48e29119b03641499492336695c29ffd

From aldeid
Jump to: navigation, search

Description

  • SHA256: 66a296fb5c388db8005c850f6c14fcfc36447bdc24a142ed4f6153d260846845
  • SHA1: 7c0eff63cdea6ea46f2a89f24e6f62e859e5e819
  • MD5: 48e29119b03641499492336695c29ffd
  • File size: 92.5 KB ( 94720 bytes )
  • File type: Win32 EXE
  • Location: C:\System Volume Information\_restore{513E13D9-9DEA-495E-B9CA-81E5CC08F4FD}\RP282\A0279980.com
  • File name: A0279980.com

PE Signature:

  • Copyright: Copyright MamuzeĀ© 2013
  • Publisher: House
  • Product: Sunce
  • Version: 3, 0, 0, 0
  • Original name: Voda.exe
  • Internal name: Travka
  • File version: 1, 3, 4, 7
  • Description: Marko
  • Comments: Praslin

Detection

Antivirus detection

Detection ratio: 42/48 (2013-10-01)

Antivirus Result Update
Agnitum Trojan.DL.Andromeda!OVR9prejAzY 20130930
AhnLab-V3 Spyware/Win32.Zbot 20130930
AntiVir TR/Dldr.Andromeda.tze 20131001
Antiy-AVL Trojan/Win32.Generic 20131001
Avast Win32:Downloader-SYZ [Trj] 20131001
AVG SHeur4.BFHZ 20131001
Baidu-International Trojan.Win32.Agent.40 20131001
BitDefender Trojan.Generic.KDV.927010 20131001
Bkav W32.GamarueSymmiA.Trojan 20130927
CAT-QuickHeal Worm.Gamarue.B 20131001
Commtouch W32/Backdoor.LOGQ-7581 20131001
Comodo TrojWare.Win32.Injector.AFHI 20131001
DrWeb BackDoor.Andromeda.22 20131001
Emsisoft Trojan.Generic.KDV.927010 (B) 20131001
ESET-NOD32 a variant of Win32/Injector.AEYF 20131001
F-Secure Trojan.Generic.KDV.927010 20131001
Fortinet W32/Injector.AFHI!tr 20131001
GData Trojan.Generic.KDV.927010 20131001
Ikarus Worm.Win32.Gamarue 20131001
K7AntiVirus Riskware 20130930
K7GW Riskware 20130930
Kaspersky Trojan-Downloader.Win32.Andromeda.tze 20131001
Kingsoft Win32.Troj.Undef.(kcloud) 20130829
Malwarebytes Trojan.Bot.RV 20131001
McAfee RDN/Generic Downloader.x!di 20131001
McAfee-GW-Edition RDN/Generic Downloader.x!di 20131001
Microsoft Worm:Win32/Gamarue.I 20131001
MicroWorld-eScan Trojan.Generic.KDV.927010 20131001
Norman Injector.FGGB 20131001
nProtect Trojan-Downloader/W32.Andromeda.94720 20131001
Panda Trj/OCJ.D 20131001
PCTools Trojan.Fakeavlock 20131001
Rising Trojan.Win32.Generic.148E617B 20130930
Sophos Troj/Bckdr-RPN 20131001
SUPERAntiSpyware Trojan.Agent/Gen-Dropper 20131001
Symantec Trojan.Fakeavlock 20131001
TheHacker Trojan/Injector.aeyf 20130930
TrendMicro TROJ_SPNR.0BDA13 20131001
TrendMicro-HouseCall TROJ_SPNR.0BDA13 20131001
VBA32 BScope.Trojan.MSA.5417 20131001
VIPRE Trojan.Win32.Generic!BT 20131001
ViRobot Trojan.Win32.S.Zbot.94720 20131001

Network indicators

SIEM

POST /in.php HTTP/1.1
Host: orzdwjtvmein.in
User-Agent: Mozilla/4.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
Connection: close

upqchC83slHHEu1nnIKGIwiLrHo3Vt68T3yqvhQu2TqetQn3qIy7Q6bpTfDUtYFR593/MQ==

Network connections

IP Domain
65.55.184.26 www.update.microsoft.com
195.22.26.231 xdqzpbcgrvkj.ru
195.22.26.231 anam0rph.su
195.22.26.231 orzdwjtvmein.in
195.22.26.231 ygiudewsqhct.in
195.22.26.231 bdcrqgonzmwuehky.nl
109.236.84.12 somicrososoft.ru
95.211.98.157
65.55.184.155
8.8.4.4
195.22.26.231
109.236.84.12

Backdoor feature

It seems that the svchost.exe process that is dropped by the malware opens a socket on port 8000/tcp.

C:\>netstat -anb
[SNIP] 
TCP        0.0.0.0:8000        0.0.0.0:0        LISTENING        52804
C:\WINDOWS\system32\ws2_32.dll
-- composants inconnus --
C:\Documents and Settings\All Users\svchost.exe
C:\WINDOWS\system32\kernel32.sll
[svchost.exe]

Host based indicators

Files

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Registry

Following registry key has been modified:

  • Registry key path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
  • Old value: C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
  • New value: C:\Documents and Settings\All Users\svchost.exe

Mutex

A mutex called "Urcca" is created:

Andromeda-mutex-urcca.png

Analysis

Imports

KERNEL32.dll
LoadLibraryA
OpenMutexA
SizeofResource
GetModuleHandleA
LoadResource
GetProcAddress
FindResourceA
CloseHandle
GetCurrentProcessId
WaitForSingleObject
CreateThread
GetFileSize
ADVAPI32.dll
RegCloseKey

Malware Dropper architecture

This malware is a dropper. Indeed, as depicted on the below picture, we can see that socket features are only activated by the wuauclt.exe which is dropped by the initial malware.

Andromeda-timeline-analysis.png

Remediation

Following tools have been confirmed to be able to detect/clean the infection:

Links

Comments

blog comments powered by Disqus