------------------------------
2/12/2019
https://app.any.run/tasks/c72c5d4e-510e-4d5d-a863-502ecc3ea777
https://www.virustotal.com/#/file/57d57613ef46c879ca65a307b52625628b706601bf10cebad126d5bbcbbc9118/detection
hxxp://85.143.220.1/sin.png
Compiler:
- Microsoft Visual Basic(6.0)[Native]
Running behavior: (RUN AS ADMINISTRATOR)
- saw child process of cmd and powershell
- saw child process with random name (tsjclbpt.exe) with child of svchost, then disappeared
- a few minutes later svchost.exe re-appeared with multiple child processes of the same name
- wrote copy of itself %appdata%\roaming\sysdefrag\tsjclbpt.exe
- wrote settings.ini in same folder with random strings in it
- wrote Data folder in same folder with pwgrab, systeminfo, injectdll files
- captured no dns or http network traffic
Memory strings while Running:
- closed too fast to capture initially but when svchost.exe re-opened captured one of it's children
--- strings that look like url params (serialNumber=, emailAddress=, ?456789:;<=, /snapshoot/)
--- a string for login data (\google\chrome\...\Login Data.bak , Grab_Passwords_Chrome, Outlook password)
--- repeated strings (WATAUAVAWH, @A_A^A]A\_)
--- strings of language/country (french-canadian, italian-swiss, spanish-honduras, etc.)
--- copyright string (P.J. Plauger, licensed by Dinkumware)
--- lots of functions that start with "Crypt"
--- lots of numerical decimal type numbers (1.2.840.113549.1.95, 1.3.6.1.5.5.7.2.2, etc.)
--- string that looks like pc info (sin6/PCNAME.RANDOMLETTERS/83/)
--- Numerous IP addresses in a row with various ports (190.146.112.216:8082, 97.87.127.198:80, etc.)
--- html / xml like tags (<dpost>, <handler>)
--- table names like (tablecredit_cards, server_addresses, card_metadata)
--- lists of encryption algorithms (AES-128-CBC, DES-EDE3-CBC, SSL_RSA, TLS_RSA, etc.)
--- strings that look like url params (serialNumber=, emailAddress=, ?456789:;<=, /snapshoot/)
--- a string for login data (\google\chrome\...\Login Data.bak , Grab_Passwords_Chrome, Outlook password)
--- repeated strings (WATAUAVAWH, @A_A^A]A\_)
--- strings of language/country (french-canadian, italian-swiss, spanish-honduras, etc.)
--- copyright string (P.J. Plauger, licensed by Dinkumware)
--- lots of functions that start with "Crypt"
--- lots of numerical decimal type numbers (1.2.840.113549.1.95, 1.3.6.1.5.5.7.2.2, etc.)
--- string that looks like pc info (sin6/PCNAME.RANDOMLETTERS/83/)
--- Numerous IP addresses in a row with various ports (190.146.112.216:8082, 97.87.127.198:80, etc.)
--- html / xml like tags (<dpost>, <handler>)
--- table names like (tablecredit_cards, server_addresses, card_metadata)
--- lists of encryption algorithms (AES-128-CBC, DES-EDE3-CBC, SSL_RSA, TLS_RSA, etc.)
IDA Pro Behavior (RUN AS ADMINISTRATOR)
- It ran successfully, i saw all the child processes spawned, etc then it exited with code 0
2/8/2019
https://app.any.run/tasks/b621b7ef-eeb0-4d87-93cb-36b8bebb8c5b
https://www.virustotal.com/#/file/41b6047c2edf7edcd565450ef04b92a5aa9b0a29cf35e0b2a3f27538d21559df/detection
Compiler:
- Microsoft Visual C/C++(-)[-]
Running behavior: (RUN AS ADMINISTRATOR)
- saw cmd launch powershell immediately after
- saw a new svchost.exe running temporarily then disappears
- popup saying windows defender was deleted
- a few minutes later svchost.exe starts up again with 1 child process also named svchost.exe
- wrote copy of itself to %appdata%\roaming\cleanmem\vasao.exe
- wrote settings.ini in same folder with random strings in it
- wrote Data folder in same folder with pwgrab, systeminfo, injectdll files
- captured no real dns or http network traffic except dns lookup to "ident.me" (176.58.123.25)
Memory strings while Running:
- closed too fast to get memory capture on 1st one, but grabbed svchost.exe child again
--- lots of functions that start with "Crypt"
--- lots of numerical decimal type numbers (1.2.840.113549.1.95, 1.3.6.1.5.5.7.2.2, etc.)
--- lots of functions that start with "Crypt"
--- lots of numerical decimal type numbers (1.2.840.113549.1.95, 1.3.6.1.5.5.7.2.2, etc.)
--- urls & ip (6lwyu54ybblfuex6.onion , 185.62.188.30:443)
--- Numerous IP addresses in a row with various ports ( 68.119.85.138:449, 103.47.169.27:449)
--- string that looks like pc info (sat36/PCNAME_RANDOMCHARACTERS/5/spk/)
--- tons of strings about Certificates from Verisign, GoDaddy, Symantec, etc.
--- repeated strings (WATAUAVAWH, @A_A^A]A\_)
IDA Pro Behavior (RUN AS ADMINISTRATOR)
- It ran successfully, i saw all the child processes spawned, etc then it exited with code 0
No comments:
Post a Comment