Friday, April 27, 2018

Details of Lokibot - Malspam

#Lokibot #malspam
new stub.exe
dumped #lokibot
sha256 C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe 4878c77955611f9641100aae97867c5d3bd4183aa8ddf4b45ca453990f5f51fa 

IOC details:

Malicious IP address: 91.234.99(.)171
Malicious url hxxp://dealinproces(.)com/doll/Panel/five/fre.php

post by

Monday, April 16, 2018

Interesting File in VT:

Today, one of the malware researchers reported a VirusTotal link in the twitter. The interesting part is the file's creation time and mentioning of sample seen in the wild.

The sample in the VT

First Seen in the wild
ExifTool detail
The above screenshot of the comments from malware researcher on twitter.

Post made by

Thursday, April 12, 2018

Microsoft Patch Tuesday for April 2018:

Microsoft patches 66 bugs and 24 of them were rated as critical. Among that 24 critical bug, a bug in the SharePoint is noted as worthy of attention. CVE-2018-1034, privilege elevation bug in the SharePoint. “An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server,” Microsoft said. They also warned users of five Graphics Remote Code Execution bugs (CVE-2018-1010, -1012, -1013, -1015, -1016) knotted to the Windows Font Library. “Each of these patches covers a vulnerability in embedded fonts that could allow code execution at the logged-on user level. Since there are many ways to view fonts – web browsing, documents, attachments – it’s a broad attack surface and attractive to attackers,” Zero Day Initiative team noted.

Analysis of Potentially Unwanted Application

During the log analysis, our malware researcher spotted a virus detection where an URL getting blocked as malware. Let us analyse this case:

Blocked URL: 

Malicious URL
We visited the URL in control environment which is dedicated to malware analysis. It downloads a PE file as Update.msi. Meanwhile, we checked in the VirusTotal for the URL scan results and if any downloading of the file gets cross verified by VirusTotal. 

VT result for the malicious URL

We traversed to the detection rate for the downloaded file which is flagged as a potentially unwanted application (PUA). ESET detection as CrossRider which is PUA variant. 

File Hash- VT result

When we checked the relationship tab on the VirusTotal page, it shows another archive file which gets flagged many antimalware engines listed on the VirusTotal page. They all detect the sample as Adware.Googupdate. 

Related File in the VirusTotal

VirusTotal Links for the reader's reference:

URL Detection:

Downloaded File:

Related File:

Analysis of the Malware file:

The file is a potentially unwanted application. It falls under the family of Googupdate variants and crossrider variants.
It will target the web browsers and change the settings so that it can perform start page hijack, search page hijack in that infected systems.

Dissecting of that given binary in controlled environment:
We found following things:

It looks for the browser:
000000004F30   000010006930      0   %ProgramFiles%\Google\Chrome\Application\%BROWSNAMEC%.exe
000000004FA8   0000100069A8      0   %ProgramW6432%\Google\Chrome\Application\%BROWSNAMEC%.exe
000000005020   000010006A20      0   %LOCALAPPDATA%\Google\Chrome\Application\%BROWSNAMEC%.exe
000000005098   000010006A98      0   %LOCALAPPDATA%\Chrome\Application\%BROWSNAMEC%.exe
000000005100   000010006B00      0   Google Chrome
00000000511C   000010006B1C      0   Chrome
00000000512C   000010006B2C      0   %s\chrome.exe
000000005148   000010006B48      0   select * from win32_process where executablepath like "%%BROWSNAMEC%.exe"
0000000051DC   000010006BDC      0   executablepath
0000000051FC   000010006BFC      0   Mozilla Firefox

This file checks for the following information:

000000005240   000010006C40      0   SOFTWARE\Microsoft\Windows NT\CurrentVersion
00000000529C   000010006C9C      0   CurrentMajorVersionNumber
0000000052D0   000010006CD0      0   CurrentMinorVersionNumber
000000005304   000010006D04      0   CurrentVersion
000000005324   000010006D24      0   ProgramW6432
000000005340   000010006D40      0   %d--%d--%d
000000005358   000010006D58      0   username
000000005370   000010006D70      0   select * from win32_computersystem
0000000053BC   000010006DBC      0   serialNumber
0000000053D8   000010006DD8      0   select * from win32_volume
000000005410   000010006E10      0   filesystem
000000005428   000010006E28      0   version
000000005438   000010006E38      0   select * from win32_bios
00000000546C   000010006E6C      0   serialnumber
000000005488   000010006E88      0   select * from win32_physicalmedia
0000000054E8   000010006EE8      0   BINRES
0000000054F8   000010006EF8      0   explorer.exe
000000005518   000010006F18      0   %s %s %s "%s" "%s" "%s" %d "%s" %s
000000005560   000010006F60      0   Software\CLASSES\CLSID\{9563BC59-9556-4805-8CD4-886781779D8D}

These are the sites found in the memory:

000000006800   000010009000      0
000000006A58   000010009258      0
000000006BE8   0000100093E8      0


-Check whether any weird behaviour in the web browser settings i.e. changes in the web browser settings.
-Any changes in the start page (homepage) instead of your favourite home page or default browser page.
-Check for more kind of popup ads.

Recommended actions: 

-Don't open popup ads, since it may lead to the installation of this sort of PUA files in your system.
-Use recommended adware cleaner. But, most of the AV products will remove these stuff. A proper update is important.

Setting up breakpoints in VirtualAlloc and VirtualProtect during malware analysis:

 Malware analysts add breakpoints in functions like `VirtualProtect` and `VirtualAlloc` for several key reasons: Understanding Malware Behav...