This malware is an information stealer, probably built for corporate espionage operations. We obtained three samples that were reported as Shakti malware.
The samples are:
https://www.virustotal.com/en/file/d6d64c61dada8b5ccfa970356057a6c2c7697f084922744c5a2e29aff079647b/analysis/1470314447/ - Main executable
https://www.virustotal.com/en/file/490974f9bbca168dbb3e2ca6552a2701e18cb09f29232b12ce4dfe0aa7ff342c/analysis/1471098701/ - Carrier dll
https://www.virustotal.com/en/file/343630542a5c402c6b02482bcbcdc258385606e74f11ecb7ab9c545031383179/analysis/ - Payload dll
We started our analysis with the main executable.
We found the following string in memory: "EA20E48B6CBC1134DCC52B9CD23479C7web4solution.net"
The hash "EA20E48B6CBC1134DCC52B9CD23479C7" we had already seen in the strings.

When we convert this hash to text we get: "HEMAN"
hxxp://web4solution.net is the C&C for this malware.


This file injects itself into the Google Chrome browser process and drops uninst.dll in the current directory.

It collects basic information about the system and sends it to the C&C server.


Both the carrier DLL and the payload DLL reveal the project directory in their strings:

00000000C0C8 00001000D6C8 0 E:\Projects\ComplexStatement\Shakti\Code\Carrier\Release\Carrier.pdb
00000000F700 000010010B00 0 E:\Projects\ComplexStatement\Shakti\Code\Payload\Release\Payload.pdb
Payload.dll comes with a hardcoded list of the file extensions the bot looks for:

They are targeting MS Office files, which are heavily used in day-to-day business. The malware fingerprints the victim system and carries a list of the OS versions targeted by this sample:
It looks specifically for the cluster server and datacentre editions.
IOC:
hxxp://web4solution.net/external/update
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\igfxtray [\path\to\trojan.exe]
%UserProfile%\uninst.dll
URL: hxxp://web4solution.net
IP: 75.98.32.104
Files:
b1380af637b4011e674644e0a1a53a64: main executable
bc05977b3f543ac1388c821274cbd22e: Carrier.dll
7d0ebb99055e931e03f7981843fdb540: Payload.dll
Other found samples:
8ea35293cbb0712a520c7b89059d5a2a
C&C: securedesignus.com
6992370821f8fbeea4a96f7be8015967
C&C: securedesignuk.com
d9181d69c40fc95d7d27448f5ece1878
C&C: web4solution.net
Conclusion:
We need to add the following C&C domains to our threat intelligence so that we can determine whether this infection exists in our environment:
C&C: web4solution.net
C&C: securedesignuk.com
C&C: securedesignus.com
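As an added example (not part of the original post), the following Python turns the indicators above into a small hunt script: it sweeps proxy log lines for requests to the three C&C domains (and the listed IP), flags the igfxtray Run value and any command referencing the dropped uninst.dll, and looks file hashes up against the sample list. The proxy log layout, the sample log lines and the Run-key export are assumptions constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the write-up above; SAMPLE_LOG and SAMPLE_RUN below are constructed.
CNC_HOSTS = {"web4solution.net", "securedesignus.com", "securedesignuk.com", "75.98.32.104"}
KNOWN_MD5 = {
    "b1380af637b4011e674644e0a1a53a64": "main executable",
    "bc05977b3f543ac1388c821274cbd22e": "Carrier.dll",
    "7d0ebb99055e931e03f7981843fdb540": "Payload.dll",
    "8ea35293cbb0712a520c7b89059d5a2a": "related sample (C&C securedesignus.com)",
    "6992370821f8fbeea4a96f7be8015967": "related sample (C&C securedesignuk.com)",
    "d9181d69c40fc95d7d27448f5ece1878": "related sample (C&C web4solution.net)",
}
RUN_VALUE_NAME = "igfxtray"   # HKCU\...\CurrentVersion\Run value used for persistence
DROPPED_DLL = "uninst.dll"    # dropped alongside the main executable
# Assumed proxy log layout (not from the page): "<date> <time> <client-ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) [A-Z]+ (?P<url>\S+)$")

def cnc_host(url):
    """Return the C&C domain/IP a URL points at (subdomains included), else None."""
    host = (urlsplit(url).hostname or "").lower()
    for ind in CNC_HOSTS:
        if host == ind or host.endswith("." + ind):
            return ind
    return None

def scan_proxy_log(lines):
    """Return (timestamp, client-ip, indicator) for every request to a known C&C."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and (ind := cnc_host(m["url"])):   # malformed lines are skipped, not fatal
            hits.append((m["ts"], m["src"], ind))
    return hits

def check_run_key(run_values):
    """run_values maps Run value names to commands; flag igfxtray and anything loading uninst.dll."""
    return [n for n, cmd in run_values.items()
            if n.lower() == RUN_VALUE_NAME or DROPPED_DLL in cmd.lower()]

def classify_hash(md5):
    return KNOWN_MD5.get(md5.lower())   # None for a hash not in the write-up

SAMPLE_LOG = [
    "2016-08-04 10:15:02 10.0.0.12 GET http://web4solution.net/external/update",
    "2016-08-04 10:15:09 10.0.0.12 GET http://www.example.com/index.html",
    "2016-08-04 10:16:41 10.0.0.31 POST http://cdn.securedesignuk.com/external/update",
    "garbage line that does not parse",
]
SAMPLE_RUN = {"OneDrive": "C:\\Program Files\\OneDrive.exe", "igfxtray": "C:\\path\\to\\trojan.exe"}
```

Running `scan_proxy_log(SAMPLE_LOG)` reports the two C&C contacts and ignores the benign and malformed lines; `check_run_key(SAMPLE_RUN)` returns only the igfxtray entry.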
newWorld
(Note: This post was created for learning purposes, to give an understanding of how a malware sample is analysed.)