Wednesday, October 15, 2014

phish campaign named "Payment Advice"


This post will be my first attempt to write about malware analysis, since I'm kind of new in this arena, so bear with me :)
  • I came across the following file, which was sent via email:
    • Filename: 9757f0417b34d3029876c6e715c81935  Payment Advice.zip
      • unzipped file: a14b8cf65e2195d228b9b982e9e4d54c  Payment Advice.exe
    • Dropper site: woof:://tundecube[.]com/Payment%20Advice.zip
Once the file is executed, it performs the following actions on the system:
  • It drops the following files:
    • sides.exe a14b8cf65e2195d228b9b982e9e4d54c in %AppData%\Microsoft\Windows\Templates\
    • WindowsUpdate.exe a14b8cf65e2195d228b9b982e9e4d54c in %AppData%
    • pid.txt e22dd5dabde45eda5a1a67772c8e25dd in %AppData%
    • pidloc.txt cc02e1e3d512cb89ab8fce39614e7260 in %AppData%
  • It performs the following operations on the registry:
    • It sets side.exe to run at startup:
      • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\side  =  C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Templates\side.exe
    • It also sets WindowsUpdate.exe to run at startup, even though it is the same file as side.exe, probably in order to set up a backup persistence mechanism:
      • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update  =  C:\Users\Peter\AppData\Roaming\WindowsUpdate.exe
    • It opens a listener on port 49951 on localhost.
  • It makes the following connections:
    • 66.171.248.172/whatismyipaddress.com:80
    • 203.169.229.58/ns58.hostingspeed.net:21
    • 203.169.229.58/ns58.hostingspeed.net:2927
Deeper analysis of these communications shows that the malware queries whatismyipaddress.com in order to gather the victim's public IP address. It then opens an FTP connection to ns58.hostingspeed.net and, over that connection, uploads a file called Logger_Notification_PETER-PC 10.15.2014 1:39:00 PM.txt. See below for the FTP connection and the initial content of the file.

And here are the contents of the uploaded file. I suspect the file is a keylogger that sends logs from the system every 40 minutes:


Once 40 minutes have passed, it sends a report of the data it has collected; see below:

That is how this malware operates: it acts as a keylogger and a trojan. Thank you for reading.
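As an added example (not from the original post), here is detection logic for the two behaviours described above: the public-IP lookup followed by an outbound FTP session, run over constructed connection-log lines, and a review of HKCU Run values that point into the user's roaming AppData. The log format, the ALICE-PC host and the ftp.example.org and OneDrive entries are constructed assumptions; the PETER-PC entries mirror what the post observed.

```python
import re
from datetime import datetime, timedelta

# Constructed connection-log sample (not from the original post); one line per
# outbound connection: "YYYY-MM-DD HH:MM:SS host destination port".
SAMPLE_LOG = """\
2014-10-15 13:38:10 PETER-PC whatismyipaddress.com 80
2014-10-15 13:38:55 PETER-PC ns58.hostingspeed.net 21
2014-10-15 13:39:00 PETER-PC ns58.hostingspeed.net 2927
2014-10-15 13:40:00 ALICE-PC whatismyipaddress.com 80
2014-10-15 15:10:00 ALICE-PC ftp.example.org 21
"""

# Constructed HKCU Run values mirroring the two persistence entries in the post,
# plus one unrelated entry for contrast.
SAMPLE_RUN_VALUES = {
    "side": r"C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Templates\side.exe",
    "Windows Update": r"C:\Users\Peter\AppData\Roaming\WindowsUpdate.exe",
    "OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
}

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d+)$")

def parse_log(log):
    """Turn the log text into (timestamp, host, destination, port) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events

def ip_lookup_then_ftp(log, window=timedelta(minutes=5)):
    """Hosts that query whatismyipaddress.com and then open an outbound FTP
    control connection (port 21) within `window`: the sequence seen before upload."""
    last_lookup, hits = {}, []
    for ts, host, dst, port in sorted(parse_log(log)):
        if dst == "whatismyipaddress.com" and port == 80:
            last_lookup[host] = ts
        elif port == 21 and host in last_lookup and ts - last_lookup[host] <= window:
            hits.append((host, dst, ts.strftime("%Y-%m-%d %H:%M:%S")))
    return hits

def appdata_run_entries(run_values):
    """Names of Run values whose target lives under the user's roaming AppData,
    as both of the post's persistence entries do; these deserve a closer look."""
    return sorted(name for name, path in run_values.items()
                  if re.search(r"\\AppData\\Roaming\\", path, re.IGNORECASE))

if __name__ == "__main__":
    print(ip_lookup_then_ftp(SAMPLE_LOG))
    print(appdata_run_entries(SAMPLE_RUN_VALUES))
```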





Sunday, July 27, 2014

Installing/configuring Cuckoo sandbox requirements on an Ubuntu 14 VM on an ESX server

I'm afraid this first post will run a bit long, but I really hope the reader finds it informative and constructive. Here we go...

The first thing we want to do is make sure the Ubuntu box runs the Python version Cuckoo supports. Cuckoo supports version 2.7; see below:

labuser@MAE-cuckoo:~$ python --version
Python 2.7.6

With this in mind, we proceed to install the various Python libraries needed for a successful install. To make installing the libraries easier, we first install pip:

root@MAE-cuckoo:/home/labuser# apt-get install python-pip

Right after that, we install some requirements with pip:

root@MAE-cuckoo:/home/labuser# pip install sqlalchemy bson jinja2 yara

The next library to install is dpkt, which is critical for pcap processing. This library needs to be installed from source; it can be found here.
Once downloaded, decompress it and run the following command:

root@MAE-cuckoo:/home/labuser/cuckoo/dpkt-1.8# python setup.py install

In the case of yara, one needs to download it from its git repo and install it from source, but before attempting to install yara a few packages need to be installed; then proceed with the installation:


root@MAE-cuckoo:/home/labuser/cuckoo/yara-2.1.0# apt-get install automake libtool

root@MAE-cuckoo:/home/labuser/cuckoo/yara-2.1.0# ./build.sh


Next we install libvirt. This package needs to be installed from source, since it needs to be compiled with ESX support; a good guide on how to install it is here. However, on Ubuntu 14 there is some patching you must do in order to compile libvirt successfully:

In the file /usr/include/linux/if_bridge.h you must add the following include: #include <netinet/ip6.h>

and also run the following command: sed -i -e '/gets is a security/d' grub-core/gnulib/stdio.in.h

Also, if you're planning to install the latest version of libvirt, which is libvirt-1.2.5 at the time of this writing, you also need the following package: libpciaccess-dev. In addition

Then we install Django:
root@MAE-cuckoo:/home/labuser/cuckoo/libvirt-1.2.5# apt-get install python-django

Next we install the pefile lib:
root@MAE-cuckoo:/home/labuser/cuckoo# wget --no-check-certificate https://pefile.googlecode.com/files/pefile-1.2.10-139.tar.gz
root@MAE-cuckoo:/home/labuser/cuckoo/pefile-1.2.10-139# python setup.py install

Next we install Volatility:
root@MAE-cuckoo:/home/labuser/cuckoo/volatility-2.3.1# wget https://volatility.googlecode.com/files/volatility-2.3.1.tar.gz
root@MAE-cuckoo:/home/labuser/cuckoo/volatility-2.3.1# python setup.py install

Next we configure tcpdump so it can be run from a non-root account:
root@MAE-cuckoo:/home/labuser/cuckoo/volatility-2.3.1# setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Next we create the cuckoo user and group, which is the account Cuckoo will run under:
root@MAE-cuckoo:/home/labuser/cuckoo/volatility-2.3.1# adduser cuckoo
root@MAE-cuckoo:/home/labuser/cuckoo/volatility-2.3.1# groupadd cuckoogrp
root@MAE-cuckoo:/home/labuser/cuckoo/volatility-2.3.1# usermod -a -G cuckoogrp cuckoo

Now we are ready to download/install Cuckoo, which can be downloaded here. Once downloaded, the configuration is pretty straightforward; see here.
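Before configuring Cuckoo, it is worth confirming that the steps above actually took. The following preflight script is an added example, not part of the original post or of Cuckoo itself; it checks the interpreter version, that every Python library installed above imports, and that tcpdump carries the capabilities the setcap command granted. It is written to run under both Python 2.7 and 3; the getcap output formats it parses are the two styles libcap prints.

```python
import importlib
import re
import subprocess
import sys

# Added example, not part of the original post: preflight check for the host
# prepared above. Module names and the tcpdump path are the ones the post uses.
REQUIRED_MODULES = ["sqlalchemy", "bson", "jinja2", "yara", "dpkt",
                    "django", "pefile", "volatility"]
TCPDUMP = "/usr/sbin/tcpdump"
# Matches both getcap styles: "<path> = cap_a,cap_b+eip" and "<path> cap_a,cap_b=eip".
CAPS_RE = re.compile(r"=?\s*([a-z_,]+)[+=]([eip]+)\s*$")

def python_ok(version_info):
    """Cuckoo (at the time of the post) wants a 2.7.x interpreter."""
    return tuple(version_info[:2]) == (2, 7)

def missing_modules(names):
    """Names from `names` that cannot be imported on this host."""
    missing = []
    for name in names:
        try:
            importlib.import_module(name)
        except ImportError:
            missing.append(name)
    return missing

def tcpdump_caps_ok(getcap_line):
    """True when the getcap line grants cap_net_raw and cap_net_admin with the
    effective flag, i.e. what `setcap cap_net_raw,cap_net_admin=eip` set."""
    m = CAPS_RE.search(getcap_line)
    if not m:
        return False
    caps = set(m.group(1).split(","))
    return {"cap_net_raw", "cap_net_admin"} <= caps and "e" in m.group(2)

def run_checks():
    """Run every check against the live host; returns a list of problems found."""
    problems = []
    if not python_ok(sys.version_info):
        problems.append("python %s is not 2.7.x" % sys.version.split()[0])
    for name in missing_modules(REQUIRED_MODULES):
        problems.append("python module %s is not importable" % name)
    try:
        out = subprocess.check_output(["getcap", TCPDUMP]).decode()
    except (OSError, subprocess.CalledProcessError):
        out = ""  # getcap missing or tcpdump has no file capabilities
    if not tcpdump_caps_ok(out.strip()):
        problems.append("%s lacks cap_net_raw,cap_net_admin=eip" % TCPDUMP)
    return problems
```

Call run_checks() from an interactive session on the Cuckoo host; an empty list means every requirement from this post is in place.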

Thanks for reading, and stay tuned for the next post, which will be about preparing VMs for the Cuckoo environment.