MAR-10132963 Malware Characterization

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Producer: US-CERT
Published: 2017-08-14T18:50:36.425206+00:00

Values carried in the report's structured data that could not be placed in the text: bmachine; F694.F694.G8WM.F694.F694.F694.F694.F694.F694; 6.4.17

Description

... .log. If the malware is able to connect, it will send the log file to the C2. In this analysis, the C2 was determined to be 202.126.90.89 (see Screenshot 1: Program Connection Log; the image is not reproduced here). If no results are returned, the malware will terminate.

The malware contains an attack component that accepts the following commands:

---Begin Bot Commands---
DownExec - Downloads and executes files (calls URLDownloadToFile)
ChngBotconfig - Changes the configuration of the bot
BotUpdate - Updates the attack modules
BotDie - Terminates the bot by calling a self-deleting batch file, msvcrt.bat
[No Name] - Starts a new attack
[No Name] - Stops the attack
---End Bot Commands---

The malware is capable of conducting three different types of attacks:

---Begin Attack List---
NTP_ATTACK - Network Time Protocol attack via UDP flood
CGN_ATTACK - Carrier Grade NAT attack targeting CGN IP addresses
DNS_ATTACK - Domain Name Service attack via UDP flood
---End Attack List---

When the Network Card Service (netplug) is started, the malware begins logging activity to the file .log, which is stored in the current directory.
The log file records all installation and connection activity associated with the bot and is written in plaintext. The entries below are reproduced as they appear in the binary, including the author's misspellings; search for them verbatim rather than for corrected spellings.

The following is a sample of log file entries associated with service startup:

---Begin Log File Entries---
AtkNum:
TotalPackets:
Resovle DnsName Falied: --> Written if unable to resolve the DNS name from the configuration file
__ResolveDnsName: --> Written if resolution is successful
:Connecting...: --> Written during the connection process
:Connected --> Written if the connection is successful
:HS Success --> Written if the HS step succeeds; if unsuccessful the socket will be closed
:Connection Failed --> Written if the connection fails
MyMain Started --> Service is initiated
CreateService Success --> Service is successfully created
StartService Success --> Service is successfully started
CreateBotMutex: ERROR_ALREADY_EXISTS --> The bot mutex already exists (another instance is running)
LoadConfig Failed: ERROR_ALREADY_EXISTS --> The service is already running
SERVICE_CONTROL_SHUTDOWN, error code = --> The service failed to start
SetServiceStatus failed, error code = --> The service is not configured correctly
**************Connection Fins... --> Written when the log is successfully sent to the C2
---End Log File Entries---

Each time the service is started, it attempts to open and read data from the configuration file (%d is a numeric value filled in at runtime):

---Begin Log File Entries---
ExtractPackage Failed: %d --> Written if the service fails to open the file
ExtractConfig Failed: %d --> Written if the service fails to read the file
ExtractPackage Success --> Written if the service successfully opens the file
ExtractConfig Success --> Written if the service successfully reads the file
Install and Run Success --> Written when the new configuration is installed successfully
---End Log File Entries---

When the service receives an attack command, the program creates a second log file, edbchk.log, in C:\Windows\System32\catroot2\. This file records only activity associated with the attack component.
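Because both logs are plaintext and the strings above are fixed in the binary, a host triage pass can identify them by content rather than by name or location. The following Python script is an added example and is not part of the MAR: it walks a directory, flags files that contain two or more of the documented markers (or an attack command, or that carry the edbchk.log name), and turns each file into an ordered event list, parsing the numeric argument of "Received Attack Cmd %d". The marker strings come from the report; the sample log content, the event names and the two-marker threshold are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Marker strings copied verbatim from the log entries documented in the report,
# including the author's misspellings; they are part of what makes the log recognisable.
INSTALL_MARKERS = {
    "MyMain Started": "service_init",
    "CreateService Success": "service_created",
    "StartService Success": "service_started",
    "CreateBotMutex: ERROR_ALREADY_EXISTS": "mutex_already_exists",
    "LoadConfig Failed: ERROR_ALREADY_EXISTS": "service_already_running",
    "ExtractPackage Success": "package_opened",
    "ExtractConfig Success": "config_read",
    "Install and Run Success": "config_installed",
    "Resovle DnsName Falied": "dns_resolve_failed",
    "__ResolveDnsName": "dns_resolved",
    ":Connecting...": "c2_connecting",
    ":Connected": "c2_connected",
    ":HS Success": "c2_hs_ok",
    ":Connection Failed": "c2_connect_failed",
    "Connection Fins...": "log_uploaded",
    "Waiting For NTP Attack": "attack_waiting",
}
ATTACK_CMD_RE = re.compile(r"Received Attack Cmd (\d+)")
# Attack-only log named in the report; its parent directory is C:\Windows\System32\catroot2\.
ATTACK_LOG_NAME = "edbchk.log"


def scan_text(text):
    """Map one log's lines to (event, detail) tuples in order of appearance."""
    events = []
    for line in text.splitlines():
        m = ATTACK_CMD_RE.search(line)
        if m:
            events.append(("attack_cmd_received", int(m.group(1))))
            continue
        for marker, event in INSTALL_MARKERS.items():
            if marker in line:
                events.append((event, line.strip()))
                break
    return events


def is_bot_log(name, events):
    """Keep a file on two distinct markers, an attack command, or the known attack-log name.
    The two-marker threshold is an assumption chosen to avoid single-string false positives."""
    kinds = {e for e, _ in events}
    return ("attack_cmd_received" in kinds or len(kinds) >= 2
            or (bool(events) and name.lower() == ATTACK_LOG_NAME))


def scan_directory(root, max_bytes=5_000_000):
    """Walk root and return {path: events} for files that look like the bot's logs."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        events = scan_text(text)
        if is_bot_log(path.name, events):
            hits[str(path)] = events
    return hits


# Constructed sample log content for the demonstration; not captures from the report.
SAMPLE_INSTALL_LOG = """MyMain Started
CreateService Success
StartService Success
ExtractPackage Success
ExtractConfig Success
Install and Run Success
__ResolveDnsName:
:Connecting...:
:Connected
:HS Success
**************Connection Fins...
"""
SAMPLE_ATTACK_LOG = """############## Received Attack Cmd 3#...
Waiting For NTP Attack ...Remain
"""


def demo():
    """Write the constructed logs plus a benign file into a temp dir, scan it, key hits by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".log").write_text(SAMPLE_INSTALL_LOG)
        (root / "catroot2").mkdir()
        (root / "catroot2" / ATTACK_LOG_NAME).write_text(SAMPLE_ATTACK_LOG)
        (root / "notes.txt").write_text("Connected to the printer, service started.\n")
        return {Path(p).name: events for p, events in scan_directory(root).items()}


if __name__ == "__main__":
    for name, events in demo().items():
        print(name)
        for event, detail in events:
            print(f"  {event}: {detail}")
```

Point scan_directory at a mounted image or a collected %SystemRoot%\System32\catroot2 directory; the event order in a hit is the timeline the report describes (service creation, configuration extraction, DNS resolution, C2 connection, log upload), and the integer from "Received Attack Cmd" is preserved so that it can be correlated with the attack list.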
The following entries can be written to edbchk.log (the list is truncated in the source after the second entry):

---Begin Log File Entries---
############## Received Attack Cmd %d#... --> Written when the attack command is received
Waiting For NTP Attack ...Remain
---End Log File Entries---

Details: 5D29DFE2EA9CA8DA3FF7A14FB20C5E86

Size: 180224 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 5d29dfe2ea9ca8da3ff7a14fb20c5e86
SHA1: 3fdf856b6fbcb23e7c3372a3f53ce26c0fe6de77
SHA256: e95c318d1b1906d57471bb524fff128356c160132d4230db04ab5898ec0eb145
SHA512: 6d4304dc3ad67bd31b4726c646bdd76a4e029a71d65223b6d437a6742cadacd5fef7769f649205542747289d3cdaec83c2ac1d8a1a03ef35f6d0326f0dcaea98
ssdeep: 3072:9sCh49HhQS2qaWuLYyJHYnGerQJDu70cSrzdZHlIbFX:9sCh4TQqaZYyJHYGen70lzdZFSZ
Entropy: 6.13711245238
Compile Date: 2014-12-17T14:03:38Z
Compiler: Microsoft Visual C++ v6.0
Sections: 5

PE Sections (Name, Size, Entropy, MD5)
(name not recovered)  4096   0.792314879114  6a5356bedf23ccecac180cd887c15de8
.text                 77824  6.14523436219   72d9f7da3d7eb917a18954668399ce67
.rdata                8192   3.96837828979   af59deeeff5d5f41ecdd092b80536d25
.data                 12288  4.24722552284   b994d715f522732213ea03cb2013a469
.rsrc                 77824  6.31904971708   219125d84f95e9ec104a49383da7b991

Relationships recorded for this file: Connected_To 202.126.90.89 (the C2 identified in the analysis; Screenshot 1: Program Connection Log); Connected_From 153.68.198.14; Related_To (target not recovered).

Details: 8F4FC2E10B6EC15A01E0AF24529040DD

Size: 53248 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 8f4fc2e10b6ec15a01e0af24529040dd
SHA1: b164ba5e5734c469839292ede4d5c04e76523bae
SHA256: aff73144a359020abbb4bde3f80858d822b840dd7171ba7946b77ba9b3487831
SHA512: 56c150b551ee5f276665defc55183cffc9eb8a919fc9ecaf8fb65d0e8af08f61caf9849007b4d4a43c994e7b99b52ed2f0c863bb4f4424ce77baf59a731cb630
ssdeep: 768:wH75DjuOD73BTzuqK6C1C+UjuoxxPDzREAY8aTk0kjo:W5pZCTUVjQpk0so
Entropy: 5.20908628282
Compile Date: 2015-08-25T09:09:28Z
Compiler: Microsoft Visual C++ v6.0
Sections: 4

PE Sections (Name, Size, Entropy, MD5)
(name not recovered)  4096   0.640698472599  a4fc300b72266ccce1977f93b1bca3b5
.text                 28672  6.07747984156   11eab7228491af5ac109f58055c8f94f
.rdata                12288  3.84897647617   6dd10b0e9a62a4943665e32d36c02b9f
.data                 8192   3.74298941886   1bdda8ad01a81904160d4aaff5028678

Relationships recorded for this file: Related_To (target not recovered).

Details: mimefilter.xml_584AC94142F0B7C0DF3D0ADDE6E661ED

Size: 528 bytes
Type: data
MD5: 584ac94142f0b7c0df3d0adde6e661ed
SHA1: 1f21185303b7992d6ef54b23e816d48911496b9d
SHA256: bd1233850f192dc34afe0e7738f98673718c5a9f5bc7f4710c3aa7da6f970346
SHA512: e026a92c53efc83814a3b3e32df5e6ce92b7a67bafcfe272cd74bd11ce147b075d9b7720ab77492257ba2b7592a3dfa265d2023e3f7d9e975ebc4571ee7ebd53
ssdeep: 12:N80aKgpdlWhMwlpIh1XdPDFVxzsSCe2nI8xm062UdYoPP4jySeNTi:N80ngJKrILd1vEm062UdNPor
Entropy: 7.59623010182

This is the bot's configuration file. An entropy of 7.596 over 528 bytes is consistent with encrypted content; Screenshot 2: Decrypted Config File (image not reproduced here) shows it after decryption. Relationships recorded for this file: Related_To 443 TCP; two further Related_To links whose targets were not recovered.

Details: 202.126.90.89

Relationships: Connected_From 5d29dfe2ea9ca8da3ff7a14fb20c5e86; Characterized_By the whois record below; two Related_To links whose targets were not recovered. Whois data reflects the registration at the time of the query in 2017 and should be re-verified before it is used for attribution or blocking.

inetnum:        202.126.90.0 - 202.126.90.255
netname:        ULUSNET
descr:          ULUSNET mobile WiMax subs pool#1
country:        MN
admin-c:        UNT1-AP
tech-c:         UNT1-AP
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-MN-ULUSNET
mnt-irt:        IRT-ULUSNET-MN
changed:        tuvshinbayar@mobicom.mn 20170727
source:         APNIC

irt:            IRT-ULUSNET-MN
address:        MPRP building, 313, Ulaanbaatar, Mongolia
e-mail:         manlai@ulusnet.mn
abuse-mailbox:  manlai@ulusnet.mn
admin-c:        NT331-AP
tech-c:         NT331-AP
auth:           # Filtered
mnt-by:         MAINT-MN-ULUSNET
changed:        manlai@ulusnet.mn 20110329
source:         APNIC

role:           Ulusnet Network Team
address:        Sambuu street - 47, Post office-38, Chingeltei district, Ulaanbaatar - 15171, Mongolia
country:        MN
phone:          +976-75759944
e-mail:         peering@mobicom.mn
admin-c:        NT331-AP
tech-c:         NT331-AP
nic-hdl:        UNT1-AP
mnt-by:         MAINT-MN-ULUSNET
changed:        tuvshinbayar@mobicom.mn 20170727
source:         APNIC

% Information related to '202.126.90.0/24AS38218'
route:          202.126.90.0/24
descr:          MN-MONGOLIA-ULUSNET
origin:         AS38218
mnt-by:         MAINT-MN-ULUSNET
changed:        manlai@ulusnet.mn 20090418
source:         APNIC

Details: 153.68.198.14

Relationships: Connected_To 5d29dfe2ea9ca8da3ff7a14fb20c5e86; Characterized_By the whois record below.

Queried whois.arin.net with "n 153.68.198.14"...

NetRange:       153.66.0.0 - 153.87.255.255
CIDR:           153.80.0.0/13, 153.72.0.0/13, 153.68.0.0/14, 153.66.0.0/15
NetName:        NCRWIN17
NetHandle:      NET-153-66-0-0-1
Parent:         APNIC-ERX-153 (NET-153-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   NCR Corporation (NCR)
RegDate:        1991-09-23
Updated:        2014-01-08
Ref:            https://whois.arin.net/rest/net/NET-153-66-0-0-1

OrgName:        NCR Corporation
OrgId:          NCR
Address:        GNCS - WHQ
Address:        3097 Satellite Blvd.
City:           Duluth
StateProv:      GA
PostalCode:     30096
Country:        US
RegDate:        1989-03-29
Updated:        2012-09-11
Ref:            https://whois.arin.net/rest/org/NCR

OrgTechHandle:  CGH3-ARIN
OrgTechName:    Haug, Chris Gordon
OrgTechPhone:   +1-905-819-4168
OrgTechEmail:   ch134537@ncr.com
OrgTechRef:     https://whois.arin.net/rest/poc/CGH3-ARIN

OrgAbuseHandle: CGH3-ARIN
OrgAbuseName:   Haug, Chris Gordon
OrgAbusePhone:  +1-905-819-4168
OrgAbuseEmail:  ch134537@ncr.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/CGH3-ARIN

OrgTechHandle:  SPEAR14-ARIN
OrgTechName:    spear, Bryan
OrgTechPhone:   +1-770-689-2237
OrgTechEmail:   BS185095@corp.ncr.com
OrgTechRef:     https://whois.arin.net/rest/poc/SPEAR14-ARIN

RTechHandle:    CGH3-ARIN
RTechName:      Haug, Chris Gordon
RTechPhone:     +1-905-819-4168
RTechEmail:     ch134537@ncr.com
RTechRef:       https://whois.arin.net/rest/poc/CGH3-ARIN

Indicators (Type, Category, Value, Producer, Created)
Suspicious File - MD5   Malware Artifacts  5d29dfe2ea9ca8da3ff7a14fb20c5e86          US-CERT  2017-08-02T03:16:03.073370+00:00
Suspicious File - SHA1  Malware Artifacts  3fdf856b6fbcb23e7c3372a3f53ce26c0fe6de77  US-CERT  2017-08-02T03:16:03.074343+00:00
Suspicious IP           IP Watchlist       202.126.90.89                             US-CERT  2017-08-02T03:16:15.905216+00:00
Suspicious File - MD5   Malware Artifacts  8f4fc2e10b6ec15a01e0af24529040dd          US-CERT  2017-08-02T03:16:28.857250+00:00
Suspicious File - SHA1  Malware Artifacts  b164ba5e5734c469839292ede4d5c04e76523bae  US-CERT  2017-08-02T03:16:28.858208+00:00
Suspicious File - MD5   Malware Artifacts  584ac94142f0b7c0df3d0adde6e661ed          US-CERT  2017-08-02T03:16:40.681322+00:00
Suspicious File - SHA1  Malware Artifacts  1f21185303b7992d6ef54b23e816d48911496b9d  US-CERT  2017-08-02T03:16:40.682321+00:00
Suspicious IP           IP Watchlist       153.68.198.14                             US-CERT  2017-08-03T15:45:11.482921+00:00

Antivirus (MAEC Characterization of 5d29dfe2ea9ca8da3ff7a14fb20c5e86)
ClamAV                        Win.Trojan.Agent-1388767
Kaspersky                     HackTool.Win32.Agent.aesh
Microsoft Security Essentials Backdoor:Win32/Winsec.B!dha
TrendMicro House Call         BKDR_SCADPRV.B
TrendMicro                    BKDR_SCADPRV.B

Antivirus (MAEC Characterization of 8f4fc2e10b6ec15a01e0af24529040dd)
nProtect                      Backdoor/W32.Agent.53248.LS
McAfee                        RDN/Generic BackDoor
NetGate                       Trojan.Win32.Malware
K7                            Riskware ( 0040eff71 )
Systweak                      trojan.deltacharlie
F-secure                      Trojan.GenericKD.5400227
Kaspersky                     Backdoor.Win32.Agent.guhi
BitDefender                   Trojan.GenericKD.5400227
Microsoft Security Essentials Trojan:Win32/Dynamer!rfn
Sophos                        Troj/DeltaC-A
TrendMicro House Call         BKDR_ESCAD.SMHA
TrendMicro                    BKDR_ESCAD.SMHA
Emsisoft                      Trojan.GenericKD.5400227 (B)
Avira                         TR/Fuery.kevww
Ahnlab                        Backdoor/Win32.Escad
ESET                          a variant of Generik.DXNZOSG trojan
NANOAV                        Trojan.Win32.Agent.eqhpcw
Vir.IT eXplorer               Trojan.Win32.Genus.BWG
Quick Heal                    DDoS.HidenCobra.S1166387
Ikarus                        Trojan.SuspectCRC
AVG                           SCGeneric2.BDVR

Antivirus (MAEC Characterization of 584ac94142f0b7c0df3d0adde6e661ed)
No detections listed.

Report: 10132963 (Malicious Code)
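The Details tables above (per-section size, entropy and MD5, the compile date, and the 7.596 entropy of the 528-byte configuration file) can be regenerated for any sample with a short section-table walker, which is also the quickest way to confirm that a file on disk is the one the report describes. The following Python is an added example and is not part of the MAR: it reads the DOS and COFF headers, walks the section headers, and reports size, Shannon entropy and MD5 for the region before the first section's raw data (listed as "header") and for each section, in the report's column order. The PE image it runs on is constructed inline: a minimal two-section image whose COFF timestamp is set to the first sample's compile date so the date rendering can be checked; it is not one of the report's samples, and the section names and contents are assumptions for the demonstration.

```python
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0), the statistic the report's tables use."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compile_time(pe: bytes) -> str:
    """COFF TimeDateStamp rendered like the report's Compile Date (e.g. 2014-12-17T14:03:38Z)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    ts = struct.unpack_from("<I", pe, e_lfanew + 4 + 4)[0]   # PE\0\0, then Machine, NumberOfSections
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def section_table(pe: bytes):
    """Return [(name, size, entropy, md5)]: first the bytes before the first section's raw data
    ("header"), then each section's raw data in section-header order."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    sec_hdr = coff + 20 + opt_size            # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = sec_hdr + i * 40                # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)   # SizeOfRawData, PointerToRawData
        sections.append((name, raw_ptr, raw_size))
    first_raw = min((p for _, p, s in sections if s), default=len(pe))
    chunks = [("header", pe[:first_raw])]
    chunks += [(name, pe[ptr:ptr + size]) for name, ptr, size in sections]
    return [(name, len(d), shannon_entropy(d), hashlib.md5(d).hexdigest()) for name, d in chunks]


def report(pe: bytes):
    """Rows in the report's column order, the compile date, and whether raw sizes sum to the file size
    (true for both PE samples in the report; an appended overlay would make it false)."""
    rows = section_table(pe)
    total = sum(size for _, size, _, _ in rows)
    return {"compile_date": compile_time(pe), "sections": rows, "sizes_sum_to_file": total == len(pe)}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image for the demonstration (not a sample from the report):
    0x200-byte header region, .text of 512 bytes with every byte value exactly twice (entropy 8.0),
    .data of 512 zero bytes (entropy 0.0). The timestamp equals the first sample's compile date."""
    e_lfanew, opt_size, ts = 0x80, 224, 1418825018   # 1418825018 == 2014-12-17T14:03:38Z
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    # Machine=i386, NumberOfSections=2, TimeDateStamp, SymTab ptr/count=0, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 2, ts, 0, 0, opt_size, 0x0102)
    sec_hdr = coff + 20 + opt_size
    text = bytes((i * 73 + 11) % 256 for i in range(512))
    data = bytes(512)
    layout = [(b".text", 0x1000, 0x200, text), (b".data", 0x2000, 0x400, data)]
    for i, (name, vaddr, raw_ptr, blob) in enumerate(layout):
        off = sec_hdr + i * 40
        hdr[off:off + 8] = name.ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<IIII", hdr, off + 8, len(blob), vaddr, len(blob), raw_ptr)
    return bytes(hdr) + text + data


if __name__ == "__main__":
    r = report(build_sample_pe())
    print("Compile Date:", r["compile_date"])
    print(f"{'Name':8} {'Size':>6} {'Entropy':>8}  MD5")
    for name, size, ent, md5 in r["sections"]:
        print(f"{name:8} {size:>6} {ent:8.4f}  {md5}")
```

To compare a file against the report, call report() on its bytes and match the per-section MD5 values and sizes against the tables above; for the two PE samples the raw sizes sum exactly to the file sizes (180224 and 53248), so "sizes_sum_to_file" should be true. shannon_entropy() applied to a candidate configuration file gives the same statistic as the 7.59623010182 in the mimefilter.xml entry; values near 8 over a few hundred bytes point to encrypted or compressed content, which is why the report shows that file decrypted in Screenshot 2.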