1fa8159447d1629e2e703a9136403100

From aldeid

Description

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your understanding.

Detection

Antivirus     Result                      Update
Kaspersky     HEUR:Trojan.Win32.Generic   20130614
Malwarebytes  Trojan.FakeMS               20130614
Panda         Suspicious file             20130613

File information

Suspicious files

%user%\application data\
├── Apvim
│   └── fudya.poz
├── Cywino
│   └── opomu.exe
├── ivivo
│   ├── cache
│   │   ├── CACHEDIR.TAG
│   │   └── plugins-04041e.dat
│   ├── ivivobin
│   └── ivivorc
└── Izpibe

opomu.exe

  • SHA256: fc40bcdc2b5ce4b84c93cf01048f0715910ad25470d8f2799e3b85fb1a2bf264
  • SHA1: aaa4c81b1227d09a081d63d2171602e8c0e07ace
  • MD5: 1fa8159447d1629e2e703a9136403100
  • File size: 354.0 KB (362496 bytes)
  • File name: opomu.exe
  • File type: Win32 EXE
  • Detection ratio: 3 / 47 (2013-06-14 11:19:27 UTC)
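The paths and hashes above are enough for a quick host sweep. The following is an added example for this page, not the sample's code and not something the aldeid article ships: it looks for the listed artifact names under a copy of the user's Application Data directory and hashes every executable it finds against the opomu.exe digests. Name hits are weak on their own (CACHEDIR.TAG is a generic cache marker and the directory names look randomly generated per infection); a hash hit is strong. The tree built by make_fixture() is constructed for an offline run and holds placeholder bytes, not the binary.

```python
"""Added example: sweep an Application Data copy for the artifacts listed above.
Not from the aldeid page and not the malware's code; fixture data is constructed."""
import hashlib
import tempfile
from pathlib import Path

# Relative paths under %user%\Application Data, as listed on the page.
IOC_PATHS = [
    "Apvim/fudya.poz",
    "Cywino/opomu.exe",
    "ivivo/cache/CACHEDIR.TAG",
    "ivivo/cache/plugins-04041e.dat",
    "ivivo/ivivobin",
    "ivivo/ivivorc",
    "Izpibe",
]

# Digests of opomu.exe from the page; any one of them identifies the sample.
IOC_HASHES = {
    "sha256": "fc40bcdc2b5ce4b84c93cf01048f0715910ad25470d8f2799e3b85fb1a2bf264",
    "sha1": "aaa4c81b1227d09a081d63d2171602e8c0e07ace",
    "md5": "1fa8159447d1629e2e703a9136403100",
}
IOC_SIZE = 362496


def file_hashes(path):
    """Compute md5, sha1 and sha256 in a single pass over the file."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep(appdata):
    """Return (relative path, reason, strength) for every match under appdata."""
    root = Path(appdata)
    hits = []
    for rel in IOC_PATHS:
        if (root / rel).exists():
            hits.append((rel, "listed artifact name present", "weak"))
    # Hash every executable regardless of its name: a renamed dropper still matches.
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() != ".exe":
            continue
        digests = file_hashes(p)
        rel = p.relative_to(root).as_posix()
        if any(digests[k] == v for k, v in IOC_HASHES.items()):
            hits.append((rel, "hash matches opomu.exe", "strong"))
        elif p.stat().st_size == IOC_SIZE:
            hits.append((rel, "size matches opomu.exe but hash differs", "weak"))
    return hits


def make_fixture():
    """Constructed test tree: two listed names with placeholder bytes plus a benign file."""
    root = Path(tempfile.mkdtemp(prefix="appdata_"))
    (root / "Cywino").mkdir()
    (root / "Cywino" / "opomu.exe").write_bytes(b"MZ placeholder, not the real sample")
    (root / "Apvim").mkdir()
    (root / "Apvim" / "fudya.poz").write_bytes(b"\x00" * 16)
    (root / "Microsoft" / "Crypto").mkdir(parents=True)
    (root / "Microsoft" / "Crypto" / "keys.dat").write_bytes(b"benign")
    return root


if __name__ == "__main__":
    for rel, reason, strength in sweep(make_fixture()):
        print(f"[{strength}] {rel}: {reason}")
```

On a real host, point sweep() at the mounted profile's Application Data directory (or at a forensic image) rather than at the fixture; the size check exists only so that a file that is the right length but hashes differently gets a second look instead of being ignored.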

Network behavior

Connects to http://www.google.com/webhp. This is the only network activity recorded; a request to Google of this kind is typically a connectivity check rather than command and control, and no other host was observed during the run.

Impacts

  • Key, Mouse, Clipboard, Microphone and Screen Capturing
    • Contains functionality to read the clipboard data
    • Contains functionality to retrieve information about pressed keystrokes
  • Networking
    • Contains functionality to download additional files from the internet
    • Urls found in memory or binary data
      • http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x.php (a printf-style template: the 8, 4 and 4 bytes it consumes are rendered as 16, 8 and 8 lowercase hex digits; where those bytes come from is not shown here)
      • http://www.google.com/webhp
    • Found strings which match to known social media urls
      • String found in binary or memory: facebook.com equals www.facebook.com (Facebook)
  • Remote Access Functionality
    • Contains VNC / remote desktop functionality (RFB version string found)
  • Obfuscation/Evasion
    • Binary may include packed or crypted data
    • Contains functionality to dynamically determine API calls
    • PE file contains sections with non-standard names
    • PE sections with suspicious entropy found
    • HIPS / PFW / Operating System Protection Evasion
      • Contains functionality to add an ACL to a security descriptor
      • Contains functionality to create a new security descriptor
      • Contains functionality to inject threads in other processes
    • Anti Debugging
      • Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
      • Contains functionality to dynamically determine API calls
      • Contains functionality which may be used to detect a debugger (GetProcessHeap)
      • Creates guard pages, often used to prevent reverse engineering and debugging
      • Program does not show much activity (idle)
    • Virtual Machine Detection
      • Contains functionality to enumerate / list files inside a directory
      • Contains functionality to query local drives
  • Spreading
    • Contains functionality to enumerate / list files inside a directory
    • Contains functionality to query local drives
  • System Summary
    • Contains functionality to access the windows certificate store
    • Contains functionality to adjust token privileges (e.g. debug / backup)
    • Contains functionality to enum processes or threads
    • Contains functionality to call native functions
    • Contains functionality to shutdown / reboot the system
    • Language, Device and Operating System Detection
      • Contains functionality to query local / system time
      • Contains functionality to query the account / user name
      • Contains functionality to query time zone information
      • Contains functionality to query windows version
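The URL template found in memory is the most useful network indicator on this page, because it fixes the exact shape of any request the sample would make once it fills in the bytes. The following added example (written for this page, not taken from the sample or from aldeid) renders the template the way sprintf would for a given 16 bytes and derives a proxy-log regex from the same string so the two cannot drift apart. How the sample chooses those bytes is not on the page; the bytes and the log lines below are constructed for an offline run.

```python
"""Added example: render and detect the printf-style URL template found in the
sample. Not from the aldeid page and not the malware's code; inputs are constructed."""
import re

# Copied verbatim from the strings found in memory.
TEMPLATE = ("http://%02x%02x%02x%02x%02x%02x%02x%02x.com/"
            "%02x%02x%02x%02x/%02x%02x%02x%02x.php")


def render_template(host_bytes, dir_bytes, file_bytes):
    """Expand the template as sprintf would: 8 + 4 + 4 bytes, lowercase hex."""
    if (len(host_bytes), len(dir_bytes), len(file_bytes)) != (8, 4, 4):
        raise ValueError("template consumes exactly 8, 4 and 4 bytes")
    return TEMPLATE % tuple(bytes(host_bytes) + bytes(dir_bytes) + bytes(file_bytes))


# Build the regex from the template itself: every %02x becomes exactly two
# lowercase hex digits (%x never emits uppercase), everything else is literal.
TEMPLATE_RE = re.compile(
    "[0-9a-f]{2}".join(re.escape(part) for part in TEMPLATE.split("%02x"))
)


def find_template_urls(log_lines):
    """Return (line number, url) for each log line carrying a template-shaped URL."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in TEMPLATE_RE.finditer(line):
            hits.append((n, m.group(0)))
    return hits


# Constructed proxy log: the google connectivity check, one true hit, and two
# near misses (uppercase hex, host too short) that sprintf could not produce.
SAMPLE_LOG = [
    "1371204000.101 10.0.0.7 GET http://www.google.com/webhp 200",
    "1371204001.415 10.0.0.7 GET "
    + render_template(bytes(range(8)), b"\xde\xad\xbe\xef", b"\x01\x02\x03\x04")
    + " 404",
    "1371204002.002 10.0.0.7 GET http://0001020304050607.COM/DEADBEEF/01020304.php 200",
    "1371204003.777 10.0.0.7 GET http://00010203.com/deadbeef/01020304.php 200",
]

if __name__ == "__main__":
    print("regex:", TEMPLATE_RE.pattern)
    for n, url in find_template_urls(SAMPLE_LOG):
        print(f"line {n}: {url}")
```

Because the byte source is unknown, the regex matches shape only: any 16-hex-digit .com host with an 8-hex directory and 8-hex .php file. That shape is rare enough in real proxy logs to be a reasonable hunting query, but a hit should be confirmed against the host artifacts listed above rather than treated as proof on its own.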

Links