Tuesday, February 21, 2017

Malicious IP analysis

We do not know whether the following IP address is malicious or not: 103.224.212(.)222
How should we proceed with the analysis?
Possible approach: search for it in VirusTotal.
Result: no engine flagged it.
VT link: https://www.virustotal.com/en/url/8982272eaf4d679b32716bcbef0d86183e251e4abd49b16547d800d93e42d7c7/analysis/1487660842/
Detection: 0/65.
Additional info:
Quttera: https://quttera.com/sitescan/103.224.212.222
Sucuri: https://sitecheck.sucuri.net/results/103.224.212.222



Possible approach: try it in IPVoid or URLVoid.
In this case IPVoid is our option, since we are dealing with an IP address. Three blacklists flagged it.

IP Address Information

Analysis Date: 2017-02-21 03:53:30
Blacklist Status: BLACKLISTED 3/83
IP Address: 103.224.212.222
Reverse DNS: lb-212-222.above.com
ASN: AS133618
ASN Owner: Trellian Pty. Limited
ISP: Trellian Pty. Limited
Continent: Oceania
Country Code: (AU) Australia
Latitude / Longitude: -33.494 / 143.2104
City: Unknown
Region: Unknown





Possible approach: search in ThreatCrowd.
Here we found plenty of results, including links to two malicious files.
ThreatCrowd link: https://www.threatcrowd.org/ip.php?ip=103.224.212.222
First file: https://www.threatcrowd.org/malware.php?md5=c98dc3be0c7fa850ad1a3161c3f8014a
MD5: c98dc3be0c7fa850ad1a3161c3f8014a
Filename: _b4c61441.tmp
VT link: https://www.virustotal.com/en/file/f42542c789a3d02513b0b031ab6ed1c7e5d0a476ea3e8c0b58e3a5c947a8867d/analysis/
Detection: potentially unwanted application / adware.


Second file: https://www.threatcrowd.org/malware.php?md5=e8e956637f36a97f251746016be22c30
MD5: e8e956637f36a97f251746016be22c30
Filename: diaiomjykaxu.exe
VT link: https://www.virustotal.com/en/file/56f64a3d7bb651b2f70b690e06be05ceab2a74eb147a12e13641b82eb0b5a5c3/analysis/
Detection: ransomware, Locky / TeslaCrypt filedecoder.
Another possible approach is a simple Google search.
We found the following URL:
It says that the IP belongs to Locky ransomware.


Recommendation


It is advised to block this IP address at the firewall and to add it to the blacklist for future verification. If you find this IP address in your network logs (any connection established with it), there is a high chance of a ransomware infection in the network; follow the general recommendations for ransomware infection.


We will cover the analysis of those two files in a future post.


Post created by
newWorld

Monday, February 20, 2017

Analysis of suspicious pdf

Analysis of suspicious PDF:
SWIFT CONFIRMATION.pdf: this PDF file looks suspicious. It came in for analysis, and we started to look into the code.


MD5: 524BAE85DB8BA5E6B161BC52D5B34113


(I searched for this MD5 in VirusTotal; it had been uploaded to VT just 7 hours before I wrote this post. Clean result, zero detections.)


This PDF sample connects to the following URLs:
hxxp://tinyurl.com/jy69pnw
hxxp://bit.ly/2bPBbCF        
hxxps://www.dropbox.com/s/nsuquv0bs5fv4s3/Swift%20Confirmation.scr?dl=1


All of these URLs are suspicious.
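Pulling link targets out of the PDF is the step that produces the URL list above. As an added example, not code from the original post, the following Python extracts the /URI targets from a PDF's raw bytes (decoding both literal and hex strings), reports them in the hxxp / [.] notation used in this write-up, and counts a few keywords an analyst checks before opening a sample; the embedded PDF fragment and its .example URLs are constructed placeholders, not the analysed file.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, not the analysed file: link annotations, one hex-encoded
# /URI, one escaped ")" in a literal string, an /OpenAction. URLs are placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://short.example/abc123) >> >> endobj
2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://files.example/s/x/Swift%20Confirmation.scr?dl=1) >> >> endobj
3 0 obj << /S /URI /URI <687474703a2f2f6865782e6578616d706c652f70> >> endobj
4 0 obj << /S /URI /URI (http://odd.example/a\\)b) >> endobj
5 0 obj << /Type /Catalog /OpenAction 6 0 R >> endobj
%%EOF
"""

# /URI followed by a literal string (...) with escapes, or a hex string <...>.
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")

def unescape_pdf_literal(raw: bytes) -> bytes:
    # Undo PDF literal-string escapes: \( \) \\ \n \r \t and octal \ddd.
    def repl(m):
        esc = m.group(1)
        if esc[:1] in b"01234567":
            return bytes([int(esc, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(esc, esc)
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, raw, flags=re.S)

def extract_uris(pdf: bytes) -> list:
    # Decoded /URI targets in file order. Regex-based, so objects inside compressed
    # object streams must be inflated first (e.g. qpdf --qdf) or they are missed.
    uris = []
    for m in _URI_RE.finditer(pdf):
        if m.group(1) is not None:
            raw = unescape_pdf_literal(m.group(1))
        else:
            hx = re.sub(rb"\s", b"", m.group(2))
            hx = hx + b"0" if len(hx) % 2 else hx  # PDF pads an odd hex string
            raw = bytes.fromhex(hx.decode("ascii"))
        uris.append(raw.decode("latin-1"))
    return uris

def defang(url: str) -> str:
    # Render a URL in the hxxp / [.] notation used in the write-up.
    p = urlsplit(url)
    tail = f"?{p.query}" if p.query else ""
    return f"{p.scheme.replace('http', 'hxxp')}://{p.netloc.replace('.', '[.]')}{p.path}{tail}"

def risky_keywords(pdf: bytes) -> dict:
    # Count PDF features worth checking before a sample is ever opened.
    return {k: len(re.findall(rb"/" + k.encode() + rb"\b", pdf))
            for k in ("OpenAction", "Launch", "JavaScript", "JS", "EmbeddedFile")}
```

Run `extract_uris` on the real sample's bytes and pass each result through `defang` to get a report that is safe to paste into a ticket.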
Execution of the PDF:

I executed the PDF file; the screenshot is attached below:

The content is masked and the document asks us to view it in Adobe online. That again follows the Dropbox link and leads to downloading a file named swift confirmation.scr.



(The "View on Adobe" link points to the Dropbox URL.)


Conversion of the shortened URLs to long URLs:


hxxp://tinyurl.com/jy69pnw  -  hxxp://www.childrenshomeinternational.org/https/PDF/cancel.htm


(Searched for that in Google; it leads to VirusTotal results: https://www.virustotal.com/en/url/10298ea7f52ad85cc4e2fe5ac36d8fcae679c1e4d9a9c23b18f845e54f977614/analysis/ - flagged as a malicious site.)




hxxp://bit.ly/2bPBbCF  -  hxxp://www.pdfupdatersacrobat.top/website/indexy.html




Finally we have the Dropbox link:


hxxps://www.dropbox.com/s/nsuquv0bs5fv4s3/Swift%20Confirmation.scr?dl=1


We downloaded the swift confirmation.scr file by accessing that Dropbox link in a controlled environment on a different network.

It is an executable file, not a regular .scr file. Pretty suspicious.


Version info:



It looks like it contains a digital signature, and the version info says the file belongs to Samsung Electronics Co. Ltd.
The digital signature does not match; check the snapshot below:



 
All these properties suggest the file is suspicious. Let's dive deeper into the code:
We checked the compiler information, and it says Microsoft Visual Basic 5.0 / 6.0.
Compiler: Microsoft Visual Basic 5.0 / 6.0. The file is packed.

