This malware spreads via Skype: it simply sends the file to all your contacts, nothing more, nothing less (no message inviting you to check out "photos", no call, ...).
### Analysis ###
Known MD5s:
293cc1f379c4fc81a7584c40f7c82410
66def80d6f87f6f79156557172f9f295
Callback to IPs:
88.150.177.162
Callback to domains:
Random & partial DGA(1) - Pattern:
http://%random%.aingo.cc
Persistence:
Creates key in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Injects into:
explorer.exe
Sets Proxy:
Yes
Type of malware: Caphaw - Banking malware
Technical details ~~
Meta-data
================================================================================
File: /home/remnux/samples/invoice_171658.pdf.exe_
Size: 360448 bytes
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 293cc1f379c4fc81a7584c40f7c82410
SHA1: 7bb5b71513e01c2095d37f42c64982a3edb523b5
ssdeep: 3072:fkrImDVQFgEHQPqviUBSnk92oKMcs3JVJXnGcYHmZ52ZgMed1pJ8t/Jpm3dDlnx/:MkpCEwCvi2b92NMxBnUmyZ9o1z8tL
Date: 0x52739069 [Fri Nov 1 11:28:41 2013 UTC]
EP: 0x401270 .text 0/4
CRC: Claimed: 0x5eb47, Actual: 0x5eb47
Resource entries
================================================================================
| Name | RVA | Size | Lang | Sublang | Type |
|---|---|---|---|---|---|
| RT_CURSOR | 0x532b0 | 0x134 | LANG_RUSSIAN | SUBLANG_RUSSIAN | data |
| RT_BITMAP | 0x536c0 | 0x1eec | LANG_RUSSIAN | SUBLANG_RUSSIAN | data |
| RT_BITMAP | 0x555b0 | 0x4e8 | LANG_RUSSIAN | SUBLANG_RUSSIAN | data |
| RT_ICON | 0x55a98 | 0x128 | LANG_RUSSIAN | SUBLANG_RUSSIAN | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x55bc0 | 0xea8 | LANG_RUSSIAN | SUBLANG_RUSSIAN | data |
| RT_ICON | 0x56a68 | 0x568 | LANG_RUSSIAN | SUBLANG_RUSSIAN | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x56fd0 | 0x10a8 | LANG_RUSSIAN | SUBLANG_RUSSIAN | data |
| RT_ICON | 0x58078 | 0x468 | LANG_RUSSIAN | SUBLANG_RUSSIAN | GLS_BINARY_LSB_FIRST |
| RT_GROUP_CURSOR | 0x533e8 | 0x14 | LANG_RUSSIAN | SUBLANG_RUSSIAN | Lotus 1-2-3 |
| RT_GROUP_ICON | 0x584e0 | 0x4c | LANG_RUSSIAN | SUBLANG_RUSSIAN | MS Windows icon resource - 5 icons, 16x16, 16-colors |
| RT_VERSION | 0x53400 | 0x2c0 | LANG_RUSSIAN | SUBLANG_RUSSIAN | data |
Sections
================================================================================
| Name | VirtAddr | VirtSize | RawSize | Entropy |
|---|---|---|---|---|
| .text | 0x1000 | 0xee6 | 0x1000 | 5.764246 |
| .rdata | 0x2000 | 0x49ce2 | 0x4a000 | 5.440947 |
| .data | 0x4c000 | 0x619c | 0x6000 | 0.012147 [SUSPICIOUS] |
| .rsrc | 0x53000 | 0x5530 | 0x6000 | 3.693765 |
Version info
================================================================================
LegalCopyright: gex Copright ls soft
InternalName: jex MUWEfess dlle
FileVersion: 13, 13, 201, 1241
ProductName: jox Weaex Apps
ProductVersion: 13, 13, 21, 153
FileDescription: jex dllx
OriginalFilename: lexlse.exe
Translation: 0x0419 0x04b0
~~
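The [SUSPICIOUS] flag on the `.data` section above comes from its near-zero entropy. The following is an added example, not code from the post or from the scanner that produced the output: a stdlib-only Python parser that walks a PE section table and computes Shannon entropy per section. The 1.0/7.0 thresholds and the two-section PE blob it builds for input are assumptions constructed for this demonstration, not the analysed sample.

```python
import math
import struct

# Entropy thresholds (bits per byte) used here to mimic the scanner's
# [SUSPICIOUS] flag; these bounds are an assumption, not taken from the post.
LOW, HIGH = 1.0, 7.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string: 0.0 for zero-filled, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(pe: bytes):
    """Walk the PE section table; yield (name, vaddr, vsize, rawsize, entropy, suspicious)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]     # COFF SizeOfOptionalHeader
    off = e_lfanew + 24 + opt_size                                # first IMAGE_SECTION_HEADER
    for _ in range(n_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        ent = shannon_entropy(pe[rptr:rptr + rsize])
        yield (name.rstrip(b"\0").decode(), vaddr, vsize, rsize, ent, ent < LOW or ent > HIGH)
        off += 40

def build_sample_pe() -> bytes:
    """Constructed two-section PE skeleton (not the malware): moderate-entropy .text, zero-filled .data."""
    text = bytes(range(64)) * 16              # 64 equiprobable byte values -> entropy 6.0
    data = b"\0" * 1024                       # all zeros -> entropy 0.0, like the flagged section
    hdr_len = 0x40 + 24 + 40 * 2              # DOS header + PE sig/COFF + 2 section headers
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    sec = "<8sIIIIIIHHI"
    s1 = struct.pack(sec, b".text", len(text), 0x1000, len(text), hdr_len, 0, 0, 0, 0, 0x60000020)
    s2 = struct.pack(sec, b".data", len(data), 0x2000, len(data), hdr_len + len(text), 0, 0, 0, 0, 0xC0000040)
    return dos + coff + s1 + s2 + text + data

if __name__ == "__main__":
    for name, vaddr, vsize, rsize, ent, bad in pe_sections(build_sample_pe()):
        print(f"{name:8} {vaddr:#8x} {vsize:#8x} {rsize:#8x} {ent:.6f}{' [SUSPICIOUS]' if bad else ''}")
```

Point `pe_sections` at the bytes of a real file to get a table comparable to the one above; a near-zero `.data` entropy means the section is almost entirely padding on disk, which is what makes it stand out.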
### Prevention ###
* Check your Skype settings. Only allow contacts to send you messages/files & contact you
* Don't download and run unknown files, especially PE(2) files
### Disinfection ###
* Run a full scan with your installed antivirus product
* Look for suspicious Run keys and delete the associated file(s)
* Run a full scan with another antivirus and/or antimalware product
* Change your Skype password
* Change your proxy to the original one(3) (usually none)
* Change ALL your other passwords
* Call your bank to ensure there was no unauthorized withdrawal or transaction
* When in doubt, seek advice on a professional malware removal forum(4)
### Conclusion ###
* Follow above prevention tips
* Use common sense & do not blindly click on or run anything you encounter
* When in doubt, check the file on VirusTotal for example
# Links #
(1) http://en.wikipedia.org/wiki/Domain_generation_algorithm
(2) http://en.wikipedia.org/wiki/Portable_Executable
(3) http://www.wikihow.com/Change-Proxy-Settings
(4) http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs