MAR-10132963 Malware Characterization

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise. This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

US-CERT, 2017-08-14

.log. If the malware is able to connect, it will send the log file to the C2. In this analysis, the C2 was determined to be 202.126.90.89. See Screenshot 1. If no results are returned, the malware will terminate.
The malware contains an attack component that can perform the following commands:
---Begin Bot Commands---
DownExec - Downloads and executes files (calls URLDownloadToFile)
ChngBotconfig - Changes the configuration of the bot
BotUpdate - Updates the attack modules
BotDie - Terminates the bot by calling a self-deleting batch file, msvcrt.bat
[No Name] - Starts a new attack
[No Name] - Stops the attack
---End Bot Commands---
The malware is capable of conducting three different types of attacks:
---Begin Attack List---
NTP_ATTACK - Network Time Protocol attack via UDP flood
CGN_ATTACK - Carrier Grade NAT attack targeting CGN IP addresses
DNS_ATTACK - Domain Name Service attack via UDP flood
---End Attack List---
When the Network Card Service (netplug) is started, the malware begins logging activity to the file .log, which is stored in the current directory. The log file records all installation and connection activity associated with the bot and is written in plaintext. The following is a sample of the log file entries associated with service startup:
---Begin Log File Entries---
AtkNum:
TotalPackets:
Resovle DnsName Falied: --> Written if unable to resolve DNS name from configuration file
__ResolveDnsName: --> Written if resolution is successful
:Connecting...: --> Written during connection process
:Connected --> Written if connection is successful
:HS Success --> If unsuccessful the socket will be closed
:Connection Failed --> Written if connection fails
MyMain Started --> Service is initiated
CreateService Success --> Service is successfully created
StartService Success --> Service is successfully started
CreateBotMutex: ERROR_ALREADY_EXISTS --> Mutex is successfully created
LoadConfig Failed: ERROR_ALREADY_EXISTS --> The service is already running
SERVICE_CONTROL_SHUTDOWN, error code = --> The service failed to start
SetServiceStatus failed, error code = --> The service is not configured correctly
**************Connection Fins... --> Written when the log is successfully sent to the C2
---End Log File Entries---
Each time the service is started, it will attempt to open and read data from the configuration file:
---Begin Log File Entries---
ExtractPackage Failed: %d --> Written if the service fails to open the file
ExtractConfig Failed: %d --> Written if the service fails to read the file
ExtractPackage Success --> Written if the service successfully opens the file
ExtractConfig Success --> Written if the service successfully reads the file
Install and Run Success --> Written if the new config installation is successful
---End Log File Entries---
When the service receives an attack command, the program creates a new log file called edbchk.log. This file is stored in C:\Windows\System32\catroot2\ and records all activity associated with the attack bot only. The following entries can be written to the log:
---Begin Log File Entries---
############## Received Attack Cmd %d#... --> Written when the attack command is received
Waiting For NTP Attack ...Remain
Screenshot 1: Program Connection Log
Screenshot 2: Decrypted Config File
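A defender-side check built from the log strings listed above (an added example, not code from the MAR or from the malware): it scans a captured log for the entries the report attributes to the bot and reports which activity phases are present. The grouping into phases and the match/weak/none thresholds are assumptions of this example, not something the report states.

```python
# Added example, not part of the MAR or the malware: match the literal log
# strings the report lists against a captured log file. The misspellings are
# the malware's own and are good high-signal matches. Per the report, the main
# log is written to the bot's current directory and attack-bot activity to
# C:\Windows\System32\catroot2\edbchk.log.

# Literal log strings from the report, grouped by the activity they record.
LOG_SIGNATURES = {
    "install": ["MyMain Started", "CreateService Success", "StartService Success",
                "CreateBotMutex: ERROR_ALREADY_EXISTS"],
    "config": ["ExtractPackage Success", "ExtractConfig Success",
               "Install and Run Success"],
    "connect": ["Resovle DnsName Falied:", "__ResolveDnsName:", ":Connecting...",
                ":Connected", ":HS Success", "Connection Fins..."],
    "attack": ["Received Attack Cmd", "Waiting For NTP Attack", "AtkNum:", "TotalPackets:"],
}

# Strings unlikely to occur in a benign log; one hit is enough to flag the file.
HIGH_CONFIDENCE = {"Resovle DnsName Falied:", "CreateBotMutex: ERROR_ALREADY_EXISTS",
                   "Received Attack Cmd"}

def scan_log(text):
    """Return {phase: [matched signatures]} for every phase with at least one hit."""
    hits = {}
    for phase, needles in LOG_SIGNATURES.items():
        found = [n for n in needles if n in text]
        if found:
            hits[phase] = found
    return hits

def verdict(text):
    """'match' on a high-confidence string or on two distinct phases,
    'weak' on a single phase, 'none' otherwise (thresholds are assumptions)."""
    hits = scan_log(text)
    if len(hits) >= 2 or any(n in HIGH_CONFIDENCE for f in hits.values() for n in f):
        return "match"
    return "weak" if hits else "none"

# Constructed sample of a startup-and-connect sequence (not a real capture).
SAMPLE_LOG = """MyMain Started
CreateService Success
StartService Success
ExtractConfig Success
__ResolveDnsName:
:Connecting...
:Connected
:HS Success
**************Connection Fins...
"""
```

Calling verdict(SAMPLE_LOG) returns "match" and scan_log(SAMPLE_LOG) lists the install, config and connect phases; point the same functions at the contents of the edbchk.log file to pick up the attack-phase entries.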
Queried whois.arin.net with "n 153.68.198.14"...