01a09857e9758a7737d31ac5598d6", "abb01a09857e9758a7737d31ac55987"]

radacina = GetLogicalDriveStrings().split("\x00") # list of drives; the last element is empty
nescanate     = [] # files that could not be scanned
totalfisiere  = 0  # number of files scanned

for partitie in radacina[:-1]: # iterate over drives
    print partitie # drive being scanned
    for root, subFolders, files in os.walk(partitie):
        for file in files:
            fullpath = os.path.join(root, file)
            totalfisiere += 1
            try:
                with open(fullpath, "rb") as handle:
                    if handle.read(2).encode("hex") == "4d5a":  # "MZ" header: PE file
                        fisier = handle.read()
                        for nume in dicsig.keys():
                            semnatura = dicsig[nume].decode("hex")
                            rezultatscan = BMSearch(fisier, semnatura)
                            if rezultatscan != -1:
                                if md5Checksum(fullpath) not in falsepositive:
                                    print nume, "\t", fullpath
                                else:
                                    print "FP\t", fullpath
                                    break  # whitelisted file: skip the remaining signatures
            except Exception as exceptie:
                print str(exceptie), fullpath
                nescanate.append((fullpath, str(exceptie))) # keep the path as well, as the log description asks

print "Logs:\n"
print "Nr fisiere scanate:", totalfisiere
print "Fisiere care nu au putut fi scanate:", len(nescanate)

Test files: http://ge.tt/553GmPU1/v/0?c
File: Fisierepentruteste.rar MD5: 3c01091d8b5c02a1053aac8277f3ccff
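The scanner above is Python 2 and depends on win32api, so it cannot be tried on a modern interpreter or outside Windows. The following is an added Python 3 example, not the blog's code: it keeps the same pipeline (count every file, test only files that start with "MZ", match every hex signature, suppress hits whose MD5 is on the false-positive list, remember files that could not be read) but swaps Ameer Ayoub's Boyer–Moore variant for the simpler Boyer–Moore–Horspool bad-character rule over bytes. The two signatures are copied from the blog's dicsig dictionary; the files it scans are constructed in a temporary directory, so it runs offline and the result can be checked.

```python
import hashlib
import os
import tempfile

# Signatures copied from the blog's dicsig dictionary ({"malware name": "hex bytes"}).
SIGNATURES = {
    "malw1": "78200000000000004C20000000000000000000006A2000000020000054",
    "malw2": "6A00680030400068073040006A00E80D0000006A00E800000000FF2500204000FF25082040",
}


def horspool_search(haystack: bytes, needle: bytes) -> int:
    """First offset of needle in haystack, or -1 (Boyer-Moore-Horspool: bad-character rule only)."""
    n, m = len(haystack), len(needle)
    if m == 0:
        return 0
    # For every pattern byte except the last: how far the window may jump when
    # that byte is under the window's last position. Bytes absent from the
    # pattern let the window jump its whole length.
    shift = {needle[i]: m - 1 - i for i in range(m - 1)}
    i = 0
    while i <= n - m:
        j = m - 1
        while j >= 0 and haystack[i + j] == needle[j]:   # compare right to left
            j -= 1
        if j < 0:
            return i
        i += shift.get(haystack[i + m - 1], m)
    return -1


def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(8192), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, signatures: dict, false_positives: set) -> dict:
    """Walk root and test every file that starts with 'MZ' against every signature."""
    report = {"scanned": 0, "unscanned": [], "detections": [], "false_positives": []}
    compiled = {name: bytes.fromhex(hexsig) for name, hexsig in signatures.items()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            report["scanned"] += 1          # the blog counts every file, PE or not
            try:
                with open(path, "rb") as fh:
                    if fh.read(2) != b"MZ":  # not a PE image: nothing to do
                        continue
                    body = fh.read()
            except OSError as exc:          # unreadable file: logged with its path
                report["unscanned"].append((path, str(exc)))
                continue
            for sig_name, sig in compiled.items():
                if horspool_search(body, sig) == -1:
                    continue
                if md5_of_file(path) in false_positives:
                    report["false_positives"].append(path)
                    break                   # whitelisted file: skip the remaining signatures
                report["detections"].append((sig_name, path))
    return report


def demo() -> dict:
    """Scan a constructed tree: a clean PE, a text file that carries a signature
    but no MZ header, a real hit, and a hit whose MD5 is whitelisted."""
    with tempfile.TemporaryDirectory() as tmp:
        def write(name, data):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            return path
        write("clean.exe", b"MZ" + b"\x00" * 64)
        write("notes.txt", bytes.fromhex(SIGNATURES["malw2"]))
        write("hit.exe", b"MZ" + b"\x90" * 10 + bytes.fromhex(SIGNATURES["malw2"]) + b"\x00" * 5)
        whitelisted = write("fp.exe", b"MZ" + bytes.fromhex(SIGNATURES["malw1"]))
        return scan_tree(tmp, SIGNATURES, {md5_of_file(whitelisted)})


if __name__ == "__main__":
    r = demo()
    for sig_name, path in r["detections"]:
        print(sig_name, "\t", path)
    for path in r["false_positives"]:
        print("FP\t", path)
    print("Files scanned:", r["scanned"])
    print("Files that could not be scanned:", len(r["unscanned"]))
```

Horspool uses only the bad-character table, so it is a little weaker than full Boyer–Moore on pathological inputs but far simpler to get right; for the short hex signatures used here the difference is irrelevant. Note that, like the original, the MZ check only looks at the first two bytes, so a non-PE file that happens to start with "MZ" is still scanned.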

Subject: Your_Name You are a winner, a weekend party together with your loved ones.
From:    "Sharise Watson" sharisewatson@aol.com
Date:    Monday, March 17, 2014
To:      your@email.com

Hello!

Fill in the attached document today to claim your prize and choose your desired location today, or take the offer now in EURO!! Copy the attached file; open it and REGISTER! ATTENTION! Our offer is valid only for Microsoft Windows users.

We wish you A good day!!

From Hotel Cool Predeal
————————————————————————–
Attached files:
untitled-[1.2].html
YourName.zip
————————————————————————–
Name: YourName.exe
Size: 155136 bytes (151.5 KBs)

Antivirus detection:
Scan Result: 13/34

AVG Free: Trojan horse Generic_r.DMC
ArcaVir: Clean
Avast: Win32:Agent-ASXJ [Trj]
AntiVir (Avira): Clean
BitDefender: Clean
VirusBuster Internet Security: Clean
Clam Antivirus: Clean
COMODO Internet Security: Clean
Dr.Web: Clean
eTrust-Vet: Clean
F-PROT Antivirus: W32/Agent.NK2.gen!Eldorado (generic, not disinfectable)
F-Secure Internet Security: Gen:Variant.Symmi.38727
G Data: Win32:Agent-ASXJ [Trj]
IKARUS Security: Win32.SuspectCrc
Kaspersky Antivirus: HEUR:Trojan.Win32.Generic
McAfee: Generic-FAOV!BC56D5E985E0
MS Security Essentials: Clean
Norman: Clean
Norton Antivirus: Clean
Panda Security: Suspicious
A-Squared: Clean
Quick Heal Antivirus: Clean
Solo Antivirus: Clean
Sophos: Troj/Bckdr-RRM
Trend Micro Internet Security: Clean
VBA32 Antivirus: Clean
Zoner AntiVirus: Clean
Ad-Aware: Trojan.Win32.Bckdr.rrm (v)
BullGuard: Clean
Immunet Antivirus: Clean
K7 Ultimate: Clean
NANO Antivirus: Clean
Panda CommandLine: Trj/Genetic.gen
VIPRE: Trojan.Win32.Bckdr.rrm (v)

Processes:
C:\Documents and Settings\Administrator\Application Data\mkhtbiczhsajrzg\abzywugkim.exe
   C:\Documents and Settings\Administrator\Application Data\mkhtbiczhsajrzg\qvhalfwqp.exe

Network activity:
degreehealth.net
forwardhealth.net
degreeclothes.net
forwardclothes.net
degreedistant.net
forwarddistant.net
answerseparate.net
glassseparate.net
answerhealth.net
glasshealth.net
answerclothes.net
glassclothes.net
answerdistant.net
glassdistant.net
difficultseparate.net
heardseparate.net
difficulthealth.net
heardhealth.net
difficultclothes.net
heardclothes.net
difficultdistant.net
hearddistant.net
pleasantseparate.net
necessaryseparate.net
pleasanthealth.net
necessaryhealth.net
pleasantclothes.net
necessaryclothes.net
pleasantdistant.net
necessarydistant.net
orderseparate.net
requireseparate.net
orderhealth.net
requirehealth.net
orderclothes.net
requireclothes.net
orderdistant.net
requiredistant.net
leaderseparate.net
heavenseparate.net
leaderhealth.net
heavenhealth.net
leaderclothes.net
heavenclothes.net
leaderdistant.net
heavendistant.net
heavyseparate.net
gentleseparate.net
heavyhealth.net
gentlehealth.net
heavyclothes.net
gentleclothes.net
heavydistant.net
gentledistant.net
variousseparate.net
returnseparate.net
varioushealth.net
returnhealth.net
variousclothes.net
returnclothes.net
variousdistant.net
returndistant.net
degreecatch.net
forwardcatch.net
degreeeearly.net
forwardeearly.net
degreepublic.net
forwardpublic.net
degreedress.net
forwarddress.net
answercatch.net
glasscatch.net
answereearly.net
glasseearly.net
answerpublic.net
glasspublic.net
answerdress.net
glassdress.net
difficultcatch.net
heardcatch.net
difficulteearly.net
heardeearly.net
difficultpublic.net
heardpublic.net
difficultdress.net
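Every one of the 85 names above is a concatenation of two English words taken from two small fixed lists (an observation from inspecting the list, not something the write-up states). That structure is what a defender can hunt on: once the two word lists are recovered, a single pattern matches the names the sample was seen to use and the combinations it was not. The following is an added example, not part of the write-up: it recovers the two lists from the observed labels with a generic "best recurring split" heuristic, derives the unobserved combinations as blocklist candidates, and runs the resulting matcher over a few constructed DNS log lines.

```python
import re
from collections import Counter

# The 85 second-level labels (all under .net) contacted by the sample, copied from the list above.
OBSERVED = set("""
degreehealth forwardhealth degreeclothes forwardclothes degreedistant forwarddistant
answerseparate glassseparate answerhealth glasshealth answerclothes glassclothes
answerdistant glassdistant difficultseparate heardseparate difficulthealth heardhealth
difficultclothes heardclothes difficultdistant hearddistant pleasantseparate
necessaryseparate pleasanthealth necessaryhealth pleasantclothes necessaryclothes
pleasantdistant necessarydistant orderseparate requireseparate orderhealth requirehealth
orderclothes requireclothes orderdistant requiredistant leaderseparate heavenseparate
leaderhealth heavenhealth leaderclothes heavenclothes leaderdistant heavendistant
heavyseparate gentleseparate heavyhealth gentlehealth heavyclothes gentleclothes
heavydistant gentledistant variousseparate returnseparate varioushealth returnhealth
variousclothes returnclothes variousdistant returndistant degreecatch forwardcatch
degreeeearly forwardeearly degreepublic forwardpublic degreedress forwarddress
answercatch glasscatch answereearly glasseearly answerpublic glasspublic answerdress
glassdress difficultcatch heardcatch difficulteearly heardeearly difficultpublic
heardpublic difficultdress
""".split())


def factor_labels(labels):
    """Split each label where both halves recur most often across the whole set.

    Every candidate split point is scored by (labels sharing the prefix) x
    (labels sharing the suffix); the highest product wins. A true word pair
    such as heard+health scores 7x16, whereas hear+dhealth scores 7x2.
    """
    prefixes, suffixes = Counter(), Counter()
    for label in labels:
        for k in range(1, len(label)):
            prefixes[label[:k]] += 1
            suffixes[label[k:]] += 1
    split = {}
    for label in labels:
        best = max(range(1, len(label)),
                   key=lambda k: prefixes[label[:k]] * suffixes[label[k:]])
        split[label] = (label[:best], label[best:])
    return split


def word_lists(labels):
    split = factor_labels(labels)
    return (sorted({p for p, _ in split.values()}), sorted({s for _, s in split.values()}))


def unseen_combinations(labels, tld=".net"):
    """Every first+second combination never observed: candidates for a blocklist."""
    first, second = word_lists(labels)
    return sorted(p + s + tld for p in first for s in second if p + s not in labels)


def build_matcher(first, second, tld="net"):
    pattern = r"^(?:%s)(?:%s)\.%s$" % ("|".join(first), "|".join(second), re.escape(tld))
    return re.compile(pattern, re.I)


def hunt(log_lines, matcher):
    """Queried names in DNS log lines that fit the two-word grammar."""
    hits = []
    for line in log_lines:
        for token in line.split():
            name = token.rstrip(".")        # drop the trailing root dot
            if matcher.match(name):
                hits.append(name)
    return hits


FIRST, SECOND = word_lists(OBSERVED)
MATCHER = build_matcher(FIRST, SECOND)

# Constructed DNS log lines (not from the write-up).
SAMPLE_LOG = [
    "2014-03-18 09:12:01 client 10.0.0.5 query: heardcatch.net. IN A",
    "2014-03-18 09:12:02 client 10.0.0.5 query: gentlecatch.net. IN A",       # never observed, same grammar
    "2014-03-18 09:12:03 client 10.0.0.7 query: www.healthdegree.net. IN A",  # words in the wrong order
    "2014-03-18 09:12:04 client 10.0.0.7 query: update.microsoft.com. IN A",
]

if __name__ == "__main__":
    print(len(FIRST), "first words:", FIRST)
    print(len(SECOND), "second words:", SECOND)
    print(len(unseen_combinations(OBSERVED)), "combinations never seen in the sandbox")
    print("log hits:", hunt(SAMPLE_LOG, MATCHER))
```

The heuristic recovers 16 first words and 8 second words, so the sample's name space is 128 labels of which only 85 showed up in this run; the other 43 are worth adding to a watch list rather than waiting to see them. Match on the full name (anchored, both word lists) rather than on either word alone, or common names such as "publichealth" would be caught.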

New files:
C:\Documents and Settings\Administrator\Application Data\mkhtbiczhsajrzg\
abzywugkim.exe -Hidden file
abzywugkim.u0jp
qvhalfwqp.exe -Hidden file

Persistence:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System Configuration Link-Layer C:\documents and settings\administrator\application data\mkhtbiczhsajrzg\abzywugkim.exe

* the names of the new files, and of the subdirectory they are in, differ for each infected computer