samples size ‘689908’ and ShortCRC ‘3008032050’.
All these samples are random based on behavior (drops same set of payloads).
File doesn’t seem to use any specific packer but strings are encrypted and it uses overlay
data.
All these files have same MD5 for it sections. So the MD5 differs only based on overlay
data. Usually malware use the overlay data for randomization.
If you strip the ExtraDat overlay data from all these files their MD5 was found to be
same. Based on these I confirm these files are random.
Below you can see the different sections available in all these files. Here .text section
contains the code characteristics so possibly I will hash the entire .text section since it is
common for all these files.
It seems to be plain file. I was able to see all the Code and APIs used by the file. May be
the data are encrypted.
On execution, this file allocates space and writes all the information (payloads it is going
to drop) in the buffer.
Creates a file S7JdZrvW.exe in the %userprofile% folder.
Writes the data from the buffer to the newly created file S7JdZrvW.exe (SillyFDC file)
Sets file time and file attributes to the file S7JdZrvW.exe.
Likewise it drops the following files:
"C:\\Documents and Settings\\---------------\\tell.exe" – TDSS file
"C:\\Documents and Settings\\---------------\\telm.exe" – Trojan-Hiloti file
Then it executes all the dropped files one by one.
0012F984 0041DE00 |CommandLine = "tell.exe"
0012F984 0041DDB0 |CommandLine = "telm.exe"
At last the installer self deletes itself calling cmd /c del
All the above mentioned code is identified in the .text section of the file. Since we
already know this section is common for all the samples I am hashing it entirely.
Scan log:
11/11/2011 12:55:47 PM: Removal process completed. Elapsed time 00:00:18
11/11/2011 12:55:29 PM: Quarantining All Traces: trojan-dropper-zb
11/11/2011 12:55:29 PM: Removal process initiated
11/11/2011 12:52:19 PM: Traces Found: 21
All these samples are random based on behavior (drops same set of payloads).
File doesn’t seem to use any specific packer but strings are encrypted and it uses overlay
data.
All these files have same MD5 for it sections. So the MD5 differs only based on overlay
data. Usually malware use the overlay data for randomization.
If you strip the ExtraDat overlay data from all these files their MD5 was found to be
same. Based on these I confirm these files are random.
Below you can see the different sections available in all these files. Here .text section
contains the code characteristics so possibly I will hash the entire .text section since it is
common for all these files.
It seems to be plain file. I was able to see all the Code and APIs used by the file. May be
the data are encrypted.
On execution, this file allocates space and writes all the information (payloads it is going
to drop) in the buffer.
Creates a file S7JdZrvW.exe in the %userprofile% folder.
Writes the data from the buffer to the newly created file S7JdZrvW.exe (SillyFDC file)
Sets file time and file attributes to the file S7JdZrvW.exe.
Likewise it drops the following files:
"C:\\Documents and Settings\\---------------\\tell.exe" – TDSS file
"C:\\Documents and Settings\\---------------\\telm.exe" – Trojan-Hiloti file
Then it executes all the dropped files one by one.
0012F984 0041DE00 |CommandLine = "tell.exe"
0012F984 0041DDB0 |CommandLine = "telm.exe"
At last the installer self deletes itself calling cmd /c del
All the above mentioned code is identified in the .text section of the file. Since we
already know this section is common for all the samples I am hashing it entirely.
Scan log:
11/11/2011 12:55:47 PM: Removal process completed. Elapsed time 00:00:18
11/11/2011 12:55:29 PM: Quarantining All Traces: trojan-dropper-zb
11/11/2011 12:55:29 PM: Removal process initiated
11/11/2011 12:52:19 PM: Traces Found: 21
No comments:
Post a Comment